New FGCP HA hardware session synchronization timers

Hyperscale firewall for FortiOS 7.0.8 supports the following new CLI options to set timers associated with hardware session synchronization after an FGCP HA failover:

config system ha
    set hw-session-sync-dev <interface-name>
    set hw-session-hold-time <seconds>
    set hw-session-sync-delay <seconds>
end

hw-session-hold-time: the amount of time in seconds after a failover to hold hardware sessions before purging them from the new secondary FortiGate. The range is 0 to 180 seconds. The default is 10 seconds.

hw-session-sync-delay: the amount of time to wait after a failover before the new primary FortiGate synchronizes hardware sessions to the new secondary FortiGate. The range is 0 to 3600 seconds. The default is 150 seconds.

After an HA failover, the new secondary FortiGate waits for the hw-session-hold-time and then purges all sessions and frees up all resources. Then, after the hw-session-sync-delay, the new primary FortiGate synchronizes all hardware sessions to the new secondary FortiGate. The hw-session-sync-delay gives the new secondary FortiGate enough time to finish purging sessions and freeing up resources before starting session synchronization.

The default configuration means that there is a 150-second delay before sessions are synchronized to the new secondary FortiGate. You can use the new options to adjust the timers to suit your network conditions. For example, if you would rather not wait 150 seconds for hardware sessions to be synchronized to the new secondary FortiGate, you can adjust the hw-session-sync-delay timer.
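As an added example (not Fortinet's code), the following Python check reads the two timers from the config system ha block of a configuration backup, verifies the ranges given above, and flags a hw-session-sync-delay that does not exceed hw-session-hold-time. The ordering check assumes, per the descriptions above, that both timers start at failover; the function names and sample configurations are constructed for illustration.

```python
import re

# Ranges and defaults (seconds) as stated on this page: name -> (min, max, default).
LIMITS = {
    "hw-session-hold-time": (0, 180, 10),
    "hw-session-sync-delay": (0, 3600, 150),
}

def parse_ha_timers(config_text):
    """Return the timer values from the 'config system ha' block, using defaults when unset."""
    timers = {name: default for name, (_, _, default) in LIMITS.items()}
    in_ha = False
    for raw in config_text.splitlines():
        line = raw.strip()
        if line == "config system ha":
            in_ha = True
        elif in_ha and line == "end":
            break
        elif in_ha:
            m = re.fullmatch(r"set (\S+) (\d+)", line)
            if m and m.group(1) in LIMITS:
                timers[m.group(1)] = int(m.group(2))
    return timers

def audit_ha_timers(config_text):
    """Return a list of findings; an empty list means the timers pass both checks."""
    timers = parse_ha_timers(config_text)
    findings = []
    for name, (low, high, _) in LIMITS.items():
        if not low <= timers[name] <= high:
            findings.append(f"{name}={timers[name]} outside {low}-{high}")
    hold, delay = timers["hw-session-hold-time"], timers["hw-session-sync-delay"]
    # Assumption drawn from the description above: both timers start at failover,
    # so synchronization should begin only after the hold time has elapsed.
    if delay <= hold:
        findings.append(f"sync delay {delay}s does not exceed hold time {hold}s")
    return findings

# Constructed sample configurations (not taken from a real device).
SAMPLE_OK = """config system ha
    set hw-session-hold-time 10
    set hw-session-sync-delay 60
end"""
SAMPLE_BAD = """config system ha
    set hw-session-hold-time 30
    set hw-session-sync-delay 20
end"""

if __name__ == "__main__":
    print(audit_ha_timers(SAMPLE_OK), audit_ha_timers(SAMPLE_BAD))
```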
