Active-Passive HA support on AliCloud 6.2.1
This recipe shows how to set up FortiGate Active-Passive (A-P) High Availability (HA) on AliCloud.
Setup overview
The HA setup approach is similar to setting up HA on other cloud platforms such as AWS, and is the same for both same-zone and cross-zone scenarios. On a failover, the new primary unit performs two actions through the AliCloud API:
- Move each elastic IP (EIP) address from the old primary unit to the same port index on the new primary unit.
- Update every route table entry that pointed to the old primary unit so that it points to the new primary unit. The next hop of a route table entry cannot be a private IP address; it must be an ENI (elastic network interface) ID.
HA on AliCloud does not rely on any configuration in the AliCloud SDN connector. Instead, you must associate a RAM role with each FortiGate instance so that it can make these API calls. The RAM role must have at least the following policies:
- AliyunECSFullAccess
- AliyunVPCFullAccess
- AliyunEIPFullAccess
These policies are broad. If your organization requires least privilege, scope a custom policy to the EIP, route entry and ENI actions that the failover needs and verify the failover still succeeds with it.
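The following planner is an added example, not Fortinet's code, that models the two failover actions above as a list of AliCloud API operations: each EIP bound to an old-primary ENI is re-bound to the ENI at the same port index on the new primary, and each route entry whose next hop is an old-primary ENI is replaced by one pointing at the corresponding new-primary ENI. It also enforces the constraint that a next hop must be an ENI ID and not a private IP. All ENI, EIP and route table identifiers are constructed placeholders; the action and parameter names (AssociateEipAddress, UnassociateEipAddress, DeleteRouteEntry, CreateRouteEntry) follow the AliCloud VPC API as I know it and should be checked against the current API reference before use. The `keep_ports` parameter is an assumption that a dedicated HA management port keeps its own EIP.

```python
"""Plan the AliCloud-side operations for an A-P failover (added example)."""
import re
from dataclasses import dataclass

ENI_ID = re.compile(r"^eni-[0-9a-z]+$")


def is_eni_id(value):
    """True only for an ENI ID; a private IP such as 10.0.2.11 fails."""
    return bool(ENI_ID.match(value))


@dataclass
class Unit:
    name: str
    enis: list  # ENI IDs by port index: enis[0] is port1, enis[3] is port4


@dataclass
class RouteEntry:
    route_table_id: str
    destination: str      # DestinationCidrBlock
    next_hop_type: str    # "NetworkInterface", "Local", ...
    next_hop_id: str


def plan_failover(old, new, eip_bindings, routes, keep_ports=frozenset()):
    """Return the ordered API operations (as dicts) that move traffic to `new`.

    eip_bindings maps AllocationId -> ENI the EIP is currently bound to.
    keep_ports lists 1-based port indexes whose EIP stays with the old unit
    (assumption: a dedicated HA management port keeps its own EIP).
    """
    if len(old.enis) != len(new.enis):
        raise ValueError("both units must expose the same number of vNICs")
    for eni in old.enis + new.enis:
        if not is_eni_id(eni):
            raise ValueError(f"not an ENI ID: {eni!r}")
    old_to_new = dict(zip(old.enis, new.enis))   # same port index on each side
    keep = {old.enis[p - 1] for p in keep_ports}
    ops = []
    for alloc_id, eni in eip_bindings.items():
        if eni in old_to_new and eni not in keep:
            ops.append({"action": "UnassociateEipAddress", "AllocationId": alloc_id,
                        "InstanceId": eni, "InstanceType": "NetworkInterface"})
            ops.append({"action": "AssociateEipAddress", "AllocationId": alloc_id,
                        "InstanceId": old_to_new[eni], "InstanceType": "NetworkInterface"})
    for r in routes:
        if r.next_hop_type != "NetworkInterface":
            continue   # system/local routes are not pointed at a FortiGate
        if not is_eni_id(r.next_hop_id):
            # AliCloud does not accept a private IP as next hop; catch it early
            raise ValueError(f"route {r.destination}: next hop must be an ENI ID, "
                             f"got {r.next_hop_id!r}")
        if r.next_hop_id in old_to_new:
            ops.append({"action": "DeleteRouteEntry", "RouteTableId": r.route_table_id,
                        "DestinationCidrBlock": r.destination, "NextHopId": r.next_hop_id})
            ops.append({"action": "CreateRouteEntry", "RouteTableId": r.route_table_id,
                        "DestinationCidrBlock": r.destination,
                        "NextHopType": "NetworkInterface",
                        "NextHopId": old_to_new[r.next_hop_id]})
    return ops


if __name__ == "__main__":
    # Constructed sample topology: four vNICs per unit, EIP3 on port1 of the
    # primary, a default route in table vtb-1 pointing at the primary's port2.
    fgt_a = Unit("FGT-A", ["eni-a1", "eni-a2", "eni-a3", "eni-a4"])
    fgt_b = Unit("FGT-B", ["eni-b1", "eni-b2", "eni-b3", "eni-b4"])
    bindings = {"eip-1": "eni-a4", "eip-2": "eni-b4", "eip-3": "eni-a1"}
    routes = [RouteEntry("vtb-1", "0.0.0.0/0", "NetworkInterface", "eni-a2"),
              RouteEntry("vtb-1", "10.0.0.0/16", "Local", "")]
    for op in plan_failover(fgt_a, fgt_b, bindings, routes, keep_ports={4}):
        print(op)
```

The delete-then-create pair leaves a short window with no route for that destination; if the VPC API in your region supports modifying a route entry's next hop in place, a single modify operation is preferable.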
Topology of failover event
Configuration
Configure an A-P HA cluster with four vNICs (port1 to port4) on each FortiGate VM.
Configure all network interfaces including AliCloud ENIs and FortiGate VM network interface. Select an AliCloud instance that supports at least four vNICs.
Configure the security group in each subnet for the ingress and egress interfaces. The management interfaces must have egress internet access so that the FortiGate can reach the AliCloud API endpoints during a failover (the instance metadata service, from which the FortiGate obtains the RAM role's temporary credentials, is link-local and does not need internet access).
Ensure the four vNICs are attached to each FortiGate and that a static private address is assigned to each.
Ensure EIP1 is bound with FGT-A port4 management interface.
Ensure EIP3 is bound with FGT-A port1 external interface.
As an alternative to binding an EIP address to the primary FortiGate's external interface, you can create an HAVIP (HA virtual IP) address in the VPC and bind it to the external interface of both FGT-A and FGT-B. With an HAVIP, the failover does not need to call the API to move the EIP address on the external interface, which shortens the failover time. For more information, see the AliCloud documentation.
To configure the FortiGate HA setting:
- Go to System > HA and set up the HA cluster.
To configure FGT-A in the CLI (the allowaccess lists below enable http and telnet, which are unencrypted; keep them off any interface that is reachable from outside the VPC):
    config system interface
        edit "port1"
            set mode static
            set ip 10.0.1.11 255.255.255.0
            set allowaccess ping https ssh snmp http fgfm
        next
        edit "port2"
            set mode static
            set ip 10.0.2.11 255.255.255.0
            set allowaccess ping https ssh snmp http telnet
        next
        edit "port3"
            set mode static
            set ip 10.0.3.11 255.255.255.0
            set allowaccess ping https ssh snmp http telnet
        next
        edit "port4"
            set mode static
            set ip 10.0.4.11 255.255.255.0
            set allowaccess ping https ssh snmp http telnet
        next
    end
To configure FGT-B in the CLI:
    config system interface
        edit "port1"
            set mode static
            set ip 10.0.1.12 255.255.255.0
            set allowaccess ping https ssh snmp http fgfm
        next
        edit "port2"
            set mode static
            set ip 10.0.2.12 255.255.255.0
            set allowaccess ping https ssh snmp http telnet
        next
        edit "port3"
            set mode static
            set ip 10.0.3.12 255.255.255.0
            set allowaccess ping https ssh snmp http telnet
        next
        edit "port4"
            set mode static
            set ip 10.0.4.12 255.255.255.0
            set allowaccess ping https ssh snmp http telnet
        next
    end
To configure the FGT-A and FGT-B static route in the CLI:
    config router static
        edit 1
            set gateway 10.0.1.1
            set device "port1"
        next
    end
To configure the FGT-A and FGT-B firewall policy in the CLI:
    config firewall policy
        edit 1
            set srcintf "port2"
            set dstintf "port1"
            set srcaddr "all"
            set dstaddr "all"
            set action accept
            set schedule "always"
            set service "ALL"
            set nat enable
        next
    end
To configure the FGT-A HA settings in the CLI:
    config system ha
        set group-name "FGT-HA"
        set mode a-p
        set hbdev "port3" 50
        set ha-mgmt-status enable
        config ha-mgmt-interfaces
            edit 1
                set interface "port4"
                set gateway 10.0.4.1
            next
        end
        set priority 128
        set unicast-hb enable
        set unicast-hb-peerip 10.0.3.12
    end
To configure the FGT-B HA settings in the CLI:
FGT-B must have a lower priority than FGT-A; the unit with the lower priority becomes the secondary node. The unicast heartbeat peer IP on each unit is the port3 address of the other unit: 10.0.3.12 on FGT-A and 10.0.3.11 on FGT-B.
    config system ha
        set group-name "FGT-HA"
        set mode a-p
        set hbdev "port3" 50
        set ha-mgmt-status enable
        config ha-mgmt-interfaces
            edit 1
                set interface "port4"
                set gateway 10.0.4.1
            next
        end
        set priority 64
        set unicast-hb enable
        set unicast-hb-peerip 10.0.3.11
    end
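A mismatched unicast-hb-peerip is the kind of error that leaves both units believing they are primary. The following checker is an added example, not Fortinet code: it reads FortiOS CLI fragments with a minimal parser for the config/edit/set/next/end grammar and verifies that the two units agree on group-name, mode and hbdev, use different priorities, and point unicast-hb-peerip at each other's heartbeat interface address. The sample configs are constructed, reduced copies of the FGT-A and FGT-B settings above (port3 plus the HA block), and the second FGT-B variant carries a deliberately wrong peer IP.

```python
"""Cross-check the HA settings of an A-P pair (added example)."""
import shlex


def parse_fortios(text):
    """Return nested dicts: config/edit open a node, set stores a value list."""
    root, stack = {}, []
    stack.append(root)
    for raw in text.splitlines():
        tok = shlex.split(raw)          # strips the quotes around "port3" etc.
        if not tok:
            continue
        kw = tok[0]
        if kw in ("config", "edit"):
            node = stack[-1].setdefault(" ".join(tok[1:]), {})
            stack.append(node)
        elif kw == "set":
            stack[-1][tok[1]] = tok[2:]
        elif kw in ("next", "end"):
            stack.pop()
        else:
            raise ValueError(f"unexpected line: {raw!r}")
    if len(stack) != 1:
        raise ValueError("unbalanced config/end")
    return root


def heartbeat_ip(cfg):
    """IP of the interface named in 'set hbdev' (the unicast heartbeat source)."""
    dev = cfg["system ha"]["hbdev"][0]
    return cfg["system interface"][dev]["ip"][0]


def check_ha_pair(a, b):
    """Return a list of findings; an empty list means the pair is consistent."""
    ha_a, ha_b = a["system ha"], b["system ha"]
    findings = []
    for key in ("group-name", "mode", "hbdev"):
        if ha_a.get(key) != ha_b.get(key):
            findings.append(f"{key} differs: {ha_a.get(key)} vs {ha_b.get(key)}")
    if ha_a.get("priority") == ha_b.get("priority"):
        findings.append("priorities are equal; set a higher value on the intended primary")
    # Each unit's peer IP must be the other unit's heartbeat interface address.
    for name, cfg, peer in (("A", ha_a, b), ("B", ha_b, a)):
        want = heartbeat_ip(peer)
        got = cfg.get("unicast-hb-peerip", [None])[0]
        if got != want:
            findings.append(f"unit {name}: unicast-hb-peerip is {got}, "
                            f"peer heartbeat IP is {want}")
    return findings


def unit_config(own_ip, priority, peer_ip):
    """Constructed, reduced copy of the per-unit settings above (port3 + HA)."""
    return f"""
config system interface
    edit "port3"
        set mode static
        set ip {own_ip} 255.255.255.0
    next
end
config system ha
    set group-name "FGT-HA"
    set mode a-p
    set hbdev "port3" 50
    set priority {priority}
    set unicast-hb enable
    set unicast-hb-peerip {peer_ip}
end
"""


FGT_A = parse_fortios(unit_config("10.0.3.11", 128, "10.0.3.12"))
FGT_B_OK = parse_fortios(unit_config("10.0.3.12", 64, "10.0.3.11"))
FGT_B_TYPO = parse_fortios(unit_config("10.0.3.12", 64, "10.0.3.21"))  # wrong peer

if __name__ == "__main__":
    print("consistent pair:", check_ha_pair(FGT_A, FGT_B_OK))
    print("typo pair:", check_ha_pair(FGT_A, FGT_B_TYPO))
```

The parser handles only the flat grammar used in these fragments; a full `show full-configuration` export contains constructs (such as `unset` and multi-line values) it does not cover.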