FortiADC Transparent Mode Configuration Guide VERSION 1.0.0


Wednesday, February 28, 2018
FortiADC Transparent Mode Configuration Guide
Initial Release

TABLE OF CONTENTS

Change Log
Introduction
Software switch
    Important things to know about softswitch
    Recommendations
Configure a softswitch interface
    From the Console
    From the GUI
    Test the softswitch
Configure softswitch management IP
    From the Console
    From the GUI
    Test the softswitch management IP
Configure softswitch VLAN sub-interface
    From the Console
    From the GUI
    Test the softswitch VLAN sub-interface
Create a Layer-4 VS in DNAT mode
    From the Console
        Configure a load-balancing real server
        Configure a load-balancing virtual server
    From the GUI
    Traffic flow
Create a Layer-7 VS with client address enabled
    From the Console
        Configure a load-balancing real server
        Enable client IP address
    From the GUI
        Configure an application profile
        Configure a Layer-7 virtual server
    Traffic flow

Change Log

Date          Change Description
02/28/2018    Initial release.

Introduction

Transparent mode allows you to deploy a FortiADC appliance directly into a network environment without making changes to the existing routing infrastructure while providing full services for Layer-2 switching.

A single or multiple VLANs can be configured on a FortiADC appliance to perform Layer-2 switching. Because a VLAN is a pair of logical interfaces sharing the same characteristics, it can cover one or more ports on multiple devices. In this way, a FortiADC appliance works as a Layer-2 switch with multiple VLAN segments and provides services within the same Layer-2 network.

To support transparent mode, you must create a softswitch interface on FortiADC. For more information, see "Software switch".

Software switch

A software switch, or softswitch, is a virtual switch that is implemented at the software or firmware level rather than the hardware level. It can be used to simplify communication between devices connected to different FortiADC interfaces. For example, using a softswitch, you can place the FortiADC interface connected to an internal network on the same subnet as your wireless interfaces. This allows devices on the internal network to communicate with devices on the wireless network without any additional configuration.

A softswitch can also be useful if you require more hardware ports for the switch on a FortiADC unit. For example, if your FortiADC has a 4-port switch, WAN1, WAN2, and DMZ interfaces, and you need one more port, you can create a softswitch that includes the 4-port switch and the DMZ interface all on the same subnet. Such applications also apply to wireless interfaces, virtual wireless interfaces, and physical interfaces.

Similar to a hardware switch, a softswitch functions like a single interface. It has one IP address, and all interfaces in the softswitch are on the same subnet. Traffic between devices connected to each interface is not regulated by security policies, and traffic passing in and out of the switch is affected by the same policy.

Important things to know about softswitch

- The softswitch interface is a standard Layer-3 interface supported on all FortiADC platforms.
- Members of a softswitch automatically switch to Layer-2 type.
- The softswitch interface can be defined as a normal Layer-3 interface, such as management, server load-balancing, link load-balancing, global load-balancing, and firewall, but can't be used by an HA configuration as a heartbeat port, data port, or monitor port.
- Member ports of the softswitch can't be used by management, server load-balancing, link load-balancing, global load-balancing, firewall, or HA traffic.
- LLDP is supported on member ports of the softswitch.
- You can't add a softswitch to an aggregate interface.
- The softswitch interface can be used in a tunnel interface.
- The softswitch interface is supported in all Layer-2, Layer-4, and Layer-7 virtual server modes; using the softswitch interface in Layer-2 mode will not trigger route-redirect events.
- The FortiADC softswitch does not participate in the Spanning Tree Protocol (STP) as a node, but forwards all STP BPDUs directly through the softswitch interface.

Recommendations

Before setting up a softswitch, we strongly recommend that you do the following:

- Back up your existing configuration.
- Have at least one port or connection, such as the console port, to connect to the FortiADC unit. That way, if you accidentally combine too many ports, you still have a way to undo it.

Configure a softswitch interface

To support transparent mode, you must first set up a softswitch interface on your FortiADC appliance, which can be done either from the console or the GUI.

From the Console

    config system interface
      edit "sw"
        set type switch
        set member port9 port10
      next
    end

From the GUI

1. From the navigation bar, click Networking > Interface.
2. At the top of the interface table, click Add.
3. Make the entries or selections as highlighted in Figure 1.
4. Click Save when done.

Figure 1: Configure a softswitch interface

Test the softswitch

After you have created a softswitch, you must test it to make sure that it works properly. Run a Ping test against the server's IP address to see if the client can reach the server via the softswitch, as illustrated in Figure 2.

Figure 2: Ping a real server via the softswitch

Configure softswitch management IP

The softswitch interface can be managed or referenced by any other modules in the same way as any regular interface. Once a softswitch is created, you need to set a management IP for it.

From the Console

    config system interface
      edit "sw"
        set type switch
        set ip 1.1.250.1/16
        set allowaccess https ping ssh snmp http telnet
        set member port9 port10
      next
    end

From the GUI

1. On the softswitch configuration page, make the selections and entry as highlighted in Figure 3.
2. Click Save when done.

Figure 3: Configure softswitch management IP

Test the softswitch management IP

Once you have set up the management IP of the softswitch, you must test it to make sure that it works properly. Run a Ping test against the management IP of the softswitch interface, as illustrated in Figure 4.

Figure 4: Ping softswitch management IP

Configure softswitch VLAN sub-interface

You can create a VLAN sub-interface for the softswitch from either the console or the GUI.

From the Console

    config system interface
      edit "sw"
        set type switch
        set vdom root
        set ip 1.1.250.1/16
        set allowaccess https ping http
        set member port9 port10
        config ha-node-ip-list
        end
        set traffic-group default
      next
      edit "vlan100"
        set type vlan
        set vdom root
        set ip 100.1.1.1/16
        set allowaccess https ping ssh snmp http telnet
        set vlanid 100
        set interface sw
        config ha-node-ip-list
        end
      next
    end

From the GUI

1. From the navigation bar, click Networking > Interface.
2. At the top of the interface table, click Add.
3. Make the entries or selections as highlighted in Figure 5.
4. Click Save when done.

Figure 5: Configure softswitch VLAN sub-interface

Test the softswitch VLAN sub-interface

After you have configured the softswitch VLAN sub-interface, you must test it to make sure that it works properly. Run a Ping test against the VLAN sub-interface of the softswitch, as illustrated in Figure 6.

Figure 6: Ping VLAN sub-interface
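The allowaccess lists in the management IP and VLAN sub-interface examples above include http and telnet, and the guide states that softswitch member ports can't be used for management. As an added example (not part of the Fortinet guide), this Python script parses an exported interface configuration and flags both conditions. Treating http and telnet as the cleartext services, the sample text, and the port9 entry are assumptions constructed for illustration.

```python
import shlex

# Assumption: allowaccess values that expose management in cleartext.
CLEARTEXT = {"telnet", "http"}

# Constructed sample in the guide's console style; the port9 entry is a
# hypothetical misconfiguration added for the demonstration.
SAMPLE = """
config system interface
  edit "sw"
    set type switch
    set ip 1.1.250.1/16
    set allowaccess https ping ssh snmp http telnet
    set member port9 port10
    config ha-node-ip-list
    end
  next
  edit "vlan100"
    set type vlan
    set ip 100.1.1.1/16
    set allowaccess https ping
    set vlanid 100
    set interface sw
  next
  edit "port9"
    set ip 10.0.0.9/24
    set allowaccess ping ssh
  next
end
"""

def parse_interfaces(text):
    """Return {name: {option: [values]}} for 'config system interface' entries."""
    interfaces, current, stack = {}, None, []
    for line in text.splitlines():
        tok = shlex.split(line)
        if not tok:
            continue
        if tok[0] == "config":
            stack.append(tok[1:])
        elif tok[0] == "end":
            del stack[-1:]  # tolerate an unbalanced trailing 'end'
        elif stack == [["system", "interface"]]:  # skip nested sub-tables
            if tok[0] == "edit":
                current = interfaces.setdefault(tok[1], {})
            elif tok[0] == "next":
                current = None
            elif tok[0] == "set" and current is not None:
                current[tok[1]] = tok[2:]
    return interfaces

def audit(interfaces):
    """Return sorted (interface, finding) tuples."""
    members = {m: name for name, o in interfaces.items()
               if o.get("type") == ["switch"] for m in o.get("member", [])}
    findings = []
    for name, o in interfaces.items():
        weak = sorted(CLEARTEXT & set(o.get("allowaccess", [])))
        if weak:
            findings.append((name, "cleartext management access: " + " ".join(weak)))
        if name in members and (o.get("ip") or o.get("allowaccess")):
            findings.append((name, "member port of %s carries its own ip/allowaccess" % members[name]))
    return sorted(findings)

if __name__ == "__main__":
    print(*audit(parse_interfaces(SAMPLE)), sep="\n")
```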

Create a Layer-4 VS in DNAT mode

You can create a Layer-4 DNAT virtual server in transparent mode.

From the Console

Configure a load-balancing real server

    FortiADC-VM # config load-balance real-server
    FortiADC-VM (real-server) # show
    config load-balance real-server
      edit srs1
        set ip 1.1.1.200
      next
      edit "swrs2"
        set ip 1.1.1.201
      next
    end
    FortiADC-VM # config load-balance pool
    FortiADC-VM (pool) # edit sw_pool
    FortiADC-VM (sw_pool) # show
    config load-balance pool
      edit sw_pool
        set real-server-ssl-profile NONE
        config pool_member
          edit 1
            set pool_member_cookie rs1
            set real-server srs1
          next
          edit 2
            set pool_member_cookie rs2
            set real-server swrs2
          next
        end
      next
    end

Configure a load-balancing virtual server

    config load-balance virtual-server
      edit "SW_L4_DNAT"
        set type l4-load-balance
        set packet-forwarding-method NAT
        set interface sw
        set addr-type ipv4
        set ip 1.1.1.100
        set port 80
        set load-balance-profile LB_PROF_TCP
        set load-balance-method LB_METHOD_ROUND_ROBIN
        set load-balance-pool sw_pool
      next
    end

From the GUI

1. Configure a real-server pool with two real servers, as illustrated in Figure 7.
2. Configure a virtual server using DNAT as the packet forwarding method, making sure it references the softswitch interface, as illustrated in Figure 8.

Figure 7: Create a real-server pool with two members

Figure 8: Configure a virtual server in DNAT mode and reference to softswitch interface

Traffic flow

Figure 9 illustrates the network traffic flow when FortiADC is deployed in Layer-4 DNAT mode.

Figure 9: Layer-4 DNAT mode

Create a Layer-7 VS with client address enabled

This section discusses how to create a Layer-7 virtual server with client address enabled in transparent mode. It can be done from either the Console or the GUI.

From the Console

Configure a load-balancing real server

    FortiADC-VM # config load-balance real-server
    FortiADC-VM (real-server) # show
    config load-balance real-server
      edit srs1
        set ip 1.1.1.200
      next
      edit "swrs2"
        set ip 1.1.1.201
      next
    end
    FortiADC-VM # conf load-balance pool
    FortiADC-VM (pool) # edit sw_pool
    FortiADC-VM (sw_pool) # show
    config load-balance pool
      edit sw_pool
        set real-server-ssl-profile NONE
        config pool_member
          edit 1
            set pool_member_cookie rs1
            set real-server srs1
          next
          edit 2
            set pool_member_cookie rs2
            set real-server swrs2
          next
        end
      next
    end

Enable client IP address

    FortiADC-VM (http_client) # show
    config load-balance profile
      edit "http_client"
        set type http
        set client-address enable
      next
    end
    FortiADC-VM (http_client) #
    FortiADC-VM # conf load-balance virtual-server
    FortiADC-VM (virtual-server) # edit sw_l7_vs
    FortiADC-VM (sw_l7_vs) # show
    config load-balance virtual-server
      edit "sw_l7_vs"
        set interface sw
        set ip 1.1.1.100
        set load-balance-profile http_client
        set load-balance-method LB_METHOD_ROUND_ROBIN
        set load-balance-pool sw_pool
        set traffic-group default
      next
    end

From the GUI

Configure an application profile

1. Create an application profile.
2. Enable the Source Address (client address), as illustrated in Figure 10.

Figure 10: Create an application profile with client IP (Source Address) enabled

Configure a Layer-7 virtual server

1. Create a Layer-7 virtual server.
2. Reference the softswitch interface and the application profile, as illustrated in Figure 11.

Figure 11: Configure a Layer-7 virtual server

Traffic flow

Figure 12 illustrates the network traffic flow when FortiADC is deployed in transparent mode at Layer 7 with client IP address enabled.

Figure 12: Layer-7 with client IP address enabled
