
FortiGate-7000 Release Notes

ECMP support


FortiOS 6.2.3 for FortiGate-6000 and 7000 now includes support for most FortiOS IPv4 ECMP functionality. (IPv6 ECMP is not supported.) Before setting up an ECMP configuration you need to use the following command to configure the DP processor to operate with VDOM-based session tables:

config load-balance setting
    set dp-session-table-type vdom-based
end

Once you have enabled VDOM-based session tables, you can enable and configure ECMP as you would for any FortiGate.

VDOM-based session tables

In an ECMP configuration, load balancing means that return traffic could enter through a different interface than the one it exited from. If this happens, the DP processor operating with default interface-based session tables may not be able to send the return traffic to the FPC or FPM that processed the incoming session, causing the return traffic to be dropped. Operating with VDOM-based session tables solves this problem, allowing traffic received on a different interface to be properly identified and sent to the correct FPC or FPM.

Enabling VDOM-based session tables can reduce connections per second (CPS) performance, so enable them only if needed to support ECMP. This performance reduction can be more noticeable if the FortiGate-6000 or 7000 is processing many firewall-only sessions. If the FortiGate-6000 or 7000 is performing content inspection, where CPS performance is less important, the performance reduction resulting from enabling VDOM-based session tables may be less noticeable.

Supported ECMP load balancing methods

You can use the following command to configure the ECMP load balancing method for a VDOM:

config system settings
    set v4-ecmp-mode {source-ip-based | weight-based | source-dest-ip-based | usage-based}
end

With VDOM-based session tables enabled, the FortiGate-6000 and 7000 support all ECMP load balancing methods except usage-based. If you select usage-based, all traffic uses the first ECMP route instead of being load balanced among all ECMP routes. All other ECMP load balancing methods are supported.

Enabling auxiliary session support

When ECMP is enabled, TCP traffic for the same session can exit and enter the FortiGate on different interfaces. To allow this traffic to pass through, FortiOS creates auxiliary sessions. The creation of auxiliary sessions is controlled by the following command:

config system settings
    set auxiliary-session {disable | enable}
end

By default, for FortiOS 6.2.3 the auxiliary-session option is disabled. This can block some TCP traffic when ECMP is enabled. If this occurs, enabling auxiliary-session may solve the problem. For more information, see Technical Tip: Enabling auxiliary session with ECMP or SD-WAN.
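
The following is an added example, not Fortinet code: a Python check that reads a configuration backup and flags the three settings this page ties to ECMP. Both sample configurations are constructed, and a single-VDOM export is assumed.

```python
# Constructed sample configs (not from a real device); single-VDOM export assumed.
WEAK = """\
config system settings
    set v4-ecmp-mode usage-based
end
"""
GOOD = """\
config load-balance setting
    set dp-session-table-type vdom-based
end
config system settings
    set v4-ecmp-mode source-dest-ip-based
    set auxiliary-session enable
end
"""

def parse_settings(text):
    """Collect 'set' lines per 'config <name>' block, tracking nesting with a stack."""
    stack, settings = [], {}
    for raw in text.splitlines():
        words = raw.split()
        if not words:
            continue
        if words[0] == "config":
            stack.append(" ".join(words[1:]))
        elif words[0] == "end" and stack:
            stack.pop()
        elif words[0] == "set" and stack and len(words) >= 3:
            value = " ".join(words[2:]).strip('"')
            settings.setdefault(stack[-1], {})[words[1]] = value
    return settings

def audit_ecmp(text):
    """Return findings for the ECMP prerequisites described in these release notes."""
    cfg = parse_settings(text)
    lb = cfg.get("load-balance setting", {})
    vdom = cfg.get("system settings", {})
    findings = []
    if lb.get("dp-session-table-type") != "vdom-based":
        findings.append("dp-session-table-type is not vdom-based: return traffic "
                        "arriving on a different interface may be dropped")
    if vdom.get("v4-ecmp-mode") == "usage-based":
        findings.append("v4-ecmp-mode is usage-based: all traffic uses the first ECMP route")
    # An absent option is treated as the 6.2.3 default (disable).
    if vdom.get("auxiliary-session", "disable") != "enable":
        findings.append("auxiliary-session is disabled: some TCP traffic may be blocked")
    return findings

if __name__ == "__main__":
    for name, cfg in (("WEAK", WEAK), ("GOOD", GOOD)):
        print(name, audit_ecmp(cfg) or "no findings")
```

The auxiliary-session finding is advisory, since the option only needs enabling if TCP traffic is actually being blocked.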
