Skip to main content
Pedro_FTNT
Staff
Pedro_FTNT
Staff
July 28, 2025

Technical Tip: How to guarantee that all elastic IP addresses (primary and secondary) migrate correctly when a failover is performed on a FortiGate cluster in AWS.

  • July 28, 2025
  • 0 replies
  • 667 views

 

Description This article describes how to guarantee that all elastic IP addresses (primary and secondary) migrate correctly when a failover is performed on a FortiGate cluster in AWS.
Scope FortiGate.
Solution
  1. Introduction: FortiGate SDN Connector (supported natively by FortiOS).
  2. Overview of Alternatives:
 
|    | Solution                              | Pros                                                    | Cons                                                |
|---|---------------------------------|----------------------------------------------|-------------------------------------------|
| 1 | SDN Connector                    | • Fortinet‑native, no extra services         | • Requires FortiOS ≥6.4                    |
|    |                                           | • Moves EIPs and routes automatically   | • Needs IAM role with broad perms    |
 
  1. Detailed Implementation Plans:
 
Prerequisites
  • FortiOS upper v6.4 under Fabric → Connectors → Public Cloud.
  • Active Support entitlement: BYOL (Bring Your Own License) or PAYG (Pay As You Go), including SDN connector features.
  • IAM role attached to both instances with the following minimum actions:  
 
"Describe*", "AssociateAddress", "DisassociateAddress", "ModifyNetworkInterfaceAttribute", "CreateRoute", "ReplaceRoute", "AssignPrivateIpAddresses", "UnassignPrivateIpAddresses", "DescribeCluster", "ListClusters", "BatchGetResourceConfig".
 
  • HA pair deployed in different Availability Zones using 'stand‑alone config‑sync' (interfaces and routes are not synchronized).
 
Step‑by‑Step:
  1. Confirm FortiOS version.  
 
get system status | grep Version
 
  1. Attach/validate IAM role: Use AWS Console under  EC2 → Actions → Security → Modify IAM Role.
  2. Create the SDN Connector (CLI).  
   
config system sdn-connector
    edit "aws-ha"
    set type was
    set use-metadata-iam enable     <----- Rely on instance profile.
    set update-interval 30          <----- Poll every 30 s.
    set update-elastic-ip enable    <----- Move ALL EIPs.
    set update-route enable         <----- Flip routes to new ENI.
next
end
 
  1. Verify discovery.
  
diagnose sys sdn-connector list
 
Ensure all ENIs (Elastic Network Interface) and EIPs (Elastic IP Address) appear.
 
  1. Adjust HA settings.  
   
config system ha
    set unicast-hb enable
    set standalone-config-sync disable
end
   
  1. Functional test in the laboratory.
  • Force fail‑over: 
   
diagnose system ha reset‑uptime.   
   
  • Run 'aws ec2 describe-addresses' to confirm re-association in 30 s.  
  • Generate external traffic to each EIP to verify continuity.
 
  1. Enable logging/monitoring: FortiOS Event Log filter: "message_id=0100042005"
  2. Production rollout: Schedule a maintenance window; repeat the validation; monitor.
  3. Rollback Procedure.
 
config system sdn-connector
    edit "aws-ha"
        set update-elastic-ip disable
        set update-route disable
      next
  end
 
  • Re-associate EIPs manually if needed:
"aws ec2 associate-address --allocation-id eipalloc-xxxx --network-interface-id eni-yyyy"
 
Related articles:

 

Terms & ConditionsAccessibility statement