Default configuration for traffic that cannot be load balanced
The default configure load-balance flow-rule command contains the recommended default flow rules that control how the FortiGate-7000E handles traffic types that cannot be load balanced. Each default flow rule identifies its traffic type using the match options available in the command (ether-type, protocol, address and L4 port ranges) and, with the single exception of the VRRP rule (flow rule 20, which forwards to all FPMs with action forward and forward-slot all), directs matching traffic to the primary (or master) FPM (action set to forward and forward-slot set to master). Each default flow rule also includes a comment that identifies the traffic type. Most of the flow rules in the default configuration are enabled and are intended to send common traffic types that cannot be load balanced to the primary FPM. Note that a flow rule only selects which FPM processes the matching traffic; it is not a firewall policy and by itself neither permits nor blocks that traffic.
The default configuration also includes disabled flow rules for Kerberos (flow rules 1 and 2), PPTP (flow rules 9 and 10) and GTP-C (flow rule 17) traffic. Normally, you would only need to enable these flow rules if you know that your FortiGate-7000E will be handling these types of traffic. Keep in mind that these rules match on L4 port only, with no address restriction, and that rules 1 and 9 match on the source port alone, so once enabled any sender can steer its traffic onto the primary FPM simply by using source port 88 or 1723. Also note that the default Kerberos rules match UDP only; if your Kerberos clients use TCP port 88, a matching TCP flow rule would be required as well.
Finally, the default configuration disables the IPsec VPN flow rules because, by default, IPsec VPN load balancing is enabled using the following command (the IPsec flow rules are not among the 20 entries in the listing below; confirm what is present on your own unit with show full-configuration):
config load-balance setting
set ipsec-load-balance enable
end
If you disable IPsec VPN load balancing by setting ipsec-load-balance to disable, the FortiGate-7000E automatically enables the IPsec VPN flow rules and sends all IPsec VPN traffic to the primary FPM.
The CLI syntax below was produced with the show full-configuration command, so every option is shown, including those left at their default values.
config load-balance flow-rule
edit 1
set status disable
set vlan 0
set ether-type ip
set protocol udp
set src-l4port 88-88
set dst-l4port 0-0
set action forward
set forward-slot master
set priority 5
set comment "kerberos src"
next
edit 2
set status disable
set vlan 0
set ether-type ip
set protocol udp
set src-l4port 0-0
set dst-l4port 88-88
set action forward
set forward-slot master
set priority 5
set comment "kerberos dst"
next
edit 3
set status enable
set vlan 0
set ether-type ip
set protocol tcp
set src-l4port 179-179
set dst-l4port 0-0
set tcp-flag any
set action forward
set forward-slot master
set priority 5
set comment "bgp src"
next
edit 4
set status enable
set vlan 0
set ether-type ip
set protocol tcp
set src-l4port 0-0
set dst-l4port 179-179
set tcp-flag any
set action forward
set forward-slot master
set priority 5
set comment "bgp dst"
next
edit 5
set status enable
set vlan 0
set ether-type ip
set protocol udp
set src-l4port 520-520
set dst-l4port 520-520
set action forward
set forward-slot master
set priority 5
set comment "rip"
next
edit 6
set status enable
set vlan 0
set ether-type ipv6
set src-addr-ipv6 ::/0
set dst-addr-ipv6 ::/0
set protocol udp
set src-l4port 521-521
set dst-l4port 521-521
set action forward
set forward-slot master
set priority 5
set comment "ripng"
next
edit 7
set status enable
set vlan 0
set ether-type ipv4
set src-addr-ipv4 0.0.0.0 0.0.0.0
set dst-addr-ipv4 0.0.0.0 0.0.0.0
set protocol udp
set src-l4port 67-67
set dst-l4port 68-68
set action forward
set forward-slot master
set priority 5
set comment "dhcpv4 server to client"
next
edit 8
set status enable
set vlan 0
set ether-type ipv4
set src-addr-ipv4 0.0.0.0 0.0.0.0
set dst-addr-ipv4 0.0.0.0 0.0.0.0
set protocol udp
set src-l4port 68-68
set dst-l4port 67-67
set action forward
set forward-slot master
set priority 5
set comment "dhcpv4 client to server"
next
edit 9
set status disable
set vlan 0
set ether-type ip
set protocol tcp
set src-l4port 1723-1723
set dst-l4port 0-0
set tcp-flag any
set action forward
set forward-slot master
set priority 5
set comment "pptp src"
next
edit 10
set status disable
set vlan 0
set ether-type ip
set protocol tcp
set src-l4port 0-0
set dst-l4port 1723-1723
set tcp-flag any
set action forward
set forward-slot master
set priority 5
set comment "pptp dst"
next
edit 11
set status enable
set vlan 0
set ether-type ip
set protocol udp
set src-l4port 0-0
set dst-l4port 3784-3784
set action forward
set forward-slot master
set priority 5
set comment "bfd control"
next
edit 12
set status enable
set vlan 0
set ether-type ip
set protocol udp
set src-l4port 0-0
set dst-l4port 3785-3785
set action forward
set forward-slot master
set priority 5
set comment "bfd echo"
next
edit 13
set status enable
set vlan 0
set ether-type ipv6
set src-addr-ipv6 ::/0
set dst-addr-ipv6 ::/0
set protocol udp
set src-l4port 547-547
set dst-l4port 546-546
set action forward
set forward-slot master
set priority 5
set comment "dhcpv6 server to client"
next
edit 14
set status enable
set vlan 0
set ether-type ipv6
set src-addr-ipv6 ::/0
set dst-addr-ipv6 ::/0
set protocol udp
set src-l4port 546-546
set dst-l4port 547-547
set action forward
set forward-slot master
set priority 5
set comment "dhcpv6 client to server"
next
edit 15
set status enable
set vlan 0
set ether-type ipv4
set src-addr-ipv4 0.0.0.0 0.0.0.0
set dst-addr-ipv4 224.0.0.0 240.0.0.0
set protocol any
set action forward
set forward-slot master
set priority 5
set comment "ipv4 multicast"
next
edit 16
set status enable
set vlan 0
set ether-type ipv6
set src-addr-ipv6 ::/0
set dst-addr-ipv6 ff00::/8
set protocol any
set action forward
set forward-slot master
set priority 5
set comment "ipv6 multicast"
next
edit 17
set status disable
set vlan 0
set ether-type ipv4
set src-addr-ipv4 0.0.0.0 0.0.0.0
set dst-addr-ipv4 0.0.0.0 0.0.0.0
set protocol udp
set src-l4port 0-0
set dst-l4port 2123-2123
set action forward
set forward-slot master
set priority 5
set comment "gtp-c to master blade"
next
edit 18
set status enable
set vlan 0
set ether-type ip
set protocol tcp
set src-l4port 0-0
set dst-l4port 1000-1000
set tcp-flag any
set action forward
set forward-slot master
set priority 5
set comment "authd http to master blade"
next
edit 19
set status enable
set vlan 0
set ether-type ip
set protocol tcp
set src-l4port 0-0
set dst-l4port 1003-1003
set tcp-flag any
set action forward
set forward-slot master
set priority 5
set comment "authd https to master blade"
next
edit 20
set status enable
set vlan 0
set ether-type ip
set protocol vrrp
set action forward
set forward-slot all
set priority 6
set comment "vrrp to all blades"
next
end