FortiGate: How to use a FortiGate as a load balancer

The chances are if you have FortiGate's in your business you have then in HA and you have them on the perimeter of your network protecting things like web servers. The changes are that you also load balance web traffic through something expensive that you don't fully get along with. Sound familiar?

Well FortiGate's can be load balancers, and bloody good ones, and if there are in HA, them your LB is now HA... And it doesn't cost anything extra, and all Frotigates have this.

I am setting up this example on a FG60E that I bought from Facebook for £40, and I do not have subscription on it.

Don't be scared of it, stop buying dedicated LB's.  I have set up massive web farms using FortiGate's as load balancers that work perfectly. That includes one national Police force. Yea, how ace am I?

I am going to use 'Load Balancer' and 'LB' interchangeably. You're going to have to make your peace with that.

How to do it

By default the LB features of a FortiGate are there but they are not visible. Log into your device and  navigate to 'System' -> 'Feature Visibility'

In here you will see lots of things you probably didn't know your FortiGate was capable of but we are looking for:

Turn that baby on and click apply

This has added the Load Balancing options to the 'Policy & Objects' menu. They are right at the bottom. 'Virtual servers' and 'Health check'

Here is where its probably a good idea to go over some of the concepts we are about to be looking at and why this menu doesn't just say 'Load balance'

When you configure a LB on you are creating a single point of access. Traffic is then sent form that point to an an application server based on a policy which can take into account availability or load or just something simple like a round robin.

From the clients perspective they just see the one end point and have no knowledge of the fancy LB stuff that happens in the background.

So in essence when you create a LB end point you are creating a 'Virtual Server' that the client sees. Hence we have the 'Virtual Servers' menu.

Before we can create a virtual server we need to create a 'Health Check', but first let me explain what this is for.

Health check allows you to define a test that firewall will constantly run on the App servers to make sure they are up and ready to accept traffic. If the App server fails this test it will not be sent any traffic.

Here i have created a simple ping test called 'Ping test'. This pings the IP of the apps server and a failed state is if the server doesn't respond after 2 seconds 3 times.

Now we can create the virtual server. Click on 'Virtual Servers' -> 'Create New'

  • Type - There are some pre-defined services here that you can use.  I am using Http but you can use IP to LB all traffic or TCP/UDP for specific ports.
  • Interface - For me the traffic is coming from the internet
  • Virtual server IP - What is the address you want to use for the service.
  • Virtual server port - The port the service is on.
  • Load balancing method - How the traffic will be balanced. I am opting for Round robin
  • Persistence - if you web site has a log in area or the need for other persistence you can use a HTTP cookie to make sure the user always hits the same server, if its available.
  • Health Check - I have used the one we defined earlier
  • HTTP multiplexing - I don't understand this enough to use it.  
  • Preserve client IP - If you tick this the webserver will see the client IP. If not it will see all traffic coming from the LB IP.

Now we need to define the app servers. Click 'Create New'

and now we add the server using its IP and the port the service is on. If Max connections is set to 0, max connections is unlimited.

As you can see i have added 2 servers and set them both to active.

and you can see them from 'Virtual Servers'

Its a good idea to add a monitor so we can easily see the status of the app servers. Click 'add monitor'

and add the 'Load Balance' monitor

This will then appear on the left, and show us the status of the app servers in the virtual server at a glance

Finally we need to create a policy to allow traffic through the firewall in the usual way.

Congratulations you have now created a LB policy! Now go share this with the world.