
Configuring FGSP HA cluster-sync instances

You use the following command to configure an FGSP HA cluster-sync instance.

config system cluster-sync
    edit 1
        set peerip <peer-ip-address>
        set peervd <vdom-name>
        set syncvd <vdom-name>
    end

Where:

peerip is the IP address of an interface of another FortiGate in the FGSP cluster that this configuration synchronizes sessions to.

peervd is the name of the VDOM on the other FortiGate that should be synchronized with this one. By default the peervd is root.

syncvd is the name of the VDOM of the FortiGate that should be synchronized with the other FortiGate. If multiple VDOMs are not enabled syncvd should be set to root.

Note: For FGSP HA to work properly, all VDOMs to be synchronized must be added to all of the FortiGates in the cluster. The names of the matching interfaces in each VDOM must also be the same; this includes the names of matching VLAN interfaces. The index numbers of the matching interfaces and VLAN interfaces can be different, and the VLAN IDs of the matching VLAN interfaces can also be different. If you enable configuration synchronization, this happens automatically.

This command creates a cluster-sync instance that causes a FortiGate to synchronize the TCP sessions of one of its VDOMs (by default the root VDOM) to the root VDOM of another FortiGate, which thereby becomes another member of the FGSP cluster. You can also use the config system ha command to synchronize more session types and to synchronize the configuration. Cluster-sync instances themselves are not synchronized and must be added to each FortiGate in the cluster.

A cluster of two FortiGates would only require one cluster-sync instance for each VDOM to be synchronized. This instance would synchronize the sessions from the root VDOM of one FortiGate to the root VDOM of the other. The second FortiGate would also include a cluster-sync instance to synchronize its root VDOM with the other FortiGate's root VDOM.

In a multiple VDOM configuration, you add a separate cluster-sync instance for each VDOM to be synchronized. You don’t have to synchronize all VDOMs. If multiple VDOMs are enabled, the config system cluster-sync command is a global command.

FGSP clusters with three or more FortiGates

If an FGSP cluster includes three or more FortiGates you must explicitly define all of the cluster-sync instances that you need. In a cluster of four FortiGates, each FortiGate can synchronize with up to three other FortiGates, so to synchronize all of the FortiGates you must add three cluster-sync instances to each FortiGate (or n-1, where n is the number of FortiGates in the cluster).

Selecting the sessions to synchronize

You can add a cluster-sync instance with a filter to only synchronize some sessions. A filter can be added to a cluster-sync instance as follows:

config system cluster-sync
    edit 1
        set peerip <peer-ip-address>
        set peervd <vdom-name>
        set syncvd <vdom-name>
        config session-sync-filter
            set srcintf <interface-name>
            set dstintf <interface-name>
            set srcaddr x.x.x.x x.x.x.x
            set dstaddr x.x.x.x x.x.x.x
            set srcaddr6 ::/x
            set dstaddr6 ::/x
        end
    end

You can use the filter to only synchronize sessions according to the session source and destination interface and IPv4 or IPv6 address.

You can only add one filter to a cluster-sync instance. To create multiple filters you must create multiple cluster-sync instances.
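The following added example (not Fortinet's code or part of this help page) generates the n-1 cluster-sync instances that each member of a cluster of three or more FortiGates needs, one per peer and per synchronized VDOM with an optional single session-sync-filter, and then checks a set of instances collected from the members for missing peer/VDOM combinations. The member names, sync-interface addresses and VDOM names are constructed sample values.

```python
# Added example (not Fortinet's code): generate the n-1 cluster-sync instances
# each FGSP member needs, then check a set of instances for missing peers.
from itertools import count

# Constructed sample: member name -> IP of its session-sync interface.
MEMBERS = {"fgt-a": "10.10.10.1", "fgt-b": "10.10.10.2",
           "fgt-c": "10.10.10.3", "fgt-d": "10.10.10.4"}

def cluster_sync_config(members, vdoms=("root",), sync_filter=None):
    """Return {member: CLI text}: one instance per (peer, VDOM) on every
    member, since instances are not synchronized between FortiGates."""
    configs = {}
    for name in members:
        lines, idx = ["config system cluster-sync"], count(1)
        for peer, peer_ip in members.items():
            if peer == name:            # never sync a member to itself
                continue
            for vd in vdoms:            # VDOM names must match on both ends
                lines += [f"    edit {next(idx)}", f"        set peerip {peer_ip}",
                          f"        set peervd {vd}", f"        set syncvd {vd}"]
                if sync_filter:         # only one filter per instance
                    lines.append("        config session-sync-filter")
                    lines += [f"            set {k} {v}" for k, v in sync_filter.items()]
                    lines.append("        end")
                lines.append("    next")
        lines.append("end")
        configs[name] = "\n".join(lines)
    return configs

def parse_instances(cli_text):
    """Extract (peerip, syncvd) pairs from cluster-sync CLI text."""
    pairs, peer = [], None
    for tok in (line.split() for line in cli_text.splitlines()):
        if tok[:2] == ["set", "peerip"]:
            peer = tok[2]
        elif tok[:2] == ["set", "syncvd"]:
            pairs.append((peer, tok[2]))
    return pairs

def missing_instances(members, instances, vdoms=("root",)):
    """Return [(member, peer, vdom)] with no instance in
    instances = {member: [(peerip, syncvd), ...]}."""
    return [(name, peer, vd) for name in members
            for peer, peer_ip in members.items() if peer != name
            for vd in vdoms if (peer_ip, vd) not in instances.get(name, [])]

if __name__ == "__main__":
    print(cluster_sync_config(MEMBERS)["fgt-a"])   # three instances for a 4-member cluster
```

Running the script prints the three instances fgt-a needs; feeding the (peerip, syncvd) pairs read from each real member into missing_instances lists any peer or VDOM a member has not been configured to synchronize with.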