AliAllafzadeh
New Contributor III

FortiGate 7.4.2 - FGSP

Hello Everyone,

I need to configure FGSP between two FortiGate 7.4.2 firewalls in Azure with configuration synchronization. You can see my topology:

FGSP.PNG

 

and here are my commands:

FGT-A:

config system standalone-cluster
    config cluster-peer
        edit 1
            set peerip 10.2.27.5
        next
    end
    set standalone-group-id 1
    set group-member-id 1
end

config system ha
    set group-id 10
    set group-name "test"
    set hbdev "port3" 50
    set standalone-config-sync enable
    set priority 200
end

=================================================================================

FGT-B:

config system standalone-cluster
    config cluster-peer
        edit 1
            set peerip 10.2.27.4
        next
    end
    set standalone-group-id 1
    set group-member-id 2
end

config system ha
    set group-id 10
    set group-name "test"
    set hbdev "port3" 50
    set standalone-config-sync enable
    set priority 100
end

 

I can see the session, but the configuration is not synchronized with the second firewall. For example, when I create a policy on FGT-A, I can't see it on FGT-B.

Again, I need to configure FGSP in standalone mode with configuration synchronization. Is there something I didn't do?

Thanks for your help,
Ali

AEK
Honored Contributor II

Hi Ali

Can you share this output?

get system ha status 
AEK
AliAllafzadeh
New Contributor III

Hi AEK,

Sure, here: 
FortiAAC-FGT-A # get system ha status
HA Health Status: OK
Model: FortiGate-VM64-AZURE
Mode: ConfigSync
Group Name: FGSP
Group ID: 79
Debug: 0
Cluster Uptime: 0 days 2:20:20
Cluster state change time: 2024-02-05 05:11:59
Primary selected using:
<2024/02/05 05:11:59> vcluster-1: FGTAZRITKKDAMK24 is selected as the primary because it's the only member in the cluster.
ses_pickup: enable, ses_pickup_delay=disable
override: enable
System Usage stats:
FGTAZRITKKDAMK24(updated 1 seconds ago):
sessions=22, average-cpu-user/nice/system/idle=0%/0%/0%/100%, memory=5%
HBDEV stats:
FGTAZRITKKDAMK24(updated 1 seconds ago):
port3: physical/40000full, up, rx-bytes/packets/dropped/errors=5226888/44474/0/0, tx=8782112/69018/0/0
SessionSync dev stats:
FGTAZRITKKDAMK24(updated 1 seconds ago):
port3: physical/40000full, up, rx-bytes/packets/dropped/errors=5226888/44474/0/0, tx=8782112/69018/0/0
number of member: 1
FortiAAC-FGT-A , FGTAZRITKKDAMK24, HA cluster index = 0
number of vcluster: 1
vcluster 1: work 169.254.0.1
Primary: FGTAZRITKKDAMK24, HA operating index = 0

Thanks,
Ali

AEK
Honored Contributor II

Hi Ali

Node B did not join the cluster. Can they ping each other from port3?

AEK
AliAllafzadeh
New Contributor III

Hi AEK, 
I didn't configure FGCP. Is Configuration Authorization possible without FGCP?
Btw, I can ping port3.
Thanks,
Ali

AEK
Honored Contributor II

Hi Ali

No need to setup FGCP.

Standalone config sync is a kind of cluster, which is why you should see the second node in get sys ha status.

https://docs.fortinet.com/document/fortigate/6.2.15/cookbook/84777/using-standalone-configuration-sy...

Try checking the cluster logs, or use debug to check why node B is not joining.

AEK
AliAllafzadeh
New Contributor III

I checked everything and it seems normal. I also read this guide before.

AEK
Honored Contributor II

Actually, FOS 7.4.2 has quite a lot of issues, so I'll try to do the same on a stable version (7.0.13 or 7.2.6) and I'll let you know. You can try the same from your side.

AEK
ebilcari
Staff

FGSP is used only to share sessions between standalone FGT devices or an FGCP cluster. Since nodes are standalone, the configuration has to be done separately on both nodes.

- Emirjon
AliAllafzadeh

This is not correct. Please read this article:
FGSP Standalone configuration synchronization -> 
Standalone configuration synchronization | FortiGate / FortiOS 7.0.7 | Fortinet Document Library

 

You can configure synchronization from one standalone FortiGate to another standalone FortiGate (standalone-config-sync). With the exception of some configurations that do not sync (settings that identify the FortiGate to the network), the rest of the configurations are synced, such as firewall policies, firewall addresses, and UTM profiles.
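
The `get system ha status` check discussed in this thread can be scripted. The following is an added example, not code from any poster or from Fortinet: it parses an excerpt of the output posted above, reports whether the config-sync peer is listed, and compares the running group ID and name with the values in the posted `config system ha` block. The function names and the `INTENDED` dictionary are hypothetical.

```python
import re

# Excerpt of the `get system ha status` output posted in this thread.
SAMPLE_STATUS = """\
HA Health Status: OK
Model: FortiGate-VM64-AZURE
Mode: ConfigSync
Group Name: FGSP
Group ID: 79
HBDEV stats:
FGTAZRITKKDAMK24(updated 1 seconds ago):
port3: physical/40000full, up, rx-bytes/packets/dropped/errors=5226888/44474/0/0, tx=8782112/69018/0/0
number of member: 1
"""
# Values from the `config system ha` block posted for FGT-A and FGT-B.
INTENDED = {"group_id": 10, "group_name": "test"}

def parse_ha_status(text):
    """Extract the fields that show whether the config-sync peer joined."""
    def field(label, cast=str):
        m = re.search(rf"^{re.escape(label)}:\s*(.+?)\s*$", text, re.M)
        return cast(m.group(1)) if m else None
    # Interface lines look like "port3: physical/40000full, up, rx-bytes/..."
    links = dict(re.findall(r"^(\S+): physical/[^,]*, (\w+),", text, re.M))
    return {"mode": field("Mode"), "group_name": field("Group Name"),
            "group_id": field("Group ID", int),
            "members": field("number of member", int), "hbdev": links}

def check_config_sync(status, intended, want_members=2):
    """Return a list of findings; empty means the peer joined as intended."""
    findings = []
    if status["mode"] != "ConfigSync":
        findings.append(f"mode is {status['mode']!r}, expected 'ConfigSync'")
    if status["members"] != want_members:
        findings.append(f"{status['members']} member(s) listed, expected {want_members}")
    for key, want in intended.items():
        if status[key] != want:
            findings.append(f"running {key} {status[key]!r} != intended {want!r}")
    for port, state in status["hbdev"].items():
        if state != "up":
            findings.append(f"heartbeat interface {port} is {state}")
    return findings

if __name__ == "__main__":
    for finding in check_config_sync(parse_ha_status(SAMPLE_STATUS), INTENDED):
        print("FINDING:", finding)
```

Run against the same command's output on both units; the findings only describe what the output shows and do not by themselves identify why a peer is missing.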
