
Hyperscale Firewall Guide

Optimizing HA hardware session synchronization performance

The FortiGate-4200F, 4201F, 4400F, and 4401F models include HA1, HA2, AUX1, and AUX2 interfaces that can be used to optimize HA hardware session synchronization performance. For optimal HA hardware session sync performance, make sure the interface you assign to hw-session-sync-dev is included in the following configuration:

config system npu
    config port-path-option
        set ports-using-npu {ha1 ha2 aux1 aux2}
    end
end

ports-using-npu selects one or more interfaces to use for HA hardware session synchronization or hardware logging.

Note

Changing the port-path-option configuration restarts the FortiGate, temporarily interrupting traffic. You should remove the backup FortiGate from the cluster, change this configuration on both FortiGates, and then after they restart, add the backup FortiGate back to the cluster. If a new FortiGate joins an HA cluster where the primary FortiGate has a different port-path-option configuration, the new FortiGate will reboot before joining the cluster.

When you add an interface to this list, HA hardware session synchronization or hardware logging packets can be sent directly from NP7 processors over the ISF to that interface, bypassing the CPU. If you don't add interfaces to this list, the CPU is not bypassed, resulting in lower HA hardware session synchronization or hardware logging performance.

Note

You can also use this command to improve hardware logging performance. See Optimizing hardware logging performance using AUX interfaces.

Interfaces added to the ports-using-npu list should not be used for other traffic. For example, if you use ha1 and ha2 as HA heartbeat interfaces, use aux1 or aux2 for HA hardware session synchronization.

For example, create the following configuration to use ha1 and ha2 as the HA heartbeat interfaces and aux1 as the HA hardware session synchronization interface:

config system ha
    set hbdev ha1 100 ha2 100
    set session-pickup enable
    set hw-session-sync-dev aux1
end

config system npu
    config port-path-option
        set ports-using-npu aux1
    end
end

You can use ha1 or ha2 for HA hardware session synchronization if you use different interfaces for the HA heartbeat. Only one interface can be used as the hardware session synchronization interface and this interface cannot be a LAG.

You can also configure a data interface to be the hardware session synchronization interface, for example:

config system ha
    set hw-session-sync-dev port5
end

No special configuration is required if you use a data interface. However, the data interface should not be used for any other traffic. Hardware session sync performance is optimal if you use one of the ha1, ha2, aux1 or aux2 interfaces.
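As an added check that is not part of the Fortinet guide, the following Python script parses a saved FortiGate CLI configuration and reports where it departs from the rules above: the hw-session-sync-dev interface must not be a LAG, should not double as an HA heartbeat interface, and, when it is ha1, ha2, aux1 or aux2, must also appear in ports-using-npu so the NP7 path is used. The sample configuration is constructed, and the parser is deliberately flat (it does not track CLI nesting).

```python
import re

# Constructed sample FortiOS CLI output (not captured from a real device).
SAMPLE_CONFIG = """\
config system interface
    edit "lag1"
        set type aggregate
    next
end
config system ha
    set hbdev "ha1" 100 "ha2" 100
    set hw-session-sync-dev "aux1"
end
config system npu
    config port-path-option
        set ports-using-npu "aux1"
    end
end
"""

def parse_config(cfg):
    """Return ({setting: [values]} for every 'set' line, {LAG interface names}).
    Nesting is ignored, which is enough for the handful of settings checked here."""
    settings, lags, current = {}, set(), None
    for line in cfg.splitlines():
        if m := re.match(r'\s*edit\s+"?([^"\s]+)"?', line):
            current = m.group(1)  # interface name inside 'config system interface'
        elif m := re.match(r'\s*set\s+(\S+)\s+(.*)$', line):
            values = [v.strip('"') for v in m.group(2).split()]
            if m.group(1) == "type" and values == ["aggregate"] and current:
                lags.add(current)  # 'set type aggregate' marks a LAG
            else:
                settings[m.group(1)] = values
    return settings, lags

def check_hw_session_sync(cfg):
    """List the guide's rules that the config breaks; an empty list means all good."""
    s, lags = parse_config(cfg)
    sync = s.get("hw-session-sync-dev", [])
    if not sync:
        return ["hw-session-sync-dev is not set"]
    dev, findings = sync[0], []
    if dev in lags:
        findings.append(f"{dev} is a LAG; the sync interface cannot be a LAG")
    if dev in s.get("hbdev", [])[0::2]:  # hbdev lists interface/priority pairs
        findings.append(f"{dev} is also an HA heartbeat interface")
    if dev in ("ha1", "ha2", "aux1", "aux2") and dev not in s.get("ports-using-npu", []):
        findings.append(f"{dev} is not in ports-using-npu, so the CPU is not bypassed")
    return findings
```

A data interface such as port5 produces no finding, matching the guide's statement that it needs no special configuration.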
