FortiGate
JNDias
Staff & Editor
Article Id 326926
Description

This article describes how to configure an IP Pool on a FortiGate HA (High Availability) cluster deployed in Azure using the SDN connector. This is useful when a specific internal host (or hosts) needs to be NATed behind a different public IP.

The challenge addressed here is that the primary and secondary FortiGate devices have different external private IPs on the port1 (WAN) interface, so the configuration must keep failover seamless and traffic handling correct on whichever unit is active.

This article is related to Technical Tip: Configuring VIP on FortiGate HA in Azure with SDN Connector: Ensuring Seamless Failov... Both can be used together to cover both traffic directions: a VIP for inbound traffic to expose a service, and an IP Pool to force outbound traffic to use a specific NAT IP towards the internet.

Scope

FortiGate, Azure, Cluster, IP Pool

Solution

Image: architecture-KB-ippool-fgt-ap-sdn.png

FortiGate Nic1 instance summary from Azure:

VM Name   IP          Version   Type        Private IP Address      Public IP Address
FGT-A     ipconfig1   IPv4      Primary     172.16.32.4 (Static)    108.142.167.8 (jd-FGT-PIP)
FGT-A     ipconfig2   IPv4      Secondary   172.16.32.10 (Static)   108.142.167.202 (pip-jd-vnet-westeurope-01)
FGT-B     ipconfig1   IPv4      Primary     172.16.32.5 (Static)    -
FGT-B     ipconfig2   IPv4      Secondary   172.16.32.11 (Static)   -

1. Create a VDOM exception on the active unit so that the IP Pool object is excluded from HA configuration synchronization (each member keeps its own IP Pool settings):

config system vdom-exception
    edit 1
        set object firewall.ippool
    next
end

2. Create an IP Pool with the same name on both cluster members. In 'External IP Range' use each member's own secondary private IP (ipconfig2): 172.16.32.10 on FGT-A and 172.16.32.11 on FGT-B.

Image: FGT-B IP-pool.png

Image: FGT-A IP-pool.png

3. Add the new public IP to the SDN Connector on both FortiGates.

Example for FGT-A:

config system sdn-connector
    edit "AzureSDN"
        set type azure
        set ha-status enable
        set subscription-id "a90dc88c-8dd5-4f94-a346-96eca9d90e0e"
        set resource-group "diasj-ippoolkb"
        config nic
            edit "jd-FGT-A-Nic1"
                config ip
                    edit "ipconfig1"
                        set public-ip "jd-FGT-PIP"
                    next
                    edit "ipconfig2"
                        set public-ip "pip-jd-vnet-westeurope-01"
                    next
                end
            next
        end
.......

4. The following image summarizes the configuration in Azure versus on both FortiGates.

Image: az ippoolsdn connector.png

5. Create the firewall policy with NAT enabled, using the IP Pool just created.

Image: Firewall policy with IPpool.png

6. Validate the outgoing IP address from a VM behind the cluster on a 'Protected network', using Windows CMD or Linux Bash:

curl ifconfig.me
108.142.167.202

If the SDN connector has the correct permissions, both public IPs move to the new active unit's NIC during a failover event and are matched to that unit's IP Pool configuration, so outbound traffic keeps the same NAT IP.
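Before testing a failover, it helps to confirm that the per-unit settings from steps 1 to 3 are consistent with the Azure NIC summary. The following Python check is an added example, not code from the article or from FortiOS; it models the NIC table and a minimal view of each unit's IP Pool, vdom-exception and SDN connector mapping, and the pool name "ippool-outbound" is an assumption.

```python
# Added consistency check for the HA IP Pool setup described in this article (example code,
# not part of the article or FortiOS). It models the Azure NIC summary above and a minimal
# view of each unit's IP Pool and SDN connector settings. The pool name "ippool-outbound"
# is an assumption; the addresses and public IP names are the ones from the article.

AZURE_NICS = {  # constructed from the Nic1 instance summary table
    "FGT-A": {"ipconfig1": "172.16.32.4", "ipconfig2": "172.16.32.10"},
    "FGT-B": {"ipconfig1": "172.16.32.5", "ipconfig2": "172.16.32.11"},
}
PUBLIC_IP_NAME = "pip-jd-vnet-westeurope-01"  # public IP that must follow the active unit

# Per-unit settings as they should look after steps 1-3 (constructed, matching the article).
EXAMPLE_UNITS = {
    "FGT-A": {"vdom_exception": ["firewall.ippool"],
              "ippool": {"ippool-outbound": "172.16.32.10"},
              "sdn_ip": {"ipconfig1": "jd-FGT-PIP", "ipconfig2": PUBLIC_IP_NAME}},
    "FGT-B": {"vdom_exception": ["firewall.ippool"],
              "ippool": {"ippool-outbound": "172.16.32.11"},
              "sdn_ip": {"ipconfig1": "jd-FGT-PIP", "ipconfig2": PUBLIC_IP_NAME}},
}


def check_ippool_setup(units, azure_nics=AZURE_NICS, public_ip=PUBLIC_IP_NAME):
    """Return a list of findings; an empty list means the per-unit config is consistent."""
    findings = []
    # The firewall policy is synchronized, so it can only reference one pool name on both units.
    pool_names = [frozenset(u["ippool"]) for u in units.values()]
    if any(n != pool_names[0] for n in pool_names):
        findings.append("IP Pool names differ between members; the synced policy cannot reference both")
    for unit, cfg in units.items():
        if "firewall.ippool" not in cfg["vdom_exception"]:
            findings.append(f"{unit}: no vdom-exception for firewall.ippool, HA sync will overwrite the pool")
        own_ipconfig2 = azure_nics[unit]["ipconfig2"]
        for name, ext_ip in cfg["ippool"].items():
            if ext_ip != own_ipconfig2:
                findings.append(f"{unit}: pool {name} uses {ext_ip}, expected this unit's ipconfig2 {own_ipconfig2}")
        # The same public IP name must be bound to ipconfig2 on each unit's NIC entry.
        if cfg["sdn_ip"].get("ipconfig2") != public_ip:
            findings.append(f"{unit}: SDN connector must map ipconfig2 to {public_ip} for failover")
    return findings


if __name__ == "__main__":
    for line in check_ippool_setup(EXAMPLE_UNITS) or ["OK: configuration is consistent"]:
        print(line)
```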

 

Related articles:

Technical Tip: FortiGate Azure resource list

Technical Tip: Configure SDN Connector for Active-Passive HA failover in Azure

Technical Tip: Configuring VIP on FortiGate HA in Azure with SDN Connector: Ensuring Seamless Failov...