
Introduction

Hi guys, in this series of blogs we will talk about the different FortiGate HA protocols. FortiGate supports two HA protocols: FGCP and FGSP.

In this blog, we will look more closely at the FGSP protocol, i.e. the FortiGate Session Life Support Protocol. FGSP was introduced in FortiOS 5.0 to overcome the HA restrictions on asymmetric traffic, TCP, UDP and ICMP sessions, as well as NAT sessions. It also supports configuration synchronization between two FortiGate firewalls. With FGSP, external traffic load balancers can be used to share the load across two FortiGates. FGSP is well suited to networks that use equal-cost load balancing of links between routers, also called equal-cost multi-path (ECMP) routing or multipath routing.

FGSP can be used for both session synchronization and configuration synchronization between two FortiGate firewalls.

FGSP Deployment Scenarios

ECMP (equal-cost multipath) routing is very common in large networks using OSPF. Typically, when ECMP is in use, routers forward packets based on the source/destination IP pair. The figure above shows an example network with ECMP. Assume 192.168.1.50 and 192.168.1.100 are sending traffic to 172.16.1.50 and 172.16.1.100 respectively; it is very likely that the two flows will take different paths through the network. 192.168.1.50/172.16.1.50 might take the left path and 192.168.1.100/172.16.1.100 the right path.

In FGSP both FortiGate firewalls remain in an Active state and process traffic in a load-balanced fashion, matching the ECMP routing in front of them. If one device fails, traffic is processed by the other device; because the sessions were already synchronized, no data is lost.

Deployment Requirements

FGSP is not the same as FGCP: the devices in FGSP behave as standalone devices with different interface IPs.

  • There is no clustering between the devices.
  • FortiGate configuration sync must be configured explicitly; it will not sync automatically.
  • The model and FortiOS version must be the same on both devices.
  • Only the specific VDOMs you select will have their sessions synchronized.
  • VRRP is not supported with FGSP.
  • FGCP and FGSP cannot be configured together on the same firewalls.
  • The FortiOS version must be 5.0 or later.

There can be a performance impact if one device goes down, as all traffic will then be routed through a single device.

Configuration requirements

  • FGSP parameters are configured through the CLI only.
  • The best practice is to reset both FortiGate devices to factory defaults first.
  • The interface IPs of the two FortiGates must be different. As shown in the figure above, FGT-A has port3 with IP address 10.10.10.2 and FGT-B has port3 with IP address 10.10.10.1.

Configuring Session Synchronization peers between two firewalls

First of all, we need to configure IPs on the interfaces of both firewalls, which can be done from either the GUI or the CLI. I will explain the CLI method here.

For FGT-A

  • config system interface
  • edit port3
  • set mode static
  • set ip 10.10.10.2/24
  • end

For FGT-B

  • config system interface
  • edit port3
  • set mode static
  • set ip 10.10.10.1/24
  • end

After configuring the IPs on the interfaces, we need to configure the session peers so they can sync their VDOMs.

FGT-A:

  • config system session-sync
  • edit 1
  • set peerip 10.10.10.1
  • set peervd "root"
  • set syncvd "vdom_1"
  • next
  • end

FGT-B:

  • config system session-sync
  • edit 1
  • set peerip 10.10.10.2
  • set peervd "root"
  • set syncvd "vdom_1"
  • next
  • end

The syncvd tells the FortiGate to synchronize sessions that exist in the “vdom_1” VDOM. Sessions in the “root” VDOM will not be synchronized. To synchronize more than one VDOM, add additional statements for each VDOM that requires session synchronization. The peerip and peervd settings will be the same, only the syncvd setting will change.

The peervd of root tells the FortiGate that sessions will be synchronized using the root VDOM as the transport mechanism. The peerip IP address must be in the same VDOM as the peervd setting. In the figure above, port3 is in the "root" VDOM.

When VDOMs are not enabled, the peervd setting defaults to "root" and is only visible using "show full-configuration", so the session-sync entry reduces to the following.

FGT-A:

  • config system session-sync
  • edit 1
  • set peerip 10.10.10.1
  • set syncvd "root"
  • next
  • end

FGT-B:

  • config system session-sync
  • edit 1
  • set peerip 10.10.10.2
  • set syncvd "root"
  • next
  • end
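The peer entries above have to mirror each other: each side's peerip is the other side's port3 address, peervd is the VDOM that owns port3, and one entry is added per VDOM to synchronize. As an added example (not code from the post or from Fortinet), this Python script renders the "config system session-sync" stanza for both peers from a constructed topology and checks the constraints the post states before emitting anything.

```python
import ipaddress

# Constructed sample topology (not a real deployment): each FortiGate's
# FGSP transport interface, the VDOM it belongs to, and its IP address.
PEERS = {
    "FGT-A": {"iface": "port3", "vdom": "root", "ip": "10.10.10.2/24"},
    "FGT-B": {"iface": "port3", "vdom": "root", "ip": "10.10.10.1/24"},
}


def check_peer_link(local, remote):
    """Sanity-check the FGSP transport link between two standalone peers.

    Returns a list of problems; an empty list means the link is usable."""
    problems = []
    l_if = ipaddress.ip_interface(local["ip"])
    r_if = ipaddress.ip_interface(remote["ip"])
    if l_if.ip == r_if.ip:
        problems.append("peer interface IPs must differ (FGSP peers are standalone)")
    if l_if.network != r_if.network:
        problems.append(f"{l_if} and {r_if} are not on the same subnet")
    if local["vdom"] != remote["vdom"]:
        problems.append("transport interfaces are in different VDOMs")
    return problems


def session_sync_config(local, remote, sync_vdoms):
    """Render 'config system session-sync' for the local peer.

    One entry per VDOM to synchronize: peerip and peervd stay the same,
    only syncvd changes. peervd is the VDOM owning the transport interface,
    which keeps peerip reachable inside that VDOM."""
    problems = check_peer_link(local, remote)
    if problems:
        raise ValueError("; ".join(problems))
    peer_ip = ipaddress.ip_interface(remote["ip"]).ip
    lines = ["config system session-sync"]
    for idx, vdom in enumerate(sync_vdoms, start=1):
        lines += [f"    edit {idx}",
                  f"        set peerip {peer_ip}",
                  f'        set peervd "{local["vdom"]}"',
                  f'        set syncvd "{vdom}"',
                  "    next"]
    lines.append("end")
    return "\n".join(lines)


if __name__ == "__main__":
    for name, other in (("FGT-A", "FGT-B"), ("FGT-B", "FGT-A")):
        print(f"# {name}")
        print(session_sync_config(PEERS[name], PEERS[other], ["vdom_1"]))
```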

Enabling configuration synchronization between the peers

Configuration synchronization in FGSP synchronizes firewall policies, UTM profiles and most other features. By default, it does not synchronize interface IP addresses or BGP peer information.

To enable the configuration synchronization in CLI, you need to run the below commands on both FortiGate firewalls.

FGT-A:

  • config system ha
  • set standalone-config-sync enable
  • end

FGT-B:

  • config system ha
  • set standalone-config-sync enable
  • end

A reboot is required on both FortiGates after running this command for the setting to take effect.

FGSP standalone configuration synchronization uses a process very similar to FGCP. There is a master/backup relationship between the two FortiGate firewalls, as in FGCP, but only for configuration synchronization, not for session information.

Configuring Session Synchronization

Now we need to define which sessions FGSP should share between the two FortiGate firewalls.

FGSP synchronizes IPv4 and IPv6 TCP, UDP, ICMP, expectation (asymmetric sessions), and NAT sessions. All the configuration is done in HA system settings.

Session pickup must be enabled first. Then, depending on your requirements, enable the additional session synchronization options below.

To configure synchronization of NAT sessions:

  • config system ha
  • set session-pickup enable
  • set session-pickup-nat enable
  • end

To configure synchronization of UDP and ICMP sessions:

  • config system ha
  • set session-pickup enable
  • set session-pickup-connectionless enable
  • end

To configure synchronization of asymmetric sessions:

  • config system ha
  • set session-pickup enable
  • set session-pickup-expectation enable
  • end

We can also configure a session filter that will help us synchronize specific traffic.

For example, only sessions for specific IP addresses can be synchronized. With the configuration below, only sessions from source IP 192.168.1.50 to destination 172.16.1.50 are synchronized; all other traffic is not.

  • config system session-sync
  • edit 1
  • config filter
  • set dstaddr 172.16.1.50 255.255.255.255
  • set srcaddr 192.168.1.50 255.255.255.255
  • end
  • next
  • end

These commands only need to be entered on one FortiGate; the configuration is synchronized to the other firewall.

So, in this blog, we learned what FGSP is and how to configure FortiGate HA using FGSP.

If you want to read more blogs on security components (Cisco ISE, Cisco WSA and FortiGate Firewall) and on beginner and advanced home security, then please follow the links. If you are planning to deploy a FortiGate firewall in your network, you can always reach out to us. The team at Zindagi Technologies consists of experts in the fields of Network Security, Data Centre technologies, Enterprise & Service Provider Networks, Virtualization, Private Cloud, Public Cloud, Data Centre Networks (LAN and SAN), Collaboration, Wireless, Surveillance, OpenStack, ACI, storage and security technologies, with over 20 years of combined industry experience in planning, designing, implementing and optimizing complex Network Security and VPN deployments. To get in touch with us, you can give us a call at +91 9773973971.

Author
Anshul Sapra

Network Enterprise Consultant
