Server Load Balancing – FortiBalancer

6.3.8 Policy Nesting

6.3.8.1 Configuration Guidelines

The commands used to configure Policy Nesting are summarized in the following table:

Table 6-12 General Settings of Policy Nesting

  • Configure real services

slb real http <real_name> <ip> [port] [max_conn] [http|tcp|icmp|script-tcp|script-udp|sip-tcp|sip-udp|dns] [hc_up] [hc_down]

slb real https <real_name> <ip> [port] [max_conn] [https|tcp|tcps|icmp|script-tcp|script-udp|script-tcps|sip-tcp|sip-udp|dns] [hc_up] [hc_down]

  • Define group methods

slb group method <group_name> [algorithm]

  • Add the real servers into the group

slb group member <group_name> <real_name> [weight]

  • Define virtual services

slb virtual {http|https|dns|siptcp|sipudp} <virtual_name> <vip> [vport] [arp|noarp] [max_conn]

slb virtual {tcp|tcps|udp} <virtual_name> <vip> <vport> [arp|noarp] [max_conn]

slb virtual rtsp <virtual_name> <vip> [vport] [mode] [arp|noarp] [max_conn]

slb virtual {ftp|ftps} <virtual_name> <vip> [vport] [max_conn]

  • Create the vlink

slb vlink <vlink_name>

  • Bind the group to the virtual service or the vlink

slb policy default {virtual_name|vlink_name} {group_name|vlink_name}

slb policy static <virtual_name> <real_name>

slb policy icookie <policy_name> {virtual_name|vlink_name} <group_name> <precedence>

slb policy rcookie <policy_name> {virtual_name|vlink_name} <group_name> <precedence>

slb policy persistent cookie <policy_name> {virtual_name|vlink_name} <group_name> <cookie_name> <precedence>

slb policy persistent url <policy_name> {virtual_name|vlink_name} <group_name> <url_tag> <precedence>

6.3.8.2 Configuration Example via CLI

To help you better understand the example, the following graphic shows the logical relationship among VIPs, vlinks and groups.

Figure 6-15 Policy Nesting

  • Step 1 Define the real services

Six HTTP real services are configured in this example:

FortiBalancer(config)#slb real http "rhttp1" 172.16.85.109 80 1000 http 3 3

FortiBalancer(config)#slb real http "rhttp2" 172.16.85.110 8081 1000 http 3 3

FortiBalancer(config)#slb real http "rhttp3" 172.16.85.111 8080 1000 http 3 3

FortiBalancer(config)#slb real http "rhttp4" 172.16.85.112 112 1000 tcp 3 3

FortiBalancer(config)#slb real http "rhttp5" 172.16.85.113 113 1000 tcp 3 3

FortiBalancer(config)#slb real http "rhttp6" 172.16.85.114 114 1000 tcp 3 3

  • Step 2 Create the groups

FortiBalancer(config)#slb group method group1 rr

FortiBalancer(config)#slb group method group2 rr

FortiBalancer(config)#slb group method group3 rr

FortiBalancer(config)#slb group method group4 rr

  • Step 3 Add the real services into the groups

FortiBalancer(config)#slb group member group1 rhttp1 1

FortiBalancer(config)#slb group member group1 rhttp2 2

FortiBalancer(config)#slb group member group2 rhttp3 1

FortiBalancer(config)#slb group member group2 rhttp4 2

FortiBalancer(config)#slb group member group3 rhttp5 1

FortiBalancer(config)#slb group member group4 rhttp6 1

  • Step 4 Create a virtual service

FortiBalancer(config)#slb virtual http vhttp 172.16.63.109 80 arp 0

  • Step 5 Create the vlinks

FortiBalancer(config)#slb vlink vlink1

FortiBalancer(config)#slb vlink vlink2

  • Step 6 Associate a group to a virtual service or a vlink

FortiBalancer(config)#slb policy qos network policy1 vhttp vlink1 192.168.2.3 255.255.255.255 1

FortiBalancer(config)#slb policy default vhttp group1

FortiBalancer(config)#slb policy qos url policy2 vlink1 vlink2 "news" 1

FortiBalancer(config)#slb policy default vlink1 group2

FortiBalancer(config)#slb policy qos url policy3 vlink2 group3 "sport" 1

FortiBalancer(config)#slb policy default vlink2 group4

In this example:

  • If the source IP address of a request is within the sub network, it will match policy1 and go to vlink1. Otherwise, the request will be distributed to group1.
  • If the request goes to vlink1 and there is “news” in the URL, it will match policy2 and go to vlink2. Otherwise, the request will be forwarded to group2.
  • If the request goes to vlink2 and there is “sports” in the URL, it will match policy3 and go to group3. Otherwise, the request will be sent to group4.
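
The decision chain above can be checked offline before the policies are committed. The following is an added example, not code from the FortiBalancer documentation: a small Python model of the Step 6 policies that reports which group a request lands in. The dictionary layout and the `resolve` function are assumptions of this example, and URL policies are modelled as plain substring matches.

```python
import ipaddress

# Constructed model of the Step 6 policies; the dictionary layout is an
# assumption of this example, not a FortiBalancer data structure.
POLICIES = {
    "vhttp": {
        "qos": ("network",
                ipaddress.ip_network("192.168.2.3/255.255.255.255"),
                "vlink1"),
        "default": "group1",
    },
    "vlink1": {"qos": ("url", "news", "vlink2"), "default": "group2"},
    "vlink2": {"qos": ("url", "sport", "group3"), "default": "group4"},
}


def resolve(entry, src_ip, url, policies=POLICIES):
    """Follow qos/default policies from a virtual service to a group.

    Returns (group_name, path), where path lists every node visited.
    """
    node, path = entry, [entry]
    while node in policies:          # groups are not keys, so they end the walk
        kind, pattern, target = policies[node]["qos"]
        if kind == "network":
            hit = ipaddress.ip_address(src_ip) in pattern
        else:                        # "url": substring match on the request URL
            hit = pattern in url
        node = target if hit else policies[node]["default"]
        if node in path:             # guard for a model in which a vlink loops back
            raise ValueError(f"policy loop at {node}: {path}")
        path.append(node)
    return node, path
```

With the mask 255.255.255.255 used in Step 6, only the single address 192.168.2.3 matches policy1; every other source address falls through to group1.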

6.3.9 SLB Session Persistence Configuration

6.3.9.1 Independently Applying the Persistence Method for Session Persistence (ip)

  • Configuration purpose:

To implement session persistence by independently using the persistence method with the client IP address as the session ID. Once configured, the FortiBalancer appliance will:

  • Send the first access request from a client to the real server selected by the first choice method (rr in this example).
  • Obtain and record the client IP address as the unique session ID.
  • Send subsequent requests from the client to the same real server. If the client remains idle (for example, no new client requests are detected) for 5 minutes, the FortiBalancer appliance will terminate the client’s session and clear the session ID.

The detailed configuration procedure is as follows:

  • Prerequisites:
    • Layer 4 or 7 real services r1 and r2 are already defined. In this example, real services are of the HTTP type.
    • A Layer 4 or 7 virtual service v1 is already defined. In this example, the virtual service is of the HTTP type.
  • web UI:
    1. Select Server Load Balance > Groups > Groups. In the Add Group area, select “Persistence” from the Group Method drop-down list and “ip” from the Session Type drop-down list. Specify other parameters as required. Click the Add action link.
    2. In the Group List area, double-click the group. In the Group Members area of the displayed page, click the Add action link. In the Add Group Member area of the displayed page, specify the required parameters and click the Save action link to save the configuration.
    3. Select Server Load Balance > Virtual Services > Virtual Services. In the Virtual Service List area, double-click the virtual service. In the Associate Groups area of the displayed page, specify the required parameters and click the Add action link.
    4. Select Server Load Balance > Groups > Groups. In the Group List area, double-click the group. In the Group Settings area of the displayed page, specify the Persistence Timeout and Persistence Timeout Mode. Click the Set action link.

  • CLI:
    1. Execute the following command to configure the service group and persistence method:

slb group method <group_name> persistence <session_id_type> [rr|sr|lc] [threshold]

For example:

FortiBalancer(config)#slb group method g1 persistence ip rr

    2. Execute the following command to add real services to the service group:

slb group member <group_name> <real_name> [weight]

For example:

FortiBalancer(config)#slb group member g1 r1 1 0

FortiBalancer(config)#slb group member g1 r2 1 0

    3. Execute the following command to bind the service group and virtual service with the default policy:

slb policy default {virtual_name|vlink_name} {group_name|vlink_name}

For example:

FortiBalancer(config)#slb policy default v1 g1

    4. Execute the following command to configure the timeout mode:

slb persistence timeout <timeout_minutes> [group_name] [idle|timeout]

For example:

FortiBalancer(config)#slb persistence timeout 5 g1 idle

6.3.9.2 Independently Applying the Persistence Method for Session Persistence (string)

  • Configuration purpose:

To implement session persistence by independently using the persistence method with a specified string (obtained from the HTTP response cookie) as the session ID. Once configured, the FortiBalancer appliance will:

  • Send the first access request from a client to the real server selected by the first choice method (rr in this example).
  • Obtain the “mycookie” value from the real server response and record it as the session ID.
  • When receiving subsequent requests from the client, check whether the value of “telnum” in the request URL query matches the session ID. If yes, send the request to the same real server. If the client remains idle (for example, no new client requests are detected) for 5 minutes, the FortiBalancer appliance will terminate the client’s session and clear the session ID.

The detailed configuration procedure is as follows:

  • Prerequisites:
    • Layer 4 or 7 real services r1 and r2 are already defined. In this example, real services are of the HTTP type.
    • A Layer 4 or 7 virtual service v1 is already defined. In this example, the virtual service is of the HTTP type.
  • web UI:
    1. Select Server Load Balance > Groups > Groups. In the Add Group area, select “Persistence” from the Group Method drop-down list and “string” from the Session Type drop-down list. Specify other parameters as required. Click the Add action link.
    2. In the Group List area, double-click the group. In the Group Members area of the displayed page, click the Add action link. In the Add Group Member area of the displayed page, specify the required parameters and click Save to save the configuration.
    3. In the Persistence List area, click the Add action link. In the Add Persistence Entry area of the displayed page, specify the response cookie-related parameters and click Save to save the configuration.
    4. In the Persistence List area, click the Add action link. In the Add Persistence Entry area of the displayed page, specify the request-related parameters and click Save to save the configuration.
    5. Select Server Load Balance > Virtual Services > Virtual Services. In the Virtual Service List area, double-click the virtual service. In the Associate Groups area of the displayed page, specify the required parameters and click the Add action link.
    6. Select Server Load Balance > Groups > Groups. In the Group List area, double-click the group. In the Group Settings area of the displayed page, specify the Persistence Timeout and Persistence Timeout Mode. Click the Set action link.

  • CLI:
    1. Execute the following command to configure the service group and persistence method:

slb group method <group_name> persistence <session_id_type> [rr|sr|lc] [threshold]

For example:

FortiBalancer(config)#slb group method g1 persistence string rr

    2. Execute the following command to add real services to the service group:

slb group member <group_name> <real_name> [weight]

For example:

FortiBalancer(config)#slb group member g1 r1 1 0

FortiBalancer(config)#slb group member g1 r2 1 0

    3. Execute the following commands to obtain the value of “mycookie” in the response from the real server as the session ID:

slb group persistence request urlquery <group_name> <query_name>

slb group persistence response cookie <group_name> <cookie_name>

For example:

FortiBalancer(config)#slb group persistence request urlquery g1 telnum

FortiBalancer(config)#slb group persistence response cookie g1 mycookie

    4. Execute the following command to bind the service group and virtual service with the default policy:

slb policy default {virtual_name|vlink_name} {group_name|vlink_name}

For example:

FortiBalancer(config)#slb policy default v1 g1

    5. Execute the following command to configure the timeout mode:

slb persistence timeout <timeout_minutes> [group_name] [idle|timeout]

For example:

FortiBalancer(config)#slb persistence timeout 5 g1 idle

Note:

Before configuring the FortiBalancer to implement session persistence based on the HTTP cookie, you need to specify the cookie in the real service configurations to ensure that the HTTP response can carry the corresponding cookie.
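
The behaviour described in 6.3.9.1 (client IP as session ID) and 6.3.9.2 (response cookie “mycookie” matched against the “telnum” URL query) can be traced with a small model. This is an added example, not FortiBalancer code: the `PersistenceGroup` class, its method names and the explicit `now` timestamps in seconds are assumptions of this example, and only the idle timeout mode is modelled.

```python
from urllib.parse import urlparse, parse_qs

IDLE_SECONDS = 5 * 60  # slb persistence timeout 5 g1 idle


class PersistenceGroup:
    """Toy model of group g1: persistence table in front of round robin."""

    def __init__(self, members, idle=IDLE_SECONDS):
        self.members, self.idle = list(members), idle
        self.next_rr = 0
        self.table = {}                  # session ID -> [real service, last seen]

    def _round_robin(self):
        real = self.members[self.next_rr % len(self.members)]
        self.next_rr += 1
        return real

    def _lookup(self, session_id, now):
        entry = self.table.get(session_id)
        if entry and now - entry[1] > self.idle:
            del self.table[session_id]   # idle too long: clear the session ID
            entry = None
        if entry:
            entry[1] = now               # activity refreshes the idle timer
            return entry[0]
        return None

    def route_by_ip(self, client_ip, now):
        """6.3.9.1: the client IP address is the session ID."""
        real = self._lookup(client_ip, now)
        if real is None:
            real = self._round_robin()
            self.table[client_ip] = [real, now]
        return real

    def route_by_string(self, url, now):
        """6.3.9.2: 'telnum' in the URL query is compared with recorded IDs."""
        telnum = parse_qs(urlparse(url).query).get("telnum", [None])[0]
        real = self._lookup(telnum, now) if telnum else None
        return real or self._round_robin()

    def learn_from_response(self, real, cookies, now):
        """6.3.9.2: record the 'mycookie' value the real server returned."""
        if "mycookie" in cookies:
            self.table[cookies["mycookie"]] = [real, now]
```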

