Posted in Firewall, networking

Server load balancing on Fortigate

   06/02/2020  Leave a comment

One of our customer asked us to provide a redundancy for a PAM solution distributed over 2 locations. The two servers was already in active-active state but only for database synchronization. That’s mean if the first one is dead, you have to connect manually to the second one.
From the practical point of view, users are connecting to a Virtual IP, then the FGT is doing the redirection to the working server behind.
Note that you have to enable the “load balance” feature in GUI unless you want to configure it through CLI.

This is the sample topology I used on my lab :

I used the Server load-balancing feature on fortigate to have redundancy. That’s like a VIP but you can add tests on the real servers behind.
You just have to define the test you want to perform the health check monitoring. In my case, I just want to test if the web page is working :

health server check

Then, you can configure the Virtual server:

Virtual server configuration

The secondary server is only used when the primary is down, but you can configure them to be active/active, so you can load-balance traffic between them.
Don’t forget to add a firewall policy (proxy mode) to allow traffic going through the VS IP.

Troubleshooting steps:
Watch the menu “monitor -> loadbalance monitor” or go through the CLI :

Diag firewall vip realserver list

Source :
https://docs.fortinet.com/document/fortigate/6.2.0/cookbook/713497/virtual-server

Author: Kévin SAS

I am Kévin SAS and live in France. I am an engineer in network and security. I worked for a lot of customers in these domains : Wireless, LAN, Datacenter, VoIP with several brands like Cisco, HPE, Aruba, Palo Alto amongst others. Previously working for a service provider. I currently work for an integrator while giving me lots of opportunity to learn. This blog stores some technicals notes I wanted to share.

Leave a Reply

Your email address will not be published. Required fields are marked *