FortiGate
cpagare
Staff
Article Id 194457

Description

 

This article describes how to configure a virtual server.

 

Scope

 

FortiGate.

Solution

 

From the GUI:

 

  1. Go to System -> Feature Visibility and enable 'Load Balance'.

  2. Go to Policy & Objects -> Virtual Servers and select 'Create New'.
     The virtual server IP is the external address that clients connect to. The real servers are the internal IP addresses that the FortiGate distributes the connections across.

  3. Go to Policy & Objects -> Firewall Policy and select 'Create New'.
     Set the inspection mode to 'proxy-based' and select the virtual server object as the destination address. If the policy is left flow-based, the virtual server object is not offered in the destination address list.

     The virtual server is now active and load balances incoming connections to the real servers.
  
 
 
From the CLI:
 
  1. Enable Load Balancing (this setting only exposes the feature in the GUI; the CLI accepts server-load-balance VIPs regardless):

config system settings
    set gui-load-balance enable
end

 

  2. Create a virtual server:

config firewall vip
    edit "Vserver"
        set type server-load-balance
        set extip 172.20.120.121
        set extintf "any"
        set server-type http
        set monitor ""
        set ldb-method round-robin
        set persistence http-cookie
        set extport 8080
        config realservers
            edit 1
                set type ip
                set ip 10.31.101.30
                set port 80
            next
        end
    next
end

 

  3. Add the virtual server to a policy as the destination address:

config firewall policy
    edit 2
        set name "Virtual_Server"
        set inspection-mode proxy  <- Inspection needs to be Proxy mode.
        set srcintf "wan"
        set dstintf "LAN"
        set srcaddr "all"
        set dstaddr "Vserver"
        set action accept
        set schedule "always"
        set service "ALL"
        set utm-status enable
        set ssl-ssh-profile "certificate-inspection"
        set av-profile "default"
        set fsso disable
        set nat enable
    next
end

 
For SSL load balancing (server-type https), the set of cipher suites offered by the virtual server can be restricted.
By default the FortiGate negotiates a suitable cipher suite automatically, but the available set can be limited for a given SSL offloading configuration. When a custom list is configured, make sure the real servers support the selected suites; otherwise load-balanced traffic will fail even though the FortiGate itself can reach the servers. An HTTPS virtual server also needs a server certificate assigned (set ssl-certificate) so that the FortiGate can terminate the client TLS session.
 
config firewall vip
    edit "Vserver"
        set type server-load-balance
        set server-type https
        set ssl-algorithm custom <- Options are low, medium, high, and custom.
        config ssl-cipher-suites
            edit 1
                set cipher TLS-ECDHE-RSA-WITH-CHACHA20-POLY1305-SHA256
            next
            edit 2
                set cipher TLS-ECDHE-ECDSA-WITH-CHACHA20-POLY1305-SHA256
            next
            edit 3
                set cipher TLS-DHE-RSA-WITH-CHACHA20-POLY1305-SHA256
            next
        end
    next
end
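As an added check (example code written for this article, not Fortinet's own tooling), the following Python script lints a FortiOS configuration dump for the two pitfalls described above: a firewall policy that uses a server-load-balance virtual server as its destination without proxy-based inspection, and a custom cipher-suite list that still admits suites without forward secrecy or AEAD protection. The configuration text is constructed for the example, and the cipher classification is a heuristic derived from the IANA-style suite names, not a FortiOS API.

```python
"""Lint a FortiOS config dump for virtual-server pitfalls (example code, not Fortinet's)."""
import shlex

def parse_fortios(text):
    """Parse FortiOS CLI into nested dicts: table -> edit name -> entry (set values, sub-tables)."""
    lines = [ln.strip() for ln in text.splitlines()]
    pos = 0

    def parse_table():
        nonlocal pos
        table, entry = {}, None
        while pos < len(lines):
            tok, pos = shlex.split(lines[pos]), pos + 1
            if not tok:
                continue
            kw, args = tok[0], tok[1:]
            target = table if entry is None else entry
            if kw == "config":
                target[" ".join(args)] = parse_table()
            elif kw == "edit":
                entry = table.setdefault(args[0], {})
            elif kw == "set":
                target[args[0]] = args[1:]
            elif kw == "next":
                entry = None
            elif kw == "end":
                return table
        return table

    return parse_table()

def classify_cipher(name):
    """Heuristic properties of an IANA-style suite name TLS-<kx>-WITH-<bulk>-<hash>."""
    if "-WITH-" not in name:  # TLS 1.3 names (TLS-AES-128-GCM-SHA256): ephemeral DH + AEAD
        return {"pfs": True, "aead": True, "weak": []}
    kx, bulk = name.split("-WITH-", 1)
    pfs = "DHE" in kx  # ECDHE/DHE are ephemeral; plain RSA or ECDH-* key exchange is static
    aead = any(t in bulk for t in ("GCM", "CCM", "CHACHA20-POLY1305"))
    weak = [msg for bad, msg in (
        (not pfs, "no forward secrecy (static key exchange)"),
        (not aead, "non-AEAD bulk cipher (CBC, MAC-then-encrypt)"),
        (any(t in bulk for t in ("3DES", "RC4", "NULL")), "legacy bulk cipher"),
        (bulk.endswith("-SHA"), "SHA-1 MAC")) if bad]
    return {"pfs": pfs, "aead": aead, "weak": weak}

def check_vip_policies(cfg):
    """Flag policies using a server-load-balance VIP as dstaddr without proxy inspection (flow is the default)."""
    slb = {n for n, v in cfg.get("firewall vip", {}).items() if v.get("type") == ["server-load-balance"]}
    findings = []
    for pid, pol in cfg.get("firewall policy", {}).items():
        used = slb & set(pol.get("dstaddr", []))
        if used and pol.get("inspection-mode", ["flow"]) != ["proxy"]:
            findings.append(f"policy {pid}: virtual server {sorted(used)} needs inspection-mode proxy")
    return findings

def check_vip_ciphers(cfg):
    """Flag weak suites in the custom cipher list of every HTTPS virtual server."""
    findings = []
    for name, vip in cfg.get("firewall vip", {}).items():
        if vip.get("server-type") != ["https"] or vip.get("ssl-algorithm") != ["custom"]:
            continue  # preset lists (low/medium/high) are FortiOS-chosen; nothing per-suite to check
        for idx, suite in vip.get("ssl-cipher-suites", {}).items():
            cipher = suite.get("cipher", ["?"])[0]
            for reason in classify_cipher(cipher)["weak"]:
                findings.append(f"vip {name}: suite {idx} {cipher}: {reason}")
    return findings

# Constructed sample dump: an HTTPS virtual server with a mixed custom cipher list, used by one flow-based (broken) and one proxy-based (correct) policy.
SAMPLE_CONFIG = """
config firewall vip
    edit "Vserver"
        set type server-load-balance
        set server-type https
        set ssl-algorithm custom
        config ssl-cipher-suites
            edit 1
                set cipher TLS-ECDHE-RSA-WITH-CHACHA20-POLY1305-SHA256
            next
            edit 2
                set cipher TLS-RSA-WITH-AES-128-CBC-SHA
            next
        end
    next
end
config firewall policy
    edit 1
        set dstaddr "Vserver"
        set inspection-mode flow
    next
    edit 2
        set dstaddr "Vserver"
        set inspection-mode proxy
    next
end
"""
if __name__ == "__main__":
    cfg = parse_fortios(SAMPLE_CONFIG)
    for finding in check_vip_policies(cfg) + check_vip_ciphers(cfg):
        print(finding)
```

Run against a real dump (show firewall vip / show firewall policy pasted into SAMPLE_CONFIG or read from a file), the script reports policy 1 as flow-based and flags suite 2 three times (static RSA key exchange, CBC mode, SHA-1 MAC), while the ECDHE/ChaCha20 suite and policy 2 pass.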
 
