Virtual server
This topic shows a special virtual IP type: virtual server. Use this type of VIP to implement server load balancing.
The FortiOS server load balancing contains all the features of a server load balancing solution. You can balance traffic across multiple backend servers based on multiple load balancing schedules including:
- Static (failover)
- Round robin
- Weighted (to account for different sized servers or based on the health and performance of the server including round trip time and number of connections)
The load balancer supports HTTP, HTTPS, IMAPS, POP3S, SMTPS, SSL/TLS, and generic TCP/UDP and IP protocols. Session persistence is supported based on the SSL session ID based on an injected HTTP cookie, or based on the HTTP or HTTPS host. SSL/TLS load balancing includes protection from protocol downgrade attacks. Server load balancing is supported on most FortiGate devices and includes up to 10,000 virtual servers on high end systems.
Sample topology
SSL/TLS offloading
FortiGate SSL/TLS offloading is designed for the proliferation of SSL/TLS applications. The key exchange and encryption/decryption tasks are offloaded to the FortiGate unit where they are accelerated using FortiASIC technology which provides significantly more performance than a standard server or load balancer. This frees up valuable resources on the server farm to give better response to business operations. Server load balancing offloads most SSL/TLS versions including SSL 3.0, TLS 1.0, and TLS 1.2, and supports full mode or half mode SSL offloading with DH key sizes up to 4096 bits.
FortiGate SSL offloading allows the application payload to be inspected before it reaches your servers. This prevents intrusion attempts, blocks viruses, stops unwanted applications, and prevents data leakage. SSL/TLS content inspection supports TLS versions 1.0, 1.1, and 1.2 and SSL versions 1.0, 1.1, 1.2, and 3.0.
Virtual server requirements
When creating a new virtual server, you must configure the following options:
- Virtual Server Type.
- Load Balancing Methods.
- Health check monitoring (optional).
- Session persistence (optional).
- Virtual Server IP (External IP Address).
- Virtual Server Port (External Port).
- Real Servers (Mapped IP Address & Port).
Virtual server types
Select the protocol to be load balanced by the virtual server. If you select a general protocol such as IP, TCP, or UDP, the virtual server load balances all IP, TCP, or UDP sessions. If you select specific protocols such as HTTP, HTTPS, or SSL, you can apply additional server load balancing features such as Persistence and HTTP Multiplexing.
HTTP |
Select HTTP to load balance only HTTP sessions with the destination port number that matches the Virtual Server Port setting. Change Virtual Server Port to match the destination port of the sessions to be load balanced (usually port 80 for HTTP sessions). You can enable HTTP Multiplexing. You can also set Persistence to HTTP Cookie to enable cookie-based persistence. |
HTTPS |
Select HTTPS to load balance only HTTPS sessions with the destination port number that matches the Virtual Server Port setting. Change Virtual Server Port to match the destination port of the sessions to be load balanced (usually port 443 for HTTPS sessions). You can enable HTTP Multiplexing. You can also set Persistence to HTTP Cookie to enable cookie-based persistence, or you can set Persistence to SSL Session ID. |
IMAPS |
Select IMAPS to load balance only IMAPS sessions with the destination port number that matches the Virtual Server Port setting. Change Virtual Server Port to match the destination port of the sessions to be load balanced (usually port 993 for IMAPS sessions). You can also set Persistence to SSL Session ID. |
POP3S |
Select POP3S to load balance only POP3S sessions with the destination port number that matches the Virtual Server Port setting. Change Virtual Server Port to match the destination port of the sessions to be load balanced (usually port 995 for POP3S sessions). You can also set Persistence to SSL Session ID. |
SMTPS |
Select SMTPS to load balance only SMTPS sessions with the destination port number that matches the Virtual Server Port setting. Change Virtual Server Port to match the destination port of the sessions to be load balanced (usually port 465 for SMTPS sessions). You can also set Persistence to SSL Session ID. |
SSL |
Select SSL to load balance only SSL sessions with the destination port number that matches the Virtual Server Port setting. Change Virtual Server Port to match the destination port of the sessions to be load balanced. You can also set Persistence to SSL Session ID. |
TCP |
Select TCP to load balance only TCP sessions with the destination port number that matches the Virtual Server Port setting. Change Virtual Server Port to match the destination port of the sessions to be load balanced. |
UDP |
Select UDP to load balance only UDP sessions with the destination port number that matches the Virtual Server Port setting. Change Virtual Server Port to match the destination port of the sessions to be load balanced. |
IP |
Select IP to load balance all sessions accepted by the security policy that contains this virtual server. |
Load balancing methods
The load balancing method defines how sessions are load balanced to real servers.
All load balancing methods do not send traffic to real servers that are down or not responding. FortiGate can only determine if a real server is not responding by using a health check monitor. You should always add at least one health check monitor to a virtual server or to real servers; otherwise load balancing might try to distribute sessions to real servers that are not functioning.
Static |
The traffic load is statically spread evenly across all real servers. Sessions are not assigned according to how busy individual real servers are. This load balancing method provides some persistence because all sessions from the same source address always go to the same real server. Because the distribution is stateless, so if a real server is added, removed, or goes up or down, the distribution is changed and persistence might be lost. |
Round Robin |
Directs new requests to the next real server. This method treats all real servers as equals regardless of response time or the number of connections. This method does not direct requests to real servers that down or non responsive. |
Weighted |
Real servers with a higher weight value receive a larger percentage of connections. Set the real server weight when adding a real server. |
Least Session |
Directs requests to the real server that has the least number of current connections. This method works best in environments where the real servers or other equipment you are load balancing all have similar capabilities. This load balancing method uses the FortiGate session table to track the number of sessions being processed by each real server. The FortiGate unit cannot detect the number of sessions actually being processed by a real server. |
Least RTT |
Directs sessions to the real server with the lowest round trip time. The round trip time is determined by a ping health check monitor. The default is 0 if no ping health check monitors are added to the virtual server. |
First Alive |
Directs sessions to the first live real server. This load balancing schedule provides real server failover protection by sending all sessions to the first live real server. If a real server fails, all sessions are sent to the next live real server. Sessions are not distributed to all real servers so all sessions are processed by the first real server only. |
HTTP Host |
Load balances HTTP host connections across multiple real servers using the host’s HTTP header to guide the connection to the correct real server. |
Health check monitoring
In the FortiGate GUI, you can configure health check monitoring so that the FortiGate unit can verify that real servers are able respond to network connection attempts. If a real server responds to connection attempts, the load balancer continues to send sessions to it. If a real server stops responding to connection attempts, the load balancer assumes that the server is down and does not send sessions to it. The health check monitor configuration determines how the load balancer tests real servers. You can use a single health check monitor for multiple load balancing configurations. You can configure TCP, HTTP, and Ping health check monitors. You usually set the health check monitor to use the same protocol as the traffic being load balanced to it. For example, for an HTTP load balancing configuration, you would normally use an HTTP health check monitor.
Session persistence
Use persistence to ensure a user is connected to the same real server every time the user makes an HTTP, HTTPS, or SSL request that is part of the same user session. For example, if you are load balancing HTTP and HTTPS sessions to a collection of eCommerce web servers, when users make a purchase, they will be starting multiple sessions as they navigate the eCommerce site. In most cases, all the sessions started by this user during one eCommerce session should be processed by the same real server. Typically, the HTTP protocol keeps track of these related sessions using cookies. HTTP cookie persistence ensure all sessions that are part of the same user session are processed by the same real server.
When you configure persistence, the FortiGate unit load balances a new session to a real server according to the load balance method. If the session has an HTTP cookie or an SSL session ID, the FortiGate unit sends all subsequent sessions with the same HTTP cookie or SSL session ID to the same real server.
Real servers
Add real servers to a load balancing virtual server to provide information the virtual server requires to send sessions to the server. A real server configuration includes the IP address of the real server and port number the real server receives sessions on. The FortiGate unit sends sessions to the real server’s IP address using the destination port number in the real server configuration.
When configuring a real server, you can also specify the weight (if the load balance method is set to Weighted) and you can limit the maximum number of open connections between the FortiGate unit and the real server. If the maximum number of connections is reached for the real server, the FortiGate unit automatically switches all further connection requests to other real servers until the connection number drops below the limit. Setting Maximum Connections to 0 means that the FortiGate unit does not limit the number of connections to the real server.
Sample of HTTP load balancing to three real web servers
This example describes the steps to configure the load balancing configuration below. In this configuration, a FortiGate unit is load balancing HTTP traffic from the Internet to three HTTP servers on the internal network. HTTP sessions are accepted at the wan1 interface with destination IP address 172.20.120.121 on TCP port 8080, and forwarded from the internal interface to the web servers. When forwarded, the destination address of the session is translated to the IP address of one of the web servers.
This load balancing configuration also includes session persistence using HTTP cookies, round-robin load balancing, and TCP health monitoring for the real servers. Ping health monitoring consists of the FortiGate unit using ICMP ping to ensure the web servers can respond to network traffic.
General steps:
- Create a health check monitor.
A ping health check monitor causes the FortiGate to ping the real servers every 10 seconds. If one of the servers does not respond within 2 seconds, the FortiGate unit will retry the ping 3 times before assuming that the HTTP server is not responding.
- Create a load balance virtual server with three real servers.
- Add the load balancing virtual server to a policy as the destination address.
To see the virtual servers and health check monitors options in the GUI, Load Balance must be selected in Feature Visibility > Additional Features. See Feature visibility on page 1 for details. |
Configure a load balancing virtual server in the GUI
To create a health check monitor:
- Go to Policy & Objects > Health Check.
- Click Create New.
- Set the following:
- Name to Ping-mon-1
- Type to Ping
- Interval to 10 seconds
- Timeout to 2 seconds
- Retry to 3 attempt(s)
- Click OK.
To create a virtual server:
- Go to Policy & Objects > Virtual Servers.
- Click Create New.
- Set the following:
- Name to Vserver-HTTP-1
- Type to HTTP
- Interface to wan1
- Virtual Server IP to 172.20.120.121
- Virtual Server Port to 8080
- Load Balance Method to Round Robin
- Persistence to HTTP Cookie
- Health Check to Ping-mon-1
- In the Real Servers table, click Create New.
- Set the following for the first real server:
- Type to IP
- IP Address to 10.31.101.30
- Port to 80
- Max Connections to 0
- Mode to Active
- Configure two more real servers with IP addresses 10.31.101.40 and 10.31.101.50, and the remaining settings the same as the first real server.
- Click OK.
To create a security policy that includes the load balance virtual server as the destination address:
- Go to Policy & Objects > Firewall Policy.
- Click Create New.
- Set the Inspection Mode to Proxy-based. The new virtual server will not be available if the inspection mode is Flow-based.
- Set the following:
- Name to LB-policy
- Incoming Interface to wan1
- Outgoing Interface to internal
- Source to all
- Destination to Vserver-HTTP-1
- Schedule to always
- Service to ALL
- Action to ACCEPT
- Enable NAT and set IP Pool Configuration to Use Outgoing Interface Address.
- Enable AntiVirus and select an antivirus profile.
- Click OK.
Configure a load balancing virtual server in the CLI
To configure HTTP load balancing to three real web servers in the CLI:
- Create a health check monitor:
config firewall ldb-monitor edit "Ping-mon-1" set type ping set interval 10 set timeout 2 set retry 3 next end
- Create a virtual server:
config firewall vip edit "Vserver-HTTP-1" set type server-load-balance set extip 172.20.120.121 set extintf "any" set server-type http set monitor "Ping-mon-1" set ldb-method round-robin set persistence http-cookie set extport 8080 config realservers edit 1 set type ip set ip 10.31.101.30 set port 80 next edit 2 set type ip set ip 10.31.101.40 set port 80 next edit 3 set type ip set ip 10.31.101.50 set port 80 next end next end
- Add the load balancing virtual server to a policy as the destination address:
config firewall policy edit 2 set name "LB-policy" set inspection-mode proxy set srcintf "wan1" set dstintf "internal" set srcaddr "all" set dstaddr "Vserver-HTTP-1" set action accept set schedule "always" set service "ALL" set utm-status enable set ssl-ssh-profile "certificate-inspection" set av-profile "default" set fsso disable set nat enable next end
Results
Traffic accessing 172.20.120.121:8080 is forwarded in turn to the three real servers.
If the access request has an http-cookie, FortiGate forwards the access to the corresponding real server according to the cookie.