
Handbook

Standalone configuration sync

6.0.0

You can configure synchronization from one standalone FortiGate to another standalone FortiGate (standalone-config-sync). With the exception of some configurations that do not sync, the rest of the configurations are synced, such as firewall policies, firewall addresses, and UTM profiles.

This option is useful in situations when you need to set up FGSP peers, or when you want to quickly deploy several FortiGates with the same configurations. You can set up standalone-config-sync for multiple members.

By default, configuration synchronization is disabled. You can enter the following to enable it:

config system ha
    set standalone-config-sync enable
end

Caution

standalone-config-sync is an independent feature and should be used with caution as there are some limitations. Fortinet recommends disabling it once the configurations have been synced over.

You must enter this command on all of the FortiGates in the group. When you enable synchronizing the configuration, FGCP primary unit selection is used to select a primary FortiGate (see Primary unit selection with override disabled (default)). The other FortiGates in the deployment become backup FortiGates. Changes that you make on the primary FortiGate are synchronized to the backup FortiGates. Fortinet recommends making all configuration changes on the primary FortiGate.

Config sync primary FortiGate selection

Normally the FortiGate with the highest serial number would become the primary FortiGate.

You can use device priority to select one of the FortiGates to become the primary FortiGate. For example, the following command enables configuration synchronization on a FortiGate and sets a higher device priority than the default of 128 to make sure that this FortiGate becomes the primary FortiGate.

config system ha
    set standalone-config-sync enable
    set priority 250
end

Settings that are not synchronized

standalone-config-sync does not synchronize settings that identify the FortiGate to the network. The following settings are not synchronized:

  • Transparent mode management IPv4 and IPv6 IP addresses and default gateways.
  • All config system cluster-sync settings.
  • All config system interface settings except vdom, vlanid, type, and interface.
  • All config firewall sniffer settings.
  • All router BFD and BFD6 settings.
  • The following BGP settings: as, router-id, aggregate-address, aggregate-address6, neighbor-group, neighbor, network, and network6.
  • The following OSPF settings: router-id, area, ospf-interface, network, neighbor, and summary-address.
  • The following OSPF6 settings: router-id, area, and ospf6-interface.
  • All RIP settings.
  • All policy routing settings.
  • All static routing settings.
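As an added example that is not part of the handbook, the following Python checker parses two FortiOS-style CLI dumps (primary and backup) and reports drift only in the sections that standalone-config-sync is documented to synchronize, skipping the exceptions listed above. The sample dumps are constructed; mapping the handbook's wording for BFD, RIP, policy routing and static routing to CLI section names (router bfd, router rip, router policy, router static and their IPv6 variants) is an assumption.

```python
# Never-synced sections per the handbook; CLI names for BFD/RIP/routing are assumed.
EXCLUDED = {"system cluster-sync", "firewall sniffer", "router bfd", "router bfd6",
            "router rip", "router ripng", "router policy", "router policy6",
            "router static", "router static6"}
IFACE_SYNCED = {"vdom", "vlanid", "type", "interface"}  # only these attrs sync

def parse_sections(text):  # {top-level section name: tuple of body lines}
    sections, name, depth, body = {}, None, 0, []
    for line in (ln.strip() for ln in text.splitlines() if ln.strip()):
        if line.startswith("config ") and depth == 0:
            name, body, depth = line[7:], [], 1
        elif line == "end" and depth == 1:
            sections[name], depth = tuple(body), 0
        else:  # inside a section: track nested config/end depth, keep the line
            depth += line.startswith("config ") - (line == "end")
            body.append(line)
    return sections

def comparable(section, body):  # drop interface attrs that differ per member
    if section != "system interface":
        return body
    return tuple(ln for ln in body if not ln.startswith("set ") or ln.split()[1] in IFACE_SYNCED)

def synced_drift(primary, backup):
    """Return {section: (primary_body, backup_body)} for synced sections that differ."""
    p, b = parse_sections(primary), parse_sections(backup)
    out = {}
    for n in sorted((set(p) | set(b)) - EXCLUDED):
        pb, bb = comparable(n, p.get(n, ())), comparable(n, b.get(n, ()))
        if pb != bb:
            out[n] = (pb, bb)
    return out

# Constructed sample dumps: port1's IP and a backup-only static route differ,
# which the handbook says never sync; the changed address object is real drift.
PRIMARY_CFG = """config system interface
    edit "port1"
        set vdom "root"
        set ip 10.0.0.1 255.255.255.0
    next
end
config firewall address
    edit "dmz-web"
        set subnet 10.1.1.0 255.255.255.0
    next
end
"""
BACKUP_CFG = (PRIMARY_CFG.replace("10.0.0.1 ", "10.0.0.2 ").replace("10.1.1.0", "10.1.2.0")
              + "config router static\n    edit 1\n        set gateway 10.0.0.254\n    next\nend\n")
```

Running `synced_drift(PRIMARY_CFG, BACKUP_CFG)` flags only `firewall address`; the interface IP and the static route are ignored as expected per-member differences.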

Limitations

When standalone configuration synchronization is enabled, there are some limitations, including but not limited to the following:

  • Network interruptions occur during firmware upgrades: when upgrading the firmware, all members in the standalone-config-sync group are upgraded simultaneously. This creates downtime if the FortiGates are the only outgoing gateway in the network. We recommend disabling the option before upgrading firmware.
  • Some unwanted configurations might be synced: the current design and implementation of standalone-config-sync is based on requirements from specific customers. Thus, some users may find that unwanted parts of the configurations are synced. Should this occur, we recommend disabling the option and modifying those configurations manually.
  • The wrong primary device might be picked accidentally: standalone-config-sync is derived from the HA primary unit selection mechanism. All members in the group will join the selection process in the same way as the HA cluster selection process. It is important to select the correct device as the primary, otherwise the wrong device could be selected and existing configurations could be overwritten.
  • Layer 2 heartbeat connections must be present: similar to HA heartbeat requirements, one or more layer 2 heartbeat connections are needed to sync configurations between the primary and backup devices.