Patroni = patroni-2.1.4-1.rhel8.x86_64 & patroni-etcd-2.1.4-1.rhel8.x86_64
OS = RHEL 8.x
We have a Postgres Cluster setup with 2 nodes. On top of the Postgres Cluster a load balancer (HAproxy) is also installed. Additionally, the Postgres Cluster uses the Patroni software for HA-related activities on the Postgres Cluster. Patroni updates HAproxy through its API to let it know which node is the Active / Leader node of the Postgres Cluster. So HAproxy knows which node is the Active node of the Postgres Cluster and sends traffic only to the Active Postgres node.
My Query: Does the Fortinet Firewall have support for a Postgres Cluster, and can we use the Fortinet Firewall in place of HAproxy in the above-mentioned environment?
As mentioned in a previous response to make it work for the intra-interface (i.e. Trust to Trust) you must disable "Preserve Client IP" in the Server Load Balance config and you must enable NAT on the FW Policy.
Do you have any PostgreSQL-related FortiGate article? Usually a load balancer also does round-robin distribution of traffic towards the nodes, which is not the case for Postgres HA. Actually, HAproxy connects to Patroni through its API on port 8008 to validate the health of a node. Is it possible that you could share something specific to Postgres?
I am still waiting to see if Fortinet may respond to my query. Below are my environment details for reference again, in pictorial view.
"KONG API Gateway" is a two-tier product: the KONG Application and the KONG database. The KONG application connects to the KONG database through a load balancer (HAPROXY) when there is a need to make the "KONG API Gateway" product highly available. In our environment we have two KONG applications and two database machines. The database is PostgreSQL and is configured as Active/Passive.
Both KONG Applications send requests to the load balancer on port 5000 (as an example port), and the load balancer then forwards that request to the KONG database (Active node) on port 5432.
Now you may ask how the load balancer recognizes the Active database node so that it forwards the request to port 5432 only on the Active database node. Below is the way to understand it:
8121 is a REST API port listening on both database machines. In our case, please consider 10.10.64.11 and 10.10.64.12 to be the database machines.
- If either node (10.10.64.11 or 10.10.64.12) is running as the Active database, the machine will respond to the Load Balancer's 'GET /' request with HTTP status code 200.
- If either node (10.10.64.11 or 10.10.64.12) is running as a Replica/Slave database, the machine will respond to the Load Balancer's 'GET /' request with HTTP status code 503.
So when the Load Balancer receives status code 200 from either the 10.10.64.11 or the 10.10.64.12 machine on port 8121, the Load Balancer will recognize it as the Active node and forward all inbound requests (received on Load Balancer port 5000) to port 5432 on the machine that returned status code 200.
"AGENDA": We need to replace HAPROXY as the load balancer with FORTIGATE. We have a FORTIGATE 200F. We are unable to find a way in the FORTIGATE load balancer tool to replace HAPROXY. Following is a detailed link to the configuration for your reference
Per the admin guide linked previously, please review the "Health Check Monitoring" section.
Since you are determining active PostgreSQL database server by using HTTP GET requests you will use an HTTP Health Check and put the appropriate response you want to see (in this case status code 200).
Please find my configuration as per the admin guide instructions.
Virtual Server = 192.168.3.254
Virtual port = 5000
Backend Servers = 192.168.3.78 and 192.168.3.79
Backend Servers = Active - Passive
Backend Servers Port = 5432
Backend Servers API Port which update the http status code to load balancer = 8121
Backend Server / PostgreSQL port = 5432
Unable to get the session established.
If we use the Backend Server PostgreSQL port 5432 instead of the Backend Server API port 8121 at Fortinet, both Backend Servers receive the request (which should not happen). However, the connection gets TIME_WAIT instead of ESTABLISHED. Below is the result
You need to define matched content in the HTTP health check. At this point it's going to think both of your servers are reachable and able to take connections because they both respond on port 8121. Just like HAProxy you need to tell FortiGate what content you are looking for on the GET request to determine server usability.
And since this is coming from same subnet you'll need to enable NAT on the policy and disable 'preserve client IP' on the Server Load balance VIP.
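To make the two points in this thread concrete (the leader/replica selection described for port 8121, and the reply above that a reachability-only check marks both servers usable until matched content is defined), here is an added Python example written for this page; it is not code from the thread, from Fortinet or from the Patroni project. It assumes the thread's node addresses and API port 8121, and the JSON fragment `"role": "master"` used as matched content is a constructed assumption: the exact field and value Patroni returns for `GET /` should be taken from a real response on your version before being configured as the health-check match string. `http_probe` performs the live check against a node; the rest of the block runs offline on constructed responses.

```python
import json
import urllib.error
import urllib.request

# Node addresses and API port as given in the thread.
API_PORT = 8121
BACKENDS = ["10.10.64.11", "10.10.64.12"]
EXPECTED_STATUS = 200                   # leader answers GET / with 200, replica with 503
EXPECTED_CONTENT = b'"role": "master"'  # constructed: fragment only the leader's body contains


def http_probe(ip, port=API_PORT, timeout=2.0):
    """Live probe: GET / on the Patroni REST API, returning (status, body).
    urllib raises HTTPError for a 503, so it is caught and returned as a
    normal result instead of being mistaken for an unreachable node."""
    url = f"http://{ip}:{port}/"
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as e:
        return e.code, e.read()
    except OSError:
        return None, b""  # TCP-level failure: host down or port closed


def reachable_only(backends, probe):
    """What a bare port/reachability check sees: every node that answers at all.
    Mirrors the failure mode in the thread, where both servers look usable."""
    return [ip for ip in backends if probe(ip)[0] is not None]


def active_nodes(backends, probe, status=EXPECTED_STATUS, content=EXPECTED_CONTENT):
    """Health check with matched content: a node is active only if it returns the
    expected status code AND its body contains the expected fragment."""
    chosen = []
    for ip in backends:
        code, body = probe(ip)
        if code == status and content in body:
            chosen.append(ip)
    return chosen


def route(backends, probe, backend_port=5432):
    """Pick the single (ip, port) that client traffic arriving on the VIP should reach."""
    active = active_nodes(backends, probe)
    if len(active) != 1:
        raise RuntimeError(f"expected exactly one leader, got {active}")
    return active[0], backend_port


def make_probe(responses):
    """Build an offline probe from a dict of ip -> (status, body)."""
    return lambda ip, port=API_PORT, timeout=2.0: responses[ip]


# Constructed sample replies standing in for the two Patroni API responses.
SAMPLE = {
    "10.10.64.11": (200, json.dumps({"state": "running", "role": "master"}).encode()),
    "10.10.64.12": (503, json.dumps({"state": "running", "role": "replica"}).encode()),
}
sample_probe = make_probe(SAMPLE)

if __name__ == "__main__":
    print("reachable:", reachable_only(BACKENDS, sample_probe))
    print("active:   ", active_nodes(BACKENDS, sample_probe))
    print("route to: ", route(BACKENDS, sample_probe))
```

The difference between `reachable_only` and `active_nodes` is exactly the gap the reply above points at: both nodes answer on 8121, so only the status code plus a body fragment that a replica never returns distinguishes the leader, and after a Patroni failover the same check moves traffic to the new leader without any change on the load balancer.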