CLI Reference

config system standalone-cluster

Configure FortiGate Session Life Support Protocol (FGSP) cluster attributes.

config system standalone-cluster
    Description: Configure FortiGate Session Life Support Protocol (FGSP) cluster attributes.
    set asymmetric-traffic-control [cps-preferred|strict-anti-replay]
    config cluster-peer
        Description: Configure FortiGate Session Life Support Protocol (FGSP) session synchronization.
        edit <sync-id>
            set peervd {string}
            set peerip {ipv4-address}
            set syncvd <name1>, <name2>, ...
            set down-intfs-before-sess-sync <name1>, <name2>, ...
            set hb-interval {integer}
            set hb-lost-threshold {integer}
            set ipsec-tunnel-sync [enable|disable]
            set secondary-add-ipsec-routes [enable|disable]
            config session-sync-filter
                Description: Add one or more filters if you only want to synchronize some sessions. Use the filter to configure the types of sessions to synchronize.
                set srcintf {string}
                set dstintf {string}
                set srcaddr {ipv4-classnet-any}
                set dstaddr {ipv4-classnet-any}
                set srcaddr6 {ipv6-network}
                set dstaddr6 {ipv6-network}
                config custom-service
                    Description: Only sessions using these custom services are synchronized. Use source and destination port ranges to define these custom services.
                    edit <id>
                        set src-port-range {user}
                        set dst-port-range {user}
                    next
                end
            end
        next
    end
    set encryption [enable|disable]
    set group-member-id {integer}
    set layer2-connection [available|unavailable]
    set psksecret {password-3}
    set session-sync-dev {user}
    set standalone-group-id {integer}
end

config system standalone-cluster

| Parameter | Description | Type | Size | Default |
|---|---|---|---|---|
| asymmetric-traffic-control | Asymmetric traffic control mode. Options: cps-preferred: Connection per second (CPS) preferred; strict-anti-replay: Strict anti-replay check. | option | - | cps-preferred |
| encryption | Enable/disable encryption when synchronizing sessions. Options: enable: Enable encryption when synchronizing sessions; disable: Disable encryption when synchronizing sessions. | option | - | disable |
| group-member-id | Cluster member ID. | integer | Minimum value: 0 Maximum value: 15 | 0 |
| layer2-connection | Indicate whether layer 2 connections are present among FGSP members. Options: available: There exist layer 2 connections among FGSP members; unavailable: There does not exist layer 2 connection among FGSP members. | option | - | unavailable |
| psksecret | Pre-shared secret for session synchronization (ASCII string or hexadecimal encoded with a leading 0x). | password-3 | Not Specified | |
| session-sync-dev | Offload session-sync process to kernel and sync sessions using connected interface(s) directly. | user | Not Specified | |
| standalone-group-id | Cluster group ID. Must be the same for all members. | integer | Minimum value: 0 Maximum value: 255 | 0 |

config cluster-peer

| Parameter | Description | Type | Size | Default |
|---|---|---|---|---|
| sync-id | Sync ID. | integer | Minimum value: 0 Maximum value: 4294967295 | 0 |
| peervd | VDOM that contains the session synchronization link interface on the peer unit. Usually both peers would have the same peervd. | string | Maximum length: 31 | root |
| peerip | IP address of the interface on the peer unit that is used for the session synchronization link. | ipv4-address | Not Specified | 0.0.0.0 |
| syncvd <name> | Sessions from these VDOMs are synchronized using this session synchronization configuration. VDOM name. | string | Maximum length: 79 | |
| down-intfs-before-sess-sync <name> | List of interfaces to be turned down before session synchronization is complete. Interface name. | string | Maximum length: 79 | |
| hb-interval | Heartbeat interval. Increase to reduce false positives. | integer | Minimum value: 1 Maximum value: 20 | 2 |
| hb-lost-threshold | Lost heartbeat threshold. Increase to reduce false positives. | integer | Minimum value: 1 Maximum value: 60 | 10 |
| ipsec-tunnel-sync | Enable/disable IPsec tunnel synchronization. Options: enable: Enable IPsec tunnel synchronization; disable: Disable IPsec tunnel synchronization. | option | - | enable |
| secondary-add-ipsec-routes | Enable/disable IKE route announcement on the backup unit. Options: enable: Add IKE routes to the backup unit; disable: Do not add IKE routes to the backup unit. | option | - | enable |

config session-sync-filter

| Parameter | Description | Type | Size | Default |
|---|---|---|---|---|
| srcintf | Only sessions from this interface are synchronized. | string | Maximum length: 15 | |
| dstintf | Only sessions to this interface are synchronized. | string | Maximum length: 15 | |
| srcaddr | Only sessions from this IPv4 address are synchronized. | ipv4-classnet-any | Not Specified | 0.0.0.0 0.0.0.0 |
| dstaddr | Only sessions to this IPv4 address are synchronized. | ipv4-classnet-any | Not Specified | 0.0.0.0 0.0.0.0 |
| srcaddr6 | Only sessions from this IPv6 address are synchronized. | ipv6-network | Not Specified | ::/0 |
| dstaddr6 | Only sessions to this IPv6 address are synchronized. | ipv6-network | Not Specified | ::/0 |

config custom-service

| Parameter | Description | Type | Size | Default |
|---|---|---|---|---|
| id | Custom service ID. | integer | Minimum value: 0 Maximum value: 4294967295 | 0 |
| src-port-range | Custom service source port range. | user | Not Specified | 0-0 |
| dst-port-range | Custom service destination port range. | user | Not Specified | 0-0 |
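
An added example, not part of Fortinet's reference: a Python check that reads a `config system standalone-cluster` block from a saved configuration or template and reports when session-sync `encryption` is left at its documented default of `disable`, or when a numeric setting falls outside the ranges listed above. The sample configuration is constructed, and the check assumes that a setting absent from the block takes its documented default.

```python
# Default and ranges below are copied from the parameter tables on this page.
ENCRYPTION_DEFAULT = "disable"
RANGES = {"group-member-id": (0, 15), "standalone-group-id": (0, 255),
          "hb-interval": (1, 20), "hb-lost-threshold": (1, 60)}

# Constructed sample: no "set encryption" line, and an out-of-range hb-interval.
SAMPLE = """config system standalone-cluster
    set standalone-group-id 7
    config cluster-peer
        edit 1
            set peerip 10.0.0.2
            set hb-interval 30
            config session-sync-filter
                set srcintf "port1"
            end
        next
    end
end"""

def parse_block(text):
    """Return (top-level settings, {sync-id: settings}); filter entries are skipped."""
    top, peers, stack, current = {}, {}, [], None
    for line in (raw.strip() for raw in text.splitlines()):
        in_peer = stack[-1:] == ["cluster-peer"]
        if line.startswith("config "):
            stack.append(line[len("config "):])
        elif line == "end" and stack:
            stack.pop()
        elif line.startswith("edit ") and in_peer:
            current = peers.setdefault(line[len("edit "):], {})
        elif line.startswith("set "):
            key, _, value = line[len("set "):].partition(" ")
            target = top if stack == ["system standalone-cluster"] else current if in_peer else None
            if target is not None:
                target[key] = value.strip('"')
    return top, peers

def audit(text):
    """List settings left at the unencrypted default or outside the listed ranges."""
    top, peers = parse_block(text)
    findings = []
    if top.get("encryption", ENCRYPTION_DEFAULT) != "enable":
        findings.append("cluster: encryption is not enabled for session sync")
    for scope, cfg in [("cluster", top)] + [(f"peer {i}", p) for i, p in peers.items()]:
        for key, (lo, hi) in RANGES.items():
            val = cfg.get(key)
            if val is not None and not (val.isdigit() and lo <= int(val) <= hi):
                findings.append(f"{scope}: {key}={val} outside {lo}-{hi}")
    return findings
```

Calling `audit(SAMPLE)` returns one finding for the missing `set encryption enable` and one for the `hb-interval` value.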
