Description
This article explains how to force specific traffic to be handled by one FortiGate worker when it is managed by FortiController. With these parameters, traffic that matches the configured criteria is always sent to the slot defined in the rule.
Solution
The name and location of this configuration changed between firmware versions 5.2.1 and 5.2.2:
FortiController 5.2.1 and below (Forward-rule)
FortiController 5.2.2 and above (Flow-rule)
Forward-Rule (5.2.1 and below)
# config load-balance forward-rule
edit 0
set status {enable | disable}
set src-interface <interface-name>
set vlan <vlan-id>
set ether-type {any | arp | ip | ipv4}
set src-addr-ipv4 <ip-address> <netmask>
set dst-addr-ipv4 <ip-address> <netmask>
set protocol {any | icmp | tcp | udp | igmp | sctp | gre | esp |
ah | ospf | pim | vrrp}
set action {drop | forward | stats}
set forward-slot <number>
set priority <number>
set comment <text>
next
end
Example:
# config load-balance forward-rule
edit 1
set status enable
set src-addr-ipv4 10.10.10.1 255.255.255.0
set dst-addr-ipv4 10.10.20.2 255.255.255.0
set protocol tcp
set forward-slot 4
next
end
Flow-Rule (5.2.2 and above)
# config switch fabric-channel flow-rule
edit 0
set src-interface <interface-name>
set vlan <vlan-id>
set ether-type {any | arp | ip | ipv4}
set src-addr-ipv4 <ip-address> <netmask>
set dst-addr-ipv4 <ip-address> <netmask>
set protocol {any | icmp | tcp | udp | igmp | sctp | gre | esp |
set forward-slot <number>
set priority <number>
set comment <text>
next
end
Example:
# config switch fabric-channel flow-rule
edit 1
set src-interface f1 f5
set ether-type ip
set protocol gre
set action forward
set forward-slot 8
end
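
When a fleet mixes firmware on both sides of the 5.2.1/5.2.2 split, the rule has to be generated under the right config path. The following Python script is an added example, not Fortinet code: it selects the path this article gives for a firmware version and emits a rule using only keywords shown above. The function names, the CIDR input format and the host-bit check are assumptions of this example.

```python
import ipaddress

# Protocol keywords as listed in the article's forward-rule syntax.
PROTOCOLS = {"any", "icmp", "tcp", "udp", "igmp", "sctp", "gre", "esp",
             "ah", "ospf", "pim", "vrrp"}

def rule_path(firmware):
    """Return the config path the article gives for this firmware version."""
    version = tuple(int(p) for p in firmware.split("."))
    if version >= (5, 2, 2):
        return "config switch fabric-channel flow-rule"
    return "config load-balance forward-rule"

def addr(cidr):
    """Render a CIDR as '<ip-address> <netmask>'. Host bits are rejected so the
    rule states the exact range it matches (a choice made in this example)."""
    net = ipaddress.IPv4Network(cidr, strict=True)
    return f"{net.network_address} {net.netmask}"

def build_rule(firmware, rule_id, slot, protocol="any", src=None, dst=None,
               interfaces=None):
    """Emit the CLI block that pins matching traffic to one worker slot."""
    if protocol not in PROTOCOLS:
        raise ValueError(f"unknown protocol: {protocol}")
    path = rule_path(firmware)
    lines = [path, f"edit {rule_id}"]
    if path.endswith("forward-rule"):
        lines.append("set status enable")  # listed only in the forward-rule syntax
    if interfaces:
        lines.append("set src-interface " + " ".join(interfaces))
    if src:
        lines.append("set src-addr-ipv4 " + addr(src))
    if dst:
        lines.append("set dst-addr-ipv4 " + addr(dst))
    lines += [f"set protocol {protocol}", "set action forward",
              f"set forward-slot {slot}", "next", "end"]
    return "\n".join(lines)

if __name__ == "__main__":
    # Constructed inputs modelled on the article's two examples.
    print(build_rule("5.2.1", 1, 4, "tcp", "10.10.10.0/24", "10.10.20.0/24"))
    print(build_rule("5.2.3", 1, 8, "gre", interfaces=["f1", "f5"]))
```

Review the generated block before pasting it into the FortiController CLI, since a rule that matches more traffic than intended sends all of it to a single worker.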