This article describes how to configure Virtual IPs (VIPs) on a FortiGate-VM Active-Passive HA cluster so that inbound traffic to the VIP keeps working after a failover. On public cloud, each cluster member has its own external IP, so a VIP bound to only the primary's address stops matching once the secondary becomes active.
Scope
FortiGate-VM, AWS-FortiGate, Azure-FortiGate, GCP-FortiGate, OCI-FortiGate, or any other FortiGate-VMs hosted on Public Cloud.
Solution
There are two different ways to implement VIPs on a FortiGate-VM HA cluster:
Option 1: On the Primary FortiGate, create a separate VIP for each FortiGate's external IP, and put both of them in the firewall policy as the destination:
On Primary FortiGate:
- VIP1: FGT-A External IP:Port => Server IP:Port
- VIP2: FGT-B External IP:Port => Server IP:Port
Option 2: Add the VIP object type to the vdom-exception list to prevent the VIPs from syncing between the FortiGates, then create the VIP separately on each FortiGate with the same name and put it in the firewall policy as the destination:
config system vdom-exception
    edit 1
        set object firewall.vip
    next
end
On Primary FortiGate:
- VIP: FGT-A External IP:Port => Server IP:Port
On Secondary FortiGate:
- VIP: FGT-B External IP:Port => Server IP:Port
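Option 2 worked through end to end, as an added example rather than configuration taken from the article. Interface names, the server address and the two extip values are assumptions; on AWS/Azure-style deployments the extip is each node's own port1 private address, behind which the cloud maps that node's public IP.

```fortios
# Constructed example, not from the article. IPs, ports and interface names are assumptions.
# Step 1, on the primary: exclude VIP objects from HA synchronization so each node
# can keep its own extip under the same object name.
config system vdom-exception
    edit 1
        set object firewall.vip
    next
end

# Step 2a, on FGT-A: VIP named "VIP-Server" using FGT-A's own port1 address.
config firewall vip
    edit "VIP-Server"
        set extintf "port1"
        set extip 10.0.0.10
        set portforward enable
        set extport 443
        set mappedip "10.0.1.20"
        set mappedport 443
    next
end

# Step 2b, on FGT-B: identical object name, FGT-B's own port1 address.
config firewall vip
    edit "VIP-Server"
        set extintf "port1"
        set extip 10.0.0.11
        set portforward enable
        set extport 443
        set mappedip "10.0.1.20"
        set mappedport 443
    next
end

# Step 3: the policy syncs normally and references the VIP by name only,
# so it stays valid on whichever node is active after a failover.
config firewall policy
    edit 1
        set name "Inbound-HTTPS-to-Server"
        set srcintf "port1"
        set dstintf "port2"
        set srcaddr "all"
        set dstaddr "VIP-Server"
        set action accept
        set schedule "always"
        set service "HTTPS"
    next
end
```

After applying this on both members, `get system ha status` on the primary should still report each member as in-sync, since the differing VIP objects are no longer part of the synchronized configuration; if it does not, check that the vdom-exception entry exists before the per-node VIPs were created.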