
How to Configure an IP Pool on FortiGate HA in Azure with SDN Connector to Ensure Seamless Failover

This article describes how to configure an IP Pool on a FortiGate HA (High Availability) cluster deployed in Azure using the SDN connector. This is useful when one or more internal hosts need to be NATed behind a different public IP.

The challenge addressed here is that the primary and secondary FortiGate units have different private IPs on their port1 (WAN) interface, so a single synchronised IP Pool cannot match both; the configuration below keeps failover and traffic handling seamless despite that difference. This article complements Technical Tip: Configuring VIP on FortiGate HA in Azure with SDN Connector: Ensuring Seamless Failov…

Both articles can be used together to cover both traffic directions: a VIP for inbound traffic to expose a service, and an IP Pool to force outbound traffic to the internet to use a specific NAT IP.

Scope

FortiGate, Azure, Cluster, IP Pool

Solution


FortiGate NIC1 IP configuration summary from Azure:

VM    | Name      | IP Version | Type      | Private IP Address    | Public IP Address
FGT-A | ipconfig1 | IPv4       | Primary   | 172.16.32.4 (Static)  | 108.142.167.8 (jd-FGT-PIP)
FGT-A | ipconfig2 | IPv4       | Secondary | 172.16.32.10 (Static) | 108.142.167.202 (pip-jd-vnet-westeurope-01)
FGT-B | ipconfig1 | IPv4       | Primary   | 172.16.32.5 (Static)  | –
FGT-B | ipconfig2 | IPv4       | Secondary | 172.16.32.11 (Static) | –

Step 1: Create a VDOM exception on the active unit. This excludes the firewall.ippool object from HA configuration synchronisation, so each cluster member can keep its own IP Pool range:

config system vdom-exception
    edit 1
        set object firewall.ippool
    next
end

Step 2: Create an IP Pool with the same name on both cluster members. On each unit, set the ‘External IP Range’ to that unit's own ipconfig2 private IP from the table above.

FGT-A IP-pool

FGT-B IP-pool

Step 3: Add the new public IP to the SDN Connector on both FortiGates.
Example for FGT-A:

config system sdn-connector
    edit "AzureSDN"
        set type azure
        set ha-status enable
        set subscription-id "a90dc88c-8dd5-4f94-a346-96eca9d90e0e"
        set resource-group "diasj-ippoolkb"
        config nic
            edit "jd-FGT-A-Nic1"
                config ip
                    edit "ipconfig1"
                        set public-ip "jd-FGT-PIP"
                    next
                    edit "ipconfig2"
                        set public-ip "pip-jd-vnet-westeurope-01"
                    next
                end
            next
        end
.......

Step 4: The following image summarises the configuration in Azure versus the configuration on both FortiGates.


Step 5: Create the firewall policy with NAT enabled, using the IP Pool just created.

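Steps 2, 3 and 5 are easy to get subtly wrong when the IP Pool is copied from one unit to the other, and the mistake only shows up after a failover. The following added example (not Fortinet code, and not part of the original article) parses the per-unit FortiOS CLI fragments those steps produce and checks the three invariants the design relies on: each unit's pool points at its own ipconfig2 private IP, both units use the same pool name, and the SDN connector on both units maps ipconfig2 to the same Azure public IP name. The Azure private IPs, the public IP name and FGT-A's NIC name are taken from the article; FGT-B's NIC name, the pool name and the policy object names are assumed placeholders.

```python
"""Preflight consistency check for IP Pool egress NAT on a FortiGate HA pair in
Azure.  Added example, not Fortinet code: it parses constructed per-unit CLI
fragments and checks the invariants the article's steps 2, 3 and 5 rely on."""
import shlex

# ipconfig2 private IPs from the article's Azure NIC table.
AZURE_IPCONFIG2 = {"FGT-A": "172.16.32.10", "FGT-B": "172.16.32.11"}
FLOATING_PIP = "pip-jd-vnet-westeurope-01"  # public IP that follows the primary
# FGT-A's NIC name is from the article; FGT-B's is an assumed placeholder.
NIC_NAMES = {"FGT-A": "jd-FGT-A-Nic1", "FGT-B": "jd-FGT-B-Nic1"}


def parse_fortios(text):
    """Parse FortiOS CLI text (config/edit/set/next/end) into nested dicts."""
    stack = [{}]
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        cmd, *args = shlex.split(line)
        node = stack[-1]
        if cmd == "config":            # open a table, e.g. "firewall ippool"
            stack.append(node.setdefault(" ".join(args), {}))
        elif cmd == "edit":            # open one entry of the current table
            stack.append(node.setdefault(args[0], {}))
        elif cmd == "set":             # scalar value, or list for multi-value sets
            node[args[0]] = args[1] if len(args) == 2 else args[1:]
        elif cmd in ("next", "end"):   # close the entry / table
            stack.pop()
        else:
            raise ValueError(f"unsupported FortiOS line: {line!r}")
    return stack[0]


def unit_config(unit, pool_name, pool_ip, pip_name):
    """Constructed per-unit CLI fragment: pool, SDN NIC mapping and NAT policy.
    Pool name and policy settings are assumed, not taken from the article."""
    return f"""
config firewall ippool
    edit "{pool_name}"
        set startip {pool_ip}
        set endip {pool_ip}
    next
end
config system sdn-connector
    edit "AzureSDN"
        set ha-status enable
        config nic
            edit "{NIC_NAMES[unit]}"
                config ip
                    edit "ipconfig2"
                        set public-ip "{pip_name}"
                    next
                end
            next
        end
    next
end
config firewall policy
    edit 1
        set nat enable
        set ippool enable
        set poolname "{pool_name}"
    next
end
"""


def check_unit(unit, cfg_text):
    """Findings for one unit; an empty list means it is consistent with Azure."""
    cfg, found = parse_fortios(cfg_text), []
    own_ip = AZURE_IPCONFIG2[unit]
    pools = cfg.get("firewall ippool", {})
    for name, pool in pools.items():      # pool must be this unit's OWN ipconfig2
        if (pool.get("startip"), pool.get("endip")) != (own_ip, own_ip):
            found.append(f"{unit}: ippool {name} must be {own_ip}-{own_ip} (own ipconfig2)")
    ipcfg = (cfg.get("system sdn-connector", {}).get("AzureSDN", {})
             .get("nic", {}).get(NIC_NAMES[unit], {}).get("ip", {}))
    if ipcfg.get("ipconfig2", {}).get("public-ip") != FLOATING_PIP:
        found.append(f"{unit}: SDN connector must map ipconfig2 of {NIC_NAMES[unit]} to {FLOATING_PIP}")
    for pid, pol in cfg.get("firewall policy", {}).items():
        if pol.get("ippool") == "enable" and (pol.get("nat") != "enable" or pol.get("poolname") not in pools):
            found.append(f"{unit}: policy {pid} needs nat enable and a poolname that exists on this unit")
    return found


def check_cluster(configs):
    """Per-unit checks plus the cross-unit rule: one pool name on both members."""
    found = [f for unit, text in configs.items() for f in check_unit(unit, text)]
    names = {unit: frozenset(parse_fortios(text).get("firewall ippool", {})) for unit, text in configs.items()}
    if len(set(names.values())) != 1:
        found.append(f"ippool names differ between units: {names}")
    return found


# Correct deployment: same pool name, each unit's own ipconfig2, same public IP name.
GOOD = {u: unit_config(u, "pool-egress", AZURE_IPCONFIG2[u], FLOATING_PIP) for u in AZURE_IPCONFIG2}
# Common mistake: FGT-B's pool copied from FGT-A, so it points at .10 instead of its own .11.
BAD = dict(GOOD, **{"FGT-B": unit_config("FGT-B", "pool-egress", "172.16.32.10", FLOATING_PIP)})
```

Running `check_cluster(GOOD)` returns an empty list, while `check_cluster(BAD)` reports the FGT-B pool pointing at FGT-A's address. The pool-name check matters because the firewall policy is synchronised between members and references the pool by name; the pool range is deliberately not synchronised (step 1), which is exactly why it has to be verified per unit.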

Step 6: Validate the outgoing IP address from a VM behind the cluster on a ‘Protected network’, using Windows CMD or Linux Bash:

curl ifconfig.me
108.142.167.202

If the SDN connector's Azure identity has the required permissions, both public IPs move to the new primary unit during a failover event and are matched to the correct IP Pool configuration on that unit.