mrashidi
Staff
Article Id 311172
Description This article describes how to configure Virtual IPs (VIPs) on a FortiGate-VM Active-Passive HA Cluster so that inbound traffic keeps working after a failover.
Scope FortiGate-VM, AWS-FortiGate, Azure-FortiGate, GCP-FortiGate, OCI-FortiGate, or any other FortiGate-VMs hosted on Public Cloud.
Solution

There are two different ways to implement VIPs on the FortiGate-VM HA cluster.

 

Diagram:

 

diagram.png

 

  1. Create a separate VIP for each FortiGate's external IP on the Primary FortiGate (the VIPs are synced to the Secondary), and add both of them to the Firewall policy as the destination:

On Primary FortiGate:

  • VIP1: FGT-A External IP:Port => Server IP:Port
  • VIP2: FGT-B External IP:Port => Server IP:Port

Example1:

On the Primary FortiGate (FGT-A):

  • VIPs.

 

ex1-2.png

 

  • Firewall Policy.

 

ex1-1.png
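The CLI equivalent of Example1, added here as an illustration and not taken from the article or the screenshots. The external IPs (203.0.113.10 for FGT-A, 203.0.113.11 for FGT-B), the server 10.0.1.20:443, the interface names port1/port2 and the object names are assumed placeholders; substitute the addresses the cloud provider attaches to each instance. Because both VIPs live in the synced configuration and both are listed in the same policy, the unit that is primary after a failover always has a VIP matching the external IP currently attached to it.

```fortios
# Assumed values: FGT-A external IP 203.0.113.10, FGT-B external IP 203.0.113.11,
# backend server 10.0.1.20 on TCP/443, WAN interface port1, LAN interface port2.
# Entered on the Primary FortiGate only; HA syncs it to the Secondary.
config firewall vip
    edit "VIP1-FGT-A"
        set extintf "port1"
        set extip 203.0.113.10
        set mappedip "10.0.1.20"
        set portforward enable
        set extport 443
        set mappedport 443
    next
    edit "VIP2-FGT-B"
        set extintf "port1"
        set extip 203.0.113.11
        set mappedip "10.0.1.20"
        set portforward enable
        set extport 443
        set mappedport 443
    next
end

# One policy referencing both VIPs as the destination.
# Keep srcaddr/service as narrow as the application allows.
config firewall policy
    edit 1
        set name "Inbound-to-server"
        set srcintf "port1"
        set dstintf "port2"
        set srcaddr "all"
        set dstaddr "VIP1-FGT-A" "VIP2-FGT-B"
        set action accept
        set schedule "always"
        set service "HTTPS"
        set logtraffic all
    next
end
```

After a failover, check with `diagnose sys ha status` which unit is primary and confirm from the traffic log that sessions are hitting the VIP whose extip matches that unit's external address.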

 

  2. Add the VIP object type to the vdom-exception so that VIPs are not synced between the FortiGates, then create the VIP separately on each FortiGate with the same name and add it to the Firewall policy as the destination:

 

config system vdom-exception
    edit 1
        set object firewall.vip
    next
end

 

On Primary FortiGate:

  • VIP: FGT-A External IP:Port => Server IP:Port

On Secondary FortiGate:

  • VIP: FGT-B External IP:Port => Server IP:Port

Example2:

On the Primary FortiGate (FGT-A):

  • VIP.

 

ex2-1.png

 

  • Firewall Policy.

 

ex2-3.png

 

On the Secondary FortiGate (FGT-B):

  • VIP.

 

ex2-2.png

 

Related documents:

Technical Tip: How to fix the failover issue when there is a FortiGate-VM HA cluster with multiple I....

VDOM exceptions | FortiGate / FortiOS 7.4.3 | Fortinet Document Library.

Virtual IPs with port forwarding | FortiGate / FortiOS 7.4.3 | Fortinet Document Library.