
FortiGate-6000 Handbook

Load balancing and flow rules

This chapter provides an overview of how FortiGate-6000 Session-Aware Load Balancing (SLBC) works and then breaks down the details and explains why you might want to change some load balancing settings.

FortiGate-6000 SLBC works as follows.

  1. The FortiGate-6000 directs all traffic that does not match a load balancing flow rule to the DP3 processors.

    If a session matches a flow rule, the session skips the DP3 processors and is directed according to the action setting of the flow rule. Default flow rules send traffic that can't be load balanced to the primary FPC. See Default configuration for traffic that cannot be load balanced.

  2. The DP3 processors load balance TCP, UDP, SCTP, and (if enabled) ESP (IPsec) sessions among the FPCs according to the load balancing method set by the dp-load-distribution-method option of the config load-balance setting command.

    The DP3 processors load balance ESP (IPsec) sessions that use static routes if IPsec VPN load balancing is enabled. If IPsec VPN load balancing is disabled, the DP3 processors send ESP (IPsec) sessions to the primary FPC. For more information about IPsec VPN load balancing, see IPsec VPN load balancing.

    The DP3 processors load balance ICMP sessions according to the load balancing method set by the dp-icmp-distribution-method option of the config load-balance setting command. See ICMP load balancing.

    The DP3 processors load balance GTP-U sessions if GTP load balancing is enabled. If GTP load balancing is disabled, the DP3 processors send GTP sessions to the primary FPC. For more information about GTP load balancing, see Enabling GTP load balancing.

    To support ECMP, you can change how the DP3 processors manage session tables. See ECMP support.

  3. The DP3 processors send other sessions that cannot be load balanced to the primary FPC.
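The decision order above can be modelled to check which traffic classes concentrate on the primary FPC under a given configuration. This is an added sketch, not Fortinet code: the `Settings` fields are hypothetical stand-ins for the CLI options (field tuples instead of CLI values), the flow-rule dicts and the SHA-256 hash are illustrative, and it assumes that ESP and GTP-U reuse the general distribution fields and that ESP sessions without static routes go to the primary FPC.

```python
import hashlib
from dataclasses import dataclass

PRIMARY = "primary FPC"

@dataclass(frozen=True)
class Session:
    proto: str                 # "tcp", "udp", "sctp", "esp", "icmp", "gtp-u", ...
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    static_route: bool = True  # only consulted for ESP

@dataclass
class Settings:                # hypothetical stand-ins for the CLI options
    load_fields: tuple = ("src", "dst", "sport", "dport")  # dp-load-distribution-method
    icmp_fields: tuple = ()    # dp-icmp-distribution-method; () = primary FPC
    ipsec_lb: bool = True      # IPsec VPN load balancing
    gtp_lb: bool = False       # GTP load balancing
    fpc_count: int = 6         # constructed value

def pick_fpc(s, fields, n):
    """Stand-in hash; the page does not describe the real DP3 algorithm."""
    if not fields:
        return PRIMARY
    key = "|".join(str(getattr(s, f)) for f in fields).encode()
    return f"FPC{int.from_bytes(hashlib.sha256(key).digest()[:4], 'big') % n + 1}"

def dispatch(s, cfg, flow_rules=()):
    """Return (decided_by, destination) for one session."""
    # Step 1: a matching flow rule skips the DP3 processors.
    for rule in flow_rules:
        if rule["proto"] == s.proto and rule.get("dport") in (None, s.dport):
            return ("flow-rule", rule["action"])
    # Step 2: sessions the DP3 processors can load balance.
    if s.proto in ("tcp", "udp", "sctp"):
        return ("dp3", pick_fpc(s, cfg.load_fields, cfg.fpc_count))
    if s.proto == "esp" and cfg.ipsec_lb and s.static_route:
        return ("dp3", pick_fpc(s, cfg.load_fields, cfg.fpc_count))
    if s.proto == "icmp":
        return ("dp3", pick_fpc(s, cfg.icmp_fields, cfg.fpc_count))
    if s.proto == "gtp-u" and cfg.gtp_lb:
        return ("dp3", pick_fpc(s, cfg.load_fields, cfg.fpc_count))
    # Step 3: everything else goes to the primary FPC.
    return ("dp3", PRIMARY)

def on_primary(sessions, cfg, flow_rules=()):
    """Sessions that end up on the primary FPC, for capacity review."""
    return [s for s in sessions if dispatch(s, cfg, flow_rules)[1] == PRIMARY]
```

Running `on_primary` over a representative session mix shows how much traffic a configuration pins to a single FPC, which matters when sizing for bursts of ICMP, IPsec or GTP traffic.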
