
FortiGate-7000F Handbook

Flow rules for sessions that cannot be load balanced

Some traffic types cannot be load balanced across the FPMs. Sessions for these traffic types should normally be sent to the primary FPM by configuring flow rules that match them. You can also configure flow rules to send traffic that cannot be load balanced to a specific FPM instead of the primary FPM.

Create flow rules using the config load-balance flow-rule command. The default configuration uses this command to send Kerberos, BGP, RIP, VRRP, IPv4 and IPv6 DHCP, PPTP, BFD, IPv4 and IPv6 multicast, GTP, and HTTP and HTTPS authd sessions to the primary FPM. You can view the default configuration of the config load-balance flow-rule command to see how these rules are constructed, or see Default configuration for traffic that cannot be load balanced.

Note Because of a limitation of the FIM-7921F switch hardware, the FortiGate-7121F with FIM-7921Fs does not support adding VLANs to flow rules. The vlan setting of the config load-balance flow-rule command is ignored.

For example, the following configuration sends BGP sessions in both directions to the primary FPM. Because a BGP session uses TCP port 179 on one side only, two rules are needed: one matching packets with source port 179 and one matching packets with destination port 179. A port range of 0-0 leaves the other port unrestricted, and forward-slot master selects the primary FPM:

config load-balance flow-rule
    edit 3
        set status enable
        set vlan 0
        set ether-type ip
        set protocol tcp
        set src-l4port 179-179
        set dst-l4port 0-0
        set tcp-flag any
        set action forward
        set forward-slot master
        set priority 5
        set comment "bgp src"
    next
    edit 4
        set status enable
        set vlan 0
        set ether-type ip
        set protocol tcp
        set src-l4port 0-0
        set dst-l4port 179-179
        set tcp-flag any
        set action forward
        set forward-slot master
        set priority 5
        set comment "bgp dst"
    next
end
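The rule pair above is one instance of a general pattern: every port that carries traffic that cannot be load balanced needs an enabled rule for each direction, both forwarding to the primary FPM. The following Python script is an added example, not Fortinet code or part of this handbook. It parses a config load-balance flow-rule block in the CLI form shown on this page, reports which direction of a given protocol/port is not pinned to the primary FPM, and renders a correct rule pair for any protocol and port. The sample configuration embedded in it is constructed for the example (it deliberately contains only the "bgp dst" rule so that the checker has something to flag), and the function and variable names are the example's own.

```python
"""Parse and audit a FortiOS 'config load-balance flow-rule' block.

Added example, not Fortinet code. It parses CLI text in the form shown on this
page and checks that a port whose traffic cannot be load balanced is matched in
both directions (as source port and as destination port) by enabled rules that
forward to the primary FPM ("forward-slot master" in the CLI), and it renders
such a rule pair for any protocol/port.
"""
import re
from typing import Dict, List, Tuple

Rule = Dict[str, str]

# Constructed sample: only the "bgp dst" rule from this page, i.e. the src
# direction (replies from port 179) is not pinned. The checker should flag it.
SAMPLE_CONFIG = """\
config load-balance flow-rule
    edit 4
        set status enable
        set vlan 0
        set ether-type ip
        set protocol tcp
        set src-l4port 0-0
        set dst-l4port 179-179
        set tcp-flag any
        set action forward
        set forward-slot master
        set priority 5
        set comment "bgp dst"
    next
end
"""


def parse_flow_rules(text: str) -> Dict[int, Rule]:
    """Return {rule_id: {setting: value}} for each 'edit N ... next' entry."""
    rules: Dict[int, Rule] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if m := re.fullmatch(r"edit (\d+)", line):
            current = int(m.group(1))
            rules[current] = {}
        elif line == "next":
            current = None
        elif current is not None and (m := re.fullmatch(r"set (\S+) (.+)", line)):
            rules[current][m.group(1)] = m.group(2).strip().strip('"')
    return rules


def port_range(value: str) -> Tuple[int, int]:
    """'179-179' -> (179, 179); '0-0' is the CLI's 'any port' and yields (0, 0)."""
    lo, hi = value.split("-")
    return int(lo), int(hi)


def _pins_to_primary(rule: Rule, protocol: str) -> bool:
    """Enabled IP rule for this protocol whose action forwards to the primary FPM."""
    return (rule.get("status") == "enable" and rule.get("ether-type") == "ip"
            and rule.get("protocol") == protocol and rule.get("action") == "forward"
            and rule.get("forward-slot") == "master")


def check_pinned_to_primary(rules: Dict[int, Rule], protocol: str, port: int) -> List[str]:
    """List the directions of protocol/port that no enabled rule sends to the primary FPM.

    A wildcard range (0-0) does not count as pinning the port: the check wants an
    explicit src-port rule and an explicit dst-port rule, as for BGP on this page.
    """
    covered = {"src": False, "dst": False}
    for rule in rules.values():
        if not _pins_to_primary(rule, protocol):
            continue
        for side in covered:
            lo, hi = port_range(rule.get(f"{side}-l4port", "0-0"))
            if (lo, hi) != (0, 0) and lo <= port <= hi:
                covered[side] = True
    return [f"{protocol}/{port}: {side}-port direction is not forwarded to the primary FPM"
            for side, ok in covered.items() if not ok]


def pinning_rules(first_id: int, protocol: str, port: int, name: str, priority: int = 5) -> str:
    """Render the src/dst rule pair for one port in the CLI form used on this page."""
    sides = ((f"{port}-{port}", "0-0", "src"), ("0-0", f"{port}-{port}", "dst"))
    out = ["config load-balance flow-rule"]
    for rule_id, (src, dst, side) in zip((first_id, first_id + 1), sides):
        out += [f"    edit {rule_id}", "        set status enable", "        set vlan 0",
                "        set ether-type ip", f"        set protocol {protocol}",
                f"        set src-l4port {src}", f"        set dst-l4port {dst}"]
        if protocol == "tcp":
            out.append("        set tcp-flag any")  # tcp-flag only applies to TCP rules
        out += ["        set action forward", "        set forward-slot master",
                f"        set priority {priority}", f'        set comment "{name} {side}"',
                "    next"]
    out.append("end")
    return "\n".join(out)


if __name__ == "__main__":
    print(check_pinned_to_primary(parse_flow_rules(SAMPLE_CONFIG), "tcp", 179))
    print(pinning_rules(3, "tcp", 179, "bgp"))  # reproduces the rule pair on this page
```

Paste the output of show load-balance flow-rule into SAMPLE_CONFIG (or read it from a file) to audit a running unit; pinning_rules(3, "tcp", 179, "bgp") regenerates exactly the two rules shown above, and the same call with another protocol and port produces the pair needed for any other traffic type that must stay on the primary FPM. Rule IDs, priorities and the vlan setting are reproduced as on this page; on a FortiGate-7121F with FIM-7921Fs the vlan setting is ignored, so it carries no meaning there.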
