
FortiGate-7000E Handbook

FortiGate-7000E config CLI commands

This chapter describes the following FortiGate-7000E load balancing configuration commands:

config load-balance flow-rule

Use this command to create flow rules that add exceptions to how matched traffic is processed. A flow rule matches a type of traffic and controls whether that traffic is forwarded or dropped and, if it is forwarded, whether it goes to a specific slot or slots instead of being load balanced. Unlike firewall policies, flow rules are not stateful: a rule matches packets, not sessions, so for bi-directional traffic you usually need two flow rules, one for each direction (forward and reverse).

Syntax

config load-balance flow-rule

edit <id>

set status {disable | enable}

set src-interface <interface-name> [<interface-name>...]

set vlan <vlan-id>

set ether-type {any | arp | ip | ipv4 | ipv6}

set src-addr-ipv4 <ip4-address> <netmask>

set dst-addr-ipv4 <ip4-address> <netmask>

set src-addr-ipv6 <ip6-address> <netmask>

set dst-addr-ipv6 <ip6-address> <netmask>

set protocol {<protocol-number> | any | icmp | icmpv6 | tcp | udp | igmp | sctp | gre | esp | ah | ospf | pim | vrrp}

set src-l4port <start>[-<end>]

set dst-l4port <start>[-<end>]

set icmptype <type>

set icmpcode <code>

set tcp-flag {any | syn | fin | rst}

set action {forward | mirror-ingress | stats | drop}

set mirror-interface <interface-name>

set forward-slot {master | all | load-balance | <FPM#>}

set priority <number>

set comment <text>

end

status {disable | enable}

Enable or disable this flow rule. New flow rules are disabled by default.

src-interface <interface-name> [<interface-name>...]

Optionally add the names of one or more front panel interfaces accepting the traffic to be subject to the flow rule. If you don't specify a src-interface, the flow rule matches traffic received by any interface.

If you are matching VLAN traffic, select the interface that the VLAN has been added to and use the vlan option to specify the VLAN ID of the VLAN interface.

vlan <vlan-id>

If the traffic matching the rule is VLAN traffic, enter the VLAN ID used by the traffic. You must set src-interface to the interface that the VLAN interface is added to.

ether-type {any | arp | ip | ipv4 | ipv6}

The type of traffic to be matched by the rule. You can match any traffic (the default) or just match ARP, IP, IPv4 or IPv6 traffic.

{src-addr-ipv4 | dst-addr-ipv4} <ipv4-address> <netmask>

The IPv4 source and destination address of the IPv4 traffic to be matched. The default of 0.0.0.0 0.0.0.0 matches all IPv4 traffic. Available if ether-type is set to ipv4.

{src-addr-ipv6 | dst-addr-ipv6} <ipv6-address> <netmask>

The IPv6 source and destination address of the IPv6 traffic to be matched. The default of ::/0 matches all IPv6 traffic. Available if ether-type is set to ipv6.

protocol {<protocol-number> | any | icmp | icmpv6 | tcp | udp | igmp | sctp | gre | esp | ah | ospf | pim | vrrp}

If ether-type is set to ip, ipv4, or ipv6, specify the protocol of the IP, IPv4, or IPv6 traffic to match the rule. The default is any. You can specify any protocol number or you can use the following keywords to select common protocols.

Option    Protocol number
icmp      1
icmpv6    58
tcp       6
udp       17
igmp      2
sctp      132
gre       47
esp       50
ah        51
ospf      89
pim       103
vrrp      112

{src-l4port | dst-l4port} <start>[-<end>]

Specify a layer 4 source port range and destination port range. This option appears when protocol is set to tcp or udp. The default range is 0-0, which matches all ports. You don't have to enter a range to match just one port. For example, to set the source port to 80, enter set src-l4port 80.

icmptype <type>

Specify an ICMP type number in the range of 0 to 255. The default is 255. This option appears if protocol is set to icmp. For information about ICMP type numbers, see Internet Control Message Protocol (ICMP) Parameters.

icmpcode <code>

If the ICMP type also includes an ICMP code, you can use this option to add that ICMP code. The range is 0 to 255. The default is 255. This option appears if protocol is set to icmp. For information about ICMP code numbers, see Internet Control Message Protocol (ICMP) Parameters.

tcp-flag {any | syn | fin | rst}

Set the TCP session flag to match. The any setting (the default) matches all TCP sessions. You can add specific flags to only match specific TCP session types.

action {forward | mirror-ingress | stats | drop}

The action to take with matching packets. Matching traffic can be dropped, forwarded to the slot selected by forward-slot, mirrored to another interface, or counted so that statistics about it can be reviewed later. You can combine options in one command. For example, set action forward stats forwards the traffic and also collects statistics about it. Use the append command (append action <option>) to add an option to an existing action setting without re-entering the others.

The default action is forward, which forwards packets to the specified forward-slot.

The mirror-ingress option copies (mirrors) all ingress packets that match this flow rule and sends them to the interface specified with the mirror-interface option.

mirror-interface <interface-name>

The name of the interface to send packets matched by this flow-rule to when action is set to mirror-ingress.

forward-slot {master | all | load-balance | <FPM#>}

The FPM slot or slots to forward traffic matching this rule to. This setting applies when action includes forward.

Where:

master forwards traffic to the primary FPM.

all means forward the traffic to all FPMs.

load-balance means forward this traffic to the DP processors that then use the default load balancing configuration to handle this traffic.

<FPM#> forward the matching traffic to a specific FPM. For example, FPM3 is the FPM in slot 3.

priority <number>

Set the priority of the flow rule in the range 1 (lowest priority) to 10 (highest priority). Higher priority rules are matched first. You can use the priority to control which rule is matched first if you have overlapping rules.

The default priority is 5.

comment <text>

Optionally add a comment that describes the flow rule.
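
The following is an added configuration example, not taken from the handbook, that puts the options above together. It assumes a voice VLAN (ID 100) on port5, a server-side interface port6, a capture port port20, the address ranges 10.20.0.0/16 and 172.16.5.10, and an FPM installed in slot 3; all of these are assumptions chosen for illustration. Because flow rules are not stateful, the SIP signalling traffic is pinned to FPM3 with one rule per direction, both at priority 8 so they win over any overlapping default-priority rule. The third rule mirrors ICMP echo requests from the VLAN to the capture port while still forwarding them through normal load balancing.

```fortios
config load-balance flow-rule
    edit 10
        set status enable
        set comment "SIP signalling to the SIP server, forward direction, pinned to FPM3"
        set src-interface port5
        set vlan 100
        set ether-type ipv4
        set src-addr-ipv4 10.20.0.0 255.255.0.0
        set dst-addr-ipv4 172.16.5.10 255.255.255.255
        set protocol tcp
        set dst-l4port 5060
        set action forward stats
        set forward-slot FPM3
        set priority 8
    next
    edit 11
        set status enable
        set comment "SIP signalling, reverse direction (flow rules are not stateful)"
        set src-interface port6
        set ether-type ipv4
        set src-addr-ipv4 172.16.5.10 255.255.255.255
        set dst-addr-ipv4 10.20.0.0 255.255.0.0
        set protocol tcp
        set src-l4port 5060
        set action forward stats
        set forward-slot FPM3
        set priority 8
    next
    edit 12
        set status enable
        set comment "Mirror ICMP echo requests from VLAN 100 to the capture port, keep forwarding them"
        set src-interface port5
        set vlan 100
        set ether-type ipv4
        set protocol icmp
        set icmptype 8
        set icmpcode 0
        set action forward mirror-ingress
        set mirror-interface port20
        set forward-slot load-balance
        set priority 6
    next
end
```

Two points to check after entering rules like these: each rule must be explicitly enabled, since new flow rules are disabled by default, and the reverse rule must swap not only the addresses but also the port match (dst-l4port in one direction becomes src-l4port in the other), otherwise the return traffic falls through to the default load balancing and lands on a different FPM.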

config load-balance setting

Use this command to set a wide range of load balancing settings.

config load-balance setting

set slbc-mgmt-intf {mgmt1 | mgmt2 | mgmt3}

set max-miss-heartbeats <heartbeats>

set max-miss-mgmt-heartbeats <heartbeats>

set weighted-load-balance {disable | enable}

set gtp-load-balance {disable | enable}

set dp-fragment-session {disable | enable}

set dp-load-distribution-method {to-master | src-ip | dst-ip | src-dst-ip | src-ip-sport | dst-ip-dport | src-dst-ip-sport-dport}

set sw-load-distribution-method {src-dst-ip | src-dst-ip-sport-dport}

set dp-icmp-distribution-method {to-master | src-ip | dst-ip | src-dst-ip | derived}

set dp-session-table-type {intf-vlan-based | vdom-based}

config workers

edit <slot>

set status {disable | enable}

set weight <weight>

end

slbc-mgmt-intf mgmt

Selects the interface used for management connections. For the FortiGate-7000E, this option is always set to mgmt and cannot be changed. The IP address of this interface becomes the IP address used to enable management access to individual FIMs or FPMs using special administration ports as described in Special management port numbers. To manage individual FIMs or FPMs, this interface must be connected to a network.

Note

To enable using the special management port numbers to connect to individual FIMs and FPMs, the mgmt interface must be connected to a network, have a valid IP address, and have management or administrative access enabled. To block access to the special management port numbers, disconnect the mgmt interface from a network, configure the mgmt interface with an invalid IP address, or disable management or administrative access for the mgmt interface.
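
As an added example that is not part of the handbook, the following standard FortiOS interface and administrator settings show the two states described in the note. The interface name mgmt comes from this page; the address 10.0.100.1/24, the management subnet and the administrator name are assumptions. The first block limits administrative access on mgmt to HTTPS and SSH, and restricts the admin account to the management subnet with a trusted host (a general FortiOS hardening setting; the page does not state whether trusted hosts are enforced for the special port numbers, so do not rely on it alone for that purpose). The second block removes administrative access from mgmt entirely, which, per the note above, blocks the special management port numbers.

```fortios
# Restricted: keep individual FIM/FPM management reachable, but only over HTTPS and SSH
config system interface
    edit mgmt
        set ip 10.0.100.1 255.255.255.0
        set allowaccess https ssh
    next
end
config system admin
    edit admin
        set trusthost1 10.0.100.0 255.255.255.0
    next
end

# Blocked: no administrative access on mgmt, so the special port numbers are not reachable
config system interface
    edit mgmt
        unset allowaccess
    next
end
```

Treat the special management port numbers as an attack surface in their own right: each one is a direct login path to a single FIM or FPM, so whatever reaches the mgmt interface (firewall rules upstream, the allowaccess list, trusted hosts) should be reviewed with that in mind rather than treating mgmt as an ordinary out-of-band port.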

max-miss-heartbeats <heartbeats>

Set the number of missed heartbeats before an FPM is considered to have failed. If a failure occurs, the DP2 processor will no longer load balance sessions to the FPM.

The time between heartbeats is 0.2 seconds. Range is 3 to 300. A value of 3 means 0.6 seconds, 20 (the default) means 4 seconds, and 300 means 60 seconds.

max-miss-mgmt-heartbeats <heartbeats>

Set the number of missed management heartbeats before an FPM is considered to have failed. If a failure occurs, the DP2 processor no longer load balances sessions to that FPM.

The time between management heartbeats is 1 second. Range is 3 to 300 heartbeats. The default is 10 heartbeats.

weighted-load-balance {disable | enable}

Enable weighted load balancing depending on the slot (or worker) weight. Use config workers to set the weight for each slot or worker.

gtp-load-balance {disable | enable}

Enable GTP-U load balancing. If GTP-U load balancing is enabled, Tunnel Endpoint Identifiers (TEIDs) are used to identify GTP-U sessions.

dp-fragment-session {disable | enable}

Enable or disable efficient DP2 load balancing of TCP, UDP, and ICMP sessions with fragmented packets. The option is disabled by default.

For more information, see Load balancing TCP, UDP, and ICMP sessions with fragmented packets.

dp-load-distribution-method {to-master | round-robin | src-ip | dst-ip | src-dst-ip | src-ip-sport | dst-ip-dport | src-dst-ip-sport-dport}

Set the method used by the DP2 processor to load balance sessions among FPMs. Usually you would only need to change the load balancing method if you had specific requirements or you found that the default method wasn’t distributing sessions in the manner that you would prefer. The default is src-dst-ip-sport-dport which means sessions are identified by their source address and port and destination address and port.

to-master directs all sessions to the primary FPM. This method is for troubleshooting only and should not be used for normal operation. Directing all sessions to the primary FPM has a negative impact on performance.

src-ip sessions are distributed across all FPMs according to their source IP address.

dst-ip sessions are statically distributed across all FPMs according to their destination IP address.

src-dst-ip sessions are distributed across all FPMs according to their source and destination IP addresses.

src-ip-sport sessions are distributed across all FPMs according to their source IP address and source port.

dst-ip-dport sessions are distributed across all FPMs according to their destination IP address and destination port.

src-dst-ip-sport-dport distributes sessions across all FPMs according to their source and destination IP address, source port, and destination port. This is the default load balance algorithm and represents true session-aware load balancing. Session-aware load balancing takes all session information into account when deciding where to send new sessions and where to send additional packets that are part of an already established session.

Note

The src-ip and dst-ip load balancing methods use layer 3 information (IP addresses) to identify and load balance sessions. All of the other load balancing methods (except for to-master) use both layer 3 and layer 4 information (IP addresses and port numbers) to identify a TCP or UDP session. The layer 3 and layer 4 load balancing methods only use layer 3 information for other types of traffic (SCTP, ICMP, and ESP). If GTP load balancing is enabled, Tunnel Endpoint Identifiers (TEIDs) are used to identify GTP sessions.

sw-load-distribution-method {src-dst-ip | src-dst-ip-sport-dport}

Configure the load distribution method used by the Internal Switch Fabric (ISF). The default setting is src-dst-ip-sport-dport.

To support load balancing sessions with fragmented packets, set sw-load-distribution-method to src-dst-ip. For more information, see Load balancing TCP, UDP, and ICMP sessions with fragmented packets.

dp-icmp-distribution-method {to-master | src-ip | dst-ip | src-dst-ip | derived}

Set the method used to load balance ICMP sessions among FPMs. Usually you would only need to change the load balancing method if you had specific requirements or you found that the default method wasn’t distributing sessions in the manner that you would prefer. The default is to-master, which means all ICMP sessions are sent to the primary (master) FPM.

to-master directs all ICMP sessions to the primary FPM.

src-ip ICMP sessions are distributed across all FPMs according to their source IP address.

dst-ip ICMP sessions are statically distributed across all FPMs according to their destination IP address.

src-dst-ip ICMP sessions are distributed across all FPMs according to their source and destination IP addresses.

derived ICMP sessions are load balanced using the dp-load-distribution-method setting. Since port-based ICMP load balancing is not possible, if dp-load-distribution-method is set to a load balancing method that includes ports, ICMP load balancing will use the equivalent load balancing method that does not include ports. For example, if dp-load-distribution-method is set to the src-dst-ip-sport-dport (the default) then ICMP load balancing will use src-dst-ip load balancing.

dp-session-table-type {intf-vlan-based | vdom-based}

Change the DP session table (load balancing) mode:

intf-vlan-based is the default and should be used in all cases unless the FortiGate-7000E must support ECMP.

vdom-based should only be selected to support ECMP. Enabling VDOM-based session tables can reduce connections per second (CPS) performance, so enable it only if it is needed to support ECMP. The reduction is more noticeable if the FortiGate-7000E is processing many firewall-only sessions. For more information, see ECMP support.

config workers

Set the weight and enable or disable each worker (FPM). Use the edit command to specify the slot the FPM is installed in. You can enable or disable each FPM and set a weight for each FPM.

The weight range is 1 to 10. 5 is average (and the default), 1 is -80% of average and 10 is +100% of average. The weights take effect only if weighted-load-balance is enabled.

config workers

edit <slot>

set status enable

set weight 5

end
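
The following added example, not taken from the handbook, shows a complete config load-balance setting block that combines the options described above. It assumes a chassis with FPMs in slots 3 to 6 (an assumption; only slot 3 is confirmed as an FPM slot by this page) and that slot 6 is being drained ahead of maintenance. Fragmented TCP, UDP and ICMP sessions are handled by pairing dp-fragment-session enable with sw-load-distribution-method src-dst-ip, as the text requires: non-initial fragments carry no layer 4 header, so a port-based ISF hash would scatter the fragments of one datagram across FPMs. ICMP follows the DP method through derived, which resolves to src-dst-ip because ports are not usable for ICMP. The heartbeat values are the documented defaults, written out so that a later change is visible in the configuration.

```fortios
config load-balance setting
    # defaults written explicitly: 20 x 0.2 s = 4 s, 10 x 1 s = 10 s before an FPM is declared failed
    set max-miss-heartbeats 20
    set max-miss-mgmt-heartbeats 10
    # fragmented sessions: both settings are required, dp-fragment-session alone is not enough
    set dp-fragment-session enable
    set sw-load-distribution-method src-dst-ip
    set dp-load-distribution-method src-dst-ip-sport-dport
    # ICMP uses the port-less equivalent of the DP method (src-dst-ip here) instead of all going to the primary FPM
    set dp-icmp-distribution-method derived
    # default session table mode; switch to vdom-based only if ECMP is required
    set dp-session-table-type intf-vlan-based
    set weighted-load-balance enable
    config workers
        edit 3
            set status enable
            set weight 5
        next
        edit 4
            set status enable
            set weight 5
        next
        edit 5
            set status enable
            set weight 5
        next
        edit 6
            set status enable
            set weight 1
        next
    end
end
```

Leaving weighted-load-balance disabled makes the worker weights inert, which is the most common reason a reduced weight appears to have no effect. Leaving sw-load-distribution-method at its default src-dst-ip-sport-dport while enabling dp-fragment-session is the corresponding trap for fragmented traffic.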
