
FortiADC

Student Lab Guide


FortiADC 4.8.0

899 Kifer Road


Sunnyvale, CA 94086
Tel: +1-408-235-7700
Fax: +1-408-235-7737 www.fortinet.com
Lab Exercises
FortiADC
Contents
Introduction ........................................................................................................... 4
Prerequisites ......................................................................................................... 4
1 Connectivity Diagram ..................................................................................... 6
2 Initial Setup .................................................................................................... 7
Exercise 1: Configure the webserver................................................................. 8
Exercise 2: Check SET-Linux configuration ...................................................... 8
Exercise 3: Get the FortiGate IP address information ....................................... 8
Exercise 4: Configuring Initial FortiADC Device Settings .................................. 9
3 L4 Server Load Balance .............................................................................. 14
Exercise 1: Verify Health Check ...................................................................... 14
Exercise 2: Server Pools and Virtual Servers .................................................. 15
Exercise 3: Testing, monitor and logs ............................................................. 16
4 L7 Server Load Balance (HTTP).................................................................. 18
Exercise 1: L7 HTTP SLB ............................................................................... 18
Exercise 2: Testing .......................................................................................... 20
5 Outbound Link Load Balance....................................................................... 22
Exercise 1: Configure LLB ............................................................................... 22
Exercise 2: Testing .......................................................................................... 24
6 Global Load Balance (1 datacenter, multiple links) ...................................... 25
Exercise 1: Create a second L7 SLB............................................................... 25
Exercise 2: Configuring GLB ........................................................................... 26
Exercise 3: Testing GLB .................................................................................. 30
7 Global Load Balance (2 datacenters, multiple links) .................................... 32
Exercise 1: Initial Setup FortiADC2, WS3 and WS4 ........................................ 32
Exercise 2: SLB in datacenter2 ....................................................................... 34

Exercise 3: Configuring GLB in datacenter2 ................................................... 36
Exercise 4: Adjusting GLB in datacenter1 ....................................................... 40
Exercise 5: Testing .......................................................................................... 41
8 Virtual Tunnel Routing ................................................................................. 43
Exercise 1: Configuring FortiADC1 .................................................................. 43
Exercise 2: Configuring FortiADC2 .................................................................. 45
Exercise 3: Testing .......................................................................................... 47
9 HTTP Routing and Rewriting ....................................................................... 48
Exercise 1: URL Rewriting .............................................................................. 48
Exercise 2: Content Routing ............................................................................ 49
10 Scripting ................................................................................................... 53
11 ADC Security............................................................................................ 55
Exercise 1: Authentication ............................................................................... 55
Exercise 2: Web Application Firewall .............................................................. 57
12 Advanced SLB ......................................................................................... 61
Exercise 1: Preserve Client IP ......................................................................... 62
Exercise 2: Connection reuse ......................................................................... 65
Exercise 3: Caching ........................................................................................ 67
13 Final: Shutting Down Everything .............................................................. 69

Introduction

This document is intended to give the SE a tool to show customers and partners
the main functionality of the Fortinet virtual appliances. It contains several
step-by-step exercises to configure and set up all the devices and to
demonstrate them to the customer.

This document includes FortiADC.

Prerequisites

Load the ESX-Labs package into your VMware Fusion or VMware Player/Workstation.

Edit the VM network and create a NAT vmnet (or edit the existing one if you
already have it):

Select also to connect the host to this network and to provide DHCP.

Edit ESX-Labs adapter to be connected to the created vmnet:

Check the IP address your ESXi server received from DHCP. This IP is referred
to as ESX-IP in this document:

Open it in a web browser and log in as root with password fortinet.

Start the SET-Linux server, then connect to it with user fortinet and password
fortinet.

TIP: if you have any problem with the ESXi web GUI, right-click the SET-Linux
VM and select Console > Launch Remote Console.

Open the Linux Terminal and execute the following commands there:

sudo su
cd /root/scripts
./Deploy.sh ESX-IP fad.conf

Example:

fortinet@SET-Linux:~$ sudo su
[sudo] password for fortinet: fortinet
root@SET-Linux:~# cd /root/scripts/
root@SET-Linux:/root/scripts# ./Deploy.sh 192.168.10.128 fad.conf

If this is the first installation, answer y to all prompts and wait for all the
VMs to deploy, which can take some minutes.

If, for some reason, you want to reinstall only one VM, delete it and then run
the same script again, this time answering n for every VM except the one you
want to reinstall.

1 Connectivity Diagram

All networks in this topology have a /24 netmask.

The FortiGate acts as the ISP and allows traffic from all VMs to the Internet.

There is an out-of-band management network named NET1 to allow easier access
to the FortiADC. The FortiGate also has some PATs configured on the vmnet4
interface pointing to the following IP addresses:

FG-IP:1080 to 10.0.0.11:80
FG-IP:1081 to 10.0.0.12:80

2 Initial Setup

Exercise 1: Configure the webserver

From the ESXi interface, start WS1 and WS2.

Go to the WS1 VM console, open a Terminal and type the following commands:

# sudo ifconfig eth0 up 10.0.1.11 netmask 255.255.255.0 broadcast 10.0.1.255
# sudo route add default gw 10.0.1.1

Then go to the WS2 VM console, open a Terminal and type the following
commands:

# sudo ifconfig eth0 up 10.0.1.12 netmask 255.255.255.0 broadcast 10.0.1.255
# sudo route add default gw 10.0.1.1

Exercise 2: Check SET-Linux configuration

The Deploy script should already have configured everything in SET-Linux, so
you only need to check it.

Open a terminal and check that the IP address of the ens192 interface is
10.0.0.100/24:

Then check that the default gateway is 10.0.0.1:

Exercise 3: Get the FortiGate IP address information

Connect to the FortiGate console; at the CLI login prompt, log in with the
default username admin and no password.

Execute the command show system interface to confirm that all FortiGate
interfaces were correctly configured by the Deploy script. Otherwise re-run the
script, answering n for all steps except the one that configures the FortiGate.
If you still have problems, ask the instructor for help.

Execute the command get system interface.

Take note of the IP address of port1; you'll use it throughout this lab
wherever the [FG-IP] tag appears.

Exercise 4: Configuring Initial FortiADC Device Settings

Start the FortiADC1 VM. Connect to its console; at the CLI login prompt, log in
with the default username admin and no password.

Configure the IP for port1, which will be used for management only:

From the SET-Linux VM, connect to the FortiADC1 GUI at http://10.0.0.11 with
admin and no password.

Go to System > Settings > Basic and set a hostname:

Go to System > Settings > Maintenance, configure Time Zone and enable NTP:

Go to Networking > Interface and configure port2, port3 and port4 as indicated:

Enable DHCP on port7 and ensure that it receives an IP address from the ESX segment.

Connect to the console (you can also do this through the web management GUI)
and test ping to both ISP gateways, WS1 and WS2:

Go to Networking > Routing > Static and configure two static routes as
indicated. Notice that wan1 will be used since it has the lower distance:

From FortiADC console, try to ping external websites to check that name resolution
and routing are working properly.

Go to Log & Report > Log Setting and enable all log options including Fast Stats.
This will be necessary for some of the labs in this document:

3 L4 Server Load Balance

Exercise 1: Verify Health Check

Some health checks already exist. Go to Shared Resources > Health Check and see
how they are configured. Look at the LB_HLTHCK_HTTP details:

Exercise 2: Server Pools and Virtual Servers

Go to Server Load Balance > Real Server Pool > Real Server and create both
webservers:

Then go to Real Server Pool and create a new pool as indicated:

Then go to Server Load Balance > Virtual Server, and create one in Advanced
Mode:

Exercise 3: Testing, monitor and logs

Verify everything is working:

From SET Linux VM try accessing this Virtual Server through the CLI:

# curl http://10.0.21.100 -v

Look at the persistence table to check which server the FortiADC chose:

Go to Log & Report > Log Browsing > Traffic Log and see the generated logs,
including the details:

Check the Source IP. Is it the IP of the FortiADC interface?

Run the following to connect to the server several times and observe the
behavior:

# while true; do curl http://10.0.21.100 -v; sleep 1; done

Check the persistence table, traffic logs and session table again. Is traffic
being sent to both webservers or always to the same one?

Disable persistence on the virtual server and test again. Do you see any
difference from the previous test?

# while true; do curl http://10.0.21.100 -v; sleep 1; done

Check the total sessions for each WS.

4 L7 Server Load Balance (HTTP)

Exercise 1: L7 HTTP SLB

Go to Shared Resources > Health Check and create a new one as indicated:

Go to Server Load Balance > Virtual Server and edit the virtual server to change it to Layer 7:

Edit the Real Server Pool to use the newly created health check:

Verify it is working properly:

Exercise 2: Testing

From SET Linux VM, test accessing the virtual server using Firefox. Then, try also
through command line:

# curl http://10.0.21.100 -v

Check the Traffic Logs for SLB HTTP. Verify the details, and compare with the log
generated when using curl:

Also, compare with the logs we generated for SLB Layer 4.

Check the Source IP. Is it the FortiADC interface IP?

From the ESX console, connect to WS1 VM. Open a terminal and stop the Apache
WebServer service with the following commands:

Don't worry about any error related to the Apache configuration. Wait a few
seconds and verify that WS1 is no longer available:

Go back to the WS1 VM and restore the index.php file.

Wait a few seconds and verify that WS1 is considered online again. Check the
logs to see the health check monitoring:

5 Outbound Link Load Balance

Exercise 1: Configure LLB

Go to Link Load Balance > Link Group and add both gateways:

Those are the gateways of both WAN links connected to the FortiADC. Create a
Link Group with both gateways:

Create a Link Policy to set all traffic from port2 to use the created link group:

Go to Networking > NAT and set NAT rules for both WAN links. In our case, we
will match all traffic:

Exercise 2: Testing

Open the FortiADC console:

Create a packet capture as indicated:

Or

From the ESX GUI, open the WS1 VM console. Using curl, try accessing a few
different HTTPS websites, or ping them:

Don't worry about certificate errors; the idea is only to generate traffic.
Check that traffic is sent through both wan1 and wan2:

Remember the Destination persistence selected in the Link Group configuration.
For each destination IP, the FortiADC keeps sending traffic over the same link.

6 Global Load Balance (1 datacenter, multiple links)

Exercise 1: Create a second L7 SLB

Now suppose the datacenter wants to provide access to the webservers through
both WAN links. The first step is to create a second virtual server on wan2 (we
already have one on wan1 from the previous labs).

Go to Server Load Balance > Virtual Server and create a second one with the
same characteristics as VS-Webservers-Wan1, but now using wan2:

From the SET Linux VM, try to access http://10.0.22.100 (the VS on wan2).
Open the FortiADC console and start a packet capture to verify that traffic to
this VS always uses the wan2 interface (port4):

Exercise 2: Configuring GLB

Go to Global Load Balance > Global Object > Data Center and create an object to
reference where this FortiADC is (we will name it datacenter1):

Go to Global Load Balance > Global Object > Server and create a new one as
indicated. Click on the Discover button to load all local virtual servers:

Then configure each member to define its gateway:

Go to Global Load Balance > FQDN Settings to create a new Virtual Server Pool:

Leave the TTL for the members as -1 to use the zone level TTL:

Go to Global Load Balance > FQDN Settings and create a new Host:

Change the Zone settings to TTL = 1. With that, DNS clients cache the record
for only one second, so they effectively query for the www.fortilab.com name
resolution every time:

In General Settings, enable Global DNS Configuration and Traffic Log:

Finally, go to Global Load Balance > Zone Tools and create a policy to allow
queries to this domain from any source IP to any interface/destination:

Exercise 3: Testing GLB

From the SET Linux VM, verify how the FortiADC answers DNS queries for
www.fortilab.com. You can use nslookup for that, pointing it at both FortiADC WAN IPs:

Notice that both virtual servers are returned. Connect to the FortiGate
(10.0.0.1) and disable port4 to simulate a failure on the wan2 link:

Test DNS resolution using the FortiADC wan1 IP and see that it no longer
returns the virtual server IP associated with wan2:

Go to Dashboard > Global Load Balance and see the graph.

Go to Log & Report > Log Browsing and verify the GLB-generated logs:

Enable the FortiGate port4 interface again and verify that DNS resolution
returns both virtual servers again.

7 Global Load Balance (2 datacenters, multiple links)

Exercise 1: Initial Setup FortiADC2, WS3 and WS4

From the ESX console, turn on FortiADC2, WS3 and WS4.

Go to the WS3 VM console, open a Terminal and type the following commands:

# sudo ifconfig eth0 up 10.0.2.13 netmask 255.255.255.0 broadcast 10.0.2.255


# sudo route add default gw 10.0.2.1

Then, go to the WS4 VM console, open a Terminal and type the following
commands:

# sudo ifconfig eth0 up 10.0.2.14 netmask 255.255.255.0 broadcast 10.0.2.255


# sudo route add default gw 10.0.2.1

Open FortiADC2 console and configure port1 interface:

From SET-Linux VM, login to http://10.0.0.12. Go to System > Settings > Basic
and set hostname to FortiADC2.

Go to Network > Interfaces and configure all interfaces according to the
topology and enable ping on them:

Configure static routing to both gateways:

Go to Link Load Balance > Link Group and create both gateways. Remember to
enable the ICMP health check for them:

Go to Link Load Balance and create a new link group:

Go to Link Policy and set the default link group:

Exercise 2: SLB in datacenter2

Go to Shared Resources and create a new Health Check:

Server Load Balance > Real Server Pool and create both Real Servers:

Create the Real Server Pool:

Create a virtual server for wan1:

Create a virtual server for wan2:

From the SET Linux VM, validate that both virtual servers (http://10.0.23.100
and http://10.0.24.100) are working before going to the next step.

Exercise 3: Configuring GLB in datacenter2

Go to Global Load Balance > Global Object and create datacenter2 and
datacenter1 objects:

Create the local servers (remember you can use the Discover button):

Create the servers from datacenter1. You need to create them twice: once using
the FortiADC1 wan1 IP address and once using its wan2 IP address:

Go to FQDN Settings and Create a Server Pool. Add all members to it:

Create a new Host:

Go to Zone Tools and set Zone TTL to 1.

Then go to Global DNS Policy to create a new one:

Finally, Go to General Settings and enable Global DNS Configuration:

Exercise 4: Adjusting GLB in datacenter1

We need to adjust FortiADC1 to take datacenter2 into consideration.

In FortiADC1, go to Global Load Balance and create datacenter2 object:

Create a new server for datacenter2 wan1 interface:

Create a new server for datacenter2 wan2 interface:

Do not forget to add a Gateway to each member.

Go to FQDN Settings and edit the existing Virtual Server Pool to include all
members from datacenter2:

Exercise 5: Testing

From the SET Linux VM, test name resolution against all FortiADC WAN
interfaces. Notice that all virtual servers are returned, since they are all available:

Repeat the nslookup four times against the same server. Notice the order of
the servers in the answer: they rotate. Why does that happen, and why is it useful?

Go to the ESX console and suspend the WS4 VM. Does it change anything? Why?

Go to WS3 and run this command:

Check Dashboard > Server Load Balance and Global Load Balance on FADC2 and
FADC1.

Go to the FortiGate and disable the wan2 port. Does it change anything?

Check the Dashboard while you test those failures.

Remember to check the logs too.

Go to the FortiGate and enable the wan2 port before continuing to the next labs.
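
To see why the order rotates and why an unhealthy member disappears from the answer (the GLB tests in sections 6 and 7), here is an added example in Python that is not FortiADC code: a tiny authoritative responder for www.fortilab.com that returns every healthy virtual server as an A record in DNS wire format, rotates the order one step per query, and stamps each record with the zone TTL. The member table, the health flags and the parser used to read the answer back are constructed for the example; the addresses are the lab's four virtual servers.

```python
import struct

ZONE_TTL = 1   # seconds; the lab sets the zone TTL to 1 so resolvers re-query almost every time


class GlbZone:
    """One FQDN mapped to several virtual servers with per-member health (constructed)."""

    def __init__(self, name, members, ttl=ZONE_TTL):
        self.name = name
        self.order = [ip for ip, _ in members]    # configured member order
        self.health = dict(members)                # ip -> bool, as a health check would set it
        self.ttl = ttl
        self._rr = 0

    def set_health(self, ip, healthy):
        self.health[ip] = healthy

    def answer_ips(self):
        """Healthy members only, rotated one step further on every call."""
        alive = [ip for ip in self.order if self.health[ip]]
        if not alive:
            return []
        k = self._rr % len(alive)
        self._rr += 1
        return alive[k:] + alive[:k]


def _encode_name(name):
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"


def build_response(zone, txid):
    """Authoritative DNS answer (wire format) for an A query on zone.name."""
    ips = zone.answer_ips()
    header = struct.pack("!HHHHHH", txid, 0x8400, 1, len(ips), 0, 0)  # QR=1, AA=1
    question = _encode_name(zone.name) + struct.pack("!HH", 1, 1)     # type A, class IN
    answers = b""
    for ip in ips:
        rdata = bytes(int(o) for o in ip.split("."))
        # name field is a compression pointer (0xC00C) back to the question name
        answers += struct.pack("!HHHIH", 0xC00C, 1, 1, zone.ttl, 4) + rdata
    return header + question + answers


def parse_a_records(packet):
    """Return [(ip, ttl), ...] from a response built above (what nslookup would print)."""
    _, _, _, ancount, _, _ = struct.unpack("!HHHHHH", packet[:12])
    off = 12
    while packet[off] != 0:            # skip the question name (uncompressed labels)
        off += packet[off] + 1
    off += 1 + 4                       # terminating label, qtype, qclass
    records = []
    for _ in range(ancount):
        _, rtype, _, ttl, rdlen = struct.unpack("!HHHIH", packet[off:off + 12])
        off += 12
        rdata, off = packet[off:off + rdlen], off + rdlen
        if rtype == 1:
            records.append((".".join(str(b) for b in rdata), ttl))
    return records


def demo_zone():
    """The lab's four virtual servers, all healthy."""
    return GlbZone("www.fortilab.com", [("10.0.21.100", True), ("10.0.22.100", True),
                                        ("10.0.23.100", True), ("10.0.24.100", True)])


if __name__ == "__main__":
    zone = demo_zone()
    for txid in range(1, 4):
        print(parse_a_records(build_response(zone, txid)))   # order rotates each time
    zone.set_health("10.0.22.100", False)                      # wan2 on FortiADC1 "fails"
    print(parse_a_records(build_response(zone, 4)))           # 10.0.22.100 is gone
```

Because each client that takes the first record lands on a different member, round-robin order spreads load even when every resolver receives the same set; with TTL = 1 the resolver re-asks almost immediately, so a member that fails its health check vanishes from new answers within seconds instead of living on in caches.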

8 Virtual Tunnel Routing

Before you start, verify that all FortiGate wan interfaces are up and enabled, and
that all webservers are running.

Exercise 1: Configuring FortiADC1

Connect to FortiADC1 and enable ping on all interfaces. This will be necessary
later when the two units test each other with the ICMP health check:

Go to Link Load Balance > Virtual Tunnel and create a new tunnel named vt1. Add
two members, one connecting wan1 to wan1 and the other wan2 to wan2:

After creating it, notice that tunnel-wan2 is shown as unavailable. Why is that?
Discuss with the other students and/or the instructor before you continue.

Go to Link Policy, delete the existing policy (the one created during LLB lab), and
set the Default Link Group as link-group-1:

Go back to Virtual Tunnel vt1 and verify it is now shown as available. What
was the difference from the older LLB policy? Discuss with the instructor.

Go to Shared Resources and add address objects for both datacenter networks:

Finally, go to Link Load Balance > Link Policy and create a policy to route traffic
from datacenter1 network to datacenter2 through the tunnel:

Exercise 2: Configuring FortiADC2

Connect to FortiADC2 and enable ping in all interfaces:

Go to Link Load Balance > Virtual Tunnel and create a new tunnel named vt1. Add
two members, one connecting wan1 to wan1 and the other wan2 to wan2:

Go to Link Policy, delete the existing policy (the one created during LLB lab), and
set the Default Link Group as link-group-1:

Go to Shared Resources and add address objects for both datacenter networks:

Finally, go to Link Load Balance > Link Policy and create a policy to route traffic
from datacenter1 network to datacenter2 through the tunnel:

Exercise 3: Testing

Connect to the WS3 console and leave a ping to both WS1 and WS2 running:

Connect to the FortiADC1 console and set up a packet capture as indicated:

Repeat the capture in FortiADC2, and analyze the packet flow.

9 HTTP Routing and Rewriting

Exercise 1: URL Rewriting

In the FortiADC1 GUI, go to Server Load Balance > Virtual Server and create a
new Content Rewriting rule:

Then edit the Virtual Server VS-WebServers-Wan1 and enable this content
rewriting:

From the SET Linux VM, try to access http://10.0.21.100/index2.html. The
rewriting rule replaces index2.html with index.html, so you see the web page
correctly.

Now try to access http://10.0.22.100/index2.html. You will receive a Not Found
error, since there is no rewriting rule on that virtual server and the page
does not actually exist on the servers.

Exercise 2: Content Routing

In FortiADC1, go to Server Load Balance > Real Server Pool and create two new
real servers as indicated:

They refer to the external virtual servers on FortiADC2.

Then create a new Real Server Pool including both servers:

Go to Server Load Balance > Virtual Server and create two new Content Routing
rules:

Now edit the existing VS-WebServers-Wan1 virtual server and add both content
routing rules on it:

From the SET Linux VM, try accessing http://10.0.21.100/file.txt and
http://10.0.21.100/dc2.

Check the logs for details:

Now try to access http://10.0.21.100. Why does it show a server-unavailable
error? How can that be solved? Discuss with the instructor before moving on.

Create a new content routing rule as indicated. Notice that not defining a
match condition means it matches anything.

Add this content routing to the Virtual Server:

Try http://10.0.21.100 again. Why does it work now?

Note: you can suspend the WS3, WS4 and FortiADC2 VMs now to save resources on
your computer.

10 Scripting

Go to Server Load Balance and create a new script named Redirect-curl:

Go to Server Load Balance and edit the VS-WebServers-Wan2 virtual server to
add this script:

From SET Linux VM, try accessing http://10.0.22.100 using Firefox. You should
see the page correctly.

Now open a terminal and test access to 10.0.22.100 using curl:

You will see that it is redirected to www.fortinet.com.

Now change the Redirect-curl script to match firefox instead of curl:

Try from Firefox and with curl to see the difference now.

Keep in mind that the User-Agent header is set by the client, so anyone can
change it (for example with curl -A); a script like this is useful for routing
or demonstrations, not as an access control.

The intention of this lab is to briefly show how to start working with
scripts. Check the existing scripts to understand them better and to get ideas
on what is possible.

11 ADC Security

Exercise 1: Authentication

Go to User Authentication and create a new user:

Create a new group and include this user:

Create an Authentication Policy:

Edit the VS-WebServers-Wan1 virtual server and set the authentication policy:

From the SET Linux VM, try to access http://10.0.21.100. Check the logs at the end:

Exercise 2: Web Application Firewall

Remove the authentication policy from the VS-WebServers-Wan1 virtual server.

Go to Web Application Firewall and create a new HTTP Protocol Constraint:

Create a WAF Profile to include this:

Edit the VS-WebServers-Wan1 virtual server to set this WAF profile:

From the SET Linux VM, open a terminal and use curl to access
http://10.0.21.100/index.html:

Now try to pass some parameters to have a longer URL:

Check the logs:

Now create a SQL/XSS Injection Detection:

And add it to the WAF profile. Remove the HTTP Protocol Constraint so it does
not affect this test:

From the SET Linux VM, run the following against the virtual server to
simulate a SQL injection attack:

wget 'http://10.0.21.100/index.html?x=1--'

For XSS, run:

wget --post-data='<script>alert(1);</script>' http://10.0.21.100/

Check the logs:
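
As an added illustration (not FortiADC's engine, rules or log format), the following Python runs toy versions of the two features just exercised, an HTTP protocol constraint on URL length and a signature check for SQL injection and XSS, over constructed sample requests that include the two payloads above. The signatures, the 128-byte limit, the source address and the log format are assumptions; the last sample shows why percent-decoding before matching matters.

```python
import re
from urllib.parse import unquote

MAX_URL_LEN = 128   # assumed constraint; in the lab it is whatever you set in the GUI

# Deliberately small signature set (assumptions, not FortiADC's rules).
RULES = [
    ("sql-injection",
     re.compile(r"(--|'|\bunion\b|\bselect\b|\bor\b\s+\d+\s*=\s*\d+)", re.I)),
    ("cross-site-scripting",
     re.compile(r"(<script\b|javascript:|\bon(load|error|click|mouseover)\s*=)", re.I)),
]


def inspect(method, url, body="", decode=True):
    """Return ("allow", "") or ("deny", reason) for one request.

    The protocol constraint is checked first, on the raw URL. Signatures are
    then matched against the URL and body; with decode=True both fields are
    percent-decoded first, the normalisation a real WAF performs before
    matching (without it, %3Cscript%3E walks straight past the rule).
    """
    if len(url) > MAX_URL_LEN:
        return "deny", "protocol-constraint:url-length"
    fields = [url, body]
    if decode:
        fields = [unquote(f) for f in fields]
    for reason, rx in RULES:
        if any(rx.search(f) for f in fields):
            return "deny", reason
    return "allow", ""


def log_line(src, method, url, body=""):
    """Constructed log record, loosely in the spirit of an ADC attack log."""
    action, reason = inspect(method, url, body)
    return "src=%s method=%s url=%s action=%s reason=%s" % (
        src, method, url, action, reason or "-")


# Constructed sample traffic: the lab's two payloads, a harmless request, an
# over-long URL and a percent-encoded XSS that defeats matching without decoding.
SAMPLES = [
    ("GET", "/index.html", ""),
    ("GET", "/index.html?x=1--", ""),
    ("POST", "/", "<script>alert(1);</script>"),
    ("GET", "/index.html?pad=" + "A" * 200, ""),
    ("GET", "/?q=%3Cscript%3Ealert(1)%3C/script%3E", ""),
]

if __name__ == "__main__":
    for m, u, b in SAMPLES:
        print(log_line("10.0.0.100", m, u, b))
```

A real WAF normalises far more than percent-encoding (double encoding, Unicode, chunked bodies, parameter pollution) and ships thousands of signatures; the point here is the shape of the decision and the log record, and that a signature engine without normalisation is trivially bypassed.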

12 Advanced SLB

If you haven't done it already, you can suspend WS3, WS4 and FortiADC2 now to
save resources on your computer.

Also, to make our packet captures easier to read, we need to change the SLB
health check to ICMP instead of HTTP. To do so, go to Server Load Balance >
Real Server Pool and edit RS-Pool-Webservers:

Exercise 1: Preserve Client IP

By default, the FortiADC uses its own interface IP as the source IP when
connecting to the real servers. Run the capture below, then access
http://10.0.21.100, and see that on port3 (wan1) the source IP is 10.0.0.100
(the SET Linux VM) while on port2 (lan) the source IP is 10.0.1.1 (the FortiADC):

To change that, go to Server Load Balance > Application Resources and create a
new HTTP profile with the Source Address option enabled and HTTP mode set to
Server Close (we will need that later):

Then edit the VS-WebServers-Wan1 virtual server to set this profile:

Run the same capture again and verify the source IP used:

Another option to make the real client IP reach the server is to add it to an
HTTP header such as X-Forwarded-For.

Edit the HTTP-Profile and enable X-Forwarded-For. Disable the Source Address
option, since there is no point in keeping both enabled.

Then go to Networking and create a Packet Capture:

Run this capture, access http://10.0.21.100, then stop the capture and download it.

From the SET Linux CLI, run the following to see the inserted header carrying
the original source IP:
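
On the server side, a header-carried client address is only as trustworthy as the hop that inserted it: any client can send its own X-Forwarded-For, so the web server must take the value the ADC added and ignore whatever came before it. The following Python is an added example (not FortiADC or lab code) of that parsing; it assumes 10.0.1.1 (the FortiADC LAN address in this lab) is the only trusted proxy and that the ADC appends the real client address to any header the client already sent rather than replacing it.

```python
import ipaddress

# The only hop allowed to speak for the client: FortiADC's LAN-side address from
# the lab topology. This list is an assumption for the example; in production it
# holds whatever addresses the ADC actually connects from, and nothing else.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.1.1/32")]


def is_trusted_proxy(addr):
    """True when addr falls inside one of the trusted proxy networks."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in TRUSTED_PROXIES)


def client_ip(remote_addr, xff_header):
    """Return the address to log, rate-limit and authorise as the client.

    remote_addr is the TCP peer the web server actually accepted; xff_header is
    the raw X-Forwarded-For value (or None). The chain is walked from the right,
    the end a trusted proxy appended to, and the first hop that is not a trusted
    proxy wins. If the peer itself is not a trusted proxy the header is ignored,
    so a client that reaches the server directly cannot forge an address.
    """
    if not is_trusted_proxy(remote_addr):
        return remote_addr
    hops = [h.strip() for h in (xff_header or "").split(",") if h.strip()]
    for hop in reversed(hops):
        try:
            if not is_trusted_proxy(hop):
                return hop
        except ValueError:           # not an IP literal at all: refuse to trust the header
            return remote_addr
    return remote_addr               # header empty, or only trusted proxies in it


def access_log_line(remote_addr, xff_header, request_line):
    """One log record that keeps both the TCP peer and the derived client address."""
    return "peer=%s client=%s xff=%r request=%r" % (
        remote_addr, client_ip(remote_addr, xff_header), xff_header or "", request_line)


if __name__ == "__main__":
    # Constructed cases: the lab's SET Linux client (10.0.0.100) behind the ADC,
    # the same client trying to prepend a fake address, and a direct connection.
    print(access_log_line("10.0.1.1", "10.0.0.100", "GET / HTTP/1.1"))
    print(access_log_line("10.0.1.1", "1.2.3.4, 10.0.0.100", "GET / HTTP/1.1"))
    print(access_log_line("10.0.0.100", "1.2.3.4", "GET / HTTP/1.1"))
```

Configure the real application the same way: Apache's RemoteIPInternalProxy, nginx's set_real_ip_from, or the framework's trusted-proxy list with the ADC address only. Without that, logging, rate limits and IP allow lists can be bypassed with a single spoofed header.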

Exercise 2: Connection reuse

From SET Linux, run a command to continuously access http://10.0.21.100:

Then go to the FortiADC console and run the following to capture all TCP SYN
packets:

Notice that for each SYN packet received on port3 (wan) there is also a SYN
packet on port2 (lan) to the server.

Now, from the FortiADC console, create a new connection pool:

Still from the CLI, set this connection pool on the VS-WebServers-Wan1 virtual server:

From SET Linux, run the command again:

Then go to the FortiADC console and run the capture to get all TCP SYN packets:

Notice that only the first SYN is sent on port2. Why is that? Discuss with the
instructor.
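
The following Python is an added example, not FortiADC or lab code, that reproduces what the capture shows. A local stand-in server counts the TCP connections it accepts; the same five requests are sent once with a new connection each (the default behaviour you saw first, one server-side SYN per client SYN) and once over a single kept-alive connection (what the connection pool does on the server side, with the client here playing the ADC's role). The loopback server, the ephemeral port and the request count are assumptions.

```python
import http.client
import threading
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer


class CountingServer(ThreadingHTTPServer):
    """Stand-in for the real server: counts every TCP connection it accepts."""

    def __init__(self, *args, **kwargs):
        super().__init__(*args, **kwargs)
        self.accepted = 0
        self._lock = threading.Lock()

    def get_request(self):
        request = super().get_request()      # one call per completed TCP handshake
        with self._lock:
            self.accepted += 1
        return request


class _Handler(BaseHTTPRequestHandler):
    protocol_version = "HTTP/1.1"            # keep-alive needs 1.1 plus a Content-Length

    def do_GET(self):
        body = b"hello from the real server\n"
        self.send_response(200)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):            # keep the demo quiet
        pass


def fetch_without_reuse(host, port, n):
    """Default behaviour: a fresh server-side TCP connection for every request."""
    for _ in range(n):
        conn = http.client.HTTPConnection(host, port, timeout=5)
        conn.request("GET", "/")
        conn.getresponse().read()
        conn.close()


def fetch_with_reuse(host, port, n):
    """Connection pool behaviour: one handshake, then requests share the socket."""
    conn = http.client.HTTPConnection(host, port, timeout=5)
    for _ in range(n):
        conn.request("GET", "/")
        conn.getresponse().read()            # drain the body before the next request
    conn.close()


def compare(n=5):
    """Return (connections accepted without reuse, with reuse) for n requests."""
    srv = CountingServer(("127.0.0.1", 0), _Handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    port = srv.server_address[1]
    fetch_without_reuse("127.0.0.1", port, n)
    without = srv.accepted
    srv.accepted = 0
    fetch_with_reuse("127.0.0.1", port, n)
    with_pool = srv.accepted
    srv.shutdown()
    srv.server_close()
    return without, with_pool


if __name__ == "__main__":
    print(compare(5))   # (5, 1)
```

Connection reuse removes the handshake and, on the server, the per-connection state. The flip side is that a pooled connection carries requests from different clients, so a server that keys anything on the TCP connection (client certificate, source IP allow list, NTLM) must not be placed behind a pool unless the client identity travels in each request.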

Exercise 3: Caching

Go to Server Load Balance > Application Optimization and create a new Caching
object:

Go to Application Resources and edit the HTTP-Profile to set caching:

From SET Linux, run a command to continuously access http://10.0.21.100:

Run a packet capture in FortiADC to see the traffic:

Notice that there is only one access to the real server (on port2), while
subsequent requests are served by the FortiADC directly from its cache. Keep
the cache rules narrow: cache static content only, never responses that differ
per user (for example pages served after authentication or carrying
Set-Cookie), otherwise one client's response can be served to another.

You can also verify the cache statistics with the following command:

Remember to verify the logs generated:

13 Final: Shutting Down Everything


To erase all labs and shut down the servers correctly, follow these steps:
Enter the SET-Linux console.
Execute sudo su to log in as root.
Execute /root/scripts/RestartESXLab.sh [ESX-IP].
Execute init 0.
At the ESX management GUI, check that SET-Linux is the only existing VM and
that it is turned off.
Right-click the Host and select Shutdown (this takes some time to finish).

