Session-Aware Load Balancing Cluster Guide

About Session-Aware Load Balanced Clusters (SLBCs)
SLBC FortiController models
- FortiController-5103B
- FortiController-5903C
- FortiController-5913C
Getting started and SLBC Basics
- SLBC licensing
  - FortiOS Carrier licensing
  - Certificates
- Changing FortiController interface configurations
- Quick SLBC cluster setup
- Managing the cluster
- Monitoring the cluster
- Worker communication with FortiGuard
- Basic cluster NAT/Route mode configuration
  - Using the GUI to configure NAT/Route mode
  - Using the CLI to configure NAT/Route mode
- Primary unit (master) selection
  - Selecting the primary FortiController (and the primary chassis)
  - Selecting the primary worker
- Adding and removing workers
  - Adding one or more new workers
  - Removing a worker from a cluster
- Adding link aggregation (LACP) to an SLBC cluster (FortiController trunks)
  - Adding an aggregated interface
- Individual FortiAnalyzer settings on each worker
  - Configuring different FortiAnalyzer settings for each SLBC worker
  - Configuring different FortiAnalyzer settings for each worker and for the root VDOM of each worker
- Adding VLANs
  - Adding a VLAN to a FortiController interface
- VRRP support
- FGCP to SLBC migration
  - Assumptions
  - Conversion steps
- Updating SLBC firmware
Configuring communication between FortiControllers
- Changing the base control subnet and VLAN
- Changing the base management subnet and VLAN
- Changing the heartbeat VLAN
- Using the FortiController-5103B mgmt interface as a heartbeat interface
- Changing the heartbeat interface mode
- Enabling session sync and configuring the session sync interface
Changing load balancing settings
- Tuning TCP load balancing performance (TCP local ingress)
- Tuning UDP load balancing (UDP local ingress and UDP remote/local session setup)
- Changing the load distribution method
- TCP and UDP local ingress session setup and round robin load balancing
- Changing how UDP sessions are processed by the cluster
- Tuning load balancing performance: fragmented sessions
- Changing session timers
Life of a TCP packet
- Life of a TCP packet (default configuration: TCP local ingress disabled)
- Life of a TCP packet (TCP local ingress enabled)
Life of a UDP packet
- Life of a UDP packet (default configuration: UDP local ingress disabled and UDP remote session setup)
- Life of a UDP packet (UDP local ingress disabled and UDP local session setup)
- Life of a UDP packet (UDP local ingress enabled and UDP remote session setup)
- Life of a UDP packet (UDP local ingress enabled and UDP local session setup)
SLBC with one FortiController-5103B
- Setting up the hardware
- Configuring the FortiController
- Adding the workers to the cluster
- Operating and managing the cluster
Active-Passive SLBC with two FortiController-5103Bs
- Setting up the hardware
- Configuring the FortiControllers
- Adding the workers to the cluster
- Operating and managing the cluster
Dual mode SLBC with two FortiController-5103Bs
- Setting up the Hardware
- Configuring the FortiControllers
- Adding the workers to the cluster
- Operating and managing the cluster
Active-passive SLBC with two FortiController-5103Bs and two chassis
- Setting up the hardware
- Configuring the FortiController in chassis 1
- Configuring the FortiController in chassis 2
- Adding the workers to the cluster
- Operating and managing the cluster
- Checking the cluster status
Active-passive SLBC with four FortiController-5103Bs and two chassis
- Setting up the hardware
- Configuring the FortiController in chassis 1 slot 1
- Configuring the FortiController in chassis 1 slot 2
- Configuring the FortiController in chassis 2 slot 1
- Configuring the FortiController in chassis 2 slot 2
- Configuring the cluster
- Adding the workers to the cluster
- Operating and managing the cluster
- Checking the cluster status
Dual mode SLBC with four FortiController-5103Bs and two chassis
- Setting up the hardware
- Configuring the FortiController in chassis 1 slot 1
- Configuring the FortiController in chassis 1 slot 2
- Configuring the FortiController in chassis 2 slot 1
- Configuring the FortiController in chassis 2 slot 2
- Configuring the cluster
- Adding the workers to the cluster
- Operating and managing the cluster
- Checking the cluster status
Dual mode SLBC with four FortiController-5903Cs and two chassis
- Setting up the hardware
- Configuring the FortiController in Chassis 1 Slot 1
- Configuring the FortiController in chassis 1 slot 2
- Configuring the FortiController in chassis 2 slot 1
- Configuring the FortiController in chassis 2 slot 2
- Configuring the cluster
- Adding the workers to the cluster
- Operating and managing the cluster
- Checking the cluster status
Dual mode SLBC HA with LAGs third-party switch example
AP mode single chassis SLBC with LAGs third-party switch example
AP mode SLBC HA with LAGs third-party switch example
FortiController get and diagnose commands
- get load-balance status
- diagnose system flash list
- diagnose system ha showcsum
- diagnose system ha stats
- diagnose system ha status
- diagnose system ha force-slave-state
- diagnose system load-balance worker-blade status
- diagnose system load-balance worker-blade session-clear
- diagnose switch fabric-channel egress list
- diagnose switch base-channel egress list
- diagnose switch fabric-channel packet heartbeat-counters list
- diagnose switch fabric-channel physical-ports
- diagnose switch fabric-channel mac-address list
- diagnose switch fabric-channel mac-address filter
- diagnose switch fabric-channel trunk list
FortiController/FortiSwitch MIBs
FortiController/FortiSwitch traps
FortiController/FortiSwitch MIB fields
Shelf manager traps
Shelf manager MIB fields
- Shelf manager IPM controller (OID 1.3.6.1.4.1.16394.2.1.1.1)
- Shelf manager FRU device (OID 1.3.6.1.4.1.16394.2.1.1.2)
- Shelf manager sensor (OID 1.3.6.1.4.1.16394.2.1.1.3)
- Shelf manager board (OID 1.3.6.1.4.1.16394.2.1.1.4)
- Shelf manager system event log (sel) (OID 1.3.6.1.4.1.16394.2.1.1.5)
- Shelf manager shelf (OID 1.3.6.1.4.1.16394.2.1.1.6)
- Shelf manager LAN configuration (OID 1.3.6.1.4.1.16394.2.1.1.7)
- Shelf manager platform event filter (PEF) (OIDs 1.3.6.1.4.1.16394.2.1.1.8 - 19)
- Shelf manager FRU info table (OID 1.3.6.1.4.1.16394.2.1.1.20)
- Shelf manager FRU device by site (OID 1.3.6.1.4.1.16394.2.1.1.21)
- Shelf manager FRU LED state (OID 1.3.6.1.4.1.16394.2.1.1.22)
- Shelf manager board basic (OID 1.3.6.1.4.1.16394.2.1.1.32)
- Shelf manager fan tray (OID 1.3.6.1.4.1.16394.2.1.1.33)
- Shelf manager power supply (OID 1.3.6.1.4.1.16394.2.1.1.34)
- Shelf manager shelf manager (OID 1.3.6.1.4.1.16394.2.1.1.35)
- Shelf manager chassis (OID 1.3.6.1.4.1.16394.2.1.1.36)
- Shelf manager events (OID 1.3.6.1.4.1.16394.2.1.1.37)
- Shelf manager shelf manager status (OID 1.3.6.1.4.1.16394.2.1.1.38)
- Shelf manager shelf manager version (OID 1.3.6.1.4.1.16394.2.1.1.39)
- Shelf manager telco alarm (OID 1.3.6.1.4.1.16394.2.1.1.40)
- Shelf manager SEL information (OID 1.3.6.1.4.1.16394.2.1.1.41)
FortiController/FortiSwitch SNMP links
Change log

Home FortiController 5.2.11 Session-Aware Load Balancing Cluster Guide

5.2.11

AP mode SLBC HA with LAGs third-party switch example

This example shows how to configure a single Cisco Nexus 3000 switch to provide redundant connections for LACP LAGs in an AP mode SLBC HA cluster.

The cluster includes two FortiGate-5000 chassis. Each chassis has two FortiController-5903Cs in slots 1 and 2 operating in AP FortiController mode and two FortiGate-5000 workers in slots 3 and 4. The primary FortiController-5903C in chassis 1 slot 1 is configured with two LACP groups. One LACP group contains the F1 and F2 interfaces, the other LACP group contains the F3 and F4 interfaces. These LACP groups are synchronized to the secondary FortiController-5903C in slot 2 and to the primary and secondary FortiController-5903Cs in chassis 2.

The Cisco Nexus 3000 switch requires two LACP groups for each FortiController, for a total of 8 LACP groups. To support redundancy, the LACP groups that connect the F1 and F2 interfaces of all the FortiControllers are on one VLAN (in the example, 301) and the LACP groups that include the F3 and F4 interfaces are on another VLAN (in the example, 302).

To set up the configuration:

Log in to the CLI of the primary FortiController (in chassis 1 slot 1) and enter the following command to create two trunks.

config switch fabric-channel trunk

edit "trunk01"

set mode lacp-active

set members f1-1 f1-2

next

edit "trunk02"

set mode lacp-active

set members f1-3 f1-4

end

The trunks are synchronized to all of the FortiControllers in the cluster.
Log into the CLI of the primary worker and enter the following command to add two FortiController trunk interfaces. These match the trunks added to the FortiControllers:

config system interface

edit "fctrl1/trunk01"

set vdom "root"

set ip 11.0.0.1 255.0.0.0

set type fctrl-trunk

set member fctrl1/f1 fctrl1/f2

next

edit "fctrl1/trunk02"

set vdom "root"

set ip 12.0.0.1 255.0.0.0

set type fctrl-trunk

set member fctrl1/f3 fctrl1/f4

end

The trunk interfaces are synchronized to all of the workers in the cluster.
Log into the Cisco nexus 3000 switch CLI.
Configure eight port channels, one for each FortiController LACP group:

interface port-channel301

switchport mode trunk

switchport trunk native vlan 301

switchport trunk allowed vlan 301

interface port-channel302

switchport mode trunk

switchport trunk native vlan 302

switchport trunk allowed vlan 302

interface port-channel3011

switchport mode trunk

switchport trunk native vlan 301

switchport trunk allowed vlan 301

interface port-channel3022

switchport mode trunk

switchport trunk native vlan 302

switchport trunk allowed vlan 302

interface port-channel401

switchport mode trunk

switchport trunk native vlan 301

switchport trunk allowed vlan 301

interface port-channel402

switchport mode trunk

switchport trunk native vlan 302

switchport trunk allowed vlan 302

interface port-channel4011

switchport mode trunk

switchport trunk native vlan 301

switchport trunk allowed vlan 301

interface port-channel4022

switchport mode trunk

switchport trunk native vlan 302

switchport trunk allowed vlan 302
Configure the switch interfaces (31 to 34) for the chassis 1 slot 1 trunks.

interface Ethernet1/31

description c1s1 f1

switchport mode trunk

switchport trunk native vlan 301

switchport trunk allowed vlan 301

channel-group 301 mode active

interface Ethernet1/32

description c1s1 f2

switchport mode trunk

switchport trunk native vlan 301

switchport trunk allowed vlan 301

channel-group 301 mode active

interface Ethernet1/33

description c1s1 f3

switchport mode trunk

switchport trunk native vlan 302

switchport trunk allowed vlan 302

channel-group 302 mode active

interface Ethernet1/34

description c1s1 f4

switchport mode trunk

switchport trunk native vlan 302

switchport trunk allowed vlan 302

channel-group 302 mode active
Configure the switch interfaces (41 to 44) for the chassis 1 slot 2 trunks.

interface Ethernet1/41

description c1s2 f1

switchport mode trunk

switchport trunk native vlan 301

switchport trunk allowed vlan 301

channel-group 3011 mode active

interface Ethernet1/42

description c1s2 f2

switchport mode trunk

switchport trunk native vlan 301

switchport trunk allowed vlan 301

channel-group 3011 mode active

interface Ethernet1/43

description c1s2 f3

switchport mode trunk

switchport trunk native vlan 302

switchport trunk allowed vlan 302

channel-group 3022 mode active

interface Ethernet1/44

description c1s2 f4

switchport mode trunk

switchport trunk native vlan 302

switchport trunk allowed vlan 302

channel-group 3022 mode active
Configure the switch interfaces (51 to 54) for the chassis 2 slot 1 trunks.

interface Ethernet1/51

description c2s1 f1

switchport mode trunk

switchport trunk native vlan 301

switchport trunk allowed vlan 301

channel-group 401 mode active

channel-group 301 mode active

interface Ethernet1/52

description c2s1 f2

switchport mode trunk

switchport trunk native vlan 301

switchport trunk allowed vlan 301

channel-group 401 mode active

interface Ethernet1/53

description c2s1 f3

switchport mode trunk

switchport trunk native vlan 302

switchport trunk allowed vlan 302

channel-group 402 mode active

interface Ethernet1/54

description c2s2 f4

switchport mode trunk

switchport trunk native vlan 302

switchport trunk allowed vlan 302

channel-group 402 mode active
Configure the switch interfaces (61 to 64) for the chassis 2 slot 2 trunks.

interface Ethernet1/61

description c2s2 f1

switchport mode trunk

switchport trunk native vlan 301

switchport trunk allowed vlan 301

channel-group 4011 mode active

interface Ethernet1/62

description c2s2 f2

switchport mode trunk

switchport trunk native vlan 301

switchport trunk allowed vlan 301

channel-group 4011 mode active

interface Ethernet1/63

description c2s2 f3

switchport mode trunk

switchport trunk native vlan 302

switchport trunk allowed vlan 302

channel-group 4022 mode active

interface Ethernet1/64

description c2s2 f4

switchport mode trunk

switchport trunk native vlan 302

switchport trunk allowed vlan 302

channel-group 4022 mode active

AP mode SLBC HA with LAGs third-party switch example

This example shows how to configure a single Cisco Nexus 3000 switch to provide redundant connections for LACP LAGs in an AP mode SLBC HA cluster.

To set up the configuration:

Log in to the CLI of the primary FortiController (in chassis 1 slot 1) and enter the following command to create two trunks.

config switch fabric-channel trunk

edit "trunk01"

set mode lacp-active

set members f1-1 f1-2

next

edit "trunk02"

set mode lacp-active

set members f1-3 f1-4

end

The trunks are synchronized to all of the FortiControllers in the cluster.
Log into the CLI of the primary worker and enter the following command to add two FortiController trunk interfaces. These match the trunks added to the FortiControllers:

config system interface

edit "fctrl1/trunk01"

set vdom "root"

set ip 11.0.0.1 255.0.0.0

set type fctrl-trunk

set member fctrl1/f1 fctrl1/f2

next

edit "fctrl1/trunk02"

set vdom "root"

set ip 12.0.0.1 255.0.0.0

set type fctrl-trunk

set member fctrl1/f3 fctrl1/f4

end

The trunk interfaces are synchronized to all of the workers in the cluster.
Log into the Cisco nexus 3000 switch CLI.
Configure eight port channels, one for each FortiController LACP group:

interface port-channel301

switchport mode trunk

switchport trunk native vlan 301

switchport trunk allowed vlan 301

interface port-channel302

switchport mode trunk

switchport trunk native vlan 302

switchport trunk allowed vlan 302

interface port-channel3011

switchport mode trunk

switchport trunk native vlan 301

switchport trunk allowed vlan 301

interface port-channel3022

switchport mode trunk

switchport trunk native vlan 302

switchport trunk allowed vlan 302

interface port-channel401

switchport mode trunk

switchport trunk native vlan 301

switchport trunk allowed vlan 301

interface port-channel402

switchport mode trunk

switchport trunk native vlan 302

switchport trunk allowed vlan 302

interface port-channel4011

switchport mode trunk

switchport trunk native vlan 301

switchport trunk allowed vlan 301

interface port-channel4022

switchport mode trunk

switchport trunk native vlan 302

switchport trunk allowed vlan 302
Configure the switch interfaces (31 to 34) for the chassis 1 slot 1 trunks.

interface Ethernet1/31

description c1s1 f1

switchport mode trunk

switchport trunk native vlan 301

switchport trunk allowed vlan 301

channel-group 301 mode active

interface Ethernet1/32

description c1s1 f2

switchport mode trunk

switchport trunk native vlan 301

switchport trunk allowed vlan 301

channel-group 301 mode active

interface Ethernet1/33

description c1s1 f3

switchport mode trunk

switchport trunk native vlan 302

switchport trunk allowed vlan 302

channel-group 302 mode active

interface Ethernet1/34

description c1s1 f4

switchport mode trunk

switchport trunk native vlan 302

switchport trunk allowed vlan 302

channel-group 302 mode active
Configure the switch interfaces (41 to 44) for the chassis 1 slot 2 trunks.

interface Ethernet1/41

description c1s2 f1

switchport mode trunk

switchport trunk native vlan 301

switchport trunk allowed vlan 301

channel-group 3011 mode active

interface Ethernet1/42

description c1s2 f2

switchport mode trunk

switchport trunk native vlan 301

switchport trunk allowed vlan 301

channel-group 3011 mode active

interface Ethernet1/43

description c1s2 f3

switchport mode trunk

switchport trunk native vlan 302

switchport trunk allowed vlan 302

channel-group 3022 mode active

interface Ethernet1/44

description c1s2 f4

switchport mode trunk

switchport trunk native vlan 302

switchport trunk allowed vlan 302

channel-group 3022 mode active
Configure the switch interfaces (51 to 54) for the chassis 2 slot 1 trunks.

interface Ethernet1/51

description c2s1 f1

switchport mode trunk

switchport trunk native vlan 301

switchport trunk allowed vlan 301

channel-group 401 mode active

channel-group 301 mode active

interface Ethernet1/52

description c2s1 f2

switchport mode trunk

switchport trunk native vlan 301

switchport trunk allowed vlan 301

channel-group 401 mode active

interface Ethernet1/53

description c2s1 f3

switchport mode trunk

switchport trunk native vlan 302

switchport trunk allowed vlan 302

channel-group 402 mode active

interface Ethernet1/54

description c2s2 f4

switchport mode trunk

switchport trunk native vlan 302

switchport trunk allowed vlan 302

channel-group 402 mode active
Configure the switch interfaces (61 to 64) for the chassis 2 slot 2 trunks.

interface Ethernet1/61

description c2s2 f1

switchport mode trunk

switchport trunk native vlan 301

switchport trunk allowed vlan 301

channel-group 4011 mode active

interface Ethernet1/62

description c2s2 f2

switchport mode trunk

switchport trunk native vlan 301

switchport trunk allowed vlan 301

channel-group 4011 mode active

interface Ethernet1/63

description c2s2 f3

switchport mode trunk

switchport trunk native vlan 302

switchport trunk allowed vlan 302

channel-group 4022 mode active

interface Ethernet1/64

description c2s2 f4

switchport mode trunk

switchport trunk native vlan 302

switchport trunk allowed vlan 302

channel-group 4022 mode active

Secure Networking

Hybrid Mesh Firewall

NOC Management

LAN

WAN

Unified SASE

Single Vendor SASE

Cloud Network Security

Secure Endpoint Connectivity

Web Application / API Protection

Security Operations

Security Operations Automation

Identity

Early Detection & Prevention

Secure Networking

Hybrid Mesh Firewall

NOC Management

LAN

WAN

Communication & Surveillance

Unified SASE

Single Vendor SASE

Secure Endpoint Connectivity

Cloud Network Security

Cloud-Native Security

Web Application / API Protection

Security Operations

Security Operations Automation

Endpoint

Data Protection

Identity

Email

Early Detection & Prevention

Expert Services

Edge Firewall

Orchestration & management

SD Branch

Application Delivery

Single Vendor SASE

Secure Endpoint Connectivity

Secure Private Access

Thin Edge

Identity

Application Gateway

Enterprise Asset Management

Endpoint Agent

Agentless Security Posture

Identity

Wireless

Switching

Identity

Privilege Acccess Management

Next Generation Firewall

Orchestration & management

Expert Services

All

All

Account Management

SAAS Management

SAAS Application Security

Managed Services

Platform as a service (PAAS)

Other SAAS Services

4D Pillars

Cloud

Popular Solutions

Session-Aware Load Balancing Cluster Guide

AP mode SLBC HA with LAGs third-party switch example

AP mode SLBC HA with LAGs third-party switch example

AP mode SLBC HA with LAGs third-party switch example

AP mode SLBC HA with LAGs third-party switch example