Server Load Balancing – FortiBalancer

6.3.9.3 Persistence Method Collaborating with an SLB Persistence Policy

  • Configuration purpose:

To implement session persistence by applying both the persistence method and a Layer 7 SLB persistence policy. In this case, the session ID is obtained through the policy. The following table describes the configuration for the method and policy:

Table 6-13 Configurations of the Method and Policy

| Item | Configurations |
|---|---|
| Policy | • The header policy is configured to obtain the content of “x-up-calling-line-id” in the HTTP request header as the target string.<br>• The default policy is configured. |
| Persistence method | • The first choice method is round robin (rr).<br>• The session ID is of the string type.<br>• Whether to obtain the session ID from the client request or server response is not specified.<br>• The offset and ID length for obtaining the session ID are specified. |

Once configured, the FortiBalancer appliance behaves as follows:

  • If the request from the client matches the header policy, the appliance obtains the session ID from the content of “x-up-calling-line-id” based on the offset and ID length.
  • If the request from the client matches the default policy, the appliance uses the first choice method to direct the request to a real server and does not implement session persistence.
  • Prerequisites:
    • Layer 4 or 7 real services r1 and r2 are already defined. In this example, the real services are of the HTTP type.
    • A Layer 4 or 7 virtual service v1 is already defined. In this example, the virtual service is of the HTTP type.
  • web UI:
    1. Select Server Load Balance > Groups > Groups. In the Add Group area, select “Persistence” from the Group Method drop-down list and “string” from the Session Type drop-down list. Specify other parameters as required. Click the Add action link.
    2. In the Group List area, double-click the group. In the Group Members area of the displayed page, click the Add action link. In the Add Group Member area of the displayed page, specify the required parameters and click Save to save the configuration.
    3. Select Server Load Balance > Virtual Services > Virtual Services. In the Virtual Service List area, double-click the virtual service. In the Associate Groups area of the displayed page, specify the required parameters and click the Add action link.
    4. Select Server Load Balance > Groups > Groups. In the Group List area, double-click the group. In the Group Settings area of the displayed page, specify the Persistence Timeout, Persistence Timeout Mode, Persistence Session ID Offset, and Persistence Session ID Length. Click the Set action link.

  • CLI:
    1. Execute the following command to configure the service group and persistence method:

slb group method <group_name> persistence <session_id_type> [rr|sr|lc] [threshold]

For example:

FortiBalancer(config)#slb group method g1 persistence string rr

    2. Execute the following command to add real services to the service group:

slb group member <group_name> <real_name> [weight]

For example:

FortiBalancer(config)#slb group member g1 r1 1 0

FortiBalancer(config)#slb group member g1 r2 1 0

    3. Execute the following commands to bind the service group and virtual service with the header and default policies:

slb policy header <policy_name> {virtual_name|vlink_name} {group_name|vlink_name} <header_name> <header_pattern> <precedence>

slb policy default {virtual_name|vlink_name} {group_name|vlink_name}

For example:

FortiBalancer(config)#slb policy header p1 v1 g1 "x-up-calling-line-id" "^1" 1

FortiBalancer(config)#slb policy default v1 g1

    4. Execute the following command to configure the offset and length for the session ID:

slb group persistence value <group_name> <offset> [session_id_length]

For example:

FortiBalancer(config)#slb group persistence request header g1 abc user y 0

FortiBalancer(config)#slb group persistence value g1 4 3

    5. Execute the following command to configure the timeout mode:

slb persistence timeout <timeout_minutes> [group_name] [idle|timeout]

For example:

FortiBalancer(config)#slb persistence timeout 5 g1 idle
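
The following Python sketch is an added illustration, not FortiBalancer code or part of the user guide: it models how group g1 would pick a real service under the configuration above. The 0-based offset, regular-expression matching of the header pattern, the handling of values too short for a full ID, and the sample header values are assumptions; the persistence timeout is not modelled.

```python
import re
from itertools import cycle

# Values from the CLI example above. Treating the offset as 0-based and the
# header pattern as a regular expression are assumptions of this sketch.
HEADER_NAME = "x-up-calling-line-id"
HEADER_PATTERN = re.compile(r"^1")
OFFSET, ID_LENGTH = 4, 3          # slb group persistence value g1 4 3
REAL_SERVICES = ["r1", "r2"]      # members of group g1


class PersistenceGroup:
    """Toy model of g1: string persistence, round robin as first choice."""

    def __init__(self, members):
        self._rr = cycle(members)
        self.table = {}           # session ID -> real service

    def route(self, headers):
        """Return (real_service, session_id); session_id is None when not persisted."""
        lowered = {k.lower(): v for k, v in headers.items()}
        value = lowered.get(HEADER_NAME)
        # Header policy p1 applies only when the header exists and matches.
        if value is None or not HEADER_PATTERN.search(value):
            return next(self._rr), None    # default policy: rr, no persistence
        session_id = value[OFFSET:OFFSET + ID_LENGTH]
        if len(session_id) < ID_LENGTH:
            # Value too short for a full ID: modelled as no persistence (assumption).
            return next(self._rr), None
        if session_id not in self.table:
            self.table[session_id] = next(self._rr)
        return self.table[session_id], session_id


def demo():
    group = PersistenceGroup(REAL_SERVICES)
    requests = [  # constructed sample header values
        {"X-Up-Calling-Line-ID": "1234abc890"},  # ID "abc": new table entry
        {"X-Up-Calling-Line-ID": "1999abc000"},  # different value, same ID "abc"
        {"X-Up-Calling-Line-ID": "2234abc890"},  # fails ^1: default policy
        {"User-Agent": "example"},               # header absent: default policy
        {"X-Up-Calling-Line-ID": "1234xyz890"},  # ID "xyz": new table entry
    ]
    return [group.route(r) for r in requests]


if __name__ == "__main__":
    for real_service, session_id in demo():
        print(real_service, session_id)
```

The second sample request shows that two different header values sharing the same characters at the configured offset land on the same persistence entry, so the offset and length should cover the part of the value that actually distinguishes clients.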

 

 

6.4 SLB Summary

| SLB Type | Priority (1 is the highest) | Virtual Service | Real Service | Health check | Scenarios |
|---|---|---|---|---|---|
| Layer 7 HTTP/HTTPS | 2 | IP + Port + proto (HTTP, HTTPS) | IP + Port + proto (HTTP, HTTPS) | None, HTTP, HTTPS, TCP, TCPS, ICMP, Additional, Script | 1. Balance traffic according to application protocol headers, e.g. HTTP headers<br>2. Cache feature is needed |
| Layer 7 DNS | 2 | IP + Port + proto (DNS) | IP + Port + proto (DNS) | None, DNS, ICMP, Additional, Script | DNS requests; DNS cache feature can be applied for better performance |
| Layer 7 FTP | 2 | IP + Port + proto (FTP) | IP + Port + proto (FTP) | None, TCP, ICMP, Additional, Script | FTP traffic |
| Layer 7 SIP | 2 | IP + Port + proto (SIP-TCP, SIP-UDP) | IP + Port + proto (SIP-TCP, SIP-UDP) | None, TCP, TCPS, ICMP, Additional, Script, SIP-TCP, SIP-UDP | Balance VOIP traffic |
| Layer 7 RTSP | 2 | IP + Port + proto (RTSP) | IP + Port + proto (RTSP) | None, TCP, ICMP, Additional, Script, RTSP-TCP | Balance real time media traffic |
| Layer 4 | 2 | IP + port | IP + Port | None, TCP, TCPS, ICMP, Additional, Script | 1. Balance traffic according to TCP/UDP headers.<br>2. TCP port or UDP port is specified to determine a particular service |
| Port range (for Layer 7) | 3 | Layer 7 VS + Port range | Layer 7 RS; Layer 7 RS (0 port) | Non-zero port RS: Layer 7 health check<br>Zero port RS: ICMP, Additional | In addition to Layer 7 SLB, cross-port and dynamic port application traffic balance is supported |
| Port range (for Layer 4) | 3 | Layer 4 VS + Port range | Layer 4 RS; Layer 4 RS (0 port) | Non-zero port RS: Layer 4 health check<br>Zero port RS: ICMP, Additional | In addition to Layer 4 SLB, cross-port and dynamic port application traffic balance is supported |
| Layer 3 | 4 | IP | IP | None, ICMP, Additional | In addition to port range SLB, cross-protocol application traffic balance is supported. Currently, only TCP and UDP protocol are supported. |
| Layer 2 | 1 | IP + port ranges | IP, MAC | ARP, Additional (only ICMP) | 1. The backend real services do not have usable IP addresses so that the traffic cannot be balanced according to IP addresses;<br>2. The backend real services are not the destination of the input traffic (e.g. virus scanners check every packet before forwarding it to the real destination). |

Fortinet Technologies Inc. FortiBalancer 8.4 User Guide

