Help
FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
spathak
Staff
Staff

Created on ‎10-16-2020 03:31 AM Edited on ‎02-14-2025 05:36 AM By Community Manager

Article Id 196412

Technical Tip: Deploying and configuring active-passive HA within one zone

Description This article describes how to deploy and configure active-passive HA within one zone.
Scope FortiGate-VM on cloud
Solution

It is possible to configure FortiGate's native active-passive HA feature (without using an Azure supplementary mechanism such as Azure LB) with two FortiGate-VM instances: one acting as the primary node and the other as secondary node, both located in the same region.
This is called unicast HA and is specific to Cloud environments including Azure.

Unicast HA complies with Cloud environments' network restrictions as compared to equivalent features provided by physical FortiGates.
The FortiGate-VMs run heartbeats between dedicated ports and synchronize OS configurations.
When the primary node (FortiGate Node-A in the diagram), the secondary node (FortiGate Node-B) takes over as the primary node so endpoints on a protected server continue to communicate with external resources over the FortiGate.
The public IP addresses shown in the diagram will differ from the used IP, configured during deployment.


avinash_v_0-1739532766233.png

 

 
 
On Azure, FortiGate active-passive HA triggers two configurations while communicating with the Azure platform through APIs.
  • Mapping public IP addresses from a failing node to a healthy node interface.
  • Redefining user-defined routes (UDRs) from a failing node to a healthy node IP addresses.
 
HA, failover time depends on the amount of public IP addresses and UDRs assigned to the FortiGate-VM and can be upwards of 20 seconds.
 
v5.6.4+ and v6.0.0+ support FortiGate active-passive HA for Azure. Using the latest version of FortiGate-VM is recommended.
 
To deploy this HA, do not launch FortiGate and other related resources from marketplace product listings.
Instead, =manually kick off deployment using ARM templates.
See About the ARM template. The FortiGate product listings on the Azure marketplace are not used to configure active-passive HA.
 
Installing and configuring active-passive HA requires knowledge of the following.
  • Configuring the FortiGate using the CLI
  • Azure Portal. With an Azure account to perform a deployment.
  • Azure ARM templates.
  • Knowledge of software-defined network (SDN) connectors.

 

Related article:

Deploying Fortigate HA A-P setup with Azure LB 

 

Labels:
4157
Suggest New Article
Article Feedback
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2025 Fortinet, Inc. All Rights Reserved.