Created on 11-17-2022 05:44 AM Edited on 11-17-2022 05:56 AM By Anthony_E
Description | This article provides additional information about the FortiGate Session Life Support Protocol (FGSP). |
Scope | FortiGate 6.4 and 7.0 |
Solution |
What is FGSP? The FortiGate Session Life Support Protocol distributes sessions between two entities; in the configuration discussed here, these are two standalone FortiGates. If one FortiGate fails, its active sessions fail over to the surviving peer. For this to work, the external routers must detect the failure and redirect traffic to the surviving peer, and that peer must have enough processing capacity to carry all of the sessions on its own.
Are both devices active in an FGSP cluster? Yes. Each device forwards traffic with its own IP addresses: interface IP addresses are unique per device, but VLANs, LAGs and similar interfaces must have the same names on both devices.
All devices in the cluster running FGSP must be the same hardware model and must be running the same firmware.
The sessions that can be synced are IPv4 and IPv6 TCP, UDP, ICMP, expectation sessions, NAT sessions, asymmetric sessions, IKE routes and IPsec tunnels. Which of these session types are synced, and which sessions are synced (filtered by interface or address), can be configured manually.
Sessions with flow- or proxy-based security profiles are not expected to work properly if the traffic of a single session is load balanced across several FortiGates in either direction; flow-based inspection does work in an FGSP deployment as long as all traffic of a session passes through the same FortiGate. IPsec keys and other runtime data are synced: after a failover the IPsec tunnels are re-established, but all existing sessions inside the tunnels must be restarted. Interfaces on the FortiGates that are tunnel endpoints must have the same IP address, and the external routers must load balance the IPsec tunnel sessions to the FortiGates.
It is possible to enable config sync (standalone-config-sync) in an FGSP deployment, with the following limitations:
- All members of the standalone-config-sync group upgrade firmware simultaneously, so a firmware upgrade causes a network interruption.
- Unwanted configuration parameters may be synced.
Because of these limitations, it is recommended to sync the configuration between the cluster devices by another method.
What protocols and ports are used to sync the sessions? The FortiGate HA heartbeat uses TCP/703, UDP/703 and Ethernet type 8890 (Layer 2). FGSP session sync packets use Ethernet type 8892 when the peers are connected at Layer 2, or UDP/708 between the peer IP addresses when user-space session sync is used.
To use FGSP, the following must be configured:
Is user traffic impacted when session sync is slower than the server response time? It can be, but only when user-space session sync (IP-peer, UDP/708) is used: if the server's reply reaches the second FortiGate before the session record has been synced to it, that FortiGate has no matching session and drops the packet. To avoid this, use kernel session sync with a dedicated session-sync-dev and layer2-connection enabled.
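As an added example (not configuration from the original article), the following is a minimal FGSP configuration for the first of two standalone FortiGates, written with FortiOS 7.0 command paths. It enables sync of all session types (TCP, connectionless, expectation and NAT), uses kernel (Layer 2) session sync over a dedicated link, and restricts sync to sessions that enter on one interface and leave on another. The interface names, the group ID, the sync-link address 10.10.10.2 and the choice of port5 as the sync link are assumptions for the example. On 6.4 the peer entry is configured under config system cluster-sync and session-sync-dev sits under config system ha instead; check the CLI reference of the running build.

```fortios
# FortiGate A of a two-member FGSP cluster (example values; interface names,
# group ID and addresses are assumptions for this example)
config system ha
    # sync TCP sessions
    set session-pickup enable
    # also sync UDP and ICMP sessions
    set session-pickup-connectionless enable
    # also sync expectation sessions (for example FTP data channels)
    set session-pickup-expectation enable
    # also sync NAT sessions
    set session-pickup-nat enable
end

config system standalone-cluster
    # both members use the same group ID; member IDs differ (FortiGate B uses 2)
    set standalone-group-id 1
    set group-member-id 1
    # peers share a Layer 2 segment on the sync link: use kernel (Ethernet 8892)
    # sync instead of user-space UDP sync between the peer IP addresses
    set layer2-connection available
    # dedicated sync link; do not carry user traffic on it
    set session-sync-dev "port5"
    config cluster-peer
        edit 1
            # address of FortiGate B on the sync link
            set peerip 10.10.10.2
            set syncvd "root"
            # only sync sessions entering on port1 and leaving on port2
            config session-sync-filter
                set srcintf "port1"
                set dstintf "port2"
            end
        next
    end
end
```

FortiGate B mirrors this with group-member-id 2 and peerip 10.10.10.1, and its port5 carries the address 10.10.10.2. After both sides are configured, diagnose sys session sync shows the sync state and counters, and sessions created on one device appear in diagnose sys session list on the other. The filter keeps sessions on unrelated interfaces (for example management traffic) out of the sync stream; without it, every session matching the enabled types is synced.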
|
Copyright 2024 Fortinet, Inc. All Rights Reserved.