FortiGate
Jaspal_S
Staff
Article Id 269080
Description

This article describes how to enable HTTP cookie persistence on a virtual server and verify the cookie injection with a Wireshark packet capture.

Scope

FortiGate

Topology:

[Figure top.PNG: topology diagram]

Pre-requisites:

The virtual server is configured for the HTTP service and the real servers are reachable from the outside network.

Related article:

https://community.fortinet.com/t5/FortiGate/Technical-Tip-Configure-virtual-server/ta-p/194457

Solution

  • Enable HTTP cookie persistence on the configured virtual server.

From GUI:

Navigate to Policy & Objects -> Virtual Servers and enable HTTP cookie persistence.

[Figure http cookie.PNG: Virtual Server settings with HTTP cookie persistence enabled]

From CLI:

config firewall vip
    edit "Test-Website"
        set uuid 94489f16-3561-51ee-c442-09f1dcbea373
        set type server-load-balance
        set extip 192.168.55.1
        set extintf "any"
        set server-type http
        set ldb-method round-robin
        set persistence http-cookie <-----
        set extport 80
        config realservers
            edit 1
                set ip 192.168.60.10
                set port 80
            next
            edit 2
                set ip 192.168.60.20
                set port 80
            next
        end
    next
end

HTTP cookie persistence works with cookies injected by the FortiGate. A new session (one that carries no persistence cookie) is distributed to a real server according to the selected load balance method, and the FortiGate inserts a cookie identifying that server into the response. If the HTTP cookie is present in a later session, the FortiGate directs every session carrying that identical cookie to the same real server.

  • After enabling HTTP cookie persistence, run a packet capture on the external IP interface to verify the HTTP cookie injected by the FortiGate.

FortiGate injects the cookie into the HTTP header of the server response packet (a Set-Cookie header).

[Figure Pcap 1.png: Wireshark capture of the server response carrying the injected cookie]

The browser stores the injected cookie once cookie persistence is enabled. Check the browser's cookies for confirmation:

[Figure Browser cookie 1.png: the persistence cookie shown in the browser's cookie store]

Compare the forward traffic logs from before and after enabling HTTP cookie persistence to verify that the FortiGate forwards the client's traffic to the same real server.

Forward traffic logs before enabling HTTP cookie persistence; the traffic is load balanced across both real servers:

[Figure traffic test 1.png: forward traffic logs before enabling HTTP cookie persistence]

Forward traffic logs after enabling HTTP cookie persistence; the FortiGate forwards all sessions to a single real server:

[Figure traffic test 2.png: forward traffic logs after enabling HTTP cookie persistence]

  • Additional options to modify the HTTP cookie are available from the CLI only.

The following options are available under 'config firewall vip' when type is set to server-load-balance, server-type is set to http or https, and persistence is set to http-cookie:

http-cookie-domain-from-host
http-cookie-domain
http-cookie-path
http-cookie-age

  • If 'http-cookie-domain-from-host' is enabled, the FortiGate takes the cookie domain from the Host header of the HTTP request.
  • For example, when the same packet capture is run after enabling 'http-cookie-domain-from-host', the cookie is restricted to www.testwebsite.com, the value of the Host header in this setup.

[Figure pcap 2.png: capture showing the cookie Domain attribute taken from the Host header]

From CLI:

config firewall vip
    edit "Test-Website"
        set uuid 94489f16-3561-51ee-c442-09f1dcbea373
        set type server-load-balance
        set extip 192.168.55.1
        set extintf "any"
        set server-type http
        set ldb-method round-robin
        set persistence http-cookie
        set extport 80
        config realservers
            edit 1
                set ip 192.168.60.10
                set port 80
            next
            edit 2
                set ip 192.168.60.20
                set port 80
            next
        end
        set http-cookie-domain-from-host enable  <-----
    next
end

  • To restrict the domain that the cookie applies to, use 'http-cookie-domain' to define the cookie domain manually. For example, to restrict the cookie domain to www.testwebsite.com, use the command below:

         set http-cookie-domain www.testwebsite.com

[Figure pcap3.png: capture showing the cookie Domain attribute set to www.testwebsite.com]

From CLI:

config firewall vip
    edit "Test-Website"
        set uuid 94489f16-3561-51ee-c442-09f1dcbea373
        set type server-load-balance
        set extip 192.168.55.1
        set extintf "any"
        set server-type http
        set ldb-method round-robin
        set persistence http-cookie
        set extport 80
        config realservers
            edit 1
                set ip 192.168.60.10
                set port 80
            next
            edit 2
                set ip 192.168.60.20
                set port 80
            next
        end
        set http-cookie-domain www.testwebsite.com <-----
    next
end

  • Use 'http-cookie-path' to limit the cookie to a particular path. For example, to limit the cookie to the path /contact.html, use the command set http-cookie-path "/contact.html".

[Figure pcap4.png: capture showing the cookie Path attribute set to /contact.html]

From CLI:

config firewall vip
    edit "Test-Website"
        set uuid 94489f16-3561-51ee-c442-09f1dcbea373
        set type server-load-balance
        set extip 192.168.55.1
        set extintf "any"
        set server-type http
        set ldb-method round-robin
        set persistence http-cookie
        set extport 80
        config realservers
            edit 1
                set ip 192.168.60.10
                set port 80
            next
            edit 2
                set ip 192.168.60.20
                set port 80
            next
        end
        set http-cookie-domain "www.testwebsite.com"
        set http-cookie-path "/contact.html" <-----
    next
end

  • Use 'http-cookie-age' to change how long the browser caches the cookie. Enter the age in minutes, or set the age to 0 to make the browser keep the cookie indefinitely. For example, to set the age to 10 minutes, use the command below:

         set http-cookie-age 10

Confirm the cookie age from the browser cookie output:

[Figure age.png: cookie expiry shown in the browser cookie store]
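To tie the mechanism described earlier (a new session distributed by the load balance method, later sessions with the same cookie sent to the same real server) to the four cookie options above, here is a small Python model of the virtual server's decision. It is an added example written for this article, not FortiGate's implementation: the cookie name LB_PERSIST, the opaque token format, and the precedence of http-cookie-domain over http-cookie-domain-from-host are assumptions of the model, and an age of 0 simply emits no Max-Age attribute.

```python
"""Model of HTTP cookie persistence on a load-balancing virtual server."""
from dataclasses import dataclass, field
from itertools import cycle
from typing import Dict, Iterator, List, Optional, Tuple

COOKIE_NAME = "LB_PERSIST"   # constructed; the real cookie name is whatever the capture shows


@dataclass
class VirtualServer:
    real_servers: List[str]
    domain_from_host: bool = False       # http-cookie-domain-from-host
    cookie_domain: Optional[str] = None  # http-cookie-domain
    cookie_path: Optional[str] = None    # http-cookie-path
    cookie_age_minutes: int = 0          # http-cookie-age (0: no Max-Age emitted in this model)
    _rr: Iterator[str] = field(init=False, repr=False)
    _table: Dict[str, str] = field(default_factory=dict, init=False)  # token -> real server

    def __post_init__(self) -> None:
        self._rr = cycle(self.real_servers)   # ldb-method round-robin

    def route(self, request_cookies: Dict[str, str], host: str) -> Tuple[str, Optional[str]]:
        """Pick the real server for one request. Returns (server, Set-Cookie
        header to inject into the response). The header is None when the
        request already carried a known persistence cookie."""
        token = request_cookies.get(COOKIE_NAME)
        if token is not None and token in self._table:
            return self._table[token], None       # persistence hit: same server, no new cookie
        server = next(self._rr)                   # new session: load balance method decides
        token = f"rs{len(self._table) + 1:04x}"   # constructed opaque token
        self._table[token] = server
        return server, self._set_cookie(token, host)

    def _set_cookie(self, token: str, host: str) -> str:
        attrs = [f"{COOKIE_NAME}={token}"]
        # Assumption of this model: an explicit http-cookie-domain wins over
        # domain-from-host; the article does not state the precedence.
        domain = self.cookie_domain
        if domain is None and self.domain_from_host:
            domain = host.split(":")[0]           # Host header without any port
        if domain:
            attrs.append(f"Domain={domain}")
        if self.cookie_path:
            attrs.append(f"Path={self.cookie_path}")
        if self.cookie_age_minutes > 0:
            attrs.append(f"Max-Age={self.cookie_age_minutes * 60}")
        return "; ".join(attrs)


def simulate(vs: VirtualServer, requests: int, host: str = "www.testwebsite.com",
             keep_cookie: bool = True) -> List[str]:
    """Send `requests` requests from one client and return the real server
    each one landed on. keep_cookie=False models a client that discards the
    injected cookie, which is what the logs before enabling persistence show."""
    jar: Dict[str, str] = {}
    served: List[str] = []
    for _ in range(requests):
        server, set_cookie = vs.route(jar, host)
        served.append(server)
        if set_cookie and keep_cookie:
            name, _, rest = set_cookie.partition("=")
            jar[name] = rest.split(";", 1)[0]     # store the value, drop the attributes
    return served


if __name__ == "__main__":
    servers = ["192.168.60.10", "192.168.60.20"]
    print("no cookie kept:", simulate(VirtualServer(servers), 4, keep_cookie=False))
    vs = VirtualServer(servers, domain_from_host=True, cookie_path="/contact.html",
                       cookie_age_minutes=10)
    print("cookie kept:   ", simulate(vs, 4))
    print("injected header:", VirtualServer(servers, domain_from_host=True,
                                            cookie_path="/contact.html",
                                            cookie_age_minutes=10).route({}, "www.testwebsite.com")[1])
```

Running simulate with keep_cookie=False reproduces the alternating real servers seen in the traffic logs before persistence was enabled; with the cookie kept, every request after the first returns the cookie and lands on the server the first request was assigned to. An unknown or expired cookie value is treated like a new session, so a cookie whose Max-Age has elapsed simply causes a fresh round-robin assignment.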
