Fortinet Document Library

FortiSandbox VM on Azure

Version: 3.1.0

Optional: Using high availability

You can set up multiple FortiSandbox instances in a load-balancing HA (high availability) cluster.

For information on using HA clusters, see the FortiSandbox Administration Guide.

Configuring an HA cluster

To create FortiSandbox instances on Azure:
  1. Create at least two network interfaces on Azure.

    The second network interface is for HA communication. If you use custom VMs, you might need more interfaces.

    See Creating network interfaces.

  2. In Network security group, open these ports for HA communication.
    TCP 2015 0.0.0.0/0
    TCP 2018 0.0.0.0/0
  3. Create the master instance first.

    This example creates a PAYG master instance using four network interfaces.

    az vm create --resource-group demo_testfsa312ha --location eastus --name demofsaazure312 \
      --boot-diagnostics-storage demotmpdiagno312 --image "fortinet:fortinet_fortisandbox_vm:fortinet_fsa-vm_payg:3.1.00" \
      --size Standard_A4_V2 \
      --nics demo_test312_port1 demo_test312_port2 demo_test312_port3 demo_test312_port4 \
      --generate-ssh-keys --verbose
    
  4. Create more pairs of network interfaces on the same subnet as the master instance, with a different public IP address for each interface so that you can access them.
    • Create one pair for the primary slave.
    • Create one or more pairs for the regular slave.
  5. Create the primary slave instance.

    If you want clustering without HA, the primary slave is optional.

    This example creates a PAYG primary slave instance using four network interfaces.

    az vm create --resource-group demo_testfsa312ha --location eastus --name demofsaazure312MS \
      --boot-diagnostics-storage demotmpdiagno312 --image "fortinet:fortinet_fortisandbox_vm:fortinet_fsa-vm_payg:3.1.00" \
      --size Standard_A4_V2 \
      --nics demo_test312_MSport1 demo_test312_MSport2 demo_test312_MSport3 demo_test312_MSport4 \
      --generate-ssh-keys --verbose
    
  6. Create one or more instances for the regular slave.

    This example creates a PAYG regular slave instance using four network interfaces.

    az vm create --resource-group demo_testfsa312ha --location eastus --name demofsaazure312PS1 \
      --boot-diagnostics-storage demotmpdiagno312 --image "fortinet:fortinet_fortisandbox_vm:fortinet_fsa-vm_payg:3.1.00" \
      --size Standard_A4_V2 \
      --nics demo_test312_PS1port1 demo_test312_PS1port2 demo_test312_PS1port3 demo_test312_PS1port4 \
      --generate-ssh-keys --verbose
  7. In Azure, add a secondary IP address on the master instance for HA.
    1. In the master instance VM, go to the master instance's Network interface page.
    2. Go to IP configurations and click Add.
    3. Add a secondary static Private IP address.
    4. If you wish, you can add a new static Public IP address for HA public access.
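
Step 2 opens TCP 2015 and 2018 to 0.0.0.0/0, while the second network interface carries HA communication between cluster nodes. The following added example (not part of the Fortinet guide) audits an exported NSG rule list and reports inbound Allow rules that expose either HA port to any source. The `<NSG_NAME>` placeholder, the TSV column order and the sample rows are assumptions.

```shell
#!/usr/bin/env bash
# Audit NSG rules for the FortiSandbox HA ports (TCP 2015 and 2018).
# Input: TSV rows of name, direction, access, protocol, source, destination port, e.g. from
#   az network nsg rule list -g demo_testfsa312ha --nsg-name <NSG_NAME> \
#     --query "[].[name,direction,access,protocol,sourceAddressPrefix,destinationPortRange]" -o tsv
# <NSG_NAME> is a placeholder; the page does not name the NSG.

# Print "<rule name><TAB><port>" for every inbound Allow rule that
# exposes an HA port to any source address.
audit_ha_rules() {
  awk -F'\t' '
    BEGIN { n = split("2015 2018", ha, " ") }     # HA ports from step 2
    # Does a port spec such as "2015", "2000-2100" or "*" include port?
    function covers(range, port,   b) {
      if (range == "*") return 1
      if (split(range, b, "-") == 2)
        return (port + 0 >= b[1] + 0 && port + 0 <= b[2] + 0)
      return (range + 0 == port + 0)
    }
    # Source values that mean "anywhere".
    function any_source(src) {
      src = tolower(src)
      return (src == "*" || src == "0.0.0.0/0" || src == "internet" || src == "any")
    }
    tolower($2) == "inbound" && tolower($3) == "allow" &&
    ($4 == "*" || tolower($4) == "tcp") && any_source($5) {
      for (i = 1; i <= n; i++)
        if (covers($6, ha[i])) print $1 "\t" ha[i]
    }'
}

# Constructed sample rows (not taken from a real subscription).
sample_rules() {
  printf '%s\t%s\t%s\t%s\t%s\t%s\n' \
    ha-2015-any     Inbound Allow Tcp '0.0.0.0/0'    2015 \
    ha-2018-subnet  Inbound Allow Tcp '10.37.1.0/24' 2018 \
    wide-range      Inbound Allow '*' Internet       2000-2100 \
    https-admin     Inbound Allow Tcp '*'            443 \
    deny-2018       Inbound Deny  Tcp '*'            2018
}

sample_rules | audit_ha_rules
```

A rule whose source is the HA subnet (the constructed `10.37.1.0/24` in the sample) is not reported; any reported rule is a candidate for narrowing its source prefix to the subnet that holds the cluster's HA interfaces.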

To configure the FortiSandbox instances on Azure:
  1. Log in to the FSA WebGUI using the EIPs and download the latest FSA Azure firmware.

    FSA HA features are supported on firmware v3.1.2 or higher.

  2. Follow the instructions on Importing Azure settings into FortiSandbox to configure the Azure Config page for both the master and primary slave.

    If you are not using custom VMs, then the Vnet, Snet, and VM type settings are optional.

  3. Go to Virtual Machine > VM Images and update the WindowsCloudVM Clone #.

    HA mode only supports WindowsCloudVM.

To configure the HA cluster in FortiSandbox:

In this example, 10.37.0.100 is an HA external communication IP address.

  1. Configure the master node using these CLI commands:
    hc-settings -sc -tM -nMyHAMaster -cClusterName -p123 -iport2
    hc-settings -si -iport1 -a10.37.0.100/24
    
  2. Configure the primary slave:
    hc-settings -sc -tP -nMyPSlave -cClusterName -p123 -iport2
    hc-slave -a -sMASTER_Port2_IP -p123
    
  3. Configure the first regular slave:
    hc-settings -sc -tR -nMyRSlave1 -cClusterName -p123 -iport2
    hc-slave -a -sMASTER_Port2_IP -p123
    
  4. If needed, configure additional regular slaves:
    hc-settings -sc -tR -nMyRSlave2 -cClusterName -p123 -iport2
    hc-slave -a -sMASTER_Port2_IP -p123
    
To check the status of the HA cluster:
  1. On the master node, enter this command:
    hc-status -l

    The status of all units in the cluster appears. If the clone number for any instance is 0 or not displayed, the instance is not correctly set up with WindowsCloudVM.

Note

When a master fails over to a primary slave, the public IP address (if set) follows the secondary IP address binding, and both automatically switch to the primary slave.
