FortiGate
gmanea (Staff)

Description


This article explains a basic scenario for configuring a VIP load-balance with an HTTP-header check, also known as a reverse proxy.
In this scenario a single public IP is mapped to different real servers depending on the HTTP Host header of the request (the URL the client accessed).

 

Scope


FortiGate

 

Solution

Note the following prerequisites for a VIP load-balance:
- The firewall policy must be running in proxy-based inspection mode.
- If the intended server type is HTTPS, the hardware must support SSL offloading.

Focus on the following specific scenario: one public IP and port (123.45.67.89:45678) in front of three HTTPS real servers, each selected by the Host name the client requests.


 
Firewall VIP configuration to achieve this:
 
# config firewall vip
    edit "Vserver-HTTPS-LB"
        set type server-load-balance
        set extip 123.45.67.89
        set extintf "wan1"
        set server-type https
        set ldb-method http-host
        set extport 45678
        config realservers
            edit 1
                set ip 192.168.1.1
                set port 443
                set http-host "test1.clientdomain.com"
            next
            edit 2
                set ip 192.168.1.2
                set port 443
                set http-host "test2.clientdomain.com"
            next
            edit 3
                set ip 192.168.1.3
                set port 443
                set http-host "test3.clientdomain.com"
            next
        end
        set ssl-mode full
        set ssl-certificate "clientdomain_certificate"
    next
end
 
Sample firewall policy to allow traffic:
 
# config firewall policy
    edit 0
        set name "VIP-LB-policy"
        set inspection-mode proxy
        set srcintf "wan1"
        set dstintf "internal"
        set srcaddr "all"
        set dstaddr "Vserver-HTTPS-LB"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end
 
Note: The 3 servers in this setup are all connected to the 'internal' switch of the FortiGate (and all the server ports are members of this switch), or they can be reached through a single FortiGate port connected to a local switch.
 
Therefore, one condition must be observed:
- Prior to FortiOS 6.2: all the real servers must be on the same subnet.
- FortiOS 6.2 and newer: the real servers may be on different subnets, as long as source NAT is disabled on the firewall policy (set nat disable).
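As an added illustration (not Fortinet's code and not part of the original article), the following Python script models what the configuration above does: it parses the article's VIP block into a table of real servers, selects a real server by the HTTP Host header the way ldb-method http-host does (including the failure case of an unknown or missing Host), and checks the "all real servers on the same subnet" rule that applies before FortiOS 6.2. The /24 prefix length used for the subnet check is an assumption, since the article does not state the server netmask.

```python
"""Model of a Host-header based VIP load-balance and its pre-6.2 subnet rule.
Added example; the VIP text below is a constructed copy of the article's config."""
import ipaddress
from typing import Dict, List, Optional, Tuple

VIP_CONFIG = """
config firewall vip
    edit "Vserver-HTTPS-LB"
        set type server-load-balance
        set extip 123.45.67.89
        set extintf "wan1"
        set server-type https
        set ldb-method http-host
        set extport 45678
        config realservers
            edit 1
                set ip 192.168.1.1
                set port 443
                set http-host "test1.clientdomain.com"
            next
            edit 2
                set ip 192.168.1.2
                set port 443
                set http-host "test2.clientdomain.com"
            next
            edit 3
                set ip 192.168.1.3
                set port 443
                set http-host "test3.clientdomain.com"
            next
        end
        set ssl-mode full
        set ssl-certificate "clientdomain_certificate"
    next
end
"""


def parse_realservers(config: str) -> List[Dict[str, str]]:
    """Return one dict per 'edit N' entry inside the 'config realservers' block."""
    servers: List[Dict[str, str]] = []
    current: Optional[Dict[str, str]] = None
    in_realservers = False
    for raw in config.splitlines():
        line = raw.strip()
        if line == "config realservers":
            in_realservers = True
        elif in_realservers and line == "end":
            break                       # end of the realservers block
        elif in_realservers and line.startswith("edit "):
            current = {"id": line.split()[1]}
        elif in_realservers and line == "next" and current is not None:
            servers.append(current)
            current = None
        elif current is not None and line.startswith("set "):
            _, key, value = line.split(None, 2)
            current[key] = value.strip('"')
    return servers


def build_host_table(servers: List[Dict[str, str]]) -> Dict[str, Tuple[str, int]]:
    """Map each configured http-host (lower-cased) to the real server (ip, port)."""
    return {s["http-host"].lower(): (s["ip"], int(s["port"])) for s in servers}


def host_from_request(request: bytes) -> Optional[str]:
    """Extract the Host header from a raw HTTP/1.1 request head.
    Header names are case-insensitive and the value may carry an explicit ':port'."""
    head = request.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    for line in head.split("\r\n")[1:]:  # skip the request line
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "host":
            host = value.strip().lower().split(":", 1)[0]
            return host or None
    return None  # no Host header: nothing to match on


def select_realserver(request: bytes, table: Dict[str, Tuple[str, int]]) -> Optional[Tuple[str, int]]:
    """Pick the real server whose http-host matches the request, or None if none does."""
    host = host_from_request(request)
    return table.get(host) if host else None


def same_subnet(servers: List[Dict[str, str]], prefix_len: int = 24) -> bool:
    """Pre-FortiOS 6.2 rule: every real server must share one subnet (assumed /24)."""
    nets = {ipaddress.ip_network(f"{s['ip']}/{prefix_len}", strict=False) for s in servers}
    return len(nets) == 1


if __name__ == "__main__":
    servers = parse_realservers(VIP_CONFIG)
    table = build_host_table(servers)
    req = b"GET /login HTTP/1.1\r\nHost: Test2.ClientDomain.com:45678\r\n\r\n"
    print("selected:", select_realserver(req, table))
    print("same subnet (pre-6.2 OK):", same_subnet(servers))
```

Running the script selects 192.168.1.2:443 for a request whose Host is test2.clientdomain.com (matched case-insensitively and with the client-side port stripped), and reports that the three article servers satisfy the single-subnet rule; a fourth server on another subnet makes that check fail, which is the case the article says requires FortiOS 6.2 or newer with NAT disabled.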

This scenario is not possible prior to FortiOS 6.2:
 
 

 

 
Related document:

https://docs.fortinet.com/document/fortigate/6.2.3/cookbook/713497/virtual-server

 

Related Articles

Technical Tip: Active-Standby Virtual Servers (Server Load balancing)

Technical Note: How to configure Load Balance VIP using health monitor in SLBC environment
