FortiGate's native HA feature (without any supplementary AWS mechanism) can be configured with two FortiGate instances: one acting as the master (primary) node and the other as the slave (secondary) node, both located in the same AZ within a single VPC. In AWS this is called unicast HA, the counterpart of the HA feature offered by physical FortiGate units. The FortiGates exchange heartbeats over dedicated ports and synchronize the FortiOS configuration and sessions. When the primary node fails, the secondary node takes over as primary so endpoints continue to reach external resources through the FortiGate.
These paired FortiGate instances act as a single logical instance and share interface IP addressing. The main benefits of this solution are:
- Fast and stateful failover of FortiOS and AWS SDN without external automation/services
- Automatic AWS SDN updates to EIPs, ENI secondary IPs, and route targets
- Native FortiOS session sync of firewall, IPsec/SSL VPN, and VOIP sessions
- Native FortiOS configuration sync
- Ease of use, as the cluster is treated as a single logical FortiGate
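As an added example (not taken from the original page or from Fortinet's own documentation), the FortiOS settings that give the primary node of such a pair the unicast heartbeat and session sync described above. The port roles and the 10.0.x.x addresses are constructed assumptions; the secondary node gets the same block with a lower priority and the local/peer heartbeat addresses swapped.

```text
# Added example: unicast HA on the primary FortiGate in AWS.
# Assumptions: port3 is the dedicated heartbeat ENI, port4 the dedicated
# HA management ENI; all addresses below are constructed for illustration.
config system ha
    set group-name "aws-ha"
    # active-passive: one primary, one secondary
    set mode a-p
    # heartbeat runs only over the dedicated port
    set hbdev "port3" 50
    # sync firewall/VPN sessions so the failover is stateful
    set session-pickup enable
    # per-node management path that is not failed over with the cluster
    set ha-mgmt-status enable
    config ha-mgmt-interfaces
        edit 1
            set interface "port4"
            set gateway 10.0.3.1
        next
    end
    # do not fail back automatically when the old primary returns (avoids flapping)
    set override disable
    # highest priority on the preferred primary; use a lower value (e.g. 100) on the secondary
    set priority 255
    # AWS VPCs carry no multicast/L2 heartbeats, so the heartbeat is addressed unicast
    set unicast-hb enable
    set unicast-hb-local-ip 10.0.2.11
    set unicast-hb-peerip 10.0.2.12
end
```

The instance role of both nodes also needs the EC2 permissions behind the SDN updates listed above (re-associating EIPs, moving ENI secondary IPs and replacing route targets), i.e. at least ec2:AssociateAddress, ec2:AssignPrivateIpAddresses and ec2:ReplaceRoute, scoped to the cluster's own resources.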
Previously, Fortinet provided a solution that used a worker node, running as a separate EC2 instance, to monitor the two FortiGates. That method is no longer used.