Description
This article discusses an error that may occur during a high availability (HA) failover event of FortiGate instances on Oracle Cloud Infrastructure (OCI).
In particular, it explains the potential cause of, and solution for, the error message 'NotAuthorizedOrNotFound' that may occur when the public IP addresses fail to shift to the secondary node.
Scope
FortiGate, OCI.
Solution
When an active firewall goes down, the floating IP address must be moved from the active to the passive firewall so that the passive firewall can seamlessly secure traffic as soon as it becomes the active peer.
However, during an HA failover on OCI, the new active firewall may lose internet access due to insufficient IAM rules on the OCI side. This occurs because the floating IP has not been detached from the previously active FortiGate peer and attached to the new active FortiGate peer.
To ensure that FortiGate instances can transfer the floating IP address seamlessly during a failover event, it is essential to include all FortiGate instances in a dynamic group within OCI.
This dynamic group groups the instances as principal actors and enables the creation of policies that allow FortiGate instances in the dynamic group to make API calls to OCI services.
Matching rules will be applied to include the HA peer instances in the dynamic group. Once all the FortiGate instances have been added to the dynamic group, a policy can be created to manage the transfer of the floating IP from one Virtual Network Interface Card (VNIC) to another.
To ensure that the IAM roles and policies are configured correctly in OCI, it is possible to use the following commands to check the API call against OCI:
diagnose debug application ocid -1
diagnose debug enable
diagnose test application ocid 4
An example of the API error message for insufficient permissions of the IAM role:
diagnose test application ocid 4
HTTP response error: 404
To ensure sufficient roles and policies are in place on the OCI side, refer to the Fortinet OCI administration guide. The guide provides detailed instructions on how to configure an OCI SDN connector using IAM roles.
When using a dynamic group, OCI may fail to match the group, in which case the same error will occur. To overcome this, reference the dynamic group by its full path (DomainName/DynamicGroupName) in the policy statement:
Allow dynamic-group DomainName/DynamicGroupName to manage all-resources in tenancy
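The following helper is an added example, not Fortinet or Oracle code: it reads the output of 'diagnose test application ocid 4' and classifies a 404 / NotAuthorizedOrNotFound response as an IAM problem (OCI returns 404 rather than 403 when the caller is not authorised, so the resource's existence is not revealed), and it checks that a policy statement references the dynamic group by its domain-qualified path. The sample output is constructed to match the error quoted above; the function and variable names are assumptions.

```python
"""Check the two artefacts the article relies on for FortiGate HA failover on
OCI: the 'diagnose test application ocid 4' output and the IAM policy
statement granting the dynamic group its permissions (added example)."""
import re

# Constructed sample output, shaped like the error the article quotes.
SAMPLE_OCID_OUTPUT = """\
diagnose test application ocid 4
HTTP response error: 404
{"code": "NotAuthorizedOrNotFound", "message": "Authorization failed or requested resource not found."}
"""

# Shape of an OCI policy statement for a dynamic group; 'group' may or may not
# carry the DomainName/ prefix, which is what check_policy() validates.
POLICY_RE = re.compile(
    r"^\s*Allow\s+dynamic-group\s+(?P<group>\S+)\s+to\s+"
    r"(?P<verb>inspect|read|use|manage)\s+(?P<resource>[\w-]+)\s+in\s+"
    r"(?P<scope>tenancy|compartment\s+\S+)\s*$",
    re.IGNORECASE,
)


def classify_ocid_output(text: str) -> dict:
    """Map the diagnose output to a likely cause.

    A 404 with NotAuthorizedOrNotFound from the OCI API means the instance
    principal is not authorised for the call: either the instance is not
    matched by the dynamic group or the policy does not grant the action."""
    status = re.search(r"HTTP response error:\s*(\d{3})", text)
    code = re.search(r'"code"\s*:\s*"([A-Za-z]+)"', text)
    if status is None and code is None:
        return {"status": None, "code": None, "cause": "no API error in output"}
    st = int(status.group(1)) if status else None
    cd = code.group(1) if code else None
    if st in (401, 404) or cd == "NotAuthorizedOrNotFound":
        return {"status": st, "code": cd,
                "cause": "IAM: instance not matched by dynamic group or policy too narrow"}
    return {"status": st, "code": cd, "cause": "other API error"}


def check_policy(statement: str) -> list:
    """Return a list of problems found in one OCI policy statement."""
    m = POLICY_RE.match(statement)
    if not m:
        return ["statement does not parse as an OCI dynamic-group policy"]
    problems = []
    if "/" not in m.group("group"):
        problems.append("dynamic group is not domain-qualified (use DomainName/DynamicGroupName)")
    return problems
```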
Following these steps will help ensure seamless failover events on OCI.
Copyright 2024 Fortinet, Inc. All Rights Reserved.