Fortinet black logo

FortiGate-6000 Handbook

Home FortiGate-6000 6.4.2 FortiGate-6000 Handbook

Synchronizing sessions between FGCP clusters

6.4.2
7.0.15
7.0.14
7.0.13
7.0.12
7.0.10
7.0.5
6.4.15
6.4.14
6.4.13
6.4.12
6.4.10
6.4.8
6.4.6
6.4.2
6.2.16
6.2.16
6.2.15
6.2.13
6.2.12
6.2.11
6.2.10
6.2.9
6.2.7
6.2.6
6.2.4
6.2.3
6.0.18
6.0.17
6.0.16
6.0.15
6.0.14
6.0.13
6.0.12
6.0.10
6.0.9
6.0.8
6.0.6
6.0.4
5.6.14
5.6.12
5.6.11
5.6.7
5.4.10
Copy Link
Copy Doc ID bd3ddb90-2b7a-11eb-96b9-00505692583a:34458
Download PDF

Synchronizing sessions between FGCP clusters

FortiGate-6000 supports using FGSP to synchronize sessions among up to four FortiGate-6000 FGCP clusters. All of the FortiGate-6000s must be the same hardware model.

FGSP between FGCP clusters synchronizes sessions between the primary FortiGate-6000s in each cluster. FGCP HA then handles session synchronization between FortiGate-6000s in each FGCP cluster.

For details about FGSP between FGCP clusters, see: Synchronizing sessions between FGCP clusters.

You can use the mgmt3 interface for FGSP session synchronization. The HA1 and HA2 interfaces are used for FGCP HA heartbeat between the FortiGate-6000s in each FGCP cluster.

FortiGate-6000 synchronizing sessions between FGCP clusters has the following limitations:

  • Synchronizing sessions between FGCP clusters is available only for the FortiGate-6000 (and not the FortiGate-7000).
  • The FGCP clusters cannot be configured for virtual clustering.
  • NAT between mgmt3 interfaces is not supported.
  • Standalone configuration synchronization between the FCGP clusters is not supported.
  • Synchronizing sessions between FGCP clusters doesn't support setting up IPv6 session filters using the config session-sync-filter option.
  • When ICMP load balancing is set to to-master, ICMP packets are not installed on the DP processor. In an inter-cluster session synchronization configuration with an asymmetry topology, synchronized ICMP packets will be dropped if the clusters have selected a different primary FPC. To avoid this possible traffic loss, set dp-load-distribution-method to src-ip, dst-ip, or src-dst-ip.
  • Asymmetric IPv6 SCTP traffic sessions are not supported. These sessions are dropped.

  • FGSP IPsec tunnel synchronization is not supported.

  • Session synchronization packets cannot be fragmented. So the MTU for the mgmt3 interface should be supported by the network.
  • Jumbo frames on the mgmt3 interface are not supported.
  • To reduce the number of failovers and the amount of session synchronization traffic, configuring HA override on the FGCP clusters is not recommended.
Previous
Next

Synchronizing sessions between FGCP clusters

FortiGate-6000 supports using FGSP to synchronize sessions among up to four FortiGate-6000 FGCP clusters. All of the FortiGate-6000s must be the same hardware model.

FGSP between FGCP clusters synchronizes sessions between the primary FortiGate-6000s in each cluster. FGCP HA then handles session synchronization between FortiGate-6000s in each FGCP cluster.

For details about FGSP between FGCP clusters, see: Synchronizing sessions between FGCP clusters.

You can use the mgmt3 interface for FGSP session synchronization. The HA1 and HA2 interfaces are used for FGCP HA heartbeat between the FortiGate-6000s in each FGCP cluster.

FortiGate-6000 synchronizing sessions between FGCP clusters has the following limitations:

  • Synchronizing sessions between FGCP clusters is available only for the FortiGate-6000 (and not the FortiGate-7000).
  • The FGCP clusters cannot be configured for virtual clustering.
  • NAT between mgmt3 interfaces is not supported.
  • Standalone configuration synchronization between the FCGP clusters is not supported.
  • Synchronizing sessions between FGCP clusters doesn't support setting up IPv6 session filters using the config session-sync-filter option.
  • When ICMP load balancing is set to to-master, ICMP packets are not installed on the DP processor. In an inter-cluster session synchronization configuration with an asymmetry topology, synchronized ICMP packets will be dropped if the clusters have selected a different primary FPC. To avoid this possible traffic loss, set dp-load-distribution-method to src-ip, dst-ip, or src-dst-ip.
  • Asymmetric IPv6 SCTP traffic sessions are not supported. These sessions are dropped.

  • FGSP IPsec tunnel synchronization is not supported.

  • Session synchronization packets cannot be fragmented. So the MTU for the mgmt3 interface should be supported by the network.
  • Jumbo frames on the mgmt3 interface are not supported.
  • To reduce the number of failovers and the amount of session synchronization traffic, configuring HA override on the FGCP clusters is not recommended.
Previous
Next