Coyote Point Systems Equalizer GX Series Administration Manual
Application delivery controller eq/os 10
The recognized leader in proven and affordable load balancing and application delivery solutions
APPLICATION DELIVERY CONTROLLER (ADC)
EQ/OS 10
Administration Guide for Equalizer™ LX and GX Series
OS Version 10.3.1
December 23, 2014
Summary of Contents for Coyote Point Systems Equalizer GX Series

  • Page 2 Fortinet reserves the right to change, modify, transfer, or otherwise revise this publication without notice, and the most current version of the publication shall be applicable. Document Version: 10.3.1 Coyote Point Systems A subsidiary of Fortinet, Inc. 56 Main Street Millerton, NY 12546...
  • Page 3: Table Of Contents

    Equalizer Administration Guide Table of Contents Introduction About Equalizer Typographical Conventions Attributions Where to Go for More Help Overview Intelligent Load Balancing Real-Time Server Status Information Network Address Translation and Spoofing Load Balancing How a Server is Selected Layer 7 Load Balancing and Server Selection Persistence Why a Server May Not Be Selected...
  • Page 4 Table of Contents First Time VLAN Configuration Example Replacing the Default Certificate, Key, and Cipherspec Sample Configuration Sample Configuration Registering Your Product Registering Your Product Upgrading Upgrade Path from EQ/OS 8.6 to the Latest EQ/OS 10 Version EQ/OS 8.6 Upgrade Procedure Upgrading to the Latest Release Downgrading to EQ/OS 8.6 Load Balancing & Networking...
  • Page 5 Equalizer Administration Guide Non Spoof Load Balancing Toward Server Source, Destination Specified Generated by Equalizer Enabling DNS Configuring NTP NTP and Plotting Default NTP Configuration Selecting an NTP Server Managing NTP Source Routing Tables & Rules Source Routing Table IP Filter Rules IP NAT Rules Network Troubleshooting Tools Working in the CLI...
  • Page 6 Table of Contents Context Command Summaries Global Commands Certificate Commands Certificate Revocation List Commands Cluster and Match Rule Commands Diagnostic Commands External Services Commands Failover Commands Firewall Commands GeoCluster and GeoSite Instance Commands GeoSite and GeoSite Resource Commands IP Reputation Commands Interface Commands Interface Command Notes Link Aggregation Commands...
  • Page 7 Equalizer Administration Guide Displaying User Information VLAN and Subnet Commands VLAN and Subnet Command Notes Using the GUI Logging In Navigating Through the Interface Entering Names for Load Balancing Objects Using the WebHelp System Settings Global Settings Dashboard Certificates Installing a Certificate Certificate Revocation Lists Installing a Certificate Revocation List (CRL) IP Reputation...
  • Page 8 Table of Contents Interfaces (E350GX, E450GX, E650GX Only) Link Aggregation Configuring VLANs Configuring Subnets About Permitted Subnets Configuring Subnet Destination Routes Configuring Outbound NAT IPv6 Tunnel Overview Configuring an IPv6 Tunnel Failover Working with Clusters and Match Rules Overview of Clusters Cluster Summary Cluster Connection Timeouts Adding and Deleting Clusters...
  • Page 9 Equalizer Administration Guide Server Name Indication Layer 7 TCP Cluster Settings Layer 7 TCP Cluster Persistence Additional Cluster Configuration About Passive FTP Translation Enabling Cookies for Persistent Connections Enabling Persistent Server Connections Enabling Sticky Connections Enabling the Once Only and Persist Options Enabling Both the Once Only and Always Options Enabling Once Only and Compression Enabling Once Only and No Header Rewrite for HTTPS...
  • Page 10 Table of Contents Displaying Match Rules Default Match Rule Creating a New Match Rule Modifying a Match Rule Removing a Match Rule Using the Match Rule Expression Editor Operating within the Expression Editor Example Match Rules Parsing the URI Using Match Rules Changing Persistence Settings Using Match Rules Using Persistence with Match Rules Changing the Spoof (SNAT) Setting Using Match Rules...
  • Page 11 Equalizer Administration Guide Deleting a Server Pool (GUI) Deleting a Server Pool (CLI) Server Pool and Server Instance Reporting (CLI and GUI) Servers Server Summary Adding and Modifying Servers Server Software Configuration Adjusting a Server’s Initial Weight Setting Initial Weights for Homogenous Clusters Maximum Connections Limits, Responders, and Hot Spares Setting initial Weights for Mixed Clusters Interaction of Server Options and Connection Processing...
  • Page 12 Table of Contents Configuring Outbound Link Load Balancing Inbound Link Load Balancing Configuring Inbound Link Load Balancing Global Load Balance Overview of Envoy Geographic Load Balancing Envoy Configuration Summary DNS Configuration Local (Caching) DNS Server Configuring an Authoritative DNS Name Server for Envoy Using Envoy with Firewalled Networks Using Envoy with NAT Devices Configuring GeoClusters...
  • Page 13 Equalizer Administration Guide Configuring VLAN (Subnet) Failover Settings (CLI) Configuring VLAN (Subnet) Failover Settings (GUI) Configuring Active/Passive Failover (CLI) Configuring Active/Passive Failover (GUI) Configuring Active/Active Failover Failover Groups Configuring Active/Active Failover (CLI) Configuring N+1 Failover Network Design for N+1 Failover How a Peer is Chosen for Failover in N+1 Configuration Monitoring N+1 Failover Rebalancing...
  • Page 14 Table of Contents Adjusting ARP Behavior on Linux Servers Configuring a Linux System running Apache for DSR Configuring a Loopback Interface on Other Systems for DSR Weak and Strong Host Models and DSR Server Health Check Probes About Server Health Check Probes Layer 3 ICMP Probes Enabling/Disabling Layer 3 ICMP Probes Configuring Layer 3 ICMP Probe Parameters...
  • Page 15 Equalizer Administration Guide Server Pool Class (srvpool) Server Class (server) Server Instance Class (si) ADC Class (adc) Sample Trigger Script for the Configuration of Multiple Hot Spare Servers Sample Trigger Script for Rebooting the System Adding Smart Controls Alerts Alert Notification Types Configuring Alerts Configuring an SMTP Relay Configuring Alerts in the CLI...
  • Page 16 Table of Contents Using Diagnostic Commands Using tcpdump Using Watchdog Timers Configuring the Baseboard Management Controller (BMC) Prerequisites Configuration Using IPMI to Power Servers On/Off Equalizer OnDemand What is Equalizer OnDemand? Differences from Equalizer Hardware Installing and Upgrading Equalizer OnDemand VMware Host Requirements Installing EQOD Using OVF Installing EQOD from a ZIP file...
  • Page 17: Copyright © 2014 Coyote Point Systems, A Subsidiary Of Fortinet, Inc

    Equalizer Administration Guide Networking Translation Between EQ/OS 10.1.x and 10.2.x Networking Translation Between 10.1.x and 10.2.x Systems Maximum Configuration Values Glossary Copyright © 2014 Coyote Point Systems, A Subsidiary of Fortinet, Inc. All Rights Reserved.
  • Page 19: Introduction

    Equalizer Administration Guide Chapter 1 Introduction Subsections in this chapter include: About Equalizer Typographical Conventions Attributions Where to Go for More Help
  • Page 20: About Equalizer

    Introduction About Equalizer The Equalizer Application Delivery Controller (ADC) is a high-performance switch that offers optimized availability, user experience, and performance of mobile, cloud-based and enterprise applications while increasing server efficiency and reducing cost and complexity in the data center. It features: Intelligent load balancing based on multiple, user-configurable criteria Non-stop availability with no single point of failure, through the use of redundant servers in a cluster and the optional addition of a failover (or backup) Equalizer...
  • Page 21: Typographical Conventions

    Equalizer Administration Guide Typographical Conventions The following typographical conventions appear throughout this guide: Text in “double quotes” indicates the introduction of a new term. Italic text is used primarily to indicate variables in command lines, and is also used to emphasize concepts while discussing Equalizer operation.
  • Page 22: Where To Go For More Help

    Introduction Where to Go for More Help These instructions are part of the product documentation delivered with Equalizer’s browser-based GUI. You can display the appropriate manual section for any interface screen by selecting Help > Context help from the menu at the top of the interface. The Help menu also contains links to the Release Notes for the currently running software version, and other documentation.
  • Page 23: Overview

    Equalizer Administration Guide Chapter 2 Overview Sections within this chapter include: Intelligent Load Balancing Real-Time Server Status Information Network Address Translation and Spoofing Load Balancing How a Server is Selected Layer 7 Load Balancing and Server Selection Persistence Why a Server May Not Be Selected...
  • Page 24: Intelligent Load Balancing

    Overview Intelligent Load Balancing The Equalizer appliance functions as a gateway to one or more sets of servers organized into virtual clusters. When a client submits a request to a site that the appliance manages, it identifies the virtual cluster for which the request is intended, determines the server in the cluster that will be best able to handle the request, and forwards the request to that server for processing.
  • Page 25 Equalizer Administration Guide Regardless of cluster type, the appliance uses intelligent load balancing algorithms to determine the best server to receive a request. These algorithms take into account the configuration options set for the cluster and servers, real-time server status information, and information from the request itself.
  • Page 26: Real-Time Server Status Information

    Overview Real-Time Server Status Information Equalizer gathers real-time information about a server’s status using ICMP Probes, TCP Probes, Active Content Verification (ACV), and Server Agents. ICMP and TCP Probes are the default probing methods. ICMP Probes use Internet Control Message Protocol to send an "Echo request" to the server, and then wait for the server to respond with an ICMP "Echo reply"...
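The probe types listed above, as an added Python model that is not Equalizer's own probe implementation. It shows why a TCP probe alone is not enough: a backend that still completes the TCP handshake passes the Layer 4 check, while an ACV probe, which sends a configured request and requires a configured string in the reply, marks it down when the application answers incorrectly. The toy loopback backend, the request and expected strings, the status labels and the timeouts are assumptions made for the demonstration; ICMP probes need raw sockets and are left out.

```python
"""TCP probe and Active Content Verification (ACV) probe.

Added example, not Equalizer's probe implementation. The semantics follow
the text: a TCP probe passes when the port completes the handshake; ACV
additionally sends a configured request and requires a configured string
in the reply, so it catches an application that still accepts connections
but no longer answers correctly. The toy backend, the request/response
strings and the timeouts are assumptions. ICMP probes need raw sockets
and are left out.
"""
import socket
import threading


def tcp_probe(host, port, timeout=1.0):
    """Layer 4 probe: the server is up if it completes the TCP handshake."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def acv_probe(host, port, request, expect, timeout=1.0, limit=65536):
    """Layer 7 probe: send `request`, succeed only if `expect` appears in the
    reply before the peer closes, `limit` bytes arrive or `timeout` elapses."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.settimeout(timeout)
            s.sendall(request)
            buf = b""
            while expect not in buf and len(buf) < limit:
                chunk = s.recv(4096)
                if not chunk:
                    break
                buf += chunk
            return expect in buf
    except OSError:
        return False


def server_status(host, port, acv_request=None, acv_expect=None):
    """Apply the probes in order; any failure marks the server down and it
    leaves the load-balancing pool, as the text describes."""
    if not tcp_probe(host, port):
        return "down (tcp probe failed)"
    if acv_request is not None and not acv_probe(host, port, acv_request, acv_expect):
        return "down (acv probe failed)"
    return "up"


def start_toy_backend(healthy=True):
    """Constructed backend on loopback: always accepts TCP, but answers 200
    only while `healthy`. Returns the ephemeral port it listens on."""
    reply = (b"HTTP/1.1 200 OK\r\nContent-Length: 2\r\n\r\nOK" if healthy
             else b"HTTP/1.1 503 Service Unavailable\r\nContent-Length: 0\r\n\r\n")
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def serve():
        while True:
            conn, _ = srv.accept()
            with conn:
                try:
                    conn.settimeout(1.0)
                    conn.recv(4096)   # the probe request; its content is ignored
                    conn.sendall(reply)
                except OSError:
                    pass             # a plain TCP probe hangs up without sending

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


def closed_loopback_port():
    """Constructed failure case: a port on which nothing is listening."""
    with socket.socket() as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


if __name__ == "__main__":
    up_port, sick_port = start_toy_backend(True), start_toy_backend(False)
    req, want = b"GET /health HTTP/1.0\r\n\r\n", b"200 OK"
    for label, port in [("healthy", up_port), ("sick", sick_port),
                        ("closed", closed_loopback_port())]:
        print(label, server_status("127.0.0.1", port, req, want))
```

The "sick" backend is the case a practitioner cares about: it is reachable at Layer 4, so only the ACV check takes it out of rotation. Keep the expected string specific (a status line or a marker in a dedicated health page) so that an error page served by the same daemon cannot satisfy it.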
  • Page 27: Network Address Translation And Spoofing

    Equalizer Administration Guide Network Address Translation and Spoofing The servers load balanced by Equalizer provide applications or services on specific IP addresses and ports, and are organized into virtual clusters, each with its own IP address. Clients send requests to the cluster IP addresses on the appliance instead of sending them to the IP addresses of the servers.
  • Page 28 Overview 4. NAT can also be enabled for packets that originate on the servers behind Equalizer and are destined for subnets other than the subnet on which the servers reside -- on the appliance, this is called outbound NAT. This is usually required in dual network mode when reserved IP addresses (e.g., 10.x.x.x, 192.168.x.x) are being used on the internal interface, so that the recipients do not see reserved IP addresses in packets originating from the servers.
  • Page 29: Load Balancing

    Equalizer Administration Guide Load Balancing Load balancing is based on the policy selected. The policies can be split up into two categories: 1. round robin 2. everything else. Round robin simply selects the next server in the list with no regard for how busy that server may be. Other load balancing policies use proprietary algorithms to compute the load of each server and then select the server with the least load.
  • Page 30 Overview There are two additional variables for load balancing: - if a server instance (in a server pool) is marked as a Hot Spare, it is not included in the pool of servers to select from unless every other non-hot-spare server is down. If a connection persists to this server, it will be placed back on this server.
  • Page 31: How A Server Is Selected

    Equalizer Administration Guide How a Server is Selected The main functionality of Equalizer is to load balance, that is, when a request is received from a client, to select an appropriate server to connect the request with. The "appropriate" server is usually selected as part of a proprietary load balancing algorithm or via round-robin.
  • Page 33 Equalizer Administration Guide For Layer 7 clusters, the connection must be established within the connect_timeout. If we receive an active refusal (RST) from a server, we will repeat the load balancing process and choose another server. Otherwise we will continue trying to connect to the same server until the connect timeout expires.
  • Page 34: Layer 7 Load Balancing And Server Selection

    Overview Layer 7 Load Balancing and Server Selection Equalizer’s support for Layer 7 content-sensitive load balancing enables administrators to define rules for routing HTTP, HTTPS, and special Layer 7 TCP requests, depending on the content of the request. Layer 7 load balancing routes requests based on information from the application layer. This provides access to the actual data payloads of the TCP/UDP packets exchanged between a client and server.
  • Page 35: Persistence

    Equalizer Administration Guide Persistence Persistence refers to the ability of a load balancer (or other traffic management solution) to maintain a virtual connection between a client and a specific server. It is often referred to in the application delivery networking world as "stickiness". The persistence of session data is important when a client and server need to refer to data previously generated again and again as they interact over more than one transaction, possibly more than one connection.
  • Page 36 Overview Layer 7 Persistence Equalizer provides server or connection persistence using cookies in Layer 7 HTTP and HTTPS clusters. The following paragraphs explain connection persistence provided by the appliance, and its relationship to session persistence. When a request from a client that has not previously connected to the cluster is received by Equalizer, it is load balanced according to the current server load values as described in "Load Balancing" on page 29.
  • Page 37 Equalizer Administration Guide Equalizer can also be configured to ensure that it directs requests from a particular client to the same server pool even if the incoming connection is to a different cluster. When you enable inter cluster stickiness for a Layer 4 cluster, Equalizer checks the cluster for a sticky record as it receives each connection request, just like it does for ordinary sticky connections.
  • Page 38: Why A Server May Not Be Selected

    Overview Why a Server May Not Be Selected There are several reasons that a server may not be selected by Equalizer: 1. The various configured health checks within Equalizer have detected that a server is "down". If a server is marked "down" by a health check, it is immediately removed from the pool of servers available for load balancing.
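The selection rules spread across the Load Balancing, How a Server is Selected, Persistence and Why a Server May Not Be Selected pages above, collected into one added Python model. This is not Equalizer's code; it implements only what the text states: servers marked down by a health check leave the pool, a hot spare is used only when every non-spare server is down but keeps connections that already persist to it, round robin walks the list while the other policies pick the least-loaded server, a sticky record sends a returning client back to its server, and an active refusal (RST) reruns load balancing while a timeout keeps trying the same server. The Server fields, the connections-per-weight load measure, the per-request exclusion of a server that sent RST, and the attempt budget standing in for the connect timeout are assumptions.

```python
"""Server-selection model: added example, not Equalizer's own code.

Rules taken from the text: down servers are removed; a hot spare is used
only when every other non-hot-spare server is down, but a connection that
persists to it goes back to it; round robin ignores load, the other
policies take the least-loaded server; RST repeats load balancing, a
timeout retries the same server. Everything else (Server fields, the
active/weight load measure, the attempt budget) is an assumption.
"""
from dataclasses import dataclass
from itertools import count


@dataclass
class Server:
    name: str
    weight: int = 100        # initial weight; 0 means "send nothing new"
    up: bool = True          # current health-check verdict
    hot_spare: bool = False  # used only when all non-spare servers are down
    active: int = 0          # open connections, the load measure used here


class Pool:
    def __init__(self, servers, policy="round_robin"):
        self.servers = servers
        self.policy = policy   # "round_robin" or "least_load"
        self._rr = count()
        self.sticky = {}       # client id -> server name (sticky record)

    def candidates(self, exclude=()):
        up = [s for s in self.servers if s.up and s.name not in exclude]
        primary = [s for s in up if not s.hot_spare]
        return primary or [s for s in up if s.hot_spare]

    def pick(self, client=None, exclude=()):
        """Choose a server for a new connection; None if nothing is usable."""
        if client in self.sticky:
            name = self.sticky[client]
            s = next((s for s in self.servers if s.name == name), None)
            # A persisted connection goes back to its server even when that
            # server is a hot spare no longer in the candidate set.
            if s is not None and s.up and name not in exclude:
                return s
        cands = [s for s in self.candidates(exclude) if s.weight > 0]
        if not cands:
            return None
        if self.policy == "round_robin":
            s = cands[next(self._rr) % len(cands)]
        else:  # least_load: fewest connections per unit of weight
            s = min(cands, key=lambda s: s.active / s.weight)
        if client is not None:
            self.sticky[client] = s.name
        return s

    def connect(self, client, try_connect, max_attempts=4):
        """try_connect(server) -> "ok", "rst" or "timeout".
        RST: rerun load balancing without that server for this request
        (assumption; the text only says another server is chosen).
        Timeout: keep trying the same server until the attempt budget,
        standing in for the connect timeout, is exhausted."""
        excluded, s = set(), None
        for _ in range(max_attempts):
            if s is None:
                s = self.pick(client, exclude=excluded)
                if s is None:
                    return None
            result = try_connect(s)
            if result == "ok":
                s.active += 1
                return s
            if result == "rst":
                excluded.add(s.name)
                if client is not None:
                    self.sticky.pop(client, None)
                s = None
        return None
```

Two things the model makes visible: a sticky record overrides the hot-spare rule, so a client that first arrived during an outage stays on the spare after the primaries recover; and a server that refuses connections is skipped for that request but not marked down, so the health-check probes, not the connect path, decide when it leaves the pool.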
  • Page 39: What's New

    Equalizer Administration Guide Chapter 3 What's New Subsections in this chapter include: What's New in this Revision
  • Page 40: What's New In This Revision

    What's New What's New in this Revision The list below contains changes in this documentation since the previous release. For additional upgrade information, refer to the Release Notes available with the firmware. For EQ/OS 10.3.1: 1. Documentation Enhancements: What's New - this section will appear with each revision of this document, highlighting changes and updates from the previous release of this document as well as features, functionality changes, parameter changes, deletions and any other information that will be used in the configuration and operation of your appliance.
  • Page 41 Equalizer Administration Guide 4. Command, Configuration, and Miscellaneous Change Descriptions: Supported Object Limits - Added an updated table describing the number of supported load balancing objects for each available appliance. (See "Maximum Configuration Values" on page 848) Debug Commands - Updated Debug Command list with the debug > reset keep file-store command which will reset the configuration to factory defaults, keeping core files and files that are currently in the file store.
  • Page 43: Installation

    Equalizer Administration Guide Chapter 4 Installation Sections within this chapter include: Hardware Installation UL/cUL & CE/CB Safety Warnings and Precautions Power Requirements Operating Environment Regulatory Certification Setting Up a Terminal or Terminal Emulator
  • Page 44: Hardware Installation

    Installation Hardware Installation To install Equalizer, proceed with the following: 1. Carefully remove the rack-mount enclosure and cables from the shipping container. Save the original packaging in case you need to ship the appliance for any reason, such as sending it in for warranty service. The chassis does not contain any parts that you can service.
  • Page 45: Ul/Cul & Ce/Cb Safety Warnings And Precautions

    Equalizer Administration Guide UL/cUL & CE/CB Safety Warnings and Precautions Risk of explosion if battery is replaced by an incorrect type. Dispose of used batteries according to your local regulations. Switzerland: Annex 4.10 of SR814.013 applies to batteries. Statement in Chinese text: 警...
  • Page 46 Installation Grounding: Ensure your product is connected and properly grounded to a lightning and surge protector. WAN or LAN connections that enter the premises from outside the building should be connected to an Ethernet CAT5 (10/100 Mb/s) surge protector. Shielded Twisted Pair (STP) Ethernet cables should be used whenever possible rather than Unshielded Twisted Pair (UTP).
  • Page 47: Power Requirements

    Equalizer Administration Guide Voluntary Control Council for Interference (VCCI) – Japan Statement in Japanese text (translated): This is a Class A information technology device. Using this device in a home environment may cause radio interference. In that case the user may be required to take appropriate...
  • Page 48: Setting Up A Terminal Or Terminal Emulator

    Installation Setting Up a Terminal or Terminal Emulator When you set up Equalizer for the first time, you must use a serial connection in order to configure the appliance's network with the eqcli interface. Connect the serial port on the Equalizer to the serial port on a terminal, or any system (such as a Windows or Unix PC) running terminal emulation software.
  • Page 49: Configuring Access

    Equalizer Administration Guide Chapter 5 Configuring Access Sections within this chapter include: Default Login Serial Access
  • Page 50: Default Login

    Configuring Access Default Login Equalizer's default login credentials for both the CLI and GUI are: Username: touch Password: touch For security, you should change the login for the touch user the first time you log in. You can do this by logging into the CLI, entering the following command, and following the command prompts: eqcli > user touch password...
  • Page 51: Serial Access

    Equalizer Administration Guide Serial Access Serial access is provided via the serial port on Equalizer’s front panel. A serial connection is required for activities during which the appliance may lose network connectivity. This includes: Configuring network connectivity for the first time Performing upgrades of the EQ/OS software and switch firmware Re-configuring network access for services such as HTTP and SSH, when you cannot login over the network interfaces currently configured or you are changing the network interfaces...
  • Page 53: First Time Configuration

    Equalizer Administration Guide Chapter 6 First Time Configuration Sections within this chapter include: Global Services VLAN Subnet Network Services First Time VLAN Configuration Example Replacing the Default Certificate, Key, and Cipherspec
  • Page 54: Global Services

    First Time Configuration Global Services The Global Services settings provide a convenient way to enable and disable services on all subnets, should the need arise. For example, when you are upgrading or performing a system backup, it may be desirable to use the serial connection and disable all network services to ensure that no other administrative users are accessing the system.
  • Page 55 Equalizer Administration Guide The following global services settings are supported:
    Global Service | Description
    http  | HTTP GUI service; when enabled, the Equalizer GUI will listen on all subnets on which HTTP services are enabled.
    https | HTTPS GUI service; when enabled, the Equalizer GUI will listen on all subnets on which HTTPS services are enabled.
  • Page 56: Vlan Subnet Network Services

    First Time Configuration VLAN Subnet Network Services By default, no network services are enabled when a VLAN subnet is created. They must be specifically enabled before you can access Equalizer over a subnet: VLAN Subnet Network Services using the CLI: In the CLI, subnet network services are enabled using the parameter in the context.
  • Page 57 Equalizer Administration Guide Network Service
    fo_http (Failover HTTP) | Failover HTTP GUI service; when enabled, Equalizer will listen for HTTP connections on Equalizer’s Failover IP address (if configured) on the subnet. The global HTTP GUI service must also be enabled.
    Click on the Failover tab to enable or disable the following services: Failover HTTPS GUI service;...
  • Page 58: First Time Vlan Configuration Example

    First Time Configuration First Time VLAN Configuration Example The following procedure is an example of how to configure VLANs using the Equalizer CLI. You must configure VLANs using the CLI so that you can ultimately use the GUI. Follow the steps below to get Equalizer onto your network.
  • Page 59 Equalizer Administration Guide 4. Add a subnet to the VLAN you just created. You’ll need to specify the subnet IP address, which is the load balancer's address on this network. It must be an IPv4 or IPv6 address in CIDR format (e.g., 172.16.0.200/21). Enter the following command syntax: eqcli >...
  • Page 60 First Time Configuration 6. Connect the port or ports you configured on the VLAN to the network using a standard Ethernet cable with RJ-45 connectors. To confirm that the interface has come up, use the following command: eqcli > show interface Interface Autonegotiation Mode Duplex Mode...
  • Page 61: Replacing The Default Certificate, Key, And Cipherspec

    Equalizer Administration Guide Replacing the Default Certificate, Key, and Cipherspec Using Equalizer's Remote Management commands in the CLI, you can replace the default certificate, key, and cipher spec that are used with HTTPS services on subnets with custom certificates, keys and cipher specs. The process includes: Uploading the custom certificate and key file to the file store.
  • Page 62 First Time Configuration Entering the Certificate and Key file to be Used with HTTPS Services 3. Set the certfile and keyfile to use using the CLI remote management commands. The keyfile has the same name as the certfile and will be used automatically. eqcli remote-mgmt certificate certificatename 4.
  • Page 63 Equalizer Administration Guide Reapplying the Default Certificate, Cipherspec and Protocols To reapply the defaults for Cipherspec, Certificate or Protocol, enter any of the following: eqcli > no remote-mgmt {cipherspec|certificate|protocol}
  • Page 65: Sample Configuration

    Equalizer Administration Guide Chapter 7 Sample Configuration Sections within this chapter include: Sample Configuration
  • Page 66: Sample Configuration

    Sample Configuration Sample Configuration After setting up your Equalizer and configuring VLANs you are now ready to configure other load balancing objects such as servers, server pools, clusters and responders. This section shows you how to configure Equalizer for the first time using CLI, and assumes that Equalizer is in a “factory installed”...
  • Page 67 Equalizer Administration Guide 3. Create a VLAN for servers on the remaining ports: eqcli > vlan 192net vid 3 4. Add subnets to both of the VLANs. You’ll need to specify the subnet IP address, which is the load balancer's address on this network. It must be an IPv4 or IPv6 address in CIDR format (e.g., 172.16.0.200/21).
  • Page 68 Sample Configuration 7. Associate an interface instance with the VLAN. In the example below we assume that you are using the port labeled "1" on the front panel. Enter one of the following commands, depending on whether the VLAN you created above is untagged or tagged (ask your network administrator if you are unsure): eqcli >...
  • Page 69 Equalizer Administration Guide 13. Create a server pool: eqcli > srvpool sp01 policy adaptive respv 3 14. In server pool sp01, create server instances for the servers created in Step 6. eqcli > srvpool sp01 si sv01 weight 100 eqcli > srvpool sp01 si sv02 weight 100 15.
  • Page 70 Sample Configuration 19. Create a Layer 7 HTTPS cluster using server pool sp02 and associate certificate ct01 with the cluster: eqcli > cluster cl03 proto https ip 172.16.0.203 port 443 srvpool sp01 certificate ct01 20. Create a Layer 7 HTTP cluster -- do not specify a server pool, since this cluster will be used only to redirect clients to cl03: eqcli >...
  • Page 71 Equalizer Administration Guide 23. Add a redirect responder that will redirect all requests coming into the same cluster IP as cl03 on port 80 (via HTTP); the responder will be configured to redirect these requests to cl03 on port 443 (via HTTPS). Since some of the arguments to this command are longer than one line, we’ll add the responder using multiple command lines to make the input clearer: eqcli >...
  • Page 73: Registering Your Product

    Equalizer Administration Guide Chapter 8 Registering Your Product Sections within this chapter include: Registering Your Product
  • Page 74: Registering Your Product

    Registering Your Product Registering Your Product Fortinet customer services (such as firmware updates and technical support) require product registration. Take a moment now to register your product at the Fortinet Customer Service and Support web site: https://support.fortinet.com Before you can register, you will need: 1.
  • Page 75 Equalizer Administration Guide 3. Your Equalizer system is now registered. If your system can connect to the internet, you can now update the support information displayed in the CLI and GUI by doing one of the following: a. In the CLI, enter the following to update the support information on your unit: eqcli >...
  • Page 77: Upgrading

    Equalizer Administration Guide Chapter 9 Upgrading Sections within this chapter include: Upgrade Path from EQ/OS 8.6 to the Latest EQ/OS 10 Version EQ/OS 8.6 Upgrade Procedure Upgrading to the Latest Release Downgrading to EQ/OS 8.6
  • Page 78: Upgrade Path From Eq/Os 8.6 To The Latest Eq/Os 10 Version

    Upgrading Upgrade Path from EQ/OS 8.6 to the Latest EQ/OS 10 Version You can upgrade directly from EQ/OS 8.6.0i to the latest version of EQ/OS 10. Downgrade Path The table below shows the configuration file versions and their associated EQ/OS 10 releases. Configuration file version 6 is the latest configuration file used.
  • Page 79: Eq/Os 8.6 Upgrade Procedure

    Equalizer Administration Guide EQ/OS 8.6 Upgrade Procedure To upgrade your EQ/OS 8.6 Equalizer to EQ/OS 10: 1. Connect Equalizer with a serial console. Refer to "Setting Up a Terminal or Terminal Emulator" on page 48. 2. Set up a local FTP server that can be accessed by Equalizer. This will be used during the upgrade process to save an EQ/OS 8.6 system image that can be used to restore Equalizer to EQ/OS 8.6.
  • Page 80 Upgrading 7. Do one of the following: Press " " followed by "Enter" to download the upgrade image from the Coyote Point web site. Press " " followed by "Enter" to download the upgrade image from a local server. 8.
  • Page 81 Equalizer Administration Guide 10. The following prompt is displayed: Requesting pid 460 to terminate. It is safest to proceed only on a system with an active support contract. It is recommended that you verify your support status by re-licensing this system using the online license server now.
  • Page 82 Upgrading 12. The user is now prompted for the second stage upgrade URL: This installer uses a 2-stage process. You must enter the URL for the second-stage install bundle. It is usually the same URL from which you retrieved the first-stage installer, except without the last component.
  • Page 83 Equalizer Administration Guide 14. The system then prompts you to enter a URL for the restore image as well as a username and password to : Do you want to create a restore image [Y/N]? ^Cy Cleaning up log and temporary files before restore imaging process. Flushing disk write cache.
  • Page 84 Upgrading 17. After rebooting, the system will automatically continue the upgrade by booting from the second partition. DO NOT PRESS ANY KEYS WHEN THE BOOT MENU IS DISPLAYED. Wait for the system to boot automatically. Once the system boots, it unpacks the EQ/OS 10 upgrade image and creates the appropriate file systems.
  • Page 85: Upgrading To The Latest Release

    Equalizer Administration Guide Upgrading to the Latest Release Upgrade using the CLI To upgrade a system that is already running EQ/OS 10 to the latest release using the CLI, do the following: 1. Ensure that the upgrade image is available on an FTP or HTTP server that is accessible to Equalizer.
  • Page 86: Downgrading To Eq/Os 8.6

    Upgrading Downgrading to EQ/OS 8.6 If you upgraded Equalizer from EQ/OS 8.6 to EQ/OS 10, you can later downgrade Equalizer back to the release that was running when you upgraded. You can downgrade any Equalizer in the GX series. You cannot downgrade LX series Equalizers. This procedure requires the following: A saved restore system image created during the upgrade to EQ/OS 10.
  • Page 87 Equalizer Administration Guide 4. The downgrade software is downloaded, unpacked, and run. The following prompt is displayed: Please enter the URL for the system restore image for THIS SYSTEM. If a username and/or password is required in order to retrieve the file, the username (and optionally the password) must be embedded in the URL using standard URL syntax.
  • Page 88 Upgrading If the restored image was originally encrypted with a password, you will be prompted with the following after selecting "Y". Enter your restore image password: restore_password Enter your restore image password again: restore_password Password: restore_password In either case the following will be displayed as the system restores the image. Formatting target filesystem.
  • Page 89: Load Balancing & Networking

    Equalizer Administration Guide Chapter 10 Load Balancing & Networking Sections in this chapter include: Networking Technologies Networking Conventions Common Equalizer Networking Scenarios Blank Configuration Single VLAN/Subnet Single VLAN/Subnet with a Default Gateway Dual VLAN/Network Dual VLAN/Network with 2 Gateways Dual VLAN/Network with Outbound NAT Using VLANs How the ADC Routes a Packet Configuring Front Panel Ports...
  • Page 90: Networking Technologies

    Load Balancing & Networking Networking Technologies There are several networking technologies described herein that apply to Equalizer installations. They are summarized below; however, specific rules and commands are described further as each networking scenario is described in detail. Destination Routing: This is standard routing that is performed by any networking device. The device determines how to send a packet to its destination by evaluating the destination IP address to see if it is on a local network.
  • Page 91 Equalizer Administration Guide If the destination IP address is on a remote network, the device trying to send a packet performs a most-specific to least-specific search for the source IP network. If a matching source route is found within the routing table, any routing table entries that contain that source IP network are used as a destination routing table.
  • Page 92 Load Balancing & Networking Destination Networks: A specific remote network that has been configured by the Administrator as connected to a local network of Equalizer. This means that if Equalizer needs to send packets to this network, it should do so from an IP address on the local network and use the router of the local network.
  • Page 93 Equalizer Administration Guide Outbound NAT: NAT, or Network Address Translation, is a common concept for most network administrators. Equalizer administrators usually need to enable NAT when a server on an "internal" (non-public, DMZ) network needs to access resources on the Internet or another public network.
  • Page 94 Load Balancing & Networking Network Permissions: Local networks configured in Equalizer use a default/deny permission scheme. This means that if an Administrator wants to route between two networks using Equalizer, they must explicitly enable permissions between that pair of networks. Note that permissions are not symmetrical: it is possible to configure a solution where one network can talk to another but not vice-versa.
  • Page 95: Networking Conventions

    Equalizer Administration Guide Networking Conventions Several conventions are used within this section: Network addresses are represented in Classless Inter-Domain Routing (CIDR) notation, an IP addressing scheme in the form A.B.C.D/X where X is the number of bits in the subnet mask.
  • Page 96: Common Equalizer Networking Scenarios

    Load Balancing & Networking Common Equalizer Networking Scenarios This section describes individual networking scenarios that can be used to build up a larger, more complicated configuration for Equalizer. Each section starts at a specific pre-configured configuration, and references the section which helps set up that configuration. Blank Configuration When the Equalizer configuration does not contain any subnets, the networking configuration should also be blank:...
  • Page 97: Single Vlan/Subnet

    Equalizer Administration Guide Single VLAN/Subnet A Single VLAN/subnet configuration is one of the most common scenarios used. In this setup, Equalizer is placed into an existing network so that all servers, internal clients, and external routers are on the same VLAN. (This usually means special routing on the servers or the use of no spoof for Equalizer clusters.
  • Page 98 Load Balancing & Networking The new rule shows that packets from network internal:net are allowed into the system if they are being sent to the same network. Without this rule, the newly added IP address could not be reached from the rest of the network. Also note that IPv4/6 rule 1 allows Equalizer traffic if it is on the local host interface (lo0), and IPv4/6 rule 3 blocks all traffic which didn't fall into one of the previous rules.
  • Page 99: Single Vlan/Subnet With A Default Gateway

    Equalizer Administration Guide Single VLAN/Subnet with a Default Gateway A system can be connected to the Internet by adding a default route (the newly-added rules are in italics) because there is only a single Equalizer local network. eqcli > vlan internal subnet net default_route 192.168.211.1 eqcli: 12000287: Operation successful Source Routing Table: 192.168.211.0/24:...
  • Page 100 Load Balancing & Networking Rules 4 and 5 allow traffic from non-Equalizer networks into Equalizer and from Equalizer to non- Equalizer networks. These are the rules that allow routing through the default gateway to work. The configuration presented in this section corresponds to the following scenario: Copyright ©...
  • Page 101: Dual Vlan/Network

    Equalizer Administration Guide Dual VLAN/Network Another typical configuration is to have two networks connected to Equalizer: 1. One for external connectivity (this is where the Equalizer clients and clusters are) 2. One for internal resources (this is where the servers are) We start with a single-VLAN configuration with no default route (See "Single VLAN/Subnet" on page...
  • Page 102 Load Balancing & Networking The 192.168.211.0 network rules remain unchanged. We have new rules for the 10.0.0.0 network: Rule 3 is for sending packets on the external network interface (wm0 in this case) to the 10.0.0.0 network from the 10.0.0.0 network. Rules 5 and 6 are for packets between the 10.0.0.0 network and any other network.
  • Page 103 Equalizer Administration Guide With this configuration, clients can connect to cluster IP addresses on the 10.0.0.0 network, and Equalizer will send the requests to the servers on the 192.168.211.0 network. Source Routing Table: 0.0.0.0/00: default via 10.0.0.254 10.0.0.0/24: default via 10.0.0.254 IP Filter Rules: IPv4 Rules: 1: pass on interface lo0 all hits: 0 bytes: 0 2: pass on interface wm1 hits: 141 bytes: 7025...
  • Page 104: Dual Vlan/Network With 2 Gateways

    Load Balancing & Networking Dual VLAN/Network with 2 Gateways Imagine a scenario very similar to the one described in Dual VLAN/Network, but the internal network is also able to route to the Internet: As far as Equalizer is concerned, the configuration doesn't have to change at all from the previous scenario.
  • Page 105 Equalizer Administration Guide This can be verified by looking at the show sbr output: Source Routing Table: 0.0.0.0/00: default via 10.0.0.254 192.168.211.0/24: default via 192.168.211.2 10.0.0.0/24: default via 10.0.0.254 The IP Filter rules are updated as well, analogous to the rules which were created when we added routing in Single VLAN/Subnet with a Default Gateway.
  • Page 106 Load Balancing & Networking 6: block on interface wm0 hits: 0 bytes: 0 From To 10.0.0.0/24 192.168.211.0/24 -> 10.0.0.0/24 0.0.0.0/0 7: pass on interface wm0 hits: 4 bytes: 756 From To 10.0.0.0/24 -> any 8: pass on interface wm1 hits: 0 bytes: 0 From To any ->...
  • Page 107: Dual Vlan/Network With Outbound Nat

    Equalizer Administration Guide Dual VLAN/Network with Outbound NAT If we start with the configuration in Dual VLAN/Network, it should be noted that this configuration is not sufficient if the servers on the internal network require Internet connectivity. Equalizer will properly send traffic from the internal network to the Internet, but because the internal network is non-routable, hosts on the Internet will not be able to respond.
  • Page 108 Load Balancing & Networking List of active MAP/Redirect filters: map wm0 192.168.211.0/24 -> 10.0.0.68/32 proxy port ftp ftp/tcp map wm0 192.168.211.0/24 -> 10.0.0.68/32 portmap tcp/udp auto map wm0 192.168.211.0/24 -> 10.0.0.68/32 All three rules are created for the single NAT change that we made. They can be read as "whenever traffic is leaving through the wm0 interface, if it has a 192.168.211.0 network source IP address, change the source IP address to 10.0.0.68".
  • Page 109 Equalizer Administration Guide 0.0.0.0/0 -> 0.0.0.0/0 192.168.211.0/24 4: block on interface wm1 hits: 0 bytes: 0 From To 192.168.211.0/24 192.168.211.0/24 -> 10.0.0.0/24 0.0.0.0/0 5: pass on interface wm1 hits: 0 bytes: 0 From To 192.168.211.0/24 -> any 6: block on interface wm0 hits: 0 bytes: 0 From To 10.0.0.0/24 192.168.211.0/24 ->...
  • Page 110: Using Vlans

    Load Balancing & Networking Using VLANs Many networking technologies use a technique called broadcasting to provide services on a Local Area Network (LAN). Like traditional television or radio signals that are broadcast over the airwaves, broadcast network transmissions are received by every node on the same LAN segment, or broadcast domain.
  • Page 111 Equalizer Administration Guide One problem with broadcasting is that lots of broadcast traffic on a LAN can slow network traffic down, as well as slow individual systems down. If there is so much broadcast traffic on the LAN that other non-broadcast traffic is significantly delayed (or never delivered), this is called a broadcast storm.
  • Page 112: How The Adc Routes A Packet

    Load Balancing & Networking How the ADC Routes a Packet When an ADC sends out a packet, it determines how to send it as follows: 1. The ADC determines whether the system the packet is destined for is directly attached to one of the configured networks.
  • Page 113 Equalizer Administration Guide 1. The client with IP address 10.10.10.2 sends a packet to a cluster with IP address 10.10.11.21, through a firewall with IP address 10.10.10.254. 2. The firewall forwards the packet out of its 10.10.11.254 interface. 3. The ADC receives the request through the cluster IP 10.10.11.21. 4.
  • Page 114: Configuring Front Panel Ports

    Load Balancing & Networking Configuring Front Panel Ports Front panel ports are configured using either the CLI or the GUI. By default, all switch ports are configured as follows: full duplex full autonegotiation (Equalizer will attempt to auto negotiate the highest available speed with the unit on the other end of the connection) If needed, ports can be configured to match specific port settings required by the server connection.
  • Page 115: Viewing Link Status And Port Settings

    Equalizer Administration Guide Viewing Link Status and Port Settings Refer to "Interface Commands" on page 188 for a complete listing of the CLI Interface commands. Viewing Link Status and Port Settings (CLI) To view the current link status of each port as well as the current settings, use the "show interface" command as in this example below: eqcli >...
  • Page 116: Viewing Link Status And Port Settings (E350Gx, E450Gx, E650Gx Only)

    Load Balancing & Networking Viewing Link Status and Port Settings (E350GX, E450GX, E650GX Only) Viewing Link Status and Port Settings (CLI) To view the current link status of each port as well as the current settings, use the "show interface" command as in this example below: eqcli >...
  • Page 117 Equalizer Administration Guide Autonegotiation mode - Use one of the following: full - Full autonegotiation at all supported speed and duplex settings. select - Autonegotiation at the current speed and duplex parameter settings only. force - Set the port to the current speed and duplex parameter settings with no autonegotiation.
  • Page 118: Displaying Port Statistics

    Load Balancing & Networking Displaying Port Statistics Displaying Port Statistics (CLI) Use the interface context stats command to display statistics for a particular port, as in this example: eqcli > interface if01 stats Transmitted Counters: packets : 314966 bytes : 422 multicasts errors collisions...
  • Page 119: Source Based Routing Scenarios

    Equalizer Administration Guide Source Based Routing Scenarios Source routing allows the originator of a packet to partially or completely specify the path that a packet will take through a network, as well as the return path. In contrast, non-source-routing devices determine that path based on the packet's destination. Source routing allows: Easier troubleshooting Improved traceroute Enabling a node to discover all the possible routes to a host.
  • Page 120: Source Selection

    Load Balancing & Networking Source Selection As a load balancing device Equalizer may change the source address in a packet, the destination address in a packet, or both, before sending a packet on to the next-hop gateway. In doing so, it will perform source address selection to determine the appropriate source address to use when a packet is sent out on the network.
  • Page 121: Source Routing Scenarios

    Equalizer Administration Guide Source Routing Scenarios The following are possible scenarios for load balancing source-based routing through Equalizer: Scenario Source Destination DSS Used Spoof Load Balancing Toward Server 1. Local Server, Local Client 2. Routed Server, Local Client Client Server 3.
  • Page 122: Spoof Load Balancing Toward Server

    Load Balancing & Networking Spoof Load Balancing Toward Server In the load balancing source-based routing scenario presented below, spoofing is enabled so that the source is specified by a client IP and the destination is a server IP. As indicated in the table above, four scenarios are possible: 1.
  • Page 124: Spoof Load Balancing Toward Client

    Load Balancing & Networking Spoof Load Balancing Toward Client In the load balancing source-based routing scenario presented below, spoofing is enabled so that the source is specified by a cluster and the destination is a client. Two scenarios are possible: 1. Local Destination - in this case the packets originating from a cluster and destined for a client have both a source IP address and a destination IP address on a local subnet.
  • Page 125: Non-Spoof Load Balancing Toward Client

    Equalizer Administration Guide Non-Spoof Load Balancing Toward Client This scenario is the same as "Spoof Load Balancing Toward Client" on page 124; however, spoofing is disabled and the source is a cluster IP address and the destination is the load balancer's IP. The routing possibilities are the same as "Spoof"...
  • Page 126: Source, Destination Specified

    Load Balancing & Networking Source, Destination Specified In this scenario, the source and destination are both specified by the client. Equalizer will function as a router to send the packet directly to the addresses specified.
  • Page 127: Generated By Equalizer

    Equalizer Administration Guide Generated by Equalizer This scenario is typically used for administrative and probing purposes. It can also be used for upgrades, pinging and Equalizer image updates. As shown below, a packet will be dropped if no source IP address is found. As shown below, the packet routing will be determined by the default gateway specified in the DSS table.
  • Page 128: Enabling Dns

    Load Balancing & Networking Enabling DNS To enable the Domain Name Service (DNS), add a name server to the configuration. Name servers are added to the name-server list one at a time, with a maximum of three name servers in the list (Primary, Secondary, Tertiary). The following table shows you how to perform DNS tasks using the CLI and the GUI: Task Command / Procedure...
  • Page 129: Configuring Ntp

    Equalizer Administration Guide Configuring NTP Network Time Protocol, or NTP, is a protocol designed to synchronize the clocks of computers over a network. NTP on Equalizer is compatible with servers running versions 1, 2, 3, or 4 of the NTP protocol.
  • Page 130: Selecting An Ntp Server

    Load Balancing & Networking Selecting an NTP Server We recommend that you specify NTP pool servers appropriate for your geographic location. Selecting a pool server means that you are specifying an alias that is assigned by the NTP Pool Project to a list of time servers for a region. Thus, NTP pool servers are specified by geography. The following table shows the naming convention for servers specified by continent: •...
  • Page 131: Managing Ntp

    Equalizer Administration Guide Managing NTP The following table shows you how to perform NTP tasks using the CLI and the GUI: Task Command / Procedure eqcli > ntp-server name The name parameter can be an NTP server name or an NTP pool name.
  • Page 132: Source Routing Tables & Rules

    Load Balancing & Networking Source Routing Tables & Rules "Source Routing Table" on page 133 is a table that identifies how a packet should be sent by the system based on incoming route information. Rules in "IP Filter Rules" on page 134 govern the IP traffic flow into and out of the...
  • Page 133: Source Routing Table

    Equalizer Administration Guide Source Routing Table The sroute table, or Source Routing Table, is an excellent tool for identifying how a packet should be sent by the system. It is an aggregation of routing for all subnets and destination networks that you configure.
  • Page 134: Ip Filter Rules

    Load Balancing & Networking IP Filter Rules The current IP Filter rules are displayed as part of the CLI output when using the show sbr command. An example is shown below. The example is shortened due to its length. show sbr Note - The example below is a truncated version of the command display.
  • Page 135 Equalizer Administration Guide To summarize, rules are processed in numerical order by the packet filter. Pass rules cause packets to be allowed into the system and block rules are ones that explicitly block traffic from entering the system. The last rule is block in all which means that if a pass rule has not yet matched this particular packet, it will be dropped.
  • Page 136 Load Balancing & Networking To disable using the GUI: 1. Log in to the GUI. 2. In the left navigational pane, select System > Global > Parameters 3. Click on Global Parameters to expand the branch and then select Parameters to display the con-...
  • Page 137: Ip Nat Rules

    Equalizer Administration Guide IP NAT Rules Equalizer performs outbound NAT by creating IP NAT rules. These rules are processed when a packet is exiting the system, unlike IP Filter rules, which are processed when a packet is entering the system. When NAT is enabled, the system automatically generates NAT rules to support the specified configuration.
  • Page 138: Network Troubleshooting Tools

    Load Balancing & Networking Network Troubleshooting Tools There are several tools useful for troubleshooting networking configurations on Equalizer. To simplify troubleshooting, Equalizer includes a single eqcli command (show sbr) that displays the output of these tools. There are other ways to view the same information in eqcli, however, the show sbr command displays the actual running state of the system, whereas commands such as show vlan [X] subnet [Y] show the configuration information and not necessarily the running data if there is a problem.
  • Page 139: Working In The Cli

    Equalizer Administration Guide Chapter 11 Working in the CLI Sections in this chapter include: Starting the CLI Logging In to the CLI Over a Serial Connection Logging In to the CLI Over an SSH Connection Exiting the CLI Working in the CLI CLI Contexts and Objects Object Relationships Command Line Editing...
  • Page 140 Working in the CLI Server Pool and Server Instance Commands Server Side Encryption Commands Smart Control Commands SNMP Commands Tunnel Commands User Commands VLAN and Subnet Commands
  • Page 141: Starting The Cli

    Equalizer Administration Guide Starting the CLI The Equalizer Command Line Interface, CLI, gives you complete administrative control over Equalizer and is one of the major new features in EQ/OS 10. The GUI is also available to view and modify the configuration, however, not all administrative options have been enabled in the GUI. The CLI can be used over either a serial connection or an SSH connection.
  • Page 142: Logging In To The Cli Over An Ssh Connection

    Working in the CLI Logging In to the CLI Over an SSH Connection To start the Equalizer CLI over an SSH connection: 1. Ensure that SSH login is enabled for the VLAN and subnet over which you want to establish an SSH connection.
  • Page 143: Exiting The Cli

    Equalizer Administration Guide Exiting the CLI You must exit the CLI from the global context prompt (eqcli >). Enter exit or <ctrl-d> to exit and commit any queued changes. Enter quit to exit and discard all queued changes. If you are in a lower context, repeatedly enter one of the above commands, as appropriate, until you exit the CLI.
  • Page 144: Working In The Cli

    Working in the CLI Working in the CLI The Equalizer command line interface, or CLI, was developed to be an easy to use, intuitive, and flexible command line interface. It was patterned after CLIs used in other common networking equipment, so if you’ve used a CLI on another network device (such as a router), you should quickly feel comfortable using eqcli.
  • Page 145 Equalizer Administration Guide The asterisk (*) in the prompt indicates that there are more than 4 characters in the cluster name. To display the complete object name in any context, use the context command: eqcli cl-myc*> context The current context is: 'mycluster' eqcli cl-myc*>...
  • Page 146: Object Relationships

    Working in the CLI eqcli > server Server2 eqcli sv-Ser*> context The current context is: Server2 eqcli sv-Ser*> Object Relationships Most contexts in the CLI correspond to an Equalizer object -- servers, server instances, server pools, clusters, match rules, responders, CRLs, certificates. The following diagram shows the relationships...
  • Page 147: Command Line Editing

    Equalizer Administration Guide A match rule is processed before cluster settings are processed, and behaves like an if-then statement: if a client request’s content matches the conditional expression set in the match rule, then the options and objects specified in the match rule are used. If the expression in the match rule is not matched by the client request, then the next match rule is processed.
  • Page 148: Entering Names For Equalizer Objects

    Working in the CLI Entering Names for Equalizer Objects Equalizer identifies administrative objects, such as clusters and servers, by name. The characters used in names are limited to standard ASCII letters ("A" through "Z" and "a" through "z"), numbers (0 through 9), and the characters "." (period), "-" (dash) and "_" (underscore), (*) asterisk, (@) "at"...
  • Page 149: Enabling And Disabling Flags

    Equalizer Administration Guide Enabling and Disabling Flags Most objects have a flags keyword that is followed by one or more keywords that enable and disable particular object behavior. A single flag is specified as in this example: eqcli> srvpool sp01 si sv01 flags hot_spare Multiple flags in a command line can be separated using either a comma (,) or a vertical bar (|) between each flag.
  • Page 150: Command Abbreviation And Completion

    Working in the CLI Command Abbreviation and Completion You do not need to type an entire command name in order to execute a command. If you type enough characters to uniquely identify a command and then type a <space> or <tab> character, ...
  • Page 151: Detection Of Invalid Commands And Arguments

    Equalizer Administration Guide Detection of Invalid Commands and Arguments Invalid commands and invalid arguments for specific commands are detected before they are committed and appropriate error messages are displayed. Specifying Multiple Server Instances When specifying server instances on the command line, the user can specify either a single object or a comma separated list of objects.
  • Page 152: Using The No Form Of A Command

    Working in the CLI Using the no Form of a Command Most commands that create objects and set parameters have a no form that you can use to delete an object or reset a parameter to its default value. The general format of the command is: no [keywords] {object|parameter} The no keyword must be followed by a complete object context that specifies the object to delete...
  • Page 153: Queued Commands

    Equalizer Administration Guide Queued Commands CLI commands that specify changes to the current configuration will either be committed to the configuration file as soon as they are entered, or queued to be committed using the commit, exit, or <ctrl-d> commands....
  • Page 154 Working in the CLI commit - Commits all queued commands; does not change the current context. exit <ctrl-d> - Commits all queued commands and changes to the next highest context in the hierarchy (if executed in the global context, either of these commands exits eqcli). Discards all queued commands;...
  • Page 155: Context Help

    Equalizer Administration Guide Context Help You can type <?> in a number of situations to display context help: If you type <?> at the CLI prompt, a list of commands that are valid in the current context is displayed. For example, this command displays help for all global commands as shown in "Global Commands" on page 163:...
  • Page 156: Global Parameters

    Working in the CLI Global Parameters Global or System Parameters include Probes and Networking. Most clusters will work with the default values on these tabs. To view or modify the default global parameter values: 1. Start the Equalizer CLI and log in. 2.
  • Page 157: Show Configuration Command

    Equalizer Administration Guide Show Configuration Command The show configuration command can be used to display all current configuration data from the CLI. Enter the following. The display shown is an abridged version of an actual output: eqcli > show config sequence = 60 locale = "en"...
  • Page 158 Working in the CLI fo_snmp = true fo_envoy = true fo_envoy_agent = true
  • Page 159: Debug Commands

    Equalizer Administration Guide Debug Commands The debug mode can display hidden commands for the following functions and can be accessed using the CLI only. You can access it when booting your appliance by entering CTRL+C when prompted for a username. The following commands are available: Debug Commands debug >...
  • Page 160 Working in the CLI Resetting Your Password You can reset your password to the default by entering the following when your unit is rebooting: 1. Enter CTRL+C when prompted for a username. This will enter the debug mode. 2. Enter the following: debug >...
  • Page 161 Equalizer Administration Guide Using the reset keep-filestore Command This command resets Equalizer configuration to a factory installed condition. All VLANs, subnets, clusters, servers, SSL certificates, and other user-supplied objects and settings will be removed. After the configuration has been reset, the system will be rebooted. This command saves all of the files that are currently in the file store as well as the core files.
  • Page 162: Context Command Summaries

    Working in the CLI Context Command Summaries This section contains a table for each CLI context that summarizes all the commands that can be executed in each context. The following typographical conventions are used when describing command syntax and usage. Regular constant width type is used for the eqcli eqcli>...
  • Page 163: Global Commands

    Equalizer Administration Guide Global Commands The table below lists the global configuration commands that are available in the global context of the CLI. These commands allow you to: Configure, enable, and disable settings such as hostname, NTP, and DNS. Perform system operations, such as upgrading and rebooting. Global Commands eqcli >...
  • Page 164 Working in the CLI Global Commands eqcli > guilogo : Change the GUI logo of the Equalizer. eqcli > halt : Shutdown Equalizer. eqcli > hostname : Set the system hostname. eqcli > icmp_interval : Set the ICMP probe interval for servers (seconds).
  • Page 165 Equalizer Administration Guide Global Commands eqcli > run_script filename : Run an eqcli command script. eqcli > sbr : Display the IPv4 and IPv6 Default Source Selection Table, Source Routing Table, IPv4 and IPv6 Filter Rules, and IP NAT Rules. eqcli >...
  • Page 166: Certificate Commands

    Working in the CLI Certificate Commands Each SSL certificate installed on Equalizer has a CLI context that provides commands for managing the certificate and its associated private key. Certificates, private keys, and CRLs (see the following section) are used by Equalizer to provide SSL offloading for HTTPS clusters. In SSL offloading, Equalizer terminates the SSL connection with the client, decrypts the client request using a certificate and key, sends the request on to the appropriate server, and encrypts the server response before forwarding it on to the client.
  • Page 167 Equalizer Administration Guide Using Certificate Commands in Certificate Context eqcli cert-certname> certfile {edit|url} : Upload SSL certificate eqcli cert-certname> keyfile {edit|url} : Upload private key eqcli cert-certname> show : Display the certificate configuration. The arguments to the certfile and keyfile commands are: edit Launch an editor to supply the content of the certificate or key file.
  • Page 168: Certificate Revocation List Commands

    Working in the CLI Certificate Revocation List Commands This context provides commands for managing Certificate Revocation Lists (or CRLs). CRLs can be used to verify that the certificates used by Equalizer are valid and have not been revoked. A CRL is uploaded to Equalizer using commands in this context, and then associated with one or more clusters in the cluster specific context.
  • Page 169: Cluster And Match Rule Commands

    Equalizer Administration Guide Cluster and Match Rule Commands Each cluster has its own context and the settings available in the cluster's context depend on the cluster's proto parameter -- this parameter must be specified first on the command line when creating a cluster.
  • Page 170 Working in the CLI Using Cluster Commands in a Cluster Specific Context eqcli cl-clname> connto integer : Server connection timeout eqcli cl-clname> custhdr string : Custom request header eqcli cl-clname> domain string : Cookie domain eqcli cl-clname> flags : Disable and enable flags For Layer 7 Http Clusters: {[!]always,[!]compress, [!]disable,[!]allow_utf8...
  • Page 171 Equalizer Administration Guide Using Cluster Commands in a Cluster Specific Context eqcli cl-clname> staleto : Set the stale timeout for a cluster. eqcli cl-clname> stickyto : Set the sticky timeout for a cluster. eqcli cl-clname> stickynetmask : Set the sticky netmask for a cluster.
  • Page 172 Working in the CLI Using Cluster Commands in a Cluster Specific Context For Layer 4 Clusters (proto = tcp or udp): eqcli cl-clname> eqcli cl-clname> flags {[!]dsr,[!]ics!]spoof, [!]disable} eqcli cl-clname> idleto integer : Set the connection idle timeout eqcli cl-clname> no {idleto|stickyto} : Reset specified parameter to default value...
  • Page 173 Equalizer Administration Guide Using Match Rule Commands in a Match Rule Specific Context eqcli cl-clname-ma-maname> domain string : Cookie domain eqcli cl-clname-ma-maname> expression : Match expression string eqcli cl-clname-ma-maname> flags : Enable/disable Flags {[!]abort_server,[!]always, [!]client_ip,[!]compress, [!]ignore_case,[!]no_header_rewrite, [!]once_only,[!]persist, [!]spoof,[!]tcp_mux} eqcli cl-clname-ma-maname> gen integer : Cookie generation (0 to 65535) eqcli cl-clname-ma-maname>...
  • Page 174 Working in the CLI Cluster 'proto' Flag Description spoof Disables Source NAT (SNAT) -- the client IP address is used as the source IP in packets sent to servers. http and https abort_server Close server connections without waiting. always Always insert a cookie into server responses. client_ip Include the client IP address in headers.
  • Page 175 Equalizer Administration Guide Cluster 'proto' Flag Description This flag appears only on systems that are equipped with Hardware SSL Acceleration. When enabled, it specifies that all SSL operations will be performed in software, instead of being performed using the SSL accelerator hardware.
  • Page 176 Working in the CLI Cluster 'proto' Flag Description Control whether Equalizer will process "CRL Distribution Point" extensions in client certificates. This option only affects the processing of the "CRL Distribution Point" extension in client certificates: When Ignore Critical Extensions is disabled, a client certificate presented to Equalizer that includes any extension will be rejected by Equalizer.
  • Page 177: Diagnostic Commands

    Equalizer Administration Guide Diagnostic Commands Using Diagnostic Commands in a Global Context eqcli > diags arp : Display the ARP entries. eqcli > diags context : Displays the current command context. : Display the disk space on the file system. eqcli >...
  • Page 178: External Services Commands

    Working in the CLI External Services Commands Using External Services Commands in the Global Context eqcli > ext_services : Add or modify a mail server in the 'ext_services' context. eqcli > show ext_services : Display the configured external services. External Services Context Commands eqcli xs>...
  • Page 179 Equalizer Administration Guide Using VLB Manager Commands in VLB Manager Context eqcli xs-vlb-vlbmgrname > flags {[!]disable} eqcli xs-vlb-vlbmgrname > password : Set the password for authenticating a user. eqcli xs-vlb-vlbmgrname > timeout : Set number of elapsed seconds for connection timeout. eqcli xs-vlb-vlbmgrname >...
  • Page 180: Failover Commands

    Working in the CLI Failover Commands The table below lists the failover global configuration commands that are available in the global context of the CLI. Global Commands eqcli > commit : Commit all pending alert configuration changes. eqcli > context : Display the current command context.
  • Page 181: Firewall Commands

    Equalizer Administration Guide Firewall Commands When you create a subnet, IP Filter (firewall) rules are automatically generated. The firewall commands can disable these rules, which may be useful for troubleshooting or diagnostic purposes. Disabling the firewall turns off all system packet filtering. Any subnet permit/deny rules are ignored and all traffic will be routed between subnets.
  • Page 182: Geocluster And Geosite Instance Commands

    Working in the CLI GeoCluster and GeoSite Instance Commands Envoy provides cluster load balancing between Equalizers running at two or more geographically distributed locations -- called GeoSites. Each GeoSite is configured with a cluster that is capable of responding to requests for the same content. A GeoCluster is a collection of GeoSites that act together to determine the “best”...
  • Page 183 Equalizer Administration Guide GeoCluster Context Commands eqcli gcl-gclname> ttl integer : DNS cache lifetime for Envoy responses Using Geosite Instance Commands in the Global Context eqcli > geocluster gclname gsi gsiname req_cmds : Create a geosite instance eqcli > geocluster gclname gsi gsiname cmds : Modify a geosite instance eqcli >...
  • Page 184 Working in the CLI Geosite Instance Flags A flag may be turned off by prefixing with "!". When enabled, designates this GeoSite instance as the default GeoSite instance for the GeoCluster. Envoy load balances to the default GeoSite instance whenever it cannot choose a GeoSite instance based on probe responses.
  • Page 185: Geosite And Geosite Resource Commands

    Equalizer Administration Guide GeoSite and GeoSite Resource Commands A GeoSite definition points to running Envoy and a cluster defined on that a GeoCluster defined on the Equalizer. GeoSites are associated with GeoClusters by using the GeoSite name when creating a GeoSite Instance. See on page 182.
  • Page 186 Working in the CLI GeoSite Commands in the GeoSite Context eqcli gs-gsname> show : Display the GeoSite configuration, list all resources, or display details for the specified resource. eqcli gs-gsname> type : Set the type for this geosite. [remote] GeoSite agent is located on a remote machine.
  • Page 187: Ip Reputation Commands

    Equalizer Administration Guide IP Reputation Commands Note - IP Reputation is not supported on GX platforms. This includes Equalizer E250GX, E350GX, E450GX, and E650GX. Using IP Reputation Commands in Global Context eqcli > reputation block category|IP list : Set a category or list of IPs to block.
  • Page 188: Interface Commands

    Working in the CLI Interface Commands The interface context commands let you configure and manage Equalizer’s front panel interface ports. There is a separate context corresponding to each front panel port. Ports are created automatically by the system and cannot be deleted. To view a summary of the current port configuration and status, enter: eqcli >...
  • Page 189: Interface Command Notes

    Equalizer Administration Guide Interface Command Notes Port Statistics The following statistics can be displayed for a selected port using the stats command. Select a port on the Equalizer display to display statistics for the port. The tables below show typical port statistics displays for both switched and non-switched systems.
  • Page 190 Working in the CLI Transmit Counters Packets: The total number of transmitted packets on this interface. bytes: The total number of bytes transmitted on this interface. multicasts: The total number of good broadcast/multicast (e.g., ARP) packets transmitted by this interface. errors: The total number of bad packets transmitted by this interface.
  • Page 191: Link Aggregation Commands

    Equalizer Administration Guide Link Aggregation Commands Link aggregation is a means by which multiple physical interfaces are combined into a single logical (aggregated) interface, providing increased bandwidth and failover. The following are CLI commands. Using Link Aggregation Commands in Global Context eqcli >...
  • Page 192: Link Load Balancing Commands

    Working in the CLI Link Load Balancing Commands Using LLB Commands in the Global Context Using Link Load Balancing Commands in the Global Context eqcli > illb-grp illb-grp name : Change to the illb group name context. eqcli > illb-grp illb-grp commands : Modify the illb group eqcli >...
  • Page 193 Equalizer Administration Guide LLB Specific Context Commands eqcli > ollb-grp-ollbgrpname > flags : Set ollb group flags. {enable|disable} eqcli > ollb-grp-ollbgrpname > gwips : Set the ollb group gateway(s). This is a comma-delimited list of LLB gateway IPs. eqcli > ollb-grp-ollbgrpname > no : Reset an ollb group parameter to its default value.
  • Page 194: Object List Commands

    Working in the CLI Object List Commands Object lists make it easier to manage user permissions by allowing an administrator to assign user permissions via a list of objects. An entry in an object list is an “object type” and “object name” pair. Once an object list is created, object list names are used as arguments to user context commands (see "User Commands" on page ...
  • Page 195: Peer Commands

    Equalizer Administration Guide Peer Commands Peer context commands are used to manage the configuration of failover peers, including the failover peer configuration for this Equalizer, which is created when the system is booted for the first time. The default peer name for the Equalizer you are logged into is of the form: eq_sysid The sysid above is Equalizer’s “...
  • Page 196 Working in the CLI Subnet : sn192 State : Configure Substate : Object Unchanged eqcli > Using Peer Commands in the Global Context eqcli > peer peername [cmds] : Create peer (see below for cmds) eqcli > peer peername cmds : Modify peer (see below for cmds) eqcli >...
  • Page 197 Equalizer Administration Guide Peer Context Command Flags A flag may be turned off by prefixing with "!". failover: Adds peer to failover group. fo_config_xfer: Enable config transfer between peers. Defines peer as OS8 peer. Preferred_primary: Sets peer as preferred primary. active-active: Enable active/active failover mode. See page 532 for a complete failover setup procedure.
  • Page 198: Remote Management Commands

    Working in the CLI Remote Management Commands Remote Management commands are used to specify cipher suites, certificates, and the allowable protocols to use for connection with HTTPS clusters. Refer to "Replacing the Default Certificate, Key, and Cipherspec" on page 61 for additional information and descriptions on using these commands.
  • Page 199: Responder Commands

    Equalizer Administration Guide Responder Commands Note - Responders are not supported on E250GX model Equalizers. Responders are global objects in the sense that a single responder can be assigned to multiple clusters. They are used when no servers in the associated server pool are available: a responder can be added in the cluster context, in which case it is used when no servers in the server pool defined for the cluster are available.
  • Page 200: Regular Expressions In Redirect Responders

    Working in the CLI the request URL in the HTTP Redirect response (using an optional regular expression). sorry A customized HTML “sorry page” that can, for example, ask the client to retry later or go to another URL For example, the following command creates a responder named , and downloads the sorry...
  • Page 201: Server Commands

    Equalizer Administration Guide Server Commands In the server context, you define a real server using a minimal set of parameters (IP address, port, protocol, etc.). Once defined, a real server can then be associated with one or more server pools, which in turn are associated with one or more Layer 4 clusters or Layer 7 match rules. Using Server Commands in the Global Context eqcli >...
  • Page 202: Server Pool And Server Instance Commands

    Working in the CLI Server Pool and Server Instance Commands A server is attached to a cluster via a server pool. A server pool is a collection of server definitions, each of which has additional parameters assigned to it in the server pool -- these additional parameters are organized by the server’s name and are referred to as server instances within the server pool context.
  • Page 203 Equalizer Administration Guide Using Server Pool Commands in a Server Pool Specific Context eqcli sp-spname> probe_maxtries integer : Maximum number of server probes in one interval. eqcli sp-spname> *respv integer : LB policy responsiveness: 1 = slowest,5 = fastest. Default = eqcli sp-spname>...
  • Page 204 Working in the CLI Using Health Check Commands in a Server Pool Specific Context eqcli sp-spname-hc-hcname> probe_interval probe interval : Set the interval between health check probes (in seconds). eqcli sp-spname-hc-hcname> probe_maxtries max attempts per interval : Set the maximum number of tries per interval before marking a server 'down'.
  • Page 205 Equalizer Administration Guide Using Server Instance Commands in a Server Instance Specific Context eqcli sp-spname-si-siname> *weight integer : Set the server instance weight to Copyright © 2014 Coyote Point Systems, A Subsidiary of Fortinet, Inc. All Rights Reserved.
  • Page 206 Working in the CLI Server Instance Flags A flag may be turned off by prefixing with "!". Enable the hot spare check box if you plan to use this server as a backup server, in case the other server instances in a server pool on the cluster fail. Enabling hot spare forces Equalizer to direct incoming connections to this server only if all the other servers in the cluster are down.
  • Page 207 Equalizer Administration Guide You can also change to an aggregate context that applies to multiple server instances, which allows you to display and modify the parameters for all of those server instances. For example, you could change to an aggregate context for the three server instances in the previous example using a command like the following: eqcli >...
  • Page 208 Working in the CLI Load Balancing Policy Description adaptive load balancing distributes the load according to the following performance indicators for each server. Server response time is the length of time for the server to begin sending reply packets after Equalizer sends a request.
  • Page 209 Equalizer Administration Guide Equalizer’s Load Balancing Response Settings The responsiveness setting controls how aggressively Equalizer adjusts the servers’ dynamic weights. Equalizer provides five response settings: Slowest, Slow, Medium, Fast, and Fastest. The response setting affects the dynamic weight spread, weight spread coefficient, and optimization threshold that Equalizer uses when it performs adaptive load balancing: Dynamic Weight Spread indicates how far a server’s dynamic weight can vary (or spread) from its initial weight.
  • Page 210: Server Side Encryption Commands

    Working in the CLI Server Side Encryption Commands Using Server Side Encryption Commands in Global Context eqcli > show sse : Display the sse configuration. eqcli > sse cipherspec cipherstring : Set the sse cipherspec eqcli > no sse : Reset one or more sse parameters. eqcli > sse flags : Set the sse flags {[!]allow_tls10,...
  • Page 211: Smart Control Commands

    Equalizer Administration Guide Smart Control Commands The smart_control context commands let you configure and manage Smart Controls. To view a summary of the currently configured Smart Controls: eqcli > show smart_control smart_control_name The names of all of the currently configured Smart Controls will be displayed. Using Smart Control Commands in the Global Context eqcli >...
  • Page 212 Working in the CLI Smart Control Context Commands eqcli sc-scname > schedule string : Set the Smart Control schedule. The string is in the standard cron format, but with an additional first column -- second: second 0-59, minute 0-59, hour 0-23, day of month 1-31, month 1-12 (or names, see below)
  • Page 213: Snmp Commands

    Equalizer Administration Guide SNMP Commands The parameters in the SNMP context specify return values for the following Object IDs (OIDs) in the Equalizer SNMP Management Information Base (MIB): Parameter / Description / Default Value community: Any SNMP management console needs to send the correct community string to Equalizer along with all SNMP requests.
  • Page 214 Working in the CLI SNMP Context Commands eqcli snmp> show : Display SNMP parameter configuration Downloading Equalizer MIB Files The MIB files can be downloaded from Equalizer using a browser pointed at: http://<Equalizer>/eqmanual/<mibname>.my
  • Page 215: Tunnel Commands

    Equalizer Administration Guide Tunnel Commands Use tunnel context commands to configure Equalizer to access the IPv6 Internet via an IPv6 “6in4” tunnel. Note that you must first request a tunnel configuration from a tunnel broker before setting up the tunnel endpoint on Equalizer. See "IPv6 Tunnel Overview" on page 309 for more...
  • Page 216: User Commands

    Working in the CLI User Commands Using "User" Commands in the Global Context eqcli > user uname [cmds] : Create user uname (see below for cmds) eqcli > user uname cmds : Modify user uname (see below for cmds) eqcli > no user uname : Delete user uname eqcli >...
  • Page 217 Equalizer Administration Guide User-Alert Context Commands eqcli > user-uname-alertname > from email-address : Set the from email address. eqcli > user-uname-alertname > no smart_control : Delete the specified smart control name(s) eqcli > user-uname-alertname > notify_type notify flags : Set the alert notify flags. Required.
  • Page 218 Working in the CLI User-Alert Context Commands eqcli > user-uname-alertname > object_type object-type : Set the object type. Required. Object type can be server, cluster, match, srvpool, si, resp, peer, vlan, subnet, geocluster, geosite, gsi, interface, user, certificate, crl, route, tunel, license, health_check, hci, vlb_manager, resource, ri, external_ser-...
  • Page 219: User Flags

    Equalizer Administration Guide User Flags User flags are used to override permissions checks, as follows: All permissions checks are overridden for the user (including read_global and write_global). The user has complete administrative control over the system. Only users with the admin flag can: read write delete...
  • Page 220: User Passwords

    Working in the CLI User Passwords The password command allows a logged in user to change the password for their user name. A user name with the admin flag can modify the password for any user name. The password itself is not permitted on the command line, and is not displayed by a user context show command (or any eqcli command).
  • Page 221 Equalizer Administration Guide For example, the following command executed in the global context assigns read and write permission to the server sv00 for the existing login user1: eqcli > user user1 permit_object read,write server sv00 Using permit_objlist to Assign User Permissions on a Group of Objects The user context permit_objlist command has the following syntax for assigning read, write, and delete permissions: permit_objlist perm type objlist_name...
  • Page 222: User Permissions Assigned On Object Creation

    Working in the CLI Using permit_objlist to Allow a User to Create Objects The user context permit_objlist command has the following syntax for assigning the create permission to a user: permit_objlist create type {default | objlist_name} This form of the permit_objlist command allows the user to create objects of the specified type.
  • Page 223: Vlan And Subnet Commands

    Equalizer Administration Guide VLAN and Subnet Commands Using VLAN Commands in the Global Context eqcli > vlan vlname req_cmds : Create vlname (req_cmds = * commands below) eqcli > vlan vlname cmds : Modify vlname (cmds = any commands below) eqcli >...
  • Page 224 Working in the CLI Subnet Specific Context Commands eqcli vl-vlname-sn-subname> flags : Set subnet flags {[!]heartbeat} eqcli vl-vlname-sn-subname> force : Force the subnet modification, ignoring any conflicts. eqcli vl-vlname-sn-subname> from ip_addr : Set NAT from IP (with or without CIDR notation). eqcli vl-vlname-sn-subname>...
  • Page 225 Equalizer Administration Guide Flag Description heartbeat: Allows the failover peers to probe one another over the subnet. At least one subnet must have a Heartbeat flag enabled. VLAN Subnet Services Services may be turned off by prefixing with "!". Service Description When enabled, the Equalizer will listen for HTTP connections on Equalizer’s IP...
  • Page 226: Vlan And Subnet Command Notes

    Working in the CLI VLAN and Subnet Command Notes The vlan context defines Equalizer’s network connectivity. Each VLAN definition defines the front panel ports that are configured for the VLAN, the VLAN ID (VID), and the subnets that belong to the VLAN. VLAN Subnets A single VLAN can have more than one subnet assigned to it.
  • Page 227 Equalizer Administration Guide Routing Between Specific VLAN Subnets In most cases, there is a one-to-one relationship between VLANs and subnets -- i.e., a VLAN in most configurations is associated with one subnet. There are, however, situations in which an administrator will associate more than one subnet with a VLAN. If multiple subnets are defined within a VLAN, you can optionally specify a subnet as an additional argument to the permit command, as in this example:...
  • Page 229: Using The Gui

    Equalizer Administration Guide Chapter 10 Using the GUI Sections in this chapter include: Logging In Navigating Through the Interface Entering Names for Load Balancing Objects Using the WebHelp
  • Page 230: Logging In

    Using the GUI Logging In The Equalizer Administrative Interface, the “GUI”, is a browser based interface. In general, the GUI should function properly using any browser that is enabled for JavaScript (required). 1. Using your browser, type one of the following into the browser’s address bar: http://<Equalizer_IP_address>...
  • Page 231: Navigating Through The Interface

    Equalizer Administration Guide Navigating Through the Interface The browser-based Administrative Interface (GUI), capable of operating with all commonly used web browsers, can be used to configure most of Equalizer’s load balancing and networking operations. If an operation can only be modified using the command line interface (CLI), this will be noted in the context of the procedures.
  • Page 232 Using the GUI Clicking on the arrow ( ) next to expands the branch and displays the Failover Peer > Summary screen on the right pane which displays failover status as well as a tab that displays VLAN subnet heartbeating status. Clicking each peer in the expanded branch will display each Peer’s configuration display on the right pane.
  • Page 233 Equalizer Administration Guide Clicking on the Link Load Balance configuration tab provides access to the Outbound and Inbound Link Load Balancing configuration screens on the right pane. Clicking on the arrow ( ) beside Outbound expands the branch to display Outbound Gateways Groups...
  • Page 234 Using the GUI Clicking Remote Syslog displays the Remote Syslog screen on the right pane. It allows you to specify a remote Syslog Server and to enable the logging of events for this remote host. Reporting Clicking on the arrow ( ) beside Reporting expands the branch to access...
  • Page 235: Entering Names For Load Balancing Objects

    Equalizer Administration Guide Entering Names for Load Balancing Objects Equalizer identifies administrative objects, such as clusters and servers, by name. For example, object names and icons are displayed in a hierarchy in the GUI’s left frame, as described earlier in this chapter.
  • Page 236: Using The Webhelp

    Using the GUI Using the WebHelp Installed on your Equalizer is an html-based WebHelp system that is fully functional in all web browsers. It provides descriptions of how to manage EQ/OS 10 through the Command Line Interface (CLI) and the Graphical User Interface (GUI). The PDF file of the Equalizer Administration Guide is still available for download from the EQ OS 10 Support Page.
  • Page 237 Equalizer Administration Guide Glossary Select the Glossary configuration tab to access a glossary of load balancing and Equalizer-specific terminology. Click on each term to display a definition. Search All Topics Click on the Search All Topics configuration tab to open a Search pane. Enter a term in the field at the top of the pane and click on the search button.
  • Page 239: System Settings

    Equalizer Administration Guide Chapter 11 System Settings Sections in this chapter include: Global Settings Dashboard Certificates Certificate Revocation Lists IP Reputation Parameters Server Side Encryption Smart Control SNMP External Services SMTP Relay VLB Manager Maintenance Setting Date and Time Backup and Restore Manage Software Tools Network Configuration...
  • Page 240: Global Settings

    System Settings Global Settings The Global grouping of parameters is available within the System configuration tab. After logging into the GUI, click on the System configuration tab, which should be open by default. Then click on the arrow (►) beside Global to expand the branch. The parameters that can be viewed/added/modified on this branch include: 1.
  • Page 241: Dashboard

    Equalizer Administration Guide Dashboard The Dashboard is the initial screen displayed after logging in to the GUI. If it is not displayed, you can also access it by clicking on the System configuration tab on the right navigational pane and then the arrow ( ) beside the branch to expand it.
  • Page 242 System Settings Most CLI functions can be performed at this console. Note: At this time, the following commands are not available with this Dashboard widget: show boot boot boot options hidden reset config hidden reset keep-license hidden show config hidden shell hidden shell admin hidden eqcollect url url [name name]...
  • Page 243: Certificates

    Equalizer Administration Guide Certificates Each SSL certificate installed on Equalizer includes a certificate and its associated private key. In SSL offloading, Equalizer terminates the SSL connection with the client, decrypts the client request using a certificate and key, sends the request on to the appropriate server, and encrypts the server response before forwarding it on to the client.
  • Page 244 System Settings 2. Click on Add Certificate to display the Add Certificate dialogue form as shown below. 3. Click on Choose File to select a locally stored Certificate File. Repeat the same for adding a locally stored Key File. 4. Click on Commit to save the uploaded Certificate File and Key File. To install an SSL Certificate using the CLI: Refer to page 166 for Certificate commands.
  • Page 245: Certificate Revocation Lists

    Equalizer Administration Guide Certificate Revocation Lists The Certificate Revocation List (CRL) can be used to verify that the certificates in use are valid and have not been compromised. A CRL is uploaded to Equalizer and then associated with one or more clusters in the cluster specific context. Whenever a certificate is used to authenticate a connection to the cluster, the CRL is checked to make sure the certificate being used has not been revoked.
  • Page 246 System Settings 2. Click on Add CRL to display the Add CRL dialogue screen as shown below. 3. Click on Choose File to select a *.crl file to upload to Equalizer. Select a file to upload, enter a name, and then click on Commit.
  • Page 247: Ip Reputation

    Equalizer Administration Guide IP Reputation Note - IP Reputation is not supported on Equalizer E250GX, E350GX, E450GX, or E650GX. Security threats arise from a variety of sources on the internet: botnets, spammers, phishers, etc., are all common threats that you want to keep off your network. Manually identifying suspect client IP addresses from which these threats originate is a complex task that many organizations do not have the resources to tackle.
  • Page 248 System Settings Enabling and Disabling Note - IP Reputation commands are not available if using Equalizer E250GX, E350GX, E450GX, or E650GX. The IP Reputation Enable/Disable flag allows you to: 1. Fetch the IRDB from Forticare and use it. 2. Configure blacklists and whitelists. By default, IP Reputation functionality is enabled.
  • Page 249 Equalizer Administration Guide Downloading the IRDB Database The IP Reputation functionality is dependent upon the IP Reputation Database (IRDB), created and managed by Fortinet. The IRDB contains IP addresses and network ID ranges (grouped into the categories described above) that pose a threat to your network. After you register your appliance with Fortinet support, you can download the database from the support site (assuming that your support contract includes IRDB access).
  • Page 250 System Settings There are two methods of uploading an updated IRDB to your appliance. The first method is a direct download of a current IRDB from Fortinet and "fetching" it using the CLI command line. This method requires direct, real-time connectivity between your appliance and Fortinet support servers.
  • Page 251 Equalizer Administration Guide Downloading a .pkg file and uploading the IRDB database Using this method requires you to download a .pkg file from Fortinet Support. The .pkg file you download contains the current IRDB. You will need to upload the downloaded file to an FTP site from which Equalizer can access it.
  • Page 252 System Settings Using the GUI: 1. Download the .pkg file as described above. 2. On the left navigational pane, select System > Global > IP Reputation to display the following. 3. Select the Local File radio button and click on Choose File. 4.
  • Page 253 Equalizer Administration Guide Using a Smart Control for Regularly Scheduled IRDB Downloads You can configure a Smart Control to automatically download the IRDB at a regularly scheduled time. To configure a Smart Control to download the IRDB database using the CLI: 1.
  • Page 254 System Settings 5. The Smart Control should be run at a regular interval. This is entered in seconds. In the example below, it is configured to run every 6 hours (21600 seconds). A 6 hour interval is recommended; however, you can create an interval that best fits your needs. Enter the following.
  • Page 255 Equalizer Administration Guide Whitelisting & Blacklisting Equalizers Configured in Failover Whitelists and blacklists are synched across all the peers in a failover configuration. Blacklisting Categories The following are the categories of potential malicious attackers: Botnet - "botnet" is a merged word, derived from "robot" and "network". Sometimes called a "zombie army", it represents a number of computers on the web that, although their owners are unaware of it, have been set up to forward transmissions such as spam or viruses to...
  • Page 256 System Settings If, for example, you blacklist the botnet category, the following will be displayed when you verify: eqcli > show reputation category Name Blocked Direction Botnet inbound Anonymous_Proxy none Phishing none Spam none Others none eqcli > Removing Categories from the Blacklist The following format is used to remove previously configured categories from blacklists.
  • Page 257 Equalizer Administration Guide Modifying the Database Besides enabling and disabling IP Reputation processing as a whole (see above), you can also enable and disable IP reputation for specific IP addresses. This is typically called “blacklisting” and “whitelisting”: Blacklisting: specifying a list of IP addresses not contained in the IRDB that will be blocked. Whitelisting: specifying a list of IP addresses contained in the IRDB that will never be blocked.
  • Page 258 System Settings This would encompass the 1024 addresses from 192.168.100.0 to 192.168.103.255. To verify the addresses that are blocked enter: eqcli > show reputation blacklist Blocked IP Name Start IP Address End IP Address Blocked Direction 192.168.100.0 192.168.100.0 192.168.103.255 inbound eqcli >...
  • Page 259 Equalizer Administration Guide Removing IP Addresses from the Blacklist The following format is used to remove previously configured IP addresses or categories from blacklists. eqcli > no reputation {CIDR List|IP address} To blacklist IP addresses using the GUI: 1. On the left navigational pane, select System >...
  • Page 260 System Settings Whitelisting Client IP Addresses As described above, a whitelist is a list of IP addresses or categories that will be allowed to pass, regardless of whether they are identified as potentially malicious in the IRDB database. The command format used to "pass" addresses is similar to the format used to "block" addresses (explained above).
  • Page 261 Equalizer Administration Guide This would encompass the 1024 addresses from 192.168.100.0 to 192.168.103.255. To verify the addresses that are whitelisted enter: eqcli > show reputation whitelist Allowed IP Name Start IP Address End IP Address Allowed Direction 192.168.100.0 192.168.100.0 192.168.103.255 inbound eqcli >...
  • Page 262 System Settings Displaying the Database IPs for Each Category You can display the IP addresses that have been identified as potentially malicious in the IRDB for each category. Using the CLI To view the IP addresses in categories using the CLI, enter: eqcli >...
  • Page 263 Equalizer Administration Guide Using the GUI To view the IP addresses in categories using the GUI, enter the Global > IP Reputation > Modify screen and click on the Display IP Reputation Database button. A display similar to the one below will be displayed.
  • Page 264: Parameters

    System Settings Parameters On the left navigational pane, select System > Global > Parameters to display the Global Parameters screen in the right frame. The following Global Parameters are configured on this screen (tab). Click on Commit to save your parameters or Reset to return to the default values.
  • Page 265 Equalizer Administration Guide ICMP Health Checks section: ICMP Relaxed Probe (flag) - Globally enable/disable ICMP relaxed probing. When enabled, if a server probes "down" but has not previously probed "up", it will be marked "up". Setting this flag prevents the sudden reporting of servers as being "down"...
  • Page 266: Server Side Encryption

    System Settings Server Side Encryption Server Side Encryption (SSE) provides the ability to configure a cluster, server, or match rule so that traffic between the Equalizer and servers is encrypted using SSL/TLS. Refer to "Server Side Encryption" on page 358 for a description of configuring SSE using the GUI and...
  • Page 267: Smart Control

    Equalizer Administration Guide Smart Control The Smart Control feature allows you to define a common administrative function, or Smart Event, that executes the function based on pre-set threshold values for system parameters and statistics. It is a method for administrators to configure the system to automatically perform functions that may depend on threshold values or timing.
  • Page 268: Snmp

    System Settings SNMP The Simple Network Management Protocol (SNMP) is an internet standard that allows a management station to monitor the status of a device over the network. SNMP organizes information about the Equalizer and provides a standard way to help gather that information. Using SNMP requires: An SNMP agent running on the system to be monitored.
  • Page 269 Equalizer Administration Guide Dynamic configuration information, such as:
    Failover Status (Primary or Secondary)
    NAT enabled
    L4 configuration state
    L7 configuration state
    Server health check status
    Email status notification
    Cluster parameters (timeouts, buffers)
    Server parameters
    Equalizer status
    L4 Statistics
    L7 Statistics
    Equalizer cluster: L4 or L7 protocol of cluster, load balancing policy for cluster, IP address and port (or range)
  • Page 270: Mib Compliance

    System Settings System Contact - Contact is the name of the person responsible for this unit. System Location - Location describes Equalizer's physical location. System Description - this is the user-assigned description of Equalizer. Click on Commit to save your changes. SNMP Parameters using the CLI: Refer to page 213 for details.
  • Page 271: Mib Files

    Equalizer Administration Guide MIB Files All MIBs referenced by the supported MIBs are included on Equalizer. The MIB filenames comprise the MIB name plus the filename extension ".my":
    CPS-EQUALIZER-v10-MIB.my
    CPS-REGISTRATIONS-v10-MIB.my
    HOST-RESOURCES-MIB.my
    HOST-RESOURCES-TYPES.my
    IANAifType-MIB.my
    IF-MIB.my
    INET-ADDRESS-MIB.my
    IP-MIB.my
    RFC1155-SMI.my
    RFC1213-MIB.my
    SNMPv2-CONF.my
    SNMPv2-MIB.my
    SNMPv2-SMI.my
    SNMPv2-TC.my
    TCP-MIB.my...
  • Page 272: External Services

    System Settings External Services SMTP Relay SMTP Relays are commonly used when you want to configure email alerts. With email alerts, you will be adding email addresses to the alert. Refer to "Configuring an SMTP Relay" on page 716 for additional information. Copyright ©...
  • Page 273: Vlb Manager

    Equalizer Administration Guide VLB Manager In order to obtain VMware virtual machine information, Equalizer needs access information for the vCenter console (or ESX server) managing the virtual machines. To enable communication between Equalizer and a vCenter console, the External Services > VLB Manager configuration screen is used to set up the saved login credentials that Equalizer uses to communicate with VMware. Because these credentials are stored on the appliance, use a dedicated vCenter account granted only the privileges VLB Manager needs. VLB Manager using the GUI:...
  • Page 274 System Settings The Connect Timeout slider is used to set the allowable time to make a connection. If a connection to VMware is NOT made within the configured time, a "failure" message will be displayed. The default is 1 second. Clicking on the button will attempt to log in to the displayed virtual machine using the...
  • Page 275: Maintenance

    Equalizer Administration Guide Maintenance The Maintenance screen (tab) allows you to access the sections in the related topics. Setting Date and Time Setting Date and Time using the GUI: The System time setting screen is used to manually enter the current system date and time. This is accessed by selecting Equalizer on the left navigational pane, selecting the Maintenance (tab) and then selecting Date &...
  • Page 276: Backup And Restore

    System Settings Backup and Restore The Backup feature allows you to back up an Equalizer's user-configured objects and parameters to a file that can be uploaded and later restored to another Equalizer. Backup files may be uploaded to an FTP site or saved locally. The Restore feature allows you to restore a previous backup file containing user-configured objects and parameters to another Equalizer.
  • Page 277: Backup

    Equalizer Administration Guide Backup The Backup feature allows you to back up an Equalizer’s user-configured objects and parameters to a file that can be uploaded and later restored to another Equalizer. Backup files may be uploaded to an FTP site or saved locally. Backup features are available through the GUI and through eqcli.
  • Page 278 System Settings 4. In the Destination section, select either FTP URL to upload to an FTP site or Local File to save the file locally. a. For FTP URL, you must type the full FTP URL path to the backup file, leaving off the file name.
  • Page 279: Restore

    Equalizer Administration Guide Restore The Restore feature allows you to restore a previous backup file containing user-configured objects and parameters to another Equalizer. Restored files may be uploaded to an Equalizer through FTP or from a locally saved backup file. On boot, Equalizer looks for a unique local peer definition in the configuration file by comparing the System ID found in each peer definition to all available licenses: If a unique local peer definition is found, the System ID found in the local peer definition is...
  • Page 280 System Settings Restore (GUI) To restore a backup file containing all user-configured objects and parameters through the GUI: 1. Log in to the GUI as described in "Logging In" on page 230. 2. Click on the Maintenance tab and then select Backup and Restore. The following will be displayed.
  • Page 281 Equalizer Administration Guide Restore (CLI) The previously archived backup is uploaded from a URL that specifies an FTP site that can be reached by Equalizer. To restore a previously backed up file from a specified URL (location) enter the following: eqcli >...
  • Page 282: Manage Software

    System Settings Manage Software You can upgrade your version of the operating system using the Manage Software screen in the GUI. 1. Click on the System configuration tab. 2. Click on the arrow beside Maintenance to expand the branch. 3.
  • Page 283: Tools

    Equalizer Administration Guide Tools The Tools screen provides useful utilities that include: Configuration Converter, which allows you to create an EQ/OS 10 configuration that is functionally equivalent to the EQ/OS 8.6 configuration from a supplied backup archive. Halt/Shutdown command, which allows you to turn your Equalizer "off" directly from the GUI. Reboot command, which allows you to reboot your Equalizer directly from the GUI.
  • Page 284 System Settings Reboot System Click on the Reboot System configuration tab to display the following. Click on the Reboot button to reboot your Equalizer. Save System State Click on the Save System State configuration tab to display the following. In this screen you can set up a Save State or system information archive that contains various configuration files, logs, and other information used by Support to help diagnose problems you are having with Equalizer.
  • Page 285 Equalizer Administration Guide 3. Select either the Local or FTP URL option in the Destination pane. a. If you select Local, the archive will be saved in the default "save" directory specified in your web browser options. b. If you select FTP URL, enter the URL of the FTP site to which you will upload the archive file. The URL should be in the format: ftp://[user[:password]@]server/[path/]. Note that FTP sends the user name, the password and the archive itself unencrypted, and the archive contains configuration files and logs, so only upload to an FTP server reached over a trusted network.
  • Page 286: Network Configuration

    System Settings Network Configuration Clicking on the System configuration tab in the GUI and then the arrow beside Network expands the branch to provide access to the Interface configuration screen, the Link Aggregation configuration screen, the VLAN configuration screen and the IPv6 configuration screen.
  • Page 287 Equalizer Administration Guide Note - The following 10Gb SFPs (Small Form-factor Pluggable modules) are supported (Equalizer E670LX and E970LX only):
    10GBase-LR - single-mode fiber
    10GBase-SR - 850nm multi-mode
    10GBase-CX4 - copper
    10GBase Twinax - copper
    10GBase Twinax Long - copper
    10GBase-LRM - 850nm multi-mode
    10GBase-T - RJ45
    If you would like to display statistics using the CLI, enter the following: eqcli >...
  • Page 288: Interfaces (E350Gx, E450Gx, E650Gx Only)

    System Settings Total number of dropped frames on ingress path - The total number of packets that were dropped by the receiving port (e.g., lack of receive buffer, congestion, invalid classification such as a tagged frame received on an untagged port). Total received octets - The total number of bytes (8 bits) received by this port.
  • Page 289 Equalizer Administration Guide Autonegotiation Mode - One of the following: full - Full autonegotiation at all supported speed and duplex settings. select - Autonegotiation at the current speed and duplex parameter settings only. force - Set the port to the current speed and duplex parameter settings with no autonegotiation.
  • Page 290 System Settings Total transmitted octets - The total number of bytes (8 bits) transmitted by this port. Receive Counters: Number of good and bad packets - The total number of packets received, good or bad, by this port. Number of good broadcasts and multicasts - The total number of good broadcast/multicast (e.g., ARP) packets received on this port.
  • Page 291: Link Aggregation

    Equalizer Administration Guide Link Aggregation Note -Link Aggregation is supported on the LX series, all virtual platforms, and on legacy E250GX systems only. Link aggregation combines multiple physical interfaces into a single aggregated (or, logical) interface, providing increased bandwidth as well as link redundancy. Traffic is distributed evenly over the physical links of the aggregation group;...
  • Page 292 System Settings Configuring Link Aggregation using the CLI To create a link aggregation group and assign it to a VLAN using the CLI, do the following: 1. Create an aggregation group as follows. eqcli > agr agr00 2. Specify the physical interfaces to be added to the aggregation group: eqcli >...
  • Page 293 Equalizer Administration Guide MTU : 1500 Subnets : sn02 Interfaces : agr00 Removing an Aggregated Interface from a VLAN using the CLI: To remove an aggregated interface from the VLAN used in the previous example above, enter the following command: eqcli > no vlan vl00 ifi agrname Removing an Aggregated Interface from the System using the CLI: To delete an aggregated interface from the system, you should first remove it from all VLANs that...
  • Page 294 System Settings 5. Enter a name in the Aggregated Interface Name field and select the radio button on each port to be included in the aggregated interface. Note - The Link Aggregation Control Protocol (LACP) flag is enabled by default. 6.
  • Page 295 Equalizer Administration Guide To remove an aggregated interface from a VLAN: 1. Select a VLAN from the left navigational pane to display the VLAN Configuration screen. 2. Select the unassigned radio button from the Aggregated Interfaces pane at the bottom of the screen.
  • Page 296 System Settings Removing an Aggregated Interface from the system using the GUI: 1. Click on the System configuration tab on the left pane of the GUI if it is not already selected. 2. Click on the arrow beside Network to expand the branch.
  • Page 297: Configuring Vlans

    Equalizer Administration Guide Configuring VLANs The following table shows you how to perform VLAN tasks using the CLI and the GUI. It should be noted that on switchless systems only one port can be assigned to a VLAN. On Equalizers with a front-panel switch (E350GX, E450GX, E650GX), multiple ports can be assigned to a VLAN.
  • Page 298 System Settings VLAN Port Assignment Using the GUI The VLAN Port Assignment Configuration Screen is used to assign ports, specify whether a VLAN is tagged or untagged and specify the MTU. It is accessed by clicking on a VLAN on the left navigational pane of the GUI.
  • Page 299 Equalizer Administration Guide MTU can be specified for tagged and untagged VLANs on all switched systems (E350GX, E450GX, E650GX) and for tagged VLANs on non-switched systems (E250GX, LX Series, Equalizer OnDemand). The MTU is set on the VLAN, and the values you can set depend on the Equalizer model and the subnet configuration of the VLAN, as follows: For the E350GX, E450GX, E650GX, and E370LX, the maximum MTU value is 4839.
  • Page 300 System Settings Enter the following command, all on one line: eqcli > vlan vlname subnet subnet_name ip CIDR_address route dest_cidr src src_cidr gw ip_addr In the command above, vlname is the VLAN name from the previous step, subnet_name is the name of the subnet, ip is the CIDR format IP address, route is the destination network in CIDR notation, src is the source network in CIDR notation (optional), and gw is the IP address of the gateway for the route.
  • Page 301: Configuring Subnets

    Equalizer Administration Guide Configuring Subnets The following table describes how to perform subnet tasks using the CLI and the GUI:
    Task   Command / Procedure
    eqcli > vlan name subnet name parameters
    1. Click on the System configuration tab on the left pane. 2.
  • Page 302 System Settings Task   Command / Procedure
    Display details for a subnet: eqcli > show vlan name subnet name
    1. Click on the System configuration tab on the left pane. 2. Click on the arrow next to Network to expand the branch. 3. Click on the arrow next to VLANs to expand the branch to display all configured VLANs. 4. Click on the arrow next to a specific VLAN to expand the branch...
  • Page 303: About Permitted Subnets

    Equalizer Administration Guide About Permitted Subnets By default, each VLAN will not forward packets for any other subnet unless that subnet is specifically designated in the Permitted Subnets screen, sometimes referred to as a "subnet access control list". When a new subnet is added it is automatically placed in the Deny pane on this screen, so forwarding to it stays off until you explicitly permit it.
  • Page 304: Configuring Subnet Destination Routes

    System Settings Configuring Subnet Destination Routes Subnet destination routes (also commonly called "static routes") are commonly used to specify routes to destination IP addresses via gateways other than the subnet’s default route (also called a default gateway). They are called destination routes, since they are used to make routing decisions based on a packet’s destination IP address.
  • Page 305 Equalizer Administration Guide Specify the Destination IP Address, Gateway, and Source IP address. This determines the route to be used. For example, you may want a set of routes on a subnet such as the following: Destination IP Address: 0/0, Gateway: 172.16.0.1, Source IP: 188.161.0.118.32...
  • Page 306 System Settings Configuring Subnet Static Routes using the CLI Static routes are specified in the subnet context (see "VLAN and Subnet Commands" on page 223). To display the static routes for a subnet, use the show command: eqcli > show vlan vlan_name subnet subnet_name To add a static route from the global context, enter: eqcli >...
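A model of the lookup a subnet destination route table performs, added here as a Python example rather than Equalizer code: each route has a destination network, a gateway and an optional source network, the default route is written 0/0, and a packet takes the gateway of the most specific matching destination. The tie-break (a route with a source constraint beats one without, and a longer source prefix beats a shorter one) is this example's assumption; the routes and addresses are constructed from documentation ranges.

```python
"""Added example: a model of subnet destination (static) route selection.
Not Equalizer code; the routes and addresses are constructed."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Route:
    dest: ipaddress.IPv4Network            # destination network (0.0.0.0/0 = default)
    gw: ipaddress.IPv4Address              # next-hop gateway
    src: Optional[ipaddress.IPv4Network]   # optional source constraint


def parse_route(dest: str, gw: str, src: Optional[str] = None) -> Route:
    """Build a Route from the CIDR strings used on the GUI/CLI; '0/0' is
    accepted as the manual's spelling of the default route."""
    if dest == "0/0":
        dest = "0.0.0.0/0"
    return Route(ipaddress.ip_network(dest, strict=False),
                 ipaddress.ip_address(gw),
                 ipaddress.ip_network(src, strict=False) if src else None)


def select_gateway(routes: List[Route], dst_ip: str, src_ip: str) -> Optional[str]:
    """Gateway for a packet from src_ip to dst_ip, or None if no route matches.

    Most specific destination prefix wins. Among equal destination prefixes a
    route with a source constraint beats one without, and a longer source
    prefix beats a shorter one (this tie-break is the example's assumption).
    """
    dst = ipaddress.ip_address(dst_ip)
    src = ipaddress.ip_address(src_ip)
    candidates = [r for r in routes
                  if dst in r.dest and (r.src is None or src in r.src)]
    if not candidates:
        return None
    best = max(candidates, key=lambda r: (r.dest.prefixlen,
                                          r.src is not None,
                                          r.src.prefixlen if r.src else -1))
    return str(best.gw)


def route_table(routes: List[Route]) -> List[str]:
    """Rows in the Destination / Gateway / Source order the GUI uses."""
    return [f"{r.dest}  {r.gw}  {r.src if r.src else 'any'}" for r in routes]


# Constructed routes: a default gateway, a second default used only by one
# server subnet, and a more specific route to a partner network.
SAMPLE_ROUTES = [
    parse_route("0/0", "172.16.0.1"),
    parse_route("0/0", "172.16.0.254", "10.10.0.0/16"),
    parse_route("192.0.2.0/24", "172.16.0.2"),
]

if __name__ == "__main__":
    for row in route_table(SAMPLE_ROUTES):
        print(row)
    print(select_gateway(SAMPLE_ROUTES, "203.0.113.77", "10.1.1.1"))   # 172.16.0.1
    print(select_gateway(SAMPLE_ROUTES, "203.0.113.77", "10.10.5.5"))  # 172.16.0.254
    print(select_gateway(SAMPLE_ROUTES, "192.0.2.40", "10.10.5.5"))    # 172.16.0.2
```

The second default route shows why the optional source network matters on a load balancer: it lets one server subnet leave through a different gateway without touching the route every other subnet uses.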
  • Page 307: Configuring Outbound Nat

    Equalizer Administration Guide Configuring Outbound NAT Enabling outbound NAT allows servers on a non-routable network to communicate with hosts on the internet by mapping the server's IP address to another IP address that is routable on the internet. On Equalizer, this is disabled by default. Enabling this option has a performance impact, since Equalizer needs to modify every packet sent and received on server subnets.
  • Page 308 System Settings To configure outbound NAT using the CLI: 1. Log in to eqcli as described in "Starting the CLI" on page 141. 2. NAT can be set up by entering a from parameter in CIDR format that specifies the IP range. The from address is the source IP address (or range of addresses) to which this NAT rule applies.
  • Page 309: Ipv6 Tunnel Overview

    Equalizer Administration Guide IPv6 Tunnel Overview Every network administrator needs to have a strategy to address the transition to the IPv6 Internet. Various transition mechanisms have been defined that are intended to make it as easy as possible for organizations to get on the IPv6 Internet using their current IPv4 network infrastructure.
  • Page 310: Configuring An Ipv6 Tunnel

    System Settings For example, Hurricane Electric provides what they call “regular” tunnels and “BGP” tunnels. For Equalizer, you would choose a “regular” Hurricane Electric tunnel, which is a 6in4 tunnel. A 6in4 tunnel allows a user to access the IPv6 internet by tunneling over an existing IPv4 connection from an IPv6-enabled host to one of Hurricane Electric's IPv6 routers on the internet.
  • Page 311 Equalizer Administration Guide Hurricane Electric will set up the tunnel and provide you with the following information:
    The IPv4 and IPv6 addresses for the Hurricane Electric tunnel endpoint.
    The IPv6 address of the default route for the tunnel.
    The IPv6 address block assigned by Hurricane Electric (a /64 prefix subnet).
    The IP addresses of Hurricane Electric's IPv6 and IPv4 DNS servers.
  • Page 312: Failover

    System Settings The IPv6 address used for the subnet ip parameter must be the same as the local_address specified for the tunnel command in the previous step. The default_route parameter must be set to the IPv6 address provided by the tunnel broker as the default tunnel route.
  • Page 313: Working With Clusters And Match Rules

    Equalizer Administration Guide Chapter 12 Working with Clusters and Match Rules Sections in this chapter include: Overview of Clusters Cluster Summary Cluster Connection Timeouts Adding and Deleting Clusters Modifying a Layer 4 TCP or UDP Cluster TCP Cluster Configuration Summary TCP Cluster Configuration Settings TCP Cluster Persistence TCP Cluster Timeouts...
  • Page 314 Working with Clusters and Match Rules Testing Your Basic Configuration Using Match Rules Cluster and Match Rule Statistics and Reporting (CLI and GUI)
  • Page 315: Overview Of Clusters

    Equalizer Administration Guide Overview of Clusters A virtual cluster is a collection of server pools with a single network-visible IP address. All client requests come into Equalizer through a cluster IP address, and are routed by Equalizer to an appropriate server, according to the load balancing options set on the cluster. The figure below shows a conceptual diagram of an Equalizer with three clusters.
  • Page 316 Working with Clusters and Match Rules L4 UDP clusters are appropriate for connectionless (stateless) applications, such as DNS, TFTP, Voice over IP (VoIP), and streaming applications -- any application that exchanges short packets with many clients, and where dropped packets are preferred to delayed packets (i.e., the highest possible network performance is required).
  • Page 317: Cluster Summary

    Equalizer Administration Guide Cluster Summary A summary of cluster connection statistics can be displayed using either the GUI or CLI: Cluster Summary using the GUI: The example of a Cluster Summary screen shown below displays an expandable, sortable summary listing of all of the clusters configured on your Equalizer. This table displays basic status and statistics for the currently configured clusters, their associated server pools, and Layer 7 match rules.
  • Page 318 Working with Clusters and Match Rules Customizing the Display The cluster summary has 3 display options as shown below: No Filter - selecting this option will display a cluster summary for all of the clusters configured on your Equalizer. Filter by Cluster Name - selecting this option will display the cluster summary based on the cluster names that you select with the check boxes.
  • Page 319 Equalizer Administration Guide Cluster Summary using the CLI: The Cluster Summary screen shown below displays a summary listing of all of the clusters configured on your Equalizer. Enter the following:
    eqcli > show cluster
    Name        IP Address   Port   Proto
    testUDP     4.6.8.9
    Test-http   1.3.5.7...
  • Page 320 Working with Clusters and Match Rules Cookie Age Cookie Generation Persist Type : coyote_cookie_2 eqcli >
  • Page 321: Cluster Connection Timeouts

    Equalizer Administration Guide Cluster Connection Timeouts Layer 7 clusters (HTTP / HTTPS) and Layer 4 clusters (TCP / UDP) each use a different set of timeout parameters as described below. Note - Setting cluster timeouts to arbitrarily high values can have an adverse effect on cluster performance, and can result in the cluster no longer processing traffic.
  • Page 322 Working with Clusters and Match Rules For example, when a client sends a POST operation in a request, the client timeout is used up until the time that the POST headers have all been received. The connect timeout is used until a connection with the server is established.
  • Page 323 Equalizer Administration Guide The following table shows the value range for the Layer 7 HTTP / HTTPS connection timeouts.
    Parameter         Minimum   Default   Maximum   Units
    client timeout                        65535.0   seconds
    server timeout              60.0      65535.0   seconds
    connect timeout             10.0      60.0      seconds
    The default timeout values are sufficient for many common applications. If timeouts are occurring using the default values, adjust the server timeout to the amount of time you expect your application server to respond to a client request, plus 1 second.
  • Page 324 Working with Clusters and Match Rules Once Only Option and HTTP / HTTPS Timeouts The previous sections describe how the connection timeouts work when the once only flag is disabled on a cluster; that is, when Equalizer is examining every set of headers received on a connection.
  • Page 325 Equalizer Administration Guide Reducing the stale timeout can be an effective way to counter the effects of SYN flood Denial of Service attacks on server resources. A stale timeout of 10.0 (see table below) would be an appropriate value for a site under SYN flood attack. Parameter Minimum Default...
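The effect of the stale timeout under a SYN flood, as an added Python simulation (not Equalizer code and not its actual connection table): half-open entries are kept until they complete or age past the stale timeout, so the number of entries a flood can hold open is bounded by the arrival rate multiplied by the timeout, while a legitimate client that completes its handshake quickly is unaffected. The event stream (100 spoofed SYNs at one every 0.5 s that never complete, plus one legitimate client) is constructed for the example, and the two timeout values compared are illustrative rather than the product's defaults.

```python
"""Added example: how the stale timeout bounds half-open connection state
under a SYN flood. A simulation, not Equalizer's implementation."""
from collections import OrderedDict
from typing import Dict, List, Tuple

Key = Tuple[str, int]            # (client IP, client port)
Event = Tuple[float, str, Key]   # (time, "syn" | "ack", key)


class PendingTable:
    """Half-open connections awaiting the client's final ACK, oldest first."""

    def __init__(self, stale_timeout: float):
        self.stale_timeout = stale_timeout
        self.pending: "OrderedDict[Key, float]" = OrderedDict()
        self.expired = 0

    def expire(self, now: float) -> None:
        # Entries are inserted in time order, so stop at the first live one.
        while self.pending:
            key, started = next(iter(self.pending.items()))
            if now - started < self.stale_timeout:
                break
            self.pending.popitem(last=False)
            self.expired += 1

    def syn(self, now: float, key: Key) -> None:
        self.expire(now)
        self.pending[key] = now

    def complete(self, now: float, key: Key) -> bool:
        """Final ACK arrived; True if the entry was still pending."""
        self.expire(now)
        return self.pending.pop(key, None) is not None


def build_events() -> List[Event]:
    """Constructed traffic: a flood of spoofed SYNs that never complete,
    plus one legitimate client whose handshake finishes in 0.1 s."""
    events: List[Event] = []
    for i in range(100):
        events.append((i * 0.5, "syn", (f"203.0.113.{i % 250 + 1}", 40000 + i)))
    events.append((3.25, "syn", ("198.51.100.7", 51515)))
    events.append((3.35, "ack", ("198.51.100.7", 51515)))
    events.sort(key=lambda e: e[0])
    return events


def simulate(events: List[Event], stale_timeout: float) -> Dict[str, int]:
    table = PendingTable(stale_timeout)
    peak = completed = 0
    for now, kind, key in events:
        if kind == "syn":
            table.syn(now, key)
        elif kind == "ack" and table.complete(now, key):
            completed += 1
        peak = max(peak, len(table.pending))
    return {"peak_pending": peak, "expired": table.expired, "completed": completed}


if __name__ == "__main__":
    evs = build_events()
    for timeout in (60.0, 10.0):
        print(timeout, simulate(evs, timeout))
    # 60.0 -> peak 100 half-open entries; 10.0 -> peak 20; the legitimate
    # client completes in both cases.
```

The arithmetic behind the numbers is rate times timeout: 2 SYNs per second held for 60 s is 100 entries by the end of the burst, held for 10 s it is 20, and that is the only knob the table is being tuned with. The caveat is the other side of the same product: a stale timeout shorter than the round-trip time of legitimate clients starts expiring their handshakes too, so measure before cutting it.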
  • Page 326 Working with Clusters and Match Rules Connection Timeout Kernel Variables Equalizer uses a number of kernel variables to track connection timeouts, as shown in the table below. You can use the sysctl command to display kernel variables. The two basic formats of this command are: Displays the kernel variable variable_name.
  • Page 327: Adding And Deleting Clusters

    Equalizer Administration Guide Adding and Deleting Clusters Add and delete clusters as follows: Using the GUI: Follow these steps to add a new Layer 7 or Layer 4 virtual cluster using the GUI: 1. Log into the GUI using a login that has add/del access for global parameters (see "Logging In" on page 230)...
  • Page 328 Working with Clusters and Match Rules Follow these steps to delete a Layer 7 or Layer 4 virtual cluster using the GUI: 1. Log into the GUI using a login that has add/del access for global parameters (see "Logging In" on page 230)...
  • Page 329 Equalizer Administration Guide 1. Enter the following at the CLI prompt: eqcli > no cluster [clustername]
  • Page 330: Modifying A Layer 4 Tcp Or Udp Cluster

    Working with Clusters and Match Rules Modifying a Layer 4 TCP or UDP Cluster The configuration tabs for a cluster are displayed automatically when a cluster is added to the system, or by selecting the cluster name from the Configuration Tree in the left frame. To update the settings on any tab, make changes and select the Commit button to save them.
  • Page 331: Tcp Cluster Configuration Settings

    Equalizer Administration Guide TCP Cluster Configuration Settings The TCP Cluster Settings screen for a TCP cluster is displayed by selecting a cluster from the left navigational pane and then selecting the Configuration > Settings tabs. Protocol - The protocol used for the cluster. VLAN - The VLAN ID number.
  • Page 332 Working with Clusters and Match Rules When the Spoof option is enabled on a cluster, Equalizer uses the client’s IP address as the source IP address in all packets sent to a server in that cluster. When Spoof is enabled, all server responses to client requests that came through the Equalizer cluster IP address must be routed by the server back to the client through Equalizer.
  • Page 333: Tcp Cluster Persistence

    Equalizer Administration Guide TCP Cluster Persistence The TCP Cluster Configuration > Persistence screen is used to configure the Sticky Netmask and Timeouts values and assign the Inter Cluster sticky flag to the selected TCP cluster. It can be accessed by selecting a cluster from the left navigational pane and selecting the Persistence tab.
  • Page 334: Tcp Cluster Timeouts

    Working with Clusters and Match Rules TCP Cluster Timeouts The TCP Cluster Configuration > Timeouts screen is used to configure the various timeouts shown below for the selected TCP cluster. It can be accessed by selecting a cluster from the left navigational pane and selecting the Configuration > Timeouts tabs.
  • Page 335: Udp Cluster Configuration Summary

    Equalizer Administration Guide UDP Cluster Configuration Summary The UDP Cluster Configuration Summary screen is displayed automatically when a UDP cluster is added to the system, or by selecting the cluster name from the Cluster branch on the left navigation pane. This screen displays a snapshot of the cluster and all of its associated objects (i.e., server pools, server instances and responders), the status of the objects, the Active Connections...
  • Page 336: Udp Cluster Configuration Settings

    Working with Clusters and Match Rules UDP Cluster Configuration Settings The UDP Cluster Configuration > Settings screen shown below is displayed automatically when the cluster is added to the system, or by selecting the cluster from the left navigational pane on the GUI and selecting the Configuration > Settings tabs.
  • Page 337 Equalizer Administration Guide Direct Server Return - When enabled, Equalizer forwards packets to the server in such a way that the server responds directly to the client, rather than through Equalizer. This option requires special configuration on the cluster; see "Configuring Direct Server Return" on page 382...
  • Page 338: Udp Cluster Configuration Persistence

    Working with Clusters and Match Rules UDP Cluster Configuration Persistence The UDP Cluster Configuration > Persistence screen is used to configure the Sticky Netmask and Timeouts values and assign the Inter Cluster sticky flag to the selected UDP cluster. It can be accessed by selecting a cluster from the left navigational pane and selecting the Persistence tab.
  • Page 339: Udp Cluster Configuration Timeouts

    Equalizer Administration Guide UDP Cluster Configuration Timeouts The UDP Cluster Configuration > Timeouts screen is used to configure the Stale Timeout for the selected UDP cluster. It can be accessed by selecting a cluster from the left navigational pane and selecting the Timeouts tab.
  • Page 340: Udp Cluster Limitations

    Working with Clusters and Match Rules UDP Cluster Limitations Layer 4 UDP clusters are appropriate for connectionless (stateless) applications, such as DNS, TFTP, Voice over IP (VoIP), and streaming applications. UDP applications typically exchange short packets with many clients, and typically provide faster network performance than TCP applications, because UDP applications do not re-transmit dropped packets and do not perform error checking.
  • Page 341: Modifying A Layer 7 Http Or Https Cluster

    Equalizer Administration Guide Modifying a Layer 7 HTTP or HTTPS Cluster On the GUI, the Configuration Summary for a layer 7 cluster is displayed automatically when a cluster is added to the system, or by selecting the cluster from the Cluster branch on the left navigation pane. HTTP and HTTPS cluster parameters are modified using the following tabs:...
  • Page 342: Layer 7 Cluster Configuration Summary

    Working with Clusters and Match Rules Layer 7 Cluster Configuration Summary The Layer 7 Cluster Configuration Summary screen is displayed automatically as described in "Modifying a Layer 7 HTTP or HTTPS Cluster" on page 341, when a cluster is added to the system, or by selecting the cluster from the Cluster branch on the left navigation pane.
  • Page 343: Layer 7 Http And Https Cluster Settings

    Equalizer Administration Guide Layer 7 HTTP and HTTPS Cluster Settings The following are descriptions of the functionality and configuration parameters used with Layer 7 HTTP and HTTPS Clusters. The figure below shows a Layer 7 Configuration > Settings screen. The fields on this screen are as follows: Parameter Description Protocol...
  • Page 344 Working with Clusters and Match Rules Parameter Description Custom Header - A custom HTTP header that Equalizer inserts into all client requests before they are sent to the server. The format of the string is text:text. Also see Specifying a Custom Header for HTTP/HTTPS Clusters.
  • Page 345 Equalizer Administration Guide Flags Flag Description Abort server - By default, when a client closes a connection, Equalizer waits for a response from the server before closing the server connection. If this flag is enabled, Equalizer will not wait for a response before closing the connection to the server; instead it sends a TCP RST (reset) to the server when the client closes the connection.
  • Page 346 Working with Clusters and Match Rules Flag Description Spoof - When the spoof option is enabled on a cluster, Equalizer uses the client's IP address as the source IP address in all packets sent to a server in that cluster. This option is enabled by default. When spoof is enabled, all server responses to client requests that came through the Equalizer cluster IP address must be routed by the server back to the client through Equalizer.
  • Page 347: Layer 7 Security Certificate Screen (Https Clusters)

    Equalizer Administration Guide Layer 7 Security Certificate Screen (HTTPS Clusters) The HTTPS protocol supports encrypted, secure communication between clients and servers. It requires that a Secure Sockets Layer (SSL) authentication handshake occur between a client and a server in order for a connection request to succeed. Certificates are loaded using either the CLI or GUI.
  • Page 348 Working with Clusters and Match Rules Use the Security > Certificate tab to select a default SSL certificate that clients will use to validate a connection to an HTTPS cluster (a cluster certificate). Default Certificate - Use the drop down list to select a default SSL certificate that clients will use to validate a connection to this HTTPS cluster.
  • Page 349: Layer 7 Ssl Security (Https Clusters)

    Equalizer Administration Guide Layer 7 SSL Security (HTTPS Clusters) Layer 7 Security allows you to configure various options that are specific to HTTPS connections. Parameters The table below shows the parameters and values used in the configuration of HTTPS cluster security.
  • Page 350 Working with Clusters and Match Rules Configuring Layer 7 SSL Security Using the GUI The Layer 7 Security SSL screen shown below is displayed when an HTTPS cluster is selected from the Cluster branch on the left navigational pane on the GUI. Use the table above for parameters, values, and flags for the SSL configuration of an HTTPS cluster.
  • Page 351: Layer 7 Http And Https Cluster Persistence

    Equalizer Administration Guide Layer 7 HTTP and HTTPS Cluster Persistence Equalizer can use cookies or a server’s IP address to maintain a persistent session between a client and a particular server. A cookie is included with the server’s response header on its way back to the client.
  • Page 352 Working with Clusters and Match Rules Persistence Methods Within the Persistence Methods pane are an Enabled area and a Not Used area. Only one Persistence Type method and one Fallback Persistence Type can be enabled. Enable and order persistence methods by dragging and dropping between the Not Used area and the Enabled area. Arrange the order between the primary persistence method and the “fallback”...
  • Page 353 Equalizer Administration Guide Cookie Parameters The Cookie Parameters pane will expand if a cookie scheme is enabled. Cookie age: sets the time, in seconds, over which the client browser maintains the cookie (“0” means the cookie never expires). After the specified number of seconds have elapsed, the browser deletes the cookie and any subsequent client requests will be handled by Equalizer’s load-...
  • Page 354 Working with Clusters and Match Rules Source IP Parameters The Source IP Parameters pane will expand if Source IP is moved to the Enabled pane. Sticky Timeout: The number of seconds that Equalizer should “remember” connections from clients. Valid values are from 0 (which disables sticky connections) to 1073741823 seconds (over 34 years).
  • Page 355: Fallback Persistence Scenarios

    Equalizer Administration Guide Fallback Persistence Scenarios The table below shows all of the possible persistence scenarios and the resulting load balancing server selections based on the persist types and fallback persist types that are “enabled” (columns: Persist Type, Fallback Persist Type, Result). Persist Type [none]: The server is selected on the load balancing...
  • Page 356 Working with Clusters and Match Rules Persist Type: Cookie 0:Cluster IP/Port, Server IP/Port; Fallback Persist Type: Source IP; Result: A server is selected based on the cookie. If no cookie, or a cookie other than Cookie 0:Cluster IP/Port, Server IP/Port, is in the request, a server is selected on the basis of the sticky record (Source IP).
  • Page 357 Equalizer Administration Guide Persist Type: Cookie 2:Cluster IP, Server IP; Fallback Persist Type: Source IP; Result: A server is selected based on the cookie. If no cookie, or a cookie other than Cookie 2:Cluster IP, Server IP, is in the request, a server is selected based on the sticky record (Source IP).
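The scenarios above reduce to a short decision procedure: honour a valid cookie for this cluster first, fall back to the Source IP sticky record if one exists and has not timed out, otherwise load balance and create both. The Python below is an added illustration written for this page, not Equalizer's code. The cookie value format ("<cluster ip>|<server ip>", loosely following the Cookie 2 scheme), the round-robin policy, the sticky-timer reset on every new connection and all addresses are assumptions.

```python
import time


class PersistenceSelector:
    """Illustrative server selection: cookie persistence with a Source IP
    sticky-record fallback. Not Equalizer's code; see the lead-in for the
    assumptions (cookie format, round robin, addresses)."""

    def __init__(self, cluster_ip, servers, sticky_timeout, cookie_age, clock=time.time):
        self.cluster_ip = cluster_ip
        self.servers = list(servers)          # the cluster's server pool
        self.sticky_timeout = sticky_timeout  # seconds; 0 disables Source IP sticky
        self.cookie_age = cookie_age          # seconds; 0 means a session cookie
        self.clock = clock
        self._next = 0
        self._sticky = {}                     # client ip -> (server, last connection time)

    def _load_balance(self):
        server = self.servers[self._next % len(self.servers)]
        self._next += 1
        return server

    def _from_cookie(self, cookie):
        # The cookie is client-supplied: honour it only if it is ours and names
        # a server still in the pool; anything else is treated as "no cookie".
        if not cookie or "|" not in cookie:
            return None
        cluster, server = cookie.split("|", 1)
        return server if cluster == self.cluster_ip and server in self.servers else None

    def _from_sticky(self, client_ip):
        if not self.sticky_timeout or client_ip not in self._sticky:
            return None
        server, last_seen = self._sticky[client_ip]
        if self.clock() - last_seen > self.sticky_timeout or server not in self.servers:
            del self._sticky[client_ip]       # expired, or server removed from the pool
            return None
        return server

    def select(self, client_ip, cookie=None):
        """Return (server, how, set_cookie); how is 'cookie', 'sticky' or 'lb'."""
        server, how = self._from_cookie(cookie), "cookie"
        if server is None:
            server, how = self._from_sticky(client_ip), "sticky"
        if server is None:
            server, how = self._load_balance(), "lb"
        if self.sticky_timeout:
            # A new connection from the client resets the sticky timer.
            self._sticky[client_ip] = (server, self.clock())
        set_cookie = None
        if how != "cookie":
            set_cookie = f"{self.cluster_ip}|{server}"
            if self.cookie_age:
                set_cookie += f"; Max-Age={self.cookie_age}"
        return server, how, set_cookie
```

The point worth keeping from this sketch is the validation in `_from_cookie`: a persistence cookie arrives from the client, so a value naming another cluster or a server that is no longer in the pool must fall through to the sticky record or the load balancing policy rather than be trusted.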
  • Page 358: Server Side Encryption

    Working with Clusters and Match Rules Server Side Encryption Note - Server Side Encryption is not supported on GX Series Equalizers. In a potentially dangerous scenario, you may be load balancing traffic and forwarding it to back-end servers along untrusted paths. Credit card numbers and personally identifying information could be exposed in transit between Equalizer and the back-end servers unless you encrypt it.
  • Page 359 Equalizer Administration Guide General Configuration Process Note - Server Side Encryption is not supported with servers using IPv6. The general configuration process for configuring your appliance for SSE is: 1. Set the listening port on your servers. 2. Configure Equalizer's Cipher Suite and TLS parameters.
  • Page 360 Working with Clusters and Match Rules Configuring SSE Using the GUI 1. Log in to the GUI. Global Cipher Suite and TLS Configuration: First, you will need to enable SSE on your Equalizer on a global level. 2. Select System > ... on the left navigational pane. The following will be...
  • Page 361 Equalizer Administration Guide Configuring SSE Using the CLI Set the Server Listening Port 1. Verify that your back-end servers are configured for encrypted connections — if they are not, the connection will fail. Configure the listening port number (typically port 443 for HTTPS) for each server.
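Step 1 above is the one most often skipped: if a back-end's listening port does not speak TLS, the SSE connection simply fails once the cluster is switched over. The following Python pre-flight check is an added example for this page, not an Equalizer tool. It opens a TLS handshake to each configured server port and reports the negotiated protocol and cipher, or the reason the handshake failed. Certificate verification is deliberately disabled for this reachability check only; the minimum-protocol policy, the plaintext stub server and the host and port values are constructed for the demonstration.

```python
import socket
import ssl
import threading

_VERSIONS = ["SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"]


def _rank(version):
    return _VERSIONS.index(version) if version in _VERSIONS else -1


def check_tls_listener(host, port, timeout=5.0):
    """Try a TLS handshake with host:port and classify the result.

    Returns {"ok": True, "protocol": ..., "cipher": ...} on success, otherwise
    {"ok": False, "reason": ...} with reason refused, timeout, not_tls (the port
    answered, but not with TLS) or error. Certificate checks are off because the
    question here is only whether TLS is offered at all; whether the back-end
    certificate should be trusted is decided when SSE itself is configured.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return {"ok": True, "protocol": tls.version(), "cipher": tls.cipher()[0]}
    except ConnectionRefusedError:
        return {"ok": False, "reason": "refused"}
    except (socket.timeout, TimeoutError):
        return {"ok": False, "reason": "timeout"}
    except ssl.SSLError as exc:
        # A plaintext HTTP listener answers the ClientHello with an HTTP error,
        # which OpenSSL reports as a wrong version number or an early EOF.
        return {"ok": False, "reason": "not_tls", "detail": exc.reason or str(exc)}
    except OSError as exc:
        return {"ok": False, "reason": "error", "detail": str(exc)}


def check_backends(servers, min_protocol="TLSv1.2"):
    """Check every (host, port) the cluster will forward to. min_protocol is an
    assumed local policy: a server that negotiates below it is reported so the
    server and the cluster's TLS parameters can be aligned before enabling SSE."""
    results = {}
    for host, port in servers:
        result = check_tls_listener(host, port)
        if result["ok"] and _rank(result["protocol"]) < _rank(min_protocol):
            result = dict(result, ok=False, reason="protocol_too_old")
        results[(host, port)] = result
    return results


def start_plaintext_stub():
    """Constructed fixture: a listener that answers any bytes with plain HTTP,
    standing in for a back-end whose port was never given a certificate."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def serve_one():
        conn, _ = srv.accept()
        conn.recv(4096)  # the TLS ClientHello, which this server cannot parse
        conn.sendall(b"HTTP/1.0 400 Bad Request\r\nContent-Length: 0\r\n\r\n")
        conn.close()
        srv.close()

    threading.Thread(target=serve_one, daemon=True).start()
    return srv.getsockname()[1]


if __name__ == "__main__":
    port = start_plaintext_stub()
    for key, result in check_backends([("127.0.0.1", port)]).items():
        print(key, result)
```

Run it against the real server list before step 2: every entry that is not "ok" is a server that will fail once SSE is enabled, and "not_tls" in particular means the listening port from step 1 is still serving plaintext.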
  • Page 362: Layer 7 Cluster Reporting

    Working with Clusters and Match Rules Layer 7 Cluster Reporting Refer to "Cluster and Match Rule Statistics and Reporting (CLI and GUI)" on page 420 for details. Layer 7 Cluster Timeouts The Layer 7 Cluster Timeouts screen is used to configure timeouts used in cluster connection with clients and servers.
  • Page 363: Server Name Indication

    Equalizer Administration Guide Server Name Indication Server Name Indication (SNI) is an extension to the SSL and TLS protocols by which a client indicates, at the start of the handshake, the server name or website it is attempting to connect to. It allows a server to present multiple certificates on the same IP address and port number, so that multiple secure (HTTPS) websites can be served from the same IP address, each with its own certificate, all serviced on the same cluster/IP address.
  • Page 364 Working with Clusters and Match Rules Server Name Indication Using the GUI Proceed with the following to configure SNI certificates on an HTTPS cluster using the GUI: 1. Configure an HTTPS cluster on Equalizer. Use the GUI as described in "Adding and Deleting Clusters" on page 327...
  • Page 365 Equalizer Administration Guide Server Name Indication Using the CLI Proceed with the following to configure SNI certificates on an HTTPS cluster using the CLI: 1. Configure an HTTPS cluster on Equalizer. Use the CLI syntax described in "Cluster and Match Rule Commands" on page 169...
  • Page 366 Working with Clusters and Match Rules 6. Display the contents of the new certificate by entering the following. Note that the SNI svname has not yet been entered. eqcli cl-NEW*-sni-testsni> show SNI Name : test Certificate : snicertificate1 Flags : SNI svname : eqcli cl-NEW*-sni-test>...
  • Page 367: Layer 7 Tcp Cluster Settings

    Equalizer Administration Guide Layer 7 TCP Cluster Settings Layer 7 TCP clusters are used to provide IPv6 addressing for generic Layer 4 protocols, and can support IPv4 and IPv6 addressing for clusters and servers. A key feature of EQ/OS 10 is that it is designed to allow L7 HTTP & HTTPS clusters to work with IPv6.
  • Page 368 Working with Clusters and Match Rules The fields on this screen are as follows: Protocol: The protocol selected in the Add Cluster form will be displayed “grayed out”. VLAN: The VLAN ID number assigned to the VLAN on which the cluster resides. Refer to Common Networking Scenarios for details.
  • Page 369 Equalizer Administration Guide When the spoof option is enabled on a cluster, Equalizer uses the client’s IP address as the source IP address in all packets sent to a server in that cluster. This option is enabled by default. When spoof is enabled, all server responses to client requests that came through the Equalizer cluster IP address must be routed by the server back to the client through Equalizer.
  • Page 370: Layer 7 Tcp Cluster Persistence

    Working with Clusters and Match Rules Layer 7 TCP Cluster Persistence Layer 7 TCP cluster persistence is the same as Layer 4 TCP cluster persistence. Refer to "TCP Cluster Persistence" on page 333 for details. Copyright © 2014 Coyote Point Systems, A Subsidiary of Fortinet, Inc.
  • Page 371: Additional Cluster Configuration

    Equalizer Administration Guide Additional Cluster Configuration The Related Topics describe additional cluster configuration. About Passive FTP Translation In EQ/OS 8.6 if your servers were on a network that the outside world could not reach, you were provided the capability of enabling a passive FTP translation option. This option caused Equalizer to rewrite outgoing FTP PASV control messages from the servers so they could contain the IP address of the virtual cluster rather than that of the server.
  • Page 372 Working with Clusters and Match Rules The sticky time period is the length of time over which Equalizer ensures that it directs new connections from a particular client to the same server. The timer for the sticky time period begins to expire as soon as there are no active connections between the client and the cluster. If Equalizer establishes a new connection to the cluster, Equalizer resets the timer for the sticky time period.
  • Page 373: Enabling The Once Only And Persist Options

    Equalizer Administration Guide 5. To direct all requests from a particular client to the same server even if the connection is to a different virtual cluster, check the inter-cluster sticky checkbox. You can turn on inter-cluster stickiness only if you have enabled sticky connections by specifying a sticky time greater than zero.
  • Page 374 Working with Clusters and Match Rules Whether once only is enabled or not has a significant effect on how Equalizer routes requests, as summarized in the following table (columns: Requests in a single keep-alive connection; once only enabled; once only disabled). First Request: If request contains a cookie and there is no... (once only enabled); If request contains a cookie and there is no... (once only disabled)
  • Page 375 Equalizer Administration Guide Note - Although it is permitted by the software, it is not recommended to define a Layer 7 cluster with persist and once only both turned off, and with no match rules. By defining a Layer 7 cluster in such a way, you are essentially disabling Layer 7 processing, while still incurring extra overhead for the Layer 7 cluster.
  • Page 376: Enabling Both The Once Only And Always Options

    Working with Clusters and Match Rules Enabling Both the Once Only and Always Options The always flag influences when Equalizer inserts cookies into server responses; it in turn is affected by the setting of the once only flag, as shown in the following table (columns: once only enabled; once only disabled)...
  • Page 377: Specifying A Custom Header For Http/Https Clusters

    Equalizer Administration Guide For server connections that contain multiple server responses, the setting of the once only flag determines whether Location: headers in all server responses are rewritten. This is shown in the table below. Note that the GUI does not permit you to enable once only and disable no header rewrite -- this option combination would rewrite the Location: header in only the first response in the...
  • Page 378: Performance Considerations For Https Clusters

    Working with Clusters and Match Rules 3. Log into the GUI using a login that has add/del access for the cluster (See "Logging In" page 230.) 4. In the left frame, click the name of the cluster to be configured. 5.
  • Page 379 Equalizer Administration Guide The default configuration for HTTPS clusters created with Xcel enabled will not use the modes described above. If, however, one modifies the cluster’s cipher suite string to use them, they may be negotiated with clients. This will not lead to incorrect operation of the system, but encryption for these cipher suites will occur in software instead of taking advantage of the improved performance provided by the Xcel hardware.
  • Page 380: Https Header Injection

    Working with Clusters and Match Rules HTTPS Header Injection When a connection is established by a client for an HTTPS cluster, Equalizer performs the SSL processing on the request (this is called SSL offloading), and adds some additional headers to the client's request before forwarding the request on to a server: X-LoadBalancer: Equalizer; X-Forwarded-For: (client's IP address)
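Both headers reach the back-end as ordinary request headers. X-LoadBalancer: Equalizer is informational only, and X-Forwarded-For is trustworthy only when the request really came through Equalizer: a client that can reach a server directly can send either header itself. The following Python is an added example for this page, not Equalizer's or any web framework's code. It shows how an application behind Equalizer should consume X-Forwarded-For: ignore it unless the TCP peer is a listed proxy, then take the rightmost address that does not belong to a proxy. The proxy address 192.0.2.10, the assumption that Equalizer appends to rather than replaces an existing header, and the `client_ip` environ key are assumptions.

```python
import ipaddress


def client_ip_from(remote_addr, x_forwarded_for, trusted_proxies):
    """Return the address to treat as the client for a request.

    remote_addr      the TCP peer the web server actually accepted from
    x_forwarded_for  the raw header value, or None
    trusted_proxies  addresses/networks (Equalizer here) allowed to assert a
                     client address on the application's behalf
    """
    nets = [ipaddress.ip_network(p, strict=False) for p in trusted_proxies]

    def trusted(ip):
        try:
            return any(ipaddress.ip_address(ip) in n for n in nets)
        except ValueError:
            return False

    # Rule 1: if the request did not arrive via a trusted proxy, the header is
    # attacker-controlled and must be ignored. X-LoadBalancer: Equalizer is
    # just as forgeable and is never used as the trust signal.
    if not trusted(remote_addr) or not x_forwarded_for:
        return remote_addr

    # Rule 2: walk the chain right to left, skipping hops we trust; the first
    # untrusted, well-formed address is the client. Anything further left was
    # supplied by that client (or something before it) and is not believed.
    for hop in reversed([h.strip() for h in x_forwarded_for.split(",")]):
        if trusted(hop):
            continue
        try:
            return str(ipaddress.ip_address(hop))
        except ValueError:
            return remote_addr  # malformed hop: do not guess, fall back to the peer
    return remote_addr  # every hop was one of our own proxies


class ForwardedClientIP:
    """Minimal WSGI middleware: applies client_ip_from and exposes the result as
    environ["client_ip"] (assumed key) for the wrapped application."""

    def __init__(self, app, trusted_proxies):
        self.app = app
        self.trusted_proxies = trusted_proxies

    def __call__(self, environ, start_response):
        environ["client_ip"] = client_ip_from(
            environ.get("REMOTE_ADDR", ""),
            environ.get("HTTP_X_FORWARDED_FOR"),
            self.trusted_proxies,
        )
        return self.app(environ, start_response)
```

The same rule applies to any access control, rate limit or audit log keyed on client address behind Equalizer: derive the address once, from `REMOTE_ADDR` plus a proxy allow-list, rather than reading X-Forwarded-For wherever it happens to be convenient.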
  • Page 381: Ftp Cluster Configuration

    Equalizer Administration Guide Consult the documentation for the firewalls and NAT devices used at your site to determine how to set up those devices appropriately for FTP transfers. See the next section for how to configure an Equalizer cluster for responding to FTP requests from clients. FTP Cluster Configuration When configuring an FTP cluster on Equalizer, the following guidelines must be followed: for the cluster must be...
  • Page 382: Configuring Direct Server Return

    Working with Clusters and Match Rules Configuring Direct Server Return In a typical load balancing scenario, server responses to client requests are routed through Equalizer on their way back to the client. Equalizer examines the headers of each response and may insert a cookie, before sending the server response on to the client.
  • Page 383 Equalizer Administration Guide Note - In both configurations, the incoming client traffic is assumed to originate on the other side of the gateway device for the subnets on which Equalizer and the servers reside. The servers will usually have their default gateway set to something other than Equalizer so that they can respond directly to client requests.
  • Page 384 Working with Clusters and Match Rules 1. Log into the GUI using a login that has add/del access for the cluster (see "Logging In" on page 230). 2. Do one of the following: a. Create a new Layer 4 TCP or UDP cluster: right-click Equalizer in the left navigational pane and select Add Cluster.
  • Page 385: Testing Your Basic Configuration

    Equalizer Administration Guide Testing Your Basic Configuration Once you have installed and configured Equalizer and your servers, perform tests to verify that Equalizer is working properly. To perform these tests, you need the following: A test machine on the internal network (the same physical network as the servers; one of the server machines can be used for this purpose).
  • Page 386: Using Match Rules

    Working with Clusters and Match Rules Using Match Rules Note - Match Rules are not supported on E250GX model Equalizers. The ability to make load balancing decisions based on the content of a client request is what separates Layer 7 processing from the processing options available at Layer 4. For Layer 7 HTTP and HTTPS clusters, Match Rules provide fine-grained control over load balancing decisions based on the content of the client request.
  • Page 387: How Match Rules Are Processed

    Equalizer Administration Guide Most client requests are a mix of requests for text and graphics. Layer 7 processing without Match Rules balances requests across the specified server pool so that each server instance in the server pool will see a mix of text and graphics requests. This means that all text and graphics must be available on every server in the server pool.
  • Page 388: Match Rule Order

    Working with Clusters and Match Rules Match Rule Order When you add more than one match rule to a cluster, the order in which the match rules are processed is important to system performance. Since processing a match rule requires system CPU and memory, the most efficient way of ordering match rules is from the most common case to the least common case.
  • Page 389: Match Rule Expressions And Bodies

    Equalizer Administration Guide At left in the figure above are the expressions for the three match rules, shown in the order in which they are configured in the cluster. At right, the decision tree describes how the match rules are evaluated for every client request that comes into this cluster. As described previously, the first match rule (ma01) is meant to match any request that does not have a directory in it.
  • Page 390: Match Rule Expressions

    Working with Clusters and Match Rules Match Rule Expressions Match rules consist of a match expression and a match body, which identifies the operations to perform if the expression is satisfied by the request. Match syntax is as follows: match name {expression} then {body} Each match has a name, which is simply a label.
  • Page 391: Match Bodies

    Equalizer Administration Guide Match expressions are read from left to right. Expressions contained within parentheses get evaluated before other parts of the expression. The previous expression would match anything that was not happy or that was round and happy. Unlike the previous example, match functions correspond to certain attributes in a request header.
  • Page 392 Working with Clusters and Match Rules Match bodies specify the actions to take if the match expression selects the request. This is specified in the form of statements that provide values to variables used by the load balancer to process the request. The most common (and most useful) match body selects the set of servers (server pool) over which to apply the load balancing.
  • Page 393: Match Rule Functions

    Equalizer Administration Guide Match Rule Functions Match rule functions generally test for certain strings or settings in the headers and URI of a client request. In the table below, we first discuss match rule functions that examine information in the request other than the URI, and then we discuss the URI related functions.
  • Page 394 Working with Clusters and Match Rules Non-URI header match functions. See Match Bodies for the headers that can be specified in these functions. header_prefix(header, string): This function evaluates to true if the selected header is present and if the string-valued argument string is a prefix of the associated header text.
  • Page 395 Equalizer Administration Guide Match functions for the optional <fragment> component are not provided. The fragment portion of a URI is not transmitted by the browser to the server, but is instead retained by the client and applied after the reply from the server is received. The following lists the URI matching functions that match text in the URI components shown.
  • Page 396: Match Rule Operators

    Working with Clusters and Match Rules URI Function / Description. filename(string): This function evaluates to true if the string argument exactly matches the filename portion of the URI path. This portion includes only the text after the last trailing path component separator (/), as that is considered part of the directory (for example, “file.html”...
  • Page 397: Match Rule Definitions

    Equalizer Administration Guide Match Rule Definitions Match rules are defined in the file /var/eq/eq.conf with the definition of the cluster to which the match rule applies. A match rule as it appears in eq.conf looks like the following example: match ma01 { client_ip("10.0.0.19") } then { flags =!spoof;...
  • Page 398: Match Rule Expression Notes

    Working with Clusters and Match Rules expression "!client_ip(\"10.10.10/24\")" Functions can be combined using the logical operators shown in the previous section. For example, to match a client request for any file with two different file suffixes, you could use an expression like this: expression "filename_suffix(\"jpg\") or filename_suffix(\"gif\")"...
  • Page 399 Equalizer Administration Guide With this in mind, it does not make sense to skip a match rule because the server (or servers) named in the rule are down, hot spared, or quiesced -- rather, since the server in the rule is presumably critical to satisfying the request, it makes sense to route the request to the (for example) down server, and have the client receive an appropriate error -- so that the request can be retried.
  • Page 400 Working with Clusters and Match Rules Considering Case in String Comparisons String comparisons performed by match functions honor the setting of the ignore case cluster parameter: if it is set on the cluster (the default), then all match rule functions used for that cluster are case insensitive;...
  • Page 401 Equalizer Administration Guide Supported Headers All of the header_* match functions take a header argument, which selects the header of interest. If this header is not present in the request, the match function evaluates to false. Although HTTP permits a header to span multiple request lines, none of the functions match text on more than one line.
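The expression language described above (functions joined with and / or, negated with !, grouped with parentheses, compared with or without case according to ignore case, absent headers evaluating to false) is small enough to evaluate with a restricted parser. The Python below is an added example written for this page, not Equalizer's implementation: it rewrites ! to not, parses the result with Python's own ast module, rejects every node type other than boolean operators, calls and string arguments (nothing is ever eval()'d), and evaluates the rules of a cluster in configured order so that the first true expression wins. Only the functions named on this page are implemented (client_ip, filename, filename_suffix, header_prefix). The request dictionary layout, and binding tighter than or, acceptance of the manual's short network form 10.10.10/24, and treating a bare header name as an argument are assumptions. Expressions are given as they appear in eq.conf, without the CLI's backslash escaping.

```python
import ast
import ipaddress
from urllib.parse import urlsplit


def _to_python(expression):
    """Rewrite match syntax as a Python expression: '!' outside quoted strings
    becomes 'not '; 'and', 'or', parentheses and calls are already Python."""
    out, in_str, prev = [], False, ""
    for ch in expression:
        if ch == '"' and prev != "\\":
            in_str = not in_str
        out.append(" not " if ch == "!" and not in_str else ch)
        prev = ch
    return "".join(out).strip()


def parse_expression(expression):
    """Parse with Python's parser, then accept only the node types the match
    language needs. Attribute access, arithmetic, subscripts, keyword arguments
    and every other construct are rejected before anything is evaluated."""
    tree = ast.parse(_to_python(expression), mode="eval").body
    for node in ast.walk(tree):
        ok = (isinstance(node, (ast.BoolOp, ast.And, ast.Or, ast.Not, ast.Load, ast.Name))
              or isinstance(node, ast.UnaryOp) and isinstance(node.op, ast.Not)
              or isinstance(node, ast.Call) and isinstance(node.func, ast.Name) and not node.keywords
              or isinstance(node, ast.Constant) and isinstance(node.value, str))
        if not ok:
            raise SyntaxError(f"unsupported construct {type(node).__name__} in {expression!r}")
    return tree


def _network(spec):
    # The manual writes networks as "10.10.10/24"; pad short dotted forms for ipaddress.
    addr, sep, prefix = spec.partition("/")
    if sep and addr.count(".") < 3:
        addr += ".0" * (3 - addr.count("."))
    return ipaddress.ip_network(addr + sep + prefix, strict=False)


def _filename(req):
    return urlsplit(req["uri"]).path.rsplit("/", 1)[-1]


def _fold(s, ignore_case):
    return s.lower() if ignore_case else s


def _header_prefix(req, args, ic):
    # Assumed: request headers are stored lower-case and hyphenated, e.g. "user-agent".
    value = req.get("headers", {}).get(args[0].lower().replace("_", "-"))
    return value is not None and _fold(value, ic).startswith(_fold(args[1], ic))


FUNCTIONS = {  # only the functions named on this page; anything else raises NameError
    "client_ip": lambda r, a, ic: ipaddress.ip_address(r["client_ip"]) in _network(a[0]),
    "filename": lambda r, a, ic: _fold(_filename(r), ic) == _fold(a[0], ic),
    "filename_suffix": lambda r, a, ic: "." in _filename(r)
    and _fold(_filename(r).rpartition(".")[2], ic) == _fold(a[0], ic),
    "header_prefix": _header_prefix,
}


def evaluate(node, req, ignore_case=True):
    if isinstance(node, ast.BoolOp):
        values = (evaluate(v, req, ignore_case) for v in node.values)
        return all(values) if isinstance(node.op, ast.And) else any(values)
    if isinstance(node, ast.UnaryOp):
        return not evaluate(node.operand, req, ignore_case)
    if isinstance(node, ast.Call):
        args = [a.value if isinstance(a, ast.Constant) else a.id for a in node.args]
        if node.func.id not in FUNCTIONS:
            raise NameError(f"unknown match function {node.func.id}")
        return bool(FUNCTIONS[node.func.id](req, args, ignore_case))
    raise SyntaxError(f"bare {type(node).__name__} is not a match expression")


def compile_rule(name, expression, body):
    return {"name": name, "ast": parse_expression(expression), "body": body}


def select_body(rules, req, default_body, ignore_case=True):
    """Evaluate rules in configured order; the first true expression wins."""
    for rule in rules:
        if not rule["body"].get("disable") and evaluate(rule["ast"], req, ignore_case):
            return rule["name"], rule["body"]
    return None, default_body
```

Two properties of this evaluator are the ones worth carrying over when testing real match rules: the order of the list is the order of evaluation, so the "most common case first" advice above can be checked by counting how many rules a typical request touches, and an expression that the parser rejects is a configuration error rather than something that silently matches nothing.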
  • Page 402: Using Responders In Match Rules

    Working with Clusters and Match Rules Match Rules, the Once Only Flag, and Cookies Since multiple client requests may be received on a single TCP/IP connection, Equalizer has a flag (once only) that specifies whether to check the headers in every request received on a connection, or to load balance based solely The once only flag is a cluster parameter on the Networking tab.
  • Page 403 Equalizer Administration Guide The interface does not, however, test the behavior of match rules. Match rules must be tested against a flow of incoming requests in order to determine if the behavior of the rule is what you expect. Before constructing a match rule, you should first understand the general concepts of match rules covered in "Match Rule Expressions and Bodies" on page 389.
  • Page 404: Displaying Match Rules

    Working with Clusters and Match Rules Displaying Match Rules On the GUI, click on a cluster name in the navigation pane and then click on any of the Match Rules associated with any of the HTTP or HTTPS clusters to display the match rules defined for that cluster.
  • Page 405 Equalizer Administration Guide 3. Enter a name for the new rule in the Match Rule Name field. All match names within a cluster must be unique. 4. Make a selection for the Next Match Rule using the drop-down list. When you select Next Match Rule, the new match rule you are creating will be placed before the Next Match Rule and will be evaluated in that sequence in load balancing.
  • Page 406 Working with Clusters and Match Rules Expression: Refer to "Match Rule Expression Notes" on page 398. Next Match Rule: The Next Match Rule field determines the order of processing. For example, if you were to configure a Match Rule 2 with a Next Match Rule parameter of Match Rule 1, it would be placed before Match Rule 1 in the order of processing.
  • Page 407 Equalizer Administration Guide Disable: flag to skip a match rule that is still being developed. 10. Click on the Commit button to commit the parameter selections. To add a match rule to a Layer 7 cluster using the CLI follow this general procedure: 1.
  • Page 408: Modifying A Match Rule

    Working with Clusters and Match Rules Modifying a Match Rule To edit a match rule using the GUI, follow these steps: 1. Log into the GUI using a login that has write access for the cluster (see "Logging In" on page 230).
  • Page 409: Using The Match Rule Expression Editor

    Equalizer Administration Guide Using the Match Rule Expression Editor The Match Rule Expression Editor shown below is a feature of the GUI that allows the user an easy method of building Match Expressions. As described in "Match Rule Expressions and Bodies" on page 389, Match Expressions are made up of match functions, most of which are protocol-specific, joined by logical operators, optionally preceded by the negation operator, with sets of beginning and end parentheses for grouping where required.
  • Page 410: Operating Within The Expression Editor

    Working with Clusters and Match Rules Operating within the Expression Editor You can drag Functions and Operators into the Expressions Workbench. If you drag a new element onto the top of an existing element, the new element will be placed before the existing element. If you drag the new element onto the bottom of an existing element, the new element will be placed after the existing element.
  • Page 412: Example Match Rules

    Working with Clusters and Match Rules Example Match Rules The Related Topics navigate to examples of how to create a few of the most commonly used types of match rules. Parsing the URI Using Match Rules In this example, we want to direct requests to a specific server pool based on the hostname used in the URI contained in the request.
  • Page 413: Changing Persistence Settings Using Match Rules

    Equalizer Administration Guide 5. Click on accept after entering “support” and then click on the continue button at the bottom of the Expression Editor to save the expression. Now, all requests for URIs that start with “support” should go to the sv_support server pool, and all other requests that do not match this rule are load balanced across all server pools in the cluster.
  • Page 414 Working with Clusters and Match Rules b. Select the server pool that this new rule will precede using the Next Match Rule drop-down list and click on Commit. The new rule will appear on the navigation tree within the cluster from which it was created. c.
  • Page 415: Using Persistence With Match Rules

    Equalizer Administration Guide Using Persistence with Match Rules When a match rule is configured you can specify persistence methods for that match rule, which supersede the persistence method specified for the cluster. This is the persistence type to be used when the match rule's conditions are met.
  • Page 416: Server Selection Based On Content Type Using Match Rules

    Working with Clusters and Match Rules Selective SNAT Example The procedure below shows you how to create a match rule that selectively disables the cluster Spoof option based on the client IP address of an incoming connection. It is assumed that the cluster for which the match rule is created has Spoof enabled on the cluster Configuration screen (tab), and that the cluster works properly for clients on subnets other than the subnet to which the server pools in the cluster are connected.
  • Page 417 Equalizer Administration Guide We want to direct all requests for images to a particular server pool, and balance the remainder of requests across the other server pools in the cluster. The image server pool is connected to a common storage device that contains the images. The remaining server pools are all dedicated to serving particular content for different web sites.
  • Page 418 Working with Clusters and Match Rules c. Select continue. 5. Repeat Step 4 for each of the other filename suffixes on our example servers -- , tif 6. In our example, we want all the images to be served from sp01. On the images Configuration screen (tab), select sp01 from the Server Pool drop-down list.
  • Page 419 Equalizer Administration Guide 8. In the left frame, right-click the name of the cluster and select Add Match Rule. The Add Match Rule screen appears: a. Type “content” into the match name text box and use the Next Match Rule drop-...
  • Page 420: Cluster And Match Rule Statistics And Reporting (Cli And Gui)

    Working with Clusters and Match Rules Cluster and Match Rule Statistics and Reporting (CLI and GUI) The CLI display of Statistics can be seen by entering the following within the cluster or match rule context: Sample of Layer 7 Cluster Statistical Display eqcli cl-Tes*>...
  • Page 421 Equalizer Administration Guide Sample of Layer 7 HTTP and HTTPS Match Rule Statistical Display eqcli cl-htt*-ma-Tes*> stats Current 60sec 10min 60min TOTALPRCSD 6157678 4218 3028 2479 eqcli cl-htt*-ma-Tes*> Sample of Layer 4 Cluster Statistical Display eqcli cl-tes*> stats Current 60 sec 10 min 60 min BYTERCVD...
  • Page 422 Working with Clusters and Match Rules Sample Layer 7 Cluster GUI Statistical Displays The following are definitions for the statistical terms shown on both the CLI and GUI:
  • Page 423 Equalizer Administration Guide Layer 7 Cluster Statistic Definitions (CLI Term / GUI Term / Definition). TOTALPRCSD / Total Connections: Connections processed. TOTALRESPPRCSD / Total Transactions: The total responses processed. TIMESPENT / Total Time For Server Responses: The total time spent on this object. ACTIVECONX / Active Connections: Active connections. BYTERCVD / Bytes Received: Bytes received.
  • Page 424 Working with Clusters and Match Rules (CLI Term / GUI Term / Definition). OUTBYTECOMP / Output Bytes after Compression: Output bytes after compression.
  • Page 425 Equalizer Administration Guide Layer 7 HTTP and HTTPS Match Rule Statistic Definitions (CLI Term / GUI Term / Definition). TOTALPRCSD / Connections/second (CSP): Connections processed. Transactions/second (TPS): The total responses processed. Throughput / Throughput: Throughput. Total Connections: Total connections. Total Transactions: Total transactions. Active Connections: Active connections. Bytes Received: Bytes received.
  • Page 426 Working with Clusters and Match Rules The following is an example of a graphical plot that can be displayed on the GUI. Select a Cluster or Match Rule on the left navigational pane and click on the tab and then .
  • Page 427 Equalizer Administration Guide Sample Match Rule Graphical Plot Sample Layer 4 Cluster Graphical Plot The specific types of statistics that are displayed are determined by the selections on the Statistics pane in the upper right corner of the GUI. Make selections based on the data that you require.
  • Page 428 Working with Clusters and Match Rules The Plot Type selection determines whether the display reflects a Static Time Span, which is configured using the slider, or a Real Time Duration. If Real Time Duration is selected, the slider controls will change to the controls shown below.
  • Page 429: Server Pools And Server Instances

    Equalizer Administration Guide Chapter 13 Server Pools and Server Instances Sections in this chapter include: About Server Pools Server Pool Summary Configuring Server Pool Load-Balancing Options Equalizer’s Load Balancing Policies Equalizer’s Load Balancing Response Settings Aggressive Load Balancing Dynamic Weight Oscillations Using Active Content Verification (ACV) Adding and Configuring a Server Pool (GUI) Adding and Configuring a Server Pool (CLI)
  • Page 430: About Server Pools

    Server Pools and Server Instances About Server Pools A server is attached to a cluster via a server pool. A server pool is a collection of server definitions, each of which has additional parameters assigned to it in the server pool -- these additional parameters are organized by the server’s name and are referred to as server instances within the server pool context.
  • Page 431: Server Pool Summary

    Equalizer Administration Guide Server Pool Summary The Server Pool Summary screen shown below will be displayed when you select the Load Balance configuration tab in the left navigational pane and then click on Server Pools. It displays the health checks defined for each configured server pool, the server instances using the health checks, status icons, the option to add new health checks, and the ability to add new server pools as described in "Adding and Configuring a Server Pool (GUI)" on page 437.
  • Page 432: Configuring Server Pool Load-Balancing Options

    Server Pools and Server Instances Configuring Server Pool Load-Balancing Options Configure load balancing policy and response settings for each server pool independently. Multiple clusters do not need to use the same load balancing configuration even if the same physical server machines host them. For example, if one cluster on port 80 handles HTML traffic and one on port 8000 serves images, you can configure different load balancing policies for each server pool.
  • Page 433: Equalizer's Load Balancing Response Settings

    Equalizer Administration Guide policy. For example, if a server’s active connection count and server agent values are high, Equalizer might not dispatch new requests to that server even if that server’s response time is the fastest in the cluster. Least Cxns (least connections) load balancing - dispatches the highest percentage of requests to the server with the least number of active connections.
  • Page 434: Aggressive Load Balancing

    Server Pools and Server Instances Optimization Threshold controls how frequently Equalizer adjusts dynamic weights. If Equalizer adjusts server weights too aggressively, oscillations in server weights can occur and cluster-wide performance can suffer. On the other hand, if Equalizer does not adjust weights often enough, server overloads might not be compensated for quickly enough and cluster-wide performance can suffer.
  • Page 435: Using Active Content Verification (Acv)

    Equalizer Administration Guide Using Active Content Verification (ACV) Active Content Verification (ACV) is a mechanism for checking the validity of a server. When you enable ACV for a server pool, Equalizer requests data from each server instance in the server pool and verifies that the returned data contains a character string that indicates that the data is valid.
  • Page 436 Server Pools and Server Instances The response string should be text that appears only in a valid response. This string is case-sensitive. An example of a poorly chosen string would be “HTML”, since most web servers automatically generate error pages that contain valid HTML. For more information on probing, see page 647.
  • Page 437: Adding And Configuring A Server Pool (Gui)

    Equalizer Administration Guide Adding and Configuring a Server Pool (GUI) To add and configure a server pool using the GUI proceed with the following: 1. Log in to the GUI as described in "Logging In" on page 230. 2. Select the configuration tab if it is not already selected.
  • Page 438 Server Pools and Server Instances 5. Click on Commit to save the configuration. Copyright © 2014 Coyote Point Systems, A Subsidiary of Fortinet, Inc.
  • Page 439: Adding And Configuring A Server Pool (Cli)

    Equalizer Administration Guide Adding and Configuring a Server Pool (CLI) To add and configure a server pool using the CLI proceed with the following: 1. Log in to the CLI as described in "Starting the CLI" on page 141. 2.
  • Page 440: Adding Server Instances(Gui)

    Server Pools and Server Instances Adding Server Instances(GUI) A server pool is a collection of server definitions, each of which has additional parameters assigned to it in the server pool -- these additional parameters are organized by the server’s name and are referred to as server instances. Add server instances as follows: 1.
  • Page 441 Equalizer Administration Guide 7. Configure the server instance using the following parameters: Note - For servers in Layer 7 HTTPS clusters, set the probe port to something other than 443, since Equalizer communicates with the servers via HTTP. In many configurations, it is set to the server port. The server agent port, set on the cluster, remains a separate port that is used only for server agent communication. A number between 0 and 200 that indicates a server’s processing power relative to the other servers in a cluster.
  • Page 442 Server Pools and Server Instances This flag allows you to customize the behavior of the max connections parameter (see above). When Strict Max Cx is enabled (the default), the max connections parameter is interpreted as a strict maximum and is never overridden. If a client attempts to connect to a server that has a number of connections equal to the max connections setting, then the connection is refused.
  • Page 443: Server Instance Summary Screen

    Equalizer Administration Guide The Server Instance Summary Screen is displayed when a server instance is selected from the left navigational pane. It displays server instance details such as Active Connections, Connections/second and Transactions per second, as well as server pool configuration parameters and a graphical representation of performance history from the last 30 minutes.
  • Page 444: Adding Server Instances (Cli)

    Server Pools and Server Instances Adding Server Instances (CLI) Server instance specific commands can be applied to multiple server instances by entering a comma-separated list of server instance names on the command line. For example, to set the weight to 125 on three server instances (sv01, sv02, sv03) in server pool sp01, you could enter a command like this: eqcli >...
  • Page 445: Testing Acv On A Server Instance

    Equalizer Administration Guide Testing ACV on a Server Instance A test function is available where you can test the functionality of an ACV probe. It is performed on a server pool that must have server instances configured in the pool. All the uncommitted parameters are used when running the test, including the ACV query strings, response strings, timeouts, etc.
  • Page 446: Associate A Server Pool With A Cluster (Gui)

    Server Pools and Server Instances Associate a Server Pool with a Cluster (GUI) To associate a server pool with a cluster proceed with the following: 1. Verify that you are logged into the GUI. If not, log in as described in "Logging In" on page...
  • Page 447: Associate A Server Pool With A Cluster (Cli)

    Equalizer Administration Guide Associate a Server Pool with a Cluster (CLI) To associate a server pool with a cluster proceed with the following: 1. Access the CLI as described in "Starting the CLI" on page 141. 2. Use the following format to enter the cluster context. eqcli>...
  • Page 448: Deleting A Server Pool (Gui)

    Server Pools and Server Instances Deleting a Server Pool (GUI) To remove a server pool proceed with the following: 1. Verify that you are logged into the GUI. If not, log in as described in "Logging In" on page 230. 2.
  • Page 449: Deleting A Server Pool (Cli)

    Equalizer Administration Guide Deleting a Server Pool (CLI) To remove a server pool proceed with the following: 1. Access eqcli as described in "Starting the CLI" on page 141. 2. Use the following format to enter the cluster context. eqcli>...
  • Page 450: Server Pool And Server Instance Reporting (Cli And Gui)

    Server Pools and Server Instances Server Pool and Server Instance Reporting (CLI and GUI) The CLI display of Statistics can be seen by entering the following within the server pool context: Sample Server Pool Statistical Display
  • Page 451 Equalizer Administration Guide Sample Server Instance Statistical Display To view the GUI display: 1. Verify that you are logged into the GUI. (Refer to "Logging In" on page 230.) 2. Select the Load Balance configuration tab on the left navigational pane if it is not already selected.
  • Page 452 Server Pools and Server Instances Sample Server Pool and Server Instance GUI Statistical Display The following are definitions for the statistical terms shown on both the CLI and GUI: Server Pool Statistic Definitions (CLI Term; GUI Term; Definition): Total connections processed; Total Connections; Connections Processed.
  • Page 453 Equalizer Administration Guide (CLI Term; GUI Term; Definition): Total Responses Failed Header Parsing; Number of Request Headers Failed Parsing; Number of Request Headers Failed Parsing. Total Responses Dropped for Exceeding Header Limit; Total Responses Dropped for Exceeding Header Limit; Total Responses Dropped for Exceeding Header Limit.
  • Page 454 Server Pools and Server Instances Server Instance Statistic Definitions (CLI Term; GUI Term; Definition): TOTALPRCSD; Total Connections; Connections Processed. TOTALRESPPRCSD; Total Transactions; Responses Processed. TIMESPENT; Total Time For Server Responses; Total time for server responses. ACTIVECONX; Active Connections; Active Connections. BYTERCVD; Bytes Received; Bytes received from peer.
  • Page 455 Equalizer Administration Guide (CLI Term; GUI Term; Definition): REUSEOF; Cx Dropped Due To Reuse Pool Overflow; Connection dropped due to reuse pool overflow. REUSESRVR; Cx Dropped Due To Server Closed Cx In Reuse Pool; Connection dropped due to server closed connection in reuse pool. REUSETO; Cx Dropped Due To Reuse Pool...; Total connections timed out in TCP MUX reuse...
  • Page 456 Server Pools and Server Instances The specific types of statistics that are displayed are determined by the selections on the Statistics pane on the upper right corner of the GUI. Make selections based on the data that you require. The Plot Type selection determines whether the display shown reflects a Static Time Span, which is configured using the slider, or whether a real time duration is displayed.
  • Page 457: Servers

    Equalizer Administration Guide Chapter 14 Servers Sections within this chapter include: Server Summary Adding and Modifying Servers Server Software Configuration Adjusting a Server’s Initial Weight Interaction of Server Options and Connection Processing Configuring Routing on Servers Server Statistics and Reporting (CLI and GUI)
  • Page 458: Server Summary

    Servers The Server Summary screen displays the names of configured servers, address, Ports, Protocol and associated Server Pools. 1. Verify that you are logged into the GUI. If not, log in as described in "Logging In" on page 230. 2.
  • Page 460: Adding And Modifying Servers

    Servers Adding and Modifying Servers Servers can be added and modified using either the GUI or the CLI. Parameters: The table below shows the parameters, values, and flags used in the configuration of Servers. GUI Parameter (CLI Parameter) Description: The dotted decimal IP address of the server. This is the address Equalizer uses to communicate with the server.
  • Page 461 Equalizer Administration Guide Adding and Modifying Servers Using the GUI Adding Servers Perform this procedure once for each real server that you want to add to Equalizer. 1. Verify that you are logged into the GUI. If not, log in as described in "Logging In" on page...
  • Page 462 Servers If you made any changes to the default configuration values, click on the Commit button to save your changes. Adding and Modifying Servers using the CLI Adding Servers Perform this procedure once for each real server that you want to add to Equalizer. Enter the following: eqcli >...
  • Page 463: Server Software Configuration

    Equalizer Administration Guide Modifying Servers Servers can be configured in the CLI either globally or in cluster context. Enter parameters using the following format: eqcli > server servername parameter value where: servername - is the name of the server; parameter - is the parameter to be configured; value - is the value associated with the parameter.
  • Page 464: Adjusting A Server's Initial Weight

    Servers Adjusting a Server’s Initial Weight Equalizer uses a server’s initial weight as the starting point for determining the percentage of requests to route to that server. As Equalizer gathers information about the actual performance of a server against client requests, it adjusts the server’s current weight so that servers that are performing well receive a higher percentage of the cluster load than servers that are performing at a slower rate.
  • Page 465: Maximum Connections Limits, Responders, And Hot Spares

    Equalizer Administration Guide Maximum Connections Limits, Responders, and Hot Spares When a maximum connections limit is set on all the servers in a cluster, it is often desirable to define either a responder or a hot spare server for the cluster, so that any attempted connections to the cluster that occur after the limit has been reached are Maximum Reused Connections...
  • Page 466: Setting Initial Weights For Mixed Clusters

    Servers Setting Initial Weights for Mixed Clusters Equalizer enables you to build heterogeneous clusters using servers of widely varying capabilities. Adjust for the differences by assigning initial weights that correspond to the relative capabilities of the available servers. This enables you to get the most out of existing hardware, so you can use an older server side-by-side with a new one.
  • Page 467 Equalizer Administration Guide To avoid interrupting user sessions, make sure that a server to be shut down or deleted from a cluster no longer has any active connections. When a server’s initial weight is zero, Equalizer will not send new requests to that server. Connections that are already established continue to exist until the client and server application end them or they time out because they are idle.
  • Page 468: Server Configuration Constraints

    Servers Server Configuration Constraints When configuring servers on Equalizer, you must observe the following constraints: In general, there must be no Layer 3 devices (such as a router) between a server and Equalizer in order for health check probes to work correctly. Equalizer operation depends on reliable communication between Equalizer and the servers behind it.
  • Page 469: Configuring Routing On Servers

    Equalizer Administration Guide Configuring Routing on Servers The way you configure routing on servers behind Equalizer depends largely on whether Equalizer’s spoof option is enabled on a cluster. Spoof Controls SNAT If spoof is disabled, SNAT (Source Network Address Translation) is performed on client requests before sending them on to the server -- the source address used in the packet sent to the server is Equalizer’s IP address on the VLAN used to communicate with the server.
  • Page 470 Servers Note that you should configure routing on each server from the server’s system console, not through a telnet session. This will avoid any disconnects that might otherwise occur as you adjust the network settings on the server.
  • Page 471: Server Statistics And Reporting (Cli And Gui)

    Equalizer Administration Guide Server Statistics and Reporting (CLI and GUI) The CLI display of Statistics can be seen by entering the following within the server context: Sample Server Statistics Display eqcli sv-spi*> stats Current 60 sec 10 min 60 min TOTALPRCSD 133250 TOTALRESPPRCSD...
  • Page 472 Servers To view the GUI display: 1. Verify that you are logged into the GUI. (Refer to "Logging In" on page 230.) 2. Select the Load Balance configuration tab on the left navigational pane if it is not already selected. 3.
  • Page 473 Equalizer Administration Guide Server Statistic Definitions (CLI Term; GUI Term; Definition): TOTALPRCSD; Connections processed. TOTALRESPPRCSD; Total Transactions; Responses processed. TIMESPENT; Total Time For Server Responses; The total time spent on this object. ACTIVECONX; Active Connections; Active connections. BYTERCVD; Bytes Received; Bytes received. BYTESEND; Bytes Sent; Bytes transmitted.
  • Page 474 Servers (CLI Term; GUI Term; Definition): REUSEOF; Cx Dropped Due To Reuse Pool Overflow; The number of connections dropped due to reuse pool overflow. REUSESRVR; Cx Dropped Due To Server Closed Cx In Reuse Pool; The number of connections dropped due to server closing a connection in the reuse pool.
  • Page 475 Equalizer Administration Guide Sample Server Plot The specific types of statistics that are displayed are determined by the selections on the Statistics pane on the upper right corner of the GUI. Make selections based on the data that you require. The Plot Type selection determines whether the display shown reflects a Static Time Span, which is configured using the slider, or whether a real time duration is displayed.
  • Page 477: Automatic Cluster Responders

    Equalizer Administration Guide Chapter 15 Automatic Cluster Responders Sections within this chapter include: Automatic Cluster Responders Responder Summary Managing Responders Responder Statistics and Reporting (CLI and GUI)
  • Page 478: Automatic Cluster Responders

    Automatic Cluster Responders Automatic Cluster Responders Note - Responders are not supported on E250GX model Equalizers. A Responder is a server-like object that can be associated with a Match Rule. It provides you with the ability to cleanly load balance traffic where server pools associated with a cluster are not available to satisfy a client's request.
  • Page 479: Responder Summary

    Equalizer Administration Guide The Responder Summary screen displays the names of configured responders, Type, associated Clusters and Match Rules. 1. Verify that you are logged into the GUI. If not, log in as described in "Logging In" on page 230. 2.
  • Page 480: Managing Responders

    Automatic Cluster Responders Managing Responders To display a list of all currently defined Responders, select the Load Balance configuration tab on the left navigational pane and click on the arrow ( ) beside Responders to expand the branch. Select any of the Responders on the tree to display their configuration on the right pane. To add a Responder, right click on Responders on the left navigational pane and select Add Responder.
  • Page 481 Equalizer Administration Guide 3. Do one of the following: Create a custom HTML page by selecting Sorry Server. The dialog changes to a text entry box, into which you can type the HTML that Equalizer will return to clients. The text size limit is 4096 bytes. Create a standard Redirect page by supplying the following information in the pop up screen: The HTTP status code to return to the client.
  • Page 482: Modifying A Responder

    Automatic Cluster Responders 5. On the next screen, do one of the following: Click the Back icon (>) at the top of the screen to review the responder configuration. For a Sorry Server, click commit to add this responder or cancel to close the dialog without adding the responder.
  • Page 483 Equalizer Administration Guide The simplest form of HTTPS redirect involves simply referring the user to the top level of the https:// site, regardless of the path information that may have been included in the original request URL. For example, we could direct all requests for: http://www.example.com/<path>...
  • Page 484 Automatic Cluster Responders http://www.example3.net/<path> The following regular expression: ^(([^ :/?#]+):)?//([^ \r/?#.]+)?\.([^ \r/?#.]+)?\.([^ \r/?#]+)?(/[^ \r]+)? breaks the request URL into the following named variables: $0 http://www.example.com/<path> $1 http: $2 http $3 www $4 example $5 com $6 /<path> We can then use these variables in the URL field as shown in the following Responder Configuration screen (tab): It should be noted that this example will not work for requests with destination URLs specified with an IP address for a hostname (e.g.,"12.34.56.78"...
  • Page 485: Using Responders In Match Rules

    Equalizer Administration Guide $3 www $4 example $5 com $6 /images $7 /<path> We can then use these variables in the URL field as shown in the following Responder Configuration screen (tab): This Responder can be used in a Match Rule in any cluster where a similar directory name based redirect is required.
  • Page 486 Automatic Cluster Responders The most common use of a responder is to change the default match rule behavior when no server pools are available in a cluster. By default, every HTTP and HTTPS cluster is created with a Default match rule that does not specify a Responder -- thus, if all the server pools in the Default match rule are down, Equalizer drops the client connection to the cluster.
  • Page 487: Creating A Match Rule To Redirect All Traffic For A Specific Url

    Equalizer Administration Guide 9. Select Sorry_Example in the response drop-down list on the Configuration tab as shown below. 10. Click Commit to save the match rule. Creating a Match Rule to Redirect All Traffic for a Specific URL Another common cluster configuration requirement is to be able to automatically redirect all traffic that uses a specific URL.
  • Page 488 Automatic Cluster Responders After completing the above procedure, all client requests to http://cluster/special/ will be redirected to https://www.example.com/special/, even when all the server instances in a server pool are available.
  • Page 489: Responders And Hot Spares

    Equalizer Administration Guide Responders and Hot Spares Responders provide functionality that automates the very basic functions of a hot spare server, and offloads them onto Equalizer. If more functionality is desired, then a separate real server should be used as a hot spare for the cluster. It should also be noted that resources Equalizer uses to service client requests via the Responder feature are resources potentially taken away from processing other client requests.
  • Page 490: Responder Statistics And Reporting (Cli And Gui)

    Automatic Cluster Responders Responder Statistics and Reporting (CLI and GUI) The CLI display of Statistics can be seen by entering the following within the responder context: Sample Responder Statistics Display To view the GUI display: 1. Verify that you are logged into the GUI. (Refer to "Logging In" on page 230.)...
  • Page 491 Equalizer Administration Guide Sample Responder Plot The specific types of statistics that are graphically displayed are determined by the selections on the Statistics pane on the upper right corner of the GUI. Make selections based on the data that you require. As you can see from the figure above, the Responder statistic displays only Transactions/second. The Plot Type selection determines whether the display shown reflects a Static Time Span which is...
  • Page 493: Link Load Balancing

    Equalizer Administration Guide Chapter 16 Link Load Balancing Sections in this chapter include: Link Load Balancing Outbound Link Load Balancing Configuring Outbound Link Load Balancing Inbound Link Load Balancing Configuring Inbound Link Load Balancing
  • Page 494: Link Load Balancing

    Link Load Balancing Link Load Balancing Multiple ISP connections at each point of presence help to guarantee the availability of your services by building redundancy. Link Load Balancing (LLB) functionality allows your ADC appliance to support multiple upstream links across infrastructure that supports them. If a primary ISP link fails, LLB enables the seamless redirection of traffic through a backup link. Similar to GSLB, inbound LLB avoids the need for failover via Border Gateway Protocol (BGP) by using DNS-based load balancing and gateways instead.
  • Page 495: Outbound Link Load Balancing

    Equalizer Administration Guide Outbound Link Load Balancing Outbound LLB (OLLB) is used when you want redundancy across multiple routes for traffic leaving the ADC. One prerequisite for OLLB is that all gateways configured into an OLLB group must be able to route traffic to the same set of destinations. In order to distribute outbound traffic from your servers, you must define links by defining their gateways.
  • Page 496: Configuring Outbound Link Load Balancing

    Link Load Balancing Configuring Outbound Link Load Balancing Configuration of OLLB consists of the following: 1. Adding VLANs with subnets 2. Configuring gateways 3. Configuring OLLB groups 4. Configuring NAT 5. Configuring subnet routes Using the GUI 1. Log in to the GUI Configuring VLANs with Subnets 2.
  • Page 497 Equalizer Administration Guide 7. Enter the IP address of the gateway in the text box. Enter the IP addresses of the Gateway links to be health checked. Use a “,” to separate the IP addresses. You have the option of disabling the Gateway or disabling the Health Check by selecting the appropriate check boxes.
  • Page 498 Link Load Balancing Configure an OLLB Group 10. Click on Outbound > Groups from the left navigational pane to display the Outbound Link Load Balancing Groups display on the right. 11. Click on Add Outbound LLB Group to display the dialogue. An example is shown below. The group modification dialogue is the same, although the existing name of the Group will be displayed.
  • Page 499 Equalizer Administration Guide Set Up Subnet Routes 18. Select the System configuration tab if it has not already been selected. 19. Click on the arrow (►) beside Network to expand the branch. 20. Select a VLAN and then select a subnet. 21.
  • Page 500 Link Load Balancing Using the CLI Configuration of OLLB consists of the following: 1. Adding VLANs with subnets 2. Configuring gateways 3. Configuring OLLB groups 4. Configuring NAT 5. Configuring subnet routes The following is an example of an ILLB configuration using the CLI. Adding VLANs with Subnets 1.
  • Page 501 Equalizer Administration Guide 3. View the configured gateway using the show command. A message indicating whether the LLB Gateway is enabled is displayed. eqcli > show llb-gw 1.2.3.1 This LLB Gateway is enabled. LLB Gateway Name :1.2.3.1 Weight Health Check :8.8.8.8, 173.14.44.43 Flags a.
  • Page 502 Link Load Balancing Configuring NAT 5. If needed, set up NAT as shown. Outbound NAT can be set up by entering a from parameter in CIDR format that specifies the IP range. eqcli> vlan int subnet sn0 nat from 1.1.0.0/24 out 1.2.3.33 nat sn0 out gw 1.2.3.1 eqcli>...
  • Page 503: Inbound Link Load Balancing

    Equalizer Administration Guide Inbound Link Load Balancing Similar to GSLB, Inbound Link Load Balancing (ILLB) is DNS-based, in that a client makes a DNS query to resolve the IP address of an FQDN. However, unlike GSLB, the IP address returned in the DNS reply does not represent a geographic location, but rather one of several links available on a single Equalizer.
  • Page 504: Configuring Inbound Link Load Balancing

    Link Load Balancing Configuring Inbound Link Load Balancing In this process, you will need to specify a Fully Qualified Domain Name (FQDN) that is associated with an ILLB group, and a set of link/IP pairs. The load balancer will, based on the policy in effect (e.g., round robin) and link state, select the appropriate link to use, and return the associated IP address.
  • Page 505 Equalizer Administration Guide 7. Enter the IP address of the gateway in the text box. Enter the IP addresses of the Gateway links to be health checked. Use a “,” to separate the IP addresses. You have the option of disabling the Gateway or disabling the Health Check by selecting the appropriate check boxes.
  • Page 506 Link Load Balancing Configuring ILLB Groups 10. The ILLB group is analogous to a geocluster in GSLB. Click on Inbound > Groups on the left navigational pane. The Inbound Link Load Balancing Groups list will be displayed. Click to activate the dialogue as shown below.
  • Page 507 Equalizer Administration Guide Add Targets to the OLLB Groups 12. The target describes an IP-gateway pair. If the gateway of the pair is selected as the “best” available gateway according to the policy in effect, the associated IP will be returned in a DNS response.
  • Page 508 Link Load Balancing 4. View the configured gateway by entering the following. A message is displayed, indicating whether the LLB Gateway is enabled/disabled. eqcli > show llb-gw 172.16.128.1 This LLB Gateway is enabled. LLB Gateway Name : 172.16.128.1 Weight : 50 Health Check : 8.8.8.8, 173.14.44.43 Flags :...
  • Page 509 Equalizer Administration Guide Configuring ILLB Groups 5. The ILLB group is analogous to a geocluster in GSLB. Enter the following: eqcli> illb-grp illb1 fqdn www.test.com ttl 60 The fqdn must include all name components up to the top level (com, net, org, etc). Do not include the trailing period.
  • Page 510 Link Load Balancing Add Targets to the OLLB Groups 8. Add a target to the illb-grp. This describes which IP address to return in an A/AAAA record if the specified gateway is selected, or a gateway to consider for the FQDN. eqcli >...
  • Page 511: Global Load Balance

    Equalizer Administration Guide Chapter 17 Global Load Balance Sections in this chapter include: Overview of Envoy Geographic Load Balancing Envoy Configuration Summary DNS Configuration Using Envoy with Firewalled Networks Using Envoy with NAT Devices Configuring GeoClusters Configuring GeoSites GeoSite Instance Parameters GeoSite Resources and GeoSite Instance Resources
  • Page 512: Overview Of Envoy Geographic Load Balancing

    Global Load Balance Overview of Envoy Geographic Load Balancing Note - Envoy (GSLB) is not supported on E250GX model Equalizers. Geographic load balancing increases availability by allowing regional server clusters to share workload transparently, maximizing overall resource utilization. The Envoy® Geographic load balancer is an optional software add-on for the Equalizer product line that supports load balancing requests across servers in different physical locations or on different networks.
  • Page 513: Envoy Configuration Summary

    Equalizer Administration Guide Envoy Configuration Summary Follow this general procedure when setting up Envoy for the first time: 1. Configure appropriate clusters (and servers) on all of the Equalizers to be included as Envoy sites in the GeoCluster. 2. Configure the GeoCluster on each Equalizer; the parameters used should be the same on all sites.
  • Page 514 Global Load Balance This is usually the last step performed when configuring Envoy. It is recommended to set up Envoy and test your Envoy configuration thoroughly before making changes on the authoritative name server. For example, assume you must balance www.coyotepoint.com across a GeoCluster containing two Envoy sites, east.coyotepoint.com (at 192.168.2.44) and west.coyotepoint.com (at 10.0.0.5).
  • Page 515 Equalizer Administration Guide remotesite.com. IN NS ns1.remotesite.com. remotesite.com. IN NS ns2.remotesite.com. www.remotesite.com. IN NS east.remotesite.com. www.remotesite.com. IN NS west.remotesite.com. ns1 IN A ns1-IP-address ns2 IN A ns2-IP-address east IN A 192.168.2.44 west IN A 10.0.0.5 In the example above, we left the domain parameters as zeros, since these vary widely between DNS installations.
  • Page 516: Using Envoy With Firewalled Networks

    Global Load Balance Using Envoy with Firewalled Networks Envoy sites communicate with each other using UDP-based Geographic Query Protocol (GQP). Similarly, Envoy sites communicate with clients using the DNS protocol. If you protect one or more of your Envoy sites with a network firewall, you must configure the firewall to permit the Envoy packets to pass through.
  • Page 517: Configuring Geoclusters

    Equalizer Administration Guide Configuring GeoClusters This section shows you how to add or delete a GeoCluster and how to configure a GeoCluster’s load-balancing options. Configuring a GeoCluster and its sites is analogous to configuring a virtual cluster and its servers. There are two parts to configuring GeoClusters.
  • Page 518 Global Load Balance Viewing and Modifying GeoCluster Parameters (GUI) To view or modify a GeoCluster’s load-balancing options, proceed with the following: 1. Log in to the GUI (See "Logging In" on page 230). 2. Click on the GeoCluster on the left navigation pane. The figure below will be displayed: 3.
  • Page 519 Equalizer Administration Guide Mail Exchanger FQDN - The fully qualified domain name (e.g., "mail.example.com") to be returned if Equalizer receives a “mail exchanger” request for this GeoCluster. The mail exchanger is the host responsible for handling email sent to users in the domain.
  • Page 520 Global Load Balance Note - In Version 10, if ICMP triangulation is enabled and all GeoSites report that triangulation failed, then ICMP triangulation is ignored for GeoSite selection. That is, Envoy geographic load balancing will proceed as if ICMP triangulation were disabled.
  • Page 521 Equalizer Administration Guide Viewing and Modifying GeoCluster Parameters (CLI) To add a GeoCluster using eqcli, proceed as follows: 1. Log in to eqcli as described in Starting the CLI. 2. Use the parameter descriptions above and the command line sequences described in GeoCluster and GeoSite Instance Commands to view and modify GeoCluster parameters using eqcli.
  • Page 522: Configuring Geosites

    Global Load Balance Configuring GeoSites In EQ/OS 10, GeoSites are defined separately (like Servers) and then added to GeoClusters as GeoSite Instances. This section describes how to add, delete and configure GeoSites and includes descriptions of the parameters used by GeoSites. Adding a GeoSite (GUI) To add a GeoSite using the GUI proceed with the following: 1.
  • Page 523: Geosite Instance Parameters

    Equalizer Administration Guide Adding a GeoSite (CLI) Too add a GeoSite using eqcli as follows: 1. Log in to eqcli as described in on page 141. "Starting the CLI" 2. Enter the following at the CLI prompt: eqcli > GeoSite gsnamereq_cmds Deleting GeoSite (CLI) Too delete a GeoSite using eqcli as follows: 1.
  • Page 524 Global Load Balance b. Right click on a GeoCluster on the left navigational pane and select Add GeoSite Instance. The Add GeoSite Instance form will be displayed. If this method is used, you will need to enter the GeoSite IP Address and select the desired GeoSite using the drop down list.
  • Page 525 Equalizer Administration Guide 7. Select additional options for the GeoSite instance by clicking the GeoSite instance from the left navigational pane to display the Configuration > Required screen. From this screen all configuration options can be modified. Default - Designates this site as the default site for the GeoCluster. Envoy load balances to the default site whenever it cannot choose a site based on the GQP probe information it gets from the sites.
  • Page 526 Global Load Balance 1. Log in to eqcli as described in "Starting the CLI" on page 141. 2. Enter the following at the CLI prompt: eqcli > no geocluster gclname gsi gsiname where: gclname is the name of the GeoCluster, gsi is the GeoSite instance, and gsiname is the name of the GeoSite instance.
  • Page 527: Geosite Resources And Geosite Instance Resources

    Equalizer Administration Guide GeoSite Resources and GeoSite Instance Resources GeoSite Resources are named clusters defined within a GeoSite. They are assigned a name so that they can be configured into a GeoCluster. For example a GeoSite in New York may have a cluster “CLNY1”...
  • Page 528 Global Load Balance Add a GeoSite Resource Instance to a GeoCluster (GUI) 1. Log in to the GUI (See "Logging In" on page 230). 2. Right click the GeoSite Instance within a GeoCluster on the left navigation pane and select .
  • Page 529 Equalizer Administration Guide Add a GeoSite Resource Instance to a GeoCluster (CLI) 1. Log in to eqcli as described in "Starting the CLI" on page 141. 2. Enter the GeoCluster context and enter the following at the CLI prompt: gcl-gclname> GeoSite gsname resource clname eqcli >...
  • Page 531: Failover

    Equalizer Administration Guide Chapter 18 Failover Sections within this chapter include: Understanding Failover How the Load Balancer Determines if it Should Assume the Primary Role Releases Supported for Failover with EQ/OS 10 Guidelines for Updating a Failover Pair Failover Between Two EQ/OS 10 Systems Types of Failover Configurations Peer Failover Modes Failover Constraints...
  • Page 532: Understanding Failover

    Failover Understanding Failover Failover, also known as "High Availability", allows a second ADC to take over quickly if the primary unit fails, allowing data and applications to be continuously delivered without interruption. The load balancing pair can be configured into an active/standby (also known as Active/Passive) mode or in Active/Active mode.
  • Page 533: How The Load Balancer Determines If It Should Assume The Primary Role

    Equalizer Administration Guide How the Load Balancer Determines if it Should Assume the Primary Role Equalizer expects to see a heartbeat from a failover peer (all failover peers in an Active/Active Failover configuration; see Configuring Active/Active Failover Between Two Systems) within a "heartbeat interval"...
  • Page 534: Releases Supported For Failover With Eq/Os 10

    Failover Releases Supported for Failover with EQ/OS 10 An Equalizer running EQ/OS 10 can be configured into failover with another Equalizer running either of these releases: EQ/OS 10, or EQ/OS 8.6 (latest release). Note - Failover is not supported between EQ/OS 10 and any release prior to EQ/OS 8.6.0c. Copyright ©...
  • Page 535: Guidelines For Updating A Failover Pair

    Equalizer Administration Guide Guidelines for Updating a Failover Pair The following guidelines should be adhered to when upgrading a failover pair between two systems. 1. Verify that your current failover configuration is operating properly and that there are no error messages in the Peer Summary Screen on the GUI ("Configuring Active/Passive Failover" on page 572) or CLI ("Peer Commands"...
  • Page 536: Failover Between Two Eq/Os 10 Systems

    Failover Failover Between Two EQ/OS 10 Systems The procedures in this section show you how to configure failover using two Equalizers running EQ/OS 10. Displaying Failover Configuration You can display a summary of the current failover configuration on your local Equalizer in both the CLI and the GUI.
  • Page 537 Equalizer Administration Guide When two Equalizers are configured into Active/Passive failover, they form a "failover pair". An Equalizer in a failover pair is called a "peer". At any given time, only one of the load balancers in a failover pair is actually servicing requests sent to the cluster IP addresses defined in the configuration -- this unit is called the "active peer"...
  • Page 538: Peer Failover Modes

    Failover Peer Failover Modes The Failover Mode is the current failover condition of an Equalizer peer or Failover Group when configured into an Active/Passive, Active/Active, or N+1 failover configuration. It is shown both in the eqcli display and in the GUI. The following table lists the possible Failover Modes that can be displayed along with a description of each.
  • Page 539: Failover Constraints

    Equalizer Administration Guide To display the Failover Mode in the Failover Status screen in the GUI, click on the System configuration tab in the left navigational pane if it has not already been selected. Then click to display the Failover screen.
  • Page 540 Failover 4. Other important notes: Run http on the failover IP address, not the VLAN IP address. Only make changes when logging in over the failover IP address. If you run GUI/SSH on the VLAN IP addresses on both peers, then do NOT go back and forth between peers making configuration changes, unless you verify that each change is transferred before making a change on the “other”...
  • Page 541: Configuration Synchronization Constraints

    Equalizer Administration Guide Configuration Synchronization Constraints Whenever a configuration change is made on either EQ/OS 10 failover unit, the failover subsystem synchronizes the configuration by transferring the configuration file to the other unit over the VLAN subnet that has the command flag enabled. If the command flag (Command Transfer in the GUI) is NOT set for any VLAN, the system will use the first VLAN in the configuration file for Configuration transfer.
  • Page 542 Failover Synchronization Notes 1. Failover does not require the same set of VLANs on all Peers. However, a failover group associated with a VLAN existing on one Peer cannot be configured into failover with other peers that do not have the same VLAN configured. All instances of a VLAN mismatch will be logged.
  • Page 543: Server / Gateway Availability Constraint

    Equalizer Administration Guide Server / Gateway Availability Constraint For failover to initialize correctly, at least one server or gateway configured on a subnet defined on Equalizer must be responding to ARP (Address Resolution Protocol) requests. Otherwise, Equalizer will remain in the "initializing" failover state and will not assume the backup or primary role.
  • Page 544 Failover GUI Parameter (CLI Parameter) Description: Failed Probe Count (strike_count) - The number of successive failed heartbeats that must occur before a peer is marked "down" (default: 3). A heartbeat is considered to have failed whenever the Heartbeat Interval has elapsed and no probe has been received from a peer during that interval. Failed Probe Count...
  • Page 545: Peer, Interface, Subnet States And Substates

    Equalizer Administration Guide Peer, Interface, Subnet States and Substates The following table lists the various valid states/substates for Peers, Interfaces, and Subnets. Peer State / Peer Substate / Explanation: Start - Communicating with remote Peer to join into a Failover configuration. Send Join Failed - Attempt to configure remote Peer into a failover configuration failed.
  • Page 546: Failover Between Eq/Os 8.6 And Eq/Os 10

    Failover Failover Between EQ/OS 8.6 and EQ/OS 10 The procedures in this section show you how to configure failover using an Equalizer running EQ/OS 8.6 as the preferred primary and an Equalizer running EQ/OS 10 as the preferred backup. Guidelines for Upgrading a Failover Pair from EQ/OS 8.6 to EQ/OS 10 The preferred method of upgrading the OS from EQ/OS 8.6 to EQ/OS 10 is: 1.
  • Page 547: Server Availability Constraint

    Equalizer Administration Guide Server Availability Constraint For failover to initialize correctly, at least one server or gateway configured on a subnet defined on Equalizer must be responding to ARP (Address Resolution Protocol) requests. Otherwise, Equalizer will remain in the "initializing" failover state and will not assume the backup or primary role.
  • Page 548: Enable Failover Of Eq/Os 8.6 To Eq/Os 10

    Failover Enable Failover of EQ/OS 8.6 to EQ/OS 10 Note - EQ/OS 8.6 uses the web-based GUI for all failover configuration. On EQ/OS 10, you can set up failover using either the CLI or the GUI, but failover status information is currently only visible in the CLI peer context.
  • Page 549 Equalizer Administration Guide d. Do the following in the Peer Equalizer section: Enter any name you like for Equalizer Name and a string of characters for the Signature. The signature of the EQ/OS 10 peer can be found by entering the peer context and entering eqcli peer-eq_*>...
  • Page 550 Failover 4. Configure the EQ/OS 10 system as the preferred backup: a. Configure all required VLANs, servers, and server pools as described in "Load Balancing & Networking" on page 89, "Configuring Server Connections" on page 627, and "Managing Server Pools" on page 430, using settings that are equivalent to the...
  • Page 551 Equalizer Administration Guide You can copy the signature from the EQ/OS 8.6 GUI by clicking the os8-signature icon at the top of the left-frame tree to open up the Failover > Required tab. Copy the Signature value from the This Equalizer group at the top of the tab. If the EQ/OS 8.6 system is in dual network mode, replace...
  • Page 552 Failover 12200459: Last probe sent on this if : #1 at Fri Jan 7 22:03:40 2011 12200460: Last probe received in this if: #1 at Fri Jan 7 22:03:41 2011 12200461: Number of strikes : 1 Look carefully at the output for any errors. If you see any, or if the State is anything other than Probing: Check the VLAN configurations on both systems to ensure they are exactly the same, and correct if not.
  • Page 553 Equalizer Administration Guide 5. Set the hb_interval parameter (Heartbeat Interval in the GUI) on the EQ/OS 10 (local) peer to a value that is the Probe Interval parameter on the EQ/OS 8.6 system times the number of interfaces (VLANs) configured on the EQ/OS 8.6 system. For example if the EQ/OS 8.6 Probe Interval value is "5"...
  • Page 554 Failover You can force the units to switch failover modes by rebooting the current primary Equalizer. Note that the coyote icons at the top of the left frame of the EQ/OS 8.6 GUI will not change to indicate when the EQ/OS 10 peer is in primary mode -- that is, the EQ/OS 10 system will always have the sitting coyote icon next to it.
  • Page 555: Configuring Active/Passive Failover Between Two Systems

    Equalizer Administration Guide Configuring Active/Passive Failover Between Two Systems When two Equalizers are configured into Active/Passive failover, they form a "failover pair". An Equalizer in a failover pair is called a "peer". At any given time, only one of the Equalizers in a failover pair is actually servicing requests sent to the cluster IP addresses defined in the configuration -- this unit is called the "active peer"...
  • Page 556: Configuring Vlan (Subnet) Failover Settings (Cli)

    Failover Configuring VLAN (Subnet) Failover Settings (CLI) Configure subnets for failover using the CLI as follows: 1. Configure VLANs and Subnets as described in "Configuring Subnets" on page 301. It is important that the VLANs are identical on both the preferred primary and the backup. 2.
  • Page 557 Equalizer Administration Guide fo_ssh - when enabled, login will be permitted on the Failover IP address on the subnet. fo_snmp - when enabled, snmp will accept connections on the Failover IP address on the subnet. fo_envoy - when enabled, this will allow Envoy to monitor this subnet for failover. fo_envoy_agent - when enabled, this will allow an Envoy agent to monitor this sub-...
  • Page 558 Failover 6. Enter: eqcli > vlan vlname subnet sname hb_interval seconds Where vlname is the name of the VLAN, sname is the name of the subnet and seconds is the heartbeat interval or time in seconds (default: 2) between successful heartbeat checks of the peer.
  • Page 559: Configuring Vlan (Subnet) Failover Settings (Gui)

    Equalizer Administration Guide Configuring VLAN (Subnet) Failover Settings (GUI) Configure subnets for failover using the GUI as follows: 1. Configure both Equalizers running EQ/OS 10: a. Perform initial system configuration as outlined in "Load Balancing & Networking" on page 89. b. Create all required VLANs, clusters, servers, etc., required for your configuration.
  • Page 560 Failover 6. Configure the failover parameters for the preferred primary Equalizer; in this case sn01 on the VLAN 172net. Use the check boxes and sliders as necessary. You will not be able to change the Failover IP Address. The Failover IP Address is used primarily as a server gateway and to provide an IP address for system services such as the GUI, SSH, etc.
  • Page 561 Equalizer Administration Guide 11. Use the Failed Probe Count slider to adjust the number of failed peer probe attempts that must occur before marking a peer "down" (default: 3). If the Failed Probe Count reaches its specified maximum value on the subnet, or if the Failed Probe Count reaches 1 on all subnets in a multi-subnet network configuration, then a failover can occur.
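  The strike_count description on page 544 and the Failed Probe Count rule in step 11 above together define when a peer is marked "down": a heartbeat fails when the Heartbeat Interval elapses with no probe received on a subnet, successive failures accumulate as strikes, and failover can occur when the strikes on one subnet reach the Failed Probe Count or when every subnet of a multi-subnet configuration has at least one strike. The following Python is an added example written to illustrate those two rules; it is not Equalizer or Coyote Point code. The subnet names, the heartbeat arrival times, the replay helper and the scenario functions are all constructed for the illustration, and the default values (hb_interval 2 seconds, strike_count 3) are the defaults stated in this guide.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class SubnetProbeState:
    """Per-subnet heartbeat bookkeeping for one remote peer (constructed model)."""
    strikes: int = 0            # successive failed heartbeats on this subnet
    last_received: float = 0.0  # time of the last heartbeat received (0.0 = when the pair joined)


@dataclass
class PeerMonitor:
    """Tracks heartbeats from one remote peer across the subnets shared with it."""
    subnets: List[str]
    hb_interval: float = 2.0    # Heartbeat Interval in seconds (guide default: 2)
    strike_count: int = 3       # Failed Probe Count / strike_count (guide default: 3)
    state: Dict[str, SubnetProbeState] = field(init=False)

    def __post_init__(self) -> None:
        self.state = {name: SubnetProbeState() for name in self.subnets}

    def heartbeat_received(self, subnet: str, now: float) -> None:
        self.state[subnet].last_received = now

    def check_interval(self, subnet: str, now: float) -> int:
        """Evaluate one subnet at the end of a heartbeat interval: a probe seen within
        the interval resets the run of strikes, otherwise the heartbeat has failed."""
        st = self.state[subnet]
        if now - st.last_received < self.hb_interval:
            st.strikes = 0
        else:
            st.strikes += 1
        return st.strikes

    def peer_down(self) -> bool:
        """Failover condition: strikes reach strike_count on any subnet, or at least one
        strike on every subnet of a multi-subnet configuration."""
        strikes = [st.strikes for st in self.state.values()]
        if any(s >= self.strike_count for s in strikes):
            return True
        return len(strikes) > 1 and all(s >= 1 for s in strikes)


def replay(monitor: PeerMonitor, heartbeats: List[Tuple[float, str]],
           horizon: float) -> Optional[float]:
    """Replay (time, subnet) heartbeat arrivals, evaluating the peer at every interval
    boundary up to horizon; return the first time the peer would be marked down."""
    pending = sorted(heartbeats)
    i = 0
    t = monitor.hb_interval
    while t <= horizon:
        while i < len(pending) and pending[i][0] <= t:   # deliver probes up to this check
            monitor.heartbeat_received(pending[i][1], pending[i][0])
            i += 1
        for subnet in monitor.subnets:
            monitor.check_interval(subnet, t)
        if monitor.peer_down():
            return t
        t += monitor.hb_interval
    return None


def scenario_single_subnet_silence() -> Optional[float]:
    # Constructed: probes at t=1 and t=3 on the only subnet, then the peer goes silent.
    # Strikes accrue at t=6, 8, 10; the third strike marks the peer down at t=10.
    m = PeerMonitor(["sn01"])
    return replay(m, [(1.0, "sn01"), (3.0, "sn01")], horizon=20.0)


def scenario_multi_subnet_one_strike_each() -> Optional[float]:
    # Constructed: two subnets, both stop hearing the peer after t=3. One strike on
    # every subnet (t=6) is enough in a multi-subnet configuration.
    m = PeerMonitor(["sn01", "sn02"])
    probes = [(1.0, "sn01"), (1.0, "sn02"), (3.0, "sn01"), (3.0, "sn02")]
    return replay(m, probes, horizon=20.0)


def scenario_recovery_resets_strikes() -> Tuple[Optional[float], int]:
    # Constructed: one missed interval, then the peer resumes probing every 2 seconds.
    # The single strike is cleared by the next successful interval; no failover.
    m = PeerMonitor(["sn01"])
    probes = [(1.0, "sn01"), (3.0, "sn01")] + [(float(t), "sn01") for t in range(7, 21, 2)]
    return replay(m, probes, horizon=20.0), m.state["sn01"].strikes


if __name__ == "__main__":
    print("single subnet, silence  ->", scenario_single_subnet_silence())
    print("two subnets, silence    ->", scenario_multi_subnet_one_strike_each())
    print("one miss, then recovery ->", scenario_recovery_resets_strikes())
```

  The multi-subnet scenario is the one worth noticing when tuning: with more than one subnet, a single missed interval on each subnet is already sufficient for failover, so raising the Failed Probe Count only protects a single-subnet configuration against a brief loss of probes. The recovery scenario shows why the count is described as successive failures: a probe arriving inside a later interval resets the run to zero rather than leaving the earlier strike in place.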
  • Page 562: Configuring Active/Passive Failover (Cli)

    Failover Configuring Active/Passive Failover (CLI) Perform Steps 1 and 2 on both Equalizers 1. Perform initial system configuration on both units as outlined in "Networking Technologies" on page 90. 2. Configure VLANs and subnets on both units; they must be exactly the same as noted in "Failover Constraints" on page 539.
  • Page 563 Equalizer Administration Guide peer to display more details of the peer, including the signature. eqcli > show peer name Substitute the name of the peer displayed in the previous step for name. The information for that peer definition is displayed, as in this example: eqcli >...
  • Page 564 Failover Perform Steps 4 and 5 on the preferred primary Equalizer to add failover flags and to create a new peer definition for the backup. You now need to configure the preferred primary Equalizer by adding failover flags and creating a peer on it for the backup that you created in steps 3 and 4.
  • Page 565 Equalizer Administration Guide 5. Now create a peer definition for the preferred backup on the primary Equalizer: a. Enter the following: eqcli > peer name signature signature Substitute the signature of the preferred backup that you obtained in Step 3, above. b.
  • Page 566 Failover emulator’s supported editing commands. You’ll need it in the following steps. Perform Step 6 on the preferred backup Equalizer to add failover flags and create a peer definition for the primary Equalizer. 6. Create a peer definition for the preferred primary, using the signature that you recorded in step 5: a.
  • Page 567 Equalizer Administration Guide e. Verify the peer definitions by entering the following that should show the new peer definition: eqcli > show peer ------------------------------------ Configuration Sequence Number: 4593 ------------------------------------ Peer Name Type Flags F/O Mode Error eq_00241DB2ABA0(Local) OS/10 F/O, P/P, xfr Primary eq_001D7D78E13E(Remote)OS/10 F/O, xfr...
  • Page 568 Failover Perform Step 7 on both Equalizers. 7. Once both units start to communicate, displaying the peer definitions should indicate that the units have assumed the primary and backup failover roles. a. Confirm this on both units by entering: eqcli > show peer ------------------------------------ Configuration Sequence Number: 4593 ------------------------------------...
  • Page 569 Equalizer Administration Guide Failover Mode : Primary Last Peer heartbeated : eq_001D7D78E13E Last Peer heartbeated from : eq_001D7D78E13E Interface : in1 State : Heartbeating    Substate : Start Number of strikes : 0 Subnet : Me2 State : Heartbeating Substate : Start Number of strikes Interface : in2...
  • Page 570 Failover Last heartbeat sent : #322 at Wed Mar 14 12:07:10 2012 Last heartbeat received : #194 at Wed Mar 14 12:07:10 2012 Interface : in1a State : Heartbeating Substate : Start Last heartbeat sent : #161 at Wed Mar 14 12:07:10 2012 Last heartbeat received : #97 at Wed Mar 14 12:07:10 2012 Number of strikes : 0...
  • Page 571 Equalizer Administration Guide Displaying the Failover Summary. You can display the failover summary by entering eqcli > show failover. The following is an example of the failover summary: eqcli > show failover Local Peer Failover Information Command subnet: Vlan v2, Subnet sn172 Failover: Enabled Mode:...
  • Page 572: Configuring Active/Passive Failover (Gui)

    Failover Configuring Active/Passive Failover (GUI) Perform Steps 1 and 2 on both Equalizers. 1. Perform initial system configuration on both units as outlined in Networking Technologies. 2. Configure VLANs and subnets on both units; they must be exactly the same as noted in Failover Constraints.
  • Page 573 Equalizer Administration Guide 4. Log in to the GUI for the preferred primary Equalizer using the procedures described in "Logging In" on page 230. a. Configure the preferred primary peer and check the Failover and preferred_primary flags on the preferred primary Equalizer as shown below. b.
  • Page 574 Failover c. Configure the timeout and interval sliders using the descriptions provided in "Failover Peer Probes and Timeouts" on page 543. c. Enable the Failover flag and click on Commit. Note - Once the two peers are joined in a failover group (heartbeating and file sync are occurring), then they synchronize their remote peer definitions with the information obtained from the remote peer - the name and flags on the remote peer change.
  • Page 575 Equalizer Administration Guide b. Click on Peers on the left navigational pane to display the Peers summary screen as shown below. Note that the first Peer Summary screen shows the preferred primary Equalizer, since it is categorized as Local, and if a failover state exists it will become the backup.
  • Page 576 Failover c. You can view the subnet stats of each by selecting the Subnet Status tab for each showing a Heartbeating condition. The first is the preferred primary load balancer and the second is the backup. Peer Summary Display Showing Errors If failover were NOT configured correctly or a problem existed with one of the peers, you would see a display similar to the following example.
  • Page 577: Configuring Active/Active Failover

    Equalizer Administration Guide Configuring Active/Active Failover Active/Active (A/A) failover allows clusters to be active on both Peers that are configured into failover. For the same failure situations that cause a Peer to take over all the cluster and floating IP addresses in an Active/Passive failover configuration, Active/Active failover operates the same way - that is, the healthy Peer will take over all of the cluster and failover IPs.
  • Page 578: Configuring Active/Active Failover (Cli)

    Failover Configuring Active/Active Failover (CLI) 1. Configure failover using the current procedures described in "Configuring Active/Passive Failover (CLI)" on page 562. 2. Activate the Active/Active failover mode by setting the active-active flag on the local Peers. This flag must be set on both Peers for A/A to be enabled. If the flag is set on only one, or no Peers, failover operates as in the current Active/Passive mode.
  • Page 579 Equalizer Administration Guide Backup Equalizer eqcli > show peer Peer Name Type Flags F/O Mode Message(s) Backup (Local) OS/10 F/O,A/A,xfr Primary Primary (Remote) OS/10 F/O,A/A,P/P,xfr Backup Flags Key: F/O => failover A/A => active-active P/P => preferred-primary xfr => fo_config_xfer ssl =>...
  • Page 580 Failover Show the cluster parameters by entering : eqcli > show cluster cl-tcp L4 Cluster Name : cl-tcp Protocol : tcp IP Address : 172.16.0.131 Port : 80 Port Range Preferred Peer : Primary Server Pool : testserverpool Sticky Timeout Sticky Netmask Idle Timeout Stale Timeout...
  • Page 581 Equalizer Administration Guide Display the elements of the failover group by entering show fogrp <name> - where <name> is one of the names in the list. For example: eqcli > show fogrp fo_group2 F/O Group fo_group1: Preferred Peer = Primary    Primary Peer = Backup    F/O Mode...
  • Page 582 Failover Testing Active/Active Failover 1. First verify that Active/Passive failover works. Refer to "Enabling Active/Passive Failover Between Two Systems" on page 555. 2. With Active/Active failover enabled: a. Configure more than 1 cluster, but all in the same Failover Group and verify that failover works the same as with an Active/Passive setup.
  • Page 583: Configuring N+1 Failover

    Equalizer Administration Guide Configuring N+1 Failover N+1 Failover is a feature where the failover configuration consists of multiple active peers ("N") plus 1 passive peer. In this type of failover configuration, the Equalizer clusters are instantiated on all "N" peers and organized into failover groups. If the passive, or backup peer's connectivity for a failover group's resources is judged to be "healthier"...
  • Page 584: Network Design For N+1 Failover

    Failover Network Design for N+1 Failover The design of the host network is critical to a successful failover configuration. The essential concept of active-active failover is that resources that are required for a cluster to serve client requests are organized into "failover groups". For any cluster, the required resources include: the cluster object and all objects to which it points including server pools, server instances, servers, responders, certificates, etc.
  • Page 585 Equalizer Administration Guide 5. If the preferred peer is not one of the systems that can provide connectivity, or if a cluster has no preferred peer set, then Equalizer checks to see if the peer that has the ‘preferred primary’ flag set can provide the required connectivity. If it can, the failover groups are moved to that peer.
  • Page 586: Monitoring N+1 Failover

    Failover Monitoring N+1 Failover There are several CLI commands you can use to monitor failover status: Displaying Failover Group Status Failover groups are configured by Equalizer automatically according to your network topology and the subnets on which cluster and server IP addresses reside. You can modify the failover group configuration only by modifying your cluster IP addresses, server IP addresses, and subnet configuration.
  • Page 587 Equalizer Administration Guide Detailed failover group status can be obtained by supplying a group name to the show fogrp command: eqcli > show fogrp fo_group1 F/O Group fo_group1: Perferred Peer = Eq-A Primary Peer = Eq-A F/O Mode = Primary Subnet Members (num = 1): V12:172net Cluster members (num = 1):...
  • Page 588 Failover Displaying Peer Status The show peer command displays a summary of all the currently defined peers: eqcli > show peer Peer Name Type Flags F/O Mode Error? Eq-A (Local) OS/10 F/O, A/A, P/P, xfr Mixed Eq-B (Remote) OS/10 F/O, A/A, xfr Mixed Eq-C (Remote) OS/10...
  • Page 589 Equalizer Administration Guide For detailed output regarding heartbeat status between this peer and other peers in the failover set of Equalizers, specify the name of a remote peer:
  • Page 590: Rebalancing

    Failover Displaying Cluster Status Specify the name of a cluster to the show cluster command to see if the cluster is currently instantiated on the Equalizer to which you are logged in. The first couple of lines in the output indicate the cluster status, as in this example: eqcli >...
  • Page 591: Configuring N + 1 Failover With 3 Load Balancers (Cli)

    Equalizer Administration Guide Configuring N + 1 Failover with 3 Load Balancers (CLI) In this configuration, three Equalizers (Eq-A, Eq-B, and Eq-C) cooperate to provide high availability. They do not need to be the same models. They are configured with: 2 VLAN subnets; 2 clusters -- 1 preferred on each of Eq-A and Eq-B, no clusters on Eq-C; 2 failover groups...
  • Page 592 Failover e. Set the timezone. The time zone setting is useful when examining logs. Enter: eqcli > timezone? Locate your timezone in the displayed list and press "q" to quit out of the list. Then, type in your timezone number and press <Enter>, as in this example for the "America/New York"...
  • Page 593 Equalizer Administration Guide 2. After you complete Step 1 on all three load balancers, do the following on load balancer Eq- a.  Create the clusters, servers, server pools, and server instances necessary for your configuration. For the purposes of this procedure, we created the following objects and non-default settings: eqcli >...
  • Page 594 Failover 3. Do the following on Eq-B a. Update the flags for peer Eq-B eqcli > peer Eq-B flags failover,active-active,fo_config_xfer b. Create the peer definitions for the remote peers Eq-A and Eq-C eqcli > peer Eq-A signature signature eqcli > peer Eq-C signature signature Note - The signature for each remote peer can be displayed by logging into the CLI on that peer and Eq-A...
  • Page 595 Equalizer Administration Guide 5. Verify that the peer status is correct: a. On Eq-A the peer status should now look like this: eqcli > show peer ------------------------------------ Configuration Sequence Number: XXXX ------------------------------------ Peer Name Type Flags F/O Mode Message(s)? Eq-A (Local) OS/10 F/O, A/A, P/P, xfr Primary Eq-B (Remote)OS/10 F/O, A/A, xfr...
  • Page 596 Failover 6. Show the fo group details and status as follows: a. For fo_group1: eqcli > show fogrp fo_group1 F/O Group fo_group1: Preferred Peer = Eq-A Primary Peer = Eq-A F/O Mode = Primary Subnet Members (num = 2): vlan2:172net    vlan3:192net Cluster Members (num = 2):    clB...
  • Page 597: Configuring N + 1 Failover With 4 Load Balancers (Cli)

    Equalizer Administration Guide Configuring N + 1 Failover with 4 Load Balancers (CLI) In this configuration, four Equalizers (Eq-A, Eq-B, Eq-C, and Eq-D) cooperate to provide high availability. They do not need to be the same models. They are configured with: 3 VLAN subnets; 3 clusters -- 1 preferred on each of Eq-A, Eq-B, and Eq-C;...
  • Page 598 Failover e. Set the timezone. Enter: eqcli > timezone? Locate your timezone in the displayed list and press "q" to quit out of the list. Then, type in your timezone number and press <Enter>, as in this example for the "America/New York" time zone: eqcli >...
  • Page 599 Equalizer Administration Guide 2. After you complete Step 1 on all three Equalizers, do the following on Equalizer Eq-A a. Create the clusters, servers, server pools, and server instances necessary for your configuration. For the purposes of this procedure, we created the following objects and non-default settings: eqcli >...
  • Page 600 Failover d. Set a preferred peer for each cluster: eqcli > cluster clA preferred_peer Eq-A eqcli > cluster clB preferred_peer Eq-B eqcli > cluster clC preferred_peer Eq-C 3. Do the following on Eq-B: a. Update the flags for peer Eq-B: eqcli >...
  • Page 601 Equalizer Administration Guide 5. Do the following on Eq-D: a. Update the flags for peer Eq-D: eqcli > peer Eq-D flags failover,active-active,fo_config_xfer b. Create the peer definitions for the remote peers Eq-A, Eq-B, and Eq-C: eqcli > peer Eq-A signature signature flags failover,fo_config_xfer,preferred_primary eqcli >...
  • Page 602 Failover c. On Eq-C, the peer status should now look like this: eqcli > show peer ------------------------------------ Configuration Sequence Number: XXXX ------------------------------------ Peer Name Type Flags F/O Mode Message(s) Eq-C (Local) OS/10 F/O, A/A, xfr Backup Eq-A (Remote)OS/10 F/O, A/A, P/P, xfr Primary Eq-B (Remote)OS/10 F/O, A/A, xfr Backup...
  • Page 603 Equalizer Administration Guide 7. Show the fo group details and status as follows: a. For fo_group1: eqcli > show fogrp fo_group1 F/O Group fo_group1: Preferred Peer = Eq-A Primary Peer = Eq-A F/O Mode = Primary Subnet Members (num = 3): vlan2:172net-1    vlan2:172net-2    vlan3:192net...
  • Page 604 Failover c. For fo_group3: eqcli > show fogrp fo_group3 F/O Group fo_group3: Preferred Peer = Eq-C Primary Peer = Eq-A F/O Mode = Backup Subnet Members (num = 3): vlan2:172net-1    vlan2:172net-2    vlan3:192net Cluster Members (num = 3):    clB    clC Server Members (num = 3):    sv3    sv4 eqcli >...
  • Page 605: Configuring N + 0 Failover With 4 Load Balancers (Cli)

    Equalizer Administration Guide Configuring N + 0 Failover with 4 Load Balancers (CLI) In this configuration, four Equalizers (Eq-A, Eq-B, Eq-C, and Eq-D) cooperate to provide high availability. They do not need to be the same models. They are configured with: 4 VLAN subnets; 4 clusters -- 1 preferred on each of Eq-A, Eq-B, Eq-C, and Eq-D; 4 failover groups...
  • Page 606 Failover e. Set the timezone. Enter: eqcli > timezone? Locate your timezone in the displayed list and press "q" to quit out of the list. Then, type in your timezone number and press <Enter>, as in this example for the "America/New York" time zone: eqcli >...
  • Page 607 Equalizer Administration Guide 2. After you complete Step 1 on all three Equalizers, do the following on Equalizer Eq-A: a. Create the clusters, servers, server pools, and server instances necessary for your configuration. For the purposes of this procedure, we created the following objects and non-default settings: eqcli >...
  • Page 608 Failover c. Create the peer definitions for the remote peers Eq-B and Eq-C:
    eqcli > peer Eq-B signature signature
    eqcli > peer Eq-C signature signature
    eqcli > peer Eq-D signature signature
    Note - The signature for each remote peer can be displayed by logging into the CLI on that peer and executing show peer <name>, where...
  • Page 609 4. Do the following on Eq-C: a. Update the flags for peer Eq-C:
    eqcli > peer Eq-C flags failover,active-active,fo_config_xfer
    b. Create the peer definitions for the remote peers Eq-A, Eq-B, and Eq-D:
    eqcli > peer Eq-A signature signature
    eqcli >...
  • Page 610 6. Verify that the peer status is correct: a. On Eq-A, the peer status should now look like this:
    eqcli > show peer
    ------------------------------------
    Configuration Sequence Number: XXXX
    ------------------------------------
    Peer Name       Type    Flags              F/O mode   Message(s)
    Eq-A (Local)    OS/10   F/O,A/A,P/P,xfr    Primary
    Eq-B (Remote)   OS/10   F/O,A/A,xfr        ...
  • Page 611 d. On Eq-D, the peer status should now look like this:
    eqcli > show peer
    ------------------------------------
    Configuration Sequence Number: XXXX
    ------------------------------------
    Peer Name       Type    Flags              F/O mode   Message(s)
    Eq-D (Local)    OS/10   F/O,A/A,xfr        Backup
    Eq-A (Remote)   OS/10   F/O,A/A,P/P,xfr    Primary
    Eq-B (Remote)   OS/10   F/O,A/A,xfr        Backup
    ...
  • Page 612 b. For fo_group2:
    eqcli > show fogrp fo_group2
    F/O Group fo_group2:
      Preferred Peer = Eq-B
      Primary Peer = Eq-A
      F/O Mode = Backup
      Subnet Members (num = 4): vlan2:172net-1  vlan2:172net-2  vlan3:192net-1  vlan3:192net-2
      Cluster Members (num = 4): clB  clC  clD
      Server Members (num = 4): sv3...
  • Page 613 d. For fo_group4:
    eqcli > show fogrp fo_group4
    F/O Group fo_group4:
      Preferred Peer = Eq-D
      Primary Peer = Eq-A
      F/O Mode = Backup
      Subnet Members (num = 4): vlan2:172net-1  vlan2:172net-2  vlan3:192net-1  vlan3:192net-2
      Cluster Members (num = 4): clB  clC  clD...
  • Page 615: Logs And Reports

    Chapter 19 Logs and Reports. Sections within this chapter include: Displaying Logs; Export to CSV; Filtering Status Details; Event Log; System Log; Audit Log; Upgrade Log; Remote System Logging; Reporting. Copyright © 2014 Coyote Point Systems, A Subsidiary of Fortinet, Inc. All Rights Reserved.
  • Page 616: Displaying Logs

    Displaying Logs Logs can be displayed in both the CLI and the GUI. In the CLI, use the following command:
    eqcli > show log <log type> <number of lines> range <datetime1>-<datetime2>
    Substitute <log type> as eq, sys, or audit to display the event log, system log, or audit log, respectively.
  • Page 617: Export To Csv

    Export to CSV Click on the Export to CSV button to download the log in comma separated values (*.csv) format. The file name will be in the format Equalizer-mon-dd[time frame]EventLog.csv. An example is shown below. This is an example of a change added to this document.
  • Page 618: Filtering Status Details

    Filtering Status Details After displaying events for all of Equalizer's configured objects or individual objects, the events displayed in the table can be filtered by specifying Start Times and End Times. Click on Click to Filter to display the Data Filter Parameters dialogue as shown below...
  • Page 619: Event Log

    Event Log The event log displays events for each element configured on the Equalizer. This includes Clusters, Server Pools, Servers and Responders. 1. Verify that you are logged into the GUI. If not, log in as described in "Logging In" on page...
  • Page 620: System Log

    System Log Clicking on the System Log icon on the left will display the contents of the system log file, in which the information, warnings, and error messages contained in the file are displayed. 1. Verify that you are logged into the GUI. If not, log in as described in "Logging In" on page...
  • Page 621: Audit Log

    Audit Log Clicking on the Audit Log icon on the left will display the contents of the audit log, showing all user activity performed on the appliance. 1. Verify that you are logged into the GUI. If not, log in as described in "Logging In" on page...
  • Page 622: Upgrade Log

    Upgrade Log Clicking on the Upgrade Log icon on the left will display the contents of the upgrade log, with details of previous software upgrades on your appliance. 1. Verify that you are logged into the GUI. If not, log in as described in "Logging In" on page...
  • Page 623: Remote System Logging

    Remote System Logging Remote system logging is enabled in the global CLI context using the syslog and syslog-server commands, and in the GUI from the Log and Reports configuration tab. Enabling Remote System Logging (GUI) 1. Verify that you are logged into the GUI. If not, log in as described in "Logging In" on page...
  • Page 624 To disable remote logging without removing the IP address or name of the current remote logging server, enter:
    eqcli > syslog disable
    Alternatively, removing the IP address or name of the current remote logging server will also automatically disable remote logging:
    eqcli >...
  • Page 625: Reporting

    Reporting The CPU & Memory Usage display indicates: CPU Consumption - the average percent of non-idle CPU time over the selected time period; Memory Utilization - the average percent of in-use memory over the selected time period. 1. Verify that you are logged into the GUI. If not, log in as described in "Logging In" on page...
  • Page 627: Configuring Server Connections

    Chapter 20 Configuring Server Connections. Sections within this chapter include: HTTP Multiplexing; Enabling HTTP Multiplexing; Disabling "spoof" for HTTP Multiplexing; Server Options for HTTP Multiplexing; Direct Server Return (DSR); Configuring a Cluster for Direct Server Return; Configuring Servers for Direct Server Return.
  • Page 628: Http Multiplexing

    HTTP Multiplexing HTTP multiplexing is the re-use of established server connections for multiple client connections. The best way to understand this feature is to compare non-multiplexing behavior to multiplexing behavior. When HTTP multiplexing is disabled (the default on Equalizer), each client connection requires a new connection between Equalizer and a server.
  • Page 629: Enabling Http Multiplexing

    Enabling HTTP Multiplexing On Equalizer, TCP multiplexing can be enabled for HTTP and HTTPS clusters only and is disabled by default. The figure below describes the general process to follow when enabling TCP multiplexing for the first time. After TCP multiplexing is enabled as above, it can be selectively disabled on clusters and server instances without modifying the TCP multiplexing parameters set on the server.
  • Page 630: Disabling "Spoof" For Http Multiplexing

    Disabling "spoof" for HTTP Multiplexing In the most common configurations, where many clients with unique IP addresses connect to the cluster, it makes sense to disable the spoof option when enabling TCP multiplexing, so that server connections can be re-used for any client request. This is because the spoof option causes Equalizer to use the client IP address as the source address in all packets sent to servers (disabling Source Network Address Translation, or SNAT).
  • Page 631: Server Options For Http Multiplexing

    Server Options for HTTP Multiplexing Once a server sends a complete response to a client request, instead of closing the server connection, Equalizer keeps the connection open and places a record for the connection into a pool of connections available for re-use.
  • Page 632: Direct Server Return (Dsr)

    Direct Server Return (DSR) In a typical load balancing scenario, server responses to client requests are routed through Equalizer on their way back to the client. Equalizer examines the headers of each response and may insert a cookie before sending the server response on to the client. In a Direct Server Return (DSR) configuration, the server receiving a client request responds directly to the client IP, bypassing Equalizer.
  • Page 633: Configuring A Cluster For Direct Server Return

    Configuring a Cluster for Direct Server Return The cluster dsr and spoof flags must be enabled for direct server return connections. In addition, the cluster idle timeout parameter should be set as described in the table below: dsr - Enables Direct Server Return.
  • Page 634: Configuring Servers For Direct Server Return

    Configuring Servers for Direct Server Return Server configuration for DSR involves these basic steps: 1. Add a loopback network interface on the server. 2. Configure the loopback interface with the IP address and port of the DSR cluster. 3. ...
  • Page 635: Adjusting Arp Behavior On Linux Servers

    4. To configure the IIS HTTP server for DSR: Open Start > Administrative Tools > Internet Information Service (IIS) Manager. a. In the left frame, expand the local computer and then Web Sites to display a list of the web sites running on the server.
  • Page 636: Configuring A Loopback Interface On Other Systems For Dsr

    2. Enter the following command to verify that the loopback alias was created:
    # ifconfig lo:dsr
    The output should look like this:
    lo:dsr  Link encap:Local Loopback
            inet addr:cluster-ip  Mask:255.255.255.255
            UP LOOPBACK RUNNING  MTU:16436  Metric:1
    3. To configure an Apache 2.0 server for DSR, edit the server configuration file to add a Listen directive for the cluster IP (on many systems, the configuration file is found at /usr/local/etc/apache/httpd.conf).
  • Page 637: Weak And Strong Host Models And Dsr

    Weak and Strong Host Models and DSR Network interfaces on non-routing systems use either the "weak host" or "strong host" models for packet transmission and reception (these models are defined in RFC1122). In the "strong host" model, a system that is not acting as a router cannot send or receive any packets on a given interface unless the destination/source IP in the packet is assigned to the interface.
  • Page 639: Server Health Check Probes

    Chapter 21 Server Health Check Probes. Sections within this chapter include: About Server Health Check Probes; Layer 3 ICMP Probes; Enabling/Disabling Layer 3 ICMP Probes; Configuring Layer 3 ICMP Probe Parameters; L4 UDP Probes; Enabling/Disabling L4 UDP Probes; L4 TCP/IP Probes; Enabling/Disabling L4 TCP Probes; Active Content Verification (ACV) Probes...
  • Page 640: About Server Health Check Probes

    About Server Health Check Probes This chapter describes: How Equalizer uses health check probes to ensure server availability. How you can configure probe parameters and options to tailor them for your specific configuration and applications. On Equalizer, a "server"...
  • Page 641: Layer 3 Icmp Probes

    Layer 3 ICMP Probes By default, Equalizer sends an Internet Control Message Protocol (ICMP) echo request (commonly called a "ping") to the IP address of every configured server object. If a server does not respond to an ICMP echo request, Equalizer continues to issue any other probes (TCP, ACV, server agent) configured for the cluster.
  • Page 642: Enabling/Disabling Layer 3 Icmp Probes

    Enabling/Disabling Layer 3 ICMP Probes Enable/Disable ICMP probes in the GUI ICMP probes are enabled by default for all servers. 1. Verify that you are logged into the GUI. If not, log in as described in "Logging In" on page...
  • Page 643: Configuring Layer 3 Icmp Probe Parameters

    Configuring Layer 3 ICMP Probe Parameters ICMP server probes are configured using the global parameters described in the table below. Each server is sent ICMP ECHO Request packets by Equalizer and is marked up or down depending upon whether the server responds or not.
  • Page 644 eqcli > parameter_name value [...]
    2. Enter a parameter_name and value which are described in ICMP Probe Parameters above.
  • Page 645: L4 Udp Probes

    L4 UDP Probes L4 UDP probes are performed on UDP protocol servers only. For specific Remote Procedure Call (RPC) services running on well-known ports - Network File System (NFS) and portmap - an RPC call is sent to the server. If no response is received, the server is marked "DOWN".
  • Page 646: L4 Tcp/Ip Probes

    L4 TCP/IP Probes L4 TCP probes (acvd) are performed on servers running TCP protocol only. Equalizer attempts to open a TCP connection with a server on its configured IP address and probe port. A TCP probe is successful if the connection is established.
  • Page 647: Active Content Verification (Acv) Probes

    Active Content Verification (ACV) Probes Active Content Verification serves two purposes: L4 probing and L7 probing. It is a mechanism for checking the validity of a server pool. When you enable ACV for a server pool, Equalizer requests data from each server pool in a cluster and verifies that the returned data contains a character string that indicates that the data is valid.
  • Page 648: Enabling/Disabling Acv Probes

    Enabling/Disabling ACV Probes Enable/Disable ACV Probes in the GUI 1. Verify that you are logged into the GUI. If not, log in as described in "Logging In" on page 230. 2. Select the Load Balance configuration tab on the left navigational pane if it is not already selected.
  • Page 649: Setting Acv Query And Response Strings

    Setting ACV Query and Response Strings Specifying an ACV Query and an ACV Response String basically automates the exchange shown in Active Content Verification (ACV) Probes. Equalizer uses the probe string to request data from each server. To verify the server's content, Equalizer searches the returned data for the response string. For example, you can use "GET /index.html"...
  • Page 650: Testing Acv Probes

    If the page that is returned contains the correct response string (in the first 1024 characters, including headers), the server is marked "UP"; if ALL OK is not present, the server is marked "DOWN". L4 TCP probes (acvd) are performed on servers running TCP protocol only. Verify that the Probe Layer 4 option is enabled on server instances on server pools using ACV.
  • Page 651: Configuring Udp And Tcp Parameters

    Configuring UDP and TCP Parameters UDP and TCP probe parameters are configured on all server pools and apply only to the server instances (and thus the servers) within a server pool. UDP and TCP Parameters (GUI Probe Parameter (CLI Probe Parameter) - Description): A timer specifying the length of time (in seconds) during which a successful TCP or UDP server probe must occur,...
  • Page 652 Setting UDP and TCP Probe Parameters in the GUI 1. Verify that you are logged into the GUI. If not, log in as described in "Logging In" on page 230. 2. Select the Load Balance configuration tab on the left navigational pane if it is not already selected.
  • Page 653: Simple Health Check Probes

    Simple Health Check Probes Simple health checks allow you to configure Equalizer to probe a specified target and retrieve a "load" value from the target which describes its current level of load. A user-supplied "server agent" must be running at the target, which responds to a simple health check query from the Equalizer with a load value.
  • Page 654 GUI Parameter (CLI Parameter) - Description: Probe Global Timeout (probe_gto) - The health check global timeout. The number of seconds (default: 5) Equalizer waits for a connection to the health check server application to complete before marking the server down.
  • Page 655 6. Enter a name in the Health Check Name area and select simple from the Health Check Type drop down list. 7. Click on Commit to save the health check.
  • Page 656 8. Click on the simple health check that will appear in the accordion list on the right pane when a server pool is selected from the right navigational pane. The following will be displayed: 9. Enter Simple Health Check parameters using Simple Health Check Parameters above. 10.
  • Page 657 13. Select a Health Check Name from the drop down list and click on Commit. The following will be displayed. 14. Health check instances will be arranged in an expandable accordion list. The Name, Type and Status indicator will appear on the accordion label. Click on the accordion label to expand the display.
  • Page 658: Simple Health Checks And Load Balancing Policies

    2. Display the configuration of HC1:
    eqcli > show srvpool MyPool health_check HC1
    Health Check Name          : HC1
    Type                       : simple
    Port                       : 1510
    Stimulus                   :
    Healthy                    : 0.000000
    Loaded                     : 100.000000
    Probe Interval             : 15
    Max tries per interval     : 3
    Global Timeout             : 5
    First state change timeout : 1
    ...
  • Page 659: Server Agents

    Server Agents A server agent is a custom written application that runs on a server and listens on a specific port (default: 1510). When a connection request is received on that port, the server agent returns an integer value between -1 and 100 that indicates the relative load on the server (-1 meaning the server should be considered unavailable, 0 meaning very lightly loaded, and 100 meaning heavily loaded).
  • Page 660: Sample Server Agent

    Sample Server Agent You can create custom Server Agents as shell scripts, or in Java, Perl, C, or other languages. The code snippet below is an example of a simple server agent written in Perl. This code assumes that an integer response value is supplied on the command line and returns that value when a connection is made on port 1510 (configurable via the server instance (probe_...
  • Page 661
    print "Connection from: [$client_ipnum]\n";
    # send the server agent response value
    print CLIENT $response;
    # close connection
    close CLIENT;
    Here is the output of the server program when it is started on the server:
    $ ./serveragent.pl 50
    Server agent started on port 1510
    Connection from: [10.0.0.32]
    Another "Connection"...
  • Page 662: Vlb Health Check Probes

    VLB Health Check Probes All Equalizers support basic load balancing of VMware servers through VMware vConsole integration. Equalizer uses VMware's management API to retrieve real-time virtual server performance information from a VMware vCenter console that manages virtual machines running on ESX Server (or from a single ESX Server directly).
  • Page 663: Enabling/Disabling Vlb Health Check Probes

    Enabling/Disabling VLB Health Check Probes Enable/Disable VLB Health Check Probes in the GUI VLB probes are enabled as soon as a health check instance is added to a server instance in a server pool. Default settings for probe parameters are used unless specifically set on the Health Check Configuration screen.
  • Page 664: Configuring Vlb Health Check Probe Parameters

    Configuring VLB Health Check Probe Parameters The procedures in the Related Topics describe the process of configuring the VLB manager, health checks and health check instances using both the GUI and the CLI. VLB Health Check Probe Parameters (GUI Probe Parameter (CLI Probe Parameter) - Description): Set the relative weight (default:...
  • Page 665 Configure VLB Managers A VLB Manager is a saved configuration by which Equalizer communicates with VMware. 4. Click on VLB Manager on the External Services branch on the left navigational display. 5. Click on the "+" icon to add a VLB Manager. The figure below will be displayed. The screen features labeled accordion panes for the existing VLB managers.
  • Page 666 Associate an Equalizer server with a Virtual Machine on VMware 6. To associate an Equalizer server with a Virtual Machine on VMware, select the desired Equalizer Server on the left navigational pane and then select Configuration > VLB to display the...
  • Page 667 Add Health Checks. 7. Click on the Load Balance configuration tab on the left navigational pane and select a Server Pool from the Server Pool branch. Click on the Health Checks tab. Click on the "+" icon and the figure below will be displayed.
  • Page 668 Add VLB health check instances to server instances on the server pool. 11. Click on a server instance (from a server pool branch) in the left navigational pane and then on the Health Check Instance tab. Click on the "+" icon and the figure below will be displayed. Select a name from the drop down list.
  • Page 669 The screen also features the last health check Status, which indicates "Succeeded", "Failed", or Disabled (--), which means the Disable check box is checked. Checking the Disable checkbox will disable this health check instance for the server instance selected. 13.
  • Page 670 Configuring VLB Health Check in the CLI Proceed with the following to configure VLB health check parameters using the CLI: Create a VLB Manager as an External Service 1. Log in to the CLI as described in Starting the CLI.
  • Page 671 Associate a server with a Virtual Machine on VMware 5. Show the configured server by entering the server context and then entering:
    eqcli > server <servername> show
    where <servername> is the name of the server. An example with a server "..."
  • Page 672 Set the VLB Health Check Parameters 8. Configure the VLB health check parameters by entering the following in the health check context:
    eqcli > srvpool <serverpool name> health_check <healthcheck name> <parameter> <value>
    where: <serverpool name> is the name of the server pool; <healthcheck name> is the name of the health check...
  • Page 673 10. Enter the following to display the available virtual machines on a VLB Manager:
    eqcli sv-name > vms
    where sv-name is the name of the server. In the example below, the list of virtual machines that are configured on a vlb manager "..."
  • Page 674 Add a VLB Health Check Instance on a Server Instance in a Server Pool You now will need to add health check instances to server instances in server pools. 13. Enter the server instance context for the server instance on which you would like to add the health check: eqcli >...
  • Page 675: Health Check Timeouts

    Health Check Timeouts Configure Health Check timeouts using either the CLI or the GUI. Layer 3 Health Check Timeouts By default, Equalizer sends an Internet Control Message Protocol (ICMP) echo request (commonly called a "ping") to the IP address of every configured server object. The timeouts that control Layer 3 Health Check probes are located in the global CLI context and on the Global tab in the GUI:...
  • Page 676 GUI Parameter (CLI Parameter) - Location - Description: Probe Port (probe_port) - server instance - Optional. If this parameter is 0 (the default), probe using the port set on the server definition. If non-zero, use this parameter setting as the port number for TCP and ACV probes.
  • Page 677 Simple and VLB Health Check Timeouts Simple and VLB health checks each have their own timeouts, defined within the health check definition. They are named the same and behave the same as the timeouts for Layer 4 TCP and ACV health checks in the previous section, with the exception that the Probe Data Timeout (probe_...) is the timeout for the server response for these health checks rather than ACV.
  • Page 679: Smart Control

    Equalizer Administration Guide Chapter 22 Smart Control Sections within this chapter include: Smart Control Overview How Smart Control Works Smart Control Types Smart Control Configuration Guidelines Smart Control Classes Server Pool Class (srvpool) Server Class (server) Server Instance Class (si) ADC Class (adc) Sample Trigger Script for the Configuration of Multiple Hot Spare Servers Sample Trigger Script for Rebooting the System...
  • Page 680: Smart Control Overview

    Smart Control Smart Control Overview The Smart Control feature allows you to define a common administrative function or, Smart Event that executes the function based on pre-set threshold values for system parameters and statistics. It is a method for administrators to configure the system to automatically perform functions that may be dependent on threshold values or timing.
  • Page 681: How Smart Control Works

    Equalizer Administration Guide How Smart Control Works Automation framework drives the entire Smart Control infrastructure. This is managed by the Smart Control daemon-- smartd. This daemon loads configuration parameters from the configuration file and executes events as needed. An alerts daemon—alertd, is responsible for Smart Control alerts. This daemon already cognizant of important events in the system, so it notifies smartd when a triggered type event has occurred so that smartd can execute the necessary script.
  • Page 682: Smart Control Types

    Smart Control Smart Control Types Your user account must have administrative privileges to create Smart Controls. They can execute scripts (events) in four ways: 1. They can be executed in real time using eqcli command line.syntax in the format eqcli > smart_control scname run.
  • Page 683: Smart Control Configuration Guidelines

    Equalizer Administration Guide Smart Control Configuration Guidelines The Smart Control feature uses PHP as its underlying language. It is possible, however, to use this feature with minimal PHP knowledge. Some facts about Smart Control scripts: Each Smart Control script is wrapped inside of additional code prior to execution.  The pur- pose of this is to enable added protection and save the environment when a script runs.
  • Page 684: Smart Control Classes

    Smart Control Smart Control Classes Each object in the ADC configuration is represented as a PHP class. The classes currently supported are: server srvpool Note - Support for additional PHP classes will be available in future releases. A class variable is a variable defined in a class of which a single copy exists, regardless of how many instances of the class exist.
  • Page 685: Server Pool Class (Srvpool)

    Equalizer Administration Guide Server Pool Class (srvpool) Parameters The following are Server Pool parameters. Refer to Server Pool and Server Instance Commands for descriptions. name (string) acvq (string) probe_maxtries (int) probe_dto (int) custom_actconn (int) policy (string) acvr (string) probe_gto (int) custom_hc (int) probe_ssl (bool) respv (int)
  • Page 686 Smart Control getInstanceList() Description: List server instances for this server pool from the configuration. Returns: A map with the following keys: si_list : list of server instance names as strings message: a status message indicating success or failure of the operation status: a status code: 0 indicates success, nonzero indicates failure Example:...
  • Page 687 Equalizer Administration Guide stats(string statName) Description: Get the value of the statistic named ‘ statName ’.  The available statistics are the same as those displayed in the CLI when using the srvpool <name> stats command. Returns: On success, the last-measured value of this statistic. On failure, an exception describing what went wrong: invalid statistic name or no statistic specified.
  • Page 688 Smart Control $sp = new srvpool; $sp->name = "newsp"; $sp->commit(); // If we don’t do getByName(), the commit() below would fail with ‘object already exists’ error because the system will try to add this object instead of modify it. $sp = srvpool::getByName("newsp"); $sp->probe_maxtries = 2;...
  • Page 689: Server Class (Server)

    Equalizer Administration Guide Server Class (server) The following are Server parameters. Refer to Server Commands for descriptions. Parameters name (string) proto (string) probe_l3 (bool) ip (string) max_reuse_conn (int) port (int) reuse_conn_timeout (int) bmc_addr (string) bmc_user (string) bmc_passwd (string) bmc_cmd (string) Methods getByName(string name) Description:...
  • Page 690 Smart Control Get the status of this server as a numeric value. Returns: A numeric value indicating the status: 0: There are no problems with this server. 1: There is an ‘informational’ status available, but the server is functional. 2: There is a problem with this server. Example: // If there is a problem with this server, print the status (accessible using ‘lastrun’...
  • Page 691 Equalizer Administration Guide delete(optional Boolean forceFlag) Description: getByName Delete this server.  Can only be used on a server object which has been retrieved using server:: and it must not have been modified since the last time that it was retrieved.  If the server is in use by forceFlag ‘TRUE’...
  • Page 692: Server Instance Class (Si)

    Smart Control Server Instance Class (si) The following are Server Instance parameters. Refer to Server Pool and Server Instance Commands for descriptions. Parameters name(string) probe_port (int) quiesce (bool) sp (object): The server pool that this server instance belongs to, as retrieved using srvpool::getByName().
  • Page 693 Equalizer Administration Guide getStatusResp() Description: Get the status of this server instance as a numeric value. Returns: A numeric value indicating the status: 0: There are no problems with this server instance. 1: There is an ‘informational’ status available, but the server instance is functional. 2: There is a problem with this server instance.
  • Page 694 Smart Control delete(optional Boolean forceFlag) Description: Delete this server.  Can only be used on a server instance object which has been retrieved using si::getByName() ,and it must not have been modified since the last time that it was retrieved.  If the server instance is in use by another object in the system, the flag forceFlag must be set to ‘...
  • Page 695: Adc Class (Adc)

    Equalizer Administration Guide ADC Class (adc) Parameters An ADC class currently has no publicly accessible parameters. Methods cli(string command) Description: Run the provided command exactly as it would be if entered into the CLI. Returns: Map containing cli_buf string with a status code.  Status code will be 0 if the CLI command was successful and non-zero otherwise.
  • Page 696 Smart Control Returns: A map with the following keys: server_list : list of server names as strings message: a status message indicating success or failure of the operation status: a status code: 0 indicates success, nonzero indicates failure Example: // Get list of servers $list = adc::getServerList();...
  • Page 697: Sample Trigger Script For The Configuration Of Multiple Hot Spare Servers

    Equalizer Administration Guide Sample Trigger Script for the Configuration of Multiple Hot Spare Servers The following is an example of a trigger script that allows the configuration of multiple hot spare servers. The purpose of this is to monitor the active servers; and if they both go down or become unavailable, the hot spare servers will become active: $commitChanges = FALSE;...
  • Page 698: Sample Trigger Script For Rebooting The System

    Smart Control Sample Trigger Script for Rebooting the System The following is an example of a trigger script that will reboot the system (causing a failover) if a critical IP address cannot be reached or"‘pinged". It should be noted that the script uses string parsing and will consume a fair amount of CPU resources.
  • Page 699: Adding Smart Controls

    Equalizer Administration Guide Adding Smart Controls Smart Controls can be added using the CLI or GUI. If you associated an alert with a Smart Control, the means which you selected to notified of the alert will be displayed. Refer to on page 211 for a listing of all of the CLI Smart Control commands.
  • Page 700 Smart Control b. Setting up a schedule will run the script at the times that you schedule .The schedule for Smart Control is in the local time zone. Therefore, if you set it to run at 12:00, this means 12:00 of whatever timezone the system is set to and not GMT or UTC.
  • Page 701 Equalizer Administration Guide Running a Script Manually Using the CLI After creating a script you can run the script manually through the CLI. Enter the following: eqcli > smart_control run scname To see when the Smart Control was last executed, use the following format: eqcli >...
  • Page 702 Smart Control Adding or Modifying a Smart Control using the GUI 1. Configure an alert as described in "Configuring Alerts" on page 715. You must set the Alert Notification Type on the Add Alert configuration screen to "smartd" for the Smart Control to be...
  • Page 703 Equalizer Administration Guide Either method will display the Add Smart Control dialogue as shown below. Note that there are two options: The first option is to manually enter a script in the area provided. This option is available when the option is selected.
  • Page 704 Smart Control Configuration Summary The following is an example of the Configuration > Summary screen. From this screen, you have the option of: Enabling or Disabling the Smart Control using the check box. Click on the Commit button if you have changed this setting. Viewing the .
  • Page 705 Equalizer Administration Guide Schedule/Interval Configuration The following is an example of the Configuration > Schedule/Interval screen. From this screen you have the option of configuring the Smart Control to be executed using the fine-grained scheduling tools and options, or you can configure it to be executed at regular intervals. To use the Schedule feature, click on the Schedule option and then select the frequency option that you want to use...
  • Page 706 Smart Control Month The Monthly configuration screen will be displayed when you select Schedule and then select the Month option. This scheduling option allows you to configure a Smart Control to be executed on specific days of the month and the times by hour (24 hour clock), minutes and seconds. In the example below, the Smart Control is scheduled to be executed every month on the 12th of the month at 13:00 (1PM).
  • Page 707 Equalizer Administration Guide Week The Weekly configuration screen will be displayed when you select Schedule and then select the Week option. This scheduling option allows you to configure a Smart Control to be executed on specific days of the week and the times by hour (24 hour clock), minutes and seconds. In the example below, the Smart Control is scheduled to be executed every Sunday, Wednesday, and Friday at 13:00 (1PM).
  • Page 708 Smart Control The Daily configuration screen will be displayed when you select Schedule and then select the daily scheduling option. This scheduling option allows you to configure a Smart Control to be executed daily at times by hour (24 hour clock), minutes and seconds. In the example below, the Smart Control is scheduled to be executed every day at 13:00 (1PM).
  • Page 709 Equalizer Administration Guide Hour The Hourly configuration screen will be displayed when you select Schedule and then select the Hour option. This scheduling option allows you to configure a Smart Control to be executed daily and hourly by minutes and seconds. In the example below, the Smart Control is scheduled to be executed every hour at 10 minutes and 30 seconds, 20 minutes and 30 seconds, 30 minutes and 30 seconds, 40 minutes and 30 seconds, and 50 minutes and 30 seconds.
  • Page 710 Smart Control Advanced The Advanced configuration screen will be displayed when you select Schedule and then select the Advanced option. This scheduling option allows you to configure a Smart Control to be executed according to a manually entered string in standard cron format, but with an additional first column -- second.
  • Page 711 Equalizer Administration Guide Interval The Interval configuration screen will be displayed when you select the Interval option. This scheduling option allows you to configure a Smart Control to be executed at regular intervals. In the example below, the Smart Control is scheduled to be executed every day, every hour. 1.
  • Page 712 Smart Control Script Edit Selecting the Script tab displays the editing screen, which is virtually identical to the Add Smart Control dialogue screens. It displays either the manually entered script or the contents of the uploaded .txt file. You can edit scripts in this configuration screen. Since the Smart Control is already generated, there is no need to enter a name.
  • Page 713: Alerts

    Equalizer Administration Guide Chapter 23 Alerts Sections within this chapter include: Alert Notification Types Configuring Alerts Configuring an SMTP Relay Configuring Alerts in the CLI Configuring Alerts in the GUI Copyright © 2014 Coyote Point Systems, A Subsidiary of Fortinet, Inc. All Rights Reserved.
  • Page 714: Alert Notification Types

    Alerts Alert Notification Types An alert is an administratively configured action that is executed whenever an event of a particular type occurs on a particular Equalizer object. For example: a user can be sent an email whenever a particular server is marked UP or DOWN by health check probes. email, syslog, snmp, and ui notification types are supported.
  • Page 715: Configuring Alerts

    Equalizer Administration Guide Configuring Alerts Alerts can be set up and managed using the CLI or GUI. The use of "wild cards" in the name of an object that is configured for an alert is available. That is, for the "object" keyword when defining alerts in the CLI the last character of the name may be "*".
  • Page 716: Configuring An Smtp Relay

    Alerts Configuring an SMTP Relay Email alerts require a configured SMTP relay in order to send email to the recipient specified in the alert definition. To set up an SMTP relay, you need to know: The SMTP server’s IP address or Fully Qualified Domain Name (FQDN). If an FQDN is used, DNS must also be configured.
  • Page 717 Equalizer Administration Guide Configuring an SMTP Relay Using the GUI SMTP Relays are commonly used when you want to configure email alerts. With email alerts, you will be adding email addresses to the alert. The Equalizer SMTP Relay screen is used to specify an SMTP Relay Server and the IP address and port to use.
  • Page 718: Configuring Alerts In The Cli

    Alerts Configuring Alerts in the CLI Alerts are configured on a per-user basis. A user with administrative log in credentials can specify alerts for any user on any object; users without administrative credentials can only specify alerts for themselves on objects on which they have permissions. Refer to on page 735 for descriptions of object-user permissions.
  • Page 719 Equalizer Administration Guide Setting an alert on a server instance allows you to send email, log a message to the system log, or both, whenever a server instance is marked up or down by Layer 4 health check probes. For example, the following sequence of commands creates an alert for the user (touch) that sends email whenever the server (testserver) in server pool named realpool is marked up or down by Layer 4 probes: eqcli >...
  • Page 720 Alerts For example, the following sequence of commands creates an alert for the user (touch) that sends email whenever the local Equalizer (peer Eq_AD1122CC99, which is not in failover) reboots and changes to Standalone mode: eqcli > user touch eqcli user-tou*>...
  • Page 721: Configuring Alerts In The Gui

    Equalizer Administration Guide Configuring Alerts in the GUI Alerts are configured on a per-user basis. A user login name with administrative permissions can specify alerts for any user on any object; users without the administrative permissions can only specify alerts for themselves on objects on which they have permission. Note - Prior to configuring alerts, you must have previously configured servers, server instances, peers, or user interfaces.
  • Page 722 Alerts 5. Click on to display the configuration dialogue. In the example shown below, an Add Alert email notification on a server instance has been configured. If you would like to edit a previously configured alert, select an alert using the check box and either click on the icon or double click on the selected alert to display the dialogue.
  • Page 723 Equalizer Administration Guide Alert Types are state_change and exception. The state_change Alert Type indicates that the object has transitioned from one state to another (i.e., when a server stops responding to health checks and is marked "down"). An exception alert indicates an error condition exists on the object of the alert.
  • Page 724 Alerts Server Alerts Setting an alert on a server allows you to send email, log a message to the system log, or both, whenever a server is marked up or down by Layer 3 health check probes. For example, the following alert configuration example creates an alert for the user touch that sends email whenever the server...
  • Page 725: Using Snmp Traps

    Equalizer Administration Guide Chapter 24 Using SNMP Traps Sections within this chapter include: Setting Up SNMP Traps Setting Up an SNMP Management Station Enabling SNMP Enabling SNMP Traps Creating Alerts for SNMP Traps
  • Page 726: Setting Up Snmp Traps

    Using SNMP Traps Setting Up SNMP Traps The Simple Network Management Protocol (SNMP) is an internet standard that allows a management station to monitor the status of a device over the network. SNMP organizes information about Equalizer and provides a standard way to help gather that information. Using SNMP requires: An SNMP agent running on the system to be monitored.
  • Page 727: Setting Up An Snmp Management Station

    Equalizer Administration Guide Setting Up an SNMP Management Station An SNMP management station is not provided with Equalizer. In order to use SNMP to manage Equalizer, a third-party management console must be installed and configured on a machine that can access Equalizer. Configuration procedures are specific to the management console used. At a minimum, the SNMP management console needs to be configured to: Use Equalizer’s IP address and port 161 for SNMP requests.
  • Page 728: Enabling Snmp

    Using SNMP Traps Enabling SNMP By default, SNMP is a globally enabled service -- meaning that it will run on any subnet that is configured to offer the SNMP service. You must specifically enable SNMP on the subnet or subnets on which you want it to listen for SNMP MIB browser and management station connections.
  • Page 729: Enabling Snmp Traps

    Equalizer Administration Guide on page 163. Commands" 2. Now, enable SNMP on the desired VLAN subnet, on either the subnet IP address or the sub- net failover (aka “virtual”) IP address. In this example, we enable it on the subnet IP address: eqcli >...
  • Page 730: Creating Alerts For Snmp Traps

    Using SNMP Traps Creating Alerts for SNMP Traps SNMP Traps are configured as alerts and are configured on a per-user basis. A user login name with the admin flag can specify alerts for any user on any object; users without the admin flag can only specify alerts for themselves on objects on which they have permission.
  • Page 731 Equalizer Administration Guide Creating SNMP Trap Failover Group Alerts Setting an SNMP Trap alert enables the sending of snmp trap messages to the snmp management station whenever a Failover Group changes to Primary, Backup, or Standalone modes. For example, the following sequence of commands creates an snmp trap alert for the user touch that enables a trap message whenever a failover group (...
  • Page 733: User And Group Management

    Equalizer Administration Guide Chapter 25 User and Group Management Sections within this chapter include: Best User and Group Management Practices Object Permission Types Required Task Permissions and Flags Single and Multiple User Scenarios
  • Page 734: Best User And Group Management Practices

    User and Group Management Best User and Group Management Practices When adding additional users and groups to your configuration, follow these guidelines to establish object permissions that will be effective and easy to manage: If you require multiple non-admin users in your configuration, it is preferable to first create all required objects (servers, server pools, clusters, etc.), and then create users with appropriate permissions to manage them.
  • Page 735: Object Permission Types

    Equalizer Administration Guide Object Permission Types The following are the permissions available on Equalizer objects: Permission Type Descriptions Read: The user can only view the object’s definition. For global parameters: the user can open all of the global parameter tabs displayed when you click on Equalizer in the left frame, but cannot use the commit button to make any changes.
  • Page 736: Required Task Permissions And Flags

    User and Group Management Required Task Permissions and Flags The table below shows the permissions required for all object and administrative tasks in the CLI and the GUI. Operation Permissions Required Flags Required Notes write certificate_name adding a certificate file adding a CRL file write crl write certificate_name...
  • Page 737 Equalizer Administration Guide Operation Permissions Required Flags Required Notes vlan_name is the name of the VLAN that contains the subnet being write vlan_name adding a permit entry to modified. vlan_ read vlan_other a subnet other is the name of the VLAN being added to the permit list.
  • Page 738 User and Group Management Operation Permissions Required Flags Required Notes delete geosite_name deleting a GeoSite write geo cluster_name deleting a GeoSite write geocluster_name instance write geosite_name deleting a GeoSite IP deleting a GeoSite write geosite_name resource write cluster_name deleting a match rule delete responder_name deleting a responder write cluster_name...
  • Page 739 Equalizer Administration Guide Operation Permissions Required Flags Required Notes read crl_name displaying a CRL write_ displaying a file global displaying a read geocluster_name GeoCluster read geosite_name displaying a GeoSite displaying a GeoSite read geocluster_name instance displaying a GeoSite read geosite_name displaying a GeoSite read geosite_name resource...
  • Page 740 User and Group Management Operation Permissions Required Flags Required Notes displaying a read responder_name responder read server_name displaying a server displaying a server read srvpool_name instance displaying a server read srvpool_name pool read vlan_name displaying a subnet displaying a subnet read vlan_name permit list displaying subnet...
  • Page 741 Equalizer Administration Guide Operation Permissions Required Flags Required Notes A user can only change their modifying a user own password, admin (see note) password unless that user has the admin flag set. write vlan_name modifying a VLAN write port_name admin MSG_GET_CONFIG admin MSG_SET_CONFIG...
  • Page 742: Single And Multiple User Scenarios

    User and Group Management Single and Multiple User Scenarios The following scenarios describe access permissions to Equalizer and Equalizer objects by a single user and with multiple users. Single User Scenario In this, the simplest of scenarios: There is one user with the "admin" flag set. The "admin"...
  • Page 743 Equalizer Administration Guide 2. Enter and reenter a password of at least 6 characters to be used for logging in user “Touch_ 1”. eqcli > user Touch_1 Enter desired user password:****** Retype desired user password:****** User “Touch_1” can now log in to Equalizer with these credentials. 3.
  • Page 744 User and Group Management 4. Create “read”, “write” and “delete” permissions for user “Touch_2” on “testserverpool2”. eqcli > user Touch_1 permit_object read,write,delete srvpool testserverpool2 5. Create “read”, “write” and “delete” permissions for user “Touch_1” on servers “test1” and “test2”. eqcli > user Touch_1 permit_object read,write,delete server test1 eqcli >...
  • Page 745 Equalizer Administration Guide geosites : users : certificates : CRLs : ports : clusters : Cl1 Create Permissions : servers : server pools : responders : VLANs : geoclusters : geosites : users : certificates : CRLs : ports : clusters : Delete Permissions : servers : test2, test1...
  • Page 746 User and Group Management clusters : Cl2 Write Permissions : servers : test3, test4 server pools : testserverpool2 responders : VLANs : vl2 geoclusters : geosites : users : certificates : CRLs : ports : clusters : Cl2 Create Permissions : servers : server pools : responders :...
  • Page 747: How To Use Regular Expressions

    Equalizer Administration Guide Chapter 26 How to Use Regular Expressions Sections within this chapter include: Regular Expression Terms Learning About Atoms Creating a Bracket Expression Escape Sequences Matching in Regular Expressions Using Regular Expressions in Responders
  • Page 748: Regular Expression Terms

    How to Use Regular Expressions Regular Expression Terms The terms in this section describe the components of regular expressions. A regular expression (RE) is one or more non-empty branches, separated by pipe symbols . An expression matches anything that matches one of the branches. A branch consists of one or more concatenated pieces.
  • Page 749: Learning About Atoms

    Equalizer Administration Guide Learning About Atoms An atom followed by a bound that contains one integer i and no comma matches a sequence of exactly i matches of the atom. An atom followed by a bound that contains one integer i and a comma matches a sequence of i or more matches of the atom.
  • Page 750: Creating A Bracket Expression

    How to Use Regular Expressions Creating a Bracket Expression A bracket expression is a list of characters enclosed in brackets ([...]). It normally matches any single character from the list. If the list begins with ^, it matches any single character not from the rest of the list.
  • Page 751: Escape Sequences

    Equalizer Administration Guide Escape Sequences The following escape character sequences match the indicated characters: matches a single backslash (\) example text matches the beginning of a word (e.g.: \bex matches " " but not " ") \n, \r, \t, \v match whitespace characters \', \"...
  • Page 752: Matching In Regular Expressions

    How to Use Regular Expressions Matching in Regular Expressions If a regular expression could match more than one substring of a given string, the regular expression matches the one starting earliest in the string. If the regular expression could match more than one substring starting at that point, it matches the longest.
  • Page 753: Using Regular Expressions In Responders

    Equalizer Administration Guide Using Regular Expressions in Responders In some cases, it may be desirable to examine the URL of an incoming request and re-use parts of it in the URL returned to the client by a Redirect Responder. This is the purpose of the regex parameter: specify a custom regular expression that is used to: Parse the URL of an incoming request Break it down into separate strings (based on the positions of literal characters in the...
  • Page 755: Troubleshooting

    Equalizer Administration Guide Chapter 27 Troubleshooting Sections within this chapter include: Connectivity and Configuration Issues Using Diagnostic Commands Using tcpdump Using Watchdog Timers Configuring the Baseboard Management Controller (BMC) Prerequisites Configuration Using IPMI to Power Servers On/Off
  • Page 756: Connectivity And Configuration Issues

    Troubleshooting Connectivity and Configuration Issues Many connectivity and configuration issues can be diagnosed using standard network troubleshooting techniques. This section identifies some common problems, the most likely causes, and the best solutions. It also describes the diagnostic commands available in the CLI (see "Context Command Summaries" on page 162)...
  • Page 757 Equalizer Administration Guide Backup Equalizer Continuously Reboots Primary and Backup Equalizer Are in a Conflict over Primary Certain Dell and Cisco switches have Spanning Tree enabled by default. This can cause a delay in the times that the network is accessible and cause the backup unit to enter into failover mode. If you cannot disable Spanning Tree, enable PortFast for all ports connected to the ADCs.
  • Page 758 Troubleshooting Web Server Cannot Tell Whether Incoming Requests Originate Externally or Internally IP Spoofing is not enabled Check the cluster’s configuration and enable the spoof option – this will cause the client’s IP address to be used as the source address in packets sent to the server. Also ensure that responses from the server go through Equalizer.
  • Page 759: Using Diagnostic Commands

    Equalizer Administration Guide Using Diagnostic Commands Diagnostic commands using the CLI are available to allow an administrator to view information such as: Network ARP statistics Disk space on the appliance file system DNS lookup The state of the appliance interfaces (ports) Network status information System processes The top processes of the sys-...
  • Page 760 Troubleshooting The df command displays the disk space and file system on your appliance. An example of a df output is as follows: eqcli diags> df Df output: Filesystem 1K-blocks Used Avail %Cap Mounted on /dev/wd0b 1032238 152378 828250 15% / /dev/wd0g 1032238 3698...
  • Page 761 Equalizer Administration Guide The dig command displays the DNS lookup information. eqcli diags> dig Dig output: ; <<>> DiG 9.9.1-P4 <<>> ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 36827 ;; flags: qr rd ra; QUERY: 1, ANSWER: 13, AUTHORITY: 0, ADDITIONAL: 23 ;;...
  • Page 762 Troubleshooting ifconfig The ifconfig command displays the state of all interfaces. An example of an ifconfig output is as follows: eqcli diags> ifconfig Ifconfig output: ...
  • Page 765 Equalizer Administration Guide netstat The netstat command displays the network status information. An example of a netstat output is as follows: eqcli diags> netstat Netstat output: Active Internet connections (including servers) Proto Recv-Q Send-Q Local Address Foreign Address State 192.168.5.90.29897 192.168.0.17.80 SYN_SENT 172.16.5.93.443...
  • Page 769 Equalizer Administration Guide The ps command displays information about all of the processes. An example of a ps output is as follows: eqcli diags> ps Ps output: PID TTY STAT TIME COMMAND 0:51.94 [system] 0:00.00 init 96 ? 0:00.16 /usr/local/libexec/hcd -F 97 ? 0:00.18 envoy_agent: Envoy Agent 207 ?
  • Page 770 Troubleshooting The top command displays the top processes on the system. An example of a top output is as follows: eqcli diags> top Top output: load averages: 0.02, 0.01, 0.00; up 0+06:50:58 20:06:32 39 processes: 37 sleeping, 2 on CPU CPU00 states: 0.0% user, 0.0% nice,...
  • Page 772: Using Tcpdump

    Troubleshooting Using tcpdump Note - You must have administrator privileges on your Equalizer to use the tcpdump feature. tcpdump is a packet analyzer tool that can be used to analyze Equalizer packet activity to/from: an interface (port) an aggregated interface VLAN cluster server...
  • Page 773 Equalizer Administration Guide The tcpdump files that will be stored in the Equalizer file system will be in the following format: tcpdump_objecttypeobjectname-tcp-pcap_MM_DD_YY_HH-MM{AM|PM}.tgz where objecttype can be: iface - an interface; agr - an aggregated interface; sv - a server; vlan - a VLAN; cl - a cluster. The time stamp in the file name is the time that the file was generated.
  • Page 774 Troubleshooting cale 6], length 0 12:33:35.314835 IP 192.168.10.19.49751 > 172.16.166.10.http: Flags [S], seq 1459230960, win 5840, options [mss 1460,sackOK,TS val 6931863 ecr 0,nop,ws- cale 6], length 0 12:33:35.314842 IP 192.168.10.19.49753 > 172.16.166.10.http: Flags [S], seq 1461671172, win 5840, options [mss 1460,sackOK,TS val 6931863 ecr 0,nop,ws- cale 6], length 0 12:33:35.314847 IP 172.16.166.10.http >...
  • Page 775 Equalizer Administration Guide Examples Expressions select which packets will be included in the packet capture. If no expression is given, ALL packets on the network that are from/to the specified VLAN/interface(port)/aggregated interface/cluster/server will be included. Otherwise, only packets for which the expression is "true"...
  • Page 776: Using Watchdog Timers

    Troubleshooting Using Watchdog Timers Watchdog timers are used to reboot the system if something goes wrong. When working properly, a failover pair will continue functioning because the backup system can take over when the primary system is rebooted. Types of Watchdogs This is essentially a "power cycling"...
  • Page 777 Equalizer Administration Guide Watchdog Timers Timer Type Description ichlpcib0: This is a PCI hardware watchdog timer. It is generally immediately available after boot; however, it may be unusable because of hardware limitations. In such an instance, the kernel prints out a message to the boot log and loads the software watchdog instead.
  • Page 778 Troubleshooting User Options There are three hidden eqcli options to control the behavior: 1. debug >configd ipmi_nmi <seconds> This sets the IPMI NMI timer. It has no effect on systems that do not have an IPMI (ipmi0) watchdog timer. The default value is 0. 2.
  • Page 779 Equalizer Administration Guide The system will then drop to the debugger after 30 seconds, and remain there until physically rebooted/power cycled. Note - The reset_timer can not be 0 in this configuration or the watchdog timer will not be armed! However, setting it to less than the NMI timer will keep the system from doing a CPU reset. If Equalizer has lockup issues during boot, it is possible that the system will begin processing traffic and then lock up.
  • Page 780: Configuring The Baseboard Management Controller (Bmc)

    Troubleshooting Configuring the Baseboard Management Controller (BMC) Note - Currently, the E970LX, E670LX, and E470LX ADCs feature this optional utility. The Equalizer E470LX, E670LX, and E970LX are equipped with a Baseboard Management Controller (BMC). This specialized service processor monitors the physical state of the ADC using sensors and communicates information to system administrators using an independent network connection.
  • Page 781 Equalizer Administration Guide Proceed with the following after powering up your Equalizer: 1. Enter the following to view the initial BMC configuration: eqcli > show bmc User Name: root Status: disabled IP Address: 0.0.0.0/32 (static) Gateway: 0.0.0.0 eqcli: 12000287: Operation successful eqcli >...
  • Page 782 Troubleshooting 5. Confirm your configuration by entering the following: eqcli > show bmc User Name: root Status: enabled IP Address: 192.168.1.8/21 (static) Gateway: 192.168.0.1 eqcli: 12000287: Operation successful eqcli > You should now be able to access the Integrated BMC Web Console for additional configuration options and for remote power control options.
  • Page 783 Equalizer Administration Guide Modifying the User Name, Password, User Status and Network Privileges In order to use the Web Console as described in this section, you must have already set the BMC Console up for web access by following the instructions in the previous section. Once you have access to the Web Console and logged in, select the Configuration tab and then...
  • Page 784 Troubleshooting To add a User, click on the Add User button to display the Add New User screen shown below. Enter a User Name and Password and select the appropriate Network Privileges for the new user. Click the button when finished. To modify an existing user's User Name, select the user from the...
  • Page 785 Equalizer Administration Guide Resetting a Forgotten BMC User Name and/or Password If you forgot your password you will need to follow the procedure for configuring a new password using the CLI only. Log in to the CLI and configure a new password as follows: 1.
  • Page 786 Troubleshooting Changing the BMC IP Address Note - Consult with your network administrator prior to making network changes. The Web Console also provides you with the ability to change the BMC IP address. Click on the tab at the top and then click on on the left navigational pane to display the Configuration IPv4 Network...
  • Page 787 Equalizer Administration Guide Server Power Control To access the power control interface, select the Remote Control tab at the top of the screen and then select Server Power Control on the left navigational pane. This will display the Power Control screen shown below.
  • Page 788: Using Ipmi To Power Servers On/Off

    Troubleshooting Using IPMI to Power Servers On/Off Note - Currently the E970LX, E670LX, and E470LX ADCs feature this utility. The Intelligent Platform Management Interface (IPMI) is an open standard for software-based control of hardware functions, such as powering the system on and off. IPMI is implemented by a set of software tools (IPMItools) that communicate with the local machine or over a LAN connection.
  • Page 789 Equalizer Administration Guide Entering IPMI "Power" Commands Using the CLI Enter IPMI commands using the following format:
    eqcli > diags ipmi ip <IP address> user <user> passwd <password> cmd <command>
    where: IP address - is the IP address of the target server or BMC being issued the command. user - is an enabled user name that is configured in the BMC or the target server or ADC. Because the password is supplied as a plain argument on the command line, use a dedicated BMC account with only the privilege level needed for power control rather than the root account, and do not reuse that password elsewhere.
  • Page 791: Equalizer Ondemand

    Equalizer Administration Guide Appendix A Equalizer OnDemand Sections in this chapter include: What is Equalizer OnDemand? Differences from Equalizer Hardware Installing and Upgrading Equalizer OnDemand VMware Host Requirements Installing EQOD Using OVF Installing EQOD from a ZIP file Licensing EQOD Upgrading EQOD Copyright ©...
  • Page 792: What Is Equalizer Ondemand

    Equalizer OnDemand What is Equalizer OnDemand? Equalizer OnDemand™ (EQOD) is a software-based virtual appliance that operates as an integral part of the virtual infrastructure model. EQOD is deployed as a single virtual server instance dedicated to load balancing and managing the application delivery needs of your business. The EQ/OS 10 platform on which Equalizer is built drives the robust application traffic management capabilities of the Virtual Equalizer.
  • Page 793: Differences From Equalizer Hardware

    Equalizer Administration Guide Differences from Equalizer Hardware All load balancing functionality found in EQ/OS 10 running on a hardware appliance is fully functional in EQOD. Some adjustments to functionality were necessary, however, in order to accommodate the VMware virtual machine environment. 1.
  • Page 794 Equalizer OnDemand Adding Ports on VM Workstation When adding an interface using VM Workstation (a.k.a. VM Player), you are not given the option to choose the type of network adapter added. As a result, you must edit the "vmx" file for the Virtual Machine manually and restart the Virtual Machine to see the new interface in the Equalizer OnDemand CLI and GUI.
  • Page 795 Equalizer Administration Guide 5. Save your edits to the file. 6. Start the Equalizer VM and log in to the CLI or GUI. You should now see 3 interface ports when you run the show interface command in the CLI and when you open the Interfaces tab in the GUI.
  • Page 796: Installing And Upgrading Equalizer Ondemand

    Equalizer OnDemand Installing and Upgrading Equalizer OnDemand VMware Host Requirements The EQOD runs under any VMware hypervisor which supports Version 8 virtual machines, including the following VMware releases: VMware ESX and ESXi 5.0 and higher; VMware Fusion 4.X and higher; VMware Workstation 8.X and higher; VMware Player 4.X and higher. A VM instance of Equalizer requires the following minimum hardware resources:...
  • Page 797: Installing Eqod Using Ovf

    Equalizer Administration Guide Installing EQOD Using OVF VMware vSphere or vCenter Clients When installing a new instance of Equalizer OnDemand onto an ESX or ESXi VMware server, you must begin the installation using the supplied OVF file as instructed in this guide. Installing Equalizer OnDemand by deploying the VMDK or VMX file directly without using the OVF file will lead to networking issues after the install is complete and is not a supported deployment method...
  • Page 798 Equalizer OnDemand f. Associate the source network adapters in the OVF to networks defined on VMware. Click Next. g. A summary of the VM configuration is displayed. Click Next. h. The VMDK file for the OVF is now downloaded from the local directory. When it is done, the EQOD VM should now appear in your inventory.
  • Page 799: Installing Eqod From A Zip File

    Equalizer Administration Guide Installing EQOD from a ZIP file To install EQOD using the ZIP file distribution open the zip file that can be downloaded from: http://www.coyotepoint.com/content/eqos-10-support-page Follow the instructions for the VMware product you are using in the sections that follow. VMware vSphere or vCenter Clients VMware ESX and ESXi servers are managed using either the vSphere or vCenter management clients.
  • Page 800: Vmware Player And Vmware Fusion

    Equalizer OnDemand VMware Player and VMware Fusion Besides running on dedicated hardware with the VMware ESX operating system, VMware can also run on Windows and Mac computers. VMware Workstation and VMware Player are Windows-based hypervisors, while VMware Fusion is the Mac version. After installing one of these products, follow these instructions to add the EQOD VM into either of these products.
  • Page 801: Licensing Eqod

    Equalizer Administration Guide Licensing EQOD When EQOD is first installed, it is unlicensed. In the unlicensed state, you can create objects but no clusters will accept connections until a valid license is installed. You can license your system offline using the CLI. Before you can register, you will need: Access to a new or existing Support Account.
  • Page 802 Equalizer OnDemand 6. To upload the license using the CLI: a. Decompress the *.lic license file. It uses gzip compression and can be decompressed using any tool with gzip decompression functionality. If preferable, you can decompress the file using UNIX command line syntax:
    dhcp-12:~ authorizeduser$ gzip -S .lic -d EQOD010000000498.lic
    When the license file decompresses, a text file will be saved in its place with the licensing information.
  • Page 803: Upgrading Eqod

    Equalizer Administration Guide c. Enter eqcli > license upload, "Paste" the license file contents at the end of the line and press ENTER. The following is an example showing a license file.
    eqcli > license upload license file contents <?xml version="1.0"...
  • Page 805: Using Certificates In Https Clusters

    Equalizer Administration Guide Appendix B Using Certificates in HTTPS Clusters Sections within this chapter include: Using Certificates in HTTPS Clusters Configuring Cipher Suites Enabling HTTPS with a Server Certificate Enabling HTTPS with Server and Client Certificates Generating a CSR and Getting It Signed by a CA Generating a Self-Signed Certificate Installing Certificates for an HTTPS Cluster Converting a Certificate from PEM to PKCS12 Format...
  • Page 806: Using Certificates In Https Clusters

    Using Certificates in HTTPS Clusters Using Certificates in HTTPS Clusters The HTTPS protocol supports encrypted, secure communication between clients and servers. It requires that a Secure Sockets Layer (SSL) authentication handshake occur between a client and a server in order for a connection request to succeed. When a client requests an HTTPS connection to a web server, the server (which has already been set up to support SSL connections) sends a server certificate to the client for verification.
  • Page 807 Equalizer Administration Guide About Server Certificates In a typical HTTPS scenario described above, the client and server are communicating directly, and the server is doing all the work of encrypting and decrypting packets, and sending the server certificate to the client. If you have many systems servicing requests for the same website, you need to install certificates on each server.
  • Page 808 Using Certificates in HTTPS Clusters About Client Certificates If you want to use client certificates with an HTTPS cluster, you’ll need to get a signed client certificate from a CA, or create a self-signed certificate. A client certificate needs to be installed on each client that will access the Equalizer cluster, as well as on Equalizer.
  • Page 809 Equalizer Administration Guide General Certificate Guidelines Currently, the following certificate/key file formats are supported: - PEM format certificates/keys are ASCII files that usually use a ".pem" extension with the file name. PEM stands for Privacy Enhanced Mail. A PEM-format certificate contains a Base64 encoded DER certificate, enclosed between "-----BEGIN CERTIFICATE-----"...
  • Page 810 Using Certificates in HTTPS Clusters Platform / SSL offloading: E970LX - hardware acceleration only for supported ciphers; OnDemand - software only.
  • Page 811: Configuring Cipher Suites

    Equalizer Administration Guide Configuring Cipher Suites The HTTPS cluster parameter Cipher Suites lists the supported encryption algorithms for incoming HTTPS requests. If a client request comes into Equalizer that does not use a cipher in this list, the connection is refused. If this field is blank, then any cipher suite supported by Equalizer’s SSL implementation (or by Hardware SSL Acceleration, when enabled) will be accepted. Note that the accelerated set on page 815 includes export-grade, 40-bit and RC4 suites, so leaving the field blank offers those as well; name the permitted suites explicitly rather than relying on the default.
  • Page 812 Using Certificates in HTTPS Clusters Supported Software Cipher Suites The following table lists the software cipher suites supported by Equalizer (columns: Ciphers, Protocol, Key Exchange, Authentication, Encryption, Message Authentication Code): AES256-GCM-SHA384 / TLSv1.2 / AESGCM(256) / AEAD; AES256-SHA256 / TLSv1.2 / AES(256) / SHA256; AES256-SHA / SSLv3 / AES(256) / SHA1; CAMELLIA256-SHA / SSLv3 / Camellia(256)...
  • Page 813 Equalizer Administration Guide Supported PFS Ciphersuites The following table lists the PFS ciphersuites supported by Equalizer (columns: Ciphers, Key Exchange): ECDHE-RSA-AES256-GCM-SHA384; ECDHE-ECDSA-AES256-GCM-SHA384 (ECDSA); ECDHE-RSA-AES256-SHA384; ECDHE-ECDSA-AES256-SHA384 (ECDSA); ECDHE-RSA-AES256-SHA; ECDHE-ECDSA-AES256-SHA (ECDSA); DHE-DSS-AES256-GCM-SHA384; DHE-RSA-AES256-GCM-SHA384; DHE-RSA-AES256-SHA256; DHE-DSS-AES256-SHA256; DHE-RSA-AES256-SHA; DHE-DSS-AES256-SHA; DHE-RSA-CAMELLIA256-SHA; DHE-DSS-CAMELLIA256-SHA; ECDHE-RSA-AES128-GCM-SHA256; ECDHE-ECDSA-AES128-GCM-SHA256 (ECDSA); ECDHE-RSA-AES128-SHA256; ECDHE-ECDSA-AES128-SHA256 (ECDSA); ECDHE-RSA-AES128-SHA...
  • Page 814 Using Certificates in HTTPS Clusters (Ciphers, Key Exchange, continued): DHE-RSA-SEED-SHA; DHE-DSS-SEED-SHA; DHE-RSA-CAMELLIA128-SHA; DHE-DSS-CAMELLIA128-SHA; ECDHE-RSA-RC4-SHA; ECDHE-ECDSA-RC4-SHA (ECDSA); ECDHE-RSA-DES-CBC3-SHA; ECDHE-ECDSA-DES-CBC3-SHA (ECDSA). Forward secrecy does not rescue the RC4 and DES-CBC3 suites at the end of this list; leave them out of the cluster's Cipher Suites parameter.
  • Page 815 Equalizer Administration Guide Supported Hardware Cipher Suites (columns: Ciphers, Protocol, Key Exchange, Authentication, Encryption, Message Authentication Code): TLS1_RSA_EXPORT1024_WITH_RC4_56_MD5 / <=TLS / MD5 / export; TLS1_RSA_EXPORT1024_WITH_RC4_56_SHA / <=TLS / SHA / export; SSL3_RSA_RC4_40_MD5 / <=TLS / RC4 (40); TLS1_RSA_EXPORT1024_WITH_DES_CBC_SHA / <=TLS; SSL3_RSA_DES_40_CBC_SHA / <=TLS / DES (40); SSL3_RSA_DES_64_CBC_SHA / <=TLS / DES (64); SSL3_RSA_RC4_128_MD5 / SSL 3.0 / RC4 (128); SSL3_RSA_RC4_128_SHA... The suites shown here are export-grade, RC4, single-DES or MD5-authenticated. Hardware acceleration of a suite is not a reason to offer it; a cluster with Hardware SSL Acceleration enabled should still list only current suites in its Cipher Suites parameter.
  • Page 816 Using Certificates in HTTPS Clusters Choosing the Cipher Suite for an HTTPS Cluster Connection The cipher suite parameter for an HTTPS cluster lists all of the ciphers that can be negotiated between Equalizer and an incoming client attempting to connect to an HTTPS cluster. Similarly, the client application will have its own list of ciphers that it supports.
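The negotiation described on pages 811 and 816 (the cluster's Cipher Suites list is matched against the client's list, and a client with no suite in common is refused), together with the weak suites in the hardware table on page 815, as an added shell example. This script is written for this page and is not the manual's or Coyote Point's code: the suite names are OpenSSL-style as in the manual's tables, the sample cluster and client lists are constructed, and the pattern used to decide which suites are weak is an assumption of the example rather than an Equalizer setting.

```shell
#!/bin/sh
# Added example, not from the Coyote Point manual. Simulates the HTTPS
# cluster cipher negotiation: the first suite in the cluster's Cipher
# Suites list (server preference order) that the client also offers wins;
# no common suite means the connection is refused. Also filters a cipher
# list down to suites a practitioner would still offer. Suite names are
# OpenSSL-style as in the manual's tables; the weak-suite pattern below is
# an assumption of this example, not a manual setting.
set -eu

# weak_cipher NAME -> 0 if the suite is export-grade, RC4, single DES,
# MD5-authenticated or NULL (the kinds listed in the hardware table)
weak_cipher() {
    printf '%s\n' "$1" | grep -Eq 'RC4|EXPORT|MD5|NULL|(^|-)DES-CBC-SHA|DES_40|DES_64'
}

# filter_weak LIST -> LIST (colon separated) with weak suites removed, order kept
filter_weak() {
    out=""
    for c in $(printf '%s' "$1" | tr ':' ' '); do
        if weak_cipher "$c"; then continue; fi
        out="${out:+$out:}$c"
    done
    printf '%s' "$out"
}

# negotiate SERVER_LIST CLIENT_LIST -> prints the chosen suite, or returns 1
negotiate() {
    for s in $(printf '%s' "$1" | tr ':' ' '); do
        for c in $(printf '%s' "$2" | tr ':' ' '); do
            if [ "$s" = "$c" ]; then printf '%s' "$s"; return 0; fi
        done
    done
    return 1    # no suite in common: Equalizer refuses the connection
}

# Constructed sample lists: a cluster configured with one RC4 suite left in,
# and a legacy client that prefers it.
CLUSTER='ECDHE-RSA-AES256-GCM-SHA384:AES256-GCM-SHA384:ECDHE-RSA-RC4-SHA:AES256-SHA'
LEGACY_CLIENT='ECDHE-RSA-RC4-SHA:AES256-SHA'

if [ "${1:-}" = "run" ]; then
    echo "as configured:  $(negotiate "$CLUSTER" "$LEGACY_CLIENT")"
    echo "after filter:   $(negotiate "$(filter_weak "$CLUSTER")" "$LEGACY_CLIENT")"
    echo "hardened list:  $(filter_weak "$CLUSTER")"
fi
```

Run it with `sh ciphers.sh run`. With the RC4 suite still in the cluster list the legacy client negotiates ECDHE-RSA-RC4-SHA even though the cluster prefers AES-GCM, because the server's preference only applies among suites the client offers; after filtering, the same client falls through to AES256-SHA, and a client offering only RC4 suites is refused. The pattern deliberately leaves 3DES (DES-CBC3) suites alone, matching the manual's own tables; add `DES-CBC3` to it if those are to be retired as well.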
  • Page 817: Enabling Https With A Server Certificate

    Equalizer Administration Guide Enabling HTTPS with a Server Certificate The following are the steps to follow to obtain and install a server certificate, and verify that it works. 1. Generate a Server Certificate Signing Request or a Self-Signed Server Certificate. To get a server certificate, do one of the following: a.
  • Page 818: Enabling Https With Server And Client Certificates

    Using Certificates in HTTPS Clusters Enabling HTTPS with Server and Client Certificates The following are the steps to follow to obtain and install both server and client certificates, and verify that they work. 1. Perform the procedure in the previous section to enable HTTPS with a server side certificate.
  • Page 819 Equalizer Administration Guide 4. Install the Client Certificate on Equalizer. Use the Equalizer Administration Interface to install the client certificate. See "Layer 7 SSL Security (HTTPS Clusters)" on page 349. 5. Install the Client Certificate on all clients. Import the client certificate into the client browser’s list of certificates. Follow the instructions for Mozilla Firefox, Internet Explorer, Chrome, etc.
  • Page 820: Generating A Csr And Getting It Signed By A Ca

    Using Certificates in HTTPS Clusters Generating a CSR and Getting It Signed by a CA Most CA vendors provide a means of generating a Certificate Signing Request (CSR) on their websites, and we recommend that you use the CA website to generate the CSR. For several good tutorials on how to get your certificates signed, please see: http://sial.org/howto/openssl/ A CSR can also be generated using the OpenSSL tools on any system, including Windows.
  • Page 821 Equalizer Administration Guide For a server certificate, the provided Common Name must be the DNS-resolvable fully qualified domain name (FQDN) used by the cluster. When a client receives the certificate from the server, the client browser will display a warning if the Common Name does not match the hostname of the request URI. Current browsers match the hostname against the certificate's Subject Alternative Name extension rather than the Common Name, so the CSR should also carry the cluster FQDN as a DNS subjectAltName.
  • Page 822: Generating A Self-Signed Certificate

    Using Certificates in HTTPS Clusters Generating a Self-Signed Certificate To generate a self signed certificate in PEM format: 1. Generate a self-signed x509 format certificate by entering this command:
    openssl req -new -x509 -newkey rsa:1024 -out selfcert.pem -days 1095
    This creates a self-signed certificate (selfcert.pem) that will be valid for 1095 days (about three years) and also generates a new private key to be output into a file named . Note that 1024-bit RSA keys are below the minimum that browsers and CAs now accept; use rsa:2048 or larger.
  • Page 823: Installing Certificates For An Https Cluster

    Equalizer Administration Guide Installing Certificates for an HTTPS Cluster Refer to "Layer 7 Security Certificate Screen (HTTPS Clusters)" on page 347 for a description of installing certificates on an HTTPS cluster.
  • Page 824: Converting A Certificate From Pem To Pkcs12 Format

    Using Certificates in HTTPS Clusters Converting a Certificate from PEM to PKCS12 Format Many browsers, such as Firefox and Internet Explorer, require private keys and certificates in PKCS12 format for installation. In order to install client and intermediate certificates into these browsers, you will first have to convert them from PEM format to PKCS12 format. A PKCS12 bundle contains the private key, so protect it with a strong export password and delete the file once it has been imported.
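The certificate steps spread over pages 821, 822 and 824 (a Common Name that matches the cluster FQDN, a self-signed certificate, and conversion to PKCS12 for browser import), as one added shell script. This is an example written for this page, not the manual's or Coyote Point's procedure. It assumes OpenSSL 1.1.1 or later on the PATH; the hostname lb.example.com, the 1095-day validity and the PKCS12 password "changeit" are placeholders. It uses a 2048-bit key in place of the manual's rsa:1024 and adds a Subject Alternative Name, which current browsers check instead of the Common Name, and it verifies both before the bundle is produced.

```shell
#!/bin/sh
# Added example (not from the Coyote Point manual): generate a self-signed
# server certificate for an HTTPS cluster with a 2048-bit key, check that
# the Common Name matches the cluster FQDN and the key is large enough, and
# convert the pair to PKCS12 for browser import.
# Assumptions: openssl 1.1.1+ on PATH; lb.example.com, 1095 days and the
# PKCS12 password "changeit" are placeholders.
set -eu

WORK="${WORK:-$(mktemp -d)}"

# make_self_signed FQDN DAYS -> writes $WORK/selfcert.pem and $WORK/selfkey.pem
make_self_signed() {
    fqdn="$1"; days="$2"
    openssl req -new -x509 -newkey rsa:2048 -nodes \
        -subj "/CN=$fqdn" \
        -addext "subjectAltName=DNS:$fqdn" \
        -keyout "$WORK/selfkey.pem" -out "$WORK/selfcert.pem" \
        -days "$days" 2>/dev/null
}

# cert_cn FILE -> prints the CN from the certificate subject
cert_cn() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 \
        | sed -n 's/^subject=.*CN=\([^,]*\).*/\1/p'
}

# cert_key_bits FILE -> prints the RSA modulus size in bits
cert_key_bits() {
    openssl x509 -in "$1" -noout -text \
        | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p'
}

# check_cert FILE FQDN -> 0 if the CN matches FQDN and the key is >= 2048 bits
check_cert() {
    cn=$(cert_cn "$1"); bits=$(cert_key_bits "$1")
    [ "$cn" = "$2" ] || { echo "CN '$cn' does not match '$2'" >&2; return 1; }
    [ "$bits" -ge 2048 ] || { echo "key too small: $bits bits" >&2; return 1; }
    return 0
}

# to_pkcs12 CERT KEY OUT PASSWORD -> bundles certificate and private key
to_pkcs12() {
    openssl pkcs12 -export -in "$1" -inkey "$2" -out "$3" -passout "pass:$4"
}

# pkcs12_cn FILE PASSWORD -> CN of the certificate inside the bundle
pkcs12_cn() {
    openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys -clcerts 2>/dev/null \
        | openssl x509 -noout -subject -nameopt RFC2253 \
        | sed -n 's/^subject=.*CN=\([^,]*\).*/\1/p'
}

if [ "${1:-}" = "run" ]; then
    make_self_signed lb.example.com 1095
    check_cert "$WORK/selfcert.pem" lb.example.com && echo "certificate OK"
    to_pkcs12 "$WORK/selfcert.pem" "$WORK/selfkey.pem" "$WORK/selfcert.p12" changeit
    echo "PKCS12 bundle: $WORK/selfcert.p12 (CN $(pkcs12_cn "$WORK/selfcert.p12" changeit))"
fi
```

Run it with `sh certs.sh run`; set `WORK` to choose the output directory. The CN and key-size check is the step the manual's pages imply but do not show: a certificate whose CN differs from the cluster FQDN passes the PKCS12 conversion without complaint and only fails later in the browser. The private key file written by `-nodes` is unencrypted, so keep `$WORK` on a protected filesystem and remove it once the bundle has been imported.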
  • Page 825: Using The File Editor

    Equalizer Administration Guide Appendix C Using the File Editor Sections within this chapter include: Editing Files
  • Page 826: Editing Files

    Using the File Editor Editing Files Files from the data store, for example, can be edited using the files edit command in the CLI using the "ee" editor. The most common example for using this feature is to edit CLI scripts which can then be executed using the run_script command, but there are other uses as well.
  • Page 827 Equalizer Administration Guide Main and Submenu Commands a) leave editor - Leaves the ee editor. You will be prompted to save changes before exiting. b) help - Will display a complete list of Control Keys and Commands. c) file operations - Will display a submenu of commands that includes: read a file, write a file...
  • Page 828 Using the File Editor e) settings - Will display the following modes menu. f) search - Will open a search submenu with 2 options: a) search for - will prompt you to enter a search term(s); b) search - [not available]. g) miscellaneous - Will display the following miscellaneous menu.
  • Page 829: Eq/Os 8.6 To Eq/Os 10.0 Configuration Converter

    Equalizer Administration Guide Appendix D EQ/OS 8.6 to EQ/OS 10.0 Configuration Converter Sections within this chapter include: EQ/OS 8.6 to EQ/OS 10 Configuration Conversion Process
  • Page 830: Eq/Os 8.6 To Eq/Os 10 Configuration Conversion Process

    EQ/OS 8.6 to EQ/OS 10.0 Configuration Converter EQ/OS 8.6 to EQ/OS 10 Configuration Conversion Process EQ/OS 8.6 and EQ/OS 10 configuration files are not compatible. It is not possible to simply copy an older configuration to a new installation during the upgrade process, as is done when upgrading from an 8.6 to an 8.6 version, or from a 10 to a 10 version.
  • Page 831 Equalizer Administration Guide Configuration Objects / Notes: Servers - Added as global server objects and server instances within server pools. The Server VID is now deprecated, and servers are automatically considered to be part of a particular subnet, based on their IP address.
  • Page 832 EQ/OS 8.6 to EQ/OS 10.0 Configuration Converter >> cluster cl00 server sv00 The resulting cluster-server name in the configuration in EQ/OS 10 will be: server cl00_sv00 EQ/OS 10 uses Server Pools that contain Server Instances. When migrating to EQ/OS 10 a Server Pool will be created using the cluster-server details described.
  • Page 833 Equalizer Administration Guide Migration Process The following describes the process of converting an EQ/OS 8.6 configuration to EQ/OS 10. It is recommended that the migration be executed on a "clean" Equalizer, meaning, without configured objects. If there are configured objects on your system, it is advisable to review the names and IP configuration to verify that there are no conflicts with the migrating EQ/OS 8.6 configuration.
  • Page 834 EQ/OS 8.6 to EQ/OS 10.0 Configuration Converter Conversion using the CLI 1. Create a backup of the EQ/OS 8.6 system. Refer to the Equalizer Administration Guide for EQ/OS 8.6 for instructions. 2. Upgrade your EQ/OS 8.6 system to EQ/OS 10. Refer to "EQ/OS 8.6 Upgrade Procedure" on page...
  • Page 835 Equalizer Administration Guide eqcli: 12000287: Operation successful eqcli: 12020315: Processing line 2: server otherserver ip 3.4.5.6 port 81 proto tcp eqcli: 12000287: Operation successful eqcli: 12020318: All commands processed successfully. eqcli > 6. If the script completes successfully you can continue using the system as normal. You may need to install certificates first.
  • Page 836 EQ/OS 8.6 to EQ/OS 10.0 Configuration Converter The EQ/OS 8.6 backup file can be uploaded either from a URL or FTP server or from a local directory. Proceed with either step 5 or step 6 depending on the location of your backup file. After selecting a file by either method described in steps 5 and 6, proceed with step 7. Note - By default, VLANs and Subnets in the EQ/OS 8.6 configuration will be converted.
  • Page 837 Equalizer Administration Guide 8. After clicking on the button, the script is executed on Equalizer. If no errors occur and the script runs to completion a Configuration Complete message will be displayed. If an error occurs the Correct Error and Continue screen will be displayed, which is the same as the Verify and Run Script screen except that it opens at the line at which the error occurred as indicated by the error...
  • Page 838 EQ/OS 8.6 to EQ/OS 10.0 Configuration Converter b. Click on Continue to execute the script on Equalizer starting at the line on which the error occurred. If no errors occur and the script runs to completion, a Configuration Complete message will be displayed. If an error occurs, the Correct Error screen will be displayed again and will open at the line at which the...
  • Page 839: Port Numbers

    Equalizer Administration Guide Appendix E Port Numbers Sections within this chapter include: Port Numbers
  • Page 840: Port Numbers

    Port Numbers Port Numbers Communications between the Equalizer appliance, clients, and servers require that any routers and firewalls between them permit specific protocols and port numbers. Default Ports Used by Equalizer for Outgoing Traffic (Client) (columns: Port Number, Protocol, Purpose): HA failover of network interfaces. •...
  • Page 841 Equalizer Administration Guide (columns: Port Number, Protocol, Purpose) SNMP queries. • HTTPS administrative web UI access. Only occurs if the destination address is a network interface’s IP address. • Predefined HTTPS service. Only occurs if the service is used by a virtual server or virtual cluster, and if the destination address is a virtual server or virtual cluster.
  • Page 843: Networking Translation Between Eq/Os 10.1.X And 10.2.X

    Equalizer Administration Guide Appendix F Networking Translation Between EQ/OS 10.1.x and 10.2.x Sections within this chapter include: Networking Translation Between 10.1.x and 10.2.x Systems
  • Page 844: Networking Translation Between 10.1.X And 10.2.X Systems

    Networking Translation Between EQ/OS 10.1.x and 10.2.x Networking Translation Between 10.1.x and 10.2.x Systems Several significant networking enhancements were made as part of EQ/OS 10.2.x development. These include: 1. Per-subnet static routes have been enhanced to allow the user to specify an optional source IP address.
  • Page 845 Equalizer Administration Guide (columns: EQ/OS 10.1.x Configuration | EQ/OS 10.2.x Configuration | What happens in an upgrade to 10.2.x) Network 1: Default route → GW, def_src_addr | Network 1: Static route: 0/0 → GW | In the 10.1.x configuration the combination of the def_src_addr flag and a default route meant that this was the network connected to the Internet. ...
  • Page 846 Networking Translation Between EQ/OS 10.1.x and 10.2.x (columns: EQ/OS 10.1.x Configuration | EQ/OS 10.2.x Configuration | What happens in an upgrade to 10.2.x) Network 1: Default route → GW1, Destination network: 0/0 | Network 1: Static route: 0/0 → GW1 | This is a misconfiguration in the 10.1.x configuration because a route has not been specified for communicating with the destination...
  • Page 848: Maximum Configuration Values

    Maximum Configuration Values Appendix G Maximum Configuration Values The following table lists the allowable number of load balancing objects that can currently be defined on Equalizer (columns: 970LX, 670LX, 470LX, 370LX, EQOD): TCP, UDP, HTTP Clusters - 1000 1000 1000 ...; HTTPS Clusters - ...; Server Pools - 190 ...
  • Page 849: Glossary

    Equalizer Administration Guide Glossary 6in4 6in4 is an Internet transition mechanism for migrating from Internet Protocol version 4 (IPv4) to IPv6. Access Control Lists (ACLs) Refers to rules that are applied to port numbers or network daemon names that are available on a host or other layer 3 device, each with a list of hosts and/or networks permitted to use the service. active connection count Shows the number of connections currently active on the server.
  • Page 850 Glossary administration address The IP address assigned to Equalizer on any VLAN. Access to Equalizer can be configured for each VLAN. administration interface The browser-based interface for setting up and managing Equalizer. affinity Affinity is a technique that enables the load balancer to remember which balanced server was chosen for a certain client at its initial request.
  • Page 851 Equalizer Administration Guide bound A character that represents the limit of part of a regular expression. bracket expression In a regular expression, a list of characters enclosed in brackets ( [...] ). branch In an Equalizer regular expression, a complete piece of a regular expression. You can concatenate and/or match branches. See atom, piece, and regular expression.
  • Page 852 Glossary cookie switching Refers to three distinct ways to perform cookie switching: cookie-read, cookie-insert, and cookie-rewrite. daemon An application that runs in the background and performs one or more actions when events trigger those actions. default gateway A default gateway is on the same subnet as Equalizer, and is the gateway which Equalizer relies on to route traffic. delay weight The relative influence on the policy of the current response time between Equalizer and the server.
  • Page 853 Equalizer Administration Guide Envoy Equalizer add-on software that supports geographic clustering and load balancing. See geographic cluster, geographic load bal- ancing, and load balancing. See also intelligent load balancing. eqcli The Equalizer EQ/OS 10 Command Line Interface EQOD See "Equalizer OnDemand" Equalizer Administration Interface An Equalizer window with which you can monitor Equalizer’s operation;...
  • Page 854 Glossary gateway A network route that typically translates information between two different protocols. geographic cluster A collection of servers (such as Web sites) that provide a common service over different physical locations. See cluster. geographic load balancing Distributing requests as equally as possible across servers in different physical locations. See load balancing. See also intelligent load balancing.
  • Page 855 Equalizer Administration Guide ICMP Probes These are Server Health Checks. ICMP health checks basically have Equalizer sending a "ping" to a server and "listening" if the server sends a response. If the server does not respond within the configured time, the server is marked "down" and no further traffic is sent to that server until it starts responding to health checks.
  • Page 856 Glossary provides additional time for completely migrating to IPv6 architecture. ISO/IEC International Organization for Standardization/International Electrotechnical Commission; international standards organizations. ISO/OSI model International Organization for Standardization/Open Systems Interconnection model, a standard that consists of seven layers that control how computers communicate with other computers over a network. Layer 1, Physical, which sets the rules for physical connections via hardware, is the lowest layer.
  • Page 857 Equalizer Administration Guide Layer 7 (L7) The application layer; Layer 7 uses its rules and those of the other layers to control transmission of information from one application to another. Layer 7 is the highest layer in the ISO/OSI model. See ISO/OSI model and Layer 4. least cxns (least connections) load balancing Dispatches the highest percentage of requests to the server with the least number of active connections.
  • Page 858 Glossary Network Address Translation; an Internet standard that defines the process of converting IP addresses on a local-area network to Internet IP addresses. See NAT subsystem. NAT subsystem The Equalizer subsystem responsible for transferring connections to and from the back-end servers. netmask Address mask;...
  • Page 859 Equalizer Administration Guide Persistence Often, when a client (web browser) connects to an application, there is some "shared state" between the client and server which cannot be used with any other server. Using the following example: You point your web browser at www.website.com and log in. The server notes that you are logged in and allows you to use the application.
  • Page 860 Glossary protocol A set of rules that govern adherence to a set of standards. See protocol stack. protocol stack A layer of protocols that process network actions cooperatively and in tandem. See protocol. proxy server A utility, which is part of a firewall, that helps the regular tasks of managing data transmittal from a network to the Internet and from the Internet to the network.
  • Page 861 Equalizer Administration Guide response packet A packet that contains information that responds to a request. See packet and request packet. retry interval (ms) This is the time (in ms) between failed failover peer probes. round robin The default load balancing policy which distributes requests equally among all servers in a virtual cluster, without regard to initial weights or adaptive load balancing criteria.
  • Page 862 Glossary and the server is expected to reply with a number between -1 and 100 to say exactly how alive it is. In order to give Equalizer a proper answer to the health check query, the server needs to run a Server Agent. server cluster A group of servers that are components in a network and joined through hardware or software.
  • Page 863 Equalizer Administration Guide spoofing Using the client’s IP address for the source IP address in client requests. This fools (or spoofs) the server into regarding the client as the source of the request. For spoofing to work, the default gateway for the server must be set to Equalizer’s internal IP address.
  • Page 864 Glossary syslog A system log file, in which information, warning, and error messages are stored in a file, sent to a system, or printed. System Contact Contact is the name of the person responsible for this unit. System Descriptions The user-assigned description of the Equalizer. System Location Location describes Equalizer’s physical location.
  • Page 865 Equalizer Administration Guide User Datagram Protocol (UDP) Within TCP/IP, a transport-layer (Layer 4) protocol. UDP converts data into packets to be sent from one host to another but does not guarantee delivery or ordering of the data. See ISO/OSI, TCP/IP, and transport layer. virtual cluster An endpoint that acts as the network-visible port for a set of hidden back-end servers.

This manual is also suitable for:

Equalizer lx series
