FortiGate-6000 Handbook

What's New
- What's new for FortiGate-6000 6.2.16
- What's new for FortiGate-6000 6.2.15
- What's new for FortiGate-6000 6.2.13
- What's new for FortiGate-6000 6.2.12
- What's new for FortiGate-6000 6.2.11
- What's new for FortiGate-6000 6.2.10
- What's new for FortiGate-6000 6.2.9
- What's new for FortiGate-6000 6.2.7
- What's new for FortiGate-6000 6.2.6
- What's new for FortiGate-6000 6.2.4
- What's new for FortiGate-6000 6.2.3
FortiGate-6000 overview
- Front panel interfaces
- FortiGate-6000 schematic
- Interface groups and changing data interface speeds
- FortiGate-6000 series hardware generations
Getting started with FortiGate-6000 series
- Confirming startup status
- Configuration synchronization
- FortiGate-6000 dashboard widgets
- Multi VDOM mode
- Security Fabric and Split-Task VDOM mode
Managing individual FortiGate-6000 management boards and FPCs
- Special management port numbers
- HA mode special management port numbers
- Connecting to individual FPC consoles
- Connecting to individual FPC CLIs
- Connecting to individual FPC CLIs of the secondary FortiGate-6000 in an HA configuration
- Performing other operations on individual FPCs
Load balancing and flow rules
- Setting the load balancing method
- Flow rules for sessions that cannot be load balanced
- Determining the primary FPC
- SSL VPN load balancing
- FortiOS Carrier GTP load balancing
  - Optimizing NPU GTP performance
  - Enabling GTP load balancing
- ICMP load balancing
- Load balancing TCP, UDP, and ICMP sessions with fragmented packets
- Adding flow rules to support DHCP relay
- Default configuration for traffic that cannot be load balanced
- Showing how the DP3 processor will load balance a session
- Maximum number of flow rules limited by hardware
FortiGate-6000 IPsec VPN
- IPsec VPN load balancing
- Example FortiGate-6000 IPsec VPN VRF configuration
- Troubleshooting
FortiGate-6000 high availability
- Introduction to FortiGate-6000 FGCP HA
- Before you begin configuring HA
- Connect the HA1 and HA2 interfaces for HA heartbeat communication
  - Default HA heartbeat VLAN triple-tagging
  - HA heartbeat VLAN double-tagging
- Basic FortiGate-6000 HA configuration
- Confirming that the FortiGate-6000 HA cluster is synchronized
  - Viewing more details about HA cluster synchronization
- Primary FortiGate-6000 selection with override disabled (default)
- Primary FortiGate-6000 selection with override enabled
- Failover protection
- HA reserved management interfaces
- Virtual clustering
- HA cluster firmware upgrades
- Distributed clustering
- Modifying heartbeat timing
- Changing how long routes stay in a cluster unit routing table
- Session failover (session-pickup)
- FortiGate-6000 FGSP
- Inter-cluster session synchronization
  - Example FortiGate-6000 inter-cluster session synchronization configuration
- Standalone configuration synchronization
- FortiGate-6000 VRRP HA
Operating a FortiGate-6000
- FortiLink support
- ECMP support
  - VDOM-based session tables
  - IPv4 and IPv6 ECMP load balancing
  - Enabling auxiliary session support
- ICAP support
- SSL mirroring support
- VXLAN support
- FortiGate-6000 IPsec load balancing EMAC VLAN interface limitation
- Configuring a FortiGate-6000 to operate in FIPS-CC mode
- Using data interfaces for management traffic
- FortiGate-6000 management interface LAG and VLAN support
- Setting the MTU for a data interface
- More management connections than expected for one device
- More ARP queries than expected for one device - potential issue on large WiFi networks
- VLAN ID 1 is reserved
- Connecting to FPC CLIs using the console port
- Firmware upgrade basics
- Installing firmware on an individual FPC
- Installing firmware from the BIOS after a reboot
- Synchronizing the FPCs with the management board
- FPC failover in a standalone FortiGate-6000
- Troubleshooting an FPC failure
- Adjusting global DP3 timers
- Changing the FortiGate 6501F, or FortiGate 6301F log disk and RAID configuration
- Restarting the FortiGate-6000
- Packet sniffing for FPC and management board packets
- NMI switch and NMI reset commands
- Diagnose debug flow trace for FPC and management board activity
FortiGate-6000 v6.2.16 special features and limitations
FortiGate-6000 v6.2.15 special features and limitations
FortiGate-6000 v6.2.13 special features and limitations
FortiGate-6000 v6.2.12 special features and limitations
FortiGate-6000 v6.2.11 special features and limitations
FortiGate-6000 v6.2.10 special features and limitations
FortiGate-6000 v6.2.9 special features and limitations
FortiGate-6000 v6.2.7 special features and limitations
FortiGate-6000 v6.2.6 special features and limitations
FortiGate-6000 v6.2.4 special features and limitations
FortiGate-6000 v6.2.3 special features and limitations
FortiGate-6000 config CLI commands
FortiGate-6000 execute CLI commands
Change log

Home FortiGate-6000 6.2.16 FortiGate-6000 Handbook

6.2.16

Load balancing TCP, UDP, and ICMP sessions with fragmented packets

If your FortiGate-6000 receives fragmented TCP, UDP, or ICMP packets, you can use the following configuration to make sure the Internal Switch Fabric (ISF) handles them correctly.

config load-balance setting

set dp-fragment-session enable

set sw-load-distribution-method src-dst-ip

end

With this configuration, when the DP3 processor receives a header fragment packet, if a matching session is found, the DP3 processor creates an additional fragment session matching the source-ip, destination-ip, and IP identifier (IPID) of the header fragment packet. Subsequent non-header fragments will match this fragment session and be forwarded to the same FPC as the header fragment.

If dp-fragment-session is disabled (the default), handling fragmented packets is less efficient because the DP3 processor broadcasts all non-header fragmented TCP, UDP, or ICMP packets to all FPCs. FPCs that also received the header fragments of these packets re-assemble the packets correctly. FPCs that did not receive the header fragments discard the non-header fragments.

If sw-load-distribution-method is set to src-dst-ip-sport-dport, fragmented packets may be dropped. Changing the load distribution method to src-dst-ip may lower performance because regular traffic may not be optimally load balanced. You can experiment with enabling and disabling dp-fragment-session and changing sw-load-distribution-method to determine the configuration that produces the best results for your network's traffic.

The age of the fragment session can be controlled using the following command:

config system global

set dp-fragment-timer <timer>

end

The default <timer> value is 120 seconds. The range is 1 to 65535 seconds.