Example FortiGate 7000E FGSP configuration using 1-M1 interfaces
This example shows how to configure FGSP to synchronize sessions between two FortiGate-7040Es for the root VDOM and for a second VDOM, named vdom-1. The example uses the 1-M1 interface for root session synchronization and the 1-M2 interface for vdom-1 session synchronization. The 1-M1 interfaces are connected to the 172.25.177.0/24 network and the 1-M2 interfaces are connected to the 172.25.178.0/24 network.
The interfaces of the two FortiGate-7040Es must have their own IP addresses and their own networking configuration. You can give the FortiGate-7040Es different host names, in this example, peer_1 and peer_2, to make them easier to identify.
This example also adds configuration synchronization and sets the peer_1 device priority higher so that it becomes the config sync primary. Once configuration synchronization is enabled, you can log into peer_1 and add firewall policies and make other configuration changes and these configuration changes will be synchronized to peer_2. For information about configuration synchronization, including its limitations, see Standalone configuration synchronization.
Example FortiGate 7000E FGSP configuration
-
Configure the routers or load balancers to distribute sessions to the two FortiGate-7040s.
-
Change the host names of the FortiGate-7040Es to peer_1 and peer_2.
-
Configure network settings for each FortiGate-7040E to allow them to connect to their networks and route traffic.
-
Add the vdom-1 VDOM to each FortiGate-7040E.
-
On peer_1, set up the standalone-cluster configuration.
config system standalone-cluster
set standalone-group-id 4
set group-member-id 1
end
-
On peer_1 configure the 1-M1 and 1-M2 interfaces with IP addresses on the 172.25.177.0/24 and 172.25.178.0/24 networks:
config system interface
edit 1-M1
set ip 172.25.177.30 255.255.255.0
next
edit 1-M2
set ip 172.25.178.35 255.255.255.0
end
-
On peer_1, configure session synchronization for the root and vdom-1 VDOMs.
config system cluster-sync
edit 1
set peervd mgmt-vdom
set peerip 172.25.177.40
set syncvd root
next
edit 2
set peervd mgmt-vdom
set peerip 172.25.178.45
set syncvd vdom-1
next
For the root vdom,
peervd
will always bemgmt-vdom
andpeerip
is the IP address of the 1-M1 interface of peer_2.For vdom-1,
peervd
will always bemgmt-vdom
andpeerip
is the IP address of the 1-M2 interface of peer_2. -
On peer_1, enable configuration synchronization, enable session pickup, configure the heartbeat interfaces, and set a higher device priority. This makes peer_1 become the config sync primary.
config system ha
set standalone-config-sync enable
set session-pickup enable
set session-pickup-connectionless enable
set session-pickup-expectation enable
set session-pickup-nat enable
set priority 250
set hbdev 1-M1 50 1-M2 50
end
-
On peer_2, set up the standalone-cluster configuration.
config system standalone-cluster
set standalone-group-id 4
set group-member-id 2
end
-
On peer_2 configure the 1-M1 and 1-M2 interfaces with IP addresses on the 172.25.177.0/24 and 172.25.178.0/24 networks:
config system interface
edit 1-M1
set ip 172.25.177.40 255.255.255.0
next
edit 1-M2
set ip 172.25.178.45 255.255.255.0
end
-
On peer_2, configure session synchronization for the root and vdom-1 VDOMs.
config system cluster-sync
edit 1
set peervd mgmt-vdom
set peerip 172.25.177.30
set syncvd root
next
edit 2
set peervd mgmt-vdom
set peerip 172.25.178.35
set syncvd vdom-1
next
For the root VDOM,
peervd
will always bemgmt-vdom
andpeerip
is the IP address of the 1-M1 interface of peer_1.For vdom-1,
peervd
will always bemgmt-vdom
andpeerip
is the IP address of the 1-M2 interface of peer_1. -
On peer_2, enable configuration synchronization, enable session pickup, configure the heartbeat interfaces, and leave the device priority set to the default value.
config system ha
set standalone-config-sync enable
set session-pickup enable
set session-pickup-connectionless enable
set session-pickup-expectation enable
set session-pickup-nat enable
set hbdev 1-M1 50 1-M2 50
end
As sessions are forwarded by the routers or load balancers to one of the FortiGate-7040Es, the FGSP synchronizes the sessions to the other FortiGate-7040E. You can log into peer_1 and make configuration changes, which are synchronized to peer_2.