FortiController-5913C system
FortiController-5913C session-aware load balancing (SALB)
FortiController-5913C Session-Aware Load Balancing Cluster (SLBC) System Guide
10-500-259409-20160210
As a session-aware load balancer, the FortiController-5913C maintains the state for each
session and is capable of directing any session to any worker installed in the same
chassis. This session-awareness means that all traffic being processed by a specific
worker continues to be processed by the same worker. Session-awareness also means
that more complex networking features such as network address translation (NAT),
fragmented packets, complex UDP protocols, and complex protocols such as SIP that
use pinholes, can be load balanced by the cluster.
In a FortiController-5913C load balanced cluster, when a worker that is processing SIP
traffic creates a pinhole, this information is communicated to the FortiController-5913C.
The FortiController-5913C then knows to distribute the voice and media sessions to this
worker.
The FortiController-5913C supports adding and removing workers from the cluster, so
you can start with a small number of workers and add more as your requirements grow.
When a new worker is added to a chassis slot and switched to forticontroller mode, the
cluster automatically detects it, synchronizes its configuration, and begins sending new
sessions to it, while maintaining existing sessions on the workers that were already in the
cluster. If a worker fails or is removed from the cluster, the FortiController-5913C detects
its absence and re-balances and redistributes sessions to the remaining workers.
The FortiController-5913C supports the following single-chassis SALB configurations:
• One FortiController-5913C and up to 12 workers. The FortiController-5913C receives
  all sessions and load balances them to the workers. If the FortiController-5913C fails,
  the cluster fails.
• Two FortiController-5913Cs in HA mode and up to 12 workers. The primary
  FortiController-5913C receives all sessions and load balances them to the workers. If
  the primary FortiController-5913C fails, the backup FortiController-5913C takes its
  place.
• Two FortiController-5913Cs in dual mode and up to 12 workers. Both
  FortiController-5913Cs receive and load balance sessions to the workers. If a
  FortiController-5913C fails, the other FortiController-5913C continues to operate. All
  sessions processed by the failed FortiController-5913C are lost.
• Four FortiController-5913Cs and up to 10 workers in a chassis with dual dual star
  architecture (such as the FortiGate-5144C). The FortiController-5913Cs in slots 1 and
  2 receive and load balance sessions to the workers. The FortiController-5913Cs in
  slots 1 and 3 and the FortiController-5913Cs in slots 2 and 4 form redundant pairs. If
  the FortiController-5913C in slot 1 fails, the FortiController-5913C in slot 3 takes over.
  If the FortiController-5913C in slot 2 fails, the FortiController-5913C in slot 4 takes
  over.
The SIP protocol uses known SIP ports for control traffic but dynamically uses a wide
range of ports for voice and other media traffic. To successfully pass SIP traffic through
a firewall, the firewall must use a session helper or application gateway to look inside the
SIP control traffic and determine the ports to open for voice and media. To allow the
voice and media traffic, the firewall temporarily opens these ports, creating what’s
known as a pinhole that temporarily allows traffic on a port as determined by the SIP
control traffic. The pinhole is closed when the voice or media session ends.
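The following added example is not from this guide and is not FortiController code. It is a toy model of the behaviour described above: a session helper reads the SDP body of a SIP message to find the media pinhole, the worker reports it, and the load balancer sends the matching media session to that same worker. The names `sdp_pinholes` and `Balancer`, the CRC32 placement of new sessions, and the sample INVITE are assumptions made for illustration; only an IPv4 session-level `c=` line is handled.

```python
import re
import zlib

# Constructed SIP INVITE with an SDP offer (RFC 5737 documentation addresses).
SAMPLE_INVITE = (
    "INVITE sip:bob@example.com SIP/2.0\r\n"
    "Content-Type: application/sdp\r\n\r\n"
    "v=0\r\nc=IN IP4 192.0.2.10\r\nm=audio 49170 RTP/AVP 0\r\n"
)

def sdp_pinholes(sip_message):
    """Media (ip, port) endpoints a session helper would open from the SDP body."""
    body = sip_message.partition("\r\n\r\n")[2]
    conn = re.search(r"^c=IN IP4 (\S+)", body, re.M)
    ports = re.findall(r"^m=\w+ (\d+) ", body, re.M)
    return [(conn.group(1), int(p)) for p in ports] if conn else []

class Balancer:
    """Toy model of session-aware distribution (hypothetical, not FortiController code)."""

    def __init__(self, workers):
        self.workers = list(workers)
        self.sessions = {}   # flow 5-tuple -> worker that owns the session
        self.pinholes = {}   # (dst_ip, dst_port) -> worker that reported the pinhole

    def _pick(self, flow):
        # Stateless choice for a brand-new session; CRC32 keeps the demo deterministic.
        return self.workers[zlib.crc32(repr(flow).encode()) % len(self.workers)]

    def dispatch(self, flow):
        """flow = (src_ip, src_port, dst_ip, dst_port, proto); returns the worker."""
        if flow not in self.sessions:
            # Media aimed at a reported pinhole follows the worker holding the SIP dialog.
            owner = self.pinholes.get((flow[2], flow[3])) or self._pick(flow)
            self.sessions[flow] = owner
        return self.sessions[flow]

    def report_pinholes(self, worker, sip_message):
        for endpoint in sdp_pinholes(sip_message):
            self.pinholes[endpoint] = worker

    def add_worker(self, worker):
        self.workers.append(worker)   # existing sessions stay where they are

    def remove_worker(self, worker):
        self.workers.remove(worker)
        self.pinholes = {e: w for e, w in self.pinholes.items() if w != worker}
        for flow, owner in self.sessions.items():
            if owner == worker:       # redistribute only the orphaned sessions
                self.sessions[flow] = self._pick(flow)
```

Without the pinhole table, the media flow would be placed by `_pick` alone and could land on a worker that has no record of the SIP dialog and therefore no open pinhole for it.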
Session-aware load balancing does not support traffic shaping.