Tommie5
Visitor III
May 22, 2025
Question

Make the Standalone function in FGSP not synchronize the SD-WAN configuration.


Hello everyone. Our company has two FortiGate 1500D firewalls, and we have configured FGSP, SD-WAN, and Standalone settings. On the core switch, I have set the default routes to point to these two firewalls respectively, and these two firewalls are interconnected to the carrier through their respective lines, then directed to the same carrier via static default routes.

The current issue is that when using Standalone configuration synchronization, gateways within the same SD-WAN members get overridden by the main firewall. Since this carrier provides me with two lines corresponding to different next hops, it's impossible to direct them towards the same gateway.

My question now is whether it's possible to specify Standalone functionality so that these two firewalls do not synchronize configurations within the SD-WAN module; when needed, I can manually configure features in this SD-WAN module while still enjoying other synchronized configurations under Standalone.


AEK
SuperUser
May 22, 2025

Hi Tommie

It is possible to exclude some objects from FGCP synchronization.

https://docs.fortinet.com/document/fortigate/7.6.2/administration-guide/105611/vdom-exceptions

Unfortunately, excluding the SD-WAN config from sync is only available on cloud FG.

I think you have 3 possible solutions:

  1. Use FortiManager to push the same rules and objects on both FGs
  2. Make the required design change so that the SD-WAN configs are the same, and continue using FGCP sync
  3. Do not use FGCP sync, and push config separately on each FG
AEK
Tommie5 (Author)
Visitor III
May 23, 2025

Hello, AEK. I am using the FGSP feature, not FGCP. I have already negotiated with the carrier (ISP), and they can only have different next hops corresponding to different interface addresses; their specifications cannot be modified.

My firewall version is 7.2.11, and I did not purchase FortiGate Cloud and FortiManager features.

Is there a better way?

AEK
SuperUser
May 25, 2025

Hi Tommie

FGSP is for session synchronization only.

FGCP is for HA or for config-only synchronization.

I think one of the possible solutions is to configure your SD-WAN interfaces to use DHCP (or PPPoE) instead of static IP. In that case you don't need to set IP & GW since they are acquired dynamically.

AEK
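To illustrate AEK's DHCP suggestion, here is an added FortiOS CLI fragment (not configuration posted in the thread). It assumes a WAN port named port1 as SD-WAN member 1 and uses a constructed next-hop address; the static form with a device-specific gateway is shown beside the DHCP form, where the member carries no gateway at all.

```fortios
# Added example, not from the thread. Interface name port1 and the
# next-hop 203.0.113.1 are assumed / constructed values.

# Before: static addressing. The member gateway is device-specific, so the
# value copied from the primary by config sync is wrong on the peer.
config system sdwan
    set status enable
    config members
        edit 1
            set interface "port1"
            set gateway 203.0.113.1
        next
    end
end

# After: port1 obtains its address and default gateway from the ISP via
# DHCP. The SD-WAN member then needs no per-device gateway, so the synced
# block is identical on both firewalls.
config system interface
    edit "port1"
        set mode dhcp
    next
end
config system sdwan
    set status enable
    config members
        edit 1
            set interface "port1"
        next
    end
end
```

Before relying on this, confirm on the running 7.2.11 build that the DHCP-learned route appears in the routing table of each unit and that the member's health check still passes with no explicit gateway.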