Technical Tip: Configuring SNAT with IP Pools in an Active-Passive FortiGate-VM HA Setup on AWS Across Multiple Zones
| Description | This article explains how to configure SNAT using an IP pool in an active-passive FortiGate-VM high availability (HA) setup on AWS across multiple zones. |
| Scope | FortiGate VM in AWS. |
| Solution | This article outlines the configuration of IP pools for Source NAT (SNAT) when deploying FortiGate-VM in an Active-Passive HA setup across multiple Availability Zones within the same AWS VPC. |
In this architecture, the Elastic Public IP is initially associated with the primary FortiGate instance (FortiGate A) on Port1. During a failover event, this Elastic IP is automatically reattached to the secondary FortiGate instance, ensuring uninterrupted access. To facilitate independent management of each FortiGate instance, additional Elastic IPs can be allocated to their respective management interfaces.
For detailed guidance on configuring FortiGate in an Active-Passive HA deployment across multiple AWS Availability Zones, please refer to the associated reference documentation.
Below are the steps required for SNAT IP Pool configuration.
Step 1: VDOM exceptions

Create the following VDOM exceptions. An object type listed as a VDOM exception is not synchronized between the primary and secondary units when the HA cluster forms, which lets each unit keep the interface addresses, static routes, VIPs and IP pools that belong to its own Availability Zone.

```
config system vdom-exception
    edit 1
        set object system.interface
    next
    edit 2
        set object router.static
    next
    edit 3
        set object firewall.vip
    next
    edit 4
        set object firewall.ippool
    next
end
```

Step 2: Per-unit objects

Configure the objects that are not going to sync between the primary and secondary units (system interfaces, static routes, VIP objects, firewall IP pools, etc.), as listed in the VDOM exceptions above. Each unit sits in its own subnets, so the interface addresses, pool addresses and gateways differ between Firewall A and Firewall B.

Configure the interfaces on Firewall A:

```
config system interface
    edit "port1"
        set vdom "root"
        set ip 10.0.10.11 255.255.255.0
        set alias "public"
    next
    edit "port2"
        set vdom "root"
        set ip 10.0.11.11 255.255.255.0
        set alias "private"
    next
    edit "port3"
        set vdom "root"
        set ip 10.0.12.11 255.255.255.0
        set alias "hasync"
    next
    edit "port4"
        set vdom "root"
        set ip 10.0.13.11 255.255.255.0
        set alias "hamgmt"
    next
end
```

Configure the interfaces on Firewall B:

```
config system interface
    edit "port1"
        set vdom "root"
        set ip 10.0.20.11 255.255.255.0
        set alias "public"
        set mtu 9001
    next
    edit "port2"
        set vdom "root"
        set ip 10.0.21.11 255.255.255.0
        set alias "private"
    next
    edit "port3"
        set vdom "root"
        set ip 10.0.22.11 255.255.255.0
        set alias "hasync"
    next
    edit "port4"
        set vdom "root"
        set ip 10.0.23.11 255.255.255.0
        set alias "hamgmt"
    next
end
```

Configure the IP pools on Firewall A. The pool addresses are taken from that unit's port1 (public) subnet; on AWS they must also be present on the port1 ENI as secondary private IPs so that the VPC delivers return traffic to the instance.

```
config firewall ippool
    edit "ippool-1"
        set startip 10.0.10.12
        set endip 10.0.10.12
    next
    edit "ippool-2"
        set startip 10.0.10.13
        set endip 10.0.10.20
    next
end
```

Configure the IP pools on Firewall B, using addresses from its own port1 subnet:

```
config firewall ippool
    edit "ippool-1"
        set startip 10.0.20.12
        set endip 10.0.20.12
    next
    edit "ippool-2"
        set startip 10.0.20.13
        set endip 10.0.20.13
    next
end
```

Configure the static routes on Firewall A:

```
config router static
    edit 1
        set gateway 10.0.10.1
        set device "port1"
    next
    edit 2
        set dst 10.0.0.0 255.0.0.0
        set gateway 10.0.11.1
        set device "port2"
    next
end
```

Configure the static routes on Firewall B:

```
config router static
    edit 1
        set gateway 10.0.20.1
        set device "port1"
    next
    edit 2
        set dst 10.0.0.0 255.0.0.0
        set gateway 10.0.21.1
        set device "port2"
    next
end
```

Step 3: Firewall policy

Configure the firewall policy that references the IP pool. The firewall policy is synchronized between Firewall A and Firewall B, so the pool name must be identical on both units: the synced policy calls the pool by name, and each unit then resolves that name to its own local addresses. The `LAN1` address object referenced below must already exist, and the policy `uuid` is assigned automatically when the policy is created and does not need to be set.

```
config firewall policy
    edit 1
        set name "INTERNET POLICY-1"
        set srcintf "port2"
        set dstintf "port1"
        set action accept
        set srcaddr "LAN1"
        set dstaddr "all"
        set service "ALL"
        set nat enable
        set ippool enable
        set poolname "ippool-1"
    next
    edit 2
        set name "INTERNET POLICY-2"
        set srcintf "port2"
        set dstintf "port1"
        set action accept
        set srcaddr "all"
        set dstaddr "all"
        set service "ALL"
        set nat enable
        set ippool enable
        set poolname "ippool-1"
    next
end
```
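As an added consistency check, not part of this article or of FortiOS, the script below parses the Firewall A and Firewall B configurations and verifies the two conditions the steps above rely on: the pool names match on both units (the synced policy references them by name), and each unit's pool addresses fall inside its own port1 subnet (otherwise the pool was synced from the other AZ because `firewall.ippool` is missing from the VDOM exceptions). The sample configs are constructed from the values in this article; `parse_fortios` and `audit_snat_pools` are names chosen for this example.

```python
import ipaddress
# Constructed config excerpts modelled on the article's Firewall A / Firewall B (not from a live device).
TEMPLATE = """config system interface
edit "port1"
set ip 10.0.{n}.11 255.255.255.0
next
end
config firewall ippool
edit "ippool-1"
set startip 10.0.{n}.12
set endip 10.0.{n}.12
next
edit "ippool-2"
set startip 10.0.{n}.13
set endip 10.0.{n}.{last}
next
end"""
FW_A = TEMPLATE.format(n=10, last=20)  # Firewall A: port1 subnet 10.0.10.0/24
FW_B = TEMPLATE.format(n=20, last=13)  # Firewall B: port1 subnet 10.0.20.0/24

def parse_fortios(text):
    """Minimal parser for flat FortiOS config/edit/set/next/end blocks -> {table: {entry: {key: value}}}."""
    tables, table, entry = {}, None, None
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith("config "):
            table = tables.setdefault(line[7:], {})
        elif line.startswith("edit "):
            entry = table.setdefault(line[5:].strip('"'), {})
        elif line.startswith("set ") and entry is not None:
            key, _, value = line[4:].partition(" ")
            entry[key] = value.strip('"')
        elif line == "next":
            entry = None
        elif line == "end":
            table = None
    return tables

def audit_snat_pools(cfg_a, cfg_b, port="port1"):
    """Findings for an A/B pair (empty = consistent): pool names must match, since the synced policy calls
    them by name, and each node's pool addresses must lie in its own port1 subnet (its ENI's AZ)."""
    findings, pools_a, pools_b = [], cfg_a.get("firewall ippool", {}), cfg_b.get("firewall ippool", {})
    for name in sorted(pools_a.keys() ^ pools_b.keys()):
        findings.append(f"pool {name} is defined on only one node")
    for label, cfg, pools in (("A", cfg_a, pools_a), ("B", cfg_b, pools_b)):
        subnet = ipaddress.ip_network("/".join(cfg["system interface"][port]["ip"].split()), strict=False)
        for name, pool in pools.items():
            start, end = ipaddress.ip_address(pool["startip"]), ipaddress.ip_address(pool["endip"])
            if start not in subnet or end not in subnet:
                findings.append(f"{label}/{name}: {start}-{end} is outside {port} subnet {subnet}")
    return findings
```

Running `audit_snat_pools(parse_fortios(FW_A), parse_fortios(FW_B))` returns an empty list; feeding a Firewall B config whose pools carry Firewall A's 10.0.10.x addresses flags both pools as outside the port1 subnet, and a pool renamed on one unit only is reported as defined on a single node.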
