Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Products Best Practices Hardware Guides Products A-Z
Summary
By Solution
By 4D Pillars
By Cloud
Secure Networking
Unified SASE
Security Operations
Secure SD-WAN
Secure Access Service Edge (SASE)
ZTNA
LAN Edge
Identity and Access Management
Next Generation Firewall
Public Cloud
Private Cloud
FortiCloud
Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
    • More >>
    Unified SASE
  • Single Vendor SASE
  • Cloud Network Security
  • Secure Endpoint Connectivity
  • Web Application / API Protection
    • More >>
    Security Operations
  • Security Operations Automation
  • Identity
  • Early Detection & Prevention
    • More >>
    Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
  • Communication & Surveillance
    • Unified SASE
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Cloud Network Security
  • Cloud-Native Security
  • Web Application / API Protection
    • Security Operations
  • Security Operations Automation
  • Endpoint
  • Data Protection
  • Identity
  • Email
  • Early Detection & Prevention
  • Expert Services
  • Edge Firewall
  • Orchestration & management
  • SD Branch
  • Application Delivery
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Secure Private Access
  • Thin Edge
  • Identity
  • Application Gateway
  • Enterprise Asset Management
  • Endpoint Agent
  • Agentless Security Posture
  • Identity
  • Wireless
  • Switching
  • Identity
  • Privilege Acccess Management
  • Next Generation Firewall
  • Orchestration & management
  • Expert Services
  • All
  • All
  • Account Management
  • SAAS Management
  • SAAS Application Security
  • Managed Services
  • Platform as a service (PAAS)
  • Other SAAS Services
    • 4D Resources
    Solution Hubs
  • 4D Pillars
  • Cloud
  • Popular Solutions

    • FortiGate-6000 Handbook

    Home FortiGate-6000 6.0.8 FortiGate-6000 Handbook
    6.0.8
    7.0.16
    7.0.15
    7.0.14
    7.0.13
    7.0.12
    7.0.10
    7.0.5
    6.4.15
    6.4.14
    6.4.13
    6.4.12
    6.4.10
    6.4.8
    6.4.6
    6.4.2
    6.2.16
    6.2.16
    6.2.15
    6.2.13
    6.2.12
    6.2.11
    6.2.10
    6.2.9
    6.2.7
    6.2.6
    6.2.4
    6.2.3
    6.0.18
    6.0.17
    6.0.16
    6.0.15
    6.0.14
    6.0.13
    6.0.12
    6.0.10
    6.0.9
    6.0.8
    6.0.6
    6.0.4
    5.6.14
    5.6.12
    5.6.11
    5.6.7
    5.4.10

    SSL VPN load balancing

    SSL VPN load balancing

    The FortiGate-6000 does not support load balancing SSL VPN sessions terminated by the FortiGate-6000. The recommended configuration is to direct SSL VPN sessions terminated by the FortiGate-6000 to the primary FPC.

    Note SSL VPN sessions are sessions from an SSL VPN client to your configured SSL VPN server listening port.

    Using a FortiGate-6000 as an SSL VPN server requires you to manually add an SSL VPN load balance flow rule to configure the FortiGate-6000 to send all SSL VPN sessions to the primary (master) FPC. To match with the SSL VPN server traffic, the rule should include a destination port that matches the destination port of the SSL VPN server. For example:

    config load-balance flow-rule

    edit 0

    set status enable

    set ether-type ipv4

    set protocol tcp

    set dst-l4port 443-443

    set forward-slot master

    set comment "ssl vpn server to primary FPC"

    end

    This flow rule matches all sessions sent to port 443 (the default SSL VPN server listening port) and sends these sessions to the primary FPC. This should match all of your SSL VPN traffic if you are using the default SSL VPN server listening port (443). This flow rule also matches all other sessions using 443 as the destination port so all of this traffic is also sent to the primary FPC.

    If you change the SSL VPN server listening port

    If you have changed the SSL VPN server listening port to 10443, you can change the SSL VPN flow rule as follows. This example also sets the source interface to port12, which is the SSL VPN server interface, instead of adding the IP address of port12 to the configuration:

    config load-balance flow-rule

    edit 26

    set status enable

    set ether-type ipv4

    set protocol tcp

    set src-interface port12

    set dst-l4port 10443-10443

    set forward-slot master

    set comment "ssl vpn server to primary FPC"

    end

    Adding the SSL VPN server IP address

    You can add the IP address of the FortiGate-6000 interface that receives SSL VPN traffic to the SSL VPN flow rule to make sure that the flow rule only matches the traffic of SSL VPN clients connecting to the SSL VPN server. For example, if the IP address of the interface is 172.25.176.32 and the SSL VPN flow rule ID is 26:

    config load-balance flow-rule

    edit 26

    set status enable

    set ether-type ipv4

    set protocol tcp

    set dst-addr-ipv4 172.25.176.32 255.255.255.255

    set dst-l4port 10443-10443

    set forward-slot master

    set comment "ssl vpn server to primary FPC"

    end

    This flow rule will now only match SSL VPN sessions with 172.25.176.32 as the destination address and send all of these sessions to the primary FPC.

    Previous
    Next

    SSL VPN load balancing

    SSL VPN load balancing

    The FortiGate-6000 does not support load balancing SSL VPN sessions terminated by the FortiGate-6000. The recommended configuration is to direct SSL VPN sessions terminated by the FortiGate-6000 to the primary FPC.

    Note SSL VPN sessions are sessions from an SSL VPN client to your configured SSL VPN server listening port.

    Using a FortiGate-6000 as an SSL VPN server requires you to manually add an SSL VPN load balance flow rule to configure the FortiGate-6000 to send all SSL VPN sessions to the primary (master) FPC. To match with the SSL VPN server traffic, the rule should include a destination port that matches the destination port of the SSL VPN server. For example:

    config load-balance flow-rule

    edit 0

    set status enable

    set ether-type ipv4

    set protocol tcp

    set dst-l4port 443-443

    set forward-slot master

    set comment "ssl vpn server to primary FPC"

    end

    This flow rule matches all sessions sent to port 443 (the default SSL VPN server listening port) and sends these sessions to the primary FPC. This should match all of your SSL VPN traffic if you are using the default SSL VPN server listening port (443). This flow rule also matches all other sessions using 443 as the destination port so all of this traffic is also sent to the primary FPC.

    If you change the SSL VPN server listening port

    If you have changed the SSL VPN server listening port to 10443, you can change the SSL VPN flow rule as follows. This example also sets the source interface to port12, which is the SSL VPN server interface, instead of adding the IP address of port12 to the configuration:

    config load-balance flow-rule

    edit 26

    set status enable

    set ether-type ipv4

    set protocol tcp

    set src-interface port12

    set dst-l4port 10443-10443

    set forward-slot master

    set comment "ssl vpn server to primary FPC"

    end

    Adding the SSL VPN server IP address

    You can add the IP address of the FortiGate-6000 interface that receives SSL VPN traffic to the SSL VPN flow rule to make sure that the flow rule only matches the traffic of SSL VPN clients connecting to the SSL VPN server. For example, if the IP address of the interface is 172.25.176.32 and the SSL VPN flow rule ID is 26:

    config load-balance flow-rule

    edit 26

    set status enable

    set ether-type ipv4

    set protocol tcp

    set dst-addr-ipv4 172.25.176.32 255.255.255.255

    set dst-l4port 10443-10443

    set forward-slot master

    set comment "ssl vpn server to primary FPC"

    end

    This flow rule will now only match SSL VPN sessions with 172.25.176.32 as the destination address and send all of these sessions to the primary FPC.

    Previous
    Next