Fortinet Document Library

Version:


Table of Contents

Session-Aware Load Balancing Cluster Guide

5.2.10
Download PDF
Copy Link

About Session-Aware Load Balanced Clusters (SLBCs)

This FortiController Session-Aware Load Balancing (SLBC) Guide describes connecting and configuring session-aware load balancing (SLBC) clusters consisting of FortiControllers acting as load balancers and FortiGate-5000s and operating as workers all installed in FortiGate-5000 series chassis. All traffic is directed to the FortiController front panel interfaces and then the FortiControllers load balance traffic to the workers.

Note The worker front panel interfaces are not used for traffic or for management and should not be connected to networks. All communication with the workers occurs over the FortiGate-5000 chassis fiber and base backplane channels.

SLBC clusters load balance TCP and UDP sessions. As a session-aware load balancer, the FortiController includes DP processors that maintain state information for all TCP and UDP sessions. The DP processors are capable of directing any TCP or UDP session to any worker installed in the same chassis. This session-awareness means that all TCP and UDP traffic being processed by a specific worker continues to be processed by the same worker. Session-awareness also means that more complex networking features such as network address translation (NAT), fragmented packets, complex UDP protocols, and complex protocols such as SIP that use pinholes, can be load balanced by the cluster.

In an SLBC, when a worker that is processing SIP traffic creates a pinhole, this information is communicated to the FortiController. The FortiController then knows to distribute the voice and media sessions to this worker.

SLBC things to know:

  • The SIP protocol uses known SIP ports for control traffic but dynamically uses a wide range of ports for voice and other media traffic. To successfully pass SIP traffic through a firewall, the firewall must use a session helper or application gateway to look inside the SIP control traffic and determine the ports to open for voice and media. To allow the voice and media traffic, the firewall temporarily opens these ports, creating what’s known as a pinhole that temporarily allows traffic on a port as determined by the SIP control traffic. The pinhole is closed when the first voice or media session packet is received. When this happens the pinhole is converted to a normal session and the pinhole itself is deleted.
  • Session-aware load balancing does not support traffic shaping.
  • IPv4 and IPv6 interface (or route-based) IPsec VPN sessions are not load balanced but are all processed by the primary worker. Policy-based IPsec VPNs, manual key IPsec VPNs and hub and spoke IPsec VPNs are not supported. These IPsec VPN session are dropped. Uni-directional SSL VPN sessions are load balanced to all workers.
  • You cannot mix ELBC, FGCP and SLBC clusters in the same chassis.
  • GTP sessions are not load balanced by SLBC. All GTP sessions are processed by the primary worker.

An SLBC consists of one or two FortiControllers installed in chassis slots 1 and 2 and from one to 12 workers installed chassis slots 3 and up. Network traffic is received by the FortiControllers and load balanced to the workers by the DP processors on the FortiControllers. Networks are connected to the FortiController front panel interfaces and communication between the FortiControllers and the workers uses the chassis fabric and base backplanes.

An SLBC with two FortiControllers can operate in active-passive mode or dual mode. In active-passive mode, if the active FortiController fails traffic is transferred to the secondary FortiController. In dual mode both FortiControllers load balance traffic and twice as many network interfaces are available.

You can also install FortiControllers and workers in a second chassis. The second chassis acts as a secondary and will keep operating if the active chassis fails. You can install one or two FortiControllers in each chassis. If you install one FortiController in each chassis you create an active-passive setup. If the active chassis fails, traffic is processed by the secondary chassis. You can also install two FortiControllers in each chassis. The SLBC cluster in each chassis can operate in active-passive mode or dual mode. If the active chassis fails, traffic is processed by the secondary chassis.

The following picture shows a FortiController cluster consisting of one FortiController and three FortiGate-5001Cs.

Example FortiController Session-Aware Load Balanced Cluster (SLBC)

 

SLBC does not support session sync between workers in the same chassis. The FortiControllers in a cluster keep track of the status of the workers in their chassis and load balance sessions to the workers. If a worker fails the FortiController detects the failure and stops load balancing sessions to that worker. The sessions that the worker is processing when it fails are lost.

Most of the examples in this document are based on the FortiController-5103B. However all configurations should be similar with other FortiControllers the only differences being things like the FortiController interface names. Supported FortiControllers include the FortiController-5103B, 5903C, and 5913C. Supported workers include the FortiGate-5001B, 5101C, 5001C, 5001D, 5001E, and the 5001E1.

Before using this document, your chassis should be mounted and connected to your power system. The chassis should be powered up and the front panel LEDs should indicate that it is functioning normally.

About Session-Aware Load Balanced Clusters (SLBCs)

This FortiController Session-Aware Load Balancing (SLBC) Guide describes connecting and configuring session-aware load balancing (SLBC) clusters consisting of FortiControllers acting as load balancers and FortiGate-5000s and operating as workers all installed in FortiGate-5000 series chassis. All traffic is directed to the FortiController front panel interfaces and then the FortiControllers load balance traffic to the workers.

Note The worker front panel interfaces are not used for traffic or for management and should not be connected to networks. All communication with the workers occurs over the FortiGate-5000 chassis fiber and base backplane channels.

SLBC clusters load balance TCP and UDP sessions. As a session-aware load balancer, the FortiController includes DP processors that maintain state information for all TCP and UDP sessions. The DP processors are capable of directing any TCP or UDP session to any worker installed in the same chassis. This session-awareness means that all TCP and UDP traffic being processed by a specific worker continues to be processed by the same worker. Session-awareness also means that more complex networking features such as network address translation (NAT), fragmented packets, complex UDP protocols, and complex protocols such as SIP that use pinholes, can be load balanced by the cluster.

In an SLBC, when a worker that is processing SIP traffic creates a pinhole, this information is communicated to the FortiController. The FortiController then knows to distribute the voice and media sessions to this worker.

SLBC things to know:

  • The SIP protocol uses known SIP ports for control traffic but dynamically uses a wide range of ports for voice and other media traffic. To successfully pass SIP traffic through a firewall, the firewall must use a session helper or application gateway to look inside the SIP control traffic and determine the ports to open for voice and media. To allow the voice and media traffic, the firewall temporarily opens these ports, creating what’s known as a pinhole that temporarily allows traffic on a port as determined by the SIP control traffic. The pinhole is closed when the first voice or media session packet is received. When this happens the pinhole is converted to a normal session and the pinhole itself is deleted.
  • Session-aware load balancing does not support traffic shaping.
  • IPv4 and IPv6 interface (or route-based) IPsec VPN sessions are not load balanced but are all processed by the primary worker. Policy-based IPsec VPNs, manual key IPsec VPNs and hub and spoke IPsec VPNs are not supported. These IPsec VPN session are dropped. Uni-directional SSL VPN sessions are load balanced to all workers.
  • You cannot mix ELBC, FGCP and SLBC clusters in the same chassis.
  • GTP sessions are not load balanced by SLBC. All GTP sessions are processed by the primary worker.

An SLBC consists of one or two FortiControllers installed in chassis slots 1 and 2 and from one to 12 workers installed chassis slots 3 and up. Network traffic is received by the FortiControllers and load balanced to the workers by the DP processors on the FortiControllers. Networks are connected to the FortiController front panel interfaces and communication between the FortiControllers and the workers uses the chassis fabric and base backplanes.

An SLBC with two FortiControllers can operate in active-passive mode or dual mode. In active-passive mode, if the active FortiController fails traffic is transferred to the secondary FortiController. In dual mode both FortiControllers load balance traffic and twice as many network interfaces are available.

You can also install FortiControllers and workers in a second chassis. The second chassis acts as a secondary and will keep operating if the active chassis fails. You can install one or two FortiControllers in each chassis. If you install one FortiController in each chassis you create an active-passive setup. If the active chassis fails, traffic is processed by the secondary chassis. You can also install two FortiControllers in each chassis. The SLBC cluster in each chassis can operate in active-passive mode or dual mode. If the active chassis fails, traffic is processed by the secondary chassis.

The following picture shows a FortiController cluster consisting of one FortiController and three FortiGate-5001Cs.

Example FortiController Session-Aware Load Balanced Cluster (SLBC)

 

SLBC does not support session sync between workers in the same chassis. The FortiControllers in a cluster keep track of the status of the workers in their chassis and load balance sessions to the workers. If a worker fails the FortiController detects the failure and stops load balancing sessions to that worker. The sessions that the worker is processing when it fails are lost.

Most of the examples in this document are based on the FortiController-5103B. However all configurations should be similar with other FortiControllers the only differences being things like the FortiController interface names. Supported FortiControllers include the FortiController-5103B, 5903C, and 5913C. Supported workers include the FortiGate-5001B, 5101C, 5001C, 5001D, 5001E, and the 5001E1.

Before using this document, your chassis should be mounted and connected to your power system. The chassis should be powered up and the front panel LEDs should indicate that it is functioning normally.