FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
nkorea
Staff
Article Id 267003
Description: This article describes how to set up FortiGate-VM active-passive (A-P) HA on AWS across different Availability Zones.
Scope

[Screenshot: nkorea_0-1690931213796.png]

  • Assuming that the VPC, subnets (with subnet associations), route table, and Internet Gateway have already been configured and attached to the corresponding entities.

Refer to the articles below:

Creating a VPC and subnets.

Attaching the new VPC Internet gateway.

Creating routing tables and associating subnets.

Layout:

Port1: External (Public) interface that is connected to the Internet.

Port2: Internal Interface that is connected to the Private network.

Port3: Dedicated HA Heartbeat Interface.

Port4: Dedicated Management Interface. It is not required, but it allows connecting directly to the individual devices in the cluster if the AWS failover fails for any reason.

Note: To attach at least 4 network interfaces, the AWS instance (VM) size must provide at least 4 vCPUs.

  • Port 1 of the Primary FortiGate resides in one subnet, whereas Port 1 of the Secondary FortiGate belongs to a separate subnet.
  • Port 2 of the Primary FortiGate resides in one subnet, whereas Port 2 of the Secondary FortiGate belongs to a separate subnet.
  • Port 3 of the Primary FortiGate resides in one subnet, whereas Port 3 of the Secondary FortiGate belongs to a separate subnet.
  • Port 4 of the Primary FortiGate resides in one subnet, whereas Port 4 of the Secondary FortiGate belongs to a separate subnet.

  • Ensure that two FortiGates exist in the same VPC and AZ. The two FortiGates must also have the same build of FortiOS (FGT_VM64_AWS or FGT_VM64_AWSONDEMAND) installed.
  • If using FGT_VM64_AWS, ensure that both FortiGates have valid licenses.
Solution
  • Log in to the AWS management console and navigate to EC2.

Refer to the article below:

Deploying FortiGate-VM from AWS marketplace.

  • Select 'EC2', then 'Instances', and then 'Launch an Instance'.
  • Give the EC2 instance a name; in this case, the name assigned is 'Primary_Fortigate'.
  • Select the Application and OS Image (Amazon Machine Image).

[Screenshot: nkorea_1-1690931286020.png]

  • Browse additional AMIs and choose the FortiGate image from the AWS Marketplace AMIs.

[Screenshot: nkorea_2-1690931286028.png]

  • Select Fortinet FortiGate (BYOL) Next-Generation Firewall (BYOL or 'Pay as you go').

[Screenshot: nkorea_3-1690931286031.png]

  • After selecting the image above, all the parameters are displayed as shown below.

[Screenshot: nkorea_4-1690931286036.png]

  • For this demonstration, the c6i.xlarge instance type was chosen automatically. Make sure the same instance type is selected when configuring the other instance, which will serve as the Secondary FortiGate.

[Screenshot: nkorea_5-1690931286038.png]

  • Select a Key Pair if the instance will be managed over SSH (for example with PuTTY) using the provided credentials. No Key Pair is used in this example.

[Screenshot: nkorea_6-1690931286040.png]

  • Choose the appropriate VPC, here Fortinet_VPC, and then select the Public Subnet.
  • Disable the Auto-assign Public IP option, since an Elastic IP address will be assigned explicitly in this demonstration.

[Screenshot: nkorea_7-1690931286043.png]

Note: The image above shows the Primary FortiGate being placed in us-east-1a, where it obtains its public IP address.

When launching the Secondary FortiGate, choose a different Availability Zone; in this case, us-east-1b.

  • Customize the Security Group according to the network requirements. The Security Group controls the incoming and outgoing traffic to and from the EC2 instances. In this example, all traffic is permitted from any source.

[Screenshot: nkorea_8-1690931286050.png]

[Screenshot: nkorea_9-1690931286055.png]
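The "all traffic from any source" group used in the demonstration is convenient for a lab, but the check a reviewer would run on a production group before exposing the FortiGate's management ports to the Internet can be written in a few lines. The following is an added example, not part of the original article or of Fortinet's tooling: it expresses the demonstration group and a tighter alternative in the IpPermissions shape that boto3's authorize_security_group_ingress accepts, and reports which management ports are reachable from the whole Internet. The admin CIDR, VPC CIDR and the port list are assumptions; the code runs offline and makes no AWS call.

```python
"""Audit EC2 security-group ingress rules for Internet-exposed FortiGate
management ports. Added example: runs offline, no boto3 call is made.
Rules are written in the IpPermissions shape that boto3 uses."""
import ipaddress

# Ports a FortiGate typically listens on for administration (assumed list):
# 22 SSH, 80/443 web GUI, 541 FortiManager (FGFM).
MGMT_PORTS = (22, 80, 443, 541)

# Constructed: the demonstration's group, every protocol from any source.
OPEN_SG = [
    {"IpProtocol": "-1",
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}],
     "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
]

# Assumed values for the tightened alternative (documentation / RFC1918 ranges).
ADMIN_CIDR = "203.0.113.0/24"   # operator network allowed to reach GUI and SSH
VPC_CIDR = "10.0.0.0/16"        # VPC range; covers both units' heartbeat subnets

RESTRICTED_SG = [
    # Management only from the admin network.
    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
     "IpRanges": [{"CidrIp": ADMIN_CIDR}]},
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
     "IpRanges": [{"CidrIp": ADMIN_CIDR}]},
    # Unicast heartbeat and config sync between the two units stay inside
    # the VPC, so intra-VPC traffic is allowed without exposing anything.
    {"IpProtocol": "-1", "IpRanges": [{"CidrIp": VPC_CIDR}]},
]


def _port_range(rule):
    """Port span covered by one rule; protocol -1 means every port."""
    if rule["IpProtocol"] == "-1":
        return 0, 65535
    return rule.get("FromPort", 0), rule.get("ToPort", 65535)


def _is_world(cidr):
    """True for 0.0.0.0/0 or ::/0 (prefix length zero)."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0


def world_open_ports(rules, watch=MGMT_PORTS):
    """Return the watched ports that any rule exposes to the whole Internet."""
    exposed = set()
    for rule in rules:
        cidrs = [r["CidrIp"] for r in rule.get("IpRanges", [])]
        cidrs += [r["CidrIpv6"] for r in rule.get("Ipv6Ranges", [])]
        if not any(_is_world(c) for c in cidrs):
            continue
        lo, hi = _port_range(rule)
        exposed.update(p for p in watch if lo <= p <= hi)
    return sorted(exposed)


def audit(rules):
    """Human-readable verdict for one group's ingress rules."""
    ports = world_open_ports(rules)
    if not ports:
        return "ok: no management port reachable from 0.0.0.0/0 or ::/0"
    return "exposed: ports %s reachable from any source" % ", ".join(map(str, ports))


if __name__ == "__main__":
    print("demonstration group ->", audit(OPEN_SG))
    print("restricted group    ->", audit(RESTRICTED_SG))
```

The same rule shapes can be passed straight to boto3 when the group is created, so the audited structure and the deployed structure are the one object.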

 

 

Refer to this article:

Adding network interfaces and elastic IP addresses to the FortiGate-VMs.

  • Launch the Primary EC2 instance.
  • Launch the Secondary EC2 instance following the steps above, but in a different Availability Zone.
  • To access the FortiGate, select the Primary EC2 instance and obtain its public IPv4 address. Open the address in a browser.
  • Log in with 'admin' as the default username and the instance ID as the password (the instance ID is shown when the respective instance is selected). The FortiGate prompts for a password change; afterwards, the license can be uploaded.

The example below shows both FortiGate instances with Instance state 'Running' and Status check '2/2 checks passed'.

[Screenshot: nkorea_10-1690931286060.png]

HA configuration

Primary FortiGate HA configuration:

PrimaryFGT # config system ha
PrimaryFGT (ha) # set mode a-p
PrimaryFGT (ha) # set group-name TAC
PrimaryFGT (ha) # set hbdev port3 50
PrimaryFGT (ha) # set password fortinet
PrimaryFGT (ha) # set session-pickup enable
PrimaryFGT (ha) # set session-pickup-connectionless enable
PrimaryFGT (ha) # set ha-mgmt-status enable
PrimaryFGT (ha) # config ha-mgmt-interfaces
PrimaryFGT (0) # set interface port4   -> (Choose the port accordingly.)
PrimaryFGT (0) # set gateway
<class_ip>    Class A,B,C ip xxx.xxx.xxx.xxx
PrimaryFGT (0) # set gateway x.x.x.x
PrimaryFGT (0) # show
config ha-mgmt-interfaces
    edit 1
        set interface "port4"
        set gateway x.x.x.x
    next
end

PrimaryFGT (0) # end
PrimaryFGT (ha) # set unicast-hb enable
PrimaryFGT (ha) # set unicast-hb-peerip y.y.y.y   -> (Heartbeat IP address of the peer FortiGate, i.e. port3 of the Secondary.)
PrimaryFGT (ha) # set priority 200   -> (Priority on the Primary should be higher.)
PrimaryFGT (ha) # end

Secondary FortiGate HA configuration:

SecondaryFGT # config system ha
SecondaryFGT (ha) # set mode a-p
SecondaryFGT (ha) # set group-name TAC
SecondaryFGT (ha) # set hbdev port3 50
SecondaryFGT (ha) # set password fortinet
SecondaryFGT (ha) # set session-pickup enable
SecondaryFGT (ha) # set session-pickup-connectionless enable
SecondaryFGT (ha) # set ha-mgmt-status enable
SecondaryFGT (ha) # config ha-mgmt-interfaces
SecondaryFGT (0) # set interface port4   -> (Choose the same port as on the Primary.)
SecondaryFGT (0) # set gateway
<class_ip>    Class A,B,C ip xxx.xxx.xxx.xxx
SecondaryFGT (0) # set gateway x.x.x.x
SecondaryFGT (0) # show
config ha-mgmt-interfaces
    edit 1
        set interface "port4"
        set gateway x.x.x.x
    next
end

SecondaryFGT (0) # end
SecondaryFGT (ha) # set unicast-hb enable
SecondaryFGT (ha) # set unicast-hb-peerip x.x.x.x   -> (Heartbeat IP address of the peer FortiGate, i.e. port3 of the Primary.)
SecondaryFGT (ha) # set priority 100   -> (Lower than the Primary.)
SecondaryFGT (ha) # end
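Most failures to form this cluster come from the two sides disagreeing on a value that must match (group name, heartbeat device, mode, session pickup) or from a unicast peer IP that points at the wrong interface, which is easy to do when each port3 sits in a different per-zone subnet. The following is an added example, not part of the article or of FortiOS: it parses `show system ha` style output from both units and reports every mismatch. The two configurations and the heartbeat addresses (10.0.3.10 and 10.0.13.10, one per Availability Zone subnet) are constructed to mirror the settings above; the password is left out because `show` prints it encrypted, so it cannot be compared from text.

```python
"""Consistency check for an A-P HA pair from `show system ha` output.
Added example; the configurations below are constructed, not captured."""
import re

# Assumed port3 (heartbeat) addresses, one per AZ-specific subnet.
PRIMARY_HB_IP = "10.0.3.10"
SECONDARY_HB_IP = "10.0.13.10"

PRIMARY_CFG = f"""
config system ha
    set group-name "TAC"
    set mode a-p
    set hbdev "port3" 50
    set session-pickup enable
    set session-pickup-connectionless enable
    set ha-mgmt-status enable
    config ha-mgmt-interfaces
        edit 1
            set interface "port4"
            set gateway 10.0.4.1
        next
    end
    set unicast-hb enable
    set unicast-hb-peerip {SECONDARY_HB_IP}
    set priority 200
end
"""

SECONDARY_CFG = f"""
config system ha
    set group-name "TAC"
    set mode a-p
    set hbdev "port3" 50
    set session-pickup enable
    set session-pickup-connectionless enable
    set ha-mgmt-status enable
    config ha-mgmt-interfaces
        edit 1
            set interface "port4"
            set gateway 10.0.14.1
        next
    end
    set unicast-hb enable
    set unicast-hb-peerip {PRIMARY_HB_IP}
    set priority 100
end
"""

# Constructed misconfiguration: peer IP pointing at itself and a group-name typo.
BAD_SECONDARY_CFG = (SECONDARY_CFG
                     .replace(f"unicast-hb-peerip {PRIMARY_HB_IP}",
                              f"unicast-hb-peerip {SECONDARY_HB_IP}")
                     .replace('"TAC"', '"TAC1"'))

# Settings that must be identical on both units for the cluster to form.
MUST_MATCH = ("mode", "group-name", "hbdev", "session-pickup",
              "session-pickup-connectionless", "ha-mgmt-status", "unicast-hb")


def parse_ha(text):
    """Return (top-level settings, ha-mgmt interface names) from the config tree."""
    settings, mgmt_ifaces, depth = {}, [], 0
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith(("config ", "edit ")):
            depth += 1
        elif line in ("end", "next"):
            depth -= 1
        else:
            m = re.match(r"set (\S+) (.+)", line)
            if not m:
                continue
            key, value = m.group(1), m.group(2).replace('"', "")
            if depth == 1:
                settings[key] = value        # directly under config system ha
            elif key == "interface":
                mgmt_ifaces.append(value)    # inside ha-mgmt-interfaces
    return settings, mgmt_ifaces


def check_pair(primary_cfg, primary_hb_ip, secondary_cfg, secondary_hb_ip):
    """List every reason the two configurations would not form the intended pair."""
    p, p_mgmt = parse_ha(primary_cfg)
    s, s_mgmt = parse_ha(secondary_cfg)
    problems = []
    for key in MUST_MATCH:
        if p.get(key) != s.get(key):
            problems.append(f"{key} differs: {p.get(key)!r} vs {s.get(key)!r}")
    if p_mgmt != s_mgmt:
        problems.append(f"ha-mgmt interface differs: {p_mgmt} vs {s_mgmt}")
    p_prio, s_prio = p.get("priority", ""), s.get("priority", "")
    if not (p_prio.isdigit() and s_prio.isdigit() and int(p_prio) > int(s_prio)):
        problems.append("primary priority must be numeric and higher than the secondary's")
    if p.get("unicast-hb") == "enable":
        # Each side's peer IP must be the other side's heartbeat address.
        if p.get("unicast-hb-peerip") != secondary_hb_ip:
            problems.append(f"primary unicast-hb-peerip {p.get('unicast-hb-peerip')} "
                            f"is not the secondary heartbeat IP {secondary_hb_ip}")
        if s.get("unicast-hb-peerip") != primary_hb_ip:
            problems.append(f"secondary unicast-hb-peerip {s.get('unicast-hb-peerip')} "
                            f"is not the primary heartbeat IP {primary_hb_ip}")
    return problems


if __name__ == "__main__":
    for label, cfg in (("good pair", SECONDARY_CFG), ("bad pair", BAD_SECONDARY_CFG)):
        found = check_pair(PRIMARY_CFG, PRIMARY_HB_IP, cfg, SECONDARY_HB_IP)
        print(label, "->", found or "consistent")
```

Run it against the real `show system ha` output of both units, supplying each unit's port3 address, before expecting the `diagnose sys ha status` output below to show both members.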

 

[Screenshot: nkorea_11-1690931286064.png]

FGVM08TM22005241 # diagnose sys ha status
HA information
Statistics
        traffic.local = s:0 p:76747 b:19422007
        traffic.total = s:0 p:76747 b:19423443
        activity.ha_id_changes = 2
        activity.fdb  = c:0 q:0

Model=80008, Mode=2 Group=0 Debug=0
nvcluster=1, ses_pickup=1, delay=0

[Debug_Zone HA information]
HA group member information: is_manage_primary=1.
FGVM08TM22005241:      Primary, serialno_prio=0, usr_priority=200, hostname=FGVM08TM22005241
FGVM08TM22005240:    Secondary, serialno_prio=1, usr_priority=100, hostname=FGVM08TM22005240

[Kernel HA information]
vcluster 1, state=work, primary_ip=10.1.3.189, primary_id=0
FGVM08TM22005241:      Primary, ha_prio/o_ha_prio=0/0
FGVM08TM22005240:    Secondary, ha_prio/o_ha_prio=1/1

FGVM08TM22005241 #
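The listing above is what confirms that the cluster formed with the intended roles, and it is also the output to re-check after a failover test. As an added example (not part of the article or of FortiOS), the code below parses the member lines under `[Debug_Zone HA information]` and the `ses_pickup` flag from that output, using the article's own listing as sample input, and checks that the member with the highest `usr_priority` is the one reported as Primary, with session pickup active. The swapped-roles listing is constructed to show what the check reports after a failover.

```python
"""Verify HA roles from `diagnose sys ha status` output. Added example;
SAMPLE is the listing shown in the article, FAILED_OVER is constructed."""
import re

SAMPLE = """\
HA information
Statistics
        traffic.local = s:0 p:76747 b:19422007
        traffic.total = s:0 p:76747 b:19423443
        activity.ha_id_changes = 2
        activity.fdb  = c:0 q:0

Model=80008, Mode=2 Group=0 Debug=0
nvcluster=1, ses_pickup=1, delay=0

[Debug_Zone HA information]
HA group member information: is_manage_primary=1.
FGVM08TM22005241:      Primary, serialno_prio=0, usr_priority=200, hostname=FGVM08TM22005241
FGVM08TM22005240:    Secondary, serialno_prio=1, usr_priority=100, hostname=FGVM08TM22005240

[Kernel HA information]
vcluster 1, state=work, primary_ip=10.1.3.189, primary_id=0
FGVM08TM22005241:      Primary, ha_prio/o_ha_prio=0/0
FGVM08TM22005240:    Secondary, ha_prio/o_ha_prio=1/1
"""

# Constructed: the same listing after a failover, with the roles swapped.
FAILED_OVER = (SAMPLE
               .replace("FGVM08TM22005241:      Primary", "FGVM08TM22005241:    Secondary")
               .replace("FGVM08TM22005240:    Secondary", "FGVM08TM22005240:      Primary"))

# Matches only the Debug_Zone member lines (the kernel lines lack serialno_prio).
MEMBER_RE = re.compile(
    r"^(?P<serial>\S+):\s+(?P<role>Primary|Secondary),\s+serialno_prio=\d+,"
    r"\s+usr_priority=(?P<prio>\d+),\s+hostname=(?P<host>\S+)\s*$")


def parse_status(text):
    """Return (members, flags): members maps serial -> role/priority/hostname,
    flags holds the key=value pairs of the 'nvcluster=..., ses_pickup=...' line."""
    members, flags = {}, {}
    for line in text.splitlines():
        m = MEMBER_RE.match(line.strip())
        if m:
            members[m["serial"]] = {"role": m["role"], "priority": int(m["prio"]),
                                    "hostname": m["host"]}
        elif line.startswith("nvcluster="):
            for pair in line.split(","):
                key, _, value = pair.strip().partition("=")
                flags[key] = value
    return members, flags


def verify(text, expected_primary=None):
    """Return a list of findings; an empty list means the cluster looks as intended."""
    members, flags = parse_status(text)
    findings = []
    if len(members) != 2:
        findings.append(f"expected 2 members, parsed {len(members)}")
        return findings
    primaries = [s for s, m in members.items() if m["role"] == "Primary"]
    if len(primaries) != 1:
        findings.append(f"expected exactly one Primary, found {primaries}")
        return findings
    primary = primaries[0]
    highest = max(members, key=lambda s: members[s]["priority"])
    if highest != primary:
        findings.append(f"{primary} is Primary although {highest} has the higher usr_priority")
    if expected_primary and primary != expected_primary:
        findings.append(f"Primary is {primary}, expected {expected_primary}")
    if flags.get("ses_pickup") != "1":
        findings.append("session pickup is not active (ses_pickup != 1)")
    return findings


if __name__ == "__main__":
    print("article listing  ->", verify(SAMPLE, "FGVM08TM22005241") or "as intended")
    print("after failover   ->", verify(FAILED_OVER) or "as intended")
```

With `override` left at its FortiOS default (disabled), a lower-priority unit that took over stays Primary after the original unit returns, so the "higher usr_priority" finding is informational: it is exactly what to expect after a failover, and it tells you that the original Primary has not resumed its role.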

 

Related document:

Deploying FortiGate-VM active-passive HA AWS between multiple zones.