Fortinet white logo
Fortinet white logo

FortiGate-7000E Handbook

SSL VPN load balancing

SSL VPN load balancing

FortiGate-7000E supports load balancing SSL VPN tunnel mode sessions terminated by the FortiGate-7000E. By default SSL VPN load balancing is disabled and a flow rule is required to send all SSL VPN sessions to one FPM (usually the primary FPM).

To support SSL VPN tunnel load balancing, you must disable all flow rules that match the SSL VPN traffic to be load balanced.

For SSL VPN load balancing to work properly, the DP processor load distribution method must be changed to a setting that does not include src-port. The following DP load distribution methods are supported for SSL VPN load balancing:

config load balance setting

set dp-load-distribution-method {to-master | src-ip | dist-ip | src-dst-ip | dis-ip-dport}

end

Then you can use the following command to enable SSL VPN load balancing:

config load-balance setting

set sslvpn-load-balance enable

end

When you enable SSL VPN load balancing, the FortiGate-7000E restarts SSL VPN processes running on the FIMs and the FPMs, resetting all current SSL VPN sessions. This restart will interrupt any active SSL VPN sessions.

Once the SSL VPN processes restart, the FortiGate-7000E DP2 processor distributes SSL VPN tunnel mode sessions to all of the FPMs.

To be able to distribute SSL VPN sessions to all FPMs, SSL VPN load balancing statically allocates the IP addresses in SSL VPN IP pools among the FPMs. Each FPM acquires a subset of the IP addresses in the IP pool. You may need to expand the number of IP addresses in your SSL VPN IP pools to make sure enough IP addresses are available for each FPM.

Note

SSL VPN IP pool IP addresses are not re-allocated if an FPM goes down, is disabled, or is taken offline. The IP pool IP addresses assigned to the missing FPM are not available until the FPM returns to normal operation.

No other special configuration is required to support SSL VPN tunnel mode load balancing.

For more information on FortiGate-7000E SSL VPN load balancing, see this Fortinet Community article:Technical Tip : How to load balance SSL VPN web-mode traffic on FortiGate-6000 series.

SSL VPN load balancing

SSL VPN load balancing

FortiGate-7000E supports load balancing SSL VPN tunnel mode sessions terminated by the FortiGate-7000E. By default SSL VPN load balancing is disabled and a flow rule is required to send all SSL VPN sessions to one FPM (usually the primary FPM).

To support SSL VPN tunnel load balancing, you must disable all flow rules that match the SSL VPN traffic to be load balanced.

For SSL VPN load balancing to work properly, the DP processor load distribution method must be changed to a setting that does not include src-port. The following DP load distribution methods are supported for SSL VPN load balancing:

config load balance setting

set dp-load-distribution-method {to-master | src-ip | dist-ip | src-dst-ip | dis-ip-dport}

end

Then you can use the following command to enable SSL VPN load balancing:

config load-balance setting

set sslvpn-load-balance enable

end

When you enable SSL VPN load balancing, the FortiGate-7000E restarts SSL VPN processes running on the FIMs and the FPMs, resetting all current SSL VPN sessions. This restart will interrupt any active SSL VPN sessions.

Once the SSL VPN processes restart, the FortiGate-7000E DP2 processor distributes SSL VPN tunnel mode sessions to all of the FPMs.

To be able to distribute SSL VPN sessions to all FPMs, SSL VPN load balancing statically allocates the IP addresses in SSL VPN IP pools among the FPMs. Each FPM acquires a subset of the IP addresses in the IP pool. You may need to expand the number of IP addresses in your SSL VPN IP pools to make sure enough IP addresses are available for each FPM.

Note

SSL VPN IP pool IP addresses are not re-allocated if an FPM goes down, is disabled, or is taken offline. The IP pool IP addresses assigned to the missing FPM are not available until the FPM returns to normal operation.

No other special configuration is required to support SSL VPN tunnel mode load balancing.

For more information on FortiGate-7000E SSL VPN load balancing, see this Fortinet Community article:Technical Tip : How to load balance SSL VPN web-mode traffic on FortiGate-6000 series.