
Best Practices from Oracle Development's A‑Team

Fortinet FortiGate on OCI - High Availability (HA)

Ionut Neubauer
Principal Solutions Architect

Overview

The purpose of this document is to help with configuring FortiGate HA on Oracle Cloud Infrastructure (OCI). Basic OCI and FortiGate experience is recommended.

This configuration was validated using FortiGate version 6.2.0.

For more details on how to use FortiGate products, please visit their official site. FortiGate documentation for HA or manual deployment can be found at https://docs2.fortinet.com/vm/oci/fortigate/6.2/oci-cookbook/6.2.0/138784/ha-for-fortigate-vm-on-oci.

Caveats and Limitations

FortiGate on OCI Marketplace

At this moment, OCI Marketplace contains two FortiGate releases: version 6.0.4/6.0.5 and version 6.2.0. Each version has two working modes, Paravirtualized Mode and Emulated Mode. It is recommended to use the latest version in Paravirtualized Mode.

The license for FortiGate on OCI changed with version 6.0.2. FortiGate-VM licensing does not restrict the FortiGate from working on a public-cloud VM instance that has more vCPUs than the license allows: the number of vCPUs indicated by the license does not stop the FortiGate from working, regardless of how many vCPUs the virtual instance includes. However, only the licensed number of vCPUs process traffic and management; the rest of the vCPUs are unused.

https://docs2.fortinet.com/vm/oci/fortigate/6.0/about-fortigate-for-oci/6.0.0/43335/models

This new license model works only on version 6. An active FortiGate-VM license can work on version 5 and version 6.

A trial or permanent license needs to be used to be able to configure FortiGate.

For installing FortiGate-VM on OCI read this page:

https://www.ateam-oracle.com/fortinet-fortigate-oci-installation


FortiGate-VM in HA - Configuration


Step by step


Step 1. Solution description.

Step 2. Configure Fortinet Fabric Connectors.

Step 3. Configure FortiGate-VM in HA mode

Step 4. Test


Step 1. Solution description.


Fortinet uses a solution called Fabric Connectors to interact with the Oracle Cloud Infrastructure (OCI) API. This allows FortiGate to read data and modify different objects in each OCI tenancy where FortiGate-VM is deployed.

More details can be found at Fortinet official site https://www.fortinet.com/solutions/enterprise-midsize-business/fabric-connectors.html.


To give an example, when creating an "Address" in "Policy & Objects", Fabric Connectors can read data from each OCI Instance and display all IP addresses assigned.

From "Policy & Objects" ==> "Addresses", click on the "Create New" button and select "Address".


In the new window select and add the following details:

"Name" ==> A name for the new "Address" object.

"Type" ==> Select "Fabric Connector Address".

"SDN Connector" ==> Select Fabric Connector. We will describe later how to create one.

"SDN address type" ==> This will gather private, public or both types of IP addresses.

"Filter" ==> Can filter by multiple OCI objects (Compartment ID, Compartment Name, Defined Tag, Instance ID, Namespace, VM Name).


Save configuration by clicking on the OK button.


The newly created "Address" object will display an error at the beginning, until data is read from OCI. Usually this takes 5-10 seconds. Need to update with refresh period for collecting data.


After data is collected, you can see all IP addresses if you put your mouse cursor over the object name. In our case, the object contains private and public IP addresses because we selected the "All" option in "SDN address type".


This was just an example of how you can use Fortinet Fabric Connectors to read data from OCI. Next we go into more detail on how to create a FortiGate-VM cluster with HA using Fabric Connectors.


Step 2. Configure Fortinet Fabric Connectors.


To be able to provide HA for traffic inside OCI, FortiGate uses a feature called Floating IP address. This solution can work only in Active-Passive mode. The VIP is an IP address configured on the LAN interface that is switched from one FortiGate VM to the other in case of failover. Basically, by using the Fabric Connectors and the OCI API, OCI can natively move a secondary IP address from one VM to another. Keep in mind that each OCI VM interface (primary or secondary) has a primary IP address, and this primary IP address cannot be moved between VMs. For each interface (primary or secondary) you can assign one or multiple secondary IP addresses, and only secondary IP addresses can be moved between VMs.

More details about OCI secondary IP addresses can be found at https://docs.cloud.oracle.com/iaas/Content/Network/Tasks/managingIPaddresses.htm.


Before starting, keep in mind that all requests from Fabric Connectors are sent through the Management interface. The Management interface, by default, is port1 on FortiGate. This port uses DHCP by default and is the primary interface that OCI assigns to the instance. All other interfaces (except the primary interface) on OCI do not offer DHCP, so an IP address needs to be assigned manually for each additional FortiGate port.

FortiGate-VM HA uses at least two interfaces. Port1 (Management interface) is used to access FortiGate over SSH or the GUI. A second port (it doesn't have to be port2) is needed on each FortiGate to synchronise with the other unit and to send heartbeats (keep-alive packets). All other interfaces are used as a gateway for OCI VMs or to connect to the Internet.
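The floating-IP mechanism above depends on the VIP being a secondary private IP, because OCI never moves a VNIC's primary IP. The following added example (not code from the article or from Fortinet) checks that property on the output of the OCI CLI's private-ip listing and reports which VNIC currently owns the VIP, which is a useful post-failover check. The JSON sample is constructed to mimic `oci network private-ip list` output; the OCIDs and addresses are placeholders.

```python
import json

# Constructed sample shaped like `oci network private-ip list --vnic-id <vnic>`
# output gathered for the two FortiGate LAN VNICs. OCIDs are placeholders.
SAMPLE_PRIVATE_IPS = json.loads("""
{"data": [
  {"id": "ocid1.privateip.oc1..fgt-a-primary", "ip-address": "10.0.1.10",
   "is-primary": true,  "vnic-id": "ocid1.vnic.oc1..fgt-a-lan"},
  {"id": "ocid1.privateip.oc1..floating",      "ip-address": "10.0.1.100",
   "is-primary": false, "vnic-id": "ocid1.vnic.oc1..fgt-a-lan"},
  {"id": "ocid1.privateip.oc1..fgt-b-primary", "ip-address": "10.0.1.11",
   "is-primary": true,  "vnic-id": "ocid1.vnic.oc1..fgt-b-lan"}
]}
""")["data"]


def find_ip(private_ips, ip_address):
    """Return the PrivateIp record for ip_address, or None if not listed."""
    return next((r for r in private_ips if r["ip-address"] == ip_address), None)


def floating_ip_owner(private_ips, floating_ip):
    """OCID of the VNIC that currently holds the HA floating IP.

    Raises ValueError if the address is absent or is a VNIC's primary IP,
    since OCI only moves secondary private IPs between VNICs.
    """
    rec = find_ip(private_ips, floating_ip)
    if rec is None:
        raise ValueError(f"{floating_ip} is not assigned to any listed VNIC")
    if rec["is-primary"]:
        raise ValueError(f"{floating_ip} is a primary IP and cannot fail over")
    return rec["vnic-id"]


def is_on_master(private_ips, floating_ip, master_vnic_id):
    """True when the floating IP sits on the VNIC of the expected Master unit."""
    return floating_ip_owner(private_ips, floating_ip) == master_vnic_id


def move_command(private_ips, floating_ip, target_vnic_id):
    """Build (without running) the OCI CLI call that re-homes the secondary IP.

    This is the same API operation the Fabric Connector performs on failover.
    """
    rec = find_ip(private_ips, floating_ip)
    if rec is None or rec["is-primary"]:
        raise ValueError(f"{floating_ip} is not a movable secondary IP")
    return ["oci", "network", "private-ip", "update",
            "--private-ip-id", rec["id"], "--vnic-id", target_vnic_id]
```

Feed it the real CLI output for each FortiGate's LAN VNIC to confirm, after a forced failover, that the VIP has moved to the new Master.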


To start configuring the Fabric Connectors, select "Security Fabric" ==> "Fabric Connectors" and click the "Create New" button.


This will display a list with different Providers.


Select "Oracle Cloud Infrastructure(OCI)" from "Public SDN" list. The configuration page for a "New Fabric Connector" will be displayed.

Before starting the configuration, we need to describe the "Use metadata IAM" option. This option changes how the Fabric Connector authenticates to the OCI API. OCI supports two different methods for API authentication.


One authentication method uses a native OCI feature called "Dynamic groups" ("Instance Principals"); the other uses "API Signing Keys".


More details can be found at the official OCI documentation:


Without the "Use metadata IAM" option.


After configuring the Fabric Connector, the "OCI Connector" will be displayed in the "Fabric Connectors" page. The "OCI Connector" has the following options:

  •  ==> Enable or disable the Fabric Connector.
  •  ==> Refresh the status of the Fabric Connector.
  •  ==> The Fabric Connector has successfully connected to the OCI API. This will change to colour red in case of not being able to connect to the OCI API.


Step 3. Configure FortiGate-VM in HA mode


Before starting, remember that you need a second port (it doesn't have to be port2) to synchronise the two FortiGates and to send heartbeats (keep-alive packets).

To add a secondary interface on OCI, select "Compute" ==> "Instance" ==> "Instance Details" ==> "Attached VNICs". Here you need to create a new vNIC that will be part of a specific subnet/VCN. Remember that you can add a vNIC in an already used subnet/VCN.


Now we need to configure each new OCI interface added on FortiGate.


Select the new interface and click on the "Edit" button. On the "Edit Interface" page we need to add the following details:

  • "Alias" ==> A name for the selected interface.
  • "Addressing mode" ==> Select "Manual" because all other interfaces (except the primary interface) on OCI will not offer DHCP.
  • "IP/Network Mask" ==> IP address assigned by OCI.


Save the settings by clicking on the OK button.


Now we need to configure FortiGate in HA mode. To do this, we need to go to "System" ==> "HA". Here we need to add the following details:

  • "Mode" ==> Select "Active-Passive" mode.
  • "Device priority" ==> By default it has a priority of 100. The node with the bigger value becomes the Master node.
  • "Group name" ==> A name to describe the cluster group.
  • "Password" ==> Used to protect the link between the two FortiGate VMs participating in HA.
  • "Session pickup" ==> Synchronises the primary unit's TCP session table to all cluster units.
  • "Heartbeat interfaces" ==> Interface dedicated for heartbeat.
  • "Interface" ==> Select the Management interface used to connect to the OCI API.
  • "Gateway" ==> Add the gateway used for the Management interface.
  • "Peer IP" ==> IP address from the second FortiGate VM.


The same setup needs to be done on the second FortiGate VM participating in HA.


After finishing the configuration, the two FortiGate VMs should be in sync and the one with the highest priority will be the Master. A successful sync state is indicated by the sync symbol.


This is the end of the configuration. Please conduct basic test scenarios.

