pjang
Staff & Editor
Article Id 419416
Description: This article describes the port4 interface on Azure FortiGate-VMs, and why it is critical for it to be configured properly when the Azure SDN fabric connector is used on the FortiGate. It also links to a number of related articles that describe situations caused by port4 misconfiguration.
Scope: FortiGate, Azure, High Availability.
Solution

When deploying FortiGate-VMs on Azure, administrators have the option of deploying from several established designs, including Single VM, Active-passive with Azure Load Balancers, Active-passive with Azure SDN connector failover, and Active-active with Azure Load Balancers. Along with these established designs are GitHub templates that can be used to easily deploy these setups to Azure, which can be found here:


Azure FortiGate-VMs in general may use the Azure SDN connector for multiple functions, but one design in particular requires this SDN connector to communicate reliably with Azure, namely Active-passive with Azure SDN connector failover. Other configurations also require the SDN connector to function, such as Configuring Azure SDN connector to move private IP address on trusted NIC during A-P HA failover as of FortiOS v7.6.1 and later.


[Figure] Topology from Active-Passive Azure HA with SDN Connector. The highlighted area is the port4 interface of each FortiGate-VM member.


Critically, the SDN connector for Azure-based FortiGate HA clusters utilizes the port4 interface to handle all FortiGate/Azure communication. This means that port4 is required to meet the following design requirements; otherwise, communication will fail:

  • In these designs, port4 is configured as a reserved HA management interface so that each FortiGate-VM cluster member can be individually communicated with for administrative purposes:


config system ha
    set ha-mgmt-status enable
    config ha-mgmt-interfaces
        edit 1
            set interface 'port4'
            set gateway <Azure_Gateway_IP>
        next
    end
end


  • Each port4 interface must have an Azure Public IP (PIP) associated with it, and they must be separate for each FortiGate-VM (i.e., FortiGate-A port4 must have PIP_A associated in Azure, FortiGate-B port4 must have PIP_B associated with it).
  • The Azure subnet associated with the FortiGate port4 interface must allow outbound Internet access, with at a minimum DNS (UDP/53) and HTTPS (TCP/443) access allowed. This includes Azure route tables and network security groups being configured to permit outgoing Internet access.


For the Azure SDN connector specifically, the FortiGate uses the port4 interface to initiate HTTPS connections to management.azure.com as well as to the Azure-specific link-local address 169.254.169.254 (the Azure Instance Metadata Service).


The Fortinet-provided templates include these port4 configurations, so administrators who deploy via the templates rarely encounter issues with port4/SDN connector communication. However, administrators who manually configure Azure and the FortiGate-VMs need to check the above conditions carefully during initial setup. If port4 does not meet the above conditions, SDN connectivity will not function correctly (even if 'diagnose sys sdn status' reports the connector as up). For more KB articles related to SDN connectivity issues between the FortiGate and Azure, refer to the Related articles linked below.
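The following is an added pre-flight check for the port4 conditions listed above; it is not part of this KB article or of any Fortinet tooling. It runs against constructed Azure-resource-style data (the NIC ipConfigurations, NSG securityRules and route table entries an administrator would export from the portal or CLI) and reports which requirement is violated; the resource names and IDs are made up.

```python
# Added example, not Fortinet code: validate the port4 design requirements
# (separate PIP per member, outbound DNS/HTTPS allowed, default route to Internet)
# against ARM-style resource JSON. Sample data below is constructed.
from ipaddress import ip_network

# Constructed sample: port4 NIC per cluster member, NSG rules, route table.
PORT4_NICS = {
    "FortiGate-A": {"ipConfigurations": [{"publicIPAddress": {"id": "/pips/PIP_A"}}]},
    "FortiGate-B": {"ipConfigurations": [{"publicIPAddress": {"id": "/pips/PIP_B"}}]},
}
NSG_RULES = [  # shaped like securityRules[] on an Azure network security group
    {"direction": "Outbound", "access": "Allow", "protocol": "Tcp",
     "destinationPortRange": "443", "destinationAddressPrefix": "Internet"},
    {"direction": "Outbound", "access": "Allow", "protocol": "Udp",
     "destinationPortRange": "53", "destinationAddressPrefix": "*"},
]
ROUTES = [{"addressPrefix": "0.0.0.0/0", "nextHopType": "Internet"}]

def _rule_allows(rule, proto, port):
    """True if one NSG rule permits outbound proto/port towards the Internet."""
    if rule["direction"] != "Outbound" or rule["access"] != "Allow":
        return False
    if rule["protocol"] not in (proto, "*"):
        return False
    if rule["destinationAddressPrefix"] not in ("Internet", "*"):
        return False
    rng = rule["destinationPortRange"]
    if rng == "*":
        return True
    lo, _, hi = rng.partition("-")          # "443" or "1-65535"
    return int(lo) <= port <= int(hi or lo)

def check_port4(nics, nsg_rules, routes):
    """Return the list of violated port4 requirements (empty means all checks pass)."""
    problems, pips = [], []
    for name, nic in nics.items():
        pip = (nic["ipConfigurations"][0].get("publicIPAddress") or {}).get("id")
        if not pip:
            problems.append(f"{name}: port4 has no Azure Public IP associated")
        else:
            pips.append(pip)
    if len(set(pips)) < len(pips):          # PIP_A and PIP_B must differ
        problems.append("port4 PIPs must be distinct per cluster member")
    for proto, port, label in (("Tcp", 443, "HTTPS"), ("Udp", 53, "DNS")):
        if not any(_rule_allows(r, proto, port) for r in nsg_rules):
            problems.append(f"NSG does not allow outbound {label} ({proto}/{port})")
    # A default route whose next hop is not Internet (e.g. None) blocks the
    # path from port4 to management.azure.com.
    for r in routes:
        if ip_network(r["addressPrefix"]).prefixlen == 0 and r["nextHopType"] != "Internet":
            problems.append(f"default route next hop is {r['nextHopType']}, not Internet")
    return problems
```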


Note: A quick way to validate SDN connectivity is to run the command execute update-eip; it should complete relatively quickly if SDN connectivity is functioning (the command has the FortiGate-VM reach out to Azure via the SDN connector to update the list of associated interface IP addresses and Azure PIPs). Live debugging of the azd daemon will also show more information about the state of Azure SDN communication, including messages like 'azd connection timeout: management.azure.com:443:4.150.240.10', which indicate that port4 connectivity is not configured correctly:


diagnose debug application azd -1
diagnose debug console timestamp enable
diagnose debug enable


Related articles:

Troubleshooting Tip: SDN connector is not connecting due to DNS lookup failure

Troubleshooting Tip: DNS/API issue with an SDN configured FortiGate cluster in Azure, firmware upgr...

Technical Tip: Configuring Azure Cluster Failover with FortiGate: a comprehensive walkthrough

Troubleshooting Tip: Verifying the Transfer of Public IP and Route Table Entry to the New Primary i...

Troubleshooting Tip: Fixing failover issues in FortiGate Azure-HA configured using AZURE SDN

Technical Tip: Configure SDN Connector for Active-Passive HA failover in Azure

Technical Tip: Azure VM authorization problem in SDN connector

Technical Tip: A first steps troubleshooting guide for Azure FortiGate