High Availability between Availability Domains

Support for Active-Passive HA (High Availability) between Availability Domains (ADs) in Oracle Cloud.

This feature adds another layer of redundancy to ensure uptime if a catastrophic failure takes out an entire availability domain. You can now deploy FortiGate units across Availability Domains in HA A-P configurations.

Following is an example structure:

  • 1 VCN 10.0.0.0/16 CIDR:
    • 8 Subnets:
      • 4 in Availability Domain 1 - Primary FGTA has a NIC in each of these:
        • Public - 10.0.0.0/24 EIP
        • Internal - 10.0.1.0/24
        • Heartbeat - 10.0.2.0/24
        • Management - 10.0.3.0/24 EIP
      • 4 in Availability Domain 2 - Secondary FGTB has a NIC in each of these:
        • Public - 10.0.10.0/24
        • Internal - 10.0.11.0/24
        • Heartbeat - 10.0.12.0/24
        • Management - 10.0.13.0/24 EIP
  • 3 OCI Routing Tables:
    • For Public, add default route to Internet Gateway
    • For Internal, add default to Primary FGT internal NIC
    • For all others, use a default route table with no rules, but a local peering gateway so traffic can traverse across subnets in the same VCN

Following is a sample configuration:

    config system ha
        set group-name "test"
        set mode a-p
        set hbdev "port3" 50
        set ha-mgmt-status enable
        config ha-mgmt-interfaces
            edit 1
                set interface "port4"
                set gateway 10.0.103.1
            next
        end
        set override disable
        set priority 1
        set unicast-hb enable
        set unicast-hb-peerip 10.0.2.11   <--- IP of other FortiGate for heartbeat and sync
    end

After HA has synchronized, shut down the primary to trigger a failover. The following example shows that the failover was successful. Note that the failover public IP moves from the primary to the secondary, and the routing table for the internal subnet is also moved.
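As an added example (not from this Fortinet page), a Python check that validates the example structure and the sample HA configuration together: it confirms every subnet sits inside the VCN without overlap, locates the unicast heartbeat peer in a heartbeat subnet, and checks the HA management gateway against the management subnets. The subnet labels and the trimmed copy of the sample configuration embedded in the code are constructed from the values given on this page.

```python
import ipaddress
import re

# Topology from the example structure on this page; the names are constructed labels.
VCN = ipaddress.ip_network("10.0.0.0/16")
SUBNETS = {
    "AD1-Public": "10.0.0.0/24", "AD1-Internal": "10.0.1.0/24",
    "AD1-Heartbeat": "10.0.2.0/24", "AD1-Management": "10.0.3.0/24",
    "AD2-Public": "10.0.10.0/24", "AD2-Internal": "10.0.11.0/24",
    "AD2-Heartbeat": "10.0.12.0/24", "AD2-Management": "10.0.13.0/24",
}

# Address-bearing lines of the sample 'config system ha' block on this page.
SAMPLE_HA = """config system ha
    config ha-mgmt-interfaces
        edit 1
            set gateway 10.0.103.1
        next
    end
    set unicast-hb-peerip 10.0.2.11
end"""

def subnet_name(ip):
    """Return the name of the subnet containing ip, or None if no subnet does."""
    addr = ipaddress.ip_address(ip)
    for name, cidr in SUBNETS.items():
        if addr in ipaddress.ip_network(cidr):
            return name
    return None

def parse_ha(text):
    """Extract the heartbeat peer and HA-management gateway from a config block."""
    peer = re.search(r"set unicast-hb-peerip\s+(\S+)", text)
    gw = re.search(r"set gateway\s+(\S+)", text)
    return {"unicast-hb-peerip": peer and peer.group(1), "gateway": gw and gw.group(1)}

def check_design(text):
    """Return a list of findings; an empty list means the design is consistent."""
    findings = []
    nets = [ipaddress.ip_network(c) for c in SUBNETS.values()]
    for i, a in enumerate(nets):
        if not a.subnet_of(VCN):
            findings.append(f"{a} is outside VCN {VCN}")
        findings += [f"{a} overlaps {b}" for b in nets[i + 1:] if a.overlaps(b)]
    ha = parse_ha(text)
    for key, role in (("unicast-hb-peerip", "Heartbeat"), ("gateway", "Management")):
        net = subnet_name(ha[key]) if ha[key] else None
        if net is None or role not in net:
            findings.append(f"{key} {ha[key]} is not in a {role.lower()} subnet")
    return findings
```

Run against the page's sample, it reports that the HA management gateway 10.0.103.1 lies outside both listed management subnets (10.0.3.0/24 and 10.0.13.0/24), so verify that value against your own deployment before applying the configuration.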