Example HTTP and HTTPS persistence configuration

6.0.0

This example shows how to add a virtual server named HTTP_Load_Balance that load balances HTTP traffic using port 80 and a second virtual server named HTTPS_Load_Balance that load balances HTTPS traffic using port 443. The Internet is connected to port2 and the virtual IP address of the virtual server is 192.168.20.20. Both server load balancing virtual IPs load balance sessions to the same three real servers with IP addresses 10.10.10.1, 10.10.10.2, and 10.10.10.3. The real servers provide HTTP and HTTPS services.

For both virtual servers, persistence is set to HTTP Cookie to enable HTTP cookie persistence.

To add the HTTP and HTTPS virtual servers

  1. Go to Policy & Objects > Virtual Servers.
  2. Add the HTTP virtual server that includes HTTP Cookie persistence.

    Name                  HTTP_Load_Balance
    Type                  HTTP
    Interface             port2
    Virtual Server IP     192.168.20.20
    Virtual Server Port   80
                          In this example the virtual server uses port 8080 for HTTP sessions instead of port 80.
    Load Balance Method   Static
    Persistence           HTTP cookie

  3. Under Real Servers select Create New.
  4. Add three real servers.

    Real server   IP Address   Port   Max Connections   Mode
    First         10.10.10.1   80     0                 Active
    Second        10.10.10.2   80     0                 Active
    Third         10.10.10.3   80     0                 Active

  5. Select OK.
  6. Select Create New to add the HTTPS virtual server that also includes HTTP Cookie persistence.

    Name                  HTTPS_Load_Balance
    Type                  HTTPS
    Interface             port2
    Virtual Server IP     192.168.20.20
    Virtual Server Port   443
    Load Balance Method   Static
    Persistence           HTTP cookie

  7. Under Real Servers select Create New.
  8. Add three real servers.

    Real server   IP Address   Port   Max Connections   Mode
    First         10.10.10.1   443    0                 Active
    Second        10.10.10.2   443    0                 Active
    Third         10.10.10.3   443    0                 Active

To add the virtual servers to security policies

Add a port2 to port1 security policy that uses the virtual server so that when users on the Internet attempt to connect to the web server’s IP address, packets pass through the FortiGate unit from the wan1 interface to the dmz1 interface. The virtual IP translates the destination address of these packets from the virtual server IP address to the real server IP addresses.

  1. Go to Policy & Objects > IPv4 Policy.
  2. Select Create New.
  3. Configure the HTTP security policy:

    Name                 Policy name.
    Incoming Interface   port2
    Outgoing Interface   port1
    Source               all
    Destination          HTTP_Load_Balance
    Schedule             always
    Service              HTTP
    Action               ACCEPT
    NAT                  Select this option and select Use Destination Interface Address.

  4. Select other security policy options as required.
  5. Select OK.
  6. Select Create New.
  7. Configure the HTTPS security policy:

    Name                 Policy name.
    Incoming Interface   port2
    Outgoing Interface   port1
    Source               all
    Destination          HTTPS_Load_Balance
    Schedule             always
    Service              HTTPS
    Action               ACCEPT
    NAT                  Select this option and select Use Destination Interface Address.

  8. Select other security policy options as required.
  9. Select OK.

CLI configuration: adding persistence for a specific domain

Load balancing is configured from the CLI using the config firewall vip command and by setting type to server-load-balance.

For the CLI configuration, both virtual servers set http-cookie-domain to .example.org because HTTP cookie persistence is required only for the example.org domain.

First, the configuration for the HTTP virtual IP:

    config firewall vip
        edit HTTP_Load_Balance
            set type server-load-balance
            set server-type http
            set extport 8080
            set extintf port2
            set extip 192.168.20.20
            set persistence http-cookie
            set http-cookie-domain .example.org
            config realservers
                edit 1
                    set ip 10.10.10.1
                next
                edit 2
                    set ip 10.10.10.2
                next
                edit 3
                    set ip 10.10.10.3
            end
    end

Second, the configuration for the HTTPS virtual IP. In this configuration you don’t have to set extport to 443 because extport is automatically set to 443 when server-type is set to https.

    config firewall vip
        edit HTTPS_Load_Balance
            set type server-load-balance
            set server-type https
            set extport 443
            set extintf port2
            set extip 192.168.20.20
            set persistence http-cookie
            set http-cookie-domain .example.org
            config realservers
                edit 1
                    set ip 10.10.10.1
                next
                edit 2
                    set ip 10.10.10.2
                next
                edit 3
                    set ip 10.10.10.3
            end
    end
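
The following is an added example, not Fortinet's code: a small Python parser for the two config firewall vip stanzas above that cross-checks them against the ports and shared real server pool described at the top of this page. The function names, the expected_ports argument and the template-built sample input are assumptions made for this illustration.

```python
# Constructed input: the page's two VIP stanzas, rebuilt from one template.
REAL = "next\n".join(f"edit {i}\nset ip 10.10.10.{i}\n" for i in (1, 2, 3))
STANZA = """config firewall vip
edit {name}
set type server-load-balance
set server-type {stype}
set extport {port}
set extintf port2
set extip 192.168.20.20
set persistence http-cookie
set http-cookie-domain .example.org
config realservers
{real}end
end
"""
SAMPLE = (STANZA.format(name="HTTP_Load_Balance", stype="http", port=8080, real=REAL)
          + STANZA.format(name="HTTPS_Load_Balance", stype="https", port=443, real=REAL))

def parse_vips(text):
    """Return {vip: {"set": {key: value}, "real": [ip, ...]}} from CLI text."""
    vips, tables, cur = {}, [], None       # tables: stack of open 'config' blocks
    for tok in filter(None, map(str.split, text.splitlines())):
        if tok[0] == "config":
            tables.append(" ".join(tok[1:]))
        elif tok[0] == "end":              # also closes an 'edit' left without 'next'
            tables.pop()
        elif tok[0] == "edit" and tables == ["firewall vip"]:
            cur = vips.setdefault(tok[1].strip('"'), {"set": {}, "real": []})
        elif tok[0] == "set" and tables == ["firewall vip"]:
            cur["set"][tok[1]] = " ".join(tok[2:])
        elif tok[:2] == ["set", "ip"] and tables[-1:] == ["realservers"]:
            cur["real"].append(tok[2])
    return vips

def audit(vips, expected_ports):
    """Compare parsed VIPs with the documented ports and the shared pool."""
    out = []
    for name, vip in vips.items():
        port = vip["set"].get("extport")
        if port != str(expected_ports[name]):
            out.append(f"{name}: extport {port}, expected {expected_ports[name]}")
        if len(set(vip["real"])) != len(vip["real"]):
            out.append(f"{name}: duplicate real server IP")
    if len({tuple(sorted(v["real"])) for v in vips.values()}) > 1:
        out.append("virtual servers do not share one real server pool")
    return out
```

Run with the ports named in the introduction (80 and 443), the audit reports the one mismatch in this example: the HTTP stanza sets extport 8080.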
