×
Community Blog Deploy and Configure FortiGate A-P HA Cross AZ: Part 3

Deploy and Configure FortiGate A-P HA Cross AZ: Part 3

This is the third article of a 3-part series that provides step-by-step guide for deploying FortiGate HA on Alibaba Cloud between availability zones.

Get Fortinet FortiGate on Alibaba Cloud by visiting our Marketplace:
Fortinet FortiGate (PAYG) Next-Generation Firewall (4 vCPUs)
Fortinet FortiGate (PAYG) Next-Generation Firewall (8 vCPUs)

In this 3-part article series, we will show you in detail the steps for deploying and configuring Fortinet FortiGate (FGT) A-P High Availability (HA) on Alibaba Cloud between availability zones (AZ).

Verify HA on Fortigate

Verify the HA result on both Fortigate. You can use EIP1 and EIP2 to remotely access Fortigate.

1

Create web-a Workload VM for Testing

Create a Linux WebServer VM in zone a called web-a to verify the HA. Choose VPC and zone A internal-a switch. Setup your username and password.

2

Use Cloud Dashboard Console to Access web-a VM

After starting this instance, you can access this web-a console via alicloud vnc console connect.

3

4

Start Web Server on web-a VM

The next step is to start the web server. This web-a VM comes with python installed, so we will just use python as web server for testing.

5

You can use a browser to curl to access this web server via FGT-1 EIP3 address from your local PC. EIP3 is currently associated with FGT-1 as FGT-1 is master.

Verify the web server can be accessed from the internet.

6

On the FGT-1 log & Report menu, you can see the access log.

7

The web server will dump the access information.

8

Verify Egress Traffic

Let's now verify the egress traffic. Since web-a is able to access the internet, we can use ping to verify that.

9

You can also show traffic logs from FGT-1.

10

Check Failover Interrupt Time

Keep on pinging web-a, and let's reboot FGT-1 to trigger a switchover. Record the switch-over time and change of VPC routing table and EIP moving to new master.

Start ping from web-a console.

11

Reboot FGT-1 from FGT-1 menu.

Choose Restart FGT-1.

12

Ping will interrupt around 24 seconds.

13

Web service should start to work again at a similar time interruption.

14

Verify the Changes Due to Failover

Now let's take a look at the master slave change as well as the routing table and EIP3 moving.

Master and Slave Role Change

FGT-1 now becomes slave, FGT-2 becomes master.

15

16

EIP3 Moving

EIP3 is associated with the Secondary Fortigate instance which is FGT-2.

17

VPC Custom Routing Table Update

VPC custom routing table 0.0.0.0/0 now points to ENI that is attached to zone B internal-B switch.

18

Terraform Code for Automating the Deployment

If you want to use terraform instead GUI to deploy the resource, clone the code in the following link: https://github.com/yagosys/fortigate_aliyun/tree/master/AP-CrossZone

Optional

Connect Fortigate to FortiManager Cloud

Obtain FortiManager Cloud license.

19

Set up FortiGate.

20

21

22

Configure FortiManager

Then go to FortiManager Cloud to configure FortiManager to authorize this Fortigate.

23

References

https://docs.fortinet.com/vm/alicloud/fortigate/6.4/alicloud-cookbook/6.4.0/967820/deploying-fortigate-vm-ha-on-alicloud-between-availability-zones

https://github.com/yagosys/fortigate_aliyun/tree/master/AP-CrossZone

Get Fortinet FortiGate on Alibaba Cloud by visiting our Marketplace:
Fortinet FortiGate (PAYG) Next-Generation Firewall (4 vCPUs)
Fortinet FortiGate (PAYG) Next-Generation Firewall (8 vCPUs)

0 0 0
Share on

Marketplace

15 posts | 9 followers

You may also like

Comments