FortiGate-6000 config CLI commands
This chapter describes the following FortiGate-6000 load balancing configuration commands:
config load-balance flow-rule
Use this command to create flow rules that add exceptions to how matched traffic is processed. A flow rule matches a type of traffic and controls whether that traffic is forwarded or blocked; if it is forwarded, the rule can also specify the slot or slots it is forwarded to. Unlike firewall policies, flow rules are not stateful: a rule only matches packets in the direction it describes, so for bi-directional traffic you may need to define two flow rules, one for the forward direction and one for the reverse direction.
Syntax
config load-balance flow-rule
edit <id>
set status {disable | enable}
set src-interface <interface-name> [<interface-name>...]
set vlan <vlan-id>
set ether-type {any | arp | ip | ipv4 | ipv6}
set src-addr-ipv4 <ip4-address> <netmask>
set dst-addr-ipv4 <ip4-address> <netmask>
set src-addr-ipv6 <ip6-address> <netmask>
set dst-addr-ipv6 <ip6-address> <netmask>
set protocol {<protocol-number> | any | icmp | icmpv6 | tcp | udp | igmp | sctp | gre | esp | ah | ospf | pim | vrrp}
set src-l4port <start>[-<end>]
set dst-l4port <start>[-<end>]
set icmptype <type>
set icmpcode <code>
set tcp-flag {any | syn | fin | rst}
set action {forward | mirror-ingress | stats | drop}
set mirror-interface <interface-name>
set forward-slot {master | all | load-balance | <FPC#>}
set priority <number>
set comment <text>
end
status {disable | enable}
Enable or disable this flow rule. New flow rules are disabled by default.
src-interface <interface-name> [<interface-name>...]
Optionally add the names of one or more front panel interfaces accepting the traffic to be subject to the flow rule. If you don't specify a src-interface, the flow rule matches traffic received by any interface.
If you are matching VLAN traffic, select the interface that the VLAN has been added to and use the vlan option to specify the VLAN ID of the VLAN interface.
vlan <vlan-id>
If the traffic matching the rule is VLAN traffic, enter the VLAN ID used by the traffic. You must set src-interface to the interface that the VLAN interface is added to.
ether-type {any | arp | ip | ipv4 | ipv6}
The type of traffic to be matched by the rule. You can match any traffic (the default) or just match ARP, IP, IPv4 or IPv6 traffic.
{src-addr-ipv4 | dst-addr-ipv4} <ip4-address> <netmask>
The IPv4 source and destination address of the IPv4 traffic to be matched. The default of 0.0.0.0 0.0.0.0 matches all IPv4 traffic. Available if ether-type is set to ipv4.
{src-addr-ipv6 | dst-addr-ipv6} <ip6-address> <netmask>
The IPv6 source and destination address of the IPv6 traffic to be matched. The default of ::/0 matches all IPv6 traffic. Available if ether-type is set to ipv6.
protocol {<protocol-number> | any | icmp | icmpv6 | tcp | udp | igmp | sctp | gre | esp | ah | ospf | pim | vrrp}
If ether-type is set to ip, ipv4, or ipv6, specify the protocol of the IP, IPv4, or IPv6 traffic to match the rule. The default is any. You can specify any protocol number, or use the following keywords to select common protocols.
Option | Protocol number |
---|---|
icmp | 1 |
icmpv6 | 58 |
tcp | 6 |
udp | 17 |
igmp | 2 |
sctp | 132 |
gre | 47 |
esp | 50 |
ah | 51 |
ospf | 89 |
pim | 103 |
vrrp | 112 |
{src-l4port | dst-l4port} <start>[-<end>]
Specify a layer 4 source port range and destination port range. This option appears when protocol is set to tcp or udp. The default range is 0-0, which matches all ports. To match a single port, enter just that port rather than a range. For example, to set the source port to 80, enter set src-l4port 80.
icmptype <type>
Specify an ICMP type number in the range 0 to 255. The default is 255. This option appears if protocol is set to icmp. For information about ICMP type numbers, see Internet Control Message Protocol (ICMP) Parameters.
icmpcode <code>
If the ICMP type also includes an ICMP code, use this option to add that ICMP code. The range is 0 to 255. The default is 255. This option appears if protocol is set to icmp. For information about ICMP code numbers, see Internet Control Message Protocol (ICMP) Parameters.
tcp-flag {any | syn | fin | rst}
Set the TCP session flag to match. The any setting (the default) matches all TCP sessions. You can add specific flags to match only specific TCP session types.
action {forward | mirror-ingress | stats | drop}
The action to take with matching sessions. Matching traffic can be dropped, forwarded to another destination, or mirrored, and you can record statistics about the traffic for later analysis. You can combine two or three settings in one command. For example, set action to both forward and stats to forward traffic and collect statistics about it. Use append to add options to an existing action setting.
The default action is forward, which forwards packets to the specified forward-slot.
The mirror-ingress option copies (mirrors) all ingress packets that match this flow rule and sends them to the interface specified with the mirror-interface option.
mirror-interface <interface-name>
The name of the interface to send packets matched by this flow rule to when action is set to mirror-ingress.
forward-slot {master | all | load-balance | <FPC#>}
The slot that you want to forward the traffic that matches this rule to.
Where:
master
forwards traffic to the primary FPC.
all
means forward the traffic to all FPCs.
load-balance
means forward this traffic to the DP processors that then use the default load balancing configuration to handle this traffic.
<FPC#>
forward the matching traffic to a specific FPC. For example, FPC3 is the FPC in slot 3.
priority <number>
Set the priority of the flow rule in the range 1 (lowest priority) to 10 (highest priority). Higher priority rules are matched first. You can use the priority to control which rule is matched first if you have overlapping rules.
The default priority is 5.
comment <text>
Optionally add a comment that describes the flow rule.
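The following is an added example of a flow-rule configuration, not taken from the Fortinet documentation. The rule IDs, interface names (port1, port2, port3, port40), subnets, VLAN ID and port numbers are assumed for illustration. It shows the forward/reverse pair that non-stateful matching requires, a mirror rule for VLAN traffic, and the next keyword that the FortiOS CLI uses between table entries (the syntax block above omits it):

```fortios
config load-balance flow-rule
    edit 101
        set status enable
        set src-interface port1
        set ether-type ipv4
        set src-addr-ipv4 10.1.0.0 255.255.0.0
        set dst-addr-ipv4 10.2.0.0 255.255.0.0
        set protocol tcp
        set dst-l4port 8443
        set action forward stats
        set forward-slot master
        set priority 7
        set comment "app on tcp/8443 pinned to the primary FPC, forward direction"
    next
    edit 102
        set status enable
        set src-interface port2
        set ether-type ipv4
        set src-addr-ipv4 10.2.0.0 255.255.0.0
        set dst-addr-ipv4 10.1.0.0 255.255.0.0
        set protocol tcp
        set src-l4port 8443
        set action forward stats
        set forward-slot master
        set priority 7
        set comment "app on tcp/8443 pinned to the primary FPC, reverse direction"
    next
    edit 103
        set status enable
        set src-interface port3
        set vlan 200
        set ether-type ipv4
        set protocol udp
        set dst-l4port 53
        set action forward mirror-ingress
        set forward-slot load-balance
        set mirror-interface port40
        set comment "copy VLAN 200 DNS queries to the capture port, still load balanced"
    next
end
```

Rule 101 matches only client-to-server packets (destination port 8443 arriving on port1); because flow rules are not stateful, the reply packets (source port 8443 arriving on port2) need their own rule, 102, or they would be handled by the default load balancing and could land on a different FPC. Both rules use priority 7 so that they win over any overlapping rule left at the default priority of 5. Rule 103 combines forward and mirror-ingress, so the DNS traffic is still distributed by the DP processors while a copy goes to port40; the VLAN is matched by naming the physical interface in src-interface and the VLAN ID in vlan, as described above. New rules are disabled by default, so each entry sets status enable explicitly.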
config load-balance setting
Use this command to set a wide range of load balancing settings.
config load-balance setting
set slbc-mgmt-intf {mgmt1 | mgmt2 | mgmt3}
set max-miss-heartbeats <heartbeats>
set max-miss-mgmt-heartbeats <heartbeats>
set weighted-load-balance {disable | enable}
set ipsec-load-balance {disable | enable}
set gtp-load-balance {disable | enable}
set sslvpn-load-balance {disable | enable}
set dp-fragment-session {disable | enable}
set dp-load-distribution-method {to-master | src-ip | dst-ip | src-dst-ip | src-ip-sport | dst-ip-dport | src-dst-ip-sport-dport}
set sw-load-distribution-method {src-dst-ip | src-dst-ip-sport-dport}
set dp-icmp-distribution-method {to-master | src-ip | dst-ip | src-dst-ip | derived}
set dp-session-table-type {intf-vlan-based | vdom-based}
set nat-source-port {chassis-slots | enabled-slots}
config workers
edit <slot>
set status {disable | enable}
set weight <weight>
end
slbc-mgmt-intf {mgmt1 | mgmt2 | mgmt3}
Selects the interface used for management connections. The default is mgmt1. The IP address of this interface becomes the IP address used to enable management access to individual FPCs using special administration ports as described in Special management port numbers. To manage individual FPCs, this interface must be connected to a network.
To enable using the special management port numbers to connect to individual FPCs, set
max-miss-heartbeats <heartbeats>
Set the number of missed heartbeats before an FPC is considered to have failed. If a failure occurs, the DP3 processor will no longer load balance sessions to the FPC.
The time between heartbeats is 0.2 seconds. Range is 3 to 300. A value of 3 means 0.6 seconds, 20 (the default) means 4 seconds, and 300 means 60 seconds.
max-miss-mgmt-heartbeats <heartbeats>
Set the number of missed management heartbeats before an FPC is considered to have failed. If a failure occurs, the DP3 processor will no longer load balance sessions to the FPC.
The time between management heartbeats is 1 second. Range is 3 to 300 heartbeats. The default is 10 heartbeats.
weighted-load-balance {disable | enable}
Enable weighted load balancing depending on the slot (or worker) weight. Use config workers to set the weight for each slot or worker.
ipsec-load-balance {disable | enable}
Enable or disable IPsec VPN load balancing.
By default IPsec VPN load balancing is enabled and all default IPsec VPN flow rules are disabled. The FortiGate-6000 directs IPsec VPN sessions to the DP3 processors, which load balance them among the FPCs.
If IPsec VPN load balancing is enabled, the FortiGate-6000 drops IPsec VPN sessions traveling between two IPsec tunnels, because the two tunnels may be terminated on different FPCs. If you have traffic entering the FortiGate-6000 from one IPsec VPN tunnel and leaving out another IPsec VPN tunnel, you must disable IPsec VPN load balancing. Disabling IPsec VPN load balancing enables the default IPsec VPN flow rules.
gtp-load-balance {disable | enable}
Enable GTP load balancing. If GTP load balancing is enabled, Tunnel Endpoint Identifiers (TEIDs) are used to identify GTP sessions.
sslvpn-load-balance {disable | enable}
Enable or disable SSL VPN load balancing. For more information, see SSL VPN load balancing.
dp-fragment-session {disable | enable}
Enable or disable efficient DP3 load balancing of TCP, UDP, and ICMP sessions with fragmented packets. The option is disabled by default.
For more information, see Load balancing TCP, UDP, and ICMP sessions with fragmented packets.
dp-load-distribution-method {to-master | round-robin | src-ip | dst-ip | src-dst-ip | src-ip-sport | dst-ip-dport | src-dst-ip-sport-dport}
Set the method used to load balance sessions among FPCs. Usually you would only need to change the load balancing method if you had specific requirements or found that the default method wasn't distributing sessions in the manner that you would prefer. The default is src-dst-ip-sport-dport, which means sessions are identified by their source address and port and destination address and port.
to-master
directs all session to the primary FPC. This method is for troubleshooting only and should not be used for normal operation. Directing all sessions to the primary FPC will have a negative impact on performance.
src-ip
sessions are distributed across all FPCs according to their source IP address.
dst-ip
sessions are statically distributed across all FPCs according to their destination IP address.
src-dst-ip
sessions are distributed across all FPCs according to their source and destination IP addresses.
src-ip-sport
sessions are distributed across all FPCs according to their source IP address and source port.
dst-ip-dport
sessions are distributed across all FPCs according to their destination IP address and destination port.
src-dst-ip-sport-dport
distribute sessions across all FPCs according to their source and destination IP address, source port, and destination port. This is the default load balance algorithm and represents true session-aware load balancing. Session aware load balancing takes all session information into account when deciding where to send new sessions and where to send additional packets that are part of an already established session.
The src-ip and dst-ip load balancing methods use layer 3 information (IP addresses) to identify and load balance sessions. All of the other load balancing methods (except for to-master) use both layer 3 and layer 4 information (IP addresses and port numbers) to identify a TCP or UDP session. The layer 3 and layer 4 load balancing methods use only layer 3 information for other types of traffic (SCTP, ICMP, and ESP). If GTP load balancing is enabled, Tunnel Endpoint Identifiers (TEIDs) are used to identify GTP sessions.
sw-load-distribution-method {src-dst-ip | src-dst-ip-sport-dport}
Configure the load distribution method used by the Internal Switch Fabric (ISF). The default setting is src-dst-ip-sport-dport.
To support load balancing sessions with fragmented packets, set sw-load-distribution-method to src-dst-ip. For more information, see Load balancing TCP, UDP, and ICMP sessions with fragmented packets.
dp-icmp-distribution-method {to-master | src-ip | dst-ip | src-dst-ip | derived}
Set the method used to load balance ICMP sessions among FPCs. Usually you would only need to change the load balancing method if you had specific requirements or found that the default method wasn't distributing sessions in the manner that you would prefer. The default is to-master, which means all ICMP sessions are sent to the primary (master) FPC.
to-master
directs all ICMP sessions to the primary FPC.
src-ip
ICMP sessions are distributed across all FPCs according to their source IP address.
dst-ip
ICMP sessions are statically distributed across all FPCs according to their destination IP address.
src-dst-ip
ICMP sessions are distributed across all FPCs according to their source and destination IP addresses.
derived
ICMP sessions are load balanced using the dp-load-distribution-method setting. Since port-based ICMP load balancing is not possible, if dp-load-distribution-method is set to a method that includes ports, ICMP load balancing uses the equivalent method that does not include ports. For example, if dp-load-distribution-method is set to src-dst-ip-sport-dport (the default), ICMP load balancing uses src-dst-ip.
dp-session-table-type {intf-vlan-based | vdom-based}
Change DP processing load balancing mode:
intf-vlan-based
is the default value and should be used in all cases unless the FortiGate-6000 will support ECMP.
vdom-based
should only be selected to support ECMP. Enabling VDOM session tables can reduce connections per second (CPS) performance so it should only be enabled if needed to support ECMP. This performance reduction can be more noticeable if the FortiGate-6000 is processing many firewall only sessions. For more information, see ECMP support.
nat-source-port {chassis-slots | enabled-slots}
Change SNAT port partitioning behavior. For more information, see Controlling SNAT port partitioning behavior.
config workers
Set the weight and enable or disable each worker (FPC). Use the edit command to specify the slot the FPC is installed in. You can enable or disable each FPC and set a weight for each FPC.
The weight range is 1 to 10. 5 is average (and the default), 1 is -80% of average and 10 is +100% of average. The weights take effect only if weighted-load-balance is enabled.
config workers
edit <slot>
set status enable
set weight 5
end
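The following is an added example of a complete load-balance setting, not taken from the Fortinet documentation. The slot numbers and weights are assumed for illustration; every option and value used is one described above:

```fortios
config load-balance setting
    set slbc-mgmt-intf mgmt1
    set max-miss-heartbeats 20
    set max-miss-mgmt-heartbeats 10
    set weighted-load-balance enable
    set ipsec-load-balance disable
    set dp-load-distribution-method src-dst-ip-sport-dport
    set dp-icmp-distribution-method derived
    set dp-fragment-session enable
    set sw-load-distribution-method src-dst-ip
    config workers
        edit 1
            set status enable
            set weight 5
        next
        edit 2
            set status enable
            set weight 8
        next
        edit 3
            set status disable
        next
    end
end
```

With these values an FPC is declared failed after 20 missed data-plane heartbeats (20 x 0.2 s = 4 s) or 10 missed management heartbeats (10 x 1 s = 10 s), after which the DP3 processor stops sending it new sessions. ipsec-load-balance is disabled here for the tunnel-to-tunnel case described above, where traffic enters through one IPsec tunnel and leaves through another; disabling it also enables the default IPsec VPN flow rules. dp-icmp-distribution-method derived makes ICMP follow the main method with the ports stripped, so ICMP is spread by src-dst-ip instead of all landing on the primary FPC. sw-load-distribution-method src-dst-ip and dp-fragment-session enable are the two settings this page associates with fragmented-packet handling; with the default port-based ISF method, non-first fragments carry no layer 4 header and could not be keyed the same way as the first fragment. In the workers table, slot 2 (weight 8) receives a larger share of new sessions than slot 1 (weight 5, the average) because weighted-load-balance is enabled, and slot 3 is disabled, which is a way to take an FPC out of rotation, for example during maintenance (an assumed use, not stated on this page).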
config system console-server
Use this command to disable or enable the FortiGate-6000 console server. The console server allows you to use the execute system console server command from the management board CLI to access individual FPC consoles in your FortiGate-6000.
Syntax
config system console-server
set status {disable | enable}
config entries
edit <slot>
set slot-id <id>
set port <port>
end
status {disable | enable}
Disable or enable the FortiGate-6000 console server. Enabled by default. The entries table (edit <slot>) shows the port number used for each slot. These settings cannot be changed.