Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Products Best Practices Hardware Guides Products A-Z
Summary
By Solution
By 4D Pillars
By Cloud
Secure Networking
Unified SASE
Security Operations
Secure SD-WAN
Secure Access Service Edge (SASE)
ZTNA
LAN Edge
Identity and Access Management
Next Generation Firewall
Public Cloud
Private Cloud
FortiCloud
Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
    • More >>
    Unified SASE
  • Single Vendor SASE
  • Cloud Network Security
  • Secure Endpoint Connectivity
  • Web Application / API Protection
    • More >>
    Security Operations
  • Security Operations Automation
  • Identity
  • Early Detection & Prevention
    • More >>
    Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
  • Communication & Surveillance
    • Unified SASE
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Cloud Network Security
  • Cloud-Native Security
  • Web Application / API Protection
    • Security Operations
  • Security Operations Automation
  • Endpoint
  • Data Protection
  • Identity
  • Email
  • Early Detection & Prevention
  • Expert Services
  • Edge Firewall
  • Orchestration & management
  • SD Branch
  • Application Delivery
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Secure Private Access
  • Thin Edge
  • Identity
  • Application Gateway
  • Enterprise Asset Management
  • Endpoint Agent
  • Agentless Security Posture
  • Identity
  • Wireless
  • Switching
  • Identity
  • Privilege Acccess Management
  • Next Generation Firewall
  • Orchestration & management
  • Expert Services
  • All
  • All
  • Account Management
  • SAAS Management
  • SAAS Application Security
  • Managed Services
  • Platform as a service (PAAS)
  • Other SAAS Services
    • 4D Resources
    Solution Hubs
  • 4D Pillars
  • Cloud
  • Popular Solutions

    • High Availability and Disaster Recovery Procedures - Elasticsearch

    Home FortiSIEM 7.1.3 High Availability and Disaster Recovery Procedures - Elasticsearch
    7.1.3
    7.2.4
    7.2.3
    7.2.2
    7.2.1
    7.2.0
    7.1.7
    7.1.6
    7.1.5
    7.1.4
    7.1.3
    7.1.2
    7.1.1
    7.1.0
    7.0.3
    7.0.2
    7.0.1
    7.0.0
    6.7.9
    6.7.8
    6.7.7
    6.7.6
    6.7.5
    6.7.4
    6.7.3
    6.7.2
    6.7.1
    6.7.0

    External Load Balancer Configuration

    External Load Balancer Configuration

    This section provides guidance on how to configure FortiWEB load balancer to work with FortiSIEM Active-Active Supervisor cluster. Most load balancers can also be used. For additional information on FortiWEB configuration, see the FortiWeb documentation library. The example configuration here assumes FortiWeb will have at a minimum, two interfaces.

    Port1: External network / subnet - This is where collector / user traffic connects to.

    Port2: Internal network / subnet - This is where appServers and Workers reside.

    In this example, VMware interfaces map to FortiWeb virtual interfaces when you deploy OVF

    Virtual interface 1 is port1 in FortiWeb - 172.30.57.88/22 .1 GW

    Virtual interface 2 is port2 in FortiWeb - 10.65.148.3/22

    The default route: 172.30.56.1

    The general configuration step are:

    Define Virtual IPs

    1. Navigate to Network > Virtual IP.

      This is the Load Balancer IPs.

    2. Define one unique free IP in the external subnet for AppServer Load Balancer and Worker Load Balancer

    3. Click Create New.

    4. In the Name field, enter a name, for example, " AppServerLB".

    5. In the IPV4 Address field, enter your IP address. In our example, "172.30.57.89/32".

    6. In the Interface field, enter/select your port. In our example,"port1".

    7. Repeat steps 1 through 7 here in Define Virtual IPs for the Worker Load Balancer, then proceed to Define Virtual Server.

    Define Virtual Server

    1. Navigate to Server Objects > Server > Virtual Server.

    2. Click Create New.

    3. In the Name field, enter a name for the virtual server, for example, "AppServer_VS".

    4. Click OK.

    5. Under this setup, click Create New.

    6. Select the Virtual IP that was created earlier.

    7. Click OK.

    8. In Status select Enable.

    9. Leave other options default, and click OK.

    Define Supervisor Health Check

    1. Navigate to Server Objects > Server > Health Check.

    2. Click Create New.

    3. In the Name field, enter a name for the Health Check trigger, for example, "AppServerHealthCheck".

    4. For Relationship, select And.

    5. Click OK.

    6. In Rule List, click Create New.

    7. For Type, select TCP SSL and leave the options as default.

    8. Click OK.

    9. In Rule List, click Create New again.

    10. For Type, select HTTP.

    11. In the URL Path field, enter "/phoenix/login.html"

    12. For Method , select GET.

    13. For Match Type, select Response Code.

    14. For Response Code, enter "200".

    15. Click OK on each page.

    Define Server Pool

    1. Navigate to Server Objects > Server > Server Pool.

    2. Click Create New.

    3. In the Name field, enter a name for the server pool, for example, "AppServerPool".

    4. For Proto , select HTTP.

    5. For Type, select Reverse Proxy.

    6. For Single Server / Server Balance, select Server Balance.

    7. For Server Health Check, from the drop-down list, select the server health check you created in Define Supervisor Health Check.

    8. For Load Balancing Algorithm, from the drop-down list, select Least Connection or Round Robin.

    9. Click OK.

    10. At the bottom of the page, click Create New.

    11. For each Server in your server pool, in this example AppServer Pool, do the following.

      1. For Status, select Enable.

      2. For Server Type, select IP.

      3. For IP / Domain, enter the IP address range, for example, "#.#.#.#/32".

      4. For Port, enter "443".

      5. For SSL, check it, but ignore client certificate.

      6. Click OK.

    Define Server Policy

    1. Navigate to Policy > Server Policy.

    2. In the Name field, enter a name for the server policy, for example, "AppServerPolicy".

    3. For Deployment Mode, select Single Server/Server Balance.

    4. For Virtual Server, select the virtual server you created in Define Virtual Server.

    5. For Server Pool, select the server pool you created in Define Server Pool.

    6. For HTTP Service, select HTTP.

    7. For HTTPS Service, select HTTPS.

    8. For Monitor Mode, enable it.

    9. For Enable Traffic Log, enable it.

    10. Click OK.

    Define Static Routes in FortiWeb

    For FortiWeb to route non HTTP/HTTPS traffic through FortiWeb, create two policy routes.

    1. Navigate to Network > Route. (See https://docs.fortinet.com/document/fortiweb/7.0.2/administration-guide/55130/configuring-the-network-settings)

    2. Select Policy Route.

    3. Configure the following rules to allow non HTTP/HTTPS traffic inbound.

      1. For If traffic matches Incoming Interface, select your port.

      2. For If traffic matches Source address/mask (IPv4/IPv6), enter the IP range.

      3. For If traffic matches Destination address/mask (IPv4/IPv6), enter the IP range.

      4. For Force traffic to Action, select Stop Policy Routing.

      5. For Force traffic to Priority, enter "200".

      6. Click OK.

    4. Configure the following rules to allow outbound traffic.

      1. For If traffic matches Incoming Interface, select your port.

      2. For If traffic matches Source address/mask (IPv4/IPv6), enter the IP range.

      3. For If traffic matches Destination address/mask (IPv4/IPv6), enter the IP range.

      4. For Force traffic to Action, select Stop Policy Routing.

      5. For Force traffic to Priority, enter "100".

      6. Click OK.

    For each "AppServerIP" defined in the server pool, a FortiSIEM leader/follower cluster should use those IPs.

    Previous
    Next

    External Load Balancer Configuration

    External Load Balancer Configuration

    This section provides guidance on how to configure FortiWEB load balancer to work with FortiSIEM Active-Active Supervisor cluster. Most load balancers can also be used. For additional information on FortiWEB configuration, see the FortiWeb documentation library. The example configuration here assumes FortiWeb will have at a minimum, two interfaces.

    Port1: External network / subnet - This is where collector / user traffic connects to.

    Port2: Internal network / subnet - This is where appServers and Workers reside.

    In this example, VMware interfaces map to FortiWeb virtual interfaces when you deploy OVF

    Virtual interface 1 is port1 in FortiWeb - 172.30.57.88/22 .1 GW

    Virtual interface 2 is port2 in FortiWeb - 10.65.148.3/22

    The default route: 172.30.56.1

    The general configuration step are:

    Define Virtual IPs

    1. Navigate to Network > Virtual IP.

      This is the Load Balancer IPs.

    2. Define one unique free IP in the external subnet for AppServer Load Balancer and Worker Load Balancer

    3. Click Create New.

    4. In the Name field, enter a name, for example, " AppServerLB".

    5. In the IPV4 Address field, enter your IP address. In our example, "172.30.57.89/32".

    6. In the Interface field, enter/select your port. In our example,"port1".

    7. Repeat steps 1 through 7 here in Define Virtual IPs for the Worker Load Balancer, then proceed to Define Virtual Server.

    Define Virtual Server

    1. Navigate to Server Objects > Server > Virtual Server.

    2. Click Create New.

    3. In the Name field, enter a name for the virtual server, for example, "AppServer_VS".

    4. Click OK.

    5. Under this setup, click Create New.

    6. Select the Virtual IP that was created earlier.

    7. Click OK.

    8. In Status select Enable.

    9. Leave other options default, and click OK.

    Define Supervisor Health Check

    1. Navigate to Server Objects > Server > Health Check.

    2. Click Create New.

    3. In the Name field, enter a name for the Health Check trigger, for example, "AppServerHealthCheck".

    4. For Relationship, select And.

    5. Click OK.

    6. In Rule List, click Create New.

    7. For Type, select TCP SSL and leave the options as default.

    8. Click OK.

    9. In Rule List, click Create New again.

    10. For Type, select HTTP.

    11. In the URL Path field, enter "/phoenix/login.html"

    12. For Method , select GET.

    13. For Match Type, select Response Code.

    14. For Response Code, enter "200".

    15. Click OK on each page.

    Define Server Pool

    1. Navigate to Server Objects > Server > Server Pool.

    2. Click Create New.

    3. In the Name field, enter a name for the server pool, for example, "AppServerPool".

    4. For Proto , select HTTP.

    5. For Type, select Reverse Proxy.

    6. For Single Server / Server Balance, select Server Balance.

    7. For Server Health Check, from the drop-down list, select the server health check you created in Define Supervisor Health Check.

    8. For Load Balancing Algorithm, from the drop-down list, select Least Connection or Round Robin.

    9. Click OK.

    10. At the bottom of the page, click Create New.

    11. For each Server in your server pool, in this example AppServer Pool, do the following.

      1. For Status, select Enable.

      2. For Server Type, select IP.

      3. For IP / Domain, enter the IP address range, for example, "#.#.#.#/32".

      4. For Port, enter "443".

      5. For SSL, check it, but ignore client certificate.

      6. Click OK.

    Define Server Policy

    1. Navigate to Policy > Server Policy.

    2. In the Name field, enter a name for the server policy, for example, "AppServerPolicy".

    3. For Deployment Mode, select Single Server/Server Balance.

    4. For Virtual Server, select the virtual server you created in Define Virtual Server.

    5. For Server Pool, select the server pool you created in Define Server Pool.

    6. For HTTP Service, select HTTP.

    7. For HTTPS Service, select HTTPS.

    8. For Monitor Mode, enable it.

    9. For Enable Traffic Log, enable it.

    10. Click OK.

    Define Static Routes in FortiWeb

    For FortiWeb to route non HTTP/HTTPS traffic through FortiWeb, create two policy routes.

    1. Navigate to Network > Route. (See https://docs.fortinet.com/document/fortiweb/7.0.2/administration-guide/55130/configuring-the-network-settings)

    2. Select Policy Route.

    3. Configure the following rules to allow non HTTP/HTTPS traffic inbound.

      1. For If traffic matches Incoming Interface, select your port.

      2. For If traffic matches Source address/mask (IPv4/IPv6), enter the IP range.

      3. For If traffic matches Destination address/mask (IPv4/IPv6), enter the IP range.

      4. For Force traffic to Action, select Stop Policy Routing.

      5. For Force traffic to Priority, enter "200".

      6. Click OK.

    4. Configure the following rules to allow outbound traffic.

      1. For If traffic matches Incoming Interface, select your port.

      2. For If traffic matches Source address/mask (IPv4/IPv6), enter the IP range.

      3. For If traffic matches Destination address/mask (IPv4/IPv6), enter the IP range.

      4. For Force traffic to Action, select Stop Policy Routing.

      5. For Force traffic to Priority, enter "100".

      6. Click OK.

    For each "AppServerIP" defined in the server pool, a FortiSIEM leader/follower cluster should use those IPs.

    Previous
    Next