Fortinet Document Library

Version: 6.0.0

Checking the prerequisites

Prior to invoking the CFT on the AWS portal, verify the AWS EC2 instance type and complete the following prerequisites.

The unicast HA solution requires four ENIs per FortiGate instance. Choose an instance type that provides at least four ENIs. See Instance type support.

For a graphical presentation of ENIs and mapped ports on FortiGates, see Reviewing the network failover diagram.

Note

All IP addresses must be static, not DHCP.

ENI0/port1

An external/public interface which is used to receive inbound application traffic through the HA cluster. A cluster EIP is associated with the secondary IP of the primary FortiGate's ENI and is moved over automatically on FortiGate HA failover. Each FortiGate instance also has an EIP associated with the primary IP address of this ENI, used to bootstrap each instance during initial deployment.

ENI1/port2

An internal/private interface which is used to receive outbound application traffic through the HA cluster. This interface is referenced in AWS route table routes for forwarding egress traffic from protected EC2 instances and other private resources.

ENI2/port3

A dedicated HA sync interface which is used strictly for HA communication between HA members. This interface provides a method for HA member discovery, primary/secondary selection, as well as configuration and session synchronization. This interface must be a dedicated interface that cannot be used for forwarding inbound/outbound application traffic.

ENI3/port4

A dedicated HA management interface which is used for both FortiGates as a dedicated interface to access either FortiGate regardless of HA role (primary or secondary). This is necessary to access the secondary FortiGate as it is not responding to traffic on other interfaces such as ENI0/port1 or ENI1/port2. This interface also serves as an interface for the FortiGate instances to make AWS API calls to facilitate AWS SDN failover. This interface must be a dedicated interface that cannot be used for forwarding inbound/outbound application traffic.

For data plane functions, the FortiGates use two dedicated ENIs, one for a public interface (ENI0/port1) and another for a private interface (ENI1/port2). These ENIs use secondary IP addressing to allow both FortiGate instances to share the same IP address within the actual FortiOS configuration and to sync sessions natively. AWS does not allow modification of an ENI's primary IP, so secondary IP addressing must be used. For further information, see AWS documentation.

The secondary IP addresses of the data plane ENIs are assigned to the current primary FortiGate's ENIs and are reassigned to the other instance when a new primary FortiGate instance is elected. Additionally, a cluster EIP is associated with the secondary IP of the public interface (ENI0/port1) of the current primary FortiGate instance and is likewise re-associated to the new primary FortiGate instance.

For control plane functions, the FortiGates use a dedicated ENI (ENI2/port3) for unicast A-P HA communication to perform tasks such as heartbeat checks, configuration sync, and session sync. A dedicated ENI is used as this is best practice for unicast A-P HA as it ensures the FortiGate instances have ample bandwidth for all critical HA communications.

The FortiGates also use another dedicated ENI (ENI3/port4) for HA management access to each instance; it also allows each instance to communicate independently and directly with the public AWS EC2 API. This dedicated interface is critical to failing over the AWS SDN properly when a new HA primary is elected, and it is the only access path to the current secondary FortiGate instance.

Five EIPs are automatically created and consumed to deploy and run the FortiGate instances in the HA cluster. By default, an AWS region usually allows a maximum of five EIPs, so choose a region with no existing EIPs. Five public IP addresses may seem excessive, but if an incorrect setup causes communication issues, at least one or two of them still give you access to FortiGate A and FortiGate B for repair.

Ensure you have an existing key pair in the region.

If these prerequisites are not met when the CFT is invoked, the deployment fails. In that case, AWS automatically rolls the stack back to its starting state by deleting all in-progress resources. Fix the error and invoke the CFT again.

Ensure your AWS EC2 instance type matches your needs according to your FortiGate license entitlement. Refer to Elastic Network Interfaces.

The instance type must support at least four network interfaces per FortiGate instance to form this HA cluster.

When you invoke the CFT, the AWS instance types that FortiGate supports are listed; select one from the list. The supported types are written into the CFT. Do not manually replace them with other types, as the listed types have been tested and verified by Fortinet.
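As an added example (not part of the Fortinet documentation or the CFT), the following stdlib-only Python pre-flight check evaluates the three prerequisites above against the parsed JSON output of `aws ec2 describe-instance-types`, `aws ec2 describe-addresses` and `aws ec2 describe-key-pairs` for the target region. The sample payloads are constructed, and the EIP quota of five is the default the page mentions.

```python
import json

REQUIRED_ENIS = 4            # port1-port4: public, private, HA sync, HA management
REQUIRED_IPV4_PER_ENI = 2    # data plane ENIs carry a primary plus the shared secondary IP
EIPS_CONSUMED = 5            # EIPs the HA CFT allocates, per the prerequisites above
DEFAULT_EIP_QUOTA = 5        # default per-region EIP limit, per the prerequisites above


def check_prerequisites(instance_types, addresses, key_pairs, instance_type, key_name,
                        eip_quota=DEFAULT_EIP_QUOTA):
    """Return a list of failed prerequisites; an empty list means the CFT may be invoked.

    Arguments are the parsed JSON of `aws ec2 describe-instance-types`,
    `aws ec2 describe-addresses` and `aws ec2 describe-key-pairs` for the region.
    """
    failures = []

    match = [t for t in instance_types.get("InstanceTypes", []) if t["InstanceType"] == instance_type]
    if not match:
        failures.append(f"instance type {instance_type} is not offered in this region")
    else:
        net = match[0]["NetworkInfo"]
        if net["MaximumNetworkInterfaces"] < REQUIRED_ENIS:
            failures.append(f"{instance_type} supports {net['MaximumNetworkInterfaces']} ENIs, need {REQUIRED_ENIS}")
        if net["Ipv4AddressesPerInterface"] < REQUIRED_IPV4_PER_ENI:
            failures.append(f"{instance_type} cannot hold a secondary IPv4 address per ENI")

    # Rollback happens late if EIP allocation fails, so check the quota headroom up front.
    in_use = len(addresses.get("Addresses", []))
    if in_use + EIPS_CONSUMED > eip_quota:
        failures.append(f"{in_use} EIPs already allocated; {EIPS_CONSUMED} more would exceed the quota of {eip_quota}")

    names = {k["KeyName"] for k in key_pairs.get("KeyPairs", [])}
    if key_name not in names:
        failures.append(f"key pair {key_name} does not exist in this region")

    return failures


# Constructed sample payloads in the shape the CLI returns (not real account data).
SAMPLE_INSTANCE_TYPES = {"InstanceTypes": [
    {"InstanceType": "c5.xlarge", "NetworkInfo": {"MaximumNetworkInterfaces": 4, "Ipv4AddressesPerInterface": 15}},
    {"InstanceType": "t3.small", "NetworkInfo": {"MaximumNetworkInterfaces": 3, "Ipv4AddressesPerInterface": 4}},
]}
SAMPLE_ADDRESSES_EMPTY = {"Addresses": []}
SAMPLE_ADDRESSES_ONE = {"Addresses": [{"PublicIp": "203.0.113.10", "AllocationId": "eipalloc-EXAMPLE"}]}
SAMPLE_KEY_PAIRS = {"KeyPairs": [{"KeyName": "fgt-ha-key"}]}

if __name__ == "__main__":
    for args in ((SAMPLE_INSTANCE_TYPES, SAMPLE_ADDRESSES_EMPTY, SAMPLE_KEY_PAIRS, "c5.xlarge", "fgt-ha-key"),
                 (SAMPLE_INSTANCE_TYPES, SAMPLE_ADDRESSES_ONE, SAMPLE_KEY_PAIRS, "t3.small", "missing-key")):
        print(json.dumps(check_prerequisites(*args), indent=2))
```

Feed it the real CLI output with `json.load` and pass `eip_quota` explicitly if the region's EIP service quota has been raised above the default.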
