Fortinet Document Library

Version:

6.4.0
6.2.0
FortiVoice / FortiFone FortiGate / FortiOS FortiAnalyzer FortiManager FortiWeb FortiTester FortiProxy FortiAuthenticator FortiADC FortiSandbox FortiWeb Manager

Table of Contents

Azure Cookbook

Resources

Upgrade Path Tool
Home Azure/Azure Stack FortiGate / FortiOS
6.4 6.2 6.0 5.6

Azure Cookbook

6.2.0
6.4.0
6.2.0
Download PDF
Copy Link

Checking the prerequisites

You will invoke the ARM template on the Azure portal. The following are required for a successful deployment:

  • An Azure account to log into the Azure portal with. If you do not have an Azure account, follow these instructions.
  • An Azure subscription that allows you to purchase the FortiGate-VM and launch in a desired location
  • Availability to accommodate required Azure resources
    • VNet with five subnets (new or existing)
    • Three public IP addresses
      • One for traffic to/through the active (primary) FortiGate-VM
      • Two for management access to each FortiGate-VM
    • All IP addresses should be static, not DHCP.
    • Two FortiGate-VM instances
      • You must deploy the two nodes in the same region and under the same VNet. See Region support.
      • Each FortiGate-VM must have at least four network interfaces. See Instance type support.
      • Decide the FortiGate-VM login username and password. The username cannot be "admin" or "root".
  • IMPORTANT: Before setting up active-passive HA, you must have the Fabric connector configured on each FortiGate node. Without a Fabric connector, the FortiGate-VM cannot make API calls to change the route tables and the elastic IP address during a failover. To configure a Fabric Connector, see Configuring a Fabric connector in Azure.

    Once licensed and rebooted, you can proceed to configure the Azure settings to enable the cluster IP and route table failover.

    By default, FortiOS 6.2 disables HA status for Fabric connectors. As shown in the example configurations, you must enable the HA status and configure the NICs and route tables for HA failover to function.

    If you configured a Fabric connector with an NIC and route table in an earlier FortiOS version, then upgraded to FortiOS 6.2, FortiOS enables that connector's HA status after the upgrade. Otherwise, HA status remains disabled until you enable it.

    The following provides example configurations for the primary and secondary FortiGate-VMs:

    note icon

    FortiOS 6.2.5 and later versions support the subscription-id attribute under config route-table. This attribute allows you to update the route table for a different subscription.

    FortiGate A (Most of this configuration will be specific to your environment and so must be modified):

    config system sdn-connector

    edit "AZConnector"

    set type azure

    set ha-status enable

    set tenant-id "<tenant_ID>"

    set subscription-id "<subscription ID>"

    set resource-group "<resource group name>"

    set client-id "<client ID>"

    set client-secret <client secret key>

    config nic

    edit "FortiGate-A-NIC1"

    config ip

    edit "ipconfig1"

    set public-ip "FGTAPClusterPublicIP"

    next

    end

    next

    end

    config route-table

    edit "FortiGateDefaultAPRouteTable"

    set subscription-id "XXXXXX"

    config route

    edit "toDefault"

    set next-hop "10.0.2.4"

    next

    end

    next

    end

    end

    FortiGate B:

    config system sdn-connector

    edit "AZConnector"

    set type azure

    set ha-status enable

    set tenant-id "<tenant_ID>"

    set subscription-id "<subscription ID>"

    set resource-group "<resource group name>"

    set client-id "<client ID>"

    set client-secret <client secret key>

    config nic

    edit "FortiGate-B-NIC1"

    config ip

    edit "ipconfig1"

    set public-ip "FGTAPClusterPublicIP"

    next

    end

    next

    end

    config route-table

    edit "FortiGateDefaultAPRouteTable"

    set subscription-id "XXXXXX"

    config route

    edit "toDefault"

    set next-hop "10.0.2.5"

    next

    end

    next

    end

    end

  • To use FortiGate-VM (BYOL), you need two valid FortiGate-VM licenses. See Order types.

Resources

Upgrade Path Tool

Checking the prerequisites

You will invoke the ARM template on the Azure portal. The following are required for a successful deployment:

  • An Azure account to log into the Azure portal with. If you do not have an Azure account, follow these instructions.
  • An Azure subscription that allows you to purchase the FortiGate-VM and launch in a desired location
  • Availability to accommodate required Azure resources
    • VNet with five subnets (new or existing)
    • Three public IP addresses
      • One for traffic to/through the active (primary) FortiGate-VM
      • Two for management access to each FortiGate-VM
    • All IP addresses should be static, not DHCP.
    • Two FortiGate-VM instances
      • You must deploy the two nodes in the same region and under the same VNet. See Region support.
      • Each FortiGate-VM must have at least four network interfaces. See Instance type support.
      • Decide the FortiGate-VM login username and password. The username cannot be "admin" or "root".
  • IMPORTANT: Before setting up active-passive HA, you must have the Fabric connector configured on each FortiGate node. Without a Fabric connector, the FortiGate-VM cannot make API calls to change the route tables and the elastic IP address during a failover. To configure a Fabric Connector, see Configuring a Fabric connector in Azure.

    Once licensed and rebooted, you can proceed to configure the Azure settings to enable the cluster IP and route table failover.

    By default, FortiOS 6.2 disables HA status for Fabric connectors. As shown in the example configurations, you must enable the HA status and configure the NICs and route tables for HA failover to function.

    If you configured a Fabric connector with an NIC and route table in an earlier FortiOS version, then upgraded to FortiOS 6.2, FortiOS enables that connector's HA status after the upgrade. Otherwise, HA status remains disabled until you enable it.

    The following provides example configurations for the primary and secondary FortiGate-VMs:

    note icon

    FortiOS 6.2.5 and later versions support the subscription-id attribute under config route-table. This attribute allows you to update the route table for a different subscription.

    FortiGate A (Most of this configuration will be specific to your environment and so must be modified):

    config system sdn-connector

    edit "AZConnector"

    set type azure

    set ha-status enable

    set tenant-id "<tenant_ID>"

    set subscription-id "<subscription ID>"

    set resource-group "<resource group name>"

    set client-id "<client ID>"

    set client-secret <client secret key>

    config nic

    edit "FortiGate-A-NIC1"

    config ip

    edit "ipconfig1"

    set public-ip "FGTAPClusterPublicIP"

    next

    end

    next

    end

    config route-table

    edit "FortiGateDefaultAPRouteTable"

    set subscription-id "XXXXXX"

    config route

    edit "toDefault"

    set next-hop "10.0.2.4"

    next

    end

    next

    end

    end

    FortiGate B:

    config system sdn-connector

    edit "AZConnector"

    set type azure

    set ha-status enable

    set tenant-id "<tenant_ID>"

    set subscription-id "<subscription ID>"

    set resource-group "<resource group name>"

    set client-id "<client ID>"

    set client-secret <client secret key>

    config nic

    edit "FortiGate-B-NIC1"

    config ip

    edit "ipconfig1"

    set public-ip "FGTAPClusterPublicIP"

    next

    end

    next

    end

    config route-table

    edit "FortiGateDefaultAPRouteTable"

    set subscription-id "XXXXXX"

    config route

    edit "toDefault"

    set next-hop "10.0.2.5"

    next

    end

    next

    end

    end

  • To use FortiGate-VM (BYOL), you need two valid FortiGate-VM licenses. See Order types.