

azure-templates's Issues

FortiGate BYOL format

I've tried to find out which format to use to pass the license to the template when using BYOL. So far I've been unsuccessful and have had to manually upload the .lic file after the initial deployment. I've been deploying the following offering: https://github.com/fortinet/azure-templates/tree/main/FortiGate/Active-Passive-ELB-ILB

Tried the following things:

  • Deployed the template manually providing the license as a string input to the parameter file.
  • Deployed FortiGate Active/Passive offering using the Azure Portal and Marketplace and uploading the license file in the portal wizard.

None of the above works. I have to manually add the license to the FortiGate nodes at first sign-in. Do I need to convert the license to any specific format?

Sessions and Config Sync for FGT Active-Active-ELB-ILB

Hello,
I have configured session and configuration synchronization as mentioned in the last section of the article below, but my changes on the Primary (policy creation or other) are not synchronized to the secondary. Do you know what the reason could be? Is there anything else to configure?
For information:
I configured session synchronization on port1, and config synchronization on port2.
Another question: what are the troubleshooting commands to check whether my synchronization config is correctly configured?

https://github.com/fortinet/azure-templates/tree/main/FortiGate/Active-Active-ELB-ILB

Update FortiGate/AvailabilityZones/Active-Passive-ELB-ILB-AZ/ to support new instance types and fortios versions

It would be much appreciated if you could update FortiGate/AvailabilityZones/Active-Passive-ELB-ILB-AZ/ to be in line with /FortiGate/Active-Passive-ELB-ILB

i.e. add support for FortiOS versions:
6.4.6,
6.4.7,
7.0.0,
7.0.1.

And the following instance types:
Standard_F1s
Standard_F2s
Standard_F1
Standard_F2
Standard_F2s_v2
Standard_F4s_v2
Standard_DS1_v2
Standard_DS2_v2
Standard_D2s_v3
Standard_D4s_v3

Active-Passive SDN API Version Validation Failure

Trying to deploy A_P SDN and getting the following validation error. Azure support advising this is using the wrong API version.

Should this be updated to "apiVersion": "2021-08-01" from "apiVersion": "2020-04-01"?

"Template validation failed while deploying the Fortigate VMs with the following error. {'code':'InvalidTemplate','message':'Deployment template validation failed: 'The template output reference to 'Microsoft.Network/publicIPAddresses/FW_Pub_IP' requires an API version. Please see https://aka.ms/arm-template for usage details.'.

static route to 172.16.136.65?

Currently the FortiGate single-VM template creates a static route to 172.16.136.65 (which doesn't appear to exist in this scenario). Am I missing something, or does a 172.16.136.65 interface exist somewhere?

Current relevant config from the deployed VM:

config system interface
    edit "port1"
        set vdom "root"
        set ip 172.16.136.4 255.255.255.192
        set allowaccess ping http ssh
        set type physical
        set description "external"
        set snmp-index 1
    next
    edit "port2"
        set vdom "root"
        set ip 172.16.136.68 255.255.255.192
        set allowaccess ping http ssh
        set type physical
        set description "internal"
        set snmp-index 2
    next
end
config router static
    edit 1
        set gateway 172.16.136.1
        set device "port1"
    next
    edit 2
        set dst 172.16.136.0 255.255.252.0
        set gateway 172.16.136.65
        set device "port2"
    next
end
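Added check, not from the issue or the repository: Azure reserves the first usable address of every subnet as that subnet's default gateway, so an interface with 172.16.136.68/26 sits in 172.16.136.64/26 and its next hop is 172.16.136.65 even though no VM owns that address. The snippet parses the quoted config and verifies each static route's gateway against the device's subnet; the same rule accounts for the 172.17.240.241 gateway in the 172.17.240.240/28 subnet asked about further down the page. The config text is a constructed copy of the relevant lines above.

```python
import ipaddress

# Constructed sample: the interface and static-route lines from the quoted
# single-VM deployment (same addresses as the config in the issue).
FGT_CONFIG = """
config system interface
    edit "port1"
        set ip 172.16.136.4 255.255.255.192
    next
    edit "port2"
        set ip 172.16.136.68 255.255.255.192
    next
end
config router static
    edit 1
        set gateway 172.16.136.1
        set device "port1"
    next
    edit 2
        set dst 172.16.136.0 255.255.252.0
        set gateway 172.16.136.65
        set device "port2"
    next
end
"""


def parse_fortios(text):
    """Return ({iface_name: IPv4Interface}, [route dicts]) from a FortiOS dump.

    Minimal parser: tracks the current 'config' table and 'edit' entry and
    collects 'set' lines. Nested tables are not needed for this check.
    """
    interfaces, routes = {}, []
    table = entry = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("config "):
            table, entry = line[7:], None
        elif line.startswith("edit "):
            entry = {"name": line[5:].strip('"')}
        elif line.startswith("set ") and entry is not None:
            key, _, value = line[4:].partition(" ")
            entry[key] = value.strip('"')
        elif line == "next" and entry is not None:
            if table == "system interface" and "ip" in entry:
                addr, mask = entry["ip"].split()  # FortiOS writes "ip mask"
                interfaces[entry["name"]] = ipaddress.IPv4Interface(f"{addr}/{mask}")
            elif table == "router static":
                routes.append(entry)
            entry = None
    return interfaces, routes


def azure_subnet_gateway(iface):
    """Azure's reserved default gateway: the first usable address of the subnet."""
    return iface.network.network_address + 1


def check_static_routes(text):
    """For each static route, report whether the gateway lies on the device's
    subnet and whether it is Azure's reserved gateway for that subnet."""
    interfaces, routes = parse_fortios(text)
    report = {}
    for route in routes:
        iface = interfaces[route["device"]]
        gw = ipaddress.IPv4Address(route["gateway"])
        report[route["name"]] = {
            "device": route["device"],
            "on_subnet": gw in iface.network,
            "is_azure_gateway": gw == azure_subnet_gateway(iface),
        }
    return report


if __name__ == "__main__":
    for name, result in check_static_routes(FGT_CONFIG).items():
        print(f"route {name}: {result}")
```

A route whose gateway is off the device's subnet (for example a copied gateway from another subnet) shows up as on_subnet False, which is the first thing to check when a next hop "does not exist".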

AzureApplicationGateway

Hi

I am trying to deploy Scenario 1, but I am getting the below error. Any help to resolve this would be greatly appreciated.

"There was an error downloading the template from URI 'https://raw.githubusercontent.com/40net-cloud/fortinet-azure-solutions/main/FortiGate/Active-Passive-APPGW/scenario1/azuredeploy.json'. Ensure that the template is publicly accessible and that the publisher has enabled CORS policy on the endpoint. To deploy this template, download the template manually and paste the contents in the 'Build your own template in the editor' option below."

https://github.com/jvhoof/fortinet-azure-solutions/tree/main/FortiGate/AzureApplicationGateway

No internet access for non-Microsoft IPs

I have an issue where my VMs in any of the default spokes with default configuration cannot reach the internet.

Checking the firewall logs I can see SENT traffic but 0 bytes received on the same session.

To add also that any traffic (HTTPS/HTTP/NTP etc.) that is going over the same policy but to Azure or Microsoft IPs has traffic flowing both sent and received in the same session.

My routes are good but I feel like I missed something during deployment.

VPN connection with on-premises in active/passive HA setup

Hi,

We have successfully created several HA setups in active/passive mode thanks to your work.

We are currently struggling with some VPN setup. We would like to use the FortiGate instances to hold VPN connections with on-premises networks.
We would like to have only one tunnel with one peer IP towards Azure that fails over in case of failure of the master member of the FortiGate cluster.
We did not manage to get a successful setup; do you have any clue on this?

Best regards,

Link monitor Best Practice Azure

We recently had an issue where the heartbeat was lost between both FortiGates; the main reason was a VNet network update within the Microsoft backend during which one machine had a total loss of connectivity.

This can happen from time to time, a reason why Microsoft of course only gives an SLA on a zonal VM deployment or availability set deployment.

In our case the SD-WAN was borked and the tunnel needed to be reset, similar to the following issue:
#51

In general I would assume that in order to prevent a split-brain condition between the machines there would be the need for some sort of quorum. However, link monitor can't be used for that purpose, since Microsoft has no single service that answers to ICMP and is highly available.

However, a Storage Account could be used (similar to the Windows Failover Cluster Cloud Witness) in order to achieve quorum.
Is there a best practice in this regard for how to solve a split-brain condition, without having the need to deploy a third FortiGate?

(Setup is Active-Passive; a third FortiGate would incur extra license/compute costs, creating an Active-Passive-Passive configuration only in order to achieve quorum.)

Configuration Sync Fails After Rebooting Secondary VM in A/A Deployment

We have deployed A/A FortiGates on Azure and configuration synchronization works fine until the Secondary VM is rebooted. To fix it, we have to disable the auto-scale and re-enable it on the Secondary.

This is really affecting our production and we would like to request Fortinet to provide us with a fix or at least acknowledge the issue and work on the fix.

Active/Passive High Available FortiGate pair with Fabric Connector Failover - Template failure (Azure Marketplace)

Hello,

I am trying to create a new FortiGate from the Azure Marketplace with the Active/Passive High Available FortiGate pair with Fabric Connector Failover configuration.

When using three existing Standard public IPs, Public IP Verification is all good; however on the review screen the following error is occurring:

{"code":"InvalidTemplate","message":"Deployment template validation failed: 'The template output reference to 'Microsoft.Network/publicIPAddresses/pip-fg-cluster-dsi-prd' requires an API version. Please see https://aka.ms/arm-syntax for usage details.'."}

Seems to be related to the same context as the closed issue (#46)

Kind regards,

Secure FortiGate (Active/Passive HA ELB) management externally.

Hi,

I've deployed the active/passive template with 4 NICs on each VM and ELB and ILB.

I want to secure the remote management port (NIC4) externally, using the NSG.
In the template deployment there is only 1 NSG (external) assigned to all the NICs.

I believe there should be a second NSG for the management ports in the templates?


[Question] Internet connectivity for FG instances themselves

Hi @jvhoof !

I'm currently trying to set up an active-passive ELB/ILB FG cluster in our Azure tenant.
Thanks for the work and the procedures & templates provided.

In general, I have some doubts about the routes & outbound connections established from the FG instances themselves:

  • Which interface is used by the FortiGate to access the internet? (to update definitions, licences, Azure SDN fabric connectors...) In the procedures, I couldn't find anything about that (following that document).
  • To establish the IPsec tunnel, we use the external LB public IP address (one of them...). As far as I understood, the IPsec connection is coming from the on-premise firewall? The FG instances in Azure cannot dial up the tunnel? (if yes, which interface is used?)
  • What's the private IP defined as the default gateway on the external interface?... Let me explain:

After the deployment, the two FortiGates have a private IP set as the default gateway on their external NIC (external LB subnet).

Assuming that my external load-balancer subnet is 172.17.240.240/28, the first FortiGate has the IP 172.17.240.245/28, the second has 172.17.240.246/28.

There is a 172.17.240.241/28 IP which has been configured as the default gateway on the WAN interface, and I couldn't find that IP anywhere else in Azure! (not in the external LB config, not in the subnet/vnet configs... ?!).

It looks like that's the implicit private IP carried by the external load balancer. From the two FortiGates, I can't ping that IP; I can't even reach the public IP carried by the external load balancer, because the route to it has that 172.17.240.241 as gateway!

... So, from the FortiGates themselves, it looks like I can't reach the internet, because of that default route.

Here is the NIC 1 (external interface) conf from FG-1 [screenshot];

And its static route table [screenshot];

Trying to outcome [screenshot]:

Do you have any information about that?

Thanks in advance!
Arnaud

A/A with ELB and ILB VPN Site-to-Site

Hi, I have an A/A setup
[https://github.com/fortinet/azure-templates/tree/main/FortiGate/Active-Active-ELB-ILB]
We would like to terminate a site-to-site tunnel on the Fortis.
The tunnel is coming up and session sync is enabled.
But not all sessions successfully pass through ELB > Forti > ILB > Server > ILB > Forti.

I see in the monitoring that on one Forti only traffic is outgoing to the tunnel but not incoming.

If I disable one of the Fortis or the internal interface of one of them, the VPN is working as expected.

Unable to Connect To FortiGates via GUI or FortiManager

We're experiencing an issue when deploying the active/active with ELB and ILB configuration using Terraform as the deployment method.

We can execute the deployment fine but are unable to connect to either FortiGate via the web GUI or FortiManager afterwards. The web GUI just times out and FortiManager just responds with Probe Failure. In both scenarios, we are trying to connect to them from within the internal network (i.e. to the FortiGate IPs on the internal subnet). I have also tried connecting to them using the public IP address with the port suffix (i.e. using the inbound NAT rules of 40030, 40031).

I've deployed this solution (using the same code) within two separate tenants and it works in one (a test sub) but doesn't in the other (customer sub). The only thing that stands out is that the FortiGates (where the issue occurs) are reporting "virtual machine agent status is not ready" but in the working sub I don't receive this error.

So it would seem that the agent hasn't installed/enabled on one set of FortiGates but has on the others, but I cannot see any obvious reason why. The two deployments are almost identical (the only difference is the naming of the subnets).

Any guidance on what may be causing this would be fabulous! Please shout if you require any additional info.

Active-Passive-SDN template fails with errors

Deployment fails with the following error. Tried both Azure & custom templates in GitHub & Marketplace, no good. Azure support couldn't assist further as they advised the template owner must fix the issues with the template. Tried multiple options by allowing the template to create the public IP address & by creating a custom public IP address. Azure support informed us about a similar issue with another customer in June that was due to an obsolete template. Our Fortinet deployment for Accenture projects cannot continue until this problem is fixed.
Have discussed this issue with Ben Russell from Fortinet. Please fix these issues on priority.
{
"code": "InvalidTemplate",
"message": "Deployment template validation failed: 'The template output reference to 'Microsoft.Network/publicIPAddresses/testfortinet' requires an API version. Please see [https://aka.ms/arm-template for usage details.'."
}

Closed connections to secondary window

I have been using the FortiGate/Active-Active-ELB-ILB ARM template to deploy firewall pairs into Azure. I have noticed that once deployed with the auto-scale configuration synchronization applied, the window for the secondary firewall doesn't stay open for very long.
The Idle Timeout will be set to 15 minutes, but sometimes within 30 seconds the connection will close without warning or explanation. The Primary will stay open for as long as the Idle Timeout is set for.

Incomplete configuration after cloud-init in Azure VM

Hi Team,

I am trying to deploy fortigate on azure automatically via Terraform. I leveraged the code from the repository and added my own configuration, fitting my environment. Using a byol-template, it works fine and the system comes up without issues.

# set firewall specific parameters as variables
locals {
  vm_name_prefix = "confgt${var.ENVIRONMENT_SHORT}"
  admin_name     = "fgtadmin"
  publisher      = "fortinet"
  offer          = "fortinet_fortigate-vm_v5"

  sku_byol = "fortinet_fg-vm"
  sku_payg = "fortinet_fg-vm_payg_20190624"
  version  = "7.0.0"
}

resource "azurerm_virtual_machine" "Connectivity_VM_FGT1" {
  name                = "${local.vm_name_prefix}001"
  resource_group_name = azurerm_resource_group.Connectivity_RG.name
  location            = azurerm_resource_group.Connectivity_RG.location
  network_interface_ids = [
    azurerm_network_interface.Connectivity_NIC_Port1_FGT1.id,
    azurerm_network_interface.Connectivity_NIC_Port2_FGT1.id,
    azurerm_network_interface.Connectivity_NIC_Port3_FGT1.id,
  ]
  primary_network_interface_id = azurerm_network_interface.Connectivity_NIC_Port1_FGT1.id
  vm_size                      = "Standard_F4s"
  availability_set_id          = azurerm_availability_set.Connectivity-AVAIL.id

  storage_image_reference {
    publisher = local.publisher
    offer     = local.offer
    sku       = var.LICENSE_TYPE == "byol" ? local.sku_byol : local.sku_payg
    version   = local.version
  }

  plan {
    name      = var.LICENSE_TYPE == "byol" ? local.sku_byol : local.sku_payg
    publisher = local.publisher
    product   = local.offer
  }

  storage_os_disk {
    name              = "osdisk-${local.vm_name_prefix}001"
    caching           = "ReadWrite"
    managed_disk_type = "StandardSSD_LRS"
    create_option     = "FromImage"
  }

  storage_data_disk {
    name              = "datadisk-${local.vm_name_prefix}001"
    managed_disk_type = "StandardSSD_LRS"
    create_option     = "Empty"
    lun               = 0
    disk_size_gb      = "30"
  }

  os_profile {
    computer_name  = "${local.vm_name_prefix}001" 
    admin_username = local.admin_name
    admin_password = data.azurerm_key_vault_secret.Connectivity_KVS_FGTSecret.value
    #custom_data = base64encode(data.azurerm_key_vault_secret.Connectivity_KVS_FGTLicense.value)
    custom_data    = data.template_file.Connectivity_TEMPLATE_CONF_FGT1.rendered
  }

  os_profile_linux_config {
    disable_password_authentication = false
  }

  boot_diagnostics {
    enabled     = true
    storage_uri = azurerm_storage_account.Connectivity_ST.primary_blob_endpoint
  }
}

However, for the testing environment I try to bring the same setup online, but using a PAYG template. Unfortunately I am facing a strange issue. When bringing up the VM, it comes up with an incomplete configuration. Analysing the logs, it looked like cloud-init is executing the script twice, so that the second execution overlaps the initial one:

Fortigate1 # diagnose debug cloudinit show
 >> Checking metadata source azure
 >> Azure waiting for customdata file
 >> Azure waiting for customdata file
 >> Azure waiting for customdata file
 >> Azure customdata file found
 >> Azure cloudinit decrypt successfully
 >> MIME parsed config script
 >> Azure customdata processed successfully
 >> Run config script
 >> Finish running script
 >> confgttst001 $  config system probe-response
 >> confgttst001 (probe-response) $  set http-probe-value OK
 >> confgttst001 (probe-response) $  set mode http-probe
 >> confgttst001 (probe-response) $  end
 >> confgttst001 $  config system global
 >> confgttst001 (global) $  set admintimeout 15
 >> confgttst001 (global) $  set alias "Fortigate1"
 >> confgttst001 (global) $  set allow-traffic-redirect disable
[...]
 >> Fortigate1 (filters) $  edit 7
 >> Fortigate1 (7) $  set category 59
 >> Fortigate1 (7) $  set action block
 >> Fortigate1 (7) $  next
 >> Fortigate1 (filters) $  edit 8
 >> Fortigate1 (8) $  sconfig system interface   <-- here it seems like it is overlapping, since it starts set action, but also starts config
 >> Unknown action 0
 >> Fortigate1 (8) $  edit port1
 >> Unknown action 0
 >> Fortigate1 (8) $  set alias Public
 >> command parse error before 'alias'
 >> Command fail. Return code -61
 >> Fortigate1 (8) $  set mode dhcp
 >> command parse error before 'mode'

What could cause this behavior? Is this expected (e.g. since the config is too long) or is there a workaround?

Many thanks for the support!

Best regards
Martin
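The BYOL license question at the top of the page and this cloud-init trace ("Azure customdata file found", "MIME parsed config script") concern the same mechanism: Azure custom_data carries one MIME multipart document whose parts the FortiGate unpacks at first boot, so the license and the bootstrap config travel together rather than one replacing the other (compare the commented-out license-only custom_data in the Terraform above). Added example, not code from the repository or from either reporter: it builds such a document and parses it back. The part filenames "config" and "license", the exact MIME headers and the sample license body are assumptions.

```python
import base64
from email import message_from_string
from email.mime.multipart import MIMEMultipart
from email.mime.text import MIMEText

# Constructed sample parts (not a real license). The filenames "config" and
# "license" are an assumption about what the FortiGate cloud-init handler
# looks for; check the repository's own customdata for the authoritative layout.
SAMPLE_CONFIG = """config system global
    set alias "Fortigate1"
    set admintimeout 15
end
"""
SAMPLE_LICENSE = """-----BEGIN FGT VM LICENSE-----
PLACEHOLDER-LICENSE-BODY
-----END FGT VM LICENSE-----
"""


def build_customdata(config_script, license_text=None):
    """Return the base64 string to hand to Azure as custom_data.

    Each part becomes a text/plain attachment of one multipart/mixed document,
    so a BYOL license and a bootstrap config are delivered in a single blob.
    """
    document = MIMEMultipart("mixed")
    parts = [("config", config_script)]
    if license_text is not None:
        parts.append(("license", license_text))
    for filename, body in parts:
        # us-ascii keeps the part 7bit; FortiOS CLI scripts are plain ASCII anyway
        part = MIMEText(body, "plain", "us-ascii")
        part.add_header("Content-Disposition", "attachment", filename=filename)
        document.attach(part)
    return base64.b64encode(document.as_bytes()).decode("ascii")


def parse_customdata(custom_data_b64):
    """Decode custom_data and return {filename: text} for every attached part.

    This is the receiving side of the exchange: attachments without a
    filename are ignored, and nothing is executed here.
    """
    document = message_from_string(base64.b64decode(custom_data_b64).decode("ascii"))
    parts = {}
    for part in document.walk():
        filename = part.get_filename()
        if filename:
            parts[filename] = part.get_payload(decode=True).decode("ascii")
    return parts


if __name__ == "__main__":
    blob = build_customdata(SAMPLE_CONFIG, SAMPLE_LICENSE)
    for name, text in parse_customdata(blob).items():
        print(f"--- {name} ({len(text)} bytes) ---")
        print(text)
```

The returned base64 string is what a Terraform `custom_data` attribute (or an ARM `customData` property) would carry; the parser lets you confirm offline that both parts survive the round trip before booting a VM with it.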

invalid license - please allow evaluation license

I've spent the past couple days [unsuccessfully] trying to get an FGT VM working in azure for evaluation.

Can I request that there be an evaluation license option for these Azure templates? As the eval license only allows 1 CPU and 1 GB RAM and no HTTPS, it would have to be used with a B1s VM and the external interface set to allow HTTP.

Currently I can "deploy to azure", then change the VM size to B1s, and the appliance boots but the console says invalid license as 'Vcpu exceed 0'.

It would make things so much easier for those working with an Azure visual studio subscription or trial azure subscription... those subscriptions don't allow the azure credit to be used on non-ms services from the marketplace. Making these templates eval license compatible would also be a great resource for those studying for NSE exams.

Each VM is being deployed in AZ 2

Hello,

Deployed the template and both VMs show as being in AZ 2; the template says A will be deployed in AZ 1 and B will be deployed in AZ 2.

Am I missing something?

Thanks,
Neil

traffic stopped into ipsec vpn tunnel during failover

During testing of the HA failover between 2x FortiGates, shutting down the active FG, we found the IPsec VPN tunnel for the secondary is up but carries no traffic; we must re-establish the IPsec tunnel manually for traffic to work again.

For the time being we are still facing an issue in the network landing zone: when we try to fail over to the secondary FortiGate the traffic is not routed automatically and we have to restart the tunnel manually.

Accordingly, we are going to investigate the FortiGate as well as the external load balancer configurations to be able to detect the root cause of the issue.

Please keep us updated if you have any news regarding the above mentioned issue, Thanks.

Internet out from the Fortigate

I deployed this from the active/active design and all I have done is license and sign in, and I have no access from the CLI to ping 8.8.8.8. Am I missing something else I need to configure on the external load balancer?

Thanks

Unable to access firewall through Public management IPs - Azure Active -Passive Ha deployment with ELB and ILB

Hi,

I have deployed the FortiGate VMs in active/passive HA configuration with load balancers using the template provided in this git repo. After the deployment I can access the firewalls from a jump server using the private management IPs on NIC4 of each firewall. But the public IPs associated with NIC4 on both firewalls are not reachable. Could you please help me with the troubleshooting steps?

Thanks,
Jerald

Can't Deploy the Active Passive SDN

ComputeResourceZoneConstraintDoesNotMatchPublicIPAddressZoneConstraint

-FGT-A has a zone constraint 1 but the PublicIPAddress FGTAPClusterPublicIP used by the compute resource via NetworkInterface or LoadBalancer has a different zone constraint Regional.",

'Microsoft.Template' is not valid

Hi All,

I faced the below Error-01, which seems to be VM (Standard_F4) unavailability in US North Central. Then I checked the availability of DS3_v2 and tried to change the instance type to "DS3_v2" and "Standard_DS3_v2", and I got the error (Error-02) pasted in the last section of this page.

Kindly assist, if possible..

Error-01:

{"telemetryId":"5a7caecf-ff2e-4a59-b4c7-cca981674c70","bladeInstanceId":"Blade_50ef9c8683b64730985998e7c95db548_0_0","galleryItemId":"Microsoft.Template","createBlade":"DeployToAzure","code":"MultipleErrorsOccurred","message":"Multiple error occurred: BadRequest,BadRequest. Please see details.","details":[{"code":"InvalidTemplateDeployment","message":"The template deployment failed with error: 'The resource with id: '/subscriptions/efbc14f0-5afe-4e56-92db-6b2fe58a43a4/resourceGroups/RGRP_AZ_LCL_USNC_CORE/providers/Microsoft.Compute/virtualMachines/fw_az_lcl_usnc_prod_01-A' failed validation with message: 'The requested size for resource '/subscriptions/efbc14f0-5afe-4e56-92db-6b2fe58a43a4/resourceGroups/RGRP_AZ_LCL_USNC_CORE/providers/Microsoft.Compute/virtualMachines/fw_az_lcl_usnc_prod_01-A' is currently not available in location 'North Central US' zones '' for subscription 'efbc14f0-5afe-4e56-92db-6b2fe58a43a4'. Please try another size or deploy to a different location or zones. See https://aka.ms/azureskunotavailable for details.'.'."},{"code":"InvalidTemplateDeployment","message":"The template deployment failed with error: 'The resource with id: '/subscriptions/efbc14f0-5afe-4e56-92db-6b2fe58a43a4/resourceGroups/RGRP_AZ_LCL_USNC_CORE/providers/Microsoft.Compute/virtualMachines/fw_az_lcl_usnc_prod_01-B' failed validation with message: 'The requested size for resource '/subscriptions/efbc14f0-5afe-4e56-92db-6b2fe58a43a4/resourceGroups/RGRP_AZ_LCL_USNC_CORE/providers/Microsoft.Compute/virtualMachines/fw_az_lcl_usnc_prod_01-B' is currently not available in location 'North Central US' zones '' for subscription 'efbc14f0-5afe-4e56-92db-6b2fe58a43a4'. Please try another size or deploy to a different location or zones. See https://aka.ms/azureskunotavailable for details.'.'."}]}


Error-02:

Deployment validation failed.
Additional details from the underlying API that might be helpful: The template deployment 'Microsoft.Template' is not valid according to the validation procedure. The tracking id is '29f7560a-2973-419c-9525-1687acfaa56a'. See inner errors for details.


Load Balancer doesn't use Zone Redundancy when you set the machines to Zone Redundancy

Hey,

When you deploy any of the templates that support putting the Virtual Machines in Availability zones, the standard load balancer that is deployed with it is deployed into "No Zone" which kind of makes the whole purpose of Zonal redundancy pointless.

Could you add the Zones into the front-end configuration of the load balancers the same way you do for the virtual machines?

Deployment Issue

I have an issue deploying a FortiGate NVA in Azure.
I attempted to deploy the NVA for Azure Virtual WAN Secured by Fortinet FortiGate.
The deployment went through OK, but the managed application now shows the following message:
"The application failed to provision. Contact application support for more information"

If I try and delete the managed application to then attempt to redeploy I get the following message:

Failed to delete managed application
Failed to delete managed application 'fgngfw01'. Error: Deletion of resource group
'mrg-fortigate_vwan_nva-XXXXXXXXXXXX' failed as resources with identifiers
'Microsoft.Network/networkVirtualAppliances/fgngfw-XXXXXXX-XXXXXXX' could not be deleted.
The provisioning state of the resource group will be rolled back. The tracking Id is
'xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx'. Please check audit logs for more details.

Has anyone come across this before or know how to resolve it?

I contacted Fortinet TAC and they said they don't support deployments.
I also have an open case with Microsoft in case it is platform related.

Validation Error - Fortigate/Active-Passive-SDN Package

Receiving error during template deployment.

"message": "Deployment template validation failed: 'The value for the template paramater 'fortiGateNamePrefix' at line '17' and column '28' is not provided. Please see htpps...... for usage details

Unable to deploy due to this error and change has been submitted to modify the validation UI, please review and approve.

Deploying template : networkInterface xxxxx was not found

Receiving errors when deploying this template.
The error details say that the networkInterfaces was not found: "Please make sure that the referenced resource exists".
Not sure why I get this error since I would expect the template to roll it out.
{"code":"DeploymentFailed","message":"At least one resource deployment operation failed. Please list deployment operations for details. Please see https://aka.ms/DeployOperations for usage details.","details":[{"code":"InvalidResourceReference","message":"Resource /subscriptions/81bfabXX53fd6b/resourceGroups/rg_twin_fortigate/providers/Microsoft.Network/virtualNetworks/vn_twin_01/subnets/ManagementSubnet referenced by resource /subscriptions/81bXfd6b/resourceGroups/rg_twin_fortigate/providers/Microsoft.Network/networkInterfaces/twinpfw--FGT-B-Nic4 was not found. Please make sure that the referenced resource exists, and that both resources are in the same region."},

etc etc

Rolling out the custom deployment by using
Fortigate Name Prefix: twinpfw-

Template Validation Failed. ApiVersion property is invalid

Appears that API template version is incorrect on Active-Active ELB-ILB. Please see error below:

Deployment template validation failed: 'The template resource 'xxx-fortinetdeployment-xxx' at line '553' and column '5' is invalid. 'ApiVersion' property is invalid. The supported versions are '2024-03-01,2023-07-01,2023-07-01-preview,2023-03-01-preview,2022-12-01,2022-11-01-preview,2022-09-01,2022-06-01,2022-05-01,2022-03-01-preview,2022-01-01,2021-04-01,2021-01-01,2020-10-01,2020-09-01,2020-08-01,2020-07-01,2020-06-01,2020-05-01,2020-01-01,2019-11-01,2019-10-01,2019-09-01,2019-08-01,2019-07-01,2019-06-01,2019-05-10,2019-05-01,2019-03-01,2018-11-01,2018-09-01,2018-08-01,2018-07-01,2018-06-01,2018-05-01,2018-02-01,2018-01-01,2017-12-01,2017-08-01,2017-06-01,2017-05-10,2017-05-01,2017-03-01,2016-09-01,2016-07-01,2016-06-01,2016-02-01,2015-11-01,2015-01-01,2014-04-01-preview,2014-04-01,2014-01-01,2013-03-01,2014-02-26,2014-04'. Please see https://aka.ms/arm-syntax-resources for usage details.'. (Code: InvalidTemplate)

Change in template throwing errors on deployment.

Deployment attempts fail with this error - The template output reference to "" requires an API version when using with an already existing PublicIP in the same resource group.

If you choose to deploy the template using new PIPs for the 3 instead of existing, and you select "BASIC" for all 3, PIP3 always deploys with the SKU type set to Standard, thereby causing the deployment to fail due to incompatible configurations of IPs as the Cluster PIP SKU would be basic and the FGT-B mgmt PIP SKU would be Standard.

I have successfully deployed this template in the past, but since the last commit it is failing.

Disable VNET selection based on address range when deploying FortiGate

Hi.
I was trying to install FortiGate from the Azure marketplace and found something strange.

If the VNET address space is prefix /25-/32, VNET selection is disabled.
And prefix /28-/32 doesn't appear in the selection list either.
Please refer to the picture. [screenshots]

I want to use a VNET address range of prefix /26.

Please let me know why VNET selection is disabled.
Also, I wonder if it is Azure or Fortinet restrictions.

I look forward to hearing from you.
Have a nice day

IP-Pool name synced in HA-Cluster and breaking recommended setup in Azure

I followed the implementation of: https://github.com/fortinet/azure-templates/blob/main/FortiGate/Active-Passive-ELB-ILB/doc/config-outbound-nat-considerations.md

However, as soon as the IP pool is configured on the primary FortiGate, it's synced to the failover system. As a consequence, it is not possible to create an IP pool with the same name but a different IP on the failover system. The failover is therefore effectively not working.

UDR route not applied when selecting existing vnet

UDR is only applied when the VNET is created as part of the deployment due to the condition statement "condition": "[equals(parameters('vnetNewOrExisting'), 'new')]" - when selecting existing vnet created earlier, the UDR is never associated to the subnet. Any chance to correct via additional logic please?

Deployment of NIC fails

Hi all,

When deploying the mainTemplate.json there are no NICs created, though the VNET has been created successfully.
Region is Central US or East, no difference.

Can anyone give some advice? Thank you!

{"code":"InvalidResourceReference","message":"Resource /subscriptions/39cfd568-df05-4a1d-90d1-f9608c9edd0f/resourceGroups//providers/Microsoft.Network/virtualNetworks/fgtlab/subnets/HASyncSubnet referenced by resource /subscriptions/39cfd568-df05-4a1d-90d1-f9608c9edd0f/resourceGroups/fgthaap2/providers/Microsoft.Network/networkInterfaces/fgt-A-Nic3 was not found. Please make sure that the referenced resource exists, and that both resources are in the same region.","details":[]}


Can we add the availability set option?

Hi

I notice the option to add a VM to an availability set is gone. Can we add it back?

I have a single VM that currently belongs to an availability set and I'd like to add a second VM to the same availability set but the template does not have an option for it.

Failover for VIP

In single FG deployments within Azure, we create an additional ipconfig on the external interface and associate that with a public IP resource. Then on the FG, we have a NAT that ties that external subnet IP to the actual IP of the server. When we failover from one FG to the other, how do we get that ipconfig to move from FG-A's vNIC to FG-B's vNIC? We tested that the public IP detaches from the A vNIC and re-attaches to the B vNIC with no problem. However, the public IP resource for this NAT external IP is still only attached to the vNIC on FG-A.
