Fortinet Document Library


FortiGate-7000 Handbook


Flow rules for sessions that cannot be load balanced

Some traffic types cannot be load balanced across the FPMs. Sessions for those traffic types should normally be sent to the primary (or master) FPM by configuring flow rules that match the traffic. You can also configure flow rules to send traffic that cannot be load balanced to a specific FPM.

Create flow rules using the config load-balance flow-rule command. The default configuration uses this command to send Kerberos, BGP, RIP, IPv4 and IPv6 DHCP, PPTP, BFD, IPv4 and IPv6 multicast, GTP, and HTTP and HTTPS authd sessions to the primary FPM. The default configuration also sends VRRP traffic to all FPMs. View the default configuration of the config load-balance flow-rule command to see how these rules are defined, or see Default configuration for traffic that cannot be load balanced.

For example, the following two flow rules send BGP sessions to the primary FPM. A flow rule matches packets in one direction, so two rules are needed to keep both directions of a BGP session on the same FPM: rule 3 matches TCP packets with source port 179 and rule 4 matches TCP packets with destination port 179. A port range of 0-0 matches any port, and forward-slot master selects the primary FPM:

config load-balance flow-rule
    edit 3
        set status enable
        set vlan 0
        set ether-type ip
        set protocol tcp
        set src-l4port 179-179
        set dst-l4port 0-0
        set tcp-flag any
        set action forward
        set forward-slot master
        set priority 5
        set comment "bgp src"
    next
    edit 4
        set status enable
        set vlan 0
        set ether-type ip
        set protocol tcp
        set src-l4port 0-0
        set dst-l4port 179-179
        set tcp-flag any
        set action forward
        set forward-slot master
        set priority 5
        set comment "bgp dst"
end
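The two-rule pattern above (one rule per direction) is easy to get wrong when you add flow rules for further traffic types, and a rule that pins only one direction quietly lets the replies be load balanced to a different FPM. The following Python script is an added example, not code from the Fortinet handbook or from FortiOS: it generates the paired src/dst rules for a given protocol and port, parses configuration in the syntax shown above (entries closed by next or, as in the example, directly by end), and flags enabled port-based rules that have no mirror rule forwarding to the same slot. The helper names (FlowRule, bidirectional_rules, render_config, parse_flow_rules, missing_reverse_rules) are hypothetical, the reading of 0-0 as "any port" and of tcp-flag as a TCP-only setting follows the page's example, and SAMPLE_CONFIG is constructed from the page's BGP rules plus a deliberately one-directional Kerberos rule.

```python
"""Generate and audit FortiGate-7000 'config load-balance flow-rule' entries.

Added example, not Fortinet's code. It assumes the flow-rule syntax shown on the
page and that the port range '0-0' means 'any port'. Helper names are
hypothetical; SAMPLE_CONFIG is constructed from the page's BGP rules plus a
deliberately one-directional rule.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class FlowRule:
    rule_id: int
    protocol: str       # tcp or udp
    src_port: str       # "179-179", or "0-0" for any port
    dst_port: str
    forward_slot: str   # master, all, or a specific FPM slot
    priority: int
    comment: str
    status: str = "enable"

    def to_cli(self) -> str:
        # tcp-flag is emitted for TCP rules only (assumption: the page shows it on TCP rules).
        flag = "        set tcp-flag any\n" if self.protocol == "tcp" else ""
        return (f"    edit {self.rule_id}\n"
                f"        set status {self.status}\n"
                "        set vlan 0\n"
                "        set ether-type ip\n"
                f"        set protocol {self.protocol}\n"
                f"        set src-l4port {self.src_port}\n"
                f"        set dst-l4port {self.dst_port}\n"
                f"{flag}"
                "        set action forward\n"
                f"        set forward-slot {self.forward_slot}\n"
                f"        set priority {self.priority}\n"
                f'        set comment "{self.comment}"\n'
                "    next")


def bidirectional_rules(name, protocol, port, slot="master", first_id=1, priority=5):
    """Two rules that pin BOTH directions of a port-based session to one slot:
    packets sourced from the port and packets destined to it. A single rule
    would let the two directions of one session land on different FPMs."""
    p = f"{port}-{port}"
    return [FlowRule(first_id, protocol, p, "0-0", slot, priority, f"{name} src"),
            FlowRule(first_id + 1, protocol, "0-0", p, slot, priority, f"{name} dst")]


def render_config(rules):
    return "config load-balance flow-rule\n" + "\n".join(r.to_cli() for r in rules) + "\nend"


_EDIT = re.compile(r"^\s*edit (\d+)\s*$")
_SET = re.compile(r"^\s*set (\S+) (.+?)\s*$")


def parse_flow_rules(cli_text):
    """Parse 'show load-balance flow-rule' style text into FlowRule objects.
    An entry is closed by 'next' or, as in the page's example, directly by 'end'."""
    rules, cur = [], None
    for line in cli_text.splitlines():
        if (m := _EDIT.match(line)):
            cur = {"rule_id": int(m.group(1))}
        elif line.strip() in ("next", "end") and cur is not None:
            rules.append(FlowRule(
                rule_id=cur["rule_id"],
                protocol=cur.get("protocol", "any"),
                src_port=cur.get("src-l4port", "0-0"),
                dst_port=cur.get("dst-l4port", "0-0"),
                forward_slot=cur.get("forward-slot", "master"),
                priority=int(cur.get("priority", 0)),
                comment=cur.get("comment", "").strip('"'),
                status=cur.get("status", "enable")))
            cur = None
        elif cur is not None and (m := _SET.match(line)):
            cur[m.group(1)] = m.group(2)
    return rules


def missing_reverse_rules(rules):
    """Enabled port-based rules with no mirror rule (ports swapped) forwarding to
    the same slot. Each hit is a session whose two directions could be handled by
    different FPMs."""
    enabled = [r for r in rules if r.status == "enable"]
    keys = {(r.protocol, r.src_port, r.dst_port, r.forward_slot) for r in enabled}
    return [r for r in enabled
            if (r.src_port, r.dst_port) != ("0-0", "0-0")
            and (r.protocol, r.dst_port, r.src_port, r.forward_slot) not in keys]


# Constructed sample: the page's two BGP rules plus a one-way Kerberos rule (edit 9)
# that only matches packets sent TO port 88, so the replies are not pinned.
SAMPLE_CONFIG = render_config(
    bidirectional_rules("bgp", "tcp", 179, "master", first_id=3)
    + [FlowRule(9, "tcp", "0-0", "88-88", "master", 5, "kerberos dst only")])

if __name__ == "__main__":
    for r in missing_reverse_rules(parse_flow_rules(SAMPLE_CONFIG)):
        print(f"rule {r.rule_id} ({r.comment}): no reverse rule for {r.protocol} "
              f"port {r.dst_port} -> {r.src_port} on slot {r.forward_slot}")
```

To audit a live unit, paste the output of show load-balance flow-rule into parse_flow_rules and review whatever missing_reverse_rules returns; to add a new traffic type, let bidirectional_rules produce both entries so the forward and return directions always share a slot. The check deliberately skips rules that specify no ports at all, since protocol-only rules (for example multicast or GTP matched by protocol) already cover both directions.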
