Administration Guide

Layer 3 unicast standalone configuration synchronization

Unicast standalone configuration synchronization is supported on layer 3, allowing peers to be synchronized in cloud environments that do not support layer 2 networking. Configuring a unicast gateway allows peers to be in different subnets.

Example

In this example, two FortiGates in different subnets are connected through a unicast gateway. Both cluster members use the same port for the heartbeat interface.

To configure unicast synchronization between peers:
  1. Configure FortiGate A:

    config system ha
        set group-name "testcs"
        set hbdev "port3" 50
        set standalone-config-sync enable
        config unicast-peers
            edit 1
                set peer-ip 10.1.100.72
            next
        end
        set override enable
        set priority 200
        set unicast-status enable
        set unicast-gateway 172.16.200.74
    end
  2. Configure FortiGate B:

    config system ha
        set group-name "testcs"
        set hbdev "port3" 50
        set standalone-config-sync enable
        config unicast-peers
            edit 1
                set peer-ip 172.16.200.71
            next
        end
        set override enable
        set priority 100
        set unicast-status enable
        set unicast-gateway 10.1.100.74
    end
  3. Check the HA status on FortiGate A:

    # get system ha status
    HA Health Status: OK
    Model: FortiGate-VM64
    Mode: ConfigSync
    Group: 0
    Debug: 0
    Cluster Uptime: 2 days 3:40:25
    Cluster state change time: 2021-03-08 12:00:38
    Primary selected using:
        <2021/03/08 12:00:38> FGVMSLTM00000001 is selected as the primary because its override priority is larger than peer member FGVMSLTM00000002.
        <2021/03/06 11:50:35> FGVMSLTM00000001 is selected as the primary because it's the only member in the cluster.
    ses_pickup: disable
    override: enable
    Configuration Status:
        FGVMSLTM21000151(updated 5 seconds ago): in-sync
        FGVMSLTM21000152(updated 5 seconds ago): in-sync
    System Usage stats:
        FGVMSLTM21000151(updated 5 seconds ago):
            sessions=7, average-cpu-user/nice/system/idle=0%/0%/0%/100%, memory=24%
        FGVMSLTM21000152(updated 5 seconds ago):
            sessions=5, average-cpu-user/nice/system/idle=0%/0%/0%/100%, memory=23%
    HBDEV stats:
        FGVMSLTM21000151(updated 5 seconds ago):
            port3: physical/1000auto, up, rx-bytes/packets/dropped/errors=466060007/1049137/0/0, tx=429538329/953028/0/0
        FGVMSLTM21000152(updated 5 seconds ago):
            port3: physical/1000auto, up, rx-bytes/packets/dropped/errors=48805199/85441/0/0, tx=33470286/81425/0/0
    Primary     : FGT-71          , FGVMSLTM00000001, HA cluster index = 1
    Secondary   : FGT-72          , FGVMSLTM00000002, HA cluster index = 0
    number of vcluster: 1
    vcluster 1: work 0.0.0.0
    Primary: FGVMSLTM00000001, HA operating index = 0
    Secondary: FGVMSLTM00000002, HA operating index = 1
  4. Check the HA checksums on FortiGate A:

    # diagnose sys ha checksum cluster
    
    ================== FGVMSLTM00000001 ==================
    
    is_manage_primary()=1, is_root_primary()=1
    debugzone
    global: 4f 2c a2 04 07 57 46 c4 47 28 ca d2 5a c5 98 ee
    root: 16 af 5d a4 ac cf a5 4b b7 22 93 ce f9 02 68 bc
    all: 6e 28 7f 8a 74 f7 37 43 8f 32 73 68 1e d6 ca cd
    
    checksum
    global: 4f 2c a2 04 07 57 46 c4 47 28 ca d2 5a c5 98 ee
    root: 16 af 5d a4 ac cf a5 4b b7 22 93 ce f9 02 68 bc
    all: 6e 28 7f 8a 74 f7 37 43 8f 32 73 68 1e d6 ca cd
    
    ================== FGVMSLTM00000002 ==================
    
    is_manage_primary()=0, is_root_primary()=1
    debugzone
    global: 4f 2c a2 04 07 57 46 c4 47 28 ca d2 5a c5 98 ee
    root: 16 af 5d a4 ac cf a5 4b b7 22 93 ce f9 02 68 bc
    all: 6e 28 7f 8a 74 f7 37 43 8f 32 73 68 1e d6 ca cd
    
    checksum
    global: 4f 2c a2 04 07 57 46 c4 47 28 ca d2 5a c5 98 ee
    root: 16 af 5d a4 ac cf a5 4b b7 22 93 ce f9 02 68 bc
    all: 6e 28 7f 8a 74 f7 37 43 8f 32 73 68 1e d6 ca cd
  5. Verify that configuration changes on the primary FortiGate are synchronized to the secondary FortiGate:

    1. Adjust the administrator timeout value on FortiGate A:

      config system global
          set admintimeout 100
      end
    2. Check the debug messages on FortiGate B:

      # diagnose debug cli 7
      Debug messages will be on for 30 minutes.
      
      # diagnose debug enable
      
      create pid=15639, clictxno=0, last=1615246288
      0: conf sys global
      0: set admintimeout 100
      0: end
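
The check in step 4 can be automated. The following is an added example, not Fortinet code: it parses saved `diagnose sys ha checksum cluster` output and reports every checksum scope where a peer differs from the first member listed. The sample text is constructed, with shortened hex values; `parse_checksums`, `find_drift` and `_block` are hypothetical names.

```python
import re
from collections import defaultdict

HEADER = re.compile(r"^=+\s*(\S+)\s*=+$")                   # ===== <serial> =====
SUM = re.compile(r"^(\w[\w-]*):\s*((?:[0-9a-f]{2} ?)+)$")   # global: 4f 2c ...

def parse_checksums(text):
    """Return {serial: {section: {scope: hex}}} from the command output."""
    out, serial, section = defaultdict(lambda: defaultdict(dict)), None, None
    for line in (l.strip() for l in text.splitlines()):
        if m := HEADER.match(line):
            serial, section = m.group(1), None
        elif line in ("debugzone", "checksum"):
            section = line
        elif serial and section and (m := SUM.match(line)):
            out[serial][section][m.group(1)] = m.group(2).replace(" ", "")
    return out

def find_drift(text):
    """List (serial, section, scope) where a peer differs from the first member."""
    members = parse_checksums(text)
    if len(members) < 2:
        raise ValueError("need at least two cluster members to compare")
    (_, ref), *peers = members.items()
    drift = []
    for serial, sections in peers:
        for section in ("debugzone", "checksum"):
            want, got = ref.get(section, {}), sections.get(section, {})
            # A scope missing on either side also counts as a difference.
            for scope in sorted(want.keys() | got.keys()):
                if want.get(scope) != got.get(scope):
                    drift.append((serial, section, scope))
    return drift

def _block(serial, glob, every):
    # Constructed sample output for one member; hex values are shortened.
    sums = f"global: {glob}\nroot: 16 af 5d a4\nall: {every}\n"
    return (f"================== {serial} ==================\n\n"
            f"is_manage_primary()=1, is_root_primary()=1\n"
            f"debugzone\n{sums}\nchecksum\n{sums}\n")

A = _block("FGVMSLTM00000001", "4f 2c a2 04", "6e 28 7f 8a")
SAMPLE_IN_SYNC = A + _block("FGVMSLTM00000002", "4f 2c a2 04", "6e 28 7f 8a")
SAMPLE_DRIFT = A + _block("FGVMSLTM00000002", "aa bb cc dd", "11 22 33 44")

if __name__ == "__main__":
    print(find_drift(SAMPLE_IN_SYNC), find_drift(SAMPLE_DRIFT))
```

An empty result means every scope matches across members; any entry names the member, section and scope to investigate.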
