Hello team,
The attached file has the steps to show how to deploy a Hot Standby FortiGate HA in AWS using a CloudFormation template. A simplistic diagram is also attached to visualize what is being deployed.
Since there is no access to Layer 2 in AWS, a workaround needs to be in place to have automated High Availability in HA.
- The CloudFormation template assumes that the account that is deploying this has a Route53 domain name. This is needed to access the active firewall using a DNS name.
- There is a t2.micro AWS instance (Worker Node) that gets created with the stack. This is where the python script to monitor the active firewall is run from.
- If the primary FortiGate becomes unavailable, the required AWS API calls are made to disassociate the subnets from the Primary Firewall's Route Table and associate them to the Backup Firewall's Route Table. Once this is done, a continuous check is done to see if the Primary instance comes back up. Once it is back up, all the subnet associations are made back to the Primary Firewall's Route Table.
- (Optional) The Worker Node can also be made part of an AutoScaling Group.
- (Optional) The Worker node can be run from any server anywhere as long as it has AWS CLI tools and python loaded on it.
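As an added example (not the worker-node script shipped with the attached template), here is the route-table swap and the fail-over / fail-back loop described above, written against the boto3 EC2 client method names. The `FakeEC2` class, the `rtb-primary` / `subnet-a` style IDs and the pre-recorded health probes are constructed stand-ins so it runs offline; in production the probe would be a live check of the active FortiGate and `ec2` would be `boto3.client("ec2")`.

```python
# Added example, not the worker-node script from the attached template: the route-table
# swap and the fail-over / fail-back loop, written against boto3 EC2 client method names.
# Pass `ec2 = boto3.client("ec2")` in production; FakeEC2 below is a constructed stand-in.

def move_subnets(ec2, src_rtb, dst_rtb):
    """Re-point every explicit subnet association on src_rtb at dst_rtb.
    The main (implicit) association is skipped. Returns the subnet IDs moved."""
    rtb = ec2.describe_route_tables(RouteTableIds=[src_rtb])["RouteTables"][0]
    moved = []
    for assoc in rtb.get("Associations", []):
        if assoc.get("Main") or not assoc.get("SubnetId"):
            continue
        ec2.disassociate_route_table(AssociationId=assoc["RouteTableAssociationId"])
        ec2.associate_route_table(RouteTableId=dst_rtb, SubnetId=assoc["SubnetId"])
        moved.append(assoc["SubnetId"])
    return moved

def monitor(ec2, primary_rtb, backup_rtb, health_checks, fail_threshold=3):
    """health_checks yields True when the primary FortiGate answers its probe. Fail over
    after fail_threshold consecutive misses (one lost probe should not flip routing) and
    fail back on the first good probe once on the backup. Returns (event, subnets) tuples."""
    active, misses, events = "primary", 0, []
    for healthy in health_checks:
        misses = 0 if healthy else misses + 1
        if active == "primary" and misses >= fail_threshold:
            events.append(("failover", move_subnets(ec2, primary_rtb, backup_rtb)))
            active = "backup"
        elif active == "backup" and healthy:
            events.append(("failback", move_subnets(ec2, backup_rtb, primary_rtb)))
            active = "primary"
    return events

class FakeEC2:
    """In-memory stand-in for the three EC2 calls used above (constructed for offline runs)."""
    def __init__(self, assoc):            # {route_table_id: [subnet_id, ...]}
        self.assoc = {k: list(v) for k, v in assoc.items()}
    def describe_route_tables(self, RouteTableIds):
        return {"RouteTables": [{"RouteTableId": r, "Associations": [
            {"RouteTableAssociationId": f"{r}|{s}", "SubnetId": s, "Main": False}
            for s in self.assoc.get(r, [])]} for r in RouteTableIds]}
    def disassociate_route_table(self, AssociationId):
        rtb, subnet = AssociationId.split("|")
        self.assoc[rtb].remove(subnet)
    def associate_route_table(self, RouteTableId, SubnetId):
        self.assoc.setdefault(RouteTableId, []).append(SubnetId)
        return {"AssociationId": f"{RouteTableId}|{SubnetId}"}

if __name__ == "__main__":
    ec2 = FakeEC2({"rtb-primary": ["subnet-a", "subnet-b"], "rtb-backup": []})
    print(monitor(ec2, "rtb-primary", "rtb-backup", [True, False, False, False, True]))
```

The worker node needs an IAM role limited to `ec2:DescribeRouteTables`, `ec2:DisassociateRouteTable` and `ec2:AssociateRouteTable` on the two route tables; anything broader turns a compromised t2.micro into a way to re-route the whole VPC.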
Hi,
Thanks for the document. I do understand that this solution is targeted at providing HA within a VPC (e.g. providing redundancy between separate AZs). However, will this solution also work within an AZ, e.g. Route 53 redirecting traffic to 2 FortiGates in a single AZ? As another alternative HA solution, do we support running VRRP and session sync between two FGs in the same AZ? Thanks.
Same questions as what Ker Ming Chooi asked?
Copyright 2024 Fortinet, Inc. All Rights Reserved.