Description
This article describes how to adjust the AZURE Internal Load balancer algorithm to achieve successful failover in an HA deployment of FortiGate in Azure
Scope
Fortigate HA (active/passive) deployed in AZURE:
When an endpoint in the Protected A network is trying to reach out of the VNET through the FortiGate firewalls, it hits the FGT-A with NIC (.69) and is forwarded out.
When the FGT-A becomes unavailable, the traffic should be then forwarded by the Internal Load Balancer to the NIC (.70) attached to the FGT-B but, the load balancer still persists with the session and keeps on forwarding the traffic towards FGT-A even though the probes to the FGT-A have died.
Solution
- Access the Internal Load Balancer from the Resource Group Section of the AZURE Environment:
- On Opening the Internal Load Balancer, check if the probes have been set up by going to the HEALTH-PROBE section of the load balancer:
- Once the Health-Probe is configured, check if it is working on the Azure Load-Balancer by selecting the METRICS section inside the load-balancer:
Make sure to choose the scope and specify the same probe as seen in step 2:
- Verify the Probe Response under Administrative access is enabled and working on the FortiGate.
Also, run the following on both the active and the secondary unit:
diagnose sniffer packet any ‘port 8008’ 4 0 1
This will verify the probes are working. On the active one, an output like this should appear:
On the secondary firewall, the output should look like this:
- Check the load balancing rule on the Internal Load Balancer and verify that the session persistence is set to none (5 tuples).
Refer to the Microsoft Learn article on distribution mode concepts.
