Fortigate Azure VM HA active/active SSL-VPN setup
Hi,
I'm setting up a Fortigate on Azure in an HA active/active setup as described in the docs: https://docs.fortinet.com/document/fortigate-public-cloud/7.2.0/azure-administration-guide/983245/ha...
Specifically, I've followed the template here: https://github.com/40net-cloud/fortinet-azure-solutions/tree/main/FortiGate/Active-Active-ELB-ILB
What baffles me for this solution is that I have to set up on the external load balancer two inbound NAT rules per port, one for FW A and one for FW B, but the frontend ports have to be different.
Therefore, how can I set up a rule for SSL-VPN?
On each FW I've set up an SSL-VPN on port 10443.
Then I've set up NAT rules as follows:
FW A: frontend port 60443, internal 10443
FW B: frontend port 60444 (it can't be the same as FW A), internal 10443
How can I set up Forticlient? If I say remote port 60443, then if FW A is down it doesn't work.
Am I missing something?
Thanks
Labels: FortiGate
Are you sure you need to do it this way?
Azure LB handles traffic failover using a health probe towards the FortiGate-VM. So really you would just have one IP:Port definition for your SSL VPN and the Azure LB will forward it to the correct Firewall.
Graham
Hi @JakeBlues,
Did you manage to solve it?
I have a similar problem where I have a NAT of port 443 to an internal server and it uses the same port on both firewalls, but once failover occurs it does not work because the firewall A NAT is above the firewall B NAT. Can you shed some light on whether there is a way to do this?
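The approach Graham describes, for both the SSL-VPN question and the port-443 DNAT in the follow-up, as an added Azure CLI example (not from the Fortinet template or either poster): instead of one inbound NAT rule per firewall with differing frontend ports, the external load balancer gets one health probe and one load-balancing rule per service, so clients use a single IP:port and the probe decides which FortiGate receives the traffic. Resource group, load balancer, frontend and backend pool names are placeholders to be replaced with the ones your deployment created.

```shell
#!/bin/sh
# Added example: one load-balancing rule + probe per service on the external
# Azure LB, replacing the per-firewall inbound NAT rules (60443/60444).
# Resource names below are placeholders; the az CLI flags are real.
set -eu

AZ="${AZ:-az}"                             # set AZ=echo for a dry run
RG="${RG:-rg-fortigate}"                   # placeholder resource group
ELB="${ELB:-fgt-elb}"                      # placeholder external LB name
FRONTEND="${FRONTEND:-fgt-elb-frontend}"   # placeholder frontend IP config
BACKEND="${BACKEND:-fgt-elb-backend}"      # placeholder pool holding FW A and FW B

# TCP probe on the service port: a FortiGate whose listener is down is taken
# out of rotation, so the LB only forwards to a firewall that can answer.
add_probe() {
    name="$1"; port="$2"
    "$AZ" network lb probe create --resource-group "$RG" --lb-name "$ELB" \
        --name "$name" --protocol tcp --port "$port" --interval 5 --threshold 2
}

# Load-balancing rule with frontend port == backend port, so FortiClient and
# users need no per-firewall port; failover is handled by the probe above.
add_lb_rule() {
    name="$1"; port="$2"; probe="$3"
    "$AZ" network lb rule create --resource-group "$RG" --lb-name "$ELB" \
        --name "$name" --protocol tcp \
        --frontend-port "$port" --backend-port "$port" \
        --frontend-ip-name "$FRONTEND" --backend-pool-name "$BACKEND" \
        --probe-name "$probe" --idle-timeout 30
}

# SSL-VPN on 10443 (original question) and the 443 DNAT from the follow-up.
main() {
    add_probe   probe-sslvpn 10443
    add_lb_rule rule-sslvpn  10443 probe-sslvpn
    add_probe   probe-https  443
    add_lb_rule rule-https   443   probe-https
}

if [ "${1:-}" = "--apply" ]; then
    main
fi
```

Azure sends probes from 168.63.129.16, so each FortiGate must accept that source on the probed port (or the probe can target the template's own probe-response listener instead).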
