
FortiGate-6000 Handbook

Flow rules for sessions that cannot be load balanced


Some traffic types cannot be load balanced. Sessions for traffic types that cannot be load balanced should normally be sent to the primary (or master) FPC by configuring flow rules for that traffic. You can also configure flow rules to send traffic that cannot be load balanced to specific FPCs.

Create flow rules using the config load-balance flow-rule command. The default configuration uses this command to send Kerberos, BGP, RIP, IPv4 and IPv6 DHCP, PPTP, BFD, IPv4 and IPv6 multicast, GTP, and HTTP and HTTPS authd sessions to the primary FPC. The default configuration also sends VRRP traffic to all FPCs. To see how these rules are set up, view the default configuration of the config load-balance flow-rule command, or see Default configuration for traffic that cannot be load balanced.

For example, the following configuration sends BGP source and destination sessions to the primary FPC:

    config load-balance flow-rule
        edit 3
            set status enable
            set vlan 0
            set ether-type ip
            set protocol tcp
            set src-l4port 179-179
            set dst-l4port 0-0
            set tcp-flag any
            set action forward
            set forward-slot master
            set priority 5
            set comment "bgp src"
        next
        edit 4
            set status enable
            set vlan 0
            set ether-type ip
            set protocol tcp
            set src-l4port 0-0
            set dst-l4port 179-179
            set tcp-flag any
            set action forward
            set forward-slot master
            set priority 5
            set comment "bgp dst"
    end
