AWS FortiManager-VM HA and EIP

This feature addresses an issue of service disruption in the event of a FortiManager-VM cluster member failing. VRRP detects the failure of the member FortiManager-VM and triggers a failover to the standby member. The movement of the Elastic IP ensures that the customer's applications or services continue to use the active FortiManager-VM cluster member.

This example walkthrough assumes that AWS resources such as VPCs, networks, subnets, and security groups have already been created, and that you are familiar with the AWS console and the FortiManager-VM GUI and CLI.

To configure AWS FortiManager-VM HA with EIP:
  1. Create an AWS IAM Role.

    During a failover event, the role permissions are used to enumerate the EIP and move it from the Primary FortiManager-VM to the Secondary FortiManager-VM.

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Action": [
            "ec2:AssignPrivateIpAddresses",
            "ec2:DescribeSubnets",
            "ec2:DescribeNetworkInterfaces",
            "ec2:DescribeAddresses",
            "ec2:AssociateAddress",
            "ec2:CreateTags",
            "s3:GetObject"
          ],
          "Resource": "*",
          "Effect": "Allow"
        }
      ]
    }

    Note

    This role is an example used for explanation purposes only and is not fit for production environments.

  2. Create an Elastic IP (EIP).

    For more information on creating and associating an Elastic IP address, see: Allocate an Elastic IP address.

  3. Edit or create a security group for VRRP (TCP 112).
    For the Primary and Secondary to communicate, a security group must allow TCP access to port 112 (the VRRP port) between the two FortiManager-VMs.
    Caution

    Without TCP port 112 open between the two FortiManager-VMs, a "split-brain" condition may occur, resulting in both FortiManagers assuming the Primary role.

  4. Create the FortiManagers.
    1. Create two new FortiManager-VM AWS instances in the same VPC. In this example, both FortiManager-VMs are in the same subnet.
    2. Allocate the Elastic IP created previously to the Primary FortiManager-VM. This EIP will be the Primary IP address that will move between the FortiManager-VMs on failover.
    3. Assign the Role created previously to each of the FortiManager-VMs. For more information about assigning a role to an AWS VM instance, see: IAM roles for Amazon EC2.

    For more information on deploying a FortiManager-VM on AWS, see: Deploying FortiManager on AWS.

  5. Configure the FortiManagers.
    1. On the FortiManagers, navigate to System Settings > HA.
    2. Configure the following information:
       Failover Mode: Select VRRP.
       Peer IP and Peer SN: Enter the IP address and serial number of the other FortiManager. Click the add icon (+) to add additional FortiManagers if required.
       Group Password: Enter the password for the HA cluster.
       VIP: Enter the Elastic IP details from AWS.
       Unicast: Enable Unicast in order to send keepalive signals.
       Monitor IP: Enter the FortiManager's IP address or the FortiManager's gateway, depending on the setup.
    3. Follow the same steps above for the Secondary FortiManager, and click Apply to create the HA cluster.

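The note in step 1 says the example role is not production-fit, and the reason is its wildcard "Resource": "*". The following added example (not Fortinet's code) lints an IAM policy document against the action list from step 1: it checks that every action the failover needs is granted, honours Deny statements and wildcard actions, and reports statements that grant on a wildcard resource. The function names and the embedded policies are this example's own assumptions.

```python
# Added example (not Fortinet's code): lint the step 1 IAM policy for the
# failover role. REQUIRED_ACTIONS is copied from that policy; the helper names
# and the checks are this example's own assumptions.
import fnmatch
import json

REQUIRED_ACTIONS = {
    "ec2:AssignPrivateIpAddresses", "ec2:DescribeSubnets",
    "ec2:DescribeNetworkInterfaces", "ec2:DescribeAddresses",
    "ec2:AssociateAddress", "ec2:CreateTags", "s3:GetObject",
}

# The page's example policy, embedded verbatim so the lint runs offline.
PAGE_POLICY = json.loads("""{"Version": "2012-10-17", "Statement": [{"Action": [
 "ec2:AssignPrivateIpAddresses", "ec2:DescribeSubnets", "ec2:DescribeNetworkInterfaces",
 "ec2:DescribeAddresses", "ec2:AssociateAddress", "ec2:CreateTags", "s3:GetObject"],
 "Resource": "*", "Effect": "Allow"}]}""")

def _as_list(value):
    # IAM accepts either a single string or a list for Action and Resource.
    return [value] if isinstance(value, str) else list(value or [])

def allowed(policy, action):
    """True if an Allow statement matches the action (wildcards such as ec2:*
    count) and no Deny statement matches it; IAM action names are case-insensitive."""
    hit = False
    for stmt in policy.get("Statement", []):
        patterns = [p.lower() for p in _as_list(stmt.get("Action"))]
        if any(fnmatch.fnmatchcase(action.lower(), p) for p in patterns):
            if stmt.get("Effect") == "Deny":
                return False  # explicit Deny always wins in IAM
            hit = True
    return hit

def missing_actions(policy, required=REQUIRED_ACTIONS):
    """Failover actions the policy does not grant (empty means complete)."""
    return sorted(a for a in required if not allowed(policy, a))

def broad_statements(policy):
    """Indexes of Allow statements with a wildcard Resource or Action: the
    page's policy uses "Resource": "*", which is why it is not production-fit."""
    out = []
    for i, stmt in enumerate(policy.get("Statement", [])):
        res = _as_list(stmt.get("Resource"))
        acts = _as_list(stmt.get("Action"))
        if stmt.get("Effect") == "Allow" and ("*" in res or any("*" in a for a in acts)):
            out.append(i)
    return out
```

Run `missing_actions` on the policy you actually attach to the role before testing failover: a missing ec2:AssociateAddress or ec2:DescribeAddresses shows up here instead of during the first real failover.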
Configuration verification

Run the following command in the FortiManager CLI: diagnose ha force-vrrp-election

This command forces the current Primary to release the role. A new election is carried out to find the new Primary. This command is also used to test the VRRP failover. Regardless of the priority, if this command is run on the Primary then it will become a Secondary.

Troubleshooting

Run the following command in the FortiManager CLI: diagnose debug app keepalived 255

This command enables keepalived debug messages on the CLI console.
