Autoscale with Transit GW support 6.2.1
FortiGate autoscaling on AWS now supports Transit Gateway. When a FortiGate is located at the VPN termination point of a Transit Gateway, it scales and dynamically changes its VPN and routing configuration as the Transit Gateway scales, while HA configuration synchronization is preserved.
The VPN and routing information can be configured by an administrator, or added by a Lambda function or other AWS component.
The following VDOM exception objects are now available:
```
config system vdom-exception
    edit <id>
        vpn.ipsec.phase1-interface
        vpn.ipsec.phase2-interface
        router.bgp
        router.route-map
        router.prefix-list
        firewall.ippool
    next
end
```
Autoscale must be enabled for the VDOM exceptions to be available:
```
config system auto-scale
    set status enable
end
```
Autoscale cannot be disabled while VDOM exception entries are in use.
To configure autoscaling on FortiGate devices in HA for AWS Transit Gateway:
- Configure VDOM exceptions on the primary FortiGate. These settings will also be propagated to the secondary HA device.
```
config system vdom-exception
    edit 1
        set object vpn.ipsec.phase1-interface
    next
    edit 2
        set object vpn.ipsec.phase2-interface
    next
    edit 3
        set object router.bgp
    next
    edit 4
        set object router.route-map
    next
    edit 5
        set object router.prefix-list
    next
    edit 6
        set object firewall.ippool
    next
end
```
- On the primary FortiGate, configure an item under the following CMDB paths:
```
config vpn ipsec phase1-interface
    edit "1"
        set interface "port1"
        set peertype any
        set net-device disable
        set proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1
        set remote-gw 2.2.2.2
        set psksecret ********
    next
end
config vpn ipsec phase2-interface
    edit "1"
        set phase1name "1"
        set proposal aes128-sha1 aes256-sha1 aes128-sha256 aes256-sha256 aes128gcm aes256gcm chacha20poly1305
    next
end
config router bgp
    config redistribute "connected"
        set status enable
    end
end
config router route-map
    edit "1"
    next
end
config router prefix-list
    edit "1"
    next
end
config firewall ippool
    edit "1"
        set startip 1.1.1.1
        set endip 1.1.1.10
    next
end
```
- On the secondary device, confirm that the items under these CMDB paths were not synchronized:
```
show vpn ipsec phase1-interface
config vpn ipsec phase1-interface
end
show vpn ipsec phase2-interface
config vpn ipsec phase2-interface
end
show router bgp
config router bgp
    config redistribute "connected"
    end
    ...
show router route-map
config router route-map
end
show router prefix-list
config router prefix-list
end
show firewall ippool
config firewall ippool
end
```
- Confirm that the HA cluster checksum is the same on both the primary and secondary devices:
```
# diagnose sys ha checksum show
# diagnose sys ha checksum show
```
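As an added example (not part of this page or of FortiOS), the following Python parses the `config`/`edit`/`set`/`next`/`end` CLI text shown in the steps above and checks two preconditions of the procedure: that autoscale is enabled and that every object the Transit Gateway setup relies on has a VDOM exception, so none of it would be overwritten on the secondary by HA sync. The parser, the `REQUIRED_EXCEPTIONS` set and the sample configuration are assumptions constructed here from the objects listed on this page.

```python
import shlex

# Objects this page excludes from HA sync for Transit Gateway autoscaling.
REQUIRED_EXCEPTIONS = {
    "vpn.ipsec.phase1-interface", "vpn.ipsec.phase2-interface", "router.bgp",
    "router.route-map", "router.prefix-list", "firewall.ippool",
}

def parse_fortios_config(text):
    """Parse 'config/edit/set/next/end' CLI text into nested dicts: table keys
    are the words after 'config', entry keys the 'edit' name, 'set' values lists."""
    root = {}
    stack = [root]
    for raw in text.splitlines():
        words = shlex.split(raw)  # tolerates quoted values such as "port1"
        if not words:
            continue
        keyword, args = words[0], words[1:]
        if keyword == "config":
            stack.append(stack[-1].setdefault(" ".join(args), {}))
        elif keyword == "edit":
            stack.append(stack[-1].setdefault(args[0], {}))
        elif keyword == "set":
            stack[-1][args[0]] = args[1:]
        elif keyword in ("next", "end") and len(stack) > 1:
            stack.pop()
    return root

def autoscale_enabled(config_text):
    tree = parse_fortios_config(config_text)
    return tree.get("system auto-scale", {}).get("status") == ["enable"]

def vdom_exceptions(config_text):
    table = parse_fortios_config(config_text).get("system vdom-exception", {})
    return {e["object"][0] for e in table.values() if e.get("object")}

def missing_exceptions(config_text):
    """Required objects that would still be HA-synchronized to the secondary."""
    return REQUIRED_EXCEPTIONS - vdom_exceptions(config_text)

def render_exceptions(objects):
    """Emit the 'config system vdom-exception' CLI block for the given objects."""
    lines = ["config system vdom-exception"]
    for i, obj in enumerate(objects, 1):
        lines += [f"    edit {i}", f"        set object {obj}", "    next"]
    return "\n".join(lines + ["end", ""])

# Constructed sample: autoscale enabled, but firewall.ippool not yet excepted.
SAMPLE_CONFIG = "config system auto-scale\n    set status enable\nend\n" + \
    render_exceptions(sorted(REQUIRED_EXCEPTIONS - {"firewall.ippool"}))
```

Running `missing_exceptions(SAMPLE_CONFIG)` on the sample reports `{'firewall.ippool'}`, the one object that would still be pushed to the secondary.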