Fortinet black logo

FortiGate-6000 Handbook

FortiGate-6000 FGSP HA

FortiGate-6000 FGSP HA

FortiGate-6000 supports the FortiGate Session Life Support Protocol (FGSP) (also called standalone session sync) HA to synchronize sessions among up to four FortiGate-6000s. All of the FortiGate-6000s in the FGSP cluster must be the same model and running the same firmware. All of the devices in an FGSP cluster must have their own network configuration (interface IPs, routing, and so on). FGSP synchronizes individual VDOM sessions. All of the devices in an FGSP cluster must include the VDOMs to be synchronized and for each device the VDOMs must have the same firewall configuration.

For details about FGSP for FortiOS 6.0, see: FortiOS 6.0 Handbook: FGSP.

FortiGate-6000 FGSP support has the following limitations:

  • Configuration synchronization is currently not supported, you must configure all of the devices in the FGSP cluster separately or use FortiManager to keep key parts of the configuration, such as security policies, synchronized on the devices in the FGSP cluster.
  • FortiGate-6000 FGSP can use the HA1 and HA2 interfaces for session synchronization. Using multiple interfaces is recommended for redundancy. To use these interfaces for FGSP, you must give them IP addresses and optionally set up routing for them. Ideally the session synchronization interfaces of each device in the FGSP cluster would be on the same network and that network would only be used for session synchronization traffic. However, you can configure routing to send session synchronization traffic between networks. NAT between session synchronization interfaces is not supported.
  • Multiple VDOMs can be synchronized over the same session synchronization interface. You can also distribute synchronization traffic to multiple interfaces.
  • FortiGate-6000 FGSP doesn't support setting up IPv6 session filters using the config session-sync-filter option.
  • FGSP doesn't synchronize ICMP sessions when ICMP load balancing is set to to-master. If you want to synchronize ICMP sessions, set ICMP load balancing to either src-ip, dst-ip, or src-dst-ip. See ICMP load balancing for more information.
  • Asymmetric IPv6 SCTP traffic sessions are not supported. These sessions are dropped.
  • Inter-cluster session synchronization, or FGSP between FGCP clusters, is not supported.
  • FGSP IPsec tunnel synchronization is not supported.
  • Fragmented packet synchronization is not supported.

FGSP session synchronization options

FortiGate-6000 FGSP supports the following HA session synchronization options:

config system ha

set session-pickup {disable | enable}

set session-pickup-connectionless {disable | enable}

set session-pickup-expectation {disable | enable}

set session-pickup-nat {disable | enable}

set session-pickup-delay {disable | enable}

end

Some notes:

  • The session-pickup-expectation and session-pickup-nat options only apply to FGSP HA. FGCP HA synchronizes NAT sessions when you enable session-pickup.
  • The session-pickup-delay option applies to TCP sessions only and does not apply to connectionless and SCTP sessions.
  • The session-pickup-delay option should not be used in FGSP topologies where the traffic can take an asymmetric path (forward and reverse traffic going through different FortiGates).

Enabling session synchronization

Enable session-pickup to synchronize sessions between the FortiGate-6000s in an FGSP cluster. Turning on session synchronization for TCP and SCTP sessions by enabling session-pickup also turns on session synchronization for connectionless protocol sessions, such as ICMP and UDP, by enabling session-pickup-connectionless. If you don't want to synchronize connectionless sessions, you can manually disable session-pickup-connectionless.

Synchronizing expectation sessions

Enable session-pickup-expectation to synchronize expectation sessions. FortiOS session helpers keep track of the communication of Layer-7 protocols such as FTP and SIP that have control sessions and expectation sessions. Usually the control sessions establish the link between server and client and negotiate the ports and protocols that will be used for data communications. The session helpers then create expectation sessions through the FortiGate for the ports and protocols negotiated by the control session.

The expectation sessions are usually the sessions that actually communicate data. For FTP, the expectation sessions transmit files being uploaded or downloaded. For SIP, the expectation sessions transmit voice and video data. Expectation sessions usually have a timeout value of 30 seconds. If the communication from the server is not initiated within 30 seconds the expectation session times out and traffic will be denied.

Synchronizing NAT sessions

Enable session-pickup-nat to synchronize NAT sessions in an FGSP cluster.

Synchronizing sessions older than 30 seconds

Enable session-pickup-delay to synchronize TCP sessions only if they remain active for more than 30 seconds. This option improves performance when session-pickup is enabled by reducing the number of TCP sessions that are synchronized. This option does not affect SCTP or connectionless sessions.

Example FortiGate-6000 FGSP configuration

This example shows how to configure an FGSP cluster to synchronize root VDOM sessions between two FortiGate-6301Fs. The example uses the HA1 interfaces of each FortiGate-6301F for session synchronization. The HA1 interfaces are connected to the 172.25.177.0/24 network.

Because configuration synchronization is not supported for FGSP you must set up both FortiGate-6000s with the same configuration, including the same VDOMs (although in this example, the root VDOM is synchronized) and the root VDOM must have the same firewall policies. The two FortiGate-6301Fs must have their own IP addresses and their own networking configuration. In addition, you can give the FortiGate-6301Fs different host names to make them easier to identify.

Example FortiGate-6000 FGSP configuration

  1. Configure the routers or load balancers to send all sessions to peer_1.

  2. Configure the routers or load balancers to send all traffic to peer_2 if peer_1 fails.

  3. Give each FortiGate-6301F a different host name (in this case peer_1 and peer_2).
  4. Configure network settings for each FortiGate-6301F to allow them to connect to their networks and route traffic.
  5. Configure the root VDOM on each FortiGate-6301F with the same firewall policies.
  6. Configure the HA1 interface of the peer_1 FortiGate-6301F with an IP address on the 172.25.177.0/24 network:

    config system interface

    edit ha1

    set ip 172.25.177.10 255.255.255.0

    end

  7. Configure the HA1 interface of the peer_2 FortiGate-6301F with an IP address on the 172.25.177.0/24 network:

    config system interface

    edit ha1

    set ip 172.25.177.20 255.255.255.0

    end

  8. On the peer_1 FortiGate-6301F, configure session synchronization for the root VDOM.

    config system cluster-sync

    edit 0

    set peervd mgmt-vdom

    set peerip 172.25.177.20

    set syncvd root

    next

    Where, peervd will always be mgmt-vdom, the peerip is the IP address of the HA1 interface of the peer_2 FortiGate-6301F, and syncvd is the VDOM for which to synchronize sessions, in this case the root VDOM.

  9. On the peer_2 FortiGate-6301F, configure session synchronization for the root VDOM.

    config system cluster-sync

    edit 0

    set peervd mgmt-vdom

    set peerip 172.25.177.10

    set syncvd root

    next

    Where, peervd will always be mgmt-vdom, the peerip is the IP address of the HA1 interface of the peer_1 FortiGate-6301F, and syncvd is the VDOM for which to synchronize sessions, in this case the root VDOM.

FortiGate-6000 FGSP HA

FortiGate-6000 supports the FortiGate Session Life Support Protocol (FGSP) (also called standalone session sync) HA to synchronize sessions among up to four FortiGate-6000s. All of the FortiGate-6000s in the FGSP cluster must be the same model and running the same firmware. All of the devices in an FGSP cluster must have their own network configuration (interface IPs, routing, and so on). FGSP synchronizes individual VDOM sessions. All of the devices in an FGSP cluster must include the VDOMs to be synchronized and for each device the VDOMs must have the same firewall configuration.

For details about FGSP for FortiOS 6.0, see: FortiOS 6.0 Handbook: FGSP.

FortiGate-6000 FGSP support has the following limitations:

  • Configuration synchronization is currently not supported, you must configure all of the devices in the FGSP cluster separately or use FortiManager to keep key parts of the configuration, such as security policies, synchronized on the devices in the FGSP cluster.
  • FortiGate-6000 FGSP can use the HA1 and HA2 interfaces for session synchronization. Using multiple interfaces is recommended for redundancy. To use these interfaces for FGSP, you must give them IP addresses and optionally set up routing for them. Ideally the session synchronization interfaces of each device in the FGSP cluster would be on the same network and that network would only be used for session synchronization traffic. However, you can configure routing to send session synchronization traffic between networks. NAT between session synchronization interfaces is not supported.
  • Multiple VDOMs can be synchronized over the same session synchronization interface. You can also distribute synchronization traffic to multiple interfaces.
  • FortiGate-6000 FGSP doesn't support setting up IPv6 session filters using the config session-sync-filter option.
  • FGSP doesn't synchronize ICMP sessions when ICMP load balancing is set to to-master. If you want to synchronize ICMP sessions, set ICMP load balancing to either src-ip, dst-ip, or src-dst-ip. See ICMP load balancing for more information.
  • Asymmetric IPv6 SCTP traffic sessions are not supported. These sessions are dropped.
  • Inter-cluster session synchronization, or FGSP between FGCP clusters, is not supported.
  • FGSP IPsec tunnel synchronization is not supported.
  • Fragmented packet synchronization is not supported.

FGSP session synchronization options

FortiGate-6000 FGSP supports the following HA session synchronization options:

config system ha

set session-pickup {disable | enable}

set session-pickup-connectionless {disable | enable}

set session-pickup-expectation {disable | enable}

set session-pickup-nat {disable | enable}

set session-pickup-delay {disable | enable}

end

Some notes:

  • The session-pickup-expectation and session-pickup-nat options only apply to FGSP HA. FGCP HA synchronizes NAT sessions when you enable session-pickup.
  • The session-pickup-delay option applies to TCP sessions only and does not apply to connectionless and SCTP sessions.
  • The session-pickup-delay option should not be used in FGSP topologies where the traffic can take an asymmetric path (forward and reverse traffic going through different FortiGates).

Enabling session synchronization

Enable session-pickup to synchronize sessions between the FortiGate-6000s in an FGSP cluster. Turning on session synchronization for TCP and SCTP sessions by enabling session-pickup also turns on session synchronization for connectionless protocol sessions, such as ICMP and UDP, by enabling session-pickup-connectionless. If you don't want to synchronize connectionless sessions, you can manually disable session-pickup-connectionless.

Synchronizing expectation sessions

Enable session-pickup-expectation to synchronize expectation sessions. FortiOS session helpers keep track of the communication of Layer-7 protocols such as FTP and SIP that have control sessions and expectation sessions. Usually the control sessions establish the link between server and client and negotiate the ports and protocols that will be used for data communications. The session helpers then create expectation sessions through the FortiGate for the ports and protocols negotiated by the control session.

The expectation sessions are usually the sessions that actually communicate data. For FTP, the expectation sessions transmit files being uploaded or downloaded. For SIP, the expectation sessions transmit voice and video data. Expectation sessions usually have a timeout value of 30 seconds. If the communication from the server is not initiated within 30 seconds the expectation session times out and traffic will be denied.

Synchronizing NAT sessions

Enable session-pickup-nat to synchronize NAT sessions in an FGSP cluster.

Synchronizing sessions older than 30 seconds

Enable session-pickup-delay to synchronize TCP sessions only if they remain active for more than 30 seconds. This option improves performance when session-pickup is enabled by reducing the number of TCP sessions that are synchronized. This option does not affect SCTP or connectionless sessions.

Example FortiGate-6000 FGSP configuration

This example shows how to configure an FGSP cluster to synchronize root VDOM sessions between two FortiGate-6301Fs. The example uses the HA1 interfaces of each FortiGate-6301F for session synchronization. The HA1 interfaces are connected to the 172.25.177.0/24 network.

Because configuration synchronization is not supported for FGSP you must set up both FortiGate-6000s with the same configuration, including the same VDOMs (although in this example, the root VDOM is synchronized) and the root VDOM must have the same firewall policies. The two FortiGate-6301Fs must have their own IP addresses and their own networking configuration. In addition, you can give the FortiGate-6301Fs different host names to make them easier to identify.

Example FortiGate-6000 FGSP configuration

  1. Configure the routers or load balancers to send all sessions to peer_1.

  2. Configure the routers or load balancers to send all traffic to peer_2 if peer_1 fails.

  3. Give each FortiGate-6301F a different host name (in this case peer_1 and peer_2).
  4. Configure network settings for each FortiGate-6301F to allow them to connect to their networks and route traffic.
  5. Configure the root VDOM on each FortiGate-6301F with the same firewall policies.
  6. Configure the HA1 interface of the peer_1 FortiGate-6301F with an IP address on the 172.25.177.0/24 network:

    config system interface

    edit ha1

    set ip 172.25.177.10 255.255.255.0

    end

  7. Configure the HA1 interface of the peer_2 FortiGate-6301F with an IP address on the 172.25.177.0/24 network:

    config system interface

    edit ha1

    set ip 172.25.177.20 255.255.255.0

    end

  8. On the peer_1 FortiGate-6301F, configure session synchronization for the root VDOM.

    config system cluster-sync

    edit 0

    set peervd mgmt-vdom

    set peerip 172.25.177.20

    set syncvd root

    next

    Where, peervd will always be mgmt-vdom, the peerip is the IP address of the HA1 interface of the peer_2 FortiGate-6301F, and syncvd is the VDOM for which to synchronize sessions, in this case the root VDOM.

  9. On the peer_2 FortiGate-6301F, configure session synchronization for the root VDOM.

    config system cluster-sync

    edit 0

    set peervd mgmt-vdom

    set peerip 172.25.177.10

    set syncvd root

    next

    Where, peervd will always be mgmt-vdom, the peerip is the IP address of the HA1 interface of the peer_1 FortiGate-6301F, and syncvd is the VDOM for which to synchronize sessions, in this case the root VDOM.