
FortiGate-7000 Handbook

Example FortiGate-7000 FGSP configuration


This example shows how to configure FGSP to synchronize sessions between two FortiGate-7040Es for the root VDOM and for a second VDOM, named vdom-1. The example uses the 1-M1 interface for root session synchronization and the 1-M2 interface for vdom-1 session synchronization. The 1-M1 interfaces are connected to the 172.25.177.0/24 network and the 1-M2 interfaces are connected to the 172.25.178.0/24 network.

The interfaces of the two FortiGate-7040Es must have their own IP addresses and their own networking configuration. You can give the FortiGate-7040Es different host names (in this example, peer_1 and peer_2) to make them easier to identify.

This example also adds configuration synchronization and sets the peer_1 device priority higher so that it becomes the config sync master. Once configuration synchronization is enabled, you can log into peer_1, add firewall policies and make other configuration changes, and those changes are synchronized to peer_2. For information about configuration synchronization, including its limitations, see Standalone configuration synchronization.

Example FortiGate-7000 FGSP configuration

  1. Configure the routers or load balancers to distribute sessions to the two FortiGate-7040Es.

  2. Change the host names of the FortiGate-7040Es to peer_1 and peer_2.

  3. Configure network settings for each FortiGate-7040E to allow them to connect to their networks and route traffic.

  4. Add the vdom-1 VDOM to each FortiGate-7040E.

  5. Configure the 1-M1 and 1-M2 interfaces of peer_1 with IP addresses on the 172.25.177.0/24 and 172.25.178.0/24 networks:

    config system interface
        edit 1-M1
            set ip 172.25.177.30 255.255.255.0
        next
        edit 1-M2
            set ip 172.25.178.35 255.255.255.0
        next
    end

  6. Configure the 1-M1 and 1-M2 interfaces of peer_2 with IP addresses on the 172.25.177.0/24 and 172.25.178.0/24 networks:

    config system interface
        edit 1-M1
            set ip 172.25.177.40 255.255.255.0
        next
        edit 1-M2
            set ip 172.25.178.45 255.255.255.0
        next
    end

  7. On peer_1, configure session synchronization for the root and vdom-1 VDOMs:

    config system cluster-sync
        edit 1
            set peervd mgmt-vdom
            set peerip 172.25.177.40
            set syncvd root
        next
        edit 2
            set peervd mgmt-vdom
            set peerip 172.25.178.45
            set syncvd vdom-1
        next
    end

    For the root VDOM, peervd is always mgmt-vdom and peerip is the IP address of the 1-M1 interface of peer_2.

    For vdom-1, peervd is always mgmt-vdom and peerip is the IP address of the 1-M2 interface of peer_2.

  8. On peer_1, enable configuration synchronization, configure the heartbeat interfaces, and set a higher device priority. The higher priority makes peer_1 the config sync master:

    config system ha
        set standalone-config-sync enable
        set priority 250
        set hbdev 1-M1 50 1-M2 50
    end

  9. On peer_2, configure session synchronization for the root and vdom-1 VDOMs:

    config system cluster-sync
        edit 1
            set peervd mgmt-vdom
            set peerip 172.25.177.30
            set syncvd root
        next
        edit 2
            set peervd mgmt-vdom
            set peerip 172.25.178.35
            set syncvd vdom-1
        next
    end

    For the root VDOM, peervd is always mgmt-vdom and peerip is the IP address of the 1-M1 interface of peer_1.

    For vdom-1, peervd is always mgmt-vdom and peerip is the IP address of the 1-M2 interface of peer_1.

  10. On peer_2, enable configuration synchronization, configure the heartbeat interfaces, and leave the device priority set to the default value:

    config system ha
        set standalone-config-sync enable
        set hbdev 1-M1 50 1-M2 50
    end

    As sessions are forwarded by the routers or load balancers to one of the FortiGate-7040Es, the FGSP synchronizes the sessions to the other FortiGate-7040E. You can log into peer_1 and make configuration changes, which are synchronized to peer_2.
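The mirrored peerip/interface values in steps 5 to 10 are easy to get wrong on one side, and a bad peerip silently leaves a VDOM without session backup. The following script is an added example (not Fortinet code or part of the handbook) that parses the CLI of both peers from the steps above, embedded here as constructed input, and cross-checks that each cluster-sync entry points at the other peer's sync interface, that peervd is mgmt-vdom, that standalone-config-sync is enabled on both, and that exactly one peer has the higher priority. The parser, the SYNC_IF mapping and the default priority of 128 are assumptions of this example.

```python
# Constructed input: the peer_1 / peer_2 CLI from the steps above; only the
# addresses and the device priority differ between the two peers.
TEMPLATE = ("config system interface\nedit 1-M1\nset ip {m1} 255.255.255.0\nnext\n"
            "edit 1-M2\nset ip {m2} 255.255.255.0\nend\n"
            "config system cluster-sync\nedit 1\nset peervd mgmt-vdom\nset peerip {p1}\n"
            "set syncvd root\nnext\nedit 2\nset peervd mgmt-vdom\nset peerip {p2}\n"
            "set syncvd vdom-1\nnext\nend\n"
            "config system ha\nset standalone-config-sync enable\n{prio}set hbdev 1-M1 50 1-M2 50\nend\n")
PEER_1 = TEMPLATE.format(m1="172.25.177.30", m2="172.25.178.35",
                         p1="172.25.177.40", p2="172.25.178.45", prio="set priority 250\n")
PEER_2 = TEMPLATE.format(m1="172.25.177.40", m2="172.25.178.45",
                         p1="172.25.177.30", p2="172.25.178.35", prio="")
SYNC_IF = {"root": "1-M1", "vdom-1": "1-M2"}  # interface carrying each VDOM's session sync
DEFAULT_PRIORITY = 128                         # assumption: FortiOS default HA priority

def parse_fortios(text):
    """Minimal parser for config/edit/set/next/end CLI text into nested dicts."""
    root, stack = {}, []
    cur = root
    for tok in (line.split() for line in text.splitlines() if line.strip()):
        if tok[0] in ("config", "edit"):          # descend into a table or entry
            stack.append((cur, tok[0]))
            cur = cur.setdefault(" ".join(tok[1:]), {})
        elif tok[0] == "set":
            cur[tok[1]] = tok[2:]
        elif tok[0] in ("next", "end"):           # 'end' unwinds to the enclosing config
            cur, kind = stack.pop()
            while tok[0] == "end" and kind != "config":
                cur, kind = stack.pop()
    return root

def check_fgsp_pair(cli_a, cli_b):
    """Return a list of findings; an empty list means the two peers agree."""
    cfg = {"peer_1": parse_fortios(cli_a), "peer_2": parse_fortios(cli_b)}
    findings = []
    for me, other in (("peer_1", "peer_2"), ("peer_2", "peer_1")):
        for idx, ent in cfg[me]["system cluster-sync"].items():
            peerip, port = ent["peerip"][0], SYNC_IF[ent["syncvd"][0]]
            if ent.get("peervd") != ["mgmt-vdom"]:
                findings.append(f"{me} cluster-sync {idx}: peervd must be mgmt-vdom")
            if peerip != cfg[other]["system interface"][port]["ip"][0]:
                findings.append(f"{me} cluster-sync {idx}: peerip {peerip} is not {other}'s {port} address")
        if cfg[me]["system ha"].get("standalone-config-sync") != ["enable"]:
            findings.append(f"{me}: standalone-config-sync is not enabled")
    prios = {p: int(cfg[p]["system ha"].get("priority", [DEFAULT_PRIORITY])[0]) for p in cfg}
    if len(set(prios.values())) < 2:
        findings.append(f"no config sync master: equal priorities {prios}")
    return findings
```

Running check_fgsp_pair(PEER_1, PEER_2) returns no findings; feeding the same peer's CLI to both sides reports every mismatched peerip and the missing priority difference.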
