kmak
Staff
Article Id 338947
Description This article describes using a Lua script to match the user's IP address for content routing.
Scope FortiADC.
Solution

Prerequisite:

  • FortiADC version 7.6.0 and above.
  • The user's IP address is not source-NATed upstream.

 

FortiADC Server Load-Balance (SLB) supports content routing based on clients' IP addresses. Each content routing policy can match only a single IP address or a single subnet. To match more than one IP address or subnet, multiple content routing policies must be created, one for each IP address or subnet.

 

Alternatively, a Lua script can be used to do content routing for the FortiADC SLB.

 

  1. First, create the Content Routing Policy in the FortiADC SLB settings. Assign the respective real server pool to the Content Routing Policy.


 

  1. Leave the matching condition empty in the Content Routing Policy.
                                       


     

     

  2. Create an SLB script in FortiADC -> Server Load Balance -> Scripting.
                                                           


     

     

  3. Insert the script below into the new FortiADC script.

    when RULE_INIT{
        -- Initialize the address group here.
        -- IPv4 and IPv6 are both supported.
        -- For IPv4, the mask is a number from 0 to 32 or a dotted-format mask.
        -- For IPv6, the mask is a number from 0 to 128.
        -- Append each additional IP address/subnet on a new addr_group line.
        addr_group = "192.168.0.0/24"
        addr_group = addr_group..",192.168.1.128/27"
        addr_group = addr_group..",10.253.0.22/32"
    }

    when HTTP_REQUEST{
        -- Compare the client's source address with the address group.
        local client_ip = HTTP:client_addr()
        local matched = cmp_addr(client_ip, addr_group)
        if matched then
            -- Address is in the group: use content routing policy sp1.
            LB:routing("sp1")
        else
            -- No match: use content routing policy sp2.
            LB:routing("sp2")
        end
    }

                                                                           

     

  4. The sample script matches the user's IP address against the 3 entries in the address group: 192.168.0.0/24, 192.168.1.128/27, and 10.253.0.22/32. More IP addresses or subnet ranges can be added by appending further 'addr_group =' lines below the existing ones.

    If the IP address matches the address group, the script routes the request to the sp1 content routing policy (the server pool in sp1); otherwise, the request is routed to sp2.

     

     

  5. In the FortiADC SLB Virtual Server, enable Content Routing and select the created Content Routing Policy.
                                                 


     

     

  6. In the General tab, enable Scripting and select the script that has been created for the content routing.
                                                          


     

     

  7. Test by browsing to the Virtual Server, then check the traffic log to verify the HTTP request content routing.
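The address group can also be checked offline before the script is enabled, so that a mistyped entry does not silently send clients to the wrong pool. The following Python sketch is an added example, not Fortinet code: it models the script's branch with the standard `ipaddress` module, assuming `cmp_addr` is true when the client address falls inside any listed entry; `parse_addr_group` and `route` are hypothetical helper names.

```python
import ipaddress

# addr_group as assembled by the article's RULE_INIT block.
ADDR_GROUP = "192.168.0.0/24,192.168.1.128/27,10.253.0.22/32"


def parse_addr_group(group):
    """Parse a comma-separated addr_group string into (networks, warnings)."""
    networks, warnings = [], []
    for entry in (e.strip() for e in group.split(",")):
        if not entry:
            warnings.append("empty entry (stray comma)")
            continue
        try:
            # Accepts a prefix length or a dotted IPv4 mask, as the script comments allow.
            iface = ipaddress.ip_interface(entry)
        except ValueError as exc:
            warnings.append(f"{entry}: invalid ({exc})")
            continue
        net = iface.network
        if iface.ip != net.network_address:
            warnings.append(f"{entry}: host bits set, covers {net}")
        if net.prefixlen == 0:
            warnings.append(f"{entry}: matches every client")
        networks.append(net)
    return networks, warnings


def route(client_ip, networks, match_pool="sp1", default_pool="sp2"):
    """Model of the HTTP_REQUEST branch: sp1 on a match, otherwise sp2."""
    addr = ipaddress.ip_address(client_ip)
    matched = any(addr.version == n.version and addr in n for n in networks)
    return match_pool if matched else default_pool


if __name__ == "__main__":
    nets, warns = parse_addr_group(ADDR_GROUP)
    for w in warns:
        print("WARNING:", w)
    # Constructed test clients on each side of the subnet boundaries.
    for ip in ("192.168.0.255", "192.168.1.127", "192.168.1.128",
               "192.168.1.159", "192.168.1.160", "10.253.0.22", "10.253.0.23"):
        print(f"{ip:15} -> {route(ip, nets)}")
```

The boundary addresses are the ones worth comparing against the traffic log in step 7, since 192.168.1.128/27 ends at 192.168.1.159.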

     

     

Related document:

LUA script for content routing
