Fortinet Document Library

Version: 6.0.0
Cloud-init

In autoscaling, FortiGate uses the cloud-init feature to preconfigure the instances when they first come up. During template deployment, you were required to enter a value for the EndPoints parameter, for example:

EndPoints: https://dchao-auto-scale-func.azurewebsites.net/api/GetConfig

After initialization, FortiGate sends a request to this endpoint to retrieve the configuration it needs. The following is an example from the primary unit:

dchao-ha-0000009 # diag debug cloudinit show

>> Checking metadata source azure

>> Azure waiting for customdata file

>> Azure waiting for customdata file

>> Azure waiting for customdata file

>> Azure customdata file found

>> Azure cloudinit decryp successfully

>> Azure couldn't find mime link

>> Azure trying to get config script from https://dchao-auto-scale-func.azurewebsites.net/api/GetConfig

>> Azure download config script successfully

>> Azure customdata processed successfully

>> Run config script

>> Finish running script

>> dchao-ha-0000009 $ diag sys ha hadiff log enable

>> dchao-ha-0000009 $ diag debug app hasync -1

>> Debug messages will be on for 30 minutes.

>> dchao-ha-0000009 $ diag debug enable

>> dchao-ha-0000009 $ config system dns

>> dchao-ha-0000009 (dns) $ unset primary

>> dchao-ha-0000009 (dns) $ unset secondary

>> dchao-ha-0000009 (dns) $ end

>> dchao-ha-0000009 $ config system auto-scale

>> dchao-ha-0000009 (auto-scale) $ set status enable

>> dchao-ha-0000009 (auto-scale) $ set sync-interface port1

>> dchao-ha-0000009 (auto-scale) $ set role master

>> dchao-ha-0000009 (auto-scale) $ set callback-url https://dchao-auto-scale-func.azurewebsites.net/api/GetConfig

>> dchao-ha-0000009 (auto-scale) $ set psksecret 12345678

>> dchao-ha-0000009 (auto-scale) $ end

>> dchao-ha-0000009 $ config system global

>> dchao-ha-0000009 (global) $ set admin-sport 8443

>> dchao-ha-0000009 (global) $ end

>> dchao-ha-0000009 $ config system interface

>> dchao-ha-0000009 (interface) $ edit port1

>> dchao-ha-0000009 (port1) $ set description ext

>> dchao-ha-0000009 (port1) $ next

>> dchao-ha-0000009 (interface) $ edit port2

>> dchao-ha-0000009 (port2) $ set description int

>> dchao-ha-0000009 (port2) $ set mode dhcp

>> dchao-ha-0000009 (port2) $ set defaultgw disable

>> dchao-ha-0000009 (port2) $ next

>> dchao-ha-0000009 (interface) $ end

The following output is from the secondary unit:

dchao-ha-000000A # diag debug cloudinit show

>> Checking metadata source azure

>> Azure waiting for customdata file

>> Azure waiting for customdata file

>> Azure waiting for customdata file

>> Azure customdata file found

>> Azure cloudinit decryp successfully

>> Azure couldn't find mime link

>> Azure trying to get config script from https://dchao-auto-scale-func.azurewebsites.net/api/GetConfig

>> Azure download config script successfully

>> Azure customdata processed successfully

>> Run config script

>> Finish running script

>> dchao-ha-000000A $

>> dchao-ha-000000A $ diag sys ha hadiff log enable

>> dchao-ha-000000A $ diag debug app hasync -1

>> Debug messages will be on for 30 minutes.

>> dchao-ha-000000A $ diag debug enable

>> dchao-ha-000000A $ config system auto-scale

>> dchao-ha-000000A (auto-scale) $ set status enable

>> dchao-ha-000000A (auto-scale) $ set sync-interface port1

>> dchao-ha-000000A (auto-scale) $ set role slave

>> dchao-ha-000000A (auto-scale) $ set master-ip 10.0.1.5

>> dchao-ha-000000A (auto-scale) $ set callback-url https://dchao-auto-scale-func.azurewebsites.net/api/GetConfig

>> dchao-ha-000000A (auto-scale) $ set psksecret 12345678

>> dchao-ha-000000A (auto-scale) $ end

>> dchao-ha-000000A $ config system dns

>> dchao-ha-000000A (dns) $ unset primary

>> dchao-ha-000000A (dns) $ unset secondary

>> dchao-ha-000000A (dns) $ end

>> dchao-ha-000000A $ config system global

>> dchao-ha-000000A (global) $ set admin-console-timeout 300

>> dchao-ha-000000A (global) $ end

>> dchao-ha-000000A $ config system global

>> dchao-ha-000000A (global) $ set admin-sport 8443

>> dchao-ha-000000A (global) $ end

>> dchao-ha-000000A $

When both units are up, they behave as in an HA scenario, synchronizing configuration and so on. However, the Azure load balancing mechanism handles traffic allocation: the load balancer decides which instance receives the traffic based on its load balancing rules.

You are expected to configure any necessary FortiGate settings on the primary unit; they are synced to the secondary unit(s), if any.
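As an added example (not from the Fortinet page or Fortinet's own tooling): a small Python checker that parses `diag debug cloudinit show` output like the transcripts above, confirms the bootstrap milestones appeared, extracts the auto-scale settings the config script applied, and reports items worth reviewing before trusting that the instance joined correctly. The sample transcript is constructed and abridged from the secondary unit's output; the milestone list and the review checks are this editor's assumptions, not Fortinet's.

```python
import re
# Constructed sample, abridged from the secondary unit's transcript above
SAMPLE_SECONDARY = """\
>> Checking metadata source azure
>> Azure customdata file found
>> Azure trying to get config script from https://dchao-auto-scale-func.azurewebsites.net/api/GetConfig
>> Azure download config script successfully
>> Run config script
>> Finish running script
>> dchao-ha-000000A (auto-scale) $ set status enable
>> dchao-ha-000000A (auto-scale) $ set sync-interface port1
>> dchao-ha-000000A (auto-scale) $ set role slave
>> dchao-ha-000000A (auto-scale) $ set master-ip 10.0.1.5
>> dchao-ha-000000A (auto-scale) $ set callback-url https://dchao-auto-scale-func.azurewebsites.net/api/GetConfig
>> dchao-ha-000000A (auto-scale) $ set psksecret 12345678
>> dchao-ha-000000A (auto-scale) $ end
"""

# Milestones a healthy bootstrap reports, in the order they should appear (assumed list)
STAGES = ["Azure customdata file found",
          "Azure download config script successfully", "Finish running script"]

# Matches echoed CLI lines such as ">> host (auto-scale) $ set role slave"
SET_RE = re.compile(r"^>> \S+ \((?P<ctx>[\w-]+)\) \$ set (?P<key>[\w-]+) (?P<val>.+)$")

def parse_cloudinit(text):
    """Return which stages completed and the auto-scale settings the script applied."""
    lines = [ln.rstrip() for ln in text.splitlines()]
    seen = [s for s in STAGES if any(ln.endswith(s) for ln in lines)]
    settings = {}
    for ln in lines:
        m = SET_RE.match(ln)
        if m and m.group("ctx") == "auto-scale":
            settings[m.group("key")] = m.group("val").strip()
    return {"stages_ok": seen == STAGES,
            "missing": [s for s in STAGES if s not in seen], "auto_scale": settings}

def audit(report):
    """Findings a reviewer would want before trusting the instance joined correctly."""
    findings = []
    if not report["stages_ok"]:
        findings.append("bootstrap incomplete: missing " + ", ".join(report["missing"]))
    a = report["auto_scale"]
    if a.get("role") == "slave" and "master-ip" not in a:
        findings.append("secondary unit has no master-ip")
    psk = a.get("psksecret", "")
    if psk and (len(psk) < 16 or psk.isdigit()):
        findings.append("psksecret is short or numeric; use a long random value")
    return findings
```

Run it against the captured output of each unit after scale-out; an incomplete bootstrap or a secondary without a master-ip explains most cases where a new instance never syncs with the primary.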
