Fortinet Document Library

CLI Reference

Version: 6.2.1

Configure FortiGate Session Life Support Protocol (FGSP) session synchronization.

  config system cluster-sync
      Description: Configure FortiGate Session Life Support Protocol (FGSP) session synchronization.
      edit <sync-id>
          set peervd {string}
          set peerip {ipv4-address}
          set syncvd <name1>, <name2>, ...
          set down-intfs-before-sess-sync <name1>, <name2>, ...
          set hb-interval {integer}
          set hb-lost-threshold {integer}
          set ipsec-tunnel-sync [enable|disable]
          set slave-add-ike-routes [enable|disable]
          config session-sync-filter
              Description: Add one or more filters if you only want to synchronize some sessions. Use the filter to configure the types of sessions to synchronize.
              set srcintf {string}
              set dstintf {string}
              set srcaddr {ipv4-classnet-any}
              set dstaddr {ipv4-classnet-any}
              set srcaddr6 {ipv6-network}
              set dstaddr6 {ipv6-network}
              config custom-service
                  Description: Only sessions using these custom services are synchronized. Use source and destination port ranges to define these custom services.
                  edit <id>
                      set src-port-range {user}
                      set dst-port-range {user}
                  next
              end
          end
      next
  end

config system cluster-sync

| Parameter Name | Description | Type | Size |
| --- | --- | --- | --- |
| peervd | VDOM that contains the session synchronization link interface on the peer unit. Usually both peers would have the same peervd. | string | Maximum length: 31 |
| peerip | IP address of the interface on the peer unit that is used for the session synchronization link. | ipv4-address | Not Specified |
| syncvd <name> | Sessions from these VDOMs are synchronized using this session synchronization configuration. <name>: VDOM name. | string | Maximum length: 79 |
| down-intfs-before-sess-sync <name> | List of interfaces to be turned down before session synchronization is complete. <name>: Interface name. | string | Maximum length: 79 |
| hb-interval | Heartbeat interval (1 - 10 sec). | integer | Minimum value: 1, Maximum value: 10 |
| hb-lost-threshold | Lost heartbeat threshold (1 - 10). | integer | Minimum value: 1, Maximum value: 10 |
| ipsec-tunnel-sync | Enable/disable IPsec tunnel synchronization. enable: Enable IPsec tunnel synchronization; disable: Disable IPsec tunnel synchronization. | option | - |
| slave-add-ike-routes | Enable/disable IKE route announcement on the backup unit. enable: Add IKE routes to the backup unit; disable: Do not add IKE routes to the backup unit. | option | - |

config session-sync-filter

| Parameter Name | Description | Type | Size |
| --- | --- | --- | --- |
| srcintf | Only sessions from this interface are synchronized. You can only enter one interface name. To synchronize sessions for multiple source interfaces, add multiple filters. | string | Maximum length: 15 |
| dstintf | Only sessions to this interface are synchronized. You can only enter one interface name. To synchronize sessions to multiple destination interfaces, add multiple filters. | string | Maximum length: 15 |
| srcaddr | Only sessions from this IPv4 address are synchronized. You can only enter one address. To synchronize sessions from multiple source addresses, add multiple filters. | ipv4-classnet-any | Not Specified |
| dstaddr | Only sessions to this IPv4 address are synchronized. You can only enter one address. To synchronize sessions for multiple destination addresses, add multiple filters. | ipv4-classnet-any | Not Specified |
| srcaddr6 | Only sessions from this IPv6 address are synchronized. You can only enter one address. To synchronize sessions from multiple source addresses, add multiple filters. | ipv6-network | Not Specified |
| dstaddr6 | Only sessions to this IPv6 address are synchronized. You can only enter one address. To synchronize sessions for multiple destination addresses, add multiple filters. | ipv6-network | Not Specified |

config custom-service

| Parameter Name | Description | Type | Size |
| --- | --- | --- | --- |
| src-port-range | Custom service source port range. | user | Not Specified |
| dst-port-range | Custom service destination port range. | user | Not Specified |
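
The following is an added example, not Fortinet code: a Python pre-deployment check that walks a `config system cluster-sync` block and flags values outside the limits in the tables above, as well as keys placed at the wrong nesting level. The names `KEYS`, `MAXLEN`, `check_value`, `audit` and `SAMPLE` are made up for this example, and the sample configuration is constructed.

```python
import shlex

# Keys, nesting and limits transcribed from the parameter tables on this page.
KEYS = {
    "cluster-sync": "peervd peerip syncvd down-intfs-before-sess-sync hb-interval "
                    "hb-lost-threshold ipsec-tunnel-sync slave-add-ike-routes".split(),
    "session-sync-filter": "srcintf dstintf srcaddr dstaddr srcaddr6 dstaddr6".split(),
    "custom-service": "src-port-range dst-port-range".split(),
}
MAXLEN = {"peervd": 31, "syncvd": 79, "down-intfs-before-sess-sync": 79,
          "srcintf": 15, "dstintf": 15}

def check_value(key, values):
    """Return an error string for one `set` line, or None when it is within limits."""
    first = values[0] if values else ""
    if key in MAXLEN and any(len(v) > MAXLEN[key] for v in values):
        return f"{key}: name longer than {MAXLEN[key]} characters"
    if key.startswith("hb-") and not (first.isdecimal() and 1 <= int(first) <= 10):
        return f"{key}: must be an integer from 1 to 10"
    if key in ("ipsec-tunnel-sync", "slave-add-ike-routes") and first not in ("enable", "disable"):
        return f"{key}: must be enable or disable"

def audit(text):
    """Walk config/set/end lines; return (line_no, message) findings."""
    findings, scope = [], []
    for no, line in enumerate(text.splitlines(), 1):
        words = shlex.split(line)
        if words[:1] == ["config"]:
            scope.append(words[-1])      # block name, e.g. "cluster-sync"
        elif words[:1] == ["end"] and scope:
            scope.pop()
        elif words[:1] == ["set"] and len(words) > 1:
            where = scope[-1] if scope else "top level"
            err = (check_value(words[1], words[2:]) if words[1] in KEYS.get(where, ())
                   else f"{words[1]}: not a key of {where}")
            if err:
                findings.append((no, err))
    return findings

# Constructed sample: hb-interval is out of range, srcintf sits outside its filter block.
SAMPLE = """config system cluster-sync
    edit 1
        set hb-interval 30
        set srcintf port1
        config session-sync-filter
            set dstintf port2
        end
    next
end"""
```

Calling `audit(SAMPLE)` reports the out-of-range heartbeat on line 3 and the misplaced `srcintf` on line 4; the address and port-range fields are not checked because the tables give no size limit for them.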
