Description
This article describes guidance to configure FortiManager VRRP HA in Azure Public Cloud Environment.
Scope
FortiManager.
Solution
The architecture of the Azure environment is designed as illustrated below:
- In Azure Public Cloud, go to the search bar, look for FortiManager Centralized Security Management, and create a new VM. Fill in all the requirements for FortiManager Azure:
-
After the FortiManager VM is deployed successfully, go to the FortiManager VM -> Networking -> Attach network interface -> Create a second interface with Private Subnet. Repeat the same for the second FortiManager VM:
Note:
FortiManager port 1 is NIC 1 with a Public subnet & Public IP. FortiManager port 2 is NIC 2 with a Private subnet.
-
Go to the Azure search bar, look for the load balancer, and create a new load balancer. Refer to the article below for the Azure configuration guide:
Quickstart: Create a public load balancer to load balance VMs using the Azure portal.
Note:
Azure Load Balancer Rules & Health Probes will monitor TCP port 443 to access FortiManager Cluster:
-
Go to FortiManager Azure VM and configure the interface & VRRP HA as shown below:
Primary FortiManager Azure:
Interface configuration:
config system interfaceedit "port1"
set mode dhcp
set ip <Public Subnet of Azure NIC 1>
set allowaccess ping https ssh
set type physical
next
edit "port2"
set ip <Private subnet of Azure NIC 2>
set allowaccess ping https ssh
set type physical
end
VRRP HA Configuration:
config system ha
set failover-mode vrrp
set hb-interval 5
set hb-lost-threshold 10
set mode primary
config monitored-ips
edit 1
set interface "port2"
set ip <Secondary FMG port 2 IP>
next
end
set password <password>
config peer
edit 1
set ip <Secondary FMG port 1 IP>
set serial-number "<Secondary FMG SN>"
next
end
set priority 100
set unicast enable
set vip “<Azure Load Balance Public IP>"
set vrrp-interface "port1"
end
Secondary FortiManager Azure:
Interface configuration:
config system interface
edit "port1"
set mode dhcp
set ip <Public Subnet of Azure NIC 1>
set allowaccess ping https ssh
set type physical
next
edit "port2"
set ip <Private Subnet of Azure NIC 2>
set allowaccess ping https ssh
set type physical
end
VRRP HA configuration:
config system ha
set failover-mode vrrp
set hb-interval 5
set hb-lost-threshold 10
set mode secondary
config monitored-ips
edit 1
set interface "port2"
set ip <Primary FMG port 2 IP>
next
end
set password <password>
config peer
edit 1
set ip “<Primary FortiManager port 1 IP>”
set serial-number "<Primary FortiManager SN>"
next
end
set priority 1
set unicast enable
set vip "<Azure Load Balance Public IP>"
set vrrp-interface "port1"
end
Note:
After VRRP HA is established between both FortiManager, the FortiManager with the highest priority will become the Primary FortiManager. Note that FortiManager will use VRRP protocol number 112 for monitoring. Ensure Protocol 112 is enabled in Azure for failover.
-
After the FortiManager VRRP HA Cluster is up and in-synchronized, users can access the FortiManager Azure from the Load Balancer Public IP and it will direct the traffic to Primary FortiManager Azure:
Note:
If the Load Balancer is not working ideally, proceed to login both FortiManager port 1 with each of the Public IPs respectively and run the debug command below:
-
Check Load Balancer login into which FortiManager instance, run the debug on both FortiManager:
diagnose debug application authentication 255
diagnose debug enable
-
Check FortiManager HA status:
diagnose ha stats
diagnose debug application ha 255
diagnose debug enable
-
Related documents:
Quickstart: Create a public load balancer to load balance VMs using the Azure portal.
