FortiGate
cphi
Staff
Article Id 216710
Description This article discusses which configuration will and will not sync between FortiGates in an HA cluster.
Scope HA FortiGate.
Solution

While most of the configuration is synced between HA FortiGates, certain settings (specifically the 'set' commands listed below) will not sync between the cluster units.

Due to the nature of these settings, configure them independently on each unit.

The following configuration will not sync:

 

# config system interface
    edit [port]
        set management-ip X.X.X.X/X
    next
end

# config system global
    set hostname [string]
end

 

Note: The interface that is specified for the ha-mgmt-interface will not have its configuration synced under 'config system interface'.


# config system ha
    set group-id [0-255]
    set group-name [string]
    set mode [standalone|a-p|a-a]
    set password [string]
    set sync-config [enable|disable]
    set encryption [enable|disable]
    set authentication [enable|disable]
    config ha-mgmt-interfaces
        edit [ID]
            set dst [class_ip&net_netmask]
            set gateway [ipv4-address]
            set gateway6 [ipv6-address]
        next
    end
    set override [enable|disable]
    set priority [0-255]
    set override-wait-time [0-3600]
    config secondary-vcluster
        set override [enable|disable]
        set priority [0-255]
    end
end

 

It is also possible to set up a vdom-exception that specifies any of the following configuration objects so that they do not sync between the cluster units.

If VDOM mode is disabled, the configured object(s) will apply to the whole device.

If VDOM mode is enabled, the configured object(s) will apply to the scope specified.

 

# config system vdom-exception
    edit 1
        set object [object]
        set scope [all|inclusive|exclusive]*
        set vdom [name1],[name2]..*
    next
end

 

List of objects that can be independently configured:


log.fortianalyzer.setting
log.fortianalyzer.override-setting
log.fortianalyzer2.setting
log.fortianalyzer2.override-setting
log.fortianalyzer3.setting
log.fortianalyzer3.override-setting
log.fortianalyzer-cloud.setting
log.fortianalyzer-cloud.override-setting
log.syslogd.setting
log.syslogd.override-setting
log.syslogd2.setting
log.syslogd2.override-setting
log.syslogd3.setting
log.syslogd3.override-setting
log.syslogd4.setting
log.syslogd4.override-setting
system.gre-tunnel
system.central-management
system.csf
user.radius
system.cluster-sync*
system.standalone-cluster*
system.interface*
vpn.ipsec.phase1-interface*
vpn.ipsec.phase2-interface*
router.bgp*
router.route-map*
router.prefix-list*
firewall.ippool*
firewall.ippool6*
router.static*
router.static6*
firewall.vip*
firewall.vip6*
system.sdwan*
system.saml*
router.policy*
router.policy6*

 

*These configurations are only available on VM models
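
The following Python is an added example, not part of the original article or any Fortinet tooling: it compares two cluster members' configuration backups and separates the differences this article describes as expected (hostname, management-ip, everything under config system ha, and objects named in vdom-exception) from unexpected drift. It assumes well-formed backups with single-line set values and treats each vdom-exception object as device-wide; the function names, sample configs and addresses are constructed.

```python
# Added example: sample configs (UNIT_A / UNIT_B) are constructed for illustration.
PER_UNIT_KEYS = {("system global", "hostname"),
                 ("system interface", "management-ip")}

def parse(text):
    """Flatten FortiOS-style config text into {(path, key): value}."""
    stack, flat = [], {}
    for line in map(str.strip, text.splitlines()):
        if line.startswith(("config ", "edit ")):
            stack.append(line.split(" ", 1)[1].strip('"'))
        elif line in ("next", "end") and stack:
            stack.pop()
        elif line.startswith("set ") and stack:
            key, _, value = line[4:].partition(" ")
            flat[tuple(stack), key] = value
    return flat

def classify(unit_a, unit_b):
    """Return (expected, drift) lists of 'path :: key' whose values differ."""
    a, b = parse(unit_a), parse(unit_b)
    # Objects exempted from sync through 'config system vdom-exception'.
    exempt = {v for cfg in (a, b) for (path, key), v in cfg.items()
              if path[0] == "system vdom-exception" and key == "object"}
    expected, drift = [], []
    for path, key in sorted(k for k in set(a) | set(b) if a.get(k) != b.get(k)):
        per_unit = (path[0] == "system ha" or (path[0], key) in PER_UNIT_KEYS
                    or path[0].replace(" ", ".") in exempt)
        (expected if per_unit else drift).append(f"{' > '.join(path)} :: {key}")
    return expected, drift

UNIT_A = """config system global
set hostname "FGT-A"
end
config system ha
set priority 200
end
config system vdom-exception
edit 1
set object log.syslogd.setting
next
end
config log syslogd setting
set server "192.0.2.10"
end
config system dns
set primary 192.0.2.53
end"""
UNIT_B = (UNIT_A.replace("FGT-A", "FGT-B").replace("200", "100")
          .replace("192.0.2.10", "192.0.2.20").replace("192.0.2.53", "192.0.2.99"))
```

Calling `classify(UNIT_A, UNIT_B)` reports the DNS difference as drift, while the hostname, HA priority and exempted syslog server differences are reported as expected.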
