FortiManager
singhl
Staff
Article Id 411685
Description

This article describes how to configure an HA cluster in AWS using VRRP mode when the EC2 instances are in a private network and have neither a public IP address nor internet access.

Scope

FortiManager, AWS.

Solution
  1. Launch EC2 instances running FortiManager. See the deployment guide for reference.
  2. License both instances and perform the initial password reset. If possible, allow temporary internet access (for example via an Elastic IP) for quick registration with FortiCloud. Otherwise, import the entitlement file as described in Licensing in an Air Gap environment in the FortiManager administration guide.
  3. Verify that the security group assigned to the instances has rules allowing custom protocol 112 (VRRP) and TCP 5199 between the two FortiManager-VMs.
  4. Set a secondary IP on the NIC of one of the FortiManager instances. See the AWS guide for setting instance secondary IP addresses for reference. This IP will be used as the VIP in the HA configuration.
  5. Create an IAM role with the following permissions to manage Elastic Network Interfaces (ENIs), private IPs, and Elastic IPs, plus read objects from S3.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "ec2:AssignPrivateIpAddresses",
                "ec2:UnassignPrivateIpAddresses",
                "ec2:ModifyNetworkInterfaceAttribute",
                "ec2:DescribeSubnets",
                "ec2:DescribeNetworkInterfaces",
                "ec2:DescribeAddresses",
                "ec2:AssociateAddress",
                "ec2:CreateTags",
                "s3:GetObject"
            ],
            "Resource": "*",
            "Effect": "Allow"
        }
    ]
}

  6. Create a VPC endpoint to allow the FortiManager instances to connect to the AWS API.
    1. Open AWS Console -> VPC -> Endpoints -> Create Endpoint.
    2. For Type, choose 'AWS Services'.
    3. Search 'EC2' under Services and select com.amazonaws.<region>.ec2.
    4. Select the VPC, subnet, and security group hosting the FortiManager instances.
    5. Leave 'Full Access' under Policy ('Custom' can be used, but make sure the EC2 instances can still reach the AWS API endpoints).

[Image: FMG_HA_AWS.gif]

Note: The VPC endpoint is necessary because the VIP is transferred to the secondary unit only when FortiManager can reach the AWS API, which is normally reached over the internet. When the FortiManager instances have no internet access, this private link via a VPC endpoint is required instead.

  7. Configure HA settings on both FortiManager instances. Set the higher priority on the instance where the secondary IP address was set in step 4, and make sure unicast is enabled on both.

[Image: fmg_ha.png]

  8. Once the HA cluster has been built, test failover by running 'diag ha force-vrrp-election' on the primary unit. The secondary unit becomes the new primary, and the secondary IP set in step 4 is moved to the other EC2 instance.
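As an added offline check that is not part of this article (example code, not Fortinet's), the Python below audits the two prerequisites from steps 3 and 5: it confirms the IAM policy grants every action the role needs, and it inspects a security group's inbound rules (in the format returned by describe-security-groups) for VRRP and TCP 5199 from the peer FortiManager while flagging rules that open either to 0.0.0.0/0. The rule set and the peer address 10.0.1.11 are constructed for the example.

```python
import ipaddress
import json

# Actions the article's IAM role policy grants; VIP transfer needs all of them.
REQUIRED_ACTIONS = {
    "ec2:AssignPrivateIpAddresses", "ec2:UnassignPrivateIpAddresses",
    "ec2:ModifyNetworkInterfaceAttribute", "ec2:DescribeSubnets",
    "ec2:DescribeNetworkInterfaces", "ec2:DescribeAddresses",
    "ec2:AssociateAddress", "ec2:CreateTags", "s3:GetObject",
}

def missing_actions(policy_json):
    """Return required actions that no Allow statement in the IAM policy grants."""
    granted = set()
    for stmt in json.loads(policy_json).get("Statement", []):
        if stmt.get("Effect") == "Allow":
            acts = stmt.get("Action", [])
            granted.update([acts] if isinstance(acts, str) else acts)
    return sorted(a for a in REQUIRED_ACTIONS if a not in granted)

def _covers(rule, proto, port):
    """True if a describe-security-groups IpPermissions entry covers proto/port."""
    if rule["IpProtocol"] == "-1":          # "all traffic" rule
        return True
    if rule["IpProtocol"] != proto:
        return False
    return port is None or rule["FromPort"] <= port <= rule["ToPort"]

def audit_ha_rules(ip_permissions, peer_ip):
    """Check inbound rules for VRRP (IP protocol 112) and TCP 5199 from the peer
    FortiManager, and flag rules that open either one to 0.0.0.0/0."""
    peer = ipaddress.ip_address(peer_ip)
    result = {"vrrp": False, "tcp5199": False, "open_to_world": []}
    for rule in ip_permissions:
        nets = [ipaddress.ip_network(r["CidrIp"]) for r in rule.get("IpRanges", [])]
        for name, proto, port in (("vrrp", "112", None), ("tcp5199", "tcp", 5199)):
            if not _covers(rule, proto, port):
                continue
            if any(peer in n for n in nets):
                result[name] = True
            if any(n.prefixlen == 0 for n in nets):
                result["open_to_world"].append(name)
    return result

# Constructed sample: VRRP scoped to the peer /32, TCP 5199 mistakenly open to everyone.
SAMPLE_RULES = [
    {"IpProtocol": "112", "IpRanges": [{"CidrIp": "10.0.1.11/32"}]},
    {"IpProtocol": "tcp", "FromPort": 5199, "ToPort": 5199, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
]
```

Running audit_ha_rules(SAMPLE_RULES, "10.0.1.11") reports both protocols reachable from the peer but lists tcp5199 as open to the world, which is the rule to tighten to the peer's /32 before building the cluster.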