Fortinet black logo

Handbook

NAT sessions

6.0.0
Copy Link
Copy Doc ID 4afb0436-a998-11e9-81a4-00505692583a:939433
Download PDF

By default, NAT sessions are not synchronized. However, the FGSP can synchronize NAT sessions if you enter the following:

config system ha

set session-pickup enable

set session-pickup-nat enable

end

However, if you want NAT sessions to resume after a failover, you should not configure NAT to use the destination interface IP address since the FGSP FortiGates have different IP addresses. With this configuration, after a failover all sessions that include the IP addresses of interfaces on the failed FortiGate will have nowhere to go since the IP addresses of the failed FortiGate will no longer be on the network.

Instead, in an FGSP configuration, if you want NAT sessions to failover, you should use IP pools with the type set to overload (which is the default IP pool type). For example:

config firewall ippool

edit FGSP-pool

set type overload

set startip 172.20.120.10

set endip 172.20.120.20

end

Then when you configure NAT firewall policies, turn on NAT and select to use dynamic IP pool and select the IP pool that you added.

By default, NAT sessions are not synchronized. However, the FGSP can synchronize NAT sessions if you enter the following:

config system ha

set session-pickup enable

set session-pickup-nat enable

end

However, if you want NAT sessions to resume after a failover, you should not configure NAT to use the destination interface IP address since the FGSP FortiGates have different IP addresses. With this configuration, after a failover all sessions that include the IP addresses of interfaces on the failed FortiGate will have nowhere to go since the IP addresses of the failed FortiGate will no longer be on the network.

Instead, in an FGSP configuration, if you want NAT sessions to failover, you should use IP pools with the type set to overload (which is the default IP pool type). For example:

config firewall ippool

edit FGSP-pool

set type overload

set startip 172.20.120.10

set endip 172.20.120.20

end

Then when you configure NAT firewall policies, turn on NAT and select to use dynamic IP pool and select the IP pool that you added.