FortiGate
grg
Staff
Article Id 194620

Description


This article explains how to exclude specific configuration objects from synchronization between FortiGate HA cluster members.

 

Scope

 

FortiGate.

Solution

 

  • When FortiGates are in an HA cluster with configuration synchronization enabled, some configuration may need to be exempted from synchronization to the other cluster members.
  • When the two FortiGates are deployed in different availability zones (cloud), each FortiGate has a different subnet on each interface, so the interface IP configuration must not be synchronized to the HA member.
  • The same applies to any other configuration that should be kept local to each member.
  • To exclude configuration from synchronization, configure a vdom-exception for each object.

 

CLI syntax to configure a vdom-exception:

 

config sys vdom-exception
    edit < 1 – 4069>
        set object <Name>
    next
end

 

Below is an example that excludes the interface and static route configuration from synchronization between HA members:

 

config system vdom-exception
    edit 1
        set object system.interface
    next
    edit 2
        set object router.static
    next
end

 

Note:
Configuration objects listed under 'vdom-exception' are no longer synchronized, so they must be configured manually on each FortiGate in the cluster. Changing such an object on one member does not update the other.

Below are the objects available for exclusion on FortiGate-VM:

log.fortianalyzer.setting                  
log.fortianalyzer.override-setting         
log.fortianalyzer2.setting                 
log.fortianalyzer2.override-setting        
log.fortianalyzer3.setting                 
log.fortianalyzer3.override-setting        
log.fortianalyzer-cloud.setting            
log.fortianalyzer-cloud.override-setting   
log.syslogd.setting                        
log.syslogd.override-setting               
log.syslogd2.setting                       
log.syslogd2.override-setting              
log.syslogd3.setting                       
log.syslogd3.override-setting              
log.syslogd4.setting                       
log.syslogd4.override-setting              
system.central-management                  
system.csf                                 
user.radius                                
system.interface                           
vpn.ipsec.phase1-interface                 
vpn.ipsec.phase2-interface                 
router.bgp                                 
router.route-map                           
router.prefix-list                         
firewall.ippool                            
firewall.ippool6                           
router.static                              
router.static6                             
firewall.vip                               
firewall.vip6                              
firewall.vip46                             
firewall.vip64                             
system.sdwan                               
system.saml                                
router.policy                              
router.policy6

On hardware FortiGate models, exclusions are limited to the following objects:

 

log.fortianalyzer.setting
log.fortianalyzer.override-setting
log.fortianalyzer2.setting
log.fortianalyzer2.override-setting
log.fortianalyzer3.setting
log.fortianalyzer3.override-setting
log.fortianalyzer-cloud.setting
log.fortianalyzer-cloud.override-setting
log.syslogd.setting
log.syslogd.override-setting
log.syslogd2.setting
log.syslogd2.override-setting
log.syslogd3.setting
log.syslogd3.override-setting
log.syslogd4.setting
log.syslogd4.override-setting
system.gre-tunnel
system.central-management
system.csf
user.radius
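The two lists above differ: system.interface and router.static, used in the example earlier in this article, are excludable on FortiGate-VM but not on hardware models. The following Python helper, added here as an illustration and not Fortinet code, encodes both lists from this article, rejects any object that the chosen platform cannot exclude (and any duplicate), and otherwise emits the 'config system vdom-exception' block ready to paste into the CLI. The function names, the 'platform' parameter and the sample object set are assumptions made for this example.

```python
"""Build a FortiOS 'config system vdom-exception' block after validating
the requested objects against the platform's supported list.

Added example, not Fortinet code. The supported-object lists are copied
from this article; the function names, the 'platform' parameter and the
sample object sets are assumptions made for illustration.
"""

# Log-related objects that appear in both the VM and hardware lists.
_LOG_OBJECTS = frozenset({
    "log.fortianalyzer.setting", "log.fortianalyzer.override-setting",
    "log.fortianalyzer2.setting", "log.fortianalyzer2.override-setting",
    "log.fortianalyzer3.setting", "log.fortianalyzer3.override-setting",
    "log.fortianalyzer-cloud.setting", "log.fortianalyzer-cloud.override-setting",
    "log.syslogd.setting", "log.syslogd.override-setting",
    "log.syslogd2.setting", "log.syslogd2.override-setting",
    "log.syslogd3.setting", "log.syslogd3.override-setting",
    "log.syslogd4.setting", "log.syslogd4.override-setting",
})

# Objects the article lists as excludable on FortiGate-VM.
VM_OBJECTS = _LOG_OBJECTS | frozenset({
    "system.central-management", "system.csf", "user.radius",
    "system.interface",
    "vpn.ipsec.phase1-interface", "vpn.ipsec.phase2-interface",
    "router.bgp", "router.route-map", "router.prefix-list",
    "firewall.ippool", "firewall.ippool6",
    "router.static", "router.static6",
    "firewall.vip", "firewall.vip6", "firewall.vip46", "firewall.vip64",
    "system.sdwan", "system.saml",
    "router.policy", "router.policy6",
})

# Objects the article lists as excludable on hardware FortiGate models.
HW_OBJECTS = _LOG_OBJECTS | frozenset({
    "system.gre-tunnel", "system.central-management", "system.csf",
    "user.radius",
})

# 'platform' is an assumed label: "vm" or "hardware".
SUPPORTED = {"vm": VM_OBJECTS, "hardware": HW_OBJECTS}


def unsupported_objects(objects, platform):
    """Return, sorted, the requested objects the platform cannot exclude."""
    allowed = SUPPORTED[platform]
    return sorted(o for o in objects if o not in allowed)


def build_vdom_exception(objects, platform):
    """Return the CLI block excluding 'objects' from HA sync, or raise.

    Each object gets its own 'edit <id>' entry, numbered from 1 in the
    order given, matching the layout used in the article's example.
    """
    bad = unsupported_objects(objects, platform)
    if bad:
        raise ValueError(f"not excludable on {platform}: {', '.join(bad)}")
    if len(set(objects)) != len(objects):
        raise ValueError("duplicate object in exception list")

    lines = ["config system vdom-exception"]
    for idx, obj in enumerate(objects, start=1):
        lines += [f"    edit {idx}", f"        set object {obj}", "    next"]
    lines.append("end")
    return "\n".join(lines)


if __name__ == "__main__":
    # Constructed sample: the interface/static-route case from the article.
    wanted = ["system.interface", "router.static"]
    print(build_vdom_exception(wanted, "vm"))
    # On hardware the same request is rejected rather than silently accepted.
    print("hardware rejects:", unsupported_objects(wanted, "hardware"))
```

Running it prints the same two-entry block shown earlier in the article for the VM case, and reports system.interface and router.static as unsupported for hardware. Because objects listed under vdom-exception are not synchronized, the generated block must be applied to every cluster member, and each member's own values for those objects (for example its interface addresses) must then be configured locally.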