Scribd
Upload
184 views

FortiADC GLB Deployment Guide

FortiADC

Uploaded by

Kunal
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
184 views

FortiADC GLB Deployment Guide

FortiADC

Uploaded by

Kunal
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
You are on page 1/ 23

FortiADC v5.

1 GLB Deployment Guide


FAST. SECURE. GLOBAL

Copyright© Fortinet, Inc. All rights reserved. Fortinet®, FortiGate®, FortiCare® and FortiGuard®, and certain other marks are registered trademarks of
Fortinet, Inc., in the U.S. and other jurisdictions, and other Fortinet names herein may also be registered and/or common law trademarks of Fortinet. All other
product or company names may be trademarks of their respective owners. Performance and other metrics contained herein were attained in internal lab tests
under ideal conditions, and actual performance and other results may vary. Network variables, different network environments and other conditions may affect
performance results. Nothing herein represents any binding commitment by Fortinet, and Fortinet disclaims all warranties, whether express or implied, except
to the extent Fortinet enters a binding written contract, signed by Fortinet’s General Counsel, with a purchaser that expressly warrants that the identified
product will perform according to certain expressly-identified performance metrics and, in such event, only the specific performance metrics expressly
identified in such binding written contract shall be binding on Fortinet. For absolute clarity, any such warranty will be limited to performance in the same ideal
conditions as in Fortinet’s internal lab tests. In no event does Fortinet make any commitment related to future deliverables, features, or development, and
circumstances may change such that any forward-looking statements herein are not accurate. Fortinet disclaims in full any covenants, representations, and
guarantees pursuant hereto, whether express or implied. Fortinet reserves the right to change, modify, transfer, or otherwise revise this publication without
notice, and the most current version of the publication shall be applicable.

2 FORTIADC
FAST. SECURE. GLOBAL

FADC v5.1 GLB Deployment Guide

TABLE OF CONTENTS

1. About this Guide ........................................................................................................................ 4


2. Global Load balance ................................................................................................................. 4
2.1 Global Load Balance Server overview ...................................................................... 4
2.2 FortiADC GLB Deployment with wizard (only support GUI)........................... 4
2.3 FortiADC GLB Typical Deployment ........................................................................... 7
2.3.1 GLB Typical Topology ............................................................................................ 7
2.3.2 GLB DNS request process ..................................................................................... 8
2.3.3 GLB Typical Deployment Configuration Steps ............................................. 9
3. Global Load balance TROUBLESHOOTING .................................................................... 21
3.1 Fortiview Global Load Balance Logical Topology .............................................. 21
3.2 Send DNS request in GLB backend .......................................................................... 22
3.3 GLB event log ................................................................................................................... 22
3.4 GLB debug log .................................................................................................................. 23

FORTIADC 3
FAST. SECURE. GLOBAL

1. ABOUT THIS GUIDE

This guide details the steps required to configure a Global Load Balancer in FortiADC. It covers the
configuration of Global Load Balance server, host and policy. For more information, please also refer to
the relevant Administration Manual.

2. GLOBAL LOAD BALANCE

2.1 Global Load Balance Server overview


The global load balancing (GLB) feature is a DNS-based solution that enables you to deploy redundant
resources around the globe, which you can leverage to keep your business online when a local area
deployment experiences unexpected spikes or downtime. The FortiADC system implements a hardened
BIND 9 DNS server that can be deployed as the authoritative name server for the DNS zones that you
configured. Zone resource records are generated dynamically based on the global load balancing
framework. The DNS response to a client request is an ordered list of answers that includes all available
virtual servers. A client that receives a DNS response with a list of answers tries the first answer, and
only proceeds to the next answers if the first answer is unreachable.

2.2 FortiADC GLB Deployment with wizard (only support GUI)

Topology:

In 5.1 version, it provides an easy way to deploy GLB server for new user using only three steps.

4 FORTIADC
FAST. SECURE. GLOBAL

Start with:
Go to Global Load Balance. Look for a green tab with “Global Load Balance Wizard”.

Step 1:
In Server, configure the Name, Address, and Data Center Location.

Step 2:
In Virtual Server Pool, configure the Name, Preferred and Alternate. Discover the server members that
previously configured in Server, and select from the given list.

FORTIADC 5
FAST. SECURE. GLOBAL

Step 3:
It is required to specify the Name, Host Name, and Domain Name. You can also, if you want, specify the
Default Feedback IPv4 or Default Feedback IPv6.

6 FORTIADC
FAST. SECURE. GLOBAL

2.3 FortiADC GLB Typical Deployment

2.3.1 GLB Typical Topology

FORTIADC 7
FAST. SECURE. GLOBAL

2.3.2 GLB DNS request process

The response list is based on the following selections and priorities:


1. Virtual server health—Availability is determined by real-time connectivity checking. When the DNS
server receives a client request, it checks connectivity for all possible matches and excludes unavailable
servers from the response list.
2. Persistence—You can enable persistence for applications that have transactions across multiple
hosts. A match to the persistence table has priority over proximity algorithms.
3. Virtual Server Pool Selection Method in Host
-- Weight: Select the Virtual Server Pool by weight
-- DNS Query Origin: Choose the Virtual Server Pool by location or ISP
-- Global Availability: The first available Virtual Server Pool will be selected
4. Proximity algorithms in Virtual Server Pool
-- Geographic (GEO/GEO-ISP) Proximity: It is determined by matching the source IP address to either
the FortiGuard Geo IP database or the FortiADC predefined ISP address book.
-- Dynamic proximity (RTT/Least-Connections/Connection-Limit/Bytes-Per-Second): This proximity is
determined by application response time (RTT probes), virtual server least connections, connection
limit or byte-per-second under current condition.
-- Weighted round robin: If proximity algorithms are not configured or not applicable, available virtual
servers are listed in order based on a simple load balance algorithm by weight that is set for each
member.

8 FORTIADC
FAST. SECURE. GLOBAL

2.3.3 GLB Typical Deployment Configuration Steps

Step1: Configure “Data Center” and “Link”

Data Center:

Data Center defines the location used in GLB Server. If GEO related method is selected in Virtual Server
Pool or Host, it will respond with the available Virtual Server based on location in data center.

GUI:

Go to Global Load Balance > Global Object.

Click the Data Center tab. Click “Add” to add the new item.

FORTIADC 9
FAST. SECURE. GLOBAL

CLI:
config global-load-balance data-center
edit "DataCenter1"
set location CN
next
edit "DataCenter2"
set location US
next
end

Link: (optional)

Link is used for DNS Query Origin Virtual Server Pool Selection Method in Host and RTT/GEO-ISP
method in Virtual Server Pool. It defines the Server Gateway to ISP.

GUI:

Go to Global Load Balance > Global Object.

Click the Link tab. Click “Add” to add the new item “ISP1” and “ISP2”. After creating server and
discovering the gateway, we can add SLB gateway into Link.

CLI:
config global-load-balance link
edit "ISP1"
set data-center DataCenter1
set isp <CN-ISP>  It has three main CN ISP library by default in ADC
config gateway
end
next
edit "ISP2"

10 FORTIADC
FAST. SECURE. GLOBAL

set data-center DataCenter2


set isp <US-ISP>  ISP can be self-defined in Shared Resources/Address/ISP Address
config gateway
end
next
end

Step2: Configure “Server”

GLB Server means a remote server with type FortiADC SLB or a third party Generic Host. Server IP
with 127.0.0.1 or 0.0.0.0 refers to local SLB. We suggest adding virtual server members from the
same server into one GLB server to minimize the additional CPU and memory utilization. Every
single GLB server contains all of the virtual servers, so there is no need to configure multiple GLB
servers for each virtual server.

GLB can discover Server members and update member information automatically if auto-sync is enabled.
FortiADC supports authentication between GLB and SLB by TCP MD5SIG and Auth_Verify type. Server
members and information can’t be discovered or updated if authentication is fail. (In SLB server, the
place to set GLB authentication is in FQDB Settings => GLB Setting).

GUI:

Go to Global Load Balance > Global Object.

Click the Server tab. Add a new item with Server IP address/Data Center and save. (If GLB can get
connection with SLB, SLB’s gateway can be added into link in step1=> Link)

CLI:
config global-load-balance servers
edit "SLB1"
set ip 10.106.129.95 => SLB1 IP
set data-center DataCenter1
config virtual-server-list
end
next

FORTIADC 11
FAST. SECURE. GLOBAL

edit "SLB2"
set ip 10.106.129.100 => SLB2 IP
set data-center DataCenter2
config virtual-server-list
end
next
end

Discover Server member method:

Method 1: Enable Server auto-sync (recommend)

Method 2: Click “discover” in GUI or Do command “execute discovery-glb-virtual-


server server SLB1” in CLI.

12 FORTIADC
FAST. SECURE. GLOBAL

Method 3:

Click “Create New” in Server and add Server member information manually.

If the added member exists in SLB, GLB will sync the status. Otherwise shows
“unknown”.

Bind gateway for Server Member if use related method. (optional)

Step3: Configure "virtual server pool"

FORTIADC 13
FAST. SECURE. GLOBAL

The virtual server pool configuration defines the set of virtual servers that can be matched in DNS
resource records.

GUI:

Go to Global Load Balance > FQDN Settings, click the Virtual Server Pool tab and add virtual server
member into Virtual Server Pool.

The user can select between kinds of preferred or alternate methods for their Virtual Server, based on
current connection, location, etc.

CLI:
config global-load-balance virtual-server-pool
edit "GLB-VSP-APP1"
config member
edit 1
set server SLB1
set server-member-name APP1_SLB1_VS1
next
edit 2
set server SLB2
set server-member-name APP1_SLB2_VS1
next
end
next
edit "GLB-VSP-APP2"

Step4: Configure "host"

14 FORTIADC
FAST. SECURE. GLOBAL

Host settings are used to form the zone configuration and resource records, in the generated global
balancing DNS zone.

GUI:

Go to Global Load Balance > FQDN Settings, click the Host tab and add virtual server pool into Host.

If DNS Policy is selected here in Host, we can skip step five, DNS Policy.

CLI:
config global-load-balance host
edit "host_APP1"
set host-name www
set domain-name example.com.
config virtual-server-pool-list
edit "APP1_VSP"
set virtual-server-pool GLB-VSP-APP1
next
end
next
end

FORTIADC 15
FAST. SECURE. GLOBAL

Step5: Configure “zone” and “policy”

Zone:

Zone is generated by host or create Master/Forward type by user.

From step 4, the generated zone’s GUI and CLI are as below (fqdn records not show in CLI, but can see
in GUI):

GUI:

CLI:
config global-dns-server zone
edit "fqdn_generate_example.com."
set type fqdn-generate
set domain-name example.com.
set responsible-mail defaultroot
set primary-server-name defaultprimary
set primary-server-ip 127.0.0.1
config a-aaaa-record

16 FORTIADC
FAST. SECURE. GLOBAL

end

end
next
end

Policy:

The Global DNS policy is rule-based and matches traffic to DNS zones. If the traffic matches both source
and destination, the policy will serve it.

In 5.1, FortiADC will generate one default DNS policy if no policy exists. User can use this one or create a
new policy.

GUI:

Go to Global Load Balance > Zone Tools, click the Global DNS Policy tab and add available zone into
zone list.

CLI:
config global-dns-server policy
edit "DEFAULT_DNS_POLICY"
set source-address any
set destination-address any
set zone-list fqdn_generate_example.com.
next
end

Step6: Enable “Global DNS Configuration” in General Settings

GLB DNS can’t work if it’s disabled in Global DNS configuration by default. So this step is very important!

FORTIADC 17
FAST. SECURE. GLOBAL

GUI:

Go to Global Load Balance->Zone Tools->General Settings, enable the "Global DNS Configuration"

CLI:
config global-dns-server general
set gds-status enable
end

Check GLB can work after configuration:

Send DNS request and check the DNS response is as expected (Please refer 2.3.2 for DNS process).

To verify whether the GSLB works as what we expect, there is a wonderful tool for us -- dig. "dig" is a kind
of tool which can be used to test DNS server. Dig can supply almost all the features we need for DNS. It
is installed on most Linux devices by default. For Windows, you can get the installation package on
https://www.isc.org or use nslookup to check.

Linux (dig):

Send DNS request from Client to GLB device (do not use management interface).

Example1: The DNS request can match the GLB host and domain name

dig @10.106.129.38 www.example.com ====> response available VS

Result:

18 FORTIADC
FAST. SECURE. GLOBAL

Example2: The DNS request can match the GLB domain name, but no host
name matches.

dig @10.106.129.38 aaa.example.com ====> response SOA record

Result:

Example3: The DNS request doesn’t match any domain name

dig @10.106.129.38 aaa.example2.com ====> response SERVFAIL

FORTIADC 19
FAST. SECURE. GLOBAL

 GLB server will do forward and recursion if network is available and get answer.

Windows (nslookup):

20 FORTIADC
FAST. SECURE. GLOBAL

3. GLOBAL LOAD BALANCE TROUBLESHOOTING

3.1 Fortiview Global Load Balance Logical Topology

For host, it has following status:

Up: All Virtual Servers are available

Down: No Virtual Server is available

Partial Up: Some of Virtual Servers are not available.

No Policy: Host is not added into Policy (No matched policy)

Unknown: All virtual server are unknown (VS not exists in SLB or other condition)

FORTIADC 21
FAST. SECURE. GLOBAL

3.2 Send DNS request in GLB backend

Go to FortiADC console and send DNS request to self. Check whether the request can be responsed.

3.3 GLB event log

Enable GLB related log in Log & Report > Log Setting

If GLB remote server or server member changes status, it shows in event log.

22 FORTIADC
FAST. SECURE. GLOBAL

3.4 GLB debug log

Enable debug log in CLI using command as below:

diagnose debug enable

diagnose debug module gdns 1

After debug log is enabled, more detail log will not be printed directly in console, but more server
information and log can be seen in backend. /tmp/gicd.log includes server member current throughput,
connection and others. We can also see server and member status.

FORTIADC 23

You might also like