Fortinet black logo

FortiGate-7000 Handbook

Home FortiGate-7000 5.6.11 FortiGate-7000 Handbook

Flow rules for sessions that cannot be load balanced

5.6.11
6.2.3
6.0.10
6.0.9
6.0.8
6.0.6
6.0.4
5.6.14
5.6.12
5.6.11
5.6.7
5.4.9
Copy Link
Copy Doc ID 9f4efde9-e60f-11e9-8977-00505692583a:336555
Download PDF

Flow rules for sessions that cannot be load balanced

Some traffic types cannot be load balanced. Sessions for traffic types that cannot be load balanced should normally be sent to the primary (or master) FPM by configuring flow rules for that traffic. You can also configure flow rules to send traffic that cannot be load balanced to specific FPMs.

Create flow rules using the config load-balance flow-rule command. The default configuration uses this command to send IKE, GRE, session helper, Kerberos, BGP, RIP, IPv4 and IPv6 DHCP, PPTP, BFD, IPv4 multicast and IPv6 multicast to the primary FPM. You can view the default configuration of the config loadbalance flow-rule command to see how this is all configured or see Default configuration for traffic that cannot be load balanced.

For example, the following configuration sends all IKE sessions to the primary FPM:

config load-balance flow-rule

edit 1

set status enable

set vlan 0

set ether-type ip

set protocol udp

set src-l4port 500-500

set dst-l4port 500-500

set action forward

set forward-slot master

set priority 5

set comment "ike"

next

edit 2

set status disable

set vlan 0

set ether-type ip

set protocol udp

set src-l4port 4500-4500

set dst-l4port 0-0

set action forward

set forward-slot master

set priority 5

set comment "ike-natt src"

next

edit 3

set status disable

set vlan 0

set ether-type ip

set protocol udp

set src-l4port 0-0

set dst-l4port 4500-4500

set action forward

set forward-slot master

set priority 5

set comment "ike-natt dst"

next

Previous
Next

Flow rules for sessions that cannot be load balanced

Some traffic types cannot be load balanced. Sessions for traffic types that cannot be load balanced should normally be sent to the primary (or master) FPM by configuring flow rules for that traffic. You can also configure flow rules to send traffic that cannot be load balanced to specific FPMs.

Create flow rules using the config load-balance flow-rule command. The default configuration uses this command to send IKE, GRE, session helper, Kerberos, BGP, RIP, IPv4 and IPv6 DHCP, PPTP, BFD, IPv4 multicast and IPv6 multicast to the primary FPM. You can view the default configuration of the config loadbalance flow-rule command to see how this is all configured or see Default configuration for traffic that cannot be load balanced.

For example, the following configuration sends all IKE sessions to the primary FPM:

config load-balance flow-rule

edit 1

set status enable

set vlan 0

set ether-type ip

set protocol udp

set src-l4port 500-500

set dst-l4port 500-500

set action forward

set forward-slot master

set priority 5

set comment "ike"

next

edit 2

set status disable

set vlan 0

set ether-type ip

set protocol udp

set src-l4port 4500-4500

set dst-l4port 0-0

set action forward

set forward-slot master

set priority 5

set comment "ike-natt src"

next

edit 3

set status disable

set vlan 0

set ether-type ip

set protocol udp

set src-l4port 0-0

set dst-l4port 4500-4500

set action forward

set forward-slot master

set priority 5

set comment "ike-natt dst"

next

Previous
Next