Fortinet Document Library

Version:

Version:

Version:

Version:


Table of Contents

FortiGate-7000 Handbook

Download PDF
Copy Link

FGSP session synchronization options

FortiGate-7000 FGSP supports the following HA session synchronization options:

config system ha

set session-pickup {disable | enable}

set session-pickup-connectionless {disable | enable}

set session-pickup-expectation {disable | enable}

set session-pickup-nat {disable | enable}

set session-pickup-delay {disable | enable}

end

Some notes:

  • The session-pickup-expectation and session-pickup-nat options only apply to the FGSP. FGCP synchronizes NAT sessions when you enable session-pickup.
  • The session-pickup-delay option applies to TCP sessions only and does not apply to connectionless and SCTP sessions.
  • The session-pickup-delay option should not be used in FGSP topologies where the traffic can take an asymmetric path (forward and reverse traffic going through different FortiGate-7000ss).

Enabling session synchronization

Use the following command to synchronize TCP and SCTP sessions between FortiGate-7000s.

config system ha

set session-pickup enable

end

Enabling session-pickup also enables session synchronization for connectionless protocol sessions, such as ICMP and UDP, by enabling session-pickup-connectionless. If you don't want to synchronize connectionless sessions, you can manually disable session-pickup-connectionless.

Synchronizing expectation sessions

Enable session-pickup-expectation to synchronize expectation sessions. FortiOS session helpers keep track of the communication of Layer-7 protocols such as FTP and SIP that have control sessions and expectation sessions. Usually the control sessions establish the link between server and client and negotiate the ports and protocols that will be used for data communications. The session helpers then create expectation sessions through the FortiGate for the ports and protocols negotiated by the control session.

The expectation sessions are usually the sessions that actually communicate data. For FTP, the expectation sessions transmit files being uploaded or downloaded. For SIP, the expectation sessions transmit voice and video data. Expectation sessions usually have a timeout value of 30 seconds. If the communication from the server is not initiated within 30 seconds the expectation session times out and traffic will be denied.

Synchronizing NAT sessions

Enable session-pickup-nat to synchronize NAT sessions in an FGSP deployment.

Synchronizing TCP sessions older than 30 seconds

Enable session-pickup-delay to synchronize TCP sessions only if they remain active for more than 30 seconds. This option improves performance when session-pickup is enabled by reducing the number of sessions that are synchronized. This option does not affect SCTP or connectionless sessions.

Synchronizing sessions older than 30 seconds

Enable session-pickup-delay to synchronize TCP sessions only if they remain active for more than 30 seconds. This option improves performance when session-pickup is enabled by reducing the number of TCP sessions that are synchronized. This option does not affect SCTP or connectionless sessions.

FGSP session synchronization options

FortiGate-7000 FGSP supports the following HA session synchronization options:

config system ha

set session-pickup {disable | enable}

set session-pickup-connectionless {disable | enable}

set session-pickup-expectation {disable | enable}

set session-pickup-nat {disable | enable}

set session-pickup-delay {disable | enable}

end

Some notes:

  • The session-pickup-expectation and session-pickup-nat options only apply to the FGSP. FGCP synchronizes NAT sessions when you enable session-pickup.
  • The session-pickup-delay option applies to TCP sessions only and does not apply to connectionless and SCTP sessions.
  • The session-pickup-delay option should not be used in FGSP topologies where the traffic can take an asymmetric path (forward and reverse traffic going through different FortiGate-7000ss).

Enabling session synchronization

Use the following command to synchronize TCP and SCTP sessions between FortiGate-7000s.

config system ha

set session-pickup enable

end

Enabling session-pickup also enables session synchronization for connectionless protocol sessions, such as ICMP and UDP, by enabling session-pickup-connectionless. If you don't want to synchronize connectionless sessions, you can manually disable session-pickup-connectionless.

Synchronizing expectation sessions

Enable session-pickup-expectation to synchronize expectation sessions. FortiOS session helpers keep track of the communication of Layer-7 protocols such as FTP and SIP that have control sessions and expectation sessions. Usually the control sessions establish the link between server and client and negotiate the ports and protocols that will be used for data communications. The session helpers then create expectation sessions through the FortiGate for the ports and protocols negotiated by the control session.

The expectation sessions are usually the sessions that actually communicate data. For FTP, the expectation sessions transmit files being uploaded or downloaded. For SIP, the expectation sessions transmit voice and video data. Expectation sessions usually have a timeout value of 30 seconds. If the communication from the server is not initiated within 30 seconds the expectation session times out and traffic will be denied.

Synchronizing NAT sessions

Enable session-pickup-nat to synchronize NAT sessions in an FGSP deployment.

Synchronizing TCP sessions older than 30 seconds

Enable session-pickup-delay to synchronize TCP sessions only if they remain active for more than 30 seconds. This option improves performance when session-pickup is enabled by reducing the number of sessions that are synchronized. This option does not affect SCTP or connectionless sessions.

Synchronizing sessions older than 30 seconds

Enable session-pickup-delay to synchronize TCP sessions only if they remain active for more than 30 seconds. This option improves performance when session-pickup is enabled by reducing the number of TCP sessions that are synchronized. This option does not affect SCTP or connectionless sessions.