Description | This article describes how to manually deploy a High Availability (HA) Active-Passive FortiGate cluster on AWS, with attention to the HA management interface configuration and the VPC routing table. It also covers the checks, including a simulated failover, that confirm the cluster can reach the AWS API and fail over correctly. |
Scope | FortiGate Cloud HA A-P. |
Solution |
Deploying a High Availability (HA) Active-Passive FortiGate cluster manually can pose certain challenges, and a misconfiguration can leave a cluster that looks healthy but cannot fail over. Avoiding this requires careful attention to the deployment and configuration of the cluster.
For this document, it is assumed that the cluster is not set up using Terraform or CloudFormation. The official documentation (ref: Deploying FortiGate-VM A-P HA on AWS within one zone) has been followed for deploying the cluster.
After the cluster is deployed, a simple yet effective test to ensure everything is functioning correctly is to enable the AWS daemon debug on a unit and watch its API calls (run diagnose debug enable as well, otherwise no debug output is printed):
diagnose debug application awsd -1
The calls to the AWS API should complete successfully. If they do not, and a message like the following appears:
aws curl failed, 28
then the unit cannot reach the AWS API: curl error 28 is an operation timeout, which points at the management interface or the VPC routing rather than at credentials or IAM permissions (those would fail with an HTTP error, not a timeout).
Before opening a ticket, check the HA configuration on each unit; it should have the following form:
config system ha
The 'config ha-mgmt-interfaces' section (it only takes effect together with 'set ha-mgmt-status enable') plays a crucial role in the failover. The reserved management port it defines is the interface through which all API requests are sent to AWS, so it carries the calls that perform the failover and switch the cluster's public IP to the new primary unit. Its IP address and gateway are per unit and are not synchronized between cluster members, so check them on both units.
However, verifying the ha-mgmt-interface configuration is not the only consideration. Another vital aspect to confirm is the VPC's routing table.
As outlined in the official documentation under the 'Configure the Routing Tables in AWS' section, the route table associated with the HA management subnet must have a default route (0.0.0.0/0) to the VPC's Internet Gateway (IGW). This is what allows the management interface to reach the AWS API endpoints; without it the API calls time out, and although the FortiGate units themselves switch roles over the heartbeat, nothing is changed on the AWS side.
Another crucial test is a simulated failover. On the secondary unit, which will take over as primary, first enable the AWS daemon debug:
diagnose debug application awsd -1
Next, initiate the failover simulation by either restarting the primary unit, adjusting the priority of the unit, or, for a more controlled approach, executing the following command:
execute ha failover set 1
After confirming with 'y', the secondary unit's console becomes very talkative: the awsd debug flow of the takeover is printed and should have the following form:
Note: to return the cluster to its initial state, run the following unset on the unit where the execute command was used:
execute ha failover unset 1 |
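The two prerequisite checks above, scanning the awsd debug output for 'aws curl failed' lines and confirming that the HA management subnet's route table has an active default route to the IGW, can be scripted offline against saved output and repeated before every failover test. The following Python script is an added example and is not part of the original article or of Fortinet's tooling: the route table data is a constructed sample in the shape returned by aws ec2 describe-route-tables, the awsd lines are constructed around the message quoted above, and every subnet, route table, gateway and VPC ID in it is hypothetical.

```python
"""Offline pre-ticket checks for a FortiGate A-P HA cluster on AWS.

Added example, not part of the original article. It scripts two checks the
article describes: scanning `diagnose debug application awsd -1` output for
`aws curl failed, <code>` lines, and confirming that the HA management subnet's
route table carries an active default route to an Internet Gateway.
All IDs and sample data below are constructed for illustration.
"""
import json
import re

# curl exit codes that surface in awsd failures, meanings per curl(1).
CURL_ERRORS = {
    6: "could not resolve host (DNS from the management interface)",
    7: "could not connect (no route, or security group/NACL blocks TCP 443)",
    28: "operation timed out (no path to the AWS API, e.g. missing IGW route)",
    35: "TLS handshake failed",
    60: "peer certificate could not be verified",
}

AWSD_FAIL_RE = re.compile(r"aws curl failed,\s*(\d+)")


def awsd_failures(debug_output: str) -> list:
    """Return (line_no, curl_code, meaning) for each 'aws curl failed' line."""
    findings = []
    for n, line in enumerate(debug_output.splitlines(), 1):
        m = AWSD_FAIL_RE.search(line)
        if m:
            code = int(m.group(1))
            findings.append((n, code, CURL_ERRORS.get(code, "see curl(1) exit codes")))
    return findings


def route_table_for_subnet(route_tables: list, subnet_id: str) -> dict:
    """Table explicitly associated with the subnet, else the VPC's main table."""
    main = None
    for rt in route_tables:
        for assoc in rt.get("Associations", []):
            if assoc.get("SubnetId") == subnet_id:
                return rt
            if assoc.get("Main"):
                main = rt
    if main is None:
        raise ValueError(f"no route table found for {subnet_id}")
    return main


def check_mgmt_route(route_tables: list, mgmt_subnet_id: str) -> list:
    """Return a list of problems; an empty list means the IGW default route is in place."""
    rt = route_table_for_subnet(route_tables, mgmt_subnet_id)
    rtb = rt["RouteTableId"]
    defaults = [r for r in rt.get("Routes", []) if r.get("DestinationCidrBlock") == "0.0.0.0/0"]
    if not defaults:
        return [f"{rtb}: no 0.0.0.0/0 route for {mgmt_subnet_id}"]
    problems = []
    for r in defaults:
        gw = r.get("GatewayId") or r.get("NatGatewayId") or "?"
        if not gw.startswith("igw-"):
            problems.append(f"{rtb}: 0.0.0.0/0 points at {gw}, not an IGW")
        if r.get("State") != "active":
            problems.append(f"{rtb}: 0.0.0.0/0 route state is {r.get('State')}")
    return problems


# Constructed sample in the shape of `aws ec2 describe-route-tables --output json`:
# the main table (local route only), the HA management subnet's table with the
# IGW default route, and a third subnet whose default route goes via a NAT gateway.
SAMPLE_ROUTE_TABLES = json.loads("""
{"RouteTables": [
  {"RouteTableId": "rtb-main0001", "VpcId": "vpc-0001",
   "Associations": [{"Main": true, "RouteTableId": "rtb-main0001"}],
   "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"}]},
  {"RouteTableId": "rtb-mgmt0001", "VpcId": "vpc-0001",
   "Associations": [{"Main": false, "SubnetId": "subnet-hamgmt", "RouteTableId": "rtb-mgmt0001"}],
   "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
              {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0001", "State": "active"}]},
  {"RouteTableId": "rtb-nat0001", "VpcId": "vpc-0001",
   "Associations": [{"Main": false, "SubnetId": "subnet-private", "RouteTableId": "rtb-nat0001"}],
   "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
              {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-0001", "State": "active"}]}
]}
""")["RouteTables"]

# Constructed awsd debug capture built around the message quoted in the article.
SAMPLE_AWSD_BAD = "awsd: aws curl failed, 28\nawsd: aws curl failed, 28\n"

if __name__ == "__main__":
    for n, code, why in awsd_failures(SAMPLE_AWSD_BAD):
        print(f"awsd line {n}: curl error {code}: {why}")
    for subnet in ("subnet-hamgmt", "subnet-private", "subnet-nocustomtable"):
        print(subnet, check_mgmt_route(SAMPLE_ROUTE_TABLES, subnet) or "OK")
```

In practice, save the real output of aws ec2 describe-route-tables --output json and the console capture of the awsd debug, feed them to the two functions, and fix whatever check_mgmt_route reports before repeating the failover test. A subnet that falls back to the VPC's main table, or whose default route points at a NAT gateway rather than the IGW the documentation calls for, is reported as a problem.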
Copyright 2024 Fortinet, Inc. All Rights Reserved.