GCP Administration Guide

Deploying FortiGate-VM HA with SDN connector

FortiGate-VM for Google Cloud Marketplace supports using the FortiGate Clustering Protocol (FGCP) in unicast form to provide an active-passive (A-P) high availability (HA) cluster for deployments in GCP. This feature shares most of the functionality of FGCP on FortiGate hardware, including configuration and session synchronization, with key changes to support GCP software-defined networking (SDN): a GCP VPC does not carry the multicast heartbeat and gratuitous ARP traffic that hardware FGCP relies on, so the cluster exchanges unicast heartbeats and uses the SDN connector to call the GCP API when addresses and routes must move at failover.

This solution uses two FortiGate instances configured as a primary and secondary pair, each deployed with four network interfaces, within the same availability zone. The two instances act as a single logical FortiGate, and on failover the public IP addressing of the interfaces moves to the new primary.

note icon

When deploying a FortiGate-VM HA cluster, choose a machine type that supports four or more network interfaces for each FortiGate-VM instance: GCP allows network interfaces to be attached only when the VM instance is created, not after the VM is deployed.

Both FortiGate-VM instances must be the same machine type.

The main benefits of this solution are:

  • Fast and stateful failover of FortiOS without external automation/services
  • Automatic updates to route targets and IP addresses
  • Native FortiOS session synchronization of firewall, IPsec/SSL VPN, and voice over IP sessions
  • Native FortiOS configuration synchronization
  • Ease of use as the cluster is treated as a single logical FortiGate

Network diagram of this deployment (image not reproduced in this text; the four networks it shows are listed in the table below).

note icon

IPsec VPN phase 1 configuration does not synchronize between primary and secondary FortiGates across zones. Phase 2 configuration does synchronize.

This example uses four networks for the described purposes:

Network                           Purpose
Default network (subnet default)  External Internet-facing network. Uses port1 on the FortiGate.
VPC2 (subnet internal)            Internal network where the protected VMs are located. Uses port2 on the FortiGate.
VPC3 (subnet 3)                   Subnet dedicated to the heartbeat between the two FortiGates. Uses port3 on the FortiGate.
VPC4 (subnet 4)                   Subnet dedicated to management access to the two FortiGates. Uses port4 on the FortiGate.

The following are the minimum sufficient IAM roles for the identity that runs the gcloud commands in an active-passive HA deployment:

  • Compute Instance Admin (v1) (roles/compute.instanceAdmin.v1)
  • Compute Network Admin (roles/compute.networkAdmin)

These roles cover creating the VMs, networks, and reserved addresses. The service account attached to the FortiGate-VMs, which the SDN connector uses to move addresses and routes at failover, is granted its permissions separately, as Configuring GCP SDN connector using metadata IAM describes; grant it only what the connector needs.

The gcloud commands in this guide use the following bash environment variables:

project=<GCP project ID>
zone1=<zone for fortigate-a, the primary/active FortiGate>
zone2=<zone for fortigate-b, the secondary/passive FortiGate>
reservedhaip=<HA cluster IP that moves to the new primary on failover>
reservedfgtahamgmtip=<public IP used to manage fortigate-a>
reservedfgtbhamgmtip=<public IP used to manage fortigate-b>
serviceaccount=<your designated service account with the required permissions>

note icon

You must set these variables in the bash shell from which you run the gcloud SDK commands before the commands can use them.

Check the prerequisites before attempting this deployment. This deployment method uses the SDN connector configuration that Configuring GCP SDN connector using metadata IAM describes.
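As an added example (not part of the Fortinet guide), the following bash script performs the prerequisite checks a practitioner would want before running the gcloud commands: that every variable above is set, that zone1 and zone2 belong to the same region (the reserved external addresses are regional resources and can only be attached to instances in that region), and that the chosen machine type has enough vCPUs to carry four NICs. It assumes an extra variable, MACHINE_TYPE, that the guide does not define. The vCPU-to-NIC rule it applies (1 vCPU: 2 NICs; otherwise as many NICs as vCPUs, capped at 8) is GCP's general limit and may be looser for some newer machine families, so treat it as a conservative check.

```bash
#!/usr/bin/env bash
# Preflight checks for the FortiGate-VM A-P HA deployment on GCP.
# Added example, not Fortinet's code. Variable names follow the guide
# (project, zone1, zone2, reservedhaip, ...); MACHINE_TYPE is assumed here.
set -u

# Variables the gcloud commands in the guide rely on.
HA_VARS="project zone1 zone2 reservedhaip reservedfgtahamgmtip reservedfgtbhamgmtip serviceaccount"

# require_vars: return 1 and list every variable that is unset or empty.
require_vars() {
  local missing="" v val
  for v in $HA_VARS; do
    eval "val=\"\${$v:-}\""
    [ -n "$val" ] || missing="$missing $v"
  done
  if [ -n "$missing" ]; then
    echo "unset variables:$missing" >&2
    return 1
  fi
  return 0
}

# region_of_zone: strip the zone suffix, e.g. us-central1-a -> us-central1.
region_of_zone() {
  printf '%s\n' "${1%-*}"
}

# same_region: 0 when both zones are in one region, 1 otherwise. Reserved
# external addresses are regional, so a cross-region pair cannot share them.
same_region() {
  [ "$(region_of_zone "$1")" = "$(region_of_zone "$2")" ]
}

# max_nics_for_vcpus: GCP's general NIC limit as a function of vCPU count
# (assumed rule: 1 vCPU -> 2 NICs, otherwise NICs <= vCPUs, capped at 8).
max_nics_for_vcpus() {
  local vcpus="$1"
  if [ "$vcpus" -le 1 ]; then
    echo 2
  elif [ "$vcpus" -ge 8 ]; then
    echo 8
  else
    echo "$vcpus"
  fi
}

# nic_capacity_ok: 0 when a VM with this many vCPUs can carry port1..port4.
nic_capacity_ok() {
  [ "$(max_nics_for_vcpus "$1")" -ge 4 ]
}

# preflight: offline checks above, then a live gcloud lookup of the machine
# type's vCPU count in each zone (guestCpus is a field of the machine type
# resource). Only this function talks to GCP.
preflight() {
  local mt="${MACHINE_TYPE:?set MACHINE_TYPE, e.g. n1-standard-4}" z cpus
  require_vars || return 1
  same_region "$zone1" "$zone2" || {
    echo "zone1 ($zone1) and zone2 ($zone2) are in different regions" >&2
    return 1
  }
  for z in "$zone1" "$zone2"; do
    cpus=$(gcloud compute machine-types describe "$mt" \
             --project "$project" --zone "$z" --format 'value(guestCpus)') || return 1
    nic_capacity_ok "$cpus" || {
      echo "$mt ($cpus vCPU) cannot carry 4 NICs in $z" >&2
      return 1
    }
  done
  echo "preflight ok: $mt in $zone1/$zone2 (region $(region_of_zone "$zone1"))"
}

# Run the full check only when asked, so the file can also be sourced for
# its functions without gcloud installed.
if [ "${PREFLIGHT_RUN:-0}" = 1 ]; then
  preflight
fi
```

Run it with PREFLIGHT_RUN=1 and MACHINE_TYPE set after exporting the variables in the same shell; the region and NIC-capacity checks run without network access, and only the final step calls gcloud, so a failure there points at project, zone, or machine-type naming rather than at the HA design.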
