Fortinet black logo

Handbook

Example HTTP load balancing to three real web servers

6.0.0
Copy Link
Copy Doc ID 4afb0436-a998-11e9-81a4-00505692583a:628360
Download PDF

Example HTTP load balancing to three real web servers

In this example, a virtual web server with IP address 192.168.37.4 on the Internet, is mapped to three real web servers connected to the FortiGate unit dmz1 interface. The real servers have IP addresses 10.10.123.42, 10.10.123.43, and 10.10.123.44. The virtual server uses the First Alive load balancing method. The configuration also includes an HTTP health check monitor that includes a URL used by the FortiGate unit for get requests to monitor the health of the real servers.

Connections to the virtual web server at IP address 192.168.37.4 from the Internet are translated and load balanced to the real servers by the FortiGate unit. First alive load balancing directs all sessions to the first real server. The computers on the Internet are unaware of this translation and load balancing and see a single virtual server at IP address 192.168.37.4 rather than the three real servers behind the FortiGate unit.

Virtual server configuration example

GUI configuration

Use the following procedures to configure this load balancing setup from the GUI.

To add an HTTP health check monitor

In this example, the HTTP health check monitor includes the URL “/index.html” and the Matched Phrase “Fortinet products”.

  1. Go to Policy & Objects > Health Check.
  2. Select Create New.
  3. Add an HTTP health check monitor that sends get requests to http://<real_server_IP_address>/index.html and searches the returned web page for the phrase “Fortinet products”.
  4. Name

    HTTP_health_chk_1

    Type

    HTTP

    Port

    80

    URL

    /index.html

    Matched Content

    Fortinet products

    Interval

    10 seconds

    Timeout

    2 seconds

    Retry

    3

  5. Select OK.
To add the HTTP virtual server and the real servers
  1. Go to Policy & Objects > Virtual Servers.
  2. Select Create New.
  3. Add an HTTP virtual server that allows users on the Internet to connect to the real servers on the internal network. In this example, the FortiGate wan1 interface is connected to the Internet.
  4. Name

    Load_Bal_VS1

    Type

    HTTP

    Interface

    wan1

    Virtual Server IP

    192.168.37.4

    The public IP address of the web server.

    The virtual server IP address is usually a static IP address obtained from your ISP for your web server. This address must be a unique IP address that is not used by another host and cannot be the same as the IP address of the external interface the virtual IP will be using. However, the external IP address must be routed to the selected interface. The virtual IP address and the external IP address can be on different subnets. When you add the virtual IP, the external interface responds to ARP requests for the external IP address.

    Virtual Server Port

    80

    Load Balance Method

    First Alive

    Persistence

    HTTP cookie

    Health Check

    HTTP_health_chk_1

    HTTP Multiplexing

    Turn on.

    The FortiGate unit multiplexes multiple client into a few connections between the FortiGate unit and each real HTTP server. This can improve performance by reducing server overhead associated with establishing multiple connections.

    Preserve Client IP

    Turn on.

    The FortiGate unit preserves the IP address of the client in the X-Forwarded-For HTTP header.

  5. Add three real servers to the virtual server. Each real server must include the IP address of a real server on the internal network.

    Configuration for the first real server.

  6. IP Address

    10.10.10.42

    Port

    80

    Max Connections

    0

    Setting Max Connections to 0 means the FortiGate unit does not limit the number of connections to the real server. Since the virtual server uses First Alive load balancing you may want to limit the number of connections to each real server to limit the traffic received by each server. In this example, the Max Connections is initially set to 0 but can be adjusted later if the real servers are getting too much traffic.

    Mode

    Active

    Configuration for the second real server.

    IP Address

    10.10.10.43

    Port

    80

    Max Connections

    0

    Mode

    Active

    Configuration for the third real server.

    IP Address

    10.10.10.44

    Port

    80

    Max Connections

    0

    Mode

    Active

To add the virtual server to a security policy

Add a wan1 to dmz1 security policy that uses the virtual server so that when users on the Internet attempt to connect to the web server’s IP address, packets pass through the FortiGate unit from the wan1 interface to the dmz1 interface. The virtual IP translates the destination address of these packets from the virtual server IP address to the real server IP addresses.

  1. Go to Policy & Objects > IPv4 Policy.
  2. Select Create New.
  3. Configure the security policy:
  4. Name

    Add a name for the policy.

    Incoming Interface

    wan1

    Outgoing Interface

    dmz1

    Source

    all (or a more specific address)

    Destination

    Load_Bal_VS1

    Schedule

    always

    Service

    HTTP

    Action

    ACCEPT

    NAT

    Select this option and select Use Destination Interface Address.

    Log Allowed Traffic

    Select to log virtual server traffic

  5. Select other security policy options as required.
  6. Select OK.

CLI configuration

Use the following procedure to configure this load balancing setup from the CLI.

To configure HTTP load balancing
  1. Use the following command to add an HTTP health check monitor that sends get requests to http://<real_server_IP_address>/index.html and searches the returned web page for the phrase “Fortinet products”.
  2. config firewall ldb-monitor

    edit HTTP_health_chk_1

    set type http

    set port 80

    set http-get /index.html

    set http-match “Fortinet products”

    set interval 10

    set timeout 2

    set retry 3

    end

  3. Use the following command to add an HTTP virtual server that allows users on the Internet to connect to the real servers on the internal network. In this example, the FortiGate wan1 interface is connected to the Internet.
  4. config firewall vip

    edit Load-Bal_VS1

    set type server-load-balance

    set server-type http

    set ldb-method first-alive

    set http-multiplex enable

    set http-ip-header enable

    set extip 192.168.37.4

    set extintf wan1

    set extport 80

    set persistence http-cookie

    set monitor HTTP_health_chk_1

    config realservers

    edit 1

    set ip 10.10.10.42

    set port 80

    next

    edit 2

    set ip 10.10.10.43

    set port 80

    next

    edit 3

    set ip 10.10.10.44

    set port 80

    end

    end

  5. Use the following command to add a security policy that includes the load balance virtual server as the destination address.
  6. config firewall policy

    edit 0

    set name <policy-name>

    set srcintf wan1

    set srcaddr all

    set dstintf dmz1

    set dstaddr Load-Bal_VS1

    set action accept

    set schedule always

    set service ALL

    set nat enable

    end

    Configure other security policy settings as required.

Example HTTP load balancing to three real web servers

In this example, a virtual web server with IP address 192.168.37.4 on the Internet, is mapped to three real web servers connected to the FortiGate unit dmz1 interface. The real servers have IP addresses 10.10.123.42, 10.10.123.43, and 10.10.123.44. The virtual server uses the First Alive load balancing method. The configuration also includes an HTTP health check monitor that includes a URL used by the FortiGate unit for get requests to monitor the health of the real servers.

Connections to the virtual web server at IP address 192.168.37.4 from the Internet are translated and load balanced to the real servers by the FortiGate unit. First alive load balancing directs all sessions to the first real server. The computers on the Internet are unaware of this translation and load balancing and see a single virtual server at IP address 192.168.37.4 rather than the three real servers behind the FortiGate unit.

Virtual server configuration example

GUI configuration

Use the following procedures to configure this load balancing setup from the GUI.

To add an HTTP health check monitor

In this example, the HTTP health check monitor includes the URL “/index.html” and the Matched Phrase “Fortinet products”.

  1. Go to Policy & Objects > Health Check.
  2. Select Create New.
  3. Add an HTTP health check monitor that sends get requests to http://<real_server_IP_address>/index.html and searches the returned web page for the phrase “Fortinet products”.
  4. Name

    HTTP_health_chk_1

    Type

    HTTP

    Port

    80

    URL

    /index.html

    Matched Content

    Fortinet products

    Interval

    10 seconds

    Timeout

    2 seconds

    Retry

    3

  5. Select OK.
To add the HTTP virtual server and the real servers
  1. Go to Policy & Objects > Virtual Servers.
  2. Select Create New.
  3. Add an HTTP virtual server that allows users on the Internet to connect to the real servers on the internal network. In this example, the FortiGate wan1 interface is connected to the Internet.
  4. Name

    Load_Bal_VS1

    Type

    HTTP

    Interface

    wan1

    Virtual Server IP

    192.168.37.4

    The public IP address of the web server.

    The virtual server IP address is usually a static IP address obtained from your ISP for your web server. This address must be a unique IP address that is not used by another host and cannot be the same as the IP address of the external interface the virtual IP will be using. However, the external IP address must be routed to the selected interface. The virtual IP address and the external IP address can be on different subnets. When you add the virtual IP, the external interface responds to ARP requests for the external IP address.

    Virtual Server Port

    80

    Load Balance Method

    First Alive

    Persistence

    HTTP cookie

    Health Check

    HTTP_health_chk_1

    HTTP Multiplexing

    Turn on.

    The FortiGate unit multiplexes multiple client into a few connections between the FortiGate unit and each real HTTP server. This can improve performance by reducing server overhead associated with establishing multiple connections.

    Preserve Client IP

    Turn on.

    The FortiGate unit preserves the IP address of the client in the X-Forwarded-For HTTP header.

  5. Add three real servers to the virtual server. Each real server must include the IP address of a real server on the internal network.

    Configuration for the first real server.

  6. IP Address

    10.10.10.42

    Port

    80

    Max Connections

    0

    Setting Max Connections to 0 means the FortiGate unit does not limit the number of connections to the real server. Since the virtual server uses First Alive load balancing you may want to limit the number of connections to each real server to limit the traffic received by each server. In this example, the Max Connections is initially set to 0 but can be adjusted later if the real servers are getting too much traffic.

    Mode

    Active

    Configuration for the second real server.

    IP Address

    10.10.10.43

    Port

    80

    Max Connections

    0

    Mode

    Active

    Configuration for the third real server.

    IP Address

    10.10.10.44

    Port

    80

    Max Connections

    0

    Mode

    Active

To add the virtual server to a security policy

Add a wan1 to dmz1 security policy that uses the virtual server so that when users on the Internet attempt to connect to the web server’s IP address, packets pass through the FortiGate unit from the wan1 interface to the dmz1 interface. The virtual IP translates the destination address of these packets from the virtual server IP address to the real server IP addresses.

  1. Go to Policy & Objects > IPv4 Policy.
  2. Select Create New.
  3. Configure the security policy:
  4. Name

    Add a name for the policy.

    Incoming Interface

    wan1

    Outgoing Interface

    dmz1

    Source

    all (or a more specific address)

    Destination

    Load_Bal_VS1

    Schedule

    always

    Service

    HTTP

    Action

    ACCEPT

    NAT

    Select this option and select Use Destination Interface Address.

    Log Allowed Traffic

    Select to log virtual server traffic

  5. Select other security policy options as required.
  6. Select OK.

CLI configuration

Use the following procedure to configure this load balancing setup from the CLI.

To configure HTTP load balancing
  1. Use the following command to add an HTTP health check monitor that sends get requests to http://<real_server_IP_address>/index.html and searches the returned web page for the phrase “Fortinet products”.
  2. config firewall ldb-monitor

    edit HTTP_health_chk_1

    set type http

    set port 80

    set http-get /index.html

    set http-match “Fortinet products”

    set interval 10

    set timeout 2

    set retry 3

    end

  3. Use the following command to add an HTTP virtual server that allows users on the Internet to connect to the real servers on the internal network. In this example, the FortiGate wan1 interface is connected to the Internet.
  4. config firewall vip

    edit Load-Bal_VS1

    set type server-load-balance

    set server-type http

    set ldb-method first-alive

    set http-multiplex enable

    set http-ip-header enable

    set extip 192.168.37.4

    set extintf wan1

    set extport 80

    set persistence http-cookie

    set monitor HTTP_health_chk_1

    config realservers

    edit 1

    set ip 10.10.10.42

    set port 80

    next

    edit 2

    set ip 10.10.10.43

    set port 80

    next

    edit 3

    set ip 10.10.10.44

    set port 80

    end

    end

  5. Use the following command to add a security policy that includes the load balance virtual server as the destination address.
  6. config firewall policy

    edit 0

    set name <policy-name>

    set srcintf wan1

    set srcaddr all

    set dstintf dmz1

    set dstaddr Load-Bal_VS1

    set action accept

    set schedule always

    set service ALL

    set nat enable

    end

    Configure other security policy settings as required.