advertisement
Chapter 5: Link Load Balancing Configuring persistence rules
Settings
Health Check
List
Inbound
Bandwidth
Outbound
Bandwidth
Guidelines
Select one or more health check configuration objects.
Maximum bandwidth rate for inbound traffic through this gateway link.
Maximum bandwidth rate for outbound traffic to this gateway link. If traffic exceeds this threshold, the FortiADC system considers the gateway to be full and does not dispatch new connections to it.
The default is 2,000,000 Kbps. The valid range is 1 to 2,147,483,647.
We recommend you tune bandwidth thresholds strategically, using the bandwidth rate and price structure agreement you have with your ISP to your advantage.
Maximum inbound bandwidth rate for a link in a spillover load balancing pool.
Inbound
Spillover
Threshold
Outbound
Spillover
Threshold
Total Spillover
Threshold
Maximum outbound bandwidth rate for a link in a spillover load balancing pool.
If you enable spillover load balancing in the link group configuration, the system maintains a spillover list. It dispatches new connections to the link with the greatest priority until its spillover threshold is exceeded; then dispatches new connections to the link with the next greatest priority until its threshold is exceeded, and so on.
The default is 2,000,000 Kbps. The valid range is 1 to 2,147,483,647.
Maximum total bandwidth rate (inbound plus outbound) for a link in a spillover load balancing pool.
Configuring persistence rules
Persistence rules identify traffic that should be ignored by load balancing rules and instead be forwarded to the same gateway each time the traffic traverses the FortiADC appliance.
You should use persistence rules with applications that use a secure connection. Such applications drop connections when the server detects a change in a client’s source IP address.
describes the types of persistence rules you can configure.
Table 30: Persistence rules used in link load balancing
Persistence Description
Source-Destination Pair Packets with the same source IP address and destination IP address take same outgoing gateway.
154 FortiADC D-Series Handbook
Fortinet Technologies, Inc.
Configuring persistence rules Chapter 5: Link Load Balancing
Persistence
Source-Destination
Address
Source Address
Destination Address
Description
Packets with a source IP address and destination IP address that belong to the same subnet take the same outgoing gateway.
Packets with a source IP address that belongs to the same subnet take the same outgoing gateway.
Packets with a destination IP address that belongs to the same subnet take same outgoing gateway.
Before you begin: l l l
You must have an awareness of the types of outbound traffic from your network. Persistence rules are useful for traffic that requires an established session, such as secure connections (HTTPS and SSH, for example).
You must have knowledge of the source and/or destination subnets to which the persistence rules should apply.
You must have Read-Write permission for Link Load Balance settings.
You can use persistence rules in link groups but not virtual tunnels.
To configure a persistence rule:
1. Go to Link Load Balance > Link Group.
2. Click the Persistence tab.
3. Click Add to display the configuration editor.
4. Complete the configuration as described in
.
5. Save the configuration.
Table 31: Persistence rule configuration
Type Guidelines
Name Configuration name. Valid characters are A-Z, a-z, 0-9, _, and -. No spaces. You reference this name in the link group configuration.
Note: After you initially save the configuration, you cannot edit the name.
Type
Source-Destination Pair
Select one of the persistence types, as described below.
Timeout The default is 300 seconds.
Source-Destination Address
FortiADC D-Series Handbook
Fortinet Technologies, Inc.
155
advertisement
advertisement
Table of contents
- 13 Features
- 13 Basic network topology
- 14 Scope
- 16 FortiADC 4.6.1
- 16 FortiADC 4.6.0
- 18 FortiADC 4.5.3
- 18 FortiADC 4.5.2
- 18 FortiADC 4.5.1
- 19 FortiADC 4.5.0
- 20 FortiADC 4.4.0
- 21 FortiADC 4.3.1
- 21 FortiADC 4.3.1
- 22 FortiADC 4.3.0
- 23 FortiADC 4.2.3
- 23 FortiADC 4.2.1
- 23 FortiADC 4.2.0
- 24 FortiADC 4.1
- 24 FortiADC 4.0 Patch 2
- 24 FortiADC 4.0 Patch 1
- 24 FortiADC 4.0
- 25 FortiADC 3.2.0
- 25 FortiADC 3.1.0
- 26 FortiADC 3.0.0
- 26 FortiADC 2.1.0
- 27 Server load balancing
- 27 Feature Summary
- 28 Authentication
- 28 Caching
- 29 Compression
- 29 Content rewriting
- 29 Content routing
- 29 Scripting
- 29 SSL transactions
- 30 Link load balancing
- 30 Global load balancing
- 30 Security
- 30 High availability
- 31 Virtual domains
- 32 Step 1: Install the appliance
- 33 Step 2: Configure the management interface
- 36 Step 3: Configure basic network settings
- 40 Step 4: Test connectivity to destination servers
- 40 Step 5: Complete product registration, licensing, and upgrades
- 42 Step 6: Configure a basic server load balancing policy
- 45 Step 7: Test the deployment
- 48 Step 8: Back up the configuration
- 50 Server load balancing basics
- 53 Server load balancing configuration overview
- 56 Configuring real server SSL profiles
- 61 Using real server pools
- 61 Configuring real server pools
- 66 Example: Using port ranges and the port 0 configuration
- 67 Configuring persistence rules
- 73 Configuring content routes
- 75 Using content rewriting rules
- 75 Overview
- 76 Configuring content rewriting rules
- 78 Example: Redirecting HTTP to HTTPS
- 86 Example: Rewriting the HTTP response when using content routing
- 88 Example: Rewriting the HTTP request and response to mask application details
- 90 Example: Rewriting the HTTP request to harmonize port numbers
- 91 Configuring compression rules
- 93 Using caching features
- 93 Static caching
- 95 Dynamic caching
- 95 Configuring caching rules
- 97 Configuring Application profiles
- 121 Configuring error pages
- 121 Using source pools
- 122 Configuring source pools
- 124 Example: DNAT
- 125 Example: full NAT
- 126 Example: NAT46 (Layer 4 virtual servers)
- 128 Example: NAT64 (Layer 4 virtual servers)
- 130 Example: NAT46 (Layer 7 virtual servers)
- 132 Example: NAT64 (Layer 7 virtual servers)
- 133 Configuring auth policies
- 135 Configuring methods
- 136 Configuring an L2 exception list
- 137 Using the Web Category tab
- 138 Creating a Web Filter Profile configuration
- 138 Configuring virtual servers
- 144 TCP multiplexing
- 145 Using scripts
- 146 Create a script object
- 146 Import a script
- 146 Export a script
- 147 Delete a script
- 148 Link load balancing basics
- 148 Using link groups
- 149 Using virtual tunnels
- 151 Link load balancing configuration overview
- 153 Configuring gateway links
- 154 Configuring persistence rules
- 156 Configuring proximity route settings
- 158 Configuring a link group
- 160 Configuring a virtual tunnel group
- 162 Configuring link policies
- 164 Global load balancing basics
- 166 Global load balancing configuration overview
- 168 Configuring servers
- 171 Configuring a global load balance link
- 172 Configuring data centers
- 173 Configuring hosts
- 174 Configuring virtual server pools
- 176 Configuring dynamic proximity
- 177 Configuring persistence
- 178 Configuring an address group
- 179 Configuring remote DNS servers
- 180 Configuring the DSSET list
- 180 Configuring DNS zones
- 184 Configuring DNS64
- 185 Configuring the response rate limit
- 186 onfiguring a Global DNS policy
- 187 Configuring general settings
- 189 Configuring the trust anchor key
- 190 Security features basics
- 190 Managing IP Reputation policy settings
- 192 Configure IP reputation exception
- 193 Using the Geo IP block list
- 194 Using the Geo IP whitelist
- 195 Enabling denial of service protection
- 196 Configuring a firewall policy
- 197 Configuring the firewall connection limit
- 199 Web application firewall basics
- 200 Web application firewall configuration overview
- 201 Predefined configuration elements
- 201 Severity
- 201 Exceptions
- 201 Configuring a WAF Profile
- 203 Configuring a Web Attack Signature policy
- 208 Configuring a URL Protection policy
- 209 Configuring an HTTP Protocol Constraint policy
- 213 Configuring an SQL/XSS Injection Detection policy
- 215 Configuring WAF Exception objects
- 216 Configuring a Bot Detection policy
- 219 Configuring user groups
- 220 Using the local authentication server
- 221 Using an LDAP authentication server
- 222 Using a RADIUS authentication server
- 223 Using Kerberos Authentication Relay
- 223 Authentication Workflow
- 223 Step 1: Client authentication
- 224 Step 2: Client service authorization
- 224 Step 3: Client service request
- 224 FortiADC Kerberos authentication implementation
- 225 Configure Authentication Relay (Kerberos)
- 225 Configure SAML authentication
- 226 Import IDP metadata
- 226 Configure SAML authentication
- 228 Configuring health checks
- 235 Creating schedule groups
- 236 Creating IPv4 address objects
- 237 Configuring IPv4 address groups
- 238 Creating IPv6 address objects
- 239 Configuring IPv6 address groups
- 240 Managing ISP address books
- 242 Create an ISP address book object
- 243 Creating service objects
- 244 Creating service groups
- 246 Configuring network interfaces
- 246 Using physical interfaces
- 247 Using VLAN interfaces
- 247 Using aggregate interfaces
- 248 Configuring network interfaces
- 253 Configuring static routes
- 254 Configuring policy routes
- 256 Configuring basic system settings
- 257 Configuring system time
- 259 Configuring an SMTP mail server
- 259 Configuring FortiGuard service settings
- 261 Pushing/pulling configurations
- 262 Backing up and restoring the configuration
- 263 Updating firmware
- 264 Upgrade considerations
- 264 Updating firmware using the web UI
- 266 Updating firmware using the CLI
- 267 Rebooting, resetting, and shutting down the system
- 268 Create a traffic group
- 269 Create a traffic group via the command line interface
- 269 Create a traffic group from the Web GUI
- 270 Create administrator users
- 272 Configure access profiles
- 275 Enable password policies
- 276 Configuring SNMP
- 277 Download SNMP MIBs
- 278 Configure SNMP threshold
- 278 Configure SNMP v1/v2
- 280 Configure SNMP v3
- 281 Manage and validate certificates
- 282 Overview
- 282 Prerequisite tasks
- 283 Manage certificates
- 284 Generating a certificate signing request
- 286 Importing local certificates
- 288 Creating a local certificate group
- 288 Importing intermediate CAs
- 289 Creating an intermediate CA group
- 290 Validating certificates
- 290 Configure a certificate verification object
- 293 Importing CRLs
- 294 Adding OCSPs
- 296 Importing remote certificates
- 297 Importing CAs
- 298 Creating a CA group
- 300 Using the event log
- 307 Using the security log
- 313 Using the *traffic log
- 321 Configuring local log settings
- 323 Configuring syslog settings
- 325 Configuring high speed logging
- 326 Enabling real-time statistics
- 327 Configuring alert email settings
- 328 Configuring an alert email recipient
- 328 Configuring reports
- 329 Configuring Report Queries
- 332 Configuring fast reports
- 333 Using reports
- 334 Display logs via CLI
- 335 HA feature overview
- 339 HA system requirements
- 340 HA synchronization
- 341 Configuring HA settings
- 346 Monitoring an HA cluster
- 348 Updating firmware for an HA cluster
- 349 Deploying an active-passive cluster
- 349 Overview
- 351 Basic steps
- 351 Best practice tips
- 351 Deploying an active-active cluster
- 352 Configuration overview
- 353 Basic steps
- 354 Expected behavior
- 354 Traffic to TCP virtual servers
- 358 Traffic to HTTP virtual servers
- 360 FTP traffic and traffic processed by firewall rules
- 363 Best practice tips
- 363 Advantages of HA Active-Active-VRRP
- 363 Deploying an active-active-VRRP cluster
- 364 Configuration overview
- 365 Basic steps
- 366 Best practice tips
- 368 Virtual domain basics
- 368 Enabling the virtual domain feature
- 369 Creating virtual domains
- 369 Assigning network interfaces and admin users to VDOMs
- 370 Virtual domain policies
- 371 Disabling virtual domains
- 372 SSL offloading
- 374 SSL decryption by forward proxy
- 374 Layer 7 deployments
- 376 Layer 2 deployments
- 377 Profile configurations
- 381 Certificate guidelines
- 381 SSL/TLS versions and cipher suites
- 385 Exceptions list
- 385 SSL traffic mirroring
- 387 Configure source NAT
- 389 Configure source NAT
- 392 Configure 1-to-1 NAT
- 394 QoS
- 395 Configuring a QoS queue
- 395 Configuring the QoS filter
- 396 Configuring the QoS IPv6 filter
- 397 ISP routes
- 398 BGP
- 398 How BGP works
- 398 IBGP vs. EBGP
- 402 Access list vs. prefix list
- 403 Configuring an IPv4 access list
- 403 Configuring an IPv6 access list
- 404 Configuring an IPv4 prefix list
- 405 Configuring an IPv6 prefix list
- 405 OSPF
- 409 Reverse path route caching
- 411 Packet capture
- 413 Regular backups
- 413 Security
- 414 Topology
- 414 Administrator access
- 415 Performance tips
- 415 System performance
- 415 Reducing the impact of logging on performance
- 415 Reducing the impact of reports on system performance
- 415 Reducing the impact of packet capture on system performance
- 416 High availability
- 417 Logs
- 417 Tools
- 417 execute commands
- 418 diagnose commands
- 419 System dump
- 420 Packet capture
- 421 Diff
- 422 Solutions by issue type
- 422 Login issues
- 423 Connectivity issues
- 423 Checking hardware connections
- 423 Checking routing
- 427 Examining the routing table
- 427 Examining server daemons
- 427 Checking port assignments
- 427 Performing a packet trace
- 428 Checking the SSL/TLS handshake & encryption
- 428 Resource issues
- 428 Monitoring traffic load
- 429 DoS attacks
- 429 Resetting the configuration
- 429 Restoring firmware (“clean install”)
- 432 Additional resources
- 435 Status
- 436 Data Analytics
- 437 Server load balance
- 437 Select a display option
- 438 Filter virtual servers onscreen
- 439 Add virtual servers
- 439 Link load balance
- 439 Global load balance
- 440 HA status
- 441 Session monitoring
- 446 Events and actions
- 446 Predefined Commands
- 452 Control structures
- 452 Operators
- 453 String library
- 454 Examples
- 454 Select content routes based on URI string matches
- 455 Rewrite the HTTP request host header and path
- 456 Rewrite the HTTP response Location header
- 456 Redirect HTTP to HTTPS using Lua string substitution
- 456 Redirect mobile users to the mobile version of a website