Session-Aware Load Balancing Cluster Guide

About Session-Aware Load Balanced Clusters (SLBCs)
SLBC FortiController models
- FortiController-5103B
- FortiController-5903C
- FortiController-5913C
Getting started and SLBC Basics
- SLBC licensing
  - FortiOS Carrier licensing
  - Certificates
- Changing FortiController interface configurations
- Quick SLBC cluster setup
- Managing the cluster
- Monitoring the cluster
- Worker communication with FortiGuard
- Basic cluster NAT/Route mode configuration
  - Using the GUI to configure NAT/Route mode
  - Using the CLI to configure NAT/Route mode
- Primary unit (master) selection
  - Selecting the primary FortiController (and the primary chassis)
  - Selecting the primary worker
- Adding and removing workers
  - Adding one or more new workers
  - Removing a worker from a cluster
- Adding link aggregation (LACP) to an SLBC cluster (FortiController trunks)
  - Adding an aggregated interface
- Individual FortiAnalyzer settings on each worker
  - Configuring different FortiAnalyzer settings for each SLBC worker
  - Configuring different FortiAnalyzer settings for each worker and for the root VDOM of each worker
- Adding VLANs
  - Adding a VLAN to a FortiController interface
- VRRP support
- FGCP to SLBC migration
  - Assumptions
  - Conversion steps
- Updating SLBC firmware
Configuring communication between FortiControllers
- Changing the base control subnet and VLAN
- Changing the base management subnet and VLAN
- Changing the heartbeat VLAN
- Using the FortiController-5103B mgmt interface as a heartbeat interface
- Changing the heartbeat interface mode
- Enabling session sync and configuring the session sync interface
Changing load balancing settings
- Tuning TCP load balancing performance (TCP local ingress)
- Tuning UDP load balancing (UDP local ingress and UDP remote/local session setup)
- Changing the load distribution method
- TCP and UDP local ingress session setup and round robin load balancing
- Changing how UDP sessions are processed by the cluster
- Tuning load balancing performance: fragmented sessions
- Changing session timers
Life of a TCP packet
- Life of a TCP packet (default configuration: TCP local ingress disabled)
- Life of a TCP packet (TCP local ingress enabled)
Life of a UDP packet
- Life of a UDP packet (default configuration: UDP local ingress disabled and UDP remote session setup)
- Life of a UDP packet (UDP local ingress disabled and UDP local session setup)
- Life of a UDP packet (UDP local ingress enabled and UDP remote session setup)
- Life of a UDP packet (UDP local ingress enabled and UDP local session setup)
SLBC with one FortiController-5103B
- Setting up the hardware
- Configuring the FortiController
- Adding the workers to the cluster
- Operating and managing the cluster
Active-Passive SLBC with two FortiController-5103Bs
- Setting up the hardware
- Configuring the FortiControllers
- Adding the workers to the cluster
- Operating and managing the cluster
Dual mode SLBC with two FortiController-5103Bs
- Setting up the Hardware
- Configuring the FortiControllers
- Adding the workers to the cluster
- Operating and managing the cluster
Active-passive SLBC with two FortiController-5103Bs and two chassis
- Setting up the hardware
- Configuring the FortiController in chassis 1
- Configuring the FortiController in chassis 2
- Adding the workers to the cluster
- Operating and managing the cluster
- Checking the cluster status
Active-passive SLBC with four FortiController-5103Bs and two chassis
- Setting up the hardware
- Configuring the FortiController in chassis 1 slot 1
- Configuring the FortiController in chassis 1 slot 2
- Configuring the FortiController in chassis 2 slot 1
- Configuring the FortiController in chassis 2 slot 2
- Configuring the cluster
- Adding the workers to the cluster
- Operating and managing the cluster
- Checking the cluster status
Dual mode SLBC with four FortiController-5103Bs and two chassis
- Setting up the hardware
- Configuring the FortiController in chassis 1 slot 1
- Configuring the FortiController in chassis 1 slot 2
- Configuring the FortiController in chassis 2 slot 1
- Configuring the FortiController in chassis 2 slot 2
- Configuring the cluster
- Adding the workers to the cluster
- Operating and managing the cluster
- Checking the cluster status
Dual mode SLBC with four FortiController-5903Cs and two chassis
- Setting up the hardware
- Configuring the FortiController in Chassis 1 Slot 1
- Configuring the FortiController in chassis 1 slot 2
- Configuring the FortiController in chassis 2 slot 1
- Configuring the FortiController in chassis 2 slot 2
- Configuring the cluster
- Adding the workers to the cluster
- Operating and managing the cluster
- Checking the cluster status
Dual mode SLBC HA with LAGs third-party switch example
AP mode single chassis SLBC with LAGs third-party switch example
AP mode SLBC HA with LAGs third-party switch example
FortiController get and diagnose commands
- get load-balance status
- diagnose system flash list
- diagnose system ha showcsum
- diagnose system ha stats
- diagnose system ha status
- diagnose system ha force-slave-state
- diagnose system load-balance worker-blade status
- diagnose system load-balance worker-blade session-clear
- diagnose switch fabric-channel egress list
- diagnose switch base-channel egress list
- diagnose switch fabric-channel packet heartbeat-counters list
- diagnose switch fabric-channel physical-ports
- diagnose switch fabric-channel mac-address list
- diagnose switch fabric-channel mac-address filter
- diagnose switch fabric-channel trunk list
FortiController/FortiSwitch MIBs
FortiController/FortiSwitch traps
FortiController/FortiSwitch MIB fields
Shelf manager traps
Shelf manager MIB fields
- Shelf manager IPM controller (OID 1.3.6.1.4.1.16394.2.1.1.1)
- Shelf manager FRU device (OID 1.3.6.1.4.1.16394.2.1.1.2)
- Shelf manager sensor (OID 1.3.6.1.4.1.16394.2.1.1.3)
- Shelf manager board (OID 1.3.6.1.4.1.16394.2.1.1.4)
- Shelf manager system event log (sel) (OID 1.3.6.1.4.1.16394.2.1.1.5)
- Shelf manager shelf (OID 1.3.6.1.4.1.16394.2.1.1.6)
- Shelf manager LAN configuration (OID 1.3.6.1.4.1.16394.2.1.1.7)
- Shelf manager platform event filter (PEF) (OIDs 1.3.6.1.4.1.16394.2.1.1.8 - 19)
- Shelf manager FRU info table (OID 1.3.6.1.4.1.16394.2.1.1.20)
- Shelf manager FRU device by site (OID 1.3.6.1.4.1.16394.2.1.1.21)
- Shelf manager FRU LED state (OID 1.3.6.1.4.1.16394.2.1.1.22)
- Shelf manager board basic (OID 1.3.6.1.4.1.16394.2.1.1.32)
- Shelf manager fan tray (OID 1.3.6.1.4.1.16394.2.1.1.33)
- Shelf manager power supply (OID 1.3.6.1.4.1.16394.2.1.1.34)
- Shelf manager shelf manager (OID 1.3.6.1.4.1.16394.2.1.1.35)
- Shelf manager chassis (OID 1.3.6.1.4.1.16394.2.1.1.36)
- Shelf manager events (OID 1.3.6.1.4.1.16394.2.1.1.37)
- Shelf manager shelf manager status (OID 1.3.6.1.4.1.16394.2.1.1.38)
- Shelf manager shelf manager version (OID 1.3.6.1.4.1.16394.2.1.1.39)
- Shelf manager telco alarm (OID 1.3.6.1.4.1.16394.2.1.1.40)
- Shelf manager SEL information (OID 1.3.6.1.4.1.16394.2.1.1.41)
FortiController/FortiSwitch SNMP links
Change log

Home FortiController 5.2.11 Session-Aware Load Balancing Cluster Guide

5.2.11

Replacing the default management certificate

The default Fortinet_Factory certificate, used for HTTPS and SSH management connections with the FortiController, has a key strength is 1024 bits. If you want to use your own certificate, which may have a higher key strength, and other advantages, such as being trusted on your network, you can use the execute user certificate upload command to install your custom certificate on the FortiController.

Then you can use the following command to replace the default server certificate with your custom certificate.

config system global

set admin-server-cert <certificate-name>

end

For security reasons, certificates are not synchronized between FortiControllers. So you need to upload the certificate and repeat the set admin-server-cert command on each FortiController in your SLBC cluster.