Session synchronization interfaces in FGSP
When peering over FGSP, by default, the FortiGates or FGCP clusters share information over L3 between the interfaces that are configured with Peer IP addresses. When a session synchronization interface is configured and FGSP peers are directly connected on this interface, then session synchronization is done over L2, only falling back to L3 if the session synchronization interface becomes unavailable.
When FGSP peers are formed between standalone FortiGates, the session synchronization process is performed by the kernel with UDP encapsulation. When using a FGSP session synchronization interface, the synchronization process is also offloaded to the kernel, albeit more efficiently without the UDP encapsulation. Therefore, a fast, dedicated, and stable L2 connection is recommended for the session synchronization interface between the FGSP peers. For redundancy, multiple synchronization interfaces can be configured. The session synchronization interface or interfaces should always be the same on each FGSP peer.
The configurations related to session tables should match. For example, the logical names used in firewall policies, IPsec interface names, VDOM names, firewall policy tables, and so on.
To configure session-sync interfaces:
config system standalone-cluster set session-sync-dev <interface 1> [<interface 2>] ... [<interface n>] set layer2-connection {available | unavailable} set encryption {enable | disable} end
The layer2-connection
setting is for forwarded traffic between FGSP peers. Set it to available
if the peer interface user for traffic forwarding is directly connected and supports L2 forwarding. See UTM inspection on asymmetric traffic in FGSP for more information.
Session synchronization in FGCP over FGSP
To provide full redundancy, FGCP clusters can be used in FGSP peering. This is called FGCP over FGSP. In these complex environments, as well as in high performance, low latency data centers, using the FGCP session synchronization interface is recommended, as it offloads the session synchronization process to the kernel.
To offload the session synchronization process to the kernel and synchronize sessions using connected interfaces directly:
config system ha set session-sync-dev <interface 1> [<interface 2>] ... [<interface n>] end
This is optimal when any of the following conditions apply:
-
The session rate is high.
-
Low network latency is required.
-
There is a complex environment with FGCP clusters synchronizing over FGSP using L3 only in the presence of asymmetric traffic.
Configuring the FGCP session-sync-dev
effectively offloads the session synchronization from the sessionsync daemon into the kernel and reduces the session synchronization latency.
When configuring both |
The following topology uses multiple session synchronization interfaces with a full mesh backbone to prevent any single point of failure.
The state diagram summarizes the session synchronization of a TCP session. It assumes that the session is connected over FGCP Cluster 1 and processed entirely by the primary unit, Cluster-1A.
-
The session starts with the Client SYN packet.
-
As the session is established, Cluster-1A synchronizes the session with Cluster-1B over the heartbeat interface, and with Cluster-2A over the session synchronization interface.
-
Cluster-2A then synchronizes the session with Cluster-2B over its heartbeat interface.
-
The process then repeats as it transitions to different states.
Session synchronization if links fail
In the previous topology, if any single session synchronization link fails on the primary member of each cluster, session synchronization will continue on the second link from the pair of session of session synchronization interfaces.
If the second link on the primary member of the same cluster then fails, L2 session synchronization over the session synchronization interface stops, and synchronization fails over to L3 between the peer IP links.
If the Peer IP link then fails, the FGSP peers are effectively disconnected, and no session synchronization will occur.