FortiGate-6000 Handbook

What's New
- What's new for FortiGate-6000 6.2.16
- What's new for FortiGate-6000 6.2.15
- What's new for FortiGate-6000 6.2.13
- What's new for FortiGate-6000 6.2.12
- What's new for FortiGate-6000 6.2.11
- What's new for FortiGate-6000 6.2.10
- What's new for FortiGate-6000 6.2.9
- What's new for FortiGate-6000 6.2.7
- What's new for FortiGate-6000 6.2.6
- What's new for FortiGate-6000 6.2.4
- What's new for FortiGate-6000 6.2.3
FortiGate-6000 overview
- Front panel interfaces
- FortiGate-6000 schematic
- Interface groups and changing data interface speeds
- FortiGate-6000 series hardware generations
Getting started with FortiGate-6000 series
- Confirming startup status
- Configuration synchronization
- FortiGate-6000 dashboard widgets
- Multi VDOM mode
- Security Fabric and Split-Task VDOM mode
Managing individual FortiGate-6000 management boards and FPCs
- Special management port numbers
- HA mode special management port numbers
- Connecting to individual FPC consoles
- Connecting to individual FPC CLIs
- Connecting to individual FPC CLIs of the secondary FortiGate-6000 in an HA configuration
- Performing other operations on individual FPCs
Load balancing and flow rules
- Setting the load balancing method
- Flow rules for sessions that cannot be load balanced
- Determining the primary FPC
- SSL VPN load balancing
- FortiOS Carrier GTP load balancing
  - Optimizing NPU GTP performance
  - Enabling GTP load balancing
- ICMP load balancing
- Load balancing TCP, UDP, and ICMP sessions with fragmented packets
- Adding flow rules to support DHCP relay
- Default configuration for traffic that cannot be load balanced
- Showing how the DP3 processor will load balance a session
- Maximum number of flow rules limited by hardware
FortiGate-6000 IPsec VPN
- IPsec VPN load balancing
- Example FortiGate-6000 IPsec VPN VRF configuration
- Troubleshooting
FortiGate-6000 high availability
- Introduction to FortiGate-6000 FGCP HA
- Before you begin configuring HA
- Connect the HA1 and HA2 interfaces for HA heartbeat communication
  - Default HA heartbeat VLAN triple-tagging
  - HA heartbeat VLAN double-tagging
- Basic FortiGate-6000 HA configuration
- Confirming that the FortiGate-6000 HA cluster is synchronized
  - Viewing more details about HA cluster synchronization
- Primary FortiGate-6000 selection with override disabled (default)
- Primary FortiGate-6000 selection with override enabled
- Failover protection
- HA reserved management interfaces
- Virtual clustering
- HA cluster firmware upgrades
- Distributed clustering
- Modifying heartbeat timing
- Changing how long routes stay in a cluster unit routing table
- Session failover (session-pickup)
- FortiGate-6000 FGSP
- Inter-cluster session synchronization
  - Example FortiGate-6000 inter-cluster session synchronization configuration
- Standalone configuration synchronization
- FortiGate-6000 VRRP HA
Operating a FortiGate-6000
- FortiLink support
- ECMP support
  - VDOM-based session tables
  - IPv4 and IPv6 ECMP load balancing
  - Enabling auxiliary session support
- ICAP support
- SSL mirroring support
- VXLAN support
- FortiGate-6000 IPsec load balancing EMAC VLAN interface limitation
- Configuring a FortiGate-6000 to operate in FIPS-CC mode
- Using data interfaces for management traffic
- FortiGate-6000 management interface LAG and VLAN support
- Setting the MTU for a data interface
- More management connections than expected for one device
- More ARP queries than expected for one device - potential issue on large WiFi networks
- VLAN ID 1 is reserved
- Connecting to FPC CLIs using the console port
- Firmware upgrade basics
- Installing firmware on an individual FPC
- Installing firmware from the BIOS after a reboot
- Synchronizing the FPCs with the management board
- FPC failover in a standalone FortiGate-6000
- Troubleshooting an FPC failure
- Adjusting global DP3 timers
- Changing the FortiGate 6501F, or FortiGate 6301F log disk and RAID configuration
- Restarting the FortiGate-6000
- Packet sniffing for FPC and management board packets
- NMI switch and NMI reset commands
- Diagnose debug flow trace for FPC and management board activity
FortiGate-6000 v6.2.16 special features and limitations
FortiGate-6000 v6.2.15 special features and limitations
FortiGate-6000 v6.2.13 special features and limitations
FortiGate-6000 v6.2.12 special features and limitations
FortiGate-6000 v6.2.11 special features and limitations
FortiGate-6000 v6.2.10 special features and limitations
FortiGate-6000 v6.2.9 special features and limitations
FortiGate-6000 v6.2.7 special features and limitations
FortiGate-6000 v6.2.6 special features and limitations
FortiGate-6000 v6.2.4 special features and limitations
FortiGate-6000 v6.2.3 special features and limitations
FortiGate-6000 config CLI commands
FortiGate-6000 execute CLI commands
Change log

Home FortiGate-6000 6.2.16 FortiGate-6000 Handbook

6.2.16

Enabling auxiliary session support

When ECMP is enabled, TCP traffic for the same session can exit and enter the FortiGate on different interfaces. To allow this traffic to pass through, FortiOS creates auxiliary sessions. Allowing the creation of auxiliary sessions is handed by the following command:

config system settings

set auxiliary-sessions {disable | enable}

end

By default, the auxiliary-session option is disabled. This can block some TCP traffic when ECMP is enabled. If this occurs, enabling auxiliary-session may solve the problem. For more information, see Technical Tip: Enabling auxiliary session with ECMP or SD-WAN.