CLI Reference

config link-load-balance persistence

Use this command to configure persistence rules.

Persistence rules identify traffic that should be ignored by load balancing rules and instead be forwarded to the same gateway each time the traffic traverses the FortiADC appliance.

You should use persistence rules with applications that use a secure connection. Such applications drop connections when the server detects a change in a client’s source IP address.

Before you begin:
  • You must have an awareness of the types of outbound traffic from your network. Persistence rules are useful for traffic that requires an established session, such as secure connections (HTTPS and SSH, for example).
  • You must have knowledge of the source and/or destination subnets to which the persistence rules should apply.
  • You must have read-write permission for link load balancing settings.

You can use persistence rules in link groups but not in virtual tunnels.

Syntax

config link-load-balance persistence
  edit <name>
    set timeout <integer>
    set type {destination-address | source-address | source-destination-address | source-destination-pair}
    set dst-ipv4-maskbits <integer>
    set src-ipv4-maskbits <integer>
  next
end

timeout

The default is 300 seconds.

type

  • destination-address: Packets with a destination IP address that belongs to the same subnet take the same outgoing gateway.
  • source-address: Packets with a source IP address that belongs to the same subnet take the same outgoing gateway.
  • source-destination-address: Packets with a source IP address and a destination IP address that belong to the same subnets take the same outgoing gateway.
  • source-destination-pair: Packets with the same source IP address and the same destination IP address take the same outgoing gateway.

Note:

Source-address-based persistence consumes a significant amount of memory, calculated per virtual server (VS) with the following formula:

(max persistence entry size) x (size per entry of the table) x (content routing or pool count)

For example:

If the max persistence entry size is 262144 (the default), the size per entry of the table is 44 bytes, and there is no content routing (a single pool):

262144 x 44 = 11534336 bytes (≈11 MB)

dst-ipv4-maskbits

Number of bits in the subnet mask that defines the destination network segment to which the persistence rule applies.

For example, if you set this to 24, and the system chooses a particular gateway router for destination IP 192.168.1.100, the system will select that same gateway for traffic to all destination IPs in subnet 192.168.1.0/24.

src-ipv4-maskbits

Number of bits in the subnet mask that defines the source network segment to which the persistence rule applies.

For example, if you set this to 24, and the system chooses a particular gateway router for client IP 192.168.1.100, the system will select that same gateway for subsequent requests from any client in subnet 192.168.1.0/24.
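The following Python model is an added illustration, not FortiADC code: it shows how the `type` and `src-ipv4-maskbits`/`dst-ipv4-maskbits` settings above decide which flows share a gateway, how the `timeout` expires an entry, and it applies the per-VS memory formula from the note. The table layout, the gateway names (`gw-1`, `gw-2`, ...), the fake clock, and the client and destination addresses are all constructed for the demo; the real appliance's internal hashing and entry format are not described on this page.

```python
import ipaddress
import time

# Values accepted by `set type` on the page.
PERSISTENCE_TYPES = (
    "destination-address",
    "source-address",
    "source-destination-address",
    "source-destination-pair",
)


def persistence_key(ptype, src_ip, dst_ip, src_maskbits=32, dst_maskbits=32):
    """Return the lookup key a flow gets under the given persistence type.

    Addresses are truncated to the configured maskbits so every host in the
    same subnet yields the same key and therefore the same gateway.
    source-destination-pair matches exact addresses and ignores the masks.
    """
    if ptype not in PERSISTENCE_TYPES:
        raise ValueError(f"unknown persistence type {ptype!r}")
    src = ipaddress.ip_address(src_ip)
    dst = ipaddress.ip_address(dst_ip)
    if ptype == "source-destination-pair":
        return (str(src), str(dst))
    src_net = str(ipaddress.ip_network(f"{src}/{src_maskbits}", strict=False))
    dst_net = str(ipaddress.ip_network(f"{dst}/{dst_maskbits}", strict=False))
    if ptype == "source-address":
        return (src_net,)
    if ptype == "destination-address":
        return (dst_net,)
    return (src_net, dst_net)


class PersistenceTable:
    """Remembers the gateway chosen for a key for `timeout` seconds (default 300)."""

    def __init__(self, ptype, src_maskbits=32, dst_maskbits=32,
                 timeout=300, clock=time.monotonic):
        self.ptype = ptype
        self.src_maskbits = src_maskbits
        self.dst_maskbits = dst_maskbits
        self.timeout = timeout
        self._clock = clock
        self._entries = {}  # key -> (gateway, expiry time)

    def select(self, src_ip, dst_ip, choose_gateway):
        """Return the gateway for this flow; `choose_gateway()` stands in for
        the link load balancing decision and is consulted only on a miss."""
        key = persistence_key(self.ptype, src_ip, dst_ip,
                              self.src_maskbits, self.dst_maskbits)
        now = self._clock()
        entry = self._entries.get(key)
        if entry is not None and entry[1] > now:
            return entry[0]                      # persistence hit
        gateway = choose_gateway()               # miss or expired: rebalance
        self._entries[key] = (gateway, now + self.timeout)
        return gateway


def persistence_memory_bytes(max_entries=262144, entry_size=44, pool_count=1):
    """Per-VS memory from the note above: entries x bytes per entry x pools."""
    return max_entries * entry_size * pool_count


class FakeClock:
    """Constructed clock so the demo can move past the timeout deterministically."""

    def __init__(self):
        self.now = 0.0

    def __call__(self):
        return self.now


def demo():
    """Walk through the documented behaviour with constructed addresses."""
    clock = FakeClock()
    decisions = []

    def choose():                 # hypothetical LLB decision: gw-1, gw-2, ...
        decisions.append(f"gw-{len(decisions) + 1}")
        return decisions[-1]

    # source-address with src-ipv4-maskbits 24: hosts in 192.168.1.0/24 share
    t = PersistenceTable("source-address", src_maskbits=24, clock=clock)
    out = {
        "first": t.select("192.168.1.100", "203.0.113.10", choose),
        "same_subnet": t.select("192.168.1.200", "203.0.113.10", choose),
        "other_subnet": t.select("192.168.2.5", "203.0.113.10", choose),
    }
    clock.now = 301               # past the 300 s timeout: LLB decides again
    out["after_timeout"] = t.select("192.168.1.100", "203.0.113.10", choose)

    # source-destination-pair: exact addresses, maskbits not applied
    p = PersistenceTable("source-destination-pair", src_maskbits=24, clock=clock)
    out["pair_a"] = p.select("192.168.1.100", "203.0.113.10", choose)
    out["pair_b"] = p.select("192.168.1.200", "203.0.113.10", choose)
    out["memory_mib"] = persistence_memory_bytes() / (1024 * 1024)
    return out


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:>14}: {value}")
```

Running the script shows the second client in 192.168.1.0/24 reusing the first client's gateway, a client in 192.168.2.0/24 getting a fresh decision, the original client being rebalanced once the 300 s timeout has passed, and the pair type treating the two clients as distinct flows even with a /24 configured. The memory figure reproduces the 11 MiB from the note for the default table size and a single pool.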

Example

FortiADC-VM # config link-load-balance persistence
FortiADC-VM (persistence) # edit llb-persistence
Add new entry 'llb-persistence' for node 674
FortiADC-VM (llb-persistence) # get
type : source-destination-pair
timeout : 300
FortiADC-VM (llb-persistence) # end