FortiGate-7000F Handbook
FortiGate-7000F config CLI commands

This chapter describes the following FortiGate-7000F load balancing configuration commands: config load-balance flow-rule and config load-balance setting.

config load-balance flow-rule

Use this command to create flow rules that add exceptions to how matched traffic is processed. You can use flow rules to match a type of traffic and control whether the traffic is forwarded or blocked. And if the traffic is forwarded, you can specify whether to forward the traffic to a specific slot or slots. Unlike firewall policies, load-balance rules are not stateful so for bi-directional traffic, you may need to define two flow rules to match both traffic directions (forward and reverse).

config load-balance flow-rule
    edit <id>
        set status {disable | enable}
        set src-interface <interface-name> [<interface-name>...]
        set vlan <vlan-id>
        set ether-type {any | arp | ip | ipv4 | ipv6}
        set src-addr-ipv4 <ip4-address> <netmask>
        set dst-addr-ipv4 <ip4-address> <netmask>
        set src-addr-ipv6 <ip6-address> <netmask>
        set dst-addr-ipv6 <ip6-address> <netmask>
        set protocol {<protocol-number> | any | icmp | icmpv6 | tcp | udp | igmp | sctp | gre | esp | ah | ospf | pim | vrrp}
        set src-l4port <start>[-<end>]
        set dst-l4port <start>[-<end>]
        set icmptype <type>
        set icmpcode <type>
        set tcp-flag {any | syn | fin | rst}
        set action {forward | mirror-ingress | stats | drop}
        set mirror-interface <interface-name>
        set forward-slot {master | all | load-balance | <FPM#>}
        set priority <number>
        set comment <text>
    end

status {disable | enable}

Enable or disable this flow rule. New flow rules are disabled by default.

src-interface <interface-name> [<interface-name>...]

Optionally add the names of one or more front panel interfaces accepting the traffic to be subject to the flow rule. If you don't specify a src-interface, the flow rule matches traffic received by any interface.

If you are matching VLAN traffic, select the interface that the VLAN has been added to and use the vlan option to specify the VLAN ID of the VLAN interface.

vlan <vlan-id>

If the traffic matching the rule is VLAN traffic, enter the VLAN ID used by the traffic. You must set src-interface to the interface that the VLAN interface is added to.

ether-type {any | arp | ip | ipv4 | ipv6}

The type of traffic to be matched by the rule. You can match any traffic (the default) or just match ARP, IP, IPv4 or IPv6 traffic.

{src-addr-ipv4 | dst-addr-ipv4} <ipv4-address> <netmask>

The IPv4 source and destination address of the IPv4 traffic to be matched. The default of 0.0.0.0 0.0.0.0 matches all IPv4 traffic. Available if ether-type is set to ipv4.

{src-addr-ipv6 | dst-addr-ipv6} <ip-address> <netmask>

The IPv6 source and destination address of the IPv6 traffic to be matched. The default of ::/0 matches all IPv6 traffic. Available if ether-type is set to ipv6.

protocol {<protocol-number> | any | icmp | icmpv6 | tcp | udp | igmp | sctp | gre | esp | ah | ospf | pim | vrrp}

If ether-type is set to ip, ipv4, or ipv6, specify the protocol of the IP, IPv4, or IPv6 traffic to match the rule. The default is any. You can specify any protocol number or you can use the following keywords to select common protocols.

Option    Protocol number
icmp      1
icmpv6    58
tcp       6
udp       17
igmp      2
sctp      132
gre       47
esp       50
ah        51
ospf      89
pim       103
vrrp      112

{src-l4port | dst-l4port} <start>[-<end>]

Specify a layer 4 source port range and destination port range. This option appears when protocol is set to tcp or udp. The default range is 0-0, which matches all ports. You don't have to enter a range to match just one port. For example, to set the source port to 80, enter set src-l4port 80.

icmptype <type>

Specify an ICMP type number in the range of 0 to 255. The default is 255. This option appears if protocol is set to icmp. For information about ICMP type numbers, see Internet Control Message Protocol (ICMP) Parameters.

icmpcode <type>

If the ICMP type also includes an ICMP code, you can use this option to add that ICMP code. The range is 0 to 255. The default is 255. This option appears if protocol is set to icmp. For information about ICMP code numbers, see Internet Control Message Protocol (ICMP) Parameters.

tcp-flag {any | syn | fin | rst}

Set the TCP session flag to match. The any setting (the default) matches all TCP sessions. You can add specific flags to only match specific TCP session types.

action {forward | mirror-ingress | stats | drop}

The action to take with matching sessions. They can be dropped, forwarded to another destination, or you can record statistics about the traffic for later analysis. You can combine two or three settings in one command. For example, you can set action to both forward and stats to forward traffic and collect statistics about it. Use append to add additional options to an existing action setting.

The default action is forward, which forwards packets to the specified forward-slot.

The mirror-ingress option copies (mirrors) all ingress packets that match this flow rule and sends them to the interface specified with the mirror-interface option.

mirror-interface <interface-name>

The name of the interface to send packets matched by this flow-rule to when action is set to mirror-ingress.

forward-slot {master | all | load-balance | <FPM#>}

The slot that you want to forward the traffic that matches this rule to.

Where:

master forwards traffic to the primary FPM.

all means forward the traffic to all FPMs.

load-balance means forward this traffic to the DP processors that then use the default load balancing configuration to handle this traffic.

<FPM#> forwards the matching traffic to a specific FPM. For example, FPM3 is the FPM in slot 3.

priority <number>

Set the priority of the flow rule in the range 1 (highest priority) to 10 (lowest priority). Higher priority rules are matched first. You can use the priority to control which rule is matched first if you have overlapping rules.

The default priority is 5.

comment <text>

Optionally add a comment that describes the flow rule.
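The following is an added example, not Fortinet code: a small Python model of how the flow-rule options above combine when a packet is evaluated. It mirrors the defaults stated in the reference (new rules disabled, any interface/ether-type/protocol, port range 0-0 = all ports, priority 5 with 1 matched first) and shows why the stateless rules need a second, reverse-direction rule for bidirectional traffic. FlowRule, the packet dicts, decide() and the IPv4-only restriction are assumptions of this example, not the NP7 implementation.

```python
"""Flow-rule matching model for FortiGate-7000F load-balance flow rules (added
example, not Fortinet code). Defaults follow the reference: new rules disabled,
any interface/ether-type/protocol, port range 0-0 = all ports, priority 5 with 1
matched first. IPv4 only; FlowRule, the packet dicts and decide() are my own."""
from dataclasses import dataclass
import ipaddress

PROTO_NUM = {"icmp": 1, "icmpv6": 58, "tcp": 6, "udp": 17, "igmp": 2, "sctp": 132,
             "gre": 47, "esp": 50, "ah": 51, "ospf": 89, "pim": 103, "vrrp": 112}

@dataclass
class FlowRule:
    id: int
    status: str = "disable"          # new flow rules are disabled by default
    src_interface: tuple = ()        # empty = traffic received by any interface
    ether_type: str = "any"          # any | arp | ip | ipv4 | ipv6
    protocol: str = "any"            # keyword from PROTO_NUM or a protocol number
    src_addr: str = "0.0.0.0/0"      # 0.0.0.0 0.0.0.0 = all IPv4 traffic
    dst_addr: str = "0.0.0.0/0"
    src_l4port: tuple = (0, 0)       # 0-0 = all ports; (80, 0) = just port 80
    dst_l4port: tuple = (0, 0)
    action: frozenset = frozenset({"forward"})
    forward_slot: str = "load-balance"
    priority: int = 5                # 1 = highest, 10 = lowest

def port_in_range(rng, port):
    lo, hi = rng
    return (lo, hi) == (0, 0) or lo <= port <= max(lo, hi)

def matches(rule, pkt):
    """pkt keys: interface, ether_type, proto (number), src, dst, sport, dport."""
    if rule.status != "enable":
        return False
    if rule.src_interface and pkt["interface"] not in rule.src_interface:
        return False
    et = pkt["ether_type"]
    if rule.ether_type not in ("any", et) and not (rule.ether_type == "ip" and et in ("ipv4", "ipv6")):
        return False
    if et != "ipv4":                 # L3/L4 fields are only modelled for IPv4 here
        return True
    if rule.protocol != "any" and int(PROTO_NUM.get(rule.protocol, rule.protocol)) != pkt["proto"]:
        return False
    for addr, net in ((pkt["src"], rule.src_addr), (pkt["dst"], rule.dst_addr)):
        if ipaddress.ip_address(addr) not in ipaddress.ip_network(net, strict=False):
            return False
    if pkt["proto"] in (6, 17):      # l4port options only apply to tcp and udp
        return port_in_range(rule.src_l4port, pkt["sport"]) and \
               port_in_range(rule.dst_l4port, pkt["dport"])
    return True

def decide(rules, pkt):
    """First match in priority order (1 before 10, then lower id). Returns (rule id,
    actions, forward slot); None means no rule matched, so default load balancing applies."""
    for rule in sorted(rules, key=lambda r: (r.priority, r.id)):
        if matches(rule, pkt):
            return rule.id, sorted(rule.action), (rule.forward_slot if "forward" in rule.action else None)
    return None

# Constructed rule set: pin HTTP to FPM3 in both directions, drop ICMP.
RULES = [
    FlowRule(1, "enable", ("port1",), ether_type="ipv4", protocol="tcp",
             dst_l4port=(80, 0), forward_slot="FPM3", priority=3),
    FlowRule(2, "enable", ("port2",), ether_type="ipv4", protocol="tcp",
             src_l4port=(80, 0), forward_slot="FPM3", priority=3),  # reverse direction
    FlowRule(3, "enable", ether_type="ipv4", protocol="icmp", action=frozenset({"drop"})),
    FlowRule(4, "disable", priority=1, action=frozenset({"drop"})),  # disabled: never matches
]
# Constructed packets: an HTTP request, its reply, and a ping.
REQUEST = dict(interface="port1", ether_type="ipv4", proto=6,
               src="10.0.0.5", dst="192.0.2.10", sport=40000, dport=80)
REPLY = dict(interface="port2", ether_type="ipv4", proto=6,
             src="192.0.2.10", dst="10.0.0.5", sport=80, dport=40000)
PING = dict(interface="port1", ether_type="ipv4", proto=1,
            src="10.0.0.5", dst="192.0.2.10", sport=0, dport=0)
```

Removing rule 2 from RULES makes decide() return None for REPLY: the reply falls back to default load balancing instead of following the request to FPM3, which is the effect of the stateless-rule caveat above.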

config load-balance setting

Use this command to set a wide range of load balancing settings.

config load-balance setting
    set slbc-mgmt-intf <management-interface>
    set max-miss-heartbeats <heartbeats>
    set max-miss-mgmt-heartbeats <heartbeats>
    set weighted-load-balance {disable | enable}
    set gtp-load-balance {disable | enable}
    set sslvpn-load-balance {disable | enable}
    set dp-load-distribution-method {to-master | src-ip | dst-ip | src-dst-ip | src-ip-sport | dst-ip-dport | src-dst-ip-sport-dport}
    set sw-load-distribution-method {src-dst-ip | src-dst-ip-sport-dport}
    set dp-icmp-distribution-method {to-master | src-ip | dst-ip | src-dst-ip | derived}
    set nat-source-port {chassis-slots | enabled-slots}
    config workers
        edit <slot>
            set status {disable | enable}
            set weight <weight>
        end
end

slbc-mgmt-intf <management-interface>

To be able to use special SLBC management interface features, such as being able to log into any FIM or FPM using the management IP address and a special port number, you need to use this option to select a FortiGate-7000F management interface to be the SLBC management interface.

You can use any of the FIM or FPM management interfaces to be the SLBC management interface. The following example uses the MGMT 1 interface of the FIM in slot 1. In the GUI and CLI the name of this interface is 1-mgmt1.

Enter the following command to set the 1-mgmt1 interface to be the SLBC management interface:

config global
    config load-balance setting
        set slbc-mgmt-intf 1-mgmt1
    end
end

Note: To manage individual FIMs or FPMs, the SLBC interface must be connected to a network.

The slbc-mgmt-intf option is blank by default and must be set to be able to manage individual FIMs and FPMs using the SLBC management interface IP address and special port numbers. If you decide to use a different management interface, you must also change the slbc-mgmt-intf to that interface.

To enable using the special management port numbers to connect to individual FIMs and FPMs, the mgmt interface must be connected to a network, have a valid IP address, and have management or administrative access enabled. To block access to the special management port numbers, disconnect the mgmt interface from a network, configure the mgmt interface with an invalid IP address, or disable management or administrative access for the mgmt interface.

max-miss-heartbeats <heartbeats>

Set the number of missed heartbeats before an FPM is considered to have failed. If a failure occurs, the NP7 processors will no longer load balance sessions to the FPM.

The time between heartbeats is 0.2 seconds. Range is 3 to 300. A value of 3 means 0.6 seconds, 20 (the default) means 4 seconds, and 300 means 60 seconds.

max-miss-mgmt-heartbeats <heartbeats>

Set the number of missed management heartbeats before an FPM is considered to have failed. If a failure occurs, the NP7 processor will no longer load balance sessions to the FPM.

The time between management heartbeats is 1 second. Range is 3 to 300 heartbeats. The default is 10 heartbeats.

weighted-load-balance {disable | enable}

Enable weighted load balancing depending on the slot (or worker) weight. Use config workers to set the weight for each FPM slot.

gtp-load-balance {disable | enable}

Enable GTP-U load balancing. If GTP-U load balancing is enabled, Tunnel Endpoint Identifiers (TEIDs) are used to identify GTP-U sessions.

sslvpn-load-balance {disable | enable}

Enable or disable SSL VPN load balancing. For more information, see SSL VPN load balancing.

dp-load-distribution-method {to-master | src-ip | dst-ip | src-dst-ip | src-ip-sport | dst-ip-dport | src-dst-ip-sport-dport}

Set the method used by the NP7 processors to load balance sessions among FPMs. Usually you would only need to change the load balancing method if you had specific requirements or you found that the default method wasn't distributing sessions in the manner that you would prefer. The default is src-dst-ip, which means sessions are identified by their source and destination IP addresses.

to-master directs all sessions to the primary FPM. This method is for troubleshooting only and should not be used for normal operation. Directing all sessions to the primary FPM will have a negative impact on performance.

src-ip sessions are distributed across all FPMs according to their source IP address.

dst-ip sessions are distributed across all FPMs according to their destination IP address.

src-dst-ip sessions are distributed across all FPMs according to their source and destination IP addresses. This is the default load balance algorithm. This method is normally the optimal load balancing method for most traffic types.

src-ip-sport sessions are distributed across all FPMs according to their source IP address and source port.

dst-ip-dport sessions are distributed across all FPMs according to their destination IP address and destination port.

src-dst-ip-sport-dport distributes sessions across all FPMs according to their source and destination IP address, source port, and destination port.

Note: The src-ip and dst-ip load balancing methods use layer 3 information (IP addresses) to identify and load balance sessions. All of the other load balancing methods (except for to-master) use both layer 3 and layer 4 information (IP addresses and port numbers) to identify a TCP and UDP session. The layer 3 and layer 4 load balancing methods only use layer 3 information for other types of traffic (SCTP, ICMP, and ESP). If GTP load balancing is enabled, Tunnel Endpoint Identifiers (TEIDs) are used to identify GTP sessions.

sw-load-distribution-method {src-dst-ip | src-dst-ip-sport-dport}

Configure the load distribution method used by the Internal Switch Fabric (ISF). The default setting is src-dst-ip.

dp-icmp-distribution-method {to-master | src-ip | dst-ip | src-dst-ip | derived}

Set the method used by the NP7 processor to load balance ICMP sessions among FPMs. See ICMP load balancing.

nat-source-port {chassis-slots | enabled-slots}

Change SNAT port partitioning behavior. For more information, see Controlling SNAT port partitioning behavior.

config workers

Set the weight and enable or disable each worker (FPM). Use the edit command to specify the slot the FPM is installed in. You can enable or disable each FPM and set a weight for each FPM.

The weight range is 1 to 10. 5 is average (and the default), 1 is -80% of average and 10 is +100% of average. The weights take effect only if weighted-load-balance is enabled.

For more information, see Optimizing NAT IP pool allocation on FortiGate-7000F systems with empty FPM slots.

config workers
    edit <slot>
        set status enable
        set weight 5
    end
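The following is an added example, not Fortinet code, covering the dp-load-distribution-method keywords and the config workers weights described above: it models which header fields identify a session under each method (ports only for TCP and UDP, as the note states), sends everything to the primary FPM for to-master, skips disabled slots, and scales each slot's share by its weight with 5 = average, 1 = -80% and 10 = +100% (modelled as weight/5). The hash, the bucket layout, session_key() and the worker table are assumptions of this example, not the NP7 algorithm.

```python
"""Model of the NP7 session distribution settings from config load-balance
setting (added example, not Fortinet code). The method keyword selects the
header fields that identify a session, port-bearing methods use ports only for
TCP/UDP, to-master sends everything to the primary FPM, and worker weights
1..10 scale a slot's share with 5 = average, 1 = -80% and 10 = +100%
(modelled as weight/5). Hashing, buckets and session_key() are constructed."""
import hashlib
from fractions import Fraction

FIELDS = {                     # header fields each method identifies a session by
    "src-ip": ("src",), "dst-ip": ("dst",), "src-dst-ip": ("src", "dst"),
    "src-ip-sport": ("src", "sport"), "dst-ip-dport": ("dst", "dport"),
    "src-dst-ip-sport-dport": ("src", "dst", "sport", "dport"),
}

def session_key(method, pkt):
    """Tuple of fields that identify the session under `method` (None for to-master).
    Layer 4 ports only count for TCP (6) and UDP (17); SCTP, ICMP, ESP and other
    traffic falls back to layer 3 information, as the reference note states."""
    if method == "to-master":
        return None
    fields = FIELDS[method]
    if pkt["proto"] not in (6, 17):
        fields = tuple(f for f in fields if f in ("src", "dst"))
    return tuple(pkt[f] for f in fields)

def relative_weight(weight):
    """1 -> 0.2 (-80%), 5 -> 1.0 (average), 10 -> 2.0 (+100%)."""
    if not 1 <= weight <= 10:
        raise ValueError("weight range is 1 to 10")
    return weight / 5

def expected_shares(workers, weighted=True):
    """Fraction of sessions each enabled slot should receive. workers maps
    slot -> (status, weight) like config workers; weights are ignored if not weighted."""
    enabled = {s: (w if weighted else 5) for s, (st, w) in workers.items() if st == "enable"}
    total = sum(enabled.values())
    if total == 0:
        raise ValueError("no enabled FPM to load balance to")
    return {s: Fraction(w, total) for s, w in enabled.items()}

def choose_fpm(method, pkt, workers, master, weighted=True):
    """Deterministic slot choice: hash the session key into 1000 buckets and map
    buckets to slots in proportion to their share (constructed algorithm)."""
    key = session_key(method, pkt)
    if key is None:                      # to-master: troubleshooting only
        return master
    digest = hashlib.sha256(repr(key).encode()).digest()
    bucket = int.from_bytes(digest[:4], "big") % 1000
    edge = 0
    for slot, share in sorted(expected_shares(workers, weighted).items()):
        edge += share * 1000
        if bucket < edge:
            return slot
    return slot  # rounding guard: shares sum to 1, so the loop always returns

# Constructed worker table: slot 3 disabled, slot 2 double weight, slot 4 minimal.
WORKERS = {"FPM1": ("enable", 5), "FPM2": ("enable", 10), "FPM3": ("disable", 5), "FPM4": ("enable", 1)}
# Constructed packets: a TCP flow and an ESP packet between the same hosts.
TCP = dict(proto=6, src="10.0.0.5", dst="192.0.2.10", sport=40000, dport=443)
ESP = dict(proto=50, src="10.0.0.5", dst="192.0.2.10", sport=0, dport=0)

def distribution(method, workers, n=2000, weighted=True):
    """Count which slot n constructed TCP flows (varying source port) land on."""
    counts = {}
    for i in range(n):
        pkt = dict(TCP, sport=1024 + i)
        slot = choose_fpm(method, pkt, workers, "FPM1", weighted)
        counts[slot] = counts.get(slot, 0) + 1
    return counts
```

distribution("src-dst-ip", WORKERS) lands every flow on one slot because the ports are not part of the key, while distribution("src-dst-ip-sport-dport", WORKERS) spreads them over FPM1, FPM2 and FPM4 in roughly 5:10:1 proportion and never touches the disabled FPM3.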
