Fortinet Document Library


Server load balancing

Server load balancing (SLB) features are designed to give you flexible options for maximizing performance of your backend servers. The following topics give an overview of SLB features:

Feature summary

The following table, Server load balancing features, summarizes the server load balancing features.

Server load balancing features

Features: Summary

Methods:
  • Round robin
  • Weighted round robin
  • Least connections
  • Fastest response
  • Hash of URI, domain, host, destination IP

Health check: Checks based on Layer 3, Layer 4, or Layer 7 data.

Server management:
  • Warm up
  • Rate limiting
  • Maintenance mode with session ramp down

Persistence: Based on:
  • Cookies
  • TCP/IP header matches
  • A hash of TCP/IP header values
  • TLS/SSL session ID
  • RADIUS attribute
  • RDP Session Broker cookie
  • SIP caller ID

Layer 7:
  Profiles: HTTP, HTTPS, HTTP Turbo, RADIUS, RDP, SIP, TCPS
  Content routing: HTTP Host, HTTP Referer, HTTP Request URL, SNI hostname, Source IP address
  Content rewriting: URL redirect, 403 Forbidden, or HTTP request/response rewrite

Layer 4:
  Profiles: FTP, TCP, UDP
  Content routing: Source IP address

Layer 2:
  Profiles: HTTP, HTTPS, TCP, TCPS, UDP
  Note: Layer 2 load balancing is useful when the request’s destination IP is unknown and you need to load balance connections between multiple next-hop gateways.

For detailed information, see Chapter 4: Server Load Balancing.

Authentication

FortiADC SLB supports offloading authentication from backend servers. The auth policy framework supports authentication against local, LDAP, and RADIUS authentication servers, and it enables you to assign users to groups that are authorized to access protected sites.

For configuration details, see Configuring authentication policies.

Caching

FortiADC SLB supports both static and dynamic caching. Caching reduces server overload, bandwidth saturation, high latency, and network performance issues.

When caching is enabled for a virtual server profile, the FortiADC appliance dynamically stores application content such as images, videos, HTML files and other file types to reduce the load on backend servers and accelerate overall application performance.

For configuration details, see Using caching features.

Compression

FortiADC SLB supports compression offloading. Compression offloading means the ADC handles compression processing instead of the backend servers, allowing them to dedicate resources to their own application processes.

When compression is enabled for a virtual server profile, the FortiADC system intelligently compresses HTTP and HTTPS traffic. Reducing server reply content size accelerates performance and improves response times. FortiADC supports both industry standard GZIP and DEFLATE algorithms.

For configuration details, see Configuring compression rules.

Decompression

FortiADC SLB also supports decompressing the HTTP request body, according to the Content-Encoding header, before sending it to the Web Application Firewall (WAF) for scanning. Upon receiving a compressed HTTP request body, FortiADC first uses the zlib library to extract the HTTP body to a temporary buffer and then sends the buffer to the WAF engine for scanning.
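The decode-then-scan step described above can be sketched with Python's zlib binding. This is an added example, not FortiADC code: `decode_for_scan`, `scan`, `BodyTooLarge` and the 1 MiB `MAX_BODY` cap are hypothetical names and values, and the output cap and trailing-data check are assumptions about what a scanner's temporary buffer needs, not behaviour documented on this page.

```python
import zlib

MAX_BODY = 1 << 20  # assumed cap (1 MiB) on the temporary scan buffer


class BodyTooLarge(Exception):
    """Decoded body would not fit in the scan buffer."""


def _wbits(encoding):
    # The zlib window-bits value selects the container around the DEFLATE data.
    if encoding in ("gzip", "x-gzip"):
        return 16 + zlib.MAX_WBITS  # gzip header and trailer (RFC 1952)
    if encoding == "deflate":
        return zlib.MAX_WBITS       # zlib wrapper (RFC 1950)
    raise ValueError(f"unsupported Content-Encoding: {encoding!r}")


def decode_for_scan(headers, body, limit=MAX_BODY):
    """Return the bytes a scanner should inspect; header names are lowercase."""
    encoding = headers.get("content-encoding", "identity").strip().lower()
    if encoding == "identity":
        if len(body) > limit:
            raise BodyTooLarge(f"body exceeds {limit} bytes")
        return body
    d = zlib.decompressobj(_wbits(encoding))
    # max_length stops inflation early, so a tiny highly compressed body
    # cannot expand without bound inside the buffer.
    out = d.decompress(body, limit + 1)
    if len(out) > limit or d.unconsumed_tail:
        raise BodyTooLarge(f"decoded body exceeds {limit} bytes")
    if not d.eof or d.unused_data:
        # Truncated stream, or bytes after the stream that were never decoded.
        raise ValueError("malformed compressed body")
    return out


def scan(headers, body, signature=b"<script"):
    """Toy stand-in for a WAF engine: match one signature on the decoded body."""
    return signature in decode_for_scan(headers, body).lower()


if __name__ == "__main__":
    import gzip
    sample = b"comment=<script>alert(1)</script>"  # constructed request body
    print(scan({"content-encoding": "gzip"}, gzip.compress(sample)))
    try:
        scan({"content-encoding": "deflate"}, zlib.compress(bytes(8 * MAX_BODY)))
    except BodyTooLarge as exc:
        print("rejected:", exc)
```

Rejecting oversized, truncated and trailing-data bodies keeps the scanner and the backend looking at the same bytes; whether to block or pass such requests is a policy decision outside this sketch.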

Content rewriting

FortiADC SLB supports content rewriting rules that enable you to rewrite HTTP requests and responses so that you can cloak the details of your internal network. You can also create rules to redirect requests.

For configuration details and examples, see Using content rewriting rules.

Content routing

FortiADC SLB supports content routing rules that direct traffic to backend servers based on source IP address or HTTP request headers.

For configuration details, see Configuring content routes.

Scripting

FortiADC SLB supports Lua scripts to perform actions that are not currently supported by the built-in feature set. Scripts enable you to use predefined script commands and variables to manipulate the HTTP request/response or select a content route. The multi-script support feature enables you to use multiple scripts by setting their sequence of execution.

For configuration details, see Using predefined scripts and commands.

SSL transactions

FortiADC SLB supports SSL offloading. SSL offloading means the ADC handles SSL decryption and encryption processing instead of the backend servers, allowing the backend servers to dedicate resources to their own application processes.

SSL offloading results in improved SSL/TLS performance. On VM models, acceleration is due to offloading the cryptographic processes from the backend server. On hardware models with ASIC chips, cryptography is also hardware-accelerated: the system can encrypt and decrypt packets at better speeds than a backend server with a general-purpose CPU.

FortiADC SLB also supports SSL decryption by forward proxy in cases where you cannot copy the server certificate and private key to the FortiADC, either because it is impractical or impossible (in the case of outbound traffic to unknown Internet servers).

For detailed information, see Chapter 17: SSL Transactions.
