Active-Passive HA support between Availability Zones 6.2.1
This recipe shows how to set up FortiGate Active-Passive (A-P) High Availability (HA) between Availability Zones (AZ) on AliCloud.
Setting up HA across different AZs provides the ability to recover from a catastrophic failure: with FortiGates in different AZs, one FortiGate can remain operational if the other AZ fails.
Setup overview
The HA setup approach is the same for both same zone and cross zone scenarios.
- Move the elastic IP (EIP) address from the old primary unit to the same port index on the new primary unit.
- Update all route table entries that pointed to the old primary unit so that they point to the new primary unit.
The next hop of a route table entry cannot be a private IP address; it must be an ENI (elastic network interface) ID.
- HA on AliCloud does not rely on any configuration in the AliCloud SDN connector. Instead, you must associate a RAM role with the FortiGate instance. The RAM role must have at least the following policies:
- AliyunECSFullAccess
- AliyunVPCFullAccess
- AliyunEIPFullAccess
Topology of failover event
Configuration
Configure an A-P HA cluster with four vNICs (port1 to port4) on each FortiGate VM.
Configure all network interfaces, including the AliCloud ENIs and the FortiGate VM network interfaces. Select an AliCloud instance type that supports at least four vNICs.
Configure the security group in each subnet for ingress and egress interfaces. The management interfaces must have egress internet access for API calls to the AliCloud metadata server.
Ensure the four vNICs are attached to each FortiGate and that a static private address is assigned to each.
Ensure EIP1 is bound to the FGT-A port4 management interface.
Ensure EIP3 is bound to the FGT-A port1 external interface.
To configure the AliCloud instances:
- Create two FGT-ALI instances, each located in a different zone.
To configure the FortiGate HA setting:
- Go to System > HA and set up the HA cluster. Then check the HA status.
To configure FGT-A in the CLI:
config system interface
    edit "port1"
        set mode static
        set ip 10.0.11.11 255.255.255.0
        set allowaccess ping https ssh snmp http fgfm
    next
    edit "port2"
        set ip 10.0.12.11 255.255.255.0
        set allowaccess ping https ssh snmp http telnet
    next
    edit "port3"
        set ip 10.0.13.11 255.255.255.0
        set allowaccess ping https ssh snmp http telnet
    next
    edit "port4"
        set ip 10.0.14.11 255.255.255.0
        set allowaccess ping https ssh snmp http telnet
    next
end
To configure FGT-B in the CLI:
config system interface
    edit "port1"
        set mode static
        set ip 10.0.21.12 255.255.255.0
        set allowaccess ping https ssh snmp http fgfm
    next
    edit "port2"
        set ip 10.0.22.12 255.255.255.0
        set allowaccess ping https ssh snmp http telnet
    next
    edit "port3"
        set ip 10.0.23.12 255.255.255.0
        set allowaccess ping https ssh snmp http telnet
    next
    edit "port4"
        set ip 10.0.24.12 255.255.255.0
        set allowaccess ping https ssh snmp http telnet
    next
end
To configure the FGT-A and FGT-B router in the CLI:
config router static
    edit 1
        set gateway 10.0.11.1
        set device "port1"
    next
end
To configure the FGT-A and FGT-B firewall policy in the CLI:
config firewall policy
    edit 1
        set srcintf "port2"
        set dstintf "port1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
    next
end
To configure the FGT-A HA settings in the CLI:
config system ha
    set group-name "FGT-HA"
    set mode a-p
    set hbdev "port3" 50
    set ha-mgmt-status enable
    config ha-mgmt-interfaces
        edit 1
            set interface "port4"
            set gateway 10.0.14.1
        next
    end
    set priority 192
    set unicast-hb enable
    set unicast-hb-peerip 10.0.23.12
end
To configure the FGT-B HA settings in the CLI:
The FGT-B priority must be lower than the FGT-A priority. The node with the lower priority level is the secondary node.
config system ha
    set group-name "FGT-HA"
    set mode a-p
    set hbdev "port3" 50
    set ha-mgmt-status enable
    config ha-mgmt-interfaces
        edit 1
            set interface "port4"
            set gateway 10.0.24.1
        next
    end
    set priority 64
    set unicast-hb enable
    set unicast-hb-peerip 10.0.13.11
end
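As an added illustration (not part of this recipe or of any Fortinet tool), the following Python parses the two members' HA and heartbeat-interface settings and checks that they cross-reference correctly: same group name and heartbeat device, distinct priorities, and each unicast-hb-peerip equal to the peer's port3 address. The parser handles only the config/edit/set/next/end subset of the FortiOS CLI used above, and the member configs are constructed from the recipe's own values.

```python
def parse_fortios(text):
    # Minimal parser for the config/edit/set/next/end subset of FortiOS CLI.
    root, stack = {}, []
    cur = root
    for tok in filter(None, map(str.split, text.splitlines())):
        if tok[0] in ("config", "edit"):
            stack.append(cur)
            cur = cur.setdefault(" ".join(tok[1:]).strip('"'), {})
        elif tok[0] in ("next", "end"):
            cur = stack.pop()
        elif tok[0] == "set":
            cur[tok[1]] = [t.strip('"') for t in tok[2:]]
    return root

def member(hb_ip, peer_ip, priority):
    # Constructed member config built from the recipe's port3 and HA settings.
    return parse_fortios(f"""
config system interface
  edit "port3"
    set ip {hb_ip} 255.255.255.0
  next
end
config system ha
  set group-name "FGT-HA"
  set hbdev "port3" 50
  set priority {priority}
  set unicast-hb-peerip {peer_ip}
end""")

def check_ha_pair(cfg_a, cfg_b):
    # Return problems that would keep the two members from forming one A-P cluster.
    ha_a, ha_b = cfg_a["system ha"], cfg_b["system ha"]
    problems = []
    if ha_a["group-name"] != ha_b["group-name"]:
        problems.append("group-name differs")
    if ha_a["hbdev"][0] != ha_b["hbdev"][0]:
        problems.append("heartbeat interface differs")
    if ha_a["priority"] == ha_b["priority"]:
        problems.append("priorities equal; roles are ambiguous")
    # Each unicast-hb-peerip must equal the peer's address on the heartbeat port.
    for name, me, peer in (("FGT-A", cfg_a, cfg_b), ("FGT-B", cfg_b, cfg_a)):
        hb_port = me["system ha"]["hbdev"][0]
        peer_ip = peer["system interface"][hb_port]["ip"][0]
        want = me["system ha"]["unicast-hb-peerip"][0]
        if want != peer_ip:
            problems.append(f"{name}: unicast-hb-peerip {want} != peer {hb_port} {peer_ip}")
    return problems

FGT_A = member("10.0.13.11", "10.0.23.12", 192)  # recipe values for FGT-A
FGT_B = member("10.0.23.12", "10.0.13.11", 64)   # recipe values for FGT-B
```

Running check_ha_pair(FGT_A, FGT_B) on the recipe's values returns an empty list; a typo in either peer IP or equal priorities is reported by name.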