Administration Guide

Fabric integration with FortiGSLB

Fabric integration between the FortiGate and FortiGSLB allows a FortiGate to publish custom host and domain names directly to FortiGSLB. This enables external IPs on VIPs used in ZTNA server objects to be published with the host and domain names directly to FortiGSLB, where its DNS service can provide nameserver lookups for the FQDNs.

In a basic use case, the hostname, domain name, and external IP of a ZTNA server can be published, and any subsequent updates to the address are immediately pushed to FortiGSLB.

In a more advanced setup, one FQDN can map to several external IPs, and FortiGSLB load balances across them.

In addition, FortiGSLB can perform health checks on the external IPs and return the address of the link with the best metrics. See How to add FortiGate SD-WAN Inbound Load Balancing to FortiGSLB in the FortiGSLB Handbook for more information.

Note

This feature requires a valid FortiGSLB account contract (FGCS). If no valid FGCS contract is found, the CLI returns a warning message during configuration and nothing is published until the account is licensed:

No license detected for FortiGSLB.
GSLB configuration and statistics will not be reported unless the account is licensed.

To enable VIP and ZTNA server integration with the FortiGSLB Cloud service:
config system global
    set fortigslb-integration {enable | disable}
end

To configure the FortiGSLB settings in the VIP:
config firewall vip
    edit <name>
        set one-click-gslb-server {enable | disable}
        set gslb-hostname <string>
        set gslb-domain-name <string>
        config gslb-public-ips
            edit <id> 
                set ip <IP_address>
            next
        end
    next
end

one-click-gslb-server {enable | disable}

Enable/disable integration with FortiGSLB.

gslb-hostname <string>

Enter the hostname portion of the FQDN that will be used within the configured FortiGSLB domain.

gslb-domain-name <string>

Enter the domain name portion of the FQDN. This is the domain configured in FortiGSLB under which the hostname is published.

ip <IP_address>

Enter a custom publicly accessible IP address to publish instead of the VIP's external IP address (extip). This setting is optional. When it is set, FortiGSLB receives only the addresses listed under gslb-public-ips: in the example below, ztna_vip3 has extip 172.18.62.68 but publishes 172.18.62.69. Because FortiGSLB returns these addresses directly in its DNS answers, they must be reachable by the clients that will resolve the FQDN.

Example

In this example, a FortiGate has three WAN interfaces, each with its own VIP, and the VIPs are used in ZTNA server objects that point to the same real server. All three VIPs are configured with the same GSLB hostname and domain name, so the FQDN is mapped to three different addresses when it is sent to FortiGSLB. By default, FortiGSLB load balances across them and answers DNS queries with the addresses in a round-robin fashion.

To configure FortiGSLB integration:
  1. Enable integration with FortiGSLB in the global settings:

    config system global
        set fortigslb-integration enable
    end
  2. Enable integration with FortiGSLB on each firewall VIP:

    config firewall vip
        edit "ztna_vip1"
            set type access-proxy
            set server-type https
            set extip 172.18.62.66
            set extintf "port2"
            set one-click-gslb-server enable
            set gslb-hostname "qa.test"
            set gslb-domain-name "wangd.com"
            set extport 4443
            set ssl-certificate "default.test.com"
        next
        edit "ztna_vip2"
            set type access-proxy
            set server-type https
            set extip 172.18.62.67
            set extintf "port3"
            set one-click-gslb-server enable
            set gslb-hostname "qa.test"
            set gslb-domain-name "wangd.com"
            set extport 4443
            set ssl-certificate "default.test.com"
        next
        edit "ztna_vip3"
            set type access-proxy
            set server-type https
            set extip 172.18.62.68
            set extintf "port4"
            set one-click-gslb-server enable
            set gslb-hostname "qa.test"
            set gslb-domain-name "wangd.com"
            config gslb-public-ips
                edit 1
                    set ip 172.18.62.69
                next
            end
            set extport 4443
            set ssl-certificate "default.test.com"
        next
    end
  3. Enable debugging to confirm that the configuration is pushed to FortiGSLB:

    # diagnose debug application cloudapid -1
    # diagnose debug enable

    A successful push produces output similar to the following. There is one member per VIP, and the ip_list for ztna_vip3 carries the gslb-public-ips address rather than its extip:

    <4234> 10 cloudapi_curl_debug()-19: CURL HEADER OUT: POST /api/v1.0/one-click-glb-fgt/modifyconfig HTTP/2
    Host: 1clickfgt.fortigslb-cloud.com
    Accept: application/json
    Content-Type: application/json
    Content-Length: 553
    
    <4234> 10 cloudapi_curl_debug()-19: CURL DATA OUT: {"members":[{"vdom_name":"vdom1","name_key":"ztna_vip1","type":"ztna","ip_list":["172.18.62.66"],"host":"qa.test","domain":"wangd.com"},{"vdom_name":"vdom1","name_key":"ztna_vip2","type":"ztna","ip_list":["172.18.62.67"],"host":"qa.test","domain":"wangd.com"},{"vdom_name":"vdom1","name_key":"ztna_vip3","type":"ztna","ip_list":["172.18.62.69"],"host":"qa.test","domain":"wangd.com"}],"ha_cluster":[{"sn":"FG181FTK22902632","host_name":"FGT1801F-ZTNA"},{"sn":"FG181FTK22902625","host_name":"FGT1801F-ZTNA"}],"timestamp":"2023-11-23 00:28:43"}
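The following script is an added example and is not FortiGate or FortiGSLB code. It parses the VIP configuration from step 2, derives the members list that the debug output shows the FortiGate posting to modifyconfig (applying the rule that a gslb-public-ips entry replaces extip, and grouping the published addresses by FQDN), and flags any published address that is not globally routable, which is this example's own check rather than something the FortiGate does. The VDOM name vdom1 and the member type ztna are taken from the debug output above; the ztna_vip_internal VIP in the sample is constructed to show that a VIP with one-click-gslb-server disabled is not published.

```python
# Added example (not FortiGate or FortiGSLB code): derive the 'members'
# payload seen in the cloudapid debug output from a 'config firewall vip' block.
import ipaddress
import json
import shlex

# Constructed sample: the three VIPs from step 2 (non-GSLB settings dropped)
# plus one VIP with GSLB disabled, which must not appear in the payload.
SAMPLE_VIP_CONFIG = """\
config firewall vip
    edit "ztna_vip1"
        set extip 172.18.62.66
        set one-click-gslb-server enable
        set gslb-hostname "qa.test"
        set gslb-domain-name "wangd.com"
    next
    edit "ztna_vip2"
        set extip 172.18.62.67
        set one-click-gslb-server enable
        set gslb-hostname "qa.test"
        set gslb-domain-name "wangd.com"
    next
    edit "ztna_vip3"
        set extip 172.18.62.68
        set one-click-gslb-server enable
        set gslb-hostname "qa.test"
        set gslb-domain-name "wangd.com"
        config gslb-public-ips
            edit 1
                set ip 172.18.62.69
            next
        end
    next
    edit "ztna_vip_internal"
        set extip 203.0.113.10
        set one-click-gslb-server disable
    next
end
"""


def parse_vips(text):
    """Parse a 'config firewall vip' block into {vip_name: {setting: value}}."""
    vips, current, in_public_ips = {}, None, False
    for raw in text.splitlines():
        tokens = shlex.split(raw)  # handles the quoted values
        if not tokens:
            continue
        if tokens[:2] == ["config", "gslb-public-ips"]:
            in_public_ips = True
        elif tokens[0] == "end" and in_public_ips:
            in_public_ips = False
        elif tokens[0] == "edit" and not in_public_ips:
            current = {"gslb_public_ips": []}  # nested table, collected as a list
            vips[tokens[1]] = current
        elif tokens[0] == "set" and current is not None:
            key, value = tokens[1], " ".join(tokens[2:])
            if in_public_ips and key == "ip":
                current["gslb_public_ips"].append(value)
            elif not in_public_ips:
                current[key] = value
    return vips


def build_members(vips, vdom="vdom1"):
    """Build the 'members' list the FortiGate sends to modifyconfig, plus warnings.
    Field names, the 'ztna' type and vdom1 are taken from the page's debug output."""
    members, warnings = [], []
    for name, cfg in vips.items():
        if cfg.get("one-click-gslb-server") != "enable":
            continue
        # gslb-public-ips overrides extip: ztna_vip3 publishes .69, not .68.
        ip_list = cfg["gslb_public_ips"] or [cfg["extip"]]
        for ip in ip_list:
            # The example's own check: FortiGSLB hands these addresses to Internet
            # clients, so RFC 1918 or documentation-range addresses only work in a lab.
            if not ipaddress.ip_address(ip).is_global:
                warnings.append(f"{name}: {ip} is not globally routable")
        members.append({"vdom_name": vdom, "name_key": name, "type": "ztna",
                        "ip_list": ip_list, "host": cfg["gslb-hostname"],
                        "domain": cfg["gslb-domain-name"]})
    return members, warnings


def fqdn_to_ips(members):
    """Group published addresses by FQDN: the pool FortiGSLB rotates through."""
    pool = {}
    for m in members:
        pool.setdefault(f"{m['host']}.{m['domain']}", []).extend(m["ip_list"])
    return pool


if __name__ == "__main__":
    members, warnings = build_members(parse_vips(SAMPLE_VIP_CONFIG))
    print(json.dumps({"members": members}))
    print(fqdn_to_ips(members), *warnings, sep="\n")
```

Run as a script it prints the payload, the FQDN-to-address pool, and three warnings: 172.18.62.0/24 lies inside the RFC 1918 range 172.16.0.0/12, which is fine for the isolated lab shown here but means Internet clients could not reach the published VIPs. In production, check that every address in the printed pool is the one your clients actually route to.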

Verification

Once the hostname, domain name, and IP address mappings have been passed to FortiGSLB, clients that resolve names through FortiGSLB's DNS service get answers to their queries, and consecutive queries return the IP addresses in a round-robin fashion. Note that FortiGSLB answers authoritatively for the domain (the aa flag is set and recursion is not available) and that the answer carries a 5-second TTL, which is what allows consecutive lookups made through a caching resolver to rotate through the addresses.

First query:
fosqa@ztna-client4:~/ztna_pytest$ dig @15.197.150.26 qa.test.wangd.com
; <<>> DiG 9.16.1-Ubuntu <<>> @15.197.150.26 qa.test.wangd.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 33860
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 2
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;qa.test.wangd.com.             IN      A

;; ANSWER SECTION:
qa.test.wangd.com.      5       IN      A       172.18.62.66

;; AUTHORITY SECTION:
wangd.com.              86400   IN      NS      defaultprimary.wangd.com.

;; ADDITIONAL SECTION:
defaultprimary.wangd.com. 86400 IN      A       15.197.150.26

;; Query time: 15 msec
;; SERVER: 15.197.150.26#53(15.197.150.26)
;; WHEN: Thu Nov 16 10:56:23 PST 2023
;; MSG SIZE  rcvd: 107

Second query:
fosqa@ztna-client4:~/ztna_pytest$ dig @15.197.150.26 qa.test.wangd.com
; <<>> DiG 9.16.1-Ubuntu <<>> @15.197.150.26 qa.test.wangd.com
…
;; QUESTION SECTION:
;qa.test.wangd.com.             IN      A

;; ANSWER SECTION:
qa.test.wangd.com.      5       IN      A       172.18.62.69

Third query:
fosqa@ztna-client4:~/ztna_pytest$ dig @15.197.150.26 qa.test.wangd.com
; <<>> DiG 9.16.1-Ubuntu <<>> @15.197.150.26 qa.test.wangd.com
…
;; QUESTION SECTION:
;qa.test.wangd.com.             IN      A

;; ANSWER SECTION:
qa.test.wangd.com.      5       IN      A       172.18.62.67
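The following script is an added example, not Fortinet code. It parses the text output of consecutive dig runs against the FortiGSLB nameserver and checks that every address the FortiGate published is returned, that each answer is authoritative (the aa flag, as in the output above), and that the TTL stays short, reporting anything else, such as an address that was never published. The sample outputs are constructed to match the three answers above (with the elided lines left out) plus one deliberately bad answer; the live_dig helper, which shells out to dig, is the example's own and needs network access to the nameserver.

```python
# Added example (not Fortinet code): parse a series of dig runs against the
# FortiGSLB nameserver and confirm that every published address comes back,
# that the answers are authoritative, and that the TTL stays short.
import re
import subprocess

ANSWER_RE = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+A\s+(\d+(?:\.\d+){3})\s*$")
FLAGS_RE = re.compile(r"^;; flags: ([^;]*);")


def sample_dig(ip, flags="qr aa rd", ttl=5, owner="qa.test.wangd.com."):
    """Build a cut-down dig output (constructed, not captured) in dig's format."""
    return (
        "; <<>> DiG 9.16.1-Ubuntu <<>> @15.197.150.26 qa.test.wangd.com\n"
        ";; Got answer:\n"
        f";; flags: {flags}; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 2\n\n"
        ";; QUESTION SECTION:\n;qa.test.wangd.com.\t\tIN\tA\n\n"
        f";; ANSWER SECTION:\n{owner}\t{ttl}\tIN\tA\t{ip}\n\n"
        ";; AUTHORITY SECTION:\nwangd.com.\t86400\tIN\tNS\tdefaultprimary.wangd.com.\n"
    )


PUBLISHED = ["172.18.62.66", "172.18.62.67", "172.18.62.69"]
# The three answers shown above, in the order they were returned.
GOOD_RUN = [sample_dig("172.18.62.66"), sample_dig("172.18.62.69"),
            sample_dig("172.18.62.67")]
# Failure case: a non-authoritative, long-lived answer carrying an address
# that was never published (what a stale or spoofed answer looks like).
BAD_RUN = GOOD_RUN[:2] + [sample_dig("198.51.100.7", flags="qr rd ra", ttl=3600)]


def parse_dig(output):
    """Return (header flags, [(owner, ttl, ip), ...]) from one dig run."""
    flags, answers, in_answer = set(), [], False
    for line in output.splitlines():
        m = FLAGS_RE.match(line)
        if m:
            flags = set(m.group(1).split())
        elif line.startswith(";; ANSWER SECTION:"):
            in_answer = True
        elif in_answer:
            if not line.strip():  # a blank line ends the section
                in_answer = False
            else:
                m = ANSWER_RE.match(line)
                if m:
                    answers.append((m.group(1), int(m.group(2)), m.group(3)))
    return flags, answers


def check_round_robin(dig_outputs, fqdn, expected_ips, max_ttl=30):
    """Compare what the nameserver returned with what the FortiGate published."""
    seen, problems = [], []
    for i, out in enumerate(dig_outputs, 1):
        flags, answers = parse_dig(out)
        if "aa" not in flags:
            problems.append(f"query {i}: not authoritative (flags {sorted(flags)})")
        for owner, ttl, ip in answers:
            if owner.rstrip(".") != fqdn:
                problems.append(f"query {i}: unexpected owner {owner}")
            if ip not in expected_ips:
                problems.append(f"query {i}: {ip} was never published")
            if ttl > max_ttl:  # FortiGSLB used 5 s above; long TTLs defeat failover
                problems.append(f"query {i}: TTL {ttl} exceeds {max_ttl}")
            seen.append(ip)
    missing = sorted(set(expected_ips) - set(seen))
    if missing:
        problems.append(f"never returned: {missing}")
    return {"sequence": seen, "missing": missing, "problems": problems}


def live_dig(server, fqdn, count=3):
    """Capture real answers; needs dig and network access to the nameserver."""
    return [subprocess.run(["dig", f"@{server}", fqdn], capture_output=True,
                           text=True, check=True).stdout for _ in range(count)]


if __name__ == "__main__":
    for label, run in (("good", GOOD_RUN), ("bad", BAD_RUN)):
        print(label, check_round_robin(run, "qa.test.wangd.com", PUBLISHED))
```

Against the three captured answers the report is clean and the sequence is .66, .69, .67; against the bad run it flags the missing .67, the unpublished address, the missing aa flag and the 3600-second TTL. To test a real deployment, replace GOOD_RUN with live_dig("15.197.150.26", "qa.test.wangd.com", len(PUBLISHED)) and the PUBLISHED list with the addresses from your own VIPs.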
