Active/Passive HA FortiGate Pair with External and Internal Azure Load Balancer

Phil Huang
October 26, 2024

Transcript

1. Active/Passive HA FortiGate Pair with External and Internal Azure Load Balancer. Phil Huang <[email protected]>, Sr. Cloud Solution Architect | CNCF Ambassador, 2024/10/27. Fortinet on Azure.
2. Differences: this template mainly provides internet capability, but I don't need an internet connection here, so I added a private load balancer myself.
3. External/Internal Load Balancer: Health Probes. The health probes need to work with the FGT's internal setting `config system probe-response`. https://github.com/fortinet/azure-templates/blob/main/FortiGate/Active-Passive-ELB-ILB/doc/config-ha.md
4. External/Internal Load Balancer: Health Probe Status. If the FGTs are configured in Active-Passive mode, it is expected that the 2nd firewall WILL NOT respond to the load balancer.
5. External/Internal Load Balancer: Rules. External Private LB (172.16.0.10) and Internal Private LB (172.16.0.68); traffic transits via the FGT VMs. https://github.com/fortinet/azure-templates/blob/main/FortiGate/Active-Passive-ELB-ILB/doc/config-inbound-connections.md#when-to-enable-the-floating-ip-in-the-azure-load-balancing-rule If you need to use IPsec tunnels, you need to disable Floating IP.
6. Firewall Policy: NAT should be disabled. Since there is a need for East-West (spoke-to-spoke) VNet traffic, this needs to be set explicitly; otherwise the default is deny!!! Please configure the FGT firewall policy according to the actual situation.
7. Scenario 3: Latency. Since all my testing VMs are B1ms models and do not support accelerated networking, I did not perform this test.
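The FortiOS CLI fragments below tie slides 3, 4 and 6 together (probe responder for the Azure LB health probes, and an East-West policy with NAT disabled); they are an added example, not the deck's or the fortinet/azure-templates repo's own config, and the interface names (port1 external, port2 internal), probe port 8008 and policy name are assumptions.

```text
# Added example; assumed values: port1 = ELB-facing, port2 = ILB-facing,
# probe port 8008, policy name "spoke-to-spoke".

# 1. Health-probe responder (slide 3). The Azure LB probes each FGT on
#    this port; in Active-Passive mode only the active unit answers, so
#    the passive unit showing as unhealthy in the probe status is
#    expected (slide 4), not a fault.
config system probe-response
    set mode http-probe
    set http-probe-value "OK"
    set port 8008
end

# 2. The probe must be permitted on every interface an LB probes.
#    Note: "set allowaccess" replaces the whole list, so include any
#    services already allowed on the interface.
config system interface
    edit "port1"
        set allowaccess ping probe-response
    next
    edit "port2"
        set allowaccess ping probe-response
    next
end

# 3. East-West (spoke-to-spoke) policy with NAT disabled (slide 6).
#    Traffic enters and leaves on the ILB-facing interface; with NAT
#    off the original source IP is preserved so the reply is routed
#    back through the ILB instead of directly to the FGT. Without an
#    explicit policy the implicit deny drops this traffic.
config firewall policy
    edit 0
        set name "spoke-to-spoke"
        set srcintf "port2"
        set dstintf "port2"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat disable
    next
end
```

Narrow srcaddr/dstaddr to the actual spoke subnets in production; "all" is used here only to keep the example short.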