Using FGSP to load balance access to two active-active data centers
This advanced scenario describes how to configure FortiGate Session Life Support Protocol (FGSP) with four peer FortiGates protecting two active-active data centers.
FGSP supports up to 16 peer FortiGates.
In this example, two redundant active-active data centers process traffic from the Internet, distributing traffic to the FortiGates (named Peer-1, Peer-2, Peer-3 and Peer-4) by routers or load balancers. All the FortiGates are configured with two virtual domains: root and vdom1. All sessions processed by vdom1 are synchronized with all the FortiGates. The synchronization link interface is port 3 in the root virtual domain. The IP addresses of port 3 are different for each FortiGate:
- For Peer-1, the port 3 IP address is 10.10.10.1
- For Peer-2, the port 3 IP address is 10.10.10.2
- For Peer-3, the port 3 IP address is 10.10.10.3
- For Peer-4, the port 3 IP address is 10.10.10.4
The port 1 and port 2 interfaces are added to vdom1. To keep the configuration simple and applicable to different networks, port 1 and port 2 are added to a virtual wire pair so these interfaces do not have IP addresses. This example includes a policy that allows all traffic across the virtual wire pair. This example policy applies the default VoIP profile to all VoIP traffic and applies virus scanning and application control.
Although this architecture can support different configurations on each FortiGate, it is not recommended. Usually, all FortiGates in an FGSP deployment have the same configuration. This example assumes configuration synchronization is disabled in FortiOS and you are using FortiManager to keep the FortiGate configurations synchronized.