Session-Aware Load Balancing Cluster Guide

5.2.11

Life of a TCP packet (TCP local ingress enabled)

With TCP local ingress enabled the life of a TCP packet looks like this:

  1. A TCP packet is received by a FortiController front panel interface.
  2. The DP processor looks up the packet in its session table and one of the following happens:

    - If the packet is part of an established session, it is forwarded to the FortiController fabric backplane interface and from there to the fabric backplane interface of the worker that is processing the session. The packet is then processed by the worker and exits the worker’s fabric backplane interface.

    - If the packet is starting a new session, the new session is added to the DP processor session table. The packet is forwarded to the FortiController fabric backplane interface and from there to the fabric backplane interface of a worker. The worker is selected by the DP processor based on the load distribution method. The worker applies FortiGate firewall policies and accepts the packet. The packet is processed by the worker and exits the worker’s fabric backplane interface.

    - If the packet is starting a new session, the new session is added to the DP processor session table. The packet is forwarded to the FortiController fabric backplane interface and from there to the fabric backplane interface of a worker. The worker is selected by the DP processor based on the load distribution method. The worker applies FortiGate firewall policies and denies the packet. The packet is blocked by the worker.

  3. Accepted packets are received by the FortiController backplane interface and recorded by the DP processor as part of an established session.
  4. The packets exit the cluster through a FortiController front panel interface.

    The DP processor session table contains both sessions accepted by and sessions denied by worker firewall policies. A session expires and is removed from the table when no new packets have been received for it for the duration of the TCP session timeout.
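As an added illustration (not Fortinet code, and not how the DP processor is implemented), the following Python model walks a few constructed TCP packets through the steps above: session table lookup, worker selection by an assumed round-robin load distribution method, a hypothetical worker firewall policy that returns the accept or deny verdict, and removal of idle sessions after the TCP session timeout.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

FlowKey = Tuple[str, int, str, int]  # (src IP, src port, dst IP, dst port) of a TCP flow

@dataclass
class Session:
    worker: int       # worker chosen by the load distribution method
    verdict: str      # "accept" or "deny": the worker's firewall policy result
    last_seen: float  # time of the last packet seen for this session

class DPProcessor:
    """Assumed model of the DP processor session table described in the guide."""
    def __init__(self, n_workers: int, policy: Callable[[FlowKey], str], tcp_timeout: float):
        self.table: Dict[FlowKey, Session] = {}
        self.n_workers = n_workers
        self.policy = policy        # stands in for the worker's firewall policy
        self.tcp_timeout = tcp_timeout
        self._next = 0              # round-robin cursor (assumed distribution method)

    def _select_worker(self) -> int:
        worker = self._next % self.n_workers
        self._next += 1
        return worker

    def expire(self, now: float) -> None:
        """Drop sessions that saw no packet for at least the TCP session timeout."""
        self.table = {k: s for k, s in self.table.items()
                      if now - s.last_seen < self.tcp_timeout}

    def ingress(self, key: FlowKey, now: float) -> Tuple[str, int, str]:
        """Step 2 of the guide: look the packet up, pick or reuse a worker, record the verdict."""
        self.expire(now)
        sess = self.table.get(key)
        if sess is None:
            # New session: select a worker, let its policy decide, add to the table
            sess = Session(self._select_worker(), self.policy(key), now)
            self.table[key] = sess
            return ("new", sess.worker, sess.verdict)
        sess.last_seen = now        # established: the same worker keeps processing it
        return ("established", sess.worker, sess.verdict)

def simulate() -> List[Tuple[str, int, str]]:
    """Constructed trace: two workers, port 23 denied, 300 s TCP session timeout."""
    dp = DPProcessor(2, lambda k: "deny" if k[3] == 23 else "accept", 300.0)
    a = ("10.0.0.5", 40001, "192.0.2.10", 443)
    b = ("10.0.0.6", 40002, "192.0.2.10", 23)
    c = ("10.0.0.7", 40003, "192.0.2.11", 80)
    return [dp.ingress(a, 0.0), dp.ingress(b, 1.0), dp.ingress(a, 2.0),
            dp.ingress(c, 3.0), dp.ingress(a, 400.0)]
```

The last event shows the effect of the timeout: flow `a` has been idle since t=2, so at t=400 it is treated as a brand-new session and may land on a different worker.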