Fortinet Document Library

New Features 6.2.0
Autoscale with Transit GW support (6.2.1)

FortiGate autoscaling on AWS now supports Transit Gateway. When a FortiGate is the VPN termination point behind a Transit Gateway, it scales with the Transit Gateway and dynamically changes its VPN and routing configuration, while HA configuration synchronization is preserved.

The VPN and routing information can be configured by an administrator, or added by a Lambda function or other AWS component.

The following VDOM exception objects are now available:

config system vdom-exception
    edit <id>
        vpn.ipsec.phase1-interface
        vpn.ipsec.phase2-interface
        router.bgp
        router.route-map
        router.prefix-list
        firewall.ippool
    next
end
Note

Autoscale must be enabled for the VDOM exceptions to be available:

config system auto-scale
    set status enable
end

Autoscale cannot be disabled while VDOM exception entries are in use.

To configure autoscaling on FortiGate devices in HA for AWS Transit Gateway:
  1. Configure VDOM exceptions on the primary FortiGate. These settings will also be propagated to the secondary HA device.
    config system vdom-exception
        edit 1
            set object vpn.ipsec.phase1-interface
        next
        edit 2
            set object vpn.ipsec.phase2-interface
        next
        edit 3
            set object router.bgp
        next
        edit 4
            set object router.route-map
        next
        edit 5
            set object router.prefix-list
        next
        edit 6
            set object firewall.ippool
        next
    end
  2. On the primary FortiGate, configure an item under the following CMDB paths:
    config vpn ipsec phase1-interface
        edit "1"
            set interface "port1"
            set peertype any
            set net-device disable
            set proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1
            set remote-gw 2.2.2.2
            set psksecret ********
        next
    end
    config vpn ipsec phase2-interface
        edit "1"
            set phase1name "1"
            set proposal aes128-sha1 aes256-sha1 aes128-sha256 aes256-sha256 aes128gcm aes256gcm chacha20poly1305
        next
    end
    config router bgp
        config redistribute "connected"
            set status enable
        end
    end
    config router route-map
        edit "1"
        next
    end
    config router prefix-list
        edit "1"
        next
    end
    config firewall ippool
        edit "1"
            set startip 1.1.1.1
            set endip 1.1.1.10
        next
    end
  3. On the secondary device, confirm that the objects under those CMDB paths were not synchronized (each block shows no entries):
    show vpn ipsec phase1-interface
        config vpn ipsec phase1-interface
        end
    show vpn ipsec phase2-interface
        config vpn ipsec phase2-interface
        end
    show router bgp
        config router bgp
            config redistribute "connected"
            end
            ...
    show router route-map
        config router route-map
        end
    show router prefix-list
        config router prefix-list
        end
    show firewall ippool
        config firewall ippool
        end
  4. Run the following on both the primary and secondary devices and confirm that the HA cluster checksums match:
    # diagnose sys ha checksum show
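Steps 3 and 4 are manual eyeballing of CLI output; the following Python is an added example (not Fortinet's code) that automates both checks from captured output. It parses the `show` blocks as the page prints them, reports any excepted object that still carries entries or settings on the secondary (a sync leak that would let one instance's VPN peers, BGP state or IP pool overwrite another's), and compares the checksum lines of both units. The sample outputs are constructed to mirror the procedure above; the line layout assumed for `diagnose sys ha checksum show` (a `checksum` header followed by `<scope>: <hex bytes>` lines) is an assumption, not taken from the page.

```python
"""Added example, not Fortinet's code: verify VDOM exceptions on the secondary
unit and compare HA checksums. Sample CLI output below is constructed."""
import re

# The six objects the page lists under `config system vdom-exception`.
VDOM_EXCEPTIONS = [
    "vpn.ipsec.phase1-interface",
    "vpn.ipsec.phase2-interface",
    "router.bgp",
    "router.route-map",
    "router.prefix-list",
    "firewall.ippool",
]


def cli_path(obj: str) -> str:
    """'vpn.ipsec.phase1-interface' -> 'vpn ipsec phase1-interface' (the `config` path)."""
    return obj.replace(".", " ")


def parse_show(output: str) -> dict:
    """Return {top-level config path: {"edits": [...], "sets": [...]}}.

    Only the outermost `config ...` names the CMDB path; nested tables such as
    `config redistribute "connected"` under `router bgp` fold into their parent.
    """
    blocks, stack, current = {}, [], None
    for raw in output.splitlines():
        line = raw.strip()
        if not line or line == "..." or line.startswith("show "):
            continue
        if line.startswith("config "):
            name = line[len("config "):]
            if not stack:
                current = blocks.setdefault(name, {"edits": [], "sets": []})
            stack.append(name)
        elif line == "end":
            stack.pop()
            if not stack:
                current = None
        elif current is not None and line.startswith("edit "):
            current["edits"].append(line[len("edit "):].strip('"'))
        elif current is not None and line.startswith(("set ", "unset ")):
            current["sets"].append(line)
    return blocks


def leaked_paths(secondary_show: str, exceptions=VDOM_EXCEPTIONS) -> list:
    """Excepted objects that still carry entries or settings on the secondary.

    An empty list is the expected result of step 3; anything listed was synced
    despite the exception and needs investigation before the cluster is trusted.
    """
    blocks = parse_show(secondary_show)
    return [obj for obj in exceptions
            if (b := blocks.get(cli_path(obj))) and (b["edits"] or b["sets"])]


def parse_ha_checksums(output: str) -> dict:
    """Collect '<scope>: <hex bytes>' lines after a 'checksum' header (assumed layout)."""
    sums, in_section = {}, False
    for raw in output.splitlines():
        line = raw.strip()
        if line == "checksum":
            in_section = True
            continue
        m = re.fullmatch(r"(\w+):\s*([0-9a-f]{2}(?: [0-9a-f]{2})*)", line)
        if in_section and m:
            sums[m.group(1)] = m.group(2).replace(" ", "")
    return sums


def checksums_match(primary_out: str, secondary_out: str) -> bool:
    """True only when both units report the same non-empty set of checksums."""
    p, s = parse_ha_checksums(primary_out), parse_ha_checksums(secondary_out)
    return bool(p) and p == s


# Constructed secondary output mirroring step 3 (all excepted paths empty).
SECONDARY_SHOW = """\
show vpn ipsec phase1-interface
    config vpn ipsec phase1-interface
    end
show vpn ipsec phase2-interface
    config vpn ipsec phase2-interface
    end
show router bgp
    config router bgp
        config redistribute "connected"
        end
    end
show router route-map
    config router route-map
    end
show router prefix-list
    config router prefix-list
    end
show firewall ippool
    config firewall ippool
    end
"""

# Constructed failure case: the IP pool from step 2 was synced to the secondary.
LEAKED_SHOW = SECONDARY_SHOW.replace(
    'config firewall ippool\n    end',
    'config firewall ippool\n        edit "1"\n            set startip 1.1.1.1\n'
    '            set endip 1.1.1.10\n        next\n    end',
)

# Constructed checksum output (layout assumed, values made up).
PRIMARY_CHECKSUM = "checksum\nglobal: 1a 2b 3c 4d\nroot: 5e 6f 70 81\nall: 92 a3 b4 c5\n"
SECONDARY_CHECKSUM = PRIMARY_CHECKSUM
DRIFTED_CHECKSUM = PRIMARY_CHECKSUM.replace("root: 5e 6f 70 81", "root: 5e 6f 70 82")

if __name__ == "__main__":
    print("leaked on secondary:", leaked_paths(SECONDARY_SHOW))                    # []
    print("leaked (failure case):", leaked_paths(LEAKED_SHOW))                     # ['firewall.ippool']
    print("checksums match:", checksums_match(PRIMARY_CHECKSUM, SECONDARY_CHECKSUM))  # True
```

Feed `leaked_paths` the concatenated `show` output captured from the secondary and `checksums_match` the checksum output from each unit; a non-empty leak list or a `False` match is the condition step 3 and step 4 are meant to catch, and is worth alerting on from whatever collects the CLI output in the autoscale group.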
