
FortiGate-7000 Handbook

Default configuration for traffic that cannot be load balanced


Default configuration for traffic that cannot be load balanced

The following flow rules are recommended for handling common forms of traffic that cannot be load balanced. They send GPRS (UDP port 2123), SSL VPN (TCP port 10443), IPv4 and IPv6 IPsec VPN (IKE, IKE NAT-T, and ESP), ICMP, and ICMPv6 traffic to the primary (or master) FPM.

The CLI syntax below shows only the settings that differ from the defaults; every other option keeps its default value. For example, forward-slot, the flow-rule option that selects the FPM slot sessions are sent to, is left at its default of master in every rule below, which sends matching sessions to the primary (or master) FPM. Note that rules 30 and 32 in the listing below do not include set status enable, so verify that those rules are enabled after entering the configuration.

config load-balance flow-rule

edit 20

set status enable

set ether-type ipv4

set protocol udp

set dst-l4port 2123-2123

next

edit 21

set status enable

set ether-type ip

set protocol tcp

set dst-l4port 10443-10443

set comment "ssl vpn to the primary FPM"

next

edit 22

set status enable

set ether-type ipv4

set protocol udp

set src-l4port 500-500

set dst-l4port 500-500

set comment "ipv4 ike"

next

edit 23

set status enable

set ether-type ipv4

set protocol udp

set src-l4port 4500-4500

set comment "ipv4 ike-natt src"

next

edit 24

set status enable

set ether-type ipv4

set protocol udp

set dst-l4port 4500-4500

set comment "ipv4 ike-natt dst"

next

edit 25

set status enable

set ether-type ipv4

set protocol esp

set comment "ipv4 esp"

next

edit 26

set status enable

set ether-type ipv6

set protocol udp

set src-l4port 500-500

set dst-l4port 500-500

set comment "ipv6 ike"

next

edit 27

set status enable

set ether-type ipv6

set protocol udp

set src-l4port 4500-4500

set comment "ipv6 ike-natt src"

next

edit 28

set status enable

set ether-type ipv6

set protocol udp

set dst-l4port 4500-4500

set comment "ipv6 ike-natt dst"

next

edit 29

set status enable

set ether-type ipv6

set protocol esp

set comment "ipv6 esp"

next

edit 30

set ether-type ipv4

set protocol icmp

set comment "icmp"

next

edit 31

set status enable

set ether-type ipv6

set protocol icmpv6

set comment "icmpv6"

next

edit 32

set ether-type ipv6

set protocol 41

end

Default configuration for traffic that cannot be load balanced

The following flow rules are recommended for handling common forms of traffic that cannot be load balanced. They send GPRS (UDP port 2123), SSL VPN (TCP port 10443), IPv4 and IPv6 IPsec VPN (IKE, IKE NAT-T, and ESP), ICMP, and ICMPv6 traffic to the primary (or master) FPM.

The CLI syntax below shows only the settings that differ from the defaults; every other option keeps its default value. For example, forward-slot, the flow-rule option that selects the FPM slot sessions are sent to, is left at its default of master in every rule below, which sends matching sessions to the primary (or master) FPM. Note that rules 30 and 32 in the listing below do not include set status enable, so verify that those rules are enabled after entering the configuration.

config load-balance flow-rule

edit 20

set status enable

set ether-type ipv4

set protocol udp

set dst-l4port 2123-2123

next

edit 21

set status enable

set ether-type ip

set protocol tcp

set dst-l4port 10443-10443

set comment "ssl vpn to the primary FPM"

next

edit 22

set status enable

set ether-type ipv4

set protocol udp

set src-l4port 500-500

set dst-l4port 500-500

set comment "ipv4 ike"

next

edit 23

set status enable

set ether-type ipv4

set protocol udp

set src-l4port 4500-4500

set comment "ipv4 ike-natt src"

next

edit 24

set status enable

set ether-type ipv4

set protocol udp

set dst-l4port 4500-4500

set comment "ipv4 ike-natt dst"

next

edit 25

set status enable

set ether-type ipv4

set protocol esp

set comment "ipv4 esp"

next

edit 26

set status enable

set ether-type ipv6

set protocol udp

set src-l4port 500-500

set dst-l4port 500-500

set comment "ipv6 ike"

next

edit 27

set status enable

set ether-type ipv6

set protocol udp

set src-l4port 4500-4500

set comment "ipv6 ike-natt src"

next

edit 28

set status enable

set ether-type ipv6

set protocol udp

set dst-l4port 4500-4500

set comment "ipv6 ike-natt dst"

next

edit 29

set status enable

set ether-type ipv6

set protocol esp

set comment "ipv6 esp"

next

edit 30

set ether-type ipv4

set protocol icmp

set comment "icmp"

next

edit 31

set status enable

set ether-type ipv6

set protocol icmpv6

set comment "icmpv6"

next

edit 32

set ether-type ipv6

set protocol 41

end