FortiGate
Hassan09
Staff
Article Id 199551
Description

This article describes an issue where the floating IP (the cluster public IP) does not move from the previous primary (master) FortiGate VM to the newly active FortiGate VM during an HA failover.

The debug logs from the azd process on the newly active VM at the time of the failover show the azd API call failing with error 403 'AuthorizationFailed':

azd debug on the secondary (slave) VM during the HA failover:


FGT-HA-Slave # diag debug application azd -1     <----- Debug messages will be on for 30 minutes.
FGT-HA-Slave # diag de en
FGT-HA-Slave # azd running in secondary mode, will not update
HA event
HA state: primary
azd sdn connector 'AZ-Connector' getting token
token size: 1268
token expire in: 3600 seconds
AZ-Connector: resourcegroup: FGT-HA-RG, sub: "<Removed string>"
Disable interface: port1
Disable interface: port2
get pubip FGTAPClusterPublicIP in resource group FGT-HA-RG
azd api failed, url = https://management.azure.com/subscriptions/<Removed String>/resourceGroups/FGT-HA-RG/providers/Microsoft.Network/publicIPAddresses/FGTAPClusterPublicIP?api-version=2018-06-01, rc = 403, {"error":{"code":"AuthorizationFailed","message":"The client '<Removed String>' with object id '<Removed String>' does not have authorization to perform action 'Microsoft.Network/publicIPAddresses/read' over scope '/subscriptions/<Removed String>/resourceGroups/FGT-HA-RG/providers/Microsoft.Network/publicIPAddresses/FGTAPClusterPublicIP' or the scope is invalid. If access was recently granted, please refresh your credentials."}}


Scope
FortiOS.
Solution

If the Azure SDN connector is configured with a service principal, make sure the service principal has been assigned the 'Contributor' role under Access control (IAM) in Microsoft Azure, on the resource group that holds the cluster resources (FGT-HA-RG in the debug above). The 403 body names the exact action that was denied ('Microsoft.Network/publicIPAddresses/read' over the scope of the cluster public IP); a role assignment that does not cover that action at that scope, or one made on a different subscription or resource group, produces the same error.

If the Azure SDN connector uses a managed identity instead of a service principal, make sure the system-assigned managed identity is enabled on both HA VMs and that the same role is assigned to that identity: enabling the identity creates the principal in Azure AD but does not by itself grant it any permission on the resource group.

Note that the token obtained by azd in the debug is valid for 3600 seconds, and Azure role assignments can take a few minutes to propagate; as the error message itself says, access granted after the token was issued only takes effect once the credentials are refreshed.
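As an added example (not part of the original article and not Fortinet's code), the following Python script parses azd debug output of the form shown in the Description, extracts the denied action, scope and principal from the 403 'AuthorizationFailed' body, and builds the az CLI role-assignment command that this Solution describes. The embedded log sample is constructed: it is modelled on the debug above with the wrapped URL rejoined onto one line, and the GUIDs are placeholders. The az command is returned as a string for an administrator to review and run; nothing is executed against Azure.

```python
"""Triage helper for FortiGate azd SDN-connector 403 'AuthorizationFailed' failures.

Added example: parses azd debug lines, pulls out the denied action/scope/principal,
and builds the matching 'az role assignment create' command.
"""
import json
import re

# Constructed sample modelled on the azd debug output in the article.
# GUIDs are placeholders; the wrapped URL from the article is rejoined onto one line.
SAMPLE_AZD_DEBUG = """\
azd sdn connector 'AZ-Connector' getting token
token size: 1268
token expire in: 3600 seconds
AZ-Connector: resourcegroup: FGT-HA-RG, sub: "00000000-0000-0000-0000-000000000001"
get pubip FGTAPClusterPublicIP in resource group FGT-HA-RG
azd api failed, url = https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000001/resourceGroups/FGT-HA-RG/providers/Microsoft.Network/publicIPAddresses/FGTAPClusterPublicIP?api-version=2018-06-01, rc = 403, {"error":{"code":"AuthorizationFailed","message":"The client '11111111-1111-1111-1111-111111111111' with object id '22222222-2222-2222-2222-222222222222' does not have authorization to perform action 'Microsoft.Network/publicIPAddresses/read' over scope '/subscriptions/00000000-0000-0000-0000-000000000001/resourceGroups/FGT-HA-RG/providers/Microsoft.Network/publicIPAddresses/FGTAPClusterPublicIP' or the scope is invalid. If access was recently granted, please refresh your credentials."}}
"""

# 'azd api failed, url = <url>, rc = <code>, <json body>'
API_FAIL_RE = re.compile(r"azd api failed, url = (?P<url>\S+), rc = (?P<rc>\d+), (?P<body>\{.*\})$")
# Azure's AuthorizationFailed message format (client id, object id, action, scope)
MSG_RE = re.compile(
    r"The client '(?P<client>[^']+)' with object id '(?P<object_id>[^']+)' "
    r"does not have authorization to perform action '(?P<action>[^']+)' "
    r"over scope '(?P<scope>[^']+)'"
)
# Resource-group prefix of a full resource scope
RG_SCOPE_RE = re.compile(r"^(/subscriptions/[^/]+/resourceGroups/[^/]+)", re.IGNORECASE)


def parse_azd_auth_failures(log_text):
    """Return one dict per 'azd api failed' line whose body is an AuthorizationFailed error."""
    failures = []
    for line in log_text.splitlines():
        m = API_FAIL_RE.search(line)
        if not m:
            continue
        try:
            body = json.loads(m.group("body"))
        except json.JSONDecodeError:
            continue  # truncated or non-JSON body: nothing actionable here
        err = body.get("error", {})
        if err.get("code") != "AuthorizationFailed":
            continue  # other API failures (e.g. 404, 429) need different handling
        detail = MSG_RE.search(err.get("message", ""))
        rg_scope = RG_SCOPE_RE.match(detail.group("scope")) if detail else None
        failures.append({
            "rc": int(m.group("rc")),
            "url": m.group("url"),
            "client": detail.group("client") if detail else None,
            "object_id": detail.group("object_id") if detail else None,
            "action": detail.group("action") if detail else None,
            "scope": detail.group("scope") if detail else None,
            "rg_scope": rg_scope.group(1) if rg_scope else None,
        })
    return failures


def role_assignment_command(failure, role="Contributor"):
    """Build (but do not run) the az CLI command that grants `role` to the denied
    principal at the resource-group scope of the denied action.

    --assignee-principal-type ServicePrincipal is correct for both an app
    registration's service principal and a managed identity.
    """
    scope = failure["rg_scope"] or failure["scope"]
    return (
        "az role assignment create "
        f"--assignee-object-id {failure['object_id']} "
        "--assignee-principal-type ServicePrincipal "
        f"--role {role} --scope {scope}"
    )


if __name__ == "__main__":
    for f in parse_azd_auth_failures(SAMPLE_AZD_DEBUG):
        print(f"rc={f['rc']} denied action {f['action']} for object id {f['object_id']}")
        print("  scope:", f["scope"])
        print("  fix  :", role_assignment_command(f))
```

Feed it the output of 'diag debug application azd -1' captured during a failover; each AuthorizationFailed line yields the action Azure refused, the principal it refused it to, and the role assignment that would cover it. If the object id printed does not match the service principal or managed identity you expect, the connector is authenticating as the wrong principal and a role assignment will not help.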