Optimizing FGSP session synchronization and redundancy
By using session-sync-dev to offload session synchronization processing to the kernel, FGSP session synchronization can handle heavy loads.
Topology
In this topology, there are three FGSP peer groups for each FortiGate, and sessions are synchronized between each FortiGate and its peer groups. Redundancy is achieved by using two dedicated session sync device links for each peer setup, so each FortiGate configures a total of six peer IPs: one for each of its three peers on each of the two session synchronization device links. When one link fails, session synchronization is not affected.
For optimization, sync-packet-balance is enabled to distribute synchronization packet processing across multiple CPUs. The session synchronization process is offloaded to the kernel, and sessions are synchronized at layer 2 over the directly connected interfaces (set session-sync-dev "port5" "port6"). A jumbo frame MTU of 9216 is configured on each session synchronization device link to reduce the number of packets; setting the MTU to 9216 is entirely optional.
To configure FGT_A:
- Configure HA:
    config system ha
        set sync-packet-balance enable
        set session-pickup enable
        set session-pickup-connectionless enable
        set session-pickup-expectation enable
        set session-pickup-nat enable
    end
- Configure the layer 2 session synchronization links:
    config system standalone-cluster
        set session-sync-dev "port5" "port6"
    end
- Configure the session TTL default timeout:
    config system session-ttl
        set default 300
    end
- Configure the interfaces:
    config system interface
        edit port5
            set ip 10.1.1.1/24
            set mtu-override enable
            set mtu 9216
        next
        edit port6
            set ip 10.2.2.1/24
            set mtu-override enable
            set mtu 9216
        next
    end
- Configure FGSP session synchronization:
    config system standalone-cluster
        config cluster-peer
            edit 1
                set peerip 10.1.1.2
            next
            edit 2
                set peerip 10.2.2.2
            next
            edit 3
                set peerip 10.1.1.3
            next
            edit 4
                set peerip 10.2.2.3
            next
            edit 5
                set peerip 10.1.1.4
            next
            edit 6
                set peerip 10.2.2.4
            next
        end
    end
To configure FGT_B:
- Configure HA:
    config system ha
        set sync-packet-balance enable
        set session-pickup enable
        set session-pickup-connectionless enable
        set session-pickup-expectation enable
        set session-pickup-nat enable
    end
- Configure the layer 2 session synchronization links:
    config system standalone-cluster
        set session-sync-dev "port5" "port6"
    end
- Configure the session TTL default timeout:
    config system session-ttl
        set default 300
    end
- Configure the interfaces:
    config system interface
        edit port5
            set ip 10.1.1.2/24
            set mtu-override enable
            set mtu 9216
        next
        edit port6
            set ip 10.2.2.2/24
            set mtu-override enable
            set mtu 9216
        next
    end
- Configure FGSP session synchronization:
    config system standalone-cluster
        config cluster-peer
            edit 1
                set peerip 10.1.1.1
            next
            edit 2
                set peerip 10.2.2.1
            next
            edit 3
                set peerip 10.1.1.3
            next
            edit 4
                set peerip 10.2.2.3
            next
            edit 5
                set peerip 10.1.1.4
            next
            edit 6
                set peerip 10.2.2.4
            next
        end
    end
To configure FGT_C:
- Configure HA:
    config system ha
        set sync-packet-balance enable
        set session-pickup enable
        set session-pickup-connectionless enable
        set session-pickup-expectation enable
        set session-pickup-nat enable
    end
- Configure the layer 2 session synchronization links:
    config system standalone-cluster
        set session-sync-dev "port5" "port6"
    end
- Configure the session TTL default timeout:
    config system session-ttl
        set default 300
    end
- Configure the interfaces:
    config system interface
        edit port5
            set ip 10.1.1.3/24
            set mtu-override enable
            set mtu 9216
        next
        edit port6
            set ip 10.2.2.3/24
            set mtu-override enable
            set mtu 9216
        next
    end
- Configure FGSP session synchronization:
    config system standalone-cluster
        config cluster-peer
            edit 1
                set peerip 10.1.1.1
            next
            edit 2
                set peerip 10.2.2.1
            next
            edit 3
                set peerip 10.1.1.2
            next
            edit 4
                set peerip 10.2.2.2
            next
            edit 5
                set peerip 10.1.1.4
            next
            edit 6
                set peerip 10.2.2.4
            next
        end
    end
To configure FGT_D:
- Configure HA:
    config system ha
        set sync-packet-balance enable
        set session-pickup enable
        set session-pickup-connectionless enable
        set session-pickup-expectation enable
        set session-pickup-nat enable
    end
- Configure the layer 2 session synchronization links:
    config system standalone-cluster
        set session-sync-dev "port5" "port6"
    end
- Configure the session TTL default timeout:
    config system session-ttl
        set default 300
    end
- Configure the interfaces:
    config system interface
        edit port5
            set ip 10.1.1.4/24
            set mtu-override enable
            set mtu 9216
        next
        edit port6
            set ip 10.2.2.4/24
            set mtu-override enable
            set mtu 9216
        next
    end
- Configure FGSP session synchronization:
    config system standalone-cluster
        config cluster-peer
            edit 1
                set peerip 10.1.1.1
            next
            edit 2
                set peerip 10.2.2.1
            next
            edit 3
                set peerip 10.1.1.2
            next
            edit 4
                set peerip 10.2.2.2
            next
            edit 5
                set peerip 10.1.1.3
            next
            edit 6
                set peerip 10.2.2.3
            next
        end
    end
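The four cluster-peer tables above are easy to get out of step by hand: a single wrong peerip on one unit silently leaves a pair of FortiGates without a synchronization path on one link, and nothing in the CLI flags it. The following Python script is an added example, not Fortinet's code or a Fortinet tool. It builds each unit's cluster-peer table from one description of the topology, extracts peerip values from a CLI block (including the run-together one-line form seen on this page), and cross-checks the tables actually configured against that topology, reporting any missing peer, any address no unit owns, and any address assigned twice. The TOPOLOGY table uses the device names and addresses from the steps above; the script's function names are assumptions.

```python
"""Generate and cross-check FGSP cluster-peer tables for a full mesh.

Added example, not Fortinet's code. It assumes the topology on this page:
four FortiGates with two dedicated session-sync links each, port5 on
10.1.1.0/24 and port6 on 10.2.2.0/24. The TOPOLOGY table is constructed
from the addresses shown in the configuration steps above.
"""
import re

# Constructed topology: device -> {sync link: address on that link}
TOPOLOGY = {
    "FGT_A": {"port5": "10.1.1.1", "port6": "10.2.2.1"},
    "FGT_B": {"port5": "10.1.1.2", "port6": "10.2.2.2"},
    "FGT_C": {"port5": "10.1.1.3", "port6": "10.2.2.3"},
    "FGT_D": {"port5": "10.1.1.4", "port6": "10.2.2.4"},
}

# The cluster-peer block for FGT_B as it appears on this page (run together on one line)
FGT_B_PAGE_CLI = (
    "config system standalone-cluster config cluster-peer edit 1 set peerip 10.1.1.1 "
    "next edit 2 set peerip 10.2.2.1 next edit 3 set peerip 10.1.1.3 next edit 4 "
    "set peerip 10.2.2.3 next edit 5 set peerip 10.1.1.4 next edit 6 set peerip "
    "10.2.2.4 next end end"
)

PEERIP_RE = re.compile(r"set peerip (\d{1,3}(?:\.\d{1,3}){3})")


def peer_ips(device, topology=TOPOLOGY):
    """Peer addresses 'device' must configure: for every other FortiGate,
    one entry per sync link, links in the order they are declared."""
    links = list(topology[device])
    return [addrs[link]
            for other, addrs in topology.items() if other != device
            for link in links]


def cluster_peer_config(device, topology=TOPOLOGY):
    """Render the cluster-peer table for 'device' as indented FortiOS CLI text."""
    lines = ["config system standalone-cluster", "    config cluster-peer"]
    for idx, ip in enumerate(peer_ips(device, topology), start=1):
        lines += [f"        edit {idx}", f"            set peerip {ip}", "        next"]
    lines += ["    end", "end"]
    return "\n".join(lines)


def parse_peer_ips(cli_text):
    """Extract peerip values from a cluster-peer block, in the order they
    appear; works on both the indented form and the run-together form."""
    return PEERIP_RE.findall(cli_text)


def check_mesh(configured, topology=TOPOLOGY):
    """Cross-check the peer tables actually configured (device -> list of
    peerip values, e.g. parsed from each unit's running config) against the
    topology. Returns a sorted list of problems; an empty list means every
    unit lists every other unit on both links and nothing else."""
    problems = []
    owner = {}  # address -> "device/link"; also exposes duplicate addresses
    for dev, addrs in topology.items():
        for link, ip in addrs.items():
            if ip in owner:
                problems.append(f"{ip} assigned to both {owner[ip]} and {dev}/{link}")
            owner[ip] = f"{dev}/{link}"
    for dev in topology:
        if dev not in configured:
            problems.append(f"{dev}: no cluster-peer table supplied")
            continue
        have, want = set(configured[dev]), set(peer_ips(dev, topology))
        for ip in want - have:
            problems.append(f"{dev}: missing peer {ip} ({owner[ip]})")
        for ip in have - want:
            problems.append(f"{dev}: unexpected peer {ip} ({owner.get(ip, 'not in topology')})")
    return sorted(problems)


if __name__ == "__main__":
    print(cluster_peer_config("FGT_A"))
    tables = {dev: peer_ips(dev) for dev in TOPOLOGY}
    tables["FGT_B"] = parse_peer_ips(FGT_B_PAGE_CLI)  # take one unit's table from the page text
    print("problems:", check_mesh(tables) or "none")
```

In practice the input to check_mesh would be the peerip values pulled from each unit's running configuration (for example the output of show system standalone-cluster), so the check can be rerun after every change to confirm that all four units still form a complete mesh on both links.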