Appendix B: CLI Reference
Solution 1 Example Configuration
Steps
- Configure basic networking settings like interface IP (example: 123.1.1.50) and routing.
- To deploy the Layer 4 SLB, first create new real servers whose addresses are the IPs of the listening FortiGate interfaces.
config load-balance real-server
    edit "sslvpn1"
        set ip 123.1.1.1
    next
    edit "sslvpn2"
        set ip 123.1.1.2
    next
end
- Create a new Real Server Pool and add real servers into it.
config load-balance pool
    edit "sslvpn_pool"
        set health-check-ctrl enable
        set health-check-list LB_HLTHCK_ICMP
        set real-server-ssl-profile NONE
        config pool_member
            edit 1
                set pool_member_service_port 10443
                set pool_member_cookie rs1
                set real-server sslvpn1
            next
            edit 2
                set pool_member_service_port 10443
                set pool_member_cookie rs1
                set real-server sslvpn2
            next
        end
    next
end
- Create a NAT source Pool in Server Load Balance > Virtual Server > NAT Source Pool.
config load-balance ippool
    edit "nat1"
        set interface port1
        set ip-min 123.1.1.51
        set ip-max 123.1.1.60
    next
end
- Finish the Basic and General configurations for the Virtual Server settings, including:
- Select Layer 4 type.
- Select the Full NAT Packet FORWARDING Method and specify the NAT source pool.
- Specify address, port, and interface in the general configuration.
- Select TCP Profile and ROUND_ROBIN method and make sure to specify the persistence method (e.g. SRC_ADDR, HASH_SRC_ADDR), then select the configured real server pool.
config load-balance virtual-server
    edit "SSLVPN_L4"
        set packet-forwarding-method FullNAT
        set interface port1
        set ip 123.1.1.50
        set port 10443
        set load-balance-profile LB_PROF_TCP
        set load-balance-persistence LB_PERSIS_SRC_ADDR
        set load-balance-method LB_METHOD_ROUND_ROBIN
        set load-balance-pool sslvpn_pool
        set ippool-list nat1
    next
end
Solution 2 Example Configuration
Steps
- Change the network settings to match the topology in the in-line example, including:
- Modify the FortiGate network settings and any related configuration that depends on them.
- Set the gateway to FortiADC for the outbound traffic.
- Configure basic networking settings such as the WAN interface IP (example: 123.1.1.1), the LAN interface IP, and routing, so that FortiADC takes over the original FortiGate WAN-facing function.
- To deploy the Layer 4 SLB, first create new real servers whose addresses are the IPs of the listening FortiGate interfaces.
config load-balance real-server
    edit "vpn1"
        set ip 10.1.1.1
    next
    edit "vpn2"
        set ip 10.1.1.2
    next
end
- Create separate Real Server Pools for IPsec and SSL VPN balancing and then add real servers into them.
- IPsec VPN: Specify port as 0 in the pool member service.
config load-balance pool
    edit "ipsecvpn_pool"
        set health-check-ctrl enable
        set health-check-list LB_HLTHCK_ICMP
        set real-server-ssl-profile NONE
        config pool_member
            edit 1
                set pool_member_service_port 0
                set pool_member_cookie rs1
                set real-server vpn1
            next
            edit 2
                set pool_member_service_port 0
                set pool_member_cookie rs1
                set real-server vpn2
            next
        end
    next
end
- SSL VPN: Specify the port you configured on FortiGate in the pool member service (example: 10443).
config load-balance pool
    edit "sslvpn_pool"
        set health-check-ctrl enable
        set health-check-list LB_HLTHCK_ICMP
        set real-server-ssl-profile NONE
        config pool_member
            edit 1
                set pool_member_service_port 10443
                set pool_member_cookie rs1
                set real-server vpn1
            next
            edit 2
                set pool_member_service_port 10443
                set pool_member_cookie rs1
                set real-server vpn2
            next
        end
    next
end
- Finish the Basic and General configurations for the Virtual Server settings:
- IPsec VPN Virtual Server settings:
- Select Layer 4 type.
- Use the default DNAT Packet FORWARDING Method.
- Specify address, port (500, 4500), and interface in the general configuration.
- Select UDP Profile and ROUND_ROBIN method and make sure to specify the persistence method (e.g. SRC_ADDR, HASH_SRC_ADDR), then select the configured real server pool.
config load-balance virtual-server
    edit "IPSecVPN_L4"
        set interface port1
        set ip 123.1.1.1
        set port 500 4500
        set load-balance-profile LB_PROF_UDP
        set load-balance-persistence LB_PERSIS_HASH_SRC_ADDR
        set load-balance-method LB_METHOD_ROUND_ROBIN
        set load-balance-pool ipsecvpn_pool
    next
end
- SSL VPN Virtual Server settings:
- Select Layer 4 type.
- Use the default DNAT Packet FORWARDING Method.
- Specify address, port, and interface in the general configuration.
- Select TCP Profile and ROUND_ROBIN method and make sure to specify the persistence method (e.g. SRC_ADDR, HASH_SRC_ADDR), then select the configured real server pool.
config load-balance virtual-server
    edit "SSLVPN_L4"
        set interface port1
        set ip 123.1.1.1
        set port 10443
        set load-balance-profile LB_PROF_TCP
        set load-balance-persistence LB_PERSIS_SRC_ADDR
        set load-balance-method LB_METHOD_ROUND_ROBIN
        set load-balance-pool sslvpn_pool
    next
end
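As an added example (not part of the FortiADC documentation or product), the following Python parses the config/edit/set/next/end syntax used throughout this appendix and cross-checks the rules the steps above depend on: the virtual server's pool exists, a FullNAT virtual server carries a NAT source pool (ippool-list), a persistence method is set, and pool members behind an IPsec virtual server (UDP 500/4500) use service port 0. The sample snippet is constructed, reusing Solution 2's object names, with three deliberate mistakes so that each check fires; it assumes the default forwarding method is DNAT, as the steps state.

```python
def parse_fortiadc(text):
    """config/edit/set/next/end blocks -> {table: {entry: {key: [values]}}};
    a nested 'config' (pool_member) becomes a sub-table inside its entry."""
    root = {}
    stack, table, entry = [], root, None
    for line in text.splitlines():
        word, _, rest = line.strip().partition(' ')
        if word == 'config':
            stack.append((table, entry))
            table = (root if entry is None else entry).setdefault(rest, {})
            entry = None
        elif word == 'edit':
            entry = table.setdefault(rest.strip('"'), {})
        elif word == 'set':
            key, _, vals = rest.partition(' ')
            entry[key] = vals.split()
        elif word == 'next':
            entry = None
        elif word == 'end':
            table, entry = stack.pop()
    return root


def audit(cfg):
    """Return findings; an empty list means the snippet passes every check."""
    out, pools = [], cfg.get('load-balance pool', {})
    for name, vs in cfg.get('load-balance virtual-server', {}).items():
        pool = vs.get('load-balance-pool', [''])[0]
        if pool not in pools:
            out.append(f'{name}: pool {pool!r} is not defined')
        # FullNAT rewrites the client source, so it needs a NAT source pool.
        if vs.get('packet-forwarding-method', ['DNAT'])[0] == 'FullNAT' and 'ippool-list' not in vs:
            out.append(f'{name}: FullNAT without ippool-list')
        if 'load-balance-persistence' not in vs:
            out.append(f'{name}: no persistence method set')
        # IKE (UDP 500) and NAT-T (UDP 4500) members must keep service port 0.
        if {'500', '4500'} & set(vs.get('port', [])):
            for mid, member in pools.get(pool, {}).get('pool_member', {}).items():
                if member.get('pool_member_service_port') != ['0']:
                    out.append(f'{name}: member {mid} of {pool} must use service port 0')
    return out


# Constructed sample: Solution 2's IPsec objects with three deliberate mistakes.
SAMPLE = "\n".join([
    'config load-balance pool', ' edit "ipsecvpn_pool"', '  config pool_member', '   edit 1',
    '    set pool_member_service_port 500', '    set real-server vpn1', '   next', '  end',
    ' next', 'end', 'config load-balance virtual-server', ' edit "IPSecVPN_L4"',
    '  set packet-forwarding-method FullNAT', '  set port 500 4500',
    '  set load-balance-pool ipsecvpn_pool', ' next', 'end'])
```

Run `audit(parse_fortiadc(SAMPLE))` to list the three findings; paste a `show load-balance` export in place of SAMPLE to check a real configuration the same way.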