FortiGate
ahernandez_FTNT
Article Id 192023

Description

 

This article explains how to force specific traffic to be handled by one FortiGate worker when the chassis is managed by a FortiController. With these parameters, traffic that matches the configured criteria is always sent to the slot defined in the rule instead of being load-balanced across workers.
 
Scope
 
FortiGate.


Solution

 

The name and location of this configuration changed between FortiController firmware v5.2.1 and v5.2.2:

FortiController v5.2.1 and below (Forward-rule)
FortiController v5.2.2 and above (Flow-rule)

Forward-Rule (5.2.1 and below)
 
# config load-balance forward-rule
edit 0
set status {enable | disable}
set src-interface <interface-name>
set vlan <vlan-id>
set ether-type {any | arp | ip | ipv4}
set src-addr-ipv4 <ip-address> <netmask>
set dst-addr-ipv4 <ip-address> <netmask>
set protocol {any | icmp | tcp | udp | igmp | sctp | gre | esp | ah | ospf | pim | vrrp}
set action {drop | forward | stats}
set forward-slot <number>
set priority <number>
set comment <text>
next
end
Example:

# config load-balance forward-rule
edit 1
set status enable
set src-addr-ipv4 10.10.10.1 255.255.255.0
set dst-addr-ipv4 10.10.20.2 255.255.255.0
set protocol tcp
set forward-slot 4
next
end

Flow-Rule (5.2.2 and above)
# config switch fabric-channel flow-rule
edit 0
set src-interface <interface-name>
set vlan <vlan-id>
set ether-type {any | arp | ip | ipv4}
set src-addr-ipv4 <ip-address> <netmask>
set dst-addr-ipv4 <ip-address> <netmask>
set protocol {any | icmp | tcp | udp | igmp | sctp | gre | esp | ah | ospf | pim | vrrp}
set forward-slot <number>
set priority <number>
set comment <text>
next
end
Example:
# config switch fabric-channel flow-rule
edit 1
set src-interface f1 f5
set ether-type ip
set protocol gre
set action forward
set forward-slot 8
end
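Before pushing a forward-rule or flow-rule set to a chassis, it is useful to check which slot a given flow would land on. The following is an added example, not part of this article or Fortinet's code: it parses the config/edit/set/next/end block shape shown above into rule dictionaries and evaluates a flow against them. The sample config is constructed here; the defaults (status enable, action forward, protocol any) and first-match ordering are assumptions for the simulation, not documented FortiController behaviour.

```python
import ipaddress

# Constructed sample config: the article's forward-rule example plus a second
# rule with a different action, so that matching order is visible.
SAMPLE_CONFIG = """
config load-balance forward-rule
    edit 1
        set status enable
        set src-addr-ipv4 10.10.10.1 255.255.255.0
        set dst-addr-ipv4 10.10.20.2 255.255.255.0
        set protocol tcp
        set forward-slot 4
    next
    edit 2
        set status enable
        set protocol gre
        set action drop
    next
end
"""

def parse_rules(text):
    """Parse a FortiOS-style 'config / edit / set / next / end' block into rule dicts."""
    rules, cur = [], None
    for line in text.splitlines():
        tok = line.split()
        if not tok:
            continue
        if tok[0] == "edit":
            # Assumed defaults for keys a rule does not set explicitly.
            cur = {"id": int(tok[1]), "status": "enable", "action": "forward", "protocol": "any"}
        elif tok[0] == "set" and cur is not None:
            # Multi-value settings (e.g. '<ip> <netmask>') are kept as a list.
            cur[tok[1]] = tok[2:] if len(tok) > 3 else tok[2]
        elif tok[0] == "next" and cur is not None:
            rules.append(cur)
            cur = None
    return rules

def _in_net(addr, spec):
    """True when addr falls in '<ip> <netmask>'; an unset spec matches anything."""
    if spec is None:
        return True
    ip, mask = spec
    return ipaddress.ip_address(addr) in ipaddress.ip_network(f"{ip}/{mask}", strict=False)

def decide(rules, src, dst, proto):
    """Return (action, slot) for a flow; first enabled matching rule wins (assumption)."""
    for r in rules:
        if r["status"] != "enable" or r["protocol"] not in ("any", proto):
            continue
        if not _in_net(src, r.get("src-addr-ipv4")) or not _in_net(dst, r.get("dst-addr-ipv4")):
            continue
        return r["action"], int(r["forward-slot"]) if "forward-slot" in r else None
    return "load-balance", None  # no rule matched: normal FortiController distribution
```

Running `decide(parse_rules(SAMPLE_CONFIG), "10.10.10.77", "10.10.20.200", "tcp")` returns `("forward", 4)`, while the same addresses over UDP fall through to normal load balancing.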
Related document:

FortiGate 7000F config CLI commands