Basic FGSP HA hardware session synchronization configuration example
The following steps describe how to set up a basic FGSP configuration to provide FGSP HA hardware session synchronization between one or more hyperscale firewall VDOMs in two FortiGate peers.
Use the following steps to configure FGSP on both of the peers in the FGSP cluster.
- Enable FGSP for a hyperscale firewall VDOM, named MyCGN-hw12:
config system cluster-sync
edit 1
set peerip 1.1.1.1
set syncvd MyCGN-hw12
end
If your FortiGate has multiple hyperscale firewall VDOMs, you can add the names of the hyperscale VDOMs to be synchronized to the syncvd option. For example:
config system cluster-sync
edit 1
set peerip 1.1.1.1
set syncvd MyCGN-hw12, MyCGN-hw22
end
In most cases you should create only one cluster-sync instance. If you create multiple cluster-sync instances, all FGSP HA hardware session synchronization sessions will be sent to the interface used by each cluster-sync instance.
- Configure FGSP session synchronization as required. All session synchronization options are supported. For example:
config system ha
set session-pickup enable
set session-pickup-connectionless enable
set session-pickup-expectation enable
set session-pickup-nat enable
end
- Configure networking on the FortiGate so that traffic to be forwarded to the peer IP address (in the example, 1.1.1.1) passes through a data interface or data interface LAG.
This data interface or data interface LAG becomes the FGSP HA hardware session synchronization interface. If the data interface or data interface LAG is in the root VDOM, no additional configuration is required.
If the data interface or data interface LAG is not in the root VDOM, you need to use the peervd option to specify the VDOM that the interface is in. For example, if the data interface or data interface LAG is in the MyCGN-hw12 VDOM:
config system cluster-sync
edit 1
set peerip 1.1.1.1
set syncvd MyCGN-hw12, MyCGN-hw22
set peervd MyCGN-hw12
end
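Because the steps above must be applied on both peers, a quick consistency check of the two resulting cluster-sync blocks catches the common mistakes before failover is relied on: more than one cluster-sync instance, a peerip that does not point at the other peer, an empty syncvd list, or syncvd lists that differ between peers. The following is an added example, not Fortinet code; the CLI dumps, the peer addresses (1.1.1.1 and 1.1.1.2) and the VDOM names are constructed sample values, and it assumes both peers are configured with the same VDOM list as the steps describe.

```python
import shlex

# Constructed sample dumps (not from the page): peer A at 1.1.1.2 points
# at peer B at 1.1.1.1, and peer B points back at A.
PEER_A_CLI = """
config system cluster-sync
    edit 1
        set peerip 1.1.1.1
        set syncvd MyCGN-hw12, MyCGN-hw22
        set peervd MyCGN-hw12
    next
end
"""
PEER_B_CLI = PEER_A_CLI.replace("1.1.1.1", "1.1.1.2")

def parse_cluster_sync(cli_text):
    """Return {instance_id: {option: [values]}} for `config system cluster-sync`."""
    instances, current, in_block = {}, None, False
    for raw in cli_text.splitlines():
        line = raw.strip()
        if line == "config system cluster-sync":
            in_block = True
        elif not in_block:
            continue
        elif line.startswith("edit "):
            current = line.split(None, 1)[1].strip('"')
            instances[current] = {}
        elif line.startswith("set ") and current is not None:
            _, key, *vals = shlex.split(line)  # shlex drops quotes around names
            # syncvd may be written "a, b" or "a b"; normalize to a flat list
            instances[current][key] = [v for t in vals for v in t.split(",") if v]
        elif line == "next":
            current = None
        elif line == "end":
            in_block, current = False, None
    return instances

def check_fgsp_pair(cli_a, ip_a, cli_b, ip_b):
    """Return a list of problems for peers A and B; an empty list means consistent."""
    problems, vdoms = [], {}
    peers = {"A": (parse_cluster_sync(cli_a), ip_b), "B": (parse_cluster_sync(cli_b), ip_a)}
    for name, (inst, other_ip) in peers.items():
        if len(inst) != 1:  # the page recommends a single cluster-sync instance
            problems.append(f"{name}: expected 1 cluster-sync instance, found {len(inst)}")
            continue
        opts = next(iter(inst.values()))
        if opts.get("peerip") != [other_ip]:
            problems.append(f"{name}: peerip {opts.get('peerip')} is not the other peer {other_ip}")
        if not opts.get("syncvd"):
            problems.append(f"{name}: syncvd is empty, no VDOM sessions will be synchronized")
        vdoms[name] = sorted(opts.get("syncvd", []))
    if len(vdoms) == 2 and vdoms["A"] != vdoms["B"]:
        problems.append(f"syncvd lists differ between peers: {vdoms['A']} vs {vdoms['B']}")
    return problems

if __name__ == "__main__":
    print(check_fgsp_pair(PEER_A_CLI, "1.1.1.2", PEER_B_CLI, "1.1.1.1") or "OK")
```

Feed it the output of `show system cluster-sync` from each peer; a second `edit` block in either dump is reported as an extra instance rather than silently merged.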