Using standalone configuration synchronization
You can configure synchronization from one standalone FortiGate to another standalone FortiGate (
standalone-config-sync). With the exception of some configurations that do not sync (settings that identify the FortiGate to the network), the rest of the configurations are synced, such as firewall policies, firewall addresses, and UTM profiles.
This option is useful in situations when you need to set up FGSP peers, or when you want to quickly deploy several FortiGates with the same configurations. You can set up
standalone-config-sync for multiple members.
When standalone configuration synchronization is enabled, there are some limitations, including but not limited to the following:
- Network interruptions occur during firmware upgrades: when upgrading the firmware, all members in the
standalone-config-syncgroup are upgraded simultaneously. This creates downtime if the FortiGates are the only outgoing gateway in the network. We recommend disabling the option before upgrading firmware.
- Some unwanted configurations might be synced: the current design and implementation of
standalone-config-syncis based on requirements from specific customers. Thus, some users may find that unwanted parts of the configurations are synced. Should this occur, we recommend disabling the option and modifying those configurations manually.
- The wrong master device might be picked accidentally:
standalone-config-syncis derived from the HA primary unit selection mechanism. All members in the group will join the selection process in the same way as a the HA cluster selection process. It is important to select the correct device as the master, otherwise the wrong device could be selected and existing configurations could be overwritten.
- Layer 2 heartbeat connections must be present: similar to HA heartbeat requirements, one or more layer 2 heartbeat connections are needed to sync configurations between the master and slave devices.
Setting up standalone configuration synchronization
Two or more standalone FortiGates should be connected to each other with one or more heartbeat interfaces, either back-to-back or via a switch. In the following example, the device supplying the configurations is called "conf-master," and the devices receiving the configurations are called "conf-slaves."
To set up standalone configuration synchronization:
- Configure the conf-master device for the group:
config system ha set hbdev ha1 50 ha2 100 set priority 255 set override enable set standalone-config-sync enable end
- Configure the conf-master device as needed to be functional.
- Configure the other group members as conf-slaves:
config system ha set standalone-config-sync enable end
- Wait 10–15 minutes for the configurations to sync over.
- Verify the synchronization status:
get sys ha status path=system, objname=ha, tablename=(null), size=5912 HA Health Status: WARNING: FG201E4Q17900771 has hbdev down; WARNING: FG201ETK19900991 has hbdev down; Model: FortiGate-201E Mode: ConfigSync Group: 0 Debug: 0 Cluster Uptime: 0 days 0:0:51 Cluster state change time: 2019-09-03 17:46:07 Master selected using: <2019/09/03 17:46:07> FG201ETK19900991 is selected as the master because it has the largest value of override priority. ses_pickup: disable override: disable Configuration Status: FG201E4Q17900771(updated 3 seconds ago): out-of-syncFG201ETK19900991(updated 1 seconds ago): in-sync System Usage stats: FG201E4Q17900771(updated 3 seconds ago): sessions=1, average-cpu-user/nice/system/idle=0%/0%/0%/100%, memory=16% FG201ETK19900991(updated 1 seconds ago): sessions=1, average-cpu-user/nice/system/idle=0%/0%/0%/100%, memory=16% HBDEV stats: FG201E4Q17900771(updated 3 seconds ago): wan2: physical/1000auto, up, rx-bytes/packets/dropped/errors=114918/266/0/0, tx=76752/178/0/0 ha: physical/00, down, rx-bytes/packets/dropped/errors=0/0/0/0, tx=0/0/0/0 FG201ETK19900991(updated 1 seconds ago): wan2: physical/1000auto, up, rx-bytes/packets/dropped/errors=83024/192/0/0, tx=120216/278/0/0 ha: physical/00, down, rx-bytes/packets/dropped/errors=0/0/0/0, tx=0/0/0/0 Slave : FortiGate-201E, FG201E4Q17900771, HA cluster index = 1 Master: FortiGate-201E, FG201ETK19900991, HA cluster index = 0 number of vcluster: 1 vcluster 1: work 169.254.0.1 Slave : FG201E4Q17900771, HA operating index = 1 Master: FG201ETK19900991, HA operating index = 0
If all members are
in-sync, this means all members share the same configurations, except those that should not be synced. If any members are
out-of-sync, this means the member failed to sync with the master device.
Debugging is similar when a cluster is out of sync.