Chapter 19 System Management
19.1 Administrative Tools
19.1.1 Overview
This chapter will focus on various configuration maintenance elements, such as downloading new OS software, rebooting your FortiBalancer appliance, reverting your configuration to a previously saved status or returning the FortiBalancer appliance to its factory default settings among other closing strategies.
The final series of configuration options concerns the running operation of your FortiBalancer appliance and its relationship with the rest of the network architecture. The sub-folders revealed when you click the “Admin Tools” folder in the web UI allow you to set administrative passwords, perform configuration synchronization, set SNMP traps and define reboot strategies, among other operations. All of these features may also be configured via the CLI.
19.1.2 Administrative Tools Configuration
19.1.2.1 Configuration Guidelines
Table 19-1 General Settings of Administrative Tools
Operation | Command
Configuring External Authentication | admin aaa {on|off}
 | admin aaa method [radius|tac_x]
 | admin aaa server <server_id> <host_name|ip_address> <port> <secret>
System shutdown and reboot | system shutdown [halt|poweroff]
 | system reboot [interactive|noninteractive]
Configuration file maintenance | clear config file
 | clear config secondary
 | clear config primary
 | clear config all
 | clear config factorydefault
 | clear config timeout
 | write memory
 | write file <file_name>
 | write net tftp <ip_tftp> <file_name>
 | write net scp {remote_server_ip|name} <user_name> <config_file_name>
 | config memory
 | config net tftp <tftp_server_ip> <config_file_name>
 | config file <file_name>
Software upgrade | system update <url>
Configuration Synchronization | synconfig peer <peer_name> <peer_ip>
 | synconfig to <name>
 | synconfig from <name>
SDNS Synchronization | synconfig sdns peer <peer_name> <peer_ip>
 | synconfig sdns to <peer_name>
Monitoring | graph name <new_name>
 | graph rename <old_name> <new_name>
 | graph settings displaymode {nostack|stack} <graph_name>
 | graph item <graph_name> <module_name> <type> [service] <scale> <color> [order] [legend_string]
NTP | ntp {on|off}
 | ntp server <ip> [version]
 | show ntp
 | clear ntp
XML RPC | xmlrpc {on|off} [https|http]
 | xmlrpc port <port>
 | show xmlrpc
 | clear xmlrpc
Remote access | ssh remote "user@hostname"
 | telnet "host port"
19.1.2.2 Configuration Example via CLI
19.1.2.2.1 Configuring External Authentication
If you have an external authentication server (RADIUS/Tacacs), you may use these servers to authenticate the SSH/web UI logon request. The external authentication will be performed when the “admin aaa” command is set to ON and the logon user name does not exist in the FortiBalancer system.
FortiBalancer(config)#admin aaa on
FortiBalancer(config)#admin aaa method RADIUS
FortiBalancer(config)#admin aaa server es01 "10.1.1.1" 1812 radiussecret
FortiBalancer(config)#admin aaa server es02 radius_host 1812 radiussecret
19.1.2.2.2 System Maintenance
Simply enough, employing the “quit” command will allow you to exit the CLI. In the event you want to terminate all FortiBalancer appliance interactions with your network, you will need to use the “system shutdown” command.
FortiBalancer(config)#system shutdown
The FortiBalancer appliance will prompt you with an alert to verify the shutting down process. By entering “YES”, case sensitive, the FortiBalancer appliance will commence the shutting down operation. After a brief, 60-second period, users may turn off the appliance.
In some cases when dealing with configuration changes you might need to reboot the box.
FortiBalancer(config)#system reboot
19.1.2.2.3 Configuration File Maintenance
When working with configurations there may come a time that you want to experiment with a new configuration strategy, but not overwrite your known working configuration. The OS possesses several options for working with configurations files.
In general, you work with the running configuration and write it to disk by using the “write memory” command. You can also save the configuration to a file by using the “config file” command, on the FortiBalancer appliance. Finally, you may export and import the configuration by using TFTP.
To clear the running configuration on the FortiBalancer appliance:
FortiBalancer(config)#clear config all
Now the FortiBalancer appliance has been returned to its factory default settings.
When working with the “write memory” command, keep in mind that this is the configuration file that will be loaded when the FortiBalancer reboots. If you have made changes and want to clear the configuration currently running, use the “clear config” command.
At any point when you want to import a previously saved configuration, you will need to clear the current running configuration, as discussed earlier in this chapter. Once this is completed, you can import the new configuration. The FortiBalancer appliance lets you save configurations to three separate places: “memory”, which is the configuration the FortiBalancer appliance loads upon reboot; “file”, where the FortiBalancer appliance can store several different configurations; and “net”, which refers to saving a file to a remote location on the network. To save configuration files:
FortiBalancer(config)#write net tftp 10.10.0.3 default_config
To recall a previously saved configuration and merge it into the running parameters of the appliance:
FortiBalancer(config)#config memory
FortiBalancer(config)#config file new_lb
FortiBalancer(config)#config net tftp 10.10.0.3 default_config
When a configuration file is loaded while the appliance is running, it is merged with the running configuration, so you need to clear the appropriate part of the configuration on the FortiBalancer appliance before you load the file. For example, if you have 5 real servers defined and execute the “config net tftp 10.10.0.3 default_config” command with a configuration file that defines 5 real servers using the same real server names, you will get an error, because real server names must be unique.
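A pre-merge check for the caveat above, added here as an example; it is not part of the FortiBalancer product or its documentation. It reads the “slb real” lines (in the syntax this chapter quotes for the slb real command) from a copy of the running configuration and from the saved file, and reports every real server name the saved file would redefine, so those entries can be cleared before “config net tftp” or “config file” is run. The two configurations, the server names and addresses in them, and the quoting of names are constructed assumptions for the example.

```python
import re

# Constructed sample configurations, written in the "slb real" syntax quoted in
# this chapter: slb real <protocol> <name> <ip> [port] [maxconns] [hc_type] [hc_up] [hc_down].
# Names, addresses and the quoting of names are assumptions for the example.
RUNNING_CONFIG = """\
slb real http "web1" 10.1.1.11 80 1000 tcp 3 3
slb real http "web2" 10.1.1.12 80 1000 tcp 3 3
slb real https "web3" 10.1.1.13 443 1000 tcp 3 3
"""

SAVED_CONFIG = """\
slb real http "web1" 10.1.1.11 80 1000 tcp 3 3
slb real http "web2" 10.1.1.22 80 1000 tcp 3 3
slb real http "web4" 10.1.1.14 80 1000 tcp 3 3
"""

# protocol, optionally quoted name, ip, then the remaining optional fields
REAL_RE = re.compile(r'^slb real (\S+) "?([^"\s]+)"? (\S+)\s*(.*)$')


def real_servers(config_text):
    """Map each real-server name to its definition: (protocol, ip, remaining fields)."""
    servers = {}
    for line in config_text.splitlines():
        m = REAL_RE.match(line.strip())
        if m:
            protocol, name, ip, rest = m.groups()
            servers[name] = (protocol, ip, rest.strip())
    return servers


def merge_conflicts(running_text, saved_text):
    """Names the saved file would redefine when merged into the running config.

    The value says whether the two definitions are identical or differ, so the
    administrator knows which entries must be cleared before the file is loaded.
    """
    running = real_servers(running_text)
    saved = real_servers(saved_text)
    return {
        name: "identical" if running[name] == saved[name] else "differs"
        for name in sorted(running.keys() & saved.keys())
    }


if __name__ == "__main__":
    for name, status in merge_conflicts(RUNNING_CONFIG, SAVED_CONFIG).items():
        print(f"real server {name!r} already exists in the running config ({status})")
```

Run against a saved copy of “show running” output (or a file retrieved with “write net tftp”) and the file you intend to load; an empty result means the merge will not hit the duplicate-name error for real servers.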
19.1.2.2.4 Software Upgrade Procedure
To see the current version of the OS software that is running, use the “show version” command.
FortiBalancer(config)#show version
FortiBalancerOS Rel.TM.8.4.0.1 build on Mon Mar 18 18:12:09 2013
Host name          : FortiBalancer
System CPU         : Intel(R) Core(TM)2 Quad CPU
System RAM         : 3842964 kbytes.
System boot time   : Mon Mar 18 19:10:19 GMT (+0000) 2013
Current time       : Tue Mar 19 19:54:09 GMT (+0000) 2013
System up time     : 1 day, 00:44
Platform Bld Date  : Mon Mar 18 18:12:09 CST 2013
SSL HW             : HW ( 1X16C ) Initialized
Compression HW     : No HW Available
Power supply       : 2U, AC, 2-cords, Redundancy
Network Interface  : 4 x Gigabit Ethernet copper
Model              : FortiBalancer 2000
Serial Number      : 0437A3345200010003011044316464
Licensed Features  : WebWall Clustering L4SLB L7SLB Caching SSL tProxy AppGateway SwCompression LLB GSLB QoS MultiLang DynRoute FFO REDUNDANT IPv6
License Key        : f1bd6e06-d29016c1-c053e5eb-00d27cb7-d3f75a85-00000000-05d5d9ab-99999999
Fortinet Customer Support
Update             : please contact support for instructions
Website            : http://www.fortinet.com
Other Root Version Rel.FBLOS.8.3.2.3 build on Fri Feb 22 17:35:11 2013
To upgrade to a newer release there are several steps to take.
First, contact Customer Support to gain access to the software and documentation repository.
Contact your customer support representative or send email to: support@fortinet.com
Once you have received a password and verified with a customer support engineer that the OS needs an upgrade, you can download the software image from the Fortinet website. You should download the image to either a local Web server or an anonymous FTP server.
It is recommended that you use the serial console to upgrade the OS. Once you have a console connection, you can upgrade the appliance with the “system update” command. The upgrade procedure currently supports two methods: HTTP or FTP. The commands are identical except for the URL.
For example, use the command to upgrade the appliance from 192.168.10.10:
FortiBalancer(config)#system update http://192.168.10.10/FortiOS_rel_FBL_8_4_0_1.fn
This will upgrade your system from http://192.168.10.10/FortiOS_rel_FBL_8_4_0_1.fn
Power outages or other systems failures may corrupt the system.
It is highly recommended that you save your configuration on an external system prior to upgrading or downgrading.
Any configuration changes that have not been "saved" will be lost.
After a successful patch the system will be rebooted.
Fortinet, Inc.
Type "YES" to confirm upgrade: YES
Note: If you use a DNS name, as in “system update http://s5.sj.example.com”, make sure that name resolution is correctly set up on the FortiBalancer appliance: use the “ip nameserver” command to define the DNS server that resolves the “s5” host, or use the “ip host” command to define the IP address of the “s5” host locally. Otherwise you will get an error when you try to download the software image.
The OS will then shut down all load balancing features, download the software image, verify that the software was produced by Fortinet, and then install it. If there is any problem with the software image, the CLI will abort the upgrade and display a prompt on the screen. Otherwise you should get a prompt on the console stating that the upgrade was successful, and the FortiBalancer appliance will reboot. After the reboot, use the “show version” command to verify that the upgrade succeeded.
Caution:
- If executing this command via an SSH connection and if the connection is lost during update procedure, the FortiBalancer appliance will not be able to complete the update process.
- Do not disconnect the connections to the FortiBalancer appliance during the system updating process.
Software Licenses
Some software features of the FortiBalancer appliance may be under software license key control. If you need these software features, please contact customer support (https://support.fortinet.com) to obtain a new license key.
19.1.2.2.5 Configuration Synchronization
The Configuration Synchronization feature of the FortiBalancer appliance allows administrators to transfer configuration information from one FortiBalancer appliance to other FortiBalancer appliances within the same network, using a set of commands for managing and configuring the boxes. By using configuration synchronization, you can quickly set up an Active-Standby configuration. The rest of this section covers how to use this feature.
Note: Synconfig commands are executed via SSH, therefore SSH must be enabled.
- Step 1 Configure configuration synchronization on FortiBalancer1
FortiBalancer1(config)#synconfig peer FortiBalancer1 192.168.1.1
FortiBalancer1(config)#synconfig to FortiBalancer2
- Step 2 Configure configuration synchronization on FortiBalancer2
FortiBalancer2(config)#synconfig peer FortiBalancer1 192.168.1.1
FortiBalancer2(config)#synconfig peer FortiBalancer2 192.168.1.2
FortiBalancer2(config)#synconfig from FortiBalancer1
Note: If WebWall is turned on for the interface which the “synconfig” command uses to synchronize with peer, you need to add the corresponding accesslist rules to allow the traffic to come in through SSH port 22 on both FortiBalancer machines (FortiBalancer appliance and the sync peer).
19.1.2.2.6 SDNS Configuration Synchronization
Administrators can synchronize SDNS configurations and BIND9 zone files except SDNS member configurations from a local FortiBalancer appliance to remote peers.
In the following example, SDNS configurations and BIND9 zone files, except SDNS member configurations, on FortiBalancer1 are synchronized to the remote FortiBalancer2.
- Step 1 Configure SDNS configuration synchronization on FortiBalancer1
FortiBalancer1(config)#synconfig sdns peer peerlocal 172.16.83.180
FortiBalancer1(config)#synconfig sdns peer peerremote 172.16.83.120
- Step 2 Start SDNS configuration synchronization from FortiBalancer1 to FortiBalancer2
FortiBalancer1(config)#synconfig sdns to peerremote
19.1.2.2.7 Monitoring
The FortiBalancer appliance allows the administrator to view a wide range of pertinent network data through a series of pre-designed and custom (administrator defined) graphs.
- Step 1 Establish custom graph items
FortiBalancer(config)#graph name aa
FortiBalancer(config)#graph rename aa bb
FortiBalancer(config)#graph settings displaymode stack bb
FortiBalancer(config)#graph item bb “System” “CPU Utilization” “1” “red” “2”
19.1.2.2.8 Component Update
Component update allows for the update of many components on the FortiBalancer appliances without requiring a reboot. The effect of the component update is instantaneous. Any number of component patches can be applied to the FortiBalancer appliances. However, only the most recent component update can be reverted. The list of patches applied using component update is visible in the output of “show version” command.
Component patches can only be generated by Fortinet. These are in the same “.click” format as the regular OS updates, but they are much smaller in size.
19.1.2.2.9 NTP Time Synchronizer
The Network Time Protocol (NTP) time synchronizer enables the FortiBalancer appliance to synchronize the system time with the specified NTP server.
After the NTP time synchronizer is enabled, the FortiBalancer appliance will automatically synchronize the system time with the specified NTP server at the interval of about 15 minutes.
Attention:
- It is recommended that you reduce the time difference between the system time of the FortiBalancer appliance and the time of the NTP server to less than 1000 s before enabling the NTP time synchronizer.
- Do not change the system time of the FortiBalancer appliance after enabling the NTP time synchronizer.
The FortiBalancer appliance should be used as an NTP client rather than as an NTP server.
If multiple NTP servers are configured, the FortiBalancer appliance calculates the round-trip delay from the time information in the response packet from each NTP server, and synchronizes its system time with the NTP server with the minimum delay.
- Step 1 Configure an NTP server
FortiBalancer1(config)#ntp server 207.46.197.32 4
- Step 2 Turn on the NTP time synchronizer
FortiBalancer1(config)#ntp on
Users also can use the command “show ntp” to view the current NTP configuration.
FortiBalancer1(config)#show ntp
ntp server 207.46.197.32 4
ntp on
time since restart: 1481
time since reset: 1481
packets received: 21
packets processed: 0
current version: 0
previous version: 0
bad version: 0
access denied: 0
bad length or format: 0
bad authentication: 0
rate exceeded: 0
The following explains the items in the output:
Item | Description
Time since restart | The time in hours since the system was last rebooted.
Time since reset | The time since the statistics were reset and the system statistics monitoring file was updated. This is designed for busy servers, such as those operated by NIST and USNO, and is intended as an early warning detector of clogging attacks.
Packets received | The total number of packets received.
Packets processed | The number of packets received in response to previous packets sent.
Current version | The number of packets matching the current NTP version.
Previous version | The number of packets matching the previous NTP version.
Bad version | The number of packets matching neither NTP version.
Access denied | The number of packets denied access for any reason.
Bad length or format | The number of packets with an invalid length, format or port number.
Bad authentication | The number of packets not verified as authentic.
Rate exceeded | The number of packets discarded due to rate limitation.
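A parser for the “show ntp” output, added here as an example; it is not part of the FortiBalancer software or its documentation. It extracts the configured servers, the on/off state and the counters explained above, and lists the conditions an administrator would follow up on, treating the counters the section describes as rejected or discarded packets (bad version, access denied, bad length or format, bad authentication, rate exceeded) as watch items. The sample output is constructed from the listing above; the function names parse_show_ntp and ntp_findings are this example's own.

```python
import re

# Constructed sample, modelled on the "show ntp" output shown in this section.
SAMPLE_SHOW_NTP = """\
ntp server 207.46.197.32 4
ntp on
time since restart: 1481
time since reset: 1481
packets received: 21
packets processed: 0
current version: 0
previous version: 0
bad version: 0
access denied: 0
bad length or format: 0
bad authentication: 0
rate exceeded: 0
"""

# Counters this section describes as rejected or discarded packets; a non-zero
# or growing value is worth a look.
REJECT_COUNTERS = ("bad version", "access denied", "bad length or format",
                   "bad authentication", "rate exceeded")

SERVER_RE = re.compile(r"^ntp server (\S+)(?: (\d+))?$")
STAT_RE = re.compile(r"^([a-z ]+): (\d+)$")


def parse_show_ntp(text):
    """Return {'enabled': bool, 'servers': [(ip, version)], 'stats': {name: int}}."""
    state = {"enabled": False, "servers": [], "stats": {}}
    for raw in text.splitlines():
        line = raw.strip()
        if line in ("ntp on", "ntp off"):
            state["enabled"] = (line == "ntp on")
            continue
        m = SERVER_RE.match(line)
        if m:
            version = int(m.group(2)) if m.group(2) else None
            state["servers"].append((m.group(1), version))
            continue
        m = STAT_RE.match(line)
        if m:
            state["stats"][m.group(1)] = int(m.group(2))
    return state


def ntp_findings(state):
    """List the conditions an administrator would want to follow up on."""
    findings = []
    stats = state["stats"]
    if not state["enabled"]:
        findings.append("NTP time synchronizer is off")
    if not state["servers"]:
        findings.append("no NTP server configured")
    received = stats.get("packets received", 0)
    processed = stats.get("packets processed", 0)
    if received > 0 and processed == 0:
        # packets arrived, but none counted as responses to our own requests
        findings.append(f"{received} packets received but none processed as responses")
    for name in REJECT_COUNTERS:
        if stats.get(name, 0) > 0:
            findings.append(f"{name}: {stats[name]} packets")
    return findings


if __name__ == "__main__":
    for finding in ntp_findings(parse_show_ntp(SAMPLE_SHOW_NTP)):
        print(finding)
```

Feed it the text captured from a periodic “show ntp” and compare successive runs: a counter that keeps growing between samples, not just a non-zero snapshot, is the signal to investigate.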
19.1.2.2.10 XML RPC
XML RPC allows clients to run some CLI commands remotely in the OS. This enables system programmers to automate remote configuration, which is difficult with the web UI.
XML RPC is a Remote Procedure Call protocol that works over the Internet, using HTTP as the transport and XML as the encoding.
As shown in the figure below, the client sends an HTTP POST request to the FortiBalancer appliance. The XML RPC message is the body of the HTTP request, and it specifies the commands to run and their parameters. The FortiBalancer appliance then decodes the XML RPC message and executes the called commands. Finally, it returns the results, formatted in XML, to the client.
Figure 19-1 XML RPC Working Mechanism
To communicate between the client and the FortiBalancer appliance, a Perl script called fortibalancer_xmlrpc.pl MUST first be executed on the client. The command to execute the script is:
fortibalancer_xmlrpc.pl -d <address> -p <port> -f <data_file>
In this command, <address> specifies the FortiBalancer IP address, <port> specifies the port on which the HTTP server is listening, and <data_file> specifies the full path and file name of the XML RPC message.
An XML RPC message is formatted in XML and contains a <methodCall> tag in which <methodName> and <params> tags are embedded.
The following is an HTTP POST Request whose body is an XML RPC message:
POST /cgi-bin/xmlrpc_server HTTP/1.1
Content-Type: text/xml
Content-Length: xxx

<?xml version='1.0' ?>
<methodCall>
<methodName>slb_real</methodName>
<params>
<param>
<value>
<struct>
<member>
<name>enable_passwd</name>
<value>
<string>****</string>
</value>
</member>
<member>
<name>protocol</name>
<value>
<string>http</string>
</value>
</member>
<member>
<name>name</name>
<value>
<string>fortibalancer</string>
</value>
</member>
<member>
<name>ip</name>
<value>
<string>10.1.1.1</string>
</value>
</member>
<member>
<name>port</name>
<value>
<int>80</int>
</value>
</member>
<member>
<name>maxconns</name>
<value>
<int>1000</int>
</value>
</member>
<member>
<name>hctype</name>
<value>
<string>tcp</string>
</value>
</member>
<member>
<name>hcup</name>
<value>
<int>1</int>
</value>
</member>
<member>
<name>hcdown</name>
<value>
<int>1</int>
</value>
</member>
</struct>
</value>
</param>
</params>
</methodCall>
In this example, the first three lines (as below) constitute the HTTP Request Header, and the remaining part HTTP Request body.
POST /cgi-bin/xmlrpc_server HTTP/1.1
Content-Type: text/xml
Content-Length: xxx
In the first three lines of the XML RPC message (as below), “slb_real” is the XML RPC method of the called command “slb real <protocol> <name> <ip> [port] [maxconns] [hc_type] [hc_up] [hc_down]”. The XML RPC method is embedded in a <methodName> tag. (Please refer to Appendix III, in which all XML RPC methods supported by FortiBalancer are listed.)
<?xml version='1.0' ?>
<methodCall>
<methodName>slb_real</methodName>
The following part specifies the Enable mode and its password, indicating that the user will log in to Enable mode. “enable_passwd” is the keyword, and the actual password value is embedded in a <string> tag. The Enable password is included in every XML RPC message.
<member>
<name>enable_passwd</name>
<value>
<string>****</string>
</value>
</member>
This portion (as below) specifies the “protocol” parameter of the called “slb_real” method. “protocol” is the keyword, whose value is embedded in a <string> tag.
<member>
<name>protocol</name>
<value>
<string>http</string>
</value>
</member>
In this example, the parameters of the “slb_real” method include protocol, name, ip, port, maxconns, hctype, hcup and hcdown. Protocol, name and ip are required, while port, maxconns, hctype, hcup and hcdown are optional.
Note: In one HTTP Request, more than one XML RPC method can be called.
If the call is successful, FortiBalancer will return an HTTP Response formatted as follows:
<?xml version='1.0' ?>
<methodResponse>
<params>
<param>
<value>
<string>xmlrpc command successful</string>
</value>
</param>
</params>
</methodResponse>
If the called command is a “show” command, its output will be displayed in the place of “xmlrpc command successful”. If there is any error, the error is displayed.
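The request and response described above, built and parsed in Python as an added example; this is not the fortibalancer_xmlrpc.pl script or any code from the manual. It uses the standard xmlrpc.client module, which emits the same <methodCall>/<params>/<struct>/<member> layout as the listing, and it computes the Content-Length the listing leaves as “xxx”. The Host header, the assumption that the appliance accepts the members in this order, the sample response text, and the names build_xmlrpc_request and parse_xmlrpc_response are this example's, not the product's. Since the Enable password travels in every message, the transport that protects it is the HTTPS option of the XML RPC on/off command in Table 19-1.

```python
import xmlrpc.client

# Constructed values for the example; "****" stands in for the real Enable
# password, exactly as in the manual's sample message.
ENABLE_PASSWD = "****"
SLB_REAL_PARAMS = {
    "protocol": "http",
    "name": "fortibalancer",
    "ip": "10.1.1.1",
    "port": 80,
    "maxconns": 1000,
    "hctype": "tcp",
    "hcup": 1,
    "hcdown": 1,
}

# Constructed response, shaped like the success response shown in this section.
SAMPLE_RESPONSE = """<?xml version='1.0' ?>
<methodResponse>
<params>
<param>
<value>
<string>xmlrpc command successful</string>
</value>
</param>
</params>
</methodResponse>
"""


def build_xmlrpc_request(method, params, enable_passwd, host,
                         path="/cgi-bin/xmlrpc_server"):
    """Return (header_bytes, body_bytes) for one call in the manual's message shape.

    The single <param> is a <struct> whose first <member> is enable_passwd,
    followed by one <member> per keyword; ints become <int>, strings <string>.
    The member order and the Host header are assumptions of this example.
    """
    struct = {"enable_passwd": enable_passwd}
    struct.update(params)
    body = xmlrpc.client.dumps((struct,), methodname=method).encode("utf-8")
    headers = (
        f"POST {path} HTTP/1.1\r\n"
        f"Host: {host}\r\n"
        "Content-Type: text/xml\r\n"
        f"Content-Length: {len(body)}\r\n"   # real length, not the listing's "xxx"
        "\r\n"
    ).encode("ascii")
    return headers, body


def parse_xmlrpc_response(xml_text):
    """Return the string carried by a <methodResponse>; raises xmlrpc.client.Fault on a fault."""
    values, _method = xmlrpc.client.loads(xml_text)
    return values[0]


if __name__ == "__main__":
    hdr, body = build_xmlrpc_request("slb_real", SLB_REAL_PARAMS, ENABLE_PASSWD, "10.1.1.1")
    print(hdr.decode() + body.decode())
    print(parse_xmlrpc_response(SAMPLE_RESPONSE))
```

The body that build_xmlrpc_request produces can be written to a file and passed as the <data_file> of fortibalancer_xmlrpc.pl; the headers are shown so the Content-Length computation is visible. For a “show” command the returned string is the command output rather than “xmlrpc command successful”, which parse_xmlrpc_response returns unchanged.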
To configure the XML RPC function on FortiBalancer, you need to run two commands:
- Step 1 Turn on XML RPC
FortiBalancer1(config)#xml on https
- Step 2 Set the port for XML RPC to listen
FortiBalancer1(config)#xml port 9999
19.1.2.2.11 Remote Management
The Remote Management feature of the FortiBalancer appliance allows administrators to access remote devices via Telnet & SSH.
To use the Telnet feature on the FortiBalancer appliance, users can execute the command “telnet “host port”” as follows:
FortiBalancer#telnet "'172.16.2.182 -4'"
Trying 172.16.2.182...
Connected to 172.16.2.182 -4.
Escape character is '^]'.
Trying SRA secure login:
User (root): admin
Password:
[ SRA accepts you ]................succeed
To use the SSH feature on the FortiBalancer appliance, users can execute the command “ssh remote “user@hostname”” as follows:
FortiBalancer#ssh remote "root@172.16.85.240"
root@172.16.85.240's password:
Linux libh-server1 2.6.32-22-generic #33-Ubuntu SMP Wed Apr 28 13:27:30 UTC 2010 i686 GNU/Linux
Welcome to Ylmf_OS!
* Information: http://www.ylmf.com/
0 packages can be updated.
0 updates are security updates.
Last login: Wed Apr 20 00:39:35 2011 from 10.3.46.1
root@libh-server1:~#
19.1.2.2.12 FortiBalancer Flight Deck
The FortiBalancer appliance monitors a variety of useful statistics that provide a good indication of performance, user and network activity. The FortiBalancer appliance provides a graphical interface that can be used to easily monitor various statistics and get a comprehensive picture of the status of the FortiBalancer appliance. This graphical interface is called the Flight Deck.
The Flight Deck is an additional pop-up browser window that, once set, can display a wide range of real-time network operational data. Across the top of the browser window, you will find readouts concerning server health, request rate, cache hits and system usage. On the left side of the window, you will find readings for the TCP, HTTP and SSL connections. The three connection figures sum to the total used “TCP pcb” displayed in the output of the “show memory” command. Sometimes a pair of TCP connections is created for the same client request; for example, an SLB client request normally generates two connections, one from the client to the FortiBalancer appliance and the other from the FortiBalancer appliance to the server.
The central portion of the Flight Deck is occupied by two configurable graphs. Simply use the pull-down menu to choose the desired data you wish to track in the real time graphical output.
You can access the Flight Deck from the FortiBalancer appliance web UI by clicking the “Flight Deck” node at the bottom of the web UI Home configuration tree.
There are two drop-down menus above each graph. The first, called “Graph Type”, contains a list of the statistics that can be displayed in the graph; the list is identical for each graph. The second, called “Interval”, controls the granularity of the time units shown on the horizontal axis of the graph and how often the FortiBalancer appliance updates the graph. The default option is 5 seconds, which is also the smallest value that can be chosen. When the value is 5 seconds, the FortiBalancer appliance updates the graph display every 5 seconds, and the time is shown on the horizontal axis in multiples of 5.
For some statistics, it makes sense to use a smaller interval. For example, it might be useful to see how the number of packets processed by the FortiBalancer appliance varies in 30 sec. intervals. On the other hand, you may want to view some statistics over a wider interval. For example, you may want to look at how the number of concurrent sessions varies from hour to hour, to get a feel for when most of your end users are logging in.
It is important to note that in order to view any of the statistics in the graphs, you must enable SNMP. This can be done via the web UI from the “Graph SNMP Monitoring” page under the “Admin Tools” node. Some of the statistics also require additional configuration, which is described below.
Note: For the sake of security, it is strongly recommended to modify the default SNMP community string to avoid possible system information interception.