Fortinet black logo

Handbook

Configuring link policies

Configuring link policies

A link policy matches traffic to rules that select a link group or virtual tunnel.

The policy uses a matching tuple: source, destination, service, and schedule. The policy match is a Boolean AND—All must match for the rule to be applied.

The elements of the tuple support specification by group objects. This is a Boolean OR—If source IP address belongs to member 1 OR member 2, then source matches.

The logical combinations enable you to subscribe multiple address spaces or services to a group of links, and create load balancing rules on that group basis.

The policy table is consulted from top to bottom. The first rule to match is applied.

The FortiADC system evaluates traffic to determine the routing rules to apply. With regard to link load balancing, the system evaluates rules in the following order and applies the first match:

  1. LLB link policy
  2. Policy route
  3. Static/Dynamic route
  4. LLB default link group

Before you begin:

  • You must have configured any address, service, and schedule objects that you want to use as match criteria for your policy.
  • You must have configured a link group or virtual tunnel group.
  • You must have Read-Write permission for Link Load Balance settings.
To configure a link policy:
  1. Go to Link Load Balance > Link Policy.
  2. Click Create New to display the configuration editor.
  3. Complete the configuration as described in Link policy configuration.
  4. Save the configuration.
  5. Reorder rules, as necessary.

Link policy configuration

Option Guidelines

Default Link Group

Select a link group configuration object that is used as the default when traffic does not match policy rules.

Name

Configuration name. Valid characters are A-Z, a-z, 0-9, _, and -. No spaces.

After you initially save the configuration, you cannot edit the name.

Ingress Interface

Select the network interface to which the policy applies.

Source Type

Whether to use address, address group, or ISP address objects for this rule.

Source, Source ISP, or Source Group

Select an address object to match source addresses. If you do not specify a source address, the rule matches any source address. See Configuring IPv4 address groups.

Destination Type

Whether to use address, address group, or ISP address objects for this rule.

Destination, Destination ISP, or Destination Group

Select an address object to match destination addresses. If you do not specify a destination address, the rule matches any destination. See Configuring IPv4 address groups.

Service Type

Whether to use service or service group objects for this rule.

Service or Service Group

Select a service object to match destination services. If you do not specify a service, the rule matches any service. See Creating service groups.

Schedule

Select the schedule object that determines the times the system uses the logic of this configuration. The link policy is active when the current time falls in a time period specified by one or more schedules in the schedule group. If you do not specify a schedule, the rule applies at all times. See Creating schedule groups.

Group Type

Link Group

Select a link group.

Reordering

After you have saved a rule, reorder rules as necessary. The rules table is consulted from top to bottom. The first rule that matches is applied and subsequent rules are not evaluated.

Hit Counts

Hit Counts: For monitor only. The value indicates the link policy hit times.

Configuring link policies

A link policy matches traffic to rules that select a link group or virtual tunnel.

The policy uses a matching tuple: source, destination, service, and schedule. The policy match is a Boolean AND—All must match for the rule to be applied.

The elements of the tuple support specification by group objects. This is a Boolean OR—If source IP address belongs to member 1 OR member 2, then source matches.

The logical combinations enable you to subscribe multiple address spaces or services to a group of links, and create load balancing rules on that group basis.

The policy table is consulted from top to bottom. The first rule to match is applied.

The FortiADC system evaluates traffic to determine the routing rules to apply. With regard to link load balancing, the system evaluates rules in the following order and applies the first match:

  1. LLB link policy
  2. Policy route
  3. Static/Dynamic route
  4. LLB default link group

Before you begin:

  • You must have configured any address, service, and schedule objects that you want to use as match criteria for your policy.
  • You must have configured a link group or virtual tunnel group.
  • You must have Read-Write permission for Link Load Balance settings.
To configure a link policy:
  1. Go to Link Load Balance > Link Policy.
  2. Click Create New to display the configuration editor.
  3. Complete the configuration as described in Link policy configuration.
  4. Save the configuration.
  5. Reorder rules, as necessary.

Link policy configuration

Option Guidelines

Default Link Group

Select a link group configuration object that is used as the default when traffic does not match policy rules.

Name

Configuration name. Valid characters are A-Z, a-z, 0-9, _, and -. No spaces.

After you initially save the configuration, you cannot edit the name.

Ingress Interface

Select the network interface to which the policy applies.

Source Type

Whether to use address, address group, or ISP address objects for this rule.

Source, Source ISP, or Source Group

Select an address object to match source addresses. If you do not specify a source address, the rule matches any source address. See Configuring IPv4 address groups.

Destination Type

Whether to use address, address group, or ISP address objects for this rule.

Destination, Destination ISP, or Destination Group

Select an address object to match destination addresses. If you do not specify a destination address, the rule matches any destination. See Configuring IPv4 address groups.

Service Type

Whether to use service or service group objects for this rule.

Service or Service Group

Select a service object to match destination services. If you do not specify a service, the rule matches any service. See Creating service groups.

Schedule

Select the schedule object that determines the times the system uses the logic of this configuration. The link policy is active when the current time falls in a time period specified by one or more schedules in the schedule group. If you do not specify a schedule, the rule applies at all times. See Creating schedule groups.

Group Type

Link Group

Select a link group.

Reordering

After you have saved a rule, reorder rules as necessary. The rules table is consulted from top to bottom. The first rule that matches is applied and subsequent rules are not evaluated.

Hit Counts

Hit Counts: For monitor only. The value indicates the link policy hit times.