IP, TCP, and UDP load balancing
You can load balance all IP, TCP or UDP sessions accepted by the security policy that includes a load balancing virtual server with the type set to IP, TCP, or UDP. Traffic with destination IP and port that matches the virtual server IP and port is load balanced. For these protocol-level load balancing virtual servers you can select a load balance method and add real servers and health checking. However, you can’t configure persistence, HTTP multiplexing and SSL offloading.
Example HTTP load balancing to three real web servers
In this example, a virtual web server with IP address 192.168.37.4 on the Internet, is mapped to three real web servers connected to the FortiGate unit dmz1 interface. The real servers have IP addresses 10.10.123.42, 10.10.123.43, and 10.10.123.44. The virtual server uses the First Alive load balancing method. The configuration also includes an HTTP health check monitor that includes a URL used by the FortiGate unit for get requests to monitor the health of the real servers.
Connections to the virtual web server at IP address 192.168.37.4 from the Internet are translated and load balanced to the real servers by the FortiGate unit. First alive load balancing directs all sessions to the first real server. The computers on the Internet are unaware of this translation and load balancing and see a single virtual server at IP address 192.168.37.4 rather than the three real servers behind the FortiGate unit.
Virtual server configuration example
GUI configuration
Use the following procedures to configure this load balancing setup from the GUI.
To add an HTTP health check monitor
In this example, the HTTP health check monitor includes the URL “/index.html” and the Matched Phrase “Fortinet products”.
- Go to Policy & Objects > Health Check.
- Select Create New.
- Add an HTTP health check monitor that sends get requests to http://<real_server_IP_address>/index.html and searches the returned web page for the phrase “Fortinet products”.
| Name | HTTP_health_chk_1 |
| Type | HTTP |
| Port | 80 |
| URL | /index.html |
| Matched Content | Fortinet products |
| Interval | 10 seconds |
| Timeout | 2 seconds |
| Retry | 3 |
- Select OK.
To add the HTTP virtual server and the real servers
- Go to Policy & Objects > Virtual Servers.
- Select Create New.
- Add an HTTP virtual server that allows users on the Internet to connect to the real servers on the internal network.
In this example, the FortiGate wan1 interface is connected to the Internet.
| Name | Load_Bal_VS1 |
| Type | HTTP |
| Interface | wan1 |
| Virtual Server IP | 192.168.37.4
The public IP address of the web server. The virtual server IP address is usually a static IP address obtained from your ISP for your web server. This address must be a unique IP address that is not used by another host and cannot be the same as the IP address of the external interface the virtual IP will be using. However, the external IP address must be routed to the selected interface. The virtual IP address and the external IP address can be on different subnets. When you add the virtual IP, the external interface responds to ARP requests for the external IP address. |
| Virtual Server Port | 80 |
| Load Balance Method | First Alive |
| Persistence | HTTP cookie |
| Health Check | HTTP_health_chk_1 |
| HTTP Multiplexing | Turn on.
The FortiGate unit multiplexes multiple client into a few connections between the FortiGate unit and each real HTTP server. This can improve performance by reducing server overhead associated with establishing multiple connections. |
| Preserve Client IP | Turn on.
The FortiGate unit preserves the IP address of the client in the XForwarded-For HTTP header. |
- Add three real servers to the virtual server. Each real server must include the IP address of a real server on the internal network.
Configuration for the first real server.
| IP Address | 10.10.10.42 |
| Port | 80 |
| Max Connections | 0
Setting Max Connections to 0 means the FortiGate unit does not limit the number of connections to the real server. Since the virtual server uses First Alive load balancing you may want to limit the number of connections to each real server to limit the traffic received by each server. In this example, the Max Connections is initially set to 0 but can be adjusted later if the real servers are getting too much traffic. |
| Mode | Active |
Configuration for the second real server.
| IP Address | 10.10.10.43 |
| Port | 80 |
| Max Connections | 0 |
| Mode | Active |
Configuration for the third real server.
| IP Address | 10.10.10.44 | |
| Port | 80 |
HTTP load balancing to three real web servers
| Max Connections | 0 |
| Mode | Active |
To add the virtual server to a security policy
Add a wan1 to dmz1 security policy that uses the virtual server so that when users on the Internet attempt to connect to the web server’s IP address, packets pass through the FortiGate unit from the wan1 interface to the dmz1 interface. The virtual IP translates the destination address of these packets from the virtual server IP address to the real server IP addresses.
- Go to Policy & Objects > IPv4 Policy.
- Select Create New.
- Configure the security policy:
| Name | Add a name for the policy. |
| Incoming Interface | wan1 |
| Outgoing Interface | dmz1 |
| Source | all (or a more specific address) |
| Destination | Load_Bal_VS1 |
| Schedule | always |
| Service | HTTP |
| Action | ACCEPT |
| NAT | Select this option and select Use Destination Interface Address. |
| Log Allowed Traffic | Select to log virtual server traffic |
- Select other security policy options as required.
- Select OK.
Having trouble configuring your Fortinet hardware or have some questions you need answered? Check Out The Fortinet Guru Youtube Channel! Want someone else to deal with it for you? Get some consulting from Fortinet GURU!