Cross AZ High Availability support
FortiGate High Availability (Active/Passive) can be deployed in AWS across Availability Zones (AZs).
With the two FortiGates of an HA pair in separate AZs, one FortiGate remains operational if the other AZ fails.
This configuration supports the following HA features:
- Config synchronization
- IP failover
- Route failover
The following HA features are not supported with this configuration (the example below still carries set session-pickup enable, as in a standard unicast HA configuration, but sessions are not picked up across AZs):
- Session pickup
- Session synchronization
Topology
FortiOS uses a standard HA configuration with unicast heartbeat.
AWS uses the following configuration:
- 1 VPC, 10.0.0.0/16 CIDR
- 8 subnets
  - 4 in Availability Zone A. The primary, FGTA, has a NIC in each of these:
    - Public: 10.0.0.0/24 (EIP)
    - Internal: 10.0.1.0/24
    - Heartbeat: 10.0.2.0/24
    - Management: 10.0.3.0/24 (EIP)
  - 4 in Availability Zone B. The secondary, FGTB, has a NIC in each of these:
    - Public: 10.0.10.0/24
    - Internal: 10.0.11.0/24
    - Heartbeat: 10.0.12.0/24
    - Management: 10.0.13.0/24 (EIP)
- 3 AWS route tables
  - For the public subnets, add a default route to the Internet Gateway
  - For the internal subnets, add a default route to the primary FortiGate's internal NIC
  - For all other subnets, leave the table at its default (only the VPC local route)
Example
The configuration is the same as for regular AWS HA with unicast heartbeat. Note that the example enables the full allowaccess list, including telnet and http, on every interface; on a production deployment restrict allowaccess on port1, the public interface that carries the EIP, to what is actually needed.
On the primary device:
config system interface
    edit "port1"
        set vdom "root"
        set ip 10.0.0.11 255.255.255.0
        set allowaccess ping https ssh snmp http telnet fgfm radius-acct probe-response capwap ftm
        set type physical
        set snmp-index 1
        set mtu-override enable
        set mtu 9001
    next
    edit "port2"
        set vdom "root"
        set ip 10.0.1.11 255.255.255.0
        set allowaccess ping https ssh snmp http telnet fgfm radius-acct probe-response capwap ftm
        set type physical
        set snmp-index 3
        set mtu-override enable
        set mtu 9001
    next
    edit "port3"
        set ip 10.0.2.11 255.255.255.0
        set allowaccess ping https ssh snmp http telnet fgfm radius-acct probe-response capwap ftm
        set type physical
        set snmp-index 4
    next
    edit "port4"
        set ip 10.0.3.11 255.255.255.0
        set allowaccess ping https ssh snmp http telnet fgfm radius-acct probe-response capwap ftm
        set type physical
        set snmp-index 5
    next
    edit "ssl.root"
        set vdom "root"
        set type tunnel
        set alias "SSL VPN interface"
        set snmp-index 2
    next
end
config router static
    edit 1
        set gateway 10.0.0.1
        set device "port1"
    next
    edit 2
        set dst 10.0.11.0 255.255.255.0
        set gateway 10.0.1.1
        set device "port2"
    next
end
config system ha
    set group-name "test"
    set mode a-p
    set hbdev "port3" 50
    set session-pickup enable
    set ha-mgmt-status enable
    config ha-mgmt-interfaces
        edit 1
            set interface "port4"
            set gateway 10.0.3.1
        next
    end
    set override disable
    set priority 255
    set unicast-hb enable
    set unicast-hb-peerip 10.0.12.11
end
On the secondary device:
config system interface
    edit "port1"
        set vdom "root"
        set ip 10.0.10.11 255.255.255.0
        set allowaccess ping https ssh snmp http telnet fgfm radius-acct probe-response capwap ftm
        set type physical
        set snmp-index 1
        set mtu-override enable
        set mtu 9001
    next
    edit "port2"
        set vdom "root"
        set ip 10.0.11.11 255.255.255.0
        set allowaccess ping https ssh snmp http telnet fgfm radius-acct probe-response capwap ftm
        set type physical
        set snmp-index 2
        set mtu-override enable
        set mtu 9001
    next
    edit "port3"
        set ip 10.0.12.11 255.255.255.0
        set allowaccess ping https ssh snmp http telnet fgfm radius-acct probe-response capwap ftm
        set type physical
        set snmp-index 3
        set mtu-override enable
        set mtu 9001
    next
    edit "port4"
        set ip 10.0.13.11 255.255.255.0
        set allowaccess ping https ssh snmp http telnet fgfm radius-acct probe-response capwap ftm
        set type physical
        set snmp-index 4
        set mtu-override enable
        set mtu 9001
    next
    edit "ssl.root"
        set vdom "root"
        set type tunnel
        set alias "SSL VPN interface"
        set snmp-index 5
    next
end
config router static
    edit 1
        set gateway 10.0.10.1
        set device "port1"
    next
    edit 2
        set dst 10.0.1.0 255.255.255.0
        set gateway 10.0.11.1
        set device "port2"
    next
end
config system ha
    set group-name "test"
    set mode a-p
    set hbdev "port3" 50
    set session-pickup enable
    set ha-mgmt-status enable
    config ha-mgmt-interfaces
        edit 1
            set interface "port4"
            set gateway 10.0.13.1
        next
    end
    set override disable
    set priority 1
    set unicast-hb enable
    set unicast-hb-peerip 10.0.2.11
end
When a failover is triggered, confirm that the secondary becomes the primary device. Enabling debug output for awsd, the daemon that makes the AWS API calls (EIP reassociation and route table update) on the new primary, shows each call as it happens:
# diagnose debug application awsd -1
# diagnose debug enable
Disable debugging afterwards with diagnose debug disable. The current HA roles can be checked with get system ha status.