Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Products Best Practices Hardware Guides Products A-Z
Summary
By Solution
By 4D Pillars
By Cloud
Secure Networking
Unified SASE
Security Operations
Secure SD-WAN
Secure Access Service Edge (SASE)
ZTNA
LAN Edge
Identity and Access Management
Next Generation Firewall
Public Cloud
Private Cloud
FortiCloud
Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
    • More >>
    Unified SASE
  • Single Vendor SASE
  • Cloud Network Security
  • Secure Endpoint Connectivity
  • Web Application / API Protection
    • More >>
    Security Operations
  • Security Operations Automation
  • Identity
  • Early Detection & Prevention
    • More >>
    Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
  • Communication & Surveillance
    • Unified SASE
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Cloud Network Security
  • Cloud-Native Security
  • Web Application / API Protection
    • Security Operations
  • Security Operations Automation
  • Endpoint
  • Data Protection
  • Identity
  • Email
  • Early Detection & Prevention
  • Expert Services
  • Edge Firewall
  • Orchestration & management
  • SD Branch
  • Application Delivery
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Secure Private Access
  • Thin Edge
  • Identity
  • Application Gateway
  • Enterprise Asset Management
  • Endpoint Agent
  • Agentless Security Posture
  • Identity
  • Wireless
  • Switching
  • Identity
  • Privilege Acccess Management
  • Next Generation Firewall
  • Orchestration & management
  • Expert Services
  • All
  • All
  • Account Management
  • SAAS Management
  • SAAS Application Security
  • Managed Services
  • Platform as a service (PAAS)
  • Other SAAS Services
    • 4D Resources
    Solution Hubs
  • 4D Pillars
  • Cloud
  • Popular Solutions

    • User Guide

    Home FortiAppSec Cloud User Guide

    FortiGate Integration with One-Click GSLB

    FortiGate Integration with One-Click GSLB

    GSLB seamlessly integrates with FortiGate through the use of One-Click GSLB, streamlining server connections for enhanced efficiency. This section covers the following:

    By enabling One-Click GSLB, FortiGate synchronizes the Fully Qualified Domain Name (FQDN) configuration with Virtual IP (VIP) or Zero Trust Network Access (ZTNA) server features. This is beneficial for FortiGate customers that would like to load-balance an application across multiple data centers, based on factors such as availability or geographical location. In such cases, you can publish this application using a single FQDN on FortiAppSec Cloud using one-click GSLB. The result is a single domain with multiple unique IP addresses corresponding to the different FortiGates.

    Please note that this feature is currently only available through the command line (CLI) and does not support web GUI configuration.

    Packet Flow

    1. The client sends a DNS query to the GSLB (www.test.com)

    2. GSLB will redirect the user (based on the application Health Check) to the most available application according to the Geolocation, load, proximity, and service availability.

    Configuration prerequisites

    • The account of FortiGate’s license should have a valid GSLB QPS license as well as a valid HC license.

    • To enable a connector, the account license for FortiGate must match that of GSLB.

    • This feature is supported by FortiGate version 7.4.2.

    Configuration steps

    1. Enable GSLB connector from FortiGate.

      1. CLI:

        config system global

        set GSLB-integration enable

        end

    2. Configure the ZTNA/VIP policy and add the FQDN (hostname + domain) to the policy.

      1. CLI:

        Example VIP configuration:

        Example ZTNA configuration:

    3. The FortiGate syncs the ZTNA/VIP configuration (along with the FQDN) to the GSLB via the One-Click GSLB connector.

    4. You can always edit the VIP/domain/hostname on the FortiGate, which will automatically change on the GSLB.

    5. Go to Profiles > Health Check and click Create New to set up a health check for your newly added FQDN. For more information and full descriptions of each field, see Health check.

    How to check the status of the FQDN on FortiAppSec Cloud GSLB

    1. Login to FortiAppSec Cloud and navigate to GSLB

    2. Go to Organization via the left side navigation bar, and click on the organization in which you created your FQDN.

    3. Once you are in your individual organization's portal, go to GSLB Services via the left side navigation bar.

    4. Click on the name of the newly created FQDN. This opens a modal window (pictured below) that displays more details regarding the FQDN.

      Details for FQDN created from the VIP configuration under Configuration steps:

      Details for FQDN created from ZTNA configuration underConfiguration steps:

      Example of an FQDN with multiple Virtual Servers:

      If your FQDN does not appear in GSLB Services on the GSLB GUI, it could be due to the External IP (ExtIP) in the VIP/ZTNA being a private IP address. In other words, this refers to an IP reserved for use within private networks and is not routable on the public internet. In such instances, consider configuring the corresponding public IP address using config gslb-public-ips in the CLI.

    5. Once your health check is set up, you can also see the status of your servers in Profiles > Health Check. For more information and full descriptions of each field, see Health check.

    How to view/edit FortiGate connector via GSLB after integration

    1. Navigate to Fabric Connectors and click on the relevant FortiGate involved in this process to check its status.

      On this page, you have the option to edit the FQDN/IPs on the FortiGate configuration by clicking on the edit icon on the right-hand side. To add a virtual server to a connector, click Create Member.

      To learn more about all the features available on this page, please refer to Fabric connector.

    How to load balance traffic based on geolocation

    1. Go to Profiles > Data Center

    2. Click Create New to create the data center for the connector. The default data center for One-Click GSLB is set the United States, but you can set your region to any option in the drop-down lists under Region.

    3. Navigate to Fabric Connectors and click the edit icon next to the desired connector.

      In Edit Connector, open the drop-down list under Data Center and select the data center you created in the previous step.

    4. Go to GSLB services, select the desired FQDN and click the edit icon next to its virtual pool.

      In Edit Pool, change the Preferred method to GEO.

    Previous
    Next

    FortiGate Integration with One-Click GSLB

    FortiGate Integration with One-Click GSLB

    GSLB seamlessly integrates with FortiGate through the use of One-Click GSLB, streamlining server connections for enhanced efficiency. This section covers the following:

    By enabling One-Click GSLB, FortiGate synchronizes the Fully Qualified Domain Name (FQDN) configuration with Virtual IP (VIP) or Zero Trust Network Access (ZTNA) server features. This is beneficial for FortiGate customers that would like to load-balance an application across multiple data centers, based on factors such as availability or geographical location. In such cases, you can publish this application using a single FQDN on FortiAppSec Cloud using one-click GSLB. The result is a single domain with multiple unique IP addresses corresponding to the different FortiGates.

    Please note that this feature is currently only available through the command line (CLI) and does not support web GUI configuration.

    Packet Flow

    1. The client sends a DNS query to the GSLB (www.test.com)

    2. GSLB will redirect the user (based on the application Health Check) to the most available application according to the Geolocation, load, proximity, and service availability.

    Configuration prerequisites

    • The account of FortiGate’s license should have a valid GSLB QPS license as well as a valid HC license.

    • To enable a connector, the account license for FortiGate must match that of GSLB.

    • This feature is supported by FortiGate version 7.4.2.

    Configuration steps

    1. Enable GSLB connector from FortiGate.

      1. CLI:

        config system global

        set GSLB-integration enable

        end

    2. Configure the ZTNA/VIP policy and add the FQDN (hostname + domain) to the policy.

      1. CLI:

        Example VIP configuration:

        Example ZTNA configuration:

    3. The FortiGate syncs the ZTNA/VIP configuration (along with the FQDN) to the GSLB via the One-Click GSLB connector.

    4. You can always edit the VIP/domain/hostname on the FortiGate, which will automatically change on the GSLB.

    5. Go to Profiles > Health Check and click Create New to set up a health check for your newly added FQDN. For more information and full descriptions of each field, see Health check.

    How to check the status of the FQDN on FortiAppSec Cloud GSLB

    1. Login to FortiAppSec Cloud and navigate to GSLB

    2. Go to Organization via the left side navigation bar, and click on the organization in which you created your FQDN.

    3. Once you are in your individual organization's portal, go to GSLB Services via the left side navigation bar.

    4. Click on the name of the newly created FQDN. This opens a modal window (pictured below) that displays more details regarding the FQDN.

      Details for FQDN created from the VIP configuration under Configuration steps:

      Details for FQDN created from ZTNA configuration underConfiguration steps:

      Example of an FQDN with multiple Virtual Servers:

      If your FQDN does not appear in GSLB Services on the GSLB GUI, it could be due to the External IP (ExtIP) in the VIP/ZTNA being a private IP address. In other words, this refers to an IP reserved for use within private networks and is not routable on the public internet. In such instances, consider configuring the corresponding public IP address using config gslb-public-ips in the CLI.

    5. Once your health check is set up, you can also see the status of your servers in Profiles > Health Check. For more information and full descriptions of each field, see Health check.

    How to view/edit FortiGate connector via GSLB after integration

    1. Navigate to Fabric Connectors and click on the relevant FortiGate involved in this process to check its status.

      On this page, you have the option to edit the FQDN/IPs on the FortiGate configuration by clicking on the edit icon on the right-hand side. To add a virtual server to a connector, click Create Member.

      To learn more about all the features available on this page, please refer to Fabric connector.

    How to load balance traffic based on geolocation

    1. Go to Profiles > Data Center

    2. Click Create New to create the data center for the connector. The default data center for One-Click GSLB is set the United States, but you can set your region to any option in the drop-down lists under Region.

    3. Navigate to Fabric Connectors and click the edit icon next to the desired connector.

      In Edit Connector, open the drop-down list under Data Center and select the data center you created in the previous step.

    4. Go to GSLB services, select the desired FQDN and click the edit icon next to its virtual pool.

      In Edit Pool, change the Preferred method to GEO.

    Previous
    Next