fgilloteau_FTNT
Description
This article describes options for making session synchronization redundant when using an FGSP cluster.

Solution
To configure FGSP cluster between two FortiGates units, turn on session synchronization with the following options:
# config system ha
    set session-pickup enable
    set session-pickup-connectionless enable
    set session-pickup-expectation enable
    set session-pickup-nat enable
end
Then, define the peer IP address with which sessions are synchronized.

To provide redundancy of session synchronization, use the following configuration options:

1) Use an aggregate interface for session sync. This provides physical (link-level) redundancy.
2) Use BGP to learn the route to the peer IP address. The peer can then be reached through multiple paths.
3) Configure multiple peerip entries that are routed over different physical interfaces.

The following example focuses on the third option:
# config system cluster-sync
    edit 4
        set peerip 10.57.4.137
        set syncvd "root"
    next
    edit 6
        set peerip 10.5.20.137
        set syncvd "root"
    next
end
With the above configuration, session sync uses peer IP 10.57.4.137 by default. If that peer becomes unreachable, it automatically switches to peer IP 10.5.20.137.

To check which peer is used by default, use this command:
# diagnose test application sessionsync 1

HA is not enabled
sync context:
        sync-enabled=0, sync-tcp=1, sync-redir=0, sync-nat=1
        sync-other=1, sync-exp=1, standalone-sync=1, mtu=0
standalone-peers=2, default-peer=10.57.4.137 in vdom=0, kernel-filters=2

To check the list of peers used, use this command:
# diagnose test application sessionsync 3

peer 201: 0.0.0.0 in vsys_ha, ha=1, num-sync-vd=0
peer 202: 0.0.0.0 in vsys_ha, ha=1, num-sync-vd=0
peer 203: 0.0.0.0 in vsys_ha, ha=1, num-sync-vd=0
peer 204: 0.0.0.0 in vsys_ha, ha=1, num-sync-vd=0
peer 4: 10.57.4.137 in root, ha=0, num-sync-vd=1
peer 6: 10.5.20.137 in root, ha=0, num-sync-vd=1

failed retries of SESYNC_PACKET_T_QUERYALL: 20
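As an added example that is not part of this article or of FortiOS, the script below parses the two diagnose outputs shown above (sample text constructed from the article, not captured from a live unit) and checks that every peer configured under cluster-sync appears with ha=0, that the default peer is one of them, and that the QUERYALL retry counter stays under a threshold, so the redundancy can be monitored from collected CLI output.

```python
import re

# Constructed sample output of "diagnose test application sessionsync 1"
# and "... sessionsync 3", taken from the article text (not a live capture).
SYNC_CONTEXT = """HA is not enabled
sync context:
        sync-enabled=0, sync-tcp=1, sync-redir=0, sync-nat=1
        sync-other=1, sync-exp=1, standalone-sync=1, mtu=0
standalone-peers=2, default-peer=10.57.4.137 in vdom=0, kernel-filters=2
"""
PEER_LIST = """peer 201: 0.0.0.0 in vsys_ha, ha=1, num-sync-vd=0
peer 4: 10.57.4.137 in root, ha=0, num-sync-vd=1
peer 6: 10.5.20.137 in root, ha=0, num-sync-vd=1
failed retries of SESYNC_PACKET_T_QUERYALL: 20
"""
PEER_RE = re.compile(r"^peer (\d+): (\S+) in (\S+), ha=(\d), num-sync-vd=(\d+)$")

def parse_context(text):
    """key=value pairs of the 'sessionsync 1' output, e.g. default-peer."""
    return dict(re.findall(r"([\w-]+)=(\S+?)(?:,|\s|$)", text))

def parse_peers(text):
    """Standalone (ha=0) peers as {cluster-sync id: (ip, vdom)}; the ha=1
    entries are not the peers configured under 'config system cluster-sync'."""
    peers = {}
    for line in text.splitlines():
        m = PEER_RE.match(line.strip())
        if m and m.group(4) == "0":
            peers[int(m.group(1))] = (m.group(2), m.group(3))
    return peers

def failed_retries(text):
    """(packet type, count) from the 'failed retries' line, or None."""
    m = re.search(r"failed retries of (\S+): (\d+)", text)
    return (m.group(1), int(m.group(2))) if m else None

def check_sync_health(ctx_text, peer_text, expected, max_retries=0):
    """Compare live state with the intended peers {id: ip}; returns findings."""
    ctx, peers, findings = parse_context(ctx_text), parse_peers(peer_text), []
    for pid, ip in expected.items():
        if peers.get(pid, (None,))[0] != ip:
            findings.append(f"peer {pid} ({ip}) missing from sessionsync peer list")
    if len(peers) < 2:
        findings.append("fewer than two standalone peers: no session-sync redundancy")
    if ctx.get("default-peer") not in {ip for ip, _ in peers.values()}:
        findings.append(f"default peer {ctx.get('default-peer')} is not a configured peer")
    r = failed_retries(peer_text)
    if r and r[1] > max_retries:
        findings.append(f"{r[1]} failed retries of {r[0]}: check reachability of default peer")
    return findings
```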
