Configuring a virtual tunnel group

Virtual tunnels enable reliable, site-to-site connectivity using Generic Routing Encapsulation (GRE) to tunnel traffic between pairs of FortiADC appliances. See Using virtual tunnels.

The virtual tunnel group configuration sets the list of tunnel members, as well as load balancing options like algorithm and weight.

When you add members to a virtual tunnel configuration, you specify a local and a remote IP address. These are the IP addresses assigned to a network interface on the local and the remote FortiADC appliance.

Before you begin:

  • You must have Read-Write permission for Link Load Balance settings.

After you have configured a virtual tunnel configuration object, you can select it in the link policy configuration.

To configure a virtual tunnel:
  1. Go to Link Load Balance > Virtual Tunnel.
  2. Click Create New to display the configuration editor.
  3. Complete the configuration and add members as described in Virtual tunnel configuration.
  4. Save the configuration.

Virtual tunnel configuration

Settings Guidelines

Name

Configuration name. Valid characters are A-Z, a-z, 0-9, _, and -. No spaces. You reference this name in the LLB policy configuration.

Note: After you initially save the configuration, you cannot edit the name.

Method

  • Weighted Round Robin—Dispatches packets to VT members using a weighted round-robin method.
  • Source-Destination Hash—Dispatches packets by source-destination IP address tuple.

Add member

Name

Configuration name. Valid characters are A-Z, a-z, 0-9, _, and -. No spaces.

After you initially save the configuration, you cannot edit the name.

Tunnel Local Address

IP address for the network interface this system uses to form a VPN tunnel with the remote system.

Tunnel Remote Address

IP address that the remote FortiADC system uses to form a VPN tunnel with this system.

Health Check

  • Enable—Send probes to test whether the link is available.
  • Disable—Do not send probes to test the health of the link.

Weight

Assigns relative preference among members. Members with higher values are preferred and are assigned connections more frequently.

Status

  • Enable—The member is considered available for new traffic.
  • Disable—The member is considered unavailable for new traffic.

Backup

Enable to designate the tunnel as a backup member of the group. All backup members are inactive until all main members are down.
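
The interaction of Method, Weight, Status, Health Check and Backup described in the table can be modelled in a short script. This is an added illustration, not FortiADC code: the `Member` type, the function names, the use of SHA-256 for the hash method, and the sample addresses are all assumptions made for the example.

```python
import hashlib
import ipaddress
import re
from typing import NamedTuple

NAME_RE = re.compile(r"[A-Za-z0-9_-]+")  # valid name characters from the table

class Member(NamedTuple):       # hypothetical model of one tunnel member
    name: str
    local: str                  # Tunnel Local Address
    remote: str                 # Tunnel Remote Address
    weight: int = 1
    enabled: bool = True        # Status
    backup: bool = False        # Backup
    healthy: bool = True        # last health-check result (assumed input)

def validate(m):
    """Return a list of problems found in a member definition."""
    problems = []
    if not NAME_RE.fullmatch(m.name):
        problems.append("invalid name")
    for addr in (m.local, m.remote):
        try:
            ipaddress.ip_address(addr)
        except ValueError:
            problems.append(f"bad address: {addr}")
    return problems

def active_members(members):
    """Main members that are up; backups only when every main member is down."""
    up = [m for m in members if m.enabled and m.healthy]
    return [m for m in up if not m.backup] or [m for m in up if m.backup]

def weighted_round_robin(members, packets):
    """Dispatch `packets` packets; each member appears `weight` times per cycle."""
    cycle = [m.name for m in active_members(members) for _ in range(m.weight)]
    return [cycle[i % len(cycle)] for i in range(packets)] if cycle else []

def source_destination_hash(members, src, dst):
    """Pin a source-destination IP pair to one member (SHA-256 is an assumption)."""
    pool = active_members(members)
    if not pool:
        return None
    digest = hashlib.sha256(f"{src}|{dst}".encode()).digest()
    return pool[int.from_bytes(digest[:4], "big") % len(pool)].name

# Constructed sample group using documentation address ranges.
GROUP = [
    Member("vt-a", "192.0.2.1", "198.51.100.1", weight=2),
    Member("vt-b", "192.0.2.2", "198.51.100.2", weight=1),
    Member("vt-backup", "192.0.2.3", "198.51.100.3", backup=True),
]
```

In this model a failed health check shrinks the pool, so a hashed source-destination pair can move to a different member when a tunnel goes down.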
