Help
FortiADC
FortiADC enhances the scalability, performance, and security of your applications whether they are hosted on premises or in the cloud.
mricardez
Staff
Staff

Created on ‎10-05-2016 09:15 PM

Article Id 192247

Technical Note: FortiADC SLB L7 Content Routing

Description
FortiADC content routing is a feature which allows route decisions to be made by HTTP Header.

Normally, a Virtual Server with Static IP address and port can be created to receive all traffic by external Interface, and the FortiADC balance the traffic to the Backend Server.

However, if few IP addresses are available, the DNS resolution can be made to point to multiple applications at the same Virtual Server IP address, and by FortiADC policies Content Routing makes decision to which Backend Server to deliver the request.

The Content Routing decision is done by the following HTTP Header:
  • HTTP Host Header
  • HTTP request URL
  • HTTP Referer Header

For example, a VS can be enabled with IP 192.168.100.2 port 80, so the following decision can then be made:
  • Traffic coming with HTTP URL  /detect/ to send a Backend Server EPI.
  • Traffic coming with whichever HTTP URL to send a Backend Server Debian-HTTP.

Scope
  • FortiADC, v4.5.2 and earlier
  • SLB L7
  • Content Routing
  • Two Backend Servers

Solution
1. Create a Health Check HTTP to Real Server.
config system health-check
edit "LB_HTLHCK_HTTP_Debian"
set type http
next
end

2. Create the Two Real Server pool.
config load-balance pool

edit "Debian-HTTP"
set health-check-ctrl enable
set health-check-list LB_HTLHCK_HTTP_Debian
set real-server-ssl-profile NONE
config pool_member
edit 1
set ip 192.168.100.2
set pool_member_cookie Debian-HTTP
set pool_member_server_name Debian-HTTP
next
end
next
edit "EPI"
set health-check-ctrl enable
set health-check-list LB_HLTHCK_HTTP
set real-server-ssl-profile NONE
config pool_member
edit 1
set ip 200.52.66.111
set pool_member_cookie EPi
set pool_member_server_name EPi
next
end
next
end

3. Create the Content-Routing Policy, a default policy must be created to match all traffic not used by the previews content route policy.
config load-balance content-routing
edit "Test-CRByURL"
set load-balance-persistence LB_PERSIS_HASH_COOKIE
set load-balance-method LB_METHOD_ROUND_ROBIN
set load-balance-pool EPI
config match-condition
edit 1
set object http-request-url
set content ^/detect/.*
next
end
next
edit "Debian-default"
set load-balance-persistence LB_PERSIS_HASH_COOKIE
set load-balance-method LB_METHOD_ROUND_ROBIN
set load-balance-pool Debian-HTTP
config match-condition
edit 1
set object http-request-url
set content .*
next
end
next
end

4. Create the Virtual Server, enabling Content Routing.  When using content Routing, the VS will not have Real Sever Profile, so the VS profile will need to have a default content Routing Policy.
config load-balance virtual-server
edit "Debian-VS-HTTP"
set type l7-load-balance
set interface port1
set ip 192.168.100.150
set load-balance-profile LB_PROF_HTTP
set content-routing enable
set content-routing-list Test-CRByURL,Debian-default
set load-balance-persistence LB_PERSIS_HASH_SRC_ADDR_PORT
set load-balance-method LB_METHOD_ROUND_ROBIN
set traffic-log enable
next
end

5. Traffic coming to HTTP URL /detect/ will be delivered to EPI.

6. Traffic coming to whichever URL will be delivered to Debien-HTTP.

4056
0 Kudos
Submit Article Idea
Contributors
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2024 Fortinet, Inc. All Rights Reserved.