Created on 02-20-2024 12:00 AM
Edited on 04-22-2025 01:02 AM
By Jean-Philippe_P
Description
This article describes how to configure the FortiAnalyzer HA instance in the Google Cloud Platform (GCP).
Scope
FortiAnalyzer-VM for GCP.
Important note:
- Ensure the user has Google Cloud platform accounts, projects, and permissions to the resources.
- All FortiAnalyzer HA instances must be in the Google Cloud Platform (GCP).
- All FortiAnalyzer HA instances must be in the same Firmware version.
- All FortiAnalyzer HA instances must be running in the same Region; they may be in the same or different Zones, as in the example below.
FortiAnalyzer HA instance | Region / Zone
faz-a-vm | asia-southeast1-a
faz-b-vm | asia-southeast1-a
faz-c-vm | asia-southeast1-b
- The external IP address will be used as the Virtual IP address for the HA cluster.
- FortiAnalyzer v7.4.2 will be used as an example throughout this article.
Solution
Google Cloud Platform (GCP):
- Proceed to deploy all FortiAnalyzer-VM instances by referring to the following document: About FortiAnalyzer for GCP.
- Make sure all FortiAnalyzer-VM instances have Cloud API access for Compute Engine set to Read Write:
GCP Portal -> Compute Engine -> VM instances -> Select the VM instance -> Details -> Edit -> Cloud API access -> Compute Engine -> Read Write -> Save.
Note:
Cloud API access can only be changed while the VM instance is stopped.
- Make sure the GCP VPC subnet used by all FortiAnalyzer-VM instances has Private Google Access enabled:
GCP Portal -> VPC network -> Select the subnet -> Edit -> Turn on Private Google Access -> Save.
- Make sure the GCP network firewall allows the required protocols and ports between all FortiAnalyzer-VM instances. The following firewall rules are required to establish an HA cluster:
GCP Firewall Policy | Description
protocol 112 | For HA keepalive / VRRP
tcp 514 | For initial log sync
tcp 5199 | For configuration sync
GCP Portal -> VPC network -> Select the network -> Firewall -> Edit/Add Firewall rule -> Save/Create.
Note:
Ensure the firewall rule target is set correctly (the FortiAnalyzer-VM instances).
- Next, make sure the Virtual IP is a static IP address: GCP Portal -> VPC network -> IP addresses -> select the Virtual IP -> select Promote to static IP address.
Note:
If the External IP is used as the Virtual IP, as in this example, the network tier must be Premium.
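The GCP-side steps above done from the gcloud CLI instead of the console, as an added example that is not part of the original article: the project, network, subnet, tag, service-account and instance names are assumed placeholders, and DRY_RUN=1 (the default) only prints the commands. The firewall rule is scoped to a network tag on both source and target so the HA ports are reachable only between cluster members.

```shell
#!/bin/sh
# Added example (not from the original article): the GCP-side prerequisites
# above as gcloud commands. All names here are assumed placeholders.
FAZ_PROJECT="${FAZ_PROJECT:-my-faz-project}"; FAZ_NETWORK="${FAZ_NETWORK:-faz-vpc}"
FAZ_SUBNET="${FAZ_SUBNET:-faz-subnet}"; FAZ_REGION="${FAZ_REGION:-asia-southeast1}"
FAZ_TAG="${FAZ_TAG:-faz-ha}"   # network tag carried by every FAZ HA instance
FAZ_SA="${FAZ_SA:-faz-sa@my-faz-project.iam.gserviceaccount.com}"
DRY_RUN="${DRY_RUN:-1}"        # 1 = print the gcloud commands, 0 = execute them
run() { if [ "$DRY_RUN" = "1" ]; then echo "$*"; else "$@"; fi; }

# 1. Firewall: only the HA protocols from the table above (112 = VRRP keepalive,
#    tcp/514 log sync, tcp/5199 config sync), and only between instances that
#    carry the HA tag as source and target, so nothing is opened to 0.0.0.0/0.
faz_ha_firewall() {
  run gcloud compute firewall-rules create faz-ha-allow \
    --project "$FAZ_PROJECT" --network "$FAZ_NETWORK" --direction INGRESS \
    --allow 112,tcp:514,tcp:5199 --source-tags "$FAZ_TAG" --target-tags "$FAZ_TAG"
}
# 2. Private Google Access on the subnet the FAZ instances use.
faz_private_google_access() {
  run gcloud compute networks subnets update "$FAZ_SUBNET" \
    --project "$FAZ_PROJECT" --region "$FAZ_REGION" --enable-private-ip-google-access
}
# 3. Promote the external virtual IP ($1) to a static, Premium-tier address.
faz_promote_vip() {
  run gcloud compute addresses create faz-ha-vip --project "$FAZ_PROJECT" \
    --region "$FAZ_REGION" --addresses "$1" --network-tier PREMIUM
}
# 4. Compute Engine API scope Read Write for instance $1 in zone $2. The scope
#    only changes while the VM is stopped, hence the stop/start around it.
faz_compute_rw_scope() {
  run gcloud compute instances stop "$1" --project "$FAZ_PROJECT" --zone "$2"
  run gcloud compute instances set-service-account "$1" --project "$FAZ_PROJECT" \
    --zone "$2" --service-account "$FAZ_SA" --scopes compute-rw
  run gcloud compute instances start "$1" --project "$FAZ_PROJECT" --zone "$2"
}
# Guard: the HA rule must be tag-scoped and never name an open source range.
faz_rule_is_scoped() {
  faz_ha_firewall | grep -q -- '--source-tags' && ! faz_ha_firewall | grep -q '0.0.0.0/0'
}

# Usage: FAZ_VIP=<external VIP> DRY_RUN=0 sh faz-gcp-ha.sh
if [ -n "${FAZ_VIP:-}" ]; then
  faz_ha_firewall; faz_private_google_access; faz_promote_vip "$FAZ_VIP"
  for i in faz-a-vm:asia-southeast1-a faz-b-vm:asia-southeast1-a faz-c-vm:asia-southeast1-b; do
    faz_compute_rw_scope "${i%%:*}" "${i##*:}"
  done
fi
```

Run it once with DRY_RUN=1 and review the printed commands before applying them with DRY_RUN=0.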
FortiAnalyzer:
- Download the Google Root CA certificates from https://pki.goog/repository/
- Import all Google Root CA certificates into all FortiAnalyzer-VM instances under GUI -> System Settings -> Certificates -> Import -> CA Certificates.
- Proceed to configure HA settings in the FortiAnalyzer instance.
Primary and Secondary VM:
- During HA negotiation and synchronization, the Secondary VM will be disconnected and reconnected.
- Once all the FortiAnalyzer HA instances are up, verify the HA status: FortiAnalyzer GUI -> System Settings -> HA.
Test failover:
- During an HA failover, the FortiAnalyzer-VM Virtual IP is moved to the new FortiAnalyzer primary.
- To test failover, run the following CLI command on the FortiAnalyzer primary:
FAZ-A # diagnose ha failover
Related articles:
Technical Tip: FortiAnalyzer HA Configuration and Troubleshooting
Troubleshooting Tip: FortiAnalyzer HA configurations that will not synchronize