FortiGate
ChrisTan
Staff
Article Id 358535
Description

This article describes how multiple secondary IPs and their associated public (Elastic) IPs are re-assigned during a FortiGate HA failover in an AWS environment that spans multiple availability zones.

Scope

FortiGate HA in AWS.
Solution

In an AWS multiple-zone environment, the two members of a FortiGate HA active-passive (A-P) cluster sit in different subnets with different IP address ranges, so failover behaves differently from a single-zone deployment. This matters most when the FortiGate has multiple public IPs mapped to private (secondary) IPs, because each mapping has to be moved to the new primary.

 

The screenshot below shows the FortiGate HA cluster with two secondary IPs and their corresponding public IPs.

 

2024-11-19_15h29_52.png

 

Those secondary IPs are also configured on both FortiGates. The primary FortiGate:

 

2024-11-19_16h03_40.png

 

The secondary FortiGate:

 

2024-11-19_16h03_52.png

 

On the primary FortiGate, each secondary IP must have a public (Elastic) IP associated with it:

 

2024-11-19_16h13_35.png

 

The same public-to-private IP mapping is visible on the network interface (ENI) of the primary FortiGate:

 

2024-11-19_16h18_55.png

 

The secondary FortiGate does not need the public IP mapping in advance; the awsd daemon moves the Elastic IPs to it when the HA failover happens:

 

2024-11-19_16h21_00.png

 

The debug output captured on the former secondary unit (hostname AWS-HA-Passive) while it became primary shows each Elastic IP being re-associated with its secondary IP on the new primary's ENI, gratuitous ARPs being sent, and the default route being replaced:

 

AWS-HA-Passive # diagnose debug application awsd -1
Debug messages will be on for 30 minutes.
AWS-HA-Passive # diagnose debug en

AWS-HA-Passive #
AWS-HA-Passive # awsd running in secondary mode, won't update
HA event
HA state: primary
awsd get iam role FGT
awsd get instance id i-0c8142bfab1f75965
awsd get region eu-west-1
awsd get vpc id vpc-0d1db20d9605c85e9
awsd checking ha status for vdom root
awsd checking elastic ip for port1
awsd associate elastic ip 99.80.137.76 to 20.1.10.10 of eni eni-0ce1b9cb367288704
awsd associate elastic ip 99.80.137.76 successfully
awsd associate elastic ip 34.240.130.181 to 20.1.10.13 of eni eni-0ce1b9cb367288704
awsd associate elastic ip 34.240.130.181 successfully
awsd associate elastic ip 54.217.211.204 to 20.1.10.14 of eni eni-0ce1b9cb367288704
awsd associate elastic ip 54.217.211.204 successfully
awsd checking elastic ip for port2
send_vip_arp: vd root primary 1 intf port1 ip 20.1.10.10
send_vip_arp: vd root primary 1 intf port1 ip 20.1.10.13
send_vip_arp: vd root primary 1 intf port1 ip 20.1.10.14
send_vip_arp: vd root primary 1 intf port2 ip 20.1.11.10
send_vip_arp: vd root primary 1 intf fortilink ip 10.255.1.1
awsd checking route table rtb-02da8acdea8ea35ec
awsd update route table rtb-02da8acdea8ea35ec, replace route of dst 0.0.0.0/0 to eni-095e75d0652715772
awsd update route successfully

 

2024-11-19_17h27_14.png

 

The public IP mapping is applied in sequence: awsd walks the secondary IPs in order and associates each Elastic IP with the corresponding private IP, as the debug output shows (20.1.10.10, 20.1.10.13 and 20.1.10.14, each with its own Elastic IP). The secondary IPs must therefore be configured in the same order on both FortiGates, and the intended pairing of Elastic IPs to secondary IPs must be verified before the configuration is applied; otherwise a public IP can end up on a different private IP after failover.
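As an added example (not Fortinet code and not part of awsd), the following Python script parses awsd debug output of the kind shown above and checks that every Elastic IP landed on the intended secondary IP of the new primary's ENI, that a gratuitous ARP was sent for each secondary IP, and that the default route was replaced. The log text is copied from the article's debug output; the planned secondary/Elastic IP lists and the ENI identifiers are assumptions taken from that same output.

```python
"""Check a FortiGate awsd failover debug capture against the planned
Elastic IP <-> secondary IP mapping.

Illustrative example added to this article; not Fortinet code and not part
of awsd. SAMPLE_LOG is copied from the article's debug output; the planned
lists and ENI identifiers below are assumptions that mirror it.
"""
import re

SAMPLE_LOG = """\
awsd checking elastic ip for port1
awsd associate elastic ip 99.80.137.76 to 20.1.10.10 of eni eni-0ce1b9cb367288704
awsd associate elastic ip 99.80.137.76 successfully
awsd associate elastic ip 34.240.130.181 to 20.1.10.13 of eni eni-0ce1b9cb367288704
awsd associate elastic ip 34.240.130.181 successfully
awsd associate elastic ip 54.217.211.204 to 20.1.10.14 of eni eni-0ce1b9cb367288704
awsd associate elastic ip 54.217.211.204 successfully
awsd checking elastic ip for port2
send_vip_arp: vd root primary 1 intf port1 ip 20.1.10.10
send_vip_arp: vd root primary 1 intf port1 ip 20.1.10.13
send_vip_arp: vd root primary 1 intf port1 ip 20.1.10.14
send_vip_arp: vd root primary 1 intf port2 ip 20.1.11.10
awsd checking route table rtb-02da8acdea8ea35ec
awsd update route table rtb-02da8acdea8ea35ec, replace route of dst 0.0.0.0/0 to eni-095e75d0652715772
awsd update route successfully
"""

# Assumed plan: secondary IPs in the order configured on port1, and the
# Elastic IPs in the order they are meant to pair with them. awsd maps them
# by sequence, so a different order on one unit shifts the pairs; that is
# exactly what verify_failover() catches.
SECONDARY_IPS = ["20.1.10.10", "20.1.10.13", "20.1.10.14"]
ELASTIC_IPS = ["99.80.137.76", "34.240.130.181", "54.217.211.204"]
PLANNED_MAP = list(zip(ELASTIC_IPS, SECONDARY_IPS))
PORT1_ENI = "eni-0ce1b9cb367288704"  # new primary's port1 ENI (from the log)
ROUTE_ENI = "eni-095e75d0652715772"  # new primary's ENI for the default route (from the log)

ASSOC = re.compile(r"associate elastic ip (\S+) to (\S+) of eni (eni-[0-9a-f]+)")
ASSOC_OK = re.compile(r"associate elastic ip (\S+) successfully")
ROUTE = re.compile(r"update route table (rtb-[0-9a-f]+), replace route of dst (\S+) to (eni-[0-9a-f]+)")
ROUTE_OK = re.compile(r"update route successfully")
GARP = re.compile(r"send_vip_arp: .* intf (\S+) ip (\S+)")


def parse_awsd_log(text):
    """Return (associations, routes, garps) extracted from awsd debug output.

    associations: [eip, private_ip, eni, confirmed] in log order
    routes:       [rtb, dst, eni, confirmed]
    garps:        (intf, ip) gratuitous ARPs sent by the new primary
    """
    assocs, routes, garps = [], [], []
    for line in text.splitlines():
        if m := ASSOC.search(line):
            assocs.append([m[1], m[2], m[3], False])
        elif (m := ASSOC_OK.search(line)) and assocs and assocs[-1][0] == m[1]:
            assocs[-1][3] = True  # confirm the association just announced
        elif m := ROUTE.search(line):
            routes.append([m[1], m[2], m[3], False])
        elif ROUTE_OK.search(line) and routes:
            routes[-1][3] = True
        elif m := GARP.search(line):
            garps.append((m[1], m[2]))
    return assocs, routes, garps


def verify_failover(text, planned=PLANNED_MAP, port1_eni=PORT1_ENI, route_eni=ROUTE_ENI):
    """Return a list of problems; an empty list means the failover did what was planned."""
    assocs, routes, garps = parse_awsd_log(text)
    problems = []
    landed = {}
    for eip, private, eni, ok in assocs:
        landed[eip] = private
        if not ok:
            problems.append(f"{eip}: association to {private} not confirmed")
        if eni != port1_eni:
            problems.append(f"{eip}: associated on unexpected ENI {eni}")
    for eip, private in planned:
        if eip not in landed:
            problems.append(f"{eip}: never re-associated")
        elif landed[eip] != private:
            problems.append(f"{eip}: landed on {landed[eip]}, planned {private}")
    announced = {ip for _, ip in garps}
    for _, private in planned:
        if private not in announced:
            problems.append(f"{private}: no gratuitous ARP sent")
    if not any(dst == "0.0.0.0/0" and eni == route_eni and ok for _, dst, eni, ok in routes):
        problems.append("default route not confirmed on the new primary's ENI")
    return problems


if __name__ == "__main__":
    issues = verify_failover(SAMPLE_LOG)
    print("failover OK" if not issues else "\n".join(issues))
```

To use it during a planned failover test, capture the output of `diagnose debug application awsd -1` on the unit that takes over, save it to a file, and pass its contents to verify_failover() with the SECONDARY_IPS, ELASTIC_IPS and ENI values of your own deployment. Any mismatch between the planned pairs and what awsd actually associated indicates that the secondary IPs are ordered differently on the two units or that an Elastic IP is missing from the mapping.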

 

Related document:

Deploying FortiGate-VM active-passive HA AWS between multiple zones.
