- Forums
- Knowledge Base
- Customer Service
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDeceptor
- FortiDevSec
- FortiDirector
- FortiEDR
- FortiExtender
- FortiGate Cloud
- FortiGuard
- FortiHypervisor
- FortiInsight
- FortiIsolator
- FortiMail
- FortiManager
- FortiMonitor
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPortal
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSandbox
- FortiSASE
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Forums
- Support Forum
- FGSP questions
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
FGSP questions
Hi
About to deploy FGSP between 2 existing clusters, both clusters in a new environment with only test networks connected to them
I have 2 things I'm not clear on
1. I will be syncing a couple of VDOMS, is there any issue using the root VDOM for the sync link? Other options I have are create a new one for just this purpose, or finally use the test VDOM which has very little going on, and will be the least busy once the real network is connected.
2. In each cluster, the 2 firewalls are connected in usual fashion, 2 direct links. The FGSP link will be a lot higher bandwidth port. Do you normally leave it like that? Is session pickup on HA failover still running over the direct ports?
thanks
Solved! Go to Solution.
Labels:
- Labels:
-
FortiGate
-
High Availability
1 Solution
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi Badger
- No issue at all when using root VDOM for sync link.
- You mean by direct link p2p without L2 switch between them? Yes you can do that or use a switch needed. Yes session pickup are still running in both cases.
Just in my experience I used HA ports for FGSP because they are not connected to NPU. I'm not sure and I don't remember if using a NPU connected port is 100% safe for FGSP, you'll need to check.
AEK
AEK
7 REPLIES 7
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi Badger
- No issue at all when using root VDOM for sync link.
- You mean by direct link p2p without L2 switch between them? Yes you can do that or use a switch needed. Yes session pickup are still running in both cases.
Just in my experience I used HA ports for FGSP because they are not connected to NPU. I'm not sure and I don't remember if using a NPU connected port is 100% safe for FGSP, you'll need to check.
AEK
AEK
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi
thanks for the response....so yes to clarify...
In each FGCP cluster, FW1 and FW2 have 2 direct connection via HA and another copper port.
The ports that are currently planned for FGSP, are going to be higher speed due to the fibres required on the LAN network that will connect the clusters across the site to site link.
So I just wanted to confirm
1. is that normal/ok?
2. When a FGCP HA failover happens, the sessions just failover using the direct links as normal - which I think you confirmed is the case
thanks
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
- For my last integration (DC FW) it was a so heavy load traffic so I used 2x 10G ports for FGSP sync and it worked fine. I couldn't take the risk using 1G ports with such high traffic. But I guess there may be some calculation to confirm if your FGSP sync ports are enough, but can't help further on that
- Here you talk about FGCP HA right? So you have 2 pairs of FG, each pair is FGCP and sessions are synced between the two pars with FGSP, right. So yes when FGCP HA fail-over happens all the sessions (local and FGSP) will fail-over to the second HA node as if nothing happened
That said you need to fine tune your FGSP and test it well with all possible scenarios before go prod.
AEK
AEK
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
1. I'm actually thinking of doing the same as you for the sync links, I already have the fibre links in place that I can do 2 x 10G for FGSP into each FW. I couldn't see much info on FGSP bandwidth vs the main traffic links. But if I do 2X10 its more than enough for sure. I've seen people say they've used quite varied speeds for the sync link
2. yep correct, thanks
Created on 03-21-2024 12:18 PM Edited on 03-22-2024 07:52 AM
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
If you need more support on FGSP feel free to post your questions and we'll be happy to help.
AEK
AEK
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Using the root VDOM for synchronization is not problematic, but may be a smart choice if that VDOM is the least loaded or has the largest resource available. However, creating a separate VDOM for synchronization may also be a smart solution to isolate this function from the main operations
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
great, thanks
Related Posts
- FortiWeb FortiSiem Seizing 72 Views
- Question about Fortigate license 144 Views
- FGSP Dynamic Tunnel VPN in SD-WAN 215 Views
- Flow-based and proxy-based inspection explanation needed 337 Views
- Discontinuation of FCNSP ERC codes for... 180 Views
Labels
-
FortiGate
6,536 -
FortiClient
1,304 -
5.2
801 -
5.4
639 -
FortiManager
563 -
6.0
416 -
FortiAnalyzer
414 -
5.6
362 -
FortiSwitch
333 -
FortiAP
333 -
FortiClient EMS
263 -
6.2
251 -
FortiMail
242 -
FortiAuthenticator v5.5
234 -
5.0
196 -
FortiWeb
150 -
6.4
128 -
FortiNAC
106 -
FortiGuard
102 -
FortiSIEM
88 -
FortiGateCloud
87 -
FortiCloud Products
84 -
IPsec
73 -
Customer Service
70 -
FortiToken
69 -
4.0MR3
64 -
SSL-VPN
60 -
Wireless Controller
58 -
FortiProxy
44 -
FortiADC
42 -
Fortivoice
41 -
FortiEDR
39 -
FortiGate v5.4
34 -
FortiDNS
34 -
FortiExtender
31 -
FortiSandbox
31 -
FortiSwitch v6.4
28 -
SD-WAN
24 -
Firewall policy
23 -
FortiConnect
23 -
FortiWAN
22 -
FortiConverter
21 -
VLAN
20 -
High Availability
20 -
FortiPortal
18 -
ZTNA
16 -
FortiSwitch v6.2
16 -
FortiGate v5.2
16 -
FortiMonitor
14 -
Certificate
14 -
DNS
13 -
FortiDDoS
13 -
SAML
12 -
BGP
12 -
Routing
12 -
FortiAuthenticator
12 -
FortiCASB
12 -
Interface
11 -
Logging
11 -
FortiGate v5.0
10 -
LDAP
10 -
FortiRecorder
10 -
VDOM
10 -
FortiWeb v5.0
9 -
FortiManager v5.0
9 -
Virtual IP
9 -
NAT
9 -
4.0MR2
9 -
RADIUS
8 -
Traffic shaping
8 -
SSID
7 -
RMA Information and Announcements
7 -
FortiSOAR
7 -
fortilink
7 -
FortiAnalyzer v5.0
7 -
FortiGate v4.0 MR3
7 -
Admin
7 -
4.0
7 -
SSL SSH inspection
6 -
Security profile
6 -
Authentication
6 -
Fortigate Cloud
6 -
IP address management - IPAM
6 -
Traffic shaping policy
5 -
FortiBridge
5 -
SNMP
5 -
SSO
5 -
Application control
5 -
FortiManager v4.0
5 -
Static route
5 -
FortiDirector
4 -
WAN optimization
4 -
Web application firewall profile
4 -
DNS Filter
4 -
FortiTester
4 -
FortiCarrier
4 -
FortiCache
4 -
OSPF
4 -
3.6
4 -
FortiScan
4 -
Proxy policy
4 -
IPS signature
3 -
packet capture
3 -
FortiToken Cloud
3 -
FortiAP profile
3 -
Intrusion prevention
3 -
Automation
3 -
DoS policy
3 -
Port policy
3 -
FortiDB
3 -
FortiDeceptor
2 -
FortiInsight
2 -
NAC policy
2 -
VoIP profile
2 -
Antivirus profile
2 -
Web profile
2 -
Traffic shaping profile
2 -
FortiAI
2 -
FortiHypervisor
2 -
Netflow
2 -
Fortinet Engage Partner Program
2 -
trunk
2 -
SDN connector
1 -
4.0MR1
1 -
Users
1 -
Subscription Renewal Policy
1 -
FortiCWP
1 -
FortiNDR
1 -
Web rating
1 -
FortiPAM
1 -
Application signature
1 -
Multicast routing
1 -
Authentication rule and scheme
1 -
Zone
1 -
FortiManager-VM
1 -
Internet Service Database
1 -
System settings
1 -
Explicit proxy
1 -
TACACS
1
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2024 Fortinet, Inc. All Rights Reserved.