Fortinet Document Library

Version:
6.0.0

Overview

FortiGate active-passive HA

FortiGate's native active-passive HA feature, which does not rely on an OCI supplementary mechanism such as a load balancer, can be configured with two FortiGate instances: one acting as the primary node and the other as the secondary node, both located in the same region. In this guide, the primary and secondary nodes are referred to as FortiGate A and FortiGate B, respectively. This is called "unicast HA" and is specific to cloud environments, including OCI: it differs from the equivalent feature on physical FortiGate units in order to comply with cloud network restrictions. The FortiGates run heartbeats between dedicated ports and synchronize OS configurations. When the primary node fails, the secondary node takes over as the primary node so endpoints continue to communicate with external resources over the FortiGate. Sessions are also synchronized at the time of failover.

FortiOS 6.0.1 and later versions support FortiGate A-P HA for OCI. Using the latest version of FortiGate-VM is always recommended.

Deploying and configuring FortiGate active-passive HA

For this HA deployment, you must manually deploy two FortiGate-VM instances on OCI, then manually configure each of them using CLI commands. The IP addresses in your deployment will differ from those in the diagram below.

Note: You must configure primary private IP addresses, even where not mentioned in the diagram. Although not required for HA purposes, this must be done to comply with general networking requirements.
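The unicast heartbeat pairing described above, sketched as FortiOS CLI for both nodes. This is an added example, not configuration from this guide: the group name, the heartbeat port (port4), the priorities and the 192.0.2.x peer addresses are constructed placeholders, and the `#` lines are annotations for the reader.

```fortios
# --- FortiGate A (intended primary); all values below are constructed ---
config system ha
    set group-name "oci-ha-example"
    set mode a-p
    # dedicated heartbeat port, as the overview describes
    set hbdev "port4" 50
    # keep sessions synchronized so they survive failover
    set session-pickup enable
    set override disable
    # higher priority on the intended primary
    set priority 200
    # unicast heartbeat instead of the mechanism used by physical units
    set unicast-hb enable
    # heartbeat-port address of FortiGate B (placeholder)
    set unicast-hb-peerip 192.0.2.12
end

# --- FortiGate B (intended secondary); mirror image of A ---
config system ha
    set group-name "oci-ha-example"
    set mode a-p
    set hbdev "port4" 50
    set session-pickup enable
    set override disable
    # lower priority than FortiGate A
    set priority 100
    set unicast-hb enable
    # heartbeat-port address of FortiGate A (placeholder)
    set unicast-hb-peerip 192.0.2.11
end
```

Each node's peer IP must be the other node's heartbeat-port address, and the group name and mode must match on both; `get system ha status` on either node shows whether the pair has formed.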