DOCUMENT LIBRARY

Session-Aware Load Balancing Cluster Guide

About Session-Aware Load Balanced Clusters (SLBCs)
SLBC FortiController models
- FortiController-5103B
- FortiController-5903C
- FortiController-5913C
Getting started and SLBC Basics
- SLBC licensing
  - FortiOS Carrier licensing
  - Certificates
- Changing FortiController interface configurations
- Quick SLBC cluster setup
- Managing the cluster
- Monitoring the cluster
- Worker communication with FortiGuard
- Basic cluster NAT/Route mode configuration
  - Using the GUI to configure NAT/Route mode
  - Using the CLI to configure NAT/Route mode
- Primary unit (master) selection
  - Selecting the primary FortiController (and the primary chassis)
  - Selecting the primary worker
- Adding and removing workers
  - Adding one or more new workers
  - Removing a worker from a cluster
- Adding link aggregation (LACP) to an SLBC cluster (FortiController trunks)
  - Adding an aggregated interface
- Individual FortiAnalyzer settings on each worker
  - Configuring different FortiAnalyzer settings for each SLBC worker
  - Configuring different FortiAnalyzer settings for each worker and for the root VDOM of each worker
- Adding VLANs
  - Adding a VLAN to a FortiController interface
- VRRP support
- FGCP to SLBC migration
  - Assumptions
  - Conversion steps
- Updating SLBC firmware
Configuring communication between FortiControllers
- Changing the base control subnet and VLAN
- Changing the base management subnet and VLAN
- Changing the heartbeat VLAN
- Using the FortiController-5103B mgmt interface as a heartbeat interface
- Changing the heartbeat interface mode
- Enabling session sync and configuring the session sync interface
Changing load balancing settings
- Tuning TCP load balancing performance (TCP local ingress)
- Tuning UDP load balancing (UDP local ingress and UDP remote/local session setup)
- Changing the load distribution method
- TCP and UDP local ingress session setup and round robin load balancing
- Changing how UDP sessions are processed by the cluster
- Tuning load balancing performance: fragmented sessions
- Changing session timers
Life of a TCP packet
- Life of a TCP packet (default configuration: TCP local ingress disabled)
- Life of a TCP packet (TCP local ingress enabled)
Life of a UDP packet
- Life of a UDP packet (default configuration: UDP local ingress disabled and UDP remote session setup)
- Life of a UDP packet (UDP local ingress disabled and UDP local session setup)
- Life of a UDP packet (UDP local ingress enabled and UDP remote session setup)
- Life of a UDP packet (UDP local ingress enabled and UDP local session setup)
SLBC with one FortiController-5103B
- Setting up the hardware
- Configuring the FortiController
- Adding the workers to the cluster
- Operating and managing the cluster
Active-Passive SLBC with two FortiController-5103Bs
- Setting up the hardware
- Configuring the FortiControllers
- Adding the workers to the cluster
- Operating and managing the cluster
Dual mode SLBC with two FortiController-5103Bs
- Setting up the Hardware
- Configuring the FortiControllers
- Adding the workers to the cluster
- Operating and managing the cluster
Active-passive SLBC with two FortiController-5103Bs and two chassis
- Setting up the hardware
- Configuring the FortiController in chassis 1
- Configuring the FortiController in chassis 2
- Adding the workers to the cluster
- Operating and managing the cluster
- Checking the cluster status
Active-passive SLBC with four FortiController-5103Bs and two chassis
- Setting up the hardware
- Configuring the FortiController in chassis 1 slot 1
- Configuring the FortiController in chassis 1 slot 2
- Configuring the FortiController in chassis 2 slot 1
- Configuring the FortiController in chassis 2 slot 2
- Configuring the cluster
- Adding the workers to the cluster
- Operating and managing the cluster
- Checking the cluster status
Dual mode SLBC with four FortiController-5103Bs and two chassis
- Setting up the hardware
- Configuring the FortiController in chassis 1 slot 1
- Configuring the FortiController in chassis 1 slot 2
- Configuring the FortiController in chassis 2 slot 1
- Configuring the FortiController in chassis 2 slot 2
- Configuring the cluster
- Adding the workers to the cluster
- Operating and managing the cluster
- Checking the cluster status
Dual mode SLBC with four FortiController-5903Cs and two chassis
- Setting up the hardware
- Configuring the FortiController in Chassis 1 Slot 1
- Configuring the FortiController in chassis 1 slot 2
- Configuring the FortiController in chassis 2 slot 1
- Configuring the FortiController in chassis 2 slot 2
- Configuring the cluster
- Adding the workers to the cluster
- Operating and managing the cluster
- Checking the cluster status
Dual mode SLBC HA with LAGs third-party switch example
AP mode single chassis SLBC with LAGs third-party switch example
AP mode SLBC HA with LAGs third-party switch example
FortiController get and diagnose commands
- get load-balance status
- diagnose system flash list
- diagnose system ha showcsum
- diagnose system ha stats
- diagnose system ha status
- diagnose system ha force-slave-state
- diagnose system load-balance worker-blade status
- diagnose system load-balance worker-blade session-clear
- diagnose switch fabric-channel egress list
- diagnose switch base-channel egress list
- diagnose switch fabric-channel packet heartbeat-counters list
- diagnose switch fabric-channel physical-ports
- diagnose switch fabric-channel mac-address list
- diagnose switch fabric-channel mac-address filter
- diagnose switch fabric-channel trunk list
FortiController/FortiSwitch MIBs
FortiController/FortiSwitch traps
FortiController/FortiSwitch MIB fields
Shelf manager traps
Shelf manager MIB fields
- Shelf manager IPM controller (OID 1.3.6.1.4.1.16394.2.1.1.1)
- Shelf manager FRU device (OID 1.3.6.1.4.1.16394.2.1.1.2)
- Shelf manager sensor (OID 1.3.6.1.4.1.16394.2.1.1.3)
- Shelf manager board (OID 1.3.6.1.4.1.16394.2.1.1.4)
- Shelf manager system event log (sel) (OID 1.3.6.1.4.1.16394.2.1.1.5)
- Shelf manager shelf (OID 1.3.6.1.4.1.16394.2.1.1.6)
- Shelf manager LAN configuration (OID 1.3.6.1.4.1.16394.2.1.1.7)
- Shelf manager platform event filter (PEF) (OIDs 1.3.6.1.4.1.16394.2.1.1.8 - 19)
- Shelf manager FRU info table (OID 1.3.6.1.4.1.16394.2.1.1.20)
- Shelf manager FRU device by site (OID 1.3.6.1.4.1.16394.2.1.1.21)
- Shelf manager FRU LED state (OID 1.3.6.1.4.1.16394.2.1.1.22)
- Shelf manager board basic (OID 1.3.6.1.4.1.16394.2.1.1.32)
- Shelf manager fan tray (OID 1.3.6.1.4.1.16394.2.1.1.33)
- Shelf manager power supply (OID 1.3.6.1.4.1.16394.2.1.1.34)
- Shelf manager shelf manager (OID 1.3.6.1.4.1.16394.2.1.1.35)
- Shelf manager chassis (OID 1.3.6.1.4.1.16394.2.1.1.36)
- Shelf manager events (OID 1.3.6.1.4.1.16394.2.1.1.37)
- Shelf manager shelf manager status (OID 1.3.6.1.4.1.16394.2.1.1.38)
- Shelf manager shelf manager version (OID 1.3.6.1.4.1.16394.2.1.1.39)
- Shelf manager telco alarm (OID 1.3.6.1.4.1.16394.2.1.1.40)
- Shelf manager SEL information (OID 1.3.6.1.4.1.16394.2.1.1.41)
FortiController/FortiSwitch SNMP links
Change log

Home FortiController 5.2.10 Session-Aware Load Balancing Cluster Guide

5.2.10

Configuring the FortiControllers

Connect to the GUI (using HTTPS) or CLI (using SSH) of the FortiController in slot 1 using the default IP address 192.168.1.99.

Or connect to the FortiController CLI through the console port (Baud Rate 9600bps, Data bits 8, Parity None, Stop bits 1, and Flow Control None).
Login using the admin administrator account and no password.
Add a password for the admin administrator account. From the GUI use the Administrators widget or from the CLI enter this command.

config admin user

edit admin

set password <password>

end
Change the FortiController mgmt interface IP address.

From the GUI use the Management Port widget or from the CLI enter this command:

config system interface

edit mgmt

set ip 172.20.120.151/24

end
If you need to add a default route for the management IP address, enter this command.

config route static

edit route 1

set gateway 172.20.120.2

end
Set the chassis type that you are using, for example:

config system global

set chassis-type fortigate-5140

end
Configure active-passive HA on the FortiController in slot 1. From the FortiController GUI System Information widget, beside HA Status select Configure.
Set Mode to Active-Passive, change the Group ID, and move the b1 and b2 interfaces to the Selected column and select OK.

You can also enter the following from the CL:

config system ha

set mode a-p>

set groupid 23

set hbdev b1 b2

end

If you have more than one cluster on the same network, each cluster should have a different Group ID. Changing the Group ID changes the cluster interface virtual MAC addresses. If your group ID setting causes a MAC address conflict you can select a different Group ID. The default Group ID of 0 is not a good choice and normally should be changed.

You can also adjust other HA settings. For example, you could increase the Device Priority of the FortiController that you want to become the primary unit, enable Override to make sure the FortiController with the highest device priority becomes the primary unit, and change the VLAN to use for HA heartbeat traffic if it conflicts with a VLAN on your network.

You would only select Enable chassis redundancy if your cluster has more than one chassis.
Log into the GUI of the FortiController in slot 2 and duplicate the HA configuration of the FortiController in slot 1, except for the Device Priority and override setting, which can be different on each FortiController.

After a short time, the FortiControllers restart in HA mode and form an active-passive cluster. Both FortiControllers must have the same HA configuration and at least one heartbeat link must be connected.

Normally the FortiController in slot 1 is the primary unit, and you can log into the cluster using the management IP address you assigned to this FortiController.
Confirm that cluster has been formed by viewing the HA configuration from the FortiController GUI. The display should show both FortiControllers in the cluster.

Since the configuration of all FortiControllers is synchronized, you can complete the configuration of the cluster from the primary FortiController.
Go to Load Balance > Status see the status of the cluster.

This page should show both FortiControllers in the cluster. The FortiController in slot 1 is the primary unit (slot icon colored green) and the FortiController in slot 2 is the secondary unit (slot icon colored yellow).
Go to Load Balance > Config to add the workers to the cluster by selecting Edit and moving the slots that contain workers to the Members list.

The Config page shows the slots in which the cluster expects to find workers. If the workers have not been configured yet their status will be Down.
Configure the External Management IP/Netmask. Once you have connected workers to the cluster, you can use this IP address to manage and configure them.

You can also enter the following CLI command to add slots 3, 4, and 5 to the cluster:

config load-balance setting

config slots

edit 3

next

edit 4

next

edit 5

end

end

You can also use the following CLI command to configure the external management IP/Netmask and management access to this address:

config load-balance setting

set base-mgmt-external-ip 172.20.120.100 255.255.255.0

set base-mgmt-allowaccess https ssh ping

end
Enable base management traffic between FortiControllers. The CLI syntax shows setting the default base management VLAN (101). You can also use this command to change the base management VLAN.

config load-balance setting

config base-mgmt-interfaces

edit b1

set vlan-id 101

next

edit b2

set vlan-id 101

end

end
Enable base control traffic between FortiControllers. The CLI syntax shows setting the default base control VLAN (301). You can also use this command to change the base management VLAN.

config load-balance setting

config base-ctrl-interfaces

edit b1

set vlan-id 301

next

edit b2

set vlan-id 301

end

end

Configuring the FortiControllers

Connect to the GUI (using HTTPS) or CLI (using SSH) of the FortiController in slot 1 using the default IP address 192.168.1.99.

Or connect to the FortiController CLI through the console port (Baud Rate 9600bps, Data bits 8, Parity None, Stop bits 1, and Flow Control None).
Login using the admin administrator account and no password.
Add a password for the admin administrator account. From the GUI use the Administrators widget or from the CLI enter this command.

config admin user

edit admin

set password <password>

end
Change the FortiController mgmt interface IP address.

From the GUI use the Management Port widget or from the CLI enter this command:

config system interface

edit mgmt

set ip 172.20.120.151/24

end
If you need to add a default route for the management IP address, enter this command.

config route static

edit route 1

set gateway 172.20.120.2

end
Set the chassis type that you are using, for example:

config system global

set chassis-type fortigate-5140

end
Configure active-passive HA on the FortiController in slot 1. From the FortiController GUI System Information widget, beside HA Status select Configure.
Set Mode to Active-Passive, change the Group ID, and move the b1 and b2 interfaces to the Selected column and select OK.

You can also enter the following from the CL:

config system ha

set mode a-p>

set groupid 23

set hbdev b1 b2

end

If you have more than one cluster on the same network, each cluster should have a different Group ID. Changing the Group ID changes the cluster interface virtual MAC addresses. If your group ID setting causes a MAC address conflict you can select a different Group ID. The default Group ID of 0 is not a good choice and normally should be changed.

You can also adjust other HA settings. For example, you could increase the Device Priority of the FortiController that you want to become the primary unit, enable Override to make sure the FortiController with the highest device priority becomes the primary unit, and change the VLAN to use for HA heartbeat traffic if it conflicts with a VLAN on your network.

You would only select Enable chassis redundancy if your cluster has more than one chassis.
Log into the GUI of the FortiController in slot 2 and duplicate the HA configuration of the FortiController in slot 1, except for the Device Priority and override setting, which can be different on each FortiController.

After a short time, the FortiControllers restart in HA mode and form an active-passive cluster. Both FortiControllers must have the same HA configuration and at least one heartbeat link must be connected.

Normally the FortiController in slot 1 is the primary unit, and you can log into the cluster using the management IP address you assigned to this FortiController.
Confirm that cluster has been formed by viewing the HA configuration from the FortiController GUI. The display should show both FortiControllers in the cluster.

Since the configuration of all FortiControllers is synchronized, you can complete the configuration of the cluster from the primary FortiController.
Go to Load Balance > Status see the status of the cluster.

This page should show both FortiControllers in the cluster. The FortiController in slot 1 is the primary unit (slot icon colored green) and the FortiController in slot 2 is the secondary unit (slot icon colored yellow).
Go to Load Balance > Config to add the workers to the cluster by selecting Edit and moving the slots that contain workers to the Members list.

The Config page shows the slots in which the cluster expects to find workers. If the workers have not been configured yet their status will be Down.
Configure the External Management IP/Netmask. Once you have connected workers to the cluster, you can use this IP address to manage and configure them.

You can also enter the following CLI command to add slots 3, 4, and 5 to the cluster:

config load-balance setting

config slots

edit 3

next

edit 4

next

edit 5

end

end

You can also use the following CLI command to configure the external management IP/Netmask and management access to this address:

config load-balance setting

set base-mgmt-external-ip 172.20.120.100 255.255.255.0

set base-mgmt-allowaccess https ssh ping

end
Enable base management traffic between FortiControllers. The CLI syntax shows setting the default base management VLAN (101). You can also use this command to change the base management VLAN.

config load-balance setting

config base-mgmt-interfaces

edit b1

set vlan-id 101

next

edit b2

set vlan-id 101

end

end
Enable base control traffic between FortiControllers. The CLI syntax shows setting the default base control VLAN (301). You can also use this command to change the base management VLAN.

config load-balance setting

config base-ctrl-interfaces

edit b1

set vlan-id 301

next

edit b2

set vlan-id 301

end

end

Secure Networking

Hybrid Mesh Firewall

NOC Management

LAN

WAN

Unified SASE

Single Vendor SASE

Cloud Network Security

Secure Endpoint Connectivity

Web Application / API Protection

Security Operations

Security Operations Automation

Identity

Early Detection & Prevention

Secure Networking

Hybrid Mesh Firewall

NOC Management

LAN

WAN

Communication & Surveillance

Unified SASE

Single Vendor SASE

Secure Endpoint Connectivity

Cloud Network Security

Cloud-Native Security

Web Application / API Protection

Security Operations

Security Operations Automation

Endpoint

Data Protection

Identity

Email

Early Detection & Prevention

Expert Services

Edge Firewall

Orchestration & management

SD Branch

Application Delivery

Single Vendor SASE

Secure Endpoint Connectivity

Secure Private Access

Thin Edge

Identity

Application Gateway

Enterprise Asset Management

Endpoint Agent

Agentless Security Posture

Identity

Wireless

Switching

Identity

Privilege Acccess Management

Next Generation Firewall

Orchestration & management

Expert Services

All

All

Account Management

SAAS Management

SAAS Application Security

Managed Services

Platform as a service (PAAS)

Other SAAS Services

4D Pillars

Cloud

Popular Solutions

Session-Aware Load Balancing Cluster Guide

Configuring the FortiControllers

Configuring the FortiControllers

Configuring the FortiControllers

Configuring the FortiControllers