FortiGate
fquerzo_FTNT
Staff
Article Id 191596

Description


This article describes how to exempt a specific source address from WAD source affinity, so that its sessions are spread across WAD workers instead of being pinned to one.

 

Scope

 

FortiGate.


Solution

 

When wad-source-affinity is enabled, the WAD traffic dispatcher distributes incoming traffic directly among the WAD workers based on the source IP address, so all sessions from a given source are handled by the same WAD worker.
 
config system global
    set wad-source-affinity enable
end
 
When users sit behind a NAT device, all of their traffic arrives from the single NATed source IP and is therefore forwarded to only one WAD worker, which can become overloaded while the other workers stay idle. The same imbalance occurs when a small number of sources generate a very high number of sessions.
 
The commands below exempt such source addresses from proxy source affinity. Traffic from an exempted source to different servers is then distributed across the WAD workers in round-robin fashion rather than pinned to a single worker.
 
config web-proxy global
    set src-affinity-exempt-addr <IPv4 address> ...
    set src-affinity-exempt-addr6 <IPv6 address> ...
end
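To make the effect of the exemption concrete, the following is an added illustrative model and not FortiOS or WAD code: the real dispatcher's internal hashing is not documented, so this uses a CRC32 of the packed source address as a stand-in for "pin a source to one worker" and a round-robin cycle for exempted sources. The worker count (4), the NAT gateway address 10.1.1.1 and the session list are all constructed for the example. It reproduces the situation described above: one NATed source carries most of the sessions, so one worker takes all of them until that source is exempted.

```python
"""Illustrative model of WAD source affinity and the src-affinity-exempt-addr list.

Added example, not FortiOS code. Assumptions (not from the article):
  - 4 WAD workers
  - pinning is modelled as crc32(packed source IP) % workers
  - exempted sources are dispatched round-robin across workers
"""
from collections import Counter
from itertools import cycle
import ipaddress
import zlib

WORKERS = 4  # assumption: number of WAD workers in this model


class Dispatcher:
    """Models the WAD dispatcher with source affinity enabled."""

    def __init__(self, workers=WORKERS, exempt=()):
        self.workers = workers
        # src-affinity-exempt-addr / -addr6 entries: both IPv4 and IPv6 are accepted
        self.exempt = {ipaddress.ip_address(a) for a in exempt}
        self._rr = cycle(range(workers))  # round-robin position for exempted sources
        self.load = Counter()  # sessions per worker

    def worker_for(self, src):
        """Return the worker index a new session from `src` is sent to."""
        ip = ipaddress.ip_address(src)
        if ip in self.exempt:
            # Exempted source: sessions are spread across all workers.
            return next(self._rr)
        # Affinity: a deterministic function of the source address, so every
        # session from this source lands on the same worker.
        return zlib.crc32(ip.packed) % self.workers

    def dispatch(self, sessions):
        """Dispatch (src, dst) pairs and return the per-worker session counts."""
        for src, _dst in sessions:
            self.load[self.worker_for(src)] += 1
        return self.load


def constructed_sessions():
    """Constructed sample: 80 sessions from the NAT gateway 10.1.1.1 to ten
    different servers, plus 20 sessions from 20 individual hosts."""
    sessions = [("10.1.1.1", f"203.0.113.{i % 10}") for i in range(80)]
    sessions += [(f"10.2.0.{i}", "203.0.113.1") for i in range(1, 21)]
    return sessions


def max_worker_load(exempt=()):
    """Busiest worker's session count for the constructed traffic."""
    load = Dispatcher(exempt=exempt).dispatch(constructed_sessions())
    return max(load.values())


if __name__ == "__main__":
    print("max load, no exemption      :", max_worker_load())
    print("max load, 10.1.1.1 exempted :", max_worker_load(exempt=["10.1.1.1"]))
```

Without the exemption the NAT gateway's 80 sessions all land on one worker, so the busiest worker carries at least 80 sessions; once 10.1.1.1 is exempted those 80 are spread 20 per worker and the busiest worker drops to at most 40. The same mechanism applies to IPv6 sources listed under src-affinity-exempt-addr6.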


Note 1: These commands are also valid on FortiProxy. The output below was tested and verified in a lab environment (the FPX prompt is a FortiProxy unit).
Note 2: 'show full web-proxy global' does not display 'set src-affinity-exempt-addr' or 'set src-affinity-exempt-addr6' until the prerequisite settings described below are configured, so the commands may appear not to exist.

 

FPX # sh full web-proxy global
config web-proxy global
    set ssl-cert "default-server-cert"
    set ssl-ca-cert "default-ca"
    set fast-policy-match enable
    set ldap-user-cache enable
    set proxy-fqdn "default.fqdn"
    set max-request-length 8
    set max-message-length 32
    set strict-web-check disable
    set forward-proxy-auth disable
    set forward-server-affinity-timeout 30
    set webproxy-profile ''
    set learn-client-ip log-only
    unset learn-client-ip-from-header
    set strict-guest disable
    set https-replacement-message enable
    set message-upon-server-error enable
    set trace-auth-no-rsp disable
    set policy-category-deep-inspect enable
    set log-policy-pending disable
    set extended-log disable
    set log-http-transaction disable
    set log-app-id disable
    set realm "default"
end


To make these commands available, first configure 'set learn-client-ip-from-header <header>' and 'set learn-client-ip-srcaddr all' under 'config web-proxy global' (the output below uses the x-forwarded-for header). Once those are set, 'set src-affinity-exempt-addr <IPv4 address>' and 'set src-affinity-exempt-addr6 <IPv6 address>' become visible:

 

FPX # sh full web-proxy global
config web-proxy global
    set ssl-cert "default-server-cert"
    set ssl-ca-cert "default-ca"
    set fast-policy-match enable
    set ldap-user-cache enable
    set proxy-fqdn "default.fqdn"
    set max-request-length 8
    set max-message-length 32
    set strict-web-check disable
    set forward-proxy-auth disable
    set forward-server-affinity-timeout 30
    set webproxy-profile ''
    set learn-client-ip log-only
    set learn-client-ip-from-header x-forwarded-for
    set learn-client-ip-srcaddr "all"
    set strict-guest disable
    set https-replacement-message enable
    set message-upon-server-error enable
    set trace-auth-no-rsp disable
    set policy-category-deep-inspect enable
    set log-policy-pending disable
    set extended-log disable
    set log-http-transaction disable
    set log-app-id disable
    set realm "default"
end

FPX # config web-proxy global 

FPX (global) # set src-affinity-exempt-addr
src-affinity-exempt-addr     IPv4 source addresses to exempt proxy affinity.
src-affinity-exempt-addr6    IPv6 source addresses to exempt proxy affinity.