Fortinet Document Library

Version: 6.0.0

Checking the prerequisites

To deploy and configure the FortiGate-VM as an A-P high availability (HA) solution, you need the following items:

  • Google Cloud command interface. In this example, you will deploy two FortiGate-VMs using Google Cloud. For more information about how to deploy FortiGate-VM using Google Cloud, see Using the Google Cloud SDK to Deploy FortiGate-VM.
  • Availability to accommodate the required GCP resources:
    • Four networks/subnets
      • Ensure that the two FortiGates have connectivity to each other on each network.
      • Appropriate ingress/egress firewall rules for the relevant networks (the same as for a single FortiGate-VM deployment). For details on the open ports that the FortiGate requires, see FortiGate Open Ports.
    • Three public (external) IP addresses:
      • One for traffic to/through the active (primary) FortiGate. In the event of a failover, this IP address moves from the primary FortiGate to the secondary. This must be a static external IP. You should reserve/create it before creating FortiGate instances, or promote an ephemeral IP to a static one after deployment. See Reserving a Static External IP Address.
      • Two for management access to each FortiGate. They can be ephemeral IP addresses, but static ones are highly recommended. See IP Addresses.
    • All internal IP addresses must be static, not DHCP. You should change ephemeral IP addresses to static ones after deployment. See Reserving a Static Internal IP Address.
    • Two FortiGate-VM instances:
      • The two nodes must be deployed in the same region/zone.
      • Each FortiGate-VM must have at least four network interfaces.
      • Each FortiGate-VM should have a log disk attached. Log disks should be created before deploying FortiGate instances. This is the same requirement as when deploying a single FortiGate-VM.
      • Machine types that support at least four network interfaces. See Creating Instances with Multiple Network Interfaces.
      • Two valid FortiGate-VM BYOL licenses. See Licensing.
  • Configuration of SDN Connector with GCP is required. See Configuring GCP SDN Connector on FortiGate for GCP.
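
A preflight check for the instance-level items in this list, added here as an example (it is not Fortinet's code): it takes parsed `gcloud compute instances describe --format=json` and `gcloud compute addresses list --format=json` output and reports every prerequisite that is not met. The function names, the `cluster_ip` parameter, the sample data, and the rule that any attached non-boot disk counts as the log disk are assumptions.

```python
"""Preflight check for the A-P HA prerequisites over gcloud JSON output."""

def check_ha_pair(instances, addresses, cluster_ip):
    """Return a list of prerequisite violations (empty list means ready).

    instances:  objects from `gcloud compute instances describe --format=json`
    addresses:  objects from `gcloud compute addresses list --format=json`
    cluster_ip: the external IP that moves on failover (supplied by the caller)
    """
    # Only reserved (static) addresses appear in the addresses list.
    reserved = {a["address"]: a.get("addressType", "EXTERNAL") for a in addresses}
    if len(instances) != 2:
        return ["expected exactly two FortiGate-VM instances"]
    problems = []
    if instances[0]["zone"] != instances[1]["zone"]:
        problems.append("nodes are not in the same zone")
    if reserved.get(cluster_ip) != "EXTERNAL":
        problems.append(f"cluster IP {cluster_ip} is not a static external IP")
    for inst in instances:
        name, nics = inst["name"], inst["networkInterfaces"]
        if len(nics) < 4:
            problems.append(f"{name}: fewer than four network interfaces")
        # Assumption: any attached non-boot disk is the log disk.
        if all(d.get("boot") for d in inst.get("disks", [])):
            problems.append(f"{name}: no log disk attached")
        for nic in nics:
            if reserved.get(nic["networkIP"]) != "INTERNAL":
                problems.append(f"{name}: internal IP {nic['networkIP']} is not static")
    # Both nodes need an interface on each of the same networks.
    nets = [sorted(n["network"] for n in i["networkInterfaces"]) for i in instances]
    if nets[0] != nets[1]:
        problems.append("nodes are not attached to the same networks")
    return problems

def sample_instance(name, zone, ips, log_disk=True):
    """Constructed sample shaped like gcloud's instance JSON."""
    return {"name": name, "zone": zone,
            "disks": [{"boot": True}] + ([{"boot": False}] if log_disk else []),
            "networkInterfaces": [{"network": f"net{i}", "networkIP": ip}
                                  for i, ip in enumerate(ips)]}

# Constructed sample data (RFC 5737 and RFC 1918 addresses).
ADDRESSES = [{"address": "203.0.113.10", "addressType": "EXTERNAL"}] + [
    {"address": f"10.0.{n}.{h}", "addressType": "INTERNAL"}
    for n in range(4) for h in (2, 3)]
FGT_A = sample_instance("fgt-a", "us-central1-a", [f"10.0.{n}.2" for n in range(4)])
FGT_B = sample_instance("fgt-b", "us-central1-a", [f"10.0.{n}.3" for n in range(4)])

if __name__ == "__main__":
    print(check_ha_pair([FGT_A, FGT_B], ADDRESSES, "203.0.113.10") or "ready")
```

The check does not cover firewall rules, licensing, or the SDN Connector configuration, which still need to be verified separately.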
