sdabhade
Staff
Article Id 230800
Description This article describes the reason behind the 'Access Denied' error while accessing the Virtual Server with HTTP and HTTPS cookie persistence.
Scope FortiGate.
Solution

HTTP cookie persistence ensures that a user keeps connecting to the same real server. However, if that server becomes unreachable, the user will face the 'Access Denied' error.

To fix the issue, first understand the behavior with the help of the Virtual Server configuration below.

config firewall vip
    edit VIRTUAL-SERVER
        set type server-load-balance
        set server-type https
        set extport 443
        set extintf wan1
        set extip 172.30.1.1
        set persistence http-cookie
        config realservers
            edit 1
                set ip 192.168.1.1
                set port 80
            next
            edit 2
                set ip 192.168.1.2
                set port 80
            next
            edit 3
                set ip 192.168.1.3
                set port 80
            next
        end
    next
end

If the real server 192.168.1.1 becomes unreachable, users whose web browsers already hold the HTTP cookie for that server will face an 'Access Denied' error when they try to access the Virtual Server.

The remaining real servers, 192.168.1.2 and 192.168.1.3, stay accessible to users whose web browsers already hold the respective HTTP cookies.

New users with no HTTP cookie stored in the web browser will not face any issue, because a new session is created with either real server 192.168.1.2 or 192.168.1.3 according to the configured Load Balance Method.
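
The three cases above can be reproduced with a small model. This is an added example, not FortiOS code or part of the original article: the `VirtualServer` class, the `persist-id` cookie name and round-robin selection for new sessions are assumptions made for illustration.

```python
# Simplified model of HTTP cookie persistence on a load-balanced virtual server.
# Not FortiOS code: the class, cookie name and round-robin choice are assumptions.
from itertools import count

COOKIE = "persist-id"  # hypothetical cookie name


class VirtualServer:
    def __init__(self, real_servers):
        self.real_servers = list(real_servers)
        self.reachable = set(real_servers)
        self._rr = count()  # round-robin counter for new sessions

    def handle(self, cookies):
        """Return (response, cookies) for one request."""
        pinned = cookies.get(COOKIE)
        if pinned is not None:
            # Returning user: the cookie decides, even if that server is down.
            if pinned not in self.reachable:
                return "Access Denied", cookies
            return f"OK from {pinned}", cookies
        # New user: balance across reachable servers and inject the cookie.
        live = [s for s in self.real_servers if s in self.reachable]
        if not live:
            return "Access Denied", cookies
        chosen = live[next(self._rr) % len(live)]
        return f"OK from {chosen}", {**cookies, COOKIE: chosen}


def demo():
    # Addresses taken from the configuration in the article.
    vs = VirtualServer(["192.168.1.1", "192.168.1.2", "192.168.1.3"])
    # Three browsers connect while all servers are up; each receives a cookie.
    jars = [vs.handle({})[1] for _ in range(3)]
    vs.reachable.discard("192.168.1.1")  # real server 1 becomes unreachable
    returning = [vs.handle(jar)[0] for jar in jars]
    new_user = vs.handle({})[0]  # browser with no stored cookie
    return returning, new_user


if __name__ == "__main__":
    print(demo())
```

In this model, a browser pinned to 192.168.1.1 recovers only once its stored cookie is gone, at which point it is treated as a new user.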


Related Article:
https://docs.fortinet.com/document/fortigate/6.0.0/handbook/63877/http-and-https-load-balancing-mult...
https://docs.fortinet.com/document/fortigate/7.0.4/administration-guide/713497/virtual-server-load-b...