Example FortiGate-6000 FGSP session synchronization using HA interfaces
This example shows how to configure FGSP to synchronize sessions between two FortiGate-6301s for the root VDOM and for a second VDOM, named vdom-1. The example uses the HA1 interfaces of each FortiGate-6301F for session synchronization. The HA1 interfaces are connected to the 172.25.177.0/24 network. You could also connect and configure the HA2 interfaces and use them for session synchronization.
The interfaces of the two FortiGate-6301Fs must have their own IP addresses and their own network configuration. You can give the FortiGate-6301Fs different host names. This example uses peer_1 and peer_2, to make the FortiGate-6301Fs easier to identify.
This example also adds configuration synchronization and sets the peer_1 device priority higher so that it becomes the config sync primary. Once configuration synchronization is enabled, you can log into peer_1 and add firewall policies and make other configuration changes and these configuration changes will be synchronized to peer_2. For information about configuration synchronization, including its limitations, see Standalone configuration synchronization.
Example FortiGate-6000 FGSP configuration
-
Configure the routers or load balancers to distribute sessions to the two FortiGate-6301Fs.
- Change the host names of the FortiGate-6301Fs to peer_1 and peer_2.
- Configure network settings for each FortiGate-6301F to allow them to connect to their networks and route traffic.
- Add the vdom-1 VDOM to each FortiGate-6301F.
-
On peer_1, set up the standalone-cluster configuration.
config system standalone-cluster
set standalone-group-id 3
set group-member-id 1
end
-
On peer_1, configure the HA1 interface of with an IP address on the 172.25.177.0/24 network:
config system interface
edit ha1
set ip 172.25.177.10 255.255.255.0
end
-
On peer_1, configure session synchronization for the root and vdom-1 VDOMs.
config system standalone-cluster
config cluster-peer
edit 1
set peervd mgmt-vdom
set peerip 172.25.177.20
set syncvd root vdom-1
end
Where,
peervd
will always bemgmt-vdom
andpeerip
is the IP address of the HA1 interface of peer_2.This configuration creates one
cluster-sync
instance that includes both VDOMs. You could have created a separatecluster-sync
instance for each VDOM. If possible, however, avoid creating more than threecluster-sync
instances. A fourthcluster-sync
instance may experience reduced session synchronization performance. -
On peer_1, enable configuration synchronization, enable session pickup, configure the heartbeat interfaces, and set a higher device priority. This makes peer_1 become the config sync primary.
config system ha
set standalone-config-sync enable
set session-pickup enable
set session-pickup-connectionless enable
set session-pickup-expectation enable
set session-pickup-nat enable
set priority 250
set hbdev ha1 50 ha2 50
end
-
On peer_2, set up the standalone-cluster configuration.
config system standalone-cluster
set standalone-group-id 3
set group-member-id 2
end
-
On peer_2, configure the HA1 interface with an IP address on the 172.25.177.0/24 network:
config system interface
edit ha1
set ip 172.25.177.20 255.255.255.0
end
-
On peer_2, configure session synchronization for the root and vdom-1 VDOMs.
config system standalone-cluster
config cluster-peer
edit 1
set peervd mgmt-vdom
set peerip 172.25.177.10
set syncvd root vdom-1
end
-
On peer_2, enable configuration synchronization, enable session pickup, configure the heartbeat interfaces, and leave the device priority set to the default value.
config system ha
set standalone-config-sync enable
set session-pickup enable
set session-pickup-connectionless enable
set session-pickup-expectation enable
set session-pickup-nat enable
set hbdev ha1 50 ha2 50
end
As sessions are forwarded by the routers or load balancers to one of the FortiGate-6301Fs, the FGSP synchronizes the sessions to the other FortiGate-6301F. You can log into peer_1 and make configuration changes, which are synchronized to peer_2.