FortiGate
ysatake
Staff
Article Id 384661
Description This article describes an enhancement, introduced in v7.4.4 and v7.6.0 and later, that reduces HA failover time for hardware sessions in hyperscale mode.
Scope FGCP HA hardware session synchronization in hyperscale mode
Solution

Starting from v7.4.4 and v7.6.0, NHI (Next Hop Index) information is included in the hardware sessions synchronized via FGCP (FortiGate Clustering Protocol).


Note:

'Next Hop Index' refers to the gateway index information in the NP7 hardware routing engine, which is bound to the session table.


Before this enhancement, traffic for a hardware session could not be forwarded after an HA failover until the session's NHI had been updated on the new primary unit.
With this enhancement, the NHI is already present on the secondary unit, so that update step is no longer required and the service interruption for hardware sessions during HA failover is shorter.


Primary unit:


session info: proto=17 proto_state=00 duration=308 expire=111 timeout=120 flags=00000000 socktype=0 sockport=0 av_idx=0 use=1
class_id=0 ha_id=0 policy_dir=0 tunnel=/ vlan_cos=255/255
state=new f23
statistic(bytes/packets/allow_err): org=2144240/4376/0 reply=27195490/55501/0 tuples=2
tx speed(Bps/kbps): 6961/55 rx speed(Bps/kbps): 88297/706
orgin->sink: org pre->post, reply pre->post dev=97->98/98->97 gwy=210.227.238.185/210.227.238.177
hook=post dir=org act=snat 10.14.129.1:1025->192.168.214.2:12000(172.14.1.2:57920)
hook=pre dir=reply act=dnat 192.168.214.2:12000->172.14.1.2:57920(10.14.129.1:1025)
misc=0 policy_id=10 auth_info=0 chk_client_info=0 vd=485
serial=000002cf tos=ff/ff app_list=0 app=0 url_cat=0
sdwan_mbr_seq=0 sdwan_service_id=0
rpdb_link_id=00000000 rpdb_svc_id=0 ngfwid=n/a
setup by offloaded-policy: origin=native
O: npid=0/0, in: OID=239/VID=3041, out: NHI=239/VID=3042
R: npid=0/0, in: OID=239/VID=3042, out: NHI=239/VID=3041


Secondary unit:


session info: proto=17 proto_state=00 duration=328 expire=115 timeout=120 flags=00000000 socktype=0 sockport=0 av_idx=0 use=1
class_id=0 ha_id=0 policy_dir=0 tunnel=/ vlan_cos=255/255
state=new f23
statistic(bytes/packets/allow_err): org=1837500/3750/0 reply=27891290/56921/0 tuples=2
tx speed(Bps/kbps): 5602/44 rx speed(Bps/kbps): 85034/680
orgin->sink: org pre->post, reply pre->post dev=97->0/98->0 gwy=0.0.0.0/0.0.0.0
hook=post dir=org act=snat 10.14.129.1:1025->192.168.214.2:12000(172.14.1.2:57920)
hook=pre dir=reply act=dnat 192.168.214.2:12000->172.14.1.2:57920(10.14.129.1:1025)
misc=0 policy_id=10 auth_info=0 chk_client_info=0 vd=485
serial=00000118 tos=ff/ff app_list=0 app=0 url_cat=0
sdwan_mbr_seq=0 sdwan_service_id=0
rpdb_link_id=00000000 rpdb_svc_id=0 ngfwid=n/a
setup by offloaded-policy: origin=sync-over
O: npid=0/0, in: OID=239/VID=3041, out: NHI=239/VID=3042<---- 'out: NHI' information is synchronized to the secondary unit.

R: npid=0/0, in: OID=239/VID=3042, out: NHI=239/VID=3041 <---- 'out: NHI' information is synchronized to the secondary unit.
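The two session dumps above can be compared mechanically to confirm that the secondary carries the same 'out: NHI' values as the primary. The following helper is an added example, not Fortinet code; it parses the `setup by offloaded-policy` and `O:`/`R:` lines of `diagnose sys session list` output and reports whether the next-hop index is synchronized. The sample excerpts are constructed from the article's output, and STALE is a constructed mismatch used only to exercise the check.

```python
import re

# Constructed excerpts in the format shown above (primary vs. secondary).
PRIMARY = """\
setup by offloaded-policy: origin=native
O: npid=0/0, in: OID=239/VID=3041, out: NHI=239/VID=3042
R: npid=0/0, in: OID=239/VID=3042, out: NHI=239/VID=3041
"""
SECONDARY = """\
setup by offloaded-policy: origin=sync-over
O: npid=0/0, in: OID=239/VID=3041, out: NHI=239/VID=3042
R: npid=0/0, in: OID=239/VID=3042, out: NHI=239/VID=3041
"""
# Constructed mismatch (not real FortiOS output): reply direction has a different NHI.
STALE = """\
setup by offloaded-policy: origin=sync-over
O: npid=0/0, in: OID=239/VID=3041, out: NHI=239/VID=3042
R: npid=0/0, in: OID=239/VID=3042, out: NHI=17/VID=3041
"""

ORIGIN_RE = re.compile(r"setup by offloaded-policy: origin=(?P<origin>[\w-]+)")
DIR_RE = re.compile(
    r"^\s*(?P<dir>[OR]): npid=\d+/\d+, in: OID=(?P<in_oid>\d+)/VID=(?P<in_vid>\d+),"
    r" out: NHI=(?P<out_nhi>\d+)/VID=(?P<out_vid>\d+)",
    re.MULTILINE,
)


def parse_hw_session(text):
    """Extract origin plus per-direction OID/VID/NHI from one hardware session entry."""
    m = ORIGIN_RE.search(text)
    entry = {"origin": m.group("origin") if m else None}
    for d in DIR_RE.finditer(text):
        entry[d.group("dir")] = {k: int(d.group(k)) for k in ("in_oid", "in_vid", "out_nhi", "out_vid")}
    return entry


def nhi_synchronized(primary_text, secondary_text):
    """True when the synced secondary entry carries the primary's out NHI/VID for both directions."""
    p, s = parse_hw_session(primary_text), parse_hw_session(secondary_text)
    if p["origin"] != "native" or s["origin"] != "sync-over":
        return False
    for direction in ("O", "R"):
        if direction not in p or direction not in s:
            return False
        if (p[direction]["out_nhi"], p[direction]["out_vid"]) != (s[direction]["out_nhi"], s[direction]["out_vid"]):
            return False
    return True


if __name__ == "__main__":
    print("synced:", nhi_synchronized(PRIMARY, SECONDARY), "stale:", nhi_synchronized(PRIMARY, STALE))
```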
