FortiGate
vinodhini
Staff
Article Id 194198
Description
This article describes how to configure FortiGate-VM server load balancing using dynamic address objects as real servers.

Solution
FortiOS supports using dynamic firewall addresses as real servers in a virtual server load balancing configuration.
There is no need to manually change each real server's IP address whenever a scale in/out action occurs: the Fabric connector refreshes the dynamic address, and the load balancer picks up the updated member IP addresses automatically.
Consider a scenario where the FortiGate-VM is deployed on AWS and load balancing for three servers.

The Fabric connector configured in FortiOS dynamically loads the server IP addresses.
If a scale in action occurs, the load balancer dynamically updates to load balance to the two remaining servers.

The following instructions assume that:
1) An AWS Fabric connector is configured and up.
2) An AWS dynamic firewall address with a filter is configured (the filter selects the instances to be load balanced).

To configure a dynamic address object as a real server under a virtual server load balance, use the CLI commands introduced in FortiOS 6.4 shown below.

Note that with 'set healthcheck vip' the real server inherits the health check configured on the VIP. The VIP below defines no 'monitor', so no health check is performed and a failed instance is only removed when the dynamic address no longer contains it; add 'set monitor <health-check-name>' under the VIP if unhealthy instances should be taken out of rotation sooner.
# config firewall vip
    edit "0"
        set id 0
        set uuid 0949dfbe-7512-51ea-4671-d3a706b09657
        set comment ''
        set type server-load-balance
        set extip 0.0.0.0
        set extintf "port1"
        set arp-reply enable
        set server-type http
        set nat-source-vip disable
        set gratuitous-arp-interval 0
        set http-ip-header disable
        set color 0
        set ldb-method static
        set http-redirect disable
        set persistence none
        set extport 80
        config realservers
            edit 1
                set type address
                set address "aws addresses"  <----- This is a custom address object with type 'Dynamic'.
                set port 8080
                set status active
                set holddown-interval 300
                set healthcheck vip
                set max-connections 0
                unset client-ip
            next
        end
        set http-multiplex disable
        set max-embryonic-connections 1000
    next
end
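As an added example (not part of the original article), the two prerequisites listed above are shown as FortiOS 6.4 CLI, followed by the diagnose command that lists the instance IP addresses the dynamic address currently resolves to. The connector name "aws", the region, the tag key/value used in the filter and the update interval are assumptions chosen for illustration; the address name "aws addresses" matches the real server configuration above.

```text
# AWS Fabric (SDN) connector. With the FortiGate-VM running on AWS, the
# instance IAM role is used for credentials instead of stored access keys.
config system sdn-connector
    edit "aws"
        set type aws
        set use-metadata-iam enable
        set region "us-east-1"            <----- assumed region
        set update-interval 60            <----- seconds between API polls (assumed)
    next
end

# Dynamic firewall address populated from the connector. The filter selects
# the instances to load balance; "Tag.Role=web" is an assumed tag.
config firewall address
    edit "aws addresses"
        set type dynamic
        set sub-type sdn
        set sdn "aws"
        set filter "Tag.Role=web"
    next
end

# Verification: list the IP addresses the dynamic address has resolved to.
# After a scale in/out, the list changes at the next connector update and
# the real server entry that references "aws addresses" follows it.
diagnose firewall dynamic list
```

If the diagnose output shows no addresses, check that the connector is up and that the filter matches the tags on the running instances before looking at the VIP configuration.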
Related document:
https://docs.fortinet.com/document/fortigate/6.4.0/aws-cookbook/36172/creating-an-address-using-the-...

