Checking the prerequisites
You deploy the ARM template from the Azure portal. The following are required for a successful deployment:
- An Azure account to log into the Azure portal with. If you do not have an Azure account, follow these instructions.
- An Azure subscription that allows you to purchase the FortiGate-VM and launch it in the desired location
- Sufficient quota in the subscription to accommodate the required Azure resources
- A VNet with five subnets (new or existing)
- Three public IP addresses:
  - One for traffic to and through the active (primary) FortiGate-VM
  - Two for management access, one per FortiGate-VM
  - All public IP addresses must use static allocation, not dynamic, so that they survive a failover and a VM restart.
- Two FortiGate-VM instances:
  - You must deploy the two nodes in the same region and in the same VNet. See Region support.
  - Each FortiGate-VM must have at least four network interfaces. See Instance type support.
- Decide the FortiGate-VM login username and password. The username cannot be "admin" or "root".
IMPORTANT: Before setting up active-passive HA, you must configure the Fabric connector on each FortiGate node. Without a Fabric connector, the FortiGate-VM cannot make the Azure API calls that move the route table next hops and the cluster public IP address to the surviving node during a failover. The client ID and client secret in the connector belong to a service principal that can rewrite route tables and reassign public IP addresses, so grant it only the role it needs, scoped to the resource group named in the connector. To configure a Fabric connector, see Configuring a Fabric connector in Azure.
Once licensed and rebooted, you can proceed to configure the Azure settings to enable the cluster IP and route table failover.
By default, FortiOS 6.2 disables HA status for Fabric connectors. As shown in the example configurations, you must enable the HA status and configure the NICs and route tables for HA failover to function.
If you configured a Fabric connector with an NIC and route table in an earlier FortiOS version, then upgraded to FortiOS 6.2, FortiOS enables that connector's HA status after the upgrade. Otherwise, HA status remains disabled until you enable it.
The following provides example configurations for the primary and secondary FortiGate-VMs:
FortiOS 6.2.5 and later versions support the subscription-id attribute under config route-table. This attribute allows the connector to update a route table that belongs to a different subscription from the one the connector itself uses.
FortiGate A (most of this configuration is specific to your environment and must be modified accordingly):
config system sdn-connector
    edit "AZConnector"
        set type azure
        set ha-status enable
        set tenant-id "<tenant_ID>"
        set subscription-id "<subscription ID>"
        set resource-group "<resource group name>"
        set client-id "<client ID>"
        set client-secret "<client secret key>"
        config nic
            edit "FortiGate-A-NIC1"
                config ip
                    edit "ipconfig1"
                        set public-ip "FGTAPClusterPublicIP"
                    next
                end
            next
        end
        config route-table
            edit "FortiGateDefaultAPRouteTable"
                set subscription-id "XXXXXX"
                config route
                    edit "toDefault"
                        set next-hop "10.0.2.4"
                    next
                end
            next
        end
end
FortiGate B:
config system sdn-connector
    edit "AZConnector"
        set type azure
        set ha-status enable
        set tenant-id "<tenant_ID>"
        set subscription-id "<subscription ID>"
        set resource-group "<resource group name>"
        set client-id "<client ID>"
        set client-secret "<client secret key>"
        config nic
            edit "FortiGate-B-NIC1"
                config ip
                    edit "ipconfig1"
                        set public-ip "FGTAPClusterPublicIP"
                    next
                end
            next
        end
        config route-table
            edit "FortiGateDefaultAPRouteTable"
                set subscription-id "XXXXXX"
                config route
                    edit "toDefault"
                        set next-hop "10.0.2.5"
                    next
                end
            next
        end
end
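The two configurations above differ in exactly two places: the NIC each node maps to the shared cluster public IP, and the next-hop each node writes into the route table, which must be that node's own port1 address so that the surviving node pulls traffic to itself on failover. A common mistake is to copy FortiGate A's connector to FortiGate B without changing those values. The following script is an added example, not Fortinet code or part of this page: it parses FortiOS CLI text of the form shown above into nested dicts and cross-checks an A/B pair for the properties the failover relies on. The sample configurations it contains are constructed to match the page with the credential lines elided; the port1 private IPs 10.0.2.4 (A) and 10.0.2.5 (B) are assumed values, and the function and variable names are the example's own.

```python
"""Cross-check FortiGate A/B Azure SDN connector configs before enabling HA.
Added example, not Fortinet code: parses FortiOS CLI text into nested dicts and
checks what the failover relies on. The sample configs are constructed to match
the page (credentials elided); the port1 IPs 10.0.2.4/10.0.2.5 are assumed.
"""

def parse_fortios(text):
    """Parse FortiOS CLI (config/edit/set/next/end) into nested dicts."""
    stack = [("config", {})]                # (kind, node); kind is config or edit
    for line in filter(None, map(str.strip, text.splitlines())):
        cmd, _, rest = line.partition(" ")
        if cmd == "config":                 # config <table>
            stack.append(("config", stack[-1][1].setdefault(rest, {})))
        elif cmd == "edit" and len(stack) > 1 and stack[-1][0] == "config":
            stack.append(("edit", stack[-1][1].setdefault(rest.strip('"'), {})))
        elif cmd == "set":                  # set <attribute> <value>
            key, _, value = rest.partition(" ")
            stack[-1][1][key] = value.strip('"')
        elif cmd == "next" and stack[-1][0] == "edit":
            stack.pop()                     # leave the current entry
        elif cmd == "end" and len(stack) > 1:
            while stack[-1][0] == "edit":   # end also closes an open entry, as the CLI does
                stack.pop()
            stack.pop()                     # leave the table
        else:
            raise ValueError("unexpected line: %r" % line)
    if len(stack) != 1:
        raise ValueError("unterminated config/edit block")
    return stack[0][1]

def public_ips(conn):
    # public IP names mapped to the connector's NIC ipconfigs
    return {ip.get("public-ip") for nic in conn.get("nic", {}).values()
            for ip in nic.get("ip", {}).values()}

def route_hops(conn):
    # {route table: {route: next-hop}} that the connector rewrites on failover
    return {rt: {r: v.get("next-hop") for r, v in t.get("route", {}).items()}
            for rt, t in conn.get("route-table", {}).items()}

def check_ha_pair(cfg_a, cfg_b, port1_ips, name="AZConnector"):
    """Findings for an A/B pair; an empty list means the configs are consistent."""
    findings, conns = [], {}
    for label, cfg in (("A", cfg_a), ("B", cfg_b)):
        conn = cfg.get("system sdn-connector", {}).get(name)
        if conn is None:
            findings.append(f"{label}: connector {name} missing")
            continue
        conns[label] = conn
        if conn.get("ha-status") != "enable":
            findings.append(f"{label}: ha-status not enabled (FortiOS 6.2 default is disable)")
        for rt, routes in route_hops(conn).items():   # each node points routes at itself
            for r, hop in routes.items():
                if hop != port1_ips[label]:
                    findings.append(f"{label}: {rt}/{r} next-hop {hop} is not its own port1 IP")
    if len(conns) < 2:
        return findings
    a, b = conns["A"], conns["B"]
    if public_ips(a) != public_ips(b):              # the one public IP that moves on failover
        findings.append(f"cluster public IP differs: {public_ips(a)} vs {public_ips(b)}")
    if set(a.get("nic", {})) & set(b.get("nic", {})):
        findings.append("both nodes map the same NIC name; each must map its own NIC")
    hops_a, hops_b = route_hops(a), route_hops(b)
    if set(hops_a) != set(hops_b):
        findings.append(f"managed route tables differ: {set(hops_a)} vs {set(hops_b)}")
    for rt in set(hops_a) & set(hops_b):
        for r in set(hops_a[rt]) & set(hops_b[rt]):
            if hops_a[rt][r] == hops_b[rt][r]:
                findings.append(f"{rt}/{r}: both nodes set next-hop {hops_a[rt][r]}; "
                                "each node must point the route at itself")
    return findings

def sample_config(nic, next_hop):
    # constructed config in the shape of the page's FortiGate A/B examples
    return f'''config system sdn-connector
    edit "AZConnector"
        set ha-status enable
        config nic
            edit "{nic}"
                config ip
                    edit "ipconfig1"
                        set public-ip "FGTAPClusterPublicIP"
                    next
                end
            next
        end
        config route-table
            edit "FortiGateDefaultAPRouteTable"
                config route
                    edit "toDefault"
                        set next-hop "{next_hop}"
                    next
                end
            next
        end
end'''

FGT_A = sample_config("FortiGate-A-NIC1", "10.0.2.4")
FGT_B = sample_config("FortiGate-B-NIC1", "10.0.2.5")
PORT1 = {"A": "10.0.2.4", "B": "10.0.2.5"}   # assumed port1 private IPs of A and B
```

Running `check_ha_pair(parse_fortios(FGT_A), parse_fortios(FGT_B), PORT1)` on the matched pair returns no findings; feeding FortiGate A's text in for both nodes reports the shared NIC name, the identical next-hop, and that node B's next-hop is not its own port1 address, which is exactly the state that leaves the route table pointing at the failed node after a failover. The parser also accepts the page's own configurations above, including their closing `end` without a preceding `next`, because `end` closes an open entry the way the FortiOS CLI does.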
To use FortiGate-VM (BYOL), you also need two valid FortiGate-VM licenses, one per node. See Order types.