Fortinet Document Library

Version: 6.0.0
Reviewing the network failover diagram

The following network diagram illustrates a failover event from the current primary FortiGate (FortiGate A) to the current secondary FortiGate (FortiGate B).

Inbound failover is provided by reassigning the secondary IP addresses of ENI0\port1 from FortiGate A's public interface to FortiGate B's public interface. Additionally, the EIPs associated with those secondary IP addresses are reassociated from FortiGate A's public interface to FortiGate B's public interface, so the same public address now reaches FortiGate B.

Outbound failover is provided by reassigning the secondary IP addresses of ENI1\port2 from FortiGate A's private interface to FortiGate B's private interface. Additionally, any VPC route whose target is FortiGate A's private interface is updated to target FortiGate B's private interface, so traffic leaving the protected subnets is forwarded to FortiGate B.

The reassignment of secondary IP addresses is critical: the sessions synchronized from FortiGate A are keyed on those addresses, so traffic can only resume through FortiGate B once the same addresses are present on its interfaces.

FortiGate B performs these AWS API calls itself, sourcing them from its dedicated HA management interface (ENI3\port4) and reaching the AWS API endpoints through the AWS Internet Gateway. This has two practical consequences: port4 needs a working path to the Internet Gateway, and the IAM role attached to the instance must permit reassigning private IP addresses, associating EIPs and replacing routes. If either is missing, the HA heartbeat still promotes FortiGate B, but the AWS side does not follow and traffic keeps going to the failed FortiGate A.

When FortiGate A fails, the secondary IP address 192.168.1.13 on its eth0 (ENI0\port1), originally assigned to FortiGate A's port1, moves to FortiGate B's port1. At the same time, the secondary IP address 192.168.2.13 on eth1 (ENI1\port2) moves from FortiGate A's port2 to FortiGate B's port2. These moves are shown as blue arrows in the diagram. The EIP associated with 192.168.1.13 serves as the main front-end public IP address; it remains reachable after the primary and secondary roles switch between the two FortiGates, or when one FortiGate is shut down.
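The AWS-side sequence described above (move ENI0\port1 secondary IPs and their EIPs, move ENI1\port2 secondary IPs, repoint routes targeting FortiGate A's private ENI) as an added, stand-alone example driven with boto3's EC2 client. This is not FortiGate's own HA code, which performs equivalent calls from port4; the ENI IDs, EIP allocation ID and the route table contents are constructed for the example, and only the two secondary IPs come from the diagram discussion. The DryRunEc2 stand-in records the calls instead of making them, which is also a useful way to check a failover plan and the IAM permissions it needs before relying on it.

```python
"""FortiGate A -> FortiGate B failover steps on AWS (added example, not
FortiGate's own code).  Pass a real boto3.client("ec2") or the DryRunEc2
recorder below.  IDs and the route table in run_dry_run() are constructed."""
from dataclasses import dataclass
from typing import Any, Dict, List, Tuple

# Least-privilege IAM actions the caller (instance role or operator) needs.
REQUIRED_IAM_ACTIONS = ["ec2:AssignPrivateIpAddresses", "ec2:AssociateAddress",
                        "ec2:DescribeRouteTables", "ec2:ReplaceRoute"]


@dataclass
class FailoverPlan:
    public_eni_b: str                 # FortiGate B ENI0 / port1 (public side)
    private_eni_b: str                # FortiGate B ENI1 / port2 (private side)
    private_eni_a: str                # FortiGate A ENI1 / port2, current route target
    public_secondary_ips: List[str]   # secondary IPs on ENI0, e.g. 192.168.1.13
    private_secondary_ips: List[str]  # secondary IPs on ENI1, e.g. 192.168.2.13
    eip_allocations: Dict[str, str]   # secondary IP -> EIP AllocationId


def failover(ec2, plan: FailoverPlan) -> List[Tuple[str, str]]:
    """Move secondary IPs, EIPs and routes to FortiGate B.
    Returns (route table id, destination) for every route repointed."""
    # Inbound 1: move ENI0/port1 secondary IPs.  AllowReassignment detaches
    # them from A without a separate Unassign call, which matters because A
    # may already be unreachable.
    ec2.assign_private_ip_addresses(NetworkInterfaceId=plan.public_eni_b,
                                    PrivateIpAddresses=plan.public_secondary_ips,
                                    AllowReassignment=True)
    # Inbound 2: re-associate each EIP with the same secondary IP, now on B.
    for ip in plan.public_secondary_ips:
        alloc = plan.eip_allocations.get(ip)
        if alloc is None:
            continue  # secondary IP with no EIP (private-only use)
        ec2.associate_address(AllocationId=alloc, NetworkInterfaceId=plan.public_eni_b,
                              PrivateIpAddress=ip, AllowReassociation=True)
    # Outbound 1: move ENI1/port2 secondary IPs.
    ec2.assign_private_ip_addresses(NetworkInterfaceId=plan.private_eni_b,
                                    PrivateIpAddresses=plan.private_secondary_ips,
                                    AllowReassignment=True)
    # Outbound 2: repoint every route whose target is A's private ENI.  The
    # filter narrows the lookup to tables that contain such a route; routes
    # with other targets (e.g. the VPC "local" route) are skipped.
    resp = ec2.describe_route_tables(Filters=[
        {"Name": "route.network-interface-id", "Values": [plan.private_eni_a]}])
    repointed: List[Tuple[str, str]] = []
    for table in resp["RouteTables"]:
        for route in table["Routes"]:
            if route.get("NetworkInterfaceId") != plan.private_eni_a:
                continue
            kwargs: Dict[str, Any] = {"RouteTableId": table["RouteTableId"],
                                      "NetworkInterfaceId": plan.private_eni_b}
            if "DestinationCidrBlock" in route:
                dest = kwargs["DestinationCidrBlock"] = route["DestinationCidrBlock"]
            elif "DestinationIpv6CidrBlock" in route:
                dest = kwargs["DestinationIpv6CidrBlock"] = route["DestinationIpv6CidrBlock"]
            else:
                continue  # prefix-list destinations are out of scope here
            ec2.replace_route(**kwargs)
            repointed.append((table["RouteTableId"], dest))
    return repointed


class DryRunEc2:
    """Stand-in for boto3.client("ec2"): records every call instead of making
    it and answers DescribeRouteTables from a supplied (constructed) table."""
    def __init__(self, route_tables: List[Dict[str, Any]]):
        self.route_tables = route_tables
        self.calls: List[Tuple[str, Dict[str, Any]]] = []

    def assign_private_ip_addresses(self, **kw):
        self.calls.append(("AssignPrivateIpAddresses", kw)); return {}

    def associate_address(self, **kw):
        self.calls.append(("AssociateAddress", kw)); return {}

    def describe_route_tables(self, **kw):
        self.calls.append(("DescribeRouteTables", kw))
        return {"RouteTables": self.route_tables}

    def replace_route(self, **kw):
        self.calls.append(("ReplaceRoute", kw)); return {}


def run_dry_run():
    """Exercise the plan against constructed IDs and one constructed route table."""
    plan = FailoverPlan(public_eni_b="eni-0b0b0b0b", private_eni_b="eni-1b1b1b1b",
                        private_eni_a="eni-1a1a1a1a",
                        public_secondary_ips=["192.168.1.13"],
                        private_secondary_ips=["192.168.2.13"],
                        eip_allocations={"192.168.1.13": "eipalloc-0example"})
    ec2 = DryRunEc2([{"RouteTableId": "rtb-0example", "Routes": [
        {"DestinationCidrBlock": "192.168.0.0/16", "GatewayId": "local"},
        {"DestinationCidrBlock": "0.0.0.0/0", "NetworkInterfaceId": "eni-1a1a1a1a"}]}])
    repointed = failover(ec2, plan)
    return ec2.calls, repointed


if __name__ == "__main__":
    # For a live failover replace DryRunEc2 with boto3.client("ec2", region_name=...).
    for name, kw in run_dry_run()[0]:
        print(name, kw)
```

The AllowReassignment and AllowReassociation flags are what make the inbound half of the failover a single call per interface when FortiGate A is dead: without them the API refuses to take an address that is still attached to A's ENI. Running the dry run once after deployment also confirms that the plan touches exactly the routes you expect; a VPC with several route tables pointing at the private ENI (one per protected subnet) should show one ReplaceRoute per table.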