Troubleshooting & Comparison

Troubleshooting

HA Pair Not Forming

Symptoms: FortiGates don’t see each other in HA status

Checks:

# Verify HA sync connectivity
execute ping-options source <port3-ip>
execute ping <peer-port3-ip>

# Check HA configuration
show system ha

# Check security group rules
# Ensure UDP 23/703 and all TCP allowed on HA sync subnet

Resolution:

  • Verify HA sync subnets were created
  • Check security group allows all traffic between HA sync IPs
  • Verify unicast heartbeat configuration matches

AWS API Calls Failing

Symptoms: Failover doesn’t update EIPs or routes

Checks:

# Test AWS connectivity
diag test app awsd 4

# Verify IAM role
diag deb app awsd -1
diag deb enable
# Trigger failover and watch logs

Resolution:

  • Verify VPC endpoint exists in HA sync subnets
  • Check IAM role has required permissions
  • Verify Private DNS enabled on VPC endpoint

Session Synchronization Not Working

Symptoms: Active sessions drop during failover

Checks:

# Verify session pickup enabled
show system ha | grep session-pickup

# Check current sessions
diag sys session list

Resolution:

config system ha
    set session-pickup enable
    set session-pickup-connectionless enable
end

TGW Routes Not Updating

Symptoms: Spoke VPC traffic not reaching FortiGates

Checks:

# Verify update_tgw_routes is enabled
terraform show | grep update_tgw_routes

# Check TGW route tables manually
aws ec2 search-transit-gateway-routes \
  --transit-gateway-route-table-id <rtb-id> \
  --filters "Name=type,Values=static"

Resolution:

  • Set update_tgw_routes = true in terraform.tfvars
  • Run terraform apply to update routes
  • Or manually update TGW route tables
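An audit helper for the manual TGW check above, added here as an example (not part of the ha_pair template or the AWS CLI): it parses the JSON printed by `aws ec2 search-transit-gateway-routes` and groups the static routes by whether they actually point at the FortiGate (security VPC) attachment. The embedded output, attachment ids and CIDRs are constructed placeholders.

```python
import json
from typing import Dict, List

# Constructed sample in the shape of `aws ec2 search-transit-gateway-routes` JSON output;
# attachment ids and CIDRs are placeholders, not values from a real deployment.
SAMPLE_OUTPUT = json.dumps({
    "Routes": [
        {"DestinationCidrBlock": "0.0.0.0/0", "Type": "static", "State": "active",
         "TransitGatewayAttachments": [{"ResourceType": "vpc", "ResourceId": "vpc-security",
                                        "TransitGatewayAttachmentId": "tgw-attach-fgt-placeholder"}]},
        {"DestinationCidrBlock": "10.20.0.0/16", "Type": "static", "State": "active",
         "TransitGatewayAttachments": [{"ResourceType": "vpc", "ResourceId": "vpc-spoke-b",
                                        "TransitGatewayAttachmentId": "tgw-attach-spoke-b-placeholder"}]},
        {"DestinationCidrBlock": "10.30.0.0/16", "Type": "static", "State": "blackhole",
         "TransitGatewayAttachments": []},
        {"DestinationCidrBlock": "10.10.0.0/16", "Type": "propagated", "State": "active",
         "TransitGatewayAttachments": [{"ResourceType": "vpc", "ResourceId": "vpc-spoke-a",
                                        "TransitGatewayAttachmentId": "tgw-attach-spoke-a-placeholder"}]},
    ],
    "AdditionalRoutesAvailable": False,
})


def audit_tgw_static_routes(cli_json: str, fortigate_attachment: str) -> Dict[str, List[str]]:
    """Group one route table's static routes by target: 'to_fortigate' (sent to the security
    VPC attachment for inspection), 'elsewhere' (another attachment, so traffic bypasses the
    FortiGates) or 'blackhole' (dropped). Propagated routes are outside the template's scope."""
    result: Dict[str, List[str]] = {"to_fortigate": [], "elsewhere": [], "blackhole": []}
    for route in json.loads(cli_json).get("Routes", []):
        if route.get("Type") != "static":
            continue
        cidr = route["DestinationCidrBlock"]
        if route.get("State") == "blackhole":
            result["blackhole"].append(cidr)
            continue
        targets = {a["TransitGatewayAttachmentId"] for a in route.get("TransitGatewayAttachments", [])}
        result["to_fortigate" if fortigate_attachment in targets else "elsewhere"].append(cidr)
    return result


def default_route_inspected(cli_json: str, fortigate_attachment: str) -> bool:
    """True when the table's 0.0.0.0/0 static route hands spoke traffic to the FortiGate attachment."""
    return "0.0.0.0/0" in audit_tgw_static_routes(cli_json, fortigate_attachment)["to_fortigate"]
```

Feed it the real command output (`--output json`) together with the security VPC attachment id from the Terraform state; any CIDR reported under 'elsewhere' or 'blackhole' is spoke traffic that never reaches the FortiGates.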

Cost Optimization

Estimated Monthly Costs

Minimum Configuration (PAYG):

  • 2x FortiGate c5n.xlarge: ~$350/month
  • 4-6x Elastic IPs: ~$15-20/month
  • VPC Interface Endpoint: ~$7/month
  • Total: ~$370-380/month

With Management (BYOL):

  • 2x FortiGate c5n.xlarge (compute only): ~$140/month
  • FortiManager m5.xlarge: ~$73/month
  • FortiAnalyzer m5.xlarge: ~$73/month
  • EIPs and VPC endpoint: ~$22/month
  • Total: ~$310/month + BYOL licenses

Cost Savings Tips

  1. Use BYOL for long-term deployments (break-even ~6-8 months)
  2. Stop non-production environments when not in use
  3. Right-size instance types based on throughput requirements
  4. Disable management EIPs if using management VPC with VPN
  5. Use NAT Gateway mode for predictable egress costs

Comparison: HA Pair vs AutoScale

Feature        HA Pair                    AutoScale
-------        -------                    ---------
Scaling        Fixed 2 instances          Auto scales 2-10+
Failover       Active-Passive (seconds)   Load balanced (instant)
Session Sync   Yes (stateful)             No (stateless)
Complexity     Low                        High
Cost           Fixed (~$370/mo)           Variable (scales with load)
Best For       Predictable workloads      Variable/elastic workloads
Management     Standard FortiOS HA        Lambda + CloudWatch
GWLB           Not required               Required

Choose HA Pair When:

  • Workload is predictable and consistent
  • Stateful failover is critical
  • Simplicity preferred over elastic scaling
  • Cost predictability important
  • Standard FortiOS HA experience desired

Choose AutoScale When:

  • Workload varies significantly
  • Need to scale beyond 2 instances
  • Cost optimization through scaling down
  • Can tolerate stateless failover
  • Want AWS-native auto scaling

Additional Resources

FortiGate HA Documentation

Terraform Documentation
Summary

The ha_pair template provides a robust Active-Passive FortiGate HA deployment using native FortiOS clustering:

Key Capabilities:

  • FGCP Active-Passive with automatic failover
  • Session synchronization for stateful inspection
  • Native AWS integration (EIP/route reassignment)
  • VPC endpoint for private AWS API access
  • Automatic Transit Gateway routing updates
  • Support for PAYG, BYOL, and FortiFlex licensing
  • FortiManager/FortiAnalyzer integration

Deployment Time: 20-30 minutes after existing_vpc_resources

Next Steps:

  1. Deploy existing_vpc_resources with HA Pair mode
  2. Configure ha_pair terraform.tfvars
  3. Deploy ha_pair template
  4. Verify HA status and test failover
  5. Configure policies and begin production traffic