Session-Aware Load Balancing Cluster Guide

Life of a UDP packet (UDP local ingress enabled and UDP remote session setup)

5.2.10

With UDP local ingress enabled and UDP session setup set to remote, the life of a UDP packet looks like this:

  1. A UDP packet is received by a FortiController front panel interface.
  2. The DP processor looks up the packet in its session table and one of the following happens:

    - If the packet is part of an established session, it is forwarded to the FortiController fabric backplane interface and from there to the fabric backplane interface of the worker that is processing the session. The packet is then processed by the worker and exits the worker's fabric backplane interface.

    - If the packet is starting a new session and the worker accepts it: the new session is added to the DP processor session table. The packet is forwarded to the FortiController fabric backplane interface and from there to the fabric backplane interface of a worker. The worker is selected by the DP processor based on the load distribution method. The worker applies FortiGate firewall policies and accepts the packet. The packet is processed by the worker and exits the worker's fabric backplane interface.

    - If the packet is starting a new session and the worker denies it: the new session is added to the DP processor session table. The packet is forwarded to the FortiController fabric backplane interface and from there to the fabric backplane interface of a worker. The worker is selected by the DP processor based on the load distribution method. The worker applies FortiGate firewall policies and denies the packet. The packet is blocked by the worker.

  3. Accepted packets are received by the FortiController backplane interface.
  4. Using worker-to-FortiController heartbeats, the workers send session updates for established sessions and new sessions to the DP processor.
  5. The packets exit the cluster through a FortiController front panel interface.

    The DP processor session table contains both sessions accepted by and sessions denied by worker firewall policies. A session expires and is removed from the table when no new packets have been received for it within the UDP session timeout.
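The flow above as a small model, added here as an illustration and not Fortinet code. It shows that denied sessions occupy DP session table entries until the UDP session timeout, which matters when sizing the table. The class names, the 180-second timeout, worker selection by source IP, and returning the recorded verdict for packets that match an existing entry are all assumptions.

```python
from dataclasses import dataclass

@dataclass
class Session:
    worker: int        # worker slot chosen by the DP processor
    verdict: str       # "accept" or "deny", decided by the worker's policy
    last_seen: float   # time of the most recent packet for this session

class DPProcessor:
    """Toy model of the DP processor session table described above."""
    def __init__(self, workers, policy, timeout=180):  # timeout: constructed value
        self.workers = workers      # list of worker slot numbers
        self.policy = policy        # callable(five_tuple) -> "accept" | "deny"
        self.timeout = timeout      # stands in for the UDP session timeout (s)
        self.table = {}             # five_tuple -> Session

    def expire(self, now):
        # Remove entries that saw no packet within the UDP session timeout.
        idle = [k for k, s in self.table.items() if now - s.last_seen > self.timeout]
        for k in idle:
            del self.table[k]

    def receive(self, five_tuple, now):
        """Return (worker, verdict, is_new) for one UDP packet."""
        self.expire(now)
        s = self.table.get(five_tuple)
        if s is not None:                       # established session
            s.last_seen = now
            return s.worker, s.verdict, False
        # New session: the entry exists whether the worker accepts or denies.
        # Hashing the source IP is an assumption standing in for whichever
        # load distribution method is configured.
        worker = self.workers[sum(five_tuple[0].encode()) % len(self.workers)]
        verdict = self.policy(five_tuple)       # worker applies firewall policy
        self.table[five_tuple] = Session(worker, verdict, now)
        return worker, verdict, True

    def counts(self):
        out = {"accept": 0, "deny": 0}
        for s in self.table.values():
            out[s.verdict] += 1
        return out

def demo():
    # Constructed traffic: UDP/53 to 10.0.0.53 is allowed, all else is denied.
    dp = DPProcessor([3, 4, 5], lambda t: "accept" if t[2:4] == ("10.0.0.53", 53) else "deny")
    dp.receive(("192.0.2.10", 40000, "10.0.0.53", 53, "udp"), now=0)
    dp.receive(("192.0.2.11", 40001, "10.0.0.9", 161, "udp"), now=1)
    return dp.counts()
```

Comparing `counts()` over time against the platform's real session table figures is left to the reader; the model only illustrates the occupancy behaviour the guide describes.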