FortiGate-7000 Load balancing commands
The most notable difference between a FortiGate-7000 and other FortiGates is the set of commands described in this section for configuring load balancing. The following commands are available:
    config load-balance flow-rule
    config load-balance setting
In most cases you do not have to use these commands. However, they are available to customize some aspects of load balancing.
config load-balance flow-rule
Use this command to add flow rules that add exceptions to how matched traffic is processed by a FortiGate-7000. Specifically, you can use these rules to match a type of traffic and control whether the traffic is forwarded or blocked, and if the traffic is forwarded, whether to forward it to a specific FPM or to all FPMs. Unlike firewall policies, load-balance rules are not stateful, so for bi-directional traffic you may need to define two flow rules to match both traffic directions (forward and reverse).
One common use of this command is to control how traffic that is not load balanced is handled. For example, use the following command to send all GRE traffic to the processor module in slot 4. In this example the GRE traffic is received by FortiGate-7000 front panel ports 1C1 and 1C5:
    config load-balance flow-rule
        edit 0
            set src-interface 1c1 1c5
            set ether-type ip
            set protocol gre
            set action forward
            set forward-slot 4
        end
The default configuration includes a number of flow rules that send traffic such as BGP traffic, DHCP traffic and so on to the primary worker. This is traffic that cannot be load balanced and is therefore processed only by the primary worker.
Syntax
    config load-balance flow-rule
        edit 0
            set status {disable | enable}
            set src-interface <interface-name> [<interface-name> ...]
            set vlan <vlan-id>
            set ether-type {any | arp | ip | ipv4 | ipv6}
            set src-addr-ipv4 <ip-address> <netmask>
            set dst-addr-ipv4 <ip-address> <netmask>
            set src-addr-ipv6 <ip-address> <netmask>
            set dst-addr-ipv6 <ip-address> <netmask>
            set protocol {any | icmp | tcp | udp | igmp | sctp | gre | esp | ah | ospf | pim | vrrp}
            set src-l4port <start>[-<end>]
            set dst-l4port <start>[-<end>]
            set action {forward | mirror-ingress | mirror-egress | stats | drop}
            set mirror-interface <interface-name>
            set forward-slot {master | all | load-balance | FPM3 | FPM4 | FPM5 | FPM6}
            set priority <number>
            set comment <text>
        end
status {disable | enable}
Enable or disable this flow rule. Default for a new flow-rule is disable.
src-interface <interface-name> [<interface-name> ...]
The names of one or more FIM front panel interfaces accepting the traffic to be subject to the flow rule.
vlan <vlan-id>
If the traffic matching the rule is VLAN traffic, enter the VLAN ID used by the traffic.
ether-type {any | arp | ip | ipv4 | ipv6}
The type of traffic to be matched by the rule. You can match any traffic (the default) or just match ARP, IP, IPv4, or IPv6 traffic.
{src-addr-ipv4 | dst-addr-ipv4 | src-addr-ipv6 | dst-addr-ipv6} <ip-address> <netmask>
The source and destination address of the traffic to be matched. The default of 0.0.0.0 0.0.0.0 matches all traffic.
protocol {any | icmp | tcp | udp | igmp | sctp | gre | esp | ah | ospf | pim | vrrp}
If ether-type is set to ip, ipv4, or ipv6, specify the protocol of the IP traffic to match the rule. The default is any.
{src-l4port | dst-l4port} <start>[-<end>]
Specify a source port range and a destination port range. This option appears only for some protocol settings, for example when protocol is set to tcp or udp. The default range is 0-0.
action {forward | mirror-ingress | mirror-egress | stats | drop}
How to handle matching packets. They can be dropped, forwarded to another destination, mirrored, or you can record statistics about the traffic for later analysis. You can combine two or three settings in one command; for example, you can set action to both forward and stats to forward the traffic and collect statistics about it. Use append to add multiple options.
The default action is forward.
The mirror-ingress option copies (mirrors) all ingress packets that match this flow rule and sends them to the interface specified with the mirror-interface option.
The mirror-egress option copies (mirrors) all egress packets that match this flow rule and sends them to the interface specified with the mirror-interface option.
mirror-interface <interface-name>
The name of the interface to which packets matched by this flow rule are sent when action is set to mirror-ingress or mirror-egress.
forward-slot {master | all | load-balance | FPM3 | FPM4 | FPM5 | FPM6}
The worker to forward traffic that matches this rule to. master forwards the traffic to the worker that is operating as the primary worker (usually the FPM module in slot 3). all forwards the traffic to all workers. load-balance uses the default load balancing configuration to handle this traffic. FPM3, FPM4, FPM5 and FPM6 forward the matching traffic to a specific FPM module: FPM3 is the FPM module in slot 3, FPM4 is the FPM module in slot 4, and so on.
priority <number>
Set the priority of the flow rule in the range 1 (highest priority) to 10 (lowest priority). Higher priority rules are matched first. You can use the priority to control which rule is matched first if you have overlapping rules.
comment <text>
Optionally add a comment that describes the rule.
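As an added illustration (not Fortinet code) of the flow-rule semantics described above: a small model of how enabled rules are matched statelessly per packet, ordered by priority, with the page's GRE example pinned to slot 4 and a constructed overlapping rule for port 1C5. Packet and interface names other than 1c1/1c5 are constructed test data.

```python
from dataclasses import dataclass

@dataclass
class FlowRule:
    src_interface: frozenset = frozenset()  # empty = match any ingress interface
    ether_type: str = "any"
    protocol: str = "any"
    dst_l4port: tuple = (0, 0)              # 0-0 is the page's "any port" default
    action: str = "forward"
    forward_slot: str = "load-balance"
    priority: int = 10                      # 1 = highest, 10 = lowest
    status: str = "disable"                 # a new flow rule defaults to disable

@dataclass
class Packet:
    ingress: str                            # front panel port the packet arrived on
    ether_type: str
    protocol: str = "any"
    dst_port: int = 0

def matches(rule, pkt):
    """Stateless match of one packet against one rule: every set field must agree."""
    if rule.status != "enable":
        return False
    if rule.src_interface and pkt.ingress not in rule.src_interface:
        return False
    if rule.ether_type != "any" and rule.ether_type != pkt.ether_type:
        return False
    if rule.protocol != "any" and rule.protocol != pkt.protocol:
        return False
    lo, hi = rule.dst_l4port
    return (lo, hi) == (0, 0) or lo <= pkt.dst_port <= hi

def dispatch(rules, pkt):
    """Return (action, forward-slot) from the highest-priority matching rule;
    with no match the packet falls through to default load balancing."""
    for rule in sorted(rules, key=lambda r: r.priority):
        if matches(rule, pkt):
            return rule.action, rule.forward_slot
    return "forward", "load-balance"

# The page's GRE example: GRE entering 1C1 or 1C5 is pinned to the FPM in slot 4.
GRE_TO_SLOT4 = FlowRule(frozenset({"1c1", "1c5"}), "ip", "gre",
                        forward_slot="FPM4", priority=5, status="enable")
# Constructed overlapping rule: GRE on 1C5 only goes to the primary worker instead.
GRE_1C5_MASTER = FlowRule(frozenset({"1c5"}), "ip", "gre",
                          forward_slot="master", priority=1, status="enable")
```

Because matching is per packet, a GRE reply arriving on a port not listed in src-interface falls through to default load balancing, which is why the page recommends a second rule for the reverse direction.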
config load-balance setting
Use this command to set a wide range of load balancing settings.
    config load-balance setting
        set gtp-load-balance {disable | enable}
        set max-miss-heartbeats <heartbeats>
        set max-miss-mgmt-heartbeats <heartbeats>
        set weighted-load-balance {disable | enable}
        set dp-load-distribution-method {round-robin | src-ip | dst-ip | src-dst-ip | src-ip-sport | dst-ip-dport | src-dst-ip-sport-dport}
        config workers
            edit 3
                set status enable
                set weight 5
            end
    end
gtp-load-balance {disable | enable}
Enable GTP load balancing for FortiGate-7000 configurations licensed for FortiOS Carrier.
max-miss-heartbeats <heartbeats>
Set the number of missed heartbeats before a worker is considered to have failed. If this many heartbeats are not received from a worker, this indicates that the worker is not able to process data traffic and no more traffic will be sent to this worker.
The time between heartbeats is 0.2 seconds. Range is 3 to 300. 3 means 0.6 seconds, 10 (the default) means 2 seconds, and 300 means 60 seconds.
max-miss-mgmt-heartbeats <heartbeats>
Set the number of missed management heartbeats before a worker is considered to have failed. If a management heartbeat fails, there is a communication problem between a worker and the other workers. This communication problem means the worker may not be able to synchronize configuration changes, sessions, the kernel routing table, the bridge table and so on with other workers. If a management heartbeat failure occurs, no traffic will be sent to the worker.
The time between management heartbeats is 1 second. Range is 3 to 300 seconds. The default is 20 seconds.
weighted-load-balance {disable | enable}
Enable weighted load balancing depending on the slot weight. Use the config slot command to set the weight for each slot.
dp-load-distribution-method {round-robin | src-ip | dst-ip | src-dst-ip | src-ip-sport | dst-ip-dport | src-dst-ip-sport-dport}
Set the method used to distribute sessions among workers. Usually you only need to change the method if you have specific requirements or find that the default method is not distributing sessions in the manner you would prefer. The default is src-dst-ip-sport-dport, which means sessions are identified by their source address and port and destination address and port.
    round-robin: Directs new requests to the next slot regardless of response time or number of connections.
    src-ip: Traffic load is distributed across all slots according to source IP address.
    dst-ip: Traffic load is statically distributed across all slots according to destination IP address.
    src-dst-ip: Traffic load is distributed across all slots according to the source and destination IP addresses.
    src-ip-sport: Traffic load is distributed across all slots according to the source IP address and source port.
    dst-ip-dport: Traffic load is distributed across all slots according to the destination IP address and destination port.
    src-dst-ip-sport-dport: Traffic load is distributed across all slots according to the source and destination IP address, source port, and destination port. This is the default load balance schedule and represents true session-aware load balancing.
config workers
Set the weight and enable or disable each worker. Use the edit command to specify the slot the worker is installed in. You can enable or disable each worker and set each worker’s weight.
The weight range is 1 to 10. 5 is average, 1 is -80% of average and 10 is +100% of average. The weights take effect if weighted-load-balance is enabled.
    config workers
        edit 3
            set status enable
            set weight 5
        end
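To make the dp-load-distribution-method and config workers descriptions above concrete, here is an added model (not FortiOS code) of which packet fields identify a session under each hashed method, and of how enabled workers and their weights shape the slot a session is assigned to. The crc32 hash, the worker set and the flows are constructed assumptions; the real FPM hash is not documented on this page.

```python
import zlib

# Fields that identify a session under each hashed method on this page
# (round-robin does not hash on packet fields and is not modelled here).
METHOD_FIELDS = {
    "src-ip": ("src_ip",),
    "dst-ip": ("dst_ip",),
    "src-dst-ip": ("src_ip", "dst_ip"),
    "src-ip-sport": ("src_ip", "sport"),
    "dst-ip-dport": ("dst_ip", "dport"),
    "src-dst-ip-sport-dport": ("src_ip", "dst_ip", "sport", "dport"),  # default
}

def session_key(method, pkt):
    """Return the tuple of packet fields the method uses to identify a session."""
    return tuple(pkt[f] for f in METHOD_FIELDS[method])

def weight_vs_average(weight):
    """Percent above/below the average worker share implied by a weight of 1..10,
    reproducing the page's figures: 5 = average, 1 = -80%, 10 = +100%."""
    return (weight - 5) / 5 * 100

def slot_table(workers, weighted):
    """Selection table over enabled workers. With weighted-load-balance a slot
    appears weight times, so its share is proportional to its weight."""
    table = []
    for slot, (status, weight) in sorted(workers.items()):
        if status == "enable":
            table += [slot] * (weight if weighted else 1)
    return table

def pick_slot(method, pkt, workers, weighted=False):
    """Hash the session key onto the table. crc32 is a constructed stand-in
    for the FPM hash, not the FortiOS algorithm."""
    table = slot_table(workers, weighted)
    key = "|".join(str(v) for v in session_key(method, pkt))
    return table[zlib.crc32(key.encode()) % len(table)]

# Constructed workers: FPMs in slots 3 and 4 enabled, slot 5 disabled.
WORKERS = {3: ("enable", 5), 4: ("enable", 10), 5: ("disable", 5)}
# Constructed flows: one client opening 50 HTTPS sessions to different servers.
FLOWS = [{"src_ip": "10.0.0.5", "dst_ip": "198.51.100.%d" % i,
          "sport": 40000 + i, "dport": 443} for i in range(50)]
```

Under src-ip every one of the client's sessions lands on a single worker, so one busy source can load one FPM while others idle; the default five-tuple method spreads the same sessions across the enabled workers.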