GCP Administration Guide

Deploying the secondary FortiGate

Create the secondary FortiGate (FortiGate B) in zone us-central1-a by setting the zone variable to us-central1-a. The following command uses the previously declared variables; see the prerequisites section of Configuring GCP SDN connector using metadata IAM.

Note

Port1 on FortiGate B is not given a reserved public IP address, because the reserved port1/WAN public IP address is reassigned to it on failover. Use the ephemeral public IP address on FortiGate B port1 to license and configure the FortiGate, then release that ephemeral address after you have configured high availability (HA) and before any failover is initiated.

To deploy the secondary FortiGate-VM instance:
  1. Edit and run the following commands in GCP:
    gcloud compute instances create fortigate-b \
    --project=$project \
    --zone=$zone2 \
    --machine-type=e2-custom-4-8192 \
    --network-interface=network-tier=PREMIUM,private-network-ip=10.0.1.11,subnet=unprotected-public-subnet \
    --network-interface=private-network-ip=10.0.2.11,subnet=protected-private-subnet,no-address \
    --network-interface=private-network-ip=10.0.3.11,subnet=ha-sync-subnet,no-address \
    --network-interface=address=$reservedfgtbhamgmtip,network-tier=PREMIUM,private-network-ip=10.0.4.11,subnet=ha-mgmt-subnet \
    --can-ip-forward \
    --service-account=$serviceaccount \
    --scopes=https://www.googleapis.com/auth/cloud-platform \
    --create-disk=auto-delete=yes,boot=yes,device-name=fortigate-b,image=projects/fortigcp-project-001/global/images/fortinet-fgt-723-20221110-001-w-license,mode=rw,size=10,type=projects/$project/zones/$zone2/diskTypes/pd-balanced \
    --create-disk=auto-delete=yes,device-name=fgt-b-log,mode=rw,name=fgt-secondary-log,size=10,type=projects/$project/zones/$zone2/diskTypes/pd-balanced

  2. Gain access to the FortiGate-VM and license the VM.
  3. Edit and run the following commands on FortiGate B:

    config system global
        set hostname fortigate-b
    end

    config system ha
        set group-id 21
        set group-name <Name of Cluster>
        set mode a-p
        set hbdev "port3" 50
        set session-pickup enable
        set session-pickup-connectionless enable
        set ha-mgmt-status enable
        config ha-mgmt-interfaces
            edit 1
                set interface "port4"
                set gateway <Gateway Address of the MGMT subnet>
            next
        end
        set override enable
        set priority 150
        set unicast-hb enable
        set unicast-hb-peerip <HA Sync network Address of the First FortiGate>
        set unicast-hb-netmask <subnet mask of the hasync network>
    end

    Caution

    After you have configured HA on the secondary FortiGate, you must remove the ephemeral public IP address from port1 on the secondary FortiGate. Otherwise, the HA failover and the elastic IP address move fail, because the interface already has an assigned public IP address.

  4. Configure virtual domain (VDOM) exceptions. The exceptions prevent the interface, static route, and virtual IP configuration from being synchronized between the two FortiGates:

    config system vdom-exception
        edit 1
            set object system.interface
        next
        edit 2
            set object router.static
        next
        edit 3
            set object firewall.vip
        next
    end
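The two checks a practitioner wants before the first failover, as an added example that is not part of the Fortinet guide: that the unicast heartbeat peer address really lies in the HA sync subnet, and that port1 (nic0) of FortiGate B no longer carries an ephemeral public IP, as the Caution above requires. The FortiGate A port3 address 10.0.3.10, the netmask 255.255.255.0, and gcloud's default access-config name on nic0 are assumptions, not values from the guide.

```shell
#!/bin/sh
# Added example, not from the Fortinet guide. Pre-failover checks for
# FortiGate B. Assumed values (not on the guide's page): FortiGate A's
# port3 address is 10.0.3.10 and the HA sync netmask is 255.255.255.0.
set -eu

# Convert a dotted-quad IPv4 address to an integer.
ip2int() {
  set -- $(printf '%s' "$1" | tr . ' ')
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Succeed when $1 and $2 fall in the same subnet under netmask $3.
same_subnet() {
  a=$(ip2int "$1"); b=$(ip2int "$2"); m=$(ip2int "$3")
  [ $(( a & m )) -eq $(( b & m )) ]
}

# The guide's Caution: port1 (nic0) must carry no public IP before failover.
# $1 is the natIP printed by
#   gcloud compute instances describe fortigate-b --zone="$zone2" \
#     --format='value(networkInterfaces[0].accessConfigs[0].natIP)'
# and is empty once the ephemeral address has been released.
port1_released() {
  [ -z "${1:-}" ]
}

# Print the unicast heartbeat lines for FortiGate B, refusing to emit a
# peer address that is not inside the HA sync subnet (a mistyped peer IP
# otherwise leaves both units unable to see each other's heartbeat).
render_unicast_hb() {
  self=$1; peer=$2; mask=$3
  if ! same_subnet "$self" "$peer" "$mask"; then
    echo "peer $peer is not in the subnet of $self/$mask" >&2
    return 1
  fi
  printf 'set unicast-hb enable\nset unicast-hb-peerip %s\nset unicast-hb-netmask %s\n' \
    "$peer" "$mask"
}

# Live use (needs gcloud and the guide's $zone2; assumes the ephemeral
# access config on nic0 carries gcloud's default name):
#   natip=$(gcloud compute instances describe fortigate-b --zone="$zone2" \
#     --format='value(networkInterfaces[0].accessConfigs[0].natIP)')
#   port1_released "$natip" || gcloud compute instances delete-access-config \
#     fortigate-b --zone="$zone2" --network-interface=nic0
render_unicast_hb 10.0.3.11 10.0.3.10 255.255.255.0
```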
