Fortinet Document Library

Version:


Table of Contents

CLI Reference

6.0.6
Download PDF
Copy Link

system cluster-sync

Use this command to configure FortiGate Session Life Support Protocol (FGSP) session synchronization.

In a network that already includes load balancing (either with load balancers or routers) for traffic redundancy, two or more FortiGates can be integrated into the load balancing configuration using the FGSP. The external load balancers or routers can distribute sessions among the FortiGates and the FGSP performs session synchronization of IPv4 and IPv6 TCP, UDP, ICMP, expectation, and NAT sessions and IPsec tunnels to keep the session tables of the FortiGates synchronized. If one of the FortiGates fails, session failover occurs and active sessions fail over to the FortiGates that are still operating. This failover occurs without any loss of data. As well, the external routers or load balancers will detect the failover and redistribute all sessions to the peers that are still operating.

FGSP with FortiOS Carrier also supports GTP session synchronization.

config system cluster-sync
    edit {sync-id}
    # Configure FortiGate Session Life Support Protocol (FGSP) session synchronization.
        set sync-id {integer}   Sync ID. range[0-4294967295]
        set peervd {string}   VDOM that contains the session synchronization link interface on the peer unit. Usually both peers would have the same peervd. size[31] - datasource(s): system.vdom.name
        set peerip {ipv4 address}   IP address of the interface on the peer unit that is used for the session synchronization link.
        config syncvd
            edit {name}
            # Sessions from these VDOMs are synchronized using this session synchronization configuration.
                set name {string}   VDOM name. size[64] - datasource(s): system.vdom.name
            next
        config down-intfs-before-sess-sync
            edit {name}
            # List of interfaces to be turned down before session synchronization is complete.
                set name {string}   Interface name. size[64] - datasource(s): system.interface.name
            next
        set hb-interval {integer}   Heartbeat interval (1 - 10 sec). range[1-10]
        set hb-lost-threshold {integer}   Lost heartbeat threshold (1 - 10). range[1-10]
        set slave-add-ike-routes {enable | disable}   Enable/disable IKE route announcement on the backup unit.
        config session-sync-filter
            set srcintf {string}   Only sessions from this interface are synchronized. You can only enter one interface name. To synchronize sessions for multiple source interfaces, add multiple filters. size[15] - datasource(s): system.interface.name
            set dstintf {string}   Only sessions to this interface are synchronized. You can only enter one interface name. To synchronize sessions to multiple destination interfaces, add multiple filters. size[15] - datasource(s): system.interface.name
            set srcaddr {ipv4 classnet any}   Only sessions from this IPv4 address are synchronized. You can only enter one address. To synchronize sessions from multiple source addresses, add multiple filters.
            set dstaddr {ipv4 classnet any}   Only sessions to this IPv4 address are synchronized. You can only enter one address. To synchronize sessions for multiple destination addresses, add multiple filters.
            set srcaddr6 {ipv6 network}   Only sessions from this IPv6 address are synchronized. You can only enter one address. To synchronize sessions from multiple source addresses, add multiple filters.
            set dstaddr6 {ipv6 network}   Only sessions to this IPv6 address are synchronized. You can only enter one address. To synchronize sessions for multiple destination addresses, add multiple filters.
            config custom-service
                edit {id}
                # Only sessions using these custom services are synchronized. Use source and destination port ranges to define these custome services.
                    set id {integer}   Custom service ID. range[0-4294967295]
                    set src-port-range {string}   Custom service source port range.
                    set dst-port-range {string}   Custom service destination port range.
                next
    next
end

Additional information

The following section is for those options that require additional explanation.

<sync_id>

Enter the unique ID number for the session synchronization configuration to edit. The session synchronization configuration ID can be any number between 1 and 200. The session synchronization configuration IDs of the peers do not have to match.

peervd <vd_name>

Enter the name of the virtual domain that contains the session synchronization link interface on the peer unit. Usually both peers would have the same peervd. Multiple session synchronization configurations can use the same peervd. The default VDOM name is root.

syncvd <vd_name>

Enter the names of one or more VDOMs that should be synchronized by this cluster-sync instance. If multiple VDOMs are not enabled, syncvd should be set to root, which is the default setting.

config custom-service

Add a service filter for session sync.

config filter

Add a filter to a standalone session synchronization configuration. You can add a filter if you want to only synchronize some TCP sessions. Using a filter you can configure synchronization to only synchronize sessions according to source and destination address, source and destination interface, and predefined firewall TCP service. You can only add one filter to a standalone session synchronization configuration.

dstaddr <dst_ip_ipv4> <dst_mask_ipv4>

dstaddr6 <dst_ip_ipv6>

Enter the destination IP address (or range) and netmask of the sessions to synchronize. For IPv4 addresses, use

dstaddr. For IPv6 addresses, use dstaddr6. The default IP address and netmask (0.0.0.0 / 0.0.0.0 or ::/0) synchronizes sessions for all destination address. If you want to specify multiple IP addresses or address ranges you can add multiple standalone session synchronization configurations.

dstintf <interface_name>

Enter the name of a FortiGate interface (this can be any interface including a VLAN interface, aggregate interface, redundant interface, virtual SSL VPN interface, or inter- VDOM link interface). Only sessions destined for this interface are synchronized. You can only enter one interface name. If you want to synchronize sessions for multiple interfaces you can add multiple standalone session synchronization configurations. The default dstintf setting synchronizes sessions for all interfaces.

dst-port-range <xxx-yyy>

Enter the destination port range for the service filter.

service <string>

Enter the name of a FortiGate firewall predefined service. Only sessions that use this predefined service are synchronized. You can only enter one predefined service name. If you want to synchronize sessions for multiple services you can add multiple standalone session synchronization configurations.

srcaddr <src_ip_ipv4> <src_mask_ipv4>

srcaddr6 <src_ip_ipv6>

Enter the source IP address and netmask of the sessions to synchronize. For IPv4 addresses, use srcaddr. For IPv6 addresses, use srcaddr6. The default IP address and netmask (0.0.0.0 / 0.0.0.0 or ::/0) synchronizes sessions for all source address. If you want to specify multiple IP addresses or address ranges you can add multiple standalone session synchronization configurations.

srcintf <interface_name>

Enter the name of a FortiGate interface (this can be any interface including a VLAN interface, aggregate interface, redundant interface, virtual SSL VPN interface, or inter- VDOM link interface). Only sessions from this interface are synchronized. You can only enter one interface name. If you want to synchronize sessions for multiple interfaces you can add multiple standalone session synchronization configurations. The default srcintf setting synchronizes sessions for all interfaces.

src-port-range <xxx-yyy>

Enter the source port range for the service filter.

system cluster-sync

Use this command to configure FortiGate Session Life Support Protocol (FGSP) session synchronization.

In a network that already includes load balancing (either with load balancers or routers) for traffic redundancy, two or more FortiGates can be integrated into the load balancing configuration using the FGSP. The external load balancers or routers can distribute sessions among the FortiGates and the FGSP performs session synchronization of IPv4 and IPv6 TCP, UDP, ICMP, expectation, and NAT sessions and IPsec tunnels to keep the session tables of the FortiGates synchronized. If one of the FortiGates fails, session failover occurs and active sessions fail over to the FortiGates that are still operating. This failover occurs without any loss of data. As well, the external routers or load balancers will detect the failover and redistribute all sessions to the peers that are still operating.

FGSP with FortiOS Carrier also supports GTP session synchronization.

config system cluster-sync
    edit {sync-id}
    # Configure FortiGate Session Life Support Protocol (FGSP) session synchronization.
        set sync-id {integer}   Sync ID. range[0-4294967295]
        set peervd {string}   VDOM that contains the session synchronization link interface on the peer unit. Usually both peers would have the same peervd. size[31] - datasource(s): system.vdom.name
        set peerip {ipv4 address}   IP address of the interface on the peer unit that is used for the session synchronization link.
        config syncvd
            edit {name}
            # Sessions from these VDOMs are synchronized using this session synchronization configuration.
                set name {string}   VDOM name. size[64] - datasource(s): system.vdom.name
            next
        config down-intfs-before-sess-sync
            edit {name}
            # List of interfaces to be turned down before session synchronization is complete.
                set name {string}   Interface name. size[64] - datasource(s): system.interface.name
            next
        set hb-interval {integer}   Heartbeat interval (1 - 10 sec). range[1-10]
        set hb-lost-threshold {integer}   Lost heartbeat threshold (1 - 10). range[1-10]
        set slave-add-ike-routes {enable | disable}   Enable/disable IKE route announcement on the backup unit.
        config session-sync-filter
            set srcintf {string}   Only sessions from this interface are synchronized. You can only enter one interface name. To synchronize sessions for multiple source interfaces, add multiple filters. size[15] - datasource(s): system.interface.name
            set dstintf {string}   Only sessions to this interface are synchronized. You can only enter one interface name. To synchronize sessions to multiple destination interfaces, add multiple filters. size[15] - datasource(s): system.interface.name
            set srcaddr {ipv4 classnet any}   Only sessions from this IPv4 address are synchronized. You can only enter one address. To synchronize sessions from multiple source addresses, add multiple filters.
            set dstaddr {ipv4 classnet any}   Only sessions to this IPv4 address are synchronized. You can only enter one address. To synchronize sessions for multiple destination addresses, add multiple filters.
            set srcaddr6 {ipv6 network}   Only sessions from this IPv6 address are synchronized. You can only enter one address. To synchronize sessions from multiple source addresses, add multiple filters.
            set dstaddr6 {ipv6 network}   Only sessions to this IPv6 address are synchronized. You can only enter one address. To synchronize sessions for multiple destination addresses, add multiple filters.
            config custom-service
                edit {id}
                # Only sessions using these custom services are synchronized. Use source and destination port ranges to define these custome services.
                    set id {integer}   Custom service ID. range[0-4294967295]
                    set src-port-range {string}   Custom service source port range.
                    set dst-port-range {string}   Custom service destination port range.
                next
    next
end

Additional information

The following section is for those options that require additional explanation.

<sync_id>

Enter the unique ID number for the session synchronization configuration to edit. The session synchronization configuration ID can be any number between 1 and 200. The session synchronization configuration IDs of the peers do not have to match.

peervd <vd_name>

Enter the name of the virtual domain that contains the session synchronization link interface on the peer unit. Usually both peers would have the same peervd. Multiple session synchronization configurations can use the same peervd. The default VDOM name is root.

syncvd <vd_name>

Enter the names of one or more VDOMs that should be synchronized by this cluster-sync instance. If multiple VDOMs are not enabled, syncvd should be set to root, which is the default setting.

config custom-service

Add a service filter for session sync.

config filter

Add a filter to a standalone session synchronization configuration. You can add a filter if you want to only synchronize some TCP sessions. Using a filter you can configure synchronization to only synchronize sessions according to source and destination address, source and destination interface, and predefined firewall TCP service. You can only add one filter to a standalone session synchronization configuration.

dstaddr <dst_ip_ipv4> <dst_mask_ipv4>

dstaddr6 <dst_ip_ipv6>

Enter the destination IP address (or range) and netmask of the sessions to synchronize. For IPv4 addresses, use

dstaddr. For IPv6 addresses, use dstaddr6. The default IP address and netmask (0.0.0.0 / 0.0.0.0 or ::/0) synchronizes sessions for all destination address. If you want to specify multiple IP addresses or address ranges you can add multiple standalone session synchronization configurations.

dstintf <interface_name>

Enter the name of a FortiGate interface (this can be any interface including a VLAN interface, aggregate interface, redundant interface, virtual SSL VPN interface, or inter- VDOM link interface). Only sessions destined for this interface are synchronized. You can only enter one interface name. If you want to synchronize sessions for multiple interfaces you can add multiple standalone session synchronization configurations. The default dstintf setting synchronizes sessions for all interfaces.

dst-port-range <xxx-yyy>

Enter the destination port range for the service filter.

service <string>

Enter the name of a FortiGate firewall predefined service. Only sessions that use this predefined service are synchronized. You can only enter one predefined service name. If you want to synchronize sessions for multiple services you can add multiple standalone session synchronization configurations.

srcaddr <src_ip_ipv4> <src_mask_ipv4>

srcaddr6 <src_ip_ipv6>

Enter the source IP address and netmask of the sessions to synchronize. For IPv4 addresses, use srcaddr. For IPv6 addresses, use srcaddr6. The default IP address and netmask (0.0.0.0 / 0.0.0.0 or ::/0) synchronizes sessions for all source address. If you want to specify multiple IP addresses or address ranges you can add multiple standalone session synchronization configurations.

srcintf <interface_name>

Enter the name of a FortiGate interface (this can be any interface including a VLAN interface, aggregate interface, redundant interface, virtual SSL VPN interface, or inter- VDOM link interface). Only sessions from this interface are synchronized. You can only enter one interface name. If you want to synchronize sessions for multiple interfaces you can add multiple standalone session synchronization configurations. The default srcintf setting synchronizes sessions for all interfaces.

src-port-range <xxx-yyy>

Enter the source port range for the service filter.