Fortinet white logo
Fortinet white logo

Hyperscale Firewall Guide

Configuring FGCP HA hardware session synchronization

Configuring FGCP HA hardware session synchronization

Use the following command to configure FGCP HA hardware session synchronization.

config system ha

set session-pickup enable

set hw-session-sync-dev <interface>

end

session-pickup must be enabled for FGCP HA hardware session synchronization.

hw-session-sync-dev select an interface to use to synchronize hardware sessions between the FortiGates in an FGCP cluster. Fortinet recommends using a data interface or a data interface LAG as the FGCP HA hardware session synchronization interface. The interface or LAG can only be used for FGCP HA hardware session synchronization. See Recommended interface use for an FGCP HA hyperscale firewall cluster.

Use the following configuration to create a data interface LAG. The members of the LAG can be any data interfaces that can be added to LAGs as supported by your FortiGate model.

config system interface

edit HA-session-lag

set member port13 port14 port15 port16

end

Note

You can only use a static mode LAG as the hardware session synchronization interface. When configuring the hw-session-sync-dev from the CLI, along with physical interfaces, only LAGs with lacp-mode set to static will appear in the list of interfaces that you can select.

The CLI blocks you from changing the lacp-mode of the hw-session-sync-dev LAG to dynamic or passive.

Use the following command to set the LAG as the FGCP HA hardware session synchronization interface.

config system ha

set session-pickup enable

set hw-session-sync-dev HA-session-lag

end

Note

If you use a LAG as the hardware session synchronization interface, the LAG cannot be monitored by FGCP HA interface monitoring.

For some FortiGates there is a limitation on the interfaces that can be used for hardware session synchronization. For example, for the FortiGate-1800F and 1801F you can only use the port25 to port40 interfaces as FGCP HA hardware session synchronization interfaces.

Hardware session synchronization can use a lot of bandwidth so you should use a dedicated data interface or data interface LAG. Both FortiGates in the FGCP HA cluster must use the same data interface or data interface LAG for FGCP HA hardware session synchronization and these interfaces must be directly connected.

Configuring FGCP HA hardware session synchronization

Configuring FGCP HA hardware session synchronization

Use the following command to configure FGCP HA hardware session synchronization.

config system ha

set session-pickup enable

set hw-session-sync-dev <interface>

end

session-pickup must be enabled for FGCP HA hardware session synchronization.

hw-session-sync-dev select an interface to use to synchronize hardware sessions between the FortiGates in an FGCP cluster. Fortinet recommends using a data interface or a data interface LAG as the FGCP HA hardware session synchronization interface. The interface or LAG can only be used for FGCP HA hardware session synchronization. See Recommended interface use for an FGCP HA hyperscale firewall cluster.

Use the following configuration to create a data interface LAG. The members of the LAG can be any data interfaces that can be added to LAGs as supported by your FortiGate model.

config system interface

edit HA-session-lag

set member port13 port14 port15 port16

end

Note

You can only use a static mode LAG as the hardware session synchronization interface. When configuring the hw-session-sync-dev from the CLI, along with physical interfaces, only LAGs with lacp-mode set to static will appear in the list of interfaces that you can select.

The CLI blocks you from changing the lacp-mode of the hw-session-sync-dev LAG to dynamic or passive.

Use the following command to set the LAG as the FGCP HA hardware session synchronization interface.

config system ha

set session-pickup enable

set hw-session-sync-dev HA-session-lag

end

Note

If you use a LAG as the hardware session synchronization interface, the LAG cannot be monitored by FGCP HA interface monitoring.

For some FortiGates there is a limitation on the interfaces that can be used for hardware session synchronization. For example, for the FortiGate-1800F and 1801F you can only use the port25 to port40 interfaces as FGCP HA hardware session synchronization interfaces.

Hardware session synchronization can use a lot of bandwidth so you should use a dedicated data interface or data interface LAG. Both FortiGates in the FGCP HA cluster must use the same data interface or data interface LAG for FGCP HA hardware session synchronization and these interfaces must be directly connected.