Failover

6. Enter:

eqcli > vlan vlname subnet sname hb_interval seconds

Where vlname is the name of the VLAN, sname is the name of the subnet and seconds is the heartbeat interval, that is, the time in seconds (default: 2) between successful heartbeat checks of the peer.

7. Repeat the same procedure on the preferred backup.

558

Copyright © 2014 Coyote Point Systems, A Subsidiary of Fortinet, Inc.

Summary of Contents for Equalizer GX Series

Page 1: ... DELIVERY CONTROLLER. EQ OS 10 Administration Guide for Equalizer LX and GX Series, OS Version 10.3.1, December 23, 2014. The recognized leader in proven and affordable load balancing and application delivery solutions ...

Page 2: ...et and Fortinet disclaims all warranties whether express or implied except to the extent Fortinet enters a binding written contract signed by Fortinet s General Counsel with a purchaser that expressly warrants that the identified product will perform according to the performance metrics herein For absolute clarity any such warranty will be limited to performance in the same ideal conditions as in ...

Page 3: ... 34 Persistence 35 Why a Server May Not Be Selected 38 What s New 39 What s New in this Revision 40 Installation 43 Hardware Installation 44 UL cUL CE CB Safety Warnings and Precautions 45 Power Requirements 47 Operating Environment 47 Regulatory Certification 47 Setting Up a Terminal or Terminal Emulator 48 Configuring Access 49 Default Login 50 Serial Access 51 First Time Configuration 53 Global...

Page 4: ... Scenarios 96 Blank Configuration 96 Single VLAN Subnet 97 Single VLAN Subnet with a Default Gateway 99 Dual VLAN Network 101 Dual VLAN Network with 2 Gateways 104 Dual VLAN Network with Outbound NAT 107 Using VLANs 110 How the ADC Routes a Packet 112 Configuring Front Panel Ports 114 Viewing Link Status and Port Settings 115 Viewing Link Status and Port Settings E350GX E450GX E650GX Only 116 Disp...

Page 5: ... In to the CLI Over an SSH Connection 142 Exiting the CLI 143 Working in the CLI 144 CLI Contexts and Objects 144 Object Relationships 146 Command Line Editing 147 Entering Names for Equalizer Objects 148 Using White Space in a Command Line 148 Enabling and Disabling Flags 149 Command Abbreviation and Completion 150 Detection of Invalid Commands and Arguments 151 Specifying Multiple Server Instanc...

Page 6: ...s 189 Link Aggregation Commands 191 Link Load Balancing Commands 192 Object List Commands 194 Peer Commands 195 Remote Management Commands 198 Responder Commands 199 Regular Expressions in Redirect Responders 200 Server Commands 201 Server Pool and Server Instance Commands 202 Server Side Encryption Commands 210 Smart Control Commands 211 SNMP Commands 213 Tunnel Commands 215 User Commands 216 Use...

Page 7: ...3 Certificate Revocation Lists 245 Installing a Certificate Revocation List CRL 245 IP Reputation 247 Parameters 264 Server Side Encryption 266 Smart Control 267 SNMP 268 MIB Compliance 270 MIB Files 271 External Services 272 SMTP Relay 272 VLB Manager 273 Maintenance 275 Setting Date and Time 275 Backup and Restore 276 Backup 277 Restore 279 Manage Software 282 Tools 283 Network Configuration 286...

Page 8: ...luster Configuration Settings 331 TCP Cluster Persistence 333 TCP Cluster Timeouts 334 UDP Cluster Configuration Summary 335 UDP Cluster Configuration Settings 336 UDP Cluster Configuration Persistence 338 UDP Cluster Configuration Timeouts 339 UDP Cluster Limitations 340 Modifying a Layer 7 HTTP or HTTPS Cluster 341 Layer 7 Cluster Configuration Summary 342 Layer 7 HTTP and HTTPS Cluster Settings...

Page 9: ...e Considerations for HTTPS Clusters 378 HTTPS Performance and Xcel SSL Acceleration 378 HTTPS Header Injection 380 Providing FTP Services on a Virtual Cluster 380 FTP Cluster Configuration 381 Configuring Direct Server Return 382 Testing Your Basic Configuration 385 Using Match Rules 386 How Match Rules are Processed 387 Match Rule Order 388 Match Rule Expressions and Bodies 389 Match Rule Express...

Page 10: ... Reporting CLI and GUI 420 Server Pools and Server Instances 429 About Server Pools 430 Server Pool Summary 431 Configuring Server Pool Load Balancing Options 432 Equalizer s Load Balancing Policies 432 Equalizer s Load Balancing Response Settings 433 Aggressive Load Balancing 434 Dynamic Weight Oscillations 434 Using Active Content Verification ACV 435 Adding and Configuring a Server Pool GUI 437...

Page 11: ...ing on Servers 469 Spoof Controls SNAT 469 How Spoof Influences Routing 469 Server Statistics and Reporting CLI and GUI 471 Automatic Cluster Responders 477 Automatic Cluster Responders 478 Responder Summary 479 Managing Responders 480 Adding a Responder 480 Modifying a Responder 482 Using Regular Expressions in Redirect Responders 482 Using Responders in Match Rules 485 Creating a Match Rule for ...

Page 12: ...d Balancer Determines if it Should Assume the Primary Role 533 Releases Supported for Failover with EQ OS 10 534 Guidelines for Updating a Failover Pair 535 Failover Between Two EQ OS 10 Systems 536 Types of Failover Configurations 536 Peer Failover Modes 538 Failover Constraints 539 Configuration Synchronization Constraints 541 Server Gateway Availability Constraint 543 Failover Peer Probes and T...

Page 13: ...ith 4 Load Balancers CLI 597 Configuring N 0 Failover with 4 Load Balancers CLI 605 Logs and Reports 615 Displaying Logs 616 Export to CSV 617 Filtering Status Details 618 Event Log 619 System Log 620 Audit Log 621 Upgrade Log 622 Remote System Logging 623 Reporting 625 Configuring Server Connections 627 HTTP Multiplexing 628 Enabling HTTP Multiplexing 629 Disabling spoof for HTTP Multiplexing 630...

Page 14: ...ation ACV Probes 647 Enabling Disabling ACV Probes 648 Setting ACV Query and Response Strings 649 Testing ACV Probes 650 Configuring UDP and TCP Parameters 651 Simple Health Check Probes 653 Configuring Simple Health Check Probe Parameters 653 Simple Health Checks and Load Balancing Policies 658 Server Agents 659 Sample Server Agent 660 VLB Health Check Probes 662 Enabling Disabling VLB Health Che...

Page 15: ...anagement Station 727 Enabling SNMP 728 Enabling SNMP Traps 729 Creating Alerts for SNMP Traps 730 User and Group Management 733 Best User and Group Management Practices 734 Object Permission Types 735 Required Task Permissions and Flags 736 Single and Multiple User Scenarios 742 How to Use Regular Expressions 747 Regular Expression Terms 748 Learning About Atoms 749 Creating a Bracket Expression ...

Page 16: ...Mware Fusion 800 Licensing EQOD 801 Upgrading EQOD 803 Using Certificates in HTTPS Clusters 805 Using Certificates in HTTPS Clusters 806 Configuring Cipher Suites 811 Enabling HTTPS with a Server Certificate 817 Enabling HTTPS with Server and Client Certificates 818 Generating a CSR and Getting It Signed by a CA 820 Generating a Self Signed Certificate 822 Installing Certificates for an HTTPS Clus...

Page 17: ... x and 10 2 x 843 Networking Translation Between 10 1 x and 10 2 x Systems 844 Maximum Configuration Values 848 Glossary 849 Copyright 2014 Coyote Point Systems A Subsidiary of Fortinet Inc All Rights Reserved 17 Equalizer Administration Guide ...

Page 18: ......

Page 19: ... in this chapter include About Equalizer 20 Typographical Conventions 21 Attributions 21 Where to Go for More Help 22 Copyright 2014 Coyote Point Systems A Subsidiary of Fortinet Inc All Rights Reserved 19 Equalizer Administration Guide ...

Page 20: ... availability with no single point of failure through the use of redundant servers in a cluster and the optional addition of a failover or backup Equalizer l Layer 7 content sensitive routing l Connection persistence using cookies or IP addresses l Real time server and cluster performance monitoring l Server and cluster administration from a single interface l SSL acceleration on Equalizer models ...

Page 21: ... to click to display the GUI form relevant to the task at hand In the above example the user would click on the Equalizer host name displayed at the top of the left nav igational tree click on the Configuration tab in the right pane and then click on the Settings tab 1 Numbered lists show steps that you must complete in the numbered order l Bulleted lists identify items that you can address in any...

Page 22: ...ns a Resource CD with copies of all product documentation including support documents that help you configure Equalizer for a variety of environments Register today to get access to the Fortinet Support Portal https support fortinet com Registration provides you with a login so you can access these benefits l Support FAQs answers to our customer s most common questions l Moderated Customer Support...

Page 23: ...mation 26 Network Address Translation and Spoofing 27 Load Balancing 29 How a Server is Selected 31 Layer 7 Load Balancing and Server Selection 34 Persistence 35 Why a Server May Not Be Selected 38 Copyright 2014 Coyote Point Systems A Subsidiary of Fortinet Inc All Rights Reserved 23 Equalizer Administration Guide ...

Page 24: ...he destination IP address of the request is sufficient and no examination of the request headers is required Layer 7 clusters are intended for configurations where routing decisions need to be made based on the content of the request headers the appliance evaluates and can modify the content of request headers as it routes packets to servers in some cases it can also modify headers in server respo...

Page 25: ...count the configuration options set for the cluster and servers real time server status information and information from the request itself For Layer 7 clusters user defined match rules can also be used to determine the route a packet should take Copyright 2014 Coyote Point Systems A Subsidiary of Fortinet Inc All Rights Reserved 25 Equalizer Administration Guide ...

Page 26: ...ng is not in the response the verification fails and it stops routing new requests to that server See Active Content Verification ACV Probes for more information Note ACV is not supported for Layer 4 UDP clusters Server Agent Probes enable the appliance to communicate with a user written program the agent running on the server A server agent is written to open a server port and when the appliance ...

Page 27: ...y configured to use Equalizer s IP address as their default gateway to ensure that all responses go through the appliance otherwise the server would attempt to respond directly to the client IP When the spoof option is disabled on a cluster then SNAT is enabled Equalizer translates the source IP the client IP to one of the appliance s IP addresses before forwarding pack ets to a server The servers...

Page 28: ...ction to the the appliance s Default VLAN IP address the external interface IP address on the E250GX and legacy si systems or to the address specified in the server s Outbound NAT tab Enabling outbound NAT as a result has a performance cost since the appliance is examining every outbound packet Note When Equalizer is in single network mode outbound NAT should be disabled Since Equalizer resides on...

Page 29: ...be not used at all or it can completely define how the load is calculated Once a load is calculated Equalizer distributes incoming requests using the relative loads as weights sv00 Load 50 sv01 Load 50 sv02 Load 50 Equalizer calculated loads so the request distribution will be approximately equal sv00 Load 100 sv01 Load 50 sv02 Load 25 sv01 and sv02 above are uneven loads sv01 is twice as loaded a...

Page 30: ... every other non hot spare server is down If a con nection persists to this server it will be placed back on this server l Quiesce If a server instance in a server pool has been marked as Quiesce it will not be included in the pool of servers to select from Only previously existing persistent con nections will be made to this server 30 Copyright 2014 Coyote Point Systems A Subsidiary of Fortinet I...

Page 31: ...for load balancing If the server selected by persistence is not available the appliance uses load balancing policy to select an alternate server Server Selection Process Flow The figure below shows the server selection process As describe above this process depends on whether persistence is in use Once a server is selected Equalizer verifies that it isn t too busy based on max_connections and that...

Page 32: ...Overview 32 Copyright 2014 Coyote Point Systems A Subsidiary of Fortinet Inc ...

Page 33: ...t to the same server until the connect timeout expires Fore Layer 4 clusters the connection must be established within the stale_timeout Here the appliance retries the same server 3 times and then chooses another server on the 4th attempt If the appliance receives an active refusal RST from a server the connection is dropped Copyright 2014 Coyote Point Systems A Subsidiary of Fortinet Inc All Righ...

Page 34: ... called match rules A match rule might for example route requests based on whether the request is for a text file or a graphics file For example you may want to l load balance all requests for text files html etc across servers A and B l load balance all requests for graphics files across servers C D and E l load balance all other requests across all of the servers Match Rules are constructed usin...

Page 35: ...ence so that a persistent connection between a particular client and a particular server can be maintained this supports a client server session where session data is being maintained on the server for the life of the connection In other words whether you need to enable persistence on the appliance depends on the application you are load balancing Equalizers have no knowledge of the fact that the ...

Page 36: ... client has an unavailable persistent session Equalizer automatically selects a different server Then the client must establish a new session Equalizer stuffs a new cookie in the next response Details and scenarios are presented in Fallback Persistence Scenarios on page 355 Layer 4 Persistence For Layer 4 TCP and UDP clusters Equalizer support IP address based persistent connections With a sticky ...

Page 37: ...uster for a sticky record as it receives each connection request just like it does for ordinary sticky connections If the appliance does not find a sticky record it proceeds to check all of the other clusters that have the same IP address If it still does not find a sticky record it connects the user based on the current load balancing policy Copyright 2014 Coyote Point Systems A Subsidiary of For...

Page 38: ...hen the next SYN is received The 1st SYN would be at time 0 the 2nd at time 3 the 3rd at time 9 so the 4th would not happen before 10 seconds 3 For Layer 7 clusters if health checks have not yet detected that the server is down but Equalizer is unable to establish a cluster connection with the server it will wait the con figured connect_timeout time frame and then drop the connection so that the c...

Page 39: ...apter 3 What s New Subsections in this chapter include What s New in this Revision 40 Copyright 2014 Coyote Point Systems A Subsidiary of Fortinet Inc All Rights Reserved 39 Equalizer Administration Guide ...

Page 40: ...onfiguration It is now a stan dalone section for easier access n Working with Clusters and Match Rules Managing Server Pools and Server Instances and Managing Servers were previously part of Load Balancing Objects They are now stan dalone sections for easier access 2 New Feature Descriptions Server Side Encryption this new section appears in Working with Clusters and Match Rules Modifying a Layer ...

Page 41: ...efaults keeping core files and files that are currently in the file store See Debug Commands on page 159 Supported Ciphersuites Updated the list of supported ciphersuites in Working with Clusters and Match Rules Modifying a Layer 7 HTTP or HTTPS Cluster Layer 7 Security SSL Screen HTTPS Clusters See Layer 7 SSL Security HTTPS Clusters on page 349 Port Numbers Revised port numbers that are used in ...

Page 42: ......

Page 43: ...UL cUL CE CB Safety Warnings and Precautions 45 Power Requirements 47 Operating Environment 47 Regulatory Certification 47 Setting Up a Terminal or Terminal Emulator 48 Copyright 2014 Coyote Point Systems A Subsidiary of Fortinet Inc All Rights Reserved 43 Equalizer Administration Guide ...

Page 44: ...alizer as an intermediary between an external and internal network connect it to the external network using one of the RJ 45 ports labeled 1 or 2 on the front panel Connect the appliance to the internal network using one or more of the ports numbered 3 and above For a single network one subnet topology connect Equalizer to the network and the servers using one of the numbered RJ 45 ports numbered ...

Page 45: ...ack should be such that the amount of air flow required for safe operation of the equipment is not compromised Mechanical Loading Mounting of the equipment in the rack should be such that a hazardous condition is not achieved due to uneven mechanical loading Circuit Overloading Consideration should be given to the connection of the equipment to the supply circuit and the effect that overloading of...

Page 46: ...ith the limits for a Class A digital device pursuant to Part 15 of the FCC Rules These limits are designed to provide reasonable protection against harmful interference when the equipment is operated in a commercial environment This equipment generates uses and can radiate radio frequency energy and if it is not installed and used in accordance with the instruction manual it may cause harmful inte...

Page 47: ...cause radio interference in which case the user may be required to take adequate measures IMPORTANT Switzerland Annex 4 10 of SR814 013 applies to batteries Power Requirements The unit s power supply is rated at 100 240 VAC auto selecting 60 50 Hz 4 0A Operating Environment l Temperature 40 105 F 5 40 C GX Series 32 104 F 0 40 C LX Series l Humidity 5 90 non condensing Regulatory Certification Ple...

Page 48: ...supported this allows a single terminal session to continue running even if the appliance restarts On Windows systems you can use the Windows built in terminal emulator HyperTerminal or the Tera Term Pro terminal emulator to log in over the serial port On Unix systems you can use the cu 1 command or any other Unix serial communication program If you use HyperTerminal in addition to the settings sh...

Page 49: ...5 Configuring Access Sections within this chapter include Default Login 50 Serial Access 51 Copyright 2014 Coyote Point Systems A Subsidiary of Fortinet Inc All Rights Reserved 49 Equalizer Administration Guide ...

Page 50: ... you log in You can do this by logging into the CLI entering the following command and following the command prompts eqcli user touch password Creating Additional Logins You can create additional administrative logins and assign specific permissions to individual logins if desired See Best User and Group Management Practices on page 734 50 Copyright 2014 Coyote Point Systems A Subsidiary of Fortin...

Page 51: ... connectivity for the first time l Performing upgrades of the EQ OS software and switch firmware l Re configuring network access for services such as HTTP and SSH when you cannot login over the network interfaces currently configured or you are changing the network interfaces that will provide those services Copyright 2014 Coyote Point Systems A Subsidiary of Fortinet Inc All Rights Reserved 51 Eq...

Page 52: ......

Page 53: ...ude Global Services 54 VLAN Subnet Network Services 56 First Time VLAN Configuration Example 58 Replacing the Default Certificate Key and Cipherspec 61 Copyright 2014 Coyote Point Systems A Subsidiary of Fortinet Inc All Rights Reserved 53 Equalizer Administration Guide ...

Page 54: ...ter the touch user name and the pass word that you assigned earlier and click Login The Welcome screen for the Equalizer GUI appears on the right pane 2 Select the System configuration tab in the left pane 3 Click on the arrow u beside Global to expand the branch and select Parameters to display the Global Parameters screen on the right pane a Set the system Hostname to a name that is unique on yo...

Page 55: ...r GUI will listen on all subnets on which HTTPS services are enabled ssh SSH SSH login service when enabled SSH login will be permitted on all subnets on which SSH services are enabled snmp SNMP SNMP Simple Network Management Protocol service when enabled SNMP will accept connections on all subnets on which SNMP services are enabled Copyright 2014 Coyote Point Systems A Subsidiary of Fortinet Inc ...

Page 56: ... The following subnet network services settings are supported CLI GUI Network Service http HTTP HTTP GUI service when enabled the Equalizer will listen for HTTP connections on Equalizer s IP address on the subnet The global HTTP GUI service must also be enabled https HTTPS HTTPS GUI service when enabled the Equalizer will listen for HTTPS connections on Equalizer s IP address on the subnet The glo...

Page 57: ...s if configured on the subnet The global SSH service must also be enabled fo_snmp Failover SNMP Failover SNMP service when enabled SNMP will accept connections on Equalizer s Failover IP address if configured on the subnet The global SNMP service must also be enabled fo_envoy Failover Envoy Failover Envoy DNS service when enabled Envoy will accept DNS lookup connections on Equalizer s Failover IP ...

Page 58: ...pyright 2014 Fortinet Inc Welcome to Equalizer eqcli 2 Change the password for the touch login Enter eqcli user touch passwd Follow the command prompts to create a new password 3 Create a VLAN enter a command like the following eqcli vlan vlname vid vlan_ID Replace vlname with the VLAN name and vlan_ID with the VLAN ID number 1 4094 If you are using untagged VLANs common in many sites the VLAN ID ...

Page 59: ...xample below 0 0 is the default route and 172 16 0 1 is the gateway which is an unadorned IP addresses In this scenario all packets fordestinations are to be sent via this routes eqcli vlan 172net subnet sn01 route 0 0 gw 172 16 0 1 Refer to the webhelp if you need more help setting up your initial VLAN and subnet go to www coyotepoint com move your mouse over the Support link near the top of the ...

Page 60: ...ink Down if09 NA NA NA Link Down if10 NA NA NA Link Down if11 NA NA NA Link Down if12 NA NA NA Link Down eqcli The above example shows the appropriate output assuming that you are using the port labeled 1 on the front panel You should now be able to use the ping command from a workstation on the same subnet to reach the subnet IP address configured above 7 Connect the appliance to your network usi...

Page 61: ...r spec l Setting the encryption level to use in the communications between the client and the ADC Uploading the Custom Certificate and Key File Enter the following to upload a certificate and key file 1 Enter the name of the new certificate and upload it as follows eqcli certificate certificatename certfile URL where URL downloads the certfile using ftp or http protocol 2 Upload the new key file T...

Page 62: ... the custom cipherspec as follows eqcli remote mgmt cipherspec cipherspec where cipherspec is the new custom cipherspec to be used Setting the Encryption Levels 6 Configure the encryption levels that will be used in communications between the client and the ADC The default encryption level is TLSv1 0 tls10 eqcli protocol protocol where protocol can be sslv3 tls10 default tls11 or tls12 The protoco...

Page 63: ...To reapply the defaults for Cipherspec Certificate or Protocol enter any of the following eqcli no remote mgmt cipherspec certificate protocol Copyright 2014 Coyote Point Systems A Subsidiary of Fortinet Inc All Rights Reserved 63 Equalizer Administration Guide ...

Page 64: ......

Page 65: ...ter 7 Sample Configuration Sections within this chapter include Sample Configuration 66 Copyright 2014 Coyote Point Systems A Subsidiary of Fortinet Inc All Rights Reserved 65 Equalizer Administration Guide ...

Page 66: ...e procedure below shows you how to use one line commands in the global context to set up the configuration illustrated above 1 Power on Equalizer and enter the CLI as shown in Starting the CLI on page 141 2 Configure a VLAN for the GUI SSH and cluster IP addresses using the format eqcli vlan vlname vid vlan_ID Replace vlname with the VLAN name and vlan_ID with the VLAN ID number 1 4094 If you are ...

Page 67: ...net sn01 ip 192 168 0 200 21 5 Configure services on each subnet of each VLAN For our example we ll enable SSH login and the GUI over HTTP on the 172net VLAN eqcli vlan 172net subnet sn01 services http https ssh eqcli vlan 192net subnet sn01 services http https ssh 6 Configure routing on the VLANs including a default route and gateway routes In the example below 0 0 is the default route and 172 16...

Page 68: ...ot respond on a VLAN you may need special routes on the default router or on the next hop gateway for a particular VLAN 9 Set the timezone Enter eqcli timezone 10 Locate your timezone in the displayed list and press q to quit out of the list Then type in your timezone number and press Enter as in this example for the America New York time zone eqcli timezone 161 11 If Equalizer can reach the Inter...

Page 69: ...either of the following methods If the certificate resides on an FTP site enter commands like the following substituting the IP address and path on your FTP site from which the certificate and private key can be downloaded eqcli certificate ct01 eqcli cert certfile ftp 10 0 0 21 certfile pem eqcli cert keyfile ftp 10 0 0 21 keyfile pem If you want to cut and paste the certificate and key using an ...

Page 70: ...a web page that asks the user to try again later eqcli resp Sorrycl01 type sorry html edit An editor is launched so that you can enter the HTML for the responder page For example you can enter Once you are done type Esc Enter and then Enter to save the HTML you entered 22 Add the responder created in the previous step to cluster cl01 eqcli cluster cl01 resp Sorrycl01 The effect of adding this resp...

Page 71: ...d url https clustercl03 example com 1 eqcli rsp Red exit eqcli 12200287 Operation successful eqcli Note the following The regular expression used in the regex parameter contains a single space between the caret and backslash characters The FQDN used in the regex and url parameters e g cluster cl03 example com must match the FQDN used by clients to connect to cluster cl03 24 Add the responder creat...

Page 72: ......

Page 73: ...8 Registering Your Product Sections within this chapter include Registering Your Product 74 Copyright 2014 Coyote Point Systems A Subsidiary of Fortinet Inc All Rights Reserved 73 Equalizer Administration Guide ...

Page 74: ...sing SSH over an appropriately configured subnet and enter the fol lowing CLI command eqcli version Record the System Serial Number from the command output b If networking is configured and the GUI has been enabled on a subnet you can also get the serial number from the System Information widget on the GUI dash board The Dashboard appears automatically when you log into the GUI Once you have obtai...

Page 75: ...nal pane and then click on Global Dashboard The System Information widget on the right pane will indicate the Support information including Last refresh date Support end and Email Click on the Refresh button to update the registration information Note FortiCare information is not provided with E250GX systems in either the CLI or GUI Note The registration information does not update automatically i...

Page 76: ......

Page 77: ...Path from EQ OS 8 6 to the Latest EQ OS 10 Version 78 EQ OS 8 6 Upgrade Procedure 79 Upgrading to the Latest Release 85 Downgrading to EQ OS 8 6 86 Copyright 2014 Coyote Point Systems A Subsidiary of Fortinet Inc All Rights Reserved 77 Equalizer Administration Guide ...

Page 78: ...s the latest configuration file used When you downgrade you must downgrade one configuration version at a time For example if you want to downgrade from EQ OS 10 3 1a to EQ OS 10 1 0a you must use the following downgrade sequence 10 3 0a 10 2 0a 10 1 0a Configuration File Version Equalizer LX GX Releases Version 1 All releases prior to 10 1 0a Version 2 10 1 0a Version 3 10 2 0a Version 4 10 3 0a ...

Page 79: ...elease upgrade to the latest EQ OS 8 6 release reboot and then upgrade to the latest 8 6 release again 3 Equalizer must be running from the first disk partition when you begin the upgrade The easiest way to ensure this is to reboot the unit and press F1 the first function key on the keyboard when the following prompt appears F1 FreeBSD F2 FreeBSD Default F1 The Default line above may contain F1 or...

Page 80: ...ith a blank unconfigured installation of EQ OS version 10 If you proceed further load balancing will be disabled on this Equalizer until it is next rebooted even if the upgrade fails Continue with upgrade Y N Press Y and then Enter Note You may see the following messages during an upgrade tar Unable to access licenses No such file or directory tar WARNING These file names were not selected license...

Page 81: ...er to contact the Coyote Point license server over an internet connection please call Coyote Point Support or your local distributor to confirm your support status Then press N and Enter to proceed with the upgrade Two confirmation messages are displayed to proceed press Y and then Enter at each prompt to proceed with the upgrade Otherwise press Y and then Enter to request a new license If success...

Page 82: ...stage upgrade files are downloaded verified and unpacked you are asked to create a restore image Upgrade bundle is EQ OS 10 0 2a Checking that bundle is EQ OS 8 to EQ OS 10 type Retrieving autobuilds folsomBuilds 18288 i386 binary os8upgrade is os8 100 11 00 00 ETA It is very important to create a restore image of this Equalizer running the current EQ OS 8 software This is not a standard backup of...

Page 83: ...ed for an FTP server to which the encrypted restore image can be trans ferred Sending restore image to remote FTP server Enter URL for path to which to send restore image Example ftp ftp coyotepoint com my_images Enter URL Enter Username for file upload Enter Password for file upload Enter the URL and then a Username and Password to log into the FTP server 16 After you supply the FTP login informa...

Page 84: ...matically performed The switch firmware is automatically upgraded if required This process can take several minutes Caution DO NOT INTERRUPT THE SWITCH FIRMWARE UPGRADE IN ANY WAY This includes power cycling the unit Interrupting the switch firmware upgrade can leave your system in an inoperable state l After successfully upgrading and validating the switch firmware the system reboots auto matical...

Page 85: ...nadorned ftp or http URL that completely specifies the path to the upgrade image directory as in this example eqcli upgrade ftp 10 0 0 21 pub patches upgrades 10 0 0 upgrade 4 Equalizer downloads the upgrade files automatically unpacks them and then begins the upgrade No user intervention is required When the upgrade is complete the following messages are displayed Upgrade successfully completed N...

Page 86: ...back to EQ OS 8 6 you must use a restore image that was created during the upgrade of that unit to EQ OS 10 The file name used to save a restore image is the serial number of the unit on which it was created and this restore image can only be used to restore the Equalizer with the same serial number On EQ OS 10 you can use the CLI command to display Equalizer s serial number or check the serial nu...

Page 87: ...e URL where you saved the restore system image created during the upgrade to EQ OS 10 as in this example ftp ftp 10 0 0 21 folsom A107A 17004 xrb 5 The downgrade script then retrieves decrypts and installs the restore image from the URL you provided During this process you are asked to enter the restore image password At the prompts indicated in the sample output below enter the restore image pass...

Page 88: ...ling restore environment onto target filesystem Decrypting image restore data onto target filesystem Password restore_password Writing secondary boot configuration Updating primary bootblock version table Performing automatic reboot System will reboot to image extraction environment Halt NOW 6 As the system reboots do not press any keys After the following prompt is displayed IMAGE RESTORE DOWNGRA...

Page 89: ...es a Packet 112 Configuring Front Panel Ports 114 Viewing Link Status and Port Settings 115 Displaying Port Statistics 118 Source Based Routing Scenarios 119 Source Selection 120 Source Routing Scenarios 121 Enabling DNS 128 Configuring NTP 129 NTP and Plotting 129 Default NTP Configuration 129 Selecting an NTP Server 130 Managing NTP 131 Source Routing Tables Rules 132 Source Routing Table 133 IP...

Page 90: ...eway or router that is specified in this route It is then this gateway s job to get the packet closer to its final destination Source Based Routing This concept is not unique to Equalizer however the behavior of each device that implements Source based Routing can be different The definition of source based routing is simply that the source IP address is used in the routing decision For Equalizer ...

Page 91: ...0 0 0 0 source route is not used unless none of the other routes match Also note that in this configuration any packets that have a destination IP address other than a network local to Equalizer presumably 192 168 0 0 24 192 168 1 0 24 and 10 0 0 0 8 a route would not be found and the packet would be dropped by the system To prevent this from happening most configurations include a default route i...

Page 92: ... local network This is how Equalizer selects an IP address to use when sending a packet to the destination network In order to do this Equalizer actually sorts all of the destination networks it knows about in most specific to least specific order It then chooses an appropriate IP address to use based on the first destination network to match l Normally Equalizer would not allow any packets that do ...

Page 93: ... 10 0 0 0 24 network when these internal networks need to talk to the Internet When configuring outbound NAT the internal local network that is being configured for outbound NAT must use the routing information for the external network which it is using NAT through In the example above the default gateway for the 192 168 211 0 24 network will really be on the 10 0 0 0 24 network This is logical wh...

Page 94: ... most configurations permissions are necessary on both networks if network A needs to route to network B a permission must be added to A for B and another permission must be added to B for A Permissions are only necessary when using Equalizer to route packets They are not required for Application Traffic Management That is when an Equalizer cluster is paired with a server by adding a server pool c...

Page 95: ...and concepts in this document applies for tagged VLANs as well l This section uses examples that are for IPv4 networking However the configuration for IPv6 networking would be identical with a couple of exceptions These exceptions are identified where applicable l This section uses examples from an Equalizer OnDemand system using untagged VLANs If your configuration uses tagged networks or Equal...

Page 96: ...k Configuration When the Equalizer configuration does not contain any subnets the networking configuration should also be blank eqcli show sbr IPv4 Default Source Selection Table 0 0 172 16 5 90 IPv6 Default Source Selection Table Source Routing Table 0 0 0 0 00 0 0 0 0 00 via 172 16 0 1 weight 0 prefer 172 16 0 0 21 0 0 0 0 00 via 172 16 0 1 weight 0 prefer IP Filter Rules empty list IP NAT Rules...

Page 97: ... eqcli 12000287 Operation successful There are no differences to the DSS Default Source Selection table which is a listing of all destination networks configured in the load balancer the routing and the NAT tables since no new entries have been added to them However the IP Filters table has been updated by the system IP Filter Rules IPv4 Rules 1 pass on interface lo0 all hits 0 bytes 0 2 pass on i...

Page 98: ...cal host interface lo0 and IPv4 6 rule 3 blocks all traffic which didn t fall into one of the previous rules This is the default deny rule IPv6 rule 2 is an automatically added rule for link local IPv6 addresses which is always there if any networks are configured If all of the clients and servers for this Equalizer are on the internal net network we re done however most installations have custome...

Page 99: ...92 168 211 0 24 4 pass on interface wm1 hits 0 bytes 0 From To 192 168 211 0 24 any 5 pass on interface wm1 hits 0 bytes 0 From To any 192 168 211 0 24 6 block all hits 7 bytes 799 IPv6 Rules 1 pass on interface lo0 all hits 0 bytes 0 2 pass hits 0 bytes 0 From To fe80 10 any Now that we have a non blank routing configuration we can see that the source routing table reflects the change and that we...

Page 100: ...nto Equalizer and from Equalizer to non Equalizer networks These are the rules that allow routing through the default gateway to work The configuration presented in this section corresponds to the following scenario ...

Page 101: ...et net ip 10 0 0 68 24 default_route 10 0 0 254 eqcli 12000287 Operation successful The IP Filter configuration is updated as shown below Source Routing Table 10 0 0 0 24 default via 10 0 0 254 IP Filter Rules IPv4 Rules 1 pass on interface lo0 all hits 0 bytes 0 2 pass on interface wm1 hits 36 bytes 1608 From To 192 168 211 0 24 192 168 211 0 24 3 pass on interface wm0 hits 48 bytes 2926 From To ...

Page 102: ...ule doesn t exist for the 192 168 211 0 network because we have not enabled routing for it Since the new external network is the one is used for sending packets to the Internet we also make it the default network for sourcing packets We see that setting this flag has created a DSS table entry This entry is a definition for the 0 0 destination network which specifies that the external VLAN is the o...

Page 103: ...rface wm1 hits 141 bytes 7025 From To 192 168 211 0 24 192 168 211 0 24 3 pass on interface wm0 hits 5 bytes 399 From To 10 0 0 0 24 10 0 0 0 24 0 0 0 0 0 0 0 0 0 0 4 block on interface wm0 hits 0 bytes 0 From To 10 0 0 0 24 192 168 211 0 24 10 0 0 0 24 0 0 0 0 0 5 pass on interface wm0 hits 4 bytes 756 From To 10 0 0 0 24 any 6 pass on interface wm0 hits 0 bytes 0 From To any 10 0 0 0 24 0 0 0 0 ...

Page 104: ...ernet and to use Equalizer whenever sending packets to clients However in order to do this on a server the administrator would need to statically define which portions of the Internet should use which gateway the router or the Equalizer This can be configured very simply on Equalizer instead eqcli vlan internal subnet net default_route 192 168 211 2 eqcli 12000287 Operation successful This command...

Page 105: ...routing from the internal network IPv4 Rules 1 pass on interface lo0 all hits 0 bytes 0 2 pass on interface wm1 hits 39 bytes 1368 From To 192 168 211 0 24 192 168 211 0 24 3 pass on interface wm0 hits 12 bytes 624 From To 10 0 0 0 24 10 0 0 0 24 0 0 0 0 0 0 0 0 0 0 4 block on interface wm1 hits 0 bytes 0 From To 192 168 211 0 24 192 168 211 0 24 10 0 0 0 24 0 0 0 0 0 5 pass on interface wm1 hits ...

Page 106: ...the first hop gateway on the Equalizer traceroute freebsd traceroute 64 13 152 126 traceroute to 64 13 152 126 64 13 152 126 64 hops max 40 byte packets 1 192 168 211 8 192 168 211 8 0 576 ms 0 799 ms 0 241 ms 2 192 168 211 2 192 168 211 2 0 522 ms 0 547 ms 0 334 ms Equalizer traceroute n 64 13 152 126 traceroute to 64 13 152 126 64 13 152 126 64 hops max 40 byte packets 1 192 168 8 2 1 653 ms 1 3...

Page 107: ...ed range then the packet is modified to use the IP address specified by the out parameter as the source IP The out address specifies that if the source IP address of an outbound packet matches the IP address or IP address range specified by the from parameter then the packet is modified to use this IP address as the source IP eqcli vlan vlan name subnet subnet name nat from ip_cidr out 1 2 3 33 na...

Page 108: ... address to 10 0 0 68 Second we changed the default gateway Source Routing Table 0 0 0 0 00 default via 10 0 0 254 192 168 211 0 24 default via 10 0 0 254 10 0 0 0 24 default via 10 0 0 254 Both networks now use the same default gateway since all traffic will be sent through that router Third we added permit rules for the networks IPv4 Rules 1 pass on interface lo0 all hits 0 bytes 0 2 pass on int...

Page 109: ...ain difference between these rules and those in Dual VLAN Network with 2 Gateways is that because of the new permissions Rules 2 and 3 now include both networks in them meaning that traffic can be sent to either network rather than just one Additionally rule 8 has replaced two separate rules because all traffic coming from the Internet will now enter Equalizer through the wm0 interface This config...

Page 110: ...e switches can maintain a list of all MAC addresses connected to them and to the other switches to which they are connected A set of Layer 2 devices and the systems connected to them form a broadcast domain meaning that all the systems can talk to one another using broadcast packets Conversely broadcast packets are not forwarded beyond the boundaries of the broadcast domain For example if two LANs...

Page 111: ...k Layer Layer 3 and require Layer 3 devices such as routers and firewalls to implement them These Layer 3 devices require separate subnets and themselves emit a significant amount of broadcast traffic What we really want is a way of abstracting the idea of a LAN so that large broadcast domains can be separated into smaller domains without requiring any network rewiring or physical movement of syst...

Page 112: ... connected to that network If you use a router on another configured network with another IP address it will send it out of the interface attached to that address ii If No it sends directly ARP for the address and then send to the MAC address via Ethernet b If No it searches the routes present for the source network that this packet has in most specific to least specific order It determines whethe...

Page 113: ... will send it direct to 10 10 10 2 since it s attached to the 10net b With a route present on the 10net the route wouldn t be used because the source address of the packet is on the 11net c With a route present on the 11net with Destination 10 10 10 24 Route 10 10 10 254 The packet would be sent from the 10net In this example this is not desirable since the packet should take the same pat...

Page 114: ...tch specific port settings required by the server connection For example you could use the switch interface to configure a particular switch port to be 100Mb s and half duplex to accommodate older hardware Supported 10Gb Media Subtypes 10Gb ports are available on Equalizer E670LX and E970LX The following media subtypes are supported 10GbaseLR single mode fiber 10GBase SR 850nm Multi mode 10GBase C...

Page 115: ...t name eqcli show interface ge01 Interface Number ge01 Duplex mode NA Link Speed NA Actual Link Status Link Down Configured Link Status Link Up Maximum MTU 9000 Maximum Speed 1G eqcli Port settings are as follows l Duplex Mode If the port status is Link Up this is the current port duplex setting If the status is Link Down this is either the highest duplex that can be negotiated or the force settin...

Page 116: ...Down if04 NA NA NA Link Down if05 NA NA NA Link Down if06 NA NA NA Link Down if07 NA NA NA Link Down if08 NA NA NA Link Down if09 NA NA NA Link Down if10 NA NA NA Link Down if11 NA NA NA Link Down if12 NA NA NA Link Down The same information for a single port can be displayed by specifying the port name eqcli show interface if01 Interface Number if01 Autonegotiation mode full Duplex mode full Link...

Page 117: ... for the other device and try to match the settings as much as possible on both sides of the connection l Duplex Mode If the port status is Link Up this is the current port duplex setting If the status is Link Down this is either the highest duplex that can be negotiated or the force setting Can be set to full or half l Link Speed If the port status is Link Up this is the current port speed If the...

Page 118: ...qcli interface if01 stats Transmitted Counters packets 314966 bytes 422 multicasts 2 errors 0 collisions 0 Received Counters packets 3669409 bytes 266 multicasts 759068 errors 0 drops 0 unknown protocol 0 eqcli Displaying Port Statistics GUI Refer to Interfaces on page 286 for details on using the GUI for this function ...

Page 119: ...le routes to a host l Allows a source to directly manage network performance by forcing packets to travel over one path to prevent congestion on another Source routing requires careful management by the administrator when building the source address selection and source routing tables to ensure a coherent overall routing strategy For this reason it is often called policy routing since routing beha...

Page 120: ...chose its IP address on the appropriate VLAN to use as the source address in a probe packet If the server is not located on a network that is local to Equalizer then Equalizer will consult the source address selection table to choose a source address and route the packet according to the information in the source routing table Refer to Load Balancing Networking on page 89 for a detailed discussion ...

Page 121: ...lient Client Server No Non Spoof Load Balancing Toward Server Equalizer Server Yes Spoof Load balancing Toward Client 1 Local Destination 2 Remote Destination Cluster Client No Non Spoof Load Balancing Toward Client Cluster Client No Source Destination Specified 1 Equalizer as Router Source Destination No Generated by Equalizer 1 IP Generated by Equalizer Equalizer Destination Yes ...

Page 122: ...server is outside of the local network with a client that is local The packet has a local source IP address The server is not on the local network and therefore needs to be evaluated by the routing table to determine if the destination IP address is within the source routing table block If it does lie within the block it will have a specific routing gateway associated with that block and will be ...

Page 124: ...e packet and is simply sent to the local address on the subnet 2 Remote Destination in this case a packet originating from a cluster and destined for a remote client does have a local source IP address yet the destination is not on a local subnet The packet will be evaluated to see whether the source address destination pairing is identified in a source routing table block if it is not in the rou...

Page 125: ... applicable as the IP address is guaranteed to be local Non Spoof Load Balancing Toward Server This scenario is the same as Spoof Load Balancing Toward Server on page 122 except that in this scenario the source IP address is the load balancer s IP address The routing possibilities are the same as Spoof load balancing except that the remote clients are not applicable as the IP address is guaranteed...

Page 126: ...Specified In this scenario the source and destination are both specified by the client Equalizer will function as a router to send the packet directly to the addresses specified ...

Page 127: ...inging and Equalizer image updates As shown below a packet will be dropped if no source IP address is found As shown below the packet routing will be determined by the default gateway specified in the DSS table ...

Page 128: ...arameters on page 264 Remove a DNS server CLI eqcli no name server ip address GUI See Parameters on page 264 Remove all DNS servers CLI eqcli no name server GUI See Parameters on page 264 Disable DNS CLI eqcli no name server GUI See Parameters on page 264 Display DNS servers CLI eqcli show GUI See Parameters on page 264 1 The IP addresses of the primary secondary and tertiary name servers can be ...

Page 129: ...o clocks is significantly different or there is significant latency for example the two clocks may never be in sufficient agreement to increase the delay towards maxpoll In this case Equalizer will continue to sync approximately every 64 seconds This behavior indicates that a different NTP server should be chosen NTP packets are very small and should not cause any problems with Equalizer or networ...

Page 130: ...use 0 uk pool ntp org 1 uk pool ntp org 2 uk pool ntp org Or for the US you would use 0 us pool ntp org 1 us pool ntp org 2 us pool ntp org Be careful when using country based NTP pool servers since some countries contain a very limited number of time servers In these cases it is best to use a mix of country and continent based pool servers If a country has only one time server then it is recommen...

Page 131: ... GUI Click Hostname Maintenance NTP Enter an NTP Server or pool name Click Commit Remove the NTP server CLI eqcli no ntp server GUI Not implemented Disable NTP CLI eqcli ntp disable GUI Not implemented Enable NTP CLI eqcli ntp enable GUI Not implemented Display NTP server CLI eqcli show GUI Not implemented ...

Page 132: ...ormation Rules include IP Filter Rules on page 134 which govern the IP traffic flow into and out of the system and includes IPv4 or IPv6 Rules and IP NAT Rules on page 137 which are processed when a packet is exiting the system All of this information can be viewed on the same CLI output by entering the following ...

Page 133: ...e below is a truncated example of the show sbr command display showing the Source Routing Table display only In the example above traffic that is sourced from all local networks is sent through the 10 0 0 254 gateway unless it is destined for the 192 168 105 0 24 destination network Because the default gateway for the 192 168 211 0 24 local network is on the 10 0 0 24 local network there is an out...

Page 134: ...n interface wm1 hits 0 bytes 0 From To 192 168 211 0 24 192 168 211 0 24 192 168 105 0 24 10 0 0 0 24 0 0 0 0 0 The example above shows each filter rule along with the groups of networks that the rule applies to and the number of times each rule has been used and bytes that have been received using this rule Each column of From and To addresses can be viewed as an or group For example rule 3 can b...

Page 135: ...hese rules that may be used for troubleshooting or diagnostic purposes Disabling the firewall turns off all system packet filtering Any subnet permit deny rules are ignored and all traffic will be routed between subnets l If you use the GUI you will note that if you disable these rules and you navigate to System Network VLANs any subnet Permitted Subnets the following message will be displayed in ...

Page 136: ...k on Commit to save the change Verify that the rules have been disabled by checking the subnets as shown above and verify that the disabled message appears Note This is not related to the IP Reputation Refer to IP Reputation on page 247 filtering or any white blacklists that may exist as part of that configuration Equalizers in Failover Configuration When the configuration between failover peers s...

Page 137: ...68 211 0 24 10 0 0 68 32 proxy port ftp ftp tcp map wm0 192 168 211 0 24 10 0 0 68 32 portmap tcp udp auto map wm0 192 168 211 0 24 10 0 0 68 32 map wm0 192 168 105 0 24 10 0 0 68 32 proxy port ftp ftp tcp map wm0 192 168 105 0 24 10 0 0 68 32 portmap tcp udp auto map wm0 192 168 105 0 24 10 0 0 68 32 List of active sessions Three rules are added for each outbound NAT mapping In this example there...

Page 138: ...cli command show sbr that displays the output of these tools There are other ways to view the same information in eqcli however the show sbr command displays the actual running state of the system whereas commands such as show vlan X subnet Y show the configuration information and not necessarily the running data if there is a problem ...

Page 139: ...d Commands 153 Context Help 155 Global Parameters 156 Show Configuration Command 157 Debug Commands 159 Context Command Summaries 162 Global Commands 163 Certificate Commands 166 Certificate Revocation List Commands 168 Cluster and Match Rule Commands 169 Diagnostic Commands 177 External Services Commands 178 Failover Commands 180 Firewall Commands 181 GeoCluster and GeoSite Instance Commands 182 ...

Page 140: ...er Instance Commands 202 Server Side Encryption Commands 210 Smart Control Commands 211 SNMP Commands 213 Tunnel Commands 215 User Commands 216 VLAN and Subnet Commands 223 ...

Page 141: ...zer s front panel serial port and to a properly configured terminal or terminal emulator as described in Quick Start on page 58 2 Press the Enter key to display the login prompt Equalizer EQ OS 10 Username 3 Log in using an Equalizer user name and password If this is the first time you are logging in use the default administrative user name and password as shown below Username touch Password touc...

Page 142: ...command line below ssh eqadmin 172 16 0 200 3 Upon successful SSH login Equalizer displays the Username prompt Enter an Equalizer login such as the default login touch Username touch 4 Enter the password for the user name specified in the previous step Password touch 1 If the user name and password is correct Equalizer responds with Login successful EQ OS 10 Copyright 2014 Fortinet Inc Welcome to ...

Page 143: ...s l Enter quit to exit and discard all queued changes If you are in a lower context repeatedly enter one of the above commands as appropriate until you exit the CLI Once you exit the CLI the login prompt is displayed ...

Page 144: ... you start the CLI the command prompt looks like this eqcli This indicates that you are in the global context all commands available in the CLI for all objects can be executed from this context and you can also set parameters for global services such as NTP DNS etc You can also change to other contexts whose scope is limited to a specific object For example you can enter the cluster specific conte...

Page 145: ...ers If you then type in the name of one of the existing servers while in the server context you will enter the server specific context for that existing server the prompt changes to eqcli sv server_name to indicate that you are in the server specific context for the server with the name server_name You could also do this directly from the global context by typing eqcli show server eqcli sv server_...

Page 146: ...sign a server to a server pool you create a server instance of that server in the server pool The server instance definition specifies operating parameters for the real server that are effective only within that server pool This allows you the flexibility to associate a single physical server with multiple server pools and set different server instance options within each server pool A server pool...

Page 147: ...all objects are explained in Context Command Summaries on page 162 Command Line Editing Use the key sequences below to edit the current command line ctrl a ctrl e Move the cursor to the beginning of the line Move the cursor to the end of the line ctrl b ctrl f Move the cursor one character to the left Move the cursor one character to the right esc b esc f Move the cursor one word to the left also ...

Page 148: ...ted in the interface is increased by using short names that use as many unique characters at the beginning of the name as possible Using White Space in a Command Line The CLI uses white space i e one or more tab or space characters as a delimiter between command line elements To include spaces within a command line element such as a string a list of objects or multiple flags the entire element mus...

Page 149: ...gate operator the exclamation point character Negates turns off the option that immediately follows it No spaces are allowed between the negation operator and the option that follows For example the following command disables the hot_spare option and quiesce options eqcli srvpool sp01 si sv01 flags hot_spare quiesce A flag can be enabled and disabled in the object specific context or from any high...

Page 150: ...of the command line for you followed by a space eqcli certificate space This also works with multiple keywords on the same command line So for example you can type the following eqcli sh space cl space And the CLI will expand this to eqcli show space cluster space If the string that you type before pressing space or tab does not uniquely identify a command then the CLI displays a list of all the c...

Page 151: ...uld enter eqcli srvpool sp01 si sv01 sv02 eqcli sp sp01 si sv01 When you enter multiple server instances as in the command above eqcli enters a special combined context that applies commands to all of the specified objects For example after entering the example command above eqcli enters the sv01 sv02 context and the CLI prompt changes to include the first four letters of the combined context sv01...

Page 152: ... and subnets you can use the no form at either the global context or in the lower object specific context eqcli no cluster cl00 match ma00 eqcli cluster cl00 eqcli cl cl00 no match ma00 For parameters the no form requires the complete command used to set the parameter minus the argument setting the value So for example to reset the value of the resp responder parameter on match rule ma00 in cluste...

Page 153: ...of the object argument of the incomplete command An incomplete command is one that does not include one or more parameters required to add or modify the object For example if the server sv01 does not exist entering the following server command in the global context queues the command and leaves eqcli in the relevant context an explicit commit is needed to create the server eqcli server sv01 proto tcp ...

Page 154: ...hange the current context l quit Discards all queued commands and changes to the next highest context in the hierarchy if executed in the global context this command exits eqcli Note that the following commands always take effect immediately and do not change the current command context l A command that sets a global parameter see Global Commands l The no form of a command see Using the no Form of...

Page 155: ... type the complete name of a command that is valid in the current context and type context help for that command is displayed For example eqcli cluster cl01 eqcli cl cl01 clientto clientto Set the client timeout for this cluster Syntax cluster cluster name clientto value Warning Only valid for proto http or https l If you type a partial command name and type If there is only one command that match...

Page 156: ... on Equalizer Refer to Global Commands on page 163 for descriptions of each parameter eqcli show Variable Value icmp_interval 15 icmp_maxtries 3 hostname NAME date Mon Jun 17 18 15 40 UTC 2013 timezone UTC locale en global services http https ssh snmp Envoy Envoy_agent name servers None ntp server pool ntp org Unavailable name server undefined syslog server None extended audit Enabled GUI logo For...

Page 157: ...nce 0 last_refresh_date support_email support_enddate hw_support_level fw_support_enddate fw_support_level en_support_enddate en_support_level ntp sequence 0 enable true server pool ntp org syslog sequence 0 enable false server alerts sequence 0 enable true services sequence 0 http true https true ssh true snmp true envoy true envoy_agent true fo_http true fo_https true fo_ssh true ...

Page 158: ...Working in the CLI fo_snmp true fo_envoy true fo_envoy_agent true ...

Page 159: ...onfig Reset the configuration to factory defaults debug reset for support Reset the configuration to factory defaults Keeps core files and files that are currently in the file store A backup file is also generated and stored in the file store debug reset keep license Reset the configuration to factory defaults and retain the license data in the configuration debug reset passwd Reset the touch use...

Page 160: ...bove error message contact technical support Resetting the Configuration This command resets Equalizer configuration to a factory installed condition All VLANs subnets clusters servers SSL certificates and other user supplied objects and settings will be removed After the configuration has been reset the system will be rebooted 1 Enter CTRL C when prompted for a username This will enter the debug ...

Page 161: ...ay be removed if necessary 1 Enter CTRL C when prompted for a username This will enter the debug mode 2 Enter the following eqcli hidden reset keep filestore WARNING This command resets the Equalizer configuration to a factory installed condition All VLANs subnets clusters servers SSL certificates and other user supplied objects and settings will be removed After the configuration has been reset t...

Page 162: ...he command line option option A series of elements in braces separated by commas means you may chose more than one of the options between the braces Separate multiple options on the command line using either commas or vertical bars If you use white space in the string of options the entire string must be surrounded by quotes The braces are not typed on the command line option Square brackets indic...

Page 163: ...t eqcli crl Add or modify a Certificate Revocation List CRL eqcli date Set the system time eqcli diags Run the system utilities commands in the diags context eqcli edit filename Edit a file in the datastore eqcli ext_services Add or modify a mail server in the ext_services context eqcli exit Commit all pending configuration changes and exit eqcli eqcli extended_audit Enable or disable extended au...

Page 164: ...r Add a DNS name server entry One IP address can be specified on the command line A total of 3 IP addresses can be added DNS is enabled as long as there is one entry in the list primary Add a primary name server secondary Add a secondary name server tertiary Add a tertiary name server eqcli no Reset a parameter or delete an object eqcli ntp Enable or disable NTP without changing the NTP configurat...

Page 165: ... vlan or the configuration of a specific object eqcli smart_control name parameter Add or modify a Smart Control eqcli snmp Add SNMP parameters eqcli srvpool Add or modify a server pool eqcli stats Display global statistics eqcli syslog Enable or disable remote logging eqcli syslog server Set the syslog server IP address eqcli timezone Set the system timezone eqcli traceroute Trace the network pa...

Page 166: ...red to authenticate the cluster to the client and to decrypt the client request these are also called server certificates For cluster certificates both a certificate file and a private key file must be uploaded to Equalizer l A cluster may also be configured to ask for or require a client certificate a certificate used to authenticate the client to Equalizer For client certificates only a certif...

Page 167: ... Display the certificate configuration The arguments to the certfile and keyfile commands are edit Launch an editor to supply the content of the certificate or key file url Download the certificate or key file from the ftp or http protocol URL supplied on the command line ...

Page 168: ...used to generate a client certificate presented when connecting to the cluster an error occurs The CRL and client certificate must be signed by the same CA Using CRL Commands in the Global Context eqcli certificate certname cmd Create certname req_cmds commands below eqcli certificate certname cmd Modify certname cmd any commands below eqcli no certificate certname Delete certname eqcli show cer...

Page 169: ...name context see below Using Cluster Commands in a Cluster Specific Context For all Clusters eqcli cl clname ip ip_addr Cluster IP address eqcli cl clname proto http https tcp udp Protocol MUST SET proto FIRST eqcli cl clname port integer Cluster port eqcli cl clname show Show the cluster configuration eqcli cl clname stats Display cluster statistics For Layer 7 Clusters eqcli cl clname age integ...

Page 170: ...535 eqcli cl clname match maname Change to the maname match context eqcli cl clname match cmds Execute match commands eqcli cl clname no match maname Delete match maname eqcli cl clname no age clientto connto custhdr domain gen path resp scheme serverto srvpool Reset the specified parameter eqcli cl clname path string Cookie path eqcli cl clname range Set the cluster port range eqcli cl clname r...

Page 171: ...l clname valdepth Set validation depth for cluster eqcli cl clname preferred_peer Set the preferred peer eqcli cl clname persist type none source_ip Coyote_cookie_0 Coyote_cookie_1 Coyote_cookie_2 Set the persist type For Layer 7 TCP Clusters proto tcp eqcli cl clname flags disable spoof delayed_binding abort_server ics eqcli cl clname stickyto Set the sticky timeout for a cluster eqcli cl clname ...

Page 172: ...Context eqcli cluster clname match maname req_cmds Create maname req_cmds commands below eqcli cluster clname match maname cmd Modify maname cmds any commands below eqcli no cluster clname match maname Delete match rule maname eqcli show cluster clname Display all match rules or maname eqcli cluster clname match maname Change context to a match rule context Using Match Rule Commands in a Match Ru...

Page 173: ...e stats Display statistics Cluster and Match Rule Command Notes l When creating a cluster the list of available parameters depends on the protocol selected for the cluster As a result the proto parameter must be specified before any other cluster parameters on the command line l Layer 7 clusters can have one or more match rules that override the options set on the cluster when the expression speci...

Page 174: ...nsert a cookie in server responses if the server did not spoof Use the client IP as source IP in packets sent to servers tcp_mux Enables TCP multiplexing for a cluster TCP multiplexing must also be enabled on at least one server instance in the server pool assigned to the cluster or one of its match rules See the section https only allow_sslv2 Enable SSLv2 for client connections allow_sslv3 Enable...

Page 175: ...s10 This option enables and disables support for the TLSv1.0 protocol Enabled by default If multiple TLS versions are enabled the first supported TLS version negotiated by a client will be used allow_tls11 This option enables and disables support for the TLSv1.1 protocol Disabled by default If multiple TLS versions are enabled the first supported TLS version negotiated by a client will be used all...

Page 176: ...led the default a client certificate presented to Equalizer that has a CRL Distribution Point extension will be processed and the CRL critical extension will be ignored Note however that if other extensions are present in a client certificate they are not ignored and will cause the client certificate to be rejected by Equalizer strict_crl_chain Check the validity of all certificates in a certifica...

Page 177: ...he global context eqcli diags ifconfig Display the state of all interfaces eqcli diags netstat Display the network status information eqcli diags ps Display the information about all the processes eqcli diags quit Discard all pending configuration changes and change to the global context eqcli diags top Display the top processes on the system eqcli diags tcpdump Save the description of the content...

Page 178: ...play a list of SMTP Relay mail servers or detail for the specified SMTP Relay mail server eqcli xs smtp_relay name Add or modify a SMTP Relay mail server eqcli xs no vlb_manager name Delete the specified VLB Manager eqcli xs show vlb_manager name Display a list of VLB Managers eqcli xs vlb_manager name Add or modify a VLB Manager Using SMTP Relay Commands in SMTP Relay Context eqcli xs smtp smtpn...

Page 179: ...user eqcli xs vlb vlbmgrname timeout Set number of elapsed seconds for connection timeout eqcli xs vlb vlbmgrname url Set the URL used to connect to the VLB Manager eqcli xs vlb vlbmgrname username Set the user name for authenticating a user ...

Page 180: ...subnet vlan name subnetname Set the designated vlan subnet as the command subnet eqcli exit Commit all pending alert configuration changes and exit to the user context eqcli rebalance Rebalance clusters among failover group members Each cluster will be re started on its preferred peer eqcli quit Discard all pending alert configuration changes and exit to the user context eqcli show failover Displ...

Page 181: ...nges and change to the global context eqcli firewall quit Discard all pending configuration changes and change to the global context eqcli firewall show Show firewall configuration Firewall Commands in Firewall Context eqcli fw commit Commit all pending configuration changes and do not change context eqcli fw context Display the current command context eqcli fw disable Disable system firewall eqcl...

Page 182: ...mds Create geocluster see below for cmds eqcli geocluster gcname cmds Modify geocluster see below for cmds eqcli no geocluster gcname Delete geocluster eqcli show geocluster Display geocluster summary eqcli show geocluster gcname Display geocluster details eqcli geocluster gcname Change context to gcl gcname GeoCluster Context Commands eqcli gcl gclname flags icmp geocluster flags eqcli gcl gclnam...

Page 183: ...ay geosite instance summary eqcli show geocluster gclname gsi Display geosite instance details eqcli cluster clname match maname Change to geosite instance context Geosite Instance Context Commands eqcli gcl gclname gsi gsiname load_weight GeoSite Instance weight 0 200 eqcli gcl gclname gsi gsiname flags default disable hot_spare preferred GeoCluster flags can be either icmp enable ICMP triangulat...

Page 184: ...ny site when the resource cluster is down at all available sites etc If no default GeoSite instance is selected for a GeoCluster and all GeoSites are down then Envoy sends a null response to the client DNS disabled When enabled this GeoSite instance will not be selected as a response to a DNS query hot_spare When enabled indicates that this GeoSite instance will be selected only when no other site...

Page 185: ...eoSite address max 1 IPv4 and 1 IPv6 eqcli gs gsname agent addr IP address of Envoy site eqcli gs gsname resource clname Cluster name at GeoSite GeoSite Commands in the GeoSite Context eqcli gs gsname agent addr Set the agent IP address for a GeoSite eqcli gs gsname commit Commit all pending GeoSite configuration changes and do not change context eqcli gs gsname context Display the current comman...

Page 186: ...e eqcli gs gsname type remote local Set the type for this geosite GeoSite agent is located on a remote machine GeoSite agent is located on this local machine GeoSite Resource Commands in the GeoSite Resource Context eqcli gs gsname rsrc resource name healthchk Attach one or more health checks to this resource ...

Page 187: ...t IRDB eqcli reputation pass category IP list Set a category or list of IPs to pass eqcli show reputation blacklist whitelist blacklist List all IPs in blacklist category List all the categories whitelist List all IPs in whitelist Display the category or list of IPs in the selected list eqcli reputation stats blacklist whitelist category blacklist List all IPs in blacklist whitelist List all IPs i...

Page 188: ...nd status enter eqcli show interface The name of each port is displayed along with the port s current autonegotiation duplex speed and link status Using Interface Commands in the Global Context eqcli interface port cmds eqcli show interface eqcli show interface port eqcli interface port Port Context Commands eqcli if port autonegotiation force full select eqcli if port duplex full half eqcli if po...

Page 189: ... transmit buffer collision detection These packets are not transmitted by the port Total transmitted octets The total number of bytes 8 bits transmitted by this port Receive Counters Number of good and bad packets The total number of packets received good or bad by this port Number of good broadcasts and multicasts The total number of good broadcast multicast e g ARP packets received on this port ...

Page 190: ...e Receive Counters Packets The total number of packets received on this interface bytes The total number of bytes received on this interface multicasts The total number of good broadcast multicast e g ARP packets received on this interface errors The total number of bad packets e g CRC errors alignment errors received on this interface drops The total number of packets that were dropped e g lack o...

Page 191: ...r Add or modify an AGR or interface instance eqcli show agr Display a list of AGRs or interface instances eqcli show agr name Display details for the specified AGR or interface instance Using Link Aggregation Commands in an Interface Instance Context eqcli agr name flags lacp eqcli agr name ifi Change to the command context for the specified interface instance ...

Page 192: ...ame eqcli llb gwllb gw name Change to the llb gateway name context eqcli llb gw llb gw commands Modify the llb gateway eqcli no llb gw llb gw name Delete llb gw name eqcli show llb gw llb gw name Display all llb gateways or llb gw name LLB Specific Context Commands Inbound LLB Group Context Commands eqcli illb grp illbgrpname flags enable disable Set illb group flags eqcli illb grp illbgrpname fqd...

Page 193: ...p configuration LLB Gateway Context Commands eqcli llb gw gwname flags enable disable Set llb gateway flags eqcli llb gw gwname gw hcobjects Set the llb gateway health_check(s) This is a comma delimited list of health_check objects eqcli llb gw gwname no Reset an llb gateway parameter to its default value eqcli llb gw gwname show Display the llb gateway configuration eqcli llb gw gwname weightva...

Page 194: ...ed can create modify or delete object lists l The type argument must be one of the following object types cert cluster crl geocluster geo site port responder server srvpool subnet or vlan l The object argument must be the name of an existing object of the specified type Object list names and the keyword all are not allowed l The no form of the objlist command is immediately executed no commit is r...

Page 195: ...e P P preferred_primary xfr fo_config_xfer eqcli show peer eq_880A4D0B5C94A611CB927D44BED75F20C7BE7D8C Peer Name eq_880A4D0B5C94A611CB927D44BED75F20C7BE7D8C Peer signature 1RBC880A4D0B5C94A611CB927D44BED75F20C7BE7D8CAC100602 Peer sysid 880A4D0B5C94A611CB927D44BED75F20C7BE7D8C Receive Timeout 2 Connect Timeout 1 Probe Interval 2 Retry Interval 5 Strike Count 3 Flags fo_config_xfer local OS 8 Intern...

Page 196: ...s failover fo_config_xfer os8 preferred_primary active active use_ssl Set peer flags see below eqcli peer peer hb_interval Set the Failover heartbeat interval seconds eqcli peer peer ipstate Only valid for local Peer Displays peer IP states eqcli peer peer os8_intip V8 5 Equalizer Internal IP address eqcli peer peer name Display object list eqcli peer peer recv_timeout Set the Failover receive tim...

Page 197: ...fer between peers os8 Defines peer as OS8 peer Preferred_primary Sets peer as preferred primary active active Enable active active failover mode See Understanding Failover on page 532 for a complete failover setup procedure ...

Page 198: ...ertificate to use eqcli remote mgmt cipherspec cipher spec Set the cipherspec to use eqcli remote mgmt protocol protocol sslv3 tls10 tls11 tls12 Set the allowed SSL TLS protocols NOTE The protocol specification must be enclosed by double quotes if there are any spaces Remote Management Commands in Remote Management Context eqcli rm show Display the remote management options eqcli rm no remotemgmto...

Page 199: ...ge to the rsp rname context see below Using Responder Commands in a Responder Specific Context eqcli rsp rname stats Display responder statistics eqcli rsp rname type sorry redirect R MUST SET type FIRST type redirect eqcli rsp rname regex expr Set redirect regular expression eqcli rsp rname statcode 301 302 303 307 Set redirect status code eqcli rsp rname statdesc desc Set redirect status descri...

Page 200: ...pserver redirect html The contents of the file redirect html will be used as the redirect URL for the responder The html parameter can be specified on the command line as follows html edit Launch an editor to supply the HTML for the sorry page url Download the redirect URL from the ftp or http protocol URL supplied on the command line quotes are optional Regular Expressions in Redirect Responders ...

Page 201: ...t value eqcli sv svname proto tcp udp Server protocol eqcli sv svname port integer Server port eqcli sv svname show Show server configuration eqcli sv svname stats Display server statistics eqcli sv svname flags probe_l3 Server flags eqcli sv svname max_reuse_conn integer Maximum number of connections to this server eqcli sv svname reuse_conn_to integer Timeout for connection re use eqcli sv svanm...

Page 202: ...ge to the sp spname context see below Using Server Pool Commands in a Server Pool Specific Context eqcli sp spname acvq string Set the ACV query string eqcli sp spname acvr string Set the ACV response string eqcli sp spname custom_actconn percent Custom LB policy active connections percentage eqcli sp spname custom_delay percent Custom LB policy server delay percentage eqcli sp spname no acvq acv...

Page 203: ... hcname healthy value Set the healthy value for the server instance healthy is a floating point value eqcli sp spname hc hcname loaded value Set the loaded value for the server instance loaded is a floating point value eqcli sp spname hc hcname no Delete a health_check or reset a health_check parameter to its default value eqcli sp spname hc hcname probe_port port Set the port number for probing ...

Page 204: ...xt eqcli srvpool spname si siname req_cmds Create siname req_cmds commands below eqcli srvpool spname si siname cmds Modify siname cmds any commands below eqcli no srvpool spname si siname Delete siname eqcli show srvpool spname si siname Display all server instances or siname eqcli srvpool spname si siname Change to a server instance context Using Server Instance Commands in a Server Instance Sp...

Page 205: ...in a Server Instance Specific Context eqcli sp spname si siname weight integer Set the server instance weight to ...

Page 206: ...yer 4 TCP and ACV probes for this server By default this flag is enabled strict_maxconn This flag allows you to customize the behavior of the max connections parameter Using Health Check Instance Commands in a Server Instance Specific Context eqcli sp spname si siname hci hciname flags require_response eqcli sp spname si siname hci hciname vlb_param Set the VLB Parameter for health check instance ...

Page 207: ... the cluster Load Balancing Policy Description round robin round robin load balancing distributes requests on the server pool in the cluster Equalizer dispatches the first incoming request to the first server the second to the second server and so on When Equalizer reaches the last server it repeats the cycle If a server in the cluster is down Equalizer does not send requests to that server This i...

Page 208: ...h of these have less of an influence than they do under the adaptive load balancing policy For example if a server s active connection count and server agent values are high Equalizer might not dispatch new requests to that server even if that server s response time is the fastest in the cluster least connections least connections load balancing dispatches the highest perc...

Page 209: ...formance can suffer On the other hand if Equalizer does not adjust weights often enough server overloads might not be compensated for quickly enough and cluster wide performance can suffer Aggressive Load Balancing After you fine tune the initial weights of each server in the cluster you might discover that Equalizer is not adjusting the dynamic weights of the servers at all the dynamic weights ar...

Page 210: ...al Context eqcli show sse Display the sse configuration eqcli sse cipherspec cipherstring Set the sse cipherspec eqcli no sse Reset one or more sse parameters eqcli sse flags allow_tls10 allow_tls11 allow_tls12 Set the sse flags ...

Page 211: ...rols will be displayed Using Smart Control Commands in the Global Context eqcli smart_controls name eqcli show smart_controls name eqcli no smart_controls name eqcli show smart_controls Smart Control Context Commands eqcli sc scname flags disable Set Smart Control flags eqcli sc scname interval seconds Set the Smart Control interval ...

Page 212: ... White space or is a column break and consecutive white spaces are treated as one Fields which are an asterisk are skipped Day names Mon Tue Wed Thu Fri Sat Sun Month names Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec Note The schedule string must be enclosed in quotes i e 0 30 Mon would be translated as Every Monday run this every 30 seconds eqcli sc scname script mode edit URL edit invokes a...

Page 213: ... respond on a particular IP address enter the address serverport 162 This is optional If not entered the default trap server port 162 will be used The following tables list the SNMP context commands Using SNMP Commands in the Global Context eqcli no snmp cmd Reset the specified parameter to its default value eqcli show snmp Display SNMP parameter settings eqcli snmp Change to the snmp context see ...

Page 214: ... show Display SNMP parameter configuration Downloading Equalizer MIB Files The MIB files can be downloaded from Equalizer using a browser pointed at http Equalizer eqmanual mibname my ...

Page 215: ...cli no tunnel tname Delete tunnel tname eqcli show tunnel tname Display all tunnels or a specific tunnel eqcli tunnel tname Change to a tunnel context see below Tunnel Context Commands eqcli tl tname local_address ipv6_addr Local IPv6 address from broker eqcli tl tname local_endpoint ipv4_addr Local IPv4 address eqcli tl tname remote_address ipv6_addr Remote IPv6 address from broker eqcli tl tname...

Page 216: ...lobal settings eqcli user uname no duration Set default duration 0 eqcli user uname no permit_object perm type object Remove permission on object eqcli user uname no permit_objlist perm type objlist Remove perm from objlist eqcli user uname password Change user password eqcli user uname permit_object perm type object Add permission on object eqcli user uname locale en To set English locale ja To s...

Page 217: ...on figuration for which this alert definition is to be applied The fully qualified object name is a semicolon delimited list describing the object hierarchy For example to set an alert for vlan vl01 subnet sn00 the user would specify object vl01 sn00 and the object_type would be subnet For another example to set an alert for peer eq A F O Group fo_group1 the user would specify object eq A fo_gr...

Page 218: ...sable eqcli user uname alertname subject user string Set the subject User string is any up to 256 characters the user wishes to enter It must be surrounded by quotes if it has embedded blanks Its usage depends upon the notify_type eqcli user uname alertname to to email addresses Set the email address es Email addresses are email1 e mail2 emailx where email user domain User Alert Notify Type Flags ...

Page 219: ...u can set the locale for Equalizer to either English or Japanese 2 available options at this time The default locale is en for English For English enter the following eqcli user uname locale en For Japanese enter the following eqcli user uname locale ja Creating a User When a user name is created l A default user i e touch is assigned a duration of 0 seconds When additional users are created the d...

Page 220: ...he user access permissions on all objects of a particular type as listed in the object list specified on the command line Note The permit_object and permit_objlist commands can be used only on existing user logins must be entered one at a time on a line by themselves with no other user context commands on the command line So for example you cannot modify a user s duration parameter and in the sam...

Page 221: ... objects in an object list are as follows l perm One or more of the following permissions read write delete Multiple permissions must be separated by commas If spaces are included the entire list of permissions must be enclosed in quotes l type One of the following object types cert cluster crl geocluster geosite port server srvpool subnet user vlan l objlist_name The name of an existing object ...

Page 222: ...creating objects of the specified type An entry for the created object is placed in the object list Objects created in this manner will be visible to other users who have permission to use this object list For example the following command executed in the global context allows user1 to create servers that other non admin users cannot access eqcli user user1 permit_objlist create server default Th...

Page 223: ...ubnet specific command eqcli vl vlname mtu mtuvalue Set the vlan MTU eqcli vl vlname vid integer Set VLAN ID Value between 1 and 4094 VLAN Commands in the ifi Context eqcli vl vlname ifi ifiname type Set the interface instance vlan type tagged untagged eqcli vl vlname ifi ifiname show Display the ifi configuration Using Subnet Commands in the Global Context eqcli vlan vlname subnet subname req_cm...

Page 224: ...qcli vl vlname sn subname outip_addr Set NAT out IP eqcli vl vlname sn subname permit Set the list of permitted subnets on a subnet eqcli vl vlname sn subname route Add or modify a subnet route eqcli vl vlname sn subname services http https ssh snmp envoy envoy_agent fo_http fo_https fo_ssh fo_snmp fo_envoy fo_envoy_agent Subnet Services see below eqcli vl vlname sn subname show Display subnet eq...

Page 225: ...ss on the subnet as the source IP The global Envoy Agent service must also be enabled fo_http When enabled the Equalizer will listen for HTTP connections on Equalizer s Failover IP address if configured on the subnet The global HTTP GUI service must also be enabled fo_https When enabled the Equalizer will listen for HTTPS connections on Equalizer s Failover IP address if configured on the subnet...

Page 226: ...address via HTTP and or HTTPS and SSH login on the VLAN IP can be enabled as well It is not required that any of these services be enabled on any VLAN If services are enabled on the VLAN they must also be enabled in the global context in order to be functional on the VLAN See the services command in Global Commands on page 163 Routing Between VLANs By default packets are not routed between VLANs I...

Page 227: ...ou only want to route packets to vlan1 from ports configured for vlan2 if they originated on subnet sn03 To accomplish this you ll need to specifically add that VLAN subnet combination to the permitted VLAN list for vlan2 eqcli vlan vlan2 subnet sn03 permit vlan1 Source IP Address for Outbound Packets When Equalizer originates connections to other hosts for example when Equalizer sends out probes ...

Page 229: ...r include Logging In 230 Navigating Through the Interface 231 Entering Names for Load Balancing Objects 235 Using the WebHelp 236 ...

Page 230: ... s address bar http Equalizer_IP_address https Load Balancer_IP_address Substitute the load balancer s IP address on a VLAN subnet that is enabled for HTTP or HTTPS as appropriate Equalizer displays the login screen 2 Enter an existing login as well as the login password and click Login The System configuration tab on the left pane will be expanded and the Dashboard screen will be displayed 2...

Page 231: ...ntrol and SNMP configuration displays on the right pane l Clicking on the arrow u next to External Services expands the branch and provides access to SMTP Relay and VLB Manager configuration displays on the right pane l Clicking on the arrow u next to Maintenance expands the branch and provides access to system Date Time Backup Restore Licensing Manage Software upgrade and system Tools displays...

Page 232: ...of the configured server pools and their status Clicking the plus sign next to a server pool name opens a list of the currently defined server pools and status l Clicking on the arrow u expands the branch to display all configured server pools Click on each server pool and the configuration displays are available on the right pane l Clicking on the arrow u for each Server Pool expands the branch t...

Page 233: ...anch to display all of the defined GeoSite Instances for the GeoCluster l Right clicking on each defined GeoCluster displays the Add GeoSite Instance command Geosites l Clicking on the arrow u expands this branch to display all of the configured GeoSites l Clicking on each GeoSite displays the GeoSite Configuration screen on the right pane l Clicking on the arrow u beside each GeoSite expands this...

Page 234: ...he Help that corresponds to the screen currently displayed in the right frame About Opens the Welcome screen also displayed when you first log into the GUI Management Tabs Dialogue Area The right hand side of the GUI initially displays the Welcome screen however it is designed to display all configuration management and dialogue associated with the objects in the left navigational pane Click on an...

Page 235: ...aracters used in names are limited to standard ASCII letters A through Z and a through z numbers 0 through 9 and the characters period dash and _ underscore l The first character in a name must be a letter l Names can be at most 47 characters long l The readability of lists presented in the interface is increased by using short names that use as many unique characters at the beginning of the name ...

Page 236: ...dcrumb Trail Displays a trail of breadcrumbs composed of the table of contents Table of Contents entries above the current topic in the Table of Contents hierarchy Search Open Topic This text entry box is where you can enter a search term to search the open topic for specific details Click on after you have entered a search term Toolbar The toolbar contains buttons for quick navigation display opt...

Page 237: ...configuration tab to open a Search pane Enter a term in the at the top of the pane and click on Search A list of results from the entire WebHelp system will be displayed Click on each item in the list to navigate to the applicable topic in the WebHelp All of the found terms will be highlighted ...

Page 239: ... Control 267 SNMP 268 External Services 272 SMTP Relay 272 VLB Manager 273 Maintenance 275 Setting Date and Time 275 Backup and Restore 276 Manage Software 282 Tools 283 Network Configuration 286 Interfaces 286 Link Aggregation 291 Configuring VLANs 297 IPv6 Tunnel Overview 309 Failover 312 ...

Page 240: ...meters that can be viewed added modified on this branch include 1 Dashboard 2 Alerts Configuration 3 Certificates 4 CRL 5 IP Reputation 6 Global Parameters 7 Server Side Encryption 8 Smart Control 9 SNMP When you select each item a different displayed will be visible in the right frame of the GUI Refer to Global Parameters on page 156 and Global Commands on page 163 for Global Parameter details us...

Page 241: ...om the display if desired By default all of the widgets are expanded Click on q in the upper right corner of each tab to expand or collapse the tab Click on the X to remove the tab from the Dashboard Virtual Server Summary Displays a summary of the configured servers on the appliance as well as their availability and the associated server pools Event Log Console Displays events for each element con...

Page 242: ...number of lines hidden show log dbg reverse lines number of lines Note You cannot enter into sub contexts from this widget Only global context is available Commands must be entered in a single line License Information Displays Firmware Version used the System Type you are using the Serial Number of the appliance and specific features on the appliance such as Software based SSL or hardware based SS...

Page 243: ...authenticate the cluster to the client and to decrypt the client request these are also called server certificates For cluster certificates both a certificate file and a private key file must be uploaded to Equalizer l A cluster may also be configured to ask for or require a client certificate a certificate used to authenticate the client to Equalizer For client certificates only a certificate f...

Page 244: ... locally stored CertificateFile Repeat the same for adding a locally stored Key File 4 Click on Commit to save the upload the new Certificate File and Key File To install an SSL Certificate using the CLI Refer to Certificate Commands on page 166 for Certificate commands ...

Page 245: ... many clusters as required If a CRL attached to a cluster was generated by a Certificate Authority CA different from the CA used to generate a client certificate presented when connecting to the cluster an error will occur The CRL and client certificate must be signed by the same CA Installing a Certificate Revocation List CRL Installed CRLs will be displayed in an accordion style list Click on ea...

Page 246: ...firmation screen will appear as follows Click on Commit if the CRL is the one you would like to upload to Equalizer The CRL file will be uploaded to Equalizer and will appear on the Global CRL screen as shown above Proceed with the following to install a CRL using the CLI Refer to Certificate Revocation List Commands on page 168 for details on using the CLI ...

Page 247: ...before they target your servers Data about dangerous clients is derived from many sources around the globe This data is compiled into Fortinet s IP Reputation Database IRDB which consists of the IP addresses of suspect clients Clients are identified and tagged with poor reputations and included in the IRDB if they have been participating in attacks willingly or otherwise Configuring IP Reputation ...

Page 248: ... with the following Note The IP Reputation object on the Global branch of the left navigational pane will not be visible if using Equalizer E250GX E350GX E450GX or E650GX In addition the System Information pane on the GUI Dashboard will not display IP Reputation Database information 1 Click on the System configuration tab on the left navigational pane 2 Expand the Global tree Select IP Reputation ...

Page 249: ... regularly In order to download the IRDB database verify that IRIS Service IP Reputation Intelligence Service has been enabled for your registered product on the Fortinet Support site This will appear in the Product Entitlements section of the product page Manual Download Note Your appliance must have internet access to download the IRDB database You will need to download the IRDB database before ...

Page 250: ...rnet access to the Fortinet Support page so that you can download a file and place the downloaded file containing the IRDB on a host from which your appliance can connect via FTP Direct download of the IRDB database using the CLI Enter the following in the CLI eqcli reputation fetch eqcli 12000287 Operation successful Direct download of the IRDB database using the GUI 1 On the left navigational pa...

Page 251: ...ave a prefix of IRISUpdate with a pkg extension Using the CLI 1 Upload the pkg file to a host system The file must be placed in a directory from which Equalizer can connect via FTP 2 Enter the following to upload the pkg file to your Equalizer eqcli reputation load FTP Address pkg File name The CLI command will l Transfer this file via FTP from the host system to Equalizer l Translate the download...

Page 252: ...igational pane select System Global IP Reputation to display the following 3 Select the Local File radio button and click on Choose File 4 Follow the prompts to upload the pkg file 5 Click on Commit to save the new database ...

Page 253: ...it invokes the script editor to enter create the desired script eqcli sc fet script edit 3 Construct a script in the editor to fetch the IRDB database escape menu e search prompt y delete line u up p prev page a ascii code x search z undelete line d down n next page b bottom of text g begin of line w delete word l left t top of text o end of line v undelete word r right c command k delete char f u...

Page 254: ...and expand the Global branch 2 Select Smart Control to display the Smart Control display on the right 3 Click on to create a new Smart Control The following will be displayed 4 On the Smart Control configuration screen a Enter a Name for the Smart Control b Enter the Type of Smart Control For example in the configuration above the Smart Control will be run at 6 hour intervals Select the Interval o...

Page 255: ...us proxies provide anonymity users accessing websites through an anonymous proxy can t easily be traced back to their original IP They are typically used to circumvent security policies allowing users to access prohibited recreational adult or other non business sites by tunneling this traffic over a regular or encrypted HTTP session l Spam spam is normally defined as unsolicited electronic junk m...

Page 256: ...klists eqcli reputation pass category To blacklist a category using the GUI 1 Select System Global IP Reputation on the left navigational pane to display the IP Reputation screen Note If IP Reputation Tracking has been disabled the Inbound Blocking by Category area will be grayed out and non functional 2 Use the radio buttons to Block or Allow inbound Botnet Phishing Anonymous Proxy Spam or Other t...

Page 257: ...st of IP addresses The following examples demonstrate how to block a single IP or a list of IPs A list is comma separated as shown in the example below eqcli reputation blacklist 172 16 1 170 172 16 1 175 172 16 3 245 Verify your entry by entering eqcli show reputation blacklist Blocked IP Name Start IP Address End IP Address Blocked Direction 172 16 1 170 172 16 1 170 172 16 1 170 inbound 172 16...

Page 258: ...168 103 255 To verify the addresses that are blocked enter eqcli show reputation blacklist Blocked IP Name Start IP Address End IP Address Blocked Direction 192 168 100 0 192 168 100 0 192 168 103 255 inbound eqcli ...

Page 259: ...ist below l You could enter individual IP addresses l You could also enter a range of IP addresses to block If for example you enter 10 0 0 5 10 0 0 11 all the addresses from 10 0 0 5 to 10 0 0 11 will be blocked l You can also enter a range of IP addresses using CIDR notation If for example you enter 192 168 100 0 22 this would encompass the 1024 addresses from 192 168 100 0 to 192 168 103 255 4 ...

Page 260: ...hown eqcli reputation whitelist 172 16 1 170 172 16 1 175 172 16 3 245 Verify your entry by entering eqcli show reputation whitelist Allowed IP Name Start IP Address End IP Address Allowed Direction 172 16 1 170 172 16 1 170 172 16 1 170 inbound 172 16 1 175 172 16 1 175 172 16 1 175 inbound 172 16 3 245 172 16 3 245 172 16 3 245 inbound eqcli You could also enter a range of IP addresses to pass I...

Page 261: ...ab on the right The following will be displayed 3 Enter IP addresses in the Modify Whitelist text box and click on to add them to the list below a You could enter individual IP addresses that will be allowed b You could also enter a range of IP addresses to allow If for example you enter 10 0 0 5 10 0 0 11 all the addresses from 10 0 0 5 to 10 0 0 11 will be allowed c You can also enter a range of...

Page 262: ... enter eqcli show reputation category category The example below shows 16 IRDB IP addresses for the botnet category eqcli show reputation category botnet Category botnet has 16 IP addresses 1 0 243 254 1 11 85 56 1 11 149 254 1 11 173 96 1 11 183 116 1 11 195 119 1 22 8 216 1 22 16 180 1 22 17 79 1 22 19 49 1 22 28 30 1 22 35 88 1 22 38 1 1 22 38 241 1 22 71 16 1 22 71 230 ...

Page 263: ... IRDB for each category as well as blocked statistics are displayed Click on the appropriate category option to select a category s IP addresses You can also display blocked statistics for a specific IP address by selecting the Filter by IP Address option and entering an IP address in the space provided You can enter a range of IP addresses or CIDR format as described previously ...

Page 264: ...ab Click on Commit to save your parameters or Reset to return the default values Hostname This is Equalizer s host name default Locale Sets the Equalizer locale en to set English locale ja to set Japanese locale DNS Section Domain Name Server Primary Secondary or Tertiary If using a Domain Name Server the Domain Name Server Equalizer will use ...

Page 265: ...s marked down only if there are no other probes TCP ACV or server agent active for the cluster This value must be greater than 1 ICMP Probe Interval A timer specifying the length of time in seconds during which a successful server probe must occur or the server is marked down At least one ICMP probe of a server must have succeeded since the last Equalizer reboot or failed ICMP probes for the serve...

Page 266: ...onfigure a cluster server or match rule so that traffic between the Equalizer and servers is encrypted using SSL TLS Refer to Server Side Encryption on page 358 for a description of configuring SSE using the GUI and the CLI ...

Page 267: ...em parameters and statistics It is a method for administrators to configure the system to automatically perform functions that may be dependent on threshold values or timing Refer to Smart Control Overview on page 680 for complete descriptions of this function ...

Page 268: ...ly to browse through the MIB tree and so is sometimes called a MIB browser One such management station that is available in a free personal edition is the iReasoning MIB Browser available from www ireasoning com A MIB database is a hierarchical tree of variables whose values describe the state of the monitored device A management station that wants to browse the MIB database on a device sends a req...

Page 269: ...NMP service You must specifically enable SNMP on the subnet or subnets on which you want it to listen for SNMP MIB browser and management station connections SNMP Parameters using the GUI SNMP parameters are displayed on the GUI by clicking on the System configuration tab on the left navigational pane and then selecting Global to expand the branch Click on SNMP to display the following The paramet...

Page 270: ...the MIBs for EQ OS 10 Therefore the MIB names and filenames are changed for EQ OS 10 EQ OS 8 6 MIBS will not work with EQ OS 10 MIBS EQ OS 10 provides partial support for these standard MIBS RFC1213 MIB RFC1213 System tcp tcpInSegs tcpOutSegs tcpRetransSegs tcpInErrs tcpOutRsts and tcpConnTable Interfaces udp IP ipForwarding ipDefaultTTL ipInReceives ipInHdrErrors ipInAddrErrors ipForwDatagrams ip...

Page 271: ... my HOST RESOURCES TYPES my IANAifType MIB my IF MIB my INET ADDRESS MIB my IP MIB my RFC1155 SMI my RFC1213 MIB my SNMPv2 CONF my SNMPv2 MIB my SNMPv2 SMI my SNMPv2 TC my TCP MIB my UDP MIB my The MIB files can be downloaded from Equalizer using a browser pointed at http Equalizer eqmanual mibname my ...

Page 272: ...re commonly used when you want to configure email alerts With email alerts you will be adding email addresses to the alert Refer to Configuring an SMTP Relay on page 716 for additional information ...

Page 273: ...con trash can to delete the displayed VLB Manager Enter the following details for each VLB used URL The URL configured on the system running vCenter or on an ESX Server for VMware API connections By default this is an https URL using the IP address of the vCenter system followed by sdk as in https 192 168 1 50 sdk Username The VMware user account that you normally use to log into the vCenter or ES...

Page 274: ...yed The default Connect Timeout is 1 second Clicking on the Test Login button will attempt to log in to the displayed virtual machine using the credentials you specified After clicking a success or failure response will be displayed VLB Manager using the CLI Refer to External Services Commands on page 178 for VLB Manager commands ...

Page 275: ...ld in the format mm dd yyyy hh mm ss Click on Commit to save the settings Click on Reset to reset all the newly entered values to the previous values Automatically Set Date and Time Network Time Protocol NTP is a protocol and software implementation for synchronizing the clocks of computer systems It provides Coordinated Universal Time UTC including scheduled leap second adjustments and will be us...

Page 276: ...ame behavior that occurs if Equalizer is booted and there are no peer definitions found in the configuration file which happens for example when the system is reset to factory defaults Restore features are available through the GUI and through eqcli Restore Notes 1 eqcli restore of a backup archive from a local directory is not supported 2 When restoring a backup archive created on an Equalizer ot...

Page 277: ...as follows 1 Log in to the GUI as described in Logging In on page 230 2 Click on the Maintenance tab and then select Backup and Restore The following will be displayed 3 In the Backup pane enter a File Name which is built from the optionally specified Tag In the example above voodoo is used The Tag is used in addition to the default file name which is of the form system_name tag date _ time backu...

Page 278: ...r save it to the specified local directory or transfers the file to the FTP server via the URL entered Backup CLI The backup archive is created and then uploaded to a URL that specifies an FTP site that can be reached by Equalizer To create a backup and upload to a specific URL enter the following eqcli backup url URL name where name is a string that will be used in the backup file name The defau...

Page 279: ...tem is reset to factory defaults Restore features are available through the GUI and through eqcli Restore Notes 1 eqcli restore of a backup archive from a local directory is not supported 2 When restoring a backup archive created on an Equalizer other than the one you are restoring all IP addresses clusters servers failover IP addresses VLAN IP addresses etc will be instantiated as is from the ba...

Page 280: ...e is downloaded from the specified FTP site and a pop up displays a summary of the configuration in the archive A notification SSL Certificates for HTTPS cluster notification will be displayed Click on Continue or Cancel If Continue is selected the archive is restored and the system is rebooted For Local File click on the Restore button to display a file selection dialogue to select a file from lo...

Page 281: ...ollowing eqcli restore url URL name Where name must match the name of the backup archive to be downloaded URL is the path to the previously backed up file and must be of the form ftp user password server path Note You will be prompted to enter a password if it is not supplied in the URL ...

Page 282: ...load URL space Upgrade To download and install an image select the Download location using the drop down list If Local File is selected you will be prompted for the location of the local file When a file is selected the path and file name will be displayed If CPS URL is selected the CPS download URL pointing to the latest available release shown in the EQ OS Release Status pane will automatically ...

Page 283: ...qualizer from directly in the GUI l A Save System State feature that allows you to create an archive of your various configuration files logs and other details used to help in diagnosing any issues that may arise Access any of the tools by selecting the appropriate accordion tab to display the commands details Halt Shutdown System Click on the Halt Shutdown System configuration tab to display the ...

Page 284: ...y Support to help diagnose problems you are having with Equalizer The file can be saved locally or uploaded to an FTP server 1 Click on the Maintenance tab and then Save State to display the following 2 Enter a File Name for the archive This should be in the format hostname tag date_time collect tbz If desired enter a unique tag for the archive file name in the Tag field which will be included in ...

Page 285: ...e Equalizer collects the information for the archive a dialog box is displayed by your browser to open or save the archive 5 If you require technical support open your email client and send the file you saved to support coyotepoint com as an attachment or provide the URL with credentials for the FTP site on which the archive now resides Explain the nature of your problem in the email or just incl...

Page 286: ...gotiate the highest available speed with the unit on the other end of the connection Select GX Only Autonegotiation at the current speed and duplex parameter settings only Force GX Only Set the port to the current speed and duplex parameter settings with no auto negotiation Duplex Mode If the port status is Link Up this is the current port duplex setting If the status is Link Down this is either t...

Page 287: ...tted by this port Number of transmitted QoS Class 3 frames The total number of received Quality of Service QoS Class 3 frames transmitted by this port Total number of dropped frames on egress path The total number of packets that were dropped e g lack of transmit buffer collision detection These packets are not transmitted by the port Total transmitted octets The total number of bytes 8 bits trans...

Page 288: ...he total number of packets that were dropped e g lack of transmit buffer collision detection These packets are not transmitted by the interface Received Counters Packets The total number of packets received on this interface bytes The total number of bytes received on this interface multicasts The total number of good broadcast multicast e g ARP packets received on this interface errors The total ...

Page 289: ... or the force setting Can be set to 10 100 or 1000 Mbps The link light on Equalizer s ports will be displayed in green when connected at 1 Gbps and amber when connected at 100 Mbps If you would like to display statistics using the CLI enter the following eqcli interface interface name stats The tables below show typical port statistics displays Transmit Counters Number of good and bad packets T...

Page 290: ...umber of bad packets e g CRC errors alignment errors too short received on this port Number of received QoS Class 3 frames The total number of received Quality of Service QoS Class 3 frames received by this port Total number of dropped frames on ingress path The total number of packets that were dropped e g lack of receive buffer congestion invalid classification e g tagged frame received on untag...

Page 291: ...t supported General Process for Creating Aggregated Interfaces 1 Configuration of aggregated interfaces via the CLI GUI by specifying a A unique aggregated interface name b The physical interfaces ports to be configured as members of the aggregated inter face c A flag indicating whether LACP is to be enabled or disabled it is enabled by default 2 Assign the aggregated interface to a VLAN by adding...

Page 292: ...e aggregation configuration by entering eqcli show agr agr00 AGR Name agr00 Flags lacp Interfaces eqcli Note The LACP flag is enabled by default 4 If you have not done so already create a VLAN and do not assign any interfaces to it See Configuring VLANs on page 297 for how to create a VLAN 5 Add an instance of the new link aggregation group created above In the example below an interface instance ...

Page 293: ... create a link aggregation group and assign it to a VLAN using the GUI do the following 1 Click on the System configuration tab on the left pane of the GUI if it is not already selected 2 Click on the arrow u beside Network to expand the branch 3 Click on Aggregation to display the Aggregation configuration screen The screen features accordion tabs that will display the configured Aggregated Inter...

Page 294: ...gregated interfaces that have been created will be displayed as shown below on the VLAN Configuration screen Add Aggregated interfaces to the VLAN by selecting radio buttons VLANs can either be tagged or untagged tagged ports can be assigned to more than one VLAN untagged interfaces can be assigned to exactly one VLAN Select an appropriate radio button in Type E670LX E970LX shown 8 Click on Commit...

Page 295: ...isplay the VLAN Configuration screen 2 Select the unassigned radio button from the Aggregated Interfaces pane at the bottom of the screen 3 Click on Commit to complete the process ...

Page 296: ...selected 2 Click on the arrow u beside Network to expand the branch 3 Click on Aggregation to display the Aggregated Interfaces screen 4 Select the Aggregated Interfaces accordion tab that you want to remove from the system 5 Click on to remove the interface 6 Click on Commit to complete the process ...

Page 297: ...rame 2 Right click the name of the VLAN you want to delete 3 Select Delete VLAN from the pop up command menu 4 Click Confirm Modify a VLAN CLI eqcli vlan name parameters GUI 1 Expand the VLANs node in the left frame 2 Click the name of the VLAN you want to modify The VLAN configuration tabs appear in the right frame 3 Edit the VLAN configuration using the controls on each tab Click Commit before n...

Page 298: ...onfiguration is incomplete The VLAN Port configuration on the E670LX and E970LX displays l 8 1GB ports l 1 1GB management port l 2 10GB ports and as many aggregated ports as are currently configured by the user The E470LX and E370LX do not have 10GB ports so the 10 GB pane is not displayed on the VLAN Port configuration screen The E370LX does not have a MGMT port and does not appear in the 1GB pan...

Page 299: ...revert to the previous settings VLAN Port Assignment Using the CLI Configure a VLAN using the CLI as follows Create a VLAN and subnet over which you can log into Equalizer If you want to license Equalizer online the subnet you create should also be able to reach the Internet 1 To create a VLAN enter a command like the following eqcli vlan vlname vid vlan_ID Replace vlname with the VLAN name and vla...

Page 300: ...se over the Support link near the top of the screen and choose Manuals from the drop down list 3 Associate an interface instance with the VLAN Here we assume that you are using the port labelled 1 on the front panel Enter one of the following commands depending on whether the VLAN you created above is untagged or tagged ask your network administrator if you are unsure eqcli vlan vlname ifi ge01 ty...

Page 301: ...LANs 4 Click on the arrow u next to a specific VLAN to expand the branch to display all configured subnets 5 Right click the name of the subnet you want to delete 6 Select Delete Subnet from the popup command menu 7 Click Confirm Modify a subnet CLI eqcli vlan name subnet name parameters GUI 1 Click on the System configuration tab on the left pane 2 Click on the arrow u next to Network to expand t...

Page 302: ...next to Network to expand the branch 3 Click on the arrow u next to VLANs to expand the branch to display all configured VLANs 4 Click on the arrow u next to a specific VLAN to expand the branch to display all configured subnets 5 Click a subnet name to display the configuration displays for that subnet in the right pane ...

Page 303: ...to the Permit pane on this screen Using drag and drop functionality drag a Subnet from the Deny pane and drop it in the Permit pane to allow packet forwarding on the subnet Similarly if you would like to remove a subnet from the Permit pane you can drag and drop to the Deny pane Click on Reset to revert to the default permissions Click on Commit to save any subnet permission changes made See VLAN ...

Page 304: ...net specific static route table Subnet static routes can be specified via the CLI or the GUI Also refer to Source Based Routing Scenarios on page 119 for a description of source based routing scenarios Configuring Subnet Static Routes using the GUI Do one of the following 1 In the GUI click on the System configuration tab if it is not already selected Then click on the arrow u beside VLANs to expa...

Page 305: ... g 192 168 1 0 24 For IPv6 specified using IPv6 subnet notation Gateway The IP address of the gateway used to reach the host or subnet Source IP The IP address of where a packet originates Prefer Enabling this flag allows you to specify the preferred route to be used for any matching destination even if the destination address is on a subnet that is defined on Equalizer One Prefer flag is allowed ...

Page 306: ... 24 For IPv6 specified using IPv6 subnet notation gw The IP address of the gateway used to reach the host or subnet src The IP address of where a packet originates Prefer Enabling this flag allows you to specify the preferred route to be used for any matching destination even if the destination address is on a subnet that is defined on Equalizer One Prefer flag is allowed for each subnet is allowe...

Page 307: ...et as if they are part of the external subnet through which they are being NAT d Configuring outbound NAT using the GUI 1 Configure outbound NAT using either of the following methods l Enter a From IP and the Up To IP which specifies the IP range Also enter the Out outbound NAT IP address l Enter a from IP without the Up To IP Also enter the Out outbound NAT IP address The From address is the sour...

Page 308: ...ess of an outbound packet matches this IP address or falls within the specified range then the packet is modified to use the IP address specified by the out parameter as the source IP The out address specifies that if the source IP address of an outbound packet matches the IP address or IP address range specified by the from parameter then the packet is modified to use this IP address as the sourc...

Page 309: ...nd a system at the tunnel broker s site Clusters on Equalizer are assigned IPv6 addresses within the subnet assigned by the tunnel broker Clients can then access the IPv6 cluster address through the tunnel There are a number of tunnel brokers providing IPv6 tunnels to various geographical regions In general you should pick a tunnel broker that maintains tunnel servers that are geographically close ...

Page 310: ...e IPv4 Internet and request a 6in4 tunnel from a tunnel broker 2 After you receive the tunnel configuration information from the broker set up the tunnel endpoint on Equalizer Once the tunnel is configured you can perform additional tasks required to get Equalizer clusters on the IPv6 Internet including l Assigning cluster IPv6 addresses from the subnet address range provided by the tunnel broker...

Page 311: ...roker as the Equalizer endpoint for the tunnel It is the IP address that the tunnel broker will use to reach Equalizer This is either Equalizer s VLAN IP on the subnet created in Step 1 or the IP address with which Equalizer s VLAN IP is associated via Network Address Translation NAT remote_endpoint The IPv4 address of the tunnel broker side of the tunnel as provided by the tunnel broker local_address The I...

Page 312: ...and address to name mapping Systems that support both IPv4 and IPv6 will require DNS entries that describe the mappings for each protocol A new DNS record type AAAA sometimes referred to as quad A has been defined for IPv6 name to address mappings see RFC 3596 AAAA records contain a single IPv6 address mapped to a fully qualified domain name FQDN The assigned value for this record type is 28 decima...

Page 313: ... Clusters 349 Layer 7 HTTP and HTTPS Cluster Persistence 351 Server Side Encryption 358 Layer 7 Cluster Reporting 362 Layer 7 Cluster Timeouts 362 Server Name Indication 363 Layer 7 TCP Cluster Settings 367 Layer 7 TCP Cluster Persistence 370 Additional Cluster Configuration 371 About Passive FTP Translation 371 Enabling Cookies for Persistent Connections 371 Enabling Persistent Server Connections...

Page 314: ...lusters and Match Rules Testing Your Basic Configuration 385 Using Match Rules 386 Cluster and Match Rule Statistics and Reporting CLI and GUI 420 ...

Page 315: ...tual cluster determine how client and server connections are managed and how requests are load balanced among the server instances in a server pool Before beginning to define a cluster you need to do the following 1 Determine the IP addresses to use for each cluster and the IP addresses to use for all of your real servers 2 Determine the cluster types appropriate for your configuration Notes l The ...

Page 316: ...pport IPv6 addressing l Layer 7 HTTPS clusters also provide SSL Offloading all SSL certificate operations are performed by the cluster not by the servers behind the cluster thus improving overall cluster performance After you decide on the cluster types you need you ll then need to determine the additional settings and flags to be used on the cluster and its server pools For most configuration it...

Page 317: ...e if it is not already selected Then click on Clusters to display this summary screen Status Indicators This icon indicates that the server instances in the attached server pool are up and running This icon indicates that one or more of the server instances in the attached server pool are down Numerical Statistics Displayed Connections The number of active current connections to this cluster TPS T...

Page 318: ...uster s that you would like displayed For example if you would like to display cluster summary for IPv4 clusters with IP addresses beginning with 172 you would enter 172 using a wildcard character For IPv6 clusters you would enter prefix specification such as 2001 218 420 64 After clicking on the Set button the details for those clusters alone will be displayed Filter by Status selecting this opti...

Page 319: ...imeouts responders and persistence eqcli show cluster Testhttps L7 Cluster Name Test_https Protocol https IP Address 2 4 6 8 Port 80 Preferred Peer VID 1 Client Timeout 10 Server Timeout 60 Connection Timeout 10 Sticky Timeout 0 Sticky Netmask 32 Custom Header CRL CA Certificate Cipher Spec AES128 SHA DES CBC3 SHA RC4 SHA RC4 MD5 AES256 SHA SSLv2 Validation Depth 9 Flags allow_utf8 allow_sslv3 ign...

Page 320: ... Cookie Age 0 Cookie Generation 0 Persist Type coyote_cookie_2 eqcli ...

Page 321: ... are completed which is indicated by the client sending two blank lines for HTTP 1 0 or 1 1 one blank line for HTTP 0 9 Once the headers are completely transmitted to Equalizer the client timeout is no longer used 3 As soon as the Equalizer is done examining the header data it makes a connection to a server as determined by the load balancing policy persistence or a match rule hit The amount of ti...

Page 322: ...ver Note that there is the chance that a client will connect send its headers and then send continuous data to Equalizer that repeatedly resets the server timeout This vulnerability is usually avoided by setting a hard client timeout on the application server itself see Cluster Connection Timeouts on page 321 The figure below summarizes the connection timeout parameters Equalizer uses for Layer 7 ...

Page 323: ... respond to a client request plus 1 second If there is high latency between Equalizer and the servers in your cluster then you may need to increase the connect timeout The client timeout usually does not need to be changed but in some situations HTTPS clusters will require a client timeout between 15 and 30 seconds for best performance If you do need to increase the client timeout use the lowest v...

Page 324: ...he Layer 4 connection timeouts specify how long a connection record is kept by Equalizer Layer 4 TCP clusters use the idle timeout and stale timeout parameters that set at cluster levels The parameters affect how Equalizer manages Layer 4 connection records l Connection records need to be removed in cases where the connection is not closed by the client or server and is left idle If no data has be...

Page 325: ... will wait for three things a The total amount of time it takes to receive a GET request b The amount of time between receipt of TCP packets on a POST or PUT request c The amount of time between ACKs on transmissions of TCP packets in responses 2 The KeepAliveTimeout directive specifies the number of seconds Apache will wait for a subsequent request before closing the connection Once a request ha...

Page 326: ...e timeout parameter eq l7lb timeouts The total number of Layer 7 connections dropped because a connection timer expired eq l7lb http client_timeouts The total number of Layer 7 HTTP and HTTPS connections that were terminated because the client timeout expired eq l7lb http connect_timeouts The total number of Layer 7 HTTP and HTTPS connections that were terminated because the connect timeout expire...

Page 327: ...dress which is the dotted decimal IP address of the cluster The IP address of the cluster is the external address for example 172 16 0 201 with which clients connect to the cluster Port Enter the cluster port the numeric port number on the Equalizer to be used for traffic between the clients and the cluster For HTTP clusters the cluster port defaults to 80 For HTTPS clusters the cluster port defau...

Page 328: ...ster b Click on a cluster on the left navigational pane and drag to the Delete Trash icon Using the CLI Add a cluster using eqcli as follows In this example a Layer 7 HTTPS cluster is created Since the protocol is HTTPS port 443 is used 1 Log in to eqcli as described in Starting the CLI on page 141 2 Enter the following at the CLI prompt eqcli cluster clustername proto protocol ip xxx xx x xxx por...

Page 329: ...1. Enter the following at the CLI prompt: eqcli > no cluster clustername ...

Page 330: ...e system, or by selecting the cluster name from the Cluster branch on the left navigation pane and selecting the Configuration > Summary tabs. This screen displays a snapshot of the cluster and all of its associated objects (i.e., server pools, server instances and responders), the status of the objects, and the Active Connections, Connections/Second and Transactions/Second. A graphical plot is also displayed show...

Page 331: ...er. Preferred Peer: Used with an N+1 Failover Configuration. See Configuring N+1 Failover Between Two EQ/OS 10 Systems on page 583. Server Pool: The drop-down list selects the Server Pool (grouping of server instances) to be associated with the TCP cluster. Range: For L4 UDP and L4 TCP protocol clusters a port Range can be defined by entering a value higher than the L4 port configured for the cluster. This ran...

Page 332: ...sses to Equalizer's IP address on the VLAN. If you disable Spoof, the server receiving the request will see Equalizer's IP address as the client address, because the TCP connection to the client is terminated when the request is routed. The server will therefore send its response back to Equalizer's IP address. When the Spoof flag is disabled on a Layer 4 cluster: If there is more than one VLAN defined ...

Page 333: ...e network. The sticky netmask value indicates which portion of the address Equalizer should use to identify particular networks. Values are 0-32 for IPv4 clusters (default 32) and 0-128 for IPv6 clusters. Inter-Cluster Sticky: With the inter-cluster sticky option you can configure Equalizer to direct requests from a client to the same server on any available port that has a current persistent connection ...

Page 334: ...cords need to be removed in cases where the connection is not closed by the client or server and is left idle. If no data has been received on a connection from either the client or the server after the time period specified by the idle timeout has elapsed, then the connection record for that connection is removed. Any data received from either client or server resets the idle timer. (1-65535) Stale Ti...

Page 335: ...s the Active Connections, Connections/Second and Transactions/Second. A graphical plot is also displayed showing the traffic flow through the cluster from the past 30 minutes. In addition, you have the option to Disable the cluster by selecting the Disable check box. Note that if a connection is active and the cluster is disabled, then any packets received are dropped. The connection will eventually time...

Page 336: ... the clients and the cluster. For TCP clusters the port defaults to 80. This port also becomes the default port for servers added to the cluster, though servers can use a different port number than the one used by the cluster. Preferred Peer: Used with an N+1 Failover Configuration. Refer to Configuring N+1 Failover Between Two EQ/OS 10 Systems on page 583. Server Pool: The drop-down list selects the Server...

Page 337: ...ress on the server VLAN. If this is not possible, you can establish static routes on the server to send responses to specific client IP addresses to Equalizer's IP address on the VLAN. If you disable Spoof, the server receiving the request will see Equalizer's IP address as the client address, because the TCP connection to the client is terminated when the request is routed. The server will therefore s...

Page 338: ...ally all the servers in a proxy farm are on the same network. The sticky netmask value indicates which portion of the address Equalizer should use to identify particular networks. Values are 0-32 for IPv4 clusters (default 32) and 0-128 for IPv6 clusters. Inter-Cluster Sticky: With the inter-cluster sticky option you can configure Equalizer to direct requests from a client to the same server on any avail...

Page 339: ... Timeout is the length of time in seconds that a partially open or closed Layer 4 connection is maintained. If a client fails to complete the TCP connection termination handshake sequence, or sends a SYN packet but does not respond to the server's SYN/ACK, Equalizer marks the connection as incomplete. Because each half-open connection holds a connection record until this timer expires, keep the stale timeout short on clusters reachable from untrusted networks. Click on the Commit button after making changes to the settings. ...

Page 340: ... 1. SSL offload is not supported for UDP clusters. If you would like to use a secure UDP application, you must install certificates directly on your physical servers rather than in the UDP cluster. 2. IP address based persistence is the only persistence type supported. 3. Match Rules are not supported. There are also several limitations that apply only to UDP clusters and servers: 1. A UDP server can be us...

Page 341: ...electing the cluster from the Cluster branch on the left navigation pane. HTTP and HTTPS cluster parameters are modified using the following tabs: Configuration (including Summary, Settings, Persistence and Timeouts) and Reporting (including Statistics and Plotting). ...

Page 342: ...nd responders, the status of the objects, and the Active Connections, Connections/Second and Transactions/Second. A graphical plot is also displayed showing the traffic flow through the cluster from the past 30 minutes. In addition, you have the option to Disable the cluster by removing its IP address alias from the interface in addition to disabling cluster traffic. The example below shows a sample of the C...

Page 343: ...ualizer to be used for traffic between the clients and the cluster. For HTTP clusters the port is normally 80. For HTTPS clusters the port is normally 443. This port also becomes the default port for servers added to the cluster, though servers can use a different port number than the one used by the cluster. Preferred Peer: Used with Active/Active Failover. Refer to Configuring Active/Active Failover Be...

Page 344: ... done for 2 reasons: faster client response and a better user experience. In addition, less ISP bandwidth is used in sending smaller files back to clients. Files smaller than the minimum specified are not compressed. Default: 1024 bytes. Compression MIME Types (ADCs with Hardware Acceleration): Specifies the MIME types that will be compressed when the Compress option is enabled for the cluster. The value of th...

Page 345: ...ch requests. Therefore, ensure that your server software is capable of handling URIs containing extended characters and will not serve as a potential weak point in your network before you enable extended characters. Compress (not applicable to E250GX): When this option is enabled, Equalizer automatically detects requests to the cluster from compression-capable browser clients and performs GZIP compressi... Caveat: compressing HTTPS responses that mix attacker-influenced input with secrets (session tokens, CSRF tokens) exposes the BREACH side channel, since the compressed size leaks content; weigh this before enabling Compress on an HTTPS cluster.

Page 346: ...rvers without rewriting them. In the typical Equalizer setup you configure servers in an HTTPS cluster to listen and respond using HTTP; Equalizer communicates with the clients using SSL. If a server sends an HTTP redirect using the Location header, this URL most likely will not include the https protocol. Equalizer rewrites responses from the server so that they are HTTPS. You can direct Equalizer to p...
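As an added example, not code from the Equalizer product, the following shows the Location rewrite the passage above describes for an HTTPS cluster whose servers speak plain HTTP behind the load balancer. The cluster host names, the cluster port and the sample 302 headers are constructed for the example; the rule that only redirects pointing at the cluster's own host names are rewritten (so a redirect to an unrelated plain-HTTP site passes through) is this example's design choice, not behaviour stated on the page.

```python
"""Rewrite a backend's http:// Location header to https:// for an SSL-offloading
cluster. Added example; not Equalizer product code."""
from urllib.parse import urlsplit, urlunsplit


def rewrite_location(location, cluster_hosts, cluster_port=443, rewrite=True):
    """Return the Location value to send to the client.

    cluster_hosts: host names the HTTPS cluster answers for (assumption: only
    redirects to these hosts are rewritten). cluster_port: the cluster's port,
    which replaces whatever port the backend put in the URL (e.g. 8080).
    rewrite=False models the "pass through" option the guide mentions."""
    if not rewrite:
        return location
    p = urlsplit(location)
    if p.scheme != "http" or p.hostname is None:
        return location                      # already https, relative, or not a URL
    if p.hostname.lower() not in {h.lower() for h in cluster_hosts}:
        return location                      # foreign host: it may not serve TLS
    netloc = p.hostname if cluster_port == 443 else f"{p.hostname}:{cluster_port}"
    return urlunsplit(("https", netloc, p.path, p.query, p.fragment))


def rewrite_response(headers, cluster_hosts, cluster_port=443, rewrite=True):
    """Apply the rewrite to every Location header in a list of (name, value)."""
    return [
        (n, rewrite_location(v, cluster_hosts, cluster_port, rewrite)
            if n.lower() == "location" else v)
        for n, v in headers
    ]


# Constructed sample: a 302 from a backend listening on port 8080
SAMPLE = [
    ("Content-Length", "0"),
    ("Location", "http://www.website.com:8080/login?next=%2Fmail"),
]

if __name__ == "__main__":
    print(rewrite_response(SAMPLE, ["www.website.com"]))
```

The backend port is dropped rather than preserved because the client only ever reaches the backend through the cluster port; leaving 8080 in place would send the browser to a port that is not listening for TLS.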

Page 347: ...nger be able to log into the GUI. You will need to supply the correct certificate/key pairing. In the meantime, you can enable HTTP access to the GUI temporarily to enter the proper certificate/key pairing and re-enable HTTPS access. HTTP access sends the administrative login in cleartext, so do this only from a trusted management network and disable HTTP access again as soon as HTTPS works. Loading Certificates Using the CLI: Refer to Certificate Commands on page 166 for descriptions on uploading certificates using the CLI. Loading Certificates Using the GUI: The L...

Page 348: ...n List (CRL) is used to check that the SSL certificates provided by the SSL client during the SSL handshake are not in the CRL. It requires the Client CA to be specified. Use the drop-down list to select a CRL. Validation Depth: The depth to which certificate checking is done on the client certificate chain. The default of 2 indicates that the client certificate (level 0) and two levels above it (levels ...

Page 349: ...ault. All units with Hardware SSL Acceleration can process the TLSv1.0, TLSv1.1 and TLSv1.2 protocols in both hardware and software, except for legacy GX hardware. On legacy GX hardware only TLSv1.0 is supported by Hardware SSL Acceleration; if you want to enable TLSv1.1 or TLSv1.2 on GX hardware you must first enable this flag. Please note that enabling this option will reduce the processor and memory ...

Page 350: ...r 7 HTTPS Security can be configured in the CLI either globally or in cluster context. Enter parameters using the following format: eqcli > cluster clustername parameter value flags flag. Use the table above for descriptions of the parameters and values. Where clustername is the name of the cluster, parameter is the parameter, value is the value associated with the parameter, and flag is the flag to be ass...

Page 351: ...istence, where Equalizer provides a secondary persistence option: if, for example, a cookie response is not received, a secondary or fallback option can be used. With these configurable options, two persist methods can be listed, e.g. Cookie 1 (Cluster IP, Server IP:Port) and Source IP. In this example the order indicates the fallback order: if a cookie is found, the cookie will be used; otherwise the Sourc...

Page 352: ...way that, so long as the cluster maintains the same IP address, servers can be added to and removed from the cluster without invalidating all of the existing cookies. This cookie stores the cluster IP and port and the server IP and port. Cookie 1 (Cluster IP, Server IP:Port): Constructs a cookie which will be valid across all clusters with the same IP address (not port specific). A requirement for this t...

Page 353: ...only if the server's host name is within the specified domain. For example, if the cookie domain is website.com, then Equalizer will only present the cookie to servers in the website.com domain, for example www.website.com. Wildcards are not supported in the cookie domain. Cookie Generation: A value added to cookies when the cookie scheme is 2. In order for cookies to be valid, the specified Cookie Generat...

Page 354: ...servers in a proxy farm are on the same network. The sticky netmask value indicates which portion of the address Equalizer should use to identify particular networks. Values are 0-32 for IPv4 clusters (default 32) and 0-128 for IPv6 clusters. Inter-cluster Sticky: With the inter-cluster sticky option you can configure Equalizer to direct requests from a client to the same server on any available port that...

Page 355: ...e, and if the cookie is anything other than Cookie 0 (Cluster IP:Port, Server IP:Port), a server is selected using the Load Balancing Policy (Algorithm). Source IP, Cookie 1 (Cluster IP, Server IP:Port): A server is selected on a sticky record (Source IP). If no records are found, a server is selected on the basis of the cookie, and if the cookie is anything other than Cookie 1 (Cluster IP, Server IP:Port), a server is...

Page 356: ... on the cookie. If no cookie is in the request, the server is selected using the Load Balancing Policy (Algorithm). Cookie 1 (Cluster IP, Server IP:Port), Source IP: A server is selected based on the cookie. If no cookie, or a cookie other than Cookie 1 (Cluster IP, Server IP:Port), is in the request, a server is selected based on the sticky record (Source IP). If no records are found, a server is selected and a new s...

Page 357: ...e, or a cookie other than Cookie 2 (Cluster IP, Server IP) or Cookie 0 (Cluster IP:Port, Server IP:Port), is in the request, a server is selected using the Load Balancing Policy (Algorithm). Cookie 2 (Cluster IP, Server IP), Cookie 1 (Cluster IP, Server IP:Port): A server is selected based on the cookie. If no cookie, or a cookie other than Cookie 2 (Cluster IP, Server IP) or Cookie 1 (Cluster IP, Server IP:Port), is in the r...
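The fallback order in the tables above (cookie, then a Source IP sticky record, then the load balancing policy), together with the cookie schemes described on pages 352 and 353 and the sticky netmask on page 354, as an added example that is not Equalizer product code. The cookie wire format, the round-robin policy, the cluster and server addresses and the client addresses are all constructed for the example; the appliance's real cookie encoding is not on the page.

```python
"""Persistence fallback for an HTTP/HTTPS cluster. Added example; not
Equalizer product code. Cookie schemes as the guide defines them:
0 = cluster IP:port + server IP:port, 1 = cluster IP + server IP:port (valid
across clusters sharing the IP), 2 = cluster IP + server IP, which must also
carry the current cookie generation."""
import ipaddress


class Cluster:
    def __init__(self, ip, port, scheme, generation, sticky_netmask, servers,
                 persist=("cookie", "source_ip")):
        self.ip, self.port = ip, port
        self.scheme, self.generation = scheme, generation
        self.sticky_netmask = sticky_netmask
        self.servers = list(servers)   # [(ip, port), ...] configured and up
        self.persist = persist         # fallback order, first method tried first
        self.sticky = {}               # masked client address -> (ip, port)
        self._rr = 0

    def _cluster_id(self):
        return f"{self.ip}:{self.port}" if self.scheme == 0 else self.ip

    def _server_id(self, server):
        return f"{server[0]}:{server[1]}" if self.scheme in (0, 1) else server[0]

    def make_cookie(self, server):
        """Constructed encoding: scheme|cluster id|server id|generation."""
        return f"{self.scheme}|{self._cluster_id()}|{self._server_id(server)}|{self.generation}"

    def server_from_cookie(self, cookie):
        """Server named by a cookie, or None if the cookie is missing, malformed,
        of another scheme, for another cluster, of a stale generation, or names
        a server not configured here. That last check matters: the cookie is
        client-supplied and must never route traffic to an arbitrary address."""
        if not cookie:
            return None
        try:
            scheme, cl, sv, gen = cookie.split("|")
            scheme, gen = int(scheme), int(gen)
        except ValueError:
            return None
        if scheme != self.scheme or cl != self._cluster_id():
            return None
        if self.scheme == 2 and gen != self.generation:
            return None
        for s in self.servers:
            if self._server_id(s) == sv:
                return s
        return None

    def sticky_key(self, client_ip):
        """Netmask 32 (IPv4 default) keys on the exact host; a shorter mask
        treats a whole network, e.g. a proxy farm, as one client."""
        net = ipaddress.ip_network(f"{client_ip}/{self.sticky_netmask}", strict=False)
        return str(net.network_address)

    def select(self, client_ip, cookie=None):
        """Return (server, how) following the configured fallback order."""
        key = self.sticky_key(client_ip)
        for method in self.persist:
            if method == "cookie":
                s = self.server_from_cookie(cookie)
                if s:
                    return s, "cookie"
            elif method == "source_ip":
                s = self.sticky.get(key)
                if s in self.servers:      # record must name a configured server
                    return s, "sticky"
        # no persistence hit: load balancing policy (round robin here)
        s = self.servers[self._rr % len(self.servers)]
        self._rr += 1
        if "source_ip" in self.persist:
            self.sticky[key] = s           # new sticky record for the client
        return s, "policy"


if __name__ == "__main__":
    c = Cluster("172.16.0.201", 80, scheme=1, generation=0, sticky_netmask=24,
                servers=[("10.0.0.5", 8080), ("10.0.0.6", 8080)])
    print(c.select("192.0.2.10"))                                       # policy
    print(c.select("192.0.2.77"))                                       # sticky, same /24
    print(c.select("198.51.100.1", c.make_cookie(("10.0.0.6", 8080))))  # cookie
```

A cookie that names a server not in the pool, or that carries the wrong cluster identity, port or generation, is simply ignored and the next method is tried, which is what lets servers be added and removed without invalidating every client's cookie.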

Page 358: ...SSE, the vulnerable path between your appliance and servers can be encrypted by enabling cluster options. With Equalizer, Match Rules extend the Layer 7 load balancing capabilities of HTTP and HTTPS clusters by allowing you to define a set of logical conditions which, when met by the contents of the request, trigger the load balancing behavior specified in the match rule. You have the option of utilizin...

Page 359: ... parameters. 3. Configure cluster options for SSE. 4. Configure match rule options for SSE. Note: The spoof and TCP Multiplexing (tcp_mux) options will not be available on http or https clusters or match rules if the Server Side Encryption (sse) option is enabled on the cluster and/or match rule. Proceed with the following to configure your appliance for SSE using the CLI and GUI. ...

Page 360: ...her suite is used by default: AES128-SHA:DES-CBC3-SHA:RC4-SHA:RC4-MD5:AES256-SHA:!SSLv2. Note: SSLv2 is not supported, as Equalizer will not negotiate with packets using SSLv2 encryption. The RC4 and DES-CBC3 suites in this default are weak by current standards (RC4 is prohibited for TLS by RFC 7465; 3DES is subject to the Sweet32 birthday attack), so remove them unless a legacy client requires them. 4. Add additional Cipher Suites as described in Layer 7 SSL Security (HTTPS Clusters) on page 349 as necessary. 5. Enable each TLS version that you wish to use. For example, if you select only Allow TLSv1.1, this will be the o...

Page 361: ...xchange algorithm and a cipher spec. The server selects a cipher suite or, if no acceptable choices are presented, returns a handshake failure alert and closes the connection. Once you add an https cluster, a default cipher suite will be added: AES128-SHA:DES-CBC3-SHA:RC4-SHA:RC4-MD5:AES256-SHA:!SSLv2. Note: SSLv2 is not supported, as Equalizer will not negotiate with packets using SSLv2 encryption. Add addi...

Page 362: ...tion > Timeouts tabs. Client Timeout: The time in seconds that Equalizer waits before closing an idle client connection. The default is the global value, between 1 and 65535 seconds. Server Timeout: The time in seconds that Equalizer waits before closing an idle server connection. The default is the global value, between 1 and 65535 seconds. Connect Timeout: The time in seconds that Equalizer waits for a se...

Page 363: ... After a client connects to a TCP port on the load balancer, it searches its certificate store for the website name that was exchanged as part of the TLS handshake (the Server Name Indication extension in the client hello). If the website is NOT present on a certificate, the cluster's default certificate will be returned to the client. If the website IS present on a certificate, that certificate will be returned to the client. Using SNI, additional...

Page 364: ... All previously configured SNI will be listed on accordion tabs. 5. To add an SNI, click on the add icon to add a new SNI. The following will be displayed. 6. Configure SNI parameters as follows: SNI Certificate Name: The name of the SNI object, up to 47 ASCII characters, which can include period (.), dash (-) and underscore (_). Server Name: The name of the website that you would like the SNI certificate to be associated with. Certi...

Page 365: ...ertname certfile edit url. Do the same for the associated key files: eqcli > cert certname, then eqcli cert-certname> keyfile edit url. 4. Add an SNI object by entering the following in the HTTPS cluster context. The SNI name can be up to 47 ASCII characters and can include period (.), dash (-) and underscore (_): eqcli cl-HTTPS> sni testsni, which leaves you at the prompt eqcli cl-HTTPS-sni-tes... 5. Now associate certificates with the new SNI by entering th...

Page 366: ... following in the SNI context: eqcli cl-NEW-sni-testsni> sni_svname www.march22.com, then eqcli cl-NEW-sni-testsni> commit, which reports eqcli: 12000287: Operation successful. 8. Now verify the SNI to be sure that it is associated with a server name: eqcli cl-NEW-sni-testsni> show, which displays SNI Name: test, Certificate: snicertificate1, Flags: SNI, svname: www.march22.com, and returns to the eqcli cl-NEW-sni-testsni> prompt. 9. Add additional SNI objects to certificates as...

Page 367: ...rs do: they cannot examine or manipulate headers, and cannot do anything protocol specific. This type of cluster is essentially used to: 1. Get a TCP connection on the cluster. 2. Pick a server. 3. Connect the client to the server. In general, the basic function of the Layer 7 TCP cluster is to provide IPv6 addressing for generic Layer 4 protocols and support IPv4 and IPv6 addressing for clusters and servers. The func...

Page 368: ...rt number than the one used by the cluster. Preferred Peer: Used with Active/Active Failover. Refer to Configuring Active/Active Failover Between Two Systems for details. Server Pool: A drop-down list used to select a Server Pool, or grouping of servers, with which the cluster will communicate. Abort server: By default, when a client closes a connection, Equalizer waits for a response from the server bef...

Page 369: ...Equalizer's IP address on the server VLAN. If this is not possible, you can establish static routes on the server to send responses to specific client IP addresses to Equalizer's IP address on the VLAN. If you disable spoof, the server receiving the request will see Equalizer's IP address as the client address, because the TCP connection to the client is terminated when the request is routed. The serve...

Page 370: ...s. Layer 7 TCP Cluster Persistence: Layer 7 TCP cluster persistence is the same as Layer 4 TCP cluster persistence. Refer to TCP Cluster Persistence on page 333 for details. ...

Page 371: ... the server's response header on its way back to the client. This cookie uniquely identifies the server to which the client was connected and is included automatically in subsequent requests from the client to the same cluster. Equalizer can use the information in the cookie to route the requests to the same server. If the server is unavailable, Equalizer automatically selects a different server. This ...

Page 372: ...ers that have inter-cluster sticky enabled for a sticky record for the same client and server but on a different server port than the one originally used in the client request. If such a sticky record is found and the server IP:port in the sticky record is configured as a server in the current cluster, then the sticky record is used to send the client request to that server IP:port. Otherwise the cli...

Page 373: ... the server will also include Connection: keep-alive in its response headers, and the client is able to send the next request over the persistent HTTP connection without the bother of opening additional connections. For HTTP 1.1, persistent connections are the default. For a Layer 7 cluster, Equalizer evaluates and possibly changes both the request and response headers that flow between the client and s...

Page 374: ... cookie, send the request to the server in the cookie. If there is no cookie, load balance the request and send it to the server chosen by policy. persist disabled: Send to the same server as the first request; Load balance the request and send it to the server chosen. match rule hit: Send to the same server as the first request; Send to the server chosen by the match rule. For example, let's look at how Equalizer processes HTTPS requests. Fo...

Page 375: ...you are essentially disabling Layer 7 processing while still incurring extra overhead for the Layer 7 cluster. If your application requires a cluster with no persistence, header processing or match rules, then we recommend that you define a Layer 4 UDP or TCP cluster for the best performance. ...

Page 376: ... the connection. Equalizer will insert a cookie into subsequent responses on the same connection if: they do not contain a valid cookie; the cookie generation has changed; or the server in the cookie has the quiesce flag enabled. Note: the cluster parameters cookie path, cookie age, cookie generation and cookie domain specify cookie content for the cluster. If any of these parameters are updated, this changes ...

Page 377: ...xchange 2003 version of Microsoft Outlook Web Access (OWA). OWA 2003 normally requires that all incoming client requests use the Secure Sockets Layer (SSL) protocol. This means that all client requests must have the https protocol in the URI. If, however, OWA is running on a server in an Equalizer Layer 7 HTTPS cluster, then OWA will receive all requests with http in the URI, since Equalizer performs SSL pro...

Page 378: ...t custom headers and rewrite headers in every transaction in a connection, turning off "once only" is required. HTTPS Performance and Xcel SSL Acceleration: The E650GX and E450GX include the Xcel SSL Accelerator Card. Equalizer models without Xcel (E250GX and E350GX) perform all SSL processing in software using the system CPU. Equalizers with Xcel perform all SSL processing using the dedicated processor o...

Page 379: ...them, it is possible that they may be negotiated with clients. This will not lead to incorrect operation of the system, but encryption for these cipher suites will occur in software instead of taking advantage of the improved performance provided by the Xcel hardware. ...

Page 380: ...will have these headers inserted. Some applications may require a special header in the request, and the following section describes how Equalizer can be configured to provide a custom HTTPS header for such applications. Providing FTP Services on a Virtual Cluster: The FTP protocol dates from the 1970s and was designed to be used in an environment where the network topology is simple and the FTP server...

Page 381: ... FTP data connections are automatically configured internally with a sticky time of one second. This is necessary to support the passive mode FTP data connection that most web browsers use. This means that there will be one sticky record kept for each FTP data connection. For an explanation of sticky records, see Enabling Sticky Connections on page 371. FTP clu...

Page 382: ... necessary for Equalizer to receive and examine the server's responses: the client makes a request and the server simply streams a large amount of data to the client. DSR is supported on Layer 4 TCP and UDP clusters only, and is not supported for FTP clusters (Layer 4 TCP clusters with a start port of 21). Port translation or port mapping is not supported in DSR configurations. DSR configurations are usu...

Page 383: ...er routes a request to a server in a virtual cluster; that is, the IP address of the client is sent to the server, not the IP address of the Equalizer. This flag must be enabled for DSR. Idle Timeout: This is the time in seconds before reclaiming idle Layer 4 connection records. Applies to Layer 4 TCP clusters only. For DSR, the Idle timeout slider must be set to a non-zero value or Equalizer will never r...

Page 384: ...nable the Direct Server Return and Spoof check boxes. 4. If the cluster is a Layer 4 TCP cluster and the idle timeout parameter is set to 0, increase it as described in the table above. Skip this step for Layer 4 UDP clusters. 5. Click on Commit to save your changes to the cluster configuration. 6. If you need to add server instances to a server pool, add them by doing the following: a. Right-click the serve...

Page 385: ...d be able to successfully ping all of the servers from the test machine. 5. From the internal network test machine, ping the server aliases on each of the servers. You should be able to successfully ping all of the servers from the test machine using their aliases. 6. From the internal test machine and each of the servers, ping the Equalizer address that you use as the default gateway on your servers. If...

Page 386: ... subset of servers that the load balancing algorithms will use for a particular request. By default, a request is load balanced over all the available non-spare servers in a cluster. Match rules allow you to select the group of servers or server pools that will be used to load balance the request. For each virtual cluster you can specify any number of match rules. For each match rule you specify the su...

Page 387: ...in the request selects a match rule (that is, the match rule expression evaluates to true), no further match rules are checked against the request. Equalizer makes a load balancing decision as follows: 1. If the request headers contain a cookie that specifies a server pool for the match rule, Equalizer sends the request to the server in the cookie. Otherwise: 2. Equalizer sends the request to the server poo...

Page 388: ...t of reducing to a minimum the amount of match rule processing required for requests to that cluster. This is best illustrated by an example. Let's say you want to construct a set of match rules that achieves these goals: Direct all requests whose URL contains one of two specific directories to specific server pools (assume these two directories are support and engineering). Of the two directories, a...

Page 389: ...a03 match for specific directory names. We match for the most common directory name first, then the less common directory name. Finally, if all three of the match rule expressions for ma01, ma02 and ma03 fail to match an incoming request, then that request is load balanced across the server pool in the cluster using the options set on the cluster and mirrored in the Default match rule. Match Rule Express...

Page 390: ...mple, it is usually best from a performance perspective to keep them simple. The most simple match expression is one made up solely of a single match function. The truth value (true or false) of this expression is then returned by the match function. For example, a match function common to all Layer 7 protocols is the any function, which always returns true independent of the contents of the request data ...

Page 391: ... argument matches somedir; filename returns true if its argument matches somepage.html. Other functions can evaluate the contents of the Host header in the request URI above: host www.website.com; host_prefix www; host_suffix website.com. Some function arguments can take the form of a regular expression (see footnote 1). Note that you cannot put regular expressions [footnote 1:] Matching regular expressions using _regex functions i...

Page 392: ...match the expression in the match rule. The reserved server names all and none specify, respectively, the set of all servers in the virtual cluster and none of the servers in the virtual cluster. If you do not assign servers, none will be available for load balancing; as a result, the connection to the client will be dropped. In general, you can override most cluster-specific variables in a match body. One ...

Page 393: ...lag for comparisons when it is not set on the cluster. When this function is ANDed with other functions, it has the effect of forcing case to be ignored for any comparisons done by the match rule. observe_case: This function always evaluates to true and is intended to be used to override the ignore_case flag for comparisons when it is set on a cluster. When this function is ANDed with other functions...

Page 394: ...lar expression matches the associated header text. In addition to the functions in the preceding table, a set of functions is provided that allows you to process requests based on the various components of a request's destination URI. A URI has the following parts, as defined in RFC 1808: scheme, hostname, path, params, query, fragment. In addition, Equalizer further breaks up the path component of the URI int...

Page 395: ...f the string argument is a suffix of the path component of the request URI. pathname_substr(string): This function evaluates to true if the string argument is a substring of the path component of the request URI. pathname_regex(string): This function evaluates to true if the string argument, interpreted as a regular expression, matches the path component of the request URI. dirname(string): This function ev...

Page 396: ...name portion of the URI path. query(string): This function evaluates to true if the string argument exactly matches the optional query component of the request URI. The query, if present, appears in a URI following a question mark. The syntax of a query is application specific, but generally it is a sequence of key=value pairs separated by an ampersand. query_prefix(string): This function evaluates to true if t...

Page 397: ...hat is evaluated against the incoming request. If the expression evaluates to true, the Server Pool field specifies the pool of servers that will be used to satisfy the incoming request, as well as the options that will be set for the request. Refer to Managing Server Pools on page 430. Match Rule Expression Examples: A match rule expression must be specified in double quotes, so any quotes used in a funct...

Page 398: ...erver pools, parameters and flags specified in the match rule. The server pools specified in the match rule may be in a number of states that affect the load balancing behavior: the servers within the server pools may be up or down, and may have one or both of the quiesce and hot spare options enabled. server up: The request is routed to the selected server. up, quiesce enabled: The request is routed to the...

Page 399: ...etried. If we instead were to skip a match rule because, for example, the server selected by the match rule is down, the request would be evaluated by the next match rule or the default match rule. The request therefore could potentially be sent to a server in the cluster that does not have the requested content. This means that the client would receive a not found error instead of an error indicating t...

Page 400: ...case is set on the cluster, you would use the following expression to force the header_substr function to make case-sensitive string comparisons: observe_case and header_substr("host", "MySystem"). Regular Expressions: Some match functions have prefix, suffix, substr or regex variants. The regex variants interpret an argument as a regular expression to match against requests. Regular expressions can be very cos...
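The match rule semantics described on pages 386 through 400 (first matching rule wins, the Default rule with any last, the RFC 1808 URI decomposition into scheme, hostname, path, params, query and fragment with the path further split into dirname and filename, the prefix/suffix/substr/regex function variants, and ignore_case/observe_case overriding the cluster's case flag for comparisons ANDed after them), as an added example that is not Equalizer product code. Expressions are written here as Python callables rather than in the appliance's own expression language, and the rule names, server pool names, directory names and sample requests are constructed for the example, loosely following the ma01/ma02/ma03 arrangement on page 389.

```python
"""Evaluator for Equalizer-style Layer 7 match rules. Added example; not
Equalizer product code. The appliance's expression syntax is not parsed here;
rules compose Python callables instead."""
import re
from urllib.parse import urlsplit


class Request:
    """Request URI decomposed per RFC 1808, plus Equalizer's dirname/filename."""

    def __init__(self, uri, headers=None):
        self.headers = headers or {}
        p = urlsplit(uri)
        self.scheme = p.scheme
        self.hostname = p.hostname or self.header("Host")
        # RFC 1808 separates ";params" from the path; urlsplit keeps them together
        self.path, _, self.params = p.path.partition(";")
        self.query, self.fragment = p.query, p.fragment
        head, _, self.filename = self.path.rpartition("/")
        self.dirname = head or "/"

    def header(self, name):
        # HTTP header names are case-insensitive regardless of the cluster flag
        return next((v for k, v in self.headers.items() if k.lower() == name.lower()), "")


class Ctx:
    """Per-evaluation flags, seeded from the cluster's ignore_case setting."""

    def __init__(self, ignore_case=False):
        self.ignore_case = ignore_case


# Match functions take (req, ctx) and return a bool, so they compose with
# Python's and/or/not the way the guide's expressions compose with && || !.
def any_(req, ctx):
    return True


def ignore_case(req, ctx):
    ctx.ignore_case = True    # true; affects comparisons ANDed after it
    return True


def observe_case(req, ctx):
    ctx.ignore_case = False   # true; overrides a cluster-level ignore_case
    return True


def _matcher(kind, getter, arg):
    def fn(req, ctx):
        value = getter(req)
        if kind == "regex":
            return re.search(arg, value, re.IGNORECASE if ctx.ignore_case else 0) is not None
        needle = arg
        if ctx.ignore_case:
            value, needle = value.lower(), arg.lower()
        return {"exact": value == needle, "prefix": value.startswith(needle),
                "suffix": value.endswith(needle), "substr": needle in value}[kind]
    return fn


def dirname(s):         return _matcher("exact", lambda r: r.dirname, s)
def filename(s):        return _matcher("exact", lambda r: r.filename, s)
def pathname_prefix(s): return _matcher("prefix", lambda r: r.path, s)
def pathname_suffix(s): return _matcher("suffix", lambda r: r.path, s)
def pathname_substr(s): return _matcher("substr", lambda r: r.path, s)
def pathname_regex(s):  return _matcher("regex", lambda r: r.path, s)
def query(s):           return _matcher("exact", lambda r: r.query, s)
def query_prefix(s):    return _matcher("prefix", lambda r: r.query, s)
def host(s):            return _matcher("exact", lambda r: r.hostname, s)
def host_prefix(s):     return _matcher("prefix", lambda r: r.hostname, s)
def host_suffix(s):     return _matcher("suffix", lambda r: r.hostname, s)
def header_substr(name, s): return _matcher("substr", lambda r: r.header(name), s)


class MatchRule:
    def __init__(self, name, expr, server_pool):
        self.name, self.expr, self.server_pool = name, expr, server_pool


def select_pool(rules, req, cluster_ignore_case=False):
    """First rule whose expression is true wins; later rules are not checked."""
    for rule in rules:
        if rule.expr(req, Ctx(cluster_ignore_case)):
            return rule.name, rule.server_pool
    raise RuntimeError("no rule matched; a Default rule with any() must be last")


# Constructed rule set: the cheap "not a special directory" test first, then
# the common directory, then the rarer one, then Default (assumed names).
is_support = pathname_prefix("/support/")
is_eng = pathname_prefix("/engineering/")
RULES = [
    MatchRule("ma01", lambda r, c: not (is_support(r, c) or is_eng(r, c)), "sp_main"),
    MatchRule("ma02", is_support, "sp_support"),
    MatchRule("ma03", is_eng, "sp_engineering"),
    MatchRule("Default", any_, "sp_main"),
]

if __name__ == "__main__":
    for uri in ("http://www.website.com/index.html",
                "http://www.website.com/support/kb/1.html",
                "http://www.website.com/engineering/"):
        print(uri, "->", select_pool(RULES, Request(uri)))
```

Each rule gets a fresh Ctx so that an ignore_case or observe_case in one rule cannot leak into the next, which is the behaviour the page describes for these functions as per-expression overrides of the cluster flag.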

Page 401: ...rs running the HTTPS protocol. HTTPS is HTTP running over an encrypted transport, typically SSL version 2.0 or 3.0 or TLS version 1.0. (SSL 2.0 and SSL 3.0 have since been prohibited by RFC 6176 and RFC 7568 respectively; do not enable them.) All of the functions available for load balancing HTTP clusters are available for HTTPS clusters. In addition, there are some additional match functions (ssl2, ssl3 and tls1) that match against the protocol specified in an HTTPS request. Supported Characters in URIs: The cha...

Page 402: ...the match rule's server list that is selected by the load balancing policy in effect for the match rule. Same as at left. Second and subsequent requests on the same connection: Same as above. If the request headers contain a cookie specifying a server in the match rule's server list, send the request to the server in the cookie. Otherwise, send the request to the server that was selected by the first req...

Page 403: ...tand the general concepts of match rules covered in Match Rule Expressions and Bodies on page 389. In the Match Rule descriptions herein, instructions are provided for using the GUI first, followed by instructions for accomplishing the same task using the CLI. Refer to Working in the CLI on page 139 for details on using the CLI commands. ...

Page 404: ...tch rule named Default that matches all requests and selects all servers: match Default any then servers all. When displayed, any appears in the Expression field in the GUI as shown below. The default rule specifies that all server pools defined in the cluster should be used for load balancing the request and that all flag settings for the request will be inherited from the cluster flag settings. Creat...

Page 405: ...he rule. You must also associate a server pool with the match rule on the Configuration screen tab. 6. Use the Expression Editor to build your match expression. Refer to Match Rule Expression Examples on page 397 for details on using this feature. 7. Use the Server Pool drop-down list to select a Server Pool to direct Layer 7 traffic to if it complies with the match rule conditions specified. Refer to Mana...

Page 406: ... the connection to the server; instead it sends a TCP RST (reset) to the server when the client closes the connection. Ignore Case: This function always evaluates to true and is intended to be used to apply the Ignore Case flag for comparisons when it is not set on the cluster. When this function is ANDed with other functions, it has the effect of forcing case to be ignored for any comparisons done by th...

Page 407: ...1 Cluster Name SP fe_http Server Pool Responder Cookie Path Cookie Domain Cookie Scheme 0 Cookie Age 0 Cookie Generation 0 Flags disable Expression any. 3. Assign a Server Pool to the newly created Match Rule by entering: eqcli cl clname ma maname srvpool spname. 4. Add or remove Responder, Cookie Path, Cookie Domain, Cookie Scheme, Cookie Age, Cookie Generation and Flags using the procedures above. 5. Co...

Page 408: ...ge 141. 2. Make the desired changes using eqcli as shown in the procedures beginning with step 1. Removing a Match Rule: To delete a match rule using the GUI, follow these steps. 1. Log into the GUI using a login that has add/del access for the cluster. See Logging In on page 230. 2. In the navigation pane on the left, right-click the name of the match rule to be deleted and select Delete Match Rule. 3. Click de...

Page 409: ...ditor allows the user to drag and drop functions and operators to build the desired expressions. The Match Rule Expression Editor is separated into 3 panes. The Operators pane displays the available operators: the logical AND operator, the logical NOT operator, the logical OR operator (||), and the operator used to group functions and operators. The Functions (refer to Match Rule F...

Page 410: ...to discard the details. Clicking on the Continue or Cancel button will close the Expression Editor. Clicking on the Reset button will remove all of your configured parameters and return to the default screen. Clicking on the Commit button will assign all of your match rule configurations to the cluster. The figure below shows an example of a completed Match Rule configuration. In this example, a match r...

Page 412: ...the cluster. 2. In the left frame, right-click the name of the Layer 7 cluster to which you want to add the rule and select Add Match Rule. The Add Match Rule dialog appears. a. Type a name into the Match Rule Name field. In this case, New Match Rule was added. b. Select the Next Match Rule from the drop-down list to determine the placement of New Match Rule in the order of processing. In this case, test was...

Page 413: ...ate a cluster. Let's assume that you only want to disable persistence for incoming requests that have a URI containing a hostname in the following format: xxx.testdonotpersistexample.com. We'll use the host_suffix match rule function to test for the above hostname format. For this example, we assume that a cluster with three server pools has already been defined. We will construct a match rule that will...

Page 414: ...to display the Expression editor. a. Leaving the any expression in place, drag and drop the host_suffix from the Functions pane to the Expression Workbox beside the any expression. b. Type testdonotpersistexample.com into the hostname suffix function. The new expression should appear as follows. c. Click on Continue. 4. Uncheck the Persist checkbox and Disable checkboxes on the Configuration tab. 5. Click o...

Page 415: ...anslates the source IP address in the request to one of Equalizer's IP addresses before sending it on to the server. This is called Source Network Address Translation, or SNAT, and this configuration is often called Full NAT, since Equalizer is translating the client IP in packets from clients as well as the server IP in packets from servers. In this case, servers will send responses to Equalizer's IP a...

Page 416: ...ane to the Expression Workbench. b. Specify a simple IP address (e.g. 192.168.0.240) or an IP address in Classless Inter-Domain Routing (CIDR) notation (e.g. 192.168.0.0/24 to specify an entire subnet) in the client_ip function. Click on the Continue button when finished. The Expression field should now contain the client_ip function with the ip argument you specified above. 5. Uncheck both the Spoof checkbox...

Page 417: ...the right. a. Make sure that the Once Only checkbox is not checked; otherwise, uncheck it and click Commit. b. Make sure the Persist checkbox is not checked; otherwise, uncheck it and click Commit. These steps are necessary because these flags, if enabled, cause only the first request in a connection to be evaluated. Since we want content to come from one server pool and images from another, we want the server...

Page 418: ...7. Click on Commit. The images rule we created selects all the requests for image files; now we need a rule to determine which servers will receive all the other requests. The Default rule is not sufficient, and in fact we don't want it to be reached, since it could send a request for content to one of the image servers. So we'll create another rule with the same match expression as the Default (any) but...

Page 419: ...lect the server pool to which all other content is to be sent. c. Select Commit. The match rule is created, added to the object tree, and its Configuration Screen tab is opened. 9. Check the Persist check box. Remember that in our example we're enabling Persist for the content servers so that persistent sessions can be maintained by the applications that run on these servers. 10. Select the Commit button to...

Page 420: ...VD 20354896 N A N A N A BYTESEND 146733440 N A N A N A DROPNOSRVR 0 N A N A N A TOTALSTKY 0 N A N A N A CURRSTKY 0 0 0 0 REQPARSED 68535 N A N A N A REQFAILED 0 N A N A N A REQFAILHDR 0 N A N A N A RSPPARSED 0 N A N A N A RSPFAILED 0 N A N A N A RSPFAILHDR 0 N A N A N A CLNTTO 68111 N A N A N A SRVRTO 0 N A N A N A CONNTO 0 N A N A N A SELPERSIST 0 N A N A N A SPLICE 50891 N A N A N A CURCLNTWAITQ...

Page 421: ...ration tab if it is not already selected. 3. Click on the arrow beside Clusters to expand the branch. 4. Select a cluster or responder (Server) on the left navigational pane and click on the Reporting tab to display statistics. The following is an example of the statistics displayed. A Layer 4 statistical display is similar; however, it displays Connections/second (CPS), Throughput, Bytes Received, Bytes Sent...

Page 422: ...rs and Match Rules. Sample Layer 7 Cluster GUI Statistical Displays. The following are definitions for the statistical terms shown on both the CLI and GUI. ...

Page 423: ...sponse headers failed. RSPFAILHDR | Too Many Response Headers | Too many response headers. CLNTTO | Cx Dropped Due To Client Timeout | Connections dropped due to client timeout. SRVRTO | Cx Dropped Due To Server Timeout | Connections dropped due to server timeout. CONNTO | Cx Dropped Due To Connect Timeout | Connections dropped due to connect timeout. SELPERSIST | Server Selected By Cookie | The number of times the server...

Page 424: ...ing with Clusters and Match Rules. CLI Term | GUI Term | Definition. OUTBYTECOMP | Output Bytes After Compression | Output bytes after compression. ...

Page 425: ...server responses. N/A | Connections Dropped Due To No Server | Connections dropped due to no server. Layer 4 Cluster Statistic Definitions: CLI Term | GUI Term | Definition. BYTERCVD | Bytes Received | Bytes received. BYTESEND | Bytes Sent | Bytes transmitted. N/A | Connections/second (CPS) | Connections per second. DROPNOSRVR | N/A | Connections dropped due to no server. TOTALSTKY | Total Sticky Records | Total sticky connections. N/A...

Page 426: ...tions on the Statistics pane in the upper right corner of the GUI. Make selections based on the data that you require. The Plot Type selection determines whether the display shown reflects a Static Time Span, which is configured using the slider, or whether a real-time duration is displayed. If Real Time Duration is selected, the slider controls will change to Duration and Refresh controls, as shown below. ...

Page 427: ...statistics that are displayed are determined by the selections on the Statistics pane in the upper right corner of the GUI. Make selections based on the data that you require. ...

Page 428: ...ng the slider, or whether a real-time duration is displayed. If Real Time Duration is selected, the slider controls will change to Duration and Refresh controls, as shown below. In this case, set the Duration of time over which you would like to review statistics and the Refresh rate desired. ...

Page 429: ...V 435; Adding and Configuring a Server Pool (GUI) 437; Adding and Configuring a Server Pool (CLI) 439; Adding Server Instances (GUI) 440; Server Instance Summary Screen 443; Adding Server Instances (CLI) 444; Testing ACV on a Server Instance 445; Associate a Server Pool with a Cluster (GUI) 446; Associate a Server Pool with a Cluster (CLI) 447; Deleting a Server Pool (GUI) 448; Deleting a Server Pool (CLI) 449; Server Pool...

Page 430: ...meters are organized by the server's name and are referred to as server instances within the server pool context. This allows you to associate a distinct set of server instance options (weight, flags, maximum number of connections) with multiple instances of the same real server in different server pools. The following subsections describe Server Pool management using both the GUI and CLI. ...

Page 431: ...red screen, shown on ..., where the server pool configuration parameters can be edited. Clicking on the icon will delete the currently selected server pool. In addition to the names of the server pools on the expandable table, the following is also displayed. Policy: Displays the load balancing policy used with the server pool. Status: The Status icons display the same conditions that are displayed next to the...

Page 432: ...he servers' initial weights and does not attempt to dynamically adjust server weights based on server performance. Static load balancing distributes requests among the servers depending on their assigned initial weights. A server with a higher initial weight gets a higher percentage of the incoming requests. Think of this method as a weighted round-robin implementation. Static weight load balancing d...

Page 433: ...en to a server. Agent Weight: The relative influence on the policy of the return value of a server agent, if any, running on the servers in the cluster. VM CPU: For servers that are associated with VMware Virtual Machines, the relative influence on the policy of the VM CPU usage status returned by VMware. Displayed only if VLB Advanced is licensed and VLB is enabled for this cluster. VM RAM: For serv...

Page 434: ...dynamic weights are very stable, even under a heavy load. In this case, you might want to set the cluster's load balancing response parameter to fast. Then Equalizer tries to optimize the performance of your servers more aggressively; this should improve the overall cluster performance. For more information about setting server weights, see Adjusting a Server's Initial Weight on page 464. Dynamic Weight O...

Page 435: ...nection is established. GET /index.html: user sends request for HTML page. <HTML>: server responds with requested page. <TITLE>Welcome to our Home Page</TITLE> </HTML>. Connection closed by foreign host: Telnet indicates server connection closed. Equalizer can perform the same exchange automatically and verify the server's response by checking the returned data against an expected result. Specifying an ACV probe st...

Page 436: ...string is case-sensitive. An example of a poorly chosen string would be HTML, since most web servers automatically generate error pages that contain valid HTML. For more information on probing, see Active Content Verification (ACV) Probes on page 647. ...

Page 437: ...left navigational pane. a. Configure the load balancing options as described above in Configuring Server Pool Load Balancing Options on page 432. b. Configure the Handshake Probes as described in Health Check Timeouts on page 675. c. When the server pool is associated with HTTPS clusters, the Highest TLS Version slider should be used. This specifies the highest TLS version that will be offered in the SSL...

Page 438: ...Server Pools and Server Instances. 5. Click on Commit to save the configuration. ...

Page 439: ...ol: eqcli srvpool spname req_cmds. 3. Use the load balancing options as described above in Configuring Server Pool Load Balancing Options on page 432 and in Managing Server Pools on page 430 to configure the other server pool parameters. 4. If necessary, configure the ACV Query and ACV Response strings as described in Using Active Content Verification (ACV) on page 435. ...

Page 440: ...side Servers to expand the branch. 5. Select one of the servers in the list of Servers on the tree in the left navigational pane. While holding your mouse button down, drag and drop the server into the desired server pool on the server pool branch of the tree. The figure below will be displayed. 6. Select the initial weight for the server instance using the slider control. If desired, disable the Quiesce check bo...

Page 441: ...pool on the cluster fail. Checking Hot Spare forces Equalizer to direct incoming connections to this server only if all the other servers in the cluster are down. You should only configure one server in a cluster as a hot spare. For example, you might configure a server as a hot spare if you are using licensed software on your servers and the license allows you to run the software only on one node at...

Page 442: ...erridden in any of the following circumstances: A client attempts to connect to a server with the Hot Spare flag enabled; this allows hot spares to service more than the Max Connections setting of connections. A client attempting to connect to a Layer 7 cluster has a persistence cookie and the server identified in the cookie has already reached its Max Connections limit. A client attempting to c...

Page 443: ...isplays server instance details such as Active Connections, Connections/second and Transactions per second, as well as server pool configuration parameters and a graphical representation of performance history from the last 30 minutes. ...

Page 444: ...e parameters for all the server instances. For example, you could change to an aggregate context for the three server instances in the previous example above using a command like the following: eqcli srvpool sp01 si sv01 sv02 sv03 (prompt: eqcli sp sp01 si sv0). The CLI is now in the aggregate server instance context sv01 sv02 sv03, only the first three characters of which are displayed in the command line. To se...

Page 445: ...eived indicating whether probing is successful or if it fails. Testing ACV Using the CLI: In the example below, a server instance is being tested. Enter the following: eqcli sp spname test acv si name. Output: si name ACV probe successful. If you do not specify a server instance in a server pool, all of the server instances will be tested. For example: eqcli sp spname test acv. Output: si name ACV probe successful, si name A...

Page 446: ...tab if it is not already selected. 4. Click on the arrow beside Clusters to expand the branch. 5. Select a Cluster and the Configuration Required screen will be displayed. 6. Select a server pool from the Server Pool drop-down list. 7. Refer to Overview of Clusters on page 315 and make any additional changes to the cluster configuration if necessary. 8. Click on Commit to save the new server pool association...

Page 447: ...described in Starting the CLI on page 141. 2. Use the following format to enter the cluster context: eqcli cluster clname. 3. In the cluster context, enter details in the following format: eqcli cl clname srvpool spname. ...

Page 448: ...the Load Balance configuration tab if it is not already selected. 3. Click on the arrow beside Server Pools to expand the branch. 4. Right-click on the server pool to be deleted on the Server Pool branch of the tree in the left navigational pane and select Delete Server Pool. 5. Click on Confirm when prompted on the Delete Server Pool dialog form. ...

Page 449: ...ng the CLI on page 141. 2. Use the following format to enter the cluster context: eqcli cluster clname. 3. In the cluster context, enter details in the following format: eqcli cl clname no srvpool spname. ...

Page 450: ...and Server Instance Reporting (CLI and GUI). The CLI display of Statistics can be seen by entering the following within the server pool context. Sample Server Pool Statistical Display. ...

Page 451: ...vigational pane if it is not already selected. 3. Click on the arrow beside Server Pools to expand the branch. 4. Select a Server Pool or Server Instance (Server) on the branch and click on the Reporting tab to display statistics. The following is an example of the statistics displayed. ...

Page 452: ...Times Server Selected By Sticky | Total Sticky Records | Total Sticky Records. Total New Server Selected after 3 Retries | New Server Selected After 3 Client Tries | New Server Selected After 3 Client Tries. Total Same Server Selected after 3 Retries | Same Server Selected After 3 Client Tries | Same Server Selected After 3 Client Tries. Total Connections Dropped for Stale Timeout | Cx Dropped Due To Stale Timeou...

Page 453: ...t server connections linked. Total Connections Timed Out in TCP MUX Reuse Pool | Cx Dropped Due To Reuse Pool Timeout | Total connections timed out in TCP MUX reuse pool. Total Connections Terminated for TCP MUX Reuse Pool Overflow | Cx Dropped Due To Reuse Pool Overflow | Total connections timed out in TCP MUX reuse pool. Total Connections Closed by Server in TCP MUX Reuse Pool Overflow | Cx Dropped Due To Se...

Page 454: ...Tries | Same server selected after 3 retries. NEWFAILTHRICE | New Server Selected After 3 Client Tries | New server selected after 3 retries. RSPPARSED | Number of Request Headers Parsed | Response headers parsed. RSPFAILED | Number of Request Headers Failed Parsing | Responses failed header parsing. RSPFAILHDR | Total Responses Dropped for Exceeding Header Limit | Responses dropped for exceeding header limit. CLNTTO | C...

Page 455: ...rrent responses being compressed. TOTALCOMP | Total Responses Compressed | Total responses compressed. INBYTECOMP | Input Bytes To Compress | Total plain text bytes before compression. OUTBYTECOMP | Output Bytes After Compression | Total compressed response bytes. The following is a graphical plot that can be displayed on the GUI. Select a server pool or server instance in the left navigational pane and click on t...

Page 456: ...lection determines whether the display shown reflects a Static Time Span, which is configured using the slider, or whether a real-time duration is displayed. If Real Time Duration is selected, the slider controls will change to Duration and Refresh controls, as shown below. In this case, set the Duration of time over which you would like to review statistics and the Refresh rate desired. ...

Page 457: ...re Configuration 463; Adjusting a Server's Initial Weight 464; Interaction of Server Options and Connection Processing 466; Configuring Routing on Servers 469; Server Statistics and Reporting (CLI and GUI) 471. ...

Page 458: ...is not already selected. 3. Click on Servers to display the Server Summary screen. From this screen you can add a new server by clicking on the add icon. You can delete a server by selecting a server and clicking on the delete icon. You can modify server configuration by selecting a server and clicking on the edit icon. This will expand the window and activate the server Settings area, as shown below. Refer to Adding and Modifying Servers on page 460...

Page 460: ...tion is set to 0, which means that Equalizer will route traffic to the server whenever the server is selected by the current load balancing settings. If Maximum Reused Connections is set to a value greater than 0, then Equalizer limits the total number of simultaneously open connections to the server to that value. This restriction applies regardless of the persistence options set on the cluster. When...

Page 461: ...tion tab, and the new server will appear on the Server branch in the left navigational pane. The server IP address and Port will be visible in the Server Configuration screen. Modifying Servers: The configuration tabs for a server are displayed automatically when a server is added to the system, or by selecting the server name from the left navigational pane. 1. Log into the GUI using a login that has a...

Page 462: ...her than 443, since Equalizer communicates with servers in an HTTPS cluster via HTTP. For L4 UDP and L4 TCP protocol clusters, a cluster port range can be defined. These are the ports on the Equalizer to be used to send traffic to the server pool in the cluster. Port ranges allow Equalizer users to create a single cluster to control the traffic for multiple contiguous ports. The Port defined for a serve...

Page 463: ...er as its default gateway, so that all packets that come through Equalizer from clients will pass back through Equalizer and then to the clients. You do not need to configure Equalizer as the gateway for the servers if you have disabled the IP spoof flag for the cluster. Header Limit: Server responses and client requests must contain 64 or fewer headers; any packet that contains more than 64 header...

Page 464: ...t of servers dynamically as traffic goes through the cluster. Dynamic server weights might vary from 50 to 150 percent of the statically assigned values. To optimize cluster performance, you might need to adjust the initial weights of the server instances in a server pool based on their performance. Note: Equalizer stops dynamically adjusting server weights if the load on the cluster drops below a certain threshol...

Page 465: ...L pages and images. See Adding a Responder on page 480 for information on configuring a responder. To use a hot spare, you would usually configure it on Equalizer as follows: 1. Set Maximum Reused Connections to zero (0) so that all connection requests sent to the hot spare are accepted. 2. Enable the Hot Spare flag. This specifies that any requests refused by all the other server instances in a server pool...

Page 466: ...ver disabled. An initial weight of 0 tells Equalizer that no traffic should be sent to the server, disabling the server. This option setting takes precedence over all other options, including persistence, hot spare, etc. Max Connections 0: If set to a non-zero value, Equalizer limits the total number of simultaneously open connections to the server to that value. This limit is not overridden if the Hot Spa...

Page 467: ...ests for clients that have a persistent session with the server. When you quiesce a server, Equalizer does not route new connections from new clients to the server, but will still send requests from clients with a persistent session to the quiescing server. Once all the persistent sessions on the server have expired, you can set the server's initial weight to zero; then Equalizer will not send additiona...

Page 468: ...lso be necessary to reconfigure probe timeouts in order to account for network latency. An example of a configuration with both directly connected servers and remotely accessible servers is illustrated in the diagram below. The configuration shown above is an example of a single VLAN configuration, where Equalizer communicates with all servers and clients via the same subnet. The example cluster show...

Page 469: ...gurations with Layer 4 clusters are an exception to this rule. In DSR configurations, client requests coming through Equalizer are routed to servers, which then respond directly back to the clients without going through Equalizer. Therefore, servers in a DSR configuration typically have a default gateway other than Equalizer. In non-DSR clusters with spoof enabled, you should use one of the following Equ...

Page 470: ...each server from the server's system console, not through a telnet session. This will avoid any disconnects that might otherwise occur as you adjust the network settings on the server. ...

Page 471: ...URRSTKY 0 0 0 0 IDLECONXDROPED 0 N A N A N A STALECONXDROPED 0 N A N A N A FAILTHRICE 0 N A N A N A NEWFAILTHRICE 0 N A N A N A RSPPARSED 281157 N A N A N A RSPFAILED 0 N A N A N A RSPFAILHDR 0 N A N A N A CLNTTO 734 N A N A N A SRVRTO 41182 N A N A N A CONNTO 63477 N A N A N A SELPERSIST 0 N A N A N A SPLICE 69772 N A N A N A CURSRVERUSE 0 0 0 0 CURCLNTWAITQ 0 0 0 0 REUSEOF 0 N A N A N A REUSESRV...

Page 472: ...on the left navigational pane if it is not already selected. 3. Click on the arrow beside Servers to expand the branch. 4. Select a Server and click on the Reporting tab to display statistics. The following is an example of the statistics displayed. Sample Server Statistics GUI Display. ...

Page 473: ...3 retries. RSPPARSED | Number of Request Headers Parsed | Response headers parsed. RSPFAILED | Number of Request Headers Failed Parsing | Responses failed header parsing. RSPFAILHDR | Total Responses Dropped for Exceeding Header Limit | Responses dropped for exceeding the header limit. CLNTTO | Cx Dropped Due To Client Timeout | Connections dropped due to client timeout. SRVRTO | Cx Dropped Due To Server Timeout | Connec...

Page 474: ...timed out in TCP MUX reuse pool. CURCOMP | Current Responses Being Compressed | Current responses being compressed. TOTALCOMP | Total Responses Compressed | Total responses compressed. N/A | Input Bytes To Compress | Input Bytes To Compress. N/A | Output Bytes After Compression | Output Bytes After Compression. The following is a graphical plot that can be displayed on the GUI. Select a server in the left navigation...

Page 475: ...splay shown reflects a Static Time Span, which is configured using the slider, or whether a real-time duration is displayed. If Real Time Duration is selected, the slider controls will change to Duration and Refresh controls, as shown below. In this case, set the Duration of time over which you would like to review statistics and the Refresh rate desired. ...

Page 477: ...hapter include: Automatic Cluster Responders 478; Responder Summary 479; Managing Responders 480; Responder Statistics and Reporting (CLI and GUI) 490. ...

Page 478: ...tch rule is not available. If an incoming request matches a Match Rule expression and the server pool specified in the Match Rule is down, a Responder definition in the Match Rule, if present, tells Equalizer to send one of two automatic responses to the client: A customized HTML sorry page that can, for example, ask the client to retry later or go to another URL. A standard HTTP Redirect response tha...

Page 479: ...Responders to display the Responder Summary screen. From this screen you can add a new responder by clicking on the add icon. You can delete a responder by selecting a responder and clicking on the delete icon. You can modify responder configuration by selecting a responder and clicking on the edit icon. This will activate and expand the Responders summary screen to include the Responder Configuration details described in Adding a Responder on page 480. ...

Page 480: ...er on the Responder branch in the left navigational pane and select Delete Responder. A Responder cannot be deleted if it is currently used in a match rule definition. Adding a Responder: Responders are a global resource; once created, they can be individually assigned to one or more match rules in one or more clusters. Up to 8192 Responders can be created. 1. Verify that you are logged into the GUI. If n...

Page 481: ...llowing is an example of a Redirect URL with named variables: http 1 2 net 3 4 (see Using Regular Expressions in Redirect Responders on page 482). Regular Expression: An optional POSIX-style regular expression that splits the incoming request URL into variables that can be used for string replacement in the HTTP Redirect URL (see above). See Using Regular Expressions in Redirect Responders on page...

Page 482: ...Responder parameters. 3. Click Commit to save your changes. Using Regular Expressions in Redirect Responders: In some cases it may be desirable to examine the URL of an incoming request and re-use parts of it in the URL returned to the client by a Redirect Responder. This is the purpose of the Regex field: specify a custom regular expression that is used to parse the URL of an incoming request, brea...

Page 483: ...e these variables in the URL field, as shown in the following Responder Configuration screen tab. This Responder can be used in any cluster where a Redirect to an HTTPS cluster is desired. Example 2: Multi-Hostname Redirect. Let's assume that we have a set of .com host names, all of which resolve to the same cluster IP, and we need a Responder that redirects requests to the same hostname prefixes with a n...

Page 484: ...nvolve either a more complex regular expression that matches both, or an additional Responder with a regular expression that matches IP addresses, as well as two match rules to match the two types of host names so that the appropriate Responder replies to the client. Example 3: Directory Redirect. The next example involves redirecting requests that include a particular directory to a different domain o...

Page 485: ...esponder to be used only for specific requests, then create an appropriate match rule expression to match those requests. See Using Match Rules on page 386. Server selection: By default, no servers are selected in a match rule. This means that any incoming request URL that matches the match rule expression will be handled by the responder specified in the match rule. If you want the responder to be used...

Page 486: ...create a new Responder and then add a match rule to the cluster. 1. Verify that you are logged into the GUI. If not, log in as described in Logging In on page 230. 2. Select the Load Balance configuration tab if it is not already selected. 3. Right-click on Responder in the left navigational pane and select Add Responder. The Add New Responder dialog appears. 4. Type Sorry_Example into the Name field and sel...

Page 487: ...vigational pane and select Add Responder. The Add New Responder dialog appears. 4. Type Redirect_Example into the Name field and select Redirect. 5. Type https://www.example.com/special into the URL field. 6. Click Commit to save the new Responder. 7. Right-click on the name of the cluster for which you want to display the sorry page in the left frame and select Add Match Rule from the menu. 8. Refer to Creatin...

Page 488: ...he above procedure, all client requests to http://cluster/special will be redirected to https://www.example.com/special, even when all the server instances in a server pool are available. ...

Page 489: ...uster. It should also be noted that resources Equalizer uses to service client requests via the Responder feature are resources potentially taken away from processing other client requests. In most cases, Responders might possibly have an effect on performance if all the servers in one or more clusters are down during periods of peak usage. ...

Page 490: ...the statistics displayed. Sample Responder GUI Statistics Display. The following are definitions for the statistical terms shown on both the CLI and GUI. Responder Statistics Definitions: CLI Term | GUI Term | Definition. N/A | Connections/second (CPS) | Connections/second. N/A | Transactions/second (TPS) | Transactions/second. N/A | Throughput | Throughput. N/A | Total Connections | Total connections. N/A | Active Connections | Act...

Page 491: ...econd The Plot Type selection determines whether the display shown reflects a Static Time Span which is configured using the slider or whether a real time duration is displayed If Real Time Duration is selected the slider controls will change to Duration and Refresh controls as shown below In this case set the Duration of time in which you would like to review statistics and the Refresh rate desired...


Page 493: ...ing 494 Outbound Link Load Balancing 495 Configuring Outbound Link Load Balancing 496 Inbound Link Load Balancing 503 Configuring Inbound Link Load Balancing 504 Copyright 2014 Coyote Point Systems A Subsidiary of Fortinet Inc All Rights Reserved 493 Equalizer Administration Guide ...

Page 494: ...supports them If a primary ISP link fails LLB enables the seamless redirection of traffic through a backup link Similar to GSLB inbound LLB avoids the need for failover via Border Gateway Protocol BGP by using DNS based load balancing and gateways instead LLB also adds the capability of clients reaching each of your points of presence through multiple paths It is typically configured for both outb...

Page 495: ...tions If you want Equalizer to avoid links that are not available or links that do not have complete routes to crucial IP addresses you will need to enable link health checks Each link health check will periodically send Layer 3 ICMP ECHO probe pings from the Equalizer interface IP to an IP address that must be reachable in order for the link to be determined to be available This can be any IP add...

Page 496: ...ANs as described in Configuring Subnets on page 301 Configure the subnets over which your internal and link traffic and health checking probes will traverse Enter a name maximum of 47 characters 4 Click on the Link Load Balance configuration tab on the left navigational pane Configuring Gateway 5 Click on the arrow beside Outbound to expand the branch and then click on Gateways to display the Link...

Page 497: ...om among all that are up the gateway with the highest weight 8 Click on Commit to save the LLB Gateway 9 Repeat steps 5 6 and 7 for additional LLB Gateways When the LLB Gateways are configured they will appear on the list as shown To edit LLB Gateways either double click a Gateway on the list or select a Gateway using the check box and selecting the edit icon Both methods will display the LLB Gate...

Page 498: ...or the group in the space provided You also have the option of disabling the group by selecting the Disable check box The Gateways Used and Gateways Not Used unused panes list all existing Gateways You can associate one or more with the group by dragging and dropping the gateways 13 Click on Commit to save the OLLB Group Set Up NAT 14 If needed set up NAT Select a subnet from the left navigational...

Page 499: ...e that any destination can be used Also enter a Gateway The Gateway is the packet destination Enter an LLB Group name that you configured in steps 10 13 23 Click on Commit to save the route The Static Route will be displayed In the example below 2 static routes are configured on a subnet 192 4 Both use a Destination IP of 0 0 Note the llbg1 gateway group name on the second routing entry This indic...

Page 500: ...he outbound gateways as shown In the example int is used for the internal VLAN and ext is used for the external VLAN eqcli vlan int subnet sn0 ip 1 1 0 2 24 eqcli vlan int subnet sn1 ip 1 1 1 2 24 eqcli vlan int subnet sn2 ip 1 1 2 2 24 eqcli vlan ext subnet sn3 ip 1 2 3 4 24 eqcli vlan ext subnet sn4 ip 1 4 5 6 24 eqcli vlan ext subnet sn5 ip 1 6 7 8 24 Configuring Gateways 2 Set up LLB Gateways ...

Page 501: ...i llb gw 1 2 3 1 weight value b By default when you create a gateway it is enabled If necessary you can disable the gateway by entering eqcli llb gw 1 2 3 1 flags disable c By default LLB gateway health checks are enabled To disable health checks enter eqcli llb gw 1 2 3 1 flags disable_hc Configuring OLLB Groups 4 The gateways set up from the previous step are grouped into an OLLB Group group1 i...

Page 502: ...t 1 4 5 33 nat sn0 out gw 1 4 5 1 eqcli vlan int subnet sn1 nat from 1 1 1 0 24 out 1 2 3 34 nat sn1 out gw 1 2 3 1 eqcli vlan int subnet sn1 nat from 1 1 1 0 24 out 1 4 5 34 nat sn1 out gw 1 4 5 1 Configuring Subnet Routes 6 In the example shown below subnets sn0 and sn1 will be routed through the outbound LLB group1 from step 3 above eqcli vlan int subnet sn0 route 0 0 gw group1 eqcli vlan int s...

Page 503: ...ess of an FQDN However unlike GSLB the IP address returned in the DNS reply does not represent a geographic location but rather one of several links available on a single Equalizer The illustration below shows how ILLB functions Copyright 2014 Coyote Point Systems A Subsidiary of Fortinet Inc All Rights Reserved 503 Equalizer Administration Guide ...

Page 504: ...effect a cluster of clusters This cluster of clusters will be bound together with the ILLB group object Configuration of OLLB consists of the following 1 Adding VLANs with subnets 2 Configuring gateways 3 Configuring ILLB groups 4 Add Targets to the ILLB groups Using the GUI 1 Log in to the GUI Configuring VLANs with Subnets 2 Configure VLANs as described in Configuring VLANs on page 297 3 Add sub...

Page 505: ...izer will select from among all that are up the gateway with the highest weight 8 Click on Commit to save the LLB Gateway 9 Repeat steps 5 6 and 7 for additional LLB Gateways When the LLB Gateways are configured they will appear on the list as shown In the list shown above the Flags that are checked are displayed To edit LLB Gateways either double click a Gateway on the list or select a Gateway u...

Page 506: ...d TTL the Time To Live is the length of time in seconds that the client s DNS resolver should cache the resolved IP address The default is 120 that is 2 minutes Policy options are rr round robin policy causes the load balancer to send a DNS reply with the IP address associated with each available gateway in turn This is equivalent to traditional round robin DNS load balancing Prefer if more than o...

Page 507: ...LANs with Subnets 1 Configure VLANs as described in Configuring VLANs on page 297 2 Configure subnets as described in Configuring Subnets on page 301 Configure the subnets over which your internal and link traffic and health checking probes will traverse An example is shown below eqcli vlan int subnet sn0 ip 1 1 0 2 24 eqcli vlan int subnet sn1 ip 1 1 1 2 24 eqcli vlan int subnet sn2 ip 1 1 2 2 24...

Page 508: ...By default the gateway s weight value is 50 If you would like to change the weight enter the following and enter a value eqcli llb gw 172 16 128 1 weight value b By default when you create a gateway the health checks are enabled If necessary you can disable the health check by entering eqcli llb gw 172 16 128 1 flags disable_hc c To enable the health check after it has been disabled enter eqcli l...

Page 509: ...at is 1 minute 6 Add a weight and policy to the ILLB group eqcli illb grp illb1 weight 50 weight by default the gateway s weight value is 50 If you would like to change the weight enter the following and enter a value eqcli illb grp illb1 weight value flags by default the illb grp is enabled To disable it enter eqcli illb grp name flags disable 7 Display the new illb grp by entering eqcli show ill...

Page 510: ...p newllb target t1 ip 172 16 191 34 gw 172 16 128 1 weight 50 9 Show the new illb grp target by entering eqcli show illb grp newllb target t1 ILLB Target Name t1 IP Address 172 16 191 34 Gateway 172 16 128 1 Weight Flags eqcli 10 Display the list of ILLB group targets by entering eqcli show illb grp illb1 target Name IP Gateway t1 172 16 191 34 172 16 128 1 eqcli 510 Copyright 2014 Coyote Point Sy...

Page 511: ...Configuration 513 Using Envoy with Firewalled Networks 516 Using Envoy with NAT Devices 516 Configuring GeoClusters 517 Configuring GeoSites 522 GeoSite Instance Parameters 523 GeoSite Resources and GeoSite Instance Resources 527 Copyright 2014 Coyote Point Systems A Subsidiary of Fortinet Inc All Rights Reserved 511 Equalizer Administration Guide ...

Page 512: ...alanced by an Equalizer the IP address returned is the IP address of an Equalizer cluster After resolving the name the client sends the request to the cluster IP When Equalizer receives the client request it load balances the request across the server pool in the cluster based on the current load balancing policy and parameters In an Envoy conversation you have two or more Equalizers located in se...

Page 513: ...le to access the requested site Local Caching DNS Server In a typical GSLB configuration a local or caching DNS server resides in the client s LAN environment When the client directs the browser to get to a URL i e www coyotepoint com the browser requests the local DNS to resolve the name i e www coyotepoint com to an IP address Once the local DNS server resolves the name to an IP address it will firs...

Page 514: ...yotepoint com domain to delegate authority for www coyotepoint com to both east coyotepoint com and west coyotepoint com When queried to resolve www coyotepoint com coyotepoint com s name servers should return name server NS and alias A address or glue records for both Envoy sites An example of a DNS zone file for this configuration is shown below In this example the systems ns1 and ns2 are assume...

Page 515: ...version of DNS that you are using for more information on the zone file content and format Envoy also supports AAAA also called quad A records for IPv6 addresses To ensure that you have properly configured DNS for Envoy you can use the nslookup command supported on most OS platforms to confirm that the DNS server is returning appropriate records as in this example nslookup www remotesite com Serve...

Page 516: ...ho response packets from clients outside the firewall When a client attempts a DNS resolution Envoy sites send an ICMP echo request ping packet to the client and the client might respond with an ICMP echo response packet Using Envoy with NAT Devices If an Envoy site is located behind a device such as a firewall that is performing Network Address Translation NAT on incoming IP addresses then you m...

Page 517: ... the left navigational pane and the Add GeoCluster form will be displayed 3 Enter a GeoCluster Name in the space provided 4 Enter a FQDN in the space provided This is the Fully Qualified Domain Name of the GeoCluster for example www coyotepoint com The FQDN must include all name components up to the top level com net org etc Do not include the trailing period 5 Click on Commit to add the GeoClust...

Page 518: ... site the initial weight setting of the site and ICMP triangulation responses The policy setting tells Envoy the relative weight to assign to each metric when choosing a site round robin causes Envoy to send requests to each available site in turn in the order they are listed in the configuration This is equivalent to traditional round robin DNS load balancing round trip weights the ICMP triangula...

Page 519: ...urned in a DNS response that will be allowed in this GeoCluster The first address will be the actual selected GeoSite Those that follow will be any site which is up in the list of GeoSites ICMP triangulation option When a request for name resolution is received by Envoy from a client s local DNS this option if enabled tells Envoy to request network latency information from all sites in order to m...

Page 520: ... are others that did not fail and that are not down then GeoSite selection will only include those sites that successfully completed ICMP triangulation This is the same as the Version 8 6 behavior Adding a GeoCluster CLI To add a GeoCluster using eqcli as follows 1 Log in to eqcli as described in Starting the CLI 2 Enter the following at the CLI prompt eqcli geocluster gcname req_cmds Deleting a G...

Page 521: ...bed in Starting the CLI 2 Use the parameter descriptions above and the command line sequences described in GeoCluster and GeoSite Instance Commands to view and modify GeoCluster parameters using eqcli Copyright 2014 Coyote Point Systems A Subsidiary of Fortinet Inc All Rights Reserved 521 Equalizer Administration Guide ...

Page 522: ...played 4 Enter a GeoSite Name and an Agent IP The Agent IP is the IP address of the GeoSite s Envoy Agent This is the subnet IP address of Envoy at this site on which the Envoy Agent is running On EQ OS 10 you can enable the Envoy Agent on any subnet s VLAN IP address or Failover IP address 5 Click on Commit to add the GeoSite The new GeoSite will appear on the left navigational pane You can vie...

Page 523: ...nd configuring GeoSite Instance parameters Adding and Configuring a GeoSite Instance GUI To add a GeoSite instance to a GeoCluster using the GUI proceed with the following 1 Log in to the GUI See Logging In on page 230 2 Configuring GeoClusters on page 517 to configure a GeoCluster 3 Add a GeoSite instance to a GeoCluster using one of the following methods a Using the GUI drag and drop functionali...

Page 524: ...tween 10 and 200 Use the default of 100 if all sites are configured similarly otherwise adjust higher or lower for sites that have more or less capacity Equalizer uses a site s initial weight as the starting point for determining what percentage of requests to route to that site Equalizer assigns sites with a higher initial weight a higher percentage of the load The relative values of site initia...

Page 525: ...ult value is disabled l Disabled When turned on no traffic will be routed to the site Default value is off Deleting a GeoSite Instance GUI To remove a GeoSite instance from a GeoCluster using the GUI proceed with the following 1 Log in to the GUI See Logging In on page 230 2 Click on the GeoSite Instance on a GeoCluster branch on the left navigational pane and select Delete GeoSite Instance Adding...

Page 526: ...age 141 2 Enter the following at the CLI prompt eqcli no geocluster gclname gsi gsimaname where gclname is the name of the GeoCluster gsi is the GeoSite instance gsimaname is the name of the GeoSite instance 526 Copyright 2014 Coyote Point Systems A Subsidiary of Fortinet Inc ...

Page 527: ...San Jose GeoSites the Resources of each will be defined as GeoSite Resource Instances in a GeoCluster Name a GeoSite Resource GUI 1 Log in to the GUI See Logging In on page 230 2 Select a GeoSite from the left navigational pane 3 Right click on the GeoSite and select Add GeoSite Resource and the following will be displayed 4 Enter a name for the Resource and click on Commit The GeoSite Resource wi...

Page 528: ...ame drop down list to select one of the previously defined GeoSite Resources 4 Click on Commit to add the Resource Instance It will be displayed on the left navigation tree as shown below Name a GeoSite Resource CLI 1 Log in to eqcli as described in Starting the CLI on page 141 2 Enter the GeoSite context and add the following at the CLI prompt eqcli ga gsname resource clname where clname is the c...

Page 529: ...he GeoCluster context and following at the CLI prompt eqcli gcl gclname GeoSite gsname resource clname where gcl is the GeoCluster name gsname is the GeoSite name clname is the name of the GeoSite Resource Copyright 2014 Coyote Point Systems A Subsidiary of Fortinet Inc All Rights Reserved 529 Equalizer Administration Guide ...


Page 531: ...er Interface Subnet States and Substates 545 Failover Between EQ OS 8 6 and EQ OS 10 546 Guidelines for Upgrading a Failover Pair from EQ OS 8 6 to EQ OS 10 546 EQ OS 8 6 Failover Constraints 546 Server Availability Constraint 547 Enable Failover of EQ OS 8 6 to EQ OS 10 548 Configuring Active Passive Failover Between Two Systems 555 Configuring VLAN Subnet Failover Settings CLI 556 Configuring VL...

Page 532: ...uests sent to the cluster IP addresses defined in the configuration this unit is called the active peer or the current primary Equalizer in the pairing The other Equalizer called the passive peer or current backup does not process any client requests Both units continually send heartbeat probes or failover probes to one another If the current primary does not respond to heartbeat probes a failover...

Page 533: ...obe Count value a If the Global Failed Probe Count on the failover configuration is 0 then the Failed Probe Count configured on the subnet will be used to determine when failover occurs b If the Global Failed Probe Count is reached BEFORE the Failed Probe Count configured on the subnet then failover will occur c If the Failed Probe Count configured on the subnet is reached BEFORE the Global Failed Pr...

Page 534: ...10 can be configured into failover with another Equalizer running either of these releases l EQ OS 10 l EQ OS 8 6 latest release Note Failover is not supported between EQ OS 10 and any release prior to EQ OS 8 6 0c 534 Copyright 2014 Coyote Point Systems A Subsidiary of Fortinet Inc ...

Page 535: ...GUI Peer Summary screen for failover related errors If the Log or Syslog indicate a VLAN mismatch configuration synchronization will be automatically disabled As long as the 2 failover peers are heartbeating and a subnet configured with the command flag enabled works properly they will exchange configuration files It is possible that a VLAN mismatch will not allow them to synchronize properly a ...

Page 536: ...w failover The following is an example of the failover display eqcli show failover Local Peer Failover Information Command subnet Vlan v2 Subnet sn172 Failover Enabled Mode Active Passive Preferred Primary Yes Config Sync Enabled 12000003 You have 1 pending alert notification eqcli In the GUI select System Failover on the left navigational pane The following is an example of the Peer Summary displ...

Page 537: ... For the same failure situations that cause a peer to take over all the cluster and floating IP addresses in an Active Passive failover configuration A A operates the same way that is that a healthy peer takes over all of the cluster and failover IPs However if and when the sick peer is healed there is no automatic return migration of the clusters and the user needs to invoke a rebalance command t...

Page 538: ...s only 1 Failover Group Backup The system is the Backup for all Failover Groups Note In Active Passive failover there is only 1 Failover Group Mixed The system is in Active Active failover and is the Primary for at least one Failover Group and Backup for at least 1 Failover Group Initializing The system is still initializing and has not yet settled into any of the above states In the CLI the failo...

Page 539: ...tion This problem occurs at boot up because the switch disables its ports for roughly 30 seconds to listen to BPDU Bridge Protocol Data Unit traffic The 30 second pause causes both Equalizers to attempt to become the primary unit and the default backup continually reboots To repair this condition either disable Spanning Tree Protocol or enable PortFast for the ports connected with the Equalizers T...

Page 540: ...at each change is transferred before making a change on the other unit 5 A note about GX and LX series Equalizers configured into failover l The VLAN and Link Aggregation configurations are not synched Furthermore the VLAN ports are not compared I e the ports on the VLANs on each system in failover do not have to be the same Since aggregation is just another flavor of ports the aggregation con...

Page 541: ...er with a Version 8 Equalizer 2 If this option is disabled in the local peer definition then configuration file transfer will not be initiated or accepted by that system 3 When Configuration Transfer is disabled between two peers and a VLAN change is made on either or both systems then failover between the units will be disabled because of a VLAN mismatch There will be errors evident in the GUI on...

Page 542: ... same for each peer They will not be checked and therefore no error is logged if they do not match l MTU l interface instances l aggregated interfaces 6 The following peer parameters must be the same on all peers configured into failover However they will be synchronized amongst the Peers just as the non network parameters are l receive timeout l connect timeout l heartbeat interval l retry interv...

Page 543: ...ll heartbeats between the two peers will occur over this long lived connection Once failover is configured it is the system with the greater system ID that always starts the heartbeating process For example if one sysid is 003048BC2C8A and the other is 003048D52AA2 the second sysid has a higher hex value and will start the heartbeating process Failover Timeout Parameters Heartbeat timeout probes a...

Page 544: ...seconds default 1 after a TCP connection is established of how long a peer waits for the other peer s response Failover Occurs If l The number of failed probes on any single subnet equals or exceeds the Failed Probe Count for that subnet OR l The number of subnets with a Failed Probe Count greater than 0 equals or exceeds the global Failed Probe Count Modifying Failover Timeouts in Production When...

Page 545: ... the interfaces do not have connectivity with the remote Peer Failed None of the interfaces have connectivity with the remote Peer Configure heartbeating Waiting An attempt is being made to configure heartbeating on all heartbeating subnets Failed Heartbeating could not be configured on 1 or more heartbeating subnets on Heartbeating Start The local and remote Peers are heartbeating on all heartbea...

Page 546: ...h an Equalizer running EQ OS 8 6 subject to these constraints l The failover configuration is limited to two 2 VLANs only both Equalizers must be configured with at most two VLANs l Configuration synchronization is not supported that is the dont transfer option must be enabled on both units The configurations on both devices must be updated manually to maintain equivalent configurations meaning t...

Page 547: ...availability status in eqcli using this command eqcli server server_name stats On EQ OS 8 6 and EQ OS 10 server availability can be checked in the GUI by looking at the icons next to the server name in the left pane object tree In EQ OS 8 6 unavailable servers have an exclamation point icon displayed over the server icon In EQ OS 10 unavailable servers have an exclamation point icon displa...

Page 548: ...rticular make sure that at least one server is active that is marked up in the GUI Failover will not properly initialize if Equalizer cannot successfully probe at least one server 2 Add the VLAN IP addresses Once you verify that the EQ OS 8 6 system is working properly in standalone mode open the Equalizer Networking VLAN Configuration tab and do the following for each VLAN in the table a Click t...

Page 549: ... section should display the Failover IP addresses you configured on the VLAN Configuration tab earlier e Click Commit f Open the Failover Synchronization tab and do the following l Check turn on the dont transfer check box l Uncheck turn off the Use SSL only check box l Click Commit g Click Help About and expand the system information box the failover mode should now be Primary you may need to man...

Page 550: ... IP addresses and Failover Netmasks assigned on the EQ OS 8 6 system in Step 2b The heartbeat flag is used on the EQ OS 10 subnet that will be used to communicate with the EQ OS 8 6 system eqcli vlan Mgmt subnet subnet name virt_addr 172 16 0 210 hb_interval 10 flags heartbeat eqcli vlan Server subnet subnet name virt_addr 192 168 0 210 hb_interval 10 flags heartbeat Note Both systems need to be h...

Page 551: ...ng the stats command to confirm that failover has been negotiated between them as in these examples Display the remote EQ OS 8 peer statistics using this command eqcli peer eq_os8 stats 12200442 Peer eq_os8 Failover Group Status 12200443 Member of Failover Group Yes 12200444 Preferred Primary Yes 12200445 Peer OS EQ OS 8 12200446 State Probing 12200447 Substate Start 12200448 Takeover Primary Mode...

Page 552: ...lover Group Status 12200443 Member of Failover Group Yes 12200444 Preferred Primary No 12200445 Peer OS EQ OS 10 12200446 State Probing 12200447 Substate Start 12200448 Takeover Backup Mode 12200449 Last Peer probed eq_os8 12200450 Last Peer probed from eq_os8 12200453 Number of interfaces 2 12200456 Interface Mgmt 12200457 State Probing 12200458 Substate Start 12200461 Number of strikes 0 1220045...

Page 553: ...ubstate Start 12200461 Number of strikes 0 12200456 Interface Mgmt 12200457 State Probing 12200458 Substate Start 12200461 Number of strikes 0 The failover configuration is now complete and the EQ OS 10 system should have now assigned the cluster IP addresses to itself The EQ OS 8 6 GUI should display initializing for failover mode on the Help About screen Because of how failover in EQ OS 8 6 work...

Page 554: ...of the EQ OS 8 6 GUI will not change to indicate when the EQ OS 10 peer is in primary mode that is the EQ OS 10 system will always have the sitting coyote icon next to it On EQ OS 8 6 always use the Help About screen or the Equalizer log Equalizer Status Event Log to check failover status 554 Copyright 2014 Coyote Point Systems A Subsidiary of Fortinet Inc ...

Page 555: ...sts Both units continually send heartbeat probes or failover probes to one another If the current primary does not respond to heartbeat probes a failover occurs In this scenario the current backup assumes the primary role by assigning the cluster IP addresses to its network interfaces and begins processing cluster traffic Configuration of failover peer definitions and options on VLAN subnets can b...

Page 556: ...ust have a Heartbeat flag enabled 4 Enter eqcli vlan vlname subnet sname services service Where vlname is the name of the VLAN sname is the name of the subnet and service is the name of the service These services enable the System Services for the Failover IP Address a fo_http when enabled the Equalizer will listen for http connections on the Failover IP address on the subnet When configuring a Fa...

Page 557: ...ount number which is the strike count threshold for a subnet When the number of strikes detected on this subnet exceeds this value the subnet has failed A value of 0 indicates this subnet will never be considered failed Note If the strike_count reaches its specified maximum value on the subnet or if the strike_count reaches 1 on all subnets in a multi subnet network configuration then a failover c...

Page 558: ...he name of the VLAN sname is the name of the subnet and seconds is the heartbeat interval or time in seconds default 2 between successful heartbeat checks of the peer 7 Repeat the same procedure on the preferred backup 558 Copyright 2014 Coyote Point Systems A Subsidiary of Fortinet Inc ...

Page 559: ...both units they must be exactly the same as noted above under Failover Constraints on page 539 3 Designate a preferred primary and preferred backup using Configuring Active Passive Failover CLI on page 562 beginning with step 3 4 Open the Equalizer Graphical User Interface or GUI and click on the System configuration tab if it has not already been selected Click on the arrows u beside Network to c...

Page 560: ...will designate this subnet as the subnet over which the configuration file transfers between preferred primary and preferred backup can occur b Checking the Heartbeat checkbox will allow the failover peers to probe one another over the subnet At least one subnet must have a Heartbeat flag enabled Note Command Transfer and Heartbeat use the subnet IP address not the failover IP address 8 Check the...

Page 561: ...t network configuration then a failover can occur There is also a global Failed Probe Count See Failover Peer Probes and Timeouts on page 543 in addition to the subnet Failed Probe Count If the subnet Failed Probe count is 0 then the global Failed Probe Count is used 12 Click on Commit when you have finished 13 Perform Steps 1 through 11 above on the preferred backup Copyright 2014 Coyote Point Sy...

Page 562: ...an IP address on a subnet with heartbeat enabled Make sure it is responding to a ping command eqcli server name proto tcp udp ip IP_address port port_number eqcli ping server_IP_address Perform Step 3 on the preferred backup Equalizer to obtain the peer signature 3 Obtain the failover signature of the preferred backup Equalizer a Log in to the CLI on the Equalizer you will use as the preferred bac...

Page 563: ...1D7D78E13E Peer Name eq_001D7D78E13E Peer signature 1RBC78142F9ADE9E8F29FF5373AE7DA6EB994075A9BAAC1001B4 Peer sysid 00241DB2ABA0 Flags failover fo_config_xfer remainder of output omitted c Record the Peer signature displayed or copy it using your terminal emulator s supported editing commands You ll need it in the following steps Copyright 2014 Coyote Point Systems A Subsidiary of Fortinet Inc Al...

Page 564: ...ferred primary The flags should display F O P P xfr beneath the Flags heading The fo_config_xfer is used on the local peer and not on the remote peer If it is enabled the primary peers on both systems will synchronize the configuration When the flag is changed for the local peer it should be reflected in the remote peer on the other system When the use_ssl flag is set it causes messages from this...

Page 565: ...over A A active active P P preferred primary xfr fo_config_xfer ssl use_ssl c Now you will need the peer signature from the primary Equalizer Enter the following eqcli show peer name Where name is the name of the peer for the primary Equalizer The following will be displayed eqcli show peer eq_001D7D78E13E Peer Name eq_001D7D78E13E Peer signature 1RBC14245CBCC7552362679F0E2AD4C0B2CF0C6E6B84AC1000...

Page 566: ...emote OS 10 xfr Standalone No Flags Key F O failover A A active active P P preferred primary xfr fo_config_xfer ssl use_ssl b Add the failover flag to the backup by entering eqcli peer name flags failover Where the peer name is the same one that appears beneath the Peer Name heading c Verify that the flag was assigned by entering eqcli show peer d Now create a peer definition for the preferred pri...

Page 567: ...eferred primary xfr fo_config_xfer ssl use_ssl Note Once the two peers are joined in a failover group heartbeating and file sync are occurring then they synchronize their remote peer definitions with the information obtained from the remote peer The name and flags on the remote peer change In addition if you want to change the name of a peer you MUST change the name of the local peer definition o...

Page 568: ...over is working properly The system on which you are logged in will always appear first in the list b Enter the following command for each peer listed eqcli show peer name On each unit the local peer definition for the unit on which you are logged in should appear like this example eqcli show peer eq_00241DB2ABA0 Peer Name eq_00241DB2ABA0 Peer signature 1RBC78142F9ADE9E8F29FF5373AE7DA6EB994075A9BA...

Page 569: ...ace subnet on which heartbeat is enabled l Check the VLAN configurations on both systems to ensure they are exactly the same and correct if not If this is the source of the issue failover will begin to work as soon as the VLAN configurations match l Check the logs on both units for errors The remote peer display should appear like this example eqcli show peer eq_001D7D78E13E Peer Name eq_001D7D78E...

Page 570: ...tart Last heartbeat sent 161 at Wed Mar 14 12 07 10 2012 Last heartbeat received 97 at Wed Mar 14 12 07 10 2012 Number of strikes 0 Subnet sn1 State Heartbeating Substate Start Last heartbeat sent 161 at Wed Mar 14 12 07 10 2012 Last heartbeat received 97 at Wed Mar 14 12 07 10 2012 Number of strikes 0 The above display includes detailed information about the success or failure of the health check...

Page 571: ...xample of the failover summary eqcli show failover Local Peer Failover Information Command subnet Vlan v2 Subnet sn172 Failover Enabled Mode Active Passive Preferred Primary Yes Config Sync Enabled eqcli Copyright 2014 Coyote Point Systems A Subsidiary of Fortinet Inc All Rights Reserved 571 Equalizer Administration Guide ...

Page 572: ... Click on the arrow beside failover to expand the branch c Click on a peer to be used as the preferred backup The following will be displayed d Check the Failover flag e Highlight and copy the failover Signature of the preferred backup Equalizer Copy the signature to an electronic clipboard notepad or whatever means available to save it Perform Steps 4 and 5 on the preferred primary Equalizer to...

Page 573: ...ste in the signature of the preferred primary that you saved from step 3 Click on Commit to save the peer c You now need to assign a failover flag to the backup peer Click on the backup peer EQ2_Backup in the example to display the backup peer Configuration Required screen d Enable the Failover flag and click on Commit Both peers should appear on the left navigational pane on the Peers branch Perf...

Page 574: ...d file sync are occurring then they synchronize their remote peer definitions with the information obtained from the remote peer The name and flags on the remote peer change In addition if you want to change the name of a peer you MUST change the name of the local peer definition on that peer Perform Step 7 on both Equalizers You have now configured failover peers in both the preferred primary a...

Page 575: ...ists it will become the backup Click on Detailed Local Peer Status for drop down box with detailed peer information The following shows the preferred backup Equalizer Peer Summary and shows the reversed condition in a failover state Click on Detailed Local Peer Status for drop down box with detailed peer information ...

Page 576: ...configured correctly or a problem existed with one of the peers you would see a display similar to the following example Note that a failure icon appears on the left navigational pane beside the peer with an error as well as on the right indicating that Failover is not configured Refer to Peer Interface Subnet States and Substates for descriptions of the Peer states and substate conditions ...

Page 577: ...Failover Groups Active Active failover introduces the concept of Failover Groups A Failover Group is the smallest set of resources that may be moved between Peers and can consist of one or more clusters servers and failover IPs Failover Groups are dynamically determined by the configuration and cannot be specified by the user In the simplest case there is a maximum of 1 Failover group...

Page 578: ...ve active flags to each local peer if the Equalizers are heartbeating the A A flags should be displayed when you enter show peer for each Equalizer as shown below One Equalizer should be displayed as Backup while the other as Primary. If all Failover groups are instantiated on a Peer the F O column will display Primary. If none are instantiated the F O column will display Backup ...

Page 579: ...en set as the preferred primary When the use_ssl flag is set it causes messages from this Peer to a remote Peer to be transmitted using SSL When not set messages are transmitted in clear text The flag may be set differently for Peers in failover For example if set on Peer A but not set on Peer B heartbeats from Peer A to Peer B will be encrypted however heartbeats from Peer B to Peer A WILL NOT be...

Page 580: ...Groups that have been created based on the configuration For example eqcli show fogrp F O Group Name F O Group ID F O Mode Primary Peer Unassigned 0 Not Used fo_group1 1 Primary Primary fo_group2 2 Backup The F O Group Name Unassigned is used: When active active is NOT enabled on the local peer all clusters are in the Unassigned F O Group. If the system cannot determine a failover group in which...

Page 581: ... to an existing F O Group based on its IP address If it does its preferred peer is set as the preferred peer of that F O Group otherwise it is set as the preferred primary b If the preferred peer has been set on the cluster the system checks to see whether the cluster can be added to a F O Group with the same preferred peer If not the request is rejected and an error message will be generated c A ...

Page 582: ...onfigure servers on a different subnet than the cluster d Using multiple Failover Groups change the configuration such that 2 Failover groups will be merged and verify that all work as expected For example suppose there are 2 F O Groups. F O Group 1 has subnet 172.16.0.0/24 with cluster cl01 172.16.0.211 server sv01 172.16.0.181 and floating IP 172.16.0.219. F O Group 2 has subnet 192.168.0.0/24 wi...

Page 583: ...best connectivity to servers routers etc In case of a tie amongst one or more Peers the Peer with the greatest System ID hex value or sysid will take over the F O group For example if 2 peers have the same level of connectivity with servers routers etc and one sysid is 003048BC2C8A and the other is 003048D52AA2 The second sysid has a higher hex value and will take over the F O group Note All flavo...

Page 584: ...ration A failover occurs when Equalizer detects that there is an issue with one of the subnets on which a cluster s IP address or one of its server IP addresses resides This typically means that Equalizer has lost connectivity on a subnet and can happen for any number of reasons for example the failure of a downstream hub router or other networking device A failover event can be simulated by eithe...

Page 585: ... why the system with the highest System ID is used as the 1 backup unit in all the sample configurations so that we are guaranteed to move a failover group over to the dedicated backup unit when there is no preferred peer or preferred primary available that provides the connectivity required by the failover group Equalizer s System ID is displayed in the CLI using the global context version comma...

Page 586: ... information F O Group Name These are determined by Equalizer according to cluster IP addresses server IP addresses and the network configuration Unassigned is the failover group used when active active failover is not yet enabled Failover groups are not used in active passive failover configurations F O Group ID An identifying number for the failover group This is set by Equalizer and not directly...

Page 587: ...his command displays exactly which subnets clusters and servers belong to this failover group These are the objects that will become active on another peer when this failover group is moved as a result of a failover event This form of the command allows you to determine exactly how your clusters servers and subnets are organized by Equalizer into failover groups and also which clusters are instant...

Page 588: ...peer has instantiated some of the cluster IP addresses in the configuration and is available as a Backup for others It has also instantiated all subnet failover IP addresses for the subnets required by the instantiated clusters Backup The peer has not instantiated any clusters and is available as a Backup Heartbeating is working properly Isolated The peer appears to be up but we cannot heartbeat i...

Page 589: ...rtbeat status between this peer and other peers in the failover set of Equalizers specify the name of a remote peer ...

Page 590: ...s Basic troubleshooting for failover includes verifying that all preferred peer and VID settings on clusters are correct Rebalancing Rebalancing is usually done after a failover event occurs and all systems have been returned to normal service This instantiates each cluster and its required objects such as servers on the peer set in the cluster s preferred_peer parameter In the example configuratio...

Page 591: ...th any failover configuration the VLAN subnet configuration on all peers must be exactly the same except for object names and tagged/untagged port assignments b Set the Failover or Virtual IP address on each VLAN subnet as in these examples eqcli vlan vlan2 subnet 172net virt_addr 172.16.0.169 eqcli vlan vlan3 subnet 192net virt_addr 192.168.0.169 c Set the command and heartbeat flags on the subn...

Page 592: ... the time manually on all systems to the current time eqcli date HHmmss In the above command HH is hours mm is minutes and ss is seconds Seconds are optional g Enable NTP If you've defined at least one DNS server you can configure the Network Time Protocol NTP by entering eqcli ntp enable h Change the name of the local peer so it's easier to recognize as in this example for Equalizer Eq A eqcli pe...

Page 593: ...o each cluster and then rebalance to move the clusters to their preferred peer Equalizers You could also create your clusters on the other peers If you do be sure to specify a preferred peer for each cluster when you create them if you want them to be instantiated on that peer otherwise they will be instantiated on the peer that has the preferred primary flag enabled b Update the flags for peer Eq...

Page 594: ...I on that peer and executing show peer name where name is Eq A or Eq C 4 Do the following on Eq C a Update the flags for peer Eq C eqcli peer Eq C flags failover active active fo_config_xfer b Create the peer definitions for the remote peers Eq A and Eq B eqcli peer Eq A signature signature eqcli peer Eq B signature signature Note The signature for each remote peer can be displayed by logging into...

Page 595: ...iguration Sequence Number XXXX Peer Name Type Flags F O Mode Message s Eq B Local OS 10 F O A A xfr Backup No Eq A Remote OS 10 F O A A P P xfr Primary No Eq C Remote OS 10 F O A A xfr Backup No c On Eq C the peer status should now look like this eqcli show peer Configuration Sequence Number XXXX Peer Name Type Flags F O Mode Message s Eq C Local OS 10 F O A A xfr Backup No Eq B Remote OS 10 F O A...

Page 596: ...O Group fo_group1 ID 1 Preferred Peer Eq B Primary Peer Eq A F O Mode Backup Subnet Members num 2 vlan2 172net vlan3 192net Cluster Members num 2 clA clB Server Members num 2 sv2 sv3 eqcli After the above procedure is completed the object configuration should get synchronized over to Eq B and Eq C All Equalizer objects will be visible in the CLI and GUI of all peers The two clusters will continue t...

Page 597: ...ctly the same except for object names and tagged/untagged port assignments b Set the Failover or Virtual IP address on each vlan subnet as in these examples eqcli vlan vlan2 subnet 172net 1 virt_addr 172.16.0.169 eqcli vlan vlan2 subnet 172net 2 virt_addr 172.16.1.169 eqcli vlan vlan3 subnet 192net virt_addr 192.168.0.169 c Set the command and heartbeat flags on the subnets One subnet must have th...

Page 598: ...o the current time eqcli date HHmmss In the above command HH is hours mm is minutes and ss is seconds Seconds are optional g Enable NTP If you've defined at least one DNS server you can configure the Network Time Protocol NTP by entering eqcli ntp enable h Change the name of the local peer so it's easier to recognize as in this example for Equalizer Eq A eqcli peer e TAB name Eq A Note Note that t...

Page 599: ...is procedure we create all of the clusters servers and server pools on the preferred primary Equalizer assign a preferred peer to each cluster and then rebalance to move the clusters to their preferred peer Equalizers You could also create your clusters on the other peers If you do be sure to specify a preferred peer for each cluster when you create them if you want them to be instantiated on that...

Page 600: ...nature signature flags failover Note The signature for each remote peer can be displayed by logging into the CLI on that peer and executing show peer name where name is Eq A Eq C and Eq D 4 Do the following on Eq C a Update the flags for peer Eq C eqcli peer Eq C flags failover active active fo_config_xfer b Create the peer definitions for the remote peers Eq A Eq B and Eq D eqcli peer Eq A signat...

Page 601: ...er status is correct a On Eq A the peer status should now look like this eqcli show peer Configuration Sequence Number XXXX Peer Name Type Flags F O Mode Message s Eq A Local OS 10 F O A A P P xfr Primary No Eq B Remote OS 10 F O A A xfr Backup No Eq C Remote OS 10 F O A A xfr Backup No Eq D Remote OS 10 F O A A xfr Backup No b On Eq B the peer status should now look like this eqcli show peer Conf...

Page 602: ...essage s Eq D Local OS 10 F O A A xfr Backup No Eq A Remote OS 10 F O A A P P xfr Primary No Eq B Remote OS 10 F O A A xfr Backup No Eq C Remote OS 10 F O A A xfr Backup No If all peers sharing several failover groups are rebooted or powered on in a sequential fashion first reboot Eq A then Eq B etc the expected behavior is that one unit may become Primary for all failover groups depending upon th...

Page 603: ...r Members num 3 clA clB clC Server Members num 3 sv2 sv3 sv4 eqcli b For fo_group2 eqcli show fogrp fo_group2 F O Group fo_group2 ID 1 Preferred Peer Eq B Primary Peer Eq A F O Mode Backup Subnet Members num 3 vlan2 172net 1 vlan2 172net 2 vlan3 192net Cluster Members num 3 clA clB clC Server Members num 3 sv2 sv3 sv4 eqcli ...

Page 604: ...lA clB clC Server Members num 3 sv2 sv3 sv4 eqcli After the above procedure is completed the configuration on Eq A should get copied over to Eq B Eq C and Eq D All Equalizer objects will be visible in the CLI and GUI of all peers All clusters will continue to run on Eq A until they are rebalanced or a failover occurs Refer to Rebalancing on page 590 ...

Page 605: ... assignments b Set the Failover or Virtual IP address on each vlan subnet as in these examples eqcli vlan vlan2 subnet 172net 1 virt_addr 172.16.0.169 eqcli vlan vlan2 subnet 172net 2 virt_addr 172.16.1.169 eqcli vlan vlan3 subnet 192net 1 virt_addr 192.168.0.169 eqcli vlan vlan3 subnet 192net 2 virt_addr 192.168.1.169 c Set the command and heartbeat flags on the subnets One subnet must have the c...

Page 606: ...tems to the current time eqcli date HHmmss In the above command HH is hours mm is minutes and ss is seconds Seconds are optional g Enable NTP If you've defined at least one DNS server you can configure the Network Time Protocol NTP by entering eqcli ntp enable h Change the name of the local peer so it's easier to recognize as in this example for Equalizer Eq A eqcli peer TAB name Eq A Note The TAB...

Page 607: ...uster clC proto http ip 192.168.0.161 port 80 srvpool sp03 eqcli server sv5 proto tcp ip 192.168.1.24 port 80 eqcli srvpool sp04 policy adaptive eqcli srvpool sp04 si sv5 weight 100 eqcli cluster clC proto http ip 192.168.1.161 port 80 srvpool sp04 Note In this procedure we create all of the clusters servers and server pools on the preferred primary Equalizer assign a preferred peer to each cluste...

Page 608: ...ter clB preferred_peer Eq B eqcli cluster clC preferred_peer Eq C eqcli cluster clD preferred_peer Eq D 3 Do the following on Eq B a Update the flags for peer Eq B eqcli peer Eq B flags failover active active fo_config_xfer b Create the peer definitions for the remote peers Eq A Eq C and Eq D eqcli peer Eq A signature signature eqcli peer Eq C signature signature eqcli peer Eq D signature signatur...

Page 609: ...eer name where name is Eq A Eq B or Eq D 5 Do the following on Eq D a Update the flags for peer Eq D eqcli peer Eq D flags failover active active fo_config_xfer b Create the peer definitions for the remote peers Eq A Eq B and Eq C eqcli peer Eq A signature signature eqcli peer Eq B signature signature eqcli peer Eq C signature signature Note The signature for each remote peer can be displayed by l...

Page 610: ... peer Configuration Sequence Number XXXX Peer Name Type Flags F O mode Message s Eq B Local OS 10 F O A A xfr Backup No Eq A Remote OS 10 F O A A P P xfr Primary No Eq C Remote OS 10 F O A A xfr Backup No Eq D Remote OS 10 F O A A xfr Backup No c On Eq C the peer status should now look like this eqcli show peer Configuration Sequence Number XXXX Peer Name Type Flags F O mode Message s Eq C Local O...

Page 611: ...S 10 F O A A xfr Backup No 7 Show the fo group details and status as follows a For fo_group1 eqcli show fogrp fo_group1 F O Group fo_group1 ID 1 Preferred Peer Eq A Primary Peer Eq A F O Mode Primary Subnet Members num 4 vlan2 172net 1 vlan2 172net 2 vlan3 192net 1 vlan3 192net 2 Cluster Members num 4 clA clB clC clD Server Members num 4 sv2 sv3 sv4 sv5 eqcli ...

Page 612: ...mbers num 4 clA clB clC clD Server Members num 4 sv2 sv3 sv4 sv5 eqcli c For fo_group3 eqcli show fogrp fo_group3 F O Group fo_group3 ID 1 Preferred Peer Eq C Primary Peer Eq A F O Mode Backup Subnet Members num 4 vlan2 172net 1 vlan2 172net 2 vlan3 192net 1 vlan3 192net 2 Cluster Members num 4 clA clB clC clD Server Members num 4 sv2 sv3 sv4 sv5 eqcli ...

Page 613: ...um 4 sv2 sv3 sv4 sv5 eqcli After the above procedure is completed the object configuration should get synchronized over to Eq B Eq C and Eq D All Equalizer objects will be visible in the CLI and GUI of all peers All clusters will continue to run on Eq A until they are rebalanced or a failover event occurs Refer to Rebalancing on page 590 ...

Page 615: ...g Logs 616 Export to CSV 617 Filtering Status Details 618 Event Log 619 System Log 620 Audit Log 621 Upgrade Log 622 Remote System Logging 623 Reporting 625 ...

Page 616: ...r audit log respectively By default the entire log is displayed Use the range to specify the time frame of log entries to display In the GUI 1 Click on the Log and Reports configuration tab in the left navigational pane 2 Click on the arrow beside Logging to expand the branch 3 Click on either Events Log System Log Audit Log Upgrade Log or Remote Syslog to display the graphical log browser ...

Page 617: ...lues csv format The file name will be in the format Equalizer mon dd time frame EventLog csv An example is shown below This is an example of a change added to this document ...

Page 618: ...a to display the Filter Parameters dialogue as shown below Use the sliders to specify Start Time and End Time to display events within a time frame on the Events log table The Error Warning and Info flags can be selected to display those selected events within the time frame selected with the sliders After selecting these display options click on Commit to redisplay the event log ...

Page 619: ... the branch 4 Click on Event Log to display the log An example of a display is shown below If you click on any of the individual Clusters Server Pools Servers or Responders objects to the left of the events table events for the object selected will be displayed The log can be sorted by Type Date Category Context and Message by clicking on the column heading on your browser Refer to Displaying Equalizer Lo...

Page 620: ...ect the Log and Reports configuration tab on the left navigational pane if it is not already selected 3 Click on the arrow beside Logging to expand the branch 4 Click on System Log to display the log An example of a display is shown below The log can be sorted by Date Category and Message by clicking on the column heading on your browser Refer to Displaying Equalizer Logs on page 616 for instruc...

Page 621: ...ional pane if it is not already selected 3 Click on the arrow beside Logging to expand the branch 4 Click on Audit Log to display the log An example of a display is shown below The log can be sorted by Date Identifier Path and Action by clicking on the column heading on your browser Refer to Displaying Equalizer Logs on page 616 for instructions on displaying the Audit log using the CLI ...

Page 622: ...hat you are logged into the GUI If not log in as described in Logging In on page 230 2 Select the Log and Reports configuration tab on the left navigational pane if it is not already selected 3 Click on the arrow beside Logging to expand the branch 4 Click on Upgrade Log to display the log An example of a display is shown below ...

Page 623: ... in Logging In on page 230 2 Select the Log and Reports configuration tab on the left navigational pane if it is not already selected 3 Click on the arrow beside Logging to expand the branch 4 Select Remote Syslog to display the Remote Syslog entry form on the right 5 Do one or both of the following a Remove the contents of the Syslog Server text box b Turn off the Syslog Enable check box 6 Clic...

Page 624: ...of the current remote logging server enter eqcli syslog disable Alternatively removing the IP address or name of the current remote logging server will also automatically disable remote logging eqcli no syslog server ...

Page 625: ...ing In on page 230 2 Select the Log and Reports configuration tab on the left navigational pane if it is not already selected 3 Click on the arrow beside Reporting to expand the branch 4 Select CPU Memory and the CPU Memory Usage screen shown below will be displayed This screen displays the Current and 60 minute averages of CPU Consumption percentage and Memory Utilization in Mb ...

Page 627: ... Disabling spoof for HTTP Multiplexing 630 Server Options for HTTP Multiplexing 631 Direct Server Return DSR 632 Configuring a Cluster for Direct Server Return 633 Configuring Servers for Direct Server Return 634 ...

Page 628: ...plications running on the servers When HTTP multiplexing is enabled an established server connection is left open for a period of time to see if any new client connections are load balanced to the same server If so this connection is used to forward the new client request to the server This allows Equalizer to service multiple client requests without all the overhead associated with establishing a...

Page 629: ...t time After TCP multiplexing is enabled as above it can be selectively disabled on clusters and server instances without modifying the TCP multiplexing parameters set on the server Refer to Modifying a Layer 7 HTTP or HTTPS Cluster on page 341 or Cluster and Match Rule Commands on page 169 on the CLI for details ...

Page 630: ...disables much of the benefit of using TCP multiplexing If the application running on the servers behind an Equalizer cluster requires the real client IP address in incoming requests that is spoof enabled then in most configurations we recommend disabling TCP multiplexing In some cases when it is known that most or all client connections will come from a relatively short list of IP addresses spoof ...

Page 631: ...owed in the reusable server pool The default is 0 which means that there is no limit on the number of reusable connection pool entries If you have HTTP multiplexing enabled and CPU or memory usage on Equalizer is significant you can use this parameter to limit the size of the reusable connection pool which in turn limits the amount of memory and CPU resources used to manage HTTP multiplexing You...

Page 632: ...n multiple VLAN configurations although this is less common Cluster IP addresses are on one VLAN subnet while server IP addresses are on another VLAN subnet In any DSR configuration note that the incoming client traffic is assumed to originate on the other side of the gateway device for the subnets on which Equalizer and the servers reside The servers will usually have their default gateway set to...

Page 633: ...CP clusters only For DSR idle timeout must be set to a non zero value or Equalizer will never reclaim connection records for connections terminated by the server The cluster s idle timeout should be set to the longest period within your application that you would like Equalizer to wait for consecutive messages from the client since the Equalizer does not see server packets on DSR connections For e...

Page 634: ...guring Windows Server 2003 and IIS for DSR The basic procedure below also applies to Windows XP and other versions of Windows 1 Open Start Control Panel and double click Network Connections 2 Select View Tiles If a Microsoft Loopback Adapter is already listed proceed to the next step Otherwise install the loopback interface as follows a Open Start Control Panel Add Hardware and then click Next ...

Page 635: ...the ARP behavior needs to be adjusted so the system only replies to ARP requests for IP addresses on non loopback interfaces The method used to do this varies between operating systems For example to do this on a Linux box you would adjust specific kernel parameter values as shown below by editing the file /etc/sysctl net.ipv4.conf.all.arp_ignore 1 net.ipv4.conf.all.arp_announce 2 net.ipv4.conf.def...

Page 636: ...t requests to the cluster IP and port and get responses directly from the Apache server running on Linux Remember that static routes on your servers may be necessary depending on your network configuration Configuring a Loopback Interface on Other Systems for DSR The commands and interfaces used to configure a loopback interface vary slightly between operating systems and sometimes between version...

Page 637: ...ing of sysctl net.inet.ip.check_interface which by default is set to 0 weak host Windows XP and Windows 2003 use the weak host model on all IPv4 interfaces and the strong host model on all IPv6 interfaces and this is not configurable Windows Vista and Windows 2008 support strong host by default on all interfaces but this is configurable for individual interfaces Use the following command to list i...

Page 639: ...obes 647 Enabling Disabling ACV Probes 648 Setting ACV Query and Response Strings 649 Testing ACV Probes 650 Configuring UDP and TCP Parameters 651 Simple Health Check Probes 653 Configuring Simple Health Check Probe Parameters 653 Simple Health Checks and Load Balancing Policies 658 Server Agents 659 VLB Health Check Probes 662 Enabling Disabling VLB Health Check Probes 663 Configuring VLB Health...

Page 640: ... balancing decisions include only those applications that are currently available and can be tailored to provide application specific probes The types of probes Equalizer uses on a server depend upon the server s protocol setting UDP or TCP and are summarized below Layer Protocol Daemon Port Details Layer 3 ICMP l3pd N A Echo request reply Layer 4 UDP IP udppd 53 DNS 111 RPC4 Portmap 2049 RPC4 NFS...

Page 641: ... is marked DOWN and Equalizer continues to send ICMP requests to the server s IP address If an ICMP echo response is subsequently received the server is marked UP Responding to ICMP echo requests is an option on most server platforms If ICMP echo reply is disabled on one or more of the servers in your configuration then you may want to disable ICMP echo requests on Equalizer to reduce traffic between...

Page 642: ...eady selected 3 Click on a server on the left navigational pane and select a configured server 4 In the right configuration pane enable or disable the Probe Layer 3 check box 5 Click Commit Enable Disable ICMP Probes in the CLI ICMP probes are enabled by default for all servers 1 To enable ICMP probes for a server in the CLI enter the following eqcli server servername flags probe_l3 2 To disable I...

Page 643: ... when it has been configured to ignore ICMP ECHO Requests GUI Probe Parameter CLI Probe Parameter Description ICMP Probe Maximum Tries icmp_maxtries The maximum number of times per ICMP Probe Interval that Equalizer will attempt to probe a server ICMP Probe Interval icmp_interval A timer specifying the length of time in seconds during which a successful server probe must occur or the server is mar...

Page 644: ...ver Health Check Probes eqcli parameter_name value 2 Enter a parameter_name and value which are described in ICMP Probe Parameters above ...

Page 645: ...vices a UDP datagram is sent to the server probe port and if no response is received the server is marked DOWN Enabling Disabling L4 UDP Probes UDP probes are enabled for a UDP server as soon as a server instance for the server is added to a server pool Default settings for probe parameters are used unless specifically set on the server pool Refer to Adding Server Instances GUI on page 440 and Addi...

Page 646: ... established Enabling Disabling L4 TCP Probes TCP probes are enabled for a TCP server as soon as a server instance for the server is added to a server pool Default settings for probe parameters are used unless specifically set on the server pool Refer to Adding Server Instances GUI on page 440 and Adding Server Instances CLI on page 444 for a description of enabling or disabling L4 TCP Probes ...

Page 647: ...t in order to respond If the TCP probe connection is not established ACV probing will fail as well ACV is best explained using a simple example HTTP protocol enables you to establish a connection to a server request a file and read the result The example below shows the connection process when a user requests a telnet connection to an HTTP server and requests an HTML page Equalizer can perform the...

Page 648: ...nts of the ACV Response edit box or leaving it blank 7 Click on Commit Note L4 TCP probes acvd are performed on servers running TCP protocol only Verify that the Probe Layer 4 option is enabled on server instances on server pools using ACV Enable Disable ACV Probes in the CLI 1 To enable ACV probes for all TCP type servers in a server pool enter eqcli srvpool spname acvr string 2 To disable ACV pr...

Page 649: ...e connection is established An ACV query or response string l Must be enclosed in single or double quotes if it contains a space character l Any single or double quotes included within the string must be preceded by the backslash character Note In ACV Query strings character escapes such as \n for new line \r for carriage return and \t for Tab are supported \r and \n must be manually inserted at the en...

Page 650: ...l acvq acv query string 4 Enter the ACV response string in the following format using the guidelines above eqcli srvpool srvpool acvr acv response string The following commands are all examples of valid ACV string commands eqcli srvpool srvpool_name acvr Up eqcli srvpool srvpool_name acvr This is a response string with spaces eqcli srvpool srvpool_name acvr This is a response string with quotes 5 ...

Page 651: ... 3 the default will send at most 3 probes to the server during any Probe Interval period Probe Global Timeout probe_gto The maximum length of time in seconds to wait for a TCP or UDP probe to be sent and a connection established or a response is received If the number of seconds specified exceeds the Probe Interval setting then the Probe Interval is used as the Probe Global Timeout Probe Connect T...

Page 652: ...figuration LB Policy screen will be displayed 5 Modify the appropriate probe parameter values as described in UDP and TCP Parameters above 6 Click on Commit to save the configuration or Reset to return all values to the default settings Setting TCP and UDP Probe Parameters in the CLI 1 To set TCP and UDP probe parameters in the CLI enter the following command in the global context eqcli srvpool sr...

Page 653: ...rameter CLI Parameter Description Health Check Relative Weight weight Set the relative weight default 100 of the health check load value returned by the application compared to other health check values returned by other health checks The weight must be between 1 and 100 Lightest Load Value healthy A floating point value that is the healthiest or least busy load value that can be returned by the h...

Page 654: ...ery stimulus A string sent to the server agent after a connection is established For example a server health check application may require a string such as get load r n before it will send a load value This parameter is optional No GUI type Set the type for the health check probes Required Require Response require_response flag Mandates that the health check probe must receive a response or the se...

Page 655: ...k Name area and select simple from the Health Check Type drop down list 7 Click on Commit to save the health check Copyright 2014 Coyote Point Systems A Subsidiary of Fortinet Inc All Rights Reserved 655 Equalizer Administration Guide ...

Page 656: ...10 Click on Commit to save the configuration or Reset to return all values to the default settings 11 Add an instance of the health check health check instance to a server instance in the server pool Click on a server instance in the left navigational pane and then click on Configuration Health Check Instances on the right pane 12 Click on to add a health check instance to the server instance The...

Page 657: ...Disable option will disable the health check for this server instance Setting Simple Health Check Parameters in the CLI To demonstrate the configuration of Simple Health Check parameters the following examples are provided In the examples we ll use a server pool named MyPool that has three server instances defined sv1 sv2 and sv3 Let s also assume that there is no string required by the applicatio...

Page 658: ...C1 parameter_name value 4 Add an instance of the health check health check instance to a server instance in the server pool Now add a health check instance for HC1 to each server instance si in the server pool eqcli srvpool MyPool si sv1 hci HC1 eqcli srvpool MyPool si sv2 hci HC1 eqcli srvpool MyPool si sv3 hci HC1 Simple Health Checks and Load Balancing Policies Simple health checks work with al...

Page 659: ... is running it uses the number returned by the agent in its load balancing calculations with the server agent policy giving highest preference to the server agent s return value over other factors The number returned by the agent to Equalizer is intended to indicate the current load on the server The agent application that runs on the server can be written in any available scripting or programming ...

Page 660: ...s default my port 1510 my proto getprotobyname tcp take the server agent response value from the command line my value shift my response value n response has to be a valid server agent response response 1 or response 0 and response 101 or die Response must be between 1 and 100 create a socket and set the options set up listen port socket SERVER PF_INET SOCK_STREAM proto or die socket setsockopt SE...

Page 661: ...ints each time the server agent is probed by Equalizer From Equalizer s perspective all that is returned by the server agent is the integer set on the command line For example if you use the example server agent above and set the response to 50 here is what you will see if you use the telnet command to open the server agent IP and port telnet 10 0 0 120 1510 50 Connection to host lost ...

Page 662: ...ct If the use_server_port is set the server object s port is used Otherwise the probe_port specified in the health check object is used Typically VLB health check probes are configured in the following manner 1 Provide VMware login information by creating VLB Managers 2 Associate Equalizer servers with virtual machines on VMware 3 Create VLB health checks 4 Configure parameters for each health che...

Page 663: ...k Enable Disable VLB Health Check Probes in the CLI VLB probes are enabled as soon as a health check instance is added to a server instance in a server pool Default settings for probe parameters are used unless specifically configured on eqcli Health checks can be disabled by entering the following in each server instance context eqcli srvpool sp spname si siname no hci hci name where sp spname is...

Page 664: ...ber of seconds default 5 Equalizer waits for a connection to the health check server application to complete before marking the server down Probe Connect Timeout probe_cto The health check connection timeout The number of seconds default 1 that Equalizer will wait for a connection attempt to the health check server application to succeed before marking the server down Probe Data Timeout probe_dto ...

Page 665: ...RL for the VLB Manager you would like to connect with in the VLB Manager URL field Add Username Password credentials for login as well b The Connect Timeout slider is used to configure the allowable time to connect with VMware By default this is 1 c The Disable checkbox is used to disable the VLB Manager if necessary d Clicking on the Test Login button will test your URL and credentials using the...

Page 666: ...n list above and click Get VMList The figure below will be displayed The popup contains the list of the Virtual Machines VMs retrieved from the VLB Manager The VM with the matching IP address if found is pre chosen highlighted in the list Click on Select to select the pre highlighted VM or choose another before clicking Select The tab is then redisplayed with the Virtual Server ID of the selected ...

Page 667: ...y VLB health checks Refer to Load Balancing Policies for details 8 The Health Check screen below will be displayed after adding a health check The screen allows the configuration of all health checks and features accordion tabs labeled with the health check name and type and the currently set health check relative weight Clicking on the icon will add a new health check Clicking on the delete icon w...

Page 668: ...lth Check Instances screen features accordion panes for the existing and the new health check instances that are labeled with the health check instance Clicking on the icon will display the figure above to add a new health check instance Clicking on the icon will delete the health check whose accordion pane is currently open Use the drop down list to select a VLB Parameter This can be either VM CP...

Page 669: ...he Disabled check box is checked Checking the Disable checkbox will disable this health check instance for the server instance selected 13 Click on Commit to save the health check instance ...

Page 670: ...3 Enter the new VLB Manager adding a URL Username Password Connect Timeout parameters and flags Enter eqcli xs vlb nam URL value eqcli xs vlb nam username name eqcli xs vlb nam password name eqcli xs vlb nam flags disable a The only flag used is disable which would disable the VLB Manager if necessary 4 Enter the following to verify the new VLB Manager and parameters In the example below a VLB m...

Page 671: ...6 Enter the server context and set the vlb_manager value by entering the following In this example the vlb_manager is esxi 01 on a server centos216 eqcli sv cen vlb_manager esxi 01 eqcli sv cen commit eqcli 12000287 Operation successful Add Health Checks 7 The next step is to add a new health check to a specific server pool Enter the following eqcli srvpool srvpool name health_check health_check n...

Page 672: ...her parameters Set the VLB Manager and UUID for a Server 9 Show the configured VLB Managers Enter eqcli show ext_services vlb_manager An example of a display is shown below eqcli show ext_services vlb_manager Name URL esxi 01 https 192 168 213 196 sdk eqcli show server Name Protocol IP Address Port Flags mac 80 tcp 192 168 213 222 80 probe_l3 xp 80 tcp 192 168 213 211 80 probe_l3 bsd 80 tcp 192 16...

Page 673: ...0ffd 53cb 93e6 4607d46e755e 11 Set the uuid value by entering eqcli sv name uuid xxxxxxx xxxx xxxx xxxx xxxxxxxxxxxx where sv name is the name of the server and the uuid number corresponds with a server in step 10 12 Show the server parameters to verify that the VLB Manager has been assigned by entering eqcli show sv name where sv name is the server name An example of the display for a server cento...

Page 674: ... instance in a server pool healthcheckname is the name of the health check instance that you are adding to the server instance By default the vlb_param is vm_cpu The other option is vm_ram To change the vlb_param to vm_ram enter the following in the health check instance context eqcli srvpool serverpoolname si server instance hci healthcheckinstancename vlb_param vm_ram 14 Health check instances m...

Page 675: ...e Equalizer was last rebooted This behavior accounts for the fact that many servers are configured by default to never respond to ICMP echo requests as a security precaution In other words if a server has never responded to a Layer 3 health check probe since the last reboot it is never marked Layer 3 Down Note Responding to ICMP echo requests is an option on most server platforms If ICMP echo repl...

Page 676: ...etween Equalizer and the server instance will be performed over an encrypted SSL connection Once enabled TCP and ACV probe behavior is determined by the timeouts located on the server pool configuration screen in the GUI and in the srvpool context in the CLI GUI Parameter CLI Parameter Minimum Default Maximum Units Max Tries Per Interval max_tries 1 3 30 integer Probe Interval probe_interval 1 15 6...

Page 677: ...r Layer 4 TCP and ACV health checks in the previous section with the exception that the Probe Data Timeout probe_dto is the timeout for the server response for these health checks rather than ACV This affects only the part of the flowchart that is outlined in the previous section ...

Page 679: ...ntrol Classes 684 Server Pool Class srvpool 685 Server Class server 689 Server Instance Class si 692 ADC Class adc 695 Sample Trigger Script for the Configuration of Multiple Hot Spare Servers 697 Sample Trigger Script for Rebooting the System 698 Adding Smart Controls 699 ...

Page 680: ... of a Smart Event would be if you specify that when the number of active servers in a particular cluster falls below a certain value a currently quiesced server could become active Smart Events are configured using PHP scripting PHP Hypertext Preprocessor is a server side scripting language designed for web development but can also be used as a general purpose programming language as it is in this...

Page 681: ... occurred so that smartd can execute the necessary script The figure below illustrates an overview of how Smart Control framework functions The alertd daemon gets triggered event information from the system and then notifies the smartd daemon to execute a particular PHP script The smartd daemon is responsible for running scripts when a particular scheduled or interval event occurs based on a syste...

Page 682: ...t occurs This is triggered type This kind of control is only run when a trigger event happens within the system The alerting mechanism automatically notifies the alert daemon alertd when something has occurred That daemon determines which alerts should be fired For triggered events the alertd daemon is responsible for the events themselves rather than smartd The alertd daemon reads the configura...

Page 683: ... while running an error is logged in the ADC log however the script continues to be executed as normal The reason for this is that a different execution path may not produce the same error l By default any variables declared during execution of a script are saved for the subsequent execution If you would like to discard the environment between script executions save_environment FALSE should be e...

Page 684: ...g ADC object use the getByName method For example sp srvpool getByName sp00 Once a class variable exists there are several methods to read information about that variable and common ways to modify the underlying object in the system configuration Descriptions for each class are shown below The supported parameters for each class are the same as provided in the CLI Flags in Smart Control are specif...

Page 685: ... object populated with all of its properties On failure An exception with a message and an error code Example Fetch a server pool named sp00 sp srvpool getByName sp00 getInstanceByName string name Description Fetch the server instance named name which is part of this server pool from the configuration Returns On success server instance object populated with all of its properties On failure An exce...

Page 686: ...tatusDescription Description Get the status of this server pool as a string Returns A string containing the status of this server pool Example sp srvpool getByName sp00 print the status accessible using lastrun command echo sp getStatusDescription getStatusResp Description Get the status of this server pool as a numeric value Returns A numeric value indicating the status 0 There are no problems wi...

Page 687: ...ust be set to TRUE in order for it to be deleted Returns Map containing message string with a status code Status code will be 0 if the deletion was successful and non zero otherwise Example sp srvpool getByName sp00 Try to delete it if it fails force the deletion value sp delete if value status 0 Print out the reason for the failure accessible using lastrun command echo Failed to delete because va...

Page 688: ...do getByName the commit below would fail with object already exists error because the system will try to add this object instead of modify it sp srvpool getByName newsp sp probe_maxtries 2 sp commit ...

Page 689: ...turns On success server object populated with all of its properties On failure An exception with a message and an error code Example Fetch a server named sv00 sv server getByName sv00 getStatusDescription Description Get the status of this server as a string Returns A string containing the status of this server Example sv server getByName sv00 print the status accessible using lastrun command echo...

Page 690: ...D or unassigned if no appropriate network is found Example Print out unknown or known network accessible using the lastrun command sv server getByName sv00 if sv getVid unassigned echo Unknown network else echo Known network stats string statName Description Get the value of the statistic named statName The available statistics are the same as those displayed in the CLI when using the server name ...

Page 691: ...o Failed to delete because value message value sv delete TRUE commit Description Push the changes to this server into the permanent configuration If this server object was created using getByName this operation is treated as a modify If it was created using the new keyword it is treated as an addition Returns Map containing message string with a status code Status code will be 0 if the commit was ...

Page 692: ... the server pool object srvpool The server pool object should have been previously fetched with srvpool getByName Returns On success server instance object populated with all of its properties On failure An exception with a message and an error code Example Fetch a server instance named sv00 sp srvpool getByName sp00 si si getByName sp sv00 getStatusDescription Description Get the status of this s...

Page 693: ...ns A numeric value indicating the weight Example Print the current weight accessible using lastrun command sp srvpool getByName sp00 si si getByName sp sv00 if si getStatusResp 2 echo si getCurrentWeight stats string statName Description Get the value of the statistic named statName The available statistics are the same as those displayed in the CLI when using the srvpool name si name stats comman...

Page 694: ...e because value message value si delete TRUE commit Description Push the changes to this server instance into the permanent configuration If this server object was created using getByName this operation is treated as a modify If it was created using the new keyword it is treated as an addition Returns Map containing message string with a status code Status code will be 0 if the commit was successf...

Page 695: ...ebalance the failover peers sp srvpool getByName sp00 if sp stats ACTIVECONX 10 adc cli rebalance getSrvpoolList Description List server pools from the configuration Returns A map with the following keys srvpool_list list of server pool names as strings message a status message indicating success or failure of the operation status a status code 0 indicates success nonzero indicates failure Example...

Page 696: ...s code will be 0 if the ipmi command was successful otherwise it will be non zero In case of error the out_buf string will contain the output returned from ipmitool else it will be blank Additional message string contains a description of the status code Example There are two servers attached to the server pool If there are more than 1000 connections on the server pool then switch on server 2 and ...

Page 697: ...02 sv03 si getByName sp sv03 if both of these servers are down make the other two servers active and hot_spare these if sv00 getStatusResp 2 sv01 getStatusResp 2 sv00 hot_spare TRUE sv01 hot_spare TRUE sv02 hot_spare FALSE sv03 hot_spare FALSE commitChanges TRUE else if sv02 getStatusResp 2 sv03 getStatusResp 2 sv00 hot_spare FALSE sv01 hot_spare FALSE sv02 hot_spare TRUE sv03 hot_spare TRUE commi...

Page 698: ...should be noted that the script uses string parsing and will consume a fair amount of CPU resources It is recommended that you use this type of script if no other mechanisms are available out adc cli ping 10 0 0 68 if the ping fails the string 0 packets received is output so look for that if strstr out cli_buf 0 packets received adc cli reboot ...

Page 699: ...trol context eqcli script edit URL where edit invokes the script editor to enter create the desired script URL fetches the script from the entered fully qualified ftp http site 3 Create edit the script in the script editor and save the script to the data store 4 Determine whether the script is to be run by schedule or at an interval by entering either of the following a Running the script at an in...

Page 700: ...ow Lists are supported using comma but steps generally specified with a are not supported White space or t is a column break The parsing starts at the first non white space character If the wrong number of columns not 6 is parsed parsing fails Day names Mon Tue Wed Thu Fri Sat Sun Month names Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec Note The schedule string must be enclosed in quotes i e 0 ...

Page 701: ...control smartcontrolname where smartcontrolname is the name of the smart control The following is an example eqcli show smart_control sc test This Smart Control is enabled Last Execution Time 11 17 2014 17 07 55 Next Execution Time 11 18 2014 17 07 55 Smart Control Name sc test Schedule Interval 0 Flags Script echo test smart control ...

Page 702: ...y screen An example is shown below 6 Do one of the following to add a new Smart Control a Click on to add a new smart event To modify an existing Smart Control either double click one from the list or select one and click on the In both cases the Modify Smart Control dialogue screen will be displayed The dialogue screen will be change based on your choice of Smart Control types In the example belo...

Page 703: ...pt in the space provided if you have selected the Edit option If using the Upload option click on the Choose File button and follow the dialogue to upload a local script file to your Equalizer file store Click on Commit to save the Smart Control The Smart Control configuration screens will then be available Displaying the Smart Control Configuration Screens Smart Control configuration screens inc...

Page 704: ... the output of the Smart Control daemon from the last run l Viewing the Last script execution time and date l Viewing the Next execution time This is applicable when an interval or schedule has been configured Refer to the descriptions that follow for details l Running the Smart Control by clicking on the Run Now button This will run the script immediately If you click on the Reset button all of...

Page 705: ...ation screen will be displayed when you select Schedule and then select the Year option These scheduling options allow you to configure a Smart Control to be executed on a monthly basis by date and hour 24 hour clock minutes and seconds In the example below the Smart Control is scheduled to be executed on the 4th 8th 15th and 25th of March May and September at 13 00 1PM 1 Select the Months and Day...

Page 706: ... 1PM 1 Select the Days by clicking them You can select one or all of the days Click on a previously selected day of the month to unselect it Note You will note that there are 28 days on the monthly schedule To configure Smart Control execution on the 30th or 31st of the month use the Yearly scheduling option described above and configure Smart Control execution for the 30th and or 31st as necessar...

Page 707: ...w the Smart Control is scheduled to be executed every Sunday Wednesday and Friday at 13 00 1PM 1 Select the Week Days by clicking them You can select one or all of the days of the week Click on a previously selected Week Day to unselect it 2 Select the Smart Control execution Time by using the Hour Minute and Second selectors 3 Click on Commit to save the Scheduling options ...

Page 708: ... seconds In the example below the Smart Control is scheduled to be executed every day at 13 00 1PM 1 Select the Hours by clicking them You can select one or all of the Hours Click on a previously selected Hour to unselect it 2 Click on Commit to save the Scheduling options 3 Use finer grained timing by using the Minute and Second selectors in addition to selecting Hours ...

Page 709: ...iously selected Minute to unselect it 2 Use the Seconds selector if necessary 3 Click on Commit to save the Scheduling options Minute The Minute configuration screen will be displayed when you select Schedule and then select the Minute option This scheduling option allows you to configure a Smart Control to be executed by seconds In the example below the Smart Control is scheduled to be executed e...

Page 710: ...tive white spaces are treated as one Fields which are an asterisk are skipped The schedule string must be enclosed in quotes seconds 0 59 minutes 0 59 hour 0 23 day of month 1 31 month 1 12 or Day Month names as shown below day of week 0 7 0 or 7 is Sun or use names Day names Mon Tue Wed Thu Fri Sat Sun Month names Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec In the example below the string 0 3...

Page 711: ...t Control alerts This daemon is cognizant of important events in the system so it generates an alert for which a Smart Control is configured The Configuration Alert configuration screen is where an alert is attached to the Smart Control 1 Verify that you have configured an alert as described in Configuring Alerts on page 715 You must set the Alert Notification Type on the Add Alert configuration s...

Page 712: ...cripts in this configuration screen Since the Smart Control is already generated there is no need to enter a name 1 Edit the script as necessary Disable it or Upload a new script file If using the Upload option click on the Choose File button and follow the dialogue to upload a local script file to your Equalizer file store 2 Click on Commit to save the changes to the Smart Control ...

Page 713: ...Notification Types 714 Configuring Alerts 715 Configuring an SMTP Relay 716 Configuring Alerts in the CLI 718 Configuring Alerts in the GUI 721 ...

Page 714: ...he specified recipients using a specified SMTP relay mail server When this notification type is used an email address is also required A subject line for the email is optional 2 syslog Sends an alert message to the system log 3 snmp SNMP traps send alert notifications via an SNMP trap to the currently configured trap servers Refer to Setting Up SNMP Traps for additional information 4 ui T...

Page 715: ...d have been used The only restriction is that the must either be the only character in the object name or the last character of the object name i e object sv is not allowed Enter the following in the CLI to show the alert configuration eqcli user tou show alert al_switch Alert Name al_switch Object Type interface Object swport Alert Type state_change Notify Type ui syslog From Email Address Emai...

Page 716: ...xt_services smtp_relay name server IP_or_FQDN port number For example if you have an SMTP relay server named postmaster that has an IP address of 10 0 0 111 and uses the standard SMTP port you can enter this command eqcli ext_services smtp_relay postmaster server 10 0 0 111 port 25 To display the SMTP relay definition enter eqcli show ext_services smtp_relay postmaster To delete the SMTP relay def...

Page 717: ...ing the External Services tab Currently only one SMTP relay is supported To add an SMTP relay click on to display the Add SMTP Relay form as shown below Enter an IP Address for the SMTP Relay in the SMTP Server IP Address field Specify the port to use with the SMTP Server Port selection The Port defaults to 25 and can range from 1 to 65535 Click on Commit to save the entries To delete a...

Page 718: ...card characters For example to configure an alert for all subnets of vlan vl01 specify object vl01 Also an object hierarchy of vl01 sn 1 would configure alerts for subnets sn1 sn01 sn11 etc object_type Can be a si server instance fogrp failover group peer interface port srvpool server pool llb gw Link Load Balancing Gateway and server alert_type Alert Types are state_change and exception The state...

Page 719: ...r touch that sends email whenever the server testserver is marked up or down by Layer 3 probes eqcli user touch eqcli user tou alert testsrvr eqcli user tou alert tes alert_type state_change eqcli user tou alert tes notify_type email eqcli user tou alert tes object testserver eqcli user tou alert tes object_type server eqcli user tou alert tes to user example com eqcli user tou alert tes subject S...

Page 720: ...ser touch eqcli user tou alert standmode eqcli user tou alert tes alert_type state_change eqcli user tou alert tes notify_type email eqcli user tou alert tes object Eq_AD1122CC99 eqcli user tou alert tes object_type peer eqcli user tou alert tes to user example com eqcli user tou alert tes subject Status email from Eq450 100 eqcli user tou alert tes commit ...

Page 721: ...tances peers or user interfaces In order for a user s alert notification emails to work a mail server 1 must be added to external services 2 must be selected in the user s context To configure and edit alerts using the GUI 1 Log in as described in Logging In on page 230 2 Click on the System configuration tab 3 Click on the arrow beside Alerts to expand the branch 4 Click on Configuration to dis...

Page 722: ...e displayed with a list of previously configured Smart Events Select multiple Alert Types and Notification Types by pressing the CTRL key while selecting each item from the lists Note Selecting the Disable flag will disable the alert Alert Name A descriptive name for the alert Object Name This is the name of the object associated with this alert if the object is contained within another object bot...

Page 723: ...bject If the email notification type is specified from the drop down list this is the optional subject of the email For the syslog notification type this text is included in the system log message Smart Control If smartd is selected from the Notification Type drop down list a Smart Control drop down list will be visible You must have a Smart Event configured prior to using this Notification Type R...

Page 724: ... Backup modes apply to Equalizer in a failover configuration Standalone mode is the normal operational state for a single Equalizer not deployed in a failover pair when it is first booted On an Equalizer that is not deployed in a failover configuration there is a single peer definition that refers to the local Equalizer In a failover configuration there are two peer definitions one for the local E...

Page 725: ... Setting Up SNMP Traps 726 Setting Up an SNMP Management Station 727 Enabling SNMP 728 Enabling SNMP Traps 729 Creating Alerts for SNMP Traps 730 ...

Page 726: ... SNMP traps are alerts that are tied into the Equalizer Alerts system They enable an agent to notify a management station of significant events by way of unsolicited SNMP messages First they must be enabled using the CLI context and then created for each desired alert Presently Equalizer supports the following SNMP traps l Server up down events Equalizer triggers these traps when it detects ...

Page 727: ...zer Refer to SNMP Commands on page 213 or SNMP on page 268 l Use the address and port specified in the above for SNMP traps usually port 162 is used for this purpose but this can be configured as shown in Enabling SNMP Traps on page 729 l Use the MIB definitions these need to be loaded into the management console following the instructions for the console The MIB source files are located at http L...

Page 728: ... eqcli show You should see a line that looks like the following eqcli show Variable Value recv_timeout 2 conn_timeout 1 hb_interval 2 retry_interval 5 strike_count 3 icmp_interval 15 icmp_maxtries 3 hostname Equalizer date Thu Mar 20 11 49 09 UTC 2014 timezone UTC locale en global services http https ssh fo_snmp snmp Envoy Envoy_agent name servers None ntp server pool ntp org Unavailable name serv...

Page 729: ... Enabling SNMP Traps SNMP traps must first be enabled using the CLI An snmp trap address and port is required to enable the traps Enter the following at the CLI prompt eqcli snmp serverip ip serverport port where ip is the SNMP trap server IP and port is the SNMP trap server port The port is optional If it is NOT entered the default trap server port 162 will be used Multiple trap servers can be de...

Page 730: ...s object testserver eqcli user tou alert tes object_type server eqcli user tou alert tes commit Creating SNMP Trap Peer Alerts Setting an SNMP Trap alert enables the sending of snmp trap messages to the snmp management station whenever a peer state changes to Primary Backup or Standalone modes Primary and Backup modes apply to Equalizer in a failover configuration Standalone mode is the normal ope...

Page 731: ...ge whenever a failover group fo_group1 changes state Note that the failover group object name must be entered as peername fogroupname eqcli user touch eqcli user tou alert fogroupstatechange eqcli user tou alert tes alert_type state_change eqcli user tou alert tes notify_type snmp eqcli user tou alert tes object Eq_AD1122CC99 fo_group1 eqcli user tou alert tes object_type fogrp eqcli user tou aler...

Page 732: ...Using SNMP Traps ...

Page 733: ...e Best User and Group Management Practices 734 Object Permission Types 735 Required Task Permissions and Flags 736 Single and Multiple User Scenarios 742 ...

Page 734: ... given permission to perform certain administrative tasks by enabling the read_global and write_global flags for that user See User Flags on page 219 l No groups other than Default are used The next step up in complexity is to give a non admin user the ability to create objects of a particular type An even more advanced mode allows users to create objects of a certain type and add them to a group ...

Page 735: ...signed a value. The user cannot, however, add or delete global objects (for example logins, clusters and responders). For clusters, the user can modify the values assigned to all cluster parameters, including parameters that are not already assigned a value. The user cannot add or delete a cluster object (for example a server or match rule). Create: in addition to write permission, the user can add new objects. F...

Page 736: ... certificate; adding a cluster: create cluster, write vlan_name, read certificate_name, read crl_name; adding a CRL: create crl; adding a DNS server: write_global; adding a GeoCluster: create geocluster; adding a GeoSite: create geosite; adding a GeoSite instance: write cluster_name, read geosite_name; adding a GeoSite IP: write geosite_name; adding a GeoSite resource: write geosite_name; adding a match rule: write clu...

Page 737: ...pool: create srvpool; adding a subnet: write vlan_name; adding a subnet route: write vlan_name; adding a syslog server: write_global; adding a VLAN: create vlan, write port_name; add/delete/modify group: admin; add/delete/modify group permit list: admin; add/delete/modify user: admin; add/delete/modify user permit list: admin; deleting a certificate: delete certificate_name, write cluster_name; deleting a cluster: delet...

Page 738: ...name, write srvpool_name; deleting a server instance: write srvpool_name; deleting a server pool: delete srvpool_name, write cluster_name; deleting a subnet: write vlan_name; deleting a subnet permit list entry: write vlan_name; deleting a subnet route: write vlan_name; deleting a VLAN: delete vlan_name, write cluster_name; deleting a peer, DNS server, NTP server or syslog server: write_global; displaying a certificate fil...

Page 739: ..._global; displaying a group: read group_name; displaying a group permit list: read group_name; displaying an interface: read_global; displaying an interface status: read_global; displaying logs: read_global; displaying a match rule: read cluster_name; displaying the number of entries in a permit list: read vlan_name; displaying the number of peers: read_global; displaying the number of subnet routes: read vlan_name; di...

Page 740: ...read user_name; displaying a user permit list: read user_name; displaying a VLAN: read vlan_name; modifying a cluster: write cluster_name; modifying global parameters: write_global; modifying an interface: write_global; modifying a match rule: write cluster_name; modifying a peer: write_global; modifying a port: write port_name; modifying a responder: write responder_name; modifying a server: write server_name; modi...

Page 741: ...ange their own password unless that user has the admin flag set; modifying a VLAN: write vlan_name, write port_name; MSG_GET_CONFIG: admin; MSG_SET_CONFIG: admin; running a global command: write_global ...

Page 742: ...t's VLANs, Servers, Server Pools, etc. The permissions must be set up by a user with administrative privileges, and they must be set up on the eqcli command line interface. In the scenario described below, two users will be assigned permissions using the Operations and Permissions shown in Object Permission Types on page 735. User Touch_1 will be able to read, write, create and delete all of the servers, s...

Page 743: ...w users and their login credentials have now been created. User Touch_1 now has read and write permissions for cluster Cl1, and user Touch_2 has read and write permissions for cluster Cl2. The next step is to add specific permissions on the Equalizer objects within each cluster for each user. Object Permissions for Each User: set up the object permissions for users Touch_1 and Touch_2. Use Required Task...

Page 744: ...ject read write delete server test3; eqcli > user Touch_1 permit_object read write delete server test4. Permissions have now been configured for users Touch_1 and Touch_2. Each has access to one cluster, and access with permissions on the VLANs, Servers and Server Pools within that cluster. To view the permissions, enter the following: eqcli > show user Touch_1. Output: User Name: Touch_1; Duration: 3600; Flags: (none); Locale: en; Read Pe...

Page 745: ...rpool1; responders; VLANs; geoclusters; geosites; users; certificates; CRLs; ports; clusters. eqcli > show user Touch_2. Output: User Name: Touch_2; Duration: 3600; Flags: (none); Locale: en; Read Permissions: servers test3 test4; server pools testserverpool2; responders; VLANs vl2; geoclusters; geosites; users; certificates; CRLs; ports ...

Page 746: ...icates; CRLs; ports; clusters Cl2. Create Permissions: servers; server pools; responders; VLANs; geoclusters; geosites; users; certificates; CRLs; ports; clusters. Delete Permissions: servers test3 test4; server pools testserverpool2; responders; VLANs; geoclusters; geosites; users; certificates; CRLs; ports; clusters ...
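
The required-permission table on pages 736-741 and the Touch_1 / Touch_2 scenario on pages 742-746 together describe a least-privilege model: a task is allowed only when the user holds every operation the table lists on the specific objects the task touches, with global flags for global objects. The following is an added example, not code from the Equalizer guide or from Equalizer itself: it transcribes a handful of the table's rows into a checker and runs two cluster-scoped users against it. The user names, object names, grant sets and the task keys (add_cluster, delete_server_pool, ...) are constructed for illustration, and no admin bypass of per-object checks is modelled because the page requires the admin flag only for the user and group tasks.

```python
"""Added example (not from the Equalizer guide): required-task-permission checks
modelled on the table on pages 736-741, applied to two cluster-scoped users in
the style of Touch_1 / Touch_2 on pages 742-746. Names and grants are constructed."""
from dataclasses import dataclass, field

GLOBAL_FLAGS = {"admin", "read_global", "write_global"}

# (operation, target): target is a global flag (None placeholder), an object
# TYPE for 'create', or the name of a task parameter whose value is the object
# to check. 'if_given' rows apply only when the caller passes that parameter
# (a cluster may be created with or without a certificate and CRL).
REQUIRED = {
    "add_cluster":        {"always": [("create", "cluster"), ("write", "vlan_name")],
                           "if_given": [("read", "certificate_name"), ("read", "crl_name")]},
    "add_match_rule":     {"always": [("write", "cluster_name")]},
    "add_dns_server":     {"always": [("write_global", None)]},
    "add_server_pool":    {"always": [("create", "srvpool")]},
    "delete_server_pool": {"always": [("delete", "srvpool_name"), ("write", "cluster_name")]},
    "delete_vlan":        {"always": [("delete", "vlan_name"), ("write", "cluster_name")]},
    "display_logs":       {"always": [("read_global", None)]},
    "modify_user":        {"always": [("admin", None)]},
}


@dataclass
class User:
    name: str
    flags: set = field(default_factory=set)    # subset of GLOBAL_FLAGS
    grants: set = field(default_factory=set)   # {(op, object_name_or_type), ...}


def missing_permissions(user, task, **params):
    """Return the list of (op, target) the user lacks for this task; an empty
    list means the task is authorized. Global flags are checked on the user,
    'create' against the object type, everything else against the named object
    passed in params. A task that is called without one of its object
    parameters is a caller bug, so it raises rather than silently passing."""
    spec = REQUIRED[task]
    checks = list(spec["always"]) + [c for c in spec.get("if_given", []) if c[1] in params]
    missing = []
    for op, target in checks:
        if op in GLOBAL_FLAGS:
            if op not in user.flags:
                missing.append((op, None))
        elif op == "create":
            if ("create", target) not in user.grants:
                missing.append((op, target))
        else:
            obj = params.get(target)
            if obj is None:
                raise KeyError(f"{task} needs parameter {target}")
            if (op, obj) not in user.grants:
                missing.append((op, obj))
    return missing


def authorized(user, task, **params):
    return not missing_permissions(user, task, **params)


def scoped_user(name, cluster, vlan, pool):
    """Constructed grant set in the style of the scenario: read/write inside one
    cluster, delete and create only on its own server pool, nothing global."""
    grants = set()
    for obj in (cluster, vlan, pool):
        grants.update({("read", obj), ("write", obj)})
    grants.add(("delete", pool))
    grants.add(("create", "srvpool"))
    return User(name, set(), grants)


TOUCH_1 = scoped_user("Touch_1", "Cl1", "vl1", "testserverpool1")
TOUCH_2 = scoped_user("Touch_2", "Cl2", "vl2", "testserverpool2")
```

The useful property to check after configuring real users is the negative case: Touch_2 asking to delete testserverpool1 inside Cl1 must come back with two missing grants, and neither scoped user can add a DNS server or create a cluster, because those need write_global or a create grant on the cluster type that was never given.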

Page 747: ...sion Terms 748; Learning About Atoms 749; Creating a Bracket Expression 750; Escape Sequences 751; Matching in Regular Expressions 752; Using Regular Expressions in Responders 753 ...

Page 748: ... or by a bound. An atom followed by an asterisk (*) matches a sequence of 0 or more matches of the atom. An atom followed by a plus sign (+) matches a sequence of 1 or more matches of the atom. An atom followed by a question mark (?) matches a sequence of 0 or 1 matches of the atom. A bound consists of an open brace ({) followed by an unsigned decimal integer between 0 and 255 inclusive. You can follow the fir...

Page 749: ... any single character; a caret (^), which matches the null string at the beginning of a line; a dollar sign ($), which matches the null string at the end of a line; a backslash followed by one of the following characters, which matches that character taken as an ordinary character; a backslash followed by any other character, which matches that character taken as an ordinary character as if the backslash had not be...

Page 750: ...aracters of that collating element. The sequence is a single element of the bracket expression's list. A bracket expression containing a multi-character collating element can thus match more than one character; e.g. if the collating sequence includes a ch collating element, then the regular expression [[.ch.]]*c matches the first five characters of chchcc. Within a bracket expression, a collating element enclosed...

Page 751: ...rs matches a single backslash; \b matches the beginning of a word, e.g. \bex matches example but not text; \n, \r, \t and \v match whitespace characters; \' and \" match single and double quotes ...

Page 752: ...eal expression taking priority over ones starting later. Note that higher-level subexpressions thus take priority over their lower-level component subexpressions. Match lengths are measured in characters, not collating elements. A null string is considered longer than no match at all. For example, bb* matches the three middle characters of abbbc; (wee|week)(knights|nights) matches all ten characters of weekn...

Page 753: ...ession. Assign each string to a named variable. These named variables can then be used in the URL field of the Redirect Responder. When the Responder replies to a client, it performs string substitution on the URL. Because the purpose of using regular expressions to perform string substitution in Redirect URLs is to parse request URLs into strings, constructing an appropriate regular expression requir...
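
Two things on pages 752-753 are easy to get wrong in practice: the leftmost-longest rule (bb* takes all three b's of abbbc; wee|week takes "week" from weeknights, where a backtracking engine would stop at "wee"), and the fact that a sloppy request-URL regex feeding a Redirect Responder becomes an open redirect. The following is an added example, not code from the guide or from Equalizer: it emulates the POSIX overall-match rule on top of Python's leftmost-first engine so the difference can be observed, and shows a request-URL parse whose named captures are substituted into a redirect template. The (?P<name>...) and \g<name> syntax is Python's, standing in for the Responder's variable syntax, which this page does not show; the catalog pattern, the template and the host allow-list are constructed.

```python
"""Added example (not from the Equalizer guide): POSIX leftmost-longest matching
versus Python's leftmost-first, and a Redirect-URL rewrite from named captures.
Pattern, template and allowed hosts are constructed for illustration."""
import re
from typing import Optional, Tuple
from urllib.parse import urlsplit


def posix_match(pattern: str, text: str) -> Optional[Tuple[int, int, str]]:
    """Emulate the POSIX ERE rule for the overall match: the earliest starting
    match wins, and among matches at that start the longest wins. Python's
    engine returns the first alternative that succeeds, so instead we demand a
    fullmatch over every candidate span, longest span first. O(n^2) attempts,
    which is fine for the URL-sized inputs a Responder sees."""
    rx = re.compile(pattern)
    for start in range(len(text) + 1):
        for end in range(len(text), start - 1, -1):
            if rx.fullmatch(text, start, end):
                return start, end, text[start:end]
    return None


def python_match(pattern: str, text: str) -> Optional[Tuple[int, int, str]]:
    """Python's native (leftmost-first) result, for comparison."""
    m = re.compile(pattern).search(text)
    return (m.start(), m.end(), m.group(0)) if m else None


# Constructed request-URL rule. It is anchored at both ends, and the capture
# classes exclude '/', '?' and '#', so a captured piece can never smuggle in
# an extra path segment, a query or a second host when it is substituted.
CATALOG_RULE = re.compile(
    r"^/catalog/(?P<category>[^/?#]+)/(?P<item>[^/?#]+)/?(?:\?(?P<qs>[^#]*))?$"
)
REDIRECT_TEMPLATE = r"https://shop.example.com/\g<category>/\g<item>"
ALLOWED_HOSTS = {"shop.example.com"}   # constructed allow-list


def build_redirect(request_url: str) -> Optional[str]:
    """Parse the request URL into named strings and substitute them into the
    redirect template. None means 'no match, do not redirect'. The result's
    host is checked against the allow-list as a second line of defence, so a
    later edit to the pattern or template cannot quietly create an open
    redirect."""
    m = CATALOG_RULE.match(request_url)
    if not m:
        return None
    target = m.expand(REDIRECT_TEMPLATE)
    if urlsplit(target).hostname not in ALLOWED_HOSTS:
        raise ValueError(f"redirect target leaves the allowed hosts: {target}")
    return target
```

When testing a Responder regex, compare what you expect under the POSIX rule with what a desktop regex tester (almost always a backtracking engine) shows you; alternations whose branches are prefixes of each other, like wee|week, are exactly where the two disagree.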

Page 755: ...agnostic Commands 759; Using tcpdump 772; Using Watchdog Timers 776; Configuring the Baseboard Management Controller (BMC) 780; Prerequisites 780; Configuration 780; Using IPMI to Power Servers On/Off 788 ...

Page 756: ... server to the client. Adjust routes until the ADC's address shows up in the traceroute output. All packets sent from the server back to clients must pass through the ADC on the way back to the client, unless the spoof cluster option is disabled or Direct Server Return (DSR) is configured. Test client is on the same network as the servers: if the test client is on the same network as the servers, the server...

Page 757: ...pgrade. You can do this by clearing your browser cache, or by closing your browser and opening it again to establish a new connection. Equalizer Doesn't Respond to Pings to the Admin Address: Equalizer is not powered on. Check that the power switch is on and the front panel LED is lit. Connect the keyboard and monitor, cycle the power and watch the startup diagnostic messages. Equalizer isn't connected to your n...

Page 758: ...izer is not showing up as the first hop, routing is the cause of the problem. Context Help Does Not Appear: turn off the pop-up blocker for your browser. Log Contains SSL Errors with "wrong version number": if you have one or more HTTPS clusters defined, you may see the following messages in the Equalizer log: ssl_err 425 error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number:s3_pkt.c:360. This OpenSSL error means the record layer received a record whose version field was not the one negotiated, typically because a client sent plaintext HTTP, or a protocol version the cluster does not accept, to the HTTPS port. ssl_err...

Page 759: ...ntext or in diags context. For example: eqcli > diags arp | df | dig | ifconfig | netstat | ps | top. arp: the arp command displays the ARP entries. An example of arp output is as follows: eqcli > diags arp. ARP Entries: 172.16.0.1 at 00:01:30:b9:69:90 on ixg0; 192.168.0.15 at (incomplete) on ixg1; 192.168.0.16 at (incomplete) on ixg1; 192.168.0.17 at (incomplete) on ixg1; 192.168.0.18 at (incomplete) on ixg1; 192.168.0.50 at (incom...

Page 760: ...1032238 172354 808274 17 var eq kernfs 1 1 0 100 kern ptyfs 1 1 0 100 dev pts tmpfs 8192 16 8176 0 tmp tmpfs 12288 408 11880 3 tmp statcache dev wd0h 82575976 60033804 18413374 76 var crash usr local captive 1032238 152378 828250 15 tm p capt 0000516aa etc resolv conf 1032238 3698 976930 0 tm p capt 0000516aa etc resolv conf dev clockctl 1032238 152378 828250 15 tm p capt 0000516aa dev clockctl tm...

Page 761: ...vers net 330190 IN A 202 12 27 33 m root servers net 330190 IN AAAA 2001 dc3 35 f root servers net 330190 IN A 192 5 5 241 f root servers net 330190 IN AAAA 2001 500 2f f e root servers net 330190 IN A 192 203 230 10 k root servers net 330190 IN A 193 0 14 129 k root servers net 330190 IN AAAA 2001 7fd 1 j root servers net 330190 IN A 192 58 128 30 j root servers net 330190 IN AAAA 2001 503 c27 2 ...

Page 762: ...9 capabilities 3ff80 TSO4 IP4CSUM_Rx IP4CSUM_Tx TCP4CSUM_Rx TCP4CSUM_ Tx UDP4CSUM_Rx UDP4CSUM_Tx TCP6CSUM_Rx TCP6CSUM_Tx UDP6CSUM_Rx UDP6CSUM_Tx enabled 3ff80 TSO4 IP4CSUM_Rx IP4CSUM_Tx TCP4CSUM_Rx TCP4CSUM_Tx UDP4CSUM_ Rx UDP4CSUM_Tx TCP6CSUM_Rx TCP6CSUM_Tx UDP6CSUM_Rx UDP6CSUM_Tx address 00 0c bd 05 a3 05 media Ethernet autoselect 10GbaseSR full duplex status active inet 192 168 5 90 netmask 0xf...

Page 763: ...Rx IP4CSUM_Tx TCP4CSUM_Rx TCP4CSUM_ Tx UDP4CSUM_Rx UDP4CSUM_Tx TCP6CSUM_Rx TCP6CSUM_Tx UDP6CSUM_Rx UDP6CSUM_ Tx TSO6 enabled 7ff80 TSO4 IP4CSUM_Rx IP4CSUM_Tx TCP4CSUM_Rx TCP4CSUM_Tx UDP4CSUM_ Rx UDP4CSUM_Tx TCP6CSUM_Rx TCP6CSUM_Tx UDP6CSUM_Rx UDP6CSUM_Tx TSO6 address 00 0c bd 05 a3 00 media Ethernet autoselect none status no carrier inet6 fe80 20c bdff fe05 a300 wm4 prefixlen 64 scopeid 0x7 wm5 fl...

Page 764: ... fe05 a303 wm7 prefixlen 64 scopeid 0xa wm8 flags 8843 UP BROADCAST RUNNING SIMPLEX MULTICAST mtu 9000 capabilities 7ff80 TSO4 IP4CSUM_Rx IP4CSUM_Tx TCP4CSUM_Rx TCP4CSUM_ Tx UDP4CSUM_Rx UDP4CSUM_Tx TCP6CSUM_Rx TCP6CSUM_Tx UDP6CSUM_Rx UDP6CSUM_ Tx TSO6 enabled 7ff80 TSO4 IP4CSUM_Rx IP4CSUM_Tx TCP4CSUM_Rx TCP4CSUM_Tx UDP4CSUM_ Rx UDP4CSUM_Tx TCP6CSUM_Rx TCP6CSUM_Tx UDP6CSUM_Rx UDP6CSUM_Tx TSO6 addre...

Page 765: ...cp 0 0 0 0 127 0 0 1 90 LISTEN tcp 0 0 0 0 172 16 5 97 80 LISTEN tcp 0 0 0 0 172 16 5 91 80 LISTEN udp 0 0 0 0 udp 0 0 0 0 udp 0 0 0 0 udp 0 0 0 0 172 16 5 90 65533 udp 0 0 0 0 172 16 5 90 161 Active Internet6 connections including servers Proto Recv Q Send Q Local Address Foreign Address state udp6 0 0 udp6 0 0 udp6 0 0 Active UNIX domain sockets Address Type Recv Q Send Q Inode Conn Refs Nextref...

Page 766: ... tm p eqsock anon envoy 418 0 6ae0d834 dgram 0 0 6ae17798 0 0 0 tm p eqsock anon l3pd 1204 0 6ae0da14 dgram 0 0 6adfa0b4 0 0 0 tm p eqsock anon statsd 1091 0 6ab04234 dgram 0 0 0 66c3d5f4 0 6b182e64 var run log 6ac42a5c dgram 0 0 6ad3f168 0 0 0 tm p eqsock snmptrap sock 6ab043c4 dgram 0 0 0 66c3d5f4 0 6ab04eb4 var run log 6ac428cc dgram 0 0 67b2f164 0 0 0 tm p eqsock anon t_roxy_n3 1059 0 6ab048c4...

Page 767: ...580 0 0 0 tm p eqsock anon cpsmib2agt 1021 0 6ac42aac dgram 0 0 6ad3f218 0 0 0 tm p eqsock anon cpsequalagt 207 0 69b0f744 dgram 0 0 0 66c3d5f4 0 69b0f5b4 var run log 69b0ff14 dgram 0 0 6aaeadd0 0 0 0 tm p eqsock peerd sock 69b0fe74 dgram 0 0 6aaeae80 0 0 0 tm p eqsock anon peerd 767 6 67b020fc dgram 0 0 6aaeaf30 0 0 0 tm p eqsock anon peerd 767 5 67b0205c dgram 0 0 6a94b00c 0 0 0 tm p eqsock anon...

Page 768: ...qsock switchd sock 66c3d1e4 dgram 0 0 0 66c3d5f4 0 0 var run log 6ae0d5b4 dgram 0 0 0 66c3d5f4 0 6ae0d744 var run log 69b0f014 dgram 0 0 6ab72c64 0 0 0 tm p eqsock anon acvd 1077 0 69b0fdd4 dgram 0 0 6a94b63c 0 0 0 tm p eqsock anon eqcli 562 0 6b182374 dgram 0 0 0 66c3d5f4 0 6ae0d7e4 var run log 6ab04374 dgram 0 0 0 66c3d5f4 0 6ab043c4 var run log 66c3d284 dgram 0 0 0 66c3d5f4 0 67b0241c var run l...

Page 769: ...l ntp org 767 S 0 26 29 peerd Peer Daemon 778 Ss 0 00 04 usr sbin cron 792 Is 0 00 00 usr sbin inetd l 966 I 0 00 00 usr libexec httpd U _eqcli s b f n i 172 16 5 90 990 S 0 00 02 smartd Smart Control Daemon 1021 I 0 00 00 usr local libexec cpsmib2agt 1047 I 0 00 01 usr local libexec snmpdm d snmp_bindaddr 172 16 5 90 1049 S 0 00 49 lbmd LB Mgmt Daemon l4_spirent_1 1052 S 0 02 38 usr local libexec...

Page 770: ...0 user 0 0 nice 0 0 system 0 0 interrupt 100 idle CPU10 states 0 0 user 0 0 nice 0 0 system 0 0 interrupt 100 idle CPU11 states 0 0 user 0 0 nice 0 0 system 0 0 interrupt 100 idle CPU12 states 0 3 user 0 0 nice 0 1 system 0 0 interrupt 99 6 idle CPU13 states 0 2 user 0 0 nice 0 3 system 0 0 interrupt 99 5 idle CPU14 states 0 0 user 0 0 nice 0 0 system 0 0 interrupt 100 idle CPU15 states 0 0 user 0...

Page 771: ... 85 0 4528K 2520K select 1 0 00 0 00 0 00 lbmd 1078 _lbmd 85 0 4528K 2520K select 8 0 00 0 00 0 00 lbmd 270 _lbmd 85 0 4512K 2480K select 9 0 00 0 00 0 00 lbmd 1061 _udppd 85 0 4180K 2132K kqueue 1 0 00 0 00 0 00 udppd 1047 _snmp 85 0 3016K 2076K select 1 0 00 0 00 0 00 snmpdm 96 _hcd 85 0 4216K 2016K kqueue 1 0 00 0 00 0 00 hcd 990 _switchd 85 0 4000K 1952K kqueue 1 0 00 0 00 0 00 smartd 966 _eqc...

Page 772: ...s ICMP. In all cases, only packets that match the expressions will be processed by tcpdump. tcpdump is used with the Equalizer CLI using the eqcli diags tcpdump commands, or in diags context. The number of packets captured can be specified by either command line syntax or by manually halting a capture in progress using CTRL-C. For example, if you need to capture packets from a server sv01 you woul...

Page 773: ...uest who-has 172.16.166.10 tell 172.16.128.1, length 46; 12:33:35.312253 ARP, Reply 172.16.166.10 is-at 00:90:0b:29:89:88 (oui Unknown), length 28; 12:33:35.312342 IP 192.168.10.19.49749 > 172.16.166.10.http: Flags [S], seq 1452094800, win 5840, options [mss 1460,sackOK,TS val 6931863 ecr 0,nop,wscale 6], length 0; 12:33:35.312374 IP 172.16.166.10.http > 192.168.10.19.49749: Flags [S.], seq 771217372, ack 1452094801, win 46...

Page 774: ...ltering Expressions. Custom filtering expressions can be used in the tcpdump CLI syntax to trim out various types of traffic. You can combine them in different ways to find exactly what you're looking for. PCAP filtering expressions are used in these cases; refer to www.tcpdump.org for detailed descriptions of PCAP filtering expressions. When using custom PCAP filtering expressions...

Page 775: ...cli > diags tcpdump capture vlan vl01 expr "tcp[13] & 3 != 0". Capture all packets to/from a cluster cl01 that are larger than 576 bytes: eqcli > diags tcpdump capture cluster cl01 expr "ip[2:2] > 576". Host-based filtering: 1. Capture traffic between a server sv01 and a host with IP ...: eqcli > diags tcpdump capture server sv01 expr "host ...". Filtering Ports: 1. Capture all packets to/from a cluster cl01 and a port XX: eqcli diag...
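
The two byte-offset filters above are the ones people copy without knowing what they test: tcp[13] is the TCP flags byte, so "tcp[13] & 3 != 0" selects segments with SYN or FIN set, and ip[2:2] is the 16-bit IPv4 Total Length field. The following is an added example, not code from the guide or from tcpdump: a small evaluator for the general form proto[offset(:len)] [& mask] op value, of which the page's two filters are instances, run against constructed IPv4/TCP packets. Addresses, ports and the zeroed checksums are sample values; only the header layout is real.

```python
"""Added example (not from the Equalizer guide): evaluate pcap byte-offset tests
such as 'tcp[13] & 3 != 0' and 'ip[2:2] > 576' against constructed packets.
Supported form: proto[offset(:len)] [& mask] op value, proto in ip/tcp/udp/icmp."""
import re
import struct

_FILTER = re.compile(
    r"^\s*(?P<proto>ip|tcp|udp|icmp)\[(?P<off>\d+)(?::(?P<len>[124]))?\]"
    r"(?:\s*&\s*(?P<mask>0x[0-9a-fA-F]+|\d+))?"
    r"\s*(?P<op>==|!=|>=|<=|>|<)\s*(?P<val>0x[0-9a-fA-F]+|\d+)\s*$"
)
_PROTO_NUM = {"icmp": 1, "tcp": 6, "udp": 17}
_OPS = {
    "==": lambda a, b: a == b, "!=": lambda a, b: a != b,
    ">": lambda a, b: a > b, "<": lambda a, b: a < b,
    ">=": lambda a, b: a >= b, "<=": lambda a, b: a <= b,
}


def eval_filter(expr: str, ip_packet: bytes) -> bool:
    """Evaluate one pcap byte-offset test against a raw IPv4 packet.
    Offsets in tcp[]/udp[]/icmp[] are relative to the start of that header, so
    the IPv4 header length (IHL, low nibble of byte 0) is honoured; ip[] offsets
    start at byte 0. A transport-layer test on a packet of another protocol
    never matches, which is how tcpdump behaves too."""
    m = _FILTER.match(expr)
    if not m:
        raise ValueError(f"unsupported filter expression: {expr!r}")
    ihl = (ip_packet[0] & 0x0F) * 4
    proto = m["proto"]
    if proto == "ip":
        base = 0
    elif ip_packet[9] == _PROTO_NUM[proto]:
        base = ihl
    else:
        return False
    off, length = int(m["off"]), int(m["len"] or 1)
    field = ip_packet[base + off: base + off + length]
    if len(field) < length:
        return False                      # truncated packet: no match
    value = int.from_bytes(field, "big")
    if m["mask"]:
        value &= int(m["mask"], 0)
    return _OPS[m["op"]](value, int(m["val"], 0))


# --- constructed packets (sample addresses, checksums left at zero) ---
FIN, SYN, RST, PSH, ACK = 0x01, 0x02, 0x04, 0x08, 0x10


def ipv4_header(total_length: int, proto: int = 6) -> bytes:
    """Minimal 20-byte IPv4 header; bytes 2-3 carry Total Length, byte 9 the protocol."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_length, 0x1234, 0, 64,
                       proto, 0, bytes([192, 168, 10, 19]), bytes([172, 16, 166, 10]))


def tcp_header(flags: int, sport: int = 49749, dport: int = 80) -> bytes:
    """Minimal 20-byte TCP header; byte 13 is the flags byte."""
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 5840, 0, 0)


def syn_packet() -> bytes:
    return ipv4_header(40) + tcp_header(SYN)


def ack_packet(payload_len: int = 0) -> bytes:
    return ipv4_header(40 + payload_len) + tcp_header(ACK | PSH) + b"A" * payload_len


def udp_packet() -> bytes:
    """Same bytes at the transport offset as a SYN, but IP protocol 17."""
    return ipv4_header(28, proto=17) + tcp_header(SYN)[:8]
```

On a real capture the readable forms do the same job and are harder to get wrong: "tcp[tcpflags] & (tcp-syn|tcp-fin) != 0" for the first filter and "greater 576" for the second. The protocol check matters: a "tcp[13]" test silently matches nothing on UDP traffic, so an empty capture may mean the filter is wrong rather than that the traffic is absent.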

Page 776: ... software doesn't matter: it will always succeed. reboot: as opposed to a CPU reset, a reboot may not succeed, if the operating system hangs for example. panic: a reboot that is caused by a kernel exception or by a Non-maskable Interrupt (NMI). This default behavior can also be changed to cause the system to enter the kernel debugger instead of rebooting. Non-maskable Interrupt (NMI): in this scenario the operati...

Page 777: ...tchdog and then, several seconds later, reboot using a CPU reset. The following rules apply. reset = 0 (any nmi value): the watchdog is not armed, i.e. if the reset timer is 0 the nmi value does not matter. reset > 0, nmi = 0: the system will reset the CPU reset seconds after the timer stops being tickled. This is the default behavior (reset = 30). reset > 0, nmi > 0, reset > nmi: the system will generate an NMI nmi seconds after the tim...

Page 778: ...nic: 0 or 1. Sets the ddb.onpanic sysctl. The default is 0. If set to 1, the system enters the debugger on panic or on NMI. Therefore, if it is set and the IPMI watchdog NMI timer is active, the system will enter the debugger when the watchdog expires instead of panicking. Note: the reset timer is controlled by the already existing hidden "watchdog seconds" command. When the system boots, a message or two messages will...

Page 779: ... If the software watchdog is active at this time it will never reboot, which means that the standby failover peer will never take over as the primary unit. Setting the require_hw_wd option on these systems will prevent the system from processing traffic until after the IPMI watchdog is available. This means that if it locks up while the software watchdog is in use, it isn't processing traffic. If i...

Page 780: ...configured. Prerequisites: before configuring the BMC utility it is recommended that you contact your network administrator to obtain an IP address and subnet mask for the BMC, and the IP address of the gateway through which the BMC will be accessed. Because the BMC gives power and console control over the unit independently of the Equalizer operating system, its address should sit on a management network that is not reachable from the networks the clusters serve. Configuration: the BMC is configured using CLI commands only. In the GUI you can run the BMC commands shown in this section using the CLI widget on the Das...

Page 781: ...d at the eqcli prompt, press ENTER and follow the prompts to enter the password and confirm it (press ENTER after entering and confirming): eqcli > bmc passwd; Please enter password: ; Please confirm password: ; eqcli: 12000287: Operation successful. 3. Enable the BMC by entering eqcli > bmc enable; eqcli: 12000287: Operation successful. 4. Enter an IP address (lan ip) for the BMC. The defaul...

Page 782: ...ptions. To access the console, enter the IP address that you configured in the address bar of your web browser. Log In to the Integrated BMC Web Console: to log in to the BMC web interface, enter the IP address into your browser's address box. The IP address is the one that you configured as the lan ip above. You will be prompted for the User Name and Password that you configured. When you click on the Lo...

Page 783: ...onsole up for web access by following the instructions in the previous section. Once you have access to the Web Console and have logged in, select the Configuration tab and then Users from the left navigation pane. The User List will appear on the right ...

Page 784: ...existing user's User Name, User Status or Network Privileges, select the user from the User List and click on the Modify User button. Click on the Help link at top right for instructions on how to use the Web Console interface. To change a user password in the web console, select the Change Password check box, enter the Password and confirm it, and then click on the Modify User button ...

Page 785: ...ollows: 1. Enter bmc passwd at the eqcli prompt and press ENTER. 2. Follow the prompts to enter the password and confirm it (press ENTER after entering and confirming), as shown below: eqcli > bmc passwd; Please enter password: ; Please confirm password: ; eqcli: 12000287: Operation successful ...

Page 786: ...ick on IPv4 Network in the left navigation pane to display the following. Make the necessary IP Address, Subnet Mask and Default Gateway changes after consulting with your network administrator. When you have finished, click on the Save button. It is recommended that you leave the LAN Channel drop-down selection as Baseboard Mgmt, as this is the selection that is configurable at this time ...

Page 787: ...mediately power off the host. Graceful Shutdown: selecting this option will soft power off the host. Power On Server: selecting this option will power on the host. Power Cycle Server: selecting this option will immediately power off the host, then power it back on after one second. All power control actions are done through the BMC and are immediate actions after clicking on the Perform Action butto...

Page 788: ...ts. If the installed operating system on the server has an IPMI driver installed and configured, you may also be able to configure the BMC from the command line or using graphical utilities. The tools used to configure BMC controllers and IPMI drivers are specific to a server's hardware and OS platform. Refer to the hardware and operating system documentation for your servers for specific BMC and IPMI...

Page 789: ...ver; shutdown: entering this option will soft power off the server; reset: entering this option will hard reset the server without powering off. Configuring IPMI Power Controls using a Smart Control: IPMI support in Smart Controls has the following limitations. The Smart Control interface does not allow the user to specify IPMI v1.5; only IPMI v2.0 is supported at this time. The Smart Control interface doe...

Page 791: ...izer Hardware 793; Installing and Upgrading Equalizer OnDemand 796; VMware Host Requirements 796; Installing EQOD Using OVF 797; Installing EQOD from a ZIP File 799; Licensing EQOD 801; Upgrading EQOD 803 ...

Page 792: ...t to ensure the best application response. Equalizer instances can be deployed on a single server to maximize utilization of hardware infrastructure, and current server platforms can be used for load balancing and other application delivery needs without creating a dependence on specific server hardware. Equalizer OnDemand offers: intelligent layer 4-7 application-based load balancing; flexible hybri...

Page 793: ...ded via VMware port 2 to the second. The current release supports up to 16 network interfaces. 2. An interface (port) in the CLI or GUI can be assigned to VLANs in only one of two ways: a single untagged VLAN, or one or more tagged VLANs. A port cannot be assigned to multiple untagged VLANs, or to a mix of tagged and untagged VLANs. 3. EQOD is delivered with no serial console configured because this requires add...

Page 794: ...Note that there is no virtualDev line in this set of properties that indicates the interface type. This line needs to be added for the interface to work on Equalizer. The text below shows what the ethernet2 set of properties should look like after editing: ethernet0.present = "TRUE"; ethernet0.virtualDev = "e1000"; ethernet0.connectionType = "bridged"; ethernet0.wakeOnPcktRcv = "FALSE"; ethernet0.addressType = "generated"; e...

Page 795: ...the CLI or GUI. You should now see 3 interfaces (ports) when you run the show interface command in the CLI and when you open the Interfaces tab in the GUI ...

Page 796: ...d higher; VMware Player 4.x and higher. A VM instance of Equalizer requires the following minimum hardware resources: 1 GB RAM; 1 GB free disk space; one VMware-supported 10/100/1000 Mbps network adapter (e1000 adapter type); Internet connectivity for license validation. The above requirements are in addition to the resources required to run VMware. See the VMware documentation for the VMware product you...

Page 797: ...EQOD section of the support page at www.coyotepoint.com (content eqos 10 support page). c. The OVF details are displayed. Click Next. d. Type a name for the VM. Click Next. e. Associate the source network adapters in the OVF to networks defined on VMware. Click Next. f. A summary of the VM configuration is displayed. Click Next. g. The VMDK file for the OVF is now downloaded from the FTP site. When it is done...

Page 798: ... the local directory. When it is done, the EQOD VM should appear in your inventory. 4. The first time you start Equalizer, log in to the CLI on the VM console using the touch login (the default password is touch). We recommend that you immediately change the default password for the touch login. Do this using the following CLI command: eqcli > user touch password ...

Page 799: ... icon and then Upload Folder. Browse to the directory where you unpacked the ZIP file in Step 1, select the file Equalizer.vmx and click Open. 6. After completion, open the new OnDemand directory in the Datastore Browser. 7. Right-click on the file Equalizer.vmx and select Add to Inventory. 8. Either accept the default VM name and resource pool or change them. Click OK to continue. 9. Once the virtual machine is ...

Page 800: ...mage. On VMware Player select File > Open a Virtual Machine. On VMware Fusion select File > Open. Browse to the location where you unpacked the ZIP file in Step 1, select the file EQOD.vmx and click Open. 3. Once the virtual machine is loaded, EQOD should appear in the virtual machine list. Start (or play) the virtual machine by selecting the appropriate command from the VMware menus, or double-click on the virtual ...

Page 801: ...e you have obtained both the login credentials of a support account and the System Serial Number of the unit to register, do the following: 1. Log in to https://support.fortinet.com using the login credentials obtained above. 2. Follow the instructions provided in the Registration Frequently Asked Questions under the heading "How do I register a Fortinet device" to register your EQOD. When requested, enter t...

Page 802: ...cket to the last, as shown below, and copy it to your computer's clipboard. (The display below is truncated.) <?xml version="1.0" encoding="UTF-8"?> <SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/" xmlns:SOAP-ENC="http://schemas.xmlsoap.org/soap/encoding/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:lic="http://tempuri.org/lic.xsd"> <SOAP-ENV:Bo...

Page 803: ...yed at the bottom of the list if your EQOD has been properly licensed. 7. To upload the license using the GUI: a. Log in to the EQOD GUI using the touch login. b. Select System > Maintenance > Licensing in the left navigation panel to display the licensing screen on the right. c. Click on the Upload License button and follow the prompts to select the license file that you saved in step 5. d. Click on Comm...

Page 805: ...Certificate 817; Enabling HTTPS with Server and Client Certificates 818; Generating a CSR and Getting It Signed by a CA 820; Generating a Self-Signed Certificate 822; Installing Certificates for an HTTPS Cluster 823; Converting a Certificate from PEM to PKCS12 Format 824 ...

Page 806: ...ent, it also sends a request for a certificate from the client. Once the client accepts the server certificate as described above, it sends the client certificate to the server for verification. The server compares the client certificate it receives with its local copy of the client certificate, and if they match the connection is made. Each Layer 7 HTTPS cluster requires a server certificate; client cer...

Page 807: ...f-loading SSL processing from all the servers in the HTTPS cluster. Equalizer communicates with the clients via HTTPS; the traffic between Equalizer and the servers in an HTTPS cluster is HTTP, i.e. unencrypted, so the network segment between Equalizer and the servers must be one you trust, since anyone able to capture traffic on it sees the decrypted requests and responses. Compared to the typical scenario where each client is establishing direct HTTPS connections with servers, encrypting and decrypting packets and serving content as well, SSL offloading improves th...

Page 808: ... method requires some certificate processing on the servers behind Equalizer in order to prevent access by clients with revoked certificates. This method therefore should be used only under the following conditions: (a) if the site is able to use an intermediate CA (or multiple CAs) which signs all, and only, certificates authorized for use with the cluster, AND (b) if the application running on the servers...

Page 809: ...scenes and store them appropriately. You can also upload the same file as both the certfile and the keyfile; such a combined file contains the private key, so protect it exactly as you would the keyfile. If you have uploaded a certificate that doesn't match the cipher suite that is configured for the HTTPS cluster, you will no longer be able to log into the GUI. You will need to supply the correct certificate/key pairing; in the meantime you can enable HTTP access to the GUI temporarily to enter...

Page 810: ...ng Certificates in HTTPS Clusters. Platform and SSL offloading: E970LX, hardware acceleration (only for supported ciphers); OnDemand, software only ...

Page 811: ...MD5, AES256-SHA. See Replacing the Default Certificate, Key and Cipherspec on page 61 for descriptions of replacing the default cipher suite. Updating the Cipher Suites Field: this field can be used to specify a custom cipher suite required by the servers in a cluster. In general, to add a cipher suite you specify a plus sign and then the name of the suite. To specifically exclude a cipher suite use an ...

Page 812: ...(168), SHA1; AES128-GCM-SHA256: TLSv1.2, Kx=RSA, Au=RSA, Enc=AESGCM(128), Mac=AEAD; AES128-SHA256: TLSv1.2, Kx=RSA, Au=RSA, Enc=AES(128), Mac=SHA256; AES128-SHA: SSLv3, Kx=RSA, Au=RSA, Enc=AES(128), Mac=SHA1; SEED-SHA: SSLv3, Kx=RSA, Au=RSA, Enc=SEED(128), Mac=SHA1; CAMELLIA128-SHA: SSLv3, Kx=RSA, Au=RSA, Enc=Camellia(128), Mac=SHA1; IDEA-CBC-SHA: SSLv3, Kx=RSA, Au=RSA, Enc=IDEA(128), Mac=SHA1; RC4-SHA: SSLv3, Kx=RSA, Au=RSA, Enc=RC4(128), Mac=SHA1; RC4-MD5: SSLv3, Kx=RSA, Au=RSA, Enc=RC4(128), Mac=MD5; DES-CBC-SHA: SSLv3, Kx=RSA, Au=RSA, Enc=DES(56), Mac=SHA1; EXP-DES-CBC-SHA: Kx=RSA(512), SS...

Page 813: ...DHE-DSS-AES256-SHA256 (DSS); DHE-RSA-AES256-SHA (RSA); DHE-DSS-AES256-SHA (DSS); DHE-RSA-CAMELLIA256-SHA (RSA); DHE-DSS-CAMELLIA256-SHA (DSS); ECDHE-RSA-AES128-GCM-SHA256 (RSA); ECDHE-ECDSA-AES128-GCM-SHA256 (ECDSA); ECDHE-RSA-AES128-SHA256 (RSA); ECDHE-ECDSA-AES128-SHA256 (ECDSA); ECDHE-RSA-AES128-SHA (RSA); ECDHE-ECDSA-AES128-SHA (ECDSA); DHE-DSS-AES128-GCM-SHA256 (DSS); DHE-RSA-AES128-GCM-SHA256 (RSA); DHE-RSA-AES128-SHA256 (RSA); DHE-D...

Page 814: ...SEED-SHA (RSA); DHE-DSS-SEED-SHA (DSS); DHE-RSA-CAMELLIA128-SHA (RSA); DHE-DSS-CAMELLIA128-SHA (DSS); ECDHE-RSA-RC4-SHA (RSA); ECDHE-ECDSA-RC4-SHA (ECDSA); ECDHE-RSA-DES-CBC3-SHA (RSA); ECDHE-ECDSA-DES-CBC3-SHA (ECDSA) ...

Page 815: ... SSL3_RSA_DES_192_CBC3_SHA: SSL 3.0, RSA, RSA, DES 192, MD5; SSL2_RC4_128_WITH_MD5: SSL 2.0, RSA, RSA, RC4 128, MD5; SSL2_RC4_128_EXPORT40_WITH_MD5: SSL 2.0, RSA, RSA, RC4 128, MD5; SSL2_DES_64_CBC_WITH_MD5: SSL 2.0, RSA, RSA, DES 64, MD5; SSL2_DES_192_EDE3_CBC_WITH_MD5: SSL 2.0, RSA, RSA, DES 192, MD5; TLS1_RSA_WITH_AES_128_SHA: TLS 1.0, RSA, RSA, AES 128, SHA; TLS_RSA_WITH_AES_256_SHA: TLS 1.0, RSA, RSA, AES 256, SHA; TLS_RSA_WITH_AES...

Page 816: ... of negotiating a cipher for a client connection is as follows: 1. During the SSL handshake phase of the connection, the client sends Equalizer a list of the ciphers it supports. 2. Equalizer examines the client cipher list in the order it is specified, chooses the first cipher that matches a cipher specified in the cluster's Cipher Suite parameter, and responds to the client. Because the client's ordering decides, any weak cipher left in the cluster's Cipher Suite can be selected by a client that lists it first; remove such ciphers from the suite rather than relying on their position in it. If none of the ciphers offer...
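
The selection rule just described is client-preference: the first entry in the client's list that the cluster also allows wins. The following is an added example, not code from the guide or from Equalizer: it implements that rule next to the server-preference alternative and adds a check for suites that should not be in a cluster's Cipher Suite at all, then runs both rules against a client that lists RC4 first. Cipher names are the OpenSSL names from the tables on the preceding pages; the cluster suite and the two client lists are constructed, and the weak-suite markers are this example's own short list (RC4, MD5-based, export, NULL, anonymous and single-DES suites), not a statement of what Equalizer enforces.

```python
"""Added example (not from the Equalizer guide): client-preference cipher
selection as described on page 816, server-preference selection for contrast,
and an audit of a constructed cluster Cipher Suite."""
from typing import Iterable, List, Optional

# Substrings marking suites that are broken or export-grade. Single DES is
# matched by 'DES-CBC-SHA' without catching 3DES ('DES-CBC3-SHA').
WEAK_MARKERS = ("RC4", "MD5", "EXP-", "NULL", "ADH", "AECDH", "DES-CBC-SHA")


def is_weak(cipher: str) -> bool:
    return any(marker in cipher for marker in WEAK_MARKERS)


def negotiate_client_preference(client_offered: Iterable[str],
                                cluster_suite: Iterable[str]) -> Optional[str]:
    """The page's rule: walk the CLIENT's list in the order it was sent and
    return the first cipher the cluster also allows; None means no overlap,
    i.e. the handshake fails."""
    allowed = set(cluster_suite)
    return next((c for c in client_offered if c in allowed), None)


def negotiate_server_preference(client_offered: Iterable[str],
                                cluster_suite: Iterable[str]) -> Optional[str]:
    """The alternative policy: walk the CLUSTER's list in configured order and
    return the first cipher the client offered."""
    offered = set(client_offered)
    return next((c for c in cluster_suite if c in offered), None)


def audit_suite(cluster_suite: Iterable[str]) -> List[str]:
    """Weak suites present in the configured list. Under client preference
    every one of these can be picked by a client that lists it first."""
    return [c for c in cluster_suite if is_weak(c)]


def hardened_suite(cluster_suite: Iterable[str]) -> List[str]:
    """The same list with the weak suites removed, order preserved."""
    return [c for c in cluster_suite if not is_weak(c)]


# Constructed cluster Cipher Suite that still carries two RC4 entries at the end.
CLUSTER_SUITE = ["ECDHE-RSA-AES128-GCM-SHA256", "AES256-SHA", "RC4-SHA", "RC4-MD5"]
# Constructed client hello from a client that prefers RC4.
RC4_FIRST_CLIENT = ["RC4-MD5", "ECDHE-RSA-AES128-GCM-SHA256", "AES256-SHA"]
# Constructed client hello from a client offering only current suites.
MODERN_CLIENT = ["ECDHE-RSA-AES128-GCM-SHA256", "AES256-SHA"]
```

With the constructed lists, client preference hands the RC4-first client RC4-MD5 even though the cluster lists ECDHE-RSA-AES128-GCM-SHA256 first, while server preference would give it the GCM suite. The only configuration that is safe under the page's rule is the hardened list, where the RC4-only client gets no cipher at all.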

Page 817: ...level of trust, since the client is essentially trusting the server to identify itself. Self-signed certificates are relatively easy to counterfeit and are only recommended for use on internal, non-production or test configurations. See "Generating a Self-Signed Certificate" on page 822. 2. Create the HTTPS cluster. When creating an HTTPS cluster, the default flags and parameters are acceptable for most se...

Page 818: ...attempts to connect to this cluster. c. By default, the client certificate verification depth is set to 2. This number indicates the number of levels in a certificate chain that the Equalizer will process before stopping verification. This default depth may need to be raised if you received more than one chained root certificate in addition to a client certificate from your Certificate Authority. Note...

Page 819: ...ing to the Cluster via HTTPS. From a client browser, open https://cluster, where cluster is the network node name or IP address of the HTTPS cluster. The browser may notify you that it is accepting a certificate from the server and ask for confirmation. Once you accept the certificate, the server should ask for a client certificate; your browser may ask you to choose one. After the client certificate is se...

Page 820: ...ry on your system and create a new directory to hold your CSR, certificate and private key. 2. Generate the CSR by entering this command: openssl req -new -newkey rsa:1024 -out cert.csr. This begins an interactive session to generate a CSR and also generates a new private key to be output into a file named privkey.pem. If you already have a private key, use -key filename instead of -newkey rsa:1024 to specify...

Page 821: ...Using Internet Information Services (IIS) is optional when creating and managing certificates for Equalizer Layer 7 HTTPS clusters and clients. In fact, one of the advantages of using Equalizer is that only one server certificate is required for an HTTPS cluster. The cluster certificate is installed on Equalizer, not on the servers in the HTTPS cluster. So you do not need to use IIS on each server to cr...

Page 822: ...Engineering. Common Name (eg, YOUR name): myclient.example.com. Email Address: admin@example.com. Depending on the tool you use to create the certificate, you may also be asked for a challenge password and other optional information. Make sure you remember the password and, if prompted, the challenge password you specify, as you will need it to install the certificate. The Common Name provided must be the DNS ...

Page 823: ...to "Layer 7 Security Certificate Screen (HTTPS Clusters)" on page 347 for a description of installing certificates on an HTTPS cluster. ...

Page 824: ...without conversion. Like PEM format, PKCS12 format supports having all your certificates and your private key in one file. If you created the file clientprivcert.pem containing the client certificate, the private key and any intermediate certificates, then converting the file to PKCS12 is simple: openssl pkcs12 -export -in clientprivcert.pem -out clientprivcert.pfx. The resulting file, clientprivcert.pfx, ca...

Page 825: ...endix C: Using the File Editor. Sections within this chapter include: Editing Files (page 826). ...

Page 826: ...edit files (edit) and others. In the example below, the files edit command is used. In the example below, a configuration backup file script is opened for editing: eqcli > files edit backup script. When this command is executed, the ee editor will be displayed. A list of commands is located at the top of the display. The present location of your cursor is displayed in a highlighted block; for example, L 1 C 1 in...

Page 827: ...ds. c. file operations: Will display a submenu of commands that includes read a file, write a file and print editor contents (all restricted and not available); save file will save the changes that you made to the file. d. redraw screen: Will redraw the open screen. ...

Page 828: ...s menu. f. search: Will open a search submenu with 2 options: a. search for: will prompt you to enter a search term(s); b. search: not available. g. miscellaneous: Will display the following miscellaneous menu: ...

Page 829: ...onfiguration Converter. Sections within this chapter include: EQ/OS 8.6 to EQ/OS 10 Configuration Conversion Process (page 830). ...

Page 830: ...rvers are defined within clusters in EQ/OS 8.6, some adjustments to an EQ/OS 8.6 configuration must be made, because servers are global objects in EQ/OS 10 that must be placed in server pools before they are associated with clusters. Configuration Conversion Notes: 1. You must be running EQ/OS 8.6.0i patch1 to upgrade to EQ/OS 10. 2. SSL certificates are not converted. They will need to be manually rein...

Page 831: ...configuration: Not converted. Smart Control events: Not converted. Failover: Not completely converted. Only the local peer is converted; it is recommended that you reconfigure failover after the conversion. Users: Not converted. Because the password is encoded, there is no way to add a user automatically; manual intervention is needed to type the password. Also, the permissions model is different in EQ/OS 10 s...

Page 832: ...A new cluster is created with the new server pool attached: cluster cl00 srvpl cl00. However, if there are duplicate servers shared between clusters in the EQ/OS 8.6 configuration, there will be a configuration where we use the name of the first cluster in which it appears, and there is a mismatch between the server name and the cluster name. If the configuration in EQ/OS 8.6 was cluster cl00 server sv...

Page 833: ...the backup file to EQ/OS 10. 4. Convert the backup file to an EQ/OS 10 configuration script. 5. Run the script. In Version 8.6, outbound NAT may be configured to use the server IP, cluster IP, failover IP or the subnet IP (default case). However, the converter will look for a subnet to which the server belongs and configure it to NAT out of that subnet IP. If no such subnet exists, then outbound NAT for that Ver...

Page 834: ...te converted configuration objects and comments describing parameters which could not be converted. For example: cluster myclust proto tcp ip 10.0.0.10 port 1 range 4999 stickyto 3500 idleto 36000; Unsupported user touch option (desc touch): unable to migrate this option, it must be hand converted. Note: When viewing the translated file, look for lines that begin with comments. These are lines which could no...

Page 835: ...umber. In ee, to do this press CTRL-C to enter command mode and then type the line number to jump to. 8. Once you have verified that the configuration was successfully converted, you can remove the EQ/OS 8 backup file and converted CLI script from the file store: eqcli > no files filename. For example: eqcli > no files os8backup.bkp. Conversion using the GUI: The GUI workflow would be simplified, particularly b...

Page 836: ...the FTP location or URL in the space provided. b. Click on Continue to upload the file. A "Please Wait" message should appear while the file is downloaded from the FTP site. If connection with the FTP site fails, an error message will be displayed. If successful, a message will be displayed prompting you to continue. Press Continue again and the Verify and Run Configuration Script screen will be displayed. 6...

Page 837: ...which the error occurred, as indicated by the error message. a. If you click on Cancel, the editor screen will be closed and you will be prompted to Save your conversion script in the file store. Refer to "Editing Files" on page 826 and "EQ/OS 8.6 to EQ/OS 10 Configuration Conversion Process" on page 830 for instructions on accessing and editing files in the data store using the CLI. Click on Discard to disca...

Page 838: ...pletion, a Configuration Complete message will be displayed. If an error occurs, the Correct Error and Continue screen will be displayed again and will open at the line at which the error occurred, as indicated by the error message. 9. After the script has completed running, the new objects should appear on the left navigational pane. ...

Page 839: ...Appendix E: Port Numbers. Sections within this chapter include: Port Numbers (page 840). ...

Page 840: ...Checks. 3403/501 TCP: Failover Heartbeat ports. If SSL is enabled for failover, port 501 is used; otherwise port 3403 is used. 3404/502 TCP: Failover Peer-to-Peer command ports. All non-heartbeat failover operations, such as configuration synchronization, use these ports. If SSL is enabled for failover, port 501 is used; otherwise port 3403 is used. 5300 UDP: Envoy sites communication. 5301 UDP: Envoy sites comm...

Page 841: ...erver or virtual cluster, and if the destination address is a virtual server or virtual cluster. 3403 TCP: HA Heartbeat; listen on this port. 3404 TCP: HA, all non-Heartbeat Peer-to-Peer communications such as configuration synchronization; listen on this port. 5300 UDP: Envoy sites communication. 5301 UDP: Envoy sites communication. ...

Page 843: ...EQ/OS 10.1.x and 10.2.x. Sections within this chapter include: Networking Translation Between 10.1.x and 10.2.x Systems (page 844). ...

Page 844: ...has been removed. 4. The def_src_addr (Default Source Address) flag used in 10.1.x configurations has been removed. 5. Destination networks used in 10.1.x configurations have been removed. Destination networks are now computed automatically by the system according to the static route configuration; no user configuration is needed. In order for destination networks to be properly computed, static routes must...

Page 845: ...convert the Network 2 configuration. An error is logged. Network 2: Default route GW2; Network 2: No static routes created at upgrade time. Network 1: Default route GW1; Network 1: No static routes created at upgrade time. This is a misconfiguration in the 10.1.x configuration because the user did not specify the connected networks for either Network 1 or Network 2. There is neither a def_src_addr flag nor a lis...

Page 846: ...since there are no configured destination networks available from Network 2 and Network 3. However, the intent of the user is obvious, so the networking is converted correctly in an upgrade. An error is not logged. Network 2: Static route 192 24 GW2; Network 2: Static route 192 24 GW2. Network 3: Static route 172 16 GW3; Network 3: Static route 172 16 GW3. Network 1: Static route 192 24; Destination network 0 0...

Page 848: ...250, 190, 125, 95, 80. Server Instances: 521 per Server Pool; 375 per Server Pool; 250 per Server Pool; 190 per Server Pool; 150 per Server Pool. Health Check Instances: 16 per Server Instance; 16 per Server Instance; 16 per Server Instance; 16 per Server Instance; 16 per Server Instance. VLANs: 999, 750, 500, 375, 300. Subnets: 999 per VLAN; 750 per VLAN; 500 per VLAN; 375 per VLAN; 300 per VLAN. Envoy Resources: 250, 190, 95, 9...

Page 849: ...d on two peers and organized into failover groups. If the other peer's connectivity for the failover group's resources is judged to be healthier than the peer on which the group is running, then the group fails over to the other peer. active/standby: All Equalizer clusters are instantiated on a primary system, and all will fail over to a backup unit if the backup unit is judged to be healthier than the p...

Page 850: ...gation and sticky network aggregation. algorithm: Instructions, procedures or formulas used to solve a problem. alias: A nickname that replaces a long name or one that is difficult to remember or spell. aliased IP address: A nickname for an IP address. Application Delivery Controller (ADC): An application delivery controller (ADC) is a network device that usually sits between the firewall/router and applicatio...

Page 851: ...the cluster of which the server is a part. connection: A connection is a Layer 4 transmission path established between two endpoints. Clients open connections to Equalizer cluster IPs, and Equalizer opens connections to the servers behind it. The notion of a connection is supplied by the underlying protocol: there are connection-oriented protocols like TCP and connectionless protocols such as UDP. conne...

Page 852: ...NS TTL: The amount of time, in seconds, that a name server is allowed to cache the domain information. See DNS and TTL. domain: The highest level in an IP address and the last part of the address in the URL. The domain identifies the category under which the Web site operates. For example, in www.coyotepoint.com, com is the domain, where com represents a commercial site. See domain name, IP address and subdomain...

Page 853: ...xternal interface: A network interface used to connect Equalizer to the external network. See interface, internal interface and network interface. external network: The subnet to which the client machines, and possibly the Internet or an intranet, are connected. F. failover: The act of transferring operations from a failing component to a backup component without interrupting processing. firewall: A set of secu...

Page 854: ...e cluster fail, the hot spare will begin processing requests for the cluster. HTTP: HyperText Transfer Protocol, the protocol with which a computer or user accesses information on the World Wide Web. HTTPS: HyperText Transfer Protocol Secure. The SSL/TLS protocol is used in combination with the HTTP protocol to provide secure identification and data encryption. hub: A device that joins all the components attached...

Page 855: ...Protocol (ICMP): The ISO/OSI Layer 3 (Network) protocol that controls transport routes, message handling and message transfers during IP packet processing. See ICMP triangulation and ISO/OSI model. IP (Internet protocol): the TCP/IP protocol that controls breaking up data messages into packets, sending the packets and reforming the packets into their original data messages. See Internet protocol stack. IP address: p...

Page 856: ...nation IP address and port number. We look in the list of configured clusters to find one that matches. Attached to that cluster are servers. The best server is chosen and the packet (request) is then sent to that server using NAT. L4: TCP and UDP IP protocols. They are well described at http://en.wikipedia.org/wiki/Transmission_Control_Protocol and http://en.wikipedia.org/wiki/User_Datagram_Protocol respective...

Page 857: ...gent load balancing. Local Area Network (LAN): Local Area Network. M. Match Rules: Match Rules are a feature associated with Layer 7 load balancing. This is often called content switching by other vendors. Using match rules, you can configure Equalizer to handle application (HTTP) requests in specific ways depending on the data present in the request. For example, you can tell Equalizer to send any image requests...

Page 858: ...g Equalizer as a gateway device, their source IP will be translated to an Equalizer IP on the egress interface of Equalizer used to reach the destination network. P. packet: A group of data that is transmitted as a single entity. passive FTP connection: An Equalizer option that rewrites outgoing FTP PASV control messages from the servers so that they contain the IP address of the virtual cluster rather than t...

Page 859: ...eriod of time. With sticky persistence, the number of persistent clients is limited by the memory available to store the sticky table. physical server: A machine located on the internal network that provides services on specific IP addresses and ports. See server and virtual web server. See also authoritative name server, back-end server, name server and proxy server. piece: An atom followed by a single or or...

Page 860: ...acket that contains information that requests a response. See packet and response packet. reserved network: A network consisting of phony IP addresses which are not registered and cannot be made visible outside of the internal network. resolution: The process of interpreting all the messages between an IP address and a domain name address. Responder: This is an L7 advanced feature. A user can configure Equa...

Page 861: ...and which instructs a device to end a connection. S. Secure Sockets Layer (SSL): A protocol that enables secure communication between two hosts using data encryption and authentication. server: A computer or application that controls access to a network and its associated devices and applications. A server communicates with one or more clients as well as other servers. See authoritative name server, back-end ...

Page 862: ...d on clients and servers. Equalizer uses cookies at Layer 7 and a sticky timer at Layer 4 to provide server persistence; the cookie lifetime or sticky time to set on Equalizer is determined by the application and should usually match the corresponding cookie or session timeouts set on the real servers in a cluster. SFP and SFP+: SFP+ is the new version, which supports 10Gb throughput. Stands for Small Facto...

Page 863: ...e sticky network mask set for the cluster, the destination port on the server is not responding, and the same server IP with another port is defined in another cluster. Then Equalizer will attempt to forward the request to the same server on the other port. sticky timer: A countdown timer used to manage sticky connections to a Layer 4 cluster. When this timer expires (i.e., there is no activity between the serv...

Page 864: ...TCP/IP (Transmission Control Protocol/Internet Protocol): the rules for transmitting data over networks and the Internet. Telnet: Part of TCP/IP, a protocol that enables a user to log onto a remote computer connected to the Internet. See TCP/IP. traceroute: A utility that shows the route over which a packet travels to reach its destination. transaction: A transaction is a Layer 7 interaction between a client ...

Page 865: ...nd virtual server address. See also authoritative name server, back-end server, name server, physical server and proxy server. VLAN: See Virtual Local Area Network. VM CPU: For servers that are associated with VMware Virtual Machines, the relative influence on the policy of the VM CPU usage status returned by VMware. VM RAM: For servers that are associated with VMware Virtual Machines, the relative influence on th...
