FortiOS 5.6 Online Help Link FortiOS 5.4 Online Help Link FortiOS 5.2 Online Help Link FortiOS 5.0 Online Help Link

Home > Online Help

> Chapter 26 - Server Load Balancing > Example HTTP and HTTPS persistence configuration

Example HTTP and HTTPS persistence configuration

This example shows how to add a virtual server named HTTP_Load_Balance that load balances HTTP traffic using port 80 and a second virtual server named HTTPS_Load_Balance that load balances HTTPS traffic using port 443. The Internet is connected to port2 and the virtual IP address of the virtual server is 192.168.20.20. Both server load balancing virtual IPs load balance sessions to the same three real servers with IP addresses 10.10.10.2, 10.10.10.2, and 10.10.10.3. The real servers provide HTTP and HTTPS services.

For both virtual servers, persistence is set to HTTP Cookie to enable HTTP cookie persistence.

To add the HTTP and HTTPS virtual servers
  1. Go to Policy & Objects > Virtual Servers.
  2. Add the HTTP virtual server that includes HTTP Cookie persistence.
Name HTTP_Load_Balance
Type HTTP
Interface port2
Virtual Server IP 192.168.20.20
Virtual Server Port 80

In this example the virtual server uses port 8080 for HTTP sessions instead of port 80.
Load Balance Method Static
Persistence HTTP cookie
  1. Select OK.
  2. Select Create New.
  3. Add the HTTPs virtual server that also includes HTTP Cookie persistence.
Name HTTPS_Load_Balance
Type HTTPS
Interface port2
Virtual Server IP 192.168.20.20
Virtual Server Port 443
Load Balance Method Static
Persistence HTTP cookie
  1. Select OK.
To add the real servers and associate them with the virtual servers
  1. Go to Policy & Objects > Real Servers.
  2. Select Create New.
  3. Configure three real servers for HTTP that include the virtual server HTTP_Load_Balance.

    Configuration for the first HTTP real server.
Virtual Server HTTP_Load_Balance
IP Address 10.10.10.1
Port 80
Weight Cannot be configured because the virtual server does not include weighted load balancing.
Maximum Connections 0

Configuration for the second HTTP real server.

Virtual Server HTTP_Load_Balance
IP Address 10.10.10.2
Port 80
Weight Cannot be configured because the virtual server does not include weighted load balancing.
Maximum Connections 0

Configuration for the third HTTP real server.

Virtual Server HTTP_Load_Balance
IP Address 10.10.10.3
Port 80
Weight Cannot be configured because the virtual server does not include weighted load balancing.
Maximum Connections 0
  1. Configure three real servers for HTTPS that include the virtual server HTTPS_Load_Balance.

    Configuration for the first HTTPS real server.
Virtual Server HTTP_Load_Balance
IP Address 10.10.10.1
Port 443
Weight Cannot be configured because the virtual server does not include weighted load balancing.
Maximum Connections 0

Configuration for the second HTTPS real server.

Virtual Server HTTP_Load_Balance
IP Address 10.10.10.2
Port 443
Weight Cannot be configured because the virtual server does not include weighted load balancing.
Maximum Connections 0

Configuration for the third HTTPS real server.

Virtual Server HTTPS_Load_Balance
IP Address 10.10.10.3
Port 443
Weight Cannot be configured because the virtual server does not include weighted load balancing.
Maximum Connections 0
To add the virtual servers to security policies

Add a port2 to port1 security policy that uses the virtual server so that when users on the Internet attempt to connect to the web server’s IP address, packets pass through the FortiGate unit from the wan1 interface to the dmz1 interface. The virtual IP translates the destination address of these packets from the virtual server IP address to the real server IP addresses.

  1. Go to Policy & Objects > IPv4 Policy.
  2. Select Create New.
  3. Configure the HTTP security policy:
Policy Type Firewall
Policy Subtype Address
Incoming Interface port2
Source Address all
Outgoing Interface port1
Destination Address HTTP_Load_Balance
Schedule always
Service HTTP
Action ACCEPT
Enable NAT Select this option and select Use Destination Interface Address.
  1. Select other security policy options as required.
  2. Select OK.
  3. Select Create New.
  4. Configure the HTTP security policy:
Policy Type Firewall
Policy Subtype Address
Incoming Interface port2
Source Address all
Outgoing Interface port1
Destination Address HTTPS_Load_Balance
Schedule always
Service HTTPS
Action ACCEPT
Enable NAT Select this option and select Use Destination Interface Address.
  1. Select other security policy options as required.
  2. Select OK.

CLI configuration: adding persistence for a specific domain

Load balancing is configured from the CLI using the config firewall vip command and by setting type to server-load-balance.

For the CLI configuration, both virtual servers include setting http-cookie-domain to .example.org because HTTP cookie persistence is just required for the example.org domain.

First, the configuration for the HTTP virtual IP:

config firewall vip

edit HTTP_Load_Balance

set type server-load-balance

set server-type http

set extport 8080

set extintf port2

set extip 192.168.20.20

set persistence http-cookie

set http-cookie-domain .example.org

config realservers

edit 1

set ip 10.10.10.1

next

edit 2

set ip 10.10.10.2

next

edit 3

set ip 10.10.10.3

end

end

Second, the configuration for the HTTPS virtual IP. In this configuration you don’t have to set extport to 443 because extport is automatically set to 443 when server-type is set to https.

config firewall vip

edit HTTPS_Load_Balance

set type server-load-balance

set server-type https

set extport 443

set extintf port2

set extip 192.168.20.20

set persistence http-cookie

set http-cookie-domain .example.org

config realservers

edit 1

set ip 10.10.10.1

next

edit 2

set ip 10.10.10.2

next

edit 3

set ip 10.10.10.3

end

end