Deploying FortiGate Active-Passive HA for AWS (Unicast HA)


This recipe introduces the process of deploying FortiGate Active-Passive High Availability (HA) for AWS. See below for recipes in this process:

  1. Customize the CFT template
  2. Check the prerequisites
  3. Review the network failover diagram
  4. Invoke the CFT template
  5. Connect to the FortiGates
  6. [Connectivity test] Configure FortiGate firewall policy
  7. [Failover test] Shut down FortiGate A

FortiGate supports Active-Passive HA on AWS, with two FortiGate instances synchronizing configuration and sessions, on FortiOS versions 5.4.5 and 5.6.3+. This FortiGate native mechanism achieves HA without using AWS clustering or load-balancing technologies. One instance runs as the primary/master, while the other runs as the secondary/slave (hereafter referred to as “primary”/“FortiGate A” and “secondary”/“FortiGate B”, respectively). When the primary fails to operate, the secondary automatically promotes itself to primary.

To deploy this HA, you generally do not launch the FortiGate EC2 instances directly from the AWS Marketplace portal. Instead, you kick off the deployment using CloudFormation templates (CFT).

See below for FortiGate product listings on AWS:

  • BYOL:
  • On-Demand: