system : session-sync
 
session-sync
Use this command to configure TCP session synchronization between two standalone FortiGate units. You can use this feature with external routers or load balancers configured to distribute or load balance TCP sessions between two peer FortiGate units. If one of the peers fails, session failover occurs and active TCP sessions fail over to the peer that is still operating. This failover occurs without any loss of data. As well, the external routers or load balancers will detect the failover and re-distribute all sessions to the peer that is still operating.
 
TCP session synchronization between two standalone FortiGate units is also sometimes called standalone session synchronization or session synchronization between non-HA FortiGate units.
You cannot configure standalone session synchronization when HA is enabled.
Syntax
config system session-sync
    edit <sync_id>
        set peerip <peer_ipv4>
        set peervd <vd_name>
        set syncvd <vd_name>
        config filter
            set dstaddr <dst_ip_ipv4> <dst_mask_ipv4>
            set dstaddr6 <dst_ip_ipv6>
            set dstintf <interface_name>
            set service <string>
            set srcaddr <src_ip_ipv4> <src_mask_ipv4>
            set srcaddr6 <src_ip_ipv6>
            set srcintf <interface_name>
            config custom-service
                edit <service_filter_id>
                    set src-port-range <xxx-yyy>
                    set dst-port-range <xxx-yyy>
                end
            end
        end
    end
end
Variable / Description / Default

<service_filter_id>
  Enter the unique ID for the service filter.

<sync_id>
  Enter the unique ID number for the session synchronization configuration to edit. The session synchronization configuration ID can be any number between 1 and 200. The session synchronization configuration IDs of the peers do not have to match.
  Default: No default.

peerip <peer_ipv4>
  Enter the IP address of the interface on the peer unit that is used for the session synchronization link.
  Default: 0.0.0.0

peervd <vd_name>
  Enter the name of the virtual domain that contains the session synchronization link interface on the peer unit. Usually both peers would have the same peervd. Multiple session synchronization configurations can use the same peervd.
  Default: root

syncvd <vd_name>
  Enter the names of one or more virtual domains so that the sessions processed by these virtual domains are synchronized using this session synchronization configuration.

config custom-service
  Add a service filter for session sync.

config filter
  Add a filter to a standalone session synchronization configuration. You can add a filter if you want to synchronize only some TCP sessions. Using a filter, you can configure synchronization to synchronize only sessions that match a source and destination address, source and destination interface, and predefined firewall TCP service. You can add only one filter to a standalone session synchronization configuration.

dstaddr <dst_ip_ipv4> <dst_mask_ipv4>
dstaddr6 <dst_ip_ipv6>
  Enter the destination IP address (or range) and netmask of the sessions to synchronize. For IPv4 addresses, use dstaddr. For IPv6 addresses, use dstaddr6.
  The default IP address and netmask (0.0.0.0 / 0.0.0.0 or ::/0) synchronizes sessions for all destination addresses.
  If you want to specify multiple IP addresses or address ranges, you can add multiple standalone session synchronization configurations.
  Default: 0.0.0.0 0.0.0.0 (dstaddr); ::/0 (dstaddr6)

dstintf <interface_name>
  Enter the name of a FortiGate interface (this can be any interface, including a VLAN interface, aggregate interface, redundant interface, virtual SSL VPN interface, or inter-VDOM link interface). Only sessions destined for this interface are synchronized. You can enter only one interface name. If you want to synchronize sessions for multiple interfaces, you can add multiple standalone session synchronization configurations. The default dstintf setting synchronizes sessions for all interfaces.
  Default: (null)

dst-port-range <xxx-yyy>
  Enter the destination port range for the service filter.
  Default: (null)

service <string>
  Enter the name of a FortiGate firewall predefined service. Only sessions that use this predefined service are synchronized. You can enter only one predefined service name. If you want to synchronize sessions for multiple services, you can add multiple standalone session synchronization configurations.
  Default: (null)

srcaddr <src_ip_ipv4> <src_mask_ipv4>
srcaddr6 <src_ip_ipv6>
  Enter the source IP address and netmask of the sessions to synchronize. For IPv4 addresses, use srcaddr. For IPv6 addresses, use srcaddr6.
  The default IP address and netmask (0.0.0.0 / 0.0.0.0 or ::/0) synchronizes sessions for all source addresses. If you want to specify multiple IP addresses or address ranges, you can add multiple standalone session synchronization configurations.
  Default: 0.0.0.0 0.0.0.0 (srcaddr); ::/0 (srcaddr6)

srcintf <interface_name>
  Enter the name of a FortiGate interface (this can be any interface, including a VLAN interface, aggregate interface, redundant interface, virtual SSL VPN interface, or inter-VDOM link interface). Only sessions from this interface are synchronized. You can enter only one interface name. If you want to synchronize sessions for multiple interfaces, you can add multiple standalone session synchronization configurations. The default srcintf setting synchronizes sessions for all interfaces.
  Default: (null)

src-port-range <xxx-yyy>
  Enter the source port range for the service filter.
  Default: (null)
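A worked two-peer configuration, added here as an illustration and not taken from the Fortinet documentation: the sync-link addresses (10.10.10.1 and 10.10.10.2), the interface names (port1, port2, port3), the 192.0.2.0/24 server subnet and the 8443-8444 port range are assumed values. It shows how one sync entry with a predefined-service filter and a second entry with a custom-service port range together cover two services, and how the peer mirrors the configuration under a different sync ID.

```text
# FortiGate A. Session sync link: port3, 10.10.10.1/24 (constructed example).
# Entry 1: synchronize only HTTPS sessions that enter on port1 and leave on
# port2 toward the 192.0.2.0/24 server subnet.
config system session-sync
    edit 1
        set peerip 10.10.10.2
        set peervd root
        set syncvd root
        config filter
            set srcintf port1
            set dstintf port2
            set dstaddr 192.0.2.0 255.255.255.0
            set service HTTPS
        end
    next
    # Entry 2: a filter only accepts one predefined service, so a second
    # sync configuration is needed for the non-standard TLS ports 8443-8444
    # on the same server subnet. The port range is a custom-service filter.
    edit 2
        set peerip 10.10.10.2
        set peervd root
        set syncvd root
        config filter
            set dstaddr 192.0.2.0 255.255.255.0
            config custom-service
                edit 1
                    set dst-port-range 8443-8444
                next
            end
        end
    next
end

# FortiGate B. Session sync link: port3, 10.10.10.2/24. peerip points back
# at A. Sync IDs do not have to match between peers, so B uses ID 10 for
# the entry that mirrors A's entry 1 (A's entry 2 is mirrored the same way).
config system session-sync
    edit 10
        set peerip 10.10.10.1
        set peervd root
        set syncvd root
        config filter
            set srcintf port1
            set dstintf port2
            set dstaddr 192.0.2.0 255.255.255.0
            set service HTTPS
        end
    next
end
```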