Fortigate HA High Availability with 3 network ports
Hi,
I've been attempting to set up a High Availability pair of virtual FortiGate firewalls under AWS.
From what I can gather, the normal approach is to have 4 network ports to do this: WAN, LAN, HA, Management.
However, I've been attempting to set this up on a c6in.large image, which is limited to 3 network ports (because c6in.xlarge is double the cost).
I nearly got this to work by avoiding the use of a management port and logging onto the secondary firewall using the virtual serial port via the EC2 Serial Console under AWS. This allowed me to set up both firewalls with ports for WAN, LAN, and HA only.
I found that switching from the Primary to the Secondary works, but switching back from the Secondary to the Primary fails to make the AWS API calls to update the routing tables / elastic IPs.
Based on this link, it's probably because I'm missing the management port.
Does anyone know if there's a way to get this to work with just 3 network ports?
It seems as if there should be an option to tell the firewall which port to use to make the API calls, such as just firing them out the HA or WAN port, for example.
Labels: FortiGate, High Availability
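One way to catch the failure described in the post (failback succeeds on the firewalls but the VPC route tables and Elastic IPs are left pointing at the secondary unit) is to compare AWS state against the ENIs of the unit that should now be active. This is an added example, not code from the thread or from Fortinet; the ENI, route table and EIP values are constructed placeholders, and the input dictionaries follow the shape returned by EC2 DescribeRouteTables and DescribeAddresses.

```python
"""Post-failover check: are any VPC routes or Elastic IPs still bound to the
ENIs of the FortiGate unit that should now be passive?

Added example, not from the original thread. The sample data below is
constructed; with boto3 you would pass ec2.describe_route_tables()["RouteTables"]
and ec2.describe_addresses()["Addresses"] in place of the samples.
"""

# Constructed placeholder ENI IDs for the two HA units (one WAN + one LAN each).
PRIMARY_ENIS = {"eni-0primary0wan", "eni-0primary0lan"}
SECONDARY_ENIS = {"eni-0secondary0wan", "eni-0secondary0lan"}

# Constructed sample reproducing the stale state after failback to the primary:
# the default route and the public EIP still reference the secondary's ENIs.
SAMPLE_ROUTE_TABLES = [
    {"RouteTableId": "rtb-0private0",
     "Routes": [
         {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
         {"DestinationCidrBlock": "0.0.0.0/0",
          "NetworkInterfaceId": "eni-0secondary0lan"},
     ]},
    {"RouteTableId": "rtb-0public0",
     "Routes": [{"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0example0"}]},
]
SAMPLE_ADDRESSES = [
    {"PublicIp": "203.0.113.10", "NetworkInterfaceId": "eni-0secondary0wan"},
]


def stale_bindings(route_tables, addresses, passive_enis):
    """Return (kind, identifier, eni) for every route next hop or EIP association
    that still references an ENI belonging to the unit expected to be passive."""
    findings = []
    for table in route_tables:
        for route in table.get("Routes", []):
            eni = route.get("NetworkInterfaceId")  # absent for igw/local routes
            if eni in passive_enis:
                dest = route.get("DestinationCidrBlock")
                findings.append(("route", f"{table['RouteTableId']} {dest}", eni))
    for addr in addresses:
        eni = addr.get("NetworkInterfaceId")
        if eni in passive_enis:
            findings.append(("eip", addr["PublicIp"], eni))
    return findings


if __name__ == "__main__":
    # After failback the primary should be active, so the secondary is passive.
    for kind, ident, eni in stale_bindings(SAMPLE_ROUTE_TABLES, SAMPLE_ADDRESSES, SECONDARY_ENIS):
        print(f"STALE {kind}: {ident} still bound to {eni}")
```

An empty result after a failover in either direction means the FortiGate's AWS SDN calls completed; any finding pinpoints which route table or EIP has to be repaired.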
Is it not possible to set up VLANs on the same port for WAN, LAN and Management?
Toshi
Created on 01-31-2025 02:56 AM, edited on 01-31-2025 03:25 AM
I don't think so, because this is a virtual firewall running under AWS, and I don't think AWS supports VLANs or VLAN-tagged packets.
They do support multiple IPs for a given network interface, but I'm not sure if there's a way to get the FortiGate to see this as a separate network port.
Edit:
One possibility, although I've not tested this, might be the use of a VXLAN as a way to expand a single interface into multiple ones:
https://docs.fortinet.com/document/fortigate/7.6.2/administration-guide/154471/interfaces
but I suspect you'd need a separate EC2 instance to act as a router, which would possibly defeat the purpose of redundancy.
