FortiGate
JNDias
Staff
Article Id 243918
Description

This article describes a public-cloud HA cluster in which it is impossible to give the two nodes different WAN or LAN IP addresses: any manual change to an interface IP on one member is immediately synchronized to the other.

 

Example:

FGT A - port1 - 10.0.0.13

FGT B - port1 - 10.0.0.12

 

This breaks HA synchronization and can cause failover to fail, because in the public cloud each node must have its own set of IP addresses.

This behavior is sometimes seen in new deployments or after an upgrade.

 

By default, a one-zone deployment may not contain the exception that stops interface configuration from being synchronized.

Scope

FortiGate cluster in the public cloud (for example AWS or Azure) with both nodes in the same zone (same network).

Solution

To avoid this issue, create a VDOM exception so that the interface configuration (including IP addresses) is not synchronized between the members.

 

The IP addresses can then be set statically on each member without being overwritten by the other.

 

Apply these settings on both members of the cluster:

 

# create the exception for the interface object

config system vdom-exception

    edit 1

        set object system.interface

    next

end

 

Note: once the exception is in place, interface configuration is no longer synchronized, so any future change to an interface must be made, and checked, on both members.

 

Unlike a multi-zone deployment, no further exceptions are needed, because routing and VIPs are identical on both members as they share the same network.

 

The IP addresses can now be changed on each member independently.
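The complete sequence on both members, as an added example that is not part of the original article: the exception from above, a distinct port1 address on each node, and the commands used to confirm that the cluster still reports itself as in sync. The /24 mask is an assumption (the article gives only the host addresses), and `execute ha manage` is shown as one way to reach the secondary from the primary console; adjust the member index and admin name to the cluster in question.

```fortios
# --- On the primary member (FGT A) ---

# 1. Exclude the interface object from HA synchronization.
config system vdom-exception
    edit 1
        set object system.interface
    next
end

# 2. Set the primary's own port1 address.
#    Mask 255.255.255.0 is an assumption, not from the article.
config system interface
    edit "port1"
        set ip 10.0.0.13 255.255.255.0
    next
end

# 3. Jump to the secondary (member index and admin name are assumptions).
execute ha manage 1 admin

# --- On the secondary member (FGT B) ---

# 4. The exception must exist on this member too.
config system vdom-exception
    edit 1
        set object system.interface
    next
end

# 5. Set the secondary's own port1 address.
config system interface
    edit "port1"
        set ip 10.0.0.12 255.255.255.0
    next
end

# --- Verification, on either member ---

# The exception is present.
show system vdom-exception

# Each member keeps its own address; the other member must NOT
# report the same IP after a few seconds.
show system interface port1

# Cluster state and checksums: with system.interface excluded,
# the per-member checksums should still match even though the
# port1 addresses differ.
get system ha status
diagnose sys ha checksum cluster
```

If `diagnose sys ha checksum cluster` still shows mismatched checksums after the exception is in place on both members, compare the remaining objects with the "HA FortiGate configurations that will sync and will not sync" tip listed below before changing anything else on the interfaces.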

 

Related documents:

- Fortinet Docs:

Deploying FortiGate-VM active-passive HA on AWS within one zone

HA for FortiGate-VM on Azure

 

- GitHub:

FortiOS FGCP AP HA (Single AZ) in AWS

Deployment templates for FortiGate | Microsoft Azure

Terraform Deployment Scripts

 

- Other Knowledge Base Articles:

Technical Tip: HA FortiGate configurations that will sync and will not sync