FortiGate
ManpreetSingh
Article Id 315908
Description

This article describes a detailed guide on configuring a Virtual IP (VIP) on FortiGate HA (High Availability) deployed in Azure. The guide addresses the challenge of the different external private IPs on the port1 (WAN) interface of the primary and secondary FortiGate devices, ensuring seamless failover and traffic handling.

Scope

FortiGate.
Solution

When FortiGate HA is deployed in Azure using an SDN connector or an ILB/ELB deployment, the external private IPs on the port1 (WAN) interface differ between the primary and secondary firewalls. For example, the primary firewall might have an IP of 172.16.0.4 and the secondary firewall an IP of 172.16.0.5.

When creating VIPs to forward traffic to an internal RDP server (e.g., 172.16.1.4), both external IPs must be accounted for. Otherwise, after a failover the return traffic might be handled incorrectly (SNAT with the wrong external IP), causing packet drops.

To avoid packet drops during failover, create VIPs with the same name on both firewalls but with different external IPs, and use a single firewall policy.

Step-by-Step Configuration:

Create VIP Entries.

First, create VIP entries with the same name but different external IPs on each firewall.

Primary Firewall (172.16.0.4):

config firewall vip
    edit "RDP-VIP"
        set extip 172.16.0.4
        set extintf "port1"
        set mappedip 172.16.1.4
        set extport 13389
        set mappedport 3389
    next
end

Secondary Firewall (172.16.0.5):

config firewall vip
    edit "RDP-VIP"
        set extip 172.16.0.5
        set extintf "port1"
        set mappedip 172.16.1.4
        set extport 13389
        set mappedport 3389
    next
end

Apply VIP to Policy.

Create a single firewall policy that references the VIP by name, so the same policy is consistent across both firewalls.

config firewall policy
    edit 1
        set srcintf "port1"
        set dstintf "port2"
        set srcaddr "all"
        set dstaddr "RDP-VIP"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end

Enable VDOM Exception.

To exclude the VIP configuration from HA synchronization (so that each firewall keeps its own extip), enable a VDOM exception for the firewall.vip object.

config system vdom-exception
    edit 1
        set object firewall.vip
    next
end

Testing and Validation.

Verify VIP Functionality: Test accessing the internal RDP server using the external IP and port (13389) to ensure proper forwarding.

Failover Testing: Simulate a failover by manually triggering the secondary firewall to become active. Verify that the VIP continues to work without packet drops.
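Before the failover test, the following added example (written for this article, not code from Fortinet) checks both nodes' CLI configuration against the pattern above: the VIP exists on both nodes with the same name, extintf, mappedip and ports, each node's extip equals its own port1 address, and firewall.vip is listed as a vdom-exception. The function names parse_fgt and check_ha_vip are this example's own, and the sample configs are constructed from the article's values.

```python
# Added example, not from the Fortinet article: lint both HA nodes' config for
# the VIP pattern above. Sample configs are constructed from the article's values.
PRIMARY_CFG = """
config firewall vip
    edit "RDP-VIP"
        set extip 172.16.0.4
        set extintf "port1"
        set mappedip 172.16.1.4
        set extport 13389
        set mappedport 3389
    next
end
config system vdom-exception
    edit 1
        set object firewall.vip
    next
end
"""
SECONDARY_CFG = PRIMARY_CFG.replace("172.16.0.4", "172.16.0.5")

def parse_fgt(text: str) -> dict:
    # Minimal parser for FortiGate config/edit/set/next/end blocks (nesting supported).
    tables, stack = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("config "):
            parent = stack[-1] if stack else tables
            stack.append(parent.setdefault(line[7:], {}))
        elif line.startswith("edit "):
            stack.append(stack[-1].setdefault(line[5:].strip('"'), {}))
        elif line.startswith("set "):
            name, _, value = line[4:].partition(" ")
            stack[-1][name] = value.strip().strip('"')
        elif line in ("next", "end"):
            stack.pop()
    return tables

def check_ha_vip(primary: str, secondary: str, name: str, wan_ips: tuple) -> list:
    # Returns a list of problems; an empty list means the pattern is applied correctly.
    cfgs, problems = (parse_fgt(primary), parse_fgt(secondary)), []
    for label, cfg, wan in zip(("primary", "secondary"), cfgs, wan_ips):
        vip = cfg.get("firewall vip", {}).get(name, {})
        if vip.get("extip") != wan:  # each node's extip must be its own port1 IP
            problems.append(f"{label}: extip {vip.get('extip')} != port1 IP {wan}")
        exc = cfg.get("system vdom-exception", {}).values()
        if not any(e.get("object") == "firewall.vip" for e in exc):
            problems.append(f"{label}: firewall.vip not excluded from HA sync")
    pv, sv = (c.get("firewall vip", {}).get(name, {}) for c in cfgs)
    for field in ("extintf", "mappedip", "extport", "mappedport"):
        if pv.get(field) != sv.get(field):  # only extip may differ between nodes
            problems.append(f"{field} differs between nodes")
    return problems
```

Paste each node's `show firewall vip` and `show system vdom-exception` output in place of the constructed samples to check a live cluster.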

Related documents:

Technical Tip: Configuring ippool on FortiGate HA in Azure with SDN Connector: Ensuring Seamless Fai...

Technical Tip: FortiGate Azure resource list

HA for FortiGate-VM on Azure

Technical Tip: VIP Configuration on the FortiGate VM Active-Passive HA Cluster