
GCP Administration Guide


Checking the prerequisites

To deploy and configure the FortiGate-VM as an A-P HA solution, you need the following items:

  • The Google Cloud command-line interface. Note that in this example, you will deploy two FortiGate-VMs using Google Cloud. For more information about how to deploy FortiGate-VM using Google Cloud, see Deploying FortiGate-VM using Google Cloud SDK.
  • Capacity to accommodate the required GCP resources:
    • Four networks/subnets
      • Ensure that the two FortiGates have connectivity to each other on each network.
      • Appropriate ingress/egress firewall rules for relevant networks (same as a single FortiGate-VM deployment). For detail on open ports that the FortiGate requires, see FortiGate Open Ports.
    • Three public (external) IP addresses:
      • One for traffic to/through the active (primary) FortiGate. In the event of failover, this IP address moves from the primary FortiGate to the secondary. This must be a static external IP. It should be reserved/created before creating the FortiGate instances, or you can promote an ephemeral IP to a static one after deployment. See Reserving a Static External IP Address.
      • Two for management access, one per FortiGate. These can be ephemeral IP addresses, but static ones are highly recommended. See IP Addresses.
    • All internal IP addresses must be static, not DHCP. You should change ephemeral IP addresses to static ones after deployment. See Reserving a Static Internal IP Address.
    • Two FortiGate-VM instances:
      • The two nodes must be deployed in the same region/zone.
      • Each FortiGate-VM must have at least four network interfaces.
      • Each FortiGate-VM should have a log disk attached. Log disks should be created before deploying FortiGate instances. This is the same requirement as when deploying a single FortiGate-VM.
      • A machine type that supports at least four network interfaces. See Creating Instances with Multiple Network Interfaces.
      • Two valid FortiGate-VM BYOL licenses. See Licensing.
  • You must configure an SDN connector with GCP on the primary FortiGate:

    config system sdn-connector
        edit "gcp_conn"
            set type gcp
            set ha-status enable
            config external-ip
                edit "reserve-fgthapublic"
                next
            end
            config route
                edit "route-internal"
                next
            end
            set use-metadata-iam disable
            set gcp-project "..."
            set service-account "..."
            set private-key "..."
        next
    end
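The resource checks in the list above (four NICs per node, static internal IPs, a static external failover address) can be verified with the Cloud SDK before the FortiGates are licensed and configured. The following preflight script is an added example, not Fortinet's code; the instance names fgt-a/fgt-b, the zone us-central1-a and the address name reserve-fgthapublic are assumptions, and the check functions read gcloud output on stdin so they can also be exercised offline.

```shell
#!/bin/sh
# Preflight check for the FortiGate-VM A-P HA prerequisites listed above.
# Added example, not Fortinet's code. Assumes an authenticated gcloud SDK and
# hypothetical names: instances fgt-a/fgt-b in zone us-central1-a, and the
# reserved external address "reserve-fgthapublic" used in the SDN connector.
set -eu

ZONE="${ZONE:-us-central1-a}"                   # both nodes must share this zone
REGION="${ZONE%-*}"
INSTANCES="${INSTANCES:-fgt-a fgt-b}"
HA_ADDRESS="${HA_ADDRESS:-reserve-fgthapublic}"

# Extract NIC internal IPs from `gcloud compute instances describe --format=flattened`
# output on stdin; the relevant lines look like "networkInterfaces[0].networkIP: 10.0.0.2".
nic_ips() { sed -n 's/^networkInterfaces\[[0-9]*\]\.networkIP: *//p'; }

# Each node needs at least $1 interfaces (four for A-P HA).
check_nic_count() {
  n=$(nic_ips | grep -c .) || true
  [ "$n" -ge "$1" ]
}

# Every internal IP (stdin, one per line) must appear in file $1, the list of
# reserved static INTERNAL addresses; anything else is an ephemeral DHCP lease.
check_internal_static() {
  while read -r ip; do
    grep -qx "$ip" "$1" || { echo "ephemeral internal IP: $ip" >&2; return 1; }
  done
}

# The failover address must be a static EXTERNAL address.
# stdin: "ADDRESS TYPE STATUS" from `gcloud compute addresses describe`.
check_external_static() {
  read -r addr type status
  [ -n "$addr" ] && [ "$type" = "EXTERNAL" ]
}

run_preflight() {
  tmp=$(mktemp)
  gcloud compute addresses list --filter="addressType=INTERNAL" \
    --format="value(address)" > "$tmp"
  for inst in $INSTANCES; do  # describe fails (and the script exits) if a node is not in $ZONE
    desc=$(gcloud compute instances describe "$inst" --zone "$ZONE" --format=flattened)
    printf '%s\n' "$desc" | check_nic_count 4 || { echo "$inst: fewer than 4 NICs" >&2; return 1; }
    printf '%s\n' "$desc" | nic_ips | check_internal_static "$tmp" || return 1
  done
  gcloud compute addresses describe "$HA_ADDRESS" --region "$REGION" \
    --format="value(address,addressType,status)" | check_external_static
  echo "prerequisites OK"
}

if [ "${RUN_PREFLIGHT:-0}" = 1 ]; then run_preflight; fi
```

Run it with `RUN_PREFLIGHT=1 ZONE=<zone> INSTANCES="<node-a> <node-b>" sh preflight.sh` against the real project; without `RUN_PREFLIGHT=1` only the functions are defined.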
