CLI Reference

config global-load-balance servers

Use this command to configure global load balance servers.

In the global server load balance (GSLB) configuration, servers are the local server load balancers (SLBs), that is, the FortiADC instances or third-party servers whose virtual servers are to be load balanced. For FortiADC instances, the GLB checks the status of the local SLB and synchronizes configuration from it, so that it learns the set of virtual servers that can be included in the GLB virtual server pool.

Figure 1 illustrates configuration discovery. You use the execute discovery-glb-virtual-server command to populate the virtual-server-list configuration. Placement in this list does not by itself include a virtual server in the pool; you must also name it explicitly in the virtual server pool configuration.

Figure 1: Virtual server discovery

Before you begin:
  • You must have created the data center configuration objects that are associated with the local SLB.
  • You must have created virtual server configurations on the local FortiADC SLB so that you can use the execute discovery-glb-virtual-server command to discover them.
  • If you use the SDN-Connector server type, you must have created an SDN connector configuration.
    Note: Currently, the SDN Connector option only supports AWS connectors.
  • You must have read-write permission for global load balancing settings.

After you have created a server configuration object, you can specify it in the global load balancing virtual server pool configuration.

Syntax

config global-load-balance servers

edit <name>

set server-type {FortiADC-SLB|Generic-Host|SDN-Connector}

set auth-type {none|TCP_MD5SIG|auth_verify}

set auth-key <string>

set user-defined-certificate {enable|disable}

set cert <datasource>

set address-type {ipv4|ipv6}

set ip <ip&netmask>

set ip6 <ipv6&netmask>

set port <integer>

set sdn-connector <datasource>

set use-sdn-private-ip {enable|disable}

set data-center <datasource>

set auto-sync {enable|disable}

set health-check-ctrl {enable|disable}

set health-check-relation {AND|OR}

set health-check-list <datasource> <datasource> ...

config virtual-server-list

edit <name>

set address-type {ipv4|ipv6}

set ip <ip&netmask>

set ip6 <ipv6&netmask>

set gateway <string>

set instance <datasource>

set health-check-inherit {enable|disable}

set health-check-ctrl {enable|disable}

set health-check-list <datasource> <datasource> ...

set health-check-relation {AND|OR}

next

end

next

end

server-type

Select the type of remote server to use for global server load balancing:

  • FortiADC-SLB — use a FortiADC instance.
  • Generic-Host — use a third party ADC or server.
  • SDN-Connector — use an existing external connector that is connected to the FortiADC Security Fabric.
    Note: Currently, the SDN Connector option only supports AWS Connectors.

auth-type

The auth-type option is available if server-type is FortiADC-SLB.

Select the authentication type:

  • none — No password.
  • TCP_MD5SIG — With password. Cannot be used if NAT is in between the GSLB node and the server. The TCP MD5 signature option (RFC 2385) is an MD5 digest computed over the TCP pseudo-header (which contains the source and destination IP addresses), the TCP header, the segment data and the shared key; it authenticates each segment, it does not encrypt anything. Because a NAT device rewrites the IP addresses, the digest the receiver computes never matches the one carried in the packet, so every segment fails verification.
  • auth_verify — The authentication key is sent to the server after the TCP three-way handshake completes. The key is sent encrypted and the check does not depend on the IP addresses, so NAT in between does not affect the authentication.
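The following Python script is an added example, not FortiADC code, that makes the TCP_MD5SIG limitation concrete. It computes the RFC 2385 signature exactly as the RFC specifies (pseudo-header, fixed TCP header with a zeroed checksum, payload, key) and then verifies it once with the sender's real address and once with the address a NAT device would substitute. The addresses, port numbers and shared key are constructed for illustration; only port 5858 comes from this page.

```python
"""TCP MD5 signature option (RFC 2385) and why NAT breaks it.

Added example, not FortiADC code. All addresses and the key are constructed.
"""
import hashlib
import hmac
import ipaddress
import struct

TCP_PROTOCOL = 6
MD5_OPTION_PADDED = 20  # kind(1) + length(1) + 16-byte digest, padded to a 32-bit boundary


def build_tcp_header(sport: int, dport: int, seq: int, ack: int,
                     flags: int, window: int = 65535) -> bytes:
    """Fixed 20-byte TCP header without options. The data offset accounts for
    the 20 bytes of option space the padded MD5 option occupies on the wire."""
    data_offset_words = (20 + MD5_OPTION_PADDED) // 4
    return struct.pack("!HHIIBBHHH", sport, dport, seq, ack,
                       data_offset_words << 4, flags, window, 0, 0)


def tcp_md5_signature(src_ip: str, dst_ip: str, tcp_header: bytes,
                      payload: bytes, key: bytes) -> bytes:
    """Digest input order per RFC 2385 section 2.0:
      1. pseudo-header: source IP, destination IP, zero, protocol, segment length
      2. the fixed TCP header with the checksum field zeroed (options excluded)
      3. the TCP segment data
      4. the shared key
    The segment length counts the option bytes that are present on the wire.
    """
    if len(tcp_header) != 20:
        raise ValueError("pass the 20-byte fixed TCP header without options")
    segment_len = len(tcp_header) + MD5_OPTION_PADDED + len(payload)
    pseudo = (ipaddress.IPv4Address(src_ip).packed
              + ipaddress.IPv4Address(dst_ip).packed
              + struct.pack("!BBH", 0, TCP_PROTOCOL, segment_len))
    # Checksum occupies header bytes 16..18; the digest is computed with it zeroed.
    header_zero_csum = tcp_header[:16] + b"\x00\x00" + tcp_header[18:]
    return hashlib.md5(pseudo + header_zero_csum + payload + key).digest()


def verify_tcp_md5(src_ip: str, dst_ip: str, tcp_header: bytes, payload: bytes,
                   key: bytes, received_digest: bytes) -> bool:
    """Receiver side: recompute from the addresses actually seen on the wire
    and compare the digests in constant time."""
    expected = tcp_md5_signature(src_ip, dst_ip, tcp_header, payload, key)
    return hmac.compare_digest(expected, received_digest)


# Constructed values for the demonstration (not from the page, except the port).
KEY = b"example-gslb-shared-key"
GLB_IP = "10.0.0.10"            # GSLB node on a private network behind NAT
NAT_PUBLIC_IP = "198.51.100.1"  # source address after the NAT device rewrites it
SLB_IP = "192.0.2.50"           # remote FortiADC SLB management address
SLB_PORT = 5858                 # default GSLB port documented on this page


def demo_nat() -> dict:
    """Sign a SYN with the sender's own address, then verify it as the remote
    FortiADC would: directly, behind NAT, and with a mismatched key."""
    hdr = build_tcp_header(sport=40000, dport=SLB_PORT, seq=1, ack=0, flags=0x02)
    sig = tcp_md5_signature(GLB_IP, SLB_IP, hdr, b"", KEY)
    return {
        "direct": verify_tcp_md5(GLB_IP, SLB_IP, hdr, b"", KEY, sig),
        "behind_nat": verify_tcp_md5(NAT_PUBLIC_IP, SLB_IP, hdr, b"", KEY, sig),
        "wrong_key": verify_tcp_md5(GLB_IP, SLB_IP, hdr, b"", b"other-key", sig),
    }


if __name__ == "__main__":
    print(demo_nat())  # {'direct': True, 'behind_nat': False, 'wrong_key': False}
```

The "behind_nat" result is the failure mode described above: nothing is wrong with the key, but the pseudo-header the receiver feeds into MD5 contains the rewritten source address, so the digest cannot match. Choose auth_verify when any address translation sits on the path between the GSLB node and the remote FortiADC.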

auth-key

The auth-key option is available if server-type is FortiADC-SLB and auth-type is TCP_MD5SIG.

Enter the authentication key (password).

The key you enter here must match the key configured on the remote FortiADC appliance in its global server load-balancing configuration.

user-defined-certificate

The user-defined-certificate option is available if server-type is FortiADC-SLB.

Enable to use a certificate that you supply for authenticating the GSLB server connection.

cert

The cert option is available if server-type is FortiADC-SLB and user-defined-certificate is enabled.

Select the local certificate object to use for the GSLB server.

address-type

The address-type option is available if server-type is FortiADC-SLB.

IPv4 or IPv6.

ip/ip6

The ip or ip6 option is available if server-type is FortiADC-SLB.

Specify the IPv4 or IPv6 address of the remote FortiADC management interface. This address is used for synchronization and for status checks. If the management interface is unreachable, the virtual servers on that FortiADC are excluded from DNS responses.

port

The port option is available if server-type is FortiADC-SLB.

Specify the port used to reach the remote FortiADC. Default: 5858. Range: 1-65535.

sdn-connector

The sdn-connector option is available if server-type is SDN-Connector.

Select the SDN connector whose instances are synchronized into this GSLB server.
For servers of a public SDN type, GSLB can update the public IP address dynamically.
Note: Currently, only AWS connectors are supported.

use-sdn-private-ip

The use-sdn-private-ip option is available if server-type is SDN-Connector.

Enable to use the instance's SDN private IP address rather than its public IP address.

data-center

Select a data center configuration object. The data center configuration object properties are used to establish the proximity of the servers and the client requests.

auto-sync

Enable/disable automatic synchronization with the remote server. When enabled, global load balancing synchronizes automatically with the server member.

If auto-sync is enabled for SDN-Connector type servers, all instances from the SDN connector are added as server members.

Note: When you disable auto-sync, the server member list is cleared and re-synced.

health-check-ctrl

The health-check-ctrl option is available if server-type is Generic-Host or SDN-Connector.

Enable/disable health checks for the virtual server list. The health check settings at this level are the parent configuration; when you configure each list member, you can specify whether to inherit or override them.

Note: For FortiADC-SLB servers, status checking is built in (see ip/ip6); for those servers you can optionally configure a gateway health check on the list member.

health-check-relation

The health-check-relation option is available if server-type is Generic-Host or SDN-Connector, and health-check-ctrl is enabled.

  • AND—All of the specified health checks must pass for the server to be considered available.
  • OR—One of the specified health checks must pass for the server to be considered available.

health-check-list

The health-check-list option is available if server-type is Generic-Host or SDN-Connector, and health-check-ctrl is enabled.

Select one or more health check configuration objects.

config virtual-server-list

When servers are FortiADC servers, use execute discovery-glb-virtual-server to populate the basic virtual-server-list configuration. After it has been populated, you can optionally add a gateway health check.

<name>

Must match the virtual server configuration name on the local FortiADC.

address-type

The address-type option is available if server-type is FortiADC-SLB.

IPv4 or IPv6.

ip/ip6

The ip or ip6 option is available if server-type is FortiADC-SLB.

The virtual server's IPv4 or IPv6 address on the local FortiADC.

gateway

The gateway option is available if server-type is FortiADC-SLB.

Specify a gateway to enable an additional health check that asks whether the gateway beyond the FortiADC is reachable. The string must match the configuration name of a link load balancing gateway.

instance

The instance option is available if server-type is SDN-Connector.

Select an instance from the SDN connector's instance list.

health-check-inherit

The health-check-inherit option is available if server-type is Generic-Host or SDN-Connector.

Enable to inherit the health check settings from the parent (server-level) configuration. The option is enabled by default. Disable to specify health check settings in this member configuration.

health-check-ctrl

The health-check-ctrl option is available if server-type is Generic-Host or SDN-Connector, and health-check-inherit is disabled.

Enable health checking for the virtual server.

health-check-list

The health-check-list option is available if server-type is Generic-Host or SDN-Connector, and health-check-inherit is disabled.

Specify one or more health check configuration objects.

health-check-relation

The health-check-relation option is available if server-type is Generic-Host or SDN-Connector, and health-check-inherit is disabled.

  • AND—All of the selected health checks must pass for the server to be considered available.
  • OR—One of the selected health checks must pass for the server to be considered available.
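The following Python model is an added example, not FortiADC code. It covers both the server-level health check settings (health-check-ctrl, health-check-relation, health-check-list) and the per-member inherit/override settings described for the virtual-server-list, and computes which members count as available for a given set of check results. Three behaviours are assumptions, because the page does not state them: a member whose health checking is disabled counts as available, a check with no result counts as failed (fail closed), and an enabled policy with an empty check list is rejected as a misconfiguration. The health check object names and results are constructed.

```python
"""Effective health-check policy for GSLB server members (added example,
not FortiADC code). Check names and results below are constructed."""
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass
class HealthCheckPolicy:
    """Mirrors health-check-ctrl, health-check-relation and health-check-list."""
    ctrl: bool = False
    relation: str = "AND"
    checks: List[str] = field(default_factory=list)


@dataclass
class VirtualServerMember:
    """One virtual-server-list entry. `own` is consulted only when inherit is disabled."""
    name: str
    inherit: bool = True  # health-check-inherit is enabled by default
    own: HealthCheckPolicy = field(default_factory=HealthCheckPolicy)


def effective_policy(parent: HealthCheckPolicy,
                     member: VirtualServerMember) -> HealthCheckPolicy:
    """health-check-inherit enabled: use the parent (server-level) settings."""
    return parent if member.inherit else member.own


def is_available(policy: HealthCheckPolicy, results: Dict[str, bool]) -> bool:
    """Combine check results with the AND/OR relation.

    Assumptions (not stated on the page): health checking disabled means the
    member is treated as available; a missing result counts as a failure;
    an enabled policy with no checks is a configuration error.
    """
    if not policy.ctrl:
        return True
    if not policy.checks:
        raise ValueError("health-check-ctrl enabled but health-check-list is empty")
    outcomes = [results.get(name, False) for name in policy.checks]  # fail closed
    if policy.relation == "AND":
        return all(outcomes)
    if policy.relation == "OR":
        return any(outcomes)
    raise ValueError(f"unknown health-check-relation {policy.relation!r}")


def available_members(parent: HealthCheckPolicy, members: List[VirtualServerMember],
                      results: Dict[str, bool]) -> List[str]:
    """Names of the members that pass their effective health check policy."""
    return [m.name for m in members
            if is_available(effective_policy(parent, m), results)]


def demo_members() -> List[str]:
    # Server level: both checks must pass (AND).
    parent = HealthCheckPolicy(ctrl=True, relation="AND",
                               checks=["HC_ICMP", "HC_HTTP"])
    members = [
        # Inherits the parent: needs HC_ICMP and HC_HTTP.
        VirtualServerMember("www_example_com"),
        # Overrides the parent: either HC_ICMP or HC_SMTP is enough (OR).
        VirtualServerMember("mail_example_com", inherit=False,
                            own=HealthCheckPolicy(ctrl=True, relation="OR",
                                                  checks=["HC_ICMP", "HC_SMTP"])),
        # Overrides the parent with health checking disabled.
        VirtualServerMember("legacy_example_com", inherit=False,
                            own=HealthCheckPolicy(ctrl=False)),
    ]
    # Constructed results: only the ICMP check succeeded this round.
    results = {"HC_ICMP": True, "HC_HTTP": False, "HC_SMTP": False}
    return available_members(parent, members, results)


if __name__ == "__main__":
    print(demo_members())  # ['mail_example_com', 'legacy_example_com']
```

In the demonstration, www_example_com inherits the AND relation and drops out because the HTTP check failed, while mail_example_com survives on its own OR relation with only the ICMP check passing. The fail-closed choice for missing results is deliberate: a health check object that was renamed or deleted should remove a member from service, not silently keep it in DNS responses.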

Example

FortiADC-VM # config global-load-balance servers

FortiADC-VM (servers) # edit FortiADC-2

FortiADC-VM (FortiADC-2) # set auth-type TCP_MD5SIG

FortiADC-VM (FortiADC-2) # set auth-key ENC QVhOH9Wvq6q4BP2sqQMNJ6FDWWYcZA6THCj/sHFGHtAb6qO5nqy1SJ9PpEpc+yk/j8XWfXeORT8DsF8KDBhDL9K5Ms9sXs1y8gUQbtFnCIHKwIpf

FortiADC-VM (FortiADC-2) # set data-center United_States

FortiADC-VM (FortiADC-2) # set auto-sync enable

FortiADC-VM (FortiADC-2) # set ip 172.30.144.100

FortiADC-VM (FortiADC-2) # set server-type FortiADC-SLB

FortiADC-VM (FortiADC-2) # show

config global-load-balance servers

edit "FortiADC-2"

set ip 172.30.144.100

set data-center United_States

config virtual-server-list

end

next

end

FortiADC-VM (FortiADC-2) # end

FortiADC-VM # execute discovery-glb-virtual-server server FortiADC-2

FortiADC-VM # show global-load-balance servers FortiADC-2

config global-load-balance servers

edit "FortiADC-2"

set ip 172.30.144.100

set data-center United_States

config virtual-server-list

edit "mail_example_com"

set ip 192.0.2.2

set port 80

next

edit "www_example_com"

set ip 192.0.2.1

set port 811

next

end

next

end

FortiADC-VM # config global-load-balance servers

FortiADC-VM (servers) # edit FortiADC-2

FortiADC-VM (FortiADC-2) # config virtual-server-list

FortiADC-VM (virtual-server~l) # show

config virtual-server-list

edit "mail_example_com"

set ip 192.0.2.2

set port 80

next

edit "www_example_com"

set ip 192.0.2.1

set port 811

next

end

FortiADC-VM (virtual-server~l) # edit www_example_com

FortiADC-VM (www_example_com) # set gateway US-ISP1

FortiADC-VM (www_example_com) # end

FortiADC-VM (FortiADC-2) # end
