Standalone configuration synchronization

You can configure synchronization from one standalone FortiGate to another standalone FortiGate (standalone-config-sync). With the exception of some configurations that do not sync (settings that identify the FortiGate to the network), the rest of the configurations are synced, such as firewall policies, firewall addresses, and UTM profiles.

This option is useful in situations when you need to set up FGSP peers, or when you want to quickly deploy several FortiGates with the same configurations. You can set up standalone-config-sync for multiple members.


standalone-config-sync is an independent feature and should be used with caution as there are some limitations. We recommend disabling it once the configurations have been synced over.


When standalone configuration synchronization is enabled, there are some limitations, including but not limited to the following:

  • Network interruptions occur during firmware upgrades: when upgrading the firmware, all members in the standalone-config-sync group are upgraded simultaneously. This creates downtime if the FortiGates are the only outgoing gateway in the network. We recommend disabling the option before upgrading firmware.
  • Some unwanted configurations might be synced: the current design and implementation of standalone-config-sync is based on requirements from specific customers. Thus, some users may find that unwanted parts of the configurations are synced. Should this occur, we recommend disabling the option and modifying those configurations manually.
  • The wrong primary device might be selected accidentally: standalone-config-sync is derived from the HA primary unit selection mechanism. All members in the group will join the selection process in the same way as a the HA cluster selection process. It is important to select the correct device as the primary, otherwise the wrong device could be selected and existing configurations could be overwritten.

Setting up standalone configuration synchronization

Two or more standalone FortiGates should be connected to each other with one or more heartbeat interfaces, either back-to-back or via a switch. In the following example, the device supplying the configurations is called "conf-prim," and the devices receiving the configurations are called "conf-secos."

To set up standalone configura