- Forums
- Knowledge Base
- Customer Service
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDeceptor
- FortiDevSec
- FortiDirector
- FortiEDR
- FortiExtender
- FortiGate Cloud
- FortiGuard
- FortiHypervisor
- FortiInsight
- FortiIsolator
- FortiMail
- FortiManager
- FortiMonitor
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPortal
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSandbox
- FortiSASE
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- FortiWebCloud
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Forums
- Support Forum
- RE: sticky connections / Sticky IP
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Not applicable
Created on 06-19-2008 12:47 PM
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
sticky connections / Sticky IP
we want to load balance 3 web boxes. these boxes host sites where users can shop and add stuff to carts and make purchases. So as such we need to employ some kind of sticky connection or sticky ip so the user remains on the same web box and maintains their session when browsing various pages.
how do we enable this feature on the fortigate 300A
thanks
8 REPLIES 8
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
as long as you are using v3 firmware, you can use server load balancing on the VIP. so one external IP maps to multiple internal webservers.
The box should be intelligent enough to only map one user(ip) to one server at a time. I would be surprised if it didnt.
Other way is to use one external IP per webserver, and just do simple static nats, and use multiple IP entries in the DNS entry, but this provides no failover.
UK Based Technical Consultant
FCSE v2.5
FCSE v2.8
FCNSP v3
Specialising in Systems, Apps, SAN Storage and Networks, with over 25 Yrs IT experience.
UK Based Technical Consultant FCSE v2.5 FCSE v2.8 FCNSP v3 Specialising
in Systems, Apps, SAN Storage and Networks, with over 25 Yrs IT
experience.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
thank you for the reply.
so what you are describing sounds like a " sticky ip" . i don’t see anywhere in the box where it says that it does that, but i sure hope that it does. i have the box all configured and am going to roll it out into production soon.
my old sonicwall firewall did the balancing, but no sticky ip or sticky connection. that is important because as people browse the site and add items to their cart it is done via http. once they sign in or click to checkout it goes https. so as they browse the various pages on the site it is important they remain on a single web server in the farm as to not lose their session data and cart contents.
I guess i' ll find out son enough when i roll it out. I just wish i had some definitive information on it. the administration guide and online help offer no information on any kind of sticky connections.
the other idea you offered w/ dns resolving to each web box would work if we had as many public IP addresses as we had web servers in our farm. unfortunately we don' t. also as you said it offers no fault tolerance. if a box goes down i can delete the dns entry for it, but that can take 24 hours to propagate throughout the internet. i most likely would have the server running again before dns finished propagating.
i hope someone out there has some definitive answers, i would like to roll these boxes into production early next week. I really have no way of testing that either until they are in production and available via the public network.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Pass the question to support. As long as they don' t have to fix anything, you may get a quick answer.
Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com
Bob - self proclaimed posting junkie!See my Fortigate related scripts
at: http://fortigate.camerabob.com
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I seem to remember reading somewhere that it kind of binds the source IP to one server. But cannot remember where i read that.
UK Based Technical Consultant
FCSE v2.5
FCSE v2.8
FCNSP v3
Specialising in Systems, Apps, SAN Storage and Networks, with over 25 Yrs IT experience.
UK Based Technical Consultant FCSE v2.5 FCSE v2.8 FCNSP v3 Specialising
in Systems, Apps, SAN Storage and Networks, with over 25 Yrs IT
experience.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
i have submitted the question to support. i will post the results here as i do think this information would be useful to more than just myself.
thanks
zack
Not applicable
Created on 06-23-2008 01:25 PM
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
here is the reply from tech support:
" Hi Zack,
Weighted or static will remain the same session to same server; Client accessing to your public web pages will always be directed to the same internal balanced web server as long as their public ip remains unchanged (same session).
By default the session-ttl is set to 3600 sec (an hour); please use this CLI command to verify the setting:
FGT # get sys session-ttl
Thank you
Cliff"
hope this info helps others out there.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Confirmed what i remembered, it maps an external IP to the one internal server.
Lets face it though, if it didn' t, it wouldnt work at all. A typical IE browser will open four simultaneous connections to a webserver.
UK Based Technical Consultant
FCSE v2.5
FCSE v2.8
FCNSP v3
Specialising in Systems, Apps, SAN Storage and Networks, with over 25 Yrs IT experience.
UK Based Technical Consultant FCSE v2.5 FCSE v2.8 FCNSP v3 Specialising
in Systems, Apps, SAN Storage and Networks, with over 25 Yrs IT
experience.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
We just set this up using the " static" method and it works great for our customer' s virtual exchange cluster. Static is want you what.
John
CISSP, FCNSP
Adv(thanks)ance
John CISSP, FCNSP Adv(thanks)ance
Related Posts
- VRRP MAC pointed to wrong port 466 Views
- Forti Switch Static MAC ADDRESS on... 1576 Views
- No response from webservers if IP... 1431 Views
- SD-WAN best load balance algorithm? 5406 Views
- Meru sticky user 153 Views
Labels
-
FortiGate
6,958 -
FortiClient
1,370 -
5.2
801 -
5.4
639 -
FortiManager
602 -
FortiAnalyzer
440 -
6.0
416 -
5.6
362 -
FortiAP
362 -
FortiSwitch
361 -
FortiClient EMS
281 -
FortiMail
269 -
6.2
251 -
FortiAuthenticator v5.5
234 -
5.0
196 -
FortiWeb
168 -
6.4
128 -
FortiNAC
123 -
FortiGuard
111 -
IPsec
101 -
FortiGateCloud
92 -
FortiSIEM
91 -
SSL-VPN
87 -
FortiCloud Products
85 -
FortiToken
76 -
Customer Service
70 -
4.0MR3
64 -
Wireless Controller
63 -
FortiProxy
48 -
FortiADC
45 -
SD-WAN
43 -
FortiEDR
42 -
Fortivoice
41 -
FortiDNS
37 -
FortiExtender
35 -
FortiGate v5.4
35 -
FortiSandbox
33 -
FortiSwitch v6.4
32 -
Firewall policy
31 -
High Availability
28 -
FortiAuthenticator
27 -
VLAN
27 -
FortiConnect
24 -
FortiWAN
23 -
ZTNA
21 -
FortiConverter
21 -
DNS
20 -
FortiGate v5.2
19 -
FortiPortal
18 -
Certificate
18 -
FortiSwitch v6.2
17 -
SAML
17 -
LDAP
17 -
BGP
16 -
VDOM
16 -
FortiMonitor
14 -
FortiLink
14 -
Interface
14 -
Logging
14 -
Authentication
13 -
FortiGate v5.0
13 -
Routing
13 -
FortiDDoS
13 -
FortiCASB
12 -
NAT
11 -
RADIUS
10 -
SSL SSH inspection
10 -
Traffic shaping
10 -
Fortigate Cloud
10 -
Virtual IP
10 -
SSO
10 -
FortiRecorder
10 -
FortiWeb v5.0
9 -
FortiManager v5.0
9 -
Web profile
9 -
Application control
9 -
4.0MR2
9 -
SSID
8 -
FortiBridge
8 -
WAN optimization
8 -
FortiGate v4.0 MR3
8 -
IP address management - IPAM
8 -
RMA Information and Announcements
7 -
FortiSOAR
7 -
FortiAnalyzer v5.0
7 -
SNMP
7 -
Web application firewall profile
7 -
Admin
7 -
4.0
7 -
Security profile
6 -
Traffic shaping policy
6 -
IPS signature
5 -
Proxy policy
5 -
Packet capture
5 -
FortiAP profile
5 -
FortiManager v4.0
5 -
Static route
5 -
FortiDirector
4 -
Antivirus profile
4 -
Automation
4 -
DNS Filter
4 -
FortiTester
4 -
Web rating
4 -
FortiCarrier
4 -
FortiCache
4 -
OSPF
4 -
3.6
4 -
FortiScan
4 -
trunk
4 -
Port policy
4 -
FortiDeceptor
3 -
Fortinet Engage Partner Program
3 -
FortiToken Cloud
3 -
Traffic shaping profile
3 -
FortiPAM
3 -
DoS policy
3 -
Email filter profile
3 -
Intrusion prevention
3 -
FortiDB
3 -
System settings
2 -
FortiInsight
2 -
NAC policy
2 -
Users
2 -
VoIP profile
2 -
FortiAI
2 -
FortiHypervisor
2 -
Fabric connector
2 -
Netflow
2 -
Multicast routing
2 -
Protocol option
2 -
4.0MR1
1 -
TACACS
1 -
Replacement messages
1 -
Subscription Renewal Policy
1 -
Schedule
1 -
FortiCWP
1 -
FortiNDR
1 -
SDN connector
1 -
Application signature
1 -
Authentication rule and scheme
1 -
FortiManager-VM
1 -
Internet Service Database
1 -
Explicit proxy
1 -
Zone
1
Top Kudoed Authors
| User | Count |
|---|---|
| 1005 | |
| 837 | |
| 476 | |
| 440 | |
| 136 |
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2024 Fortinet, Inc. All Rights Reserved.