FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
JNDias
Staff
Article Id 304425
Description

 

This article describes the steps to validate the license of the secondary node in an 'Active-passive with external and internal Azure load balancer (LB)' deployment.

 

The idea is to temporarily split the cluster so that the secondary node can reach the internet and obtain its license directly from the FortiGuard service.

 

Scope

 

FortiGate, FortiFlex, Azure v7.4.3.

 

Solution

 

  • Before proceeding, back up the configuration of both FortiGate nodes.
  • In the following example, the secondary unit's name is 'test-FGT-A'.

 

On the active unit:

 

Make sure the 'vdom-exception' list contains at least 'system.interface'. Configure it as follows:

 

config system vdom-exception
    edit 1
        set object system.interface
    next
end

 

This setting prevents the interface configuration from being synchronized between the cluster members, so each member can carry different interface settings. Here, it allows interface settings to be changed on the secondary node without affecting the active traffic on the primary node and the Azure LBs.

 

On the passive (secondary) unit, the one with the license issue:

 

  1. Disable probe response on both port1 (External) and port2 (Internal). This prevents the Azure LBs from registering the unit as active. It can be done in the GUI under the interface settings or through the CLI:

 

config system interface
    edit port1
        unset allowaccess
    next
    edit port2
        unset allowaccess
    next
end

 

  2. Disable the HA port (this splits the cluster):

 

config system interface
    edit port3
        set status down
    next
end

 

Once the HA port is disabled, both FortiGate devices will show as primary units, but only the member with 'probe-response' enabled on port1 and port2 will receive traffic from the Azure LBs.
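Because the order of the two steps matters (if port3 goes down while the secondary still answers LB probes, both units receive traffic), the following added example, which is not part of the original article, parses a saved 'show' output of the secondary node and reports whether the preconditions above hold before port3 is taken down. It assumes single-VDOM output with non-nested 'config' blocks and constructs its own sample configuration.

```python
# Added example, not from the article: parse the secondary node's 'show'
# output and check the preconditions above before port3 is taken down.
# Assumes single-VDOM output with non-nested 'config' blocks.

def parse_blocks(text):
    """Return {block_name: {entry: {key: [values]}}} from FortiOS CLI text."""
    blocks, block, entry = {}, None, None
    for tokens in (line.split() for line in text.splitlines() if line.strip()):
        cmd = tokens[0]
        if cmd == "config":
            block, entry = " ".join(tokens[1:]), None
            blocks.setdefault(block, {})
        elif cmd == "edit":
            entry = tokens[1].strip('"')
            blocks[block].setdefault(entry, {})
        elif cmd in ("set", "append"):
            key, values = tokens[1], [t.strip('"') for t in tokens[2:]]
            old = blocks[block][entry].get(key, []) if cmd == "append" else []
            blocks[block][entry][key] = old + values
        elif cmd == "unset":
            blocks[block][entry].pop(tokens[1], None)
        elif cmd == "end":
            block = None
    return blocks

def precheck(text):
    """Return the problems found; an empty list means it is safe to split."""
    cfg = parse_blocks(text)
    problems = []
    exceptions = cfg.get("system vdom-exception", {}).values()
    if not any(e.get("object") == ["system.interface"] for e in exceptions):
        problems.append("vdom-exception does not list system.interface")
    for port in ("port1", "port2"):
        allow = cfg.get("system interface", {}).get(port, {}).get("allowaccess", [])
        if "probe-response" in allow:
            problems.append(f"{port} still has probe-response in allowaccess")
    return problems

# Constructed sample: no vdom-exception yet, and port1 still answers LB probes,
# so splitting now would let the Azure LBs treat both units as active.
SAMPLE = """\
config system interface
    edit "port1"
        set allowaccess ping https
        append allowaccess probe-response
    next
end
"""
```

Run `precheck()` against the output of `show system vdom-exception` and `show system interface` taken from the secondary node; any reported problem means the corresponding step above has not been applied yet.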

 

Example screenshots (images not included here): Example01.png, Example02.png.

 


Both FortiGate devices should now have internet connectivity to validate the license. If a new token is required for any reason, it can be obtained through the FortiFlex portal.

 

The license status can be checked in the GUI or through the CLI:

get system status
diagnose debug vm-print-license

 

  3. Now that the license shows as 'valid', configure the secondary unit to rejoin the cluster and re-enable the probe response for the Azure LBs.

 

config system interface
    edit port3
        set status up
    next
end

 

Confirm in the GUI that both members are synchronized, then re-enable the probe response:

 

config system interface
    edit port1
        append allowaccess probe-response
    next
    edit port2
        append allowaccess probe-response
    next
end

 

Both cluster members should now have valid licenses and be synchronized.

 

Related documents:

Docs about VM license.

FortiFlex Docs.

Technical Tip: HA Public Cloud interface sync issue.

Technical Tip: Add a bigger log disk to FortiGate VM in Azure.

Technical Tip: Resizing an Azure FortiGate VM instance.