Fortinet Document Library

Version:


Table of Contents

About FortiGate for OCI

Single FortiGate-VM Deployment

Use Case: High Availability for FortiGate on OCI

Deploying FortiGate-VM using Terraform

Security Fabric Connector Integration with OCI

Resources

Upgrade Path Tool
6.0.0
Copy Link

Configuring the OCI HA interface

OCI recommends leaving VM NIC interfaces set to DHCP. This is to avoid potential misaligned configurations. However, when configuring an NVA, you may need to ignore this recommendation. When doing so, ensure that the IP addresses correspond with those intended, so that to the extent required, the configurations match.

In the case of HA, it is necessary that the FortiGates have the correct IP information statically configured in order to provide proper failover between the two devices. OCI API calls enable this type of failover through the OCI SDN, but only for IP addresses configured as secondary in the OCI vNIC configuration. Also, OCI API calls, if initiated from within a VCN, must be made by a primary interface with a public address. Thus, the network configuration for OCI HA will be unique and very specific.

port1

The primary vNIC associated with the FortiGate NVA must have a primary IP address with a corresponding public IP address, and so needs to be configured in a public subnet. This will be used as a management interface and the interface from which API calls are made (this will be assigned in the HA configuration). See the below images for this interface's OCI configuration, then the corresponding FortiGate configuration.

port2

Beyond port1 (also the primary vNIC), interface order is arbitrary and can be rearranged. In this example, port2 is assumed to be a public/WAN-facing interface. The FortiGate configuration below does not use the primary address, shown in the OCI configuration below. This is because this IP address is not relocatable to the secondary FortiGate in the event of failure. As such, neither FortiGate will use it. In this example, the FortiGate uses only a single secondary IP address. You can add multiple secondary IP addresses. In the case of a failover, all secondary IP addresses and any associated public IP addresses are transferred to the other FortiGate. These can be referenced explicitly in the interface configuration by enabling secondary IP addresses (see the port3 FortiGate configuration) or by creating VIPs or load balancer rules to forward using PAT/DNAT.

port3

In this example, port3 is configured as the internal port, which is used to connect to internal resources on local subnets, peered VCNs, and so on. In this case, port3 has two secondary IP addresses in OCI and the same two IP addresses configured on the interface in the FortiGate configuration. However, as mentioned earlier, FortiGate does not use the primary IP address.

port4

In this example, port4 is used as the HA interface for heartbeat and configuration synchronization. As such, it only needs a single private IP address.

Additional configuration

For any unconnected subnets or networks, the FortiGate needs a route assigned to know how to get to them. Typically, these will be connected via the internal designated interface. In this case, this is port3. Therefore, a route with a next-hop or gateway of the first IP address of the subnet to which port3 belongs is necessary. This can be a specific host route or summary route of some sort.

See below, where a summary route is configured for 10.0.0.0/8. If this route is not added, the FortiGate communicates with any unconnected routes through the default (0.0.0.0/0) route, which typically should be out the WAN interface (port2 in this example). Since all interfaces are being configured statically and no default route will be configured through DHCP, you must also add this default route. In FortiOS, if no destination is set, the default route of 0.0.0.0/0 is assumed. Therefore, the 2 configuration below is the default route.

Resources

Configuring the OCI HA interface

OCI recommends leaving VM NIC interfaces set to DHCP. This is to avoid potential misaligned configurations. However, when configuring an NVA, you may need to ignore this recommendation. When doing so, ensure that the IP addresses correspond with those intended, so that to the extent required, the configurations match.

In the case of HA, it is necessary that the FortiGates have the correct IP information statically configured in order to provide proper failover between the two devices. OCI API calls enable this type of failover through the OCI SDN, but only for IP addresses configured as secondary in the OCI vNIC configuration. Also, OCI API calls, if initiated from within a VCN, must be made by a primary interface with a public address. Thus, the network configuration for OCI HA will be unique and very specific.

port1

The primary vNIC associated with the FortiGate NVA must have a primary IP address with a corresponding public IP address, and so needs to be configured in a public subnet. This will be used as a management interface and the interface from which API calls are made (this will be assigned in the HA configuration). See the below images for this interface's OCI configuration, then the corresponding FortiGate configuration.

port2

Beyond port1 (also the primary vNIC), interface order is arbitrary and can be rearranged. In this example, port2 is assumed to be a public/WAN-facing interface. The FortiGate configuration below does not use the primary address, shown in the OCI configuration below. This is because this IP address is not relocatable to the secondary FortiGate in the event of failure. As such, neither FortiGate will use it. In this example, the FortiGate uses only a single secondary IP address. You can add multiple secondary IP addresses. In the case of a failover, all secondary IP addresses and any associated public IP addresses are transferred to the other FortiGate. These can be referenced explicitly in the interface configuration by enabling secondary IP addresses (see the port3 FortiGate configuration) or by creating VIPs or load balancer rules to forward using PAT/DNAT.

port3

In this example, port3 is configured as the internal port, which is used to connect to internal resources on local subnets, peered VCNs, and so on. In this case, port3 has two secondary IP addresses in OCI and the same two IP addresses configured on the interface in the FortiGate configuration. However, as mentioned earlier, FortiGate does not use the primary IP address.

port4

In this example, port4 is used as the HA interface for heartbeat and configuration synchronization. As such, it only needs a single private IP address.

Additional configuration

For any unconnected subnets or networks, the FortiGate needs a route assigned to know how to get to them. Typically, these will be connected via the internal designated interface. In this case, this is port3. Therefore, a route with a next-hop or gateway of the first IP address of the subnet to which port3 belongs is necessary. This can be a specific host route or summary route of some sort.

See below, where a summary route is configured for 10.0.0.0/8. If this route is not added, the FortiGate communicates with any unconnected routes through the default (0.0.0.0/0) route, which typically should be out the WAN interface (port2 in this example). Since all interfaces are being configured statically and no default route will be configured through DHCP, you must also add this default route. In FortiOS, if no destination is set, the default route of 0.0.0.0/0 is assumed. Therefore, the 2 configuration below is the default route.