Load Balancing with FortiGate

Load balancing with FortiGate includes all the necessary features for distributing traffic between multiple servers in your infrastructure deployed in Selectel, including both dedicated hardware servers and virtual servers in the Selectel Cloud Platform.

Load balancing based on FortiGate solutions provides:

  • fast and reliable request processing;
  • significant simplification of the network architecture;
  • reduction in operational costs.

The load balancer supports HTTP, HTTPS, IMAPS, POP3S, SMTPS, SSL, or lower-level TCP/UDP or IP protocols. Session persistence is supported based on the SSL session ID or based on the injected HTTP cookie.

Health Check is a mechanism for verifying server health so that the load balancer does not send traffic to non-functioning servers. ICMP ping or more complex TCP connection tests are used for verification. Health Check removes non-functioning real servers from the load balancing cluster. Removal of a real server from the cluster is governed by the following settings:

  • Interval — how often the server is checked;
  • Timeout — the maximum allowed response time before a server is considered unavailable;
  • Retry — the number of failures before a server is considered unavailable, after which it is removed.

Health Check types by protocol: TCP, HTTP, PING.

Virtual Server — a virtual server whose external IP address receives traffic that is redirected to the load balancer.

Real Server — a functional, real server that receives requests after load balancing. Multiple real servers can be assigned to each virtual server. The real server configuration includes the IP address and port number on which the real server accepts sessions. The FortiGate device sends sessions to the real server IP address using the destination port number from the real server configuration.

SSL Offloading is an SSL connection acceleration mechanism where encryption operations are performed on the FortiGate instead of on the servers themselves using a separate dedicated processor. This mechanism can only be applied if one of the SSL protocols (HTTPS, IMAPS, POP3S, SMTPS, SSL) is set for load balancing. FortiGate allows you to choose which segments of the SSL connection will receive SSL offloading by defining a mode:

  • Client ⟷ FortiGate — a mode in which hardware-accelerated SSL/TLS processing applies only to the part of the connection between the client and the FortiGate device. This mode is called half mode SSL offloading. The segment between the FortiGate device and the server will use a clear text connection, which will provide better performance;
  • Full — a mode in which hardware-accelerated SSL processing is applied to both parts of the connection: the segment between the client and the FortiGate appliance and the segment between the FortiGate appliance and the server, i.e., Client ⟷ FortiGate ⟷ Server. The segment between the FortiGate device and the server will use an encrypted connection, but "handshakes" will be reduced. This is not as efficient as SSL offloading in half mode, but it still increases performance.

HTTP multiplexing is a feature that allows a web client to use a single TCP connection for all server requests. This feature reduces the load on the web server by establishing a single connection through which requests and responses are sent in parallel. Each fragment is associated using special built-in metadata, which enables the correct processing of multiple unrelated HTTP or HTTPS requests in different orders within the same connection. Furthermore, responses are received as they become ready; therefore, heavy requests will not block the processing and delivery of simpler objects.

For example, if user web browsers are only compatible with HTTP 1.0, in which this feature is not implemented, enabling the HTTP multiplexing option can improve performance between the web server and FortiGate.

Persistence — a parameter that preserves and tracks session data to ensure that a user connects to the same server every time they make a request that is part of the same session or subsequent sessions. HTTP cookie persistence uses embedded cookies to ensure persistence.

When Persistence is configured, FortiGate distributes new sessions across the real servers according to the load balancing method. Once a session carries an HTTP cookie or SSL session ID, the FortiGate device sends all subsequent sessions with the same HTTP cookie or SSL session ID to the same real server.

Load balancing methods

Traffic can be distributed between servers based on the following methods:

  • static — uniform load distribution between servers according to a predefined algorithm, without considering server load;
  • round-robin — distribution based on the round-robin algorithm, which cycles through equivalent servers independently of response time or the number of connections;
  • weighted — distribution based on assigned weights for servers to account for features and differences, where servers with a higher weight value receive a larger percentage of connections;
  • least-session — distribution in which requests are directed to the server with the least number of current connections; it is recommended for use when servers have similar capabilities;
  • least-rtt — distribution based on Round-Trip-Time, in which requests are directed to the server with the lowest value, which is determined by the Ping health check monitor and is 0 by default if the Ping health check is not set;
  • first-alive — distributing the load to the first active server, providing protection against failure: sessions are not distributed between servers but are handled by one “first” server as long as it is “alive,” then it switches to another working server;
  • http-host — distribution based on the HTTP host header to direct the connection to a specific server.

Before configuring the load balancer

Before configuring load balancing in the graphical interface, enable the display of a special settings section.

  1. Go to System → Feature Visibility.
  2. Enable Load Balance in the Additional Features list.

In this example, we will consider Load Balancing settings for HTTP and HTTPS on a hardware FortiGate-100E, the initial basic configuration of which can be performed according to the firewall configuration instructions. Cloud servers in the Selectel Cloud Platform are used as servers.

FortiGate and the project in the Cloud platform are connected by a private network that uses a global router network to connect regions and services, allowing dedicated servers and VMware-based cloud servers to be installed behind the firewall as well.

Configure the load balancer

The settings in the instructions are relevant for FortiOS versions 6.x and 7.x. If you have a different version of FortiOS, you can find the documentation for it in the FortiGate control panel in the upper right corner or on the official FortiGate website.

In this configuration, the load balancer distributes HTTP traffic from the internet to three web servers located on the internal network. HTTP sessions are received on the wan1 interface with the destination IP address 172.20.120.121 on TCP port 3080 and are redirected from the internal interface to the web servers. When forwarding, the session destination address is translated into the IP address of one of the web servers.

HTTPS traffic is balanced in a similar way.

Create a Health Check

HTTP

To check functionality, create a Health Check at the HTTP level for which you can configure the URL /index.html and the content Selectel.

To configure a Health Check that sends GET requests to http://<real_server_IP_address>/index.html and searches for the phrase "Selectel" on the returned web page, follow these steps:

  1. Go to Policy & Objects → Health Check.
  2. Click the Create New button.
  3. Specify a name in the Name field.
  4. Specify the HTTP type in the Type field.
  5. Enter the port in the Port field (default for HTTP traffic is 80).
  6. Enter the search phrase in the Matched content field.
  7. If necessary, specify other parameters.

HTTPS

To monitor the health of servers at the HTTPS level, a similar Health Check is created, except without detailed content and URL verification.

Create a Virtual server

HTTP

Virtual Server for HTTP

A Virtual server is created to receive HTTP requests.

  1. Go to Policy & Objects → Virtual Servers.
  2. Click the Create New button.
  3. Specify a name in the Name field, HTTP type in the Type field, and an interface in the Interface field.
  4. Virtual server IP and Virtual server port are the external IP address and port that will receive requests.
  5. In the Load balancing method drop-down menu, select the load balancing method that suits your case.
  6. Enable the Persistence option to preserve session data by selecting HTTP Cookie.
  7. Select the health check monitor created earlier by clicking +.
  8. Enable the HTTP multiplexing option if you need to use a single TCP connection between the web client and server, including for incoming unrelated requests and responses.
  9. Enable the Preserve client IP option to preserve the client's IP address in the X-Forwarded-For HTTP header. This can be useful when HTTP multiplexing is enabled, if the real servers need to keep the original client IP address, for example, in logs.

Bind real servers to the virtual one

  1. In the Policy & Objects → Virtual Servers section, where you continue to configure the Virtual Server, create Real Servers.
  2. In the Real Servers table, click Create New.
  3. In the window that opens, add the server IP address and port to which the connection is required. In this case, the HTTP server is deployed on port 80.
  4. Click the OK button.
  5. Add all servers participating in load balancing by repeating steps 1-4.
  6. Save the Virtual Server settings by clicking the OK button.
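The Health Check and the HTTP virtual server from the steps above, expressed as the equivalent FortiOS CLI configuration. This is an added example, not configuration taken from the original guide: the object names and the real server addresses 10.10.10.11 to 10.10.10.13 are constructed, while 172.20.120.121, port 3080, wan1, /index.html and the "Selectel" match string come from the page.

```fortios
# Health Check (Policy & Objects > Health Check): GET /index.html on each
# real server; healthy only when the response body contains "Selectel".
config firewall ldb-monitor
    edit "hc-http-index"
        set type http
        set port 80
        set http-get "/index.html"
        set http-match "Selectel"
        # probe every 10 s, fail a probe after 2 s, pull the server after 3 failures
        set interval 10
        set timeout 2
        set retry 3
    next
end

# Virtual Server (Policy & Objects > Virtual Servers): 172.20.120.121:3080
# on wan1, sessions spread over the real servers by round-robin.
config firewall vip
    edit "vs-web-http"
        set type server-load-balance
        set server-type http
        set extintf "wan1"
        set extip 172.20.120.121
        set extport 3080
        set ldb-method round-robin
        # same client cookie -> same real server; servers failing the check are skipped
        set persistence http-cookie
        set monitor "hc-http-index"
        # single TCP connection to the server; X-Forwarded-For carries the client IP
        set http-multiplex enable
        set http-ip-header enable
        config realservers
            edit 1
                # constructed addresses of the three web servers
                set ip 10.10.10.11
                set port 80
            next
            edit 2
                set ip 10.10.10.12
                set port 80
            next
            edit 3
                set ip 10.10.10.13
                set port 80
            next
        end
    next
end
```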

HTTPS

To operate the FortiGate load balancer, you need to upload an SSL certificate.

Add an SSL certificate

  1. Go to System → Certificates.
  2. Ensure that System → Feature Visibility has Certificates enabled.
  3. Select Import → Local Certificate.
  4. In the window that opens, set Type — Certificate, upload the Certificate file and Key file for your certificate.
  5. Enter the password in the Password field.

After performing these actions, the server certificate will appear in the Certificates list.

Virtual Server for HTTPS

For HTTPS, a virtual server is created in the same way as for HTTP, with the Type field set to HTTPS.

For Persistence, you can set the SSL Session ID in addition to HTTP Cookie.

To accelerate the SSL connection, in the SSL Offloading subsection, select the required mode in the Mode field, thereby defining which network segment will be offloaded: Client-FortiGate or Full.

Also, select the SSL certificate imported earlier in the Certificate drop-down menu.

Bind a real server to the virtual one

In the Real Servers subsection, add the real servers between which load will be balanced in the same way. Specify the correct ports on which the web servers are deployed for HTTPS traffic; this is port 443 by default.

Create a policy

To create a security policy that includes the load balancer virtual server as a destination address:

  1. Go to Policy & Objects → IPv4 Policy.
  2. Click the Create New button.
  3. Specify a policy name in the Name field.
  4. In the Incoming Interface field, specify the interface on which client traffic arrives, and in the Outgoing Interface field, the interface behind which the servers are connected.
  5. In the source (Source) field, select the all object by clicking +.
  6. In the Destination field, select the virtual load balancer server created earlier. It is important that the Inspection mode is set to Proxy-based in the policy settings. If the mode is set to Flow-based, the virtual server will be inaccessible.
  7. Disable the NAT mode so that the servers can "see" the IP addresses of the connected clients.
  8. For HTTP and HTTPS load balancers, policies are created in the same way. The only difference is in the selection of the virtual server in the Destination field.
  9. Click the OK button to save the policy settings.
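The HTTPS virtual server with SSL offloading and the security policy from the two sections above, as an added FortiOS CLI example that is not part of the original guide. Assumptions: the imported certificate is named "web-cert", the server-side interface is "internal", the real server address 10.10.10.11 is constructed, and the per-policy inspection-mode setting applies to FortiOS 6.2 and later (on 6.0 the inspection mode is set per VDOM instead).

```fortios
# HTTPS health check: TCP connect to port 443, no URL or content match.
config firewall ldb-monitor
    edit "hc-https-tcp"
        set type tcp
        set port 443
    next
end
# HTTPS virtual server, full-mode SSL offloading: TLS terminated with the
# imported certificate (name "web-cert" assumed), re-encrypted to port 443.
# Half mode would send clear text, so real servers would use their HTTP port.
config firewall vip
    edit "vs-web-https"
        set type server-load-balance
        set server-type https
        set extintf "wan1"
        set extip 172.20.120.121
        set extport 443
        set ldb-method round-robin
        set persistence ssl-session-id
        set monitor "hc-https-tcp"
        set ssl-mode full
        set ssl-certificate "web-cert"
        config realservers
            edit 1
                # constructed address of web server 1
                set ip 10.10.10.11
                set port 443
            next
        end
    next
end
# Policy wan1 -> server-side interface ("internal" assumed). Proxy-based
# inspection is required for the virtual server to be reachable; NAT stays
# disabled so the servers see the real client source address.
config firewall policy
    edit 0
        set name "pol-lb-https"
        set srcintf "wan1"
        set dstintf "internal"
        set srcaddr "all"
        set dstaddr "vs-web-https"
        set action accept
        set schedule "always"
        set service "HTTPS"
        set inspection-mode proxy
        set nat disable
    next
end
```

The policy for the HTTP virtual server is identical apart from dstaddr and a service object matching its listener port (3080 in this guide).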

Result

In this example, load balancing for HTTP traffic was configured between three servers.

Requests arriving at the virtual server address 172.20.120.121:3080 are redirected to real servers one by one according to the selected method.

Shown below is how switching between servers occurs when accessing the same address. For clarity, the content on each server is different.

To enable graphical display of load balancer server statuses, go to Monitor → Load Balance Monitor (for FortiOS version 6.2).

You can use the following console diagnostic commands to view information about the status of virtual and real servers with load balancing:

# diagnose firewall vip realserver ?

For example, the following commands list and display information about the status of all real servers:

# diagnose firewall vip virtual-server real-server
...
# diagnose firewall vip realserver list

Many diagnostic commands include retrieving information about one or more virtual servers. To control which servers are queried, you can define a filter:

# diagnose firewall vip virtual-server filter ?

The most illustrative test is a packet sniffer. Use the following command in FortiGate to track traffic distribution with port and interface filters set for easier viewing:

# diagnose sniffer pa lan ' port 80 ' ?
...
# diagnose sniffer pa lan ' port 80' 5

You can also track traffic on the server itself, for example, using the tcpdump command. Shown below is traffic with NAT disabled when configuring a policy for the load balancer on FortiGate, which allows you to track the client's source IP address.

root@server1:~# tcpdump -n -i eth1 port 80 and host 192.168.101.2

When NAT is enabled, the FortiGate address is displayed as the source IP address:

root@server1:~# tcpdump -n -i eth1 port 80 and host 192.168.101.2