Pedro_FTNT
Staff
Article Id 403671
Description: This article describes how to guarantee that all elastic IP addresses (primary and secondary) migrate correctly when a failover is performed on a FortiGate cluster in AWS.
Scope: FortiGate.
Solution
  1. Introduction: FortiGate SDN Connector (supported natively by FortiOS).
  2. Overview of Alternatives:
 
|   | Solution      | Pros                                                                        | Cons                                                              |
|---|---------------|-----------------------------------------------------------------------------|-------------------------------------------------------------------|
| 1 | SDN Connector | • Fortinet-native, no extra services<br>• Moves EIPs and routes automatically | • Requires FortiOS ≥ 6.4<br>• Needs IAM role with broad permissions |
 
  3. Detailed Implementation Plans:
 
Prerequisites
  • FortiOS 6.4 or later; the connector is configured under Fabric → Connectors → Public Cloud.
  • Active Support entitlement: BYOL (Bring Your Own License) or PAYG (Pay As You Go), including SDN connector features.
  • IAM role attached to both instances with the following minimum actions:  
 
"Describe*", "AssociateAddress", "DisassociateAddress", "ModifyNetworkInterfaceAttribute", "CreateRoute", "ReplaceRoute", "AssignPrivateIpAddresses", "UnassignPrivateIpAddresses", "DescribeCluster", "ListClusters", "BatchGetResourceConfig".
 
  • HA pair deployed in different Availability Zones using 'stand-alone config-sync' (interfaces and routes are not synchronized).
 
Step-by-Step:
  1. Confirm FortiOS version.  
 
get system status | grep Version
 
  2. Attach/validate IAM role: Use the AWS Console under EC2 → Actions → Security → Modify IAM Role.
  3. Create the SDN Connector (CLI).
   
config system sdn-connector
    edit "aws-ha"
        set type aws
        set use-metadata-iam enable     <----- Rely on the instance profile (IAM role) rather than static keys.
        set update-interval 30          <----- Poll AWS every 30 s.
        set update-elastic-ip enable    <----- Move ALL EIPs (primary and secondary) on failover.
        set update-route enable         <----- Flip route-table entries to the new master's ENI.
    next
end
 
  4. Verify discovery.
  
diagnose sys sdn-connector list
 
Ensure all ENIs (Elastic Network Interface) and EIPs (Elastic IP Address) appear.
 
  5. Adjust HA settings.
   
config system ha
    set unicast-hb enable
    set standalone-config-sync disable
end
   
  6. Functional test in the laboratory.
  • Force a failover:

diagnose system ha reset-uptime

  • Run 'aws ec2 describe-addresses' to confirm that every EIP is re-associated within 30 s.
  • Generate external traffic to each EIP to verify continuity.
 
  7. Enable logging/monitoring: FortiOS Event Log filter: "message_id=0100042005"
  8. Production rollout: Schedule a maintenance window; repeat the validation; monitor.
  9. Rollback Procedure.
 
config system sdn-connector
    edit "aws-ha"
        set update-elastic-ip disable
        set update-route disable
    next
end
 
  • Re-associate EIPs manually if needed:
"aws ec2 associate-address --allocation-id eipalloc-xxxx --network-interface-id eni-yyyy"
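To automate the check in step 6 (confirming with 'aws ec2 describe-addresses' that every primary and secondary EIP has moved to the new master's ENI within the connector's 30 s update interval), the following Python script is an added example and is not part of this article or of FortiOS. The allocation IDs, ENI IDs and the embedded describe-addresses output are constructed placeholders, and aws_describe_addresses assumes the AWS CLI is installed with credentials that allow ec2:DescribeAddresses.

```python
"""Post-failover check: are all expected EIPs attached to the new master's ENI?"""
import json
import subprocess
import time
from typing import Callable, Dict, List

# Constructed sample of `aws ec2 describe-addresses --output json` taken mid-failover:
# two EIPs already moved, one still on the old master's ENI (IDs are placeholders).
SAMPLE_DESCRIBE_ADDRESSES = json.dumps({"Addresses": [
    {"PublicIp": "203.0.113.10", "AllocationId": "eipalloc-primary0001",
     "NetworkInterfaceId": "eni-newmaster001", "PrivateIpAddress": "10.0.1.10"},
    {"PublicIp": "203.0.113.11", "AllocationId": "eipalloc-second0002",
     "NetworkInterfaceId": "eni-newmaster001", "PrivateIpAddress": "10.0.1.11"},
    {"PublicIp": "203.0.113.12", "AllocationId": "eipalloc-second0003",
     "NetworkInterfaceId": "eni-oldmaster002", "PrivateIpAddress": "10.0.2.12"},
]})


def stale_eips(describe_json: str, expected_allocs: List[str], active_eni: str) -> Dict[str, str]:
    """Map each expected allocation ID that is NOT on active_eni to where it is now
    ('unassociated' if AWS reports no ENI, 'unknown-allocation' if it is missing)."""
    by_alloc = {a["AllocationId"]: a for a in json.loads(describe_json)["Addresses"]}
    stale: Dict[str, str] = {}
    for alloc in expected_allocs:
        entry = by_alloc.get(alloc)
        current = entry.get("NetworkInterfaceId", "unassociated") if entry else "unknown-allocation"
        if current != active_eni:
            stale[alloc] = current
    return stale


def aws_describe_addresses(allocs: List[str]) -> str:
    """Fetch live data with the AWS CLI (assumed installed and authorised for DescribeAddresses)."""
    return subprocess.check_output(
        ["aws", "ec2", "describe-addresses", "--allocation-ids", *allocs, "--output", "json"],
        text=True)


def wait_for_migration(fetch: Callable[[], str], expected_allocs: List[str], active_eni: str,
                       timeout_s: int = 30, interval_s: int = 5) -> Dict[str, str]:
    """Poll until every EIP sits on active_eni or timeout_s elapses (30 s matches the
    connector's update-interval). Returns the EIPs still stale when polling stops."""
    deadline = time.monotonic() + timeout_s
    while True:
        remaining = stale_eips(fetch(), expected_allocs, active_eni)
        if not remaining or time.monotonic() >= deadline:
            return remaining
        time.sleep(interval_s)


if __name__ == "__main__":
    expected = ["eipalloc-primary0001", "eipalloc-second0002", "eipalloc-second0003"]
    print(stale_eips(SAMPLE_DESCRIBE_ADDRESSES, expected, "eni-newmaster001"))
```

Against live AWS, call wait_for_migration(lambda: aws_describe_addresses(expected), expected, active_eni) right after the forced failover; a non-empty result after 30 s is the signal to inspect the SDN connector log (step 7) before proceeding.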
 