Fortinet black logo

Administration Guide

Synchronizing sessions between FGCP clusters

Synchronizing sessions between FGCP clusters

Synchronizing sessions between FGCP clusters is useful when data centers in different locations are used for load-balancing, and traffic must be shared and flow freely based on demand.

There are some limitations when synchronizing sessions between FGCP clusters:

  • All FortiGates must have the same model and generation, hardware configuration, and FortiOS version.
  • Currently, a total of four clusters can share sessions.
To configure session synchronization between two clusters:
  1. Configure the two clusters (see HA active-passive cluster setup or HA active-active cluster setup).
  2. On cluster A, configure the peer IP for the interface:
    config system interface
        edit "port5"
            set vdom "root"
            set ip 10.10.10.1 255.255.255.0
            set allowaccess ping https ssh snmp http telnet
        next
    end

    In this example, cluster A uses port5 and its IP address, 10.10.10.1, is reachable from another cluster.

  3. On cluster A, configure cluster and session synchronization:
    config system cluster-sync
        edit 1
            set peerip 10.10.10.2
        next
    end
  4. On cluster A, configure additional FGSP attributes as needed:
    config system standalone-cluster
        set standalone-group-id 1
        set group-member-id 0
        set session-sync-dev <interface>
    end

    The standalone-group-id must match between FGSP members. The group-member-id is unique for each FGCP cluster. session-sync-dev is an optional command to specify the interfaces to sync sessions.

  5. On cluster B, configure the peer IP for the interface:
    config system interface
        edit "port5"
            set vdom "root"
            set ip 10.10.10.2 255.255.255.0
            set allowaccess ping https ssh snmp http telnet
        next
    end

    In this example, cluster B uses port5 and its IP address, 10.10.10.2, is reachable from another cluster.

  6. On cluster B, configure cluster and session synchronization:
    config system cluster-sync
        edit 1
            set peerip 10.10.10.1
        next
    end
  7. On cluster B, configure additional FGSP attributes as needed:
    config system standalone-cluster
        set standalone-group-id 1
        set group-member-id 1
        set session-sync-dev <interface>
    end

Synchronizing sessions between FGCP clusters

Synchronizing sessions between FGCP clusters is useful when data centers in different locations are used for load-balancing, and traffic must be shared and flow freely based on demand.

There are some limitations when synchronizing sessions between FGCP clusters:

  • All FortiGates must have the same model and generation, hardware configuration, and FortiOS version.
  • Currently, a total of four clusters can share sessions.
To configure session synchronization between two clusters:
  1. Configure the two clusters (see HA active-passive cluster setup or HA active-active cluster setup).
  2. On cluster A, configure the peer IP for the interface:
    config system interface
        edit "port5"
            set vdom "root"
            set ip 10.10.10.1 255.255.255.0
            set allowaccess ping https ssh snmp http telnet
        next
    end

    In this example, cluster A uses port5 and its IP address, 10.10.10.1, is reachable from another cluster.

  3. On cluster A, configure cluster and session synchronization:
    config system cluster-sync
        edit 1
            set peerip 10.10.10.2
        next
    end
  4. On cluster A, configure additional FGSP attributes as needed:
    config system standalone-cluster
        set standalone-group-id 1
        set group-member-id 0
        set session-sync-dev <interface>
    end

    The standalone-group-id must match between FGSP members. The group-member-id is unique for each FGCP cluster. session-sync-dev is an optional command to specify the interfaces to sync sessions.

  5. On cluster B, configure the peer IP for the interface:
    config system interface
        edit "port5"
            set vdom "root"
            set ip 10.10.10.2 255.255.255.0
            set allowaccess ping https ssh snmp http telnet
        next
    end

    In this example, cluster B uses port5 and its IP address, 10.10.10.2, is reachable from another cluster.

  6. On cluster B, configure cluster and session synchronization:
    config system cluster-sync
        edit 1
            set peerip 10.10.10.1
        next
    end
  7. On cluster B, configure additional FGSP attributes as needed:
    config system standalone-cluster
        set standalone-group-id 1
        set group-member-id 1
        set session-sync-dev <interface>
    end