Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Products Best Practices Hardware Guides Products A-Z
Summary
By Solution
By 4D Pillars
By Cloud
Secure Networking
Unified SASE
Security Operations
Secure SD-WAN
Secure Access Service Edge (SASE)
ZTNA
LAN Edge
Identity and Access Management
Next Generation Firewall
Public Cloud
Private Cloud
FortiCloud
Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
    • More >>
    Unified SASE
  • Single Vendor SASE
  • Cloud Network Security
  • Secure Endpoint Connectivity
  • Web Application / API Protection
    • More >>
    Security Operations
  • Security Operations Automation
  • Identity
  • Early Detection & Prevention
    • More >>
    Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
  • Communication & Surveillance
    • Unified SASE
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Cloud Network Security
  • Cloud-Native Security
  • Web Application / API Protection
    • Security Operations
  • Security Operations Automation
  • Endpoint
  • Data Protection
  • Identity
  • Email
  • Early Detection & Prevention
  • Expert Services
  • Edge Firewall
  • Orchestration & management
  • SD Branch
  • Application Delivery
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Secure Private Access
  • Thin Edge
  • Identity
  • Application Gateway
  • Enterprise Asset Management
  • Endpoint Agent
  • Agentless Security Posture
  • Identity
  • Wireless
  • Switching
  • Identity
  • Privilege Acccess Management
  • Next Generation Firewall
  • Orchestration & management
  • Expert Services
  • All
  • All
  • Account Management
  • SAAS Management
  • SAAS Application Security
  • Managed Services
  • Platform as a service (PAAS)
  • Other SAAS Services
    • 4D Resources
    Solution Hubs
  • 4D Pillars
  • Cloud
  • Popular Solutions

    • User Guide

    Home FortiAppSec Cloud User Guide

    Load balance FortiGate VPN servers to GSLB

    Load balance FortiGate VPN servers to GSLB

    FortiAppSec Cloud enables clients to automatically connect to the most optimal FortiGate VPN server, ensuring efficient, high-speed access and reliable connectivity regardless of their location.

    This section covers the following:

    Configuration Prerequisites

    • A valid GSLB QPS license

    • A valid HealthCheck license

    • Allow the GSLB source IP addresses to access the FortiGate's restAPI. The source IP could be found at

    Example Use case

    In the following scenario, you have FortiGate VPN servers in two locations, each supporting a VPN service that connects to the company HQ.
    GSLB manages these servers within a single pool, allowing for geographic load balancing of incoming traffic and real-time monitoring of the VPN servers’ status.

    If traffic originates from one location, GSLB directs it to the nearest available server. If that server becomes unavailable, the traffic is automatically redirected to the next available VPN server.

    This setup ensures that clients from any location can enjoy optimal VPN performance and a fast connection to the company HQ, even while traveling.

    Example solution

    The diagram below illustrates the solution for when all the client’s incoming traffic comes from one location.

    Configuration Steps

    1. Create a new FQDN for your FortiGate VPN in GSLB Services.
      1. For this example, the name of the FQDN will be 'VPN-hq.fgt.com'.
      2. For details on creating an FQDN, refer to Configuring GSLB Objects.

    2. FQDN Member and Virtual Server Setup.

      1. Click Create Member. This option appears when you save the parent record from the previous step.
      2. Create a new virtual server. In this example, we will call it 'Pool1'.
        1. If you would like to load balance based on physical location, select GEO as the preferred method.
        2. Click Save.
    3. Create a pool member, a FortiGate connector, and a new connector member
      1. Create a pool member for 'Pool1' and create a new FortiGate Connector. We will refer to this connector as 'fgt-VPN1'.

      2. Create a new Data Center and create a new connector member. We can refer to this member as 'VPN1-DC1'.
      3. Add FortiGate 'VPN IP VPN1-DC1' Public IP and enable health check of your choice. In this case, we have enabled 'Default_HLTHCK_ICMP'.
    4. Repeat step 3 for all additional Virtual Servers.

    Note: The virtual server from the FortiGate Connector will be added into Pool and Connector directly and will work in GSLB services.

    Sample topology view in GSLB

    We have added each FortiGate VPN server into the GSLB pool. GSLB will load balance client traffic geographically using connector locations.

    After completing these steps, the customer can monitor the VPN service status from both Location DC1 and Location DC2 on the GSLB Service detail page. The GSLB will load balance the traffic to the connector that have the nearest location. If the nearest location VPN server is down, the GSLB will direct the traffic to other available location. If both VPN service servers are not available, the GSLB will direct traffic to the default VPN server.

    Note: The virtual servers from the FortiGate connector will be added into Pool and Connector directly and will work in GSLB Services.

    Previous
    Next

    Load balance FortiGate VPN servers to GSLB

    Load balance FortiGate VPN servers to GSLB

    FortiAppSec Cloud enables clients to automatically connect to the most optimal FortiGate VPN server, ensuring efficient, high-speed access and reliable connectivity regardless of their location.

    This section covers the following:

    Configuration Prerequisites

    • A valid GSLB QPS license

    • A valid HealthCheck license

    • Allow the GSLB source IP addresses to access the FortiGate's restAPI. The source IP could be found at

    Example Use case

    In the following scenario, you have FortiGate VPN servers in two locations, each supporting a VPN service that connects to the company HQ.
    GSLB manages these servers within a single pool, allowing for geographic load balancing of incoming traffic and real-time monitoring of the VPN servers’ status.

    If traffic originates from one location, GSLB directs it to the nearest available server. If that server becomes unavailable, the traffic is automatically redirected to the next available VPN server.

    This setup ensures that clients from any location can enjoy optimal VPN performance and a fast connection to the company HQ, even while traveling.

    Example solution

    The diagram below illustrates the solution for when all the client’s incoming traffic comes from one location.

    Configuration Steps

    1. Create a new FQDN for your FortiGate VPN in GSLB Services.
      1. For this example, the name of the FQDN will be 'VPN-hq.fgt.com'.
      2. For details on creating an FQDN, refer to Configuring GSLB Objects.

    2. FQDN Member and Virtual Server Setup.

      1. Click Create Member. This option appears when you save the parent record from the previous step.
      2. Create a new virtual server. In this example, we will call it 'Pool1'.
        1. If you would like to load balance based on physical location, select GEO as the preferred method.
        2. Click Save.
    3. Create a pool member, a FortiGate connector, and a new connector member
      1. Create a pool member for 'Pool1' and create a new FortiGate Connector. We will refer to this connector as 'fgt-VPN1'.

      2. Create a new Data Center and create a new connector member. We can refer to this member as 'VPN1-DC1'.
      3. Add FortiGate 'VPN IP VPN1-DC1' Public IP and enable health check of your choice. In this case, we have enabled 'Default_HLTHCK_ICMP'.
    4. Repeat step 3 for all additional Virtual Servers.

    Note: The virtual server from the FortiGate Connector will be added into Pool and Connector directly and will work in GSLB services.

    Sample topology view in GSLB

    We have added each FortiGate VPN server into the GSLB pool. GSLB will load balance client traffic geographically using connector locations.

    After completing these steps, the customer can monitor the VPN service status from both Location DC1 and Location DC2 on the GSLB Service detail page. The GSLB will load balance the traffic to the connector that have the nearest location. If the nearest location VPN server is down, the GSLB will direct the traffic to other available location. If both VPN service servers are not available, the GSLB will direct traffic to the default VPN server.

    Note: The virtual servers from the FortiGate connector will be added into Pool and Connector directly and will work in GSLB Services.

    Previous
    Next