Configuring persistence rules

Persistence rules identify traffic that should be ignored by load balancing rules and instead be forwarded to the same gateway each time the traffic traverses the FortiADC appliance.

You should use persistence rules with applications that use a secure connection. Such applications drop connections when the server detects a change in a client’s source IP address.

The table "Persistence rules used in link load balancing" describes the types of persistence rules you can configure.

Persistence rules used in link load balancing

| Persistence | Description |
|---|---|
| Source-Destination Pair | Packets with the same source IP address and destination IP address take the same outgoing gateway. |
| Source-Destination Address | Packets with a source IP address and destination IP address that belong to the same subnet take the same outgoing gateway. |
| Source Address | Packets with a source IP address that belongs to the same subnet take the same outgoing gateway. |
| Destination Address | Packets with a destination IP address that belongs to the same subnet take the same outgoing gateway. |

Before you begin:

  • You must have an awareness of the types of outbound traffic from your network. Persistence rules are useful for traffic that requires an established session, such as secure connections (HTTPS and SSH, for example).
  • You must have knowledge of the source and/or destination subnets to which the persistence rules should apply.
  • You must have Read-Write permission for Link Load Balance settings.

You can use persistence rules in link groups but not in virtual tunnels.

To configure a persistence rule:
  1. Go to Link Load Balance > Link Group.
  2. Click the Persistence tab.
  3. Click Create New to display the configuration editor.
  4. Complete the configuration as described in Persistence rule configuration.
  5. Save the configuration.

Persistence rule configuration

| Type | Guidelines |
|---|---|
| Name | Configuration name. Valid characters are A-Z, a-z, 0-9, _, and -. No spaces. You reference this name in the link group configuration. Note: After you initially save the configuration, you cannot edit the name. |
| Type | Select one of the persistence types, as described below. |
| Source-Destination Pair | |
| Timeout | The default is 300 seconds. |
| Source-Destination Address | |
| Timeout | The default is 300 seconds. |
| Source IPv4 Netmask Bits | Number of bits in a subnet mask to specify a network segment that should follow the persistence rule. |
| Destination IPv4 Netmask Bits | Number of bits in a subnet mask to specify a network segment that should follow the persistence rule. For example, if you set this to 24, and the system chooses a particular gateway router for destination IP 192.168.1.100, the system will select that same gateway for traffic to all destination IPs in subnet 192.168.1.0/24. |
| Source Address | |
| Timeout | The default is 300 seconds. |
| Source IPv4 Netmask Bits | Number of bits in a subnet mask to specify a network segment that should follow the persistence rule. The default is 32, but you can set it to any value between 1 and 32. For example, if you set this to 24, and the system chooses a particular gateway router for client IP 192.168.1.100, the system will select that same gateway for subsequent client requests when the subsequent client belongs to subnet 192.168.1.0/24. |
| Destination Address | |
| Timeout | The default is 300 seconds. |
| Destination IPv4 Netmask Bits | Number of bits in a subnet mask to specify a network segment that should follow the persistence rule. |
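
The following Python model is an added example, not FortiADC code or configuration syntax. It shows how the four persistence types and the netmask bits determine which packets share a gateway, and how a shorter mask pins a larger group of clients to one link. The type strings, the `balance` callback, the gateway names and the idle-timer behaviour of the timeout are assumptions made for illustration.

```python
import ipaddress
from itertools import cycle

# Model of the four persistence types on this page; not FortiADC code.
def persistence_key(ptype, src, dst, src_bits=32, dst_bits=32):
    """Derive the table key a rule of type `ptype` would use for one packet."""
    def net(ip, bits):
        return str(ipaddress.ip_network(f"{ip}/{bits}", strict=False))
    if ptype == "source-destination-pair":      # exact addresses, no masking
        return (net(src, 32), net(dst, 32))
    if ptype == "source-destination-address":   # both sides masked
        return (net(src, src_bits), net(dst, dst_bits))
    if ptype == "source-address":
        return (net(src, src_bits),)
    if ptype == "destination-address":
        return (net(dst, dst_bits),)
    raise ValueError(f"unknown persistence type: {ptype}")

class PersistenceTable:
    def __init__(self, ptype, timeout=300, src_bits=32, dst_bits=32):
        # Assumption: the 1-32 range the page gives for one field applies to both.
        if not (1 <= src_bits <= 32 and 1 <= dst_bits <= 32):
            raise ValueError("netmask bits must be between 1 and 32")
        self.ptype, self.timeout = ptype, timeout
        self.src_bits, self.dst_bits = src_bits, dst_bits
        self.entries = {}                       # key -> (gateway, expiry)

    def select(self, src, dst, now, balance):
        """Return the pinned gateway, calling `balance()` only on a miss."""
        key = persistence_key(self.ptype, src, dst, self.src_bits, self.dst_bits)
        hit = self.entries.get(key)
        gateway = hit[0] if hit and hit[1] > now else balance()
        # Assumption: the timeout is an idle timer refreshed by each match.
        self.entries[key] = (gateway, now + self.timeout)
        return gateway

def demo():
    """Constructed packets: (source, destination, time in seconds)."""
    balance = cycle(["gw1", "gw2", "gw3"]).__next__   # stand-in load balancer
    table = PersistenceTable("source-address", src_bits=24)
    packets = [("192.168.1.100", "203.0.113.10", 0),
               ("192.168.1.7", "198.51.100.5", 10),    # same /24: pinned
               ("192.168.2.7", "198.51.100.5", 10),    # other /24: balanced
               ("192.168.1.100", "203.0.113.10", 311)] # entry expired at 310
    return [table.select(s, d, t, balance) for s, d, t in packets]
```
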
