FortiOS 5.4 Online Help Link FortiOS 5.2 Online Help Link FortiOS 5.0 Online Help Link FortiOS 4.3 Online Help Link

Home > Online Help

> Chapter 10 - Fortinet Communication Ports and Protocols > FGSP - FortiGate Session Life Support Protocol

FGSP - FortiGate Session Life Support Protocol

FortiGate Session Life Support Protocol (FGSP) distributes sessions between two FortiGate units and the FGSP performs session synchronization. If one of the peers fails, session failover occurs and active sessions fail over to the peer that is still operating. This failover occurs without any loss of data. Also, the external routers or load balancers will detect the failover and re-distribute all sessions to the peer that is still operating. The two FortiGate units must be the same model and must be running the same firmware.

note icon Note that you cannot configure FGSP HA when FGCP HA is enabled.

You can also use the config system cluster-sync command to configure FGSP between two FortiGate units.

The FortiGate's HA Heartbeat listens on ports TCP/703, TCP/23, or ETH Layer 2/8890.

In previous versions of FortiOS, FGSP was called TCP session synchronization or standalone session synchronization. However, FGSP has been expanded to include both IPv4 and IPv6 TCP, UDP, ICMP, expectation, NAT sessions, and IPsec tunnels.

Configuration synchronization

Configuration synchronization can also be performed, allowing you to make configuration changes once for both FortiGate units instead of requiring multiple configuration changes on each FortiGate unit. However interface IP addresses, BGP neighbor settings, and other settings that identify the FortiGate unit on the network are not synchronized. You can enable configuration synchronization by entering the following command:

config system ha

set standalone-config-sync enable

end

UDP and ICMP (connectionless) session synchronization

In many configurations, due to their non-stateful nature, UDP and ICMP sessions don't need to be synchronized to naturally failover. However, if it is required, you can configure the FGSP to also synchronize UDP and ICMP sessions by entering the following command:

config system ha

set session-pickup enable

set session-pickup-connectionless enable

end

Expectation (asymmetric) session synchronization

Synchronizing asymmetric traffic can be very useful in situations where multiple Internet connections from different ISPs are spread across two FortiGates.

The FGSP enforces firewall policies for asymmetric traffic, including cases where the TCP 3-way handshake is split between two FortiGates. For example, FGT-A receives the TCP-SYN, FGT-B receives the TCP-SYN-ACK, and FGT-A receives the TCP-ACK. Under normal conditions a firewall will drop this connection since the 3-way handshake was not seen by the same firewall. However two FortiGates with FGSP configured will be able to properly pass this traffic since the firewall sessions are synchronized.

If traffic will be highly asymmetric, as described above, the following command must be enabled on both FortiGates:

config system ha

set session-pickup enable

set session-pickup-expectation enable

end

Security profile inspection with asymmetric and symmetric traffic

Security profile inspection, flow or proxy based, is not expected to work properly if the traffic in the session is load balanced across more than one FortiGate in either direction. However, flow-based inspection should be used in FGSP deployments.

For symmetric traffic, security profile inspection can be used but with the following limitations:

  • No session synchronization for the sessions inspected using proxy-based inspection. Sessions will drop and need to be reestablished after data path failover.
  • Sessions with flow-based inspection will failover, and inspection of sessions after a failover may not work.

NAT session synchronization

NAT sessions are not synchronized by default. You can enable NAT session synchronization by entering the following command:

config system ha

set session-pickup enable

set session-pickup-nat enable

end

 

Note that, after a failover with this configuration, all sessions that include the IP addresses of interfaces on the failed FortiGate unit will have nowhere to go since the IP addresses of the failed FortiGate unit will no longer be on the network. If you want NAT sessions to resume after a failover you should not configure NAT to use the destination interface IP address, since the FGSP FortiGate units have different IP addresses. To avoid this issue, you should use IP pools with the type set to overload (which is the default IP pool type), as shown in the example below:

config firewall ippool

edit FGSP-pool

set type overload

set startip 172.20.120.10

set endip 172.20.120.20

end

In NAT/Route mode, only sessions for route mode security policies are synchronized. FGSP HA is also available for FortiGate units or virtual domains operating in Transparent mode. Only sessions for normal Transparent mode policies are synchronized.

IPsec tunnel synchronization

When you use the config system cluster-sync command to enable FGSP, IPsec keys and other runtime data are synchronized between cluster units. This means that if one of the cluster units goes down the cluster unit that is still operating can quickly get IPsec tunnels re-established without re-negotiating them. However, after a failover, all existing tunnel sessions on the failed FortiGate have to be restarted on the still operating FortiGate.

IPsec tunnel sync only supports dialup IPsec. The interfaces on both FortiGates that are tunnel endpoints must have the same IP addresses and external routers must be configured to load balance IPsec tunnel sessions to the FortiGates in the cluster.

Standalone configuration synchronization uses a very similar process as FGCP. There is a similar relationship between the two FortiGates but only in regards to configuration synchronization, not session information. The primary unit is selected by using priority/override. The heartbeat is used to check the primary unit's health. Once heartbeat loss is detected, a new primary unit is selected.

Automatic session synchronization after peer reboot

The following command allows you to configure an automatic session synchronization after a peer FGSP unit has rebooted. FGSP will send out heartbeat signals (every 1 - 10 seconds, as shown below) if one FortiGate is rebooting and the other FortiGate fails.

To configure automatic session synchronization:

config system session-sync

edit 1

set down-intfs-before-sess-sync <interfaces> - List of interfaces to be turned down before session synchronization is complete.

set-hb-interval <integer> - (1 - 10 seconds)

set hb-lost-threshold <integer> - (1 - 10)

next

end