Fortinet Document Library

Version:

6.2.0
FortiGate / FortiOS FortiAnalyzer FortiManager FortiWeb FortiAuthenticator FortiSandbox FortiWeb Manager

Table of Contents

Azure Cookbook

Resources

Upgrade Path Tool
Home Azure/Azure Stack FortiGate / FortiOS
6.2 6.0 5.6

Azure Cookbook

6.2.0
6.2.0
Download PDF
Copy Link

Deploying and configuring active-passive HA between multiple zones

To ensure availability in the event of a catastrophic failure to the Azure datacenter, you must configure FortiGate HA across zones. This solution takes advantage of Azure's ability to create instances and migrate public IP addresses across zones.

This configuration differs from the one described in Deploying and configuring active-passive HA within one zone in the following ways. You must do the following:

  • Create the primary and secondary instances in different AZs.
  • Set the management and public IP address SKUs to standard. See IP address types and allocation methods in Azure.
  • Configure a network security group (NSG) for NICS due to the usage of standard SKUs.
To configure multi-zone active-passive HA in Azure:
  1. Create a resource group using the az group create -l northeurope -n YourResourceGroup command. Pick the desired location and a name for your resource group.
  2. Create public IP addresses. A recommended installation requires four network interfaces per FortiGate-VM node. In addition to inbound and outbound data interfaces, two interfaces are used for internal operations. Choose Azure VM instance sizes that can equip four network interfaces. The table in Reviewing the network topology outlines how each port is used.

    az network public-ip create -g YourResourceGroup -n fgtamgmtip --sku Standard

    az network public-ip create -g YourResourceGroup -n fgtbmgmtip --sku Standard

    az network public-ip create -g YourResourceGroup -n tClusterPublicIP --sku Standard

    Create a public IP address with this command, specifying the resource group name, IP address name, and standard SKU.

  3. Create an NSG:

    az network nsg create -g YourResourceGroup -n allowallnsg

    az network nsg rule create -g YourResourceGroup --nsg-name allowallnsg -n allowall --priority 100 --direction inbound --protocol '*' --destination-port-ranges '*'

    az network nsg rule create -g YourResourceGroup --nsg-name allowallnsg -n allowall2 --priority 100 --direction outbound --protocol '*' --destination-port-ranges '*'

    This example creates an NSG with open rules, but you may want to restrict these to the commonly used management access ports such as 80, 443, and 22. You must specify the resource group name, name for the NSG, priority, direction, protocol, and destination port range.

  4. Create a VNet and route tables:
    1. Create the route table for internal protected clients:

      az network route-table create -g YourResourceGroup -n default-udr

    2. Create the route inside the newly created routing table. The address refers to the primary FortiGate's port2 IP address.

      az network route-table route create -g YourResourceGroup --route-table-name default-udr -n defaultroute --next-hop-type VirtualAppliance --address-prefix 0.0.0.0/0 --next-hop-ip-address 20.0.1.70

    3. Create the public access routing table:

      az network route-table create -g YourResourceGroup -n tooutside

    4. Create a route to the Internet:

      az network route-table route create -g YourResourceGroup --route-table-name tooutside -n toout --next-hop-type Internet --address-prefix 0.0.0.0/0

    5. Create a VNet with 20.0.0.0/16 CIDR:

      az network vnet create -n YourVNET -g YourResourceGroup --subnet-name public --address-prefix 20.0.0.0/16 --subnet-prefix 20.0.0.0/24

    6. Attach a route table to the public subnet:

      az network vnet subnet update -n public --vnet-name YourVNET -g YourResourceGroup --route-table tooutside

    7. Create an internal subnet with its route table:

      az network vnet subnet create -n internal --vnet-name YourVNET -g YourResourceGroup --address-prefixes 20.0.1.0/24 --route-table default-udr

    8. Create a heartbeat subnet:

      az network vnet subnet create -n heartbeat --vnet-name YourVNET -g YourResourceGroup --address-prefixes 20.0.2.0/24

    9. Create a management subnet with a route table to the Internet:

      az network vnet subnet create -n mgmt --vnet-name YourVNET -g YourResourceGroup --address-prefixes 20.0.3.0/24 --route-table tooutside

  5. Create instance with NICs:
    1. Create ports 1 to 4 for the primary instance. The NICs that need Internet access require an NSG.

      az network nic create -g YourResourceGroup --vnet-name YourVNET --subnet public -n tfgtaport1 --private-ip-address 20.0.0.70 --network-security-group allowallnsg --public-ip-address tClusterPublicIP

      az network nic create -g YourResourceGroup --vnet-name YourVNET --subnet internal -n tfgtaport2 --private-ip-address 20.0.1.70

      az network nic create -g YourResourceGroup --vnet-name YourVNET --subnet heartbeat -n tfgtaport3 --private-ip-address 20.0.2.70

      az network nic create -g YourResourceGroup --vnet-name YourVNET --subnet mgmt -n tfgtaport4 --private-ip-address 20.0.3.70 --public-ip-address fgtamgmtip --network-security-group allowallnsg

    2. Create ports 1 to 4 for the secondary instance:

      az network nic create -g YourResourceGroup --vnet-name YourVNET --subnet public -n tfgtbport1 --private-ip-address 20.0.0.80 --network-security-group allowallnsg

      az network nic create -g YourResourceGroup --vnet-name YourVNET --subnet internal -n tfgtbport2 --private-ip-address 20.0.1.80

      az network nic create -g YourResourceGroup --vnet-name YourVNET --subnet heartbeat -n tfgtbport3 --private-ip-address 20.0.2.80

      az network nic create -g YourResourceGroup --vnet-name YourVNET --subnet mgmt -n tfgtbport4 --private-ip-address 20.0.3.80 --public-ip-address fgtbmgmtip --network-security-group allowallnsg

    3. Create the primary instance using custom data attached below:

      az vm create --resource-group YourResourceGroup --name master{$build2} --image fortiosond{$build2} --admin-username azureadmin --admin-password Password123# --nsg "" --zone 1 --nics tfgtaport1 tfgtaport2 tfgtaport3 tfgtaport4 --size Standard_DS3_v2 --custom-data /home/azure/configs/custom-master-mime.txt

    4. Create the secondary instance:

      az vm create --resource-group YourResourceGroup --name slave{$build2} --image fortiosond{$build2} --admin-username azureadmin --admin-password Password123# --nsg "" --zone 2 --nics tfgtbport1 tfgtbport2 tfgtbport3 tfgtbport4 --size Standard_DS3_v2 --custom-data /home/azure/configs/custom-slave-mime.txt

To configure multi-zone active-passive HA in FortiOS:
  1. Configure the primary FortiGate:
    1. Configure the interface settings. Configure a static IP address for all ports matching Azure:

      config system global

      set hostname fgta

      set admintimeout 480

      end

      config system interface

      edit "port1"

      set vdom "root"

      set mode static

      set ip 20.0.0.70 255.255.255.0

      set allowaccess ping https ssh snmp http telnet fgfm radius-acct probe-response capwap ftm

      set description "external"

      next

      edit "port2"

      set vdom "root"

      set mode static

      set ip 20.0.1.70 255.255.255.0

      set allowaccess ping https ssh snmp http telnet fgfm radius-acct probe-response capwap ftm

      set description "internal"

      next

      edit "port3"

      set vdom "root"

      set mode static

      set ip 20.0.2.70 255.255.255.0

      set allowaccess ping https ssh snmp http telnet fgfm radius-acct probe-response capwap ftm

      next

      edit "port4"

      set vdom "root"

      set mode static

      set ip 20.0.3.70 255.255.255.0

      set allowaccess ping https ssh snmp http telnet fgfm radius-acct probe-response capwap ftm

      next

      end

    2. Configure the routing settings. In this example, 20.0.0.1 is the public subnet's Azure gateway.

      config router static

      edit 1

      set gateway 20.0.0.1

      set device port1

      next

      end

    3. Configure the Fabric connector, using your Azure environment's information as necessary. Note the following:
      • For the resource group, enter the name of the resource group that houses the instances.
      • For the NIC, enter the name of the NIC that contains the public IP address that will be moved upon failover.
      • For the public IP address, enter the public IP address to move upon failover.
      • For the route table, configure the route table of the internal subnet (for clients).
      • Point the next hop route to the primary FortiGate's port2 IP address.

      config system sdn-connector

      edit "azure"

      set type azure

      set ha-status enable

      set tenant-id "xxxx"

      set subscription-id "xxxx"

      set client-id "xxxx"

      set client-secret ENC xxxx

      set resource-group "YourResourceGroup"

      config nic

      edit "tfgtaport1"

      config ip

      edit "IpConfig-0"

      set public-ip "tClusterPublicIP"

      next

      end

      next

      end

      config route-table

      edit "default-udr"

      config route

      edit "defaultroute"

      set next-hop "20.0.1.70"

      next

      end

      next

      end

      next

      end

    4. Configure HA settings. Port4 is management port for the primary FortiGate. Ensure that you set the gateway to 20.0.3.1. Since Internet traffic for management is segregated to its own subnet, it is necessary to configure the gateway. For the unicast heartbeat peer IP address, enter the port3 heartbeat IP address of the secondary instance:

      config system ha

      set group-name "Test"

      set mode a-p

      set hbdev "port3" 100

      set session-pickup enable

      set session-pickup-connectionless enable

      set ha-mgmt-status enable

      config ha-mgmt-interfaces

      edit 1

      set interface "port4"

      set gateway 20.0.3.1

      next

      end

      set override disable

      set priority 255

      set unicast-hb enable

      set unicast-hb-peerip 20.0.2.80

      end

    5. Configure the firewall policy:

      config firewall policy

      edit 1

      set name "main"

      set srcintf "port2"

      set dstintf "port1"

      set srcaddr "all"

      set dstaddr "all"

      set action accept

      set status enable

      set schedule "always"

      set service "ALL"

      set logtraffic all

      set fsso disable

      set nat enable

      next

      end

  2. Configure the secondary FortiGate:
    1. Configure the interface settings. Configure a static IP address for all ports matching Azure:

      config system global

      set hostname fgtb

      set admintimeout 480

      end

      config system interface

      edit "port1"

      set vdom "root"

      set mode static

      set ip 20.0.0.80 255.255.255.0

      set allowaccess ping https ssh snmp http telnet fgfm radius-acct probe-response capwap ftm

      set description "external"

      next

      edit "port2"

      set vdom "root"

      set mode static

      set ip 20.0.1.80 255.255.255.0

      set allowaccess ping https ssh snmp http telnet fgfm radius-acct probe-response capwap ftm

      set description "internal"

      next

      edit "port3"

      set vdom "root"

      set mode static

      set ip 20.0.2.80 255.255.255.0

      set allowaccess ping https ssh snmp http telnet fgfm radius-acct probe-response capwap ftm

      next

      edit "port4"

      set vdom "root"

      set mode static

      set ip 20.0.3.80 255.255.255.0

      set allowaccess ping https ssh snmp http telnet fgfm radius-acct probe-response capwap ftm

      next

      end

    2. Configure the routing settings. In this example, 20.0.0.1 is the public subnet's Azure gateway.

      config router static

      edit 1

      set gateway 20.0.0.1

      set device port1

      next

      end

    3. Configure HA settings. For the unicast heartbeat peer IP address, enter the port3 heartbeat IP address of the primary instance:

      config system ha

      set group-name "Test"

      set mode a-p

      set hbdev "port3" 100

      set session-pickup enable

      set session-pickup-connectionless enable

      set ha-mgmt-status enable

      config ha-mgmt-interfaces

      edit 1

      set interface "port4"

      set gateway 20.0.3.1

      next

      end

      set override disable

      set priority 255

      set unicast-hb enable

      set unicast-hb-peerip 20.0.2.70

      end

    4. Configure the Fabric connector, using your Azure environment's information as necessary. Note the following:
      • For the NIC, enter the name of the NIC that contains the public IP address that will be moved upon failover.
      • For the public IP address, enter the public IP address to move upon failover.
      • For the route table, configure the route table of the internal subnet (for clients).
      • Point the next hop route to the secondary FortiGate's port2 IP address.

      config system sdn-connector

      edit "azure"

      set type azure

      set tenant-id "xxxx"

      set subscription-id "xxxx"

      set client-id "xxxx"

      set client-secret "xxxx"

      set resource-group "YourResourceGroup"

      config nic

      edit "tfgtbport1"

      config ip

      edit "IpConfigb-0"

      set public-ip "tClusterPublicIP"

      next

      end

      next

      end

      config route-table

      edit "default-udr"

      config route

      edit "defaultroute"

      set next-hop "20.0.1.80"

      next

      end

      next

      end

      next

      end

To troubleshoot this configuration, see Troubleshooting.

Resources

Upgrade Path Tool

Deploying and configuring active-passive HA between multiple zones

To ensure availability in the event of a catastrophic failure to the Azure datacenter, you must configure FortiGate HA across zones. This solution takes advantage of Azure's ability to create instances and migrate public IP addresses across zones.

This configuration differs from the one described in Deploying and configuring active-passive HA within one zone in the following ways. You must do the following:

  • Create the primary and secondary instances in different AZs.
  • Set the management and public IP address SKUs to standard. See IP address types and allocation methods in Azure.
  • Configure a network security group (NSG) for NICS due to the usage of standard SKUs.
To configure multi-zone active-passive HA in Azure:
  1. Create a resource group using the az group create -l northeurope -n YourResourceGroup command. Pick the desired location and a name for your resource group.
  2. Create public IP addresses. A recommended installation requires four network interfaces per FortiGate-VM node. In addition to inbound and outbound data interfaces, two interfaces are used for internal operations. Choose Azure VM instance sizes that can equip four network interfaces. The table in Reviewing the network topology outlines how each port is used.

    az network public-ip create -g YourResourceGroup -n fgtamgmtip --sku Standard

    az network public-ip create -g YourResourceGroup -n fgtbmgmtip --sku Standard

    az network public-ip create -g YourResourceGroup -n tClusterPublicIP --sku Standard

    Create a public IP address with this command, specifying the resource group name, IP address name, and standard SKU.

  3. Create an NSG:

    az network nsg create -g YourResourceGroup -n allowallnsg

    az network nsg rule create -g YourResourceGroup --nsg-name allowallnsg -n allowall --priority 100 --direction inbound --protocol '*' --destination-port-ranges '*'

    az network nsg rule create -g YourResourceGroup --nsg-name allowallnsg -n allowall2 --priority 100 --direction outbound --protocol '*' --destination-port-ranges '*'

    This example creates an NSG with open rules, but you may want to restrict these to the commonly used management access ports such as 80, 443, and 22. You must specify the resource group name, name for the NSG, priority, direction, protocol, and destination port range.

  4. Create a VNet and route tables:
    1. Create the route table for internal protected clients:

      az network route-table create -g YourResourceGroup -n default-udr

    2. Create the route inside the newly created routing table. The address refers to the primary FortiGate's port2 IP address.

      az network route-table route create -g YourResourceGroup --route-table-name default-udr -n defaultroute --next-hop-type VirtualAppliance --address-prefix 0.0.0.0/0 --next-hop-ip-address 20.0.1.70

    3. Create the public access routing table:

      az network route-table create -g YourResourceGroup -n tooutside

    4. Create a route to the Internet:

      az network route-table route create -g YourResourceGroup --route-table-name tooutside -n toout --next-hop-type Internet --address-prefix 0.0.0.0/0

    5. Create a VNet with 20.0.0.0/16 CIDR:

      az network vnet create -n YourVNET -g YourResourceGroup --subnet-name public --address-prefix 20.0.0.0/16 --subnet-prefix 20.0.0.0/24

    6. Attach a route table to the public subnet:

      az network vnet subnet update -n public --vnet-name YourVNET -g YourResourceGroup --route-table tooutside

    7. Create an internal subnet with its route table:

      az network vnet subnet create -n internal --vnet-name YourVNET -g YourResourceGroup --address-prefixes 20.0.1.0/24 --route-table default-udr

    8. Create a heartbeat subnet:

      az network vnet subnet create -n heartbeat --vnet-name YourVNET -g YourResourceGroup --address-prefixes 20.0.2.0/24

    9. Create a management subnet with a route table to the Internet:

      az network vnet subnet create -n mgmt --vnet-name YourVNET -g YourResourceGroup --address-prefixes 20.0.3.0/24 --route-table tooutside

  5. Create instance with NICs:
    1. Create ports 1 to 4 for the primary instance. The NICs that need Internet access require an NSG.

      az network nic create -g YourResourceGroup --vnet-name YourVNET --subnet public -n tfgtaport1 --private-ip-address 20.0.0.70 --network-security-group allowallnsg --public-ip-address tClusterPublicIP

      az network nic create -g YourResourceGroup --vnet-name YourVNET --subnet internal -n tfgtaport2 --private-ip-address 20.0.1.70

      az network nic create -g YourResourceGroup --vnet-name YourVNET --subnet heartbeat -n tfgtaport3 --private-ip-address 20.0.2.70

      az network nic create -g YourResourceGroup --vnet-name YourVNET --subnet mgmt -n tfgtaport4 --private-ip-address 20.0.3.70 --public-ip-address fgtamgmtip --network-security-group allowallnsg

    2. Create ports 1 to 4 for the secondary instance:

      az network nic create -g YourResourceGroup --vnet-name YourVNET --subnet public -n tfgtbport1 --private-ip-address 20.0.0.80 --network-security-group allowallnsg

      az network nic create -g YourResourceGroup --vnet-name YourVNET --subnet internal -n tfgtbport2 --private-ip-address 20.0.1.80

      az network nic create -g YourResourceGroup --vnet-name YourVNET --subnet heartbeat -n tfgtbport3 --private-ip-address 20.0.2.80

      az network nic create -g YourResourceGroup --vnet-name YourVNET --subnet mgmt -n tfgtbport4 --private-ip-address 20.0.3.80 --public-ip-address fgtbmgmtip --network-security-group allowallnsg

    3. Create the primary instance using custom data attached below:

      az vm create --resource-group YourResourceGroup --name master{$build2} --image fortiosond{$build2} --admin-username azureadmin --admin-password Password123# --nsg "" --zone 1 --nics tfgtaport1 tfgtaport2 tfgtaport3 tfgtaport4 --size Standard_DS3_v2 --custom-data /home/azure/configs/custom-master-mime.txt

    4. Create the secondary instance:

      az vm create --resource-group YourResourceGroup --name slave{$build2} --image fortiosond{$build2} --admin-username azureadmin --admin-password Password123# --nsg "" --zone 2 --nics tfgtbport1 tfgtbport2 tfgtbport3 tfgtbport4 --size Standard_DS3_v2 --custom-data /home/azure/configs/custom-slave-mime.txt

To configure multi-zone active-passive HA in FortiOS:
  1. Configure the primary FortiGate:
    1. Configure the interface settings. Configure a static IP address for all ports matching Azure:

      config system global

      set hostname fgta

      set admintimeout 480

      end

      config system interface

      edit "port1"

      set vdom "root"

      set mode static

      set ip 20.0.0.70 255.255.255.0

      set allowaccess ping https ssh snmp http telnet fgfm radius-acct probe-response capwap ftm

      set description "external"

      next

      edit "port2"

      set vdom "root"

      set mode static

      set ip 20.0.1.70 255.255.255.0

      set allowaccess ping https ssh snmp http telnet fgfm radius-acct probe-response capwap ftm

      set description "internal"

      next

      edit "port3"

      set vdom "root"

      set mode static

      set ip 20.0.2.70 255.255.255.0

      set allowaccess ping https ssh snmp http telnet fgfm radius-acct probe-response capwap ftm

      next

      edit "port4"

      set vdom "root"

      set mode static

      set ip 20.0.3.70 255.255.255.0

      set allowaccess ping https ssh snmp http telnet fgfm radius-acct probe-response capwap ftm

      next

      end

    2. Configure the routing settings. In this example, 20.0.0.1 is the public subnet's Azure gateway.

      config router static

      edit 1

      set gateway 20.0.0.1

      set device port1

      next

      end

    3. Configure the Fabric connector, using your Azure environment's information as necessary. Note the following:
      • For the resource group, enter the name of the resource group that houses the instances.
      • For the NIC, enter the name of the NIC that contains the public IP address that will be moved upon failover.
      • For the public IP address, enter the public IP address to move upon failover.
      • For the route table, configure the route table of the internal subnet (for clients).
      • Point the next hop route to the primary FortiGate's port2 IP address.

      config system sdn-connector

      edit "azure"

      set type azure

      set ha-status enable

      set tenant-id "xxxx"

      set subscription-id "xxxx"

      set client-id "xxxx"

      set client-secret ENC xxxx

      set resource-group "YourResourceGroup"

      config nic

      edit "tfgtaport1"

      config ip

      edit "IpConfig-0"

      set public-ip "tClusterPublicIP"

      next

      end

      next

      end

      config route-table

      edit "default-udr"

      config route

      edit "defaultroute"

      set next-hop "20.0.1.70"

      next

      end

      next

      end

      next

      end

    4. Configure HA settings. Port4 is management port for the primary FortiGate. Ensure that you set the gateway to 20.0.3.1. Since Internet traffic for management is segregated to its own subnet, it is necessary to configure the gateway. For the unicast heartbeat peer IP address, enter the port3 heartbeat IP address of the secondary instance:

      config system ha

      set group-name "Test"

      set mode a-p

      set hbdev "port3" 100

      set session-pickup enable

      set session-pickup-connectionless enable

      set ha-mgmt-status enable

      config ha-mgmt-interfaces

      edit 1

      set interface "port4"

      set gateway 20.0.3.1

      next

      end

      set override disable

      set priority 255

      set unicast-hb enable

      set unicast-hb-peerip 20.0.2.80

      end

    5. Configure the firewall policy:

      config firewall policy

      edit 1

      set name "main"

      set srcintf "port2"

      set dstintf "port1"

      set srcaddr "all"

      set dstaddr "all"

      set action accept

      set status enable

      set schedule "always"

      set service "ALL"

      set logtraffic all

      set fsso disable

      set nat enable

      next

      end

  2. Configure the secondary FortiGate:
    1. Configure the interface settings. Configure a static IP address for all ports matching Azure:

      config system global

      set hostname fgtb

      set admintimeout 480

      end

      config system interface

      edit "port1"

      set vdom "root"

      set mode static

      set ip 20.0.0.80 255.255.255.0

      set allowaccess ping https ssh snmp http telnet fgfm radius-acct probe-response capwap ftm

      set description "external"

      next

      edit "port2"

      set vdom "root"

      set mode static

      set ip 20.0.1.80 255.255.255.0

      set allowaccess ping https ssh snmp http telnet fgfm radius-acct probe-response capwap ftm

      set description "internal"

      next

      edit "port3"

      set vdom "root"

      set mode static

      set ip 20.0.2.80 255.255.255.0

      set allowaccess ping https ssh snmp http telnet fgfm radius-acct probe-response capwap ftm

      next

      edit "port4"

      set vdom "root"

      set mode static

      set ip 20.0.3.80 255.255.255.0

      set allowaccess ping https ssh snmp http telnet fgfm radius-acct probe-response capwap ftm

      next

      end

    2. Configure the routing settings. In this example, 20.0.0.1 is the public subnet's Azure gateway.

      config router static

      edit 1

      set gateway 20.0.0.1

      set device port1

      next

      end

    3. Configure HA settings. For the unicast heartbeat peer IP address, enter the port3 heartbeat IP address of the primary instance:

      config system ha

      set group-name "Test"

      set mode a-p

      set hbdev "port3" 100

      set session-pickup enable

      set session-pickup-connectionless enable

      set ha-mgmt-status enable

      config ha-mgmt-interfaces

      edit 1

      set interface "port4"

      set gateway 20.0.3.1

      next

      end

      set override disable

      set priority 255

      set unicast-hb enable

      set unicast-hb-peerip 20.0.2.70

      end

    4. Configure the Fabric connector, using your Azure environment's information as necessary. Note the following:
      • For the NIC, enter the name of the NIC that contains the public IP address that will be moved upon failover.
      • For the public IP address, enter the public IP address to move upon failover.
      • For the route table, configure the route table of the internal subnet (for clients).
      • Point the next hop route to the secondary FortiGate's port2 IP address.

      config system sdn-connector

      edit "azure"

      set type azure

      set tenant-id "xxxx"

      set subscription-id "xxxx"

      set client-id "xxxx"

      set client-secret "xxxx"

      set resource-group "YourResourceGroup"

      config nic

      edit "tfgtbport1"

      config ip

      edit "IpConfigb-0"

      set public-ip "tClusterPublicIP"

      next

      end

      next

      end

      config route-table

      edit "default-udr"

      config route

      edit "defaultroute"

      set next-hop "20.0.1.80"

      next

      end

      next

      end

      next

      end

To troubleshoot this configuration, see Troubleshooting.