cpagare
Staff
Article Id 194457

Description

 

This article describes how to configure a virtual server.

 

Scope

 

FortiGate.

Solution

 

From the GUI:

 

  1. Go to System -> Feature Visibility and enable 'Load Balance'.

  2. Go to Policy & Objects -> Virtual Servers and select 'Create New'.
    The virtual server IP is an external IP. The real server is an internal IP address for load-balancing purposes.

  3. Health Check can also be added from Policy & Objects -> Health Check.
 

In a virtual server, a health check is used to monitor the availability of the members of the real server pool. It tests whether an application is accessible by polling the servers. If a server fails the health check and the retries also fail, it is considered unavailable and no further traffic is sent to that server. This ensures that only healthy servers receive connections, improving overall service availability.

  4. Go to Policy & Objects -> Firewall Policy and select 'Create New'.
    Remember to change the inspection mode to 'proxy-based'. If this step is not taken, the virtual server object cannot be selected as the destination address in the policy.
    Note: If the option to change the inspection mode from flow-based to proxy-based is not visible, refer to the following article.
  
 
From the CLI:
 
  1. Enable Load Balancing:

config system settings
    set gui-load-balance enable
end

 

  2. Create a virtual server:

config firewall vip
    edit "Vserver"
        set type server-load-balance
        set extip 172.20.120.121
        set extintf "any"
        set server-type http
        set monitor "Test"
        set ldb-method round-robin
        set persistence http-cookie
        set extport 8080
        config realservers
            edit 1
                set type ip
                set ip 10.31.101.30
                set port 80
            next
        end
    next
end

 

The health-check monitor "Test" referenced by 'set monitor' above is defined under 'config firewall ldb-monitor'. The following output is taken with 'show full-configuration' ('sh full') from within the monitor's edit context:

Ornstein-kvm40 (Test) # sh full
config firewall ldb-monitor
    edit "Test"
        set type http
        set interval 10
        set timeout 2
        set retry 3
        set port 0
        set src-ip 0.0.0.0
        set http-get "www.test.com"
        set http-match ''
        set http-max-redirects 2
    next
end

 

Note:

If one or more real servers are located outside the FortiGate network and are reached through an IPsec tunnel, use 'set src-ip' to specify a source IP address for the health-check probes that is accepted over the tunnel; otherwise the probes may be dropped and the servers marked as unavailable.
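To make the monitor semantics concrete, the following Python script is an added illustration (it is not FortiOS code and does not come from this article). It models the 'interval', 'timeout', 'retry', 'http-get' and 'http-match' options of an ldb-monitor together with a round-robin real-server pool, using constructed probe replies. The retry rule (a server is marked down once the initial probe and all 'retry' retries fail) follows the description given above; the class and function names are this example's own.

```python
"""Model of a FortiGate-style HTTP health check (ldb-monitor) feeding a
round-robin real-server pool.  Added illustration, not FortiOS code: the
field names are modelled after the CLI options shown in the article and the
probe replies used below are constructed."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# A probe result: None means no reply within 'timeout', otherwise (status, body).
Response = Optional[Tuple[int, str]]


@dataclass
class LdbMonitor:
    interval: int = 10     # seconds between probe cycles (informational here)
    timeout: int = 2       # seconds before an unanswered probe counts as failed
    retry: int = 3         # failed retries tolerated before a member is marked down
    http_get: str = "/"    # path requested by each probe
    http_match: str = ""   # substring that must appear in the body ('' = any 2xx)


@dataclass
class RealServer:
    ip: str
    port: int = 80
    consecutive_failures: int = 0
    healthy: bool = True


def probe_passed(monitor: LdbMonitor, response: Response) -> bool:
    """Decide whether a single probe reply satisfies the monitor."""
    if response is None:               # timed out
        return False
    status, body = response
    if not 200 <= status < 300:
        return False
    return monitor.http_match in body  # '' matches any body


def record_probe(monitor: LdbMonitor, server: RealServer, response: Response) -> bool:
    """Update the member's state after one probe and return its health.

    The member stays in the pool until the initial probe and all 'retry'
    retries have failed, i.e. after retry + 1 consecutive failures."""
    if probe_passed(monitor, response):
        server.consecutive_failures = 0
        server.healthy = True
    else:
        server.consecutive_failures += 1
        if server.consecutive_failures > monitor.retry:
            server.healthy = False
    return server.healthy


class RoundRobinPool:
    """'ldb-method round-robin' restricted to members that are currently healthy."""

    def __init__(self, servers: List[RealServer]):
        self.servers = list(servers)
        self._cursor = 0

    def healthy(self) -> List[RealServer]:
        return [s for s in self.servers if s.healthy]

    def pick(self) -> Optional[RealServer]:
        candidates = self.healthy()
        if not candidates:
            return None                # whole pool down: nothing to hand out
        server = candidates[self._cursor % len(candidates)]
        self._cursor += 1
        return server


def simulate(monitor: LdbMonitor, pool: RoundRobinPool,
             cycles: List[Dict[str, Response]]) -> List[Optional[str]]:
    """Run the given probe cycles; after each cycle pick the member that a new
    client would be sent to.  Returns the chosen IP per cycle (None = pool down)."""
    chosen: List[Optional[str]] = []
    for replies in cycles:
        for server in pool.servers:
            record_probe(monitor, server, replies.get(server.ip))  # missing = timeout
        picked = pool.pick()
        chosen.append(picked.ip if picked else None)
    return chosen


# Constructed sample: two real servers; 10.31.101.31 stops answering for five
# probe cycles (initial failure + 3 retries + one more cycle), then recovers.
MONITOR = LdbMonitor(interval=10, timeout=2, retry=3, http_get="/", http_match="OK")
OK_REPLY: Response = (200, "OK")
CYCLES: List[Dict[str, Response]] = [
    {"10.31.101.30": OK_REPLY, "10.31.101.31": OK_REPLY},  # both up
    {"10.31.101.30": OK_REPLY, "10.31.101.31": None},      # failure 1 (initial)
    {"10.31.101.30": OK_REPLY, "10.31.101.31": None},      # retry 1
    {"10.31.101.30": OK_REPLY, "10.31.101.31": None},      # retry 2
    {"10.31.101.30": OK_REPLY, "10.31.101.31": None},      # retry 3 -> marked down
    {"10.31.101.30": OK_REPLY, "10.31.101.31": None},      # still down
    {"10.31.101.30": OK_REPLY, "10.31.101.31": OK_REPLY},  # recovers, back in pool
    {"10.31.101.30": OK_REPLY, "10.31.101.31": OK_REPLY},
]


def new_pool() -> RoundRobinPool:
    return RoundRobinPool([RealServer("10.31.101.30"), RealServer("10.31.101.31")])


if __name__ == "__main__":
    print(simulate(MONITOR, new_pool(), CYCLES))
```

In cycles 5 and 6 only 10.31.101.30 is handed out, which is the behaviour the article describes: the member is removed only after the retries are exhausted, and it rejoins the rotation as soon as a probe passes again. Note that a 200 reply whose body does not contain the 'http-match' string counts as a failure, which is why a non-empty match string is a useful guard against a server that answers but serves an error page.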

 

  3. Add the virtual server to a policy as the destination address:

config firewall policy
    edit 2
        set name "Virtual_Server"
        set inspection-mode proxy  <- Inspection needs to be in Proxy mode.
        set srcintf "wan"
        set dstintf "LAN"
        set srcaddr "all"
        set dstaddr "Vserver"
        set action accept
        set schedule "always"
        set service "ALL"
        set utm-status enable
        set ssl-ssh-profile "certificate-inspection"
        set av-profile "default"
        set fsso disable
        set nat enable
    next
end

 
Users may want to restrict the cipher suites used for SSL load balancing.
Generally, a matching cipher suite is selected automatically, but the set of cipher suites available to a given SSL offloading configuration can be limited. If a custom set is configured, make sure the real servers support it. Otherwise, load-balanced traffic will fail even though communication with the servers is established.
 
config firewall vip
    edit "Vserver"
        set type server-load-balance
        set server-type https
        set ssl-algorithm custom  <- This can be set to low, medium, high, or custom.
        config ssl-cipher-suites
            edit 1
                set cipher TLS-ECDHE-RSA-WITH-CHACHA20-POLY1305-SHA256
            next
            edit 2
                set cipher TLS-ECDHE-ECDSA-WITH-CHACHA20-POLY1305-SHA256
            next
            edit 3
                set cipher TLS-DHE-RSA-WITH-CHACHA20-POLY1305-SHA256
            next
        end
    next
end
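A way to catch the failure mode described above before the virtual server goes live is to verify, from a host that can reach the real servers, that each of them can negotiate at least one of the configured suites. The Python script below is an added example (not FortiOS code and not from this article): it translates the FortiOS 'set cipher' names shown above into the OpenSSL names the Python ssl module uses, then attempts a TLS 1.2 handshake with each real server offering only those suites. The name table, the 'probe_server' and 'check_pool' helpers and the member list are this example's own assumptions.

```python
"""Pre-deployment check for 'ssl-algorithm custom': confirm every real server
can negotiate one of the suites listed under 'config ssl-cipher-suites'.
Added example, not FortiOS code; the name table and the probe are assumptions
about how to test this from an ordinary host."""
import socket
import ssl
from typing import Callable, Dict, List, Tuple

# FortiOS 'set cipher' names (as used in the article) mapped to the OpenSSL
# names understood by SSLContext.set_ciphers(). Extend for other suites.
FORTIOS_TO_OPENSSL = {
    "TLS-ECDHE-RSA-WITH-CHACHA20-POLY1305-SHA256": "ECDHE-RSA-CHACHA20-POLY1305",
    "TLS-ECDHE-ECDSA-WITH-CHACHA20-POLY1305-SHA256": "ECDHE-ECDSA-CHACHA20-POLY1305",
    "TLS-DHE-RSA-WITH-CHACHA20-POLY1305-SHA256": "DHE-RSA-CHACHA20-POLY1305",
}

ProbeResult = Tuple[bool, str]


def openssl_cipher_string(fortios_names: List[str]) -> str:
    """Translate the configured suite list into an OpenSSL cipher string.
    The 'edit' order is kept, since it is also the preference order."""
    unknown = [n for n in fortios_names if n not in FORTIOS_TO_OPENSSL]
    if unknown:
        raise ValueError(f"no OpenSSL name known for: {unknown}")
    return ":".join(FORTIOS_TO_OPENSSL[n] for n in fortios_names)


def probe_server(host: str, port: int, cipher_string: str,
                 timeout: float = 2.0) -> ProbeResult:
    """Attempt a TLS handshake offering only the configured suites.

    This checks cipher negotiation only.  Certificate verification is
    disabled on purpose so that a self-signed real-server certificate does
    not mask the answer; validate certificates separately."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    # The suites in the article are TLS 1.2 suites.  Capping the version keeps
    # a TLS 1.3 handshake from succeeding with an unrelated suite.
    ctx.maximum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers(cipher_string)
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                negotiated, _proto, _bits = tls.cipher()
                return True, negotiated
    except (ssl.SSLError, OSError) as exc:
        return False, str(exc)


def check_pool(realservers: List[Tuple[str, int]], fortios_names: List[str],
               probe: Callable[[str, int, str], ProbeResult] = probe_server
               ) -> Dict[str, ProbeResult]:
    """Probe every real server.  A False entry means the FortiGate would open
    a TCP connection to that member but the offloaded TLS session would fail,
    which is exactly the symptom the article warns about."""
    cipher_string = openssl_cipher_string(fortios_names)
    return {f"{ip}:{port}": probe(ip, port, cipher_string) for ip, port in realservers}


if __name__ == "__main__":
    # Constructed member list; replace with the real-server IPs of the VIP.
    members = [("10.31.101.30", 443), ("10.31.101.31", 443)]
    configured = list(FORTIOS_TO_OPENSSL)   # the three suites from the article
    for member, (ok, detail) in check_pool(members, configured).items():
        print(f"{member}: {'OK ' + detail if ok else 'FAIL ' + detail}")
```

A member that reports FAIL with a handshake error such as "no shared cipher" is one that would break the virtual server once 'ssl-algorithm custom' is applied; either add a suite that member supports to the list or fix the member's TLS configuration first.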
 
Note:
Server load balancing is supported on most FortiGate devices and includes up to 10,000 virtual servers on high-end systems.
As part of improvements to enhance performance and optimize memory usage on FortiGate models with 2 GB RAM or less, starting from version 7.4.4, FortiOS no longer supports proxy-related features. This change impacts the FortiGate/FortiWiFi 40F, 60E, 60F, 80E, and 90E series of devices and their variants, and FortiGate-Rugged 60F (2 GB versions only).
 

Related documents:

Technical Tip: Round-robin virtual server load balancing method

Technical Tip: Configuring Virtual server with two real servers when central NAT is enabled

Virtual server load balance - FortiGate administration guide

Proxy-related features not supported on FortiGate 2 GB RAM models