Fortinet Document Library

Version:


Table of Contents

New Features

6.2.0
Download PDF
Copy Link

Cross AZ High Availability support

FortiGate High Availability (Active/Passive) can be deployed in AWS across Availability Zones (AZs).

With FortiGates of an HA pair in separate AZs, one FortiGate can remain operational if the other AZ fails.

This configuration supports the following HA features:

  • Config synchronization
  • IP failover
  • Route failover

The following HA features are not supported with this configuration:

  • Session pickup
  • Session synchronization

Topology

FortiOS uses a normal HA configuration that uses unicast.

AWS uses the following configuration:

  • 1 VPC 10.0.0.0/16 CIDR
    • 8 Subnets
      • 4 in Availability Zone A - Primary FGTA has a NIC in each of these:
        • Public: 10.0.0.0/24 EIP
        • Internal: 10.0.1.0/24
        • Heartbeat: 10.0.2.0/24
        • Management: 10.0.3.0/24 EIP
      • 4 in Availability Zone B - Secondary FGTB has a NIC in each of these:
        • Public            10.0.10.0/24
        • Internal          10.0.11.0/24
        • Heartbeat      10.0.12.0/24
        • Management 10.0.13.0/24 EIP
  • 3 AWS UDR Routing Tables
    • For Public, add default route to Internet Gateway
    • For Internal, add default to primary FortiGate internal NIC
    • For all others, leave it default with AWS local address

Example

The configuration is the same as regular AWS HA unicast peering.

On the primary device:

config system interface
    edit "port1"
        set vdom "root"
        set ip 10.0.0.11 255.255.255.0
        set allowaccess ping https ssh snmp http telnet fgfm radius-acct probe-response capwap ftm
        set type physical
        set snmp-index 1
        set mtu-override enable
        set mtu 9001
    next
    edit "port2"
        set vdom "root"
        set ip 10.0.1.11 255.255.255.0
        set allowaccess ping https ssh snmp http telnet fgfm radius-acct probe-response capwap ftm
        set type physical
        set snmp-index 3
        set mtu-override enable
        set mtu 9001
    next
    edit "port3"
        set ip 10.0.2.11 255.255.255.0
        set allowaccess ping https ssh snmp http telnet fgfm radius-acct probe-response capwap ftm
        set type physical
        set snmp-index 4
    next
    edit "port4"
        set ip 10.0.3.11 255.255.255.0
        set allowaccess ping https ssh snmp http telnet fgfm radius-acct probe-response capwap ftm
        set type physical
        set snmp-index 5
    next
    edit "ssl.root"
        set vdom "root"
        set type tunnel
        set alias "SSL VPN interface"
        set snmp-index 2
    next
end
config router static
    edit 1
        set gateway 10.0.0.1
        set device "port1"
    next
    edit 2
        set dst 10.0.11.0 255.255.255.0
        set gateway 10.0.1.1
        set device "port2"
    next
end
config system ha
    set group-name "test"
    set mode a-p
    set hbdev "port3" 50
    set session-pickup enable
    set ha-mgmt-status enable
    config ha-mgmt-interfaces
        edit 1
            set interface "port4"
            set gateway 10.0.3.1
        next
    end
    set override disable
    set priority 255
    set unicast-hb enable
    set unicast-hb-peerip 10.0.12.11
end

On the secondary device:

config system interface
    edit "port1"
        set vdom "root"
        set ip 10.0.10.11 255.255.255.0
        set allowaccess ping https ssh snmp http telnet fgfm radius-acct probe-response capwap ftm
        set type physical
        set snmp-index 1
        set mtu-override enable
        set mtu 9001
    next
    edit "port2"
        set vdom "root"
        set ip 10.0.11.11 255.255.255.0
        set allowaccess ping https ssh snmp http telnet fgfm radius-acct probe-response capwap ftm
        set type physical
        set snmp-index 2
        set mtu-override enable
        set mtu 9001
    next
    edit "port3"
        set ip 10.0.12.11 255.255.255.0
        set allowaccess ping https ssh snmp http telnet fgfm radius-acct probe-response capwap ftm
        set type physical
        set snmp-index 3
        set mtu-override enable
        set mtu 9001
    next
    edit "port4"
        set ip 10.0.13.11 255.255.255.0
        set allowaccess ping https ssh snmp http telnet fgfm radius-acct probe-response capwap ftm
        set type physical
        set snmp-index 4
        set mtu-override enable
        set mtu 9001
    next
    edit "ssl.root"
        set vdom "root"
        set type tunnel
        set alias "SSL VPN interface"
        set snmp-index 5
    next
end
config router static
    edit 1
        set gateway 10.0.10.1
        set device "port1"
    next
    edit 2
        set dst 10.0.1.0 255.255.255.0
        set gateway 10.0.11.1
        set device "port2"
    next
end
config system ha
    set group-name "test"
    set mode a-p
    set hbdev "port3" 50
    set session-pickup enable
    set ha-mgmt-status enable
    config ha-mgmt-interfaces
        edit 1
            set interface "port4"
            set gateway 10.0.13.1
        next
    end
    set override disable
    set priority 1
    set unicast-hb enable
    set unicast-hb-peerip 10.0.2.11
end

When a failover is triggered, confirm that the secondary becomes the primary device:

# diagnose debug application awsd -1
# diagnose debug enable

Cross AZ High Availability support

FortiGate High Availability (Active/Passive) can be deployed in AWS across Availability Zones (AZs).

With FortiGates of an HA pair in separate AZs, one FortiGate can remain operational if the other AZ fails.

This configuration supports the following HA features:

  • Config synchronization
  • IP failover
  • Route failover

The following HA features are not supported with this configuration:

  • Session pickup
  • Session synchronization

Topology

FortiOS uses a normal HA configuration that uses unicast.

AWS uses the following configuration:

  • 1 VPC 10.0.0.0/16 CIDR
    • 8 Subnets
      • 4 in Availability Zone A - Primary FGTA has a NIC in each of these:
        • Public: 10.0.0.0/24 EIP
        • Internal: 10.0.1.0/24
        • Heartbeat: 10.0.2.0/24
        • Management: 10.0.3.0/24 EIP
      • 4 in Availability Zone B - Secondary FGTB has a NIC in each of these:
        • Public            10.0.10.0/24
        • Internal          10.0.11.0/24
        • Heartbeat      10.0.12.0/24
        • Management 10.0.13.0/24 EIP
  • 3 AWS UDR Routing Tables
    • For Public, add default route to Internet Gateway
    • For Internal, add default to primary FortiGate internal NIC
    • For all others, leave it default with AWS local address

Example

The configuration is the same as regular AWS HA unicast peering.

On the primary device:

config system interface
    edit "port1"
        set vdom "root"
        set ip 10.0.0.11 255.255.255.0
        set allowaccess ping https ssh snmp http telnet fgfm radius-acct probe-response capwap ftm
        set type physical
        set snmp-index 1
        set mtu-override enable
        set mtu 9001
    next
    edit "port2"
        set vdom "root"
        set ip 10.0.1.11 255.255.255.0
        set allowaccess ping https ssh snmp http telnet fgfm radius-acct probe-response capwap ftm
        set type physical
        set snmp-index 3
        set mtu-override enable
        set mtu 9001
    next
    edit "port3"
        set ip 10.0.2.11 255.255.255.0
        set allowaccess ping https ssh snmp http telnet fgfm radius-acct probe-response capwap ftm
        set type physical
        set snmp-index 4
    next
    edit "port4"
        set ip 10.0.3.11 255.255.255.0
        set allowaccess ping https ssh snmp http telnet fgfm radius-acct probe-response capwap ftm
        set type physical
        set snmp-index 5
    next
    edit "ssl.root"
        set vdom "root"
        set type tunnel
        set alias "SSL VPN interface"
        set snmp-index 2
    next
end
config router static
    edit 1
        set gateway 10.0.0.1
        set device "port1"
    next
    edit 2
        set dst 10.0.11.0 255.255.255.0
        set gateway 10.0.1.1
        set device "port2"
    next
end
config system ha
    set group-name "test"
    set mode a-p
    set hbdev "port3" 50
    set session-pickup enable
    set ha-mgmt-status enable
    config ha-mgmt-interfaces
        edit 1
            set interface "port4"
            set gateway 10.0.3.1
        next
    end
    set override disable
    set priority 255
    set unicast-hb enable
    set unicast-hb-peerip 10.0.12.11
end

On the secondary device:

config system interface
    edit "port1"
        set vdom "root"
        set ip 10.0.10.11 255.255.255.0
        set allowaccess ping https ssh snmp http telnet fgfm radius-acct probe-response capwap ftm
        set type physical
        set snmp-index 1
        set mtu-override enable
        set mtu 9001
    next
    edit "port2"
        set vdom "root"
        set ip 10.0.11.11 255.255.255.0
        set allowaccess ping https ssh snmp http telnet fgfm radius-acct probe-response capwap ftm
        set type physical
        set snmp-index 2
        set mtu-override enable
        set mtu 9001
    next
    edit "port3"
        set ip 10.0.12.11 255.255.255.0
        set allowaccess ping https ssh snmp http telnet fgfm radius-acct probe-response capwap ftm
        set type physical
        set snmp-index 3
        set mtu-override enable
        set mtu 9001
    next
    edit "port4"
        set ip 10.0.13.11 255.255.255.0
        set allowaccess ping https ssh snmp http telnet fgfm radius-acct probe-response capwap ftm
        set type physical
        set snmp-index 4
        set mtu-override enable
        set mtu 9001
    next
    edit "ssl.root"
        set vdom "root"
        set type tunnel
        set alias "SSL VPN interface"
        set snmp-index 5
    next
end
config router static
    edit 1
        set gateway 10.0.10.1
        set device "port1"
    next
    edit 2
        set dst 10.0.1.0 255.255.255.0
        set gateway 10.0.11.1
        set device "port2"
    next
end
config system ha
    set group-name "test"
    set mode a-p
    set hbdev "port3" 50
    set session-pickup enable
    set ha-mgmt-status enable
    config ha-mgmt-interfaces
        edit 1
            set interface "port4"
            set gateway 10.0.13.1
        next
    end
    set override disable
    set priority 1
    set unicast-hb enable
    set unicast-hb-peerip 10.0.2.11
end

When a failover is triggered, confirm that the secondary becomes the primary device:

# diagnose debug application awsd -1
# diagnose debug enable