The FortiGate Session Life Support Protocol (FGSP) is a proprietary HA solution for only sharing sessions between two entities and is based on a peer-to-peer structure. The entities could be standalone FortiGates or an FGCP cluster.
Connect all necessary interfaces as per the topology diagram below. Interfaces may be changed depending on the models in use. Interface names in the topology diagram are for example purposes only.
To setup an FGSP peer through the CLI:
These instructions assume that the device has been connected to the console, the CLI is accessible, and that all FortiGates have been factory reset.
- Connect all necessary interfaces as per the topology diagram.
- Enter the following command to change the FortiGate unit host name:
config system global set hostname Example1_host(Example2_host, etc) end
- On each FGSP peer device, enter the following command:
config system cluster-sync set peerip xx.xx.xx.xx --->> peer's interface IP for session info to be passed. end
- Set up identical firewall policies.
FGSP peers share the same session information which goes from the same incoming interface (example: port1) to the outgoing interface (example: port2). Firewall policies should be identical as well, and can be copied from one device to its peer.
To test the setup:
- Initiate TCP traffic (like HTTP access) to go through FortiGateA.
- Check the session information.
diagnose sys session filter src xxx.xxx.xxx.xxx (your PCs IP)
diagnose sys session list
- Use the same command on FortiGateB to determine if the same session information appeared.