Unlock Exclusive Benefits
Join Our Community Today!
Join our community and post in the forum to earn your exclusive Summer Badge! Become a member today!
LOGIN/REGISTER
CONTINUE AS A GUEST
- Support Forum
- Knowledge Base
- Customer Service
- Internal Article Nominations
- FortiGate
- FortiClient
- FortiADC
- FortiAIOps
- FortiAnalyzer
- FortiAP
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCare Services
- FortiCarrier
- FortiCASB
- FortiConverter
- FortiCNP
- FortiDAST
- FortiData
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDLP
- FortiDeceptor
- FortiDevice
- FortiDevSec
- FortiDirector
- FortiEdgeCloud
- FortiEDR
- FortiEndpoint
- FortiExtender
- FortiGate Cloud
- FortiGuard
- FortiGuest
- FortiHypervisor
- FortiInsight
- FortiIsolator
- FortiMail
- FortiManager
- FortiMonitor
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPhish
- FortiPortal
- FortiPresence
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSRA
- FortiSandbox
- FortiSASE
- FortiSASE Sovereign
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- FortiAppSec Cloud
- Lacework
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Support Forum
- maximal amount of Load Balance rules
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Not applicable
Created on 10-27-2010 01:37 AM
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
maximal amount of Load Balance rules
Hi to Fortinet community,
I' m pretty new to FortiOS and a few last days I' ve been struggling with setting of Load Balancing over Virtual/Real servers.
Scenario is classic, two (or more) webservers in DMZ behind FortiGate 60C in HA (Active-passive mode). Firmware used is v4.0,build5352,101007 (MR2).
Everything is OK, until I try to add more than one Virtual IP -> Real server(s) mapping.
When I try to add second (or another) rule, web GUI says " unknown error occured" . I was curious about this weird message so I tried to add rule in CLI..
And CLI says " Virtual server limit reached!"
This is getting me to thoughts like there was a maximal limit of one(?!) Virtual server rule.. I tried to find some info about this issue, but after a few hours..ended here :).
Could some of you guys explain to me, what I' m doing wrong?
Thank you!
Jiri
9 REPLIES 9
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
and welcome to the Forums!
According to the Maximum Values table for model 60C, there is a maximum of 1 (one) virtual server and 3 (three) real servers per virtual server.
Same for 50B, 80C. For 110C=3 virtuals, higher models = 500.
Seems that either load balancing is too CPU intensive or this (included for free) feature is saved for the higher models.
Ede Kernel panic: Aiee, killing interrupt handler!
Ede Kernel panic: Aiee, killing interrupt handler!
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I recently attempted to update my 60B from FortiOS 3, which doesn' t have this limitation, and ran into this problem. I' m kind of horrified that this was limit was added (and I' m really nonplussed that, as far as I can find, this change wasn' t indicated in the update notes anywhere, which led me to hours of frustration before I realized that the Fortigate had silently dropped that part of my configuration).
I don' t even actually *need* two virtual IPs—I just need to be able to virtualize two different *ports* on the same IP, which I can do under the older OS, but can' t figure out how to do on FortiOS 4 on the 60B.
Might there be any workarounds available to me?
Not applicable
Created on 10-27-2010 03:30 AM
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thank you for reply,
even thought I can' t cay you pleased me.
OK, I will have to live with this limitation. Err, customer will have to live with this limitation :).
Kind regards,
Jiri
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
At first I thought " though luck!" but then I spotted that there are 2 load-balancing types of VIP: load-balance and server-load-balance. So I did this in the CLI:
config firewall vip
edit " vserver"
set type load-balance
set extip 1.2.3.4
set extintf " wan1"
set portforward enable
set mappedip 192.168.234.50
set extport 8080
set mappedport 8080
next
edit " vserver2"
set type load-balance
set extip 1.2.3.4
set extintf " wan1"
set portforward enable
set mappedip 192.168.234.50
set extport 8081
set mappedport 8081
next
end
This is a valid configuration. I cannot test this here but maybe you can, and report back if that works for you.
Ede Kernel panic: Aiee, killing interrupt handler!
Ede Kernel panic: Aiee, killing interrupt handler!
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
That sounds promising! I' m not sure when I might be able to afford the downtime to test it just now, though. Might take me a week or more.
Do you have any idea what the functional difference (if any) might be between " load-balance" and " server-load-balance" ?
Also, going through the config files from my brief foray into 4, I noticed the following line under config system fortiguard:
set load-balance-servers 1
Is there any chance that just changing that to a 2 would do the trick?
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
lmao...seriously, do you think so?
no this relates to Fortiguard services only, apparently you can source more than one to improve response time e.g. for web filter rating.
Ede Kernel panic: Aiee, killing interrupt handler!
Ede Kernel panic: Aiee, killing interrupt handler!
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Makes sense....
(I realize I was being hopeful, but it is, after all, clearly an arbitrary limit, since the hardware is happy to do just want i want it to do under the older OS...)
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I don' t totally agree here...the load-balancing feature has been expanded substantially in FortiOS 4 with configurable, reuseable monitors, not only using ping but higher application level protocols like HTTP, and more granularity. This takes it to a different level. Now compare this kind of load balancer with standalone units built just for this purpose and you' ll see that their prices start where even powerful mid-range Fortigates stop. It wouldn' t be wise to make such a feature available unlimited even on the cheapest box of the range (read: $500), would it?
But -- Fortigate chose to enable it for 1 virtual server with up to 8 real servers on the entry line FGT' s and gradually expand that to 500 virtual servers on higher models. Compared to the choice of just dropping that feature alltogether on all Fortigates below a 200B (or such) it' s quite a deal.
That' s for that. In your case it looks like you could get away with the ' simple' l-b VIP I cited. So that would mean you wouldn' t have any drawbacks at all. Just give it a try, please.
Ede Kernel panic: Aiee, killing interrupt handler!
Ede Kernel panic: Aiee, killing interrupt handler!
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I totally agree with Ede, it' s a nice feature to have even on small boxes, the limitation are not quite arbitrary. There is a huge risk to overload a small box with this kind of features.
Furthermore you can configure 4 load-balancers on a FG80C although the max value matrix says 1. (4.0 MR2)
So bonus for free.
Cheers, Eric
Rackmount your Fortinet --> http://www.rackmount.it/fortirack
Rackmount your Fortinet --> http://www.rackmount.it/fortirack
Labels
-
FortiGate
10,784 -
FortiClient
2,204 -
FortiManager
902 -
FortiAnalyzer
689 -
5.2
687 -
5.4
638 -
FortiSwitch
595 -
FortiClient EMS
579 -
FortiAP
568 -
IPsec
443 -
6.0
416 -
SSL-VPN
391 -
FortiMail
380 -
5.6
362 -
FortiNAC
297 -
Fortiweb
257 -
6.2
251 -
FortiAuthenticator v5.5
234 -
SD-WAN
205 -
FortiAuthenticator
185 -
FortiGuard
161 -
5.0
152 -
Firewall policy
148 -
FortiGate-VM
141 -
6.4
128 -
FortiCloud Products
118 -
FortiSIEM
114 -
FortiToken
114 -
FortiGateCloud
112 -
Wireless Controller
96 -
High Availability
93 -
Customer Service
88 -
FortiProxy
79 -
SAML
78 -
ZTNA
77 -
Routing
76 -
Fortivoice
73 -
DNS
73 -
VLAN
73 -
BGP
72 -
FortiEDR
71 -
Authentication
71 -
FortiADC
69 -
Certificate
69 -
RADIUS
63 -
LDAP
63 -
FortiLink
59 -
SSO
57 -
FortiSandbox
55 -
NAT
55 -
FortiExtender
52 -
Interface
50 -
VDOM
50 -
4.0MR3
49 -
Application control
48 -
Virtual IP
44 -
FortiDNS
43 -
Logging
42 -
FortiGate v5.4
38 -
FortiSwitch v6.4
38 -
SSL SSH inspection
38 -
FortiPAM
37 -
Web profile
36 -
FortiConnect
35 -
Automation
35 -
FortiWAN
31 -
FortiConverter
31 -
API
29 -
FortiGate v5.2
28 -
Fortigate Cloud
26 -
Traffic shaping
26 -
Static route
26 -
SNMP
25 -
SSID
25 -
FortiSwitch v6.2
23 -
FortiPortal
23 -
System settings
22 -
WAN optimization
22 -
FortiMonitor
20 -
OSPF
20 -
Security profile
19 -
Web application firewall profile
19 -
Web rating
19 -
IP address management - IPAM
19 -
FortiSoar
18 -
FortiDDoS
17 -
FortiAP profile
17 -
FortiGate v5.0
16 -
Explicit proxy
16 -
Admin
15 -
IPS signature
15 -
Proxy policy
15 -
Intrusion prevention
15 -
FortiManager v4.0
14 -
FortiCASB
14 -
NAC policy
14 -
DNS filter
13 -
Users
13 -
FortiManager v5.0
12 -
FortiDeceptor
12 -
Traffic shaping policy
12 -
Fabric connector
12 -
Port policy
12 -
FortiBridge
11 -
FortiRecorder
11 -
Authentication rule and scheme
11 -
FortiAnalyzer v5.0
10 -
FortiWeb v5.0
10 -
Trunk
10 -
Traffic shaping profile
10 -
Fortinet Engage Partner Program
10 -
FortiGate v4.0 MR3
9 -
RMA Information and Announcements
9 -
Antivirus profile
9 -
FortiCache
8 -
FortiToken Cloud
8 -
Application signature
8 -
4.0
7 -
4.0MR2
7 -
Packet capture
7 -
VoIP profile
7 -
Vulnerability Management
7 -
FortiScan
6 -
FortiNDR
6 -
DoS policy
6 -
FortiCarrier
5 -
FortiTester
5 -
DLP profile
5 -
DLP sensor
5 -
Email filter profile
5 -
Protocol option
5 -
TACACS
5 -
Cloud Management Security
5 -
3.6
4 -
FortiAI
4 -
FortiDirector
4 -
Internet service database
4 -
DLP Dictionary
4 -
Netflow
4 -
Replacement messages
4 -
SDN connector
4 -
Service
4 -
Multicast routing
4 -
FortiDB
3 -
FortiHypervisor
3 -
Kerberos
3 -
File filter
3 -
Multicast policy
3 -
FortiEdge Cloud
3 -
FortiInsight
2 -
Video Filter
2 -
Schedule
2 -
ICAP profile
2 -
Zone
2 -
Lacework
2 -
FortiGuest
2 -
4.0MR1
1 -
FortiManager-VM
1 -
FortiCWP
1 -
Subscription Renewal Policy
1 -
FortiSASE
1 -
Virtual wire pair
1 -
FortiEdge
1 -
FortiAIOps
1
Top Kudoed Authors
| User | Count |
|---|---|
| 2691 | |
| 1412 | |
| 810 | |
| 710 | |
| 455 |
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2025 Fortinet, Inc. All Rights Reserved.