FortiGate-7000 Release Notes

SSL VPN tunnel mode load balancing

FortiGate-6000 and 7000 for FortiOS 6.4.8 supports load balancing SSL VPN tunnel mode sessions terminated by the FortiGate-6000 or 7000.

By default, SSL VPN load balancing is disabled, so a flow rule is required to steer all SSL VPN sessions to a single FPC or FPM. For example, the following flow rule sends all SSL VPN sessions (TCP port 443) to the primary FPC or FPM:

config load-balance flow-rule
    edit 0
        set status enable
        set ether-type ipv4
        set protocol tcp
        set dst-l4port 443-443
        set forward-slot master
        set comment "ssl vpn server to primary worker"
end

To support SSL VPN tunnel mode load balancing, you must first disable (or delete) every flow rule that matches the SSL VPN traffic to be load balanced, such as the rule above; an active steering rule takes precedence and keeps all sessions on one FPC or FPM.

Then you can enable SSL VPN load balancing with the following new command:

config load-balance setting
    set sslvpn-load-balance enable
end

When you enable SSL VPN load balancing, the FortiGate-6000 restarts the SSL VPN processes on the management board and all FPCs, and the FortiGate-7000 restarts them on all FIMs and FPMs. All current SSL VPN sessions are reset, so enable it during a maintenance window.

SSL VPN load balancing statically allocates the IP addresses in SSL VPN IP pools to the FPCs or FPMs. Each FPC or FPM acquires a subset of the IP addresses in the IP pool. You may need to expand the number of IP addresses in your SSL VPN IP pools to make sure enough IP addresses are available for each FPC or FPM.

SSL VPN IP pool addresses are not re-allocated if an FPC or FPM goes down, is disabled, or is taken offline. The IP pool addresses assigned to the missing FPC or FPM remain unavailable while it is out of service, so size your IP pools so that the remaining FPCs or FPMs still have enough addresses when one is missing.

Note

For SSL VPN load balancing to work properly, the DP processor load distribution method must be changed to one that does not include the source port (sport), so that every connection from a given client hashes to the same FPC or FPM. The following DP load distribution methods are supported for SSL VPN load balancing:

config load-balance setting
    set dp-load-distribution-method {to-master | src-ip | dst-ip | src-dst-ip | dst-ip-dport}
end
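The complete cut-over, as an added example that is not from the release notes: it disables the steering flow rule shown above, switches the DP load distribution method to one without the source port, enlarges the tunnel IP pool so that each slot receives a usable share even with one slot missing, and only then enables SSL VPN load balancing (which resets every active SSL VPN session). The flow rule ID 1, the address object name SSLVPN_TUNNEL_ADDR1, the 10.212.134.0/22 range and the four-slot sizing are assumptions for illustration, not values from the page.

```fortios
# Added example, not from the release notes. Assumed values: flow rule 1,
# address object SSLVPN_TUNNEL_ADDR1, pool 10.212.134.1-10.212.137.254,
# four FPCs or FPMs in the chassis.

# 1. Stop steering every SSL VPN session to the primary worker. The rule is
#    disabled rather than deleted so it can be re-enabled for rollback.
config load-balance flow-rule
    edit 1
        set status disable
    next
end

# 2. Choose a DP load distribution method that does not hash on the source
#    port; src-dst-ip keeps all connections from one client IP on one slot.
#    (Methods ending in -sport or -sport-dport are not supported here.)
config load-balance setting
    set dp-load-distribution-method src-dst-ip
end

# 3. Size the tunnel IP pool for the static per-slot split. Four slots share
#    the pool; a slot that is offline keeps its share unusable, so plan for
#    the remaining three. 1022 addresses give roughly 255 per slot, about
#    765 usable tunnels with one slot down.
config firewall address
    edit "SSLVPN_TUNNEL_ADDR1"
        set type iprange
        set start-ip 10.212.134.1
        set end-ip 10.212.137.254
    next
end
config vpn ssl settings
    set tunnel-ip-pools "SSLVPN_TUNNEL_ADDR1"
end

# 4. Enable SSL VPN load balancing. This restarts the SSL VPN processes on
#    every board (management board and FPCs, or FIMs and FPMs) and drops all
#    current SSL VPN sessions, so do it in a maintenance window.
config load-balance setting
    set sslvpn-load-balance enable
end

# 5. Verify before letting users reconnect: the steering rule must show
#    status disable and the setting must show a method without sport.
show load-balance flow-rule 1
show load-balance setting
```

Order matters: if step 4 runs before step 1, the still-active flow rule keeps every session on the primary slot and the change appears to do nothing; if it runs before step 2, a source-port hash can split one client's connections across slots.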
