lpizziniaco
Staff
Article Id 278476
Description

This article describes how to configure failover handling in an Azure cluster using FortiGate. It covers essential aspects such as public IP associations, routing table adjustments, and device-specific configurations, offering a comprehensive scope for establishing a robust and reliable system.


Scope

FortiGate.
Solution

This article outlines how to configure the SDN connector in an Azure-deployed cluster so that failover is handled correctly. It focuses on an Active-Passive (A-P) cluster that uses the Fabric connector for failover, as described in the documentation on HA for FortiGate-VM on Azure.

 

Additionally, see the corresponding GitHub repository.

 

Once the subscription configuration is complete, the next step is to deploy an HA A-P cluster in which the handover is managed by the SDN connector.

Below is an external Fabric (SDN) connector configuration that works for a cluster of two hosts where, at startup, Host 1 is the primary and Host 2 is the secondary. The Azure SDN configuration is structured into three main sections:

 

Main Configuration: Represents the primary settings for the Azure SDN connector, defining the type, high-availability status, subscription ID, and resource group.

 

Network Interface Configuration ('config nic'): Details the network interface settings, including the association of public IP addresses. In this case it associates the public IP 'piz-FGT-PIP' with 'piz-FGT-A-Nic1' on Host 1, and with 'piz-FGT-B-Nic1' on Host 2 when Host 2 becomes active after a failover.

 

Route Table Configuration ('config route-table'): Outlines the route table adjustments necessary for failover scenarios. It includes modifications to the 'piz-RouteTable-ProtectedSubnet', adjusting the next-hop IP address in the 'toDefault' route entry.

 

The cluster's public IP address, piz-FGT-PIP, is defined in Azure and is associated with the primary device's port1. The route-table section lists every Azure-defined route table that must be modified in the event of a failover.

 

In this scenario, the next hop of the default route ('toDefault') in the Azure route table piz-RouteTable-ProtectedSubnet is changed to the IP specified in the configuration.

 

It is important to note that the route-table configuration differs between Host 1 and Host 2 because the two devices have distinct port1 IP addresses: each host sets the next hop to its own IP, so that after a failover the route points at the currently active device.

 

Additionally, the NIC names in the two configurations differ because the Azure Network Interface objects assigned to each device have distinct names. Updating the public IP association and the next-hop IP addresses of the routes takes Azure a few seconds to complete.

 

Host 1 SDN Configuration

config system sdn-connector
    edit "AzureSDN"
        set type azure
        set ha-status enable
        set subscription-id "xxx"
        set resource-group "piz-test"
        config nic
            edit "piz-FGT-A-Nic1"
                config ip
                    edit "ipconfig1"
                        set public-ip "piz-FGT-PIP"
                    next
                end
            next
        end
        config route-table
            edit "piz-RouteTable-ProtectedSubnet"
                config route
                    edit "toDefault"
                        set next-hop "10.1.9.4"
                    next
                end
            next
        end
    next
end

Host 2 SDN Configuration

config system sdn-connector
    edit "AzureSDN"
        set type azure
        set ha-status enable
        set subscription-id "xxx"
        set resource-group "piz-test"
        config nic
            edit "piz-FGT-B-Nic1"
                config ip
                    edit "ipconfig1"
                        set public-ip "piz-FGT-PIP"
                    next
                end
            next
        end
        config route-table
            edit "piz-RouteTable-ProtectedSubnet"
                config route
                    edit "toDefault"
                        set next-hop "10.1.9.5"
                    next
                end
            next
        end
    next
end
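The two configurations above only work as a pair if each host references its own Azure NIC and its own port1 IP as next hop, while both move the same public IP and update the same routes. The following script is an added example, not Fortinet code or anything from the article: it parses the FortiOS CLI text of both hosts and checks those invariants, including the common mistake of cloning Host 1's configuration to Host 2 without changing the next hop. It assumes that 10.1.9.4 and 10.1.9.5 are the port1 private IPs of Host 1 and Host 2 (the article shows them only as next hops), and the configuration text is embedded as constructed input.

```python
"""Cross-check the Host 1 / Host 2 Azure SDN connector configurations.

Added example, not Fortinet code: parses the FortiOS CLI text of both hosts
and verifies the invariants the failover described in the article relies on.
Assumption: 10.1.9.4 / 10.1.9.5 are the port1 private IPs of Host 1 / Host 2.
"""
import shlex


def parse_fortios(text):
    """Parse a FortiOS CLI fragment into nested dicts: 'config a b' opens
    table "a b", 'edit "x"' opens entry "x", 'set k v' stores v, and
    'next' / 'end' close the current level. Blank lines are skipped."""
    stack = [{}]
    for raw in text.splitlines():
        if not raw.strip():
            continue
        kw, *args = shlex.split(raw)
        if kw in ("config", "edit"):
            stack.append(stack[-1].setdefault(" ".join(args), {}))
        elif kw == "set":
            stack[-1][args[0]] = args[1] if len(args) == 2 else args[1:]
        elif kw in ("next", "end"):
            stack.pop()
        else:
            raise ValueError(f"unexpected line: {raw!r}")
    if len(stack) != 1:
        raise ValueError("unbalanced config/edit vs next/end")
    return stack[0]


def failover_view(cfg, connector="AzureSDN"):
    """What the connector rewrites on failover: {PIP: NIC}, {(table, route): next-hop}."""
    sdn = cfg["system sdn-connector"][connector]
    pips = {ipc["public-ip"]: nic
            for nic, n in sdn.get("nic", {}).items()
            for ipc in n.get("ip", {}).values() if "public-ip" in ipc}
    hops = {(tbl, rt): r["next-hop"]
            for tbl, t in sdn.get("route-table", {}).items()
            for rt, r in t.get("route", {}).items()}
    return sdn, pips, hops


def check_pair(host1_text, host2_text, hosts):
    """Return the problems found; hosts maps "host1"/"host2" to (own NIC, own port1 IP)."""
    problems, views = [], {}
    for name, text in (("host1", host1_text), ("host2", host2_text)):
        sdn, pips, hops = failover_view(parse_fortios(text))
        views[name] = (sdn, pips, hops)
        own_nic, own_ip = hosts[name]
        if sdn.get("type") != "azure" or sdn.get("ha-status") != "enable":
            problems.append(f"{name}: needs 'set type azure' and 'set ha-status enable'")
        # The shared PIP must be moved onto this host's own NIC ...
        for pip, nic in pips.items():
            if nic != own_nic:
                problems.append(f"{name}: {pip} -> {nic}, expected own NIC {own_nic}")
        # ... and every UDR next-hop must be this host's own private IP.
        for (tbl, rt), hop in hops.items():
            if hop != own_ip:
                problems.append(f"{name}: {tbl}/{rt} next-hop {hop}, expected own IP {own_ip}")
    (s1, p1, h1), (s2, p2, h2) = views["host1"], views["host2"]
    for key in ("subscription-id", "resource-group"):
        if s1.get(key) != s2.get(key):
            problems.append(f"{key} differs between hosts")
    if set(p1) != set(p2) or set(h1) != set(h2):
        problems.append("hosts do not move the same PIPs / update the same routes")
    return problems


# Constructed input: the Host 1 configuration from the article.
HOST1 = '''config system sdn-connector
    edit "AzureSDN"
        set type azure
        set ha-status enable
        set subscription-id "xxx"
        set resource-group "piz-test"
        config nic
            edit "piz-FGT-A-Nic1"
                config ip
                    edit "ipconfig1"
                        set public-ip "piz-FGT-PIP"
                    next
                end
            next
        end
        config route-table
            edit "piz-RouteTable-ProtectedSubnet"
                config route
                    edit "toDefault"
                        set next-hop "10.1.9.4"
                    next
                end
            next
        end
    next
end
'''
HOST2 = HOST1.replace("piz-FGT-A-Nic1", "piz-FGT-B-Nic1").replace("10.1.9.4", "10.1.9.5")
# Constructed failure case: Host 2 cloned from Host 1 with the next-hop left unchanged.
HOST2_CLONED = HOST1.replace("piz-FGT-A-Nic1", "piz-FGT-B-Nic1")
HOSTS = {"host1": ("piz-FGT-A-Nic1", "10.1.9.4"), "host2": ("piz-FGT-B-Nic1", "10.1.9.5")}
```

`check_pair(HOST1, HOST2, HOSTS)` returns an empty list for the pair shown in the article, while `check_pair(HOST1, HOST2_CLONED, HOSTS)` reports that Host 2's 'toDefault' next hop still points at Host 1's IP, which is exactly the misconfiguration that leaves the protected subnet black-holed after a failover. Paste the output of `show system sdn-connector` from each live unit into HOST1/HOST2 to run the same check against a real deployment.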

 

To sum it up with the provided configuration: When Host 1 acts as the active FortiGate, the Azure Public IP address object, 'piz-FGT-PIP', is linked to its corresponding Azure Network Interface object, 'piz-FGT-A-Nic1'. This signifies that internet traffic directed to this public IP will be routed to the first network interface of Host 1.

 

The management interface (port4 by default) is what the FortiGate uses to talk to the Azure infrastructure: all API requests to Azure leave through this port, it must be able to resolve the Microsoft-specific API endpoints, and it carries the calls that switch the cluster's public IP during a failover. The management port therefore needs Internet access.

 

During failover, the previously passive FortiGate takes over, becomes active, and issues API calls to Azure.

These calls change the association of the public IP address, so that 'piz-FGT-PIP' is now linked to 'piz-FGT-B-Nic1', and update the user-defined route declared in Azure so that its next hop is the new active unit's own IP. This redirects both internal and external traffic to Host 2.