Troubleshooting Tip: Disabling EtherType 0x8892 (PROFINET) Broadcasts for Session-Sync in FortiGate FGSP Environments

When FortiGate devices utilize FGSP (FortiGate Session Life Support Protocol), EtherType 0x8892(PROFINET) frames are generated exclusively when Layer 2 session synchronization is active. Even if the Layer 2 connection is set to unavailable, the system may still broadcast briefly during startup if session-sync-dev interfaces are defined on physically adjacent links.

To completely eliminate broadcast packets and mandate the use of Layer 3 unicast (UDP/708), the following configuration must be applied:

1. Explicitly disable layer 2 synchronization:

Remove the interfaces that trigger kernel-space synchronization via EtherType 0x8892:

config system standalone-cluster
    set layer2-connection unavailable
    unset session-sync-dev
end

2. Enforce layer 3 unicast synchronization:

Define FGSP peers using static IP addresses. This ensures synchronization occurs over routed paths using UDP port 708 instead of Ethernet broadcast frames.

config system standalone-cluster
    config cluster-peer
        edit 1
            set peerip 10.1.1.2
        next
    end
end

3. Verification: 

Run a packet capture and confirm no packets match EtherType 0x8892:

diagnose sniffer packet any 'ether proto 0x8892' 6 0 a

If the result is empty, then Layer 2 broadcast sync is fully disabled.

Related documents and articles:

• Session synchronization interfaces in FGSP | Fortinet Document Library
• Technical Tip: Suggested Parameters to use for a FortiGate Session Life Support Protocol (FGSP) cluster
• Technical Tip: FortiGate HA Heartbeat packet Ethertypes
• Technical Tip: Information about the protocols and ports used in FortiGate high availability