This FortiController-5103B Session-Aware Load Balancer Guide describes FortiController-5103B hardware features, how
to install a FortiController-5103B board in a FortiGate-5000 series chassis, and how to configure the
FortiController-5103B system for your network.
The most recent versions of this and all FortiGate-5000 series documents are available from the FortiGate-5000 page of
the Fortinet Technical Documentation web site (http://docs.fortinet.com).
Access to Fortinet customer services, such as firmware updates, support, and FortiGuard services, requires product
registration. You can register your FortiController-5103B at http://support.fortinet.com.
Only trained and qualified personnel should be allowed to install or maintain
FortiGate-5000 series equipment. Read and comply with all warnings, cautions and
notices in this document.
• Risk of Explosion if Battery is replaced by an Incorrect Type. Dispose of Used
Batteries According to the Instructions.
• Turning off all power switches may not turn off all power to the FortiGate-5000 series
equipment. Some circuitry in the FortiGate-5000 series equipment may continue to
operate even though all power switches are off.
• FortiGate-5000 equipment must be protected by a readily accessible disconnect
device or circuit breaker that can be used for product power down emergencies.
• Many FortiGate-5000 components are hot swappable and can be installed or
removed while the power is on. But some of the procedures in this document may
require power to be turned off and completely disconnected. Follow all instructions in
the procedures in this document that describe disconnecting FortiGate-5000 series
equipment from power sources, telecommunications links and networks before
installing or removing FortiGate-5000 series components, or performing other
maintenance tasks. Failure to follow the instructions in this document can result in
personal injury or equipment damage.
• Install FortiGate-5000 series chassis at the lower positions of a rack to avoid making
the rack top-heavy and unstable.
• Do not insert metal objects or tools into open chassis slots.
• Electrostatic discharge (ESD) can damage FortiGate-5000 series equipment. Only
perform the procedures described in this document from an ESD workstation. If no
such station is available, you can provide some ESD protection by wearing an
anti-static wrist strap and attaching it to an available ESD connector such as the ESD
sockets provided on FortiGate-5000 series chassis.
• Make sure all FortiGate-5000 series components have reliable grounding. Fortinet
recommends direct connections to the building ground.
• If you install a FortiGate-5000 series component in a closed or multi-unit rack
assembly, the operating ambient temperature of the rack environment may be greater
than room ambient. Make sure the operating ambient temperature does not exceed
Fortinet’s maximum rated ambient temperature.
• Installing FortiGate-5000 series equipment in a rack should be such that the amount
of airflow required for safe operation of the equipment is not compromised.
• FortiGate-5000 series chassis should be installed by a qualified electrician.
• FortiGate-5000 series equipment shall be installed and connected to an electrical
supply source in accordance with the applicable codes and regulations for the
location in which it is installed. Particular attention shall be paid to use of correct wire
type and size to comply with the applicable codes and regulations for the installation /
location. Connection of the supply wiring to the terminal block on the equipment may
be accomplished using Listed wire compression lugs, for example, Pressure Terminal
Connector made by Ideal Industries Inc. or equivalent which is suitable for AWG-10.
Particular attention shall be given to use of the appropriate compression tool specified
by the compression lug manufacturer, if one is specified.
• This product is only intended for use in a Restricted Access Location.
The FortiController-5103B board is an Advanced Telecommunications Computing
Architecture (ATCA) compliant session-aware load balancing hub/switch board that
distributes IPv4 TCP and UDP sessions to multiple FortiGate-5000-series boards (called
workers) over the ATCA chassis fabric backplane. The FortiController-5103B board forms
a session-aware load balanced cluster with up to 12 FortiGate-5000 boards operating as
workers and uses FortiASIC DP processors to load balance millions of sessions to the
cluster, providing 10 Gbps of traffic to each cluster member. Performance of the cluster
shows linear improvement if more workers are added.
Clusters can be formed with one or two FortiController-5103B boards and up to 12
workers. All of the workers must be the same model. Currently FortiGate-5001B,
FortiGate-5001C, FortiGate-5101C, and FortiGate-5001D models are supported.
The FortiController-5103B board can be installed in any ATCA chassis that can provide
sufficient power and cooling. Supported FortiGate chassis include the 14-slot
FortiGate-5140B and the 6-slot FortiGate-5060 chassis.
You can also install the FortiController-5103B board in a FortiGate-5144C chassis but
this is not recommended because the 5144C chassis has a 40Gbit fabric backplane while
the FortiController-5103B only supports 10Gbit fabric backplane connections. Older
FortiGate-5000 chassis do not supply the power and cooling required for the
FortiController-5103B board.
In all ATCA chassis, FortiController-5103B boards are installed in the first and second
hub/switch slots (usually slots 1 and 2). A single FortiController-5103B board should be
installed in slot 1 (but you can install it in slot 2). If you add a second board it should be
installed in slot 2.
Figure 1: FortiController-5103B front panel
Two FortiController-5103B boards can be installed in an active-passive HA configuration
that provides session failover protection. Two FortiController-5103B boards can also be
installed in the same chassis in dual FortiController mode, doubling the number of
network interfaces. The FortiController-5103B board in slot 1 always becomes the
primary board and the one in slot 2 becomes the backup.
You can also install FortiController-5103B boards in a second chassis with another set of
workers to provide chassis failover protection. In an active-passive HA configuration you
can install one or two FortiController-5103B boards in each chassis. In dual
FortiController-5103B configuration, each chassis has two FortiController-5103B boards.
The FortiController-5103B board includes the following hardware features:
• One 1-gigabit base backplane channel for layer-2 base backplane switching between
FortiGate-5000 boards installed in the same chassis as the FortiController-5103B
board. This base backplane channel includes 13 1-gigabit connections to up to 13
other slots in the chassis (slots 2 to 14).
• One 10-gigabit fabric backplane channel for layer-2 fabric backplane switching
between FortiGate-5000 boards installed in the same chassis as the
FortiController-5103B board. This fabric backplane channel includes 13 10-gigabit
connections to up to 13 other slots in the chassis (slots 2 to 14).
• Eight front panel 10-gigabit SFP+ FortiGate interfaces (1 to 8). In a session-aware load
balanced cluster these interfaces are connected to 10-gigabit networks to distribute
sessions to FortiGate-5000 boards installed in chassis slots 3 to 14. These interfaces
can also be configured to operate as 1-gigabit SFP interfaces to be connected to
1-gigabit networks.
• Two front panel base backplane 10-gigabit SFP+ interfaces (B1 and B2) that connect
to the base backplane channel. These interfaces are used for heartbeat and
management communication between FortiController-5103B boards. These
interfaces can also be configured to operate as 1-gigabit SFP interfaces.
• On-board FortiASIC DP processors to provide high-capacity session-aware load
balancing.
• One 1-gigabit out of band management ethernet interface (MGMT).
• One RJ-45, RS-232 serial console connection (CONSOLE).
FortiController-5103B system Front panel LEDs and connectors
Front panel LEDs and connectors
From the FortiController-5103B front panel you can view the status of the board LEDs to
verify that the board is functioning normally. You also connect the FortiController-5103B
board to your 10-gigabit network using the 1 to 8 front panel SFP+ connectors. The front
panel also includes B1 and B2 connectors for the base channels, an Ethernet
management interface (MGMT), an RJ-45 console port for connecting to the
FortiController-5103B CLI and a USB port. The USB port can be used with any USB key
for backing up and restoring configuration files.
FortiController-5103B front panel interfaces F1 to F8 appear on the
FortiController-5103B web-based manager and CLI as interfaces f1 to f8. In single
FortiController-5103B mode, workers see these as fctrl/1 to fctrl/8. In dual
FortiController-5103B mode, workers see these as fctrl1/1 to fctrl1/8 and fctrl2/1 to
fctrl2/8.
LEDs
Table 2: FortiController-5103B LEDs
LED | State | Description
Fabric (1/2 to 14) | Green | Fabric backplane interface is connected at 10 Gbps or 1 Gbps. Backplane Fabric interface slot-14 is not accessible.
Fabric (1/2 to 14) | Flashing Green | Network activity at the fabric backplane interface.
Fabric (1/2 to 14) | Off | No link is established.
Base (1/2 to 14) | Green | Base backplane interface is connected at 1 Gbps.
Base (1/2 to 14) | Flashing Green | Network activity at the base backplane interface.
Base (1/2 to 14) | Off | No link is established.
OOS (Out of Service) | Off | Normal operation.
OOS (Out of Service) | Amber | A fault condition exists and the FortiController-5103B blade is out of service (OOS). This LED may also flash very briefly during normal startup.
PWR (Power) | Green | The FortiController-5103B board is powered on.
STA (Status) | Off | The FortiController-5103B board is powered on.
STA (Status) | Flashing Green | The FortiController-5103B is starting up. If this LED is flashing at any time other than system startup, a fault condition may exist.
ACC (Disk activity) | Off or Flashing green | The ACC LED flashes green when the FortiController-5103B board accesses the flash disk. The flash disk stores the current firmware build and configuration files. The system accesses the flash disk when starting up, during a firmware upgrade, or when an administrator is using the CLI or GUI to change the FortiController-5103B configuration. Under normal operating conditions this LED flashes occasionally, but is mostly off.
Table 2: FortiController-5103B LEDs (Continued)
LED | State | Description
SH1 | | Not used in the default configuration. See “About the SH1 and SH2 LEDs”.
SH2 | Green or Flashing Green | Network activity between the FortiController-5103B board and one of the shelf managers across the chassis backplane. If the FortiController-5103B board is installed in chassis slot 1, this LED indicates a connection to shelf manager 2. If the FortiController-5103B board is installed in chassis slot 2, this LED indicates a connection to shelf manager 1.
1 to 8 | Green | The correct cable is connected to the interface and the connected equipment has power.
1 to 8 | Flashing Green | Network activity at the interface.
1 to 8 | Off | No link is established.
B1 and B2 | Green | The correct cable is connected to the interface and the connected equipment has power.
B1 and B2 | Flashing Green | Network activity at the interface.
B1 and B2 | Off | No link is established.
MGMT Link/Act (Left LED) | Solid Green | Indicates this interface is connected with the correct cable and the attached network device has power.
MGMT Link/Act (Left LED) | Blinking Green | Indicates network traffic on this interface.
MGMT Link/Act (Left LED) | Off | No Link
MGMT Speed (Right LED) | Green | Connection at 1 Gbps.
MGMT Speed (Right LED) | Amber | Connection at 100 Mbps.
MGMT Speed (Right LED) | Off | Connection at 10 Mbps.
IPM | Blue | The FortiController-5103B is ready to be hot-swapped (removed from the chassis). If the IPM light is blue and no other LEDs are lit the FortiController-5103B board has lost power
IPM | Flashing Blue | The FortiController-5103B is changing from hot swap to running mode or from running mode to hot swap. This happens when the FortiController-5103B board is starting up or shutting down.
IPM | Off | Normal operation. The FortiController-5103B board is in
The unlabeled interface beside the MGMT interface is not used.
About the SH1 and SH2 LEDs
SH1 and SH2 are base channel interfaces that can be used to connect the
FortiController-5103B board to the chassis shelf managers over the chassis backplane.
The SH1 and SH2 LEDs indicate the status of the connections between the
FortiController-5103B board and a shelf manager. Whether or not these LEDs are lit
depends on the configuration of the SH1 and SH2 interfaces on the
FortiController-5103B board, the configuration of the chassis backplane, and if one or
both shelf managers are installed and configured to connect using the backplane or their
front panel Ethernet interfaces.
By default the SH1 interface is disabled so the SH1 LED will not light.
By default, the SH2 interface is enabled so the SH2 LED will be lit if it can connect to a
shelf manager over the chassis backplane. If the FortiController-5103B board is installed
in chassis slot 1, the SH2 LED indicates a connection to shelf manager 2. If the
FortiController-5103B board is installed in chassis slot 2, the SH2 LED indicates a
connection to shelf manager 1.
Front panel connectors
Table 3: FortiController-5103B connectors
Connector | Type | Speed | Protocol | Description
CONSOLE | RJ-45 | 9600 bps 8/N/1 | RS-232 serial | Serial connection to the command line interface.
USB | USB | | | Not used.
1 to 8 | SFP+ (10 gigabit) or SFP (1 gigabit) | 10-gigabit full; 1-gigabit auto; 1-gigabit full | Ethernet | 10-gigabit SFP+ connection to 10-gigabit networks or 1-gigabit SFP connection to 1-gigabit networks. Small form-factor pluggable transceiver. On the FortiController-5103B GUI and CLI these interfaces are f1 to f8. In single FortiController-5103B mode, workers see these as fctrl/1 to fctrl/8. In dual FortiController-5103B mode, workers see these as fctrl1/1 to fctrl1/8 and fctrl2/1 to fctrl2/8.
B1 and B2 | SFP+ (10 gigabit) or SFP (1 gigabit) | 10-gigabit full; 1-gigabit auto; 1-gigabit full | Ethernet | 10-gigabit SFP+ connection to 10-gigabit networks or 1-gigabit SFP connection to 1-gigabit networks. Small form-factor pluggable transceiver. For heartbeat and management communication between FortiController-5103B boards.
MGMT | RJ-45 | 10/100/1000 Base-T | Ethernet | Copper 1-gigabit connection to 10/100/1000Base-T copper networks for management or system administration. The unlabeled interface beside the MGMT interface is not used. Its LEDs may be lit in some cases but the state of these LEDs can be ignored.
FortiController-5103B session-aware load balancing
The FortiController-5103B board uses three on-board FortiASIC DP processors to
perform high-performance session-aware load balancing. Under ideal conditions, the
FortiController-5103B is capable of forming a session-aware load balanced cluster of one
FortiController-5103B board and up to 12 FortiGate-5000 workers. A single
FortiController-5103B board can distribute up to 96 million concurrent sessions and start
36 million new sessions a second. A second FortiController-5103B board can be added
for redundancy or to create a dual-mode cluster that doubles the number of network
interfaces. You can also install a second chassis with one or two FortiController-5103B
boards for chassis failover.
As a session-aware load balancer, the FortiController-5103B board maintains the state
for each session and is capable of directing any session to any worker installed in the
same chassis. This session-awareness means that all traffic being processed by a
specific worker continues to be processed by the same worker. Session-awareness also
means that more complex networking features such as network address translation
(NAT), fragmented packets, complex UDP protocols, and complex protocols such as SIP
that use pinholes, can be load balanced by the cluster.
In a FortiController-5103B load balanced cluster, when a worker that is processing SIP
traffic creates a pinhole, this information is communicated to the FortiController-5103B.
The FortiController-5103B then knows to distribute the voice and media sessions to this
worker.
The SIP protocol uses known SIP ports for control traffic but dynamically uses a wide
range of ports for voice and other media traffic. To successfully pass SIP traffic through
a firewall, the firewall must use a session helper or application gateway to look inside the
SIP control traffic and determine the ports to open for voice and media. To allow the
voice and media traffic, the firewall temporarily opens these ports, creating what’s
known as a pinhole that temporarily allows traffic on a port as determined by the SIP
control traffic. The pinhole is closed when the voice or media session ends.
Session-aware load balancing does not support traffic shaping.
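The SIP pinhole handoff described above, modelled as a small simulation. This is an added illustration, not Fortinet code or the FortiASIC DP algorithm; the class and function names, the CRC32 worker selection, the pinhole key and the constructed SIP message are all assumptions.

```python
import re
import zlib

# Constructed SIP INVITE with an SDP body (documentation-range addresses).
SAMPLE_INVITE = (
    "INVITE sip:bob@example.com SIP/2.0\r\n"
    "Content-Type: application/sdp\r\n\r\n"
    "v=0\r\n"
    "c=IN IP4 192.0.2.10\r\n"
    "m=audio 49170 RTP/AVP 0\r\n"
)

def sdp_media_endpoints(sip_message):
    """Return the (ip, port) pairs a SIP session helper would open pinholes for."""
    conn = re.search(r"^c=IN IP4 (\S+)", sip_message, re.M)
    ports = re.findall(r"^m=\w+ (\d+) ", sip_message, re.M)
    return [(conn.group(1), int(p)) for p in ports] if conn else []

class SessionAwareBalancer:
    def __init__(self, workers):
        self.workers = list(workers)
        self.sessions = {}   # 5-tuple -> worker that owns the session
        self.pinholes = {}   # (proto, dst_ip, dst_port) -> worker that opened it

    def dispatch(self, proto, src, sport, dst, dport):
        key = (proto, src, sport, dst, dport)
        if key in self.sessions:              # known session stays on its worker
            return self.sessions[key]
        worker = self.pinholes.get((proto, dst, dport))
        if worker is None:                    # no pinhole: stable hash of the 5-tuple
            digest = zlib.crc32(repr(key).encode())
            worker = self.workers[digest % len(self.workers)]
        self.sessions[key] = worker
        return worker

    def open_pinhole(self, worker, proto, dst, dport):
        self.pinholes[(proto, dst, dport)] = worker   # reported by the worker

    def close_pinhole(self, proto, dst, dport):
        self.pinholes.pop((proto, dst, dport), None)  # media session ended

def demo():
    lb = SessionAwareBalancer(["worker3", "worker4", "worker5"])
    ctrl = lb.dispatch("udp", "198.51.100.7", 5060, "192.0.2.1", 5060)
    for ip, port in sdp_media_endpoints(SAMPLE_INVITE):
        lb.open_pinhole(ctrl, "udp", ip, port)        # worker handling SIP control
    media = lb.dispatch("udp", "198.51.100.7", 40000, "192.0.2.10", 49170)
    return ctrl, media
```

`demo()` returns the worker chosen for the SIP control session and the worker chosen for the media session; the two match because the pinhole entry takes precedence over the hash.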