
Azure vWAN SD-WAN NGFW Deployment Guide

7.2.0

Configuring FGSP on FortiGate NVAs (CLI)

In certain configurations, such as redundant IPsec tunnels, traffic may return asymmetrically: an initial connection can arrive on one FortiGate while the return packets are sent to the other FortiGate. Supporting asymmetric traffic requires the FortiGate Session Life Support Protocol (FGSP), a layer 3 session synchronization feature, to be enabled. Further, packets must be allowed to be rerouted from one FortiGate to the other in cases where IPS or other deep packet inspection is required.

Note

As an alternative to enabling FGSP, Source NAT (SNAT) can be used instead. For more information about Source NAT, see the FortiManager Administration Guide > SNAT Policy.

For more information about FGSP and the available options, see the FortiOS Administration Guide > FGSP.

To configure the first FortiGate:
  1. On FortiManager, use SSH to connect to the CLI of the first FortiGate.
    1. Go to Device Manager, and select the FortiGate in the tree menu. The Dashboard for the device is displayed.

    2. Go to Dashboard > Summary, and click Connect to CLI via SSH in the System Information widget. The Connect CLI via SSH dialog box is displayed.
    3. Enter the administrative name for the FortiGate, and click OK. The CLI Console for FortiGate is displayed.
    4. Enter the password for the FortiGate and press Enter. You are connected to the CLI of the FortiGate.
  2. On the first FortiGate, locate the IP address for port2 by running the get system interface command.

    In the following example, the IP address for port2 is 10.15.112.5.

  3. On the second FortiGate, repeat steps 1 and 2 to locate its IP address for port2.

    You now have the IP address for port2 for each FortiGate.

  4. On the first FortiGate, set the peerip option to the IP address of port2 of the second FortiGate.

    config system standalone-cluster
        set standalone-group-id 1
        set group-member-id 1
        config cluster-peer
            edit 1
                set peerip <IP address for port2 of the peer FortiGate>
            next
        end
    end
    config system ha
        set session-pickup enable
        set session-pickup-nat enable
        set session-pickup-connectionless enable
        set override disable
    end

  5. On the second FortiGate, set the peerip option to the IP address of port2 of the first (primary) FortiGate.

    The group-member-id on the second FortiGate is different from the primary FortiGate.
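The following added example (not part of this guide) renders the FGSP CLI from steps 4 and 5 for both FortiGate NVAs from their port2 addresses, and checks the two invariants the procedure depends on: the group-member-id values differ and each unit's peerip is the other unit's port2 address. The first port2 address is the one from the guide; the second (10.15.112.6) and the member names are constructed for illustration.

```python
# Added example, not from the Fortinet guide: render the FGSP CLI for both
# FortiGate NVAs and sanity-check the pair. The second port2 address
# (10.15.112.6) is constructed; the guide gives only the first one.
from dataclasses import dataclass
import ipaddress

@dataclass(frozen=True)
class Member:
    name: str
    member_id: int  # group-member-id, must be unique per FortiGate
    port2_ip: str   # this unit's port2 address; the peer uses it as peerip

def render_fgsp(member: Member, peer: Member, group_id: int = 1) -> str:
    """FortiOS CLI lines from the guide, filled in for one member."""
    return "\n".join([
        "config system standalone-cluster",
        f"    set standalone-group-id {group_id}",
        f"    set group-member-id {member.member_id}",
        "    config cluster-peer",
        "        edit 1",
        f"            set peerip {peer.port2_ip}",
        "        next",
        "    end",
        "end",
        "config system ha",
        "    set session-pickup enable",
        "    set session-pickup-nat enable",
        "    set session-pickup-connectionless enable",
        "    set override disable",
        "end",
    ])

def check_pair(a: Member, b: Member) -> list[str]:
    """Pre-deployment checks; an empty list means the pair is consistent."""
    issues = []
    if a.member_id == b.member_id:
        issues.append("group-member-id must differ between the two FortiGates")
    ips = {}
    for m in (a, b):
        try:
            ips[m.name] = ipaddress.ip_address(m.port2_ip)
        except ValueError:
            issues.append(f"{m.name}: port2 address {m.port2_ip!r} is invalid")
    if len(ips) == 2 and ips[a.name] == ips[b.name]:
        issues.append("both units have the same port2 address; peerip would be self")
    return issues

FGT1 = Member("FortiGate-1", 1, "10.15.112.5")  # port2 address from the guide
FGT2 = Member("FortiGate-2", 2, "10.15.112.6")  # constructed for this example
```

Calling render_fgsp(FGT1, FGT2) and render_fgsp(FGT2, FGT1) gives the two CLI blocks to paste into each unit; run check_pair(FGT1, FGT2) first and expect an empty list.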
