cborgato_FTNT
Article Id 196776
Description
This article describes how to configure a FortiGate HA cluster when the volume of session synchronization traffic is very high and, possibly, the two (or more) FortiGates are remotely connected via HA ports.

Using the session-sync-dev option it is possible to select one or more FortiGate interfaces to use for synchronizing sessions as required for session pickup. Normally session synchronization occurs over the HA heartbeat link.

Moving session synchronization from the HA heartbeat interface reduces the bandwidth requirements of the HA heartbeat interface and may improve the efficiency and performance of the cluster, especially if the cluster is synchronizing a large number of sessions. Load balancing session synchronization among multiple interfaces can further improve performance and efficiency if the cluster is synchronizing a large number of sessions.

Solution
When session-sync-dev is set, only the selected interfaces are used for session synchronization and not the HA heartbeat link. If more than one interface is selected, session synchronization traffic is load balanced among the selected interfaces.

Use the following command to perform cluster session synchronization using the port10 and port12 interfaces:

config system ha
    set session-sync-dev port10 port12
end

Session synchronization packets use Ethertype 0x8892. The interfaces to use for session synchronization must be connected together either directly using the appropriate cable (possible if there are only two units in the cluster) or using switches. If one of the interfaces becomes disconnected the cluster uses the remaining interfaces for session synchronization. If all of the session synchronization interfaces become disconnected, session synchronization reverts back to using the HA heartbeat link. All session synchronization traffic is between the primary unit and each subordinate unit.
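
One way to check from packet captures that session synchronization is running on the session-sync-dev interfaces and has not fallen back to the heartbeat link, as an added Python example (not Fortinet code). It classifies frames by the EtherType 0x8892 given above; the heartbeat interface name port3, the VLAN-tag handling for switched links and all sample frames are assumptions constructed for the illustration.

```python
import struct
from collections import Counter

SESSION_SYNC_ETHERTYPE = 0x8892   # value stated in the article
VLAN_TPIDS = {0x8100, 0x88A8}     # 802.1Q / 802.1ad tags an intermediate switch may add

def payload_ethertype(frame):
    """EtherType of an Ethernet II frame after any VLAN tags, or None if truncated."""
    offset = 12                   # skip destination and source MAC addresses
    while len(frame) >= offset + 2:
        (etype,) = struct.unpack_from("!H", frame, offset)
        if etype not in VLAN_TPIDS:
            return etype
        offset += 4               # skip TPID + TCI and read the next type field
    return None

def audit(captures, sync_devs):
    """captures: (interface, raw frame) pairs. Returns (counts, stray, silent).

    counts: session-sync frames seen per interface
    stray:  interfaces outside sync_devs carrying session sync (for example the
            heartbeat link after all session-sync-dev interfaces went down)
    silent: configured sync_devs on which no session-sync frame was seen
    """
    counts = Counter(iface for iface, frame in captures
                     if payload_ethertype(frame) == SESSION_SYNC_ETHERTYPE)
    stray = sorted(set(counts) - set(sync_devs))
    silent = sorted(set(sync_devs) - set(counts))
    return counts, stray, silent

def make_frame(etype, vlan=None):
    """Build a constructed test frame (made-up MAC addresses, dummy payload)."""
    hdr = bytes.fromhex("020000000002") + bytes.fromhex("020000000001")
    if vlan is not None:
        hdr += struct.pack("!HH", 0x8100, vlan)
    return hdr + struct.pack("!H", etype) + b"\x00" * 46

SYNC_DEVS = {"port10", "port12"}  # interfaces from the article's command
# Constructed captures; port3 stands in for the HA heartbeat interface (assumed name).
HEALTHY = [("port10", make_frame(0x8892)), ("port10", make_frame(0x8892, vlan=100)),
           ("port12", make_frame(0x8892)), ("port3", make_frame(0x0800)),
           ("port10", b"\x02\x00\x00")]            # truncated frame is ignored
FALLBACK = [("port3", make_frame(0x8892))]          # sync seen only on the heartbeat link

if __name__ == "__main__":
    for name, capture in (("healthy", HEALTHY), ("fallback", FALLBACK)):
        counts, stray, silent = audit(capture, SYNC_DEVS)
        print(name, dict(counts), "stray:", stray, "silent:", silent)
```
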
