
CLI Reference

config system cluster-sync

Configure FortiGate Session Life Support Protocol (FGSP) session synchronization.

config system cluster-sync
    Description: Configure FortiGate Session Life Support Protocol (FGSP) session synchronization.
    edit <sync-id>
        set down-intfs-before-sess-sync <name1>, <name2>, ...
        set hb-interval {integer}
        set hb-lost-threshold {integer}
        set ipsec-tunnel-sync [enable|disable]
        set peerip {ipv4-address}
        set peervd {string}
        config session-sync-filter
            Description: Add one or more filters if you only want to synchronize some sessions. Use the filter to configure the types of sessions to synchronize.
            set srcintf {string}
            set dstintf {string}
            set srcaddr {ipv4-classnet-any}
            set dstaddr {ipv4-classnet-any}
            set srcaddr6 {ipv6-network}
            set dstaddr6 {ipv6-network}
            config custom-service
                Description: Only sessions using these custom services are synchronized. Use source and destination port ranges to define these custom services.
                edit <id>
                    set src-port-range {user}
                    set dst-port-range {user}
                next
            end
        end
        set slave-add-ike-routes [enable|disable]
        set syncvd <name1>, <name2>, ...
    next
end

config system cluster-sync

| Parameter | Description | Type | Size | Default |
|---|---|---|---|---|
| down-intfs-before-sess-sync <name> | List of interfaces to be turned down before session synchronization is complete. Interface name. | string | Maximum length: 79 | |
| hb-interval | Heartbeat interval. Increase to reduce false positives. | integer | Minimum value: 1 Maximum value: 20 | 2 |
| hb-lost-threshold | Lost heartbeat threshold. Increase to reduce false positives. | integer | Minimum value: 1 Maximum value: 60 | 10 |
| ipsec-tunnel-sync | Enable/disable IPsec tunnel synchronization. enable: Enable IPsec tunnel synchronization. disable: Disable IPsec tunnel synchronization. | option | - | enable |
| peerip | IP address of the interface on the peer unit that is used for the session synchronization link. | ipv4-address | Not Specified | 0.0.0.0 |
| peervd | VDOM that contains the session synchronization link interface on the peer unit. Usually both peers would have the same peervd. | string | Maximum length: 31 | root |
| slave-add-ike-routes | Enable/disable IKE route announcement on the backup unit. enable: Add IKE routes to the backup unit. disable: Do not add IKE routes to the backup unit. | option | - | enable |
| sync-id | Sync ID. | integer | Minimum value: 0 Maximum value: 4294967295 | 0 |
| syncvd <name> | Sessions from these VDOMs are synchronized using this session synchronization configuration. VDOM name. | string | Maximum length: 79 | |

config session-sync-filter

| Parameter | Description | Type | Size | Default |
|---|---|---|---|---|
| srcintf | Only sessions from this interface are synchronized. You can only enter one interface name. To synchronize sessions for multiple source interfaces, add multiple filters. | string | Maximum length: 15 | |
| dstintf | Only sessions to this interface are synchronized. You can only enter one interface name. To synchronize sessions to multiple destination interfaces, add multiple filters. | string | Maximum length: 15 | |
| srcaddr | Only sessions from this IPv4 address are synchronized. You can only enter one address. To synchronize sessions from multiple source addresses, add multiple filters. | ipv4-classnet-any | Not Specified | 0.0.0.0 0.0.0.0 |
| dstaddr | Only sessions to this IPv4 address are synchronized. You can only enter one address. To synchronize sessions for multiple destination addresses, add multiple filters. | ipv4-classnet-any | Not Specified | 0.0.0.0 0.0.0.0 |
| srcaddr6 | Only sessions from this IPv6 address are synchronized. You can only enter one address. To synchronize sessions from multiple source addresses, add multiple filters. | ipv6-network | Not Specified | ::/0 |
| dstaddr6 | Only sessions to this IPv6 address are synchronized. You can only enter one address. To synchronize sessions for multiple destination addresses, add multiple filters. | ipv6-network | Not Specified | ::/0 |

config custom-service

| Parameter | Description | Type | Size | Default |
|---|---|---|---|---|
| id | Custom service ID. | integer | Minimum value: 0 Maximum value: 4294967295 | 0 |
| src-port-range | Custom service source port range. | user | Not Specified | 0-0 |
| dst-port-range | Custom service destination port range. | user | Not Specified | 0-0 |
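
The ranges and size limits documented above can be checked before a templated cluster-sync block is pushed to a unit. The Python linter below is an added example, not Fortinet code: the function name `lint_cluster_sync` and the sample addresses and IDs are constructed, and treating an entry whose `peerip` is still the default 0.0.0.0 as a finding is an assumption of this example.

```python
import re

# Limits taken from the parameter tables on this page.
INT_RANGES = {"hb-interval": (1, 20), "hb-lost-threshold": (1, 60)}
MAX_LEN = {"peervd": 31, "srcintf": 15, "dstintf": 15,
           "syncvd": 79, "down-intfs-before-sess-sync": 79}

def lint_cluster_sync(text):
    """Return (sync_id, message) findings for a 'config system cluster-sync' block."""
    findings, depth, sync_id, peerip = [], 0, None, "0.0.0.0"
    for raw in text.splitlines():
        cmd, *args = [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', raw)] or [""]
        if cmd == "config":
            depth += 1                      # cluster-sync=1, filter=2, custom-service=3
        elif cmd == "end":
            depth -= 1
        elif cmd == "edit" and depth == 1:  # new <sync-id>; deeper edits are service ids
            sync_id, peerip = args[0], "0.0.0.0"
        elif cmd == "next" and depth == 1 and peerip == "0.0.0.0":
            findings.append((sync_id, "peerip left at default 0.0.0.0"))
        elif cmd == "set" and len(args) >= 2:
            key, vals = args[0], args[1:]
            if key == "peerip":
                peerip = vals[0]
            elif key in INT_RANGES:
                lo, hi = INT_RANGES[key]
                if not (vals[0].isdigit() and lo <= int(vals[0]) <= hi):
                    findings.append((sync_id, f"{key} {vals[0]} outside {lo}-{hi}"))
            elif key in MAX_LEN:
                findings += [(sync_id, f"{key} name {v!r} longer than {MAX_LEN[key]}")
                             for v in vals if len(v) > MAX_LEN[key]]
    return findings

# Constructed sample, not from a real device: entry 2 breaks two rules.
SAMPLE = """config system cluster-sync
    edit 1
        set peerip 10.10.10.2
        config session-sync-filter
            config custom-service
                edit 7
                    set dst-port-range 443-443
                next
            end
        end
    next
    edit 2
        set hb-interval 30
    next
end"""
```

Calling `lint_cluster_sync(SAMPLE)` reports both problems against sync-id 2 and nothing for sync-id 1; the nested `edit 7` under custom-service is not mistaken for a sync-id.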
