Fortinet white logo
Fortinet white logo

External Load Balancer Configuration

External Load Balancer Configuration

This section provides guidance on how to configure FortiWEB load balancer to work with FortiSIEM Active-Active Supervisor cluster. Most load balancers can also be used. For additional information on FortiWEB configuration, see the FortiWeb documentation library. The example configuration here assumes FortiWeb will have at a minimum, two interfaces.

Port1: External network / subnet - This is where collector / user traffic connects to.

Port2: Internal network / subnet - This is where appServers and Workers reside.

In this example, VMware interfaces map to FortiWeb virtual interfaces when you deploy OVF

Virtual interface 1 is port1 in FortiWeb - 172.30.57.88/22 .1 GW

Virtual interface 2 is port2 in FortiWeb - 10.65.148.3/22

The default route: 172.30.56.1

The general configuration step are:

Define Virtual IPs

  1. Navigate to Network > Virtual IP.

    This is the Load Balancer IPs.

  2. Define one unique free IP in the external subnet for AppServer Load Balancer and Worker Load Balancer

  3. Click Create New.

  4. In the Name field, enter a name, for example, " AppServerLB".

  5. In the IPV4 Address field, enter your IP address. In our example, "172.30.57.89/32".

  6. In the Interface field, enter/select your port. In our example,"port1".

  7. Repeat steps 1 through 7 here in Define Virtual IPs for the Worker Load Balancer, then proceed to Define Virtual Server.

Define Virtual Server

  1. Navigate to Server Objects > Server > Virtual Server.

  2. Click Create New.

  3. In the Name field, enter a name for the virtual server, for example, "AppServer_VS".

  4. Click OK.

  5. Under this setup, click Create New.

  6. Select the Virtual IP that was created earlier.

  7. Click OK.

  8. In Status select Enable.

  9. Leave other options default, and click OK.

Define Supervisor Health Check

  1. Navigate to Server Objects > Server > Health Check.

  2. Click Create New.

  3. In the Name field, enter a name for the Health Check trigger, for example, "AppServerHealthCheck".

  4. For Relationship, select And.

  5. Click OK.

  6. In Rule List, click Create New.

  7. For Type, select TCP SSL and leave the options as default.

  8. Click OK.

  9. In Rule List, click Create New again.

  10. For Type, select HTTP.

  11. In the URL Path field, enter "/phoenix/login.html"

  12. For Method , select GET.

  13. For Match Type, select Response Code.

  14. For Response Code, enter "200".

  15. Click OK on each page.

Define Server Pool

  1. Navigate to Server Objects > Server > Server Pool.

  2. Click Create New.

  3. In the Name field, enter a name for the server pool, for example, "AppServerPool".

  4. For Proto , select HTTP.

  5. For Type, select Reverse Proxy.

  6. For Single Server / Server Balance, select Server Balance.

  7. For Server Health Check, from the drop-down list, select the server health check you created in Define Supervisor Health Check.

  8. For Load Balancing Algorithm, from the drop-down list, select Least Connection or Round Robin.

  9. Click OK.

  10. At the bottom of the page, click Create New.

  11. For each Server in your server pool, in this example AppServer Pool, do the following.

    1. For Status, select Enable.

    2. For Server Type, select IP.

    3. For IP / Domain, enter the IP address range, for example, "#.#.#.#/32".

    4. For Port, enter "443".

    5. For SSL, check it, but ignore client certificate.

    6. Click OK.

Define Server Policy

  1. Navigate to Policy > Server Policy.

  2. In the Name field, enter a name for the server policy, for example, "AppServerPolicy".

  3. For Deployment Mode, select Single Server/Server Balance.

  4. For Virtual Server, select the virtual server you created in Define Virtual Server.

  5. For Server Pool, select the server pool you created in Define Server Pool.

  6. For HTTP Service, select HTTP.

  7. For HTTPS Service, select HTTPS.

  8. For Monitor Mode, enable it.

  9. For Enable Traffic Log, enable it.

  10. Click OK.

Define Static Routes in FortiWeb

For FortiWeb to route non HTTP/HTTPS traffic through FortiWeb, create two policy routes.

  1. Navigate to Network > Route. (See https://docs.fortinet.com/document/fortiweb/7.0.2/administration-guide/55130/configuring-the-network-settings)

  2. Select Policy Route.

  3. Configure the following rules to allow non HTTP/HTTPS traffic inbound.

    1. For If traffic matches Incoming Interface, select your port.

    2. For If traffic matches Source address/mask (IPv4/IPv6), enter the IP range.

    3. For If traffic matches Destination address/mask (IPv4/IPv6), enter the IP range.

    4. For Force traffic to Action, select Stop Policy Routing.

    5. For Force traffic to Priority, enter "200".

    6. Click OK.

  4. Configure the following rules to allow outbound traffic.

    1. For If traffic matches Incoming Interface, select your port.

    2. For If traffic matches Source address/mask (IPv4/IPv6), enter the IP range.

    3. For If traffic matches Destination address/mask (IPv4/IPv6), enter the IP range.

    4. For Force traffic to Action, select Stop Policy Routing.

    5. For Force traffic to Priority, enter "100".

    6. Click OK.

For each "AppServerIP" defined in the server pool, a FortiSIEM leader/follower cluster should use those IPs.

External Load Balancer Configuration

External Load Balancer Configuration

This section provides guidance on how to configure FortiWEB load balancer to work with FortiSIEM Active-Active Supervisor cluster. Most load balancers can also be used. For additional information on FortiWEB configuration, see the FortiWeb documentation library. The example configuration here assumes FortiWeb will have at a minimum, two interfaces.

Port1: External network / subnet - This is where collector / user traffic connects to.

Port2: Internal network / subnet - This is where appServers and Workers reside.

In this example, VMware interfaces map to FortiWeb virtual interfaces when you deploy OVF

Virtual interface 1 is port1 in FortiWeb - 172.30.57.88/22 .1 GW

Virtual interface 2 is port2 in FortiWeb - 10.65.148.3/22

The default route: 172.30.56.1

The general configuration step are:

Define Virtual IPs

  1. Navigate to Network > Virtual IP.

    This is the Load Balancer IPs.

  2. Define one unique free IP in the external subnet for AppServer Load Balancer and Worker Load Balancer

  3. Click Create New.

  4. In the Name field, enter a name, for example, " AppServerLB".

  5. In the IPV4 Address field, enter your IP address. In our example, "172.30.57.89/32".

  6. In the Interface field, enter/select your port. In our example,"port1".

  7. Repeat steps 1 through 7 here in Define Virtual IPs for the Worker Load Balancer, then proceed to Define Virtual Server.

Define Virtual Server

  1. Navigate to Server Objects > Server > Virtual Server.

  2. Click Create New.

  3. In the Name field, enter a name for the virtual server, for example, "AppServer_VS".

  4. Click OK.

  5. Under this setup, click Create New.

  6. Select the Virtual IP that was created earlier.

  7. Click OK.

  8. In Status select Enable.

  9. Leave other options default, and click OK.

Define Supervisor Health Check

  1. Navigate to Server Objects > Server > Health Check.

  2. Click Create New.

  3. In the Name field, enter a name for the Health Check trigger, for example, "AppServerHealthCheck".

  4. For Relationship, select And.

  5. Click OK.

  6. In Rule List, click Create New.

  7. For Type, select TCP SSL and leave the options as default.

  8. Click OK.

  9. In Rule List, click Create New again.

  10. For Type, select HTTP.

  11. In the URL Path field, enter "/phoenix/login.html"

  12. For Method , select GET.

  13. For Match Type, select Response Code.

  14. For Response Code, enter "200".

  15. Click OK on each page.

Define Server Pool

  1. Navigate to Server Objects > Server > Server Pool.

  2. Click Create New.

  3. In the Name field, enter a name for the server pool, for example, "AppServerPool".

  4. For Proto , select HTTP.

  5. For Type, select Reverse Proxy.

  6. For Single Server / Server Balance, select Server Balance.

  7. For Server Health Check, from the drop-down list, select the server health check you created in Define Supervisor Health Check.

  8. For Load Balancing Algorithm, from the drop-down list, select Least Connection or Round Robin.

  9. Click OK.

  10. At the bottom of the page, click Create New.

  11. For each Server in your server pool, in this example AppServer Pool, do the following.

    1. For Status, select Enable.

    2. For Server Type, select IP.

    3. For IP / Domain, enter the IP address range, for example, "#.#.#.#/32".

    4. For Port, enter "443".

    5. For SSL, check it, but ignore client certificate.

    6. Click OK.

Define Server Policy

  1. Navigate to Policy > Server Policy.

  2. In the Name field, enter a name for the server policy, for example, "AppServerPolicy".

  3. For Deployment Mode, select Single Server/Server Balance.

  4. For Virtual Server, select the virtual server you created in Define Virtual Server.

  5. For Server Pool, select the server pool you created in Define Server Pool.

  6. For HTTP Service, select HTTP.

  7. For HTTPS Service, select HTTPS.

  8. For Monitor Mode, enable it.

  9. For Enable Traffic Log, enable it.

  10. Click OK.

Define Static Routes in FortiWeb

For FortiWeb to route non HTTP/HTTPS traffic through FortiWeb, create two policy routes.

  1. Navigate to Network > Route. (See https://docs.fortinet.com/document/fortiweb/7.0.2/administration-guide/55130/configuring-the-network-settings)

  2. Select Policy Route.

  3. Configure the following rules to allow non HTTP/HTTPS traffic inbound.

    1. For If traffic matches Incoming Interface, select your port.

    2. For If traffic matches Source address/mask (IPv4/IPv6), enter the IP range.

    3. For If traffic matches Destination address/mask (IPv4/IPv6), enter the IP range.

    4. For Force traffic to Action, select Stop Policy Routing.

    5. For Force traffic to Priority, enter "200".

    6. Click OK.

  4. Configure the following rules to allow outbound traffic.

    1. For If traffic matches Incoming Interface, select your port.

    2. For If traffic matches Source address/mask (IPv4/IPv6), enter the IP range.

    3. For If traffic matches Destination address/mask (IPv4/IPv6), enter the IP range.

    4. For Force traffic to Action, select Stop Policy Routing.

    5. For Force traffic to Priority, enter "100".

    6. Click OK.

For each "AppServerIP" defined in the server pool, a FortiSIEM leader/follower cluster should use those IPs.