User Guide for Fortinet 5103b

FortiController-5103B system
FortiController-5103B Session-Aware Load Balancer Guide
10-500-161552-20140822
 
FortiController-5103B session-aware load balancing
The FortiController-5103B board uses three on-board FortiASIC DP processors to 
perform high-performance session-aware load balancing. Under ideal conditions, the 
FortiController-5103B is capable of forming a session-aware load balanced cluster of one 
FortiController-5103B board and up to 12 FortiGate-5000 workers. A single 
FortiController-5103B board can distribute up to 96 million concurrent sessions and start 
36 million new sessions a second. A second FortiController-5103B board can be added 
for redundancy or to create a dual-mode cluster that doubles the number of network 
interfaces. You can also install a second chassis with one or two FortiController-5103B 
boards for chassis failover.
As a session-aware load balancer, the FortiController-5103B board maintains the state 
for each session and is capable of directing any session to any worker installed in the 
same chassis. This session-awareness means that all traffic being processed by a 
specific worker continues to be processed by the same worker. Session-awareness also 
means that more complex networking features such as network address translation 
(NAT), fragmented packets, complex UDP protocols, and complex protocols such as SIP 
that use pinholes, can be load balanced by the cluster.
In a FortiController-5103B load balanced cluster, when a worker that is processing SIP 
traffic creates a pinhole, this information is communicated to the FortiController-5103B. 
The FortiController-5103B then knows to distribute the voice and media sessions to this 
worker. 
Table 3: FortiController-5103B connectors

| Connector | Type | Speed | Protocol | Description |
|---|---|---|---|---|
| MGMT | RJ-45 | 10/100/1000 Base-T | Ethernet | Copper 1-gigabit connection to 10/100/1000Base-T copper networks for management or system administration. The unlabeled interface beside the MGMT interface is not used. Its LEDs may be lit in some cases but the state of these LEDs can be ignored. |

The SIP protocol uses known SIP ports for control traffic but dynamically uses a wide 
range of ports for voice and other media traffic. To successfully pass SIP traffic through 
a firewall, the firewall must use a session helper or application gateway to look inside the 
SIP control traffic and determine the ports to open for voice and media. To allow the 
voice and media traffic, the firewall temporarily opens these ports, creating what’s 
known as a pinhole that temporarily allows traffic on a port as determined by the SIP 
control traffic. The pinhole is closed when the voice or media session ends. 
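
The pinhole handling described above can be sketched as follows; this is an added example, not Fortinet code, and it is a simplified model of what a session helper and a session-aware load balancer do. It assumes the media ports are carried in the SDP body of the SIP message (`c=` and `m=` lines); `sdp_pinholes`, `PinholeTable`, the worker name and the sample message are hypothetical and constructed for illustration.

```python
import re

# Constructed sample: SIP 200 OK with an SDP answer (RFC 5737 test addresses).
SIP_OK = "\r\n".join([
    "SIP/2.0 200 OK",
    "Call-ID: call-1@example.invalid",
    "Content-Type: application/sdp",
    "",
    "v=0",
    "c=IN IP4 192.0.2.10",
    "m=audio 49170 RTP/AVP 0",
    "m=video 0 RTP/AVP 31",
    "m=audio 51372 RTP/AVP 8",
    "c=IN IP4 192.0.2.20",
]) + "\r\n"

def sdp_pinholes(sip_message):
    """Return (call_id, [(ip, udp_port)]) that the SIP control message negotiates."""
    head, _, body = sip_message.partition("\r\n\r\n")
    call_id = re.search(r"^Call-ID:\s*(\S+)", head, re.M | re.I).group(1)
    session_ip, streams = None, []
    for line in body.splitlines():
        if line.startswith("c=IN IP4 "):
            ip = line.split()[2]
            if streams:
                streams[-1][0] = ip      # media-level c= overrides session-level
            else:
                session_ip = ip
        elif line.startswith("m="):
            streams.append([session_ip, int(line.split()[1])])
    # Port 0 marks a declined stream, so no pinhole is opened for it.
    return call_id, [(ip, port) for ip, port in streams if port]

class PinholeTable:
    """Hypothetical model of the balancer's pinhole-to-worker map."""
    def __init__(self):
        self.flows, self.calls = {}, {}

    def open(self, worker, sip_message):
        call_id, holes = sdp_pinholes(sip_message)
        self.calls.setdefault(call_id, []).extend(holes)
        self.flows.update({hole: worker for hole in holes})

    def worker_for(self, ip, port):
        return self.flows.get((ip, port))   # None: no pinhole for this flow

    def close(self, call_id):               # called when the session ends (BYE)
        for hole in self.calls.pop(call_id, []):
            self.flows.pop(hole, None)
```

Media packets that match an open pinhole resolve to the worker that handled the control session; once `close` runs for the call, the same lookup returns `None`, which mirrors the pinhole being closed when the voice or media session ends.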
Session-aware load balancing does not support traffic shaping.