Fortigate Azure VM HA active/active SSL-VPN setup

JakeBlues · ‎03-01-2023

Hi,

I'm setting up a Fortigate on Azure in an HA active7active setup as described in the docs: https://docs.fortinet.com/document/fortigate-public-cloud/7.2.0/azure-administration-guide/983245/ha...

Specifically, i've followed the template here: https://github.com/40net-cloud/fortinet-azure-solutions/tree/main/FortiGate/Active-Active-ELB-ILB

What baffles me for this solution is that I have to set up on the external load balancer two inbound NAT rules per port, one for FW A and one for FW B, but the frontend ports have to be different.

Therefore, how can I set up a rule for SSL-VPN?

On each FW I've set up a SSLVPN on port 10443.

Then I've set up NAT rules as follows:

FW A: frontend port 60443, internal 10443

FW B: frontend port 60444 (it can't be the same as FW A), internal 10443

How can I set up Forticlient? If I say remote port 60443, then if FW A is down it doesn't work.

Am I missing something?

Thanks

gfleming · ‎03-01-2023

Are you sure you need to do it this way?

Azure LB handles traffic failover using a health probe towards the FortiGate-VM. So really you would just have one IP:Port definition for your SSL VPN and the Azure LB will forward it to the correct Firewall.

Cheers,
Graham

kanes39 · ‎04-04-2024

Hi @JakeBlues ,

Did you manage to solve it?
I have a similar problem where I have a NAT of port 443 to an internal server and it uses the same port on both firewall but once failover it does not work because the firewall A NAT is above the Firewall B nat. Can you shed some light if there is a way to do this?

Fortigate Azure VM HA active/active SSL-VPN setup

Nominate a Forum Post for Knowledge Article Creation

You are leaving our website