Description
This article explains how to exclude specific configuration objects from synchronization between HA units.
Scope
FortiGate.
Solution
- When FortiGates run in an HA cluster with configuration sync enabled, some configuration may need to be exempted from synchronization to the other HA members.
- When the two FortiGates are in different availability zones (cloud deployments), each unit has different subnets on its interfaces, so the interface IP configuration must not be synchronized to the other member.
- Similarly, any other configuration that should not be synchronized can be excluded.
- To exclude configuration from synchronization, configure a VDOM exception.
Note:
In Azure HA scenarios, it is essential to manually set the physical interface IP address (e.g., port1) and local tunnel interface IP addresses on the secondary FortiGate. HA does not automatically synchronize these IP addresses. Additionally, the loopback interface configuration must be copied manually from the HA primary to the secondary FortiGate. Configuring a VDOM exception for 'system.interface' does not affect behavior.
CLI syntax to configure a VDOM exception:
config system vdom-exception
edit <1-4069>
set object <name>
next
end
Below is an example that excludes the interface and static route configuration from synchronization between HA members:
config system vdom-exception
edit 1
set object system.interface
next
edit 2
set object router.static
next
end
Note:
Configuration objects listed under 'vdom-exception' are not synchronized and must be configured manually on both FortiGates. The objects available for exclusion on FortiGate-VM are:
log.fortianalyzer.setting
log.fortianalyzer.override-setting
log.fortianalyzer2.setting
log.fortianalyzer2.override-setting
log.fortianalyzer3.setting
log.fortianalyzer3.override-setting
log.fortianalyzer-cloud.setting
log.fortianalyzer-cloud.override-setting
log.syslogd.setting
log.syslogd.override-setting
log.syslogd2.setting
log.syslogd2.override-setting
log.syslogd3.setting
log.syslogd3.override-setting
log.syslogd4.setting
log.syslogd4.override-setting
system.central-management
system.csf
user.radius
system.interface
vpn.ipsec.phase1-interface
vpn.ipsec.phase2-interface
router.bgp
router.route-map
router.prefix-list
firewall.ippool
firewall.ippool6
router.static
router.static6
firewall.vip
firewall.vip6
firewall.vip46
firewall.vip64
system.sdwan
system.saml
router.policy
router.policy6
On hardware FortiGates, the available objects are limited to the following:
log.fortianalyzer.setting
log.fortianalyzer.override-setting
log.fortianalyzer2.setting
log.fortianalyzer2.override-setting
log.fortianalyzer3.setting
log.fortianalyzer3.override-setting
log.fortianalyzer-cloud.setting
log.fortianalyzer-cloud.override-setting
log.syslogd.setting
log.syslogd.override-setting
log.syslogd2.setting
log.syslogd2.override-setting
log.syslogd3.setting
log.syslogd3.override-setting
log.syslogd4.setting
log.syslogd4.override-setting
system.gre-tunnel
system.central-management
system.csf
user.radius
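Because excluded objects are never synchronized, it is easy to end up with a section that exists on the primary but was never re-entered on the secondary. The following Python script is an added example (not part of this article or of FortiOS) that reads two backed-up configuration dumps, extracts the objects listed under 'config system vdom-exception', and reports which of them are missing on the secondary. It assumes the usual dump layout (top-level 'config ...' lines at column 0, nested blocks indented) and that an object name such as 'router.static' corresponds to the section 'config router static'; the two sample dumps are constructed.

```python
import re

def excluded_objects(config_text):
    """Object names listed under 'config system vdom-exception' in a config dump."""
    block = re.search(r"^config system vdom-exception\n(.*?)^end$", config_text, re.S | re.M)
    return re.findall(r"^\s*set object (\S+)", block.group(1), re.M) if block else []

def top_level_sections(config_text):
    """Top-level 'config ...' section names (nested ones are indented, so skipped)."""
    return set(re.findall(r"^config (.+)$", config_text, re.M))

def sync_exception_report(primary_cfg, secondary_cfg):
    """Per excluded object: does each unit carry that section? (never synced by HA)"""
    p_sections = top_level_sections(primary_cfg)
    s_sections = top_level_sections(secondary_cfg)
    report = {}
    for obj in excluded_objects(primary_cfg):
        # Assumption: object 'router.static' maps to section 'config router static'
        section = obj.replace(".", " ")
        report[obj] = {"primary": section in p_sections, "secondary": section in s_sections}
    return report

def missing_on_secondary(primary_cfg, secondary_cfg):
    """Excluded objects configured on the primary but absent from the secondary."""
    return [obj for obj, s in sync_exception_report(primary_cfg, secondary_cfg).items()
            if s["primary"] and not s["secondary"]]

# Constructed sample dumps: the secondary (other cloud subnet) has its own port1
# address, but the static route was never re-entered on it.
PRIMARY_CFG = """\
config system vdom-exception
    edit 1
        set object system.interface
    next
    edit 2
        set object router.static
    next
end
config system interface
    edit "port1"
        set ip 10.0.1.4 255.255.255.0
    next
end
config router static
    edit 1
        set gateway 10.0.1.1
    next
end
"""
SECONDARY_CFG = PRIMARY_CFG.split("config router static")[0].replace("10.0.1.4", "10.0.2.4")
```

Running `missing_on_secondary(PRIMARY_CFG, SECONDARY_CFG)` on the constructed dumps returns `['router.static']`, the section that still has to be entered by hand on the secondary.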