Session-Aware Load Balancing Cluster Guide

5.2.10

Tuning TCP load balancing performance (TCP local ingress)

TCP packets pass through the FortiController twice: first on ingress when the packet is received from the network by the FortiController front panel interface and a second time on egress after the packet leaves a worker and before it exits from a FortiController front panel interface to the network. New TCP sessions can be added to the DP processor session table on ingress or on egress. By default they are added on egress. Adding sessions on egress makes more efficient use of DP processor memory because sessions that are denied by worker firewall policies are not added to the DP processor session table. As a result the SLBC cluster can support more active sessions.

Adding sessions to the session table on egress has a limitation: round-robin load balancing does not work. If you need round-robin load balancing you must configure the cluster to add sessions to the DP processor on ingress by entering the following command:

config load-balance session-setup
    set tcp-ingress enable
end

Round-robin load balancing is now supported; but, since sessions are added to the DP processor before filtering by worker firewall policies, some of these sessions may subsequently be denied by those firewall policies. These denied sessions remain in the session table, taking up memory, until they time out.

In addition, adding sessions on ingress means that the FortiController is potentially open to DDoS attacks that could otherwise be prevented by worker firewall policies, because a session-table entry is consumed before any worker policy has evaluated the packet.

In most cases, the default configuration of disabling TCP local ingress should be maintained. However, if you need to use round-robin load balancing you can enable TCP local ingress as long as you are aware of the limitations of this configuration.
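The following toy model is an added illustration, not Fortinet code: it mimics a DP processor session table under both settings of tcp-ingress to show why ingress setup enables round-robin but lets policy-denied sessions (and a SYN flood to a blocked port) occupy table memory until they time out. The worker count, the worker policy, the timeout and the sample flows are all assumed.

```python
import zlib
from dataclasses import dataclass, field

WORKERS = ["worker1", "worker2", "worker3"]   # assumed three-worker cluster
SESSION_TIMEOUT = 60                          # assumed session idle timeout (s)

def worker_policy_allows(flow):
    """Stand-in for the worker firewall policies: only TCP/443 is allowed (assumed)."""
    return flow[3] == 443

@dataclass
class DPSessionTable:
    tcp_ingress: bool                 # mirrors 'set tcp-ingress enable/disable'
    capacity: int                     # DP processor session memory, in entries
    sessions: dict = field(default_factory=dict)   # flow -> (worker, expiry time)
    rr_index: int = 0

    def pick_worker(self, flow):
        # Round-robin needs ingress setup; egress setup falls back to a flow hash (simplified).
        if not self.tcp_ingress:
            return WORKERS[zlib.crc32(repr(flow).encode()) % len(WORKERS)]
        worker = WORKERS[self.rr_index % len(WORKERS)]
        self.rr_index += 1
        return worker

    def expire(self, now):
        """Drop entries whose timeout has passed (denied sessions only leave this way)."""
        self.sessions = {f: v for f, v in self.sessions.items() if v[1] > now}

    def new_syn(self, flow, now):
        """Process a new TCP SYN; return the worker that accepted it, or None."""
        self.expire(now)
        allowed = worker_policy_allows(flow)
        if not self.tcp_ingress and not allowed:
            return None            # egress setup: a denied session never reaches the table
        if len(self.sessions) >= self.capacity:
            return None            # table full: the SYN is dropped
        worker = self.pick_worker(flow)
        # Ingress setup records the entry before the policy check: denied sessions linger until expire().
        self.sessions[flow] = (worker, now + SESSION_TIMEOUT)
        return worker if allowed else None

# Constructed traffic: four permitted HTTPS flows and an eight-SYN flood to a denied port.
LEGIT = [("10.0.0.1", "192.0.2.10", 40000 + i, 443) for i in range(4)]
FLOOD = [("198.51.100.7", "192.0.2.10", 50000 + i, 23) for i in range(8)]
def run(tcp_ingress, flows, capacity=8):
    """Feed flows through a fresh table; return (table, per-flow worker or None)."""
    table = DPSessionTable(tcp_ingress, capacity)
    return table, [table.new_syn(f, now=0) for f in flows]
```

With tcp-ingress enabled, the flood fills the table and the legitimate HTTPS SYNs that follow are dropped until the denied entries expire; with the default egress setup the same flood never consumes an entry.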

For details about the life of a TCP packet, see Life of a TCP packet.