FortiGate-7000 config CLI commands
This chapter describes the following FortiGate-7000 load balancing configuration commands:
config load-balance flow-rule
Use this command to create flow rules that add exceptions to how matched traffic is processed. You can use flow rules to match a type of traffic and control whether the traffic is forwarded or blocked. If the traffic is forwarded, you can also specify whether to forward it to a specific slot or slots. Unlike firewall policies, load-balance flow rules are not stateful, so for bidirectional traffic you may need to define two flow rules to match both traffic directions (forward and reverse).
Syntax
config load-balance flow-rule
edit <id>
set status {disable | enable}
set src-interface <interface-name> [<interface-name>...]
set vlan <vlan-id>
set ether-type {any | arp | ip | ipv4 | ipv6}
set src-addr-ipv4 <ip4-address> <netmask>
set dst-addr-ipv4 <ip4-address> <netmask>
set src-addr-ipv6 <ip6-address> <netmask>
set dst-addr-ipv6 <ip6-address> <netmask>
set protocol {any | icmp | icmpv6 | tcp | udp | igmp | sctp | gre | esp | ah | ospf | pim | vrrp}
set src-l4port <start>[-<end>]
set dst-l4port <start>[-<end>]
set icmptype <type>
set icmpcode <type>
set tcp-flag {any | syn | fin | rst}
set action {forward | mirror-ingress | stats | drop}
set mirror-interface <interface-name>
set forward-slot {master | all | load-balance | <FPM#>}
set priority <number>
set comment <text>
end
status {disable | enable}
Enable or disable this flow rule. New flow rules are disabled by default.
src-interface <interface-name> [<interface-name>...]
Optionally add the names of one or more front panel interfaces accepting the traffic to be subject to the flow rule. If you don't specify a src-interface, the flow rule matches traffic received by any interface.
If you are matching VLAN traffic, select the interface that the VLAN has been added to and use the vlan option to specify the VLAN ID of the VLAN interface.
vlan <vlan-id>
If the traffic matching the rule is VLAN traffic, enter the VLAN ID used by the traffic. You must set src-interface to the interface that the VLAN interface is added to.
ether-type {any | arp | ip | ipv4 | ipv6}
The type of traffic to be matched by the rule. You can match any traffic (the default) or just match ARP, IP, IPv4 or IPv6 traffic.
{src-addr-ipv4 | dst-addr-ipv4} <ip4-address> <netmask>
The IPv4 source and destination address of the IPv4 traffic to be matched. The default of 0.0.0.0 0.0.0.0 matches all IPv4 traffic. Available if ether-type is set to ipv4.
{src-addr-ipv6 | dst-addr-ipv6} <ip6-address> <netmask>
The IPv6 source and destination address of the IPv6 traffic to be matched. The default of ::/0 matches all IPv6 traffic. Available if ether-type is set to ipv6.
protocol {any | icmp | icmpv6 | tcp | udp | igmp | sctp | gre | esp | ah | ospf | pim | vrrp}
If ether-type is set to ip, ipv4, or ipv6, specify the protocol of the IP, IPv4, or IPv6 traffic to match the rule. The default is any.
Option | Protocol number |
---|---|
icmp | 1 |
icmpv6 | 58 |
tcp | 6 |
udp | 17 |
igmp | 2 |
sctp | 132 |
gre | 47 |
esp | 50 |
ah | 51 |
ospf | 89 |
pim | 103 |
vrrp | 112 |
{src-l4port | dst-l4port} <start>[-<end>]
Specify a layer 4 source port range and destination port range. This option appears when protocol is set to tcp or udp. The default range is 0-0, which matches all ports. You don't have to enter a range to match just one port. For example, to set the source port to 80, enter set src-l4port 80.
icmptype <type>
Specify an ICMP type number in the range of 0 to 255. The default is 255. This option appears if protocol is set to icmp. For information about ICMP type numbers, see Internet Control Message Protocol (ICMP) Parameters.
icmpcode <type>
If the ICMP type also includes an ICMP code, you can use this option to add that ICMP code. The range is 0 to 255. The default is 255. This option appears if protocol is set to icmp. For information about ICMP code numbers, see Internet Control Message Protocol (ICMP) Parameters.
tcp-flag {any | syn | fin | rst}
Set the TCP session flag to match. The any setting (the default) matches all TCP sessions. You can add specific flags to only match specific TCP session types.
action {forward | mirror-ingress | stats | drop}
The action to take with matching sessions. They can be dropped, forwarded to another destination, or you can record statistics about the traffic for later analysis. You can combine two or three settings in one command. For example, you can set action to both forward and stats to forward traffic and collect statistics about it. Use append to append additional options.
The default action is forward, which forwards packets to the specified forward-slot.
The mirror-ingress option copies (mirrors) all ingress packets that match this flow rule and sends them to the interface specified with the mirror-interface option.
mirror-interface <interface-name>
The name of the interface to send packets matched by this flow rule to when action is set to mirror-ingress.
forward-slot {master | all | load-balance | <FPM#>}
The slot that you want to forward the traffic that matches this rule to.
Where:
master forwards traffic to the primary FPM.
all forwards the traffic to all FPMs.
load-balance forwards this traffic to the DP processors, which then use the default load balancing configuration to handle this traffic.
<FPM#> forwards the matching traffic to a specific FPM. For example, FPM3 is the FPM in slot 3.
priority <number>
Set the priority of the flow rule in the range 1 (highest priority) to 10 (lowest priority). Higher priority rules are matched first. You can use the priority to control which rule is matched first if you have overlapping rules.
The default priority is 5.
comment <text>
Optionally add a comment that describes the flow rule.
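As an added illustration (not Fortinet code or configuration), the following Python model applies the flow-rule semantics described above to constructed packets. It shows why a stateless rule on dst-l4port 80 steers only the forward direction of an HTTP session and a second rule on src-l4port is needed for the reverse traffic; FlowRule, apply_flow_rules, the priority tie-break by rule id and the sample packets are assumptions of the model.

```python
"""Model of FortiGate-7000 load-balance flow-rule matching (added
illustration, not Fortinet code): priority order (1 is highest), stateless
matching and combinable actions, applied to constructed packets. Option
names follow the CLI; the priority tie-break by id is an assumption."""
from dataclasses import dataclass

@dataclass
class FlowRule:
    id: int
    status: str = "disable"              # new rules are disabled by default
    ether_type: str = "any"
    protocol: str = "any"
    src_l4port: tuple = (0, 0)           # 0-0 matches all ports
    dst_l4port: tuple = (0, 0)
    action: frozenset = frozenset({"forward"})
    forward_slot: str = "load-balance"
    priority: int = 5                    # default priority

    def matches(self, pkt):
        if self.status != "enable":
            return False
        et = pkt["ether_type"]
        if self.ether_type == "ip" and et not in ("ipv4", "ipv6"):
            return False
        if self.ether_type not in ("any", "ip") and et != self.ether_type:
            return False
        if self.protocol != "any" and pkt.get("protocol") != self.protocol:
            return False
        # Port ranges apply to tcp/udp; a single port is a one-element range.
        for rng, key in ((self.src_l4port, "sport"), (self.dst_l4port, "dport")):
            if rng != (0, 0) and not rng[0] <= pkt.get(key, -1) <= rng[1]:
                return False
        return True

def apply_flow_rules(rules, pkt):
    """(actions, slot) from the first matching rule in priority order; traffic
    no rule matches takes the default load-balance path."""
    for rule in sorted(rules, key=lambda r: (r.priority, r.id)):
        if rule.matches(pkt):
            slot = rule.forward_slot if "forward" in rule.action else None
            return rule.action, slot
    return frozenset({"forward"}), "load-balance"

# Constructed example: steer HTTP to the FPM in slot 3 and record statistics.
RULES = [FlowRule(1, "enable", "ipv4", "tcp", dst_l4port=(80, 80),
                  action=frozenset({"forward", "stats"}), forward_slot="FPM3",
                  priority=3)]
FORWARD = {"ether_type": "ipv4", "protocol": "tcp", "sport": 51000, "dport": 80}
REVERSE = {"ether_type": "ipv4", "protocol": "tcp", "sport": 80, "dport": 51000}
```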
config load-balance setting
Use this command to set a wide range of load balancing settings.
config load-balance setting
set slbc-mgmt-intf mgmt
set max-miss-heartbeats <heartbeats>
set max-miss-mgmt-heartbeats <heartbeats>
set weighted-load-balance {disable | enable}
set ipsec-load-balance {disable | enable}
set gtp-load-balance {disable | enable}
set dp-keep-assist-sessions {disable | enable}
set dp-load-distribution-method {to-master | src-ip | dst-ip | src-dst-ip | src-ip-sport | dst-ip-dport | src-dst-ip-sport-dport}
set dp-icmp-distribution-method {to-master | src-ip | dst-ip | src-dst-ip | derived}
set dp-session-table-type {vdom-based | intf-vlan-based}
set dp-fragment-session {disable | enable}
config workers
edit 3
set status {disable | enable}
set weight <weight>
end
end
slbc-mgmt-intf mgmt
Selects the interface used for management connections. For the FortiGate-7000, this option is always set to mgmt and cannot be changed. The IP address of this interface becomes the IP address used to enable management access to individual FIMs or FPMs using special administration ports as described in Special management port numbers. To manage individual FIMs or FPMs, this interface must be connected to a network.
To enable using the special management port numbers to connect to individual FIMs and FPMs, the mgmt interface must be connected to a network, have a valid IP address, and have management or administrative access enabled. To block access to the special management port numbers, disconnect the mgmt interface from a network, configure the mgmt interface with an invalid IP address, or disable management or administrative access for the mgmt interface.
max-miss-heartbeats <heartbeats>
Set the number of missed heartbeats before an FPM is considered to have failed. If a failure occurs, the DP2 processor will no longer load balance sessions to the FPM.
The time between heartbeats is 0.2 seconds. Range is 3 to 300. A value of 3 means 0.6 seconds, 20 (the default) means 4 seconds, and 300 means 60 seconds.
max-miss-mgmt-heartbeats <heartbeats>
Set the number of missed management heartbeats before an FPM is considered to have failed. If a failure occurs, the DP2 processor will no longer load balance sessions to the FPM.
The time between management heartbeats is 1 second. Range is 3 to 300 heartbeats. The default is 10 heartbeats.
weighted-load-balance {disable | enable}
Enable weighted load balancing depending on the slot (or worker) weight. Use config workers to set the weight for each slot or worker.
ipsec-load-balance {disable | enable}
Enable or disable IPsec VPN load balancing.
By default IPsec VPN load balancing is enabled and the flow rules listed below are disabled. The FortiGate-7000 directs IPsec VPN sessions to the DP2 processors which load balance them among the FPMs.
Default IPsec VPN flow-rules
edit 21
set status disable
set ether-type ipv4
set protocol udp
set dst-l4port 500-500
set action forward
set forward-slot master
set comment "ipv4 ike"
next
edit 22
set status disable
set ether-type ipv4
set protocol udp
set dst-l4port 4500-4500
set action forward
set forward-slot master
set comment "ipv4 ike-natt dst"
next
edit 23
set status disable
set ether-type ipv4
set protocol esp
set action forward
set forward-slot master
set comment "ipv4 esp"
next
If IPsec VPN load balancing is enabled, the FortiGate-7000 will drop IPsec VPN sessions traveling between two IPsec tunnels because the two IPsec tunnels may be terminated on different FPMs. If you have traffic entering the FortiGate-7000 from one IPsec VPN tunnel and leaving the FortiGate-7000 out another IPsec VPN tunnel you need to disable IPsec load balancing. Disabling IPsec VPN load balancing enables the default IPsec VPN flow-rules.
gtp-load-balance {disable | enable}
Enable GTP-U load balancing. If GTP-U load balancing is enabled, Tunnel Endpoint Identifiers (TEIDs) are used to identify GTP-U sessions.
dp-keep-assist-sessions {disable | enable}
This option is visible on the CLI but cannot be changed.
dp-load-distribution-method {to-master | round-robin | src-ip | dst-ip | src-dst-ip | src-ip-sport | dst-ip-dport | src-dst-ip-sport-dport}
Set the method used to load balance sessions among FPMs. Usually you would only need to change the load balancing method if you had specific requirements or you found that the default method wasn't distributing sessions in the manner that you would prefer. The default is src-dst-ip-sport-dport, which means sessions are identified by their source address and port and destination address and port.
to-master directs all sessions to the primary FPM. This method is for troubleshooting only and should not be used for normal operation. Directing all sessions to the primary FPM will have a negative impact on performance.
src-ip distributes sessions across all FPMs according to their source IP address.
dst-ip statically distributes sessions across all FPMs according to their destination IP address.
src-dst-ip distributes sessions across all FPMs according to their source and destination IP addresses.
src-ip-sport distributes sessions across all FPMs according to their source IP address and source port.
dst-ip-dport distributes sessions across all FPMs according to their destination IP address and destination port.
src-dst-ip-sport-dport distributes sessions across all FPMs according to their source and destination IP address, source port, and destination port. This is the default load balance algorithm and represents true session-aware load balancing. Session-aware load balancing takes all session information into account when deciding where to send new sessions and where to send additional packets that are part of an already established session.
The src-ip and dst-ip load balancing methods use layer 3 information (IP addresses) to identify and load balance sessions. All of the other load balancing methods (except for to-master) use both layer 3 and layer 4 information (IP addresses and port numbers) to identify TCP and UDP sessions. The layer 3 and layer 4 load balancing methods only use layer 3 information for other types of traffic (SCTP, ICMP, and ESP). If GTP load balancing is enabled, Tunnel Endpoint Identifiers (TEIDs) are used to identify GTP sessions.
dp-icmp-distribution-method {to-master | src-ip | dst-ip | src-dst-ip | derived}
Set the method used to load balance ICMP sessions among FPMs. Usually you would only need to change the load balancing method if you had specific requirements or you found that the default method wasn't distributing sessions in the manner that you would prefer. The default is to-master, which means all ICMP sessions are sent to the primary (master) FPM.
to-master directs all ICMP sessions to the primary FPM.
src-ip distributes ICMP sessions across all FPMs according to their source IP address.
dst-ip statically distributes ICMP sessions across all FPMs according to their destination IP address.
src-dst-ip distributes ICMP sessions across all FPMs according to their source and destination IP addresses.
derived load balances ICMP sessions using the dp-load-distribution-method setting. Since port-based ICMP load balancing is not possible, if dp-load-distribution-method is set to a load balancing method that includes ports, ICMP load balancing will use the equivalent load balancing method that does not include ports. For example, if dp-load-distribution-method is set to src-dst-ip-sport-dport (the default), then ICMP load balancing will use src-dst-ip load balancing.
dp-session-table-type {vdom-based | intf-vlan-based}
dp-session-table-type will be supported in a future version. For FortiOS 6.0.4, dp-session-table-type must be set to intf-vlan-based (the default value).
dp-fragment-session {disable | enable}
Enable or disable load balancing of fragmented ICMP packets. The option is enabled by default.
When enabled, if the DP2 processor receives a head fragment packet and finds a matching session, it creates an additional fragment session matching the source IP, destination IP, and IP identifier of the head fragment packet. Subsequent non-head fragments match this fragment session and are forwarded to the same FPM as the head fragment.
When disabled, the DP2 processor broadcasts all non-head fragmented ICMP packets to all FPMs. FPMs that also received the head fragments of these packets combine the non-head fragments with the head fragment to reassemble the packets. FPMs that did not receive the head fragments discard the non-head fragments.
The age of the fragment session can be controlled using the following command:
config system global
set dp-fragment-timer <timer>
end
The default <timer> value is 120 seconds.
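The following added example (not Fortinet code) models in Python how the session key chosen by dp-load-distribution-method and dp-icmp-distribution-method, and the fragment session created by dp-fragment-session, decide which FPM receives a packet. The function names, the CRC32 hash, the rule that the first FPM in the list is the primary, and the sample traffic are constructed for the illustration and not documented behaviour.

```python
"""Model of how the DP2 processor picks an FPM (added illustration, not Fortinet
code): session key per dp-load-distribution-method, the ICMP "derived" rule, and
the fragment session created from a head fragment. The CRC32 hash and "fpms[0]
is the primary" are this model's assumptions."""
import zlib

# Port-based methods and the layer-3 method used instead when the packet
# carries no ports (ICMP, SCTP, ESP) or dp-icmp-distribution-method is derived.
L3_EQUIVALENT = {"src-ip-sport": "src-ip", "dst-ip-dport": "dst-ip",
                 "src-dst-ip-sport-dport": "src-dst-ip"}

def session_key(pkt, lb_method, icmp_method="to-master"):
    """Header fields that identify pkt's session under the configured methods."""
    method = lb_method
    if pkt["protocol"] == "icmp":
        method = lb_method if icmp_method == "derived" else icmp_method
    if pkt["protocol"] not in ("tcp", "udp"):       # only TCP/UDP carry ports
        method = L3_EQUIVALENT.get(method, method)
    if method == "to-master":
        return ("to-master",)
    parts = method.split("-")                        # e.g. src-dst-ip-sport-dport
    return tuple(pkt[f] for f in ("src", "dst", "sport", "dport") if f in parts)

def pick_fpm(key, fpms):
    """Map a session key to one enabled FPM; the same key always maps the same."""
    if key == ("to-master",):
        return fpms[0]
    return fpms[zlib.crc32(repr(key).encode()) % len(fpms)]

def forward(pkt, fpms, lb_method, icmp_method="to-master",
            fragment_session=True, frag_table=None):
    """Return the FPMs that receive pkt. frag_table is the fragment session
    table keyed (src, dst, IP id); pass the same dict for all fragments."""
    frag_table = {} if frag_table is None else frag_table
    frag_key = (pkt["src"], pkt["dst"], pkt.get("ip_id"))
    if pkt.get("fragment") == "non-head":
        if fragment_session and frag_key in frag_table:
            return [frag_table[frag_key]]            # same FPM as the head
        return list(fpms)      # broadcast; FPMs without the head discard it
    fpm = pick_fpm(session_key(pkt, lb_method, icmp_method), fpms)
    if fragment_session and pkt.get("fragment") == "head":
        frag_table[frag_key] = fpm   # page documents this for ICMP; modelled for all
    return [fpm]

# Constructed sample traffic: three enabled FPMs, a TCP flow and a fragmented ping.
FPMS = ["FPM3", "FPM4", "FPM5"]
TCP = {"protocol": "tcp", "src": "10.0.0.1", "dst": "203.0.113.5",
       "sport": 40000, "dport": 443}
PING_HEAD = {"protocol": "icmp", "src": "10.0.0.1", "dst": "203.0.113.5",
             "ip_id": 7, "fragment": "head"}
PING_TAIL = {**PING_HEAD, "fragment": "non-head"}
```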
config workers
Set the weight and enable or disable each worker (FPM). Use the edit command to specify the slot the FPM is installed in. You can enable or disable each FPM and set a weight for each FPM.
The weight range is 1 to 10. 5 is average (and the default), 1 is -80% of average and 10 is +100% of average. The weights take effect if weighted-load-balance is enabled.
config workers
edit 3
set status enable
set weight 5
end