Connect to the FortiGates

This recipe is part of the process of deploying FortiGate HA for AWS. See below for the rest of the recipes in this process:

  1. Customize the CFT template
  2. Check the prerequisites
  3. Review the network failover diagram
  4. Invoke the CFT template
  5. Connect to the FortiGates
  6. [Connectivity test] Configure FortiGate firewall policy
  7. [Failover test] Shut down FortiGate A

  1. Log into FortiGate A by browsing to https://18.216.237.187, the address associated with its management port (your IP address will be different). The default username is admin, and the password is the instance ID, which you can find in the EC2 Console.
  2. Check that the license has been properly activated. This indicates that invoking the CFT template with the .lic file worked.

    If not, manually load the license in System > FortiGuard > FortiGate VM License. Ensure you have registered your serial numbers on https://support.fortinet.com and obtained the .lic files.
  3. Navigate to Network > Interfaces to see network configurations. These are the EC2 instance’s secondary interfaces.
  4. Navigate to System > HA. An active-passive cluster has been formed.
  5. Double-click the entry or click Edit to see the configuration page.

    If you do not see the proper configuration, it is highly likely that the two FortiGate configuration files were not properly triggered when the CFT deployment template was invoked. In this case, open the CLI console by clicking the icon in the top right corner and run the commands manually. Depending on the failure situation, FortiGate A may be up and running yet unreachable directly; in that case, log into FortiGate B first and connect to FortiGate A over SSH by entering exec ssh admin@192.168.3.11 in the CLI.
    When HA is configured properly, the output of show system ha matches the primary FortiGate configuration file.

    If HA failed to be configured, the show system ha output will not match that file.

    In this case, manually run the commands shown below on FortiGate A. If you make a mistake, run abort instead of end, then re-enter the commands. After configuring FortiGate A, wait until the system settles, then repeat the configuration on FortiGate B. Note that the primary and secondary configurations differ only in the priority values and the heartbeat peer IP addresses.

    FortiOS 5.6.3 and later:

    config system ha
         set group-name "test001"
         set mode a-p
         set hbdev "port3" 50
         set session-pickup enable
         set ha-mgmt-status enable
         config ha-mgmt-interface
              edit 1
                   set interface port4
                   set gateway 192.168.4.1
              next
         end
         set override disable
         set priority 255
         set unicast-hb enable
         set unicast-hb-peerip 192.168.3.12
    end

    FortiOS 5.4.5:

    config system ha
         set group-name "test001"
         set mode a-p
         set hbdev "port3" 50
         set session-pickup enable
         set ha-mgmt-status enable
         set ha-mgmt-interface "port4"
         set ha-mgmt-interface-gateway 192.168.4.1
         set override disable
         set priority 255
         set unicast-hb enable
         set unicast-hb-peerip 192.168.3.12
    end

  6. Navigate to Policy & Objects > IPv4 Policy and ensure a firewall policy was automatically created. This can also be seen in the primary FortiGate configuration file.
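As an added example (not part of this recipe or Fortinet's own tooling), the following Python renders the FortiOS 5.6.3-style HA block from step 5 for each cluster member and checks a captured show system ha output against it, so a mismatch can be spotted before moving on to the failover test. FortiGate B's priority (100) and heartbeat peer IP (192.168.3.11) are assumptions; the recipe only gives FortiGate A's values.

```python
import re

# FortiGate A's values come from the recipe; FortiGate B's priority and peer IP
# are assumptions (B gets the lower priority and points its heartbeat at A).
MEMBERS = {"A": {"priority": "255", "unicast-hb-peerip": "192.168.3.12"},
           "B": {"priority": "100", "unicast-hb-peerip": "192.168.3.11"}}  # B assumed
SHARED = {"group-name": '"test001"', "mode": "a-p", "hbdev": '"port3" 50',
          "session-pickup": "enable", "ha-mgmt-status": "enable",
          "override": "disable", "unicast-hb": "enable"}
MGMT_TABLE = ["    config ha-mgmt-interface", "        edit 1",
              "            set interface port4", "            set gateway 192.168.4.1",
              "        next", "    end"]

def expected_settings(member):
    """Top-level 'set' key/value pairs the HA block should yield for one member."""
    return {**SHARED, **MEMBERS[member]}

def render_ha_config(member):
    """Emit the recipe's FortiOS 5.6.3-style 'config system ha' block for A or B."""
    s = expected_settings(member)
    head = ["group-name", "mode", "hbdev", "session-pickup", "ha-mgmt-status"]
    tail = ["override", "priority", "unicast-hb", "unicast-hb-peerip"]
    return "\n".join(["config system ha"] + [f"    set {k} {s[k]}" for k in head]
                     + MGMT_TABLE + [f"    set {k} {s[k]}" for k in tail] + ["end"])

SET_RE = re.compile(r"^\s*set\s+(\S+)\s+(.*?)\s*$")

def parse_show_ha(output):
    """Collect top-level 'set' lines of a 'show system ha' capture; nested tables are skipped."""
    found, depth = {}, 0
    for line in output.splitlines():
        t = line.strip()
        if t.startswith("config ") and t != "config system ha":
            depth += 1          # entering ha-mgmt-interface (or another sub-table)
        elif t == "end" and depth:
            depth -= 1          # leaving it; the final 'end' closes system ha itself
        elif depth == 0 and (m := SET_RE.match(line)):
            found[m.group(1)] = m.group(2)
    return found

def check_ha(output, member):
    """Return {key: (expected, actual)} for settings missing or wrong; {} means it matches."""
    got = parse_show_ha(output)
    return {k: (v, got.get(k)) for k, v in expected_settings(member).items()
            if got.get(k) != v}

# Constructed sample: FortiGate A left partly unconfigured (standalone, default priority, no unicast heartbeat).
SAMPLE_BROKEN_A = render_ha_config("A").replace("set mode a-p", "set mode standalone") \
    .replace("set priority 255", "set priority 128") \
    .replace("    set unicast-hb enable\n    set unicast-hb-peerip 192.168.3.12\n", "")
```

Paste the output of show system ha from the CLI console into check_ha with the member letter; anything returned is a setting to re-enter before repeating the procedure on FortiGate B.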
