cborgato_FTNT
Article Id 196776

Description


This article describes the benefits of configuring a dedicated session-sync-dev in an HA (High Availability) FortiGate cluster, especially where the volume of session synchronization traffic is high.


Using the session-sync-dev option, it is possible to select one or more FortiGate interfaces to use for synchronizing sessions, as required for session pickup. Normally, session synchronization occurs over the HA heartbeat link.

Moving session synchronization off the HA heartbeat interface reduces the bandwidth requirements of that interface and can improve the efficiency and performance of the cluster, especially when the cluster is synchronizing a large number of sessions. Load balancing session synchronization across multiple interfaces can improve performance further in that case.


Key factors to consider when deciding to use session-sync-dev in a FortiGate configuration include:

  1. High session synchronization requirements.
  2. Telco/ISP environments.
  3. Enhanced fault tolerance.
  4. Load balancing.
  5. Scalability requirements.
  6. Redundancy needs.
  7. Mission-critical applications.


Scope


FortiGate.


Solution


When session-sync-dev is set, only the selected interfaces are used for session synchronization, not the HA heartbeat link. If more than one interface is selected, session synchronization traffic is load balanced among the selected interfaces.

Use the following commands to perform cluster session synchronization over the port10 and port12 interfaces:

config system ha
    set session-sync-dev port10 port12
end

Session synchronization packets use Ethertype 0x8892. The interfaces used for session synchronization must be connected together, either directly with the appropriate cable (possible only if there are two units in the cluster) or through switches. If one of the interfaces becomes disconnected, the cluster uses the remaining interfaces for session synchronization. If all of the session synchronization interfaces become disconnected, session synchronization reverts to the HA heartbeat link. All session synchronization traffic flows between the primary unit and each subordinate unit.
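As an added example (not part of this article or of FortiOS), the following Python script shows how a defender can verify from packet captures that session synchronization is actually running over the dedicated interfaces: it parses raw Ethernet frames (optionally 802.1Q-tagged, since the sync interfaces may sit behind switches), counts frames carrying Ethertype 0x8892 per interface, and flags the fallback case where sync frames appear on the heartbeat interface. Interface names port10, port12 and ha1 and the sample frames are constructed for illustration.

```python
import struct
from collections import Counter
from typing import Dict, List, Optional, Tuple

SESSION_SYNC_ETHERTYPE = 0x8892  # Ethertype used by FortiGate session synchronization
VLAN_TAG_ETHERTYPE = 0x8100      # 802.1Q tag, seen when sync links cross a tagged switch port


def ethertype_of(frame: bytes) -> Optional[int]:
    """Return the payload Ethertype of a raw Ethernet frame, skipping one 802.1Q tag if present."""
    if len(frame) < 14:
        return None
    etype = struct.unpack("!H", frame[12:14])[0]
    if etype == VLAN_TAG_ETHERTYPE:
        if len(frame) < 18:
            return None
        etype = struct.unpack("!H", frame[16:18])[0]
    return etype


def session_sync_frames_per_interface(captures: Dict[str, List[bytes]]) -> Counter:
    """Count Ethertype 0x8892 frames for each captured interface."""
    counts: Counter = Counter()
    for iface, frames in captures.items():
        counts[iface] = sum(1 for f in frames if ethertype_of(f) == SESSION_SYNC_ETHERTYPE)
    return counts


def check_sync_placement(captures: Dict[str, List[bytes]], sync_devs: List[str],
                         heartbeat_dev: str) -> Tuple[bool, List[str]]:
    """Return (ok, findings): ok is False if no sync frames are seen on the configured
    session-sync-dev interfaces, or if sync frames show up on the heartbeat interface,
    which means every dedicated sync link is down and the cluster has fallen back."""
    counts = session_sync_frames_per_interface(captures)
    findings = []
    if not any(counts[d] > 0 for d in sync_devs):
        findings.append("no session-sync frames on any session-sync-dev interface")
    if counts[heartbeat_dev] > 0:
        findings.append(f"session-sync frames on heartbeat interface {heartbeat_dev}: fallback in effect")
    return (not findings, findings)


def make_frame(etype: int, vlan: Optional[int] = None) -> bytes:
    """Build a constructed sample frame (placeholder MACs, zero-filled 46-byte payload)."""
    hdr = bytes.fromhex("00090f000001") + bytes.fromhex("00090f000002")
    if vlan is not None:
        hdr += struct.pack("!HH", VLAN_TAG_ETHERTYPE, vlan)
    return hdr + struct.pack("!H", etype) + b"\x00" * 46


# Constructed captures: healthy cluster, sync on port10 (one VLAN-tagged) and port12, none on ha1.
SAMPLE_CAPTURES = {
    "port10": [make_frame(0x8892), make_frame(0x8892, vlan=100), make_frame(0x0800)],
    "port12": [make_frame(0x8892)],
    "ha1": [make_frame(0x0800)],
}

if __name__ == "__main__":
    print(session_sync_frames_per_interface(SAMPLE_CAPTURES))
    print(check_sync_placement(SAMPLE_CAPTURES, ["port10", "port12"], "ha1"))
```

In practice the frames would come from a per-interface capture, for example the FortiGate built-in sniffer with a tcpdump-style `ether proto 0x8892` filter (assumed here) or a switch SPAN port.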


Related articles:

Technical Note: Sessions synchronization

Technical Note: How to increase session-sync performance on a SLBC cluster