Administration Guide

FGSP four-member session synchronization and redundancy

By using session-sync-dev to offload session synchronization processing to the kernel, four-member FGSP session synchronization can be supported to handle heavy loads.

Topology

In this topology, there are three FGSP peer groups for each FortiGate, one for each of the other three members. Sessions are synchronized between each FortiGate and its peer groups. Redundancy is achieved by using two dedicated session sync device links for each peer setup, so each FortiGate is configured with a total of six peer IPs, spread across its two session synchronization device links. When one link fails, session synchronization is not affected.

For optimization, sync-packet-balance is enabled to distribute synchronization packet processing across multiple CPUs. The session synchronization process is offloaded to the kernel, and sessions are synchronized at layer 2 over the directly connected interfaces (set session-sync-dev "port5" "port6"). A jumbo frame MTU of 9216 is configured on each session synchronization device link to reduce the number of packets; however, setting the MTU to 9216 is entirely optional.

To configure FGT_A:
  1. Configure HA:
    config system ha
        set sync-packet-balance enable
        set session-pickup enable
        set session-pickup-connectionless enable
        set session-pickup-expectation enable
        set session-pickup-nat enable
    end
  2. Configure the layer 2 session synchronization links:
    config system standalone-cluster
        set session-sync-dev "port5" "port6"
    end
  3. Configure the session TTL default timeout:
    config system session-ttl
        set default 300
    end
  4. Configure the interfaces:
    config system interface
        edit port5
            set ip 10.1.1.1/24
            set mtu-override enable
            set mtu 9216
        next
        edit port6
            set ip 10.2.2.1/24
            set mtu-override enable
            set mtu 9216
        next
    end
  5. Configure FGSP session synchronization:
    config system cluster-sync
        edit 1
            set peerip 10.1.1.2
        next
        edit 2
            set peerip 10.2.2.2
        next
        edit 3
            set peerip 10.1.1.3
        next
        edit 4
            set peerip 10.2.2.3
        next
        edit 5
            set peerip 10.1.1.4
        next
        edit 6
            set peerip 10.2.2.4
        next
    end
To configure FGT_B:
  1. Configure HA:
    config system ha
        set sync-packet-balance enable
        set session-pickup enable
        set session-pickup-connectionless enable
        set session-pickup-expectation enable
        set session-pickup-nat enable
    end
  2. Configure the layer 2 session synchronization links:
    config system standalone-cluster
        set session-sync-dev "port5" "port6"
    end
  3. Configure the session TTL default timeout:
    config system session-ttl
        set default 300
    end
  4. Configure the interfaces:
    config system interface
        edit port5
            set ip 10.1.1.2/24
            set mtu-override enable
            set mtu 9216
        next
        edit port6
            set ip 10.2.2.2/24
            set mtu-override enable
            set mtu 9216
        next
    end
  5. Configure FGSP session synchronization:
    config system cluster-sync
        edit 1
            set peerip 10.1.1.1
        next
        edit 2
            set peerip 10.2.2.1
        next
        edit 3
            set peerip 10.1.1.3
        next
        edit 4
            set peerip 10.2.2.3
        next
        edit 5
            set peerip 10.1.1.4
        next
        edit 6
            set peerip 10.2.2.4
        next
    end
To configure FGT_C:
  1. Configure HA:
    config system ha
        set sync-packet-balance enable
        set session-pickup enable
        set session-pickup-connectionless enable
        set session-pickup-expectation enable
        set session-pickup-nat enable
    end
  2. Configure the layer 2 session synchronization links:
    config system standalone-cluster
        set session-sync-dev "port5" "port6"
    end
  3. Configure the session TTL default timeout:
    config system session-ttl
        set default 300
    end
  4. Configure the interfaces:
    config system interface
        edit port5
            set ip 10.1.1.3/24
            set mtu-override enable
            set mtu 9216
        next
        edit port6
            set ip 10.2.2.3/24
            set mtu-override enable
            set mtu 9216
        next
    end
  5. Configure FGSP session synchronization:
    config system cluster-sync
        edit 1
            set peerip 10.1.1.1
        next
        edit 2
            set peerip 10.2.2.1
        next
        edit 3
            set peerip 10.1.1.2
        next
        edit 4
            set peerip 10.2.2.2
        next
        edit 5
            set peerip 10.1.1.4
        next
        edit 6
            set peerip 10.2.2.4
        next
    end
To configure FGT_D:
  1. Configure HA:
    config system ha
        set sync-packet-balance enable
        set session-pickup enable
        set session-pickup-connectionless enable
        set session-pickup-expectation enable
        set session-pickup-nat enable
    end
  2. Configure the layer 2 session synchronization links:
    config system standalone-cluster
        set session-sync-dev "port5" "port6"
    end
  3. Configure the session TTL default timeout:
    config system session-ttl
        set default 300
    end
  4. Configure the interfaces:
    config system interface
        edit port5
            set ip 10.1.1.4/24
            set mtu-override enable
            set mtu 9216
        next
        edit port6
            set ip 10.2.2.4/24
            set mtu-override enable
            set mtu 9216
        next
    end
  5. Configure FGSP session synchronization:
    config system cluster-sync
        edit 1
            set peerip 10.1.1.1
        next
        edit 2
            set peerip 10.2.2.1
        next
        edit 3
            set peerip 10.1.1.2
        next
        edit 4
            set peerip 10.2.2.2
        next
        edit 5
            set peerip 10.1.1.3
        next
        edit 6
            set peerip 10.2.2.3
        next
    end
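The peer lists above must form a full mesh: every member lists every other member on both links, never its own address, and every peering is mutual, otherwise a link failure leaves some sessions unsynchronized. The following Python is an added example, not Fortinet's code; it derives each member's cluster-sync block from the topology on this page (member N takes host address N on the 10.1.1.0/24 port5 link and the 10.2.2.0/24 port6 link), parses peerip values back out of CLI text, and checks a set of peer lists for that mesh property, for any number of members.

```python
import re
from ipaddress import ip_network

# Constructed to match the page's topology: two dedicated sync links and
# member N taking host address N on each link (FGT_A = .1 ... FGT_D = .4).
SYNC_LINKS = {"port5": ip_network("10.1.1.0/24"),
              "port6": ip_network("10.2.2.0/24")}
MEMBERS = ["FGT_A", "FGT_B", "FGT_C", "FGT_D"]

def link_ips(member):
    """{port: address} for one member; host index is 1-based."""
    idx = MEMBERS.index(member) + 1
    return {port: str(net[idx]) for port, net in SYNC_LINKS.items()}

def peer_ips(member):
    """Every other member's address on every link (full mesh): a member
    never lists itself, and each remote keeps a path if one link fails."""
    return [link_ips(other)[port]
            for other in MEMBERS if other != member for port in SYNC_LINKS]

def render_cluster_sync(member):
    """The 'config system cluster-sync' block for one member (page step 5)."""
    out = ["config system cluster-sync"]
    for n, ip in enumerate(peer_ips(member), 1):
        out += [f"    edit {n}", f"        set peerip {ip}", "    next"]
    return "\n".join(out + ["end"])

def parse_peerips(cli_text):
    """Pull peerip values out of a member's CLI text (rendered or exported)."""
    return re.findall(r"^\s*set peerip (\S+)", cli_text, re.MULTILINE)

def check_mesh(peers):
    """peers: {member: [peerip, ...]}. Returns the problems found; an empty
    list means every member lists every other member on both links, never
    itself, and every peering is mutual."""
    problems = []
    for m, listed in peers.items():
        mine = set(link_ips(m).values())
        if mine & set(listed):
            problems.append(f"{m} lists its own address")
        for o in MEMBERS:
            if o != m and not set(link_ips(o).values()) <= set(listed):
                problems.append(f"{m} is missing a peerip for {o}")
            if o != m and not mine <= set(peers.get(o, [])):
                problems.append(f"{o} does not peer back to {m}")
    return sorted(set(problems))
```

Run check_mesh over peerip lists parsed from each member's exported cluster-sync block to confirm the mesh before relying on it; a single omitted entry is reported from both ends.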
