Configuring GLB settings

Configure the global load balancing settings of the FQDN, including the following:

  • Listening interface — The listen interface and port are used for communication between the GLB and the SLB servers.

  • Authentication — Configure the authentication between the GLB and the server.

  • Dynamic proximity — This is used to order DNS lookup results based on the shortest application response time (RTT) for ICMP or TCP probes sent by the local SLB to the DNS resolver that sent the DNS request. The system caches the RTT results for the period specified by the timeout. When there are subsequent requests from clients that have a source IP address within the same network (as specified by the netmask affinity), the RTT is taken from the results table instead of a new, real-time probe. This reduces response time.

  • Persistence — Configure the source address affinity and a timeout for GSLB persistence. You enable persistence per host in the GSLB host configuration.
    If the DNS query is for a host that has persistence enabled, the DNS server replies with a response that has the virtual server IP addresses listed in the order determined by the GSLB proximity algorithms, and the client source IP address (for example 192.168.1.100) is recorded in the persistence table. If source address affinity is set to 24 bits, subsequent queries for the host from the 192.168.1.0/24 network are sent an answer with the virtual servers listed in the same order (unless a server becomes unavailable and is therefore omitted from the answer).
    Persistence is required for applications that include transactions across multiple hosts, so the persistence table is also used for queries for other hosts with the same domain. For example, a transaction on a banking application might include connections to login.bank.com and transfer.bank.com. To support persistence in these cases, the GSLB persistence lookup accounts for domain as well. The first query for login.bank.com creates a mapping for the source address network 192.168.1.0/24 and the domain bank.com. When the DNS server receives subsequent requests, it consults the persistence table for a source network match, then a domain match and a hostname match. In this example, as long as you have created host configurations for both login.bank.com and transfer.bank.com, and persistence is enabled for each, the persistence table can be used to ensure the DNS answers to queries from the same network list the resource records in the same order.
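The persistence lookup described above, as an added example that is not FortiADC code: a small Python model of the persistence table keyed by source network and domain, with the mask length and aging period from the Persistence settings. The class and method names, the per-host persistence flag (standing in for the hostname match against the host configuration), the rule that the domain is the last two labels, and the sample addresses are assumptions made for illustration.

```python
# Added example, not FortiADC code: a model of the GSLB persistence table
# described above. Class and method names, the per-host persistence_enabled
# flag and the sample addresses are assumptions made for illustration.
import ipaddress
import time


class GslbPersistenceTable:
    """Remembers the answer order given to a source network for a domain.

    Entries are keyed by (source network, domain), so a later query for a
    different host in the same domain (login.bank.com, then transfer.bank.com)
    reuses the remembered order. Entries expire after aging_period seconds.
    """

    def __init__(self, ipv4_mask_length=24, ipv6_mask_length=64,
                 aging_period=86400, clock=time.monotonic):
        self.ipv4_mask_length = ipv4_mask_length
        self.ipv6_mask_length = ipv6_mask_length
        self.aging_period = aging_period
        self.clock = clock
        # (network, domain) -> (ordered server list, time recorded)
        self._table = {}

    def _network(self, source_ip):
        # Source address affinity: reduce the client address to its network.
        addr = ipaddress.ip_address(source_ip)
        bits = self.ipv4_mask_length if addr.version == 4 else self.ipv6_mask_length
        return ipaddress.ip_network(f"{addr}/{bits}", strict=False)

    @staticmethod
    def _domain_of(hostname):
        # Assumption for this example: the domain is the last two labels,
        # e.g. login.bank.com -> bank.com.
        labels = hostname.lower().rstrip(".").split(".")
        return ".".join(labels[-2:])

    def answer(self, source_ip, hostname, proximity_order, persistence_enabled=True):
        """Return the virtual server IPs in the order to list in the DNS answer.

        proximity_order is the order the proximity algorithm would give now and
        contains only servers that are currently available. The host-level
        persistence flag stands in for the hostname match on the host config.
        """
        if not persistence_enabled:
            return list(proximity_order)
        key = (self._network(source_ip), self._domain_of(hostname))
        now = self.clock()
        entry = self._table.get(key)
        if entry is not None and now - entry[1] <= self.aging_period:
            remembered, _ = entry
            # Keep the remembered order, omitting servers that are no longer
            # available; servers added since are appended (assumption).
            order = [ip for ip in remembered if ip in proximity_order]
            order += [ip for ip in proximity_order if ip not in order]
            return order
        # First query from this network for this domain: record the order.
        self._table[key] = (list(proximity_order), now)
        return list(proximity_order)


def demo():
    """Walk through the banking example with constructed addresses."""
    table = GslbPersistenceTable(clock=lambda: 1000.0)
    first = table.answer("192.168.1.100", "login.bank.com", ["10.0.0.1", "10.0.0.2"])
    # Same /24, other host in bank.com, proximity now prefers the other server:
    same_net = table.answer("192.168.1.200", "transfer.bank.com", ["10.0.0.2", "10.0.0.1"])
    # A different /24 gets the current proximity order.
    other_net = table.answer("192.168.2.5", "login.bank.com", ["10.0.0.2", "10.0.0.1"])
    # A server becomes unavailable and is omitted from the remembered order.
    degraded = table.answer("192.168.1.7", "login.bank.com", ["10.0.0.2"])
    return {"first": first, "same_net": same_net, "other_net": other_net, "degraded": degraded}


if __name__ == "__main__":
    for name, order in demo().items():
        print(f"{name}: {order}")
```

The lookup order in the model follows the text: the source network is matched first (through the key), then the domain, and the per-host flag decides whether persistence applies at all. Note that the first query from a network fixes the order for every persistence-enabled host in that domain until the aging period expires, which is why a host whose persistence is enabled should be paired with the other hosts of the same transaction.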

Before you begin:
  • You must have Read-Write permission for Global Load Balance settings.
To configure the GLB settings of the FQDN:
  1. Go to Global Load Balance > FQDN.
  2. Click the GLB Setting tab.
  3. Configure the following GLB settings:

    Setting

    Description

    Auth Type

    Select the authentication type:

    • None — No password.
    • TCP MD5SIG — With password, but cannot be used if NAT is in between the client and server. The TCP MD5 signature on every packet is computed over the packet including its IP addresses, so when NAT rewrites the address the signature check always fails.
    • Auth Verify — The authentication key is sent to the server after a three-way handshake. The key is encrypted and NAT in between will not affect the authentication.

    Password

    The Password option is available if Auth Type is TCP MD5SIG or Auth Verify.

    Enter the password to authenticate the key.

    This password is used for authentication between the GLB and the server. The same password must be set on both, otherwise the two will not be able to synchronize.

    CA Verify

    Enable/disable the certificate verification when synchronizing the SLB information to the GSLB server.

    Trusted CA Group

    The Trusted CA Group option is available if CA Verify is enabled.

    Select a trusted CA group to verify the peer certificate.

    Trusted Intermediate CA Group

    The Trusted Intermediate CA Group option is available if CA Verify is enabled.

    Select a trusted intermediate CA group to verify the peer certificate.

    IPv4 Accessed Status

    Enable/disable listening for DNS requests on the interface IPv4 address.

    IPv6 Accessed Status

    Enable/disable listening for DNS requests on the interface IPv6 address.

    Listen on All Interfaces

    Enable/disable IPv4/IPv6 network access on all interfaces.

    Listen on Interface List

    The Listen on Interface List option is available if Listen on All Interfaces is disabled.

    Specify specific interfaces for IPv4/IPv6 network access.

    Listen on Port

    Specify the port to listen on. Default: 5858. Range: 1-65535.
  4. Configure the following Proximity settings:

    Setting

    Description

    Protocol

    Select the proximity detection protocol:

    • ICMP

    • ICMP and TCP

    Retry Number

    Specify the number of retries if the probe fails. The default is 3. The valid range is 1-10 times.

    Retry Interval

    Specify the interval between retries if the probe fails. The default is 3. The valid range is 1-3600 seconds.

    IPv4 Prefix Length

    Specify the number of IPv4 netmask bits that define network affinity for the RTT table. The default is 24. For example, if the GLB records an RTT for a client with source IP address 192.168.1.100, the record is stored and applies to all requests from the 192.168.1.0/24 network.

    IPv6 Prefix Length

    Specify the number of IPv6 netmask bits that define network affinity for the RTT table. The default is 64.

    Aging Timeout

    Specify how long RTT results are cached: the length of time in seconds for which an RTT cache entry is valid. The default is 86400. The valid range is 60-2,592,000 seconds.
  5. Configure the following Persistence settings:

    Setting

    Description

    IPv4 Mask Length

    Specify the number of IPv4 netmask bits that define network affinity for the persistence table. The default is 24.

    IPv6 Mask Length

    Specify the number of IPv6 netmask bits that define network affinity for the persistence table. The default is 64.

    Aging Period

    Specify the length of time in seconds for which the entry is maintained in the persistence table. The default is 86400. The valid range is 60-2,592,000 seconds.
  6. Click Save.
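The dynamic proximity behaviour configured in step 4, as an added example that is not FortiADC code: a Python model of the RTT table that keys results by the resolver's network (IPv4 Prefix Length / IPv6 Prefix Length), re-probes only after the Aging Timeout, retries a failed probe Retry Number times at Retry Interval seconds, and orders sites by shortest RTT. The probe callback, the class and method names, the reading that "retries" do not count the first attempt, and the sample resolver addresses are assumptions made for illustration; a real probe would send the ICMP or TCP packets that the Protocol setting selects.

```python
# Added example, not FortiADC code: a model of the dynamic proximity RTT table
# configured in step 4. The probe callback, class and method names and the
# sample resolver addresses are assumptions made for illustration; a real
# probe would send the ICMP or TCP packets the Protocol setting selects.
import ipaddress
import time


class ProximityRttTable:
    """Caches probe RTTs per (resolver network, site) and orders sites by them."""

    def __init__(self, probe, ipv4_prefix_length=24, ipv6_prefix_length=64,
                 aging_timeout=86400, retry_number=3, retry_interval=3,
                 clock=time.monotonic, sleep=time.sleep):
        self.probe = probe          # probe(site, resolver_ip) -> RTT in ms, or None on failure
        self.ipv4_prefix_length = ipv4_prefix_length
        self.ipv6_prefix_length = ipv6_prefix_length
        self.aging_timeout = aging_timeout
        self.retry_number = retry_number
        self.retry_interval = retry_interval
        self.clock = clock
        self.sleep = sleep
        self._cache = {}            # (resolver network, site) -> (rtt_ms, measured_at)

    def _network(self, resolver_ip):
        # Netmask affinity: all resolvers in the same prefix share one entry.
        addr = ipaddress.ip_address(resolver_ip)
        bits = self.ipv4_prefix_length if addr.version == 4 else self.ipv6_prefix_length
        return ipaddress.ip_network(f"{addr}/{bits}", strict=False)

    def _measure(self, site, resolver_ip):
        # One initial probe plus retry_number retries, retry_interval seconds
        # apart (assumption: "retries" does not count the first attempt).
        attempts = 1 + self.retry_number
        for attempt in range(attempts):
            rtt = self.probe(site, resolver_ip)
            if rtt is not None:
                return rtt
            if attempt < attempts - 1:
                self.sleep(self.retry_interval)
        return None

    def rtt(self, site, resolver_ip):
        """Return the cached RTT if still valid, otherwise probe and cache it."""
        key = (self._network(resolver_ip), site)
        now = self.clock()
        entry = self._cache.get(key)
        if entry is not None and now - entry[1] <= self.aging_timeout:
            return entry[0]
        measured = self._measure(site, resolver_ip)
        if measured is not None:
            self._cache[key] = (measured, now)
        return measured

    def order(self, sites, resolver_ip):
        """Order sites by shortest RTT to the resolver; unreachable sites go last."""
        results = [(self.rtt(site, resolver_ip), site) for site in sites]
        reachable = sorted((r, s) for r, s in results if r is not None)
        unreachable = [s for r, s in results if r is None]
        return [s for _, s in reachable] + unreachable


def demo():
    """Two queries from the same /24: the second is answered from the table."""
    calls = []
    fail_once = {"site-b"}   # site-b's first probe fails and succeeds on retry
    slept = []

    def fake_probe(site, resolver_ip):
        calls.append((site, resolver_ip))
        if site in fail_once:
            fail_once.discard(site)
            return None
        return {"site-a": 80.0, "site-b": 20.0}.get(site)   # site-c never answers

    table = ProximityRttTable(fake_probe, clock=lambda: 0.0, sleep=slept.append)
    first = table.order(["site-a", "site-b", "site-c"], "203.0.113.10")
    probes_after_first = len(calls)
    second = table.order(["site-a", "site-b", "site-c"], "203.0.113.77")
    return {
        "first_order": first,
        "second_order": second,
        "probes_after_first": probes_after_first,   # 7: a=1, b=2, c=4
        "probes_after_second": len(calls),          # 11: only site-c is re-probed
        "sleeps": len(slept),                        # 7 retry waits in total
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The model makes two operational points visible: a site that never answers the probe is re-probed on every query (nothing is cached for it), so with the defaults each such query costs four attempts and nine seconds of retry waits; and because results are shared across a whole prefix, one resolver's measurement decides the ordering for every resolver in that prefix until the aging timeout expires.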
