0% found this document useful (0 votes)

89 views317 pages

fortiadc

Uploaded by

Baba Bobo

We take content rights seriously. If you suspect this is your content, claim it here.

Available Formats

Download as PDF, TXT or read online on Scribd

0% found this document useful (0 votes)

89 views317 pages

fortiadc

Uploaded by

Baba Bobo

We take content rights seriously. If you suspect this is your content, claim it here.

Available Formats

Download as PDF, TXT or read online on Scribd

You are on page 1/ 317

DO NOT REPRINT

FortiADC
Study Guide
for FortiADC 6.2
DO NOT REPRINT
© FORTINET
Fortinet Training

https://training.fortinet.com

Fortinet Document Library

https://docs.fortinet.com

Fortinet Knowledge Base

https://kb.fortinet.com

Fortinet Fuse User Community

https://fusecommunity.fortinet.com/home

Fortinet Forums

https://forum.fortinet.com

Fortinet Support

https://support.fortinet.com

FortiGuard Labs

https://www.fortiguard.com

Fortinet Network Security Expert Program (NSE)

https://training.fortinet.com/local/staticpage/view.php?page=certifications

Fortinet | Pearson VUE

https://home.pearsonvue.com/fortinet

Feedback

Email: [email protected]

12/22/2021
DO NOT REPRINT
© FORTINET

TABLE OF CONTENTS

01 Introduction and Initial Configuration 4

02 Virtual Servers and Load Balancing 32
03 Advanced Server Load Balancing 81
04 Link Load Balancing and Advanced Networking 118
05 Global Load Balancing 156
06 Security 193
07 Advanced Configurations 250
08 Monitoring, Troubleshooting, and System Maintenance 288
Introduction and Initial Configuration

DO NOT REPRINT
© FORTINET

In this lesson, you will learn about application delivery networks, features and benefits of FortiADC, and how
to configure initial system settings.

FortiADC 6.2 Study Guide 4

Introduction and Initial Configuration

DO NOT REPRINT
© FORTINET

In this lesson, you will learn about the topics shown on this slide.

Introduction and Initial Configuration

DO NOT REPRINT
© FORTINET

What is an ADC?

Traditional load balancers work mostly at Layer 4, balancing TCP/UDP sessions, with very limited Layer 7
support. They usually have very basic health check mechanisms and algorithms to distribute traffic between
servers. Some of them have session persistence, but only by source IP address.

Today, web servers don’t just deliver static content. They deliver dynamic, content-rich applications. Simple
load balancing is no longer sufficient to meet the basic needs of most organizations. An ADC improves what a
traditional load balancer does, so you have more control and can make better decisions about what happens
at Layer 7.

FortiADC is an advanced ADC that optimizes application performance and availability, while securing the
application both with its own native security tools, and by integrating application delivery in to the Fortigate-
centric security fabric and FortiGuard Cloud Services.

FortiADC supports global server load balancing (GSLB), which allows you to load balance traffic among
servers at geographically distant locations. FortiADC includes application acceleration, WAF, intrusion
prevention system (IPS), SSL offloading, link load balancing, and user authentication in one solution. You can
deploy FortiADC as a physical or virtual machine (VM), or as a cloud solution.

FortiADC 6.2 Study Guide 9

Introduction and Initial Configuration

DO NOT REPRINT
© FORTINET

FortiADC provides enterprise-class application delivery and additional features that make applications reliable,
responsive, and easy to manage.

First and foremost, FortiADC is a server load balancer that allows applications to scale reliably across multiple
servers in a data center. Persistence ensures user connections are routed back to the correct server for
seamless and transparent continuity of applications. SSL offloading relieves servers and firewalls from the
CPU-intensive tasks of decryption and encryption of secure application traffic. HTTP compression and content
caching speed the delivery of content to users and reduce bandwidth needs. Quality of service (QoS) can be
used to prioritize traffic by type, to minimize disruptions to applications that are sensitive to latency. Content-
based routing sends traffic to specific servers, based on URL or business rules by traffic type.

Global server load balancing provides disaster recovery by spanning applications across multiple data centers
or cloud.

Link load balancing provides ISP redundancy and increases application bandwidth.

Advanced WAF detects zero-day attacks and protects from OWASP top-10 threats.

IPS detects and blocks network attacks with signature-based defense.

FortiADC 6.2 Study Guide 10

Introduction and Initial Configuration

DO NOT REPRINT
© FORTINET

FortiADC 6.2 Study Guide 11

Introduction and Initial Configuration

DO NOT REPRINT
© FORTINET

The FortiADC network interfaces are connected to a FortiGate, which is the firewall and default gateway for
the FortiADC, a subnet for management; a subnet for real servers A, B, and C; and another subnet for real
servers D, E, and F. Real servers are hosted in the different subnets for redundancy, or to segregate different
application resources. The FortiADC system performs health checks on the real servers, and distributes traffic
to the application servers based on the user-configured load balancing algorithms and settings.

FortiADC supports additional features, including SSL encryption/decryption, WAF protection, Gzip
compression, and NAT routing processes, to enhance application security and performance.

This deployment model improves server performance, provides application availability and scalability, and
protects servers from the security breaches.

FortiADC 6.2 Study Guide 15

Introduction and Initial Configuration

DO NOT REPRINT
© FORTINET

The example on this slide illustrates a service provider ADN for a multi-tenant environment. The ADN
supports local and global load balancing across multiple data centers. The use case for this model is to build a
cost-effective, high-availability, fully-redundant, and secure ADN infrastructure.

The key components in each data center are a pair of FortiGate and FortiADC devices running in their HA
cluster. FortiGate and FortiADC connection is a mesh topology. HA clusters provide software redundancy and
the mesh topology ensures uninterrupted connectivity upon link layer failure. FortiGate protects the data
center against sophisticated cyber threats. FortiGate devices have dual-homed connections to the ISP
through static routes.

In each FortiADC pair, VDOMs are configured for each tenant. A VDOM, analogous to a virtual machine, is a
complete FortiADC instance running on the FortiADC device. Each VDOM runs separately and provides
complete ADC services for each tenant, thus achieving cost-effective multi-tenant hosting.

FortiADC supports DNS-based global server load balancing. The FortiADC in the primary data center is the
authoritative DNS server for all virtual servers in the global server load balancer (GSLB) framework. Remote
users connect to virtual servers through a DNS query, and FortiADC distributes the traffic to the nearest data
center or to the application servers, based on the user-configured load balancing algorithms and settings.

Optionally, service providers can leverage the AI-powered FortiSandbox Cloud service to safeguard the
network from malware, ransomware, and evolving zero-day attacks.

FortiADC 6.2 Study Guide 16

Introduction and Initial Configuration

DO NOT REPRINT
© FORTINET

FortiADC-VM is a virtual appliance version of FortiADC. The hypervisor environments that FortiADC-VM
supports include VMware ESX/ESXi, Citrix XenServer, Open Source Xen, Microsoft Hyper-V, and KVM.
FortiADC-VM also supports AWS, Azure, Google Cloud, and Oracle Cloud deployments.

The VM instance has the same Layer 4 and Layer 7 local and global server load balancing, VDOM, HA, and
security features as the hardware appliance, except for the ASIC hardware SSL offloading acceleration. The
actual performance of FortiADC-VM depends on the host machine hardware. The best practice is to install
FortiADC-VM on a bare metal hypervisor to fully utilize the hypervisor and hardware computing resources.

FortiADC-VM is suitable for small, medium, and large enterprises deployment. The network diagram on the
slide shows FortiADC-VM deployed in VMware, Hyper-V, and KVM hypervisors together with the application
server virtual machines in two sites. FortiADC-VM connects to FortiGate and application servers through
virtual switches. Clients access application servers through FortiADC virtual servers, and client connections
are distributed to the application servers according to user-configured load balancing algorithms and settings.

FortiADC-VM requires periodic license validation with FortiGuard services. If the license is not validated for 24
hours, access to FortiADC-VM web UI and CLI are locked.

FortiADC 6.2 Study Guide 17

Introduction and Initial Configuration

DO NOT REPRINT
© FORTINET

Like many Fortinet devices, FortiADC offers two user interfaces: a GUI and a CLI.

You can access the CLI using SSH, Telnet, or the console port, which is usually located on the front panel of
FortiADC. You will need to configure a password for the admin user during the initial login.

You can also use the console widget located in the upper-right corner of the FortiADC GUI.

FortiADC 6.2 Study Guide 18

Introduction and Initial Configuration

DO NOT REPRINT
© FORTINET

To access the GUI, use a browser and HTTP or HTTPS. By default, port1 of FortiADC has the IP address of
192.168.1.99.

A default administrator user is configured on FortiADC. You cannot delete the default administrator user
account. Keep in mind that if the initial login was performed using CLI, the admin user will need to use the
password set at that time.

Remember to change the default password as soon as possible after deploying the FortiADC.

FortiADC 6.2 Study Guide 19

Introduction and Initial Configuration

DO NOT REPRINT
© FORTINET

When you log in to the FortiADC GUI for the first time, the GUI will display the System Getting Started Wizard.
This wizard will guide you through the basic setup of your FortiADC, including:

• Date, time, and NTP server

• HA management
• Gateway
• Interfaces
• Virtual servers
• Real servers

FortiADC 6.2 Study Guide 20

Introduction and Initial Configuration

DO NOT REPRINT
© FORTINET

This slide shows a screen shot of the FortiADC dashboard, which contains multiple widgets and tabs. You can
customize the dashboard using the Edit button, or add additional dashboards from the menu on the left side
of the window, using the Create Dashboard button.

The System Information widgets and header bar display the host name, system time and uptime, serial
number and firmware version, as well as shutdown, reboot, and factory reset commands.

The License widget displays license status and provides a link to more detailed support information, such as
service contract expiry dates.

The Log Event widget displays recent activity.

The Resource Usage widget allows an administrator to monitor CPU, RAM, and disk usage, as well as
system metrics.

To launch the console widget, in the upper-right corner of the header bar, click the console icon.

FortiADC 6.2 Study Guide 21

Introduction and Initial Configuration

Introduction and Initial Configuration

DO NOT REPRINT
© FORTINET

If you don’t have access to the GUI, you can use the CLI to configure a network interface.

The command shown on this slide allows you to access interface configuration subcommands. Using the
edit subcommand and substituting the interface name, such as port1, as an argument allows you to
configure various interface options for that interface. You can then use the set subcommand to configure
individual parameters available for the network interface.

In the example shown on this slide, the set ip address subcommand and object specify which IP address
and subnet mask to use. You can also use the set allowaccess subcommand to specify which
administrative access protocols to permit over that interface.

FortiADC 6.2 Study Guide 25

Introduction and Initial Configuration

DO NOT REPRINT
© FORTINET

Using FortiADC, you can aggregate multiple physical interfaces into a single logical interface known as a link
aggregation.

Link aggregations are used most often to combine the bandwidth of two interfaces to increase throughput or to
add redundancy to a network connection. You can configure link aggregations using only the CLI, not the GUI.
This slide shows the commands you use to configure an aggregated link.

Introduction and Initial Configuration

Virtual Servers and Load Balancing

DO NOT REPRINT
© FORTINET

After completing this section, you should be able to achieve the objectives shown on this slide.

By demonstrating competence in understanding virtual servers and application delivery control, you will be
better able to design a FortiADC deployment.

FortiADC 6.2 Study Guide 34

Virtual Servers and Load Balancing

DO NOT REPRINT
© FORTINET

Virtual servers are positioned between connecting clients and pools of real servers to perform application
delivery control (ADC). The clients are likely not aware the virtual server is not the actual server they receive
content from. This architecture allows the incoming traffic to be evaluated and processed for security control,
performance, and load balancing.

Server pools are assigned to virtual servers, and each server pool contains one or more real servers.

Three types of virtual servers can be configured on the FortiADC for application delivery control, depending on
the desired capabilities. The three types are: Layer 7, Layer 4 and Layer 2.

Virtual Servers and Load Balancing

DO NOT REPRINT
© FORTINET

There are two options for virtual server configuration in FortiADC: basic mode and advanced mode.

Basic mode is intended for less experienced FortiADC users. You only need to specify the basic settings
needed to configure a virtual server. More advanced parameters are automatically set using default values.

Virtual Servers and Load Balancing

DO NOT REPRINT
© FORTINET

There are many different methods that you can use to perform a health check with FortiADC. The most basic
method is to send an ICMP or TCP echo request. Using this method, the FortiADC sends an ICMP or TCP
echo request to the server, and waits for a reply.

The sending of a GET or HEAD request can be used to validate HTTP or HTTPS servers. The response
content from the server can be evaluated, allowing for a more granular determination of health.

The completion of a three-way TCP handshake to a specific port can be used to validate that the server
supports TCP.

If the server is a domain name system (DNS) server, FortiADC can send a DNS A record request to the
server and wait for a specific IP address as a response to confirm that DNS is running correctly.

If the server is a RADIUS, SMTP, POP3, or IMAP4 server, you can configure FortiADC to log in to the server
to confirm that the service is running.

FortiADC 6.2 Study Guide 46

Virtual Servers and Load Balancing

DO NOT REPRINT
© FORTINET

If the server is an FTP server, you can configure FortiADC to log in to the FTP server to check that a specific
file is there.

FortiADC can use SNMP to poll the server using the SNMP protocol to get the current CPU, memory, and
disk usage. The server is assumed to be unresponsive if it doesn’t reply, or if any of those usage values goes
above a preconfigured threshold.

FortiADC can also perform a TCP half open check. FortiADC sends the sync and waits for the sync
acknowledge. As soon as the sync acknowledge is received, FortiADC sends a reset to close the session.

For protocols based on SSL over TCP, FortiADC can establish an SSL connection to check if the service is
up. The result of the SSL connection will verify the status of the server.

FortiADC 6.2 Study Guide 47

Virtual Servers and Load Balancing

DO NOT REPRINT
© FORTINET

The physical servers that exist in the application delivery network are represented by objects called real
servers in the FortiADC.

FortiADC 6.2 Study Guide 48

Virtual Servers and Load Balancing

DO NOT REPRINT
© FORTINET

Server pools are groups of real servers. A FortiADC virtual server will use these server pools for load
balancing and can monitor the state of the member servers using health checks.

FortiADC 6.2 Study Guide 49

Virtual Servers and Load Balancing

DO NOT REPRINT
© FORTINET

When adding real servers to a server pool, they can be selected from a list of existing real servers, or they can
be created and added directly from within the server pool configuration. Real servers that have been added as
members to a server pool can be further configured with settings for things like connection limits, warm up
times, rates, and so on.

FortiADC 6.2 Study Guide 50

Virtual Servers and Load Balancing

DO NOT REPRINT
© FORTINET

For each server, you can configure a maximum number of concurrent connections. That maximum rate is
used under normal operating conditions.

You can also configure a lower rate than FortiADC uses while the server is rebooting or is finished rebooting,
but isn’t ready to operate at full capacity. This is called the warm rate. When you configure a Warm Rate
setting, FortiADC uses it during a warm-up period, specified in the Warm Up setting, when the server is back
online after a health check, or when the status of the server is set to Enabled, from Maintain, or Disabled.

By demonstrating competence in configuring and using application profiles, you will be able to effectively
utilize them as part of a virtual servers configuration.

FortiADC 6.2 Study Guide 54

Virtual Servers and Load Balancing

DO NOT REPRINT
© FORTINET

Application profiles specify the protocol of the traffic to be load balanced. There are many different profile
types, and not all of them are supported by the three different virtual server types. This table shows some of
the profiles, and which ones are supported by each type of virtual server. FortiADC supports nearly 20
predefined profiles, as well as the ability to create custom profiles.

FortiADC 6.2 Study Guide 55

Virtual Servers and Load Balancing

DO NOT REPRINT
© FORTINET

TCP, UDP, and FTP profiles require the configuration of session timeout and the TCP session timeout after
FIN. The Timeout TCP Session setting specifies how long a TCP session without traffic remains in memory.
The TCP session time out after FIN setting specifies how long a session remains in memory after a FIN
packet has been sent, and while no FIN acknowledge packets have been received.

FortiADC 6.2 Study Guide 56

Virtual Servers and Load Balancing

DO NOT REPRINT
© FORTINET

The images on this slide show the HTTP profile. If the Client Address setting is enabled, FortiADC uses the
client IP address to set up the connection to the back-end server, so it will not change the source IP address
of the packets.

If the client traffic contains the X-Forwarded-For field, FortiADC gets the client IP address from there. If the
setting is disabled, FortiADC uses its own IP address to connect to the back-end server so it will be doing
source NAT.

FortiADC 6.2 Study Guide 57

Virtual Servers and Load Balancing

DO NOT REPRINT
© FORTINET

The HTTPS profile is the same as the HTTP profile, allowing for configurations including IP reputation,
compression, caching, Geo IP options and so on. However, when a virtual server is assigned an HTTPS
profile, a resources option is displayed for selection of a client SSL profile. Within the client SSL profile, you
specify the digital certificate that is presented to clients that want to connect to the server.

FortiADC 6.2 Study Guide 58

Virtual Servers and Load Balancing

DO NOT REPRINT
© FORTINET

The X-Forwarded-For Header field is the standard that identifies the original client IP address. It’s appended
by some devices that change the source IP address such as web proxies, or load balancers, or devices doing
source NAT. FortiADC can add this field or can use it to make decisions related to load balancing.

FortiADC 6.2 Study Guide 59

Virtual Servers and Load Balancing

DO NOT REPRINT
© FORTINET

HTTP turbo is similar to the HTTP profile except that it doesn’t support advanced ADC features, such as
caching, compression, content rewriting, rate limiting, Geo IP blocking, or source NAT (SNAT).

You can use it with content routing and DNAT, as long as the HTTP request is contained in the first data
packet. It enables packet-based forwarding, which reduces network latency and system CPU usage.

Virtual Servers and Load Balancing

DO NOT REPRINT
© FORTINET

A list of load balancing methods is shown on this slide, and these methods work as follows:
• Round robin: The traffic load is balanced by rotating through the servers in sequence. For example, server
1, then server 2, then server 3, and so on.
• Least connections: Selects the server with the fewest connections.
• Fastest response: Selects the server with the fastest response to health check tests.
• Destination IP hash: Selects the next hop based on a hash of the destination IP address. This method is
only available when you are using a Layer 2 virtual server.
• Dynamic load: Selects the server based on SNMP health check results. Weight is assigned based on CPU,
memory, and disk usage.

FortiADC 6.2 Study Guide 65

Virtual Servers and Load Balancing

DO NOT REPRINT
© FORTINET

This slide shows a list of the Layer 4 packet forwarding methods. Multiple methods for packet forwarding are
available for Layer 4 virtual servers. These methods are:
• Direct routing
• DNAT
• Full NAT
• Tunneling
• NAT46
• NAT64

FortiADC 6.2 Study Guide 66

Virtual Servers and Load Balancing

DO NOT REPRINT
© FORTINET

Using the direct routing packet forwarding method, known elsewhere as direct server return, FortiADC doesn’t
change the IP addresses in the packets coming from the client. Instead, FortiADC forwards packets to the
server keeping the same source IP address and the same destination IP address. This means that the virtual
server IP address must match the real server IP address. Server replies can go either through FortiADC or
directly to the client without passing through the FortiADC device. The direct routing method is often
configured on a single VLAN or subnet, where the cluster IP and the server IP addresses are all on the
internal interface. It can also be used in multiple VLAN configurations, although this is less common. For FTP
profiles, you must use a persistence method.

FortiADC 6.2 Study Guide 67

Virtual Servers and Load Balancing

DO NOT REPRINT
© FORTINET

Using DNAT, FortiADC changes the destination IP address of the packets coming from the client. When
configuring DNAT, you should note that the real server will respond to the client requests using their default
gateway. If the FortiADC is not also the default gateway for the real server, asymmetric routing issues can be
introduced.

FortiADC 6.2 Study Guide 68

Virtual Servers and Load Balancing

FortiADC 6.2 Study Guide 74

Virtual Servers and Load Balancing

DO NOT REPRINT
© FORTINET

Clicking on a server pool provides you with the ability to edit the server pool configuration or view detailed
analytics about the server pool.

FortiADC 6.2 Study Guide 75

Virtual Servers and Load Balancing

DO NOT REPRINT
© FORTINET

Clicking on individual real servers will provide you the ability to change the current server status (enable,
disable, maintain), edit the current settings, delete the server, or view detailed analytics for the server.

FortiADC 6.2 Study Guide 76

Virtual Servers and Load Balancing

DO NOT REPRINT
© FORTINET

The virtual servers dashboard allows you to monitor all of the virtual servers on FortiADC, and access the real
server dashboard for each virtual server.

The real server dashboard provides a live, up-to-date view of the individual real server pool members
underpinning the virtual server.

FortiADC 6.2 Study Guide 77

Virtual Servers and Load Balancing

FortiADC 6.2 Study Guide 81

Advanced Server Load Balancing

DO NOT REPRINT
© FORTINET

In this lesson, you will learn about the topics shown on this slide.

FortiADC 6.2 Study Guide 82

Advanced Server Load Balancing

DO NOT REPRINT
© FORTINET

After completing this section, you should be able to achieve the objective shown on this slide.

By demonstrating competence in understanding server persistence and the available persistence methods,
you will be able to leverage this capability in your environment.

Source Address Hash: Persistence is based on a hash of the source IP address of the client making an initial
request.
Address-Port Hash: Persistence is based on a hash of both the source IP address and TCP/UDP port
number.
HTTP Header Hash: Persistence is based on a hash of the HTTP header.
HTTP Request Hash: Persistence is based on a hash of the specified URL parameters in the initial client
request.

FortiADC 6.2 Study Guide 86

Advanced Server Load Balancing

DO NOT REPRINT
© FORTINET

The insert cookie rule type takes advantage of the browser’s cookie caching behavior. When the user
connects for the first time and sends the first HTTP GET request, FortiADC uses the load balancing method to
send the GET request to any of the servers available in the pool. When a server replies with the web content,
FortiADC inserts a cookie in the content that is forwarded to the user. From this point on, each time the client
issues a GET request, the browser includes the cookie, and FortiADC uses that cookie to determine which
server the HTTP GET should go to.

This rule type allows you to set a timeout for the server-side session, so that after the specified timeout period
elapses, FortiADC won’t forward the request based on the cookie, and will instead select the server using the
method specified in the virtual server configuration.

FortiADC 6.2 Study Guide 87

Advanced Server Load Balancing

DO NOT REPRINT
© FORTINET

With the embedded cookie rule type, FortiADC waits for the reply from the server and searches for a specific
cookie in the server reply. Once FortiADC finds that cookie, FortiADC adds the server ID as a prefix to the
cookie. After that, the client sends the cookie with the server ID prefix and FortiADC uses that prefix to identify
which server the traffic should be forwarded to.

FortiADC 6.2 Study Guide 88

Advanced Server Load Balancing

DO NOT REPRINT
© FORTINET

The rule types listed on this slide are evaluated in the following ways:

Cookie Hash: Persistence is based on a hash of the cookie provided by the server.
RADIUS Attribute: Persistence is based on selected RADIUS attribute information.
SSL Session ID: Persistence is based on the SSL session ID.
Persistent Cookie: The persistent cookie method is similar to the insert cookie method, but if the real server
produces a cookie with the same name, then FortiADC won’t modify it. Like the insert cookie method, the
persistent cookie method also supports specifying a session time out.
Rewrite Cookie: Using this rule type, the cookie is provided by the real server and FortiADC modifies its value.

FortiADC 6.2 Study Guide 89

Advanced Server Load Balancing

DO NOT REPRINT
© FORTINET

FortiADC 6.2 Study Guide 90

Advanced Server Load Balancing

DO NOT REPRINT
© FORTINET

Good job! You now understand persistence rules.

FortiADC 6.2 Study Guide 96

Advanced Server Load Balancing

DO NOT REPRINT
© FORTINET

Configuration of a compression profile is necessary to leverage compression offloading. The profile is used to
define which content to include or exclude from compression. URI rules are used to match page requests and
must use regular expression. The content type section is used to build a list of types to compress or not
compress depending on the rule type. The compression configurations are then assigned to application
profiles.

FortiADC 6.2 Study Guide 97

Advanced Server Load Balancing

webmail.example.com/owa.

FortiADC 6.2 Study Guide 103

Advanced Server Load Balancing

DO NOT REPRINT
© FORTINET

This slide shows an overview of a Layer 7 content rewrite configuration. On the Content Rewriting screen,
you specify the action and a set of rules. Each time the traffic matches any of those rules, the action is taken.

FortiADC 6.2 Study Guide 104

Advanced Server Load Balancing

DO NOT REPRINT
© FORTINET

You can configure FortiADC to present an error page to clients when all the servers are unavailable. Error
pages can only be used with Layer 7 virtual servers. After you’ve created an error page configuration object,
you can select it in the virtual server configuration.

To configure an error page configuration object, copy the error message file to a location you can reach from
your browser. The error message file must be named index.html and must be contained in a ZIP file. You
must have read-write permission for load balance settings.

FortiADC 6.2 Study Guide 105

Advanced Server Load Balancing

FortiADC 6.2 Study Guide 109

Advanced Server Load Balancing

DO NOT REPRINT
© FORTINET

When you use SSL offloading, a single device is used for SSL and HTTPS management, so all the certificates
are stored on one device. This lowers the SSL management and operational costs. More importantly, when
you use SSL offloading, the server doesn't have to run expensive crypto tasks, so the workload on the servers
is lower because the SSL traffic is moved to a dedicated ASIC processor on hardware-accelerated FortiADC
devices. This also reduces the bandwidth utilization between FortiADC and your back-end servers.

FortiADC 6.2 Study Guide 110

Advanced Server Load Balancing

DO NOT REPRINT
© FORTINET

Using SSL re-encryption, FortiADC can decrypt the data coming from the user and re-encrypt it before
sending it to the server. Two separate SSL sessions are established: one from the client to FortiADC and
another one from FortiADC to the server. Both SSL sessions terminate at FortiADC. FortiADC can still inspect
and make decisions based on the content inside the HTTPS traffic.

Different sized keys can be used on each side of the FortiADC. For example, a smaller key size could be used
between FortiADC and the real servers as a means to reduce processing overhead.

FortiADC 6.2 Study Guide 111

Advanced Server Load Balancing

DO NOT REPRINT
© FORTINET

As more and more traffic is becoming encrypted traffic, the process of encryption and decryption can weigh
heavily on the CPU resources of security devices. This, coupled with the immense possibility of cyber threats
propagating through encrypted traffic, makes it essential for organizations to inspected this traffic. When
configured in SSLi mode, FortiADC is dedicated to the encryption and decryption of SSL traffic for the purpose
of offloading that task from a dedicated security device.

Enabling SSLi mode on FortiADC reverts the FortiADC to factory defaults. This can only be done through the
CLI with the command shown on this slide. When you configure it this way, the SSLi Proxy menu option
becomes available in the GUI. All SSLi configurations are performed through the GUI.

The following features are not supported when in SSLi mode, and menu options are removed:
• Global load balancing
• Link load balancing
• IP reputation
• Geo IP Protection
• Central management
• User authentication

FortiADC 6.2 Study Guide 112

Advanced Server Load Balancing

DO NOT REPRINT
© FORTINET

When deployed in SSLi mode, FortiADC works as an SSL proxy between the client and the server. Real
server objects are created on FortiADC for both the security device and the gateway. Two virtual servers are
created and static routes are configured for traffic flow. The traffic flow process is as follows:
1. Traffic is passed from the client to the client side virtual server for decryption.
2. FortiADC passes the decrypted traffic to the security device.
3. The security device inspects the traffic and forwards it to the server side virtual server.
4. The server side virtual server encrypts and forwards the traffic to the gateway.

It should be noted that SSLi mode is not a requirement for decryption and encryption of traffic for inspection by
an external security device. However, it can provide some performance advantages.

FortiADC 6.2 Study Guide 113

Advanced Server Load Balancing

DO NOT REPRINT
© FORTINET

To use SSL offloading or SSL encryption, you have to install the signed digital certificates and private keys for
your servers. There are two ways of doing this. You can do it manually by importing the certificate files, or you
can submit a certificate signing request to a CA.

FortiADC 6.2 Study Guide 114

Advanced Server Load Balancing

Link Load Balancing and Advanced Networking

DO NOT REPRINT
© FORTINET

Many of the optional objects are configured as system-wide shared resources. Examples of optional objects
include schedule, address, service, and health check.

Link policies apply to either link groups or virtual tunnels.

FortiADC 6.2 Study Guide 122

Link Load Balancing and Advanced Networking

DO NOT REPRINT
© FORTINET

Link policies specify the traffic to be balanced by each link group and virtual tunnel.

The example on this slide shows a table containing three link policies. These policies specify that:

• All the traffic that comes from 172.16.1.0/24 and goes to 172.16.2./24 uses Virtual Tunnel 1.
• All the traffic that goes to 172.16.3.0/24 uses Link Group 2.
• All the traffic that goes to the Internet uses Link Group 1 .

Link policies can match on more than simple source and destination address. For example, a link policy can
balance based on a service, such as HTTP or HTTPS. You can also apply schedules to define when policies
are enforced.

FortiADC 6.2 Study Guide 123

Link Load Balancing and Advanced Networking

DO NOT REPRINT
© FORTINET

Using outbound link load balancing, FortiADC balances traffic that leaves the network among the links that are
part of the same link group.

FortiADC 6.2 Study Guide 124

Link Load Balancing and Advanced Networking

DO NOT REPRINT
© FORTINET

Now you will learn about the steps to configure link load balancing. First, you should add addresses, address
groups, services, service groups, and schedule groups that can then be used to match traffic to link policy
rules. If you do not add these, your policy will not use matching criteria and will not have granularity.

Next, you configure optional features. You should configure health check rules before you configure gateway
links, and you should configure persistence rules or proximity routes before you configure a link group.

Next, you configure the gateway links.

Then, you will configure either a link group or virtual tunnel as required.

Finally, you configure the link policy, in which you set the source/destination/service matching criteria for your
link groups or virtual tunnels.

FortiADC 6.2 Study Guide 131

Link Load Balancing and Advanced Networking

After you configure a virtual tunnel configuration object, you can select it in the link policy configuration.

FortiADC 6.2 Study Guide 137

Link Load Balancing and Advanced Networking

DO NOT REPRINT
© FORTINET

The link policy uses information from all created objects to create a table of link policy rules. The link policy
rules specify the traffic to be balanced by each link group. FortiADC searches the table from top to bottom and
uses the first rule that matches the traffic. For each rule, you must configure an ingress interface, source
address, destination address, service, schedule, and the link group or virtual tunnel the FortiADC uses to
route the traffic. The link group is mandatory in a link policy configuration.

FortiADC 6.2 Study Guide 138

Link Load Balancing and Advanced Networking

DO NOT REPRINT
© FORTINET

FortiADC 6.2 Study Guide 139

Link Load Balancing and Advanced Networking

DO NOT REPRINT
© FORTINET

Good job! You now understand basic link load balancing.

Now, you will learn about advanced networking and routing.

FortiADC 6.2 Study Guide 140

Link Load Balancing and Advanced Networking

Link Load Balancing and Advanced Networking

DO NOT REPRINT
© FORTINET

Typically, routing is done based on the destination IP address. FortiADC can use policy routing to route traffic
based on the source IP address.

In the table shown on this slide, FortiADC is configured to route all traffic coming from 172.16.1.0 and
going to the internet to use the first gateway on the left. For traffic that comes from the IP address
172.17.1.1, FortiADC is configured to route that traffic through the middle link. And finally, traffic from
subnet 172.17.1.0 is routed through the link on the right. In this way, traffic is routed based on the source
IP address, using three different links.

FortiADC 6.2 Study Guide 147

Link Load Balancing and Advanced Networking

DO NOT REPRINT
© FORTINET

The policy routing configuration table contains the rules that specify the source IP address, the destination IP
address, and the gateway to use for traffic that matches those settings. FortiADC searches the table from top
to bottom and uses the first rule that matches the traffic. If there is no match, FortiADC uses the regular
routing table to route the packet.

FortiADC 6.2 Study Guide 148

Link Load Balancing and Advanced Networking

DO NOT REPRINT
© FORTINET

FortiADC uses OSPF to communicate with other OSPF routers, and to advertise its routes and dynamically
populate its routing table.

Before you begin, you must :

• Know how BGP has been implemented in your network; that is, you must know the configuration details of
the implementation
• Have read-write permission for system settings
• Have configured all the needed access (IPv6) lists and prefix (IPv6) lists

FortiADC 6.2 Study Guide 152

Link Load Balancing and Advanced Networking

DO NOT REPRINT
© FORTINET

DO NOT REPRINT
© FORTINET

FortiADC implements security features in global load balancing and DNS, including DNSSEC, response rate
limits, and DNS forwarding. DNSSEC are a set of extensions to DNS that provide for DNS clients (known as
resolvers) origin authentication of DNS data, authenticated denial of existence, and data integrity.

Response rate limits help to mitigate DNS DoS attacks by reducing the rate at which the authoritative DNS
responds to high volumes of malicious queries.

DNS forwarding works by sending requests for remote resources to another DNS server known as a
forwarder. The internal server then caches those results, which optimizes further lookups and reduces the
number of DNS servers communicating over the internet.

FortiADC 6.2 Study Guide 162

Global Load Balancing

DO NOT REPRINT
© FORTINET

Server availability is identified by FortiADC using real-time connectivity checking.

FortiADC redirects client sessions based on server availability. If there is availability in the local pool,
FortiADC replies with its virtual IP address. In the example shown on this slide, FortiADC has to be the
authoritative DNS server for the fully qualified domain name that the customer is trying to reach.

FortiADC 6.2 Study Guide 163

Global Load Balancing

DO NOT REPRINT
© FORTINET

If the local pool is not available, FortiADC replies to those DNS requests with the remote peer virtual IP
address instead.

FortiADC 6.2 Study Guide 164

Global Load Balancing

DO NOT REPRINT
© FORTINET

The example on this slide shows a global load balancing deployment with redundant resources at data
centers in China and the United States. FortiADC-1 is the local server load balancer for the data center in
China. FortiADC-2 is the local server load balancer for the data center in the United States. FortiADC-3 is a
global server load balancer. It hosts the DNS server that is authoritative for www.example.com.

When a client clicks a link to www.example.com, the local host DNS resolver commences a DNS query that is
ultimately resolved by the authoritative DNS server on FortiADC-3. The set of possible responses includes the
virtual servers on FortiADC-1 or FortiADC-2. The global load balancing framework uses location and health
status to determine the set of responses that are returned. For example, you can use the global load
balancing framework to direct clients located in China to the virtual server in China, or, if the virtual server in
China is unavailable, then to the redundant resources in the United States.

The virtual server IP addresses and ports can be discovered by the FortiADC global load balancer from the
FortiADC local server load balancers. The global load balancing DNS server uses the discovered IP
addresses in the DNS response. The framework also supports third-party IP addresses and health checks for
those addresses.

By demonstrating competence in configuring global load balancing, you will be able to ensure that all
elements of global load balancing are configured correctly for your network.

FortiADC 6.2 Study Guide 168

Global Load Balancing

DO NOT REPRINT
© FORTINET

Global load balancing uses mandatory and optional configuration objects. Some mandatory objects are
predefined, and include the ability to add more objects or customize existing ones. Others, such as the zone,
are auto generated but can be created and customized by the administrator. Optional objects are not required,
or are preset, such as the general settings and response rate limit objects.

FortiADC 6.2 Study Guide 169

Global Load Balancing

DO NOT REPRINT
© FORTINET

When you deploy a global load balancing solution, you configure DNS server and global load balancing
details on the global FortiADC instance only. The configuration framework allows for granular administration
and fine tuning of both DNS server and global load balancing frameworks. The order of configuration is
important for initial configurations because complex objects, like policies, rely on simple objects, like remote
DNS servers or DNS64 rules; however, simple elements must be configured first. Fortunately, some objects
are preconfigured and you can fine tune them later, if necessary. Auto-generated zones rely on numerous
other objects, so make sure to customize your deployments where required. Many objects are optional. You
can configure optional objects and add them to existing policies later.

To configure a DNS server solution, do the following:

1. Review and configure the address groups to use in your DNS policy matching rules. You can use the
predefined any and none address groups.
2. Configure remote DNS servers, or forwarders, and the DSSET list (optional).
A complete zone configuration occurs. Zones, including FortiADC virtual servers, auto generate; however,
you can add additional zones manually.
3. Configure DNS64 and response rate limits (optional).
4. Configure DNS policies and DNSEC.
5. Configure remaining general DNS settings.

FortiADC 6.2 Study Guide 170

Global Load Balancing

Global Load Balancing

DO NOT REPRINT
© FORTINET

The data center is a required component of a global load balancing configuration. Configuring the data center
allows you to set key properties, such as Location, ISP, or both, and ISP State/Province. The global load
balancing algorithm uses these properties to select the FortiADC that is closest to the client.

By demonstrating competence in configuring servers and zones, you will be able to set up servers, virtual
server pools, zones, and DNS policies.

FortiADC 6.2 Study Guide 182

Global Load Balancing

DO NOT REPRINT
© FORTINET

Servers are another required component of a global load balancing configuration.

Use servers to specify the local server load balancers, either FortiADC instances or third-party servers, that
are to be load balanced. For FortiADC instances, the global load balancing feature checks the status and
synchronizes configurations from the local server load balancers, so that it can learn the set of virtual servers
that can be included in the global load balancing virtual server pool.

For the discovery feature to work, you must first create the data center objects associated with the local SLB
as well as the virtual server configurations on the local FortiADC server load balancers to be included in the
global load balancing virtual server pools. If you want to configure a gateway health check, you must also
create gateway objects on the local FortiADC server load balancers.

After you meet these requirements, and you add a server to global server load balancing, you can click
Discover to allow FortiADC to discover the local virtual servers and populate the members list.

Global Load Balancing

DO NOT REPRINT
© FORTINET

The DNS zone configuration is key to the global load balancing solution. It contains key DNS server settings,
such as domain name and name server details, type (whether master or forwarder), and whether DNSSEC is
enabled or not. It also contains the DNS resource records that are used to resolve DNS queries. Each zone
can have different DNS server settings. For example, the DNS server can be a master for one zone and a
forwarder for another zone. You can create up to 256 zones for use in DNS policies.

FortiADC 6.2 Study Guide 187

Global Load Balancing

DO NOT REPRINT
© FORTINET

This slide shows an example of a zone auto generated by the creation of a host object.
Because FortiADC is now an authoritative DNS server, you can add A and Quad A records, CName records,
and NS records. You can also add MX and TXT records to the zone.

FortiADC 6.2 Study Guide 188

Global Load Balancing

DO NOT REPRINT
© FORTINET

The global DNS policy is a rule base that matches traffic to DNS zones. Traffic that matches a zone, source,
and destination criteria is served by the global DNS policy. Traffic that does not match any specific policy is
served by the DNS general settings. You can create up to 256 different global DNS policies.

FortiADC 6.2 Study Guide 189

Global Load Balancing

FortiADC 6.2 Study Guide 193

Security

DO NOT REPRINT
© FORTINET

In this lesson, you will learn about the topics shown on this slide.

FortiADC 6.2 Study Guide 194

Security

DO NOT REPRINT
© FORTINET

After completing this section, you should be able to achieve the objectives shown on this slide.

By demonstrating competence in describing and configuring a WAF and WVS, you will be able to ensure that
your FortiADC is OWASP-compliant for secure transactions.

FortiADC 6.2 Study Guide 195

Security

DO NOT REPRINT
© FORTINET

This slide shows the relationships among WAF configuration elements. A WAF profile is made up of a web
attack signature policy, a URL protection policy, an HTTP protocol constraint policy, a SQL/XSS injection
detection policy, and a bot detection policy.

This WAF profile is, in turn, applied to a load balancing virtual server, so all traffic routed to the virtual server
is subject to the WAF rules set out in the profile.

You can apply WAF profiles to HTTP and HTTPS virtual servers, but not to HTTP Turbo virtual servers.

The WAF module offers enhanced security configuration options for FortiADC. It should be noted that
FortiWeb offers these enhanced security options as well, and combining the FortiWeb and FortiADC solutions
provides enhanced security and performance.

FortiADC 6.2 Study Guide 196

Security

DO NOT REPRINT
© FORTINET

A WAF is a security policy enforcement point that you can set up between the client and a web application. Its
main purpose is to prevent attacks against the web servers. You deploy it separately from the web application
so that processes used to perform security scanning do not affect the web server’s performance.

Security

DO NOT REPRINT
© FORTINET

FortiADC provides an OWASP Top 10 wizard to assist administrators in protecting against OWASP Top 10
application security risks. The wizard automatically creates WAF profiles that can be assigned to virtual
servers.

For more information about the OWASP Top 10 project, as well as details about the top 10 list, visit the
OWASP website.

FortiADC 6.2 Study Guide 201

Security

DO NOT REPRINT
© FORTINET

The WVS is a set of automated tools that perform black box tests on web applications, to look for security
vulnerabilities such as cross-site scripting, SQL injection, command injection, source code disclosure, and
insecure server configuration.

FortiADC supports the following:

• Full reporting on vulnerability risks
• Automatic policy generation

While testing for vulnerabilities FortiADC could negatively impact the systems being tested. For this reason,
the WVS should not be used to test systems in production. Performing scans across the internet could cause
other security systems to identify the traffic as real and active malicious behavior.

FortiADC 6.2 Study Guide 202

Security

DO NOT REPRINT
© FORTINET

WVS profiles define the real server pool to target and the type of scan to perform.

The WVS can perform the following types of scans:

• Mime scan
• File scan
• Message scan
• Apps scan
• Context scan
• HTTP cookie

The crawl limit will define the number of requests sent to each server during scanning. The total number will
be divided equally across the server pool members.

A WVS exceptions configuration can exempt specific URLs from being scanned based on a regular
expression pattern.

FortiADC 6.2 Study Guide 203

Security

DO NOT REPRINT
© FORTINET

WVS tasks define the profile that will be used and the schedule for scanning. If targeted server pools contain
real servers that have failed health checks, those servers will still be scanned. Reports are generated when a
scan completes. A maximum of 50 tasks can be defined.

WVS tasks do not support HTTP/2 or IPv6.

FortiADC 6.2 Study Guide 204

Security

DO NOT REPRINT
© FORTINET

Scan result details are reported on the WVS Scan History page. Each report can be downloaded, deleted,
previewed, or have a policy generated from the results.

FortiADC 6.2 Study Guide 205

Security

DO NOT REPRINT
© FORTINET

FortiADC 6.2 Study Guide 206

Security

DO NOT REPRINT
© FORTINET

Good job! You now understand the WAF.

Now, you will learn about network security.

DO NOT REPRINT
© FORTINET

You can create IPS profiles to defend against specific types of attacks. Individual signatures can be added, as
well as filter-defined signatures. When using an IPS filter, all scans that match the filter criteria are included.
For example, you could define a filter to select all signatures that detect attacks on Linux systems and Apache
services.

FortiADC 6.2 Study Guide 214

Security

DO NOT REPRINT
© FORTINET

FortiADC is the first ADC solution on the market with support for sandbox service integration. This means that
FortiADC supports Security Fabric integration for advanced threat detection. The feature on FortiADC
supports HTTP, HTTPS, and SMTP protocols.

Web application file uploads that are cleared by the FortiADC antivirus scanner are then sent to FortiSandbox
for further analysis. FortiADC first conducts some basic analysis by antivirus engine and then submits all
suspicious files to FortiSandbox for further analysis. FortiSandbox will then drop or quarantine the malicious
traffic and forward healthy traffic segments to the back-end servers. A log is generated whenever a file is
uploaded to FortiSandbox.

FortiADC 6.2 Study Guide 215

Security

DO NOT REPRINT
© FORTINET

Malware and advanced persistent threats (APT) can cause significant damage to the business of any
organization. Malicious codes are commonly used to steal valuable data, gain unauthorized access to
networks, or cause products to degrade.

Using a suite of integrated security technologies, antivirus solutions provide protection against a variety of
threats, including both known and unknown malicious codes (malware) and advanced targeted attacks (ATA).

Integrated with the FortiOS antivirus engine, FortiADC provides an industry-class malware and APT detection
and mitigation solution to our customers.

This slide illustrates how the FortiADC antivirus module works:

1. Automatically updates the latest attack signatures from FortiGuard to ensure real-time protection.
2. Submits all files, including suspicious files, to an on-premises device (FortiSandbox) or cloud-based
service (FortiCloud Sandbox) for further analysis, after performing basic antivirus processing.
3. FortiSandbox or the cloud-based service drops or quarantines malicious files and forwards healthy files to
the back-end servers.

FortiADC 6.2 Study Guide 216

Security

FortiGuard is a worldwide distributed server network that provides, among many other services, an up-to-date
list of IP addresses that could threaten your network. You must purchase a subscription to use the FortiGuard
IP Reputation service.

FortiADC 6.2 Study Guide 220

Security

Using FortiGuard IP Reputation, you can configure FortiADC to periodically download the latest list of
blacklisted IP addresses from FortiGuard.

If FortiADC does not have internet access, you can download the list from FortiGuard and upload it manually
to FortiADC.

FortiADC 6.2 Study Guide 221

Security

After you enable FortiGuard IP Reputation, FortiADC blocks any traffic coming from an IP address that has a
poor reputation or has been blacklisted by the FortiGuard IP Reputation list.

Alternatively, in the case of HTTP and HTTPS, FortiADC can redirect users to a different URL.

FortiADC 6.2 Study Guide 222

Security

The Geo IP database is a FortiGuard security service that maps IP addresses to countries, satellite providers,
and anonymous proxies. Similar to the FortiGuard IP Reputation database, the Geo IP database is updated
periodically.

The Geo IP service allows FortiADC to respond in one of four ways to a request from an IP address that is on
the block list:
• Pass the packet along.
• Deny and drop the packet.
• Redirect the packet to another destination.
• Respond to the packet with an error message of “403 Forbidden”.

FortiADC 6.2 Study Guide 223

Security

This slide shows the Geo IP Protection configuration screen. You can create up to 256 Geo IP policy objects.
Each object can contain up to 256 distinct countries.

FortiADC 6.2 Study Guide 224

Security

You can configure exceptions to Geo IP Policies by adding entries to the Geo IP allowlist, which is based on
the IP subnet.

FortiADC 6.2 Study Guide 225

Security

Security

Attackers use denial of service attacks to overwhelm systems or networks to the point that the supplied
services become unavailable to legitimate users. These types of attacks can be orchestrated across many
different systems, and these systems work in parallel to achieve the attacker’s goal. This is known as a
distributed denial of service attack (DDoS) because the source of the attack has been distributed across
multiple systems.

DoS and DDoS attacks generally use the following methods to overwhelm, or flood, an application server:
Buffer overflow: The method attempts to send more traffic to a server than it has been designed to handle,
ultimately overflowing defined buffers and slowing or crashing the system.
• ICMP flood: This method attempts to generate a ping flood by hitting a system with large numbers of ICMP
packets, without waiting for replies.
• SYN flood: This method rapidly initiates connections to the server by sending a SYN (synchronize)
message but never finishes the handshake, leaving ports on the server waiting for a response and
ultimately exhausting available ports.

A successful DoS or DDoS attack will result in legitimate users being unable to access the resources.

FortiADC 6.2 Study Guide 230

Security

FortiADC defends against DoS attacks by attaching a DoS protection profile to the virtual server. The DoS
protection profile contains application protections such as HTTP access limits and/or networking protections
such as TCP connection access flood protection.

FortiADC 6.2 Study Guide 231

Security

The application protection policy options are:

• HTTP Access Limit: This policy limits the speed of HTTP requests from a source IP address.
• HTTP Connection Flood: This policy limits HTTP connections based on a cookie.
• HTTP Request Flood: This policy limits the speed of HTTP requests based on a cookie.

The networking protection policy options are:

• TCP Slow Data Flood Protection: This type of attack sends legitimate application layer requests, but
reads the responses very slowly. This can consume valuable system resources on the application server.
This policy can detect and disable the connections.
• TCP Connection Access Flood Protection: This policy limits the number of TCP requests from a certain
IP address.

Actions can be performed on policy matches for both application and networking policies.

FortiADC 6.2 Study Guide 232

Security

An IP fragmentation DDoS attack uses standardized fragmentation settings to send a data gram so large that
buffers are overrun on your router as it attempts to buffer all the data gram fragments for reassembly. You can
configure FortiADC to stop fragment reassembly when a designated maximum memory size is reached.
When the designated minimum memory threshold is reached FortiADC will resume fragmentation
reassembly. A timeout setting defines when FortiADC will drop all packets in a fragmentation queue.

FortiADC 6.2 Study Guide 233

Security

FortiADC offers a mechanism to protect your servers against SYN flood attacks.

In many servers, the information about each TCP connection is stored in the TCB that is a part of the memory
in the server. During a SYN flood attack, an attacker sends a large amount of SYN packets from spoofed IP
addresses to the server. An entry is created in the TCB each time a SYN packet arrives to store the
information contained in the SYN packet fields.

A SYN flood attack is effective when it exhausts the available memory in the TCB. After the TCB table is
exhausted, legitimate users can’t connect to the server.

FortiADC 6.2 Study Guide 234

Security

To protect the servers from SYN flood attacks, FortiADC offers a feature called SYN cookie protection.

Here’s how it works. FortiADC sends a SYN/acknowledge with a cookie value in the TCP sequence field for
each packet that it receives, and then it waits for the acknowledge packet.

If it receives an acknowledge packet containing the right cookie, the device proxies the TCP connection to the
server. Consequently, SYN packets from an attacker never arrive at the server.

The SYN packets go to the server after FortiADC confirms the sender is a legitimate user.

FortiADC 6.2 Study Guide 235

Security

Security

Security

Advanced Configurations

In this lesson, you will learn about FortiADC advanced configuration options.

FortiADC 6.2 Study Guide 250

Advanced Configurations

In this lesson, you will learn about the topics shown on this slide.

Advanced Configurations

You enable VDOMs from the FortiADC Settings view. Once enabled, a drop-down list will be displayed
providing access to global settings or VDOM-specific settings. Initially, a single root VDOM is created. The
root VDOM cannot be deleted or renamed, and all self-generated management traffic will come from the root
VDOM. This includes FortiGuard communications, SNMP, email, and so on. A new menu option, Virtual
Domain, will appear in the FortiADC System menu.

FortiADC 6.2 Study Guide 255

Advanced Configurations

The Virtual Domain view is where you add and manage virtual domains. Dynamic and Static resources can
be modified for each VDOM individually.

After you log in to a VDOM, the VDOM’s name is displayed at the top of the GUI. As additional VDOMs are
created, they will appear in the drop-down list with the original root VDOM. You access and manage VDOM
settings by selecting the VDOM in the drop-down list.

FortiADC 6.2 Study Guide 256

Advanced Configurations

To review, each VDOM behaves like it is on a separate FortiGate device. With separate FortiADC devices,
you would normally connect a network cable and configure routing and policies between them. A more
efficient means of passing traffic between VDOMs is to use inter-VDOM links. An inter-VDOM link is a pair of
connected virtual interfaces that routes traffic between VDOMs. This removes the need to loop a physical
cable between two VDOMs.

FortiADC 6.2 Study Guide 257

Advanced Configurations

Advanced Configurations

If a problem is detected with the active FortiADC, a standby FortiADC takes over as the active device and
begins processing traffic and handling IP addresses. This event is known as a failover.

FortiADC 6.2 Study Guide 263

Advanced Configurations

When the FortiADC devices are configured in HA active-passive mode, the active device handles all the traffic
under normal circumstances. If something fails on the active device, the passive device becomes active and
handles all the traffic instead. The example on this slide shows the HA active-passive mode deployment.
Normally, the passive device doesn’t handle traffic; all traffic is handled by the active, whether for the client
side or the server side. However, the passive device can always sync data from the active device, such as:
• Incremental configuration changes
• Layer 4 session/persistence table
• Layer 7 persistence
• Health-check status

When there is something wrong with the current active device, for example, the monitored interfaces are down
(in this case the monitored interfaces are usually directly connected to an ISP), or even if the physical device
is failing, the passive device will become the new active device and handle all the traffic.

HA active-passive mode is the most stable deployment mode, and you can deploy it on any platform. In this
mode, the FortiADC interface is assigned a virtual mac address; once the HA peer takes over the active role,
the new active FortiADC will inherit the virtual MAC address on the interfaces. This can reduce the traffic
failing time, while failover is happening. Another benefit is that HA active-passive mode is compatible with the
firewall’s MAC address binding.

FortiADC 6.2 Study Guide 264

Advanced Configurations

In HA active-active mode, both the primary and secondary FortiADC devices are able to handle the traffic
normally. There is one thing that should be noted: certain limitations exist. For incoming and outgoing traffic, it
is useful to sync sessions between primary and secondary, but the FortiADC syncs only Layer 4 virtual server
sessions. This has the following benefit: if the inbound/outbound traffic is different, this is no issue, as long as
it is Layer 4 traffic, thanks to the syncing feature. The primary will accept the inbound traffic, then send it to the
real servers; and because of the sync function, the secondary can handle the outbound traffic and send it
back to the client.

Although this traffic can be handled, it will decrease performance. Ideally, then, you should have a routing
device between FortiADC and the real servers; this routing device must have the ability to send the return
traffic to its original FortiADC devices. This is called reverse routing.

For the Layer 7 virtual server, this does not matter; the traffic can be returned to itself natively, because the
FortiADC establishes the session to the real servers by its own interface IP address—unless you enable
source-address.

The example on this slide shows that, if one of the monitored links is down, or the entire device fails, its HA
peer can take over all the traffic.

FortiADC 6.2 Study Guide 265

Advanced Configurations

The HA-VRRP mode, on the other hand, divides the resources into groups, so that you can create multiple
VRRP groups, and then assign the public IP resources to those groups. In this way, you can enable another
type of active-active mode called HA VRRP, instead of HA active-active. In this mode, every HA node has its
own interface IP.

The floating IP is a virtual IP address that works only on the active VRRP traffic group. In general, the
connected devices or servers point the gateway to the floating IP of the VRRP group. If failover happens, the
floating IP will work with the new VRRP primary; this makes sure that the floating IP is always online.

This slide shows an example of HA-VRRP mode. Typically, you create two VRRP groups: for example, VRRP
Group1 and VRRP Group2. FortiADC1 is the primary of VRRP Group1, and the secondary of VRRP Group2;
while FortiADC2 is the secondary of VRRP Group1, and the primary of VRRP Group2. Then, you divide the
real servers into these two groups. The servers in group1 point the default gateway to the VRRP Group1
floating IP, while the servers in group2 point the default gateway to the VRRP Group2 floating IP. Then,
normally, FortiADC1 handles the traffic to VRRP Group1, and FortiADC2 handles the traffic to VRRP Group2.
If one of the monitored links or devices is down, the HA peer can take over the traffic.

FortiADC 6.2 Study Guide 266

Advanced Configurations

This slide shows the requirements for configuring FortiADC devices in an HA cluster.

Both FortiADC devices must be the same hardware model and have the same firmware. Each FortiADC must
be licensed. If you use FortiADC-VM, the licenses must be paid; trial licenses won’t function.

You must connect the equivalent interfaces in both devices to the same LAN segments. For example, on both
the active and passive devices, you must connect port2 to the same LAN segment that faces the server pool.

Also, you must connect at least one physical port on each FortiADC to its peer for heartbeat and configuration
synchronization traffic. You can do this using a crossover cable or a switch and normal patch cables. As a
best practice, ensure no other data flows over the heartbeat interfaces.

FortiADC-VM supports HA. However, if you do not want to use the native FortiADC HA, you can use your
hypervisor or VM environment manager to install VMs over a hardware cluster to improve availability. For
example, VMware clusters can use vMotion or VMware HA.

Advanced Configurations

How do you decide which device is the active device?

The answer depends on whether device priority override is enabled or disabled.

If override is disabled, the primary device is the device with, in order of importance, the most available
monitored interfaces, the highest uptime value, the smallest device priority number, and finally, the highest-
sorting serial number.

Now, you will learn about scripting.

FortiADC 6.2 Study Guide 274

Advanced Configurations

After completing this section, you should be able to achieve the objectives shown on this slide.

By demonstrating competence in the scripting capabilities of FortiADC, you will be able to configure scripts for
use with your virtual servers.

FortiADC 6.2 Study Guide 275

Advanced Configurations

You can leverage Lua scripts to perform tasks that are not available in the built-in feature set. Scripts are
associated with virtual machines and are event driven. Scripts are triggered when the virtual server receives
an HTTP request or response. For example, a script could be used to check a request URI and forward the
user to different web pages. FortiADC includes a long list of pre-created scripts and commands that can be
used or modified.

FortiADC 6.2 Study Guide 276

Advanced Configurations

You can create scripts by directly adding the script in the script creation window, or by importing. When you
create or import a script, FortiADC validates the script and will not allow a misconfigured script to be saved.

FortiADC 6.2 Study Guide 277

Advanced Configurations

Advanced Configurations

The REST application programming interface (API) allows you to create your own management tools or to
integrate FortiADC management tasks with your existing application infrastructure. The FortiADC REST API
allows you to integrate FortiADC with existing third-party management platforms such as CISCO ACI,
VMware, OpenStack, and so on.

FortiADC 6.2 Study Guide 282

Advanced Configurations

The REST API works by passing client HTTP requests to FortiADC in order to manipulate configurations.
Only the JSON format is supported. Supported REST clients include: Postman Chrome app, Mozilla Firefox
RESTClient, and Curl.

FortiADC 6.2 Study Guide 283

Advanced Configurations

This slide shows the HTTP methods supported by the FortiADC REST API:
• GET, which is used to retrieve a list of all resources or a specific resource
• POST, which creates a new resource
• PUT, which allows the update of an existing resource
• DELETE, which deletes an existing resource