FortiGate
Article Id 193520
Description
This article provides an example of the steps required to use FortiOS in Load Balance mode for a cluster of HTTP servers.

Firewall Virtual IP load balancing features were present in v3.0, but they only handled traffic at the Network Layer (layer 3). FortiOS 4.0 adds features to balance traffic at layer 3 as well as at the application layer (layer 7).

The FortiOS 4.0 VIP Load Balancing feature combines three features: SSL Acceleration, HTTP Multiplexing and Extended Health Checking.

Scope
FortiOS 4.0 in NAT Mode.
Solution

To create a load balance scenario (HTTP in this example), use the 'Load Balance' menu item in the Firewall menu. This menu allows the user to configure all the new Server Load Balancing components.

 
1. Create Virtual Server.
 
A Virtual Server is created as the public-facing server that clients connect to. It handles connections to one or many Real Servers.
Firewall > Load Balance, new Virtual Server.
 
 

When defining a Virtual Server, the user defines the protocol, IP address and physical interface, as well as the load balance method. The remaining features, such as HTTP Multiplexing, Extended Health Checking and SSL Offloading (SSL and HTTPS only), may also be enabled at this point.

Choose Load Balance Method.

 
 
2. Create Real Server(s).
 
Once a Virtual Server has been created, a Real Server is created to represent each server being accessed.

Firewall > Load Balance, Real Server tab.
 

When creating a Real Server, select the Virtual Server through which it will be accessed. In a load balance scenario, one Virtual Server uses multiple Real Servers.

CLI: Virtual Servers as well as Real Servers may also be configured from the CLI:

# config firewall vip


FG300B3908604677 (vip) #
edit add/edit a table value
delete delete a table value
purge clear all table value
rename rename a table entry
get get dynamic and system information
show show configuration
end end and save last config

FG300B3908604677 (vip) # edit
name virtual ip name
Virtual

FG300B3908604677 (vip) # edit Virtual
<Enter>

FG300B3908604677 (Virtual) # config
realservers real servers

As the goal of this feature is to allow more than one Real Server to sit behind one Virtual Server, the user will normally assign more than one Real Server to a Virtual Server definition.

Multiple Real Servers using one Virtual Server.

 

3. Apply Virtual server to policy.
 
Create the corresponding policy using the newly created Virtual Server as the destination. The source interface must be the one that was associated with the Virtual Server when it was created (Port2 in this example).

Once the policy uses the correct source interface, the Virtual Server may be selected as the destination address. The Virtual Server in turn applies the Load Balancing attributes previously configured.
 
Virtual Server Policy
 
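The three steps above as a single CLI configuration. This is an added example, not taken from the original article. Assumptions: all IP addresses, the health check name "http-check", policy ID 10, the internal interface port1 and the round-robin method are constructed for illustration, and option names may differ between FortiOS releases. The # lines are annotations for the reader and should be dropped before pasting.

```fortios
# Extended health check: poll each Real Server over HTTP (name is constructed)
config firewall ldb-monitor
    edit "http-check"
        set type http
        set port 80
        set http-get "/"
    next
end

# Step 1: Virtual Server on port2, the interface used in the article
config firewall vip
    edit "Virtual"
        set type server-load-balance
        set extintf "port2"
        set extip 192.0.2.10
        set extport 80
        set server-type http
        set ldb-method round-robin
        set http-multiplex enable
        set monitor "http-check"
        # Step 2: two Real Servers behind the one Virtual Server (constructed IPs)
        config realservers
            edit 1
                set ip 10.10.10.11
                set port 80
            next
            edit 2
                set ip 10.10.10.12
                set port 80
            next
        end
    next
end

# Step 3: policy whose source interface matches the Virtual Server's interface
config firewall policy
    edit 10
        set srcintf "port2"
        set dstintf "port1"
        set srcaddr "all"
        set dstaddr "Virtual"
        set action accept
        set schedule "always"
        set service "HTTP"
    next
end
```

Limiting the policy service to HTTP means only the load-balanced port is reachable through the Virtual Server, and the health check takes a Real Server out of rotation when it stops answering.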
 
 

Related Articles

Technical Tip : Troubleshoot and verify if traffic is hitting a Firewall Policy