Fortinet white logo
Fortinet white logo

FortiGate-6000 Administration Guide

Example FortiGate-6000 FGSP session synchronization using HA interfaces

Example FortiGate-6000 FGSP session synchronization using HA interfaces

This example shows how to configure FGSP to synchronize sessions between two FortiGate-6301s for the root VDOM and for a second VDOM, named vdom-1. The example uses the HA1 interfaces of each FortiGate-6301F for session synchronization. The HA1 interfaces are connected to the 172.25.177.0/24 network. You could also connect and configure the HA2 interfaces and use them for session synchronization.

The interfaces of the two FortiGate-6301Fs must have their own IP addresses and their own network configuration. You can give the FortiGate-6301Fs different host names. This example uses peer_1 and peer_2, to make the FortiGate-6301Fs easier to identify.

This example also adds configuration synchronization and sets the peer_1 device priority higher so that it becomes the config sync primary. Once configuration synchronization is enabled, you can log into peer_1 and add firewall policies and make other configuration changes and these configuration changes will be synchronized to peer_2. For information about configuration synchronization, including its limitations, see Standalone configuration synchronization.

Example FortiGate-6000 FGSP configuration

  1. Configure the routers or load balancers to distribute sessions to the two FortiGate-6301Fs.

  2. Change the host names of the FortiGate-6301Fs to peer_1 and peer_2.
  3. Configure network settings for each FortiGate-6301F to allow them to connect to their networks and route traffic.
  4. Add the vdom-1 VDOM to each FortiGate-6301F.
  5. On peer_1, set up the standalone-cluster configuration.

    config system standalone-cluster

    set standalone-group-id 3

    set group-member-id 1

    end

  6. On peer_1, configure the HA1 interface of with an IP address on the 172.25.177.0/24 network:

    config system interface

    edit ha1

    set ip 172.25.177.10 255.255.255.0

    end

  7. On peer_1, configure session synchronization for the root and vdom-1 VDOMs.

    config system standalone-cluster

    config cluster-peer

    edit 1

    set peervd mgmt-vdom

    set peerip 172.25.177.20

    set syncvd root vdom-1

    end

    Where, peervd will always be mgmt-vdom and peerip is the IP address of the HA1 interface of peer_2.

    This configuration creates one cluster-sync instance that includes both VDOMs. You could have created a separate cluster-sync instance for each VDOM. If possible, however, avoid creating more than three cluster-sync instances. A fourth cluster-sync instance may experience reduced session synchronization performance.

  8. On peer_1, enable configuration synchronization, enable session pickup, configure the heartbeat interfaces, and set a higher device priority. This makes peer_1 become the config sync primary.

    config system ha

    set standalone-config-sync enable

    set session-pickup enable

    set session-pickup-connectionless enable

    set session-pickup-expectation enable

    set session-pickup-nat enable

    set priority 250

    set hbdev ha1 50 ha2 50

    end

  9. On peer_2, set up the standalone-cluster configuration.

    config system standalone-cluster

    set standalone-group-id 3

    set group-member-id 2

    end

  10. On peer_2, configure the HA1 interface with an IP address on the 172.25.177.0/24 network:

    config system interface

    edit ha1

    set ip 172.25.177.20 255.255.255.0

    end

  11. On peer_2, configure session synchronization for the root and vdom-1 VDOMs.

    config system standalone-cluster

    config cluster-peer

    edit 1

    set peervd mgmt-vdom

    set peerip 172.25.177.10

    set syncvd root vdom-1

    end

  12. On peer_2, enable configuration synchronization, enable session pickup, configure the heartbeat interfaces, and leave the device priority set to the default value.

    config system ha

    set standalone-config-sync enable

    set session-pickup enable

    set session-pickup-connectionless enable

    set session-pickup-expectation enable

    set session-pickup-nat enable

    set hbdev ha1 50 ha2 50

    end

    As sessions are forwarded by the routers or load balancers to one of the FortiGate-6301Fs, the FGSP synchronizes the sessions to the other FortiGate-6301F. You can log into peer_1 and make configuration changes, which are synchronized to peer_2.

Example FortiGate-6000 FGSP session synchronization using HA interfaces

Example FortiGate-6000 FGSP session synchronization using HA interfaces

This example shows how to configure FGSP to synchronize sessions between two FortiGate-6301s for the root VDOM and for a second VDOM, named vdom-1. The example uses the HA1 interfaces of each FortiGate-6301F for session synchronization. The HA1 interfaces are connected to the 172.25.177.0/24 network. You could also connect and configure the HA2 interfaces and use them for session synchronization.

The interfaces of the two FortiGate-6301Fs must have their own IP addresses and their own network configuration. You can give the FortiGate-6301Fs different host names. This example uses peer_1 and peer_2, to make the FortiGate-6301Fs easier to identify.

This example also adds configuration synchronization and sets the peer_1 device priority higher so that it becomes the config sync primary. Once configuration synchronization is enabled, you can log into peer_1 and add firewall policies and make other configuration changes and these configuration changes will be synchronized to peer_2. For information about configuration synchronization, including its limitations, see Standalone configuration synchronization.

Example FortiGate-6000 FGSP configuration

  1. Configure the routers or load balancers to distribute sessions to the two FortiGate-6301Fs.

  2. Change the host names of the FortiGate-6301Fs to peer_1 and peer_2.
  3. Configure network settings for each FortiGate-6301F to allow them to connect to their networks and route traffic.
  4. Add the vdom-1 VDOM to each FortiGate-6301F.
  5. On peer_1, set up the standalone-cluster configuration.

    config system standalone-cluster

    set standalone-group-id 3

    set group-member-id 1

    end

  6. On peer_1, configure the HA1 interface of with an IP address on the 172.25.177.0/24 network:

    config system interface

    edit ha1

    set ip 172.25.177.10 255.255.255.0

    end

  7. On peer_1, configure session synchronization for the root and vdom-1 VDOMs.

    config system standalone-cluster

    config cluster-peer

    edit 1

    set peervd mgmt-vdom

    set peerip 172.25.177.20

    set syncvd root vdom-1

    end

    Where, peervd will always be mgmt-vdom and peerip is the IP address of the HA1 interface of peer_2.

    This configuration creates one cluster-sync instance that includes both VDOMs. You could have created a separate cluster-sync instance for each VDOM. If possible, however, avoid creating more than three cluster-sync instances. A fourth cluster-sync instance may experience reduced session synchronization performance.

  8. On peer_1, enable configuration synchronization, enable session pickup, configure the heartbeat interfaces, and set a higher device priority. This makes peer_1 become the config sync primary.

    config system ha

    set standalone-config-sync enable

    set session-pickup enable

    set session-pickup-connectionless enable

    set session-pickup-expectation enable

    set session-pickup-nat enable

    set priority 250

    set hbdev ha1 50 ha2 50

    end

  9. On peer_2, set up the standalone-cluster configuration.

    config system standalone-cluster

    set standalone-group-id 3

    set group-member-id 2

    end

  10. On peer_2, configure the HA1 interface with an IP address on the 172.25.177.0/24 network:

    config system interface

    edit ha1

    set ip 172.25.177.20 255.255.255.0

    end

  11. On peer_2, configure session synchronization for the root and vdom-1 VDOMs.

    config system standalone-cluster

    config cluster-peer

    edit 1

    set peervd mgmt-vdom

    set peerip 172.25.177.10

    set syncvd root vdom-1

    end

  12. On peer_2, enable configuration synchronization, enable session pickup, configure the heartbeat interfaces, and leave the device priority set to the default value.

    config system ha

    set standalone-config-sync enable

    set session-pickup enable

    set session-pickup-connectionless enable

    set session-pickup-expectation enable

    set session-pickup-nat enable

    set hbdev ha1 50 ha2 50

    end

    As sessions are forwarded by the routers or load balancers to one of the FortiGate-6301Fs, the FGSP synchronizes the sessions to the other FortiGate-6301F. You can log into peer_1 and make configuration changes, which are synchronized to peer_2.