FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
jstan
Staff
Article Id 190294
Description

This article describes the steps needed to migrate an existing FortiGate VM running on an obsolete product code to a new VM running on the new product code.

This document focuses on migrating a FortiGate VM, but the steps are largely the same for other Fortinet products running in AliCloud.


Solution
1) Deploy a new instance (BYOL/PAYG) with the same number of vCPUs and the same amount of RAM as the existing VM by navigating to Elastic Compute Service -> Instances.
Ensure that the appropriate region is selected.

Under Instance type, select the desired instance size.

Note.
For an HA deployment the minimum instance size is VM08, as the HA failover deployment requires at least 4 NICs.






2) Under Image, select 'Marketplace' image and search for Fortinet.




3) Locate the desired product (e.g. FortiGate PAYG, 8 vCPU) and select the desired firmware version (the list of available firmware versions is also useful for deciding which firmware the existing FortiGate VM should be upgraded to).
Once done, select 'Next' to proceed to the Networking section.




4) Under the Networking tab, select the desired VPC and VSwitch. Assign a public IP as required.




5) Under the Elastic Network Interface section, add new ENIs as desired. Select 'Next' to proceed to the System Configurations tab.





6) Under the System Configurations tab, select 'Set Later' for the logon credentials and give the FortiGate the desired name. Select 'Next' to proceed to the Grouping tab.




7) Under the Grouping tab, select the desired resource group or leave it blank. Select 'Next' to proceed to the Preview tab.





8) Review the settings and deploy the VM once the review is complete.

9) (Optional) Attach additional ENIs to the VM as required, as AliCloud only allows a maximum of 2 ENIs to be registered during the deployment phase.

10) Before the migration, check whether each interface on the FortiGate is addressed statically or by DHCP. A DHCP interface needs no change for the migration: once the configuration is restored, the new FortiGate obtains the address of the newly attached ENI from AliCloud's DHCP.




If the IP address is static, note the IP address AliCloud assigned to the corresponding ENI of the new VM and change that interface's address in the backed-up configuration file accordingly.
Port1 is usually configured with DHCP addressing; the remaining ports are usually static.
DHCP can be used for the remaining ports as well; if so, ensure that the option 'Retrieve default gateway from server' is disabled on them so that unwanted default routes are not inserted.

The IP address of each FortiGate ENI can be verified on the ENIs tab of the AliCloud console.
If multiple ENIs are attached to the FortiGate, each appears as a separate entry; note the address assigned to each of port1 through port4 (for HA).





11) For HA, if the IP address or subnet of port3/port4 changes, the HA configuration must be edited manually in the configuration file before it is restored to the new VM. The same applies to port1/port2. Sample configuration:

Primary.

# config system ha
    set group-name "fgtha2"
    set mode a-p
    set hbdev "port3" 0
    set session-pickup enable
    set ha-mgmt-status enable
    config ha-mgmt-interfaces
        edit 1
            set interface "port4"
            set gateway 10.10.4.253
        next
    end
    set priority 200
    set monitor "port1"
    set unicast-hb enable
    set unicast-hb-peerip 10.10.3.11
end
Secondary.
# config system ha
    set group-name "fgtha2"
    set mode a-p
    set hbdev "port3" 0
    set session-pickup enable
    set ha-mgmt-status enable
    config ha-mgmt-interfaces
        edit 1
            set interface "port4"
            set gateway 10.10.4.253
        next
    end
    set priority 100
    set monitor "port1"
    set unicast-hb enable
    set unicast-hb-peerip 10.10.3.10
end
Note.
The configuration files of the primary and secondary units must be backed up and modified separately, as the HA settings (priority, heartbeat peer IP) and the hostname differ between the two units.

12) After the FortiGates have booted, restore the modified configuration file (the one backed up from the corresponding old VM) to each new VM and verify that the HA cluster forms (for example with 'get system ha status' on the CLI).

13) HA in AliCloud does not rely on any configuration in the AliCloud SDN connector, but the cluster does need a RAM role attached to each FortiGate instance. The RAM role must have at least the following policies:
- AliyunECSFullAccess
- AliyunVPCFullAccess
- AliyunEIPFullAccess
These are broad administrative policies, so attach the role only to the FortiGate instances.
Check below deployment guide for FortiGate HA deployment in Alicloud:
https://docs.fortinet.com/document/fortigate-public-cloud/6.2.0/alicloud-administration-guide/310017...

14) If the ENIs were assigned new elastic IPs, ensure that the relevant Alibaba Cloud DNS records and load balancer (if any) are updated to point to the new IP/ENI.

See the following for more information on Alibaba Cloud DNS and Server Load Balancer:
https://www.alibabacloud.com/product/dns
https://www.alibabacloud.com/product/server-load-balancer
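The configuration edits of steps 10 and 11 are easy to get wrong by hand, especially in a full backup where 'set gateway' also appears under 'config router static'. The script below is added here as an illustration and is not part of Fortinet's documentation or product. It reads a backup taken from one unit, reports which ports are DHCP and which are static, flags DHCP ports that would still accept a default route from the DHCP server, re-addresses the static ports with the IPs AliCloud assigned to the new ENIs, and points the HA heartbeat peer and HA management gateway at the new subnets. The embedded configuration and all addresses (10.10.x.x old, 10.20.x.x new) are constructed for the example; the port roles assumed are those used in this article (port3 heartbeat, port4 HA management). Run it once per unit with that unit's own backup, as the note in step 11 requires.

```python
import re
# Constructed sample (not from a real deployment): the interface, HA and static-route
# stanzas of a backup taken from the OLD primary unit. port1/port2 are DHCP, port3
# (heartbeat) and port4 (HA management) are static, as the article describes.
OLD_PRIMARY_CONFIG = """\
config system interface
    edit "port1"
        set mode dhcp
    next
    edit "port2"
        set mode dhcp
    next
    edit "port3"
        set ip 10.10.3.10 255.255.255.0
    next
    edit "port4"
        set ip 10.10.4.10 255.255.255.0
    next
end
config system ha
    set group-name "fgtha2"
    set hbdev "port3" 0
    set ha-mgmt-status enable
    config ha-mgmt-interfaces
        edit 1
            set interface "port4"
            set gateway 10.10.4.253
        next
    end
    set priority 200
    set unicast-hb enable
    set unicast-hb-peerip 10.10.3.11
end
config router static
    edit 1
        set gateway 10.10.2.253
        set device "port2"
    next
end
"""

def _stanza_span(config, header):
    """Span of one top-level stanza; nested 'end' lines are indented, so '^end$' hits only the outer one."""
    m = re.search(rf"^{re.escape(header)}\n.*?^end$", config, re.S | re.M)
    if not m:
        raise ValueError(f"{header!r} not found in backup")
    return m.start(), m.end()

def _interface_entries(config):
    """Yield (port, body) for every 'edit' under 'config system interface'."""
    s, e = _stanza_span(config, "config system interface")
    for m in re.finditer(r'^    edit "([^"]+)"\n(.*?)^    next$', config[s:e], re.S | re.M):
        yield m.group(1), m.group(2)

def interface_modes(config):
    """Step 10: which ports are DHCP (left alone) and which are static (must be re-addressed)."""
    return {p: "dhcp" if re.search(r"^\s*set mode dhcp$", b, re.M) else "static"
            for p, b in _interface_entries(config)}

def dhcp_ports_pulling_default_route(config, keep="port1"):
    """Step 10 caveat: DHCP ports other than `keep` whose 'Retrieve default gateway from server'
    (CLI: set defaultgw) is still on. FortiOS enables it by default, so a missing line counts as on."""
    return [p for p, b in _interface_entries(config)
            if p != keep and re.search(r"^\s*set mode dhcp$", b, re.M)
            and not re.search(r"^\s*set defaultgw disable$", b, re.M)]

def rewrite_static_ips(config, new_ips):
    """Step 10: give static ports the address AliCloud assigned to the new ENI ({port: 'ip mask'}).
    A port that is DHCP or absent is rejected, so a typo cannot silently hit the wrong interface."""
    modes = interface_modes(config)
    for port in new_ips:
        if modes.get(port) != "static":
            raise ValueError(f"{port} is {modes.get(port, 'absent')}, not static")
    s, e = _stanza_span(config, "config system interface")
    out, current = [], None
    for line in config[s:e].splitlines():
        m = re.match(r'^    edit "([^"]+)"$', line)
        if m:
            current = m.group(1)
        elif line.strip() == "next":
            current = None
        elif current in new_ips and re.match(r"^\s*set ip \S+ \S+$", line):
            line = re.sub(r"set ip .*$", f"set ip {new_ips[current]}", line)
        out.append(line)
    return config[:s] + "\n".join(out) + config[e:]

def rewrite_ha(config, peer_hb_ip, mgmt_gateway):
    """Step 11: point unicast-hb-peerip at the PEER's new port3 address and the HA management
    gateway at the new port4 subnet, scoped to 'config system ha' so no static route is touched."""
    s, e = _stanza_span(config, "config system ha")
    body, n1 = re.subn(r"^([ \t]*set unicast-hb-peerip )\S+$", rf"\g<1>{peer_hb_ip}", config[s:e], count=1, flags=re.M)
    body, n2 = re.subn(r"^([ \t]*set gateway )\S+$", rf"\g<1>{mgmt_gateway}", body, count=1, flags=re.M)
    if n1 != 1 or n2 != 1:
        raise ValueError("unicast-hb-peerip or ha-mgmt gateway missing: is this an HA unit's backup?")
    return config[:s] + body + config[e:]

if __name__ == "__main__":
    # Assumed addresses of the new ENIs as read from the AliCloud console (constructed).
    cfg = rewrite_static_ips(OLD_PRIMARY_CONFIG,
                             {"port3": "10.20.3.10 255.255.255.0", "port4": "10.20.4.10 255.255.255.0"})
    cfg = rewrite_ha(cfg, peer_hb_ip="10.20.3.11", mgmt_gateway="10.20.4.253")  # peer = secondary's new port3
    print(cfg)
    print("DHCP ports still accepting a default route:", dhcp_ports_pulling_default_route(OLD_PRIMARY_CONFIG))
```

The 'config system ha' edits are confined to that stanza, so the 'set gateway' of the static route is left alone, and a port that is DHCP or absent is rejected rather than silently skipped. Diff the output against the original backup before restoring it, and leave the hostname and priority lines as they are, since they legitimately differ between the two units.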

