FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
ahernandez_FTNT
Description
This article explains how to force specific traffic to be handled by one FortiGate worker when it is managed by FortiController.  With these parameters the traffic that matches with the configured criteria will be always sent to the slot defined in the rule.

Solution
The name and location for this configuration was changed between firmware version 5.2.1 and 5.2.2:

FortiController 5.2.1 and below (Forward-rule)
FortiController 5.2.2 and above (Flow-rule)

Forward-Rule (5.2.1 and below)
# config load-balance forward-rule
edit 0
set status {enable | disable}
set src-interface <interface-name>
set vlan <vlan-id>
set ether-type {any | arp | ip | ipv4}
set src-addr-ipv4 <ip-address> <netmask>
set dst-addr-ipv4 <ip-address> <netmask>
set protocol {any | icmp | tcp | udp | igmp | sctp | gre | esp |
ah | ospf | pim | vrrp}
set action {drop | forward | stats}
set forward-slot <number>
set priority <number>
set comment <text>
next
end

Example:
# config load-balance forward-rule
edit 1
set status enable
set src-addr-ipv4 10.10.10.1 255.255.255.0
set dst-addr-ipv4 10.10.20.2 255.255.255.0
set protocol tcp
set forward-slot 4
next
end


Flow-Rule (5.2.2 and above)
# config switch fabric-channel flow-rule
edit 0
set src-interface [interface-name>
set vlan <vlan-id>
set ether-type {any | arp | ip | ipv4}
set src-addr-ipv4 <ip-address> <netmask>
set dst-addr-ipv4 <ip-address> <netmask>
set protocol {any | icmp | tcp | udp | igmp | sctp | gre | esp |
set forward-slot <number>
set priority <number>
set comment <text>
next
end
Example:
# config switch fabric-channel flow-rule
edit 1
set src-interface f1 f5
set ether-type ip
set protocol gre
set action forward
set forward-slot 8
end

Contributors