qyah
Staff
Article Id 351699
Description This article describes how the firewall policy hit count updates only on the first FortiGate in an FGSP cluster.
Scope FortiGate, FortiOS v7.4.X
Solution
  1. In the example below, the first FortiGate is the first device that joined the FGSP cluster and the second FortiGate is the second device that joined the cluster. The FGSP cluster can be configured by referring to the administration guide.

 

qyah_0-1729653779522.png

 

qyah_1-1729653779523.png

 

  1. On the first FortiGate, observe that the policy hit count increases when the session has been synced among the FortiGates:

The following shows that the hit count increased on the first FortiGate:

 

qyah_2-1729653779525.png

 

The following shows that the hit count does not update on the second FortiGate:

 

qyah_3-1729653779527.png

 

  1. The session table shows that the session is being synced from the first FortiGate to the second FortiGate:

FGSP_First.png

 

  1. From the session table below, observe that the session is being synced to the second FortiGate from the first FortiGate:

FGSP_Second.png

 

  1. The knowledge base article below can be referred to for configuring FGSP session synchronization and configuration synchronization.
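
The behavior above means a policy can carry synced sessions on the second FortiGate while its hit count there stays at zero. The following is an added example, not part of the original article or Fortinet code: it parses saved session-table text and lists such policies. The sample text is constructed, and its field layout (`session info:`, `state=... synced`, `policy_id=`) and the `hit_counts` dictionary are assumptions to adjust to the actual output.

```python
import re
from collections import Counter

# Constructed sample in the general layout of a FortiGate session table dump.
# The exact field layout is an assumption; adjust the patterns to real output.
SAMPLE = """\
session info: proto=6 proto_state=01 duration=12 expire=3587 timeout=3600
state=log may_dirty synced
misc=0 policy_id=3

session info: proto=6 proto_state=01 duration=40 expire=3559 timeout=3600
state=log may_dirty synced
misc=0 policy_id=3

session info: proto=17 proto_state=00 duration=5 expire=175 timeout=180
state=log may_dirty
misc=0 policy_id=5
"""


def synced_sessions_per_policy(text):
    """Return Counter {policy_id: sessions whose state line has 'synced'}."""
    counts = Counter()
    # Split the dump into one block per session, keeping each header line.
    for block in re.split(r"(?m)^(?=session info:)", text):
        state = re.search(r"(?m)^state=(.*)$", block)
        policy = re.search(r"\bpolicy_id=(\d+)", block)
        if state and policy and "synced" in state.group(1).split():
            counts[int(policy.group(1))] += 1
    return counts


def synced_but_zero_hits(session_text, hit_counts):
    """Policy IDs holding synced sessions on this member with a hit count of 0.

    hit_counts is a hypothetical {policy_id: hit_count} mapping transcribed
    from the policy list of the same FortiGate.
    """
    synced = synced_sessions_per_policy(session_text)
    return sorted(p for p in synced if hit_counts.get(p, 0) == 0)


if __name__ == "__main__":
    print(synced_sessions_per_policy(SAMPLE))
    print(synced_but_zero_hits(SAMPLE, {3: 0, 5: 0}))
```
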