FortiGate
adebeer_FTNT
Staff
Article Id 230154
Description This article provides additional information about the FortiGate Session Life Support Protocol (FGSP).
Scope FortiGate 6.4 and 7.0
Solution

What is FGSP?

FortiGate Session Life Support Protocol distributes sessions between 2 entities. In the configuration described in the ticket, these are 2 standalone FortiGates. If one FortiGate fails, the active sessions fail over to the working peer. For this to work, the external routers must detect the failover and redirect the traffic for those sessions to the active peer. When using session sync, it is important to ensure that the remaining device has enough processing power to handle all of the sessions if a failover occurs.


Are both devices active in a FGSP cluster?

Each device communicates with its own IP address. Interface IP addresses are unique per device, but VLANs, LAGs, etc. must have the same names on both devices.


What are the requirements for FGSP?

All devices in the cluster running FGSP must be the same hardware model and must be running the same firmware.


Which sessions can be synced?

The sessions that can be synced are IPv4 and IPv6 TCP, UDP, ICMP, expectation sessions, NAT sessions, asymmetric sessions, IKE routes, and IPsec tunnels. It is possible to manually decide and configure which session types to sync.


Which sessions will have issues during failover?

Sessions with flow-based or proxy-based security profiles are not expected to work properly if the traffic in the session is load balanced across several FortiGates in either direction. However, flow-based inspection will work in an FGSP deployment. IPsec keys and other runtime data are synced: IPsec tunnels will be re-established, but all existing tunnel sessions must be restarted. Interfaces on the FortiGates that are tunnel endpoints must have the same IP address, and the external routers need to load balance the IPsec tunnel sessions to the FortiGates.


What about config sync?

It is possible to enable config sync in an FGSP deployment. However, note the following limitations:

- Network interruptions will occur during firmware upgrade, because all members in the standalone-config-sync group upgrade simultaneously.
- Unwanted configuration parameters may be synced.
- The wrong primary device might be used accidentally. It is important to select the correct device as the primary device.

Due to these limitations, it is recommended to sync the configuration between the cluster devices in another way.


What are the protocols and ports used to sync the sessions?

The FortiGate HA heartbeat listens on the following ports and protocols: TCP/703, TCP/23, or Ethernet Layer 2 type 8890 on port 6066. Session sync packets use Ethernet Layer 2 type 8892.


Which parameters are necessary to use FGSP?

To use FGSP, the following must be configured:
- Parameters to find the peer with which sessions are sent and received.
- Parameters to send the sessions in the local session table to the peers and to keep the synced sessions up to date.
- Parameters to receive the sessions from the peer and keep the local session table in sync with the received sessions.


Is user traffic impacted when the session sync is slower than server response time?

This can happen only when user-space session sync (IP peer, UDP 708) is used. To avoid it, use kernel session sync with a dedicated session-sync-dev and layer2-connection enabled.
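As an added example that is not part of this article, the following FortiOS 6.4/7.0 CLI configuration covers the three parameter groups listed above (peer discovery, which sessions to send, how to receive and keep them in sync) and the kernel-sync recommendation in this last answer. The interface names, addresses and group IDs are constructed values; the weak variant is shown commented out beside the recommended one.

```fortios
# Added example, not from the article: FGSP between two standalone FortiGates
# (FGT-A shown). Interface names, addresses and IDs are constructed; FGT-B uses
# the mirror values (group-member-id 2, peerip 10.10.10.1).

# Weak variant: IP peer only. Without session-sync-dev the sync runs in user
# space over UDP 708 and can lag behind fast server responses.
#   config system cluster-sync
#       edit 1
#           set peerip 10.10.10.2
#           set syncvd "root"
#       next
#   end

# Recommended variant: kernel session sync over a dedicated Layer 2 link.
# standalone-group-id must match on both peers; group-member-id is unique.
config system standalone-cluster
    set standalone-group-id 1
    set group-member-id 1
    set layer2-connection enable
    set session-sync-dev port3
end

# Peer discovery and which VDOM's sessions to sync (peerip = FGT-B's port3).
# down-intfs-before-sess-sync keeps the data ports down until the initial
# sync completes, so the external routers do not steer traffic to a peer
# whose session table is still empty.
config system cluster-sync
    edit 1
        set peerip 10.10.10.2
        set syncvd "root"
        set down-intfs-before-sess-sync "port1" "port2"
    next
end

# Which session types are sent to the peer (session-pickup is required;
# the connectionless, expectation and NAT options cover the types listed
# in the "Which sessions can be synced?" answer).
config system ha
    set session-pickup enable
    set session-pickup-connectionless enable
    set session-pickup-expectation enable
    set session-pickup-nat enable
end
```

After both peers are configured, `diagnose sys session sync` shows the peer state and the sync counters, which is the quickest way to confirm that kernel sync over port3 is in use rather than the UDP 708 path.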