Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Products Best Practices Hardware Guides Products A-Z
Summary
By Solution
By 4D Pillars
By Cloud
Secure Networking
Unified SASE
Security Operations
Secure SD-WAN
Secure Access Service Edge (SASE)
ZTNA
LAN Edge
Identity and Access Management
Next Generation Firewall
Public Cloud
Private Cloud
FortiCloud
Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
    • More >>
    Unified SASE
  • Single Vendor SASE
  • Cloud Network Security
  • Secure Endpoint Connectivity
  • Web Application / API Protection
    • More >>
    Security Operations
  • Security Operations Automation
  • Identity
  • Early Detection & Prevention
    • More >>
    Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
  • Communication & Surveillance
    • Unified SASE
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Cloud Network Security
  • Cloud-Native Security
  • Web Application / API Protection
    • Security Operations
  • Security Operations Automation
  • Endpoint
  • Data Protection
  • Identity
  • Email
  • Early Detection & Prevention
  • Expert Services
  • Edge Firewall
  • Orchestration & management
  • SD Branch
  • Application Delivery
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Secure Private Access
  • Thin Edge
  • Identity
  • Application Gateway
  • Enterprise Asset Management
  • Endpoint Agent
  • Agentless Security Posture
  • Identity
  • Wireless
  • Switching
  • Identity
  • Privilege Acccess Management
  • Next Generation Firewall
  • Orchestration & management
  • Expert Services
  • All
  • All
  • Account Management
  • SAAS Management
  • SAAS Application Security
  • Managed Services
  • Platform as a service (PAAS)
  • Other SAAS Services
    • 4D Resources
    Solution Hubs
  • 4D Pillars
  • Cloud
  • Popular Solutions

    • Hardware Acceleration

    Home FortiGate / FortiOS 7.4.1 Hardware Acceleration
    7.4.1
    7.6.0
    7.4.5
    7.4.4
    7.4.3
    7.4.2
    7.4.1
    7.4.0
    7.2.10
    7.2.9
    7.2.8
    7.2.7
    7.2.6
    7.2.5
    7.2.4
    7.2.3
    7.2.2
    7.2.1
    7.2.0
    7.0.16
    7.0.15
    7.0.14
    7.0.13
    7.0.12
    7.0.11
    7.0.10
    7.0.9
    7.0.8
    7.0.7
    7.0.6
    7.0.5
    7.0.1
    7.0.0
    6.4.15
    6.4.14
    6.4.13
    6.4.12
    6.4.11
    6.4.10
    6.4.9
    6.4.8
    6.4.6
    6.4.5
    6.2.16
    6.2.15
    6.2.14
    6.2.13
    6.2.12
    6.2.9
    6.2.7
    6.0.18
    6.0.17
    6.0.16
    6.0.15
    6.0.14
    5.6.0

    Enhanced load balancing for LAG interfaces for NP6 platforms

    Enhanced load balancing for LAG interfaces for NP6 platforms

    For some LAG configurations with some network conditions on FortiGates with NP6 processors, you may find that packets are not evenly distributed among all of the interfaces in a LAG, leading to possible reduced performance. On FortiGate models that have an internal switch fabric (ISF) that supports modifying the distribution algorithm, you can configure enhanced hashing to help distribute traffic evenly across links on LAG interfaces. The enhanced hashing algorithm is based on a 5-tuple hash calculated from the IP Protocol, source IP address, destination IP address, source port number, and destination port number. You can also further improve distribution and performance by customizing the hashing algorithm.

    Note

    This feature is only supported by some FortiGate models with NP6 processors, including the FortiGate-1500D, 1500DT, 3000D, 3100D, 3200D, 3700D, and 5001D. In future releases this feature may be supported on more models.

    You can use the following command to enable and customize load balancing for LAG interfaces for NP6 platforms. This command is only available if your FortiGate supports this feature. Enabling this feature and adjusting the hashing algorithm can cause traffic disruptions.

    config system npu

    set lag-out-port-select {disable | enable}

    config sw-eh-hash

    set computation {xor4 | xor8 | xor16 | crc16}

    set ip-protocol {exclude | include}

    set source-ip-upper-16 {exclude | include}

    set source-ip-lower-16 {exclude | include}

    set destination-ip-upper-16 {exclude | include}

    set destination-ip-lower-16 {exclude | include}

    set source-port {exclude | include}

    set destination-port {exclude | include}

    set netmask-length <length>

    end

    lag-out-port-select enable enhanced load balancing for LAG interfaces. This option is disabled by default.

    config sw-eh-hash optionally configure how the ISF load balances sessions among interfaces in LAGs. The default hashing algorithm should work in most cases, but you can use the options of this command to adjust it.

    computation {xor4 | xor8 | xor16 | crc16} select the method used by the ISF to calculate the hash used to load balance sessions to LAGs.

    • xor16 use an XOR operator to create a 16-bit hash. This is the default setting.

    • xor8 use an XOR operator to create a 8-bit hash.

    • xor4 use an XOR operator to create a 4-bit hash.

    • crc16 use a CRC-16-CCITT polynomial to create a 16-bit hash.

    ip-protocol choose whether to include the IP protocol when calculating the hash. Included by default.

    source-ip-upper-16 choose whether to include the upper 16 bits of the source IP address when calculating the hash. Included by default.

    source-ip-lower-16 choose whether to include the lower 16 bits of the source IP address when calculating the hash. Included by default.

    destination-ip-upper-16 choose whether to include the upper 16 bits of the destination IP address when calculating the hash. Included by default.

    destination-ip-lower-16 choose whether to include the lower 16 bits of the destination IP address when calculating the hash. Included by default.

    source-port for TCP and UDP traffic, choose whether to include the source port number when calculating the hash. Included by default.

    destination-port for TCP and UDP traffic, choose whether to include the destination port number when calculating the hash. Included by default.

    netmask-length choose whether to include the network mask length when calculating the hash. Included by default.

    Previous
    Next

    Enhanced load balancing for LAG interfaces for NP6 platforms

    Enhanced load balancing for LAG interfaces for NP6 platforms

    For some LAG configurations with some network conditions on FortiGates with NP6 processors, you may find that packets are not evenly distributed among all of the interfaces in a LAG, leading to possible reduced performance. On FortiGate models that have an internal switch fabric (ISF) that supports modifying the distribution algorithm, you can configure enhanced hashing to help distribute traffic evenly across links on LAG interfaces. The enhanced hashing algorithm is based on a 5-tuple hash calculated from the IP Protocol, source IP address, destination IP address, source port number, and destination port number. You can also further improve distribution and performance by customizing the hashing algorithm.

    Note

    This feature is only supported by some FortiGate models with NP6 processors, including the FortiGate-1500D, 1500DT, 3000D, 3100D, 3200D, 3700D, and 5001D. In future releases this feature may be supported on more models.

    You can use the following command to enable and customize load balancing for LAG interfaces for NP6 platforms. This command is only available if your FortiGate supports this feature. Enabling this feature and adjusting the hashing algorithm can cause traffic disruptions.

    config system npu

    set lag-out-port-select {disable | enable}

    config sw-eh-hash

    set computation {xor4 | xor8 | xor16 | crc16}

    set ip-protocol {exclude | include}

    set source-ip-upper-16 {exclude | include}

    set source-ip-lower-16 {exclude | include}

    set destination-ip-upper-16 {exclude | include}

    set destination-ip-lower-16 {exclude | include}

    set source-port {exclude | include}

    set destination-port {exclude | include}

    set netmask-length <length>

    end

    lag-out-port-select enable enhanced load balancing for LAG interfaces. This option is disabled by default.

    config sw-eh-hash optionally configure how the ISF load balances sessions among interfaces in LAGs. The default hashing algorithm should work in most cases, but you can use the options of this command to adjust it.

    computation {xor4 | xor8 | xor16 | crc16} select the method used by the ISF to calculate the hash used to load balance sessions to LAGs.

    • xor16 use an XOR operator to create a 16-bit hash. This is the default setting.

    • xor8 use an XOR operator to create a 8-bit hash.

    • xor4 use an XOR operator to create a 4-bit hash.

    • crc16 use a CRC-16-CCITT polynomial to create a 16-bit hash.

    ip-protocol choose whether to include the IP protocol when calculating the hash. Included by default.

    source-ip-upper-16 choose whether to include the upper 16 bits of the source IP address when calculating the hash. Included by default.

    source-ip-lower-16 choose whether to include the lower 16 bits of the source IP address when calculating the hash. Included by default.

    destination-ip-upper-16 choose whether to include the upper 16 bits of the destination IP address when calculating the hash. Included by default.

    destination-ip-lower-16 choose whether to include the lower 16 bits of the destination IP address when calculating the hash. Included by default.

    source-port for TCP and UDP traffic, choose whether to include the source port number when calculating the hash. Included by default.

    destination-port for TCP and UDP traffic, choose whether to include the destination port number when calculating the hash. Included by default.

    netmask-length choose whether to include the network mask length when calculating the hash. Included by default.

    Previous
    Next