Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Products Best Practices Hardware Guides Products A-Z
Summary
By Solution
By 4D Pillars
By Cloud
Secure Networking
Unified SASE
Security Operations
Secure SD-WAN
Secure Access Service Edge (SASE)
ZTNA
LAN Edge
Identity and Access Management
Next Generation Firewall
Public Cloud
Private Cloud
FortiCloud
Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
    • More >>
    Unified SASE
  • Single Vendor SASE
  • Cloud Network Security
  • Secure Endpoint Connectivity
  • Web Application / API Protection
    • More >>
    Security Operations
  • Security Operations Automation
  • Identity
  • Early Detection & Prevention
    • More >>
    Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
  • Communication & Surveillance
    • Unified SASE
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Cloud Network Security
  • Cloud-Native Security
  • Web Application / API Protection
    • Security Operations
  • Security Operations Automation
  • Endpoint
  • Data Protection
  • Identity
  • Email
  • Early Detection & Prevention
  • Expert Services
  • Edge Firewall
  • Orchestration & management
  • SD Branch
  • Application Delivery
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Secure Private Access
  • Thin Edge
  • Identity
  • Application Gateway
  • Enterprise Asset Management
  • Endpoint Agent
  • Agentless Security Posture
  • Identity
  • Wireless
  • Switching
  • Identity
  • Privilege Acccess Management
  • Next Generation Firewall
  • Orchestration & management
  • Expert Services
  • All
  • All
  • Account Management
  • SAAS Management
  • SAAS Application Security
  • Managed Services
  • Platform as a service (PAAS)
  • Other SAAS Services
    • 4D Resources
    Solution Hubs
  • 4D Pillars
  • Cloud
  • Popular Solutions

    • New Features

    6.2.0
    7.6.0
    7.4.0
    7.2.0
    7.0.0
    6.4.0
    6.2.0

    HA Between Zones

    HA Between Zones

    6.2 supports auto-scaling HA (High Availability) between Zones in Google Cloud environments.

    Example

    Following is an overview of how the feature works:

    1. Create FGT-A as a primary on one zone with metadata that has ha-primary configuration.
    2. Create FGT-B as a secondary on another zone with metadata that has ha-secondary configuration.
    3. Create a PC that can access the Internet via FGT-HA.
    4. Shut down FGT-A, and FGT-B become the primary to handle traffic. The public EIP will attach to FGT-B.

    To configure HA between zones:
    1. Create 4 VPC networks in region, such as us-central1.

    2. Create routes for each network.

    3. Create firewall rules for each network.

    4. Reserve three external IP addresses for convenience.

    5. Create both FGT-A and FGT-B in GCP:

      gcloud beta compute --project=dev-project-001-166400 instances create fhua-fgt-a --zone=us-central1-c --machine-type=n1-standard-4 --network-tier=PREMIUM --can-ip-forward --maintenance-policy=MIGRATE --service-account=966517025500-compute@developer.gserviceaccount.com --scopes=https://www.googleapis.com/auth/cloud-platform --image=fhua-ond-0804 --image-project=dev-project-001-166400 --boot-disk-type=pd-standard --boot-disk-device-name=fhua-fgt-0804 --network-interface subnet=fhua-hapvc-port1external,private-network-ip=10.0.0.15,address=104.154.241.0 --network-interface subnet=fhua-hapvc-port2internal,private-network-ip=10.0.1.15,no-address --network-interface subnet=fhua-hapvc-port3heartbeat,private-network-ip=10.0.2.15,no-address --network-interface subnet=fhua-hapvc-port4mgmt,private-network-ip=10.0.3.15,address=104.154.25.116 --metadata-from-file user-data=/home/gcloud/config/master.conf

      gcloud beta compute --project=dev-project-001-166400 instances create fhua-fgt-b --zone=us-central1-a --machine-type=n1-standard-4 --network-tier=PREMIUM --can-ip-forward --maintenance-policy=MIGRATE --service-account=966517025500-compute@developer.gserviceaccount.com --scopes=https://www.googleapis.com/auth/cloud-platform --image=fhua-ond-0804 --image-project=dev-project-001-166400 --boot-disk-type=pd-standard --boot-disk-device-name=fhua-fgt-0804 --network-interface subnet=fhua-hapvc-port1external,private-network-ip=10.0.0.16,no-address --network-interface subnet=fhua-hapvc-port2internal,private-network-ip=10.0.1.16,no-address --network-interface subnet=fhua-hapvc-port3heartbeat,private-network-ip=10.0.2.16,no-address --network-interface subnet=fhua-hapvc-port4mgmt,private-network-ip=10.0.3.16,address=35.226.235.236 --metadata-from-file user-data=/home/gcloud/config/slave.conf

      After the FGT-VM-GCP is set up, you can view it in the FortiOS GUI:

    6. Configure FGT-A:

      config system ha

      set group-id 21

      set group-name "cluster1"

      set mode a-p

      set hbdev "port3" 50

      set session-pickup enable

      set session-pickup-connectionless enable

      set ha-mgmt-status enable

      config ha-mgmt-interfaces

      edit 1

      set interface "port4"

      set gateway 10.0.3.1

      next

      end

      set override enable

      set priority 200

      set unicast-hb enable

      set unicast-hb-peerip 10.0.2.16

      set unicast-hb-netmask 255.255.255.0

      end

      config system sdn-connector

      edit "gcp_conn"

      set type gcp

      set ha-status enable

      config external-ip

      edit "fhua-reserve-fgthapublic"

      next

      end

      config route

      edit "fhua-route-internal"

      next

      end

      set use-metadata-iam disable

      set gcp-project "..."

      set service-account "..."

      set private-key "..."

      next

      end

    7. Configure FGT-B:

      config system ha

      set group-id 21

      set group-name "cluster1"

      set mode a-p set hbdev "port3" 50

      set session-pickup enable

      set session-pickup-connectionless enable

      set ha-mgmt-status enable

      config ha-mgmt-interfaces

      edit 1

      set interface "port4"

      set gateway 10.0.3.1

      next

      end

      set override enable

      set priority 20

      set unicast-hb enable

      set unicast-hb-peerip 10.0.2.15

      set unicast-hb-netmask 255.255.255.0

      end

    8. Create a PC that can access the Internet via FGT-HA.
    Previous
    Next

    HA Between Zones

    HA Between Zones

    6.2 supports auto-scaling HA (High Availability) between Zones in Google Cloud environments.

    Example

    Following is an overview of how the feature works:

    1. Create FGT-A as a primary on one zone with metadata that has ha-primary configuration.
    2. Create FGT-B as a secondary on another zone with metadata that has ha-secondary configuration.
    3. Create a PC that can access the Internet via FGT-HA.
    4. Shut down FGT-A, and FGT-B become the primary to handle traffic. The public EIP will attach to FGT-B.

    To configure HA between zones:
    1. Create 4 VPC networks in region, such as us-central1.

    2. Create routes for each network.

    3. Create firewall rules for each network.

    4. Reserve three external IP addresses for convenience.

    5. Create both FGT-A and FGT-B in GCP:

      gcloud beta compute --project=dev-project-001-166400 instances create fhua-fgt-a --zone=us-central1-c --machine-type=n1-standard-4 --network-tier=PREMIUM --can-ip-forward --maintenance-policy=MIGRATE --service-account=966517025500-compute@developer.gserviceaccount.com --scopes=https://www.googleapis.com/auth/cloud-platform --image=fhua-ond-0804 --image-project=dev-project-001-166400 --boot-disk-type=pd-standard --boot-disk-device-name=fhua-fgt-0804 --network-interface subnet=fhua-hapvc-port1external,private-network-ip=10.0.0.15,address=104.154.241.0 --network-interface subnet=fhua-hapvc-port2internal,private-network-ip=10.0.1.15,no-address --network-interface subnet=fhua-hapvc-port3heartbeat,private-network-ip=10.0.2.15,no-address --network-interface subnet=fhua-hapvc-port4mgmt,private-network-ip=10.0.3.15,address=104.154.25.116 --metadata-from-file user-data=/home/gcloud/config/master.conf

      gcloud beta compute --project=dev-project-001-166400 instances create fhua-fgt-b --zone=us-central1-a --machine-type=n1-standard-4 --network-tier=PREMIUM --can-ip-forward --maintenance-policy=MIGRATE --service-account=966517025500-compute@developer.gserviceaccount.com --scopes=https://www.googleapis.com/auth/cloud-platform --image=fhua-ond-0804 --image-project=dev-project-001-166400 --boot-disk-type=pd-standard --boot-disk-device-name=fhua-fgt-0804 --network-interface subnet=fhua-hapvc-port1external,private-network-ip=10.0.0.16,no-address --network-interface subnet=fhua-hapvc-port2internal,private-network-ip=10.0.1.16,no-address --network-interface subnet=fhua-hapvc-port3heartbeat,private-network-ip=10.0.2.16,no-address --network-interface subnet=fhua-hapvc-port4mgmt,private-network-ip=10.0.3.16,address=35.226.235.236 --metadata-from-file user-data=/home/gcloud/config/slave.conf

      After the FGT-VM-GCP is set up, you can view it in the FortiOS GUI:

    6. Configure FGT-A:

      config system ha

      set group-id 21

      set group-name "cluster1"

      set mode a-p

      set hbdev "port3" 50

      set session-pickup enable

      set session-pickup-connectionless enable

      set ha-mgmt-status enable

      config ha-mgmt-interfaces

      edit 1

      set interface "port4"

      set gateway 10.0.3.1

      next

      end

      set override enable

      set priority 200

      set unicast-hb enable

      set unicast-hb-peerip 10.0.2.16

      set unicast-hb-netmask 255.255.255.0

      end

      config system sdn-connector

      edit "gcp_conn"

      set type gcp

      set ha-status enable

      config external-ip

      edit "fhua-reserve-fgthapublic"

      next

      end

      config route

      edit "fhua-route-internal"

      next

      end

      set use-metadata-iam disable

      set gcp-project "..."

      set service-account "..."

      set private-key "..."

      next

      end

    7. Configure FGT-B:

      config system ha

      set group-id 21

      set group-name "cluster1"

      set mode a-p set hbdev "port3" 50

      set session-pickup enable

      set session-pickup-connectionless enable

      set ha-mgmt-status enable

      config ha-mgmt-interfaces

      edit 1

      set interface "port4"

      set gateway 10.0.3.1

      next

      end

      set override enable

      set priority 20

      set unicast-hb enable

      set unicast-hb-peerip 10.0.2.15

      set unicast-hb-netmask 255.255.255.0

      end

    8. Create a PC that can access the Internet via FGT-HA.
    Previous
    Next