Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Products Best Practices Hardware Guides Products A-Z
Summary
By Solution
By 4D Pillars
By Cloud
Secure Networking
Unified SASE
Security Operations
Secure SD-WAN
Secure Access Service Edge (SASE)
ZTNA
LAN Edge
Identity and Access Management
Next Generation Firewall
Public Cloud
Private Cloud
FortiCloud
Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
    • More >>
    Unified SASE
  • Single Vendor SASE
  • Cloud Network Security
  • Secure Endpoint Connectivity
  • Web Application / API Protection
    • More >>
    Security Operations
  • Security Operations Automation
  • Identity
  • Early Detection & Prevention
    • More >>
    Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
  • Communication & Surveillance
    • Unified SASE
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Cloud Network Security
  • Cloud-Native Security
  • Web Application / API Protection
    • Security Operations
  • Security Operations Automation
  • Endpoint
  • Data Protection
  • Identity
  • Email
  • Early Detection & Prevention
  • Expert Services
  • Edge Firewall
  • Orchestration & management
  • SD Branch
  • Application Delivery
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Secure Private Access
  • Thin Edge
  • Identity
  • Application Gateway
  • Enterprise Asset Management
  • Endpoint Agent
  • Agentless Security Posture
  • Identity
  • Wireless
  • Switching
  • Identity
  • Privilege Acccess Management
  • Next Generation Firewall
  • Orchestration & management
  • Expert Services
  • All
  • All
  • Account Management
  • SAAS Management
  • SAAS Application Security
  • Managed Services
  • Platform as a service (PAAS)
  • Other SAAS Services
    • 4D Resources
    Solution Hubs
  • 4D Pillars
  • Cloud
  • Popular Solutions

    • Administration Guide

    Home FortiSwitch 7.2.7 Administration Guide
    7.2.7
    7.2.8
    7.2.7
    7.2.6
    7.2.5
    7.2.4
    7.2.3
    7.2.2
    7.2.1
    7.2.0
    7.0.9
    7.0.8
    7.0.6
    7.0.4
    7.0.3
    7.0.2
    7.0.1
    7.0.0
    6.4.11
    6.4.6
    6.4.5
    6.4.3
    6.4.2
    6.4.0
    6.2.5
    6.2.2
    6.2.1
    6.2.0

    Multi-stage load balance

    Multi-stage load balance

    You can use a FortiSwitch unit to configure multi-stage load balancing on a set of FortiGate units. This capability allows you to scale security processing while maintaining a simple basic architecture. This configuration is commonly referred to a “firewall sandwich.”

    Because the FortiGate unit provides session-aware analysis, the load distribution algorithm must be symmetric (traffic for a given session, in both directions, must all traverse the same FortiGate unit).

    For larger scale deployment, the topology uses multiple layers of load distribution to allow for far larger numbers of FortiGate devices.

    The hash at the first and second stages must be symmetric. The two stages must provide different hashing results.

    Configuring the trunk ports

    Use the following commands to configure the trunk members and set the port-selection criteria:

    config switch trunk

    edit <trunk name>

    set description <description_string>

    set members <ports>

    set mode {fortinet-trunk | lacp-active | lacp-passive | static}

    set port-selection-criteria src-dst-ip-xor16

    end

    end

    Heartbeats

    When in Fortinet-trunk mode, Heartbeat capability is enabled. Heartbeat messages monitor the status of FortiGate units. If one is unavailable, the FortiSwitch unit stops sending traffic to that FortiGate unit until the FortiGate unit becomes available.

    If you enable hb-verify, each received heartbeat frame will be validated to match the signature (transmit-port plus switch serial number) and the following configured heartbeat parameters:

    • hb-in-vlan
    • hb-src-ip
    • hb-dst-ip
    • hb-src-upd-port
    • hb-dst-udp-port

    The destination MAC address of the heartbeat frame is set by default to 02:80:c2:00:00:02. You can change the value to any MAC address that is not a broadcast or multicast MAC address.

    Configuring heartbeats

    Configure the heartbeat fields using trunk configuration commands, as shown in this section. By default, all of the configurable values are set to zero, and hb-verify is disabled.

    Set the mode to forti-hb and set the heartbeat loss limit to a value between 3 and 32.

    The heartbeat will transmit at 1-second intervals on any link in the trunk that is up. This value is not configurable.

    The heartbeat frame has configurable parameters for the layer-3 source and destination addresses and the layer-4 UDP ports. You must also specify the transmit and receive VLANs.

    config switch trunk

    edit hb-trunk

    set mode fortinet-trunk

    set members <port> [<port>] ... [<port>]

    set hb-loss-limit <3-32>

    set hb-out-vlan <int>

    set hb-in-vlan <int>

    set hb-src-ip <x.x.x.x>

    set hb-dst-ip <x.x.x.x>

    set hb-src-udp-port <int>

    set hb-dst-udp-port <int>

    set hb-verify [ enable | disable ]

    end

    Use the following command to configure the destination MAC address:

    config switch global

    set forti-trunk-dmac <mac address>

    end

    Example

    The following example creates trunk tr1 with heartbeat capability:

    config switch trunk

    edit "tr1"

    set mode fortinet-trunk

    set members "port1" "port2"

    set hb-out-vlan 300

    set hb-in-vlan 500

    set hb-src-ip 10.105.7.200

    set hb-dst-ip 10.105.7.199

    set hb-src-udp-port 12345

    set hb-dst-udp-port 54321

    set hb-verify enable

    next

    end

    Previous
    Next

    Multi-stage load balance

    Multi-stage load balance

    You can use a FortiSwitch unit to configure multi-stage load balancing on a set of FortiGate units. This capability allows you to scale security processing while maintaining a simple basic architecture. This configuration is commonly referred to a “firewall sandwich.”

    Because the FortiGate unit provides session-aware analysis, the load distribution algorithm must be symmetric (traffic for a given session, in both directions, must all traverse the same FortiGate unit).

    For larger scale deployment, the topology uses multiple layers of load distribution to allow for far larger numbers of FortiGate devices.

    The hash at the first and second stages must be symmetric. The two stages must provide different hashing results.

    Configuring the trunk ports

    Use the following commands to configure the trunk members and set the port-selection criteria:

    config switch trunk

    edit <trunk name>

    set description <description_string>

    set members <ports>

    set mode {fortinet-trunk | lacp-active | lacp-passive | static}

    set port-selection-criteria src-dst-ip-xor16

    end

    end

    Heartbeats

    When in Fortinet-trunk mode, Heartbeat capability is enabled. Heartbeat messages monitor the status of FortiGate units. If one is unavailable, the FortiSwitch unit stops sending traffic to that FortiGate unit until the FortiGate unit becomes available.

    If you enable hb-verify, each received heartbeat frame will be validated to match the signature (transmit-port plus switch serial number) and the following configured heartbeat parameters:

    • hb-in-vlan
    • hb-src-ip
    • hb-dst-ip
    • hb-src-upd-port
    • hb-dst-udp-port

    The destination MAC address of the heartbeat frame is set by default to 02:80:c2:00:00:02. You can change the value to any MAC address that is not a broadcast or multicast MAC address.

    Configuring heartbeats

    Configure the heartbeat fields using trunk configuration commands, as shown in this section. By default, all of the configurable values are set to zero, and hb-verify is disabled.

    Set the mode to forti-hb and set the heartbeat loss limit to a value between 3 and 32.

    The heartbeat will transmit at 1-second intervals on any link in the trunk that is up. This value is not configurable.

    The heartbeat frame has configurable parameters for the layer-3 source and destination addresses and the layer-4 UDP ports. You must also specify the transmit and receive VLANs.

    config switch trunk

    edit hb-trunk

    set mode fortinet-trunk

    set members <port> [<port>] ... [<port>]

    set hb-loss-limit <3-32>

    set hb-out-vlan <int>

    set hb-in-vlan <int>

    set hb-src-ip <x.x.x.x>

    set hb-dst-ip <x.x.x.x>

    set hb-src-udp-port <int>

    set hb-dst-udp-port <int>

    set hb-verify [ enable | disable ]

    end

    Use the following command to configure the destination MAC address:

    config switch global

    set forti-trunk-dmac <mac address>

    end

    Example

    The following example creates trunk tr1 with heartbeat capability:

    config switch trunk

    edit "tr1"

    set mode fortinet-trunk

    set members "port1" "port2"

    set hb-out-vlan 300

    set hb-in-vlan 500

    set hb-src-ip 10.105.7.200

    set hb-dst-ip 10.105.7.199

    set hb-src-udp-port 12345

    set hb-dst-udp-port 54321

    set hb-verify enable

    next

    end

    Previous
    Next