
DO NOT REPRINT © FORTINET

FortiADC Study Guide for FortiADC 5.2

Fortinet Training http://www.fortinet.com/training

Fortinet Document Library http://docs.fortinet.com

Fortinet Knowledge Base http://kb.fortinet.com

Fortinet Forums https://forum.fortinet.com

Fortinet Support https://support.fortinet.com 

FortiGuard Labs http://www.fortiguard.com

Fortinet Network Security Expert Program (NSE) https://www.fortinet.com/support-and-training/training/network-security-expert-program.html

Feedback Email: [email protected]

2/5/2019

TABLE OF CONTENTS
01 Introduction and System Settings (page 4)
02 Server Load Balancing (page 50)
03 Link Load Balancing and Advanced Networking (page 111)
04 Global Load Balancing (page 150)
05 Security (page 188)
06 Monitoring and Troubleshooting (page 229)

 Introduction and System Settings

DO NOT REPRINT © FORTINET

In this lesson, you will learn about the system and how to configure initial system settings.

FortiADC 5.2 Study Guide

4

In this lesson, you will learn about the topics shown on this slide.

After completing this section, you should be able to achieve the objectives shown on this slide. By demonstrating competence in understanding the benefits offered by FortiADC, and accessing the FortiADC using the CLI and GUI, you will be able to implement FortiADC and its features in your network.

What is an application delivery controller (ADC)? Traditional load balancers work mostly at Layer 4, balancing TCP and UDP sessions, with very limited Layer 7 support. They usually have basic health-check mechanisms and simple algorithms for distributing traffic between servers, and if they support persistence at all, it is based only on the client source IP address. An ADC improves on a traditional load balancer: it gives you more control over, and better decisions about, what is happening at Layer 7. ADCs also provide global server load balancing, which lets you balance traffic among servers at geographically distant sites, and SSL and compression acceleration to reduce the load on web servers. In short, an ADC is a next-generation load balancer.

FortiADC provides enterprise-class application delivery and additional features that make applications reliable, responsive, and easy to manage:
• First and foremost, FortiADC is a server load balancer that allows applications to scale reliably across multiple servers in a data center
• Persistence ensures user connections are routed back to the correct server for seamless and transparent continuity of applications
• SSL offloading relieves servers of the CPU-intensive tasks of decryption and encryption of secure application traffic
• HTTP compression and content caching speed the delivery of content to users and reduce bandwidth needs
• Content-based routing sends traffic to specific servers based on business rules by traffic type
• Global server load balancing provides disaster recovery by spanning applications across multiple data centers
• Content rewriting minimizes user confusion and masks backend server configurations by simplifying URLs
• FortiADC offers a complete web application firewall that protects against application attacks and can help meet PCI DSS requirement 6.6
• QoS can be used to prioritize traffic by type to minimize disruptions to applications that are sensitive to latency
• Link load balancing provides ISP redundancy and increases application bandwidth

Like many Fortinet devices, FortiADC offers two user interfaces: a GUI and a CLI. To access the GUI, use a browser and HTTP or HTTPS. By default, port1 of FortiADC has the IP address 192.168.1.99, and a default administrator account exists with the username admin and an empty password. You cannot delete the default administrator account.
To access a new FortiADC using the GUI:
1. Using an Ethernet cable, connect a laptop to port1 on FortiADC.
2. Configure the laptop with an unused host address in the 192.168.1.0/24 network.
3. Connect to the FortiADC GUI by entering http://192.168.1.99 or https://192.168.1.99 in the browser.
4. Log in with the admin username and no password.
Set a strong password for admin as soon as possible after deploying FortiADC: until you do, anyone who can reach port1 has full administrative control of the appliance. Prefer HTTPS over HTTP for GUI access, because HTTP carries the administrator credentials in cleartext.

You can access the CLI using SSH, telnet, or the console port, which is usually located on the front panel of FortiADC. You can also use the console widget in the upper-right corner of the FortiADC GUI. Prefer SSH over telnet: telnet sends the administrator password and the entire session in cleartext, so it should stay disabled on any interface that carries production traffic.

When you log in to the FortiADC GUI for the first time, the GUI displays the System Getting Started Wizard. This wizard guides you through the basic setup of your FortiADC, including:
• Date, time, and NTP server
• HA management
• Gateway
• Interfaces
• Virtual servers
• Real servers

This slide shows a screen shot of the FortiADC dashboard, which contains multiple widgets and tabs. The System Information widgets and header bar display the hostname, system time and uptime, serial number and firmware version, as well as shutdown, reboot, and factory reset commands. The Resource Usage widget allows an administrator to monitor CPU, RAM, and disk usage, as well as system metrics. The License widget displays license status and provides a link to more detailed support information, such as service contract expiry dates. The Log Event widget displays recent activity. To launch the console widget, in the upper-right corner of the header bar, click the console icon.

Good job! You now understand the benefits of a FortiADC. Now, you will learn the steps to perform the initial configuration.

After completing this section, you should be able to achieve the objectives shown on this slide. By demonstrating competence in these configuration tasks, you will be able to implement FortiADC in your network, and configure two devices in a high availability (HA) cluster to provide redundancy.

One of the first settings you must configure for any FortiADC is the network interface configuration. You can assign an IP address to each FortiADC interface and specify the permitted administrative access protocols for each interface. To create a VLAN interface, click Create New.

If you don’t have access to the GUI, you can use the CLI to configure a network interface. The command config system interface enters the interface configuration subcommands. Using the edit subcommand with the interface name as its argument, such as edit port1, selects the interface whose options you want to set. You then use the set subcommand to configure the individual parameters of that interface. In the example shown on this slide, the set ip subcommand specifies the IP address and subnet mask to use. You can also use the set allowaccess subcommand to specify which administrative access protocols are permitted on that interface. Allow only what management on that interface actually needs, and keep administrative protocols off interfaces that face clients or servers.
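The following Python script is an added example, not Fortinet code, that audits the allowaccess settings in a saved FortiADC configuration for the exposure problems described above: cleartext administrative protocols, and administrative access on interfaces that should carry only data-plane traffic. SAMPLE_CONFIG is a constructed configuration fragment; its keyword syntax (config system interface, edit, set ip, set allowaccess, next, end, and unset) is an assumption modelled on the CLI shown in this lesson, and the function names are this example’s own. Verify the syntax against the output of show system interface on your own appliance.

```python
"""Audit administrative access (allowaccess) in a FortiADC configuration export.

Added example, not Fortinet code. SAMPLE_CONFIG is constructed; the keyword
syntax it uses (config system interface / edit / set ip / set allowaccess /
next / end, and `unset`) is an assumption modelled on the CLI in this lesson.
"""
import re

# Protocols that carry administrator credentials or sessions in cleartext.
CLEARTEXT_ADMIN = {"http", "telnet"}

SAMPLE_CONFIG = """\
config system interface
    edit "port1"
        set ip 192.168.1.99/24
        set allowaccess https ssh ping
    next
    edit "port2"
        set ip 10.10.10.1/24
        set allowaccess http telnet https ping snmp
    next
    edit "port3"
        set ip 172.16.0.1/24
    next
end
"""


def parse_interfaces(config_text):
    """Return {name: {"ip": str or None, "allowaccess": set}} from the interface block."""
    interfaces, current, in_block = {}, None, False
    for raw in config_text.splitlines():
        line = raw.strip()
        if line == "config system interface":
            in_block = True
            continue
        if not in_block:
            continue
        if line == "end":
            break
        match = re.match(r'edit "?([^"]+)"?$', line)
        if match:
            current = match.group(1)
            interfaces[current] = {"ip": None, "allowaccess": set()}
        elif line == "next":
            current = None
        elif current is not None and line.startswith("set ip "):
            interfaces[current]["ip"] = line.split(None, 2)[2]
        elif current is not None and line.startswith("set allowaccess "):
            interfaces[current]["allowaccess"] = set(line.split()[2:])
    return interfaces


def audit_allowaccess(interfaces, mgmt_interfaces=("port1",)):
    """Flag cleartext admin protocols anywhere, and any admin protocol on a non-management port."""
    findings = []
    for name, cfg in sorted(interfaces.items()):
        access = cfg["allowaccess"]
        for proto in sorted(access & CLEARTEXT_ADMIN):
            findings.append((name, proto, "cleartext admin protocol enabled"))
        if name not in mgmt_interfaces:
            for proto in sorted(access - {"ping"}):
                findings.append((name, proto, "admin access on non-management interface"))
    return findings


def hardened_allowaccess(name, access, mgmt_interfaces=("port1",)):
    """Suggested replacement line: no cleartext protocols on management ports, only ping elsewhere."""
    keep = (access - CLEARTEXT_ADMIN) if name in mgmt_interfaces else (access & {"ping"})
    return ("set allowaccess " + " ".join(sorted(keep))) if keep else "unset allowaccess"


if __name__ == "__main__":
    parsed = parse_interfaces(SAMPLE_CONFIG)
    for finding in audit_allowaccess(parsed):
        print("%s: %s (%s)" % finding)
    for name, cfg in parsed.items():
        print(name, "->", hardened_allowaccess(name, cfg["allowaccess"]))
```

Run against the sample, port1 passes, port2 is flagged for http and telnet and for every administrative protocol on a data interface, and the suggested replacement lines are the hardened configuration you would paste back into config system interface.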

Using FortiADC, you can aggregate multiple physical interfaces into a single logical interface known as a link aggregation. Link aggregations are used most often to combine the bandwidth of two interfaces to increase throughput, or to add redundancy to a network connection. You can configure link aggregations using only the CLI, not the GUI; this slide shows the commands you use. After you configure the link aggregation, you can assign a single IP address to it. Link aggregation is based on the Link Aggregation Control Protocol (LACP), originally defined in IEEE 802.3ad, and is commonly referred to as port trunking, bonding, or teaming.

Every FortiADC must have a default route, which defines its default gateway. On the Networking > Routing screen, shown on this slide, you add the default route and gateway, and you can also create static routes to the subnets in your network.

On the System > Settings > Basic screen, you can configure a primary and a secondary DNS server. FortiADC uses the primary DNS server until the primary DNS server fails to respond. Then FortiADC switches to the secondary DNS server.

Like virtual machines, VDOMs allow you to split a single physical FortiADC device into multiple virtual FortiADC devices. VDOMs allow FortiADC to support multi-tenant deployments. A VDOM is a complete FortiADC instance that runs on the FortiADC platform (physical device or VM). Each VDOM has its own interfaces and routing tables that are completely independent from other VDOMs. When you create a VDOM, an administrator account is assigned to the VDOM. In this way, each VDOM can be controlled by a different administrator.

When you enable VDOMs, the GUI divides settings into two groups:
• System settings, which affect FortiADC as a whole and all VDOMs, such as hostname, SNMP, system time, HA, and certificates
• VDOM settings, which are unique to each VDOM, so each VDOM has its own static routes, firewall policies, and load balancing objects

Using the GUI, you can enable VDOMs on the System > Settings > Basic screen.

This slide shows a screen shot illustrating how the GUI appears after you enable VDOMs and then log in to FortiADC. System and VDOM configurations are separated, and a default root VDOM is automatically added. You can’t delete or rename the default root VDOM, and all system management traffic comes from this root VDOM. After you enable VDOMs, on the System > Virtual Domains screen, you can add and manage virtual domains, and also assign individual physical interfaces to a VDOM. After you log in to a VDOM, the VDOM’s name is displayed at the top of the GUI.

This slide shows the top-level FortiADC settings, which are:
• The Hostname
• The interface Language
• The Idle Timeout
• The TCP ports used for administrative access, which you can change from their default settings
• The Primary DNS and Secondary DNS
• The Virtual Domain

Each administrator account is assigned an access profile in which you specify the level of access the administrator has to commands and configuration sections. For example, you could create a special access profile that delegates security permissions, allowing personnel to manage the device’s security settings while denying them the right to modify the routing, server load balancing, link load balancing, and global load balancing features, which the organization could be using to provide a chargeable service to its clients.

This slide shows the screen you use to create an administrator account. You can set up an administrator account to allow the administrator to access FortiADC only from a specific trusted host subnet. In an administrator account, you can set permissions to allow or disallow the administrator to change global system settings. You can associate a specific administrator access profile with the administrator account. And if VDOMs are enabled on FortiADC, you can assign a VDOM to an administrator account.

The REST application programming interface (API) allows you to create your own management tools or to integrate FortiADC management tasks with your existing application infrastructure. The FortiADC REST API allows you to integrate FortiADC with existing third-party management platforms such as Cisco ACI, VMware, OpenStack, and so on.

The REST API works by passing client HTTP requests to FortiADC in order to read and manipulate the FortiADC configuration. Only the JSON format is supported. Supported REST clients include the Postman Chrome app, the Mozilla Firefox RESTClient add-on, and curl.

This slide shows the HTTP methods supported by the FortiADC REST API:
• GET, which retrieves a list of all resources or a specific resource
• POST, which creates a new resource
• PUT, which updates an existing resource
• DELETE, which deletes an existing resource

This slide shows how to create a new virtual server. First, send an HTTP POST request to log in to FortiADC. Then, send another HTTP POST request to create the virtual server.
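The login-then-create sequence, as an added Python example that is not Fortinet’s code. It uses only the standard library and runs offline against the constructed FakeFortiADC stand-in; to target a real appliance, omit the transport argument and pass the CA file that signed the appliance certificate, so that the session is not exposed to an on-path attacker. The endpoint paths /api/user/login and /api/load_balance_virtual_server, the APSCOOKIE session cookie, and the JSON field names (mkey, address, port, pool, profile, method, and so on) are assumptions modelled on the FortiADC 5.x REST API; confirm them against the REST API reference for your firmware.

```python
"""Create a virtual server through the FortiADC REST API: log in, then POST.

Added example, not Fortinet code. The login path (/api/user/login), the object
path (/api/load_balance_virtual_server), the cookie name and the JSON field
names are assumptions modelled on the FortiADC 5.x API; verify them against
the API reference for your firmware before use.
"""
import functools
import json
import ssl
import urllib.error
import urllib.request


def _urllib_send(opener, method, url, headers, data):
    """Real transport: returns (status, headers dict, body bytes)."""
    req = urllib.request.Request(url, data=data, headers=headers, method=method)
    try:
        with opener.open(req, timeout=15) as resp:
            return resp.status, dict(resp.headers), resp.read()
    except urllib.error.HTTPError as err:
        return err.code, dict(err.headers), err.read()


class FortiADCClient:
    def __init__(self, base_url, cafile=None, transport=None):
        self.base_url = base_url.rstrip("/")
        self.cookie = None
        if transport is None:
            # Verify the appliance certificate against a CA you control; a
            # verify-nothing context would hand admin credentials to anyone on the path.
            ctx = ssl.create_default_context(cafile=cafile)
            opener = urllib.request.build_opener(urllib.request.HTTPSHandler(context=ctx))
            transport = functools.partial(_urllib_send, opener)
        self._send = transport

    def _request(self, method, path, body=None):
        headers = {"Accept": "application/json"}
        data = None
        if body is not None:
            headers["Content-Type"] = "application/json"
            data = json.dumps(body).encode()
        if self.cookie:
            headers["Cookie"] = self.cookie
        status, resp_headers, resp_body = self._send(method, self.base_url + path, headers, data)
        if status >= 400:
            raise RuntimeError("%s %s -> HTTP %d" % (method, path, status))
        return resp_headers, (json.loads(resp_body) if resp_body else {})

    def login(self, username, password):
        # Assumed: POST /api/user/login with a JSON credential body returns a session cookie.
        hdrs, _ = self._request("POST", "/api/user/login",
                                {"username": username, "password": password})
        set_cookie = next((v for k, v in hdrs.items() if k.lower() == "set-cookie"), None)
        if not set_cookie:
            raise RuntimeError("no session cookie in login response")
        self.cookie = set_cookie.split(";", 1)[0]   # keep only name=value
        return self.cookie

    def create_virtual_server(self, name, vip, port, pool, interface="port1",
                              profile="LB_PROF_HTTP", method="LB_METHOD_ROUND_ROBIN"):
        if self.cookie is None:
            raise RuntimeError("login() first")
        body = {"mkey": name, "type": "l7-load-balance", "interface": interface,
                "address": vip, "port": str(port), "profile": profile,
                "pool": pool, "method": method, "status": "enable"}
        return self._request("POST", "/api/load_balance_virtual_server", body)[1]


class FakeFortiADC:
    """Constructed stand-in appliance so the flow runs offline; records every request."""

    def __init__(self):
        self.calls = []
        self.token = "APSCOOKIE_1=constructed-session-token"

    def __call__(self, method, url, headers, data):
        path = "/" + url.split("/", 3)[3]          # strip scheme and host
        self.calls.append((method, path, headers.get("Cookie")))
        if path == "/api/user/login":
            return 200, {"Set-Cookie": self.token + "; Path=/; Secure; HttpOnly"}, b'{"payload": 0}'
        if headers.get("Cookie") != self.token:  # unauthenticated or forged session
            return 401, {}, b'{"payload": -1}'
        return 200, {}, b'{"payload": 0}'


def demo():
    """Log in and create one Layer 7 virtual server against the fake appliance."""
    fake = FakeFortiADC()
    client = FortiADCClient("https://192.168.1.99", transport=fake)
    client.login("admin", "changed-from-blank")
    result = client.create_virtual_server("vs_web", "10.0.0.100", 80, "pool_web")
    return fake.calls, result
```

The client deliberately refuses to send configuration requests before a session cookie exists, and the fake appliance answers 401 to any request that does not carry the exact cookie it issued, which is the behaviour you should expect from the real device: a missing or guessed cookie must never be enough to create an object.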

Good job! You can now perform the initial configuration of FortiADC. Now, you will learn how to enable HA, and prepare for device recovery.

After completing this section, you should be able to achieve the objectives shown on this slide. By demonstrating competence in configuring an HA pair, performing a backup and restore, and performing a firmware upgrade, you will be able to ensure your FortiADC offers the best possible availability and performance.

You can configure two FortiADC devices to form an HA cluster. The HA cluster maintains the availability of the service in case one of the FortiADC devices fails. Every cluster has a primary (or active) device that processes the traffic and handles IP addresses, while the secondary (or standby) device monitors the status of the active device.

If a problem is detected with the active FortiADC, the passive FortiADC takes over as the active device and begins processing traffic and handling IP addresses. This event is known as a failover.

When the FortiADC devices are configured in HA active-passive mode, the active device (called the master) handles all the traffic under normal circumstances. If something fails on the active device, the passive device (called the slave) becomes active and handles all the traffic instead. The example on this slide shows an HA active-passive deployment. Normally, the slave doesn’t handle traffic; the master handles all of it, on both the client side and the server side. However, the slave continuously syncs data from the master, such as:
• Incremental configuration changes
• The Layer 4 session and persistence table
• Layer 7 persistence
• Health-check status
When something is wrong with the current master, for example the monitored interfaces are down (monitored interfaces are usually those directly connected to an ISP), or the physical device itself is failing, the slave becomes the new master and handles all the traffic. HA active-passive mode is the most stable deployment mode, and you can deploy it on any platform. In this mode, each FortiADC interface is assigned a virtual MAC address; when the HA peer takes over as master, it inherits the virtual MAC addresses on its interfaces, so neighbouring devices do not have to relearn MAC addresses and traffic is disrupted for less time during failover. Another benefit is that HA active-passive mode is compatible with MAC address binding on an upstream firewall. Be aware that HA active-passive mode on the Microsoft Hyper-V platform uses the physical MAC address, due to a platform limitation.

In HA active-active mode, both the master and the slave handle traffic under normal conditions, but there are limitations to note. Session synchronization between master and slave is useful when inbound and outbound traffic take different paths, but FortiADC syncs only Layer 4 virtual server sessions. This means asymmetric traffic is not a problem as long as it is Layer 4 traffic: the master accepts the inbound traffic and sends it to the real servers, and, thanks to the synced session, the slave can handle the outbound traffic and send it back to the client. Although such traffic is handled correctly, it decreases performance. Ideally, then, you should have a routing device between FortiADC and the real servers that is able to send the return traffic back to the FortiADC device that originated the connection; this is called reverse routing. For a Layer 7 virtual server this does not matter, because FortiADC establishes the session to the real servers from its own interface IP address, so the return traffic naturally comes back to the same device, unless you enable the source-address option, which preserves the client’s IP address toward the real server. The example on the slide shows that, if one of the monitored links is down, or the entire device fails, its HA peer can take over all the traffic.

The HA-VRRP mode, on the other hand, divides the resources into groups: you create multiple VRRP groups and assign the public IP resources to those groups. This gives you another type of active-active mode, called HA VRRP, instead of HA active-active. In this mode, every HA node has its own interface IP. The floating IP is a virtual IP address that is active only on the master of its VRRP traffic group. In general, the connected devices or servers point their gateway at the VRRP group’s floating IP. If a failover happens, the floating IP moves to the new VRRP master, which ensures that the floating IP is always online. This slide shows an example of HA-VRRP mode. Typically, you create two VRRP groups, for example VRRP_Group1 and VRRP_Group2. FortiADC1 is the master of VRRP_Group1 and the slave of VRRP_Group2, while FortiADC2 is the slave of VRRP_Group1 and the master of VRRP_Group2. You then divide the real servers into these two groups: the servers in group 1 point their default gateway at VRRP_Group1’s floating IP, while the servers in group 2 point theirs at VRRP_Group2’s floating IP. Under normal conditions, FortiADC1 handles the traffic for VRRP_Group1 and FortiADC2 handles the traffic for VRRP_Group2. If one of the monitored links or devices goes down, the HA peer takes over that group’s traffic.

This slide shows the requirements for configuring FortiADC devices in an HA cluster. Both FortiADC devices must be the same hardware model and have the same firmware. Each FortiADC must be licensed. If you use FortiADC-VM, the licenses must be paid; trial licenses won’t function. You must connect the equivalent interfaces in both devices to the same LAN segments. For example, on both the active and passive devices, you must connect port2 to the same LAN segment that faces the server pool. Also, you must connect at least one physical port on each FortiADC to its peer for heartbeat and configuration synchronization traffic. You can do this using a crossover cable or a switch and normal patch cables. As a best practice, ensure no other data flows over the heartbeat interfaces. FortiADC-VM supports HA. However, if you do not want to use the native FortiADC HA, you can use your hypervisor or VM environment manager to install virtual appliances over a hardware cluster to improve availability. For example, VMware clusters can use vMotion or VMware HA.

In an HA cluster, most of the configuration synchronizes with the passive device. However, some of the information doesn’t synchronize. For example, host names, SNMP system information, RAID settings, and HA settings don’t synchronize. Log messages and generated reports also don’t synchronize across the cluster.

In active-active HA deployments, where a cluster spreads out the workload over multiple FortiADC devices simultaneously, you can synchronize persistence tables and session information across the members of the cluster. You can synchronize Layer 7 and Layer 4 persistence tables, as well as Layer 4 TCP connection states, across the cluster members. Note that enabling any of these synchronization options could impact the performance of the HA solution because it causes more data to flow across the heartbeat interfaces.

You can configure an HA cluster to monitor the physical and link status of one or more interfaces. Two events can trigger an HA failover: an interruption in the heartbeat, or a change in the status of one of the monitored interfaces. After a failover occurs, the new active device notifies the network with a “gratuitous ARP” message to redirect traffic to its own interfaces.

How do you decide which device is the active device? The answer depends on whether the device priority Override setting is enabled. If Override is disabled, the primary device is the one with, in order of importance, the most available monitored interfaces, the highest uptime, the smallest device priority number, and finally the highest-sorting serial number. If Override is enabled, the order is almost identical, except that the smallest device priority number is evaluated before the highest uptime.
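The election order above, worked through as an added Python example (not Fortinet code) so that the practical difference between the two Override settings is visible. The Member records are constructed; the ranking follows the page exactly: monitored interfaces first, then uptime and device priority in an order that depends on Override, then the highest-sorting serial number.

```python
"""Primary election for a FortiADC HA cluster, following the order given above.

Added example, not Fortinet code; Member records are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Member:
    serial: str
    monitored_up: int   # monitored interfaces currently up
    uptime_s: int       # seconds since boot
    priority: int       # smaller number is preferred


def election_key(member, override):
    """Sort key where the larger tuple wins. Override moves priority ahead of uptime."""
    if override:
        return (member.monitored_up, -member.priority, member.uptime_s, member.serial)
    return (member.monitored_up, member.uptime_s, -member.priority, member.serial)


def elect_primary(members, override=False):
    """Return the member that becomes primary (active) under the given Override setting."""
    if not members:
        raise ValueError("an HA cluster needs at least one member")
    return max(members, key=lambda m: election_key(m, override))


def recovery_scenario(override):
    """The original primary has just rebooted (low uptime, preferred priority);
    its peer took over and has been running for a day. Who is primary now?"""
    rebooted = Member("FAD-ORIG", monitored_up=2, uptime_s=300, priority=1)
    standby = Member("FAD-PEER", monitored_up=2, uptime_s=86_400, priority=10)
    return elect_primary([rebooted, standby], override).serial
```

The recovery scenario is the operationally important case: with Override disabled, the peer that took over keeps the primary role when the original device comes back, so a recovered device does not cause a second failover; with Override enabled, the preferred device preempts and traffic switches over again. Either way, a member with fewer monitored interfaces up loses regardless of priority or uptime.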

This is where you configure HA. The Group Name and Group ID must be the same for any two devices that are members of the same cluster. If you intend to locate two clusters within the same LAN segment, the clusters must have different names and group IDs. The members of both clusters must still share the same group name and group ID, but the group names and IDs must be different among the two clusters. You can enable the device priority Override option, which will elect a primary device by using the device priority value over the device’s uptime. You can also specify how frequently a heartbeat packet is sent and how many times FortiADC retries sending a heartbeat packet before FortiADC assumes the other member of the cluster is down.

This slide shows screen shots of the System screens where you start a backup or restore of the FortiADC configuration, as well as start an upgrade or boot alternate firmware. Note that downgrading to a previous firmware version is possible, but could cause specific settings to reset to their factory default values. This is another reason to back up your configuration before upgrading or downgrading the device’s firmware. Be sure to read and follow the release notes before performing any upgrade or downgrade, to make sure you follow all necessary steps.

Congratulations! You have completed this lesson. Now, you will review the objectives that you covered in this lesson.

This slide shows the objectives you covered in this lesson. By mastering the basics of FortiADC, you can identify how FortiADC would benefit your network, deploy a FortiADC in your network, and ensure redundancy and the best possible performance of the device.

 Server Load Balancing

In this lesson, you will learn about server load balancing.

In this lesson, you will explore the topics shown on this slide.

After completing this section, you should be able to achieve the objectives shown on this slide. By demonstrating competence in describing the different load balancing methods, you will be able to apply them to the FortiADC to balance the traffic load in your network.

FortiADC supports three different load balancing methods. One of these methods is the Layer 4 load balancing method. After you enable Layer 4 load balancing, FortiADC uses information in the TCP and UDP headers in the first packet of any new session to decide how to balance the traffic. This method is the fastest load balancing method, and it supports IPv4 and IPv6.

The second method, Layer 7 load balancing, requires more packets to make a decision, so it’s slower than Layer 4 load balancing. However, after you enable Layer 7 load balancing, FortiADC can make smarter decisions and distribute the traffic more intelligently. It can also inspect and modify HTTP content and use that content to make load balancing decisions. Layer 7 load balancing supports IPv4 and IPv6.

The third method, Layer 2 load balancing, balances traffic among multiple next hop gateways. Like Layer 7 load balancing, Layer 2 load balancing also supports the inspection and modification of HTTP content. However, Layer 2 load balancing supports only IPv4, not IPv6. You can use Layer 2 load balancing when FortiADC does not know the real server IP addresses, but you want to balance traffic among multiple gateways or multiple links.

Now you will examine the differences between Layer 4, Layer 2, and Layer 7 load balancing. With Layer 4 load balancing, FortiADC only forwards traffic to the real server, which is why it is the fastest of the three methods. With Layer 2 and Layer 7 load balancing, FortiADC proxies the TCP traffic to the real server: the three-way handshake first happens between the client and FortiADC, and once that TCP session is up, FortiADC establishes a new TCP session with the server by performing another three-way handshake. In other words, with Layer 2 and Layer 7 load balancing FortiADC splits the TCP session into two parts, one between the client and FortiADC, and one between FortiADC and the server.

When you configure FortiADC, you configure many objects: some are mandatory and some are optional. The mandatory objects are the virtual server, the real servers, profiles, and load balancing methods. This slide shows a summary of the objects that you can create in a FortiADC configuration. It also shows which objects are mandatory, or are the minimum required, to enable a server load balancing solution. In this course you will learn how to create many objects.

Here are the high-level steps to configure server load balancing:
1. Configure health check rules and real server SSL profiles. Optionally, you can use preset settings.
2. Configure the server pools.
3. Configure persistence rules, optional features and policies, profile components, and load balancing methods. Optionally, you can use preset settings.
4. Configure the virtual server.

One of the first objects that you can create on a FortiADC is the health check object. FortiADC uses the health check object to poll the server frequently. If the server doesn’t reply within the timeout period, FortiADC retries a specific number of times before assuming the server is down or unresponsive. FortiADC assumes the server is up and responsive as soon as the server replies to a specific number of consecutive polls.

There are many different methods for performing a health check with FortiADC. The basic method is an ICMP or TCP echo request: FortiADC sends the request to the server and waits for a reply. If the server is an HTTP or HTTPS server, FortiADC can send a GET or HEAD request to check that the HTTP service is up. If the server supports TCP, FortiADC can confirm that the server completes a three-way handshake on a specific TCP port. If the server is a Domain Name System (DNS) server, FortiADC can send an A record query and wait for a specific IP address in the response, confirming that DNS is resolving correctly. If the server is a RADIUS, SMTP, POP3, or IMAP4 server, you can configure FortiADC to log in to the server to confirm that the service is up.

If the server is an FTP server, you can configure FortiADC to log in to the FTP server and check that a specific file is present. FortiADC can also use SNMP to poll the server for its current CPU, memory, and disk usage; the server is considered unresponsive if it does not reply, or if any of those values exceeds a preconfigured threshold. FortiADC can also perform a TCP half-open check: it sends a SYN and waits for the SYN-ACK, and as soon as the SYN-ACK arrives it sends a RST to tear down the embryonic connection, so no full session is ever created on the server. For protocols that run SSL over TCP, FortiADC can establish an SSL connection to check whether the service is up; the outcome of the SSL handshake determines the status of the server. Note that the credentials used by login-based health checks (FTP, RADIUS, SMTP, POP3, IMAP4) and SNMP community strings are stored in the FortiADC configuration and sent over the server-side network, so use dedicated, least-privilege accounts for them.
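The polling logic described on the previous slides, as an added Python example that is not Fortinet code: a health monitor that applies a timeout, a down-retry count and an up-retry count to any probe, with a TCP three-way-handshake probe as one concrete check method. The scripted result sequence in run_scenario is constructed so the example runs offline; the starting assumption that a member is in service until the down threshold is reached is this example’s own.

```python
"""Health-check state machine in the style described above.

Added example, not FortiADC code. `probe` is any callable returning True when
the server answered within the timeout; `tcp_probe` is one concrete check.
"""
import socket


def tcp_probe(host, port, timeout=3.0):
    """Three-way-handshake check: True if a TCP connection to host:port completes."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


class HealthMonitor:
    """Tracks one real server's status from a sequence of probe results.

    down_retry: consecutive failed polls before the server is marked down.
    up_retry:   consecutive successful polls before it is marked up again.
    Both thresholds damp flapping, which matters because every status change
    moves live traffic between pool members.
    """

    def __init__(self, probe, down_retry=3, up_retry=1):
        if down_retry < 1 or up_retry < 1:
            raise ValueError("retry counts must be at least 1")
        self.probe = probe
        self.down_retry = down_retry
        self.up_retry = up_retry
        self.status = "up"      # assumption for this example: in service until proven down
        self._fail_streak = 0
        self._ok_streak = 0
        self.transitions = []   # (poll_number, new_status), what you would log or alert on

    def poll(self, poll_number):
        """Run one probe and return the status after applying the retry thresholds."""
        if bool(self.probe()):
            self._ok_streak += 1
            self._fail_streak = 0
            if self.status == "down" and self._ok_streak >= self.up_retry:
                self._set("up", poll_number)
        else:
            self._fail_streak += 1
            self._ok_streak = 0
            if self.status == "up" and self._fail_streak >= self.down_retry:
                self._set("down", poll_number)
        return self.status

    def _set(self, status, poll_number):
        self.status = status
        self.transitions.append((poll_number, status))


def scripted_probe(results):
    """Constructed probe that replays a fixed list of outcomes (offline stand-in for tcp_probe)."""
    iterator = iter(results)
    return lambda: next(iterator)


def run_scenario(results, down_retry=3, up_retry=2):
    """Feed a scripted result sequence through the monitor; returns (status history, transitions)."""
    monitor = HealthMonitor(scripted_probe(results), down_retry=down_retry, up_retry=up_retry)
    history = [monitor.poll(i) for i in range(1, len(results) + 1)]
    return history, monitor.transitions


if __name__ == "__main__":
    # One dropped poll, then three in a row: only the second pattern takes the member out.
    print(run_scenario([True, False, True, False, False, False, True, True, True]))
```

Replace scripted_probe with functools.partial(tcp_probe, host, port) to poll a real server; the isolated failure at poll 2 does not trip the down threshold, three consecutive failures do, and the member is only returned to service after two clean polls.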

For each server, you can configure a maximum number of concurrent connections. That maximum rate is used under normal operating conditions. You can also configure a lower rate that FortiADC uses while the server is rebooting, or has finished rebooting but isn’t yet ready to operate at full capacity. This is called the Warm Rate. When you configure a Warm Rate setting, FortiADC uses it during a warm-up period, specified in the Warm Up setting, when the server comes back online after a health check, or when the status of the server is changed to Enabled from Maintain or Disabled.

To create real servers, click Server Load Balance, and then click Real Server. On the Real Server screen, click the Real Server tab. On the Real Server tab, you define a name for the server, set the status of the server, and define the IP address of the server.

Now you will examine how to create real server pools and how to add real servers to those pools. To create real server pools, click Server Load Balance, then click Real Server Pool and then click the Real Server Pool tab. On the Real Server Pool screen, you can also enable a health check that is applied to all servers, and set the status of each server to enable, disable, or maintain.

To add a real server to a real server pool, specify the settings by clicking Server Load Balance, then Real Server Pool, and then the Edit Member section. To add a real server to a real server pool, in the Edit Member section, select the real server you previously created from the drop-down list, or select Create new from the drop-down list to add a new server. If you are going to use Layer 7 persistence, you have to type the name of the cookie in the Cookie field. If you enable Backup, FortiADC uses the backup server when there is no other available server in the pool. On this tab, you can also disable Health Check Inherit to stop the server from inheriting the default health check method that was assigned to the pool, and add or remove specific health check methods for a member.

If the FortiADC is working as a Layer 2 or Layer 7 load balancer, the only supported load balancing method is round robin. If FortiADC is working as a Layer 4 load balancer, it supports three methods of load balancing: round robin, fastest response, and least connections. Using the round robin method, traffic is sent to the next server in the pool. Using the fastest response method, traffic is sent to the server with the fastest response to health checks. Using the least connections method, traffic is sent to the server with the fewest total connections, which includes active and inactive connections.
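
The three Layer 4 methods above, together with the per-server connection limit and Warm Rate described earlier in this lesson, are shown below as one small pool model. This is an added example written for this guide, not FortiADC code; the attribute names (max_connections, warm_rate, warm_up) are the example's own and the pool is constructed sample data.

```python
"""Layer 4 load balancing methods with per-server connection limits and warm rate.

Added example, not FortiADC code. Models round robin (next server in the pool),
fastest response (lowest health-check response time) and least connections
(fewest total connections), plus the per-server maximum concurrent connections
and the lower warm rate that applies during a warm-up period after a server
comes back online. Field names are this example's own, not FortiADC parameters.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class RealServer:
    name: str
    max_connections: int           # limit under normal operation
    warm_rate: int = 0             # lower limit during warm-up (0 = none configured)
    warm_up: float = 0.0           # warm-up period in seconds
    online_since: float = 0.0      # when the server last came back online
    health_rtt_ms: float = 0.0     # latest health-check response time
    connections: int = 0           # active + inactive connections

    def limit(self, now: float) -> int:
        """Effective connection limit at time `now`."""
        if self.warm_rate and now - self.online_since < self.warm_up:
            return self.warm_rate
        return self.max_connections

    def accepts(self, now: float) -> bool:
        return self.connections < self.limit(now)


class Pool:
    def __init__(self, members: List[RealServer], method: str = "round_robin"):
        self.members = members
        self.method = method
        self._rr_index = 0

    def select(self, now: float) -> Optional[RealServer]:
        """Pick the server for a new connection, or None if every member is at its limit."""
        candidates = [s for s in self.members if s.accepts(now)]
        if not candidates:
            return None
        if self.method == "round_robin":
            # Continue from where the last pick left off, skipping members at their limit.
            chosen = None
            while chosen is None:
                server = self.members[self._rr_index % len(self.members)]
                self._rr_index += 1
                if any(server is c for c in candidates):
                    chosen = server
        elif self.method == "fastest_response":
            chosen = min(candidates, key=lambda s: s.health_rtt_ms)
        elif self.method == "least_connections":
            chosen = min(candidates, key=lambda s: s.connections)
        else:
            raise ValueError(f"unknown load balancing method: {self.method}")
        chosen.connections += 1
        return chosen


def assign(method: str, n: int, now: float = 0.0, web3_online_since: float = 0.0) -> List[str]:
    """Constructed sample pool: hand out n new connections and return the chosen names.

    web3 has the fastest health-check response but just came back online: while
    its 60 s warm-up runs it takes at most 2 connections instead of 100.
    """
    pool = Pool([
        RealServer("web1", max_connections=100, health_rtt_ms=5.0),
        RealServer("web2", max_connections=100, health_rtt_ms=2.0),
        RealServer("web3", max_connections=100, warm_rate=2, warm_up=60.0,
                   online_since=web3_online_since, health_rtt_ms=1.0),
    ], method)
    picks = []
    for _ in range(n):
        server = pool.select(now)
        if server is None:
            break
        picks.append(server.name)
    return picks
```

The fastest-response case is the one to watch: without a Warm Rate, a server that has just rebooted (and therefore answers health checks quickly because it is idle) would receive every new connection until it is overloaded.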

Good job! You can now understand load balancing basics. Now, you will learn about some advanced load balancing features.

After completing this section, you should be able to achieve the objectives shown on this slide. By demonstrating competence in advanced load balancing features, you will be able to configure Layer 7 content routing and rewriting, set up web caching and compression, and import digital certificates in order to configure SSL offloading.

Persistence methods are rules that identify traffic that should not be load balanced, but instead forwarded to the back-end server that has seen requests from that source before. Persistence rules are often needed to support server transactions that depend on an established client-server session, such as e-commerce transactions or session initiation protocol (SIP) voice calls. FortiADC supports a large number of different persistence methods. The basic persistence IP method is based on the source IP address. A variation on the IP method is called consistent hash IP, which is based on a consistent hash of the source IP address. The hash IP persistence method is based on both the source IP address and TCP/UDP port number, and the hash header persistence method is based on the HTTP request header and the hash of the HTTP request header.

The hash cookie persistence method is based on the hash of the HTTP cookie. The RADIUS attribute and SSL session ID methods are based on a RADIUS attribute and the SSL session ID, respectively.
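
The difference between the IP, hash IP and consistent hash IP methods above is what gets hashed and how the hash maps to a server. The following added example (written for this guide, not FortiADC code) shows the lookup key each method uses and then measures why "consistent" matters: when a server leaves the pool, a plain modulo hash moves most clients to a different server, while a consistent hash ring moves only the clients that were on the removed server. Client addresses, server names and the number of ring replicas are constructed.

```python
"""Source-IP persistence: plain hash, hash IP (address + port), and consistent hash.

Added example, not FortiADC code. persistence_key shows which input each method
hashes. modulo_select and ConsistentHashRing then show what happens to existing
persistence when a server is removed from the pool.
"""
import bisect
import hashlib
from typing import Callable, Dict, List


def persistence_key(method: str, src_ip: str, src_port: int) -> str:
    if method == "ip":          # persistence IP / consistent hash IP: source address only
        return src_ip
    if method == "hash_ip":     # hash IP: source address and source port
        return f"{src_ip}:{src_port}"
    raise ValueError(method)


def _digest(key: str) -> int:
    # Stable 64-bit hash (Python's built-in hash() is randomised per process).
    return int.from_bytes(hashlib.sha256(key.encode()).digest()[:8], "big")


def modulo_select(servers: List[str], key: str) -> str:
    """Plain hash persistence: server index = hash(key) mod pool size."""
    return servers[_digest(key) % len(servers)]


class ConsistentHashRing:
    """Each server owns `replicas` points on a ring; a key goes to the first
    server point clockwise from hash(key)."""

    def __init__(self, servers: List[str], replicas: int = 100):
        self.replicas = replicas
        self._points: List[int] = []
        self._owner: Dict[int, str] = {}
        for server in servers:
            self.add(server)

    def add(self, server: str) -> None:
        for i in range(self.replicas):
            point = _digest(f"{server}#{i}")
            bisect.insort(self._points, point)
            self._owner[point] = server

    def remove(self, server: str) -> None:
        self._points = [p for p in self._points if self._owner[p] != server]
        self._owner = {p: s for p, s in self._owner.items() if s != server}

    def select(self, key: str) -> str:
        idx = bisect.bisect(self._points, _digest(key))
        if idx == len(self._points):
            idx = 0                      # wrap around the ring
        return self._owner[self._points[idx]]


def remap_fraction(clients: List[str], before: Callable[[str], str],
                   after: Callable[[str], str]) -> float:
    """Fraction of clients whose persistence is lost between two pool states."""
    return sum(1 for c in clients if before(c) != after(c)) / len(clients)


def compare(n_clients: int = 2000) -> Dict[str, float]:
    """Constructed scenario: remove srv3 from a four-server pool and measure how
    many clients end up on a different server under each method."""
    clients = [f"10.0.{i // 256}.{i % 256}" for i in range(n_clients)]
    servers = ["srv1", "srv2", "srv3", "srv4"]
    reduced = ["srv1", "srv2", "srv4"]
    modulo = remap_fraction(clients,
                            lambda c: modulo_select(servers, c),
                            lambda c: modulo_select(reduced, c))
    ring = ConsistentHashRing(servers)
    before = {c: ring.select(c) for c in clients}
    ring.remove("srv3")
    consistent = remap_fraction(clients, before.__getitem__, ring.select)
    # Clients that were not on srv3 must never move under consistent hashing.
    wrongly_moved = sum(1 for c in clients
                        if before[c] != "srv3" and ring.select(c) != before[c]) / n_clients
    return {"modulo": modulo, "consistent": consistent, "unaffected_moved": wrongly_moved}
```

With four servers, the plain hash remaps about three quarters of the clients when one server is removed (hash mod 4 and hash mod 3 agree only by chance), whereas the ring remaps roughly the quarter that belonged to the removed server and nobody else.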

Another persistence method is insert cookie. Cookie insertion takes advantage of the browser’s cookie caching behaviour. When the user connects for the first time and sends the first HTTP GET request, FortiADC uses the load balancing method to send the GET request to any of the servers available in the pool. When a server replies with the web content, FortiADC inserts a cookie in the response that is forwarded to the user. From this point on, each time the client issues a GET request, the browser includes the cookie, and FortiADC uses that cookie to determine which server the HTTP GET should go to. The insert cookie method allows you to set a timeout for the server-side session, so that after the specified timeout period elapses, FortiADC won’t forward the request based on the cookie, and will instead select the server using the method specified in the virtual server configuration.

Using the embedded cookie persistence method, FortiADC waits for the reply from the server and searches for a specific cookie in the server reply. Once FortiADC finds that cookie, FortiADC adds the server ID as a prefix to the cookie. After that, the client sends the cookie with the server ID prefix and FortiADC uses that prefix to identify which server the traffic should be forwarded to.

The persistent cookie method is similar to the insert cookie method, but if the real server produces a cookie with the same name, then FortiADC won’t modify it. Like the insert cookie method, the persistent cookie method also supports specifying a session time out. Finally, there is the rewrite cookie method. Using this method, the cookie is provided by the real server and FortiADC modifies its value.

The Persistence screen is where you can configure the persistence method. In this screen you can also configure the specific settings that depend on each method you are using, such as the session timeout.

Each real server must have a unique cookie value for persistence to work properly. In order to verify, or edit the cookie value for each server in a pool, navigate to Server Load Balance > Real Server Pool and edit the individual members. Verify or configure the Cookie value as needed.
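
The four cookie methods described on the preceding slides (insert, embedded, persistent and rewrite) differ only in how the load balancer reads the client's Cookie header and how it touches the server's Set-Cookie header. The following added example, written for this guide and not FortiADC code, models each one as a header transform, with the unique per-server cookie value that the slide above requires. The cookie name SRV, the application cookie JSESSIONID and the "~" separator for the embedded prefix are constructed for the example.

```python
"""Cookie persistence methods as request/response header transforms.

Added example, not FortiADC code. Each real server carries a unique cookie
value ("s1", "s2"). For each method: how the load balancer reads the client's
Cookie header to find the persisted server, and how it changes Set-Cookie.
"""
from typing import Dict, List, Optional

SERVERS = {"web1": "s1", "web2": "s2"}            # server -> unique cookie value
VALUE_TO_SERVER = {v: k for k, v in SERVERS.items()}


def parse_cookie_header(header: str) -> Dict[str, str]:
    """Minimal parser for 'a=1; b=2' (constructed, not RFC-complete)."""
    cookies = {}
    for part in header.split(";"):
        name, sep, value = part.strip().partition("=")
        if sep:
            cookies[name] = value
    return cookies


def _set_cookie_name(header: str) -> str:
    return header.partition("=")[0].strip()


class InsertCookie:
    """Insert cookie: the load balancer adds its own cookie and forgets the
    binding after `timeout` seconds without requests (server-side session timeout)."""

    def __init__(self, name: str = "SRV", timeout: float = 300.0):
        self.name, self.timeout = name, timeout
        self._last_seen: Dict[str, float] = {}       # cookie value -> last request time

    def choose(self, cookie_header: str, now: float) -> Optional[str]:
        """Persisted server, or None when the load balancing method must pick one."""
        value = parse_cookie_header(cookie_header).get(self.name)
        if value not in VALUE_TO_SERVER:
            return None                                # missing or unknown value
        last = self._last_seen.get(value)
        if last is not None and now - last > self.timeout:
            del self._last_seen[value]
            return None                                # session timed out
        self._last_seen[value] = now
        return VALUE_TO_SERVER[value]

    def on_response(self, server: str, set_cookies: List[str], now: float) -> List[str]:
        self._last_seen[SERVERS[server]] = now
        return list(set_cookies) + [f"{self.name}={SERVERS[server]}; Path=/; HttpOnly"]


def embedded_on_response(server: str, set_cookie: str, name: str = "JSESSIONID") -> str:
    """Embedded cookie: prefix the server's own cookie value with the server ID."""
    if _set_cookie_name(set_cookie) != name:
        return set_cookie
    cname, _, rest = set_cookie.partition("=")
    return f"{cname}={SERVERS[server]}~{rest}"


def embedded_choose(cookie_header: str, name: str = "JSESSIONID") -> Optional[str]:
    value = parse_cookie_header(cookie_header).get(name, "")
    prefix, sep, _ = value.partition("~")
    return VALUE_TO_SERVER.get(prefix) if sep else None


def persistent_on_response(server: str, set_cookies: List[str], name: str = "SRV") -> List[str]:
    """Persistent cookie: like insert, but a same-named cookie from the server is left alone."""
    if any(_set_cookie_name(h) == name for h in set_cookies):
        return list(set_cookies)
    return list(set_cookies) + [f"{name}={SERVERS[server]}; Path=/"]


def rewrite_on_response(server: str, set_cookie: str, name: str = "SRV") -> str:
    """Rewrite cookie: the server supplies the cookie, the load balancer replaces its value."""
    if _set_cookie_name(set_cookie) != name:
        return set_cookie
    cname, _, rest = set_cookie.partition("=")
    _, semi, attrs = rest.partition(";")
    return f"{cname}={SERVERS[server]}" + (semi + attrs if semi else "")
```

Because the persistence cookie is read by the load balancer only, it carries nothing the application needs, so it can be marked HttpOnly (and Secure on HTTPS virtual servers) without affecting the application.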

Compression offloading is a feature that is available on FortiADC devices. Using compression offloading, FortiADC can compress data being sent to clients if the browser supports GZIP. The FortiADC receives the web content from the server in uncompressed form. If the content supports compression, the FortiADC compresses the web content and sends it to the users in compressed form. Web pages that support compression include HTML, JavaScript, CSS, and other MIME types.

The configuration of compression offloading is simple. You create a compression profile, and then select the content types to be included in or excluded from compression.

Web cache is another FortiADC feature. Here’s how it works: if a client requests content that is not yet in cache memory, FortiADC forwards the request to the server to get that content. Once FortiADC receives the content from the server, it stores it locally and sends a copy of that content to the client.

After that, if the same client or a different client requests that same content (that is now in cache memory), FortiADC will not connect to the server again. It sends another copy of the cached content to the client. One great benefit of this feature is that it reduces the bandwidth utilization between FortiADC and the backend servers.

Web cache configuration is very simple. The only option you have to specify is the size of the cache memory. You can also specify which URLs are excluded from web caching.
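
The two settings just mentioned, cache size and excluded URLs, determine what the cache does on each request. The following added example (written for this guide, not FortiADC code) replays a short request sequence through a small cache with both settings: the first request for an object goes to the origin and is stored, later requests for it from any client are served locally, excluded URLs always go to the origin, and when the size limit would be exceeded the least recently used object is evicted. The origin content, sizes and the "/account/" exclusion are constructed.

```python
"""Web cache with a size limit and excluded URLs.

Added example, not FortiADC code. "/account/" is excluded because its content
is per-user and must never be served to a different client from the cache.
"""
from collections import OrderedDict
from typing import Callable, List, Tuple


class WebCache:
    def __init__(self, max_size: int, fetch: Callable[[str], bytes],
                 exclude_prefixes: Tuple[str, ...] = ()):
        self.max_size = max_size              # configured cache memory, in bytes
        self.fetch = fetch                    # request to the back-end server
        self.exclude_prefixes = exclude_prefixes
        self._store: "OrderedDict[str, bytes]" = OrderedDict()   # LRU order
        self._size = 0
        self.backend_requests = 0

    def excluded(self, url: str) -> bool:
        return any(url.startswith(p) for p in self.exclude_prefixes)

    def get(self, url: str) -> Tuple[bytes, str]:
        """Return (body, status) with status HIT, MISS, or BYPASS."""
        if self.excluded(url):
            self.backend_requests += 1
            return self.fetch(url), "BYPASS"
        if url in self._store:
            self._store.move_to_end(url)       # mark as most recently used
            return self._store[url], "HIT"
        self.backend_requests += 1
        body = self.fetch(url)
        if len(body) <= self.max_size:
            while self._size + len(body) > self.max_size:
                _, evicted = self._store.popitem(last=False)   # evict least recently used
                self._size -= len(evicted)
            self._store[url] = body
            self._size += len(body)
        return body, "MISS"


# Constructed origin server: path -> body (sizes chosen to force an eviction)
ORIGIN = {
    "/index.html": b"<html>" + b"." * 594,        # 600 bytes
    "/app.js": b"/*js*/" + b"." * 294,            # 300 bytes
    "/logo.png": b"\x89PNG" + b"." * 496,          # 500 bytes
    "/account/balance": b"{\"balance\": 42}",       # per-user, must not be cached
}


def demo(requests: List[str]) -> Tuple[List[str], int]:
    """Replay requests through a 1000-byte cache; return statuses and origin hits."""
    cache = WebCache(max_size=1000, fetch=ORIGIN.__getitem__,
                     exclude_prefixes=("/account/",))
    statuses = [cache.get(url)[1] for url in requests]
    return statuses, cache.backend_requests
```

The exclusion list is the security-relevant setting: anything personalised or authenticated (account pages, API responses carrying user data) must be excluded, otherwise one user's response can be served to the next user who requests the same URL.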

You can configure FortiADC to present an error page to clients when all the servers are unavailable. Error pages can only be used when doing Layer 7 load balancing. After you’ve created an error page configuration object, you can select it in the virtual server configuration. To configure an error page configuration object, copy the error message file to a location you can reach from your browser. The error message file must be named index.html and must be contained in a zip file. You must have read-write permission for load balance settings.

Layer 4 content routing is when FortiADC routes traffic to specific servers based on the source IP address of the client.

Additionally, FortiADC can make smarter load balancing decisions. When FortiADC uses Layer 7 content routing, decisions are made based on URL. For example, requests for a specific file or file type, such as media content, can be forwarded to server pools built to better handle that specific content type.

To configure Layer 7 content routing, you specify the real server pool that will handle specific traffic and a set of rules. Each time traffic matches any of those rules, it is forwarded to the specified real server pool.

Using Layer 7 content rewrite, FortiADC can modify the HTTP content. FortiADC can rewrite the HTTP header: it can modify the Host field, the URL, or the Referer field. It can also be configured to reply with an HTTP redirect, or to reply with a forbidden error.

This slide shows an overview of how to configure Layer 7 content rewrite. On the Content Routing screen, you specify the action and a set of rules. Each time the traffic matches any of those rules, the action is taken.
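
Content routing (a rule matches, traffic goes to a named pool) and content rewrite (a rule matches, an action is taken) share the same matching model, so the following added example implements both over one rule type. It is written for this guide and is not FortiADC code: the rule fields (host, path prefix, path regex), the action names and the sample pools, hosts and paths are all constructed.

```python
"""Layer 7 content routing and content rewrite rules.

Added example, not FortiADC code. Routes: first matching rule names the real
server pool, a default pool takes the rest. Rewrites: first matching rule's
action is applied (rewrite Host, URL or Referer; redirect; forbidden).
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class Request:
    host: str
    path: str
    headers: Dict[str, str] = field(default_factory=dict)


@dataclass
class Rule:
    name: str
    host: Optional[str] = None          # exact (case-insensitive) Host match
    path_prefix: Optional[str] = None   # URL starts with
    path_regex: Optional[str] = None    # URL matches regular expression

    def matches(self, req: Request) -> bool:
        if self.host is not None and req.host.lower() != self.host.lower():
            return False
        if self.path_prefix is not None and not req.path.startswith(self.path_prefix):
            return False
        if self.path_regex is not None and not re.search(self.path_regex, req.path):
            return False
        return True


def route(req: Request, routes: List[Tuple[Rule, str]], default_pool: str) -> str:
    """Content routing: the first matching rule decides the real server pool."""
    for rule, pool in routes:
        if rule.matches(req):
            return pool
    return default_pool


def rewrite(req: Request, rewrites: List[Tuple[Rule, str, str]]):
    """Content rewrite: apply the first matching action.

    Returns the (possibly modified) request and, for redirect/forbidden actions,
    the (status, headers) response sent instead of forwarding the request.
    """
    for rule, action, arg in rewrites:
        if not rule.matches(req):
            continue
        if action == "rewrite_host":
            req.host = arg
        elif action == "rewrite_url":
            # arg may use backreferences to groups captured by the rule's regex
            req.path = re.sub(rule.path_regex, arg, req.path, count=1) if rule.path_regex else arg
        elif action == "rewrite_referer":
            if "Referer" in req.headers:      # the header is spelled "Referer" on the wire
                req.headers["Referer"] = arg
        elif action == "redirect":
            return req, (302, {"Location": arg})
        elif action == "forbidden":
            return req, (403, {})
        else:
            raise ValueError(f"unknown action {action}")
        return req, None
    return req, None


# Constructed policy: media to a pool tuned for static content, the API host to
# its own pool, everything else to the general web pool (the default).
ROUTES = [
    (Rule("media", path_regex=r"\.(?:mp4|jpg|png)$"), "media-pool"),
    (Rule("api", host="api.example.com"), "api-pool"),
]
REWRITES = [
    (Rule("block-admin", path_prefix="/admin"), "forbidden", ""),
    (Rule("moved-blog", path_regex=r"^/blog/(.*)$"), "rewrite_url", r"/news/\1"),
    (Rule("old-host", host="www.example.org"), "redirect", "https://www.example.com/"),
    (Rule("scrub-referer", path_prefix="/checkout"), "rewrite_referer", "https://www.example.com/"),
]
```

Rule order matters in both tables: the forbidden rule for /admin is listed first so that no later rewrite can turn an /admin request into something that is forwarded.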

Now you will explore profiles. Profiles specify the protocol whose traffic is going to be load balanced. There are many different profile types, and not all of them are supported by the three different load balancing methods. This table shows some of the profiles, and which ones are supported by each load balance method. FortiADC supports nearly 20 predefined profiles, as well as the ability to create custom profiles.

Now you will explore the TCP, UDP, and FTP profiles. In these three profiles, you must configure the session time-out and the TCP session time-out after FIN. The Timeout TCP Session setting specifies how long a TCP session without traffic remains in memory. The TCP session time out after FIN setting specifies how long a session remains in memory after a FIN packet has been sent, and while no FIN acknowledge packets have been received.

The X-Forwarded-For header field is the de facto standard that identifies the original client’s IP address. It is appended by devices that change the source IP address, such as web proxies, load balancers, or devices doing source NAT. FortiADC can add this field, or it can use it to make decisions related to load balancing.

The images on this slide show the HTTP profile. If the Source Address setting is enabled, FortiADC uses the client IP address to set up the connection to the back-end server, so it will not change the source IP address of the packets. If the client traffic contains the X-Forwarded-For field (shown on the previous slide), FortiADC gets the client IP address from there. If the setting is disabled, FortiADC uses its own IP address to connect to the backend server so it will be doing source NAT.
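
When a device takes the client IP address from X-Forwarded-For, as described above, it must remember that the header arrives from whoever connects to it, so its leftmost entries can be anything the sender chose to write. The safe rule is to trust only the entries appended by proxies you operate. The following added example (written for this guide, not FortiADC code) applies that rule: walk the list from the right, skip your own trusted proxy addresses, and take the first address that is not yours; it also shows what a load balancer doing source NAT appends when it forwards the request. The proxy address ranges and sample headers are constructed.

```python
"""Reading and appending X-Forwarded-For safely.

Added example, not FortiADC code. client_ip trusts only entries added by the
operator's own proxies; append_xff is what a forwarding proxy adds.
"""
import ipaddress
from typing import Iterable, Optional


def _parse(addr: str):
    try:
        return ipaddress.ip_address(addr.strip())
    except ValueError:
        return None


def client_ip(xff_header: Optional[str], peer_ip: str, trusted_proxies: Iterable[str]) -> str:
    """Determine the original client IP.

    peer_ip is the TCP peer (what the load balancer actually sees). If the peer
    is not a trusted proxy, the header is ignored entirely, because everything
    in it was written by an untrusted party.
    """
    trusted = [ipaddress.ip_network(n, strict=False) for n in trusted_proxies]

    def is_trusted(ip) -> bool:
        return any(ip in net for net in trusted)

    peer = ipaddress.ip_address(peer_ip)
    if not xff_header or not is_trusted(peer):
        return str(peer)
    # Walk right to left: the rightmost entry was added by the (trusted) peer,
    # the one before it by the previous hop, and so on.
    chain = [_parse(a) for a in xff_header.split(",")]
    for ip in reversed(chain):
        if ip is None:
            # Malformed entry: stop here rather than trust anything further left.
            return str(peer)
        if not is_trusted(ip):
            return str(ip)
    # Every entry is one of our own proxies (for example an internal health
    # check): the leftmost one originated the request.
    return str(chain[0])


def append_xff(xff_header: Optional[str], peer_ip: str) -> str:
    """Header value a load balancer doing source NAT puts in the forwarded request."""
    return f"{xff_header}, {peer_ip}" if xff_header else peer_ip
```

The list of trusted proxies is the whole security of this scheme: if the public Internet can reach the back-end directly, nothing in the header can be trusted, which is the case the first check handles.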

HTTP Turbo is similar to the HTTP profile except that it doesn’t support advanced ADC features, such as caching, compression, content rewriting, rate limiting, Geo IP blocking, or source NAT. You can use it with content routing and DNAT, as long as the HTTP request is contained in the first data packet. It enables packet-based forwarding, which reduces network latency and system CPU usage. However, it is not recommended if you anticipate dropped or out-of-order packets.

FortiADC supports SSL offloading and acceleration. SSL offloading moves the SSL encryption and decryption from the servers to the load balancer. As the SSL encryption is terminated in the FortiADC device, the system can inspect and make decisions based on SSL content. In order to do that, the server’s signed digital certificate and private key must be installed on FortiADC.

When you use SSL offloading, a single device is used for SSL and HTTPS management, so all the certificates are stored on one device. This lowers the SSL management and operational costs. More importantly, when you use SSL offloading, the server doesn't have to run expensive crypto tasks, so the workload on the servers is lower because the SSL traffic is moved to a dedicated CP9 processor on hardware-accelerated FortiADC devices. This also reduces the bandwidth utilization between FortiADC and your backend servers.

Using SSL re-encryption, FortiADC can decrypt the data coming from the user and re-encrypt it before sending it to the server. Two separate SSL sessions are established: one from the client to FortiADC and another one from FortiADC to the server. Both SSL sessions terminate at FortiADC. FortiADC can still inspect and make decisions based on the content inside the HTTPS traffic.

To use SSL offloading or SSL re-encryption, you have to install the signed digital certificates and private keys for your servers. There are two ways of doing this: you can import the certificate files manually, or you can submit a certificate signing request to a CA.

You can configure FortiADC to perform certificate-based authentication. Using certificate-based authentication, FortiADC requires clients to present a valid digital certificate. Clients must present a certificate that is signed by a CA whose root certificate is loaded or installed on FortiADC. FortiADC also supports CRLs, which contain the serial number of certificates that are no longer trusted.

The HTTPS profile is similar to the HTTP profile. It contains a section for the certificate. Here you specify the digital certificate that’s going to be presented to clients that want to connect to the server. On this screen, you can also configure options in the profile, including IP Reputation, Compression, Caching, as well as Geo IP options.

When you configure the virtual server to use HTTPS, you must select the HTTPS profile from the drop-down list. This enables the Client SSL Profile field, where you will select the client SSL profile that FortiADC should use.

Now you will examine Layer 4 packet forwarding methods. Multiple methods for Layer 4 packet forwarding are available when FortiADC is doing Layer 4 load balancing. These methods are:
• Direct routing
• DNAT
• Full NAT
• Tunneling
• NAT46
• NAT64

Using the direct routing packet forwarding method, known elsewhere as direct server return, FortiADC doesn’t change the IP addresses in the packets coming from the client. Instead, FortiADC forwards packets to the server keeping the same source IP address and the same destination IP address. This means that the virtual server IP address must match the real server IP address. Server replies can go either through FortiADC or directly to the client without passing through the FortiADC device. The direct routing method is often configured on a single VLAN or subnet, where the cluster IP and the server IP addresses are all on the internal interface. It can also be used in multiple VLAN configurations, although this is less common.

Using DNAT, FortiADC changes the destination IP address of the packets coming from the client.

Using full NAT, FortiADC changes both the source IP address and the destination IP address. In order to specify the NAT IP addresses for the source IP address, you have to create a source pool. This is often used when the real server’s gateway is not the load balancer and you want to avoid asymmetric traffic. You would use Full NAT primarily when you are using FortiADC in a one-arm configuration.

FortiADC also supports tunneling. This allows FortiADC to send client requests to real servers through Layer 4 IP Tunnels.

Using NAT46, FortiADC replaces both the destination and source IP addresses, translating IPv4 addresses to IPv6 addresses. The source IP address is replaced by an IP address from the pool you specify. The destination IP address is replaced with the IP address of the backend server selected by the load balancer.

Using NAT64, FortiADC replaces both the destination and source IP addresses, translating IPv6 addresses to IPv4 addresses. The source IP address is replaced by an IP address from the pool you specify. The destination IP address is replaced with the IP address of the backend server selected by the load balancer.
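
The six forwarding methods on the preceding slides differ only in what happens to the source and destination addresses of a client packet that arrived at the virtual server. The following added example (written for this guide, not FortiADC code) expresses each method as an address transform, including the address-family checks that NAT46 and NAT64 need and the source pool that full NAT, NAT46 and NAT64 draw from. All addresses, the pool-selection rule (index by client address) and the Packet type are constructed.

```python
"""Layer 4 packet forwarding methods as address transforms.

Added example, not FortiADC code. Direct routing leaves both addresses alone,
DNAT rewrites the destination, full NAT rewrites both (source from a pool),
tunneling wraps the packet in an outer header, NAT46/NAT64 do full NAT across
address families.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional, Sequence, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    outer: Optional[Tuple[str, str]] = None   # encapsulating header, tunneling only


def _version(addr: str) -> int:
    return ipaddress.ip_address(addr).version


def _pick_source(pool: Sequence[str], client: str, version: int) -> str:
    """Choose the NAT source address for this client from the configured pool."""
    if not pool:
        raise ValueError("a source pool is required for this method")
    bad = [a for a in pool if _version(a) != version]
    if bad:
        raise ValueError(f"source pool entries must be IPv{version}: {bad}")
    return pool[int(ipaddress.ip_address(client)) % len(pool)]   # deterministic per client


def forward(method: str, pkt: Packet, server_ip: str,
            adc_ip: str = "", source_pool: Sequence[str] = ()) -> Packet:
    """Return the packet as the real server will see it."""
    if method == "direct_routing":
        # Addresses untouched: the real server must also answer for the virtual
        # IP, and its replies may go straight back to the client.
        return pkt
    if method == "dnat":
        return Packet(pkt.src, server_ip)
    if method == "full_nat":
        return Packet(_pick_source(source_pool, pkt.src, _version(server_ip)), server_ip)
    if method == "tunneling":
        if not adc_ip:
            raise ValueError("tunneling needs the FortiADC tunnel endpoint address")
        return Packet(pkt.src, pkt.dst, outer=(adc_ip, server_ip))
    if method in ("nat46", "nat64"):
        want_in, want_out = (4, 6) if method == "nat46" else (6, 4)
        if _version(pkt.src) != want_in or _version(server_ip) != want_out:
            raise ValueError(f"{method} translates IPv{want_in} clients to IPv{want_out} servers")
        return Packet(_pick_source(source_pool, pkt.src, want_out), server_ip)
    raise ValueError(f"unknown forwarding method {method}")
```

With full NAT, NAT46 and NAT64 the server only ever sees a pool address, which is why the X-Forwarded-For handling from the HTTP profile matters whenever the application needs the real client address for logging or access control.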

The final step is to create the virtual server object. You specify the IP address of the virtual server and apply all the objects that were created in the previous steps, such as the profile object, the persistence object, the load balance method, and the server pool.

Congratulations! You have completed this lesson. Now, you will review the objectives that you covered in this lesson.

This slide shows the objectives covered in this lesson. By mastering server load balancing, you can deploy FortiADC in your network and improve the efficiency of your resources.

 Link Load Balancing and Advanced Networking

In this lesson, you will learn about link load balancing (LLB) and advanced networking.

In this lesson, you will explore the topics shown on this slide.

After completing this section, you should be able to achieve the objectives shown on this slide. By demonstrating competence in LLB, you will be able to configure LLB, create virtual tunnels, and link groups.

When a client wants to contact a website, for example, www.fortinet.com, the browser first contacts its local DNS server to get the IP address for that fully-qualified domain name. If that IP address is not in the local DNS cache, the local DNS server goes to one of the root name servers on the Internet to get the IP address. The root name server replies with the IP address of the DNS server for that domain which, in this case, is fortinet.com. So, the local DNS server contacts that domain name server. The domain name server for the domain fortinet.com replies with the IP address of the DNS server that is authoritative for the fully-qualified domain name www.fortinet.com. The local DNS server contacts that DNS server, gets the IP address from there, and forwards the IP address to the client. Now the browser can go directly to that IP address to get the web content stored there.

Using LLB, FortiADC balances traffic among multiple upstream links. If the primary link fails, traffic is seamlessly redirected through a backup link. You can configure LLB for inbound traffic, outbound traffic, or both. Outbound LLB is the most commonly used configuration.

Many of the optional objects are configured as system-wide shared resources. Examples of optional objects include schedule, address, service, and health check. Link policies apply to either link groups or virtual tunnels.

Now you will learn about the steps to configure LLB. First, you should add addresses, address groups, services, service groups, and schedule groups that can then be used to match traffic to link policy rules. If you do not add these, your policy will not use matching criteria and will not have granularity. Next, you configure optional features. You should configure health check rules before you configure gateway links, and you should configure persistence rules or proximity routes before you configure a link group. Next, you configure the gateway links. Then you configure either a link group or a virtual tunnel, as required. Finally, you configure the link policy, in which you set the source/destination/service matching tuple for your link groups or virtual tunnels.

Using the GUI, you can configure addresses in the system’s shared resources. You will use these addresses when you need to create link policies that apply to more than one address object. For example, if you subscribe customer one and customer two to a group of links, then you can create rules that match the customer one or customer two address space, and load balance the set of gateways assigned to them.

You can use services and service groups to specify the service to be matched in policies. The Protocol field identifies the protocol by number, such as 1 (ICMP), 6 (TCP), or 17 (UDP). For example, if a client requires a policy for link load balancing web services, you can add HTTP and HTTPS as services, and then aggregate those services into a group called web services.

You can use schedule groups to create time-bound LLB policies. The options are one-time, daily, weekly, or monthly. One-time LLB policies can be very useful for special events requiring a specific LLB policy to handle the extra surge in traffic, for example.

The gateway link configuration enables you to specify bandwidth rate thresholds, and spillover threshold behavior for the gateway links you will add to link groups. You can also enable health checks, to make better load balancing decisions in the link policy.

When you add each gateway, you configure its weight. Links with a higher weight receive more traffic.

When you configure a virtual tunnel group, you set the list of tunnel members, as well as load balancing options like algorithm and weight. When you add members to a virtual tunnel configuration, you specify a local and remote IP address. These addresses are IP addresses assigned to a network interface on the local and remote FortiADC appliance. After you configure a virtual tunnel configuration object, you can select it in the link policy configuration.

The link policy uses information from all created objects to create a table of link policy rules. The link policy rules specify the traffic to be balanced by each link group. FortiADC searches the table from top to bottom and uses the first rule that matches the traffic. For each rule, you must configure an ingress interface, source address, destination address, service, schedule, and the link group or virtual tunnel the FortiADC uses to route the traffic. The link group is mandatory in a link policy configuration.

The final step is to configure the link policies. The link policies specify the traffic to be balanced by each link group and virtual tunnel. The example on this slide shows a table containing three link policies. These policies specify that:
• All the traffic that comes from 172.16.1 and goes to 172.16.2 uses Virtual Tunnel 1
• All the traffic that goes to 172.16.3 uses Link Group 2
• All the traffic that goes to the Internet uses Link Group 1
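
The link policy table above, together with the address, service and schedule objects from the earlier steps of this procedure, is reproduced in the following added example as a first-match lookup. It is written for this guide and is not FortiADC code: the slide's "172.16.1" is read as 172.16.1.0/24 (an assumption), services are protocol number plus destination port range, schedules are weekday and hour windows, and a fourth, schedule-bound rule is added ahead of the Internet rule to show the schedule object in use. Interface names and addresses are constructed.

```python
"""Link policy table: first-match lookup on ingress interface, addresses, service and schedule.

Added example, not FortiADC code. The table is searched top to bottom and the
first rule whose ingress interface, source, destination, service and schedule
all match decides the link group or virtual tunnel.
"""
import ipaddress
from dataclasses import dataclass
from datetime import datetime
from typing import Optional, Tuple

Network = ipaddress.IPv4Network
ANY = Network("0.0.0.0/0")


@dataclass(frozen=True)
class Service:
    protocol: int                  # 1 = ICMP, 6 = TCP, 17 = UDP
    dport_lo: int = 0
    dport_hi: int = 65535

    def matches(self, protocol: int, dport: int) -> bool:
        return protocol == self.protocol and self.dport_lo <= dport <= self.dport_hi


@dataclass(frozen=True)
class Schedule:
    weekdays: Tuple[int, ...] = tuple(range(7))   # 0 = Monday ... 6 = Sunday
    start_hour: int = 0
    end_hour: int = 24

    def active(self, at: datetime) -> bool:
        return at.weekday() in self.weekdays and self.start_hour <= at.hour < self.end_hour


@dataclass(frozen=True)
class LinkPolicyRule:
    name: str
    target: str                                   # link group or virtual tunnel
    ingress: Optional[str] = None                 # None = any interface
    src: Tuple[Network, ...] = (ANY,)
    dst: Tuple[Network, ...] = (ANY,)
    services: Tuple[Service, ...] = ()            # empty = any service
    schedule: Schedule = Schedule()

    def matches(self, ingress, src_ip, dst_ip, protocol, dport, at) -> bool:
        s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
        return ((self.ingress is None or self.ingress == ingress)
                and any(s in n for n in self.src)
                and any(d in n for n in self.dst)
                and (not self.services or any(svc.matches(protocol, dport) for svc in self.services))
                and self.schedule.active(at))


def lookup(table, ingress, src_ip, dst_ip, protocol, dport, at) -> Optional[str]:
    """First-match search; None means no link policy applies."""
    for rule in table:
        if rule.matches(ingress, src_ip, dst_ip, protocol, dport, at):
            return rule.target
    return None


HTTP, HTTPS = Service(6, 80, 80), Service(6, 443, 443)
BUSINESS_HOURS = Schedule(weekdays=(0, 1, 2, 3, 4), start_hour=9, end_hour=17)

# Constructed table: the slide's three policies plus one schedule-bound rule.
TABLE = [
    LinkPolicyRule("site-to-site", "Virtual Tunnel 1", ingress="port1",
                   src=(Network("172.16.1.0/24"),), dst=(Network("172.16.2.0/24"),)),
    LinkPolicyRule("partner", "Link Group 2", dst=(Network("172.16.3.0/24"),)),
    LinkPolicyRule("web-business-hours", "Link Group 3", services=(HTTP, HTTPS),
                   schedule=BUSINESS_HOURS),
    LinkPolicyRule("internet", "Link Group 1"),
]
```

Because the search stops at the first match, the catch-all Internet rule must stay last; placing it higher silently disables every rule below it.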

Using outbound link load balancing, the FortiADC balances traffic that leaves the network among the links that are part of the same link group.

You can configure FortiADC to do outbound LLB based on proximity route dynamic detection. Dynamic detection of proximity routes uses a proximity cache. The proximity cache contains the delay from all the links to all the destination subnets (/24). For example, if a client sends a new connection to the IP address 10.10.1.1, FortiADC checks if subnet 10.10.1.0/24 is in the cache table. If the subnet isn’t in the table, the packet is routed normally, based on the specified balancing algorithm. In addition, FortiADC sends ICMP ping packets to the destination IP address through each of the links that are part of the link group.

Next, the round-trip delay for each ping through each link is recorded in the proximity cache table. So, next time there is a packet to the same /24 subnet from the same user or from a different user, FortiADC uses the link with the smallest delay to the destination. All entries in the cache table are aged out after their inactivity timeout expires.

There are three methods FortiADC uses to select proximity routes:
• Dynamic detect only:
  • Uses the proximity route cache table to select the link with the lowest delay
• Static table only:
  • Uses a static table that is manually configured by the administrator instead of using the proximity route cache table
• Static table first:
  • Checks if there is a matching destination in the static table that was manually configured by the administrator
  • If there is no matching destination in the static table, FortiADC uses the proximity route cache table
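
The proximity cache described on the previous two slides (keyed by destination /24, one delay per link, entries aged out after the inactivity timeout) and the three selection methods above are modelled together in the following added example. It is written for this guide and is not FortiADC code: no ICMP probes are sent, the delays come from a constructed table, and the link names, static route and timeout value are sample data.

```python
"""Proximity route selection: dynamic cache, static table, and the three methods.

Added example, not FortiADC code. on_new_connection reproduces the first-packet
behaviour (route by the normal algorithm and probe the destination through
every link); select_link applies dynamic detect only, static table only and
static table first.
"""
import ipaddress
from typing import Callable, Dict, List, Optional, Tuple

Rtts = Dict[str, float]          # link name -> round-trip delay in ms


class ProximityCache:
    def __init__(self, inactivity_timeout: float = 600.0):
        self.timeout = inactivity_timeout
        self._entries: Dict[ipaddress.IPv4Network, Tuple[Rtts, float]] = {}

    @staticmethod
    def key(ip: str) -> ipaddress.IPv4Network:
        return ipaddress.ip_network(f"{ip}/24", strict=False)

    def record(self, ip: str, rtts: Rtts, now: float) -> None:
        self._entries[self.key(ip)] = (dict(rtts), now)

    def best_link(self, ip: str, now: float) -> Optional[str]:
        """Lowest-delay link for ip's /24, or None if unknown or aged out."""
        key = self.key(ip)
        entry = self._entries.get(key)
        if entry is None:
            return None
        rtts, last_used = entry
        if now - last_used > self.timeout:
            del self._entries[key]                # inactivity timeout expired
            return None
        self._entries[key] = (rtts, now)          # refresh the inactivity timer
        return min(rtts, key=rtts.get)


def on_new_connection(dst_ip: str, links: List[str], cache: ProximityCache,
                      probe: Callable[[str, str], float], now: float, fallback: str) -> str:
    """First packet to an unknown subnet: route by the normal algorithm and
    probe the destination through each link to populate the cache."""
    link = cache.best_link(dst_ip, now)
    if link is not None:
        return link
    cache.record(dst_ip, {l: probe(l, dst_ip) for l in links}, now)
    return fallback


def static_lookup(static_table: List[Tuple[ipaddress.IPv4Network, str]], ip: str) -> Optional[str]:
    addr = ipaddress.ip_address(ip)
    for net, link in static_table:
        if addr in net:
            return link
    return None


def select_link(method: str, dst_ip: str, cache: ProximityCache,
                static_table, now: float, fallback: str) -> Tuple[str, str]:
    """Return (link, source of the decision) for the configured method."""
    if method not in ("dynamic_only", "static_only", "static_first"):
        raise ValueError(f"unknown proximity route method {method}")
    static = static_lookup(static_table, dst_ip) if method != "dynamic_only" else None
    if static is not None:
        return static, "static"
    if method == "static_only":
        return fallback, "algorithm"
    dynamic = cache.best_link(dst_ip, now)
    if dynamic is not None:
        return dynamic, "cache"
    return fallback, "algorithm"


# Constructed delays (ms) a probe would measure: link -> destination /24 -> RTT
SAMPLE_RTT = {"wan1": {"10.10.1.0/24": 42.0}, "wan2": {"10.10.1.0/24": 17.5}}


def sample_probe(link: str, dst_ip: str) -> float:
    return SAMPLE_RTT[link].get(str(ProximityCache.key(dst_ip)), 99.0)


STATIC = [(ipaddress.ip_network("192.0.2.0/24"), "wan2")]
```

The static-first method is the usual choice when some destinations must stay on a particular link for contractual or security reasons, since a measured delay can never override a static entry.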

Outbound LLB for FortiADC allows virtual tunneling. You can build IP tunnels between two FortiADC devices. These tunnels use a GRE-based proprietary protocol that allows data to travel unencrypted. You can group all the IP tunnels you create into virtual tunnels. You can also balance outbound traffic among tunnels that are part of the same virtual tunnel. Next, you will learn how to configure load balancing algorithms for outbound link load balancing virtual tunneling.

Outbound LLB virtual tunneling routes traffic based on one of two load balancing algorithms:
• Weighted round robin:
  • Means links with more weight receive more traffic
• Source-destination hash:
  • Based on consistent hashing of both the source and the destination IP addresses
  • Traffic between the same two IP addresses is always routed through the same link

Good job! You can now understand basic LLB. Now, you will learn about advanced networking and routing.

After completing this section, you should be able to achieve the objectives shown on this slide. By demonstrating competence in advanced networking and routing, you will be able to configure advanced networking and routing options such as policy routing, QoS, and NAT.

Optionally, you can configure persistence for outbound LLB so FortiADC can maintain the same outgoing gateway for packets with the same source or destination IP address. There are four types of outbound LLB persistence:
• Source destination pair:
  • Based on the destination IP address and source IP address
• Source destination address:
  • Based on the source subnet and the destination subnet
• Source address:
  • Based on the source subnet only
• Destination address:
  • Based on the destination subnet only
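
The two virtual tunnel algorithms (weighted round robin and source-destination hash) and the four outbound persistence types above are combined in the following added example, written for this guide and not FortiADC code. It hands out gateways in proportion to their weights, keeps a given source-destination pair on one link, and shows what each persistence type uses as its lookup key. The hash here is a plain modulo hash rather than the consistent hash the slide mentions, the /24 subnet size used for the address-based types is an assumption, and the gateway names, weights and addresses are constructed.

```python
"""Outbound LLB: weighted round robin, source-destination hash, and persistence.

Added example, not FortiADC code. WeightedRoundRobin interleaves picks in
proportion to weight; src_dst_hash pins a (source, destination) pair to one
link; persistence_key builds the key for each outbound persistence type and
OutboundBalancer ties that key to the gateway chosen for its first packet.
"""
import hashlib
import ipaddress
from typing import Dict, List, Optional


class WeightedRoundRobin:
    """Smooth weighted round robin: a weight-3 link is chosen three times for
    every one pick of a weight-1 link, interleaved rather than in bursts."""

    def __init__(self, weights: Dict[str, int]):
        self.weights = dict(weights)
        self._current = {link: 0 for link in weights}

    def next(self) -> str:
        total = sum(self.weights.values())
        for link, weight in self.weights.items():
            self._current[link] += weight
        best = max(self._current, key=self._current.get)
        self._current[best] -= total
        return best


def src_dst_hash(links: List[str], src: str, dst: str) -> str:
    """Same (source, destination) pair always maps to the same link."""
    digest = hashlib.sha256(f"{src}->{dst}".encode()).digest()
    return links[int.from_bytes(digest[:8], "big") % len(links)]


def persistence_key(mode: str, src: str, dst: str, prefix: int = 24) -> str:
    """Lookup key for each outbound persistence type (subnet size is an assumption)."""
    src_net = ipaddress.ip_network(f"{src}/{prefix}", strict=False)
    dst_net = ipaddress.ip_network(f"{dst}/{prefix}", strict=False)
    if mode == "src_dst_pair":         # exact source and destination addresses
        return f"{src}->{dst}"
    if mode == "src_dst_address":      # source subnet and destination subnet
        return f"{src_net}->{dst_net}"
    if mode == "src_address":
        return str(src_net)
    if mode == "dst_address":
        return str(dst_net)
    raise ValueError(f"unknown persistence mode {mode}")


class OutboundBalancer:
    def __init__(self, weights: Dict[str, int], persistence: Optional[str] = None):
        self.wrr = WeightedRoundRobin(weights)
        self.persistence = persistence
        self._table: Dict[str, str] = {}     # persistence key -> gateway

    def gateway_for(self, src: str, dst: str) -> str:
        if self.persistence is None:
            return self.wrr.next()
        key = persistence_key(self.persistence, src, dst)
        if key not in self._table:
            self._table[key] = self.wrr.next()
        return self._table[key]
```

Persistence trades balance for stability: with source-address persistence a busy /24 stays on whichever gateway its first packet landed on, so the weights only shape the distribution of new subnets, not of bytes.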

So, how does FortiADC decide to route a packet? When there is an incoming packet, the first table that FortiADC checks is the content route table. FortiADC checks if the URL or host matches any rule in the content route table. If there is a match, the packet is routed based on that content route rule. If there is no match, FortiADC checks the source and destination IP address for a match in the policy route table. If there is a match in the policy route table, the packet is routed based on that rule. If there is no match in the policy route table, then FortiADC checks the destination IP address for a match in the routing table. The routing table contains static routes and OSPF routes. If there is a match, FortiADC routes the packet. If there is no match, the packet is dropped because FortiADC doesn’t know how to route it.

You can configure a source NAT (SNAT) table, which contains the rules for one-to-many translation of the source IP address. The SNAT table works in a similar way to the firewall policy tables. FortiADC searches the table from top to bottom and uses the first rule it finds that matches the traffic.

Another NAT table on FortiADC is the one-to-one NAT table, which contains the rules for one-to-one static bidirectional NAT translation. This slide shows an example of port forwarding, or PAT. PAT works in a similar way to VIPs on FortiGate devices.

FortiADC has limited support for QoS. With FortiADC, you can limit the available bandwidth for non-priority traffic. For example, you might want to limit available bandwidth so traffic that is sensitive to bandwidth and delay can receive a higher priority.

To configure QoS, you must first configure the queues that define the different bandwidth limits. Then, you assign the queues to the filters that specify the traffic limited by each queue.

Typically, routing is done based on the destination IP address. FortiADC can use policy routing to route traffic based on the source IP address. In the table shown on this slide, FortiADC is configured to route all traffic coming from subnet 172.16.1 and going to the Internet through the first gateway on the left. For traffic that comes from one specific IP address, 172.17.1.1, FortiADC is configured to use the middle link. And finally, traffic from subnet 172.17.1 is routed through the link on the right. In this way, traffic is routed based on the source IP address, using three different links.

The policy routing configuration table contains the rules that specify the source IP address, the destination IP address, and the gateway to use for traffic that matches those settings. FortiADC searches the table from top to bottom and uses the first rule that matches the traffic. If there is no match, FortiADC uses the regular routing table to route the packet.
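
The lookup order from the earlier routing slide (content route table, then policy route table, then routing table, otherwise drop) combined with the first-match policy routing table described above, as an added Python example that is not from the study guide. The subnets follow the policy routing slide; the gateway names, the content route entry and the default route are placeholders.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional

Net = ipaddress.IPv4Network


@dataclass
class ContentRoute:
    host: Optional[str]         # match on the HTTP Host header, or None
    url_prefix: Optional[str]   # match on a URL prefix, or None
    gateway: str


@dataclass
class PolicyRoute:
    source: Net
    destination: Net
    gateway: str


@dataclass
class StaticRoute:
    destination: Net
    gateway: str


@dataclass
class Packet:
    src: str
    dst: str
    host: Optional[str] = None   # present only for Layer 7 (HTTP) traffic
    url: Optional[str] = None


@dataclass
class RouteLookup:
    content_routes: List[ContentRoute] = field(default_factory=list)
    policy_routes: List[PolicyRoute] = field(default_factory=list)
    routing_table: List[StaticRoute] = field(default_factory=list)

    def lookup(self, pkt: Packet) -> Optional[str]:
        """Return the gateway to use, or None when the packet must be dropped."""
        src, dst = ipaddress.ip_address(pkt.src), ipaddress.ip_address(pkt.dst)
        # 1. Content route table: every criterion the rule sets must match.
        for cr in self.content_routes:
            checks = []
            if cr.host is not None:
                checks.append(cr.host == pkt.host)
            if cr.url_prefix is not None:
                checks.append(pkt.url is not None and pkt.url.startswith(cr.url_prefix))
            if checks and all(checks):
                return cr.gateway
        # 2. Policy route table: first rule, top to bottom, on source and destination.
        for pr in self.policy_routes:
            if src in pr.source and dst in pr.destination:
                return pr.gateway
        # 3. Routing table (static and OSPF routes): longest prefix match on destination.
        best: Optional[StaticRoute] = None
        for sr in self.routing_table:
            if dst in sr.destination and (
                best is None or sr.destination.prefixlen > best.destination.prefixlen
            ):
                best = sr
        # 4. No match anywhere: FortiADC does not know how to route it, so it drops.
        return best.gateway if best is not None else None


def slide_example() -> RouteLookup:
    """The policy routing table from the slide, plus assumed content and static routes."""
    n = ipaddress.ip_network
    return RouteLookup(
        content_routes=[ContentRoute(host="static.example.com", url_prefix=None,
                                     gateway="gw-content")],
        policy_routes=[
            PolicyRoute(n("172.16.1.0/24"), n("0.0.0.0/0"), "gw-left"),
            # The single-host rule must sit above the /24 rule: first match wins.
            PolicyRoute(n("172.17.1.1/32"), n("0.0.0.0/0"), "gw-middle"),
            PolicyRoute(n("172.17.1.0/24"), n("0.0.0.0/0"), "gw-right"),
        ],
        routing_table=[
            StaticRoute(n("192.168.0.0/16"), "gw-internal"),
            StaticRoute(n("0.0.0.0/0"), "gw-default"),
        ],
    )
```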

FortiADC uses OSPF to communicate with other OSPF routers, and to advertise its routes and dynamically populate its routing table.

You can define subnets and their associated OSPF areas on the Networking > Routing > OSPF screen in the Network section.

The example on this slide shows where you define interfaces and their respective metrics.

When you read about BGP, you often see EBGP (Exterior BGP) or IBGP (Interior BGP) mentioned. These are both BGP routing, but BGP used in different roles. EBGP involves packets crossing multiple autonomous systems (AS), whereas IBGP involves packets that stay within a single AS. For example, the AS_PATH attribute is only useful for EBGP, where routes pass through multiple ASs. These two modes are important because some features of BGP are used for only one of EBGP or IBGP. For example, confederations are used in EBGP, and route reflectors are only used in IBGP. Also, routes learned from IBGP have priority over EBGP learned routes. Before you begin, you must:
• Know how BGP has been implemented in your network; that is, you must know the configuration details of the implementation
• Have read-write permission for system settings
• Have configured all the needed access (IPv6) lists and prefix (IPv6) lists

Congratulations! You have completed this lesson. Now, you will review the objectives that you covered in this lesson.

This slide shows the objectives covered in this lesson. By mastering LLB and advanced networking, you will be able to configure LLB, and create virtual tunnels and link groups. You will also be able to configure advanced networking and routing options, such as policy routing, QoS, and NAT.

 Global Load Balancing

In this lesson, you will learn about global load balancing (GLB).

In this lesson, you will explore the topics shown on this slide.

After completing this section, you should be able to achieve the objectives shown on this slide. By demonstrating competence in describing the GLB framework, and understanding how GLB works, you will be able to implement it on your FortiADC.

GLB is a DNS-based solution that enables you to deploy redundant resources around the globe. You can use these redundant resources to keep your business online when a local area deployment experiences unexpected spikes in traffic, or downtime. GLB is a two-layer technique consisting of global server load balancing (global SLB) and local server load balancing (SLB). Global SLB refers to the global balancing of traffic across multiple, geographically diverse FortiADCs, while SLB refers to the load balancing done by the individual FortiADC across the local data center.

Global SLB is a fully-featured DNS solution based on a customized and hardened BIND 9 DNS implementation. You can deploy GLB as the authoritative name server for the DNS zones you configure. Using FortiADC’s GLB, you create a GLB framework that accounts for location, health, and round-trip time (RTT). When a GLB framework is in place, DNS directs client requests to a virtual server that is close, available, and has low latency.

FortiADC implements security features in GLB and DNS, including DNSSEC, response rate limits, and DNS forwarding. DNSSEC is a set of extensions to DNS that provides DNS clients (known as resolvers) with origin authentication of DNS data, authenticated denial of existence, and data integrity. Response rate limits help to mitigate DNS DoS attacks by reducing the rate at which the authoritative DNS server responds to high volumes of malicious queries. DNS forwarding works by sending requests for remote resources to another DNS server known as a forwarder. The internal server then caches those results, which optimizes further lookups and reduces the number of DNS servers communicating over the Internet.

Server availability is identified by FortiADC using real-time connectivity checking. FortiADC redirects client sessions based on server availability. If there is availability in the local pool, FortiADC replies with its virtual IP address. In the example shown on this slide, FortiADC has to be the authoritative DNS server for the fully qualified domain name that the customer is trying to reach.

If the local pool is not available, FortiADC replies to those DNS requests with the remote peer virtual IP address instead.

The example on this slide shows a GLB deployment with redundant resources at data centers in China and the United States. FortiADC-1 is the local SLB for the data center in China. FortiADC-2 is the local SLB for the data center in the United States. FortiADC-3 is a global SLB. It hosts the DNS server that is authoritative for www.example.com. When a client clicks a link to www.example.com, the local host DNS resolver commences a DNS query that is ultimately resolved by the authoritative DNS server on FortiADC-3. The set of possible responses includes the virtual servers on FortiADC-1 or FortiADC-2. The GLB framework uses location and health status to determine the set of responses that are returned. For example, you can use the GLB framework to direct clients located in China to the virtual server in China, or, if the virtual server in China is unavailable, then to the redundant resources in the United States. The virtual server IP addresses and ports can be discovered by the FortiADC GLB from the FortiADC local SLBs. The GLB DNS server uses the discovered IP addresses in the DNS response. The framework also supports third-party IP addresses and health checks for those addresses.

Good job! You now understand the principles of GLB. Now, you will learn how to configure GLB.

After completing this section, you should be able to achieve the objectives shown on this slide. By demonstrating competence in configuring GLB, you will be able to ensure that all elements of GLB are configured correctly for your network.

GLB uses mandatory and optional configuration objects. Some mandatory objects are predefined, and include the ability to add more objects or customize existing ones. Others, such as the zone, are auto-generated but can be created and customized by the administrator. Optional objects are not required, or are preset, such as the general settings and response rate limit objects.

When you deploy a GLB solution, you configure DNS server and GLB details on the global FortiADC instance only. The configuration framework allows for granular administration and fine tuning of both the DNS server and GLB frameworks. The order of configuration is important for initial configurations because complex objects, like policies, rely on simple objects, like remote DNS servers or DNS64 rules, so the simple elements must be configured first. Fortunately, some objects are preconfigured and you can fine tune them later, if necessary. Auto-generated zones rely on numerous other objects, so make sure to customize your deployments where required. Many objects are optional. You can configure optional objects and add them to existing policies later. To configure a DNS server solution, do the following:
1. Review and configure the address groups to use in your DNS policy matching rules. You can use the predefined any and none address groups.
2. Configure remote DNS servers, or forwarders, and the DSSET list (optional).
3. Complete the zone configuration. Zones, including FortiADC virtual servers, auto-generate; however, you can add additional zones manually.
4. Configure DNS64 and response rate limits (optional).
5. Configure DNS policies and DNSSEC.
6. Configure the remaining general DNS settings.

In configuring GLB, many objects will require that components of your underlying infrastructure are up and running so that you can test the solution. For example, virtual servers, and their corresponding back-end servers should be in place before virtual server pools can be created in Global Load Balancing. Step 1 is configuring dynamic proximity, data centers, servers, virtual server pools, and hosts. These are required for FortiADC to generate a working DNS zone configuration and resource records. Step 2 is reviewing the autogenerated DNS zone configuration. Finally, step 3 is creating the DNS policy.

Use the address group object to specify the source and destination IP addresses that will be used as matching criteria in your DNS policies. You can use the predefined Any and None groups, or you can add your own groups.

Remote DNS servers are optional. You can use remote DNS servers to create a list of DNS forwarders, which you can use when you don’t want the local DNS server to connect to Internet DNS servers. For example, if your local DNS server is behind a firewall and you don’t want to allow DNS through that firewall, you can implement DNS forwarding to a remote server deployed in a DMZ, or similar network region, that can contact Internet DNS servers. You can use remote DNS servers in DNS zone and DNS policy configurations.

If DNSSEC is enabled, secure communication between the FortiADC DNS and any child DNSs is based on keys contained in DSSET files. DSSET files are generated automatically, once the zone is signed by DNSSEC.

It’s optional to configure DNS64 for FortiADC. DNS64 is used to map IPv4 addresses to AAAA queries when there are no AAAA records. You can use DNS64 for segments using NAT64 to support IPv6 client communication with the backend servers.

The response rate limit keeps the FortiADC’s authoritative DNS server from being used in an amplifying reflection DoS attack. The default response rate limit is 1000 responses per second, but you can set this limit to any value between 1 and 2048 responses per second. You can create up to 256 different response rate limits to use in DNS policies.

The general DNS settings allow you to specify which interfaces listen for DNS requests. By default, FortiADC listens for DNS requests on all configured addresses and interfaces. Other settings apply when traffic does not match a global DNS policy. Key elements of the general DNS settings include enabling or disabling global DNS, recursion, and DNSSEC and DNSSEC validation. You can also set the default forwarding behaviour and response rate limit in the general DNS settings.

You can use the Dynamic Proximity setting to order DNS lookup results based on the RTT of ICMP or TCP probes sent by the local SLB to the DNS resolver that sent the DNS request. FortiADC caches the RTT results for the specified timeout. For any subsequent requests from IP addresses in the specified netmask, FortiADC takes the RTT from the results table instead of issuing a new real-time probe. This reduces DNS response time.

The Data Center is a required component of a GLB configuration. Configuring the data center allows you to set key properties, such as Location, ISP, or both, and ISP State/Province. The GLB algorithm uses these properties to select the FortiADC that is closest to the client.

Good job! You now understand how to configure GLB. Now, you will learn how to configure zones and servers.

After completing this section, you should be able to achieve the objectives shown on this slide. By demonstrating competence in configuring servers and zones, you will be able to set up servers, virtual server pools, zones, and DNS policies.

Servers are another required component of a GLB configuration. Use servers to specify the local SLBs, either FortiADC instances or third-party servers, that are to be load balanced. For FortiADC instances, the GLB feature checks the status and synchronizes configurations from the local SLBs so that it can learn the set of virtual servers that can be included in the GLB VS pool. For the discovery feature to work, you must first create the data center objects associated with the local SLB, as well as the virtual server configurations on the local FortiADC SLBs to be included in the GLB VS pools. If you want to configure a gateway health check, you must also create gateway objects on the local FortiADC SLBs. After you meet these requirements and add a server to global server load balancing, you can click Discover to allow FortiADC to discover the local VSs and populate the members list.

The VS pool configuration is also mandatory. It defines the set of VSs that can be matched in DNS resource records, so it should include all the VSs that can be answers for DNS requests to resolve www.example.com. The VS pool also specifies key parameters of the GLB algorithm, including proximity options, status checking options, load balancing method, and weight. You specify VS pools in the GLB host configuration.

The DNS response to the client is an ordered list of answers, which excludes unavailable VSs. The available servers are ordered based on the following priorities:
1. Geographic proximity
2. Dynamic proximity
3. Weighted round robin
A client receiving the DNS response as a list of answers tries the first answer and only proceeds to the next answers if the first answer is unreachable.
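
The answer ordering above, together with the dynamic proximity RTT cache from the earlier Dynamic Proximity slide, as an added Python example that is not from the study guide. The probe is a stub supplied by the caller, the resolver's location is passed in as a parameter (an assumption; FortiADC derives it itself), and the pool members, locations and RTT values are constructed.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Tuple


@dataclass
class VirtualServer:
    ip: str
    data_center: str   # data center object the VS belongs to, e.g. "dc-cn"
    location: str      # the data center's Location property, e.g. "CN"
    weight: int
    available: bool    # result of the GLB status check


# Probe callback (data_center, resolver_ip) -> RTT in ms. On FortiADC the local
# SLB sends an ICMP or TCP probe to the resolver; here the caller passes a stub.
Probe = Callable[[str, str], float]


@dataclass
class DynamicProximityCache:
    """Caches probe RTTs per resolver netmask for `timeout` seconds."""
    netmask: int = 24
    timeout: float = 300.0
    _table: Dict[Tuple[str, str], Tuple[float, float]] = field(default_factory=dict)

    def rtt(self, data_center: str, resolver_ip: str, probe: Probe, now: float) -> float:
        net = str(ipaddress.ip_network(f"{resolver_ip}/{self.netmask}", strict=False))
        cached = self._table.get((data_center, net))
        if cached is not None and now - cached[1] < self.timeout:
            return cached[0]                          # served from the results table
        measured = probe(data_center, resolver_ip)    # real-time probe only on a miss
        self._table[(data_center, net)] = (measured, now)
        return measured


class GlbResponder:
    """Builds the ordered DNS answer list for one VS pool."""

    def __init__(self, pool: List[VirtualServer], cache: DynamicProximityCache, probe: Probe):
        self.pool, self.cache, self.probe = pool, cache, probe
        self._rr_counter = 0

    def _weighted_rr_order(self, members: List[VirtualServer]) -> List[VirtualServer]:
        # Expand by weight, rotate by a per-request counter, then dedupe in order.
        slots = [vs for vs in members for _ in range(max(vs.weight, 1))]
        start = self._rr_counter % len(slots)
        self._rr_counter += 1
        ordered: List[VirtualServer] = []
        for vs in slots[start:] + slots[:start]:
            if vs not in ordered:
                ordered.append(vs)
        return ordered

    def answers(self, resolver_ip: str, resolver_location: str, now: float) -> List[str]:
        members = [vs for vs in self.pool if vs.available]   # unavailable VSs are excluded
        if not members:
            return []
        ordered = self._weighted_rr_order(members)            # priority 3: weighted round robin
        # A stable sort keeps the round-robin order for members that tie on 1 and 2.
        ordered.sort(key=lambda vs: (
            0 if vs.location == resolver_location else 1,     # priority 1: geographic proximity
            self.cache.rtt(vs.data_center, resolver_ip, self.probe, now),  # priority 2: dynamic
        ))
        return [vs.ip for vs in ordered]
```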

You can add up to 256 servers to a VS pool.

Use host settings, which are also mandatory, to form the zone configuration and RRs in the generated DNS zone used for GLB. Host settings are mapped to zone settings and RRs. The system uses the Domain Name and Host Name settings in both the configuration and the generated configuration name. The system derives the IP address and weight from the VS pool.

The DNS zone configuration is key to the GLB solution. It contains key DNS server settings, such as domain name and name server details, type (whether master or forwarder), and whether DNSSEC is enabled or not. It also contains the DNS resource records that are used to resolve DNS queries. Each zone can have different DNS server settings. For example, the DNS server can be a master for one zone and a forwarder for another zone. You can create up to 256 zones for use in DNS policies.

This slide shows an example of an auto-generated zone.

Because FortiADC is now an authoritative DNS server, you can add A and AAAA records, CNAME records, and NS records. You can also add MX and TXT records to the zone.

The global DNS policy is a rule base that matches traffic to DNS zones. Traffic that matches a zone, source, and destination criteria is served by the global DNS policy. Traffic that does not match any specific policy is served by the DNS general settings. You can create up to 256 different global DNS policies.

Congratulations! You have completed this lesson. Now, you will review the objectives that you covered in this lesson.

This slide shows the objectives covered in this lesson. By mastering GLB, servers, and zones, you will be able to implement these capabilities on your FortiADC.

 Security

In this lesson, you will learn about security.

In this lesson, you will explore the topics shown on this slide.

After completing this section, you should be able to achieve the objectives shown on this slide. By demonstrating competence in network security, you will be able to ensure that the various security features of FortiADC are correctly configured to help protect your network.

The best approach to sound security is a layered approach. The first layer is made up of firewall policies. A firewall policy is a set of rules that are applied to traffic that passes through FortiADC and defines whether a new client connection is allowed. By default, all new connections are accepted. Blocking or allowing traffic based on ports and IP addresses is your first line of defense when implementing security within your network. For example, if you don’t need to allow the use of the File Transfer Protocol (FTP), you can block the FTP port. You can create firewall policies for both IPv4 and IPv6 traffic for FortiADC. Now you will learn how firewall policies work. When a packet arrives at an interface, FortiADC analyzes the packet and checks its routing table to see where the packet should be sent. If it’s a routable packet, FortiADC searches the firewall policies for a match. To find a policy match, FortiADC checks the ingress and egress interfaces, source and destination IP addresses, and the service. After FortiADC finds a policy match, it applies the rules for the policy.

FortiADC firewall policies make use of system-shared resources such as firewall addresses and services. Addresses and services can be further aggregated into address groups and service groups, for ease of management. You configure IP address ranges and subnets for firewall addresses, and IP protocols and TCP/UDP port numbers for service objects.

To create a firewall policy in FortiADC, you must configure the inbound interface, outbound interface, source address, destination address, service, and action (which can be either accept or deny). You also have the option to specify the default action, which is the action to be taken by FortiADC for traffic that doesn’t match any of the firewall policies. By default, the action is Accept, but you can change it to Deny. FortiADC uses the first match for the traffic that it finds in the policy in a search from top to bottom. Because of the system resources required by the firewall function, overall FortiADC performance will be impacted. It is important to be aware of this when deciding to implement the firewall feature.

The connection limit table contains a set of rules that you can use to limit the number of concurrent connections. In the example shown on this slide, the number of concurrent connections is limited for each destination IP address and for each source IP address.

FortiADC offers a mechanism to protect your servers against SYN flood attacks. Now you will learn how a SYN flood attack works. On many servers, the information about each TCP connection is stored in a transmission control block (TCB), which is part of the server’s memory. During a SYN flood attack, an attacker sends a large number of SYN packets from spoofed IP addresses to the server. An entry is created in the TCB each time a SYN packet arrives, to store the information contained in the SYN packet fields. A SYN flood attack is effective when it exhausts the memory available for the TCB. Once the TCB table is exhausted, legitimate users can’t connect to the server.

To protect the servers from SYN flood attacks, FortiADC offers a feature called SYN cookie protection. Here’s how it works. For each SYN packet it receives, FortiADC sends a SYN/ACK with a cookie value in the TCP sequence number field, and then waits for the ACK packet. If it receives an ACK packet containing the right cookie, the device proxies the TCP connection to the server. Consequently, SYN packets from an attacker never arrive at the server. SYN packets go to the server only when FortiADC has confirmed that the sender is a legitimate user.
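
An added Python illustration of the SYN cookie mechanism, not FortiADC’s implementation: the bit layout, secret, MSS table and timing window are assumptions. The point it shows is that the cookie itself carries the handshake state, so nothing is stored per SYN, and only an ACK that returns a fresh, authentic cookie for its own 4-tuple is proxied to the server.

```python
import hashlib
import hmac
import ipaddress
import struct
from typing import List, Optional, Tuple

FourTuple = Tuple[str, int, str, int]   # (client_ip, client_port, vip, vport)

# Constructed demo parameters; a production implementation rotates the secret
# and uses a tighter bit layout. None of this is FortiADC's actual format.
SECRET = b"constructed-demo-secret-rotate-me"
MSS_TABLE = (536, 1220, 1440, 1460)   # MSS values the 2-bit field can encode
TICK_SECONDS = 64                     # cookie time counter granularity
MAX_AGE_TICKS = 2                     # accept the current tick and the two before it


def _mac(ft: FourTuple, tick: int) -> int:
    """25-bit keyed MAC over the 4-tuple and the time tick."""
    msg = struct.pack("!4sH4sHI", ipaddress.ip_address(ft[0]).packed, ft[1],
                      ipaddress.ip_address(ft[2]).packed, ft[3], tick)
    digest = hmac.new(SECRET, msg, hashlib.sha256).digest()
    return int.from_bytes(digest[:4], "big") & 0x01FFFFFF


def _encode_mss(client_mss: int) -> int:
    """Largest table entry not exceeding the client's MSS (index 0 if none fit)."""
    idx = 0
    for i, mss in enumerate(MSS_TABLE):
        if mss <= client_mss:
            idx = i
    return idx


def make_cookie(ft: FourTuple, client_mss: int, now: float) -> int:
    """32-bit cookie: 5 bits tick | 2 bits MSS index | 25 bits MAC."""
    tick = int(now // TICK_SECONDS) & 0x1F
    return (tick << 27) | (_encode_mss(client_mss) << 25) | _mac(ft, tick)


def verify_cookie(ft: FourTuple, cookie: int, now: float) -> Optional[int]:
    """Return the encoded MSS if the cookie is fresh and authentic, else None."""
    tick = (cookie >> 27) & 0x1F
    current = int(now // TICK_SECONDS) & 0x1F
    if (current - tick) & 0x1F > MAX_AGE_TICKS:   # 5-bit counter wraps every 32 ticks
        return None
    if (cookie & 0x01FFFFFF) != _mac(ft, tick):
        return None
    return MSS_TABLE[(cookie >> 25) & 0x3]


class SynCookieProxy:
    """Stateless SYN handling: nothing is stored until the client proves its cookie."""

    def __init__(self) -> None:
        self.proxied: List[Tuple[FourTuple, int]] = []   # connections opened to the server

    def on_syn(self, ft: FourTuple, client_mss: int, now: float) -> int:
        # Reply with a SYN/ACK whose sequence number is the cookie; keep no TCB entry.
        return make_cookie(ft, client_mss, now)

    def on_ack(self, ft: FourTuple, ack_number: int, now: float) -> bool:
        # The client's ACK acknowledges our sequence number + 1, so cookie = ack - 1.
        mss = verify_cookie(ft, (ack_number - 1) & 0xFFFFFFFF, now)
        if mss is None:
            return False   # spoofed, forged or stale: the server never sees this SYN
        self.proxied.append((ft, mss))   # only now open the real TCP connection
        return True
```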

FortiGuard IP Reputation is another feature for FortiADC that can prevent malicious connections to your servers. FortiGuard is a worldwide distributed server network that provides, among many other services, an up-to-date list of IP addresses that could threaten your network. You must purchase a subscription to use the FortiGuard IP Reputation service.

Using FortiGuard IP Reputation, you can configure FortiADC to periodically download the latest list of blacklisted IP addresses from FortiGuard. If the FortiADC doesn’t have Internet access, you can download the list from FortiGuard and upload it manually to FortiADC.

After you enable FortiGuard IP Reputation, FortiADC blocks any traffic coming from an IP address that has a poor reputation or has been blacklisted by the FortiGuard IP Reputation list. Alternatively, in the case of HTTP and HTTPS, FortiADC can redirect users to a different URL.

The Geo IP database is a FortiGuard security service that maps IP addresses to countries, satellite providers, and anonymous proxies. Similar to the FortiGuard IP Reputation database, the Geo IP database is updated periodically. The Geo IP service allows FortiADC to respond in one of four ways to a request from an IP address that is on the block list:
• Pass the packet along
• Deny and drop the packet
• Redirect the packet to another destination
• Respond to the packet with an error message of “403 Forbidden”

This slide shows the Geo IP Protection configuration screen. You can create up to 256 Geo IP policy objects. Each object can contain up to 256 distinct countries.

You can configure exceptions to Geo IP Policies by adding entries to the Geo IP Whitelist, which is based on the IP Subnet.

In the example shown on this slide, you can see Geo IP at work in the SLB Layer 4 logs, where source IP addresses can be mapped to their country of origin. In this example, because they are private IP addresses, the countries show as Reserved.

FortiADC is the first ADC solution on the market with support for Sandbox service integration. This means that FortiADC supports security fabric integration for advanced threat detection. The feature on FortiADC supports the HTTP, HTTPS, and SMTP protocols. Web application file uploads are first cleared by FortiADC’s AV scanner and then sent to FortiSandbox for further analysis. In other words, FortiADC first conducts some basic analysis with its AV engine and then submits all suspicious files to FortiSandbox for further analysis. FortiSandbox will then drop or quarantine the malicious traffic and forward healthy traffic segments to the back-end servers. A log is generated whenever a file is uploaded to FortiSandbox.

Malware and advanced persistent threats (APT) can cause significant damage to the business of any organization. Malicious code is commonly used to steal valuable data, gain unauthorized access to networks, or cause products to degrade. Using a suite of integrated security technologies, AV solutions provide protection against a variety of threats, including both known and unknown malicious code (malware) and advanced targeted attacks (ATA). Integrated with the FortiOS AV engine, FortiADC provides an industry-class malware and APT detection and mitigation solution to our customers. This slide illustrates how FortiADC's AV module works:
1. Automatically updates the latest attack signatures from FortiGuard to ensure real-time protection.
2. Submits all files, including suspicious files, to an on-premise device (FortiSandbox) or cloud-based service (FortiCloud Sandbox) for further analysis after performing the basic AV processing on its own.
3. Malicious files will be dropped or quarantined, and healthy ones will be forwarded to the back-end servers.

You must configure AV profiles to use the AV service module, which can be done either on the GUI or the CLI. Once created, you can include your AV profiles when creating advanced virtual server profiles that use the HTTP or HTTPS protocol.

The quarantine daemon manages the infected or suspicious files. This is a multi-process daemon, which receives quarantine requests from the AV daemon and then processes the requests in child processes. It can work in tandem with remote devices to complement the AV service, such as sending suspicious files to FortiSandbox for deeper inspection or uploading the archive package onto FortiCloud. In addition, it also manages the use of the storage space: listing the quarantined files, deleting expired files, overriding old files, or dropping new files when there is not enough storage space available.


FortiADC's AV service relies on the system's AV engine and signature databases. The AV engine is upgraded whenever new functions are added. The update daemon is responsible for updating the AV engine and the signature databases. The system offers three types of AV signature databases: Normal, Extended, and Extreme. They represent different levels of AV service. For FortiADC to provide the level of AV service that you want, you must choose the appropriate signature database.


Good job! You now understand the network security features of FortiADC. Now, you will learn how to implement user authentication.


After completing this section, you should be able to achieve the objectives shown on this slide. By demonstrating competence in user authentication, you will be able to set up authentication policies on your FortiADC.


FortiADC allows you to set conditions for authentication and identify the user group that can access a resource controlled by FortiADC. This slide shows the client-server communications authentication process. The prerequisites for the authentication process are as follows:
• The virtual server must be Layer 2 or Layer 7
• The profile type must be HTTP or HTTPS
• The once-only profile option must be disabled
If the prerequisites are met, the authentication process occurs as follows:
1. The client sends an HTTP request to FortiADC for a URL belonging to a FortiADC virtual server that has an authorization policy, in this case www.example.com.
2. FortiADC replies to the client with an HTTP 401 message to request authorization. On the client device, the user may be prompted to enter credentials.
3. The client reply is sent, which includes an authorization header that passes the credentials to FortiADC.
4. FortiADC sends a request to the server, whether local, LDAP, or RADIUS, in order to authenticate the user.
5. The authentication server sends its response to FortiADC, which can be cached according to your user group configuration.
6. If authentication is successful, FortiADC continues to process the traffic and forwards the request to the real server.
7. The real server responds with an HTTP 200 OK message.
8. FortiADC processes the traffic and forwards the server response to the client.
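The eight-step exchange above, as an added Python simulation that is not FortiADC code and not part of the study guide: an AuthProxy stands in for the virtual server with an authentication policy, an AuthServer for the local, LDAP or RADIUS back end, and the HTTP 401 challenge, the Authorization header, the cached verdict and the 200 OK from the real server are all modelled. The user group contents, the realm name and the 300-second cache lifetime are assumptions; the cache stores a digest of the credentials rather than the credentials themselves.

```python
"""Simulation of the HTTP 401 challenge flow a FortiADC authentication policy
performs in front of a real server. Constructed illustration, not FortiADC
code; user group, realm and cache TTL are assumptions."""
import base64
import hashlib
import hmac
import time
from typing import Any, Dict, Optional, Tuple

Response = Tuple[int, Dict[str, str], str]  # status, headers, body


class AuthServer:
    """Stand-in for the local, LDAP or RADIUS server (steps 4 and 5)."""

    def __init__(self, users: Dict[str, str]) -> None:
        self.users = users
        self.calls = 0  # counts lookups so the effect of the cache is visible

    def verify(self, user: str, password: str) -> bool:
        self.calls += 1
        stored = self.users.get(user, "")
        # constant-time comparison so timing does not leak the stored value
        return hmac.compare_digest(stored.encode(), password.encode())


def parse_basic_authorization(header: str) -> Optional[Tuple[str, str]]:
    """Decode 'Authorization: Basic <base64(user:password)>'; None if malformed."""
    scheme, _, token = header.strip().partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    user, sep, password = decoded.partition(":")
    if not sep or not user:
        return None
    return user, password


class AuthProxy:
    """Models the virtual server that has an authentication policy attached."""

    def __init__(self, auth_server: AuthServer, realm: str, cache_ttl: float = 300.0) -> None:
        self.auth_server = auth_server
        self.realm = realm
        self.cache_ttl = cache_ttl  # assumed lifetime of a cached verdict
        self._cache: Dict[str, Tuple[bool, float]] = {}  # digest -> (verdict, expiry)

    def _challenge(self) -> Response:
        # step 2: ask the client for credentials
        return 401, {"WWW-Authenticate": f'Basic realm="{self.realm}"'}, ""

    def _verdict(self, user: str, password: str, now: float) -> bool:
        # keyed by a digest so plaintext credentials are never kept (assumption)
        key = hashlib.sha256(f"{user}:{password}".encode()).hexdigest()
        hit = self._cache.get(key)
        if hit is not None and hit[1] > now:
            return hit[0]
        verdict = self.auth_server.verify(user, password)  # step 4
        self._cache[key] = (verdict, now + self.cache_ttl)  # step 5, cached
        return verdict

    def handle(self, request: Dict[str, Any], now: Optional[float] = None) -> Response:
        now = time.time() if now is None else now
        headers = {k.lower(): v for k, v in request.get("headers", {}).items()}
        auth = headers.get("authorization")
        creds = parse_basic_authorization(auth) if auth else None  # step 3
        if creds is None or not self._verdict(creds[0], creds[1], now):
            return self._challenge()
        return real_server(request)  # step 6: forward to the real server


def real_server(request: Dict[str, Any]) -> Response:
    """Stand-in back end; step 7 in the sequence."""
    return 200, {"Content-Type": "text/plain"}, f"OK {request.get('path', '/')}"


def make_request(path: str, user: Optional[str] = None, password: str = "") -> Dict[str, Any]:
    """Build a client request, optionally carrying Basic credentials (step 1 / step 3)."""
    headers: Dict[str, str] = {"Host": "www.example.com"}
    if user is not None:
        token = base64.b64encode(f"{user}:{password}".encode()).decode()
        headers["Authorization"] = f"Basic {token}"
    return {"method": "GET", "path": path, "headers": headers}


if __name__ == "__main__":
    proxy = AuthProxy(AuthServer({"alice": "s3cret"}), realm="www.example.com")
    print(proxy.handle(make_request("/")))                     # 401 challenge
    print(proxy.handle(make_request("/", "alice", "s3cret")))  # 200 from the real server
```

The `now` parameter exists so the cache expiry can be exercised deterministically; in real use it defaults to the wall clock. Note that a failed verdict is cached too, which is what keeps a flood of bad credentials from turning into a flood of LDAP or RADIUS queries.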


FortiADC’s authentication policies support local user groups as well as RADIUS and LDAP servers. To create local users and groups, on the GUI, click User Authentication > User Group.


To create authentication policies, on the GUI, click User Authentication > Authentication Policy. To maintain granular control of user authentication, you can create multiple policies, and define multiple members.


After you create the authentication policy, you can select it in the settings for the virtual server, in the Auth Policy drop-down menu.


Good job! You can now configure user authentication. Now, you will learn about the web application firewall capabilities of FortiADC.


After completing this section, you should be able to achieve the objectives shown on this slide. By demonstrating competence in describing WVS and configuring WAF, you will be able to ensure that your FortiADC is OWASP-compliant for secure transactions.


In order to comply with the OWASP Top 10 requirements, FortiADC needed to add WVS. This tool helps to cover the following criteria:
• A6: Security Misconfiguration
• A9: Using Components with Known Vulnerabilities
• A8: Insecure Deserialization
WVS is a set of automated tools that perform black-box tests on web applications, looking for security vulnerabilities such as cross-site scripting, SQL injection, command injection, source code disclosure, and insecure server configuration. FortiADC uses Skipfish, an active web application security tool (pure C code) that includes the following:
• Support for a variety of quirky web frameworks and mixed-technology sites
• Automatic learning capabilities
• Blind injection vectors
• Full reporting on vulnerability risks


Each WVS task is limited to 50 policies, and a crawl depth limit of 20 libraries. It does not support HTTP/2 or IPv6. A pool member must be selected in order for WVS to send a scan. A scan will not be sent if the pool member port is 0.


A WAF is a security policy enforcement point that you can set up between the client and a web application. Its main purpose is to prevent attacks against the web servers. You deploy it separately from the web application so that the processes used to perform security scanning do not affect the web server’s performance. A web application firewall uses methods that complement perimeter security, such as that provided by the FortiGate next-generation firewall (NGFW).


A WAF scans a request at four checkpoints: the HTTP request header, the HTTP request body, the HTTP response header, and the HTTP response body. When the WAF completes the scan, it enforces policy rules. If the HTTP request header violates a rule, and the action is Deny, the attempted session is dropped, and scanning for the transaction stops. If the action is Alert, the event is logged and rules processing continues.


This slide shows the relationships among WAF configuration elements. A WAF profile is made up of a web attack signature policy, a URL protection policy, an HTTP protocol constraint policy, and a SQL/XSS injection detection policy. This WAF profile is, in turn, applied to a load balancing virtual server, so all traffic routed to the virtual server is subject to the WAF rules set out in the profile. You can apply WAF profiles to HTTP and HTTPS virtual servers but not to HTTP Turbo virtual servers.


WAF policies allow the WAF to detect and respond to different types of threats. For example, the web attack signature policy allows the WAF to scan the traffic for signatures that detect known attacks and exploits. URL protection policies allow the WAF to filter HTTP requests that match specific character strings and file extensions. HTTP protocol constraint policies allow the WAF to create rules that filter traffic containing invalid HTTP request parameters and methods, or to drop packets with specified server response codes. SQL and cross-site scripting (XSS) injection detection policies inspect user-supplied data for requests that can cause SQL queries to be run directly against the web application’s database, or XSS injection attacks that can cause a web browser to run a client-side script. WAF SQL and XSS detection is complementary to, and much faster than, the web attack signature method.
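As an added example covering both the four checkpoints with their Deny and Alert actions and the four policy types described above (constructed Python, not FortiADC's WAF implementation and not from the study guide): a small rule engine walks one transaction through request header, request body, response header and response body, stops at the first Deny, and keeps scanning after an Alert. The rule set, the detection patterns and the Transaction fields are assumptions chosen to illustrate one rule from each policy type.

```python
"""Toy model of the four WAF checkpoints, the Deny/Alert actions and the four
policy types a WAF profile refers to. Constructed illustration, not FortiADC's
WAF; rules, patterns and transaction fields are assumptions."""
import re
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional

# Scanned in this order; request checkpoints first, then the server's response.
CHECKPOINTS = ("request_header", "request_body", "response_header", "response_body")


@dataclass
class Transaction:
    method: str = "GET"
    path: str = "/"
    request_headers: Dict[str, str] = field(default_factory=dict)
    request_body: str = ""
    status: int = 200
    response_headers: Dict[str, str] = field(default_factory=dict)
    response_body: str = ""


@dataclass
class Rule:
    policy: str                            # which WAF policy the rule belongs to
    checkpoint: str                        # where in the transaction it is evaluated
    name: str
    matches: Callable[[Transaction], bool]
    action: str                            # "deny" or "alert"


@dataclass
class Verdict:
    action: str                # "allow" or "deny"
    stopped_at: Optional[str]  # checkpoint at which a deny stopped scanning
    events: List[str]          # log entries produced along the way


# Simplified, assumed detection patterns for the SQL/XSS injection policy.
SQLI_RE = re.compile(r"(?i)(\bunion\b\s+\bselect\b|'\s*or\s*'?\d+'?\s*=\s*'?\d+|--\s*$)")
XSS_RE = re.compile(r"(?i)(<script\b|javascript:|\bon\w+\s*=)")
SCANNER_UA_RE = re.compile(r"(?i)(sqlmap|nikto)")


def default_profile() -> List[Rule]:
    """One or two rules per policy type, mirroring the four policies in a WAF profile."""
    return [
        Rule("url_protection", "request_header", "blocked file extension",
             lambda tx: tx.path.lower().endswith((".bak", ".old", ".swp")), "deny"),
        Rule("http_protocol_constraint", "request_header", "method not allowed",
             lambda tx: tx.method not in {"GET", "POST", "HEAD"}, "deny"),
        Rule("web_attack_signature", "request_header", "known scanner user agent",
             lambda tx: bool(SCANNER_UA_RE.search(tx.request_headers.get("User-Agent", ""))),
             "alert"),
        Rule("sql_xss_injection", "request_body", "SQL injection pattern",
             lambda tx: bool(SQLI_RE.search(tx.request_body)), "deny"),
        Rule("sql_xss_injection", "request_body", "XSS pattern",
             lambda tx: bool(XSS_RE.search(tx.request_body)), "deny"),
        Rule("http_protocol_constraint", "response_header", "server error response code",
             lambda tx: tx.status >= 500, "deny"),
        Rule("web_attack_signature", "response_body", "stack trace leaked in response",
             lambda tx: "Traceback (most recent call last)" in tx.response_body, "alert"),
    ]


def inspect(tx: Transaction, rules: List[Rule]) -> Verdict:
    """Walk the checkpoints in order. Deny drops the session and stops scanning;
    Alert logs the event and continues with the remaining rules."""
    events: List[str] = []
    for checkpoint in CHECKPOINTS:
        for rule in rules:
            if rule.checkpoint != checkpoint or not rule.matches(tx):
                continue
            events.append(f"{rule.action.upper()} {rule.policy}/{rule.name} at {checkpoint}")
            if rule.action == "deny":
                return Verdict("deny", checkpoint, events)
    return Verdict("allow", None, events)


if __name__ == "__main__":
    print(inspect(Transaction(path="/config.bak"), default_profile()))
    print(inspect(Transaction(request_headers={"User-Agent": "nikto/2.1"}), default_profile()))
```

The response checkpoints only matter when the request checkpoints let the transaction through, which the linear walk reproduces: a Deny at the request header returns before the back end's status code is ever looked at, whereas an Alert-only match on the request still lets the response rules run and log.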


WAF profiles refer to the various WAF policies to be enforced. A profile can define four different types of policies: web attack signature, URL protection, HTTP protocol constraint, and SQL/XSS injection detection. You can apply WAF profiles to a load balancing VS, so that traffic routed to that VS is subject to those rules. You can apply WAF profiles to both HTTP and HTTPS VSs, but not to HTTP Turbo virtual servers. You can use existing predefined profiles or create your own. The maximum number of profiles per VDOM is 255.


Congratulations! You have completed this lesson. Now, you will review the objectives that you covered in this lesson.


This slide shows the objectives that you covered in this lesson. By mastering security concepts, you will be able to ensure the FortiADC and your network are effectively protected from a variety of threats.


 Monitoring and Troubleshooting


In this lesson, you will learn about monitoring and troubleshooting.


In this lesson, you will learn about the topics shown on this slide.


After completing this section, you should be able to achieve the objectives shown on this slide. By demonstrating competence in understanding the various dashboards of the FortiADC, you will be able to identify issues or anomalies faster and more efficiently.


The first screen you’ll see when you log in to the FortiADC GUI is the dashboard. The dashboard contains a group of widgets that provide information that you can use to monitor the device and learn when something isn’t working properly. For example, there’s a widget that provides traffic statistics, one that provides license statistics, and another that provides system information. You can even customize the dashboard using the Edit button, or add additional dashboards from the menu on the left side of the window, using the Create Dashboard button.


The FortiView pages display important information about FortiADC, which includes the logical topology of real server pools and their members within each virtual server, server load-balancing information, security, and some other system events and alerts.


The Physical Topology page displays the physical topology of your FortiADC network structure. It shows your FortiADC appliance or appliances identified by serial number and the real servers connected to it.


The Server Load Balance > Logical Topology page uses the tree view format to show the internal configuration of each virtual server on FortiADC. Depending on the configuration, the diagram may show content routing, schedule pools, real server pools, and real server pool members configured on a virtual server. As well as viewing the internal configurations of virtual servers, you can also drill down into the components (except content routing and schedule group) for details by clicking their corresponding icons. This is what you will see when you click the component icons:
• Virtual server: Opens the page with details of that virtual server
• Real server pool: Opens the page with details of that real server pool
• Real server: Opens the page showing details of the real server


This is a view of the virtual servers dashboard, which allows you to monitor all of the virtual servers on FortiADC, and access the real server dashboard for each virtual server.


The real server dashboard provides a live, up-to-date view of the individual real server pool members underpinning the virtual server.


FortiADC now also features a GUI-based Packet Capture tool, in addition to the traditional CLI commands. Before using this tool, you should have a good understanding of tcpdump and filter expressions. You must have read-write permission for system settings. Capture results are collected in a PCAP format file, which you can download and open in any tool that supports the PCAP format, such as Wireshark. See http://www.tcpdump.org/manpages/pcap-filter.7.html for more information on the tcpdump utility and its filter syntax.


Good job! You can now navigate the various dashboards. Now, you will learn how to configure and navigate logs and alerts.


After completing this section, you should be able to achieve the objectives shown on this slide. By demonstrating competence in logging and alerts, you will be able to configure local logging, remote logging and alert emails. You will also be able to use the SNMP protocol to monitor FortiADC.


FortiADC can send logs to multiple destinations. FortiADC can store the logs in local RAM and on the local hard disk. FortiADC can also send logs to remote servers, such as a third-party syslog server, or a FortiAnalyzer.


FortiADC can generate three types of logs. Event logs provide information about administrative actions or system events, such as device reboots or user logins. Security logs provide information about FortiADC security features, and traffic logs provide traffic flow information.


For each logging destination, a severity threshold is defined. Only logs at or above the selected severity level are generated. There are seven log severity levels on FortiADC. The highest, or most severe, is level 0, which is used for emergency events. The lowest, or least severe, is level 6, which is used for information events.


When you enable local logging, FortiADC stores the logs on the hard disk. If you disable local logging, logs are stored in the memory of the device. You also have to select what level of logs you want to store. When you enable logs, you can specify what types of events you want to generate logs for.


You can also configure FortiADC to send logs to multiple FortiAnalyzer devices and third-party syslog servers. For each of the destinations, you must configure the types of logs that you are going to generate.


This slide shows a sample event log. All the logs include the date, the time that the log was generated, an ID, the type of log, and the severity level. All logs also contain a message that describes the event. In this example, the message indicates that the event is related to the admin user making a change in the root VDOM’s load-balancing configuration.
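An added Python example (not FortiADC code and not from the study guide) that ties together the severity threshold, the per-destination selection of log types, and the fields every log carries: it parses constructed key=value log lines and reports which destinations each entry would reach. The line layout is an assumption used only to carry the fields listed above (date, time, ID, type, severity, message); the names for levels 1 through 5 follow the syslog convention, which the guide does not spell out, and the sample lines are constructed rather than real FortiADC output.

```python
"""Route constructed event/security/traffic log lines to logging destinations
by severity threshold and selected log types. Constructed illustration, not
FortiADC code; the key=value layout and the level names 1-5 are assumptions."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Set

# Level 0 is the most severe and level 6 the least, as the guide states.
# Names for levels 1-5 are assumed to follow the syslog convention.
SEVERITY_LEVEL = {
    "emergency": 0, "alert": 1, "critical": 2, "error": 3,
    "warning": 4, "notice": 5, "information": 6,
}

# key=value pairs; a value may be double-quoted and then may contain spaces
FIELD_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')
REQUIRED_FIELDS = {"date", "time", "log_id", "type", "severity", "msg"}


def parse_log_line(line: str) -> Dict[str, str]:
    """Split a key=value log line into a dict, validating the fields the guide lists."""
    fields: Dict[str, str] = {}
    for key, value in FIELD_RE.findall(line):
        if value.startswith('"') and value.endswith('"'):
            value = value[1:-1].replace('\\"', '"')
        fields[key] = value
    missing = REQUIRED_FIELDS - fields.keys()
    if missing:
        raise ValueError(f"log line missing fields: {sorted(missing)}")
    if fields["severity"] not in SEVERITY_LEVEL:
        raise ValueError(f"unknown severity {fields['severity']!r}")
    return fields


@dataclass
class Destination:
    name: str
    threshold: str  # least severe level that is still sent to this destination
    log_types: Set[str] = field(default_factory=lambda: {"event", "security", "traffic"})

    def accepts(self, entry: Dict[str, str]) -> bool:
        # "at or above the selected level" is a numerically lower-or-equal
        # level, because level 0 is the most severe
        severe_enough = SEVERITY_LEVEL[entry["severity"]] <= SEVERITY_LEVEL[self.threshold]
        return severe_enough and entry["type"] in self.log_types


def route_logs(lines: List[str], destinations: List[Destination]) -> Dict[str, List[str]]:
    """Return, per destination name, the IDs of the entries it would receive."""
    delivered: Dict[str, List[str]] = {d.name: [] for d in destinations}
    for line in lines:
        entry = parse_log_line(line)
        for dest in destinations:
            if dest.accepts(entry):
                delivered[dest.name].append(entry["log_id"])
    return delivered


# Constructed sample log lines (not real FortiADC output).
SAMPLE_LOGS = [
    'date=2019-02-05 time=10:15:32 log_id=0001 type=event severity=notice '
    'msg="admin changed load-balance configuration in vdom root"',
    'date=2019-02-05 time=10:16:01 log_id=0002 type=traffic severity=information '
    'msg="client 10.0.0.5 connected to virtual server web_vs"',
    'date=2019-02-05 time=10:17:45 log_id=0003 type=security severity=alert '
    'msg="WAF signature match, action deny"',
    'date=2019-02-05 time=10:18:00 log_id=0004 type=event severity=error '
    'msg="health check failed for real server rs1"',
]

# Three destinations of the kinds the guide names, each with its own
# threshold and log-type selection (values are assumptions).
DESTINATIONS = [
    Destination("local-disk", threshold="information"),
    Destination("syslog", threshold="warning", log_types={"event", "security"}),
    Destination("fortianalyzer", threshold="critical"),
]

if __name__ == "__main__":
    for name, ids in route_logs(SAMPLE_LOGS, DESTINATIONS).items():
        print(f"{name}: {ids}")
```

The direction of the comparison is the part worth checking in any real deployment: a threshold of "warning" must admit "alert" and "error", not just "warning" and below, so the test below asserts the security alert reaches every destination while the informational traffic log reaches only the local disk.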


FortiADC can send an alert email each time a specific category of event occurs. When you configure this feature, you specify the events for which you want to generate alert emails and a destination email address. You can specify multiple destination email addresses.


FortiADC supports SNMP, so this protocol can be used to monitor the device. FortiADC supports versions 1, 2, and 3 of the SNMP protocol. Support for SNMP v3 was added in FortiADC 4.3.0, and support for enhanced SNMP MIBs and traps was added in FortiADC 4.4.0. For more information about downloading vendor-specific and product-specific MIB files, see the FortiADC Handbook.


Good job! You can now configure and navigate logs and alerts. Now, you will learn about some CLI utilities.


After completing this section, you should be able to achieve the objectives shown on this slide. By demonstrating competence in using CLI utilities, you will be able to use the diagnostic commands available on the CLI, and to identify some of the most common issues.


The CLI offers three basic network utilities for troubleshooting. You can run a ping command using the command execute ping, you can run a traceroute using the command execute traceroute, or you can do an nslookup using the command execute nslookup name. These three commands will help you to troubleshoot networking problems or DNS problems.


One of the most useful troubleshooting tools in the CLI is the built-in sniffer, which you can use to capture all the traffic crossing the device. To enable the sniffer, use the command diag sniffer packet followed by the interface name. To sniff the traffic on all interfaces, specify any instead of a specific interface name. You must also specify a filter and a verbosity level. The verbosity level ranges from 1 to 6. The example on this slide shows what information is displayed for each verbosity level. Verbosity level 4 is often used to gain an understanding of how traffic flows, because it shows only the incoming interface, the outbound interface, and the IP headers. Verbosity levels 3 and 6 are used to capture the whole packet, including the payload. Verbosity level 3 and 6 captures can be exported to a PCAP file using two scripts, and you can analyze the file later using Wireshark. The script for converting the sniffer output to a PCAP file is available on the Fortinet Knowledge Base.


This slide shows three examples of how to use the sniffer, each with a different filter. In the first example, the diag sniffer command captures all the UDP packets on the internal interface whose source or destination port is 53. The filter supports logic statements, so you can build very specific sniffs to narrow down the output. This matters more when you are supporting large networks with lots of traffic; otherwise, the output may simply be overwhelming. Note that the GUI sniffer is available only on devices that have hard drives. On other devices, you must sniff from the CLI.
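To show how the logic statements in a filter narrow the output, here is an added Python evaluator for a small subset of the pcap-filter language the sniffer filters use (the tcp, udp and icmp keywords, host, port, src and dst qualifiers, and, or, not, and parentheses), run over constructed packets. It is illustration code, not FortiADC's sniffer and not from the study guide; the interface argument (internal, any) is outside the filter expression and is not modelled, and the sample packets are constructed.

```python
"""Evaluator for a small subset of the pcap-filter expression language used by
sniffer filters. Constructed illustration, not FortiADC's sniffer; the
interface argument is outside the filter and not modelled."""
import re
from dataclasses import dataclass
from typing import List, Optional

TOKEN_RE = re.compile(r"\(|\)|[A-Za-z0-9.]+")


@dataclass(frozen=True)
class Packet:
    proto: str      # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int = 0  # 0 means no port (icmp)
    dport: int = 0


class FilterParser:
    """Recursive-descent parser producing a tuple AST. Precedence as in
    pcap-filter: not binds tightest, then and, then or."""

    def __init__(self, text: str) -> None:
        self.tokens = TOKEN_RE.findall(text)
        self.pos = 0

    def _peek(self) -> Optional[str]:
        return self.tokens[self.pos] if self.pos < len(self.tokens) else None

    def _take(self) -> str:
        tok = self._peek()
        if tok is None:
            raise ValueError("unexpected end of filter")
        self.pos += 1
        return tok

    def parse(self) -> tuple:
        node = self._or_expr()
        if self._peek() is not None:
            raise ValueError(f"trailing token {self._peek()!r}")
        return node

    def _or_expr(self) -> tuple:
        node = self._and_expr()
        while self._peek() == "or":
            self._take()
            node = ("or", node, self._and_expr())
        return node

    def _and_expr(self) -> tuple:
        node = self._unary()
        while self._peek() == "and":
            self._take()
            node = ("and", node, self._unary())
        return node

    def _unary(self) -> tuple:
        if self._peek() == "not":
            self._take()
            return ("not", self._unary())
        return self._primary()

    def _primary(self) -> tuple:
        tok = self._take()
        if tok == "(":
            node = self._or_expr()
            if self._take() != ")":
                raise ValueError("missing closing parenthesis")
            return node
        if tok in ("tcp", "udp", "icmp"):
            return ("proto", tok)
        direction = None
        if tok in ("src", "dst"):
            direction, tok = tok, self._take()
        if tok == "host":
            return ("host", direction, self._take())
        if tok == "port":
            return ("port", direction, int(self._take()))
        raise ValueError(f"unsupported token {tok!r}")


def matches(node: tuple, pkt: Packet) -> bool:
    kind = node[0]
    if kind == "or":
        return matches(node[1], pkt) or matches(node[2], pkt)
    if kind == "and":
        return matches(node[1], pkt) and matches(node[2], pkt)
    if kind == "not":
        return not matches(node[1], pkt)
    if kind == "proto":
        return pkt.proto == node[1]
    # host/port: a bare qualifier matches either direction, src/dst one side only
    _, direction, value = node
    ends = (pkt.src, pkt.dst) if kind == "host" else (pkt.sport, pkt.dport)
    return (direction != "dst" and ends[0] == value) or (direction != "src" and ends[1] == value)


def sniff(filter_text: str, packets: List[Packet]) -> List[Packet]:
    """Return the packets the filter would let the sniffer display."""
    ast = FilterParser(filter_text).parse()
    return [p for p in packets if matches(ast, p)]


# Constructed packets standing in for traffic seen on one interface.
SAMPLE_PACKETS = [
    Packet("udp", "10.0.0.5", "8.8.8.8", 51000, 53),        # DNS query
    Packet("udp", "8.8.8.8", "10.0.0.5", 53, 51000),        # DNS reply
    Packet("tcp", "10.0.0.5", "203.0.113.10", 40000, 443),  # HTTPS to a virtual server
    Packet("tcp", "10.0.0.5", "203.0.113.10", 40001, 80),   # HTTP to a virtual server
    Packet("icmp", "10.0.0.9", "10.0.0.1"),                 # ping
]
```

The first slide example corresponds to `sniff("udp and port 53", SAMPLE_PACKETS)`, which keeps both the query and the reply because a bare `port` matches either direction; adding `dst` keeps only the query. Combining the operators with parentheses is what lets a filter on a busy interface be narrowed to one host and a couple of services.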


So what are some of the most common issues that affect FortiADC? The most common problem is clients or customers being unable to connect to the server. When this occurs, the first thing that you should do is to use FortiADC’s built-in sniffer to sniff the traffic and check that the traffic from the client is reaching the virtual server IP address. If the traffic is reaching the server, the next step is to check that a server is available in the pool. Then, you can check if the traffic is arriving at the server by running a sniffer on the server. Another step is to check the default gateway in the servers to be sure that the servers are pointing to the FortiADC device. Another common problem is a server being down because of a health check failure. You can use the sniffer to troubleshoot this problem by sniffing the health check traffic to see if FortiADC is sending that traffic to the server, if that traffic is arriving at the server, and where in the server the reply is coming from.


Congratulations! You have completed this lesson. Now, you will review the objectives that you covered in this lesson.


This slide shows the objectives that you covered in this lesson. By mastering monitoring and troubleshooting, you will be able to ensure your FortiADC is in top working condition.


No part of this publication may be reproduced in any form or by any means or used to make any derivative such as translation, transformation, or adaptation without permission from Fortinet Inc., as stipulated by the United States Copyright Act of 1976. Copyright© 2019 Fortinet, Inc. All rights reserved. Fortinet®, FortiGate®, FortiCare® and FortiGuard®, and certain other marks are registered trademarks of Fortinet, Inc., in the U.S. and other jurisdictions, and other Fortinet names herein may also be registered and/or common law trademarks of Fortinet. All other product or company names may be trademarks of their respective owners. Performance and other metrics contained herein were attained in internal lab tests under ideal conditions, and actual performance and other results may vary. Network variables, different network environments and other conditions may affect performance results. Nothing herein represents any binding commitment by Fortinet, and Fortinet disclaims all warranties, whether express or implied, except to the extent Fortinet enters a binding written contract, signed by Fortinet’s General Counsel, with a purchaser that expressly warrants that the identified product will perform according to certain expressly-identified performance metrics and, in such event, only the specific performance metrics expressly identified in such binding written contract shall be binding on Fortinet. For absolute clarity, any such warranty will be limited to performance in the same ideal conditions as in Fortinet’s internal lab tests. In no event does Fortinet make any commitment related to future deliverables, features, or development, and circumstances may change such that any forward-looking statements herein are not accurate. Fortinet disclaims in full any covenants, representations, and guarantees pursuant hereto, whether express or implied.
Fortinet reserves the right to change, modify, transfer, or otherwise revise this publication without notice, and the most current version of the publication shall be applicable.