
CLI Reference

config system cluster-sync

Configure FortiGate Session Life Support Protocol (FGSP) session synchronization.

    config system cluster-sync
        Description: Configure FortiGate Session Life Support Protocol (FGSP) session synchronization.
        edit <sync-id>
            set peervd {string}
            set peerip {ipv4-address}
            set syncvd <name1>, <name2>, ...
            set down-intfs-before-sess-sync <name1>, <name2>, ...
            set hb-interval {integer}
            set hb-lost-threshold {integer}
            set ipsec-tunnel-sync [enable|disable]
            set ike-monitor [enable|disable]
            set ike-monitor-interval {integer}
            set ike-heartbeat-interval {integer}
            set secondary-add-ipsec-routes [enable|disable]
            config session-sync-filter
                Description: Add one or more filters if you only want to synchronize some sessions. Use the filter to configure the types of sessions to synchronize.
                set srcintf {string}
                set dstintf {string}
                set srcaddr {ipv4-classnet-any}
                set dstaddr {ipv4-classnet-any}
                set srcaddr6 {ipv6-network}
                set dstaddr6 {ipv6-network}
                config custom-service
                    Description: Only sessions using these custom services are synchronized. Use source and destination port ranges to define these custom services.
                    edit <id>
                        set src-port-range {user}
                        set dst-port-range {user}
                    next
                end
            end
        next
    end

config system cluster-sync

| Parameter | Description | Type | Size | Default |
|---|---|---|---|---|
| peervd | VDOM that contains the session synchronization link interface on the peer unit. Usually both peers would have the same peervd. | string | Maximum length: 31 | root |
| peerip | IP address of the interface on the peer unit that is used for the session synchronization link. | ipv4-address | Not Specified | 0.0.0.0 |
| syncvd <name> | Sessions from these VDOMs are synchronized using this session synchronization configuration. VDOM name. | string | Maximum length: 79 | |
| down-intfs-before-sess-sync <name> | List of interfaces to be turned down before session synchronization is complete. Interface name. | string | Maximum length: 79 | |
| hb-interval | Heartbeat interval. | integer | Minimum value: 1 Maximum value: 10 | 2 |
| hb-lost-threshold | Lost heartbeat threshold. | integer | Minimum value: 1 Maximum value: 10 | 3 |
| ipsec-tunnel-sync | Enable/disable IPsec tunnel synchronization. Options: enable (Enable IPsec tunnel synchronization.), disable (Disable IPsec tunnel synchronization.) | option | - | enable |
| ike-monitor | Enable/disable IKE HA monitor. Options: enable (Enable IKE HA monitor.), disable (Disable IKE HA monitor.) | option | - | disable |
| ike-monitor-interval | IKE HA monitor interval. | integer | Minimum value: 10 Maximum value: 300 | 15 |
| ike-heartbeat-interval | IKE heartbeat interval. | integer | Minimum value: 1 Maximum value: 60 | 3 |
| secondary-add-ipsec-routes | Enable/disable IKE route announcement on the backup unit. Options: enable (Add IKE routes to the backup unit.), disable (Do not add IKE routes to the backup unit.) | option | - | enable |

config session-sync-filter

| Parameter | Description | Type | Size | Default |
|---|---|---|---|---|
| srcintf | Only sessions from this interface are synchronized. You can only enter one interface name. To synchronize sessions for multiple source interfaces, add multiple filters. | string | Maximum length: 15 | |
| dstintf | Only sessions to this interface are synchronized. You can only enter one interface name. To synchronize sessions to multiple destination interfaces, add multiple filters. | string | Maximum length: 15 | |
| srcaddr | Only sessions from this IPv4 address are synchronized. You can only enter one address. To synchronize sessions from multiple source addresses, add multiple filters. | ipv4-classnet-any | Not Specified | 0.0.0.0 0.0.0.0 |
| dstaddr | Only sessions to this IPv4 address are synchronized. You can only enter one address. To synchronize sessions for multiple destination addresses, add multiple filters. | ipv4-classnet-any | Not Specified | 0.0.0.0 0.0.0.0 |
| srcaddr6 | Only sessions from this IPv6 address are synchronized. You can only enter one address. To synchronize sessions from multiple source addresses, add multiple filters. | ipv6-network | Not Specified | ::/0 |
| dstaddr6 | Only sessions to this IPv6 address are synchronized. You can only enter one address. To synchronize sessions for multiple destination addresses, add multiple filters. | ipv6-network | Not Specified | ::/0 |

config custom-service

| Parameter | Description | Type | Size | Default |
|---|---|---|---|---|
| src-port-range | Custom service source port range. | user | Not Specified | 0-0 |
| dst-port-range | Custom service destination port range. | user | Not Specified | 0-0 |
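
As an added illustration (constructed here, not taken from Fortinet's documentation), the fragment below shows how the nested blocks above fit together when only some sessions should be synchronized. Because each session-sync-filter accepts a single srcintf, it assumes that covering two source interfaces means two cluster-sync entries that point at the same peer. The peer address 192.0.2.2, the interface names port1 and port2, the subnet and the port values are placeholders, and the `#` lines are annotations for the reader.

```fortios
# Constructed example: addresses, interface names and ports are placeholders.
config system cluster-sync
    # Entry 1: synchronize only sessions that arrive on port1.
    # hb-interval and hb-lost-threshold are shown at their documented defaults.
    edit 1
        set peervd "root"
        set peerip 192.0.2.2
        set syncvd "root"
        set hb-interval 2
        set hb-lost-threshold 3
        config session-sync-filter
            set srcintf "port1"
        end
    next
    # Entry 2: same peer, second source interface (assumed reading of
    # "add multiple filters"), narrowed to one destination subnet and
    # to destination port 443 from any source port.
    edit 2
        set peervd "root"
        set peerip 192.0.2.2
        set syncvd "root"
        config session-sync-filter
            set srcintf "port2"
            set dstaddr 10.0.10.0 255.255.255.0
            config custom-service
                edit 1
                    set src-port-range 1-65535
                    set dst-port-range 443-443
                next
            end
        end
    next
end
```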
