Fortinet Document Library

New Features 6.2.0

Cross AZ High Availability support

FortiGate High Availability (Active/Passive) can be deployed in AWS across Availability Zones (AZs).

With FortiGates of an HA pair in separate AZs, one FortiGate can remain operational if the other AZ fails.

This configuration supports the following HA features:

  • Config synchronization
  • IP failover
  • Route failover

The following HA features are not supported with this configuration:

  • Session pickup
  • Session synchronization

Topology

FortiOS uses a standard HA configuration with unicast heartbeat.

The AWS side uses the following configuration:

  • 1 VPC with CIDR 10.0.0.0/16
    • 8 subnets
      • 4 in Availability Zone A; the primary FGTA has a NIC in each of them:
        • Public: 10.0.0.0/24 (EIP)
        • Internal: 10.0.1.0/24
        • Heartbeat: 10.0.2.0/24
        • Management: 10.0.3.0/24 (EIP)
      • 4 in Availability Zone B; the secondary FGTB has a NIC in each of them:
        • Public: 10.0.10.0/24
        • Internal: 10.0.11.0/24
        • Heartbeat: 10.0.12.0/24
        • Management: 10.0.13.0/24 (EIP)
  • 3 AWS UDR route tables
    • Public: add a default route to the Internet Gateway
    • Internal: add a default route to the primary FortiGate's internal NIC
    • All others: leave the default AWS local route

Example

The FortiGate configuration is the same as for regular AWS HA with unicast peering.

On the primary device:

config system interface
    edit "port1"
        set vdom "root"
        set ip 10.0.0.11 255.255.255.0
        set allowaccess ping https ssh snmp http telnet fgfm radius-acct probe-response capwap ftm
        set type physical
        set snmp-index 1
        set mtu-override enable
        set mtu 9001
    next
    edit "port2"
        set vdom "root"
        set ip 10.0.1.11 255.255.255.0
        set allowaccess ping https ssh snmp http telnet fgfm radius-acct probe-response capwap ftm
        set type physical
        set snmp-index 3
        set mtu-override enable
        set mtu 9001
    next
    edit "port3"
        set ip 10.0.2.11 255.255.255.0
        set allowaccess ping https ssh snmp http telnet fgfm radius-acct probe-response capwap ftm
        set type physical
        set snmp-index 4
    next
    edit "port4"
        set ip 10.0.3.11 255.255.255.0
        set allowaccess ping https ssh snmp http telnet fgfm radius-acct probe-response capwap ftm
        set type physical
        set snmp-index 5
    next
    edit "ssl.root"
        set vdom "root"
        set type tunnel
        set alias "SSL VPN interface"
        set snmp-index 2
    next
end
config router static
    edit 1
        set gateway 10.0.0.1
        set device "port1"
    next
    edit 2
        set dst 10.0.11.0 255.255.255.0
        set gateway 10.0.1.1
        set device "port2"
    next
end
config system ha
    set group-name "test"
    set mode a-p
    set hbdev "port3" 50
    set session-pickup enable
    set ha-mgmt-status enable
    config ha-mgmt-interfaces
        edit 1
            set interface "port4"
            set gateway 10.0.3.1
        next
    end
    set override disable
    set priority 255
    set unicast-hb enable
    set unicast-hb-peerip 10.0.12.11
end

On the secondary device:

config system interface
    edit "port1"
        set vdom "root"
        set ip 10.0.10.11 255.255.255.0
        set allowaccess ping https ssh snmp http telnet fgfm radius-acct probe-response capwap ftm
        set type physical
        set snmp-index 1
        set mtu-override enable
        set mtu 9001
    next
    edit "port2"
        set vdom "root"
        set ip 10.0.11.11 255.255.255.0
        set allowaccess ping https ssh snmp http telnet fgfm radius-acct probe-response capwap ftm
        set type physical
        set snmp-index 2
        set mtu-override enable
        set mtu 9001
    next
    edit "port3"
        set ip 10.0.12.11 255.255.255.0
        set allowaccess ping https ssh snmp http telnet fgfm radius-acct probe-response capwap ftm
        set type physical
        set snmp-index 3
        set mtu-override enable
        set mtu 9001
    next
    edit "port4"
        set ip 10.0.13.11 255.255.255.0
        set allowaccess ping https ssh snmp http telnet fgfm radius-acct probe-response capwap ftm
        set type physical
        set snmp-index 4
        set mtu-override enable
        set mtu 9001
    next
    edit "ssl.root"
        set vdom "root"
        set type tunnel
        set alias "SSL VPN interface"
        set snmp-index 5
    next
end
config router static
    edit 1
        set gateway 10.0.10.1
        set device "port1"
    next
    edit 2
        set dst 10.0.1.0 255.255.255.0
        set gateway 10.0.11.1
        set device "port2"
    next
end
config system ha
    set group-name "test"
    set mode a-p
    set hbdev "port3" 50
    set session-pickup enable
    set ha-mgmt-status enable
    config ha-mgmt-interfaces
        edit 1
            set interface "port4"
            set gateway 10.0.13.1
        next
    end
    set override disable
    set priority 1
    set unicast-hb enable
    set unicast-hb-peerip 10.0.2.11
end
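
The two member configs above have to agree with each other and with the per-AZ subnets in the topology: each member's unicast-hb-peerip must be the other member's heartbeat address, every NIC must sit in its own AZ's subnet, and the primary must carry the higher priority. The following Python script is an added example written for this page, not Fortinet code, that parses trimmed copies of both configs (interface addresses and the HA block, embedded as constructed strings) with a minimal FortiOS CLI parser and cross-checks them. The subnet map is taken from the topology section; the parser's scope handling (config/edit open, next/end close) is an assumption that holds for the CLI output shown here.

```python
import ipaddress
import shlex

# Constructed excerpts of the two member configs shown above: interface
# addresses and the HA block are all this check needs.
PRIMARY_CFG = """
config system interface
    edit "port1"
        set ip 10.0.0.11 255.255.255.0
    next
    edit "port2"
        set ip 10.0.1.11 255.255.255.0
    next
    edit "port3"
        set ip 10.0.2.11 255.255.255.0
    next
end
config system ha
    set hbdev "port3" 50
    set priority 255
    set unicast-hb enable
    set unicast-hb-peerip 10.0.12.11
end
"""
SECONDARY_CFG = """
config system interface
    edit "port1"
        set ip 10.0.10.11 255.255.255.0
    next
    edit "port2"
        set ip 10.0.11.11 255.255.255.0
    next
    edit "port3"
        set ip 10.0.12.11 255.255.255.0
    next
end
config system ha
    set hbdev "port3" 50
    set priority 1
    set unicast-hb enable
    set unicast-hb-peerip 10.0.2.11
end
"""
# Public, internal and heartbeat subnets per AZ, from the topology section.
AZ_SUBNETS = {
    "A": {"port1": "10.0.0.0/24", "port2": "10.0.1.0/24", "port3": "10.0.2.0/24"},
    "B": {"port1": "10.0.10.0/24", "port2": "10.0.11.0/24", "port3": "10.0.12.0/24"},
}


def parse_fortios(text):
    """Minimal FortiOS CLI parser (assumed grammar): 'config' and 'edit' open a
    scope, 'next' and 'end' close it, 'set' stores its arguments as a token list."""
    root, stack = {}, []
    cur = root
    for raw in text.splitlines():
        tokens = shlex.split(raw)
        if not tokens:
            continue
        kw, args = tokens[0], tokens[1:]
        if kw in ("config", "edit"):
            stack.append(cur)
            cur = cur.setdefault(" ".join(args), {})
        elif kw in ("next", "end"):
            cur = stack.pop()
        elif kw == "set":
            cur[args[0]] = args[1:]
    return root


def iface(cfg, port):
    """Address of a port as an IPv4Interface (FortiOS stores 'ip <addr> <mask>')."""
    addr, mask = cfg["system interface"][port]["ip"]
    return ipaddress.ip_interface(f"{addr}/{mask}")


def check_pair(primary, secondary):
    """Cross-check the two members' configs; returns findings (empty means consistent)."""
    findings = []
    for az, cfg, peer in (("A", primary, secondary), ("B", secondary, primary)):
        ha = cfg["system ha"]
        if ha.get("unicast-hb") != ["enable"]:
            findings.append(f"AZ {az}: unicast heartbeat is not enabled")
        # Each NIC must sit in its own AZ's subnet; that is what makes the pair cross-AZ.
        for port, net in AZ_SUBNETS[az].items():
            ip = iface(cfg, port).ip
            if ip not in ipaddress.ip_network(net):
                findings.append(f"AZ {az}: {port} address {ip} is not in {net}")
        # The unicast peer IP must be the other member's heartbeat interface address.
        want = str(iface(peer, peer["system ha"]["hbdev"][0]).ip)
        got = ha["unicast-hb-peerip"][0]
        if got != want:
            findings.append(f"AZ {az}: unicast-hb-peerip {got}, expected {want}")
    # With override disabled on both (as in the configs above), the higher
    # priority wins the initial election, so the primary must carry it.
    if int(primary["system ha"]["priority"][0]) <= int(secondary["system ha"]["priority"][0]):
        findings.append("primary priority must be higher than the secondary's")
    return findings
```

Calling check_pair(parse_fortios(PRIMARY_CFG), parse_fortios(SECONDARY_CFG)) returns an empty list for the configs above; changing one member's unicast-hb-peerip, or passing the members in the wrong order, produces a finding per mismatch.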

When a failover is triggered, the secondary becomes the primary device; the console output shows the EIP and the route table being moved to it:

slave # Become HA master
send_vip_arp: vd root master 1 intf port1 ip 10.0.10.11
send_vip_arp: vd root master 1 intf port2 ip 10.0.11.11
awsd get instance id i-0b29804fd38976af4
awsd get iam role WikiDemoHARole
awsd get region us-east-1
awsd get vpc id vpc-0ade7ea6e64befbfc
awsd doing ha failover for vdom root
awsd associate elastic ip for port1
awsd associate elastic ip allocation eipalloc-06b849dbb0f76555f to 10.0.10.11 of eni eni-0ab045a4d6dce664a
awsd associate elastic ip successfully
awsd update route table rtb-0a7b4fec57feb1a21, replace route of dst 0.0.0.0/0 to eni-0c4c085477aaff8c5
awsd update route successfully
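
The console output above is the only record the FortiGate itself gives of what awsd changed in AWS, so it is worth parsing when a failover is reviewed. The following Python script is an added example written for this page, not Fortinet code: it turns those lines into a structured event and audits it against the expected end state (EIP on the new primary's port1 address, default route re-pointed to an ENI, correct region and VPC), and flags a failover that stalled after the EIP step. It assumes the message formats match the sample above and that every awsd action reports a "successfully" line when it completes; the log text is embedded from this page.

```python
import re

# Console output of the failover above, copied from this page.
FAILOVER_LOG = """\
slave # Become HA master
send_vip_arp: vd root master 1 intf port1 ip 10.0.10.11
send_vip_arp: vd root master 1 intf port2 ip 10.0.11.11
awsd get instance id i-0b29804fd38976af4
awsd get iam role WikiDemoHARole
awsd get region us-east-1
awsd get vpc id vpc-0ade7ea6e64befbfc
awsd doing ha failover for vdom root
awsd associate elastic ip for port1
awsd associate elastic ip allocation eipalloc-06b849dbb0f76555f to 10.0.10.11 of eni eni-0ab045a4d6dce664a
awsd associate elastic ip successfully
awsd update route table rtb-0a7b4fec57feb1a21, replace route of dst 0.0.0.0/0 to eni-0c4c085477aaff8c5
awsd update route successfully
"""

# Message shapes assumed from the sample above.
PATTERNS = {
    "become_master": re.compile(r"Become HA master$"),
    "garp": re.compile(r"^send_vip_arp: vd (?P<vdom>\S+) master \d+ intf (?P<intf>\S+) ip (?P<ip>\S+)$"),
    "meta": re.compile(r"^awsd get (?P<key>instance id|iam role|region|vpc id) (?P<value>\S+)$"),
    "eip": re.compile(r"^awsd associate elastic ip allocation (?P<alloc>\S+) to (?P<ip>\S+) of eni (?P<eni>\S+)$"),
    "route": re.compile(r"^awsd update route table (?P<rtb>[^,]+), replace route of dst (?P<dst>\S+) to (?P<target>\S+)$"),
    "eip_ok": re.compile(r"^awsd associate elastic ip successfully$"),
    "route_ok": re.compile(r"^awsd update route successfully$"),
}


def parse_failover(text):
    """Parse the console lines into one event: metadata, gratuitous ARPs, EIP moves and
    route replacements. An action is marked done only once its success line follows."""
    ev = {"became_master": False, "meta": {}, "garp": [], "eip": [], "route": []}
    for line in text.splitlines():
        line = line.strip()
        if PATTERNS["become_master"].search(line):
            ev["became_master"] = True
        elif (m := PATTERNS["garp"].match(line)):
            ev["garp"].append(m.groupdict())
        elif (m := PATTERNS["meta"].match(line)):
            ev["meta"][m["key"]] = m["value"]
        elif (m := PATTERNS["eip"].match(line)):
            ev["eip"].append({**m.groupdict(), "done": False})
        elif (m := PATTERNS["route"].match(line)):
            ev["route"].append({**m.groupdict(), "done": False})
        elif PATTERNS["eip_ok"].match(line) and ev["eip"]:
            ev["eip"][-1]["done"] = True
        elif PATTERNS["route_ok"].match(line) and ev["route"]:
            ev["route"][-1]["done"] = True
    return ev


def audit_failover(ev, new_primary_public_ip, region, vpc_id):
    """Findings worth alerting on: a failover that stalled part-way, or awsd acting
    in a region/VPC or on an address other than the surviving member's."""
    findings = []
    if not ev["became_master"]:
        findings.append("no 'Become HA master' transition in the log")
    if ev["meta"].get("region") != region or ev["meta"].get("vpc id") != vpc_id:
        findings.append("awsd reported an unexpected region or VPC")
    if not any(e["ip"] == new_primary_public_ip and e["done"] for e in ev["eip"]):
        findings.append(f"EIP not confirmed on {new_primary_public_ip}")
    if not any(r["dst"] == "0.0.0.0/0" and r["target"].startswith("eni-") and r["done"]
               for r in ev["route"]):
        findings.append("default route not confirmed re-pointed to the new primary's ENI")
    for e in ev["eip"]:
        if not e["done"]:
            findings.append(f"EIP {e['alloc']} association never reported success")
    for r in ev["route"]:
        if not r["done"]:
            findings.append(f"route update on {r['rtb']} never reported success")
    return findings
```

For the sample log, audit_failover(parse_failover(FAILOVER_LOG), "10.0.10.11", "us-east-1", "vpc-0ade7ea6e64befbfc") returns no findings; remove the final "awsd update route successfully" line and it reports that the default route was never confirmed, which is the state in which traffic from the internal subnet would still be routed at the failed member's ENI.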
