Configuring multiple public IP addresses
When using multiple public IP addresses with an A-P cluster deployment, you must configure the same number of IP configurations on the primary vNIC of both FortiGate-VMs. See Using public IP addresses. The currently passive FortiGate-VM contains only local IP addresses, with no public IP assignments. Additionally, you must add each public IP address to the Fabric connector configuration so that it can be moved on failover:
config system sdn-connector
    edit "AZConnector"
        config nic
            edit "FortiGate-A-NIC1"
                config ip
                    edit "ipconfig2"
                        set public-ip "FGTAPClusterPublicIP2"
                    next
                end
            next
        end
    next
end
Since a virtual IP address only matches its configured local IP address as the destination, you must create a secondary virtual IP address that matches the local address assigned to the passive FortiGate-VM. Thus, at any given time, only one virtual IP address matches an address on the currently active FortiGate-VM, and the other would match traffic after a failover occurs. Add both virtual IP addresses to the policy that allows the traffic. Additionally, since the configuration of the active FortiGate-VM does not replicate to the passive FortiGate-VM, you must complete the configuration on both FortiGate-VMs.
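The following FortiOS CLI block is an added example of the virtual IP pair and policy described above; it is not taken from this page or from Fortinet's own documentation. The local IP addresses (10.0.1.6 for ipconfig2 on FortiGate-A, 10.0.1.7 for ipconfig2 on FortiGate-B), the internal server address 10.0.3.10, the interface names port1 and port2, and the object names are all constructed assumptions; substitute the values from your own deployment. Enter the same block on both FortiGate-VMs.

```fortios
# Constructed example: one VIP per cluster member, both pointing at the same internal server.
# Only the VIP whose extip matches the active member's local address carries traffic at any time.
config firewall vip
    edit "PublicIP2-to-Web-A"
        # local IP of ipconfig2 on FortiGate-A (assumed value)
        set extip 10.0.1.6
        set extintf "port1"
        set mappedip "10.0.3.10"
    next
    edit "PublicIP2-to-Web-B"
        # local IP of ipconfig2 on FortiGate-B (assumed value); matches after failover
        set extip 10.0.1.7
        set extintf "port1"
        set mappedip "10.0.3.10"
    next
end
# A single inbound policy references both VIPs so it keeps working after a failover.
config firewall policy
    edit 0
        set name "Inbound-PublicIP2"
        set srcintf "port1"
        set dstintf "port2"
        set srcaddr "all"
        set dstaddr "PublicIP2-to-Web-A" "PublicIP2-to-Web-B"
        set action accept
        set schedule "always"
        set service "HTTPS"
        set nat enable
    next
end
```

After a failover, verify with `diagnose debug application azd -1` style connector logging (or simply by checking the Azure portal) that FGTAPClusterPublicIP2 has been re-associated with ipconfig2 on the new active member; if the public IP moves but the second VIP is missing on that member, inbound traffic on that public IP is dropped even though the policy exists.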