
Not applicable
Created on 10-27-2010 01:37 AM
maximal amount of Load Balance rules
Hi to Fortinet community,
I'm pretty new to FortiOS and for the last few days I've been struggling with setting up Load Balancing over Virtual/Real servers.
Scenario is classic, two (or more) webservers in DMZ behind FortiGate 60C in HA (Active-passive mode). Firmware used is v4.0,build5352,101007 (MR2).
Everything is OK, until I try to add more than one Virtual IP -> Real server(s) mapping.
When I try to add a second (or another) rule, the web GUI says "unknown error occured". I was curious about this weird message so I tried to add the rule in the CLI.
And the CLI says "Virtual server limit reached!"
This is leading me to think there is a maximum limit of one(?!) Virtual server rule. I tried to find some info about this issue, but after a few hours I ended up here :).
Could some of you guys explain to me what I'm doing wrong?
Thank you!
Jiri
Hi,
and welcome to the Forums!
According to the Maximum Values table for model 60C, there is a maximum of 1 (one) virtual server and 3 (three) real servers per virtual server.
Same for 50B, 80C. For 110C=3 virtuals, higher models = 500.
Seems that either load balancing is too CPU intensive or this (included for free) feature is saved for the higher models.
Ede Kernel panic: Aiee, killing interrupt handler!
I recently attempted to update my 60B from FortiOS 3, which doesn't have this limitation, and ran into this problem. I'm kind of horrified that this limit was added (and I'm really nonplussed that, as far as I can find, this change wasn't indicated in the update notes anywhere, which led me to hours of frustration before I realized that the Fortigate had silently dropped that part of my configuration).
I don't even actually *need* two virtual IPs—I just need to be able to virtualize two different *ports* on the same IP, which I can do under the older OS, but can't figure out how to do on FortiOS 4 on the 60B.
Might there be any workarounds available to me?

Not applicable
Created on 10-27-2010 03:30 AM
Thank you for the reply,
even though I can't say you pleased me.
OK, I will have to live with this limitation. Err, customer will have to live with this limitation :).
Kind regards,
Jiri
At first I thought "tough luck!" but then I spotted that there are 2 load-balancing types of VIP: load-balance and server-load-balance. So I did this in the CLI:
config firewall vip
    edit "vserver"
        set type load-balance
        set extip 1.2.3.4
        set extintf "wan1"
        set portforward enable
        set mappedip 192.168.234.50
        set extport 8080
        set mappedport 8080
    next
    edit "vserver2"
        set type load-balance
        set extip 1.2.3.4
        set extintf "wan1"
        set portforward enable
        set mappedip 192.168.234.50
        set extport 8081
        set mappedport 8081
    next
end

This is a valid configuration. I cannot test this here but maybe you can, and report back if that works for you.
Ede Kernel panic: Aiee, killing interrupt handler!
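A pre-upgrade check for the situation reported in this thread, where a virtual server over the model limit went missing from the configuration after the move to FortiOS 4. This is an added example, not part of any post here and not Fortinet code: it counts `server-load-balance` VIPs in a saved configuration against the limits quoted earlier in the thread. The sample backup, the function names and the `config realservers` sub-table in the sample are assumptions for illustration.

```python
# Limits as quoted in this thread (Maximum Values table, 4.0 MR2); verify for your release.
THREAD_LIMITS = {"50B": 1, "60C": 1, "80C": 1, "110C": 3}

# Constructed sample backup, not taken from any poster's device.
SAMPLE = """\
config firewall vip
    edit "web-vs"
        set type server-load-balance
        set extport 80
        config realservers
            edit 1
                set ip 192.168.234.50
            next
        end
    next
    edit "web-alt-vs"
        set type server-load-balance
        set extport 8080
    next
    edit "vserver2"
        set type load-balance
        set extport 8081
    next
end
"""

def vip_types(config_text):
    """Map each VIP name in 'config firewall vip' to its 'set type' value."""
    types, name, in_block, depth = {}, None, False, 0
    for line in (raw.strip() for raw in config_text.splitlines()):
        if not in_block:
            in_block = line == "config firewall vip"
        elif line.startswith("config "):   # nested table, e.g. realservers
            depth += 1
        elif line == "end":
            if depth == 0:
                break
            depth -= 1
        elif depth == 0 and line.startswith("edit "):
            name = line[5:].strip().strip('"')
            types[name] = None
        elif depth == 0 and name and line.startswith("set type "):
            types[name] = line[9:].strip()
    return types

def excess_virtual_servers(config_text, model, limits=THREAD_LIMITS):
    """Names of server-load-balance VIPs beyond the model's limit, in file order."""
    slb = [n for n, t in vip_types(config_text).items() if t == "server-load-balance"]
    return slb[limits[model]:]
```

A non-empty result means the backup holds more virtual servers than the quoted limit allows, so that part of the configuration needs reworking before the upgrade, for example into per-port `load-balance` VIPs as suggested above.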
That sounds promising! I'm not sure when I might be able to afford the downtime to test it just now, though. Might take me a week or more.
Do you have any idea what the functional difference (if any) might be between "load-balance" and "server-load-balance"?
Also, going through the config files from my brief foray into 4, I noticed the following line under config system fortiguard:
set load-balance-servers 1
Is there any chance that just changing that to a 2 would do the trick?
lmao...seriously, do you think so?
No, this relates to Fortiguard services only; apparently you can source more than one to improve response time, e.g. for web filter rating.
Ede Kernel panic: Aiee, killing interrupt handler!
Makes sense....
(I realize I was being hopeful, but it is, after all, clearly an arbitrary limit, since the hardware is happy to do just what I want it to do under the older OS...)
I don't totally agree here...the load-balancing feature has been expanded substantially in FortiOS 4 with configurable, reusable monitors, not only using ping but higher application level protocols like HTTP, and more granularity. This takes it to a different level. Now compare this kind of load balancer with standalone units built just for this purpose and you'll see that their prices start where even powerful mid-range Fortigates stop. It wouldn't be wise to make such a feature available unlimited even on the cheapest box of the range (read: $500), would it?
But -- Fortigate chose to enable it for 1 virtual server with up to 8 real servers on the entry line FGTs and gradually expand that to 500 virtual servers on higher models. Compared to the choice of just dropping that feature altogether on all Fortigates below a 200B (or such) it's quite a deal.
That's for that. In your case it looks like you could get away with the 'simple' l-b VIP I cited. So that would mean you wouldn't have any drawbacks at all. Just give it a try, please.
Ede Kernel panic: Aiee, killing interrupt handler!
I totally agree with Ede, it's a nice feature to have even on small boxes, the limitations are not quite arbitrary. There is a huge risk of overloading a small box with this kind of feature.
Furthermore you can configure 4 load-balancers on a FG80C although the max value matrix says 1. (4.0 MR2)
So bonus for free.
Cheers, Eric
Rackmount your Fortinet --> http://www.rackmount.it/fortirack
