Life of a UDP packet (default configuration: UDP local ingress disabled and UDP remote session setup)
Here is what can happen when a UDP packet enters a SLBC cluster with the default load balancing configuration (UDP local ingress disabled and UDP remote/local session setup set to remote):
- A UDP packet is received by a FortiController front panel interface.
-
The DP processor looks up the packet in its session table and one of the following happens:
If the packet is part of an established session it is forwarded to the FortiController fabric backplane interface and from there to the fabric backplane interface of the worker that is processing the session. The packet is then processed by the worker and exits the worker’s fabric backplane interface. The packet is received by the FortiController fabric backplane interface and then exits the cluster from a FortiController front panel interface.
If the packet is starting a new session it is forwarded to the FortiController fabric backplane interface and from there to the fabric backplane interface of a worker. The worker is selected by the DP processor based on the load distribution method. The worker applies FortiGate firewall policies and accepts the packet. The packet is processed by the worker and exits the worker’s fabric backplane interface. The packet is received by the FortiController fabric backplane interface and then exits the cluster from a FortiController front panel interface
If the packet is starting a new session it is forwarded to the FortiController fabric backplane interface and from there to the fabric backplane interface of a worker. The worker is selected by the DP processor based on the load distribution method. The worker applies FortiGate firewall policies and denies the session. The packet is blocked by the worker.
- Accepted packets are received by the FortiController backplane interface.
- Using worker-to-FortiController session setup helper packets, the workers send session updates for established sessions and new sessions to the DP processor.
-
The packets exit the cluster through a FortiController front panel interface.
The DP processor session table contains sessions accepted by worker firewall policies. These sessions expire and are removed from the table when no new packets have been received for that session by the UDP session timeout.