Active/Passive HA FortiGate Pair with External and Internal Azure Load Balancer Phil Huang Sr. Cloud Solution Architect | CNCF Ambassador 2024/10/27 Fortinet on Azure 

Fortinet/azure-templates 

Base: Fortinet / azure-templates https://github.com/fortinet/azure-templates/tree/main/FortiGate/Active-Passive-ELB-ILB 

Differences This templates mainly have internet capability, but I don't need internet connection here, so I added Private load balancer by myself. 

Azure 

Route Table View 

Effective Routes: vm-blue 

Effective Routes: vm-yellow Additional UDRs need to be written to override the Vnet Peering routes ILB 

Effective Routes: vm-red 

Effective Routes: vm-green Same as vm-red 

External/Internal Load Balancer: Health Probes The Health Probes will need to work with FGT’s internal setting “config system probe-respone” https://github.com/fortinet/azure-templates/blob/main/FortiGate/Active-Passive-ELB-ILB/doc/config-ha.md 

External/Internal Load Balancer: Health Probe Status If the FGT are configured in Active-Passive mode, it is expected that the 2nd firewall WILL NOT respond to Load Balancer 

External/Internal Load Balancer: Rules External Private LB Internal Private LB External Private LB (172.16.0.10) Internal Private LB (172.16.0.68) Traffic transiting via FGT VMs https://github.com/fortinet/azure-templates/blob/main/FortiGate/Active-Passive-ELB-ILB/doc/config-inbound-connections.md#when-to-enable-the-floating-ip-in-the-azure-load-balancing-rule Traffic transiting via FGT VMs If you will need to use Ipsec Tunnels, you will need to disable Floating IP 

FortiGate 

Interface View (FGT A) External Interface Internal Interface HA Sync Interface Mgmt Interface 

Enable Specific probe config on TCP/8008 https://community.fortinet.com/t5/FortiGate/Technical-Tip-FortiGate-VM-probe-on-Azure-or-AWS-load-balancer/ta-p/250184 

Static Route: Static Route to Azure DNS https://learn.microsoft.com/en-us/azure/load-balancer/load-balancer-custom-probe-overview#probe-source-ip-address 168.63.129.16/32 Interface GW IP Interface Name You MUST ALLOW 168.63.129.16/32 in any Azure NSG and FortiGate Firewall Policy 

Static Route: Route via External Interface External CIDRs External Interface GW IP External Interface Name 

Static Route: Route via Internal Interface Internal CIDRs Internal Interface GW IP Internal Interface Name 

Firewall Policy Should be disable NAT Since there is a need for East-West (Spoke to Spoke) Vnet traffic, this needs to be set specifically, otherwise the default will be denied !!! Please config the FGT Firewall Policy according to the actual situation 

Scenario 1: FGT HA Failover Test 

Scenario 1: FGT HA Failover Test Before 

Scenario 1: FGT HA Failover After 

Scenario 1: FGT HA Result (failover) 

Scenario 1: FGT HA Result (failback) 

Scenario 2: Network Reachable 

Scenario 2: Network Reachability Test (Blue) 

Scenario 2: Network Reachability Test (Blue) 

Scenario 2: Network Reachability Test (Green / Red) 

Scenario 2: Network Reachability Test (Green / Red) 

Scenario 2: Network Reachability Test (Yellow) 

Scenario 2: Network Reachability Test (Yellow) 

Scenario 3: Latency 

Scenario 3: Latency Since all my testing VM are b1ms models and do not support accelerated network capability, I do not perform this test 

Thank you