
The Fortinet Load Balancer is a powerful tool designed to distribute network traffic efficiently, ensuring that no single server is overwhelmed and becomes a bottleneck. It's a game-changer for businesses with high-traffic websites or applications.
With the Fortinet Load Balancer, you can expect improved scalability, reliability, and performance. This is achieved through the load balancer's ability to detect and redirect traffic in real-time, ensuring that users always get a fast and responsive experience.
One of the key features of the Fortinet Load Balancer is its ability to support multiple protocols, including HTTP, HTTPS, and TCP. This means you can use it to load balance a wide range of applications and services.
Suggestion: Azure Traffic Manager vs Load Balancer
Key Features
FortiADC offers advanced security features such as WAF, DDoS, and AV for robust protection.
It also provides high-performance physical and virtual ADC and reverse proxy for seamless network operations.
User-Aware Access Management makes easy administration of access permissions possible, enhancing the user experience.
Web Application Protection is integrated with adaptive learning and policy creation to defend against zero-day and known exploits.
FortiADC includes DDoS, web filtering, IPS, GEO-IP, and IP rep using SSL forward proxy for secure traffic inspection.
Security Fabric Integration helps identify and analyze multi-pronged security threats for proactive protection.
FortiADC provides unmatched application acceleration, load balancing, and web security, delivering availability, performance, and security in a single, all-inclusive license.
This solution includes application acceleration, WAF, IPS, SSLi, link load balancing, and user authentication in one solution, making it a comprehensive and efficient choice.
On a similar theme: Fortinet Web Filter
Features and Benefits
FortiADC offers advanced security features like WAF, DDoS, and AV, and application connectors for easy deployment and full visibility of your networks and applications.
Its Layer 4-7 ADC capabilities provide high-performance physical and virtual ADC and reverse proxy.
User-Aware Access Management simplifies the administration of access permissions for a better user experience.
The integrated WAF with adaptive learning and policy creation defends against zero-day and known exploits, providing robust web application protection.
For another approach, see: Fortinet Waf

Enhanced Security features include DDoS, web filtering, IPS, GEO-IP, and IP rep using SSL forward proxy for secure traffic inspection.
Security Fabric Integration helps identify and analyze multi-pronged security threats, streamlining your security operations.
Threat Analytics streamlines workflows with recommended playbooks and threat-hunting capabilities, giving you an edge in threat detection and response.
Consider reading: Fortinet Security Fabric
Agentless Application Gateway
The Agentless Application Gateway is a centralized portal that provides access to internal applications. It's a game-changer for remote workers who need to access company resources.
This portal is user-aware, meaning it recognizes who's trying to access what, and it's got authentication and access permissions in place to keep things secure. FortiADC is the name of this innovative solution.
With FortiADC, remote users can access a variety of resources without needing any client-side agents. This makes it easy to get up and running quickly, without the hassle of installing software on every device.
Models and Specifications
FortiADC models are available in various forms, including hardware appliances, virtual machines, and public cloud VMs. This flexibility makes it easy to choose the right model for your needs.

Whether you prefer a hardware appliance or a virtual machine, FortiADC has got you covered. You can even deploy it in the public cloud, which is a great option if you need to scale quickly.
The throughput of FortiADC models ranges from 1 Gbps to 200 Gbps. This is a significant range, and you can choose the model that best fits your requirements.
Here's a breakdown of the different FortiADC models and their specifications:
The number of ports also varies across different models. For example, some models have 4x GE RJ45 ports, while others have 8x RJ45 GE ports or 12x 10GbE SFP+ ports.
You can choose the model that best fits your needs, depending on the number of ports and throughput you require.
Session Persistence
Session Persistence is a crucial feature that ensures a user is connected to the same real server every time they make an HTTP, HTTPS, or SSL request that's part of the same user session.
This is particularly important for eCommerce sites, where users may start multiple sessions as they navigate the site. In most cases, all the sessions started by this user during one eCommerce session should be processed by the same real server.
The HTTP protocol keeps track of these related sessions using cookies. HTTP cookie persistence ensures all sessions that are part of the same user session are processed by the same real server.
To configure persistence, the FortiGate unit load balances a new session to a real server according to the load balance method. If the session has an HTTP cookie or an SSL session ID, the FortiGate unit sends all subsequent sessions with the same HTTP cookie or SSL session ID to the same real server.
By using persistence, you can ensure that users have a seamless and efficient experience on your eCommerce site, with all their sessions processed by the same real server.
Layer-4 Vs
Layer-4 vs is a crucial distinction in network architecture.
In a Layer-4 network, data is routed based on the destination IP address, which is a unique identifier for each device on the network.
This approach is typically used in traditional network architectures, where data is transmitted in a linear fashion from source to destination.
However, in modern network architectures, Layer-4 vs has become less relevant, as many applications now use more advanced routing techniques.
For example, in a cloud-based network, data may be routed based on a combination of factors, including IP address, port number, and application-specific routing rules.
This allows for greater flexibility and scalability, but also introduces complexity that traditional Layer-4 networks can't handle.
In summary, while Layer-4 vs is still relevant in some contexts, it's largely been replaced by more advanced routing techniques in modern network architectures.
A different take: Airtel India Data Balance Check
Deployment Options
You've got several options for deploying a Fortinet load balancer to suit your needs. FortiADC is available as a high-performance hardware appliance.
You can also deploy it as a virtual appliance, which is a great option if you want the flexibility to run it on a variety of platforms.
Flexible Deployment Options
When choosing a deployment option, consider that FortiADC offers flexibility to meet your needs.
You can deploy FortiADC as a high-performance hardware appliance, providing a robust and reliable solution for demanding environments.
FortiADC is also available as a virtual appliance, making it easier to integrate with your existing virtual infrastructure.
This flexibility is particularly useful for organizations with varying network requirements and scalability needs.
FortiADC can be deployed on-demand via popular cloud marketplaces, including AWS, Azure, Google Cloud, and Oracle Cloud.
This cloud-based deployment option allows for fast and efficient setup, with minimal upfront costs and infrastructure requirements.
Requirements
To create a new virtual server, you must configure several options. These include Virtual Server Type, Load Balancing Methods, Health check monitoring (optional), Session persistence (optional), Virtual Server IP (External IP Address), Virtual Server Port (External Port), and Real Servers (Mapped IP Address & Port).
To set up the firewall policy, go to Policy & Objects > Firewall Policy and click Create New. Set the Inspection Mode to Proxy-based, as a flow-based firewall policy can only accept TCP/UDP/IP type virtual servers.
Explore further: Create Azure Load Balancer Basic Sku
To enable NAT, you must set IP Pool Configuration to Use Outgoing Interface Address. Also, enable AntiVirus and select an antivirus profile. This will ensure proper configuration for your virtual server.
Here are the key options to configure for your virtual server:
- Virtual Server Type
- Load Balancing Methods
- Health check monitoring (optional)
- Session persistence (optional)
- Virtual Server IP (External IP Address)
- Virtual Server Port (External Port)
- Real Servers (Mapped IP Address & Port)
FortiADC SLB4 Deployment with FullNAT and WRR
To deploy FortiADC SLB4 with FullNAT and WRR, you'll need to configure the virtual server type and load balancing methods. This involves selecting the Virtual Server Type, Load Balancing Methods, and Health check monitoring (optional) when creating a new virtual server.
The virtual server also requires a Virtual Server IP (External IP Address) and Virtual Server Port (External Port). You'll need to specify the Real Servers (Mapped IP Address & Port) as well.
To configure the load balancing policy, go to Policy & Objects > Firewall Policy and click Create New. Set the Inspection Mode to Proxy-based, as a flow-based firewall policy can only accept TCP/UDP/IP type virtual servers.
Here's an interesting read: Nextjs Loading Indicator Server
You'll also need to enable NAT and set IP Pool Configuration to Use Outgoing Interface Address, as well as enable AntiVirus and select an antivirus profile. Finally, click OK to save the changes.
When configuring the real servers, you can specify the weight (if the load balance method is set to Weighted) and limit the maximum number of open connections between the FortiGate unit and the real server.
Here's a summary of the steps:
- Create a new virtual server with the required options (Virtual Server Type, Load Balancing Methods, Health check monitoring, etc.)
- Configure the load balancing policy with Proxy-based inspection mode and enable NAT and AntiVirus
- Specify the real servers with IP address, port number, weight (if needed), and maximum connections
By following these steps, you can successfully deploy FortiADC SLB4 with FullNAT and WRR.
Technical Details
Fortinet's load balancer is built on top of the FortiOS operating system, which provides a robust and scalable platform for load balancing and traffic management.
Fortinet's load balancer supports multiple protocols, including HTTP, HTTPS, and TCP, allowing for flexible and adaptable traffic management.
The load balancer can be configured to use various load balancing algorithms, such as Round Robin and Least Connection, to ensure optimal traffic distribution and minimize downtime.
Fortinet's load balancer also supports advanced security features, including SSL/TLS inspection and intrusion prevention, to protect against cyber threats and ensure a secure network environment.
Unmatched Application Acceleration

FortiADC offers unmatched application acceleration, load balancing, and web security, making it a robust solution for applications of any scale. It can handle applications within a single data center or serve multiple applications for millions of users worldwide.
The solution includes application acceleration, which ensures fast and efficient delivery of applications to users. This is crucial for businesses that rely on their applications to drive revenue and customer engagement.
FortiADC also includes Web Application Firewall (WAF), Intrusion Prevention System (IPS), and SSL inspection (SSLi) for comprehensive web security. This means businesses can have peace of mind knowing their applications are protected from common web threats.
Link load balancing and user authentication are also part of the FortiADC solution. These features help ensure that applications are always available and accessible to users, even during periods of high traffic or network congestion.
A different take: Application Gateway vs Load Balancer Azure
Dnat Mode
DNAT mode is a common configuration in load balancing. Typically, it uses two interfaces connecting to a client and a real server.
The packet's destination IP is changed after going through the FortiADC VS. This requires setting the default gateway on each server to FortiADC's IP address on the same subnet/VLAN. Alternatively, static routes can be used to send responses to FortiADC's IP address.
To implement DNAT mode, you must use DNAT as the packet forwarding method.
Fullnat Mode
In Fullnat mode, the packet's source and destination address are changed before sending it to real servers. This allows for a high level of customization and flexibility in network configuration.
The user can define their own pool IP address range in the NAT source pool, which is a key feature of Fullnat mode. This means you can choose the specific IP addresses that will be used for NAT.
The NAT source pool's address range is typically in the same network subnet as the real server, which helps to simplify network setup and configuration.
You might enjoy: Devtools Failed to Load Sourcemap: Could Not Load Content
Configuration and Management
Configuring a load balancing virtual server in Fortinet can be done through the GUI or CLI. To create one in the GUI, navigate to Policy & Objects > Virtual Servers, click Create New, and set the real server's IP address and port.
You can also configure multiple real servers with the same settings, such as IP addresses 10.31.101.40 and 10.31.101.50, and the same settings as the first real server.
In the CLI, you can create a health check monitor, virtual server, and add it to a policy as the destination address. This involves creating a health check monitor, a virtual server, and a policy, as shown in the following table:
Configure via GUI
To configure a load balancing virtual server via the GUI, you'll want to start by going to the Policy & Objects section and clicking on Virtual Servers. From there, click on Create New and set the necessary settings for your virtual server.
You'll need to create real servers by clicking on the Real Servers table and then clicking on Create New. For the first real server, set the IP address to 10.31.101.30 and the port to 80. Click OK to save the settings, then repeat the process for two more real servers with IP addresses 10.31.101.40 and 10.31.101.50, using the same settings as the first real server.
The process is relatively straightforward, but it's worth noting that you'll need to configure at least three real servers for load balancing to work effectively.
Https Sessions
HTTPS sessions can be tricky to load balance, especially when proxy inspection is enabled.
In proxy inspection mode, active-active HA doesn't load balance HTTPS sessions with SSL deep packet scanning or certificate inspection enabled.
This is because the traffic must be processed by the primary HA unit in proxy inspection mode.
FortiGate identifies HTTPS sessions as all sessions received on the HTTPS TCP port, which is the default port 443.
A different take: How to Check Google Play Gift Card Balance

If you change the HTTPS port in the SSL/SSH inspection profile applied in the firewall policy, FGCP stops load balancing all sessions that use the custom HTTPS port.
However, HTTPS traffic passing through a firewall policy that doesn't meet the proxy inspection mode criteria can still be load balanced when load-balance-all is enabled.
Product Demo and Examples
You can explore FortiADC's secure application delivery features with a self-guided product demo. This demo is a great way to learn about load balancing and traffic management.
The demo covers three main topics: deploying and configuring load balancing and traffic management, advanced security features and services, and integrations with third-party and Security Fabric tools.
To get started with FortiADC's load balancing capabilities, you can check out the example of HTTP load balancing to three real web servers. This example shows how to configure load balancing for HTTP traffic from the Internet to three HTTP servers on the internal network.
Here's a step-by-step overview of the load balancing configuration:
- Create a health check monitor with a ping health check that pings the real servers every 10 seconds.
- Create a load balance virtual server with three real servers.
- Add the load balancing virtual server to a policy as the destination address.
HTTP to Web Sample

HTTP load balancing can be a lifesaver for web servers under heavy traffic. In this example, a FortiGate unit is load balancing HTTP traffic from the Internet to three HTTP servers on the internal network.
The FortiGate unit accepts HTTP sessions at the wan1 interface with destination IP address 172.20.120.121 on TCP port 8080. It then forwards the sessions from the internal interface to the web servers, translating the destination address to the IP address of one of the web servers.
A health check monitor is created to ensure the web servers can respond to network traffic. This monitor causes the FortiGate to ping the real servers every 10 seconds.
If one of the servers does not respond within 2 seconds, the FortiGate unit will retry the ping 3 times before assuming that the HTTP server is not responding.
To create a load balancing configuration, you'll need to:
- Create a health check monitor, such as a ping health check monitor.
- Create a load balance virtual server with three real servers.
- Add the load balancing virtual server to a policy as the destination address.
FortiADC Product Demo
The FortiADC Product Demo is a self-guided experience that lets you explore secure application delivery. You can learn how to easily deploy and configure load balancing and traffic management.
You'll also get to go over the advanced security features and services of FortiADC. This includes checking out the integrations with third-party and Security Fabric tools.
Here's a breakdown of what you can expect:
- Learn how to easily deploy and configure load balancing and traffic management
- Go over the advanced security features and services of FortiADC
- Check out the integrations with third-party and Security Fabric tools
Monitoring and Logging
Monitoring and Logging is a crucial aspect of Fortinet Load Balancer management. You can configure health check monitoring to verify real servers' responsiveness to network connection attempts.
To enable health check monitoring, go to Policy & Objects > Health Check, click Create New, and set the protocol to match the traffic being load balanced. You can use a single health check monitor for multiple load balancing configurations.
You can also check traffic log and session table information to ensure your load balancer is working as expected. To do this, enable traffic log in virtual server and Log&Report, and check the traffic log for WRR method performance. From the traffic log, you can see traffic distribution according to real server weights.
Here's a quick reference to get you started:
- Protocol options for health check monitors: TCP, HTTP, DNS, and ping
- Recommended protocol for HTTP load balancing: HTTP health check monitor
Health Check Monitoring
Health check monitoring is a crucial aspect of ensuring the reliability of your network. You can configure health check monitoring in the FortiGate GUI to verify that real servers are responding to network connection attempts.
To access the health check monitoring configuration, go to Policy & Objects > Health Check. From there, you can create a new health check monitor by clicking Create New.
The health check monitor configuration determines how the load balancer tests real servers. You can use a single health check monitor for multiple load balancing configurations.
You can configure TCP, HTTP, DNS, and ping health check monitors. It's usually best to set the health check monitor to use the same protocol as the traffic being load balanced to it.
Here are the steps to create a new health check monitor:
- Go to Policy & Objects > Health Check.
- Click Create New.
- Set the follo
Click OK.
By setting up health check monitoring, you can ensure that your load balancer is directing traffic to real servers that are actually responding to requests.
Check Traffic Log and Session Info
To check traffic log and session info, start by enabling traffic log in your virtual server and Log&Report. Enable traffic log to see how traffic is being distributed.
The traffic log will show you how traffic is being directed to real servers based on their weights. For example, if RS1 and RS2 have weights of 1 and 2 respectively, the traffic log will show traffic going to RS2 twice as often as RS1.
From the traffic log, you can verify that the Weighted Round-Robin (WRR) method is working as expected. Check the session table to see which real servers are currently handling sessions.
The session table will show you which real servers are currently active and handling sessions, based on the weights you've assigned.
Failover and Scheduling
Failover is a crucial aspect of Fortinet load balancer, and it's designed to keep your network running smoothly even in the event of a failure.
If a subordinate unit fails, the primary unit redistributes the sessions that the subordinate was processing among the remaining active cluster members.
The load balancing schedule controls how the primary unit distributes packets to all cluster units, with options including least connection, round robin, weighted round robin, random, IP, and IP port.
In the event of a primary unit failure, the subordinate units negotiate to select a new primary unit, which continues to distribute packets among the remaining active cluster units.
Here's a summary of the load balancing schedule options:
Active-Active Failover
Active-Active Failover is a key component of high availability systems, ensuring that traffic is always directed to an active unit.
If a subordinate unit fails, the primary unit takes over its sessions, redistributing them among the remaining active cluster members.
In a two-unit cluster, if the primary unit fails, the subordinate unit becomes the new primary unit, negotiating to assume control of the HA virtual MAC address for all its interfaces.
The single remaining unit continues to function as a primary unit, processing all traffic and maintaining the HA virtual MAC address for its interfaces.
Schedules
Schedules are a crucial aspect of load balancing, and they determine how the primary unit distributes packets to all cluster units. The load balancing schedule controls the distribution of traffic, and there are several options to choose from.
The "None" option is a simple choice that disables load balancing altogether. This is useful when the cluster interfaces are connected to load balancing switches, and the primary unit doesn't need to load balance traffic.
The "Least connection" schedule distributes traffic to the cluster unit currently processing the fewest connections. This helps to ensure that no single unit becomes overwhelmed with traffic.
Here are the load balancing schedule options in a table:
The "Round robin" schedule is another option that distributes traffic to the next available cluster unit. This helps to ensure that all units are utilized equally.
Security and Protocols
Fortinet's load balancer, FortiGate, offers robust security and protocol support. FortiGate SSL/TLS offloading accelerates key exchange and encryption/decryption tasks using FortiASIC technology, providing significantly more performance than a standard server or load balancer.
Discover more: Fortinet Fortigate 800d Ngfw End of Life
This offloading frees up valuable resources on the server farm, allowing for better response to business operations. FortiGate SSL offloading supports most SSL/TLS versions, including SSL 3.0, TLS 1.0, TLS 1.2, and TLS 1.3.
The FortiGate load balancer also allows for SSL/TLS content inspection, which prevents intrusion attempts, blocks viruses, stops unwanted applications, and prevents data loss. This is achieved by inspecting the application payload before it reaches the servers.
Here are the supported SSL/TLS versions for FortiGate SSL offloading:
- SSL 3.0
- TLS 1.0
- TLS 1.1
- TLS 1.2
- TLS 1.3
Ssl/Tls
SSL/TLS offloading is a crucial feature in FortiGate that allows for the acceleration of key exchange and encryption/decryption tasks using FortiASIC technology.
This technology provides significantly more performance than a standard server or load balancer, freeing up valuable resources on the server farm to give better response to business operations.
Server load balancing offloads most SSL/TLS versions, including SSL 3.0, TLS 1.0, TLS 1.2, and TLS 1.3, and supports full mode or half mode SSL offloading with DH key sizes up to 4096 bits.
The certificate used for SSL/TLS offloading by the virtual server configuration may contain multiple domain names, including wildcard domains.
This certificate is returned to clients attempting to connect to the real server behind the FortiGate.
SSL/TLS content inspection supports TLS versions 1.0, 1.1, 1.2, and 1.3 and SSL versions 1.0, 1.1, 1.2, and 3.0.
Here are the supported SSL/TLS versions:
- SSL 3.0
- TLS 1.0
- TLS 1.1
- TLS 1.2
- TLS 1.3
By offloading SSL/TLS tasks to the FortiGate unit, you can prevent intrusion attempts, block viruses, stop unwanted applications, and prevent data loss by inspecting the application payload before it reaches your servers.
Additional reading: Email Message Your Network Settings Prevent Content from Loading Privately
Tunneling Mode
Tunneling mode is a method of routing packets, where the original packet is encapsulated inside an ipip packet, allowing the real server to receive the original packet.
The FortiADC VS uses direct routing mode as a basis for tunneling mode, encapsulating the original packet with the client's IP and Virtual Server IP inside an ipip packet of the ADC IP and real server IP.
This encapsulated packet is then routed to the real server, where it's received on a tunl0 device and decapsulated, revealing the original packet.
Deployment Scenarios
Fortinet load balancer offers flexible deployment options, allowing you to choose the best fit for your organization.
You can deploy Fortinet load balancer as a high-performance hardware appliance, providing a robust and reliable solution for demanding environments.
Alternatively, you can opt for a virtual appliance, which offers greater flexibility and ease of deployment.
Fortinet load balancer is also available on-demand via major cloud marketplaces, including AWS, Azure, Google Cloud, and Oracle Cloud, making it easy to get started quickly.
This flexibility allows you to deploy Fortinet load balancer in a variety of scenarios, from on-premises data centers to cloud-based environments.
Frequently Asked Questions
What is load balance in FortiGate?
Load balancing in FortiGate distributes traffic across multiple servers to ensure efficient use of resources and high availability. It automatically skips non-responsive servers, ensuring uninterrupted traffic flow.
Featured Images: pexels.com

