• Log in to the AWS management console and navigate to the EC2: Refer to the article below: Deploying FortiGate-VM from AWS marketplace.

• Select 'EC2' followed by 'Instances', and then proceed to 'Launch an Instance'.
• The EC2 Instance needs to be named, and in this case, the name assigned is 'Primary_Fortigate'.
• Select the Application and OS Images (Amazon Machine Image) by selecting them.

• Explore additional AMIs and opt for the FortiGate from the AWS Marketplace AMIs.

• Select the Fortinet FortiGate (BYOL) next-Generation Firewall (BYOL/'Pay as you go').

-After selecting the image mentioned above, all the parameters will be displayed as shown below.

• For this demonstration, the c6i.xlarge instance has been automatically chosen, and it is important to ensure the same instance type is selected when configuring the Another Instance, which will serve as the Secondary FortiGate.

• The Key Pair name is selected appropriately to facilitate Instance management through Putty using the provided credentials. It is worth noting that no Key Pair has been used in this example.

• Choose the appropriate VPC, which is Fortinet_VPC, and then select the Public Subnet.
• Disable the Auto-Assign Public IP option since, for this demonstration, it will explicitly provide the Elastic Public IP address.

Note:

The above image shows that the Primary FortiGate is getting the IP address (Public) from US-EAST-1A.

While launching the Secondary FortiGate, choose the appropriate Availability Zone as it should be from another Availability Zone. In this case, let's choose US-EAST-1b.

• Customize the Security Group based on the network requirements. The Security Group allows to control the incoming and outgoing traffic to and from the EC2 instances. In this example, all traffic is permitted from any source.

• Assign the rule to all interfaces on both FortiGate-VMs. The next step in the process, Adding network interfaces and elastic IP addresses to the FortiGate-VMs, explains creating additional network interfaces and tightening the security group later.

Refer to this document: Adding network interfaces and elastic IP addresses to the FortiGate-VMs.

• Launch the Primary EC2 instance.
• Launch the Secondary EC2 instance following the above Steps but in a different Availability Zone.
• To access the FortiGate, select the Primary EC2 Instance and obtain the Public IPv4 address. Open the address in a browser.
• Once accessed, use 'admin' as the default username and the instance ID as the password, which can be found under the Instance ID by selecting the respective Instance. It will prompt to change the password. Afterward, the License can be uploaded to the FortiGate.
  
  

The example below demonstrates that both the FortiGate Instance state is running and the Status check 2/2 checks passed.

HA Configuration.

Primary FGT HA configuration:

PrimaryFGT # config system ha

PrimaryFGT (ha) # set mode a-p

PrimaryFGT (ha) # set group-name TAC

PrimaryFGT (ha) # set hbdev port3 50

PrimaryFGT (ha) # set password fortinet

PrimaryFGT (ha) # set session-pickup enable

PrimaryFGT (ha) # set session-pickup-connectionless enable

PrimaryFGT (ha) # set ha-mgmt-status enable

PrimaryFGT (ha) # config ha-mgmt-interfaces

PrimaryFGT (0) # set interface port4 -> (Choose the port accordingly).

PrimaryFGT (0) # set gateway

<class_ip>    Class A,B,C ip xxx.xxx.xxx.xxx

PrimaryFGT (0) # set gateway x.x.x.x

PrimaryFGT (0) # show

config ha-mgmt-interfaces

    edit 1

        set interface "port4"

        set gateway x.x.x.x

    next

end

PrimaryFGT (0) # end

PrimaryFGT (ha) # set unicast-hb enable

PrimaryFGT (ha) # set unicast-hb-peerip y.y.y.y (It has to be the peer FortiGate heartbeat IP address).

PrimaryFGT (ha) # set priority 200  ->(Priority on the primary should be higher).

PrimaryFGT (ha) # end

Secondary Fortigate HA Configuration :

SecondaryFGT # config system ha

SecondaryFGT (ha) # set mode a-p

SecondaryFGT (ha) # set group-name TAC

SecondaryFGT(ha) # set hbdev port3 50

SecondaryFGT (ha) # set password fortinet

SecondaryFGT(ha) # set session-pickup enable

SecondaryFGT(ha) # set session-pickup-connectionless enable

SecondaryFGT(ha) # set ha-mgmt-status enable

SecondaryFGT(ha) # config ha-mgmt-interfaces

SecondaryFGT (0) # set interface port4 -> (Choose the same port above).

PrimaryFGT (0) # set gateway

<class_ip>    Class A,B,C ip xxx.xxx.xxx.xxx

SecondaryFGT(0) # set gateway x.x.x.x

SecondaryFGT (0) # show

config ha-mgmt-interfaces

    edit 1

        set interface "port4"

        set gateway x.x.x.x

    next

end

SecondaryFGT (0) # end

SecondaryFGT(ha) # set unicast-hb enable

SecondaryFGT(ha) # set unicast-hb-peerip x.x.x.x  (It has to be a peer FortiGate heartbeat IP address).

SecondaryFGT(ha) # set priority 100

SecondaryFGT(ha) # end

FGVM08TM22005241 # diagnose sys ha status

HA information

Statistics

        traffic.local = s:0 p:76747 b:19422007

        traffic.total = s:0 p:76747 b:19423443

        activity.ha_id_changes = 2

        activity.fdb  = c:0 q:0

Model=80008, Mode=2 Group=0 Debug=0

nvcluster=1, ses_pickup=1, delay=0

[Debug_Zone HA information]

HA group member information: is_manage_primary=1.

FGVM08TM22005241:      Primary, serialno_prio=0, usr_priority=200, hostname=FGVM08TM22005241

FGVM08TM22005240:    Secondary, serialno_prio=1, usr_priority=100, hostname=FGVM08TM22005240

[Kernel HA information]

vcluster 1, state=work, primary_ip=10.1.3.189, primary_id=0

FGVM08TM22005241:      Primary, ha_prio/o_ha_prio=0/0

FGVM08TM22005240:    Secondary, ha_prio/o_ha_prio=1/1

FGVM08TM22005241 #

A dual Availability Zone can also be deployed with CloudFormation templates. These can be found in the Fortinet AWS-CloudFormation-Templates GitHub Repository. Select the relevant version and then select Dual-AZ.

Related documents:

Deploying FortiGate-VM active-passive HA AWS between multiple zones.

Technical Tip: Ensuring Smooth HA A-P FortiGate Deployment on AWS and Testing Failover