Description
This article describes how to configure a virtual server.
Scope
FortiGate.
Solution
From the GUI:
- Go to System -> Feature Visibility and enable 'Load Balance'.

- Go to Policy & Objects -> Virtual Servers and select 'Create New'.
The virtual server IP is an external IP. The real server is an internal IP address for load-balancing purposes.
- Health Check can also be added from Policy & Objects -> Health Check.
In a virtual server, a health check is used to monitor the members' availability in the real server pool. It tests whether an application is accessible by polling the servers. If a server fails the health check and retries also fail, it is considered unavailable, and traffic is disabled to that server. This helps ensure that only healthy servers receive connections, improving overall system performance.
- Go to Policy & Objects -> Firewall Policy and select 'Create New'.
Remember to change the inspection mode to 'proxy-based'. If this step is not taken, the 'virtual_server' object cannot be selected in the policy.
Note: If the option to change the inspection mode from flow-based to proxy-based is not visible, refer to the following article:
- Inspection mode option is not visible under Policy
Now the virtual server is working and load-balances traffic to the internal servers.

- Enable Load Balancing:
config system settings
set gui-load-balance enable
end
- Create a virtual server:
config firewall vip
edit "Vserver"
set type server-load-balance
set extip 172.20.120.121
set extintf "any"
set server-type http
set monitor "Test"
set ldb-method round-robin
set persistence http-cookie
set extport 8080
config realservers
edit 1
set type ip
set ip 10.31.101.30
set port 80
next
end
next
end
- Create the health check monitor referenced by 'set monitor' (shown here with 'show full-configuration', so the default values are included):
config firewall ldb-monitor
edit "Test"
set type http
set interval 10
set timeout 2
set retry 3
set port 0
set src-ip 0.0.0.0
set http-get "www.test.com"
set http-match ''
set http-max-redirects 2
next
end
Note:
If one or more real servers are located outside of the FortiGate network and are reached through an IPsec tunnel, use 'set src-ip' to specify a valid source IP address that will be accepted over the tunnel.
- Add the virtual server to a policy as the destination address:
config firewall policy
edit 2
set name "Virtual_Server"
set inspection-mode proxy <- Inspection needs to be in Proxy mode.
set srcintf "wan"
set dstintf "LAN"
set srcaddr "all"
set dstaddr "Vserver"
set action accept
set schedule "always"
set service "ALL"
set utm-status enable
set ssl-ssh-profile "certificate-inspection"
set av-profile "default"
set fsso disable
set nat enable
next
end
- Optionally, for an HTTPS virtual server, restrict the SSL/TLS cipher suites the virtual server offers by setting 'ssl-algorithm' to 'custom':
config firewall vip
edit "Vserver"
set type server-load-balance
set server-type https
set ssl-algorithm custom <- This can be set to low, medium, high, or custom.
config ssl-cipher-suites
edit 1
set cipher TLS-ECDHE-RSA-WITH-CHACHA20-POLY1305-SHA256
next
edit 2
set cipher TLS-ECDHE-ECDSA-WITH-CHACHA20-POLY1305-SHA256
next
edit 3
set cipher TLS-DHE-RSA-WITH-CHACHA20-POLY1305-SHA256
next
end
next
end
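As an added check (example code, not from the article or from Fortinet), the following Python script parses FortiOS CLI text in the config/edit/set/next/end form shown above and flags two of the pitfalls this article covers: a server-load-balance virtual server with no health-check monitor bound, and a firewall policy that uses a virtual server as destination without 'inspection-mode proxy'. The sample configuration is constructed for the demonstration, not a real device dump.

```python
# Audit a FortiOS CLI configuration for the virtual-server pitfalls this article describes.
import re

def parse_fortios(text):
    """Parse FortiOS config/edit/set/next/end text into nested dicts."""
    root, stack = {}, []
    for raw in text.splitlines():
        line = raw.split("<-", 1)[0].strip()  # drop KB-style "<-" annotations
        if not line:
            continue
        cmd, *args = [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', line)]
        if cmd in ("config", "edit"):
            stack.append((stack[-1] if stack else root).setdefault(" ".join(args), {}))
        elif cmd == "set":
            stack[-1][args[0]] = args[1] if len(args) == 2 else args[1:]
        elif cmd in ("next", "end"):
            stack.pop()
    return root

def audit_virtual_servers(cfg):
    """Return findings; an empty list means the article's two checks pass."""
    findings, vips = [], cfg.get("firewall vip", {})
    lb = {n: v for n, v in vips.items() if v.get("type") == "server-load-balance"}
    for name, vip in lb.items():
        if not vip.get("monitor"):
            findings.append(f"vip {name}: no health-check monitor bound")
    for pid, pol in cfg.get("firewall policy", {}).items():
        dst = pol.get("dstaddr", [])
        for d in ([dst] if isinstance(dst, str) else dst):
            if d in lb and pol.get("inspection-mode") != "proxy":
                findings.append(f"policy {pid}: virtual server {d} needs inspection-mode proxy")
    return findings

# Constructed sample (not a real device dump): monitor missing and policy left in flow mode.
SAMPLE_CONFIG = """
config firewall vip
    edit "Vserver"
        set type server-load-balance
        set server-type http
    next
end
config firewall policy
    edit 2
        set dstaddr "Vserver"
        set inspection-mode flow <- should be proxy
    next
end
"""

if __name__ == "__main__":
    for finding in audit_virtual_servers(parse_fortios(SAMPLE_CONFIG)):
        print(finding)
```

Run it against the output of 'show' from a device to confirm every policy fronting a virtual server is proxy-inspected and every virtual server has a monitor.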
Related articles:
Technical Tip: Round-robin virtual server load balancing method
Technical Tip: Configuring Virtual server with two real servers when central NAT is enabled
Virtual server load balance - FortiGate administration guide