Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Products Best Practices Hardware Guides Products A-Z
Summary
By Solution
By 4D Pillars
By Cloud
Secure Networking
Unified SASE
Security Operations
Secure SD-WAN
Secure Access Service Edge (SASE)
ZTNA
LAN Edge
Identity and Access Management
Next Generation Firewall
Public Cloud
Private Cloud
FortiCloud
Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
    • More >>
    Unified SASE
  • Single Vendor SASE
  • Cloud Network Security
  • Secure Endpoint Connectivity
  • Web Application / API Protection
    • More >>
    Security Operations
  • Security Operations Automation
  • Identity
  • Early Detection & Prevention
    • More >>
    Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
  • Communication & Surveillance
    • Unified SASE
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Cloud Network Security
  • Cloud-Native Security
  • Web Application / API Protection
    • Security Operations
  • Security Operations Automation
  • Endpoint
  • Data Protection
  • Identity
  • Email
  • Early Detection & Prevention
  • Expert Services
  • Edge Firewall
  • Orchestration & management
  • SD Branch
  • Application Delivery
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Secure Private Access
  • Thin Edge
  • Identity
  • Application Gateway
  • Enterprise Asset Management
  • Endpoint Agent
  • Agentless Security Posture
  • Identity
  • Wireless
  • Switching
  • Identity
  • Privilege Acccess Management
  • Next Generation Firewall
  • Orchestration & management
  • Expert Services
  • All
  • All
  • Account Management
  • SAAS Management
  • SAAS Application Security
  • Managed Services
  • Platform as a service (PAAS)
  • Other SAAS Services
    • 4D Resources
    Solution Hubs
  • 4D Pillars
  • Cloud
  • Popular Solutions

    • FortiGate-7000E Administration Guide

    Home FortiGate / FortiOS 7.2.7 FortiGate-7000E Administration Guide
    7.2.7
    7.6.1
    7.6.0
    7.4.5
    7.4.4
    7.4.3
    7.4.2
    7.4.1
    7.4.0
    7.2.10
    7.2.9
    7.2.8
    7.2.7
    7.2.6
    7.2.5

    Example FortiGate 7000E FGSP session synchronization with a data interface LAG

    Example FortiGate 7000E FGSP session synchronization with a data interface LAG

    This example shows how to configure FGSP to synchronize sessions between two FortiGate 7040Es for the root VDOM and for a second VDOM, named vdom-1. For FGSP session synchronization, the example uses a data interface LAG that includes the 1-A13, 1-A14, 1-A15, 1-A16, 2-A13, 2-A14, 2-A15, and 2-A16 interfaces.

    To set up the configuration, start by giving each FortiGate 7040E a different host name to make them easier to identify. This example uses peer_1 and peer_2. On each FortiGate 7040E, create a VDOM named fgsp-sync and move the 1-A13, 1-A14, 1-A15, 1-A16, 2-A13, 2-A14, 2-A15, and 2-A16 interfaces to this VDOM. Then create a LAG named Data-int-lag, also in the fgsp-sync VDOM, that includes the 1-A13, 1-A14, 1-A15, 1-A16, 2-A13, 2-A14, 2-A15, and 2-A16 interfaces. The LAGs on both FortiGate 7040Es are on the 172.25.177.0/24 network.

    This example also adds standalone configuration synchronization using the 1-M1 and 1-M2 interfaces and sets the peer_1 device priority higher so that it becomes the config sync primary. Once configuration synchronization is enabled, you can log into peer_1 and add firewall policies and make other configuration changes and these configuration changes will be synchronized to peer_2. For information about configuration synchronization, including its limitations, see Standalone configuration synchronization.

    Example FortiGate 7000E FGSP configuration using data interface LAGs

    1. Configure the routers or load balancers to distribute sessions to the two FortiGate 7040Es.

    2. Change the host names of the FortiGate 7040Es to peer_1 and peer_2.
    3. Configure network settings for each FortiGate 7040E to allow them to connect to their networks and route traffic.
    4. Add the vdom-1 and fgsp-sync VDOMs to each FortiGate 7040E.

    5. Also on each FortiGate 7040E, move the 1-A13, 1-A14, 1-A15, 1-A16, 2-A13, 2-A14, 2-A15, and 2-A16 interfaces to the fgsp-sync VDOM.

    6. On peer_1, configure the 1-A13, 1-A14, 1-A15, 1-A16, 2-A13, 2-A14, 2-A15, and 2-A16 interfaces to be FGSP session synchronization data interfaces.

      config system standalone-cluster

      set standalone-group-id 6

      set group-member-id 1

      set data-intf-session-sync-dev 1-A13 1-A14 1-A15 1-A16 2-A13 2-A14 2-A15 2-A16

      end

    7. On peer_1, add a data interface LAG to the fgsp-sync VDOM.

      config system interface

      edit Data-int-lag

      set type aggregate

      set vdom fgsp-sync

      set member 1-A13 1-A14 1-A15 1-A16 2-A13 2-A14 2-A15 2-A16

      set ip 172.25.177.70/24

      set mtu-override enable

      set mtu 9216

      end

      This configuration adds the data interface LAG to the fgsp-sync VDOM, includes the eight data interfaces configured to be FGSP session synchronization interfaces, and configures the LAG to support jumbo frames.

    8. On peer_1, configure session synchronization for the root and vdom-1 VDOMs.

      config system cluster-sync

      edit 1

      set peervd fgsp-sync

      set peerip 172.25.177.80

      set syncvd root vdom-1

      end

      peervd is fgsp-sync because the FGSP session synchronization data interfaces are in the fgsp-sync VDOM.

      peerip is the IP address of the data interface LAG added to peer_2.

      This configuration creates one cluster-sync instance that includes both VDOMs. You could have created a separate cluster-sync instance for each VDOM. If possible, however, avoid creating more than three cluster-sync instances. A fourth cluster-sync instance may experience reduced session synchronization performance.

    9. On peer_1, enable configuration synchronization, enable session pickup, configure the heartbeat interfaces, and set a higher device priority. This makes peer_1 become the config sync primary.

      config system ha

      set standalone-config-sync enable

      set session-pickup enable

      set session-pickup-connectionless enable

      set session-pickup-expectation enable

      set session-pickup-nat enable

      set priority 250

      set hbdev 1-M1 50 1-M2 50

      end

    10. On peer_2, configure the 1-A13, 1-A14, 1-A15, 1-A16, 2-A13, 2-A14, 2-A15, and 2-A16 interfaces to be FGSP session synchronization data interfaces.

      config system standalone-cluster

      set standalone-group-id 6

      set group-member-id 2

      set data-intf-session-sync-dev 1-A13 1-A14 1-A15 1-A16 2-A13 2-A14 2-A15 2-A16

      end

    11. On peer_2, add a data interface LAG to the fgsp-sync VDOM:

      config system interface

      edit Data-int-lag

      set type aggregate

      set vdom fgsp-sync

      set member 1-A13 1-A14 1-A15 1-A16 2-A13 2-A14 2-A15 2-A16

      set ip 172.25.177.80/24

      set mtu-override enable

      set mtu 9216

      end

      This configuration adds the data interface LAG to the fgsp-sync VDOM, includes the eight data interfaces configured to be FGSP session synchronization interfaces, and configures the LAG to support jumbo frames.

    12. On peer_2, configure session synchronization for the root and vdom-1 VDOMs.

      config system cluster-sync

      edit 1

      set peervd fgsp-sync

      set peerip 172.25.177.70

      set syncvd root vdom-1

      end

    13. On peer_2, enable configuration synchronization, enable session pickup, configure the heartbeat interfaces, and leave the device priority set to the default value.

      config system ha

      set standalone-config-sync enable

      set session-pickup enable

      set session-pickup-connectionless enable

      set session-pickup-expectation enable

      set session-pickup-nat enable

      set hbdev 1-M1 50 1-M2 50

      end

      As sessions are forwarded by the routers or load balancers to one of the FortiGate 7040Es, the FGSP synchronizes the sessions to the other FortiGate 7040E. You can log into peer_1 and make configuration changes, which are synchronized to peer_2.

    Previous
    Next

    Example FortiGate 7000E FGSP session synchronization with a data interface LAG

    Example FortiGate 7000E FGSP session synchronization with a data interface LAG

    This example shows how to configure FGSP to synchronize sessions between two FortiGate 7040Es for the root VDOM and for a second VDOM, named vdom-1. For FGSP session synchronization, the example uses a data interface LAG that includes the 1-A13, 1-A14, 1-A15, 1-A16, 2-A13, 2-A14, 2-A15, and 2-A16 interfaces.

    To set up the configuration, start by giving each FortiGate 7040E a different host name to make them easier to identify. This example uses peer_1 and peer_2. On each FortiGate 7040E, create a VDOM named fgsp-sync and move the 1-A13, 1-A14, 1-A15, 1-A16, 2-A13, 2-A14, 2-A15, and 2-A16 interfaces to this VDOM. Then create a LAG named Data-int-lag, also in the fgsp-sync VDOM, that includes the 1-A13, 1-A14, 1-A15, 1-A16, 2-A13, 2-A14, 2-A15, and 2-A16 interfaces. The LAGs on both FortiGate 7040Es are on the 172.25.177.0/24 network.

    This example also adds standalone configuration synchronization using the 1-M1 and 1-M2 interfaces and sets the peer_1 device priority higher so that it becomes the config sync primary. Once configuration synchronization is enabled, you can log into peer_1 and add firewall policies and make other configuration changes and these configuration changes will be synchronized to peer_2. For information about configuration synchronization, including its limitations, see Standalone configuration synchronization.

    Example FortiGate 7000E FGSP configuration using data interface LAGs

    1. Configure the routers or load balancers to distribute sessions to the two FortiGate 7040Es.

    2. Change the host names of the FortiGate 7040Es to peer_1 and peer_2.
    3. Configure network settings for each FortiGate 7040E to allow them to connect to their networks and route traffic.
    4. Add the vdom-1 and fgsp-sync VDOMs to each FortiGate 7040E.

    5. Also on each FortiGate 7040E, move the 1-A13, 1-A14, 1-A15, 1-A16, 2-A13, 2-A14, 2-A15, and 2-A16 interfaces to the fgsp-sync VDOM.

    6. On peer_1, configure the 1-A13, 1-A14, 1-A15, 1-A16, 2-A13, 2-A14, 2-A15, and 2-A16 interfaces to be FGSP session synchronization data interfaces.

      config system standalone-cluster

      set standalone-group-id 6

      set group-member-id 1

      set data-intf-session-sync-dev 1-A13 1-A14 1-A15 1-A16 2-A13 2-A14 2-A15 2-A16

      end

    7. On peer_1, add a data interface LAG to the fgsp-sync VDOM.

      config system interface

      edit Data-int-lag

      set type aggregate

      set vdom fgsp-sync

      set member 1-A13 1-A14 1-A15 1-A16 2-A13 2-A14 2-A15 2-A16

      set ip 172.25.177.70/24

      set mtu-override enable

      set mtu 9216

      end

      This configuration adds the data interface LAG to the fgsp-sync VDOM, includes the eight data interfaces configured to be FGSP session synchronization interfaces, and configures the LAG to support jumbo frames.

    8. On peer_1, configure session synchronization for the root and vdom-1 VDOMs.

      config system cluster-sync

      edit 1

      set peervd fgsp-sync

      set peerip 172.25.177.80

      set syncvd root vdom-1

      end

      peervd is fgsp-sync because the FGSP session synchronization data interfaces are in the fgsp-sync VDOM.

      peerip is the IP address of the data interface LAG added to peer_2.

      This configuration creates one cluster-sync instance that includes both VDOMs. You could have created a separate cluster-sync instance for each VDOM. If possible, however, avoid creating more than three cluster-sync instances. A fourth cluster-sync instance may experience reduced session synchronization performance.

    9. On peer_1, enable configuration synchronization, enable session pickup, configure the heartbeat interfaces, and set a higher device priority. This makes peer_1 become the config sync primary.

      config system ha

      set standalone-config-sync enable

      set session-pickup enable

      set session-pickup-connectionless enable

      set session-pickup-expectation enable

      set session-pickup-nat enable

      set priority 250

      set hbdev 1-M1 50 1-M2 50

      end

    10. On peer_2, configure the 1-A13, 1-A14, 1-A15, 1-A16, 2-A13, 2-A14, 2-A15, and 2-A16 interfaces to be FGSP session synchronization data interfaces.

      config system standalone-cluster

      set standalone-group-id 6

      set group-member-id 2

      set data-intf-session-sync-dev 1-A13 1-A14 1-A15 1-A16 2-A13 2-A14 2-A15 2-A16

      end

    11. On peer_2, add a data interface LAG to the fgsp-sync VDOM:

      config system interface

      edit Data-int-lag

      set type aggregate

      set vdom fgsp-sync

      set member 1-A13 1-A14 1-A15 1-A16 2-A13 2-A14 2-A15 2-A16

      set ip 172.25.177.80/24

      set mtu-override enable

      set mtu 9216

      end

      This configuration adds the data interface LAG to the fgsp-sync VDOM, includes the eight data interfaces configured to be FGSP session synchronization interfaces, and configures the LAG to support jumbo frames.

    12. On peer_2, configure session synchronization for the root and vdom-1 VDOMs.

      config system cluster-sync

      edit 1

      set peervd fgsp-sync

      set peerip 172.25.177.70

      set syncvd root vdom-1

      end

    13. On peer_2, enable configuration synchronization, enable session pickup, configure the heartbeat interfaces, and leave the device priority set to the default value.

      config system ha

      set standalone-config-sync enable

      set session-pickup enable

      set session-pickup-connectionless enable

      set session-pickup-expectation enable

      set session-pickup-nat enable

      set hbdev 1-M1 50 1-M2 50

      end

      As sessions are forwarded by the routers or load balancers to one of the FortiGate 7040Es, the FGSP synchronizes the sessions to the other FortiGate 7040E. You can log into peer_1 and make configuration changes, which are synchronized to peer_2.

    Previous
    Next