
Hyperscale Firewall Guide

FGCP HA hardware session synchronization


FGCP HA hardware session synchronization

When configuring active-passive FGCP HA or active-passive virtual clustering for two FortiGates with hyperscale firewall support, you can use FGCP HA hardware session synchronization to synchronize NP7 sessions between the FortiGates in the cluster.

Note

HA hardware session synchronization is currently only supported between two FortiGates using a direct connection between the HA hardware session synchronization interfaces. You can't use a switch for this connection and you can't synchronize sessions between more than two FortiGates.

In an active-passive FGCP cluster, HA hardware session synchronization copies sessions from the primary FortiGate to the secondary FortiGate. Both FortiGates maintain their own session tables with their own session timeouts. FGCP HA hardware session synchronization does not compare FortiGate session tables to keep them synchronized. In some cases you may notice that the secondary FortiGate in the HA cluster has a lower session count than the primary FortiGate. This is a known limitation of FGCP HA hardware session synchronization. Normally the difference in session count is relatively minor and in practice results in very few lost sessions after a failover.

In an active-passive FGCP virtual clustering configuration, FGCP HA hardware session synchronization copies sessions from VDOMs processing traffic to VDOMs on the other FortiGate in the virtual cluster that are not processing traffic. All VDOM instances maintain their own session tables with their own session timeouts. FGCP HA hardware session synchronization does not compare VDOM session tables between FortiGates to keep them synchronized.

FGCP HA hardware session synchronization packets are the same as standard session synchronization packets. For FGCP HA they are layer 2 TCP and UDP packets that use destination port 703. FGCP HA does not require you to add IP addresses to the interfaces that you use for FGCP HA hardware session synchronization.
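If you capture traffic on the direct link between the two session synchronization interfaces (for example through a tap), the following added example, which is not Fortinet code, classifies the captured frames and counts TCP and UDP packets sent to destination port 703, the port the page gives for session synchronization. It assumes Ethernet/IPv4 framing; the MAC and IP addresses in the constructed sample frames are placeholders, and the pcap reader assumes a classic libpcap file with an Ethernet link type.

```python
import struct

SESSION_SYNC_PORT = 703   # destination port used by FGCP HA session synchronization
ETHERTYPE_IPV4 = 0x0800
PROTO_TCP = 6
PROTO_UDP = 17


def build_frame(proto, dport, payload=b"", sport=40000):
    """Build a minimal Ethernet/IPv4/{TCP,UDP} frame as constructed sample input.

    Addresses are placeholders and checksums are left at zero; this only
    exists so the classifier below can be exercised offline.
    """
    if proto == PROTO_TCP:
        # src port, dst port, seq, ack, data offset (5 words), flags PSH|ACK, window, csum, urg
        l4 = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 65535, 0, 0)
    else:
        # src port, dst port, length, checksum
        l4 = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0)
    l4 += payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, proto, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))   # placeholder addresses
    eth = (b"\x00\x09\x0f\x00\x00\x01"          # placeholder dst MAC
           + b"\x00\x09\x0f\x00\x00\x02"        # placeholder src MAC
           + struct.pack("!H", ETHERTYPE_IPV4))
    return eth + ip + l4


def classify_frame(frame):
    """Return 'tcp' or 'udp' if the frame is an IPv4 TCP/UDP packet to port 703, else None."""
    if len(frame) < 14 + 20:                     # Ethernet header + minimal IPv4 header
        return None
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != ETHERTYPE_IPV4:
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4                     # IPv4 header length in bytes
    proto = ip[9]
    if proto not in (PROTO_TCP, PROTO_UDP) or len(ip) < ihl + 4:
        return None
    # Both TCP and UDP carry the destination port in bytes 2-3 of the L4 header.
    dport = struct.unpack("!H", ip[ihl + 2:ihl + 4])[0]
    if dport != SESSION_SYNC_PORT:
        return None
    return "tcp" if proto == PROTO_TCP else "udp"


def count_sync_frames(frames):
    """Count session synchronization frames by transport; everything else is 'other'."""
    counts = {"tcp": 0, "udp": 0, "other": 0}
    for frame in frames:
        counts[classify_frame(frame) or "other"] += 1
    return counts


def iter_pcap_frames(path):
    """Yield raw frames from a classic libpcap file (assumes Ethernet link type)."""
    with open(path, "rb") as fh:
        header = fh.read(24)
        magic = struct.unpack("<I", header[:4])[0]
        # 0xA1B2C3D4 / 0xA1B23C4D read little-endian means a little-endian file.
        endian = "<" if magic in (0xA1B2C3D4, 0xA1B23C4D) else ">"
        while True:
            rec = fh.read(16)
            if len(rec) < 16:
                return
            _ts_sec, _ts_usec, incl_len, _orig_len = struct.unpack(endian + "IIII", rec)
            yield fh.read(incl_len)


if __name__ == "__main__":
    # Constructed sample: one TCP and one UDP sync packet, one unrelated UDP packet, one ARP frame.
    sample = [
        build_frame(PROTO_TCP, SESSION_SYNC_PORT, b"sync"),
        build_frame(PROTO_UDP, SESSION_SYNC_PORT, b"sync"),
        build_frame(PROTO_UDP, 53),
        b"\xff" * 6 + b"\x00\x09\x0f\x00\x00\x02" + b"\x08\x06" + b"\x00" * 28,
    ]
    print(count_sync_frames(sample))
```

To run it against a real capture, replace the constructed sample with `count_sync_frames(iter_pcap_frames("sync-link.pcap"))`. A capture from the direct link in which no frames classify as `tcp` or `udp` is a quick sign that the interfaces are not actually exchanging session synchronization traffic.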

HA hardware session synchronization is not supported for active-active FGCP HA, for FGSP HA, or for inter-cluster session synchronization (FGSP between FGCP clusters).

The HA Status dashboard widget shows hardware session synchronization status.
