Fortinet Document Library

Version:

Version:

Version:

Version:

Version:


Table of Contents

FortiGate-7000 Release Notes

IPv6 ECMP support

FortiOS 6.2.4 for FortiGate-6000 and 7000 now includes support for most FortiOS IPv6 ECMP functionality.

Before setting up IPv4 or IPv6 ECMP you need to use the following command to configure the DP processor to operate with VDOM-based session tables:

config load-balance setting

set dp-session-table-type vdom-based

end

Once you have enabled VDOM-based session tables, you can enable and configure IPv4 and IPv6 ECMP as you would for any FortiGate.

VDOM-based session tables

In an ECMP configuration, because of load balancing, return traffic could enter through a different interface than the one it exited from. If this happens, the DP processor operating with default interface-based session tables may not be able to send the return traffic to the FPC or FPM that processed the incoming session, causing the return traffic to be dropped. Operating with VDOM-based session tables solves this problem, allowing traffic received on a different interface to be properly identified and sent to the correct FPC or FPM.

Enabling VDOM session tables can reduce connections per second (CPS) performance so it should only be enabled if needed to support ECMP. This performance reduction can be more noticeable if the FortiGate-6000 or 7000 is processing many firewall only sessions. If the FortiGate-6000 or 7000 is performing content inspection where CPS performance is less important, the performance reduction resulting from enabling VDOM-based session tables may be less noticeable.

IPv4 and IPv6 ECMP load balancing

You can use the following command to configure the IPv4 ECMP load balancing method for a VDOM:

config system settings

set v4-ecmp-mode {source-ip-based | weight-based | source-dest-ip-based | usage-based}

end

With VDOM-based session tables enabled, the FortiGate-6000 and 7000 support all ECMP load balancing methods except usage-based. If you select usage-based, all IP v4 traffic uses the first IPv4 ECMP route instead of being load balanced among all IPv4 ECMP routes. All other IPv4 ECMP load balancing methods are supported.

See this link for information about how to support IPv6 ECMP load balancing: Technical Tip: ECMP – Load balancing algorithms for IPv4 and IPv6.

Enabling auxiliary session support

When ECMP is enabled, TCP traffic for the same session can exit and enter the FortiGate on different interfaces. To allow this traffic to pass through, FortiOS creates auxiliary sessions. Allowing the creation of auxiliary sessions is handed by the following command:

config system settings

set auxiliary-sessions {disable | enable}

end

By default, for FortiOS 6.2.4 the auxiliary-session option is disabled. This can block some TCP traffic when ECMP is enabled. If this occurs, enabling auxiliary-session may solve the problem. For more information, see Technical Tip: Enabling auxiliary session with ECMP or SD-WAN.

IPv6 ECMP support

FortiOS 6.2.4 for FortiGate-6000 and 7000 now includes support for most FortiOS IPv6 ECMP functionality.

Before setting up IPv4 or IPv6 ECMP you need to use the following command to configure the DP processor to operate with VDOM-based session tables:

config load-balance setting

set dp-session-table-type vdom-based

end

Once you have enabled VDOM-based session tables, you can enable and configure IPv4 and IPv6 ECMP as you would for any FortiGate.

VDOM-based session tables

In an ECMP configuration, because of load balancing, return traffic could enter through a different interface than the one it exited from. If this happens, the DP processor operating with default interface-based session tables may not be able to send the return traffic to the FPC or FPM that processed the incoming session, causing the return traffic to be dropped. Operating with VDOM-based session tables solves this problem, allowing traffic received on a different interface to be properly identified and sent to the correct FPC or FPM.

Enabling VDOM session tables can reduce connections per second (CPS) performance so it should only be enabled if needed to support ECMP. This performance reduction can be more noticeable if the FortiGate-6000 or 7000 is processing many firewall only sessions. If the FortiGate-6000 or 7000 is performing content inspection where CPS performance is less important, the performance reduction resulting from enabling VDOM-based session tables may be less noticeable.

IPv4 and IPv6 ECMP load balancing

You can use the following command to configure the IPv4 ECMP load balancing method for a VDOM:

config system settings

set v4-ecmp-mode {source-ip-based | weight-based | source-dest-ip-based | usage-based}

end

With VDOM-based session tables enabled, the FortiGate-6000 and 7000 support all ECMP load balancing methods except usage-based. If you select usage-based, all IP v4 traffic uses the first IPv4 ECMP route instead of being load balanced among all IPv4 ECMP routes. All other IPv4 ECMP load balancing methods are supported.

See this link for information about how to support IPv6 ECMP load balancing: Technical Tip: ECMP – Load balancing algorithms for IPv4 and IPv6.

Enabling auxiliary session support

When ECMP is enabled, TCP traffic for the same session can exit and enter the FortiGate on different interfaces. To allow this traffic to pass through, FortiOS creates auxiliary sessions. Allowing the creation of auxiliary sessions is handed by the following command:

config system settings

set auxiliary-sessions {disable | enable}

end

By default, for FortiOS 6.2.4 the auxiliary-session option is disabled. This can block some TCP traffic when ECMP is enabled. If this occurs, enabling auxiliary-session may solve the problem. For more information, see Technical Tip: Enabling auxiliary session with ECMP or SD-WAN.