CLI Reference

config link-load-balance flow-policy

Use this command to configure link load balancing policy rules.

A link policy matches traffic to rules that select a link group or virtual tunnel.

The policy uses a matching tuple: source, destination, service, and schedule. The policy match is a Boolean AND: all elements must match for the rule to be applied.

The elements of the tuple support specification by group objects. This is a Boolean OR: if the source IP address belongs to member 1 OR member 2, then the source matches.

The logical combinations enable you to subscribe multiple address spaces or services to a group of links, and create load balancing rules on that group basis.

The policy table is consulted from top to bottom. The first rule to match is applied.

The FortiADC system evaluates traffic to determine the routing rules to apply. With regard to link load balancing, the system evaluates rules in the following order and applies the first match:

  1. LLB link policy
  2. Policy route
  3. Static/Dynamic route
  4. LLB default link group
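
The matching logic described above, modelled as an added example (not Fortinet code): AND across the tuple, OR within a group, an unspecified element matches anything, and the first matching rule wins. The group members and the names `catch-all-lan`, `lan-web`, `ISP2` and `DEFAULT` are constructed; schedule and in-interface are left out, and the fallback assumes no policy route or static/dynamic route matches.

```python
import ipaddress
from dataclasses import dataclass

# Constructed objects. A group matches when ANY member matches (Boolean OR).
ADDR_GROUPS = {"LAN": ["10.0.0.0/24", "10.0.1.0/24"],
               "WAN": ["198.51.100.0/24", "203.0.113.0/24"]}
SERVICE_GROUPS = {"Web": [("tcp", 80), ("tcp", 443)]}

@dataclass
class Rule:
    name: str
    target: str            # link group the rule selects
    source: str = ""       # "" = not specified, matches any source
    destination: str = ""  # "" = not specified, matches any destination
    service: str = ""      # "" = not specified, matches any service

RULES = [  # order matters: the table is read top to bottom
    Rule("ISP-1", "ISP1", source="LAN", destination="WAN", service="Web"),
    Rule("catch-all-lan", "ISP2", source="LAN"),
    Rule("lan-web", "ISP1", source="LAN", service="Web"),
]

def addr_matches(group, ip):
    nets = ADDR_GROUPS.get(group, [])
    return not group or any(ipaddress.ip_address(ip) in ipaddress.ip_network(n) for n in nets)

def service_matches(group, proto, port):
    return not group or (proto, port) in SERVICE_GROUPS[group]

def select_link(rules, default_group, src, dst, proto, port):
    """First rule whose source AND destination AND service all match wins."""
    for r in rules:
        if (addr_matches(r.source, src) and addr_matches(r.destination, dst)
                and service_matches(r.service, proto, port)):
            return r.name, r.target
    # Assumption: no policy route or static/dynamic route matched either.
    return None, default_group

def shadowed_rules(rules):
    """(rule, earlier rule) pairs where the earlier rule always matches first.
    Structural check only: same object name or unspecified in every element."""
    fields = ("source", "destination", "service")
    found = []
    for i, later in enumerate(rules):
        for earlier in rules[:i]:
            if all(getattr(earlier, f) in ("", getattr(later, f)) for f in fields):
                found.append((later.name, earlier.name))
                break
    return found
```

Running `shadowed_rules` over an exported rule list before reordering or adding a broad rule shows which narrower rules would stop taking effect and send their traffic out a different link group.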

Before you begin:

  • You must have configured any address, service, and schedule objects that you want to use as match criteria for your policy.
  • You must have configured a link group or virtual tunnel group.
  • You must have read-write permission for link load balancing settings.

Syntax

config link-load-balance flow-policy
  set default-link-group <datasource>
  config rule
    edit <name>
      set group-type {link-group | virtual-tunnel}
      set link-group <datasource>
      set virtual-tunnel <datasource>
      set destination-type {address|addrgrp|isp}
      set destination-address <datasource>
      set destination-addrgrp <datasource>
      set destination-isp <datasource>
      set in-interface <datasource>
      set schedule <datasource>
      set service-type {service|servicegrp}
      set service <datasource>
      set servicegrp <datasource>
      set source-type {address|addrgrp|isp}
      set source-address <datasource>
      set source-addrgrp <datasource>
      set source-isp <datasource>
    next
  end
end

default-link-group

Specify a link group configuration object that is used as the default when traffic does not match policy rules.

config rule

group-type

  • link-group: Policy uses a link group.
  • virtual-tunnel: Policy uses a virtual tunnel.

link-group

If you specify the link group type, specify a link group configuration object.

virtual-tunnel

If you specify the virtual tunnel group type, specify a virtual tunnel configuration object.

destination-type

Specify whether to use address, address group, or ISP address objects for this rule.

destination-address

Specify an address object to match destination addresses. If you do not specify a destination address, the rule matches any destination.

destination-addrgrp

Specify an address group object to match destination addresses. If you do not specify a destination address group, the rule matches any destination.

destination-isp

Specify an ISP address object to match destination addresses. If you do not specify a destination ISP address, the rule matches any destination.

in-interface

Network interface to which the policy applies.

schedule

Specify the schedule object that determines the times the system uses the logic of this configuration. The link policy is active when the current time falls in a time period specified by one or more schedules in the schedule group. If you do not specify a schedule, the rule applies at all times.

service-type

Specify whether to use service or service group objects for this rule.

service

Specify a service object to match destination services. If you do not specify a service, the rule matches any service.

servicegrp

Specify a service group object to match destination services. If you do not specify a service, the rule matches any service.

source-type

Specify whether to use address, address group, or ISP address objects for this rule.

source-address

Specify an address object to match source addresses. If you do not specify a source address, the rule matches any source address.

source-addrgrp

Specify an address group object to match source addresses. If you do not specify a source address group, the rule matches any source address.

source-isp

Specify an ISP address object to match source addresses. If you do not specify a source ISP address, the rule matches any source address.

Example

FortiADC-docs # config link-load-balance flow-policy
FortiADC-docs (flow-policy) # config rule
FortiADC-docs (rule) # edit ISP-1
Add new entry 'ISP-1' for node 634
FortiADC-docs (ISP-1) # get
in-interface :
source-type : address
source-address :
destination-type : address
destination-address :
service-type : service
service :
schedule :
group-type : link-group
link-group :
FortiADC-docs (ISP-1) # set in-interface port2
FortiADC-docs (ISP-1) # set source-type addrgrp
FortiADC-docs (ISP-1) # set source-addrgrp LAN
FortiADC-docs (ISP-1) # set destination-type addrgrp
FortiADC-docs (ISP-1) # set destination-addrgrp WAN
FortiADC-docs (ISP-1) # set service-type servicegrp
FortiADC-docs (ISP-1) # set servicegrp Web
FortiADC-docs (ISP-1) # set link-group ISP1
FortiADC-docs (ISP-1) # end
FortiADC-docs (flow-policy) # end
