Using FGSP to load balance access to two active-active data centers – expert


This advanced scenario describes how to configure FortiGate Session Life Support Protocol (FGSP) HA with four peer FortiGates protecting two active-active data centers.

In this configuration, two redundant active-active data centers process traffic from the Internet. Traffic is distributed to the FortiGates (named Peer-1, Peer-2, Peer-3 and Peer-4) by the routers or load balancers. All of the FortiGates are configured with two virtual domains: root and vdom1. All sessions processed by vdom1 are synchronized to all of the FortiGates. The synchronization link interface is port 3, which is in the root virtual domain. The IP addresses of port 3 are different for each FortiGate:

  • For Peer-1, the port 3 IP address is 10.10.10.1
  • For Peer-2, the port 3 IP address is 10.10.10.2
  • For Peer-3, the port 3 IP address is 10.10.10.3
  • For Peer-4, the port 3 IP address is 10.10.10.4

The port 1 and port 2 interfaces are added to vdom1. To keep the configuration very simple and applicable to many different networks, port 1 and port 2 are added to a virtual wire pair so these interfaces do not have IP addresses. This example includes a simple policy that allows all traffic across the virtual wire pair. The example policy applies the default VoIP profile to all VoIP traffic and otherwise applies virus scanning and application control.

This architecture supports different configurations on each FortiGate, but this is not recommended. Usually all of the FortiGates in an FGSP cluster have the same configuration. This example disables FGSP configuration synchronization and assumes you are using FortiManager to keep the configurations of the FortiGates synchronized.

1. Configuring the first FortiGate (Peer-1)

Configure Peer-1 with the following settings:

Enable virtual domain configuration, add vdom1, set vdom1 to proxy mode (to support VoIP profiles), and add port 1 and port 2 to vdom1.

config system global
    set vdom-admin enable
end

config vdom
    edit vdom1
        config system settings
            set inspection-mode proxy
        end
    end

config global
    config system interface
        edit port1
            set vdom vdom1
        next
        edit port2
            set vdom vdom1
        end
    end

Create a virtual wire pair between port 1 and port 2.

config vdom
    edit vdom1
        config system virtual-wire-pair
            edit my-wire-pair
                set member port1 port2
            end
    end

Create a virtual wire pair policy to allow all traffic between port 1 and port 2. This example policy applies antivirus scanning, application control, and VoIP profiles.

config vdom
    edit vdom1
        config firewall policy
            edit 1
                set srcintf port1 port2
                set dstintf port1 port2
                set srcaddr all
                set dstaddr all
                set service ALL
                set schedule always
                set action allow
                set utm-status enable
                set av-profile default
                set application-list default
                set voip-profile default
            end
    end

Configure Peer-1 for FGSP.

config system cluster-sync
    edit 1
        set peerip 10.10.10.2
        set peervd root
        set syncvd vdom1
    next
    edit 2
        set peerip 10.10.10.3
        set peervd root
        set syncvd vdom1
    next
    edit 3
        set peerip 10.10.10.4
        set peervd root
        set syncvd vdom1
    end

2. Configuring the second FortiGate (Peer-2)

Configure Peer-2 with the same configuration as Peer-1:

  • Enable virtual domain configuration, add vdom1, set vdom1 to proxy mode (to support VoIP profiles), and add port 1 and port 2 to vdom1.
  • Create a virtual wire pair between port 1 and port 2.
  • Create a virtual wire pair policy to allow all traffic between port 1 and port 2. This example policy applies antivirus scanning, application control, and VoIP profiles.

Configure Peer-2 for FGSP.

config system cluster-sync
    edit 1
        set peerip 10.10.10.1
        set peervd root
        set syncvd vdom1
    next
    edit 2
        set peerip 10.10.10.3
        set peervd root
        set syncvd vdom1
    next
    edit 3
        set peerip 10.10.10.4
        set peervd root
        set syncvd vdom1
    end

3. Configuring the third FortiGate (Peer-3)

Configure Peer-3 with the same configuration as Peer-1:

  • Enable virtual domain configuration, add vdom1, set vdom1 to proxy mode (to support VoIP profiles), and add port 1 and port 2 to vdom1.
  • Create a virtual wire pair between port 1 and port 2.
  • Create a virtual wire pair policy to allow all traffic between port 1 and port 2. This example policy applies antivirus scanning, application control, and VoIP profiles.

Configure Peer-3 for FGSP.

config system cluster-sync
    edit 1
        set peerip 10.10.10.1
        set peervd root
        set syncvd vdom1
    next
    edit 2
        set peerip 10.10.10.2
        set peervd root
        set syncvd vdom1
    next
    edit 3
        set peerip 10.10.10.4
        set peervd root
        set syncvd vdom1
    end

4. Configuring the fourth FortiGate (Peer-4)

Configure Peer-4 with the same configuration as Peer-1:

  • Enable virtual domain configuration, add vdom1, set vdom1 to proxy mode (to support VoIP profiles), and add port 1 and port 2 to vdom1.
  • Create a virtual wire pair between port 1 and port 2.
  • Create a virtual wire pair policy to allow all traffic between port 1 and port 2. This example policy applies antivirus scanning, application control, and VoIP profiles.

Configure Peer-4 for FGSP.

config system cluster-sync
    edit 1
        set peerip 10.10.10.1
        set peervd root
        set syncvd vdom1
    next
    edit 2
        set peerip 10.10.10.2
        set peervd root
        set syncvd vdom1
    next
    edit 3
        set peerip 10.10.10.3
        set peervd root
        set syncvd vdom1
    end

5. Synchronizing TCP sessions

Synchronize TCP sessions so that if one of the FortiGates fails, its TCP sessions continue to be processed by the remaining FortiGates. The sessions to the failed FortiGate are redistributed by the router or load balancer. The remaining FortiGates continue to process these sessions because they have been synchronized to the session tables of all of the FortiGates in the FGSP cluster.

Enter this command on each FortiGate to synchronize TCP sessions among all of the FortiGates.

config system ha
    set session-pickup enable
end

6. Synchronizing UDP and ICMP sessions

Enter this command on each FortiGate to synchronize UDP and ICMP sessions among all of the FortiGates. You must enable TCP session synchronization to synchronize other types of sessions.

config system ha
    set session-pickup enable
    set session-pickup-connectionless enable
end

7. Synchronizing VoIP sessions

Synchronizing VoIP requires each FortiGate to allow the RTP sessions that an earlier SIP session set up, even if that SIP session was received by a different FortiGate. FortiOS calls these expectation sessions, so synchronizing VoIP sessions requires expectation session synchronization. You can use the diagnose sys session list expectation command to display the synchronization state of expectation sessions on each FortiGate.

Enter the following command on each FortiGate to synchronize expectation sessions to support VoIP. You must enable TCP session synchronization to synchronize other types of sessions.

config system ha
    set session-pickup enable
    set session-pickup-expectation enable
end

8. Synchronizing the configuration

You can use the built-in configuration synchronization feature of FGSP to keep the configuration of all of the FortiGates synchronized. If you are using FortiManager, you can disable configuration synchronization.

Enter the following command on each FortiGate to disable configuration synchronization.

config system ha
    set standalone-config-sync disable
end
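The four cluster-sync blocks above differ only in which three addresses each unit lists, and steps 5 to 7 depend on session-pickup being enabled first. As an added example (not part of this cookbook and not Fortinet code), the following Python script renders those per-peer blocks from a single peer list, renders the session-pickup settings of steps 5 to 8, and checks the two mistakes most easily made when the same configuration is typed on four units: a peer entry that is missing, duplicated or points at the unit's own address, and connectionless or expectation pickup enabled without session-pickup. The peer names and port 3 addresses are the article's; the function names, the check messages and the "Peer-3 forgot Peer-4" fault in the main block are constructed for this example. It generalizes the four-peer pattern to any number of peers up to the stated limit of 16.

```python
"""Render and sanity-check FGSP peer configuration for a full mesh (example code)."""
from typing import Dict, List

# Addresses from the article: the port3 synchronization link of each peer.
PEERS: Dict[str, str] = {
    "Peer-1": "10.10.10.1",
    "Peer-2": "10.10.10.2",
    "Peer-3": "10.10.10.3",
    "Peer-4": "10.10.10.4",
}
MAX_PEERS = 16  # FGSP limit stated in the article


def render_cluster_sync(self_ip: str, peer_ips: List[str],
                        peervd: str = "root", syncvd: str = "vdom1") -> str:
    """Render 'config system cluster-sync' for one FortiGate.

    One entry per *other* peer; the unit's own port3 address is skipped,
    which is exactly the difference between the four blocks in the article.
    """
    lines = ["config system cluster-sync"]
    for idx, ip in enumerate((p for p in peer_ips if p != self_ip), start=1):
        lines += [f"    edit {idx}",
                  f"        set peerip {ip}",
                  f"        set peervd {peervd}",
                  f"        set syncvd {syncvd}",
                  "    next"]
    lines.append("end")
    return "\n".join(lines) + "\n"


def build_cluster(peers: Dict[str, str]) -> Dict[str, str]:
    """Render the cluster-sync block for every peer, keyed by peer name."""
    ips = list(peers.values())
    return {name: render_cluster_sync(ip, ips) for name, ip in peers.items()}


def _onoff(flag: bool) -> str:
    return "enable" if flag else "disable"


def render_ha(session_pickup: bool, connectionless: bool = False,
              expectation: bool = False, config_sync: bool = False) -> str:
    """Render the 'config system ha' settings from steps 5 to 8."""
    return "\n".join([
        "config system ha",
        f"    set session-pickup {_onoff(session_pickup)}",
        f"    set session-pickup-connectionless {_onoff(connectionless)}",
        f"    set session-pickup-expectation {_onoff(expectation)}",
        f"    set standalone-config-sync {_onoff(config_sync)}",
        "end",
    ]) + "\n"


def _settings(text: str) -> Dict[str, List[str]]:
    """Collect every 'set KEY VALUE' line of a config block, keyed by KEY."""
    found: Dict[str, List[str]] = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 3 and parts[0] == "set":
            found.setdefault(parts[1], []).append(parts[2])
    return found


def parse_peer_ips(cluster_sync_text: str) -> List[str]:
    """Return the peerip values of a rendered cluster-sync block, in order."""
    return _settings(cluster_sync_text).get("peerip", [])


def check_full_mesh(peers: Dict[str, str], rendered: Dict[str, str]) -> List[str]:
    """Report peers that do not synchronize to every other peer exactly once.

    An empty list means the mesh is complete. A missing entry is the failure
    mode to look for: sessions are never synchronized to that peer, so traffic
    redistributed onto it after a failover has no session state to pick up.
    """
    problems: List[str] = []
    if len(peers) > MAX_PEERS:
        problems.append(f"{len(peers)} peers exceeds the FGSP limit of {MAX_PEERS}")
    all_ips = set(peers.values())
    for name, ip in peers.items():
        listed = parse_peer_ips(rendered[name])
        if ip in listed:
            problems.append(f"{name} lists its own address {ip} as a peer")
        if len(listed) != len(set(listed)):
            problems.append(f"{name} has duplicate peer entries")
        for missing in sorted(all_ips - {ip} - set(listed)):
            problems.append(f"{name} does not sync to {missing}")
    return problems


def check_session_pickup(ha_text: str) -> List[str]:
    """Flag connectionless/expectation pickup enabled without session-pickup,
    which the article says must be enabled before other session types sync."""
    s = _settings(ha_text)
    base_on = s.get("session-pickup", ["disable"])[-1] == "enable"
    problems: List[str] = []
    for key in ("session-pickup-connectionless", "session-pickup-expectation"):
        if s.get(key, ["disable"])[-1] == "enable" and not base_on:
            problems.append(f"{key} is enabled but session-pickup is not")
    return problems


if __name__ == "__main__":
    cluster = build_cluster(PEERS)
    print(cluster["Peer-1"])
    print("mesh problems:", check_full_mesh(PEERS, cluster))
    # Constructed fault: Peer-3 was configured without its entry for Peer-4.
    broken = dict(cluster)
    broken["Peer-3"] = render_cluster_sync("10.10.10.3", ["10.10.10.1", "10.10.10.2"])
    print("mesh problems:", check_full_mesh(PEERS, broken))
    print(render_ha(True, connectionless=True, expectation=True))
    print("ha problems:", check_session_pickup(render_ha(False, expectation=True)))
```

The renderer closes every entry with `next` and the table with a single `end`, which FortiOS accepts just as it accepts the `end` directly after the last entry used above. To check a cluster that was configured by hand, paste each unit's `show system cluster-sync` output into `check_full_mesh` in place of the rendered text; the parser only looks at `set peerip` lines.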

Bill Dickie

Our Fearless Documentation Leader at Fortinet
After completing a science degree at the University of Waterloo, Bill began his professional life teaching college chemistry in Corner Brook, Newfoundland and fell into technical writing after moving to Ottawa in the mid '80s. Tech writing stints at all sorts of companies finally led to joining Fortinet to write the first FortiGate-300 Administration Guide.
FGSP supports up to 16 peer FortiGates.