Technical Tip: FortiManager in managing FortiGate FGSP cluster

heng · ‎09-08-2023

Description

This article describes how FortiManager manages a FortiGate FGSP (FortiGate Session Life Support Protocol) cluster. Even though FortiGate FGSP is an HA solution, FortiManager views the FortiGate or FortiGate FGCP as individual managed devices. For example: when there are two standalone FortiGate(s) in the FGSP cluster, FortiManager manages it as two different managed devices. If there are N members in the cluster, FortiManager will manage the cluster as N managed devices. FGSP supports from 2 up to 16 standalone FortiGates, or two to 16 FortiGate FGCP clusters of two members each.

Scope

FortiManager, FortiGate FGSP.

Solution

This article assumes the following configuration use case scenario:

FortiGate FGSP is configured with two standalone FortiGate(s). For a configuration guide, refer to the FortiGate admin guide.
If standalone-config-sync is enabled, the FortiGate config system central-management will sync across the cluster member. This means that, upon configuring any member of the cluster, the settings will be synced to other member. In this case, FGSP-A was configured and the central management config was subsequently synced to FGSP-B.

FGSP-A:

FGSP-B:

At this stage, FortiManager will have received two requests to join from each of the FGSP members. Both devices will need to be authorized and managed individually at the FortiManager device level.

Authorize the device and add it into the respective ADOM:

In Device Manager, the managed FGSP cluster will appear as two managed devices.

Lastly, since the cluster is FGSP, it is possible to assign a single policy package or same policy package to provision for both members if standalone-config-sync is enabled for the FGSP cluster. Step 4 illustrates that both members are set as the install target with the same policy package named TFW_PP.