DirkDuesentrieb
New Contributor

server load balancing finally works since FOS 6.4

Hi,
the FortiGate has had the VIP type "server-load-balance" for a while, and some features, e.g. HTTPS offloading and cookie persistence, looked promising, but there was a bug in the cookie handling that spoiled it all.

Since FOS 6.4 this is fixed, and we have used this simple SLB for a while without issues. So if you are thinking about replacing a full-blown ADC (F5, A10, FortiADC) with this feature, the following might be interesting for you.


Features

  • Supported protocols: https, generic ssl, http, tcp, udp and generic ip
  • HTTPS offloading with optional crypto tuning
  • HTTP redirect to HTTPS
  • HSTS and HPKP
  • secure cookies
  • simple HTTP header manipulation (via web-proxy profile)
  • usable health checks
  • Automation through the FG's standard REST API

Limitations

  • SNAT is limited to the FG's interface IP
  • Event logging can't show the VIP or real server. Works with FAZ though
  • The LB monitor dashboard shows only the (static) configured state and not the health status
  • max 16 real servers on 1HU devices
  • health checks might be redundant if real servers are reused in multiple VIPs

Missing

Advanced ADC features like

  • Content rewriting
  • Scripting (iRules/aFleX)
  • Caching
  • SNI


I like this feature because we didn't need a different dedicated box with its own handling, training, contracts and all. My hope: more admins use it and someone at FTN finds time to improve at least the dashboard limitation. Why did they make a dashboard that is static???


Regards,

Dirk
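As an added illustration of the feature list above (this is example configuration written for this page, not Dirk's config and not taken from Fortinet documentation), here is a FortiOS 6.4-style CLI layout for one HTTPS virtual server with offloading, cookie persistence, HSTS, an HTTP-to-HTTPS redirect VIP and a real health check. All names, addresses, certificate name, URI and pool are constructed placeholders; the `http-multiplex disable` line reflects the SNAT behaviour discussed later in this thread rather than a documented requirement.

```fortios
# --- Health monitor: an HTTPS GET that must return a body containing "ok" ---
# (constructed example; adjust path/match string to your backend)
config firewall ldb-monitor
    edit "mon-https-health"
        set type https
        set interval 10
        set timeout 2
        set retry 3
        set port 443
        set http-get "/healthz"
        set http-match "ok"
    next
end

# --- HTTPS virtual server: offload TLS on the FortiGate, re-encrypt to backends ---
config firewall vip
    edit "vs-web-https"
        set type server-load-balance
        set extip 203.0.113.10            # constructed public IP
        set extintf "port1"
        set server-type https
        set extport 443
        set ldb-method least-session
        set persistence http-cookie       # FortiGate-inserted persistence cookie
        set http-cookie-age 60
        set http-cookie-secure enable     # cookie carries the Secure flag
        set http-multiplex disable        # thread reports SNAT pool ignored when enabled (6.4.9)
        set ssl-mode half                 # "half" = FortiGate <-> real server in clear; use full for re-encryption
        set ssl-certificate "example-cert"   # placeholder: your imported server certificate
        set ssl-min-version tls-1.2       # crypto tuning: no TLS 1.0/1.1 to clients
        set ssl-hsts enable
        set ssl-hsts-age 31536000
        set ssl-hsts-include-subdomains enable
        set monitor "mon-https-health"
        config realservers
            edit 1
                set ip 10.10.0.11         # constructed backend
                set port 443
            next
            edit 2
                set ip 10.10.0.12         # constructed backend
                set port 443
            next
        end
    next
    # --- Plain HTTP listener whose only job is to redirect clients to HTTPS ---
    edit "vs-web-http-redirect"
        set type server-load-balance
        set extip 203.0.113.10
        set extintf "port1"
        set server-type http
        set extport 80
        set http-redirect enable
    next
end

# --- Policy that allows traffic to both VIPs; the SNAT pool is applied here, not on the VIP ---
config firewall ippool
    edit "snat-pool-dmz"
        set startip 10.10.0.250           # constructed
        set endip 10.10.0.250
    next
end
config firewall policy
    edit 10
        set name "allow-web-slb"
        set srcintf "port1"
        set dstintf "port2"
        set srcaddr "all"
        set dstaddr "vs-web-https" "vs-web-http-redirect"
        set action accept
        set schedule "always"
        set service "HTTP" "HTTPS"
        set nat enable
        set ippool enable
        set poolname "snat-pool-dmz"
        set logtraffic all
    next
end
```

Note on the design: `ssl-mode half` means the real servers see plaintext from the FortiGate, which is the "offloading" case; if the backends must also be reached over TLS, set `ssl-mode full`. The persistence cookie is set by the FortiGate itself, so the backend application never sees it and cannot accidentally expose it. Keep `logtraffic all` on the policy if you rely on FortiAnalyzer to see which VIP and real server handled a session, since the OP notes the local event log does not show that.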

DirkDuesentrieb

Hi @jintrah_FTNT ,


yes, but if you look closely, you see that the circle only shows the "Mode", not the "Status". So in your case you have two servers down (meaning your service is offline!) and the circle looks all good. Not what you expect, right?


The table is grouped by the IP of the virtual servers, okay, but the server name would help more.


Regards,
Dirk

jintrah_FTNT

Hi Dirk,


Indeed, it's mentioned that the circle shows the Mode and not the status. To see the status, refer to the column


[screenshot attachment: jintrah_FTNT_0-1652863534622.png]


Best regards,

Jin

DirkDuesentrieb
New Contributor

Hello @jintrah_FTNT ,


I did a quick retest and you are right, it works (now), which was a bit surprising to me because I had lots of sniffer dumps from my previous tests that showed a different behavior. The important change was unsetting http-multiplexing! Because it's turned off now, SNAT works. Bug or feature? At least something to add to the article. Can you correct it?


Regards,

Dirk

jintrah_FTNT

Hi Dirk,


You should be able to get it working with http-multiplexing or without; the snapshot I shared earlier was taken when the multiplexing setting was enabled.


Best regards,

Jin

DirkDuesentrieb

Hi @jintrah_FTNT ,


my box has FOS 6.4.9. If I turn on http-multiplex for a VIP, the SNAT pool is ignored and the interface IP is used to connect to the real server.
If I turn it off (and wait for sessions to time out), SNAT works again.

I just ran a tcpdump to confirm, because the traffic log claims that it uses the pool IP, but it doesn't.


Regards,
Dirk
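The verification Dirk describes (checking the actual source address on the wire rather than trusting the traffic log) can be done from the FortiGate CLI itself. The following is an added example for this thread, not commands from either poster; the interface name, addresses and VIP name are constructed placeholders, and the comments describe what a reader would look for, not captured output.

```fortios
# 1) Which source IP reaches the real server? Capture on the backend-facing
#    interface only, filtering on the (constructed) real server and port.
#    Verbosity 4 prints interface + IP headers, which is enough to read the
#    source address; 50 = number of packets, a = absolute timestamps.
diagnose sniffer packet port2 'host 10.10.0.11 and port 443' 4 50 a
# Expected when the pool is honoured: packets from 10.10.0.250 -> 10.10.0.11
# Reported in this thread with http-multiplex enabled: packets from the port2
# interface IP instead of the pool address.

# 2) Cross-check the session table instead of the traffic log: the "hook"
#    / NAT fields show the translated source the kernel actually applies.
diagnose sys session filter clear
diagnose sys session filter dst 10.10.0.11
diagnose sys session filter dport 443
diagnose sys session list

# 3) After toggling http-multiplex, existing sessions keep their old NAT
#    decision until they expire. Clear the filtered sessions instead of
#    waiting for the timeout (this drops those client connections).
diagnose sys session clear

# 4) Real server health as seen by the load balancer, independent of the
#    static LB dashboard discussed earlier in the thread.
diagnose firewall vip realserver list
```

Usage note: run step 1 and step 2 together while a client is connected through the VIP; if the sniffer shows the interface IP while the session list or traffic log claims the pool IP, that discrepancy is exactly the evidence a TAC case needs, so keep the capture output and the `get firewall vip` / `show firewall vip vs-web-https` output of the affected VIP alongside it.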

jintrah_FTNT

Hi Dirk,


I am not sure about this behavior, but ideally in production one would not keep switching these settings ON and OFF, so sessions from the beginning would be SNAT'ed anyway.


Best regards,

Jin

DirkDuesentrieb

Hi @jintrah_FTNT ,


I just re-enabled the option to reproduce the bug. Of course in production you have it ON or OFF, but if you have it ON, the SNAT pool will not work.


Regards,

Dirk

jintrah_FTNT

Hi Dirk,


If, with multiplexing turned ON, the SNAT pool never worked, you may want to open a support ticket to check with TAC. But if it works after all sessions are cleared following each toggle of the multiplex setting on/off, then it may be expected.


Best regards,

Jin
