IP, TCP, and UDP load balancing

IP, TCP, and UDP load balancing

You can load balance all IP, TCP or UDP sessions accepted by the security policy that includes a load balancing virtual server with the type set to IP, TCP, or UDP. Traffic with destination IP and port that matches the virtual server IP and port is load balanced. For these protocol-level load balancing virtual servers you can select a load balance method and add real servers and health checking. However, you can’t configure persistence, HTTP multiplexing and SSL offloading.

Example HTTP load balancing to three real web servers

In this example, a virtual web server with IP address 192.168.37.4 on the Internet, is mapped to three real web servers connected to the FortiGate unit dmz1 interface. The real servers have IP addresses 10.10.123.42, 10.10.123.43, and 10.10.123.44. The virtual server uses the First Alive load balancing method. The configuration also includes an HTTP health check monitor that includes a URL used by the FortiGate unit for get requests to monitor the health of the real servers.

Connections to the virtual web server at IP address 192.168.37.4 from the Internet are translated and load balanced to the real servers by the FortiGate unit. First alive load balancing directs all sessions to the first real server. The computers on the Internet are unaware of this translation and load balancing and see a single virtual server at IP address 192.168.37.4 rather than the three real servers behind the FortiGate unit.

Virtual server configuration example

GUI configuration

Use the following procedures to configure this load balancing setup from the GUI.

To add an HTTP health check monitor

In this example, the HTTP health check monitor includes the URL “/index.html” and the Matched Phrase “Fortinet products”.

  1. Go to Policy & Objects > Health Check.
  2. Select Create New.
  3. Add an HTTP health check monitor that sends get requests to http://<real_server_IP_address>/index.html and searches the returned web page for the phrase “Fortinet products”.
Name HTTP_health_chk_1
Type HTTP
Port 80
URL /index.html
Matched Content Fortinet products
Interval 10 seconds
Timeout 2 seconds
Retry 3
  1. Select OK.

To add the HTTP virtual server and the real servers

  1. Go to Policy & Objects > Virtual Servers.
  2. Select Create New.
  3. Add an HTTP virtual server that allows users on the Internet to connect to the real servers on the internal network.

In this example, the FortiGate wan1 interface is connected to the Internet.

Name Load_Bal_VS1
Type HTTP
Interface wan1
Virtual Server IP 192.168.37.4

The public IP address of the web server.

The virtual server IP address is usually a static IP address obtained from your ISP for your web server. This address must be a unique IP address that is not used by another host and cannot be the same as the IP address of the external interface the virtual IP will be using. However, the external IP address must be routed to the selected interface. The virtual IP address and the external IP address can be on different subnets. When you add the virtual IP, the external interface responds to ARP requests for the external IP address.

Virtual Server Port 80

 

Load Balance Method First Alive
Persistence HTTP cookie
Health Check HTTP_health_chk_1
HTTP Multiplexing Turn on.

The FortiGate unit multiplexes multiple client into a few connections between the FortiGate unit and each real HTTP server. This can improve performance by reducing server overhead associated with establishing multiple connections.

Preserve Client IP Turn on.

The FortiGate unit preserves the IP address of the client in the XForwarded-For HTTP header.

  1. Add three real servers to the virtual server. Each real server must include the IP address of a real server on the internal network.

Configuration for the first real server.

IP Address 10.10.10.42
Port 80
Max Connections 0

Setting Max Connections to 0 means the FortiGate unit does not limit the number of connections to the real server. Since the virtual server uses First Alive load balancing you may want to limit the number of connections to each real server to limit the traffic received by each server. In this example, the Max Connections is initially set to 0 but can be adjusted later if the real servers are getting too much traffic.

Mode Active

Configuration for the second real server.

IP Address 10.10.10.43
Port 80
Max Connections 0
Mode Active

Configuration for the third real server.

IP Address   10.10.10.44
Port   80

 

HTTP load balancing to three real web servers

Max Connections 0
Mode Active

To add the virtual server to a security policy

Add a wan1 to dmz1 security policy that uses the virtual server so that when users on the Internet attempt to connect to the web server’s IP address, packets pass through the FortiGate unit from the wan1 interface to the dmz1 interface. The virtual IP translates the destination address of these packets from the virtual server IP address to the real server IP addresses.

  1. Go to Policy & Objects > IPv4 Policy.
  2. Select Create New.
  3. Configure the security policy:
Name Add a name for the policy.
Incoming Interface wan1
Outgoing Interface dmz1
Source all (or a more specific address)
Destination Load_Bal_VS1
Schedule always
Service HTTP
Action ACCEPT
NAT Select this option and select Use Destination Interface Address.
Log Allowed Traffic Select to log virtual server traffic
  1. Select other security policy options as required.
  2. Select OK.

This entry was posted in Administration Guides, FortiGate, FortiOS 6 on by .

About Mike

Michael Pruett, CISSP has a wide range of cyber-security and network engineering expertise. The plethora of vendors that resell hardware but have zero engineering knowledge resulting in the wrong hardware or configuration being deployed is a major pet peeve of Michael's. This site was started in an effort to spread information while providing the option of quality consulting services at a much lower price than Fortinet Professional Services. Owns PacketLlama.Com (Fortinet Hardware Sales) and Office Of The CISO, LLC (Cybersecurity consulting firm).

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.