FortiGate
grg
Staff
Article Id 194620

Description


This article explains how to exclude selected configuration objects from synchronization between HA units.


Scope


FortiGate.

Solution


  • When FortiGates are in an HA cluster with configuration sync enabled, some configuration objects may need to be exempted from synchronization with the HA members.
  • When the two FortiGates are in different availability zones (cloud deployments), each unit has different subnets for its interfaces, so the interface IP configuration should not be synchronized to the HA member.
  • Similarly, any other configuration that should not be synchronized can be excluded.
  • To exclude configuration from synchronization, configure a VDOM exception.

Note

In Azure HA scenarios, it is essential to manually set the physical interface IP address (e.g., port1) and local tunnel interface IP addresses on the secondary FortiGate. HA does not automatically synchronize these IP addresses. Additionally, the loopback interface configuration must be copied manually from the HA primary to the secondary FortiGate. Configuring a VDOM exception for 'system.interface' does not affect behavior.


CLI syntax to configure a VDOM exception:


config system vdom-exception
    edit <1-4069>
        set object <name>
    next
end


Below is an example that excludes the interface and static route configuration from synchronization between HA members:


config system vdom-exception
    edit 1
        set object system.interface
    next
    edit 2
        set object router.static
    next
end


Note
Configuration objects listed under 'vdom-exception' must be configured manually on both FortiGates. The objects available for exclusion on FortiGate-VM are:

log.fortianalyzer.setting
log.fortianalyzer.override-setting
log.fortianalyzer2.setting
log.fortianalyzer2.override-setting
log.fortianalyzer3.setting
log.fortianalyzer3.override-setting
log.fortianalyzer-cloud.setting
log.fortianalyzer-cloud.override-setting
log.syslogd.setting
log.syslogd.override-setting
log.syslogd2.setting
log.syslogd2.override-setting
log.syslogd3.setting
log.syslogd3.override-setting
log.syslogd4.setting
log.syslogd4.override-setting
system.central-management
system.csf
user.radius
system.interface
vpn.ipsec.phase1-interface
vpn.ipsec.phase2-interface
router.bgp
router.route-map
router.prefix-list
firewall.ippool
firewall.ippool6
router.static
router.static6
firewall.vip
firewall.vip6
firewall.vip46
firewall.vip64
system.sdwan
system.saml
router.policy
router.policy6

On hardware FortiGate models, the excludable objects are limited to the following:


log.fortianalyzer.setting
log.fortianalyzer.override-setting
log.fortianalyzer2.setting
log.fortianalyzer2.override-setting
log.fortianalyzer3.setting
log.fortianalyzer3.override-setting
log.fortianalyzer-cloud.setting
log.fortianalyzer-cloud.override-setting
log.syslogd.setting
log.syslogd.override-setting
log.syslogd2.setting
log.syslogd2.override-setting
log.syslogd3.setting
log.syslogd3.override-setting
log.syslogd4.setting
log.syslogd4.override-setting
system.gre-tunnel
system.central-management
system.csf
user.radius
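The following is an added example, not part of this article or of FortiOS: it parses a 'config system vdom-exception' block (such as the output of 'show system vdom-exception' copied from the CLI) and checks each entry against the per-platform object lists given above, the ID range 1-4069 from the syntax above, and duplicate entries, so a reviewer can confirm that an exception list is valid for the platform before the same objects are configured manually on both HA members. The sample CLI text is constructed for the example.

```python
import re
# Objects the article lists as excludable on each platform; 16 log objects are common.
_LOG = {f"log.{d}.{k}" for k in ("setting", "override-setting") for d in (
    "fortianalyzer", "fortianalyzer2", "fortianalyzer3", "fortianalyzer-cloud",
    "syslogd", "syslogd2", "syslogd3", "syslogd4")}
_COMMON = _LOG | {"system.central-management", "system.csf", "user.radius"}
SUPPORTED = {
    "hardware": _COMMON | {"system.gre-tunnel"},
    "vm": _COMMON | {
        "system.interface", "vpn.ipsec.phase1-interface", "vpn.ipsec.phase2-interface",
        "router.bgp", "router.route-map", "router.prefix-list", "router.static",
        "router.static6", "router.policy", "router.policy6", "firewall.ippool",
        "firewall.ippool6", "firewall.vip", "firewall.vip6", "firewall.vip46",
        "firewall.vip64", "system.sdwan", "system.saml"},
}
ID_RANGE = range(1, 4070)  # 'edit <1-4069>', as given in the article
_EDIT_RE = re.compile(r"^\s*edit\s+(\d+)\s*$")
_OBJECT_RE = re.compile(r"^\s*set\s+object\s+(\S+)\s*$")

def parse_vdom_exceptions(cli_text):
    """Return {entry_id: object} from a 'config system vdom-exception' block."""
    entries, current = {}, None
    for line in cli_text.splitlines():
        if m := _EDIT_RE.match(line):
            current = int(m.group(1))
        elif (m := _OBJECT_RE.match(line)) and current is not None:
            entries[current] = m.group(1)
        elif line.strip() in ("next", "end"):
            current = None
    return entries

def check_vdom_exceptions(cli_text, platform):
    """Report IDs outside the range, objects the platform cannot exclude,
    and the same object excluded under two IDs."""
    problems, seen = [], set()
    for entry_id, obj in sorted(parse_vdom_exceptions(cli_text).items()):
        if entry_id not in ID_RANGE:
            problems.append(f"id {entry_id}: outside 1-4069")
        if obj not in SUPPORTED[platform]:
            problems.append(f"id {entry_id}: {obj} is not excludable on {platform}")
        if obj in seen:
            problems.append(f"id {entry_id}: {obj} already excluded")
        seen.add(obj)
    return problems

# Constructed sample: the article's example plus a duplicate router.static entry.
SAMPLE = ("config system vdom-exception\n    edit 1\n        set object system.interface\n"
          "    next\n    edit 2\n        set object router.static\n    next\n"
          "    edit 3\n        set object router.static\n    next\nend\n")
```

Running check_vdom_exceptions(SAMPLE, "hardware") flags both system.interface and router.static, since hardware models cannot exclude them, while the same block on "vm" only reports the duplicate entry.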