Fortinet white logo
Fortinet white logo

Administration Guide

Session failover

Session failover

Session failover means that after the primary unit fails, communications sessions resume on the new primary unit with minimal or no interruption. Two categories of sessions need to be resumed after a failover:

  • Sessions passing through the cluster

  • Sessions terminated by the cluster

Session failover (also called session-pickup) is not enabled by default for FortiGate. See Session pickup for more information

Using the session-sync-dev option, you can select one or more FortiGate interfaces to use for synchronizing sessions as required for session pickup. See Improving session sync performance for more information.

After a failover the new primary unit recognizes open sessions that were being handled by the cluster. The sessions continue to be processed by the new primary unit and are handled according to their last known state.

Note

Session-pickup has some limitations. For example, session failover is not supported for sessions being scanned by proxy-based security profiles. Session failover is supported for sessions being scanned by flow-based security profiles; however, flow-based sessions that fail over are not inspected after they fail over. For more limitations, see Pass-through sessions.

Sessions terminated by the cluster do not failover and have to be restarted. There are some exceptions though, particularly for IPsec and SSL VPN. For more information, see Terminated sessions.

Session failover

Session failover

Session failover means that after the primary unit fails, communications sessions resume on the new primary unit with minimal or no interruption. Two categories of sessions need to be resumed after a failover:

  • Sessions passing through the cluster

  • Sessions terminated by the cluster

Session failover (also called session-pickup) is not enabled by default for FortiGate. See Session pickup for more information

Using the session-sync-dev option, you can select one or more FortiGate interfaces to use for synchronizing sessions as required for session pickup. See Improving session sync performance for more information.

After a failover the new primary unit recognizes open sessions that were being handled by the cluster. The sessions continue to be processed by the new primary unit and are handled according to their last known state.

Note

Session-pickup has some limitations. For example, session failover is not supported for sessions being scanned by proxy-based security profiles. Session failover is supported for sessions being scanned by flow-based security profiles; however, flow-based sessions that fail over are not inspected after they fail over. For more limitations, see Pass-through sessions.

Sessions terminated by the cluster do not failover and have to be restarted. There are some exceptions though, particularly for IPsec and SSL VPN. For more information, see Terminated sessions.