Add FortiGate FGCP to FHRP Group Protocol Choices #8259

New Issue

Closed

opened 2025-12-29 20:34:25 +01:00 by adam · 5 comments

adam commented 2025-12-29 20:34:25 +01:00

Owner

Copy Link

Originally created by @hexa2k9 on GitHub (Jun 28, 2023).

NetBox version

v3.5.4

Feature type

Change to existing functionality

Proposed functionality

The FHRP Group Protocols currently include the Standard Cases like VRRP, CARP or Cisco/Checkpoint Specific Protocols. There's probably a magnitude of other Protocols out there so in best case this would be configurable. In our current case we're lacking the FortiGate Clustering Protocol - in short FGCP, which would be a pretty quick addition I think.

The FortiOS 5.4 Docs have "the best docs" on this:

FGCP active-active HA uses a technique similar to unicast load balancing in which the primary unit is associated with the cluster HA virtual MAC addresses and cluster IP addresses. The primary unit is the only cluster unit to receive packets sent to the cluster. The primary unit then uses a load balancing schedule to distribute sessions to all of the units in the cluster (including the primary unit). Subordinate unit interfaces retain their actual MAC addresses and the primary unit communicates with the subordinate units using these MAC addresses. Packets exiting the subordinate units proceed directly to their destination and do not pass through the primary unit first.

More recent versions of Documentation mention FGCP only for active-passive HA setups, but the idea remains the same.

I've prepared a changeset which I'd open a PR for once there's positive feedback on this.

Use case

The Use case is to document our setup we're running with an active-active HA Setup on a pair of FortiGates. Currently we use "Other" as Protocol which still "fits the documentation needs" but it doesn't reflect reality on a devices "interfaces" section for the FHRP Group.

Database changes

No response

External dependencies

No response

Originally created by @hexa2k9 on GitHub (Jun 28, 2023). ### NetBox version v3.5.4 ### Feature type Change to existing functionality ### Proposed functionality The FHRP Group Protocols currently include the Standard Cases like VRRP, CARP or Cisco/Checkpoint Specific Protocols. There's probably a magnitude of other Protocols out there so in best case this would be configurable. In our current case we're lacking the FortiGate Clustering Protocol - in short FGCP, which would be a pretty quick addition I think. The FortiOS 5.4 Docs have "the best docs" on this: > FGCP active-active HA uses a technique similar to unicast load balancing in which the primary unit is associated with the cluster HA virtual MAC addresses and cluster IP addresses. The primary unit is the only cluster unit to receive packets sent to the cluster. The primary unit then uses a load balancing schedule to distribute sessions to all of the units in the cluster (including the primary unit). Subordinate unit interfaces retain their actual MAC addresses and the primary unit communicates with the subordinate units using these MAC addresses. Packets exiting the subordinate units proceed directly to their destination and do not pass through the primary unit first. More recent versions of Documentation mention FGCP only [for active-passive](https://docs.fortinet.com/document/fortigate/6.4.0/ports-and-protocols/564712/fgcp-fortigate-clustering-protocol) HA setups, but the idea remains the same. I've [prepared a changeset](https://github.com/hexa2k9/netbox/commit/547dd2fd2db6065b603c81c06d3c5ae5051947a2) which I'd open a PR for once there's positive feedback on this. ### Use case The Use case is to document our setup we're running with an active-active HA Setup on a pair of FortiGates. Currently we use "Other" as Protocol which still "fits the documentation needs" but it doesn't reflect reality on a devices "interfaces" section for the FHRP Group. ### Database changes _No response_ ### External dependencies _No response_

adam added the type: feature label 2025-12-29 20:34:25 +01:00

adam closed this issue 2025-12-29 20:34:25 +01:00

adam commented 2025-12-29 20:34:26 +01:00

Author

Owner

Copy Link

@pobradovic08 commented on GitHub (Jun 29, 2023):

The main question is is FGCP a FHRP? The current FHRP definition (from Netbox docs) says:

A first-hop redundancy protocol (FHRP) enables multiple physical interfaces to present a virtual IP address (VIP) in a redundant manner.

My thoughts on this are:

• All of the current protocols have a VIP address (even ClusterXL, which is not really a FHRP), while Fortigate uses the same (one) IP on both nodes and has no VIP.
• FHRP can be defined on interface pair basis, while FGCP and ClusterXL are on a device level
• FGCP and ClusterXL are clustering protocols that handle more than just first hop redundancy.

To me this looks more like a Virtual chassis usecase, but I agree that group ID and authentication is missing in Virtual chassis.

@pobradovic08 commented on GitHub (Jun 29, 2023): The main question is is FGCP a FHRP? The current FHRP definition (from Netbox docs) says: > A first-hop redundancy protocol (FHRP) enables multiple physical interfaces to present a virtual IP address (VIP) in a redundant manner. My thoughts on this are: - All of the current protocols have a VIP address (even ClusterXL, which is not really a FHRP), while Fortigate uses the same (one) IP on both nodes and has no VIP. - FHRP can be defined on interface pair basis, while FGCP and ClusterXL are on a device level - FGCP and ClusterXL are clustering protocols that handle more than just first hop redundancy. To me this looks more like a Virtual chassis usecase, but I agree that group ID and authentication is missing in Virtual chassis.

adam commented 2025-12-29 20:34:26 +01:00

Author

Owner

Copy Link

@hexa2k9 commented on GitHub (Jun 29, 2023):

From the quoted documentation part I think this is a fit.

I have to admit I'm not a "FortiGate Pro", and It certainly is true that FGCP does more than just providing HA for an IP to a pair of Interfaces in the Cluster and that a VC might be the more appropriate use case.

But in the case of doing the FortiGate Cluster as a VC (which is configured anyway for the instances we're running) it would have missing Interfaces from the VC members which IP Addresses (in this case in a n:1 relationship) can be assigned to to reflect the fact the IP is (or can be) active on more than one device (while only the primary unit processes traffic for the IP) and the devices itself - at least in our case - don't have individual IP Addresses assigned.

I could create 2 individual IP Addresses of let's say 11.22.33.44/29 and assign them to Interfaces on 2 individual Devices, but I think this doesn't reflect reality as it's actually the same IP Address assigned to 2 devices.

The lack of FGCP made me configure it as a FHRP of type "Other" which did let me assign the related IP Addresses and have this assigned to more than one Device/Interface pair.

@hexa2k9 commented on GitHub (Jun 29, 2023): From the quoted documentation part I think this is a fit. I have to admit I'm not a "FortiGate Pro", and It certainly is true that FGCP does more than just providing HA for an IP to a pair of Interfaces in the Cluster and that a VC might be the more appropriate use case. But in the case of doing the FortiGate Cluster as a VC (which is configured anyway for the instances we're running) it would have missing Interfaces from the VC members which IP Addresses (in this case in a n:1 relationship) can be assigned to to reflect the fact the IP is (or can be) active on more than one device (while only the primary unit processes traffic for the IP) and the devices itself - at least in our case - don't have individual IP Addresses assigned. I could create 2 individual IP Addresses of let's say 11.22.33.44/29 and assign them to Interfaces on 2 individual Devices, but I think this doesn't reflect reality as it's actually the same IP Address assigned to 2 devices. The lack of FGCP made me configure it as a FHRP of type "Other" which did let me assign the related IP Addresses and have this assigned to more than one Device/Interface pair.

adam commented 2025-12-29 20:34:26 +01:00

Author

Owner

Copy Link

@jsenecal commented on GitHub (Jul 7, 2023):

What about using 'other' for these obscure proprietary protocols?

@jsenecal commented on GitHub (Jul 7, 2023): What about using 'other' for these obscure proprietary protocols?

adam commented 2025-12-29 20:34:27 +01:00

Author

Owner

Copy Link

@hexa2k9 commented on GitHub (Jul 11, 2023):

That's what we currently do, yes. As there seems to be consensus about not adding FGCP I will close this request.

@hexa2k9 commented on GitHub (Jul 11, 2023): That's what we currently do, yes. As there seems to be consensus about not adding FGCP I will close this request.

adam commented 2025-12-29 20:34:27 +01:00

Author

Owner

Copy Link

@DanSheps commented on GitHub (Jul 11, 2023):

While something like Checkpoint's ClusterXL does appear to be a FHRP, FGCP appears to be more the control protocol for the cluster/HA itself then just a FHRP.

The Cisco (HSRP, GLBP) protocol is most definitely a FHRP, and Checkpoint (ClusterXL) protocol does appear to fit the description itself, so I don't think anything needs to happen in regards to those.

I am not against adding Fortigate's protocol, but I don't think it is really a FHRP myself.

@DanSheps commented on GitHub (Jul 11, 2023): While something like Checkpoint's ClusterXL does appear to be a FHRP, FGCP appears to be more the control protocol for the cluster/HA itself then just a FHRP. The Cisco (HSRP, GLBP) protocol is most definitely a FHRP, and Checkpoint (ClusterXL) protocol does appear to fit the description itself, so I don't think anything needs to happen in regards to those. I am not against adding Fortigate's protocol, but I don't think it is really a FHRP myself.

Sign in to join this conversation.

No Branch/Tag Specified

Branches Tags

main

update-changelog-comments-docs

feature-removal-issue-type

20911-dropdown

20239-plugin-menu-classes-mutable-state

21097-graphql-id-lookups

feature

fix_module_substitution

20923-dcim-templates

20044-elevation-stuck-lightmode

feature-ip-prefix-link

v4.5-beta1-release

20068-import-moduletype-attrs

20766-fix-german-translation-code-literals

20378-del-script

7604-filter-modifiers-v3

circuit-swap

12318-case-insensitive-uniqueness

20637-improve-device-q-filter

20660-script-load

19724-graphql

20614-update-ruff

14884-script

02496-max-page

19720-macaddress-interface-generic-relation

19408-circuit-terminations-export-templates

20203-openapi-check

fix-19669-api-image-download

7604-filter-modifiers

19275-fixes-interface-bulk-edit

fix-17794-get_field_value_return_list

11507-show-aggregate-and-rir-on-api

9583-add_column_specific_search_field_to_tables

v4.5.0

v4.4.10

v4.4.9

v4.5.0-beta1

v4.4.8

v4.4.7

v4.4.6

v4.4.5

v4.4.4

v4.4.3

v4.4.2

v4.4.1

v4.4.0

v4.3.7

v4.4.0-beta1

v4.3.6

v4.3.5

v4.3.4

v4.3.3

v4.3.2

v4.3.1

v4.3.0

v4.2.9

v4.3.0-beta2

v4.2.8

v4.3.0-beta1

v4.2.7

v4.2.6

v4.2.5

v4.2.4

v4.2.3

v4.2.2

v4.2.1

v4.2.0

v4.1.11

v4.1.10

v4.1.9

v4.1.8

v4.2-beta1

v4.1.7

v4.1.6

v4.1.5

v4.1.4

v4.1.3

v4.1.2

v4.1.1

v4.1.0

v4.0.11

v4.0.10

v4.0.9

v4.1-beta1

v4.0.8

v4.0.7

v4.0.6

v4.0.5

v4.0.3

v4.0.2

v4.0.1

v4.0.0

v3.7.8

v3.7.7

v4.0-beta2

v3.7.6

v3.7.5

v4.0-beta1

v3.7.4

v3.7.3

v3.7.2

v3.7.1

v3.7.0

v3.6.9

v3.6.8

v3.6.7

v3.7-beta1

v3.6.6

v3.6.5

v3.6.4

v3.6.3

v3.6.2

v3.6.1

v3.6.0

v3.5.9

v3.6-beta2

v3.5.8

v3.6-beta1

v3.5.7

v3.5.6

v3.5.5

v3.5.4

v3.5.3

v3.5.2

v3.5.1

v3.5.0

v3.4.10

v3.4.9

v3.5-beta2

v3.4.8

v3.5-beta1

v3.4.7

v3.4.6

v3.4.5

v3.4.4

v3.4.3

v3.4.2

v3.4.1

v3.4.0

v3.3.10

v3.3.9

v3.4-beta1

v3.3.8

v3.3.7

v3.3.6

v3.3.5

v3.3.4

v3.3.3

v3.3.2

v3.3.1

v3.3.0

v3.2.9

v3.2.8

v3.3-beta2

v3.2.7

v3.3-beta1

v3.2.6

v3.2.5

v3.2.4

v3.2.3

v3.2.2

v3.2.1

v3.2.0

v3.1.11

v3.1.10

v3.2-beta2

v3.1.9

v3.2-beta1

v3.1.8

v3.1.7

v3.1.6

v3.1.5

v3.1.4

v3.1.3

v3.1.2

v3.1.1

v3.1.0

v3.0.12

v3.0.11

v3.0.10

v3.1-beta1

v3.0.9

v3.0.8

v3.0.7

v3.0.6

v3.0.5

v3.0.4

v3.0.3

v3.0.2

v3.0.1

v3.0.0

v2.11.12

v3.0-beta2

v2.11.11

v2.11.10

v3.0-beta1

v2.11.9

v2.11.8

v2.11.7

v2.11.6

v2.11.5

v2.11.4

v2.11.3

v2.11.2

v2.11.1

v2.11.0

v2.10.10

v2.10.9

v2.11-beta1

v2.10.8

v2.10.7

v2.10.6

v2.10.5

v2.10.4

v2.10.3

v2.10.2

v2.10.1

v2.10.0

v2.9.11

v2.10-beta2

v2.9.10

v2.10-beta1

v2.9.9

v2.9.8

v2.9.7

v2.9.6

v2.9.5

v2.9.4

v2.9.3

v2.9.2

v2.9.1

v2.9.0

v2.9-beta2

v2.8.9

v2.9-beta1

v2.8.8

v2.8.7

v2.8.6

v2.8.5

v2.8.4

v2.8.3

v2.8.2

v2.8.1

v2.8.0

v2.7.12

v2.7.11

v2.7.10

v2.7.9

v2.7.8

v2.7.7

v2.7.6

v2.7.5

v2.7.4

v2.7.3

v2.7.2

v2.7.1

v2.7.0

v2.6.12

v2.6.11

v2.6.10

v2.6.9

v2.7-beta1

Solcon-2020-01-06

v2.6.8

v2.6.7

v2.6.6

v2.6.5

v2.6.4

v2.6.3

v2.6.2

v2.6.1

v2.6.0

v2.5.13

v2.5.12

v2.6-beta1

v2.5.11

v2.5.10

v2.5.9

v2.5.8

v2.5.7

v2.5.6

v2.5.5

v2.5.4

v2.5.3

v2.5.2

v2.5.1

v2.5.0

v2.4.9

v2.5-beta2

v2.4.8

v2.5-beta1

v2.4.7

v2.4.6

v2.4.5

v2.4.4

v2.4.3

v2.4.2

v2.4.1

v2.4.0

v2.3.7

v2.4-beta1

v2.3.6

v2.3.5

v2.3.4

v2.3.3

v2.3.2

v2.3.1

v2.3.0

v2.2.10

v2.3-beta2

v2.2.9

v2.3-beta1

v2.2.8

v2.2.7

v2.2.6

v2.2.5

v2.2.4

v2.2.3

v2.2.2

v2.2.1

v2.2.0

v2.1.6

v2.2-beta2

v2.1.5

v2.2-beta1

v2.1.4

v2.1.3

v2.1.2

v2.1.1

v2.1.0

v2.0.10

v2.1-beta1

v2.0.9

v2.0.8

v2.0.7

v2.0.6

v2.0.5

v2.0.4

v2.0.3

v2.0.2

v2.0.1

v2.0.0

v2.0-beta3

v1.9.6

v1.9.5

v2.0-beta2

v1.9.4-r1

v1.9.3

v2.0-beta1

v1.9.2

v1.9.1

v1.9.0-r1

v1.8.4

v1.8.3

v1.8.2

v1.8.1

v1.8.0

v1.7.3

v1.7.2-r1

v1.7.1

v1.7.0

v1.6.3

v1.6.2-r1

v1.6.1-r1

1.6.1

v1.6.0

v1.5.2

v1.5.1

v1.5.0

v1.4.2

v1.4.1

v1.4.0

v1.3.2

v1.3.1

v1.3.0

v1.2.2

v1.2.1

v1.2.0

v1.1.0

v1.0.7-r1

v1.0.7

v1.0.6

v1.0.5

v1.0.4

v1.0.3-r1

v1.0.3

1.0.0

Labels

Clear labels

beta

breaking change

complexity: high

complexity: low

complexity: medium

needs milestone

netbox

pending closure

plugin candidate

pull-request

Mirrored from GitHub Pull Request

severity: high

severity: low

severity: medium

status: accepted

status: backlog

status: blocked

status: duplicate

status: needs owner

status: needs triage

status: revisions needed

status: under review

topic: GraphQL

topic: Internationalization

topic: OpenAPI

topic: UI/UX

topic: cabling

topic: event rules

topic: htmx navigation

topic: industrialization

topic: migrations

topic: plugins

topic: scripts

topic: templating

topic: testing

type: bug

type: deprecation

type: documentation

type: feature

type: housekeeping

type: translation

No Label type: feature

Milestone

No items

No Milestone

Projects

Clear projects

No project

Assignees

Clear assignees

adam

No Assignees

1 Participants

Notifications

Subscribe

Due Date

No due date set.

Dependencies

No dependencies set.

Reference: starred/netbox#8259