腾讯云跨AZ部署FortigateHA备忘录

随时保存配置

config system global
    set admintimeout 480
    set alias "FortiGate-VM64-KVM"
    set gui-auto-upgrade-setup-warning disable
    set hostname "FG-Slave"
    set revision-backup-on-logout enable
    set revision-image-auto-backup enable
    set timezone "Asia/Shanghai"
end

因为不同 AZ 的地址段是不一样的，因此下面的配置不需要同步

config system vdom-exception
    edit 1
        set object system.interface
    next
    edit 2
        set object router.static
    next
    edit 3
        set object firewall.vip
    next
    edit 4
        set object firewall.ippool
    next
end

FortiGate port1 是外网接口，对应的是由外向内的数据；
FortiGate port2 对应的是由内向外的数据，安全组要全放通；
FortiGate port3 是 HA 接口，互通的是 HA 交换的数据，安全组；
FortiGate port4 是 MGMT 接口，用于管理，放通 HTTPS，SSH 和 ICMP。

config system ha
    set group-id 10
    set group-name "fgha"
    set mode a-p
    set password fortinet
    set hbdev "port3" 50 
    set ha-mgmt-status enable
    config ha-mgmt-interfaces
        edit 1
            set interface "port4"
            set gateway 10.197.3.1
        next
    end
    set override disable
    set priority 200
    set unicast-hb enable
    set unicast-hb-peerip 10.197.2.1
end

config system ha
    set group-id 10
    set group-name "fgha"
    set mode a-p
    set password fortinet
    set hbdev "port3" 50 
    set ha-mgmt-status enable
    config ha-mgmt-interfaces
        edit 1
            set interface "port4"
            set gateway 10.197.13.1
        next
    end
    set override disable
    set priority 100
    set unicast-hb enable
    set unicast-hb-peerip 10.197.12.1
end