FGSP session synchronization options
FortiGate-6000 FGSP supports the following session synchronization options:
config system ha
set session-pickup {disable | enable}
set session-pickup-connectionless {disable | enable}
set session-pickup-expectation {disable | enable}
set session-pickup-nat {disable | enable}
set session-pickup-delay {disable | enable}
end
Some notes:
- The session-pickup-expectation and session-pickup-nat options only apply to the FGSP. The FGCP synchronizes NAT sessions when you enable session-pickup.
- The session-pickup-delay option applies to TCP sessions only and does not apply to connectionless and SCTP sessions.
- The session-pickup-delay option should not be used in FGSP topologies where the traffic can take an asymmetric path (forward and reverse traffic going through different FortiGate-6000s).
Enabling session synchronization
Use the following command to synchronize TCP and SCTP sessions between FortiGate-6000s.
config system ha
set session-pickup enable
end
Enabling session-pickup also enables session synchronization for connectionless protocol sessions, such as ICMP and UDP, by enabling session-pickup-connectionless. If you don't want to synchronize connectionless sessions, you can manually disable session-pickup-connectionless.
Synchronizing expectation sessions
Enable session-pickup-expectation to synchronize expectation sessions.
FortiOS session helpers keep track of the communication of Layer-7 protocols such as FTP and SIP that have control sessions and expectation sessions. Usually the control sessions establish the link between server and client and negotiate the ports and protocols that will be used for data communications. The session helpers then create expectation sessions through the FortiGate for the ports and protocols negotiated by the control session.
The expectation sessions are usually the sessions that actually communicate data. For FTP, the expectation sessions transmit files being uploaded or downloaded. For SIP, the expectation sessions transmit voice and video data. Expectation sessions usually have a timeout value of 30 seconds. If the communication from the server is not initiated within 30 seconds, the expectation session times out and the traffic is denied.
Synchronizing NAT sessions
Enable session-pickup-nat to synchronize NAT sessions.
Synchronizing sessions older than 30 seconds
Enable session-pickup-delay to synchronize TCP sessions only if they remain active for more than 30 seconds. This option improves performance when session-pickup is enabled by reducing the number of TCP sessions that are synchronized. This option does not affect SCTP or connectionless sessions.
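To check which sessions a given configuration would actually carry across an FGSP failover, the following Python model (an added example, not Fortinet code) parses the session-pickup options from a config system ha block and applies the rules this page describes. The sample config and sessions are constructed, and the Session fields and the 30-second age comparison are this example's assumptions.

```python
import re
from dataclasses import dataclass

# Constructed sample of the config system ha block described on this page.
HA_CONFIG = """
config system ha
    set session-pickup enable
    set session-pickup-expectation enable
    set session-pickup-nat disable
    set session-pickup-delay enable
end
"""

DELAY_SECONDS = 30  # session-pickup-delay only syncs TCP sessions active longer than this

def parse_ha_config(text):
    """Map each session-pickup* option in a config system ha block to True/False."""
    opts = {}
    for name, value in re.findall(r"^\s*set (session-pickup[\w-]*) (enable|disable)\s*$", text, re.M):
        opts[name] = (value == "enable")
    # Enabling session-pickup also enables session-pickup-connectionless unless it is set explicitly.
    if opts.get("session-pickup") and "session-pickup-connectionless" not in opts:
        opts["session-pickup-connectionless"] = True
    return opts

@dataclass
class Session:
    proto: str                 # "tcp", "sctp", "udp" or "icmp" (assumed field)
    age: int                   # seconds the session has been active (assumed field)
    nat: bool = False          # session is NATed
    expectation: bool = False  # created by a session helper (e.g. FTP data channel)

def would_sync(sess, opts):
    """Return True if FGSP would synchronize this session to the peer under opts."""
    if not opts.get("session-pickup"):
        return False
    if sess.expectation and not opts.get("session-pickup-expectation"):
        return False
    if sess.nat and not opts.get("session-pickup-nat"):
        return False
    if sess.proto in ("udp", "icmp") and not opts.get("session-pickup-connectionless"):
        return False
    # session-pickup-delay applies to TCP only: young TCP sessions are not synced yet.
    if sess.proto == "tcp" and opts.get("session-pickup-delay") and sess.age <= DELAY_SECONDS:
        return False
    return True

def unsynced_sessions(sessions, opts):
    """Sessions that would be lost on failover; audit these before enabling delay or NAT options."""
    return [s for s in sessions if not would_sync(s, opts)]
```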