Created on 05-22-2021 09:14 AM Edited on 06-09-2022 09:02 PM By Anonymous
Description
This article describes how SSL VPN server load balance session to Master FPC/FPM using flow rule.
Solution
Using a FortiGate-6k-7k an SSL VPN server requires to manually add an SSL VPN load balancing flow rule to configure the FortiGate-6k-7k to send all SSL VPN sessions to the Master FPC/FPM.
Following example commands run on FortiGate-6k and in this example the Master FPC is in Slot-1:
FGT (global) # get system status
Version: FortiGate-6301F v6.0.9,build6783,200331 (GA)
Virus-DB: 85.00439(2021-04-14 01:20)
Extended DB: 1.00000(2018-04-09 18:07)
Extreme DB: 1.00000(2018-04-09 18:07)
IPS-DB: 18.00055(2021-04-12 04:21)
IPS-ETDB: 18.00058(2021-04-14 04:20)
APP-DB: 18.00056(2021-04-13 00:09)
INDUSTRIAL-DB: 6.00741(2015-12-01 02:30)
Serial-Number: F6KFxxxxxxxxxxxx
Module Serial-Number: F6KFxxxxxxxxxxxx
IPS Malicious URL Database: 3.00016(2021-05-21 05:18)
Botnet DB: 4.00694(2021-05-19 18:59)
BIOS version: 05000012
Module BIOS version: 05000012
System Part-Number: P22354-03
Module Part-Number: P22354-03
Log hard disk: Available
Hostname: FGT
Operation Mode: NAT
Current virtual domain: mgmt-vdom
Max number of virtual domains: 10
Virtual domains status: 2 in NAT mode, 0 in TP mode
Virtual domain configuration: enable
FIPS-CC mode: disable
Current HA mode: a-p, master
Cluster uptime: 18 days, 0 hours, 6 minutes, 9 seconds
Cluster state change time: 2021-05-04 22:41:05
Config-Sync: Master
FPC Master: slot-1 <<<<<
Branch point: 0335
Release Version Information: GA
FortiOS x86-64: Yes
System time: Sat May 22 22:47:05 2021
Without the flow rule DP (distribution processors) will decides and send the sessions to one of the FPC/FPM based on the load-balancing settings.
In this example FPC in Slot-2 processing all the SSL VPN traffic (without a flow-rule configured):
FGT (root) # diagnose sys session filter src 10.168.36.117
FGT (root) # diagnose sys session filter dport 10443
FGT (root) # diagnose sys session list
==========================================================================
Slot: 1 Module SN: FPC6KFxxxxxxxxxxxx
total session 0
==========================================================================
Slot: 2 Module SN: FPC6KFxxxxxxxxxxxx
session info: slot=2 ori_slot=2 proto=6 proto_state=01 duration=240 expire=3599 timeout=3600 flags=00000000 sockflag=00000004 sockport=0 av_idx=0 use=4
origin-shaper=
reply-shaper=
per_ip_shaper=
class_id=0 ha_id=0 policy_dir=0 tunnel=/ vlan_cos=8/8
state=local may_dirty
statistic(bytes/packets/allow_err): org=330734/2169/1 reply=99692/2110/1 tuples=2
tx speed(Bps/kbps): 1084/8 rx speed(Bps/kbps): 310/2
orgin->sink: org pre->in, reply out->post dev=11->62/62->11 gwy=10.56.241.109/0.0.0.0
hook=pre dir=org act=noop 10.168.36.117:62764->10.56.241.109:10443(0.0.0.0:0)
hook=post dir=reply act=noop 10.56.241.109:10443->10.168.36.117:62764(0.0.0.0:0)
pos/(before,after) 0/(0,0), 0/(0,0)
misc=0 policy_id=4294967295 auth_info=0 chk_client_info=0 vd=0
serial=0000e3c5 tos=ff/ff app_list=0 app=0 url_cat=0
rpdb_link_id = 00000000
dd_type=0 dd_mode=0
npu_state=00000000
no_ofld_reason: local
total session 1
To force SSL VPN server load balance to Master FPC/FPM, it is necessary to manually configure the flow rule:
FGT (global) # FGT (global) # config load-balance flow-rule
FGT (global) # FGT (global) # edit 0
set status enable
set src-interface "port<N>" <----- FortiGate listens for SSL VPN on the Port 'N' interface.
set ether-type ipv4
set dst-addr-ipv4 x.x.x.x 255.255.255.255 <----- IP address of FGT interface that receives SSL VPN traffic.
set protocol tcp
set dst-l4port 10443-10443 <----- SSL VPN server listening port.
set forward-slot master <----- forwarding SSL VPN sessions to Master FPC.
set comment "ssl vpn server to primary FPC Slot"
next
end
After configured flow rule all the SSL VPN traffic is processed by Master FPC.
In this example, this flow rule will match SSL VPN sessions with IP 10.56.241.109 and listening on port 10443 as the destination address and send all of these sessions to the Master FPC Slot-1.
==========================================================================
Slot: 1 Module SN: FPC6KFxxxxxxxxxxxx
session info: slot=1 ori_slot=1 proto=6 proto_state=01 duration=3 expire=3596 timeout=3600 flags=00000000 sockflag=00000004 sockport=0 av_idx=0 use=4
origin-shaper=
reply-shaper=
per_ip_shaper=
class_id=0 ha_id=0 policy_dir=0 tunnel=/ vlan_cos=8/8
state=local may_dirty
statistic(bytes/packets/allow_err): org=3350/28/1 reply=25477/24/1 tuples=2
tx speed(Bps/kbps): 957/7 rx speed(Bps/kbps): 7279/58
orgin->sink: org pre->in, reply out->post dev=11->62/62->11 gwy=10.56.241.109/0.0.0.0
hook=pre dir=org act=noop 10.168.36.117:59161->10.56.241.109:10443(0.0.0.0:0)
hook=post dir=reply act=noop 10.56.241.109:10443->10.168.36.117:59161(0.0.0.0:0)
pos/(before,after) 0/(0,0), 0/(0,0)
misc=0 policy_id=4294967295 auth_info=0 chk_client_info=0 vd=0
serial=000aa97e tos=ff/ff app_list=0 app=0 url_cat=0
rpdb_link_id = 00000000
dd_type=0 dd_mode=0
npu_state=00000000
no_ofld_reason: local
session info: slot=1 ori_slot=1 proto=6 proto_state=01 duration=2 expire=3598 timeout=3600 flags=00000000 sockflag=00000004 sockport=0 av_idx=0 use=4
origin-shaper=
reply-shaper=
per_ip_shaper=
class_id=0 ha_id=0 policy_dir=0 tunnel=/ vlan_cos=8/8
state=local may_dirty
statistic(bytes/packets/allow_err): org=2389/19/1 reply=9120/18/1 tuples=2
tx speed(Bps/kbps): 1106/8 rx speed(Bps/kbps): 4222/33
orgin->sink: org pre->in, reply out->post dev=11->62/62->11 gwy=10.56.241.109/0.0.0.0
hook=pre dir=org act=noop 10.168.36.117:59165->10.56.241.109:10443(0.0.0.0:0)
hook=post dir=reply act=noop 10.56.241.109:10443->10.168.36.117:59165(0.0.0.0:0)
pos/(before,after) 0/(0,0), 0/(0,0)
misc=0 policy_id=4294967295 auth_info=0 chk_client_info=0 vd=0
serial=000aa97f tos=ff/ff app_list=0 app=0 url_cat=0
rpdb_link_id = 00000000
dd_type=0 dd_mode=0
npu_state=00000000
no_ofld_reason: local
total session 2
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.