pksubramanian
Staff
August 7, 2025

Technical Tip: Configuring FortiGate for seamless session pickup in CGNAT setup with FGSP session sync

Description
This article describes the configuration requirements for FortiGate to enable NAT session sync and seamless session pickup in a CGNAT network with FGSP session sync.
Scope
FortiGate, FGSP.
Solution

To configure FortiGate for seamless session pickup in an FGSP + CGNAT design, follow these steps:

  1. Ensure that both FortiGate units have the same IP pool configuration, including the same pool name and pool type. For example, a port block allocation (PBA) pool used for CGNAT is created on each peer with:
     config firewall ippool
         edit "pool-A"
             set type port-block-allocation
         next
     end
  2. Configure identical firewall policies on each peer (FGTA and FGTB). For example, in the GUI go to Policy & Objects -> Firewall Policy and create the same policy on both peers, with NAT enabled and the IP pool created in step 1 selected as the pool.
  3. Verify that session sync is working by running the following commands:

diagnose sys session list | grep synced -c       <-- On the primary unit (session owner): counts sessions flagged "synced".
diagnose sys session list | grep syn_ses -c      <-- On the secondary unit (peer): counts sessions learned from the primary, flagged "syn_ses".

The two counts should closely track each other once synchronization is healthy.
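The steps above as one complete CLI configuration for peer A (added example, not part of the original article). It assumes FortiOS 7.x syntax for the FGSP peer definition (config system standalone-cluster with cluster-peer; older 6.x builds use config system cluster-sync instead), an FGSP sync link on 10.10.10.1/10.10.10.2, port1 as the Internet-facing interface, port2 as the subscriber-facing interface, and 203.0.113.0/24 as the public CGNAT range; all of these are assumed values. Peer B is identical except that group-member-id is 2 and peerip points at peer A. The firewall policy and the ippool are deliberately the same object names on both units, as the note below requires.

```text
# Added example: CGNAT + FGSP on peer A (assumed addresses and interface names)

# Session pickup must be enabled, and NAT sessions must be explicitly included,
# otherwise the PBA-mapped flows are not synchronized to the peer.
config system ha
    set session-pickup enable
    set session-pickup-nat enable
end

# FGSP peering (FortiOS 7.x syntax; assumed sync-link addresses)
config system standalone-cluster
    set standalone-group-id 1
    set group-member-id 1
    config cluster-peer
        edit 1
            set peerip 10.10.10.2
        next
    end
end

# Step 1: identical PBA pool on both peers (same name, type and range)
config firewall ippool
    edit "pool-A"
        set type port-block-allocation
        set startip 203.0.113.1
        set endip 203.0.113.254
        set block-size 128
        set num-blocks-per-user 8
    next
end

# Step 2: identical NAT policy on both peers, using the pool from step 1
config firewall policy
    edit 1
        set name "cgnat-out"
        set srcintf "port2"
        set dstintf "port1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
        set ippool enable
        set poolname "pool-A"
    next
end

# Step 3: verification (run on each unit after traffic is flowing)
# diagnose sys session list | grep synced -c     (primary / session owner)
# diagnose sys session list | grep syn_ses -c    (secondary / peer)
```

The setting most often missed in this design is session-pickup-nat: with only session-pickup enabled, the peer receives the session table but not the NAT bindings, so a flow picked up after failover is assigned a fresh mapping from the pool instead of continuing on its original public address and port block.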

If the counts do not match, check the session logs on both units and confirm that the sessions created on the primary are appearing on the secondary with the syn_ses flag.

Note: The FortiGate configuration must be identical on both peers, including the IP pool configuration and the firewall policies, so that a synchronized session can be matched to the same policy and pool on the peer that picks it up.