Fortinet Document Library

Version:

Version:


Table of Contents

Cookbook

Download PDF
Copy Link

Using standalone configuration synchronization

You can configure synchronization from one standalone FortiGate to another standalone FortiGate (standalone-config-sync). With the exception of some configurations that do not sync (settings that identify the FortiGate to the network), the rest of the configurations are synced, such as firewall policies, firewall addresses, and UTM profiles.

This option is useful in situations when you need to set up FGSP peers, or when you want to quickly deploy several FortiGates with the same configurations. You can set up standalone-config-sync for multiple members.

Caution

standalone-config-sync is an independent feature and should be used with caution as there are some limitations. We recommend disabling it once the configurations have been synced over.

Limitations

When standalone configuration synchronization is enabled, there are some limitations, including but not limited to the following:

  • Network interruptions occur during firmware upgrades: when upgrading the firmware, all members in the standalone-config-sync group are upgraded simultaneously. This creates downtime if the FortiGates are the only outgoing gateway in the network. We recommend disabling the option before upgrading firmware.
  • Some unwanted configurations might be synced: the current design and implementation of standalone-config-sync is based on requirements from specific customers. Thus, some users may find that unwanted parts of the configurations are synced. Should this occur, we recommend disabling the option and modifying those configurations manually.
  • The wrong master device might be picked accidentally: standalone-config-sync is derived from the HA primary unit selection mechanism. All members in the group will join the selection process in the same way as a the HA cluster selection process. It is important to select the correct device as the master, otherwise the wrong device could be selected and existing configurations could be overwritten.
  • Layer 2 heartbeat connections must be present: similar to HA heartbeat requirements, one or more layer 2 heartbeat connections are needed to sync configurations between the master and slave devices.

Setting up standalone configuration synchronization

Two or more standalone FortiGates should be connected to each other with one or more heartbeat interfaces, either back-to-back or via a switch. In the following example, the device supplying the configurations is called "conf-master," and the devices receiving the configurations are called "conf-slaves."

To set up standalone configuration synchronization:
  1. Configure the conf-master device for the group:
    config system ha
        set hbdev ha1 50 ha2 100
        set priority 255
        set override enable
        set standalone-config-sync enable
    end
  2. Configure the conf-master device as needed to be functional.
  3. Configure the other group members as conf-slaves:
    config system ha
        set standalone-config-sync enable
    end
  4. Wait 10–15 minutes for the configurations to sync over.
  5. Verify the synchronization status:
    get sys ha status
    path=system, objname=ha, tablename=(null), size=5912
    HA Health Status:
      WARNING: FG201E4Q17900771 has hbdev down;
      WARNING: FG201ETK19900991 has hbdev down;
    Model: FortiGate-201E
    Mode: ConfigSync
    Group: 0
    Debug: 0
    Cluster Uptime: 0 days 0:0:51
    Cluster state change time: 2019-09-03 17:46:07
    Master selected using:
      <2019/09/03 17:46:07> FG201ETK19900991 is selected as the master because it has the largest value of override priority.
    ses_pickup: disable
    override: disable
    Configuration Status:
      FG201E4Q17900771(updated 3 seconds ago): out-of-syncFG201ETK19900991(updated 1 seconds ago): in-sync
    System Usage stats:
      FG201E4Q17900771(updated 3 seconds ago):
        sessions=1, average-cpu-user/nice/system/idle=0%/0%/0%/100%, memory=16%
      FG201ETK19900991(updated 1 seconds ago):
        sessions=1, average-cpu-user/nice/system/idle=0%/0%/0%/100%, memory=16%
    HBDEV stats:
      FG201E4Q17900771(updated 3 seconds ago):
        wan2: physical/1000auto, up, rx-bytes/packets/dropped/errors=114918/266/0/0, tx=76752/178/0/0
        ha: physical/00, down, rx-bytes/packets/dropped/errors=0/0/0/0, tx=0/0/0/0
      FG201ETK19900991(updated 1 seconds ago):
        wan2: physical/1000auto, up, rx-bytes/packets/dropped/errors=83024/192/0/0, tx=120216/278/0/0
        ha: physical/00, down, rx-bytes/packets/dropped/errors=0/0/0/0, tx=0/0/0/0
    Slave : FortiGate-201E, FG201E4Q17900771, HA cluster index = 1
    Master: FortiGate-201E, FG201ETK19900991, HA cluster index = 0
    number of vcluster: 1
    vcluster 1: work 169.254.0.1
    Slave : FG201E4Q17900771, HA operating index = 1
    Master: FG201ETK19900991, HA operating index = 0

    If all members are in-sync, this means all members share the same configurations, except those that should not be synced. If any members are out-of-sync, this means the member failed to sync with the master device.

Note

Debugging is similar when a cluster is out of sync.

Using standalone configuration synchronization

You can configure synchronization from one standalone FortiGate to another standalone FortiGate (standalone-config-sync). With the exception of some configurations that do not sync (settings that identify the FortiGate to the network), the rest of the configurations are synced, such as firewall policies, firewall addresses, and UTM profiles.

This option is useful in situations when you need to set up FGSP peers, or when you want to quickly deploy several FortiGates with the same configurations. You can set up standalone-config-sync for multiple members.

Caution

standalone-config-sync is an independent feature and should be used with caution as there are some limitations. We recommend disabling it once the configurations have been synced over.

Limitations

When standalone configuration synchronization is enabled, there are some limitations, including but not limited to the following:

  • Network interruptions occur during firmware upgrades: when upgrading the firmware, all members in the standalone-config-sync group are upgraded simultaneously. This creates downtime if the FortiGates are the only outgoing gateway in the network. We recommend disabling the option before upgrading firmware.
  • Some unwanted configurations might be synced: the current design and implementation of standalone-config-sync is based on requirements from specific customers. Thus, some users may find that unwanted parts of the configurations are synced. Should this occur, we recommend disabling the option and modifying those configurations manually.
  • The wrong master device might be picked accidentally: standalone-config-sync is derived from the HA primary unit selection mechanism. All members in the group will join the selection process in the same way as a the HA cluster selection process. It is important to select the correct device as the master, otherwise the wrong device could be selected and existing configurations could be overwritten.
  • Layer 2 heartbeat connections must be present: similar to HA heartbeat requirements, one or more layer 2 heartbeat connections are needed to sync configurations between the master and slave devices.

Setting up standalone configuration synchronization

Two or more standalone FortiGates should be connected to each other with one or more heartbeat interfaces, either back-to-back or via a switch. In the following example, the device supplying the configurations is called "conf-master," and the devices receiving the configurations are called "conf-slaves."

To set up standalone configuration synchronization:
  1. Configure the conf-master device for the group:
    config system ha
        set hbdev ha1 50 ha2 100
        set priority 255
        set override enable
        set standalone-config-sync enable
    end
  2. Configure the conf-master device as needed to be functional.
  3. Configure the other group members as conf-slaves:
    config system ha
        set standalone-config-sync enable
    end
  4. Wait 10–15 minutes for the configurations to sync over.
  5. Verify the synchronization status:
    get sys ha status
    path=system, objname=ha, tablename=(null), size=5912
    HA Health Status:
      WARNING: FG201E4Q17900771 has hbdev down;
      WARNING: FG201ETK19900991 has hbdev down;
    Model: FortiGate-201E
    Mode: ConfigSync
    Group: 0
    Debug: 0
    Cluster Uptime: 0 days 0:0:51
    Cluster state change time: 2019-09-03 17:46:07
    Master selected using:
      <2019/09/03 17:46:07> FG201ETK19900991 is selected as the master because it has the largest value of override priority.
    ses_pickup: disable
    override: disable
    Configuration Status:
      FG201E4Q17900771(updated 3 seconds ago): out-of-syncFG201ETK19900991(updated 1 seconds ago): in-sync
    System Usage stats:
      FG201E4Q17900771(updated 3 seconds ago):
        sessions=1, average-cpu-user/nice/system/idle=0%/0%/0%/100%, memory=16%
      FG201ETK19900991(updated 1 seconds ago):
        sessions=1, average-cpu-user/nice/system/idle=0%/0%/0%/100%, memory=16%
    HBDEV stats:
      FG201E4Q17900771(updated 3 seconds ago):
        wan2: physical/1000auto, up, rx-bytes/packets/dropped/errors=114918/266/0/0, tx=76752/178/0/0
        ha: physical/00, down, rx-bytes/packets/dropped/errors=0/0/0/0, tx=0/0/0/0
      FG201ETK19900991(updated 1 seconds ago):
        wan2: physical/1000auto, up, rx-bytes/packets/dropped/errors=83024/192/0/0, tx=120216/278/0/0
        ha: physical/00, down, rx-bytes/packets/dropped/errors=0/0/0/0, tx=0/0/0/0
    Slave : FortiGate-201E, FG201E4Q17900771, HA cluster index = 1
    Master: FortiGate-201E, FG201ETK19900991, HA cluster index = 0
    number of vcluster: 1
    vcluster 1: work 169.254.0.1
    Slave : FG201E4Q17900771, HA operating index = 1
    Master: FG201ETK19900991, HA operating index = 0

    If all members are in-sync, this means all members share the same configurations, except those that should not be synced. If any members are out-of-sync, this means the member failed to sync with the master device.

Note

Debugging is similar when a cluster is out of sync.