FortiGate
JaskiratM (Staff)
Article Id 252514
Description

This article describes how to adjust the Azure Internal Load Balancer distribution mode (session persistence) so that failover succeeds in an HA deployment of FortiGate in Azure.

 

Scope

FortiGate HA (active/passive) deployed in Azure:

(Figure: JaskiratM_3-1681662269148.png)

When an endpoint in the Protected A network tries to reach outside the VNET through the FortiGate firewalls, the traffic hits FGT-A on its NIC (.69) and is forwarded out.

When FGT-A becomes unavailable, the Internal Load Balancer should forward the traffic to the NIC (.70) attached to FGT-B. Instead, the load balancer persists the existing session and keeps forwarding the traffic towards FGT-A even though the health probes to FGT-A have already failed.

 

Solution

1) Access the Internal Load Balancer from the Resource Group section of the Azure environment:

(Figure: JaskiratM_4-1681662315158.png)

2) Open the Internal Load Balancer and check that a health probe has been set up under the Health probes section of the load balancer:

(Figure: JaskiratM_5-1681662315160.png)

3) Once the health probe is configured, check that it is working by selecting the Metrics section inside the load balancer:

(Figure: JaskiratM_6-1681662315165.png)

Make sure to choose the scope and select the same probe as seen in step 2:

(Figure: JaskiratM_7-1681662315166.png)

4) Verify that Probe Response is enabled under Administrative access on the FortiGate interface and that it is responding.

 

(Figure: JaskiratM_8-1681662315168.png)

Also, run the following sniffer on both the active and the secondary unit (port 8008 is the FortiGate probe-response port that the health probe targets):

# diag sniffer packet any 'port 8008' 4 0 1

This verifies that the probes are reaching the FortiGates. On the active unit, output like this should appear:

(Figure: JaskiratM_10-1681662438373.png)

On the secondary firewall, the output should look like this:

(Figure: JaskiratM_11-1681662438379.png)

5) Check the load balancing rule on the Internal Load Balancer and verify that Session persistence is set to None (5-tuple):

(Figure: JaskiratM_12-1681662438382.png)

Refer to the Microsoft documentation on load balancer distribution modes:
https://learn.microsoft.com/en-us/azure/load-balancer/distribution-mode-concepts
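As an added example (not part of this article or Fortinet's tooling), the script below reads the JSON that `az network lb rule list` and `az network lb probe list` print for the Internal Load Balancer and flags any rule whose session persistence is not None (Azure's loadDistribution value "Default") or whose probe does not target the FortiGate probe-response port 8008, then prints the Azure CLI command that resets the rule. The sample data and resource names are constructed placeholders.

```python
"""Audit an Azure Internal Load Balancer's rules for FortiGate HA failover.

Added example, not Fortinet's code. Input is the JSON printed by
`az network lb rule list` and `az network lb probe list`; the sample data
below is constructed and the resource names are placeholders.
"""
import json
# Azure "loadDistribution" values behind the portal's Session persistence field.
PERSISTENCE = {
    "Default": "None (5-tuple hash)",
    "SourceIP": "Client IP (2-tuple)",
    "SourceIPProtocol": "Client IP and protocol (3-tuple)",
}
FGT_PROBE_PORT = 8008  # FortiGate probe-response port seen in the sniffer output

def audit_lb(rules_json: str, probes_json: str) -> list[str]:
    """Return one finding per rule that could keep sessions pinned to a failed FortiGate."""
    rules = json.loads(rules_json)
    probes = {p["id"]: p for p in json.loads(probes_json)}
    findings = []
    for rule in rules:
        mode = rule.get("loadDistribution", "Default")
        if mode != "Default":
            findings.append(f"{rule['name']}: session persistence is "
                            f"{PERSISTENCE.get(mode, mode)}; set it to None")
        probe = probes.get((rule.get("probe") or {}).get("id", ""))
        if probe is None:
            findings.append(f"{rule['name']}: no health probe attached")
        elif probe["protocol"] != "Tcp" or probe["port"] != FGT_PROBE_PORT:
            findings.append(f"{rule['name']}: probe {probe['name']} uses "
                            f"{probe['protocol']}/{probe['port']}, expected Tcp/{FGT_PROBE_PORT}")
    return findings

def fix_command(resource_group: str, lb_name: str, rule_name: str) -> str:
    """Azure CLI command that sets the rule's session persistence back to None (5-tuple)."""
    return (f"az network lb rule update -g {resource_group} --lb-name {lb_name} "
            f"-n {rule_name} --load-distribution Default")

# Constructed sample: one rule still pinned to client IP, one already correct.
PROBES = json.dumps([{"id": "/probes/fgt-probe", "name": "fgt-probe",
                      "protocol": "Tcp", "port": 8008}])
RULES = json.dumps([
    {"name": "rule-all-ports", "loadDistribution": "SourceIP", "probe": {"id": "/probes/fgt-probe"}},
    {"name": "rule-https", "loadDistribution": "Default", "probe": {"id": "/probes/fgt-probe"}},
])

if __name__ == "__main__":
    for finding in audit_lb(RULES, PROBES):
        print(finding, "\n  fix:", fix_command("<resource-group>", "<ilb-name>", finding.split(":")[0]))
```

Feed it the real output (`az network lb rule list -g <rg> --lb-name <ilb> -o json`) to audit a live deployment; a rule left on Client IP persistence is the condition that keeps traffic pinned to FGT-A after its probe fails.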
