

FortiGate Session Life Support Protocol (FGSP)

In a network that already includes load balancing (either with load balancers or routers) for traffic redundancy, two identical FortiGate units can be integrated into the load balancing configuration using the FortiGate Session Life Support Protocol (FGSP). The external load balancers or routers can distribute sessions among the FortiGate units and the FGSP performs session synchronization of IPv4 and IPv6 TCP, UDP, ICMP, expectation, and NAT sessions and IPsec tunnels to keep the session tables of both FortiGate units synchronized.

You can use the config system cluster-sync command to configure the FortiGate Session Life Support Protocol (FGSP) (previously called TCP session synchronization or standalone session synchronization) between two FortiGate units. The two FortiGate units must be the same model. The FGSP synchronizes both IPv4 and IPv6 TCP, UDP, ICMP, expectation, and NAT sessions and IPsec tunnels. You can use this feature with external routers or load balancers configured to distribute or load balance sessions between two peer FortiGate units. If one of the peers fails, session failover occurs and active sessions fail over to the peer that is still operating. This failover occurs without any loss of data. As well, the external routers or load balancers will detect the failover and re-distribute all sessions to the peer that is still operating.

In previous versions of FortiOS the FGSP was called TCP session synchronization or standalone session synchronization. However, the FGSP has been expanded to include configuration synchronization and session synchronization of connectionless sessions, expectation sessions, and NAT sessions and IPsec tunnels.

You cannot configure FGSP HA when FGCP HA is enabled. However, FGSP HA is compatible with VRRP.

FGSP or standalone session synchronization is not supported if the FortiGate units are running different firmware versions.

The FGSP can be used instead of FGCP HA to provide session synchronization between two peer FortiGate units. If the external load balancers direct all sessions to one peer, the effect is similar to active-passive FGCP HA. If external load balancers or routers load balance traffic to both peers, the effect is similar to active-active FGCP HA. The load balancers should be configured so that all of the packets for any given session are processed by the same peer. This includes return packets.

By default, FGSP synchronizes all IPv4 and IPv6 TCP sessions, IPsec tunnels, and also synchronizes the configuration of the FortiGate units.

You can optionally enable session pickup to synchronize connectionless (UDP and ICMP) sessions, expectation sessions, and NAT sessions. If you do not enable session pickup, the FGSP does not share session tables for the particular session type and sessions do not resume after a failover. All sessions that are interrupted by the failover must be re-established at the application level. Many protocols can successfully restart sessions with little, or no, loss of data. Enable session pickup for sessions that may be difficult to reestablish. Since session pickup requires FortiGate resources, only enable this feature for sessions that you need to have synchronized.

You can also optionally add filters to control which sessions are synchronized. You can add filters to only synchronize packets from specified source and destination addresses, specified source and destination interfaces, and specified services.

Load balancing and session failover are done by external routers or load balancers instead of by the FGSP.
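
The peer definition and optional session pickup described on this page, as an added example that is not part of the original text. The addresses 10.10.10.1 and 10.10.10.2 and the VDOM name root are constructed, the syntax assumes a FortiOS release that uses config system cluster-sync, and the lines starting with # are annotations only.

```fortios
# ---- Peer A (constructed sync address 10.10.10.1) ----
config system cluster-sync
    edit 1
        # Address of the other FGSP peer on the synchronization link
        set peerip 10.10.10.2
        # VDOM that contains the synchronization interface
        set peervd root
        # VDOM whose sessions are synchronized to the peer
        set syncvd root
    next
end

config system ha
    # TCP session synchronization
    set session-pickup enable
    # Optional: connectionless (UDP and ICMP) sessions
    set session-pickup-connectionless enable
    # Optional: expectation sessions
    set session-pickup-expectation enable
    # Optional: NAT sessions
    set session-pickup-nat enable
end

# ---- Peer B (constructed sync address 10.10.10.2) ----
config system cluster-sync
    edit 1
        # Points back at peer A
        set peerip 10.10.10.1
        set peervd root
        set syncvd root
    next
end

config system ha
    # Keep the pickup settings identical on both peers so the same
    # session types survive a failover in either direction
    set session-pickup enable
    set session-pickup-connectionless enable
    set session-pickup-expectation enable
    set session-pickup-nat enable
end
```

Because session pickup consumes FortiGate resources, leave the three optional session-pickup lines disabled for session types that can be re-established at the application level.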
