FortiGate-7000 Handbook

FortiGate-7000 FGSP HA

FortiGate-7000 supports the FortiGate Session Life Support Protocol (FGSP) (also called standalone session sync) HA to synchronize sessions among up to four FortiGate-7000s. All of the FortiGate-7000s in the FGSP cluster must be the same model and running the same firmware. All of the devices in an FGSP cluster must have their own network configuration (interface IPs, routing, and so on). FGSP synchronizes individual VDOM sessions. All of the devices in an FGSP cluster must include the VDOMs to be synchronized and for each device the VDOMs must have the same firewall configuration.

For details about FGSP for FortiOS 6.0, see: FortiOS 6.0 Handbook: FGSP.

FortiGate-7000 FGSP support has the following limitations:

  • Configuration synchronization is currently not supported; you must configure all of the devices in the FGSP cluster separately, or use FortiManager to keep key parts of the configuration, such as security policies, synchronized across the devices in the FGSP cluster.
  • FortiGate-7000 FGSP can use the 1-M1, 1-M2, 2-M1, and 2-M2 interfaces for session synchronization. Using multiple interfaces is recommended for redundancy. To use these interfaces for FGSP, you must give them IP addresses and optionally set up routing for them. Ideally, the session synchronization interfaces of each device in the FGSP cluster are on the same network, and that network is used only for session synchronization traffic. However, you can configure routing to send session synchronization traffic between networks. NAT between session synchronization interfaces is not supported.
  • Multiple VDOMs can be synchronized over the same session synchronization interface. You can also distribute synchronization traffic to multiple interfaces.
  • FortiGate-7000 FGSP doesn't support setting up IPv6 session filters using the config session-sync-filter option.
  • FGSP doesn't synchronize ICMP sessions when ICMP load balancing is set to to-master. If you want to synchronize ICMP sessions, set ICMP load balancing to either src-ip, dst-ip, or src-dst-ip. See ICMP load balancing for more information.
  • Asymmetric IPv6 SCTP traffic sessions are not supported. These sessions are dropped.
  • Inter-cluster session synchronization, or FGSP between FGCP clusters, is not supported.
  • FGSP IPsec tunnel synchronization is not supported.
  • Fragmented packet synchronization is not supported.

FGSP session synchronization options

FortiGate-7000 FGSP supports the following HA session synchronization options:

config system ha
    set session-pickup {disable | enable}
    set session-pickup-connectionless {disable | enable}
    set session-pickup-expectation {disable | enable}
    set session-pickup-nat {disable | enable}
    set session-pickup-delay {disable | enable}
end

Some notes:

  • The session-pickup-expectation and session-pickup-nat options only apply to FGSP HA. FGCP HA synchronizes NAT sessions when you enable session-pickup.
  • The session-pickup-delay option applies to TCP sessions only and does not apply to connectionless and SCTP sessions.
  • The session-pickup-delay option should not be used in FGSP topologies where the traffic can take an asymmetric path (forward and reverse traffic going through different FortiGates).

Enabling session synchronization

Enable session-pickup to synchronize sessions between the FortiGate-7000s in an FGSP cluster. Turning on session synchronization for TCP and SCTP sessions by enabling session-pickup also turns on session synchronization for connectionless protocol sessions, such as ICMP and UDP, by enabling session-pickup-connectionless. If you don't want to synchronize connectionless sessions, you can manually disable session-pickup-connectionless.

Synchronizing expectation sessions

Enable session-pickup-expectation to synchronize expectation sessions. FortiOS session helpers keep track of the communication of Layer-7 protocols such as FTP and SIP that have control sessions and expectation sessions. Usually the control sessions establish the link between server and client and negotiate the ports and protocols that will be used for data communications. The session helpers then create expectation sessions through the FortiGate for the ports and protocols negotiated by the control session.

The expectation sessions are usually the sessions that actually carry data. For FTP, the expectation sessions transmit the files being uploaded or downloaded. For SIP, the expectation sessions transmit voice and video data. Expectation sessions usually have a timeout value of 30 seconds. If the server does not initiate communication within 30 seconds, the expectation session times out and the traffic is denied.

Synchronizing NAT sessions

Enable session-pickup-nat to synchronize NAT sessions in an FGSP cluster.

Synchronizing TCP sessions older than 30 seconds

Enable session-pickup-delay to synchronize TCP sessions only if they remain active for more than 30 seconds. This option improves performance when session-pickup is enabled by reducing the number of sessions that are synchronized. This option does not affect SCTP or connectionless sessions.

Example FortiGate-7000 FGSP configuration

This example shows how to configure an FGSP cluster to synchronize sessions between two FortiGate-7040Es for two VDOMs: VDOM-1 and VDOM-2. The example uses the 1-M1 interface for VDOM-1 session synchronization and the 1-M2 interface for VDOM-2 session synchronization. The 1-M1 interfaces are connected to the 172.25.177.0/24 network and the 1-M2 interfaces are connected to the 172.25.178.0/24 network.

Because configuration synchronization is not supported for FGSP, you must set up both FortiGate-7040Es with the same configuration, including the VDOMs to be synchronized, and these VDOMs must have the same firewall policies. The two FortiGate-7040Es must have their own IP addresses and their own networking configuration. In addition, you can give the FortiGate-7040Es different host names to make them easier to identify.

Example FortiGate-7000 FGSP configuration

  1. Configure the routers or load balancers to send all sessions to peer_1.

  2. Configure the routers or load balancers to send all traffic to peer_2 if peer_1 fails.

  3. Give each FortiGate-7040E a different host name (in this case peer_1 and peer_2).

  4. Configure network settings for each FortiGate-7040E to allow them to connect to their networks and route traffic.

  5. Add VDOM-1 and VDOM-2 to each FortiGate-7040E.

  6. Configure VDOM-1 on each FortiGate-7040E with the same firewall policies.

  7. Configure VDOM-2 on each FortiGate-7040E with the same firewall policies.

  8. Configure the 1-M1 and 1-M2 interfaces of the peer_1 FortiGate-7040E with IP addresses on the 172.25.177.0/24 and 172.25.178.0/24 networks:

    config system interface
        edit 1-M1
            set ip 172.25.177.30 255.255.255.0
        next
        edit 1-M2
            set ip 172.25.178.35 255.255.255.0
        next
    end

  9. Configure the 1-M1 and 1-M2 interfaces of the peer_2 FortiGate-7040E with IP addresses on the 172.25.177.0/24 and 172.25.178.0/24 networks:

    config system interface
        edit 1-M1
            set ip 172.25.177.40 255.255.255.0
        next
        edit 1-M2
            set ip 172.25.178.45 255.255.255.0
        next
    end

  10. On the peer_1 FortiGate-7040E, configure session synchronization for VDOM-1 and VDOM-2.

    config system cluster-sync
        edit 1
            set peervd mgmt-vdom
            set peerip 172.25.177.40
            set syncvd VDOM-1
        next
        edit 2
            set peervd mgmt-vdom
            set peerip 172.25.178.45
            set syncvd VDOM-2
        next
    end

    For VDOM-1, peervd will always be mgmt-vdom, the peerip is the IP address of the 1-M1 interface of the peer_2 FortiGate-7040E, and syncvd is VDOM-1.

    For VDOM-2, peervd will always be mgmt-vdom, the peerip is the IP address of the 1-M2 interface of the peer_2 FortiGate-7040E, and syncvd is VDOM-2.

  11. On the peer_2 FortiGate-7040E, configure session synchronization for VDOM-1 and VDOM-2.

    config system cluster-sync
        edit 1
            set peervd mgmt-vdom
            set peerip 172.25.177.30
            set syncvd VDOM-1
        next
        edit 2
            set peervd mgmt-vdom
            set peerip 172.25.178.35
            set syncvd VDOM-2
        next
    end

    For VDOM-1, peervd will always be mgmt-vdom, the peerip is the IP address of the 1-M1 interface of the peer_1 FortiGate-7040E, and syncvd is VDOM-1.

    For VDOM-2, peervd will always be mgmt-vdom, the peerip is the IP address of the 1-M2 interface of the peer_1 FortiGate-7040E, and syncvd is VDOM-2.
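Because FGSP does not synchronize configuration, the two cluster-sync configurations are maintained by hand and can drift. The following added example (not from the handbook or from FortiOS) parses the cluster-sync CLI of both peers from the procedure above and checks that each peerip is really a sync interface on the other device, that a local sync interface shares its subnet (otherwise routing is needed, and NAT is unsupported), that peervd is mgmt-vdom, and that the peer's entry for the same VDOM points back. The CLI text and interface addresses are constructed from this page's example.

```python
import ipaddress

# Constructed input (not device output): the cluster-sync entries from this page's example.
PEER1_SYNC = """config system cluster-sync
edit 1
set peervd mgmt-vdom
set peerip 172.25.177.40
set syncvd VDOM-1
next
edit 2
set peervd mgmt-vdom
set peerip 172.25.178.45
set syncvd VDOM-2
end"""
PEER1_IFS = {"1-M1": "172.25.177.30/24", "1-M2": "172.25.178.35/24"}
# peer_2 is the mirror image: the same entries, with peerips pointing back at peer_1.
PEER2_SYNC = PEER1_SYNC.replace(".177.40", ".177.30").replace(".178.45", ".178.35")
PEER2_IFS = {"1-M1": "172.25.177.40/24", "1-M2": "172.25.178.45/24"}

def parse_cluster_sync(cli):
    """Parse 'config system cluster-sync' CLI text into {syncvd: {key: value}}."""
    entries, cur = {}, None
    for tok in (line.split() for line in cli.splitlines()):
        if tok[:1] == ["edit"]:
            cur = {}
        elif tok[:1] == ["set"] and cur is not None:
            cur[tok[1]] = tok[2]
            if tok[1] == "syncvd":
                entries[tok[2]] = cur
    return entries

def check_fgsp_pair(local_sync, local_ifs, remote_sync, remote_ifs):
    """Return problems in the local -> remote direction; run it once per direction."""
    local = [ipaddress.ip_interface(a) for a in local_ifs.values()]
    remote_ips = {ipaddress.ip_interface(a).ip for a in remote_ifs.values()}
    remote = parse_cluster_sync(remote_sync)
    problems = []
    for vd, e in parse_cluster_sync(local_sync).items():
        peer = ipaddress.ip_address(e["peerip"])
        if e.get("peervd") != "mgmt-vdom":
            problems.append(f"{vd}: peervd must be mgmt-vdom")
        if peer not in remote_ips:
            problems.append(f"{vd}: peerip {peer} is not a sync interface on the peer")
        # The handbook recommends a dedicated shared subnet; anything else needs routing, never NAT.
        if not any(peer in i.network for i in local):
            problems.append(f"{vd}: no local sync interface on {peer}'s subnet (routing required)")
        back = remote.get(vd)
        if back is None or ipaddress.ip_address(back["peerip"]) not in {i.ip for i in local}:
            problems.append(f"{vd}: peer has no cluster-sync entry for this VDOM pointing back here")
    return problems
```

An empty list from both directions means the pair is consistent; a typo in one peerip shows up on both sides, as a bad peer address on the device that has it and as a missing return path on the other.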
