Layer 3 unicast standalone configuration synchronization
Unicast standalone configuration synchronization is supported on layer 3, allowing peers to be synchronized in cloud environments that do not support layer 2 networking. Configuring a unicast gateway allows peers to be in different subnets.
Example
In this example, two FortiGates in different subnets are connected through a unicast gateway. Both cluster members use the same port for the heartbeat interface.
To configure unicast synchronization between peers:
-
Configure FortiGate A:
config system ha set group-name "testcs" set hbdev "port3" 50 set standalone-config-sync enable set unicast-status enable config unicast-peers edit 1 set peer-ip 10.1.100.72 next end set override enable set priority 200 set unicast-gateway 172.16.200.74 end
-
Configure FortiGate B:
config system ha set group-name "testcs" set hbdev "port3" 50 set standalone-config-sync enable set unicast-status enable config unicast-peers edit 1 set peer-ip 172.16.200.71 next end set override enable set priority 100 set unicast-gateway 10.1.100.74 end
-
Check the HA status on FortiGate A:
# get system ha status HA Health Status: OK Model: FortiGate-VM64 Mode: ConfigSync Group Name: testcs Group ID: 0 Debug: 0 Cluster Uptime: 2 days 3:40:25 Cluster state change time: 2021-03-08 12:00:38 Primary selected using: <2021/03/08 12:00:38> FGVMSLTM00000001 is selected as the primary because its override priority is larger than peer member FGVMSLTM00000002. <2021/03/06 11:50:35> FGVMSLTM00000001 is selected as the primary because it's the only member in the cluster. ses_pickup: disable override: enable Configuration Status: FGVMSLTM21000151(updated 5 seconds ago): in-sync FGVMSLTM21000152(updated 5 seconds ago): in-sync System Usage stats: FGVMSLTM21000151(updated 5 seconds ago): sessions=7, average-cpu-user/nice/system/idle=0%/0%/0%/100%, memory=24% FGVMSLTM21000152(updated 5 seconds ago): sessions=5, average-cpu-user/nice/system/idle=0%/0%/0%/100%, memory=23% HBDEV stats: FGVMSLTM21000151(updated 5 seconds ago): port3: physical/1000auto, up, rx-bytes/packets/dropped/errors=466060007/1049137/0/0, tx=429538329/953028/0/0 FGVMSLTM21000152(updated 5 seconds ago): port3: physical/1000auto, up, rx-bytes/packets/dropped/errors=48805199/85441/0/0, tx=33470286/81425/0/0 Primary : FGT-71 , FGVMSLTM00000001, HA cluster index = 1 Secondary : FGT-72 , FGVMSLTM00000002, HA cluster index = 0 number of vcluster: 1 vcluster 1: work 0.0.0.0 Primary: FGVMSLTM00000001, HA operating index = 0 Secondary: FGVMSLTM00000002, HA operating index = 1
-
Check the HA checksums on FortiGate A:
# diagnose sys ha checksum cluster ================== FGVMSLTM00000001 ================== is_manage_primary()=1, is_root_primary()=1 debugzone global: 4f 2c a2 04 07 57 46 c4 47 28 ca d2 5a c5 98 ee root: 16 af 5d a4 ac cf a5 4b b7 22 93 ce f9 02 68 bc all: 6e 28 7f 8a 74 f7 37 43 8f 32 73 68 1e d6 ca cd checksum global: 4f 2c a2 04 07 57 46 c4 47 28 ca d2 5a c5 98 ee root: 16 af 5d a4 ac cf a5 4b b7 22 93 ce f9 02 68 bc all: 6e 28 7f 8a 74 f7 37 43 8f 32 73 68 1e d6 ca cd ================== FGVMSLTM00000002 ================== is_manage_primary()=0, is_root_primary()=1 debugzone global: 4f 2c a2 04 07 57 46 c4 47 28 ca d2 5a c5 98 ee root: 16 af 5d a4 ac cf a5 4b b7 22 93 ce f9 02 68 bc all: 6e 28 7f 8a 74 f7 37 43 8f 32 73 68 1e d6 ca cd checksum global: 4f 2c a2 04 07 57 46 c4 47 28 ca d2 5a c5 98 ee root: 16 af 5d a4 ac cf a5 4b b7 22 93 ce f9 02 68 bc all: 6e 28 7f 8a 74 f7 37 43 8f 32 73 68 1e d6 ca cd
-
Verify that configuration changes on the primary FortiGate are synchronized to the secondary FortiGate:
-
Adjust the administrator timeout value on FortiGate A:
config system global set admintimeout 100 end
-
Check the debug messages on FortiGate B:
# diagnose debug cli 7 Debug messages will be on for 30 minutes. # diagnose debug enable create pid=15639, clictxno=0, last=1615246288 0: conf sys global 0: set admintimeout 100 0: end
-