
FortiGate-6000 Handbook

SSL VPN load balancing

FortiGate-6000 supports load balancing of SSL VPN tunnel mode sessions that terminate on the FortiGate-6000 itself. By default, SSL VPN load balancing is disabled, and a flow rule sends all SSL VPN sessions to a single FPC (usually the primary FPC).

To support SSL VPN tunnel load balancing, you must disable all flow rules that match the SSL VPN traffic to be load balanced.

For SSL VPN load balancing to work properly, the DP processor load distribution method must be changed to a setting that does not include src-port. A method that hashes on the source port can send the separate connections of one SSL VPN session to different FPCs. The following DP load distribution methods are supported for SSL VPN load balancing:

config load-balance setting

set dp-load-distribution-method {to-master | src-ip | dst-ip | src-dst-ip | dst-ip-dport}

end

Then you can use the following command to enable SSL VPN load balancing:

config load-balance setting

set sslvpn-load-balance enable

end

When you enable SSL VPN load balancing, the FortiGate-6000 restarts the SSL VPN processes running on the management board and the FPCs. The restart resets all current SSL VPN sessions, so any active SSL VPN users are disconnected and must reconnect.

Once the SSL VPN processes restart, the FortiGate-6000 DP3 processor distributes SSL VPN tunnel mode sessions to all of the FPCs.

To be able to distribute SSL VPN sessions to all FPCs, SSL VPN load balancing statically allocates the IP addresses in SSL VPN IP pools among the FPCs. Each FPC acquires a subset of the IP addresses in the IP pool. You may need to expand the number of IP addresses in your SSL VPN IP pools to make sure enough IP addresses are available for each FPC.

Note

SSL VPN IP pool IP addresses are not re-allocated if an FPC goes down, is disabled, or is taken offline. The IP pool IP addresses assigned to the missing FPC are not available until the FPC returns to normal operation.

No other special configuration is required to support SSL VPN tunnel mode load balancing.
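The complete procedure as a CLI script, added here as an example and not taken from the handbook. The flow rule ID (3), the SSL VPN listening port (10443), the address range and the pool name "SSLVPN_TUNNEL_ADDR1" are assumptions; substitute the values from your own unit (for example from `show load-balance flow-rule` and `show vpn ssl settings`).

```text
# Added example, not from the FortiGate-6000 handbook.
# Assumed values: flow rule 3, port 10443, pool SSLVPN_TUNNEL_ADDR1.

# 1. Disable (do not delete) the flow rule that currently pins SSL VPN
#    traffic to one FPC. Leaving it in place lets you re-enable it
#    quickly if you need to back out.
config load-balance flow-rule
    edit 3
        # assumed existing rule: tcp, dst-l4port 10443, forward-slot master
        set status disable
    next
end

# 2. Pick a DP load distribution method that does not hash on src-port,
#    so every connection of one client session lands on the same FPC.
config load-balance setting
    set dp-load-distribution-method src-dst-ip
end

# 3. Enable SSL VPN load balancing. This restarts the SSL VPN processes
#    on the management board and all FPCs and drops every active session,
#    so run it in a maintenance window.
config load-balance setting
    set sslvpn-load-balance enable
end

# 4. Enlarge the tunnel IP pool. The pool is split statically among the
#    FPCs and a down FPC's share is not handed to the others, so size it
#    for the peak concurrent users on any single FPC multiplied by the
#    number of FPCs, not for the chassis total.
config firewall address
    edit "SSLVPN_TUNNEL_ADDR1"
        set type iprange
        set start-ip 10.212.134.1
        set end-ip 10.212.135.254
    next
end

config vpn ssl settings
    set tunnel-ip-pools "SSLVPN_TUNNEL_ADDR1"
end
```

After the SSL VPN processes come back, reconnect a few test clients from different source addresses and compare the tunnel addresses they receive: because each FPC owns a distinct subset of the pool, clients that land on different FPCs receive addresses from different parts of the range. Check `diagnose load-balance status` first so you know which FPCs are up, since the pool addresses owned by a down or disabled FPC are unavailable until it returns.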
