Description | This article explains how to configure SNAT using an IP pool in an active-passive FortiGate-VM high availability (HA) setup on AWS across multiple zones. |
Scope | FortiGate VM in AWS. |
Solution |
This article outlines the configuration of IP pools for Source NAT (SNAT) when deploying FortiGate-VM in an Active-Passive HA setup across multiple Availability Zones within the same AWS VPC.
In this architecture, the Elastic Public IP is initially associated with the primary FortiGate instance (FortiGate A) on Port1. During a failover event, this Elastic IP is automatically reattached to the secondary FortiGate instance, ensuring uninterrupted access. To facilitate independent management of each FortiGate instance, additional Elastic IPs can be allocated to their respective management interfaces.
For detailed guidance on configuring FortiGate in an Active-Passive HA deployment across multiple AWS Availability Zones, please refer to the associated reference documentation.
Below are the steps required for SNAT IP Pool configuration.
Step 1:
VDOM Exceptions: Create the following VDOM exceptions. When a VDOM exception is configured for an object, that object is not synchronized between the primary and secondary devices when the HA cluster forms, so each node keeps its own copy.
config system vdom-exception
edit 1
set object system.interface
next
edit 2
set object router.static
next
edit 3
set object firewall.vip
next
edit 4
set object firewall.ippool
next
end
Step 2:
Configure the objects that will not sync between the primary and secondary (system interfaces, static routes, any VIP object, firewall IP pools, etc.), as listed in the VDOM exceptions defined above.
Configure Interface on Firewall A:
config system interface
edit "port1"
set vdom "root"
set ip 10.0.10.11 255.255.255.0
set alias "public"
next
edit "port2"
set vdom "root"
set ip 10.0.11.11 255.255.255.0
set alias "private"
next
edit "port3"
set vdom "root"
set ip 10.0.12.11 255.255.255.0
set alias "hasync"
next
edit "port4"
set vdom "root"
set ip 10.0.13.11 255.255.255.0
set alias "hamgmt"
next
end
Configure Interface on Firewall B:
config system interface
edit "port1"
set vdom "root"
set ip 10.0.20.11 255.255.255.0
set alias "public"
set mtu 9001
next
edit "port2"
set vdom "root"
set ip 10.0.21.11 255.255.255.0
set alias "private"
next
edit "port3"
set vdom "root"
set ip 10.0.22.11 255.255.255.0
set alias "hasync"
next
edit "port4"
set vdom "root"
set ip 10.0.23.11 255.255.255.0
set alias "hamgmt"
next
end
Configure the IP pool in Firewall A:
config firewall ippool
edit "ippool-1"
set startip 10.0.10.12
set endip 10.0.10.12
next
edit "ippool-2"
set startip 10.0.10.13
set endip 10.0.10.20
next
end
Configure the IP pool in Firewall B:
config firewall ippool
edit "ippool-1"
set startip 10.0.20.12
set endip 10.0.20.12
next
edit "ippool-2"
set startip 10.0.20.13
set endip 10.0.20.13
next
end
Configure Route in Firewall A:
config router static
edit 1
set gateway 10.0.10.1
set device "port1"
next
edit 2
set dst 10.0.0.0 255.0.0.0
set gateway 10.0.11.1
set device "port2"
next
end
Configure the Route in Firewall B:
config router static
edit 1
set gateway 10.0.20.1
set device "port1"
next
edit 2
set dst 10.0.0.0 255.0.0.0
set gateway 10.0.21.1
set device "port2"
next
end
Step 3:
Configure the firewall policy that references the IP pool defined on Firewall A or Firewall B.
Note:
The pool name configured on Firewall A and Firewall B must be identical, so that the firewall policy, which is synchronized between Firewall A and Firewall B, resolves to a valid pool on whichever node is active.
config firewall policy
edit 1
set name "INTERNET POLICY-1"
set srcintf "port2"
set dstintf "port1"
set action accept
set srcaddr "LAN1"
set dstaddr "all"
set service "ALL"
set nat enable
set ippool enable
set poolname "ippool-1"
next
edit 2
set name "INTERNET POLICY-2"
set srcintf "port2"
set dstintf "port1"
set action accept
set srcaddr "all"
set dstaddr "all"
set service "ALL"
set nat enable
set ippool enable
set poolname "ippool-1"
next
end
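The per-node objects above are exactly the ones HA will not keep consistent for you, so it is worth checking them before a failover does. The following script is an added example, not Fortinet's code: it parses FortiOS CLI text with a small config/edit/set/next/end reader and verifies that the VDOM exception list covers all four object types, that each node's pool addresses sit inside its own port1 subnet without overlapping the interface address, that pool names match on both nodes, and that every synced policy with `ippool enable` names a pool that exists on both. The configuration strings are constructed to mirror the values in this article (Firewall B is derived from Firewall A by subnet substitution); replace them with real `show` output to check a live pair.

```python
"""Consistency checks for the non-synced FortiGate objects (interfaces, IP pools, VDOM exceptions)
used for SNAT in an AWS active-passive HA pair. Added example, not Fortinet's code; config text is
constructed to mirror the values in this article and parsed with a small FortiOS CLI reader."""
import ipaddress

REQUIRED_EXCEPTIONS = {"system.interface", "router.static", "firewall.vip", "firewall.ippool"}

FW_A = """
config system interface
    edit "port1"
        set ip 10.0.10.11 255.255.255.0
    next
end
config firewall ippool
    edit "ippool-1"
        set startip 10.0.10.12
        set endip 10.0.10.12
    next
    edit "ippool-2"
        set startip 10.0.10.13
        set endip 10.0.10.20
    next
end
"""
# Firewall B sits in the second AZ's subnet; its ippool-2 is a single address, as in the article.
FW_B = FW_A.replace("10.0.10.", "10.0.20.").replace("10.0.20.20", "10.0.20.13")

EXCEPTIONS = "config system vdom-exception\n" + "".join(
    f"    edit {i}\n        set object {obj}\n    next\n"
    for i, obj in enumerate(sorted(REQUIRED_EXCEPTIONS), 1)) + "end\n"

# The policy is HA-synced, so any pool it names must exist on both nodes.
POLICY = """
config firewall policy
    edit 1
        set nat enable
        set ippool enable
        set poolname "ippool-1"
    next
end
"""

def parse_fortios(text):
    """Parse FortiOS CLI text into {table: {entry: {attr: value}}}.
    Covers the config/edit/set/next/end grammar used by the tables above."""
    tables, stack = {}, []            # stack of [table, current entry]
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("config "):
            name = line[7:].strip()
            tables.setdefault(name, {})
            stack.append([name, None])
        elif line.startswith("edit "):
            stack[-1][1] = line[5:].strip().strip('"')
            tables[stack[-1][0]].setdefault(stack[-1][1], {})
        elif line.startswith("set "):
            attr, _, val = line[4:].partition(" ")
            table, entry = stack[-1]
            tables[table].setdefault(entry, {})[attr] = val.strip().strip('"')
        elif line == "next":
            stack[-1][1] = None
        elif line == "end":
            stack.pop()
    return tables

def missing_exceptions(exc_cfg):
    """Object types that would still be HA-synced (and so overwritten on the secondary)."""
    present = {e["object"] for e in exc_cfg.get("system vdom-exception", {}).values()}
    return sorted(REQUIRED_EXCEPTIONS - present)

def pools_outside_port1(node_cfg):
    """Pools whose range is not inside port1's subnet, or which cover port1's own address."""
    ip, mask = node_cfg["system interface"]["port1"]["ip"].split()
    net, own = ipaddress.ip_network(f"{ip}/{mask}", strict=False), ipaddress.ip_address(ip)
    bad = []
    for name, pool in node_cfg["firewall ippool"].items():
        start, end = ipaddress.ip_address(pool["startip"]), ipaddress.ip_address(pool["endip"])
        in_subnet = start in net and end in net and start <= end
        if not in_subnet or start <= own <= end:
            bad.append(name)
    return bad

def pool_names_mismatch(cfg_a, cfg_b):
    """Pool names present on only one node; a synced policy naming one breaks after failover."""
    return sorted(set(cfg_a["firewall ippool"]) ^ set(cfg_b["firewall ippool"]))

def unresolved_policy_pools(policy_cfg, *node_cfgs):
    """(policy id, poolname) pairs whose pool is missing on at least one node."""
    return [(pid, p.get("poolname")) for pid, p in policy_cfg["firewall policy"].items()
            if p.get("ippool") == "enable"
            and any(p.get("poolname") not in c["firewall ippool"] for c in node_cfgs)]

def run_checks(exc_text=EXCEPTIONS, a_text=FW_A, b_text=FW_B, policy_text=POLICY):
    """Run every check; an empty list means that check passed."""
    exc, a, b, pol = (parse_fortios(t) for t in (exc_text, a_text, b_text, policy_text))
    return {"missing_exceptions": missing_exceptions(exc),
            "bad_pools_a": pools_outside_port1(a), "bad_pools_b": pools_outside_port1(b),
            "name_mismatch": pool_names_mismatch(a, b),
            "unresolved_policy_pools": unresolved_policy_pools(pol, a, b)}

if __name__ == "__main__":
    for check, result in run_checks().items():
        print(f"{check}: {'OK' if not result else result}")
```

The interface-address overlap check matters because a pool that includes port1's own IP would SNAT traffic to the address AWS expects the instance itself to answer on; the name check is the note above turned into an assertion, since the policy is the only synced object that ties the two independent pool definitions together.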
Copyright 2025 Fortinet, Inc. All Rights Reserved.