ZAHIDHASEEB
New Contributor III

Fortinet Firewall Support for Postgres Cluster

Environment

PostgreSQL = 15

Patroni = patroni-2.1.4-1.rhel8.x86_64 & patroni-etcd-2.1.4-1.rhel8.x86_64
OS = RHEL = 8.x

Detail

We have a Postgres cluster with 2 nodes. On top of the Postgres cluster a load balancer (HAProxy) is also installed. Additionally, the Postgres cluster uses Patroni software for HA-related activities against the Postgres cluster. Patroni updates HAProxy through an API to let it know which node is the Active / Leader node of the Postgres cluster. So HAProxy knows which node is the Active node of the Postgres cluster and sends traffic only to the Active node of Postgres.

 

My Query: Does the Fortinet Firewall have support for a Postgres cluster, and can we use the Fortinet Firewall in place of HAProxy in the above-mentioned environment?

1 Solution
gfleming

As mentioned in a previous response, to make it work for the intra-interface case (i.e. Trust to Trust) you must disable "Preserve Client IP" in the Server Load Balance config and you must enable NAT on the FW Policy.

Cheers,
Graham


gfleming
Staff

FortiGate supports some basic load balancing/proxying. Review the docs for more details: https://docs.fortinet.com/document/fortigate/7.2.3/administration-guide/713497/virtual-server-load-b...

 

Not sure how Patroni works but it's possible you can use the FortiGate to determine this without using Patroni.

 

Fortinet also makes FortiADC, a far more advanced application delivery controller: https://www.fortinet.com/content/dam/fortinet/assets/data-sheets/FortiADC.pdf

Cheers,
Graham
ZAHIDHASEEB
New Contributor III

Do you have any PostgreSQL-related FortiGate article? Usually a load balancer does a round-robin distribution of traffic towards the nodes, which is not the case for Postgres HA. Actually, HAProxy connects with Patroni through an API on port 8008 to validate the health of the node. Is it possible that you may share something specific to Postgres?

gfleming

The capabilities of the FortiGate load balancer are outlined in the link I provided. If they aren't sufficient, as I mentioned there is also FortiADC, which is more advanced.

Cheers,
Graham
ZAHIDHASEEB
New Contributor III

I am still waiting for Fortinet to respond to my query. Below are my environment details for reference again, in pictorial view.

 

1- HAPROXY Load Balancer status code 200 - 503.jpg

 

2- HAPROXY Load Balancer status code 200 - 503.jpg

 

"ENVIRONMENT DETAIL"

"KONG API Gateway" is a two-tier product: the KONG application and the KONG database. The KONG application connects with the KONG database through a load balancer (HAProxy) in case there is a need to make the "KONG API Gateway" product HA. In our environment we have two KONG applications and two database machines. The database is PostgreSQL and is configured as Active/Passive.

Both KONG applications send requests to the load balancer on port 5000 (as an example port), and then the load balancer forwards that request to the KONG database (Active node) on port 5432.

Now you may ask how the load balancer recognizes the Active database node so that it forwards the request to port 5432 on only the Active database node. Below is the way to understand it.

8121 is a REST API port listening on both database machines. In our case, please consider 10.10.64.11 and 10.10.64.12 to be the database machines.
- If either node, 10.10.64.11 or 10.10.64.12, is running as the Active database, the machine will respond to the load balancer's 'GET /' request with HTTP status code 200.
- If either node, 10.10.64.11 or 10.10.64.12, is running as a Replica/Slave database, the machine will respond to the load balancer's 'GET /' request with HTTP status code 503.

So when the load balancer receives status code 200 from either the 10.10.64.11 or the 10.10.64.12 machine on port 8121, the load balancer will recognize it as the Active node and forward all inbound requests (received on load balancer port 5000) to port 5432 on the machine that returned status code 200.

"AGENDA"
We need to replace HAProxy as the load balancer with a FortiGate. We have a FortiGate 200F. We are unable to find a way in the FortiGate load balancer tool to replace HAProxy. Following are detailed links to the configuration for your reference:

https://digitalis.io/blog/postgresql/part1-postgresql-ha-patroni-etcd-haproxy/
https://digitalis.io/blog/postgresql/deploying-postgresql-for-high-availability-with-patroni-etcd-an...

 

gfleming

You have indeed received responses to your queries. Have you read the documentation for Virtual Server Load Balancing that was provided before?

 

Everything you have outlined should be possible using Virtual Server Load Balancing on the FortiGate.

 

Please let us know if you have any specific questions regarding configuration.

Cheers,
Graham
ZAHIDHASEEB
New Contributor III


Please let us know if you have any specific questions regarding configuration.


Kindly share a Fortinet document which helps me specifically in configuring the load balancer decision against status codes 200 & 503, which I mentioned above.

gfleming

Per the admin guide linked previously, please review the "Health Check Monitoring" section.

 

Since you are determining the active PostgreSQL database server by using HTTP GET requests, you will use an HTTP Health Check and put in the appropriate response you want to see (in this case status code 200).

Cheers,
Graham
ZAHIDHASEEB
New Contributor III

Please find my configuration as per the admin guide instructions.

Virtual Server = 192.168.3.254

Virtual port = 5000

Backend Servers = 192.168.3.78 and 192.168.3.79

Backend Servers = Active - Passive 

Backend Servers Port = 5432

Backend Servers API port which updates the load balancer with the HTTP status code = 8121

Backend Server / PostgreSQL port = 5432

 

ZAHIDHASEEB_0-1674638352837.png

 

ZAHIDHASEEB_1-1674638415403.png

 

ZAHIDHASEEB_2-1674638494721.png

 

Unable to get the session established:

ZAHIDHASEEB_3-1674638563764.png

 

If we use the Backend Server PostgreSQL port 5432 instead of the Backend Server API port 8121 at the FortiGate, both Backend Servers receive the request (which should not happen). However, the connection gets TIME_WAIT instead of ESTABLISHED. Below is the result:

ZAHIDHASEEB_0-1674641154360.png

 

ZAHIDHASEEB_1-1674641383480.png

 

 

 

 

gfleming

You need to define matched content in the HTTP health check. At this point it's going to think both of your servers are reachable and able to take connections, because they both respond on port 8121. Just like HAProxy, you need to tell the FortiGate what content you are looking for in the GET response to determine server usability.

 

And since this is coming from the same subnet, you'll need to enable NAT on the policy and disable 'Preserve Client IP' on the Server Load Balance VIP.

 

Cheers,
Graham
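As an added illustration (not part of this thread and not FortiGate or Patroni code), the following Python script implements the leader-selection rule described earlier in the thread and shows why the matched-content point above matters: each node's Patroni REST API port (8121) is polled with 'GET /', a 200 marks the leader and a 503 a replica, only the single 200 node receives traffic on 5432, while a reachability-only check passes both nodes. The addresses are the constructed sample values from the thread; the function names are chosen here.

```python
"""Leader selection for a Patroni-managed PostgreSQL pair, the way a
load balancer health check must do it (constructed example)."""
import http.client

API_PORT = 8121   # Patroni REST API port used in the thread
PG_PORT = 5432    # PostgreSQL port the load balancer forwards to


def probe(host, port=API_PORT, timeout=2.0):
    """Issue 'GET /' to the node's REST API and return the HTTP status,
    or None when the node is unreachable or times out."""
    try:
        conn = http.client.HTTPConnection(host, port, timeout=timeout)
        conn.request("GET", "/")
        status = conn.getresponse().status
        conn.close()
        return status
    except (OSError, http.client.HTTPException):
        return None


def classify(status):
    """Map the Patroni status code to a role: 200 leader, 503 replica."""
    if status == 200:
        return "leader"
    if status == 503:
        return "replica"
    return "down" if status is None else "unknown"


def reachable_only(statuses):
    """What a port-only check concludes: every node that answered at all.
    With two live Patroni nodes this passes both, so writes could reach
    the replica."""
    return sorted(h for h, s in statuses.items() if s is not None)


def select_backend(statuses):
    """statuses: {host: http_status_or_None}. Return (host, PG_PORT) for the
    single leader, or None when there is no unambiguous leader (no node or
    more than one node answering 200), so nothing is forwarded blindly."""
    leaders = [h for h, s in statuses.items() if classify(s) == "leader"]
    return (leaders[0], PG_PORT) if len(leaders) == 1 else None


def poll(hosts):
    """Probe every node and return {host: status}."""
    return {h: probe(h) for h in hosts}


if __name__ == "__main__":
    # Constructed sample matching the thread: .11 is leader, .12 is replica
    sample = {"10.10.64.11": 200, "10.10.64.12": 503}
    print("port-only check passes:", reachable_only(sample))
    print("status-aware target:", select_backend(sample))
```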