Slide 1

Active/Passive HA FortiGate Pair with External and Internal Azure Load Balancer
Phil Huang, Sr. Cloud Solution Architect | CNCF Ambassador
2024/10/27
Fortinet on Azure

Slide 2

Fortinet/azure-templates

Slide 3

Base: Fortinet / azure-templates https://github.com/fortinet/azure-templates/tree/main/FortiGate/Active-Passive-ELB-ILB

Slide 4

Differences: The base template exposes its external side through an internet-facing (public) load balancer, but I don't need an internet connection here, so I replaced it with a private load balancer that I added myself.

Slide 5

Azure

Slide 6

Route Table View

Slide 7

Effective Routes: vm-blue

Slide 8

Effective Routes: vm-yellow. Additional UDRs need to be written to override the VNet peering routes, with the ILB frontend (172.16.0.68) as next hop. Azure selects the longest matching prefix first and only then prefers a user route over a system route of the same length, so a 0.0.0.0/0 UDR alone does not catch traffic covered by a peering route: the UDR must cover the peer's prefix at the same or a longer length.

Slide 9

Effective Routes: vm-red

Slide 10

Effective Routes: vm-green (same as vm-red)

Slide 11

External/Internal Load Balancer: Health Probes. The health probes need to work together with the FGT's internal setting "config system probe-response"; see https://github.com/fortinet/azure-templates/blob/main/FortiGate/Active-Passive-ELB-ILB/doc/config-ha.md

Slide 12

External/Internal Load Balancer: Health Probe Status. If the FGTs are configured in Active-Passive mode, it is expected that the second (passive) firewall WILL NOT respond to the load balancer probe, so it shows as unhealthy in the backend pool until a failover makes it primary.

Slide 13

External/Internal Load Balancer: Rules. External Private LB (172.16.0.10) and Internal Private LB (172.16.0.68): traffic transiting via the FGT VMs, with Floating IP enabled on the load-balancing rule (see https://github.com/fortinet/azure-templates/blob/main/FortiGate/Active-Passive-ELB-ILB/doc/config-inbound-connections.md#when-to-enable-the-floating-ip-in-the-azure-load-balancing-rule). If you need IPsec tunnels terminating on the FortiGate, you will need to disable Floating IP on that rule.

Slide 14

FortiGate

Slide 15

Interface View (FGT A): External Interface, Internal Interface, HA Sync Interface, Mgmt Interface

Slide 16

Enable the specific probe configuration on TCP/8008; see https://community.fortinet.com/t5/FortiGate/Technical-Tip-FortiGate-VM-probe-on-Azure-or-AWS-load-balancer/ta-p/250184
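The FortiGate side of the probe from Slides 11 and 16, as an added example (not taken from the deck or from the Fortinet template). The interface names port1/port2 and the other services already in each allowaccess list are assumptions; the load balancer probe on TCP/8008 from 168.63.129.16 is what the slides describe. A TCP probe on 8008 is satisfied by the listening port alone; an HTTP probe additionally needs the HTTP 200 that probe-response returns with the configured value in the body.

```text
# FortiOS CLI (added example). Answer the Azure LB health probe
# (GET / on TCP/8008, source 168.63.129.16) with HTTP 200 and body "OK".
config system probe-response
    set mode http-probe
    set port 8008
    set http-probe-value OK
end

# The probe is local-in traffic to the FortiGate itself, so it is admitted
# by the interface's allowaccess list, not by a transit firewall policy.
# "set" replaces the whole list: repeat the services you already allow
# (the ones listed here are assumed).
config system interface
    edit "port1"
        set allowaccess ping https ssh fgfm probe-response
    next
    edit "port2"
        set allowaccess ping https ssh fgfm probe-response
    next
end
```

To confirm that the probe reaches the unit and is answered, sniff it on the primary: `diagnose sniffer packet any 'host 168.63.129.16 and port 8008' 4`. On the passive unit the same capture shows requests arriving but no replies, which is the unhealthy state Slide 12 expects.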

Slide 17

Static Route: Static Route to Azure DNS / load balancer probe source, 168.63.129.16/32 via the interface gateway IP and interface name (see https://learn.microsoft.com/en-us/azure/load-balancer/load-balancer-custom-probe-overview#probe-source-ip-address). You MUST ALLOW 168.63.129.16/32 in any Azure NSG (the default AllowAzureLoadBalancerInBound rule covers it unless a higher-priority custom rule denies it) and on the FortiGate (the probe targets the FortiGate itself, so it is admitted by allowaccess probe-response on the probed interface rather than by a transit firewall policy).

Slide 18

Static Route: Route via External Interface (External CIDRs via the External Interface GW IP and External Interface Name)

Slide 19

Static Route: Route via Internal Interface (Internal CIDRs via the Internal Interface GW IP and Internal Interface Name)

Slide 20

Firewall Policy: NAT should be disabled. Since East-West (spoke-to-spoke) VNet traffic is required, it needs an explicit policy (both ingress and egress on the internal interface), otherwise the implicit default denies it!!! Please configure the FGT firewall policy according to your actual situation.
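The static routes of Slides 17 to 19 and the firewall policy of Slide 20 as one added example (not from the deck or from the Fortinet template). The subnet gateways 172.16.0.1 (port1) and 172.16.0.65 (port2) are assumed from the LB frontends 172.16.0.10 and 172.16.0.68 sitting in adjacent /26 subnets; the external CIDR 10.0.0.0/8 and the spoke CIDR 192.168.0.0/16 are placeholders to replace with your own.

```text
# FortiOS CLI (added example). All addresses below are assumptions.
config router static
    # Probe source: one route per probed interface, so each load balancer's
    # probe is answered on the interface it arrived on.
    edit 1
        set dst 168.63.129.16 255.255.255.255
        set device "port1"
        set gateway 172.16.0.1
    next
    edit 2
        set dst 168.63.129.16 255.255.255.255
        set device "port2"
        set gateway 172.16.0.65
    next
    # External CIDRs, reached through the external private LB side
    edit 3
        set dst 10.0.0.0 255.0.0.0
        set device "port1"
        set gateway 172.16.0.1
    next
    # Internal CIDRs: the peered spoke VNets behind the ILB
    edit 4
        set dst 192.168.0.0 255.255.0.0
        set device "port2"
        set gateway 172.16.0.65
    next
end

config firewall address
    edit "spoke-vnets"
        set subnet 192.168.0.0 255.255.0.0
    next
    edit "external-cidrs"
        set subnet 10.0.0.0 255.0.0.0
    next
end

config firewall policy
    # East-west: spoke-to-spoke traffic enters and leaves on port2.
    # Without this policy the implicit deny drops it.
    edit 1
        set name "spoke-to-spoke"
        set srcintf "port2"
        set dstintf "port2"
        set srcaddr "spoke-vnets"
        set dstaddr "spoke-vnets"
        set action accept
        set schedule "always"
        set service "ALL"
        set logtraffic all
        set nat disable
    next
    # North-south in both directions, also without NAT so the spokes
    # see the real source address.
    edit 2
        set name "external-to-spokes"
        set srcintf "port1"
        set dstintf "port2"
        set srcaddr "external-cidrs"
        set dstaddr "spoke-vnets"
        set action accept
        set schedule "always"
        set service "ALL"
        set logtraffic all
        set nat disable
    next
    edit 3
        set name "spokes-to-external"
        set srcintf "port2"
        set dstintf "port1"
        set srcaddr "spoke-vnets"
        set dstaddr "external-cidrs"
        set action accept
        set schedule "always"
        set service "ALL"
        set logtraffic all
        set nat disable
    next
end
```

`service "ALL"` is only for the reachability tests that follow; narrow it to the ports each spoke actually needs once the path works. NAT stays disabled because the ILB is only the UDR next hop: packets arrive with their real destination, so no DNAT is needed and a SNAT would hide the source from the spoke and from the logs.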

Slide 21

Scenario 1: FGT HA Failover Test

Slide 22

Scenario 1: FGT HA Failover Test (Before)

Slide 23

Scenario 1: FGT HA Failover Test (After)

Slide 24

Scenario 1: FGT HA Result (failover)

Slide 25

Scenario 1: FGT HA Result (failback)
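The CLI steps behind the before/after screenshots of Scenario 1, as an added example of running and verifying the failover from the FortiGate (not from the deck; `execute ha failover` exists from FortiOS 6.0, so check the CLI reference for your version):

```text
# FortiOS CLI (added example). Run on the current primary unit.
# Before: confirm which member is primary and that both configs are in sync.
get system ha status
diagnose sys ha checksum cluster

# Failover: force this unit to give up the primary role. The load balancers
# see it stop answering the TCP/8008 probe and the other member start
# answering; the UDR next hop (the ILB frontend) does not change.
execute ha failover set 1

# After: repeat on the new primary (reach it via its own mgmt address)
get system ha status

# Failback: clear the forced failover. Whether the original member takes the
# primary role back immediately depends on the cluster's override and
# priority settings.
execute ha failover unset 1
```

Watch the backend pool health on both load balancers while this runs: exactly one member should be healthy at any time, and sessions from the spokes resume once the probe flips, which is the result Slides 24 and 25 record.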

Slide 26

Scenario 2: Network Reachability

Slide 27

Scenario 2: Network Reachability Test (Blue)

Slide 28

Scenario 2: Network Reachability Test (Blue)

Slide 29

Scenario 2: Network Reachability Test (Green / Red)

Slide 30

Scenario 2: Network Reachability Test (Green / Red)

Slide 31

Scenario 2: Network Reachability Test (Yellow)

Slide 32

Scenario 2: Network Reachability Test (Yellow)

Slide 33

Scenario 3: Latency

Slide 34

Scenario 3: Latency. Since all my test VMs are B1ms models, which do not support Accelerated Networking, I did not perform this test.

Slide 35

Thank you