7.4.0

FGSP with IPS inspection

With the FortiGate Session Life Support Protocol (FGSP), each FortiGate receives traffic by means of an external balancing method. The balancing can be L2 with LACP or L3 with ECMP/VRRP. Sessions are synchronized between members. With IPS policies, traffic is forwarded to the session owner by L2 or L3 for inspection. The peer that receives the first packet of a session becomes the session owner. When the session owner synchronizes the session with its peers, the session owner's member ID is added to the session information, so the other peers learn the session owner's member ID. If a peer receives any packet that is part of this session, it forwards the packet to the correct member. This eliminates any asymmetry in the traffic, and each session is completely inspected by one FortiGate.
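The following added example is a toy Python model of the session-owner behavior described above; it is not FortiOS code or Fortinet's implementation. It assumes session synchronization is instantaneous, and the class names, 5-tuple, marker string, and packets are all constructed for illustration. It shows why forwarding to the owner matters for IPS: a pattern split across two packets that arrive on different members is only visible to a member that sees the whole stream.

```python
# Added illustration: a toy model of FGSP session ownership, not FortiOS code.
from dataclasses import dataclass, field

@dataclass
class Member:
    member_id: int
    owners: dict = field(default_factory=dict)   # session -> owner member ID (synced)
    streams: dict = field(default_factory=dict)  # session -> bytes this member inspected

class Cluster:
    def __init__(self, member_ids, forward_to_owner=True):
        self.members = {m: Member(m) for m in member_ids}
        self.forward_to_owner = forward_to_owner

    def receive(self, ingress_id, session, payload):
        """Deliver one packet to the member the external balancer picked.
        Returns the ID of the member that actually inspects it."""
        ingress = self.members[ingress_id]
        if session not in ingress.owners:
            # First packet: the ingress member becomes the owner and syncs
            # its member ID to every peer (assumed instantaneous here).
            for m in self.members.values():
                m.owners[session] = ingress_id
        owner = self.members[ingress.owners[session]]
        inspector = owner if self.forward_to_owner else ingress
        inspector.streams[session] = inspector.streams.get(session, b"") + payload
        return inspector.member_id

    def detections(self, session, signature):
        """Member IDs whose inspected stream contains the signature."""
        return [m.member_id for m in self.members.values()
                if signature in m.streams.get(session, b"")]

SESSION = ("10.0.0.5", 40000, "192.0.2.10", 80, "tcp")  # constructed 5-tuple
SIGNATURE = b"EXAMPLE-SIGNATURE"                         # constructed marker
# Constructed packets: (member chosen by the balancer, payload).
# The marker spans both packets, which arrive on different members.
PACKETS = [(1, b"GET /?q=EXAMPLE-"), (2, b"SIGNATURE HTTP/1.1\r\n")]

def run(forward_to_owner):
    cluster = Cluster([1, 2], forward_to_owner)
    path = [cluster.receive(m, SESSION, p) for m, p in PACKETS]
    return path, cluster.detections(SESSION, SIGNATURE)

if __name__ == "__main__":
    print("owner forwarding:", run(True))   # member 1 inspects both packets
    print("no forwarding:   ", run(False))  # stream split, nothing matches
```
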

When there are multiple redundant sites, FGSP is preferred over FGCP. Traffic to each site may be routed by an L3 router or load balancer to the active site. Sessions are synchronized over a dedicated link. If traffic disruption is detected in one site, traffic can immediately switch to the backup site. If additional redundancy is needed, you can deploy FGCP clusters on each site and operate them in an FGCP over FGSP manner. You can apply IPS inline on the FortiGate protecting each site.

See High Availability.
