pksubramanian
Article Id 405241
Description: This article describes the configuration requirements for FortiGate to enable NAT session sync and seamless session pickup in a CGNAT network with FGSP session sync.
Scope: FortiGate, FGSP.
Solution:

To configure FortiGate for seamless session pickup in an FGSP + CGNAT design, follow these steps:

  1. Ensure that both FortiGate units have the same IP pool configuration, including the pool type. For example, a port-block-allocation (PBA) pool on each peer:

     config firewall ippool
         edit "pool-A"
             set type port-block-allocation
         next
     end

  2. Configure identical firewall policies on each peer (FGTA and FGTB). For example, in the GUI go to Policy & Objects -> Firewall Policy and create the same policy on both peers, with NAT enabled and the IP pool created in step 1 selected as the pool.
  3. Verify that session sync is working by running the following commands:

diagnose sys session list | grep synced -c         <-- On the primary unit.
diagnose sys session list | grep syn_ses -c        <-- On the secondary unit.

Troubleshoot common issues by checking the session logs and verifying that the sessions are being synced correctly.


Note: The FortiGate configuration should be identical on both peers, including the IP pool configuration and the firewall policies, for session matching to work correctly after pickup.
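One way to check the condition in the note before relying on session pickup is to compare the relevant sections of the two peers' configuration exports. The script below is an added example, not code from the Fortinet article or from FortiOS; the config excerpts and the 203.0.113.0/24 addresses are constructed samples, and limiting the comparison to `firewall ippool` and `firewall policy` is an assumption based on the note.

```python
# Added example, not from the article: check that the IP pool and policy sections
# that must match on both FGSP peers are identical (sample configs are constructed).
def parse_fortios(text):
    """Parse FortiOS CLI text (config/edit/set/next/end) into nested dicts."""
    node, stack = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith(("config ", "edit ")):
            key = line.split(" ", 1)[1].strip('"')
            stack.append(node)
            node = node.setdefault(key, {})
        elif line.startswith("set "):
            name, _, value = line[4:].partition(" ")
            node[name] = value
        elif line in ("next", "end"):
            node = stack.pop()
    return node  # after a balanced config the current node is the root

def compare_peers(cfg_a, cfg_b, sections=("firewall ippool", "firewall policy")):
    a, b = parse_fortios(cfg_a), parse_fortios(cfg_b)
    diffs = []
    for sec in sections:
        ta, tb = a.get(sec, {}), b.get(sec, {})
        for entry in sorted(set(ta) | set(tb)):
            if entry not in ta or entry not in tb:
                diffs.append(f"{sec} {entry}: defined on one peer only")
                continue
            for attr in sorted(set(ta[entry]) | set(tb[entry])):
                va, vb = ta[entry].get(attr), tb[entry].get(attr)
                if va != vb:
                    diffs.append(f"{sec} {entry} {attr}: {va} vs {vb}")
    return diffs

FGT_A = """config firewall ippool
    edit "pool-A"
        set type port-block-allocation
        set startip 203.0.113.10
        set endip 203.0.113.20
    next
end
config firewall policy
    edit 1
        set nat enable
        set ippool enable
        set poolname "pool-A"
    next
end"""
# Constructed drift on peer B: the pool type was left at its default.
FGT_B = FGT_A.replace("set type port-block-allocation", "set type overload")
print(compare_peers(FGT_A, FGT_B))
```

An empty list means the compared sections match; any entry in the list names the peer-specific difference that would prevent a picked-up session from matching.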