Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY 7.6.3
Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Products Best Practices Hardware Guides Products A-Z
Summary
By Solution
By 4D Pillars
By Cloud
All Products
Secure Networking
Unified SASE
Security Operations
Secure SD-WAN
Secure Access Service Edge (SASE)
ZTNA
LAN Edge
Identity and Access Management
Next Generation Firewall
Web Application Firewall
Public Cloud
Private Cloud
FortiCloud
Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
    • More >>
    Unified SASE
  • Single Vendor SASE
  • Cloud Network Security
  • Secure Endpoint Connectivity
  • Web Application / API Protection
    • More >>
    Security Operations
  • Security Operations Automation
  • Identity
  • Early Detection & Prevention
    • More >>
    Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
  • Communication & Surveillance
    • Unified SASE
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Cloud Network Security
  • Cloud-Native Security
  • Web Application / API Protection
    • Security Operations
  • Security Operations Automation
  • Endpoint
  • Data Protection
  • Identity
  • Email
  • Early Detection & Prevention
  • Expert Services
  • Edge Firewall
  • Orchestration & management
  • SD Branch
  • Application Delivery
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Secure Private Access
  • Thin Edge
  • Identity
  • Application Gateway
  • Enterprise Asset Management
  • Endpoint Agent
  • Agentless Security Posture
  • Identity
  • Wireless
  • Switching
  • Identity
  • Privilege Acccess Management
  • Next Generation Firewall
  • Orchestration & management
  • Expert Services
  • Web Application / API Protection
  • All
  • All
  • Account Management
  • SAAS Management
  • SAAS Application Security
  • Managed Services
  • Platform as a service (PAAS)
  • Other SAAS Services
    • 4D Resources
    Solution Hubs
  • 4D Pillars
  • Cloud
  • Popular Solutions
    • All Products

    Admin Guide (Standalone)

    Home FortiExtender 7.6.3 Admin Guide (Standalone)
    7.6.3
    7.6.5
    7.6.4
    7.6.3
    7.6.2
    7.6.1
    7.6.0
    7.4.4
    7.4.1
    7.4.0
    7.2.3
    7.2.2
    7.2.0
    7.0.3
    7.0.2
    7.0.1

    Aggregate interface support with load-balancing

    Aggregate interface support with load-balancing

    Interfaces of the same type can be aggregated into a virtual aggregate interface as its members. A member of an aggregate interface can be monitored by HMON. A member is considered as healthy if its link is up and marked as ALIVE by HMON. Only a healthy member could be considered as a candidate for sending and receiving packets.

    Interfaces are aggregated in either of the following ways:

    • Active backup—Only one member of the aggregate interface is active to send and receive packets at a time. One member should be designated as the primary and the others as secondary. If the primary member is healthy, it should be chosen as the active member. Otherwise, another healthy member must be chosen instead. Once the primary member becomes healthy again, it will take over the traffic.
    • Load balance—All healthy members are active for sending and receiving packets. Packets are sent over active members based on the round-robin algorithm at the same time. Packets originated from the same source follow the same path.

    Once an interface becomes a member of an aggregate interface, it must not be used for firewall and PBR. The aggregate interface must be used instead.

    To create an aggregate interface in the GUI:
    1. Go to Networking>Aggregate Interface.
    2. Click Create Aggregate Interface.
    3. Configure the ID, Mode, and Mapping timeout if mode is set to load balance.
    4. Click Create Member.
    5. Configure the Name, Interface, Weight/Role, HealthCheck, HealthCheckFailCount, and HealthCheckRecoveryCount of each member.
    To create an aggregate interface in the CLI:

    A table is added to /config/system to represent interface aggregations. Each table entry indicates an aggregate interface to be created and one or more interfaces can be aggregated under this aggregate interface.

    The following configuration shows two aggregate interfaces in active backup and load-balance mode:

    config system aggregate-interface
    edit agg1
        set mode loadbalance
        set mapping-timeout 60
        config members
            edit 1
                set interface vx2
                set health-check-event vxlan
                set health-check-fail-cnt 5
                set health-check-recovery-cnt 5
            next
            edit 2
                set interface vx3
                set health-check-event
                set health-check-fail-cnt 5
                set health-check-recovery-cnt 5
            next
        end
    next
    edit agg2
        set mode activebackup
        config members
            edit 1
                set interface wan
                set role primary
                set health-check-event
                set health-check-fail-cnt 5
                set health-check-recovery-cnt 5
            next
            edit 2
                set interface port4
                set role secondary
                set health-check-event
                set health-check-fail-cnt 5
                set health-check-recovery-cnt 5
            next
        end
    next
end

    Following configuration will be automatically generated:

    config system interface
    edit agg1
        set type aggregate
        set status down
    next
    edit agg2
        set type aggregate
        set status down
    next
end

    You can update the IP, allowaccess, and other configurations based on the aggregate interface. And this interface can also be used in configuring the DHCP server, firewall policies, routes, and some other modules.

    To get the aggregate interface status:
     # get system aggregate-interface status
agg2:
        2(port4): linkdown UNKNOWN aggregated
        1(wan): linkup UNKNOWN aggregated active
agg1:
        2(vx3): linkup UNKNOWN aggregated active
        1(vx2): linkup ALIVE aggregated active
    Previous
    Next

    Aggregate interface support with load-balancing

    Aggregate interface support with load-balancing

    Interfaces of the same type can be aggregated into a virtual aggregate interface as its members. A member of an aggregate interface can be monitored by HMON. A member is considered as healthy if its link is up and marked as ALIVE by HMON. Only a healthy member could be considered as a candidate for sending and receiving packets.

    Interfaces are aggregated in either of the following ways:

    • Active backup—Only one member of the aggregate interface is active to send and receive packets at a time. One member should be designated as the primary and the others as secondary. If the primary member is healthy, it should be chosen as the active member. Otherwise, another healthy member must be chosen instead. Once the primary member becomes healthy again, it will take over the traffic.
    • Load balance—All healthy members are active for sending and receiving packets. Packets are sent over active members based on the round-robin algorithm at the same time. Packets originated from the same source follow the same path.

    Once an interface becomes a member of an aggregate interface, it must not be used for firewall and PBR. The aggregate interface must be used instead.

    To create an aggregate interface in the GUI:
    1. Go to Networking>Aggregate Interface.
    2. Click Create Aggregate Interface.
    3. Configure the ID, Mode, and Mapping timeout if mode is set to load balance.
    4. Click Create Member.
    5. Configure the Name, Interface, Weight/Role, HealthCheck, HealthCheckFailCount, and HealthCheckRecoveryCount of each member.
    To create an aggregate interface in the CLI:

    A table is added to /config/system to represent interface aggregations. Each table entry indicates an aggregate interface to be created and one or more interfaces can be aggregated under this aggregate interface.

    The following configuration shows two aggregate interfaces in active backup and load-balance mode:

    config system aggregate-interface
    edit agg1
        set mode loadbalance
        set mapping-timeout 60
        config members
            edit 1
                set interface vx2
                set health-check-event vxlan
                set health-check-fail-cnt 5
                set health-check-recovery-cnt 5
            next
            edit 2
                set interface vx3
                set health-check-event
                set health-check-fail-cnt 5
                set health-check-recovery-cnt 5
            next
        end
    next
    edit agg2
        set mode activebackup
        config members
            edit 1
                set interface wan
                set role primary
                set health-check-event
                set health-check-fail-cnt 5
                set health-check-recovery-cnt 5
            next
            edit 2
                set interface port4
                set role secondary
                set health-check-event
                set health-check-fail-cnt 5
                set health-check-recovery-cnt 5
            next
        end
    next
end

    Following configuration will be automatically generated:

    config system interface
    edit agg1
        set type aggregate
        set status down
    next
    edit agg2
        set type aggregate
        set status down
    next
end

    You can update the IP, allowaccess, and other configurations based on the aggregate interface. And this interface can also be used in configuring the DHCP server, firewall policies, routes, and some other modules.

    To get the aggregate interface status:
     # get system aggregate-interface status
agg2:
        2(port4): linkdown UNKNOWN aggregated
        1(wan): linkup UNKNOWN aggregated active
agg1:
        2(vx3): linkup UNKNOWN aggregated active
        1(vx2): linkup ALIVE aggregated active
    Previous
    Next