Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
techdsmart
New Contributor

FortiGate VM 7.2.4 HA in OVH Cloud

Hi Community,

I am trying to set up HA for my two FortiGate VMs running in a VMware environment on OVH Cloud dedicated servers. The FortiGate VMs are running in different datacenters in OVH.

The problem I am running into is the automatic move of the WAN/failover IP from one dedicated server to another. OVH recommends one of:

  1. A custom script to detect downtime on one firewall and move the IP via the API (the API failover IP move takes about 50-55 seconds to finish, which means I will have up to 1 minute of downtime).
  2. Common Address Redundancy Protocol (CARP). (They don't seem to know whether this works with FortiGate or how to set it up.)

My goal is to achieve active-passive failover between the two FortiGates while maintaining the same public IP.

There is no issue configuring the VMs on the VMware side to accept promiscuous mode; the issue is with how the cloud provider handles the WAN/failover IP.

Question: Has anyone encountered such a design? Is CARP feasible? Any idea how to set up this HA?

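As an added example (not code from the thread, OVH or Fortinet), here is a skeleton for option 1 above: a watchdog that probes the node currently holding the failover IP and, after a run of consecutive misses, moves the IP to the standby through the OVH API. The probe and mover callables, the service names ns1/ns2, the address 203.0.113.10 and the timings are constructed assumptions; the OVH route used in make_ovh_mover is an assumption to confirm against the OVH API console. The guards (busy window, cooldown, both-down check) are what keeps a script like this from stacking moves or ping-ponging the IP while the 50-55 second move is still in flight.

```python
"""Watchdog for option 1 above: detect that the node holding the OVH failover IP
is down and move the IP to the standby through the OVH API, with guards against
flapping. Added example, not code from the thread, OVH or Fortinet; the probe
and mover callables are hypothetical hooks."""
from dataclasses import dataclass, field
from typing import Callable, List, Optional, Tuple

Probe = Callable[[str], bool]       # service name -> True if that node answers the health check
Mover = Callable[[str, str], None]  # (failover IP, destination service name) -> performs the move


@dataclass
class FailoverState:
    active: str                      # OVH service name of the node currently holding the IP
    standby: str
    consecutive_failures: int = 0
    busy_until: float = 0.0          # no new move before this time (seconds)
    last_move_at: Optional[float] = None
    log: List[str] = field(default_factory=list)


class FailoverController:
    """Call tick(now) once per probe interval; it returns the new active node when a move is issued."""

    def __init__(self, failover_ip: str, state: FailoverState, probe: Probe, mover: Mover,
                 fail_threshold: int = 3, move_duration: float = 60.0, cooldown: float = 300.0):
        self.ip = failover_ip
        self.state = state
        self.probe = probe
        self.mover = mover
        self.fail_threshold = fail_threshold  # consecutive misses before acting
        self.move_duration = move_duration    # the post reports ~50-55 s per API move; 60 s gives margin
        self.cooldown = cooldown              # minimum gap between two moves (flap guard)

    def tick(self, now: float) -> Optional[str]:
        st = self.state
        if now < st.busy_until:
            return None                       # previous move still settling: never stack moves
        if self.probe(st.active):
            st.consecutive_failures = 0
            return None
        st.consecutive_failures += 1
        if st.consecutive_failures < self.fail_threshold:
            return None                       # one or two misses are noise on a WAN path
        if st.last_move_at is not None and now - st.last_move_at < self.cooldown:
            st.log.append(f"{now:.0f}: {st.active} down but inside cooldown, holding")
            return None
        if not self.probe(st.standby):
            st.log.append(f"{now:.0f}: both nodes down, not moving {self.ip}")
            return None                       # a blind move gains nothing and hides the real fault
        self.mover(self.ip, st.standby)
        st.log.append(f"{now:.0f}: moved {self.ip} {st.active} -> {st.standby}")
        st.active, st.standby = st.standby, st.active
        st.consecutive_failures = 0
        st.last_move_at = now
        st.busy_until = now + self.move_duration
        return st.active


def make_ovh_mover(client) -> Mover:
    """Production mover around an `ovh.Client` (pip package `ovh`). Assumption: the move is
    exposed as POST /ip/{ip}/move with a `to` parameter naming the destination service;
    confirm the route in the OVH API console before relying on it."""
    def mover(failover_ip: str, destination: str) -> None:
        client.post(f"/ip/{failover_ip}/move", to=destination)  # returns an OVH task to poll
    return mover


def simulate() -> Tuple[List[str], List[Tuple[str, str]]]:
    """Constructed scenario (no network): ns1 dies and the IP moves to ns2; ns2 then dies
    inside the cooldown (held) and the IP moves back once the cooldown has elapsed;
    finally both nodes are down and no move is issued."""
    health = {"ns1": True, "ns2": True}
    moves: List[Tuple[str, str]] = []
    st = FailoverState(active="ns1", standby="ns2")
    ctl = FailoverController("203.0.113.10", st, lambda name: health[name],
                             lambda ip, to: moves.append((ip, to)))
    ctl.tick(0)                                  # healthy
    health["ns1"] = False
    for t in (10, 20, 30):                       # misses 1..3 -> move at t=30
        ctl.tick(t)
    health["ns1"], health["ns2"] = True, False   # new active dies, old node is back
    for t in (40, 100, 110, 120, 340):           # 40: settling; 120: held by cooldown; 340: move back
        ctl.tick(t)
    health["ns1"] = health["ns2"] = False
    for t in (700, 710, 720):                    # 720: both down, nothing to move to
        ctl.tick(t)
    return st.log, moves


if __name__ == "__main__":
    for line in simulate()[0]:
        print(line)
```

Run the watchdog from a third vantage point (a small VM that is not one of the two firewalls): a copy on the failed node cannot act, and a copy on each node can race each other into a double move. The probe should test the path that actually matters, ideally the failover IP itself from outside OVH, not just a heartbeat on the internal subnet. Note that this only automates the move; the roughly one minute of downtime per move described in the post remains.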
Anthony_E
Community Manager

Hello techdsmart,


Thank you for using the Community Forum. I will seek to get you an answer or help. We will reply to this thread with an update as soon as possible.


Thanks,

Anthony-Fortinet Community Team.
Anthony_E
Community Manager

Hello techdsmart,
We are still looking for someone to help you.

We will come back to you ASAP.


Regards,

Anthony-Fortinet Community Team.
gfleming
Staff

FGT does not support CARP. It uses its own proprietary—but very similar—protocol, FGCP.
https://docs.fortinet.com/document/fortigate/7.2.4/administration-guide/297020/ha-between-remote-sit...
FGCP works by using a virtual MAC address on the interfaces that is shared between the two FortiGates. This vMAC will ARP for the IP address configured on that interface. So if you have two FortiGates at two different data centers with two different public IPs it will be difficult to get this right.
Can you explain how the public IP moves from one DC to the other?

OVH recommends CARP. Can you get them to explain how CARP can be used in this scenario? Because if so we can very likely translate it to FGCP.

Cheers,
Graham
techdsmart

Hi,

Sorry for late reply.

IP move is done via an API (internal to OVH), customers have a control panel where they can do it manually or via an API. More info here: https://help.ovhcloud.com/csm/en-dedicated-servers-ip-fo-move?id=kb_article_view&sysparm_article=KB0...

They seem to support CARP, and from the KB articles shared by them, CARP seems to work for Netgate firewalls since they even have a dedicated interface that works for CARP.

gfleming

I don't see anything in that link that talks about CARP. CARP works pretty much the same as Fortinet's FGCP. Again, it uses a virtual MAC to assign an IP address to a specific box that is active. Can you point to OVH documentation where they talk about using CARP in this scenario? We can extrapolate from that for FGCP.

If you are using OVH Cloud to move an IP address from one instance to another instance via API then very likely these two FortiGates will need to operate independently.

There might be other options though. Do you run the same internal subnet between the two OVH Datacenters? Or is it completely separate on both sides?

Cheers,
Graham
techdsmart

OVH doesn't provide any documentation on CARP, but it's pretty much active since at this point we always associate (from the OVH control panel) the FGT WAN interface MAC to the IP we need to use. So if I move the IP to another box, I have to associate another MAC to the IP. The main issue here is that currently, if we set up HA between the FGT instances, we have to move the WAN IP from one instance to another instance via API or manually. The IP move in OVH is not instant, meaning a downtime of up to 5 minutes would be experienced; I am looking for a setup that would avoid moving the IP altogether since they don't provide any other option.

Yes, I run the same internal subnet between the two OVH datacenters; all traffic is controlled by one FGT box.

gfleming

You have previously said:

"OVH recommends use of...Common Address Redundancy Protocol or CARP"

and 

"They seem to support CARP, and from the KB articles shared by them, CARP seems to work for Netgate firewalls since they even have a dedicated interface that works for CARP."

And now you say "OVH doesn't provide any documentation on CARP".

So which one is it?

But do keep in mind that if you enable FGCP and put the FGTs into HA mode, they will create a new virtual MAC on the WAN interface that you can associate the public IP to. That virtual MAC will automatically shift to the secondary node during failover.

Now, I have no idea if OVH Cloud will automatically move the public IP to the other DC for you... they probably won't.

Cheers,
Graham
techdsmart

Hi Graham,
In response to "OVH doesn't provide any documentation on CARP", I meant there is no official documentation apart from discussions on their community pages, and the discussion was in response to a Netgate customer.

Thanks for the response. I will try to set up the FGTs in HA, try associating the virtual MAC with the public IP, and see if it works.

techdsmart
New Contributor

I am really running out of options since this OVH Cloud setup is really f***d up. Do you think it's possible to achieve HA with two FGTs with different WAN IPs and a load balancer?
