Notes and limitations
FGSP has the following limitations:
- FGSP is a global configuration option. As a result, you can only add one service to a filter configuration. You cannot add custom services or service groups, even if virtual domains are not enabled.
- You can only add one filter configuration to a given FGSP configuration. However, you can add multiple filters by adding multiple identical FGSP configurations, each one with a different filter configuration.
- Sessions accepted by security policies with security profiles configured are not synchronized.
- FGSP is configured from the CLI.
- FGSP is available for FortiGates or virtual domains operating in NAT or transparent mode. NAT sessions are not synchronized in either mode (unless NAT synchronization is enabled as described in NAT sessions). In NAT mode, only sessions for route mode security policies are synchronized. In transparent mode, only sessions for normal transparent mode policies are synchronized.
- FGSP is supported for traffic on physical interfaces, VLAN interfaces, zones, aggregate interfaces, and NPx (NP4, NP6, etc.) accelerated interfaces. FGSP has not been tested for inter-VDOM links or for redundant interfaces.
- The names of the matching interfaces, including VLAN interfaces, aggregate interfaces, and so on, must be the same on both peers.
- An FGSP deployment can include 2 to 4 standalone FortiGates, or 2 to 4 FortiGate FGCP clusters of 2 members each. Adding more FortiGates increases the CPU and memory required to keep all of the FortiGates synchronized.