FortiGate
hpenmetsa
Staff
Article Id 317749
Description This article explains how to configure a virtual server on a FortiGate running in multi-VDOM mode so that the servers reside behind VDOMs that do not have internet access.
Scope FortiGate.
Solution

[Image: Topology1.PNG]


In this FortiGate configuration, HTTP traffic from the internet is load-balanced across two internal web servers. The FortiGate accepts connections on interface Port10 (destination IP: 10.56.240.118, port 8080) and forwards them to the internal servers. During forwarding, the destination address is translated to the specific web server chosen by the load balancer.

This load-balancing setup utilizes several features:

  • Session Persistence: Maintains user sessions by using HTTP cookies.
  • Round-Robin Load Balancing: Distributes traffic evenly across both servers.
  • TCP Health Monitoring: Ensures server availability by checking their ability to respond to network traffic (using TCP).

Note: This configuration assumes the Internet connection is present only on the ‘EXT-VDOM’ and the web servers are placed behind the ‘INT-VDOM’ on the FortiGate.

Configuration on EXT-VDOM:

Virtual server configuration on EXT-VDOM:

The virtual server is configured with a load-balancing method of Round Robin.

[Image: VS.png]

Configure a Static Route to the Virtual Server:

The static route's destination is set to the subnet of the servers, and the gateway is set to the internal interface connecting the VDOMs (the inter-VDOM link).

[Image: static route.png]

Firewall Policy Configuration:

For the virtual server to be included in the firewall policy, the inspection mode needs to be set to 'Proxy-based'.

[Image: Firewall policy.png]
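
The three EXT-VDOM steps above (virtual server with health monitor, static route, proxy-mode firewall policy) written as FortiOS CLI, as an added example that is not taken from the article or its screenshots. The object names, the real-server port 80, the service "ALL" and every value in angle brackets are assumptions or placeholders for values the article does not state.

```fortios
# Added example for EXT-VDOM; object names, real-server port 80, service ALL and <...> values are assumptions.
config vdom
    edit EXT-VDOM
        config firewall ldb-monitor
            edit "web-tcp-check"
                set type tcp
            next
        end
        config firewall vip
            edit "web-vs"
                set type server-load-balance
                set server-type http
                set extintf "port10"
                set extip 10.56.240.118
                set extport 8080
                set ldb-method round-robin
                set persistence http-cookie
                set monitor "web-tcp-check"
                config realservers
                    edit 1
                        set ip <WEB_SERVER_1_IP>
                        set port 80
                    next
                    edit 2
                        set ip <WEB_SERVER_2_IP>
                        set port 80
                    next
                end
            next
        end
        config router static
            edit 0
                set dst <SERVER_SUBNET> <NETMASK>
                set device "<EXT_SIDE_INTER_VDOM_LINK>"
            next
        end
        config firewall policy
            edit 0
                set srcintf "port10"
                set dstintf "<EXT_SIDE_INTER_VDOM_LINK>"
                set srcaddr "all"
                set dstaddr "web-vs"
                set action accept
                set schedule "always"
                set service "ALL"
                set inspection-mode proxy
            next
        end
end
```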

 

Configuration on INT-VDOM:

Static route configuration:

[Image: static route2.png]

Firewall policy configuration:

[Image: Firewall policy 2.png]

Related documents: