j_hodges
New Member
February 23, 2022
Question

Security Fabric Connection with Active/Passive HA


I am using the Active/Passive template from https://github.com/fortinet/azure-templates/tree/main/FortiGate/Active-Passive-ELB-ILB


The diagram below illustrates the setup, which I have in three different Azure regions. The primary region is set up as the fabric root, but the other FortiGate clusters cannot connect to the root via the internal load balancer (.68 in the diagram below). If I use .69 this works until the B firewall becomes active, and then I need to manually change this to .70 on the downstream FortiGates. How can I set up the downstream FortiGates to use the ILB address (.68)?

[Diagram: fgt-ap]


3 replies

New Contributor III
February 25, 2022

Hello @j_hodges ,


Thanks for posting to Fortinet Community Forums. We appreciate your patience.
We will soon have someone helping you with this query.


akristof
Staff
February 25, 2022

Hello,


Thank you for your question. I am not entirely sure what I am looking at. If I understand correctly, the FortiGates with IPs .69 and .70 are the primary and secondary devices of one cluster, correct? If this is correct, what kind of interfaces have the .69 and .70 IPs? Normal LAN interfaces or HA out-of-band management interfaces? Because if these interfaces are normal LAN interfaces, only the interface on the primary device is active and can manage the fabric.

Another question: this load balancer is an Azure load balancer that is load-balancing traffic from the .68 IP address to .69 and .70. Is this load balancer also doing DNAT? Maybe I am missing something, but I don't understand the need for a load balancer as the cluster is working in Active-Passive.

j_hodges (Author)
New Member
February 28, 2022

Thanks for your response @akristof. As I mentioned, this topology is supplied by Fortinet at https://github.com/fortinet/azure-templates/tree/main/FortiGate/Active-Passive-ELB-ILB. It's also documented at https://docs.fortinet.com/document/fortigate-public-cloud/7.0.0/azure-administration-guide/983245/ha-for-fortigate-vm-on-azure


To answer your question, .69 and .70 are internal (LAN) interfaces. The Azure load balancer is required in this setup, as described at https://docs.microsoft.com/en-us/azure/architecture/reference-architectures/dmz/nva-ha. In summary, this is how Azure implements Active/Passive for Network Virtual Appliances (NVAs).


In theory I should be able to use .68 as the fabric connection target in the downstream FortiGates. The Azure Load Balancer will simply send it to the active FortiGate. For a reason I can't explain, the FortiGate ignores the connection.

akristof
Staff
February 28, 2022

Hi,


Thanks for the reply. In that case I will let anyone else reply who has more experience with Azure deployments.

bwebb
New Member
June 28, 2023

@j_hodges were you able to get this figured out?


Blake