Session-Aware Load Balancing Cluster Guide

5.2.10

Life of a TCP packet (default configuration: TCP local ingress disabled)

Here is what can happen when a TCP packet enters an SLBC cluster with the default load balancing configuration (TCP local ingress disabled):

  1. A TCP packet is received by a FortiController front panel interface.
  2. The DP processor looks up the packet in its session table and one of the following happens:

     - If the packet is part of an established session, it is forwarded to the FortiController fabric backplane interface and from there to the fabric backplane interface of the worker that is processing the session. The packet is then processed by the worker and exits the worker’s fabric backplane interface.

     - If the packet is starting a new session, it is forwarded to the FortiController fabric backplane interface and from there to the fabric backplane interface of a worker. The worker is selected by the DP processor based on the load distribution method. The worker applies FortiGate firewall policies and accepts the packet. The packet is processed by the worker and exits the worker’s fabric backplane interface.

     - If the packet is starting a new session, it is forwarded to the FortiController fabric backplane interface and from there to the fabric backplane interface of a worker. The worker is selected by the DP processor based on the load distribution method. The worker applies FortiGate firewall policies and denies the session. The packet is dropped.

  3. Accepted packets are received by the FortiController backplane interface.

     - If the packet is part of an established session, the DP processor records the packet as part of an established session.

     - If the packet is starting a new session, the DP processor adds the new session to its session table.

  4. The packets exit the cluster through a FortiController front panel interface.

     The DP processor session table contains sessions accepted by worker firewall policies. A session expires and is removed from the table when no new packets have been received for it within the TCP session timeout.
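To make the session-table behaviour in steps 2 to 4 concrete, here is an added Python model of the flow; it is not Fortinet code, and the worker selection by a hash of the 5-tuple, the HTTPS/SSH-only firewall policy and the 3600-second timeout are assumptions made for the illustration (the page names none of them). It shows why a denied session leaves no table entry, why later packets of an accepted session are pinned to the worker that accepted it, and how an idle session is removed and then re-evaluated by policy when the flow reappears.

```python
import hashlib
from dataclasses import dataclass

# Assumed timeout in seconds; the real TCP session timeout is a FortiGate
# setting and is not given on this page.
TCP_SESSION_TIMEOUT = 3600


@dataclass(frozen=True)
class Packet:
    """Minimal TCP packet: the 5-tuple is all the session table keys on."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int

    def key(self):
        return ("tcp", self.src_ip, self.src_port, self.dst_ip, self.dst_port)


def default_policy(pkt):
    """Constructed stand-in for the worker's FortiGate firewall policies:
    accept only HTTPS and SSH, deny everything else."""
    return pkt.dst_port in (443, 22)


class DPProcessor:
    """Models the session table and worker selection described in steps 2-4."""

    def __init__(self, worker_ids, policy=default_policy):
        self.workers = list(worker_ids)
        self.policy = policy
        # session 5-tuple -> (worker id, time the last packet was seen)
        self.sessions = {}

    def select_worker(self, pkt):
        # Assumed load-distribution method: a stable hash of the 5-tuple, so
        # every packet of one flow lands on the same worker. The page does not
        # say which method the DP processor actually uses.
        digest = hashlib.sha256(repr(pkt.key()).encode()).digest()
        return self.workers[int.from_bytes(digest[:4], "big") % len(self.workers)]

    def expire(self, now):
        """Remove sessions idle for at least TCP_SESSION_TIMEOUT; return how many."""
        stale = [k for k, (_, seen) in self.sessions.items()
                 if now - seen >= TCP_SESSION_TIMEOUT]
        for k in stale:
            del self.sessions[k]
        return len(stale)

    def front_panel_ingress(self, pkt, now):
        """Step 2: session lookup; returns ('established'|'new', worker)."""
        self.expire(now)
        entry = self.sessions.get(pkt.key())
        if entry is not None:
            return "established", entry[0]
        return "new", self.select_worker(pkt)

    def worker_process(self, pkt, state):
        """Worker side: firewall policy decides when the session starts;
        packets of an already accepted session are passed through."""
        return state == "established" or self.policy(pkt)

    def backplane_ingress(self, pkt, worker, now):
        """Step 3: add the new session, or refresh an established one."""
        self.sessions[pkt.key()] = (worker, now)

    def handle(self, pkt, now):
        """Run one packet through steps 1-4.

        Returns ('established'|'accepted', worker) for packets that exit the
        cluster, or ('dropped', None) when the worker denies the new session.
        """
        state, worker = self.front_panel_ingress(pkt, now)
        if not self.worker_process(pkt, state):
            return "dropped", None  # a denied session never enters the table
        self.backplane_ingress(pkt, worker, now)
        return ("established" if state == "established" else "accepted"), worker


if __name__ == "__main__":
    dp = DPProcessor(["worker1", "worker2", "worker3"])
    https = Packet("10.0.0.5", 40000, "192.0.2.10", 443)  # constructed sample flow
    print(dp.handle(https, 0))    # new session, policy accepts
    print(dp.handle(https, 10))   # established, same worker as before
    telnet = Packet("10.0.0.5", 40001, "192.0.2.10", 23)
    print(dp.handle(telnet, 20))  # policy denies: dropped, no table entry
    print(dp.handle(https, 10 + TCP_SESSION_TIMEOUT))  # idle flow expired, accepted anew
```

Run it directly to see the four decisions printed. The point to take from the model is that the DP processor's table only grows from worker policy accepts, so policy is evaluated once per session and the table lookup is the fast path for every packet that follows, until the idle timeout forces the next packet of that flow back through policy.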
