I'm currently deploying FGT cluster inside Azure (A/P with ELB/ILB) like the following
Inside Fortigate HUI, I can see session replicated to the slave (fortiview session).
When I perform a failover, the ILB doesn't seems to "redirected" existing sessions from the active to the slave, so session died and must be restarted.
New session can be initialised without any issue...
Like mentioned in the following document, I disabled session persistency (set to None)
I don't think it's an issue on the Fortigate. Is it the normal behaviour inside Azure ?
PS: It's seems to be the same with Palo Alto
Existing sessions need to be re-established.
Any idea ??
Thank you for using the Community Forum. I will seek to get you an answer or help. We will reply to this thread with an update as soon as possible.
We are still looking for an answer to your question.
We will come back to you ASAP.
You have an A-P High Availability solution with ELB/ILB.
External Azure Standard Load balancer is for communication with the internet
Internal Azure Standard load balancer to receive all internal traffic and forward it to its destination.
Normally, the Azure load balancer (LB) should be able to identify the master unit after an HA failover.
The Azure LB handles traffic failover using a health probe towards the FortiGate-VMs based on the failover times defined.
As per the below document from Microsoft:-
"New TCP connections will succeed in remaining healthy backend endpoint.If a backend endpoint's health probe fails, established TCP connections to this backend endpoint continue."
As per the below document on GitHub for config east-west-connections, there is a limitation:-
In case of failover, the Azure Load Balancer will send existing sessions to the failed VM as explained.
HA A-P with ELB/ILB will be a good option for a short failover time and HA A-P SDN connector will be a better option for session failover.
As a general rule, it is important to deploy the FortiGate while following the guidelines recommended in official Fortinet documentation:
Fortinet cannot deny nor guarantee that any other unusual deployment can run correctly, but most variations are unlikely to be supported.
- Have you found a solution? Then give your helper a "Kudos" and mark the solution.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2023 Fortinet, Inc. All Rights Reserved.