FortiGate
alif
Staff
Article Id 191149
Description
This article describes how to modify the ECMP load balancing algorithms for both IPv4 and IPv6.

Solution
Equal cost multi-path (ECMP) is a mechanism that allows a FortiGate to load-balance routed traffic over multiple gateways. 
Just like routes in a routing table, ECMP is considered after policy routing, so any matching policy routes will take precedence over ECMP.

ECMP prerequisites are as follows:

- Routes must have the same destination and the same cost. For static routes, cost includes both distance and priority.
- Routes must be sourced from the same routing protocol. Supported protocols include static routing, OSPF, and BGP.

By default, both IPv4 and IPv6 use the source-IP-based algorithm for ECMP. Note that ECMP settings are configured on a per-VDOM basis, so each VDOM can use a different algorithm.

# config system settings
       set v4-ecmp-mode
           source-ip-based                            <----- Select next hop based on source IP.
           weight-based                               <----- Select next hop based on weight.
           usage-based                                <----- Select next hop based on usage.
           source-dest-ip-based                       <----- Select next hop based on both source and destination IPs.

This can be verified using the following command:

# diagnose sys vd list
system fib version=37
list virtual firewall info:
   ------Truncated output ------
name=root/root index=0 enabled use=112 rt_num=31 asym_rt=0 sip_helper=1, sip_nat_trace=1, mc_fwd=1, mc_ttl_nc=0, tpmc_sk_pl=0
ecmp=source-ip-based, ecpm6=source-ip-based asym_rt6=0 rt6_num=32 strict_src_check=0 dns_log=1 ses_num=5 ses6_num=1 pkt_num=1158894
tree_flag=1 tree6_flag=1 nataf=0 traffic_log=1 extended_traffic_log=0 svc_depth=2
log_neigh=0, deny_tcp_with_icmp=0 ses_denied_traffic=no tcp_no_syn_check=0 central_nat=0 policy_mode_ngfw=0 block_land_attack=0 link_check_local_in=1
fw_session_hairpin=no  keep-PRP-trailer=0
ipv4_rate=0, ipv6_rate=0, mcast6-PMTU=0, allow_linkdown_path=0
mode=standalone ha_state=work prio=0 vid=0
vf_count=5 vfe_count=17

To change the algorithm for IPv6, use config system virtual-wan-link (or config system sdwan, depending on the FortiOS version) on a per-VDOM basis. The load-balance mode selected here applies to both IPv4 and IPv6.

# config system virtual-wan-link OR config system sdwan
     set status enable

(virtual-wan-link) set load-balance-mode
source-ip-based                        <----- Source IP load balancing. All traffic from a source IP is sent to the same interface.
weight-based                           <----- Weight-based load balancing. Interfaces with higher weights have higher priority and get more traffic.
usage-based                            <----- Usage-based load balancing. All traffic is sent to the first interface on the list. When the bandwidth on that interface exceeds the spill-over limit new traffic is sent to the next interface.
source-dest-ip-based                   <----- Source and destination IP load balancing. All traffic from a source IP to a destination IP is sent to the same interface.
measured-volume-based                  <----- Volume-based load balancing. Traffic is load balanced based on traffic volume (in bytes). More traffic is sent to interfaces with higher volume ratios.
(virtual-wan-link) set load-balance-mode source-dest-ip-based
(virtual-wan-link) end

Verify using the following command. Both ecmp and ecpm6 should now show the newly selected mode:

(global) # diagnose sys vd list
system fib version=37
list virtual firewall info:
   ------Truncated output ------
name=root/root index=0 enabled use=112 rt_num=31 asym_rt=0 sip_helper=1, sip_nat_trace=1, mc_fwd=1, mc_ttl_nc=0, tpmc_sk_pl=0
ecmp=source-dest-ip-based, ecpm6=source-dest-ip-based asym_rt6=0 rt6_num=32 strict_src_check=0 dns_log=1 ses_num=7 ses6_num=1 pkt_num=1161223
tree_flag=1 tree6_flag=1 nataf=0 traffic_log=1 extended_traffic_log=0 svc_depth=2
log_neigh=0, deny_tcp_with_icmp=0 ses_denied_traffic=no tcp_no_syn_check=0 central_nat=0 policy_mode_ngfw=0 block_land_attack=0 link_check_local_in=0
fw_session_hairpin=no  keep-PRP-trailer=0
ipv4_rate=1, ipv6_rate=0, mcast6-PMTU=0, allow_linkdown_path=0
mode=standalone ha_state=work prio=0 vid=0
vf_count=5 vfe_count=17
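Because ECMP is set per VDOM, a unit with several VDOMs can easily end up with one VDOM still on the default source-ip-based mode after a change was made elsewhere. The following script is an added example (not Fortinet code) that parses the `diagnose sys vd list` output shown above and reports every VDOM whose IPv4 or IPv6 ECMP mode differs from the expected one. The sample output embedded in it is constructed from the format in this article (including the `ecpm6=` spelling that FortiOS prints); the VDOM named `dmz` is invented for illustration.

```python
"""Parse `diagnose sys vd list` output and check ECMP modes per VDOM.

Added example, not Fortinet code. Field names `ecmp=` and `ecpm6=` come
from the diagnose output format shown in the article; the sample text
below is constructed, and the `dmz` VDOM is hypothetical.
"""
import re

# Constructed sample: two VDOMs, one of which still uses the default mode.
SAMPLE_OUTPUT = """\
system fib version=37
list virtual firewall info:
name=root/root index=0 enabled use=112 rt_num=31 asym_rt=0 sip_helper=1, sip_nat_trace=1, mc_fwd=1, mc_ttl_nc=0, tpmc_sk_pl=0
ecmp=source-dest-ip-based, ecpm6=source-dest-ip-based asym_rt6=0 rt6_num=32 strict_src_check=0 dns_log=1 ses_num=7 ses6_num=1 pkt_num=1161223
tree_flag=1 tree6_flag=1 nataf=0 traffic_log=1 extended_traffic_log=0 svc_depth=2
name=dmz/dmz index=1 enabled use=40 rt_num=12 asym_rt=0 sip_helper=1, sip_nat_trace=1, mc_fwd=1, mc_ttl_nc=0, tpmc_sk_pl=0
ecmp=source-ip-based, ecpm6=source-ip-based asym_rt6=0 rt6_num=4 strict_src_check=0 dns_log=1 ses_num=2 ses6_num=0 pkt_num=4242
tree_flag=1 tree6_flag=1 nataf=0 traffic_log=1 extended_traffic_log=0 svc_depth=2
"""

# A VDOM block starts with "name=<vdom>/<vdom> ..."; the ECMP fields follow
# on a later line of the same block.
NAME_RE = re.compile(r"^name=(?P<name>[^/\s]+)/")
ECMP_RE = re.compile(r"ecmp=(?P<v4>[\w-]+),\s*ecpm6=(?P<v6>[\w-]+)")


def parse_vd_list(text):
    """Return {vdom_name: {"ecmp": <ipv4 mode>, "ecmp6": <ipv6 mode>}}."""
    result = {}
    current = None
    for line in text.splitlines():
        m = NAME_RE.match(line)
        if m:
            current = m.group("name")
            result[current] = {"ecmp": None, "ecmp6": None}
            continue
        m = ECMP_RE.search(line)
        if m and current is not None:
            result[current]["ecmp"] = m.group("v4")
            result[current]["ecmp6"] = m.group("v6")
    return result


def check_ecmp_mode(parsed, expected):
    """Return a sorted list of (vdom, family, actual) where the mode != expected."""
    mismatches = []
    for vdom, modes in sorted(parsed.items()):
        for family in ("ecmp", "ecmp6"):
            if modes[family] != expected:
                mismatches.append((vdom, family, modes[family]))
    return mismatches


if __name__ == "__main__":
    parsed = parse_vd_list(SAMPLE_OUTPUT)
    for vdom, modes in parsed.items():
        print(f"{vdom}: IPv4={modes['ecmp']} IPv6={modes['ecmp6']}")
    for vdom, family, actual in check_ecmp_mode(parsed, "source-dest-ip-based"):
        print(f"WARNING: VDOM {vdom} {family} is {actual}, expected source-dest-ip-based")
```

To use it against a live unit, replace SAMPLE_OUTPUT with the captured text of `diagnose sys vd list` run from the global context, which lists every VDOM in one output.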

Related document:
https://docs.fortinet.com/document/fortigate/7.0.1/administration-guide/25967/equal-cost-multi-path

Related Articles

Technical Tip: Equal cost multi-path (ECMP) - Maximum number of paths and routing issues