fgilloteau_FTNT
Article Id 195515
Description
This article explains how HA session synchronization works between the MASTER and SLAVE units of a FortiGate cluster, and which settings affect it.

Things to know

1. When a session is created on the MASTER, it is immediately synchronized to the SLAVE unit unless 'session-pickup' has been enabled under #config system ha.

2. If 'session-pickup' is enabled under #config system ha, sessions shorter than 30 seconds are not synchronized; this avoids syncing, for example, every short-lived DNS session. Only sessions that have existed for more than 30 seconds are synchronized.

3. When the state of a session changes (visible with #diag sys session list as proto_state=xx), the session is synchronized to the SLAVE again.

4. The expire timer of a session is not synchronized between MASTER and SLAVE. When the expire timer is about to run out on the SLAVE, the SLAVE asks the MASTER whether the session should be kept or can be deleted.
   If the session must be kept, the SLAVE resets its 'expire' timer to the 'timeout' value.

5. Because the expire timer is not synchronized between the two units, a failover can happen while the expire timer on the SLAVE is very low, which causes the session to expire shortly after the failover.

6. To solve point 5, there is another HA option under #config system ha: 'set update-all-session-timer enable'. This parameter is disabled by default. Enabling it resets all session timers to their timeout value after a failover.

7. By default, session synchronization is done over the heartbeat interfaces (hbdev in #config system ha). For better performance when there are many sessions, it is better to use dedicated links instead. The HA setting for this, also under #config system ha, is 'set session-sync-dev <INTERFACE>'.
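The settings from points 6 and 7 combined into one HA configuration, added here as an illustration and not taken from the original article. Interface names (port3 for heartbeat, port5 for the dedicated sync link) are assumptions; the verification commands afterwards use the 'expire' and 'timeout' fields that point 4 refers to.

```text
# Default state (points 5 and 6): session sync rides on the heartbeat link
# and SLAVE timers are NOT refreshed on failover, so a session whose
# 'expire' counter on the SLAVE is nearly 0 can be lost right after failover.
config system ha
    set hbdev "port3" 50
    set update-all-session-timer disable
end

# Recommended: refresh every synced session to its 'timeout' value after
# failover and move session sync off the heartbeat link onto a dedicated
# interface (port5 is an assumed, directly cabled link between both units).
config system ha
    set hbdev "port3" 50
    set update-all-session-timer enable
    set session-sync-dev "port5"
end

# Verification after failover (run on the unit that is now MASTER):
# compare 'expire' against 'timeout' for a long-lived TCP session;
# with update-all-session-timer enabled, 'expire' starts again at 'timeout'.
diagnose sys session filter proto 6
diagnose sys session list
```

With update-all-session-timer left at its default, the same listing shows whatever 'expire' value the former SLAVE had counted down to, which is the condition described in point 5.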