<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom"><channel><title>HA Pair Template - FortiGate Terraform Web UI</title><link>https://fortinetcloudcse.github.io/fortinet-ui-terraform/3_example_templates/3_3_ha_pair/index.html</link><description>Introduction The ha_pair template deploys a FortiGate Active-Passive High Availability pair using FortiGate Clustering Protocol (FGCP) in AWS. Unlike the autoscale_template which uses Gateway Load Balancer for elastic scaling, the HA Pair provides a fixed-capacity deployment with native FortiOS failover capabilities.
Key Features Active-Passive HA: One FortiGate active, one standby with automatic failover Session Synchronization: Maintains TCP sessions during failover for stateful inspection FGCP (FortiGate Clustering Protocol): Industry-standard clustering with unicast heartbeat AWS Native Failover: Automatic EIP and ENI reassignment via AWS API No GWLB Required: Uses native AWS routing without additional load balancer costs VPC Endpoint: Private AWS API access for failover operations Transit Gateway Integration: Automatic TGW route table updates Prerequisites Warning The ha_pair template requires existing_vpc_resources to be deployed first with HA Pair Deployment mode enabled.</description><generator>Hugo</generator><language>en-US</language><atom:link href="https://fortinetcloudcse.github.io/fortinet-ui-terraform/3_example_templates/3_3_ha_pair/index.xml" rel="self" type="application/rss+xml"/><item><title>UI Deployment</title><link>https://fortinetcloudcse.github.io/fortinet-ui-terraform/3_example_templates/3_3_ha_pair/3_1_ha_pair.html</link><pubDate>Mon, 01 Jan 0001 00:00:00 +0000</pubDate><guid>https://fortinetcloudcse.github.io/fortinet-ui-terraform/3_example_templates/3_3_ha_pair/3_1_ha_pair.html</guid><description>Overview This guide walks you through configuring the ha_pair template using the Web UI. This template deploys a FortiGate Active-Passive HA pair using FGCP (FortiGate Clustering Protocol).
Warning Prerequisites:
Deploy existing_vpc_resources first with HA Pair Deployment mode enabled Record the cp, env, and tgw_name values from existing_vpc_resources outputs Step 1: Select Template Open the UI at http://localhost:3000 In the Template dropdown at the top, select ha_pair The form will load with inherited values from existing_vpc_resources</description></item><item><title>Deployment Guide</title><link>https://fortinetcloudcse.github.io/fortinet-ui-terraform/3_example_templates/3_3_ha_pair/3_2_manual_deployment.html</link><pubDate>Mon, 01 Jan 0001 00:00:00 +0000</pubDate><guid>https://fortinetcloudcse.github.io/fortinet-ui-terraform/3_example_templates/3_3_ha_pair/3_2_manual_deployment.html</guid><description>Deployment Workflow Step 1: Deploy existing_vpc_resources cd terraform/aws/existing_vpc_resources # Copy and edit configuration cp terraform.tfvars.example terraform.tfvars # IMPORTANT: Set deployment mode to HA Pair # edit terraform.tfvars: enable_autoscale_deployment = false enable_ha_pair_deployment = true # Deploy terraform init terraform plan terraform apply # Save outputs terraform output Key Outputs to Note:
ha_sync_subnet_az1_id - HA sync subnet in AZ1 ha_sync_subnet_az2_id - HA sync subnet in AZ2 attach_to_tgw_name - Transit Gateway name fortimanager_private_ip - FortiManager IP (if enabled) fortianalyzer_private_ip - FortiAnalyzer IP (if enabled) Step 2: Configure ha_pair Template cd terraform/aws/ha_pair # Copy example configuration cp terraform.tfvars.example terraform.tfvars # Edit terraform.tfvars # REQUIRED: Match these values with existing_vpc_resources aws_region = "us-west-2" # MUST MATCH availability_zone_1 = "a" # MUST MATCH availability_zone_2 = "c" # MUST MATCH cp = "acme" # MUST MATCH env = "test" # MUST MATCH # Configure FortiGate keypair = "my-keypair" fortigate_admin_password = "SecureP@ssw0rd!" ha_password = "HASecretPass!" ha_group_name = "ha-cluster" # Choose licensing mode license_type = "payg" # or "byol" or "fortiflex" # Optional: FortiManager integration enable_fortimanager = true fortimanager_ip = "10.3.0.10" # From existing_vpc_resources output # Optional: Management EIP enable_management_eip = true Step 3: Deploy HA Pair # Initialize Terraform terraform init # Review plan terraform plan # Deploy terraform apply # Save outputs terraform output &gt; ha_pair_outputs.txt Deployment Time: ~15-20 minutes</description></item><item><title>Operations &amp; Testing</title><link>https://fortinetcloudcse.github.io/fortinet-ui-terraform/3_example_templates/3_3_ha_pair/3_3_operations.html</link><pubDate>Mon, 01 Jan 0001 00:00:00 +0000</pubDate><guid>https://fortinetcloudcse.github.io/fortinet-ui-terraform/3_example_templates/3_3_ha_pair/3_3_operations.html</guid><description>Transit Gateway Routing Two-Stage Routing Approach The ha_pair template implements automatic TGW route updates:
Stage 1: After existing_vpc_resources deployment
East/West spoke VPC default routes --&gt; Management VPC attachment Allows spoke instances to bootstrap via jump box NAT Stage 2: After ha_pair deployment
ha_pair template deletes old default routes from east/west TGW route tables Creates new default routes --&gt; Inspection VPC attachment Traffic now flows through FortiGate HA pair Management VPC routes remain for ongoing access This two-stage approach is handled automatically by tgw_routes.tf.</description></item><item><title>Troubleshooting &amp; Comparison</title><link>https://fortinetcloudcse.github.io/fortinet-ui-terraform/3_example_templates/3_3_ha_pair/3_4_troubleshooting.html</link><pubDate>Mon, 01 Jan 0001 00:00:00 +0000</pubDate><guid>https://fortinetcloudcse.github.io/fortinet-ui-terraform/3_example_templates/3_3_ha_pair/3_4_troubleshooting.html</guid><description>Troubleshooting HA Pair Not Forming Symptoms: FortiGates don’t see each other in HA status
Checks:
# Verify HA sync connectivity execute ping-options source &lt;port3-ip&gt; execute ping &lt;peer-port3-ip&gt; # Check HA configuration show system ha # Check security group rules # Ensure UDP 23/703 and all TCP allowed on HA sync subnet Resolution:
Verify HA sync subnets were created Check security group allows all traffic between HA sync IPs Verify unicast heartbeat configuration matches AWS API Calls Failing Symptoms: Failover doesn’t update EIPs or routes</description></item></channel></rss>