FortiGate-7000 Handbook

FortiGate-7000 FGSP

FortiGate-7000 supports the FortiGate Session Life Support Protocol (FGSP) (also called standalone session sync) to synchronize sessions among up to four FortiGate-7000s. All of the FortiGate-7000s must be the same model, must be running the same firmware, and must each have their own network configuration (interface IPs, routing, and so on). FGSP synchronizes individual VDOM sessions. All of the devices in an FGSP deployment must include the VDOMs to be synchronized, and on each device those VDOMs must have the same firewall configuration.

For details about FGSP for FortiOS 6.0, see: FortiOS 6.0 Handbook: FGSP.

FortiGate-7000 FGSP support has the following limitations:

  • You can use configuration synchronization to synchronize the configurations of the FortiGate-7000s in the FGSP deployment (see Standalone configuration synchronization). You can also configure the FortiGate-7000s separately or use FortiManager to keep key parts of the configuration, such as security policies, synchronized.
  • FortiGate-7000 FGSP can use the 1-M1, 1-M2, 2-M1, and 2-M2 interfaces for session synchronization. Using multiple interfaces is recommended for redundancy. To use these interfaces for FGSP, you must give them IP addresses and optionally set up routing for them. Ideally the session synchronization interfaces of each device would be on the same network and that network would only be used for session synchronization traffic. However, you can configure routing to send session synchronization traffic between networks. NAT between session synchronization interfaces is not supported.
  • If you are also using configuration synchronization you can use the 1-M1, 1-M2, 2-M1, and 2-M2 interfaces for both session synchronization and configuration synchronization. If you encounter performance issues you can use data interfaces for session synchronization traffic.
  • Multiple VDOMs can be synchronized over the same session synchronization interface. You can also distribute synchronization traffic to multiple interfaces.
  • FortiGate-7000 FGSP doesn't support setting up IPv6 session filters using the config session-sync-filter option.
  • FGSP doesn't synchronize ICMP sessions when ICMP load balancing is set to to-master. If you want to synchronize ICMP sessions, set ICMP load balancing to either src-ip, dst-ip, or src-dst-ip. See ICMP load balancing for more information.
  • Asymmetric IPv6 SCTP traffic sessions are not supported. These sessions are dropped.
  • Inter-cluster session synchronization, or FGSP between FGCP clusters, is not supported.
  • FGSP IPsec tunnel synchronization is not supported.
  • Fragmented packet synchronization is not supported.
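
The following pre-deployment check is an added example, not Fortinet code or FortiOS output. It tests a planned FGSP group against the requirements and limitations listed above. The record field names, the per-VDOM configuration digest used to compare firewall configurations, and the sample devices are assumptions constructed for illustration.

```python
# Added example: field names and sample records are constructed assumptions,
# not FortiOS output. Each check maps to a requirement or limitation listed above.
ICMP_SYNC_OK = {"src-ip", "dst-ip", "src-dst-ip"}

def check_fgsp_plan(devices, sync_vdoms, want_icmp_sync=True):
    """Return findings for a planned FGSP group; an empty list means none found."""
    findings = []
    if len(devices) > 4:
        findings.append(f"{len(devices)} devices planned; FGSP supports up to four")
    for key in ("model", "firmware"):
        if len({d[key] for d in devices}) > 1:
            findings.append(f"{key} differs across devices")
    for vdom in sync_vdoms:
        missing = [d["name"] for d in devices if vdom not in d["vdom_policy_digest"]]
        if missing:
            findings.append(f"VDOM {vdom} missing on {', '.join(missing)}")
        elif len({d["vdom_policy_digest"][vdom] for d in devices}) > 1:
            findings.append(f"VDOM {vdom}: firewall configuration differs")
    for d in devices:
        if len(d["sync_interfaces"]) < 2:
            findings.append(f"{d['name']}: one sync interface, no redundancy")
        if d["nat_on_sync_path"]:
            findings.append(f"{d['name']}: NAT between sync interfaces unsupported")
        if d["ipv6_session_filter"]:
            findings.append(f"{d['name']}: IPv6 session filters unsupported")
        if want_icmp_sync and d["icmp_load_balancing"] not in ICMP_SYNC_OK:
            findings.append(f"{d['name']}: ICMP sessions not synchronized "
                            f"(ICMP load balancing is {d['icmp_load_balancing']})")
    return findings

def sample_device(name, **overrides):
    """Constructed device record; override fields to model a misconfiguration."""
    record = {"name": name, "model": "model-A", "firmware": "build-1",
              "vdom_policy_digest": {"vdom-1": "digest-1"},
              "sync_interfaces": ["1-M1", "2-M1"], "nat_on_sync_path": False,
              "ipv6_session_filter": False, "icmp_load_balancing": "src-ip"}
    record.update(overrides)
    return record

if __name__ == "__main__":
    plan = [sample_device("fgt-a"),
            sample_device("fgt-b", icmp_load_balancing="to-master",
                          vdom_policy_digest={"vdom-1": "digest-2"})]
    for finding in check_fgsp_plan(plan, ["vdom-1"]):
        print(finding)
```

A mismatch in firewall configuration between peers matters because a session synchronized to a peer is then handled under that peer's policy set, so the digest comparison is worth running whenever policies change on any member.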
