
DO NOT REPRINT

© FORTINET

FortiADC Study Guide


for FortiADC 5.2
Fortinet Training
http://www.fortinet.com/training

Fortinet Document Library
http://docs.fortinet.com

Fortinet Knowledge Base
http://kb.fortinet.com

Fortinet Forums
https://forum.fortinet.com

Fortinet Support
https://support.fortinet.com 

FortiGuard Labs
http://www.fortiguard.com

Fortinet Network Security Expert Program (NSE)
https://www.fortinet.com/support-and-training/training/network-security-expert-program.html

Feedback
Email: courseware@fortinet.com

2/5/2019

TABLE OF CONTENTS

01 Introduction and System Settings 4
02 Server Load Balancing 50
03 Link Load Balancing and Advanced Networking 111
04 Global Load Balancing 150
05 Security 188
06 Monitoring and Troubleshooting 229
 Introduction and System Settings

In this lesson, you will learn about the system and how to configure initial system settings.

FortiADC 5.2 Study Guide 4



In this lesson, you will learn about the topics shown on this slide.


After completing this section, you should be able to achieve the objectives shown on this slide.

By demonstrating competence in understanding the benefits offered by FortiADC, and accessing the
FortiADC using the CLI and GUI, you will be able to implement FortiADC and its features in your
network.


What is an application delivery controller (ADC)?

Traditional load balancers work mostly at Layer 4, balancing TCP/UDP sessions, with very limited
Layer 7 support. They usually have very basic health check mechanisms and algorithms to distribute
traffic between servers. Some of them have persistence, but only by source IP address.

An ADC improves what a traditional load balancer does, so you have more control and can make
better decisions about what is happening at Layer 7.

ADC has a feature called global server load balancing, which allows you to load balance traffic among
servers at geographically-distant locations. ADCs also feature SSL and compression acceleration to
reduce the load on web servers.

An ADC is a next-generation load balancer.


FortiADC provides enterprise-class application delivery and additional features that make applications
reliable, responsive, and easy to manage:
• First and foremost, FortiADC is a server load balancer that allows applications to scale reliably
across multiple servers in a data center
• Persistence ensures user connections are routed back to the correct server for seamless and
transparent continuity of applications
• SSL offloading relieves servers of the CPU-intensive tasks of decryption and encryption of secure
application traffic
• HTTP compression and content caching speed the delivery of content to users and reduce
bandwidth needs
• Content-based routing sends traffic to specific servers based on business rules by traffic type
• Global server load balancing provides disaster recovery by spanning applications across multiple
data centers
• Content rewriting minimizes user confusion and masks backend server configurations by simplifying
URLs
• FortiADC offers a complete web application firewall that protects against application attacks and can
meet PCI DSS 6.6 compliance
• QoS can be used to prioritize traffic by type to minimize disruptions to applications that are sensitive
to latency
• Link load balancing provides ISP redundancy and increases application bandwidth


Like many Fortinet devices, FortiADC offers two user interfaces: a GUI and a CLI.

To access the GUI, use a browser and HTTP or HTTPS. By default, port1 of FortiADC has the
IP address of 192.168.1.99.

A default administrator account is preconfigured: its Username is admin and its Password is empty. You cannot delete the default administrator account.

To access a new FortiADC using the GUI:

1. Using an Ethernet cable, connect a laptop to port1 on FortiADC.
2. Configure the laptop IP address using a valid 192.168.1.0 host address.
3. Connect to the FortiADC GUI by entering http://192.168.1.99 or https://192.168.1.99 in the browser.
4. Enter the admin username without a password.

Remember to change the default password as soon as possible after deploying the FortiADC.


You can access the CLI using SSH, telnet, or the console port, which is usually located on the
front panel of FortiADC.

You can also use the console widget located in the upper-right corner of the FortiADC GUI.


When you log in to the FortiADC GUI for the first time, the GUI will display the System Getting
Started Wizard. This wizard will guide you through the basic setup of your FortiADC, including:

• Date, time, and NTP server
• HA management
• Gateway
• Interfaces
• Virtual servers
• Real servers


This slide shows a screen shot of the FortiADC dashboard, which contains multiple widgets and tabs.

The System Information widgets and header bar display the hostname, system time and uptime,
serial number and firmware version, as well as shutdown, reboot, and factory reset commands.

The Resource Usage widget allows an administrator to monitor CPU, RAM, and disk usage, as well
as system metrics.

The License widget displays license status and provides a link to more detailed support information,
such as service contract expiry dates.

The Log Event widget displays recent activity.

To launch the console widget, in the upper-right corner of the header bar, click the console icon.


Good job! You now understand the benefits of a FortiADC.

Now, you will learn the steps to perform the initial configuration.


After completing this section, you should be able to achieve the objectives shown on this slide.

By demonstrating competence in these configuration tasks, you will be able to implement FortiADC in
your network, and configure two devices in a high availability (HA) cluster to provide redundancy.


One of the first settings you must configure for any FortiADC is the network interface configuration.

You can assign an IP address to each FortiADC interface and specify the permitted administrative
access protocols for each interface.

To create a VLAN interface, click Create New.


If you don’t have access to the GUI, you can use the CLI to configure a network interface.

The command config system interface opens the interface configuration subcommands.

The edit subcommand, with the <interface name> as its argument (for example, port1), selects that interface so that you can set its options.

You can then use the set subcommand to configure the individual parameters available for the network interface.

In the example shown on this slide, the set ip address subcommand specifies which IP address and subnet mask to use.

You can also use the set allowaccess subcommand to specify which administrative access protocols are permitted over that interface.


Using FortiADC, you can aggregate multiple physical interfaces into a single logical interface known as
a link aggregation.

This slide shows the commands you use to configure a link aggregation.

Link aggregations are used most often to combine the bandwidth of two interfaces to increase
throughput or to add redundancy to a network connection.

You can configure link aggregations using only the CLI, not the GUI.

After you configure the link aggregation, you can assign a single IP address to it.

Link aggregation technology is based on the Link Aggregation Control Protocol (LACP), which is part of
the IEEE 802.3ad specification, and is commonly referred to as port trunking, bonding, or teaming.


Any FortiADC must have at least one default gateway and one default static route.

On the Networking > Routing screen, which is shown on this slide, you can add the default route and
gateway, as well as create static routes to the subnets in your network.


On the System > Settings > Basic screen, you can configure a primary and a secondary DNS server.
FortiADC uses the primary DNS server until the primary DNS server fails to respond. Then FortiADC
switches to the secondary DNS server.


Like virtual machines, VDOMs allow you to split a single physical FortiADC device into multiple virtual
FortiADC devices. VDOMs allow FortiADC to support multi-tenant deployments.

A VDOM is a complete FortiADC instance that runs on the FortiADC platform (physical device or VM).

Each VDOM has its own interfaces and routing tables that are completely independent from other
VDOMs. When you create a VDOM, an administrator account is assigned to the VDOM. In this way,
each VDOM can be controlled by a different administrator.


When you enable VDOMs, the GUI divides settings into two groups:

• System settings are settings that affect FortiADC and all VDOMs such as hostname, SNMP, system
time, HA, and certificates
• Each VDOM's settings are unique, so each VDOM has its own static routes, firewall policies, and
load balancing objects


Using the GUI, you can enable VDOMs on the System > Settings > Basic screen.


This slide shows a screen shot illustrating how the GUI appears after you enable VDOMs and then log
in to FortiADC.

System and VDOM configurations are separated, and a default root VDOM is automatically added. You
can’t delete or rename the default root VDOM, and all system management traffic comes from this root
VDOM.

After you enable VDOMs, on the System > Virtual Domains screen, you can add and manage virtual
domains, and also assign individual physical interfaces to a VDOM.

After you log in to a VDOM, the VDOM’s name is displayed at the top of the GUI.


This slide shows the top-level FortiADC settings, which are:

• The Hostname
• The interface Language
• The Idle Timeout
• The TCP ports used for administrative access, which you can change from their default settings
• The Primary DNS and Secondary DNS
• The Virtual Domain


Each administrator account is assigned an access profile in which you specify the level of access the
administrator has for commands and configuration sections.

For example, you could create a special administrator access profile to delegate security permissions
allowing personnel to manage the device’s security settings, while also denying them the right to
modify router, server load balancing, link load balancing, and global load balancing features, which the
organization could be using to provide a chargeable service to their clients.


This slide shows the screen you use to create an administrator account.

You can set up an administrator account to allow the administrator to access FortiADC only from a
specific trusted host subnet.

In an administrator account, you can set permissions to allow or disallow the administrator to change
global system settings.

You can associate a specific administrator access profile with the administrator account.

And if VDOMs are enabled on FortiADC, you can assign a VDOM to an administrator account.


The REST application programming interface (API) allows you to create your own management tools
or to integrate FortiADC management tasks with your existing application infrastructure. The FortiADC
REST API allows you to integrate FortiADC with existing third-party management platforms such as
CISCO ACI, VMware, OpenStack, and so on.


The REST API works by passing client HTTP requests to FortiADC in order to manipulate the FortiADC configuration. Only the JSON format is supported. Supported REST clients include the Postman Chrome app, Mozilla Firefox RESTClient, and cURL.


This slide shows the HTTP methods supported by the FortiADC REST API:
• GET, which is used to retrieve a list of all resources or a specific resource
• POST, which creates a new resource
• PUT, which allows the update of an existing resource
• DELETE, which deletes an existing resource


This slide shows how to create a new virtual server. First, use the HTTP POST command to log in to
FortiADC. Then, use HTTP POST to create the virtual server.


Good job! You can now perform the initial configuration of FortiADC.

Now, you will learn how to enable HA, and prepare for device recovery.


After completing this section, you should be able to achieve the objectives shown on this slide.

By demonstrating competence in configuring an HA pair, performing a backup and restore, and performing a firmware upgrade, you will be able to ensure your FortiADC offers the best possible availability and performance.


You can configure two FortiADC devices to form an HA cluster. The HA cluster maintains the
availability of the service in case one of the FortiADC devices fails.

Every cluster has a primary (or active) device that processes the traffic and handles IP addresses,
while the secondary (or standby) device monitors the status of the active device.


If a problem is detected with the active FortiADC, the passive FortiADC takes over as the active device
and begins processing traffic and handling IP addresses. This event is known as a failover.


When the FortiADC devices are configured in HA active-passive mode, the active device (called
master) handles all the traffic under normal circumstances. If something fails on the active device, the
passive device (called slave) becomes active and handles all the traffic instead. The example on this
slide shows the HA active-passive mode deployment. Normally, the slave doesn’t handle traffic; all
traffic is handled by the master, whether for the client side or the server side. However, the slave can
always sync data from the master, such as:
• Incremental configuration changes
• Layer 4 session/persistence table
• Layer 7 persistence
• Health-check status

When there is something wrong with the current master, for example, the monitored interfaces are
down (in this case the monitored interfaces are usually directly connected to an ISP), or even if the
physical device is failing, the slave will become the new master and handle all the traffic.

HA active-passive mode is the most stable deployment mode, and you can deploy it on any platform. In this mode, each FortiADC interface is assigned a virtual MAC address; when the HA peer takes over as master, the new master inherits the virtual MAC addresses on its interfaces. This shortens the time that traffic is interrupted while failover is happening. Another benefit is that HA active-passive mode is compatible with MAC address binding on firewalls.

Be aware that HA active-passive mode on the Microsoft Hyper-V platform uses the physical MAC
address, due to a platform limitation.


In HA active-active mode, both the master and the slave handle traffic under normal conditions, but with one limitation: FortiADC synchronizes only Layer 4 virtual server sessions between master and slave. Because of this synchronization, asymmetric inbound and outbound paths are not a problem for Layer 4 traffic. The master accepts the inbound traffic and sends it to the real servers; because the session has been synced, the slave can handle the outbound traffic and send it back to the client.

Although this traffic can be handled, it decreases performance. Ideally, then, you should have a routing device between FortiADC and the real servers that can send the return traffic back to the FortiADC device that originated the session. This is called reverse routing.

For a Layer 7 virtual server, this does not matter; the return traffic comes back to the same FortiADC natively, because FortiADC establishes the session to the real servers from its own interface IP address, unless you enable source-address.

The example on the slide shows that, if one of the monitored links is down, or the entire device fails, its
HA peer can take over all the traffic.


The HA-VRRP mode, on the other hand, divides the resources into groups, so that you can create
multiple VRRP groups, and then assign the public IP resources to those groups. In this way, you can
enable another type of active-active mode called HA VRRP, instead of HA active-active. In this mode,
every HA node has its own interface IP.

The floating IP is a virtual IP address that works only on the VRRP traffic group master. In general, the
connected devices or servers point the gateway to the VRRP group’s floating IP. If failover happens,
the floating IP will work with the new VRRP master; this makes sure that the floating IP is always
online.

This slide shows an example of HA-VRRP mode. Typically, you create two VRRP groups: for example, VRRP_Group1 and VRRP_Group2. FortiADC1 is the master of VRRP_Group1 and the slave of VRRP_Group2, while FortiADC2 is the slave of VRRP_Group1 and the master of VRRP_Group2. Then, you divide the real servers into these two groups. The servers in group1 point their default gateway to VRRP_Group1's floating IP, while the servers in group2 point their default gateway to VRRP_Group2's floating IP. Normally, FortiADC1 handles the traffic for VRRP_Group1 and FortiADC2 handles the traffic for VRRP_Group2. If one of the monitored links or devices is down, the HA peer takes over that group's traffic.


This slide shows the requirements for configuring FortiADC devices in an HA cluster.

Both FortiADC devices must be the same hardware model and have the same firmware.

Each FortiADC must be licensed. If you use FortiADC-VM, the licenses must be paid; trial licenses
won’t function.

You must connect the equivalent interfaces in both devices to the same LAN segments. For example,
on both the active and passive devices, you must connect port2 to the same LAN segment that faces
the server pool.

Also, you must connect at least one physical port on each FortiADC to its peer for heartbeat and
configuration synchronization traffic. You can do this using a crossover cable or a switch and normal
patch cables. As a best practice, ensure no other data flows over the heartbeat interfaces.

FortiADC-VM supports HA. However, if you do not want to use the native FortiADC HA, you can use
your hypervisor or VM environment manager to install virtual appliances over a hardware cluster to
improve availability. For example, VMware clusters can use vMotion or VMware HA.


In an HA cluster, most of the configuration synchronizes with the passive device. However, some of the
information doesn’t synchronize.

For example, host names, SNMP system information, RAID settings, and HA settings don’t
synchronize. Log messages and generated reports also don’t synchronize across the cluster.


In active-active HA deployments, where a cluster spreads out the workload over multiple FortiADC
devices simultaneously, you can synchronize persistence tables and session information across the
members of the cluster.

You can synchronize Layer 7 and Layer 4 persistence tables, as well as Layer 4 TCP connection
states, across the cluster members.

Note that enabling any of these synchronization options could impact the performance of the HA
solution because it causes more data to flow across the heartbeat interfaces.


You can configure an HA cluster to monitor the physical and link status of one or more interfaces.

Two events can trigger an HA failover: an interruption in the heartbeat, or a change in the status of one
of the monitored interfaces.

After a failover occurs, the new active device notifies the network with a “gratuitous ARP” message to
redirect traffic to its own interfaces.


How do you decide which device is the active device?

The answer depends on whether device priority Override is enabled or disabled.

If override is disabled, the primary device is the device with, in order of importance, the most available
monitored interfaces, the highest uptime value, the smallest device priority number, and finally, the
highest-sorting serial number.

If override is enabled, the order is almost identical, except that the priority changes to the smallest
device priority number over the highest uptime value.
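The election order described above, written out as an added Python example (not FortiADC's own code) so that the effect of the Override setting is visible; the HaMember fields and the sample serial numbers are this example's assumptions.

```python
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class HaMember:
    """One FortiADC in the cluster, with the attributes the election considers."""
    serial: str          # serial number; the highest-sorting one wins a full tie
    priority: int        # device priority; the smallest number ranks higher
    uptime: int          # seconds since boot; higher ranks higher
    monitored_up: int    # number of monitored interfaces currently available


def election_key(member: HaMember, override: bool) -> Tuple[int, int, int, str]:
    """Sort key for a member; the member with the greatest key becomes primary.

    Override disabled: monitored interfaces, uptime, priority, serial.
    Override enabled:  monitored interfaces, priority, uptime, serial.
    Priority is negated because the smallest priority number wins.
    """
    if override:
        return (member.monitored_up, -member.priority, member.uptime, member.serial)
    return (member.monitored_up, member.uptime, -member.priority, member.serial)


def rank_members(members: List[HaMember], override: bool = False) -> List[HaMember]:
    """Return the cluster members from most to least preferred as primary."""
    return sorted(members, key=lambda m: election_key(m, override), reverse=True)


def elect_primary(members: List[HaMember], override: bool = False) -> HaMember:
    return rank_members(members, override)[0]


def deciding_criterion(a: HaMember, b: HaMember, override: bool) -> str:
    """Name the first criterion on which two members differ (useful when reading failover logs)."""
    names = (["monitored interfaces", "priority", "uptime", "serial"] if override
             else ["monitored interfaces", "uptime", "priority", "serial"])
    for name, x, y in zip(names, election_key(a, override), election_key(b, override)):
        if x != y:
            return name
    return "identical"


# Constructed sample cluster: serial numbers and values are made up for this example.
FADC1 = HaMember(serial="FAD-SAMPLE-0001", priority=1, uptime=1_200, monitored_up=2)
FADC2 = HaMember(serial="FAD-SAMPLE-0002", priority=5, uptime=86_400, monitored_up=2)

if __name__ == "__main__":
    for override in (False, True):
        winner = elect_primary([FADC1, FADC2], override)
        print(f"override={override}: primary is {winner.serial} "
              f"(decided by {deciding_criterion(FADC1, FADC2, override)})")
    # A member that has lost a monitored interface loses the election in both modes.
    degraded = HaMember(serial="FAD-SAMPLE-0002", priority=5, uptime=86_400, monitored_up=1)
    print("after link loss:", elect_primary([FADC1, degraded]).serial)
```

With Override disabled the long-running FADC2 stays primary; with Override enabled the lower priority number on FADC1 wins, which is exactly the preemption you want to be aware of when you reboot the preferred device.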


This is where you configure HA.

The Group Name and Group ID must be the same for any two devices that are members of the same
cluster. If you intend to locate two clusters within the same LAN segment, the clusters must have
different names and group IDs. The members of both clusters must still share the same group name
and group ID, but the group names and IDs must be different among the two clusters.

You can enable the device priority Override option, which will elect a primary device by using the
device priority value over the device’s uptime.

You can also specify how frequently a heartbeat packet is sent and how many times FortiADC retries
sending a heartbeat packet before FortiADC assumes the other member of the cluster is down.


This slide shows screen shots of the System screens where you start a backup or restore of the
FortiADC configuration, as well as start an upgrade or boot alternate firmware.

Note that downgrading to a previous firmware version is possible, but could cause specific settings to
reset to their factory default values.

This is another reason to back up your configuration before upgrading or downgrading the device’s
firmware.

Be sure to read and follow the release notes before performing any upgrade or downgrade, to make
sure you follow all necessary steps.


Congratulations! You have completed this lesson.

Now, you will review the objectives that you covered in this lesson.


This slide shows the objectives you covered in this lesson.

By mastering the basics of FortiADC, you can identify how FortiADC would benefit your network,
deploy a FortiADC in your network, and ensure redundancy and the best possible performance of the
device.



 Server Load Balancing


In this lesson, you will learn about server load balancing.


In this lesson, you will explore the topics shown on this slide.


After completing this section, you should be able to achieve the objectives shown on this slide.

By demonstrating competence in describing the different load balancing methods, you will be able to apply
them to the FortiADC to balance the traffic load in your network.


FortiADC supports three different load balancing methods. One of these methods is the Layer 4 load
balancing method.

After you enable Layer 4 load balancing, FortiADC uses information in the TCP and UDP headers in the first
packet of any new session to decide how to balance the traffic. This method is the fastest load balancing
method, and it supports IPv4 and IPv6.


The second method, Layer 7 load balancing, requires more packets to make a decision, so it’s slower than
Layer 4 load balancing. However, after you enable Layer 7 load balancing, FortiADC can make smarter
decisions and distribute the traffic more intelligently. It can also inspect and modify HTTP content and use that
content to make load balancing decisions. Layer 7 load balancing supports IPv4 and IPv6.


The third method, Layer 2 load balancing, balances traffic among multiple next hop gateways. Like Layer 7
load balancing, Layer 2 load balancing also supports the inspection and modification of HTTP content.
However, Layer 2 load balancing supports only IPv4, not IPv6. You can use Layer 2 load balancing when
FortiADC does not know the real server IP addresses, but you want to balance traffic among multiple
gateways or multiple links.


Now you will examine the differences between Layer 4, Layer 2, and Layer 7 load balancing. When using Layer 4 load balancing, FortiADC only forwards traffic to the real server, which is why it is the fastest of the three methods. When using Layer 2 or Layer 7 load balancing, FortiADC proxies the TCP traffic to the real server. This means that the three-way handshake happens first between the client and FortiADC. Once that TCP session is up, FortiADC establishes a new TCP session with the server by performing another three-way handshake. In other words, a FortiADC using Layer 2 or Layer 7 load balancing splits the TCP session into two parts: one between the client and the FortiADC device, and one between the FortiADC device and the server.


When you configure FortiADC, you configure many objects: some are mandatory and some are optional. The
mandatory objects are the virtual server, the real servers, profiles, and load balancing methods. This slide
shows a summary of the objects that you can create in a FortiADC configuration. It also shows which objects
are mandatory, or are the minimum required, to enable a server load balancing solution. In this course you will
learn how to create many objects.


Here are the high-level steps to configure server load balancing:

1. Configure health check rules and real server SSL profiles. Optionally, you can use preset settings.
2. Configure the server pools.
3. Configure persistence rules, optional features and policies, profile components, as well as load balancing
methods. Optionally, you can use preset settings.
4. Configure the virtual server.


One of the first objects that you can create on a FortiADC is the health check object. FortiADC uses the health
check object to poll the server frequently. If the server doesn’t reply within the timeout period, FortiADC retries
a specific number of times before assuming the server is down or unresponsive. FortiADC assumes the
server is up and responsive as soon as the server replies to a specific number of consecutive polls.


There are many different methods for performing a health check with FortiADC. The basic method is to send
an ICMP or TCP echo request. Using this method, the FortiADC sends an ICMP or TCP echo request to the
server, and waits for a reply.

If the server is an HTTP or HTTPS server, FortiADC can query the server by sending a GET or a HEAD
request to see if the HTTP service is up.

If the server supports TCP, FortiADC can confirm that the server can complete a three-way handshake to a
specific TCP port. If the server is a domain name system server (DNS), FortiADC can send a DNS A record
request to the server and wait for a specific IP address as a response to confirm that DNS is running correctly.
If the server is a RADIUS, SMTP, POP3, or IMAP4 server, you can configure FortiADC to log in to the server
to confirm that the service is up.


If the server is an FTP server, you can configure FortiADC to log in to the FTP server to check that a specific
file is there.

FortiADC can use SNMP to poll the server using the SNMP protocol to get the current CPU, memory, and
disk usage. The server is assumed to be unresponsive if it doesn’t reply, or if any of those usage values goes
above a preconfigured threshold.

FortiADC can also perform a TCP half-open check. FortiADC sends a SYN and waits for the SYN-ACK. As soon as the SYN-ACK is received, FortiADC sends an RST to close the session without completing the handshake.

For protocols based on SSL over TCP, FortiADC can establish an SSL connection to check if the service is
up. The result of the SSL connection will verify the status of the server.
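
The polling rule from the previous slide (a server is marked down after a set number of consecutive failed polls and up again after a set number of consecutive successful ones) together with two of the probe types above, as an added Python example. This is not FortiADC code: the threshold names `retry` and `up_retry`, the probe functions, and the replayed result sequence are assumptions chosen for the illustration.

```python
import http.client
import socket
from dataclasses import dataclass, field
from typing import Callable, Iterable, List

Probe = Callable[[], bool]   # returns True when the server answered correctly


def tcp_connect_probe(host: str, port: int, timeout: float = 3.0) -> bool:
    """Complete a TCP three-way handshake to `port`, then close the connection."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def http_head_probe(host: str, port: int, path: str = "/",
                    ok_status: Iterable[int] = (200,), timeout: float = 3.0) -> bool:
    """Send a HEAD request; the service is up only if the status code is one we expect."""
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("HEAD", path)
        return conn.getresponse().status in set(ok_status)
    except (OSError, http.client.HTTPException):
        return False
    finally:
        conn.close()


@dataclass
class HealthMonitor:
    """State for one real server: `retry` consecutive failures mark it down,
    `up_retry` consecutive successes mark it up again (parameter names assumed)."""
    probe: Probe
    retry: int = 3
    up_retry: int = 1
    up: bool = True
    failures: int = field(default=0, init=False)
    successes: int = field(default=0, init=False)

    def poll(self) -> bool:
        """Run one probe and return the server status after applying the thresholds."""
        if self.probe():
            self.failures = 0
            self.successes += 1
            if not self.up and self.successes >= self.up_retry:
                self.up = True
        else:
            self.successes = 0
            self.failures += 1
            if self.up and self.failures >= self.retry:
                self.up = False
        return self.up


def status_history(results: List[bool], retry: int = 3, up_retry: int = 2) -> List[bool]:
    """Replay a constructed sequence of probe outcomes and record the status after each poll."""
    outcomes = iter(results)
    monitor = HealthMonitor(probe=lambda: next(outcomes), retry=retry, up_retry=up_retry)
    return [monitor.poll() for _ in results]


if __name__ == "__main__":
    # Constructed sequence: a short blip is tolerated, three misses take the server
    # down, and two consecutive replies are needed before it is put back in service.
    print(status_history([True, False, False, True, False, False, False, True, True]))
```

The two thresholds are deliberately independent: a low `retry` removes a failing server quickly, while an `up_retry` greater than one keeps a flapping server out of the pool until it has answered several polls in a row.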

For each server, you can configure a maximum number of concurrent connections and a maximum connection rate.
The maximum rate applies under normal operating conditions.

You can also configure a lower rate that FortiADC uses while the server has just rebooted, or has finished
rebooting but isn't yet ready to operate at full capacity. This is called the Warm Rate. When you configure a
Warm Rate setting, FortiADC uses it during a warm-up period, specified in the Warm Up setting, whenever the
server comes back online after a health check, or when the status of the server is changed to Enabled from
Maintain or Disabled.

To create real servers, click Server Load Balance, and then click Real Server. On the Real Server screen,
click the Real Server tab. On the Real Server tab, you define a name for the server, set the status of the
server, and define the IP address of the server.

Now you will examine how to create real server pools and how to add real servers to those pools. To create
real server pools, click Server Load Balance, then click Real Server Pool and then click the Real Server
Pool tab. On the Real Server Pool screen, you can also enable a health check that is applied to all servers,
and set the status of each server to enable, disable, or maintain.

To add a real server to a real server pool, specify the settings by clicking Server Load Balance, then Real
Server Pool, and then the Edit Member section. To add a real server to a real server pool, in the Edit
Member section, select the real server you previously created from the drop-down list, or select Create new
from the drop-down list to add a new server.

If you are going to use Layer 7 persistence, you have to type the name of the cookie in the Cookie field. If you
enable Backup, FortiADC uses the backup server when there is no other available server in the pool. On this
tab, you can also disable Health Check Inherit to stop the server from inheriting the default health check
method that was assigned to the pool, and add or remove specific health check methods for a member.

If FortiADC is working as a Layer 2 or Layer 7 load balancer, the only supported load balancing method is
round robin. If FortiADC is working as a Layer 4 load balancer, it supports three methods: round robin, fastest
response, and least connections. With round robin, each new connection is sent to the next server in the pool.
With fastest response, traffic is sent to the server that responds fastest to health checks. With least
connections, traffic is sent to the server with the fewest total connections, counting both active and inactive
connections.

Good job! You can now understand load balancing basics.

Now, you will learn about some advanced load balancing features.

After completing this section, you should be able to achieve the objectives shown on this slide.

By demonstrating competence in advanced load balancing features you will be able to configure Layer 7
content routing and rewriting, set up web caching and compression, and import digital certificates in order to
configure SSL offloading.

Persistence methods are rules that identify traffic that should not be load balanced, but instead forwarded to
the back-end server that has already seen requests from that source. Persistence rules are often needed to
support server transactions that depend on an established client-server session, such as e-commerce
transactions or Session Initiation Protocol (SIP) voice calls.

FortiADC supports a large number of persistence methods. The basic persistence method, IP, is based on the
source IP address. A variation on it, consistent hash IP, maps a consistent hash of the source IP address to a
server, so removing one server only remaps the clients that were on that server. The hash IP method hashes both
the source IP address and the TCP/UDP port number, and the hash header method hashes the value of a
specified HTTP request header.

The hash cookie persistence method is based on a hash of an HTTP cookie. The RADIUS attribute and SSL
session ID methods are based on a RADIUS attribute and the SSL session ID, respectively.

Another persistence method is insert cookie. Cookie insertion takes advantage of the browser's cookie handling.
When a client connects for the first time and sends its first HTTP GET request, FortiADC uses the load
balancing method to send that request to any available server in the pool. When the server replies, FortiADC
inserts a cookie (a Set-Cookie header) into the response that is forwarded to the client. From then on, each
time the client issues a request, the browser includes the cookie, and FortiADC uses its value to determine
which server the request should go to.

The insert cookie method lets you set a timeout for the server-side session. After the timeout elapses,
FortiADC no longer forwards requests based on the cookie; instead it selects a server using the load balancing
method specified in the virtual server configuration.

Using the embedded cookie persistence method, FortiADC waits for the reply from the server and searches
for a specific cookie in the server reply. Once FortiADC finds that cookie, FortiADC adds the server ID as a
prefix to the cookie. After that, the client sends the cookie with the server ID prefix and FortiADC uses that
prefix to identify which server the traffic should be forwarded to.

The persistent cookie method is similar to the insert cookie method, but if the real server itself produces a
cookie with the same name, FortiADC leaves it unchanged. Like the insert cookie method, the persistent cookie
method also supports a session timeout.

Finally, there is the rewrite cookie method. Using this method, the cookie is produced by the real server and
FortiADC replaces its value.
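
Three of the persistence mechanisms from the last few slides, as an added Python example that is not FortiADC code: a consistent hash ring (the basis of consistent hash IP), insert-cookie persistence with a timeout carried in Max-Age, and the embedded-cookie prefix. The cookie name `FADCSRV`, the `~` separator, the replica count and the cookie-value-to-server table are assumptions of the example.

```python
import bisect
import hashlib
from typing import Callable, Dict, Iterable, Optional, Sequence, Tuple


def stable_hash(key: str) -> int:
    """Deterministic hash (unlike hash(), which is salted per process)."""
    return int(hashlib.sha1(key.encode()).hexdigest(), 16)


class ConsistentHashRing:
    """Each server owns `replicas` points on a ring; a key goes to the first server
    point clockwise, so removing a server only remaps the keys that pointed to it."""

    def __init__(self, servers: Iterable[str], replicas: int = 100):
        points = sorted((stable_hash(f"{s}#{i}"), s) for s in servers for i in range(replicas))
        self.keys = [k for k, _ in points]
        self.owners = [s for _, s in points]

    def lookup(self, key: str) -> str:
        idx = bisect.bisect(self.keys, stable_hash(key))
        return self.owners[idx % len(self.owners)]


def hash_key(method: str, src_ip: str, src_port: int = 0, header: str = "") -> str:
    """Key material for the hash-based methods described above."""
    if method == "consistent-hash-ip":
        return src_ip
    if method == "hash-ip":
        return f"{src_ip}:{src_port}"
    if method == "hash-header":
        return header
    raise ValueError(f"unknown method: {method}")


class InsertCookie:
    """Insert-cookie persistence: the cookie value is the member's configured cookie
    value, and Max-Age carries the session timeout (an assumption of this example)."""

    def __init__(self, servers_by_cookie: Dict[str, str], name: str = "FADCSRV",
                 timeout: int = 300, https: bool = True):
        self.servers_by_cookie = dict(servers_by_cookie)
        self.cookie_by_server = {s: c for c, s in servers_by_cookie.items()}
        self.name, self.timeout, self.https = name, timeout, https

    def route(self, request_cookies: Dict[str, str], available: Sequence[str],
              balancer: Callable[[], str]) -> Tuple[str, Optional[str]]:
        """Return (server, Set-Cookie header or None if the client already sticks)."""
        server = self.servers_by_cookie.get(request_cookies.get(self.name, ""))
        if server in available:
            return server, None
        server = balancer()            # no usable cookie: fall back to the LB method
        attrs = f"Max-Age={self.timeout}; Path=/; HttpOnly" + ("; Secure" if self.https else "")
        return server, f"{self.name}={self.cookie_by_server[server]}; {attrs}"


def embed_server_prefix(set_cookie: str, cookie_name: str, server_id: str, sep: str = "~") -> str:
    """Embedded-cookie, server reply: prefix the value of `cookie_name` with the server ID."""
    name, eq, rest = set_cookie.partition("=")
    if not eq or name.strip() != cookie_name:
        return set_cookie
    return f"{name}={server_id}{sep}{rest}"


def split_server_prefix(cookie_value: str, sep: str = "~") -> Tuple[Optional[str], str]:
    """Embedded-cookie, client request: recover (server_id, original value)."""
    server_id, found, original = cookie_value.partition(sep)
    return (server_id, original) if found else (None, cookie_value)
```

Two points worth noting. A cookie that names a back-end server is attacker-visible and attacker-controlled, so `route()` treats it as a hint only: an unknown value or a value for a server that is no longer available falls back to the load balancing method rather than being trusted. And the cookie is marked HttpOnly (and Secure when served over HTTPS) so a script injection on the site cannot read it.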

The Persistence screen is where you can configure the persistence method. In this screen you can also
configure the specific settings that depend on each method you are using, such as the session timeout.

Each real server must have a unique cookie value for persistence to work properly. In order to verify, or edit
the cookie value for each server in a pool, navigate to Server Load Balance > Real Server Pool and edit the
individual members. Verify or configure the Cookie value as needed.

Compression offloading is a feature that is available on FortiADC devices. Using compression offloading,
FortiADC compresses data sent to clients whose browsers advertise GZIP support. FortiADC receives the web
content from the server in uncompressed form. If the content type is one that benefits from compression,
FortiADC compresses the content and sends it to the client in compressed form. Content types that benefit
include HTML, JavaScript, CSS, and other text-based MIME types.

The configuration of compression offloading is simple. You create a compression profile, and then select the
content types to be included in or excluded from compression.

Web cache is another FortiADC feature. Here's how it works: if a client requests content that is not yet in the
cache, FortiADC forwards the request to the server to get that content. Once FortiADC receives the content
from the server, it stores a copy locally and sends the content to the client.

After that, if the same client or a different client requests that same content (that is now in cache memory),
FortiADC will not connect to the server again. It sends another copy of the cached content to the client. One
great benefit of this feature is that it reduces the bandwidth utilization between FortiADC and the backend
servers.

Web cache configuration is very simple. The main setting you have to specify is the size of the cache memory.
You can also specify which URLs are excluded from web caching.
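
An added Python example (not FortiADC code) that combines the two features just described: a byte-bounded web cache with URL exclusions, and per-client gzip compression applied only when the browser advertises it and the MIME type is on the include list. Header dictionaries use lower-case keys, `sample_origin` is a constructed stand-in for the real server, and the include list is an assumption of the example.

```python
import fnmatch
import gzip
from collections import OrderedDict
from typing import Callable, Dict, Iterable, Optional, Tuple

Headers = Dict[str, str]   # lower-case header names (assumed normalised upstream)
# Constructed include list standing in for the profile's content-type selection.
COMPRESSIBLE = {"text/html", "text/plain", "text/css", "application/javascript", "application/json"}


def gunzip(data: bytes) -> bytes:
    return gzip.decompress(data)


def maybe_compress(request_headers: Headers, content_type: str, body: bytes, min_size: int = 256,
                   compressible: Iterable[str] = COMPRESSIBLE) -> Tuple[bytes, Headers]:
    """Gzip the body only if the client accepts gzip, the MIME type is included and the
    body is big enough to be worth it. Returns (body, extra response headers)."""
    accepted = {t.strip().split(";")[0].lower() for t in request_headers.get("accept-encoding", "").split(",")}
    mime = content_type.split(";")[0].strip().lower()
    if "gzip" not in accepted or mime not in set(compressible) or len(body) < min_size:
        return body, {}
    return gzip.compress(body), {"Content-Encoding": "gzip", "Vary": "Accept-Encoding"}


class WebCache:
    """LRU cache bounded by total bytes, with glob-style URL exclusions. It refuses
    personalised responses (Set-Cookie, Cache-Control: private / no-store)."""

    def __init__(self, max_bytes: int, exclude: Iterable[str] = ()):
        self.max_bytes, self.exclude = max_bytes, tuple(exclude)
        self.entries: "OrderedDict[str, Tuple[bytes, str]]" = OrderedDict()
        self.size = 0

    def cacheable(self, method: str, url: str, status: int, response_headers: Headers) -> bool:
        cc = response_headers.get("cache-control", "").lower()
        return (method == "GET" and status == 200
                and not any(fnmatch.fnmatch(url, pattern) for pattern in self.exclude)
                and "set-cookie" not in response_headers
                and "no-store" not in cc and "private" not in cc)

    def get(self, url: str) -> Optional[Tuple[bytes, str]]:
        hit = self.entries.get(url)
        if hit is not None:
            self.entries.move_to_end(url)        # most recently used
        return hit

    def put(self, method: str, url: str, status: int, response_headers: Headers,
            content_type: str, body: bytes) -> bool:
        if not self.cacheable(method, url, status, response_headers) or len(body) > self.max_bytes:
            return False
        if url in self.entries:
            old, _ = self.entries.pop(url)
            self.size -= len(old)
        while self.size + len(body) > self.max_bytes:    # evict least recently used
            _, (old, _) = self.entries.popitem(last=False)
            self.size -= len(old)
        self.entries[url] = (body, content_type)
        self.size += len(body)
        return True


Origin = Callable[[str], Tuple[int, Headers, str, bytes]]   # url -> (status, headers, content-type, body)
ORIGIN_CALLS: list = []   # records which URLs actually reached the (simulated) real server


def sample_origin(url: str) -> Tuple[int, Headers, str, bytes]:
    """Constructed stand-in for a real server; /account pages set a session cookie."""
    ORIGIN_CALLS.append(url)
    body = b"<html>" + b"x" * 400 + b"</html>"
    headers: Headers = {"set-cookie": "sid=1"} if url.startswith("/account") else {}
    return 200, headers, "text/html; charset=utf-8", body


def serve(cache: WebCache, url: str, request_headers: Headers, origin: Origin) -> Tuple[bytes, Headers, str]:
    """Serve a GET: cache lookup, origin fetch on a miss, then per-client compression."""
    hit = cache.get(url)
    if hit is not None:
        body, content_type, source = hit[0], hit[1], "HIT"
    else:
        status, headers, content_type, body = origin(url)
        cache.put("GET", url, status, headers, content_type, body)
        source = "MISS"
    body, extra = maybe_compress(request_headers, content_type, body)
    return body, extra, source
```

Two checks matter in practice. The cache refuses anything carrying Set-Cookie or Cache-Control: private/no-store, because a shared cache that stores one user's personalised page serves it to the next user. Compression runs after the cache lookup, so the stored copy stays uncompressed and each client gets what it can decode. Keep BREACH in mind as well: compressing a response that reflects attacker-controlled input next to a secret (a CSRF token, for example) over TLS leaks that secret, so such pages belong on the compression exclusion list.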

You can configure FortiADC to present an error page to clients when all the servers are unavailable. Error
pages can only be used when doing Layer 7 load balancing. After you’ve created an error page configuration
object, you can select it in the virtual server configuration.

To configure an error page configuration object, copy the error message file to a location you can reach from
your browser. The error message file must be named index.html and must be contained in a zip file. You must
have read-write permission for load balance settings.

Layer 4 content routing is when FortiADC routes traffic to specific servers based on the source IP address of
the client.

Additionally, FortiADC can make smarter load balancing decisions. When FortiADC uses Layer 7 content
routing, decisions are made based on URL. For example, requests for a specific file or file type, such as
media content, can be forwarded to server pools built to better handle that specific content type.

To configure Layer 7 content routing, you specify the real server pool that will handle specific traffic and a set
of rules. Each time traffic matches any of those rules, it is forwarded to the specified real server pool.

Using Layer 7 content rewriting, FortiADC can modify HTTP content. FortiADC can rewrite the HTTP header: it
can modify the Host header, the URL, or the Referer header. It can also be configured to reply with an HTTP
redirect, or to reply with a 403 Forbidden error.

This slide shows an overview of how to configure Layer 7 content rewriting. On the Content Rewriting screen,
you specify the action and a set of rules. Each time the traffic matches any of those rules, the action is taken.
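
Layer 7 content routing and content rewriting side by side, as an added Python example that is not FortiADC code. The rule classes, their fields and the action names are assumptions of the example. The regular expressions are anchored on purpose: an unanchored pattern such as `admin` would also match `/public/admin.png`, and a rule meant to block a path must not be bypassed that way.

```python
import re
from dataclasses import dataclass, replace
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Request:
    host: str
    path: str
    referer: str = ""


@dataclass(frozen=True)
class RouteRule:
    """Forward matching requests to `pool`; unset fields match anything."""
    pool: str
    host: Optional[str] = None          # exact, case-insensitive Host match
    path_regex: Optional[str] = None    # regular expression on the request path

    def matches(self, req: Request) -> bool:
        if self.host is not None and req.host.lower() != self.host.lower():
            return False
        return self.path_regex is None or re.search(self.path_regex, req.path) is not None


def content_route(rules: List[RouteRule], req: Request, default_pool: str) -> str:
    """First matching rule wins; otherwise the virtual server's own pool."""
    for rule in rules:
        if rule.matches(req):
            return rule.pool
    return default_pool


@dataclass(frozen=True)
class RewriteRule:
    action: str        # rewrite-host | rewrite-url | rewrite-referer | redirect | forbidden
    path_regex: str    # the rule applies when this matches the request path
    value: str = ""    # new value; for rewrite-url and redirect it is a re.sub replacement


Outcome = Tuple[str, Optional[Request], Optional[int], Optional[str]]   # kind, request, status, location


def content_rewrite(rules: List[RewriteRule], req: Request) -> Outcome:
    """Apply header/URL rewrites in order; a redirect or forbidden stops processing
    and is answered by the load balancer instead of a real server."""
    for rule in rules:
        pattern = re.compile(rule.path_regex)
        if not pattern.search(req.path):
            continue
        if rule.action == "forbidden":
            return "respond", None, 403, None
        if rule.action == "redirect":
            return "respond", None, 302, pattern.sub(rule.value, req.path, count=1)
        if rule.action == "rewrite-url":
            req = replace(req, path=pattern.sub(rule.value, req.path, count=1))
        elif rule.action == "rewrite-host":
            req = replace(req, host=rule.value)
        elif rule.action == "rewrite-referer":
            req = replace(req, referer=rule.value)
        else:
            raise ValueError(f"unknown action: {rule.action}")
    return "forward", req, None, None
```

The redirect target is built only from the matched path and a fixed host in the rule; never construct a Location from the incoming Host or Referer header, or the rule becomes an open redirect.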

Now you will explore profiles. A profile specifies the protocol whose traffic is going to be load balanced. There
are many different profile types, and not all of them are supported by each of the three load balancing types
(Layer 2, Layer 4, and Layer 7). This table shows some of the profiles and which load balancing types support
each one. FortiADC supports nearly 20 predefined profiles, as well as the ability to create custom profiles.

Now you will explore the TCP, UDP, and FTP profiles. In these three profiles, you must configure the session
timeout and the TCP session timeout after FIN. The Timeout TCP Session setting specifies how long a TCP
session without traffic remains in memory. The TCP session timeout after FIN setting specifies how long a
session remains in memory after a FIN has been sent but no FIN-ACK has been received.

The X-Forwarded-For header is the de facto standard field that identifies the original client's IP address. It
is appended by devices that change the source IP address, such as web proxies, load balancers, or devices
doing source NAT. FortiADC can add this header, or use it to make decisions related to load balancing. Because
any client can send its own X-Forwarded-For header, only the values appended by devices you control should be
trusted.

The images on this slide show the HTTP profile. If the Source Address setting is enabled, FortiADC uses the
client IP address as the source when it sets up the connection to the back-end server, so the source IP
address of the packets is preserved.

If the client traffic contains the X-Forwarded-For header (shown on the previous slide), FortiADC takes the
client IP address from there. If the setting is disabled, FortiADC uses its own IP address to connect to the
back-end server, so it performs source NAT.
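
How to read X-Forwarded-For safely, as an added Python example (not FortiADC code): the client address is the right-most entry that is not one of your own proxies, and the header is ignored entirely when the TCP peer is not a trusted proxy, because any client can send `X-Forwarded-For: 127.0.0.1` itself. The trusted-proxy list and the sample addresses are assumptions of the example.

```python
import ipaddress
from typing import Iterable, Optional


def parse_networks(cidrs: Iterable[str]) -> list:
    return [ipaddress.ip_network(c, strict=False) for c in cidrs]


def client_ip(peer_ip: str, xff_header: Optional[str], trusted_proxies: Iterable[str]) -> str:
    """Return the address that load-balancing or access decisions should be based on."""
    trusted = parse_networks(trusted_proxies)

    def is_trusted(addr) -> bool:
        return any(addr in net for net in trusted)

    peer = ipaddress.ip_address(peer_ip)
    if not is_trusted(peer):
        return str(peer)          # direct client, or an unknown proxy: the header is untrusted

    hops = [h.strip() for h in (xff_header or "").split(",") if h.strip()]
    for hop in reversed(hops):    # walk from the hop nearest to us outwards
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            return str(peer)      # malformed entry: stop and fall back to the peer
        if not is_trusted(addr):
            return str(addr)
    return str(peer)              # every hop was one of ours; the peer is the best we have


def append_xff(xff_header: Optional[str], peer_ip: str) -> str:
    """What a proxy or load balancer does before forwarding: append the peer it saw."""
    return f"{xff_header}, {peer_ip}" if xff_header else peer_ip
```

The left-most entry is the one most often used, and the one an attacker controls. Walking from the right and stopping at the first address that is not one of your proxies is what makes IP-based persistence, rate limiting and Geo IP decisions resistant to spoofing.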

HTTP Turbo is similar to the HTTP profile except that it doesn’t support advanced ADC features, such as
caching, compression, content rewriting, rate limiting, Geo IP blocking, or source NAT.

You can use it with content routing and DNAT, as long as the HTTP request is contained in the first data
packet. It enables packet-based forwarding, which reduces network latency and system CPU usage.

However, it is not recommended if you anticipate dropped or out-of-order packets.

FortiADC supports SSL offloading and acceleration. SSL offloading moves SSL encryption and decryption from
the servers to the load balancer. Because the SSL session is terminated on the FortiADC device, the system can
inspect the decrypted traffic and make decisions based on its content. To do that, the server's signed digital
certificate and private key must be installed on FortiADC.

When you use SSL offloading, a single device handles SSL and HTTPS management, so all the certificates and
private keys are stored in one place. This lowers SSL management and operational costs, but it also makes
FortiADC a high-value target, so protect its administrative access accordingly. More importantly, when you use
SSL offloading, the servers don't have to run expensive cryptographic operations, so their workload is lower;
on hardware-accelerated FortiADC devices, the SSL processing is moved to a dedicated CP9 processor. This also
reduces the bandwidth utilization between FortiADC and your back-end servers.

Using SSL re-encryption, FortiADC can decrypt the data coming from the user and re-encrypt it before
sending it to the server. Two separate SSL sessions are established: one from the client to FortiADC and
another one from FortiADC to the server. Both SSL sessions terminate at FortiADC. FortiADC can still inspect
and make decisions based on the content inside the HTTPS traffic.

To use SSL offloading or SSL re-encryption, you have to install the signed digital certificates and private keys
for your servers. There are two ways to do this: import the certificate files manually, or generate a
certificate signing request on FortiADC and submit it to a CA.

You can configure FortiADC to perform certificate-based authentication. Using certificate-based
authentication, FortiADC requires clients to present a valid digital certificate. Clients must present a
certificate signed by a CA whose root certificate is installed on FortiADC. FortiADC also supports CRLs, which
list the serial numbers of certificates that are no longer trusted.

The HTTPS profile is similar to the HTTP profile. It contains a section for the certificate. Here you specify the
digital certificate that’s going to be presented to clients that want to connect to the server.

On this screen, you can also configure options in the profile, including IP Reputation, Compression,
Caching, as well as Geo IP options.

When you configure the virtual server to use HTTPS, you must select the HTTPS profile from the drop-down
list. This enables the Client SSL Profile field, where you will select the client SSL profile that FortiADC should
use.

Now you will examine Layer 4 packet forwarding methods. Multiple methods for Layer 4 packet forwarding are
available when FortiADC is doing Layer 4 load balancing. These methods are:
• Direct routing
• DNAT
• Full NAT
• Tunneling
• NAT46
• NAT64

Using the direct routing packet forwarding method, known elsewhere as direct server return, FortiADC doesn't
change the IP addresses in the packets coming from the client. Instead, it forwards the packets to the server
with the same source and destination IP addresses. This means the real server must accept traffic addressed to
the virtual server IP address (typically by configuring that address on a loopback interface). Server replies
can go back through FortiADC, or directly to the client without passing through the FortiADC device. The
direct routing method is usually configured on a single VLAN or subnet, where the virtual server IP address
and the real server IP addresses are all on the internal interface. It can also be used in multiple-VLAN
configurations, although this is less common.

Using DNAT, FortiADC changes the destination IP address of the packets coming from the client.

Using full NAT, FortiADC changes both the source IP address and the destination IP address. In order to
specify the NAT IP addresses for the source IP address, you have to create a source pool. This is often used
when the real server’s gateway is not the load balancer and you want to avoid asymmetric traffic.

You would use Full NAT primarily when you are using FortiADC in a one-arm configuration.

FortiADC also supports tunneling. This allows FortiADC to send client requests to real servers through Layer
4 IP Tunnels.

Using NAT46, FortiADC replaces both the destination and source IP addresses, translating IPv4 addresses to
IPv6 addresses. The source IP address is replaced by an IP address from the pool you specify. The
destination IP address is replaced with the IP address of the backend server selected by the load balancer.

Using NAT64, FortiADC replaces both the destination and source IP addresses, translating IPv6 addresses to
IPv4 addresses. The source IP address is replaced by an IP address from the pool you specify. The
destination IP address is replaced with the IP address of the backend server selected by the load balancer.
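
What each Layer 4 forwarding method from the last few slides does to a client packet, and how the matching server reply is translated back through a session table, as an added Python example that is not FortiADC code. Round robin selection, port preservation under full NAT, and the sample addresses are assumptions of the example; the direct routing case also ignores the Layer 2 rewrite that really happens there.

```python
import itertools
from dataclasses import dataclass, replace
from ipaddress import ip_address
from typing import Dict, Optional, Sequence, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


FlowKey = Tuple[str, int, str, int]   # (src, sport, dst, dport) as seen on the server side


class L4Forwarder:
    """Models what each forwarding method does to the IP header of a client packet,
    and how the matching server reply is translated back."""

    METHODS = ("direct-routing", "dnat", "full-nat", "nat46", "nat64")

    def __init__(self, vip: str, vport: int, servers: Sequence[str], method: str,
                 snat_pool: Sequence[str] = ()):
        if method not in self.METHODS:
            raise ValueError(f"unknown method: {method}")
        if method in ("full-nat", "nat46", "nat64") and not snat_pool:
            raise ValueError("full NAT, NAT46 and NAT64 need a source address pool")
        self.vip, self.vport, self.method = vip, vport, method
        self.servers = itertools.cycle(servers)              # round robin, simplified
        self.snat = itertools.cycle(snat_pool) if snat_pool else None
        self.sessions: Dict[FlowKey, Packet] = {}           # server-side flow -> client packet

    def forward(self, pkt: Packet) -> Packet:
        if (pkt.dst, pkt.dport) != (self.vip, self.vport):
            raise ValueError("packet is not for this virtual server")
        server = next(self.servers)
        cv, sv = ip_address(pkt.src).version, ip_address(server).version
        if self.method == "nat46" and (cv, sv) != (4, 6):
            raise ValueError("NAT46 expects an IPv4 client and IPv6 servers")
        if self.method == "nat64" and (cv, sv) != (6, 4):
            raise ValueError("NAT64 expects an IPv6 client and IPv4 servers")
        if self.method == "direct-routing":
            out = pkt            # unchanged: the real server must own the VIP and replies directly
        elif self.method == "dnat":
            out = replace(pkt, dst=server)
        else:                    # full-nat, nat46, nat64: both addresses rewritten, port kept
            out = replace(pkt, src=next(self.snat), dst=server)
        self.sessions[(out.src, out.sport, out.dst, out.dport)] = pkt
        return out

    def reverse(self, reply: Packet) -> Optional[Packet]:
        """Translate a server reply back towards the client; None if it never transits here."""
        if self.method == "direct-routing":
            return None
        original = self.sessions.get((reply.dst, reply.dport, reply.src, reply.sport))
        if original is None:
            return None          # no session: drop rather than guess
        return Packet(src=self.vip, sport=self.vport, dst=original.src, dport=original.sport)
```

The session table is what makes full NAT safe in a one-arm deployment: the server only ever sees the NAT pool address, and a reply that does not match a recorded flow is dropped instead of being forwarded to whoever the server addressed it to.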

The final step is to create the virtual server object. You specify the IP address of the virtual server and apply
all the objects that were created in the previous steps, such as the profile object, the persistence object, the
load balance method, and the server pool.

Congratulations! You have completed this lesson.

Now, you will review the objectives that you covered in this lesson.

This slide shows the objectives covered in this lesson.

By mastering server load balancing, you can deploy FortiADC in your network and improve the efficiency of
your resources.

Link Load Balancing and Advanced Networking

In this lesson, you will learn about link load balancing (LLB) and advanced networking.

In this lesson, you will explore the topics shown on this slide.

After completing this section, you should be able to achieve the objectives shown on this slide.

By demonstrating competence in LLB, you will be able to configure LLB, create virtual tunnels, and link
groups.

When a client wants to contact a website, for example, www.fortinet.com, its browser first asks the local DNS
server for the IP address of that fully-qualified domain name. If the answer is not in the local DNS cache, the
local DNS server queries one of the root name servers on the Internet. The root name server doesn't know the
address itself; it replies with a referral to the name servers for the top-level domain, in this case .com.

The local DNS server then queries a .com name server, which replies with a referral to the authoritative name
servers for the domain fortinet.com. The local DNS server queries one of those authoritative servers, gets the
IP address for www.fortinet.com, caches it, and returns it to the client. The browser can now connect directly
to that IP address to get the web content.

Using LLB, FortiADC balances traffic among multiple upstream links. If the primary link fails, traffic is
seamlessly redirected through a backup link. You can configure LLB for inbound traffic, outbound traffic, or
both. Outbound LLB is the most commonly used configuration.

Many of the optional objects are configured as system-wide shared resources. Examples of optional objects
include schedule, address, service, and health check.

Link policies apply to either link groups or virtual tunnels.

Now you will learn about the steps to configure LLB. First, you should add addresses, address groups,
services, service groups, and schedule groups that can then be used to match traffic to link policy rules. If you
do not add these, your policy will not use matching criteria and will not have granularity.

Next, you configure the optional features. Configure health check rules before you configure gateway links,
and configure persistence rules or proximity routes before you configure a link group.

Next, you configure the gateway links.

Then you will configure either a link group or virtual tunnel as required.

Finally, you configure the link policy, in which you set the source/destination/service matching tuple for your
link groups or virtual tunnels.

Using the GUI, you can configure addresses in the system’s shared resources. You will use these addresses
when you need to create link policies that apply to more than one address object.

For example, if you subscribe customer one and customer two to a group of links, then you can create rules
that match the customer one or customer two address space, and load balance the set of gateways assigned
to them.

You can use services and service groups to specify the service to be matched in policies. The Protocol field
identifies the protocol by its IP protocol number, such as 1 (ICMP), 6 (TCP), or 17 (UDP). For example, if a
customer requires a policy for link load balancing web services, you can add HTTP and HTTPS as services, and
then aggregate those services into a group called web services.

You can use schedule groups to create time-bound LLB policies. The options are one-time, daily, weekly, or
monthly. One-time LLB policies can be very useful for special events requiring a specific LLB policy to handle
the extra surge in traffic, for example.

The gateway link configuration enables you to specify bandwidth rate thresholds, and spillover threshold
behavior for the gateway links you will add to link groups. You can also enable health checks, to make better
load balancing decisions in the link policy.

When you add each gateway, you configure its weight. Links with a higher weight receive more traffic.

When you configure a virtual tunnel group, you set the list of tunnel members, as well as load balancing
options like algorithm and weight.

When you add members to a virtual tunnel configuration, you specify a local and remote IP address. These
addresses are IP addresses assigned to a network interface on the local and remote FortiADC appliance.

After you configure a virtual tunnel configuration object, you can select it in the link policy configuration.

The link policy uses information from all the objects you created to build a table of link policy rules. The
link policy rules specify the traffic to be balanced by each link group. FortiADC searches the table from top to
bottom and uses the first rule that matches the traffic. For each rule, you configure an ingress interface,
source address, destination address, service, schedule, and the link group or virtual tunnel that FortiADC uses
to route the matching traffic. Every link policy rule must reference either a link group or a virtual tunnel.

The final step is to configure the link policies. The link policies specify the traffic to be balanced by each link
group and virtual tunnel.

The example on this slide shows a table containing three link policies. These policies specify that:

• All the traffic that comes from 172.16.1 and goes to 172.16.2 uses Virtual Tunnel 1
• All the traffic that goes to 172.16.3 uses Link Group 2
• All the traffic that goes to the Internet uses Link Group 1
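
The top-down, first-match evaluation of the link policy table described on the previous slides, as an added Python example that is not FortiADC code. It reproduces the three rules shown above (the /24 masks and the ingress interface name `port1` are assumptions, since the slide only shows the first three octets), then adds a fourth rule to show service and schedule matching.

```python
from dataclasses import dataclass, field
from datetime import datetime
from ipaddress import ip_address, ip_network
from typing import Optional, Sequence, Tuple


@dataclass(frozen=True)
class Service:
    proto: int                   # IP protocol number: 1 ICMP, 6 TCP, 17 UDP
    port: Optional[int] = None   # None matches any port

    def matches(self, proto: int, port: Optional[int]) -> bool:
        return proto == self.proto and (self.port is None or self.port == port)


@dataclass(frozen=True)
class Schedule:
    """Weekly recurring window (one of the schedule types the earlier slide lists)."""
    days: Tuple[int, ...] = (0, 1, 2, 3, 4, 5, 6)   # Monday = 0
    start_hour: int = 0
    end_hour: int = 24

    def active(self, when: datetime) -> bool:
        return when.weekday() in self.days and self.start_hour <= when.hour < self.end_hour


@dataclass(frozen=True)
class LinkPolicyRule:
    ingress: str                          # interface the traffic arrives on
    source: str                           # CIDR
    destination: str                      # CIDR
    target: str                           # link group or virtual tunnel
    services: Tuple[Service, ...] = ()    # empty = any service
    schedule: Schedule = field(default_factory=Schedule)

    def matches(self, ingress: str, src: str, dst: str, proto: int,
                port: Optional[int], when: datetime) -> bool:
        return (ingress == self.ingress
                and ip_address(src) in ip_network(self.source, strict=False)
                and ip_address(dst) in ip_network(self.destination, strict=False)
                and (not self.services or any(s.matches(proto, port) for s in self.services))
                and self.schedule.active(when))


def select_target(rules: Sequence[LinkPolicyRule], ingress: str, src: str, dst: str,
                  proto: int, port: Optional[int], when: datetime) -> Optional[str]:
    """Top-down, first match wins; None means no link policy applies."""
    for rule in rules:
        if rule.matches(ingress, src, dst, proto, port, when):
            return rule.target
    return None


# Constructed rule table mirroring the slide (the /24 masks are an assumption).
SLIDE_RULES = (
    LinkPolicyRule("port1", "172.16.1.0/24", "172.16.2.0/24", "Virtual Tunnel 1"),
    LinkPolicyRule("port1", "0.0.0.0/0", "172.16.3.0/24", "Link Group 2"),
    LinkPolicyRule("port1", "0.0.0.0/0", "0.0.0.0/0", "Link Group 1"),
)
# Constructed sample times: 4 Feb 2019 is a Monday, 3 Feb 2019 a Sunday.
MONDAY_10AM = datetime(2019, 2, 4, 10, 0)
SUNDAY_10AM = datetime(2019, 2, 3, 10, 0)
```

Because the catch-all Internet rule matches everything, any more specific rule (a customer subnet, an event-time web rule) has to sit above it; ordering is the whole policy.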

Using outbound link load balancing, the FortiADC balances traffic that leaves the network among the links that
are part of the same link group.

You can configure FortiADC to do outbound LLB based on dynamic detection of proximity routes. Dynamic
detection uses a proximity cache, which records the delay from each link to each destination subnet (/24).

For example, if a client opens a new connection to the IP address 10.10.1.1, FortiADC checks whether the
subnet 10.10.1.0/24 is in the cache table. If it isn't, the packet is routed normally, based on the configured
balancing algorithm. In addition, FortiADC sends ICMP echo requests to the destination IP address through each
of the links in the link group.

Next, the round-trip delay for each ping through each link is recorded in the proximity cache table. So, next
time there is a packet to the same /24 subnet from the same user or from a different user, FortiADC uses the
link with the smallest delay to the destination. All entries in the cache table are aged out after their inactivity
timeout expires.

There are three methods FortiADC uses to select proximity routes:


• Dynamic detect only:
• Uses the proximity route cache table to select the link with the lowest delay
• Static table only:
• Uses a static table that is manually configured by the administrator instead of using the proximity
route cache table
• Static table first:
• Checks if there is a matching destination in the static table that was manually configured by the
administrator
• If there is no matching destination in the static table, FortiADC uses the proximity route cache table
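
The proximity cache from the previous slides (per-/24 entries, learned from a probe of every link on a cache miss, aged out on inactivity) and the three selection modes listed above, as an added Python example that is not FortiADC code. The probe is a constructed table of round-trip times rather than real ICMP, the timeout value is assumed, and falling back to the balancing algorithm when the static table has no match is an assumption of the example.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from itertools import cycle
from typing import Callable, Dict, Iterable, Optional, Sequence, Tuple


def subnet24(ip: str) -> str:
    """Proximity entries are kept per /24, as described above."""
    return str(ip_network(f"{ip}/24", strict=False))


@dataclass
class ProximityCache:
    ttl: float = 600.0                                                  # inactivity timeout (assumed)
    entries: Dict[str, Tuple[str, float]] = field(default_factory=dict)   # /24 -> (best link, last used)

    def lookup(self, ip: str, now: float) -> Optional[str]:
        key = subnet24(ip)
        entry = self.entries.get(key)
        if entry is None:
            return None
        link, last_used = entry
        if now - last_used > self.ttl:
            del self.entries[key]                                       # aged out
            return None
        self.entries[key] = (link, now)
        return link

    def learn(self, ip: str, delays: Dict[str, float], now: float) -> str:
        best = min(delays, key=delays.__getitem__)
        self.entries[subnet24(ip)] = (best, now)
        return best


class ProximityLinkGroup:
    """Link selection with the three proximity-route modes from the slide."""

    MODES = ("dynamic-detect-only", "static-table-only", "static-table-first")

    def __init__(self, links: Sequence[str], mode: str,
                 static_table: Iterable[Tuple[str, str]] = (),
                 probe: Optional[Callable[[str, str], float]] = None, ttl: float = 600.0):
        if mode not in self.MODES:
            raise ValueError(f"unknown mode: {mode}")
        self.links, self.mode = list(links), mode
        self.static = [(ip_network(net, strict=False), link) for net, link in static_table]
        self.probe = probe                      # probe(link, dst_ip) -> round-trip delay in ms
        self.cache = ProximityCache(ttl)
        self.fallback = cycle(self.links)       # plain round robin when nothing better is known

    def static_lookup(self, dst: str) -> Optional[str]:
        addr = ip_address(dst)
        return next((link for net, link in self.static if addr in net), None)

    def select(self, dst: str, now: float) -> str:
        static = self.static_lookup(dst)
        if self.mode == "static-table-only":
            return static or next(self.fallback)    # unmatched: LB algorithm (assumption)
        if self.mode == "static-table-first" and static is not None:
            return static
        cached = self.cache.lookup(dst, now)
        if cached is not None:
            return cached
        link = next(self.fallback)                  # miss: route normally this time...
        if self.probe is not None:                  # ...and measure every link for next time
            self.cache.learn(dst, {l: self.probe(l, dst) for l in self.links}, now)
        return link


# Constructed probe results standing in for the ICMP round-trip measurements.
SAMPLE_RTT_MS = {"wan1": 40.0, "wan2": 12.0}


def sample_probe(link: str, dst: str) -> float:
    return SAMPLE_RTT_MS[link]
```

One operational consequence is visible in the code: the very first flow to a new /24 is placed by the ordinary algorithm and only later flows benefit from the measurement, and once an entry ages out the same thing happens again.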

Outbound LLB on FortiADC also supports virtual tunneling. You can build IP tunnels between two FortiADC
devices. These tunnels use a GRE-based proprietary protocol and do not encrypt the data; if a tunnel crosses
an untrusted network, confidentiality has to come from another layer, such as IPsec or TLS on the traffic
inside it. You can group the IP tunnels you create into virtual tunnels, and balance outbound traffic among
the tunnels that belong to the same virtual tunnel. Next, you will learn how to configure load balancing
algorithms for outbound LLB virtual tunneling.

Outbound LLB virtual tunneling routes traffic based on one of two load balancing algorithms:
• Weighted round robin:
• Means links with more weight receive more traffic
• Source-destination hash:
• Based on consistent hashing of both the source and the destination IP addresses
• Traffic between the same two IP addresses is always routed through the same link

Good job! You can now understand basic LLB.

Now, you will learn about advanced networking and routing.

After completing this section, you should be able to achieve the objectives shown on this slide.

By demonstrating competence in advanced networking and routing, you will be able to configure advanced
networking and routing options such as policy routing, QoS, and NAT.

Optionally, you can configure persistence for outbound LLB so FortiADC can maintain the same outgoing
gateway for packets with the same source or destination IP address.

There are four types of outbound LLB persistence:


• Source destination pair:
• Based on the destination IP address and source IP address
• Source destination address:
• Based on the source subnet and the destination subnet
• Source address:
• Based on the source subnet only
• Destination address:
• Based on the destination subnet only
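The two virtual-tunnel algorithms (weighted round robin and source-destination hash) together with the four persistence types above, as an added Python example that is not FortiADC code; the link names, weights, addresses and the /24 persistence prefix are constructed, and the hash ring is a generic consistent-hashing implementation rather than FortiADC's own.

```python
import hashlib
import ipaddress
import itertools


class WeightedRoundRobin:
    """Links with more weight receive proportionally more new flows."""

    def __init__(self, weights):
        # weights: {"link": weight}; {"wan1": 2, "wan2": 1} yields wan1, wan1, wan2, ...
        self._cycle = itertools.cycle(
            [link for link, weight in weights.items() for _ in range(weight)])

    def pick(self, src, dst):
        return next(self._cycle)


class SourceDestinationHash:
    """Consistent hashing of the (source, destination) pair: the same two
    addresses always map to the same link, and removing a link only remaps
    the flows that were using that link."""

    def __init__(self, links, replicas=64):
        # Each link owns several points on a hash ring so load spreads evenly
        self._ring = sorted((self._h(f"{link}#{i}"), link)
                            for link in links for i in range(replicas))

    @staticmethod
    def _h(text):
        return int.from_bytes(hashlib.sha256(text.encode()).digest()[:8], "big")

    def pick(self, src, dst):
        point = self._h(f"{src}->{dst}")
        for ring_point, link in self._ring:  # first link clockwise of the flow's point
            if ring_point >= point:
                return link
        return self._ring[0][1]  # wrapped around the ring


def persistence_key(mode, src, dst, prefix=24):
    """Key under which the chosen gateway is remembered, one per persistence type."""
    net = lambda addr: str(ipaddress.ip_network(f"{addr}/{prefix}", strict=False))
    if mode == "source-destination-pair":      # exact source and destination IPs
        return (src, dst)
    if mode == "source-destination-address":   # source subnet and destination subnet
        return (net(src), net(dst))
    if mode == "source-address":               # source subnet only
        return (net(src),)
    if mode == "destination-address":          # destination subnet only
        return (net(dst),)
    raise ValueError(f"unknown persistence mode: {mode}")


class OutboundLLB:
    """Picks an outgoing link with the configured algorithm, honouring persistence."""

    def __init__(self, algorithm, persistence=None, prefix=24):
        self.algorithm, self.persistence, self.prefix = algorithm, persistence, prefix
        self.table = {}  # persistence key -> link chosen for that key

    def route(self, src, dst):
        if self.persistence is None:
            return self.algorithm.pick(src, dst)
        key = persistence_key(self.persistence, src, dst, self.prefix)
        if key not in self.table:  # first packet for this key decides the link
            self.table[key] = self.algorithm.pick(src, dst)
        return self.table[key]
```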


So, how does FortiADC decide to route a packet? When there is an incoming packet, the first table that
FortiADC checks is the content route table. FortiADC checks if the URL or host matches any rule in the
content route table. If there is a match, the packet is routed based on that content route rule. If there is no
match, FortiADC checks the source and destination IP address for a match in the policy route table. If there is
a match in the policy route table, the packet is routed based on that rule. If there is no match in the policy
route table, then FortiADC checks the destination IP address for a match in the routing table. The routing table
contains static routes and OSPF routes. If there is a match, FortiADC routes the packet. If there is no match,
the packet is dropped because FortiADC doesn’t know how to route it.


You can configure a source NAT (SNAT) table, which contains the rules for one-to-many translation of the
source IP address. The SNAT table works in a similar way to the firewall policy tables. FortiADC searches the
table from top to bottom and uses the first rule it finds that matches the traffic.


Another NAT table on FortiADC is the one-to-one NAT table, which contains the rules for one-to-one static
bidirectional NAT translation. This slide shows an example of port forwarding, or PAT. PAT works in a similar
way to VIPs on FortiGate devices.


FortiADC has limited support for QoS. With FortiADC, you can limit the available bandwidth for non-priority
traffic. For example, you might want to limit available bandwidth so traffic that is sensitive to bandwidth and
delay can receive a higher priority.


To configure QoS, you must first configure the queues that define the different bandwidth limits. Then, you
assign the queues to the filters that specify the traffic limited by each queue.


Typically, routing is done based on the destination IP address. FortiADC can use policy routing to route traffic
based on the source IP address. In the table shown on this slide, FortiADC is configured to route all traffic
coming from 172.16.1 and going to the Internet to use the first gateway on the left. For traffic that comes from
one specific IP address in subnet 172.17.1.1, FortiADC is configured to route that traffic through the middle
link. And finally, traffic from subnet 172.17.1 is routed through the link on the right. In this way, traffic is routed
based on the source IP address, using three different links.


The policy routing configuration table contains the rules that specify the source IP address, the destination IP
address, and the gateway to use for traffic that matches those settings. FortiADC searches the table from top
to bottom and uses the first rule that matches the traffic. If there is no match, FortiADC uses the regular
routing table to route the packet.
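The lookup order from the routing slide (content route, then policy route, then routing table, else drop) and the first-match policy routing table above, as an added Python example that is not FortiADC code; the gateway names, the tables and the host name app.example.com are constructed, and the three policy routes mirror the source-based example from the earlier slide.

```python
import ipaddress


def _matches(addr, cidr):
    return ipaddress.ip_address(addr) in ipaddress.ip_network(cidr, strict=False)


def decide_route(pkt, content_routes, policy_routes, routing_table):
    """pkt: dict with "src" and "dst" IPs and, for Layer 7 traffic, "host"/"url".
    Returns (table that matched, gateway); ("drop", None) when nothing matches."""
    # 1. Content route table: match on the HTTP host or URL prefix
    for rule in content_routes:
        host_hit = "host" in rule and pkt.get("host") == rule["host"]
        url_hit = "url" in rule and pkt.get("url", "").startswith(rule["url"])
        if host_hit or url_hit:
            return ("content", rule["gateway"])
    # 2. Policy route table: first rule, top to bottom, whose source and destination match
    for rule in policy_routes:
        if _matches(pkt["src"], rule["src"]) and _matches(pkt["dst"], rule["dst"]):
            return ("policy", rule["gateway"])
    # 3. Routing table (static and OSPF routes): longest prefix match on destination only
    best = None
    for route in routing_table:
        net = ipaddress.ip_network(route["dst"], strict=False)
        if ipaddress.ip_address(pkt["dst"]) in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, route["gateway"])
    if best is not None:
        return ("routing", best[1])
    # 4. No match anywhere: the packet is dropped because nothing says where to send it
    return ("drop", None)


# Constructed tables. The /32 policy rule must sit above the /24 rule that contains
# it, because the policy table is searched top to bottom and the first match wins.
CONTENT_ROUTES = [{"host": "app.example.com", "gateway": "gw_app"}]
POLICY_ROUTES = [
    {"src": "172.16.1.0/24", "dst": "0.0.0.0/0", "gateway": "gw_left"},
    {"src": "172.17.1.1/32", "dst": "0.0.0.0/0", "gateway": "gw_middle"},
    {"src": "172.17.1.0/24", "dst": "0.0.0.0/0", "gateway": "gw_right"},
]
ROUTING_TABLE = [
    {"dst": "0.0.0.0/0", "gateway": "gw_default"},
    {"dst": "10.10.0.0/16", "gateway": "gw_lan"},
]
```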


FortiADC uses OSPF to communicate with other OSPF routers, and to advertise its routes and dynamically
populate its routing table.


You can define subnets and their associated OSPF areas on the Networking > Routing > OSPF screen in
the Network section.


The example on this slide shows where you define interfaces and their respective metrics.


When you read about BGP, you often see EBGP (Exterior BGP) or IBGP (Interior BGP) mentioned. Both are
BGP routing, but BGP used in different roles. EBGP involves packets crossing multiple autonomous systems
(AS), whereas IBGP involves packets that stay within a single AS. For example, the AS_PATH attribute is only
useful for EBGP, where routes pass through multiple ASs. These two modes are important because some
features of BGP are used for only one of EBGP or IBGP. For example, confederations are used in EBGP, and
route reflectors are only used in IBGP. Also, routes learned from IBGP have priority over EBGP learned routes.

Before you begin, you must:


• Know how BGP has been implemented in your network; that is, you must know the configuration details of
the implementation
• Have read-write permission for system settings
• Have configured all the needed access (IPv6) lists and prefix (IPv6) lists


Congratulations! You have completed this lesson.

Now, you will review the objectives that you covered in this lesson.


This slide shows the objectives covered in this lesson.

By mastering LLB and advanced networking, you will be able to configure LLB, and create virtual tunnels and
link groups. You will also be able to configure advanced networking and routing options, such as policy
routing, QoS, and NAT.

 Global Load Balancing


In this lesson, you will learn about global load balancing (GLB).


In this lesson, you will explore the topics shown on this slide.


After completing this section, you should be able to achieve the objectives shown on this slide.

By demonstrating competence in describing the GLB framework, and understanding how GLB works, you will
be able to implement it on your FortiADC.


GLB is a DNS-based solution that enables you to deploy redundant resources around the globe. You can use
these redundant resources to keep your business online when a local deployment experiences unexpected
spikes in traffic, or downtime.

GLB is a two-layer technique consisting of global server load balancing (global SLB) and local server load
balancing (SLB). Global SLB refers to balancing traffic across multiple, geographically diverse FortiADCs,
while SLB refers to the load balancing that each individual FortiADC performs across its local data center.


Global SLB is a fully featured DNS solution based on a customized and hardened BIND 9 DNS
implementation. You can deploy GLB as the authoritative name server for the DNS zones you configure.

Using FortiADC’s GLB, you create a GLB framework that accounts for location, health, and round-trip time
(RTT). When a GLB framework is in place, the DNS server directs client requests to a virtual server that is
close, available, and has low latency.


FortiADC implements security features in GLB and DNS, including DNSSEC, response rate limits, and DNS
forwarding. DNSSEC is a set of extensions to DNS that provides DNS clients (known as resolvers) with origin
authentication of DNS data, authenticated denial of existence, and data integrity.

Response rate limits help to mitigate DNS DoS attacks by reducing the rate at which the authoritative DNS
responds to high volumes of malicious queries.

DNS forwarding works by sending requests for remote resources to another DNS server known as a
forwarder. The internal server then caches those results, which optimizes further lookups and reduces the
number of DNS servers communicating over the Internet.


FortiADC determines server availability using real-time connectivity checking.

FortiADC redirects client sessions based on server availability. If there is availability in the local pool,
FortiADC replies with its virtual IP address. In the example shown on this slide, FortiADC has to be the
authoritative DNS server for the fully qualified domain name that the customer is trying to reach.


If the local pool is not available, FortiADC replies to those DNS requests with the remote peer virtual IP
address instead.


The example on this slide shows a GLB deployment with redundant resources at data centers in China and
the United States. FortiADC-1 is the local SLB for the data center in China. FortiADC-2 is the local SLB for the
data center in the United States. FortiADC-3 is a global SLB. It hosts the DNS server that is authoritative for
www.example.com.

When a client clicks a link to www.example.com, the local host DNS resolver commences a DNS query that is
ultimately resolved by the authoritative DNS server on FortiADC-3. The set of possible responses includes the
virtual servers on FortiADC-1 or FortiADC-2. The GLB framework uses location and health status to
determine the set of responses that are returned. For example, you can use the GLB framework to direct
clients located in China to the virtual server in China, or, if the virtual server in China is unavailable, then to
the redundant resources in the United States.

The virtual server IP addresses and ports can be discovered by the FortiADC GLB from the FortiADC local
SLBs. The GLB DNS server uses the discovered IP addresses in the DNS response. The framework also
supports third-party IP addresses and health checks for those addresses.


Good job! You now understand the principles of GLB.

Now, you will learn how to configure GLB.


After completing this section, you should be able to achieve the objectives shown on this slide.

By demonstrating competence in configuring GLB, you will be able to ensure that all elements of GLB are
configured correctly for your network.


GLB uses mandatory and optional configuration objects. Some mandatory objects are predefined, and include
the ability to add more objects or customize existing ones. Others, such as the zone, are auto-generated but
can be created and customized by the administrator. Optional objects are not required, or are preset, such as
the general settings and response rate limit objects.


When you deploy a GLB solution, you configure the DNS server and GLB details on the global FortiADC
instance only. The configuration framework allows for granular administration and fine tuning of both the DNS
server and GLB frameworks. The order of configuration is important for initial configurations because complex
objects, like policies, rely on simple objects, like remote DNS servers or DNS64 rules, so the simple elements
must be configured first. Fortunately, some objects are preconfigured and you can fine tune them later, if
necessary. Auto-generated zones rely on numerous other objects, so make sure to customize your
deployments where required. Many objects are optional. You can configure optional objects and add them to
existing policies later.

To configure a DNS server solution, do the following:

1. Review and configure the address groups to use in your DNS policy matching rules. You can use the
predefined any and none address groups.
2. Configure remote DNS servers, or forwarders, and the DSSET list (optional).
3. Review the zone configuration. Zones, including FortiADC virtual servers, auto-generate; however, you
can add additional zones manually.
4. Configure DNS64 and response rate limits (optional).
5. Configure DNS policies and DNSSEC.
6. Configure the remaining general DNS settings.


When configuring GLB, many objects require that components of your underlying infrastructure are up and
running so that you can test the solution. For example, virtual servers and their corresponding back-end
servers should be in place before you can create virtual server pools in Global Load Balancing.

Step 1 is configuring dynamic proximity, data centers, servers, virtual server pools, and hosts. These are
required for FortiADC to generate a working DNS zone configuration and resource records. Step 2 is
reviewing the autogenerated DNS zone configuration. Finally, step 3 is creating the DNS policy.


Use the address group object to specify the source and destination IP addresses that will be used as
matching criteria in your DNS policies. You can use the predefined Any and None groups, or you can add
your own groups.


Remote DNS servers are optional. You can use remote DNS servers to create a list of DNS forwarders, which
you can use when you don’t want the local DNS server to connect to Internet DNS servers. For example, if
your local DNS server is behind a firewall and you don’t want to allow DNS through that firewall, you can
implement DNS forwarding to a remote server deployed in a DMZ, or similar network region, that can contact
Internet DNS servers. You can use remote DNS servers in DNS zone and DNS policy configurations.


If DNSSEC is enabled, secure communication between the FortiADC DNS and any child DNSs is based on
keys contained in DSSET files. DSSET files are generated automatically, once the zone is signed by
DNSSEC.


It’s optional to configure DNS64 for FortiADC. DNS64 is used to map IPv4 addresses to AAAA queries when
there are no AAAA records. You can use DNS64 for segments using NAT64 to support IPv6 client
communication with the backend servers.


The response rate limit keeps the FortiADC’s authoritative DNS server from being used in an amplifying
reflection DoS attack. The default response rate limit is 1000 responses per second, but you can set this limit
to any value between 1 and 2048 responses per second. You can create up to 256 different response rate
limits to use in DNS policies.
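A response rate limiter with the limit range and default given above, as an added Python example that is not FortiADC's implementation; the per-/24 bucketing, the "slip" behavior (answering every second over-limit query with a small truncated reply so real clients can retry over TCP) and the query stream are constructed assumptions.

```python
class ResponseRateLimiter:
    """Per-second cap on identical responses to one client network.

    Over-limit responses are dropped, except that every `slip`-th one is
    answered with a small truncated (TC=1) reply: a genuine resolver retries
    over TCP, while a spoofed flood gets no amplified answers."""

    def __init__(self, limit=1000, slip=2):
        if not 1 <= limit <= 2048:
            raise ValueError("response rate limit must be between 1 and 2048 per second")
        self.limit, self.slip = limit, slip
        self._windows = {}  # (client /24, qname, qtype) -> [second, sent, over_limit]

    @staticmethod
    def _key(client_ip, qname, qtype):
        # Aggregate per /24: a reflection flood spreads spoofed sources across the
        # victim's network, so limiting per single address would not catch it.
        client_net = ".".join(client_ip.split(".")[:3])
        return (client_net, qname.lower().rstrip("."), qtype)

    def decide(self, now, client_ip, qname, qtype):
        """Return "respond", "slip" or "drop" for one query."""
        key = self._key(client_ip, qname, qtype)
        second = int(now)
        window = self._windows.get(key)
        if window is None or window[0] != second:  # new one-second window
            window = [second, 0, 0]
            self._windows[key] = window
        if window[1] < self.limit:
            window[1] += 1
            return "respond"
        window[2] += 1
        if self.slip and window[2] % self.slip == 0:
            return "slip"
        return "drop"


def simulate(limiter, queries):
    """queries: iterable of (time, client_ip, qname, qtype); returns decision counts."""
    counts = {"respond": 0, "slip": 0, "drop": 0}
    for now, client_ip, qname, qtype in sorted(queries, key=lambda q: q[0]):
        counts[limiter.decide(now, client_ip, qname, qtype)] += 1
    return counts


# Constructed traffic: 3000 spoofed ANY queries for example.com within one second,
# sources spread over 203.0.113.0/24, plus five ordinary A lookups from another resolver.
FLOOD = [(i / 3000, f"203.0.113.{i % 254 + 1}", "example.com", "ANY") for i in range(3000)]
LEGIT = [(0.1 * i, "198.51.100.7", "www.example.com", "A") for i in range(5)]
```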


The general DNS settings allow you to specify which interfaces listen for DNS requests. By default, FortiADC
listens for DNS requests on all configured addresses and interfaces. Other settings apply when traffic does
not match a global DNS policy. Key elements of the general DNS settings include enabling or disabling global
DNS, recursion, DNSSEC, and DNSSEC validation. You can also set the default forwarding behavior and
response rate limit in the general DNS settings.


You can use the Dynamic Proximity setting to order DNS lookup results based on the RTT of ICMP or TCP
probes sent by the local SLB to the DNS resolver that sent the DNS request. FortiADC caches the RTT results
for the specified timeout. For any subsequent requests from IP addresses in the specified netmask, FortiADC
takes the RTT from the results table instead of issuing a new real-time probe. This reduces DNS response
time.


The Data Center is a required component of a GLB configuration. Configuring the data center allows you to
set key properties, such as Location, ISP, or both, and ISP State/Province. The GLB algorithm uses these
properties to select the FortiADC that is closest to the client.


Good job! You now understand how to configure GLB.

Now, you will learn how to configure zones and servers.


After completing this section, you should be able to achieve the objectives shown on this slide.

By demonstrating competence in configuring servers and zones, you will be able to set up servers, virtual
server pools, zones, and DNS policies.


Servers are another required component of a GLB configuration.

Use servers to specify the local SLBs, either FortiADC instances or third-party servers, that are to be load
balanced. For FortiADC instances, the GLB feature checks the status and synchronizes configurations from
the local SLBs so that it can learn the set of virtual servers that can be included in the GLB VS pool.

For the discovery feature to work, you must first create the data center objects associated with the local SLBs,
as well as the virtual server configurations on the local FortiADC SLBs to be included in the GLB VS pools. If
you want to configure a gateway health check, you must also create gateway objects on the local FortiADC
SLBs.

After you meet these requirements, and you add a server to global server load balancing, you can click
Discover to allow FortiADC to discover the local VSs and populate the members list.


The VS pool configuration is also mandatory. It defines the set of VSs that can be matched in DNS resource
records, so it should include all the VSs that can be answers for DNS requests to resolve www.example.com.
The VS pool also specifies key parameters of the GLB algorithm, including proximity options, status checking
options, load balancing method, and weight. You specify VS pools in the GLB host configuration.


The DNS response to the client is an ordered list of answers, which excludes unavailable VSs. The available
servers are ordered based on the following priorities:
1. Geographic proximity
2. Dynamic proximity
3. Weighted round robin

A client that receives the DNS response as a list of answers tries the first answer and only proceeds to the
next answers if the first answer is unreachable.
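The three ordering priorities above, combined with the dynamic proximity RTT cache described on the earlier slide, as an added Python example that is not FortiADC code; the pool members, probe RTTs, the /24 netmask, the 300 s timeout and the smooth weighted round robin used to rotate the leading answer are constructed assumptions.

```python
import ipaddress


class RttCache:
    """Dynamic proximity: RTT per (data center, resolver network), reused for
    `timeout` seconds instead of probing again for every request from that network."""

    def __init__(self, prefix=24, timeout=300):
        self.prefix, self.timeout = prefix, timeout
        self._entries = {}  # (dc, network) -> (probed_at, rtt_ms)

    def lookup(self, now, dc, resolver_ip, probe):
        network = ipaddress.ip_network(f"{resolver_ip}/{self.prefix}", strict=False)
        entry = self._entries.get((dc, network))
        if entry is None or now - entry[0] > self.timeout:
            # probe(dc) stands in for the real-time ICMP/TCP probe the local SLB would send
            entry = (now, probe(dc))
            self._entries[(dc, network)] = entry
        return entry[1]


class SmoothWrr:
    """Weighted round robin that hands out the leading answer in proportion to weight."""

    def __init__(self):
        self._current = {}

    def lead(self, group):
        total = sum(m["weight"] for m in group)
        for m in group:
            self._current[m["name"]] = self._current.get(m["name"], 0) + m["weight"]
        chosen = max(group, key=lambda m: self._current[m["name"]])
        self._current[chosen["name"]] -= total
        return chosen


def order_answers(members, client_country, resolver_ip, now, cache, probe, wrr):
    """Return the VS IPs in the order the DNS response would list them."""
    groups = {}
    for m in members:
        if not m["available"]:  # VSs that failed their health check are excluded
            continue
        geo = 0 if m["country"] == client_country else 1      # priority 1: geographic proximity
        rtt = cache.lookup(now, m["dc"], resolver_ip, probe)  # priority 2: dynamic proximity
        groups.setdefault((geo, rtt), []).append(m)
    answers = []
    for key in sorted(groups):
        group = sorted(groups[key], key=lambda m: -m["weight"])
        if len(group) > 1:  # priority 3: weighted round robin among otherwise equal VSs
            first = wrr.lead(group)
            group.remove(first)
            group.insert(0, first)
        answers.extend(m["ip"] for m in group)
    return answers


# Constructed VS pool for www.example.com: one VS in China, two VSs in a US data
# center (weights 2 and 1), and one VS whose health check failed.
MEMBERS = [
    {"name": "cn-vs", "dc": "cn", "country": "CN", "ip": "198.18.0.1", "weight": 1, "available": True},
    {"name": "us-vs-a", "dc": "us", "country": "US", "ip": "198.18.1.1", "weight": 2, "available": True},
    {"name": "us-vs-b", "dc": "us", "country": "US", "ip": "198.18.1.2", "weight": 1, "available": True},
    {"name": "eu-vs", "dc": "eu", "country": "DE", "ip": "198.18.2.1", "weight": 1, "available": False},
]
PROBE_RTT_MS = {"cn": 120, "us": 40, "eu": 80}  # constructed probe results per data center
```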


You can add up to 256 servers to a VS pool.


Use host settings, which are also mandatory, to form the zone configuration and resource records (RRs) in the
generated DNS zone used for GLB. Host settings are mapped to zone settings and RRs. The system uses the
Domain Name and Host Name settings in both the configuration and the generated configuration name. The
system derives the IP address and weight from the VS pool.


The DNS zone configuration is key to the GLB solution. It contains key DNS server settings, such as domain
name and name server details, type (whether master or forwarder), and whether DNSSEC is enabled or not.
It also contains the DNS resource records that are used to resolve DNS queries. Each zone can have different
DNS server settings. For example, the DNS server can be a master for one zone and a forwarder for another
zone. You can create up to 256 zones for use in DNS policies.


This slide shows an example of an auto-generated zone.


Because FortiADC is now an authoritative DNS server, you can add A and AAAA (quad A) records, CNAME
records, and NS records. You can also add MX and TXT records to the zone.


The global DNS policy is a rule base that matches traffic to DNS zones. Traffic that matches a zone, source,
and destination criteria is served by the global DNS policy. Traffic that does not match any specific policy is
served by the DNS general settings. You can create up to 256 different global DNS policies.


Congratulations! You have completed this lesson.

Now, you will review the objectives that you covered in this lesson.


This slide shows the objectives covered in this lesson.

By mastering GLB, servers, and zones, you will be able to implement these capabilities on your FortiADC.

 Security


In this lesson, you will learn about security.


In this lesson, you will explore the topics shown on this slide.


After completing this section, you should be able to achieve the objectives shown on this slide.

By demonstrating competence in network security, you will be able to ensure that the various security features
of FortiADC are correctly configured to help protect your network.


The best approach to sound security is a layered approach. The first layer is made up of firewall policies. A
firewall policy is a set of rules that are applied to traffic that passes through FortiADC and defines whether a
new client connection is allowed. By default, all new connections are accepted. Blocking or allowing traffic
based on ports and IP addresses is your first line of defense when implementing security within your network.
For example, if you don’t need to allow the use of the File Transfer Protocol (FTP), you can block the FTP
port.

You can create firewall policies for both IPv4 and IPv6 traffic for FortiADC.

Now you will learn how firewall policies work. When a packet arrives at an interface, FortiADC analyzes the
packet and checks its routing table to see where the packet should be sent. If it’s a routable packet, FortiADC
searches the firewall policies for a match. To find a policy match, FortiADC checks the ingress and egress
interfaces, source and destination IP addresses, and the service. After FortiADC finds a policy match, it
applies the rules for the policy.


FortiADC firewall policies make use of system-shared resources such as firewall addresses and services.

Addresses and services can be further aggregated into address groups and service groups, for ease of
management. You configure IP address ranges and subnets for firewall addresses, and IP protocols and
TCP/UDP port numbers for service objects.


To create a firewall policy in FortiADC, you must configure the inbound interface, outbound interface, source
address, destination address, service, and action (which can be either accept or deny). You also have the
option to specify the default action, which is the action to be taken by FortiADC for traffic that doesn’t match
any of the firewall policies.

By default, the action is Accept, but you can change it to Deny. FortiADC uses the first match for the traffic
that it finds in the policy in a search from top to bottom.

Because of the system resources required by the firewall function, overall FortiADC performance will be
impacted. It is important to be aware of this when deciding to implement the firewall feature.


The connection limit table contains a set of rules that you can use to limit the number of concurrent
connections.

In the example shown on this slide, the number of concurrent connections is limited for each destination IP
address and for each source IP address.


FortiADC offers a mechanism to protect your servers against SYN flood attacks.

Now you will learn how a SYN flood attack works. On many servers, the information about each TCP
connection is stored in the transmission control block (TCB), which occupies part of the server’s memory.
During a SYN flood attack, an attacker sends a large number of SYN packets from spoofed IP addresses to
the server. Each time a SYN packet arrives, an entry is created in the TCB to store the information contained
in the SYN packet fields.

A SYN flood attack is effective when it exhausts the available memory in the TCB. Once the TCB table is
exhausted, legitimate users can’t connect to the server.


To protect the servers from SYN flood attacks, FortiADC offers a feature called SYN cookie protection.

Here’s how it works. For each SYN packet that it receives, FortiADC replies with a SYN/ACK whose TCP
sequence number carries a cookie value, and then it waits for the ACK packet.

If it receives an ACK packet containing the right cookie, the device proxies the TCP connection to the
server. Consequently, SYN packets from an attacker never arrive at the server.

The SYN packets go to the server only when FortiADC confirms the sender is a legitimate user.
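The SYN cookie exchange described above, as an added simplified Python example that is not FortiADC's implementation; the secret, the 5-bit time slot plus 27-bit MAC cookie layout, the 64 s slot length and the flows are constructed assumptions.

```python
import hashlib
import hmac
import struct

# Constructed secret; a real implementation rotates it and never stores it in plain config
SECRET = b"constructed-syn-cookie-secret"
SLOT_SECONDS = 64  # cookies from the current and previous slot are accepted


def _mac(src, sport, dst, dport, slot):
    """27-bit keyed MAC over the 4-tuple and the time slot."""
    msg = f"{src}:{sport}>{dst}:{dport}|{slot}".encode()
    digest = hmac.new(SECRET, msg, hashlib.sha256).digest()
    return int.from_bytes(digest[:4], "big") & 0x07FFFFFF


def make_cookie(src, sport, dst, dport, now):
    """Sequence number for the SYN/ACK: 5-bit time slot plus the 27-bit MAC.
    Nothing is stored for the half-open connection."""
    slot = int(now // SLOT_SECONDS) & 0x1F
    return (slot << 27) | _mac(src, sport, dst, dport, slot)


def check_ack(src, sport, dst, dport, ack_num, now):
    """True if the ACK acknowledges a cookie we could have issued recently."""
    cookie = (ack_num - 1) & 0xFFFFFFFF  # the client acknowledges our ISN + 1
    slot, mac = cookie >> 27, cookie & 0x07FFFFFF
    current = int(now // SLOT_SECONDS) & 0x1F
    if slot not in (current, (current - 1) & 0x1F):
        return False  # too old: a replayed or very late ACK
    expected = _mac(src, sport, dst, dport, slot)
    return hmac.compare_digest(struct.pack(">I", mac), struct.pack(">I", expected))


class SynProxy:
    """Only handshakes completed with a valid cookie become connections to the server."""

    def __init__(self, server):
        self.server = server
        self.established = set()  # (src, sport) flows proxied through to the server

    def on_syn(self, src, sport, dport, now):
        # Reply with a SYN/ACK carrying the cookie; keep no state for the SYN itself
        return {"flags": "SYN/ACK", "seq": make_cookie(src, sport, self.server, dport, now)}

    def on_ack(self, src, sport, dport, ack_num, now):
        if check_ack(src, sport, self.server, dport, ack_num, now):
            self.established.add((src, sport))  # now open the real connection to the server
            return True
        return False  # stray or forged ACK: ignored, nothing reaches the server
```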


FortiGuard IP Reputation is another feature for FortiADC that can prevent malicious connections to your
servers.

FortiGuard is a worldwide distributed server network that provides, among many other services, an up-to-date
list of IP addresses that could threaten your network. You must purchase a subscription to use the FortiGuard
IP Reputation service.


Using FortiGuard IP Reputation, you can configure FortiADC to periodically download the latest list of
blacklisted IP addresses from FortiGuard.

If the FortiADC doesn’t have Internet access, you can download the list from FortiGuard and upload it
manually to FortiADC.


After you enable FortiGuard IP Reputation, FortiADC blocks any traffic coming from an IP address that has a
poor reputation or has been blacklisted by the FortiGuard IP Reputation list.

Alternatively, in the case of HTTP and HTTPS, FortiADC can redirect users to a different URL.


The Geo IP database is a FortiGuard security service that maps IP addresses to countries, satellite providers,
and anonymous proxies. Similar to the FortiGuard IP Reputation database, the Geo IP database is updated
periodically.

The Geo IP service allows FortiADC to respond in one of four ways to a request from an IP address that is on
the block list:
• Pass the packet along
• Deny and drop the packet
• Redirect the packet to another destination
• Respond to the packet with an error message of “403 Forbidden”


This slide shows the Geo IP Protection configuration screen. You can create up to 256 Geo IP policy objects.
Each object can contain up to 256 distinct countries.


You can configure exceptions to Geo IP Policies by adding entries to the Geo IP Whitelist, which is based on
the IP Subnet.


In the example shown on this slide, you can see Geo IP at work in the SLB Layer 4 logs, where source IP
addresses can be mapped to their country of origin. In this example, because they are private IP addresses,
the countries show as Reserved.


FortiADC is the first ADC solution on the market with support for Sandbox service integration. This means that
FortiADC supports security fabric integration for advanced threat detection. The feature on FortiADC supports
HTTP, HTTPS, and SMTP protocols.

Web application file uploads are first checked by FortiADC’s AV scanner and then sent to FortiSandbox for
further analysis. FortiADC first performs basic analysis with its AV engine and then submits all suspicious
files to FortiSandbox for further analysis. FortiSandbox then drops or quarantines the malicious traffic and
forwards healthy traffic segments to the back-end servers. A log is generated whenever a file is uploaded to
FortiSandbox.


Malware and advanced persistent threats (APT) can cause significant damage to the business of any
organization. Malicious code is commonly used to steal valuable data, gain unauthorized access to networks,
or degrade products.

Using a suite of integrated security technologies, AV solutions provide protection against a variety of threats,
including both known and unknown malicious code (malware) and advanced targeted attacks (ATA).

Integrated with the FortiOS AV engine, FortiADC provides an industry-class malware and APT detection and
mitigation solution to our customers.

This slide illustrates how FortiADC's AV module works:

1. Automatically updates the latest attack signatures from FortiGuard to ensure real-time protection.
2. Submits all files, including suspicious files, to an on-premise device (FortiSandbox) or cloud-based
service (FortiCloud Sandbox) for further analysis after performing the basic AV processing on its own.
3. Malicious files will be dropped or quarantined, and healthy ones will be forwarded to the back-end
servers.


You must configure AV profiles to use the AV service module, which can be done either on the GUI or the
CLI. Once created, you can include your AV profiles when creating advanced virtual server profiles that use
the HTTP or HTTPS protocol.


The quarantine daemon manages infected or suspicious files.

This is a multi-process daemon: it receives quarantine requests from the AV daemon and then processes
the requests in child processes. It can work in tandem with remote devices to complement the AV service,
such as sending suspicious files to FortiSandbox for deeper inspection or uploading the archive package to
FortiCloud.

It also manages the use of the storage space: listing the quarantined files, deleting expired files,
overwriting old files, or dropping new files when there is not enough storage space available.

FortiADC's AV service relies on the system's AV engine and signature databases. The AV engine is upgraded
whenever new functions are added. The update daemon is responsible for updating the AV engine and the
signature databases.

The system offers three types of AV signature databases: Normal, Extended, and Extreme. They represent
different levels of AV services. In order for FortiADC to provide you with the level of AV service that you
desire, you must choose the appropriate signature database.

Good job! You now understand the network security features of FortiADC.

Now, you will learn how to implement user authentication.

After completing this section, you should be able to achieve the objectives shown on this slide.

By demonstrating competence in user authentication, you will be able to set up authentication policies on your
FortiADC.

FortiADC allows you to set conditions for authentication and identify the user group that can access a
resource controlled by FortiADC.

This slide shows the client-server communications authentication process.

The prerequisites for the authentication process are as follows:

• The virtual server must be Layer 2 or Layer 7
• The profile type must be HTTP or HTTPS
• The once-only profile option must be disabled

If the prerequisites are met, the authentication process occurs as follows:

1. The client sends an HTTP request to FortiADC for a URL belonging to a FortiADC virtual server that has
an authorization policy, in this case www.example.com.
2. FortiADC replies to the client with an HTTP 401 message to request authorization. On the client device,
the user may be prompted to enter credentials.
3. The client reply is sent, which includes an authorization header that passes the credentials to FortiADC.
4. FortiADC sends a request to the server, whether local, LDAP, or RADIUS, in order to authenticate the
user.
5. The authentication server sends its response to FortiADC, which can be cached according to your user
group configuration.
6. If authentication is successful, FortiADC continues to process the traffic and forwards the request to the
real server.
7. The real server responds with an HTTP 200 OK message.
8. FortiADC processes the traffic and forwards the server response to the client.
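The challenge and response exchange above, as an added Python simulation that is not FortiADC code: the user dictionary stands in for the local, LDAP, or RADIUS authentication server, and CACHE_TTL_SECONDS stands in for the user group's cache setting; the realm and credentials are constructed.

```python
"""Simulation of the HTTP 401 challenge exchange enforced by an authentication policy.

Added illustration of the eight-step flow above; it is not FortiADC code.
Assumptions: the user store below stands in for the local, LDAP or RADIUS
authentication server, and CACHE_TTL_SECONDS stands in for the user group's
cache setting.
"""
import base64
import hmac
import time

REALM = "www.example.com"
CACHE_TTL_SECONDS = 300
# Constructed local user group (hypothetical credentials).
LOCAL_USER_GROUP = {"alice": "s3cret-pass", "bob": "hunter2-long"}


class AuthPolicy:
    """Enforces one authentication policy in front of a virtual server."""

    def __init__(self, users, ttl=CACHE_TTL_SECONDS, clock=time.time):
        self.users = users
        self.ttl = ttl
        self.clock = clock            # injectable so cache expiry can be tested
        self.cache = {}               # (user, password) -> expiry timestamp
        self.backend_queries = 0      # how often the auth server was asked

    def _query_auth_server(self, user, password):
        """Steps 4 and 5: ask the authentication server, caching a success."""
        key = (user, password)
        now = self.clock()
        if self.cache.get(key, 0) > now:
            return True                   # step 5 answered from the cache
        self.backend_queries += 1
        expected = self.users.get(user)
        ok = expected is not None and hmac.compare_digest(
            expected.encode(), password.encode())
        if ok:
            self.cache[key] = now + self.ttl
        return ok

    def _challenge(self):
        """Step 2: a 401 that makes the client prompt for credentials."""
        return 401, {"WWW-Authenticate": f'Basic realm="{REALM}"'}

    def handle(self, request):
        """Return (status, headers) for a request dict {"path": ..., "headers": {...}}."""
        auth = request["headers"].get("authorization", "")
        scheme, _, token = auth.partition(" ")
        if scheme.lower() != "basic" or not token:
            return self._challenge()
        try:                              # step 3: decode user:password
            decoded = base64.b64decode(token, validate=True).decode("utf-8")
        except (ValueError, UnicodeDecodeError):
            return self._challenge()
        user, sep, password = decoded.partition(":")
        if not sep or not self._query_auth_server(user, password):
            return self._challenge()
        # Steps 6 to 8: forward to the real server and relay its 200 OK.
        return 200, {"X-Forwarded-User": user}


def basic_header(user, password):
    """Build the Authorization header a client sends in step 3."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


def run_exchange(policy, user, password):
    """Steps 1 to 8 end to end: status of the first and of the second request."""
    first, _ = policy.handle({"path": "/", "headers": {}})
    second, _ = policy.handle({"path": "/", "headers": {
        "authorization": basic_header(user, password)}})
    return first, second
```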

FortiADC’s authentication policies support local user groups as well as RADIUS and LDAP servers. To create
local users and groups, on the GUI, click User Authentication > User Group.

To create authentication policies, on the GUI, click User Authentication > Authentication Policy.

To maintain granular control of user authentication, you can create multiple policies, and define multiple
members.

After you create the authentication policy, you can select it in the settings for the virtual server, in the Auth
Policy drop-down menu.

Good job! You can now configure user authentication.

Now, you will learn about the web application firewall capabilities of FortiADC.

After completing this section, you should be able to achieve the objectives shown on this slide.

By demonstrating competence in describing WVS and configuring WAF, you will be able to ensure that your
FortiADC is OWASP-compliant for secure transactions.

In order to comply with the OWASP Top 10 requirements, FortiADC needed to add WVS. This tool helps to
cover the following criteria:
• A6: Security Misconfiguration
• A9: Using Components with Known Vulnerabilities
• A8: Insecure Deserialization

WVS is a set of automated tools that perform black box tests on web applications, looking for security
vulnerabilities such as cross-site scripting, SQL injection, command injection, source code disclosure, and
insecure server configuration.

FortiADC uses Skipfish, an active web application security tool written in pure C, which offers the
following:
• Support for a variety of quirky web frameworks and mixed-technology sites
• Automatic learning capabilities
• Blind injection vectors
• Full reporting on vulnerability risks

Each WVS task is limited to 50 policies and has a crawl depth limit of 20 libraries. WVS does not support HTTP/2
or IPv6.

A pool member must be selected in order for WVS to send a scan. A scan will not be sent if the pool member
port is 0.

A WAF is a security policy enforcement point that you can set up between the client and a web application. Its
main purpose is to prevent attacks against the web servers. You deploy it separately from the web application
so that the processes used to perform security scanning do not affect the web server’s performance.

A web application firewall uses methods that complement perimeter security, such as the perimeter security
provided by the FortiGate next-generation firewall (NGFW).

A WAF scans a request at four checkpoints: the HTTP request header, the HTTP request body, the HTTP
response header, and the HTTP response body. When the WAF completes the scan, it enforces policy rules.

If the HTTP request header violates a rule, and the action is Deny, the attempted session is dropped, and
scanning for the transaction stops. If the action is Alert, the event is logged and rules processing continues.

This slide shows the relationships among WAF configuration elements. A WAF profile is made up of a web
attack signature policy, a URL protection policy, an HTTP protocol constraint policy, and a SQL/XSS injection
detection policy.

This WAF profile is, in turn, applied to a load balancing virtual server, so all traffic routed to the virtual server
is subject to the WAF rules set out in the profile.

You can apply WAF profiles to HTTP and HTTPS virtual servers but not to HTTP Turbo virtual servers.

WAF policies allow the WAF to detect and respond to different types of threats.

For example, the web attack signature policy allows the WAF to scan the traffic for signatures that detect
known attacks and exploits. URL protection policies allow the WAF to filter HTTP requests that match specific
character strings and file extensions.

HTTP protocol constraint policies allow the WAF to create rules that filter traffic containing invalid HTTP
request parameters and methods, or to drop packets with specified server response codes.

SQL and cross-site scripting (XSS) injection detection policies inspect user-supplied data for requests that can
cause SQL queries to be run directly against the web application’s database, or for XSS injection attacks that can
cause a web browser to run a client-side script. WAF SQL and XSS detection is complementary to, and much
faster than, the web attack signature method.

WAF profiles refer to the various WAF policies to be enforced. A profile can define four different types of
policies: web attack signature, URL protection, HTTP protocol constraint, and SQL/XSS injection detection.

You can apply WAF profiles to a load balancing VS, so that traffic routed to that VS is subject to those rules.
You can apply WAF profiles to both HTTP and HTTPS VSs, but not to HTTP Turbo virtual servers.

You can use existing predefined profiles or create your own. The maximum number of profiles per VDOM is
255.

Congratulations! You have completed this lesson.

Now, you will review the objectives that you covered in this lesson.

This slide shows the objectives that you covered in this lesson.

By mastering security concepts, you will be able to ensure the FortiADC and your network are effectively
protected from a variety of threats.

 Monitoring and Troubleshooting

In this lesson, you will learn about monitoring and troubleshooting.

In this lesson, you will learn about the topics shown on this slide.

After completing this section, you should be able to achieve the objectives shown on this slide.

By demonstrating competence in understanding the various dashboards of the FortiADC, you will be able to
identify issues or anomalies faster and more efficiently.

The first screen you’ll see when you log in to the FortiADC GUI is the dashboard.

The dashboard contains a group of widgets that provide information that you can use to monitor the
device and learn when something isn’t working properly.

For example, there’s a widget that provides traffic statistics, one that provides license statistics, and
another that provides system information.

You can even customize the dashboard using the Edit button, or add additional dashboards from the
menu on the left side of the window, using the Create Dashboard button.

The FortiView pages display important information about FortiADC, which includes the logical topology of
real server pools and their members within each virtual server, server load-balancing information, security,
and some other system events and alerts.

The Physical Topology page displays the physical topology of your FortiADC network structure. It shows
your FortiADC appliance or appliances, identified by serial number, and the real servers connected to them.

The Server Load Balance > Logical Topology page uses the tree view format to show the internal
configuration of each virtual server on FortiADC. Depending on the configuration, the diagram may
show content routing, schedule pools, real server pools, and real server pool members configured on
a virtual server.

As well as viewing the internal configurations of virtual servers, you can also drill down into the
components (except content routing and schedule group) for details by clicking their corresponding
icons. This is what you will see when you click the component icons:

• Virtual server: Opens the page with details of that virtual server
• Real server pool: Opens the page with details of that real server pool
• Real server: Opens the page showing details of that real server

This is a view of the virtual servers dashboard, which allows you to monitor all of the virtual servers
on FortiADC, and access the real server dashboard for each virtual server.

The real server dashboard provides a live, up-to-date view of the individual real server pool members
underpinning the virtual server.

FortiADC now also features a GUI-based Packet Capture tool, in addition to the traditional CLI commands.
Before using this tool, you should have a good understanding of tcpdump and filter expressions. You must
have read-write permission for system settings.

Capture results are collected in a PCAP format file, which you can download and open in any tool that supports
the PCAP format, such as Wireshark.

See http://www.tcpdump.org/manpages/pcap-filter.7.html for more information on tcpdump filter expressions.

Good job! You can now navigate the various dashboards.

Now, you will learn how to configure and navigate logs and alerts.

After completing this section, you should be able to achieve the objectives shown on this slide.

By demonstrating competence in logging and alerts, you will be able to configure local logging, remote logging
and alert emails. You will also be able to use the SNMP protocol to monitor FortiADC.

FortiADC can send logs to multiple destinations. FortiADC can store the logs in local RAM and on the
local hard disk.

FortiADC can also send logs to remote servers, such as a third-party syslog server, or a
FortiAnalyzer.

FortiADC can generate three types of logs.

Event logs provide information about administrative actions or system events, such as device reboots
or user logins. Security logs provide information about FortiADC security features, and traffic logs
provide traffic flow information.

For each logging destination a severity threshold is defined. Only logs equal to or exceeding the
selected level are generated. There are seven different log severity levels on FortiADC. The highest,
or most severe, is level 0, which is used for emergency events. The lowest, or least severe, is level 6,
which is used for information events.

When you enable local logging, FortiADC stores the logs on the hard disk. If you disable local
logging, logs are stored in the memory of the device. You also have to select what level of logs you
want to store. When you enable logs, you can specify what types of events you want to generate logs
for.

You can also configure FortiADC to send logs to multiple FortiAnalyzer devices and third-party
syslog servers. For each of the destinations, you must configure the types of logs that you are going
to generate.

This slide shows a sample event log. All the logs include the date, the time that the log was
generated, an ID, the type of log, and the severity level. All logs also contain a message that
describes the event. In this example, the message indicates that the event is related to the admin
user making a change in the root VDOM’s load-balancing configuration.

FortiADC can send an alert email each time a specific category of event occurs.

When you configure this feature, you specify the events for which you want to generate alert emails
and a destination email address. You can specify multiple destination email addresses.

FortiADC supports SNMP, so this protocol can be used to monitor the device. FortiADC supports
versions 1, 2, and 3 of the SNMP protocol.

Support for SNMP v3.0 was added in FortiADC version 4.3.0. Support for enhanced SNMP MIBs and traps
was added in FortiADC 4.4.0.

For more information about downloading vendor-specific and product-specific MIB files, see the
FortiADC Handbook.

Good job! You can now configure and navigate logs and alerts.

Now, you will learn about some CLI utilities.

After completing this section, you should be able to achieve the objectives shown on this slide.

By demonstrating competence in using CLI utilities, you will be able to use the diagnostic commands available
on the CLI, and to identify some of the most common issues.

The CLI offers three basic network utilities for troubleshooting.

You can run a ping command using the command execute ping, you can run a traceroute using
the command execute traceroute, or you can do an nslookup using the command execute
nslookup name.

These three commands will help you to troubleshoot networking problems or DNS problems.

One of the most useful troubleshooting tools in the CLI is the built-in sniffer.

FortiADC has a built-in sniffer that you can use to sniff and capture all the traffic that’s crossing the
device. To enable the sniffer, use the command diag sniffer packet then specify the interface
name. To sniff the traffic on all interfaces, specify any, instead of a specific interface name.

You must also specify a filter and a verbosity level. The verbosity level ranges from 1 to 6. The
example on this slide shows what information is displayed for each verbosity level. Verbosity level 4
is often used to gain an understanding of how traffic flows, because it shows the incoming interface,
the outbound interface, and the IP headers only. Verbosity levels 3 and 6 are used to capture the
whole packet, including the payload. Verbosity level 3 and 6 captures can be exported to a PCAP
file using two scripts, so that you can analyze the file later using Wireshark. The script file for converting
the sniffer output to a PCAP file is available on the Fortinet Knowledge Base.
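As an added illustration of the conversion step just described (this is not the Fortinet Knowledge Base script), the Python below parses verbosity 3 style hex dump output into frames and writes a classic PCAP file that Wireshark can open. It assumes each packet begins with a summary line whose first token is a relative timestamp, followed by lines of the form `0x0010<tab> 003d 1a2b ...<tab>.=.+...`, with hex words separated by single spaces and the ASCII column by a tab or wider gap; the sample capture is constructed.

```python
"""Convert FortiADC 'diag sniffer packet ... 3' hex output into a PCAP file.

Added example, not the Knowledge Base script the text refers to.
Assumption about the output format: a summary line per packet whose first
token is a relative timestamp, then '0x<offset>' lines whose hex words are
separated by single spaces, with the ASCII column after a tab or wider gap.
"""
import re
import struct

HEX_LINE = re.compile(r"^0x[0-9a-fA-F]+\s+([0-9a-fA-F]{2,4}(?: [0-9a-fA-F]{2,4})*)")

# Constructed sample: a DNS query for www.example.com and an NXDOMAIN reply
# (IP and UDP checksums are zeroed because the frames are synthetic).
SAMPLE_OUTPUT = """\
interfaces=[port1]
filters=[udp and port 53]
0.815234 10.0.1.25.49152 -> 10.0.1.53.53: udp 33
0x0000\t 0050 56aa bb02 0050 56aa bb01 0800 4500\t.PV....PV.....E.
0x0010\t 003d 1a2b 0000 4011 0000 0a00 0119 0a00\t.=.+..@.........
0x0020\t 0135 c000 0035 0029 0000 abcd 0100 0001\t.5...5.)........
0x0030\t 0000 0000 0000 0377 7777 0765 7861 6d70\t.......www.examp
0x0040\t 6c65 0363 6f6d 0000 0100 01\t\t\tle.com.....
1.112777 10.0.1.53.53 -> 10.0.1.25.49152: udp 33
0x0000\t 0050 56aa bb01 0050 56aa bb02 0800 4500\t.PV....PV.....E.
0x0010\t 003d 0001 0000 4011 0000 0a00 0135 0a00\t.=....@......5..
0x0020\t 0119 0035 c000 0029 0000 abcd 8183 0001\t...5...)........
0x0030\t 0000 0000 0000 0377 7777 0765 7861 6d70\t.......www.examp
0x0040\t 6c65 0363 6f6d 0000 0100 01\t\t\tle.com.....
"""


def parse_sniffer_output(text):
    """Return a list of (timestamp, frame_bytes) from verbosity 3 or 6 output."""
    packets = []
    current = None
    for line in text.splitlines():
        m = HEX_LINE.match(line)
        if m:
            if current is not None:       # hex data belongs to the last summary
                current[1].extend(bytes.fromhex(m.group(1).replace(" ", "")))
            continue
        try:                              # a summary line starts with the timestamp
            ts = float(line.split(None, 1)[0])
        except (ValueError, IndexError):
            continue                      # banner lines, blank lines, etc.
        current = (ts, bytearray())
        packets.append(current)
    return [(ts, bytes(data)) for ts, data in packets if data]


def to_pcap(packets, linktype=1):
    """Serialize frames as a classic libpcap stream (linktype 1 = Ethernet)."""
    out = bytearray(struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, linktype))
    for ts, frame in packets:
        sec = int(ts)
        usec = int(round((ts - sec) * 1_000_000))
        out += struct.pack("<IIII", sec, usec, len(frame), len(frame))
        out += frame
    return bytes(out)


if __name__ == "__main__":
    pkts = parse_sniffer_output(SAMPLE_OUTPUT)
    with open("sniffer.pcap", "wb") as fh:   # open the result in Wireshark
        fh.write(to_pcap(pkts))
    print(f"wrote {len(pkts)} packets")
```

Feed it the saved terminal output of a real capture instead of SAMPLE_OUTPUT; anything that does not match the assumed line shapes is skipped rather than misparsed.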

This slide shows three examples of how to use the sniffer. The examples shown use three different
filters. In the first example, the diag sniffer command is capturing all the UDP packets on the
internal interface whose source port or destination port is 53.

The filter supports using logic statements so you can build very complicated sniffs in order to try and
narrow down the output. This is more important if you are supporting large networks with lots of
traffic; otherwise, the output may simply be overwhelming. Note that the GUI sniff is available only for
devices that have hard drives. For other devices, you must sniff from the CLI.

So what are some of the most common issues that affect FortiADC?

The most common problem is clients or customers being unable to connect to the server.

When this occurs, the first thing that you should do is to use FortiADC’s built-in sniffer to sniff the
traffic and check that the traffic from the client is reaching the virtual server IP address. If the traffic is
reaching the server, the next step is to check that a server is available in the pool. Then, you can
check if the traffic is arriving at the server by running a sniffer on the server. Another step is to check
the default gateway in the servers to be sure that the servers are pointing to the FortiADC device.

Another common problem is a server being down because of a health check failure. You can use the
sniffer to troubleshoot this problem by sniffing the health check traffic to see if FortiADC is sending
that traffic to the server, if that traffic is arriving at the server, and where in the server the reply is
coming from.

Congratulations! You have completed this lesson.

Now, you will review the objectives that you covered in this lesson.

This slide shows the objectives that you covered in this lesson.

By mastering monitoring and troubleshooting, you will be able to ensure your FortiADC is in top
working condition.

No part of this publication may be reproduced in any form or by any means or used to make any
derivative such as translation, transformation, or adaptation without permission from Fortinet Inc.,
as stipulated by the United States Copyright Act of 1976.
Copyright© 2019 Fortinet, Inc. All rights reserved. Fortinet®, FortiGate®, FortiCare® and FortiGuard®, and certain other marks are registered trademarks of Fortinet,
Inc., in the U.S. and other jurisdictions, and other Fortinet names herein may also be registered and/or common law trademarks of Fortinet. All other product or company
names may be trademarks of their respective owners. Performance and other metrics contained herein were attained in internal lab tests under ideal conditions, and
actual performance and other results may vary. Network variables, different network environments and other conditions may affect performance results. Nothing herein
represents any binding commitment by Fortinet, and Fortinet disclaims all warranties, whether express or implied, except to the extent Fortinet enters a binding written
contract, signed by Fortinet’s General Counsel, with a purchaser that expressly warrants that the identified product will perform according to certain expressly-identified
performance metrics and, in such event, only the specific performance metrics expressly identified in such binding written contract shall be binding on Fortinet. For
absolute clarity, any such warranty will be limited to performance in the same ideal conditions as in Fortinet’s internal lab tests. In no event does Fortinet make any
commitment related to future deliverables, features, or development, and circumstances may change such that any forward-looking statements herein are not accurate.
Fortinet disclaims in full any covenants, representations, and guarantees pursuant hereto, whether express or implied. Fortinet reserves the right to change, modify,
transfer, or otherwise revise this publication without notice, and the most current version of the publication shall be applicable.