Help
FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
gmanea
Staff
Staff

Created on ‎03-08-2021 10:43 PM Edited on ‎07-15-2025 02:59 AM By Community Manager

Article Id 198274

Technical Tip: Setting up a VIP load-balance with HTTP-host check in HTTP header

Description


This article describes a basic scenario for configuring a VIP load-balance with an HTTP-header check, also known as a reverse proxy.
This helps set up a scenario where the Public IP is mapped to different real servers based on the request in the HTTP header (URL accessed by the customer).

 

Scope


FortiGate.

 

Solution

Note the following prerequisites for a VIP load-balance:
  • FortiGate must be operating in Profile-based mode.
  • The firewall policy for the specific traffic must be in proxy inspection mode.
  • If the intended mode is HTTPS, then the hardware must support SSL offloading.

Focus on the following specific scenario:


 
Firewall VIP configuration to achieve this:
 
config firewall vip
    edit " Vserver-HTTPS-LB"
        set type server-load-balance
        set extip 123.45.67.89
        set extintf "wan1"
        set server-type https
        set ldb-method http-host
        set extport 45678
            config realservers
                edit 1
                    set ip 192.168.1.1
                    set port 443
                    set http-host "test1.clientdomain.com"
                next
                edit 2
                    set ip 192.168.1.2
                    set port 443
                    set http-host "test2.clientdomain.com"
                next
                edit 3
                    set ip 192.168.1.3
                    set port 443
                    set http-host "test3.clientdomain.com"
                next
            end
            set ssl-mode full
            set ssl-certificate "clientdomain_certificate"
        next
end
 
Sample firewall policy to allow traffic:
 
config firewall policy
    edit 0
        set name "VIP-LB-policy"
        set inspection-mode proxy
        set srcintf "wan1"
        set dstintf "internal"
        set srcaddr "all"
        set dstaddr "Vserver-HTTPS-LB"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end
 
NoteThe 3 servers in this setup are all connected to the 'internal' switch of the FortiGate (and all the server ports are part of this switch), or can be connected to a single port to a local switch.
 
Therefore, one condition must be observed:
  • Before v6.2: all the real servers must be on the same subnet.
    v6.2 and newer: The real servers may be on different subnets, as long as (s)NAT is disabled on the firewall policy (set nat disable).
  • It is important to note that there is a limitation on the number of real servers that can be configured under every VIP check for the platform and FortiOS version used, by using the command 'print tablesize'  or check the Maximum Values Table portal. Look for the parameter 'firewall.vip:realservers' which will show how many real servers can be configured for every VIP object. For example, for 100E and FortiOS 7.2.4, the value for 'firewall.vip:realservers' is 16 which means 16 real servers for every VIP can be configured.

This scenario is not possible before v6.2:
 
 
This is possible to configure from the web interface; however, it is required to enable the option at 'Feature Visibility':
 
  1. In the left panel option, go to System -> Feature Visibility.

Screenshot 2024-11-28 183848.jpg
 
  1. In the column 'Additional Feature', search for 'Load Balance'.
                                                      
    Screenshot 2024-11-28 183909.jpg
     
  2. Once enabled, under the section 'Policy and Objects', the new feature is seen as 'Virtual Servers'.
                                                                                   
    Screenshot 2024-11-28 184147.jpg
     
  3. Select to create a new Virtual Server to see the previously mentioned options.
                                                                                                 
Screenshot 2024-11-28 204613.jpg
 
Note: Starting FortiOS 7.4.4, this feature is not supported anymore on FortiGate models with 2GB RAM or less, since Proxy-related features are not supported on FortiGate 2GB RAM models to enhance performance and optimize memory usage. See: Proxy-related features not supported on FortiGate 2 GB RAM models NEW for more info.
 
Related documents:

Virtual server - FortiGate 6.2.3 cookbook

Virtual server - FortiGate 7.4.4

 

Related articles:

Technical Tip: Active-Standby Virtual Servers (Server Load balancing)

Technical Note: How to configure Load Balance VIP using health monitor in SLBC environment

Technical Tip: Changing the inspection mode of the firewall

Maximum Values Table

Proxy-related features not supported on FortiGate 2 GB RAM models

Labels:
34320
Suggest New Article
Article Feedback
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2025 Fortinet, Inc. All Rights Reserved.