FortiGate Deployment
In this section, we'll deploy FortiGate firewalls in a high-availability configuration with load balancers to provide robust security for your connectivity hub. You may have heard the term Load Balancer (LB) sandwich: we deploy the firewalls between two LB instances so that traffic between services behind and in front of the firewalls flows symmetrically, and each connection is inspected by the same firewall in both directions.
On this page
- High Availability Overview
- Understanding Availability Zones
- Template Deployment
- Configuration Parameters
- Load Balancer Setup
- Licensing Configuration
- Deployment Verification
High Availability Overview
We are now ready to deploy the HA FortiGates using a template. For additional information regarding the various templates available and their respective failover SLAs, please see the FortiGate Azure Administration Guide.
Template Deployment
- In the top left corner of the screen, click on rg-hub-azlab in the breadcrumb trail.
- Click on Create.
- Enter Fortigate in the search box, then click on Fortinet FortiGate Next-Generation Firewall.
- Click on the dropdown for Create for Fortinet FortiGate Next-Generation Firewall (not the option that ends with VM).
- Click on Active-Passive HA with ELB/ILB in the drop down menu.
Configuration Parameters
- Select rg-hub-azlab in the Resource group drop down.
- Set region to Central Canada.
- Set the FortiGate administrative username to fortinetuser
- Set the password to PizzaDay12345!
- Type the same password in the Confirm password box: PizzaDay12345!
- Set the FortiGate Name Prefix to azlab
- Click Next.
- Ensure FortiGate Image Version is set to 7.4.8.
- Ensure Availability Option is set to Availability Zones.
Understanding Availability Zones
What are availability zones?
Wouldn't it be nice if we all had a spare home if something were to happen to one of them? Availability zones help create redundancy and high availability.
According to learn.microsoft.com, Availability Zones are separated groups of datacenters within a region. Each availability zone has independent power, cooling, and networking infrastructure, so that if one zone experiences an outage, then regional services, capacity, and high availability are supported by the remaining zones.
Need to replicate the diagram below.
Licensing Configuration
- Scroll down.
- Check the 'My organization is using the FortiFlex subscription service' box.
- You were provided FortiFlex tokens; use those tokens to license these firewalls. Do not copy the tokens in the screenshot below.
- Enter one of the provided tokens for FortiGate A.
- Enter one of the provided tokens for FortiGate B.
- Click Next.
- Click Next.
- We will now map the subnets we created earlier to the FortiGate.
- Click on the drop down menu beside Virtual network and select vnet-hub-azlab.
- Click on the dropdown menu beside External subnet and select Public.
- Click on the dropdown menu beside Internal subnet and select Private.
- Click on the HA Sync subnet dropdown and select HA_Intra-Cluster.
- Click on the HA Management subnet dropdown and select Management.
- Notice we are also creating a new subnet called Protected A subnet; leave it at the default setting.
- If needed, scroll down to Accelerated networking and select Disabled.
- Confirm your configuration looks like the screenshot below.
Load Balancer Setup
- Now we will create public IP addresses for the external load balancer and the FortiGate management interfaces.
- Click Create new under the External Load Balancer and edit the name to match the screenshot below.
- Click OK at the bottom of the screen.
- Repeat this process for the FortiGate A and B management interfaces and match the names in the screenshots below.
FortiGate A and FortiGate B:
- When you are finished, ensure your configuration looks like the screenshot below.
- Click Next at the bottom of the page until you reach the Review and create page.
- Allow the final validation to run. This may take up to 30 seconds.
- Click Create at the bottom of the page.
Deployment Verification
- Eventually your screen will refresh and show something similar to the one below. The HA configuration pushed to the FortiGates is shown here as FortiOS CLI, with the a-p mode, the heartbeat device and the dedicated HA management settings:

```
config system ha
    set group-name "azure-ha-cluster"
    set mode a-p
    set hbdev "port3" 50
    set ha-mgmt-status enable
    set ha-direct enable
end
```

- When your deployment is complete it will look similar to the screenshot below. This can take a few minutes to display.
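As an added verification aid (not part of the lab or of Fortinet's template), the check below consumes the JSON that `az vm list -g rg-hub-azlab -o json` and `az network vnet subnet list -g rg-hub-azlab --vnet-name vnet-hub-azlab -o json` return and confirms two things the lab relies on: the two FortiGates with the azlab name prefix landed in different availability zones, and the four subnets mapped in the template exist. The VM names and address prefixes in the embedded sample are constructed; only the resource group, VNet, name prefix and subnet names come from the lab.

```python
import json

# Values from the lab; everything else in the samples below is constructed.
RESOURCE_GROUP = "rg-hub-azlab"
VNET_NAME = "vnet-hub-azlab"
FGT_PREFIX = "azlab"
REQUIRED_SUBNETS = {"Public", "Private", "HA_Intra-Cluster", "Management"}

# Constructed stand-in for `az vm list` output (only the fields used here).
SAMPLE_VMS = json.loads("""[
  {"name": "azlab-fgt-a", "location": "canadacentral", "zones": ["1"]},
  {"name": "azlab-fgt-b", "location": "canadacentral", "zones": ["2"]},
  {"name": "vm-jumpbox",  "location": "canadacentral", "zones": null}
]""")

# Constructed stand-in for `az network vnet subnet list` output.
SAMPLE_SUBNETS = json.loads("""[
  {"name": "Public",           "addressPrefix": "10.0.1.0/24"},
  {"name": "Private",          "addressPrefix": "10.0.2.0/24"},
  {"name": "HA_Intra-Cluster", "addressPrefix": "10.0.3.0/24"},
  {"name": "Management",       "addressPrefix": "10.0.4.0/24"}
]""")


def fortigate_zones(vms, prefix=FGT_PREFIX):
    """Map each FortiGate VM (selected by name prefix) to its zone, or None
    when the VM is regional (Azure reports zones as null or an empty list)."""
    return {vm["name"]: (vm.get("zones") or [None])[0]
            for vm in vms if vm["name"].lower().startswith(prefix.lower())}


def check_ha_zones(vms, prefix=FGT_PREFIX):
    """Return findings; an empty list means the cluster is zone-redundant."""
    zones = fortigate_zones(vms, prefix)
    findings = []
    if len(zones) != 2:
        findings.append(f"expected 2 FortiGate VMs with prefix {prefix!r}, found {len(zones)}")
    for name, zone in zones.items():
        if zone is None:
            findings.append(f"{name} has no availability zone (regional VM)")
    if len(zones) == 2 and None not in zones.values() and len(set(zones.values())) == 1:
        findings.append("both FortiGates share one zone: a zone outage takes down the cluster")
    return findings


def check_subnets(subnets, required=REQUIRED_SUBNETS):
    """Return the required subnet names missing from the VNet, sorted."""
    return sorted(required - {s["name"] for s in subnets})


def verify_deployment(vms, subnets):
    """Combine both checks into one list of findings for the lab VNet."""
    return check_ha_zones(vms) + [f"missing subnet {n} in {VNET_NAME}" for n in check_subnets(subnets)]
```

Replace the two sample blobs with the real command output (for example via `json.load(open("vms.json"))`) to run the same checks against the deployed lab.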
Next Step: Testing & Validation to validate your deployment and test connectivity flows.