Fortinet Document Library

Version:


Table of Contents

New Features

6.2.0
Download PDF
Copy Link

Active-Passive HA support on AliCloud  6.2.1

This recipe shows how to set up FortiGate Active-Passive (A-P) High Availability (HA) on AliCloud.

Setup overview

The HA setup approach is similar to setting up HA on other cloud platforms such as AWS and is the same for both same zone and cross zone scenarios.

  1. Move elastic IP (EIP) address from old primary unit to the same port index in the new primary unit.
  2. Update all route table entries that pointed to the old primary unit and point them to the new primary unit.

    The nexthop route table entry cannot be a private IP, it must be an ENI (elastic network interface) ID.

  3. If the HA is on AliCloud, AliCloud does not rely on any configuration in the AliCloud SDN connector. You must associate a RAM role to a FortiGate instance. The RAM role must have at least the following policies:
    • AliyunECSFullAccess
    • AliyunVPCFullAccess
    • AliyunEIPFullAccess

Topology of failover event

Configuration

Configure an A-P HA cluster with four vNICs (port1 to port4) on each FortiGate VM.

Configure all network interfaces including AliCloud ENIs and FortiGate VM network interface. Select an AliCloud instance that supports at least four vNICs.

Configure the security group in each subnet for ingress and egress interfaces. The management interfaces must have egress internet access for API calls to the AliCloud metadata server.

Ensure the four vNICs are attached to each FortiGate and the static private address is assigned.

Ensure EIP1 is bound with FGT-A port4 management interface.

Ensure EIP3 is bound with FGT-A port1 external interface.

Note

As an alternative, instead of binding an EIP address with the FortiGate primary side interface, another option is to create an HAVIP (HA virtual IP) address in the VPC. Bind this HAVIP address with both the FGT-A and FGT-B external interface.

The benefit of this option is the HA doesn't need to call the VIP address to move the EIP address on the external interface so this shortens the failover time. For more information, see the AliCloud documentation.

To configure the FortiGate HA setting:
  1. Go to System > HA and set up the HA cluster.

To configure FGT-A in the CLI:
config system interface
    edit "port1"
        set mode static
        set ip 10.0.1.11 255.255.255.0
        set allowaccess ping https ssh snmp http fgfm
    next
    edit "port2"
        set ip 10.0.2.11 255.255.255.0
        set allowaccess ping https ssh snmp http telnet
    next
    edit "port3"
        set ip 10.0.3.11 255.255.255.0
        set allowaccess ping https ssh snmp http telnet
    next
    edit "port4"
        set ip 10.0.4.11 255.255.255.0
        set allowaccess ping https ssh snmp http telnet
    next
end
To configure FGT-B in the CLI:
config system interface
    edit "port1"
        set mode static
        set ip 10.0.1.12 255.255.255.0
        set allowaccess ping https ssh snmp http fgfm
    next
    edit "port2"
        set ip 10.0.2.12 255.255.255.0
        set allowaccess ping https ssh snmp http telnet
    next
    edit "port3"
        set ip 10.0.3.12 255.255.255.0
        set allowaccess ping https ssh snmp http telnet
    next
    edit "port4"
        set ip 10.0.4.12 255.255.255.0
        set allowaccess ping https ssh snmp http telnet
    next
end
To configure the FGT-A and FGT-B router in the CLI:
config router static
    edit 1
        set gateway 10.0.1.1
        set device "port1"
    next
end
To configure the FGT-A and FGT-B firewall policy in the CLI:
config firewall policy
    edit 1
        set srcintf "port2"
        set dstintf "port1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
    next
end
To configure the FGT-A HA settings in the CLI:
config system ha
    set group-name "FGT-HA"
    set mode a-p
    set hbdev "port3" 50
    set ha-mgmt-status enable
    config ha-mgmt-interfaces
        edit 1
            set interface "port4"
            set gateway 10.0.4.1
        next
    end
    set priority 128
    set unicast-hb enable
    set unicast-hb-peerip 10.0.3.12
end
To configure the FGT-B HA settings in the CLI:
Caution

The FGT-B priority must be lower than the FGT-A priority. The node with the lower priority level is the secondary node.

config system ha
    set group-name "FGT-HA"
    set mode a-p
    set hbdev "port3" 50
    set ha-mgmt-status enable
    config ha-mgmt-interfaces
        edit 1
            set interface "port4"
            set gateway 10.0.4.1
        next
    end
    set priority 64
    set unicast-hb enable
    set unicast-hb-peerip 10.0.3.21
end

Active-Passive HA support on AliCloud  6.2.1

This recipe shows how to set up FortiGate Active-Passive (A-P) High Availability (HA) on AliCloud.

Setup overview

The HA setup approach is similar to setting up HA on other cloud platforms such as AWS and is the same for both same zone and cross zone scenarios.

  1. Move elastic IP (EIP) address from old primary unit to the same port index in the new primary unit.
  2. Update all route table entries that pointed to the old primary unit and point them to the new primary unit.

    The nexthop route table entry cannot be a private IP, it must be an ENI (elastic network interface) ID.

  3. If the HA is on AliCloud, AliCloud does not rely on any configuration in the AliCloud SDN connector. You must associate a RAM role to a FortiGate instance. The RAM role must have at least the following policies:
    • AliyunECSFullAccess
    • AliyunVPCFullAccess
    • AliyunEIPFullAccess

Topology of failover event

Configuration

Configure an A-P HA cluster with four vNICs (port1 to port4) on each FortiGate VM.

Configure all network interfaces including AliCloud ENIs and FortiGate VM network interface. Select an AliCloud instance that supports at least four vNICs.

Configure the security group in each subnet for ingress and egress interfaces. The management interfaces must have egress internet access for API calls to the AliCloud metadata server.

Ensure the four vNICs are attached to each FortiGate and the static private address is assigned.

Ensure EIP1 is bound with FGT-A port4 management interface.

Ensure EIP3 is bound with FGT-A port1 external interface.

Note

As an alternative, instead of binding an EIP address with the FortiGate primary side interface, another option is to create an HAVIP (HA virtual IP) address in the VPC. Bind this HAVIP address with both the FGT-A and FGT-B external interface.

The benefit of this option is the HA doesn't need to call the VIP address to move the EIP address on the external interface so this shortens the failover time. For more information, see the AliCloud documentation.

To configure the FortiGate HA setting:
  1. Go to System > HA and set up the HA cluster.

To configure FGT-A in the CLI:
config system interface
    edit "port1"
        set mode static
        set ip 10.0.1.11 255.255.255.0
        set allowaccess ping https ssh snmp http fgfm
    next
    edit "port2"
        set ip 10.0.2.11 255.255.255.0
        set allowaccess ping https ssh snmp http telnet
    next
    edit "port3"
        set ip 10.0.3.11 255.255.255.0
        set allowaccess ping https ssh snmp http telnet
    next
    edit "port4"
        set ip 10.0.4.11 255.255.255.0
        set allowaccess ping https ssh snmp http telnet
    next
end
To configure FGT-B in the CLI:
config system interface
    edit "port1"
        set mode static
        set ip 10.0.1.12 255.255.255.0
        set allowaccess ping https ssh snmp http fgfm
    next
    edit "port2"
        set ip 10.0.2.12 255.255.255.0
        set allowaccess ping https ssh snmp http telnet
    next
    edit "port3"
        set ip 10.0.3.12 255.255.255.0
        set allowaccess ping https ssh snmp http telnet
    next
    edit "port4"
        set ip 10.0.4.12 255.255.255.0
        set allowaccess ping https ssh snmp http telnet
    next
end
To configure the FGT-A and FGT-B router in the CLI:
config router static
    edit 1
        set gateway 10.0.1.1
        set device "port1"
    next
end
To configure the FGT-A and FGT-B firewall policy in the CLI:
config firewall policy
    edit 1
        set srcintf "port2"
        set dstintf "port1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
    next
end
To configure the FGT-A HA settings in the CLI:
config system ha
    set group-name "FGT-HA"
    set mode a-p
    set hbdev "port3" 50
    set ha-mgmt-status enable
    config ha-mgmt-interfaces
        edit 1
            set interface "port4"
            set gateway 10.0.4.1
        next
    end
    set priority 128
    set unicast-hb enable
    set unicast-hb-peerip 10.0.3.12
end
To configure the FGT-B HA settings in the CLI:
Caution

The FGT-B priority must be lower than the FGT-A priority. The node with the lower priority level is the secondary node.

config system ha
    set group-name "FGT-HA"
    set mode a-p
    set hbdev "port3" 50
    set ha-mgmt-status enable
    config ha-mgmt-interfaces
        edit 1
            set interface "port4"
            set gateway 10.0.4.1
        next
    end
    set priority 64
    set unicast-hb enable
    set unicast-hb-peerip 10.0.3.21
end