
FortiGate-6000 Handbook

Session failover

If you enable session failover (also called session pickup) for the cluster, during cluster operation the primary FortiGate-6000 informs the secondary FortiGate-6000 of changes to the primary FortiGate-6000 connection and state tables, keeping the secondary FortiGate-6000 up-to-date with the traffic currently being processed by the cluster.

Session synchronization traffic uses the HA1 and HA2 interfaces. FortiGate-6000 does not support using the session-sync-dev option to use data interfaces for session synchronization. The HA1 and HA2 interfaces provide enough bandwidth for both HA heartbeat and session synchronization traffic, so additional session synchronization devices are not required. Keeping session synchronization traffic on the HA1 and HA2 interfaces also separates it from data traffic.

After a failover, the new primary FortiGate-6000 recognizes open sessions that were being handled by the cluster. The new primary FortiGate-6000 continues to process these sessions according to their last known state.

If you leave session pickup disabled, the cluster does not keep track of sessions and, after a failover, active sessions have to be restarted or resumed.
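
The following audit script is an added example, not part of the handbook or Fortinet's own tooling. It checks a configuration backup for the two conditions described above: session pickup left disabled, and session-sync-dev set on a FortiGate-6000. It assumes the option appears as `set session-pickup enable` under `config system ha` and that an absent line means disabled; the sample configuration is constructed.

```python
import shlex

# Constructed sample of a FortiOS configuration backup (not from the handbook).
SAMPLE_CONFIG = """\
config system global
    set hostname "fgt6k-a"
end
config system ha
    set group-name "cluster1"
    set hbdev "ha1" 50 "ha2" 50
    set session-sync-dev "port1"
end
"""

def parse_ha_block(config_text):
    """Return the 'set' options of the top-level 'config system ha' block."""
    options, depth, in_ha = {}, 0, False
    for raw in config_text.splitlines():
        try:
            tokens = shlex.split(raw)
        except ValueError:  # unbalanced quote inside a multi-line value
            tokens = raw.split()
        if tokens[:1] == ["config"]:
            in_ha = in_ha or (depth == 0 and tokens[1:] == ["system", "ha"])
            depth += 1
        elif tokens[:1] == ["end"]:
            depth -= 1
            in_ha = in_ha and depth > 0
        elif in_ha and depth == 1 and tokens[:1] == ["set"] and len(tokens) >= 3:
            options[tokens[1]] = tokens[2:]
    return options

def audit_session_failover(config_text):
    """List findings about session failover settings in a config backup."""
    ha = parse_ha_block(config_text)
    findings = []
    # Assumption: an absent session-pickup line means the option is disabled.
    if ha.get("session-pickup", ["disable"])[0] != "enable":
        findings.append("session-pickup not enabled: sessions are not "
                        "synchronized and must restart after a failover")
    if "session-sync-dev" in ha:
        findings.append("session-sync-dev set to %s: not supported on "
                        "FortiGate-6000, sync uses HA1 and HA2"
                        % ", ".join(ha["session-sync-dev"]))
    return findings

if __name__ == "__main__":
    for finding in audit_session_failover(SAMPLE_CONFIG):
        print("FINDING:", finding)
```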
