FortiADC™ Basic Deployment Topologies

FORTINET DOCUMENT LIBRARY
http://docs.fortinet.com

FORTINET VIDEO GUIDE
http://video.fortinet.com

FORTINET BLOG
https://blog.fortinet.com

CUSTOMER SERVICE & SUPPORT
https://support.fortinet.com 

FORTIGATE COOKBOOK
http://cookbook.fortinet.com

FORTINET TRAINING SERVICES
http://www.fortinet.com/training

FORTIGUARD CENTER
http://www.fortiguard.com

END USER LICENSE AGREEMENT
http://www.fortinet.com/doc/legal/EULA.pdf

FEEDBACK
Email: techdocs@fortinet.com

January 15, 2016

FortiADC Deployment Guide: Basic Deployment Topologies

Revision 1
TABLE OF CONTENTS

Change Log
Introduction
Router Mode
One-Arm Mode
Direct Server Return

Change Log

Date         Change Description
2016-1-15    Initial release.

Fortinet Technologies Inc.
Introduction

Welcome, and thank you for selecting Fortinet products for your network.

The FortiADC D-series family of application delivery controllers (ADC) optimizes the availability, user experience,
performance and scalability of enterprise application delivery.

The purpose of this guide is to give a brief overview of common deployment topologies.

Router Mode

Figure 1 shows the Router Mode deployment topology. This is the most standard load balancing deployment mode. In this mode:

• FortiADC is the default gateway of the servers, so all traffic is sent through the FortiADC.
• Clients send HTTP requests to the FortiADC virtual server IP address (for example, 10.10.10.10), and FortiADC load balances the traffic between the web servers.

Figure 1: Router Mode topology

The following tables show the source/destination addresses received and sent from the FortiADC.

Benefits

• No network changes needed
• Client IP address visibility

Cautions

• FortiADC must be the default gateway of the servers

Basic configuration

config system global
  set hostname FortiADC-VM
end
config system interface
  edit "port1"
    set vdom root
    set ip 10.10.10.1/24
    set allowaccess https ping ssh http
    config ha-node-ip-list
    end
  next
  edit "port2"
    set vdom root
    set ip 192.168.1.1/24
    set allowaccess https ping ssh http
    config ha-node-ip-list
    end
  next
end
config system dns
  set primary 208.91.112.53
  set secondary 208.91.112.52
end
config system admin
  edit "admin"
    set is-system-admin yes
    set vdom root
    set access-profile super_admin_prof
  next
end
config load-balance pool
  edit "Web_Group"
    set health-check-ctrl enable
    set health-check-list LB_HLTHCK_ICMP
    config pool_member
      edit 1
        set ip 192.168.1.100
      next
      edit 2
        set ip 192.168.1.101
      next
      edit 3
        set ip 192.168.1.102
      next
    end
  next
end
config load-balance virtual-server
  edit "Web_VIP"
    set interface port1
    set ip 10.10.10.10
    set load-balance-profile LB_PROF_TCP
    set load-balance-method LB_METHOD_ROUND_ROBIN
    set load-balance-pool Web_Group
    set traffic-log enable
  next
end
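
The configuration above lists http next to https and ssh in allowaccess on both ports, including port1, which also carries the virtual server. As an added example (not part of the Fortinet guide), this Python script parses the config/edit/set syntax and reports such interfaces. The sample text is trimmed from the configuration above, and the two finding rules are this example's own assumptions about what to flag, not FortiADC behaviour.

```python
CLEARTEXT = {"http"}  # unencrypted admin protocol in the page's allowaccess lists
SAMPLE = """\
config system interface
edit "port1"
set allowaccess https ping ssh http
config ha-node-ip-list
end
next
edit "port2"
set allowaccess https ping ssh http
next
end
config load-balance virtual-server
edit "Web_VIP"
set interface port1
next
end
"""  # constructed sample, trimmed from the Router Mode configuration

def parse_sections(text):
    """Map each top-level config section to {entry name: {setting: [values]}}."""
    sections, stack, entry = {}, [], None
    for tok in (ln.split() for ln in text.splitlines() if ln.strip()):
        if tok[0] == "config":
            stack.append(" ".join(tok[1:]))
            entry = entry if len(stack) > 1 else None  # reset at a new top-level section
        elif tok[0] == "end" and stack:
            stack.pop()
        elif len(stack) != 1:
            continue  # skip nested tables such as ha-node-ip-list or pool_member
        elif tok[0] == "edit":
            entry = sections.setdefault(stack[0], {}).setdefault(tok[1].strip('"'), {})
        elif tok[0] == "set" and entry is not None:
            entry[tok[1]] = tok[2:]
    return sections

def audit(text):
    """Return (interface, finding) pairs for risky allowaccess settings."""
    cfg = parse_sections(text)
    vips = cfg.get("load-balance virtual-server", {}).values()
    vip_ifaces = {v["interface"][0] for v in vips if "interface" in v}
    findings = []
    for name, iface in cfg.get("system interface", {}).items():
        access = set(iface.get("allowaccess", []))
        findings += [(name, f"cleartext admin protocol: {p}") for p in sorted(access & CLEARTEXT)]
        admin = sorted(access - {"ping"})  # ping is not an admin login service
        if admin and name in vip_ifaces:
            findings.append((name, "admin access on virtual-server interface: " + " ".join(admin)))
    return findings
```

Calling audit(SAMPLE) returns three findings: two for port1 and one for port2.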

One-Arm Mode

Figure 2 shows the One-Arm Mode deployment topology. In this mode:

• FortiGate is the default gateway of the servers. Only load balancing traffic is sent to the FortiADC.
• Clients send HTTP requests to the FortiADC virtual server IP address (for example, 10.10.10.10). FortiADC acts as a reverse proxy: it NATs the source address, opens new HTTP connections, and load balances the traffic between the web servers.
• You can configure a FortiADC profile option to write the original source IP address to the X-Forwarded-For header. You can configure the real server logging to write the X-Forwarded-For field.

Figure 2: One-Arm Mode topology

The following source/destination tables show the NAT translation.

Benefits

• No network changes needed
• Easy to test and deploy

Cautions

• Lose client IP address visibility
• Requires source pool NAT on FortiADC

Basic configuration

config system global
  set hostname FortiADC-VM
end
config system interface
  edit "port1"
    set vdom root
    set ip 192.168.1.1/24
    set allowaccess https ping ssh http
    config ha-node-ip-list
    end
  next
end
config system dns
  set primary 208.91.112.53
  set secondary 208.91.112.52
end
config system admin
  edit "admin"
    set is-system-admin yes
    set vdom root
    set access-profile super_admin_prof
  next
end
config load-balance ippool
  edit "NAT"
    set interface port1
    set ip-min 192.168.1.3
    set ip-max 192.168.1.3
    config node-member
    end
  next
end
config load-balance pool
  edit "Web_Group"
    set health-check-ctrl enable
    set health-check-list LB_HLTHCK_ICMP
    config pool_member
      edit 1
        set ip 192.168.1.100
      next
      edit 2
        set ip 192.168.1.101
      next
      edit 3
        set ip 192.168.1.102
      next
    end
  next
end
config load-balance virtual-server
  edit "Web_VIP"
    set packet-forwarding-method FullNAT
    set interface port1
    set ip 192.168.1.2
    set load-balance-profile LB_PROF_TCP
    set load-balance-method LB_METHOD_ROUND_ROBIN
    set load-balance-pool Web_Group
    set ippool NAT
    set traffic-log enable
  next
end
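
In One-Arm Mode the real servers see the NAT pool address (192.168.1.3 in the configuration above) as the peer, so the client address is only available from X-Forwarded-For. As an added example (not part of the Fortinet guide), this Python function shows how a real server can choose the address to log: it honours the header only when the TCP peer is the FortiADC NAT address, so a client that connects directly cannot supply its own value. It assumes the ADC's entry is the rightmost one in the header; client_ip and its parameters are names chosen for this example.

```python
import ipaddress

ADC_NAT_POOL = ["192.168.1.3/32"]  # ip-min/ip-max of the "NAT" ippool above

def client_ip(peer, xff, trusted=ADC_NAT_POOL):
    """Return the address a real server should log for one request.

    peer    -- source address of the TCP connection
    xff     -- raw X-Forwarded-For header value, or None if absent
    trusted -- networks allowed to assert X-Forwarded-For (the ADC NAT pool)
    """
    nets = [ipaddress.ip_network(t) for t in trusted]

    def is_trusted(addr):
        return any(addr in net for net in nets)

    hop = ipaddress.ip_address(peer)
    if not xff or not is_trusted(hop):
        return str(hop)  # direct connection: ignore any header the client sent
    # Walk right to left: the rightmost entry is the one written by the ADC.
    for item in reversed([part.strip() for part in xff.split(",")]):
        try:
            addr = ipaddress.ip_address(item)
        except ValueError:
            break  # malformed entry: keep the last address we could verify
        hop = addr
        if not is_trusted(hop):
            break  # first address not vouched for by a trusted proxy
    return str(hop)
```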

Direct Server Return

Figure 3 shows the Direct Server Return deployment topology. In this mode:

• FortiGate is the default gateway of the servers. Only load balancing traffic is sent to the FortiADC.
• Clients send HTTP requests to the FortiADC virtual server IP address and FortiADC load balances the requests to the server farm.
• FortiADC does not perform SNAT.
• The packets the servers receive have the original client IP address, so the response traffic is sent to the client IP address, not through FortiADC.

Figure 3: Direct Server Return topology

The following source/destination tables show the packet flow.

Benefits

• Performance (mostly for video and streaming)

Cautions

• Cannot use Layer 7 features
• Need to configure a loopback IP address on each real server

Basic configuration

config system global
  set hostname FortiADC-VM
end
config system interface
  edit "port1"
    set vdom root
    set ip 192.168.1.1/24
    set allowaccess https ping ssh http
    config ha-node-ip-list
    end
  next
end
config system dns
  set primary 208.91.112.53
  set secondary 208.91.112.52
end
config system admin
  edit "admin"
    set is-system-admin yes
    set vdom root
    set access-profile super_admin_prof
  next
end
config load-balance pool
  edit "Web_Group"
    set health-check-ctrl enable
    set health-check-list LB_HLTHCK_ICMP
    config pool_member
      edit 1
        set ip 192.168.1.100
      next
      edit 2
        set ip 192.168.1.101
      next
      edit 3
        set ip 192.168.1.102
      next
    end
  next
end
config load-balance virtual-server
  edit "Web_VIP"
    set interface port1
    set ip 192.168.1.2
    set load-balance-profile LB_PROF_TCP
    set load-balance-method LB_METHOD_ROUND_ROBIN
    set load-balance-pool Web_Group
    set traffic-log enable
  next
end

Copyright© 2016 Fortinet, Inc. All rights reserved. Fortinet®, FortiGate®, FortiCare® and FortiGuard®, and certain other marks are registered trademarks of Fortinet,
Inc., in the U.S. and other jurisdictions, and other Fortinet names herein may also be registered and/or common law trademarks of Fortinet. All other product or company
names may be trademarks of their respective owners. Performance and other metrics contained herein were attained in internal lab tests under ideal conditions, and
actual performance and other results may vary. Network variables, different network environments and other conditions may affect performance results. Nothing herein
represents any binding commitment by Fortinet, and Fortinet disclaims all warranties, whether express or implied, except to the extent Fortinet enters a binding written
contract, signed by Fortinet’s General Counsel, with a purchaser that expressly warrants that the identified product will perform according to certain expressly-identified
performance metrics and, in such event, only the specific performance metrics expressly identified in such binding written contract shall be binding on Fortinet. For
absolute clarity, any such warranty will be limited to performance in the same ideal conditions as in Fortinet’s internal lab tests. In no event does Fortinet make any
commitment related to future deliverables, features, or development, and circumstances may change such that any forward-looking statements herein are not accurate.
Fortinet disclaims in full any covenants, representations, and guarantees pursuant hereto, whether express or implied. Fortinet reserves the right to change, modify,
transfer, or otherwise revise this publication without notice, and the most current version of the publication shall be applicable.