Created on 01-26-2023 04:11 AM Edited on 01-26-2023 04:12 AM By Jean-Philippe_P
Description

This article describes the case where the two cluster members cannot be given different WAN or LAN interface IPs, because the interface configuration is synchronized to the other member as soon as an IP is changed manually.

Example:
FGT A - port1 - 10.0.0.13
FGT B - port1 - 10.0.0.12

This can cause HA sync issues, and failover may fail, because in the public cloud each node must have its own set of IP addresses. This behavior can sometimes be seen in new deployments or after upgrades.

By default, a one-zone deployment may not include the synchronization exceptions that keep these settings from being synced.
Scope

FortiGate Cluster on the public cloud (e.g. AWS or Azure) within the same zone (Network).

Solution
To avoid this issue, create an exception so the interface IPs will not sync.
This way the IPs can be applied statically on each member without being synchronized to the other.
Apply these settings on both members of the cluster:
# created exception
config system vdom-exception
    edit 1
        set object system.interface
    next
end
Note: once the exception is in place, any future change to the interfaces must be applied and validated on both members, since it will no longer be synchronized.

Additional exceptions, as would be used in a 'multi-zone deployment', are not necessary here because the routing and VIPs are the same on both members, as they are in the same network.
It is now possible to change the IP addresses.
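As an added worked example (not from the original article), the sequence below shows the exception being created and the article's example addresses being applied on each member separately, followed by checks on each member. The hostnames, the /24 netmask and the verification commands are assumptions for illustration; the lines starting with # are comments for the reader.

```fortios
# --- On FGT A (netmask assumed for illustration) ---
config system vdom-exception
    edit 1
        set object system.interface
    next
end
config system interface
    edit "port1"
        set ip 10.0.0.13 255.255.255.0
    next
end

# --- On FGT B (netmask assumed for illustration) ---
config system vdom-exception
    edit 1
        set object system.interface
    next
end
config system interface
    edit "port1"
        set ip 10.0.0.12 255.255.255.0
    next
end

# --- Verification, run on each member ---
# Confirm the exception for system.interface exists on this member
show system vdom-exception
# Confirm this member kept its own port1 address (10.0.0.13 on A, 10.0.0.12 on B)
get system interface physical
# Confirm the cluster still reports both members and an in-sync configuration
get system ha status
```

Create the exception on both members before changing the addresses; otherwise the first IP change is synchronized to the peer and the two nodes end up with the same address again.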
Related documents:
- Fortinet Docs: Deploying FortiGate-VM active-passive HA on AWS within one zone
- GitHub: FortiOS FGCP AP HA (Single AZ) in AWS
- Deployment templates for FortiGate | Microsoft Azure
- Other Knowledge Base Articles: Technical Tip: HA FortiGate configurations that will sync and will not sync
Copyright 2024 Fortinet, Inc. All Rights Reserved.