FortiGate
Hassan09
Staff
Article Id 247524
Description

This article discusses an error that may occur during a high availability (HA) failover event of FortiGate instances on Oracle Cloud Infrastructure (OCI).

In particular, it explains the potential cause and solution for the error message 'NotAuthorizedOrNotFound' that may occur when the public IP addresses fail to shift to the secondary node.

Scope

FortiGate, OCI.
Solution

When an active firewall goes down, the floating IP address must be moved from the active to the passive firewall so that the passive firewall can seamlessly secure traffic as soon as it becomes the active peer.

However, during an HA failover on OCI, the new active firewall may lose internet access due to insufficient IAM rules on the OCI side. This occurs because the floating IP has not been detached from the previously active FortiGate peer and attached to the new active FortiGate peer.

To ensure that FortiGate instances can transfer the floating IP address seamlessly during a failover event, it is essential to include all FortiGate instances in a dynamic group within OCI.

This dynamic group facilitates the grouping of instances as principal actors and enables the creation of policies that allow FortiGate instances in the dynamic group to make API calls to OCI services.

Matching rules are applied to include the HA peer instances in the dynamic group. Once all the FortiGate instances have been added to the dynamic group, a policy can be created to manage the transfer of the floating IP from one Virtual Network Interface Card (VNIC) to another.

To confirm that the IAM roles and policies are configured correctly in OCI, use the following commands to check the API call against OCI:

diagnose debug application ocid -1
diagnose debug en
diagnose test application ocid 4

An example of the API error message for an IAM role with insufficient permissions:

diagnose test application ocid 4

HTTP response error: 404
{
'code': 'NotAuthorizedOrNotFound',
'message': 'Authorization failed or requested resource not found'
}

To ensure sufficient roles and policies are in place on the OCI side, refer to the Fortinet OCI administration guide.

The guide provides detailed instructions on how to configure an OCI SDN connector using IAM roles.

When a dynamic group is used, OCI may fail to match the group, and the same error will occur.

To overcome this, use the full path of the dynamic group in the policy statement:

Allow dynamic-group DomainName/DynamicGroupName to manage all-resources in tenancy
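As an added example (not part of this article or of Fortinet's own tooling), the following Python check evaluates an OCI dynamic-group matching rule against both HA peers before the policy is relied on, so a rule that silently leaves one peer out is caught before a failover does, and it builds the policy statement in the domain-qualified form shown above. It goes slightly beyond the article in that it handles the general Any/All rule form with = and != conditions; the instance OCIDs, compartment OCID and identity domain name are constructed placeholders.

```python
import re

# Constructed sample values (placeholders, not real OCIDs): one rule that
# selects both HA peers through their compartment, one that lists a single peer.
RULE_BY_COMPARTMENT = "Any {instance.compartment.id = 'ocid1.compartment.oc1..EXAMPLE'}"
RULE_BY_ID = "Any {instance.id = 'ocid1.instance.oc1.iad.PRIMARY'}"

HA_PEERS = {
    "fgt-primary": {"instance.id": "ocid1.instance.oc1.iad.PRIMARY",
                    "instance.compartment.id": "ocid1.compartment.oc1..EXAMPLE"},
    "fgt-secondary": {"instance.id": "ocid1.instance.oc1.iad.SECONDARY",
                      "instance.compartment.id": "ocid1.compartment.oc1..EXAMPLE"},
}

_COND = re.compile(r"\s*([\w.]+)\s*(!?=)\s*'([^']*)'\s*")

def parse_rule(rule):
    """Split a matching rule into ('any'|'all', [(attribute, op, value), ...])."""
    m = re.fullmatch(r"\s*(Any|All)\s*\{(.*)\}\s*", rule, re.S)
    mode, body = (m.group(1).lower(), m.group(2)) if m else ("all", rule)
    conds = []
    for part in body.split(","):          # OCIDs never contain commas
        c = _COND.fullmatch(part)
        if not c:
            raise ValueError(f"unparseable condition: {part!r}")
        conds.append((c.group(1), c.group(2), c.group(3)))
    return mode, conds

def instance_matches(rule, attrs):
    """True if an instance with these attributes belongs to the dynamic group."""
    mode, conds = parse_rule(rule)
    hits = [(attrs.get(attr) == value) == (op == "=") for attr, op, value in conds]
    return any(hits) if mode == "any" else all(hits)

def peers_not_in_group(rule, peers=HA_PEERS):
    """Names of HA peers the rule leaves out; anything here breaks failover."""
    return sorted(name for name, attrs in peers.items()
                  if not instance_matches(rule, attrs))

def policy_statement(domain, group, scope="tenancy"):
    """Policy statement using the identity-domain-qualified group name."""
    return f"Allow dynamic-group {domain}/{group} to manage all-resources in {scope}"

if __name__ == "__main__":
    for rule in (RULE_BY_COMPARTMENT, RULE_BY_ID):
        print(rule, "-> missing peers:", peers_not_in_group(rule))
    print(policy_statement("Default", "fgt-ha-peers"))
```

Run it with the matching rule copied from the OCI console and the two peers' real OCIDs; an empty "missing peers" list for the rule is the precondition for the policy statement to help at all.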

Following these steps will help ensure seamless failover events on OCI:

Configuring an OCI SDN connector using IAM roles