
FortiGate-7000E Administration Guide

Example FortiGate 7000E FGSP session synchronization with a data interface LAG


This example shows how to configure FGSP to synchronize sessions between two FortiGate-7040Es for the root VDOM and for a second VDOM, named vdom-1. For FGSP session synchronization, the example uses a data interface LAG that includes the 1-A13, 1-A14, 1-A15, 1-A16, 2-A13, 2-A14, 2-A15, and 2-A16 interfaces.

To set up the configuration, start by giving each FortiGate-7040E a different host name to make them easier to identify. This example uses peer_1 and peer_2. On each FortiGate-7040E, create a VDOM named fgsp-sync and move the 1-A13, 1-A14, 1-A15, 1-A16, 2-A13, 2-A14, 2-A15, and 2-A16 interfaces to this VDOM. Then create a LAG named Data-int-lag, also in the fgsp-sync VDOM, that includes the 1-A13, 1-A14, 1-A15, 1-A16, 2-A13, 2-A14, 2-A15, and 2-A16 interfaces. The LAGs on both FortiGate-7040Es are on the 172.25.177.0/24 network. Keeping the session synchronization interfaces in their own VDOM separates the synchronization traffic, which carries the session tables of every synchronized VDOM, from the VDOMs that forward user traffic; the 172.25.177.0/24 network should be a dedicated link between the two chassis rather than a network shared with production traffic.

This example also adds standalone configuration synchronization using the 1-M1 and 1-M2 interfaces and sets the peer_1 device priority higher so that it becomes the config sync primary. Once configuration synchronization is enabled, you can log into peer_1, add firewall policies, and make other configuration changes, and those changes are synchronized to peer_2. For information about configuration synchronization, including its limitations, see Standalone configuration synchronization.

Example FortiGate-7000 FGSP configuration using data interface LAGs

  1. Configure the routers or load balancers to distribute sessions to the two FortiGate-7040Es.

  2. Change the host names of the FortiGate-7040Es to peer_1 and peer_2.

  3. Configure network settings for each FortiGate-7040E to allow them to connect to their networks and route traffic.

  4. Add the vdom-1 and fgsp-sync VDOMs to each FortiGate-7040E.

  5. Also on each FortiGate-7040E, move the 1-A13, 1-A14, 1-A15, 1-A16, 2-A13, 2-A14, 2-A15, and 2-A16 interfaces to the fgsp-sync VDOM.

  6. On peer_1, configure the 1-A13, 1-A14, 1-A15, 1-A16, 2-A13, 2-A14, 2-A15, and 2-A16 interfaces to be FGSP session synchronization data interfaces.

    config system standalone-cluster

    set standalone-group-id 6

    set group-member-id 1

    set data-intf-session-sync-dev 1-A13 1-A14 1-A15 1-A16 2-A13 2-A14 2-A15 2-A16

    end

  7. On peer_1, add a data interface LAG to the fgsp-sync VDOM.

    config system interface

    edit Data-int-lag

    set type aggregate

    set vdom fgsp-sync

    set member 1-A13 1-A14 1-A15 1-A16 2-A13 2-A14 2-A15 2-A16

    set ip 172.25.177.70/24

    set mtu-override enable

    set mtu 9216

    end

    This configuration adds the data interface LAG to the fgsp-sync VDOM, includes the eight data interfaces configured to be FGSP session synchronization interfaces, and configures the LAG to support jumbo frames. The switch ports between the two chassis must also be configured to carry 9216-byte frames, otherwise synchronization packets larger than the switch MTU are dropped.

  8. On peer_1, configure session synchronization for the root and vdom-1 VDOMs.

    config system cluster-sync

    edit 1

    set peervd fgsp-sync

    set peerip 172.25.177.80

    set syncvd root vdom-1

    end

    peervd is fgsp-sync because the FGSP session synchronization data interfaces are in the fgsp-sync VDOM.

    peerip is the IP address of the data interface LAG added to peer_2, so it must match the address set on the Data-int-lag interface in step 11.

    This configuration creates one cluster-sync instance that includes both VDOMs. You could have created a separate cluster-sync instance for each VDOM. If possible, however, avoid creating more than three cluster-sync instances; a fourth cluster-sync instance may experience reduced session synchronization performance.

  9. On peer_1, enable configuration synchronization, enable session pickup, configure the heartbeat interfaces, and set a higher device priority. Because peer_2 keeps the default priority (step 13), peer_1 becomes the config sync primary.

    config system ha

    set standalone-config-sync enable

    set session-pickup enable

    set session-pickup-connectionless enable

    set session-pickup-expectation enable

    set session-pickup-nat enable

    set priority 250

    set hbdev 1-M1 50 1-M2 50

    end

  10. On peer_2, configure the 1-A13, 1-A14, 1-A15, 1-A16, 2-A13, 2-A14, 2-A15, and 2-A16 interfaces to be FGSP session synchronization data interfaces.

    config system standalone-cluster

    set standalone-group-id 6

    set group-member-id 2

    set data-intf-session-sync-dev 1-A13 1-A14 1-A15 1-A16 2-A13 2-A14 2-A15 2-A16

    end

  11. On peer_2, add a data interface LAG to the fgsp-sync VDOM:

    config system interface

    edit Data-int-lag

    set type aggregate

    set vdom fgsp-sync

    set member 1-A13 1-A14 1-A15 1-A16 2-A13 2-A14 2-A15 2-A16

    set ip 172.25.177.80/24

    set mtu-override enable

    set mtu 9216

    end

    This configuration adds the data interface LAG to the fgsp-sync VDOM, includes the eight data interfaces configured to be FGSP session synchronization interfaces, and configures the LAG to support jumbo frames. The LAG address 172.25.177.80 is the peerip that peer_1 uses in step 8, and peer_2 uses the peer_1 LAG address 172.25.177.70 as its peerip in step 12.

  12. On peer_2, configure session synchronization for the root and vdom-1 VDOMs.

    config system cluster-sync

    edit 1

    set peervd fgsp-sync

    set peerip 172.25.177.70

    set syncvd root vdom-1

    end

  13. On peer_2, enable configuration synchronization, enable session pickup, configure the heartbeat interfaces, and leave the device priority set to the default value.

    config system ha

    set standalone-config-sync enable

    set session-pickup enable

    set session-pickup-connectionless enable

    set session-pickup-expectation enable

    set session-pickup-nat enable

    set hbdev 1-M1 50 1-M2 50

    end

    As sessions are forwarded by the routers or load balancers to one of the FortiGate-7040Es, the FGSP synchronizes the sessions to the other FortiGate-7040E. You can log into peer_1 and make configuration changes, which are synchronized to peer_2.
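Most FGSP setup failures on a pair like this are cross-reference mistakes between the two chassis: a peerip that does not match the other peer's LAG address, member IDs that collide, LAG members that are not the configured sync devices, or two equal priorities so that neither peer is the config sync primary. The following script is an added example, not Fortinet code and not part of this guide. It renders the peer_1 and peer_2 fragments from steps 6 to 13 (the rendering function and its arguments are constructed for the example) and checks them against each other offline before anything is typed into the chassis. The parser handles only the config/edit/set/next/end subset of the FortiOS CLI used on this page, and the HA priority default of 128 is assumed where no priority is set.

```python
import ipaddress

# Session synchronization data interfaces from steps 5 and 6 of the example.
SYNC_DEVS = "1-A13 1-A14 1-A15 1-A16 2-A13 2-A14 2-A15 2-A16"


def render_peer(member_id, lag_ip, peer_ip, priority=None, group_id=6):
    """Render one peer's FGSP fragments as typed in steps 6-13 (constructed helper)."""
    prio = f"    set priority {priority}\n" if priority is not None else ""
    return f"""
config system standalone-cluster
    set standalone-group-id {group_id}
    set group-member-id {member_id}
    set data-intf-session-sync-dev {SYNC_DEVS}
end
config system interface
    edit Data-int-lag
        set type aggregate
        set vdom fgsp-sync
        set member {SYNC_DEVS}
        set ip {lag_ip}
        set mtu-override enable
        set mtu 9216
end
config system cluster-sync
    edit 1
        set peervd fgsp-sync
        set peerip {peer_ip}
        set syncvd root vdom-1
end
config system ha
    set standalone-config-sync enable
    set session-pickup enable
    set session-pickup-connectionless enable
    set session-pickup-expectation enable
    set session-pickup-nat enable
{prio}    set hbdev 1-M1 50 1-M2 50
end
"""


def parse_fortios(text):
    """Parse the config/edit/set/next/end subset of the FortiOS CLI into nested dicts.

    'end' typed inside an 'edit' closes both the edit and its enclosing 'config',
    as the CLI itself does; 'set' values are kept as lists of tokens.
    """
    root, stack, cur = {}, [], {}
    cur = root
    for raw in text.splitlines():
        parts = raw.split()
        if not parts:
            continue
        cmd, args = parts[0], parts[1:]
        if cmd in ("config", "edit"):
            stack.append((cmd, cur))
            cur = cur.setdefault(" ".join(args), {})
        elif cmd == "set":
            cur[args[0]] = args[1:]
        elif cmd == "next":
            _, cur = stack.pop()
        elif cmd == "end":
            kind = None
            while kind != "config":
                kind, cur = stack.pop()
    return root


def check_pair(cfg_a, cfg_b):
    """Cross-check two peers' fragments; an empty list of findings means they agree."""
    a, b = parse_fortios(cfg_a), parse_fortios(cfg_b)
    findings = []
    sa, sb = a["system standalone-cluster"], b["system standalone-cluster"]
    if sa["standalone-group-id"] != sb["standalone-group-id"]:
        findings.append("standalone-group-id differs between peers")
    if sa["group-member-id"] == sb["group-member-id"]:
        findings.append("group-member-id must differ between peers")
    if set(sa["data-intf-session-sync-dev"]) != set(sb["data-intf-session-sync-dev"]):
        findings.append("data-intf-session-sync-dev lists differ")
    lag_a = a["system interface"]["Data-int-lag"]
    lag_b = b["system interface"]["Data-int-lag"]
    if ipaddress.ip_interface(lag_a["ip"][0]).network != ipaddress.ip_interface(lag_b["ip"][0]).network:
        findings.append("LAG addresses are not in the same subnet")
    # Each peer's peerip must be the OTHER peer's LAG address, in the LAG's VDOM.
    for name, own, sc, lag, other_lag in (("peer_1", a, sa, lag_a, lag_b), ("peer_2", b, sb, lag_b, lag_a)):
        if set(lag["member"]) != set(sc["data-intf-session-sync-dev"]):
            findings.append(f"{name}: LAG members are not the session sync devices")
        cs = own["system cluster-sync"]["1"]
        if cs["peervd"][0] != lag["vdom"][0]:
            findings.append(f"{name}: peervd is not the VDOM holding the sync LAG")
        if ipaddress.ip_address(cs["peerip"][0]) != ipaddress.ip_interface(other_lag["ip"][0]).ip:
            findings.append(f"{name}: peerip is not the other peer's LAG address")
        if own["system ha"].get("standalone-config-sync", ["disable"])[0] != "enable":
            findings.append(f"{name}: standalone-config-sync is not enabled")
    if set(a["system cluster-sync"]["1"]["syncvd"]) != set(b["system cluster-sync"]["1"]["syncvd"]):
        findings.append("syncvd lists differ")
    if a["system ha"].get("hbdev") != b["system ha"].get("hbdev"):
        findings.append("hbdev differs between peers")
    # Assumed default HA priority of 128 when none is set; equal values give no primary.
    pa = int(a["system ha"].get("priority", ["128"])[0])
    pb = int(b["system ha"].get("priority", ["128"])[0])
    if pa == pb:
        findings.append("HA priorities are equal: no deterministic config sync primary")
    return findings


if __name__ == "__main__":
    peer_1 = render_peer(1, "172.25.177.70/24", "172.25.177.80", priority=250)
    peer_2 = render_peer(2, "172.25.177.80/24", "172.25.177.70")
    print(check_pair(peer_1, peer_2) or "pair is consistent")
```

Run it with the values from the example and it reports a consistent pair; change peer_2's group ID, point its peerip at an address other than 172.25.177.70, or give both peers priority 250, and the corresponding finding is returned. The same check can be run against fragments exported from two running chassis before enabling configuration synchronization.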
