GCP Administration Guide

Deploying the primary FortiGate

Create the primary FortiGate A in zone1. The following command uses the variables declared earlier; see the prerequisites section of Configuring GCP SDN connector using metadata IAM.

To deploy the primary FortiGate-VM instance:
  1. Edit and run the following commands in GCP:

    gcloud compute instances create fortigate-a \
    --project=$project \
    --zone=$zone1 \
    --machine-type=e2-custom-4-8192 \
    --network-interface=address=$reservedhaip,network-tier=PREMIUM,private-network-ip=10.0.1.10,subnet=unprotected-public-subnet \
    --network-interface=private-network-ip=10.0.2.10,subnet=protected-private-subnet,no-address \
    --network-interface=private-network-ip=10.0.3.10,subnet=ha-sync-subnet,no-address \
    --network-interface=address=$reservedfgtahamgmtip,network-tier=PREMIUM,private-network-ip=10.0.4.10,subnet=ha-mgmt-subnet \
    --can-ip-forward \
    --service-account=$serviceaccount \
    --scopes=https://www.googleapis.com/auth/cloud-platform \
    --create-disk=auto-delete=yes,boot=yes,device-name=fortigate-a,image=projects/fortigcp-project-001/global/images/fortinet-fgt-723-20221110-001-w-license,mode=rw,size=10,type=projects/$project/zones/$zone1/diskTypes/pd-balanced \
    --create-disk=auto-delete=yes,device-name=fgt-a-log,mode=rw,name=fgt-primary-log,size=10,type=projects/$project/zones/$zone1/diskTypes/pd-balanced

  2. Gain access to the FortiGate-VM and license the VM.
  3. Edit and run the following commands on FortiGate A:

    config system global
        set hostname fortigate-a
    end
    config system ha
        set group-id 21
        set group-name <Name of Cluster>
        set mode a-p
        set hbdev "port3" 50
        set session-pickup enable
        set session-pickup-connectionless enable
        set ha-mgmt-status enable
        config ha-mgmt-interfaces
            edit 1
                set interface "port4"
                set gateway <Gateway Address of the MGMT subnet>
            next
        end
        set override enable
        set priority 200
        set unicast-hb enable
        set unicast-hb-peerip <HA Sync network address of the first FortiGate>
        set unicast-hb-netmask <subnet mask of the HA sync network>
    end
    config system sdn-connector
        edit "gcp_ha"
            set type gcp
            set ha-status enable
            config external-ip
                edit "reserved-fgt-port1public"
                next
            end
            config route
                edit "protected-private-rt"
                next
            end
            set use-metadata-iam enable
        next
    end

  4. Configure virtual domain (VDOM) exceptions. They are required so that the interface, static route, and VIP objects, which differ between the two FortiGates, are not synchronized between them:

    config system vdom-exception
        edit 1
            set object system.interface
        next
        edit 2
            set object router.static
        next
        edit 3
            set object firewall.vip
        next
    end
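As an added example (not part of the Fortinet guide), the following POSIX shell script runs two checks a practitioner would want around this procedure: before step 1 it validates each --network-interface value of the gcloud command (the private IP must sit in its subnet, and the protected and HA sync subnets must not receive an external address), and after steps 3 and 4 it parses a FortiOS configuration dump to confirm that the HA settings and the three VDOM exceptions are present. The /24 subnet prefixes, the reserved IP placeholders, and the sample configuration text are constructed assumptions; the parser assumes top-level config/end lines start at column 0, as they do in a configuration backup.

```shell
#!/usr/bin/env bash
# Added preflight/audit example; not from the Fortinet guide.

# Subnet plan: the guide only gives the private IPs 10.0.1.10 .. 10.0.4.10;
# the /24 prefixes below are assumed from them.
subnet_prefix() {
  case "$1" in
    unprotected-public-subnet) echo 10.0.1 ;;
    protected-private-subnet)  echo 10.0.2 ;;
    ha-sync-subnet)            echo 10.0.3 ;;
    ha-mgmt-subnet)            echo 10.0.4 ;;
    *) return 1 ;;
  esac
}

# Validate one --network-interface value: the private IP must be inside the subnet's
# prefix, and the protected and HA-sync subnets must carry no-address and no address=.
check_nic() {
  ip=""; subnet=""; has_addr=0; no_addr=0
  oldifs="$IFS"; IFS=','
  for kv in $1; do
    case "$kv" in
      private-network-ip=*) ip="${kv#*=}" ;;
      subnet=*)             subnet="${kv#*=}" ;;
      address=*)            has_addr=1 ;;
      no-address)           no_addr=1 ;;
    esac
  done
  IFS="$oldifs"
  prefix=$(subnet_prefix "$subnet") || { echo "unknown subnet: $subnet" >&2; return 1; }
  case "$ip" in
    "$prefix".*) ;;
    *) echo "$ip is outside $subnet ($prefix.0/24)" >&2; return 1 ;;
  esac
  case "$subnet" in
    protected-private-subnet|ha-sync-subnet)
      [ "$no_addr" -eq 1 ] && [ "$has_addr" -eq 0 ] \
        || { echo "$subnet must not receive an external address" >&2; return 1; } ;;
  esac
  return 0
}

# Print "key value" for every set line inside the top-level "config <path>" block
# of a FortiOS config dump (top-level config/end lines are assumed at column 0).
block_settings() {
  awk -v path="config $1" '
    $0 == path            { inside = 1; next }
    inside && $0 == "end" { inside = 0 }
    inside && $1 == "set" { sub(/^[ \t]*set[ \t]+/, ""); print }'
}

# Return 0 when every "key value" argument is present in the named block of the config text.
has_settings() {
  cfg="$1"; block="$2"; shift 2
  found=$(printf '%s\n' "$cfg" | block_settings "$block")
  for want in "$@"; do
    printf '%s\n' "$found" | grep -qxF "$want" \
      || { echo "missing in '$block': $want" >&2; return 1; }
  done
  return 0
}

# Settings from step 3 and step 4 that must be present on the primary FortiGate.
audit_ha() { has_settings "$1" "system ha" "mode a-p" "session-pickup enable" "ha-mgmt-status enable" "unicast-hb enable"; }
audit_vdom_exception() { has_settings "$1" "system vdom-exception" "object system.interface" "object router.static" "object firewall.vip"; }

# --- constructed sample inputs (replace with your own values) ---
reservedhaip=203.0.113.10; reservedfgtahamgmtip=203.0.113.11   # placeholder reserved IPs
NIC1="address=$reservedhaip,network-tier=PREMIUM,private-network-ip=10.0.1.10,subnet=unprotected-public-subnet"
NIC2="private-network-ip=10.0.2.10,subnet=protected-private-subnet,no-address"
NIC3="private-network-ip=10.0.3.10,subnet=ha-sync-subnet,no-address"
NIC4="address=$reservedfgtahamgmtip,network-tier=PREMIUM,private-network-ip=10.0.4.10,subnet=ha-mgmt-subnet"
SAMPLE_CONFIG='config system ha
    set group-id 21
    set mode a-p
    set hbdev "port3" 50
    set session-pickup enable
    set ha-mgmt-status enable
    config ha-mgmt-interfaces
        edit 1
            set interface "port4"
        next
    end
    set unicast-hb enable
end
config system vdom-exception
    edit 1
        set object system.interface
    next
    edit 2
        set object router.static
    next
    edit 3
        set object firewall.vip
    next
end'

for nic in "$NIC1" "$NIC2" "$NIC3" "$NIC4"; do check_nic "$nic" || exit 1; done
audit_ha "$SAMPLE_CONFIG" && audit_vdom_exception "$SAMPLE_CONFIG" && echo "preflight passed"
```

Run the script with sh before issuing the gcloud command in step 1; to audit a real unit after step 4, replace SAMPLE_CONFIG with the output of show system ha and show system vdom-exception taken on FortiGate A. Any failed check prints the offending interface or the missing setting and exits non-zero.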
