This advanced scenario describes how to configure FortiGate Session Life Support Protocol (FGSP) HA with four peer FortiGates protecting two active-active data centers.
In this configuration, two redundant active-active data centers process traffic from the Internet. Traffic is distributed to the FortiGates (named Peer-1, Peer-2, Peer-3 and Peer-4) by the routers or load balancers. All of the FortiGates are configured with two virtual domains: root and vdom1. All sessions processed by vdom1 are synchronized to all of the FortiGates. The synchronization link interface is port 3, which is in the root virtual domain. The IP addresses of port 3 are different for each FortiGate:
- For Peer-1, the port 3 IP address is 10.10.10.1
- For Peer-2, the port 3 IP address is 10.10.10.2
- For Peer-3, the port 3 IP address is 10.10.10.3
- For Peer-4, the port 3 IP address is 10.10.10.4
The port 1 and port 2 interfaces are added to vdom1. To keep the configuration very simple and applicable to many different networks, port 1 and port 2 are added to a virtual wire pair so these interfaces do not have IP addresses. This example includes a simple policy that allows all traffic across the virtual wire pair. The example policy applies the default VoIP profile to all VoIP traffic and otherwise applies virus scanning and application control.
This architecture supports different configurations on each FortiGate, but this is not recommended. Usually all of the FortiGates in an FGSP cluster have the same configuration. This example disables FGSP configuration synchronization and assumes you are using FortiManager to keep the configurations of the FortiGates synchronized.
1. Configuring the first FortiGate (Peer-1)

Configure Peer-1 with the following settings:

Enable virtual domain configuration, add vdom1, set vdom1 to proxy mode (to support VoIP profiles), and add port 1 and port 2 to vdom1. Note that in VDOM mode the interface table is edited from the global context (config global), not from config system global.

    config system global
        set vdom-admin enable
    end
    config vdom
        edit vdom1
            config system settings
                set inspection-mode proxy
            end
    end
    config global
        config system interface
            edit port1
                set vdom vdom1
            next
            edit port2
                set vdom vdom1
        end
    end

Create a virtual wire pair between port 1 and port 2.

    config vdom
        edit vdom1
            config system virtual-wire-pair
                edit my-wire-pair
                    set member port1 port2
            end
    end

Create a virtual wire pair policy to allow all traffic between port 1 and port 2. This example policy applies antivirus scanning, application control, and VoIP profiles. Both members of the pair are listed as source and destination interfaces, and the policy action is accept (the FortiOS keyword; "allow" is not accepted by the CLI).

    config vdom
        edit vdom1
            config firewall policy
                edit 1
                    set srcintf port1 port2
                    set dstintf port1 port2
                    set srcaddr all
                    set dstaddr all
                    set service ALL
                    set schedule always
                    set action accept
                    set utm-status enable
                    set av-profile default
                    set application-list default
                    set voip-profile default
            end
    end

Configure Peer-1 for FGSP. Each cluster-sync entry names one of the other three peers by its port 3 address (peervd root is the VDOM that owns the synchronization link; syncvd vdom1 is the VDOM whose sessions are synchronized).

    config system cluster-sync
        edit 1
            set peerip 10.10.10.2
            set peervd root
            set syncvd vdom1
        next
        edit 2
            set peerip 10.10.10.3
            set peervd root
            set syncvd vdom1
        next
        edit 3
            set peerip 10.10.10.4
            set peervd root
            set syncvd vdom1
    end
2. Configuring the second FortiGate (Peer-2)

Configure Peer-2 with the same configuration as Peer-1 (virtual domains, virtual wire pair, and policy). Then configure Peer-2 for FGSP, listing the other three peers:

    config system cluster-sync
        edit 1
            set peerip 10.10.10.1
            set peervd root
            set syncvd vdom1
        next
        edit 2
            set peerip 10.10.10.3
            set peervd root
            set syncvd vdom1
        next
        edit 3
            set peerip 10.10.10.4
            set peervd root
            set syncvd vdom1
    end
3. Configuring the third FortiGate (Peer-3)

Configure Peer-3 with the same configuration as Peer-1 (virtual domains, virtual wire pair, and policy). Then configure Peer-3 for FGSP, listing the other three peers:

    config system cluster-sync
        edit 1
            set peerip 10.10.10.1
            set peervd root
            set syncvd vdom1
        next
        edit 2
            set peerip 10.10.10.2
            set peervd root
            set syncvd vdom1
        next
        edit 3
            set peerip 10.10.10.4
            set peervd root
            set syncvd vdom1
    end
4. Configuring the fourth FortiGate (Peer-4)

Configure Peer-4 with the same configuration as Peer-1 (virtual domains, virtual wire pair, and policy). Then configure Peer-4 for FGSP, listing the other three peers:

    config system cluster-sync
        edit 1
            set peerip 10.10.10.1
            set peervd root
            set syncvd vdom1
        next
        edit 2
            set peerip 10.10.10.2
            set peervd root
            set syncvd vdom1
        next
        edit 3
            set peerip 10.10.10.3
            set peervd root
            set syncvd vdom1
    end
5. Synchronizing TCP sessions

Synchronize TCP sessions so that if one of the FortiGates fails, its TCP sessions continue to be processed by the remaining FortiGates. The sessions to the failed FortiGate are redistributed by the router or load balancer. The remaining FortiGates can continue to process these sessions because they have already been synchronized to the session tables of all of the FortiGates in the FGSP cluster.

Enter this command on each FortiGate to synchronize TCP sessions among all of the FortiGates.

    config system ha
        set session-pickup enable
    end
6. Synchronizing UDP and ICMP sessions

Enter this command on each FortiGate to synchronize UDP and ICMP sessions among all of the FortiGates. You must enable TCP session synchronization to synchronize other types of sessions.

    config system ha
        set session-pickup enable
        set session-pickup-connectionless enable
    end
7. Synchronizing VoIP sessions

Synchronizing VoIP requires the FortiGates to automatically allow RTP sessions that are expected because of a previous SIP session, even if that SIP session was received by a different FortiGate. FortiOS calls these expectation sessions, so synchronizing VoIP sessions requires expectation session synchronization. You can use the

Enter the following command on each FortiGate to synchronize expectation sessions to support VoIP. You must enable TCP session synchronization to synchronize other types of sessions.

    config system ha
        set session-pickup enable
        set session-pickup-expectation enable
    end
8. Synchronizing the configuration

You can use the built-in configuration synchronization feature of FGSP to keep the configuration of all of the FortiGates synchronized. If you are using FortiManager, you can disable configuration synchronization.

Enter the following command on each FortiGate to disable configuration synchronization.

    config system ha
        set standalone-config-sync disable
    end
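The per-peer cluster-sync blocks in steps 1 to 4 differ only in which three addresses each unit lists, which is exactly where a hand-typed four-node mesh goes wrong. The following script is an added example (not Fortinet's code or part of this recipe): it generates the cluster-sync and session-pickup blocks for every peer from the port 3 address table above, and check_mesh cross-checks that each unit lists every other peer once and never itself. The peer names and addresses are the recipe's; the function names are the example's own.

```python
import re

# Synchronization-link addresses (port 3, root VDOM) from the recipe.
PEERS = {"Peer-1": "10.10.10.1", "Peer-2": "10.10.10.2",
         "Peer-3": "10.10.10.3", "Peer-4": "10.10.10.4"}


def cluster_sync_config(peer, peers=PEERS, peervd="root", syncvd="vdom1"):
    """Build the 'config system cluster-sync' block for one peer: every
    other peer gets an entry, numbered from 1 in peer-name order."""
    others = [ip for name, ip in sorted(peers.items()) if name != peer]
    lines = ["config system cluster-sync"]
    for idx, ip in enumerate(others, start=1):
        lines += [f"    edit {idx}",
                  f"        set peerip {ip}",
                  f"        set peervd {peervd}",
                  f"        set syncvd {syncvd}",
                  "    next"]
    return "\n".join(lines + ["end"])


def ha_session_config(fortimanager=True):
    """Build the 'config system ha' block: TCP pickup must be on for the
    connectionless (UDP/ICMP) and expectation (SIP -> RTP) options."""
    lines = ["config system ha",
             "    set session-pickup enable",
             "    set session-pickup-connectionless enable",
             "    set session-pickup-expectation enable"]
    if fortimanager:  # FortiManager owns the configuration (step 8)
        lines.append("    set standalone-config-sync disable")
    return "\n".join(lines + ["end"])


def check_mesh(configs, peers=PEERS):
    """Cross-check cluster-sync blocks (generated here, or pasted from
    'show system cluster-sync' on each unit). Returns a list of problem
    strings; an empty list means the full mesh is consistent."""
    problems = []
    for name, ip in peers.items():
        found = re.findall(r"set peerip (\S+)", configs[name])
        expected = sorted(v for k, v in peers.items() if k != name)
        if sorted(found) != expected:
            problems.append(f"{name}: peers {found} != {expected}")
        if ip in found:
            problems.append(f"{name}: lists its own address {ip}")
    return problems


if __name__ == "__main__":
    configs = {p: cluster_sync_config(p) for p in PEERS}
    print("\n\n".join(f"# {p}\n{c}\n{ha_session_config()}" for p, c in configs.items()))
    print("mesh problems:", check_mesh(configs) or "none")
```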
The post Using FGSP to load balance access to two active-active data centers – expert appeared first on Fortinet Cookbook.