synchronise sessions between Fortigate devices in Azure in HA (active-passive)
I have FortiGates in Azure deployed as per the scenario below:
Active-passive with external and internal Azure load balancer (LB)
Can session synchronization happen between FortiGates? If yes, how? If no, why?
Labels: azure
Hi SJ,
Yes
Session sync is enabled by default when an HA A/P FortiGate pair is deployed using the Azure Marketplace or Fortinet GitHub Azure templates, https://github.com/fortinet/azure-templates/blob/main/FortiGate/Active-Passive-ELB-ILB/doc/config-provisioning.md
In the link above you'll see config sections for FortiGate A and FortiGate B; each FortiGate has a section for config system ha, similar to this:
    config system ha
        set group-name AzureHA
        set mode a-p
        set hbdev port3 100
        set session-pickup enable
        set session-pickup-connectionless enable
        set ha-mgmt-status enable
        config ha-mgmt-interfaces
            edit 1
                set interface port4
                set gateway 172.16.136.193
            next
        end
        set override disable
        set priority 255
        set unicast-hb enable
        set unicas
Hope this helps.
Created on 10-03-2024 07:17 AM Edited on 10-03-2024 07:18 AM
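When verifying that session sync is actually in place on both nodes, it helps to check the HA settings from the exported configuration rather than by eye. The script below is an added example, not code from the forum post or from Fortinet: it contains a minimal parser for the FortiOS CLI config format (config/edit/set/next/end) and audits the "config system ha" block of each node for the session-pickup settings shown in the snippet above. Both sample configurations are constructed for this example; the second one has session pickup deliberately left off so the audit has something to report.

```python
"""Audit FortiOS 'config system ha' blocks for the session-sync settings
an Azure active-passive pair needs.

Added example, not from the forum post or Fortinet. The two configs
below are constructed samples in FortiOS CLI syntax.
"""

# Constructed sample: FortiGate A, matching the settings in the post.
FGT_A_CONFIG = """\
config system ha
    set group-name AzureHA
    set mode a-p
    set hbdev port3 100
    set session-pickup enable
    set session-pickup-connectionless enable
    set ha-mgmt-status enable
    config ha-mgmt-interfaces
        edit 1
            set interface port4
            set gateway 172.16.136.193
        next
    end
    set override disable
    set priority 255
    set unicast-hb enable
end
"""

# Constructed sample: FortiGate B with session pickup left disabled
# and the connectionless pickup setting missing entirely.
FGT_B_CONFIG = """\
config system ha
    set group-name AzureHA
    set mode a-p
    set hbdev port3 100
    set session-pickup disable
    set ha-mgmt-status enable
    set override disable
    set priority 1
    set unicast-hb enable
end
"""

# Settings the post's snippet shows for an Azure A/P pair with session sync.
REQUIRED_HA = {
    "mode": "a-p",
    "session-pickup": "enable",
    "session-pickup-connectionless": "enable",
    "unicast-hb": "enable",
}


def parse_fortios(text):
    """Parse FortiOS CLI config text into nested dicts.

    'config X' opens a table, 'edit N' opens an entry inside it,
    'set key value...' stores a setting, 'unset key' removes one,
    and 'next'/'end' close the current scope.
    """
    root = {}
    stack = [root]
    for raw in text.splitlines():
        tokens = raw.split()
        if not tokens:
            continue
        cmd, args = tokens[0], tokens[1:]
        if cmd in ("config", "edit"):
            name = " ".join(args).strip('"')
            stack.append(stack[-1].setdefault(name, {}))
        elif cmd == "set":
            stack[-1][args[0]] = " ".join(args[1:]).strip('"')
        elif cmd == "unset":
            stack[-1].pop(args[0], None)
        elif cmd in ("next", "end") and len(stack) > 1:
            stack.pop()
    return root


def audit_ha(config_text):
    """Return a list of findings for one node; an empty list means it passes."""
    ha = parse_fortios(config_text).get("system ha", {})
    findings = []
    for key, expected in REQUIRED_HA.items():
        actual = ha.get(key)  # None when the setting is absent (FortiOS default)
        if actual != expected:
            findings.append(f"{key}: expected '{expected}', found '{actual}'")
    return findings


def audit_pair(config_a, config_b):
    """Audit both nodes and confirm they share the same HA group name."""
    results = {"A": audit_ha(config_a), "B": audit_ha(config_b)}
    group_a = parse_fortios(config_a).get("system ha", {}).get("group-name")
    group_b = parse_fortios(config_b).get("system ha", {}).get("group-name")
    results["pair"] = [] if group_a == group_b else ["group-name differs between nodes"]
    return results


if __name__ == "__main__":
    for node, findings in audit_pair(FGT_A_CONFIG, FGT_B_CONFIG).items():
        print(node, "OK" if not findings else findings)
```

Run it against the output of "show system ha" from each node (or the config sections in the Fortinet template) to confirm that both members carry the same group name and that session pickup is enabled on each; a setting that is absent from the block is reported as found 'None', since FortiOS only lists non-default values.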
This is correct. As you stated, Azure Load Balancer is not capable of failing over after a failed probe, as documented here:
https://learn.microsoft.com/en-us/azure/load-balancer/load-balancer-custom-probe-overview#probe-down...
As seen in this link, for TCP sessions the Azure LB will continue to forward to the "unresponsive" endpoint, thus only new sessions will work.
For UDP sessions, however, existing sessions will be moved to the new node.
From the FortiOS point of view, the behaviour is standard: sessions are synchronized between the A/P nodes, so if the load balancer (whatever load balancer) sends the traffic to the passive firewall, it will be ready to process the session.
/franz
This is a known issue for the Azure load balancer. Even though a health probe has failed, it will not re-route the existing sessions.
This is by design, intended to offer the administrator the opportunity to gracefully shut down the application and avoid any unexpected and sudden termination of an ongoing application workflow.
The article (ID 327740) you shared explains this for an Active-Active cluster; does this also apply to Active-Passive?
Created on 10-08-2024 01:28 AM Edited on 10-08-2024 01:28 AM
Applies to both active-active and active-passive.
