- Published on
How to use Fortigate Load Balancer
- Authors
- Name
- Sunway
- 1 Enable Load Balance Feature
- 2 Import a Certificate
- 3 Create a Virtual Server
- Create a http virtual server
- Create a https virtual server
- 4 Redirect http to https
- 5 Use virtual server to create firewall policy
- 6 Add DNS Record
- 7 Summary
1 Enable Load Balance Feature
![EnableLoadBalanceFeature](/static/images/EnableLoadBalanceFeature.png)
2 Import a Certificate
You can import your own certificate to implement your custom https connection
![FortiImportCA](/static/images/FortiImportCA.png)
3 Create a Virtual Server
Create a http virtual server
If you do not have your own certificate and do not want to use fortigate default certificate, you can set to ![FortiVirtualServer](/static/images/FortiVirtualServer.png)
http
type ![FortiVirtualServer](/static/images/FortiVirtualServer.png)
Create a https virtual server
If you import your own certificate, your can set to ![FortiVirtualServerHttps](/static/images/FortiVirtualServerHttps.png)
https
type and select your own certificate; otherwise, your can use fortigate default certificate to implement a https connection ![FortiVirtualServerHttps](/static/images/FortiVirtualServerHttps.png)
SSL Mode:
Client <-> FortiGate
: Client(https) --> Fortigate(https) --> Server(http)Full
: Client(https) --> Fortigate(https) --> Server(https)
4 Redirect http to https
Add a Firewall Policy to redirect 80 to 443 so that client can auto access to https://uat.example.com from http://uat.example.com
![Forti80To443](/static/images/Forti80To443.png)
5 Use virtual server to create firewall policy
You must select Proxy-based
mode so that you can find virtual server
in policy Destination
![FortiVirtualServerPolicy](/static/images/FortiVirtualServerPolicy.png)
6 Add DNS Record
Add uat.example.com
and prd.example.com
's type A resolution to Fortigate WAN IP.
7 Summary
Finally, you can implement an architecture like that:
![FortiVirtualServerArchitecture](/static/images/FortiVirtualServerArchitecture.png)
In my case, the IP 10.210.0.2
is a real server in internal network, but IP 10.210.11.170
is a SLB in AlibabaCloud