Help
FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
fgilloteau_FTNT
Staff
Staff

Created on ‎09-11-2019 05:25 AM Edited on ‎10-01-2023 09:47 PM By Community Manager

Article Id 193347

Technical Tip: How to configure FGSP peer redundancy

Description


This article explains possible redundancy solutions for use with FGSP cluster and session sync.

 

Scope

 

Any supported version of FortiGate.

Solution

 

Stephen_G_0-1678808221986.png

 
To configure an FGSP cluster between two FortiGates units, turn on session synchronization with the following configuration:

config system ha
    set session-pickup enable
    set session-pickup-connectionless enable
    set session-pickup-expectation enable
    set session-pickup-nat enable
end
 
Next, define the peer IP address with which to sync the session.
 

To provide redundancy of session synchronization, use the following configuration options:

 

  1. Use an aggregate interface to do session sync. This provides physical redundancy.
  2. Use BGP to receive the IP address of the peer. The peer can be received through multiple paths.
  3. Use multiple peerip which are routed over different physical interfaces.

 

The following example focuses on the third option:


config system cluster-sync
    edit 4
        set peerip 10.57.4.137
        set syncvd "root"
    next
    edit 6
        set peerip 10.5.20.137
        set syncvd "root"
    next
end
 
With the configuration above, session sync will use peer IP 10.57.4.137. If the peer becomes unreachable, it will automatically use peer IP 10.5.20.137.

To check which peer is used by default, run the following command (example output is attached):
 
diagnose test application sessionsync 1
HA is not enabled
sync context:
sync-enabled=0, sync-tcp=1, sync-redir=0, sync-nat=1
sync-other=1, sync-exp=1, standalone-sync=1, mtu=0
standalone-peers=2, default-peer=10.57.4.137 in vdom=0, kernel-filters=2
 
To check the list of peers used, use this command:

diagnose test application sessionsync 3
peer 201: 0.0.0.0 in vsys_ha, ha=1, num-sync-vd=0
peer 202: 0.0.0.0 in vsys_ha, ha=1, num-sync-vd=0
peer 203: 0.0.0.0 in vsys_ha, ha=1, num-sync-vd=0
peer 204: 0.0.0.0 in vsys_ha, ha=1, num-sync-vd=0
peer 4: 10.57.4.137 in root, ha=0, num-sync-vd=1
peer 6: 10.5.20.137 in root, ha=0, num-sync-vd=1
failed retries of SESYNC_PACKET_T_QUERYALL: 20
 
Starting FortiOS 6.4.10 group-member-id is introduced to identify peers members. This value must be unique in every cluster member or the following error message will appear:
 
diagnose debug application sessionsync -1
 
Version 6.4:
 
[pid-567 standalone_process_heartbeat()-424] Duplicated member-id from peer 10.64.116.26 is detected! Please configure different member-id for each peer.
 
Version 7.0:
 
[pid-231 standalone_process_heartbeat()-421] Duplicated member-id from peer 10.64.116.26 is detected! Please configure different member-id for each peer.

FGSP cluster will still be formed but some functions may not work properly.

 

Refer to the following community article for more information:

Technical Tip: How to configure multiple links for FGSP peer redundancy

3196
Submit Article Idea
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2024 Fortinet, Inc. All Rights Reserved.