Vefa
Staff
March 11, 2026

Technical Tip: Configuring VDOM-Based Session Limits for Customers on FortiGate 6000/7000 Chassis

Description

This article describes how to configure a VDOM-based session limit for customers on the FortiGate 6000/7000 chassis. It also describes how the session limit is calculated across FPM modules.

Scope

FortiGate 6000 Series.
FortiGate 7000 Series.

Solution

A VDOM-based session limit can also be configured on the FortiGate 6000/7000, as shown below:

 

config system vdom-property
    edit <vdom>
        set session <max>
    next
end

 

The value configured here limits the concurrent forward session count. It is calculated separately for each FPM. In other words, each FPM is limited to the configured number of sessions.


For example, if the session limit is set to '2000' on a chassis with 3 FPM modules, a maximum of 6000 sessions can be created.


Local sessions do not count toward the session limit. The diagnose system session stat command also shows local sessions, so the total session count can appear higher than the configured VDOM session limit.

 

Expectation sessions are counted toward this limit. If the session count reaches the limit, expectation session packets are also dropped.

 

If the session limit is reached, FortiGate generates a 'VDOM resource limit exceeded' event log. Packets for new sessions are also dropped, but FortiGate does not create a separate log for those drops.

 

Notes:

  • The load-balancing method of the FIMs can affect how traffic is distributed among the FPMs. Use the config load-balance setting command to view the current load-balancing settings. The selected dp-load-distribution-method setting applies to TCP, UDP, and SCTP sessions. IPv4 ICMP.
  • Depending on the config load-balance flow-rule configuration, the FIM can forward specific traffic only to the primary FPM.
  • By default, all ICMP traffic is redirected to the primary FPM. This can be changed by setting dp-icmp-distribution-method under config load-balance setting.
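
The per-FPM accounting described above can be checked with a short script. This is an added example, not Fortinet code: it shows that one FPM can reach the limit and start dropping new sessions while the chassis-wide count is still far below limit × FPM count. The FPM names, the counter field names and the sample numbers are constructed, and treating forward and expectation sessions as separate counters is an assumption of the example.

```python
def evaluate_vdom_limit(limit, fpm_counters, warn_ratio=0.9):
    """Evaluate a VDOM 'set session <max>' value against per-FPM counters.

    fpm_counters maps an FPM name to a dict with 'forward', 'expectation'
    and 'local' session counts (hypothetical field names for this example).
    Forward and expectation sessions count toward the limit; local ones do not.
    """
    report = {"chassis_max": limit * len(fpm_counters), "fpms": {},
              "counted_total": 0, "displayed_total": 0}
    for name, c in sorted(fpm_counters.items()):
        counted = c["forward"] + c["expectation"]
        # A total that includes local sessions can exceed the configured limit.
        displayed = counted + c["local"]
        if counted >= limit:
            state = "at-limit"   # new sessions landing on this FPM are dropped
        elif counted >= warn_ratio * limit:
            state = "warning"
        else:
            state = "ok"
        report["fpms"][name] = {"counted": counted, "displayed": displayed,
                                "headroom": max(limit - counted, 0),
                                "state": state}
        report["counted_total"] += counted
        report["displayed_total"] += displayed
    report["dropping"] = [n for n, f in report["fpms"].items()
                          if f["state"] == "at-limit"]
    return report


# Constructed sample: limit 2000, three FPMs, traffic skewed toward one FPM
# (for example by a flow rule or ICMP being sent to the primary FPM).
SAMPLE = {
    "fpm1": {"forward": 1950, "expectation": 50, "local": 40},
    "fpm2": {"forward": 600, "expectation": 10, "local": 35},
    "fpm3": {"forward": 580, "expectation": 5, "local": 30},
}

if __name__ == "__main__":
    r = evaluate_vdom_limit(2000, SAMPLE)
    print(f"chassis max {r['chassis_max']}, counted {r['counted_total']}, "
          f"displayed {r['displayed_total']}, dropping on {r['dropping']}")
    for name, f in r["fpms"].items():
        print(f"{name}: {f['state']:8} counted={f['counted']} "
              f"displayed={f['displayed']} headroom={f['headroom']}")
```

When sizing the limit for a customer VDOM, the per-FPM headroom is the figure to watch, since the 'VDOM resource limit exceeded' event is driven by the busiest FPM rather than by the chassis total.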