Fortinet black logo

FortiGate-7000F Handbook

Home FortiGate-7000 7.0.14 FortiGate-7000F Handbook
7.0.14
7.0.15
7.0.14
7.0.13
7.0.12
7.0.10
7.0.5
6.4.15
6.4.14
6.4.13
6.4.12
6.4.10
6.4.8
6.4.6
6.2.16
6.2.16
6.2.15
6.2.13
6.2.12
6.2.11
6.2.10
6.2.9
6.2.7
6.2.6

IPsec VPN load balancing

IPsec VPN load balancing

FortiGate 7000F IPsec load balancing is tunnel based. You can set the load balance strategy for each tunnel when configuring phase1-interface options:

config vpn ipsec phase1-interface

edit <name>

set ipsec-tunnel-slot {auto | FPM3 | FPM4 | FPM5 | FPM6 | FPM7 | FPM8 | FPM9 | FPM10 | FPM11 | FPM12 | master}

end

auto the default setting. All tunnels started by this phase 1 are load balanced to an FPM slot based on the src-ip and dst-ip hash result. All traffic for a given tunnel instance is processed by the same FPM.

FPM3 to FPM12 all tunnels started by this phase 1 terminate on the selected FPM.

master all tunnels started by this phase 1 terminate on the primary FPM.

Even if you select master or a specific FPM, new SAs created by this tunnel are synchronized to all FPMs.

If the IPsec interface includes dynamic routing, the ipsec-tunnel-slot option is ignored and all tunnels are terminated on the primary FPM.

Previous
Next

IPsec VPN load balancing

FortiGate 7000F IPsec load balancing is tunnel based. You can set the load balance strategy for each tunnel when configuring phase1-interface options:

config vpn ipsec phase1-interface

edit <name>

set ipsec-tunnel-slot {auto | FPM3 | FPM4 | FPM5 | FPM6 | FPM7 | FPM8 | FPM9 | FPM10 | FPM11 | FPM12 | master}

end

auto the default setting. All tunnels started by this phase 1 are load balanced to an FPM slot based on the src-ip and dst-ip hash result. All traffic for a given tunnel instance is processed by the same FPM.

FPM3 to FPM12 all tunnels started by this phase 1 terminate on the selected FPM.

master all tunnels started by this phase 1 terminate on the primary FPM.

Even if you select master or a specific FPM, new SAs created by this tunnel are synchronized to all FPMs.

If the IPsec interface includes dynamic routing, the ipsec-tunnel-slot option is ignored and all tunnels are terminated on the primary FPM.

Previous
Next