Example FortiGate-7000F FGSP session synchronization with a data interface LAG
This example shows how to configure FGSP to synchronize sessions between two FortiGate-7121Fs for the root VDOM and for a second VDOM, named vdom-1. For FGSP session synchronization, the example uses a data interface LAG that includes the 1-P17, 1-P18, 2-P17, and 2-P18 interfaces.
To set up the configuration, start by giving each FortiGate-7121F a different host name to make them easier to identify. This example uses peer_1 and peer_2. On each FortiGate-7121F, create a VDOM named fgsp-sync and move the 1-P17, 1-P18, 2-P17, and 2-P18 interfaces to this VDOM. Then create a LAG named Data-int-lag, also in the fgsp-sync VDOM, that includes the 1-P17, 1-P18, 2-P17, and 2-P18 interfaces. The LAGs on both FortiGate-7121Fs are on the 172.25.177.0/24 network.
This example also adds standalone configuration synchronization and sets the peer_1 device priority higher so that it becomes the config sync primary. Once configuration synchronization is enabled, you can log into peer_1, add firewall policies, and make other configuration changes; these changes are synchronized to peer_2. For information about configuration synchronization, including its limitations, see Standalone configuration synchronization.
Example FortiGate-7000F FGSP configuration using data interface LAGs
- Configure the routers or load balancers to distribute sessions to the two FortiGate-7121Fs.
- Change the host names of the FortiGate-7121Fs to peer_1 and peer_2.
- Configure network settings for each FortiGate-7121F to allow them to connect to their networks and route traffic.
- Add the vdom-1 and fgsp-sync VDOMs to each FortiGate-7121F.
- Also on each FortiGate-7121F, move the 1-P17, 1-P18, 2-P17, and 2-P18 interfaces to the fgsp-sync VDOM.
- On peer_1, configure the 1-P17, 1-P18, 2-P17, and 2-P18 interfaces to be FGSP session synchronization data interfaces.
    config system standalone-cluster
        set standalone-group-id 7
        set group-member-id 1
        set data-intf-session-sync-dev 1-P17 1-P18 2-P17 2-P18
    end
- On peer_1, add a data interface LAG to the fgsp-sync VDOM.
    config system interface
        edit Data-int-lag
            set type aggregate
            set vdom fgsp-sync
            set member 1-P17 1-P18 2-P17 2-P18
            set ip 172.25.177.110/24
            set mtu-override enable
            set mtu 9216
    end
This configuration adds the data interface LAG to the fgsp-sync VDOM, includes the four data interfaces configured to be FGSP session synchronization interfaces, and configures the LAG to support jumbo frames.
- On peer_1, configure session synchronization for the root and vdom-1 VDOMs.
    config system cluster-sync
        edit 1
            set peervd fgsp-sync
            set peerip 172.25.177.120
            set syncvd root vdom-1
    end
peervd is fgsp-sync because the FGSP session synchronization data interfaces are in the fgsp-sync VDOM. peerip is the IP address of the data interface LAG added to peer_2. This configuration creates one cluster-sync instance that includes both VDOMs. You could have created a separate cluster-sync instance for each VDOM. If possible, however, avoid creating more than three cluster-sync instances. A fourth cluster-sync instance may experience reduced session synchronization performance.
- On peer_1, enable configuration synchronization, enable session pickup, configure the heartbeat interfaces, and set a higher device priority. This makes peer_1 become the config sync primary.
    config system ha
        set standalone-config-sync enable
        set session-pickup enable
        set session-pickup-connectionless enable
        set session-pickup-expectation enable
        set session-pickup-nat enable
        set priority 250
        set hbdev 1-M3 100 2-M3 100
    end
- On peer_2, configure the 1-P17, 1-P18, 2-P17, and 2-P18 interfaces to be FGSP session synchronization data interfaces.
    config system standalone-cluster
        set standalone-group-id 7
        set group-member-id 2
        set data-intf-session-sync-dev 1-P17 1-P18 2-P17 2-P18
    end
- On peer_2, add a data interface LAG to the fgsp-sync VDOM.
    config system interface
        edit Data-int-lag
            set type aggregate
            set vdom fgsp-sync
            set member 1-P17 1-P18 2-P17 2-P18
            set ip 172.25.177.120/24
            set mtu-override enable
            set mtu 9216
    end
This configuration adds the data interface LAG to the fgsp-sync VDOM, includes the four data interfaces configured to be FGSP session synchronization interfaces, and configures the LAG to support jumbo frames.
- On peer_2, configure session synchronization for the root and vdom-1 VDOMs.
    config system cluster-sync
        edit 1
            set peervd fgsp-sync
            set peerip 172.25.177.110
            set syncvd root vdom-1
    end
- On peer_2, enable configuration synchronization, configure the heartbeat interfaces, and leave the device priority set to the default value.
    config system ha
        set standalone-config-sync enable
        set session-pickup enable
        set session-pickup-connectionless enable
        set session-pickup-expectation enable
        set session-pickup-nat enable
        set hbdev 1-M3 100 2-M3 100
    end
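The two peers' settings are meant to mirror each other, and the mistakes that keep FGSP from synchronizing are usually small asymmetries: a peerip that is not the other unit's LAG address, a group-member-id reused on both units, a LAG whose members are not the ports declared as session sync devices, or a syncvd list that differs between peers. The following Python script is an added example and is not Fortinet's code or part of this page: it parses CLI text in the config/edit/set/end form shown above and checks a pair of units for those mismatches. Its peer_config helper, the parse_fortios parser and check_fgsp_pair are this example's own inventions; the settings it embeds are the ones used on this page, and it assumes a FortiOS default HA priority of 128 when `set priority` is not configured.

```python
"""Consistency check for a two-node FGSP pair (added example; not Fortinet's code)."""
import shlex
DEFAULT_HA_PRIORITY = 128          # assumed FortiOS default when 'set priority' is absent
MAX_RECOMMENDED_CLUSTER_SYNC = 3   # the page advises at most three cluster-sync instances

def peer_config(member_id, lag_ip, peer_ip, priority=None):
    """One peer's CLI text, built from the settings used on this page (constructed input)."""
    prio = f"    set priority {priority}\n" if priority is not None else ""
    return f"""config system standalone-cluster
    set standalone-group-id 7
    set group-member-id {member_id}
    set data-intf-session-sync-dev 1-P17 1-P18 2-P17 2-P18
end
config system interface
    edit Data-int-lag
        set type aggregate
        set vdom fgsp-sync
        set member 1-P17 1-P18 2-P17 2-P18
        set ip {lag_ip}/24
        set mtu-override enable
        set mtu 9216
end
config system cluster-sync
    edit 1
        set peervd fgsp-sync
        set peerip {peer_ip}
        set syncvd root vdom-1
end
config system ha
    set standalone-config-sync enable
    set session-pickup enable
{prio}    set hbdev 1-M3 100 2-M3 100
end
"""

PEER_1 = peer_config(1, "172.25.177.110", "172.25.177.120", priority=250)
PEER_2 = peer_config(2, "172.25.177.120", "172.25.177.110")

def parse_fortios(text):
    """Parse config/edit/set/next/end blocks into nested dicts; 'end' also closes an open edit."""
    stack = [("root", {})]
    for raw in text.splitlines():
        tokens = shlex.split(raw)
        if not tokens:
            continue
        kw, args = tokens[0], tokens[1:]
        if kw in ("config", "edit"):
            node = stack[-1][1].setdefault(" ".join(args), {})
            stack.append((kw, node))
        elif kw == "set":
            stack[-1][1][args[0]] = args[1:]
        elif kw == "next":
            stack.pop()
        elif kw == "end":  # pop the edit frame (if any) and then the config frame
            while stack.pop()[0] != "config":
                pass
    return stack[0][1]

def config_sync_primary(peers):
    """Name of the peer with the higher HA priority, or None on a tie."""
    prio = {n: int(c["system ha"].get("priority", [DEFAULT_HA_PRIORITY])[0]) for n, c in peers.items()}
    (na, pa), (nb, pb) = prio.items()
    return None if pa == pb else (na if pa > pb else nb)

def check_fgsp_pair(peers):
    """Return the mismatches found in a {name: parsed_config} pair; [] means consistent."""
    problems = []
    (na, a), (nb, b) = peers.items()
    sc_a, sc_b = a["system standalone-cluster"], b["system standalone-cluster"]
    if sc_a["standalone-group-id"] != sc_b["standalone-group-id"]:
        problems.append("standalone-group-id differs between peers")
    if sc_a["group-member-id"] == sc_b["group-member-id"]:
        problems.append("group-member-id must differ between peers")
    lags = {n: c["system interface"]["Data-int-lag"] for n, c in peers.items()}
    other, syncvd = {na: nb, nb: na}, {}
    for n, c in peers.items():
        # The LAG must be built from exactly the ports declared as sync devices.
        if set(lags[n]["member"]) != set(c["system standalone-cluster"]["data-intf-session-sync-dev"]):
            problems.append(f"{n}: LAG members differ from data-intf-session-sync-dev")
        entries = c["system cluster-sync"]
        if len(entries) > MAX_RECOMMENDED_CLUSTER_SYNC:
            problems.append(f"{n}: more than {MAX_RECOMMENDED_CLUSTER_SYNC} cluster-sync instances")
        want_peerip = lags[other[n]]["ip"][0].split("/")[0]  # the other peer's LAG address
        for key, e in entries.items():
            if e["peervd"] != lags[n]["vdom"]:
                problems.append(f"{n}: cluster-sync {key} peervd is not the VDOM holding the LAG")
            if e["peerip"] != [want_peerip]:
                problems.append(f"{n}: cluster-sync {key} peerip {e['peerip'][0]} != {want_peerip}")
            syncvd.setdefault(n, set()).update(e["syncvd"])
    if syncvd.get(na) != syncvd.get(nb):
        problems.append("syncvd VDOM lists differ between peers")
    if config_sync_primary(peers) is None:
        problems.append("HA priorities are equal; raise one peer's priority to pick the config sync primary")
    return problems

if __name__ == "__main__":
    pair = {"peer_1": parse_fortios(PEER_1), "peer_2": parse_fortios(PEER_2)}
    print("config sync primary:", config_sync_primary(pair), "| problems:", check_fgsp_pair(pair) or "none")
```

Run as-is, the script reports peer_1 as the config sync primary and no problems. To check a real pair, replace PEER_1 and PEER_2 with the text of the four tables (system standalone-cluster, system interface, system cluster-sync, system ha) as printed by `show` on each unit; the checker only reads those tables and the Data-int-lag entry, so any other configuration is ignored.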
As sessions are forwarded by the routers or load balancers to one of the FortiGate-7121Fs, the FGSP synchronizes the sessions to the other FortiGate-7121F. You can log into peer_1 and make configuration changes, which are synchronized to peer_2.