Fortinet Document Library

Version:

6.4.0
6.2.0
FortiGate / FortiOS FortiAnalyzer FortiManager FortiWeb FortiTester FortiAuthenticator FortiADC FortiSandbox FortiWeb Manager

Table of Contents

Azure Cookbook

Resources

Upgrade Path Tool
Home Azure/Azure Stack FortiGate / FortiOS
6.4 6.2 6.0 5.6

Azure Cookbook

6.2.0
6.4.0
6.2.0
Download PDF
Copy Link

Configuring multiple public IP addresses

When using multiple public IP address with an A-P cluster deployment, you must configure the same number of IP address configurations on the primary vNIC for both FortiGate-VMs. See Using public IP addresses. The current passive FortiGate-VM will only contain local IP addresses without public IP assignments. Additionally, you must add each public IP address to the Fabric connector configuration for failover:

config system sdn-connector

edit "AZConnector"

config nic

edit "FortiGate-A-NIC1"

config ip

edit "ipconfig2"

set public-ip "FGTAPClusterPublicIP2"

next

end

next

end

Since the virtual IP address only matches the local IP address destination, you must create a secondary virtual IP address that matches the local address assigned to the passive FortiGate-VM. Thus, at any given time, you have only one virtual IP address that matches an address on the currently active FortiGate-VM and another that would match traffic if a failover occurred. You should add both virtual IP addresses to the policy which allows the traffic. Additionally, since the configuration of the active FortiGate-VM is replicated to the passive FortiGate-VM, you can complete both configurations on the current active FortiGate-vM.

Resources

Upgrade Path Tool

Configuring multiple public IP addresses

When using multiple public IP address with an A-P cluster deployment, you must configure the same number of IP address configurations on the primary vNIC for both FortiGate-VMs. See Using public IP addresses. The current passive FortiGate-VM will only contain local IP addresses without public IP assignments. Additionally, you must add each public IP address to the Fabric connector configuration for failover:

config system sdn-connector

edit "AZConnector"

config nic

edit "FortiGate-A-NIC1"

config ip

edit "ipconfig2"

set public-ip "FGTAPClusterPublicIP2"

next

end

next

end

Since the virtual IP address only matches the local IP address destination, you must create a secondary virtual IP address that matches the local address assigned to the passive FortiGate-VM. Thus, at any given time, you have only one virtual IP address that matches an address on the currently active FortiGate-VM and another that would match traffic if a failover occurred. You should add both virtual IP addresses to the policy which allows the traffic. Additionally, since the configuration of the active FortiGate-VM is replicated to the passive FortiGate-VM, you can complete both configurations on the current active FortiGate-vM.