Azure Administration Guide

Verifying the deployment

FortiGate Autoscale for Azure deploys the following components:

  • 1 public load balancer. This load balancer is associated with the FortiGate subnet and the frontend public IP address to receive inbound traffic.
  • 1 network security group
  • 1 virtual machine scale set (VMSS) for bring your own license (BYOL)
  • 1 VMSS for pay as you go
  • 1 virtual network (VNet) (only if the deployment creates a new VNet)
  • 1 public IP address
  • 1 Azure Cosmos DB account
  • 1 function app
  • 1 application insights (automatically enabled if your region supports it)
  • 1 app service plan
  • 1 key vault
  • 1 storage account

If deploying with FortiAnalyzer integration, FortiGate Autoscale for Azure also deploys the following:

  • 1 VM for FortiAnalyzer
  • 1 network interface for FortiAnalyzer
  • 1 public IP address for FortiAnalyzer (only if FortiAnalyzer Public IP Address ID is left empty)
  • 2 disk components for use by FortiAnalyzer

For deployments that have two resource groups, FortiGate Autoscale for Azure deploys the network related components to the VNet resource group and the database (DB), storage account, and function app related components to the Autoscale resource group.
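The component list above can also be checked against an exported inventory instead of by eye. The following is an added example, not Fortinet's own tooling: it assumes the input is the JSON list produced by `az resource list --resource-group <name> --output json` (concatenate both lists when two resource groups are used), maps each component to its standard ARM resource type, and reports both missing components and resource types that are not on the list. The sample inventory and its names are constructed.

```python
from collections import Counter

# Counts from the component list above, keyed by lower-cased ARM resource type.
REQUIRED = {
    "microsoft.network/loadbalancers": 1,
    "microsoft.network/networksecuritygroups": 1,
    "microsoft.compute/virtualmachinescalesets": 2,  # BYOL + pay as you go
    "microsoft.network/publicipaddresses": 1,
    "microsoft.documentdb/databaseaccounts": 1,
    "microsoft.web/sites": 1,        # function app
    "microsoft.web/serverfarms": 1,  # app service plan
    "microsoft.keyvault/vaults": 1,
    "microsoft.storage/storageaccounts": 1,
}
# Conditional components: new VNet only, Application Insights where supported.
OPTIONAL = {"microsoft.network/virtualnetworks": 1,
            "microsoft.insights/components": 1}
# Extra components when FortiAnalyzer integration is deployed.
FAZ = {"microsoft.compute/virtualmachines": 1,
       "microsoft.network/networkinterfaces": 1,
       "microsoft.compute/disks": 2}

def audit(resources, faz=False):
    """Return findings for a list shaped like `az resource list -o json`."""
    expected = {**REQUIRED, **(FAZ if faz else {})}
    # ARM type strings are case-insensitive, so normalise before counting.
    seen = Counter(r["type"].lower() for r in resources)
    findings = []
    for rtype, want in expected.items():
        have = seen.get(rtype, 0)
        # FortiAnalyzer may bring one more public IP address.
        limit = want + 1 if faz and rtype.endswith("/publicipaddresses") else want
        if not want <= have <= limit:
            findings.append(f"{rtype}: expected {want}, found {have}")
    for rtype, have in seen.items():
        if rtype not in expected and have > OPTIONAL.get(rtype, 0):
            findings.append(f"{rtype}: outside the component list, found {have}")
    for r in resources:
        kind = (r.get("kind") or "").lower()
        if r["type"].lower() == "microsoft.web/sites" and "functionapp" not in kind:
            findings.append(f"{r['name']}: site is not a function app")
    return findings

# Constructed sample inventory (names are made up for this example).
SAMPLE = [{"name": f"{t.split('/')[1]}-{i}", "type": t,
           "kind": "functionapp" if t.endswith("/sites") else None}
          for t, n in REQUIRED.items() for i in range(n)]
SAMPLE.append({"name": "example-vnet", "type": "Microsoft.Network/virtualNetworks"})
```

An empty result means the inventory matches the list; a resource type reported as outside the list is worth reviewing because the deployment did not create it.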

FortiGate Autoscale for Azure is fully deployed once you verify the following components:

To load a resource group:
  1. In the Azure console, from the left navigation column, select Resource groups.
  2. Locate the desired resource group by scrolling through the list or by using one or more of the name, subscription, and location filters. In the example, this is fgtasg-rg.

    Locate resource group

  3. Click the name to load the resource group Overview page. In the example deployment, the VNet resource group is the same as the Autoscale resource group.

    Resource group overview page

To verify the function app:
  1. From the Autoscale resource group Overview page, load the function app by clicking the name of the item of type Function App.
  2. From the navigation column, select Functions.
    Function App overview page

You should see four functions on the right:

  • byol-license: function to distribute BYOL licenses.
  • faz-auth-handler: function to handle FortiGate authorization in FortiAnalyzer.
  • faz-auth-scheduler: function to handle FortiGate authorization in FortiAnalyzer on a timely basis.
  • fgt-as-handler: main autoscaling function.

To verify the database:
  1. From the Autoscale resource group Overview page, click the Azure Cosmos DB account name.
  2. From the navigation column, click Data Explorer.
  3. Expand the database FortiGateAutoscale.

You see the following database and tables:

  • Database: FortiGateAutoscale
  • Tables:
    • ApiRequestCache
    • Autoscale
    • CustomLog
    • FortiAnalyzer
    • LicenseStock
    • LicenseUsage
    • PrimaryElection
    • Settings

The database Data Explorer page looks as shown:

Database tables

To verify the primary election:

The elected primary FortiGate-VM is recorded in the FortiGatePrimaryElection table of the Cosmos DB database FortiGateAutoscale.

  1. Expand the FortiGatePrimaryElection table and click on Items.
  2. Click the one item in the table.

Items page with the primary record

  • id is the unique identifier of a database record.
  • scalingGroupName is the name of the Scale Set in which the primary FortiGate-VM is located.
  • ip is the primary private IP address of the current primary FortiGate-VM.
  • vmId is the index of the FortiGate-VM in the Scale Set.
  • virtualNetworkID is the ID of the Virtual Network in which the primary FortiGate-VM instance is located.
  • subnetId is the ID of the subnet in which the primary FortiGate-VM is located.
  • voteEndTime is the Unix time stamp for when this primary election should expire if the vote state cannot change to done by this time.
  • voteState is the state of the voting process.
    • pending: election of the primary instance is still in progress. You should wait for its completion. At this point in time, the final primary instance is not yet known.
    • done: the primary election process has completed.
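The field descriptions above translate into a small check on the election item once it is copied out of Data Explorer as JSON. This is an added example, not code from the Autoscale project: the function name and the sample record are constructed, and because the page does not state the unit of voteEndTime, values above 1e11 are assumed to be milliseconds and smaller values seconds.

```python
import ipaddress
import time

FIELDS = ("id", "scalingGroupName", "ip", "vmId", "virtualNetworkID",
          "subnetId", "voteEndTime", "voteState")

def election_status(record, now=None):
    """Return (status, detail); status is done, pending, expired or invalid."""
    missing = [f for f in FIELDS if f not in record]
    if missing:
        return "invalid", "missing fields: " + ", ".join(missing)
    try:
        ip = ipaddress.ip_address(record["ip"])
        end = float(record["voteEndTime"])
    except (TypeError, ValueError) as exc:
        return "invalid", str(exc)
    # The page describes ip as the primary *private* address of the instance.
    if not ip.is_private:
        return "invalid", f"{ip} is not a private address"
    # Assumption: unit is not documented, so large values are read as ms.
    if end > 1e11:
        end /= 1000.0
    now = time.time() if now is None else now
    state = record["voteState"]
    if state == "done":
        return "done", f"primary is {ip} (vmId {record['vmId']})"
    if state == "pending":
        # A vote still pending after voteEndTime has expired and needs review.
        if now > end:
            return "expired", "vote still pending past voteEndTime"
        return "pending", f"wait {end - now:.0f}s for the election to finish"
    return "invalid", f"unknown voteState {state!r}"

# Constructed sample item; every value here is made up for the example.
SAMPLE_RECORD = {
    "id": "example-id",
    "scalingGroupName": "example-byol-vmss",
    "ip": "10.0.1.5",
    "vmId": "0",
    "virtualNetworkID": "example-vnet-id",
    "subnetId": "example-subnet-id",
    "voteEndTime": 1700000000,
    "voteState": "done",
}
```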
