FortiGate
lcamilo, Staff
Article Id 333861
Description


This article describes how to enable the load-balance-servers option, how the option works, and the expected outcome.

Scope


FortiOS 6.0 and newer releases.

Solution


The configuration of load-balance-servers is straightforward. By default it is set to 1, which means no load balancing.
The example below enables load balancing so that the 10 best servers are used.
Note that the fortiguard-anycast option is disabled here so that more 'static' servers can be present in the list.


config system fortiguard
    set fortiguard-anycast disable
    set load-balance-servers 10
end


After enabling the option above, the following output from the command 'diag debug rating' can be observed:


diag_debug_rating_01.png


  • The option can load-balance across up to 10 servers; however, only 5 servers are available, so all 5 servers are used.
  • Requests are evenly distributed to all 5 servers.
  • Some servers may have a better RTT (round trip time) and offer faster responses.
  • The Weight attribute is ignored, as the load-balance option evenly distributes web filter rating queries to all servers.
  • Flags (see Technical Tip: FortiGuard Flags and Meanings) are also ignored, as the load-balance option evenly distributes web filter rating queries to all servers.


Example 2.

The example below still uses load-balance-servers 10; however, it enables fortiguard-anycast.

Anycast leverages DNS resolution to find the IPs closest to the user's location, and it may populate fewer servers.


config system fortiguard
    set fortiguard-anycast enable
    set load-balance-servers 10
end


In the following output from the command 'diag debug rating', the following can be observed:


diag_debug_rating_02.png

  • The option can load-balance across up to 10 servers; however, only 2 servers are available, so all 2 servers are used.
  • Requests are evenly distributed to both servers.
  • Flags are also ignored, as the load-balance option evenly distributes web filter rating queries to all servers.
  • The DNS resolution returned one IPv6 server entry, which will fail because this system does not have IPv6 enabled.
  • The IPv6 entry received the 'F' flag (failed); however, the flag is ignored and the IPv6 entry is still used.
  • The IPv6 entry constantly increments its loss counter and causes web filter rating errors.

webfilter_rating_errors.png


Further debugging of the web filter category rating requests:


fg_edge # diag debug application urlfilter -1
Debug messages will be on for 30 minutes.

fg_edge # diag debug enable


0(6695) action=12(ftgd-monitor) wf-act=0(MONITOR) user="N/A" src=172.16.45.51 sport=46348 dst=17.253.144.10 dport=80 service="http" cat=52 url_cat=52 ip_cat=52 hostname="apple.com" url="/"
0(6695) (warning) connect to 2620:101:9000:140:173:243:140:16 failed 101:Network is unreachable


The above is expected behavior associated with how the load-balance-servers option works: it may ignore the other flags in the list.

One possible workaround, if there are 4 servers in the list, is to set load-balance-servers to 3 so that the last entry is not used.

Another possible workaround is to disable fortiguard-anycast so that the system populates only IPv4 and valid entries.


config system fortiguard
    set fortiguard-anycast disable
end
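To illustrate the behavior seen in Example 2 and the two workarounds above, here is an added Python model (not FortiOS code and not part of the original article) of how load-balance-servers picks the first N entries and cycles through them while ignoring Weight and Flags. The server addresses, weights and the 4-entry list are constructed sample values.

```python
from dataclasses import dataclass
from collections import Counter
from itertools import cycle, islice


# Constructed model of one row of the 'diag debug rating' server list.
# Only what the article discusses is modelled: address, weight, flags and
# whether this unit can actually reach the address (False for the IPv6
# entry on a FortiGate without IPv6 enabled).
@dataclass(frozen=True)
class RatingServer:
    address: str
    weight: int
    flags: str          # 'F' = failed, as shown in the debug output
    reachable: bool


def candidate_servers(server_list, load_balance_servers):
    """Entries that load-balance-servers=N actually uses: the first N,
    or the whole list when fewer than N exist. Weight and flags are ignored."""
    return server_list[:load_balance_servers]


def distribute_queries(server_list, load_balance_servers, query_count):
    """Even (round-robin) distribution of rating queries over the candidates."""
    targets = candidate_servers(server_list, load_balance_servers)
    return Counter(islice(cycle(targets), query_count))


def rating_error_rate(server_list, load_balance_servers, query_count):
    """Share of queries sent to an unreachable entry (web filter rating errors)."""
    if query_count <= 0:
        return 0.0
    counts = distribute_queries(server_list, load_balance_servers, query_count)
    failed = sum(n for srv, n in counts.items() if not srv.reachable)
    return failed / query_count


def ipv4_only(server_list):
    """Workaround 2: the list as populated with fortiguard-anycast disabled."""
    return [s for s in server_list if ":" not in s.address]


# Constructed list in the shape of Example 2: anycast returned one IPv6 entry
# flagged 'F' that this unit cannot reach. Weights differ but are never used.
ANYCAST_LIST = [
    RatingServer("192.0.2.10", weight=10, flags="", reachable=True),
    RatingServer("192.0.2.11", weight=20, flags="", reachable=True),
    RatingServer("192.0.2.12", weight=30, flags="", reachable=True),
    RatingServer("2001:db8::10", weight=40, flags="F", reachable=False),
]

if __name__ == "__main__":
    print(rating_error_rate(ANYCAST_LIST, 10, 1000))             # all 4 used: 0.25
    print(rating_error_rate(ANYCAST_LIST, 3, 999))               # workaround 1: 0.0
    print(rating_error_rate(ipv4_only(ANYCAST_LIST), 10, 999))   # workaround 2: 0.0
```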


The known Bug #931299, fixed in FOS 7.4.2, 7.2.8, and 7.0.13, addresses the behavior where only one IPv6 entry may be added to the list, thus causing a general failure. The fix only prevents a single IPv6 entry from being added to the list; IPv6 entries followed by IPv4 ones may still be added.
