Fortinet FCP_ZCS_AD-7.4 - FCP - Azure Cloud Security 7.4 Administrator

Since port 80 traffic is reaching the FortiGate (as shown in the sniffer output) but port 22 traffic is not, the issue lies before the FortiGate, at the Azure Load Balancer level. Azure Load Balancers require an Inbound NAT rule to forward specific ports (like SSH on port 22) to a specific backend VM. Creating a new Inbound NAT rule for port 22 will allow SSH traffic to be properly routed to the FortiGate VM.

The first and most direct diagnostic step is to verify the BGP peering status on both the FortiGate VM and Azure Route Server. If BGP peering is not established or is in an idle or down state, route propagation will fail. This check confirms whether the two systems are communicating and exchanging routes as expected.

In an active-active FortiGate cluster deployment in Azure, you must assign the public IP address to an Azure load balancer. This is required because Azure does not support multiple VMs sharing a single public IP directly. The Azure Load Balancer handles inbound traffic and distributes it to the active FortiGate instances.

The debug output shows that the UbuntuServer address object successfully resolved an IP, while the webServer did not. The most likely cause is a mismatch in the dynamic address filter or missing tags on the target VM.

Verify the filter used for the dynamic firewall address – The filter category=windows may not match any VM metadata, resulting in no matched addresses.

Verify the tags on the target VM – Ensure that the VM has the correct tags (e.g., category=windows) that match the dynamic address filter to enable resolution.

Azure Route Server enables dynamic route exchange using BGP between your Azure virtual network and network virtual appliances (NVAs) or on-premises networks. It provides a centralized and scalable solution for route management, allowing seamless integration of routing updates without manual configuration changes.

Azure does not allow you to view an existing client secret’s value after creation for security reasons. If you did not save the client secret when it was first generated, the quickest and only option is to create a new client secret under the existing app registration and use the new value in your FortiGate configuration.

Azure Firewall Premium includes advanced features not available in the Standard tier, such as enhanced URL filtering and web categories, TLS inspection, IDPS (intrusion detection and prevention system), and support for private certificate authorities. These enable more granular and secure traffic inspection and control.

Enhanced protection for application and data in a single Azure region – Availability Zones provide physical separation of infrastructure within a single Azure region, protecting against datacenter-level failures.

Protect applications and data through high availability with fault isolation and redundancy – They offer fault isolation and redundancy, enabling high availability for applications and services by distributing them across multiple zones within the same region.

In a FortiGate active-active HA deployment in Azure, synchronization between instances is achieved using:

FortiGate Clustering Protocol (FGCP) – This is the primary protocol used to synchronize configuration and session information between HA peers.

Heartbeat interfaces – These interfaces are specifically configured to exchange HA state and sync data between the FortiGate VMs, ensuring cluster consistency.