Hi.
I was wondering how to solve the following issue:
Right now, I have several customers connected via ipsec individually, each one with a different virtual IP to several servers inside my network.
What I want is to transform that into a single load balancer for all of them, BUT, without changing the IP on the client side. In that why I do not have to modify any phase02 on the tunnels, I want it to be as transparent as possible for the clients with a somewhat minimal disruption.
I was wondering if that is possible with a single FW?, and if (please) anyone could give me a pointer for that.
So far, what I was thinking was to create a LB for each client, but, I mean, it doesn´t feel optimal.
Instead, a single LB for all the customers would be more effective.
My issue is that I do not see a way to do it, like, pointing all current VIP to a single LB IP, but all inside the FW.
So far, I do not see it without the need of another FW, and without messing up the client side of things.
Any ideas?
You're correct. As long as all those tunnels point to individual VIPs, then you will need all of the VIPs.
And to use a single VIP will require the clients to point to that one single IP.
Created on 02-14-2024 01:26 AM Edited on 02-14-2024 04:45 AM
Good day all.
I know, it´s been a while. But something came up to my mind.
EDIT:
Can the FW do the following while having multiple vdoms?
In vdom mode; "technically"; I could point all the VIPs to a LB in another vdom; right?; and I could do this without service interruption (the firewall already has 2 vdoms).
But the thing is, can the FW software understand all of this correctly? Is not a fancy solution BUT, if it works...
Does the FortiGate handle the IPsec?
If so, it should be easy to setup a loadbalancer behind the FG, make a cluster that points to the server(s) that can handle the customer and then flip the VIP's internal IP to the loadbalancer IP.
We have an internal LB from loadbalancer.org that handle both layer4 & layer 7 services, but we don't have IPsec tunnels in front of it (yet).
We have the LB in a DMZ range, balancing trafic in to webservers and internally to other systems.
Let´s use graphs again,
The problem:
And what I think could be the solution, using a second vdom:
Is this a valid solution? poiting all the VIP to a virtual server in another vdom in the same firewall?
Hmm, no, in my mind, the solution would be to:
There should, in my knowledge, be no reason to implement another VDOM for this, unless you have other reasons.
We only have 2 VDOM's (+Global) at our main site, because the inbound SDWAN/ISP connections is moved there.
All VIP's and other rules, are ate the root VDOM.
Hope it makes sense.
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1740 | |
1108 | |
752 | |
447 | |
240 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.