Cybersecurity Forum


EricBocl
New Contributor

Routing to 2 Fortigate VM in Azure for outbound connections

We have 2 Fortigate VM in Azure.

They are stand alone. The Azure load balancer makes the "HA" for inbound connections.

We want to route our subnets in Azure to both Fortigate for outbound connections.

We can do it to one Fortigate at a time, but in case it is down...

How can we route to both Fortigate the 0 route dynamically?

We tried to add an Azure load balancer and chose the internal NIC of the Fortigate, but it is not visible.

I saw in a doc that we can add an Ubuntu VM and a script.

Is there another secure way to do it?

2 REPLIES
oholecek_FTNT
Community Manager

Hi Eric,

This is not the authoritative answer, but I tried to set up a similar scenario and came to the conclusion that it is not possible - broadcast and multicast are not supported in Azure, which means that protocols like VRRP or FGCP cannot be used. Some other solutions that I have seen utilize the Azure API directly to change the Azure routing table and IP assignment after failover, which FortiGate cannot do AFAIK.

Regarding the LB idea: You should be able to create a new private Load balancer and use the FGTs as backend servers, but that's probably not what you want, because it is not a generic router but rather port forwarder where you need to configure specific ports manually.

As far as I know, the only solution is another VM checking FortiGates periodically and reconfiguring Azure appropriately.

MartTwom
Staff

Hi Eric,

Azure doesn't provide a mechanism from within a Virtual Network to provide more than a single user defined route to any given destination. And, as Ondrej mentioned, VRRP or other first hop redundancy is not possible.

There are some designs where using the Azure load balancer might work (assuming you don't need it on the outside as you can only use it on the primary interfaces), but also as Ondrej already said, it's not a router and needs config per IP and port at layer 4.

So, within a VNet, some programmatic solution is necessary to provide redundancy. A sample shell script is attached to this post:
https://fusecommunity.fortinet.com/p/fo/st/thread=2787

You could accomplish the same thing from PowerShell, and something similar with PowerShell and an Azure automation account.

Another option is to give up on intra-VNet routing, and move to a design where each VNet is its own security zone and is connected to FortiGates in a hub type VNet via IPSec. The reason for doing this is that if you have an IPSec tunnel to an Azure VPN Gateway, you can configure BGP for dynamic route advertisement, and if you're advertising BGP routes, you can advertise 2 (or more) paths to the same network.

See here:

https://azure.microsoft.com/en-us/documentation/articles/vpn-gateway-bgp-overview/

Also, attached is a diagram of a three-tier web app using this type of design.
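A constructed watcher in the spirit of the "VM checking FortiGates periodically and reconfiguring Azure" approach both replies describe (an added example, not the script attached to the thread; the FortiGate IPs, resource group, route table and route names are made up, and it assumes a logged-in Azure CLI on the probe VM):

```sh
#!/bin/sh
# Added example, not the thread's attachment. A probe VM runs this to keep the
# 0.0.0.0/0 user-defined route of a spoke route table pointed at a FortiGate that
# still answers. All names/IPs below are constructed; "az" must be logged in.
FGT_A="${FGT_A:-10.0.1.4}"
FGT_B="${FGT_B:-10.0.1.5}"
RG="${RG:-rg-hub}"
ROUTE_TABLE="${ROUTE_TABLE:-udr-spoke}"
ROUTE_NAME="${ROUTE_NAME:-default-via-fgt}"
INTERVAL="${INTERVAL:-10}"
# is_alive <ip>: one ICMP probe, 2 s timeout (Linux iputils ping). Swap in a TCP
# check if ICMP is filtered on the FortiGate internal interface.
is_alive() { ping -c 1 -W 2 "$1" >/dev/null 2>&1; }
# pick_next_hop <current> <a> <b>: print the IP the route should use. Keep the
# current hop while it answers (no flapping); fail when both units are down.
pick_next_hop() {
  cur="$1"; a="$2"; b="$3"
  if [ "$cur" = "$a" ] || [ "$cur" = "$b" ]; then
    if is_alive "$cur"; then echo "$cur"; return 0; fi
    other="$a"; [ "$cur" = "$a" ] && other="$b"
    if is_alive "$other"; then echo "$other"; return 0; fi
    return 1
  fi
  # Route points at neither unit (first run or manual edit): prefer A.
  if is_alive "$a"; then echo "$a"; return 0; fi
  if is_alive "$b"; then echo "$b"; return 0; fi
  return 1
}
current_next_hop() {
  az network route-table route show -g "$RG" --route-table-name "$ROUTE_TABLE" \
    -n "$ROUTE_NAME" --query nextHopIpAddress -o tsv
}
set_next_hop() {
  az network route-table route update -g "$RG" --route-table-name "$ROUTE_TABLE" \
    -n "$ROUTE_NAME" --address-prefix 0.0.0.0/0 \
    --next-hop-type VirtualAppliance --next-hop-ip-address "$1" >/dev/null
}
watch_loop() {
  while :; do
    cur="$(current_next_hop 2>/dev/null || true)"
    if want="$(pick_next_hop "$cur" "$FGT_A" "$FGT_B")"; then
      if [ "$want" != "$cur" ]; then echo "failover: $cur -> $want"; set_next_hop "$want"; fi
    else
      echo "both FortiGates unreachable, leaving route at ${cur:-?}" >&2
    fi
    sleep "$INTERVAL"
  done
}
# Only loop when asked to, so the file can also be sourced for its functions.
if [ "${WATCH:-0}" = "1" ]; then watch_loop; fi
```

Run it as `WATCH=1 sh watcher.sh` under a service manager on the probe VM; the route is only rewritten when the current next hop stops answering and the other unit does, so a flapping probe cannot ping-pong the route.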