Life of a UDP packet (UDP local ingress disabled and UDP local session setup)
Here is what can happen when a UDP packet enters a SLBC cluster with UDP local ingress disabled and UDP remote/local session setup set to local:
The DP processor looks up the packet in its session table and one of the following happens:
If the packet is part of an established session it is forwarded to the FortiController fabric backplane interface and from there to the fabric backplane interface of the worker that is processing the session. The packet is then processed by the worker and exits the worker’s fabric backplane interface.
If the packet is starting a new session it is forwarded to the FortiController fabric backplane interface and from there to the fabric backplane interface of a worker. The worker is selected by the DP processor based on the load distribution method. The worker applies FortiGate firewall policies and accepts the packet. The packet is processed by the worker and exits the worker’s fabric backplane interface.
If the packet is starting a new session it is forwarded to the FortiController fabric backplane interface and from there to the fabric backplane interface of a worker. The worker is selected by the DP processor based on the load distribution method. The worker applies FortiGate firewall policies and denies the session. The packet is blocked by the worker.
Accepted packets are received by the FortiController backplane interface.
If the packet is part of an established session the DP processor records the packet as part of an established session.
If the packet is starting a new session, the DP processor adds the new session to its session table.
The packets exit the cluster through a FortiController front panel interface.
The DP processor session table contains sessions accepted by worker firewall policies. These sessions expire and are removed from the table when no new packets have been received for that session by the UDP session timeout.