Hyperscale Firewall Guide

HA hardware session synchronization

When configuring active-passive FGCP HA or active-passive virtual clustering for two FortiGates with hyperscale firewall support, you can use HA hardware session synchronization to synchronize NP7 sessions between the FortiGates in the cluster.

Note

HA hardware session synchronization is currently only supported between two FortiGates using a direct connection between the HA hardware session synchronization interfaces. You can't use a switch for this connection and you can't synchronize sessions between more than two FortiGates.

In an active-passive FGCP cluster, HA hardware session synchronization copies sessions from the primary FortiGate to the secondary FortiGate. Both FortiGates maintain their own session tables with their own session timeouts. HA hardware session synchronization does not compare FortiGate session tables to keep them synchronized. In some cases you may notice that the secondary FortiGate in the HA cluster has a lower session count than the primary FortiGate. This is a known limitation of FGCP HA for hardware session synchronization. Normally the difference in session count is relatively minor and in practice results in very few lost sessions after a failover.

In an active-passive virtual clustering configuration, HA hardware session synchronization copies sessions from VDOMs processing traffic to VDOMs on the other FortiGate in the virtual cluster that are not processing traffic. All VDOM instances maintain their own session tables with their own session timeouts. HA hardware session synchronization does not compare VDOM session tables between FortiGates to keep them synchronized.

HA hardware session synchronization packets are the same as standard session synchronization packets. For FGCP HA they are layer 2 TCP and UDP packets that use destination port 703. FGCP HA does not require you to add IP addresses to the interfaces that you use for HA hardware session synchronization.

HA hardware session synchronization is not supported for active-active HA or FGSP HA or for inter-cluster session synchronization (FGSP between FGCP clusters).

The HA Status dashboard widget shows hardware session synchronization status.