FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
Article Id 193347

This article explains possible redundancy solutions for session synchronization in an FGSP cluster.

Any supported version of FortiGate.

To configure an FGSP cluster between two FortiGate units, turn on session synchronization with the following configuration:

# config system ha
    set session-pickup enable
    set session-pickup-connectionless enable
    set session-pickup-expectation enable
    set session-pickup-nat enable
end
Next, define the peer IP address with which sessions are synchronized.

To provide redundancy for session synchronization, use one of the following configuration options:

1) Use an aggregate interface for session sync. This provides physical (link-level) redundancy.
2) Use BGP to learn the IP address of the peer. The peer can then be reached through multiple paths.
3) Use multiple peerip entries that are routed over different physical interfaces.

The following example focuses on the third option:

# config system cluster-sync
    edit 4
        set peerip
        set syncvd "root"
    next
    edit 6
        set peerip
        set syncvd "root"
    next
end
With the configuration above, session sync uses one of the configured peer IPs by default. If that peer becomes unreachable, it automatically switches to the other peer IP.

To check which peer is used by default, run the following command (example output follows):

# diagnose test application sessionsync 1

HA is not enabled

sync context:
        sync-enabled=0, sync-tcp=1, sync-redir=0, sync-nat=1
        sync-other=1, sync-exp=1, standalone-sync=1, mtu=0
standalone-peers=2, default-peer= in vdom=0, kernel-filters=2
To check the list of configured peers, use this command:

# diagnose test application sessionsync 3

peer 201: in vsys_ha, ha=1, num-sync-vd=0

peer 202: in vsys_ha, ha=1, num-sync-vd=0
peer 203: in vsys_ha, ha=1, num-sync-vd=0
peer 204: in vsys_ha, ha=1, num-sync-vd=0
peer 4: in root, ha=0, num-sync-vd=1
peer 6: in root, ha=0, num-sync-vd=1

failed retries of SESYNC_PACKET_T_QUERYALL: 20
Starting with FortiOS 6.4.10, group-member-id is introduced to identify peer members. This value must be unique on every cluster member, or the following error message will appear in the session sync debug output:

# diagnose debug application sessionsync -1
[pid-567 standalone_process_heartbeat()-424] Duplicated member-id from peer is detected! Please configure different member-id for each peer.
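The two diagnose commands above and the debug message are what an operator would collect to verify that session sync really has a failover peer. The following is an added example, not part of this article and not Fortinet code: a small Python checker that parses captured output in the shape of `diagnose test application sessionsync 1` and `sessionsync 3`, confirms that at least two standalone (non-HA) peers sync the configured VDOM, reports failed retries, and flags the duplicated member-id message from the debug output. The sample texts embedded in it are constructed from the output formats shown above; the peer address 192.0.2.1 is a documentation address, not from any real device.

```python
import re

# Constructed sample in the shape of "diagnose test application sessionsync 1".
SAMPLE_CONTEXT = """\
HA is not enabled

sync context:
        sync-enabled=0, sync-tcp=1, sync-redir=0, sync-nat=1
        sync-other=1, sync-exp=1, standalone-sync=1, mtu=0
standalone-peers=2, default-peer=192.0.2.1 in vdom=0, kernel-filters=2
"""

# Constructed sample in the shape of "diagnose test application sessionsync 3".
SAMPLE_PEERS = """\
peer 201: in vsys_ha, ha=1, num-sync-vd=0
peer 202: in vsys_ha, ha=1, num-sync-vd=0
peer 4: in root, ha=0, num-sync-vd=1
peer 6: in root, ha=0, num-sync-vd=1

failed retries of SESYNC_PACKET_T_QUERYALL: 20
"""

# Constructed sample line in the shape of "diagnose debug application sessionsync -1".
SAMPLE_DEBUG = """\
[pid-567 standalone_process_heartbeat()-424] Duplicated member-id from peer is detected! Please configure different member-id for each peer.
"""

KV_RE = re.compile(r"([\w-]+)=([^\s,]*)")
PEER_RE = re.compile(r"^peer\s+(\d+):\s+in\s+(\S+),\s+ha=(\d),\s+num-sync-vd=(\d+)", re.M)
RETRY_RE = re.compile(r"failed retries of (\S+):\s*(\d+)")
DUP_RE = re.compile(r"Duplicated member-id from peer")


def parse_sync_context(text):
    """Flatten every key=value token of the 'sessionsync 1' output into a dict.
    Purely numeric values become ints; the default-peer address stays a string."""
    ctx = {}
    for key, val in KV_RE.findall(text):
        ctx[key] = int(val) if val.isdigit() else val
    return ctx


def parse_peers(text):
    """Return (peers, retries) from the 'sessionsync 3' output.
    peers: list of dicts with id, vdom, ha flag and num_sync_vd.
    retries: dict mapping packet type name to failed retry count."""
    peers = [{"id": int(i), "vdom": vd, "ha": h == "1", "num_sync_vd": int(n)}
             for i, vd, h, n in PEER_RE.findall(text)]
    retries = {name: int(cnt) for name, cnt in RETRY_RE.findall(text)}
    return peers, retries


def check_redundancy(ctx, peers, retries, syncvd="root"):
    """Return a list of findings; an empty list means session sync has a
    standby peer for the given VDOM and no failed retries were reported."""
    findings = []
    if ctx.get("standalone-sync") != 1:
        findings.append("standalone-sync is not enabled")
    # Only non-HA peers that actually sync at least one VDOM count as FGSP peers.
    standalone = [p for p in peers
                  if p["vdom"] == syncvd and not p["ha"] and p["num_sync_vd"] > 0]
    if len(standalone) < 2:
        findings.append(f"only {len(standalone)} standalone peer(s) sync vdom {syncvd}; no failover peer")
    if ctx.get("standalone-peers") != len(standalone):
        findings.append(f"standalone-peers={ctx.get('standalone-peers')} but {len(standalone)} peer(s) listed")
    if not ctx.get("default-peer"):
        findings.append("no default peer elected")
    for name, cnt in retries.items():
        if cnt > 0:
            findings.append(f"{cnt} failed retries of {name}")
    return findings


def has_duplicate_member_id(debug_text):
    """True when the debug output carries the duplicated member-id error."""
    return bool(DUP_RE.search(debug_text))


if __name__ == "__main__":
    ctx = parse_sync_context(SAMPLE_CONTEXT)
    peers, retries = parse_peers(SAMPLE_PEERS)
    for f in check_redundancy(ctx, peers, retries):
        print("WARN:", f)
    if has_duplicate_member_id(SAMPLE_DEBUG):
        print("WARN: duplicated group-member-id on a peer; set a unique value on each member")
```

On the constructed sample this reports only the 20 failed retries, since two standalone peers (4 and 6) sync the root VDOM; removing one of them makes the checker report the missing failover peer and the mismatch with `standalone-peers`.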


Refer to the following community article for more information: