Standalone configuration synchronization
FortiGate-7000 supports configuration synchronization (also called standalone configuration synchronization) for two FortiGate-7000s. Configuration synchronization means that most configuration changes made to one of the FortiGate-7000s are automatically synchronized to the other one.
For details about standalone configuration synchronization for FortiOS 6.0, see: Standalone configuration sync.
Use the following command on both FortiGate-7000s to enable configuration synchronization:
config system ha
set standalone-config-sync enable
end
In addition to enabling configuration synchronization, you must set up HA heartbeat connections between the FortiGate-7000s using the 1-M1, 1-M2, 2-M1, and 2-M2 interfaces. One HA heartbeat connection is required, two are recommended. Use the following command to enable heartbeat configuration for the 1-M1 and 1-M2 interfaces. This command gives both heartbeat interfaces the same priority. You can choose to select different priorities for each heartbeat interface:
config system ha
set hbdev 1-M1 50 1-M2 50
end
When you enable configuration synchronization and configure and connect the heartbeat devices, the FGCP primary unit selection criteria select a config sync primary (or master) FortiGate-7000. Normally, the FortiGate-7000 with the highest serial number becomes the config sync primary and the other FortiGate-7000 becomes the config sync secondary.
All configuration changes that you make to the primary are synchronized to the secondary. To avoid synchronization problems, Fortinet recommends making all configuration changes to the primary.
See Limitations for a list of limitations of the configuration synchronization feature. Fortinet recommends disabling configuration synchronization once the configurations of the FortiGate-7000s have been synchronized.
Config sync primary FortiGate-7000 selection
You can use device priority to select one of the FortiGate-7000s to become the config sync primary. For example, the following command enables configuration synchronization and sets a higher device priority than the default of 128 to make sure that this FortiGate-7000 becomes the primary.
config system ha
set standalone-config-sync enable
set priority 250
end
Settings that are not synchronized
Configuration synchronization does not synchronize settings that identify the FortiGate-7000 to the network. The following settings are not synchronized:
- Transparent mode management IPv4 and IPv6 IP addresses and default gateways.
- All config system cluster-sync settings.
- All config system interface settings except vdom, vlanid, type and interface.
- All config firewall sniffer settings.
- All router BFD and BFD6 settings.
- The following BGP settings: as, router-id, aggregate-address, aggregate-address6, neighbor-group, neighbor, network, and network6.
- The following OSPF settings: router-id, area, ospf-interface, network, neighbor, and summary-address.
- The following OSPF6 settings: router-id, area, and ospf6-interface.
- All RIP settings.
- All policy routing settings.
- All policy routing settings.
- All static routing settings.
Limitations
When configuration synchronization is enabled, there are some limitations, including but not limited to the following:
- Configuration synchronization does not support graceful HA firmware upgrades. If you upgrade the firmware of the primary, the secondary also upgrades at the same time, disrupting network traffic. You can avoid traffic interruptions by disabling configuration synchronization and upgrading the firmware of each FortiGate-7000 separately.
- The configuration settings that are synchronized might not match your requirements. The current design and implementation of configuration synchronization is based on requirements from specific customers and might not work for your implementation.
- It can be difficult to control which FortiGate-7000 becomes the config sync primary and the config sync primary can dynamically change without notice. This could result in accidentally changing the configuration of the secondary or overwriting the configuration of the intended primary.
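One way to confirm that two units have converged before disabling synchronization, and to spot an accidental overwrite after the primary has changed, is to diff their configuration backups while ignoring everything listed under "Settings that are not synchronized". The following is an added example, not Fortinet code. It assumes single-line set values, assumes the section names config router bfd, bfd6, rip, policy and static for the routing items in that list, and does not handle the transparent mode management addresses.

```python
UNSYNCED = {  # never synchronized per the list above; router section names are assumed
    "system cluster-sync", "firewall sniffer", "router bfd", "router bfd6",
    "router rip", "router policy", "router static"}
PARTIAL = {  # sections where only these settings are left unsynchronized
    "router bgp": {"as", "router-id", "aggregate-address", "aggregate-address6",
                   "neighbor-group", "neighbor", "network", "network6"},
    "router ospf": {"router-id", "area", "ospf-interface", "network", "neighbor",
                    "summary-address"},
    "router ospf6": {"router-id", "area", "ospf6-interface"}}
INTERFACE_SYNCED = {"vdom", "vlanid", "type", "interface"}  # all else is per-unit

def parse(text):
    """Flatten config/edit/set blocks into {(section, ..., key): value}."""
    stack, flat = [], {}
    for line in text.splitlines():
        verb, _, rest = line.strip().partition(" ")
        if verb in ("config", "edit"):
            stack.append(rest.strip().strip('"'))
        elif verb in ("end", "next") and stack:
            stack.pop()
        elif verb == "set" and stack:
            key, _, value = rest.strip().partition(" ")
            flat[tuple(stack) + (key,)] = value.strip()
    return flat

def expected_in_sync(path):
    """True if the list above implies this setting should match on both units."""
    if path[0] == "system interface":
        return path[-1] in INTERFACE_SYNCED
    return path[0] not in UNSYNCED and path[1] not in PARTIAL.get(path[0], ())

def drift(primary_text, secondary_text):
    """Return {path: (primary, secondary)} for settings that should match but differ."""
    a, b = parse(primary_text), parse(secondary_text)
    return {p: (a.get(p), b.get(p)) for p in sorted(set(a) | set(b))
            if expected_in_sync(p) and a.get(p) != b.get(p)}

# Constructed sample backups, not taken from real devices.
SAMPLE = """config router bgp
    set as {asn}
    set keepalive-timer {ka}
end
config system interface
    edit "port1"
        set ip {ip}
    next
end"""
PRIMARY = SAMPLE.format(asn=65001, ka=30, ip="10.0.1.1 255.255.255.0")
SECONDARY = SAMPLE.format(asn=65002, ka=60, ip="10.0.2.1 255.255.255.0")
print(drift(PRIMARY, SECONDARY))
```

Only the BGP keepalive timer is reported for the sample pair; the differing AS number and interface IP address are ignored because the list above marks them as not synchronized.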