Week 10

I am going to blog about a Fortinet firewall performance test case created using a client-server iPerf PC pair.

Test: Load balancing


Aim: Confirm 1500D is capable of load balancing in a variety of configurations.

Test Setup: Two iPerf host test appliances, one connected to a 1Gbps input port on the firewall and one connected to a 1Gbps output port on the firewall.

Configuration: A unicast policy configured to permit TCP traffic from source IP 192.168.1.1 to multiple destinations, with each destination VIP using a different health check and load balancing method. For VIPs that contain backup servers, the active servers were removed from the iPerf host configuration to confirm that sessions were then sent to the backup servers, which should have become active.


Expected Result: The 1500D should be able to load balance in the same way that our existing load balancers are capable of.
Below is a diagram of the test setup:

Test results:

All the above combinations were tested. One limitation is that a real server IP can only exist as a real server for a single VIP. This differs from our current setup, where we are able to use the same real server IP address within multiple real server groups, listening on a different port each time.

One issue was encountered: within a VIP that contains active and standby real servers, if all active servers are gracefully disabled, the standby servers do not become active. Also, if a group contains active and standby servers and the active servers are not listening, so that the standby servers have become active, and then one of the failed servers is gracefully disabled via the firewall GUI, all the standby servers that are currently active change mode to standby in the GUI, although open TCP sessions still seem to remain active. What is reported in the GUI does not always appear to be accurate.

Note that other load balancing options available were:

  • Weighted
  • First alive
  • Least RTT
  • HTTP host header

These were not tested as we do not currently use any of these methods within our production environments.

Another option that was tested, for HTTP-based VIPs, is that multiple TCP sessions can be multiplexed by the firewall, reducing the number of sessions to the web server, with the ability either to hide clients behind the firewall interface IP or to present this single session as if it came from the original client IP.
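As an added illustration (not configuration from the original post or from Fortinet's own documentation), the FortiOS CLI below defines the two kinds of VIP discussed above: a TCP VIP for the iPerf test with a TCP-connect health-check monitor and an active/standby real-server pair, and an HTTP VIP with session multiplexing and the original client IP carried in a header. All names, IP addresses, ports and interface names are assumptions, and the exact keywords should be checked against the FortiOS version in use.

```text
config firewall ldb-monitor
    edit "tcp-5001-check"          # TCP connect check on the iPerf port
        set type tcp
        set port 5001
        set interval 10
    next
end
config firewall vip
    edit "iperf-lb-vip"            # TCP VIP: one active, one standby real server
        set type server-load-balance
        set extip 192.168.1.10
        set extintf "port1"
        set server-type tcp
        set extport 5001
        set ldb-method round-robin
        set monitor "tcp-5001-check"
        config realservers
            edit 1
                set ip 10.10.10.11
                set port 5001
                set status active
            next
            edit 2
                set ip 10.10.10.12
                set port 5001
                set status standby   # expected to take over when no active server passes the check
            next
        end
    next
    edit "web-lb-vip"              # HTTP VIP: multiplexed sessions, client IP passed in a header
        set type server-load-balance
        set extip 192.168.1.11
        set extintf "port1"
        set server-type http
        set extport 80
        set ldb-method least-session
        set http-multiplex enable
        set http-ip-header enable
        set http-ip-header-name "X-Forwarded-For"
        config realservers
            edit 1
                set ip 10.10.10.21
                set port 80
                set status active
            next
        end
    next
end
```

The `#` annotations are for the reader and are not CLI syntax, so strip them before pasting. The standby-server behaviour noted above can be reproduced against this VIP by setting each active real server's `status` to `disable` in turn and watching whether the standby entry becomes active.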
