Synchronizing sessions between FGCP clusters

Synchronizing sessions between FGCP clusters is useful when data centers in different locations are used for load-balancing, and traffic must be shared and flow freely based on demand.

There are some limitations when synchronizing sessions between FGCP clusters:

  • All FortiGates must have the same model and generation, hardware configuration, and FortiOS version.
  • Not all sessions can be synced between clusters. Currently, only TCP sessions can be synced.
  • Currently, a total of four clusters can share sessions.

To configure session synchronization between two clusters:
  1. Configure the two clusters (see HA active-passive cluster setup or HA active-active cluster setup).
  2. On each cluster, enable session synchronization among HA clusters:
    config system ha
        set inter-cluster-session-sync enable
    end
  3. On cluster A, configure the peer IP for the interface:
    config system interface
        edit "port5"
            set vdom "root"
            set ip 10.10.10.1 255.255.255.0
            set allowaccess ping https ssh snmp http telnet
        next
    end

    In this example, cluster A uses port5 and its IP address, 10.10.10.1, is reachable from another cluster.

  4. On cluster A, configure cluster synchronization:
    config system cluster-sync
        edit 1
            set peerip 10.10.10.2
        next
    end
  5. On cluster B, configure the peer IP for the interface:
    config system interface
        edit "port5"
            set vdom "root"
            set ip 10.10.10.2 255.255.255.0
            set allowaccess ping https ssh snmp http telnet
        next
    end

    In this example, cluster B uses port5 and its IP address, 10.10.10.2, is reachable from another cluster.

  6. On cluster B, configure cluster synchronization:
    config system cluster-sync
        edit 1
            set peerip 10.10.10.1
        next
    end
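
The following is an added example, not Fortinet's code: a Python check that parses the stanzas from the steps above on both clusters and reports a disabled `inter-cluster-session-sync`, a `peerip` that does not match an interface address on the other cluster, and cleartext management protocols (`http`, `telnet`) left in `allowaccess` on the sync interface. The function names and the sample configuration template are constructed for illustration.

```python
import ipaddress
import re

# Constructed sample config following the steps above (not a device capture).
TEMPLATE = """config system ha
    set inter-cluster-session-sync enable
end
config system interface
    edit "port5"
        set ip {ip} 255.255.255.0
        set allowaccess ping https ssh snmp http telnet
    next
end
config system cluster-sync
    edit 1
        set peerip {peer}
    next
end
"""

def parse(cfg):
    """Pull out the settings the procedure touches from a config dump."""
    sync = re.search(r"set inter-cluster-session-sync (\S+)", cfg)
    ifaces = {}
    for name, body in re.findall(r'edit "([^"]+)"(.*?)\n\s*next', cfg, re.S):
        ip = re.search(r"set ip (\S+) (\S+)", body)
        access = re.search(r"set allowaccess (.+)", body)
        if ip:  # value is (address with netmask, set of allowaccess protocols)
            ifaces[name] = (ipaddress.ip_interface("/".join(ip.groups())),
                            set(access.group(1).split()) if access else set())
    return {"sync": bool(sync and sync.group(1) == "enable"), "ifaces": ifaces,
            "peers": set(re.findall(r"set peerip (\S+)", cfg))}

def audit(local_cfg, remote_cfg, name):
    """Return findings for one direction of the pairing (local -> remote)."""
    loc, rem = parse(local_cfg), parse(remote_cfg)
    findings = []
    if not loc["sync"]:
        findings.append(f"{name}: inter-cluster-session-sync not enabled")
    remote_ips = {str(iface.ip) for iface, _ in rem["ifaces"].values()}
    for peer in sorted(loc["peers"] - remote_ips):
        findings.append(f"{name}: peerip {peer} is not an interface IP on the peer")
    for ifname, (iface, access) in loc["ifaces"].items():
        # The sync interface is the one whose subnet contains a configured peer.
        if any(ipaddress.ip_address(p) in iface.network for p in loc["peers"]):
            for proto in sorted(access & {"http", "telnet"}):
                findings.append(f"{name}: {ifname} allows cleartext {proto}")
    return findings
```

Call `audit(config_a, config_b, "A")` and then again with the configurations swapped to check both directions of the pairing.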
