FortiGate-7000 Release Notes

Example FortiGate-6000 inter-cluster session synchronization configuration

This example shows how to configure inter-cluster session synchronization between two FortiGate-6301F FGCP clusters. The configuration synchronizes sessions for the root VDOM and for a VDOM named vdom-1. The mgmt3 session synchronization interfaces of each FortiGate-6301F are connected to the 172.25.177.0/24 network.

The FortiGate-6301F clusters must have their own IP addresses and their own network configurations. The clusters in this example are named cluster1 and cluster2. The FortiGate-6301Fs in cluster1 have host names cluster1-ch1 and cluster1-ch2. The FortiGate-6301Fs in cluster2 have host names cluster2-ch1 and cluster2-ch2.

Configuring inter-cluster session synchronization consists of logging into each cluster, configuring mgmt3 to connect to the 172.25.177.0/24 network, adding a cluster sync instance, and enabling inter-cluster session synchronization. The FGCP synchronizes these settings to the secondary FortiGate-6301Fs in each cluster.

  1. Configure the routers or load balancers to distribute sessions to the two FortiGate-6301F clusters.

  2. Change the host names of the FortiGate-6301Fs in the two clusters to cluster1-ch1, cluster1-ch2, cluster2-ch1, and cluster2-ch2.

  3. Configure VDOMs and network settings for each FortiGate-6301F to allow them to connect to their networks and route traffic.

    The names of the VDOMs and any VLANs and LAGs or other interfaces that you have added must be the same on both clusters, even though network addresses will be different. VLAN IDs can be different in each cluster as long as the names of the VLAN interfaces are the same.

  4. On cluster1, configure the mgmt3 interface with an IP address on the 172.25.177.0/24 network:

    config system interface
        edit mgmt3
            set ip 172.25.177.10 255.255.255.0
    end

  5. On cluster1, add a session synchronization instance for the root and vdom-1 VDOMs.

    config system cluster-sync
        edit 1
            set peervd mgmt-vdom
            set peerip 172.25.177.20
            set syncvd root vdom-1
    end

    Here, peervd is always mgmt-vdom and peerip is the IP address of the mgmt3 interface of cluster2.

    This configuration creates one cluster-sync instance that includes both VDOMs. You could have created a separate cluster-sync instance for each VDOM. If possible, however, avoid creating more than three cluster-sync instances. A fourth cluster-sync instance may experience reduced session synchronization performance.

  6. On cluster1, enable inter-cluster session synchronization.

    config system ha
        set session-pickup enable
        set inter-cluster-session-sync enable
    end

    Since FGCP HA is already configured on cluster1, all you have to do for inter-cluster session synchronization is to enable session-pickup and inter-cluster-session-sync. The complete HA FGCP and inter-cluster session synchronization configuration for cluster1-ch1 could look like the following:

    config system ha
        set group-id 16
        set group-name "fgsp-fgcp-cluster1"
        set mode a-p
        set password <password>
        set hbdev "ha1" 50 "ha2" 100
        set chassis-id 1
        set session-pickup enable
        set inter-cluster-session-sync enable
    end

  7. On cluster2, configure the mgmt3 interface with an IP address on the 172.25.177.0/24 network:

    config system interface
        edit mgmt3
            set ip 172.25.177.20 255.255.255.0
    end

  8. On cluster2, configure session synchronization for the root and vdom-1 VDOMs with the same configuration as cluster1.

    config system cluster-sync
        edit 1
            set peervd mgmt-vdom
            set peerip 172.25.177.10
            set syncvd root vdom-1
    end

  9. On cluster2, enable inter-cluster session synchronization.

    config system ha
        set session-pickup enable
        set inter-cluster-session-sync enable
    end

    Since FGCP HA is already configured on cluster2, all you have to do for inter-cluster session synchronization is to enable session-pickup and inter-cluster-session-sync. The complete HA FGCP and inter-cluster session synchronization configuration for cluster2-ch1 could look like the following:

    config system ha
        set group-id 20
        set group-name "fgsp-fgcp-cluster2"
        set mode a-p
        set password <password>
        set hbdev "ha1" 50 "ha2" 100
        set chassis-id 1
        set session-pickup enable
        set inter-cluster-session-sync enable
    end
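
The following Python check is an added example, not part of the Fortinet documentation: it parses the settings from steps 4 to 9 for both clusters and reports where one side breaks the rules stated above (peervd is mgmt-vdom, peerip is the other cluster's mgmt3 address, both mgmt3 interfaces share a network, no more than three cluster-sync instances, both HA options enabled). The function names `parse` and `audit` and the sample text are constructed for this example, and the parser assumes only the flat config/edit/set blocks shown on this page.

```python
import ipaddress

# Constructed sample: cluster1's settings from steps 4-6; cluster2 swaps the two addresses.
CLUSTER1 = """config system interface
    edit mgmt3
        set ip 172.25.177.10 255.255.255.0
end
config system cluster-sync
    edit 1
        set peervd mgmt-vdom
        set peerip 172.25.177.20
        set syncvd root vdom-1
end
config system ha
    set session-pickup enable
    set inter-cluster-session-sync enable
end
"""
CLUSTER2 = CLUSTER1.replace("177.10 ", "177.20 ").replace("peerip 172.25.177.20", "peerip 172.25.177.10")

def parse(text):
    """Parse flat config/edit/set blocks into {section: {entry: {key: [values]}}}."""
    cfg, section, entry = {}, None, ""
    for words in (line.split() for line in text.splitlines() if line.strip()):
        if words[0] == "config":
            section, entry = " ".join(words[1:]), ""  # settings outside an edit use entry ""
        elif words[0] == "edit":
            entry = words[1]
        elif words[0] == "set":
            cfg.setdefault(section, {}).setdefault(entry, {})[words[1]] = words[2:]
    return cfg

def audit(local, peer):
    """List the ways `local` breaks the rules stated in the steps, given the peer cluster."""
    ha = local.get("system ha", {}).get("", {})
    problems = [f"{k} is not enabled" for k in ("session-pickup", "inter-cluster-session-sync")
                if ha.get(k) != ["enable"]]
    mgmt3 = lambda c: ipaddress.ip_interface("/".join(c["system interface"]["mgmt3"]["ip"]))
    if mgmt3(local).network != mgmt3(peer).network:
        problems.append("mgmt3 interfaces are on different networks")
    instances = local.get("system cluster-sync", {})
    if len(instances) > 3:
        problems.append("more than three cluster-sync instances")
    for name, inst in instances.items():
        if inst.get("peervd") != ["mgmt-vdom"]:
            problems.append(f"instance {name}: peervd is not mgmt-vdom")
        if inst.get("peerip") != [str(mgmt3(peer).ip)]:
            problems.append(f"instance {name}: peerip is not the peer's mgmt3 address")
    return problems
```

Call `audit(parse(a), parse(b))` in both directions; an empty list means that side's settings are consistent with its peer.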
