FGSP basic peer setup

The FortiGate Session Life Support Protocol (FGSP) is a proprietary HA solution that shares only session information between entities, using peer-to-peer communication. An entity can be a standalone FortiGate or an FGCP cluster. This example uses two peer FortiGates. The load balancer is configured to send all sessions to Peer_1; if Peer_1 fails, all traffic is sent to Peer_2.

To configure a basic FGSP peer setup:

These instructions assume that all FortiGates have been factory reset.

  1. Make all the necessary connections as shown in the topology diagram.
  2. On Peer_1, configure the IP address of the peer that this device will synchronize with:
    config system cluster-sync
        edit 1
            set peerip 10.10.10.2
        next
    end
    If there are multiple peer IPs from the same peer, enter them as separate entries. If there are multiple peers, enter the IP of each peer in separate entries. See FGSP four-member session synchronization and redundancy for an example.

    By default, sessions are synchronized over layer 3 on the interface through which the current unit reaches the peer's IP address.

  3. On Peer_2, configure session synchronization:
    config system cluster-sync
        edit 1
            set peerip 10.10.10.1
        next
    end
  4. Configure identical firewall policies on each peer, such as for traffic going from the same incoming interface (port1) to the outgoing interface (port2).

To test the FGSP peer setup:
  1. Initiate TCP traffic (like HTTP access) to go through Peer_1.
  2. Check the session information:
    # diagnose sys session filter src <IP_address>
    # diagnose sys session list
  3. Enter the same commands on Peer_2 to verify that the same session information appears.
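The test procedure above compares the session list on both peers by eye. The following script is an added example (not part of the original page or a Fortinet tool) that automates that comparison: it parses abbreviated, constructed `diagnose sys session list` output captured from each peer, keys each session by its protocol and 5-tuple taken from the first `dir=org` hook line, and reports which of Peer_1's sessions are present on Peer_2. It treats the `synced` token in a session's `state=` line as the mark of a session received from the peer; the sample output below is constructed and carries only the lines the checker needs, real output has many more.

```python
import re

# Constructed, abbreviated "diagnose sys session list" output from Peer_1 (session owner).
PEER1_OUTPUT = """\
session info: proto=6 proto_state=01 duration=12 expire=3588 timeout=3600 flags=00000000 use=3
state=log may_dirty npu
orgin->sink: org pre->post, reply pre->post dev=5->6/6->5 gwy=10.1.100.1/0.0.0.0
hook=post dir=org act=snat 192.168.20.10:51234->10.1.100.22:80(10.1.100.1:51234)
hook=pre dir=reply act=dnat 10.1.100.22:80->10.1.100.1:51234(192.168.20.10:51234)
session info: proto=6 proto_state=01 duration=3 expire=3597 timeout=3600 flags=00000000 use=3
state=log may_dirty npu
orgin->sink: org pre->post, reply pre->post dev=5->6/6->5 gwy=10.1.100.1/0.0.0.0
hook=post dir=org act=snat 192.168.20.11:40000->10.1.100.22:443(10.1.100.1:40000)
hook=pre dir=reply act=dnat 10.1.100.22:443->10.1.100.1:40000(192.168.20.11:40000)
total session 2
"""

# Constructed output from Peer_2: only the first session arrived, flagged "synced".
PEER2_OUTPUT = """\
session info: proto=6 proto_state=01 duration=12 expire=3588 timeout=3600 flags=00000000 use=3
state=log may_dirty npu synced
orgin->sink: org pre->post, reply pre->post dev=5->6/6->5 gwy=10.1.100.1/0.0.0.0
hook=post dir=org act=snat 192.168.20.10:51234->10.1.100.22:80(10.1.100.1:51234)
hook=pre dir=reply act=dnat 10.1.100.22:80->10.1.100.1:51234(192.168.20.10:51234)
total session 1
"""

# "src:sport->dst:dport" as it appears on the hook lines (IPv4 only in this example).
TUPLE_RE = re.compile(r"(\d+\.\d+\.\d+\.\d+):(\d+)->(\d+\.\d+\.\d+\.\d+):(\d+)")


def parse_session_list(text):
    """Return {(proto, src, sport, dst, dport): set of state flags} for each session."""
    sessions = {}
    # Each session record starts with a "session info:" line.
    for block in text.split("session info:")[1:]:
        lines = block.splitlines()
        m = re.search(r"proto=(\d+)", lines[0])
        proto = int(m.group(1)) if m else 0
        flags, key = set(), None
        for line in lines[1:]:
            line = line.strip()
            if line.startswith("state="):
                flags = set(line[len("state="):].split())
            elif line.startswith("hook=") and "dir=org" in line and key is None:
                # The first original-direction hook line carries the pre-NAT 5-tuple.
                m = TUPLE_RE.search(line)
                if m:
                    key = (proto, m.group(1), int(m.group(2)), m.group(3), int(m.group(4)))
        if key is not None:
            sessions[key] = flags
    return sessions


def compare_peers(owner_text, peer_text):
    """Classify every session on the owner by how it appears on the peer."""
    owner = parse_session_list(owner_text)
    peer = parse_session_list(peer_text)
    report = {"synced": [], "missing_on_peer": [], "not_flagged_synced": []}
    for key in owner:
        if key not in peer:
            report["missing_on_peer"].append(key)
        elif "synced" not in peer[key]:
            report["not_flagged_synced"].append(key)
        else:
            report["synced"].append(key)
    return report


if __name__ == "__main__":
    for category, keys in compare_peers(PEER1_OUTPUT, PEER2_OUTPUT).items():
        for proto, src, sport, dst, dport in keys:
            print(f"{category}: proto={proto} {src}:{sport} -> {dst}:{dport}")
```

In practice you would narrow both captures first with `diagnose sys session filter src <IP_address>` so that only the test traffic is compared; a session reported as `missing_on_peer` right after it was created on Peer_1 points at the `cluster-sync` peering or the synchronization interface, while `not_flagged_synced` means the peer created the session itself rather than receiving it.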

Optional filters

Filters can be added to synchronize certain types of sessions that meet the filter criteria.

To add filters for session synchronization:
config system cluster-sync
    edit <id>
        config session-sync-filter
            set srcintf <interface>
            set dstintf <interface>
            set srcaddr <IPv4_address>
            set dstaddr <IPv4_address>
            set srcaddr6 <IPv6_address>
            set dstaddr6 <IPv6_address>
        end
    next
end

Filter examples

To synchronize only sessions with a particular source subnet:
config system cluster-sync
    edit 1
        config session-sync-filter
            set srcaddr 192.168.20.0/24
        end
    next
end
To synchronize only sessions with a particular source address range:
config system cluster-sync
    edit 1
        config session-sync-filter
            set srcaddr 192.168.20.10 192.168.20.20
        end
    next
end
To synchronize only sessions with a particular IPv6 destination subnet:
config system cluster-sync
    edit 1
        config session-sync-filter
            set dstaddr6 2001:db8:0:2::/64
        end
    next
end
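The three filter examples above show the two value forms a `session-sync-filter` address field accepts: a subnet in CIDR notation and a range written as two addresses. The following script is an added example (not part of the original page or of FortiOS) that models which sessions such a filter would select, so that a filter can be sanity-checked against sample traffic before it is committed. It goes beyond the page's three examples by combining interface and address fields, and it assumes, as a hypothetical reading of the filter semantics rather than documented behaviour, that every configured field of one filter entry must match (AND) and that an address field only applies to sessions of its own IP family.

```python
import ipaddress


def parse_addr_filter(value):
    """Turn a srcaddr/dstaddr/srcaddr6/dstaddr6 value into (ip_version, predicate).

    Two whitespace-separated addresses form an inclusive range ("192.168.20.10 192.168.20.20");
    anything else is read as a subnet ("192.168.20.0/24", "2001:db8:0:2::/64").
    """
    parts = value.split()
    if len(parts) == 2:
        start, end = (ipaddress.ip_address(p) for p in parts)
        if start.version != end.version or start > end:
            raise ValueError(f"invalid address range: {value!r}")
        return start.version, lambda ip: start <= ip <= end
    net = ipaddress.ip_network(parts[0], strict=False)
    return net.version, lambda ip: ip in net


def _addr_ok(tests, ip):
    """Apply only the address tests of the session's IP family; none for that family means no match."""
    if not tests:
        return True
    same_family = [pred for version, pred in tests if version == ip.version]
    return bool(same_family) and all(pred(ip) for pred in same_family)


class SessionSyncFilter:
    """Hypothetical model of one 'config session-sync-filter' block (assumed AND semantics)."""

    def __init__(self, srcintf=None, dstintf=None, srcaddr=None, dstaddr=None,
                 srcaddr6=None, dstaddr6=None):
        self.srcintf, self.dstintf = srcintf, dstintf
        self.src_tests = [parse_addr_filter(v) for v in (srcaddr, srcaddr6) if v]
        self.dst_tests = [parse_addr_filter(v) for v in (dstaddr, dstaddr6) if v]

    def matches(self, session):
        """True if the session would be synchronized under this filter (no fields set = all sessions)."""
        if self.srcintf and session["srcintf"] != self.srcintf:
            return False
        if self.dstintf and session["dstintf"] != self.dstintf:
            return False
        return _addr_ok(self.src_tests, session["src"]) and _addr_ok(self.dst_tests, session["dst"])


def make_session(src, dst, srcintf="port1", dstintf="port2"):
    """Constructed session record: the four fields the filter looks at."""
    return {"src": ipaddress.ip_address(src), "dst": ipaddress.ip_address(dst),
            "srcintf": srcintf, "dstintf": dstintf}


if __name__ == "__main__":
    # The page's three examples, each checked against one matching and one non-matching session.
    cases = [
        (SessionSyncFilter(srcaddr="192.168.20.0/24"), "192.168.20.10", "192.168.21.10"),
        (SessionSyncFilter(srcaddr="192.168.20.10 192.168.20.20"), "192.168.20.15", "192.168.20.21"),
    ]
    for flt, inside, outside in cases:
        print(flt.matches(make_session(inside, "10.1.100.22")),
              flt.matches(make_session(outside, "10.1.100.22")))
    v6 = SessionSyncFilter(dstaddr6="2001:db8:0:2::/64")
    print(v6.matches(make_session("2001:db8::1", "2001:db8:0:2::10")))
```

A filter with no fields set matches every session, which mirrors the page's default of synchronizing all sessions when no `session-sync-filter` is configured; under the assumed family rule, an IPv4-only `srcaddr` filter does not select IPv6 sessions, so a mixed-family deployment needs both `srcaddr` and `srcaddr6` in the entry.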