FortiGate-7000 Handbook

FortiGate-7000 load balancing commands

The most notable difference between a FortiGate-7000 and other FortiGates are the commands described in this section for configuring load balancing. The following commands are available:

config load-balance flow-rule

config load-balance setting

In most cases you do not have to use these commands. However, they are available to customize some aspects of load balancing.

Note FortiGate-6000 and FortiGate-7000 have the commands described in this chapter in common. Some of the options described in this section may not apply in the same way on these two platforms. These differences are noted in the descriptions. For example, the generic term "worker" maps to an FPC in a FortiGate-6000 and an FPM in a FortiGate-7000.

config load-balance flow-rule

Use this command to add FortiGate-6000 or FortiGate-7000 flow rules that add exceptions to how matched traffic is processed. Specifically you can use these rules to match a type of traffic and control whether the traffic is forwarded or blocked. And if the traffic is forwarded you can specify whether to forward the traffic to a specific slot or slots. Unlike firewall policies, load-balance rules are not stateful so for bi-directional traffic, you may need to define two flow rules to match both traffic directions (forward and reverse).

Syntax

config load-balance flow-rule

edit 0

set status {disable | enable}

set src-interface <interface-name> [<interface-name>...]

set vlan <vlan-id>

set ether-type {any | arp | ip | ipv4 | ipv6}

set src-addr-ipv4 <ip4-address> <netmask>

set dst-addr-ipv4 <ip4-address> <netmask>

set src-addr-ipv6 <ip6-address> <netmask>

set dst-addr-ipv6 <ip6-address> <netmask>

set protocol {any | icmp | icmpv6 | tcp | udp | igmp | sctp | gre | esp | ah | ospf | pim | vrrp}

set src-l4port <start>[-<end>]

set dst-l4port <start>[-<end>]

set tcp-flag

set action {forward | mirror-ingress | stats | drop}

set mirror-interface <interface-name>

set forward-slot {master | all | load-balance | <FPM# or FPC#>}

set priority <number>

set comment <text>

end

status {disable | enable}

Enable or disable this flow rule. Default for a new flow-rule is disable.

src-interface <interface-name> [<interface-name>...]

The names of one or more FIM front panel interfaces accepting the traffic to be subject to the flow rule.

vlan <vlan-id>

If the traffic matching the rule is VLAN traffic, enter the VLAN ID used by the traffic.

ether-type {any | arp | ip | ipv4 | ipv6}

The type of traffic to be matched by the rule. You can match any traffic (the default) or just match ARP, IP, or IPv4 traffic.

{src-addr-ipv4 | dst-addr-ipv4} <ipv4-address> <netmask>

The source and destination address of the traffic to be matched. The default of 0.0.0.0 0.0.0.0 matches all traffic. Available if ether-type is set to ipv4.

{src-addr-ipv6 | dst-addr-ipv6} <ip-address> <netmask>

The source and destination address of the traffic to be matched. The default of ::/0 matches all traffic. Available if ether-type is set to ipv6.

protocol {any | icmp | tcp | udp | igmp | sctp | gre | esp | ah | ospf | pim | vrrp}

If ether-type is set to ip, ipv4, or ipv6, specify the protocol of the IP, IPv4, or IPv6 traffic to match the rule. The default is any.

{src-l4port | dst-l4port} <start>[-<end>]

Specify a source port range and a destination port range. This option appears only for some protocol settings, for example when protocol is set to tcp or udp. The default range is 0-0.

action {forward | mirror-ingress | stats | drop}

How to handle matching packets. They can be dropped, forwarded to another destination, or you can record statistics about the traffic for later analysis. You can combine two or three settings in one command; for example, you can set action to both forward and stats to forward traffic and collect statistics about it. Use append to add multiple options.

The default action is forward.

The mirror-ingress option copies (mirrors) all ingress packets that match this flow rule and sends them to the interface specified with the mirror-interface option.

set mirror-interface <interface-name>

The name of the interface to send packets matched by this flow-rule when action is set to mirror-ingress or mirror-egress.

forward-slot {master | all | load-balance | <FPC#>}

The slot that you want to forward the traffic that matches this rule to.

master forwards the traffic to the primary FPM or FPC.

all means forward the traffic to all slots.

load-balance means use the default load balancing configuration to handle this traffic.

<FPM# or FPC#> allows you to forward the matching traffic to a specific FPC (FortiGate-6000) or FPM module (FortiGate-7000). For example, FPC3 is the FortiGate-6000 FPC in slot 3. FPM3 is the FortiGate-7000 FPM module in slot 3.

priority <number>

Set the priority of the flow rule in the range 1 (highest priority) to 10 (lowest priority). Higher priority rules are matched first. You can use the priority to control which rule is matched first if you have overlapping rules.

comment <text>

Optionally add a comment that describes the rule.
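Because flow rules are not stateful, bi-directional traffic needs a rule for each direction. The following configuration is an added example (not from the Fortinet handbook) that pins both directions of HTTPS traffic between an assumed internal network 10.1.0.0/16 and an assumed server 192.0.2.10 to the FPM in slot 3 while collecting statistics; the interface names port1 and port2, the addresses and the slot number are assumptions.

```fortios
# Added example, not part of the handbook. Interface names,
# addresses and the slot number are assumed values.
config load-balance flow-rule
    # Forward direction: client (10.1.0.0/16) to server port 443
    edit 0
        set status enable
        set src-interface port1
        set ether-type ipv4
        set src-addr-ipv4 10.1.0.0 255.255.0.0
        set dst-addr-ipv4 192.0.2.10 255.255.255.255
        set protocol tcp
        set dst-l4port 443
        set action forward stats
        set forward-slot FPM3
        set priority 2
        set comment "HTTPS to 192.0.2.10, client to server"
    next
    # Reverse direction: server port 443 back to the clients.
    # Without this second rule the return packets fall back to
    # the default load balancing and may land on another slot.
    edit 0
        set status enable
        set src-interface port2
        set ether-type ipv4
        set src-addr-ipv4 192.0.2.10 255.255.255.255
        set dst-addr-ipv4 10.1.0.0 255.255.0.0
        set protocol tcp
        set src-l4port 443
        set action forward stats
        set forward-slot FPM3
        set priority 2
        set comment "HTTPS from 192.0.2.10, server to client"
    next
end
```

Both rules share priority 2 so that a more specific rule with priority 1 could still take precedence over them if overlapping rules are added later.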

config load-balance setting

Use this command to set a wide range of load balancing settings.

config load-balance setting

set slbc-mgmt-intf {mgmt1 | mgmt2 | mgmt3}

set max-miss-heartbeats <heartbeats>

set max-miss-mgmt-heartbeats <heartbeats>

set weighted-load-balance {disable | enable}

set ipsec-load-balance {disable | enable}

set gtp-load-balance {disable | enable}

set dp-load-distribution-method {to-master | src-ip | dst-ip | src-dst-ip | src-ip-sport | dst-ip-dport | src-dst-ip-sport-dport}

config workers

edit 3

set status enable

set weight 5

end

end

slbc-mgmt-intf {mgmt1 | mgmt2 | mgmt3}

Select the interface used for management connections. The name depends on the available management interfaces on the device you are managing. You can use this option to enable access to the FPCs directly using the special administration ports as described in Managing individual FPCs.

max-miss-heartbeats <heartbeats>

Set the number of missed heartbeats before a worker (an FPC or FPM module) is considered to have failed. If this many heartbeats are not received from a worker, this indicates that the worker is not able to process data traffic and no more traffic will be sent to this worker.

The time between heartbeats is 0.2 seconds. Range is 3 to 300. 3 means 0.6 seconds, 10 (the default) means 2 seconds, and 300 means 60 seconds.

max-miss-mgmt-heartbeats <heartbeats>

Set the number of missed management heartbeats before a worker (an FPC or FPM module) is considered to have failed. If this happens, there is a communication problem between a worker and other workers. This communication problem means the worker may not be able to synchronize configuration changes, sessions, the kernel routing table, the bridge table and so on with other workers. If a management heartbeat failure occurs, no traffic will be sent to the worker.

The time between management heartbeats is 1 second. Range is 3 to 300 seconds. The default is 20 seconds.

weighted-load-balance {disable | enable}

Enable weighted load balancing depending on the slot (or worker) weight. Use the config workers command to set the weight for each slot or worker.

gtp-load-balance {disable | enable}

Enable GTP load balancing. If GTP load balancing is enabled, Tunnel Endpoint Identifiers (TEIDs) are used to identify GTP sessions.

dp-load-distribution-method {to-master | round-robin | src-ip | dst-ip | src-dst-ip | src-ip-sport | dst-ip-dport | src-dst-ip-sport-dport}

Set the method used to distribute sessions among workers (FPCs or FPM modules). Usually you would only need to change the method if you had specific requirements or you found that the default method wasn’t distributing sessions in the manner that you would prefer. The default is src-dst-ip-sport-dport which means sessions are identified by their source address and port and destination address and port.

to-master directs all sessions to the primary FPC. This method is for troubleshooting only and should not be used for normal operation. Directing all sessions to the primary FPC will have a negative impact on performance.

src-ip sessions are distributed across all FPCs according to their source IP address.

dst-ip sessions are statically distributed across all FPCs according to their destination IP address.

src-dst-ip sessions are distributed across all FPCs according to their source and destination IP addresses.

src-ip-sport sessions are distributed across all FPCs according to their source IP address and source port.

dst-ip-dport sessions are distributed across all FPCs according to their destination IP address and destination port.

src-dst-ip-sport-dport sessions are distributed across all FPCs according to their source and destination IP address, source port, and destination port. This is the default load balance algorithm and represents true session-aware load balancing. All session information is taken into account when deciding where to send new sessions and where to send additional packets that are part of an already established session.

Note The src-ip and dst-ip load balancing methods use layer 3 information (IP addresses) to identify and load balance sessions. All of the other load balancing methods (except for to-master) use both layer 3 and layer 4 information (IP addresses and port numbers) to identify a TCP and UDP session. The layer 3 and layer 4 load balancing methods only use layer 3 information for other types of traffic (SCTP, ICMP, and ESP). If GTP load balancing is enabled, Tunnel Endpoint Identifiers (TEIDs) are used to identify GTP sessions.

config workers

Set the weight and enable or disable each worker (FPC or FPM module). Use the edit command to specify the slot the worker is installed in. You can enable or disable each worker and set each worker's weight.

The weight range is 1 to 10. 5 is average, 1 is -80% of average and 10 is +100% of average. The weights take effect if weighted-load-balance is enabled.

config workers

edit 3

set status enable

set weight 5

end
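The following configuration is an added example (not from the Fortinet handbook) that ties the settings above together: it enables weighted load balancing, gives the worker in slot 2 twice the average share, takes the worker in slot 4 out of service for maintenance, and shortens the data-plane heartbeat timeout so a failed worker is removed from rotation sooner. The slot numbers and the timeout value are assumptions.

```fortios
# Added example, not part of the handbook. Slot numbers and the
# heartbeat value are assumed for illustration.
config load-balance setting
    # Keep the default session-aware method (L3 + L4 hashing).
    set dp-load-distribution-method src-dst-ip-sport-dport
    # 5 missed heartbeats x 0.2 s = a worker is declared failed
    # after 1 second instead of the default 2 seconds (10 x 0.2 s).
    set max-miss-heartbeats 5
    # Management heartbeats are 1 s apart; keep the 20 s default.
    set max-miss-mgmt-heartbeats 20
    set weighted-load-balance enable
    config workers
        # Slot 1: average share of new sessions.
        edit 1
            set status enable
            set weight 5
        next
        # Slot 2: +100% of average, receives twice the sessions of slot 1.
        edit 2
            set status enable
            set weight 10
        next
        # Slot 3: -80% of average, a lightly loaded worker.
        edit 3
            set status enable
            set weight 1
        next
        # Slot 4: disabled, no new sessions are sent to this worker.
        edit 4
            set status disable
        next
    end
end
```

Re-enable slot 4 and return max-miss-heartbeats to the default once maintenance is complete, since a short heartbeat timeout makes the cluster more sensitive to transient backplane delays.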