Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
AEK
Honored Contributor

UTM fail-over on FGSP

Hello

I have 4 FGT 7.0.12 of the same model in FGSP configuration (no HA), handling asymmetric traffic.

For non-UTM sessions, when testing failover (FGT reboot) all works fine, the sessions keep working when the node fails-over and fails-back.

However for UTM sessions the fail-over doesn't work when we have 4 nodes.

If the FGT handling the UTM session is rebooted, the session hangs until the node boots up, then it handles back its UTM session.

When I remove 2 FGT from my network and redo the test with only 2 FGT the fail-over works just fine.

 

In summary:

  • Non-UTM session fails-over successfully when we have 4 nodes
  • UTM session fails-over successfully when we have 2 nodes, but hangs with 4 nodes

Any idea?

 

AEK
AEK
1 Solution
AlexC-FTNT
Staff
Staff

Generally speaking asymmentric traffic is not recommended and we do not support such setups.

UTM Inspection on asymmetric traffic in FGSP is not supported for over 2 units. Support was introduced in 6.4 (587694), but only for 2 units.

 

Logically thinking, for a session that is inspected, the FG needs to intercept the handshake, the request, the session start. For asymmetric traffic, anything after a failover or path change is just regular traffic. 
https://community.fortinet.com/t5/FortiGate/Technical-Note-How-the-FortiGate-behaves-when-asymmetric...
" No security inspection will be performed:"

Even if this behavior is somehow supported/implemented - it may be best to check with your local Fortinet System Engineer for testing/advice.



- Toss a 'Like' to your fixxer, oh Valley of Plenty! and chose the solution, too00oo -

View solution in original post

3 REPLIES 3
AlexC-FTNT
Staff
Staff

Generally speaking asymmentric traffic is not recommended and we do not support such setups.

UTM Inspection on asymmetric traffic in FGSP is not supported for over 2 units. Support was introduced in 6.4 (587694), but only for 2 units.

 

Logically thinking, for a session that is inspected, the FG needs to intercept the handshake, the request, the session start. For asymmetric traffic, anything after a failover or path change is just regular traffic. 
https://community.fortinet.com/t5/FortiGate/Technical-Note-How-the-FortiGate-behaves-when-asymmetric...
" No security inspection will be performed:"

Even if this behavior is somehow supported/implemented - it may be best to check with your local Fortinet System Engineer for testing/advice.



- Toss a 'Like' to your fixxer, oh Valley of Plenty! and chose the solution, too00oo -
AEK
Honored Contributor

Hello Alex

Thanks for the useful info. This explain many things.

I think Fortinet didn't publish much information regarding FGSP.

Also I couldn't find this info regarding 2 FGSP nodes limitation with UTM anywhere on admin guide, release notes, etc...

I'd appreciate if you can help with this.

 

AEK
AEK
AlexC-FTNT

Hi AEK,

It's not very clear even internally where the limitation comes from.
This is why someone may need to follow up with development on this one.


- Toss a 'Like' to your fixxer, oh Valley of Plenty! and chose the solution, too00oo -
Labels
Top Kudoed Authors