Created on 03-17-2024 06:22 PM Edited on 03-18-2024 02:24 AM By Jean-Philippe_P
This article describes the steps to validate the license of the secondary node in an 'Active-passive with external and internal Azure load balancer (LB)' deployment.
The idea is to break the cluster so the secondary node can reach the internet and get the license directly from the FortiGuard service.
FortiGate, FortiFlex, Azure v7.4.3.
On the active unit:
Make sure at least 'system.interface' is listed under the 'vdom-exception' setting. Configure it as follows:
config system vdom-exception
    edit 1
        set object system.interface
    next
end
This configuration prevents the interface settings from syncing between cluster members, so each unit can have different interface settings. In this case, it allows interface settings to be changed on the secondary node without affecting active traffic on the primary and the Azure LBs.
On the Passive secondary unit (with license issues):
config system interface
    edit port1
        unset allowaccess
    next
    edit port2
        unset allowaccess
    next
end
config system interface
    edit port3
        set status down
    next
end
When disabling the HA port, both FortiGate devices will appear as primary units, but only the member with 'Probe-Response' enabled on interfaces port1 and port2 will handle the traffic.
Both FortiGate devices should now have internet connectivity to validate the license. If a new token is required for any reason, it can be obtained through the FortiFlex portal.
The license status can be checked in the GUI or through the CLI:
get system status
diagnose debug vm-print-license
config system interface
    edit port3
        set status up
    next
end
Confirm in the GUI that both members are synchronized, then enable the probe.
config system interface
    edit port1
        append allowaccess probe-response
    next
    edit port2
        append allowaccess probe-response
    next
end
Both cluster members should now have valid licenses and be synchronized.
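As an added example (not part of the original article and not Fortinet code), the following Python check parses saved 'show system interface' output from the secondary unit and reports whether it would still answer Azure LB probes while the HA port is down, or whether the restore at the end of the procedure is incomplete. The function names, the phase labels and the sample config are constructed for illustration, and the parser assumes an interface with no 'set status' line is up.

```python
LB_PORTS = ("port1", "port2")  # interfaces the Azure LBs probe (from the article)
HA_PORT = "port3"              # HA interface (from the article)

def parse_interfaces(text):
    """Map interface name -> {'allowaccess': set, 'status': str} from CLI config text."""
    ifaces, current, depth = {}, None, 0
    for tok in filter(None, map(str.split, text.splitlines())):
        if tok[0] == "config":
            if depth or tok[1:] == ["system", "interface"]:
                depth += 1  # interface table, or a table nested inside an entry
        elif tok[0] == "end" and depth:
            depth -= 1
        elif depth == 1 and tok[0] == "edit" and len(tok) > 1:
            current = tok[1].strip('"')
            # Assumption: an interface with no 'set status' line is up.
            ifaces[current] = {"allowaccess": set(), "status": "up"}
        elif depth == 1 and current and tok[0] == "set" and len(tok) > 2:
            if tok[1] == "allowaccess":
                ifaces[current]["allowaccess"] = set(tok[2:])
            elif tok[1] == "status":
                ifaces[current]["status"] = tok[2]
    return ifaces

def check(text, phase):
    """Problems for phase 'isolated' (HA port down, no probe answers) or 'restored'."""
    ifaces = parse_interfaces(text)
    missing = [p for p in LB_PORTS + (HA_PORT,) if p not in ifaces]
    if missing:
        return [f"{p}: not present in the supplied config" for p in missing]
    probing = [p for p in LB_PORTS if "probe-response" in ifaces[p]["allowaccess"]]
    ha_up = ifaces[HA_PORT]["status"] == "up"
    if phase == "isolated":
        problems = [f"{p}: still answers LB probes" for p in probing]
        return problems + ([f"{HA_PORT}: still up"] if ha_up else [])
    problems = [f"{p}: probe-response missing" for p in LB_PORTS if p not in probing]
    return problems + ([] if ha_up else [f"{HA_PORT}: still down"])

# Constructed sample: 'unset allowaccess' was applied to port1 only, port3 is already down.
SAMPLE = """config system interface
    edit "port1"
    next
    edit "port2"
        set allowaccess ping https probe-response
    next
    edit "port3"
        set status down
    next
end"""
```

Calling check(SAMPLE, "isolated") flags port2, the state in which both units act as primary and both answer the load balancer probes.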