Fortinet Document Library

Azure Cookbook

6.2.0

Reviewing the network topology

The diagram below shows the FortiGate-VM HA topology with the recommended four interfaces. FortiGate Node-A has interface private IP addresses ending with .4, while FortiGate Node-B's end with .5. Replace the subnets and IP addresses with your own.

A recommended installation requires four network interfaces per FortiGate-VM node. In addition to the inbound and outbound data interfaces, this configuration uses two interfaces for internal operations (heartbeat and management). Choose Azure VM instance sizes that support four network interfaces. The table below outlines each port's usage.

| Port | Description |
|---|---|
| Port1 | External data interface on the public network-facing side, 10.0.1.0/24. A public IP address (1.1.1.1) is associated with the active node's private IP address. FortiGate performs NAT for inbound and outbound traffic. |
| Port2 | Internal data traffic interface on the protected network-facing side, 10.0.2.0/24. UDRs for networks behind the firewalls point to the active node's Port2 IP address. |
| Port3 | Used for the heartbeat between the two FortiGate nodes on 10.0.3.0/24. Heartbeat traffic is unicast. This heartbeat interface is assigned to its own dedicated hbdev VDOM and cannot be used for any other purpose. |
| Port4 | Dedicated management interface on subnet 10.0.4.0/24. Each FortiGate has its own management public IP (2.2.2.2 for FortiGate A, 3.3.3.3 for FortiGate B) so that you can reach it over the Internet for management, such as logging in via SSH or the GUI and making configuration changes. If the heartbeat fails, the passive firewall needs this dedicated port to communicate with Azure and issue failover-related commands. This port should always be available, regardless of node status (active or passive), except when the node is unexpectedly down. |

Note: These port numbers are specified in the ARM deployment template. You can edit the template and change the port assignment, but keeping them unchanged is recommended to avoid mistakes.
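The invariants in the port table (four NICs per node on four distinct subnets, the public IP associated with the active node's Port1 address, UDRs for protected networks pointing at the active node's Port2 address, distinct management IPs per node) can be checked before a deployment goes live. The following is an added example, not Fortinet's code or part of the ARM template: it models the topology with the sample addresses from this page, validates it, and simulates the Azure-side changes a newly active node requests after a failover. The node and field names are illustrative assumptions.

```python
"""Added example (not Fortinet's code): model the four-interface FortiGate-VM HA
topology described on this page, check the Azure-side invariants it lists, and
simulate the public-IP and UDR moves that happen on failover."""
import ipaddress
from dataclasses import dataclass

# Subnets exactly as listed in the port table; replace with your own.
PORT_SUBNETS = {
    "port1": ipaddress.ip_network("10.0.1.0/24"),  # external data interface
    "port2": ipaddress.ip_network("10.0.2.0/24"),  # internal data interface
    "port3": ipaddress.ip_network("10.0.3.0/24"),  # unicast heartbeat
    "port4": ipaddress.ip_network("10.0.4.0/24"),  # dedicated management
}


@dataclass
class Node:
    name: str
    nics: dict           # port name -> private IPv4 address (string)
    mgmt_public_ip: str  # public IP bound to port4 for management


@dataclass
class Topology:
    nodes: dict            # node name -> Node
    active: str            # name of the currently active node
    data_public_ip: str    # public IP fronting port1 of the active node
    public_ip_target: str  # private IP the data public IP is associated with
    udr_next_hop: str      # next hop used by UDRs for protected networks


def check_topology(t):
    """Return a list of violations; an empty list means the layout matches the page."""
    problems = []
    if len(t.nodes) != 2:
        problems.append("HA pair must have exactly two nodes")
    if t.active not in t.nodes:
        problems.append(f"active node {t.active!r} is not part of the pair")
        return problems
    for node in t.nodes.values():
        missing = set(PORT_SUBNETS) - set(node.nics)
        if missing:
            problems.append(f"{node.name}: missing NICs {sorted(missing)}")
            continue
        for port, subnet in PORT_SUBNETS.items():
            if ipaddress.ip_address(node.nics[port]) not in subnet:
                problems.append(f"{node.name}: {port} {node.nics[port]} is not in {subnet}")
    # Private addresses must be unique across the pair, as must management IPs.
    privates = [ip for n in t.nodes.values() for ip in n.nics.values()]
    if len(set(privates)) != len(privates):
        problems.append("duplicate private IP address across the pair")
    mgmt = [n.mgmt_public_ip for n in t.nodes.values()]
    if len(set(mgmt)) != len(mgmt):
        problems.append("management public IPs must be distinct per node")
    # The public IP and the UDR next hop must both follow the active node.
    active = t.nodes[t.active]
    if t.public_ip_target != active.nics.get("port1"):
        problems.append(f"public IP {t.data_public_ip} must be associated with "
                        f"active port1 {active.nics.get('port1')}, got {t.public_ip_target}")
    if t.udr_next_hop != active.nics.get("port2"):
        problems.append(f"UDR next hop must be active port2 {active.nics.get('port2')}, "
                        f"got {t.udr_next_hop}")
    return problems


def failover(t):
    """Promote the passive node: the changes the new active node asks Azure for
    over its port4 management interface (public IP re-association, UDR update)."""
    new_active = next(name for name in t.nodes if name != t.active)
    t.active = new_active
    t.public_ip_target = t.nodes[new_active].nics["port1"]
    t.udr_next_hop = t.nodes[new_active].nics["port2"]
    return t


def example_topology():
    """Constructed sample using the addresses from this page (Node-A ends .4, Node-B .5)."""
    a = Node("FortiGate-A",
             {"port1": "10.0.1.4", "port2": "10.0.2.4", "port3": "10.0.3.4", "port4": "10.0.4.4"},
             "2.2.2.2")
    b = Node("FortiGate-B",
             {"port1": "10.0.1.5", "port2": "10.0.2.5", "port3": "10.0.3.5", "port4": "10.0.4.5"},
             "3.3.3.3")
    return Topology({a.name: a, b.name: b}, active="FortiGate-A",
                    data_public_ip="1.1.1.1", public_ip_target="10.0.1.4",
                    udr_next_hop="10.0.2.4")


if __name__ == "__main__":
    topo = example_topology()
    print("before failover:", check_topology(topo) or "OK")
    failover(topo)
    print("after failover to", topo.active + ":", check_topology(topo) or "OK")
```

The same checker run against a topology after a real failover catches the most common stale-state problem: a UDR still pointing at the former active node's Port2 address, which would silently blackhole traffic from the protected networks.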
