Fortinet Document Library

Version: 6.0.0

(Failover test) Shutting down FortiGate A

  1. Let's test the failover situation where FortiGate A fails to run. First, while both FortiGate instances are running, log into FortiGate A by connecting to the front-end public IP address, https://18.217.217.193, which is associated with the secondary private IP address 192.168.1.13.

  2. Let's see whether FortiGate B promotes itself to primary when FortiGate A fails to run. On the EC2 console, shut down FortiGate A.

  3. Connect to the same public front-end IP address, https://18.217.217.193, by refreshing the browser. You are now logged into FortiGate B, not FortiGate A, because the secondary IP address 192.168.1.13 has moved to FortiGate B's public-facing port.

  4. Check FortiGate B's secondary IP address in the EC2 console.

    Any existing AWS routes are updated to reference the new primary FortiGate's ENI1/port2 instead of the original primary FortiGate's ENI1/port2. In this example, FortiGate B, which was originally the secondary FortiGate, is promoted to the role of primary FortiGate.

  5. Check the HA status while FortiGate A is down.

  6. Once FortiGate A comes back online, it runs as the secondary. It takes time for the HA to settle and for synchronization to function, as indicated by the green checkmarks.
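The steps above verify the failover by eye in the GUI and the EC2 console. The script below is an added example, not Fortinet's code and not part of the original page: it performs the same two checks from the AWS side, confirming that the floating secondary IP (192.168.1.13 in the document) now sits on FortiGate B's public-facing ENI and that no route table still points at the old primary's ENI1/port2. The check functions take plain dicts shaped like the EC2 DescribeNetworkInterfaces and DescribeRouteTables responses, so they run offline on the constructed sample; the ENI IDs, instance IDs and primary addresses in that sample are hypothetical, and fetch_live_state() assumes boto3 is installed with AWS credentials configured.

```python
"""Check the state of a FortiGate HA failover on AWS (added example, not Fortinet's code).

After FortiGate A is shut down, two things should hold:
  1. the floating secondary private IP has moved to FortiGate B's public-facing ENI;
  2. no route table still targets the old primary's ENI1/port2; routes target
     the new primary's ENI1/port2 instead.
"""
from __future__ import annotations

FLOATING_IP = "192.168.1.13"   # floating secondary IP from the document

# Constructed sample (hypothetical IDs): FortiGate B now holds the floating IP
# on port1, but one route table was not updated and still targets A's port2 ENI.
SAMPLE_ENIS = {
    "NetworkInterfaces": [
        {"NetworkInterfaceId": "eni-aaaa0001", "Description": "FortiGate A port1",
         "Attachment": {"InstanceId": "i-fgtA"},
         "PrivateIpAddresses": [{"PrivateIpAddress": "192.168.1.11", "Primary": True}]},
        {"NetworkInterfaceId": "eni-aaaa0002", "Description": "FortiGate A port2",
         "Attachment": {"InstanceId": "i-fgtA"},
         "PrivateIpAddresses": [{"PrivateIpAddress": "192.168.2.11", "Primary": True}]},
        {"NetworkInterfaceId": "eni-bbbb0001", "Description": "FortiGate B port1",
         "Attachment": {"InstanceId": "i-fgtB"},
         "PrivateIpAddresses": [{"PrivateIpAddress": "192.168.1.12", "Primary": True},
                                {"PrivateIpAddress": FLOATING_IP, "Primary": False}]},
        {"NetworkInterfaceId": "eni-bbbb0002", "Description": "FortiGate B port2",
         "Attachment": {"InstanceId": "i-fgtB"},
         "PrivateIpAddresses": [{"PrivateIpAddress": "192.168.2.12", "Primary": True}]},
    ]
}

SAMPLE_ROUTE_TABLES = {
    "RouteTables": [
        {"RouteTableId": "rtb-private",
         "Routes": [{"DestinationCidrBlock": "192.168.0.0/16", "GatewayId": "local"},
                    {"DestinationCidrBlock": "0.0.0.0/0", "NetworkInterfaceId": "eni-bbbb0002"}]},
        {"RouteTableId": "rtb-stale",
         "Routes": [{"DestinationCidrBlock": "0.0.0.0/0", "NetworkInterfaceId": "eni-aaaa0002"}]},
    ]
}


def eni_holding_ip(enis: dict, ip: str) -> dict | None:
    """Return the ENI whose address list (primary or secondary) contains ip."""
    for eni in enis["NetworkInterfaces"]:
        for addr in eni.get("PrivateIpAddresses", []):
            if addr["PrivateIpAddress"] == ip:
                return eni
    return None


def instance_holding_ip(enis: dict, ip: str) -> str | None:
    """Instance ID of the FortiGate currently holding the floating IP, if any."""
    eni = eni_holding_ip(enis, ip)
    return eni["Attachment"]["InstanceId"] if eni else None


def routes_via_eni(route_tables: dict, eni_id: str) -> list[tuple[str, str]]:
    """(route table, destination) pairs whose next hop is the given ENI."""
    hits = []
    for rtb in route_tables["RouteTables"]:
        for route in rtb["Routes"]:
            if route.get("NetworkInterfaceId") == eni_id:
                hits.append((rtb["RouteTableId"], route["DestinationCidrBlock"]))
    return hits


def failover_report(enis: dict, route_tables: dict, new_primary_instance: str,
                    old_port2_eni: str, new_port2_eni: str) -> dict:
    """Combine both checks; failover_complete is True only when nothing is stale."""
    holder = instance_holding_ip(enis, FLOATING_IP)
    stale = routes_via_eni(route_tables, old_port2_eni)
    return {
        "floating_ip_instance": holder,
        "floating_ip_on_new_primary": holder == new_primary_instance,
        "stale_routes": stale,
        "routes_via_new_primary": routes_via_eni(route_tables, new_port2_eni),
        "failover_complete": holder == new_primary_instance and not stale,
    }


def fetch_live_state(vpc_id: str) -> tuple[dict, dict]:
    """Pull the real responses for one VPC (assumes boto3 and AWS credentials)."""
    import boto3
    ec2 = boto3.client("ec2")
    flt = [{"Name": "vpc-id", "Values": [vpc_id]}]
    return ec2.describe_network_interfaces(Filters=flt), ec2.describe_route_tables(Filters=flt)


if __name__ == "__main__":
    report = failover_report(SAMPLE_ENIS, SAMPLE_ROUTE_TABLES,
                             "i-fgtB", "eni-aaaa0002", "eni-bbbb0002")
    for key, value in report.items():
        print(f"{key}: {value}")
```

Against the constructed sample the floating IP check passes but `stale_routes` still lists `rtb-stale`, so `failover_complete` is False; that is the case worth catching in step 4, since traffic in a subnet using that table would still be sent to the shut-down FortiGate A. For a live check, replace the two sample dicts with the tuple returned by `fetch_live_state(vpc_id)`.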
