FortiGate
alif
Staff
Article Id 191165

Description

This article describes the session failover (session pickup) feature used on the FortiGate High Availability (HA) cluster.

 

Scope

 

FortiGate.


Solution

Session failover means that after the primary unit fails, reboots or is powered off, communication sessions resume on the new primary unit with minimal or no interruption.
With session failover (also called session pickup) enabled, the primary unit informs the subordinate units of changes to its connection and state tables, keeping them up to date with the traffic currently being processed by the HA cluster.

This lets the new primary unit resume communication sessions with minimal loss of data, so active sessions do not have to be restarted.
All synchronization traffic is carried over the HA heartbeat link using TCP/703 and UDP/703 packets. Because the heartbeat link therefore carries a copy of the cluster's live session table, use dedicated, directly connected (or otherwise isolated) heartbeat interfaces rather than a shared production network.

Two categories of sessions need to be resumed after a failover:

  • Sessions that pass through the cluster.
  • Sessions terminated by the cluster.

CLI command to enable session pickup:

 

config system ha

    set session-pickup enable

end

 

If VDOMs are enabled, the setting is changed from the global configuration (config global), not from inside a VDOM:

 

config global

    config system ha

        set session-pickup enable

    end

end

 

Sessions that pass through the cluster.

Session failover is supported for sessions being scanned by flow-based security profiles; however, flow-based sessions that fail over are not inspected after the failover, so traffic in those sessions passes without security profile scanning on the new primary.
Session failover is not supported for sessions being scanned by proxy-based security profiles; those sessions are lost on failover and must be re-established by the client.
By default only TCP sessions are synchronized. UDP and ICMP sessions are synchronized only if session-pickup-connectionless is also enabled under config system ha.
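After enabling session pickup, a practitioner will want to confirm that the secondary is actually receiving the session table rather than trust the setting. The script below is an added example and not part of the Fortinet article or FortiOS itself: it parses text captured from diagnose sys session list on the primary and reports, per protocol, how many sessions carry the synced state flag. The line layout follows typical FortiOS session dumps but is assumed rather than taken from the article, and the sample dump is constructed by hand; serial values, addresses and the reason a given session is not synced are assumptions for illustration.

```python
import re

# Constructed sample of `diagnose sys session list` output for this example.
# The line layout follows the usual FortiOS dump; all values are made up.
# Session 2 (UDP) is shown unsynced, as would be expected when
# session-pickup-connectionless is left disabled (assumption for the sample).
SAMPLE_SESSION_LIST = """\
session info: proto=6 proto_state=01 duration=120 expire=3480 timeout=3600 flags=00000000 use=3
class_id=0 ha_id=0 policy_dir=0 tunnel=/ vlan_cos=0/255
state=may_dirty synced
statistic(bytes/packets/allow_err): org=1240/12/1 reply=5610/10/1 tuples=2
hook=post dir=org act=snat 10.0.0.10:51234->198.51.100.20:443(203.0.113.2:51234)
hook=pre dir=reply act=dnat 198.51.100.20:443->203.0.113.2:51234(10.0.0.10:51234)
misc=0 policy_id=1 vd=0
serial=00000a1b tos=ff/ff app_list=0 app=0 url_cat=0

session info: proto=17 proto_state=01 duration=5 expire=175 timeout=180 flags=00000000 use=3
class_id=0 ha_id=0 policy_dir=0 tunnel=/ vlan_cos=0/255
state=may_dirty
statistic(bytes/packets/allow_err): org=64/1/1 reply=120/1/1 tuples=2
hook=post dir=org act=snat 10.0.0.11:40001->198.51.100.53:53(203.0.113.2:40001)
hook=pre dir=reply act=dnat 198.51.100.53:53->203.0.113.2:40001(10.0.0.11:40001)
misc=0 policy_id=1 vd=0
serial=00000a1c tos=ff/ff app_list=0 app=0 url_cat=0

session info: proto=6 proto_state=01 duration=30 expire=3570 timeout=3600 flags=00000000 use=3
class_id=0 ha_id=0 policy_dir=0 tunnel=/ vlan_cos=0/255
state=may_dirty
statistic(bytes/packets/allow_err): org=980/9/1 reply=20300/18/1 tuples=2
hook=post dir=org act=snat 10.0.0.12:52000->198.51.100.80:443(203.0.113.2:52000)
hook=pre dir=reply act=dnat 198.51.100.80:443->203.0.113.2:52000(10.0.0.12:52000)
misc=0 policy_id=2 vd=0
serial=00000a1d tos=ff/ff app_list=0 app=0 url_cat=0
total session 3
"""

# key=value pairs as they appear on most lines of the dump
KV_RE = re.compile(r"(\w[\w-]*)=(\S*)")
PROTO_NAMES = {1: "icmp", 6: "tcp", 17: "udp"}


def parse_sessions(text):
    """Split a session dump into one dict per session.

    Each dict holds the key=value fields of the dump, the list of state
    flags, a boolean 'synced' and the raw hook= flow lines.
    """
    sessions = []
    current = None
    for line in text.splitlines():
        if line.startswith("session info:"):
            current = {"synced": False, "state_flags": [], "flows": []}
            sessions.append(current)
            current.update(KV_RE.findall(line))
        elif current is None or not line.strip():
            continue
        elif line.startswith("total session"):
            current = None  # trailer line: nothing after it belongs to a session
        elif line.startswith("state="):
            flags = line[len("state="):].split()
            current["state_flags"] = flags
            current["synced"] = "synced" in flags
        elif line.startswith("hook="):
            current["flows"].append(line)
        else:
            current.update(KV_RE.findall(line))
    return sessions


def sync_report(sessions):
    """Count, per protocol, how many sessions carry the 'synced' flag."""
    report = {}
    for s in sessions:
        proto_num = int(s.get("proto", "0"))
        proto = PROTO_NAMES.get(proto_num, "proto-%d" % proto_num)
        entry = report.setdefault(proto, {"total": 0, "synced": 0})
        entry["total"] += 1
        entry["synced"] += int(s["synced"])
    return report


def unsynced_serials(sessions):
    """Serials of sessions the secondary has no copy of (lost on failover)."""
    return [s.get("serial", "?") for s in sessions if not s["synced"]]


def pickup_coverage(sessions):
    """Fraction of sessions the secondary holds a copy of (0.0 when empty)."""
    if not sessions:
        return 0.0
    return sum(1 for s in sessions if s["synced"]) / len(sessions)


if __name__ == "__main__":
    found = parse_sessions(SAMPLE_SESSION_LIST)
    for proto, counts in sorted(sync_report(found).items()):
        print("%-8s total=%d synced=%d" % (proto, counts["total"], counts["synced"]))
    print("not synced:", ", ".join(unsynced_serials(found)))
    print("coverage: %.0f%%" % (100 * pickup_coverage(found)))
```

On a real cluster, replace the constructed sample with output captured from the primary (for example over SSH) and compare the report against what the policy set should allow: TCP sessions missing the flag point at proxy-based inspection, while missing UDP and ICMP sessions point at session-pickup-connectionless being disabled.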



 
Sessions terminated by the cluster.

Sessions terminated by the cluster include management sessions (such as HTTPS connections to the FortiGate GUI, SSH connections to the CLI, SNMP, logging and so on).
Also in this category are IPsec VPN and SSL VPN sessions, explicit proxy sessions, WAN Optimization and web caching.
In general, whether or not session pickup is enabled, these sessions do not fail over and have to be restarted.
There are some exceptions, particularly for IPsec and SSL VPN.