Help
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
DirkDuesentrieb
New Contributor

Created on ‎05-04-2022 01:29 AM

server load balancing finally works since FOS 6.4

Hi,
the Fortigate has the vip type "server-load-balance" for a while and some features eg https offloading and cookie persitence looked promising, but there was a bug in the cookie handling that spoiled it all.

Since FOS 6.4 this is fixed and we use this simple slb for a while without issues. So if you think about replacing a fully blown ADC (F5,A10,FortiADC) with this feature, the following might be interesting for you.

 

Features

  • Supported Protocols: https, generic ssl, http, tcp, udp and generic ip
  • https offloading with optional crypto tuning
  • http redirect to https
  • HSTS and HPKP
  • secure cookies
  • simple http header manipulation (via web-proxy profile)
  • usable health checks
  • Automation through FGs standard REST API

Limitations

  • SNAT is limited to FGs interface IP 
  • Event logging can't show VIP or real server. Works with FAZ though
  • LB Monitor Dashboard shows only (static) configured state and not the health status
  • max 16 real server on 1HU devices
  • health checks might be redundant if real servers are reused in multiple VIPs

Missing

Advanced ADC features like

  • Content rewriting
  • Scripting (irules/aflex)
  • Caching
  • SNI

 

I like this feature because we didn't need a different dedicated box with individual handling, training, contracts and all. My hope: more admins use it and someone at FTN finds time to improve at least the dashboard limitation. Why did they make a dashboard that is static???

 

Regards,

Dirk

Labels:
4830
0 Kudos
17 REPLIES 17
Anonymous
Not applicable

Created on ‎05-10-2022 10:00 AM Edited on ‎05-17-2022 08:25 AM

 
Thank you for using the Community Forum. We appreciate the information you have shared in the forum, although we think it is better suited to be an article instead so that everyone can make use of this useful information. We will work on this to create an article. We thank you for this great information.
 
Thanks,
2680
0 Kudos
DirkDuesentrieb
New Contributor

Created on ‎05-12-2022 06:08 AM Edited on ‎05-12-2022 06:09 AM

Hello @Anonymous ,

 

yes I'll need help - I don't know where/how to create an article.

 

Regards,

Dirk

2674
0 Kudos
DirkDuesentrieb
New Contributor

Created on ‎05-17-2022 05:24 AM

Hello all,

please note that at time of writing this, http-multiplex must be unset! Otherwise some clients will have connectivity issues in case of a realserver going down, because rebalancing of sessions with existing cookies will not work.

 

Regards,

Dirk

2657
0 Kudos
Debbie_FTNT
Staff
Staff
In response to DirkDuesentrieb

Created on ‎05-17-2022 07:57 AM

Hey Dirk,

at the moment, (KB) articles can only be created by Staff, not other community members.

I'm not sure if this will change, but I will reach out to the dedicated community team regarding your thread to see what can be done :).

Again, thanks for compiling the information in such an easily accessible format!

+++ Divide by Cucumber Error. Please Reinstall Universe and Reboot +++
2652
0 Kudos
jintrah_FTNT
Staff
Staff

Created on ‎05-18-2022 01:16 AM

Hi Dirk,

 

The SNAT is not limited to interface IP, we can have IP-Pools for SNAT.

 

jintrah_FTNT_0-1652861648710.png

 

best regards,

Jin

2628
jintrah_FTNT
Staff
Staff
In response to jintrah_FTNT

Created on ‎05-18-2022 01:22 AM

The realtime health monitor is available in the dashboard with healthcheck status. A sample below,

 

jintrah_FTNT_1-1652862126927.png

 

best regards,

Jin

 

2627
0 Kudos
jintrah_FTNT
Staff
Staff
In response to jintrah_FTNT

Created on ‎05-18-2022 01:26 AM

Dear Dirk,

 

You mentioned "Event logging can't show VIP or real server. Works with FAZ though"

 

But I think whatever generated on FortiGate is only viewable in FAZ. Is there any sample log you can provide which you didnt see on FortiGate but on FAZ(RAW log please and no csv, please).

 

Best regards,

Jin

2626
0 Kudos
DirkDuesentrieb
New Contributor
In response to jintrah_FTNT

Created on ‎05-18-2022 01:48 AM

Hello @jintrah_FTNT ,

ok, to put it more clearly: there is no column for VIP, so you can not filter on it.
columns.png

 

It is possible to check every log lines details to find the VIP.

log details.png

 

But ist is not the same as with FAZ, where you can see the VIP as a column and filter on it.

faz.png

 

Regards,

Dirk

2620
0 Kudos
jintrah_FTNT
Staff
Staff
In response to DirkDuesentrieb

Created on ‎05-18-2022 02:00 AM Edited on ‎05-18-2022 02:03 AM

Hi Dirk,

 

Thanks to make it clear about the search fields/column options in FAZ, rather misunderstanding for logs being unavailable on FortiGate.

 

Best regards,

Jin

 

2619
0 Kudos
Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors
View all
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2024 Fortinet, Inc. All Rights Reserved.