Fortinet Document Library
Version: 6.0.0
Reviewing the network topology

A recommended installation requires four network interfaces per FortiGate-VM node. In addition to the inbound and outbound data interfaces, two interfaces are reserved for internal operations: management and heartbeat. Ensure you choose an OCI VM instance size (shape) that supports four network interfaces.

The following describes the usage of each port. Ports 1 and 2 are on public (or untrusted) subnets, and public IP addresses are allocated to them.

Port 1: Dedicated management interface. In case of heartbeat failure, the passive firewall needs a dedicated port through which to communicate with OCI to issue failover-related commands. This port is always available, regardless of node status (active/passive), except when a node is down.

Port 2: External data interface on the public network-facing side. A public IP address for the protected server is associated with the active node's private IP address. FortiGate performs NAT for inbound and outbound traffic.

Port 3: Internal data traffic interface on the protected/trusted network-facing side.

Port 4: Heartbeat between the two FortiGate nodes. This is unicast communication. This heartbeat interface has its own dedicated "hbdev" VDOM and cannot be used for any other purpose.

You must configure Port 1 as the management interface, while the other ports are interchangeable. The best practice is to locate each port in a different subnet.

Note: You must configure primary private IP addresses, even where the diagram does not show them. Although not required for HA purposes, this must be done to comply with general networking requirements.
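How the four ports map onto the HA settings, as an added example that is not from this page: FortiOS CLI for the primary node, assuming port1 carries the dedicated HA management route, port4 is the unicast heartbeat device, and the addresses shown (gateway 10.0.1.1, peer 10.0.4.12) are placeholders for your own VCN layout.

```fortios
# Added example (not from the page): HA settings on the primary node,
# one block per topology rule. Addresses are placeholders.
config system ha
    set group-name "oci-ha"
    set mode a-p
    # Port 4: dedicated heartbeat link, unicast to the peer's port4 address
    set hbdev "port4" 50
    set unicast-hb enable
    set unicast-hb-peerip 10.0.4.12
    # Port 1: out-of-band management path that stays reachable on the
    # passive node, so it can call the OCI API during failover
    set ha-mgmt-status enable
    config ha-mgmt-interfaces
        edit 1
            set interface "port1"
            set gateway 10.0.1.1
        next
    end
    # Primary wins election; keep override off so a recovered node
    # does not force a second failover
    set priority 200
    set override disable
end
```

Port 2 and port 3 need no HA-specific settings; they are ordinary data interfaces whose private IPs move with the active role via the OCI API.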
