Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Products Best Practices Hardware Guides Products A-Z
Summary
By Solution
By 4D Pillars
By Cloud
Secure Networking
Unified SASE
Security Operations
Secure SD-WAN
Secure Access Service Edge (SASE)
ZTNA
LAN Edge
Identity and Access Management
Next Generation Firewall
Public Cloud
Private Cloud
FortiCloud
Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
    • More >>
    Unified SASE
  • Single Vendor SASE
  • Cloud Network Security
  • Secure Endpoint Connectivity
  • Web Application / API Protection
    • More >>
    Security Operations
  • Security Operations Automation
  • Identity
  • Early Detection & Prevention
    • More >>
    Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
  • Communication & Surveillance
    • Unified SASE
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Cloud Network Security
  • Cloud-Native Security
  • Web Application / API Protection
    • Security Operations
  • Security Operations Automation
  • Endpoint
  • Data Protection
  • Identity
  • Email
  • Early Detection & Prevention
  • Expert Services
  • Edge Firewall
  • Orchestration & management
  • SD Branch
  • Application Delivery
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Secure Private Access
  • Thin Edge
  • Identity
  • Application Gateway
  • Enterprise Asset Management
  • Endpoint Agent
  • Agentless Security Posture
  • Identity
  • Wireless
  • Switching
  • Identity
  • Privilege Acccess Management
  • Next Generation Firewall
  • Orchestration & management
  • Expert Services
  • All
  • All
  • Account Management
  • SAAS Management
  • SAAS Application Security
  • Managed Services
  • Platform as a service (PAAS)
  • Other SAAS Services
    • 4D Resources
    Solution Hubs
  • 4D Pillars
  • Cloud
  • Popular Solutions

    • Hyperscale Firewall Guide

    Home FortiGate / FortiOS 7.4.0 Hyperscale Firewall Guide
    7.4.0
    7.6.0
    7.4.5
    7.4.4
    7.4.3
    7.4.2
    7.4.1
    7.4.0
    7.2.10
    7.2.9
    7.2.8
    7.2.7
    7.2.6
    7.2.5
    7.2.4
    7.2.3
    7.2.2
    7.2.1
    7.0.16
    7.0.15
    7.0.14
    7.0.13
    7.0.12
    7.0.11
    7.0.10
    7.0.9
    7.0.8
    7.0.7
    7.0.6
    7.0.5
    6.4.15
    6.4.14
    6.4.13
    6.4.12
    6.4.11
    6.4.10
    6.4.9
    6.4.8
    6.4.6
    6.2.9
    6.2.7
    6.2.6

    Basic FGSP HA hardware session synchronization configuration example

    Basic FGSP HA hardware session synchronization configuration example

    The following steps describe how to set up a basic FGSP configuration to provide FGSP HA hardware session synchronization between one or more hyperscale firewall VDOMs in two FortiGate peers.

    Use the following steps to configure FGSP on both of the peers in the FGSP cluster.

    1. Enable FGSP for a hyperscale firewall VDOM, named MyCGN-hw12:

      config system standalone-cluster

      config cluster-peer

      edit 1

      set peerip 1.1.1.1

      set syncvd MyCGN-hw12

      end

      If your FortiGate has multiple hyperscale firewall VDOMs, you can add the names of the hyperscale VDOMs to be synchronized to the syncvd option. For example:

      config system standalone-cluster

      config cluster-peer

      edit 1

      set peerip 1.1.1.1

      set syncvd MyCGN-hw12, MyCGN-hw22

      end

      In most cases you should create only one cluster-sync instance. If you create multiple cluster-sync instances, all FGSP HA hardware session synchronization sessions will be sent to the interface used by each cluster-sync instance.

    2. Configure FGSP session synchronization as required. All session synchronization options are supported. For example:

      config system ha

      set session-pickup enable

      set session-pickup-connectionless enable

      set session-pickup-expectation enable

      set session-pickup-nat enable

      end

    3. Configure networking on the FortiGate so that traffic to be forwarded to the peer IP address (in the example, 1.1.1.1) passes through a data interface or data interface LAG.

      This data interface or data interface LAG becomes the FGSP HA hardware session synchronization interface. If the data interface or data interface LAG is in the root VDOM, no additional configuration is required.

      If the data interface or data interface LAG is not in the root VDOM, you need to use the peervd option to specify the VDOM that the interface is in. For example, if the data interface or data interface LAG is in the MyCGN-hw12 VDOM:

      config system standalone-cluster

      config cluster-peer

      edit 1

      set peerip 1.1.1.1

      set syncvd MyCGN-hw12, MyCGN-hw22

      set peervd MyCGN-hw12

      end

    Previous
    Next

    Basic FGSP HA hardware session synchronization configuration example

    Basic FGSP HA hardware session synchronization configuration example

    The following steps describe how to set up a basic FGSP configuration to provide FGSP HA hardware session synchronization between one or more hyperscale firewall VDOMs in two FortiGate peers.

    Use the following steps to configure FGSP on both of the peers in the FGSP cluster.

    1. Enable FGSP for a hyperscale firewall VDOM, named MyCGN-hw12:

      config system standalone-cluster

      config cluster-peer

      edit 1

      set peerip 1.1.1.1

      set syncvd MyCGN-hw12

      end

      If your FortiGate has multiple hyperscale firewall VDOMs, you can add the names of the hyperscale VDOMs to be synchronized to the syncvd option. For example:

      config system standalone-cluster

      config cluster-peer

      edit 1

      set peerip 1.1.1.1

      set syncvd MyCGN-hw12, MyCGN-hw22

      end

      In most cases you should create only one cluster-sync instance. If you create multiple cluster-sync instances, all FGSP HA hardware session synchronization sessions will be sent to the interface used by each cluster-sync instance.

    2. Configure FGSP session synchronization as required. All session synchronization options are supported. For example:

      config system ha

      set session-pickup enable

      set session-pickup-connectionless enable

      set session-pickup-expectation enable

      set session-pickup-nat enable

      end

    3. Configure networking on the FortiGate so that traffic to be forwarded to the peer IP address (in the example, 1.1.1.1) passes through a data interface or data interface LAG.

      This data interface or data interface LAG becomes the FGSP HA hardware session synchronization interface. If the data interface or data interface LAG is in the root VDOM, no additional configuration is required.

      If the data interface or data interface LAG is not in the root VDOM, you need to use the peervd option to specify the VDOM that the interface is in. For example, if the data interface or data interface LAG is in the MyCGN-hw12 VDOM:

      config system standalone-cluster

      config cluster-peer

      edit 1

      set peerip 1.1.1.1

      set syncvd MyCGN-hw12, MyCGN-hw22

      set peervd MyCGN-hw12

      end

    Previous
    Next