Author: nkorea (Staff)
Article Id 330623
Description: This article explains why UDP port 4789 must be allowed in the security group when forming HA in the cloud with a custom security group.
Scope: FortiGate.
Solution:

Diagram: Deploying FortiGate-VM A-P HA on AWS within one zone (diagram image not reproduced here).

By default, the security group allows all traffic from every protocol and port range, as in the screenshot below:

(Screenshot: default security group inbound rules, all traffic allowed.)

If the custom security group does not permit VXLAN traffic (UDP port 4789), the HA cluster will not form.

The packet capture below shows that no ARP replies are received from the other unit:

(Screenshot: packet capture with ARP requests to the peer unit and no replies.)

When using a custom security group, VXLAN traffic (UDP port 4789) must be permitted between the HA members for the HA cluster to form.

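The check a practitioner would want before bringing up the cluster is whether the custom security group actually carries a rule covering UDP 4789 from the peer, or whether only the catch-all default rule did. The following is an added example (not Fortinet's or AWS's own code) that evaluates inbound rules in the shape returned by `aws ec2 describe-security-groups` and, when the rule is missing, builds the `aws ec2 authorize-security-group-ingress` command that adds it. The security group id, addresses and rule sets are constructed placeholders; the three sample groups model the article's default (all open), a locked-down custom group missing VXLAN, and the same group after the fix.

```python
"""Check whether an AWS security group permits the VXLAN traffic (UDP 4789)
that FortiGate-VM A-P HA needs between cluster members. Added example, not
Fortinet's or AWS's own code; rule dicts mirror the IpPermissions shape of
`aws ec2 describe-security-groups`, but every id, CIDR and rule is constructed.
"""
import ipaddress

VXLAN_PORT = 4789  # UDP port VXLAN uses; FortiGate HA in AWS needs it open


def _rule_covers_udp_port(rule, port):
    """True if one IpPermissions entry allows UDP traffic to `port`.
    AWS encodes "all traffic" as IpProtocol "-1"; FromPort/ToPort -1 means all ports."""
    proto = str(rule.get("IpProtocol", ""))
    if proto == "-1":
        return True
    if proto not in ("udp", "17"):
        return False
    from_port, to_port = rule.get("FromPort", -1), rule.get("ToPort", -1)
    if from_port == -1 and to_port == -1:
        return True
    return from_port <= port <= to_port


def _rule_has_source(rule, peer_ip, peer_sg_id):
    """True if the rule's source covers the HA peer, by CIDR or by SG id."""
    for ip_range in rule.get("IpRanges", []):
        if peer_ip in ipaddress.ip_network(ip_range["CidrIp"], strict=False):
            return True
    for pair in rule.get("UserIdGroupPairs", []):
        if peer_sg_id is not None and pair.get("GroupId") == peer_sg_id:
            return True
    return False


def check_vxlan_allowed(security_group, peer_ip, peer_sg_id=None):
    """Return (allowed, matching_rules) for inbound UDP/4789 from the HA peer.
    The peer matches by IP against CidrIp or by SG id against UserIdGroupPairs,
    covering the usual layout where both members share one self-referencing SG."""
    peer = ipaddress.ip_address(peer_ip)
    matches = [
        rule
        for rule in security_group.get("IpPermissions", [])
        if _rule_covers_udp_port(rule, VXLAN_PORT)
        and _rule_has_source(rule, peer, peer_sg_id)
    ]
    return bool(matches), matches


def vxlan_ingress_command(group_id, source_group_id):
    """AWS CLI call that adds the missing rule with an SG-to-SG source."""
    return (
        "aws ec2 authorize-security-group-ingress "
        f"--group-id {group_id} --protocol udp --port {VXLAN_PORT} "
        f"--source-group {source_group_id}"
    )


# --- constructed sample data; ids and addresses are placeholders ----------
HA_SG_ID = "sg-0123456789abcdef0"
PEER_IP = "10.0.1.20"  # IP of the other HA member's heartbeat interface

# The default rule set the article describes: all protocols and ports open.
DEFAULT_SG = {
    "GroupId": HA_SG_ID,
    "IpPermissions": [{"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}],
}

# A locked-down custom group that omits VXLAN: HA will not form.
CUSTOM_SG_MISSING_VXLAN = {
    "GroupId": HA_SG_ID,
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "203.0.113.0/24"}]},
        {"IpProtocol": "udp", "FromPort": 500, "ToPort": 500,
         "UserIdGroupPairs": [{"GroupId": HA_SG_ID}]},
    ],
}

# The same group after adding UDP 4789 from itself (both members share it).
CUSTOM_SG_WITH_VXLAN = {
    "GroupId": HA_SG_ID,
    "IpPermissions": CUSTOM_SG_MISSING_VXLAN["IpPermissions"] + [
        {"IpProtocol": "udp", "FromPort": VXLAN_PORT, "ToPort": VXLAN_PORT,
         "UserIdGroupPairs": [{"GroupId": HA_SG_ID}]},
    ],
}

if __name__ == "__main__":
    for name, sg in [("default", DEFAULT_SG),
                     ("custom-missing", CUSTOM_SG_MISSING_VXLAN),
                     ("custom-fixed", CUSTOM_SG_WITH_VXLAN)]:
        ok, _ = check_vxlan_allowed(sg, PEER_IP, HA_SG_ID)
        print(f"{name}: UDP/{VXLAN_PORT} from HA peer allowed = {ok}")
        if not ok:
            print("  fix:", vxlan_ingress_command(sg["GroupId"], HA_SG_ID))
```

Matching on the security-group id as well as on CIDR matters because the common deployment puts both FortiGate-VM instances in one security group that references itself as the source; a CIDR-only check would report such a group as closed even though the heartbeat traffic is allowed.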
Reference Articles:

Deploying FortiGate-VM A-P HA on AWS within one zone

Deploying FortiGate-VM active-passive HA AWS between multiple zones