Deploying FortiGate-VM HA on OCI within one AD
FortiGate active-passive HA
You can configure FortiGate's native active-passive high availability (HA) feature (without using an OCI supplementary mechanism such as a load balancer) with two FortiGate-VM instances: one acting as the primary node and the other as the secondary node, both located in the same availability domain. This guide refers to the primary and secondary nodes as FortiGate A and FortiGate B, respectively. This is called "unicast HA" and is specific to cloud environments, including OCI, to comply with their network restrictions, in comparison to the equivalent feature that physical FortiGates provide. The FortiGate-VMs run heartbeats between dedicated ports and synchronize operating system configurations. When the primary node fails, the secondary node takes over as the primary node so endpoints continue to communicate with external resources over the FortiGate-VM. The FortiGates also synchronize sessions at the time of failover.
Using the latest version of FortiGate-VM is always recommended.
When deploying a FortiGate-VM HA cluster, choose a compute VM shape that supports four or more vNICs for each FortiGate-VM instance. The two FortiGate-VM instances must use the same compute VM shape.
Deploying and configuring FortiGate active-passive HA
For this HA deployment, you can manually configure two FortiGate-VM instances after deployment on OCI using CLI commands or run Terraform scripts.
Terraform scripts for FortiOS
Your deployment will have different IP addresses than in the diagram.
Unlike other public clouds, on OCI, you must configure port 1 as the management interface. The other ports are interchangeable. Locating each port in a different subnet is considered best practice. DNS must work with port 1 to resolve OCI's API endpoint URLs at the time of HA failover.
You must configure primary private IP addresses, even where the diagram does not mention them. Although not required for HA purposes, you must do this to comply with general networking requirements.
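The following FortiOS CLI sketch shows how the unicast HA settings described above fit together on both nodes; it is an added example, not configuration taken from this guide. The group name, priorities, the choice of port4 as the heartbeat port, and all 10.0.x.x addresses are constructed assumptions, and the `#` lines are annotations to leave out when pasting into the CLI.

```fortios
# ---- FortiGate A (intended primary) ----
config system ha
    set group-name "oci-ha"
    set mode a-p
    # Dedicated heartbeat port (assumed: port4) and its priority
    set hbdev "port4" 50
    # Synchronize sessions so they survive a failover
    set session-pickup enable
    # port1 stays a per-node management interface; it must have working
    # DNS so the node can resolve OCI API endpoints during failover
    set ha-mgmt-status enable
    config ha-mgmt-interfaces
        edit 1
            set interface "port1"
            set gateway 10.0.0.1
        next
    end
    set priority 200
    # Unicast heartbeat: peer address is FortiGate B's heartbeat port IP
    set unicast-hb enable
    set unicast-hb-peerip 10.0.3.12
end

# ---- FortiGate B (intended secondary) ----
config system ha
    set group-name "oci-ha"
    set mode a-p
    set hbdev "port4" 50
    set session-pickup enable
    set ha-mgmt-status enable
    config ha-mgmt-interfaces
        edit 1
            set interface "port1"
            set gateway 10.0.0.1
        next
    end
    # Lower priority than FortiGate A
    set priority 100
    # Peer address is FortiGate A's heartbeat port IP
    set unicast-hb enable
    set unicast-hb-peerip 10.0.3.11
end
```

After applying both halves, `get system ha status` on either node shows whether the peers see each other and which one holds the primary role.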