Fortinet Document Library

FortiGate-6000 Handbook

FortiGate-6000 FGSP

FortiGate-6000 supports the FortiGate Session Life Support Protocol (FGSP) (also called standalone session sync) to synchronize sessions among up to four FortiGate-6000s. All of the FortiGate-6000s must be the same model, must run the same firmware, and must each have their own network configuration (interface IPs, routing, and so on). FGSP synchronizes individual VDOM sessions.

All of the devices in an FGSP deployment must include the VDOMs to be synchronized and for each device the VDOMs must have the same firewall configuration. Multiple VDOMs can be synchronized over the same session synchronization interface. You can also distribute synchronization traffic to multiple interfaces.

The configurations should use the same interfaces on each device. If the configuration includes VLANs, the VLANs on each device should have the same names and VLAN IDs. Finally, if the configuration includes LAGs, they should have the same names and include the same interfaces on each device.

For details about FGSP for FortiOS 6.0, see: FortiOS 6.0 Handbook: FGSP.

FortiGate-6000 FGSP support has the following limitations:

  • FortiGate-6000 FGSP can use either the HA1 or the HA2 interface (but not both) for session synchronization. To use one of these interfaces for session synchronization, you must give it an IP address and optionally set up routing for the interface as required. Ideally, the session synchronization interface of each FortiGate-6000 would be on the same network, and that network would only be used for session synchronization traffic. However, you can configure routing to send session synchronization traffic between networks. NAT between session synchronization interfaces is not supported.
  • You can't use data interfaces for FGSP session synchronization.
  • If you encounter performance issues because of the HA1/HA2 bandwidth limit of 10 Gbps, you can create a LAG consisting of the HA1 and HA2 interfaces to increase the bandwidth capacity to 20 Gbps. See Creating an HA1/HA2 LAG for FGSP session synchronization.
  • You can use configuration synchronization to synchronize the configurations of the FortiGate-6000s in the FGSP deployment (see Standalone configuration synchronization). You can also configure the FortiGate-6000s separately or use FortiManager to keep key parts of the configuration, such as security policies, synchronized. You can use the HA1 and HA2 interfaces for configuration synchronization.
  • FortiGate-6000 FGSP doesn't support setting up IPv6 session filters using the config session-sync-filter option.
  • Asymmetric IPv6 SCTP traffic sessions are not supported. These sessions are dropped.
  • Inter-cluster session synchronization (FGSP between FGCP clusters) is supported; see Inter-cluster session synchronization.
  • FGSP IPsec tunnel synchronization is not supported.
  • Fragmented packet synchronization is not supported.
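As an added illustration (not from the handbook), the following FortiOS 6.0-style CLI fragment shows how the requirements above fit together on one FortiGate-6000: the HA1 interface gets an IP address, a static route is added only for the case where the peers' synchronization interfaces are on different networks, session pickup is enabled, and a cluster-sync entry with an IPv4-only session filter points at the peer's HA1 address. The interface name ha1, all addresses, the VDOM name root and the firewall interface names port1/port2 are assumptions; check the command names against the CLI reference for your firmware before using them.

```fortios
# Assumed example values: ha1 is the session synchronization interface,
# 10.10.10.1/24 is this unit and 10.10.10.2 is the peer's HA1 address.
config system interface
    edit ha1
        set ip 10.10.10.1/24
    next
end

# Only needed when the peer's HA1 interface is on another network
# (routed, never NAT'd); omit when both peers share 10.10.10.0/24.
config router static
    edit 0
        set dst 10.10.20.0/24
        set gateway 10.10.10.254
        set device ha1
    next
end

# Session pickup must be enabled for FGSP to synchronize sessions.
config system ha
    set session-pickup enable
    set session-pickup-connectionless enable
end

# One cluster-sync entry per peer; the filter limits which sessions
# are synchronized. IPv4 only: FortiGate-6000 FGSP does not support
# IPv6 session filters here.
config system cluster-sync
    edit 1
        set peervd root
        set peerip 10.10.10.2
        set syncvd "root"
        config session-sync-filter
            set srcintf "port1"
            set dstintf "port2"
            set srcaddr 192.168.1.0 255.255.255.0
            set dstaddr 0.0.0.0 0.0.0.0
        end
    next
end
```

Repeat the same fragment on each peer with the HA1 address and peerip swapped; in a deployment of up to four FortiGate-6000s, each unit carries one cluster-sync entry per peer. Because the synchronization link carries session state in clear, keeping the HA1/HA2 network dedicated to this traffic, as the first limitation above recommends, is also the simplest way to keep that state off production segments.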
