FortiGate-6000 Release Notes

Standalone configuration synchronization

FortiGate-6000 and 7000 for FortiOS 6.0.6 support configuration synchronization (also called standalone configuration synchronization) for two FortiGate-6000s or two FortiGate-7000s. Configuration synchronization means that most configuration changes made to one of the FortiGate-6000s or 7000s are automatically synchronized to the other one.

Use the following command on both FortiGates to enable configuration synchronization:

config system ha
    set standalone-config-sync enable
end

In addition to enabling configuration synchronization, you must set up HA heartbeat connections between the FortiGate-6000s or 7000s. One HA heartbeat connection is required; two are recommended. Use the following command to enable heartbeat configuration for the FortiGate-6000 HA1 and HA2 interfaces. The FortiGate-7000 configuration would include the 1-M1, 1-M2, 2-M1, and 2-M2 interfaces.

config system ha
    set hbdev ha1 50 ha2 50
end

When you enable configuration synchronization and configure and connect the heartbeat devices, the FGCP primary unit selection criteria select a config sync primary (or master) FortiGate. Normally, the FortiGate with the highest serial number becomes the config sync primary and the other FortiGate becomes the config sync backup.

All configuration changes that you make to the primary are synchronized to the backup. To avoid synchronization problems, Fortinet recommends making all configuration changes to the primary.

Selecting the config sync primary

You can use device priority to select one of the FortiGates to become the config sync primary. For example, the following command enables configuration synchronization and sets a higher device priority than the default of 128 to make sure that this FortiGate becomes the primary.

config system ha
    set standalone-config-sync enable
    set priority 250
end

Settings that are not synchronized

Configuration synchronization does not synchronize settings that identify the FortiGate to the network. The following settings are not synchronized:

  • Transparent mode management IPv4 and IPv6 IP addresses and default gateways.
  • All config system cluster-sync settings.
  • All config system interface settings except vdom, vlanid, type and interface.
  • All config firewall sniffer settings.
  • All router BFD and BFD6 settings.
  • The following BGP settings: as, router-id, aggregate-address, aggregate-address6, neighbor-group, neighbor, network, and network6.
  • The following OSPF settings: router-id, area, ospf-interface, network, neighbor, and summary-address.
  • The following OSPF6 settings: router-id, area, and ospf6-interface.
  • All RIP settings.
  • All policy routing settings.
  • All static routing settings.
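
The list above is exactly what a drift check between the two units has to ignore. As an added example (not from Fortinet's documentation), this Python script flattens two config backups and reports only the differences in settings that should have been synchronized. The CLI section names, including the config system settings keys used for the transparent mode management addresses, are an assumed mapping of the list, and the backups are assumed to be non-VDOM.

```python
# Added example, not Fortinet code. CLI section names are an assumed mapping
# of the page's "not synchronized" list; input is a non-VDOM config backup.
NEVER_SYNCED = {"system cluster-sync", "firewall sniffer", "router bfd",
                "router bfd6", "router rip", "router policy", "router static"}
PARTLY_EXCLUDED = {  # settings and sub-tables that stay local to each unit
    "system settings": {"manageip", "manageip6", "gateway", "gateway6"},
    "router bgp": {"as", "router-id", "aggregate-address", "aggregate-address6",
                   "neighbor-group", "neighbor", "network", "network6"},
    "router ospf": {"router-id", "area", "ospf-interface", "network",
                    "neighbor", "summary-address"},
    "router ospf6": {"router-id", "area", "ospf6-interface"},
}
INTERFACE_SYNCED = {"vdom", "vlanid", "type", "interface"}

def parse(text):
    """Flatten a config into {(section, edit ids..., setting): value}."""
    stack, flat = [], {}
    for line in text.splitlines():
        word, _, rest = line.strip().partition(" ")
        if word in ("config", "edit"):
            stack.append(rest.strip('"'))
        elif word in ("end", "next") and stack:
            stack.pop()
        elif word == "set" and stack:
            key, _, value = rest.partition(" ")
            flat[tuple(stack) + (key,)] = value
    return flat

def is_synced(path):
    if path[0] in NEVER_SYNCED:
        return False
    if path[0] == "system interface":  # only four interface settings are synced
        return path[-1] in INTERFACE_SYNCED
    return path[1] not in PARTLY_EXCLUDED.get(path[0], ())

def drift(primary_text, backup_text):
    """Sorted paths whose synchronized values differ between the two units."""
    a, b = parse(primary_text), parse(backup_text)
    return sorted(p for p in a.keys() | b.keys()
                  if is_synced(p) and a.get(p) != b.get(p))

# Constructed sample backups: the backup differs in four settings.
PRIMARY = ('config system interface\nedit "port1"\nset vdom "root"\n'
           'set ip 192.0.2.1 255.255.255.0\nnext\nend\n'
           'config router bgp\nset as 65001\nset ebgp-multipath enable\nend\n'
           'config firewall policy\nedit 1\nset action accept\nnext\nend\n')
BACKUP = (PRIMARY.replace("192.0.2.1", "192.0.2.2").replace("65001", "65002")
          .replace("enable", "disable").replace("accept", "deny"))
print(*(" / ".join(p) for p in drift(PRIMARY, BACKUP)), sep="\n")
```

Of the four differences in the sample, the interface IP and BGP AS are expected to be local to each unit; only the firewall policy action and the BGP ebgp-multipath setting are reported.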

Limitations

When configuration synchronization is enabled, there are some limitations, including but not limited to the following:

  • Configuration synchronization does not support graceful HA firmware upgrades. If you upgrade the firmware of the config sync primary, the backup also upgrades at the same time, disrupting network traffic. You can avoid traffic interruptions by disabling configuration synchronization and upgrading the firmware of each FortiGate separately.
  • The configuration settings that are synchronized might not match your requirements. The current design and implementation of configuration synchronization is based on requirements from specific customers and might not work for your implementation.
  • It can be difficult to control which FortiGate-6000 becomes the config sync primary, and the config sync primary can dynamically change without notice. This could result in accidentally changing the configuration of the backup or overwriting the configuration of the intended primary.
