Description
This article explains how to exclude selected configuration objects from synchronization between HA units.
Scope
FortiGate.
Solution
- When FortiGates are in an HA cluster with configuration sync enabled, some configuration may need to be exempted from synchronization to the other HA members.
- When the two FortiGates are in different availability zones (cloud), each FortiGate has different subnets for its interfaces, so the interface IP configuration should not be synchronized to the HA member.
- Similarly, any other configuration can be excluded from synchronization in the same way.
- To exclude configuration from synchronization, configure a VDOM exception.
CLI syntax to configure the VDOM exception:
config system vdom-exception
    edit <1 - 4069>
        set object <Name>
    next
end
Below is an example that excludes the interface and static route configuration from synchronization between HA members:
config system vdom-exception
    edit 1
        set object system.interface
    next
    edit 2
        set object router.static
    next
end
Note:
Configuration objects that are part of the 'vdom-exception' list are not synchronized, so they must be manually configured on both FortiGates.
Below are the objects available to exclude on FortiGate-VM:
log.fortianalyzer.setting
log.fortianalyzer.override-setting
log.fortianalyzer2.setting
log.fortianalyzer2.override-setting
log.fortianalyzer3.setting
log.fortianalyzer3.override-setting
log.fortianalyzer-cloud.setting
log.fortianalyzer-cloud.override-setting
log.syslogd.setting
log.syslogd.override-setting
log.syslogd2.setting
log.syslogd2.override-setting
log.syslogd3.setting
log.syslogd3.override-setting
log.syslogd4.setting
log.syslogd4.override-setting
system.central-management
system.csf
user.radius
system.interface
vpn.ipsec.phase1-interface
vpn.ipsec.phase2-interface
router.bgp
router.route-map
router.prefix-list
firewall.ippool
firewall.ippool6
router.static
router.static6
firewall.vip
firewall.vip6
firewall.vip46
firewall.vip64
system.sdwan
system.saml
router.policy
router.policy6
On hardware FortiGates, the available objects are limited to the following:
log.fortianalyzer.setting
log.fortianalyzer.override-setting
log.fortianalyzer2.setting
log.fortianalyzer2.override-setting
log.fortianalyzer3.setting
log.fortianalyzer3.override-setting
log.fortianalyzer-cloud.setting
log.fortianalyzer-cloud.override-setting
log.syslogd.setting
log.syslogd.override-setting
log.syslogd2.setting
log.syslogd2.override-setting
log.syslogd3.setting
log.syslogd3.override-setting
log.syslogd4.setting
log.syslogd4.override-setting
system.gre-tunnel
system.central-management
system.csf
user.radius
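The following is an added example, not part of this article or of FortiOS: a small Python check that reads the 'config system vdom-exception' block from a configuration backup and reports which excluded objects the platform (VM or hardware) does not accept, using the two object lists above. The sample configuration is constructed from the article's own interface and static-route example; the exact 'config ... end' layout is assumed to match a FortiOS config backup.

```python
import re

# Objects accepted by 'config system vdom-exception', as listed in this article.
_LOG_OBJECTS = {
    f"log.{dev}.{key}"
    for dev in ("fortianalyzer", "fortianalyzer2", "fortianalyzer3",
                "fortianalyzer-cloud", "syslogd", "syslogd2", "syslogd3", "syslogd4")
    for key in ("setting", "override-setting")
}
HARDWARE_OBJECTS = _LOG_OBJECTS | {
    "system.gre-tunnel", "system.central-management", "system.csf", "user.radius",
}
VM_OBJECTS = _LOG_OBJECTS | {
    "system.central-management", "system.csf", "user.radius", "system.interface",
    "vpn.ipsec.phase1-interface", "vpn.ipsec.phase2-interface",
    "router.bgp", "router.route-map", "router.prefix-list",
    "firewall.ippool", "firewall.ippool6", "router.static", "router.static6",
    "firewall.vip", "firewall.vip6", "firewall.vip46", "firewall.vip64",
    "system.sdwan", "system.saml", "router.policy", "router.policy6",
}

# Assumed backup layout: the block starts at column 0 and is closed by 'end' at column 0.
_BLOCK_RE = re.compile(r"^config system vdom-exception\n(.*?)^end\b", re.S | re.M)
_OBJECT_RE = re.compile(r"^\s*set object (\S+)", re.M)


def parse_vdom_exceptions(config_text):
    """Return the object names in the 'config system vdom-exception' block, in order."""
    block = _BLOCK_RE.search(config_text)
    return _OBJECT_RE.findall(block.group(1)) if block else []


def unsupported_objects(objects, platform):
    """Objects that the given platform ('vm' or 'hardware') does not accept."""
    allowed = VM_OBJECTS if platform == "vm" else HARDWARE_OBJECTS
    return [obj for obj in objects if obj not in allowed]


# Constructed sample: the article's own example exclusions.
SAMPLE_CONFIG = """\
config system vdom-exception
    edit 1
        set object system.interface
    next
    edit 2
        set object router.static
    next
end
"""

if __name__ == "__main__":
    objs = parse_vdom_exceptions(SAMPLE_CONFIG)
    print("excluded from HA sync (configure manually on both units):", objs)
    for platform in ("vm", "hardware"):
        print(platform, "unsupported:", unsupported_objects(objs, platform))
```

Run against the sample, the check shows that the article's interface and static-route exclusions are valid on FortiGate-VM but are not among the objects a hardware FortiGate accepts.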