FortiSandbox VM on Azure

3.1.0

Optional: Using HA-Cluster

You can set up multiple FortiSandbox instances in a load-balancing HA (high availability) cluster.

For information on using HA clusters, see the FortiSandbox Administration Guide.

Configuring an HA cluster

To create FortiSandbox instances on Azure:
  1. Create at least two network interfaces on Azure.

    The second network interface is for HA communication. If you use custom VMs, you might need more interfaces.

    See Creating network interfaces.

  2. In Network security group, open these ports for HA communication.
    TCP 2015 0.0.0.0/0
    TCP 2018 0.0.0.0/0
  3. Create the primary (formerly master) instance first.

    This example uses a PAYG primary instance using four network interfaces.

    az vm create --resource-group demo_testfsa312ha --location eastus --name demofsaazure312 \
      --boot-diagnostics-storage demotmpdiagno312 --image "fortinet:fortinet_fortisandbox_vm:fortinet_fsa-vm_payg:3.1.00" \
      --size Standard_A4_V2 \
      --nics demo_test312_port1 demo_test312_port2 demo_test312_port3 demo_test312_port4 \
      --generate-ssh-keys --verbose
    
  4. Create more pairs of network interfaces on the same subnet as the primary instance using a different public IP address for each interface so that you can access them.
    • Create one pair for the secondary (formerly primary slave) instance.
    • Create one or more pairs for the worker (formerly slave or regular slave).
  5. Create the secondary instance.

    If you want clustering without HA, the secondary is optional.

    This example uses a PAYG secondary instance using four network interfaces.

    az vm create --resource-group demo_testfsa312ha --location eastus --name demofsaazure312MS \
      --boot-diagnostics-storage demotmpdiagno312 --image "fortinet:fortinet_fortisandbox_vm:fortinet_fsa-vm_payg:3.1.00" \
      --size Standard_A4_V2 \
      --nics demo_test312_MSport1 demo_test312_MSport2 demo_test312_MSport3 demo_test312_MSport4 \
      --generate-ssh-keys --verbose
    
  6. Create one or more instances for the worker.

    This example uses a PAYG worker instance using four network interfaces.

    az vm create --resource-group demo_testfsa312ha --location eastus --name demofsaazure312PS1 \
      --boot-diagnostics-storage demotmpdiagno312 --image "fortinet:fortinet_fortisandbox_vm:fortinet_fsa-vm_payg:3.1.00" \
      --size Standard_A4_V2 \
      --nics demo_test312_PS1port1 demo_test312_PS1port2 demo_test312_PS1port3 demo_test312_PS1port4 \
      --generate-ssh-keys --verbose
  7. In Azure, add a secondary IP address on the primary instance for HA.
    1. In the primary instance VM, go to the primary instance's Network interface page.
    2. Go to IP configurations and click Add.
    3. Add a secondary static Private IP address.
    4. If you wish, you can add a new static Public IP address for HA public access.
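
Added example (not part of Fortinet's documentation): step 2 opens TCP 2015 and 2018 to 0.0.0.0/0, so this Python check reads network security group rules in the JSON shape returned by az network nsg rule list and reports inbound allow rules that expose those ports to sources outside the HA subnet. The rule data and the 10.37.1.0/24 HA subnet are constructed, and limiting the source to that subnet is an assumption based on HA traffic using the second interface.

```python
import ipaddress

HA_PORTS = {2015, 2018}  # HA communication ports listed in step 2
# Constructed sample in the shape of `az network nsg rule list -o json`.
SAMPLE_RULES = [
    {"name": "ha-open", "direction": "Inbound", "access": "Allow", "protocol": "Tcp",
     "sourceAddressPrefix": "0.0.0.0/0", "destinationPortRanges": ["2015", "2018"]},
    {"name": "ha-subnet", "direction": "Inbound", "access": "Allow", "protocol": "Tcp",
     "sourceAddressPrefix": "10.37.1.0/24", "destinationPortRange": "2015-2018"},
    {"name": "https", "direction": "Inbound", "access": "Allow", "protocol": "Tcp",
     "sourceAddressPrefix": "*", "destinationPortRange": "443"},
]

def covered_ha_ports(rule):
    """HA ports matched by the rule's destination port range(s)."""
    ranges = (rule.get("destinationPortRanges") or []) + [rule.get("destinationPortRange")]
    hit = set()
    for r in filter(None, ranges):
        lo, _, hi = r.replace("*", "0-65535").partition("-")
        hit |= {p for p in HA_PORTS if int(lo) <= p <= int(hi or lo)}
    return hit

def sources_outside(rule, ha_subnet):
    """Source prefixes of the rule that are not inside ha_subnet (assumed HA range)."""
    net = ipaddress.ip_network(ha_subnet)
    srcs = (rule.get("sourceAddressPrefixes") or []) + [rule.get("sourceAddressPrefix")]
    bad = []
    for s in filter(None, srcs):
        try:
            inside = ipaddress.ip_network(s, strict=False).subnet_of(net)
        except (ValueError, TypeError):  # "*", service tags, other IP version
            inside = False
        if not inside:
            bad.append(s)
    return bad

def audit(rules, ha_subnet):
    """Inbound allow rules exposing an HA port beyond ha_subnet (priority not evaluated)."""
    findings = []
    for r in rules:
        tcp = str(r.get("protocol", "*")).lower() in ("tcp", "*")
        if not tcp or (r.get("direction"), r.get("access")) != ("Inbound", "Allow"):
            continue
        ports, bad = covered_ha_ports(r), sources_outside(r, ha_subnet)
        if ports and bad:
            findings.append((r["name"], sorted(ports), bad))
    return findings
```

Service tags and wildcard sources are reported because they cannot be shown to lie inside the HA subnet.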

To configure the FortiSandbox instances on Azure:
  1. Log in to the FortiSandbox web GUI using the EIP and download the latest FortiSandbox Azure firmware.

    FortiSandbox 3.1.2 or later supports HA features.

  2. Follow the instructions on Importing Azure settings into FortiSandbox to configure the Azure Config page for both the primary and secondary.

    If you are not using custom VMs, then the Vnet, Snet, and VM type settings are optional.

  3. Go to Virtual Machine > VM Images and update the WindowsCloudVM Clone #.

    HA mode only supports WindowsCloudVM.

To configure the HA cluster in FortiSandbox:

In this example, 10.37.0.100 is an HA external communication IP address.

  1. Configure the primary node using these CLI commands:
    hc-settings -sc -tM -nMyHAMaster -cClusterName -p123 -iport2
    hc-settings -si -iport1 -a10.37.0.100/24
    
  2. Configure the secondary node:
    hc-settings -sc -tP -nMyPSlave -cClusterName -p123 -iport2
    hc-slave -a -sMASTER_Port2_IP -p123
    
  3. Configure the first worker:
    hc-settings -sc -tR -nMyRSlave1 -cClusterName -p123 -iport2
    hc-slave -a -sMASTER_Port2_IP -p123
    
  4. If needed, configure additional workers:
    hc-settings -sc -tR -nMyRSlave2 -cClusterName -p123 -iport2
    hc-slave -a -sMASTER_Port2_IP -p123
    
To check the status of the HA cluster:
  1. On the primary node, enter this command:
    hc-status -l

    The status of all units in the cluster appears. If the clone number for any instance is 0 or not displayed, the instance is not correctly set up with WindowsCloudVM.

Note

When a primary node fails over to a secondary node, the public IP address (if set) follows the secondary IP address binding, and both automatically switch to the secondary node.
