Tag Archives: fortibalancer administration guide

Advanced IPv6 Configuration – FortiBalancer

Chapter 16 Advanced IPv6 Configuration

16.1 Overview

As the IPv4 addresses exhaust, how to transit from the IPv4 network to the IPv6 network becomes a challenge for many enterprises and organizations.

The FortiBalancer appliance provides comprehensive support for IPv6 to help enterprises and organizations with the IPv4-to-IPv6 transition without any business interruption. With the IPv4/IPv6 dual stack support on FortiBalancer, the IPv4 resources can be delivered to the IPv6 users, and vice versa. As a result, the IPv4-based and IPv6-based networks can be easily interconnected and intercommunicated. What’s more, the FortiBalancer appliance in the IPv6 network can achieve the same level of secure and efficient application delivery as it does in the IPv4 network.

This chapter will introduce functions and configurations about IPv6 SLB, DNS64/NAT64, DNS46/NAT46, IPv6 NAT and NDP.

Access Control – FortiBalancer

Chapter 15 Access Control

15.1 WebWall

15.1.1 Overview

The WebWall functionality of the FortiBalancer appliance allows you to create permit/deny rules to filter packets passing through your network infrastructure. The WebWall supports the filtering of TCP, UDP and ICMP packets that are using the IPv4 or IPv6 address. To use access lists you will define these “permit” and “deny” rules and apply them to access groups. Once the access lists are configured, you may apply or bind the group to an interface within the network.

The steps for basic WebWall configurations are explained in this section, along with some advanced features and general knowledge of how WebWall works. For the OS, the WebWall feature can independently control each interface.

WebWall permits TCP and UDP health check traffic, but cannot permit ICMP health check traffic automatically.

15.1.2 Understanding WebWall

WebWall is a full-fledged stateful Firewall. It bridges the gap between speed and security. The FortiBalancer appliance houses and integrates the WebWall feature into a single platform, along with many of other features such as Layer 4-7 load balancing, caching, SSL acceleration, authentication and authorization.

 

Figure 15-1 WebWall

WebWall contains several security mechanisms to protect Web servers from attack, including:

  • ACL (Access Control List) filtering
  • Protection against Syn-Flood, Fragmentation and DoS (Denial Of Service) attacks
  • Stateful packet inspection
  • Single packet attack prevention

ACL Filtering provides tight control over who may and may not enter the network by utilizing FortiBalancer’s ultra-fast rules engine. WebWall access control list filtering mechanism ensures virtually no performance loss with up to 1,000 ACL rules, while never consuming more than one percent of OS capability.

In addition to ACL filtering, the WebWall provides stateful packet inspection and protects against Syn-Flood, fragmentation, DoS and single packet attacks.

The WebWall is a default-deny firewall. Default-Deny refers to the notion that if you do not have any permit rules in your access control lists, no packets will be allowed to pass through the appliance. During the initial installation of the box it might be helpful to leave the WebWall in the off or disengaged state until your total configuration is complete.

Note: By default the WebWall is turned off. The WebWall function will remain disabled until it is activated via the “webwall on” command.

15.1.3 WebWall Configuration

15.1.3.1 Configuration Guidelines

Let’s start with the basic step for configuring the WebWall. To better assist you with configuration strategies that maximize the power of the FortiBalancer appliance, please take a moment to familiarize yourself with basic network architecture.

 

Figure 15-2 WebWall Configuration

Then we must define what we want to deny and permit. Since “example.com” is a relatively small site, let’s begin with the following:

  • Permit port 80 to our VIP (10.10.0.10).
  • Permit port 22 to the Management IP of the FortiBalancer appliance (for SSH access).
  • Permit port 8888 to the Management IP of the FortiBalancer appliance for web UI access.
  • Deny network 10.10.20.0/255.255.255.0, since that network has been abusing its privileges.
  • Allow all inside hosts to ping the IP address of the interface “port2” (inside interface). Initially we will define our access groups as follows:
  • 50 All miscellaneous rules
  • 100 All Management IP related rules
  • 150 All VIP (Virtual IP) related rules

Table 15-1 General Settings of WebWall

Operation Command
Configure access group accessgroup <accesslist_id> <interface>
Configure ACL

rules

accesslist permit icmp echoreply <source_ip> <source_mask|source_prefix> <destination_ip> <destination_mask|destination_prefix> <accesslist_id> accesslist permit icmp echorequest <source_ip>

<source_mask|source_prefix> <destination_ip> <destination_mask|destination_prefix> <accesslist_id>

accesslist permit tcp <source_ip> <source_mask|source_prefix> <source_port> <destination_ip> <destination_mask|destination_prefix>

<destination_port> <accesslist_id> accesslist permit udp <source_ip> <source_mask|source_prefix> <source_port> <destination_ip> <destination_mask|destination_prefix>

<destination_port> <accesslist_id> accesslist permit esp <source_ip> <source_mask|source_prefix> <destination_ip> <destination_mask|destination_prefix> <accesslist_id> accesslist permit ah <source_ip> <source_mask|source_prefix>

<destination_ip> <destination_mask|destination_prefix> <accesslist_id> accesslist deny icmp echoreply <source_ip> <source_mask|source_prefix> <destination_ip> <destination_mask|destination_prefix> <accesslist_id> accesslist deny icmp echorequest <source_ip> <source_mask|source_prefix> <destination_ip> <destination_mask|destination_prefix> <accesslist_id> accesslist deny tcp <source_ip> <source_mask|source_prefix>

<source_port> <destination_ip> <destination_mask|destination_prefix>

<destination_port> <accesslist_id> accesslist deny udp <source_ip> <source_mask|source_prefix>

<source_port> <destination_ip> <destination_mask|destination_prefix>

<destination_port> <accesslist_id>

accesslist deny esp <source_ip> <source_mask|source_prefix>

<destination_ip> <destination_mask|destination_prefix> <accesslist_id> accesslist deny ah <source_ip> <source_mask|source_prefix>

<destination_ip> <destination_mask|destination_prefix> <accesslist_id>

Enable/Disable WebWall webwall <interface> on [mode] webwall <interface > off
View WebWall configurations show interface show accesslist show accessgroup

15.1.3.2 Configuration Example via CLI

15.1.3.2.1 Configuring Access Groups

We may define any number of access groups and apply multiple groups to a designated interface via CLI. Pertaining to our example model, the command should be executed as such:

FortiBalancer(config)#accessgroup 100 port1

FortiBalancer(config)#accessgroup 150 port1

FortiBalancer(config)#accessgroup 50 port1

You might have noticed that we also have specified what interfaces these access groups will be applied to.

15.1.3.2.2 Configuring ACL Rules

Now we define the “permit” and “deny” rules based on these assumptions.

The first entry allows a single host with IP 10.10.10.30 to connect to the server using port 22:

FortiBalancer(config)#accesslist permit tcp 10.10.10.30 255.255.255.255 0 10.10.10.10 255.255.255.255 22 100

The second entry allows a C class subnet to connect to the server via port 8888.

FortiBalancer(config)#accesslist permit tcp 10.10.10.0 255.255.255.0 0 10.10.10.10 255.255.255.255 8888 100

The third allows any host to connect to the server using port 80.

FortiBalancer(config)#accesslist permit tcp 0.0.0.0 0.0.0.0 0 10.10.10.20 255.255.255.255 80

150

The first three rules are fairly straightforward, and they permit all TCP traffic to the destination IP/port specified and are tied to the access group (via the last argument to the command).

With the fourth entry, we are excluding one host from gaining access through the subnet. It is in access group 50 since it does not allow access to a specific destination IP. Logically the deny rule could fit into both access group 100 and 150, so for administrative ease we will make another group.

FortiBalancer(config)#accesslist deny tcp 10.10.10.33 255.255.255.255 0 10.10.10.10 255.255.255.255 0 50

The last two rules allow the inside hosts on the network to ping the “port2” interface when the WebWall function is on.

FortiBalancer(config)#accesslist permit icmp echorequest 192.168.10.0 255.255.255.0

192.168.10.1 255.255.255.255 50

FortiBalancer(config)#accesslist permit icmp echoreply 192.168.10.1 255.255.255.255 192.168.10.0 255.255.255.0 50

Note: The IP address is not an IP on the FortiBalancer appliance. It is the IP of the default gateway.

The priority of the command “accesslist deny” is higher than “accesslist permit”. If we configure

“permit” and “deny” rules for the port 22 to the Management IP of the FortiBalancer appliance (for SSH access) at the same time as follows:

FortiBalancer(config)#accesslist permit tcp 10.10.10.30 255.255.255.255 0 10.10.10.10 255.255.255.255 22 100

FortiBalancer(config)#accesslist deny tcp 10.10.10.30 255.255.255.255 0 10.10.10.10 255.255.255.255 22 100

When the administrators attempt to access the FortiBalancer appliance via the management IP through SSH, the access will be denied.

15.1.3.2.3 Configuring WebWall

At last once you complete the configuration of the other features of the FortiBalancer appliance, and you should turn the WebWall feature back on by issuing the command:

FortiBalancer(config)#webwall port2 on

FortiBalancer(config)#webwall port1 on

Notes:

  1. You should exercise with caution when adjusting the WebWall rules. It is possible to deny yourself from accessing the appliance if you are logged in remotely through SSH or the web UI and your session can be interrupted before configuration is completed.
  2. If you configure the DNS servers and have WebWall turned on for the destination interface through which the DNS requests/replies go, you need to add the corresponding accesslist rules to allow that traffic.
  3. If WebWall is turned on for the interface for which the “synconfig” command uses to synchronize with peer(s), you will need to add the corresponding accesslist rules to allow that traffic to come in through SSH port 22 on the Fortinet machines (FortiBalancer appliance and the sync peers).

15.1.3.3 Verification and Troubleshooting of the WebWall

After adding all the rules it is helpful to display the current lists and groups. To do this, employ the following commands.

FortiBalancer(config)#show accesslist

accesslist deny tcp 10.10.10.33 255.255.255.255 0 10.10.10.10 255.255.255.255 0 50 accesslist permit tcp 10.10.10.30 255.255.255.255 0 10.10.10.10 255.255.255.255 22 100 accesslist permit tcp 10.10.10.0 255.255.255.0 10.10.10.10 255.255.255.255 8888 100 accesslist permit tcp 0.0.0.0 0.0.0.0 0 10.10.10.20 255.255.255.255 80 150

accesslist permit icmp echorequest 10.10.10.0 255.255.255.0 10.10.10.10 255.255.255.255 50 accesslist permit icmp echoreply 0.0.0.0 0.0.0.0 10.10.10.10 255.255.255.255 50

 

FortiBalancer(config)#show accessgroup accessgroup 50 port1 accessgroup 100 port1 accessgroup 150 port1

If you run into problems with access lists, keep your configurations simple. With multiple access groups, you can apply them once at a time and see which access list is causing problems. Of course you can turn the WebWall completely off to determine if the WebWall itself is indeed causing the problem.

To check the status of the firewall use the “show interface” command:

FortiBalancer(config)#show interface

port1(port1): flags=8843<UP,BROADCAST,RUNNING,SIMPLEX> mtu 1500

inet 10.3.20.100 netmask 0xffff0000 broadcast 10.3.255.255         inet 10.3.20.56 netmask 0xffffffff broadcast 10.3.20.56         ether 00:30:48:82:81:7a

media: autoselect (100baseTX <full-duplex>)         status: active         webwall status: OFF         Hardware is i82547gi

Input queue: 435/512 (size/max)

total: 19376 packets, good: 19376 packets, 2053879 bytes                 broadcasts: 19130, multicasts: 2

11317 64 bytes, 4282 65-127 bytes,3242 128-255 bytes

522 255-511 bytes,13 512-1023 bytes,0 1024-1522 bytes

0 input errors

0 runts, 0 giants, 0 Jabbers, 0 CRCs

0 Flow Control, 0 Fragments, 0 Receive errors

0 Driver dropped, 0 Frame, 0 Lengths, 0 No Buffers

                0 overruns, Carrier extension errors: 0         Output queue: 0/512 (size/max)

total: 18444 packets, good:  18444 packets, 7182692 bytes                 broadcasts: 17, multicasts: 0

48 64 bytes, 6018 65-127 bytes,7512 128-255 bytes

785 255-511 bytes,1014 512-1023 bytes,3067 1024-1522 bytes

0 output errors

0 Collsions, 0 Late collisions, 0 Deferred

0 Single Collisions, 0 Multiple Collisions, 0 Excessive collsions

0 lost carrier, 0 WDT reset         packet drop (not permit): 0

tcp 0          udp 0          icmp 0          ah 0          esp 0         packet drop (deny): 0

tcp 0          udp 0          icmp 0          ah 0          esp 0

5 minute input rate 2160 bits/sec, 2 packets/sec

5 minute output rate 80 bits/sec, 0 packets/sec

port2(port2): flags=8843<UP,BROADCAST,RUNNING,SIMPLEX> mtu 1500

inet 10.4.20.100 netmask 0xffff0000 broadcast 10.4.255.255         ether 00:30:48:82:81:7b

media: autoselect (100baseTX <full-duplex>)         status: active         webwall status: OFF         Hardware is i82541gi

Input queue: 71/512 (size/max)

total: 38464 packets, good: 38464 packets, 9320519 bytes                 broadcasts: 18751, multicasts: 2

10779 64 bytes, 11545 65-127 bytes,10749 128-255 bytes

1305 255-511 bytes,1019 512-1023 bytes,3067 1024-1522 bytes

0 input errors

0 runts, 0 giants, 0 Jabbers, 0 CRCs

0 Flow Control, 0 Fragments, 0 Receive errors

0 Driver dropped, 0 Frame, 0 Lengths, 0 No Buffers

0 overruns, Carrier extension errors: 0         Output queue: 0/512 (size/max)

total: 2094 packets, good:  2094 packets, 207035 bytes                 broadcasts: 396, multicasts: 0

399 64 bytes, 1681 65-127 bytes,0 128-255 bytes

0 255-511 bytes,14 512-1023 bytes,0 1024-1522 bytes

0 output errors

0 Collsions, 0 Late collisions, 0 Deferred

0 Single Collisions, 0 Multiple Collisions, 0 Excessive collsions

0 lost carrier, 0 WDT reset         packet drop (not permit): 0

tcp 0          udp 0          icmp 0          ah 0          esp 0         packet drop (deny): 0

tcp 0          udp 0          icmp 0          ah 0          esp 0

5 minute input rate 2336 bits/sec, 3 packets/sec

5 minute output rate 224 bits/sec, 0 packets/sec

This command will also show if the interface is up and running and those IP addresses assigned to it. More detailed network information is also included, such as input queue and output queue information.

The following explains the terms and phrases used in the output:

  • Input queue size: the current occupied input.
  • Input queue max: the maximum items of input.
  • The numbers of different sizes: the counts of the packages of each size.
  • Runt: the number of received frames that have passed address filtering that are less than the minimum size (64 bytes from <Destination Address> through <CRC>, inclusively), and have a valid CRC.
  • Giant: the number of received frames with valid CRC field that have passed address filtering and are larger than the maximum size.
  • Jabber: the number of received frames that have passed address filtering that are greater than the maximum size and have a bad CRC. It may be the result of a bad NIC or electronic interfering.
  • CRC: the number of received packets with alignment errors.
  • Flow Control: the number of the received, unsupported flow control frames.
  • Fragments: the number of received frames that have passed address filtering, are less than the minimum size and have a bad CRC.
  • Frame: the number of received packets with alignment errors (the packet is not an integer number of bytes in length).
  • Lengths: the number of received length error events.
  • No Buffers: the number of times that frames are received when there are no available buffers in host memory to store those frames.
  • Overruns: the number of missed packets. Packets are missed when the received FIFO has insufficient space to store the incoming packets. This can be caused by too few allocated buffers, or insufficient bandwidth on the PCI bus.
  • Carrier extension errors: the number of received packets where the carrier extension error is signaled across the internal PHY interface.
  • Collisions: the total number of collisions that are not late collisions as seen by the transmitter.
  • Late collisions: late collisions are collisions that occur after 64-byte time into the transmission of the packet while working in 10-100 Mb/s data rate, and after 512-byte time into the transmission of the packet while working in the 1000 Mb/s data rate.
  • Deferred: a deferred event occurs when the transmitter cannot immediately send a packet because the medium is busy or another device is transmitting.
  • Single Collisions: the number of times that a successfully transmitted packet has encountered only one collision.
  • Multiple Collisions: the number of times that a successfully transmitted packet has encountered more than one collision but less than 16.
  • Excessive collisions: the number of times that 16 or more collisions have occurred on a packet.

Reverse Proxy Cache – FortiBalancer

Chapter 7 Reverse Proxy Cache

7.1 Overview

This chapter will cover the concepts and strategies of using the Reverse Proxy Cache to better enhance the overall speed and performance of your Web servers. Using the cache function will improve website performance and throughput, and will also reduce server load by caching heavily requested data in the temporary memory of the FortiBalancer appliance.

7.1 Understanding Reverse Proxy Cache

7.1.1 How Reverse Proxy Cache Works

The Reverse Proxy Cache is located right in front of Web servers. It receives the requests from clients all over the Internet and responds to these requests by working with the Web servers.

 

Figure 7-1 Reverse Proxy Cache Working Mechanism

  1. The client sends a request to the FortiBalancer appliance, requesting for a file on the Web server. The FortiBalancer appliance will forward the request to the cache module for processing.
  2. If the requested content has been cached on the FortiBalancer appliance and the cache does not expire (cache hit), the FortiBalancer appliance will send the file copy to the client directly without forwarding the request to the Web server. If the requested content does not exist in cache (cache miss), the request will be forwarded to the Web server for processing.
  3. The Web server responds to the FortiBalancer appliance with the requested content.
  4. The FortiBalancer appliance responds to the client with the requested content, and caches the content. Future requests for the same content will be responded directly from the FortiBalancer appliance cache module.

The default behavior of the cache is to send the cached object to the client while the cache is being filled with new objects.

The maximum size of the cache objects depends on different system memories of the FortiBalancer appliances. See the table below:

Table 7-1 Max Size of Cache Object

System Memory Max Size of Cache Object
4GB 10240KB (10MB)
8GB 20480KB (20MB)
16GB 40960KB (40MB)

 

7.1.2 Advantages of Reverse Proxy Cache

Compared with traditional cache functions, the Reverse Proxy Cache, without making any compromise on the overall stability and performance, provides a smarter, high-efficient and personalized configuration platform for administrators to more flexibly adjust the FortiBalancer appliances to addressing the demands of different websites. This helps administrators improves the response ability of the websites, reduces the load of Web servers and delivers perfect user experience of visiting the websites.

The Reverse Proxy Cache function is mainly featured with the following advantages: Ø Improved performance

  • The cache function is an independent module in the OS. Turning it off will not impact the functionality of other modules in the system.
  • The cache module strictly controls its memory consumption under 25% of the total system memory.
  • The ability to cache both the compressed and uncompressed contents allows the

FortiBalancer to send compressed contents to appropriate clients without having to involve the compression engine. This greatly enhances compression throughput.

Ø    Outstanding stability

  • If any error occurs to the cache module, administrators can turn off the module immediately, which will not affect the running of other system functions.
  • All cache tuning parameters now use the “cache filter” mechanism, and the global control parameters are reduced. This new approach gives administrators more flexibility and control and minimizes confusion during configuration.

Ø    Intelligent monitoring

Ÿ     The FortiBalancer process monitor also monitors the cache (in addition to the reverse proxy). If it detects any issues (or if the cache process crashes), it will restart the cache after appropriate cleanup.

Ø    Flexible configuration

  • Since the cache is a separate process, it can be updated in place using the “component update” mechanism.
  • The statistics from “show statistics cache” are more detailed and are designed to allow administrators to get data that would help them understand how the FortiBalancer is making caching decisions. This should help the customer tune the FortiBalancer or their website to optimize performance.
  • The “cache filter” mechanism reduces global control parameters, which increases the precision and flexibility of command control by administrators.
  • The cache can now be switched on/off on a per-virtual site basis.

7.1.3 Cacheability of Contents

The HTTP traffic falls into two categories: cacheable contents and non-cacheable contents. The cacheability of contents depends on the information within the HTTP headers. The reverse-proxy cache will check the request and response HTTP headers to make cache decisions. If the response for a request is cached, the subsequent request for the same object will be served from the cache instead of from a backend server.

By default, if there are no HTTP headers that restrict caching for an object, the reverse-proxy cache will cache the content. The following are the more popular cache-control headers that will control if the content will be cached and if so, for how long.

Cache-Control: public

The public keyword indicates that any available and configured cache may store the content. Cache-Control: private

This directive is intended for a single user and will not be cached by the reverse-proxy cache.

Cache-Control: no-cache

This directive lets the reverse-proxy cache know that it can cache the content and can only use the cached content if the appliance first re-validates the content with the origin server.

Expires: Tue, 30 Oct 2010 14:00:00 GMT

This header tells the cache when the content will expire and when to re-fetch it from an origin server when the request for that object is made. In this example it tells the cache to make the content expire on Tuesday, 30 Oct 2010 14:00:00 GMT.

7.1.3.1 Cacheable Contents

Any content with Cache-Control directives which allow caching of the content will always be cached. If the content does not contain a Cache-Control directive, then it will always be cached and will not be re-validated until it is manually flushed from the cache. If the content does not contain an “Expires” header, after it expires, the FortiBalancer appliance will re-validate the content with the origin server and update the content when it is requested next time.

7.1.3.2 Non-Cacheable Contents

Content that has Cache-Control headers which restrict caching of the content will not be cached. Responses to requests with cookies are not served from cache, unless configured by the user to do so.

7.1.4 Cache Filter

The Cache Filter mechanism helps administrators realize more precise control over the cache module with simple cache configurations, such as whether to cache the contents requested by a specific host or not and how long the cached content will live. The priority of the control parameters in cache filter is higher than the peer parameters defined in the Cache-Control header.

The following gives several application examples of cache filter. For detailed configuration examples, refer to the section Reverse Proxy Cache Configuration and the FortiBalancer CLI Reference.

  • Cache all “*.jpg” files from the host “www.xyz.com”, and the TTL of cache contents is 200,000 seconds.
  • Only cache the image files in common formats, such as JPG, GIF or BMP.
  • For the cache objects from the same host, some can be cached by following the cache filter rules, and others can be cached by following the definitions in the cache control header, such as the TTL of the cache.
  • Ignore the specific type of query strings in the request URL when looking up for an object in cache.

7.1.5 Cache Expiration Time

Three types of cache expiration time are involved during the cache process:

  • The expiration time defined by the “Expires” field in the HTTP header;
  • The global cache expiration time configured via the command “cache settings expire {hh:mm:ss|seconds}”;
  • The TTL time specified by the “ttl” parameter in the command “cache filter rule <host_name> <url> {cache|urlquery|ttl}”.

The priorities of the three expiration times are as follows:

  1. The expiration time configured in “cache filter rule” will be used first.
  2. If the “ttl” parameter is not specified, the global expiration time specified by “cache settings expire” command will apply.
  3. For the cache content that does not match any cache filter rule, the expiration time defined in the HTTP header will be applied.
  4. If no “Expires” field is available in the HTTP header to define the expiration time, just follow the configuration of “cache settings expire”.