Hi,
the Fortigate has the vip type "server-load-balance" for a while and some features eg https offloading and cookie persitence looked promising, but there was a bug in the cookie handling that spoiled it all.
Since FOS 6.4 this is fixed and we use this simple slb for a while without issues. So if you think about replacing a fully blown ADC (F5,A10,FortiADC) with this feature, the following might be interesting for you.
Features
Limitations
Missing
Advanced ADC features like
I like this feature because we didn't need a different dedicated box with individual handling, training, contracts and all. My hope: more admins use it and someone at FTN finds time to improve at least the dashboard limitation. Why did they make a dashboard that is static???
Regards,
Dirk
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
Hi @jintrah_FTNT ,
yes, but if you look closely, you see that the circle only shows the "Mode" not the "Status". So in your case you have two servers down (means your service is offline!) and the circle looks all good. Not what you expect, right?
The table is grouped by the IP of the virtual servers, okay but the server name would help more.
Regards,
Dirk
Hi Dirk,
Indeed its mentioned about the Mode and not the status looking at the circle. To see the status, refer the column
Best regards,
Jin
Hello @jintrah_FTNT ,
I did a quick retest and you are right it works (now), what was a bit surprising to me be because I had lots of sniffer dumps from my previous tests that showed a different behavior. The important change was unsetting http-multiplexing! Because it's turned off now, SNAT works. Bug or Feature? At least something to add to the article. Can you correct it?
Regards,
Dirk
Hi Dirk,
You should be able to get it working with http-multiplexing or without, the snapshot I shared earlier was taken when the multiplexing setting was enabled.
Best regards,
Jin
Hi @jintrah_FTNT ,
my box has FOS6.4.9. If I turn on http-multiplex for a VIP, the SNAT-Pool is ignored and the interface VIP is used to connect to the real server.
If I turn it off (and wait for sessions to time out) SNAT works again.
Just ran a tcpdump to confirm, because the traffic log claims that it it uses the pool IP - but it doesn't.
Regards,
Dirk
Hi Dirk,
I am not sure on this behavior, but ideally in production one would not keep switching these setting ON and OFF, so sessions from the beginning would be snat'ed anyway.
Best regards,
Jin
Hi @jintrah_FTNT ,
I just reenabled the option to reproduce the bug. Of course in production you have it ON or OFF, but if you have it ON, the SNAT-Pool will not work.
Regards,
Dirk
Created on 05-18-2022 02:20 AM Edited on 05-18-2022 02:21 AM
Hi Dirk,
If turning ON multiplexing, and SNAT-Pool never worked, you may want to open a support ticket to check with TAC. But if it works after all sessions are cleared after toggling the multiplex settings on/off everytime, then it may be expected.
Best regards,
Jin
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1714 | |
1093 | |
752 | |
447 | |
232 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.