OCI Administration Guide

Deploying FortiGate-VM HA on OCI between multiple ADs

When deploying FortiGate-VM active-passive HA on OCI between multiple ADs, the following differs from when deploying within one AD:

  • You do not need to allocate a secondary private IP address for the OCI NIC because a private IP address cannot be moved across ADs.
  • During failover, the public IP address detaches from the old primary FortiGate NIC and attaches to the new primary FortiGate NIC.
  • The route next hop updates to point to the new primary FortiGate NIC's primary private IP address.
  • System interfaces, static route configurations, and sessions do not sync between FortiGates when deployed between multiple ADs. They do sync when deploying within one AD.

This guide refers to the primary FortiGate, located in AD1, as "FGT-A-AD1" and the secondary FortiGate, located in AD2, as "FGT-B-AD2".

Note

IPsec VPN phase 1 configuration does not synchronize between primary and secondary FortiGates across ADs. Phase 2 configuration does synchronize.
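
Because system interface, static route, and IPsec phase 1 settings do not synchronize across ADs, differences between FGT-A-AD1 and FGT-B-AD2 stay hidden until a failover. The following Python check is an added example, not part of Fortinet's guide: it compares those sections in two configuration backups. The function names, the constructed sample configurations, and the choice to skip `psksecret` values are assumptions of this example.

```python
# Sections the page lists as not synchronized between ADs.
UNSYNCED = ("system interface", "router static", "vpn ipsec phase1-interface")

def parse_sections(text):
    """Return {section: {entry: {setting: value}}} for the UNSYNCED sections."""
    out, section, entry, depth = {}, None, None, 0
    for line in map(str.strip, text.splitlines()):
        if line.startswith("config "):
            depth += 1
            if depth == 1:  # top-level block: track it only if it is one we compare
                section, entry = (line[7:] if line[7:] in UNSYNCED else None), None
        elif line == "end":
            depth -= 1
        elif section and depth == 1:  # config blocks nested inside an entry are skipped
            if line.startswith("edit "):
                entry = out.setdefault(section, {}).setdefault(line[5:].strip('"'), {})
            elif line.startswith("set ") and entry is not None:
                key, _, value = line[4:].partition(" ")
                entry[key] = value
    return out

def drift(primary_cfg, secondary_cfg, ignore=("psksecret",)):
    """Return (section, entry, setting, primary_value, secondary_value) tuples."""
    a, b = parse_sections(primary_cfg), parse_sections(secondary_cfg)
    found = []
    for section in UNSYNCED:
        ea, eb = a.get(section, {}), b.get(section, {})
        for name in sorted(set(ea) | set(eb)):
            sa, sb = ea.get(name, {}), eb.get(name, {})  # missing entry -> all None
            for key in sorted((set(sa) | set(sb)) - set(ignore)):
                if sa.get(key) != sb.get(key):
                    found.append((section, name, key, sa.get(key), sb.get(key)))
    return found

# Constructed sample configuration for the primary, not taken from a real device.
FGT_A_AD1 = """
config vpn ipsec phase1-interface
    edit "to-branch"
        set proposal aes256-sha256
        set remote-gw 203.0.113.10
    next
    edit "to-dc"
        set remote-gw 198.51.100.7
    next
end
"""
# Constructed secondary: weaker proposal on "to-branch", and "to-dc" was never created.
FGT_B_AD2 = FGT_A_AD1.replace("aes256-sha256", "aes128-sha1")
FGT_B_AD2 = FGT_B_AD2[:FGT_B_AD2.index('    edit "to-dc"')] + "end\n"
```

Calling `drift(FGT_A_AD1, FGT_B_AD2)` reports the proposal mismatch and the tunnel that exists only on the primary. Interface and static route differences can be intentional when each AD uses its own subnet, so review them rather than forcing them to match.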
