Example FortiGate-7000E FGSP configuration using 1-M1 interfaces
This example shows how to configure FGSP to synchronize sessions between two FortiGate 7040Es for the root VDOM and for a second VDOM, named vdom-1. The example uses the 1-M1 interface for root session synchronization and the 1-M2 interface for vdom-1 session synchronization. The 1-M1 interfaces are connected to the 172.25.177.0/24 network and the 1-M2 interfaces are connected to the 172.25.178.0/24 network.
The interfaces of the two FortiGate 7040Es must have their own IP addresses and their own networking configuration. You can give the FortiGate 7040Es different host names, in this example, peer_1 and peer_2, to make them easier to identify.
This example also adds configuration synchronization and sets the peer_1 device priority higher so that it becomes the config sync primary. Once configuration synchronization is enabled, you can log into peer_1, add firewall policies and make other configuration changes, and those changes are synchronized to peer_2. For information about configuration synchronization, including its limitations, see Standalone configuration synchronization.
Example FortiGate 7000E FGSP configuration
- Configure the routers or load balancers to distribute sessions to the two FortiGate 7040Es.
- Change the host names of the FortiGate 7040Es to peer_1 and peer_2.
- Configure network settings for each FortiGate 7040E to allow them to connect to their networks and route traffic.
- Add the vdom-1 VDOM to each FortiGate 7040E.
- On peer_1, set up the standalone-cluster configuration.
config system standalone-cluster
set standalone-group-id 4
set group-member-id 1
end
- On peer_1, configure the 1-M1 and 1-M2 interfaces with IP addresses on the 172.25.177.0/24 and 172.25.178.0/24 networks:
config system interface
edit 1-M1
set ip 172.25.177.30 255.255.255.0
next
edit 1-M2
set ip 172.25.178.35 255.255.255.0
end
- On peer_1, configure session synchronization for the root and vdom-1 VDOMs.
config system cluster-sync
edit 1
set peervd mgmt-vdom
set peerip 172.25.177.40
set syncvd root
next
edit 2
set peervd mgmt-vdom
set peerip 172.25.178.45
set syncvd vdom-1
next
end
For the root VDOM, peervd is always mgmt-vdom and peerip is the IP address of the 1-M1 interface of peer_2. For vdom-1, peervd is always mgmt-vdom and peerip is the IP address of the 1-M2 interface of peer_2.
- On peer_1, enable configuration synchronization, enable session pickup, configure the heartbeat interfaces, and set a higher device priority. This makes peer_1 the config sync primary.
config system ha
set standalone-config-sync enable
set session-pickup enable
set session-pickup-connectionless enable
set session-pickup-expectation enable
set session-pickup-nat enable
set priority 250
set hbdev 1-M1 50 1-M2 50
end
- On peer_2, set up the standalone-cluster configuration.
config system standalone-cluster
set standalone-group-id 4
set group-member-id 2
end
- On peer_2, configure the 1-M1 and 1-M2 interfaces with IP addresses on the 172.25.177.0/24 and 172.25.178.0/24 networks:
config system interface
edit 1-M1
set ip 172.25.177.40 255.255.255.0
next
edit 1-M2
set ip 172.25.178.45 255.255.255.0
end
- On peer_2, configure session synchronization for the root and vdom-1 VDOMs.
config system cluster-sync
edit 1
set peervd mgmt-vdom
set peerip 172.25.177.30
set syncvd root
next
edit 2
set peervd mgmt-vdom
set peerip 172.25.178.35
set syncvd vdom-1
next
end
For the root VDOM, peervd is always mgmt-vdom and peerip is the IP address of the 1-M1 interface of peer_1. For vdom-1, peervd is always mgmt-vdom and peerip is the IP address of the 1-M2 interface of peer_1.
- On peer_2, enable configuration synchronization, enable session pickup, configure the heartbeat interfaces, and leave the device priority set to the default value.
config system ha
set standalone-config-sync enable
set session-pickup enable
set session-pickup-connectionless enable
set session-pickup-expectation enable
set session-pickup-nat enable
set hbdev 1-M1 50 1-M2 50
end
As sessions are forwarded by the routers or load balancers to one of the FortiGate 7040Es, the FGSP synchronizes the sessions to the other FortiGate 7040E. You can log into peer_1 and make configuration changes, which are synchronized to peer_2.
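The two peers' CLI must mirror each other: the same standalone-group-id, different group-member-ids, each peerip equal to the other peer's 1-M1 or 1-M2 address, and one peer with the higher priority. The following Python script is an added example, not Fortinet code: it parses FortiOS-style CLI text for both peers and reports any mismatch. The peer_cli helper builds constructed sample input from this page's addresses, and the HA priority default of 128 is assumed for a peer that does not set one.

```python
# Added example (not Fortinet code): parse both peers' CLI and cross-check the FGSP pair.
def parse_fortios(text):
    """Minimal parser for config/edit/set/next/end blocks -> {table: {entry: {key: value}}}."""
    tables, stack = {}, []
    for line in (l.strip() for l in text.splitlines() if l.strip()):
        word, _, rest = line.partition(" ")
        if word == "config":
            stack.append([rest, ""])          # table-level settings live under entry ""
            tables.setdefault(rest, {"": {}})
        elif word == "edit":
            stack[-1][1] = rest
            tables[stack[-1][0]].setdefault(rest, {})
        elif word == "set":
            key, _, value = rest.partition(" ")
            tables[stack[-1][0]][stack[-1][1]][key] = value
        elif word == "next":
            stack[-1][1] = ""
        elif word == "end":
            stack.pop()
    return tables

def peer_cli(member, ip1, ip2, peer1, peer2, priority=None):
    """Constructed sample input that mirrors the page's peer_1 / peer_2 steps."""
    prio = f"set priority {priority}\n" if priority else ""
    return (f"config system standalone-cluster\nset standalone-group-id 4\nset group-member-id {member}\nend\n"
            f"config system interface\nedit 1-M1\nset ip {ip1} 255.255.255.0\nnext\n"
            f"edit 1-M2\nset ip {ip2} 255.255.255.0\nend\n"
            f"config system cluster-sync\nedit 1\nset peervd mgmt-vdom\nset peerip {peer1}\nset syncvd root\nnext\n"
            f"edit 2\nset peervd mgmt-vdom\nset peerip {peer2}\nset syncvd vdom-1\nnext\nend\n"
            f"config system ha\nset standalone-config-sync enable\nset session-pickup enable\n"
            f"{prio}set hbdev 1-M1 50 1-M2 50\nend\n")

def check_fgsp_pair(cfg_a, cfg_b):
    """Return a list of inconsistencies between two parsed peer configs (empty list = consistent)."""
    problems = []
    sc = [c["system standalone-cluster"][""] for c in (cfg_a, cfg_b)]
    if sc[0]["standalone-group-id"] != sc[1]["standalone-group-id"]:
        problems.append("standalone-group-id differs between peers")
    if sc[0]["group-member-id"] == sc[1]["group-member-id"]:
        problems.append("both peers use the same group-member-id")
    for label, me, other in (("A", cfg_a, cfg_b), ("B", cfg_b, cfg_a)):
        other_ips = {e["ip"].split()[0] for e in other["system interface"].values() if "ip" in e}
        for eid, entry in me["system cluster-sync"].items():
            if eid and (entry.get("peervd") != "mgmt-vdom" or entry.get("peerip") not in other_ips):
                problems.append(f"{label} cluster-sync {eid}: peervd/peerip do not point at the other peer's 1-M interface")
    # config sync needs one clear primary: priorities must differ (assumed FortiOS default: 128)
    prios = [c["system ha"][""].get("priority", "128") for c in (cfg_a, cfg_b)]
    if prios[0] == prios[1]:
        problems.append("device priorities are equal; no deterministic config sync primary")
    return problems
```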