Handbook 6.0.0

Asymmetric sessions

By default, asymmetric sessions are not synchronized. Session synchronization is normally symmetric because firewall inspection is stateful: every packet of a given session, including the return packets, must be processed by the same FortiGate.

However, if you have an asymmetric routing configuration, you can enter the following command to synchronize asymmetric sessions. The FortiGate then dynamically detects asymmetric sessions and disables anti-replay checking for them. Because that check is relaxed for those sessions, enable this only where routing really is asymmetric:

config system ha
    set session-pickup enable
    set session-pickup-expectation enable
end

The FGSP enforces firewall policies for asymmetric traffic, including cases where the TCP 3-way handshake is split between two FortiGates. For example, FGT-A receives the TCP-SYN, FGT-B receives the TCP-SYN-ACK, and FGT-A receives the TCP-ACK. Under normal conditions a single firewall drops this connection, because it never saw the complete 3-way handshake. Two FortiGates with FGSP configured pass the traffic, because the session state is synchronized between them.

This asymmetric function also works for connectionless UDP and ICMP traffic. If traffic will be highly asymmetric, as described above, the following command must be enabled on both peers:

config system ha
    set session-pickup enable
    set session-pickup-connectionless enable
end

Synchronizing asymmetric traffic is very useful where multiple internet connections from different ISPs are spread across multiple FortiGates. Since it is typically not possible to guarantee that internet-bound traffic leaving via one ISP will return via the same ISP, the FGSP provides the critical firewall functions in this situation.

Caution: An asymmetric session may fail to synchronize if the reply packet reaches the peer before the session synchronization packet does; the peer then sees a packet with no matching session. This race is most likely in low-latency networks.
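The following is an added, constructed model (not FortiOS code) of the two situations described above: the split handshake, where FGT-A sees the SYN and ACK while FGT-B sees the SYN-ACK, and the low-latency race, where the SYN-ACK reaches the peer before the synchronization message. Firewall names, the simplified TCP state machine, the packet timings and the sync delay are all assumptions; the model only reproduces the pass/drop behaviour the text describes.

```python
"""Constructed model of FGSP session synchronization between two stateful
firewalls (added example, not FortiOS code). It reproduces the split TCP
handshake from the text (SYN on FGT-A, SYN-ACK on FGT-B, ACK on FGT-A) and
the low-latency race where the reply reaches the peer before the sync packet."""
import heapq
from dataclasses import dataclass
from itertools import count


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    flags: str  # "SYN", "SYN-ACK" or "ACK" (assumed, simplified TCP flags)


# Assumed simplified TCP state machine: (flag seen, current state) -> new state.
TRANSITIONS = {
    ("SYN", None): "SYN_SEEN",
    ("SYN", "SYN_SEEN"): "SYN_SEEN",          # retransmitted SYN
    ("SYN-ACK", "SYN_SEEN"): "SYNACK_SEEN",
    ("ACK", "SYNACK_SEEN"): "ESTABLISHED",
}


def session_key(pkt):
    """Direction-independent key so the reply maps onto the originator's session."""
    return tuple(sorted((pkt.src, pkt.dst)))


class Firewall:
    """Stateful firewall: a packet passes only if it opens a session or fits
    the current state of an existing one. Anything else is dropped."""

    def __init__(self, name):
        self.name = name
        self.sessions = {}  # session_key -> state

    def install(self, key, state):
        """Apply a session update received from the FGSP peer."""
        self.sessions[key] = state

    def handle(self, pkt):
        key = session_key(pkt)
        state = self.sessions.get(key)
        if state == "ESTABLISHED":
            new_state = state  # data on an established session
        else:
            new_state = TRANSITIONS.get((pkt.flags, state))
        if new_state is None:
            return "DROP", None
        self.sessions[key] = new_state
        return "ACCEPT", new_state


def simulate(events, sync_enabled, sync_delay_ms):
    """Run timed packet arrivals (time_ms, firewall, Packet) through two
    peers. Accepted session changes are sent to the other peer and take
    effect sync_delay_ms later, which is what makes the race possible.
    Returns [(firewall, flags, verdict), ...] in arrival order."""
    fws = {"FGT-A": Firewall("FGT-A"), "FGT-B": Firewall("FGT-B")}
    peer = {"FGT-A": "FGT-B", "FGT-B": "FGT-A"}
    seq = count()  # tie-breaker so heapq never compares payloads
    queue = [(t, next(seq), "packet", name, pkt) for t, name, pkt in events]
    heapq.heapify(queue)
    verdicts = []
    while queue:
        t, _, kind, name, payload = heapq.heappop(queue)
        if kind == "sync":
            fws[name].install(*payload)
            continue
        verdict, new_state = fws[name].handle(payload)
        verdicts.append((name, payload.flags, verdict))
        if verdict == "ACCEPT" and sync_enabled:
            update = (session_key(payload), new_state)
            heapq.heappush(queue, (t + sync_delay_ms, next(seq), "sync", peer[name], update))
    return verdicts


# Constructed traffic: the asymmetric handshake from the text, 10 ms apart.
SPLIT_HANDSHAKE = [
    (0, "FGT-A", Packet("client", "server", "SYN")),
    (10, "FGT-B", Packet("server", "client", "SYN-ACK")),
    (20, "FGT-A", Packet("client", "server", "ACK")),
]
# Constructed low-latency case: the SYN-ACK reaches FGT-B after only 3 ms.
FAST_REPLY = [
    (0, "FGT-A", Packet("client", "server", "SYN")),
    (3, "FGT-B", Packet("server", "client", "SYN-ACK")),
]

if __name__ == "__main__":
    for label, events, sync, delay in [
        ("no sync", SPLIT_HANDSHAKE, False, 5),
        ("FGSP, 5 ms sync", SPLIT_HANDSHAKE, True, 5),
        ("FGSP, 5 ms sync, reply in 3 ms", FAST_REPLY, True, 5),
        ("FGSP, 1 ms sync, reply in 3 ms", FAST_REPLY, True, 1),
    ]:
        print(label, simulate(events, sync, delay))
```

Without synchronization FGT-B drops the SYN-ACK and FGT-A then drops the ACK, which is the single-firewall behaviour the text describes; with synchronization all three packets pass. The last two runs show the caution above: with a 5 ms sync delay the 3 ms reply is dropped, and with a 1 ms delay it passes.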

The FGSP also has applications in virtualized computing environments where virtualized hosts move between data centers. The session synchronization features of FGSP allow more flexibility than traditional firewalling offers.
