What’s New in FortiClient 5.4

The following is a list of new features and enhancements in FortiClient 5.4.

This document was written for FortiClient (Windows) 5.4.0. Not all features described in this document are supported for FortiClient (Mac OS X) 5.4.0.

New features in FortiClient 5.4.0

The following is a list of new features in FortiClient version 5.4.0.

Antivirus

Advanced Persistent Threats

FortiClient 5.4.0 has enhanced capabilities for detecting Advanced Persistent Threats (APT). Two changes were added for this purpose:

• Botnet Command and Control (C&C) communication detection
• FortiSandbox integration (Windows only)

Botnet Communication Detection

Botnets running on compromised systems usually generate outbound network traffic to the Command and Control (C&C) servers of their operators. Those servers may deliver updates to the bot, or commands for actions to execute locally or against other reachable remote systems. When the botnet detection feature is enabled, FortiClient compares network traffic against a list of known C&C servers and blocks any traffic that matches.

FortiSandbox Integration

FortiSandbox can analyze new, previously unknown and undetected virus samples in real time. Files sent to it are first scanned with an Antivirus (AV) engine and signatures similar to those available on FortiOS and FortiClient. If the file is not detected but is an executable, it is run (sandboxed) in a Microsoft Windows virtual machine (VM) and monitored. The file is then given a rating or score based on its activities and behavior in the VM.

FortiClient integration with FortiSandbox allows users to submit files to FortiSandbox for automatic scanning. When configured, FortiClient will send supported files downloaded over the internet to FortiSandbox if they cannot be detected by the local, real-time scanning. Access to the downloaded file is blocked until the scanning result is returned.

As FortiSandbox receives files for scanning from various sources, it collects and generates AV signatures for such samples. FortiClient periodically downloads the latest AV signatures from the FortiSandbox, and applies them locally to all real-time and on-demand AV scanning.


Enhanced Real-Time Protection Implementation

The Real-Time Protection (RTP) or on-access feature in FortiClient uses tight integration with Microsoft Windows to monitor files, locally or on a network file system, as they are downloaded, saved, run, copied, renamed, opened, or written to. The FortiClient driver that couples with Windows has been rewritten to use modern APIs provided by Microsoft. All basic features remain the same, with a few minor differences in behavior. Noticeable performance improvements can be observed in various use cases.

Web Filtering

Web Browser Usage and Duration

If configured, FortiClient will record detailed information about the user’s web browser activities, such as:

• A history of websites visited by the user (as shown in regular web browser history)
• An estimate of the duration or length of stay on each website

These logs are sent to FortiAnalyzer, if configured. With FortiAnalyzer 5.4.0 or newer, the FortiClient logs sent from various endpoints may be viewed in FortiView.

VPN

Authorized Machine Detection

For enterprises where new computers may be brought into the organization by employees, FortiClient can be configured to check or identify the computer before allowing it to establish IPsec VPN or SSL VPN connections to the FortiGate. The administrator may configure restrictions with one or more of the following:

• Registry check: ensure a specific registry path contains a predetermined value
• File check: verify the existence of a specific file at a specified location
• Application check: ensure that a specific application is installed and running

The verification criteria can be configured using advanced FortiClient XML configurations on the FortiGate or Enterprise Management Server (EMS).
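
The following PowerShell script is an added example, not Fortinet code: it runs the same three kinds of check locally, so that the registry path, file location and process name you intend to encode in the XML configuration can be validated on a reference endpoint before rollout. The registry path, value name, expected data, file path and process name are hypothetical placeholders.

```powershell
# Added example, not Fortinet code: exercise the three Authorized Machine
# Detection check types on a reference endpoint before the values go into the
# FortiClient XML configuration. Every path, value name and process name below
# is a hypothetical placeholder.

$Checks = @(
    @{ Type = 'Registry';    Path = 'HKLM:\SOFTWARE\Contoso\Asset'; Name = 'Tag'; Expected = 'CORP-MANAGED' }
    @{ Type = 'File';        Path = 'C:\ProgramData\Contoso\asset.id' }
    @{ Type = 'Application'; Process = 'ContosoAgent' }
)

function Test-RegistryCheck([hashtable]$c) {
    # Registry check: the key must exist and the named value must hold the expected data.
    if (-not (Test-Path -Path $c.Path)) { return $false }
    $item = Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $false }
    return ([string]$item.$($c.Name) -eq $c.Expected)
}

function Test-FileCheck([hashtable]$c) {
    # File check: a regular file must exist at the given location.
    return (Test-Path -Path $c.Path -PathType Leaf)
}

function Test-ApplicationCheck([hashtable]$c) {
    # Application check: "installed and running" is observable as a live process.
    return [bool](Get-Process -Name $c.Process -ErrorAction SilentlyContinue)
}

$results = foreach ($c in $Checks) {
    $pass = switch ($c.Type) {
        'Registry'    { Test-RegistryCheck    $c }
        'File'        { Test-FileCheck        $c }
        'Application' { Test-ApplicationCheck $c }
    }
    $target = if ($c.Path) { $c.Path } else { $c.Process }
    [pscustomobject]@{ Check = $c.Type; Target = $target; Pass = [bool]$pass }
}

$results | Format-Table -AutoSize | Out-Host

# FortiClient applies every configured restriction, so a single failure denies the VPN.
if ($results.Pass -contains $false) {
    Write-Warning 'This endpoint would be refused an IPsec/SSL VPN connection.'
    exit 1
}
Write-Host 'All authorized-machine checks passed.'
```

Run it in an elevated PowerShell session on the build you consider "authorized" and on a stock machine; the first should pass and the second fail. Keep in mind what these checks prove: a registry value, marker file or running process shows that the machine looks like a corporate build, not that it is one, since anyone who controls the endpoint can create them. Treat authorized machine detection as a hygiene gate and rely on certificate-based authentication for actual device identity.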


New SSL VPN Windows driver

The FortiClient SSL VPN driver pppop.sys was re-written to use the latest Microsoft recommended CoNDIS WAN driver model. The new driver is selected when FortiClient is installed on Windows 7 or newer. The SSL VPN driver included in the previous versions of FortiClient will still be maintained.

New IPsec VPN Windows drivers

FortiClient IPsec VPN drivers have been updated to support Microsoft Windows NDIS 6.3 specification. The new drivers are compatible with Microsoft Windows 8.1 or newer.

Support for DTLS

FortiClient SSL VPN connections to FortiGate now support Datagram Transport Layer Security (DTLS), which uses the User Datagram Protocol (UDP) as its transport. Previously, FortiClient SSL VPN connections supported only the Transmission Control Protocol (TCP). DTLS for SSL VPN is configured on the FortiGate; it cannot be configured from FortiClient. When a FortiClient endpoint connects to a DTLS-enabled SSL VPN on a FortiGate that advertises DTLS support, FortiClient uses DTLS over UDP. If DTLS fails, FortiClient falls back to TLS over TCP to establish the SSL VPN connection.

Endpoint Control

Integration with the new Enterprise Management Server

The Enterprise Management Server (EMS) is a new product from Fortinet for businesses to use to manage their computer endpoints. It runs on a Windows Server, not requiring a physical Fortinet device. Administrators may use it to gain insight into the status of their endpoints. The EMS supports devices running Microsoft Windows, Mac OS X, Android, and iOS.

FortiClient Endpoint Control (EC) protocol has been updated to seamlessly integrate with the EMS. Various changes were added to support EMS features, including:

• Deployment of FortiClient to new Microsoft Windows devices
• Continuous monitoring of device status
• AV engine and signature update status reports
• AV scanning schedules and requests for AV scans
• Notifications about protection status


FortiGate Network Access Control when FortiClient is Deployed using EMS

The new EMS can be used to deploy FortiClient to a large number of Microsoft Windows endpoints. While creating a profile for FortiClient deployment, the EMS administrator can choose to configure the FortiClient to register to the same EMS, or to a FortiGate.

Changes in FortiClient 5.4.0 allow the EMS administrator to deploy FortiClient to endpoints and configure it to register to a FortiGate, while simultaneously notifying the EMS of its registration status. FortiClient EC registration to the FortiGate is required for Network Access Control (NAC): the administrator can configure the FortiGate to allow access to network resources only if the client is compliant with the EC profile applied to the interface.

Quarantine an Infected Endpoint from the FortiGate or EMS

A computer endpoint that is considered to be infected may be quarantined by the FortiGate or EMS administrator. FortiClient needs to be online, using EC, and registered to the FortiGate or EMS.

Once quarantined, all network traffic to or from the infected endpoint will be blocked locally. This allows time for remediation actions to be taken on the endpoint, such as scanning and cleaning the infected system, reverting to a known clean system restore point, or re-installing the operating system.

The administrator may un-quarantine the endpoint in the future from the same FortiGate or EMS.

Importing FortiGate CA Certificate after EC Registration

When the FortiGate is configured to use SSL deep inspection, users visiting encrypted websites will usually receive an invalid certificate warning: the certificate re-signed by the FortiGate chains to a Certificate Authority (CA) that the endpoint does not trust. Users can manually import the FortiGate CA certificate to stop the warning, but every user would have to do the same.

When registering EC to a FortiGate, the FortiClient will receive the FortiGate’s CA certificate and install it into the system store. If Firefox is installed on the endpoint, the FortiGate’s CA certificate will also be installed into the Firefox certificate store. This way the end user will no longer receive the invalid certificate error message when visiting encrypted websites.
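
An added example, not Fortinet code, for confirming the result of this import on a Windows endpoint: it looks for the FortiGate CA in the Windows root stores, lists which Firefox profiles carry their own certificate database, and then opens a TLS connection to a test host to show whether the certificate the client receives chains to that CA. The subject pattern 'Fortinet|FortiGate' and the host www.example.com are assumptions; adjust them to your FortiGate CA and a site covered by the deep-inspection policy.

```powershell
# Added example, not Fortinet code: verify the FortiGate deep-inspection CA was
# imported and observe whether a TLS session is actually re-signed by it.
# $CaSubjectPattern and $ProbeHost are assumptions; change them for your site.

$CaSubjectPattern = 'Fortinet|FortiGate'
$ProbeHost        = 'www.example.com'

# 1. Windows root stores (machine-wide and per-user) that FortiClient can populate.
$trusted = foreach ($storePath in 'Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root') {
    Get-ChildItem -Path $storePath | Where-Object { $_.Subject -match $CaSubjectPattern }
}
if (-not $trusted) { Write-Warning "No CA matching '$CaSubjectPattern' in the Windows root stores." }
$trusted | Format-Table Subject, Thumbprint, NotAfter, PSParentPath -AutoSize | Out-Host

# 2. Firefox ignores the Windows store; the CA has to be in each profile's NSS database.
#    Reading that database needs the NSS certutil tool, so here we only confirm it exists.
$profileRoot = Join-Path $env:APPDATA 'Mozilla\Firefox\Profiles'
if (Test-Path $profileRoot) {
    foreach ($p in Get-ChildItem -Path $profileRoot -Directory) {
        $db = Get-ChildItem -Path $p.FullName -Filter 'cert*.db' -ErrorAction SilentlyContinue
        $state = if ($db) { ($db.Name -join ', ') } else { 'no certificate database' }
        Write-Host ("Firefox profile {0}: {1}" -f $p.Name, $state)
    }
}

# 3. Open a TLS session and inspect the certificate presented to the client.
#    Under deep inspection the issuer is the FortiGate CA, not the site's public CA.
$tcp = New-Object System.Net.Sockets.TcpClient($ProbeHost, 443)
$ssl = $null
try {
    # Accept any certificate here: we are inspecting, not trusting.
    $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, { $true })
    $ssl.AuthenticateAsClient($ProbeHost)
    $leaf = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    Write-Host "Leaf subject : $($leaf.Subject)"
    Write-Host "Issued by    : $($leaf.Issuer)"

    # Build the chain with this machine's trust stores and look at the root it ends in.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $null  = $chain.Build($leaf)
    $root  = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate

    if ($leaf.Issuer -match $CaSubjectPattern) {
        if ($trusted -and ($trusted.Thumbprint -contains $root.Thumbprint)) {
            Write-Host 'Deep inspection is active and the re-signing CA is trusted: no browser warning expected.'
        } else {
            Write-Warning 'Traffic is re-signed by the FortiGate but its CA is not in a trusted root store: users will see certificate errors.'
        }
    } else {
        Write-Host 'Certificate is not issued by the FortiGate: this path is not deep-inspected.'
    }
} finally {
    if ($ssl) { $ssl.Dispose() }
    $tcp.Close()
}
```

The chain-root comparison is the useful part: matching the issuer name alone would also be satisfied by any certificate that merely claims to be from the FortiGate, whereas a root thumbprint that equals the one in the store proves the imported CA is the one doing the re-signing.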

Enhancement to On-net/Off-net Configuration

The on-net feature requires the use of a FortiGate as a DHCP server, usually the same FortiGate that the FortiClient is registered to. When the device that FortiClient is running on has an IP address from the FortiGate’s DHCP server, it is on-net. For any other IP address, it is off-net.


There is a new way to configure the on-net feature. On the FortiGate, the DHCP server can be used, or several network subnets can be provided.

FortiClient will be on-net if:

• It is registered using EC to the FortiGate,
• It belongs to one of the pre-configured on-net subnets, or
• Its DHCP lease carries the on-net properties.

Otherwise, FortiClient will be off-net.

FortiClient GUI

Antivirus Settings Page

With the introduction of botnet detection and FortiSandbox integration in FortiClient (Windows), the AV settings page on the FortiClient GUI has been updated to allow configuration of the new features. The AV settings page is accessible from the FortiClient dashboard: select the AV tab in the left pane, then click the settings icon on Real-Time Protection in the right pane. The following may be selected on the AV settings page:

• File scanning (previously Real-Time Protection, or RTP)
• Scan unknown, supported files using FortiSandbox (Windows only)
• Malicious website detection
• Botnet detection (block known communication channels)

FortiClient Banner Design

If FortiClient (full version or VPN only) is running in standalone mode and not registered to a FortiGate or EMS, a single banner at the bottom of the GUI is displayed. When registered to a FortiGate or EMS, the banner is hidden by default. Similarly, when created from a FortiClient Configurator (Windows) or Repackager (OS X), no banner is displayed by default.

Logging

Enhancement to FortiClient logs

FortiClient will create a log entry to show just the URL visited by the user through a web browser. This is in addition to the network level logs generated by FortiClient.



FortiClient 5.4.0 Administration Guide – Introduction

Introduction

FortiClient is an all-in-one comprehensive endpoint security solution that extends the power of Fortinet’s Advanced Threat Protection (ATP) to end user devices. As the endpoint is the ultimate destination for malware that is seeking credentials, network access, and sensitive information, ensuring that your endpoint security combines strong prevention with detection and mitigation is critical.

This document provides an overview of FortiClient 5.4.0.

This document was written for FortiClient (Windows) 5.4.0. Not all features described in this document are supported for FortiClient (Mac OS X) 5.4.0.

FortiClient features

FortiClient offers two licensing modes: Standalone mode and Managed mode. It can also be integrated with FortiSandbox.

The following table provides a feature comparison between the standalone client (free version) and the managed client (licensed version).

Standalone Client (Free Version)

Installation Options
• Complete: all Endpoint Security and VPN components will be installed.
• VPN Only: only VPN components (IPsec and SSL) will be installed.
• Create a custom FortiClient installer using the FortiClient Configurator tool in trial mode. In trial mode, all online updates are disabled.

Threat Protection
• Real-time Antivirus Protection
• Antirootkit/Antimalware
• Grayware Blocking (Adware/Riskware)

Web Content
• Web Filtering
• YouTube Education Filter

VPN
• SSL VPN
• IPsec VPN
• Client Certificate Support
• X.509 Certificate Support
• Elliptic Curve Certificate Support
• Two-Factor Authentication

Logging
• VPN, Antivirus, Web Security, and Update
• View logs locally

Managed Client (Licensed Version)

Installation Options
• Complete: all Endpoint Security and VPN components will be installed.
• VPN Only: only VPN components (IPsec and SSL) will be installed.
• Create a custom FortiClient installer using the FortiClient Configurator tool.

Threat Protection
• Real-time Antivirus Protection
• Antirootkit/Antimalware
• Grayware Blocking (Adware/Riskware)
• Cloud Based Behavior Scanning

Web Content
• Web Filtering
• YouTube Education Filter

VPN
• SSL VPN
• IPsec VPN
• Client Certificate Support
• X.509 Certificate Support
• Elliptic Curve Certificate Support
• Two-Factor Authentication

Logging
• VPN, Application Firewall, Antivirus, Web Filter, Update, and Vulnerability Scan
• View logs locally

Application Control
• Application Firewall
• Block Specific Application Traffic

Vulnerability Management
• Vulnerability Scan
• Link to FortiGuard with information on the impact and recommended actions

Central Management
• Centralized client management and monitoring
• Centralized configuration provisioning and deployment
• Enforcement of enterprise security policies

Central Logging
• Upload logs to a FortiAnalyzer or FortiManager. FortiClient must be registered to a FortiGate to upload logs to FortiAnalyzer or FortiManager.

Standalone mode

In standalone mode, FortiClient is not registered to a FortiGate or Enterprise Management Server (EMS). In this mode, FortiClient is free both for private individuals and commercial businesses to use; no license is required. All features and functions are activated.

 


Managed mode

Companies with large installations of FortiClient usually need a method to manage their endpoints. This is accomplished by registering each FortiClient to a FortiGate or an Enterprise Management Server (EMS). In this mode, FortiClient licensing is applied to the FortiGate or EMS. No separate license is required on FortiClient itself.

FortiSandbox

FortiSandbox can analyze new, previously unknown and undetected virus samples in real time. Files sent to it are first scanned with an Antivirus (AV) engine and signatures similar to those available on FortiOS and FortiClient. If the file is not detected but is an executable, it is run in a Microsoft Windows virtual machine (VM) and monitored. The file is then given a rating or score based on its activities and behavior in the VM.

FortiClient integration with FortiSandbox allows users to submit files to FortiSandbox for automatic scanning. When configured, FortiClient will send supported files downloaded over the internet to FortiSandbox if they cannot be detected by the local, real-time scanning. Access to the downloaded file can be blocked until the scanning result is returned.

As FortiSandbox receives files for scanning from various sources, it collects and generates AV signatures for such samples. FortiClient periodically downloads the latest AV signatures from the FortiSandbox, and applies them locally to all real-time and on-demand AV scanning.

For more information, see the FortiSandbox Administration Guide, available in the Fortinet Document Library.

On-Net / Off-Net

The on-net feature requires the use of a FortiGate as a DHCP server, usually the same FortiGate that the FortiClient is registered to. When the device that FortiClient is running on has an IP address from the FortiGate’s DHCP server, it is on-net. For any other IP address, it is off-net.

There is a new way to configure the on-net feature. On the FortiGate, the DHCP server can be used, or several network subnets can be provided. FortiClient will be on-net if:

• It is registered using EC to the FortiGate,
• It belongs to one of the pre-configured on-net subnets, or
• Its DHCP lease carries the on-net properties.

Otherwise, FortiClient will be off-net.

Licensing

Licensing on the FortiGate is based on the number of registered clients. FortiGate 30 series and higher models support ten (10) free managed FortiClient licenses. For additional managed clients, a FortiClient license subscription must be purchased. The maximum number of managed clients varies per device model.

The VPN on-net, off-net feature in Endpoint Control will be activated only when the FortiGate, to which FortiClient is registered, is running FortiOS 5.2 or 5.4 with a FortiClient 5.2 or 5.4 license.

FortiGate Client limits

The following table shows client limits per FortiGate model series.

• FortiGate/FortiWiFi 30 to 90 series: 10 free registrations; 1 year FortiClient license subscription for up to 200 clients
• FortiGate 100 to 300 series: 10 free registrations; 1 year FortiClient license subscription for up to 600 clients
• FortiGate 500 to 800 series, FortiGate VM01, FortiGate VM02: 10 free registrations; 1 year FortiClient license subscription for up to 2000 clients
• FortiGate 1000 series, FortiGate VM04: 10 free registrations; 1 year FortiClient license subscription for up to 8000 clients
• FortiGate 3000 to 5000 series, FortiGate VM08: 10 free registrations; 1 year FortiClient license subscription for up to 20 000 clients


EMS client limits

A newly installed EMS offers 20 000 trial client licenses for a period of 60 days from the day of installation. After the trial period lapses, the number of client licenses drops to 10, the same as for a new FortiGate to which no FortiClient license has been applied.

A license may be applied to the EMS at any time during or after the trial period. Licenses are available in multiples of 100 seats, with a minimum of 100 seats.

Installation information

The following lists operating system support and the minimum system requirements for each platform.

Microsoft Windows

Operating system support:
• Microsoft Windows XP (32-bit)
• Microsoft Windows 7 (32-bit and 64-bit)
• Microsoft Windows 8 (32-bit and 64-bit)
• Microsoft Windows 8.1 (32-bit and 64-bit)
• Microsoft Windows 10 (32-bit and 64-bit)

Minimum system requirements:
• Microsoft Internet Explorer version 8 or later
• Microsoft Windows compatible computer with Intel processor or equivalent
• Compatible operating system and minimum 512MB RAM
• 600MB free hard disk space
• Native Microsoft TCP/IP communication protocol
• Native Microsoft PPP dialer for dial-up connections
• Ethernet NIC for network connections
• Wireless adapter for wireless network connections
• Adobe Acrobat Reader for documentation
• MSI installer 3.0 or later

Microsoft Windows Server

Operating system support:
• Microsoft Windows Server 2008 R2
• Microsoft Windows Server 2012
• Microsoft Windows Server 2012 R2

Minimum system requirements: the same as for the Microsoft Windows desktop versions listed above.

Mac OS X

Operating system support:
• Mac OS X v10.8 Mountain Lion
• Mac OS X v10.9 Mavericks
• Mac OS X v10.10 Yosemite
• Mac OS X v10.11 El Capitan

Minimum system requirements:
• Apple Mac computer with an Intel processor
• 256MB of RAM
• 20MB of hard disk drive (HDD) space
• TCP/IP communication protocol
• Ethernet NIC for network connections
• Wireless adapter for wireless network connections

Firmware images and tools

Microsoft Windows

The following files are available in the firmware image file folder:

• 4.xx.xxxx.exe: Standard installer for Microsoft Windows (32-bit).
• 4.xx.xxxx.zip: Zip package containing FortiClient.msi and language transforms for Microsoft Windows (32-bit). Some properties of the MSI package can be customized with the FortiClient Configurator tool.
• 4.xx.xxxx_x64.exe: Standard installer for Microsoft Windows (64-bit).
• 4.xx.xxxx_x64.zip: Zip package containing FortiClient.msi and language transforms for Microsoft Windows (64-bit). Some properties of the MSI package can be customized with the FortiClient Configurator tool.
• 4.xx.xxxx.zip: Zip package containing miscellaneous tools, including the FortiClient Configurator tool and VPN Automation files:
  • OnlineInstaller: Downloads and installs the latest FortiClient file from the public FDS.
  • FortiClientConfigurator: An installer repackaging tool used to create customized installation packages.
  • FortiClientVirusCleaner: A virus cleaner.
  • SSLVPNcmdline: Command line SSL VPN client.
  • SupportUtils: Diagnostic, uninstallation, and reinstallation tools.
  • VPNAutomation: A VPN automation tool.

When creating a custom FortiClient 5.4 installer using the FortiClient Configurator tool, you can choose which features to install. You can also enable or disable software updates, configure SSO, and rebrand FortiClient.

Mac OS X

The following files are available in the firmware image file folder:

• 4.x.xxx_macosx.dmg: Standard installer for Mac OS X.
• 4.x.xxx_macosx.tar: FortiClientTools archive. FortiClient includes various utility tools and files to help with installations; the following are available in the FortiClientTools .tar file:
  • OnlineInstaller: Downloads and installs the latest FortiClient file from the public FDS.
  • FortiClientConfigurator: An installer repackaging tool used to create customized installation packages.
  • RebrandingResources: Rebranding resources used by the FortiClient Configurator tool.

When creating a custom FortiClient 5.4.0 installer using the FortiClient Repackager tool, you can choose to install Everything, VPN Only, or SSO only. You can also enable or disable software updates and rebrand FortiClient.

FortiClient 5.4 cannot use FortiClient version 5.0 licenses. To use FortiClient Configurator, you need to use the FortiClient version 5.4 license file.

Language support

The following table lists FortiClient language support information.

• English (United States): graphical user interface, XML configuration, and documentation
• Chinese (Simplified): graphical user interface only
• Chinese (Traditional): graphical user interface only
• French (France): graphical user interface only
• German: graphical user interface only
• Japanese: graphical user interface only
• Korean: graphical user interface only
• Portuguese (Brazil): graphical user interface only
• Spanish (Spain): graphical user interface only

 



FortiCache 4.0.1 Administration Guide

Introduction

FortiCache high performance web caching appliances address bandwidth saturation, high latency, and poor performance by caching popular internet content locally for carriers, service providers, enterprises, and educational networks. FortiCache appliances reduce the cost and network impact of repeatedly fetched content while improving performance and the end-user experience through faster delivery of popular, repeated content.

About this document

This document contains the following sections:

• Introduction
• Concepts
• System Administration
• Policy & Objects
• Objects
• Security Profiles
• User Authentication
• WAN Optimization and Web Caching
• WCCP
• Logging

Concepts

FortiCache web caching is a form of object caching that accelerates web applications and web servers by reducing bandwidth usage, server load, and perceived latency.

Web caching involves storing HTML pages, images, videos, servlet responses, and other web-based objects for later retrieval. These objects are stored in the web cache storage location defined by the config wanopt storage command. You can also go to System > Config > Disk to view the storage locations on the FortiCache unit hard disks.

There are three significant advantages to using web caching to improve HTTP performance:

• Reduced bandwidth consumption, because fewer requests and responses go over the WAN or Internet
• Reduced web server load, because there are fewer requests for web servers to handle
• Reduced latency, because responses for cached requests are available from a local FortiCache unit instead of from across the WAN or Internet

When enabled in a web caching policy, the FortiCache unit caches HTTP traffic processed by that policy. A web caching policy specifies the source and destination addresses and destination ports of the traffic to be cached.

Web caching caches compressed and non-compressed versions of the same file separately. If the HTTP protocol considers the compressed and uncompressed versions of a file the same object, only the compressed or uncompressed file will be cached.

You can also configure a FortiCache unit to operate as a Web Cache Communication Protocol (WCCP) client. WCCP provides the ability to offload web caching to one or more redundant web caching servers.

This chapter describes:

• Web caching topologies
• WCCP topologies
• Content Analysis Service

Web caching topologies

FortiCache web caching involves one or more FortiCache units installed between users and web servers. The FortiCache unit can operate in both Network Address Translation (NAT) and transparent modes. The FortiCache unit intercepts web page requests accepted by web cache policies, requests the pages from the web servers, caches the page contents, and returns them to the users. When the FortiCache unit intercepts subsequent requests for cached web pages, it contacts the destination web server only to check for changes.

Most commonly the topology uses a router to route HTTP and HTTPS traffic to be cached to one or more FortiCache units. Traffic that should not be cached bypasses the FortiCache units. This is a scalable topology that allows you to add more FortiCache units if usage increases.


Web caching topology with web traffic routed to FortiCache units

You can also configure reverse proxy web caching. In this configuration, users on the Internet browse to a web server installed behind a FortiCache unit. The FortiCache unit intercepts the web traffic (HTTP and HTTPS) and caches pages from the web server. Reverse proxy web caching on the FortiCache unit reduces the number of requests that the web server must handle, leaving it free to process new requests that it has not serviced before. Since all traffic is to be cached, the FortiCache unit can be installed in Transparent mode directly between the web server and the Internet.

Reverse proxy web caching topology

The reverse proxy configuration can also include a router to route web traffic to a group of FortiCache units operating in Transparent Mode. This is also a scalable solution for reverse proxy web caching.

Reverse proxy web caching topology with web traffic routed to FortiCache unit

When requested web objects or video are already cached on the FortiCache hard disk, the FortiCache unit serves the response to the client from cache storage. The client does not connect directly to the server.

When web objects or video are not available on the FortiCache hard disk, the FortiCache unit forwards the request to the origin server. If the HTTP response indicates that the object is cacheable, the object is written to cache storage and the HTTP request is served from it. Any later HTTP request for the same object is also served from cache storage.

The FortiCache unit forwards HTTP responses that cannot be cached from the server back to the client that originated the HTTP request.

 


All non-HTTP traffic and HTTP traffic that is not cached by FortiCache will pass through the unit. HTTP traffic is not cached by the FortiCache unit if a web cache policy has not been added for it.

WCCP topologies

You can operate a FortiCache unit as a WCCP cache engine. As a cache engine, the FortiCache unit returns the required cached content to the client web browser. If the cache server does not have the required content, it accesses the content, caches it, and returns the content to the client web browser.

WCCP topology

WCCP is transparent to client web browsers. The web browsers do not have to be configured to use a web proxy.

Content Analysis Service

FortiGuard Content Analysis Service is a licensed feature for the real-time analysis of images in order to detect adult content. Detection of adult content in images uses various patented techniques (not just color-based), including limb and body part detection, body position, etc.

Once detected, such content can be optionally blocked or reported.

Please contact your Fortinet Account Manager should you require a trial of this service. You can purchase this service from support.fortinet.com.

For configuration information, see Content Analysis on page 101.



FortiBridge 4.0 Administration Guide

Introduction

FortiBridge enables you to add traffic monitoring and security devices to your network, without any loss in network integrity.

FortiBridge supports two normal modes of operation: inline mode and TAP mode. Inline mode supports network configurations that require in-line monitoring/security devices. TAP mode supports various traffic TAP configurations, where the main network path is mirrored to the monitoring devices.

The FortiBridge product provides monitoring features to ensure that any inline or TAP devices do not impact network integrity and availability. For example, FortiBridge runs a heartbeat probe for in-line configurations, and automatically switches to Bypass mode if the heartbeat fails.

Bypass mode provides active and passive bypass circuitry. Active bypass restores the traffic path between network ports, if the monitoring path fails. If the FortiBridge suffers a catastrophic failure such as power loss, it automatically reverts to Passive Bypass mode, so that traffic flow is not interrupted.

Hardware Configurations

The FortiBridge consists of a host system (a 1U chassis), which houses up to three bypass modules.

A bypass module supports one or more network segments. A network segment provides one inline or bypass traffic path. Each segment provides two network ports (NET0 and NET1) and two monitoring ports (MON1 and MON2).

The following bypass modules are available:

• 40G bypass module
  • Supports one bypass segment.
  • Supports 40G Single mode fiber (40GBase-SR4) network standards.
  • Provides MPO/LC ports for the network ports.
  • Provides QSFP+ ports for the monitor ports.
• Dual-rate 1/10G bypass module
  • Supports two bypass segments.
  • Supports dual rate 1/10G Multimode Fiber (10GBase-SR, 1000Base-SX) network standards.
  • Supports dual rate 1/10G Single mode fiber (10GBase-LR, 1000Base-LX) network standards.
  • Provides MPO/LC Duplex ports for the network ports.
  • Provides SFP+ ports for the monitor ports.

The network ports have built-in transceivers. The monitor ports require plug-in optical transceivers. The correct transceivers are delivered (pre-installed) with your FortiBridge product.

Product Overview

Modes of Operation

Each FortiBridge segment operates in one of the following modes:

  • Inline mode
    • The system diverts all incoming network traffic to the monitoring ports. No traffic flows directly between the network ports.
    • The inline network element must bridge the traffic between the monitoring ports.
    • The system monitors the inline traffic path using a heartbeat probe.
    • In the event of a fault, the segment transitions to one of the bypass modes (Bypass, TAP or Fail-cutoff mode, depending on configuration values).
    • When the fault condition clears, the segment can automatically transition back to Inline mode (the exact behavior is defined by configuration values). The segment transitions to Inline mode only after it detects that the heartbeat probe is working again.
  • TAP mode
    • The system sends traffic between the network ports, and incoming traffic is mirrored to the monitoring ports.
    • The system does not provide a heartbeat probe on the mirrored path (because the network path is the primary traffic path).
    • If the system loses power, the traffic path is maintained between the network ports (the segment transitions to passive bypass mode).
  • Bypass mode
    • The system sends traffic only between the network ports, and not to the monitoring ports.
  • Fail-cutoff mode
    • The system disables the links on the network ports, to simulate cable disconnection between the network devices.
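
As an added illustration (not FortiBridge's own firmware logic), the Python model below walks one segment through the transitions listed above: consecutive heartbeat misses drop an Inline segment to its configured fault mode, the segment returns to Inline only after the probe is seen working again (and only if automatic return is enabled), and a power loss lands it in passive bypass regardless of probe state. The miss and recovery thresholds are hypothetical tunables chosen for the model, not documented FortiBridge settings.

```python
from enum import Enum


class Mode(Enum):
    INLINE = "inline"
    TAP = "tap"
    BYPASS = "bypass"
    FAIL_CUTOFF = "fail-cutoff"
    PASSIVE_BYPASS = "passive-bypass"


class Segment:
    """One FortiBridge segment whose normal mode is Inline.

    fault_mode is the mode the segment falls to when the heartbeat probe fails
    (Bypass, TAP or Fail-cutoff, as the guide lists); auto_return says whether
    it returns to Inline once the probe works again. miss_threshold and
    recover_threshold are hypothetical tunables for this model only.
    """

    def __init__(self, fault_mode=Mode.BYPASS, auto_return=True,
                 miss_threshold=3, recover_threshold=2):
        if fault_mode not in (Mode.BYPASS, Mode.TAP, Mode.FAIL_CUTOFF):
            raise ValueError("fault mode must be Bypass, TAP or Fail-cutoff")
        self.fault_mode = fault_mode
        self.auto_return = auto_return
        self.miss_threshold = miss_threshold
        self.recover_threshold = recover_threshold
        self.mode = Mode.INLINE
        self.missed = 0       # consecutive failed probes
        self.good = 0         # consecutive successful probes
        self.events = []      # human-readable transition log

    def heartbeat(self, ok):
        """Feed one heartbeat probe result and return the resulting mode."""
        if self.mode == Mode.PASSIVE_BYPASS:
            # Chassis unpowered: the relays hold NET0<->NET1, nothing to probe.
            return self.mode
        if ok:
            self.missed = 0
            self.good += 1
            # Return to Inline only once the probe has proven itself again.
            if (self.mode != Mode.INLINE and self.auto_return
                    and self.good >= self.recover_threshold):
                self.mode = Mode.INLINE
                self.events.append("heartbeat restored -> inline")
        else:
            self.good = 0
            self.missed += 1
            if self.mode == Mode.INLINE and self.missed >= self.miss_threshold:
                self.mode = self.fault_mode
                self.events.append(f"heartbeat lost -> {self.fault_mode.value}")
        return self.mode

    def power_loss(self):
        """Catastrophic failure: passive bypass keeps the network path joined."""
        self.mode = Mode.PASSIVE_BYPASS
        self.events.append("power lost -> passive-bypass")
        return self.mode


def simulate(probe_results, fault_mode=Mode.BYPASS, auto_return=True):
    """Run a sequence of probe results; return the per-probe mode trace and events."""
    seg = Segment(fault_mode, auto_return)
    trace = [seg.heartbeat(ok).value for ok in probe_results]
    return trace, seg.events


if __name__ == "__main__":
    # Constructed probe sequence: two good probes, three misses, two good probes.
    print(simulate([True, True, False, False, False, True, True]))
```

With the default thresholds the constructed sequence stays Inline through the first two misses, drops to Bypass on the third, and is back Inline after the second good probe; with auto_return disabled it stays in the fault mode until an operator intervenes.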


System Management – FortiBalancer

Chapter 19 System Management

19.1 Administrative Tools

19.1.1 Overview

This chapter focuses on various configuration maintenance elements, such as downloading new OS software, rebooting your FortiBalancer appliance, reverting your configuration to a previously saved state, or returning the FortiBalancer appliance to its factory default settings, among other closing strategies.

The final series of configuration options concerns the running operation of your FortiBalancer appliance and its relationship with the rest of the network architecture. Through the various sub-folders (within the web UI) that are revealed once you click on the “Admin Tools” folder, you will discover a series of options allowing you to set administrative passwords, perform configuration synchronization, set SNMP traps and define reboot strategies, among other operations. All of these features may also be configured via the CLI.

19.1.2 Administrative Tools Configuration

19.1.2.1 Configuration Guidelines

Table 19-1 General Settings of Administrative Tools

Operation: Configuring External Authentication
  admin aaa {on|off}
  admin aaa method [radius|tac_x]
  admin aaa server <server_id> <host_name|ip_address> <port> <secret>

Operation: System shutdown and reboot
  system shutdown [halt|poweroff]
  system reboot [interactive|noninteractive]

Operation: Configuration file maintenance
  clear config file
  clear config secondary
  clear config primary
  clear config all
  clear config factorydefault
  clear config timeout
  write memory
  write file <file_name>
  write net tftp <ip_tftp> <file_name>
  write net scp {remote_server_ip|name} <user_name> <config_file_name>
  config memory
  config net tftp <tftp_server_ip> <config_file_name>
  config file <file_name>

Operation: Software upgrade
  system update <url>

Operation: Configuration Synchronization
  synconfig peer <peer_name> <peer_ip>
  synconfig to <name>
  synconfig from <name>

Operation: SDNS Synchronization
  synconfig sdns peer <peer_name> <peer_ip>
  synconfig sdns to <peer_name>

Operation: Monitoring
  graph name <new_name>
  graph rename <old_name> <new_name>
  graph settings displaymode {nostack|stack} <graph_name>
  graph item <graph_name> <module_name> <type> [service] <scale> <color> [order] [legend_string]

Operation: NTP
  ntp {on|off}
  ntp server <ip> [version]
  show ntp
  clear ntp

Operation: XML RPC
  xmlrpc {on|off} [https|http]
  xmlrpc port <port>
  show xmlrpc
  clear xmlrpc

Operation: Remote access
  ssh remote "user@hostname"
  telnet "host port"

19.1.2.2 Configuration Example via CLI

19.1.2.2.1 Configuring External Authentication

If you have an external authentication server (RADIUS/TACACS), you may use it to authenticate SSH/web UI logon requests. External authentication is performed when the “admin aaa” command is set to on and the logon user name does not exist on the FortiBalancer system.

FortiBalancer(config)#admin aaa on
FortiBalancer(config)#admin aaa method RADIUS
FortiBalancer(config)#admin aaa server es01 "10.1.1.1" 1812 radiussecret
FortiBalancer(config)#admin aaa server es02 radius_host 1812 radiussecret

19.1.2.2.2 System Maintenance

Simply enough, employing the “quit” command will allow you to exit the CLI. In the event you want to terminate all FortiBalancer appliance interactions with your network, you will need to use the “system shutdown” command.

FortiBalancer(config)#system shutdown

The FortiBalancer appliance will prompt you with an alert to verify the shutdown. By entering “YES” (case sensitive), you commence the shutdown operation. After a brief, 60-second period, users may turn off the appliance.

In some cases when dealing with configuration changes you might need to reboot the box.

FortiBalancer(config)#system reboot

19.1.2.2.3 Configuration File Maintenance

When working with configurations there may come a time when you want to experiment with a new configuration strategy without overwriting your known working configuration. The OS possesses several options for working with configuration files.

In general, you work with the running configuration and write it to disk by using the “write memory” command. You can also save the configuration to a file by using the “config file” command, on the FortiBalancer appliance. Finally, you may export and import the configuration by using TFTP.

To clear the running configuration on the FortiBalancer appliance:

FortiBalancer(config)#clear config all

Now the FortiBalancer appliance has been returned to its factory default settings.

When working with the “write memory” command, keep in mind that this is the configuration file that will be loaded when the FortiBalancer reboots. If you have made changes and want to clear the configuration currently running, use the “clear config” command.

At any point when you want to import a previously saved configuration, you will need to clear the current, running configuration as previously discussed in this chapter. Once this is completed, you can import the new configuration. The FortiBalancer appliance lets you save configurations to three separate places: the “memory” file, which is where the FortiBalancer appliance reads its configuration settings from upon reboot; the “file” store, where the FortiBalancer appliance can keep several different configurations; and the “net”, which refers to saving a file to a remote location on the network. To save configuration files:

FortiBalancer(config)#write net tftp 10.10.0.3 default_config

To recall a previously saved configuration and merge it into the running parameters of the appliance:

FortiBalancer(config)#config memory

FortiBalancer(config)#config file new_lb

FortiBalancer(config)#config net tftp 10.10.0.3 default_config

When loading a configuration file while the box is running, it is important to remember that the configuration is merged with the running configuration. So you need to clear the appropriate configuration from the FortiBalancer appliance before you load a configuration file. For example, if you have 5 real servers defined and execute the “config net tftp 10.10.0.3 default_config” command, and that configuration file has 5 real servers using the same real names, you will get an error since you cannot have duplicate real server names.
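
As an added Python model (not FortiBalancer code) of the merge behaviour just described: it reads only “slb real <protocol> <name> <ip> [port]” lines from a running configuration and from a saved file, merges the file into the running set, and reports the duplicate real server name the appliance would reject, unless the running configuration is cleared first. Both configurations are constructed for the example.

```python
import re

# "slb real <protocol> <name> <ip> [port] ..." is the real-server definition this
# model recognizes (the form the guide quotes); every other line is ignored.
REAL_RE = re.compile(r"^slb real (\S+) (\S+) (\S+)(?: (\d+))?")


class DuplicateRealError(ValueError):
    """Raised where the appliance would report a duplicate real server name."""


def parse_reals(config_text):
    """Return {name: (protocol, ip, port)} for the real servers in a config."""
    reals = {}
    for raw in config_text.splitlines():
        m = REAL_RE.match(raw.strip())
        if not m:
            continue
        protocol, name, ip, port = m.groups()
        if name in reals:
            raise DuplicateRealError(f"real server {name!r} defined twice")
        reals[name] = (protocol, ip, int(port) if port else None)
    return reals


def load_config(running_text, file_text, clear_first=False):
    """Model 'config file' / 'config net tftp': the file is merged into, not
    substituted for, the running configuration. clear_first models running
    'clear config all' before the load."""
    merged = {} if clear_first else parse_reals(running_text)
    for name, entry in parse_reals(file_text).items():
        if name in merged:
            raise DuplicateRealError(
                f"real server {name!r} already exists in the running configuration")
        merged[name] = entry
    return merged


def merge_outcome(running_text, file_text, clear_first=False):
    """('ok', merged real servers) or ('error', message), for callers that
    prefer a result over an exception."""
    try:
        return "ok", load_config(running_text, file_text, clear_first)
    except DuplicateRealError as exc:
        return "error", str(exc)


# Constructed running configuration and a saved file that redefines the same names.
RUNNING = """\
slb real http web1 10.1.1.11 80
slb real http web2 10.1.1.12 80
"""
DEFAULT_CONFIG = """\
slb real http web1 10.1.1.11 80
slb real http web2 10.1.1.12 80
slb real http web3 10.1.1.13 80
"""

if __name__ == "__main__":
    print(merge_outcome(RUNNING, DEFAULT_CONFIG))
    print(merge_outcome(RUNNING, DEFAULT_CONFIG, clear_first=True))
```

The first call fails on web1, exactly the situation the paragraph warns about; the second succeeds because the running set was cleared before the load.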

19.1.2.2.4 Software Upgrade Procedure

To see the current version of OS software that is running, we use the “show version” command.

FortiBalancer(config)#show version

FortiBalancerOS Rel.TM.8.4.0.1 build on Mon Mar 18 18:12:09 2013

Host name          : FortiBalancer
System CPU         : Intel(R) Core(TM)2 Quad CPU
System RAM         : 3842964 kbytes.
System boot time   : Mon Mar 18 19:10:19 GMT (+0000) 2013
Current time       : Tue Mar 19 19:54:09 GMT (+0000) 2013
System up time     : 1 day, 00:44
Platform Bld Date  : Mon Mar 18 18:12:09 CST 2013
SSL HW             : HW ( 1X16C ) Initialized
Compression HW     : No HW Available
Power supply       : 2U, AC, 2-cords, Redundancy
Network Interface  : 4 x Gigabit Ethernet copper
Model              : FortiBalancer 2000
Serial Number      : 0437A3345200010003011044316464
Licensed Features  : WebWall  Clustering  L4SLB  L7SLB  Caching  SSL  tProxy  AppGateway  SwCompression  LLB  GSLB  QoS  MultiLang  DynRoute  FFO  REDUNDANT  IPv6
License Key        : f1bd6e06-d29016c1-c053e5eb-00d27cb7-d3f75a85-00000000-05d5d9ab-99999999

Fortinet Customer Support
Update             : please contact support for instructions
Website            : http://www.fortinet.com

Other Root Version
Rel.FBLOS.8.3.2.3 build on Fri Feb 22 17:35:11 2013


To upgrade to a newer release there are several steps to take.

First, contact Customer Support to gain access to the software and documentation repository.

Contact your customer support representative or send email to: support@fortinet.com

Once you have received a password and verified with a customer support engineer that the OS needs an upgrade, you can download the software image from the Fortinet website. You should download the image to either a local Web server or an anonymous FTP server.

It is recommended that you use the serial console to upgrade the OS. Once you have a console connection you can upgrade the appliance by using the “system update” command. Currently the upgrade procedure supports two upgrade methods: HTTP or FTP. The commands are identical except for the URL.

For example, use the command to upgrade the appliance from 192.168.10.10:

FortiBalancer(config)#system update http://192.168.10.10/FortiOS_rel_FBL_8_4_0_1.fn

This will upgrade your system from http://192.168.10.10/FortiOS_rel_FBL_8_4_0_1.fn
Power outages or other systems failures may corrupt the system.
It is highly recommended that you save your configuration on an external system prior to upgrading or downgrading.
Any configuration changes that have not been "saved" will be lost.
After a successful patch the system will be rebooted.

Type "YES" to confirm upgrade: YES

Note: If you use a DNS name, for example “system update http://s5.sj.example.com”, make sure that you have correctly set up name resolution on the FortiBalancer appliance: use the “ip nameserver” command to define the DNS server that resolves the “s5” host, or use the “ip host” command to define the IP address of the “s5” host locally. Otherwise you will get an error when you try to download the software image.

The OS will then shut down all load balancing features, download the software image, verify that the image was produced by Fortinet, and then install it. If there is any problem with the software image, the CLI will abort the upgrade and display a prompt on the screen. Otherwise you should get a prompt on the console stating that the upgrade was successful, and the FortiBalancer appliance will reboot. Upon reboot, use the “show version” command to verify that the upgrade was successful.

Caution:

  1. If you execute this command via an SSH connection and the connection is lost during the update procedure, the FortiBalancer appliance will not be able to complete the update process.
  2. Do not disconnect the connections to the FortiBalancer appliance during the system updating process.

Software Licenses

Some software features of the FortiBalancer appliance may be under software license key control. If you need these software features, please contact customer support (https://support.fortinet.com) to obtain a new license key.

19.1.2.2.5 Configuration Synchronization

The Configuration Synchronization feature of the FortiBalancer appliance allows administrators to transfer configuration information among FortiBalancer appliances within the same network. Configuration Synchronization is a set of commands that allow you to manage and configure boxes within a network. You may transfer configuration information from one FortiBalancer appliance in a network to other FortiBalancer appliances within the same network. By using configuration synchronization, you can quickly set up an Active-Standby configuration. The rest of the section covers how to use this feature.

Note: Synconfig commands are executed via SSH, therefore SSH must be enabled.

  • Step 1 Configure configuration synchronization on FortiBalancer1

FortiBalancer1(config)#synconfig peer FortiBalancer1 192.168.1.1
FortiBalancer1(config)#synconfig to FortiBalancer2

  • Step 2 Configure configuration synchronization on FortiBalancer2

FortiBalancer2(config)#synconfig peer FortiBalancer1 192.168.1.1

FortiBalancer2(config)#synconfig peer FortiBalancer2 192.168.1.2

FortiBalancer2(config)#synconfig from FortiBalancer1

Note: If WebWall is turned on for the interface which the “synconfig” command uses to synchronize with peer, you need to add the corresponding accesslist rules to allow the traffic to come in through SSH port 22 on both FortiBalancer machines (FortiBalancer appliance and the sync peer).

19.1.2.2.6 SDNS Configuration Synchronization

Administrators can synchronize SDNS configurations and BIND9 zone files except SDNS member configurations from a local FortiBalancer appliance to remote peers.

In the following example, SDNS configurations and BIND9 zone files except SDNS member configurations on FortiBalancer1 are synchronized to the remote FortiBalancer2.

  • Step 1 Configure SDNS configuration synchronization on FortiBalancer1

FortiBalancer1(config)#synconfig sdns peer peerlocal 172.16.83.180

FortiBalancer1(config)#synconfig sdns peer peerremote 172.16.83.120

  • Step 2 Start SDNS configuration synchronization from FortiBalancer1 to FortiBalancer2

FortiBalancer1(config)#synconfig sdns to peerremote

19.1.2.2.7 Monitoring

The FortiBalancer appliance allows the administrator to view a wide range of pertinent network data through a series of pre-designed and custom (administrator defined) graphs.

  • Step 1 Establish custom graph items

FortiBalancer(config)#graph name aa

FortiBalancer(config)#graph rename aa bb

FortiBalancer(config)#graph settings displaymode stack bb

FortiBalancer(config)#graph item bb “System” “CPU Utilization” “1” “red” “2”

19.1.2.2.8 Component Update

Component update allows for the update of many components on the FortiBalancer appliances without requiring a reboot. The effect of the component update is instantaneous. Any number of component patches can be applied to the FortiBalancer appliances. However, only the most recent component update can be reverted. The list of patches applied using component update is visible in the output of “show version” command.

Component patches can only be generated by Fortinet. These are in the same “.click” format as the regular OS updates, but they are much smaller in size.

19.1.2.2.9 NTP Time Synchronizer

The Network Time Protocol (NTP) time synchronizer enables the FortiBalancer appliance to synchronize the system time with the specified NTP server.

After the NTP time synchronizer is enabled, the FortiBalancer appliance will automatically synchronize the system time with the specified NTP server at the interval of about 15 minutes.

Attention:

  1. It is recommended that you change the time difference between the system time of the FortiBalancer appliance and the time of the NTP server to less than 1000s before enabling the NTP time synchronizer.
  2. Do not change the system time of the FortiBalancer appliance after enabling the NTP time synchronizer.

The FortiBalancer appliance should be used as an NTP client rather than an NTP server.

If multiple NTP servers are configured, the FortiBalancer appliance will calculate the round-trip delay from the time information in the response packet from each NTP server, and synchronize its system time with the NTP server that has the minimum delay.

  • Step 1 Configure an NTP server

FortiBalancer1(config)#ntp server 207.46.197.32 4

  • Step 2 Turn on NTP time synchronizer

FortiBalancer1(config)#ntp on

Users also can use the command “show ntp” to view the current NTP configuration.

FortiBalancer1(config)#show ntp
ntp server 207.46.197.32 4
ntp on

time since restart:     1481
time since reset:       1481
packets received:       21
packets processed:      0
current version:        0
previous version:       0
bad version:            0
access denied:          0
bad length or format:   0
bad authentication:     0
rate exceeded:          0

The following explains the items in the output information:

Time since restart:     The time in hours since the system was last rebooted.
Time since reset:       The time since the statistics were reset and the system statistics monitoring file was updated. This is designed for busy servers, such as those operated by NIST and USNO, and is intended as an early-warning detector of clogging attacks.
Packets received:       The total number of packets received.
Packets processed:      The number of packets received in response to previous packets sent.
Current version:        The number of packets matching the current NTP version.
Previous version:       The number of packets matching the previous NTP version.
Bad version:            The number of packets matching neither NTP version.
Access denied:          The number of packets denied access for any reason.
Bad length or format:   The number of packets with an invalid length, format or port number.
Bad authentication:     The number of packets not verified as authentic.
Rate exceeded:          The number of packets discarded due to rate limiting.
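
The server-selection rule described above, as an added Python example that is not FortiBalancer's own code: given the four RFC 5905 timestamps of each request/response, it computes the round-trip delay and the clock offset, picks the lowest-delay server, and applies the 1000-second pre-check from the Attention note. Apart from 207.46.197.32 (the guide's server), the server addresses and all timestamps are constructed.

```python
from dataclasses import dataclass


@dataclass
class NtpExchange:
    """The four timestamps of one NTP request/response (RFC 5905 naming)."""
    server: str
    t1: float  # client transmit time of the request
    t2: float  # server receive time
    t3: float  # server transmit time of the response
    t4: float  # client receive time


def round_trip_delay(x):
    """delay = (T4 - T1) - (T3 - T2): the network round trip with the server's
    own processing time removed."""
    return (x.t4 - x.t1) - (x.t3 - x.t2)


def clock_offset(x):
    """offset = ((T2 - T1) + (T3 - T4)) / 2: how far the client clock is behind
    the server clock (negative when the client is ahead)."""
    return ((x.t2 - x.t1) + (x.t3 - x.t4)) / 2


def choose_server(exchanges):
    """Pick the server with the smallest round-trip delay, as the guide describes."""
    best = min(exchanges, key=round_trip_delay)
    return best.server, round_trip_delay(best)


def offset_within_limit(x, limit_seconds=1000.0):
    """The guide's pre-check: the local clock should differ from the server by
    less than 1000 s before the NTP time synchronizer is turned on."""
    return abs(clock_offset(x)) < limit_seconds


# Constructed exchanges; all timestamps are seconds on one common timeline.
SAMPLE = [
    NtpExchange("207.46.197.32", 100.000, 100.020, 100.021, 100.045),
    NtpExchange("10.0.0.5", 100.000, 100.003, 100.004, 100.008),
    NtpExchange("192.0.2.10", 100.000, 100.060, 100.065, 100.130),
]

if __name__ == "__main__":
    for x in SAMPLE:
        print(f"{x.server:15} delay={round_trip_delay(x):.3f}s "
              f"offset={clock_offset(x):+.4f}s ok={offset_within_limit(x)}")
    print("selected:", choose_server(SAMPLE)[0])
```

For the constructed sample the on-site server 10.0.0.5 wins with a 7 ms round trip even though its offset is no better than the others'; delay, not offset, is the guide's selection criterion.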

19.1.2.2.10 XML RPC

XML RPC allows clients to run some CLI commands remotely in the OS. This enables system programmers to automate remote configuration, which is difficult with the web UI.

XML RPC is a Remote Procedure Calling protocol that works over the Internet, using HTTP as the transport mechanism and XML as the encoding.

As shown in the figure below, the Client sends an HTTP POST Request to FortiBalancer. The XML RPC message is the body of the HTTP Request, in which the commands to run and the commands’ parameters are specified. FortiBalancer then decodes the XML RPC message and executes the called commands. Finally, it returns the results, formatted in XML, to the Client.

Figure 19-1 XML RPC Working Mechanism

To realize the communication between the Client and the FortiBalancer appliance, a Perl script called fortibalancer_xmlrpc.pl MUST first be executed on the Client. The command that executes the script is:

fortibalancer_xmlrpc.pl -d <address> -p <port> -f <data_file>

In this command, <address> specifies the FortiBalancer IP address, <port> specifies the port on which the HTTP server is listening, and <data_file> specifies the full path and filename of the XML RPC message.

XML RPC message is formatted in XML and contains a <methodCall> tag in which <methodName> and <params> tags are embedded.

The following is an HTTP POST Request whose body is an XML RPC message:

POST  /cgi-bin/xmlrpc_server  HTTP/1.1
Content-Type: text/xml
Content-Length: xxx

<?xml version='1.0' ?>
<methodCall>
  <methodName>slb_real</methodName>
  <params>
    <param>
      <value>
        <struct>
          <member>
            <name>enable_passwd</name>
            <value><string>****</string></value>
          </member>
          <member>
            <name>protocol</name>
            <value><string>http</string></value>
          </member>
          <member>
            <name>name</name>
            <value><string>fortibalancer</string></value>
          </member>
          <member>
            <name>ip</name>
            <value><string>10.1.1.1</string></value>
          </member>
          <member>
            <name>port</name>
            <value><int>80</int></value>
          </member>
          <member>
            <name>maxconns</name>
            <value><int>1000</int></value>
          </member>
          <member>
            <name>hctype</name>
            <value><string>tcp</string></value>
          </member>
          <member>
            <name>hcup</name>
            <value><int>1</int></value>
          </member>
          <member>
            <name>hcdown</name>
            <value><int>1</int></value>
          </member>
        </struct>
      </value>
    </param>
  </params>
</methodCall>

In this example, the first three lines (as below) constitute the HTTP Request Header, and the remaining part the HTTP Request body.

POST  /cgi-bin/xmlrpc_server  HTTP/1.1
Content-Type: text/xml
Content-Length: xxx

In the first three lines of the XML RPC message (as below), “slb_real” is the XML RPC method of the called command “slb real <protocol> <name> <ip> [port] [maxconns] [hc_type] [hc_up] [hc_down]”. The XML RPC method is embedded in a <methodName> tag. (Please refer to Appendix III, in which all XML RPC methods supported by FortiBalancer are listed.)

<?xml version='1.0' ?>
<methodCall>
<methodName>slb_real</methodName>

The following part specifies the Enable mode and its password, which indicates that the user will log in to Enable mode. “enable_passwd” is the keyword; the actual password value is embedded in a <string> tag. The Enable password is included in every XML RPC message.

<member>
<name>enable_passwd</name>
<value>
<string>****</string>
</value>
</member>

This portion (as below) specifies the “protocol” parameter of the called “slb_real” method. “protocol” is the keyword, whose value is embedded in a <string> tag.

<member>
<name>protocol</name>
<value>
<string>http</string>
</value>
</member>

In this example, the parameters of the “slb_real” method include protocol, name, ip, port, maxconns, hctype, hcup and hcdown. Protocol, name and ip are required, while port, maxconns, hctype, hcup and hcdown are optional.

Note: In an HTTP Request, more than one XML RPC method can be called.

If the call is successful, FortiBalancer will return an HTTP Response formatted as follows:

<?xml version='1.0' ?>
<methodResponse>
  <params>
    <param>
      <value>
        <string>xmlrpc command successful</string>
      </value>
    </param>
  </params>
</methodResponse>

If the called command is a “show” command, its output will be displayed in the place of “xmlrpc command successful”. If there is any error, the error is displayed.

To configure the XML RPC function on FortiBalancer, you need to configure two commands:

  • Step 1 Turn on XML RPC

FortiBalancer1(config)#xml on https

  • Step 2 Set the port for XML RPC to listen

FortiBalancer1(config)#xml port 9999
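
An added Python example, not the guide's fortibalancer_xmlrpc.pl script and not FortiBalancer code: it builds the slb_real message shown above with the standard library's xmlrpc.client, wraps it in the POST the guide shows (with a computed Content-Length instead of xxx), and decodes both a methodCall and the success methodResponse. The appliance address 192.0.2.1 is a placeholder; 9999 is the port from Step 2. Because enable_passwd travels in every request, turning XML RPC on with the https option, as in Step 1, is what keeps that password off the wire in clear text.

```python
import xmlrpc.client

# Placeholder appliance address for the model and the listening port from Step 2.
APPLIANCE = "192.0.2.1"
XMLRPC_PORT = 9999


def build_slb_real_call(enable_passwd, name, ip, protocol="http", port=80,
                        maxconns=1000, hctype="tcp", hcup=1, hcdown=1):
    """Serialize one slb_real call as a <methodCall> whose single <param> is the
    <struct> of members the guide shows (enable_passwd first, then the command
    parameters). Python ints become <int>, strings become <string>."""
    members = {
        "enable_passwd": enable_passwd,
        "protocol": protocol,
        "name": name,
        "ip": ip,
        "port": port,
        "maxconns": maxconns,
        "hctype": hctype,
        "hcup": hcup,
        "hcdown": hcdown,
    }
    return xmlrpc.client.dumps((members,), methodname="slb_real")


def http_request(body, host=APPLIANCE, port=XMLRPC_PORT):
    """Wrap the XML body in the POST the guide shows, with a real Content-Length."""
    payload = body.encode("utf-8")
    head = ("POST /cgi-bin/xmlrpc_server HTTP/1.1\r\n"
            f"Host: {host}:{port}\r\n"
            "Content-Type: text/xml\r\n"
            f"Content-Length: {len(payload)}\r\n\r\n")
    return head.encode("ascii") + payload


def parse_call(body):
    """Decode a <methodCall> body into (method name, member dict): the work the
    appliance side does before it runs the CLI command."""
    params, method = xmlrpc.client.loads(body)
    return method, params[0]


def parse_response(body):
    """Return the string carried by a <methodResponse>; a <fault> is reported
    as text rather than raised."""
    try:
        params, _ = xmlrpc.client.loads(body)
        return params[0]
    except xmlrpc.client.Fault as fault:
        return f"fault {fault.faultCode}: {fault.faultString}"


# Constructed copy of the success response the guide shows.
SUCCESS_RESPONSE = """<?xml version='1.0'?>
<methodResponse>
<params>
<param>
<value><string>xmlrpc command successful</string></value>
</param>
</params>
</methodResponse>
"""

if __name__ == "__main__":
    request = http_request(build_slb_real_call("****", "fortibalancer", "10.1.1.1"))
    print(request.decode())
    print(parse_response(SUCCESS_RESPONSE))
```

The struct preserves member order, so enable_passwd is emitted first exactly as in the guide's message; a "show" command's output would arrive in the same <string> slot that carries "xmlrpc command successful" here.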

19.1.2.2.11 Remote Management

The Remote Management feature of the FortiBalancer appliance allows administrators to access remote devices via Telnet & SSH.

To use the Telnet feature on the FortiBalancer appliance, users can execute the command “telnet "host port"” as follows:

FortiBalancer#telnet "'172.16.2.182 -4'"
Trying 172.16.2.182...
Connected to 172.16.2.182 -4.
Escape character is '^]'.
Trying SRA secure login: User (root): admin
Password:
[ SRA accepts you ]................succeed

To use the SSH feature on the FortiBalancer appliance, users can execute the command “ssh remote "user@hostname"” as follows:

FortiBalancer#ssh remote "root@172.16.85.240"
root@172.16.85.240's password:
Linux libh-server1 2.6.32-22-generic #33-Ubuntu SMP Wed Apr 28 13:27:30 UTC 2010 i686 GNU/Linux

Welcome to Ylmf_OS!
* Information:  http://www.ylmf.com/

0 packages can be updated.
0 updates are security updates.

Last login: Wed Apr 20 00:39:35 2011 from 10.3.46.1
root@libh-server1:~#

19.1.2.2.12 FortiBalancer Flight Deck

The FortiBalancer appliance monitors a variety of useful statistics that provide a good indication of performance, user and network activity. The FortiBalancer appliance provides a graphical interface that can be used to easily monitor various statistics and get a comprehensive picture of the status of the FortiBalancer appliance. This graphical interface is called the Flight Deck.

The Flight Deck is an additional pop-up browser window that, once set, can display a wide range of real-time network operational data. Across the top of the browser window, you will find readouts concerning server health, request rate, cache hits and system usage. On the left side of the window, you will find readings for the TCP, HTTP and SSL connections. The three connection figures sum to the total used “TCP pcb” displayed in the output of the “show memory” command. Sometimes a pair of TCP connections is created for the same client request; for example, an SLB client request normally generates two connections, one from the client to the FortiBalancer appliance and the other from the FortiBalancer appliance to the server.

The central portion of the Flight Deck is occupied by two configurable graphs. Simply use the pull-down menu to choose the desired data you wish to track in the real time graphical output.

You can access the Flight Deck from the FortiBalancer appliance web UI by clicking the “Flight Deck” node at the bottom of the web UI Home configuration tree.

There are two drop-down menus above each graph. The first menu, called “Graph Type”, contains a list of the statistics that can be displayed in the graph. Note that the list is identical for each graph. The second menu, called “Interval”, controls the granularity of the time units shown on the horizontal axis of the graph, and how often the FortiBalancer appliance updates the graph. The default menu option is 5 seconds, which is also the smallest value that can be chosen. When the value is 5 seconds, the FortiBalancer appliance updates the graph display every 5 seconds, and the time is shown on the horizontal axis in multiples of 5.

For some statistics, it makes sense to use a smaller interval. For example, it might be useful to see how the number of packets processed by the FortiBalancer appliance varies in 30 sec. intervals. On the other hand, you may want to view some statistics over a wider interval. For example, you may want to look at how the number of concurrent sessions varies from hour to hour, to get a feel for when most of your end users are logging in.

It is important to note that in order to view any of the statistics in the graphs, you must enable SNMP. This can be done via the web UI from the “Graph SNMP Monitoring” page under the “Admin Tools” node. Some of the statistics also require additional configuration, which will be described below.

Note: For the sake of security, it is strongly recommended to modify the default SNMP community string to avoid possible system information interception.



Logging – FortiBalancer

Chapter 18 Logging

18.1 Overview

The logging mechanism used by the FortiBalancer appliance is Syslog compliant. System errors and HTTP access information during proxy operation are logged by using the logging subsystem. Syslog is a standard program for Unix, and there are also Syslog implementations for Windows. On the Unix platform, syslog is started by the syslogd daemon. The syslogd daemon takes charge of receiving and storing log messages from the local machine or from remote machines, and listens on UDP port 514. The FortiBalancer appliance supports three remote log servers.

18.2 Understanding Logging

18.2.1 Syslog

Syslog is a protocol that is used for the transmission of event notification messages across networks.

Syslog logging has eight valid levels of log message severity: emerg, alert, crit, err, warning, notice, info and debug. The supported facilities are LOCAL0 to LOCAL7. Users can view the internal log buffer, select the transport protocol, configure the syslog source and destination ports, and configure alerts on log message string matches.

18.2.2 RFC 5424 Syslog

RFC 5424 defines the standard format of syslogs. The FortiBalancer appliance supports the RFC 5424 syslog function. When the RFC 5424 syslog function is enabled, the system will generate system logs in the standard format defined by RFC 5424. The format is “<PRI>VER TIMESTAMP HOSTNAME APPNAME PROCID MSGID STRUCTURED-DATA MSG-CONTENT”. (The PROCID and STRUCTURED-DATA fields are not currently supported and are displayed as “-”.) By default, the RFC 5424 syslog function is disabled. The configuration of “log rfc5424 on” takes effect only when the system logging function has been enabled by using the “log on” command.

18.2.3 HTTP Access Logging

HTTP Access Logging is the logging of information about every HTTP request and its response in a specific predefined format.

HTTP Access Logging supports four standard formats: Combined, WELF (WebTrends Enhanced Log), Common and Squid. Users can also define their own logging format by using the “log http custom” command.

Note: The FortiBalancer appliance will record an HTTP access log only after the HTTP communication between the client and the Web server is completed successfully.

18.2.4 Log Filtering

Log filtering is designed to filter logs to different log servers by matching filter strings which are configured in the command “log filter”.

Log filtering in the OS allows administrators to collect only the logs that they are interested in, instead of having to capture all the logs. For example, the administrator of “www.site1.com” may want to collect only the HTTP access logs for “www.site1.com”. Knowing that those logs contain the keyword “site1.com”, the administrator can create a filter for a log definition that captures only the logs which match the keyword. The administrator will then have a log file which contains only the desired logs.

If multiple log filters are set on a syslog host, the logs matching one of the filter strings will go to the syslog host.

18.3 Logging Configuration

18.3.1 Configuration Guidelines

Table 18-1 General Settings of Logging

Operation: Enable the logging
  log {on|off}

Operation: Enable RFC 5424 Syslog
  log rfc5424 {on|off}

Operation: Configure the remote host
  log host <host_ip> [port] [udp|tcp] [host_id]

Operation: Set log filters
  log filter <host_id> <filter_id> <filter_string>

Operation: Set log level
  log level <level>

Operation: Change log facility
  log facility <facility>

Operation: Set HTTP access logging format
  log http {squid|common|combined|welf} [vip|novip] [host|nohost]
  log http custom <format>

18.3.2 Configuration Example via CLI

  • Step 1 Enable the logging function

The logging system is off by default.

FortiBalancer(config)#log on

  • Step 2 Enable the RFC 5424 Syslog function

FortiBalancer(config)#log rfc5424 on

  • Step 3 Set the remote host to which log messages will be sent

The remote host IP address must be specified in dotted IP format. The remote port is optional and the default value is 514. The transport protocol for the syslog messages can be either UDP or TCP, and the default is UDP. In our example, the host 10.2.37.1 is listening for log messages on UDP port 514.

FortiBalancer(config)#log host 10.2.37.1 514 udp 1

  • Step 4 Set log filters for the configured host

No more than 3 log filters can be set on one syslog host. A log filter cannot be set on the syslog host whose ID is 0 (it is configured by the “log host” command). After this command is executed, only the logs matching this filter string go to the syslog host.

FortiBalancer(config)#log filter 1 1 "index"

  • Step 5 Change the minimum log level at which messages will be logged

Once a log level is set, messages less severe than the configured level are dropped. The levels follow the standard syslog severities, from most to least severe: emerg, alert, crit, err, warning, notice, info, debug. After “log level err”, for example, warning, notice, info and debug messages are no longer logged. The default level is info.

FortiBalancer(config)#log level err

  • Step 6 Change the syslog facility

The default facility is LOCAL0.

FortiBalancer(config)#log facility LOCAL0

  • Step 7 Configure the HTTP access logging format

HTTP access information can be logged in one of the standard formats Squid, WELF, Common and Combined, or it can be logged in a custom format specified by the user.

FortiBalancer(config)#log http squid

  • Step 8 Generate a test log

You can run the command “log test” to generate an emerg-level log. Because emerg is the most severe level, the test message passes any configured log level and is a quick way to confirm that the remote host is receiving messages.

FortiBalancer(config)#log test

  • Step 9 View and clear logs

You can run the command “show log buff {forward|backward} [match_str]” to view logs in the log buffer. “backward” displays the most recently generated logs first and “forward” displays the oldest first; the optional “match_str” restricts the output to lines containing that string.

FortiBalancer(config)#show log buffer backward
start of buffer
<128>1 2012-07-17T06:35:26Z FortiBalancer - - 100021002 - Fortinet test message

The entry is in RFC 5424 format. The PRI value <128> encodes facility local0 (16 × 8 = 128) plus severity emerg (0), followed by the version (1), the timestamp, the hostname, the app-name and procid fields (both “-”, the nil value), the message ID 100021002, the structured-data field (“-”) and the message text.

You can run the command “clear log buff” to clear logs from the log buffer.

FortiBalancer(config)#clear log buffer
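To check what the collector on the other side of Steps 3 to 8 actually receives, it helps to parse the RFC 5424 line shown above and replay the level and filter rules against it. The following is an added example written for this page, not code from the FortiBalancer product: it decodes the PRI field into facility and severity, models “log level” (drop anything less severe than the threshold) and “log filter” (at most three substrings per host, OR-combined) and reports which messages a host would receive. The first sample line is the “log test” output from the manual; the other two are constructed for the example, and the assumption that a filter string is matched against the whole log line is the example’s own.

```python
import re
from dataclasses import dataclass
from typing import List

# RFC 5424 section 6.2.1: PRI = facility * 8 + severity.
FACILITIES = [
    "kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
    "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock",
    "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7",
]
# Index 0 is the most severe; the appliance's "log level" names use this order.
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# HEADER = PRI VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID, then
# STRUCTURED-DATA ("-" or one or more [..] elements), then an optional MSG.
_RFC5424 = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<version>\d+) (?P<ts>\S+) (?P<host>\S+) (?P<app>\S+) "
    r"(?P<procid>\S+) (?P<msgid>\S+) (?P<sd>-|(?:\[.*?\])+)(?: (?P<msg>.*))?$"
)


@dataclass
class SyslogMessage:
    facility: str
    severity: str
    version: int
    timestamp: str
    hostname: str
    appname: str
    procid: str
    msgid: str
    structured_data: str
    msg: str
    raw: str


def parse_rfc5424(line: str) -> SyslogMessage:
    """Parse one RFC 5424 line; raise ValueError on malformed input."""
    m = _RFC5424.match(line)
    if not m:
        raise ValueError(f"not an RFC 5424 message: {line!r}")
    pri = int(m["pri"])
    if pri > 191:  # local7 (23) * 8 + debug (7) is the largest legal PRI
        raise ValueError(f"PRI out of range: {pri}")
    return SyslogMessage(
        facility=FACILITIES[pri // 8], severity=SEVERITIES[pri % 8],
        version=int(m["version"]), timestamp=m["ts"], hostname=m["host"],
        appname=m["app"], procid=m["procid"], msgid=m["msgid"],
        structured_data=m["sd"], msg=m["msg"] or "", raw=line,
    )


def passes_level(message: SyslogMessage, level: str) -> bool:
    """Model 'log level <level>': keep messages at that severity or more severe.
    A lower index is more severe, so emerg (0) passes a threshold of err (3)."""
    return SEVERITIES.index(message.severity) <= SEVERITIES.index(level)


def matches_filters(message: SyslogMessage, filters: List[str]) -> bool:
    """Model 'log filter': no filters forwards everything; otherwise a message is
    forwarded if it contains any one filter string (OR). Assumption for this
    example: the substring test is applied to the whole line."""
    if len(filters) > 3:
        raise ValueError("at most 3 log filters per syslog host")
    return not filters or any(f in message.raw for f in filters)


def forwarded(lines: List[str], level: str, filters: List[str]) -> List[str]:
    """Return the MSGIDs a host configured with `level` and `filters` would receive."""
    kept = []
    for line in lines:
        message = parse_rfc5424(line)
        if passes_level(message, level) and matches_filters(message, filters):
            kept.append(message.msgid)
    return kept


# First line: the "log test" entry shown in the manual (PRI 128 = local0.emerg).
# Lines two and three are constructed for this example (PRI 134 = local0.info).
SAMPLE_LOGS = [
    "<128>1 2012-07-17T06:35:26Z FortiBalancer - - 100021002 - Fortinet test message",
    "<134>1 2012-07-17T06:36:01Z FortiBalancer - - 100021003 - constructed info message",
    "<134>1 2012-07-17T06:36:02Z FortiBalancer - - 100021004 - constructed access log GET /index.html",
]

if __name__ == "__main__":
    for line in SAMPLE_LOGS:
        m = parse_rfc5424(line)
        print(f"{m.facility}.{m.severity} msgid={m.msgid} msg={m.msg!r}")
    # Host from Steps 3-5: level err, filter "index" -> only emerg lines that
    # also contain "index" would arrive, which for these samples is none.
    print("level err, filter index:", forwarded(SAMPLE_LOGS, "err", ["index"]))
    print("level info, filter index:", forwarded(SAMPLE_LOGS, "info", ["index"]))
```

Running the sample through the Step 4 and Step 5 settings together shows a practical consequence of the two rules: with “log level err” and a filter of "index", an HTTP access log at info level never reaches the host, because the level check is applied independently of the filter.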


Having trouble configuring your Fortinet hardware or have some questions you need answered? Check Out The Fortinet Guru Youtube Channel! Want someone else to deal with it for you? Get some consulting from Fortinet GURU!

ePolicy – FortiBalancer

Chapter 17 ePolicy

17.1 Overview

ePolicy is a script-based function for extending the capabilities of the FortiBalancer appliance. Using scripts written in Tool Command Language (Tcl), you can add new features on top of the existing functions of the FortiBalancer appliance. For example, the appliance can be customized to support additional application protocols, to control IP application traffic precisely in both the incoming and outgoing directions, or to control access by specified clients to real services.

17.2 ePolicy Elements

The elements of ePolicy are as follows:

  • Event
  • Command
  • Command invocation rule

17.2.1 Event

ePolicy uses an event-driven and message-response mechanism. The FortiBalancer appliance defines an event for every action occurring in each Client-FortiBalancer-Server connection. When such an event occurs, the FortiBalancer appliance will process traffic according to preconfigured ePolicy commands.

17.2.2 Command

ePolicy uses commands to instruct the FortiBalancer appliance to process traffic after an event occurs, such as rewriting packet contents, selecting real servers, selecting groups, or querying whether a group has valid real servers.

17.2.3 Command Invocation Rule

Command invocation rules define the relationship between events and commands. Based on the command invocation rules, you can flexibly combine events and commands to intercept, inspect, convert, or redirect IP application traffic in both the incoming and outgoing directions. For detailed information on events, commands, and command invocation rules, contact Fortinet Customer Support for the related documents.

17.3 ePolicy Scripts

By functions, the scripts of ePolicy can be classified into the following:

  • Setting script: specifies the traffic type of a virtual service. The following table lists the setting scripts that are currently supported:

Table 17-1 Content of Setting Scripts

Traffic Type    Content of the Setting Script
HTTP            message::type http
Diameter        message::type binary
                binary_message::length_start_offset 1
                binary_message::length_end_offset 3
Generic TCP     message::type binary

  • Runtime script: specifies the action the FortiBalancer appliance takes for an event. The content of a runtime script is written to the actual requirement, based on the events, commands, and command invocation rules. For examples of runtime scripts, contact Customer Support for the related documents.


Advanced IPv6 Configuration – FortiBalancer

Chapter 16 Advanced IPv6 Configuration

16.1 Overview

As IPv4 addresses run out, transitioning from an IPv4 network to an IPv6 network has become a challenge for many enterprises and organizations.

The FortiBalancer appliance provides comprehensive IPv6 support to help enterprises and organizations make the IPv4-to-IPv6 transition without business interruption. With IPv4/IPv6 dual-stack support on FortiBalancer, IPv4 resources can be delivered to IPv6 users and vice versa, so IPv4-based and IPv6-based networks can be interconnected and communicate with each other. In addition, a FortiBalancer appliance in an IPv6 network delivers the same level of secure and efficient application delivery as it does in an IPv4 network.

This chapter introduces the functions and configuration of IPv6 SLB, DNS64/NAT64, DNS46/NAT46, IPv6 NAT and NDP.

