server load balancing finally works since FOS 6.4
Hi,
the FortiGate has had the VIP type "server-load-balance" for a while, and some features, e.g. HTTPS offloading and cookie persistence, looked promising, but there was a bug in the cookie handling that spoiled it all.
Since FOS 6.4 this is fixed and we have used this simple SLB for a while without issues. So if you are thinking about replacing a full-blown ADC (F5, A10, FortiADC) with this feature, the following might be interesting for you.
Features
- Supported Protocols: https, generic ssl, http, tcp, udp and generic ip
- https offloading with optional crypto tuning
- http redirect to https
- HSTS and HPKP
- secure cookies
- simple http header manipulation (via web-proxy profile)
- usable health checks
- Automation through FGs standard REST API
Limitations
- SNAT is limited to the FG's interface IP
- Event logging can't show the VIP or real server. Works with FAZ though
- LB Monitor Dashboard shows only the (static) configured state and not the health status
- max 16 real servers on 1HU devices
- health checks might be redundant if real servers are reused in multiple VIPs
Missing
Advanced ADC features like
- Content rewriting
- Scripting (irules/aflex)
- Caching
- SNI
I like this feature because we didn't need a separate dedicated box with its own handling, training, contracts and all. My hope: more admins use it and someone at FTN finds time to improve at least the dashboard limitation. Why did they make a dashboard that is static???
Regards,
Dirk
Hi @jintrah_FTNT ,
yes, but if you look closely, you see that the circle only shows the "Mode", not the "Status". So in your case you have two servers down (which means your service is offline!) and the circle looks all good. Not what you expect, right?
The table is grouped by the IP of the virtual servers, okay, but the server name would help more.
Regards,
Dirk
Hi Dirk,
Indeed, it's mentioned that the circle shows the Mode and not the Status. To see the status, refer to the column
Best regards,
Jin
Hello @jintrah_FTNT ,
I did a quick retest and you are right, it works (now), which was a bit surprising to me because I had lots of sniffer dumps from my previous tests that showed a different behavior. The important change was unsetting http-multiplexing! Because it's turned off now, SNAT works. Bug or feature? At least something to add to the article. Can you correct it?
Regards,
Dirk
Hi Dirk,
You should be able to get it working with http-multiplexing or without, the snapshot I shared earlier was taken when the multiplexing setting was enabled.
Best regards,
Jin
Hi @jintrah_FTNT ,
my box has FOS 6.4.9. If I turn on http-multiplex for a VIP, the SNAT pool is ignored and the interface IP is used to connect to the real server.
If I turn it off (and wait for sessions to time out), SNAT works again.
Just ran a tcpdump to confirm, because the traffic log claims that it uses the pool IP, but it doesn't.
Regards,
Dirk
Hi Dirk,
I am not sure about this behavior, but ideally in production one would not keep switching these settings ON and OFF, so sessions from the beginning would be SNAT'ed anyway.
Best regards,
Jin
Hi @jintrah_FTNT ,
I just re-enabled the option to reproduce the bug. Of course, in production you have it ON or OFF, but if you have it ON, the SNAT pool will not work.
Regards,
Dirk
Created on 05-18-2022 02:20 AM Edited on 05-18-2022 02:21 AM
Hi Dirk,
If, with multiplexing turned ON, the SNAT pool never worked, you may want to open a support ticket to check with TAC. But if it works after all sessions are cleared following every toggle of the multiplex setting on/off, then it may be expected.
Best regards,
Jin