Support Forum
j_hodges
New Contributor

Security Fabric Connection with Active/Passive HA

I am using the Active/Passive template from https://github.com/fortinet/azure-templates/tree/main/FortiGate/Active-Passive-ELB-ILB


The diagram below illustrates the setup which I have in three different Azure regions. The primary region is set up as the fabric root, but the other FortiGate clusters cannot connect to the root via the internal load balancer (.68 in the diagram below). If I use .69 this works until the B firewall becomes active, and then I need to manually change this to .70 on the downstream FortiGates. How can I set up downstream FortiGates to use the ILB address (.68)?

[diagram image: fgt-ap]


Anonymous
Not applicable

Hello @j_hodges ,


Thanks for posting to Fortinet Community Forums. We appreciate your patience.
We will soon have someone helping you with this query.


akristof
Staff

Hello,


Thank you for your question. I am not entirely sure what I am looking at. If I understand correctly, the FortiGates with IPs .69 and .70 are the primary and secondary devices of one cluster, correct? If this is correct, what kind of interfaces have the .69 and .70 IPs? Normal LAN interfaces or HA out-of-band management interfaces? Because if these interfaces are normal LAN interfaces, only the interface on the primary device is active and can manage the fabric.

Another question: this load balancer is an Azure load balancer that is load-balancing traffic from the .68 IP address to .69 and .70. Is this load balancer also doing DNAT? Maybe I am missing something, but I don't understand the need for a load balancer as the cluster is working in Active-Passive.

Adrian
j_hodges

Thanks for your response @akristof. As I mentioned this topology is supplied by Fortinet at https://github.com/fortinet/azure-templates/tree/main/FortiGate/Active-Passive-ELB-ILB. It's also documented at https://docs.fortinet.com/document/fortigate-public-cloud/7.0.0/azure-administration-guide/983245/ha...


To answer your question, .69 and .70 are internal (LAN) interfaces. The Azure load balancer is required in this setup as described at https://docs.microsoft.com/en-us/azure/architecture/reference-architectures/dmz/nva-ha. As a summary this is how Azure implements Active/Passive for Network Virtual Appliances (NVAs).


In theory I should be able to use .68 as the fabric connection target in downstream FortiGates. The Azure Load Balancer will simply send it to the active FortiGate. For a reason I can't explain, the FortiGate ignores the connection.
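A quick way to narrow down where a connection like the one described above is being dropped is to test TCP reachability to the fabric port separately through the ILB frontend and directly against each cluster member, then compare the results. The script below is an added diagnostic, not code from the thread or from Fortinet's templates. It assumes the Security Fabric listens on TCP 8013 (this port is an assumption stated in the code, not taken from the thread), and the addresses under `TARGETS` are constructed placeholders that stand in for the .68/.69/.70 addresses from the diagram; the `connect` parameter exists so the logic can be exercised offline with a fake connector.

```python
import socket
from typing import Callable, Dict

# Assumption: Security Fabric downstream-to-root connections use TCP 8013.
FABRIC_PORT = 8013

# Constructed placeholder addresses; substitute the ILB frontend and the
# two cluster members' LAN addresses from your own deployment.
TARGETS = {
    "ilb-frontend": "10.0.2.68",
    "fgt-a": "10.0.2.69",
    "fgt-b": "10.0.2.70",
}

# Signature of a connectivity check: (host, port, timeout) -> reachable?
Connector = Callable[[str, int, float], bool]


def tcp_connect(host: str, port: int, timeout: float = 3.0) -> bool:
    """Return True if a TCP handshake to host:port completes within timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def probe_fabric_path(targets: Dict[str, str], port: int = FABRIC_PORT,
                      connect: Connector = tcp_connect) -> Dict[str, bool]:
    """Probe every target once and return a name -> reachable map."""
    return {name: connect(ip, port, 3.0) for name, ip in targets.items()}


def diagnose(results: Dict[str, bool]) -> str:
    """Turn the probe map into a short verdict on where the path fails."""
    ilb_ok = results.get("ilb-frontend", False)
    members = [name for name in results if name != "ilb-frontend"]
    answering = [name for name in members if results[name]]

    if ilb_ok:
        return "ilb-forwarding-ok"
    if len(answering) == 1:
        # The active member listens, so the loss is between the ILB and
        # the member (rule, probe or return-path), not on the FortiGate.
        return f"member-reachable-ilb-not-forwarding ({answering[0]} answers)"
    if not answering:
        return "no-member-listening"
    return "multiple-members-answer (check HA role and interface state)"


if __name__ == "__main__":
    probe = probe_fabric_path(TARGETS)
    for name, reachable in probe.items():
        print(f"{name:13s} {TARGETS[name]:15s} {'open' if reachable else 'closed'}")
    print("verdict:", diagnose(probe))
```

Run it from a host in the downstream VNet (or from the downstream FortiGate's management network) so the probes take the same path the fabric connection would. If the active member answers directly but the ILB frontend does not, the FortiGate itself is not the thing ignoring the connection and the load balancer rule and its health probe are the next place to look.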

akristof

Hi,


Thanks for the reply. In that case I will let anyone else reply who has more experience with Azure deployments.

Adrian
bwebb
New Contributor

Adrian,


Is anyone with experience in these deployments able to elaborate on Security Fabric connectivity to Azure HA firewalls, or is this something that is still unknown? I know this is an old post, but I can't really find any other information out there about this.


Blake

bwebb
New Contributor

@j_hodges were you able to get this figured out?


Blake
