New Features

Selective GTP FGSP sync: only synchronize GTP tunnels

You can use the following option to disable IP session synchronization for an FGSP cluster:

config system standalone-cluster
    set session-sync {disable | enable}
end

By default, session-sync is enabled and FortiOS Carrier FGSP operates normally. You can disable session-sync to stop synchronizing IP sessions; GTP tunnel synchronization is not changed. Disabling IP session synchronization potentially reduces the amount of bandwidth required for FGSP session synchronization.

Disabling session-sync is compatible with enabling gtp-fgsp-s10-only to synchronize only S10 GTP tunnels (see Selective GTP FGSP sync: only S10 tunnels). If you disable session-sync and enable gtp-fgsp-s10-only, FortiOS Carrier FGSP synchronizes only S10 GTP tunnels and does not synchronize IP sessions.

When session-sync is disabled, FGSP no longer supports GTP asymmetric routing, and the gtp-asym-fgsp system settings CLI option becomes hidden.

Example topology

Default configuration: session-sync enabled

CLI configuration:

config system standalone-cluster
    set session-sync enable
end

All IP sessions, GTP sessions, and GTP tunnels are received by FortiGate 1 (FGSP primary). IP sessions, GTP sessions, and GTP tunnels are synchronized to FortiGate 2 (FGSP peer).

FortiGate 1 (FGSP primary)

The output of diagnose sys session list | grep 172.16.200.61 shows IP sessions on FortiGate 1 (FGSP primary):

diagnose sys session list | grep 172.16.200.61
hook=pre dir=org act=noop 10.1.100.60:52448->172.16.200.61:22(0.0.0.0:0)
hook=post dir=reply act=noop 172.16.200.61:22->10.1.100.60:52448(0.0.0.0:0)

The output of diagnose sys session list | grep 2123 shows the GTP sessions on FortiGate 1 (FGSP primary):

diagnose sys session list | grep 2123
hook=pre dir=org act=noop 172.16.200.91:2123->10.1.100.91:2123(0.0.0.0:0)
hook=post dir=reply act=noop 10.1.100.91:2123->172.16.200.91:2123(0.0.0.0:0)

The output of the diagnose firewall gtp tunnel list command shows the GTP tunnels on FortiGate 1 (FGSP primary):

diagnose firewall gtp tunnel list
list gtp tunnels

-----------prof=gtpp ref=6 imsi=987654112233445 msisdn=896745214365 mei=43658709.212030.1 ms_addr=Unknown s11_s4 0-----------
-----------index=00000003 life=34(sec) idle=34(sec) vd=0  ver=2-----------
c_pkt=1 c_bytes=276 u_pkt=0 u_bytes=0
rat type: utran
downlink cfteid:
    addr=10.10.10.10 teid=0x1ce7eab0 role=control vd=0 intf_type=s5/s8 sgw gtp-c
    1/1 requests shown:
        src=10.1.100.91:2123 dst=172.16.200.91:2123 seq=10017643 msg_type=32 vd=0 ver=2
uplink cfteid:
    addr=Unknown teid=0x00000000 role=control vd=0 intf_type=s1-u enodeb gtp-u
1/1 bearers:
    id=6 linked_id=6 type=regular dead=0 apn=internet2 selection=ms-or-net-provided-apn apn_restriction=public-2 u_pkt=0 u_bytes=0
    1 fteids:
        addr=10.10.10.10 teid=0x1ce7eab1 role=data vd=0 intf_type=s5/s8 sgw gtp-u

FortiGate 2 (FGSP peer)

The output of diagnose sys session list | grep 172.16.200.61 shows the IP sessions synchronized to FortiGate 2 (FGSP peer):

diagnose sys session list | grep 172.16.200.61
hook=pre dir=org act=noop 10.1.100.60:52448->172.16.200.61:22(0.0.0.0:0)
hook=post dir=reply act=noop 172.16.200.61:22->10.1.100.60:52448(0.0.0.0:0)

The output of diagnose sys session list | grep 2123 shows the GTP sessions synchronized to FortiGate 2 (FGSP peer):

diagnose sys session list | grep 2123
hook=pre dir=org act=noop 172.16.200.91:2123->10.1.100.91:2123(0.0.0.0:0)
hook=post dir=reply act=noop 10.1.100.91:2123->172.16.200.91:2123(0.0.0.0:0)

The output of the diagnose firewall gtp tunnel list command shows the GTP tunnels synchronized to FortiGate 2 (FGSP peer):

diagnose firewall gtp tunnel list
list gtp tunnels

-----------prof=gtpp ref=5 imsi=987654112233445 msisdn=896745214365 mei=43658709.212030.1 ms_addr=80.80.80.1 s11_s4 0-----------
-----------index=00000001 life=4887(sec) idle=4887(sec) vd=0  ver=2-----------
c_pkt=0 c_bytes=0 u_pkt=0 u_bytes=0
rat type: utran
downlink cfteid:
    addr=10.10.10.10 teid=0x1ce7eab0 role=control vd=0 intf_type=s5/s8 sgw gtp-c
uplink cfteid:
    addr=20.20.20.10 teid=0x1ce7eab2 role=control vd=0 intf_type=s5/s8 pgw gtp-c
1/1 bearers:
    id=6 linked_id=6 type=regular dead=0 apn=internet2 selection=ms-or-net-provided-apn apn_restriction=public-2 user_addr=80.80.80.1 u_pkt=0 u_bytes=0
    2 fteids:
        addr=10.10.10.10 teid=0x1ce7eab1 role=data vd=0 intf_type=s5/s8 sgw gtp-u
        addr=20.20.20.10 teid=0x1ce7eab3 role=data vd=0 intf_type=s5/s8 pgw gtp-u

Only GTP tunnels synchronized: session-sync disabled

FortiGate 1 (FGSP primary)

The output of diagnose sys session list | grep 172.16.200.61 shows IP sessions on FortiGate 1 (FGSP primary):

diagnose sys session list | grep 172.16.200.61
hook=pre dir=org act=noop 10.1.100.60:55136->172.16.200.61:22(0.0.0.0:0)
hook=post dir=reply act=noop 172.16.200.61:22->10.1.100.60:55136(0.0.0.0:0)

The output of diagnose sys session list | grep 2123 shows the GTP sessions on FortiGate 1 (FGSP primary):

diagnose sys session list | grep 2123
hook=pre dir=org act=noop 172.16.200.91:2123->10.1.100.91:2123(0.0.0.0:0)
hook=post dir=reply act=noop 10.1.100.91:2123->172.16.200.91:2123(0.0.0.0:0)

The output of the diagnose firewall gtp tunnel list command shows the GTP tunnels on FortiGate 1 (FGSP primary):

diagnose firewall gtp tunnel list
list gtp tunnels

-----------prof=gtpp ref=6 imsi=987654112233445 msisdn=896745214365 mei=43658709.212030.1 ms_addr=Unknown s11_s4 0-----------
-----------index=00000002 life=85(sec) idle=85(sec) vd=0  ver=2-----------
c_pkt=1 c_bytes=276 u_pkt=0 u_bytes=0
rat type: utran
downlink cfteid:
    addr=10.10.10.10 teid=0x1ce7eab0 role=control vd=0 intf_type=s5/s8 sgw gtp-c
    1/1 requests shown:
        src=10.1.100.91:2123 dst=172.16.200.91:2123 seq=10017643 msg_type=32 vd=0 ver=2
uplink cfteid:
    addr=Unknown teid=0x00000000 role=control vd=0 intf_type=s1-u enodeb gtp-u
1/1 bearers:
    id=6 linked_id=6 type=regular dead=0 apn=internet2 selection=ms-or-net-provided-apn apn_restriction=public-2 u_pkt=0 u_bytes=0
    1 fteids:
        addr=10.10.10.10 teid=0x1ce7eab1 role=data vd=0 intf_type=s5/s8 sgw gtp-u

FortiGate 2 (FGSP peer)

The output of diagnose sys session list | grep 172.16.200.61 shows that IP sessions are not synchronized to FortiGate 2 (FGSP peer):

diagnose sys session list | grep 172.16.200.61

The output of diagnose sys session list | grep 2123 shows that GTP sessions are not synchronized to FortiGate 2 (FGSP peer):

diagnose sys session list | grep 2123

The output of the diagnose firewall gtp tunnel list command shows the GTP tunnels synchronized to FortiGate 2 (FGSP peer):

diagnose firewall gtp tunnel list
list gtp tunnels

-----------prof=gtpp ref=5 imsi=987654112233445 msisdn=896745214365 mei=43658709.212030.1 ms_addr=80.80.80.1 s11_s4 0-----------
-----------index=00000005 life=10250(sec) idle=8667(sec) vd=0  ver=2-----------
c_pkt=0 c_bytes=0 u_pkt=0 u_bytes=0
rat type: utran
downlink cfteid:
    addr=10.10.10.10 teid=0x1ce7eab0 role=control vd=0 intf_type=s5/s8 sgw gtp-c
uplink cfteid:
    addr=20.20.20.10 teid=0x1ce7eab2 role=control vd=0 intf_type=s5/s8 pgw gtp-c
1/1 bearers:
    id=6 linked_id=6 type=regular dead=0 apn=internet2 selection=ms-or-net-provided-apn apn_restriction=public-2 user_addr=80.80.80.1 u_pkt=0 u_bytes=0
    2 fteids:
        addr=10.10.10.10 teid=0x1ce7eab1 role=data vd=0 intf_type=s5/s8 sgw gtp-u
        addr=20.20.20.10 teid=0x1ce7eab3 role=data vd=0 intf_type=s5/s8 pgw gtp-u
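
The comparison walked through above can be automated. The following is an added example, not part of the Fortinet documentation: it parses `diagnose sys session list` and `diagnose firewall gtp tunnel list` captures from both units and reports where the peer's state contradicts the configured session-sync value. The function names and the sample captures (trimmed copies of the output on this page) are constructed for illustration, and gtp-fgsp-s10-only is assumed to be disabled.

```python
import re

IMSI_RE = re.compile(r"imsi=(\d+)")
TEID_RE = re.compile(r"teid=(0x[0-9a-f]{8})")
SESSION_RE = re.compile(r"hook=pre dir=org act=\S+ (\S+?)->(\S+?)\(")

def parse_tunnels(text):
    """Map IMSI -> non-zero TEIDs from 'diagnose firewall gtp tunnel list'."""
    tunnels, imsi = {}, None
    for line in text.splitlines():
        m = IMSI_RE.search(line)
        if m:  # tunnel header line starts a new tunnel record
            imsi = m.group(1)
            tunnels.setdefault(imsi, set())
        elif imsi:  # skip the all-zero TEID that is listed with addr=Unknown
            tunnels[imsi].update(t for t in TEID_RE.findall(line) if int(t, 16))
    return tunnels

def parse_sessions(text):
    """(src, dst) pairs from original-direction 'diagnose sys session list' lines."""
    return set(SESSION_RE.findall(text))

def check_peer(primary, peer, session_sync):
    """List the points where peer state contradicts the session-sync setting."""
    findings = []
    p_tun, q_tun = parse_tunnels(primary["tunnels"]), parse_tunnels(peer["tunnels"])
    for imsi, teids in p_tun.items():  # tunnel sync is unchanged by session-sync
        missing = teids - q_tun.get(imsi, set())
        if imsi not in q_tun or missing:
            findings.append(f"tunnel imsi={imsi} incomplete on peer {sorted(missing)}")
    p_ses, q_ses = parse_sessions(primary["sessions"]), parse_sessions(peer["sessions"])
    if session_sync == "enable" and p_ses - q_ses:
        findings.append(f"sessions not synchronized: {sorted(p_ses - q_ses)}")
    if session_sync == "disable" and p_ses & q_ses:
        findings.append(f"sessions synchronized anyway: {sorted(p_ses & q_ses)}")
    return findings

# Constructed captures, trimmed from the output format shown on this page.
PRIMARY = {
    "sessions": "hook=pre dir=org act=noop 10.1.100.60:55136->172.16.200.61:22(0.0.0.0:0)\n"
                "hook=post dir=reply act=noop 172.16.200.61:22->10.1.100.60:55136(0.0.0.0:0)\n"
                "hook=pre dir=org act=noop 172.16.200.91:2123->10.1.100.91:2123(0.0.0.0:0)\n",
    "tunnels": "-----prof=gtpp ref=6 imsi=987654112233445 msisdn=896745214365-----\n"
               "    addr=10.10.10.10 teid=0x1ce7eab0 role=control intf_type=s5/s8 sgw gtp-c\n"
               "    addr=Unknown teid=0x00000000 role=control intf_type=s1-u enodeb gtp-u\n"
               "    addr=10.10.10.10 teid=0x1ce7eab1 role=data intf_type=s5/s8 sgw gtp-u\n",
}
PEER = {"sessions": "", "tunnels": PRIMARY["tunnels"]}  # session-sync disable case
```

An empty list from `check_peer(PRIMARY, PEER, "disable")` corresponds to the second scenario on this page: tunnels present on the peer, no IP or GTP sessions.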
