Example FortiGate-6000 inter-cluster session synchronization configuration
This example shows how to configure inter-cluster session synchronization between two FortiGate-6301F FGCP clusters. The configuration synchronizes sessions for the root VDOM and for a VDOM named vdom-1. The mgmt3 session synchronization interfaces of each FortiGate-6301F are connected to the 172.25.177.0/24 network.
The FortiGate-6301F clusters must have their own IP addresses and their own network configurations. The clusters in this example are named cluster1 and cluster2. The FortiGate-6301Fs in cluster1 have host names cluster1-ch1 and cluster1-ch2. The FortiGate-6301Fs in cluster2 have host names cluster2-ch1 and cluster2-ch2.
Configuring inter-cluster session synchronization consists of logging into each cluster, configuring mgmt3 to connect to the 172.25.177.0/24 network, adding a cluster sync instance, and enabling inter-cluster session synchronization. The FGCP synchronizes these settings to the secondary FortiGate-6301Fs in each cluster.
- Configure the routers or load balancers to distribute sessions to the two FortiGate-6301F clusters.
- Change the host names of the FortiGate-6301Fs in the two clusters to cluster1-ch1, cluster1-ch2, cluster2-ch1, and cluster2-ch2.
- Configure VDOMs and network settings for each FortiGate-6301F to allow them to connect to their networks and route traffic.
  The names of the VDOMs and any VLANs and LAGs or other interfaces that you have added must be the same on both clusters, even though network addresses will be different. VLAN IDs can be different in each cluster as long as the names of the VLAN interfaces are the same.
- On cluster1, configure the mgmt3 interface with an IP address on the 172.25.177.0/24 network:
    config system interface
        edit mgmt3
            set ip 172.25.177.10 255.255.255.0
    end
- On cluster1, add a session synchronization instance for the root and vdom-1 VDOMs.
    config system cluster-sync
        edit 1
            set peervd mgmt-vdom
            set peerip 172.25.177.20
            set syncvd root vdom-1
    end
  Where, peervd will always be mgmt-vdom and peerip is the IP address of the mgmt3 interface of cluster2.
  This configuration creates one cluster-sync instance that includes both VDOMs. You could have created a separate cluster-sync instance for each VDOM. If possible, however, avoid creating more than three cluster-sync instances. A fourth cluster-sync instance may experience reduced session synchronization performance.
- On cluster1, enable inter-cluster session synchronization.
    config system ha
        set session-pickup enable
        set inter-cluster-session-sync enable
    end
  Since FGCP HA is already configured on cluster1, all you have to do for inter-cluster session synchronization is to enable session-pickup and inter-cluster-session-sync. The complete HA FGCP and inter-cluster session synchronization configuration for cluster1-ch1 could look like the following:
    config system ha
        set group-id 16
        set group-name "fgsp-fgcp-cluster1"
        set mode a-p
        set password <password>
        set hbdev "ha1" 50 "ha2" 100
        set chassis-id 1
        set session-pickup enable
        set inter-cluster-session-sync enable
    end
- On cluster2, configure the mgmt3 interface with an IP address on the 172.25.177.0/24 network:
    config system interface
        edit mgmt3
            set ip 172.25.177.20 255.255.255.0
    end
- On cluster2, configure session synchronization for the root and vdom-1 VDOMs with the same configuration as cluster1, except that peerip is the IP address of the mgmt3 interface of cluster1.
    config system cluster-sync
        edit 1
            set peervd mgmt-vdom
            set peerip 172.25.177.10
            set syncvd root vdom-1
    end
- On cluster2, enable inter-cluster session synchronization.
    config system ha
        set session-pickup enable
        set inter-cluster-session-sync enable
    end
  Since FGCP HA is already configured on cluster2, all you have to do for inter-cluster session synchronization is to enable session-pickup and inter-cluster-session-sync. The complete HA FGCP and inter-cluster session synchronization configuration for cluster2-ch1 could look like the following:
    config system ha
        set group-id 20
        set group-name "fgsp-fgcp-cluster2"
        set mode a-p
        set password <password>
        set hbdev "ha1" 50 "ha2" 100
        set chassis-id 1
        set session-pickup enable
        set inter-cluster-session-sync enable
    end
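
The two clusters' settings in the steps above mirror each other, and a wrong peerip or a missing HA option is easy to overlook when the snippets are typed by hand. The following Python check is an added example, not Fortinet code: it parses CLI snippets in the form shown on this page and returns a finding when the mgmt3 addresses are on different networks, peervd is not mgmt-vdom, peerip is not the peer's mgmt3 address, an HA option is not enabled, or the syncvd lists differ. The names TEMPLATE, parse, mgmt3 and check_pair are hypothetical, and requiring identical syncvd lists is an assumption taken from this page's example.

```python
import ipaddress
import shlex

# Constructed sample: this page's CLI snippets with the mgmt3 addresses as parameters.
TEMPLATE = """config system interface
edit mgmt3
set ip {local} 255.255.255.0
end
config system cluster-sync
edit 1
set peervd mgmt-vdom
set peerip {peer}
set syncvd root vdom-1
end
config system ha
set session-pickup enable
set inter-cluster-session-sync enable
end"""
SYNC, HA_OPTS = "system cluster-sync", ("session-pickup", "inter-cluster-session-sync")

def parse(text):
    """Return {section: {edit-id: {option: [values]}}}; assumes no nested config blocks."""
    cfg, section, entry = {}, None, ""
    for tok in filter(None, map(shlex.split, text.splitlines())):
        if tok[0] == "config":
            section, entry = " ".join(tok[1:]), ""
        elif tok[0] == "edit":
            entry = tok[1]
        elif tok[0] == "set" and section:
            cfg.setdefault(section, {}).setdefault(entry, {})[tok[1]] = tok[2:]
    return cfg

def mgmt3(cfg):
    ip = cfg.get("system interface", {}).get("mgmt3", {}).get("ip")
    return ipaddress.ip_interface("/".join(ip)) if ip else None

def check_pair(text_a, text_b):
    """Return findings; an empty list means the two clusters mirror each other."""
    a, b, out = parse(text_a), parse(text_b), []
    for name, local, remote in (("cluster1", a, b), ("cluster2", b, a)):
        mine, peer = mgmt3(local), mgmt3(remote)
        if mine is None or peer is None or mine.network != peer.network:
            out.append(f"{name}: mgmt3 interfaces are not on the same network")
        want = {"peervd": ["mgmt-vdom"], "peerip": [str(peer.ip)] if peer else None}
        for inst, s in local.get(SYNC, {"(none)": {}}).items():  # no instance also yields findings
            out += [f"{name}: cluster-sync {inst}: bad {k}" for k, v in want.items() if s.get(k) != v]
        ha = local.get("system ha", {}).get("", {})
        out += [f"{name}: {o} not enabled" for o in HA_OPTS if ha.get(o) != ["enable"]]
    vdoms = [sorted(v for s in c.get(SYNC, {}).values() for v in s.get("syncvd", [])) for c in (a, b)]
    return out + (["syncvd VDOM lists differ between clusters"] if vdoms[0] != vdoms[1] else [])
```

Call check_pair with the text of each cluster's primary configuration; TEMPLATE.format(local=..., peer=...) reproduces this page's values for a dry run.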