1,114 163 39MB
English Pages [317]
DO NOT REPRINT © FORTINET
FortiADC Study Guide for FortiADC 6.2
DO NOT REPRINT © FORTINET Fortinet Training https://training.fortinet.com Fortinet Document Library https://docs.fortinet.com Fortinet Knowledge Base https://kb.fortinet.com Fortinet Fuse User Community https://fusecommunity.fortinet.com/home Fortinet Forums https://forum.fortinet.com Fortinet Support https://support.fortinet.com FortiGuard Labs https://www.fortiguard.com Fortinet Network Security Expert Program (NSE) https://training.fortinet.com/local/staticpage/view.php?page=certifications Fortinet | Pearson VUE https://home.pearsonvue.com/fortinet Feedback Email: [email protected]
12/22/2021
DO NOT REPRINT © FORTINET
TABLE OF CONTENTS 01 Introduction and Initial Configuration 02 Virtual Servers and Load Balancing 03 Advanced Server Load Balancing 04 Link Load Balancing and Advanced Networking 05 Global Load Balancing 06 Security 07 Advanced Configurations 08 Monitoring, Troubleshooting, and System Maintenance
4 32 81 118 156 193 250 288
Introduction and Initial Configuration
DO NOT REPRINT © FORTINET
In this lesson, you will learn about application delivery networks, features and benefits of FortiADC, and how to configure initial system settings.
FortiADC 6.2 Study Guide
4
Introduction and Initial Configuration
DO NOT REPRINT © FORTINET
In this lesson, you will learn about the topics shown on this slide.
FortiADC 6.2 Study Guide
5
Introduction and Initial Configuration
DO NOT REPRINT © FORTINET
After completing this section, you should be able to achieve the objectives shown on this slide. By demonstrating competence in understanding the basics of application delivery, the benefits offered by FortiADC, and accessing the FortiADC using the CLI and GUI, you will be able to implement FortiADC and its features in your network.
FortiADC 6.2 Study Guide
6
Introduction and Initial Configuration
DO NOT REPRINT © FORTINET
An application delivery network (ADN) is a network infrastructure designed specifically to provide application and web services availability, security, and acceleration to users. Today’s business services, such as global ecommerce and multimedia streaming, are evolving rapidly, causing rigorous demands on ADN availability, performance, and cybersecurity protection. To support this ever-growing digital transformation trend, the ADN in modern data center and cloud environments typically comprises high-end routing and switching equipment, WAN acceleration appliances, next generation firewalls, application delivery controllers (ADCs), storage area networks (SANs), and servers. The example on this slide illustrates an enterprise ADN design using various Fortinet products. At the center of the ADN are the FortiGate and FortiADC devices. FortiGate is the foundation of the Security Fabric that integrates FortiADC and other fabric-ready network devices into a unified security landscape. This greatly streamlines the security management, creating a single-pane-of-glass management structure. A pair of FortiADC devices, the application delivery controller, form a high availability cluster for Layer 4 and advanced Layer 7 server load balancing. FortiADC supports global server load balancing across multiple data centers or cloud environments, and distributes user traffic to the application servers based on data MIME types, session persistence, server health, DNS round robin, or geographical proximity. Besides server load balancing, FortiADC can offload HTTPS SSL decryption and encryption from the application servers to improve server performance. The HTTP compression, QoS, and TCP multiplexing features on FortiADC reduce network bandwidth usage. The SSL offloading and application layer processing are essential for application acceleration.
FortiADC 6.2 Study Guide
7
Introduction and Initial Configuration
DO NOT REPRINT © FORTINET
An ADN is composed of a suite of network equipment working seamlessly together to maximize the application performance and security protection. Conducting a detailed ADN requirement analysis before deploying firewalls and ADCs is key to building an adaptive and resilient ADN. The primary function of the application security network is to provide efficient and secure application delivery with the ability to scale, as needed, for any size organization. You can achieve reliability and scalability by managing traffic more efficiently using load balancers. Load balancers also provide health check and redundancy, and can automatically reroute traffic, when needed. You can improve performance by using compression technologies, offloading encryption, and providing content routing. You can enhance security with IP filtering, delayed binding, application firewalls, and SSL encryption. FortiADC offers the features you need to achieve each of these goals.
FortiADC 6.2 Study Guide
8
Introduction and Initial Configuration
DO NOT REPRINT © FORTINET
What is an ADC? Traditional load balancers work mostly at Layer 4, balancing TCP/UDP sessions, with very limited Layer 7 support. They usually have very basic health check mechanisms and algorithms to distribute traffic between servers. Some of them have session persistence, but only by source IP address. Today, web servers don’t just deliver static content. They deliver dynamic, content-rich applications. Simple load balancing is no longer sufficient to meet the basic needs of most organizations. An ADC improves what a traditional load balancer does, so you have more control and can make better decisions about what happens at Layer 7. FortiADC is an advanced ADC that optimizes application performance and availability, while securing the application both with its own native security tools, and by integrating application delivery in to the Fortigatecentric security fabric and FortiGuard Cloud Services. FortiADC supports global server load balancing (GSLB), which allows you to load balance traffic among servers at geographically distant locations. FortiADC includes application acceleration, WAF, intrusion prevention system (IPS), SSL offloading, link load balancing, and user authentication in one solution. You can deploy FortiADC as a physical or virtual machine (VM), or as a cloud solution.
FortiADC 6.2 Study Guide
9
Introduction and Initial Configuration
DO NOT REPRINT © FORTINET
FortiADC provides enterprise-class application delivery and additional features that make applications reliable, responsive, and easy to manage. First and foremost, FortiADC is a server load balancer that allows applications to scale reliably across multiple servers in a data center. Persistence ensures user connections are routed back to the correct server for seamless and transparent continuity of applications. SSL offloading relieves servers and firewalls from the CPU-intensive tasks of decryption and encryption of secure application traffic. HTTP compression and content caching speed the delivery of content to users and reduce bandwidth needs. Quality of service (QoS) can be used to prioritize traffic by type, to minimize disruptions to applications that are sensitive to latency. Contentbased routing sends traffic to specific servers, based on URL or business rules by traffic type. Global server load balancing provides disaster recovery by spanning applications across multiple data centers or cloud. Link load balancing provides ISP redundancy and increases application bandwidth. Advanced WAF detects zero-day attacks and protects from OWASP top-10 threats. IPS detects and blocks network attacks with signature-based defense.
FortiADC 6.2 Study Guide
10
Introduction and Initial Configuration
DO NOT REPRINT © FORTINET
FortiADC 6.2 Study Guide
11
Introduction and Initial Configuration
DO NOT REPRINT © FORTINET
Good job! You now understand application delivery networks and have an overview of some of the features and benefits of the FortiADC.
FortiADC 6.2 Study Guide
12
Introduction and Initial Configuration
DO NOT REPRINT © FORTINET
After completing this section, you should be able to achieve the objectives shown on this slide. By demonstrating competence in understanding deployment options, initial network and system configurations, and the management of administrator accounts, you will be able perform an initial FortiADC deployment.
FortiADC 6.2 Study Guide
13
Introduction and Initial Configuration
DO NOT REPRINT © FORTINET
There are many deployment options for FortiADC, ranging from a standalone FortiADC that directly connects to the internet, all the way to the globally distributed FortiADC devices in complex enterprise and cloud data center environments. Before deploying FortiADC to a network, the designer should evaluate the requirements, including the servers and type of applications, and the network requirements. The following are important design considerations: • • • •
Network design Performance Security High availability (HA)
Before you deploy FortiADC, conducting a detailed design analysis of your server load balancing objectives and performance requirements, including the network, security, servers, and applications, ensures a robust and scalable network design.
FortiADC 6.2 Study Guide
14
Introduction and Initial Configuration
DO NOT REPRINT © FORTINET
There are many deployment options, ranging from a standalone FortiADC that performs basic Layer 4 and Layer 7 load balancing, to globally distributed FortiADC devices in complex enterprise and multi-tenant cloud data center environments. FortiADC is typically deployed behind the firewall and in front of the application servers in an ADC network. The topology shown on this slide illustrates a basic server load balancing setup in a single network path. This is the most standard load balancing deployment mode. It is also called router mode. In this mode, FortiADC is the default gateway of the servers, so all client traffic is sent through FortiADC. Clients send HTTP requests to the FortiADC virtual server IP address or fully qualified domain name (FQDN), which functions as a reverse proxy. And FortiADC load balances the traffic between the Web Servers. The FortiADC network interfaces are connected to a FortiGate, which is the firewall and default gateway for the FortiADC, a subnet for management; a subnet for real servers A, B, and C; and another subnet for real servers D, E, and F. Real servers are hosted in the different subnets for redundancy, or to segregate different application resources. The FortiADC system performs health checks on the real servers, and distributes traffic to the application servers based on the user-configured load balancing algorithms and settings. FortiADC supports additional features, including SSL encryption/decryption, WAF protection, Gzip compression, and NAT routing processes, to enhance application security and performance. This deployment model improves server performance, provides application availability and scalability, and protects servers from the security breaches.
FortiADC 6.2 Study Guide
15
Introduction and Initial Configuration
DO NOT REPRINT © FORTINET
The example on this slide illustrates a service provider ADN for a multi-tenant environment. The ADN supports local and global load balancing across multiple data centers. The use case for this model is to build a cost-effective, high-availability, fully-redundant, and secure ADN infrastructure. The key components in each data center are a pair of FortiGate and FortiADC devices running in their HA cluster. FortiGate and FortiADC connection is a mesh topology. HA clusters provide software redundancy and the mesh topology ensures uninterrupted connectivity upon link layer failure. FortiGate protects the data center against sophisticated cyber threats. FortiGate devices have dual-homed connections to the ISP through static routes. In each FortiADC pair, VDOMs are configured for each tenant. A VDOM, analogous to a virtual machine, is a complete FortiADC instance running on the FortiADC device. Each VDOM runs separately and provides complete ADC services for each tenant, thus achieving cost-effective multi-tenant hosting. FortiADC supports DNS-based global server load balancing. The FortiADC in the primary data center is the authoritative DNS server for all virtual servers in the global server load balancer (GSLB) framework. Remote users connect to virtual servers through a DNS query, and FortiADC distributes the traffic to the nearest data center or to the application servers, based on the user-configured load balancing algorithms and settings. Optionally, service providers can leverage the AI-powered FortiSandbox Cloud service to safeguard the network from malware, ransomware, and evolving zero-day attacks.
FortiADC 6.2 Study Guide
16
Introduction and Initial Configuration
DO NOT REPRINT © FORTINET
FortiADC-VM is a virtual appliance version of FortiADC. The hypervisor environments that FortiADC-VM supports include VMware ESX/ESXi, Citrix XenServer, Open Source Xen, Microsoft Hyper-V, and KVM. FortiADC-VM also supports AWS, Azure, Google Cloud, and Oracle Cloud deployments. The VM instance has the same Layer 4 and Layer 7 local and global server load balancing, VDOM, HA, and security features as the hardware appliance, except for the ASIC hardware SSL offloading acceleration. The actual performance of FortiADC-VM depends on the host machine hardware. The best practice is to install FortiADC-VM on a bare metal hypervisor to fully utilize the hypervisor and hardware computing resources. FortiADC-VM is suitable for small, medium, and large enterprises deployment. The network diagram on the slide shows FortiADC-VM deployed in VMware, Hyper-V, and KVM hypervisors together with the application server virtual machines in two sites. FortiADC-VM connects to FortiGate and application servers through virtual switches. Clients access application servers through FortiADC virtual servers, and client connections are distributed to the application servers according to user-configured load balancing algorithms and settings. FortiADC-VM requires periodic license validation with FortiGuard services. If the license is not validated for 24 hours, access to FortiADC-VM web UI and CLI are locked.
FortiADC 6.2 Study Guide
17
Introduction and Initial Configuration
DO NOT REPRINT © FORTINET
Like many Fortinet devices, FortiADC offers two user interfaces: a GUI and a CLI. You can access the CLI using SSH, Telnet, or the console port, which is usually located on the front panel of FortiADC. You will need to configure a password for the admin user during the initial login. You can also use the console widget located in the upper-right corner of the FortiADC GUI.
FortiADC 6.2 Study Guide
18
Introduction and Initial Configuration
DO NOT REPRINT © FORTINET
To access the GUI, use a browser and HTTP or HTTPS. By default, port1 of FortiADC has the IP address of 192.168.1.99. A default administrator user is configured on FortiADC. You cannot delete the default administrator user account. Keep in mind that if the initial login was performed using CLI, the admin user will need to use the password set at that time. Remember to change the default password as soon as possible after deploying the FortiADC.
FortiADC 6.2 Study Guide
19
Introduction and Initial Configuration
DO NOT REPRINT © FORTINET
When you log in to the FortiADC GUI for the first time, the GUI will display the System Getting Started Wizard. This wizard will guide you through the basic setup of your FortiADC, including: • • • • • •
Date, time, and NTP server HA management Gateway Interfaces Virtual servers Real servers
FortiADC 6.2 Study Guide
20
Introduction and Initial Configuration
DO NOT REPRINT © FORTINET
This slide shows a screen shot of the FortiADC dashboard, which contains multiple widgets and tabs. You can customize the dashboard using the Edit button, or add additional dashboards from the menu on the left side of the window, using the Create Dashboard button. The System Information widgets and header bar display the host name, system time and uptime, serial number and firmware version, as well as shutdown, reboot, and factory reset commands. The License widget displays license status and provides a link to more detailed support information, such as service contract expiry dates. The Log Event widget displays recent activity. The Resource Usage widget allows an administrator to monitor CPU, RAM, and disk usage, as well as system metrics. To launch the console widget, in the upper-right corner of the header bar, click the console icon.
FortiADC 6.2 Study Guide
21
Introduction and Initial Configuration
DO NOT REPRINT © FORTINET
One of the first settings you must configure for any FortiADC is the network interface configuration. You can assign an IP address to each FortiADC interface, and specify the permitted administrative access protocols for each interface. To create a VLAN interface, click Create New.
FortiADC 6.2 Study Guide
22
Introduction and Initial Configuration
DO NOT REPRINT © FORTINET
Any FortiADC must have at least one default gateway and one default static route. On the Routing screen, which is shown on this slide, you can add the default route and gateway, as well as create static routes to the subnets in your network.
FortiADC 6.2 Study Guide
23
Introduction and Initial Configuration
DO NOT REPRINT © FORTINET
On the Settings view, you can configure a primary and a secondary DNS server. FortiADC uses the primary DNS server until the primary DNS server fails to respond. Then, FortiADC switches to the secondary DNS server. You can configure other top-level FortiADC settings from this view, including: • Hostname • Interface language • Idle timeout • TCP ports used for administrative access, which you can change from their default settings • Primary DNS and secondary DNS • Virtual domain
FortiADC 6.2 Study Guide
24
Introduction and Initial Configuration
DO NOT REPRINT © FORTINET
If you don’t have access to the GUI, you can use the CLI to configure a network interface. The command shown on this slide allows you to access interface configuration subcommands. Using the edit subcommand and substituting the interface name, such as port1, as an argument allows you to configure various interface options for that interface. You can then use the set subcommand to configure individual parameters available for the network interface. In the example shown on this slide, the set ip address subcommand and object specify which IP address and subnet mask to use. You can also use the set allowaccess subcommand to specify which administrative access protocols to permit over that interface.
FortiADC 6.2 Study Guide
25
Introduction and Initial Configuration
DO NOT REPRINT © FORTINET
Using FortiADC, you can aggregate multiple physical interfaces into a single logical interface known as a link aggregation. Link aggregations are used most often to combine the bandwidth of two interfaces to increase throughput or to add redundancy to a network connection. You can configure link aggregations using only the CLI, not the GUI. This slide shows the commands you use to configure an aggregated link. After you configure the link aggregation, you can assign a single IP address to it. Link aggregation technology is based on the Link Aggregation Control Protocol (LACP), which is part of the IEEE 802.3ad specification, and is commonly referred to as port trunking, bonding, or teaming.
FortiADC 6.2 Study Guide
26
Introduction and Initial Configuration
DO NOT REPRINT © FORTINET
Each administrator account is assigned an access profile in which you specify the level of access the administrator has for commands and configuration sections. For example, you could create a special administrator access profile to delegate security permissions, allowing personnel to manage the device’s security settings, while also denying them the right to modify router, server load balancing, link load balancing, and global load balancing features, which the organization could be using to provide a chargeable service to their clients.
FortiADC 6.2 Study Guide
27
Introduction and Initial Configuration
DO NOT REPRINT © FORTINET
This slide shows the screen you use to create an administrator account. You can set up an administrator account to allow the administrator to access FortiADC only from a specific trusted host subnet. In an administrator account, you can set permissions to allow or disallow the administrator to change global system settings. You can associate a specific administrator access profile with the administrator account. If VDOMs are enabled on FortiADC, you can assign VDOMs to an administrator account, limiting the their administrative capabilities to just the selected VDOMs.
FortiADC 6.2 Study Guide
28
Introduction and Initial Configuration
DO NOT REPRINT © FORTINET
FortiADC 6.2 Study Guide
29
Introduction and Initial Configuration
DO NOT REPRINT © FORTINET
Congratulations! You have completed this lesson. Now, you will review the objectives that you covered in this lesson.
FortiADC 6.2 Study Guide
30
Introduction and Initial Configuration
DO NOT REPRINT © FORTINET
This slide shows the objectives you covered in this lesson. By mastering the basics of FortiADC, you can identify how FortiADC would benefit your network, and deploy a FortiADC in your network.
FortiADC 6.2 Study Guide
31
Virtual Servers and Load Balancing
DO NOT REPRINT © FORTINET
In this lesson, you will learn about virtual servers, their components, and the basic settings necessary to configure FortiADC to load balance.
FortiADC 6.2 Study Guide
32
Virtual Servers and Load Balancing
DO NOT REPRINT © FORTINET
In this lesson, you will learn about the topics shown on this slide.
FortiADC 6.2 Study Guide
33
Virtual Servers and Load Balancing
DO NOT REPRINT © FORTINET
After completing this section, you should be able to achieve the objectives shown on this slide. By demonstrating competence in understanding virtual servers and application delivery control, you will be better able to design a FortiADC deployment.
FortiADC 6.2 Study Guide
34
Virtual Servers and Load Balancing
DO NOT REPRINT © FORTINET
Virtual servers are positioned between connecting clients and pools of real servers to perform application delivery control (ADC). The clients are likely not aware the virtual server is not the actual server they receive content from. This architecture allows the incoming traffic to be evaluated and processed for security control, performance, and load balancing. Server pools are assigned to virtual servers, and each server pool contains one or more real servers. Three types of virtual servers can be configured on the FortiADC for application delivery control, depending on the desired capabilities. The three types are: Layer 7, Layer 4 and Layer 2.
FortiADC 6.2 Study Guide
35
Virtual Servers and Load Balancing
DO NOT REPRINT © FORTINET
With Layer 7 virtual servers, application traffic decisions are made more intelligently. However, more packets are required for the decisions to be made, so making the decisions takes more time than it does on Layer 4 virtual servers. HTTP content can be inspected and modified, and load balancing decisions can be made based on content. IPv4 and IPv6 are supported on Layer 7 virtual servers.
FortiADC 6.2 Study Guide
36
Virtual Servers and Load Balancing
DO NOT REPRINT © FORTINET
When you use Layer 4 virtual servers, traffic is processed using the first packet of any new session. This method is the fastest option, and it supports IPv4 and IPv6. Destination NAT (DNAT) is the default method used for packet forwarding with Layer 4 virtual servers, and it should be noted that if the FortiADC is not the default gateway for the real servers, asymmetric routing issues can occur.
FortiADC 6.2 Study Guide
37
Virtual Servers and Load Balancing
DO NOT REPRINT © FORTINET
When you use Layer 2 ADC, traffic is balanced among multiple next hop gateways. Like Layer 7 ADC, Layer 2 also supports the inspection and modification of HTTP content. However, only IPv4 is supported with Layer 2 virtual servers. Layer 2 can be used to balance traffic among multiple gateways or links when the real server IP addresses are not known.
FortiADC 6.2 Study Guide
38
Virtual Servers and Load Balancing
DO NOT REPRINT © FORTINET
When you use Layer 4 ADC, FortiADC simply forwards traffic to the real server, which is why it is the fastest of the three methods. When you use Layer 2 and Layer 7 ADC, FortiADC proxies the TCP traffic to the real server. This means that the three-way handshake happens first between the client and FortiADC. Once the TCP session is up, FortiADC establishes a new TCP session with the server by performing another three-way handshake. This means that a FortiADC using Layer 2 and Layer 7 ADC splits the TCP session into two parts: one between the client and the FortiADC device, and one between the FortiADC device and the server.
FortiADC 6.2 Study Guide
39
Virtual Servers and Load Balancing
DO NOT REPRINT © FORTINET
When you configure virtual servers on FortiADC, you configure many objects: some are mandatory and some are optional. The mandatory objects are the real servers, server pool, application profile, and load balancing method. This slide shows a summary of the objects that you can create in a FortiADC configuration. It also shows which objects are mandatory, or are the minimum required for configuration of FortiADC. In this lesson, you will learn how each of the mandatory objects is created, as well as a server health check, one of the most common optional objects used.
FortiADC 6.2 Study Guide
40
Virtual Servers and Load Balancing
DO NOT REPRINT © FORTINET
There are two options for virtual server configuration in FortiADC: basic mode and advanced mode. Basic mode is intended for less experienced FortiADC users. You only need to specify the basic settings needed to configure a virtual server. More advanced parameters are automatically set using default values. Advanced mode is intended for experienced users. In this mode, advanced options and settings are available for configuration.
FortiADC 6.2 Study Guide
41
Virtual Servers and Load Balancing
DO NOT REPRINT © FORTINET
FortiADC 6.2 Study Guide
42
Virtual Servers and Load Balancing
DO NOT REPRINT © FORTINET
Good job! You now understand the concepts of virtual servers and application delivery control. Now, you will learn about health checks, real servers and server pools.
FortiADC 6.2 Study Guide
43
Virtual Servers and Load Balancing
DO NOT REPRINT © FORTINET
After completing this section, you should be able to achieve the objectives shown on this slide. By demonstrating competence in understanding real server health checks, server pools, and real servers, you will be able to deploy virtual servers with the appropriate capabilities.
FortiADC 6.2 Study Guide
44
Virtual Servers and Load Balancing
DO NOT REPRINT © FORTINET
Real server health checks are one of the most commonly used optional components of a virtual server. Servers are polled frequently to determine the server state as defined in the health check. The server is considered down or unresponsive to the polls within the timeout period. The server is considered up when it responds to a user-specified number of consecutive polls.
FortiADC 6.2 Study Guide
45
Virtual Servers and Load Balancing
DO NOT REPRINT © FORTINET
There are many different methods that you can use to perform a health check with FortiADC. The most basic method is to send an ICMP or TCP echo request. Using this method, the FortiADC sends an ICMP or TCP echo request to the server, and waits for a reply. The sending of a GET or HEAD request can be used to validate HTTP or HTTPS servers. The response content from the server can be evaluated, allowing for a more granular determination of health. The completion of a three-way TCP handshake to a specific port can be used to validate that the server supports TCP. If the server is a domain name system (DNS) server, FortiADC can send a DNS A record request to the server and wait for a specific IP address as a response to confirm that DNS is running correctly. If the server is a RADIUS, SMTP, POP3, or IMAP4 server, you can configure FortiADC to log in to the server to confirm that the service is running.
FortiADC 6.2 Study Guide
46
Virtual Servers and Load Balancing
DO NOT REPRINT © FORTINET
If the server is an FTP server, you can configure FortiADC to log in to the FTP server to check that a specific file is there. FortiADC can use SNMP to poll the server using the SNMP protocol to get the current CPU, memory, and disk usage. The server is assumed to be unresponsive if it doesn’t reply, or if any of those usage values goes above a preconfigured threshold. FortiADC can also perform a TCP half open check. FortiADC sends the sync and waits for the sync acknowledge. As soon as the sync acknowledge is received, FortiADC sends a reset to close the session. For protocols based on SSL over TCP, FortiADC can establish an SSL connection to check if the service is up. The result of the SSL connection will verify the status of the server.
FortiADC 6.2 Study Guide
47
Virtual Servers and Load Balancing
DO NOT REPRINT © FORTINET
The physical servers that exist in the application delivery network are represented by objects called real servers in the FortiADC.
FortiADC 6.2 Study Guide
48
Virtual Servers and Load Balancing
DO NOT REPRINT © FORTINET
Server pools are groups of real servers. A FortiADC virtual server will use these server pools for load balancing and can monitor the state of the member servers using health checks.
FortiADC 6.2 Study Guide
49
Virtual Servers and Load Balancing
DO NOT REPRINT © FORTINET
When adding real servers to a server pool, they can be selected from a list of existing real servers, or they can be created and added directly from within the server pool configuration. Real servers that have been added as members to a server pool can be further configured with settings for things like connection limits, warm up times, rates, and so on.
FortiADC 6.2 Study Guide
50
Virtual Servers and Load Balancing
DO NOT REPRINT © FORTINET
For each server, you can configure a maximum number of concurrent connections. That maximum rate is used under normal operating conditions. You can also configure a lower rate than FortiADC uses while the server is rebooting or is finished rebooting, but isn’t ready to operate at full capacity. This is called the warm rate. When you configure a Warm Rate setting, FortiADC uses it during a warm-up period, specified in the Warm Up setting, when the server is back online after a health check, or when the status of the server is set to Enabled, from Maintain, or Disabled.
FortiADC 6.2 Study Guide
51
Virtual Servers and Load Balancing
DO NOT REPRINT © FORTINET
FortiADC 6.2 Study Guide
52
Virtual Servers and Load Balancing
DO NOT REPRINT © FORTINET
Good job! You now understand health checks, real servers, and server pools. Now, you will learn about application profiles.
FortiADC 6.2 Study Guide
53
Virtual Servers and Load Balancing
DO NOT REPRINT © FORTINET
After completing this section, you should be able to achieve the objective shown on this slide. By demonstrating competence in configuring and using application profiles, you will be able to effectively utilize them as part of a virtual servers configuration.
FortiADC 6.2 Study Guide
54
Virtual Servers and Load Balancing
DO NOT REPRINT © FORTINET
Application profiles specify the protocol of the traffic to be load balanced. There are many different profile types, and not all of them are supported by the three different virtual server types. This table shows some of the profiles, and which ones are supported by each type of virtual server. FortiADC supports nearly 20 predefined profiles, as well as the ability to create custom profiles.
FortiADC 6.2 Study Guide
55
Virtual Servers and Load Balancing
DO NOT REPRINT © FORTINET
TCP, UDP, and FTP profiles require the configuration of session timeout and the TCP session timeout after FIN. The Timeout TCP Session setting specifies how long a TCP session without traffic remains in memory. The TCP session time out after FIN setting specifies how long a session remains in memory after a FIN packet has been sent, and while no FIN acknowledge packets have been received.
FortiADC 6.2 Study Guide
56
Virtual Servers and Load Balancing
DO NOT REPRINT © FORTINET
The images on this slide show the HTTP profile. If the Client Address setting is enabled, FortiADC uses the client IP address to set up the connection to the back-end server, so it will not change the source IP address of the packets. If the client traffic contains the X-Forwarded-For field, FortiADC gets the client IP address from there. If the setting is disabled, FortiADC uses its own IP address to connect to the back-end server so it will be doing source NAT.
FortiADC 6.2 Study Guide
57
Virtual Servers and Load Balancing
DO NOT REPRINT © FORTINET
The HTTPS profile is the same as the HTTP profile, allowing for configurations including IP reputation, compression, caching, Geo IP options and so on. However, when a virtual server is assigned an HTTPS profile, a resources option is displayed for selection of a client SSL profile. Within the client SSL profile, you specify the digital certificate that is presented to clients that want to connect to the server.
FortiADC 6.2 Study Guide
58
Virtual Servers and Load Balancing
DO NOT REPRINT © FORTINET
The X-Forwarded-For Header field is the standard that identifies the original client IP address. It’s appended by some devices that change the source IP address such as web proxies, or load balancers, or devices doing source NAT. FortiADC can add this field or can use it to make decisions related to load balancing.
FortiADC 6.2 Study Guide
59
Virtual Servers and Load Balancing
DO NOT REPRINT © FORTINET
HTTP turbo is similar to the HTTP profile except that it doesn’t support advanced ADC features, such as caching, compression, content rewriting, rate limiting, Geo IP blocking, or source NAT (SNAT). You can use it with content routing and DNAT, as long as the HTTP request is contained in the first data packet. It enables packet-based forwarding, which reduces network latency and system CPU usage. However, HTTP turbo is not recommended if you anticipate dropped or out-of-order packets.
FortiADC 6.2 Study Guide
60
Virtual Servers and Load Balancing
DO NOT REPRINT © FORTINET
FortiADC 6.2 Study Guide
61
Virtual Servers and Load Balancing
DO NOT REPRINT © FORTINET
Good job! You now understand the concepts of virtual server application delivery control. Now, you will learn about basic load balancing and FortiView analytics.
FortiADC 6.2 Study Guide
62
Virtual Servers and Load Balancing
DO NOT REPRINT © FORTINET
After completing this section, you should be able to achieve the objectives shown on this slide. By demonstrating competence in describing the different load balancing configuration objects and methods, you will be able to apply them to FortiADC to balance the traffic load in your network.
FortiADC 6.2 Study Guide
63
Virtual Servers and Load Balancing
DO NOT REPRINT © FORTINET
There is a predefined list of load balancing configurations, including options for all methods. Additional configurations can be created; however, the created configurations will work the same as the pre-existing ones, but with user-specified names. This may be desirable to leverage a specific naming convention. This table shows which methods are supported by each type of virtual server. The dynamic load method relies on the use of an SNMP health check. The check evaluates the CPU, memory, and disk usage of a server, and compares the results to defined thresholds.
FortiADC 6.2 Study Guide
64
Virtual Servers and Load Balancing
DO NOT REPRINT © FORTINET
A list of load balancing methods is shown on this slide, and these methods work as follows: • Round robin: The traffic load is balanced by rotating through the servers in sequence. For example, server 1, then server 2, then server 3, and so on. • Least connections: Selects the server with the fewest connections. • Fastest response: Selects the server with the fastest response to health check tests. • Destination IP hash: Selects the next hop based on a hash of the destination IP address. This method is only available when you are using a Layer 2 virtual server. • Dynamic load: Selects the server based on SNMP health check results. Weight is assigned based on CPU, memory, and disk usage.
FortiADC 6.2 Study Guide
65
Virtual Servers and Load Balancing
DO NOT REPRINT © FORTINET
This slide shows a list of the Layer 4 packet forwarding methods. Multiple methods for packet forwarding are available for Layer 4 virtual servers. These methods are: • Direct routing • DNAT • Full NAT • Tunneling • NAT46 • NAT64
FortiADC 6.2 Study Guide
66
Virtual Servers and Load Balancing
DO NOT REPRINT © FORTINET
Using the direct routing packet forwarding method, known elsewhere as direct server return, FortiADC doesn’t change the IP addresses in the packets coming from the client. Instead, FortiADC forwards packets to the server keeping the same source IP address and the same destination IP address. This means that the virtual server IP address must match the real server IP address. Server replies can go either through FortiADC or directly to the client without passing through the FortiADC device. The direct routing method is often configured on a single VLAN or subnet, where the cluster IP and the server IP addresses are all on the internal interface. It can also be used in multiple VLAN configurations, although this is less common. For FTP profiles, you must use a persistence method.
FortiADC 6.2 Study Guide
67
Virtual Servers and Load Balancing
DO NOT REPRINT © FORTINET
Using DNAT, FortiADC changes the destination IP address of the packets coming from the client. When configuring DNAT, you should note that the real server will respond to the client requests using their default gateway. If the FortiADC is not also the default gateway for the real server, asymmetric routing issues can be introduced.
FortiADC 6.2 Study Guide
68
Virtual Servers and Load Balancing
DO NOT REPRINT © FORTINET
Using full NAT, FortiADC changes both the source IP address and the destination IP address. In order to specify the NAT IP addresses for the source IP address, you have to create a source pool. This is often used when the real server gateway is not the load balancer and you want to avoid asymmetric traffic. You would use Full NAT primarily when you are using FortiADC in a one-arm configuration.
FortiADC 6.2 Study Guide
69
Virtual Servers and Load Balancing
DO NOT REPRINT © FORTINET
FortiADC also supports tunneling. This allows FortiADC to send client requests to real servers through Layer 4 IP tunnels. FortiADC encapsulates the original packet, with the client to virtual server IP addresses, and routes the packets to the real server. The real server will decapsulate the packet (containing the client IP to virtual server IP) and respond to the client. The real servers will be configured with a secondary IP that is the same as the virtual server.
FortiADC 6.2 Study Guide
70
Virtual Servers and Load Balancing
DO NOT REPRINT © FORTINET
Using NAT46, FortiADC replaces both the destination and source IP addresses, translating IPv4 addresses to IPv6 addresses. The source IP address is replaced by an IP address from the pool you specify. The destination IP address is replaced with the IP address of the back-end server selected by the load balancer.
FortiADC 6.2 Study Guide
71
Virtual Servers and Load Balancing
DO NOT REPRINT © FORTINET
Using NAT64, FortiADC replaces both the destination and source IP addresses, translating IPv6 addresses to IPv4 addresses. The source IP address is replaced by an IP address from the pool you specify. The destination IP address is replaced with the IP address of the back-end server selected by the load balancer.
FortiADC 6.2 Study Guide
72
Virtual Servers and Load Balancing
DO NOT REPRINT © FORTINET
The FortiView pages display important information about FortiADC, which includes the logical topology of real server pools and their members within each virtual server, server load balancing information, security, and some other system events and alerts.
FortiADC 6.2 Study Guide
73
Virtual Servers and Load Balancing
DO NOT REPRINT © FORTINET
The server load balance logical topology page uses a tree view format to show the internal configuration of each virtual server on FortiADC. Depending on the configuration, the diagram may show content routing, schedule pools, real server pools, and real server pool members configured on a virtual server. Clicking on a virtual server will give you the ability to edit the server configuration, delete the virtual server, or view detailed server analytics.
FortiADC 6.2 Study Guide
74
Virtual Servers and Load Balancing
DO NOT REPRINT © FORTINET
Clicking on a server pool provides you with the ability to edit the server pool configuration or view detailed analytics about the server pool.
FortiADC 6.2 Study Guide
75
Virtual Servers and Load Balancing
DO NOT REPRINT © FORTINET
Clicking on individual real servers will provide you the ability to change the current server status (enable, disable, maintain), edit the current settings, delete the server, or view detailed analytics for the server.
FortiADC 6.2 Study Guide
76
Virtual Servers and Load Balancing
DO NOT REPRINT © FORTINET
The virtual servers dashboard allows you to monitor all of the virtual servers on FortiADC, and access the real server dashboard for each virtual server. The real server dashboard provides a live, up-to-date view of the individual real server pool members underpinning the virtual server.
FortiADC 6.2 Study Guide
77
Virtual Servers and Load Balancing
DO NOT REPRINT © FORTINET
FortiADC 6.2 Study Guide
78
Virtual Servers and Load Balancing
DO NOT REPRINT © FORTINET
Congratulations! You have completed this lesson. Now, you will review the objectives that you covered in this lesson.
FortiADC 6.2 Study Guide
79
Virtual Servers and Load Balancing
DO NOT REPRINT © FORTINET
This slide shows the objectives that you covered in this lesson. By mastering server load balancing, you learned how to deploy FortiADC in your network and improve the efficiency of your resources.
FortiADC 6.2 Study Guide
80
Advanced Server Load Balancing
DO NOT REPRINT © FORTINET
In this lesson, you will learn about advanced server load balancing.
FortiADC 6.2 Study Guide
81
Advanced Server Load Balancing
DO NOT REPRINT © FORTINET
In this lesson, you will learn about the topics shown on this slide.
FortiADC 6.2 Study Guide
82
Advanced Server Load Balancing
DO NOT REPRINT © FORTINET
After completing this section, you should be able to achieve the objective shown on this slide. By demonstrating competence in understanding server persistence and the available persistence methods, you will be able to leverage this capability in your environment.
FortiADC 6.2 Study Guide
83
Advanced Server Load Balancing
DO NOT REPRINT © FORTINET
In the Virtual Servers and Load Balancing lesson, you learned how to create and use many of the most common objects associated with virtual servers. In this lesson, you will learn how to create several of the optional objects, many of which can be used to enhance application delivery performance.
FortiADC 6.2 Study Guide
84
Advanced Server Load Balancing
DO NOT REPRINT © FORTINET
Persistence rules identify traffic that should not be load balanced, but instead forwarded to the back-end server that has seen requests from that source before. Persistence rules are often needed to support server transactions that depend on an established client-server session, such as e-commerce transactions or SIP voice calls. FortiADC maintains persistence session tables to forward client traffic to back-end servers based on persistence rule matches. FortiADC provides a set of predefined persistence rules to simplify configuration, and supports a large number of persistence rule types for custom rule creation.
FortiADC 6.2 Study Guide
85
Advanced Server Load Balancing
DO NOT REPRINT © FORTINET
The different persistence rule types allow you flexibility when choosing the best option for any given environment. Most persistence rules have timeout settings to provide further customization. The rule types listed on this slide are evaluated in the following ways: Source Address: Persistence is based on the source IP address of the client. Source Address Hash: Persistence is based on a hash of the source IP address of the client making an initial request. Address-Port Hash: Persistence is based on a hash of both the source IP address and TCP/UDP port number. HTTP Header Hash: Persistence is based on a hash of the HTTP header. HTTP Request Hash: Persistence is based on a hash of the specified URL parameters in the initial client request.
FortiADC 6.2 Study Guide
86
Advanced Server Load Balancing
DO NOT REPRINT © FORTINET
The insert cookie rule type takes advantage of the browser’s cookie caching behavior. When the user connects for the first time and sends the first HTTP GET request, FortiADC uses the load balancing method to send the GET request to any of the servers available in the pool. When a server replies with the web content, FortiADC inserts a cookie in the content that is forwarded to the user. From this point on, each time the client issues a GET request, the browser includes the cookie, and FortiADC uses that cookie to determine which server the HTTP GET should go to. This rule type allows you to set a timeout for the server-side session, so that after the specified timeout period elapses, FortiADC won’t forward the request based on the cookie, and will instead select the server using the method specified in the virtual server configuration.
FortiADC 6.2 Study Guide
87
Advanced Server Load Balancing
DO NOT REPRINT © FORTINET
With the embedded cookie rule type, FortiADC waits for the reply from the server and searches for a specific cookie in the server reply. Once FortiADC finds that cookie, FortiADC adds the server ID as a prefix to the cookie. After that, the client sends the cookie with the server ID prefix and FortiADC uses that prefix to identify which server the traffic should be forwarded to.
FortiADC 6.2 Study Guide
88
Advanced Server Load Balancing
DO NOT REPRINT © FORTINET
The rule types listed on this slide are evaluated in the following ways: Cookie Hash: Persistence is based on a hash of the cookie provided by the server. RADIUS Attribute: Persistence is based on selected RADIUS attribute information. SSL Session ID: Persistence is based on the SSL session ID. Persistent Cookie: The persistent cookie method is similar to the insert cookie method, but if the real server produces a cookie with the same name, then FortiADC won’t modify it. Like the insert cookie method, the persistent cookie method also supports specifying a session time out. Rewrite Cookie: Using this rule type, the cookie is provided by the real server and FortiADC modifies its value.
FortiADC 6.2 Study Guide
89
Advanced Server Load Balancing
DO NOT REPRINT © FORTINET
FortiADC 6.2 Study Guide
90
Advanced Server Load Balancing
DO NOT REPRINT © FORTINET
Good job! You now understand persistence rules. Now, you will learn about HTTP(S) delivery optimization.
FortiADC 6.2 Study Guide
91
Advanced Server Load Balancing
DO NOT REPRINT © FORTINET
After completing this section, you should be able to achieve the objectives shown on this slide. By demonstrating competence in advanced load balancing features, you will be able to configure Layer 7 content routing and rewriting, set up web caching and compression, and import digital certificates in order to configure SSL offloading.
FortiADC 6.2 Study Guide
92
Advanced Server Load Balancing
DO NOT REPRINT © FORTINET
Page speed profiles can be configured to optimize the delivery of HTML, CSS, and image content. The HTML and Move CSS to Head will move any link or style tag content to the head section of the page. This reduces the number of times a browser must reflow the document because the styles are parsed before the elements in the body are introduced. Using the CSS and Combine CSS options combine multiple CSS elements into one. This can reduce the number HTTP/HTTPS requests that a browser makes during page refresh. You can reduce the size of image files or the JPEG sampling to reduce the amount of data that is transferred when a page is loaded. You select these profiles when you configure page speed.
FortiADC 6.2 Study Guide
93
Advanced Server Load Balancing
DO NOT REPRINT © FORTINET
Page control allows you to specify if FortiADC will process a web page or not, based on specified URI patterns using regular expressions. You define the cache limits, page speed profile, page control, and resource control in the page speed configuration.
FortiADC 6.2 Study Guide
94
Advanced Server Load Balancing
DO NOT REPRINT © FORTINET
TCP multiplexing provides enhanced web server and application performance by using existing TCP connections between FortiADC and the real servers. This capability is available only on Layer 7 virtual servers. Connection pools are defined and assigned to the virtual servers using the CLI commands shown on this slide.
FortiADC 6.2 Study Guide
95
Advanced Server Load Balancing
DO NOT REPRINT © FORTINET
Compression offloading is another FortiADC capability. Compression of content on high traffic sites impacts server performance. Removing the need for the server to perform this function will lessen demand on the server. Using compression offloading, FortiADC compresses data being sent to clients, if the browser supports GZIP. FortiADC receives the web content from the server in uncompressed form. If the content supports compression, the FortiADC compresses the web content and sends it to the users. Web pages that support compression include HTML, JavaScript, CSS, and other MIME types.
FortiADC 6.2 Study Guide
96
Advanced Server Load Balancing
DO NOT REPRINT © FORTINET
Configuration of a compression profile is necessary to leverage compression offloading. The profile is used to define which content to include or exclude from compression. URI rules are used to match page requests and must use regular expression. The content type section is used to build a list of types to compress or not compress depending on the rule type. The compression configurations are then assigned to application profiles.
FortiADC 6.2 Study Guide
97
Advanced Server Load Balancing
DO NOT REPRINT © FORTINET
Content caching is another FortiADC performance enhancing feature. Cached content is maintained locally on FortiADC and delivered directly to the requesting host without the need to query the server for it. If a client requests content that is not yet in cache memory, FortiADC forwards the request to the server to get that content. FortiADC then caches the content locally in its cache memory, and sends it to the client.
FortiADC 6.2 Study Guide
98
Advanced Server Load Balancing
DO NOT REPRINT © FORTINET
After that, if a client requests that same content (that is now in cache memory), FortiADC does not connect to the server again. It sends the cached content to the client on the server’s behalf. This capability reduces server workload as well as the bandwidth utilization between FortiADC and the back-end servers.
FortiADC 6.2 Study Guide
99
Advanced Server Load Balancing
DO NOT REPRINT © FORTINET
You configure caching by defining the maximum values for object size, cache size, entries, and age. Content that matches entries in the URI Exclude List is never cached. Content that matches entries in the Dynamic Cache Rule List is cached. The URI Exclude List takes precedence over the Dynamic Cache Rule List. You select the caching configuration type in the HTTP or HTTPS virtual server application profile.
FortiADC 6.2 Study Guide
100
Advanced Server Load Balancing
DO NOT REPRINT © FORTINET
With Layer 4 content routing, FortiADC routes traffic to a specific server pool based on literal or regular expression matches of the client’s source IP address. For example, all traffic from a particular subnet could be load balanced to a specific server pool.
FortiADC 6.2 Study Guide
101
Advanced Server Load Balancing
DO NOT REPRINT © FORTINET
Using Layer 7 content routing, FortiADC can make smarter load balancing decisions. With Layer 7 content routing, decisions are made based on URL. For example, requests for a specific file or file type, such as media content, can be forwarded to server pools built to better handle that specific content type.
FortiADC 6.2 Study Guide
102
Advanced Server Load Balancing
DO NOT REPRINT © FORTINET
Using Layer 7 content rewrite, FortiADC can modify the host field in the HTTP header, the URL, or the referrer field. It can also be configured to reply with an HTTP redirect, or it can be configured to reply with a forbidden error. For example, a client connecting to webmail.example.com could be redirected to webmail.example.com/owa.
FortiADC 6.2 Study Guide
103
Advanced Server Load Balancing
DO NOT REPRINT © FORTINET
This slide shows an overview of a Layer 7 content rewrite configuration. On the Content Rewriting screen, you specify the action and a set of rules. Each time the traffic matches any of those rules, the action is taken.
FortiADC 6.2 Study Guide
104
Advanced Server Load Balancing
DO NOT REPRINT © FORTINET
You can configure FortiADC to present an error page to clients when all the servers are unavailable. Error pages can only be used with Layer 7 virtual servers. After you’ve created an error page configuration object, you can select it in the virtual server configuration. To configure an error page configuration object, copy the error message file to a location you can reach from your browser. The error message file must be named index.html and must be contained in a ZIP file. You must have read-write permission for load balance settings.
FortiADC 6.2 Study Guide
105
Advanced Server Load Balancing
DO NOT REPRINT © FORTINET
FortiADC 6.2 Study Guide
106
Advanced Server Load Balancing
DO NOT REPRINT © FORTINET
Good job! You now understand HTTP(S) delivery optimization. Now, you will learn about SSL offloading, acceleration, and SSLi.
FortiADC 6.2 Study Guide
107
Advanced Server Load Balancing
DO NOT REPRINT © FORTINET
After completing this section, you should be able to achieve the objectives shown on this slide. By demonstrating competence in SSL offloading and understanding SSLi and its use cases, you will be able to take advantage of these features in your environment.
FortiADC 6.2 Study Guide
108
Advanced Server Load Balancing
DO NOT REPRINT © FORTINET
FortiADC supports SSL offloading and acceleration. SSL offloading moves the SSL encryption and decryption from the servers to the load balancer. Because the SSL encryption is terminated in the FortiADC device, the system can inspect and make decisions based on SSL content. In order to do that, the server’s signed digital certificate and private key must be installed on FortiADC.
FortiADC 6.2 Study Guide
109
Advanced Server Load Balancing
DO NOT REPRINT © FORTINET
When you use SSL offloading, a single device is used for SSL and HTTPS management, so all the certificates are stored on one device. This lowers the SSL management and operational costs. More importantly, when you use SSL offloading, the server doesn't have to run expensive crypto tasks, so the workload on the servers is lower because the SSL traffic is moved to a dedicated ASIC processor on hardware-accelerated FortiADC devices. This also reduces the bandwidth utilization between FortiADC and your back-end servers.
FortiADC 6.2 Study Guide
110
Advanced Server Load Balancing
DO NOT REPRINT © FORTINET
Using SSL re-encryption, FortiADC can decrypt the data coming from the user and re-encrypt it before sending it to the server. Two separate SSL sessions are established: one from the client to FortiADC and another one from FortiADC to the server. Both SSL sessions terminate at FortiADC. FortiADC can still inspect and make decisions based on the content inside the HTTPS traffic. Different sized keys can be used on each side of the FortiADC. For example, a smaller key size could be used between FortiADC and the real servers as a means to reduce processing overhead.
FortiADC 6.2 Study Guide
111
Advanced Server Load Balancing
DO NOT REPRINT © FORTINET
As more and more traffic is becoming encrypted traffic, the process of encryption and decryption can weigh heavily on the CPU resources of security devices. This, coupled with the immense possibility of cyber threats propagating through encrypted traffic, makes it essential for organizations to inspected this traffic. When configured in SSLi mode, FortiADC is dedicated to the encryption and decryption of SSL traffic for the purpose of offloading that task from a dedicated security device. Enabling SSLi mode on FortiADC reverts the FortiADC to factory defaults. This can only be done through the CLI with the command shown on this slide. When you configure it this way, the SSLi Proxy menu option becomes available in the GUI. All SSLi configurations are performed through the GUI. The following features are not supported when in SSLi mode, and menu options are removed: • Global load balancing • Link load balancing • IP reputation • Geo IP Protection • Central management • User authentication
FortiADC 6.2 Study Guide
112
Advanced Server Load Balancing
DO NOT REPRINT © FORTINET
When deployed in SSLi mode, FortiADC works as an SSL proxy between the client and the server. Real server objects are created on FortiADC for both the security device and the gateway. Two virtual servers are created and static routes are configured for traffic flow. The traffic flow process is as follows: 1. Traffic is passed from the client to the client side virtual server for decryption. 2. FortiADC passes the decrypted traffic to the security device. 3. The security device inspects the traffic and forwards it to the server side virtual server. 4. The server side virtual server encrypts and forwards the traffic to the gateway. It should be noted that SSLi mode is not a requirement for decryption and encryption of traffic for inspection by an external security device. However, it can provide some performance advantages.
FortiADC 6.2 Study Guide
113
Advanced Server Load Balancing
DO NOT REPRINT © FORTINET
To use SSL offloading or SSL encryption, you have to install the signed digital certificates and private keys for your servers. There are two ways of doing this. You can do it manually by importing the certificate files, or you can submit a certificate signing request to a CA.
FortiADC 6.2 Study Guide
114
Advanced Server Load Balancing
DO NOT REPRINT © FORTINET
FortiADC 6.2 Study Guide
115
Advanced Server Load Balancing
DO NOT REPRINT © FORTINET
Congratulations! You have completed this lesson. Now, you will review the objectives that you covered in this lesson.
FortiADC 6.2 Study Guide
116
Advanced Server Load Balancing
DO NOT REPRINT © FORTINET
This slide shows the objectives that you covered in this lesson. By mastering server load balancing, you can deploy FortiADC in your network and improve the efficiency of your resources.
FortiADC 6.2 Study Guide
117
Link Load Balancing and Advanced Networking
DO NOT REPRINT © FORTINET
In this lesson, you will learn about link load balancing and advanced networking.
FortiADC 6.2 Study Guide
118
Link Load Balancing and Advanced Networking
DO NOT REPRINT © FORTINET
In this lesson, you will learn about the topics shown on this slide.
FortiADC 6.2 Study Guide
119
Link Load Balancing and Advanced Networking
DO NOT REPRINT © FORTINET
After completing this section, you should be able to achieve the objectives shown on this slide. By demonstrating competence in link load balancing, you will be able to configure link load balancing, create virtual tunnels, and link groups.
FortiADC 6.2 Study Guide
120
Link Load Balancing and Advanced Networking
DO NOT REPRINT © FORTINET
Using link load balancing, FortiADC balances traffic among multiple upstream links. If the primary link fails, traffic is seamlessly redirected through a backup link. You can configure link load balancing for inbound traffic, outbound traffic, or both. Outbound link load balancing is the most commonly used configuration. Link load balancing provides reduced risk of outages, additional bandwidth, and potentially reduced ISP costs.
FortiADC 6.2 Study Guide
121
Link Load Balancing and Advanced Networking
DO NOT REPRINT © FORTINET
Many of the optional objects are configured as system-wide shared resources. Examples of optional objects include schedule, address, service, and health check. Link policies apply to either link groups or virtual tunnels.
FortiADC 6.2 Study Guide
122
Link Load Balancing and Advanced Networking
DO NOT REPRINT © FORTINET
Link policies specify the traffic to be balanced by each link group and virtual tunnel. The example on this slide shows a table containing three link policies. These policies specify that: • • •
All the traffic that comes from 172.16.1.0/24 and goes to 172.16.2./24 uses Virtual Tunnel 1. All the traffic that goes to 172.16.3.0/24 uses Link Group 2. All the traffic that goes to the Internet uses Link Group 1 .
Link policies can match on more than simple source and destination address. For example, a link policy can balance based on a service, such as HTTP or HTTPS. You can also apply schedules to define when policies are enforced.
FortiADC 6.2 Study Guide
123
Link Load Balancing and Advanced Networking
DO NOT REPRINT © FORTINET
Using outbound link load balancing, FortiADC balances traffic that leaves the network among the links that are part of the same link group.
FortiADC 6.2 Study Guide
124
Link Load Balancing and Advanced Networking
DO NOT REPRINT © FORTINET
You can configure persistence for outbound link load balancing so FortiADC can maintain the same outgoing gateway for packets with the same source or destination IP address. There are four types of outbound LLB persistence: • Source destination pair: • Based on the source and destination IP addresses • Source destination address: • Based on the source subnet and the destination subnet • Source address: • Based on the source subnet only • Destination address: • Based on the destination subnet only
FortiADC 6.2 Study Guide
125
Link Load Balancing and Advanced Networking
DO NOT REPRINT © FORTINET
Configure FortiADC to do outbound link load balancing based on proximity route dynamic detection. Dynamic detection of proximity routes uses a proximity cache. The proximity cache contains the delay from all the links to all the destination subnets (/24). For example, If a client sends a new connection to the IP address 10.10.1.1, FortiADC checks if subnet 10.10.1.0/24 is in the cache table. If the subnet isn’t in the table, the packet is routed normally, based on the specified balancing algorithm. In addition, FortiADC sends ICMP ping packets to the destination IP address through each of the links that are part of the link group.
FortiADC 6.2 Study Guide
126
Link Load Balancing and Advanced Networking
DO NOT REPRINT © FORTINET
Next, the round-trip delay for each ping through each link is recorded in the proximity cache table. So, next time there is a packet to the same /24 subnet from the same user or from a different user, FortiADC uses the link with the smallest delay to the destination. All entries in the cache table are aged out after their inactivity timeout expires.
FortiADC 6.2 Study Guide
127
Link Load Balancing and Advanced Networking
DO NOT REPRINT © FORTINET
There are three methods FortiADC uses to select proximity routes: • Dynamic detect only: • Uses the proximity route cache table to select the link with the lowest delay • Static table only: • Uses a static table that is manually configured by the administrator instead of using the proximity route cache table • Static table first: • Checks if there is a matching destination in the static table that was manually configured by the administrator • If there is no matching destination in the static table, FortiADC uses the proximity route cache table
FortiADC 6.2 Study Guide
128
Link Load Balancing and Advanced Networking
DO NOT REPRINT © FORTINET
Outbound link load balancing for FortiADC allows virtual tunneling. You can build IP tunnels between two FortiADC devices. These tunnels use a generic routing encapsulation (GRE)-based proprietary protocol that allows data to travel unencrypted. You can group all the IP tunnels you create into virtual tunnels. You can also balance outbound traffic among tunnels that are part of the same virtual tunnel. Next, you will learn how to configure load balancing algorithms for outbound link load balancing virtual tunneling.
FortiADC 6.2 Study Guide
129
Link Load Balancing and Advanced Networking
DO NOT REPRINT © FORTINET
Outbound link load balancing virtual tunneling routes traffic based on one of two load balancing algorithms: • Weighted round robin: • Means links with more weight receive more traffic • Source-destination hash: • Based on consistent hashing of both the source and the destination IP addresses • Traffic between the same two IP addresses is always routed through the same link
FortiADC 6.2 Study Guide
130
Link Load Balancing and Advanced Networking
DO NOT REPRINT © FORTINET
Now you will learn about the steps to configure link load balancing. First, you should add addresses, address groups, services, service groups, and schedule groups that can then be used to match traffic to link policy rules. If you do not add these, your policy will not use matching criteria and will not have granularity. Next, you configure optional features. You should configure health check rules before you configure gateway links, and you should configure persistence rules or proximity routes before you configure a link group. Next, you configure the gateway links. Then, you will configure either a link group or virtual tunnel as required. Finally, you configure the link policy, in which you set the source/destination/service matching criteria for your link groups or virtual tunnels.
FortiADC 6.2 Study Guide
131
Link Load Balancing and Advanced Networking
DO NOT REPRINT © FORTINET
Using the GUI, you can configure addresses in the system’s shared resources. You will use these addresses when you need to create link policies that apply to more than one address object. For example, if you subscribe customer one and customer two to a group of links, then you can create rules that match the customer one or customer two address space, and load balance the set of gateways assigned to them.
FortiADC 6.2 Study Guide
132
Link Load Balancing and Advanced Networking
DO NOT REPRINT © FORTINET
You can use service and service groups to specify the service to be matched in policies. The Protocol field identifies the protocol by number, such as 1 (ICMP), 6 (TCP), or 17 (UDP). For example, if a client requires a policy for link load balancing web services, you can add HTTP and HTTPS as services, and then aggregate those services into a group called web services.
FortiADC 6.2 Study Guide
133
Link Load Balancing and Advanced Networking
DO NOT REPRINT © FORTINET
You can use schedule groups to create time-bound link load balancing policies. The options are one-time, daily, weekly, or monthly. One-time link load balancing policies can be very useful for special events requiring a specific link load balancing policy to handle the extra surge in traffic, for example.
FortiADC 6.2 Study Guide
134
Link Load Balancing and Advanced Networking
DO NOT REPRINT © FORTINET
The gateway link configuration enables you to specify bandwidth rate thresholds, and spillover threshold behavior for the gateway links you will add to link groups. You can also enable health checks, to make better load balancing decisions in the link policy.
FortiADC 6.2 Study Guide
135
Link Load Balancing and Advanced Networking
DO NOT REPRINT © FORTINET
Link groups are used to group the gateways that will be used for link load balancing. When you add each gateway, you configure its weight. Links with a higher weight receive more traffic.
FortiADC 6.2 Study Guide
136
Link Load Balancing and Advanced Networking
DO NOT REPRINT © FORTINET
When you configure a virtual tunnel group, you set the list of tunnel members, as well as load balancing options like algorithm and weight. When you add members to a virtual tunnel configuration, you specify a local and remote IP address. These addresses are IP addresses assigned to a network interface on the local and remote FortiADC appliance. After you configure a virtual tunnel configuration object, you can select it in the link policy configuration.
FortiADC 6.2 Study Guide
137
Link Load Balancing and Advanced Networking
DO NOT REPRINT © FORTINET
The link policy uses information from all created objects to create a table of link policy rules. The link policy rules specify the traffic to be balanced by each link group. FortiADC searches the table from top to bottom and uses the first rule that matches the traffic. For each rule, you must configure an ingress interface, source address, destination address, service, schedule, and the link group or virtual tunnel the FortiADC uses to route the traffic. The link group is mandatory in a link policy configuration.
FortiADC 6.2 Study Guide
138
Link Load Balancing and Advanced Networking
DO NOT REPRINT © FORTINET
FortiADC 6.2 Study Guide
139
Link Load Balancing and Advanced Networking
DO NOT REPRINT © FORTINET
Good job! You now understand basic link load balancing. Now, you will learn about advanced networking and routing.
FortiADC 6.2 Study Guide
140
Link Load Balancing and Advanced Networking
DO NOT REPRINT © FORTINET
After completing this section, you should be able to achieve the objective shown on this slide. By demonstrating competence in advanced networking and routing, you will be able to configure advanced networking and routing options such as policy routing, quality of service (QoS), and NAT.
FortiADC 6.2 Study Guide
141
Link Load Balancing and Advanced Networking
DO NOT REPRINT © FORTINET
You can configure a SNAT table, which contains the rules for translation of the source IP address. The SNAT table works in a similar way to the firewall policy tables. FortiADC searches the table from top to bottom and uses the first rule it finds that matches the traffic. The source address is then mapped to a defined IP address or an address from the SNAT pool.
FortiADC 6.2 Study Guide
142
Link Load Balancing and Advanced Networking
DO NOT REPRINT © FORTINET
Another NAT table on FortiADC is the one-to-one NAT table, which contains the rules for one-to-one static bidirectional NAT translation. This slide shows an example of port forwarding, or PAT. PAT works in a similar way to VIPs on FortiGate devices.
FortiADC 6.2 Study Guide
143
Link Load Balancing and Advanced Networking
DO NOT REPRINT © FORTINET
FortiADC has limited support for QoS. With FortiADC, you can limit the available bandwidth for non-priority traffic. For example, you might want to limit available bandwidth so traffic that is sensitive to bandwidth and delay can receive a higher priority.
FortiADC 6.2 Study Guide
144
Link Load Balancing and Advanced Networking
DO NOT REPRINT © FORTINET
To configure QoS, you must first configure the queues that define the different bandwidth limits. Then, you assign the queues to the filters that specify the traffic limited by each queue. In the QoS filter shown on this slide, HTTPS traffic with an ingress interface of port3 and an egress interface of port1 would be limited to the bandwidth defined in the OneGig QoS queue.
FortiADC 6.2 Study Guide
145
Link Load Balancing and Advanced Networking
DO NOT REPRINT © FORTINET
This slide presents an overview of how FortiADC determines how to route a packet. When processing an incoming packet, the first table that FortiADC checks is the content route table. FortiADC checks if the URL or host matches any rule in the content route table. If there is a match, the packet is routed based on that content route rule. If there is no match, FortiADC checks the source and destination IP address for a match in the policy route table. If there is a match in the policy route table, the packet is routed based on that rule. If there is no match in the policy route table, then FortiADC checks the destination IP address for a match in the routing table. The routing table contains static routes and OSPF routes. If there is a match, FortiADC routes the packet. If there is no match, the packet is dropped because FortiADC doesn’t know how to route it.
FortiADC 6.2 Study Guide
146
Link Load Balancing and Advanced Networking
DO NOT REPRINT © FORTINET
Typically, routing is done based on the destination IP address. FortiADC can use policy routing to route traffic based on the source IP address. In the table shown on this slide, FortiADC is configured to route all traffic coming from 172.16.1.0 and going to the internet to use the first gateway on the left. For traffic that comes from the IP address 172.17.1.1, FortiADC is configured to route that traffic through the middle link. And finally, traffic from subnet 172.17.1.0 is routed through the link on the right. In this way, traffic is routed based on the source IP address, using three different links.
FortiADC 6.2 Study Guide
147
Link Load Balancing and Advanced Networking
DO NOT REPRINT © FORTINET
The policy routing configuration table contains the rules that specify the source IP address, the destination IP address, and the gateway to use for traffic that matches those settings. FortiADC searches the table from top to bottom and uses the first rule that matches the traffic. If there is no match, FortiADC uses the regular routing table to route the packet.
FortiADC 6.2 Study Guide
148
Link Load Balancing and Advanced Networking
DO NOT REPRINT © FORTINET
FortiADC uses OSPF to communicate with other OSPF routers, and to advertise its routes and dynamically populate its routing table.
FortiADC 6.2 Study Guide
149
Link Load Balancing and Advanced Networking
DO NOT REPRINT © FORTINET
You can define subnets and their associated OSPF areas.
FortiADC 6.2 Study Guide
150
Link Load Balancing and Advanced Networking
DO NOT REPRINT © FORTINET
This example on this slide shows where you define interfaces and their respective metrics.
FortiADC 6.2 Study Guide
151
Link Load Balancing and Advanced Networking
DO NOT REPRINT © FORTINET
When you read about BGP, often you see exterior BGP (EBGP) or interior BGP (IBGP) mentioned. These are both BGP routing, but BGP used in different roles. EBGP involves packets crossing multiple autonomous systems (AS) whereas IBGP involves packets that stay within a single AS. For example, the AS_PATH attribute is only useful for EBGP where routes pass through multiple ASs. These two modes are important because some features of BGP are used for only one of EBGP or IBGP. For example, confederations are used in EBGP, and route reflectors are only used in IBGP. Also, routes learned from IBGP have priority over EBGP learned routes. Before you begin, you must : • Know how BGP has been implemented in your network; that is, you must know the configuration details of the implementation • Have read-write permission for system settings • Have configured all the needed access (IPv6) lists and prefix (IPv6) lists
FortiADC 6.2 Study Guide
152
Link Load Balancing and Advanced Networking
DO NOT REPRINT © FORTINET
FortiADC 6.2 Study Guide
153
Link Load Balancing and Advanced Networking
DO NOT REPRINT © FORTINET
Congratulations! You have completed this lesson. Now, you will review the objectives that you covered in this lesson.
FortiADC 6.2 Study Guide
154
Link Load Balancing and Advanced Networking
DO NOT REPRINT © FORTINET
This slide shows the objectives that you covered in this lesson. By mastering link load balancing and advanced networking, you will be able to configure link load balancing, and create virtual tunnels and link groups. You will also be able to configure advanced networking and routing options, such as policy routing, QoS, and NAT.
FortiADC 6.2 Study Guide
155
Global Load Balancing
DO NOT REPRINT © FORTINET
In this lesson, you will learn about global load balancing.
FortiADC 6.2 Study Guide
156
Global Load Balancing
DO NOT REPRINT © FORTINET
In this lesson, you will learn about the topics shown on this slide.
FortiADC 6.2 Study Guide
157
Global Load Balancing
DO NOT REPRINT © FORTINET
After completing this section, you should be able to achieve the objectives shown on this slide. By demonstrating competence in understanding how global load balancing works, you will be able to implement it on your FortiADC.
FortiADC 6.2 Study Guide
158
Global Load Balancing
DO NOT REPRINT © FORTINET
When a user wants to contact a website, for example, www.fortinet.com, the browser first contacts its local DNS server to get the IP address for that fully qualified domain name. If that IP address is not in the local DNS cache, the local DNS goes to one of the root name servers on the internet to get the IP address. The root name server replies with the IP address of the DNS server for that domain which, in this case, is fortinet.com. So, the local DNS contacts that domain name server. The domain name server for the domain fortinet.com replies with the IP address of the DNS server that is the authoritative DNS server for that fully qualified domain name www.fortinet.com. The local DNS contacts that DNS server, gets the IP address from there, and forwards the IP address to the client. Now the browser can go directly to that IP address to get the web content stored there.
FortiADC 6.2 Study Guide
159
Global Load Balancing
DO NOT REPRINT © FORTINET
Global load balancing is a DNS-based solution that enables you to deploy redundant resources around the globe. You can use these redundant resources to keep your business online when a local area deployment experiences unexpected spikes in traffic, or downtime. Global load balancing is a two-layer technique consisting of global server load balancing and server load balancing. Global server load balancing refers to a global balancing of traffic across multiple, geographically diverse FortiADCs, while server load balancing refers to the load balancing performed by the individual FortiADC across the local data center.
FortiADC 6.2 Study Guide
160
Global Load Balancing
DO NOT REPRINT © FORTINET
Global server load balancing is a fully-featured DNS solution based on a customized and hardened BIND 9 DNS implementation. You can deploy global load balancing as the authoritative name server for the DNS zones you configure. Using FortiADC global load balancing, you create a global load balancing framework that accounts for location, health, and round-trip time (RTT). When a global load balancing framework is in place, DNS sends direct client requests to a virtual server that is close, available, and has low latency.
FortiADC 6.2 Study Guide
161
Global Load Balancing
DO NOT REPRINT © FORTINET
FortiADC implements security features in global load balancing and DNS, including DNSSEC, response rate limits, and DNS forwarding. DNSSEC are a set of extensions to DNS that provide for DNS clients (known as resolvers) origin authentication of DNS data, authenticated denial of existence, and data integrity. Response rate limits help to mitigate DNS DoS attacks by reducing the rate at which the authoritative DNS responds to high volumes of malicious queries. DNS forwarding works by sending requests for remote resources to another DNS server known as a forwarder. The internal server then caches those results, which optimizes further lookups and reduces the number of DNS servers communicating over the internet.
FortiADC 6.2 Study Guide
162
Global Load Balancing
DO NOT REPRINT © FORTINET
Server availability is identified by FortiADC using real-time connectivity checking. FortiADC redirects client sessions based on server availability. If there is availability in the local pool, FortiADC replies with its virtual IP address. In the example shown on this slide, FortiADC has to be the authoritative DNS server for the fully qualified domain name that the customer is trying to reach.
FortiADC 6.2 Study Guide
163
Global Load Balancing
DO NOT REPRINT © FORTINET
If the local pool is not available, FortiADC replies to those DNS requests with the remote peer virtual IP address instead.
FortiADC 6.2 Study Guide
164
Global Load Balancing
DO NOT REPRINT © FORTINET
The example on this slide shows a global load balancing deployment with redundant resources at data centers in China and the United States. FortiADC-1 is the local server load balancer for the data center in China. FortiADC-2 is the local server load balancer for the data center in the United States. FortiADC-3 is a global server load balancer. It hosts the DNS server that is authoritative for www.example.com. When a client clicks a link to www.example.com, the local host DNS resolver commences a DNS query that is ultimately resolved by the authoritative DNS server on FortiADC-3. The set of possible responses includes the virtual servers on FortiADC-1 or FortiADC-2. The global load balancing framework uses location and health status to determine the set of responses that are returned. For example, you can use the global load balancing framework to direct clients located in China to the virtual server in China, or, if the virtual server in China is unavailable, then to the redundant resources in the United States. The virtual server IP addresses and ports can be discovered by the FortiADC global load balancer from the FortiADC local server load balancers. The global load balancing DNS server uses the discovered IP addresses in the DNS response. The framework also supports third-party IP addresses and health checks for those addresses.
FortiADC 6.2 Study Guide
165
Global Load Balancing
DO NOT REPRINT © FORTINET
FortiADC 6.2 Study Guide
166
Global Load Balancing
DO NOT REPRINT © FORTINET
Good job! You now understand the principles of global load balancing. Now, you will learn how to configure global load balancing.
FortiADC 6.2 Study Guide
167
Global Load Balancing
DO NOT REPRINT © FORTINET
After completing this section, you should be able to achieve the objectives shown on this slide. By demonstrating competence in configuring global load balancing, you will be able to ensure that all elements of global load balancing are configured correctly for your network.
FortiADC 6.2 Study Guide
168
Global Load Balancing
DO NOT REPRINT © FORTINET
Global load balancing uses mandatory and optional configuration objects. Some mandatory objects are predefined, and include the ability to add more objects or customize existing ones. Others, such as the zone, are auto generated but can be created and customized by the administrator. Optional objects are not required, or are preset, such as the general settings and response rate limit objects.
FortiADC 6.2 Study Guide
169
Global Load Balancing
DO NOT REPRINT © FORTINET
When you deploy a global load balancing solution, you configure DNS server and global load balancing details on the global FortiADC instance only. The configuration framework allows for granular administration and fine tuning of both DNS server and global load balancing frameworks. The order of configuration is important for initial configurations because complex objects, like policies, rely on simple objects, like remote DNS servers or DNS64 rules; however, simple elements must be configured first. Fortunately, some objects are preconfigured and you can fine tune them later, if necessary. Auto-generated zones rely on numerous other objects, so make sure to customize your deployments where required. Many objects are optional. You can configure optional objects and add them to existing policies later. To configure a DNS server solution, do the following: 1. Review and configure the address groups to use in your DNS policy matching rules. You can use the predefined any and none address groups. 2. Configure remote DNS servers, or forwarders, and the DSSET list (optional). A complete zone configuration occurs. Zones, including FortiADC virtual servers, auto generate; however, you can add additional zones manually. 3. Configure DNS64 and response rate limits (optional). 4. Configure DNS policies and DNSEC. 5. Configure remaining general DNS settings.
FortiADC 6.2 Study Guide
170
Global Load Balancing
DO NOT REPRINT © FORTINET
When you configure global load balancing, many objects require that components of your underlying infrastructure are up and running so that you can test the solution. For example, virtual servers, and their corresponding back-end servers should be in place before you create virtual server pools in global load balancing. Step 1 is configuring dynamic proximity, data centers, servers, virtual server pools, and hosts. These are required for FortiADC to generate a working DNS zone configuration and resource records. Step 2 is reviewing the auto-generated DNS zone configuration. Finally, step 3 is creating the DNS policy.
FortiADC 6.2 Study Guide
171
Global Load Balancing
DO NOT REPRINT © FORTINET
Use the address group object to specify the source and destination IP addresses that will be used as matching criteria in your DNS policies. You can use the predefined any and none groups, or you can add your own groups.
FortiADC 6.2 Study Guide
172
Global Load Balancing
DO NOT REPRINT © FORTINET
Remote DNS servers are optional. You can use remote DNS servers to create a list of DNS forwarders, which you can use when you don’t want the local DNS server to connect to internet DNS servers. For example, if your local DNS server is behind a firewall and you don’t want to allow DNS through that firewall, you can implement DNS forwarding to a remote server deployed in a DMZ, or similar network region, that can contact internet DNS servers. You can use remote DNS servers in DNS zones and DNS policy configurations.
FortiADC 6.2 Study Guide
173
Global Load Balancing
DO NOT REPRINT © FORTINET
If DNSSEC is enabled, secure communication between the FortiADC DNS and any child DNSs is based on keys contained in DSSET files. DSSET files are generated automatically, once the zone is signed by DNSSEC.
FortiADC 6.2 Study Guide
174
Global Load Balancing
DO NOT REPRINT © FORTINET
It’s optional to configure DNS64 for FortiADC. DNS64 is used to map IPv4 addresses to AAAA queries when there are no AAAA records. You can use DNS64 for segments using NAT64 to support IPv6 client communication with the back-end servers.
FortiADC 6.2 Study Guide
175
Global Load Balancing
DO NOT REPRINT © FORTINET
The response rate limit keeps the FortiADC’s authoritative DNS server from being used in an amplifying reflection DoS attack. The default response rate limit is 1000 responses per second, but you can set this limit to any value between 1 and 2048 responses per second. You can create up to 256 different response rate limits to use in DNS policies.
FortiADC 6.2 Study Guide
176
Global Load Balancing
DO NOT REPRINT © FORTINET
The general DNS settings allow you to specify which interfaces listen for DNS requests. By default, FortiADC listens for DNS requests on all configured addresses and interfaces. Other settings apply when traffic does not match a global DNS policy. Key elements of the general DNS settings include enabling or disabling global DNS, recursion, and DNSSEC and DNSSEC validation. You can also set the default forwarding behavior and response rate limit in the general DNS settings.
FortiADC 6.2 Study Guide
177
Global Load Balancing
DO NOT REPRINT © FORTINET
You can use the Dynamic Proximity setting to order DNS lookups results based on the RTT of ICMP or TCP probes sent by the local SLB to the DNS resolver that sent the DNS request. FortiADC calls the RTT results for the specified timeout. For any subsequent requests from IP addresses in the specified netmask, FortiADC takes the RTT from the results table, instead of issuing a new real-time probe. This reduces DNS response time.
FortiADC 6.2 Study Guide
178
Global Load Balancing
DO NOT REPRINT © FORTINET
The data center is a required component of a global load balancing configuration. Configuring the data center allows you to set key properties, such as Location, ISP, or both, and ISP State/Province. The global load balancing algorithm uses these properties to select the FortiADC that is closest to the client.
FortiADC 6.2 Study Guide
179
Global Load Balancing
DO NOT REPRINT © FORTINET
FortiADC 6.2 Study Guide
180
Global Load Balancing
DO NOT REPRINT © FORTINET
Good job! You now understand how to configure global load balancing. Now, you will learn how to configure zones and servers.
FortiADC 6.2 Study Guide
181
Global Load Balancing
DO NOT REPRINT © FORTINET
After completing this section, you should be able to achieve the objectives shown on this slide. By demonstrating competence in configuring servers and zones, you will be able to set up servers, virtual server pools, zones, and DNS policies.
FortiADC 6.2 Study Guide
182
Global Load Balancing
DO NOT REPRINT © FORTINET
Servers are another required component of a global load balancing configuration. Use servers to specify the local server load balancers, either FortiADC instances or third-party servers, that are to be load balanced. For FortiADC instances, the global load balancing feature checks the status and synchronizes configurations from the local server load balancers, so that it can learn the set of virtual servers that can be included in the global load balancing virtual server pool. For the discovery feature to work, you must first create the data center objects associated with the local SLB as well as the virtual server configurations on the local FortiADC server load balancers to be included in the global load balancing virtual server pools. If you want to configure a gateway health check, you must also create gateway objects on the local FortiADC server load balancers. After you meet these requirements, and you add a server to global server load balancing, you can click Discover to allow FortiADC to discover the local virtual servers and populate the members list.
FortiADC 6.2 Study Guide
183
Global Load Balancing
DO NOT REPRINT © FORTINET
The virtual server pool configuration is also mandatory. It defines the set of virtual servers that can be matched in DNS resource records, so it should include all the virtual servers that can be answers for DNS requests to resolve a domain, such as www.example.com. The virtual server pool also specifies key parameters of the global load balancing algorithm, including proximity options, status checking options, load balancing method, and weight. You specify virtual server pools in the global load balancing host configuration. You can add up to 256 servers to a virtual server pool.
FortiADC 6.2 Study Guide
184
Global Load Balancing
DO NOT REPRINT © FORTINET
The DNS response to the client is an ordered list of answers, which excludes unavailable virtual servers. The available servers are ordered based on the following priorities: 1. Geographic proximity 2. Dynamic proximity 3. Weighted round robin A client receiving the DNS response as a list of answers tries the first answer and only proceeds to the next answers, if the first answer is unreachable.
FortiADC 6.2 Study Guide
185
Global Load Balancing
DO NOT REPRINT © FORTINET
Use host settings to form the zone configuration and RRs in the generated DNS zone used for global load balancing. Host settings are mapped to zone settings and RRs. The system uses the Domain Name and Host Name settings in both the configuration and the generated configuration name. The system derives the IP address and weight from the virtual server pool.
FortiADC 6.2 Study Guide
186
Global Load Balancing
DO NOT REPRINT © FORTINET
The DNS zone configuration is key to the global load balancing solution. It contains key DNS server settings, such as domain name and name server details, type (whether master or forwarder), and whether DNSSEC is enabled or not. It also contains the DNS resource records that are used to resolve DNS queries. Each zone can have different DNS server settings. For example, the DNS server can be a master for one zone and a forwarder for another zone. You can create up to 256 zones for use in DNS policies.
FortiADC 6.2 Study Guide
187
Global Load Balancing
DO NOT REPRINT © FORTINET
This slide shows an example of a zone auto generated by the creation of a host object. Because FortiADC is now an authoritative DNS server, you can add A and Quad A records, CName records, and NS records. You can also add MX and TXT records to the zone.
FortiADC 6.2 Study Guide
188
Global Load Balancing
DO NOT REPRINT © FORTINET
The global DNS policy is a rule base that matches traffic to DNS zones. Traffic that matches a zone, source, and destination criteria is served by the global DNS policy. Traffic that does not match any specific policy is served by the DNS general settings. You can create up to 256 different global DNS policies.
FortiADC 6.2 Study Guide
189
Global Load Balancing
DO NOT REPRINT © FORTINET
FortiADC 6.2 Study Guide
190
Global Load Balancing
DO NOT REPRINT © FORTINET
Congratulations! You have completed this lesson. Now, you will review the objectives that you covered in this lesson.
FortiADC 6.2 Study Guide
191
Global Load Balancing
DO NOT REPRINT © FORTINET
This slide shows the objectives that you covered in this lesson. By mastering the objectives covered in this lesson, you learned how to implement these global load balancing, servers, and zones on your FortiADC.
FortiADC 6.2 Study Guide
192
Security
DO NOT REPRINT © FORTINET
In this lesson, you will learn about the security options on FortiADC.
FortiADC 6.2 Study Guide
193
Security
DO NOT REPRINT © FORTINET
In this lesson, you will learn about the topics shown on this slide.
FortiADC 6.2 Study Guide
194
Security
DO NOT REPRINT © FORTINET
After completing this section, you should be able to achieve the objectives shown on this slide. By demonstrating competence in describing and configuring a WAF and WVS, you will be able to ensure that your FortiADC is OWASP-compliant for secure transactions.
FortiADC 6.2 Study Guide
195
Security
DO NOT REPRINT © FORTINET
This slide shows the relationships among WAF configuration elements. A WAF profile is made up of a web attack signature policy, a URL protection policy, an HTTP protocol constraint policy, a SQL/XSS injection detection policy, and a bot detection policy. This WAF profile is, in turn, applied to a load balancing virtual server, so all traffic routed to the virtual server is subject to the WAF rules set out in the profile. You can apply WAF profiles to HTTP and HTTPS virtual servers, but not to HTTP Turbo virtual servers. The WAF module offers enhanced security configuration options for FortiADC. It should be noted that FortiWeb offers these enhanced security options as well, and combining the FortiWeb and FortiADC solutions provides enhanced security and performance.
FortiADC 6.2 Study Guide
196
Security
DO NOT REPRINT © FORTINET
A WAF is a security policy enforcement point that you can set up between the client and a web application. Its main purpose is to prevent attacks against the web servers. You deploy it separately from the web application so that processes used to perform security scanning do not affect the web server’s performance. A WAF uses methods that complement perimeter security, such as perimeter security provided by the FortiGate next-generation firewall (NGFW).
FortiADC 6.2 Study Guide
197
Security
DO NOT REPRINT © FORTINET
A WAF scans a request at four checkpoints: the HTTP request header, the HTTP request body, the HTTP response header, and the HTTP response body. When the WAF completes the scan, it enforces policy rules. If the HTTP request header violates a rule, and the action is Deny, the attempted session is dropped, and scanning for the transaction stops. If the action is Alert, the event is logged and rules processing continues.
FortiADC 6.2 Study Guide
198
Security
DO NOT REPRINT © FORTINET
WAF policies allow the WAF to detect and respond to different types of threats. For example, the web attack signature policy allows the WAF to scan the traffic for signatures that detect known attacks and exploits. URL protection policies allow the WAF to filter HTTP requests that match specific character strings and file extensions. HTTP protocol constraint policies allow the WAF to create rules that filter traffic containing invalid HTTP request parameters and methods, or to drop packets with specified server response codes. SQL and cross site scripting (XSS) injection detection policies inspect user-supplied data for requests that can cause SQL queries to be run directly against the web application’s database, or XSS injection attacks that can cause a web browser to run a client-side script. WAF SQL and XSS detection is complementary to, and much faster than, the web attack signature method.
FortiADC 6.2 Study Guide
199
Security
DO NOT REPRINT © FORTINET
WAF profiles refer to the various WAF policies to be enforced. A profile can define six different protection categories: • • • • • •
Standard Protection: Provides web attack signature and HTTP protocol constraint protections. Sensitive Data Protection: Provides cookie security, data leak prevention, and HTTP header security protection. Input Protection: Provides SQL/XSS injection detection and input validation policy protections. Access Protection: Provides brute force attack detection, URL protection, bot detection, and credential stuffing defense. API Protection: Provides JSON detection, XML detection, OpenAPI detection, and API gateway protections. Advanced Protection: User-defined advanced protection configurations from the Common Attacks Detection view, and CSRF protection.
You can apply WAF profiles to a load balancing virtual server, so that traffic routed to that VS is subject to those rules. You can apply WAF profiles to both HTTP and HTTPS virtual servers, but not to HTTP Turbo virtual servers. You can use existing predefined profiles or create your own. The maximum number of profiles per VDOM is 255.
FortiADC 6.2 Study Guide
200
Security
DO NOT REPRINT © FORTINET
FortiADC provides an OWASP Top 10 wizard to assist administrators in protecting against OWASP Top 10 application security risks. The wizard automatically creates WAF profiles that can be assigned to virtual servers. For more information about the OWASP Top 10 project, as well as details about the top 10 list, visit the OWASP website.
FortiADC 6.2 Study Guide
201
Security
DO NOT REPRINT © FORTINET
The WVS is a set of automated tools that perform black box tests on web applications, to look for security vulnerabilities such as cross-site scripting, SQL injection, command injection, source code disclosure, and insecure server configuration. FortiADC supports the following: • Full reporting on vulnerability risks • Automatic policy generation While testing for vulnerabilities FortiADC could negatively impact the systems being tested. For this reason, the WVS should not be used to test systems in production. Performing scans across the internet could cause other security systems to identify the traffic as real and active malicious behavior.
FortiADC 6.2 Study Guide
202
Security
DO NOT REPRINT © FORTINET
WVS profiles define the real server pool to target and the type of scan to perform. The WVS can perform the following types of scans: • Mime scan • File scan • Message scan • Apps scan • Context scan • HTTP cookie The crawl limit will define the number of requests sent to each server during scanning. The total number will be divided equally across the server pool members. A WVS exceptions configuration can exempt specific URLs from being scanned based on a regular expression pattern.
FortiADC 6.2 Study Guide
203
Security
DO NOT REPRINT © FORTINET
WVS tasks define the profile that will be used and the schedule for scanning. If targeted server pools contain real servers that have failed health checks, those servers will still be scanned. Reports are generated when a scan completes. A maximum of 50 tasks can be defined. WVS tasks do not support HTTP/2 or IPv6.
FortiADC 6.2 Study Guide
204
Security
DO NOT REPRINT © FORTINET
Scan result details are reported on the WVS Scan History page. Each report can be downloaded, deleted, previewed, or have a policy generated from the results.
FortiADC 6.2 Study Guide
205
Security
DO NOT REPRINT © FORTINET
FortiADC 6.2 Study Guide
206
Security
DO NOT REPRINT © FORTINET
Good job! You now understand the WAF. Now, you will learn about network security.
FortiADC 6.2 Study Guide
207
Security
DO NOT REPRINT © FORTINET
After completing this section, you should be able to achieve the objectives shown on this slide. By demonstrating competence in network security, you will be able to ensure that the various security features of FortiADC are correctly configured to help protect your network.
FortiADC 6.2 Study Guide
208
Security
DO NOT REPRINT © FORTINET
The best approach to sound security is a layered approach. The first layer is made up of firewall policies. A firewall policy is a set of rules that are applied to traffic that passes through FortiADC and defines whether a new client connection is allowed. By default, all new connections are accepted. Blocking or allowing traffic based on ports and IP addresses is your first line of defense when implementing security within your network. For example, if you don’t need to allow the use of the File Transfer Protocol (FTP), you can block the FTP port. You can create firewall policies for both IPv4 and IPv6 traffic for FortiADC. When a packet arrives at an interface, FortiADC analyzes the packet and checks its routing table to see where the packet should be sent. If it’s a routable packet, FortiADC searches the firewall policies for a match. To find a policy match, FortiADC checks the ingress and egress interfaces, source and destination IP addresses, and the service. After FortiADC finds a policy match, it applies the rules for the policy.
FortiADC 6.2 Study Guide
209
Security
DO NOT REPRINT © FORTINET
FortiADC firewall policies make use of system-shared resources such as firewall addresses and services. Addresses and services can be further aggregated into address groups and service groups, for ease of management. You configure IP address ranges and subnets for firewall addresses, and IP protocols and TCP/UDP port numbers for service objects.
FortiADC 6.2 Study Guide
210
Security
DO NOT REPRINT © FORTINET
To create a firewall policy in FortiADC, you must configure the inbound interface, outbound interface, source address, destination address, service, and action (which can be either accept or deny). You also have the option to specify the default action, which is the action to be taken by FortiADC for traffic that doesn’t match any of the firewall policies. By default, the action is Accept, but you can change it to Deny. FortiADC uses the first match for the traffic that it finds in the policy in a search from top to bottom. Because of the system resources required by the firewall function, overall FortiADC performance will be impacted. It is important to be aware of this when deciding to implement the firewall feature.
FortiADC 6.2 Study Guide
211
Security
DO NOT REPRINT © FORTINET
The connection limit table contains a set of rules that you can use to limit the number of concurrent connections. In the example shown on this slide, the number of concurrent connections is limited for each destination IP address and for each source IP address.
FortiADC 6.2 Study Guide
212
Security
DO NOT REPRINT © FORTINET
The IPS leverages signature-based detection and prevention, as defined in FortiADC IPS profiles. You associate IPS profiles with Layer 4 virtual servers. As traffic destined for the servers defined in the associated server pool arrives at the virtual server, it is inspected using the defined IPS signatures and IPS filters. There is a list of predefined profiles, configured for detection of threats against some of the most common services, such as email and web servers. You can rapidly apply IPS security using these predefined profiles.
FortiADC 6.2 Study Guide
213
Security
DO NOT REPRINT © FORTINET
You can create IPS profiles to defend against specific types of attacks. Individual signatures can be added, as well as filter-defined signatures. When using an IPS filter, all scans that match the filter criteria are included. For example, you could define a filter to select all signatures that detect attacks on Linux systems and Apache services.
FortiADC 6.2 Study Guide
214
Security
DO NOT REPRINT © FORTINET
FortiADC is the first ADC solution on the market with support for sandbox service integration. This means that FortiADC supports Security Fabric integration for advanced threat detection. The feature on FortiADC supports HTTP, HTTPS, and SMTP protocols. Web application file uploads that are cleared by the FortiADC antivirus scanner are then sent to FortiSandbox for further analysis. FortiADC first conducts some basic analysis by antivirus engine and then submits all suspicious files to FortiSandbox for further analysis. FortiSandbox will then drop or quarantine the malicious traffic and forward healthy traffic segments to the back-end servers. A log is generated whenever a file is uploaded to FortiSandbox.
FortiADC 6.2 Study Guide
215
Security
DO NOT REPRINT © FORTINET
Malware and advanced persistent threats (APT) can cause significant damage to the business of any organization. Malicious codes are commonly used to steal valuable data, gain unauthorized access to networks, or cause products to degrade. Using a suite of integrated security technologies, antivirus solutions provide protection against a variety of threats, including both known and unknown malicious codes (malware) and advanced targeted attacks (ATA). Integrated with the FortiOS antivirus engine, FortiADC provides an industry-class malware and APT detection and mitigation solution to our customers. This slide illustrates how the FortiADC antivirus module works: 1. Automatically updates the latest attack signatures from FortiGuard to ensure real-time protection. 2. Submits all files, including suspicious files, to an on-premises device (FortiSandbox) or cloud-based service (FortiCloud Sandbox) for further analysis, after performing basic antivirus processing. 3. FortiSandbox or the cloud-based service drops or quarantines malicious files and forwards healthy files to the back-end servers.
FortiADC 6.2 Study Guide
216
Security
DO NOT REPRINT © FORTINET
You must configure antivirus profiles to use the antivirus service module. You can create antivirus profiles either on the GUI or the CLI. After you create antivirus profiles, you can include them when creating advanced virtual server profiles that use the HTTP or HTTPS protocol.
FortiADC 6.2 Study Guide
217
Security
DO NOT REPRINT © FORTINET
The quarantined daemon manages the infected or suspicious files. This is a multi-process daemon, which receives quarantine requests from the antivirus daemon and then processes the requests in child processes. It can work in tandem with remote devices to complement the antivirus service, such as sending suspicious files to FortiSandbox for deeper inspection or uploading the archive package onto FortiCloud. In addition, it also manages the use of the storage space, listing the quarantined files, deleting expired files, overriding old files, or dropping new files when there is not enough storage space available.
FortiADC 6.2 Study Guide
218
Security
DO NOT REPRINT © FORTINET
The FortiADC antivirus service relies on the system's antivirus engine and signature databases. The antivirus engine is upgraded whenever new functions are added. The updated daemon is responsible for updating the antivirus engine and the signature databases. The system offers three types of antivirus signature databases: normal, extended, and extreme. • Normal: Includes “In the Wild” viruses and most commonly seen viruses. • Extended: Includes “In the Wild” viruses and a large collection of zoo viruses that are no longer seen in recent virus studies. • Extreme: Includes “in the Wild” viruses and all known zoo viruses that are no longer seen in recent virus studies. In order for FortiADC to provide you with the level of antivirus service that you desire, you must choose the appropriate signature database.
FortiADC 6.2 Study Guide
219
Security
DO NOT REPRINT © FORTINET
FortiGuard IP Reputation is another feature for FortiADC that can prevent malicious connections to your servers. FortiGuard is a worldwide distributed server network that provides, among many other services, an up-to-date list of IP addresses that could threaten your network. You must purchase a subscription to use the FortiGuard IP Reputation service.
FortiADC 6.2 Study Guide
220
Security
DO NOT REPRINT © FORTINET
Using FortiGuard IP Reputation, you can configure FortiADC to periodically download the latest list of blacklisted IP addresses from FortiGuard. If FortiADC does not have internet access, you can download the list from FortiGuard and upload it manually to FortiADC.
FortiADC 6.2 Study Guide
221
Security
DO NOT REPRINT © FORTINET
After you enable FortiGuard IP Reputation, FortiADC blocks any traffic coming from an IP address that has a poor reputation or has been blacklisted by the FortiGuard IP Reputation list. Alternatively, in the case of HTTP and HTTPS, FortiADC can redirect users to a different URL.
FortiADC 6.2 Study Guide
222
Security
DO NOT REPRINT © FORTINET
The Geo IP database is a FortiGuard security service that maps IP addresses to countries, satellite providers, and anonymous proxies. Similar to the FortiGuard IP Reputation database, the Geo IP database is updated periodically. The Geo IP service allows FortiADC to respond in one of four ways to a request from an IP address that is on the block list: • Pass the packet along. • Deny and drop the packet. • Redirect the packet to another destination. • Respond to the packet with an error message of “403 Forbidden”.
FortiADC 6.2 Study Guide
223
Security
DO NOT REPRINT © FORTINET
This slide shows the Geo IP Protection configuration screen. You can create up to 256 Geo IP policy objects. Each object can contain up to 256 distinct countries.
FortiADC 6.2 Study Guide
224
Security
DO NOT REPRINT © FORTINET
You can configure exceptions to Geo IP Policies by adding entries to the Geo IP allowlist, which is based on the IP subnet.
FortiADC 6.2 Study Guide
225
Security
DO NOT REPRINT © FORTINET
In the example shown on this slide, you can see Geo IP at work in the GEO security logs, where source IP addresses can be mapped to their country of origin. In this example, because they are private IP addresses, the countries show as Reserved.
FortiADC 6.2 Study Guide
226
Security
DO NOT REPRINT © FORTINET
FortiADC 6.2 Study Guide
227
Security
DO NOT REPRINT © FORTINET
Good job! You now understand network security. Now, you will learn about DoS protection.
FortiADC 6.2 Study Guide
228
Security
DO NOT REPRINT © FORTINET
After completing this section, you should be able to achieve the objectives shown on this slide. By demonstrating competence in denial of service (DoS) protection options, you will be able to ensure that FortiADC are correctly configured to help protect your network and applications.
FortiADC 6.2 Study Guide
229
Security
DO NOT REPRINT © FORTINET
Attackers use denial of service attacks to overwhelm systems or networks to the point that the supplied services become unavailable to legitimate users. These types of attacks can be orchestrated across many different systems, and these systems work in parallel to achieve the attacker’s goal. This is known as a distributed denial of service attack (DDoS) because the source of the attack has been distributed across multiple systems. DoS and DDoS attacks generally use the following methods to overwhelm, or flood, an application server: Buffer overflow: The method attempts to send more traffic to a server than it has been designed to handle, ultimately overflowing defined buffers and slowing or crashing the system. • ICMP flood: This method attempts to generate a ping flood by hitting a system with large numbers of ICMP packets, without waiting for replies. • SYN flood: This method rapidly initiates connections to the server by sending a SYN (synchronize) message but never finishes the handshake, leaving ports on the server waiting for a response and ultimately exhausting available ports. A successful DoS or DDoS attack will result in legitimate users being unable to access the resources.
FortiADC 6.2 Study Guide
230
Security
DO NOT REPRINT © FORTINET
FortiADC defends against DoS attacks by attaching a DoS protection profile to the virtual server. The DoS protection profile contains application protections such as HTTP access limits and/or networking protections such as TCP connection access flood protection.
FortiADC 6.2 Study Guide
231
Security
DO NOT REPRINT © FORTINET
The application protection policy options are: • HTTP Access Limit: This policy limits the speed of HTTP requests from a source IP address. • HTTP Connection Flood: This policy limits HTTP connections based on a cookie. • HTTP Request Flood: This policy limits the speed of HTTP requests based on a cookie. The networking protection policy options are: • TCP Slow Data Flood Protection: This type of attack sends legitimate application layer requests, but reads the responses very slowly. This can consume valuable system resources on the application server. This policy can detect and disable the connections. • TCP Connection Access Flood Protection: This policy limits the number of TCP requests from a certain IP address. Actions can be performed on policy matches for both application and networking policies.
FortiADC 6.2 Study Guide
232
Security
DO NOT REPRINT © FORTINET
An IP fragmentation DDoS attack uses standardized fragmentation settings to send a data gram so large that buffers are overrun on your router as it attempts to buffer all the data gram fragments for reassembly. You can configure FortiADC to stop fragment reassembly when a designated maximum memory size is reached. When the designated minimum memory threshold is reached FortiADC will resume fragmentation reassembly. A timeout setting defines when FortiADC will drop all packets in a fragmentation queue.
FortiADC 6.2 Study Guide
233
Security
DO NOT REPRINT © FORTINET
FortiADC offers a mechanism to protect your servers against SYN flood attacks. In many servers, the information about each TCP connection is stored in the TCB that is a part of the memory in the server. During a SYN flood attack, an attacker sends a large amount of SYN packets from spoofed IP addresses to the server. An entry is created in the TCB each time a SYN packet arrives to store the information contained in the SYN packet fields. A SYN flood attack is effective when it exhausts the available memory in the TCB. After the TCB table is exhausted, legitimate users can’t connect to the server.
FortiADC 6.2 Study Guide
234
Security
DO NOT REPRINT © FORTINET
To protect the servers from SYN flood attacks, FortiADC offers a feature called SYN cookie protection. Here’s how it works. FortiADC sends a SYN/acknowledge with a cookie value in the TCP sequence field for each packet that it receives, and then it waits for the acknowledge packet. If it receives an acknowledge packet containing the right cookie, the device proxies the TCP connection to the server. Consequently, SYN packets from an attacker never arrive at the server. The SYN packets go to the server after FortiADC confirms the sender is a legitimate user.
FortiADC 6.2 Study Guide
235
Security
DO NOT REPRINT © FORTINET
Finally, you assign a DoS protection profile to a virtual server on the virtual server security tab.
FortiADC 6.2 Study Guide
236
Security
DO NOT REPRINT © FORTINET
FortiADC 6.2 Study Guide
237
Security
DO NOT REPRINT © FORTINET
Good job! You now understand DoS protection. Now, you will learn about user authentication.
FortiADC 6.2 Study Guide
238
Security
DO NOT REPRINT © FORTINET
After completing this section, you should be able to achieve the objectives shown on this slide. By demonstrating competence in user authentication, you will be able to set up authentication policies on your FortiADC.
FortiADC 6.2 Study Guide
239
Security
DO NOT REPRINT © FORTINET
FortiADC allows you to set conditions for authentication and identify the user group that can access a resource controlled by FortiADC. This slide shows the client-server communications authentication process. The prerequisites for the authentication process are as follows: • The virtual server must be Layer 2 or Layer 7. • The profile type must be HTTP or HTTPS. • The once-only profile option must be disabled. If the prerequisites are met, the authentication process occurs as follows: 1. The client sends an HTTP request to FortiADC for a URL belonging to a FortiADC virtual server that has an authorization policy, in this case www.example.com. 2. FortiADC replies to the client with an HTTP 401 message to request authorization. On the client device, the user may be prompted to enter credentials. 3. The client reply is sent, which includes an authorization header that passes the credentials to FortiADC. 4. FortiADC sends a request to the server, whether local, LDAP, or RADIUS, in order to authenticate the user. 5. The authentication server sends its response to FortiADC, which can be cached according to your user group configuration. 6. If authentication is successful, FortiADC continues to process the traffic and forwards the request to the real server. 7. The real server responds with an HTTP 200 OK message. 8. FortiADC processes the traffic and forwards the server response to the client.
FortiADC 6.2 Study Guide
240
Security
DO NOT REPRINT © FORTINET
User accounts for authentication can be created as local FortiADC users, or the authentication can be performed against a backend authentication server. Local user accounts are created in the Local User view and integration with remote authentication services is performed in the Remote Server view.
FortiADC 6.2 Study Guide
241
Security
DO NOT REPRINT © FORTINET
User groups are created to organize users for the purpose of authentication. Users, both local and remote are added to FortiADC user groups. Finally, these user groups are used in the creation of authentication policies that control access to the application servers.
FortiADC 6.2 Study Guide
242
Security
DO NOT REPRINT © FORTINET
You create authentication policies in the Authentication Policy view. To maintain granular control of user authentication, you can create multiple policies, and define multiple members.
FortiADC 6.2 Study Guide
243
Security
DO NOT REPRINT © FORTINET
After you create the authentication policy, you can select it in the settings for the virtual server, in the Auth Policy drop-down menu.
FortiADC 6.2 Study Guide
244
Security
DO NOT REPRINT © FORTINET
FortiADC supports the use of two-factor authentication with FortiToken Cloud to provide added security for application server access.
FortiADC 6.2 Study Guide
245
Security
DO NOT REPRINT © FORTINET
Security assertion markup language (SAML) allows for the exchange of security information between online business entities. It is the most commonly used protocol for providing Web SSO. FortiADC provides support for service provider (SP) and identity provider (IDP) metadata, as well as a single sign-on experience for virtual server resources. When configured as a SP FortiADC will support the following IDPs: • FortiAuthenticator • Shibboleth • OpenAM/OpenSSo
FortiADC 6.2 Study Guide
246
Security
DO NOT REPRINT © FORTINET
FortiADC 6.2 Study Guide
247
Security
DO NOT REPRINT © FORTINET
Congratulations! You have completed this lesson. Now, you will review the objectives that you covered in this lesson.
FortiADC 6.2 Study Guide
248
Security
DO NOT REPRINT © FORTINET
This slide shows the objectives that you covered in this lesson. By mastering security concepts, you will be able to ensure the FortiADC and your network are effectively protected from a variety of threats.
FortiADC 6.2 Study Guide
249
Advanced Configurations
DO NOT REPRINT © FORTINET
In this lesson, you will learn about FortiADC advanced configuration options.
FortiADC 6.2 Study Guide
250
Advanced Configurations
DO NOT REPRINT © FORTINET
In this lesson, you will learn about the topics shown on this slide.
FortiADC 6.2 Study Guide
251
Advanced Configurations
DO NOT REPRINT © FORTINET
After completing this section, you should be able to achieve the objectives shown on this slide. By demonstrating competence in these configuration tasks, you will be able to understand the key benefits and use cases for FortiADC VDOMs.
FortiADC 6.2 Study Guide
252
Advanced Configurations
DO NOT REPRINT © FORTINET
VDOMs allow you to split a single physical FortiADC device into multiple virtual FortiADC devices. VDOMs allow FortiADC to support multi-tenant deployments. A VDOM is a complete FortiADC instance that runs on the FortiADC platform (physical device or VM). Each VDOM has its own interfaces and routing tables that are completely independent from other VDOMs. When you create a VDOM, an administrator account is assigned to the VDOM. In this way, each VDOM can be controlled by a different administrator. VDOM administrators must log in to the GUI by connecting to an interface assigned to their VDOM that has administrative access configured.
FortiADC 6.2 Study Guide
253
Advanced Configurations
DO NOT REPRINT © FORTINET
When you enable VDOMs, the GUI divides settings into two groups: •
Global settings are settings that affect FortiADC and all VDOMs, such as hostname, SNMP, system time, HA, and certificates. You assign physical interfaces and administrative accounts to VDOMs from the Global menus.
•
The settings of each VDOM are unique, so each VDOM has its own static routes, firewall policies, and load balancing objects.
FortiADC 6.2 Study Guide
254
Advanced Configurations
DO NOT REPRINT © FORTINET
You enable VDOMs from the FortiADC Settings view. Once enabled, a drop-down list will be displayed providing access to global settings or VDOM-specific settings. Initially, a single root VDOM is created. The root VDOM cannot be deleted or renamed, and all self-generated management traffic will come from the root VDOM. This includes FortiGuard communications, SNMP, email, and so on. A new menu option, Virtual Domain, will appear in the FortiADC System menu.
FortiADC 6.2 Study Guide
255
Advanced Configurations
DO NOT REPRINT © FORTINET
The Virtual Domain view is where you add and manage virtual domains. Dynamic and Static resources can be modified for each VDOM individually. After you log in to a VDOM, the VDOM’s name is displayed at the top of the GUI. As additional VDOMs are created, they will appear in the drop-down list with the original root VDOM. You access and manage VDOM settings by selecting the VDOM in the drop-down list.
FortiADC 6.2 Study Guide
256
Advanced Configurations
DO NOT REPRINT © FORTINET
To review, each VDOM behaves like it is on a separate FortiGate device. With separate FortiADC devices, you would normally connect a network cable and configure routing and policies between them. A more efficient means of passing traffic between VDOMs is to use inter-VDOM links. An inter-VDOM link is a pair of connected virtual interfaces that routes traffic between VDOMs. This removes the need to loop a physical cable between two VDOMs.
FortiADC 6.2 Study Guide
257
Advanced Configurations
DO NOT REPRINT © FORTINET
VDOM links are created in the Global settings with the creation of a virtual interface in each of the VDOMs that will form the two ends of the link. In the example shown on this slide, the virtual interface for the acme-co VDOM will have an IP address of 192.168.80.1 and the abc-inc VDOM interface will have an IP address of 192.168.80.2. The administrator of the acme-co VDOM could then create a route defining the default gateway for traffic destined for abc-inc to be 192.168.80.2.
FortiADC 6.2 Study Guide
258
Advanced Configurations
DO NOT REPRINT © FORTINET
FortiADC 6.2 Study Guide
259
Advanced Configurations
DO NOT REPRINT © FORTINET
Good job! You now understand virtual domains. Now, you will learn about high availability (HA).
FortiADC 6.2 Study Guide
260
Advanced Configurations
DO NOT REPRINT © FORTINET
After completing this section, you should be able to achieve the objectives shown on this slide. By demonstrating competence in these configuration tasks, you will be able to implement FortiADC in your network, and configure two devices in an HA cluster to provide redundancy.
FortiADC 6.2 Study Guide
261
Advanced Configurations
DO NOT REPRINT © FORTINET
You can configure two FortiADC devices to form an HA cluster. The HA cluster maintains the availability of the service in case one of the FortiADC devices fails. Every cluster has a primary (or active) device that processes the traffic and handles IP addresses, while one or more secondary (or standby) devices monitor the status of the active device.
FortiADC 6.2 Study Guide
262
Advanced Configurations
DO NOT REPRINT © FORTINET
If a problem is detected with the active FortiADC, a standby FortiADC takes over as the active device and begins processing traffic and handling IP addresses. This event is known as a failover.
FortiADC 6.2 Study Guide
263
Advanced Configurations
DO NOT REPRINT © FORTINET
When the FortiADC devices are configured in HA active-passive mode, the active device handles all the traffic under normal circumstances. If something fails on the active device, the passive device becomes active and handles all the traffic instead. The example on this slide shows the HA active-passive mode deployment. Normally, the passive device doesn’t handle traffic; all traffic is handled by the active, whether for the client side or the server side. However, the passive device can always sync data from the active device, such as: • Incremental configuration changes • Layer 4 session/persistence table • Layer 7 persistence • Health-check status When there is something wrong with the current active device, for example, the monitored interfaces are down (in this case the monitored interfaces are usually directly connected to an ISP), or even if the physical device is failing, the passive device will become the new active device and handle all the traffic. HA active-passive mode is the most stable deployment mode, and you can deploy it on any platform. In this mode, the FortiADC interface is assigned a virtual mac address; once the HA peer takes over the active role, the new active FortiADC will inherit the virtual MAC address on the interfaces. This can reduce the traffic failing time, while failover is happening. Another benefit is that HA active-passive mode is compatible with the firewall’s MAC address binding.
FortiADC 6.2 Study Guide
264
Advanced Configurations
DO NOT REPRINT © FORTINET
In HA active-active mode, both the primary and secondary FortiADC devices are able to handle the traffic normally. There is one thing that should be noted: certain limitations exist. For incoming and outgoing traffic, it is useful to sync sessions between primary and secondary, but the FortiADC syncs only Layer 4 virtual server sessions. This has the following benefit: if the inbound/outbound traffic is different, this is no issue, as long as it is Layer 4 traffic, thanks to the syncing feature. The primary will accept the inbound traffic, then send it to the real servers; and because of the sync function, the secondary can handle the outbound traffic and send it back to the client. Although this traffic can be handled, it will decrease performance. Ideally, then, you should have a routing device between FortiADC and the real servers; this routing device must have the ability to send the return traffic to its original FortiADC devices. This is called reverse routing. For the Layer 7 virtual server, this does not matter; the traffic can be returned to itself natively, because the FortiADC establishes the session to the real servers by its own interface IP address—unless you enable source-address. The example on this slide shows that, if one of the monitored links is down, or the entire device fails, its HA peer can take over all the traffic.
FortiADC 6.2 Study Guide
265
Advanced Configurations
DO NOT REPRINT © FORTINET
The HA-VRRP mode, on the other hand, divides the resources into groups, so that you can create multiple VRRP groups, and then assign the public IP resources to those groups. In this way, you can enable another type of active-active mode called HA VRRP, instead of HA active-active. In this mode, every HA node has its own interface IP. The floating IP is a virtual IP address that works only on the active VRRP traffic group. In general, the connected devices or servers point the gateway to the floating IP of the VRRP group. If failover happens, the floating IP will work with the new VRRP primary; this makes sure that the floating IP is always online. This slide shows an example of HA-VRRP mode. Typically, you create two VRRP groups: for example, VRRP Group1 and VRRP Group2. FortiADC1 is the primary of VRRP Group1, and the secondary of VRRP Group2; while FortiADC2 is the secondary of VRRP Group1, and the primary of VRRP Group2. Then, you divide the real servers into these two groups. The servers in group1 point the default gateway to the VRRP Group1 floating IP, while the servers in group2 point the default gateway to the VRRP Group2 floating IP. Then, normally, FortiADC1 handles the traffic to VRRP Group1, and FortiADC2 handles the traffic to VRRP Group2. If one of the monitored links or devices is down, the HA peer can take over the traffic.
FortiADC 6.2 Study Guide
266
Advanced Configurations
DO NOT REPRINT © FORTINET
This slide shows the requirements for configuring FortiADC devices in an HA cluster. Both FortiADC devices must be the same hardware model and have the same firmware. Each FortiADC must be licensed. If you use FortiADC-VM, the licenses must be paid; trial licenses won’t function. You must connect the equivalent interfaces in both devices to the same LAN segments. For example, on both the active and passive devices, you must connect port2 to the same LAN segment that faces the server pool. Also, you must connect at least one physical port on each FortiADC to its peer for heartbeat and configuration synchronization traffic. You can do this using a crossover cable or a switch and normal patch cables. As a best practice, ensure no other data flows over the heartbeat interfaces. FortiADC-VM supports HA. However, if you do not want to use the native FortiADC HA, you can use your hypervisor or VM environment manager to install VMs over a hardware cluster to improve availability. For example, VMware clusters can use vMotion or VMware HA.
FortiADC 6.2 Study Guide
267
Advanced Configurations
DO NOT REPRINT © FORTINET
In an HA cluster, most of the configuration synchronizes with the passive device. However, some of the information doesn’t synchronize. For example, host names, SNMP system information, RAID settings, and HA settings don’t synchronize. Log messages and generated reports also don’t synchronize across the cluster.
FortiADC 6.2 Study Guide
268
Advanced Configurations
DO NOT REPRINT © FORTINET
In active-active HA deployments, where a cluster spreads out the workload over multiple FortiADC devices simultaneously, you can synchronize persistence tables and session information across the members of the cluster. You can synchronize Layer 7 and Layer 4 persistence tables, as well as Layer 4 TCP connection states, across the cluster members. Note that enabling any of these synchronization options could impact the performance of the HA solution because it causes more data to flow across the heartbeat interfaces.
FortiADC 6.2 Study Guide
269
Advanced Configurations
DO NOT REPRINT © FORTINET
You can configure an HA cluster to monitor the physical and link status of one or more interfaces. Two events can trigger an HA failover: an interruption in the heartbeat, or a change in the status of one of the monitored interfaces. After a failover occurs, the new active device notifies the network with a GARP message to redirect traffic to its own interfaces.
FortiADC 6.2 Study Guide
270
Advanced Configurations
DO NOT REPRINT © FORTINET
How do you decide which device is the active device? The answer depends on whether device priority override is enabled or disabled. If override is disabled, the primary device is the device with, in order of importance, the most available monitored interfaces, the highest uptime value, the smallest device priority number, and finally, the highestsorting serial number. If override is enabled, the order is almost identical, except that the priority changes to the smallest device priority number over the highest uptime value.
FortiADC 6.2 Study Guide
271
Advanced Configurations
DO NOT REPRINT © FORTINET
This slide shows where you configure HA. The Group Name and Group ID must be the same for any two devices that are members of the same cluster. If you intend to locate two clusters within the same LAN segment, the clusters must have different names and group IDs. The members of both clusters must still share the same group name and group ID, but the group names and IDs must be different between the two clusters. You can enable the device priority Override option, which will elect a primary device by using the device priority value over the device uptime. You can also specify how frequently a heartbeat packet is sent and how many times FortiADC retries sending a heartbeat packet before FortiADC assumes the other member of the cluster is down.
FortiADC 6.2 Study Guide
272
Advanced Configurations
DO NOT REPRINT © FORTINET
FortiADC 6.2 Study Guide
273
Advanced Configurations
DO NOT REPRINT © FORTINET
Good job! You now understand HA. Now, you will learn about scripting.
FortiADC 6.2 Study Guide
274
Advanced Configurations
DO NOT REPRINT © FORTINET
After completing this section, you should be able to achieve the objectives shown on this slide. By demonstrating competence in the scripting capabilities of FortiADC, you will be able to configure scripts for use with your virtual servers.
FortiADC 6.2 Study Guide
275
Advanced Configurations
DO NOT REPRINT © FORTINET
You can leverage Lua scripts to perform tasks that are not available in the built-in feature set. Scripts are associated with virtual machines and are event driven. Scripts are triggered when the virtual server receives an HTTP request or response. For example, a script could be used to check a request URI and forward the user to different web pages. FortiADC includes a long list of pre-created scripts and commands that can be used or modified.
FortiADC 6.2 Study Guide
276
Advanced Configurations
DO NOT REPRINT © FORTINET
You can create scripts by directly adding the script in the script creation window, or by importing. When you create or import a script, FortiADC validates the script and will not allow a misconfigured script to be saved.
FortiADC 6.2 Study Guide
277
Advanced Configurations
DO NOT REPRINT © FORTINET
You assign the scripts in the general tab of the virtual server configuration. Scripts assigned to a virtual server will be run from lowest to highest priority. The priority can be assigned in the script, with the default being 500. Scripts with the same priority number are executed in the order they are listed in the Selected Items window.
FortiADC 6.2 Study Guide
278
Advanced Configurations
DO NOT REPRINT © FORTINET
FortiADC 6.2 Study Guide
279
Advanced Configurations
DO NOT REPRINT © FORTINET
Good job! You now understand scripting. Now, you will learn about the REST API.
FortiADC 6.2 Study Guide
280
Advanced Configurations
DO NOT REPRINT © FORTINET
After completing this section, you should be able to achieve the objectives shown on this slide. By demonstrating competence in using the REST API, you will be able to perform and automate administrative tasks through the API.
FortiADC 6.2 Study Guide
281
Advanced Configurations
DO NOT REPRINT © FORTINET
The REST application programming interface (API) allows you to create your own management tools or to integrate FortiADC management tasks with your existing application infrastructure. The FortiADC REST API allows you to integrate FortiADC with existing third-party management platforms such as CISCO ACI, VMware, OpenStack, and so on.
FortiADC 6.2 Study Guide
282
Advanced Configurations
DO NOT REPRINT © FORTINET
The REST API works by passing client HTTP requests to FortiADC in order to manipulate configurations. Only the JSON format is supported. Supported REST clients include: Postman Chrome app, Mozilla Firefox RESTClient, and Curl.
FortiADC 6.2 Study Guide
283
Advanced Configurations
DO NOT REPRINT © FORTINET
This slide shows the HTTP methods supported by the FortiADC REST API: • GET, which is used to retrieve a list of all resources or a specific resource • POST, which creates a new resource • PUT, which allows the update of an existing resource • DELETE, which deletes an existing resource The REST API provides powerful configuration, administration, and visibility capabilities, refer to the REST API guide for complete details.
FortiADC 6.2 Study Guide
284
Advanced Configurations
DO NOT REPRINT © FORTINET
FortiADC 6.2 Study Guide
285
Advanced Configurations
DO NOT REPRINT © FORTINET
Congratulations! You have completed this lesson. Now, you will review the objectives that you covered in this lesson.
FortiADC 6.2 Study Guide
286
Advanced Configurations
DO NOT REPRINT © FORTINET
This slide shows the objectives you covered in this lesson. By mastering the objectives covered in this lesson, you learned about FortiADC advanced configuration options.
FortiADC 6.2 Study Guide
287
Monitoring, Troubleshooting, and System Maintenance
DO NOT REPRINT © FORTINET
In this lesson, you will learn about configuring FortiADC for logging and alerts, troubleshooting some common issues, and performing basic system maintenance.
FortiADC 6.2 Study Guide
288
Monitoring, Troubleshooting, and System Maintenance
DO NOT REPRINT © FORTINET
In this lesson, you will learn about the topics shown on this slide.
FortiADC 6.2 Study Guide
289
Monitoring, Troubleshooting, and System Maintenance
DO NOT REPRINT © FORTINET
After completing this section, you should be able to achieve the objectives shown on this slide. By demonstrating competence in logging and alerts, you will be able to configure local logging, remote logging, and alert emails. You will also be able to use the SNMP protocol to monitor FortiADC.
FortiADC 6.2 Study Guide
290
Monitoring, Troubleshooting, and System Maintenance
DO NOT REPRINT © FORTINET
FortiADC can send logs to multiple destinations. FortiADC can store the logs in local RAM and on the local hard disk. FortiADC can also send logs to remote servers, such as a third-party syslog server, or a FortiAnalyzer.
FortiADC 6.2 Study Guide
291
Monitoring, Troubleshooting, and System Maintenance
DO NOT REPRINT © FORTINET
FortiADC can generate four types of logs. Traffic logs provide traffic flow information for traffic served by FortiADC during load balancing. Security logs provide information about FortiADC security features, such as IP reputation, DoS events, the Geo IP block list, and so on. Script logs provide information relating to scripts used as part of server load balancing configurations. Event logs provide information about administrative actions or system events, such as device reboots or user logins.
FortiADC 6.2 Study Guide
292
Monitoring, Troubleshooting, and System Maintenance
DO NOT REPRINT © FORTINET
For each logging destination a severity threshold is defined. Only logs equal to or exceeding the selected level are generated. There are eight different log severity levels on FortiADC. The highest, or most severe, is level 0, which is used for emergency events. The lowest, or least severe, is level 7, which is used for debug information events.
FortiADC 6.2 Study Guide
293
Monitoring, Troubleshooting, and System Maintenance
DO NOT REPRINT © FORTINET
When you enable local logging, FortiADC stores the logs on the hard disk. If you disable local logging, logs are stored in the memory of the device. You also have to select what level of logs you want to store. When you enable logs, you can specify which event types you want to generate logs for.
FortiADC 6.2 Study Guide
294
Monitoring, Troubleshooting, and System Maintenance
DO NOT REPRINT © FORTINET
You can also configure FortiADC to send logs to multiple FortiAnalyzer devices and third-party syslog servers. For each of the destinations, you must configure the types of logs that you are going to generate.
FortiADC 6.2 Study Guide
295
Monitoring, Troubleshooting, and System Maintenance
DO NOT REPRINT © FORTINET
This slide shows a sample event log. All the logs include the date, the time that the log was generated, an ID, the type of log, the severity level, and a message that describes the event. You can select a filter from the drop-down list at the top of the screen and set a time frame to greatly narrow down the number of events displayed. In the example shown on this slide, the events displayed are limited to configuration events generated in the defined time range. The message indicates that the event is related to the administrator user making a change to a system interface.
FortiADC 6.2 Study Guide
296
Monitoring, Troubleshooting, and System Maintenance
DO NOT REPRINT © FORTINET
FortiADC supports SNMP, so you can use this protocol to monitor the device. FortiADC supports versions 1, 2, and 3 of the SNMP protocol. FortiADC MIB files can be downloaded directly from the FortiADC device.
FortiADC 6.2 Study Guide
297
Monitoring, Troubleshooting, and System Maintenance
DO NOT REPRINT © FORTINET
You can run FortiADC reports both on demand and as scheduled events. Reports are generated using predefined or user-created query sets. You can enable a scheduled interval or use the run report option for on-demand report generation. If you select the pdf option in the Email Format field, FortiADC sends the report as a PDF attachment to all addresses on the recipient list.
FortiADC 6.2 Study Guide
298
Monitoring, Troubleshooting, and System Maintenance
DO NOT REPRINT © FORTINET
You can send reports as email attachments only if you configure an email server in the Services view of FortiADC. You create the email recipients list in the Report Email view.
FortiADC 6.2 Study Guide
299
Monitoring, Troubleshooting, and System Maintenance
DO NOT REPRINT © FORTINET
After you generate a report, you can delete it, download it, or view it on the FortiADC GUI. FortiADC will format the report neatly with a cover page, table of contents, detailed tables and graphs, and present it in a PDF file format.
FortiADC 6.2 Study Guide
300
Monitoring, Troubleshooting, and System Maintenance
DO NOT REPRINT © FORTINET
FortiADC 6.2 Study Guide
301
Monitoring, Troubleshooting, and System Maintenance
DO NOT REPRINT © FORTINET
Good job! You now understand logging, SNMP, and reports. Now, you will learn about troubleshooting.
FortiADC 6.2 Study Guide
302
Monitoring, Troubleshooting, and System Maintenance
DO NOT REPRINT © FORTINET
After completing this section, you should be able to achieve the objectives shown on this slide. By demonstrating competence in using CLI utilities, you will be able to use the diagnostic commands available on the CLI, and identify some of the most common issues.
FortiADC 6.2 Study Guide
303
Monitoring, Troubleshooting, and System Maintenance
DO NOT REPRINT © FORTINET
The CLI offers three basic network utilities for troubleshooting. You can run a ping command using the command execute ping, you can run a traceroute using the command execute traceroute, or you can do an nslookup using the command execute nslookup name. These three commands will help you to troubleshoot networking problems or DNS problems.
FortiADC 6.2 Study Guide
304
Monitoring, Troubleshooting, and System Maintenance
DO NOT REPRINT © FORTINET
One of the most useful troubleshooting tools in the CLI is the built-in sniffer. FortiADC has a built-in sniffer that you can use to sniff and capture all the traffic that’s crossing the device. To enable the sniffer, use the command diag sniffer packet then specify the interface name. To sniff the traffic on all interfaces, specify any, instead of a specific interface name. You must also specify a filter and a verbosity level. The verbosity level ranges from 1 to 6. The example on this slide shows what information is displayed for each verbosity level. Verbosity level 4 is often used to gain an understanding of how traffic flows because it shows the incoming interface and outbound interface and the IP headers only. Verbosity levels 3 and 6 are used to capture the whole packet, including the payload. The verbosity level 3 and 6 captures can be exported to a PCAP file using two scripts. You can analyze the file later, using Wireshark. The script file for converting data output to a PCAP file is available in the Fortinet Knowledge Base.
FortiADC 6.2 Study Guide
305
Monitoring, Troubleshooting, and System Maintenance
DO NOT REPRINT © FORTINET
This slide shows three examples of how to use the sniffer. The examples shown use three different filters. In the first example, the diag sniffer command is capturing all the UDP packets on the internal interface whose source IP address or destination IP address is port 53. The filter supports using logic statements so you can build very complicated sniffs in order to try and narrow down the output. This is more important if you are supporting large networks with lots of traffic; otherwise, the output may be overwhelming.
FortiADC 6.2 Study Guide
306
Monitoring, Troubleshooting, and System Maintenance
DO NOT REPRINT © FORTINET
FortiADC also features a GUI-based packet capture tool, as well as the traditional CLI commands. Before using this tool, you should have a good understanding of tcpdump and filter expressions. Capture results are collected in a PCAP format file, which you can download and open in any tool supporting PCAP format, such as Wireshark See tcpdump.org for more information on the tcpdump utility.
FortiADC 6.2 Study Guide
307
Monitoring, Troubleshooting, and System Maintenance
DO NOT REPRINT © FORTINET
So, what are some of the most common issues that affect FortiADC? The most common problem is clients or customers being unable to connect to the server. When this occurs, the first thing that you should do is to use the FortiADC built-in sniffer to sniff the traffic and check that the traffic from the client is reaching the virtual server IP address. If the traffic is reaching the server, the next step is to check that a server is available in the pool. Then, you can check if the traffic is arriving at the server by running a sniffer on the server. Another step is to check the default gateway in the servers to be sure that the servers are pointing to the FortiADC device. Another common problem is a server being down because of a health check failure. You can use the sniffer to troubleshoot this problem by sniffing the health check traffic to see if FortiADC is sending that traffic to the server, if that traffic is arriving at the server, and where in the server the reply is coming from.
FortiADC 6.2 Study Guide
308
Monitoring, Troubleshooting, and System Maintenance
DO NOT REPRINT © FORTINET
FortiADC 6.2 Study Guide
309
Monitoring, Troubleshooting, and System Maintenance
DO NOT REPRINT © FORTINET
Good job! You now understand troubleshooting. Now, you will learn about system maintenance.
FortiADC 6.2 Study Guide
310
Monitoring, Troubleshooting, and System Maintenance
DO NOT REPRINT © FORTINET
After completing this section, you should be able to achieve the objectives shown on this slide. By demonstrating competence in backing up and restoring system configuration files, and upgrading the FortiADC firmware, you will be able to perform these important system maintenance tasks in your environment.
FortiADC 6.2 Study Guide
311
Monitoring, Troubleshooting, and System Maintenance
DO NOT REPRINT © FORTINET
You can back up and restore the FortiADC configuration from the Backup&Restore view. You can store the configuration files on the local PC performing the backup, or directly on FortiADC. An automatic back-up option allows for the scheduling of backups and for the automatic storage of the configuration files locally or on a network attached server.
FortiADC 6.2 Study Guide
312
Monitoring, Troubleshooting, and System Maintenance
DO NOT REPRINT © FORTINET
This slide shows a screen shot of the Maintenance view where you perform upgrades or boot alternate firmware. Note that downgrading to a previous firmware version is possible, but could cause specific settings to reset to their factory default values. This is another reason to back up your configuration before upgrading or downgrading the device firmware. Be sure to read and follow the release notes before performing any upgrade or downgrade, to make sure you follow all necessary steps.
FortiADC 6.2 Study Guide
313
Monitoring, Troubleshooting, and System Maintenance
DO NOT REPRINT © FORTINET
FortiADC 6.2 Study Guide
314
Monitoring, Troubleshooting, and System Maintenance
DO NOT REPRINT © FORTINET
Congratulations! You have completed this lesson. Now, you will review the objectives that you covered in this lesson.
FortiADC 6.2 Study Guide
315
Monitoring, Troubleshooting, and System Maintenance
DO NOT REPRINT © FORTINET
This slide shows the objectives that you covered in this lesson. By mastering the objectives covered in this lesson, you learned how to monitor, troubleshoot, and maintain FortiADC.
FortiADC 6.2 Study Guide
316
DO NOT REPRINT © FORTINET
No part of this publication may be reproduced in any form or by any means or used to make any derivative such as translation, transformation, or adaptation without permission from Fortinet Inc., as stipulated by the United States Copyright Act of 1976. Copyright© 2021 Fortinet, Inc. All rights reserved. Fortinet®, FortiGate®, FortiCare® and FortiGuard®, and certain other marks are registered trademarks of Fortinet, Inc., in the U.S. and other jurisdictions, and other Fortinet names herein may also be registered and/or common law trademarks of Fortinet. All other product or company names may be trademarks of their respective owners. Performance and other metrics contained herein were attained in internal lab tests under ideal conditions, and actual performance and other results may vary. Network variables, different network environments and other conditions may affect performance results. Nothing herein represents any binding commitment by Fortinet, and Fortinet disclaims all warranties, whether express or implied, except to the extent Fortinet enters a binding written contract, signed by Fortinet’s General Counsel, with a purchaser that expressly warrants that the identified product will perform according to certain expressly-identified performance metrics and, in such event, only the specific performance metrics expressly identified in such binding written contract shall be binding on Fortinet. For absolute clarity, any such warranty will be limited to performance in the same ideal conditions as in Fortinet’s internal lab tests. In no event does Fortinet make any commitment related to future deliverables, features, or development, and circumstances may change such that any forward-looking statements herein are not accurate. Fortinet disclaims in full any covenants, representations,and guarantees pursuant hereto, whether express or implied. Fortinet reserves the right to change, modify, transfer, or otherwise revise this publication without notice, and the most current version of the publication shall be applicable.