
Azure Administration Guide

Configuring FGSP session sync

Configuring FGSP session sync

FortiGate session life support protocol (FGSP) cluster-sync and session-pickup are automatically enabled on FortiGate-VM instances deployed on Azure with autoscaling enabled.

You can achieve the setup in this example by deploying the template available on GitHub.

The following describes the example configuration:

  • The load balancing (LB) rules of both the external load balancer (ELB) and internal load balancer (ILB) have a floating IP address enabled and session persistence set to the client IP address.
  • Outbound rules are configured to the ELB so that PC15 has Internet access.
  • The FortiGate-VMs have firewall virtual IP address rules configured, with the ELB performing destination network address translation (DNAT), so that client access from the Internet to PC15 keeps the original client IP address.
  • Client access from the Internet to PC15 has symmetric flow.
To configure FGSP session sync on FortiGate-VMs on Azure with autoscaling enabled:
  1. In Azure, configure the ELB load balancing rules. Ensure that you configured Session persistence to the client IP address and enabled Floating IP:

  2. Configure the ELB outbound rules:

  3. Configure the ILB rules. Ensure that you configured Session persistence to the client IP address and enabled Floating IP:

  4. Confirm the configuration in the FortiGate A CLI. The following shows an example of possible output:
    v700b0066-FGT-A # diagnose ip address list 
    IP=172.16.136.4->172.16.136.4/255.255.255.192 index=3 devname=port1
    IP=172.16.136.69->172.16.136.69/255.255.255.192 index=4 devname=port2
    IP=127.0.0.1->127.0.0.1/255.0.0.0 index=7 devname=root
    IP=10.255.1.1->10.255.1.1/255.255.255.0 index=11 devname=fortilink
    IP=127.0.0.1->127.0.0.1/255.0.0.0 index=12 devname=vsys_ha
    IP=127.0.0.1->127.0.0.1/255.0.0.0 index=14 devname=vsys_fgfm
    
    v700b0066-FGT-A # 
    v700b0066-FGT-A # show system vdom-exception 
    config system vdom-exception
        edit 10
            set object system.cluster-sync
        next
    end
    
    v700b0066-FGT-A # 
    v700b0066-FGT-A # show system auto-scale 
    config system auto-scale
        set status enable
        set role primary
        set sync-interface "port2"
        set psksecret ENC TJSGPV1J2oxb7+ePiw8Sd42y6fHGYfHm84LeKa2wGTkcMxDfLg94dpuNqB8ID53wke91tNs3lyl0rZ5xc8cU6NGGLTwS7U3pFkkd0vxCMF37fDVLcItPLDXN2EWXTiX5v2s02QpUTkqIWlAv/KedMpRMuKdx6DDWmhWUoLnw99CO3zUWQjtf5FAtxIupcL6yGtSAVw==
    end
    
    v700b0066-FGT-A # 
    v700b0066-FGT-A # show system cluster-sync 
    config system standalone-cluster
        edit 1
            set peerip 172.16.136.70
        next
    end
    
    v700b0066-FGT-A # 
    v700b0066-FGT-A # show system ha
    config system ha
        set session-pickup enable
        set session-pickup-connectionless enable
        set session-pickup-expectation enable
        set session-pickup-nat enable
        set override disable
    end
    
    v700b0066-FGT-A # 
    v700b0066-FGT-A # show firewall vip 172.16.137.15:22 
    config firewall vip
        edit "172.16.137.15:22"
            set uuid a26b50cc-db75-51eb-7dd5-a313054c614a
            set extip 20.150.252.91
            set mappedip "172.16.137.15"
            set extintf "port1"
            set portforward enable
            set extport 65022
            set mappedport 22
        next
    end
    
    v700b0066-FGT-A # 
    v700b0066-FGT-A # show firewall vip 172.16.137.15:80 
    config firewall vip
        edit "172.16.137.15:80"
            set uuid aba58d6a-db75-51eb-118b-b771bfbf59b4
            set extip 20.150.252.91
            set mappedip "172.16.137.15"
            set extintf "port1"
            set portforward enable
            set extport 80
            set mappedport 80
        next
    end
    
    v700b0066-FGT-A # 
    v700b0066-FGT-A # show firewall vip 172.16.137.15:443 
    config firewall vip
        edit "172.16.137.15:443"
            set uuid b0e949d8-db75-51eb-fb60-f5537489a0bc
            set extip 20.150.252.91
            set mappedip "172.16.137.15"
            set extintf "port1"
            set portforward enable
            set extport 443
            set mappedport 443
        next
    end
    
    v700b0066-FGT-A # 
    v700b0066-FGT-A # show firewall policy 
    config firewall policy
        edit 2
            set name "to_VIP"
            set uuid c9ff1fd8-db75-51eb-6b34-e17d224884b9
            set srcintf "port1"
            set dstintf "port2"
            set action accept
            set srcaddr "all"
            set dstaddr "172.16.137.15:22" "172.16.137.15:443" "172.16.137.15:80"
            set schedule "always"
            set service "ALL"
            set utm-status enable
            set ssl-ssh-profile "deep-inspection"
            set av-profile "default"
            set logtraffic all
        next
        edit 3
            set name "to_Internet"
            set uuid d834ffb4-db75-51eb-e370-b6668f0fd24d
            set srcintf "port2"
            set dstintf "port1"
            set action accept
            set srcaddr "all"
            set dstaddr "all"
            set schedule "always"
            set service "ALL"
            set inspection-mode proxy
            set nat enable
        next
    end
    
    v700b0066-FGT-A # 
    v700b0066-FGT-A # show router static 
    config router static
        edit 1
            set gateway 172.16.136.1
            set device "port1"
        next
        edit 2
            set dst 172.16.136.0 255.255.252.0
            set gateway 172.16.136.65
            set device "port2"
        next
        edit 3
            set dst 168.63.129.16 255.255.255.255
            set gateway 172.16.136.65
            set device "port2"
        next
        edit 4
            set dst 168.63.129.16 255.255.255.255
            set gateway 172.16.136.1
            set device "port1"
        next
        edit 137
            set dst 172.16.137.0 255.255.255.0
            set gateway 172.16.136.65
            set device "port2"
        next
    end
    
    v700b0066-FGT-A # 
    v700b0066-FGT-A # get system auto-scale 
    status              : enable 
    role                : primary 
    sync-interface      : port2 
    primary-ip          : 0.0.0.0
    callback-url        : 
    hb-interval         : 10
    psksecret           : * 
    
    v700b0066-FGT-A # 
    v700b0066-FGT-A # diagnose sys ha autoscale-peers 
    Serial#: FGTAZRUPN-GQBR9B
    VMID:    9b09d366-f5e2-490f-acab-3bbf2835bd7b
    Role:    secondary
    IP:      172.16.136.70
    
    
    v700b0066-FGT-A # 
    v700b0066-FGT-A # diagnose sys ha checksum autoscale-cluster 
    
    ================== FGTAZRJ_NNBQZJD0 ==================
    
    is_autoscale_primary()=1
    debugzone
    global: b7 0b d4 ae bd 33 00 2d 81 e5 b4 77 79 06 41 8d 
    root: 21 41 b7 00 7c 7e 66 86 26 99 be 0b 92 88 ed 1e 
    all: 92 7d d2 09 b2 56 a2 86 9a 23 f5 72 d0 90 c3 1e 
    
    checksum
    global: b7 0b d4 ae bd 33 00 2d 81 e5 b4 77 79 06 41 8d 
    root: 21 41 b7 00 7c 7e 66 86 26 99 be 0b 92 88 ed 1e 
    all: 92 7d d2 09 b2 56 a2 86 9a 23 f5 72 d0 90 c3 1e 
    
    ================== FGTAZRUPN-GQBR9B ==================
    
    is_autoscale_primary()=0
    debugzone
    global: b7 0b d4 ae bd 33 00 2d 81 e5 b4 77 79 06 41 8d 
    root: 21 41 b7 00 7c 7e 66 86 26 99 be 0b 92 88 ed 1e 
    all: 92 7d d2 09 b2 56 a2 86 9a 23 f5 72 d0 90 c3 1e 
    
    checksum
    global: b7 0b d4 ae bd 33 00 2d 81 e5 b4 77 79 06 41 8d 
    root: 21 41 b7 00 7c 7e 66 86 26 99 be 0b 92 88 ed 1e 
    all: 92 7d d2 09 b2 56 a2 86 9a 23 f5 72 d0 90 c3 1e 
    
    v700b0066-FGT-A # 
    v700b0066-FGT-A # diagnose sys session sync 
    sync_ctx: sync_started=1, sync_tcp=1, sync_others=1,
    sync_expectation=1, sync_nat=1, stdalone_sesync=1.
    sync: create=115:0, update=505, delete=1:0, query=5
    recv: create=7:0, update=22, delete=0:0, query=0
    ses pkts: send=0, alloc_fail=0, recv=0, recv_err=0 sz_err=0
    udp pkts: send=626, recv=28
    nCfg_sess_sync_num=1, mtu=1500, ipsec_tun_sync=1
    sync_filter:
    	1: vd=-1, szone=0, dzone=0, saddr=0.0.0.0:0.0.0.0, daddr=0.0.0.0:0.0.0.0, sport=0-65535, dport=0:65535
    
  5. Confirm the configuration in the FortiGate B CLI. The following shows an example of possible output:
    v700b0066-FGT-B # diagnose ip address list 
    IP=172.16.136.5->172.16.136.5/255.255.255.192 index=3 devname=port1
    IP=172.16.136.70->172.16.136.70/255.255.255.192 index=4 devname=port2
    IP=127.0.0.1->127.0.0.1/255.0.0.0 index=7 devname=root
    IP=10.255.1.1->10.255.1.1/255.255.255.0 index=11 devname=fortilink
    IP=127.0.0.1->127.0.0.1/255.0.0.0 index=12 devname=vsys_ha
    IP=127.0.0.1->127.0.0.1/255.0.0.0 index=14 devname=vsys_fgfm
    
    v700b0066-FGT-B # 
    v700b0066-FGT-B # show system vdom-exception 
    path=system, objname=vdom-exception, tablename=(null), size=88
    config system vdom-exception
        edit 10
            set object system.cluster-sync
        next
    end
    
    v700b0066-FGT-B # 
    v700b0066-FGT-B # show system auto-scale 
    path=system, objname=auto-scale, tablename=(null), size=184
    config system auto-scale
        set status enable
        set sync-interface "port2"
        set primary-ip 172.16.136.69
        set psksecret ENC eZcoPrBuiWb56WynxSJPLzPnxnD9SrMSRxHpb8uwW/jFi9tFl+66kj9atAtSlTfoWff/12hQJjp0nECYHWd/RrUMN0AavBdDFzZM7u8COFk7MgkPmtW+DMJyIojlDS80VGTebNIUES+svJm1wkL7Km4FdNu3xKeZzEzv2VUoyO1abrdWI50vz0MOOCesK7Xuxq/Kig==
    end
    
    v700b0066-FGT-B # 
    v700b0066-FGT-B # show system cluster-sync 
    path=system, objname=cluster-sync, tablename=(null), size=216
    config system standalone-cluster
        edit 1
            set peerip 172.16.136.70
        next
    end
    
    v700b0066-FGT-B # 
    v700b0066-FGT-B # show system ha
    path=system, objname=ha, tablename=(null), size=5960
    config system ha
        set session-pickup enable
        set session-pickup-connectionless enable
        set session-pickup-expectation enable
        set session-pickup-nat enable
        set override disable
    end
    
    v700b0066-FGT-B # 
    v700b0066-FGT-B # show firewall vip 172.16.137.15:22 
    path=firewall, objname=vip, tablename=172.16.137.15:22, size=840
    config firewall vip
        edit "172.16.137.15:22"
            set uuid a26b50cc-db75-51eb-7dd5-a313054c614a
            set extip 20.150.252.91
            set mappedip "172.16.137.15"
            set extintf "port1"
            set portforward enable
            set extport 65022
            set mappedport 22
        next
    end
    
    v700b0066-FGT-B # 
    v700b0066-FGT-B # show firewall vip 172.16.137.15:80 
    path=firewall, objname=vip, tablename=172.16.137.15:80, size=840
    config firewall vip
        edit "172.16.137.15:80"
            set uuid aba58d6a-db75-51eb-118b-b771bfbf59b4
            set extip 20.150.252.91
            set mappedip "172.16.137.15"
            set extintf "port1"
            set portforward enable
            set extport 80
            set mappedport 80
        next
    end
    
    v700b0066-FGT-B # 
    v700b0066-FGT-B # show firewall vip 172.16.137.15:443 
    path=firewall, objname=vip, tablename=172.16.137.15:443, size=840
    config firewall vip
        edit "172.16.137.15:443"
            set uuid b0e949d8-db75-51eb-fb60-f5537489a0bc
            set extip 20.150.252.91
            set mappedip "172.16.137.15"
            set extintf "port1"
            set portforward enable
            set extport 443
            set mappedport 443
        next
    end
    
    v700b0066-FGT-B # 
    v700b0066-FGT-B # show firewall policy 
    path=firewall, objname=policy, tablename=(null), size=2816
    config firewall policy
        edit 2
            set name "to_VIP"
            set uuid c9ff1fd8-db75-51eb-6b34-e17d224884b9
            set srcintf "port1"
            set dstintf "port2"
            set action accept
            set srcaddr "all"
            set dstaddr "172.16.137.15:22" "172.16.137.15:443" "172.16.137.15:80"
            set schedule "always"
            set service "ALL"
            set utm-status enable
            set ssl-ssh-profile "deep-inspection"
            set av-profile "default"
            set logtraffic all
        next
        edit 3
            set name "to_Internet"
            set uuid d834ffb4-db75-51eb-e370-b6668f0fd24d
            set srcintf "port2"
            set dstintf "port1"
            set action accept
            set srcaddr "all"
            set dstaddr "all"
            set schedule "always"
            set service "ALL"
            set inspection-mode proxy
            set nat enable
        next
    end
    
    v700b0066-FGT-B # 
    v700b0066-FGT-B # show router static 
    path=router, objname=static, tablename=(null), size=296
    config router static
        edit 1
            set gateway 172.16.136.1
            set device "port1"
        next
        edit 2
            set dst 172.16.136.0 255.255.252.0
            set gateway 172.16.136.65
            set device "port2"
        next
        edit 3
            set dst 168.63.129.16 255.255.255.255
            set gateway 172.16.136.65
            set device "port2"
        next
        edit 4
            set dst 168.63.129.16 255.255.255.255
            set gateway 172.16.136.1
            set device "port1"
        next
        edit 137
            set dst 172.16.137.0 255.255.255.0
            set gateway 172.16.136.65
            set device "port2"
        next
    end
    
    v700b0066-FGT-B # 
    v700b0066-FGT-B # get system auto-scale 
    path=system, objname=auto-scale, tablename=(null), size=184
    status              : enable 
    role                : secondary 
    sync-interface      : port2 
    primary-ip          : 172.16.136.69
    callback-url        : 
    hb-interval         : 10
    psksecret           : * 
    
    v700b0066-FGT-B # 
    v700b0066-FGT-B # diagnose sys ha autoscale-peers 
    Serial#: FGTAZRJ_NNBQZJD0
    VMID:    d00cd4bc-2d8f-4fb5-a42f-0297d5e52db7
    Role:    primary
    IP:      172.16.136.69
    
    
    v700b0066-FGT-B # 
    v700b0066-FGT-B # diagnose sys ha checksum autoscale-cluster
    
    ================== FGTAZRUPN-GQBR9B ==================
    
    is_autoscale_primary()=0
    debugzone
    global: b7 0b d4 ae bd 33 00 2d 81 e5 b4 77 79 06 41 8d 
    root: 21 41 b7 00 7c 7e 66 86 26 99 be 0b 92 88 ed 1e 
    all: 92 7d d2 09 b2 56 a2 86 9a 23 f5 72 d0 90 c3 1e 
    
    checksum
    global: b7 0b d4 ae bd 33 00 2d 81 e5 b4 77 79 06 41 8d 
    root: 21 41 b7 00 7c 7e 66 86 26 99 be 0b 92 88 ed 1e 
    all: 92 7d d2 09 b2 56 a2 86 9a 23 f5 72 d0 90 c3 1e 
    
    ================== FGTAZRJ_NNBQZJD0 ==================
    
    is_autoscale_primary()=1
    debugzone
    global: b7 0b d4 ae bd 33 00 2d 81 e5 b4 77 79 06 41 8d 
    root: 21 41 b7 00 7c 7e 66 86 26 99 be 0b 92 88 ed 1e 
    all: 92 7d d2 09 b2 56 a2 86 9a 23 f5 72 d0 90 c3 1e 
    
    checksum
    global: b7 0b d4 ae bd 33 00 2d 81 e5 b4 77 79 06 41 8d 
    root: 21 41 b7 00 7c 7e 66 86 26 99 be 0b 92 88 ed 1e 
    all: 92 7d d2 09 b2 56 a2 86 9a 23 f5 72 d0 90 c3 1e 
    
    v700b0066-FGT-B # 
    v700b0066-FGT-B # diagnose sys session sync 
    sync_ctx: sync_started=1, sync_tcp=1, sync_others=1,
    sync_expectation=1, sync_nat=1, stdalone_sesync=1.
    sync: create=59:0, update=219, delete=0:0, query=6
    recv: create=11:0, update=45, delete=0:0, query=0
    ses pkts: send=0, alloc_fail=0, recv=0, recv_err=0 sz_err=0
    udp pkts: send=284, recv=51
    nCfg_sess_sync_num=1, mtu=1500, ipsec_tun_sync=1
    sync_filter:
    	1: vd=-1, szone=0, dzone=0, saddr=0.0.0.0:0.0.0.0, daddr=0.0.0.0:0.0.0.0, sport=0-65535, dport=0:65535
    
    v700b0066-FGT-B #

When autoscaling is enabled, the configuration syncs from the primary FortiGate to the secondary FortiGate in the virtual machine scale set (VMSS). With FGSP configured, sessions sync to all VMSS members. With the ELB performing DNAT and the firewall VIP policy configured on the FortiGate, original client IP addresses are kept. The following `w` and nginx access log output on PC15 shows the clients' original source IP addresses, not the load balancer's or the FortiGate's address:

fosqa@pc15:~$ w
 16:26:02 up 38 days,  1:29,  3 users,  load average: 0.00, 0.00, 0.00
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
packet   pts/0    13.83.82.124     Wed15   23:45m  0.02s  0.00s tail -f /var/lo
fosqa    pts/1    207.102.138.19   Wed15    2.00s  0.03s  0.00s w
fosqa    pts/3    13.66.229.197    Wed15   23:45m  0.02s  0.00s tail -f /var/lo
fosqa@pc15:~$ 
fosqa@pc15:~$ tail /var/log/nginx/access.log 
165.22.97.76 - - [12/Aug/2021:15:55:11 -0700] "GET /stalker_portal/c/version.js HTTP/1.1" 444 0 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36"
165.22.97.76 - - [12/Aug/2021:15:55:11 -0700] "GET /stream/live.php HTTP/1.1" 444 0 "-" "Roku/DVP-9.10 (289.10E04111A)"
165.22.97.76 - - [12/Aug/2021:15:55:12 -0700] "GET /flu/403.html HTTP/1.1" 444 0 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36"
117.193.32.121 - - [12/Aug/2021:15:56:15 -0700] "GET / HTTP/1.1" 444 0 "-" "-"
88.2.174.20 - - [12/Aug/2021:16:04:30 -0700] "GET / HTTP/1.1" 200 443 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_6) AppleWebKit/601.7.7 (KHTML, like Gecko) Version/9.1.2 Safari/601.7.7"
45.79.155.112 - - [12/Aug/2021:16:13:23 -0700] "GET / HTTP/1.1" 200 299 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:8.0) Gecko/20100101 Firefox/8.0"
117.223.219.238 - - [12/Aug/2021:16:14:14 -0700] "GET / HTTP/1.1" 444 0 "-" "-"
59.95.127.92 - - [12/Aug/2021:16:16:03 -0700] "GET / HTTP/1.1" 444 0 "-" "-"
103.197.205.191 - - [12/Aug/2021:16:16:28 -0700] "GET / HTTP/1.1" 444 0 "-" "-"
128.199.23.44 - - [12/Aug/2021:16:21:03 -0700] "GET / HTTP/1.1" 200 299 "-" "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.78 Safari/537.36 OPR/47.0.2631.39"
fosqa@pc15:~$ 

For example, when multiple users connect to PC15 via SSH from the Internet, the DNAT sessions sync between the FortiGates:

v700b0066-FGT-A # 
v700b0066-FGT-A # diagnose sys session filter clear

v700b0066-FGT-A # 
v700b0066-FGT-A # diagnose sys session filter proto 6

v700b0066-FGT-A # 
v700b0066-FGT-A # diagnose sys session filter dport 65022

v700b0066-FGT-A # 
v700b0066-FGT-A # diagnose sys session clear

v700b0066-FGT-A # 
v700b0066-FGT-A # diagnose sys session list
total session 0

v700b0066-FGT-A # 
v700b0066-FGT-A # 
v700b0066-FGT-A # diagnose sys session list

session info: proto=6 proto_state=11 duration=9 expire=3595 timeout=3600 flags=00000000 socktype=0 sockport=0 av_idx=0 use=4
origin-shaper=
reply-shaper=
per_ip_shaper=
class_id=0 ha_id=0 policy_dir=0 tunnel=/ vlan_cos=0/255
state=log may_dirty synced f00 
statistic(bytes/packets/allow_err): org=4305/22/1 reply=4533/19/1 tuples=3
tx speed(Bps/kbps): 436/3 rx speed(Bps/kbps): 459/3
orgin->sink: org pre->post, reply pre->post dev=3->4/4->3 gwy=172.16.136.65/172.16.136.1
hook=pre dir=org act=dnat 207.102.138.19:57402->20.150.252.91:65022(172.16.137.15:22)
hook=post dir=reply act=snat 172.16.137.15:22->207.102.138.19:57402(20.150.252.91:65022)
hook=post dir=org act=noop 207.102.138.19:57402->172.16.137.15:22(0.0.0.0:0)
pos/(before,after) 0/(0,0), 0/(0,0)
misc=0 policy_id=2 auth_info=0 chk_client_info=0 vd=0
serial=00001fd4 tos=ff/ff app_list=0 app=0 url_cat=0
sdwan_mbr_seq=0 sdwan_service_id=0
rpdb_link_id=00000000 rpdb_svc_id=0 ngfwid=n/a
npu_state=0x001008

session info: proto=6 proto_state=11 duration=10 expire=3589 timeout=3600 flags=00000000 socktype=0 sockport=0 av_idx=0 use=4
origin-shaper=
reply-shaper=
per_ip_shaper=
class_id=0 ha_id=0 policy_dir=0 tunnel=/ vlan_cos=0/255
state=log may_dirty ndr f00 syn_ses 
statistic(bytes/packets/allow_err): org=0/0/0 reply=0/0/0 tuples=3
tx speed(Bps/kbps): 0/0 rx speed(Bps/kbps): 0/0
orgin->sink: org pre->post, reply pre->post dev=3->4/4->3 gwy=0.0.0.0/0.0.0.0
hook=pre dir=org act=dnat 13.83.82.124:55212->20.150.252.91:65022(172.16.137.15:22)
hook=post dir=reply act=snat 172.16.137.15:22->13.83.82.124:55212(20.150.252.91:65022)
hook=post dir=org act=noop 13.83.82.124:55212->172.16.137.15:22(0.0.0.0:0)
pos/(before,after) 0/(0,0), 0/(0,0)
misc=0 policy_id=2 auth_info=0 chk_client_info=0 vd=0
serial=00000591 tos=ff/ff app_list=0 app=0 url_cat=0
sdwan_mbr_seq=0 sdwan_service_id=0
rpdb_link_id=00000000 rpdb_svc_id=0 ngfwid=n/a
npu_state=0x001000
total session 2

v700b0066-FGT-A # 
v700b0066-FGT-A # 
v700b0066-FGT-A # diagnose sys session sync
sync_ctx: sync_started=1, sync_tcp=1, sync_others=1,
sync_expectation=1, sync_nat=1, stdalone_sesync=1.
sync: create=213:0, update=899, delete=2:0, query=11
recv: create=32:0, update=119, delete=1:0, query=1
ses pkts: send=0, alloc_fail=0, recv=0, recv_err=0 sz_err=0
udp pkts: send=1125, recv=152
nCfg_sess_sync_num=1, mtu=1500, ipsec_tun_sync=1
sync_filter:
	1: vd=-1, szone=0, dzone=0, saddr=0.0.0.0:0.0.0.0, daddr=0.0.0.0:0.0.0.0, sport=0-65535, dport=0:65535

v700b0066-FGT-A # 
v700b0066-FGT-B # 
v700b0066-FGT-B # diagnose sys session filter clear

v700b0066-FGT-B # 
v700b0066-FGT-B # diagnose sys session filter proto 6

v700b0066-FGT-B # 
v700b0066-FGT-B # diagnose sys session filter dport 65022

v700b0066-FGT-B # 
v700b0066-FGT-B # diagnose sys session clear

v700b0066-FGT-B # 
v700b0066-FGT-B # diagnose sys session list
total session 0

v700b0066-FGT-B # 
v700b0066-FGT-B # diagnose sys session list

session info: proto=6 proto_state=11 duration=12 expire=3587 timeout=3600 flags=00000000 socktype=0 sockport=0 av_idx=0 use=4
origin-shaper=
reply-shaper=
per_ip_shaper=
class_id=0 ha_id=0 policy_dir=0 tunnel=/ vlan_cos=0/255
state=log may_dirty ndr f00 syn_ses 
statistic(bytes/packets/allow_err): org=0/0/0 reply=0/0/0 tuples=3
tx speed(Bps/kbps): 0/0 rx speed(Bps/kbps): 0/0
orgin->sink: org pre->post, reply pre->post dev=3->4/4->3 gwy=0.0.0.0/0.0.0.0
hook=pre dir=org act=dnat 207.102.138.19:57402->20.150.252.91:65022(172.16.137.15:22)
hook=post dir=reply act=snat 172.16.137.15:22->207.102.138.19:57402(20.150.252.91:65022)
hook=post dir=org act=noop 207.102.138.19:57402->172.16.137.15:22(0.0.0.0:0)
pos/(before,after) 0/(0,0), 0/(0,0)
misc=0 policy_id=2 auth_info=0 chk_client_info=0 vd=0
serial=00001fd4 tos=ff/ff app_list=0 app=0 url_cat=0
sdwan_mbr_seq=0 sdwan_service_id=0
rpdb_link_id=00000000 rpdb_svc_id=0 ngfwid=n/a
npu_state=0x001000

session info: proto=6 proto_state=11 duration=13 expire=3598 timeout=3600 flags=00000000 socktype=0 sockport=0 av_idx=0 use=4
origin-shaper=
reply-shaper=
per_ip_shaper=
class_id=0 ha_id=0 policy_dir=0 tunnel=/ vlan_cos=0/255
state=log may_dirty synced f00 
statistic(bytes/packets/allow_err): org=3861/27/1 reply=3965/21/1 tuples=3
tx speed(Bps/kbps): 277/2 rx speed(Bps/kbps): 284/2
orgin->sink: org pre->post, reply pre->post dev=3->4/4->3 gwy=172.16.136.65/172.16.136.1
hook=pre dir=org act=dnat 13.83.82.124:55212->20.150.252.91:65022(172.16.137.15:22)
hook=post dir=reply act=snat 172.16.137.15:22->13.83.82.124:55212(20.150.252.91:65022)
hook=post dir=org act=noop 13.83.82.124:55212->172.16.137.15:22(0.0.0.0:0)
pos/(before,after) 0/(0,0), 0/(0,0)
misc=0 policy_id=2 auth_info=0 chk_client_info=0 vd=0
serial=00000591 tos=ff/ff app_list=0 app=0 url_cat=0
sdwan_mbr_seq=0 sdwan_service_id=0
rpdb_link_id=00000000 rpdb_svc_id=0 ngfwid=n/a
npu_state=0x001008
total session 2

v700b0066-FGT-B # 
v700b0066-FGT-B # diagnose sys session sync
sync_ctx: sync_started=1, sync_tcp=1, sync_others=1,
sync_expectation=1, sync_nat=1, stdalone_sesync=1.
sync: create=23:0, update=89, delete=1:0, query=1
recv: create=43:0, update=146, delete=0:0, query=3
ses pkts: send=0, alloc_fail=0, recv=0, recv_err=0 sz_err=0
udp pkts: send=114, recv=187
nCfg_sess_sync_num=1, mtu=1500, ipsec_tun_sync=1
sync_filter:
	1: vd=-1, szone=0, dzone=0, saddr=0.0.0.0:0.0.0.0, daddr=0.0.0.0:0.0.0.0, sport=0-65535, dport=0:65535

v700b0066-FGT-B # 

Configuring FGSP session sync

Configuring FGSP session sync

FortiGate session life support protocol (FGSP) cluster-sync and session-pickup are automatically enabled on FortiGate-VM instances deployed on Azure with autoscaling enabled.

You can achieve the setup in this example by deploying the template available on GitHub.

The following describes the example configuration:

  • The load balancing (LB) rules of both the external load balancer (ELB) and internal load balancer (ILB) have a floating IP address enabled and session persistence set to the client IP address.
  • Outbound rules are configured to the ELB so that PC15 has Internet access.
  • The FortiGate-VMs have firewall virtual IP address rules configured, with the ELB performing destination network address translation (DNAT), so that client access from the Internet to PC15 keeps the original client IP address.
  • Client access from the Internet to PC15 has symmetric flow.
To configure FGSP session sync on FortiGate-VMs on Azure with autoscaling enabled:
  1. In Azure, configure the ELB load balancing rules. Ensure that you configured Session persistence to the client IP address and enabled Floating IP:

  2. Configure the ELB outbound rules:

  3. Configure the ILB rules. Ensure that you configured Session persistence to the client IP address and enabled Floating IP:

  4. Confirm the configuration in the FortiGate A CLI. The following shows an example of possible output:
    v700b0066-FGT-A # diagnose ip address list 
    IP=172.16.136.4->172.16.136.4/255.255.255.192 index=3 devname=port1
    IP=172.16.136.69->172.16.136.69/255.255.255.192 index=4 devname=port2
    IP=127.0.0.1->127.0.0.1/255.0.0.0 index=7 devname=root
    IP=10.255.1.1->10.255.1.1/255.255.255.0 index=11 devname=fortilink
    IP=127.0.0.1->127.0.0.1/255.0.0.0 index=12 devname=vsys_ha
    IP=127.0.0.1->127.0.0.1/255.0.0.0 index=14 devname=vsys_fgfm
    
    v700b0066-FGT-A # 
    v700b0066-FGT-A # show system vdom-exception 
    config system vdom-exception
        edit 10
            set object system.cluster-sync
        next
    end
    
    v700b0066-FGT-A # 
    v700b0066-FGT-A # show system auto-scale 
    config system auto-scale
        set status enable
        set role primary
        set sync-interface "port2"
        set psksecret ENC TJSGPV1J2oxb7+ePiw8Sd42y6fHGYfHm84LeKa2wGTkcMxDfLg94dpuNqB8ID53wke91tNs3lyl0rZ5xc8cU6NGGLTwS7U3pFkkd0vxCMF37fDVLcItPLDXN2EWXTiX5v2s02QpUTkqIWlAv/KedMpRMuKdx6DDWmhWUoLnw99CO3zUWQjtf5FAtxIupcL6yGtSAVw==
    end
    
    v700b0066-FGT-A # 
    v700b0066-FGT-A # show system cluster-sync 
    config system standalone-cluster
        edit 1
            set peerip 172.16.136.70
        next
    end
    
    v700b0066-FGT-A # 
    v700b0066-FGT-A # show system ha
    config system ha
        set session-pickup enable
        set session-pickup-connectionless enable
        set session-pickup-expectation enable
        set session-pickup-nat enable
        set override disable
    end
    
    v700b0066-FGT-A # 
    v700b0066-FGT-A # show firewall vip 172.16.137.15:22 
    config firewall vip
        edit "172.16.137.15:22"
            set uuid a26b50cc-db75-51eb-7dd5-a313054c614a
            set extip 20.150.252.91
            set mappedip "172.16.137.15"
            set extintf "port1"
            set portforward enable
            set extport 65022
            set mappedport 22
        next
    end
    
    v700b0066-FGT-A # 
    v700b0066-FGT-A # show firewall vip 172.16.137.15:80 
    config firewall vip
        edit "172.16.137.15:80"
            set uuid aba58d6a-db75-51eb-118b-b771bfbf59b4
            set extip 20.150.252.91
            set mappedip "172.16.137.15"
            set extintf "port1"
            set portforward enable
            set extport 80
            set mappedport 80
        next
    end
    
    v700b0066-FGT-A # 
    v700b0066-FGT-A # show firewall vip 172.16.137.15:443 
    config firewall vip
        edit "172.16.137.15:443"
            set uuid b0e949d8-db75-51eb-fb60-f5537489a0bc
            set extip 20.150.252.91
            set mappedip "172.16.137.15"
            set extintf "port1"
            set portforward enable
            set extport 443
            set mappedport 443
        next
    end
    
    v700b0066-FGT-A # 
    v700b0066-FGT-A # show firewall policy 
    config firewall policy
        edit 2
            set name "to_VIP"
            set uuid c9ff1fd8-db75-51eb-6b34-e17d224884b9
            set srcintf "port1"
            set dstintf "port2"
            set action accept
            set srcaddr "all"
            set dstaddr "172.16.137.15:22" "172.16.137.15:443" "172.16.137.15:80"
            set schedule "always"
            set service "ALL"
            set utm-status enable
            set ssl-ssh-profile "deep-inspection"
            set av-profile "default"
            set logtraffic all
        next
        edit 3
            set name "to_Internet"
            set uuid d834ffb4-db75-51eb-e370-b6668f0fd24d
            set srcintf "port2"
            set dstintf "port1"
            set action accept
            set srcaddr "all"
            set dstaddr "all"
            set schedule "always"
            set service "ALL"
            set inspection-mode proxy
            set nat enable
        next
    end
    
    v700b0066-FGT-A # 
    v700b0066-FGT-A # show router static 
    config router static
        edit 1
            set gateway 172.16.136.1
            set device "port1"
        next
        edit 2
            set dst 172.16.136.0 255.255.252.0
            set gateway 172.16.136.65
            set device "port2"
        next
        edit 3
            set dst 168.63.129.16 255.255.255.255
            set gateway 172.16.136.65
            set device "port2"
        next
        edit 4
            set dst 168.63.129.16 255.255.255.255
            set gateway 172.16.136.1
            set device "port1"
        next
        edit 137
            set dst 172.16.137.0 255.255.255.0
            set gateway 172.16.136.65
            set device "port2"
        next
    end
    
    v700b0066-FGT-A # 
    v700b0066-FGT-A # get system auto-scale 
    status              : enable 
    role                : primary 
    sync-interface      : port2 
    primary-ip          : 0.0.0.0
    callback-url        : 
    hb-interval         : 10
    psksecret           : * 
    
    v700b0066-FGT-A # 
    v700b0066-FGT-A # diagnose sys ha autoscale-peers 
    Serial#: FGTAZRUPN-GQBR9B
    VMID:    9b09d366-f5e2-490f-acab-3bbf2835bd7b
    Role:    secondary
    IP:      172.16.136.70
    
    
    v700b0066-FGT-A # 
    v700b0066-FGT-A # diagnose sys ha checksum autoscale-cluster 
    
    ================== FGTAZRJ_NNBQZJD0 ==================
    
    is_autoscale_primary()=1
    debugzone
    global: b7 0b d4 ae bd 33 00 2d 81 e5 b4 77 79 06 41 8d 
    root: 21 41 b7 00 7c 7e 66 86 26 99 be 0b 92 88 ed 1e 
    all: 92 7d d2 09 b2 56 a2 86 9a 23 f5 72 d0 90 c3 1e 
    
    checksum
    global: b7 0b d4 ae bd 33 00 2d 81 e5 b4 77 79 06 41 8d 
    root: 21 41 b7 00 7c 7e 66 86 26 99 be 0b 92 88 ed 1e 
    all: 92 7d d2 09 b2 56 a2 86 9a 23 f5 72 d0 90 c3 1e 
    
    ================== FGTAZRUPN-GQBR9B ==================
    
    is_autoscale_primary()=0
    debugzone
    global: b7 0b d4 ae bd 33 00 2d 81 e5 b4 77 79 06 41 8d 
    root: 21 41 b7 00 7c 7e 66 86 26 99 be 0b 92 88 ed 1e 
    all: 92 7d d2 09 b2 56 a2 86 9a 23 f5 72 d0 90 c3 1e 
    
    checksum
    global: b7 0b d4 ae bd 33 00 2d 81 e5 b4 77 79 06 41 8d 
    root: 21 41 b7 00 7c 7e 66 86 26 99 be 0b 92 88 ed 1e 
    all: 92 7d d2 09 b2 56 a2 86 9a 23 f5 72 d0 90 c3 1e 
    
    v700b0066-FGT-A # 
    v700b0066-FGT-A # diagnose sys session sync 
    sync_ctx: sync_started=1, sync_tcp=1, sync_others=1,
    sync_expectation=1, sync_nat=1, stdalone_sesync=1.
    sync: create=115:0, update=505, delete=1:0, query=5
    recv: create=7:0, update=22, delete=0:0, query=0
    ses pkts: send=0, alloc_fail=0, recv=0, recv_err=0 sz_err=0
    udp pkts: send=626, recv=28
    nCfg_sess_sync_num=1, mtu=1500, ipsec_tun_sync=1
    sync_filter:
    	1: vd=-1, szone=0, dzone=0, saddr=0.0.0.0:0.0.0.0, daddr=0.0.0.0:0.0.0.0, sport=0-65535, dport=0:65535
    
  5. Confirm the configuration in the FortiGate B CLI. The following shows an example of possible output:
    v700b0066-FGT-B # diagnose ip address list 
    IP=172.16.136.5->172.16.136.5/255.255.255.192 index=3 devname=port1
    IP=172.16.136.70->172.16.136.70/255.255.255.192 index=4 devname=port2
    IP=127.0.0.1->127.0.0.1/255.0.0.0 index=7 devname=root
    IP=10.255.1.1->10.255.1.1/255.255.255.0 index=11 devname=fortilink
    IP=127.0.0.1->127.0.0.1/255.0.0.0 index=12 devname=vsys_ha
    IP=127.0.0.1->127.0.0.1/255.0.0.0 index=14 devname=vsys_fgfm
    
    v700b0066-FGT-B # 
    v700b0066-FGT-B # show system vdom-exception 
    path=system, objname=vdom-exception, tablename=(null), size=88
    config system vdom-exception
        edit 10
            set object system.cluster-sync
        next
    end
    
    v700b0066-FGT-B # 
    v700b0066-FGT-B # show system auto-scale 
    path=system, objname=auto-scale, tablename=(null), size=184
    config system auto-scale
        set status enable
        set sync-interface "port2"
        set primary-ip 172.16.136.69
        set psksecret ENC eZcoPrBuiWb56WynxSJPLzPnxnD9SrMSRxHpb8uwW/jFi9tFl+66kj9atAtSlTfoWff/12hQJjp0nECYHWd/RrUMN0AavBdDFzZM7u8COFk7MgkPmtW+DMJyIojlDS80VGTebNIUES+svJm1wkL7Km4FdNu3xKeZzEzv2VUoyO1abrdWI50vz0MOOCesK7Xuxq/Kig==
    end
    
    v700b0066-FGT-B # 
    v700b0066-FGT-B # show system cluster-sync 
    path=system, objname=cluster-sync, tablename=(null), size=216
    config system standalone-cluster
        edit 1
            set peerip 172.16.136.70
        next
    end
    
    v700b0066-FGT-B # 
    v700b0066-FGT-B # show system ha
    path=system, objname=ha, tablename=(null), size=5960
    config system ha
        set session-pickup enable
        set session-pickup-connectionless enable
        set session-pickup-expectation enable
        set session-pickup-nat enable
        set override disable
    end
    
    v700b0066-FGT-B # 
    v700b0066-FGT-B # show firewall vip 172.16.137.15:22 
    path=firewall, objname=vip, tablename=172.16.137.15:22, size=840
    config firewall vip
        edit "172.16.137.15:22"
            set uuid a26b50cc-db75-51eb-7dd5-a313054c614a
            set extip 20.150.252.91
            set mappedip "172.16.137.15"
            set extintf "port1"
            set portforward enable
            set extport 65022
            set mappedport 22
        next
    end
    
    v700b0066-FGT-B # 
    v700b0066-FGT-B # show firewall vip 172.16.137.15:80 
    path=firewall, objname=vip, tablename=172.16.137.15:80, size=840
    config firewall vip
        edit "172.16.137.15:80"
            set uuid aba58d6a-db75-51eb-118b-b771bfbf59b4
            set extip 20.150.252.91
            set mappedip "172.16.137.15"
            set extintf "port1"
            set portforward enable
            set extport 80
            set mappedport 80
        next
    end
    
    v700b0066-FGT-B # 
    v700b0066-FGT-B # show firewall vip 172.16.137.15:443 
    path=firewall, objname=vip, tablename=172.16.137.15:443, size=840
    config firewall vip
        edit "172.16.137.15:443"
            set uuid b0e949d8-db75-51eb-fb60-f5537489a0bc
            set extip 20.150.252.91
            set mappedip "172.16.137.15"
            set extintf "port1"
            set portforward enable
            set extport 443
            set mappedport 443
        next
    end
    
    v700b0066-FGT-B # 
    v700b0066-FGT-B # show firewall policy 
    path=firewall, objname=policy, tablename=(null), size=2816
    config firewall policy
        edit 2
            set name "to_VIP"
            set uuid c9ff1fd8-db75-51eb-6b34-e17d224884b9
            set srcintf "port1"
            set dstintf "port2"
            set action accept
            set srcaddr "all"
            set dstaddr "172.16.137.15:22" "172.16.137.15:443" "172.16.137.15:80"
            set schedule "always"
            set service "ALL"
            set utm-status enable
            set ssl-ssh-profile "deep-inspection"
            set av-profile "default"
            set logtraffic all
        next
        edit 3
            set name "to_Internet"
            set uuid d834ffb4-db75-51eb-e370-b6668f0fd24d
            set srcintf "port2"
            set dstintf "port1"
            set action accept
            set srcaddr "all"
            set dstaddr "all"
            set schedule "always"
            set service "ALL"
            set inspection-mode proxy
            set nat enable
        next
    end
    
    v700b0066-FGT-B # 
    v700b0066-FGT-B # show router static 
    path=router, objname=static, tablename=(null), size=296
    config router static
        edit 1
            set gateway 172.16.136.1
            set device "port1"
        next
        edit 2
            set dst 172.16.136.0 255.255.252.0
            set gateway 172.16.136.65
            set device "port2"
        next
        edit 3
            set dst 168.63.129.16 255.255.255.255
            set gateway 172.16.136.65
            set device "port2"
        next
        edit 4
            set dst 168.63.129.16 255.255.255.255
            set gateway 172.16.136.1
            set device "port1"
        next
        edit 137
            set dst 172.16.137.0 255.255.255.0
            set gateway 172.16.136.65
            set device "port2"
        next
    end
    
    v700b0066-FGT-B # 
    v700b0066-FGT-B # get system auto-scale 
    path=system, objname=auto-scale, tablename=(null), size=184
    status              : enable 
    role                : secondary 
    sync-interface      : port2 
    primary-ip          : 172.16.136.69
    callback-url        : 
    hb-interval         : 10
    psksecret           : * 
    
    v700b0066-FGT-B # 
    v700b0066-FGT-B # diagnose sys ha autoscale-peers 
    Serial#: FGTAZRJ_NNBQZJD0
    VMID:    d00cd4bc-2d8f-4fb5-a42f-0297d5e52db7
    Role:    primary
    IP:      172.16.136.69
    
    
    v700b0066-FGT-B # 
    v700b0066-FGT-B # diagnose sys ha checksum autoscale-cluster
    
    ================== FGTAZRUPN-GQBR9B ==================
    
    is_autoscale_primary()=0
    debugzone
    global: b7 0b d4 ae bd 33 00 2d 81 e5 b4 77 79 06 41 8d 
    root: 21 41 b7 00 7c 7e 66 86 26 99 be 0b 92 88 ed 1e 
    all: 92 7d d2 09 b2 56 a2 86 9a 23 f5 72 d0 90 c3 1e 
    
    checksum
    global: b7 0b d4 ae bd 33 00 2d 81 e5 b4 77 79 06 41 8d 
    root: 21 41 b7 00 7c 7e 66 86 26 99 be 0b 92 88 ed 1e 
    all: 92 7d d2 09 b2 56 a2 86 9a 23 f5 72 d0 90 c3 1e 
    
    ================== FGTAZRJ_NNBQZJD0 ==================
    
    is_autoscale_primary()=1
    debugzone
    global: b7 0b d4 ae bd 33 00 2d 81 e5 b4 77 79 06 41 8d 
    root: 21 41 b7 00 7c 7e 66 86 26 99 be 0b 92 88 ed 1e 
    all: 92 7d d2 09 b2 56 a2 86 9a 23 f5 72 d0 90 c3 1e 
    
    checksum
    global: b7 0b d4 ae bd 33 00 2d 81 e5 b4 77 79 06 41 8d 
    root: 21 41 b7 00 7c 7e 66 86 26 99 be 0b 92 88 ed 1e 
    all: 92 7d d2 09 b2 56 a2 86 9a 23 f5 72 d0 90 c3 1e 
    
    v700b0066-FGT-B # 
    v700b0066-FGT-B # diagnose sys session sync 
    sync_ctx: sync_started=1, sync_tcp=1, sync_others=1,
    sync_expectation=1, sync_nat=1, stdalone_sesync=1.
    sync: create=59:0, update=219, delete=0:0, query=6
    recv: create=11:0, update=45, delete=0:0, query=0
    ses pkts: send=0, alloc_fail=0, recv=0, recv_err=0 sz_err=0
    udp pkts: send=284, recv=51
    nCfg_sess_sync_num=1, mtu=1500, ipsec_tun_sync=1
    sync_filter:
    	1: vd=-1, szone=0, dzone=0, saddr=0.0.0.0:0.0.0.0, daddr=0.0.0.0:0.0.0.0, sport=0-65535, dport=0:65535
    
    v700b0066-FGT-B #

When autoscaling is enabled, the configuration syncs from the primary FortiGate to the secondary FortiGate in the virtual machine scale set (VMSS). With FGSP configured, sessions sync to all VMSS members. With the ELB performing DNAT and the firewall VIP policy configured on the FortiGate, the original client IP addresses are preserved.

fosqa@pc15:~$ w
 16:26:02 up 38 days,  1:29,  3 users,  load average: 0.00, 0.00, 0.00
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
packet   pts/0    13.83.82.124     Wed15   23:45m  0.02s  0.00s tail -f /var/lo
fosqa    pts/1    207.102.138.19   Wed15    2.00s  0.03s  0.00s w
fosqa    pts/3    13.66.229.197    Wed15   23:45m  0.02s  0.00s tail -f /var/lo
fosqa@pc15:~$ 
fosqa@pc15:~$ tail /var/log/nginx/access.log 
165.22.97.76 - - [12/Aug/2021:15:55:11 -0700] "GET /stalker_portal/c/version.js HTTP/1.1" 444 0 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36"
165.22.97.76 - - [12/Aug/2021:15:55:11 -0700] "GET /stream/live.php HTTP/1.1" 444 0 "-" "Roku/DVP-9.10 (289.10E04111A)"
165.22.97.76 - - [12/Aug/2021:15:55:12 -0700] "GET /flu/403.html HTTP/1.1" 444 0 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36"
117.193.32.121 - - [12/Aug/2021:15:56:15 -0700] "GET / HTTP/1.1" 444 0 "-" "-"
88.2.174.20 - - [12/Aug/2021:16:04:30 -0700] "GET / HTTP/1.1" 200 443 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_6) AppleWebKit/601.7.7 (KHTML, like Gecko) Version/9.1.2 Safari/601.7.7"
45.79.155.112 - - [12/Aug/2021:16:13:23 -0700] "GET / HTTP/1.1" 200 299 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:8.0) Gecko/20100101 Firefox/8.0"
117.223.219.238 - - [12/Aug/2021:16:14:14 -0700] "GET / HTTP/1.1" 444 0 "-" "-"
59.95.127.92 - - [12/Aug/2021:16:16:03 -0700] "GET / HTTP/1.1" 444 0 "-" "-"
103.197.205.191 - - [12/Aug/2021:16:16:28 -0700] "GET / HTTP/1.1" 444 0 "-" "-"
128.199.23.44 - - [12/Aug/2021:16:21:03 -0700] "GET / HTTP/1.1" 200 299 "-" "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.78 Safari/537.36 OPR/47.0.2631.39"
fosqa@pc15:~$ 

For example, when multiple users connect to PC15 via SSH from the Internet, the DNAT sessions sync between the FortiGates:

v700b0066-FGT-A # 
v700b0066-FGT-A # diagnose sys session filter clear

v700b0066-FGT-A # 
v700b0066-FGT-A # diagnose sys session filter proto 6

v700b0066-FGT-A # 
v700b0066-FGT-A # diagnose sys session filter dport 65022

v700b0066-FGT-A # 
v700b0066-FGT-A # diagnose sys session clear

v700b0066-FGT-A # 
v700b0066-FGT-A # diagnose sys session list
total session 0

v700b0066-FGT-A # 
v700b0066-FGT-A # 
v700b0066-FGT-A # diagnose sys session list

session info: proto=6 proto_state=11 duration=9 expire=3595 timeout=3600 flags=00000000 socktype=0 sockport=0 av_idx=0 use=4
origin-shaper=
reply-shaper=
per_ip_shaper=
class_id=0 ha_id=0 policy_dir=0 tunnel=/ vlan_cos=0/255
state=log may_dirty synced f00 
statistic(bytes/packets/allow_err): org=4305/22/1 reply=4533/19/1 tuples=3
tx speed(Bps/kbps): 436/3 rx speed(Bps/kbps): 459/3
orgin->sink: org pre->post, reply pre->post dev=3->4/4->3 gwy=172.16.136.65/172.16.136.1
hook=pre dir=org act=dnat 207.102.138.19:57402->20.150.252.91:65022(172.16.137.15:22)
hook=post dir=reply act=snat 172.16.137.15:22->207.102.138.19:57402(20.150.252.91:65022)
hook=post dir=org act=noop 207.102.138.19:57402->172.16.137.15:22(0.0.0.0:0)
pos/(before,after) 0/(0,0), 0/(0,0)
misc=0 policy_id=2 auth_info=0 chk_client_info=0 vd=0
serial=00001fd4 tos=ff/ff app_list=0 app=0 url_cat=0
sdwan_mbr_seq=0 sdwan_service_id=0
rpdb_link_id=00000000 rpdb_svc_id=0 ngfwid=n/a
npu_state=0x001008

session info: proto=6 proto_state=11 duration=10 expire=3589 timeout=3600 flags=00000000 socktype=0 sockport=0 av_idx=0 use=4
origin-shaper=
reply-shaper=
per_ip_shaper=
class_id=0 ha_id=0 policy_dir=0 tunnel=/ vlan_cos=0/255
state=log may_dirty ndr f00 syn_ses 
statistic(bytes/packets/allow_err): org=0/0/0 reply=0/0/0 tuples=3
tx speed(Bps/kbps): 0/0 rx speed(Bps/kbps): 0/0
orgin->sink: org pre->post, reply pre->post dev=3->4/4->3 gwy=0.0.0.0/0.0.0.0
hook=pre dir=org act=dnat 13.83.82.124:55212->20.150.252.91:65022(172.16.137.15:22)
hook=post dir=reply act=snat 172.16.137.15:22->13.83.82.124:55212(20.150.252.91:65022)
hook=post dir=org act=noop 13.83.82.124:55212->172.16.137.15:22(0.0.0.0:0)
pos/(before,after) 0/(0,0), 0/(0,0)
misc=0 policy_id=2 auth_info=0 chk_client_info=0 vd=0
serial=00000591 tos=ff/ff app_list=0 app=0 url_cat=0
sdwan_mbr_seq=0 sdwan_service_id=0
rpdb_link_id=00000000 rpdb_svc_id=0 ngfwid=n/a
npu_state=0x001000
total session 2

v700b0066-FGT-A # 
v700b0066-FGT-A # 
v700b0066-FGT-A # diagnose sys session sync
sync_ctx: sync_started=1, sync_tcp=1, sync_others=1,
sync_expectation=1, sync_nat=1, stdalone_sesync=1.
sync: create=213:0, update=899, delete=2:0, query=11
recv: create=32:0, update=119, delete=1:0, query=1
ses pkts: send=0, alloc_fail=0, recv=0, recv_err=0 sz_err=0
udp pkts: send=1125, recv=152
nCfg_sess_sync_num=1, mtu=1500, ipsec_tun_sync=1
sync_filter:
	1: vd=-1, szone=0, dzone=0, saddr=0.0.0.0:0.0.0.0, daddr=0.0.0.0:0.0.0.0, sport=0-65535, dport=0:65535

v700b0066-FGT-A # 
v700b0066-FGT-B # 
v700b0066-FGT-B # diagnose sys session filter clear

v700b0066-FGT-B # 
v700b0066-FGT-B # diagnose sys session filter proto 6

v700b0066-FGT-B # 
v700b0066-FGT-B # diagnose sys session filter dport 65022

v700b0066-FGT-B # 
v700b0066-FGT-B # diagnose sys session clear

v700b0066-FGT-B # 
v700b0066-FGT-B # diagnose sys session list
total session 0

v700b0066-FGT-B # 
v700b0066-FGT-B # diagnose sys session list

session info: proto=6 proto_state=11 duration=12 expire=3587 timeout=3600 flags=00000000 socktype=0 sockport=0 av_idx=0 use=4
origin-shaper=
reply-shaper=
per_ip_shaper=
class_id=0 ha_id=0 policy_dir=0 tunnel=/ vlan_cos=0/255
state=log may_dirty ndr f00 syn_ses 
statistic(bytes/packets/allow_err): org=0/0/0 reply=0/0/0 tuples=3
tx speed(Bps/kbps): 0/0 rx speed(Bps/kbps): 0/0
orgin->sink: org pre->post, reply pre->post dev=3->4/4->3 gwy=0.0.0.0/0.0.0.0
hook=pre dir=org act=dnat 207.102.138.19:57402->20.150.252.91:65022(172.16.137.15:22)
hook=post dir=reply act=snat 172.16.137.15:22->207.102.138.19:57402(20.150.252.91:65022)
hook=post dir=org act=noop 207.102.138.19:57402->172.16.137.15:22(0.0.0.0:0)
pos/(before,after) 0/(0,0), 0/(0,0)
misc=0 policy_id=2 auth_info=0 chk_client_info=0 vd=0
serial=00001fd4 tos=ff/ff app_list=0 app=0 url_cat=0
sdwan_mbr_seq=0 sdwan_service_id=0
rpdb_link_id=00000000 rpdb_svc_id=0 ngfwid=n/a
npu_state=0x001000

session info: proto=6 proto_state=11 duration=13 expire=3598 timeout=3600 flags=00000000 socktype=0 sockport=0 av_idx=0 use=4
origin-shaper=
reply-shaper=
per_ip_shaper=
class_id=0 ha_id=0 policy_dir=0 tunnel=/ vlan_cos=0/255
state=log may_dirty synced f00 
statistic(bytes/packets/allow_err): org=3861/27/1 reply=3965/21/1 tuples=3
tx speed(Bps/kbps): 277/2 rx speed(Bps/kbps): 284/2
orgin->sink: org pre->post, reply pre->post dev=3->4/4->3 gwy=172.16.136.65/172.16.136.1
hook=pre dir=org act=dnat 13.83.82.124:55212->20.150.252.91:65022(172.16.137.15:22)
hook=post dir=reply act=snat 172.16.137.15:22->13.83.82.124:55212(20.150.252.91:65022)
hook=post dir=org act=noop 13.83.82.124:55212->172.16.137.15:22(0.0.0.0:0)
pos/(before,after) 0/(0,0), 0/(0,0)
misc=0 policy_id=2 auth_info=0 chk_client_info=0 vd=0
serial=00000591 tos=ff/ff app_list=0 app=0 url_cat=0
sdwan_mbr_seq=0 sdwan_service_id=0
rpdb_link_id=00000000 rpdb_svc_id=0 ngfwid=n/a
npu_state=0x001008
total session 2

v700b0066-FGT-B # 
v700b0066-FGT-B # diagnose sys session sync
sync_ctx: sync_started=1, sync_tcp=1, sync_others=1,
sync_expectation=1, sync_nat=1, stdalone_sesync=1.
sync: create=23:0, update=89, delete=1:0, query=1
recv: create=43:0, update=146, delete=0:0, query=3
ses pkts: send=0, alloc_fail=0, recv=0, recv_err=0 sz_err=0
udp pkts: send=114, recv=187
nCfg_sess_sync_num=1, mtu=1500, ipsec_tun_sync=1
sync_filter:
	1: vd=-1, szone=0, dzone=0, saddr=0.0.0.0:0.0.0.0, daddr=0.0.0.0:0.0.0.0, sport=0-65535, dport=0:65535

v700b0066-FGT-B #