Fortinet Document Library
Version: 7.0.0
Appendix B: CLI Reference

Solution 1 Example Configuration

Steps
  1. Configure basic networking settings such as the interface IP (example: 123.1.1.50) and routing.
  2. To deploy the Layer 4 SLB, first create new real servers whose address is the IP of the listening FortiGate interface.

    config load-balance real-server
      edit "sslvpn1"
        set ip 123.1.1.1
      next
      edit "sslvpn2"
        set ip 123.1.1.2
      next
    end

  3. Create a new Real Server Pool and add real servers into it.

    config load-balance pool
      edit "sslvpn_pool"
        set health-check-ctrl enable
        set health-check-list LB_HLTHCK_ICMP
        set real-server-ssl-profile NONE
        config pool_member
          edit 1
            set pool_member_service_port 10443
            set pool_member_cookie rs1
            set real-server sslvpn1
          next
          edit 2
            set pool_member_service_port 10443
            set pool_member_cookie rs1
            set real-server sslvpn2
          next
        end
      next
    end

  4. Create a NAT source Pool in Server Load Balance > Virtual Server > NAT Source Pool.

    config load-balance ippool
      edit "nat1"
        set interface port1
        set ip-min 123.1.1.51
        set ip-max 123.1.1.60
      next
    end

  5. Finish the Basic and General configurations for the Virtual Server settings, including:
    1. Select Layer 4 type.
    2. Select the Full NAT Packet FORWARDING Method and specify the NAT source pool.
    3. Specify address, port, and interface in the general configuration.
    4. Select the TCP Profile and ROUND_ROBIN method and make sure to specify the persistence method (e.g. SRC_ADDR, HASH_SRC_ADDR), then select the configured real server pool.

    config load-balance virtual-server
      edit "SSLVPN_L4"
        set packet-forwarding-method FullNAT
        set interface port1
        set ip 123.1.1.50
        set port 10443
        set load-balance-profile LB_PROF_TCP
        set load-balance-persistence LB_PERSIS_SRC_ADDR
        set load-balance-method LB_METHOD_ROUND_ROBIN
        set load-balance-pool sslvpn_pool
        set ippool-list nat1
      next
    end

Solution 2 Example Configuration

Steps
  1. Change the network settings to match the topology in the in-line example, including:
    1. Modify the FortiGate network settings and any related configuration that depends on them.
    2. Set FortiADC as the gateway for outbound traffic.
    3. Configure basic networking settings such as the WAN interface IP (example: 123.1.1.1), the LAN interface IP, and routing, so that FortiADC takes over the original WAN-related function of the FortiGate.
  2. To deploy the Layer 4 SLB, first create new real servers whose address is the IP of the listening FortiGate interface.

    config load-balance real-server
      edit "vpn1"
        set ip 10.1.1.1
      next
      edit "vpn2"
        set ip 10.1.1.2
      next
    end

  3. Create separate Real Server Pools for IPsec and SSL VPN balancing and then add real servers into them.
    1. IPsec VPN: Specify port as 0 in the pool member service.

      config load-balance pool
        edit "ipsecvpn_pool"
          set health-check-ctrl enable
          set health-check-list LB_HLTHCK_ICMP
          set real-server-ssl-profile NONE
          config pool_member
            edit 1
              set pool_member_service_port 0
              set pool_member_cookie rs1
              set real-server vpn1
            next
            edit 2
              set pool_member_service_port 0
              set pool_member_cookie rs1
              set real-server vpn2
            next
          end
        next
      end

    2. SSL VPN: Specify the port you configured on FortiGate in the pool member service (example: 10443).

      config load-balance pool
        edit "sslvpn_pool"
          set health-check-ctrl enable
          set health-check-list LB_HLTHCK_ICMP
          set real-server-ssl-profile NONE
          config pool_member
            edit 1
              set pool_member_service_port 10443
              set pool_member_cookie rs1
              set real-server vpn1
            next
            edit 2
              set pool_member_service_port 10443
              set pool_member_cookie rs1
              set real-server vpn2
            next
          end
        next
      end

  4. Finish the Basic and General configurations:
    1. IPsec VPN Virtual Server settings:
      1. Select Layer 4 type.
      2. Use the default DNAT Packet FORWARDING Method.
      3. Specify address, ports (500, 4500), and interface in the general configuration.
      4. Select the UDP Profile and ROUND_ROBIN method and make sure to specify the persistence method (e.g. SRC_ADDR, HASH_SRC_ADDR), then select the configured real server pool.

      config load-balance virtual-server
        edit "IPSecVPN_L4"
          set interface port1
          set ip 123.1.1.1
          set port 500 4500
          set load-balance-profile LB_PROF_UDP
          set load-balance-persistence LB_PERSIS_HASH_SRC_ADDR
          set load-balance-method LB_METHOD_ROUND_ROBIN
          set load-balance-pool ipsecvpn_pool
        next
      end

    2. SSL VPN Virtual Server settings:
      1. Select Layer 4 type.
      2. Use the default DNAT Packet FORWARDING Method.
      3. Specify address, port, and interface in the general configuration.
      4. Select the TCP Profile and ROUND_ROBIN method and make sure to specify the persistence method (e.g. SRC_ADDR, HASH_SRC_ADDR), then select the configured real server pool.

      config load-balance virtual-server
        edit "SSLVPN_L4"
          set interface port1
          set ip 123.1.1.1
          set port 10443
          set load-balance-profile LB_PROF_TCP
          set load-balance-persistence LB_PERSIS_SRC_ADDR
          set load-balance-method LB_METHOD_ROUND_ROBIN
          set load-balance-pool sslvpn_pool
        next
      end
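Both solutions above use the same config/edit/set/next/end CLI structure, and the steps each require a real server pool, a persistence method, and (for Full NAT) a NAT source pool. The following added example, which is not Fortinet code, parses that structure and runs the consistency checks a reviewer would make before committing the change: each pool member points at a defined real server, each virtual server points at a defined pool and has a persistence method, pools have health checking enabled, and a FullNAT virtual server has a NAT source pool. The sample is a constructed, abridged copy of the Solution 1 configuration, and the names `parse` and `audit` are chosen here.

```python
# Added example (not Fortinet code): parse the config/edit/set/next/end CLI
# structure and flag the mistakes a reviewer checks for in an L4 SLB change.
# SAMPLE is a constructed, abridged Solution 1 config; ';' only keeps it short.
import re
import shlex

SAMPLE = (
    'config load-balance real-server; edit "sslvpn1"; set ip 123.1.1.1; next; end\n'
    'config load-balance pool; edit "sslvpn_pool"; set health-check-ctrl enable\n'
    '  config pool_member; edit 1; set real-server sslvpn1; next; end; next; end\n'
    'config load-balance ippool; edit "nat1"; set ip-min 123.1.1.51; next; end\n'
    'config load-balance virtual-server; edit "SSLVPN_L4"; set port 10443\n'
    '  set packet-forwarding-method FullNAT; set load-balance-pool sslvpn_pool\n'
    '  set load-balance-persistence LB_PERSIS_SRC_ADDR; set ippool-list nat1; next; end\n'
)

def parse(text):
    """Nested dicts: table -> entry -> {setting: value, subtable: {...}}."""
    root, stack = {}, []
    for stmt in re.split(r"[;\n]", text):
        tok = shlex.split(stmt)
        if not tok:
            continue
        cur = stack[-1] if stack else root
        if tok[0] in ("config", "edit"):       # open a table or one of its entries
            stack.append(cur.setdefault(" ".join(tok[1:]), {}))
        elif tok[0] == "set":                  # 'set port 500 4500' keeps both values
            cur[tok[1]] = " ".join(tok[2:])
        elif tok[0] in ("next", "end"):        # close the entry or the table
            stack.pop()
    return root

def audit(cfg):
    """Return the problems found; an empty list means the config is consistent."""
    real, pools = cfg.get("load-balance real-server", {}), cfg.get("load-balance pool", {})
    ippools, found = cfg.get("load-balance ippool", {}), []
    for name, pool in pools.items():
        if pool.get("health-check-ctrl") != "enable":
            found.append(f"pool {name}: health check disabled")
        for mid, member in pool.get("pool_member", {}).items():
            if member.get("real-server") not in real:
                found.append(f"pool {name} member {mid}: unknown real-server")
    for name, vs in cfg.get("load-balance virtual-server", {}).items():
        if vs.get("load-balance-pool") not in pools:
            found.append(f"virtual-server {name}: unknown pool")
        if "load-balance-persistence" not in vs:
            found.append(f"virtual-server {name}: no persistence method")
        if vs.get("packet-forwarding-method") == "FullNAT" and vs.get("ippool-list") not in ippools:
            found.append(f"virtual-server {name}: FullNAT without a NAT source pool")
    return found
```

Run `audit(parse(SAMPLE))` on a `show` dump with one statement per line and an empty list means the references are intact; to check the Solution 2 virtual servers, feed the same function their DNAT configuration.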
