FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
Description
This article describes how to deploy and configure active-passive HA within one zone.
Solution
It is possible to configure FortiGate's native active-passive HA feature (without using a supplementary Azure mechanism such as an Azure load balancer) with two FortiGate-VM instances: one acting as the primary node and the other as the secondary node, both located in the same region. This is called unicast HA and is specific to cloud environments, including Azure.
Unicast HA works within the network restrictions of cloud environments, unlike the equivalent broadcast/multicast heartbeat used by physical FortiGates. The FortiGate-VMs exchange heartbeats over dedicated ports and synchronize their OS configurations. When the primary node (FortiGate Node-A in the diagram) fails, the secondary node (FortiGate Node-B) takes over as the primary node, so endpoints on the protected server continue to communicate with external resources through the FortiGate. The public IP addresses shown in the diagram will differ from the addresses actually used, which are configured during deployment.
On Azure, FortiGate active-passive HA triggers two reconfigurations by communicating with the Azure platform through its APIs:
- Mapping the public IP addresses from the failing node's interfaces to the healthy node's interfaces.
- Redefining the user-defined routes (UDRs) so that their next hop points to the healthy node's IP addresses instead of the failing node's.
HA failover time depends on the number of public IP addresses and UDRs assigned to the FortiGate-VM and can exceed 20 seconds.
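The following is an added configuration example, not taken from this article or from Fortinet's deployment templates, that shows the two pieces the mechanism above relies on: the unicast heartbeat between the two FortiGate-VMs, and the Azure SDN connector with HA status enabled, which is what lets the new primary move the public IP and rewrite the UDR next hop. All interface names, IP addresses, resource names and credentials are placeholders; the option names follow the FortiOS 6.0 CLI as the editor knows it and should be checked against the CLI reference for the version actually deployed.

```fortios
# Primary node (Node-A). The secondary node uses the same block with
# its own priority and with unicast-hb-peerip set to Node-A's hbdev address.
config system ha
    set group-name "AzureAP"
    set mode a-p
    # Heartbeat over a dedicated interface (port3 here, placeholder)
    set hbdev "port3" 100
    set session-pickup enable
    set session-pickup-connectionless enable
    # Dedicated management interface so each node stays reachable during failover
    set ha-mgmt-status enable
    config ha-mgmt-interfaces
        edit 1
            set interface "port4"
            set gateway 172.16.136.1
        next
    end
    set override disable
    set priority 255
    # Unicast heartbeat: required on Azure, since broadcast/multicast is not forwarded
    set unicast-hb enable
    set unicast-hb-peerip 172.16.136.5
    set unicast-hb-netmask 255.255.255.0
end

# SDN connector: credentials of a service principal that may only touch this
# resource group. ha-status enable is what makes failover call the Azure APIs.
config system sdn-connector
    edit "AzureSDN"
        set type azure
        set ha-status enable
        set tenant-id "<tenant-id-placeholder>"
        set subscription-id "<subscription-id-placeholder>"
        set client-id "<client-id-placeholder>"
        set client-secret "<client-secret-placeholder>"
        set resource-group "<resource-group-placeholder>"
        # Public IP to move from the failing node's NIC to this node's NIC
        config nic
            edit "NodeA-Nic1"
                config ip
                    edit "ipconfig1"
                        set public-ip "FGT-External-PIP"
                    next
                end
            next
        end
        # UDR whose next hop is rewritten to this node's internal address on failover
        config route-table
            edit "Protected-RT"
                config route
                    edit "default-via-fgt"
                        set next-hop "172.16.137.4"
                    next
                end
            next
        end
    next
end
```

The `priority` value and `unicast-hb-peerip` are the only lines that differ between the two nodes; everything else is synchronized by HA. Scope the service principal used by the connector to the HA resource group only, since the same credential that moves the public IP during failover could otherwise reach unrelated resources.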
FortiOS 5.6.4+ and 6.0.0+ support FortiGate active-passive HA for Azure. Using the latest version of FortiGate-VM is recommended.
To deploy this HA, do not launch FortiGate and the other related resources from marketplace product listings. Instead, manually kick off the deployment using ARM templates. See About the ARM template. The FortiGate product listings on the Azure marketplace are not used to configure active-passive HA.
Installing and configuring active-passive HA requires knowledge of the following:
- Configuring the FortiGate using the CLI.
- The Azure portal, with an Azure account that is able to perform a deployment.
- Azure ARM templates.
- The software-defined network (SDN) connector.