Description |
This article describes an issue where the Floating IP does not shift from the FortiGate's previous Master VM to the new active firewall during an HA failover.
Debug logs from the AZD process on the new active firewall VM at the time of the failover show that the AZD API call failed with error 403 'AuthorizationFailed':
- AZD debug on the Slave VM during the HA failover:
FGT-HA-Slave # diag debug application azd -1 <-----Debug messages will be on for 30 minutes.
https://management.azure.com/subscriptions/<Removed String>/resourceGroups/FGT-HA-RG/providers/Microsoft.Network/publicIPAddres
|
Scope | FortiOS. |
Solution |
If the Azure SDN connector is configured with a service principal, assign the 'Contributor' role to the service principal account under the IAM settings in Microsoft Azure.
If the Azure SDN connector uses a managed identity instead of a service principal, make sure the system-assigned managed identity is enabled for the VMs.
Related documents: Technical Tip: Configure SDN Connector for Active-Passive HA failover in Azure |
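One way to check both conditions from the Azure CLI, as an added example that is not Fortinet's code. It assumes a logged-in `az` session, placeholder IDs, and a role scoped to the FGT-HA-RG resource group seen in the debug URL (adjust the scope to wherever the failover resources live); the function names are hypothetical.

```shell
#!/bin/sh
# Added example, not Fortinet code. Needs a logged-in Azure CLI (az).
# IDs are placeholders; FGT-HA-RG is the resource group in the debug URL.

# Build the resource-group scope string for role checks.
rg_scope() {            # $1 = subscription ID, $2 = resource group
    printf '/subscriptions/%s/resourceGroups/%s' "$1" "$2"
}

# Number of Contributor assignments the identity holds at or above the scope.
contributor_count() {   # $1 = app ID or principal object ID, $2 = scope
    az role assignment list --assignee "$1" --scope "$2" --include-inherited \
        --query "length([?roleDefinitionName=='Contributor'])" -o tsv
}

# Service principal case: assign Contributor only when it is missing.
ensure_contributor() {  # $1 = assignee, $2 = scope
    n=$(contributor_count "$1" "$2") || return 2
    if [ "${n:-0}" -gt 0 ]; then
        echo "ok: $1 already has Contributor on $2"
        return 0
    fi
    echo "missing: assigning Contributor to $1 on $2"
    az role assignment create --assignee "$1" --role Contributor --scope "$2" >/dev/null
}

# Managed identity case: succeed and print the principal ID only when the
# VM has a system-assigned identity enabled.
vm_identity_enabled() { # $1 = resource group, $2 = VM name
    pid=$(az vm show -g "$1" -n "$2" --query identity.principalId -o tsv) || return 2
    case "$pid" in
        ''|None) echo "system-assigned identity not enabled on $2" >&2; return 1 ;;
    esac
    printf '%s\n' "$pid"
}

# Usage with placeholders:
#   ensure_contributor "<app-id>" "$(rg_scope "<subscription-id>" FGT-HA-RG)"
#   vm_identity_enabled FGT-HA-RG "<vm-name>"
```

Run the managed identity check against both HA VMs, since either one can become active after a failover.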
Copyright 2025 Fortinet, Inc. All Rights Reserved.