Fortinet Document Library

New Features

6.2.0

High Availability Between Availability Domains

Support for Active-Passive HA (High Availability) between Availability Domains (ADs) in Oracle Cloud.

This feature adds another layer of redundancy to ensure uptime if a catastrophic failure occurs to an entire availability zone. You can now deploy FortiGate units across Availability Domains in HA A-P configurations.

Following is an example structure:

  • 1 VCN 10.0.0.0/16 CIDR:
    • 8 Subnets:
      • 4 in Availability Domain 1 - Master FGTA has a NIC in each of these:
        • Public - 10.0.0.0/24 EIP
        • Internal - 10.0.1.0/24
        • Heartbeat - 10.0.2.0/24
        • Management - 10.0.3.0/24 EIP
      • 4 in Availability Domain 2 - Slave FGTB has a NIC in each of these:
        • Public - 10.0.10.0/24
        • Internal - 10.0.11.0/24
        • Heartbeat - 10.0.12.0/24
        • Management - 10.0.13.0/24 EIP
  • 3 OCI Routing Tables:
    • For Public, add a default route to the Internet Gateway
    • For Internal, add a default route to the Master FGT internal NIC
    • For all others, use a default route table with no rules, but a local peering gateway so traffic can traverse across subnets in the same VCN

Following is a sample configuration:

config system ha
    set group-name "test"
    set mode a-p
    set hbdev "port3" 50
    set ha-mgmt-status enable
    config ha-mgmt-interfaces
        edit 1
            set interface "port4"
            set gateway 10.0.103.1
        next
    end
    set override disable
    set priority 1
    set unicast-hb enable
    set unicast-hb-peerip 10.0.2.11 <--- IP of other FortiGate for heartbeat and sync
end

After HA has synchronized, shut down the master to trigger a failover. The following example shows that the failover was successful. Note that the failover public IP moves from master to slave, and the routing table for internal addresses is also moved.
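As an added check (not Fortinet's code), here is a small parser for the FortiOS CLI block format used above, plus a function that verifies the cross-AD A-P requirements listed on this page: mode a-p, a heartbeat device with unicast heartbeat and a peer IP inside the other FortiGate's heartbeat subnet, and a dedicated HA management interface with a gateway. The peer heartbeat subnet is an assumption supplied by the caller, since the page's block does not say which unit it was taken from.

```python
import ipaddress
# Constructed sample: this page's "config system ha" block pasted as plain text.
SAMPLE = """config system ha
    set group-name "test"
    set mode a-p
    set hbdev "port3" 50
    set ha-mgmt-status enable
    config ha-mgmt-interfaces
        edit 1
            set interface "port4"
            set gateway 10.0.103.1
        next
    end
    set override disable
    set priority 1
    set unicast-hb enable
    set unicast-hb-peerip 10.0.2.11 <--- IP of other FortiGate for heartbeat and sync
end"""

def parse_fortios(text):
    """Parse FortiOS CLI text into nested scopes of set/config/edit dicts."""
    root = {"set": {}, "config": {}, "edit": {}}
    stack = [root]
    for raw in text.splitlines():
        tokens = raw.split("<---")[0].replace('"', "").split()  # drop annotations
        if tokens and tokens[0] in ("config", "edit"):          # open a scope
            node = {"set": {}, "config": {}, "edit": {}}
            stack[-1][tokens[0]][" ".join(tokens[1:])] = node
            stack.append(node)
        elif tokens and tokens[0] in ("next", "end"):           # close a scope
            stack.pop()
        elif tokens and tokens[0] == "set":
            stack[-1]["set"][tokens[1]] = tokens[2:]
    return root
def check_cross_ad_ha(cfg, peer_heartbeat_subnet):
    """Findings for an A-P HA block whose peer FortiGate sits in the other AD."""
    ha = cfg["config"]["system ha"]
    s, findings = ha["set"], []
    if s.get("mode") != ["a-p"] or "hbdev" not in s or s.get("unicast-hb") != ["enable"]:
        findings.append("need mode a-p, an hbdev, and unicast-hb enable")
    try:  # the peer IP must lie in the other FortiGate's heartbeat subnet
        peer = ipaddress.ip_address(s.get("unicast-hb-peerip", [""])[0])
        if peer not in ipaddress.ip_network(peer_heartbeat_subnet):
            findings.append(f"peer IP {peer} not in {peer_heartbeat_subnet}")
    except ValueError:
        findings.append("unicast-hb-peerip missing or not an IP address")
    mgmt = ha["config"].get("ha-mgmt-interfaces", {"edit": {}})["edit"].values()
    if s.get("ha-mgmt-status") != ["enable"] or not any("gateway" in e["set"] for e in mgmt):
        findings.append("no HA management interface with a gateway")
    return findings
```

Run `check_cross_ad_ha(parse_fortios(SAMPLE), "10.0.2.0/24")` against each unit's block before triggering the failover test; an empty list means the block meets the checks above.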
