FortiGate-7000 Load balancing commands
The most notable difference between a FortiGate-7000 and other FortiGates is the set of commands described in this
section for configuring load balancing. The following commands are available:
config load-balance flow-rule
config load-balance setting
In most cases you do not have to use these commands. They are available to customize some aspects of load
balancing when the default behavior does not fit your deployment.
config load-balance flow-rule
Use this command to add flow rules that define exceptions to how matched traffic is processed by a FortiGate-7000.
A flow rule matches a type of traffic and controls whether that traffic is forwarded or blocked. If the traffic is
forwarded, the rule specifies whether to forward it to a specific FPM or to all FPMs. Unlike firewall policies,
load-balance flow rules are not stateful: each rule matches only the packets it is given and does not track the
session, so for bi-directional traffic you may need to define two flow rules, one for each direction (forward and
reverse).
One common use of this command is to control how traffic that cannot be load balanced is handled. For example, use
the following command to send all GRE traffic to the FPM in slot 4. In this example the GRE traffic is received by
FortiGate-7000 front panel ports 1C1 and 1C5:
config load-balance flow-rule
    edit 0
        set src-interface 1c1 1c5
        set ether-type ip
        set protocol gre
        set action forward
        set forward-slot 4
end
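The two-direction pairing the text describes, as an added example that is not part of the Fortinet document: two flow rules that pin an SSH session between a constructed management subnet (10.1.1.0/24 behind front panel port 1c1) and a constructed server (10.2.2.10 behind port 1c5) to the FPM in slot 3. The addresses, port numbers and slot number are assumptions chosen for illustration. The first rule matches the client-to-server direction by destination port 22; the second matches the reply direction by swapping the source and destination addresses, swapping the ingress interface, and matching on src-l4port instead of dst-l4port, because a flow rule is not stateful and will not recognise the return packets of a session it matched in the other direction.

```fortios
config load-balance flow-rule
    edit 0
        set status enable
        set src-interface 1c1
        set ether-type ip
        set src-addr-ipv4 10.1.1.0 255.255.255.0
        set dst-addr-ipv4 10.2.2.10 255.255.255.255
        set protocol tcp
        set dst-l4port 22
        set action forward
        set forward-slot 3
    next
    edit 0
        set status enable
        set src-interface 1c5
        set ether-type ip
        set src-addr-ipv4 10.2.2.10 255.255.255.255
        set dst-addr-ipv4 10.1.1.0 255.255.255.0
        set protocol tcp
        set src-l4port 22
        set action forward
        set forward-slot 3
    next
end
```

Both rules must name the same forward-slot. If only the forward direction is pinned, the reply packets are handled by the default load balancing and can land on a different FPM than the one holding the session, which is the asymmetric flow the pair is meant to avoid. `edit 0` asks the CLI to allocate the next free rule ID; run `show load-balance flow-rule` afterwards to see the IDs that were assigned and confirm both rules are present and enabled.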
The default configuration includes a number of flow rules that send traffic such as BGP and DHCP traffic to the
primary worker. This is traffic that cannot be load balanced, so it is processed by the primary worker instead of
being distributed across the FPMs.
Syntax
config load-balance flow-rule
    edit 0
        set status {disable | enable}
        set src-interface <interface-name> [<interface-name>...]
        set vlan <vlan-id>
        set ether-type {any | arp | ip | ipv4}
        set src-addr-ipv4 <ip-address> <netmask>
        set dst-addr-ipv4 <ip-address> <netmask>
        set src-addr-ipv6 <ip-address> <netmask>
        set dst-addr-ipv6 <ip-address> <netmask>
        set protocol {any | icmp | tcp | udp | igmp | sctp | gre | esp | ah | ospf | pim | vrrp}
        set src-l4port <start>[-<end>]
        set dst-l4port <start>[-<end>]
FortiGate-7000
Fortinet Technologies Inc.
82