Hi.
I was wondering how to solve the following issue:
Right now, I have several customers connected via ipsec individually, each one with a different virtual IP to several servers inside my network.
What I want is to transform that into a single load balancer for all of them, BUT without changing the IP on the client side. That way I do not have to modify any phase 2 on the tunnels; I want it to be as transparent as possible for the clients, with a somewhat minimal disruption.
I was wondering if that is possible with a single FW, and if anyone could (please) give me a pointer for that.
So far, what I was thinking was to create a LB for each client, but, I mean, it doesn't feel optimal.
Instead, a single LB for all the customers would be more effective.
My issue is that I do not see a way to do it, like pointing all the current VIPs to a single LB IP, but all inside the FW.
So far, I do not see it without the need of another FW, and without messing up the client side of things.
Any ideas?
You're correct. As long as all those tunnels point to individual VIPs, then you will need all of the VIPs.
And to use a single VIP will require the clients to point to that one single IP.
Created on 02-14-2024 01:26 AM Edited on 02-14-2024 04:45 AM
Good day all.
I know, it's been a while. But something came to my mind.
EDIT:
Can the FW do the following while having multiple vdoms?
In vdom mode, "technically", I could point all the VIPs to a LB in another vdom, right? And I could do this without service interruption (the firewall already has 2 vdoms).
But the thing is, can the FW software understand all of this correctly? It's not a fancy solution BUT, if it works...
Does the FortiGate handle the IPsec?
If so, it should be easy to set up a load balancer behind the FG, make a cluster that points to the server(s) that can handle the customer, and then flip the VIP's internal IP to the load balancer IP.
We have an internal LB from loadbalancer.org that handles both layer 4 & layer 7 services, but we don't have IPsec tunnels in front of it (yet).
We have the LB in a DMZ range, balancing traffic into web servers and internally to other systems.
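As an added illustration of the "flip the VIP's internal IP" step described in the reply above (example configuration written for this page, not posted by any participant in the thread), this is what one customer's FortiGate VIP looks like in FortiOS CLI before and after the change. Every name and address is an assumption: 203.0.113.10 is the customer-facing VIP address that the tunnel's phase 2 selectors already reference, 10.0.0.50 is the server the VIP maps to today, 10.0.0.100 is the new load balancer, "cust-a-tunnel" is the customer's IPsec interface and "cust-a-remote-net" the address object for their remote subnet.

```fortios
# Before (assumed starting point): customer A's traffic arrives over the
# tunnel and 203.0.113.10 is statically NATed to a single server.
config firewall vip
    edit "cust-a-vip"
        set extip 203.0.113.10
        set extintf "any"
        set mappedip "10.0.0.50"
    next
end

# After: only mappedip changes. extip stays 203.0.113.10, so the customer's
# phase 2 selectors are untouched and nothing has to change on their side.
# The load balancer (10.0.0.100, assumed) now receives the traffic and
# distributes it across the customer's servers.
config firewall vip
    edit "cust-a-vip"
        set extip 203.0.113.10
        set extintf "any"
        set mappedip "10.0.0.100"
    next
end

# Unchanged: the policy from the customer's tunnel interface to the server
# side keeps referencing the VIP object, so it needs no edit at all.
config firewall policy
    edit 10
        set name "cust-a-to-servers"
        set srcintf "cust-a-tunnel"
        set dstintf "port2"
        set srcaddr "cust-a-remote-net"
        set dstaddr "cust-a-vip"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end
```

The same edit is repeated once per customer VIP, all of them ending up with mappedip set to the load balancer, which is what makes a single LB serve every tunnel while the tunnels themselves stay up. One thing to check before flipping: the customer's original source address is now presented to the load balancer, so either the LB translates the source to its own address, or the servers need a return route back through the LB; otherwise replies bypass it and the sessions break.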
Let's use graphs again,
The problem:
And what I think could be the solution, using a second vdom:
Is this a valid solution? Pointing all the VIPs to a virtual server in another vdom in the same firewall?
Hmm, no, in my mind, the solution would be to:
There should, to my knowledge, be no reason to implement another VDOM for this, unless you have other reasons.
We only have 2 VDOMs (+Global) at our main site, because the inbound SDWAN/ISP connections are moved there.
All VIPs and other rules are at the root VDOM.
Hope it makes sense.