Default configuration for traffic that cannot be load balanced
The default FortiGate-6000 config load-balance flow-rule command contains default rules for how the FortiGate-6000 handles traffic types that cannot be load balanced. Each of these flow rules identifies the traffic type using the options available in the command and, with one exception (the VRRP rule, which is forwarded to all FPCs), directs the traffic to the primary (or master) FPC. Each rule also includes a comment that identifies the traffic type.
The default configuration contains a mixture of enabled and disabled flow rules. Enabled flow rules usually direct matching traffic to the primary FPC. Disabled flow rules are provided for traffic types that your FortiGate-6000 may need to process (for example, the IPv4 IKE, IKE NAT-T, and ESP rules); enable them if your FortiGate-6000 will be processing those traffic types.
The CLI syntax below was created with the show command and only shows the configuration changes. All other options are set to their defaults. Flow rules with no status option are disabled by default. Also, the default forward-slot setting is master, which directs matching traffic to the primary FPC.
config load-balance flow-rule
  edit 1
    set status disable
    set vlan 0
    set ether-type ip
    set protocol udp
    set src-l4port 88-88
    set dst-l4port 0-0
    set action forward
    set forward-slot master
    set priority 5
    set comment "kerberos src"
  next
  edit 2
    set status disable
    set vlan 0
    set ether-type ip
    set protocol udp
    set src-l4port 0-0
    set dst-l4port 88-88
    set action forward
    set forward-slot master
    set priority 5
    set comment "kerberos dst"
  next
  edit 3
    set status enable
    set vlan 0
    set ether-type ip
    set protocol tcp
    set src-l4port 179-179
    set dst-l4port 0-0
    set tcp-flag any
    set action forward
    set forward-slot master
    set priority 5
    set comment "bgp src"
  next
  edit 4
    set status enable
    set vlan 0
    set ether-type ip
    set protocol tcp
    set src-l4port 0-0
    set dst-l4port 179-179
    set tcp-flag any
    set action forward
    set forward-slot master
    set priority 5
    set comment "bgp dst"
  next
  edit 5
    set status enable
    set vlan 0
    set ether-type ip
    set protocol udp
    set src-l4port 520-520
    set dst-l4port 520-520
    set action forward
    set forward-slot master
    set priority 5
    set comment "rip"
  next
  edit 6
    set status enable
    set vlan 0
    set ether-type ipv6
    set src-addr-ipv6 ::/0
    set dst-addr-ipv6 ::/0
    set protocol udp
    set src-l4port 521-521
    set dst-l4port 521-521
    set action forward
    set forward-slot master
    set priority 5
    set comment "ripng"
  next
  edit 7
    set status enable
    set vlan 0
    set ether-type ipv4
    set src-addr-ipv4 0.0.0.0 0.0.0.0
    set dst-addr-ipv4 0.0.0.0 0.0.0.0
    set protocol udp
    set src-l4port 67-67
    set dst-l4port 68-68
    set action forward
    set forward-slot master
    set priority 5
    set comment "dhcpv4 server to client"
  next
  edit 8
    set status enable
    set vlan 0
    set ether-type ipv4
    set src-addr-ipv4 0.0.0.0 0.0.0.0
    set dst-addr-ipv4 0.0.0.0 0.0.0.0
    set protocol udp
    set src-l4port 68-68
    set dst-l4port 67-67
    set action forward
    set forward-slot master
    set priority 5
    set comment "dhcpv4 client to server"
  next
  edit 9
    set status disable
    set vlan 0
    set ether-type ip
    set protocol tcp
    set src-l4port 1723-1723
    set dst-l4port 0-0
    set tcp-flag any
    set action forward
    set forward-slot master
    set priority 5
    set comment "pptp src"
  next
  edit 10
    set status disable
    set vlan 0
    set ether-type ip
    set protocol tcp
    set src-l4port 0-0
    set dst-l4port 1723-1723
    set tcp-flag any
    set action forward
    set forward-slot master
    set priority 5
    set comment "pptp dst"
  next
  edit 11
    set status enable
    set vlan 0
    set ether-type ip
    set protocol udp
    set src-l4port 0-0
    set dst-l4port 3784-3784
    set action forward
    set forward-slot master
    set priority 5
    set comment "bfd control"
  next
  edit 12
    set status enable
    set vlan 0
    set ether-type ip
    set protocol udp
    set src-l4port 0-0
    set dst-l4port 3785-3785
    set action forward
    set forward-slot master
    set priority 5
    set comment "bfd echo"
  next
  edit 13
    set status enable
    set vlan 0
    set ether-type ipv6
    set src-addr-ipv6 ::/0
    set dst-addr-ipv6 ::/0
    set protocol udp
    set src-l4port 547-547
    set dst-l4port 546-546
    set action forward
    set forward-slot master
    set priority 5
    set comment "dhcpv6 server to client"
  next
  edit 14
    set status enable
    set vlan 0
    set ether-type ipv6
    set src-addr-ipv6 ::/0
    set dst-addr-ipv6 ::/0
    set protocol udp
    set src-l4port 546-546
    set dst-l4port 547-547
    set action forward
    set forward-slot master
    set priority 5
    set comment "dhcpv6 client to server"
  next
  edit 15
    set status enable
    set vlan 0
    set ether-type ipv4
    set src-addr-ipv4 0.0.0.0 0.0.0.0
    set dst-addr-ipv4 224.0.0.0 240.0.0.0
    set protocol any
    set action forward
    set forward-slot master
    set priority 5
    set comment "ipv4 multicast"
  next
  edit 16
    set status enable
    set vlan 0
    set ether-type ipv6
    set src-addr-ipv6 ::/0
    set dst-addr-ipv6 ff00::/8
    set protocol any
    set action forward
    set forward-slot master
    set priority 5
    set comment "ipv6 multicast"
  next
  edit 17
    set status disable
    set vlan 0
    set ether-type ipv4
    set src-addr-ipv4 0.0.0.0 0.0.0.0
    set dst-addr-ipv4 0.0.0.0 0.0.0.0
    set protocol udp
    set src-l4port 0-0
    set dst-l4port 2123-2123
    set action forward
    set forward-slot master
    set priority 5
    set comment "gtp-c to master blade"
  next
  edit 18
    set status enable
    set vlan 0
    set ether-type ipv6
    set src-addr-ipv6 ::/0
    set dst-addr-ipv6 ::/0
    set protocol udp
    set src-l4port 0-0
    set dst-l4port 500-500
    set action forward
    set forward-slot master
    set priority 5
    set comment "ipv6 ike"
  next
  edit 19
    set status enable
    set vlan 0
    set ether-type ipv6
    set src-addr-ipv6 ::/0
    set dst-addr-ipv6 ::/0
    set protocol udp
    set src-l4port 0-0
    set dst-l4port 4500-4500
    set action forward
    set forward-slot master
    set priority 5
    set comment "ipv6 ike-natt dst"
  next
  edit 20
    set status enable
    set vlan 0
    set ether-type ipv6
    set src-addr-ipv6 ::/0
    set dst-addr-ipv6 ::/0
    set protocol esp
    set action forward
    set forward-slot master
    set priority 5
    set comment "ipv6 esp"
  next
  edit 21
    set status disable
    set vlan 0
    set ether-type ipv4
    set src-addr-ipv4 0.0.0.0 0.0.0.0
    set dst-addr-ipv4 0.0.0.0 0.0.0.0
    set protocol udp
    set src-l4port 0-0
    set dst-l4port 500-500
    set action forward
    set forward-slot master
    set priority 5
    set comment "ipv4 ike"
  next
  edit 22
    set status disable
    set vlan 0
    set ether-type ipv4
    set src-addr-ipv4 0.0.0.0 0.0.0.0
    set dst-addr-ipv4 0.0.0.0 0.0.0.0
    set protocol udp
    set src-l4port 0-0
    set dst-l4port 4500-4500
    set action forward
    set forward-slot master
    set priority 5
    set comment "ipv4 ike-natt dst"
  next
  edit 23
    set status disable
    set vlan 0
    set ether-type ipv4
    set src-addr-ipv4 0.0.0.0 0.0.0.0
    set dst-addr-ipv4 0.0.0.0 0.0.0.0
    set protocol esp
    set action forward
    set forward-slot master
    set priority 5
    set comment "ipv4 esp"
  next
  edit 24
    set status enable
    set vlan 0
    set ether-type ip
    set protocol tcp
    set src-l4port 0-0
    set dst-l4port 1000-1000
    set tcp-flag any
    set action forward
    set forward-slot master
    set priority 5
    set comment "authd http to master blade"
  next
  edit 25
    set status enable
    set vlan 0
    set ether-type ip
    set protocol tcp
    set src-l4port 0-0
    set dst-l4port 1003-1003
    set tcp-flag any
    set action forward
    set forward-slot master
    set priority 5
    set comment "authd https to master blade"
  next
  edit 26
    set status enable
    set vlan 0
    set ether-type ip
    set protocol vrrp
    set action forward
    set forward-slot all
    set priority 6
    set comment "vrrp to all blades"
  next
end