Threats. You should see the attempted file download.
Testing application control for outgoing traffic
To test application control for outgoing traffic:
1. In FortiOS, go to Security Profiles > Application Control. Under Categories, block Video/Audio and Social Media.
Click OK.
2. On the ECS, attempt to access Facebook and YouTube. It should not be able to connect. FortiOS shows the client trying to connect to Facebook and YouTube.
FortiOS 7.4 AliCloud Administration Guide 16
Fortinet Inc. Securing instances on AliCloud
Enabling NAT inbound protection in FortiOS
In this example, you enable the FortiGate-VM to protect inbound RDP traffic. The same concept can be applied to
HTTP/HTTPS and other services. This demonstrates how to configure the FortiGate-VM to monitor inbound and
outbound traffic.
To enable NAT inbound protection in FortiOS:
1. Create the virtual IP address:
a. In FortiOS, go to Policy & Objects > Virtual IPs.
b. Click Create New.
c. From the Interface dropdown list, select port1.
d. In the Mapped IP address/range field, enter 192.168.1.36, the ECS IP address.
e. Enable Port Forwarding.
f. In the External service port and Map to port fields, enter 3389.
g. Click OK.
2. Configure the inbound policy for the RDP redirection. Go to Policy & Objects > Firewall Policy, then click Create
New.
3. In the Destination field, select the virtual IP address that you created in step 1.
4. Enable the desired security profiles, then log all sessions for demonstration purposes.
5. Click OK.
You can now use the FortiGate public address to RDP into the ECS.
You can also view the logs and session information in FortiOS.
HA for FortiGate-VM on AliCloud
There are different ways to configure active-passive high availability (HA) on FortiGate-VM for AliCloud.
The first deployment scenario, as Deploying and configuring FortiGate-VM on AliCloud using HAVIP on page 18
describes, depends on the HA virtual IP address function that AliCloud provides. In this scenario, you must locate both
the internal and external interface at port1. The primary and secondary FortiGates share the same IP address. Failover
may be quicker than in the second scenario, since there are no elastic IP (EIP) addresses or route tables to update. This
scenario natively supports session pickup.
The second deployment scenario, as Deploying FortiGate-VM HA on AliCloud using routing tables and EIPs on page 40
describes, achieves HA by introducing EIP moving and route table updating capabilities. In this scenario, you can locate
the internal and external interface on different interfaces. Optionally, you can also leverage an HA virtual IP address
(HAVIP) for external traffic on port1 and internal traffic on port2 for increased efficiency and flexibility. This scenario
supports session pickup, but in a more limited way than in the first scenario.
Consider the following when deciding which HA scenario to deploy:
• If you need session pickup capabilities and cannot disable NAT for incoming firewall policies, you must use the first scenario.
• If you need session pickup capabilities and can disable NAT for incoming firewall policies, you can use the second scenario with HAVIP on port1 and attach an EIP to the HAVIP. This scenario does not require EIP moving but does require route table updating for internal traffic. This scenario provides the best balance between flexibility and efficiency.
• If you cannot use port1 for external traffic, you must use the second scenario with EIP moving and route table updating. This may require more failover time.
Deploying and configuring FortiGate-VM on AliCloud using HAVIP
You can configure active-passive high availability (HA) with two FortiGate-VM instances using HA virtual IP addresses
(HAVIP), which is configurable on the AliCloud platform. FortiGate-VM configuration is synchronized between the two
instances. When a primary FortiGate-VM is down, a failover to a secondary FortiGate-VM occurs while sessions are
kept, and the secondary unit is promoted to become the primary unit. HAVIP forwards traffic to the new primary
FortiGate-VM while keeping switching time minimal.
In this scenario, the AliCloud VPC cannot create multiple route tables, and the VPC only supports one-arm deployment
mode. HAVIP covers an inter-VPC service, and the VPC default route points to the HAVIP. VPC outbound traffic
forwards to the HAVIP, then forwards to the primary FortiGate-VM. You must bind the HAVIP to an elastic IP address for
VPC inbound traffic.
Setting up the VPC
To set up the VPC:
1. Assuming this is a new environment, the first step is to create the virtual private cloud (VPC). Click Create VPC.
2. Name the VPC TP_FortiVPC.
3. In this scenario, you need at least three VSwitches: one for the ECS, one for the FortiGate-VM inbound/outbound interface, and one for the FortiGate-VM high availability interface. You can also create a fourth VSwitch for the FortiGate reserved management interface. Create the ECS VSwitch first, as shown.
4. Create the VSwitch for the FortiGate-VM inbound/outbound interface, as shown.
5. Create the VSwitch for the FortiGate-VM HA interface, as shown.
6. (Optional) Create the VSwitch for the FortiGate reserved management interface.
The VPC is now ready.
Subscribing to the FortiGate-VM in the marketplace
To subscribe to the FortiGate-VM in the marketplace:
1. Go to the AliCloud Marketplace and search for Fortinet.
2. You now create the FortiGate-VM instance. If you have your own FortiGate-VM license, select the BYOL image.
Otherwise, select the on-demand image.
a. Click Choose Your Plan.
b. This example selects PAYG, China East 1 (Hangzhou), and Zone F for the pricing plan, region, and zone,
respectively. Zone F is the location of the VPC and VSwitches. Click ECS Advance Purchase page to
customize the data disk and VPC information.
c. Click the ECS type with 4 vCPU to launch the FortiGate instance. The 4 vCPU ECS can support a maximum of three NICs, while the 2 vCPU ECS can support two NICs. If the FortiGate reserved management interface is required, select the 4 vCPU ECS type.
d. Add a data disk for logs. Using SSD is recommended for better performance.
e. In the Network section, select TP_FortiVPC and Forti_internet_SW. Assign a public IP address to the image.
This NIC is port1 on the FortiGate-VM, the default ENI.
f. Leave the HTTPS, ICMP, and SSH ports and protocols open to allow connection. Add another ENI on
FortiGate_HA_SW. This ENI is port2 on the FortiGate.
g. In the Host field, enter the FortiGate hostname.
h. Click ECS Service Terms.
3. Click Console to return to the ECS instance list.
4. You can see that the VM has been created. Mark down the public IP address and the instance ID for later use. The
instance ID is the FortiGate default password.
5. Repeat steps 1 and 2 to create another FortiGate instance, named FGT-Slave.
6. (Optional) You can create two ENIs and attach them to the FortiGate instances.
a. Stop the two FortiGate instances.
b. Go to Networks & Security > Network Interfaces and create two ENIs.
c. Attach the two new ENIs to the two FortiGate instances.
d. Restart the two FortiGate instances.
7. You can now access the FortiGate-VM in a web browser using the username "admin". The password is the instance
ID.
8. Change the password after the initial login.
9. Set the IP address on three interfaces on the FortiGate.
Configuring the HAVIP on the AliCloud web console
To configure the HAVIP on the AliCloud web console:
1. Create a new high availability virtual IP (HAVIP) address. Select the virtual private cloud (VPC) and FortiGate-VM
port1 VSwitch, and set the HAVIP address.
2. Set the HA configuration on the FortiGate via the VNC console on the AliCloud Web GUI, or via SSH.
a. Set the configuration on the primary FortiGate-A as follows. In this example, 192.168.3.253 is the gateway on the VSwitch, while 192.168.1.250 is the secondary FortiGate's port2 IP address. The FortiGate with the higher priority value is the primary FortiGate.
config system ha
    set group-name "ha"
    set mode a-p
    set hbdev "port2" 0
    set session-pickup enable
    set ha-mgmt-status enable
    config ha-mgmt-interfaces
        edit 1
            set interface "port3"
            set gateway 192.168.3.253
        next
    end
    set priority 200
    set monitor "port1"
    set unicast-hb enable
    set unicast-hb-peerip 192.168.1.250
end
b. Set the configuration on the secondary FortiGate-B as follows. Here, 192.168.1.249 is the primary FortiGate's port2 IP address.
config system ha
    set group-name "ha"
    set mode a-p
    set hbdev "port2" 0
    set session-pickup enable
    set ha-mgmt-status enable
    config ha-mgmt-interfaces
        edit 1
            set interface "port3"
            set gateway 192.168.3.253
        next
    end
    set priority 100
    set monitor "port1"
    set unicast-hb enable
    set unicast-hb-peerip 192.168.1.249
end
3. Reboot the two FortiGates.
4. Check the HA status by running diagnose sys ha status in the CLI. It should show the following:
5. Set the HAVIP address as the port1 secondary IP address on the two FortiGates. On both FortiGates, configure the following. The secondary IP address configured must be the same as the HAVIP address.
config system interface
    edit "port1"
        set secondary-IP enable
        config secondaryip
            edit 1
                set ip 192.168.0.252 255.255.255.0
                set allowaccess ping https ssh
            next
        end
    next
end
6. Bind the elastic IP address and the two FortiGate ECS instances to the HAVIP.
a. Create a new EIP.
b. Bind the EIP to the HAVIP.
c. Bind the two FortiGates to the HAVIP.
7. You must add the route entry to the FortiGate to ensure all outgoing traffic from ECS goes through the FortiGate.
Connectivity test
You can test whether you configured the FortiGate-VM instances and VPC properly. See Connectivity test on page 14.
Deploying FortiGate-VM HA on AliCloud using routing tables and EIPs
This guide provides a sample configuration of active-passive FortiGate-VM HA on AliCloud within one availability zone.
The following depicts the network topology for this sample deployment:
The following lists the IP address assignments for this sample deployment for FortiGate-A:
Port    AliCloud primary address    Subnet         EIP
port1   10.0.1.11                   10.0.1.0/24    EIP3
port2   10.0.2.11                   10.0.2.0/24
port3   10.0.3.11                   10.0.3.0/24
port4   10.0.4.11                   10.0.4.0/24    EIP1
The following lists the IP address assignments for this sample deployment for FortiGate-B:
Port    AliCloud primary address    Subnet         EIP
port1   10.0.1.12                   10.0.1.0/24
port2   10.0.2.12                   10.0.2.0/24
port3   10.0.3.12                   10.0.3.0/24
port4   10.0.4.12                   10.0.4.0/24
To check the prerequisites:
The following prerequisites must be met for this deployment:
• One VPC with one subnet each for management, external, internal, and heartbeat purposes
• Three public IP addresses:
  • EIP1 and EIP2 for FortiGate-A and FortiGate-B management
  • EIP3 for the HA external traffic IP address
• Two FortiGate-VM instances, both PAYG or BYOL
• The following summarizes minimum sufficient RAM roles for this deployment:
  • AliyunECSFullAccess
  • AliyunEIPFullAccess
  • AliyunVPCFullAccess
Actual role configurations may differ depending on your environment. Check with your company's public cloud administrators for details.
To configure FortiGate-VM HA in AliCloud:
1. In the AliCloud management console, create a VPC with four VSwitches:
VSwitch          Purpose
net1-external    External data traffic on the public network-facing side.
net2-internal    Internal data traffic on the private network-facing side.
net3-heartbeat   Heartbeat between the two FortiGate nodes. This is unicast communication.
net4-mgmt        Dedicated management interface.
2. Add six ENIs.
3. Create two routing tables:
a. Create a routing table called "rtb-internal" for the net2-internal VSwitch. Set the NIC2 IP address (10.0.2.11) as rtb-internal's default gateway. You can create this routing table after configuring NIC2 on FortiGate-A. Ensure that the default gateway is FortiGate-A's port2 ENI.
b. Create a routing table called "rtb-external" for the remaining VSwitches. Set this VPC's Internet gateway as its default gateway. Ensure that this routing table can access the Internet.
To deploy the FortiGate-VMs in AliCloud:
To take advantage of A-P HA, you need four vNICs (port1 to port4) on each FortiGate-VM that constitutes an A-P HA
cluster. Configure all required network interfaces (AliCloud ENIs and FortiGate-VM network interface configuration) that
support A-P HA. You must choose an AliCloud instance type that supports at least four vNICs.
Ensure the following:
• You have configured the security group on each subnet for egress and ingress interfaces appropriately. It is particularly important that the management interfaces have egress Internet access for API calls to the AliCloud metadata server.
• You attached four NICs to each FortiGate-VM and assigned the static private IP addresses.
• EIP1 was bound to the FortiGate-A port4 management interface.
• EIP3 was bound to the FortiGate-A port1 external interface.
• EIP2 was bound to the FortiGate-B port4 management interface.
You can attach a public IP address to the primary FortiGate-VM's external interface instead of an EIP by creating an HAVIP address in the VPC, then binding this HAVIP address to both FortiGates' external interfaces. This approach may shorten the failover time depending on the network environment.
To configure FortiGate-A using the CLI:
The next steps show you how to configure A-P HA settings by using CLI commands on the GUI or via SSH. If using SSH,
the FortiGate may lose connection due to routing table changes, so configuring HA via the GUI is recommended.
config system interface
    edit "port1"
        set mode static
        set ip 10.0.1.11 255.255.255.0
        set allowaccess ping https ssh snmp http fgfm
    next
    edit "port2"
        set ip 10.0.2.11 255.255.255.0
        set allowaccess ping https ssh snmp http telnet
    next
    edit "port3"
        set ip 10.0.3.11 255.255.255.0
        set allowaccess ping https ssh snmp http telnet
    next
    edit "port4"
        set ip 10.0.4.11 255.255.255.0
        set allowaccess ping https ssh snmp http telnet
    next
end
config router static
    edit 1
        set gateway 10.0.1.253
        set device "port1"
    next
end
config firewall policy
    edit 1
        set srcintf "port2"
        set dstintf "port1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
    next
end
config system ha
    set group-name "FGT-HA"
    set mode a-p
    set hbdev "port3" 50
    set ha-mgmt-status enable
    config ha-mgmt-interfaces
        edit 1
            set interface "port4"
            set gateway 10.0.4.253
        next
    end
    set priority 128
    set unicast-hb enable
    set unicast-hb-peerip 10.0.3.12
end
To configure FortiGate-B using the CLI:
The next steps show you how to configure A-P HA settings by using CLI commands on the GUI or via SSH. If using SSH,
the FortiGate may lose connection due to routing table changes, so configuring HA via the GUI is recommended.
config system interface
    edit "port1"
        set mode static
        set ip 10.0.1.12 255.255.255.0
        set allowaccess ping https ssh snmp http fgfm
    next
    edit "port2"
        set ip 10.0.2.12 255.255.255.0
        set allowaccess ping https ssh snmp http telnet
    next
    edit "port3"
        set ip 10.0.3.12 255.255.255.0
        set allowaccess ping https ssh snmp http telnet
    next
    edit "port4"
        set ip 10.0.4.12 255.255.255.0
        set allowaccess ping https ssh snmp http telnet
    next
end
config router static
    edit 1
        set gateway 10.0.1.253
        set device "port1"
    next
end
config firewall policy
    edit 1
        set srcintf "port2"
        set dstintf "port1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
    next
end
config system ha
    set group-name "FGT-HA"
    set mode a-p
    set hbdev "port3" 50
    set ha-mgmt-status enable
    config ha-mgmt-interfaces
        edit 1
            set interface "port4"
            set gateway 10.0.4.253
        next
    end
    set priority 64
    set unicast-hb enable
    set unicast-hb-peerip 10.0.3.11
end
You must set the FortiGate-B HA priority to a value lower than FortiGate-A's priority. The node with the lower priority becomes the secondary node.
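Before rebooting a pair configured as above (or as in the HAVIP scenario earlier in this chapter), it is worth checking that the two `config system ha` blocks actually describe each other. The following is an added example, not code from the guide or from Fortinet: `parse_fortios()` and `check_ha_pair()` are hypothetical helpers, and `FGT_A`/`FGT_B` are trimmed copies of the FortiGate-A/FortiGate-B settings shown above (heartbeat interface and HA block only), embedded as constructed sample input.

```python
"""Consistency check for the two 'config system ha' blocks of an A-P pair.

Added example, not part of the guide: parse_fortios() and check_ha_pair()
are hypothetical helpers. FGT_A and FGT_B are trimmed copies of the
FortiGate-A / FortiGate-B CLI settings shown above (heartbeat interface and
HA block only), embedded here as constructed sample input.
"""
import re

FGT_A = """
config system interface
    edit "port3"
        set ip 10.0.3.11 255.255.255.0
    next
end
config system ha
    set group-name "FGT-HA"
    set mode a-p
    set hbdev "port3" 50
    set priority 128
    set unicast-hb enable
    set unicast-hb-peerip 10.0.3.12
end
"""

FGT_B = """
config system interface
    edit "port3"
        set ip 10.0.3.12 255.255.255.0
    next
end
config system ha
    set group-name "FGT-HA"
    set mode a-p
    set hbdev "port3" 50
    set priority 64
    set unicast-hb enable
    set unicast-hb-peerip 10.0.3.11
end
"""


def parse_fortios(text):
    """Parse FortiOS CLI text into nested dicts.

    'config X' and 'edit Y' open a nested scope, 'set k v ...' stores the
    value (a string for one token, a list for several), and 'next'/'end'
    close the scope. Quotes around tokens are stripped.
    """
    root, stack = {}, []
    for raw in text.splitlines():
        tokens = [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', raw)]
        if not tokens:
            continue
        cmd, args = tokens[0], tokens[1:]
        scope = stack[-1] if stack else root
        if cmd in ("config", "edit"):
            stack.append(scope.setdefault(" ".join(args), {}))
        elif cmd == "set" and len(args) >= 2:
            scope[args[0]] = args[1] if len(args) == 2 else args[1:]
        elif cmd in ("next", "end") and stack:
            stack.pop()
    return root


def check_ha_pair(cfg_a, cfg_b):
    """Return a list of problems; an empty list means the pair is consistent.

    Checks the points the guide calls out: both nodes share group name,
    mode and heartbeat device, priorities differ (the higher one wins the
    primary role), and each node's unicast-hb-peerip is the peer's address
    on the hbdev port.
    """
    ha_a, ha_b = cfg_a["system ha"], cfg_b["system ha"]
    problems = []
    for key in ("group-name", "mode", "hbdev"):
        if ha_a.get(key) != ha_b.get(key):
            problems.append(f"{key} differs: {ha_a.get(key)} vs {ha_b.get(key)}")
    # FortiOS uses priority 128 when it is not set explicitly.
    if int(ha_a.get("priority", 128)) == int(ha_b.get("priority", 128)):
        problems.append("priorities are equal, so the primary is not chosen by priority")
    for name, me, peer in (("A", ha_a, cfg_b), ("B", ha_b, cfg_a)):
        if me.get("unicast-hb") != "enable":
            problems.append(f"{name}: unicast-hb is not enabled")
        hb = me.get("hbdev")
        hbdev = hb[0] if isinstance(hb, list) else hb
        peer_ip = peer.get("system interface", {}).get(hbdev, {}).get("ip")
        peer_ip = peer_ip[0] if isinstance(peer_ip, list) else peer_ip
        if me.get("unicast-hb-peerip") != peer_ip:
            problems.append(f"{name}: unicast-hb-peerip {me.get('unicast-hb-peerip')} "
                            f"is not the peer's {hbdev} address {peer_ip}")
    return problems


if __name__ == "__main__":
    issues = check_ha_pair(parse_fortios(FGT_A), parse_fortios(FGT_B))
    print("OK" if not issues else "\n".join(issues))
```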
To check the HA status and function:
1. In FortiOS on the primary FortiGate, go to System > HA. Check that the HA status is synchronized.
2. Log into a PC that is located in the internal subnet. Verify that the PC can access the Internet via FortiGate-A when
FortiGate-A is the primary node.
3. Shut down FortiGate-A. Verify that FortiGate-B becomes the primary node. Use an API call to verify that the
secondary private IP address moves to FortiGate-B.
4. Log into the PC. Verify that the PC can access the Internet via FortiGate-B when FortiGate-B is the primary node.
5. You can use the following diagnose commands to see if the secondary private IP address moves from FortiGate-A to FortiGate-B during failover:
FGT-B # diagnose debug application alicloud-ha -1
Debug messages will be on for 30 minutes.
FGT-B # Become HA master mode 2
===== start acs ha failover =====
send_vip_arp: vd root master 1 intf port1 ip 10.0.1.12
send_vip_arp: vd root master 1 intf port2 ip 10.0.2.12
acs meta info [instance id]: i-rj9f5xs9cp9xsweedlcs
acs meta info [ram role]: fhua-ecs-role
acs meta info [region]: us-west-1
acs meta info [vpc id]: vpc-rj9h5m14eo5lu97hjaptw
acs ecs endpoint is resolved at ecs.us-west-1.aliyuncs.com:47.88.73.18
acs vpc endpoint is resolved at vpc.aliyuncs.com:106.11.61.112
acs is parsing page 1 of total 3(1 page) instances
acs is checking tags on instance FGT-A
Tag.FGT_port1: eni-rj9dirnvg0hykoddvv7z
Tag.FGT_port2: eni-rj94jig06fag0v1jneyv
Tag.FGT_port3: eni-rj91wj13vwjs7y1n25ow
Tag.FGT_port4: eni-rj9il1iuoh9t3qd5doe3
acs is checking tags on instance FGT-B
Tag.FGT_port1: eni-rj9f5xs9cp9xswekw6zh
Tag.FGT_port2: eni-rj9j4eztzg3bv65yqd6x
Tag.FGT_port3: eni-rj9ga16wcti7anp0ot7m
Tag.FGT_port4: eni-rj9dirnvg0hykei8bl8o
acs is parsing page 1 of total 13(1 page) EIPs
acs local instance: FGT-B(i-rj9f5xs9cp9xsweedlcs)
eni: 0, 10.0.1.12(eni-rj9f5xs9cp9xswekw6zh, port1)
eni: 1, 10.0.2.12(eni-rj9j4eztzg3bv65yqd6x, port2)
eni: 2, 10.0.3.12(eni-rj9ga16wcti7anp0ot7m, port3)
eni: 3, 10.0.4.12(eni-rj9dirnvg0hykei8bl8o, port4) <--- eip(47.254.42.40)
acs peer instance: FGT-A(i-rj9il1iuoh9t408i1a60)
eni: 0, 10.0.1.11(eni-rj9dirnvg0hykoddvv7z, port1) <--- eip(47.251.3.246)
eni: 1, 10.0.2.11(eni-rj94jig06fag0v1jneyv, port2)
eni: 2, 10.0.3.11(eni-rj91wj13vwjs7y1n25ow, port3)
eni: 3, 10.0.4.11(eni-rj9il1iuoh9t3qd5doe3, port4) <--- eip(47.254.46.147)
acs is moving eip(47.251.3.246) from eni0(10.0.1.11) to eni0(10.0.1.12)
acs eip(47.251.3.246) status: Unassociating
acs eip(47.251.3.246) status: Unassociating
acs eip(47.251.3.246) status: Available
acs unassociated eip(47.251.3.246) from instance FGT-A successfully
acs eip(47.251.3.246) status: Associating
acs eip(47.251.3.246) status: Associating
acs eip(47.251.3.246) status: InUse
acs associated eip(47.251.3.246) to instance FGT-B successfully
acs local instance: FGT-B(i-rj9f5xs9cp9xsweedlcs)
eni: 0, 10.0.1.12(eni-rj9f5xs9cp9xswekw6zh, port1) <--- eip(47.251.3.246)
eni: 1, 10.0.2.12(eni-rj9j4eztzg3bv65yqd6x, port2)
eni: 2, 10.0.3.12(eni-rj9ga16wcti7anp0ot7m, port3)
eni: 3, 10.0.4.12(eni-rj9dirnvg0hykei8bl8o, port4) <--- eip(47.254.42.40)
acs peer instance: FGT-A(i-rj9il1iuoh9t408i1a60)
eni: 0, 10.0.1.11(eni-rj9dirnvg0hykoddvv7z, port1)
eni: 1, 10.0.2.11(eni-rj94jig06fag0v1jneyv, port2)
eni: 2, 10.0.3.11(eni-rj91wj13vwjs7y1n25ow, port3)
eni: 3, 10.0.4.11(eni-rj9il1iuoh9t3qd5doe3, port4) <--- eip(47.254.46.147)
acs route table: vtb-rj9q1tgufwqqe5ps3q60i
rule: cidr: 0.0.0.0/0, nexthop: 10.0.2.11(eni-rj94jig06fag0v1jneyv)
acs is deleting route table entry: 0.0.0.0/0 via 10.0.2.11
acs route table entry deleting
acs route table entry deleted
acs deleted route table entry: 0.0.0.0/0 via 10.0.2.11 successfully
acs is creating route table entry: 0.0.0.0/0 via 10.0.2.12
acs route table entry created
acs created route table entry: 0.0.0.0/0 via 10.0.2.12 successfully
acs route table: vtb-rj9q1tgufwqqe5ps3q60i
rule: cidr: 0.0.0.0/0, nexthop: 10.0.2.12(eni-rj9j4eztzg3bv65yqd6x)
===== exit acs ha failover =====
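When reviewing the debug output after a failover test, the three things to confirm are that the external EIP now sits on the new primary's port1, that it is no longer on the old primary, and that the internal route table's default route points at the new primary's port2. The following is an added example, not code from the guide or from Fortinet: `parse_failover_log()` and `verify_failover()` are hypothetical helpers, and `FAILOVER_LOG` is a constructed sample trimmed from the output shown above (the instance, ENI and address values are the ones printed there).

```python
"""Verify the end state recorded by 'diagnose debug application alicloud-ha -1'.

Added example, not part of the guide: parse_failover_log() and
verify_failover() are hypothetical helpers. FAILOVER_LOG is a constructed
sample trimmed from the debug output shown above; the instance, ENI and
address values are the ones printed there.
"""
import re

FAILOVER_LOG = """\
FGT-B # Become HA master mode 2
===== start acs ha failover =====
acs local instance: FGT-B(i-rj9f5xs9cp9xsweedlcs)
  eni: 0, 10.0.1.12(eni-rj9f5xs9cp9xswekw6zh, port1)
  eni: 1, 10.0.2.12(eni-rj9j4eztzg3bv65yqd6x, port2)
  eni: 3, 10.0.4.12(eni-rj9dirnvg0hykei8bl8o, port4) <--- eip(47.254.42.40)
acs peer instance: FGT-A(i-rj9il1iuoh9t408i1a60)
  eni: 0, 10.0.1.11(eni-rj9dirnvg0hykoddvv7z, port1) <--- eip(47.251.3.246)
  eni: 1, 10.0.2.11(eni-rj94jig06fag0v1jneyv, port2)
acs is moving eip(47.251.3.246) from eni0(10.0.1.11) to eni0(10.0.1.12)
acs associated eip(47.251.3.246) to instance FGT-B successfully
acs local instance: FGT-B(i-rj9f5xs9cp9xsweedlcs)
  eni: 0, 10.0.1.12(eni-rj9f5xs9cp9xswekw6zh, port1) <--- eip(47.251.3.246)
  eni: 1, 10.0.2.12(eni-rj9j4eztzg3bv65yqd6x, port2)
  eni: 3, 10.0.4.12(eni-rj9dirnvg0hykei8bl8o, port4) <--- eip(47.254.42.40)
acs peer instance: FGT-A(i-rj9il1iuoh9t408i1a60)
  eni: 0, 10.0.1.11(eni-rj9dirnvg0hykoddvv7z, port1)
  eni: 1, 10.0.2.11(eni-rj94jig06fag0v1jneyv, port2)
acs route table: vtb-rj9q1tgufwqqe5ps3q60i
  rule: cidr: 0.0.0.0/0, nexthop: 10.0.2.11(eni-rj94jig06fag0v1jneyv)
acs deleted route table entry: 0.0.0.0/0 via 10.0.2.11 successfully
acs created route table entry: 0.0.0.0/0 via 10.0.2.12 successfully
acs route table: vtb-rj9q1tgufwqqe5ps3q60i
  rule: cidr: 0.0.0.0/0, nexthop: 10.0.2.12(eni-rj9j4eztzg3bv65yqd6x)
===== exit acs ha failover =====
"""

INSTANCE_RE = re.compile(r"acs (local|peer) instance: ([^(\s]+)\(")
ENI_RE = re.compile(r"eni: \d+, ([\d.]+)\((eni-\w+), (port\d)\)(?: <--- eip\(([\d.]+)\))?")
MOVE_RE = re.compile(r"acs is moving eip\(([\d.]+)\) from eni\d\(([\d.]+)\) to eni\d\(([\d.]+)\)")
ROUTE_RE = re.compile(r"rule: cidr: 0\.0\.0\.0/0, nexthop: ([\d.]+)\(")


def parse_failover_log(text):
    """Collect the final local/peer ENI state, EIP moves and default-route nexthop.

    The debug output prints the instance blocks before and after the move;
    later blocks overwrite earlier ones, so the result is the end state.
    """
    state = {"local": {}, "peer": {}, "eip_moves": [], "route_nexthop": None}
    side = None
    for line in text.splitlines():
        line = line.strip()
        if m := INSTANCE_RE.match(line):
            side = m.group(1)
            state[side] = {"name": m.group(2), "enis": {}}
        elif (m := ENI_RE.match(line)) and side:
            state[side]["enis"][m.group(3)] = {"ip": m.group(1), "eni": m.group(2), "eip": m.group(4)}
        elif m := MOVE_RE.match(line):
            state["eip_moves"].append(m.groups())
        elif m := ROUTE_RE.match(line):
            state["route_nexthop"] = m.group(1)
    return state


def verify_failover(state, external_eip):
    """Return problems with the end state; an empty list means failover completed.

    Expected after a successful failover: the shared external EIP sits on the
    new primary's port1, it is no longer on the peer's port1, and the
    internal route table's 0.0.0.0/0 entry points at the new primary's port2.
    """
    local = state["local"].get("enis", {})
    peer = state["peer"].get("enis", {})
    problems = []
    if local.get("port1", {}).get("eip") != external_eip:
        problems.append(f"external EIP {external_eip} is not bound to local port1")
    if peer.get("port1", {}).get("eip") == external_eip:
        problems.append(f"external EIP {external_eip} is still bound to the peer's port1")
    local_port2 = local.get("port2", {}).get("ip")
    if state["route_nexthop"] != local_port2:
        problems.append(f"default route nexthop {state['route_nexthop']} is not local port2 {local_port2}")
    return problems
```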
Deploying FortiGate-VM HA on AliCloud between availability zones
This guide provides a sample manual configuration of active-passive FortiGate-VM HA on AliCloud between availability zones (AZs) in a single region.
The following depicts the network topology for this sample deployment:
The following lists the IP address assignments for this sample deployment for FortiGate-A:
Port    AliCloud primary address    Subnet          EIP
port1   10.0.11.11                  10.0.11.0/24    EIP3
port2   10.0.12.11                  10.0.12.0/24
port3   10.0.13.11                  10.0.13.0/24
port4   10.0.14.11                  10.0.14.0/24    EIP1
The following lists the IP address assignments for this sample deployment for FortiGate-B:
Port    AliCloud primary address    Subnet          EIP
port1   10.0.21.12                  10.0.21.0/24
port2   10.0.22.12                  10.0.22.0/24
port3   10.0.23.12                  10.0.23.0/24
port4   10.0.24.12                  10.0.24.0/24    EIP2
IPsec VPN phase 1 configuration does not synchronize between primary and secondary
FortiGates across AZs. Phase 2 configuration does synchronize.
To check the prerequisites:
The following prerequisites must be met for this deployment:
• One VPC with one subnet each for management, external, internal, and heartbeat purposes for each AZ
• Three public IP addresses:
  • EIP1 and EIP2 for FortiGate-A and FortiGate-B management
  • EIP3 for the HA external traffic IP address
• Two FortiGate-VM instances of the same instance type. Select a type that supports at least four network interfaces.
• The following summarizes minimum sufficient RAM roles for this deployment:
  • AliyunECSFullAccess
  • AliyunEIPFullAccess
  • AliyunVPCFullAccess
Actual role configurations may differ depending on your environment. Check with your company's public cloud administrators for details.
To configure FortiGate-VM HA in AliCloud:
1. In the AliCloud management console, create a VPC with eight VSwitches (four for each AZ):
VSwitch             Purpose
net1-external-za    External data traffic on the public network-facing side.
net2-internal-za    Internal data traffic interface on the protected/trusted network-facing side.
net3-heartbeat-za   Heartbeat between the two FortiGate nodes. Unicast communication.
net4-mgmt-za        Dedicated management interface.
net1-external-zb    External data traffic on the public network-facing side.
net2-internal-zb    Internal data traffic interface on the protected/trusted network-facing side.
net3-heartbeat-zb   Heartbeat between the two FortiGate nodes. Unicast communication.
net4-mgmt-zb        Dedicated management interface.
2. Add six ENIs, three for each AZ.
3. Create two routing tables:
a. Create a routing table called "rtb-internal" for the net2-internal VSwitch. Set the NIC2 IP address (10.0.12.11) as rtb-internal's default gateway. You can create this routing table after configuring NIC2 on FortiGate-A. Ensure that the default gateway is FortiGate-A's port2 ENI.
b. Create a routing table called "rtb-external" for the remaining VSwitches. Set this VPC's Internet gateway as its default gateway. Ensure that this routing table can access the Internet.
To deploy the FortiGate-VMs in AliCloud:
To take advantage of A-P HA, you need four vNICs (port1 to port4) on each FortiGate-VM that constitutes an A-P HA
cluster. Configure all required network interfaces (AliCloud ENIs and FortiGate-VM network interface configuration) that
support A-P HA. You must choose an AliCloud instance type that supports at least four vNICs.
Ensure the following:
• You have configured the security group on each subnet for egress and ingress interfaces appropriately. It is particularly important that the management interfaces have egress Internet access for API calls to the AliCloud metadata server.
• You attached four NICs to each FortiGate-VM and assigned the static private IP addresses.
• EIP1 was bound to the FortiGate-A port4 management interface.
• EIP3 was bound to the FortiGate-A port1 external interface.
• EIP2 was bound to the FortiGate-B port4 management interface.
To configure FortiGate-A using the CLI:
The next steps show you how to configure A-P HA settings by using CLI commands on the GUI or via SSH. If using SSH,
the FortiGate may lose connection due to routing table changes, so configuring HA via the GUI is recommended.
config system interface
    edit "port1"
        set mode static
        set ip 10.0.11.11 255.255.255.0
        set allowaccess ping https ssh snmp http fgfm
    next
    edit "port2"
        set ip 10.0.12.11 255.255.255.0
        set allowaccess ping https ssh snmp http telnet
    next
    edit "port3"
        set ip 10.0.13.11 255.255.255.0
        set allowaccess ping https ssh snmp http telnet
    next
    edit "port4"
        set ip 10.0.14.11 255.255.255.0
        set allowaccess ping https ssh snmp http telnet
    next
end
config router static
    edit 1
        set gateway 10.0.11.253
        set device "port1"
    next
end
config firewall policy
    edit 1
        set srcintf "port2"
        set dstintf "port1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
    next
end
config system ha
    set group-name "FGT-HA"
    set mode a-p
    set hbdev "port3" 50
    set ha-mgmt-status enable
    config ha-mgmt-interfaces
        edit 1
            set interface "port4"
            set gateway 10.0.14.253
        next
    end
    set priority 192
    set unicast-hb enable
    set unicast-hb-peerip 10.0.23.12
end
To configure FortiGate-B using the CLI:
The next steps show you how to configure A-P HA settings by using CLI commands on the GUI or via SSH. If using SSH,
the FortiGate may lose connection due to routing table changes, so configuring HA via the GUI is recommended.
config system interface
    edit "port1"
        set mode static
        set ip 10.0.21.12 255.255.255.0
        set allowaccess ping https ssh snmp http fgfm
    next
    edit "port2"
        set ip 10.0.22.12 255.255.255.0
        set allowaccess ping https ssh snmp http telnet
    next
    edit "port3"
        set ip 10.0.23.12 255.255.255.0
        set allowaccess ping https ssh snmp http telnet
    next
    edit "port4"
        set ip 10.0.24.12 255.255.255.0
        set allowaccess ping https ssh snmp http telnet
    next
end
config router static
    edit 1
        set gateway 10.0.21.253
        set device "port1"
    next
end
config firewall policy
    edit 1
        set srcintf "port2"
        set dstintf "port1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
    next
end
config system ha
    set group-name "FGT-HA"
    set mode a-p
    set hbdev "port3" 50
    set ha-mgmt-status enable
    config ha-mgmt-interfaces
        edit 1
            set interface "port4"
            set gateway 10.0.24.253
        next
    end
    set priority 64
    set unicast-hb enable
    set unicast-hb-peerip 10.0.13.11
end
You must set the FortiGate-B HA priority to a value lower than FortiGate-A's priority. The node with the lower priority becomes the secondary node.
To check the HA status and function:
1. In FortiOS on the primary FortiGate, go to System > HA. Check that the HA status is synchronized.
2. Log into a PC that is located in the internal subnet. Verify that the PC can access the Internet via FortiGate-A when
FortiGate-A is the primary node.
3. Shut down FortiGate-A. Verify that FortiGate-B becomes the primary node.
4. Log into the PC. Verify that the PC can access the Internet via FortiGate-B when FortiGate-B is the primary node.
5. You can use the diagnose debug application alicloud-ha -1 command to see if the secondary private IP address moves from FortiGate-A to FortiGate-B during failover.
Configuring FortiGate-VM active-active HA
See Active-active egress route failover for AliCloud.
Deploying auto scaling on AliCloud
You can deploy FortiGate-VM to support Auto Scaling on AliCloud.
Multiple FortiGate-VM instances can form an Auto Scaling group to provide highly efficient clustering at times of high workloads. FortiGate-VM instances are scaled out automatically according to predefined workload levels. Auto Scaling is achieved by using FortiGate-native high availability (HA) features such as config-sync, which synchronizes operating system (OS) configurations across multiple FortiGate-VM instances at the time of scale-out events.
FortiGate Autoscale for AliCloud is available with FortiOS 6.2 and later versions for On-Demand (PAYG) instances. The
standard deployment contains the following:
• A highly available architecture that spans two Availability Zones (AZs).
• A virtual private cloud (VPC) configured with public and private subnets.
• A NAT gateway allowing egress traffic from the protected servers.
• An external-facing network load balancer, created as part of the deployment process. An internal-facing network load balancer is optional.
• AliCloud Function Compute, which runs Fortinet-provided scripts for running Auto Scaling. Functions are used to handle Auto Scaling and failover management.
• An Open Table Service or TableStore (OTS), a NoSQL database which stores information on the Auto Scaling configuration such as the primary or secondary IP addresses.
Planning
The easiest way to deploy FortiGate Autoscale for AliCloud is with Terraform.
This deployment was tested using:
l Terraform 0.11
l Terraform provider for AliCloud 1.48.0
Requirements
Installing and configuring FortiGate Autoscale for AliCloud requires knowledge of the following:
l Configuring a FortiGate using the CLI
l AliCloud services
l Terraform
It is expected that FortiGate Autoscale for AliCloud will be deployed by DevOps engineers or advanced system
administrators who are familiar with the above.
RAM account permissions
The solution can be deployed with an administrator account. As an administrator account has full permission to all
resources under your AliCloud account, you may wish to create a separate Resource Access Management (RAM)
account with the following minimum required permissions:
l AliyunVPCFullAccess
l AliyunEIPFullAccess
l AliyunOSSFullAccess
l AliyunECSFullAccess
l AliyunSLBFullAccess
l AliyunOTSFullAccess
l AliyunESSFullAccess
l AliyunFCFullAccess
l AliyunRAMFullAccess
l AliyunBSSOrderAccess
Region requirements
To deploy a FortiGate Auto Scaling cluster in AliCloud the region must support the following:
l TableStore
l OSS
l Function Compute
l Auto Scaling
l NAT Gateway
Supported regions
The following regions contain all of the necessary services to run FortiGate Autoscale for AliCloud:
Region | Identifier
Asia Pacific NE 1 (Tokyo) | m-6weakry8j13jxmjlmi4o
Asia Pacific SE 2 (Sydney) | m-p0wb4dw13d6qc1sndaj6
Asia Pacific SOU 1 (Mumbai) | m-a2dbkrpr8wsobn9ygddc
EU Central 1 (Frankfurt) | m-gw8cizn7dguyeikpgozb
US East 1 (Virginia) | m-0xif6xxwhjlqhoaqjrr6
US West 1 (Silicon Valley) | m-rj91iqplyxdp7crb0gvj
Deployment information
Terraform will deploy the following resources:
l A VPC with two subnets split over two zones
l Two vswitches
l A NAT gateway
l An AutoScale cluster
l An AutoScale configuration
l Two AutoScale rules: Scale in and Scale out
l An Object Storage Service (OSS) bucket
l A Function Compute service, function and HTTP trigger
l Two security groups: Allow all, and Allow only internal connections
l A TableStore instance and 5 tables
l Three Elastic IP (EIP) addresses
l A RAM role with the ability to describe and create Elastic Network Interfaces (ENIs)
l An external-facing server load balancer
Deployment
1. Log into your AliCloud account. If you do not already have one, create one by following the instructions in the
AliCloud article Create a RAM user. The RAM account must have the minimum required permissions as listed in the
section RAM account permissions on page 58.
2. Create an AliCloud AccessKey. For details on creating one, refer to the AliCloud article Create an AccessKey. This
will create an AccessKeyID and an AccessKeySecret.
3. Install Terraform. For installation details, refer to the HashiCorp article Install Terraform.
4. Obtain the FortiGate Autoscale for AliCloud deployment package. Visit the GitHub project release page and
download the fortigate-autoscale-alicloud.zip release for the version you want to use.
5. Unzip the file on your local PC. The following files and folders will be extracted:
├── alicloud_function_compute
├── alicloud_terraform
├── core
├── dist
├── LICENSE
├── node_modules
├── package.json
├── scripts
└── test
6. In your terminal, change to the alicloud_terraform folder:
cd alicloud_terraform
The alicloud_terraform folder contains the following files:
├── assets
│ └── configset
│ ├── baseconfig
│ ├── httproutingpolicy
│ ├── httpsroutingpolicy
│ ├── internalelbweb
│ └── storelogtofaz
├── main.tf
└── vars.tf
l baseconfig contains the cloud-init configuration for the FortiGate-VM and can be adjusted to support more
advanced setups.
l main.tf contains the majority of the deployment code. As part of the deployment it will upload the baseconfig to
an OSS bucket to be used by the FortiGate-VM instances.
l vars.tf contains the variables required for the deployment. For example: image ID (instance_ami), cluster
name, instance, region, etc. For descriptions of the included variables, refer to the section Terraform variables
on page 61.
7. Edit the vars.tf file and customize variables for the deployment.
The OSS bucket name must be lowercase.
The Function Compute URL may not be more than 127 characters. The variable cluster_name is used to create this URL.
8. Initialize the providers and modules with the command terraform init:
terraform init
9. Submit the Terraform plan using the command, substituting the AccessKeyID, AccessKeySecret and region:
terraform plan -var "access_key=<AccessKeyID>" -var "secret_key=<AccessKeySecret>" -var "region=<region>"
10. Confirm and apply the plan:
terraform apply -var "access_key=<AccessKeyID>" -var "secret_key=<AccessKeySecret>" -var "region=<region>"
Output will be similar to the following. A randomly generated three letter suffix is added to all resources and can be
used to help identify your cluster resources.
Apply complete! Resources: 48 added, 0 changed, 0 destroyed.
Outputs:
Auto Scaling Group ID = asg-0xi1g2hk9z048yn6cuu1
AutoScale External Load Balancer IP = 47.89.136.18
PSK Secret = !_YfA7FQ@b_aYuei
Scale In Threshold = 35
Scale Out Threshold = 70
VPC name = FortigateAutoScale-rrr
Terraform variables
Following are variables listed in the vars.tf file. They can be changed to suit the needs of your cluster.
Resource | Default | Description
access_key | Requires input | AliCloud AccessKey. For details on creating an AccessKey, refer to the AliCloud article Create an AccessKey.
secret_key | Requires input | AliCloud Secret key created with the AccessKey. Used to access the API.
region | us-east-1 | The AliCloud Region.
scale_in_threshold | 35 | Default aggregate CPU threshold (percentage) to scale in (remove) 1 instance.
scale_out_threshold | 70 | Default aggregate CPU threshold (percentage) to scale out (add) 1 instance.
alicloud_account | (none) | AliCloud account number (datatype).
cluster_name | FortigateAutoScale | Name of the cluster to be used across objects.
bucket_name | fortigateautoscale | Name of the OSS bucket. Must be lowercase.
instance_ami | Requires input | If specified, this will be the image used by the build. Otherwise, the script will obtain the latest FortiGate AMI.
instance | ecs.sn1ne | The instance Family type to be used by the Auto Scaling configuration.
vpc_cidr | 172.16.0.0/16 | VPC Classless Inter-Domain Routing (CIDR) block; it is divided into two /21 subnets.
vswitch_cidr_1 | 172.16.0.0/21 | First Vswitch located in zone A of the region.
vswitch_cidr_2 | 172.16.8.0/21 | Second Vswitch located in zone B of the region.
table_store_instance_type | Capacity | Accepted values are HighPerformance or Capacity.
Variables can also be set from the command line using:
terraform plan -var "<variable>=<value>"
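The constraints in the variables table and in step 7 (lowercase bucket name, two /21 vswitches carved from vpc_cidr, a Function Compute URL of at most 127 characters, a region that has every required service) are easy to get wrong before the first terraform apply. The following pre-flight check is an added example, not part of the Fortinet deployment package. It assumes the variable names from the table above, maps the supported-region display names to the region IDs the AliCloud provider uses, and estimates the Function Compute URL from the callback-url shape shown later on this page with a placeholder 16-digit account ID and the three-letter suffix; that URL layout is an assumption, so treat its length check as an estimate.

```python
import ipaddress

# Region IDs as the AliCloud Terraform provider names them, for the regions the
# guide lists as supported. The display-name-to-ID mapping is added here.
SUPPORTED_REGIONS = {
    "ap-northeast-1": "Asia Pacific NE 1 (Tokyo)",
    "ap-southeast-2": "Asia Pacific SE 2 (Sydney)",
    "ap-south-1": "Asia Pacific SOU 1 (Mumbai)",
    "eu-central-1": "EU Central 1 (Frankfurt)",
    "us-east-1": "US East 1 (Virginia)",
    "us-west-1": "US West 1 (Silicon Valley)",
}

FC_URL_MAX = 127  # limit stated in the guide for the Function Compute URL

# Defaults copied from the Terraform variables table on this page.
DEFAULT_VARS = {
    "region": "us-east-1", "scale_in_threshold": 35, "scale_out_threshold": 70,
    "cluster_name": "FortigateAutoScale", "bucket_name": "fortigateautoscale",
    "vpc_cidr": "172.16.0.0/16", "vswitch_cidr_1": "172.16.0.0/21",
    "vswitch_cidr_2": "172.16.8.0/21", "table_store_instance_type": "Capacity",
}


def expected_vswitch_cidrs(vpc_cidr):
    """Carve the VPC block into the first two /21 subnets (the layout the guide uses)."""
    vpc = ipaddress.ip_network(vpc_cidr, strict=True)
    if vpc.prefixlen > 21:
        raise ValueError(f"{vpc_cidr} is too small to hold two /21 subnets")
    subnets = vpc.subnets(new_prefix=21)
    return str(next(subnets)), str(next(subnets))


def estimate_fc_url(cluster_name, region, account_id="0000000000000000", suffix="xxx"):
    """Assumed URL shape, modelled on the sample callback-url shown on this page.
    account_id and suffix are placeholders; the real values are only known after deployment."""
    return (f"https://{account_id}.{region}-internal.fc.aliyuncs.com/2016-08-15/"
            f"proxy/{cluster_name}-{suffix}/{cluster_name}ASG-{suffix}/")


def check_autoscale_vars(v):
    """Return a list of problems for a dict of vars.tf values; an empty list means OK."""
    problems = []
    if v["bucket_name"] != v["bucket_name"].lower():
        problems.append("bucket_name must be lowercase")
    if v["region"] not in SUPPORTED_REGIONS:
        problems.append(f"region {v['region']} is not in the supported-regions list")
    if not 0 < v["scale_in_threshold"] < v["scale_out_threshold"] <= 100:
        problems.append("need 0 < scale_in_threshold < scale_out_threshold <= 100")
    if v["table_store_instance_type"] not in ("HighPerformance", "Capacity"):
        problems.append("table_store_instance_type must be HighPerformance or Capacity")
    try:
        vpc = ipaddress.ip_network(v["vpc_cidr"], strict=True)
        sw1 = ipaddress.ip_network(v["vswitch_cidr_1"], strict=True)
        sw2 = ipaddress.ip_network(v["vswitch_cidr_2"], strict=True)
    except ValueError as e:
        return problems + [f"bad CIDR: {e}"]
    for name, sw in (("vswitch_cidr_1", sw1), ("vswitch_cidr_2", sw2)):
        if sw.prefixlen != 21:
            problems.append(f"{name} should be a /21 (the guide splits the VPC into two /21s)")
        if not sw.subnet_of(vpc):
            problems.append(f"{name} {sw} is outside vpc_cidr {vpc}")
    if sw1.overlaps(sw2):
        problems.append("vswitch_cidr_1 and vswitch_cidr_2 overlap")
    url = estimate_fc_url(v["cluster_name"], v["region"])
    if len(url) > FC_URL_MAX:
        problems.append(f"cluster_name too long: estimated Function Compute URL is "
                        f"{len(url)} characters (> {FC_URL_MAX})")
    return problems


if __name__ == "__main__":
    for line in check_autoscale_vars(DEFAULT_VARS) or ["vars look consistent"]:
        print(line)
```

Run it against the values you put in vars.tf before terraform plan; a non-empty list is cheaper to fix here than after a partial apply that leaves 40-odd resources to destroy.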
Verify the deployment
1. Log in to the AliCloud console and go to TableStore.
2. Go to the FortiGateMasterElection table.
3. Make note of the primary FortiGate-VM IP address and ensure the voteState is done. See the following for an
example:
4. Go to the FortiGateAutoscale table and confirm the instances that have been added to the cluster. Following is an
example of a healthy cluster:
The MasterIp column displays the IP address of the primary FortiGate-VM.
When an instance is removed from a cluster its record will not be erased from this table.
5. Log in to the primary FortiGate-VM instance using the public IP address from step 3. The default admin port is 8443
and the default username/password will be admin/.
6. From the web interface you can tell the Instance role and current cluster size:
7. From the CLI type the following to get the role status and current callback-url:
get system auto-scale
Output will be similar to the following:
status : enable
role : master
sync-interface : port1
callback-url : https://***********.ap-southeast-5-internal.fc.aliyuncs.com/2016-08-15/proxy/FortigateAutoScale-smc/FortiGateASG-rrr/
hb-interval : 10
psksecret : *
Destroying the cluster
To destroy the cluster, first enter and verify:
terraform destroy -var "access_key=<AccessKeyID>" -var "secret_key=<AccessKeySecret>" -var "region=<region>"
There are restrictions on deleting tables when they have data. As such, TableStore must then be deleted manually from
the console.
To remove TableStore:
1. Go to your Table and click Delete for each table:
2. After deleting the tables, return to the Instance page and click Release:
Troubleshooting
Debugging cloud-init
Retrieving the cloud-init log can be useful when issues are occurring at boot up. To retrieve the log, log in to the
FortiGate-VM and type the following into the CLI:
diag debug cloudinit show
Output will look similar to the following:
>> Checking metadata source ali
>> ALI user data obtained
>> Fos-instance-id: i-p0w3dr3bf9rck4jub4vb
>> Cloudinit trying to get config script from https://************.ap-southeast-2-internal.fc.aliyuncs.com/2016-08-15/proxy/FortigateAutoScale-wke/FortigateAutoScale-rrr/
>> Cloudinit download config script successfully
>> Found metadata source: ali
>> Run config script
>> Finish running script
>> FortiGate-VM64-ALI $ config system dns
>> FortiGate-VM64-ALI (dns) $ unset primary
>> FortiGate-VM64-ALI (dns) $ unset secondary
>> FortiGate-VM64-ALI (dns) $ end
>> FortiGate-VM64-ALI $ config system auto-scale
>> FortiGate-VM64-ALI (auto-scale) $ set status enable
>> FortiGate-VM64-ALI (auto-scale) $ set sync-interface port 1
>> FortiGate-VM64-ALI (auto-scale) $ set role master
>> FortiGate-VM64-ALI (auto-scale) $ set callback-url https://************.ap-southeast-2-internal.fc.aliyuncs.com/2016-08-15/proxy/FortigateAutoScale-wke/FortigateAutoScale-rrr/
TableStore destroy time
TableStore deletion can take up to 10 minutes and may appear as follows:
alicloud_ots_instance.tablestore: Still destroying... (ID: FortiGateASG-rrr, 7m0s elapsed)
alicloud_ots_instance.tablestore: Still destroying... (ID: FortiGateASG-rrr, 7m10s elapsed)
alicloud_ots_instance.tablestore: Still destroying... (ID: FortiGateASG-rrr, 7m20s elapsed)
If you are seeing these messages after 10 minutes, it is likely that TableStore contains data. You will need to manually
delete TableStore and then re-run the terraform destroy command. For details on manually deleting TableStore,
refer to the section Destroying the cluster on page 65.
Resource availability
If a region runs out of a specified resource, an error like the following displays. In this case, the cluster must be
deployed into a different region.
1 error occurred:
* alicloud_slb.default: 1 error occurred:
* alicloud_slb.default: [ERROR] terraform-provider-alicloud/alicloud/resource_alicloud_slb.go:324: Resource alicloud_slb CreateLoadBalancer Failed!!! [SDK alibaba-cloud-sdk-go ERROR]:
SDK.ServerError
ErrorCode: OperationFailed.ZoneResourceLimit
Recommend:
RequestId: 83972A94-0640-49DA-8586-DCF535D14886
Message: The operation failed because of resource limit of the specified zone.
Timeout
If a timeout such as the following occurs, rerun the command.
Error: Error applying plan:
1 error occurred:
* alicloud_vswitch.vsw2: 1 error occurred:
* alicloud_vswitch.vsw2: [ERROR] terraform-provider-alicloud/alicloud/resource_alicloud_vswitch.go:58:
[ERROR] terraform-provider-alicloud/alicloud/resource_alicloud_vswitch.go:170:
[ERROR] terraform-provider-alicloud/alicloud/service_alicloud_ecs.go:51: Resource us-east-1b
DescribeZones Failed!!! [SDK alibaba-cloud-sdk-go ERROR]:
net/http: request canceled (Client.Timeout exceeded while reading body)
How to reset the elected primary FortiGate
To reset the elected primary FortiGate, go to TableStore > FortiGateMasterElection and delete the only item. A new
primary FortiGate will be elected and a new record will be created as a result.
For details on locating TableStore > FortiGateMasterElection , refer to the section Verify the deployment on page 63.
Appendix
FortiGate Autoscale for AliCloud features
Major components
l The Auto Scaling group. The Auto Scaling group contains one to many FortiGate-VMs (PAYG licensing model).
This Auto Scaling group will dynamically scale-out or scale-in based on the scaling metrics specified in the scaling
rules.
l The configset folder contains files that are loaded as the initial configuration for a new FortiGate-VM instance.
l baseconfig is the base configuration. This file can be modified as needed to meet your network requirements.
Placeholders such as {SYNC_INTERFACE} are explained in the Configset placeholders table on page 68.
l Tables in TableStore. These tables are required to store information such as health check monitoring, primary
election, state transitions, etc. These records should not be modified unless required for troubleshooting purposes.
Configset placeholders
When the FortiGate-VM requests the configuration from the Auto Scaling function, the placeholders in the table will be
replaced with associated environment variables stored in Function Compute.
Placeholder | Type | Description
{SYNC_INTERFACE} | Text | The interface for FortiGate-VMs to synchronize information. All characters must be lowercase.
{CALLBACK_URL} | URL | The endpoint URL to interact with the Auto Scaling handler script. Automatically generated during the Terraform deployment.
{PSK_SECRET} | Text | The Pre-Shared key used in FortiOS. Randomly generated during the Terraform deployment. Changes to the PSK secret after FortiGate Autoscale for AliCloud has been deployed are not reflected here. For new instances to be spawned with the changed PSK secret, this environment variable must be manually updated.
{ADMIN_PORT} | Number | A port number specified for administration login. A positive integer such as 443 etc. Default value: 8443. Changes to the admin port after deployment are not reflected here. For new instances to be spawned with the changed admin port, this environment variable must be updated.
Architectural diagram
Election of the primary instance
Manual deployment of auto scaling on AliCloud
Following is a sample configuration for deploying Auto Scaling on AliCloud:
1. Create a scaling group in the AliCloud console.
2. Create a scaling configuration in the AliCloud console.
3. Create scaling rules in the AliCloud console.
4. Configure a FortiGate-VM in the Auto Scaling group as the primary member.
5. Scale out a new FortiGate-VM, configure it as a secondary member, and synchronize the configuration from the
primary to the secondary FortiGate-VM.
6. Run diagnose commands to confirm that Auto Scaling is functioning.
To create a scaling group in the AliCloud console:
1. Log into the AliCloud console.
2. Go to Auto Scaling > Scaling Groups > Create Scaling Group.
3. Set the following parameters for the Auto Scaling group:
a. Scaling Group Name: Enter a name for the scaling group. The sample configuration is named FGT-ASG.
b. Maximum Instances: Enter the maximum number of instances that can comprise the group. In the sample
configuration, four (4) is the maximum number.
c. Minimum Instances: Enter the minimum number of instances that can comprise the group. In the sample
configuration, one (1) is the minimum number.
d. Instance Configuration Source: Leave at the default value.
e. Network Type: Leave at the default value, which is VPC.
f. Select the VPC and VSwitch as desired.
4. Click OK.
To create a scaling configuration in the AliCloud console:
1. After creating an Auto Scaling group, AliCloud displays a popup for creating a new scaling configuration before
activating Auto Scaling. In the popup, click Create Now.
2. Select the instance type.
3. Select the desired FortiGate-VM image.
4. Ensure that Assign Public IP is selected.
5. Select the desired security group.
6. Click Next: System Configurations.
7. (Optional) Set the key pair.
8. Preview the scaling configuration, then click Create and Enable Configuration.
9. Go to Auto Scaling > Scaling Groups to ensure that AliCloud has created the Auto Scaling group and that the first
FortiGate-VM has been automatically launched under the group.
To create scaling rules in the AliCloud console:
1. In Auto Scaling > Scaling Groups, click the group name.
2. Click Scaling Rules from the right-side menu.
3. In the Create Scaling Rule dialog, enter a scaling rule name.
4. Configure an action. In the sample configuration, the scaling rule is configured to add one (1) FortiGate-
VM instance.
5. Enter a cool down time, then click Create Scaling Rule. You could also configure another scaling rule which can be
executed to remove one (1) FortiGate-VM instance.
To configure a FortiGate-VM in the Auto Scaling group as the primary member:
1. Log into the FortiGate-VM.
2. Run the following commands in the CLI to enable Auto Scaling and configure this FortiGate-VM as the primary
member of the Auto Scaling group:
config system auto-scale
set status enable
set role master
set sync-interface "port1"
set psksecret xxxxxx
end
To scale out a new FortiGate-VM, configure it as a secondary member, and synchronize the
configuration:
1. In Auto Scaling > Scaling Groups, click the group name, then execute the scaling rule created earlier. AliCloud
creates a new FortiGate-VM instance.
2. Log into the new FortiGate-VM.
3. Run the following commands in the CLI to enable Auto Scaling and configure this FortiGate-VM as the secondary
member of the Auto Scaling group. The master-ip value should be the primary FortiGate-VM's private IP address:
config system auto-scale
set status enable
set role slave
set sync-interface "port1"
set master-ip 192.168.1.204
set psksecret xxxxxx
end
The secondary FortiGate-VM is synced with the primary FortiGate-VM. The secondary FortiGate-VM can receive
configurations from the primary FortiGate-VM.
To run diagnose commands:
You can run the following diagnose commands to determine if the primary and secondary FortiGate-VMs are able to
synchronize configurations:
FortiGate-VM64-ALION~AND # diag deb app hasync -1
slave's configuration is not in sync with master's, sequence:0
slave's configuration is not in sync with master's, sequence:1
slave's configuration is not in sync with master's, sequence:2
slave's configuration is not in sync with master's, sequence:3
slave's configuration is not in sync with master's, sequence:4
slave starts to sync with master
logout all admin users
SDN connector integration with AliCloud
Configuring AliCloud SDN connector using RAM roles
See the FortiOS Administration Guide for information on the AliCloud SDN connector.
The following summarizes minimum sufficient RAM roles for SDN connector integration with AliCloud:
l AliyunECSReadOnlyAccess
l AliyunEIPReadOnlyAccess
l AliyunVPCReadOnlyAccess
Actual role configurations may differ depending on your environments. Check with your
company's public cloud administrators for details.
Pipelined automation using AliCloud Function Compute
See GitHub.
VPN for FortiGate-VM on AliCloud
Connecting a local FortiGate to an AliCloud VPC VPN
This guide provides sample configuration of a site-to-site VPN connection from a local FortiGate to an AliCloud VPC
VPN via IPsec VPN with static routing.
Instances that you launch into an AliCloud VPC can communicate with your own remote network via a site-to-site VPN
between your on-premise FortiGate and AliCloud VPC VPN. You can enable access to your remote network from your
VPC by configuring a VPN gateway and customer gateway to the VPC, then configuring the site-to-site VPC VPN.
This configuration requires the following prerequisites be met:
l AliCloud VPC with some configured subnets, routing tables, security group rules, and so on
l On-premise FortiGate with an external IP address
This guide consists of the following steps:
1. Create a VPN gateway.
2. Create a customer gateway.
3. Create a site-to-site VPN connection on AliCloud.
4. Configure the on-premise FortiGate.
5. Run diagnose commands.
To create a VPN gateway:
1. In the AliCloud management console, go to VPN > VPN Gateways.
2. Click Create VPN Gateway.
3. Create a virtual private gateway and attach it to the VPC from which you want to create the site-to-site VPN
connection.
To create a customer gateway:
In this example, the on-premise FortiGate that the VPC VPN connects to is the customer gateway.
1. Go to VPN > Customer Gateways.
2. Click Create Customer Gateway.
3. Configure the customer gateway as shown:
To create a site-to-site VPN connection on AliCloud:
1. Go to VPN > IPsec Connections.
2. Click Create IPsec Connection.
3. Create an IPsec connection between the VPN and customer gateways.
4. Under Actions, click Download Configuration.
5. Note the IPsec-related parameters. You use these parameters to configure the on-premise FortiGate in the next
step:
{
"LocalSubnet": "0.0.0.0/0",
"RemoteSubnet": "0.0.0.0/0",
"IpsecConfig": {
"IpsecPfs": "group2",
"IpsecEncAlg": "aes",
"IpsecAuthAlg": "sha1",
"IpsecLifetime": 86400
},
"Local": "x.x.x.x",
"Remote": "47.88.4.89",
"IkeConfig": {
"IkeAuthAlg": "sha1",
"LocalId": "x.x.x.x",
"IkeEncAlg": "aes",
"IkeVersion": "ikev1",
"IkeMode": "main",
"IkeLifetime": 86400,
"RemoteId": "47.88.4.89",
"Psk": "xxxxxxxxxxxxxxxx",
"IkePfs": "group2"
}
}
To configure the on-premise FortiGate:
1. In the FortiOS CLI, configure the on-premise FortiGate with the above IPsec-related parameters. When setting
remote-gw and psksecret, use the values found for RemoteId and Psk above, respectively. The example on-
premise FortiGate uses port9 as its external interface:
config vpn ipsec phase1-interface
edit "AliCloudVPN"
set interface "port9"
set keylife 86400
set peertype any
set net-device enable
set proposal aes128-sha1
set dhgrp 14 2
set remote-gw 47.88.4.89
set psksecret xxxxxxxxxxxxxxxx
next
end
config vpn ipsec phase2-interface
edit "AliCloudVPN"
set phase1name "AliCloudVPN"
set proposal aes128-sha1
set dhgrp 14 2
set keepalive enable
set keylifeseconds 3600
next
end
config firewall address
edit "AliCloudVPN-local-subnet-1"
set allow-routing enable
set subnet 10.6.30.0 255.255.255.0
next
end
config firewall address
edit "AliCloudVPN-remote-subnet-1"
set allow-routing enable
set subnet 10.0.1.0 255.255.255.0
next
end
config router static
edit 2
set device "AliCloudVPN"
set dstaddr "AliCloudVPN-remote-subnet-1"
next
end
config firewall policy
edit 10
set name "AliCloudVPN-local-ali"
set srcintf "mgmt1"
set dstintf "AliCloudVPN"
set srcaddr "AliCloudVPN-local-subnet-1"
set dstaddr "AliCloudVPN-remote-subnet-1"
set action accept
set schedule "always"
set service "ALL"
next
edit 20
set name "AliCloudVPN-ali-local"
set srcintf "AliCloudVPN"
set dstintf "mgmt1"
set srcaddr "AliCloudVPN-remote-subnet-1"
set dstaddr "AliCloudVPN-local-subnet-1"
set action accept
set schedule "always"
set service "ALL"
next
end
2. If the IPsec tunnel does not appear automatically, run the diagnose vpn tunnel up AliCloudVPN
command.
3. In the FortiOS GUI, go to VPN > IPsec Tunnels. Verify that the tunnel is up. The on-premise FortiGate can now
access the AliCloud VM with its private IP address. The AliCloud VM can also access the on-premise FortiGate with
its private IP address.
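Step 1 above transcribes the downloaded AliCloud parameters into FortiOS phase1/phase2 settings by hand. The following generator is an added example (not Fortinet's tooling and not part of this guide) that performs the same mapping from the JSON shown in step 5, so the two sides cannot drift apart on algorithm, DH group or lifetime. It assumes the AliCloud field names exactly as they appear in that JSON; the "aes" to aes128 mapping follows the page's own sample (aes/sha1 became aes128-sha1) and the remaining algorithm rows are assumptions. Note that the guide's sample additionally offers DH group 14 and sets the phase2 keylifeseconds to 3600, whereas this generator uses the downloaded IkePfs/IpsecPfs and IpsecLifetime values unchanged.

```python
import json

# Constructed sample: the IPsec parameters returned by Download Configuration in
# the steps above (addresses and PSK are the page's placeholders).
ALICLOUD_IPSEC_JSON = """{
  "LocalSubnet": "0.0.0.0/0", "RemoteSubnet": "0.0.0.0/0",
  "IpsecConfig": {"IpsecPfs": "group2", "IpsecEncAlg": "aes",
                  "IpsecAuthAlg": "sha1", "IpsecLifetime": 86400},
  "Local": "x.x.x.x", "Remote": "47.88.4.89",
  "IkeConfig": {"IkeAuthAlg": "sha1", "LocalId": "x.x.x.x", "IkeEncAlg": "aes",
                "IkeVersion": "ikev1", "IkeMode": "main", "IkeLifetime": 86400,
                "RemoteId": "47.88.4.89", "Psk": "xxxxxxxxxxxxxxxx", "IkePfs": "group2"}
}"""

# AliCloud algorithm names -> FortiOS proposal tokens. "aes" -> aes128 follows the
# page's own mapping; the other rows are assumptions added in this example.
ENC_ALG = {"aes": "aes128", "aes192": "aes192", "aes256": "aes256", "3des": "3des", "des": "des"}
AUTH_ALG = {"md5": "md5", "sha1": "sha1", "sha256": "sha256", "sha384": "sha384", "sha512": "sha512"}


def dh_group(pfs):
    """Map AliCloud's 'groupN' to the FortiOS dhgrp number; 'disabled' means no PFS."""
    if pfs in (None, "", "disabled"):
        return None
    if not (pfs.startswith("group") and pfs[5:].isdigit()):
        raise ValueError(f"unexpected PFS value {pfs!r}")
    return pfs[5:]


def proposal(enc, auth):
    """Build one FortiOS proposal token, failing loudly on an unknown algorithm."""
    try:
        return f"{ENC_ALG[enc]}-{AUTH_ALG[auth]}"
    except KeyError as e:
        raise ValueError(f"no FortiOS equivalent for AliCloud algorithm {e}") from None


def fortios_vpn_config(doc, name, interface):
    """Render phase1-interface and phase2-interface config from the parsed AliCloud JSON."""
    ike, ipsec = doc["IkeConfig"], doc["IpsecConfig"]
    p1 = [
        "config vpn ipsec phase1-interface",
        f'edit "{name}"',
        f'set interface "{interface}"',
        f"set ike-version {1 if ike['IkeVersion'] == 'ikev1' else 2}",
        f"set keylife {ike['IkeLifetime']}",
        "set peertype any",
        "set net-device enable",
        f"set proposal {proposal(ike['IkeEncAlg'], ike['IkeAuthAlg'])}",
    ]
    if ike["IkeVersion"] == "ikev1":
        p1.append(f"set mode {ike['IkeMode']}")  # main or aggressive applies to IKEv1 only
    p1.append(f"set dhgrp {dh_group(ike['IkePfs'])}")
    # As in the guide, remote-gw and psksecret come from RemoteId and Psk.
    p1 += [f"set remote-gw {ike['RemoteId']}", f"set psksecret {ike['Psk']}", "next", "end"]

    p2 = [
        "config vpn ipsec phase2-interface",
        f'edit "{name}"',
        f'set phase1name "{name}"',
        f"set proposal {proposal(ipsec['IpsecEncAlg'], ipsec['IpsecAuthAlg'])}",
    ]
    grp = dh_group(ipsec["IpsecPfs"])
    p2 += [f"set dhgrp {grp}"] if grp else ["set pfs disable"]
    p2 += ["set keepalive enable", f"set keylifeseconds {ipsec['IpsecLifetime']}", "next", "end"]
    return "\n".join(p1 + p2)


if __name__ == "__main__":
    print(fortios_vpn_config(json.loads(ALICLOUD_IPSEC_JSON), "AliCloudVPN", "port9"))
```

The firewall addresses, static route and policies from step 1 are site-specific and are not generated; paste them in as shown above after the phase1/phase2 blocks.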
To run diagnose commands:
FGT600D_B # diagnose vpn ike gateway list
vd: root/0
name: AliCloudVPN
version: 1
interface: port9 10
addr: 172.16.200.212:4500 -> 47.88.4.89:4500
created: 1087s ago
nat: me peer
IKE SA: created 1/1 established 1/1 time 9110/9110/9110 ms
IPsec SA: created 1/2 established 1/1 time 30/30/30 ms
id/spi: 0 d9d4ae9111a51b0b/de39f4ac9deffc18
direction: initiator
status: established 1087-1078s ago = 9110ms
proposal: aes128-sha1
key: 9bf9b58431949e77-a0c21ded48368db1
lifetime/rekey: 28800/27421
DPD sent/recv: 00000000/00000000
FGT600D_B # diagnose vpn tunnel list
list all ipsec tunnel in vd 0
------------------------------------------------------
name=AliCloudVPN ver=1 serial=1 172.16.200.212:4500->47.88.4.89:4500 dst_mtu=1500
bound_if=10 lgwy=static/1 tun=intf/0 mode=auto/1 encap=none/536 options[0218]=npu create_dev
frag-rfc accept_traffic=1
proxyid_num=1 child_num=0 refcnt=14 ilast=1084 olast=270 ad=/0
stat: rxp=1 txp=43 rxb=16452 txb=4389
dpd: mode=on-demand on=0 idle=20000ms retry=3 count=0 seqno=0
natt: mode=keepalive draft=32 interval=10 remote_port=4500
proxyid=AliCloudVPN proto=0 sa=1 ref=2 serial=1
src: 0:0.0.0.0/0.0.0.0:0
dst: 0:0.0.0.0/0.0.0.0:0
SA: ref=6 options=10227 type=00 soft=0 mtu=1422 expire=2399/0B replaywin=2048
seqno=2c esn=0 replaywin_lastseq=00000001 itn=0 qat=0
life: type=01 bytes=0/0 timeout=3298/3600
dec: spi=ac5426a9 esp=aes key=16 417b83810bf1f17b30e8b0974716d37d
ah=sha1 key=20 a3e1d5ca5d85907a35c7720e9c640d0fafbb0ee3
enc: spi=c999e156 esp=aes key=16 837b20f727c957f700f6c89acbb9e9a9
ah=sha1 key=20 7f4634601d6962575c00761f7270d36a683c3d65
dec:pkts/bytes=1/16376, enc:pkts/bytes=43/7648
npu_flag=03 npu_rgwy=47.88.4.89 npu_lgwy=172.16.200.212 npu_selid=0 dec_npuid=1 enc_npuid=1
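Reading the two diagnose outputs above by eye works once; checking them from a script is what you want when the tunnel is monitored or when the output is pasted into a ticket. The following is an added example, not Fortinet code: it parses the fields shown in the gateway and tunnel listings, compares them with the peer and proposal the configuration intends, and redacts the IKE and ESP/AH key material that both commands print in clear (the `key:` line and the `key=16 ...` / `key=20 ...` bytes). The sample outputs are the page's own, trimmed; the field layout is assumed to match those samples.

```python
import re

# Constructed samples, copied from the diagnose outputs shown above.
IKE_GATEWAY_OUTPUT = """\
vd: root/0
name: AliCloudVPN
version: 1
interface: port9 10
addr: 172.16.200.212:4500 -> 47.88.4.89:4500
created: 1087s ago
nat: me peer
IKE SA: created 1/1 established 1/1 time 9110/9110/9110 ms
IPsec SA: created 1/2 established 1/1 time 30/30/30 ms
id/spi: 0 d9d4ae9111a51b0b/de39f4ac9deffc18
direction: initiator
status: established 1087-1078s ago = 9110ms
proposal: aes128-sha1
key: 9bf9b58431949e77-a0c21ded48368db1
lifetime/rekey: 28800/27421
DPD sent/recv: 00000000/00000000
"""

TUNNEL_LIST_OUTPUT = """\
name=AliCloudVPN ver=1 serial=1 172.16.200.212:4500->47.88.4.89:4500 dst_mtu=1500
stat: rxp=1 txp=43 rxb=16452 txb=4389
dpd: mode=on-demand on=0 idle=20000ms retry=3 count=0 seqno=0
natt: mode=keepalive draft=32 interval=10 remote_port=4500
proxyid=AliCloudVPN proto=0 sa=1 ref=2 serial=1
life: type=01 bytes=0/0 timeout=3298/3600
dec: spi=ac5426a9 esp=aes key=16 417b83810bf1f17b30e8b0974716d37d
ah=sha1 key=20 a3e1d5ca5d85907a35c7720e9c640d0fafbb0ee3
enc: spi=c999e156 esp=aes key=16 837b20f727c957f700f6c89acbb9e9a9
ah=sha1 key=20 7f4634601d6962575c00761f7270d36a683c3d65
"""


def _field(pattern, text, default=None):
    """Return group 1 of the first line matching pattern, or default."""
    m = re.search(pattern, text, re.M)
    return m.group(1) if m else default


def parse_ike_gateway(text):
    """Pull the health-relevant fields out of 'diagnose vpn ike gateway list'."""
    gw = {
        "name": _field(r"^name: (\S+)", text),
        "version": _field(r"^version: (\d+)", text),
        "status": _field(r"^status: (\w+)", text),
        "proposal": _field(r"^proposal: (\S+)", text),
    }
    m = re.search(r"^addr: (\S+):\d+ -> (\S+):\d+", text, re.M)
    gw["local"], gw["peer"] = (m.group(1), m.group(2)) if m else (None, None)
    for label, key in (("IKE SA", "ike"), ("IPsec SA", "ipsec")):
        est = _field(rf"^{label}: created \d+/\d+ established (\d+)/\d+", text, "0")
        gw[f"{key}_established"] = int(est) > 0
    return gw


def parse_tunnel_stats(text):
    """Pull counters and SA state out of 'diagnose vpn tunnel list'."""
    m = re.search(r"^stat: rxp=(\d+) txp=(\d+) rxb=(\d+) txb=(\d+)", text, re.M)
    stats = dict(zip(("rxp", "txp", "rxb", "txb"), map(int, m.groups()))) if m else {}
    stats["dpd_mode"] = _field(r"^dpd: mode=(\S+)", text)
    stats["sa"] = int(_field(r"^proxyid=\S+ proto=\d+ sa=(\d+)", text, "0"))
    stats["life_left"] = int(_field(r"^life: .*timeout=(\d+)/\d+", text, "0"))
    return stats


def assess(gw, tun, expected_peer, expected_proposal):
    """Compare parsed state with what the configuration intends; an empty list is healthy."""
    findings = []
    if gw["peer"] != expected_peer:
        findings.append(f"peer is {gw['peer']}, expected {expected_peer}")
    if not gw["ike_established"] or gw["status"] != "established":
        findings.append("IKE SA not established")
    if not gw["ipsec_established"] or tun.get("sa", 0) == 0:
        findings.append("no IPsec SA: phase2 selectors or proposals may not match")
    if gw["proposal"] != expected_proposal:
        findings.append(f"negotiated {gw['proposal']}, expected {expected_proposal}")
    if tun.get("txp", 0) > 0 and tun.get("rxp", 0) == 0:
        findings.append("traffic sent but none received: check the remote route and policy")
    return findings


# Both commands print live key material; strip it before the output leaves the device.
_KEY_RE = re.compile(r"(?m)(\bkey=\d+ )[0-9a-f]+|(^key: ).*$")


def redact_keys(text):
    """Replace IKE and ESP/AH key bytes with a marker, keeping everything else intact."""
    return _KEY_RE.sub(lambda m: (m.group(1) or m.group(2)) + "<redacted>", text)


if __name__ == "__main__":
    gw, tun = parse_ike_gateway(IKE_GATEWAY_OUTPUT), parse_tunnel_stats(TUNNEL_LIST_OUTPUT)
    print(assess(gw, tun, "47.88.4.89", "aes128-sha1") or ["tunnel healthy"])
    print(redact_keys(TUNNEL_LIST_OUTPUT))
```

Feed it the real command output captured over SSH; the rxp/txp check in particular catches the common one-way case where the tunnel is up but the far side has no return route or policy.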
Connecting a local FortiGate to an AliCloud FortiGate via site-to-site VPN
This guide provides sample configuration of a site-to-site VPN connection from a local FortiGate to an AliCloud FortiGate
via site-to-site IPsec VPN with static routing. The following depicts the network topology for this sample deployment:
The following prerequisites must be met for this configuration:
l A FortiGate located on AliCloud with port1 connected to local LAN and a public IP address mapped to port1.
l A local FortiGate in a local environment. Determine if your FortiGate has a publicly accessible IP address or if it is
behind NAT. In this example, the on-premise FortiGate is behind NAT.
This guide consists of the following steps:
1. Configure the local FortiGate.
2. Configure the AliCloud FortiGate.
3. Establish a VPN connection between the local and AliCloud FortiGates.
4. Run diagnose commands.
Configuring the local FortiGate
To configure the local FortiGate using the GUI:
1. Configure the interfaces:
a. In FortiOS, go to Network > Interfaces.
b. Edit port1. From the Role dropdown list, select WAN. In the IP/Network Mask field, enter
10.6.30.194/255.255.255.0 for the interface that is connected to the Internet.
c. Edit port4. From the Role dropdown list, select LAN. In the IP/Network Mask field, enter
192.168.4.194/255.255.255.0 for the interface that is connected to the local subnet.
2. Configure a static route to connect to the Internet:
a. Go to Network > Static Routes.
b. Click Create New.
c. In the Destination field, enter 0.0.0.0/0.0.0.0.
d. From the Interface dropdown list, select port1.
e. In the Gateway Address field, enter 10.6.30.254.
3. Configure IPsec VPN:
a. Go to VPN > IPsec Wizard.
b. Configure VPN Setup:
i. In the Name field, enter the desired name.
ii. For Template Type, select Site to Site.
iii. For Remote Device Type, select FortiGate.
iv. For NAT Configuration, select This site is behind NAT. Click Next. For non-dialup situations where the
local FortiGate has an external IP address, select No NAT between sites.
c. Configure Authentication:
i. For Remote Device, select IP Address.
ii. In the IP Address field, enter 47.254.43.106. This is the AliCloud FortiGate port1 public IP address.
iii. From the Outgoing Interface dropdown list, select port1.
iv. For Authentication Method, select Pre-shared Key.
v. In the Pre-shared Key field, enter 123456. Click Next.
d. Configure Policy & Routing:
i. From the Local Interface dropdown list, select port4. This autofills the Local Subnets field with
192.168.4.0/24.
ii. In the Remote Subnets field, enter 192.168.4.0/24. This is the AliCloud FortiGate port1 subnet.
iii. For Internet Access, select None. Click Create.
To configure the local FortiGate using the CLI:
1. Configure the interfaces:
config system interface
edit "port1"
set vdom "root"
set ip 10.6.30.194 255.255.255.0
set allowaccess ping https ssh http fgfm
set type physical
set role wan
set snmp-index 1
next
edit "port4"
set vdom "root"
set ip 192.168.4.194 255.255.255.0
set allowaccess ping https ssh snmp fgfm ftm
set type physical
set device-identification enable
set lldp-transmission enable
set role lan
set snmp-index 4
next
end
2. Configure a static route to connect to the Internet:
config router static
edit 1
set gateway 10.6.30.254
set device "port1"
next
end
3. Configure IPsec VPN:
config vpn ipsec phase1-interface
edit "to_ali"
set interface "port1"
set peertype any
set net-device enable
set proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1
set comments "VPN: to_ali (Created by VPN wizard)"
set wizard-type static-fortigate
set remote-gw 47.254.43.106
set psksecret xxxxxx
next
end
config vpn ipsec phase2-interface
edit "to_ali"
set phase1name "to_ali"
set proposal aes128-sha1 aes256-sha1 aes128-sha256 aes256-sha256 aes128gcm aes256gcm chacha20poly1305
set comments "VPN: to_ali (Created by VPN wizard)"
set src-addr-type name
set dst-addr-type name
set src-name "to_ali_local"
set dst-name "to_ali_remote"
next
end
config router static
edit 2
set device "to_ali"
set comment "VPN: to_ali (Created by VPN wizard)"
set dstaddr "to_ali_remote"
next
edit 3
set distance 254
set comment "VPN: to_ali (Created by VPN wizard)"
set blackhole enable
set dstaddr "to_ali_remote"
next
end
config firewall policy
edit 1
set name "vpn_to_ali_local"
set uuid c6b2d36e-6c65-51e9-5a78-9a0881a0b07c
set srcintf "port4"
set dstintf "to_ali"
set srcaddr "to_ali_local"
set dstaddr "to_ali_remote"
set action accept
set schedule "always"
set service "ALL"
set comments "VPN: to_ali (Created by VPN wizard)"
next
edit 2
set name "vpn_to_ali_remote"
set uuid c6bf126e-6c65-51e9-8652-cb88546929b4
set srcintf "to_ali"
set dstintf "port4"
set srcaddr "to_ali_remote"
set dstaddr "to_ali_local"
set action accept
set schedule "always"
set service "ALL"
set comments "VPN: to_ali (Created by VPN wizard)"
next
end
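The local-side CLI listing above and the AliCloud-side listing in the next section must agree on a handful of settings (a shared psksecret, overlapping phase1 and phase2 proposals, a remote-gw that is the AliCloud public IP, and a dialup `type dynamic` phase1 on the AliCloud side because the local site is behind NAT). The following is an added example, not part of this guide: a small parser for the flat `config / edit / set / next / end` listings FortiOS prints, plus a cross-check of both sides. The two listings are constructed from the page's samples, trimmed to the relevant settings; the placeholder psksecret is kept as the page shows it, and the minimum PSK length used by the check is an assumption.

```python
# Constructed samples: phase1/phase2 entries from the two CLI listings on this page,
# trimmed to the settings that must agree between the peers.
LOCAL_SIDE = """
config vpn ipsec phase1-interface
edit "to_ali"
set interface "port1"
set peertype any
set net-device enable
set proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1
set wizard-type static-fortigate
set remote-gw 47.254.43.106
set psksecret xxxxxx
next
end
config vpn ipsec phase2-interface
edit "to_ali"
set phase1name "to_ali"
set proposal aes128-sha1 aes256-sha1 aes128-sha256 aes256-sha256 aes128gcm aes256gcm chacha20poly1305
set src-name "to_ali_local"
set dst-name "to_ali_remote"
next
end
"""

CLOUD_SIDE = """
config vpn ipsec phase1-interface
edit "to_local"
set type dynamic
set interface "port1"
set peertype any
set net-device enable
set proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1
set dpd on-idle
set wizard-type dialup-fortigate
set psksecret xxxxxx
set dpd-retryinterval 60
next
end
config vpn ipsec phase2-interface
edit "to_local"
set phase1name "to_local"
set proposal aes128-sha1 aes256-sha1 aes128-sha256 aes256-sha256 aes128gcm aes256gcm chacha20poly1305
set src-name "to_local_local"
set dst-name "to_local_remote"
next
end
"""


def parse_fortios(text):
    """Parse flat 'config / edit / set / next / end' listings into {table: {entry: {key: value}}}.
    Handles the one-level tables used on this page, not nested config blocks."""
    tables, table, entry = {}, None, None
    for line in text.splitlines():
        parts = line.strip().split(None, 1)
        if not parts:
            continue
        kw, rest = parts[0], parts[1] if len(parts) > 1 else ""
        if kw == "config":
            table = tables.setdefault(rest, {})
        elif kw == "edit":
            entry = table.setdefault(rest.strip('"'), {})
        elif kw == "set":
            key, _, value = rest.partition(" ")
            entry[key] = value.replace('"', "")
        elif kw == "next":
            entry = None
        elif kw == "end":
            table = None
    return tables


def first_entry(cfg, table):
    """Return the settings of the only entry in a table."""
    return next(iter(cfg[table].values()))


def check_peer_compat(local_text, cloud_text, cloud_public_ip, min_psk_len=20):
    """Cross-check the two sides; an empty list means the listings are consistent."""
    local, cloud = parse_fortios(local_text), parse_fortios(cloud_text)
    l1, c1 = (first_entry(c, "vpn ipsec phase1-interface") for c in (local, cloud))
    l2, c2 = (first_entry(c, "vpn ipsec phase2-interface") for c in (local, cloud))
    findings = []
    if l1.get("remote-gw") != cloud_public_ip:
        findings.append(f"local remote-gw {l1.get('remote-gw')} is not the AliCloud public IP {cloud_public_ip}")
    if c1.get("type") != "dynamic":
        findings.append("AliCloud side must be dialup (set type dynamic) when the local site is behind NAT")
    if l1.get("psksecret") != c1.get("psksecret"):
        findings.append("psksecret differs between the peers")
    if len(l1.get("psksecret", "")) < min_psk_len:  # threshold is an assumption of this example
        findings.append(f"psksecret shorter than {min_psk_len} characters")
    for phase, a, b in (("phase1", l1, c1), ("phase2", l2, c2)):
        if not set(a.get("proposal", "").split()) & set(b.get("proposal", "").split()):
            findings.append(f"no common {phase} proposal")
    return findings


if __name__ == "__main__":
    print(check_peer_compat(LOCAL_SIDE, CLOUD_SIDE, "47.254.43.106") or ["peers consistent"])
```

Run it on `show vpn ipsec phase1-interface` / `show vpn ipsec phase2-interface` output from both units before bringing the tunnel up; a proposal mismatch found here saves a round of `diagnose debug application ike` later.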
Configuring the AliCloud FortiGate
To configure the AliCloud FortiGate using the GUI:
1. Configure the interface:
a. In FortiOS, go to Network > Interfaces.
b. Edit port1.
c. From the Role dropdown list, select LAN.
d. Ensure that Addressing mode is set to DHCP and that the FortiGate can list the assigned IP address.
2. Configure IPsec VPN:
a. Go to VPN > IPsec Wizard.
b. Configure VPN Setup:
i. In the Name field, enter the desired name.
ii. For Template Type, select Site to Site.
iii. For Remote Device Type, select FortiGate.
iv. For NAT Configuration, select The remote site is behind NAT. Click Next.
c. Configure Authentication:
i. From the Incoming Interface dropdown list, select port1.
ii. For Authentication Method, select Pre-shared Key.
iii. In the Pre-shared Key field, enter 123456. Click Next.
d. Configure Policy & Routing:
i. From the Local Interface dropdown list, select port1. This autofills the Local Subnets field with 192.168.4.0/24.
ii. In the Remote Subnets field, enter 192.168.4.0/24. This is the local FortiGate port4 subnet.
iii. For Internet Access, select None. Click Create.
To configure the AliCloud FortiGate using the CLI:
1. Configure the interface and ensure that the FortiGate can list the assigned IP address:
config system interface
edit "port1"
set vdom "root"
set mode dhcp
set allowaccess ping https ssh fgfm
set type physical
set device-identification enable
set lldp-transmission enable
set role lan
set snmp-index 1
next
end
diagnose ip address list
IP=192.168.0.177->192.168.0.177/255.255.255.0 index=3 devname=port1
2. Configure IPsec VPN:
config vpn ipsec phase1-interface
edit "to_local"
set type dynamic
set interface "port1"
set peertype any
set net-device enable
set proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1
set dpd on-idle
set comments "VPN: to_local (Created by VPN wizard)"
set wizard-type dialup-fortigate
set psksecret xxxxxx
set dpd-retryinterval 60
next
end
config vpn ipsec phase2-interface
edit "to_local"
set phase1name "to_local"
set proposal aes128-sha1 aes256-sha1 aes128-sha256 aes256-sha256 aes128gcm aes256gcm chacha20poly1305
set comments "VPN: to_local (Created by VPN wizard)"
set src-addr-type name
set dst-addr-type name
set src-name "to_local_local"
set dst-name "to_local_remote"
next
end
config firewall policy
edit 1
set name "vpn_to_local_local"
set uuid e07aaa72-833c-51e9-ad33-4c1e96b656da
set srcintf "port1"
set dstintf "to_local"
set srcaddr "to_local_local"
set dstaddr "to_local_remote"
set action accept
set schedule "always"
set service "ALL"
set comments "VPN: to_local (Created by VPN wizard)"
next
edit 2
set name "vpn_to_local_remote"
set uuid e086b2b8-833c-51e9-3aaf-49e3cd4c5c70
set srcintf "to_local"
set dstintf "port1"
set srcaddr "to_local_remote"
set dstaddr "to_local_local"
set action accept
set schedule "always"
set service "ALL"
set comments "VPN: to_local (Created by VPN wizard)"
next
end
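As an added check that is not part of this guide, the following Python parses a FortiOS phase1-interface block (the AliCloud FortiGate's block above, embedded as a constructed sample) and reports settings a reviewer would want to confirm: proposals that still offer legacy algorithms, IKE version 1 (the FortiOS default when ike-version is not set, as the diagnose output later confirms), and disabled dead peer detection. The LEGACY_ALGS list and the finding wording are this example's own choices.

```python
import re

# Constructed sample: the AliCloud FortiGate phase1 block from this guide, as the CLI prints it.
PHASE1_CONFIG = """\
config vpn ipsec phase1-interface
    edit "to_local"
        set type dynamic
        set interface "port1"
        set peertype any
        set net-device enable
        set proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1
        set dpd on-idle
        set wizard-type dialup-fortigate
        set psksecret xxxxxx
        set dpd-retryinterval 60
    next
end
"""

# Algorithm tokens this example treats as legacy (assumption: site policy rejects them).
LEGACY_ALGS = {"sha1", "md5", "des", "3des"}

def parse_phase1(config_text):
    """Return {tunnel_name: {setting: value}} for every 'edit' entry in a phase1-interface block."""
    tunnels, current = {}, None
    for line in config_text.splitlines():
        line = line.strip()
        m = re.match(r'edit "([^"]+)"', line)
        if m:
            current = tunnels.setdefault(m.group(1), {})
            continue
        m = re.match(r"set (\S+) (.+)", line)
        if current is not None and m:
            current[m.group(1)] = m.group(2).strip('"')
        elif line == "next":
            current = None
    return tunnels

def review_phase1(settings):
    """List findings for one tunnel's settings (empty list = nothing flagged)."""
    findings = []
    # A proposal such as aes128-sha1 splits into its cipher and integrity tokens.
    legacy = [p for p in settings.get("proposal", "").split()
              if LEGACY_ALGS & set(p.split("-"))]
    if legacy:
        findings.append(f"legacy proposals offered: {' '.join(legacy)}")
    if settings.get("ike-version", "1") == "1":
        findings.append("IKEv1 in use (ike-version not set to 2)")
    if settings.get("dpd", "disable") == "disable":
        findings.append("dead peer detection disabled")
    return findings
```

Run it against the output of `show vpn ipsec phase1-interface` to review every tunnel on a device at once.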
To establish the VPN connection between the FortiGates:
The tunnel is down until you initiate the connection from the local FortiGate.
1. In FortiOS on the local FortiGate, go to Monitor > IPsec Monitor.
2. Click the created tunnel.
3. Click Bring Up. The tunnel is up.
4. In FortiOS on the AliCloud FortiGate, go to Monitor > IPsec Monitor to verify that the tunnel is up.
To run diagnose commands:
1. Show the local FortiGate VPN status:
FGT-194-Level1 # diagnose vpn ike gateway list
vd: root/0
name: to_ali
version: 1
interface: port1 3
addr: 10.6.30.194:4500 -> 47.254.43.106:4500
created: 4057s ago
nat: me peer
IKE SA: created 1/1 established 1/1 time 21180/21180/21180 ms
IPsec SA: created 1/3 established 1/3 time 20/26/30 ms
id/spi: 2 fd018d163ea303aa/9d7a245f889ee6c4
direction: initiator
status: established 4057-4036s ago = 21180ms
proposal: aes128-sha256
key: c7bab4dd8883b727-3b249220088216f8
lifetime/rekey: 86400/82063
DPD sent/recv: 00000000/00000009
FGT-194-Level1 # diagnose vpn tunnel list
list all ipsec tunnel in vd 0
------------------------------------------------------
name=to_ali ver=1 serial=1 10.6.30.194:4500->47.254.43.106:4500 dst_mtu=1500
bound_if=3 lgwy=static/1 tun=intf/0 mode=auto/1 encap=none/528 options
[0210]=create_dev frag-rfc accept_traffic=1
proxyid_num=1 child_num=0 refcnt=14 ilast=0 olast=0 ad=/0
stat: rxp=3382 txp=3404 rxb=432896 txb=204240
dpd: mode=on-demand on=1 idle=20000ms retry=3 count=0 seqno=0
natt: mode=keepalive draft=32 interval=10 remote_port=4500
proxyid=to_ali proto=0 sa=1 ref=2 serial=3
src: 0:192.168.4.0/255.255.255.0:0
dst: 0:192.168.0.0/255.255.255.0:0
SA: ref=3 options=10226 type=00 soft=0 mtu=1422 expire=39471/0B replaywin=2048
seqno=d14 esn=0 replaywin_lastseq=00000d0d itn=0 qat=0
life: type=01 bytes=0/0 timeout=42903/43200
dec: spi=8427ce41 esp=aes key=16 961323608ef02c111ce4cc393cd79293
ah=sha1 key=20 9cffabaa0163df6a92e1917efa333148b58ff9da
enc: spi=e2723047 esp=aes key=16 f93b233906039c179924923a4f09ebae
ah=sha1 key=20 c2c6225e26927de6381bf44c6ccd6d0a325e2e27
dec:pkts/bytes=3325/199500, enc:pkts/bytes=3347/428416
2. Show the AliCloud FortiGate VPN status:
FGT-ALIONDEMAND # diagnose vpn ike gateway list
vd: root/0
name: to_local_0
version: 1
interface: port1 3
addr: 192.168.0.177:4500 -> 208.91.114.1:64916
created: 4103s ago
nat: me peer
IKE SA: created 1/1 established 1/1 time 120/120/120 ms
IPsec SA: created 1/3 established 1/3 time 20/26/30 ms
id/spi: 0 fd018d163ea303aa/9d7a245f889ee6c4
direction: responder
status: established 4103-4103s ago = 120ms
proposal: aes128-sha256
key: c7bab4dd8883b727-3b249220088216f8
lifetime/rekey: 86400/82026
DPD sent/recv: 00000009/00000000
FGT-ALIONDEMAND # diagnose vpn tunnel list
list all ipsec tunnel in vd 0
------------------------------------------------------
name=to_local ver=1 serial=1 192.168.0.177:0->0.0.0.0:0 dst_mtu=0
bound_if=3 lgwy=static/1 tun=intf/0 mode=dialup/2 encap=none/528 options
[0210]=create_dev frag-rfc accept_traffic=1
proxyid_num=0 child_num=1 refcnt=11 ilast=4118 olast=4118 ad=/0
stat: rxp=0 txp=0 rxb=0 txb=0
dpd: mode=on-idle on=0 idle=60000ms retry=3 count=0 seqno=0
natt: mode=none draft=0 interval=0 remote_port=0
------------------------------------------------------
name=to_local_0 ver=1 serial=2 192.168.0.177:4500->208.91.114.1:64916 dst_mtu=1500
bound_if=3 lgwy=static/1 tun=intf/0 mode=dial_inst/3 encap=none/976 options
[03d0]=create_dev no-sysctl rgwy-chg rport-chg frag-rfc accept_traffic=1
parent=to_local index=0
proxyid_num=1 child_num=0 refcnt=14 ilast=0 olast=0 ad=/0
stat: rxp=3459 txp=3459 rxb=442752 txb=207540
dpd: mode=on-idle on=1 idle=60000ms retry=3 count=0 seqno=9
natt: mode=keepalive draft=32 interval=10 remote_port=64916
proxyid=to_local proto=0 sa=1 ref=2 serial=3 add-route
src: 0:192.168.0.0/255.255.255.0:0
dst: 0:192.168.4.0/255.255.255.0:0
SA: ref=3 options=282 type=00 soft=0 mtu=1422 expire=39694/0B replaywin=2048
seqno=d4b esn=0 replaywin_lastseq=00000d52 itn=0 qat=0
life: type=01 bytes=0/0 timeout=43187/43200
dec: spi=e2723047 esp=aes key=16 f93b233906039c179924923a4f09ebae
ah=sha1 key=20 c2c6225e26927de6381bf44c6ccd6d0a325e2e27
enc: spi=8427ce41 esp=aes key=16 961323608ef02c111ce4cc393cd79293
ah=sha1 key=20 9cffabaa0163df6a92e1917efa333148b58ff9da
dec:pkts/bytes=3402/204120, enc:pkts/bytes=3402/435456
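As an added check that is not part of this guide, the following Python pulls the key fields out of both gateways' diagnose output and verifies that the two views agree: both IKE SAs established, the same IKE SPI pair on both sides, one initiator and one responder, the same negotiated proposal, and each side's outbound ESP SPI equal to the other side's inbound SPI. The sample text is constructed from the output shown above, trimmed to the lines that are parsed.

```python
import re

# Constructed samples: the relevant lines of the local and AliCloud FortiGate
# "diagnose vpn ike gateway list" / "diagnose vpn tunnel list" output from this guide.
LOCAL_OUTPUT = """\
name: to_ali
version: 1
direction: initiator
status: established 4057-4036s ago = 21180ms
id/spi: 2 fd018d163ea303aa/9d7a245f889ee6c4
proposal: aes128-sha256
dec: spi=8427ce41 esp=aes key=16
enc: spi=e2723047 esp=aes key=16
"""
REMOTE_OUTPUT = """\
name: to_local_0
version: 1
direction: responder
status: established 4103-4103s ago = 120ms
id/spi: 0 fd018d163ea303aa/9d7a245f889ee6c4
proposal: aes128-sha256
dec: spi=e2723047 esp=aes key=16
enc: spi=8427ce41 esp=aes key=16
"""

FIELDS = {
    "name": r"^\s*name: (\S+)",
    "direction": r"^\s*direction: (\S+)",
    "established": r"^\s*status: (established)",
    "ike_spi": r"^\s*id/spi: \d+ ([0-9a-f]+/[0-9a-f]+)",
    "proposal": r"^\s*proposal: (\S+)",
    "dec_spi": r"^\s*dec: spi=([0-9a-f]+)",   # inbound ESP SPI
    "enc_spi": r"^\s*enc: spi=([0-9a-f]+)",   # outbound ESP SPI
}

def parse_gateway(output):
    """Extract the fields above from one gateway's output; missing fields become None."""
    return {key: (m.group(1) if (m := re.search(pat, output, re.MULTILINE)) else None)
            for key, pat in FIELDS.items()}

def check_pair(local, remote):
    """Return a list of consistency problems between the two sides (empty = healthy)."""
    problems = []
    for side, g in (("local", local), ("remote", remote)):
        if g["established"] != "established":
            problems.append(f"{side}: IKE SA not established")
    if local["ike_spi"] != remote["ike_spi"]:
        problems.append("IKE SPI pair differs between sides")
    if {local["direction"], remote["direction"]} != {"initiator", "responder"}:
        problems.append("sides are not one initiator and one responder")
    if local["proposal"] != remote["proposal"]:
        problems.append("negotiated proposals differ")
    # What one side encrypts with (enc) the other must decrypt with (dec), and vice versa.
    if local["enc_spi"] != remote["dec_spi"] or local["dec_spi"] != remote["enc_spi"]:
        problems.append("ESP SPIs do not cross-match")
    return problems
```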
Change log
Date         Change Description
2023-05-11   Initial release.
Copyright © 2023 Fortinet, Inc. All rights reserved. Fortinet®, FortiGate®, FortiCare® and FortiGuard®, and certain other marks are registered trademarks of Fortinet, Inc., and other Fortinet names herein may also be registered and/or common law trademarks of Fortinet. All other product or company names may be trademarks of their respective owners. Performance and other metrics contained herein were attained in internal lab tests under ideal conditions, and actual performance and other results may vary. Network variables, different network environments and other conditions may affect performance results. Nothing herein represents any binding commitment by Fortinet, and Fortinet disclaims all warranties, whether express or implied, except to the extent Fortinet enters a binding written contract, signed by Fortinet's General Counsel, with a purchaser that expressly warrants that the identified product will perform according to certain expressly-identified performance metrics and, in such event, only the specific performance metrics expressly identified in such binding written contract shall be binding on Fortinet. For absolute clarity, any such warranty will be limited to performance in the same ideal conditions as in Fortinet's internal lab tests. Fortinet disclaims in full any covenants, representations, and guarantees pursuant hereto, whether express or implied. Fortinet reserves the right to change, modify, transfer, or otherwise revise this publication without notice, and the most current version of the publication shall be applicable.