Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
atyler555
New Contributor II

FortiGate HA does not offer stateful failover?

Hi everyone, I've been going through a full evaluation of the FortiGate product.  We are a SonicWALL shop today and have finally made the decision to start moving toward FortiGate.  We have about 50 firewalls in our environment and use OSPF for dynamic routing.  So far things have been going well, we are even playing with the FortiManager central management platform.

 

Up to this point, FortiGate has proven to be superior, however one discovery I've just made is that FortiGate HA seems to not offer the stateful HA failover feature that SonicWALL does.  The biggest benefit to this is that no IPSec VPNs need to renegotiate during an HA failover event.  I was floored.  This feature has been a standard with any SonicWALL HA pair we've deployed, happy to pay the additional license to prevent VPN hiccups during an HA event.  Can anyone from the forums provide some insight as to why this feature is missing on the FortiGate line?

 

Regards,

Adam Tyler

 

Snap22.jpg

7 REPLIES 7
Toshi_Esumi
Esteemed Contributor III

Do you have "set session-pickup enable" configured under "config sys ha"?

 

Toshi

atyler555

We haven't implemented an HA pair yet with FortiGate.  Simply working with a consultant that mentioned this stateful HA feature was not available on the FortiGate platform.  Are you saying that he was mistaken, and this "session-pickup" feature is an apples-to-apples comparison to the SonicWALL HA feature I've described?

Toshi_Esumi
Esteemed Contributor III

Different provider's FWs use different terminology to describe its features.
At least FGT's "sessions" keep states of all TCP, UDP, even ICMP with "5-tupple"(https://www.techopedia.com/definition/28190/5-tuple) for the "stateful" operation.


With FGT, "session pickup" is used to describe seamless (as much as possible) HA failover.

https://docs.fortinet.com/document/fortigate/7.4.1/fortigate-7000e-administration-guide/66351/sessio...


Palo Alto seems to use "session synchronization" for the same feature in HA.
https://live.paloaltonetworks.com/t5/best-practice-assessment-device/high-availability-ha2-session-s...

 

Since you already decided to get FGTs, get the fist pair and set the HA up with that option and test the fail-over. I believe at least IPsecs would be kept up if the routing/interface IP are statically set up.

 

If you still have doubts, contact an FTNT SE via the partner sales you're planning to get those FGTs from and ask more detail about HA operation. They would likely let you get a pair of demo units to test with for whatever you need to test before getting 50 of them. Just ask them.

 

Even if both used the same terminology, that doesn't necessarily mean they would behave the same when HA fail-over happens, while HA is NOT a standardized protocol. You wouldn't know until you test it. I never touched SonicWall so I never tested its behavior. therefore I wouldn't be able to tell if exactly the same.

Toshi

atyler555

Apologies for the delayed response, I've been sidetracked.

 

I think the point I am trying to clarify is related to this statement...

"With FGT, "session pickup" is used to describe seamless (as much as possible) HA failover."

 

SonicWALL has taken this a step further and is able to maintain all VPN states between HA devices.  When you failover between units, ALL VPNs remain online and they do not need to renegotiate.

 

Based on the FG documentation you forwarded; I am seeing this...

"Also included in this category are IPsec VPN, SSL VPN, sessions terminated by the cluster, and explicit proxy sessions. In general, whether or not session-pickup is enabled, these sessions do not failover and have to be restarted."

 

I am really surprised that FG doesn't offer the same HA protection that the SonicWALL product can.  Wild.

Toshi_Esumi
Esteemed Contributor III

or "Session pickup" option in GUI.

Debbie_FTNT
Staff
Staff

Hey atyler555,

 

there are in fact some settings on FortiGate to ensure IPSec VPN is not interrupted during a failover:
https://community.fortinet.com/t5/FortiGate/Technical-Tip-IPSec-VPN-in-HA-Environment/ta-p/195849

 

In particular this setting: ha-sync-esp-seqno ensures that active IPSec VPN tunnels are synced between HA nodes; the KB above includes some diagnose commands towards the end you can run on a secondary device to verify that the active IPSec tunnels are synced between the nodes.

+++ Divide by Cucumber Error. Please Reinstall Universe and Reboot +++
Toshi_Esumi
Esteemed Contributor III

Since I didn't know about this setting, I went back to some of our customer's IPSecs to check this "ha-sync-esp-seqno" setting. It appeared that this is enabled by default. All of them had "enable" in the config although we never touched because we didn't know.

Toshi

Labels
Top Kudoed Authors