FortiGate-7000F Handbook


SSL VPN load balancing

FortiGate-7000F supports load balancing SSL VPN tunnel mode sessions terminated by the FortiGate-7000F. By default, SSL VPN load balancing is disabled and a flow rule is required to send all SSL VPN sessions to one FPM (usually the primary FPM).

To support SSL VPN tunnel load balancing, you must disable all flow rules that match the SSL VPN traffic to be load balanced.

For SSL VPN load balancing to work properly, the NP7 processor load distribution method must be changed to a setting that does not include src-port. The following NP7 load distribution methods are supported for SSL VPN load balancing:

config load-balance setting

set dp-load-distribution-method {to-master | src-ip | dst-ip | src-dst-ip | dst-ip-dport}

end

Then you can use the following command to enable SSL VPN load balancing:

config load-balance setting

set sslvpn-load-balance enable

end

When you enable SSL VPN load balancing, the FortiGate-7000F restarts SSL VPN processes running on the management board and the FPMs, resetting all current SSL VPN sessions. This restart will interrupt any active SSL VPN sessions.

Once the SSL VPN processes restart, the FortiGate-7000F NP7 processor distributes SSL VPN tunnel mode sessions to all of the FPMs.

To be able to distribute SSL VPN sessions to all FPMs, SSL VPN load balancing statically allocates the IP addresses in SSL VPN IP pools among the FPMs. Each FPM acquires a subset of the IP addresses in the IP pool. You may need to expand the number of IP addresses in your SSL VPN IP pools to make sure enough IP addresses are available for each FPM.

Note

SSL VPN IP pool IP addresses are not re-allocated if an FPM goes down, is disabled, or is taken offline. The IP pool IP addresses assigned to the missing FPM are not available until the FPM returns to normal operation.

No other special configuration is required to support SSL VPN tunnel mode load balancing.
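The following pre-check script is an added example, not Fortinet code: it parses a pasted "config load-balance setting" block, flags the case where sslvpn-load-balance is enabled while dp-load-distribution-method is not one of the methods listed above (that is, it still hashes on src-port), and computes how many SSL VPN IP pool addresses each FPM receives under the static split described above. The sample configuration text and pool range are constructed for illustration, and the even-split arithmetic is an assumption about the allocation, not a documented formula.

```python
import ipaddress
import re

# NP7 distribution methods the handbook lists as supported for SSL VPN
# load balancing: none of them include src-port in the hash key.
SSLVPN_SAFE_METHODS = {"to-master", "src-ip", "dst-ip", "src-dst-ip", "dst-ip-dport"}


def parse_lb_setting(config_text):
    """Return the 'set <key> <value>' pairs inside 'config load-balance setting'."""
    block = re.search(r"^config load-balance setting\s*$(.*?)^\s*end\s*$",
                      config_text, re.S | re.M)
    settings = {}
    if block:
        for m in re.finditer(r"^\s*set\s+(\S+)\s+(.+?)\s*$", block.group(1), re.M):
            settings[m.group(1)] = m.group(2)
    return settings


def check_sslvpn_lb(config_text):
    """List findings that would break SSL VPN load balancing; empty list means OK."""
    settings = parse_lb_setting(config_text)
    findings = []
    if settings.get("sslvpn-load-balance") != "enable":
        return findings  # feature disabled: flow rule pins SSL VPN to one FPM
    method = settings.get("dp-load-distribution-method")
    if method is None:
        findings.append("dp-load-distribution-method not set explicitly; "
                        "verify the active method excludes src-port")
    elif method not in SSLVPN_SAFE_METHODS:
        findings.append(f"dp-load-distribution-method '{method}' includes src-port; "
                        f"use one of {sorted(SSLVPN_SAFE_METHODS)}")
    return findings


def pool_addresses_per_fpm(start_ip, end_ip, fpm_count):
    """Addresses each FPM gets if the pool range is split evenly (assumed even split)."""
    total = int(ipaddress.ip_address(end_ip)) - int(ipaddress.ip_address(start_ip)) + 1
    return total // fpm_count


# Constructed sample: the method still hashes on source port, so the check fails.
BAD_CONFIG = """config load-balance setting
    set dp-load-distribution-method src-dst-ip-sport-dport
    set sslvpn-load-balance enable
end
"""

# Constructed sample: same block with a supported method; the check passes.
GOOD_CONFIG = BAD_CONFIG.replace("src-dst-ip-sport-dport", "src-dst-ip")
```

Run check_sslvpn_lb() against a CLI export before enabling the feature, since enabling it restarts the SSL VPN processes and drops every active tunnel.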
