Fortinet white logo
Fortinet white logo

AliCloud Administration Guide

Deploying FortiGate-VM HA on AliCloud using routing tables and EIPs

Deploying FortiGate-VM HA on AliCloud using routing tables and EIPs

This guide provides a sample configuration of active-passive FortiGate-VM HA on AliCloud within one availability zone.

The following depicts the network topology for this sample deployment:

The following lists the IP address assignments for this sample deployment for FortiGate-A:

Port

AliCloud primary address

Subnet

port1

10.0.1.11

10.0.1.0/24 EIP3

port2

10.0.2.11

10.0.2.0/24

port3

10.0.3.11

10.0.3.0/24

port4

10.0.4.11

10.0.4.0/24 EIP1

The following lists the IP address assignments for this sample deployment for FortiGate-B:

Port

AliCloud primary address

Subnet

port1

10.0.1.12

10.0.24.0

port2

10.0.2.12

10.0.21.0/24

port3

10.0.3.12

10.0.22.0/24

port4

10.0.4.12

10.0.23.0/24

To check the prerequisites:

The following prerequisites must be met for this deployment:

  • One VPC with one subnet each for management, external, internal, and heartbeat purposes
  • Three public IP addresses:
    • EIP1 and EIP2 for FortiGate-A and FortiGate-B management
    • EIP3 for the HA external traffic IP address
  • Two FortiGate-VM instances, both PAYG or BYOL
  • The following summarizes minimum sufficient RAM roles for this deployment:
    • AliyunECSFullAccess
    • AliyunEIPFullAccess
    • AliyunVPCFullAccess
    Note

    Actual role configurations may differ depending on your environments. Check with your company's public cloud administrators for more details.

To configure FortiGate-VM HA in AliCloud:
  1. In the AliCloud management console, create a VPC with four VSwitches:

    VSwitch

    Purpose

    net1-external

    External data traffic on the public network-facing side.

    net2-internal

    External data traffic on the public network-facing side.

    net3-heartbeat

    Heartbeat between two FortiGate nodes. This is unicast communication.

    net4-mgmt

    Dedicated management interface.

  2. Add six ENIs.

  3. Create two routing tables:
    1. Create a routing table called "rtb-internal" for the net2-internal VSwitch. Set the NIC2 secondary IP address (10.0.2.23) as rtb-internal's default gateway. You can create this routing table after configuring NIC2 on FortiGate-A. Ensure that the default gateway is FortiGate-A's port2 ENI.

    2. Create a routing table called "rtb-external" for the remaining VSwitches. Set this VCN's Internet gateway as its default gateway. Ensure that this routing table can access the Internet.

To deploy the FortiGate-VMs in AliCloud:

To take advantage of A-P HA, you need four vNICs (port1 to port4) on each FortiGate-VM that constitutes an A-P HA cluster. Configure all required network interfaces (AliCloud ENIs and FortiGate-VM network interface configuration) that support A-P HA. You must choose an AliCloud instance type that supports at least four vNICs.

Ensure the following:

  • You have configured the security group on each subnet for egress and ingress interfaces appropriately. It is particularly important that the management interfaces have egress Internet access for API calls to the AliCloud metadata server.
  • You attached four NICs for each FortiGate-VM, and assigned the static private IP address.
  • EIP1 was bound to the FortiGate-A port4 management interface.
  • EIP3 was bound to the FortiGate-A port1 external interface.
  • EIP2 was bound to the FortiGate-B port4 management interface.
Note

You can attach a public IP address on the primary FortiGate-VM's external interface instead of an EIP by creating an HAVIP address in the VPC, then binding this HAVIP address to both FortiGates' external interfaces. This approach may shorten the failover time depending on the network environment.

To configure FortiGate-A using the CLI:

The next steps show you how to configure A-P HA settings by using CLI commands on the GUI or via SSH. If using SSH, the FortiGate may lose connection due to routing table changes, so configuring HA via the GUI is recommended.

config system interface
    edit "port1"
        set mode static
        set ip 10.0.1.11 255.255.255.0
        set allowaccess ping https ssh snmp http fgfm
    next
    edit "port2"
        set ip 10.0.2.11 255.255.255.0
        set allowaccess ping https ssh snmp http telnet
    next
    edit "port3"
        set ip 10.0.3.11 255.255.255.0
        set allowaccess ping https ssh snmp http telnet
    next
    edit "port4"
        set ip 10.0.4.11 255.255.255.0
        set allowaccess ping https ssh snmp http telnet
    next
end
config router static
    edit 1
        set gateway 10.0.1.253
        set device "port1"
    next
end
config firewall policy
    edit 1
        set srcintf "port2"
        set dstintf "port1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
    next
end
config system ha
    set group-name "FGT-HA"
    set mode a-p
    set hbdev "port3" 50
    set ha-mgmt-status enable
    config ha-mgmt-interfaces
        edit 1
            set interface "port4"
            set gateway 10.0.4.253
        next
    end
    set priority 128
    set unicast-hb enable
    set unicast-hb-peerip 10.0.3.12
end
To configure FortiGate-B using the CLI:

The next steps show you how to configure A-P HA settings by using CLI commands on the GUI or via SSH. If using SSH, the FortiGate may lose connection due to routing table changes, so configuring HA via the GUI is recommended.

config system interface
    edit "port1"
        set mode static
        set ip 10.0.1.12 255.255.255.0
        set allowaccess ping https ssh snmp http fgfm
    next
    edit "port2"
        set ip 10.0.2.12 255.255.255.0
        set allowaccess ping https ssh snmp http telnet
    next
    edit "port3"
        set ip 10.0.3.12 255.255.255.0
        set allowaccess ping https ssh snmp http telnet
    next
    edit "port4"
        set ip 10.0.4.12 255.255.255.0
        set allowaccess ping https ssh snmp http telnet
    next
end
config router static
    edit 1
        set gateway 10.0.1.253
        set device "port1"
    next
end
config firewall policy
    edit 1
        set srcintf "port2"
        set dstintf "port1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
    next
end
config system ha
    set group-name "FGT-HA"
    set mode a-p
    set hbdev "port3" 50
    set ha-mgmt-status enable
    config ha-mgmt-interfaces
        edit 1
            set interface "port4"
            set gateway 10.0.4.253
        next
    end
    set priority 64
    set unicast-hb enable
    set unicast-hb-peerip 10.0.3.21
end
Note

You must set the FortiGate-B HA priority to a value lower than FortiGate-A's priority level. The node with the lower priority level is determined as the secondary node.

To check the HA status and function:
  1. In FortiOS on the primary FortiGate, go to System > HA. Check that the HA status is synchronized.

  2. Log into a PC that is located in the internal subnet. Verify that the PC can access the Internet via FortiGate-A when FortiGate-A is the primary node.
  3. Shut down FortiGate-A. Verify that FortiGate-B becomes the primary node. Use an API call to verify that the secondary private IP address moves to FortiGate-B.
  4. Log into the PC. Verify that the PC can access the Internet via FortiGate-B when FortiGate-B is the primary node.
  5. You can use the following diagnose commands to see if the secondary private IP address moves from FortiGate-A to FortiGate-B during failover:

    FGT-B # diagnose debug application alicloud-ha -1 Debug messages will be on for 30 minutes. FGT-B # Become HA master mode 2 ===== start acs ha failover ===== send_vip_arp: vd root master 1 intf port1 ip 10.0.1.12 send_vip_arp: vd root master 1 intf port2 ip 10.0.2.12 acs meta info [instance id]: i-rj9f5xs9cp9xsweedlcs acs meta info [ram role]: fhua-ecs-role acs meta info [region]: us-west-1 acs meta info [vpc id]: vpc-rj9h5m14eo5lu97hjaptw acs ecs endpoint is resolved at ecs.us-west-1.aliyuncs.com:47.88.73.18 acs vpc endpoint is resolved at vpc.aliyuncs.com:106.11.61.112 acs is parsing page 1 of total 3(1 page) instances acs is checking tags on instance FGT-A Tag.FGT_port1: eni-rj9dirnvg0hykoddvv7z Tag.FGT_port2: eni-rj94jig06fag0v1jneyv Tag.FGT_port3: eni-rj91wj13vwjs7y1n25ow Tag.FGT_port4: eni-rj9il1iuoh9t3qd5doe3 acs is checking tags on instance FGT-B Tag.FGT_port1: eni-rj9f5xs9cp9xswekw6zh Tag.FGT_port2: eni-rj9j4eztzg3bv65yqd6x Tag.FGT_port3: eni-rj9ga16wcti7anp0ot7m Tag.FGT_port4: eni-rj9dirnvg0hykei8bl8o acs is parsing page 1 of total 13(1 page) EIPs acs local instance: FGT-B(i-rj9f5xs9cp9xsweedlcs) eni: 0, 10.0.1.12(eni-rj9f5xs9cp9xswekw6zh, port1) eni: 1, 10.0.2.12(eni-rj9j4eztzg3bv65yqd6x, port2) eni: 2, 10.0.3.12(eni-rj9ga16wcti7anp0ot7m, port3) eni: 3, 10.0.4.12(eni-rj9dirnvg0hykei8bl8o, port4) <--- eip(47.254.42.40) acs peer instance: FGT-A(i-rj9il1iuoh9t408i1a60) eni: 0, 10.0.1.11(eni-rj9dirnvg0hykoddvv7z, port1) <--- eip(47.251.3.246) eni: 1, 10.0.2.11(eni-rj94jig06fag0v1jneyv, port2) eni: 2, 10.0.3.11(eni-rj91wj13vwjs7y1n25ow, port3) eni: 3, 10.0.4.11(eni-rj9il1iuoh9t3qd5doe3, port4) <--- eip(47.254.46.147) acs is moving eip(47.251.3.246) from eni0(10.0.1.11) to eni0(10.0.1.12) acs eip(47.251.3.246) status: Unassociating acs eip(47.251.3.246) status: Unassociating acs eip(47.251.3.246) status: Available acs unassociated eip(47.251.3.246) from instance FGT-A successfully acs eip(47.251.3.246) status: Associating acs eip(47.251.3.246) status: Associating acs eip(47.251.3.246) status: InUse acs associated eip(47.251.3.246) to instance FGT-B successfully acs local instance: FGT-B(i-rj9f5xs9cp9xsweedlcs) eni: 0, 10.0.1.12(eni-rj9f5xs9cp9xswekw6zh, port1) <--- eip(47.251.3.246) eni: 1, 10.0.2.12(eni-rj9j4eztzg3bv65yqd6x, port2) eni: 2, 10.0.3.12(eni-rj9ga16wcti7anp0ot7m, port3) eni: 3, 10.0.4.12(eni-rj9dirnvg0hykei8bl8o, port4) <--- eip(47.254.42.40) acs peer instance: FGT-A(i-rj9il1iuoh9t408i1a60) eni: 0, 10.0.1.11(eni-rj9dirnvg0hykoddvv7z, port1) eni: 1, 10.0.2.11(eni-rj94jig06fag0v1jneyv, port2) eni: 2, 10.0.3.11(eni-rj91wj13vwjs7y1n25ow, port3) eni: 3, 10.0.4.11(eni-rj9il1iuoh9t3qd5doe3, port4) <--- eip(47.254.46.147) acs route table: vtb-rj9q1tgufwqqe5ps3q60i rule: cidr: 0.0.0.0/0, nexthop: 10.0.2.11(eni-rj94jig06fag0v1jneyv) acs is deleting route table entry: 0.0.0.0/0 via 10.0.2.11 acs route table entry deleting acs route table entry deleted acs deleted route table entry: 0.0.0.0/0 via 10.0.2.11 successfully acs is creating route table entry: 0.0.0.0/0 via 10.0.2.12 acs route table entry created acs created route table entry: 0.0.0.0/0 via 10.0.2.12 successfully acs route table: vtb-rj9q1tgufwqqe5ps3q60i rule: cidr: 0.0.0.0/0, nexthop: 10.0.2.12(eni-rj9j4eztzg3bv65yqd6x) ===== exit acs ha failover =====

Deploying FortiGate-VM HA on AliCloud using routing tables and EIPs

Deploying FortiGate-VM HA on AliCloud using routing tables and EIPs

This guide provides a sample configuration of active-passive FortiGate-VM HA on AliCloud within one availability zone.

The following depicts the network topology for this sample deployment:

The following lists the IP address assignments for this sample deployment for FortiGate-A:

Port

AliCloud primary address

Subnet

port1

10.0.1.11

10.0.1.0/24 EIP3

port2

10.0.2.11

10.0.2.0/24

port3

10.0.3.11

10.0.3.0/24

port4

10.0.4.11

10.0.4.0/24 EIP1

The following lists the IP address assignments for this sample deployment for FortiGate-B:

Port

AliCloud primary address

Subnet

port1

10.0.1.12

10.0.24.0

port2

10.0.2.12

10.0.21.0/24

port3

10.0.3.12

10.0.22.0/24

port4

10.0.4.12

10.0.23.0/24

To check the prerequisites:

The following prerequisites must be met for this deployment:

  • One VPC with one subnet each for management, external, internal, and heartbeat purposes
  • Three public IP addresses:
    • EIP1 and EIP2 for FortiGate-A and FortiGate-B management
    • EIP3 for the HA external traffic IP address
  • Two FortiGate-VM instances, both PAYG or BYOL
  • The following summarizes minimum sufficient RAM roles for this deployment:
    • AliyunECSFullAccess
    • AliyunEIPFullAccess
    • AliyunVPCFullAccess
    Note

    Actual role configurations may differ depending on your environments. Check with your company's public cloud administrators for more details.

To configure FortiGate-VM HA in AliCloud:
  1. In the AliCloud management console, create a VPC with four VSwitches:

    VSwitch

    Purpose

    net1-external

    External data traffic on the public network-facing side.

    net2-internal

    External data traffic on the public network-facing side.

    net3-heartbeat

    Heartbeat between two FortiGate nodes. This is unicast communication.

    net4-mgmt

    Dedicated management interface.

  2. Add six ENIs.

  3. Create two routing tables:
    1. Create a routing table called "rtb-internal" for the net2-internal VSwitch. Set the NIC2 secondary IP address (10.0.2.23) as rtb-internal's default gateway. You can create this routing table after configuring NIC2 on FortiGate-A. Ensure that the default gateway is FortiGate-A's port2 ENI.

    2. Create a routing table called "rtb-external" for the remaining VSwitches. Set this VCN's Internet gateway as its default gateway. Ensure that this routing table can access the Internet.

To deploy the FortiGate-VMs in AliCloud:

To take advantage of A-P HA, you need four vNICs (port1 to port4) on each FortiGate-VM that constitutes an A-P HA cluster. Configure all required network interfaces (AliCloud ENIs and FortiGate-VM network interface configuration) that support A-P HA. You must choose an AliCloud instance type that supports at least four vNICs.

Ensure the following:

  • You have configured the security group on each subnet for egress and ingress interfaces appropriately. It is particularly important that the management interfaces have egress Internet access for API calls to the AliCloud metadata server.
  • You attached four NICs for each FortiGate-VM, and assigned the static private IP address.
  • EIP1 was bound to the FortiGate-A port4 management interface.
  • EIP3 was bound to the FortiGate-A port1 external interface.
  • EIP2 was bound to the FortiGate-B port4 management interface.
Note

You can attach a public IP address on the primary FortiGate-VM's external interface instead of an EIP by creating an HAVIP address in the VPC, then binding this HAVIP address to both FortiGates' external interfaces. This approach may shorten the failover time depending on the network environment.

To configure FortiGate-A using the CLI:

The next steps show you how to configure A-P HA settings by using CLI commands on the GUI or via SSH. If using SSH, the FortiGate may lose connection due to routing table changes, so configuring HA via the GUI is recommended.

config system interface
    edit "port1"
        set mode static
        set ip 10.0.1.11 255.255.255.0
        set allowaccess ping https ssh snmp http fgfm
    next
    edit "port2"
        set ip 10.0.2.11 255.255.255.0
        set allowaccess ping https ssh snmp http telnet
    next
    edit "port3"
        set ip 10.0.3.11 255.255.255.0
        set allowaccess ping https ssh snmp http telnet
    next
    edit "port4"
        set ip 10.0.4.11 255.255.255.0
        set allowaccess ping https ssh snmp http telnet
    next
end
config router static
    edit 1
        set gateway 10.0.1.253
        set device "port1"
    next
end
config firewall policy
    edit 1
        set srcintf "port2"
        set dstintf "port1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
    next
end
config system ha
    set group-name "FGT-HA"
    set mode a-p
    set hbdev "port3" 50
    set ha-mgmt-status enable
    config ha-mgmt-interfaces
        edit 1
            set interface "port4"
            set gateway 10.0.4.253
        next
    end
    set priority 128
    set unicast-hb enable
    set unicast-hb-peerip 10.0.3.12
end
To configure FortiGate-B using the CLI:

The next steps show you how to configure A-P HA settings by using CLI commands on the GUI or via SSH. If using SSH, the FortiGate may lose connection due to routing table changes, so configuring HA via the GUI is recommended.

config system interface
    edit "port1"
        set mode static
        set ip 10.0.1.12 255.255.255.0
        set allowaccess ping https ssh snmp http fgfm
    next
    edit "port2"
        set ip 10.0.2.12 255.255.255.0
        set allowaccess ping https ssh snmp http telnet
    next
    edit "port3"
        set ip 10.0.3.12 255.255.255.0
        set allowaccess ping https ssh snmp http telnet
    next
    edit "port4"
        set ip 10.0.4.12 255.255.255.0
        set allowaccess ping https ssh snmp http telnet
    next
end
config router static
    edit 1
        set gateway 10.0.1.253
        set device "port1"
    next
end
config firewall policy
    edit 1
        set srcintf "port2"
        set dstintf "port1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
    next
end
config system ha
    set group-name "FGT-HA"
    set mode a-p
    set hbdev "port3" 50
    set ha-mgmt-status enable
    config ha-mgmt-interfaces
        edit 1
            set interface "port4"
            set gateway 10.0.4.253
        next
    end
    set priority 64
    set unicast-hb enable
    set unicast-hb-peerip 10.0.3.21
end
Note

You must set the FortiGate-B HA priority to a value lower than FortiGate-A's priority level. The node with the lower priority level is determined as the secondary node.

To check the HA status and function:
  1. In FortiOS on the primary FortiGate, go to System > HA. Check that the HA status is synchronized.

  2. Log into a PC that is located in the internal subnet. Verify that the PC can access the Internet via FortiGate-A when FortiGate-A is the primary node.
  3. Shut down FortiGate-A. Verify that FortiGate-B becomes the primary node. Use an API call to verify that the secondary private IP address moves to FortiGate-B.
  4. Log into the PC. Verify that the PC can access the Internet via FortiGate-B when FortiGate-B is the primary node.
  5. You can use the following diagnose commands to see if the secondary private IP address moves from FortiGate-A to FortiGate-B during failover:

    FGT-B # diagnose debug application alicloud-ha -1 Debug messages will be on for 30 minutes. FGT-B # Become HA master mode 2 ===== start acs ha failover ===== send_vip_arp: vd root master 1 intf port1 ip 10.0.1.12 send_vip_arp: vd root master 1 intf port2 ip 10.0.2.12 acs meta info [instance id]: i-rj9f5xs9cp9xsweedlcs acs meta info [ram role]: fhua-ecs-role acs meta info [region]: us-west-1 acs meta info [vpc id]: vpc-rj9h5m14eo5lu97hjaptw acs ecs endpoint is resolved at ecs.us-west-1.aliyuncs.com:47.88.73.18 acs vpc endpoint is resolved at vpc.aliyuncs.com:106.11.61.112 acs is parsing page 1 of total 3(1 page) instances acs is checking tags on instance FGT-A Tag.FGT_port1: eni-rj9dirnvg0hykoddvv7z Tag.FGT_port2: eni-rj94jig06fag0v1jneyv Tag.FGT_port3: eni-rj91wj13vwjs7y1n25ow Tag.FGT_port4: eni-rj9il1iuoh9t3qd5doe3 acs is checking tags on instance FGT-B Tag.FGT_port1: eni-rj9f5xs9cp9xswekw6zh Tag.FGT_port2: eni-rj9j4eztzg3bv65yqd6x Tag.FGT_port3: eni-rj9ga16wcti7anp0ot7m Tag.FGT_port4: eni-rj9dirnvg0hykei8bl8o acs is parsing page 1 of total 13(1 page) EIPs acs local instance: FGT-B(i-rj9f5xs9cp9xsweedlcs) eni: 0, 10.0.1.12(eni-rj9f5xs9cp9xswekw6zh, port1) eni: 1, 10.0.2.12(eni-rj9j4eztzg3bv65yqd6x, port2) eni: 2, 10.0.3.12(eni-rj9ga16wcti7anp0ot7m, port3) eni: 3, 10.0.4.12(eni-rj9dirnvg0hykei8bl8o, port4) <--- eip(47.254.42.40) acs peer instance: FGT-A(i-rj9il1iuoh9t408i1a60) eni: 0, 10.0.1.11(eni-rj9dirnvg0hykoddvv7z, port1) <--- eip(47.251.3.246) eni: 1, 10.0.2.11(eni-rj94jig06fag0v1jneyv, port2) eni: 2, 10.0.3.11(eni-rj91wj13vwjs7y1n25ow, port3) eni: 3, 10.0.4.11(eni-rj9il1iuoh9t3qd5doe3, port4) <--- eip(47.254.46.147) acs is moving eip(47.251.3.246) from eni0(10.0.1.11) to eni0(10.0.1.12) acs eip(47.251.3.246) status: Unassociating acs eip(47.251.3.246) status: Unassociating acs eip(47.251.3.246) status: Available acs unassociated eip(47.251.3.246) from instance FGT-A successfully acs eip(47.251.3.246) status: Associating acs eip(47.251.3.246) status: Associating acs eip(47.251.3.246) status: InUse acs associated eip(47.251.3.246) to instance FGT-B successfully acs local instance: FGT-B(i-rj9f5xs9cp9xsweedlcs) eni: 0, 10.0.1.12(eni-rj9f5xs9cp9xswekw6zh, port1) <--- eip(47.251.3.246) eni: 1, 10.0.2.12(eni-rj9j4eztzg3bv65yqd6x, port2) eni: 2, 10.0.3.12(eni-rj9ga16wcti7anp0ot7m, port3) eni: 3, 10.0.4.12(eni-rj9dirnvg0hykei8bl8o, port4) <--- eip(47.254.42.40) acs peer instance: FGT-A(i-rj9il1iuoh9t408i1a60) eni: 0, 10.0.1.11(eni-rj9dirnvg0hykoddvv7z, port1) eni: 1, 10.0.2.11(eni-rj94jig06fag0v1jneyv, port2) eni: 2, 10.0.3.11(eni-rj91wj13vwjs7y1n25ow, port3) eni: 3, 10.0.4.11(eni-rj9il1iuoh9t3qd5doe3, port4) <--- eip(47.254.46.147) acs route table: vtb-rj9q1tgufwqqe5ps3q60i rule: cidr: 0.0.0.0/0, nexthop: 10.0.2.11(eni-rj94jig06fag0v1jneyv) acs is deleting route table entry: 0.0.0.0/0 via 10.0.2.11 acs route table entry deleting acs route table entry deleted acs deleted route table entry: 0.0.0.0/0 via 10.0.2.11 successfully acs is creating route table entry: 0.0.0.0/0 via 10.0.2.12 acs route table entry created acs created route table entry: 0.0.0.0/0 via 10.0.2.12 successfully acs route table: vtb-rj9q1tgufwqqe5ps3q60i rule: cidr: 0.0.0.0/0, nexthop: 10.0.2.12(eni-rj9j4eztzg3bv65yqd6x) ===== exit acs ha failover =====