FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
Article Id 258574


This article describes how to deploy a FortiGate VM HA setup in NAT and in Transparent mode.




The HA FortiGate VM in this article is deployed in AZURE, but the steps described apply to any FortiGate VM HA deployment in any Cloud or Virtual Environment.


1) First deploy the FortiGate VM in NAT/routed operation mode as an HA cluster in active-passive. Refer to the links below to learn how that in Cloud infrastructure:







2) For Hypervisor/VM-Ware ESXi, it is necessary to first configure the VMware ESXi server's virtual switches to operate in promiscuous mode to allow traffic that is not addressed to the FortiGate VM to pass through it.

3) Once the HA setup in NAT mode is deployed, run the following configuration in the CLI to convert the FortiGate into Transparent mode:


config system settings
    set opmode transparent

Before saving it using 'end', set up a way to access the FortiGates once they are in Transparent mode.

A-> Management IP (Mandatory): configure a Management IP when converting the VMs into Transparent mode:



 B-> HA management Interface(optional): it is possible to configure the HA management interface to access the GUI/SSH of both the cluster units individually in Transparent mode:



4) Finally, type 'end' in the CLI to convert the FortiGates into Transparent mode. Sometimes the following error will occur:



To resolve this issue, simply delete any aggregate, Hardware/software switch, FortiLink, or other kinds of interface clustering/zones. See this article for more information:

'get system status' can be used to verify that the FortiGate VM is now in transparent mode. Also, the above-mentioned steps only need to be performed on the primary as the HA will take care of the configuration sync.