Checking the prerequisites
To deploy and configure two FortiGate-VMs as an active-passive (A-P) HA pair, you need the following items:
- The Google Cloud SDK command-line interface (gcloud). In this example, you deploy the two FortiGate-VMs with the Google Cloud SDK. For more information about how to deploy a FortiGate-VM this way, see Deploying FortiGate-VM using Google Cloud SDK.
- Quota and capacity in the project to accommodate the required GCP resources:
- Four networks/subnets
- Ensure that the two FortiGates have connectivity to each other on each network.
- Appropriate ingress/egress firewall rules for the relevant networks (the same as for a single FortiGate-VM deployment). For details on the ports that the FortiGate requires, see FortiGate Open Ports.
- Three public (external) IP addresses:
- One for traffic to and through the active (primary) FortiGate. In the event of failover, this IP address moves from the primary FortiGate to the secondary. It must be a static external IP: reserve it before creating the FortiGate instances, or promote an ephemeral IP to a static one after deployment. See Reserving a Static External IP Address.
- Two for management access, one per FortiGate. These can be ephemeral IP addresses, but static ones are highly recommended. See IP Addresses.
- All internal IP addresses must be static, not DHCP-assigned. If an instance was deployed with ephemeral internal addresses, promote them to static ones after deployment. See Reserving a Static Internal IP Address.
- Two FortiGate-VM instances:
- The two nodes must be deployed in the same region and zone.
- Each FortiGate-VM must have at least four network interfaces, one per network/subnet.
- Each FortiGate-VM should have a log disk attached. Create the log disks before deploying the FortiGate instances. This is the same requirement as when deploying a single FortiGate-VM.
- Machine types that support at least four network interfaces. The number of interfaces an instance can have depends on the machine type's vCPU count, so choose a type with at least four vCPUs. See Creating Instances with Multiple Network Interfaces.
- Two valid FortiGate-VM BYOL licenses. See Licensing.
- You must configure an SDN connector for GCP on the primary FortiGate. With ha-status enabled, the connector uses the configured service account key (use-metadata-iam disabled) to move the reserved external IP and update the internal route to the new primary on failover, so grant that service account only the Compute Engine permissions it needs and treat the private key as a secret:
config system sdn-connector
    edit "gcp_conn"
        set type gcp
        set ha-status enable
        config external-ip
            edit "reserve-fgthapublic"
            next
        end
        config route
            edit "route-internal"
            next
        end
        set use-metadata-iam disable
        set gcp-project "..."
        set service-account "..."
        set private-key "..."
    next
end
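The following bash script is an added example, not code from this page or from Fortinet. It provisions the GCP resources in the prerequisites list in the order the list requires: the three static external IPs, a static internal IP per FortiGate per subnet, the two log disks, a management firewall rule, and finally the two four-NIC instances, with the primary holding the floating external IP on port1. The project, region, zone, subnet names (assumed to match their VPC network names), the 10.0.<subnet>.1<node> address layout, the IMAGE_PROJECT/IMAGE_NAME placeholders and all resource names are assumptions chosen for the example; replace them with your own values.

```shell
#!/usr/bin/env bash
# Added example: provisions the GCP resources listed above in the order the
# page requires (static IPs and log disks first, then the two instances).
# It is not Fortinet's code. Project, region, zone, subnet names, IP layout,
# image and resource names are placeholders chosen for this example.
set -euo pipefail

PROJECT="${PROJECT:-my-fgt-project}"
REGION="${REGION:-us-central1}"
ZONE="${ZONE:-us-central1-a}"
# Assumed subnet-to-port layout: port1 external, port2 internal,
# port3 HA sync, port4 management. Each VPC network is assumed to carry
# the same name as its subnet.
SUBNETS=(fgt-external fgt-internal fgt-hasync fgt-mgmt)

# run: execute the command, or only print it when DRY_RUN is set, so the
# full plan can be reviewed (and tested) without a gcloud login.
run() {
  if [ -n "${DRY_RUN:-}" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Regional static external IP. The HA (floating) address must be static:
# an ephemeral address is released when it is detached during failover.
reserve_external_ip() {  # $1 address name
  run gcloud compute addresses create "$1" --region "$REGION" --project "$PROJECT"
}

# Promote an ephemeral external IP an instance already holds to a static one.
promote_external_ip() {  # $1 address name, $2 current ephemeral IP
  run gcloud compute addresses create "$1" --addresses "$2" --region "$REGION" --project "$PROJECT"
}

# Static internal IP in a subnet; the page requires all internal IPs to be static.
reserve_internal_ip() {  # $1 address name, $2 subnet, $3 IP
  run gcloud compute addresses create "$1" --region "$REGION" --subnet "$2" --addresses "$3" --project "$PROJECT"
}

# Log disk, created before the instance so it can be attached at creation time.
create_log_disk() {  # $1 disk name, $2 size (e.g. 30GB)
  run gcloud compute disks create "$1" --size "$2" --type pd-standard --zone "$ZONE" --project "$PROJECT"
}

# Management firewall rule. port4 carries a public IP, so restrict
# --source-ranges to the admin network rather than 0.0.0.0/0.
create_mgmt_firewall_rule() {  # $1 rule name, $2 network, $3 admin source CIDR
  run gcloud compute firewall-rules create "$1" --network "$2" --direction INGRESS \
    --allow tcp:22,tcp:443 --source-ranges "$3" --project "$PROJECT"
}

# One FortiGate-VM with four NICs. n1-standard-4 has four vCPUs, enough for
# four interfaces. IMAGE_PROJECT/IMAGE_NAME stand for the Fortinet BYOL image.
# --can-ip-forward is required for a VM that is the next hop of a route.
create_fortigate() {  # $1 instance, $2 node number (1|2), $3 mgmt address name, $4 public address name or ""
  local i nic public="$4" nic_args=()
  for i in 0 1 2 3; do
    nic="subnet=${SUBNETS[$i]},private-network-ip=10.0.${i}.1${2}"
    if [ "$i" -eq 0 ] && [ -n "$public" ]; then nic="${nic},address=${public}"
    elif [ "$i" -eq 3 ]; then nic="${nic},address=$3"
    else nic="${nic},no-address"
    fi
    nic_args+=(--network-interface "$nic")
  done
  run gcloud compute instances create "$1" --zone "$ZONE" --project "$PROJECT" \
    --machine-type n1-standard-4 --can-ip-forward \
    --image-project IMAGE_PROJECT --image IMAGE_NAME \
    --disk "name=${1}-log,device-name=${1}-log" \
    "${nic_args[@]}"
}

# Whole plan: 3 external IPs, 8 internal IPs, 2 log disks, 1 firewall rule,
# then the 2 instances (16 gcloud invocations).
provision_all() {
  local n i
  reserve_external_ip fgt-ha-public
  reserve_external_ip fgt1-mgmt
  reserve_external_ip fgt2-mgmt
  for n in 1 2; do
    for i in 0 1 2 3; do
      reserve_internal_ip "fgt${n}-${SUBNETS[$i]}" "${SUBNETS[$i]}" "10.0.${i}.1${n}"
    done
    create_log_disk "fgt${n}-log" 30GB
  done
  create_mgmt_firewall_rule fgt-mgmt-admin "${SUBNETS[3]}" 203.0.113.0/24
  create_fortigate fgt1 1 fgt1-mgmt fgt-ha-public   # primary holds the floating IP
  create_fortigate fgt2 2 fgt2-mgmt ""
}

if [ "${1:-}" = "provision" ]; then provision_all; fi
```

Run `DRY_RUN=1 ./provision.sh provision` first to review every gcloud command, then run it without DRY_RUN. If an instance was already created with an ephemeral external address, `promote_external_ip` reserves that same address as a static one instead of allocating a new one. The script stops before the FortiOS side: the reserved floating address name (fgt-ha-public here) is what goes under config external-ip in the SDN connector.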