This article describes how to enable the option load-balance-servers, how this option works, and the expected outcome.
FortiOS 6.0 and newer releases.
Configuring load-balance-servers is straightforward. By default, it is set to 1, which means no load balancing.
The example below enables load balancing so that the 10 best servers are used.
Note that the fortiguard-anycast option is disabled so that more 'static' servers can appear in the list.
config system fortiguard
set fortiguard-anycast disable
set load-balance-servers 10
end
After enabling the option above, the following can be observed in the output of the command 'diag debug rating':
Example 2.
The example below still uses load-balance-servers 10 but enables fortiguard-anycast.
Anycast leverages DNS resolution to find the IPs closest to the user's location, and it may populate fewer servers.
config system fortiguard
set load-balance-servers 10
end
The following can be observed in the output of the command 'diag debug rating':
Further debugging of the web filter category rating requests:
fg_edge # diag debug application urlfilter -1
Debug messages will be on for 30 minutes.
fg_edge # diag debug enable
0(6695) action=12(ftgd-monitor) wf-act=0(MONITOR) user="N/A" src=172.16.45.51 sport=46348 dst=17.253.144.10 dport=80 service="http" cat=52 url_cat=52 ip_cat=52 hostname="apple.com" url="/"
0(6695) (warning) connect to 2620:101:9000:140:173:243:140:16 failed 101:Network is unreachable
The above is expected behavior associated with how the load-balance-servers option works: it may ignore other flags from the list.
One possible workaround, if there are 4 servers on the list, is to set load-balance-servers to 3 so that the last entry is not covered.
Another possible workaround is to disable fortiguard-anycast so the system can populate only IPv4 and valid entries.
config system fortiguard
set fortiguard-anycast disable
end
Known bug #931299, fixed in FortiOS 7.4.2, 7.2.8, and 7.0.13, addresses the behavior where only one IPv6 entry may be added to the list, causing a general failure. The fix only prevents a single IPv6 entry from being added to the list; IPv6 entries followed by IPv4 ones may still be allowed.
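To confirm from a saved urlfilter debug capture whether rating requests are being sent to unreachable IPv6 servers, the warning lines can be tallied by address family. The script below is an added example, not Fortinet code: the function names are hypothetical, the warning pattern is taken from the debug output above, and the sample lines marked as constructed are invented for illustration.

```python
import ipaddress
import re
from collections import Counter

# Warning format as it appears in the article's urlfilter debug output:
#   0(6695) (warning) connect to <addr> failed <errno>:<message>
WARN_RE = re.compile(
    r"\(warning\)\s+connect to\s+(?P<addr>\S+)\s+failed\s+(?P<errno>\d+):(?P<msg>.+)$"
)

def failed_connects(lines):
    """Yield (address, ip_version, errno, message) for each failed connect warning."""
    for line in lines:
        m = WARN_RE.search(line.strip())
        if not m:
            continue  # rating results and other debug lines are skipped
        try:
            addr = ipaddress.ip_address(m["addr"])
        except ValueError:
            continue  # not an IP literal; skip rather than guess
        yield str(addr), addr.version, int(m["errno"]), m["msg"].strip()

def summarize(lines):
    """Count failures per (ip_version, errno); list IPv6 servers that failed with 101."""
    counts = Counter()
    v6_unreachable = []
    for addr, version, errno, _msg in failed_connects(lines):
        counts[(version, errno)] += 1
        # 101 is the "Network is unreachable" code shown in the article's output
        if version == 6 and errno == 101 and addr not in v6_unreachable:
            v6_unreachable.append(addr)
    return counts, v6_unreachable

# Lines 1-2 are copied from the article; lines 3-4 are constructed samples
# (192.0.2.10 is a documentation address, and its error text is an assumption).
SAMPLE = """\
0(6695) action=12(ftgd-monitor) wf-act=0(MONITOR) user="N/A" src=172.16.45.51 sport=46348 dst=17.253.144.10 dport=80 service="http" cat=52 url_cat=52 ip_cat=52 hostname="apple.com" url="/"
0(6695) (warning) connect to 2620:101:9000:140:173:243:140:16 failed 101:Network is unreachable
0(6695) (warning) connect to 2620:101:9000:140:173:243:140:16 failed 101:Network is unreachable
0(6695) (warning) connect to 192.0.2.10 failed 110:Connection timed out
""".splitlines()

if __name__ == "__main__":
    counts, v6 = summarize(SAMPLE)
    for (version, errno), n in sorted(counts.items()):
        print(f"IPv{version} errno={errno}: {n} failed connect(s)")
    if v6:
        print("IPv6 servers selected but unreachable:", ", ".join(v6))
```

If IPv6 servers appear in the result on a unit without IPv6 connectivity, the workarounds above apply.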