FortiGate
kgeorge
Staff
Article Id 354881
Description: This article describes how to troubleshoot cases where some government, banking, and some other websites do not load when load balancing is configured.
Scope FortiGate, SD-WAN.
Solution

Government and banking websites generally use the IP address as a security measure. To ensure that no one is hijacking the session, these websites require the IP address to stay the same.

When a load balancer such as SD-WAN is used, the session may carry several IP addresses, and these websites will therefore refuse or terminate the connection.

To mitigate this, use the Load Balance strategy with the load balance hash mode (algorithm) set to either 'source-ip-based' or 'source-dest-ip-based'.

 

Refer to this screenshot below for more information on Load Balance Algorithms:

 

LB_Algorithms.png

To determine whether the issue is due to load balancing, create a policy route for one user and test the traffic. If the website then loads without issues, the problem is related to load balancing.

 

PolicyRoute.png
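A complementary check to the policy-route test above, as an added example that is not part of the original article or Fortinet code: it scans traffic logs for a client that reached the same destination through more than one egress address, which is the symptom described here. It assumes key=value traffic log lines carrying the `srcip`, `dstip`, `dstintf` and `transip` fields; the sample lines, interface names and addresses are constructed.

```python
import re
from collections import defaultdict

# Constructed, simplified FortiGate-style key=value traffic log lines (not real data).
# Assumed for the sample: wan1 NATs to 203.0.113.10 and wan2 to 198.51.100.20.
SAMPLE_LOGS = """\
date=2024-01-01 time=10:00:01 type="traffic" srcip=10.0.0.5 dstip=192.0.2.80 dstport=443 dstintf="wan1" transip=203.0.113.10
date=2024-01-01 time=10:00:02 type="traffic" srcip=10.0.0.5 dstip=192.0.2.80 dstport=443 dstintf="wan2" transip=198.51.100.20
date=2024-01-01 time=10:00:03 type="traffic" srcip=10.0.0.6 dstip=192.0.2.80 dstport=443 dstintf="wan1" transip=203.0.113.10
date=2024-01-01 time=10:00:04 type="traffic" srcip=10.0.0.6 dstip=192.0.2.80 dstport=443 dstintf="wan1" transip=203.0.113.10
date=2024-01-01 time=10:00:05 type="traffic" srcip=10.0.0.6 dstip=192.0.2.90 dstport=443 dstintf="wan2" transip=198.51.100.20
"""

# Matches key=value where the value is either quoted or a run of non-space characters.
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_line(line):
    """Return a dict of key=value fields, with surrounding quotes stripped."""
    return {key: value.strip('"') for key, value in FIELD_RE.findall(line)}


def unstable_pairs(log_text):
    """Map (srcip, dstip) -> sorted list of (dstintf, transip), keeping only pairs
    where one client reached one destination through more than one egress address."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        fields = parse_line(line)
        if not {"srcip", "dstip", "transip"} <= fields.keys():
            continue  # no NAT information on this line, nothing to compare
        pair = (fields["srcip"], fields["dstip"])
        seen[pair].add((fields.get("dstintf", "?"), fields["transip"]))
    return {pair: sorted(egress) for pair, egress in seen.items() if len(egress) > 1}


if __name__ == "__main__":
    # 10.0.0.6 uses wan1 and wan2 for different destinations, which is consistent
    # with source-dest-ip-based hashing and is therefore not reported.
    for (src, dst), egress in unstable_pairs(SAMPLE_LOGS).items():
        print(f"{src} -> {dst} left via {egress}")
```

An empty result after the hash mode is changed indicates that each client/destination pair now keeps a single egress address.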

 

Steps to configure SD-WAN Rule using Load Balancing with appropriate Algorithm/Hash-mode:

 

For firmware versions before v7.4.1:

 

  1. Refer to the documentation below to configure the SD-WAN rule with the Maximize bandwidth (SLA) strategy: Maximize bandwidth (SLA) strategy.
  2. After configuring the SD-WAN rule, go to the CLI and make the changes below. Here, 1 is the ID of the SD-WAN rule that was created above, and the hash-mode value can be either source-ip-based (shown) or source-dest-ip-based:

config system sdwan
    config service
        edit 1
            set hash-mode source-ip-based
        next
    end
end

 

For firmware version 7.4.1 and later:

  1. Refer to this documentation to configure the SD-WAN rule for load balancing with or without SLA targets: Load balancing strategy.
  2. After configuring the SD-WAN rule, go to the CLI and make the changes below. Here, 1 is the ID of the SD-WAN rule that was created with the Load Balance strategy, and the hash-mode value can be either source-ip-based (shown) or source-dest-ip-based:

config system sdwan
    config service
        edit 1
            set hash-mode source-ip-based
        next
    end
end

 

After the steps above are followed, all government and banking websites will load without errors.

 

Note

If the default Implicit SD-WAN rule is used for all Internet traffic, then choose 'Source IP' or 'Source-Destination IP' as the load-balancing algorithm.