Fortinet Document Library

Version: 6.0.0

FortiGate Autoscale for Azure features

Major components

  • The Function App. The Function App handles all the autoscaling features, including master/slave role assignment, license distribution, and failover management.
  • The BYOL Scale Set (hybrid licensing only). This scale set contains 1 or more FortiGate-VMs of the BYOL licensing model. For High Availability, ensure at least 2 FortiGate-VMs are in the group. These FortiGate-VMs are the main instances; they are fixed and run 24x7. For each instance you must provide a valid license purchased from FortiCare.
  • The PAYG Scale Set. This scale set contains 0 or more FortiGate-VMs of the PAYG licensing model. It dynamically scales out or scales in based on the scaling metrics specified by the parameters Scale Out Threshold and Scale In Threshold. As such, this scale set may initially have no instances.
  • The Blob Containers.
    • The configset container contains files that are loaded as the initial configuration of a new FortiGate-VM instance.
      • baseconfig is the base configuration. This file can be modified as needed to meet your network requirements. Placeholders such as {SYNC_INTERFACE} are explained in the Configset placeholders table below.
    • The fgt-asg-license container (hybrid licensing only) contains the BYOL license files.
  • Database tables. These tables store information such as health check monitoring, master election, and state transitions. These records should not be modified unless required for troubleshooting.
  • Networking Components. These are the load-balancing rules, auto-scaling settings, virtual network, and routing-related components. You are expected to create your own client and server instances that you want protected by the FortiGate-VM.

Configset placeholders

When the FortiGate-VM requests the configuration from the autoscaling handler function, the placeholders in the table below will be replaced with actual values for the Autoscaling group.

| Placeholder | Type | Description |
| --- | --- | --- |
| {SYNC_INTERFACE} | Text | The interface for FortiGate-VMs to synchronize information. Specify as port1, port2, port3, etc. All characters must be lowercase. |
| {CALLBACK_URL} | URL | The full URL of the autoscaling handler function. |
| {PSK_SECRET} | Text | The Pre-Shared Key used in FortiOS. |
| {ADMIN_PORT} | Number | The admin port will be replaced with 443. |
| {HEART_BEAT_INTERVAL} | Number | The time interval (in seconds) that the FortiGate-VM waits between sending heartbeat requests to the Autoscale handler function. This placeholder is only in the hybrid licensing deployment. |
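As an added example (not Fortinet's handler code), the substitution the handler performs over a baseconfig, with the table's rules checked before anything is rendered. The template is a constructed FortiOS-style sample and the values are placeholders; the `render_configset` and `validate_values` names are this example's own.

```python
import re
from urllib.parse import urlparse

# Placeholders documented in the table above; HEART_BEAT_INTERVAL only appears in hybrid deployments.
KNOWN_PLACEHOLDERS = {"SYNC_INTERFACE", "CALLBACK_URL", "PSK_SECRET", "ADMIN_PORT", "HEART_BEAT_INTERVAL"}
PLACEHOLDER_RE = re.compile(r"\{([A-Z_]+)\}")

# Constructed FortiOS-style sample baseconfig (not the deployment's real configset file).
SAMPLE_BASECONFIG = """\
config system auto-scale
    set status enable
    set sync-interface {SYNC_INTERFACE}
    set callback-url {CALLBACK_URL}
    set psksecret {PSK_SECRET}
    set hb-interval {HEART_BEAT_INTERVAL}
end
config system global
    set admin-sport {ADMIN_PORT}
end
"""

# One check per placeholder, following the Type/Description rules in the table.
CHECKS = {
    "SYNC_INTERFACE": (lambda v: re.fullmatch(r"port[0-9]+", v) is not None, "must be lowercase portN, e.g. port1"),
    "CALLBACK_URL": (lambda v: bool(urlparse(v).scheme and urlparse(v).netloc), "must be a full URL with scheme and host"),
    "PSK_SECRET": (lambda v: len(v) > 0, "must not be empty"),
    "ADMIN_PORT": (lambda v: v.isdigit() and 0 < int(v) < 65536, "must be a TCP port number"),
    "HEART_BEAT_INTERVAL": (lambda v: v.isdigit() and int(v) > 0, "must be a positive number of seconds"),
}


def validate_values(values):
    """Return a list of problems for the supplied values; an empty list means all rules pass."""
    problems = []
    for name, (ok, why) in CHECKS.items():
        if name in values and not ok(str(values[name])):
            problems.append(f"{name} {why}")
    return problems


def render_configset(template, values):
    """Substitute every {PLACEHOLDER} in template, refusing unknown, missing or invalid values."""
    found = set(PLACEHOLDER_RE.findall(template))
    unknown = found - KNOWN_PLACEHOLDERS
    if unknown:
        raise ValueError(f"unknown placeholders in template: {sorted(unknown)}")
    missing = found - set(values)
    if missing:
        raise ValueError(f"no value supplied for: {sorted(missing)}")
    problems = validate_values({k: values[k] for k in found})
    if problems:
        raise ValueError("; ".join(problems))
    # Every placeholder is now known and valid, so the rendered text contains no braces.
    return PLACEHOLDER_RE.sub(lambda m: str(values[m.group(1)]), template)
```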

Function App environment variables for the PAYG deployment

| Variable name | Description |
| --- | --- |
| RESOURCE_GROUP | Name of the resource group where the Scale Set is deployed. |
| SCALING_GROUP_NAME_PAYG | Name of the PAYG VMSS. This name is made by appending "payg" to the value of the related parameter Scaling Group Name Prefix. |
| SCALING_GROUP_NAME_BYOL | Name of the BYOL VMSS. This name is made by appending "byol" to the value of the related parameter Scaling Group Name Prefix. |
| MASTER_SCALING_GROUP_NAME | This takes the value of SCALING_GROUP_NAME_PAYG. |
| REST_APP_ID, REST_APP_SECRET, WEBSITE_RUN_FROM_ZIP, SCALESET_DB_ACCOUNT, TENANT_ID, HEART_BEAT_LOSS_COUNT, FORTIGATE_PSKSECRET, SCRIPT_TIMEOUT, ELECTION_WAIT_TIME, SUBSCRIPTION_ID | Descriptions of these variables are identical to those of the related parameters, which are described in the section Configurable variables. |
| REST_API_MASTER_KEY | This is the CosmosDB account access key automatically created with the CosmosDB account. |
| REQUIRED_CONFIG_SET | This is a comma-delimited string of additional configsets to load. (Reserved for future use.) |
| UNIQUE_ID | This variable must be left blank (empty). |
| CUSTOM_ID | This variable must be left blank (empty). |
| AZURE_STORAGE_ACCOUNT | This is the Blob Storage account name automatically created during the deployment. |
| AZURE_STORAGE_ACCESS_KEY | This is the Blob Storage account access key automatically created with the Blob Storage account. |
| DEBUG_SAVE_CUSTOM_LOG | A troubleshooting variable. Set to true to save script logs to the DB table CUSTOM_LOG; this is the default behavior. Set to false to disable this feature. |
| DEBUG_LOGGER_OUTPUT_QUEUE_ENABLED | A troubleshooting variable. Set to true to concatenate all log output into one (1) log item in the Azure logging system. Set to false for every log output to have its own log item in the Azure logging system; this is the default behavior. |

Function App environment variables for the hybrid licensing deployment

| Variable name | Description |
| --- | --- |
| RESOURCE_GROUP | Name of the resource group where the template is deployed. |
| PAYG_SCALING_GROUP_NAME | Name of the PAYG VMSS. This name is made by appending "payg" to the value of the related parameter Resource Name Prefix. |
| BYOL_SCALING_GROUP_NAME | Name of the BYOL VMSS. This name is made by appending "byol" to the value of the related parameter Resource Name Prefix. |
| MASTER_SCALING_GROUP_NAME | This takes the value of BYOL_SCALING_GROUP_NAME. |
| REST_APP_ID, REST_APP_SECRET, WEBSITE_RUN_FROM_ZIP, HEART_BEAT_LOSS_COUNT, FORTIGATE_PSK_SECRET, SCRIPT_TIMEOUT, MASTER_ELECTION_TIMEOUT | Descriptions of these variables are identical to those of the related parameters, which are described in the section Configurable variables. |
| REST_API_MASTER_KEY | This is the CosmosDB account access key automatically created with the CosmosDB account. |
| REQUIRED_CONFIG_SET | This is a comma-delimited string of additional configsets to load. (Reserved for future use.) |
| UNIQUE_ID | This variable must be left blank (empty). |
| CUSTOM_ID | This variable must be left blank (empty). |
| AZURE_STORAGE_ACCOUNT | This is the Blob Storage account name automatically created during the deployment. |
| AZURE_STORAGE_ACCESS_KEY | This is the Blob Storage account access key automatically created with the Blob Storage account. |
| DEBUG_SAVE_CUSTOM_LOG | A troubleshooting variable. Set to true to save script logs to the DB table CUSTOM_LOG; this is the default behavior. Set to false to disable this feature. |
| DEBUG_LOGGER_OUTPUT_QUEUE_ENABLED | A troubleshooting variable. Set to true to concatenate all log output into one (1) log item in the Azure logging system. Set to false for every log output to have its own log item in the Azure logging system; this is the default behavior. |
| DEBUG_LOGGER_TIMEZONE_OFFSET | A troubleshooting variable. Set it to the UTC offset of the current deployment location for a better logging display time. |
| ASSET_STORAGE_KEY_PREFIX | The logical hierarchy of the Autoscale assets in the blob storage. This variable must be left blank (empty). |
| ASSET_STORAGE_NAME | The physical path to the Autoscale assets in the blob storage. This variable must be left blank (empty). |
| AUTOSCALE_HANDLER_URL | Automatically created from the function app name. |
| BYOL_SCALING_GROUP_DESIRED_CAPACITY, BYOL_SCALING_GROUP_MAX_SIZE, BYOL_SCALING_GROUP_MIN_SIZE | Descriptions of these variables are identical to those of the related parameters, which are described in the section Configurable variables. |
| DEPLOYMENT_SETTINGS_SAVED | A deployment status related variable. Should always be true (string literal). |
| ENABLE_DYNAMIC_NAT_GATEWAY, ENABLE_FORTIGATE_ELB, ENABLE_HYBRID_LICENSING, ENABLE_INTERNAL_ELB, ENABLE_SECOND_NIC, ENABLE_VM_INFO_CACHE | These are Autoscaling feature toggles. Do not change the default values. |
| FORTIGATE_ADMIN_PORT | NAT admin port on the FortiGate-VM. Default is 8443. Do not change it without instructions from advanced users. |
| FORTIGATE_AUTOSCALE_VPC_ID | The Autoscale virtual network name, automatically created. |
| FORTIGATE_LICENSE_STORAGE_KEY_PREFIX | Logical hierarchy of the path to BYOL license files in the blob storage account. No leading or trailing / (slash). |
| DYNAMIC_NAT_GATEWAY_ROUTE_TABLES, FORTIGATE_AUTOSCALE_ELB_DNS, FORTIGATE_AUTOSCALE_PROTECTED_SUBNET1, FORTIGATE_AUTOSCALE_PROTECTED_SUBNET2, FORTIGATE_AUTOSCALE_SUBNET1, FORTIGATE_AUTOSCALE_SUBNET2, FORTIGATE_PROTECTED_INTERNAL_ELB_DNS, RESOURCE_TAG_PREFIX | These are Autoscaling feature variables that are automatically created. These variables are reserved for future use. |
| FORTIGATE_SYNC_INTERFACE | The FortiGate-VM interface used to synchronize configurations between FortiGate-VM devices. Do not change it without instructions from advanced users. |
| MASTER_ELECTION_NO_WAIT, REQUIRED_DB_TABLE, VM_INFO_CACHE_TIME | These are Autoscaling feature variables. Do not change these variables without instructions from advanced users. |
| GET_LICENSE_GRACE_PERIOD, HEARTBEAT_INTERVAL, HEART_BEAT_DELAY_ALLOWANCE, SCALING_GROUP_DESIRED_CAPACITY, SCALING_GROUP_MAX_SIZE, SCALING_GROUP_MIN_SIZE | Descriptions of these variables are identical to those of the related parameters, which are described in the section Configurable variables. |
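As an added pre-deployment check (not Fortinet's code) over the rules the hybrid licensing table states: the scale set names derived from the Resource Name Prefix, the master group equal to the BYOL group, the must-be-blank variables, the string literal true, the slash rule for the license prefix, and the 8443 default. It assumes the Function App settings are read as a plain name-to-value mapping; the settings dictionary is constructed with deliberate mistakes, the credential values are placeholders, and the check only verifies that credentials are set without ever echoing them.

```python
# Variables the table says must be left blank (empty).
MUST_BE_BLANK = ("UNIQUE_ID", "CUSTOM_ID", "ASSET_STORAGE_KEY_PREFIX", "ASSET_STORAGE_NAME")
# Credentials stored as app settings: checked for presence only, values are never reported.
SECRETS = ("REST_APP_SECRET", "FORTIGATE_PSK_SECRET", "AZURE_STORAGE_ACCESS_KEY", "REST_API_MASTER_KEY")


def lint_hybrid_settings(settings, resource_name_prefix):
    """Return a list of findings for a hybrid deployment's Function App settings (name -> value)."""
    findings = []
    expect = {
        "PAYG_SCALING_GROUP_NAME": resource_name_prefix + "payg",
        "BYOL_SCALING_GROUP_NAME": resource_name_prefix + "byol",
        "DEPLOYMENT_SETTINGS_SAVED": "true",
    }
    # In the hybrid deployment the master group is the BYOL scale set.
    expect["MASTER_SCALING_GROUP_NAME"] = expect["BYOL_SCALING_GROUP_NAME"]
    for name, want in expect.items():
        got = settings.get(name)
        if got != want:
            findings.append(f"{name}: expected {want!r}, found {got!r}")
    for name in MUST_BE_BLANK:
        if settings.get(name, ""):
            findings.append(f"{name}: must be left blank")
    for name in SECRETS:
        if not settings.get(name):
            findings.append(f"{name}: credential is not set")
    prefix = settings.get("FORTIGATE_LICENSE_STORAGE_KEY_PREFIX", "")
    if prefix != prefix.strip("/"):
        findings.append("FORTIGATE_LICENSE_STORAGE_KEY_PREFIX: no leading or trailing slash allowed")
    if settings.get("FORTIGATE_ADMIN_PORT", "8443") != "8443":
        findings.append("FORTIGATE_ADMIN_PORT: changed from default 8443; confirm this was intended")
    if settings.get("DEBUG_SAVE_CUSTOM_LOG", "true") != "true":
        findings.append("DEBUG_SAVE_CUSTOM_LOG: non-default value (default is true)")
    return findings


# Constructed sample settings with three deliberate mistakes (not a real deployment).
SAMPLE_SETTINGS = {
    "RESOURCE_GROUP": "rg-fgt-autoscale",
    "PAYG_SCALING_GROUP_NAME": "fgtaspayg",
    "BYOL_SCALING_GROUP_NAME": "fgtasbyol",
    "MASTER_SCALING_GROUP_NAME": "fgtaspayg",  # wrong: must equal the BYOL group name
    "DEPLOYMENT_SETTINGS_SAVED": "true",
    "UNIQUE_ID": "",
    "CUSTOM_ID": "legacy-id",  # wrong: must be blank
    "ASSET_STORAGE_KEY_PREFIX": "",
    "ASSET_STORAGE_NAME": "",
    "FORTIGATE_LICENSE_STORAGE_KEY_PREFIX": "fgt-asg-license/",  # wrong: trailing slash
    "FORTIGATE_ADMIN_PORT": "8443",
    "REST_APP_SECRET": "<placeholder>",
    "FORTIGATE_PSK_SECRET": "<placeholder>",
    "AZURE_STORAGE_ACCESS_KEY": "<placeholder>",
    "REST_API_MASTER_KEY": "<placeholder>",
}
```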
