
config system standalone-cluster

Configure FortiGate Session Life Support Protocol (FGSP) cluster attributes.

    config system standalone-cluster
        Description: Configure FortiGate Session Life Support Protocol (FGSP) cluster attributes.
        set standalone-group-id {integer}
        set group-member-id {integer}
        set layer2-connection [available|unavailable]
        set session-sync-dev {user}
        set encryption [enable|disable]
        set psksecret {password-3}
        config cluster-peer
            Description: Configure FortiGate Session Life Support Protocol (FGSP) session synchronization.
            edit <sync-id>
                set peervd {string}
                set peerip {ipv4-address}
                set syncvd <name1>, <name2>, ...
                set down-intfs-before-sess-sync <name1>, <name2>, ...
                set hb-interval {integer}
                set hb-lost-threshold {integer}
                set ipsec-tunnel-sync [enable|disable]
                set secondary-add-ipsec-routes [enable|disable]
                config session-sync-filter
                    Description: Add one or more filters if you only want to synchronize some sessions. Use the filter to configure the types of sessions to synchronize.
                    set srcintf {string}
                    set dstintf {string}
                    set srcaddr {ipv4-classnet-any}
                    set dstaddr {ipv4-classnet-any}
                    set srcaddr6 {ipv6-network}
                    set dstaddr6 {ipv6-network}
                    config custom-service
                        Description: Only sessions using these custom services are synchronized. Use source and destination port ranges to define these custom services.
                        edit <id>
                            set src-port-range {user}
                            set dst-port-range {user}
                        next
                    end
                end
            next
        end
    end

config system standalone-cluster

| Parameter | Description | Type | Size | Default |
|---|---|---|---|---|
| standalone-group-id | Cluster group ID. Must be the same for all members. | integer | Minimum value: 0 Maximum value: 255 | 0 |
| group-member-id | Cluster member ID. | integer | Minimum value: 0 Maximum value: 15 | 0 |
| layer2-connection | Indicate whether layer 2 connections are present among FGSP members. Options: available = There exist layer 2 connections among FGSP members; unavailable = There does not exist layer 2 connection among FGSP members. | option | - | unavailable |
| session-sync-dev | Offload session-sync process to kernel and sync sessions using connected interface(s) directly. | user | Not Specified | |
| encryption | Enable/disable encryption when synchronizing sessions. Options: enable = Enable encryption when synchronizing sessions; disable = Disable encryption when synchronizing sessions. | option | - | disable |
| psksecret | Pre-shared secret for session synchronization (ASCII string or hexadecimal encoded with a leading 0x). | password-3 | Not Specified | |

config cluster-peer

| Parameter | Description | Type | Size | Default |
|---|---|---|---|---|
| peervd | VDOM that contains the session synchronization link interface on the peer unit. Usually both peers would have the same peervd. | string | Not Specified | root |
| peerip | IP address of the interface on the peer unit that is used for the session synchronization link. | ipv4-address | Not Specified | 0.0.0.0 |
| syncvd <name> | Sessions from these VDOMs are synchronized using this session synchronization configuration. VDOM name. | string | Maximum length: 79 | |
| down-intfs-before-sess-sync <name> | List of interfaces to be turned down before session synchronization is complete. Interface name. | string | Maximum length: 79 | |
| hb-interval | Heartbeat interval. Increase to reduce false positives. | integer | Minimum value: 1 Maximum value: 20 | 2 |
| hb-lost-threshold | Lost heartbeat threshold. Increase to reduce false positives. | integer | Minimum value: 1 Maximum value: 60 | 10 |
| ipsec-tunnel-sync | Enable/disable IPsec tunnel synchronization. Options: enable = Enable IPsec tunnel synchronization; disable = Disable IPsec tunnel synchronization. | option | - | enable |
| secondary-add-ipsec-routes | Enable/disable IKE route announcement on the backup unit. Options: enable = Add IKE routes to the backup unit; disable = Do not add IKE routes to the backup unit. | option | - | enable |

config session-sync-filter

| Parameter | Description | Type | Size | Default |
|---|---|---|---|---|
| srcintf | Only sessions from this interface are synchronized. | string | Not Specified | |
| dstintf | Only sessions to this interface are synchronized. | string | Not Specified | |
| srcaddr | Only sessions from this IPv4 address are synchronized. | ipv4-classnet-any | Not Specified | 0.0.0.0 0.0.0.0 |
| dstaddr | Only sessions to this IPv4 address are synchronized. | ipv4-classnet-any | Not Specified | 0.0.0.0 0.0.0.0 |
| srcaddr6 | Only sessions from this IPv6 address are synchronized. | ipv6-network | Not Specified | ::/0 |
| dstaddr6 | Only sessions to this IPv6 address are synchronized. | ipv6-network | Not Specified | ::/0 |

config custom-service

| Parameter | Description | Type | Size | Default |
|---|---|---|---|---|
| src-port-range | Custom service source port range. | user | Not Specified | 0-0 |
| dst-port-range | Custom service destination port range. | user | Not Specified | 0-0 |
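
An added example (not Fortinet code): a Python check that reads each member's `show system standalone-cluster` output, applies the defaults listed in the tables above (encryption `disable`, peerip `0.0.0.0`, standalone-group-id `0`), and reports members whose session sync is unencrypted, peers with no address, and group IDs that differ between members. The hostnames, addresses, secret placeholder and config text are constructed, and the parser assumes that `show` output omits values left at their default.

```python
def parse(text):
    """Parse FortiOS config/edit/set/next/end text into nested dicts."""
    stack = [{}]
    for line in text.splitlines():
        tok = line.split()
        if tok[:1] in (["config"], ["edit"]):
            stack.append(stack[-1].setdefault(" ".join(tok), {}))
        elif tok[:1] == ["set"] and len(tok) >= 3:
            stack[-1][tok[1]] = " ".join(tok[2:]).strip('"')
        elif tok[:1] in (["next"], ["end"]) and len(stack) > 1:
            stack.pop()
    return stack[0]

def audit(members):
    """members maps hostname -> config text; missing keys take the page's defaults."""
    findings, group_ids = [], set()
    for host, text in members.items():
        sc = parse(text).get("config system standalone-cluster", {})
        group_ids.add(sc.get("standalone-group-id", "0"))
        if sc.get("encryption", "disable") != "enable":
            findings.append(f"{host}: encryption disabled, session sync is unencrypted")
        for peer, cfg in sc.get("config cluster-peer", {}).items():
            if cfg.get("peerip", "0.0.0.0") == "0.0.0.0":
                findings.append(f"{host} {peer}: peerip unset (0.0.0.0)")
    if len(group_ids) > 1:
        findings.append("standalone-group-id differs: " + ", ".join(sorted(group_ids)))
    return findings

# Constructed sample configs for two FGSP members (not from a real device).
FGT_A = """config system standalone-cluster
    set standalone-group-id 7
    set encryption enable
    set psksecret ENC constructed-placeholder
    config cluster-peer
        edit 1
            set peerip 10.0.0.2
        next
    end
end"""
FGT_B = """config system standalone-cluster
    set standalone-group-id 8
    config cluster-peer
        edit 1
            set hb-interval 5
        next
    end
end"""
if __name__ == "__main__":
    print("\n".join(audit({"fgt-a": FGT_A, "fgt-b": FGT_B})))
```
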
