
Administration Guide

Optimizing FGSP session synchronization and redundancy

In this example, standalone FortiGates are peered in FGSP and use session-sync-dev to optimize session synchronization: it eliminates UDP encapsulation and offloads session synchronization processing to the kernel, which allows FGSP session synchronization to handle heavy loads.

For more information about session synchronization, see Session synchronization interfaces in FGSP.

Topology

In this topology, each FortiGate has three FGSP peers (the other three FortiGates), and sessions are synchronized between each FortiGate and each of its peers. Redundancy is achieved by using two dedicated session sync device links for each peer relationship, so each FortiGate is configured with six peer IPs in total: each of its three peers on both links. When one link fails, session synchronization continues over the other link. Because these links carry session state at layer 2, they should be directly connected or on an isolated segment reserved for synchronization traffic, not shared with production traffic.

For optimization, sync-packet-balance is enabled to distribute synchronization packet processing across multiple CPUs. Session synchronization is offloaded to the kernel, and sessions are synchronized at layer 2 over the directly connected interfaces (set session-sync-dev "port5" "port6"). Jumbo frame MTU 9216 is configured on each session synchronization device link to reduce the number of packets. Setting the MTU to 9216 is optional, but if it is used it must be set identically on both ends of each link and be supported by any switch in the path; an MTU mismatch silently drops the larger synchronization frames.

To configure FGT_A:
  1. Configure HA:
    config system ha
        set sync-packet-balance enable
        set session-pickup enable
        set session-pickup-connectionless enable
        set session-pickup-expectation enable
        set session-pickup-nat enable
    end
  2. Configure the layer 2 session synchronization links:
    config system standalone-cluster
        set session-sync-dev "port5" "port6"
    end
  3. Configure the session TTL default timeout:
    config system session-ttl
        set default 300
    end
  4. Configure the interfaces:
    config system interface
        edit port5
            set ip 10.1.1.1/24
            set mtu-override enable
            set mtu 9216
        next
        edit port6
            set ip 10.2.2.1/24
            set mtu-override enable
            set mtu 9216
        next
    end
  5. Configure FGSP session synchronization:
    config system standalone-cluster
        config cluster-peer
            edit 1
                set peerip 10.1.1.2
            next
            edit 2
                set peerip 10.2.2.2
            next
            edit 3
                set peerip 10.1.1.3
            next
            edit 4
                set peerip 10.2.2.3
            next
            edit 5
                set peerip 10.1.1.4
            next
            edit 6
                set peerip 10.2.2.4
            next
        end
    end
To configure FGT_B:
  1. Configure HA:
    config system ha
        set sync-packet-balance enable
        set session-pickup enable
        set session-pickup-connectionless enable
        set session-pickup-expectation enable
        set session-pickup-nat enable
    end
  2. Configure the layer 2 session synchronization links:
    config system standalone-cluster
        set session-sync-dev "port5" "port6"
    end
  3. Configure the session TTL default timeout:
    config system session-ttl
        set default 300
    end
  4. Configure the interfaces:
    config system interface
        edit port5
            set ip 10.1.1.2/24
            set mtu-override enable
            set mtu 9216
        next
        edit port6
            set ip 10.2.2.2/24
            set mtu-override enable
            set mtu 9216
        next
    end
  5. Configure FGSP session synchronization:
    config system standalone-cluster
        config cluster-peer
            edit 1
                set peerip 10.1.1.1
            next
            edit 2
                set peerip 10.2.2.1
            next
            edit 3
                set peerip 10.1.1.3
            next
            edit 4
                set peerip 10.2.2.3
            next
            edit 5
                set peerip 10.1.1.4
            next
            edit 6
                set peerip 10.2.2.4
            next
        end
    end
To configure FGT_C:
  1. Configure HA:
    config system ha
        set sync-packet-balance enable
        set session-pickup enable
        set session-pickup-connectionless enable
        set session-pickup-expectation enable
        set session-pickup-nat enable
    end
  2. Configure the layer 2 session synchronization links:
    config system standalone-cluster
        set session-sync-dev "port5" "port6"
    end
  3. Configure the session TTL default timeout:
    config system session-ttl
        set default 300
    end
  4. Configure the interfaces:
    config system interface
        edit port5
            set ip 10.1.1.3/24
            set mtu-override enable
            set mtu 9216
        next
        edit port6
            set ip 10.2.2.3/24
            set mtu-override enable
            set mtu 9216
        next
    end
  5. Configure FGSP session synchronization:
    config system standalone-cluster
        config cluster-peer
            edit 1
                set peerip 10.1.1.1
            next
            edit 2
                set peerip 10.2.2.1
            next
            edit 3
                set peerip 10.1.1.2
            next
            edit 4
                set peerip 10.2.2.2
            next
            edit 5
                set peerip 10.1.1.4
            next
            edit 6
                set peerip 10.2.2.4
            next
        end
    end
To configure FGT_D:
  1. Configure HA:
    config system ha
        set sync-packet-balance enable
        set session-pickup enable
        set session-pickup-connectionless enable
        set session-pickup-expectation enable
        set session-pickup-nat enable
    end
  2. Configure the layer 2 session synchronization links:
    config system standalone-cluster
        set session-sync-dev "port5" "port6"
    end
  3. Configure the session TTL default timeout:
    config system session-ttl
        set default 300
    end
  4. Configure the interfaces:
    config system interface
        edit port5
            set ip 10.1.1.4/24
            set mtu-override enable
            set mtu 9216
        next
        edit port6
            set ip 10.2.2.4/24
            set mtu-override enable
            set mtu 9216
        next
    end
  5. Configure FGSP session synchronization:
    config system standalone-cluster
        config cluster-peer
            edit 1
                set peerip 10.1.1.1
            next
            edit 2
                set peerip 10.2.2.1
            next
            edit 3
                set peerip 10.1.1.2
            next
            edit 4
                set peerip 10.2.2.2
            next
            edit 5
                set peerip 10.1.1.3
            next
            edit 6
                set peerip 10.2.2.3
            next
        end
    end
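The four device configurations above follow one pattern: every FortiGate lists every other FortiGate on both sync links, and never itself. Hand-typing that mesh is where peer lists drift (a missing peer, a self-reference, a host on the wrong subnet), and a drifted peer list means some sessions are never synchronized. The following Python script is an added example, not Fortinet code: it generates the per-device CLI from an inventory and runs the consistency checks a reviewer would want before pushing the configs. The device names, interface names (port5/port6), subnets (10.1.1.0/24 and 10.2.2.0/24) and MTU follow the page; the inventory is constructed to match the topology, and the helper names are assumptions of this example.

```python
"""Generate and sanity-check a full-mesh FGSP peer configuration.

Added example (not Fortinet's code). Device names, interfaces, subnets and
MTU follow the page; DEVICES/SYNC_LINKS and the helper names are assumptions.
"""
from ipaddress import IPv4Network
from typing import Dict, List, Tuple

# Constructed inventory matching the page: one host number per FortiGate,
# reused on both sync subnets (10.1.1.N/24 and 10.2.2.N/24).
DEVICES: Dict[str, int] = {"FGT_A": 1, "FGT_B": 2, "FGT_C": 3, "FGT_D": 4}

# One entry per dedicated session-sync link: (interface, subnet).
SYNC_LINKS: List[Tuple[str, IPv4Network]] = [
    ("port5", IPv4Network("10.1.1.0/24")),
    ("port6", IPv4Network("10.2.2.0/24")),
]

MTU = 9216  # jumbo frames; optional, but must match on both ends of a link


def link_ip(host: int, net: IPv4Network) -> str:
    """Address of host number `host` on sync subnet `net`, e.g. 10.2.2.3."""
    return str(net.network_address + host)


def peer_ips(device: str) -> List[str]:
    """Peer IPs a device must list: every other device on every link.

    Order matches the page: both links of the first peer, then the next peer,
    so FGT_A yields 10.1.1.2, 10.2.2.2, 10.1.1.3, 10.2.2.3, 10.1.1.4, 10.2.2.4.
    """
    ips: List[str] = []
    for name, host in DEVICES.items():
        if name == device:
            continue  # a device never peers with itself
        for _iface, net in SYNC_LINKS:
            ips.append(link_ip(host, net))
    return ips


def render_config(device: str) -> str:
    """Render the FortiOS CLI for one device in the order the page uses."""
    own = DEVICES[device]
    out = [
        "config system ha",
        "    set sync-packet-balance enable",
        "    set session-pickup enable",
        "    set session-pickup-connectionless enable",
        "    set session-pickup-expectation enable",
        "    set session-pickup-nat enable",
        "end",
        "config system standalone-cluster",
        "    set session-sync-dev " + " ".join(f'"{i}"' for i, _ in SYNC_LINKS),
        "end",
        "config system session-ttl",
        "    set default 300",
        "end",
        "config system interface",
    ]
    for iface, net in SYNC_LINKS:
        out += [
            f"    edit {iface}",
            f"        set ip {link_ip(own, net)}/{net.prefixlen}",
            "        set mtu-override enable",
            f"        set mtu {MTU}",
            "    next",
        ]
    out += ["end", "config system standalone-cluster", "    config cluster-peer"]
    for idx, ip in enumerate(peer_ips(device), start=1):
        out += [f"        edit {idx}", f"            set peerip {ip}", "        next"]
    out += ["    end", "end"]
    return "\n".join(out)


def check_mesh() -> List[str]:
    """Pre-push checks. Returns problems; an empty list means the mesh is
    consistent: no self-peering, no duplicate peer IPs, and every device's
    peer set is exactly the other devices' addresses on both links."""
    problems: List[str] = []
    all_ips = {link_ip(h, net) for h in DEVICES.values() for _, net in SYNC_LINKS}
    for dev, host in DEVICES.items():
        own_ips = {link_ip(host, net) for _, net in SYNC_LINKS}
        peers = peer_ips(dev)
        if own_ips & set(peers):
            problems.append(f"{dev} lists its own address as a peer")
        if len(set(peers)) != len(peers):
            problems.append(f"{dev} has duplicate peer IPs")
        if set(peers) != all_ips - own_ips:
            problems.append(f"{dev} peer set is incomplete or has strays")
    return problems


if __name__ == "__main__":
    for dev in DEVICES:
        print(f"# {dev}")
        print(render_config(dev))
    print("mesh problems:", check_mesh() or "none")
```

Adding a fifth FortiGate is a one-line change to DEVICES; every device then gains two peer entries, and check_mesh confirms that no device was left with a stale six-entry list.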