Fortinet Document Library

New Features

6.2.0

Cross AZ High Availability Support

In 6.2, FortiGate High Availability (Active/Passive) can be deployed in AWS across Availability Zones (AZs).

With FortiGates of an HA pair in separate AZs, one FortiGate can remain operational if the other AZ fails.

This configuration supports the following HA features:

  • Config synchronization
  • IP failover
  • Route failover

The following HA features are not supported with this configuration:

  • Session pickup
  • Session synchronization

Topology

FortiOS uses a standard HA configuration with unicast heartbeat.

AWS uses the following configuration:

  • 1 VPC 10.0.0.0/16 CIDR
    • 8 Subnets
      • 4 in Availability Zone A - Master FGTA has a NIC in each of these:
        • Public: 10.0.0.0/24 EIP
        • Internal: 10.0.1.0/24
        • Heartbeat: 10.0.2.0/24
        • Management: 10.0.3.0/24 EIP
      • 4 in Availability Zone B - Slave FGTB has a NIC in each of these:
        • Public: 10.0.10.0/24
        • Internal: 10.0.11.0/24
        • Heartbeat: 10.0.12.0/24
        • Management: 10.0.13.0/24 EIP
  • 3 AWS UDR Routing Tables
    • For Public, add a default route to the Internet Gateway
    • For Internal, add a default route to the master FortiGate's internal NIC
    • For all other subnets, keep the default table with only the AWS local route

Example

* Same as regular AWS HA unicast peering

	##MASTER##
	config system interface
	edit "port1"
	set vdom "root"
	set ip 10.0.0.11 255.255.255.0
	set allowaccess ping https ssh snmp http telnet fgfm radius-acct probe-response capwap ftm
	set type physical
	set snmp-index 1
	set mtu-override enable
	set mtu 9001
	next
	edit "port2"
	set vdom "root"
	set ip 10.0.1.11 255.255.255.0
	set allowaccess ping https ssh snmp http telnet fgfm radius-acct probe-response capwap ftm
	set type physical
	set snmp-index 3
	set mtu-override enable
	set mtu 9001
	next
	edit "port3"
	set ip 10.0.2.11 255.255.255.0
	set allowaccess ping https ssh snmp http telnet fgfm radius-acct probe-response capwap ftm
	set type physical
	set snmp-index 4
	next
	edit "port4"
	set ip 10.0.3.11 255.255.255.0
	set allowaccess ping https ssh snmp http telnet fgfm radius-acct probe-response capwap ftm
	set type physical
	set snmp-index 5
	next
	edit "ssl.root"
	set vdom "root"
	set type tunnel
	set alias "SSL VPN interface"
	set snmp-index 2
	next
	end
	config router static
	edit 1
	set gateway 10.0.0.1
	set device "port1"
	next
	edit 2
	set dst 10.0.11.0 255.255.255.0
	set gateway 10.0.1.1
	set device "port2"
	next
	end
	config system ha
	set group-name "test"
	set mode a-p
	set hbdev "port3" 50
	set session-pickup enable
	set ha-mgmt-status enable
	config ha-mgmt-interfaces
	edit 1
	set interface "port4"
	set gateway 10.0.3.1
	next
	end
	set override disable
	set priority 255
	set unicast-hb enable
	set unicast-hb-peerip 10.0.12.11
	end

	##SLAVE##
	config system interface
	edit "port1"
	set vdom "root"
	set ip 10.0.10.11 255.255.255.0
	set allowaccess ping https ssh snmp http telnet fgfm radius-acct probe-response capwap ftm
	set type physical
	set snmp-index 1
	set mtu-override enable
	set mtu 9001
	next
	edit "port2"
	set vdom "root"
	set ip 10.0.11.11 255.255.255.0
	set allowaccess ping https ssh snmp http telnet fgfm radius-acct probe-response capwap ftm
	set type physical
	set snmp-index 2
	set mtu-override enable
	set mtu 9001
	next
	edit "port3"
	set ip 10.0.12.11 255.255.255.0
	set allowaccess ping https ssh snmp http telnet fgfm radius-acct probe-response capwap ftm
	set type physical
	set snmp-index 3
	set mtu-override enable
	set mtu 9001
	next
	edit "port4"
	set ip 10.0.13.11 255.255.255.0
	set allowaccess ping https ssh snmp http telnet fgfm radius-acct probe-response capwap ftm
	set type physical
	set snmp-index 4
	set mtu-override enable
	set mtu 9001
	next
	edit "ssl.root"
	set vdom "root"
	set type tunnel
	set alias "SSL VPN interface"
	set snmp-index 5
	next
	end
	config router static
	edit 1
	set gateway 10.0.10.1
	set device "port1"
	next
	edit 2
	set dst 10.0.1.0 255.255.255.0
	set gateway 10.0.11.1
	set device "port2"
	next
	end
	config system ha
	set group-name "test"
	set mode a-p
	set hbdev "port3" 50
	set session-pickup enable
	set ha-mgmt-status enable
	config ha-mgmt-interfaces
	edit 1
	set interface "port4"
	set gateway 10.0.13.1
	next
	end
	set override disable
	set priority 1
	set unicast-hb enable
	set unicast-hb-peerip 10.0.2.11
	end
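
The two configurations above must mirror each other: each unit's unicast-hb-peerip is the other unit's heartbeat interface IP, and the heartbeat subnets differ because each sits in its own AZ. The following added example (not Fortinet's code) parses the subset of FortiOS CLI used on this page and cross-checks a pair for those properties; MASTER_CFG and SLAVE_CFG are constructed, trimmed copies of the MASTER and SLAVE examples, and the unit names FGTA/FGTB, the function names and the finding strings are this example's own.

```python
"""Consistency check for a FortiGate A/P HA pair's unicast heartbeat settings.

Added example, not Fortinet's code. Parses 'config system interface' and
'config system ha' and verifies that the two units point their heartbeats at
each other, that their heartbeat NICs sit in different subnets (one per AZ),
and that the priorities select a deterministic master.
"""
import ipaddress
import shlex

# Constructed, trimmed copies of the page's MASTER and SLAVE configs.
MASTER_CFG = """\
config system interface
    edit "port3"
        set ip 10.0.2.11 255.255.255.0
        set type physical
    next
end
config system ha
    set group-name "test"
    set mode a-p
    set hbdev "port3" 50
    set session-pickup enable
    set priority 255
    set unicast-hb enable
    set unicast-hb-peerip 10.0.12.11
end
"""

SLAVE_CFG = """\
config system interface
    edit "port3"
        set ip 10.0.12.11 255.255.255.0
        set type physical
    next
end
config system ha
    set group-name "test"
    set mode a-p
    set hbdev "port3" 50
    set session-pickup enable
    set priority 1
    set unicast-hb enable
    set unicast-hb-peerip 10.0.2.11
end
"""


def parse_fortios(text):
    """Parse FortiOS config/edit/set/next/end blocks into nested dicts.

    'set' values are kept as token lists, e.g. {"ip": ["10.0.2.11", "255.255.255.0"]}.
    """
    root = {}
    stack = [root]
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        tokens = shlex.split(line)
        keyword = tokens[0]
        if keyword == "config":
            stack.append(stack[-1].setdefault(" ".join(tokens[1:]), {}))
        elif keyword == "edit":
            stack.append(stack[-1].setdefault(tokens[1], {}))
        elif keyword == "set":
            stack[-1][tokens[1]] = tokens[2:]
        elif keyword in ("next", "end"):
            stack.pop()
    return root


def heartbeat_interface(cfg):
    """Return the ip_interface of the first hbdev configured on a unit."""
    hbdev = cfg["system ha"]["hbdev"][0]  # e.g. "port3"
    ip, mask = cfg["system interface"][hbdev]["ip"]
    return ipaddress.ip_interface(f"{ip}/{mask}")


def check_ha_pair(units):
    """Return findings for {unit_name: parsed_config}; [] means consistent."""
    findings = []
    names = list(units)
    ha = {n: units[n]["system ha"] for n in names}
    hb = {n: heartbeat_interface(units[n]) for n in names}

    if len({tuple(ha[n]["group-name"]) for n in names}) != 1:
        findings.append("error: group-name differs between units")
    if len({tuple(ha[n]["priority"]) for n in names}) != len(names):
        findings.append("error: units share the same HA priority")
    if len({hb[n].network for n in names}) != len(names):
        findings.append("error: heartbeat NICs share a subnet, so the pair is not cross-AZ")

    for n in names:
        others = [o for o in names if o != n]
        if ha[n].get("mode") != ["a-p"]:
            findings.append(f"error: {n}: mode must be a-p")
        if ha[n].get("unicast-hb") != ["enable"]:
            findings.append(f"error: {n}: unicast-hb is not enabled")
        peer = ha[n].get("unicast-hb-peerip", [""])[0]
        if peer not in {str(hb[o].ip) for o in others}:
            findings.append(f"error: {n}: unicast-hb-peerip {peer} is not the peer's heartbeat IP")
        # The page lists session pickup as unsupported across AZs, yet the example enables it.
        if ha[n].get("session-pickup") == ["enable"]:
            findings.append(f"warn: {n}: session-pickup is enabled but unsupported across AZs")
    return findings


if __name__ == "__main__":
    pair = {"FGTA": parse_fortios(MASTER_CFG), "FGTB": parse_fortios(SLAVE_CFG)}
    for finding in check_ha_pair(pair):
        print(finding)
```

Run against the page's own values, the only findings are the two session-pickup warnings; swapping a peer IP or moving both heartbeat NICs into one subnet produces an error line naming the unit.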

	##Trigger Failover##

	slave # Become HA master
	send_vip_arp: vd root master 1 intf port1 ip 10.0.10.11
	send_vip_arp: vd root master 1 intf port2 ip 10.0.11.11
	awsd get instance id i-0b29804fd38976af4
	awsd get iam role WikiDemoHARole
	awsd get region us-east-1
	awsd get vpc id vpc-0ade7ea6e64befbfc
	awsd doing ha failover for vdom root
	awsd associate elastic ip for port1
	awsd associate elastic ip allocation eipalloc-06b849dbb0f76555f to 10.0.10.11 of eni eni-0ab045a4d6dce664a
	awsd associate elastic ip successfully
	awsd update route table rtb-0a7b4fec57feb1a21, replace route of dst 0.0.0.0/0 to eni-0c4c085477aaff8c5
	awsd update route successfully
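
The failover output above is what an operator sees on the new master's console: gratuitous ARPs on port1 and port2, then awsd resolving its instance, role, region and VPC, moving the EIP to the new master's port1 address and rewriting the 0.0.0.0/0 route of the internal route table to the new master's ENI. The following added example (not FortiOS code) parses that output and checks that every attempted AWS action also reported success, that the EIP landed on the expected public IP (10.0.10.11, the slave's port1 from the config above), that a GARP was sent for that IP and that a default route was replaced. FAILOVER_LOG is a constructed copy of the page's log; the function names and problem strings are this example's own.

```python
"""Parse and verify the awsd failover log a FortiGate prints on becoming master.

Added example, not FortiOS code. FAILOVER_LOG is a constructed copy of the
console output shown on this page.
"""
import re

FAILOVER_LOG = """\
slave # Become HA master
send_vip_arp: vd root master 1 intf port1 ip 10.0.10.11
send_vip_arp: vd root master 1 intf port2 ip 10.0.11.11
awsd get instance id i-0b29804fd38976af4
awsd get iam role WikiDemoHARole
awsd get region us-east-1
awsd get vpc id vpc-0ade7ea6e64befbfc
awsd doing ha failover for vdom root
awsd associate elastic ip for port1
awsd associate elastic ip allocation eipalloc-06b849dbb0f76555f to 10.0.10.11 of eni eni-0ab045a4d6dce664a
awsd associate elastic ip successfully
awsd update route table rtb-0a7b4fec57feb1a21, replace route of dst 0.0.0.0/0 to eni-0c4c085477aaff8c5
awsd update route successfully
"""

# Single-valued facts awsd logs before acting.
SCALARS = {
    "instance_id": re.compile(r"awsd get instance id (\S+)"),
    "iam_role": re.compile(r"awsd get iam role (\S+)"),
    "region": re.compile(r"awsd get region (\S+)"),
    "vpc_id": re.compile(r"awsd get vpc id (\S+)"),
    "vdom": re.compile(r"awsd doing ha failover for vdom (\S+)"),
}
GARP_RE = re.compile(r"send_vip_arp: vd (\S+) master \d+ intf (\S+) ip (\S+)")
EIP_RE = re.compile(r"associate elastic ip allocation (\S+) to (\S+) of eni (\S+)")
ROUTE_RE = re.compile(r"update route table (\S+), replace route of dst (\S+) to (\S+)")


def parse_failover_log(text):
    """Return a dict with the scalars, GARPs, EIP moves, route updates and success counts."""
    event = {"garp": [], "eip": [], "routes": [], "eip_ok": 0, "route_ok": 0}
    for raw in text.splitlines():
        line = raw.strip()
        for key, rx in SCALARS.items():
            m = rx.search(line)
            if m:
                event[key] = m.group(1)
        if m := GARP_RE.search(line):
            event["garp"].append({"vdom": m.group(1), "intf": m.group(2), "ip": m.group(3)})
        elif m := EIP_RE.search(line):
            event["eip"].append({"allocation": m.group(1), "ip": m.group(2), "eni": m.group(3)})
        elif m := ROUTE_RE.search(line):
            event["routes"].append({"rtb": m.group(1), "dst": m.group(2), "eni": m.group(3)})
        elif line == "awsd associate elastic ip successfully":
            event["eip_ok"] += 1
        elif line == "awsd update route successfully":
            event["route_ok"] += 1
    return event


def verify_failover(event, expected_public_ip):
    """Return a list of problems; [] means the failover completed as expected."""
    problems = []
    for key in ("instance_id", "region", "vpc_id", "vdom"):
        if key not in event:
            problems.append(f"awsd never resolved {key}")
    if not event["eip"]:
        problems.append("no EIP association attempted")
    for e in event["eip"]:
        if e["ip"] != expected_public_ip:
            problems.append(f"EIP {e['allocation']} bound to {e['ip']}, expected {expected_public_ip}")
    garp_ips = {g["ip"] for g in event["garp"]}
    if expected_public_ip not in garp_ips:
        problems.append(f"no gratuitous ARP sent for {expected_public_ip}")
    if not any(r["dst"] == "0.0.0.0/0" for r in event["routes"]):
        problems.append("default route was not replaced in any route table")
    if event["eip_ok"] != len(event["eip"]):
        problems.append(f"{len(event['eip'])} EIP association(s) attempted, {event['eip_ok']} succeeded")
    if event["route_ok"] != len(event["routes"]):
        problems.append(f"{len(event['routes'])} route replacement(s) attempted, {event['route_ok']} succeeded")
    return problems


if __name__ == "__main__":
    ev = parse_failover_log(FAILOVER_LOG)
    print(ev["instance_id"], ev["region"], ev["vpc_id"])
    print(verify_failover(ev, "10.0.10.11") or "failover completed as expected")
```

A log that stops before "awsd update route successfully" (an IAM role missing ReplaceRoute permission would leave it there) shows up as a route-count mismatch, and passing the old master's 10.0.0.11 as the expected address shows the checker distinguishes the two units' public IPs.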
