FortiGate-7000E Handbook

Load balancing fragmented ICMP packets

This section describes how the FortiGate-7000 DP2 processor supports efficient load balancing of fragmented ICMP packets. When the DP2 processor receives a header fragment packet, if a matching session is found, the DP2 processor creates an additional fragment session matching the source-ip, destination-ip, and IP identifier (IPID) of the header fragment packet. Subsequent non-header fragments will match this fragment session and be forwarded to the same FPM as the header fragment.

You can use the following command to enable or disable this method of handling fragmented ICMP packets. The option is enabled by default.

config load-balance setting
    set dp-fragment-session {disable | enable}
end

If you disable dp-fragment-session, the DP2 processor broadcasts all non-header fragmented ICMP packets to all FPMs. FPMs that also received the header fragments of these packets re-assemble the packets correctly. FPMs that did not receive the header fragments discard the non-header fragments.

The age of the fragment session can be controlled using the following command:

config system global
    set dp-fragment-timer <timer>
end

The default <timer> value is 120 seconds.
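
The dispatch behavior described in this section can be modeled as follows. This is an added example, not Fortinet code: the class and function names, FPM labels, and addresses are constructed, the session lookup for the header fragment is taken as given, and the timer is assumed to be a fixed lifetime from session creation.

```python
import socket
import struct

FRAGMENT_TIMER = 120  # seconds: the page's default dp-fragment-timer

def ipv4_frag(src, dst, ipid, offset, more):
    """Constructed 20-byte IPv4 header for an ICMP fragment (checksum left 0)."""
    flags_off = (0x2000 if more else 0) | (offset & 0x1FFF)
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, ipid, flags_off, 64, 1, 0,
                       socket.inet_aton(src), socket.inet_aton(dst))

def parse(pkt):
    """Return (src, dst, ipid, fragment offset, MF flag) from an IPv4 header."""
    _, _, _, ipid, flags_off, _, _, _, src, dst = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    return src, dst, ipid, flags_off & 0x1FFF, bool(flags_off & 0x2000)

class DP2Model:
    """Toy model of the dispatch described above, not Fortinet's implementation."""

    def __init__(self, fpms, fragment_session=True, timer=FRAGMENT_TIMER):
        self.fpms, self.enabled, self.timer = list(fpms), fragment_session, timer
        self.frag_sessions = {}  # (src, dst, ipid) -> (fpm, expiry time)

    def dispatch(self, pkt, now, session_fpm=None):
        """Return the FPMs that receive pkt. session_fpm is the FPM of the
        matching session for a header fragment (the lookup itself is assumed)."""
        src, dst, ipid, offset, more = parse(pkt)
        key = (src, dst, ipid)
        if offset == 0:  # header fragment
            if self.enabled and more and session_fpm is not None:
                self.frag_sessions[key] = (session_fpm, now + self.timer)
            return [session_fpm] if session_fpm is not None else []
        if not self.enabled:  # dp-fragment-session disable: broadcast
            return list(self.fpms)
        fpm, expiry = self.frag_sessions.get(key, (None, 0))
        if fpm is not None and now < expiry:
            return [fpm]
        self.frag_sessions.pop(key, None)  # aged out (assumed fixed lifetime)
        return []  # no fragment session: handling is not described on the page

def demo():
    dp2 = DP2Model(fpms=["FPM3", "FPM4"])  # constructed FPM labels
    head = ipv4_frag("192.0.2.10", "198.51.100.5", 0x1234, 0, True)
    tail = ipv4_frag("192.0.2.10", "198.51.100.5", 0x1234, 185, False)
    first = dp2.dispatch(head, now=0, session_fpm="FPM4")
    return first, dp2.dispatch(tail, now=1), dp2.dispatch(tail, now=121)
```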
