Configuring servers
In the context of the global server load balance configuration, servers are the local SLB (FortiADC instances or third-party servers) to be load balanced. For FortiADC instances, the GLB checks status and synchronizes configuration from the local SLB so that it can learn the set of virtual servers that can be included in the GLB virtual server pool.
Virtual server discovery illustrates configuration discovery. Placement in this list does not include them in the pool. You also must name them explicitly in the virtual server pool configuration.
Before you begin:
- You must have created the data center configuration objects that are associated with the local SLB.
- You must have created virtual server configurations on the local FortiADC SLB. In this procedure, the global SLB discovers them.
- You must have created gateway configuration objects on the local FortiADC SLB if you want to configure a gateway health check. In this procedure, the global SLB discovers them.
- You must have created an SDN connector configuration.
Note: Currently, the SDN Connector option only supports AWS Connectors.
- You must have Read-Write permission for Global Load Balance settings.
After you have created a server configuration object, you can specify it in the global load balancing virtual server pool configuration.
To configure servers:
- Go to Global Load Balance > Global Object.
- Click the Server tab.
- Click Create New to display the configuration editor.
- Configure the following GLB Server settings:
Setting
Description
Name
Configuration name. Valid characters are A-Z, a-z, 0-9, _, and -. No spaces. You reference this name in the virtual server pool configuration.
Note: After you initially save the configuration, you cannot edit the name.
Type
Select the remote server to use for global server load balancing:
- FortiADC SLB — use a FortiADC instance.
- Generic Host — use a third party ADC or server.
- SDN Connector — use an existing external connector that is connected to the FortiADC Security Fabric.
Note: Currently, the SDN Connector option only supports AWS Connectors.
Auth Type
The Auth Type option is available if Type is FortiADC SLB.
Select the authentication type:
- None — No password.
- TCP MD5SIG — With password, but cannot be used if NAT is in between the client and server. When TCP MD5SIG authentication is used in a network with NAT in between, the IP layer is encrypted, as is every packet. Because NAT changes the IP address, the encryption check will always fail.
- Auth Verify — The authentication key is sent to the server after a three-way handshake. The key is encrypted and NAT in between will not affect the authentication.
Password
The Password option is available if Type is FortiADC SLB and Auth Type is TCP MD5SIG.
Enter the password to authenticate the key.
The password you enter here must match the password configured on the FortiADC appliance in a global server load-balancing configuration.
User Defined Certificate
The User Defined Certificate option is available if Type is FortiADC SLB.
Enable to use a self-defined certificate for authentication.
Certificate
The Certificate option is available if Type is FortiADC SLB and User Defined Certificate is enabled.
Select the local certificate object to use for the GSLB server.
Address Type
The Address Type option is available if Type is FortiADC SLB.
IPv4 or IPv6.
IP Address/IPv6 Address
The IP Address or IPv6 Address option is available if Type is FortiADC SLB.
Specify the IPv4 or IPv6 address for the FortiADC management interface. This IP address is used for synchronization and also status checks. If the management interface is unreachable, the virtual servers for that FortiADC are excluded from DNS responses.
Port
The Port option is available if Type is FortiADC SLB.
Specify the port. Default: 5858 Range: 1-65535.
SDN Connector
The SDN Connector option is available if Type is SDN Connector.
Select the SDN Connector to synchronize to the GSLB server.
For public SDN type servers, GSLB can update the public IP dynamically.
Note: Currently, only AWS connectors are supported.
Use SDN Private IP
The Use SDN Private IP option is available if Type is SDN Connector.
Enable to use the SDN Private IP address.
Data Center
Select a data center configuration object. The data center configuration object properties are used to establish the proximity of the servers and the client requests.
Auto-sync
Enable/disable automatic synchronization with the remote server. When enabled, Global load balancing will synchronize automatically with the server member.
If auto-sync is enabled for SDN Connector type servers, all instances from the SDN connector will be added as server members.
Note: When disabling auto-sync, the server member will be cleared and re-synced.
Health Check Control
The Health Check Control option is available if Type is Generic Host or SDN Connector.
Enable/disable health checks for the virtual server list. The health check settings at this configuration level are the parent configuration. When you configure the list, you can specify whether to inherit or override the parent configuration.
Note: Health checking is built-in, and you can optionally configure a gateway health check.
Health Check Relationship
The Health Check Relationship option is available if Type is Generic Host and Health Check Control is enabled.
- AND—All of the specified health checks must pass for the server to be considered available.
- OR—One of the specified health checks must pass for the server to be considered available.
Health Check List
The Health Check List option is available if Type is Generic Host and Health Check Control is enabled.
Select one or more health check configuration objects.
- Click Save.
After the GLB Server configuration is saved, the Member section becomes available to configure.
- Under the Member section, configure the Member list configuration according to the GLB server type.
Setting
Description
FortiADC SLB
Discover
Populate the member list with virtual servers from the local FortiADC configuration. After the list has been populated, you can edit the configuration to add a gateway health check.
Override
Select this option if you want to update the discovered virtual server configuration with the latest configuration information whenever you use the Discover utility (for example, additions or changes to previously discovered configurations).
Unselect this option if you want to preserve the previously discovered configuration and not have it overwritten by the Discover operation.
Name
Must match the virtual server configuration name on the local FortiADC.
Address Type
IPv4 or IPv6.
IP Address/IPv6 Address
Virtual server IPv4 or IPv6 address.
Gateway
Enable an additional health check: is the gateway beyond the FortiADC reachable?
The list of gateway configuration objects is populated by discovery, but you must select the appropriate one from the list.
Generic Host
Health Check Inherit
Enable to inherit the health check settings from the parent configuration. The Health Check Inherit option is enabled by default. Disable to specify health check settings in this member configuration.
Health Check Control
The Health Check Control option is available if Health Check Inherit is disabled.
Enable health checking for the virtual server.
Health Check Relationship
The Health Check Relationship option is available if Health Check Inherit is disabled and Health Check Control is enabled.
- AND—All of the specified health checks must pass for the server to be considered available.
- OR—One of the specified health checks must pass for the server to be considered available.
Health Check List
The Health Check List option is available if Health Check Inherit is disabled and Health Check Control is enabled.
Specify one or more health check configuration objects.
SDN Connector
SDN Instance
Select an instance from the SDN's instance list.
Health Check Inherit
Enable to inherit the health check settings from the parent configuration. The Health Check Inherit option is enabled by default. Disable to specify health check settings in this member configuration.
Health Check Control
The Health Check Control option is available if Health Check Inherit is disabled.
Enable health checking for the virtual server.
Health Check Relationship
The Health Check Relationship option is available if Health Check Inherit is disabled and Health Check Control is enabled.
- AND—All of the specified health checks must pass for the server to be considered available.
- OR—One of the specified health checks must pass for the server to be considered available.
Health Check List
The Health Check List option is available if Health Check Inherit is disabled and Health Check Control is enabled.
Specify one or more health check configuration objects.
Note:
If Health Check is disabled for SDN connector server members, their health check status will always appear as available since the status cannot be verified through health check.
If the SDN instance is changed in the SDN connector, the SDN connector server member status will not be affected. For example, if the EC2 instance is terminated in AWS, that instance will still remain a server member in the SDN connector GLB server.
- Save the Member list configuration and then save the GLB Server configuration to commit the Member list changes.
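The NAT limitation noted for the TCP MD5SIG auth type, as an added example (not Fortinet code). It assumes the option corresponds to the RFC 2385 TCP MD5 signature, where each segment carries an MD5 digest computed over the TCP pseudo-header (which includes the source and destination IP addresses), the TCP header, the data, and the shared password. The addresses and password are constructed sample values; 5858 is the default port from the table above.

```python
import hashlib
import hmac
import socket
import struct

KEY = b"constructed-shared-password"   # constructed sample, not a real credential
GLB, SLB, NAT_ADDR = "192.0.2.10", "198.51.100.20", "203.0.113.5"  # documentation ranges
HDR_LEN = 40  # 20-byte base header + 18-byte MD5 option + 2 bytes of padding


def rfc2385_digest(seg, key):
    """MD5 over pseudo-header, TCP header (no options, checksum 0), data, key."""
    pseudo = (socket.inet_aton(seg["src"]) + socket.inet_aton(seg["dst"])
              + struct.pack("!HH", socket.IPPROTO_TCP, HDR_LEN + len(seg["data"])))
    offset_flags = (HDR_LEN // 4 << 12) | seg["flags"]
    header = struct.pack("!HHIIHHHH", seg["sport"], seg["dport"], seg["seq"],
                         seg["ack"], offset_flags, seg["window"], 0, 0)
    return hashlib.md5(pseudo + header + seg["data"] + key).digest()


def sign(seg, key):
    """Sender side: attach the digest that travels in the TCP MD5 option."""
    return {**seg, "md5sig": rfc2385_digest(seg, key)}


def nat_rewrite(seg, new_src):
    """A NAT device changes the address but cannot recompute the digest (no key)."""
    return {**seg, "src": new_src}


def receiver_accepts(seg, key):
    """Receiver recomputes the digest from the addresses it actually sees."""
    return hmac.compare_digest(rfc2385_digest(seg, key), seg["md5sig"])


def demo():
    syn = sign({"src": GLB, "dst": SLB, "sport": 40000, "dport": 5858,
                "seq": 1000, "ack": 0, "flags": 0x02, "window": 65535,
                "data": b""}, KEY)
    return {
        "direct": receiver_accepts(syn, KEY),
        "through_nat": receiver_accepts(nat_rewrite(syn, NAT_ADDR), KEY),
        "wrong_password": receiver_accepts(syn, b"mismatched"),
    }


if __name__ == "__main__":
    print(demo())
```

A segment rejected this way is dropped before the connection is established, so on the GLB side a NAT in the path looks the same as a mismatched password.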