Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Products Best Practices Hardware Guides Products A-Z
Summary
By Solution
By 4D Pillars
By Cloud
Secure Networking
Unified SASE
Security Operations
Secure SD-WAN
Secure Access Service Edge (SASE)
ZTNA
LAN Edge
Identity and Access Management
Next Generation Firewall
Public Cloud
Private Cloud
FortiCloud
Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
    • More >>
    Unified SASE
  • Single Vendor SASE
  • Cloud Network Security
  • Secure Endpoint Connectivity
  • Web Application / API Protection
    • More >>
    Security Operations
  • Security Operations Automation
  • Identity
  • Early Detection & Prevention
    • More >>
    Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
  • Communication & Surveillance
    • Unified SASE
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Cloud Network Security
  • Cloud-Native Security
  • Web Application / API Protection
    • Security Operations
  • Security Operations Automation
  • Endpoint
  • Data Protection
  • Identity
  • Email
  • Early Detection & Prevention
  • Expert Services
  • Edge Firewall
  • Orchestration & management
  • SD Branch
  • Application Delivery
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Secure Private Access
  • Thin Edge
  • Identity
  • Application Gateway
  • Enterprise Asset Management
  • Endpoint Agent
  • Agentless Security Posture
  • Identity
  • Wireless
  • Switching
  • Identity
  • Privilege Acccess Management
  • Next Generation Firewall
  • Orchestration & management
  • Expert Services
  • All
  • All
  • Account Management
  • SAAS Management
  • SAAS Application Security
  • Managed Services
  • Platform as a service (PAAS)
  • Other SAAS Services
    • 4D Resources
    Solution Hubs
  • 4D Pillars
  • Cloud
  • Popular Solutions

    • Administration Guide

    Home FortiGate / FortiOS 7.0.14 Administration Guide
    7.0.14
    7.6.0
    7.4.5
    7.4.4
    7.4.3
    7.4.2
    7.4.1
    7.4.0
    7.2.10
    7.2.9
    7.2.8
    7.2.7
    7.2.6
    7.2.5
    7.2.4
    7.2.3
    7.2.2
    7.2.1
    7.2.0
    7.0.16
    7.0.15
    7.0.14
    7.0.13
    7.0.12
    7.0.11
    7.0.10
    7.0.9
    7.0.8
    7.0.7
    7.0.6
    7.0.5
    7.0.4
    7.0.3
    7.0.2
    7.0.1
    7.0.0
    6.4.15
    6.4.14
    6.4.13
    6.4.12
    6.4.11
    6.4.10
    6.4.9
    6.4.8
    6.4.7
    6.4.6
    6.4.5
    6.4.4
    6.4.3
    6.4.2
    6.4.1
    6.4.0

    Synchronizing sessions between FGCP clusters

    Synchronizing sessions between FGCP clusters

    Synchronizing sessions between FGCP clusters is useful when data centers in different locations are used for load balancing, and traffic must be shared and flow freely based on demand.

    There are some limitations when synchronizing sessions between FGCP clusters:

    • All FortiGates must have the same model and generation, hardware configuration, and FortiOS version.
    • A total of 16 clusters can share sessions.

    • The configurations related to session tables should match. For example, the logical names used in firewall policies, IPsec interface names, VDOM names, firewall policy tables, and so on.

    To configure session synchronization between two clusters:
    1. Configure the two clusters (see HA active-passive cluster setup or HA active-active cluster setup).
    2. On cluster A, configure the peer IP for the interface:
      config system interface
    edit "port5"
        set vdom "root"
        set ip 10.10.10.1 255.255.255.0
        set allowaccess ping https ssh snmp http telnet
    next
end

      In this example, cluster A uses port5 and its IP address, 10.10.10.1, is reachable from another cluster.

    3. On cluster A, configure cluster and session synchronization:
      config system cluster-sync
    edit 1
        set peerip 10.10.10.2
    next
end
    4. On cluster A, configure additional FGSP attributes as needed:
      config system standalone-cluster
    set standalone-group-id 1
    set group-member-id 0
    set session-sync-dev <interface>
end

      The standalone-group-id must match between FGSP members. The group-member-id is unique for each FGCP cluster. session-sync-dev is an optional command to specify the interfaces to sync sessions.

    5. On cluster B, configure the peer IP for the interface:
      config system interface
    edit "port5"
        set vdom "root"
        set ip 10.10.10.2 255.255.255.0
        set allowaccess ping https ssh snmp http telnet
    next
end

      In this example, cluster B uses port5 and its IP address, 10.10.10.2, is reachable from another cluster.

    6. On cluster B, configure cluster and session synchronization:
      config system cluster-sync
    edit 1
        set peerip 10.10.10.1
    next
end
    7. On cluster B, configure additional FGSP attributes as needed:
      config system standalone-cluster
    set standalone-group-id 1
    set group-member-id 1
    set session-sync-dev <interface>
end
    Previous
    Next

    More Links

    FGCP

    Synchronizing sessions between FGCP clusters

    Synchronizing sessions between FGCP clusters

    Synchronizing sessions between FGCP clusters is useful when data centers in different locations are used for load balancing, and traffic must be shared and flow freely based on demand.

    There are some limitations when synchronizing sessions between FGCP clusters:

    • All FortiGates must have the same model and generation, hardware configuration, and FortiOS version.
    • A total of 16 clusters can share sessions.

    • The configurations related to session tables should match. For example, the logical names used in firewall policies, IPsec interface names, VDOM names, firewall policy tables, and so on.

    To configure session synchronization between two clusters:
    1. Configure the two clusters (see HA active-passive cluster setup or HA active-active cluster setup).
    2. On cluster A, configure the peer IP for the interface:
      config system interface
    edit "port5"
        set vdom "root"
        set ip 10.10.10.1 255.255.255.0
        set allowaccess ping https ssh snmp http telnet
    next
end

      In this example, cluster A uses port5 and its IP address, 10.10.10.1, is reachable from another cluster.

    3. On cluster A, configure cluster and session synchronization:
      config system cluster-sync
    edit 1
        set peerip 10.10.10.2
    next
end
    4. On cluster A, configure additional FGSP attributes as needed:
      config system standalone-cluster
    set standalone-group-id 1
    set group-member-id 0
    set session-sync-dev <interface>
end

      The standalone-group-id must match between FGSP members. The group-member-id is unique for each FGCP cluster. session-sync-dev is an optional command to specify the interfaces to sync sessions.

    5. On cluster B, configure the peer IP for the interface:
      config system interface
    edit "port5"
        set vdom "root"
        set ip 10.10.10.2 255.255.255.0
        set allowaccess ping https ssh snmp http telnet
    next
end

      In this example, cluster B uses port5 and its IP address, 10.10.10.2, is reachable from another cluster.

    6. On cluster B, configure cluster and session synchronization:
      config system cluster-sync
    edit 1
        set peerip 10.10.10.1
    next
end
    7. On cluster B, configure additional FGSP attributes as needed:
      config system standalone-cluster
    set standalone-group-id 1
    set group-member-id 1
    set session-sync-dev <interface>
end
    Previous
    Next