Administration Guide

Session pickup

When session-pickup is enabled, the FGCP synchronizes the primary unit’s TCP session table to all cluster units. As soon as a new TCP session is added to the primary unit’s session table, that session is synchronized to all cluster units. This synchronization happens as quickly as possible to ensure the session tables remain synchronized.

If the primary unit fails, the new primary unit uses its synchronized session table to resume all TCP sessions that were being processed by the former primary unit, resulting in only minimal interruption. Under ideal conditions, all TCP sessions should be resumed. However, this is not guaranteed, and under less than ideal conditions, some TCP sessions may need to be restarted.

To enable session pickup in the GUI:
  1. Go to System > HA.

  2. Select the Primary FortiGate and click Edit.

  3. Under Cluster Settings, enable Session pickup.

  4. Click OK to save the setting.

To enable session pickup in the CLI:
config system ha
    set session-pickup enable
end

Enabling UDP, ICMP and broadcast packet session failover

By default, the FGCP does not maintain a session table for UDP, ICMP, or broadcast packets, even when session pickup is enabled. This means that the cluster does not specifically support the failover of these types of packets. However, it is possible to enable session pickup for UDP and ICMP packets. To do this, you must first enable session pickup for TCP sessions. After that, you can enable session pickup for connectionless sessions:

config system ha
    set session-pickup enable
    set session-pickup-connectionless enable
end

This configuration causes the cluster units to synchronize UDP and ICMP session tables, so if a failover occurs, UDP and ICMP sessions are maintained.

Enabling multicast session failover

To configure multicast session failover, use the following command to change the multicast TTL timer to a smaller value than the default. The recommended setting to support multicast session failover is 120 seconds (2 minutes). The default setting is 600 seconds (10 minutes).

config system ha
    set multicast-ttl 120
end

The multicast TTL timer controls how long synchronized multicast routes are kept on the backup unit, ensuring they are present on the backup unit when it becomes the new primary unit after a failover. If you set the multicast TTL lower, the multicast routes on the backup unit are refreshed more often and are therefore more likely to be accurate. However, reducing this time causes route synchronization to happen more often, which could affect performance.
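The three settings above are usually applied together. The following fragment is an added example, not taken from the Fortinet guide, that combines TCP session pickup, connectionless (UDP/ICMP) pickup and the shorter multicast TTL in one `config system ha` block, followed by the commands used to confirm the result. The `#` lines are comments for the reader; the verification commands are standard FortiOS CLI commands, but their exact output format depends on the FortiOS version in use, so treat the expected output as an assumption.

```fortios
# Added example (not from the guide): enable full session failover on the cluster.
# Enter this on the primary FortiGate, the same unit the GUI procedure above edits.
config system ha
    # Synchronize the primary unit's TCP session table to every cluster unit.
    set session-pickup enable
    # Extends pickup to UDP and ICMP session tables.
    # Only takes effect when session-pickup is already enabled (see above).
    set session-pickup-connectionless enable
    # Keep synchronized multicast routes on the backup unit for 120 s
    # instead of the 600 s default, so they are current at failover time.
    set multicast-ttl 120
end

# Verification after the change:
#   get system ha status        -- every member should report as in sync
#   diagnose sys session stat   -- session counts on the unit you are logged in to
```

With this configuration in place, a failover keeps TCP, UDP and ICMP sessions; with only `set session-pickup enable`, UDP and ICMP sessions are dropped at failover and must be re-established by the endpoints, as described in the previous section. Because the extra synchronization costs CPU and heartbeat bandwidth, compare the session counts from `diagnose sys session stat` on the primary and a backup unit before and after enabling connectionless pickup to see how much state is actually being replicated.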

Disabling session pickup

If you leave session pickup disabled, the cluster doesn’t track sessions, and active sessions must be restarted or resumed after a failover. This is usually handled by TCP/IP communications.

Note

The session-pickup setting does not affect session failover for sessions terminated by the cluster.

Disabling session pickup can reduce CPU and network bandwidth usage, especially if your cluster is mainly used for unsynchronized traffic. However, if session pickup is not enabled, sessions won’t resume after a failover, causing a brief interruption. Most protocols can restart sessions with minimal data loss. For instance, web users can refresh their browsers to resume browsing, but large file downloads may need to be restarted. Some protocols may require manual session restarts, like FTP file downloads.
