Load balancing with FortiGate

Load balancing with FortiGate includes all the features you need to distribute traffic across multiple servers in your infrastructure deployed in Selectel, including both dedicated hardware servers and virtual servers in the Selectel Cloud Platform.

FortiGate provides comprehensive protection for your infrastructure and balances server loads by distributing traffic flows according to predefined rules, allowing you to combine load balancer, Next Generation Firewall (NGFW), and threat protection in a single appliance.

Load balancing based on FortiGate solutions provides:

  • fast and reliable processing of requests;
  • significant simplification of the network architecture;
  • reduction of operating costs.

The load balancer supports HTTP, HTTPS, IMAPS, POP3S, SMTPS and generic SSL virtual servers, as well as lower-level TCP, UDP and IP forwarding. Session persistence is supported based on the SSL session ID or on an HTTP cookie inserted by the FortiGate unit.

Health Check is a mechanism for checking the health of real servers so that load-balanced traffic is not sent to servers that have failed or stopped responding. The check uses ICMP ping or a more thorough probe of a TCP connection or an HTTP request. A real server that fails its health check is removed from the load balancing cluster and returned to it once the check succeeds again. Removal is governed by the following settings:

  • Interval — how often the server is checked;
  • Timeout — the maximum time to wait for a response before a single check is counted as failed;
  • Retry — the number of consecutive failed checks after which the server is considered unavailable and removed from rotation.

Types of Health Check by protocol: TCP, HTTP, PING. URL and content matching are available only for the HTTP type.

Virtual Server — the external IP address and port on the FortiGate unit that receives client traffic. Sessions arriving at the virtual server are distributed by the load balancer among the real servers.

Real Server — the actual server to which requests are forwarded after balancing. Several real servers can be assigned to each virtual server. The Real Server configuration consists of the IP address and the port number on which the real server accepts sessions; the FortiGate unit sends sessions to that IP address using the destination port from the real server configuration, so the real server port may differ from the virtual server port.

SSL Offloading moves the TLS encryption work for client-to-server connections from the servers onto the FortiGate unit, which performs it on a dedicated processor. It can only be used when the virtual server type is one of the SSL types (HTTPS, IMAPS, POP3S, SMTPS, SSL). The Mode setting selects which segments of the connection are offloaded:

  • Client ⟷ FortiGate — only the segment between the client and the FortiGate unit is terminated and hardware-accelerated on the FortiGate. This is referred to as half mode SSL offloading. The segment between the FortiGate unit and the server is sent in clear text, which gives the best performance, but it means the real servers must accept unencrypted traffic and the network between the FortiGate and the servers must be trusted;
  • Full — hardware-accelerated processing is applied to both segments, that is, Client ⟷ FortiGate ⟷ Server. The segment between the FortiGate unit and the server stays encrypted, with abbreviated handshakes. This is less efficient than half mode, but it still offloads the servers and keeps the traffic encrypted end to end.

HTTP multiplexing is a feature that allows the FortiGate unit to send requests from many clients to a real server over a single persistent TCP connection instead of opening a new server-side connection for every client request. The FortiGate terminates the client connections, forwards the requests over the shared connection to the server and returns each response to the client it belongs to. This reduces the connection-setup load on the web server, because the cost of repeated TCP (and, in full SSL offloading mode, TLS) handshakes is taken off the server.

Because the connection reuse happens between the FortiGate unit and the server, it also helps when users' web browsers only support HTTP 1.0, which has no persistent connections: enabling HTTP multiplexing still lets the FortiGate keep a single connection open to the web server.

Persistence is a setting that stores and tracks session data to ensure that a user is connected to the same real server each time they make a request that is part of the same session or of subsequent sessions. HTTP cookie persistence uses a cookie inserted by the FortiGate unit for this purpose.

When Persistence is configured, the FortiGate unit assigns each new session to a live real server according to the load balancing method. If the session carries an HTTP cookie or SSL session ID the FortiGate has already seen, all subsequent sessions with the same HTTP cookie or SSL session ID are sent to the same real server, as long as that server is still alive.

Load balancing methods

Traffic can be distributed among the real servers using one of the following methods:

  • static — even distribution of load between servers according to a fixed rule, without taking the current load of the servers into account;
  • round-robin — each new session goes to the next real server in turn, regardless of response time or number of connections;
  • weighted — distribution based on weights assigned to the servers to account for differences in their capacity: servers with a higher weight receive a higher percentage of the connections;
  • least-session — each new session goes to the server with the smallest number of current sessions; recommended when the servers have similar capabilities;
  • least-rtt — distribution based on round-trip time: each new session goes to the server with the lowest RTT, as measured by a Ping health check monitor. Without a Ping health check the RTT of every server defaults to 0, so the method cannot tell the servers apart;
  • first-alive — all sessions go to the first live server in the list; the load is not distributed among servers, which provides failover only: the "first" server handles everything while it is alive, and when it fails the sessions switch to the next live server;
  • http-host — distribution based on the HTTP Host header, so that requests for a given host name are sent to a specific real server.

Before setting up the balancer

Before configuring load balancing in the GUI, enable the display of the corresponding settings section.

  1. Go to System > Feature Visibility.
  2. Enable Load Balance in the Additional Features list.

This example looks at the load balancing settings for HTTP and HTTPS on a hardware FortiGate-100E. Its initial basic configuration can be carried out according to the instructions on how to configure firewalls. Cloud servers in the Selectel Cloud Platform are used as the real servers.

The FortiGate and the project in the Cloud Platform are connected by a private network over the global router, which links regions and services, so dedicated servers and VMware-based servers in the Cloud can also be placed behind the firewall.

Configure the balancer

In this configuration, the balancer distributes HTTP traffic from the Internet to three web servers on the internal network. HTTP sessions are received on the wan1 interface with a destination IP address of 172.20.120.121 on TCP port 3080 and forwarded from the internal interface to the web servers. During forwarding, the destination address of each session is translated to the IP address of one of the web servers.

HTTPS traffic is balanced in a similar manner.

Create Health Check

HTTP

For the HTTP servers, create a Health Check of type HTTP, which lets you specify the URL to request (/index.html) and the content the response must contain ("Selectel").

To configure a Health Check that sends GET requests to http://<real_server_IP_address>/index.html and searches the returned web page for the phrase "Selectel", perform the following steps:

  1. Go to the section Policy & Objects > Health Check.
  2. Press the button Create New.
  3. Enter a name in the field Name.
  4. Specify the type HTTP in the field Type.
  5. Enter the port in the field Port (the default for HTTP traffic is 80).
  6. Enter the URL /index.html in the field URL and the desired phrase in the field Matched content.
  7. Adjust Interval, Timeout and Retry if the defaults do not suit your servers.

HTTPS

To monitor the health of the servers at the HTTPS level, a similar Health Check is created, but of type TCP on port 443, without the URL and content matching, since those are only available for the HTTP type.
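The same two health checks expressed in the FortiOS CLI, as an added example that is not part of the original page. The monitor names, the interval/timeout/retry values and the port numbers are assumptions for this example; the URL and matched content are the ones used in the GUI steps above.

```fortios
# Added example: CLI equivalent of the two Health Checks created in the GUI.
# Names and timing values are assumed for this example.

config firewall ldb-monitor
    # HTTP check: GET /index.html on port 80, the reply must contain "Selectel".
    # A server is pulled from rotation after 3 consecutive failures
    # (retry 3), with a check every 10 s and a 2 s response timeout.
    edit "hc-http-index"
        set type http
        set interval 10
        set timeout 2
        set retry 3
        set port 80
        set http-get "/index.html"
        set http-match "Selectel"
    next
    # HTTPS servers: plain TCP connect to port 443, no URL or content match
    # (those fields exist only for the http type).
    edit "hc-tcp-443"
        set type tcp
        set interval 10
        set timeout 2
        set retry 3
        set port 443
    next
end
```

The HTTP check is the more useful of the two: a server whose process is alive but serving an error page fails the content match and is removed, whereas a bare TCP check only proves that something is listening on the port.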

Create Virtual server

HTTP

Virtual Server for HTTP

A Virtual Server is created that will receive the HTTP requests.

  1. Go to the section Policy & Objects > Virtual Servers.
  2. Press the button Create New.
  3. Enter a name in the field Name, select HTTP in the field Type and the external interface in the field Interface.
  4. In Virtual server IP and Virtual server port, enter the external IP address and port on which requests will be received.
  5. In the drop-down menu Load balancing method, select the load balancing method that is appropriate for your case.
  6. Enable the option Persistence to keep a client on the same server by selecting the value HTTP Cookie.
  7. In Health check, select the health check monitor you created earlier by pressing +.
  8. Enable the option HTTP multiplexing if you want the FortiGate to reuse a single TCP connection to each real server for requests from different clients.
  9. Enable the option Preserve client IP to pass the client's IP address to the real servers in the HTTP header X-Forwarded-For. This is needed when HTTP multiplexing is enabled and the real servers must record the client's source IP address, for example in log messages. Configure the web servers to trust this header only when the request comes from the FortiGate's internal address, otherwise a client can spoof its own X-Forwarded-For value.

Bind real servers to the virtual server

  1. In the section Policy & Objects > Virtual Servers, where you are still configuring the Virtual Server, go to the Real Servers table.
  2. In the table Real Servers, click Create New.
  3. In the window that opens, add the IP address and port of the server you want to connect. In this case, the HTTP server is deployed on port 80.
  4. Press the button OK.
  5. Add all servers involved in load balancing by repeating steps 1-4.
  6. Save the Virtual Server settings by pressing the button OK.
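The HTTP virtual server and its three real servers, with the options from the GUI steps above, as an added example in the FortiOS CLI; this is not configuration from the original page. The virtual server name, the internal interface name and the real server addresses 192.168.101.11-13 are assumptions; the external address 172.20.120.121, port 3080 and interface wan1 are the ones used in this example.

```fortios
# Added example: the HTTP virtual server from the GUI steps above.
# Real server addresses and the VIP name are assumed.

config firewall vip
    edit "vs-http"
        set type server-load-balance
        # external address and port clients connect to (wan1 side)
        set extip 172.20.120.121
        set extintf "wan1"
        set extport 3080
        set server-type http
        # health check created earlier; a server that fails it leaves rotation
        set monitor "hc-http-index"
        # GUI "Load balancing method": round-robin = next server in turn
        set ldb-method round-robin
        # GUI "Persistence: HTTP Cookie": FortiGate inserts a cookie and
        # later sends requests carrying it to the same real server
        set persistence http-cookie
        # GUI "HTTP multiplexing": reuse one server-side TCP connection
        set http-multiplex enable
        # GUI "Preserve client IP": add X-Forwarded-For with the client address,
        # required for server logs once multiplexing hides the client
        set http-ip-header enable
        config realservers
            edit 1
                set ip 192.168.101.11
                set port 80
            next
            edit 2
                set ip 192.168.101.12
                set port 80
            next
            edit 3
                set ip 192.168.101.13
                set port 80
            next
        end
    next
end
```

Note that the real server port (80) is independent of the external port (3080): the FortiGate rewrites the destination address and port when it forwards the session.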

HTTPS

For HTTPS the FortiGate unit terminates TLS on behalf of the servers, so the server certificate and its private key must first be imported onto the FortiGate.

Add SSL Certificate
  1. Go to the section System > Certificates.
  2. Make sure that Certificates is enabled in System > Feature Visibility.
  3. Select Import > Local Certificate.
  4. In the window that opens, set Type to Certificate, then upload the Certificate file and the Key file for your certificate.
  5. Enter the private key password in the field Password, if the key is encrypted.

After the actions performed, the server certificate will appear in the list Certificates.

Virtual Server for HTTPS

For HTTPS, a virtual server is created in the same way as for HTTP, but with the Virtual Server type set to HTTPS in the field Type.

For Persistence, SSL Session ID can be selected in addition to HTTP Cookie.

To offload TLS onto the FortiGate, select the desired mode in the field Mode of the SSL Offloading subsection. This determines which segment of the connection is offloaded: Client-FortiGate or Full. In Client-FortiGate mode the FortiGate-to-server segment is unencrypted, so use it only if the real servers accept plain HTTP and the internal network between the FortiGate and the servers is trusted.

Also select the SSL certificate imported earlier from the drop-down menu in the field Certificate.

Bind a real server to a virtual server

In the subsection Real Servers, add the real servers between which the load will be balanced in the same way. Specify the port on which the web servers accept HTTPS traffic (the default is 443). In Client-FortiGate (half) mode the FortiGate connects to the servers in clear text, so specify their HTTP port instead.
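The HTTPS virtual server in the FortiOS CLI, as an added example that is not configuration from the original page. It uses full SSL offloading so that the FortiGate-to-server segment stays encrypted and the real servers keep listening on 443; the weighted method and the weights, the VIP name, the certificate name "selectel-web-cert" and the real server addresses are assumptions for this example.

```fortios
# Added example: HTTPS virtual server with SSL offloading.
# VIP name, certificate name, weights and server addresses are assumed.

config firewall vip
    edit "vs-https"
        set type server-load-balance
        set extip 172.20.120.121
        set extintf "wan1"
        set extport 443
        set server-type https
        # TCP check on 443 created earlier
        set monitor "hc-tcp-443"
        # weighted: server 1 gets roughly half of the new sessions (3 of 6)
        set ldb-method weighted
        # GUI "Persistence: SSL Session ID"
        set persistence ssl-session-id
        # GUI "SSL Offloading: Full": client<->FortiGate and FortiGate<->server
        # are both TLS; with "half" the server side would be clear-text HTTP
        # and the real server ports below would have to be the HTTP port.
        set ssl-mode full
        # certificate and key imported under System > Certificates
        set ssl-certificate "selectel-web-cert"
        # the FortiGate now owns the client-facing TLS policy: refuse
        # legacy protocol versions and weak cipher suites at the edge
        set ssl-min-version tls-1.2
        set ssl-algorithm high
        config realservers
            edit 1
                set ip 192.168.101.11
                set port 443
                set weight 3
            next
            edit 2
                set ip 192.168.101.12
                set port 443
                set weight 2
            next
            edit 3
                set ip 192.168.101.13
                set port 443
                set weight 1
            next
        end
    next
end
```

Because the FortiGate terminates the client TLS session, the minimum version and cipher strength configured here are what clients see, regardless of what the real servers support.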

Create a policy

To create a security policy that uses the load balancing virtual server as the destination address:

  1. Go to the section Policy & Objects > IPv4 Policy.
  2. Press the button Create New.
  3. Specify the name of the policy in the field Name.
  4. Specify the incoming interface in Incoming interface and, in Outgoing interface, the interface behind which the servers are connected.
  5. In the field Source, select the object all by pressing +.
  6. In the field Destination, select the load balancing virtual server created earlier. It is important that Inspection mode is set to Proxy-based in the policy settings. If the mode is set to Flow-based, the virtual server will not be available for selection.
  7. Disable NAT so that the servers "see" the IP addresses of the connecting clients. With NAT disabled the real servers must route their replies back through the FortiGate (for example, with the FortiGate as their default gateway); otherwise the return traffic bypasses the balancer and the connections fail.
  8. Policies for the HTTP and HTTPS balancers are created in the same way; the only difference is the virtual server selected in the field Destination.
  9. Press the button OK to save the policy settings.
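The policy for the HTTP virtual server in the FortiOS CLI, as an added example that is not from the original page. Instead of a service of ALL, it defines a custom service for the external port so the policy only admits the traffic the virtual server actually listens for; the service name, policy name and the internal interface name "internal" are assumptions.

```fortios
# Added example: firewall policy admitting Internet clients to the HTTP VIP.
# Policy and service names and the interface "internal" are assumed.

# Custom service matching only the virtual server's external port,
# rather than ALL, so no other destination ports are opened by this policy.
config firewall service custom
    edit "tcp-3080"
        set tcp-portrange 3080
    next
end

config firewall policy
    # "edit 0" lets FortiOS allocate the next free policy ID
    edit 0
        set name "lb-http-in"
        set srcintf "wan1"
        set dstintf "internal"
        set srcaddr "all"
        # the virtual server object is the destination
        set dstaddr "vs-http"
        set action accept
        set schedule "always"
        set service "tcp-3080"
        # virtual servers are only selectable in proxy-based inspection
        set inspection-mode proxy
        # NAT disabled: real servers see the client source address, so their
        # default route must point back to the FortiGate
        set nat disable
        set logtraffic all
    next
end
```

The same policy for the HTTPS balancer differs only in the destination object (the HTTPS virtual server) and the service (port 443).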

Result

In this example, HTTP traffic load balancing was configured between three servers.

Requests received at the virtual server address 172.20.120.121:3080 are forwarded to the real servers in turn according to the selected method.

To make the switching between servers visible when repeatedly requesting the same address, the content served by each server in this example is different.

To see the status of the balancer's real servers graphically, go to Monitor > Load Balance Monitor (for FortiOS version 6.2).

You can use the following diagnostic console commands to view status information about load-balanced virtual and real servers (the trailing ? lists the available subcommands):

# diagnose firewall vip realserver ?

For example, the following commands list and display status information about all real servers:

# diagnose firewall vip virtual-server real-server
...
# diagnose firewall vip realserver list

Many of these commands report on one or more virtual servers. To restrict the output to particular servers, set a filter first:

# diagnose firewall vip virtual-server filter ?

# diagnose firewall vip virtual-server filter ?

The most direct check is the built-in packet sniffer. The following command on the FortiGate tracks the distribution of traffic; the interface (here lan) and the port filter keep the output readable, and the trailing number is the verbosity level:

# diagnose sniffer packet lan 'port 80' ?
...
# diagnose sniffer packet lan 'port 80' 5

You can also watch the traffic on the real server itself, for example with tcpdump. When NAT is disabled in the balancer policy on the FortiGate, the source address of the captured packets is the client's own IP address:

root@server1:~# tcpdump -n -i eth1 port 80 and host 192.168.101.2

When NAT is enabled, the FortiGate's interface address appears as the source address instead, and the client can only be identified from the X-Forwarded-For header if Preserve client IP is enabled:

root@server1:~# tcpdump -n -i eth1 port 80 and host 192.168.101.2