FortiGate-6000 config CLI commands
This chapter describes the following FortiGate-6000 load balancing configuration commands:
config load-balance flow-rule
Use this command to create flow rules that add exceptions to how matched traffic is processed. You can use flow rules to match a type of traffic and control whether the traffic is forwarded or blocked. And if the traffic is forwarded, you can specify whether to forward the traffic to a specific slot or slots. Unlike firewall policies, load-balance rules are not stateful so for bi-directional traffic, you may need to define two flow rules to match both traffic directions (forward and reverse).
Syntax
config load-balance flow-rule
edit <id>
set status {disable | enable}
set src-interface <interface-name> [<interface-name>...]
set vlan <vlan-id>
set ether-type {any | arp | ip | ipv4 | ipv6}
set src-addr-ipv4 <ip4-address> <netmask>
set dst-addr-ipv4 <ip4-address> <netmask>
set src-addr-ipv6 <ip6-address> <netmask>
set dst-addr-ipv6 <ip6-address> <netmask>
set protocol {any | icmp | icmpv6 | tcp | udp | igmp | sctp | gre | esp | ah | ospf | pim | vrrp}
set src-l4port <start>[-<end>]
set dst-l4port <start>[-<end>]
set icmptype <type>
set icmpcode <type>
set tcp-flag {any | syn | fin | rst}
set action {forward | mirror-ingress | stats | drop}
set mirror-interface <interface-name>
set forward-slot {master | all | load-balance | <FPM# or FPC#>}
set priority <number>
set comment <text>
end
status {disable | enable}
Enable or disable this flow rule. New flow rules are disabled by default.
src-interface <interface-name> [<interface-name>...]
Optionally add the names of one or more front panel interfaces accepting the traffic to be subject to the flow rule. If you don't specify a src-interface, the flow rule matches traffic received by any interface.
If you are matching VLAN traffic, select the interface that the VLAN has been added to and use the vlan option to specify the VLAN ID of the VLAN interface.
vlan <vlan-id>
If the traffic matching the rule is VLAN traffic, enter the VLAN ID used by the traffic. You must set src-interface to the interface that the VLAN interface is added to.
ether-type {any | arp | ip | ipv4 | ipv6}
The type of traffic to be matched by the rule. You can match any traffic (the default) or just match ARP, IP, IPv4 or IPv6 traffic.
{src-addr-ipv4 | dst-addr-ipv4} <ipv4-address> <netmask>
The IPv4 source and destination address of the IPv4 traffic to be matched. The default of 0.0.0.0 0.0.0.0 matches all IPv4 traffic. Available if ether-type is set to ipv4.
{src-addr-ipv6 | dst-addr-ipv6} <ip-address> <netmask>
The IPv6 source and destination address of the IPv6 traffic to be matched. The default of ::/0 matches all IPv6 traffic. Available if ether-type is set to ipv6.
protocol {any | icmp | icmpv6 | tcp | udp | igmp | sctp | gre | esp | ah | ospf | pim | vrrp}
If ether-type is set to ip, ipv4, or ipv6, specify the protocol of the IP, IPv4, or IPv6 traffic to match the rule. The default is any.
Option | Protocol number
---|---
icmp | 1
icmpv6 | 58
tcp | 6
udp | 17
igmp | 2
sctp | 132
gre | 47
esp | 50
ah | 51
ospf | 89
pim | 103
vrrp | 112
{src-l4port | dst-l4port} <start>[-<end>]
Specify a layer 4 source port range and destination port range. This option appears when protocol is set to tcp or udp. The default range is 0-0, which matches all ports. You don't have to enter a range to match just one port. For example, to set the source port to 80, enter set src-l4port 80.
icmptype <type>
Specify an ICMP type number in the range of 0 to 255. The default is 255. This option appears if protocol is set to icmp. For information about ICMP type numbers, see Internet Control Message Protocol (ICMP) Parameters.
icmpcode <type>
If the ICMP type also includes an ICMP code, you can use this option to add that ICMP code. The range is 0 to 255. The default is 255. This option appears if protocol is set to icmp. For information about ICMP code numbers, see Internet Control Message Protocol (ICMP) Parameters.
tcp-flag {any | syn | fin | rst}
Set the TCP session flag to match. The any setting (the default) matches all TCP sessions. You can add specific flags to only match specific TCP session types.
action {forward | mirror-ingress | stats | drop}
The action to take with matching sessions. They can be dropped, forwarded to another destination, or you can record statistics about the traffic for later analysis. You can combine two or three settings in one command. For example, you can set action to both forward and stats to forward traffic and collect statistics about it. Use append to add additional options.
The default action is forward, which forwards packets to the specified forward-slot.
The mirror-ingress option copies (mirrors) all ingress packets that match this flow rule and sends them to the interface specified with the mirror-interface option.
mirror-interface <interface-name>
The name of the interface to send packets matched by this flow rule to when action is set to mirror-ingress.
forward-slot {master | all | load-balance | <FPC#>}
The slot that you want to forward the traffic that matches this rule to.
Where:
master forwards traffic to the primary FPC.
all means forward the traffic to all FPCs.
load-balance means forward this traffic to the DP processors that then use the default load balancing configuration to handle this traffic.
<FPC#> forwards the matching traffic to a specific FPC. For example, FPC3 is the FPC in slot 3.
priority <number>
Set the priority of the flow rule in the range 1 (highest priority) to 10 (lowest priority). Higher priority rules are matched first. You can use the priority to control which rule is matched first if you have overlapping rules.
The default priority is 5.
comment <text>
Optionally add a comment that describes the flow rule.
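The following Python model, added here as an illustration and not Fortinet code, applies the option semantics described above to sample packets: new rules are disabled by default, an empty src-interface matches any interface, a 0-0 port range matches every port, priority 1 is matched before priority 5, and matching is stateless, so the reply direction of a flow needs its own rule. It assumes that rules with equal priority are tie-broken by the lower rule ID, which the page does not specify; the interface names, addresses and rule IDs are constructed.

```python
"""Model of flow-rule selection for a packet (added example, not Fortinet
code). Assumption: equal-priority rules are tie-broken by lower rule ID."""
import ipaddress
from dataclasses import dataclass


@dataclass
class FlowRule:
    id: int
    status: str = "disable"            # new flow rules are disabled by default
    src_interface: tuple = ()          # empty: traffic received by any interface
    ether_type: str = "any"
    src_addr_ipv4: str = "0.0.0.0/0"   # default 0.0.0.0 0.0.0.0 matches all IPv4
    dst_addr_ipv4: str = "0.0.0.0/0"
    protocol: str = "any"
    src_l4port: tuple = (0, 0)         # 0-0 matches all ports
    dst_l4port: tuple = (0, 0)
    tcp_flag: str = "any"
    action: frozenset = frozenset({"forward"})
    forward_slot: str = "load-balance"
    priority: int = 5                  # 1 = highest, 10 = lowest, default 5


@dataclass
class Packet:
    interface: str
    src: str
    dst: str
    protocol: str
    sport: int = 0
    dport: int = 0
    tcp_flags: frozenset = frozenset()
    ether_type: str = "ipv4"


def _port_in_range(rng, port):
    start, end = rng
    return (start, end) == (0, 0) or start <= port <= end


def rule_matches(rule: FlowRule, pkt: Packet) -> bool:
    """Stateless check of one packet against one rule; there is no session memory."""
    if rule.status != "enable":
        return False
    if rule.src_interface and pkt.interface not in rule.src_interface:
        return False
    if rule.ether_type != "any" and rule.ether_type != pkt.ether_type:
        return False
    if rule.ether_type == "ipv4":      # address fields apply when ether-type is ipv4
        if ipaddress.ip_address(pkt.src) not in ipaddress.ip_network(rule.src_addr_ipv4, strict=False):
            return False
        if ipaddress.ip_address(pkt.dst) not in ipaddress.ip_network(rule.dst_addr_ipv4, strict=False):
            return False
    if rule.protocol != "any" and rule.protocol != pkt.protocol:
        return False
    if rule.protocol in ("tcp", "udp"):   # port ranges apply only to tcp and udp
        if not (_port_in_range(rule.src_l4port, pkt.sport)
                and _port_in_range(rule.dst_l4port, pkt.dport)):
            return False
    if rule.protocol == "tcp" and rule.tcp_flag != "any" and rule.tcp_flag not in pkt.tcp_flags:
        return False
    return True


def select_rule(rules, pkt):
    """Return the matching rule with the highest priority (lowest number), or None."""
    hits = [r for r in rules if rule_matches(r, pkt)]
    return min(hits, key=lambda r: (r.priority, r.id)) if hits else None


# Constructed sample rules: pin HTTPS to server 192.0.2.10 on FPC3 and count it.
FORWARD = FlowRule(id=10, status="enable", src_interface=("port1",), ether_type="ipv4",
                   src_addr_ipv4="10.0.0.0/24", dst_addr_ipv4="192.0.2.10/32",
                   protocol="tcp", dst_l4port=(443, 443),
                   action=frozenset({"forward", "stats"}), forward_slot="FPC3")
# The reply direction needs its own rule because flow rules are not stateful.
REVERSE = FlowRule(id=11, status="enable", src_interface=("port2",), ether_type="ipv4",
                   src_addr_ipv4="192.0.2.10/32", dst_addr_ipv4="10.0.0.0/24",
                   protocol="tcp", src_l4port=(443, 443),
                   action=frozenset({"forward", "stats"}), forward_slot="FPC3")
# Priority 1 exception: drop SYNs from one host before rule 10 can forward them.
BLOCK_HOST = FlowRule(id=12, status="enable", ether_type="ipv4",
                      src_addr_ipv4="10.0.0.66/32", protocol="tcp", tcp_flag="syn",
                      action=frozenset({"drop"}), priority=1)

# Constructed sample packets.
CLIENT_SYN = Packet("port1", "10.0.0.5", "192.0.2.10", "tcp", 51000, 443, frozenset({"syn"}))
SERVER_REPLY = Packet("port2", "192.0.2.10", "10.0.0.5", "tcp", 443, 51000, frozenset({"syn", "ack"}))
BAD_HOST_SYN = Packet("port1", "10.0.0.66", "192.0.2.10", "tcp", 40000, 443, frozenset({"syn"}))


def demo():
    """Rule ID chosen per sample packet; None means no flow rule, so default load balancing."""
    rules = [FORWARD, REVERSE, BLOCK_HOST]
    return {
        "client_syn": select_rule(rules, CLIENT_SYN).id,
        "reply_forward_rule_only": select_rule([FORWARD], SERVER_REPLY),
        "reply_with_reverse_rule": select_rule(rules, SERVER_REPLY).id,
        "blocked_host": select_rule(rules, BAD_HOST_SYN).id,
        "disabled_rule": select_rule([FlowRule(id=13, ether_type="ipv4")], CLIENT_SYN),
    }


if __name__ == "__main__":
    print(demo())
```

Running demo() shows the reply packet matching nothing when only rule 10 exists, which is the case the src-interface and address fields make easy to miss: a single directional rule pins one half of a TCP connection to FPC3 while the other half is still subject to default load balancing.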
config load-balance setting
Use this command to set a wide range of load balancing settings.
config load-balance setting
set slbc-mgmt-intf {mgmt1 | mgmt2 | mgmt3}
set max-miss-heartbeats <heartbeats>
set max-miss-mgmt-heartbeats <heartbeats>
set weighted-load-balance {disable | enable}
set ipsec-load-balance {disable | enable}
set gtp-load-balance {disable | enable}
set dp-load-distribution-method {to-master | src-ip | dst-ip | src-dst-ip | src-ip-sport | dst-ip-dport | src-dst-ip-sport-dport}
config workers
edit 3
set status enable
set weight 5
end
slbc-mgmt-intf {mgmt1 | mgmt2 | mgmt3}
Selects the interface used for management connections. The default is mgmt1. The IP address of this interface becomes the IP address used to enable management access to individual FPCs using special administration ports as described in Special management port numbers. To manage individual FPCs, this interface must be connected to a network.
To enable using the special management port numbers to connect to individual FPCs, set
max-miss-heartbeats <heartbeats>
Set the number of missed heartbeats before an FPC is considered to have failed. If a failure occurs, the DP3 processor will no longer load balance sessions to the FPC.
The time between heartbeats is 0.2 seconds. Range is 3 to 300. A value of 3 means 0.6 seconds, 20 (the default) means 4 seconds, and 300 means 60 seconds.
max-miss-mgmt-heartbeats <heartbeats>
Set the number of missed management heartbeats before an FPC is considered to have failed. If a failure occurs, the DP3 processor will no longer load balance sessions to the FPC.
The time between management heartbeats is 1 second. Range is 3 to 300 heartbeats. The default is 10 heartbeats.
weighted-load-balance {disable | enable}
Enable weighted load balancing depending on the slot (or worker) weight. Use config workers to set the weight for each slot or worker.
ipsec-load-balance {disable | enable}
Enable or disable IPsec VPN load balancing.
By default IPsec VPN load balancing is enabled and the flow rules listed below are disabled. The FortiGate-6000 directs IPsec VPN sessions to the DP3 processors which load balance them among the FPCs.
Default IPsec VPN flow-rules
edit 21
set status disable
set ether-type ipv4
set protocol udp
set dst-l4port 500-500
set action forward
set forward-slot master
set comment "ipv4 ike"
next
edit 22
set status disable
set ether-type ipv4
set protocol udp
set dst-l4port 4500-4500
set action forward
set forward-slot master
set comment "ipv4 ike-natt dst"
next
edit 23
set status disable
set ether-type ipv4
set protocol esp
set action forward
set forward-slot master
set comment "ipv4 esp"
next
If IPsec VPN load balancing is enabled, the FortiGate-6000 will drop IPsec VPN sessions traveling between two IPsec tunnels because the two IPsec tunnels may be terminated on different FPCs. If you have traffic entering the FortiGate-6000 from one IPsec VPN tunnel and leaving the FortiGate-6000 out another IPsec VPN tunnel you need to disable IPsec load balancing. Disabling IPsec VPN load balancing enables the default IPsec VPN flow-rules.
gtp-load-balance {disable | enable}
Enable GTP load balancing. If GTP load balancing is enabled, Tunnel Endpoint Identifiers (TEIDs) are used to identify GTP sessions.
dp-load-distribution-method {to-master | round-robin | src-ip | dst-ip | src-dst-ip | src-ip-sport | dst-ip-dport | src-dst-ip-sport-dport}
Set the method used to load balance sessions among FPCs. Usually you would only need to change the load balancing method if you had specific requirements or you found that the default method wasn't distributing sessions in the manner that you would prefer. The default is src-dst-ip-sport-dport, which means sessions are identified by their source address and port and destination address and port.
to-master directs all sessions to the primary FPC. This method is for troubleshooting only and should not be used for normal operation. Directing all sessions to the primary FPC will have a negative impact on performance.
src-ip sessions are distributed across all FPCs according to their source IP address.
dst-ip sessions are statically distributed across all FPCs according to their destination IP address.
src-dst-ip sessions are distributed across all FPCs according to their source and destination IP addresses.
src-ip-sport sessions are distributed across all FPCs according to their source IP address and source port.
dst-ip-dport sessions are distributed across all FPCs according to their destination IP address and destination port.
src-dst-ip-sport-dport sessions are distributed across all FPCs according to their source and destination IP address, source port, and destination port. This is the default load balance algorithm and represents true session-aware load balancing. All session information is taken into account when deciding where to send new sessions and where to send additional packets that are part of an already established session.
The src-ip and dst-ip load balancing methods use layer 3 information (IP addresses) to identify and load balance sessions. All of the other load balancing methods (except for to-master) use both layer 3 and layer 4 information (IP addresses and port numbers) to identify a TCP and UDP session. The layer 3 and layer 4 load balancing methods only use layer 3 information for other types of traffic (SCTP, ICMP, and ESP). If GTP load balancing is enabled, Tunnel Endpoint Identifiers (TEIDs) are used to identify GTP sessions.
config workers
Set the weight and enable or disable each worker (FPC). Use the edit command to specify the slot the FPC is installed in. You can enable or disable each FPC and set each FPC's weight.
The weight range is 1 to 10. 5 is average (and the default), 1 is -80% of average and 10 is +100% of average. The weights take effect if weighted-load-balance is enabled.
config workers
edit 3
set status enable
set weight 5
end
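The following Python simulation, added here as an illustration and not Fortinet code, covers both the dp-load-distribution-method options and the config workers weights above. From the page it takes which header fields each method uses, that the layer 4 methods fall back to addresses alone for non-TCP/UDP traffic, that to-master sends everything to the primary FPC, and that weight 5 is average with 1 = -80% and 10 = +100%. It assumes a split proportional to weight, a SHA-256 hash over the session key, a disabled worker receiving nothing, and the lowest enabled slot being the primary FPC; the page does not state the hash function, and the addresses, ports and worker table are constructed.

```python
"""Simulation of session distribution methods and worker weights (added
example, not Fortinet code). Assumptions: SHA-256 over the session key,
share proportional to weight, lowest enabled slot acts as primary."""
import hashlib
from collections import Counter


def session_key(method, src, dst, proto, sport=0, dport=0):
    """Header fields that identify a session under the given method."""
    if method == "to-master":
        return None                     # no hashing: everything goes to the primary FPC
    if method == "src-ip":
        return (src,)
    if method == "dst-ip":
        return (dst,)
    if method == "src-dst-ip":
        return (src, dst)
    # The remaining methods add layer 4 ports for TCP and UDP only; other
    # traffic (SCTP, ICMP, ESP) is identified by layer 3 addresses alone.
    l4 = proto in ("tcp", "udp")
    if method == "src-ip-sport":
        return (src, sport) if l4 else (src,)
    if method == "dst-ip-dport":
        return (dst, dport) if l4 else (dst,)
    if method == "src-dst-ip-sport-dport":
        return (src, dst, sport, dport) if l4 else (src, dst)
    raise ValueError(f"unknown method {method!r}")


def choose_fpc(key, workers):
    """workers: {slot: (status, weight)}. An enabled slot with weight w receives
    w/total of the sessions (assumption consistent with 5 = average, 1 = -80%,
    10 = +100%); disabled slots receive none."""
    ring = [slot for slot, (status, weight) in sorted(workers.items())
            if status == "enable" for _ in range(weight)]
    if not ring:
        raise RuntimeError("no enabled FPC")
    if key is None:
        return ring[0]                  # to-master; assumption: lowest enabled slot is primary
    digest = hashlib.sha256(repr(key).encode()).digest()
    return ring[int.from_bytes(digest[:8], "big") % len(ring)]


def distribute(method, workers, n=16000, proto="tcp"):
    """Hash n constructed client sessions to one server and count sessions per slot."""
    counts = Counter()
    for i in range(n):
        src = f"10.{(i >> 8) & 255}.{i & 255}.{(i * 7) % 250 + 1}"   # constructed clients
        key = session_key(method, src, "192.0.2.10", proto, 1024 + i % 60000, 443)
        counts[choose_fpc(key, workers)] += 1
    return dict(counts)


# Constructed worker table: slot 2 carries double the average, slot 3 a fifth,
# and slot 4 is present but disabled.
WORKERS = {1: ("enable", 5), 2: ("enable", 10), 3: ("enable", 1), 4: ("disable", 5)}

if __name__ == "__main__":
    for method in ("src-dst-ip-sport-dport", "dst-ip", "to-master"):
        print(method, distribute(method, WORKERS))
```

With all sessions going to a single server address, dst-ip lands every session on one FPC, which is the kind of skew the text means by the default method "not distributing sessions in the manner that you would prefer" in reverse: a layer 3 only method can concentrate load that the default five-field key would spread.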