FortiGate Virtual Server Load Balancing

Feb 10, 2023

I thought I would blog about one of the less-used features that Soft Source vBridge FWaaS offers: FortiGate Virtual Server Load Balancing. This feature can save time or money depending on your use case and design, and best of all, it is available on all vDOM sizes and doesn't require additional licensing or an upgrade of tiers to be used.

If you have multiple backend servers (normally web servers) in a cluster environment, you would normally use some form of load balancing. One product that dominates the market is F5's; these appliances offer some advanced features and are expensive, but what if your environment is relatively simple? FortiGate's Virtual Server Load Balancing may be a solution for you. The elements of this feature are explained below.

Health Monitoring – This feature can be set up to monitor the health of each server in the pool, ensuring that when traffic is sent to a cluster member, that server is online and available. The five health check types are:

Ping – Sends an ICMP ping to each pool member; this is the least preferred method.

TCP – Sends a TCP hello, which is just a TCP SYN/SYN-ACK/ACK handshake followed by a close on the configured port.

HTTP and HTTPS – Sends an HTTP or HTTPS GET request to each of the pool members.

DNS – Sends a DNS request to each server.

If the health monitor on the FortiGate doesn't receive the correct reply (i.e. a ping reply, a TCP SYN-ACK or HTTP data from the server), the server is marked as down or offline and traffic isn't sent to it, pretty simple. If the backend servers are web servers, then using HTTP/HTTPS is best, as this monitors at the application level.

SSL Offloading

If you are running web servers that use signed SSL/TLS certificates, then you can use SSL offloading for easier management of the certificates. Rather than installing signed SSL/TLS certificates on each individual server, you can install the signed certificate on the FortiGate, which means you only need to manage the certificates from the FortiGate. You can still use TLS from the FortiGate to the servers if that is a requirement. SSL offloading can also improve SSL/TLS performance, as hardware models with ASIC SSL accelerators can encrypt and decrypt packets faster than a back-end server with a general-purpose CPU.

Load Balancing

You can configure how the FortiGate distributes connections across the pool members (also called “Real Servers”) using the following methods.

Static – The traffic load is spread statically and evenly across all pool members. Sessions are not assigned according to how busy individual real servers are, so this method is not recommended in most environments.

Round Robin - Directs new requests to the next pool member, and treats all real servers as equals regardless of response time or number of connections.

Weighted - Real servers with a higher weight value receive a larger percentage of connections. Set the real server weight when adding a real server.

Least Session - Directs requests to the real server that has the fewest current connections. This method works best in environments where the real servers or other equipment you are load balancing all have similar capabilities. It uses the FortiGate session table to track the number of sessions being processed by each real server; the FortiGate unit itself cannot detect the number of sessions a real server is actually processing.

Lastly, load balancing also makes maintenance of pool members easier: you can mark a pool member as unavailable/offline and traffic will be redirected to the other pool members, allowing you to patch or reboot that server without affecting services.
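To tie the health monitoring, SSL offloading, load balancing method and maintenance points above together, here is an added example of a FortiOS CLI configuration for a two-member web pool. This is my own illustration, not configuration from the original post or from Fortinet's documentation. The monitor name, VIP name, interface names ("wan1", "internal"), the certificate name "web-cert-2023" (assumed to be already imported on the FortiGate) and all IP addresses are constructed for the example; the `#` lines are annotations.

```fortios
# Added example (not from the original post). All names and addresses are constructed.

# 1. Application-level health check: an HTTP GET that must return a body containing "OK".
#    A member that fails "retry" probes in a row is marked down and receives no traffic.
config firewall ldb-monitor
    edit "mon-http-health"
        set type http
        set port 80
        set http-get "/healthz"
        set http-match "OK"
        set interval 10
        set timeout 2
        set retry 3
    next
end

# 2. The virtual server. TLS is terminated on the FortiGate using the certificate
#    installed once there (SSL offloading); ssl-mode half sends plain HTTP to the
#    real servers, change it to "full" if TLS to the servers is a requirement.
config firewall vip
    edit "vip-www-lb"
        set type server-load-balance
        set server-type https
        set extip 203.0.113.10
        set extintf "wan1"
        set extport 443
        set ldb-method least-session
        set monitor "mon-http-health"
        set ssl-certificate "web-cert-2023"
        set ssl-mode half
        config realservers
            edit 1
                set ip 192.168.10.11
                set port 80
                set weight 1
                set status active
            next
            edit 2
                set ip 192.168.10.12
                set port 80
                set weight 1
                set status disable
            next
        end
    next
end

# 3. A firewall policy must reference the VIP before any traffic is accepted.
config firewall policy
    edit 0
        set name "allow-www-lb"
        set srcintf "wan1"
        set dstintf "internal"
        set srcaddr "all"
        set dstaddr "vip-www-lb"
        set action accept
        set schedule "always"
        set service "HTTPS"
    next
end
```

Real server 2 is shown with `set status disable`, which is the maintenance case from the last paragraph: it stays configured but takes no new connections until it is set back to `active`. The `weight` values only matter if `ldb-method` is changed to `weighted`; with `least-session`, as configured here, the FortiGate picks the member with the fewest entries in its own session table.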