FortiGate
ppardeshi
Staff
Article Id 261559
Description This article discusses Virtual Server Load Balancer's behavior when using IP-based load-balancing on Active-Passive Real servers.
Scope FortiGate.
Solution The original behavior for a server-load-balance VIP that has both active and standby real servers is as follows: if the active server goes down, traffic is forwarded to the standby server. When the active server is re-activated (or comes back up), traffic does not move back to the active server immediately, because it matches an existing firewall session and is still forwarded to the standby server.
This behavior is changed in firmware 7.2.4 and 7.4.0 GA and later.
The change is that the old firewall session is marked dirty and re-validated after the active server is re-activated.
All the existing sessions pointing to the standby server will be moved over to the original active server after re-validation.
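The difference between the two behaviors can be seen in a small model. This is an added example, not FortiOS code: the class and function names, the session-table structure, and the IP addresses are assumptions made for illustration.

```python
# Simplified model of the session behaviour described above (not FortiOS code).
# All names are hypothetical; all addresses are constructed documentation IPs.
from dataclasses import dataclass, field

@dataclass
class RealServer:
    ip: str
    role: str            # "active" or "standby"
    up: bool = True

@dataclass
class VirtualServer:
    servers: list
    revalidate_on_recovery: bool   # True models 7.2.4 / 7.4.0 GA and later
    sessions: dict = field(default_factory=dict)  # client -> RealServer
    dirty: set = field(default_factory=set)       # clients awaiting re-validation

    def pick(self):
        """Prefer a live active real server, else a live standby."""
        live = [s for s in self.servers if s.up]
        return min(live, key=lambda s: s.role != "active", default=None)

    def forward(self, client):
        """Return the real server IP that this client's next packet reaches."""
        server = self.sessions.get(client)
        if server is None or not server.up or client in self.dirty:
            self.dirty.discard(client)
            server = self.sessions[client] = self.pick()
        return server.ip if server else None

    def set_health(self, server, up):
        """Apply a health-check result; on active recovery, mark sessions dirty."""
        recovered = up and not server.up and server.role == "active"
        server.up = up
        if recovered and self.revalidate_on_recovery:
            self.dirty |= {c for c, s in self.sessions.items()
                           if s.role == "standby"}

def failover_trace(revalidate_on_recovery, client="198.51.100.7"):
    """Server seen by one client: before failure, during it, after recovery."""
    active = RealServer("192.0.2.10", "active")
    standby = RealServer("192.0.2.20", "standby")
    vs = VirtualServer([active, standby], revalidate_on_recovery)
    trace = [vs.forward(client)]
    for state in (False, True):          # active goes down, then comes back
        vs.set_health(active, state)
        trace.append(vs.forward(client))
    return trace
```

With `revalidate_on_recovery=False` the last entry of the trace is still the standby server; with `True` the session returns to the active server on the first packet after recovery.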