Chapter 12 Load Balancing for FortiOS 5.0 : Load balancing configuration examples : Example: HTTP load balancing to three real web servers : Web-based manager configuration
  
Web-based manager configuration
Use the following procedures to configure this load balancing setup from the web‑based manager.
To add an HTTP health check monitor
In this example, the HTTP health check monitor includes the URL “/index.html” and the Matched Phrase “Fortinet products”.
1. Go to Firewall Objects > Load Balance > Health Check.
2. Select Create New.
3. Add an HTTP health check monitor that sends GET requests to http://<real_server_IP_address>/index.html and searches the returned web page for the phrase “Fortinet products”.
Name: HTTP_health_chk_1
Type: HTTP
Port: 80
URL: /index.html
Matched Content: Fortinet products
Interval: 10 seconds
Timeout: 2 seconds
Retry: 3
4. Select OK.
To add the HTTP virtual server
1. Go to Firewall Objects > Load Balance > Virtual Server.
2. Select Create New.
3. Add an HTTP virtual server that allows users on the Internet to connect to the real servers on the internal network. In this example, the FortiGate wan1 interface is connected to the Internet.
Name: Load_Bal_VS1
Type: HTTP
Interface: wan1
Virtual Server IP: 192.168.37.4
    The public IP address of the web server. The virtual server IP address is usually a static IP address obtained from your ISP for your web server. This address must be a unique IP address that is not used by another host and cannot be the same as the IP address of the external interface the virtual IP will be using. However, the external IP address must be routed to the selected interface. The virtual IP address and the external IP address can be on different subnets. When you add the virtual IP, the external interface responds to ARP requests for the external IP address.
Virtual Server Port: 80
Load Balance Method: First Alive
Persistence: HTTP cookie
HTTP Multiplexing: Select
    The FortiGate unit multiplexes multiple client connections into a few connections between the FortiGate unit and each real HTTP server. This can improve performance by reducing the server overhead associated with establishing multiple connections.
Preserve Client IP: Select
    The FortiGate unit preserves the IP address of the client in the X-Forwarded-For HTTP header.
Health Check: Move the HTTP_health_chk_1 health check monitor to the Selected list.
4. Select OK.
To add the real servers and associate them with the virtual server
1. Go to Firewall Objects > Load Balance > Real Server.
2. Select Create New.
3. Configure three real servers that include the virtual server Load_Bal_VS1. Each real server must include the IP address of a real server on the internal network.
Configuration for the first real server:
Virtual Server: Load_Bal_VS1
IP Address: 10.10.10.42
Port: 80
Weight: Cannot be configured because the virtual server does not include weighted load balancing.
Maximum Connections: 0
    Setting Maximum Connections to 0 means the FortiGate unit does not limit the number of connections to the real server. Since the virtual server uses First Alive load balancing you may want to limit the number of connections to each real server to limit the traffic received by each server. In this example, the Maximum Connections is initially set to 0 but can be adjusted later if the real servers are getting too much traffic.
Configuration for the second real server:
Virtual Server: Load_Bal_VS1
IP Address: 10.10.10.43
Port: 80
Weight: Cannot be configured because the virtual server does not include weighted load balancing.
Maximum Connections: 0 (see the note for the first real server)
Configuration for the third real server:
Virtual Server: Load_Bal_VS1
IP Address: 10.10.10.44
Port: 80
Weight: Cannot be configured because the virtual server does not include weighted load balancing.
Maximum Connections: 0 (see the note for the first real server)
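The following is an added example, not FortiGate code, that models how the HTTP_health_chk_1 monitor and the First Alive method of Load_Bal_VS1 act together on the three real servers above, so the behaviour can be reasoned about offline before traffic arrives. It assumes (the page does not say) that a real server is marked down after Retry consecutive failed probes and up again on the first probe that succeeds, and that First Alive returns the first real server in configured order that is up and below its Maximum Connections (0 meaning no limit). The HTTP GET is injected as a callable and replaced by a constructed in-memory fetcher; the responses are constructed sample data.

```python
# Added example, not FortiGate code: models HTTP_health_chk_1 and the
# First Alive method of Load_Bal_VS1. Assumptions (not stated on the page):
# a real server is marked down after `retry` consecutive failed probes and
# up again on the first probe that succeeds; First Alive returns the first
# real server, in configured order, that is up and below its Maximum
# Connections (0 = no limit). The GET is an injected callable, replaced
# here by a constructed in-memory fetcher.
from dataclasses import dataclass
from typing import Callable, List, Optional


@dataclass
class HealthCheck:
    name: str
    port: int
    url: str
    matched_content: str
    interval_s: int
    timeout_s: int
    retry: int


@dataclass
class RealServer:
    ip: str
    port: int = 80
    max_connections: int = 0      # 0 = the FortiGate does not limit connections
    active_connections: int = 0
    failures: int = 0             # consecutive failed probes
    up: bool = True


# fetch(ip, port, url, timeout_s) -> response body, or None on timeout/error
Fetcher = Callable[[str, int, str, int], Optional[str]]


def probe(check: HealthCheck, server: RealServer, fetch: Fetcher) -> bool:
    """One probe: GET check.url on the server; healthy only if the body
    contains the Matched Content phrase. A page that loads but lacks the
    phrase (e.g. a maintenance page) counts as a failure."""
    body = fetch(server.ip, check.port, check.url, check.timeout_s)
    return body is not None and check.matched_content in body


def update_health(check: HealthCheck, server: RealServer, fetch: Fetcher) -> bool:
    """Apply one probe result to the server state and return whether it is up."""
    if probe(check, server, fetch):
        server.failures = 0
        server.up = True
    else:
        server.failures += 1
        if server.failures >= check.retry:   # assumption: Retry = failures before down
            server.up = False
    return server.up


def first_alive(servers: List[RealServer]) -> Optional[RealServer]:
    """First Alive: return the first server in order that is up and has
    connection capacity left."""
    for s in servers:
        if not s.up:
            continue
        if s.max_connections and s.active_connections >= s.max_connections:
            continue
        return s
    return None


HTTP_HEALTH_CHK_1 = HealthCheck("HTTP_health_chk_1", 80, "/index.html",
                                "Fortinet products", 10, 2, 3)

# Constructed responses standing in for the three real servers.
CONSTRUCTED_RESPONSES = {
    "10.10.10.42": "<html><body>Site under maintenance</body></html>",  # 200 but no phrase
    "10.10.10.43": "<html><body>Fortinet products catalogue</body></html>",
    "10.10.10.44": None,  # no reply within the 2 second Timeout
}


def constructed_fetch(ip: str, port: int, url: str, timeout_s: int) -> Optional[str]:
    return CONSTRUCTED_RESPONSES.get(ip)


def build_servers() -> List[RealServer]:
    return [RealServer("10.10.10.42"), RealServer("10.10.10.43"), RealServer("10.10.10.44")]


def simulate(rounds: int, servers: Optional[List[RealServer]] = None) -> Optional[str]:
    """Run `rounds` probe cycles (one per Interval) and return the IP that
    First Alive would select afterwards, or None if no server qualifies."""
    servers = servers if servers is not None else build_servers()
    for _ in range(rounds):
        for s in servers:
            update_health(HTTP_HEALTH_CHK_1, s, constructed_fetch)
    chosen = first_alive(servers)
    return chosen.ip if chosen else None


if __name__ == "__main__":
    print(simulate(2))   # 10.10.10.42: two failures, still below Retry 3
    print(simulate(3))   # 10.10.10.43: .42 and .44 are now marked down
```

The two printed runs show why the Matched Content setting matters: 10.10.10.42 answers every probe with a 200 page, yet because the phrase is missing it is taken out of rotation after the third probe, exactly like the server that never answers at all. The optional `servers` argument lets you set a Maximum Connections cap on a server and confirm that First Alive skips it once the cap is reached.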
To add the virtual server to a security policy
Add a wan1 to dmz1 security policy that uses the virtual server so that when users on the Internet attempt to connect to the web server’s IP address, packets pass through the FortiGate unit from the wan1 interface to the dmz1 interface. The virtual IP translates the destination address of these packets from the virtual server IP address to the real server IP addresses.
1. Go to Policy > Policy > Policy.
2. Select Create New.
3. Configure the security policy:
Policy Type: Firewall
Policy Subtype: Address
Incoming Interface: wan1
Source Address: all (or a more specific address)
Outgoing Interface: dmz1
Destination Address: Load_Bal_VS1
Schedule: always
Service: HTTP
Action: ACCEPT
Log Allowed Traffic: Select to log virtual server traffic
Enable NAT: Select this option and select Use Destination Interface Address.
4. Select other security policy options as required.
5. Select OK.
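Because this policy enables NAT with Use Destination Interface Address, every connection reaches the real servers with the FortiGate dmz1 address as its source, and the original client address survives only in the X-Forwarded-For header that the Preserve Client IP option on Load_Bal_VS1 inserts. The following is an added example, not FortiGate or web-server code, of how a real server should read that header: it is honoured only when the TCP peer is the FortiGate, since any other host that can reach the real server directly could write an arbitrary value into it and be logged as that address. The dmz1 address used is a placeholder (the page does not give it), and the request text is constructed.

```python
# Added example, not FortiGate or web-server code: recovering the client
# address on a real server behind Load_Bal_VS1. With the policy's NAT set
# to Use Destination Interface Address the real servers see the FortiGate
# dmz1 address as the source of every connection; the client address is
# only in X-Forwarded-For (added by Preserve Client IP). The dmz1 address
# below is a placeholder and the request is constructed.
import ipaddress
from typing import Dict

FORTIGATE_DMZ1_IP = "10.10.10.1"   # placeholder for the FortiGate dmz1 interface address
TRUSTED_PROXIES = {FORTIGATE_DMZ1_IP}


def parse_headers(raw_request: str) -> Dict[str, str]:
    """Parse the header block of a raw HTTP/1.1 request into a dict keyed by
    lower-cased header name (names are case-insensitive)."""
    headers: Dict[str, str] = {}
    for line in raw_request.split("\r\n")[1:]:   # skip the request line
        if line == "":
            break                                # blank line ends the headers
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers


def client_ip(peer_ip: str, headers: Dict[str, str]) -> str:
    """Return the address to log or rate-limit as the client.

    X-Forwarded-For is honoured only when the TCP peer is a trusted proxy
    (the FortiGate). With a single trusted hop, the rightmost entry is the
    one that hop set; anything to its left was supplied by the client and
    is not used.
    """
    if peer_ip not in TRUSTED_PROXIES:
        return peer_ip
    xff = headers.get("x-forwarded-for", "")
    for candidate in reversed([p.strip() for p in xff.split(",")]):
        try:
            return str(ipaddress.ip_address(candidate))
        except ValueError:
            continue                # malformed entry: skip it rather than log it
    return peer_ip                  # no usable entry: fall back to the proxy address


def client_ip_from_request(peer_ip: str, raw_request: str) -> str:
    return client_ip(peer_ip, parse_headers(raw_request))


# Constructed request as real server 10.10.10.42 would receive it after the
# FortiGate has inserted X-Forwarded-For for a client at 203.0.113.7.
CONSTRUCTED_REQUEST = (
    "GET /index.html HTTP/1.1\r\n"
    "Host: 192.168.37.4\r\n"
    "X-Forwarded-For: 203.0.113.7\r\n"
    "User-Agent: example\r\n"
    "\r\n"
)

if __name__ == "__main__":
    # Connection from the FortiGate: the header is trusted.
    print(client_ip_from_request(FORTIGATE_DMZ1_IP, CONSTRUCTED_REQUEST))  # 203.0.113.7
    # Same request from another DMZ host: the header is ignored.
    print(client_ip_from_request("10.10.10.99", CONSTRUCTED_REQUEST))      # 10.10.10.99
```

Pair this with the Log Allowed Traffic setting on the policy: the FortiGate log records the real client address and the virtual server, while the real server's own access log should record the X-Forwarded-For value so the two can be correlated during an investigation.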