Fortinet white logo
Fortinet white logo

FortiGate-7000F Administration Guide

Example FortiGate 7000F FGSP session synchronization with a data interface LAG

Example FortiGate 7000F FGSP session synchronization with a data interface LAG

This example shows how to configure FGSP to synchronize sessions between two FortiGate-7121Fs for the root VDOM and for a second VDOM, named vdom-1. For FGSP session synchronization, the example uses a data interface LAG that includes the 1-P17, 1-P18, 2-P17, and 2-P18 interfaces.

To set up the configuration, start by giving each FortiGate-7121F a different host name to make them easier to identify. This example uses peer_1 and peer_2. On each FortiGate-7121F, create a VDOM named fgsp-sync and move the 1-P17, 1-P18, 2-P17, and 2-P18 interfaces to this VDOM. Then create a LAG named Data-int-lag, also in the fgsp-sync VDOM, that includes the 1-P17, 1-P18, 2-P17, and 2-P18 interfaces. The LAGs on both FortiGate-7121Fs are on the 172.25.177.0/24 network.

This example also adds standalone configuration synchronization and sets the peer_1 device priority higher so that it becomes the config sync primary. Once configuration synchronization is enabled, you can log into peer_1 and add firewall policies and make other configuration changes and these configuration changes will be synchronized to peer_2. For information about configuration synchronization, including its limitations, see Standalone configuration synchronization.

Example FortiGate 7000F FGSP configuration using data interface LAGs

  1. Configure the routers or load balancers to distribute sessions to the two FortiGate-7121Fs.

  2. Change the host names of the FortiGate-7121Fs to peer_1 and peer_2.
  3. Configure network settings for each FortiGate-7121F to allow them to connect to their networks and route traffic.
  4. Add the vdom-1 and fgsp-sync VDOMs to each FortiGate-7121F.
  5. Also on each FortiGate-7121F, move the 1-P17, 1-P18, 2-P17, and 2-P18 interfaces to the fgsp-sync VDOM.
  6. On peer_1, configure the 1-P17, 1-P18, 2-P17, and 2-P18 interfaces to be FGSP session synchronization data interfaces.

    config system standalone-cluster

    set standalone-group-id 7

    set group-member-id 1

    set data-intf-session-sync-dev 1-P17 1-P18 2-P17 2-P18

    end

  7. On peer_1, add a data interface LAG to the fgsp-sync VDOM.

    config system interface

    edit Data-int-lag

    set type aggregate

    set vdom fgsp-sync

    set member 1-P17 1-P18 2-P17 2-P18

    set ip 172.25.177.110/24

    set mtu-override enable

    set mtu 9216

    end

    This configuration adds the data interface LAG to the fgsp-sync VDOM, includes the four data interfaces configured to be FGSP session synchronization interfaces, and configures the LAG to support jumbo frames.

  8. On peer_1, configure session synchronization for the root and vdom-1 VDOMs.

    config system cluster-sync

    edit 1

    set peervd fgsp-sync

    set peerip 172.25.177.120

    set syncvd root vdom-1

    end

    peervd is fgsp-sync because the FGSP session synchronization data interfaces are in the fgsp-sync VDOM.

    peerip is the IP address of the data interface LAG added to peer_2.

    This configuration creates one cluster-sync instance that includes both VDOMs. You could have created a separate cluster-sync instance for each VDOM. If possible, however, avoid creating more than three cluster-sync instances. A fourth cluster-sync instance may experience reduced session synchronization performance.

  9. On peer_1, enable configuration synchronization, enable session pickup, configure the heartbeat interfaces, and set a higher device priority. This makes peer_1 become the config sync primary.

    config system ha

    set standalone-config-sync enable

    set session-pickup enable

    set session-pickup-connectionless enable

    set session-pickup-expectation enable

    set session-pickup-nat enable

    set priority 250

    set hbdev 1-M3 100 2-M3 100

    end

  10. On peer_2, configure the 1-P17, 1-P18, 2-P17, and 2-P18 interfaces to be FGSP session synchronization data interfaces.

    config system standalone-cluster

    set standalone-group-id 7

    set group-member-id 2

    set data-intf-session-sync-dev 1-P17 1-P18 2-P17 2-P18

    end

  11. On peer_2, add a data interface LAG to the fgsp-sync VDOM.

    config system interface

    edit Data-int-lag

    set type aggregate

    set vdom fgsp-sync

    set member 1-P17 1-P18 2-P17 2-P18

    set ip 172.25.177.120/24

    set mtu-override enable

    set mtu 9216

    end

    This configuration adds the data interface LAG to the fgsp-sync VDOM, includes the four data interfaces configured to be FGSP session synchronization interfaces, and configures the LAG to support jumbo frames.

  12. On peer_2, configure session synchronization for the root and vdom-1 VDOMs.

    config system cluster-sync

    edit 1

    set peervd fgsp-sync

    set peerip 172.25.177.110

    set syncvd root vdom-1

    end

  13. On peer_2, enable configuration synchronization, configure the heartbeat interfaces, and leave the device priority set to the default value.

    config system ha

    set standalone-config-sync enable

    set session-pickup enable

    set session-pickup-connectionless enable

    set session-pickup-expectation enable

    set session-pickup-nat enable

    set hbdev 1-M3 100 2-M3 100

    end

    As sessions are forwarded by the routers or load balancers to one of the FortiGate-7121Fs, the FGSP synchronizes the sessions to the other FortiGate-7121F. You can log into peer_1 and make configuration changes, which are synchronized to peer_2.

Example FortiGate 7000F FGSP session synchronization with a data interface LAG

Example FortiGate 7000F FGSP session synchronization with a data interface LAG

This example shows how to configure FGSP to synchronize sessions between two FortiGate-7121Fs for the root VDOM and for a second VDOM, named vdom-1. For FGSP session synchronization, the example uses a data interface LAG that includes the 1-P17, 1-P18, 2-P17, and 2-P18 interfaces.

To set up the configuration, start by giving each FortiGate-7121F a different host name to make them easier to identify. This example uses peer_1 and peer_2. On each FortiGate-7121F, create a VDOM named fgsp-sync and move the 1-P17, 1-P18, 2-P17, and 2-P18 interfaces to this VDOM. Then create a LAG named Data-int-lag, also in the fgsp-sync VDOM, that includes the 1-P17, 1-P18, 2-P17, and 2-P18 interfaces. The LAGs on both FortiGate-7121Fs are on the 172.25.177.0/24 network.

This example also adds standalone configuration synchronization and sets the peer_1 device priority higher so that it becomes the config sync primary. Once configuration synchronization is enabled, you can log into peer_1 and add firewall policies and make other configuration changes and these configuration changes will be synchronized to peer_2. For information about configuration synchronization, including its limitations, see Standalone configuration synchronization.

Example FortiGate 7000F FGSP configuration using data interface LAGs

  1. Configure the routers or load balancers to distribute sessions to the two FortiGate-7121Fs.

  2. Change the host names of the FortiGate-7121Fs to peer_1 and peer_2.
  3. Configure network settings for each FortiGate-7121F to allow them to connect to their networks and route traffic.
  4. Add the vdom-1 and fgsp-sync VDOMs to each FortiGate-7121F.
  5. Also on each FortiGate-7121F, move the 1-P17, 1-P18, 2-P17, and 2-P18 interfaces to the fgsp-sync VDOM.
  6. On peer_1, configure the 1-P17, 1-P18, 2-P17, and 2-P18 interfaces to be FGSP session synchronization data interfaces.

    config system standalone-cluster

    set standalone-group-id 7

    set group-member-id 1

    set data-intf-session-sync-dev 1-P17 1-P18 2-P17 2-P18

    end

  7. On peer_1, add a data interface LAG to the fgsp-sync VDOM.

    config system interface

    edit Data-int-lag

    set type aggregate

    set vdom fgsp-sync

    set member 1-P17 1-P18 2-P17 2-P18

    set ip 172.25.177.110/24

    set mtu-override enable

    set mtu 9216

    end

    This configuration adds the data interface LAG to the fgsp-sync VDOM, includes the four data interfaces configured to be FGSP session synchronization interfaces, and configures the LAG to support jumbo frames.

  8. On peer_1, configure session synchronization for the root and vdom-1 VDOMs.

    config system cluster-sync

    edit 1

    set peervd fgsp-sync

    set peerip 172.25.177.120

    set syncvd root vdom-1

    end

    peervd is fgsp-sync because the FGSP session synchronization data interfaces are in the fgsp-sync VDOM.

    peerip is the IP address of the data interface LAG added to peer_2.

    This configuration creates one cluster-sync instance that includes both VDOMs. You could have created a separate cluster-sync instance for each VDOM. If possible, however, avoid creating more than three cluster-sync instances. A fourth cluster-sync instance may experience reduced session synchronization performance.

  9. On peer_1, enable configuration synchronization, enable session pickup, configure the heartbeat interfaces, and set a higher device priority. This makes peer_1 become the config sync primary.

    config system ha

    set standalone-config-sync enable

    set session-pickup enable

    set session-pickup-connectionless enable

    set session-pickup-expectation enable

    set session-pickup-nat enable

    set priority 250

    set hbdev 1-M3 100 2-M3 100

    end

  10. On peer_2, configure the 1-P17, 1-P18, 2-P17, and 2-P18 interfaces to be FGSP session synchronization data interfaces.

    config system standalone-cluster

    set standalone-group-id 7

    set group-member-id 2

    set data-intf-session-sync-dev 1-P17 1-P18 2-P17 2-P18

    end

  11. On peer_2, add a data interface LAG to the fgsp-sync VDOM.

    config system interface

    edit Data-int-lag

    set type aggregate

    set vdom fgsp-sync

    set member 1-P17 1-P18 2-P17 2-P18

    set ip 172.25.177.120/24

    set mtu-override enable

    set mtu 9216

    end

    This configuration adds the data interface LAG to the fgsp-sync VDOM, includes the four data interfaces configured to be FGSP session synchronization interfaces, and configures the LAG to support jumbo frames.

  12. On peer_2, configure session synchronization for the root and vdom-1 VDOMs.

    config system cluster-sync

    edit 1

    set peervd fgsp-sync

    set peerip 172.25.177.110

    set syncvd root vdom-1

    end

  13. On peer_2, enable configuration synchronization, configure the heartbeat interfaces, and leave the device priority set to the default value.

    config system ha

    set standalone-config-sync enable

    set session-pickup enable

    set session-pickup-connectionless enable

    set session-pickup-expectation enable

    set session-pickup-nat enable

    set hbdev 1-M3 100 2-M3 100

    end

    As sessions are forwarded by the routers or load balancers to one of the FortiGate-7121Fs, the FGSP synchronizes the sessions to the other FortiGate-7121F. You can log into peer_1 and make configuration changes, which are synchronized to peer_2.