Help
Cybersecurity Forum

This forum is for all security enthusiasts to discuss Fortinet's latest & evolving technologies and to connect & network with peers in the cybersecurity hemisphere. Share and learn on a broad range of topics like best practices, use cases, integrations and more. For support specific questions/resources, please visit the Support Forum or the Knowledge Base.

plokesh
Staff
Staff

Created on ‎07-22-2016 12:10 PM

FortiGate HA in AWS


Hello team,

    The attached file has the steps to show how to deploy a Hot Standby FortiGate HA in AWS using CloudFormation template. A simplistic diagram is also attached to visialize what is being deployed.

    Since there is no access to Layer 2 in AWS, a workaround needs to be in place to have automated High Availability in HA.

   -The CloudFormation template assumes that the account that is deploying this has a Route53 domain name. This is needed to access the active firewall using a DNS name. 

   -There is a  t2.micro AWS instance(Worker Node) that gets created with the stack. This is where the python script to monitor the active firewall is run from. 

   -If the primary FortiGate becomes unavailable, the required AWS API calls are made to disassociate the subnets from the Primary Firewall's Route Table and associate them to the Backup Firewall's Route Table. Once this is done, a continious check is done to see if the Primary instance comes back up. Once it is backup, all the subnet associations are made back to the Primary Firewall's Route Table. 

  -(Optional) The Worker Node can also be made part of a AutoScaling Group. 

   -(Optional)The Worker node can be run from any server anywhere as long as it has AWS CLI tools and python loaded on it. 

   

Preview file
2096 KB
Preview file
232 KB
Labels:
844
0 Kudos
2 REPLIES 2
kchooi_FTNT
Staff
Staff

Created on ‎10-20-2016 03:44 PM

Hi,

  Thanks for the document.  I do understand that this solution is targeted at providing HA within a VPC (eg. Providing redundancy between separate AZ).  However, will this solution also work within a AZ.  Eg.  Route 53 redirect traffic to 2 FortiGate in a single AZ.  As another alternative HA soluton, do we support running VRRP and session sync between two FG in the same AZ? Thanks.

  

834
0 Kudos
fortikey_FTNT
Staff
Staff
In response to kchooi_FTNT

Created on ‎01-12-2017 10:55 PM

Same questions as what Ker Ming Chooi asked ?

834
0 Kudos
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2024 Fortinet, Inc. All Rights Reserved.