There are 3 different modes on the FortiGate to balance the load on Link Aggregation ports.
set algorithm
    L2    Use layer 2 address for distribution.
    L3    Use layer 3 address for distribution.
    L4    Use layer 4 information for distribution.

L2 is using SMAC/DMAC
L3 is using SIP/DIP
L4 is using SPORT/DPORT/PROTO
But the debug command to calculate the port to be selected also considers other options.
diagnose netlink aggregate port <aggregate-interface> [ src-mac <mac-addr> ] [ dst-mac <mac-addr> ] [ src-ip <IPv4-addr> ] [ dst-ip <IPv4-addr> ] [ proto <IP-protocol> ] [ src-port <TCP/UDP port> ] [ dst-port <TCP/UDP port> ] [ vlan-id <VLAN-Id> ] [ spi <IPsec-SPI> ] [ frag (offset|flag) ]
Can VLAN ID and SPI be criteria to select the port? Let's put it this way: if I have a single IPSec tunnel over LACP, creating multiple SAs under it, will it allow me to split the traffic among LACP members?
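
An added illustration, not part of the original post and not FortiOS code: a generic model of hash-based member selection showing why the hash key matters for ESP traffic. The XOR-fold hash, the key layout, the member names, the addresses and the SPI values are all assumptions made for the example; it does not show which fields FortiOS actually hashes.

```python
import ipaddress
import struct
from functools import reduce

ESP = 50  # IP protocol number of ESP; an ESP header carries no TCP/UDP ports

def xor_fold(data: bytes) -> int:
    """Stand-in hash (assumption, NOT the FortiOS algorithm): XOR of all key bytes."""
    return reduce(lambda a, b: a ^ b, data, 0)

def l4_key(src_ip, dst_ip, proto, src_port=None, dst_port=None, spi=None) -> bytes:
    """Build a hash key from SIP/DIP/PROTO, plus ports and SPI when they are given."""
    key = ipaddress.IPv4Address(src_ip).packed + ipaddress.IPv4Address(dst_ip).packed
    key += bytes([proto])
    if src_port is not None and dst_port is not None:
        key += struct.pack("!HH", src_port, dst_port)
    if spi is not None:
        key += struct.pack("!I", spi)
    return key

def pick_member(key: bytes, members):
    """Map the hash of the key onto one aggregate member."""
    return members[xor_fold(key) % len(members)]

# Constructed sample data: two aggregate members, one tunnel, four SAs.
MEMBERS = ["port1", "port2"]
TUNNEL = ("198.51.100.1", "203.0.113.1")
SPIS = [0x10000001, 0x10000002, 0x10000003, 0x10000004]

def members_used(include_spi: bool) -> set:
    """Return the set of members chosen for the ESP packets of every SA."""
    used = set()
    for spi in SPIS:
        key = l4_key(*TUNNEL, ESP, spi=spi if include_spi else None)
        used.add(pick_member(key, MEMBERS))
    return used

if __name__ == "__main__":
    # Same SIP/DIP/PROTO and no ports: every SA produces an identical key.
    print("key without SPI:", sorted(members_used(include_spi=False)))
    # SPI in the key: the SAs can land on different members.
    print("key with SPI:   ", sorted(members_used(include_spi=True)))
```

Whether a given device includes the SPI in its key is something to confirm on the device itself, for example by running the diagnose command above with different spi values and comparing the selected port.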