
FortiGate-7000E Administration Guide

Synchronizing sessions between FortiGate-7000E FGCP clusters

FortiGate-7000E supports using FGSP to synchronize sessions among up to four FortiGate-7000E FGCP clusters. All of the FortiGate-7000Es must be the same hardware model.

FGSP between FGCP clusters synchronizes sessions between the primary FortiGate-7000Es in each cluster. FGCP HA then handles session synchronization between FortiGate-7000Es in each FGCP cluster.

For details about FGSP between FGCP clusters, see: Synchronizing sessions between FGCP clusters.

You can use data interfaces or data interface LAGs as FGSP session synchronization interfaces. The M1 and M2 interfaces are used for FGCP HA heartbeat between the FortiGate-7000Es in each FGCP cluster.

Synchronizing sessions between FortiGate-7000E FGCP clusters has the following limitations:

  • The FGCP clusters cannot be configured for virtual clustering.
  • NAT between the session synchronization interfaces is not supported.
  • Standalone configuration synchronization between the FGCP clusters is not supported.
  • Inter-cluster session synchronization doesn't support setting up IPv6 session filters using the config session-sync-filter option.
  • When ICMP load balancing is set to to-primary, ICMP packets are not installed on the DP processor. In an FGSP between FGCP session synchronization configuration with an asymmetric topology, synchronized ICMP packets will be dropped if the clusters have selected a different primary FPM. To avoid this possible traffic loss, set dp-icmp-distribution-method to src-ip, dst-ip, or src-dst-ip.
  • Asymmetric IPv6 SCTP traffic sessions are not supported. These sessions are dropped.
  • FGSP IPsec tunnel synchronization is not supported.
  • Session synchronization packets cannot be fragmented, so the network must support the MTU of the session synchronization interface.
  • To reduce the number of failovers and the amount of session synchronization traffic, configuring HA override on the FGCP clusters is not recommended.
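
As an added example (not Fortinet's code), the following Python check scans a FortiOS-style configuration backup for three of the settings named in the list above: ICMP distribution set to to-primary, HA override enabled, and IPv6 addresses in a session-sync-filter. The config paths (config load-balance setting, config system ha, config system cluster-sync) and the srcaddr6/dstaddr6 keys are assumptions about where these options appear, and the sample configuration is constructed.

```python
import shlex

# Constructed sample config excerpt (not taken from a real device).
SAMPLE = """\
config load-balance setting
    set dp-icmp-distribution-method to-primary
end
config system ha
    set mode a-p
    set override enable
end
config system cluster-sync
    edit 1
        set peerip 10.10.10.2
        config session-sync-filter
            set srcaddr6 2001:db8::/64
        end
    next
end
"""

def iter_settings(text):
    """Yield (config_path, key, values) for every 'set' line, tracking nesting."""
    stack = []
    for raw in text.splitlines():
        tok = shlex.split(raw)
        if not tok:
            continue
        if tok[0] == "config":
            stack.append(" ".join(tok[1:]))   # enter a config block
        elif tok[0] == "end" and stack:
            stack.pop()                       # leave the innermost block
        elif tok[0] == "set" and len(tok) >= 2:
            yield " > ".join(stack), tok[1], tok[2:]

def audit(text):
    """Return findings for settings that conflict with the limitations listed above."""
    findings = []
    for path, key, vals in iter_settings(text):
        if key == "dp-icmp-distribution-method" and vals == ["to-primary"]:
            findings.append("icmp-to-primary")    # synced ICMP may be dropped
        elif path.endswith("system ha") and key == "override" and vals == ["enable"]:
            findings.append("ha-override")        # HA override is not recommended
        elif path.endswith("session-sync-filter") and key in ("srcaddr6", "dstaddr6"):
            findings.append("ipv6-sync-filter")   # IPv6 session filters unsupported
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print("finding:", finding)
```
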
