NAT sessions
By default, NAT sessions are not synchronized. However, the FGSP can synchronize NAT sessions if you enter the following:
config system ha
    set session-pickup enable
    set session-pickup-nat enable
end
If you want NAT sessions to resume after a failover, however, do not configure NAT to use the destination interface IP address, because the FGSP FortiGates have different interface IP addresses. With that configuration, after a failover every session translated to an interface IP address of the failed FortiGate has nowhere to go, since that address is no longer on the network.
Instead, in an FGSP configuration, if you want NAT sessions to fail over, use IP pools with the type set to overload (the default IP pool type). For example:
config firewall ippool
    edit FGSP-pool
        set type overload
        set startip 172.20.120.10
        set endip 172.20.120.20
    next
end
Then, when you configure the NAT firewall policies, enable NAT, select Use Dynamic IP Pool, and select the IP pool that you added.
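The following is an added example, not part of the Fortinet documentation: a small Python audit of a FortiOS-style configuration dump that checks the two requirements above, that session-pickup and session-pickup-nat are enabled under config system ha, and that every firewall policy with NAT enabled uses a dynamic IP pool of type overload rather than the destination interface IP address. The minimal config/edit/set/next/end parser and the sample configuration (one compliant policy and one that NATs to the interface IP) are constructed for this example; the policy-level keywords nat, ippool and poolname are the real FortiOS CLI names.

```python
"""Audit a FortiOS config dump for the FGSP NAT-session requirements.
Added example; the parser and sample config are assumptions of this demo."""
import shlex

# Constructed sample: policy 1 follows the guidance, policy 2 does not.
SAMPLE_CONFIG = """\
config system ha
    set session-pickup enable
    set session-pickup-nat enable
end
config firewall ippool
    edit "FGSP-pool"
        set type overload
        set startip 172.20.120.10
        set endip 172.20.120.20
    next
end
config firewall policy
    edit 1
        set srcintf "port2"
        set dstintf "port1"
        set nat enable
        set ippool enable
        set poolname "FGSP-pool"
    next
    edit 2
        set srcintf "port2"
        set dstintf "port1"
        set nat enable
    next
end
"""


def parse_config(text):
    """Parse FortiOS CLI text into {section: {entry: {key: [values]}}}.
    "config a b" becomes the section "a b"; "edit X" entries map to X and
    settings outside any edit map to "". Handles one level of nesting only."""
    sections, section, entry = {}, None, ""
    for raw in text.splitlines():
        words = shlex.split(raw)  # strips the quotes FortiOS puts around names
        if not words:
            continue
        cmd, args = words[0], words[1:]
        if cmd == "config":
            section, entry = " ".join(args), ""
            sections.setdefault(section, {})
        elif cmd == "edit":
            entry = args[0]
            sections[section].setdefault(entry, {})
        elif cmd == "set":
            sections[section].setdefault(entry, {})[args[0]] = args[1:]
        elif cmd == "next":
            entry = ""
        elif cmd == "end":
            section, entry = None, ""
    return sections


def first(settings, key, default=None):
    """First value of a setting, or the default when it is not set."""
    vals = settings.get(key)
    return vals[0] if vals else default


def audit_fgsp_nat(text):
    """Return findings; an empty list means NAT sessions can fail over."""
    cfg = parse_config(text)
    findings = []
    ha = cfg.get("system ha", {}).get("", {})
    for opt in ("session-pickup", "session-pickup-nat"):
        if first(ha, opt) != "enable":
            findings.append(f"system ha: {opt} is not enabled")
    pools = cfg.get("firewall ippool", {})
    for pid, policy in cfg.get("firewall policy", {}).items():
        if first(policy, "nat") != "enable":
            continue  # no NAT on this policy, nothing to synchronize
        if first(policy, "ippool") != "enable":
            findings.append(f"policy {pid}: NAT uses the destination interface "
                            "IP; sessions cannot fail over between FGSP peers")
            continue
        names = policy.get("poolname", [])
        if not names:
            findings.append(f"policy {pid}: ippool enabled but no poolname set")
        for name in names:
            if name not in pools:
                findings.append(f"policy {pid}: IP pool {name!r} is not defined")
            # FortiOS defaults the pool type to overload when it is not set
            elif first(pools[name], "type", "overload") != "overload":
                findings.append(f"policy {pid}: pool {name!r} is type "
                                f"{first(pools[name], 'type')}, expected overload")
    return findings


if __name__ == "__main__":
    for line in audit_fgsp_nat(SAMPLE_CONFIG) or ["no findings"]:
        print(line)
```

Run against the sample, the audit reports only policy 2, which has NAT enabled without a dynamic IP pool. To check a live unit, paste the output of `show system ha`, `show firewall ippool` and `show firewall policy` into one file and pass its contents to `audit_fgsp_nat`.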