Load balancing configuration examples

Load balancing configuration examples

Example HTTP load balancing to three real web servers

In this example, a virtual web server with IP address 192.168.37.4 on the Internet, is mapped to three real web servers connected to the FortiGate unit dmz1 interface. The real servers have IP addresses 10.10.123.42, 10.10.123.43, and 10.10.123.44. The virtual server uses the First Alive load balancing method. The configuration also includes an HTTP health check monitor that includes a URL used by the FortiGate unit for get requests to monitor the health of the real servers.

Connections to the virtual web server at IP address 192.168.37.4 from the Internet are translated and load balanced to the real servers by the FortiGate unit. First alive load balancing directs all sessions to the first real server. The computers on the Internet are unaware of this translation and load balancing and see a single virtual server at IP address 192.168.37.4 rather than the three real servers behind the FortiGate unit.

 

 

Webbased manager configuration

Use the following procedures to configure this load balancing setup from the web-based manager.

 

To add an HTTP health check monitor

In this example, the HTTP health check monitor includes the URL “/index.html” and the Matched Phrase “Fortinet products”.

1. Go to Policy & Objects > Health Check.

2. Select Create New.

3. Add an HTTP health check monitor that sends get requests to http://<real_server_IP_address>/index.html and searches the returned web page for the phrase “Fortinet products”.

 

  Name HTTP_health_chk_1
Type HTTP
Port 80
URL /index.html
Matched Content Fortinet products
Interval 10 seconds
Timeout 2 seconds
Retry 3
 

4.

 

Select OK.

 

 

To add the HTTP virtual server

1. Go to Policy & Objects > Virtual Servers.

2. Select Create New.

3. Add an HTTP virtual server that allows users on the Internet to connect to the real servers on the internal network.

In this example, the FortiGate wan1 interface is connected to the Internet.

Name                                           Load_Bal_VS1

Type                                            HTTP

Interface                                     wan1

Virtual Server IP                        192.168.37.4

The public IP address of the web server.

The virtual server IP address is usually a static IP address obtained from your ISP for your web server. This address must be a unique IP address that is not used by another host and cannot be the same as the IP address of the external interface the virtual IP will be using. However, the external IP address must be routed to the selected interface. The virtual IP address and the external IP address can be on different subnets. When you add the virtual IP, the external interface responds to ARP requests for the external IP address.

Virtual Server Port                    80

Load Balance Method              First Alive

Persistence                                HTTP cookie

HTTP Multiplexing                    Select.

The FortiGate unit multiplexes multiple client into a few connections between the FortiGate unit and each real HTTP server. This can improve performance by reducing server overhead associated with establishing mul- tiple connections.

 

Preserve Client IP                     Select

The FortiGate unit preserves the IP address of the client in the X-For- warded-For HTTP header.

 

Health Check                             Move the HTTP_health_chk_1 health check monitor to the Selected list.

4. Select OK.

 

To add the real servers and associate them with the virtual server

1. Go to Policy & Objects > Real Servers.

2. Select Create New.

3. Configure three real servers that include the virtual server Load_Bal_VS1. Each real server must include the IP address of a real server on the internal network. Configuration for the first real server.

Virtual Server                             Load_Bal_VS1

IP Address                                 10.10.10.42

Port                                             80

Weight                                        Cannot be configured because the virtual server does not include weighted load balancing.

Maximum Connections            0

Setting Maximum Connections to 0 means the FortiGate unit does not limit the number of connections to the real server. Since the virtual server uses First Alive load balancing you may want to limit the number of con- nections to each real server to limit the traffic received by each server. In this example, the Maximum Connections is initially set to 0 but can be adjusted later if the real servers are getting too much traffic.

Configuration for the second real server.

Virtual Server                             Load_Bal_VS1

IP Address                                 10.10.10.43

Port                                             80

Weight                                        Cannot be configured because the virtual server does not include weighted load balancing.

Maximum Connections            0

Setting Maximum Connections to 0 means the FortiGate unit does not limit the number of connections to the real server. Since the virtual server uses First Alive load balancing you may want to limit the number of con- nections to each real server to limit the traffic received by each server. In this example, the Maximum Connections is initially set to 0 but can be adjusted later if the real servers are getting too much traffic.

Configuration for the third real server.

Virtual Server                             Load_Bal_VS1

IP Address                                 10.10.10.44

Port                                             80

Weight                                        Cannot be configured because the virtual server does not include weighted load balancing.

Maximum Connections            0

Setting Maximum Connections to 0 means the FortiGate unit does not limit the number of connections to the real server. Since the virtual server uses First Alive load balancing you may want to limit the number of con- nections to each real server to limit the traffic received by each server. In this example, the Maximum Connections is initially set to 0 but can be adjusted later if the real servers are getting too much traffic.

 

To add the virtual server to a security policy

Add a wan1 to dmz1 security policy that uses the virtual server so that when users on the Internet attempt to connect to the web server’s IP address, packets pass through the FortiGate unit from the wan1 interface to the dmz1 interface. The virtual IP translates the destination address of these packets from the virtual server IP address to the real server IP addresses.

1. Go to Policy & Objects > IPv4 Policy.

2. Select Create New.

3. Configure the security policy:

Policy Type                                Firewall

Policy Subtype                          Address

Incoming Interface                   wan1

Source Address                        all (or a more specific address)

Outgoing Interface                   dmz1

Destination Address                 Load_Bal_VS1

Schedule                                    always

Service                                       HTTP

Action                                         ACCEPT

Log Allowed Traffic                  Select to log virtual server traffic

Enable NAT                                Select this option and select Use Destination Interface Address.

4. Select other security policy options as required.

5. Select OK.

 

CLI configuration

Use the following procedure to configure this load balancing setup from the CLI.

 

To configure HTTP load balancing

1. Use the following command to add an HTTP health check monitor that sends get requests to http://<real_server_ IP_address>/index.html and searches the returned web page for the phrase “Fortinet products”.

config firewall ldb-monitor edit HTTP_health_chk_1

set type http set port 80

set http-get /index.html

set http-match “Fortinet products”

set interval 10 set timeout 2 set retry 3

end

2. Use the following command to add an HTTP virtual server that allows users on the Internet to connect to the real servers on the internal network. In this example, the FortiGate wan1 interface is connected to the Internet.

config firewall vip edit Load-Bal_VS1

set type server-load-balance set server-type http

set ldb-method first-alive set http-multiplex enable set http-ip-header enable set extip 192.168.37.4

set extintf wan1 set extport 80

set persistence http-cookie set monitor HTTP_health_chk_1

config realservers edit 1

set ip 10.10.10.42 set port 80

next edit 2

set ip 10.10.10.43 set port 80

next edit 3

set ip 10.10.10.44 set port 80

end

end

3. Use the following command to add a security policy that includes the load balance virtual server as the destination address.

config firewall policy edit 0

set srcintf wan1 set srcaddr all set dstintf dmz1

set dstaddr Load-Bal_VS1 set action accept

set schedule always set service ALL

set nat enable end

Configure other security policy settings as required.

This entry was posted in FortiOS 5.4 Handbook and tagged on by .

About Mike

Michael Pruett, CISSP has a wide range of cyber-security and network engineering expertise. The plethora of vendors that resell hardware but have zero engineering knowledge resulting in the wrong hardware or configuration being deployed is a major pet peeve of Michael's. This site was started in an effort to spread information while providing the option of quality consulting services at a much lower price than Fortinet Professional Services. Owns PacketLlama.Com (Fortinet Hardware Sales) and Office Of The CISO, LLC (Cybersecurity consulting firm).

4 thoughts on “Load balancing configuration examples

  1. Antonio Santos

    hello, my name is Antonio Santos
    I trying implemente a simple load balance with 2 real servers and 1 virtual IP
    Both are in my inboud, because they are two mail servers and all the clientes, all in my internal network connected to the fortigate by the same interface (inbound).
    My big problem is that when they share the same interface, fortigate aply NAT, but i need the real ip from the clientes.
    Fortinet say that is by design.
    do you now any way to make the real IP from the clients Reach the server?

    thanks very mutch
    ambsantos@gmail.com

    Reply
    1. Mike Post author

      Antonio,

      You want to see the external clients IP when hitting the email server? I assume this is the case. I just want to make sure before I dive in.

      Reply
  2. Rikard

    Hi,
    I am trying to create a monitor for a http load balancer but struggle with getting the fortigate unit understand that the real server is alive. The loadbalancer it self is distributing tcp to two servers on port 443, but since these packets are received by apache servers which forward traffic to jboss appservers and I want the whole chain verified. So I have a status-app on the Jboss that replies a http status page that says ACTIVE, The monitor is pulling port 80 on apache that performs proxyPass on to the app. and I can browse to the same URL http://apache1/status and get ACTIVE back. But the Health check monitor that has port 80 and URL /status and looks for ACTIVE reports the real server down…why

    Reply
    1. Mike Post author

      If you want, you can check out our forums and post some screen shots and some sanitized config dumps and we can see if we can find the issue for you.

      Reply

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.