
HA Between Zones

FortiOS 6.2 supports active-passive HA (High Availability) between zones in Google Cloud environments: two FortiGate-VM instances in different zones of one region form an A-P cluster over a unicast heartbeat, and the GCP SDN connector moves the cluster's external IP address and the internal route to whichever unit is primary.

Example

Following is an overview of how the feature works:

  1. Create FGT-A as the primary in one zone, with instance metadata (user-data) that carries the ha-primary configuration.
  2. Create FGT-B as the secondary in another zone, with instance metadata that carries the ha-secondary configuration.
  3. Create a PC that reaches the Internet through the FortiGate HA cluster.
  4. Shut down FGT-A. FGT-B becomes the primary and handles the traffic: the SDN connector reattaches the reserved external IP address to FGT-B and points the internal route at it.

To configure HA between zones:
  1. Create four VPC networks in one region, such as us-central1: one each for the external (port1), internal (port2), heartbeat (port3) and management (port4) interfaces.

  2. Create routes for each network. The internal network's default route must point at the primary FortiGate; this is the route the SDN connector rewrites on failover.

  3. Create firewall rules for each network. The heartbeat network must allow traffic between the two heartbeat addresses, and the management network should accept connections only from the administrator's address range.

  4. Reserve three external IP addresses: one cluster address that follows the primary (attached to port1 of FGT-A at creation) and one management address for each FortiGate.

  5. Create both FGT-A and FGT-B in GCP:

    gcloud beta compute --project=dev-project-001-166400 instances create fhua-fgt-a \
      --zone=us-central1-c --machine-type=n1-standard-4 --network-tier=PREMIUM \
      --can-ip-forward --maintenance-policy=MIGRATE \
      --service-account=966517025500-compute@developer.gserviceaccount.com \
      --scopes=https://www.googleapis.com/auth/cloud-platform \
      --image=fhua-ond-0804 --image-project=dev-project-001-166400 \
      --boot-disk-type=pd-standard --boot-disk-device-name=fhua-fgt-0804 \
      --network-interface subnet=fhua-hapvc-port1external,private-network-ip=10.0.0.15,address=104.154.241.0 \
      --network-interface subnet=fhua-hapvc-port2internal,private-network-ip=10.0.1.15,no-address \
      --network-interface subnet=fhua-hapvc-port3heartbeat,private-network-ip=10.0.2.15,no-address \
      --network-interface subnet=fhua-hapvc-port4mgmt,private-network-ip=10.0.3.15,address=104.154.25.116 \
      --metadata-from-file user-data=/home/gcloud/config/master.conf

    gcloud beta compute --project=dev-project-001-166400 instances create fhua-fgt-b \
      --zone=us-central1-a --machine-type=n1-standard-4 --network-tier=PREMIUM \
      --can-ip-forward --maintenance-policy=MIGRATE \
      --service-account=966517025500-compute@developer.gserviceaccount.com \
      --scopes=https://www.googleapis.com/auth/cloud-platform \
      --image=fhua-ond-0804 --image-project=dev-project-001-166400 \
      --boot-disk-type=pd-standard --boot-disk-device-name=fhua-fgt-0804 \
      --network-interface subnet=fhua-hapvc-port1external,private-network-ip=10.0.0.16,no-address \
      --network-interface subnet=fhua-hapvc-port2internal,private-network-ip=10.0.1.16,no-address \
      --network-interface subnet=fhua-hapvc-port3heartbeat,private-network-ip=10.0.2.16,no-address \
      --network-interface subnet=fhua-hapvc-port4mgmt,private-network-ip=10.0.3.16,address=35.226.235.236 \
      --metadata-from-file user-data=/home/gcloud/config/slave.conf

    The two instances are in different zones (us-central1-c and us-central1-a) of the same region. FGT-A receives the reserved cluster address on port1 and its own management address on port4; FGT-B receives only a management address, because the SDN connector attaches the cluster address to it on failover. Both need --can-ip-forward so that they can forward packets that are not addressed to them, and the user-data files (master.conf, slave.conf) carry the ha-primary and ha-secondary bootstrap configuration from the overview.

    After the FortiGate-VM instances are set up, you can view them in the FortiOS GUI.

  6. Configure FGT-A:

    config system ha
        set group-id 21
        set group-name "cluster1"
        set mode a-p
        set hbdev "port3" 50
        set session-pickup enable
        set session-pickup-connectionless enable
        set ha-mgmt-status enable
        config ha-mgmt-interfaces
            edit 1
                set interface "port4"
                set gateway 10.0.3.1
            next
        end
        set override enable
        set priority 200
        set unicast-hb enable
        set unicast-hb-peerip 10.0.2.16
        set unicast-hb-netmask 255.255.255.0
    end

    config system sdn-connector
        edit "gcp_conn"
            set type gcp
            set ha-status enable
            config external-ip
                edit "fhua-reserve-fgthapublic"
                next
            end
            config route
                edit "fhua-route-internal"
                next
            end
            set use-metadata-iam disable
            set gcp-project "..."
            set service-account "..."
            set private-key "..."
        next
    end

    The SDN connector with ha-status enabled is what performs the failover in GCP: on a role change it moves the listed external IP address (fhua-reserve-fgthapublic) and rewrites the next hop of the listed route (fhua-route-internal) to the new primary. As shown, the connector authenticates with a service-account private key stored in the FortiGate configuration (use-metadata-iam disabled). Because the instances were created with --service-account and the cloud-platform scope, the connector can instead use the instance's own service account (use-metadata-iam enable), which keeps the key out of configuration backups. In either case, grant that service account only the Compute Engine permissions needed to reassign addresses and update routes rather than a project-wide editor role.

  7. Configure FGT-B:

    config system ha
        set group-id 21
        set group-name "cluster1"
        set mode a-p
        set hbdev "port3" 50
        set session-pickup enable
        set session-pickup-connectionless enable
        set ha-mgmt-status enable
        config ha-mgmt-interfaces
            edit 1
                set interface "port4"
                set gateway 10.0.3.1
            next
        end
        set override enable
        set priority 20
        set unicast-hb enable
        set unicast-hb-peerip 10.0.2.15
        set unicast-hb-netmask 255.255.255.0
    end

    FGT-B uses the same group-id, group-name, mode, heartbeat device and session-pickup settings as FGT-A, a lower priority (20 versus 200), and FGT-A's heartbeat address (10.0.2.15) as its unicast peer, while FGT-A points at 10.0.2.16. Unicast heartbeat is required here because GCP VPC networks do not carry the Layer 2 broadcast heartbeat that FortiGate HA uses by default. With override enabled on both units, FGT-A takes the primary role back as soon as it returns, so the external IP address and the route move back to it; disable override on both units if the roles should stay where they are after a failover. The SDN connector is configured on FGT-A only and is synchronized to FGT-B with the rest of the cluster configuration.

  8. Create a PC in the internal network that reaches the Internet through the cluster, then shut down FGT-A and confirm that FGT-B takes over: the reserved external IP address and the internal route's next hop should now refer to FGT-B.
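The page names steps 1 to 4 (networks, routes, firewall rules, reserved addresses) without showing their commands, and step 8 describes the failover check only in words. The script below is an added example written for this page, not Fortinet's code: it prints (or, with APPLY=1, runs) the gcloud commands for those steps and adds a verify mode for step 8 that reads which instance currently holds the cluster address and the internal route. Subnet names, the route and address names, the project and the zone of FGT-A are taken from the page; the CIDRs, the network and firewall-rule names, the two management address names and ADMIN_CIDR are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not from the Fortinet page): gcloud commands for steps 1-4 of the
# HA-between-zones procedure and a post-failover check for step 8.
# Names from the page: subnets fhua-hapvc-port*, route fhua-route-internal,
# address fhua-reserve-fgthapublic, project dev-project-001-166400, zone us-central1-c.
# Assumed for illustration: CIDRs, "-net" network names, firewall-rule names,
# management address names, ADMIN_CIDR. Without APPLY=1 commands are only printed.
set -eu

PROJECT="${PROJECT:-dev-project-001-166400}"
REGION="${REGION:-us-central1}"
ZONE_A="${ZONE_A:-us-central1-c}"            # zone of FGT-A, the initial primary
PRIMARY="${PRIMARY:-fhua-fgt-a}"
ADMIN_CIDR="${ADMIN_CIDR:-203.0.113.0/24}"   # assumed admin source range (TEST-NET-3)
HA_EIP="fhua-reserve-fgthapublic"
INT_ROUTE="fhua-route-internal"

# Print a gcloud command; execute it only in apply mode.
gc() {
  echo "gcloud $*"
  if [ "${APPLY:-0}" = "1" ]; then command gcloud "$@"; fi
}

# Step 1: one VPC network and one subnet per FortiGate port.
create_networks() {
  for spec in "port1external 10.0.0.0/24" "port2internal 10.0.1.0/24" \
              "port3heartbeat 10.0.2.0/24" "port4mgmt 10.0.3.0/24"; do
    set -- $spec   # $1 = port role, $2 = subnet range (assumed)
    gc compute networks create "fhua-hapvc-$1-net" --project="$PROJECT" --subnet-mode=custom
    gc compute networks subnets create "fhua-hapvc-$1" --project="$PROJECT" \
       --network="fhua-hapvc-$1-net" --region="$REGION" --range="$2"
  done
}

# Step 2: default route of the internal network via FGT-A's port2. The SDN connector
# rewrites this route's next hop on failover. The next-hop instance must already
# exist, so in practice run this after step 5. The external network keeps GCP's
# automatic default route to the Internet gateway.
create_routes() {
  gc compute routes create "$INT_ROUTE" --project="$PROJECT" \
     --network=fhua-hapvc-port2internal-net --destination-range=0.0.0.0/0 \
     --priority=100 --next-hop-instance="$PRIMARY" --next-hop-instance-zone="$ZONE_A"
}

# Step 3: VPC firewall rules. The FortiGate policy is the control point on the
# external side; heartbeat is limited to the two heartbeat addresses; management
# is limited to the admin range (never 0.0.0.0/0).
create_firewall_rules() {
  gc compute firewall-rules create fhua-fw-external --project="$PROJECT" \
     --network=fhua-hapvc-port1external-net --allow=tcp,udp,icmp --source-ranges=0.0.0.0/0
  gc compute firewall-rules create fhua-fw-internal --project="$PROJECT" \
     --network=fhua-hapvc-port2internal-net --allow=tcp,udp,icmp --source-ranges=10.0.1.0/24
  gc compute firewall-rules create fhua-fw-heartbeat --project="$PROJECT" \
     --network=fhua-hapvc-port3heartbeat-net --allow=tcp,udp,icmp \
     --source-ranges=10.0.2.15/32,10.0.2.16/32
  gc compute firewall-rules create fhua-fw-mgmt --project="$PROJECT" \
     --network=fhua-hapvc-port4mgmt-net --allow=tcp:443,tcp:22 --source-ranges="$ADMIN_CIDR"
}

# Step 4: the floating cluster address plus one management address per unit.
reserve_addresses() {
  for name in "$HA_EIP" fhua-reserve-fgta-mgmt fhua-reserve-fgtb-mgmt; do
    gc compute addresses create "$name" --project="$PROJECT" --region="$REGION"
  done
}

# Return 0 when a resource URL (or a ';'-separated list of URLs, as printed by
# --format=value) names the instance NAME, e.g. .../zones/us-central1-a/instances/fhua-fgt-b
refers_to_instance() {
  printf '%s\n' "$1" | tr ';' '\n' | grep -q "/instances/$2\$"
}

# Step 8 check: after FGT-A is shut down, both the address holder and the route's
# next hop must be the expected primary (FGT-B).
verify_holder() {
  users=$(command gcloud compute addresses describe "$HA_EIP" --project="$PROJECT" \
            --region="$REGION" --format='value(users)')
  hop=$(command gcloud compute routes describe "$INT_ROUTE" --project="$PROJECT" \
          --format='value(nextHopInstance)')
  refers_to_instance "$users" "$1" && refers_to_instance "$hop" "$1"
}

plan() { create_networks; create_routes; create_firewall_rules; reserve_addresses; }

case "${1:-plan}" in
  plan)   plan ;;
  apply)  APPLY=1; plan ;;
  verify) who="${2:-fhua-fgt-b}"
          verify_holder "$who" && echo "OK: $who holds $HA_EIP and $INT_ROUTE" ;;
esac
```

Run it with no arguments to see the plan, with `apply` to create the resources, and with `verify fhua-fgt-b` after shutting down FGT-A; the exit status is non-zero if either the cluster address or the internal route still refers to another instance, which is the condition the overview's step 4 requires to be false.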
