Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Products Best Practices Hardware Guides Products A-Z
Summary
By Solution
By 4D Pillars
By Cloud
Secure Networking
Unified SASE
Security Operations
Secure SD-WAN
Secure Access Service Edge (SASE)
ZTNA
LAN Edge
Identity and Access Management
Next Generation Firewall
Public Cloud
Private Cloud
FortiCloud
Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
    • More >>
    Unified SASE
  • Single Vendor SASE
  • Cloud Network Security
  • Secure Endpoint Connectivity
  • Web Application / API Protection
    • More >>
    Security Operations
  • Security Operations Automation
  • Identity
  • Early Detection & Prevention
    • More >>
    Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
  • Communication & Surveillance
    • Unified SASE
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Cloud Network Security
  • Cloud-Native Security
  • Web Application / API Protection
    • Security Operations
  • Security Operations Automation
  • Endpoint
  • Data Protection
  • Identity
  • Email
  • Early Detection & Prevention
  • Expert Services
  • Edge Firewall
  • Orchestration & management
  • SD Branch
  • Application Delivery
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Secure Private Access
  • Thin Edge
  • Identity
  • Application Gateway
  • Enterprise Asset Management
  • Endpoint Agent
  • Agentless Security Posture
  • Identity
  • Wireless
  • Switching
  • Identity
  • Privilege Acccess Management
  • Next Generation Firewall
  • Orchestration & management
  • Expert Services
  • All
  • All
  • Account Management
  • SAAS Management
  • SAAS Application Security
  • Managed Services
  • Platform as a service (PAAS)
  • Other SAAS Services
    • 4D Resources
    Solution Hubs
  • 4D Pillars
  • Cloud
  • Popular Solutions

    • FortiGate-7000F Handbook

    Home FortiGate-7000 7.0.5 FortiGate-7000F Handbook
    7.0.5
    7.0.16
    7.0.15
    7.0.14
    7.0.13
    7.0.12
    7.0.10
    7.0.5
    6.4.15
    6.4.14
    6.4.13
    6.4.12
    6.4.10
    6.4.8
    6.4.6
    6.2.16
    6.2.16
    6.2.15
    6.2.13
    6.2.12
    6.2.11
    6.2.10
    6.2.9
    6.2.7
    6.2.6

    Example FortiGate-7000F FGSP configuration using 1-M1 and 2-M1 interfaces

    Example FortiGate-7000F FGSP configuration using 1-M1 and 2-M1 interfaces

    This example shows how to configure FGSP to synchronize sessions between two FortiGate-7121Fs for the root VDOM and for a second VDOM, named vdom-1. The example uses the 1-M1 interface for root session synchronization and the 2-M1 interface for vdom-1 session synchronization. The 1-M1 interfaces are connected to the 172.25.177.0/24 network and the 2-M1 interfaces are connected to the 172.25.178.0/24 network.

    The interfaces of the two FortiGate-7121Fs must have their own IP addresses and their own networking configuration. You can give the FortiGate-7121Fs different host names, in this example, peer_1 and peer_2, to make them easier to identify.

    This example also adds configuration synchronization and sets the peer_1 device priority higher so that it becomes the config sync primary. Once configuration synchronization is enabled, you can log into peer_1 and add firewall policies and make other configuration changes and these configuration changes will be synchronized to peer_2. For information about configuration synchronization, including its limitations, see Standalone configuration synchronization.

    Example FortiGate-7121F FGSP configuration

    1. Configure the routers or load balancers to distribute sessions to the two FortiGate-7121Fs.

    2. Change the host names of the FortiGate-7121Fs to peer_1 and peer_2.

    3. Configure network settings for each FortiGate-7121F to allow them to connect to their networks and route traffic.

    4. Add the vdom-1 VDOM to each FortiGate-7121F.

    5. On peer_1, set up the standalone-cluster configuration to use 1-M1 and 2-M1 as the FGSP session synchronization interfaces.

      config system standalone-cluster

      set standalone-group-id 8

      set group-member-id 1

      set session-sync-dev 1-M1 2-M1

      end

    6. On peer_1 configure the 1-M1 and 2-M1 interfaces with IP addresses on the 172.25.177.0/24 and 172.25.178.0/24 networks:

      config system interface

      edit 1-M1

      set ip 172.25.177.30 255.255.255.0

      next

      edit 2-M1

      set ip 172.25.178.35 255.255.255.0

      end

    7. On peer_1, configure session synchronization for the root and vdom-1 VDOMs.

      config system cluster-sync

      edit 1

      set peervd mgmt-vdom

      set peerip 172.25.177.40

      set syncvd root

      next

      edit 2

      set peervd mgmt-vdom

      set peerip 172.25.178.45

      set syncvd vdom-1

      next

      For the root vdom, peervd will always be mgmt-vdom and peerip is the IP address of the 1-M1 interface of peer_2.

      For vdom-1, peervd will always be mgmt-vdom and peerip is the IP address of the 2-M1 interface of peer_2.

    8. On peer_1, enable configuration synchronization, configure the heartbeat interfaces, and set a higher device priority. This makes peer_1 become the config sync primary.

      config system ha

      set standalone-config-sync enable

      set session-pickup enable

      set session-pickup-connectionless enable

      set session-pickup-expectation enable

      set session-pickup-nat enable

      set priority 250

      set hbdev 1-M1 50 2-M1 50

      end

    9. On peer_2, set up the standalone-cluster configuration to use 1-M1 and 2-M1 as the FGSP session synchronization interfaces.

      config system standalone-cluster

      set standalone-group-id 8

      set group-member-id 2

      set session-sync-dev 1-M1 2-M1

      end

    10. On peer_2 configure the 1-M1 and 2-M1 interfaces with IP addresses on the 172.25.177.0/24 and 172.25.178.0/24 networks:

      config system interface

      edit 1-M1

      set ip 172.25.177.40 255.255.255.0

      next

      edit 2-M1

      set ip 172.25.178.45 255.255.255.0

      end

    11. On peer_2, configure session synchronization for the root and vdom-1 VDOMs.

      config system cluster-sync

      edit 1

      set peervd mgmt-vdom

      set peerip 172.25.177.30

      set syncvd root

      next

      edit 2

      set peervd mgmt-vdom

      set peerip 172.25.178.35

      set syncvd vdom-1

      next

      For the root VDOM, peervd will always be mgmt-vdom and peerip is the IP address of the 1-M1 interface of peer_1.

      For vdom-1, peervd will always be mgmt-vdom and peerip is the IP address of the 2-M1 interface of peer_1.

    12. On peer_2, enable configuration synchronization, configure the heartbeat interfaces, and leave the device priority set to the default value.

      config system ha

      set standalone-config-sync enable

      set session-pickup enable

      set session-pickup-connectionless enable

      set session-pickup-expectation enable

      set session-pickup-nat enable

      set hbdev 1-M1 50 2-M1 50

      end

      As sessions are forwarded by the routers or load balancers to one of the FortiGate-7121Fs, the FGSP synchronizes the sessions to the other FortiGate-7121F. You can log into peer_1 and make configuration changes, which are synchronized to peer_2.

    Previous
    Next

    Example FortiGate-7000F FGSP configuration using 1-M1 and 2-M1 interfaces

    Example FortiGate-7000F FGSP configuration using 1-M1 and 2-M1 interfaces

    This example shows how to configure FGSP to synchronize sessions between two FortiGate-7121Fs for the root VDOM and for a second VDOM, named vdom-1. The example uses the 1-M1 interface for root session synchronization and the 2-M1 interface for vdom-1 session synchronization. The 1-M1 interfaces are connected to the 172.25.177.0/24 network and the 2-M1 interfaces are connected to the 172.25.178.0/24 network.

    The interfaces of the two FortiGate-7121Fs must have their own IP addresses and their own networking configuration. You can give the FortiGate-7121Fs different host names, in this example, peer_1 and peer_2, to make them easier to identify.

    This example also adds configuration synchronization and sets the peer_1 device priority higher so that it becomes the config sync primary. Once configuration synchronization is enabled, you can log into peer_1 and add firewall policies and make other configuration changes and these configuration changes will be synchronized to peer_2. For information about configuration synchronization, including its limitations, see Standalone configuration synchronization.

    Example FortiGate-7121F FGSP configuration

    1. Configure the routers or load balancers to distribute sessions to the two FortiGate-7121Fs.

    2. Change the host names of the FortiGate-7121Fs to peer_1 and peer_2.

    3. Configure network settings for each FortiGate-7121F to allow them to connect to their networks and route traffic.

    4. Add the vdom-1 VDOM to each FortiGate-7121F.

    5. On peer_1, set up the standalone-cluster configuration to use 1-M1 and 2-M1 as the FGSP session synchronization interfaces.

      config system standalone-cluster

      set standalone-group-id 8

      set group-member-id 1

      set session-sync-dev 1-M1 2-M1

      end

    6. On peer_1 configure the 1-M1 and 2-M1 interfaces with IP addresses on the 172.25.177.0/24 and 172.25.178.0/24 networks:

      config system interface

      edit 1-M1

      set ip 172.25.177.30 255.255.255.0

      next

      edit 2-M1

      set ip 172.25.178.35 255.255.255.0

      end

    7. On peer_1, configure session synchronization for the root and vdom-1 VDOMs.

      config system cluster-sync

      edit 1

      set peervd mgmt-vdom

      set peerip 172.25.177.40

      set syncvd root

      next

      edit 2

      set peervd mgmt-vdom

      set peerip 172.25.178.45

      set syncvd vdom-1

      next

      For the root vdom, peervd will always be mgmt-vdom and peerip is the IP address of the 1-M1 interface of peer_2.

      For vdom-1, peervd will always be mgmt-vdom and peerip is the IP address of the 2-M1 interface of peer_2.

    8. On peer_1, enable configuration synchronization, configure the heartbeat interfaces, and set a higher device priority. This makes peer_1 become the config sync primary.

      config system ha

      set standalone-config-sync enable

      set session-pickup enable

      set session-pickup-connectionless enable

      set session-pickup-expectation enable

      set session-pickup-nat enable

      set priority 250

      set hbdev 1-M1 50 2-M1 50

      end

    9. On peer_2, set up the standalone-cluster configuration to use 1-M1 and 2-M1 as the FGSP session synchronization interfaces.

      config system standalone-cluster

      set standalone-group-id 8

      set group-member-id 2

      set session-sync-dev 1-M1 2-M1

      end

    10. On peer_2 configure the 1-M1 and 2-M1 interfaces with IP addresses on the 172.25.177.0/24 and 172.25.178.0/24 networks:

      config system interface

      edit 1-M1

      set ip 172.25.177.40 255.255.255.0

      next

      edit 2-M1

      set ip 172.25.178.45 255.255.255.0

      end

    11. On peer_2, configure session synchronization for the root and vdom-1 VDOMs.

      config system cluster-sync

      edit 1

      set peervd mgmt-vdom

      set peerip 172.25.177.30

      set syncvd root

      next

      edit 2

      set peervd mgmt-vdom

      set peerip 172.25.178.35

      set syncvd vdom-1

      next

      For the root VDOM, peervd will always be mgmt-vdom and peerip is the IP address of the 1-M1 interface of peer_1.

      For vdom-1, peervd will always be mgmt-vdom and peerip is the IP address of the 2-M1 interface of peer_1.

    12. On peer_2, enable configuration synchronization, configure the heartbeat interfaces, and leave the device priority set to the default value.

      config system ha

      set standalone-config-sync enable

      set session-pickup enable

      set session-pickup-connectionless enable

      set session-pickup-expectation enable

      set session-pickup-nat enable

      set hbdev 1-M1 50 2-M1 50

      end

      As sessions are forwarded by the routers or load balancers to one of the FortiGate-7121Fs, the FGSP synchronizes the sessions to the other FortiGate-7121F. You can log into peer_1 and make configuration changes, which are synchronized to peer_2.

    Previous
    Next