SLBC – Session-aware Load Balancing Cluster
The Session-aware Load Balancing Cluster (SLBC) protocol is used for clusters consisting of FortiControllers that perform load balancing of both TCP and UDP sessions. As session-aware load balancers, FortiControllers, with FortiASIC DP processors, are capable of directing any TCP or UDP session to any worker installed in the same chassis. It also means that more complex networking features such as NAT, fragmented packets, complex UDP protocols and others such as Session Initiation Protocol (SIP), a communications protocol for signaling and controlling multimedia communication sessions, can be load balanced by the cluster.
Currently, only three FortiController models are available for SLBC: FortiController-5103B, FortiController-
5903C, and FortiController-5913C. Supported workers include the FortiGate-5001B, 5001C, 5101C, and 5001D.
FortiGate-7000 series products also support SLBC.
An SLBC with two FortiControllers can operate in active-passive mode or dual mode. In active-passive mode, if
the active FortiController fails, traffic is transferred to the backup FortiController. In dual mode both FortiControllers load balance traffic and twice as many network interfaces are available.
SLBC clusters consisting of more than one FortiController use the following types of communication between FortiControllers to operate normally:
- Heartbeat: Allows the FortiControllers in the cluster to find each other and share status information. If a FortiController stops sending heartbeat packets it is considered down by other cluster members. By default heartbeat traffic uses VLAN 999.
- Base control: Communication between FortiControllers on subnet 10.101.11.0/255.255.255.0 using VLAN 301.
- Base management: Communication between FortiControllers on subnet 10.101.10.0/255.255.255.0 using VLAN 101. l Session synchronization: If one FortiController fails, session synchronization allows another to take its place and maintain active communication sessions. FortiController-5103B session sync traffic uses VLAN 2000.
FortiController-5903C and FortiController-5913C session sync traffic between the FortiControllers in slot 1 uses VLAN 1900 and between the FortiControllers in slot 2 uses VLAN 1901. You cannot change these VLANs.
Note that SLBC does not support session synchronization between workers in the same chassis. The FortiControllers in a cluster keep track of the status of the workers in their chassis and load balance sessions to the workers. If a worker fails the FortiController detects the failure and stops load balancing sessions to that worker. The sessions that the worker is processing when it fails are lost.
Changing the heartbeat VLAN
To change the VLAN from the FortiController GUI, from the System Information dashboard widget, beside HA Status, select Configure. Change the VLAN to use for HA heartbeat traffic(1-4094) setting.
You can also change the heartbeat VLAN ID from the FortiController CLI. For example, to change the heartbeat VLAN ID to 333, enter the following:
config system ha set hbdev-vlan-id 333
Setting the mgmt interface as a heartbeat interface
To add the mgmt interface to the list of heartbeat interfaces used, on the FortiController-5103B, enter the following:
config system ha set hbdev b1 b2 mgmt end
This example adds the mgmt interface for heartbeats to the B1 and B2 interfaces. The B1 and B2 ports are recommended because they are 10G ports and the Mgmt interface is a 100Mb interface.
Changing the heartbeat interface mode
By default, only the first heartbeat interface (usually B1) is used for heartbeat traffic. If this interface fails on any of the FortiControllers in a cluster, then the second heartbeat interface is used (B2).
To simultaneously use all heartbeat interfaces for heartbeat traffic, enter the following command:
config load-balance-setting set base-mgmt-interface-mode active-active end
Changing the base control subnet and VLAN
You can change the base control subnet and VLAN from the FortiController CLI. For example, to change the base control subnet to 10.122.11.0/255.255.255.0 and the VLAN ID to 320, enter the following:
config load-balance setting set base-ctrl-network 10.122.11.0 255.255.255.0 config base-ctrl-interfaces edit b1 set vlan-id 320
next edit b2 set vlan-id 320
Changing the base management subnet and VLAN
You can change the base management subnet from the FortiController GUI under Load Balance > Config and changing the Internal Management Network.
You can also change the base management subnet and VLAN ID from the FortiController CLI. For example, to change the base management subnet to 10.121.10.0/255.255.255.0 and the VLAN to 131, enter the following:
config load-balance setting set base-mgmt-internal-network 10.121.10.0 255.255.255.0 config base-mgt-interfaces edit b1 set vlan-id 131
next edit b2 set vlan-id 131
If required, you can use different VLAN IDs for the B1 and B2 interface.
Changing this VLAN only changes the VLAN used for base management traffic between chassis. Within a chassis the default VLAN is used.
Enabling and configuring the session sync interface
To enable session synchronization in a two chassis configuration, enter the following command:
config load-balance setting set session-sync enable
You will then need to select the interface to use for session sync traffic. The following example sets the FortiController-5103B session sync interface to F4: config system ha set session-sync-port f4
The FortiController-5903C and FortiController-5913C use b1 and b2 as the session sync interfaces so no configuration changes are required.
FGCP to SLBC migration
You can convert a FGCP virtual cluster (with VDOMs) to an SLBC cluster. The conversion involves replicating the VDOM, interface, and VLAN configuration of the FGCP cluster on the SLBC cluster primary worker, then backing up the configuration of each FGCP cluster VDOM. Each of the VDOM configuration files is manually edited to adjust interface names. These modified VDOM configuration files are then restored to the corresponding SLBC cluster primary worker VDOMs.
For this migration to work, the FGCP cluster and the SLBC workers must be running the same firmware version, the VDOMS are enabled on the FGCP cluster, and the SLBC workers have been registered and licensed. However, the FGCP cluster units do not have to be the same model as the SLBC cluster workers.
Only VDOM configurations are migrated. You have to manually configure primary worker management and global settings.
- Add VDOM(s) to the SLBC primary worker with names that match those of the FGCP cluster.
- Map FGCP cluster interface names to SLBC primary worker interface names. For example, you can map the FGCP cluster port1 and port2 interfaces to the SLBC primary worker fctl/f1 and fctl/f2 interfaces. You can also map FGCP cluster interfaces to SLBC trunks, and include aggregate interfaces.
- Add interfaces to the SLBC primary worker VDOMs according to your mapping. This includes moving SLBC physical interfaces into the appropriate VDOMs, creating aggregate interfaces, and creating SLBC trunks if required.
- Add VLANs to the SLBC primary worker that match VLANs in the FGCP cluster. They should have the same names as the FGCP VLANs, be added to the corresponding SLBC VDOMs and interfaces, and have the same VLAN IDs.
- Add inter-VDOM links to the SLBC primary worker that match the FGCP cluster.
- Backup the configurations of each FGCP cluster VDOM, and SLBC primary worker VDOM.
- Use a text editor to replace the first four lines of each FGCP cluster VDOM configuration file with the first four lines of the corresponding SLBC primary worker VDOM configuration file. Here are example lines from an SLBC primary
worker VDOM configuration file:
- With the text editor, edit each FGCP cluster VDOM configuration file and replace all FGCP cluster interface names with the corresponding SLBC worker interface names, according to the mapping you created in step 2.
- Set up a console connection to the SLBC primary worker to check for errors during the following steps.
- From the SLBC primary worker, restore each FGCP cluster VDOM configuration file to each corresponding SLBC primary worker VDOM.
- Check the following on the SLBC primary worker:
- Make sure set type fctrl-trunk is enabled for SLBC trunk interfaces.
- Enable the global and management VDOM features that you need, including SNMP, logging, connections to FortiManager, FortiAnalyzer, and so on.
- If there is a FortiController in chassis slot 2, make sure the worker base2 interface status is up. l Remove snmp-index entries for each interface.
- Since you can manage the workers from the FortiController you can remove management-related configurations using the worker mgmt1 and mgmt2 interfaces (Logging, SNMP, admin access, etc.) if you are not going to use these interfaces for management.
How to set up SLBC with one FortiController-5103B
This example describes the basics of setting up a Session-aware Load Balancing Cluster (SLBC) that consists of one FortiController-5103B, installed in chassis slot 1, and three FortiGate-5001C workers, installed in chassis slots 3, 4, and 5.
This SLBC configuration can have up to eight 10Gbit network connections.
Configuring the hardware
- Install a FortiGate-5000 series chassis and connect it to power. Install the FortiController in slot 1. Install the workers in slots 3, 4, and 5. Power on the chassis.
- Check the chassis, FortiController, and FortiGate LEDs to verify that all components are operating normally. (To check normal operation LED status see the FortiGate-5000 series documents available here.)
- Check the FortiSwitch-ATCA release notes and install the latest supported firmware on the FortiController and on the workers. Get FortiController firmware from the Fortinet Support site. Select the FortiSwitch-ATCA product.
Configuring the FortiController
To configure the FortiController, you will need to either connect to the FortiController GUI or CLI with the default IP address of http://192.168.1.99. Log in using the admin account (no password).
- Add a password for the admin account. Use the Administrators widget in the GUI, or enter the following CLI command:
config admin user edit admin set password <password>
- Change the FortiController mgmt interface IP address. Use the Management Port widget in the GUI, or enter the following CLI command:
config system interface edit mgmt set ip 172.20.120.151/24
- If you need to add a default route for the management IP address, enter the following command:
config route static edit route 1 set gateway 172.20.121.2
- To set the chassis type that you are using, enter the following CLI command:
config system global set chassic-type fortigate-5140
- Go to Load Balance > Config and add workers to the cluster by selecting Edit and moving the slots that contain workers to the Member The Config page shows the slots in which the cluster expects to find workers. Since the workers have not been configured yet, their status is Down.
Configure the External Management IP/Netmask. Once the workers are connected to the cluster, you can use
this IP address to manage and configure them.
- You can also enter the following CLI command to add slots 3, 4, and 5 to the cluster:
config load-balance setting config slots edit 3
next edit 4
next edit 5
- You can also enter the following command to configure the external management IP/Netmask and management access to the following address:
config load-balance setting set base-mgmt-external-ip 172.20.120.100 255.255.255.0 set base-mgmt-allowaccess https ssh ping
Adding the workers
Before you begin adding workers to the cluster, make sure you enter the execute factoryreset command in the CLI so the workers are set to factory default settings. If the workers are going to run FortiOS Carrier, add the FortiOS Carrier licence instead – this will reset the worker to factory default settings.
Also make sure to register and apply licenses to each worker, including FortiClient licensing, FortiCloud activation, and entering a license key if you purchased more than 10 Virtual Domains (VDOMs). You can also install any third-party certificates on the primary worker before forming the cluster. Once the cluster is formed, third-party certificates are synchronized to all of the workers. FortiToken licenses can be added at any time, which will also synchronize across all of the workers.
- Log in to each of the worker’s CLI and enter the following CLI command to set the worker to operate in FortiController mode:
config system elbc set mode fortincontroller
Once the command is entered, the worker restarts and joins the cluster.
- On the FortiController, go to Load Balance > Status. You will see the workers appear in their appropriate slots. The worker in the lowest slot number usually becomes the primary unit.
You can now manage the workers in the same way as you would manage a standalone FortiGate. You can connect to the worker GUI or CLI using the External Management IP. If you had configured the worker mgmt1 or mgmt2 interfaces you can also connect to one of these addresses to manage the cluster.
To operate the cluster, connect networks to the FortiController front panel interfaces and connect to a worker GUI or CLI to configure the workers to process the traffic they receive. When you connect to the External Management IP you connect to the primary worker. When you make configuration changes they are synchronized to all workers in the cluster.
Managing the devices in an SLBC with the External Management IP
The External Management IP address is used to manage all of the individual devices in a SLBC by adding a special port number. This special port number begins with the standard port number for the protocol you are using and is followed by two digits that identify the chassis number and slot number. The port number can be calculated
using the following formula:
service_port x 100 + (chassis_id – 1) x 20 + slot_id Where:
- service_port is the normal port number for the management service (80 for HTTP, 443 for HTTPS and so on). l chassis_id is the chassis ID specified as part of the FortiController HA configuration and can be 1 or 2.
- slot_id is the number of the chassis slot.
By default, chassis 1 is the primary chassis and chassis 2 is the backup chassis. However, the actual primary chassis is the one with the primary FortiController, which can be changed independently of the chassis number. Additionally, the chassis_id is defined by the chassis number, not whether the chassis contains the primary
- HTTPS, chassis 1, slot 2: 443 x 100 + (1 – 1) x 20 + 2 = 44300 + 0 + 2 = 44302: browse to: https://172.20.120.100:44302
- HTTP, chassis 2, slot 4: 80 x 100 + (2 – 1) x 20 + 4 = 8000 + 20 + 4 = 8024: browse to http://172.20.120.100/8024
- HTTPS, chassis 1, slot 10: 443 x 100 + (1 – 1) x 20 + 10 = 44300 + 0 + 10 = 44310: browse to https://172.20.120.100/44310
Single chassis or chassis 1 special management port numbers
|Slot number||HTTP (80)||HTTPS (443) Telnet (23)||SSH (22)||SNMP (161)|
|Slot 1||8001||44301 2301||2201||16101|
|Slot 2||8002||44302 2302||2202||16102|
|Slot 3||8003||44303 2303||2203||16103|
|Slot 4||8004||44304 2304||2204||16104|
|Slot 5||8005||44305 2305||2205||16105|
|Slot 6||8006||44306 2306||2206||16106|
|Slot 7||8007||44307 2307||2207||16107|
|Slot 8||8008||44308 2308||2208||16108|
|Slot 9||8009||44309 2309||2209||16109|
|Slot number||HTTP (80)||HTTPS (443) Telnet (23)||SSH (22)||SNMP (161)|
|Slot 10||8010||44310 2310||2210||16110|
|Slot 11||8011||44311 2311||2211||16111|
|Slot 12||8012||44312 2312||2212||16112|
|Slot 13||8013||44313 2313||2213||16113|
|Slot 14||8014||44314 2314||2214||16114|
Chassis 2 special management port numbers
|Slot number||HTTP (80)||HTTPS (443) Telnet (23)||SSH (22)||SNMP (161)|
|Slot 1||8021||44321 2321||2221||16121|
|Slot 2||8022||44322 2322||2222||16122|
|Slot 3||8023||44323 2323||2223||16123|
|Slot 4||8024||44324 2324||2224||16124|
|Slot 5||8025||44325 2325||2225||16125|
|Slot 6||8026||44326 2326||2226||16126|
|Slot 7||8027||44327 2327||2227||16127|
|Slot 8||8028||44328 2328||2228||16128|
|Slot 9||8029||44329 2329||2229||16129|
|Slot 10||8030||44330 2330||2230||16130|
|Slot 11||8031||44331 2331||2231||16131|
|Slot 12||8032||44332 2332||2232||16132|
|Slot 13||8033||44333 2333||2233||16133|
|Slot 14||8034||44334 2334||2234||16134|
Having trouble configuring your Fortinet hardware or have some questions you need answered? Ask your questions in the comments below!!! Want someone else to deal with it for you? Get some consulting from Fortinet GURU!