FortiGate Session Life Support Protocol (FGSP)

Fortigate HA High availability FGSP instaelearn.com

FortiGate Session Life Support Protocol (FGSP) is used for traffic redundancy. External routers or load balancers distribute sessions between two FortiGate units, and FGSP keeps the session tables of the two units synchronized. If one of the peers fails, session failover occurs and active sessions fail over to the peer that is still operating, without any loss of data. The external routers or load balancers also detect the failover and redistribute all sessions to the peer that is still operating. The two FortiGate units must be the same model and must be running the same firmware.

In a network that already includes load balancing (either with load balancers or routers) for traffic redundancy, two identical FortiGate units can be integrated into the load balancing configuration using the FortiGate Session Life Support Protocol (FGSP). The external load balancers or routers can distribute sessions among the FortiGate units and the FGSP performs session synchronization of IPv4 and IPv6 TCP, UDP, ICMP, expectation, and NAT sessions to keep the session tables of both FortiGate units synchronized.

The two FortiGate units must be the same model. FGSP synchronizes both IPv4 and IPv6 TCP, UDP, ICMP, expectation, and NAT sessions. You can use this feature with external routers or load balancers configured to distribute or load balance sessions between two peer FortiGate units. If one of the peers fails, session failover occurs and active sessions fail over to the peer that is still operating. This failover occurs without any loss of data. As well, the external routers or load balancers will detect the failover and redistribute all sessions to the peer that is still operating.

We configure FGSP HA separately for each virtual domain to be synchronized. If virtual domain configuration is not enabled, you configure FGSP HA for the root virtual domain. When virtual domain configuration is enabled and you have added virtual domains, you configure FGSP HA for each virtual domain to be synchronized; you don't have to synchronize all virtual domains. We must also configure FGSP HA and network settings on both peers. Once you establish the initial configuration, the configurations of both FortiGate units are synchronized, so when you change the configuration of one, the changes are synchronized to the other.

For FGSP HA to work properly all synchronized virtual domains must be added to both peers. The names of the matching interfaces in each virtual domain must also be the same; this includes the names of matching VLAN interfaces. Note that the index numbers of the matching interfaces and VLAN interfaces can be different. Also, the VLAN IDs of the matching VLAN interfaces can be different.

To configure FGSP HA, follow the steps below.

1. Configure the load balancer or router to send all sessions to peer_1.

2. Configure the load balancer or router to send all traffic to peer_2 if peer_1 fails.

3. Use normal FortiGate configuration steps on peer_1:

    • Enable virtual domain configuration.
    • Add the vdom_1 virtual domain.
    • Add port1 and port2 to the vdom_1 virtual domain and configure these interfaces.
    • Set the IP address of port1 to 192.168.20.1.
    • Set the IP address of port2 to 172.110.20.1.
    • Set the IP address of port3 to 10.10.10.1.
    • Add route mode security policies between port1 and port2 to vdom_1.

4. Enter the following commands to configure session synchronization for peer_1 (port3 of peer_2, 10.10.10.2, is the peer address):

config system session-sync
   edit 1
      set peerip 10.10.10.2
      set peervd root
      set syncvd vdom_1
   next
end

5. Use normal FortiGate configuration steps on peer_2:

    • Enable virtual domain configuration.
    • Add the vdom_1 virtual domain.
    • Add port1 and port2 to the vdom_1 virtual domain and configure these interfaces.
    • Set the IP address of port1 to 192.168.20.2.
    • Set the IP address of port2 to 172.110.20.2.
    • Set the IP address of port3 to 10.10.10.2.
    • Add route mode security policies between port1 and port2 to vdom_1.

6. Enter the following commands to configure session synchronization for peer_2 (port3 of peer_1, 10.10.10.1, is the peer address):

config system session-sync
   edit 1
      set peerip 10.10.10.1
      set peervd root
      set syncvd vdom_1
   next
end

Now that the FortiGate units are connected and configured, their configurations are synchronized, so when you make a configuration change on one FortiGate unit it is synchronized to the other one.
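The two session-sync blocks above are mirror images of each other, and the post also lists requirements that are easy to get wrong by hand (same model and firmware, every synchronized VDOM present on both peers with identically named interfaces, peer-link addresses on one subnet). The following Python script is an added example, not code from the original post or from Fortinet: it renders both CLI blocks from a description of the two peers and reports any of those requirements that are violated. The peer dictionaries are constructed sample data that mirror the post's addressing; the model and firmware strings are placeholders, and the `sync_if`/`syncvd`/`vdoms` keys are this example's own naming.

```python
"""Added example (not from the original post): render the two
'config system session-sync' blocks from a description of both FGSP peers
and cross-check the requirements the post lists before anything is pasted
into a live unit. All data below is constructed sample data."""
from ipaddress import ip_address, ip_network
from typing import Dict, List

PEERS: Dict[str, dict] = {
    "peer_1": {
        "model": "MODEL-PLACEHOLDER",          # placeholder, must equal the peer's
        "firmware": "FIRMWARE-PLACEHOLDER",    # placeholder, must equal the peer's
        "interfaces": {"port1": "192.168.20.1/24",
                       "port2": "172.110.20.1/24",
                       "port3": "10.10.10.1/24"},
        "vdoms": {"root": ["port3"], "vdom_1": ["port1", "port2"]},
        "sync_if": "port3",      # interface carrying the FGSP peer link
        "syncvd": ["vdom_1"],    # VDOMs whose sessions are synchronized
    },
    "peer_2": {
        "model": "MODEL-PLACEHOLDER",
        "firmware": "FIRMWARE-PLACEHOLDER",
        "interfaces": {"port1": "192.168.20.2/24",
                       "port2": "172.110.20.2/24",
                       "port3": "10.10.10.2/24"},
        "vdoms": {"root": ["port3"], "vdom_1": ["port1", "port2"]},
        "sync_if": "port3",
        "syncvd": ["vdom_1"],
    },
}


def peer_link_ip(peer: dict) -> str:
    """Address of the peer-link interface, without the prefix length."""
    return str(ip_address(peer["interfaces"][peer["sync_if"]].split("/")[0]))


def validate_pair(a: dict, b: dict) -> List[str]:
    """Return the list of violated requirements; empty means the pair is consistent."""
    problems: List[str] = []
    if a["model"] != b["model"]:
        problems.append("peers are different models")
    if a["firmware"] != b["firmware"]:
        problems.append("peers run different firmware")
    if set(a["syncvd"]) != set(b["syncvd"]):
        problems.append("syncvd lists differ")
    # Every synchronized VDOM must exist on both peers with matching interface names.
    for vd in sorted(set(a["syncvd"]) | set(b["syncvd"])):
        if vd not in a["vdoms"] or vd not in b["vdoms"]:
            problems.append(f"vdom {vd} missing on one peer")
            continue
        if set(a["vdoms"][vd]) != set(b["vdoms"][vd]):
            problems.append(f"interface names in vdom {vd} differ")
    # The peer-link interfaces must share a subnet for peerip to be reachable directly.
    net_a = ip_network(a["interfaces"][a["sync_if"]], strict=False)
    net_b = ip_network(b["interfaces"][b["sync_if"]], strict=False)
    if net_a != net_b:
        problems.append("peer-link interfaces are not on the same subnet")
    return problems


def render_session_sync(local: dict, remote: dict, entry: int = 1) -> str:
    """CLI block to enter on 'local', pointing at 'remote' as its FGSP peer."""
    lines = [
        "config system session-sync",
        f"    edit {entry}",
        f"        set peerip {peer_link_ip(remote)}",
        "        set peervd root",
        f"        set syncvd {' '.join(local['syncvd'])}",
        "    next",
        "end",
    ]
    return "\n".join(lines)


if __name__ == "__main__":
    p1, p2 = PEERS["peer_1"], PEERS["peer_2"]
    print("problems:", validate_pair(p1, p2) or "none")
    print("--- peer_1 ---")
    print(render_session_sync(p1, p2))
    print("--- peer_2 ---")
    print(render_session_sync(p2, p1))
```

Run it before touching the units: an empty problem list plus two blocks whose `peerip` values point at each other's port3 address is the state the post's steps 4 and 6 describe.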

You can add a filter to this basic configuration if you only want to synchronize some TCP sessions. For example, enter the following command to add a filter so that only HTTP sessions are synchronized:

config system session-sync
   edit 1
      config filter
         set service HTTP
      end
   next
end

We can also add a filter to control the source and destination addresses of the IPv4 packets that are synchronized. For example, you can enter the following command to add a filter so that only sessions with source addresses in the range 10.10.10.100 to 10.10.10.200 are synchronized:

config system session-sync
   edit 1
      config filter
         set srcaddr 10.10.10.100 10.10.10.200
      end
   next
end

We can also add a filter to control the source and destination addresses of the IPv6 packets that are synchronized. For example, you can enter the following command to add a filter so that only sessions with destination addresses in the prefix 2001:db8:0:2::/64 are synchronized:

config system session-sync
   edit 1
      config filter
         set dstaddr6 2001:db8:0:2::/64
      end
   next
end
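To make the effect of the three filters above concrete, the following Python script is an added example, not code from the original post or from Fortinet: it evaluates a small constructed session table against a filter and reports which sessions would be selected for synchronization. Two things are assumptions of this example rather than statements from the post: every criterion set on a filter must match (unset criteria match anything), and `srcaddr` applies to IPv4 sessions while `dstaddr6` applies to IPv6 sessions. The `service` criterion is matched on the destination port of TCP sessions using the tiny `SERVICE_PORTS` map, which is a hypothetical stand-in for the firewall's service database.

```python
"""Added example (not from the original post): decide which sessions a
'config filter' entry selects for FGSP synchronization. Matching rules and
the service-to-port map are this example's assumptions; the session table is
constructed sample data."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

# Hypothetical minimal service map; the real firewall resolves services itself.
SERVICE_PORTS = {"HTTP": {80}, "HTTPS": {443}, "SSH": {22}}


@dataclass
class SyncFilter:
    service: Optional[str] = None                # e.g. "HTTP"
    srcaddr: Optional[Tuple[str, str]] = None    # IPv4 range (low, high)
    dstaddr6: Optional[str] = None               # IPv6 prefix, e.g. "2001:db8:0:2::/64"


@dataclass
class Session:
    sid: int
    proto: str            # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: Optional[int] = None


def in_v4_range(addr: str, low: str, high: str) -> bool:
    """True when addr is an IPv4 address inside the inclusive range low..high."""
    a = ip_address(addr)
    return a.version == 4 and ip_address(low) <= a <= ip_address(high)


def matches(filt: SyncFilter, s: Session) -> bool:
    """True when the session satisfies every criterion that is set on the filter."""
    if filt.service is not None:
        allowed = SERVICE_PORTS.get(filt.service, set())
        if s.proto != "tcp" or s.dport not in allowed:
            return False
    if filt.srcaddr is not None and not in_v4_range(s.src, *filt.srcaddr):
        return False
    if filt.dstaddr6 is not None:
        d = ip_address(s.dst)
        if d.version != 6 or d not in ip_network(filt.dstaddr6, strict=False):
            return False
    return True


def sessions_to_sync(filt: SyncFilter, sessions: List[Session]) -> List[int]:
    """Session ids that the filter would hand to the peer."""
    return [s.sid for s in sessions if matches(filt, s)]


# Constructed sample session table (ids are arbitrary).
SESSIONS = [
    Session(1, "tcp", "10.10.10.150", "172.110.20.50", 80),
    Session(2, "tcp", "10.10.10.50", "172.110.20.50", 80),
    Session(3, "tcp", "10.10.10.150", "172.110.20.50", 22),
    Session(4, "udp", "10.10.10.150", "172.110.20.53", 53),
    Session(5, "tcp", "2001:db8:0:1::10", "2001:db8:0:2::80", 80),
    Session(6, "tcp", "2001:db8:0:1::10", "2001:db8:0:3::80", 80),
]

if __name__ == "__main__":
    # set service HTTP                                  -> [1, 2, 5, 6]
    print(sessions_to_sync(SyncFilter(service="HTTP"), SESSIONS))
    # set srcaddr 10.10.10.100 10.10.10.200            -> [1, 3, 4]
    print(sessions_to_sync(SyncFilter(srcaddr=("10.10.10.100", "10.10.10.200")), SESSIONS))
    # set dstaddr6 2001:db8:0:2::/64                    -> [5]
    print(sessions_to_sync(SyncFilter(dstaddr6="2001:db8:0:2::/64"), SESSIONS))
```

Note how the address filters silently exclude the other address family: the IPv4 source range never selects sessions 5 and 6, and the IPv6 prefix never selects sessions 1 to 4, so a filter written for one family needs a companion for the other if both are carried.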

By default, configuration synchronization is disabled. You can use the following command to enable it:

config system ha
   set standalone-config-sync enable
end

In many configurations, due to their non-stateful nature, UDP and ICMP sessions don't need to be synchronized to fail over naturally. However, if it is required, you can configure FGSP to synchronize UDP and ICMP sessions by entering the following command:

config system ha
   set session-pickup enable
   set session-pickup-connectionless enable
end

By default, NAT sessions are not synchronized. However, FGSP can synchronize NAT sessions if you enter the following command:

config system ha
   set session-pickup enable
   set session-pickup-nat enable
end

If you want expectation sessions to continue after a failover, enter the following command on both FortiGates to synchronize them:

config system ha
   set session-pickup enable
   set session-pickup-expectation enable
end

To check the status of the cluster:

# get system ha status

HA Health Status: OK
Model: FortiGate-60E
Mode: HA A-P
Group: 200
Debug: 0
Cluster Uptime: 239 days 09:08:45
Cluster state change time: 2020-05-01 22:53:09

In this output you can see the group ID, the cluster uptime and the last state change time, as well as other details such as why the master is the current master.

Note: This command gives you information about your HA cluster. If the cluster status looks healthy, FGSP is configured successfully. The FGSP peer link itself can be inspected with `diagnose sys session sync`, which reports the state of the session-sync peer.


We have also covered a few other FortiGate HA solutions, each in its own blog post with detailed how-to steps:

Basics

FortiGate Cluster Protocol (FGCP)

FortiGate Session Life Support Protocol (FGSP)

Session-Aware Load Balancing Clustering (SLBC)

Content Clustering

VRRP
