Deploying and configuring active-passive HA between multiple zones
To ensure availability in the event of a catastrophic failure of an Azure datacenter, you must configure FortiGate HA across zones. This solution takes advantage of Azure's ability to create instances and migrate public IP addresses across zones.
This configuration differs from the one described in Deploying and configuring active-passive HA within one zone in the following ways:
- Create the primary and secondary instances in different AZs.
- Set the management and public IP address SKUs to standard. See IP address types and allocation methods in Azure.
- Configure a network security group (NSG) for the NICs, which is required when standard SKUs are used.
To configure multizone active-passive HA in Azure:
- Create a resource group:
az group create -l northeurope -n YourResourceGroup
Pick the desired location and name for your resource group.
- Create public IP addresses. A recommended installation requires four network interfaces per FortiGate-VM node. In addition to inbound and outbound data interfaces, this deployment uses two interfaces for internal operations. Choose Azure VM instance sizes that support four network interfaces. The table in Reviewing the network topology outlines how the deployment uses each port.
az network public-ip create -g YourResourceGroup -n fgtamgmtip --sku Standard
az network public-ip create -g YourResourceGroup -n fgtbmgmtip --sku Standard
az network public-ip create -g YourResourceGroup -n tClusterPublicIP --sku Standard
Create a public IP address with this command, specifying the resource group name, IP address name, and standard SKU.
- Create an NSG:
az network nsg create -g YourResourceGroup -n allowallnsg
az network nsg rule create -g YourResourceGroup --nsg-name allowallnsg -n allowall --priority 100 --direction inbound --protocol '*' --destination-port-ranges '*'
az network nsg rule create -g YourResourceGroup --nsg-name allowallnsg -n allowall2 --priority 100 --direction outbound --protocol '*' --destination-port-ranges '*'
This example creates an NSG with open rules, but you may want to restrict these to the commonly used management access ports such as 80, 443, and 22. You must specify the resource group name, name for the NSG, priority, direction, protocol, and destination port range.
- Create a VNet and route tables:
- Create the route table for internal protected clients:
az network route-table create -g YourResourceGroup -n default-udr
- Create the route inside the newly created routing table. The address refers to the primary FortiGate's port2 IP address.
az network route-table route create -g YourResourceGroup --route-table-name default-udr -n defaultroute --next-hop-type VirtualAppliance --address-prefix 0.0.0.0/0 --next-hop-ip-address 20.0.1.70
- Create the public access routing table:
az network route-table create -g YourResourceGroup -n tooutside
- Create a route to the Internet:
az network route-table route create -g YourResourceGroup --route-table-name tooutside -n toout --next-hop-type Internet --address-prefix 0.0.0.0/0
- Create a VNet with 20.0.0.0/16 CIDR:
az network vnet create -n YourVNET -g YourResourceGroup --subnet-name public --address-prefix 20.0.0.0/16 --subnet-prefix 20.0.0.0/24
- Attach a route table to the public subnet:
az network vnet subnet update -n public --vnet-name YourVNET -g YourResourceGroup --route-table tooutside
- Create an internal subnet with its route table:
az network vnet subnet create -n internal --vnet-name YourVNET -g YourResourceGroup --address-prefixes 20.0.1.0/24 --route-table default-udr
- Create a heartbeat subnet:
az network vnet subnet create -n heartbeat --vnet-name YourVNET -g YourResourceGroup --address-prefixes 20.0.2.0/24
- Create a management subnet with a route table to the Internet:
az network vnet subnet create -n mgmt --vnet-name YourVNET -g YourResourceGroup --address-prefixes 20.0.3.0/24 --route-table tooutside
- Create instance with NICs:
- Create ports 1 to 4 for the primary instance. The NICs that need Internet access require an NSG.
az network nic create -g YourResourceGroup --vnet-name YourVNET --subnet public -n tfgtaport1 --private-ip-address 20.0.0.70 --network-security-group allowallnsg --public-ip-address tClusterPublicIP
az network nic create -g YourResourceGroup --vnet-name YourVNET --subnet internal -n tfgtaport2 --private-ip-address 20.0.1.70
az network nic create -g YourResourceGroup --vnet-name YourVNET --subnet heartbeat -n tfgtaport3 --private-ip-address 20.0.2.70
az network nic create -g YourResourceGroup --vnet-name YourVNET --subnet mgmt -n tfgtaport4 --private-ip-address 20.0.3.70 --public-ip-address fgtamgmtip --network-security-group allowallnsg
- Create ports 1 to 4 for the secondary instance:
az network nic create -g YourResourceGroup --vnet-name YourVNET --subnet public -n tfgtbport1 --private-ip-address 20.0.0.80 --network-security-group allowallnsg
az network nic create -g YourResourceGroup --vnet-name YourVNET --subnet internal -n tfgtbport2 --private-ip-address 20.0.1.80
az network nic create -g YourResourceGroup --vnet-name YourVNET --subnet heartbeat -n tfgtbport3 --private-ip-address 20.0.2.80
az network nic create -g YourResourceGroup --vnet-name YourVNET --subnet mgmt -n tfgtbport4 --private-ip-address 20.0.3.80 --public-ip-address fgtbmgmtip --network-security-group allowallnsg
- Create the primary instance using custom data attached below:
az vm create --resource-group YourResourceGroup --name master --image fortiosimage --admin-username administratoruser --admin-password administratorpassword --nsg "" --zone 1 --nics tfgtaport1 tfgtaport2 tfgtaport3 tfgtaport4 --size Standard_DS3_v2 --custom-data /path/to/configfile/master.txt
- Create the secondary instance:
az vm create --resource-group YourResourceGroup --name slave --image fortiosimage --admin-username administratoruser --admin-password administratorpassword --nsg "" --zone 2 --nics tfgtbport1 tfgtbport2 tfgtbport3 tfgtbport4 --size Standard_DS3_v2 --custom-data /path/to/configfile/master.txt
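The NSG step above creates allow-all rules and suggests restricting them to management ports. The following added example (not part of the Fortinet page) builds a replacement NSG that admits only HTTPS and SSH from a known administrator range and attaches it to the two management NICs; the NSG name, rule names and ADMIN_CIDR are assumptions, and setting AZ=echo prints the commands instead of running them.

```shell
#!/bin/sh
# Added example, not from the Fortinet page: restrictive management NSG in place of allowallnsg.
set -eu

RG=${RG:-YourResourceGroup}
NSG=${NSG:-fgt-mgmt-nsg}                   # assumed NSG name
ADMIN_CIDR=${ADMIN_CIDR:-203.0.113.0/24}   # constructed placeholder admin range
AZ=${AZ:-az}                               # AZ=echo for a dry run

# One inbound rule: TCP from the admin range to a single destination port, explicit Allow.
mgmt_rule() {
  # $1 = rule name, $2 = priority, $3 = destination port
  $AZ network nsg rule create -g "$RG" --nsg-name "$NSG" -n "$1" \
    --priority "$2" --direction Inbound --access Allow --protocol Tcp \
    --source-address-prefixes "$ADMIN_CIDR" --destination-port-ranges "$3"
}

create_mgmt_nsg() {
  $AZ network nsg create -g "$RG" -n "$NSG"
  mgmt_rule allow-https-admin 100 443   # GUI/API, matches allowaccess https
  mgmt_rule allow-ssh-admin   110 22    # CLI, matches allowaccess ssh
  # Explicit catch-all deny at the lowest user priority. Note it also overrides
  # Azure's default AllowVnetInBound rule, so any intra-VNet access to the
  # management interface must be added as its own Allow rule above it.
  $AZ network nsg rule create -g "$RG" --nsg-name "$NSG" -n deny-all-inbound \
    --priority 4096 --direction Inbound --access Deny --protocol '*' \
    --source-address-prefixes '*' --destination-port-ranges '*'
}

# Swap the NSG on the management NICs from the procedure (tfgtaport4, tfgtbport4).
attach_mgmt_nsg() {
  for nic in "$@"; do
    $AZ network nic update -g "$RG" -n "$nic" --network-security-group "$NSG"
  done
}

# Uncomment to run against a logged-in az CLI:
# create_mgmt_nsg && attach_mgmt_nsg tfgtaport4 tfgtbport4
```

The data-plane NICs (tfgtaport1, tfgtbport1) still need their own rule set covering only the services the cluster publishes.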
To configure multizone active-passive HA in FortiOS:
- Configure the primary FortiGate:
- Configure the interface settings. Configure a static IP address for all ports matching Azure:
config system global
set hostname fgta
set admintimeout 480
end
config system interface
edit "port1"
set vdom "root"
set mode static
set ip 20.0.0.70 255.255.255.0
set allowaccess ping https ssh snmp http telnet fgfm radius-acct probe-response capwap ftm
set description "external"
next
edit "port2"
set vdom "root"
set mode static
set ip 20.0.1.70 255.255.255.0
set allowaccess ping https ssh snmp http telnet fgfm radius-acct probe-response capwap ftm
set description "internal"
next
edit "port3"
set vdom "root"
set mode static
set ip 20.0.2.70 255.255.255.0
set allowaccess ping https ssh snmp http telnet fgfm radius-acct probe-response capwap ftm
next
edit "port4"
set vdom "root"
set mode static
set ip 20.0.3.70 255.255.255.0
set allowaccess ping https ssh snmp http telnet fgfm radius-acct probe-response capwap ftm
next
end
- Configure the routing settings. In this example, 20.0.0.1 is the public subnet's Azure gateway.
config router static
edit 1
set gateway 20.0.0.1
set device port1
next
end
- Configure the Fabric connector, using your Azure environment's information as necessary. Note the following:
- For the resource group, enter the name of the resource group that houses the instances.
- For the NIC, enter the name of the NIC that contains the public IP address that will be moved upon failover.
- For the public IP address, enter the public IP address to move upon failover.
- For the route table, configure the route table of the internal subnet (for clients).
- Point the next hop route to the primary FortiGate's port2 IP address.
FortiOS 6.2.5 and later versions support the subscription-id attribute under config route-table. This attribute allows you to update the route table for a different subscription.
config system sdn-connector
edit "azure"
set type azure
set ha-status enable
set tenant-id "xxxx"
set subscription-id "xxxx"
set client-id "xxxx"
set client-secret ENC xxxx
set resource-group "YourResourceGroup"
config nic
edit "tfgtaport1"
config ip
edit "IpConfig-0"
set public-ip "tClusterPublicIP"
next
end
next
end
config route-table
edit "default-udr"
set subscription-id "XXXXXX"
config route
edit "defaultroute"
set next-hop "20.0.1.70"
next
end
next
end
next
end
- Configure HA settings. Port4 is the management port for the primary FortiGate. Ensure that you set the gateway to 20.0.3.1: because management Internet traffic is segregated to its own subnet, configuring the gateway is necessary. For the unicast heartbeat peer IP address, enter the port3 heartbeat IP address of the secondary instance:
config system ha
set group-name "Test"
set mode a-p
set hbdev "port3" 100
set session-pickup enable
set session-pickup-connectionless enable
set ha-mgmt-status enable
config ha-mgmt-interfaces
edit 1
set interface "port4"
set gateway 20.0.3.1
next
end
set override disable
set priority 255
set unicast-hb enable
set unicast-hb-peerip 20.0.2.80
end
- Configure the firewall policy:
config firewall policy
edit 1
set name "main"
set srcintf "port2"
set dstintf "port1"
set srcaddr "all"
set dstaddr "all"
set action accept
set status enable
set schedule "always"
set service "ALL"
set logtraffic all
set fsso disable
set nat enable
next
end
- Configure the secondary FortiGate:
- Configure the interface settings. Configure a static IP address for all ports matching Azure:
config system global
set hostname fgtb
set admintimeout 480
end
config system interface
edit "port1"
set vdom "root"
set mode static
set ip 20.0.0.80 255.255.255.0
set allowaccess ping https ssh snmp http telnet fgfm radius-acct probe-response capwap ftm
set description "external"
next
edit "port2"
set vdom "root"
set mode static
set ip 20.0.1.80 255.255.255.0
set allowaccess ping https ssh snmp http telnet fgfm radius-acct probe-response capwap ftm
set description "internal"
next
edit "port3"
set vdom "root"
set mode static
set ip 20.0.2.80 255.255.255.0
set allowaccess ping https ssh snmp http telnet fgfm radius-acct probe-response capwap ftm
next
edit "port4"
set vdom "root"
set mode static
set ip 20.0.3.80 255.255.255.0
set allowaccess ping https ssh snmp http telnet fgfm radius-acct probe-response capwap ftm
next
end
- Configure the routing settings. In this example, 20.0.0.1 is the public subnet's Azure gateway.
config router static
edit 1
set gateway 20.0.0.1
set device port1
next
end
- Configure HA settings. For the unicast heartbeat peer IP address, enter the port3 heartbeat IP address of the primary instance:
config system ha
set group-name "Test"
set mode a-p
set hbdev "port3" 100
set session-pickup enable
set session-pickup-connectionless enable
set ha-mgmt-status enable
config ha-mgmt-interfaces
edit 1
set interface "port4"
set gateway 20.0.3.1
next
end
set override disable
set priority 200
set unicast-hb enable
set unicast-hb-peerip 20.0.2.70
end
- Configure the Fabric connector, using your Azure environment's information as necessary. Note the following:
- For the NIC, enter the name of the NIC that contains the public IP address that will be moved upon failover.
- For the public IP address, enter the public IP address to move upon failover.
- For the route table, configure the route table of the internal subnet (for clients).
- Point the next hop route to the secondary FortiGate's port2 IP address.
config system sdn-connector
edit "azure"
set type azure
set tenant-id "xxxx"
set subscription-id "xxxx"
set client-id "xxxx"
set client-secret "xxxx"
set resource-group "YourResourceGroup"
config nic
edit "tfgtbport1"
config ip
edit "IpConfigb-0"
set public-ip "tClusterPublicIP"
next
end
next
end
config route-table
edit "default-udr"
set subscription-id "XXXXXX"
config route
edit "defaultroute"
set next-hop "20.0.1.80"
next
end
next
end
next
end
To troubleshoot this configuration, see Troubleshooting.