Document
Library

Session-Aware Load Balancing Cluster Guide

About Session-Aware Load Balanced Clusters (SLBCs)
SLBC FortiController models
- FortiController-5103B
- FortiController-5903C
- FortiController-5913C
Getting started and SLBC Basics
- SLBC licensing
  - FortiOS Carrier licensing
  - Certificates
- Changing FortiController interface configurations
- Quick SLBC cluster setup
- Managing the cluster
- Monitoring the cluster
- Worker communication with FortiGuard
- Basic cluster NAT/Route mode configuration
  - Using the GUI to configure NAT/Route mode
  - Using the CLI to configure NAT/Route mode
- Primary unit (master) selection
  - Selecting the primary FortiController (and the primary chassis)
  - Selecting the primary worker
- Adding and removing workers
  - Adding one or more new workers
  - Removing a worker from a cluster
- Adding link aggregation (LACP) to an SLBC cluster (FortiController trunks)
  - Adding an aggregated interface
- Individual FortiAnalyzer settings on each worker
  - Configuring different FortiAnalyzer settings for each SLBC worker
  - Configuring different FortiAnalyzer settings for each worker and for the root VDOM of each worker
- Adding VLANs
  - Adding a VLAN to a FortiController interface
- VRRP support
- FGCP to SLBC migration
  - Assumptions
  - Conversion steps
- Updating SLBC firmware
Configuring communication between FortiControllers
- Changing the base control subnet and VLAN
- Changing the base management subnet and VLAN
- Changing the heartbeat VLAN
- Using the FortiController-5103B mgmt interface as a heartbeat interface
- Changing the heartbeat interface mode
- Enabling session sync and configuring the session sync interface
Changing load balancing settings
- Tuning TCP load balancing performance (TCP local ingress)
- Tuning UDP load balancing (UDP local ingress and UDP remote/local session setup)
- Changing the load distribution method
- TCP and UDP local ingress session setup and round robin load balancing
- Changing how UDP sessions are processed by the cluster
- Tuning load balancing performance: fragmented sessions
- Changing session timers
Life of a TCP packet
- Life of a TCP packet (default configuration: TCP local ingress disabled)
- Life of a TCP packet (TCP local ingress enabled)
Life of a UDP packet
- Life of a UDP packet (default configuration: UDP local ingress disabled and UDP remote session setup)
- Life of a UDP packet (UDP local ingress disabled and UDP local session setup)
- Life of a UDP packet (UDP local ingress enabled and UDP remote session setup)
- Life of a UDP packet (UDP local ingress enabled and UDP local session setup)
SLBC with one FortiController-5103B
- Setting up the hardware
- Configuring the FortiController
- Adding the workers to the cluster
- Operating and managing the cluster
Active-Passive SLBC with two FortiController-5103Bs
- Setting up the hardware
- Configuring the FortiControllers
- Adding the workers to the cluster
- Operating and managing the cluster
Dual mode SLBC with two FortiController-5103Bs
- Setting up the Hardware
- Configuring the FortiControllers
- Adding the workers to the cluster
- Operating and managing the cluster
Active-passive SLBC with two FortiController-5103Bs and two chassis
- Setting up the hardware
- Configuring the FortiController in chassis 1
- Configuring the FortiController in chassis 2
- Adding the workers to the cluster
- Operating and managing the cluster
- Checking the cluster status
Active-passive SLBC with four FortiController-5103Bs and two chassis
- Setting up the hardware
- Configuring the FortiController in chassis 1 slot 1
- Configuring the FortiController in chassis 1 slot 2
- Configuring the FortiController in chassis 2 slot 1
- Configuring the FortiController in chassis 2 slot 2
- Configuring the cluster
- Adding the workers to the cluster
- Operating and managing the cluster
- Checking the cluster status
Dual mode SLBC with four FortiController-5103Bs and two chassis
- Setting up the hardware
- Configuring the FortiController in chassis 1 slot 1
- Configuring the FortiController in chassis 1 slot 2
- Configuring the FortiController in chassis 2 slot 1
- Configuring the FortiController in chassis 2 slot 2
- Configuring the cluster
- Adding the workers to the cluster
- Operating and managing the cluster
- Checking the cluster status
Dual mode SLBC with four FortiController-5903Cs and two chassis
- Setting up the hardware
- Configuring the FortiController in Chassis 1 Slot 1
- Configuring the FortiController in chassis 1 slot 2
- Configuring the FortiController in chassis 2 slot 1
- Configuring the FortiController in chassis 2 slot 2
- Configuring the cluster
- Adding the workers to the cluster
- Operating and managing the cluster
- Checking the cluster status
Dual mode SLBC HA with LAGs third-party switch example
AP mode single chassis SLBC with LAGs third-party switch example
AP mode SLBC HA with LAGs third-party switch example
FortiController get and diagnose commands
- get load-balance status
- diagnose system flash list
- diagnose system ha showcsum
- diagnose system ha stats
- diagnose system ha status
- diagnose system ha force-slave-state
- diagnose system load-balance worker-blade status
- diagnose system load-balance worker-blade session-clear
- diagnose switch fabric-channel egress list
- diagnose switch base-channel egress list
- diagnose switch fabric-channel packet heartbeat-counters list
- diagnose switch fabric-channel physical-ports
- diagnose switch fabric-channel mac-address list
- diagnose switch fabric-channel mac-address filter
- diagnose switch fabric-channel trunk list
FortiController/FortiSwitch MIBs
FortiController/FortiSwitch traps
FortiController/FortiSwitch MIB fields
Shelf manager traps
Shelf manager MIB fields
- Shelf manager IPM controller (OID 1.3.6.1.4.1.16394.2.1.1.1)
- Shelf manager FRU device (OID 1.3.6.1.4.1.16394.2.1.1.2)
- Shelf manager sensor (OID 1.3.6.1.4.1.16394.2.1.1.3)
- Shelf manager board (OID 1.3.6.1.4.1.16394.2.1.1.4)
- Shelf manager system event log (sel) (OID 1.3.6.1.4.1.16394.2.1.1.5)
- Shelf manager shelf (OID 1.3.6.1.4.1.16394.2.1.1.6)
- Shelf manager LAN configuration (OID 1.3.6.1.4.1.16394.2.1.1.7)
- Shelf manager platform event filter (PEF) (OIDs 1.3.6.1.4.1.16394.2.1.1.8 - 19)
- Shelf manager FRU info table (OID 1.3.6.1.4.1.16394.2.1.1.20)
- Shelf manager FRU device by site (OID 1.3.6.1.4.1.16394.2.1.1.21)
- Shelf manager FRU LED state (OID 1.3.6.1.4.1.16394.2.1.1.22)
- Shelf manager board basic (OID 1.3.6.1.4.1.16394.2.1.1.32)
- Shelf manager fan tray (OID 1.3.6.1.4.1.16394.2.1.1.33)
- Shelf manager power supply (OID 1.3.6.1.4.1.16394.2.1.1.34)
- Shelf manager shelf manager (OID 1.3.6.1.4.1.16394.2.1.1.35)
- Shelf manager chassis (OID 1.3.6.1.4.1.16394.2.1.1.36)
- Shelf manager events (OID 1.3.6.1.4.1.16394.2.1.1.37)
- Shelf manager shelf manager status (OID 1.3.6.1.4.1.16394.2.1.1.38)
- Shelf manager shelf manager version (OID 1.3.6.1.4.1.16394.2.1.1.39)
- Shelf manager telco alarm (OID 1.3.6.1.4.1.16394.2.1.1.40)
- Shelf manager SEL information (OID 1.3.6.1.4.1.16394.2.1.1.41)
FortiController/FortiSwitch SNMP links
Change log

Home FortiController 5.2.10 Session-Aware Load Balancing Cluster Guide

Dual mode SLBC with two FortiController-5103Bs

5.2.10

Copy Link

Copy Doc ID 31a89d05-200d-11e9-b6f6-f8bc1258b856:162814

Download PDF

Dual mode SLBC with two FortiController-5103Bs

This example describes the basics of setting up a dual mode SLBC cluster that consists of two FortiController-5103Bs, installed in chassis slots 1 and 2, and three FortiGate-5001C workers, installed in chassis slots 3, 4, and 5. This SLBC configuration can have up to 16 10Gbit network connections.

The two FortiControllers in the same chassis to operate in dual mode to double the number of network interfaces available. In dual mode, two FortiControllers load balance traffic to multiple workers. Traffic can be received by both FortiControllers and load balanced to all of the workers in the chassis. In a dual mode configuration the front panel interfaces of both FortiControllers are active.

In a dual mode FortiController-5103B cluster, up to 16 10Gbyte network interfaces are available. The interfaces of the FortiController in slot 1 are named fctrl/f1 to fctrl/f8 and the interfaces of the FortiController in slot 2 are named fctr2/f1 to fctrl2/f8.

All networks have single connections to the first or second FortiController. It is a best practice in a dual-mode configuration to distribute traffic evenly between the FortiControllers. So in this example, ingress traffic from the internet is processed by the FortiController in slot 1 and egress traffic for the internal network is processed by the FortiController in slot 2.

Note

Redundant connections to a single network from two dual-mode FortiControllers in same chassis is only supported if you configure link aggregation.

One or more heartbeat links are created between the FortiControllers. Redundant heartbeat links are recommended. The heartbeat links use the FortiController front panel B1 and B2 interfaces.

If one of the FortiControllers fails, the remaining FortiController keeps processing traffic received by its front panel interfaces. Traffic to and from the failed FortiController is lost.

Previous

Next

Dual mode SLBC with two FortiController-5103Bs

This example describes the basics of setting up a dual mode SLBC cluster that consists of two FortiController-5103Bs, installed in chassis slots 1 and 2, and three FortiGate-5001C workers, installed in chassis slots 3, 4, and 5. This SLBC configuration can have up to 16 10Gbit network connections.

The two FortiControllers in the same chassis to operate in dual mode to double the number of network interfaces available. In dual mode, two FortiControllers load balance traffic to multiple workers. Traffic can be received by both FortiControllers and load balanced to all of the workers in the chassis. In a dual mode configuration the front panel interfaces of both FortiControllers are active.

In a dual mode FortiController-5103B cluster, up to 16 10Gbyte network interfaces are available. The interfaces of the FortiController in slot 1 are named fctrl/f1 to fctrl/f8 and the interfaces of the FortiController in slot 2 are named fctr2/f1 to fctrl2/f8.

All networks have single connections to the first or second FortiController. It is a best practice in a dual-mode configuration to distribute traffic evenly between the FortiControllers. So in this example, ingress traffic from the internet is processed by the FortiController in slot 1 and egress traffic for the internal network is processed by the FortiController in slot 2.

Note

Redundant connections to a single network from two dual-mode FortiControllers in same chassis is only supported if you configure link aggregation.

One or more heartbeat links are created between the FortiControllers. Redundant heartbeat links are recommended. The heartbeat links use the FortiController front panel B1 and B2 interfaces.

If one of the FortiControllers fails, the remaining FortiController keeps processing traffic received by its front panel interfaces. Traffic to and from the failed FortiController is lost.

Previous

Next