cm103
New Contributor

FortiGate Azure ExpressRoute Setup

Curious for a bit of input on how to make this work, as this is our first FortiGate deployment. Due to limitations in the ability to use redundant static routes on Meraki, we are looking to set the FortiGates up in an Active-Passive cluster so we can create a VIP and have a single IP to create a static route to on the Meraki MX firewalls (our assumption is that the FortiGates have to be in a cluster to create a VIP). See setup A (attached). The problem is that my understanding is that once clustered, the FortiGate configs have to be identical, and that's an issue because the secondary ExpressRoute link from Azure is on a different /30 space and needs a different IP.

Also looked into configuring WAN 1 and WAN 2 in SD-WAN group with both FortiGates connected to both ExpressRoute circuits, but similarly this is not feasible because both ExpressRoute links are tagged with same VLAN (1003) so we cannot set the VLAN interface for the same VLAN to be both .1 and .5 for the WAN 1 and WAN 2 interfaces (if that makes sense).

Really appreciate any thoughts anyone may have. Also open to suggestions if we are approaching this from the wrong angle altogether.

cm103
New Contributor

Just realized that I may have a fundamental misunderstanding of a VIP in the FortiGate world. Perhaps it would simplify things to not have these clustered at all?

Toshi_Esumi
Esteemed Contributor III

HA, especially an a-p setup, generally requires a switch on both the WAN side and the LAN side. You can of course use the same set of switches for both sides but separate them by VLANs. In a-p, the standby side is really standby until it decides to take over the master role. Both need to have the same VLANs and IPs.

So you need to terminate both primary and secondary circuits on both FGTs on the same ports, split by the switch(es). Then the FGTs can swap over whenever they need to, independently of any circuit issues.

cm103
New Contributor

Thanks Toshi. This does make sense, I have tried to think of a way to make this work (see attached) but I ran into that issue mentioned related to the way the incoming Azure ExpressRoute circuits are tagged. Both are tagged with same VLAN (1003) so we cannot set the VLAN 1003 L3 interface to .1 for the WAN 1 connections and simultaneously set the VLAN 1003 L3 interface to .5 for the WAN 2 connections...

Toshi_Esumi
Esteemed Contributor III

Since you now have switches in front of FGTs, you can strip the tags.
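To make the design in the replies above concrete, here is an added FortiOS CLI sketch of the FGT side; it is not configuration posted by anyone in this thread or by Fortinet. It assumes both ExpressRoute circuits arrive tagged VLAN 1003 on the WAN-side switches, that each switch hands its circuit untagged (access port) to the same physical port on both FortiGates (wan1 for circuit A, wan2 for circuit B), and that the customer-side /30 addresses are 10.0.0.1/30 and 10.0.0.5/30 (placeholder values; the thread only says ".1" and ".5"). Because the tag is stripped on the switch, the two circuits never need two L3 interfaces on the same VLAN ID on the FortiGate. Note also that in FortiOS the term "VIP" means a DNAT/port-forwarding object; the shared address the Meraki MX points its static route at is simply the internal interface IP of the a-p cluster, which follows whichever unit is active.

```fortios
# Added example, not from the original thread. Applied identically on both
# cluster members; in a-p only the active unit answers on these addresses.
config system ha
    set group-name "fgt-expressroute"
    set mode a-p
    # ha1 is assumed to be a dedicated heartbeat port cabled between the units
    set hbdev "ha1" 50
    # fail over if either circuit-facing port or the LAN port loses link
    set monitor "wan1" "wan2" "internal"
    set session-pickup enable
    set override disable
end

config system interface
    # Circuit A: provider tag 1003 is stripped on switch A, delivered untagged
    edit "wan1"
        set mode static
        set ip 10.0.0.1 255.255.255.252
        set allowaccess ping
        set role wan
    next
    # Circuit B: provider tag 1003 is stripped on switch B, delivered untagged
    edit "wan2"
        set mode static
        set ip 10.0.0.5 255.255.255.252
        set allowaccess ping
        set role wan
    next
    # LAN side: the Meraki MX static route uses this address as its next hop
    edit "internal"
        set mode static
        set ip 192.168.10.1 255.255.255.0
        set allowaccess ping
        set role lan
    next
end
```

On the switch side the provider-facing port is a trunk (or tagged port) carrying VLAN 1003, and the two ports facing the FortiGates' wan1 (or wan2) are access (untagged) members of that VLAN; since the tag is local to each switch once stripped, circuit B can even be mapped to a different VLAN number on a shared switch if both circuits must land on the same switch. The exact port syntax depends on the switch vendor and is not shown here.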
