Fortinet Document Library

Azure Cookbook 6.2.0
Configuring the network via the CLI

Immediately after initial deployment, each new FortiGate-VM has only one interface (port1) active, with an IP address assigned by DHCP. FortiGate-VM HA configuration relies on static addressing, and DHCP-assigned addresses invalidate it, so you must change the network configuration of both firewalls to static IP addresses. You can do this from the FortiGate-VM CLI or GUI.

Connect via SSH to the IP address associated with FortiGate A's port1. The login credentials are those supplied in Template parameters; the example values were fortiadmin and MyPassword12. You cannot log in with the username "admin" and an empty password.

Note: Changing the port1 IP address mode from DHCP to static terminates your SSH session, so port1 is configured in a later step. If you lock yourself out of SSH access, Azure also supports a virtual serial console connection; the serial console requires boot diagnostics to be enabled.

Note: You must configure the SDN Connector. See the CLI configuration provided in Checking the prerequisites.

The following CLI configuration is applied before port1 is changed to a static IP address. The values are taken from the example diagram; replace them with your own.

FortiGate A:

config system interface
    edit "port2"
        set mode static
        set ip 10.0.2.4 255.255.255.0
        set allowaccess ping ssh
        set alias "internal"
    next
    edit "port3"
        set mode static
        set ip 10.0.3.4 255.255.255.0
        set allowaccess ping probe-response
        set alias "hasyncport"
    next
    edit "port4"
        set mode static
        set ip 10.0.4.4 255.255.255.0
        set allowaccess ping https ssh snmp fgfm radius-acct capwap ftm
        set alias "management"
    next
end

config router static
    edit 1
        set gateway 10.0.1.1
        set device port1
    next
    edit 2
        set dst 10.0.5.0 255.255.255.0
        set gateway 10.0.2.1
        set device "port2"
    next
end

config system ha
    set group-name "HAtest"
    set mode a-p
    set hbdev "port3" 100
    set session-pickup enable
    set session-pickup-connectionless enable
    set ha-mgmt-status enable
    config ha-mgmt-interfaces
        edit 1
            set interface "port4"
            set gateway 10.0.4.1
        next
    end
    set override disable
    set priority 200
    set unicast-hb enable
    set unicast-hb-peerip 10.0.3.5
end

The unicast-hb and unicast-hb-peerip commands (italicized in the original) were introduced for unicast HA on public cloud FortiGate-VM. When they are present, the FGCP cluster does not use virtual IP and MAC addresses. Instead, each node keeps its own heartbeat IP address and is pointed at its peer's heartbeat IP address.

After finishing the configuration on FortiGate A, connect via SSH to FortiGate B:

# exec ssh 10.0.1.5

FortiGate B:

config system interface
    edit "port2"
        set mode static
        set ip 10.0.2.5 255.255.255.0
        set allowaccess ping ssh
        set alias "internal"
    next
    edit "port3"
        set mode static
        set ip 10.0.3.5 255.255.255.0
        set allowaccess ping probe-response
        set alias "hasyncport"
    next
    edit "port4"
        set mode static
        set ip 10.0.4.5 255.255.255.0
        set allowaccess ping https ssh snmp fgfm radius-acct capwap ftm
        set alias "management"
    next
end

config router static
    edit 1
        set gateway 10.0.1.1
        set device port1
    next
    edit 2
        set dst 10.0.5.0 255.255.255.0
        set gateway 10.0.2.1
        set device "port2"
    next
end

config system ha
    set group-name "HAtest"
    set mode a-p
    set hbdev "port3" 100
    set session-pickup enable
    set session-pickup-connectionless enable
    set ha-mgmt-status enable
    config ha-mgmt-interfaces
        edit 1
            set interface "port4"
            set gateway 10.0.4.1
        next
    end
    set override disable
    set priority 100
    set unicast-hb enable
    set unicast-hb-peerip 10.0.3.4
end

The FortiGate with the lower priority value becomes the secondary node; in this example that is FortiGate B, which must therefore be given a lower priority than FortiGate A.

Now that the HA configuration designates port4 as the dedicated management interface, you can exit the current SSH session and open a new one to the dedicated management IP address, FGTAMgmtPublicIp. You can also now change the port1 IP address to a static address.

FortiGate A:

config system interface
    edit "port1"
        set mode static
        set ip 10.0.1.4 255.255.255.0
        set allowaccess ping ssh
        set alias "external"
    next
end

FortiGate B is available via its own dedicated management IP address, FGTBMgmtPublicIP:

FortiGate B:

config system interface
    edit "port1"
        set mode static
        set ip 10.0.1.5 255.255.255.0
        set allowaccess ping ssh
        set alias "external"
    next
end
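The two node configurations above differ only in the host offset of each address and in which heartbeat address each node points at, and unicast HA depends on a few cross-node invariants: every interface in static mode, each unicast-hb-peerip equal to the peer's port3 address, distinct addresses per port, and distinct priorities. The following Python script is an added example, not code from the Fortinet cookbook. It renders both configurations from one parameter set and checks those invariants on the rendered CLI text; the same parser can be run over `show system interface` and `show system ha` output copied from a live unit. The subnets, host addresses and HA settings reproduce the cookbook's example diagram; the Node type, the function names and the checks are this example's own assumptions.

```python
"""Render the two-node unicast HA configuration from one parameter set and
cross-check the values that must agree between FortiGate A and FortiGate B.
Added example; subnets and .4/.5 host offsets follow the cookbook diagram,
everything else (Node, function names, checks) is assumed for illustration."""
from __future__ import annotations

import re
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network

# Subnets constructed to match the cookbook's example diagram.
EXTERNAL = IPv4Network("10.0.1.0/24")   # port1
INTERNAL = IPv4Network("10.0.2.0/24")   # port2
HASYNC = IPv4Network("10.0.3.0/24")     # port3, unicast heartbeat
MGMT = IPv4Network("10.0.4.0/24")       # port4, dedicated HA management
PROTECTED = IPv4Network("10.0.5.0/24")  # reached through the port2 gateway

PORTS = [  # (interface, subnet, allowaccess, alias)
    ("port1", EXTERNAL, "ping ssh", "external"),
    ("port2", INTERNAL, "ping ssh", "internal"),
    ("port3", HASYNC, "ping probe-response", "hasyncport"),
    ("port4", MGMT, "ping https ssh snmp fgfm radius-acct capwap ftm", "management"),
]


def gateway(net: IPv4Network) -> IPv4Address:
    """Azure's subnet router is the first usable address of each subnet."""
    return net.network_address + 1


@dataclass(frozen=True)
class Node:
    name: str
    host: int      # host offset used in every subnet (4 for A, 5 for B)
    priority: int  # the lower value becomes the secondary when the cluster forms

    def addr(self, net: IPv4Network) -> IPv4Address:
        return net.network_address + self.host


def render_interfaces(node: Node, include_port1: bool) -> str:
    """port1 is skipped on the first push: switching it from DHCP to static
    drops the SSH session being used to enter the rest of the configuration."""
    lines = ["config system interface"]
    for name, net, access, alias in PORTS:
        if name == "port1" and not include_port1:
            continue
        lines += [f'    edit "{name}"', "        set mode static",
                  f"        set ip {node.addr(net)} {net.netmask}",
                  f"        set allowaccess {access}", f'        set alias "{alias}"', "    next"]
    return "\n".join(lines + ["end"])


def render_routes() -> str:
    return "\n".join(["config router static",
                      "    edit 1", f"        set gateway {gateway(EXTERNAL)}", "        set device port1", "    next",
                      "    edit 2", f"        set dst {PROTECTED.network_address} {PROTECTED.netmask}",
                      f"        set gateway {gateway(INTERNAL)}", '        set device "port2"', "    next", "end"])


def render_ha(node: Node, peer: Node, group: str = "HAtest") -> str:
    return "\n".join(["config system ha", f'    set group-name "{group}"', "    set mode a-p",
                      '    set hbdev "port3" 100', "    set session-pickup enable",
                      "    set session-pickup-connectionless enable", "    set ha-mgmt-status enable",
                      "    config ha-mgmt-interfaces", "        edit 1", '            set interface "port4"',
                      f"            set gateway {gateway(MGMT)}", "        next", "    end",
                      "    set override disable", f"    set priority {node.priority}",
                      "    set unicast-hb enable", f"    set unicast-hb-peerip {peer.addr(HASYNC)}", "end"])


def node_config(node: Node, peer: Node, include_port1: bool = True) -> str:
    return "\n".join([render_interfaces(node, include_port1), render_routes(), render_ha(node, peer)])


def parse_node(config: str) -> dict:
    """Extract the HA-relevant settings from FortiOS CLI text (rendered here or
    pasted from `show system interface` / `show system ha` on a unit)."""
    found: dict = {"iface_ip": {}, "iface_mode": {}}
    current = None  # interface whose edit block we are inside, if any
    for raw in config.splitlines():
        line = raw.strip()
        m = re.fullmatch(r'edit "?(port\d+)"?', line)
        if m:
            current = m.group(1)
            continue
        if line == "next":
            current = None
            continue
        m = re.fullmatch(r"set (mode|ip|hbdev|unicast-hb-peerip|priority) (.+)", line)
        if not m:
            continue
        key, value = m.group(1), m.group(2).split()[0].strip('"')
        if current and key in ("mode", "ip"):
            found["iface_" + key][current] = value
        elif key == "priority":
            found["priority"] = int(value)
        elif key in ("hbdev", "unicast-hb-peerip"):
            found[key] = value
    return found


def check_pair(cfg_a: str, cfg_b: str) -> list[str]:
    """Return the mismatches that would keep the two units from forming a unicast HA pair."""
    a, b = parse_node(cfg_a), parse_node(cfg_b)
    problems = []
    for label, me, other in (("A", a, b), ("B", b, a)):
        hb = me.get("hbdev")
        if me.get("unicast-hb-peerip") != other["iface_ip"].get(hb):
            problems.append(f"{label}: unicast-hb-peerip {me.get('unicast-hb-peerip')} "
                            f"is not the peer's {hb} address {other['iface_ip'].get(hb)}")
        for port, mode in me["iface_mode"].items():
            if mode != "static":
                problems.append(f"{label}: {port} is still {mode}; HA needs static addressing")
    for port in a["iface_ip"].keys() & b["iface_ip"].keys():
        if a["iface_ip"][port] == b["iface_ip"][port]:
            problems.append(f"{port}: both nodes use {a['iface_ip'][port]}")
    if a.get("priority") == b.get("priority"):
        problems.append("equal HA priorities; the primary role falls back to uptime and serial number")
    return problems


FGT_A = Node("FortiGate A", host=4, priority=200)
FGT_B = Node("FortiGate B", host=5, priority=100)

if __name__ == "__main__":
    for node, peer in ((FGT_A, FGT_B), (FGT_B, FGT_A)):
        print(f"# {node.name}\n{node_config(node, peer)}\n")
    print("problems:", check_pair(node_config(FGT_A, FGT_B), node_config(FGT_B, FGT_A)) or "none")
```

Running the script prints both configurations followed by the problem list; anything other than "none" means the pair should not be pushed. After the configuration is on both units, confirm that the cluster has formed with `get system ha status` and that the two configurations are synchronized with `diagnose sys ha checksum cluster`.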
