FortiManager
RuiChang
Staff
Article Id 267503
Description

 

This article describes how to configure FortiManager VRRP HA in the Azure public cloud.

 

Scope

 

FortiManager.

 

Solution

 

The architecture of the Azure environment is designed as illustrated below:

 

[Image: RuiChang_1-1691138476016.png]

 

  1. In the Azure portal, search for FortiManager Centralized Security Management in the Marketplace and create a new VM, filling in the required settings for FortiManager on Azure. Deploy two VMs this way, one for each cluster member:

 

[Image: RuiChang_0-1691136767351.png]

 

  2. After the FortiManager VM is deployed successfully, go to the FortiManager VM -> Networking -> Attach network interface and create a second interface in the private subnet. Repeat the same for the second FortiManager VM:

     

    [Image: RuiChang_0-1691136789131.png]

     

    Note:

    FortiManager port1 is NIC 1, in the public subnet with a public IP. FortiManager port2 is NIC 2, in the private subnet. Because port1 is reachable from the Internet, restrict the network security group on NIC 1 so that HTTPS and SSH are only allowed from administrator source ranges, and keep allowaccess on port1 limited to the protocols actually needed.

     

  3. In the Azure search bar, look for Load balancer and create a new load balancer with both FortiManager VMs in its backend pool. Refer to the article below for the Azure configuration guide:

    Quickstart: Create a public load balancer to load balance VMs using the Azure portal.

     

    Note:

    The Azure Load Balancer rule and health probe use TCP port 443, which is the port used to reach the FortiManager cluster:

     

    [Image: RuiChang_0-1691136808968.png]

     

     

  4. Log in to each FortiManager Azure VM and configure the interfaces and VRRP HA as shown below:

     

    Primary FortiManager Azure:

     

    [Image: RuiChang_0-1691136831425.png]

     

    Interface configuration:

     


    config system interface

        edit "port1"

            set mode dhcp

            set ip <Public Subnet of Azure NIC 1>

            set allowaccess ping https ssh

            set type physical

        next

        edit "port2"

            set ip <Private subnet of Azure NIC 2>

            set allowaccess ping https ssh

            set type physical

    end

     

    VRRP HA Configuration:

    config system ha

        set failover-mode vrrp

        set hb-interval 5

        set hb-lost-threshold 10

        set mode primary

            config monitored-ips

                edit 1

                    set interface "port2"

                    set ip <Secondary FMG port 2 IP>

                next

            end

        set password <password>

            config peer

                edit 1

                    set ip <Secondary FMG port 1 IP>

                    set serial-number "<Secondary FMG SN>"

                next

            end

        set priority 100

        set unicast enable

        set vip "<Azure Load Balance Public IP>"

        set vrrp-interface "port1"

    end

     

    Secondary FortiManager Azure:

     

    [Image: RuiChang_0-1691136858263.png]

     

    Interface configuration:

    config system interface

        edit "port1"

            set mode dhcp

            set ip <Public Subnet of Azure NIC 1>

            set allowaccess ping https ssh

            set type physical

        next

        edit "port2"

            set ip <Private Subnet of Azure NIC 2>

            set allowaccess ping https ssh

            set type physical

    end

     

    VRRP HA configuration:

    config system ha

        set failover-mode vrrp

        set hb-interval 5

        set hb-lost-threshold 10

        set mode secondary

            config monitored-ips

                edit 1

                    set interface "port2"

                    set ip <Primary FMG port 2 IP>

                next

            end

        set password <password>

            config peer

                edit 1

                    set ip "<Primary FortiManager port 1 IP>"

                    set serial-number "<Primary FortiManager SN>"

                next

            end

        set priority 1

        set unicast enable

        set vip "<Azure Load Balance Public IP>"

        set vrrp-interface "port1"

    end

     

    Note:

    Once VRRP HA is established between the two FortiManagers, the unit with the highest priority becomes the primary. With hb-interval 5 and hb-lost-threshold 10, a peer is declared lost after ten missed heartbeats. FortiManager uses VRRP (IP protocol 112) for monitoring, so the network security groups on the VRRP interfaces must allow protocol 112 between the two peers or failover will not happen; Azure NSG rules cannot match protocol 112 by number, so use a rule with protocol Any scoped to the two peer addresses. The `set unicast enable` setting is required in Azure, where multicast is not available.

     

  5. Once the FortiManager VRRP HA cluster is up and synchronized, users can reach FortiManager through the Load Balancer public IP, which forwards the traffic to the primary FortiManager:

     

    [Image: RuiChang_0-1691136893778.png]

     

     

    Note:

    If access through the Load Balancer does not behave as expected, log in to each FortiManager directly on its port1 public IP and run the debug commands below (turn debugging off afterwards with diagnose debug disable):

     

    1. To see which FortiManager instance the Load Balancer is sending logins to, run the authentication debug on both FortiManagers:

      diagnose debug application authentication 255

      diagnose debug enable

       

       

    2. Check FortiManager HA status:

      diagnose ha stats

      diagnose debug application ha 255

      diagnose debug enable
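
Most VRRP HA pairs that refuse to synchronize fail on a typo in one of the fields above: a peer IP or serial number that does not match the other unit, a different HA password, or unicast left disabled. The script below is an added example, not code from this article or from Fortinet. It parses the `config system interface` and `config system ha` CLI blocks of both units with a small FortiManager-CLI parser and reports those mismatches before HA is brought up; it also flags cleartext management (http, telnet) on the public VRRP interface. The sample configurations, the 10.0.1.x / 203.0.113.10 addresses, the HA password and the serial numbers are all constructed for the example.

```python
"""Pre-flight consistency check for a FortiManager VRRP HA pair (added example,
not from the article or Fortinet). Parses the `config system interface` /
`config system ha` CLI text of both units and reports the mismatches that most
often keep the cluster out of sync. Every address, password and serial number
here is constructed."""
import shlex

PRIMARY_SN, SECONDARY_SN = "FMG-VMTM00000001", "FMG-VMTM00000002"  # constructed

def sample_cfg(role, own_ip, peer_ip, peer_sn, priority,
               password="s3cret-ha-key", unicast="enable"):
    """Constructed config in the article's layout; 203.0.113.10 stands in for the LB public IP."""
    return f"""
config system interface
    edit "port1"
        set ip {own_ip} 255.255.255.0
        set allowaccess ping https ssh
    next
end
config system ha
    set failover-mode vrrp
    set hb-interval 5
    set hb-lost-threshold 10
    set mode {role}
    set password "{password}"
    config peer
        edit 1
            set ip {peer_ip}
            set serial-number "{peer_sn}"
        next
    end
    set priority {priority}
    set unicast {unicast}
    set vip "203.0.113.10"
    set vrrp-interface "port1"
end
"""

def parse_fmg_config(text):
    """FortiManager CLI -> nested dicts: config/edit open child nodes, set stores "v..." strings."""
    root = {}
    stack = [root]
    for raw in text.splitlines():
        tokens = shlex.split(raw)
        if not tokens:
            continue
        kw, args = tokens[0], tokens[1:]
        if kw in ("config", "edit"):
            stack.append(stack[-1].setdefault(" ".join(args), {}))
        elif kw == "set" and args:
            stack[-1][args[0]] = " ".join(args[1:])
        elif kw in ("next", "end") and len(stack) > 1:
            stack.pop()
    return root

def _interface_ip(tree, port):
    parts = tree.get("system interface", {}).get(port, {}).get("ip", "").split()
    return parts[0] if parts else ""

def check_ha_pair(primary_cfg, secondary_cfg, primary_sn, secondary_sn):
    """Return a list of findings; an empty list means the pair is consistent."""
    p, s = parse_fmg_config(primary_cfg), parse_fmg_config(secondary_cfg)
    p_ha, s_ha = p.get("system ha", {}), s.get("system ha", {})
    findings = []
    if p_ha.get("mode") != "primary" or s_ha.get("mode") != "secondary":
        findings.append("roles: one unit must be primary and the other secondary")
    for name, ha in (("primary", p_ha), ("secondary", s_ha)):
        if ha.get("failover-mode") != "vrrp":
            findings.append(f"{name}: failover-mode must be vrrp")
        if ha.get("unicast") != "enable":
            findings.append(f"{name}: unicast heartbeat must be enabled (Azure has no multicast)")
    for key in ("password", "vip", "vrrp-interface", "hb-interval", "hb-lost-threshold"):
        if not p_ha.get(key) or p_ha.get(key) != s_ha.get(key):
            findings.append(f"{key}: differs between units or is unset")
    if int(p_ha.get("priority", 0)) <= int(s_ha.get("priority", 0)):  # VRRP elects the highest
        findings.append("priority: primary must be higher than secondary")
    # Each unit's peer entry must name the other unit's port1 address and serial number.
    for name, ha, other, other_sn in (("primary", p_ha, s, secondary_sn),
                                      ("secondary", s_ha, p, primary_sn)):
        other_ip = _interface_ip(other, ha.get("vrrp-interface", "port1"))
        if not any(pe.get("ip") == other_ip and pe.get("serial-number") == other_sn
                   for pe in ha.get("peer", {}).values()):
            findings.append(f"{name}: no peer entry for {other_ip} / {other_sn}")
    # The VRRP interface faces the Internet: refuse cleartext management there.
    for name, tree, ha in (("primary", p, p_ha), ("secondary", s, s_ha)):
        iface = tree.get("system interface", {}).get(ha.get("vrrp-interface", "port1"), {})
        exposed = sorted(set(iface.get("allowaccess", "").split()) & {"http", "telnet"})
        if exposed:
            findings.append(f"{name}: cleartext {exposed} allowed on the public interface")
    return findings

PRIMARY_CFG = sample_cfg("primary", "10.0.1.4", "10.0.1.5", SECONDARY_SN, 100)
SECONDARY_CFG = sample_cfg("secondary", "10.0.1.5", "10.0.1.4", PRIMARY_SN, 1)
# Three deliberate mistakes: wrong HA password, unicast off, wrong peer serial number.
BROKEN_SECONDARY_CFG = sample_cfg("secondary", "10.0.1.5", "10.0.1.4", "FMG-VMTM00000009", 1,
                                  password="typo-ha-key", unicast="disable")

if __name__ == "__main__":
    for label, cfg in (("consistent pair", SECONDARY_CFG), ("broken secondary", BROKEN_SECONDARY_CFG)):
        print(label, "->", check_ha_pair(PRIMARY_CFG, cfg, PRIMARY_SN, SECONDARY_SN) or "OK")
```

To use it against real units, paste the output of `show system interface` and `show system ha` from each FortiManager in place of the constructed strings and pass the real serial numbers; the serial numbers are supplied separately because a unit's own serial does not appear in its HA configuration, only the peer's does.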

       

Related documents:

Quickstart: Create a public load balancer to load balance VMs using the Azure portal.

FortiManager-HA automatic failover enhancement.