Description

Load balancing with FortiGate contains all the features you would expect to distribute traffic across multiple servers in your infrastructure deployed at Selectel, including both dedicated servers and virtual servers in the Selectel Cloud platform.

FortiGate provides comprehensive protection for your infrastructure and balances server workloads by distributing traffic flows according to specified rules, which allows you to combine the functions of load balancer, Next Generation Firewall (NGFW), and threat management solutions in a single device.

Load balancing based on FortiGate solutions provides:

  • faster processing of requests;
  • significant simplification of the network architecture;
  • reduced operating expenses.

The load balancer supports HTTP, HTTPS, IMAPS, POP3S, SMTPS, SSL, and generic TCP/UDP and IP protocols. Session persistence is supported based on the SSL session ID, based on an injected HTTP cookie.

Before Getting Started

Before you configure server load balancing on the GUI, enable the display of a special settings section:

  1. Go to SystemFeature Visibility.
  2. Enable Load Balance in the Additional Features list.

This example shows the Load Balancing settings for HTTP and HTTPS on the hardware FortiGate-100EВ. Its initial basic configuration can be performed according to the instructions for configuring firewalls. Cloud servers in the Selectel Cloud Platform are used as the servers.

FortiGate and the project of the Cloud platform are connected by a private network. L3VPN is used between regions and services to connect the network, which allows you to install dedicated servers and servers in the Cloud powered by VMware behind the firewall.

Terms and Definitions

Load Balancing Methods

Traffic can be spread between servers based on the following methods:

  • static — even distribution of the load across servers according to the predefined algorithm, not taking into account how busy the servers are;
  • round-robin — distribution based on the round-robin algorithm, which iterates through identical servers in a cycle regardless of response time or number of connections;
  • weighted — distribution based on the weights assigned to the servers to account the features and differences, where the servers with a higher weight value receive a larger percentage of connections;
  • least-session — directs requests to the server that has the least number of current connections. This method works best in environments where the servers have similar capabilities;
  • least-rtt — distribution based on Round-Trip-Time, in which requests are sent to the server with the lowest indicator, which is determined by a Ping health check monitor and is defaulted to 0 if the Ping health check is not installed;
  • first-alive — load distribution to the first alive server, providing failover protection: sessions are not distributed to servers, but are processed by the “first” real server only, and if that server fails, sending all sessions to the next alive server;
  • http-host — distribution based on the host’s HTTP header to guide the connection to the correct server.

Health Check

Health Check is a server health checking mechanism to prevent sending load balancing traffic to failed servers. Server health can be monitored using ICMP ping or more sophisticated TCP testing. Health Check removes failed real servers from the load balancing cluster. The removal of real servers from the clusters is based on the following settings:

  • Interval — how often to test the server;
  • Timeout — what maximum response time is permissible before a server is treated as non-functional;
  • Retry — how many failures before the server is considered “dead” and removed from the cluster.

The protocol is either TCP, HTTP, or PING.

Virtual Server

Virtual Server is a virtual server whose external IP address receives traffic that is redirected to the load balancer.

Real Server

Real Server is an actual real server that receives requests after load balancing. Several real servers can be assigned to each virtual server. A real server configuration includes the IP address of the real server and port number that the real server receives sessions on. The FortiGate unit sends sessions to the real server’s IP address using the destination port number in the real server configuration. The server configuration includes its IP address and the port number on which it receives sessions.

SSL Offloading

SSL Offloading is designed for accelerating SSL connections between clients and a server, where encryption operations are performed on FortiGate instead of the servers themselves using a separate special processor. You can only use this mechanism if one of the SSL protocol types (HTTPS, IMAPS, POP3S, SMTPS, SSL) is selected for load balancing. FortiGate provides the ability to choose which segments of the SSL connection will receive SSL offloading by specifying the mode:

  • select Client ⟷ FortiGate to apply hardware accelerated SSL/TLS processing only to the part of the connection between the client and the FortiGate unit. This mode is called half mode SSL offloading. The segment between the FortiGate unit and the server will use the clear text connection which results in best performance;
  • select Full to apply hardware accelerated SSL processing to both parts of the connection: the segment between client and the FortiGate unit, and the segment between the FortiGate unit and the server (that is, Client ⟷ FortiGate ⟷ Server.) The segment between the FortiGate unit and the server uses encrypted connection, but the “handshakes” are abbreviated. This is not as efficient as half mode SSL offloading, but still improves performance.

HTTP multiplexing

HTTP multiplexing is a feature that allows a web client to use a single TCP connection for all requests to the server. It helps reduce the load on the web server by establishing a single connection through which requests and responses are sent in parallel. Each fragment is associated with special injected metadata, which allows multiple unrelated HTTP or HTTPS requests to be correctly processed in different order on the same connection. Furthermore, responses are received as soon as they are ready, therefore, heavy requests will not block the processing and issuance of simpler objects.

For example, if users web browsers are only compatible with HTTP 1.0, then enabling HTTP multiplexing can also improve performance between a web server and the FortiGate.

Persistence

Persistence is a feature that helps persist and track session data to ensure that a user is connected to the same server every time they make a request that is part of the same session. HTTP cookie persistence uses injected cookies to enable persistence.

When configuring Persistence, FortiGate balances a new session to a real server according to the Load balancing method. If the session has an HTTP cookie or an SSL session ID, the FortiGate unit sends all subsequent sessions with the same HTTP cookie or SSL session ID to the same real server.