Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Products Best Practices Hardware Guides Products A-Z
Summary
By Solution
By 4D Pillars
By Cloud
Secure Networking
Unified SASE
Security Operations
Secure SD-WAN
Secure Access Service Edge (SASE)
ZTNA
LAN Edge
Identity and Access Management
Next Generation Firewall
Public Cloud
Private Cloud
FortiCloud
Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
    • More >>
    Unified SASE
  • Single Vendor SASE
  • Cloud Network Security
  • Secure Endpoint Connectivity
  • Web Application / API Protection
    • More >>
    Security Operations
  • Security Operations Automation
  • Identity
  • Early Detection & Prevention
    • More >>
    Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
  • Communication & Surveillance
    • Unified SASE
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Cloud Network Security
  • Cloud-Native Security
  • Web Application / API Protection
    • Security Operations
  • Security Operations Automation
  • Endpoint
  • Data Protection
  • Identity
  • Email
  • Early Detection & Prevention
  • Expert Services
  • Edge Firewall
  • Orchestration & management
  • SD Branch
  • Application Delivery
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Secure Private Access
  • Thin Edge
  • Identity
  • Application Gateway
  • Enterprise Asset Management
  • Endpoint Agent
  • Agentless Security Posture
  • Identity
  • Wireless
  • Switching
  • Identity
  • Privilege Acccess Management
  • Next Generation Firewall
  • Orchestration & management
  • Expert Services
  • All
  • All
  • Account Management
  • SAAS Management
  • SAAS Application Security
  • Managed Services
  • Platform as a service (PAAS)
  • Other SAAS Services
    • 4D Resources
    Solution Hubs
  • 4D Pillars
  • Cloud
  • Popular Solutions

    • IBM Cloud Administration Guide

    Home FortiGate Public Cloud 7.6.0 IBM Cloud Administration Guide
    7.6.0
    7.6.0
    7.4.0
    7.2.0
    7.0.0
    6.4.0

    Deploying FortiGate-VM A-A HA load balancer sandwich

    Deploying FortiGate-VM A-A HA load balancer sandwich

    FortiOS supports deploying FortiGate-VM bring your own license (BYOL) for IBM Cloud. IBM Cloud users can purchase and deploy FortiGate-VMs. The following describes the steps that you take to create and access FortiGate-VM BYOL in active-active (A-A) state in IBM Cloud.

    This scenario uses the following load balancers (LB):

    • External LB, which sends traffic from the Internet to the FortiGate-VMs
    • Internal load balancer, which sends internal traffic to the FortiGate-VMs.

    The following lists the steps to configure this deployment:

    1. Create a new virtual private cloud (VPC). See To create a new VPC:.
    2. Deploy the FortiGate-VMs. See To deploy the FortiGate-VMs:.
    3. Allow IP address spoofing. See To allow IP address spoofing:.
    4. Configure access for the FortiGate-VMs. See To configure access for the FortiGate-VM:.
    5. Access the FortiGate-VMs. See To access the FortiGate-VMs:.
    6. Create a network load balancer (NLB). See To create NLBs:.
    7. Create and change route tables. See To create and change route tables:.
    8. (Optional) Create an Ubuntu instance in the workload subnet for testing. See (Optional) To create an Ubuntu instance in workload subnet for testing:.
    9. Test the FortiGate-VMs. See To test the FortiGate-VMs:.
    To create a new VPC:
    1. Go to VPC Infrastructure > Network > VPCs.
    2. Select the Geography and Region.
    3. Enter a name.
    4. Click Create.
    5. Deselect Create a default prefix for each zone.
      Note

      Deselecting Create a default prefix for each zone is recommended so you can have more control on the subnets that you are creating.

    6. Click Create virtual private cloud.

    7. Configure the subnet:
      1. Click the subnet that you created.
      2. Go to the Address prefixes tab.
      3. Click Create.
      4. Set your IP Range and Location.
      5. Click Create.
    8. Go to the Overview tab.
    9. You must create at least two subnets for the FortiGate-VM: one external (public) and one internal. This example also creates an optional subnet to add a virtual machine for testing purposes. Scroll to Subnets in this VPC session and click Create. Configure the following subnets:
      1. Configure the external (public) subnet:
        1. Ensure to select the desired VPC.
        2. Set the IP address range for the subnet.
        3. Enable the Public gateway attach.
        4. Configure other fields as desired. In this example, the external subnet is named external.
        5. Click Create subnet.
      2. Configure the internal subnet:
        1. Click Create in the Subnets page.
        2. Ensure to select the desired VPC.
        3. Set the IP address range for the subnet.
        4. Leave Public gateway unselected.
        5. Configure other fields as desired. In this example, the internal subnet is named internal.
        6. Click Create subnet.
      3. (Optional) Repeat the steps for the internal subnet to create the workload subnet. This example names this subnet workload.
    To deploy the FortiGate-VMs:

    See Deploying FortiGate-VM on IBM Cloud.

    To allow IP address spoofing:
    1. In VPC Infrastructure, go to and select the FortiGate port1.
    2. Under Network interfaces, select and edit eth0/port1 or the interface used in the public/external subnet.
    3. Enable Allow IP spoofing.
    4. Click Save.
    To configure access for the FortiGate-VM:
    1. Go to VPC Infrastructure > Compute > Virtual server instances.
    2. Select FortiGate 01 (fgtaa-01).
    3. Scroll to Network interfaces and edit eth0.
    4. In Floating IP address, select Reserve a new floating IP.
    5. Click Save.
    6. Copy the generated Floating IP and note it for later.
    7. Click the associated security group.

    8. Go to the Rules tab and edit the existing rule or create a new rule allowing all TCP and UDP traffic.

    9. Repeat steps 1-6 for FortiGate 02 (fgtaa-02).
    To access the FortiGate-VMs:
    1. Log in to FortiGate 01:
      1. Using your browser, access FortiGate 01 with the floating IP address that you created: https://<Floating IP address>.
      2. Ignore certificate issues.
      3. Click Accept on Login Disclaimer.
      4. Log in using the following credentials:
        1. For the username, enter admin.
        2. For the password, enter the virtual server instance ID. You can find this value in IBM Cloud.

      5. Change the default password and log in.
    2. If you did not license the FortiGate-VM during deployment with user data, you must do so now. FortiGate reboots after you insert the license. Log in again.
    3. If you created an optional subnet to the workload, you must create a route to access it. Create the route:
      1. Go to Network > Static Routes.
      2. Click Create New
      3. In the Destination field, select Subnet, then enter the workload subnet.
      4. In the Gateway Address field, enter the port2 subnet first valid IP address.
      5. Click OK.

    4. Open the FortiOS CLI and run the following commands to enable system probe-response:

      config system probe-response

      set mode http-probe

      end

      config sys interface

      edit port1

      set allowaccess ping https ssh http fgfm probe-response

      next

      edit port2

      set allowaccess ping https ssh http fgfm probe-response

      end

    5. Repeat steps 1-6 for FortiGate 02.
      Note

      You can use FortiManager or the autoscale feature on FortiOS to sync config between the VMs. This example uses the autoscale feature. It does not enable autoscaling and only syncs the config.

    6. Note the FortiGate 01 port2 address.
    7. On FortiGate 01, open the CLI and enter the following:
      config system auto-scale
    set status enable
    set role primary
    set sync-interface "port2"
    set psksecret "averystrongpassword"
end
    8. On FortiGate 02, open the CLI and enter the following:
      config system auto-scale
    set status enable
    set role secondary
    set sync-interface "port2"
    set primary-ip FGT_01_PORT2_IP
    set psksecret "averystrongpassword"
end
    9. Execute the following command to check the autoscale sync status of both FortiGates. If both FortiGates are not visible in the output, log out, wait a couple of minutes, and log in again: diagnose sys ha autoscale-peers

    To create NLBs:
    1. You must create one LB for external traffic and another for internal traffic:
      1. Go to VPC Infrastructure > Network > Load balancers. Click Create+.
      2. Choose Network load balancer.
      3. Configure the region, name, and VPC as desired. This example names the LB external-nlb.
      4. Leave the type as public.
      5. In Subnet, select the external subnet that you created.
      6. Create a backend pool:
        1. In Back-end pools, click Create pool.
        2. Enter a name. This example names the LB beext-pool.
        3. Click Create.

      7. Attach the external subnet to the backend line:
        1. In the backend line created, click Attach server.
        2. Select the external subnet.
        3. Select both FortiGates and in the Server port field, enter 8008.
        4. Click Attach.
      8. Create a listener:
        1. Under Front-end listeners, click Create listener.
        2. Select the back-end pool that you created.
        3. If desired, you can choose to redirect only one port or a port range. These ports are forwarded to FortiGate external interfaces. Click Create.
      9. Ensure that the security group used allows all desired traffic.
      10. Click Create load balancer.
    2. Create the internal load balancer:
      1. Go to VPC Infrastructure > Network > Load balancers. Click Create+.
      2. Choose Network load balancer.
      3. Configure the region, name, and VPC as desired. This example names the LB internal-nlb.
      4. For Type, select Private.
      5. Enable Routing mode.
      6. In Subnet, select the internal subnet that you created.
      7. Create a backend pool:
        1. In Back-end pools, click Create pool.
        2. Enter a name. This example names the LB beint-pool.
        3. Click Create.
      8. Attach the external subnet to the backend line:
        1. In the backend line created, click Attach server.
        2. Select the internal subnet.
        3. Select both FortiGates and in the Server port field, enter 8008.
        4. Click Attach.
      9. Create a listener:
        1. Under Front-end listeners, click Create listener.
        2. Select the backend pool that you created.
      10. Ensure that the security group used allows all desired traffic.
      11. Click Create load balancer.
    3. Wait for both LB statuses to change to Active.
    4. When their statuses show as Active, click them and copy their IP addresses. The internal LB shows two IP addresses. Only copy the first IP address.
    To create and change route tables:

    You must change route tables to the newly created LB.

    1. Create a route table:
      1. Go to VPC Infrastructure > Network > Routing tables.
      2. Select your VPC and click Create+.
      3. Name the table as desired. This example names the table rtb-external.
      4. Leave all the fields at their default values and click Create routing table.
    2. In the newly created route table, click its number of attached subnets.
    3. Click Attach+, select the external subnet, and click Attach.
    4. Return to the routing table list and click the other route table with the VPC default tag.
    5. Configure a route for the external subnet:
      1. Scroll to Routes and click Create+.
      2. Name the route as desired. This example names the route tointernet.
      3. In the Destination CIDR field, enter 0.0.0.0/0.
      4. For Action, select Deliver.
      5. In the Next hop field, enter the internal LB IP address.
      6. Save.
    6. Configure a route for the internal subnet:
      1. Click Create+ under Routes.
      2. Name the route as desired. This example names the route tointernal.
      3. In the Destination CIDR field, enter 10.6.1.0/24. This is your internal subnet CIDR.
      4. For Action, select Delegate.
      5. Save.
    7. Configure a route for the optional workload subnet:
      1. Click Create+ under Routes.
      2. Name the route as desired. This example names the route toworkload.
      3. In the Destination CIDR field, enter 10.6.2.0/24. This is your workload subnet CIDR.
      4. For Action, select Delegate.
      5. Save.

    (Optional) To create an Ubuntu instance in workload subnet for testing:
    1. Go to VPC Infrastructure > Compute > Virtual server instances.
    2. Click Create.
    3. Configure the Ubuntu instance:
      1. Configure Region, Zone, and Name as desired. This example names the Ubuntu instance ubuntu-testing-01.
      2. Under Image and profile, click Change image.
      3. Search for and select Ubuntu, and save.
      4. Choose the desired profile.
      5. Choose or create an SSH key.
      6. Under Networking, select the VPC previously created.
      7. Edit Network interfaces on eth0 and select the workload subnet.
    4. Click Create virtual server.
    To test the FortiGate-VMs:
    1. As your FortiGate-VMs are under the external LB, access the FortiGate by entering the external LB public IP address and the FortiGate HTTPS port.
    2. Create a virtual IP object (VIP). This example redirects port 2222 to port 22 (SSH). Complete the configuration as fits your environment and remember that you have to set this port in the external LB to forward the traffic.
    3. Go to Policy & Objects > Firewall Policy and click Create New.
    4. Configure as follows:
      1. For Type, select Standard.
      2. From the Incoming Interface dropdown list, select port1.
      3. From the Outgoing Interface dropdown list, select port2.
      4. For Source, select all.
      5. For Destination, select the VIP that you created.
      6. For Service, select SSH.
      7. For Action, select Accept.
      8. Configure other fields as desired.
    5. Test the access. You should have access to your Ubuntu instance.
    Previous
    Next

    Deploying FortiGate-VM A-A HA load balancer sandwich

    Deploying FortiGate-VM A-A HA load balancer sandwich

    FortiOS supports deploying FortiGate-VM bring your own license (BYOL) for IBM Cloud. IBM Cloud users can purchase and deploy FortiGate-VMs. The following describes the steps that you take to create and access FortiGate-VM BYOL in active-active (A-A) state in IBM Cloud.

    This scenario uses the following load balancers (LB):

    • External LB, which sends traffic from the Internet to the FortiGate-VMs
    • Internal load balancer, which sends internal traffic to the FortiGate-VMs.

    The following lists the steps to configure this deployment:

    1. Create a new virtual private cloud (VPC). See To create a new VPC:.
    2. Deploy the FortiGate-VMs. See To deploy the FortiGate-VMs:.
    3. Allow IP address spoofing. See To allow IP address spoofing:.
    4. Configure access for the FortiGate-VMs. See To configure access for the FortiGate-VM:.
    5. Access the FortiGate-VMs. See To access the FortiGate-VMs:.
    6. Create a network load balancer (NLB). See To create NLBs:.
    7. Create and change route tables. See To create and change route tables:.
    8. (Optional) Create an Ubuntu instance in the workload subnet for testing. See (Optional) To create an Ubuntu instance in workload subnet for testing:.
    9. Test the FortiGate-VMs. See To test the FortiGate-VMs:.
    To create a new VPC:
    1. Go to VPC Infrastructure > Network > VPCs.
    2. Select the Geography and Region.
    3. Enter a name.
    4. Click Create.
    5. Deselect Create a default prefix for each zone.
      Note

      Deselecting Create a default prefix for each zone is recommended so you can have more control on the subnets that you are creating.

    6. Click Create virtual private cloud.

    7. Configure the subnet:
      1. Click the subnet that you created.
      2. Go to the Address prefixes tab.
      3. Click Create.
      4. Set your IP Range and Location.
      5. Click Create.
    8. Go to the Overview tab.
    9. You must create at least two subnets for the FortiGate-VM: one external (public) and one internal. This example also creates an optional subnet to add a virtual machine for testing purposes. Scroll to Subnets in this VPC session and click Create. Configure the following subnets:
      1. Configure the external (public) subnet:
        1. Ensure to select the desired VPC.
        2. Set the IP address range for the subnet.
        3. Enable the Public gateway attach.
        4. Configure other fields as desired. In this example, the external subnet is named external.
        5. Click Create subnet.
      2. Configure the internal subnet:
        1. Click Create in the Subnets page.
        2. Ensure to select the desired VPC.
        3. Set the IP address range for the subnet.
        4. Leave Public gateway unselected.
        5. Configure other fields as desired. In this example, the internal subnet is named internal.
        6. Click Create subnet.
      3. (Optional) Repeat the steps for the internal subnet to create the workload subnet. This example names this subnet workload.
    To deploy the FortiGate-VMs:

    See Deploying FortiGate-VM on IBM Cloud.

    To allow IP address spoofing:
    1. In VPC Infrastructure, go to and select the FortiGate port1.
    2. Under Network interfaces, select and edit eth0/port1 or the interface used in the public/external subnet.
    3. Enable Allow IP spoofing.
    4. Click Save.
    To configure access for the FortiGate-VM:
    1. Go to VPC Infrastructure > Compute > Virtual server instances.
    2. Select FortiGate 01 (fgtaa-01).
    3. Scroll to Network interfaces and edit eth0.
    4. In Floating IP address, select Reserve a new floating IP.
    5. Click Save.
    6. Copy the generated Floating IP and note it for later.
    7. Click the associated security group.

    8. Go to the Rules tab and edit the existing rule or create a new rule allowing all TCP and UDP traffic.

    9. Repeat steps 1-6 for FortiGate 02 (fgtaa-02).
    To access the FortiGate-VMs:
    1. Log in to FortiGate 01:
      1. Using your browser, access FortiGate 01 with the floating IP address that you created: https://<Floating IP address>.
      2. Ignore certificate issues.
      3. Click Accept on Login Disclaimer.
      4. Log in using the following credentials:
        1. For the username, enter admin.
        2. For the password, enter the virtual server instance ID. You can find this value in IBM Cloud.

      5. Change the default password and log in.
    2. If you did not license the FortiGate-VM during deployment with user data, you must do so now. FortiGate reboots after you insert the license. Log in again.
    3. If you created an optional subnet to the workload, you must create a route to access it. Create the route:
      1. Go to Network > Static Routes.
      2. Click Create New
      3. In the Destination field, select Subnet, then enter the workload subnet.
      4. In the Gateway Address field, enter the port2 subnet first valid IP address.
      5. Click OK.

    4. Open the FortiOS CLI and run the following commands to enable system probe-response:

      config system probe-response

      set mode http-probe

      end

      config sys interface

      edit port1

      set allowaccess ping https ssh http fgfm probe-response

      next

      edit port2

      set allowaccess ping https ssh http fgfm probe-response

      end

    5. Repeat steps 1-6 for FortiGate 02.
      Note

      You can use FortiManager or the autoscale feature on FortiOS to sync config between the VMs. This example uses the autoscale feature. It does not enable autoscaling and only syncs the config.

    6. Note the FortiGate 01 port2 address.
    7. On FortiGate 01, open the CLI and enter the following:
      config system auto-scale
    set status enable
    set role primary
    set sync-interface "port2"
    set psksecret "averystrongpassword"
end
    8. On FortiGate 02, open the CLI and enter the following:
      config system auto-scale
    set status enable
    set role secondary
    set sync-interface "port2"
    set primary-ip FGT_01_PORT2_IP
    set psksecret "averystrongpassword"
end
    9. Execute the following command to check the autoscale sync status of both FortiGates. If both FortiGates are not visible in the output, log out, wait a couple of minutes, and log in again: diagnose sys ha autoscale-peers

    To create NLBs:
    1. You must create one LB for external traffic and another for internal traffic:
      1. Go to VPC Infrastructure > Network > Load balancers. Click Create+.
      2. Choose Network load balancer.
      3. Configure the region, name, and VPC as desired. This example names the LB external-nlb.
      4. Leave the type as public.
      5. In Subnet, select the external subnet that you created.
      6. Create a backend pool:
        1. In Back-end pools, click Create pool.
        2. Enter a name. This example names the LB beext-pool.
        3. Click Create.

      7. Attach the external subnet to the backend line:
        1. In the backend line created, click Attach server.
        2. Select the external subnet.
        3. Select both FortiGates and in the Server port field, enter 8008.
        4. Click Attach.
      8. Create a listener:
        1. Under Front-end listeners, click Create listener.
        2. Select the back-end pool that you created.
        3. If desired, you can choose to redirect only one port or a port range. These ports are forwarded to FortiGate external interfaces. Click Create.
      9. Ensure that the security group used allows all desired traffic.
      10. Click Create load balancer.
    2. Create the internal load balancer:
      1. Go to VPC Infrastructure > Network > Load balancers. Click Create+.
      2. Choose Network load balancer.
      3. Configure the region, name, and VPC as desired. This example names the LB internal-nlb.
      4. For Type, select Private.
      5. Enable Routing mode.
      6. In Subnet, select the internal subnet that you created.
      7. Create a backend pool:
        1. In Back-end pools, click Create pool.
        2. Enter a name. This example names the LB beint-pool.
        3. Click Create.
      8. Attach the external subnet to the backend line:
        1. In the backend line created, click Attach server.
        2. Select the internal subnet.
        3. Select both FortiGates and in the Server port field, enter 8008.
        4. Click Attach.
      9. Create a listener:
        1. Under Front-end listeners, click Create listener.
        2. Select the backend pool that you created.
      10. Ensure that the security group used allows all desired traffic.
      11. Click Create load balancer.
    3. Wait for both LB statuses to change to Active.
    4. When their statuses show as Active, click them and copy their IP addresses. The internal LB shows two IP addresses. Only copy the first IP address.
    To create and change route tables:

    You must change route tables to the newly created LB.

    1. Create a route table:
      1. Go to VPC Infrastructure > Network > Routing tables.
      2. Select your VPC and click Create+.
      3. Name the table as desired. This example names the table rtb-external.
      4. Leave all the fields at their default values and click Create routing table.
    2. In the newly created route table, click its number of attached subnets.
    3. Click Attach+, select the external subnet, and click Attach.
    4. Return to the routing table list and click the other route table with the VPC default tag.
    5. Configure a route for the external subnet:
      1. Scroll to Routes and click Create+.
      2. Name the route as desired. This example names the route tointernet.
      3. In the Destination CIDR field, enter 0.0.0.0/0.
      4. For Action, select Deliver.
      5. In the Next hop field, enter the internal LB IP address.
      6. Save.
    6. Configure a route for the internal subnet:
      1. Click Create+ under Routes.
      2. Name the route as desired. This example names the route tointernal.
      3. In the Destination CIDR field, enter 10.6.1.0/24. This is your internal subnet CIDR.
      4. For Action, select Delegate.
      5. Save.
    7. Configure a route for the optional workload subnet:
      1. Click Create+ under Routes.
      2. Name the route as desired. This example names the route toworkload.
      3. In the Destination CIDR field, enter 10.6.2.0/24. This is your workload subnet CIDR.
      4. For Action, select Delegate.
      5. Save.

    (Optional) To create an Ubuntu instance in workload subnet for testing:
    1. Go to VPC Infrastructure > Compute > Virtual server instances.
    2. Click Create.
    3. Configure the Ubuntu instance:
      1. Configure Region, Zone, and Name as desired. This example names the Ubuntu instance ubuntu-testing-01.
      2. Under Image and profile, click Change image.
      3. Search for and select Ubuntu, and save.
      4. Choose the desired profile.
      5. Choose or create an SSH key.
      6. Under Networking, select the VPC previously created.
      7. Edit Network interfaces on eth0 and select the workload subnet.
    4. Click Create virtual server.
    To test the FortiGate-VMs:
    1. As your FortiGate-VMs are under the external LB, access the FortiGate by entering the external LB public IP address and the FortiGate HTTPS port.
    2. Create a virtual IP object (VIP). This example redirects port 2222 to port 22 (SSH). Complete the configuration as fits your environment and remember that you have to set this port in the external LB to forward the traffic.
    3. Go to Policy & Objects > Firewall Policy and click Create New.
    4. Configure as follows:
      1. For Type, select Standard.
      2. From the Incoming Interface dropdown list, select port1.
      3. From the Outgoing Interface dropdown list, select port2.
      4. For Source, select all.
      5. For Destination, select the VIP that you created.
      6. For Service, select SSH.
      7. For Action, select Accept.
      8. Configure other fields as desired.
    5. Test the access. You should have access to your Ubuntu instance.
    Previous
    Next