Example: HTTP and HTTPS persistence configuration
This example shows how to add a virtual server named HTTP_Load_Balance that load balances HTTP traffic using port 80 and a second virtual server named HTTPS_Load_Balance that load balances HTTPS traffic using port 443. The Internet is connected to port2 and the virtual IP address of both virtual servers is 192.168.20.20. Both virtual servers load balance sessions to the same three real servers with IP addresses 10.10.10.1, 10.10.10.2, and 10.10.10.3. The real servers provide HTTP and HTTPS services.
For both virtual servers, persistence is set to HTTP Cookie to enable HTTP cookie persistence.
To add the HTTP and HTTPS virtual servers
1. Go to Firewall Objects > Load Balance > Virtual Server.
2. Add the HTTP virtual server that includes HTTP Cookie persistence.
Name | HTTP_Load_Balance |
Type | HTTP |
Interface | port2 |
Virtual Server IP | 192.168.20.20 |
Virtual Server Port | 80 In this example the virtual server uses port 8080 for HTTP sessions instead of port 80. |
Load Balance Method | Static |
Persistence | HTTP cookie |
3. Select OK.
4. Select Create New.
5. Add the HTTPS virtual server that also includes HTTP Cookie persistence.
Name | HTTPS_Load_Balance |
Type | HTTPS |
Interface | port2 |
Virtual Server IP | 192.168.20.20 |
Virtual Server Port | 443 |
Load Balance Method | Static |
Persistence | HTTP cookie |
6. Select OK.
To add the real servers and associate them with the virtual servers
1. Go to Firewall Objects > Load Balance > Real Server.
2. Select Create New.
3. Configure three real servers for HTTP that include the virtual server HTTP_Load_Balance.
Configuration for the first HTTP real server.
Virtual Server | HTTP_Load_Balance |
IP Address | 10.10.10.1 |
Port | 80 |
Weight | Cannot be configured because the virtual server does not include weighted load balancing. |
Maximum Connections | 0 |
Configuration for the second HTTP real server.
Virtual Server | HTTP_Load_Balance |
IP Address | 10.10.10.2 |
Port | 80 |
Weight | Cannot be configured because the virtual server does not include weighted load balancing. |
Maximum Connections | 0 |
Configuration for the third HTTP real server.
Virtual Server | HTTP_Load_Balance |
IP Address | 10.10.10.3 |
Port | 80 |
Weight | Cannot be configured because the virtual server does not include weighted load balancing. |
Maximum Connections | 0 |
4. Configure three real servers for HTTPS that include the virtual server HTTPS_Load_Balance.
Configuration for the first HTTPS real server.
Virtual Server | HTTPS_Load_Balance |
IP Address | 10.10.10.1 |
Port | 443 |
Weight | Cannot be configured because the virtual server does not include weighted load balancing. |
Maximum Connections | 0 |
Configuration for the second HTTPS real server.
Virtual Server | HTTPS_Load_Balance |
IP Address | 10.10.10.2 |
Port | 443 |
Weight | Cannot be configured because the virtual server does not include weighted load balancing. |
Maximum Connections | 0 |
Configuration for the third HTTPS real server.
Virtual Server | HTTPS_Load_Balance |
IP Address | 10.10.10.3 |
Port | 443 |
Weight | Cannot be configured because the virtual server does not include weighted load balancing. |
Maximum Connections | 0 |
To add the virtual servers to security policies
Add a port2 to port1 security policy for each virtual server so that when users on the Internet attempt to connect to the web server's IP address, packets pass through the FortiGate unit from the port2 interface to the port1 interface. The virtual IP translates the destination address of these packets from the virtual server IP address to the real server IP addresses.
1. Go to Policy > Policy > Policy.
2. Select Create New.
3. Configure the HTTP security policy:
Policy Type | Firewall |
Policy Subtype | Address |
Incoming Interface | port2 |
Source Address | all |
Outgoing Interface | port1 |
Destination Address | HTTP_Load_Balance |
Schedule | always |
Service | HTTP |
Action | ACCEPT |
Enable NAT | Select this option and select Use Destination Interface Address. |
4. Select other security policy options as required.
5. Select OK.
6. Select Create New.
7. Configure the HTTPS security policy:
Policy Type | Firewall |
Policy Subtype | Address |
Incoming Interface | port2 |
Source Address | all |
Outgoing Interface | port1 |
Destination Address | HTTPS_Load_Balance |
Schedule | always |
Service | HTTPS |
Action | ACCEPT |
Enable NAT | Select this option and select Use Destination Interface Address. |
8. Select other security policy options as required.
9. Select OK.
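The HTTP half of the procedure above, written as FortiOS CLI. This is an added example, not part of the original page. Option names are assumed from the general FortiOS `config firewall vip` and `config firewall policy` syntax and can differ between releases; the real server IDs (1 to 3) and the policy ID `0` (next free ID) are also assumptions.

```fortios
# Added example, not from the original page. Lines starting with '#' are annotations.
# Virtual server: HTTP on 192.168.20.20:80, static method, HTTP cookie persistence.
config firewall vip
    edit "HTTP_Load_Balance"
        set type server-load-balance
        set server-type http
        set ldb-method static
        set persistence http-cookie
        set extintf "port2"
        set extip 192.168.20.20
        set extport 80
        # The three real servers from the procedure; IDs 1-3 are assumed.
        config realservers
            edit 1
                set ip 10.10.10.1
                set port 80
            next
            edit 2
                set ip 10.10.10.2
                set port 80
            next
            edit 3
                set ip 10.10.10.3
                set port 80
            next
        end
    next
end

# port2 -> port1 policy whose destination is the virtual server.
config firewall policy
    edit 0
        set srcintf "port2"
        set dstintf "port1"
        set srcaddr "all"
        set dstaddr "HTTP_Load_Balance"
        set schedule "always"
        set service "HTTP"
        set action accept
        set nat enable
    next
end
```

The HTTPS virtual server and its policy follow the same pattern with the name HTTPS_Load_Balance, server type HTTPS, port 443 on the virtual server and real servers, and service HTTPS. An HTTPS virtual server also needs a server certificate selected, which the steps above do not cover.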