fortinetsolutions / Azure-Templates

Azure Templates for Fortinet Solutions
https://www.fortinet.com/azure

Fabric connector API call not working #19

Open asichaib opened 4 years ago

asichaib commented 4 years ago

Hello, I'm configuring a 2-VM FortiGate HA in different zones with an active-passive configuration. Using the SDN connector, I've configured everything as described in the documentation, but when testing, the public IP and route table are not updated, even after assigning the right permissions to the Azure AD app and the VM identities. What am I missing? Thanks for your support.

HassanFTNT commented 4 years ago

Hello,

Logs from the following commands should indicate the issue:

diag de app azd -1
diag de en

Next try to failover.

By the way, the issue with the route table not being updated is solved in version 6.4.0.

asichaib commented 4 years ago

Hello, Thanks for your answer. I did the steps above and got this (a loop):

Become HA master mode 2
azd sdn connector FortiFabricA prepare to update
azd sdn connector FortiFabricA getting token
token size:1156 token expire on:1585927176
azd sdn connector FortiFabricA start updater process 3310
azd sdn connector FortiFabricA start updating
azd sdn connector FortiFabricA start updating IP addresses
azd checking firewall address object AzureA, vd 0
azd checking firewall address object AzureB, vd 0
azd sdn connector FortiFabricA finish updating IP addresses
azd reap child pid: 3310
azd sdn connector FortiFabricA prepare to update
azd sdn connector FortiFabricA start updater process 3315
azd sdn connector FortiFabricA start updating IP addresses
azd checking firewall address object AzureA, vd 0
azd checking firewall address object AzureB, vd 0
azd sdn connector FortiFabricA finish updating IP addresses
azd reap child pid: 3315

Unfortunately, in Azure nothing is updated. However, when a public IP is already assigned to the interface of the primary FTG, even manually I couldn't assign it to the interface of the secondary FTG. I need to dissociate it, then associate it.

Is there something we should do in FTG ? like in virtual IP ?

Thanks again for your help.

HassanFTNT commented 4 years ago

Moving routes is done by the SDN connector; it should not be done manually.

Check under config sys sdn-connector whether ha-status is enabled.

(set ha-status enable)

HassanFTNT commented 4 years ago

config system sdn-connector
    edit (SDN-name)
        set ha-status enable <----------
end

asichaib commented 4 years ago

It's working!!! The command was missing and you've got it. Thank you so much for your support.

gvazquezsnk commented 3 years ago

Hello guys,

I deployed a FortiGate HA Active-Passive with NLB. When I trigger the failover, the public IP doesn't move to the secondary VM. I activated the debug in FortiGate and it shows me this message:

azd api failed, url = https://management.azure.com/subscriptions/#########/resourceGroups/########/providers/Microsoft.Network/publicIPAddresses/Fortigate-A-Out?api-version=2018-06-01, rc = -1,

In the detail, there's another message:

{"error":{"code":"AuthenticationFailed","message":"Authentication failed. The 'Authorization' header is missing."}}

I checked the API's permissions in the Resource Group where the FortiGate objects are, and all are correctly configured. I also set up a test environment in a different subscription, and it works well with the same configuration.

regards,
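The two failure modes reported in this thread (an azd loop that only refreshes address objects after failover, and an Azure API call rejected with AuthenticationFailed) can be told apart from the `diag de app azd -1` output. The following triage script is an added example, not Fortinet's code; the sample captures are constructed from the lines quoted above (subscription and resource group names are placeholders), and the pattern used to detect route/public-IP updates is an assumption, since the thread never shows a successful update.

```python
import re

# Constructed sample, based on the debug loop quoted in the thread (one entry per line).
SAMPLE_LOOP = """\
Become HA master mode 2
azd sdn connector FortiFabricA getting token
azd sdn connector FortiFabricA start updating IP addresses
azd checking firewall address object AzureA, vd 0
azd sdn connector FortiFabricA finish updating IP addresses
azd reap child pid: 3310
"""
# Constructed sample modelled on the AuthenticationFailed report (SUB_ID / RG_NAME are placeholders).
SAMPLE_AUTH = """\
azd api failed, url = https://management.azure.com/subscriptions/SUB_ID/resourceGroups/RG_NAME/providers/Microsoft.Network/publicIPAddresses/Fortigate-A-Out?api-version=2018-06-01, rc = -1,
{"error":{"code":"AuthenticationFailed","message":"Authentication failed. The 'Authorization' header is missing."}}
"""
API_FAIL = re.compile(r"azd api failed, url = (?P<url>\S+), rc = (?P<rc>-?\d+)")
ERR_CODE = re.compile(r'"code":"(?P<code>[A-Za-z]+)"')
# Assumed pattern: route/public-IP moves would log as "updating routes"/"updating public ip" (not shown on the page).
HA_UPDATE = re.compile(r"updating (route|public ip)", re.I)

def triage_azd_log(text):
    """Summarise what one 'diag de app azd -1' capture shows."""
    lines = text.splitlines()
    report = {
        "became_master": any(l.startswith("Become HA master") for l in lines),
        "updated_ip_addresses": any("updating IP addresses" in l for l in lines),
        "updated_ha_objects": any(HA_UPDATE.search(l) for l in lines),
        "api_failures": [],
    }
    for l in lines:
        m = API_FAIL.search(l)
        if m:  # one record per failed call; the JSON body on the next line fills in the error code
            report["api_failures"].append({"url": m.group("url"), "rc": int(m.group("rc")), "code": None})
        e = ERR_CODE.search(l)
        if e and report["api_failures"] and report["api_failures"][-1]["code"] is None:
            report["api_failures"][-1]["code"] = e.group("code")
    return report

def suggest(report):
    """Map the triage result onto the causes discussed in the thread (heuristic, not an official check)."""
    codes = {f["code"] for f in report["api_failures"]}
    if "AuthenticationFailed" in codes:
        return "request sent without an Authorization header: check the connector's Azure credentials or managed identity"
    if report["became_master"] and report["updated_ip_addresses"] and not report["updated_ha_objects"]:
        return "only address objects refreshed after failover: check 'set ha-status enable' under config system sdn-connector"
    if report["api_failures"]:
        return "Azure API call failed: check the role assignment on the resource group"
    return "no problem detected in this capture"
```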