FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
grg
Staff
Article Id 194620
Description
This article explains how to exclude specific configuration from synchronization between HA units.

Solution
- When FortiGates are in HA with config sync enabled, some configuration may need to be exempted from syncing with the HA members.
- When the two FortiGates are in different availability zones (cloud), they have different subnets on each interface, so the interface IP configuration should not sync to the other member.
- Similarly, any other configuration may need to be excluded from sync.
- To exclude configuration from sync, configure a vdom-exception.

CLI example to configure the vdom-exception:
# config system vdom-exception
    edit <1 - 4069>
        set object <Name>
    next
end
The example below excludes the interface and static route configuration from sync between HA members:
# config system vdom-exception
    edit 1
        set object system.interface
    next
    edit 2
        set object router.static
    next
end
Note:
Configuration that is part of a 'vdom-exception' should be manually configured on both FortiGates.

Below are the objects available to exclude:

log.fortianalyzer.setting                  
log.fortianalyzer.override-setting         
log.fortianalyzer2.setting                 
log.fortianalyzer2.override-setting        
log.fortianalyzer3.setting                 
log.fortianalyzer3.override-setting        
log.fortianalyzer-cloud.setting            
log.fortianalyzer-cloud.override-setting   
log.syslogd.setting                        
log.syslogd.override-setting               
log.syslogd2.setting                       
log.syslogd2.override-setting              
log.syslogd3.setting                       
log.syslogd3.override-setting              
log.syslogd4.setting                       
log.syslogd4.override-setting              
system.central-management                  
system.csf                                 
user.radius                                
system.interface                           
vpn.ipsec.phase1-interface                 
vpn.ipsec.phase2-interface                 
router.bgp                                 
router.route-map                           
router.prefix-list                         
firewall.ippool                            
firewall.ippool6                           
router.static                              
router.static6                             
firewall.vip                               
firewall.vip6                              
firewall.vip46                             
firewall.vip64                             
system.sdwan                               
system.saml                                
router.policy                              
router.policy6
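
Because objects under a vdom-exception are no longer synchronized, each member's copy has to be maintained by hand, as the note above says. The following is an added example (not Fortinet's code) that parses two configuration backups and reports entries of excluded objects that exist on only one member. It assumes single-VDOM backups, that the exception list is read from the primary, and that an object name such as router.static corresponds to the `config router static` block; the function names and sample configs are constructed for illustration.

```python
# Added example; the configs below are constructed, single-VDOM excerpts.
def parse_blocks(cfg):
    """Return {block path: {entry name: [lines]}} for top-level config blocks."""
    blocks, depth, current, entry = {}, 0, None, ""
    for line in (raw.strip() for raw in cfg.splitlines()):
        if line.startswith("config "):
            depth += 1
            if depth == 1:
                current, entry = line[len("config "):], ""
                blocks[current] = {}
        elif line == "end":
            depth -= 1
            if depth == 0:
                current = None
        elif depth == 1 and line.startswith("edit "):
            entry = line[5:].strip().strip('"')
            blocks[current][entry] = []
        elif depth == 1 and line == "next":
            entry = ""
        elif current is not None and line:  # set lines, incl. nested sub-tables
            blocks[current].setdefault(entry, []).append(line)
    return blocks

def excluded_objects(cfg):
    """Objects listed under 'config system vdom-exception'."""
    exc = parse_blocks(cfg).get("system vdom-exception", {})
    return [l.split()[2] for ls in exc.values() for l in ls if l.startswith("set object ")]

def unsynced_gaps(primary_cfg, secondary_cfg):
    """Entries of excluded objects that exist on only one HA member."""
    a, b, gaps = parse_blocks(primary_cfg), parse_blocks(secondary_cfg), {}
    for obj in excluded_objects(primary_cfg):
        path = obj.replace(".", " ")  # assumption: router.static -> "config router static"
        ea, eb = set(a.get(path, {})), set(b.get(path, {}))
        if ea != eb:
            gaps[obj] = {"only_primary": sorted(ea - eb), "only_secondary": sorted(eb - ea)}
    return gaps

EXC = ("config system vdom-exception\n edit 1\n set object system.interface\n next\n"
       " edit 2\n set object router.static\n next\nend\n")

def member(ip, gw, routes):
    """Build a constructed config excerpt for one HA member."""
    intf = (f'config system interface\n edit "port1"\n set ip {ip} 255.255.255.0\n'
            " config ipv6\n set ip6-allowaccess ping\n end\n next\nend\n")
    static = "".join(f" edit {i}\n set gateway {gw}\n next\n" for i in routes)
    return EXC + intf + "config router static\n" + static + "end\n"

PRIMARY = member("10.0.1.10", "10.0.1.1", [1, 2])
SECONDARY = member("10.0.2.10", "10.0.2.1", [1])  # route 2 was never added by hand
print(unsynced_gaps(PRIMARY, SECONDARY))
```

Differences in values (such as per-zone interface IPs) are expected and ignored; only entries missing from one member are reported, since those are the ones that would be absent after a failover.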
