FortiGate
alif
Article Id 191149

Description

 

This article describes how to modify the ECMP load-balancing algorithms for both IPv4 and IPv6.

 

Scope

 

FortiGate.

Solution

 
Equal cost multi-path (ECMP) is a mechanism that allows a FortiGate to load-balance routed traffic over multiple gateways. 
Just like routes in a routing table, ECMP is considered after policy routing, so any matching policy routes will take precedence over ECMP.
 
ECMP prerequisites are as follows.
 
  • Routes must have the same destination and costs. In the case of static routes, costs include distance and priority.
  • Routes are sourced from the same routing protocol. Supported protocols include static routing, OSPF, and BGP.
 
By default, both IPv4 and IPv6 use source-IP-based algorithms for ECMP. Note that ECMP settings can be modified on a per-VDOM basis.
 
config system settings
    set v4-ecmp-mode
    source-ip-based                            <----- Select next hop based on source IP.
    weight-based                               <----- Select next hop based on weight.
    usage-based                                <----- Select next hop based on usage.
    source-dest-ip-based                       <----- Select next hop based on both source and destination IPs.
 
This can be verified using the following command:
 
diagnose sys vd list
system fib version=37
list virtual firewall info:
   ------Truncated output ------
name=root/root index=0 enabled use=112 rt_num=31 asym_rt=0 sip_helper=1, sip_nat_trace=1, mc_fwd=1, mc_ttl_nc=0, tpmc_sk_pl=0
ecmp=source-ip-based, ecpm6=source-ip-based asym_rt6=0 rt6_num=32 strict_src_check=0 dns_log=1 ses_num=5 ses6_num=1 pkt_num=1158894
tree_flag=1 tree6_flag=1 nataf=0 traffic_log=1 extended_traffic_log=0 svc_depth=2
log_neigh=0, deny_tcp_with_icmp=0 ses_denied_traffic=no tcp_no_syn_check=0 central_nat=0 policy_mode_ngfw=0 block_land_attack=0 link_check_local_in=1
fw_session_hairpin=no  keep-PRP-trailer=0
ipv4_rate=0, ipv6_rate=0, mcast6-PMTU=0, allow_linkdown_path=0
mode=standalone ha_state=work prio=0 vid=0
vf_count=5 vfe_count=17
 
To change the algorithm for IPv6, use config system virtual-wan-link (or config system sdwan on newer FortiOS releases) on a per-VDOM basis. The load-balance-mode selected here applies to both IPv4 and IPv6.
 
config system virtual-wan-link OR config system sdwan
    set status enable
 
(virtual-wan-link) set load-balance-mode
source-ip-based                        <----- Source IP load balancing. All traffic from a source IP is sent to the same interface.
weight-based                           <----- Weight-based load balancing. Interfaces with higher weights have higher priority and get more traffic.
usage-based                            <----- Usage-based load balancing. All traffic is sent to the first interface on the list. When the bandwidth on that interface exceeds the spill-over limit new traffic is sent to the next interface.
source-dest-ip-based                   <----- Source and destination IP load balancing. All traffic from a source IP to a destination IP is sent to the same interface.
measured-volume-based                  <----- Volume-based load balancing. Traffic is load balanced based on traffic volume (in bytes). More traffic is sent to interfaces with higher volume ratios.
(virtual-wan-link) set load-balance-mode source-dest-ip-based
(virtual-wan-link) end
 
Verify using the following command:
 
(global) # diagnose sys vd list
system fib version=37
list virtual firewall info:
   ------Truncated output ------
name=root/root index=0 enabled use=112 rt_num=31 asym_rt=0 sip_helper=1, sip_nat_trace=1, mc_fwd=1, mc_ttl_nc=0, tpmc_sk_pl=0
ecmp=source-dest-ip-based, ecpm6=source-dest-ip-based asym_rt6=0 rt6_num=32 strict_src_check=0 dns_log=1 ses_num=7 ses6_num=1 pkt_num=1161223
tree_flag=1 tree6_flag=1 nataf=0 traffic_log=1 extended_traffic_log=0 svc_depth=2
log_neigh=0, deny_tcp_with_icmp=0 ses_denied_traffic=no tcp_no_syn_check=0 central_nat=0 policy_mode_ngfw=0 block_land_attack=0 link_check_local_in=0
fw_session_hairpin=no  keep-PRP-trailer=0
ipv4_rate=1, ipv6_rate=0, mcast6-PMTU=0, allow_linkdown_path=0
mode=standalone ha_state=work prio=0 vid=0
vf_count=5 vfe_count=17
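The diagnose output above shows a single VDOM. As an added example (not part of the article), the following Python script parses constructed diagnose sys vd list output for several VDOMs and flags any whose IPv4 (ecmp) or IPv6 (ecpm6) mode differs from the one the operator expects, which is how to confirm the change took effect everywhere or to catch configuration drift; the sample output and the VDOM name dmz are constructed.

```python
import re

# Constructed sample modelled on the page's "diagnose sys vd list" output
# (two VDOMs; the second deliberately drifted from the expected mode).
SAMPLE_OUTPUT = """system fib version=37
list virtual firewall info:
name=root/root index=0 enabled use=112 rt_num=31 asym_rt=0 sip_helper=1, sip_nat_trace=1, mc_fwd=1, mc_ttl_nc=0, tpmc_sk_pl=0
ecmp=source-dest-ip-based, ecpm6=source-dest-ip-based asym_rt6=0 rt6_num=32 strict_src_check=0 dns_log=1 ses_num=7 ses6_num=1 pkt_num=1161223
name=dmz/dmz index=1 enabled use=40 rt_num=12 asym_rt=0 sip_helper=1, sip_nat_trace=1, mc_fwd=0, mc_ttl_nc=0, tpmc_sk_pl=0
ecmp=source-ip-based, ecpm6=weight-based asym_rt6=0 rt6_num=8 strict_src_check=0 dns_log=1 ses_num=2 ses6_num=0 pkt_num=5021
"""

# A VDOM block starts at "name=<vdom>/<vdom> ..." and runs until the next one.
NAME_RE = re.compile(r"^name=(?P<name>[^/\s]+)/")
# key=value tokens; values end at whitespace or the comma FortiOS uses as a separator.
KV_RE = re.compile(r"(\w[\w-]*)=([^\s,]+)")


def parse_vd_list(text):
    """Map each VDOM name to a dict of the key=value fields printed for it."""
    vdoms = {}
    current = None
    for line in text.splitlines():
        match = NAME_RE.match(line.strip())
        if match:
            current = match.group("name")
            vdoms[current] = {}
        if current is None:
            continue  # header lines before the first VDOM block
        for key, value in KV_RE.findall(line):
            vdoms[current][key] = value
    return vdoms


def audit_ecmp(vdoms, expected_mode):
    """Return (vdom, family, actual) for every VDOM whose IPv4 ("ecmp") or
    IPv6 ("ecpm6", spelled that way in the FortiOS output) mode differs
    from the mode the operator expects after setting load-balance-mode."""
    findings = []
    for name, fields in vdoms.items():
        for key, family in (("ecmp", "ipv4"), ("ecpm6", "ipv6")):
            actual = fields.get(key, "<missing>")
            if actual != expected_mode:
                findings.append((name, family, actual))
    return findings


if __name__ == "__main__":
    for finding in audit_ecmp(parse_vd_list(SAMPLE_OUTPUT), "source-dest-ip-based"):
        print("drift: vdom=%s %s ecmp mode is %s" % finding)
```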
 
ECMP is enabled by default on the FortiGate. If needed, it can be disabled by limiting the number of paths to one:
 
config system settings
    set ecmp-max-paths 1
end

 

Related documents:
Equal cost multi-path

Technical Tip: Equal cost multi-path (ECMP) - Maximum number of paths and routing issues