Session failover (session-pickup)
High Availability
After a failover the new primary FortiGate-7000 recognizes open sessions that were being handled by the cluster.
The sessions continue to be processed by the new primary FortiGate-7000 and are handled according to their last
known state.
Session-pickup has some limitations. For example, session failover is not supported for sessions being scanned
by proxy-based security profiles. Session failover is supported for sessions being scanned by flow-based security
profiles; however, flow-based sessions that fail over are no longer inspected after the failover.
Sessions terminated by the cluster include management sessions (such as HTTPS connections to the FortiGate
GUI or SSH connections to the CLI, as well as SNMP, logging, and so on). Also included in this category are
IPsec VPN, SSL VPN, and explicit proxy sessions. In general, whether or not session-pickup is enabled, these
sessions do not fail over and have to be restarted.
Enabling session pickup for TCP and UDP
To enable session-pickup, from the CLI enter:
config system ha
set session-pickup enable
end
When session-pickup is enabled, sessions in the primary FortiGate-7000 TCP and UDP session tables are
synchronized to the backup FortiGate-7000. As soon as a new TCP or UDP session is added to the primary
FortiGate-7000 session table, that session is synchronized to the backup FortiGate-7000. This synchronization
happens as quickly as possible to keep the session tables synchronized.
If the primary FortiGate-7000 fails, the new primary FortiGate-7000 uses its synchronized session tables to
resume all TCP and UDP sessions that were being processed by the former primary FortiGate-7000 with only
minimal interruption. Under ideal conditions all TCP and UDP sessions should be resumed. This is not
guaranteed though and under less than ideal conditions some sessions may need to be restarted.
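As an added example (not Fortinet code and not part of the original page), the following Python script parses a `show system ha` block into its settings, reports whether session-pickup is enabled, and classifies a list of sessions by the rules given in this section: which sessions resume, which resume but are no longer inspected, and which must be restarted. The sample configuration text and the session list are constructed; the helper names `parse_fortios_block`, `session_pickup_enabled` and `failover_outcome`, and the assumption that `show` omits a setting left at its default (disable, for session-pickup), are mine.

```python
"""Audit a FortiGate 'config system ha' block for session-pickup and predict
which sessions survive a failover according to the rules in this section.

Added example, not Fortinet code. The config text and session list are
constructed; helper names are assumptions.
"""
from __future__ import annotations

import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample of what 'show system ha' might print on the primary unit.
SAMPLE_HA_CONFIG = """\
config system ha
    set group-name "fg7k-cluster"
    set mode a-p
    set hbdev "1-M1" 50 "1-M2" 50
    set session-pickup disable
    set override disable
    set priority 200
end
"""


def parse_fortios_block(text: str, block: str) -> dict[str, str]:
    """Return the 'set <key> <value>' pairs inside 'config <block> ... end'.

    Handles a single-level block only, which is all 'config system ha' needs.
    """
    settings: dict[str, str] = {}
    inside = False
    for raw in text.splitlines():
        line = raw.strip()
        if line == f"config {block}":
            inside = True
            continue
        if inside and line == "end":
            break
        if inside:
            m = re.match(r"set\s+(\S+)\s+(.*)$", line)
            if m:
                settings[m.group(1)] = m.group(2).strip()
    if not inside:
        raise ValueError(f"no 'config {block}' block found")
    return settings


def session_pickup_enabled(ha_config_text: str) -> bool:
    """Assumption: 'show' omits defaults and session-pickup defaults to disable,
    so a missing key is treated as disabled."""
    ha = parse_fortios_block(ha_config_text, "system ha")
    return ha.get("session-pickup", "disable") == "enable"


@dataclass(frozen=True)
class Session:
    name: str
    proto: str                          # "tcp" or "udp"
    inspection: str                     # "none", "flow" or "proxy"
    terminated_by_cluster: bool = False # mgmt, IPsec/SSL VPN, explicit proxy


def failover_outcome(s: Session, pickup: bool) -> str:
    """Classify one session using only the rules stated in this section:
    - terminated by the cluster: never fails over, whatever session-pickup is set to
    - proxy-based inspection: not supported, must restart
    - session-pickup disabled: nothing is synchronized, must restart
    - flow-based inspection: resumes, but is no longer inspected
    - plain TCP/UDP: resumes from the synchronized session table
    """
    if s.terminated_by_cluster or s.inspection == "proxy" or not pickup:
        return "restart"
    if s.inspection == "flow":
        return "resume-uninspected"
    return "resume"


def summarize(sessions: list[Session], ha_config_text: str) -> dict[str, int]:
    """Count sessions per outcome for a given HA configuration."""
    pickup = session_pickup_enabled(ha_config_text)
    return dict(Counter(failover_outcome(s, pickup) for s in sessions))


# Constructed session list standing in for the primary unit's session table.
SAMPLE_SESSIONS = [
    Session("web-plain", "tcp", "none"),
    Session("dns", "udp", "none"),
    Session("web-flow-av", "tcp", "flow"),
    Session("web-proxy-av", "tcp", "proxy"),
    Session("ssh-mgmt", "tcp", "none", terminated_by_cluster=True),
    Session("sslvpn", "tcp", "none", terminated_by_cluster=True),
]

if __name__ == "__main__":
    print("session-pickup enabled:", session_pickup_enabled(SAMPLE_HA_CONFIG))
    print("as configured:", summarize(SAMPLE_SESSIONS, SAMPLE_HA_CONFIG))
    enabled_cfg = SAMPLE_HA_CONFIG.replace("session-pickup disable", "session-pickup enable")
    print("with pickup enabled:", summarize(SAMPLE_SESSIONS, enabled_cfg))
```

Feed it the output of `show system ha` captured from the primary unit. The classification encodes only what this section states: cluster-terminated and proxy-inspected sessions restart regardless of the setting, flow-inspected sessions resume without further inspection, and plain TCP and UDP sessions resume only when session-pickup is enabled.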
If session pickup is disabled
If you disable session pickup, the FortiGate-7000 HA cluster does not keep track of sessions, and after a failover
active sessions have to be restarted or resumed. Most sessions can be resumed as a normal result of how TCP
and UDP applications resume communication after any routine network interruption.
The session-pickup setting does not affect session failover for sessions terminated by
the cluster.
If you do not require session failover protection, leaving session pickup disabled may reduce CPU usage and
HA heartbeat network bandwidth usage. Also, if your FortiGate-7000 HA cluster is mainly being used for
traffic that is not synchronized (for example, for proxy-based security profile processing), enabling session pickup
is not recommended, since most of those sessions will not fail over anyway.
FortiGate-7000
Fortinet Technologies Inc.