Configure Layer 7 Load Balancing
In this series of exercises, you explore the principles of configuring the basic elements required for load balancing at Layer 7. These elements include:
- Layer 7 virtual server
- Content routing in a virtual server
- Cookie insertion persistence
Create a Layer 7 Virtual Server
Background
You will create another virtual server, but this time at Layer 7. This way, the FortiADC device will be able to inspect and change the HTTP traffic.
To create a server profile
- From the Lab Activity: FortiADC sidebar menu, access FortiADC-1 using the HTTPS option.
- Log in using the username admin and the password Fortinet1!.
- Click Server Load Balance > Application Resources > Application Profile.
- Click Create New to create a new profile using the following settings:
- Name: HTTP_Profile
- Type: HTTP
- Keep the default values for the remaining settings, and then click Save.
To delete the Layer 4 virtual server
- Click Server Load Balance > Virtual Server > Virtual Server.
- Select the virtual server TCP_VS.
- Click Delete.
- Click OK to confirm.
To create a new Layer 7 virtual server
- Click Server Load Balance > Virtual Server > Virtual Server.
- Click Create New and select Advanced Mode to create a new virtual server using the following settings:
- Name: HTTP_VS
- Status: Enable
- Type: Layer 7
- Address Type: IPv4
- On the General tab, configure the following settings:
- Address: 172.16.99.146
- Port: 80
- Interface: Port2
- Profile: HTTP_Profile
- Method: LB_METHOD_ROUND_ROBIN
- Real Server Pool: Ap_Servers
- Keep the default values for all other settings, and then click Save.
Configure Content Routing in a Virtual Server
Background
FortiADC can be configured to make decisions based on the content of the HTTP traffic. This is called content routing. AppSrv3 has a resources folder, which does not exist on the other application servers. In this exercise, you configure FortiADC-1 to route all users attempting to connect to the resources folder to AppSrv3, while still keeping the traffic to the home page balanced among all three application servers.
To configure content routing in a virtual server
- From the Lab Activity: FortiADC sidebar menu, access Kali using the RDP option.
- Open a web browser and connect to the following URL: http://172.16.99.146/resources
- Press CTRL+SHIFT+R several times to reload the website.
Note: Approximately two out of three connection attempts will fail. They fail each time the device routes the traffic to AppSrv1 or AppSrv2, because the resources folder is located only on AppSrv3.
- To fix the problem, you will configure content routing. First, you must create a new real server pool using AppSrv3 as the only member.
To create a new real server pool
- From the Lab Activity: FortiADC sidebar menu, access FortiADC-1 using the HTTPS option.
- Log in using the username admin and the password Fortinet1!.
- Click Server Load Balance > Real Server Pool > Real Server Pool.
- Click Create New to create a new real server pool using the following settings:
- Name: Ap_3
- Address Type: IPv4
- Health Check: On
- In the Available Items list, double-click HTTP_Check to add it to the Selected Items list.
- Keep the default values for the remaining settings, and then click Save.
To add members to the real server pool
- Click the edit icon to edit the new real server pool named Ap_3.
- Scroll down to the Member pane and click Create New to create a new member using the following settings:
- Status: Enable
- Real Server: AppSrv3
- Port: 80
- Weight: 1
- Keep the default values for the remaining settings, click Save, and then click Save again.
To create content routes
- Click Server Load Balance > Virtual Server > Content Routing.
- Click Create New to create a new route using the following settings:
- Name: Resources_Route
- Type: Layer 7
- Real Server Pool: Ap_3
- Persistence: Inherit
- Method: Inherit
- Click Save.
- Click Create New to create a second content route using the following settings:
- Name: All
- Type: Layer 7
- Real Server Pool: Ap_Servers
- Persistence: Inherit
- Method: Inherit
- Click Save.
You should now have two content routing rules, as follows:
To add match conditions to the content routes
- Click the edit icon to edit the Resources_Route.
- Scroll down to the Match Condition pane, and then click Create New to create a new rule using the following settings:
- Object: HTTP Request URL
- Type: String
- Content: resources
- Click Save, and then click Save again.
- Click the edit icon to edit the All content route.
- Scroll down to the Match Condition pane, and then click Create New to create a new rule using the following settings:
- Object: HTTP Host Header
- Type: String
- Content: 172.16.99.146
- Click Save, and then click Save again.
- Click Server Load Balance > Virtual Server > Virtual Server.
- Click the edit icon to edit HTTP_VS.
- In the Specifics pane, enable Content Routing.
- In the Available Items list, double-click Resources_Route to add it to the Selected Items list.
- In the Available Items list, double-click All to add it to the Selected Items list.
- The route All must be the second entry in the Selected Items list from top to bottom. If necessary, you can drag and drop the content routes to reorder them.
- Click the General tab.
- Scroll down to the Error Page pane, and then type the following message in the Error Message field to customize it: Server is not currently available. Please try again later.
- Click Save.
Test Content Routing
To test the content routes
- Return to the Kali tab and the browser that is running the connection to the resources folder at http://172.16.99.146/resources.
- Press CTRL+SHIFT+R several times to refresh the browser.
- Now it works! Traffic is redirected by the content route only to AppSrv3.
- Open a new browser tab and connect to the virtual server at http://172.16.99.146.
The FortiADC is still balancing the connections among the three application servers.
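The content routing behaviour exercised above, as an added Python model that is not FortiADC code: the two routes are evaluated in their listed order using a substring ("String") match, each pool keeps its own round-robin cursor, and a pool with no healthy member returns the customized error page. The server, pool and route names and the VS address come from the lab; the assumptions that /resources answers 404 on AppSrv1 and AppSrv2 and that the error page carries a 503 are mine.

```python
from itertools import cycle

# Constructed model of the lab: /resources exists only on AppSrv3 (assumed to
# answer 404 elsewhere); the error page is served with an assumed 503.
SERVERS = {
    "AppSrv1": {"/": 200, "/resources": 404},
    "AppSrv2": {"/": 200, "/resources": 404},
    "AppSrv3": {"/": 200, "/resources": 200},
}
POOLS = {
    "Ap_Servers": ["AppSrv1", "AppSrv2", "AppSrv3"],
    "Ap_3": ["AppSrv3"],
}
# Content routes in the order they are listed on HTTP_VS: the first match wins,
# so the narrower Resources_Route must sit above the catch-all route All.
ROUTES = [
    {"name": "Resources_Route", "object": "url", "content": "resources", "pool": "Ap_3"},
    {"name": "All", "object": "host", "content": "172.16.99.146", "pool": "Ap_Servers"},
]
ERROR_PAGE = "Server is not currently available. Please try again later."


class VirtualServer:
    def __init__(self, routes, default_pool, content_routing=True):
        self.routes = routes
        self.default_pool = default_pool
        self.content_routing = content_routing
        self.down = set()   # real servers currently failing HTTP_Check
        # one independent round-robin cursor per pool
        self._cursor = {name: cycle(members) for name, members in POOLS.items()}

    def select_pool(self, host, url):
        """Apply the content routes top to bottom; fall back to the VS pool."""
        if self.content_routing:
            for route in self.routes:
                field = url if route["object"] == "url" else host
                if route["content"] in field:   # Type: String = substring match
                    return route["pool"]
        return self.default_pool

    def pick_server(self, pool):
        """Round-robin over the pool, skipping members that failed the health check."""
        healthy = [m for m in POOLS[pool] if m not in self.down]
        if not healthy:
            return None
        while True:
            candidate = next(self._cursor[pool])
            if candidate in healthy:
                return candidate

    def handle(self, host, url):
        """Return (server, status, body) for one HTTP request to the VS."""
        pool = self.select_pool(host, url)
        server = self.pick_server(pool)
        if server is None:
            return None, 503, ERROR_PAGE     # Error Page pane text from the lab
        return server, SERVERS[server].get(url, 404), ""


def statuses(vs, url, count=6, host="172.16.99.146"):
    """Reload `url` `count` times, like CTRL+SHIFT+R, and collect the status codes."""
    return [vs.handle(host, url)[1] for _ in range(count)]
```

With content routing off, two of every three reloads of /resources fail exactly as the note above describes; with the routes applied they all succeed, and stopping AppSrv3 yields the error page.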
To test the error page
- From the Lab Activity: FortiADC sidebar menu, access AppSrv3 using the SSH option.
- Log in as root using the password Fortinet1!, and then run the following command:
[root@AppSrv3 ~]#service httpd stop
- Return to the Kali web browser and connect to the resources folder at http://172.16.99.146/resources.
- Press CTRL+SHIFT+R several times to refresh the browser.
- The customized error message displays.
- At the AppSrv3 command prompt, activate the web server using the following command:
[root@AppSrv3 ~]#service httpd start
- Close the AppSrv3 SSH tab.
Configure Cookie Insertion Persistence
Background
Cookie insertion takes advantage of the browser’s cookie caching behavior. FortiADC inserts a cookie in the content that is forwarded to the user, so each time the client issues a GET request, the FortiADC uses that cookie to identify which server the HTTP GET should go to.
This allows FortiADC to ensure that any applications requiring session-based connections, such as those required by e-commerce transactions, remain established between the client and the same back-end server. Without this capability, each new GET request from the client could end up going to a different back-end application server.
In this exercise, you use cookie insertion persistence to route the traffic coming from the same user to the same server.
To configure cookie insert-based persistence
- From the Lab Activity: FortiADC sidebar menu, access FortiADC-1 using the HTTPS option.
- Log in using the username admin and the password Fortinet1!.
- Click Server Load Balance > Application Resources > Persistence.
- Click Create New to create a new persistence method using the following settings:
- Name: Cookie_Insert
- Type: Insert Cookie
- Keyword: FastTrack
- Timeout (sec): 300
- Click Save.
- Click Server Load Balance > Virtual Server > Virtual Server.
- Click the edit icon to edit the new virtual server HTTP_VS.
- Click the General tab, and scroll down to the Resources section.
- Select Cookie_Insert as the Persistence method.
- Click Save.
To test the Cookie-based persistence
- From the Lab Activity: FortiADC sidebar menu, access Kali using the RDP option.
- Open the web browser and connect to the virtual server at http://172.16.99.146.
- Press CTRL+SHIFT+R several times to refresh the browser.
- Traffic is now routed to the same application server.
The FortiADC inserts a cookie named FastTrack that identifies the back-end server selected for this client. Your browser appends the cookie to all requests made to the virtual server IP address, so FortiADC can send them to the same server.
To observe the cookie and its value
- In the Mozilla web browser, on the upper-right corner, click the Open Menu icon.
- From the menu, click Web Developer > Storage Inspector to open the developer tools panel.
- Expand the Cookies section on the left.
- Select the http://172.16.99.146 cookie to view the details.
- On the right pane, in the Name column, you will see the FastTrack cookie name that you created earlier.
- Close the Developer pane.
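Insert-cookie persistence as described in the Background and verified above, as an added Python model (not FortiADC's implementation): the first request without a usable cookie is balanced round-robin and answered with a Set-Cookie for FastTrack, later requests carrying that cookie stick to the same member until the 300-second idle timeout expires or the member fails its health check, and a cookie value the balancer never issued is ignored rather than trusted. The cookie name, timeout and server names are from the lab; the opaque-token table and the idle-timer semantics are assumptions.

```python
import secrets
import time
from itertools import cycle

SERVERS = ["AppSrv1", "AppSrv2", "AppSrv3"]   # members of Ap_Servers
COOKIE_NAME = "FastTrack"    # Keyword of the Cookie_Insert persistence method
TIMEOUT = 300                # Timeout (sec) from the lab settings


def parse_cookies(header):
    """Parse a Cookie request header: 'a=1; b=2' -> {'a': '1', 'b': '2'}."""
    cookies = {}
    for part in header.split(";"):
        name, sep, value = part.strip().partition("=")
        if sep:
            cookies[name] = value
    return cookies


class CookieInsertBalancer:
    """Round-robin balancer with insert-cookie persistence (constructed model)."""

    def __init__(self, servers, timeout=TIMEOUT):
        self.servers = list(servers)
        self._cursor = cycle(self.servers)
        self.timeout = timeout
        self.down = set()          # members currently failing the health check
        self._table = {}           # cookie value -> (server, last time seen)

    def _next_healthy(self):
        if all(s in self.down for s in self.servers):
            return None
        while True:
            server = next(self._cursor)
            if server not in self.down:
                return server

    def handle(self, request_headers, now=None):
        """Return (server, response_headers); `now` is injectable for testing."""
        now = time.time() if now is None else now
        token = parse_cookies(request_headers.get("Cookie", "")).get(COOKIE_NAME)
        entry = self._table.get(token)
        if entry and now - entry[1] < self.timeout and entry[0] not in self.down:
            server = entry[0]      # known, unexpired cookie: stay on the same server
        else:
            # No usable cookie (absent, never issued, expired or pointing at a
            # failed member): balance normally and mint a fresh opaque token.
            server = self._next_healthy()
            if server is None:
                return None, {}
            token = secrets.token_hex(8)
        self._table[token] = (server, now)       # refresh the idle timer
        set_cookie = f"{COOKIE_NAME}={token}; Max-Age={self.timeout}; Path=/"
        return server, {"Set-Cookie": set_cookie}


def browser_session(balancer, reloads, start=0.0, step=1.0):
    """Replay a browser that stores the cookie and resends it; return servers hit."""
    jar, hits = {}, []
    for i in range(reloads):
        headers = {"Cookie": "; ".join(f"{k}={v}" for k, v in jar.items())} if jar else {}
        server, response = balancer.handle(headers, now=start + i * step)
        hits.append(server)
        name, _, rest = response["Set-Cookie"].partition("=")
        jar[name] = rest.split(";")[0]
    return hits
```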
Install SSL Certificates
Background
To inspect and make decisions based on the SSL content, you will import the server’s signed digital certificate and the private key to the FortiADC.
The FortiADC, instead of the backend servers, will then present these to HTTPS clients.
To import the server’s signed digital certificate
- From the Lab Activity: FortiADC sidebar menu, access FortiADC-1 using the HTTPS option.
- Log in using the username admin and the password Fortinet1!.
- Click System > Manage Certificates > Local Certificate.
- Click Import, and then enter the following settings:
- Type: Certificate
- Certificate Name:
FastTrack_Cert
- Input Type: Manual Input
- Certificate: copy the lab's server certificate (the PEM block from -----BEGIN CERTIFICATE----- to -----END CERTIFICATE-----; body not reproduced here) into this field.
- Key: copy the lab's private key (the PEM block from -----BEGIN RSA PRIVATE KEY----- to -----END RSA PRIVATE KEY-----; body not reproduced here) into this field.
- Password: fortinet
- Click Save.
To define a local certificate group
- Click System > Manage Certificates > Local Certificate Group.
- Click Create New, and then enter the following setting:
- Group Name: FastTrack
- Click Save.
- Click the edit icon to edit the new Local Certificate Group FastTrack.
- In the Group Member pane, click Create New, and then enter the following settings:
- Default: On
- Local Certificate: FastTrack_Cert
- Click Save, and then click Save again.
Create a New HTTPS Profile
Background
Now that you have imported the server certificates, you need to specify the digital certificate that will be presented to clients when they connect to the server.
To create a new HTTPS profile
- From the Lab Activity: FortiADC sidebar menu, access FortiADC-1 using the HTTPS option.
- Log in using the username admin and the password Fortinet1!.
- Click Server Load Balance > Application Resources > Application Profile.
- Click Create New to create a new profile using the following settings:
- Name: HTTPS_Profile
- Type: HTTPS
- Keep the default values for the other settings, and then click Save.
To create a new client SSL profile
- Click Server Load Balance > Application Resources > Client SSL.
- Click Create New to create a new profile using the following settings:
- Name: FastTrack_Client
- Local Certificate Group: FastTrack
- Keep the default values for the remaining settings, and then click Save.
Configure the Virtual Server to Use an SSL Certificate
Background
Finally, you create and configure a virtual server for the HTTPS service using the SSL certificate.
To create a virtual server
- Continuing on the FortiADC-1 GUI, click Server Load Balance > Virtual Server > Virtual Server.
- Click Create New, and then select Advanced Mode.
- On the Basic tab, configure the following settings:
- Name: HTTPS_VS
- Status: Enable
- Type: Layer 7
- Address Type: IPv4
- On the General tab, configure the following settings:
- Address: 172.16.99.146
- Port: 443
- Interface: Port2
- Profile: HTTPS_Profile
- Client SSL Profile: FastTrack_Client
- Method: LB_METHOD_ROUND_ROBIN
- Real Server Pool: Ap_Servers
- Click Save.
To test the HTTPS connection
- From the Lab Activity: FortiADC sidebar menu, access Kali using the RDP option.
- Open a new browser tab and connect to the virtual server at https://172.16.99.146.
- Accept the security certificate warning if it appears, click Advanced, and then select Accept the Risk and Continue.
- Press CTRL+SHIFT+R to refresh the web page.
The device will evenly distribute your connections among the three application servers. The communication between your browser and the FortiADC device is now encrypted, while the communication between FortiADC and the application servers is not.
- Leave the Kali browser tab open, as you will be returning to it shortly.
To capture HTTPS traffic
- From the Lab Activity: FortiADC sidebar menu, access FortiADC-1 using the SSH option.
- Log in using the username admin and the password Fortinet1!.
- Enter the following CLI command to sniff and capture all TCP SYN packets on any interface (the filter tests bit 2 of the TCP flags byte, so SYN/ACK packets are captured as well):
#diagnose sniffer packet any "tcp[13] & 2 == 2" 4
- Return to the Kali tab
- On the browser that is open on Kali, press CTRL+SHIFT+R to refresh the browser.
- Return to the FortiADC-1 SSH tab and observe the sniffer output:
You will observe:
- HTTPS traffic passing from the client to the FortiADC (port2)
- HTTP traffic passing between the FortiADC (port3) and the application server
- Close the SSH tab.
Global Server Load Balancing
Introduction
During this lab, you configure a global load-balancing solution using two FortiADC devices. For the lab, assume that the devices are located in two different geographic sites.
The network topology for this lab is slightly different from the one used in previous exercises. In this scenario, you will simulate that the FortiADC devices are located at different sites that match the following descriptions:
- Site A: FortiADC-1, AppSrv1, and AppSrv2
- Site B: FortiADC-2 and AppSrv3
The following illustration summarizes the new network topology for this lab:
You will use the FQDN www.acmecorp.net. At any time, the DNS resolution for that name will be one of the virtual server IP addresses located at one of the sites.
The FortiADC-1 device will act as the load balancer for AppSrv1 and AppSrv2, and also as the global load balancing solution, directing traffic to either Site A or Site B depending on the availability of the servers.
Objectives
- Configure global load balancing on the secondary device (FortiADC-2)
- Configure global load balancing on the primary device (FortiADC-1)
- Test global load balancing in both FortiADC devices
Configure the Secondary FortiADC
- From the Lab Activity: FortiADC sidebar menu, access FortiADC-2 using the HTTPS option.
- Log in using the username admin and the password Fortinet1!.
To configure the network interfaces
- Click on Networking > Interfaces.
- Select port2 and click Edit.
- Under Allow Access, enable HTTPS, Ping, SSH, and HTTP.
- Scroll down to the Mode Specifics section.
- For IPv4/Netmask enter 172.16.99.145/24.
- Click Save.
- Select port3 and click Edit.
- Under Allow Access, enable HTTPS, Ping, SSH, and HTTP.
- Scroll down to the Mode Specifics section.
- For IPv4/Netmask enter 172.16.100.145/24.
- Click Save.
To test network connectivity
- From the upper right side of the FortiADC menu bar, open the CLI interface using the >_ icon.
- Type the following commands to test network connectivity:
# execute ping 172.16.99.254
# execute ping 172.16.100.41
# execute ping 172.16.100.42
# execute ping 172.16.100.43
The outputs should be successful: 5 packets transmitted, 5 packets received, 0% packet loss. This verifies connectivity to FortiGate-EDGE, as well as all application servers.
- Click the CLI icon on the menu bar again to close the CLI window.
To configure the network routes
- Navigate to Networking > Routing > Static.
- Click Create New.
- Leave the Destination at defaults (0.0.0.0/0).
- Enter the Gateway address of 172.16.99.254.
- Click Save.
Configure the Health Check
To define health check rules in the secondary FortiADC
- From the Lab Activity: FortiADC sidebar menu, access FortiADC-2 using the HTTPS option.
- Log in using the username admin and the password Fortinet1!.
- Click Shared Resources > Health Check.
- Click Create New and enter the following settings:
- Name: TCP_Check
- Type: TCP
- Port: 80
- Interval: 20
- Timeout: 10
- Click Save.
Create a Real Pool with One Member
Background
You will create one real server pool that has only one member, AppSrv3. Remember to enable the health check.
To create a real server pool that has only one member
- Continuing on FortiADC-2, click Server Load Balance > Real Server Pool > Real Server Pool.
- Click Create New and enter the following settings:
- Name: Ap_3
- Address Type: IPv4
- Health Check: On
- In the Available Items list, double-click TCP_Check to add it to the Selected Items list.
- Click Save.
- Click the edit icon to edit the new real server pool named Ap_3.
- In the Member pane, click Create New to create a new member using the following settings:
- Status: Enable
- Real Server: Create New
- Name: AppSrv3
- Address: 172.16.100.43
- Click Save to close the Real Server configuration screen and return to the Edit Member screen, and then configure the following settings:
- Port: 80
- Weight: 1
- Health Check Inherit: Enable
- RS Profile Inherit: Enable
- Keep the default values for the remaining settings, click Save, and then click Save again.
The server pool should show as available.
To create a Layer 7 virtual server
- Click Server Load Balance > Virtual Server > Virtual Server.
- Click Create New > Advanced Mode to create the virtual server.
- On the Basic tab, configure the following settings:
- Name: HTTP_VS
- Status: Enable
- Type: Layer 7
- Address Type: IPv4
- On the General tab, configure the following settings:
- Address: 172.16.99.147
- Port: 80
- Interface: port2
- Profile: LB_PROF_HTTP
- Method: LB_METHOD_ROUND_ROBIN
- Real Server Pool: Ap_3
- Click Save.
Configure Global Server Load Balancing
Background
Next, you will create the data centers and configure global load balancing.
To create data centers
- Continuing on FortiADC-2, click Global Load Balance > Global Object > Data Center.
- Click Create New and create a data center named Site_A. Keep the default values for the remaining settings.
- Click Save.
- Click Create New and create a data center named Site_B. Keep the default values for the other settings.
- Click Save.
To define the servers
- Click Global Load Balance > Global Object > Server.
- Click Create New to create the server using the following settings:
- Name: FortiADC-1
- Type: FortiADC SLB
- Address Type: IPv4
- IP Address: 172.16.99.144
- Data Center: Site_A
- Auto Sync: Off
- Click Save.
- Click Create New to create the server using the following settings:
- Name: FortiADC-2
- Type: FortiADC SLB
- Address Type: IPv4
- IP Address: 172.16.99.145
- Data Center: Site_B
- Auto Sync: Off
- Click Save.
To configure the members of each server
- Click the edit icon to edit the FortiADC-1 server.
- In the Member pane, click Discover.
FortiADC-1's virtual servers automatically appear.
- Delete the HTTPS_VS virtual server.
- Click Save.
- Click the edit icon to edit the FortiADC-2 server.
- In the Member pane, click Discover.
The HTTP_VS virtual server automatically appears.
- Click Save.
To create a virtual server pool
- Click Global Load Balance > FQDN > Virtual Server Pool.
- Click Create New and enter the following settings:
- Name: ACMECORP
- Check Server Status: On
- Check Virtual Server Existence: On
- Click Save.
- Click the edit icon to edit the virtual server pool.
- In the Member pane, click Create New and enter the following settings:
- Server: FortiADC-1
- Server Member: HTTP_VS
- Click Save.
- Click Create New again to enter the second member of the pool using the following settings:
- Server: FortiADC-2
- Server Member: HTTP_VS
- Click Save.
- Click Save again to exit the virtual server pool.
FortiADC-1 will act as the global load balancer, so you will not need to create a host or zone policy.
To disable the DNS settings
- Click Global Load Balance > Zone Tools > General Settings.
- Click the Edit icon.
- Verify the Global DNS Configuration is off, and Use System DNS Server option is turned on.
- Click Save.
Reroute Application Server
To change the route settings of the AppSrv3
- From the Lab Activity: FortiADC sidebar menu, access AppSrv3 using the SSH option.
- Log in as root using the password Fortinet1! and run the following command:
[root@AppSrv3 ~]#ip route show
- The default route points to 172.16.100.144, which is FortiADC-1’s port3 IP address.
- Enter the following command to point the route configuration to the secondary FortiADC’s port3 address:
[root@centos3 ~]#ip route replace default via 172.16.100.145 dev ens224
- Enter the following command to check the routing table again:
[root@centos3 ~]#ip route show
- Close the SSH tab.
Remove Application Server from Primary FortiADC
Background
To complete this lab, it is necessary to remove the AppSrv3 from the FortiADC-1 configuration since that server is now part of the new datacenter you just created in the previous activity.
To reconfigure the virtual servers
- From the Lab Activity: FortiADC sidebar menu, access FortiADC-1 using the HTTPS option.
- Log in using the username admin and the password Fortinet1!.
- Click Server Load Balance > Virtual Server > Virtual Server.
- Delete the virtual server HTTPS_VS.
- Click the edit icon to edit the HTTP_VS virtual server.
- Turn off the Content Routing switch.
- On the General tab, disable Persistence by setting the option to Click to select.
- Click Save.
To remove AppSrv3 from the real server pool
- Click Server Load Balance > Real Server Pool > Real Server Pool.
- Click the edit icon to edit the Ap_Servers.
- Turn on Health Check.
- Double-click TCP_Check to add it to the Selected Items list.
- Remove the HTTP_Check.
- Delete the member, AppSrv3.
- Click Save.
Configure Global Server Load Balancing
To create data centers
- Click Global Load Balance > Global Object > Data Center.
- Click Create New and add two new data centers, Site_A and Site_B.
Keep the default values for the remaining settings for each data center.
To define the servers
- Click Global Load Balance > Global Object > Server.
- Click Create New to create the server using the following settings:
- Name: FortiADC-1
- Type: FortiADC SLB
- Address Type: IPv4
- IP Address: 172.16.99.144
- Data Center: Site_A
- Auto Sync: Disabled
- Click Save.
- Click Create New to create the server using the following settings:
- Name: FortiADC-2
- Type: FortiADC SLB
- Address Type: IPv4
- IP Address: 172.16.99.145
- Data Center: Site_B
- Auto Sync: Disabled
- Click Save.
Testing the Global Server Load Balancing
Background
In this exercise, you will test and verify the global load-balancing configuration.
To test the global load balance
- From the Lab Activity: FortiADC sidebar menu, access Kali using the RDP option.
- Open the web browser and connect to the global load balance URL at:
http://www.acmecorp.net
- Press CTRL+SHIFT+R several times to reload the web page.
- The connection to the same site is maintained, either to Site A (AppSrv1 or AppSrv2), or to Site B (AppSrv3).
Note: The global load balancing solution using FortiADC devices is not designed to distribute the user connections between both sites evenly, but to offer a mechanism for geographic redundancy. If both sites are up, most of the user traffic is routed to one of the sites. The other site is used when no server is available at the main site.
Test Redundancy
In this exercise, you will turn off web services for the site you are currently connecting to.
- If you are connecting to Site B, turn off web services in AppSrv3
- If you are connecting to Site A, turn off web services in AppSrv1 and AppSrv2
To test the redundancy using global load balance
- From the sidebar menu, use the SSH option to connect to the application server(s) that your browser is currently reaching.
- For AppSrv1 and AppSrv2, use the Web Servers SSH connection, log in with the username ubuntu and password ubuntu and issue the following commands:
$cd dockerdata/AppSrv1
$docker-compose down
$cd ../AppSrv2
$docker-compose down
- For AppSrv3, use the AppSrv3 SSH option. Log in as root using the password Fortinet1! and run the following command:
[root@AppSrv3 ~]#service httpd stop
- Return to the Kali tab, and the browser that is running www.acmecorp.net and press CTRL+SHIFT+R. The traffic is routed to the other site.
If a Server-unavailable! message displays, close the browser and reconnect to http://www.acmecorp.net.
- Open a Terminal window and enter the following command:
root@kali: #ping www.acmecorp.net
- The failing FortiADC IP address is not included in the DNS response.
- Before finishing this lab, return to the SSH session to the web server and restart the web services that you turned off for the server(s):
- For AppSrv1 and AppSrv2 issue the following command:
$cd dockerdata/AppSrv1
$docker-compose up -d
$cd ../AppSrv2
$docker-compose up -d
- For AppSrv3 issue the following command:
[root@AppSrv3 ~]#service httpd start
- Close the SSH tab.
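The failover you just observed, modelled as an added Python example (not FortiADC code): the ACMECORP pool is walked in order, and a member is left out of the DNS answer when the peer FortiADC does not respond (Check Server Status), when its virtual server no longer exists on that device (Check Virtual Server Existence), or when no real server behind it is healthy. The health inputs are constructed; the rule that the first usable member is preferred is an assumption consistent with the note that traffic is not spread evenly between sites.

```python
# Constructed model of the ACMECORP virtual server pool as defined on FortiADC-1.
# Assumption: the GSLB answers with the first usable member in pool order, which
# matches the lab note that most traffic goes to one site while both are up.
# (server, virtual server, VS IP recorded when the pool member was added)
POOL_MEMBERS = [
    ("FortiADC-1", "HTTP_VS", "172.16.99.146"),   # Site_A
    ("FortiADC-2", "HTTP_VS", "172.16.99.147"),   # Site_B
]
# Virtual servers that currently exist on each member (what Discover returns now).
CURRENT_VS = {"FortiADC-1": {"HTTP_VS"}, "FortiADC-2": {"HTTP_VS"}}
GSLB_FQDN = "www.acmecorp.net"


def usable_members(health, existing=CURRENT_VS, check_server_status=True,
                   check_vs_existence=True):
    """Return the VS IPs, in pool order, that the GSLB may hand out.

    `health` is the state learned from each member FortiADC (constructed input):
    {"FortiADC-1": {"slb_reachable": True, "vs_available": True}, ...}
    where vs_available is False once every real server behind the VS fails its
    health check (as when httpd or the docker-compose stacks are stopped).
    """
    answers = []
    for server, vs_name, vs_ip in POOL_MEMBERS:
        state = health.get(server, {})
        if check_server_status and not state.get("slb_reachable", False):
            continue   # Check Server Status: the peer FortiADC does not respond
        if check_vs_existence and vs_name not in existing.get(server, set()):
            continue   # Check Virtual Server Existence: VS was deleted on the peer
        if not state.get("vs_available", False):
            continue   # no healthy real server at that site
        answers.append(vs_ip)
    return answers


def resolve(fqdn, health, **checks):
    """Answer an A query for the GSLB FQDN with one site's VS IP (None = no site up)."""
    if fqdn.rstrip(".").lower() != GSLB_FQDN:
        return None
    answers = usable_members(health, **checks)
    return answers[0] if answers else None
```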
Now that you've completed the FortiADC – Application Delivery Without Limits, here are a few additional resources and the next steps.
For continued learning about Fortinet's FortiMail solution, please consider looking at the following Fortinet NSE training courses at https://training.fortinet.com
Additional resources and tools can be found at the following locations: