Fortinet black logo

Hyperscale Firewall Guide

FGCP HA hardware session synchronization timers

FGCP HA hardware session synchronization timers

You can use the following options to set timers associated with hardware session synchronization after an FGCP HA failover:

config system ha

set hw-session-hold-time <seconds>

set hw-session-sync-delay <seconds>

end

hw-session-hold-time the amount of time in seconds after a failover to hold hardware sessions before purging them from the new secondary FortiGate. The range is 0 to 180 seconds. The default is 10 seconds.

hw-session-sync-delay the amount of time to wait after a failover before the new primary FortiGate synchronizes hardware sessions to the new secondary FortiGate. The range is 0 - 3600 seconds. The default is 150 seconds.

After an HA failover, the new secondary FortiGate waits for the hw-session-hold-time and then purges all sessions and frees up all resources. Then, after the hw-session-sync-delay, the new primary FortiGate synchronizes all hardware sessions to the new secondary FortiGate. The hw-session-sync-delay gives the new secondary FortiGate enough time to finish purging sessions and freeing up resources before starting session synchronization.

The default configuration means that there is a 150 second delay before sessions are synchronized to the new secondary FortiGate. You can use the new options to adjust the timers depending on the requirements of your network conditions. For example, if you would rather not wait 150 seconds for hardware sessions to be synchronized to the new secondary FortiGate, you can adjust the hw-session-sync-delay timer.

FGCP HA hardware session synchronization timers

You can use the following options to set timers associated with hardware session synchronization after an FGCP HA failover:

config system ha

set hw-session-hold-time <seconds>

set hw-session-sync-delay <seconds>

end

hw-session-hold-time the amount of time in seconds after a failover to hold hardware sessions before purging them from the new secondary FortiGate. The range is 0 to 180 seconds. The default is 10 seconds.

hw-session-sync-delay the amount of time to wait after a failover before the new primary FortiGate synchronizes hardware sessions to the new secondary FortiGate. The range is 0 - 3600 seconds. The default is 150 seconds.

After an HA failover, the new secondary FortiGate waits for the hw-session-hold-time and then purges all sessions and frees up all resources. Then, after the hw-session-sync-delay, the new primary FortiGate synchronizes all hardware sessions to the new secondary FortiGate. The hw-session-sync-delay gives the new secondary FortiGate enough time to finish purging sessions and freeing up resources before starting session synchronization.

The default configuration means that there is a 150 second delay before sessions are synchronized to the new secondary FortiGate. You can use the new options to adjust the timers depending on the requirements of your network conditions. For example, if you would rather not wait 150 seconds for hardware sessions to be synchronized to the new secondary FortiGate, you can adjust the hw-session-sync-delay timer.