Review the network failover diagram


This recipe is part of the process of deploying FortiGate HA for AWS. See below for the rest of the recipes in this process:

  1. Customize the CFT template
  2. Check the prerequisites
  3. Review the network failover diagram
  4. Invoke the CFT template
  5. Connect to the FortiGates
  6. [Connectivity test] Configure FortiGate firewall policy
  7. [Failover test] Shut down FortiGate A

The following network diagram illustrates a failover event. Note that the IP addresses shown here are only examples. You can modify them according to your environment:

When FortiGate A fails, its eth0’s secondary IP address,, which was originally assigned to FortiGate A’s port 1, moves to FortiGate B’s port 1. At the same time, eth1’s secondary IP address,, FortiGate A’s port 2, moves to FortiGate B’s port 2. These moves are represented as blue arrows in the diagram. An elastic IP address associated with is considered the front-end main public IP address, accessible even after the primary-secondary roles switch between the two FortiGates or when one FortiGate is shut down.
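One way to confirm the move described above after a failover test is to compare the interface state before and after. This is an added example, not part of the original recipe or Fortinet's tooling. The data is constructed in the shape of the `NetworkInterfaces` list returned by `aws ec2 describe-network-interfaces`, and the instance IDs, addresses, and the choice of which secondary address carries the elastic IP are assumptions.

```python
# Constructed sample data shaped like the "NetworkInterfaces" list returned by
# `aws ec2 describe-network-interfaces`; all IDs and addresses are made up.
def eni(instance, index, primary, secondary=None, eip=None):
    ips = [{"PrivateIpAddress": primary, "Primary": True}]
    if secondary:
        assoc = {"Association": {"PublicIp": eip}} if eip else {}
        ips.append({"PrivateIpAddress": secondary, "Primary": False, **assoc})
    return {"Attachment": {"InstanceId": instance, "DeviceIndex": index},
            "PrivateIpAddresses": ips}

# Device index 0 is eth0 (port 1), device index 1 is eth1 (port 2).
BEFORE = [eni("i-fgtA", 0, "10.0.0.11", "10.0.0.13", "203.0.113.10"),
          eni("i-fgtA", 1, "10.0.1.11", "10.0.1.13"),
          eni("i-fgtB", 0, "10.0.0.12"),
          eni("i-fgtB", 1, "10.0.1.12")]
AFTER = [eni("i-fgtA", 0, "10.0.0.11"),
         eni("i-fgtA", 1, "10.0.1.11"),
         eni("i-fgtB", 0, "10.0.0.12", "10.0.0.13", "203.0.113.10"),
         eni("i-fgtB", 1, "10.0.1.12", "10.0.1.13")]

def secondary_ips(enis):
    """Map each secondary private IP to (instance, device index, EIP or None)."""
    found = {}
    for e in enis:
        att = e.get("Attachment", {})
        for ip in e["PrivateIpAddresses"]:
            if not ip["Primary"]:
                found[ip["PrivateIpAddress"]] = (
                    att.get("InstanceId"), att.get("DeviceIndex"),
                    ip.get("Association", {}).get("PublicIp"))
    return found

def check_failover(before, after, failed_instance):
    """Return a list of problems; an empty list means the move completed."""
    problems = []
    now = secondary_ips(after)
    for addr, (inst, idx, eip) in secondary_ips(before).items():
        if inst != failed_instance:
            continue  # only addresses that lived on the failed unit must move
        if addr not in now:
            problems.append(f"{addr} is not assigned to any interface")
            continue
        new_inst, new_idx, new_eip = now[addr]
        if new_inst == failed_instance:
            problems.append(f"{addr} is still on {failed_instance}")
        if new_idx != idx:
            problems.append(f"{addr} moved from device {idx} to {new_idx}")
        if new_eip != eip:
            problems.append(f"{addr} lost elastic IP {eip}")
    return problems
```

To run it against a real deployment, pass the `NetworkInterfaces` lists captured before and after shutting down FortiGate A in place of `BEFORE` and `AFTER`.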