
FortiGate-7000E Administration Guide

Example FortiGate-7000E FGSP configuration using 1-M1 interfaces

This example shows how to configure FGSP to synchronize sessions between two FortiGate 7040Es for the root VDOM and for a second VDOM, named vdom-1. The example uses the 1-M1 interface for root session synchronization and the 1-M2 interface for vdom-1 session synchronization. The 1-M1 interfaces are connected to the 172.25.177.0/24 network and the 1-M2 interfaces are connected to the 172.25.178.0/24 network.

The interfaces of the two FortiGate 7040Es must have their own IP addresses and their own networking configuration. Giving the FortiGate 7040Es different host names (peer_1 and peer_2 in this example) makes them easier to identify.

This example also adds configuration synchronization and sets the peer_1 device priority higher so that it becomes the config sync primary. Once configuration synchronization is enabled, you can log into peer_1, add firewall policies, and make other configuration changes, and those changes are synchronized to peer_2. For information about configuration synchronization, including its limitations, see Standalone configuration synchronization.

Example FortiGate 7000E FGSP configuration

  1. Configure the routers or load balancers to distribute sessions to the two FortiGate 7040Es.

  2. Change the host names of the FortiGate 7040Es to peer_1 and peer_2.

  3. Configure network settings for each FortiGate 7040E to allow them to connect to their networks and route traffic.

  4. Add the vdom-1 VDOM to each FortiGate 7040E.

  5. On peer_1, set up the standalone-cluster configuration.

    config system standalone-cluster
      set standalone-group-id 4
      set group-member-id 1
    end

  6. On peer_1, configure the 1-M1 and 1-M2 interfaces with IP addresses on the 172.25.177.0/24 and 172.25.178.0/24 networks:

    config system interface
      edit 1-M1
        set ip 172.25.177.30 255.255.255.0
      next
      edit 1-M2
        set ip 172.25.178.35 255.255.255.0
      next
    end

  7. On peer_1, configure session synchronization for the root and vdom-1 VDOMs.

    config system cluster-sync
      edit 1
        set peervd mgmt-vdom
        set peerip 172.25.177.40
        set syncvd root
      next
      edit 2
        set peervd mgmt-vdom
        set peerip 172.25.178.45
        set syncvd vdom-1
      next
    end

    For the root VDOM, peervd is always mgmt-vdom and peerip is the IP address of the 1-M1 interface of peer_2.

    For vdom-1, peervd is always mgmt-vdom and peerip is the IP address of the 1-M2 interface of peer_2.

  8. On peer_1, enable configuration synchronization, enable session pickup, configure the heartbeat interfaces, and set a higher device priority. The higher priority makes peer_1 the config sync primary.

    config system ha
      set standalone-config-sync enable
      set session-pickup enable
      set session-pickup-connectionless enable
      set session-pickup-expectation enable
      set session-pickup-nat enable
      set priority 250
      set hbdev 1-M1 50 1-M2 50
    end

  9. On peer_2, set up the standalone-cluster configuration.

    config system standalone-cluster
      set standalone-group-id 4
      set group-member-id 2
    end

  10. On peer_2, configure the 1-M1 and 1-M2 interfaces with IP addresses on the 172.25.177.0/24 and 172.25.178.0/24 networks:

    config system interface
      edit 1-M1
        set ip 172.25.177.40 255.255.255.0
      next
      edit 1-M2
        set ip 172.25.178.45 255.255.255.0
      next
    end

  11. On peer_2, configure session synchronization for the root and vdom-1 VDOMs.

    config system cluster-sync
      edit 1
        set peervd mgmt-vdom
        set peerip 172.25.177.30
        set syncvd root
      next
      edit 2
        set peervd mgmt-vdom
        set peerip 172.25.178.35
        set syncvd vdom-1
      next
    end

    For the root VDOM, peervd is always mgmt-vdom and peerip is the IP address of the 1-M1 interface of peer_1.

    For vdom-1, peervd is always mgmt-vdom and peerip is the IP address of the 1-M2 interface of peer_1.

  12. On peer_2, enable configuration synchronization, enable session pickup, configure the heartbeat interfaces, and leave the device priority set to the default value.

    config system ha
      set standalone-config-sync enable
      set session-pickup enable
      set session-pickup-connectionless enable
      set session-pickup-expectation enable
      set session-pickup-nat enable
      set hbdev 1-M1 50 1-M2 50
    end

    As sessions are forwarded by the routers or load balancers to one of the FortiGate 7040Es, the FGSP synchronizes the sessions to the other FortiGate 7040E. You can log into peer_1 and make configuration changes, which are synchronized to peer_2.
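A mistyped peerip breaks session synchronization without any error at configuration time, so the following script (an added example, not part of the Fortinet guide) parses FortiOS-style CLI fragments like the ones in this procedure and cross-checks the two peers: every cluster-sync peerip must be an interface address on the other peer, on a network this peer also has an interface in, and the other peer must synchronize the same VDOM back. The functions parse_cli, interfaces and check_fgsp_pair and the sample peer text are constructed for this example and use the addresses from the procedure.

```python
# Added example, not from the Fortinet guide: cross-check a two-peer FGSP configuration.
# parse_cli handles the 'config / edit / set / next / end' shape of FortiOS CLI text;
# check_fgsp_pair verifies peerip and syncvd consistency between the two peers.
import ipaddress

def parse_cli(text):
    """'config <table>' / 'edit <entry>' / 'set <key> <values...>' -> nested dicts; table-level sets go under '_'."""
    cfg, table, entry = {}, None, "_"
    for tok in (ln.split() for ln in text.splitlines() if ln.strip()):
        if tok[0] == "config":
            table, entry = " ".join(tok[1:]), "_"
            cfg.setdefault(table, {})
        elif tok[0] == "edit":
            entry = tok[1]
        elif tok[0] == "set":
            cfg[table].setdefault(entry, {})[tok[1]] = tok[2:]
        elif tok[0] in ("next", "end"):
            entry = "_"
    return cfg

def interfaces(cfg):
    """Interface name -> ip_interface for every interface with a 'set ip <addr> <mask>' line."""
    return {n: ipaddress.ip_interface("/".join(v["ip"]))
            for n, v in cfg.get("system interface", {}).items() if n != "_" and "ip" in v}

def check_fgsp_pair(cfg_a, cfg_b):
    """Return the list of inconsistencies between the two peers; an empty list means they agree."""
    problems = []
    for me, other, who in ((cfg_a, cfg_b, "peer_1"), (cfg_b, cfg_a, "peer_2")):
        mine, theirs = interfaces(me), interfaces(other)
        their_vdoms = {tuple(e["syncvd"]) for k, e in other["system cluster-sync"].items() if k != "_"}
        for idx, e in me["system cluster-sync"].items():
            if idx == "_":
                continue
            peerip = ipaddress.ip_address(e["peerip"][0])
            if not any(i.ip == peerip for i in theirs.values()):
                problems.append(f"{who} cluster-sync {idx}: peerip {peerip} is not an interface address on the other peer")
            elif not any(peerip in i.network for i in mine.values()):
                problems.append(f"{who} cluster-sync {idx}: no local interface on the same network as {peerip}")
            if tuple(e["syncvd"]) not in their_vdoms:
                problems.append(f"{who} cluster-sync {idx}: the other peer has no entry with syncvd {e['syncvd'][0]}")
    return problems

# Constructed sample using the procedure's addresses; BAD_PEER_2 has a typo in the vdom-1 peerip.
TEMPLATE = ("config system interface\nedit 1-M1\nset ip {m1} 255.255.255.0\nnext\nedit 1-M2\nset ip {m2} 255.255.255.0\nend\n"
            "config system cluster-sync\nedit 1\nset peervd mgmt-vdom\nset peerip {p1}\nset syncvd root\nnext\n"
            "edit 2\nset peervd mgmt-vdom\nset peerip {p2}\nset syncvd vdom-1\nnext\nend")
PEER_1 = TEMPLATE.format(m1="172.25.177.30", m2="172.25.178.35", p1="172.25.177.40", p2="172.25.178.45")
PEER_2 = TEMPLATE.format(m1="172.25.177.40", m2="172.25.178.45", p1="172.25.177.30", p2="172.25.178.35")
BAD_PEER_2 = PEER_2.replace("set peerip 172.25.178.35", "set peerip 172.25.178.53")
```

Running check_fgsp_pair(parse_cli(PEER_1), parse_cli(PEER_2)) returns an empty list for the configuration above, while substituting BAD_PEER_2 reports that peer_2's vdom-1 entry points at an address peer_1 does not have.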