Hassan09
Staff
Article Id 199551
Description

This article describes an issue where the floating IP does not move from the previous FortiGate primary (Master) VM to the newly active firewall during an HA failover.

 

The debug logs from the azd process on the new active firewall VM at the time of failover show that the azd API call failed with error 403 'AuthorizationFailed':

 

AZD debug on the Slave VM, during the HA Failover:

 

FGT-HA-Slave # diag debug application azd -1 <-----Debug messages will be on for 30 minutes.
FGT-HA-Slave # diag de en
FGT-HA-Slave # azd running in secondary mode, will notupdate
HA event
HA state: primary
azd sdn connector 'AZ-Connector' getting token
token size: 1268
token expire in: 3600 seconds
AZ-Connector: resourcegroup: FGT-HA-RG, sub: "<Removed string>"
Disable interface: port1
Disable interface: port2
get pubip FGTAPClusterPublicIP in resource group FGT-HA-RG
azd api failed, url = https://management.azure.com/subscriptions/<Removed String>/resourceGroups/FGT-HA-RG/providers/Microsoft.Network/publicIPAddresses/FGTAPClusterPublicIP?api-version=2018-06-01, rc = 403, {"error":{"code":"AuthorizationFailed","message":"The client '<Removed String>' with object id '<Removed String>' does not have authorization to perform action 'Microsoft.Network/publicIPAddresses/read' over scope '/subscriptions/<Removed String>/resourceGroups/FGT-HA-RG/providers/Microsoft.Network/publicIPAddresses/FGTAPClusterPublicIP' or the scope is invalid. If access was recently granted, please refresh your credentials."}}

 

Scope

FortiOS.
Solution

If the Azure SDN connector is configured with a service principal, make sure the 'Contributor' role is assigned to that service principal account under the IAM settings of the Microsoft Azure resource group.

 

If the Azure SDN connector has a managed identity enabled instead of a service principal, make sure the system-assigned managed identity is enabled for the VMs.
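As an added example (not part of this article or of FortiOS), the small parser below pulls the failing RBAC action, scope and identity out of azd debug output in the format shown above, so the permission gap can be confirmed before an HA failover is relied on. The sample text is constructed from the article's output with placeholder subscription, client and object ids, and the `check_command` helper assumes the Azure CLI is available.

```python
import json
import re

# Constructed sample modelled on the azd debug output in the article; subscription,
# client and object ids are placeholders, not values from the article.
SAMPLE_AZD_DEBUG = """\
azd sdn connector 'AZ-Connector' getting token
get pubip FGTAPClusterPublicIP in resource group FGT-HA-RG
azd api failed, url = https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/FGT-HA-RG/providers/Microsoft.Network/publicIPAddresses/FGTAPClusterPublicIP?api-version=2018-06-01, rc = 403, {"error":{"code":"AuthorizationFailed","message":"The client 'client-placeholder' with object id 'object-placeholder' does not have authorization to perform action 'Microsoft.Network/publicIPAddresses/read' over scope '/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/FGT-HA-RG/providers/Microsoft.Network/publicIPAddresses/FGTAPClusterPublicIP' or the scope is invalid. If access was recently granted, please refresh your credentials."}}
"""

API_FAILED = re.compile(r"^azd api failed, url = (?P<url>\S+), rc = (?P<rc>\d+), (?P<body>\{.*\})$")
ACTION = re.compile(r"perform action '(?P<action>[^']+)' over scope '(?P<scope>[^']+)'")
OBJECT_ID = re.compile(r"with object id '(?P<oid>[^']+)'")


def parse_azd_failures(debug_text):
    """One dict per 'azd api failed' line: HTTP status, Azure error code and, for a
    403 AuthorizationFailed, the RBAC action, scope and identity named in the message."""
    failures = []
    for line in debug_text.splitlines():
        m = API_FAILED.match(line.strip())
        if not m:
            continue
        entry = {"url": m.group("url"), "rc": int(m.group("rc")), "code": None,
                 "object_id": None, "action": None, "scope": None}
        try:
            err = json.loads(m.group("body")).get("error", {})
        except json.JSONDecodeError:
            err = {}  # body was not the JSON error envelope; keep the status code only
        entry["code"] = err.get("code")
        if is_rbac_failure(entry):
            msg = err.get("message", "")
            a, o = ACTION.search(msg), OBJECT_ID.search(msg)
            if a:
                entry["action"], entry["scope"] = a.group("action"), a.group("scope")
            if o:
                entry["object_id"] = o.group("oid")
        failures.append(entry)
    return failures


def is_rbac_failure(entry):
    """True when Azure RBAC rejected the call, as opposed to a token or network problem."""
    return entry["rc"] == 403 and entry["code"] == "AuthorizationFailed"


def check_command(entry):
    """Azure CLI call (assumed available) listing the roles the failing identity holds on the scope."""
    return "az role assignment list --assignee '%s' --scope '%s' --include-inherited" % (
        entry["object_id"], entry["scope"])
```

Run the returned command against the subscription; if no Contributor (or equivalent) assignment covers the reported scope, that is the gap to close before the next failover.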

 

Related documents:

Technical Tip: Configure SDN Connector for Active-Passive HA failover in Azure 

Access control on Azure for active-passive failover