Equalizer Administration Guide, EQ/OS 10. April 18, 2013. Document Version: 10.0.
Copyright © 2013 Fortinet, Inc. All rights reserved. Fortinet®, FortiGate®, and FortiGuard® are registered trademarks of Fortinet, Inc., and other Fortinet names herein may also be trademarks of Fortinet. All other product or company names may be trademarks of their respective owners. Performance metrics contained herein were attained in internal lab tests under ideal conditions, and performance may vary. Network variables, different network environments and other conditions may affect performance results.
Chapter 1 Introduction

Subsections in this chapter include: Chapter Summary (page 20), Using the WebHelp (page 22), Differences From Prior Releases of EQ/OS (page 25), Typographical Conventions (page 26), Where to Go for More Help (page 27).
Chapter Summary

Equalizer is designed to be administered equally well from either a console Command Line Interface or a browser-based Administrative Interface. This guide describes both administrative environments. Within this guide, the Command Line Interface or eqcli is referred to as the “CLI”. The web-based Administrative Interface is referred to as the “GUI”. EQ/OS 10 is a major revision of Equalizer software.
• Clusters -- tells you how to add and remove virtual clusters and servers, change load balancing options, and shut down servers.
• Match Rules -- shows you how to create match rules that distribute requests based on a request’s attributes.
• Automatic Cluster Responders -- describes the configuration and use of automatic cluster responders and their association with match rules.
• Equalizer OnDemand -- discusses the differences between Equalizer OnDemand and Equalizer hardware, prerequisite requirements, and the installation and use of EQoD.
• Glossary -- a glossary of common load balancing terminology in addition to Equalizer-specific terminology.

Using the WebHelp

Installed on your Equalizer is an HTML-based WebHelp system that is fully functional in all web browsers.
This text entry box is where you can enter a search term to search the open topic for specific details. Click the search button after you have entered a search term.

Toolbar

The toolbar contains buttons for quick navigation, display options, topic printing, highlighting and a search area. Enter a search term in this box and the open topic will be searched. If the search yields results, they will be highlighted on the page.
Glossary

Select the Glossary accordion tab to access a glossary of load balancing and Equalizer-specific terminology. Click on each term to display a definition.
Differences From Prior Releases of EQ/OS

The following are differences from previous versions of EQ/OS:

New Command Line Interface

The Equalizer Command Line Interface, CLI, gives you complete administrative control over Equalizer and is one of the major new features in EQ/OS 10. The GUI is also available to view and modify the configuration; however, not all administrative options have been enabled in the GUI.
1. Create servers -- use the IP addresses and ports of the real servers behind Equalizer.
2. Create server pools -- set load balancing parameters that will apply to a group of real servers.
3. Associate servers with server pools -- associate real server names with the server pool, creating a server instance, and set options on the server instance.
4. Associate server pools with clusters.
• Bold courier text is text the user must type at the CLI prompt. Bold courier text in brackets indicates a keyboard key or key sequence that must be typed.
• Bold text sequences such as “Equalizer > Status > Event Log” are used to indicate the GUI controls a user needs to click to display the GUI form relevant to the task at hand.
• Online device manuals, supplements, and release notes: the latest Equalizer documentation and updates.
• Links to additional resources, and more.
Chapter 2 Equalizer Overview

Sections within this chapter include: About Equalizer (page 30), Intelligent Load Balancing (page 30), Load Balancing Configuration (page 31), Real-Time Server Status Information (page 31), Network Address Translation and Spoofing (page 32), How a Server is Selected (page 33), Load Balancing (page 33), Server Selection Process Flow (page 35), Persistence (page 37), Why a Server May Not Be Selected (page 39), Geographic Load Balancing (page 39), Sizing of Equalizer Objects (page 40).
About Equalizer

Equalizer is a high-performance content switch that features:
• Intelligent load balancing based on multiple, user-configurable criteria.
• Non-stop availability with no single point of failure, through the use of redundant servers in a cluster and the optional addition of a failover (or backup) Equalizer.
• Layer 7 content-sensitive routing.
• Connection persistence using cookies or IP addresses.
• Real-time server and cluster performance monitoring.
Cluster features by cluster type (columns: L4 UDP; L4 and L7 TCP; L7 HTTP; L7 HTTPS):

Feature                                  | L4 UDP                                   | L4 and L7 TCP                          | L7 HTTP                                | L7 HTTPS
Load balancing policies                  | Round Robin, Static Weight, Adaptive, Fastest Response, Least Connections, Server Agent, Custom (all cluster types)
Server failure detection (probes)        | ICMP, TCP, Health Check                  | ICMP, TCP, ACV, Health Check           | ICMP, TCP, ACV, Health Check           | ICMP, TCP, ACV, Health Check
Persistence                              | Based on IP                              | Based on IP                            | Using cookies                          | Using cookies
Server selection by request content (i.e., Match Rules) | No; load is balanced according to the current load balancing policy. | No; load is balanced according to the current load balancing policy. | |
Load balanced protocols                  |                                          |                                        |                                        |
NAT and spoofing                         |                                          |                                        |                                        |
ICMP probes use the Internet Control Message Protocol to send an "Echo request" to the server, and then wait for the server to respond with an ICMP "Echo reply" message (like the Unix ping command). ICMP is a Layer 3 protocol. ICMP probes can be disabled via a global flag.

TCP probes establish (and tear down) a TCP connection between Equalizer and the server, in a typical Layer 4 exchange of TCP SYN, ACK, and FIN packets.
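The TCP probe described above, as an added Python example (not code from this guide or from Equalizer itself): the probe completes a TCP handshake and closes the connection without sending any payload, and a small status tracker turns a run of probe results into an "up" or "down" state. The consecutive-failure thresholds, the loopback listener and the probe of an unused port are constructed for the example; the guide does not document Equalizer's own thresholds.

```python
import socket
import threading
import time
from dataclasses import dataclass


@dataclass
class ProbeResult:
    up: bool
    latency_ms: float
    reason: str


def tcp_probe(host, port, timeout=2.0):
    """Layer 4 probe: complete the TCP handshake (SYN, SYN/ACK, ACK), then close
    (FIN) without sending a payload. Up means the server accepted the connection
    within the timeout; a refusal (RST) or a timeout both count as down."""
    start = time.monotonic()
    try:
        with socket.create_connection((host, port), timeout=timeout):
            pass  # accepted; leaving the block closes the socket (FIN)
    except OSError as exc:  # ConnectionRefusedError and socket.timeout are OSErrors
        return ProbeResult(False, (time.monotonic() - start) * 1000.0, type(exc).__name__)
    return ProbeResult(True, (time.monotonic() - start) * 1000.0, "connected")


class ServerStatus:
    """Marks a server down after `down_after` consecutive failed probes and up
    again after `up_after` consecutive successes (thresholds are an assumption of
    this example). Damping like this keeps one lost probe from flapping a server."""

    def __init__(self, down_after=3, up_after=2):
        self.down_after = down_after
        self.up_after = up_after
        self.state = "up"
        self.consecutive_failures = 0
        self.consecutive_successes = 0

    def record(self, result):
        if result.up:
            self.consecutive_successes += 1
            self.consecutive_failures = 0
            if self.state == "down" and self.consecutive_successes >= self.up_after:
                self.state = "up"
        else:
            self.consecutive_failures += 1
            self.consecutive_successes = 0
            if self.state == "up" and self.consecutive_failures >= self.down_after:
                self.state = "down"
        return self.state


def start_listener():
    """Constructed stand-in for a real server: accepts and immediately closes
    connections on an ephemeral loopback port. Returns the listening socket."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return  # listener was closed
            conn.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv


def unused_port():
    """A loopback port with nothing listening, so a probe of it is refused."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


def demo():
    """Two good probes against the listener, then three probes of a dead port:
    the tracker reports the server down on the third failure."""
    srv = start_listener()
    port = srv.getsockname()[1]
    status = ServerStatus()
    states = [status.record(tcp_probe("127.0.0.1", port)) for _ in range(2)]
    srv.close()
    dead = unused_port()
    states += [status.record(tcp_probe("127.0.0.1", dead)) for _ in range(3)]
    return states


if __name__ == "__main__":
    print(demo())
```

The probe only proves that something accepts connections on the port; it says nothing about whether the application behind it is answering correctly, which is what the content-aware checks in this guide are for.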
to one of Equalizer’s IP addresses before forwarding packets to a server. The servers send responses back to Equalizer’s IP address (so it is usually not necessary to set Equalizer as the default gateway on the servers when spoof is disabled). Match rules can be used to selectively apply the spoof option to client requests. This is sometimes called selective SNAT. See the section "Changing the Spoof (SNAT) Setting Using Match Rules" on page 340.
• Active connections - The number of connections a server currently has active and the number of connections that it tends to have open.
• Connection latency - The amount of time that it takes a server to respond to a client request.
• Health check performance values - Depending on the health checks configured, this may not be used at all, or it can completely define how the load is calculated.
• load balance all other requests across all of the servers

Match Rules are constructed using match functions that make decisions based on the following:
• HTTP protocol version; for HTTPS connections, the SSL protocol level the client uses to connect.
• Client IP address
• Request method (GET, POST, etc.)
• All elements of the request URI (host name, path, filename, query, etc.
The figure below shows the connection establishment and server failover mechanism. For Layer 7 clusters, the connection must be established within the connect_timeout. If we receive an active refusal (RST) from a server, we will repeat the load balancing process and choose another server. Otherwise we will continue trying to connect to the same server until the connect timeout expires. For Layer 4 clusters, the connection must be established within the stale_timeout.
Persistence

The persistence of session data is important when a client and server need to refer again and again to previously generated data as they interact over more than one transaction, possibly over more than one connection. Whenever a client places an item in a shopping cart, for example, session data (the item in the cart, customer information, etc.
not aware. What Equalizer does know is that a specific client has been load balanced to a specific server in one of its virtual clusters. With this knowledge, Equalizer can track that information and send that client back to the same server to which it was connected the first time.

Layer 7 Persistence

Equalizer provides server or connection persistence using cookies in Layer 7 HTTP and HTTPS clusters, and using the client IP address in Layer 4 TCP and UDP clusters.
sticky connections. If Equalizer does not find a sticky record, Equalizer proceeds to check all of the other clusters that have the same IP address. If Equalizer still does not find a sticky record, it connects the user based on the current load balancing policy.

Why a Server May Not Be Selected

There are several reasons that a server may not be selected by Equalizer:
1. The various configured health checks within Equalizer have detected that this server is "down".
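The selection order this section and the server selection flow describe (sticky record in this cluster, then sticky records in other clusters sharing the cluster IP, then the load balancing policy, with a refused connection sending the request back through the policy, and a server marked down by health checks never chosen), as an added Python model that is not Equalizer's code and not taken from this guide. The sticky timeout, the round-robin and least-connections policies, the `refuses` flag standing in for a server that answers with RST, and the rule that a peer cluster's sticky record is honoured only when a server of the same name is up in this cluster are all assumptions of the example.

```python
import time
from dataclasses import dataclass


@dataclass
class Server:
    name: str
    weight: int = 100
    up: bool = True          # set by health checks (probes)
    refuses: bool = False    # constructed: the server answers the SYN with RST
    active: int = 0          # active connections, used by least_connections


class Cluster:
    """Simplified model of the selection order described in the guide."""

    def __init__(self, name, cluster_ip, servers, policy="round_robin", sticky_timeout=600.0):
        self.name = name
        self.cluster_ip = cluster_ip
        self.servers = list(servers)
        self.policy = policy
        self.sticky_timeout = sticky_timeout
        self.sticky = {}   # client_ip -> (server name, expiry time)
        self._rr = 0

    def _server(self, name):
        return next((s for s in self.servers if s.name == name), None)

    def sticky_server(self, client_ip, now):
        """The server a still-valid sticky record points to, if it is up."""
        rec = self.sticky.get(client_ip)
        if rec is None:
            return None
        name, expires = rec
        if now > expires:
            del self.sticky[client_ip]   # expired record
            return None
        s = self._server(name)
        return s if s is not None and s.up else None

    def _pick_by_policy(self, candidates):
        if self.policy == "least_connections":
            return min(candidates, key=lambda s: s.active)
        s = candidates[self._rr % len(candidates)]   # round_robin (default)
        self._rr += 1
        return s

    def select(self, client_ip, peers=(), now=None):
        now = time.monotonic() if now is None else now
        # 1. sticky record in this cluster
        chosen = self.sticky_server(client_ip, now)
        # 2. sticky record in another cluster with the same cluster IP
        if chosen is None:
            for peer in peers:
                if peer is self or peer.cluster_ip != self.cluster_ip:
                    continue
                hit = peer.sticky_server(client_ip, now)
                if hit is not None:
                    local = self._server(hit.name)
                    if local is not None and local.up:
                        chosen = local
                        break
        # 3. load balancing policy; an active refusal (RST) repeats the choice
        refused = set()
        while chosen is None:
            candidates = [s for s in self.servers if s.up and s.name not in refused]
            if not candidates:
                return None   # no server can be selected
            candidate = self._pick_by_policy(candidates)
            if candidate.refuses:
                refused.add(candidate.name)
                continue
            chosen = candidate
        self.sticky[client_ip] = (chosen.name, now + self.sticky_timeout)
        chosen.active += 1
        return chosen.name


if __name__ == "__main__":
    sv01, sv02 = Server("sv01"), Server("sv02")
    cl = Cluster("cl01", "172.16.0.210", [sv01, sv02])
    print(cl.select("10.1.1.1", now=0.0), cl.select("10.1.1.2", now=0.0))
    print("sticky:", cl.select("10.1.1.1", now=100.0))
    sv01.up = False
    print("after sv01 down:", cl.select("10.1.1.1", now=200.0))
```

Note that a sticky record survives the return of its original server: once the client has been moved to sv02 it stays there until the record expires, which is why a server brought back up sees only new clients at first.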
Geographic load balancing can dramatically improve reliability by ensuring that your service remains available even if a site-wide failure occurs. Equalizer can also improve performance by routing requests to the location with the least network latency. A discussion about Geographic Load Balancing and Envoy is provided in "Envoy" on page 514.
Chapter 3 Installation

Subsections in this chapter include: Warnings and Precautions (page 42), Power Requirements (page 43), Power Consumption (page 43), Operating Environment (page 45), Regulatory Certification (page 45), Hardware Installation (page 46), Setting Up a Terminal or Terminal Emulator (page 46), Serial Connection.
Warnings and Precautions

Short-Circuit Protection Warning

This product relies on the building's installation for short-circuit (overcurrent) protection. Ensure that a fuse or circuit breaker no larger than 120 VAC, 15A U.S. (240 VAC, 10A international) is used on the phase conductors (all current-carrying conductors).

Attention: For short-circuit (overcurrent) protection, this product depends on the electrical installation of the building.
• This unit should be mounted at the bottom of the rack if it is the only unit in the rack.
• When mounting this unit in a partially filled rack, load the rack from the bottom to the top with the heaviest component at the bottom of the rack.
• If the rack is provided with stabilizing devices, install the stabilizers before mounting or servicing the unit in the rack.
• Watts -- total power consumed by product
• PF -- Power Factor (a ratio of the real power and apparent power consumed by the product)
• Volts -- test voltage
• Amps -- total current consumed by product

110V Test Results (110V/60Hz; models E370LX, E650GX, E450GX, E350GX)

Model    Load       Watts   PF      Volts   Amps
E370LX   Rush-in    70.7    0.984   121.5   0.591
E370LX   No Load    61.7    1.000   121.6   0.505
E370LX   100% CPU   84.1    1.000   121.3   0.682
E650GX   Rush-in    112.5   1.000   118.9   0.954
E650GX   No Load    112.2   1.000   118.7   0.
220V Test Results (220V/50Hz)

Model    Load       Watts   PF      Volts   Amps
E650GX   Rush-in    109.1   0.645   224     0.752
E650GX   No Load    109.9   0.925   222     0.536
E650GX   100% CPU   140.5   0.943   222     0.671
E450GX   Rush-in    109.1   0.645   224     0.752
E450GX   No Load    109.9   0.925   222     0.536
E450GX   100% CPU   140.5   0.943   222     0.671
E350GX   Rush-in    74.6    0.877   445     0.378
E350GX   No Load    68.5    0.862   225     0.354
E350GX   100% CPU   96.3    0.923   224     0.466
E250GX   Rush-in
E250GX   No Load
E250GX   100% CPU

Operating Environment

• Temperature: 40 - 105 °F, 5 - 40 °C.
Hardware Installation

To install Equalizer, follow these steps:

1. Carefully remove the Equalizer rack-mount enclosure and cables from the shipping container. Save the original packaging in case you need to ship the Equalizer for any reason, such as sending it in for warranty service. The Equalizer chassis does not contain any parts that you can service. If you open the chassis or attempt to make repairs, you may void your warranty.
• no parity
• one stop bit
• VT100 terminal emulation
• ignore hang-ups (if supported); this allows a single terminal session to continue running even if Equalizer restarts

On Windows systems, you can use the Windows built-in terminal emulator, HyperTerminal, or the Tera Term Pro terminal emulator to log in to Equalizer over the serial port. On Unix systems, you can use the cu(1) command or any other Unix serial communication program.
Chapter 4 First Time Configuration Using EQ OS 10

Sections within this chapter include: First Time VLAN Configuration Example (page 50), Sample Equalizer Configuration (page 51).
First Time VLAN Configuration Example

Follow the steps below to get Equalizer onto your network and start using the CLI and GUI.

1. Log in using the default administrative user name, touch:

Equalizer -- EQ/OS 10.0.4c
Username: touch
Password:
Login successful.
12008239: There are Envoy geocluster configured. These are automatically disabled until an Envoy license is loaded.
EQ/OS 10.0.2f Copyright 2013 Fortinet, Inc.
Welcome to Equalizer!
eqcli >
eqcli > vlan 172net subnet sn01 ip 172.16.0.200/21 default_route 172.16.0.1 services ssh,http flags def_src_addr

5. Connect Equalizer to your network using the VLAN ports that you set up in Step 3. You should now be able to display the Equalizer GUI by pointing a browser at this URL:

http://VLAN_IP_addr

Substitute the VLAN IP address you used in Step "Quick Start" on page 50 for VLAN_IP_addr, as in this example using the IP address from Step 4.

http://172.16.0.
The procedure below shows you how to use one-line commands in the global context to set up the configuration illustrated above.

1. Power on Equalizer and enter the CLI, as shown in "Starting the CLI" on page 128.

2. Configure a VLAN for the GUI, SSH, and cluster IP addresses:

eqcli > vlan 172net vid 2 untagged_ports 1,2
Otherwise, set the time manually on all systems to the current time:

eqcli > date HHmmss

9. Create two real servers:

eqcli > server sv01 proto tcp ip 192.168.0.5 port 80
eqcli > server sv02 proto tcp ip 192.168.0.6 port 80

10. Create a server pool:

eqcli > srvpool sp01 policy adaptive respv 3

11. In server pool sp01, create server instances for the servers created in Step 6.

eqcli > srvpool sp01 si sv01 weight 100
eqcli > srvpool sp01 si sv02 weight 100
eqcli > certificate ct01
eqcli-cert> certfile ftp://10.0.0.21/certfile.pem
eqcli-cert> keyfile ftp://10.0.0.21/keyfile.pem

If you want to cut and paste the certificate and key using an editor, use commands like the following:

eqcli > certificate ct01 certfile edit
eqcli > certificate ct01 keyfile edit

Certificates and keys must be downloaded separately, in PEM format.
20. Add a redirect responder that will redirect all requests coming into the same cluster IP as cl03 on port 80 (via HTTP); the responder will be configured to redirect these requests to cl03 on port 443 (via HTTPS).
Chapter 5 Upgrading and Downgrading

Sections within this chapter include: Version 8.6 Upgrade Procedure (page 58), Downgrading to Version 8.6 (page 62), Upgrading to the Latest Release (page 65).
Version 8.6 Upgrade Procedure

1. Connect Equalizer with a serial console. Refer to "Setting Up a Terminal or Terminal Emulator" on page 46.

2. Set up a local FTP server that can be accessed by Equalizer. This will be used during the upgrade process to save a Version 8.6 system image that can be used to restore Equalizer to Version 8.6. The creation of the restore image is required in order to be able to downgrade Equalizer back to Version 8.6.

3. The Version 8.
8. Enter the upgrade URL using the Version 8.6 syntax and press "Enter". For example, the following URL downloads the image from a local server:

ftp://10.0.0.121/pub/patches/upgrades/10.0.0/os8upgrade/upgrade.tgz

9. Once the upgrade image is downloaded, the following prompt is displayed:

EQUALIZER OS 8.6 -> OS 10.
11. The following message is displayed:

PERMANENTLY upgrade this system to EQ/OS 10 [Y/N]?

Press "Y" and then "Enter" to proceed with the upgrade.

12. The user is now prompted for the second stage upgrade URL:

This installer uses a 2-stage process. You must enter the URL for the second-stage install bundle. It is usually the same URL from which you retrieved the first-stage installer, except without the last component.
Press "Y" and then "Enter" to create a restore image.

14. The system then prompts you to enter a URL for the restore image as well as a username and password to :

Do you want to create a restore image [Y/N]? ^Cy
Cleaning up log and temporary files before restore imaging process.
Flushing disk write cache.
Building restore image.
3891+0 records in.1 MiB / 242.1 MiB = 0.348 1.2 MiB/s 3:23
3891+0 records out
255000576 bytes transferred in 204.
18. Press any key to reboot the system.

19. As the system reboots, you may see prompts indicating that the front panel switch firmware needs to be upgraded:

Switch firmware is down-level.
WARNING: This upgrade contains firmware which requires an immediate reboot after installation, which will be automatically performed.

The switch firmware is automatically upgraded if required. This process can take several minutes.
1. Connect Equalizer with a serial console. Refer to "Setting Up a Terminal or Terminal Emulator" on page 46.

2. Log into the CLI.

3. At the global context prompt, enter:

eqcli > upgrade URL

The URL is an unadorned ftp:// or http:// URL that completely specifies the path to the downgrade directory, as in this example:

upgrade ftp://ftp.coyotepoint.com/pub/patches/upgrades/10.0.2/os8downgrade
eqcli >

4. The downgrade software is downloaded, unpacked, and run.
prompts indicated in the sample output below, enter the restore image password (restore_password) and press the Enter key to continue:

Retrieving expected SHA1 signature for restore image file.
Computing SHA1 signature of restore image file.

If you were prompted (and re-prompted) to enter a restore image password when you created the restore image, then the image was encrypted.
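The two lines of output above say what the downgrade does before it touches the disk: it fetches the expected SHA1 value and recomputes the digest of the downloaded restore image. As an added Python example, not code from this guide or from Equalizer, this is that check written out: the image is streamed through SHA-1 so a file of a few hundred MiB is never read into memory at once, the expected value is validated as a 40-character hex digest, and the comparison is constant-time. The sample image, its size and the temporary file are constructed for the example.

```python
import hashlib
import hmac
import os
import tempfile

HEX_DIGITS = set("0123456789abcdef")


def sha1_of_file(path, chunk_size=1 << 20):
    """Stream the file through SHA-1 in 1 MiB chunks and return the hex digest."""
    digest = hashlib.sha1()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def verify_restore_image(path, expected_sha1_hex):
    """True only when the image's SHA-1 equals the expected value.

    The expected value is normalised (whitespace, case) and rejected outright if
    it is not a SHA-1 hex digest, so a truncated or garbled signature file cannot
    be mistaken for a match. hmac.compare_digest keeps the comparison constant-time."""
    expected = expected_sha1_hex.strip().lower()
    if len(expected) != 40 or not set(expected) <= HEX_DIGITS:
        raise ValueError("expected value is not a 40-character hex SHA-1 digest")
    return hmac.compare_digest(sha1_of_file(path), expected)


def make_sample_image(size=3 * 1024 * 1024 + 17):
    """Constructed stand-in for a restore image: deterministic bytes written to a
    temporary file. Returns the path and the SHA-1 of exactly what was written."""
    data = bytes(range(256)) * (size // 256) + bytes(range(size % 256))
    fd, path = tempfile.mkstemp(suffix=".img.xz")
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)
    return path, hashlib.sha1(data).hexdigest()


def self_check(size=3 * 1024 * 1024 + 17):
    """Exercise the verifier on a constructed image and remove the file again.
    Returns (correct digest accepted, wrong digest rejected, bad input rejected)."""
    path, good = make_sample_image(size)
    try:
        accepted = verify_restore_image(path, good.upper())
        wrong = verify_restore_image(path, "0" * 40)
        try:
            verify_restore_image(path, "not-a-digest")
            bad_input_rejected = False
        except ValueError:
            bad_input_rejected = True
    finally:
        os.unlink(path)
    return accepted, not wrong, bad_input_rejected


if __name__ == "__main__":
    print(self_check())
```

A digest fetched from the same server as the image detects corruption in transit and a mismatched file; it cannot detect substitution by whoever controls that server, so the value of the check depends on where the expected signature comes from and how it got there.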
Beginning image restore process.
/tmp/restore.img.xz (1/1)

Once the image is restored, the system reboots again. After the reboot is complete, the Version 8.6 login prompt is displayed.

Upgrading to the Latest Release

To upgrade a system that is already running Version 10 to the latest release using the CLI, do the following:

1. Ensure that the upgrade image is available on an FTP or HTTP server that is accessible to Equalizer.
Chapter 6 Licensing Equalizer

Sections within this chapter include: Licensing Equalizer (page 68), Adding and Removing Licenses (CLI) (page 68), Adding and Removing Licenses (GUI) (page 70).
Licensing Equalizer

Equalizer can be configured without a license, but will not process any cluster traffic until it is licensed. These instructions are for hardware Equalizers. Refer to "Licensing Equalizer OnDemand" on page 573 for instructions for the Equalizer OnDemand virtual load balancer.

1. Obtain the Serial Number of your Equalizer from the tag on the back of the unit.
2. Display the System ID and copy it for use later in these procedures.

Adding and Removing Licenses (CLI)
a. Log into the CLI.
b. Enter: license genreq
c. Copy the output of the above command into an email and send it to support@coyotepoint.com, requesting an offline license for Equalizer OnDemand.
d. Once you receive an email from Coyote Point Support containing your license, enter the following command: license upload
e. Copy the license information from the email sent by Coyote Point Support and paste it into the CLI.
f. Press .
Adding and Removing Licenses (GUI)

1. Log in to the GUI as described in "Logging In" on page 192.
2. Click on the host name on the left navigation pane.
3. Select the Maintenance tab and then Licensing to display the following.
4. To retrieve an Online License: click on the Retrieve Online License button to connect with the licensing server.
5. To request an Offline License:

Note - When generating an offline license for upload to Equalizer, be sure that the last line in the file is a blank line.

Click on the Request Offline License button. An LIC_REQ.cps file will be downloaded locally to the directory specified by your web browser and a dialogue will appear with instructions. Email the downloaded license request file to the address specified and click OK.
b. Click on Choose File to locate and select the file received from Coyote Point Support.
c. Click on Commit to upload the file to Equalizer.

The details of the license, including the License Name, Product and Key, can be viewed by clicking the grayed license listing.

Removing Licenses

To remove licenses using the GUI:

1. Log in to the GUI as described in "Logging In" on page 192.
2. Click on the host name on the left navigation pane.
Chapter 7 Configuring Access

Sections within this chapter include: Default Login (page 74), Creating Additional Logins (page 74), Serial Access (page 74), Network Access (page 74), Global Services, VLAN Subnet Network Services.
Default Login

The "touch" login (password: "touch") is the default Equalizer administrative login for both the CLI and the GUI. For security, you should change the login for the touch user the first time you log in.
The global services settings provide a convenient way to enable and disable services on all subnets, should the need arise. For example, when you are upgrading or performing a system backup, it may be desirable to use the serial connection and disable all network services to ensure that no other administrative users are accessing the system.
CLI       | GUI             | Network Service
fo_https  | Failover HTTPS  | Failover HTTPS GUI service; when enabled, Equalizer will listen for HTTPS connections on Equalizer’s failover IP address (if configured) on the subnet. The global HTTPS GUI service must also be enabled.
ssh       | SSH             | SSH login service; when enabled, SSH login will be permitted on Equalizer’s IP address on the subnet. The global SSH service must also be enabled.
Chapter 8 Network Configuration

Sections in this chapter include: Networking Conventions (page 78), Networking Technologies (page 78), Common Equalizer Networking Scenarios (page 82), Blank Configuration (page 82), Single VLAN/Subnet (page 82), Single VLAN/Subnet with a Default Gateway (page 83), Dual VLAN/Network (page 85), Dual VLAN/Network with 2 Gateways (page 89), Dual VLAN/Network with Outbound NAT (page 91), Dual VLAN/Network with Multiple Destination Networks (9), Equalizer Use of VLAN Technology, Configuring VLANs, Configuring Subnets.
Networking Conventions

Several conventions are used within this section:
• Network addresses are represented in Classless Inter-Domain Routing (CIDR) notation, an IP addressing scheme in the form A.B.C.D/X where X is the number of bits in the subnet mask.
• Subnets are referenced by the name of the VLAN which contains them, followed by the subnet name. For example, internal:net means VLAN internal, subnet net.
• All VLAN configurations presented are untagged.
If the destination IP address is on a local network, source-based routing is not used by default. The packet is sent to the destination system via Ethernet.
In this configuration, 192.168.211.0/24 is a local network for Equalizer, configured by adding a subnet to the configuration. 192.168.105.0/24 can be configured as a destination network of the 192.168.211.0/24 network. When adding a destination network, the administrator is configuring several things:
• In order to send packets from Equalizer to the destination network, Equalizer should use its IP address on the local network.
In this example, neither the 192.168.211.0/24 nor the 192.168.105.0/24 networks can access the Internet directly. The administrator configures Equalizer to provide outbound NAT service for these networks by using an IP address on the 10.0.0.0/24 network when these internal networks need to talk to the Internet.
Common Equalizer Networking Scenarios

This section describes individual networking scenarios that can be used to build up a larger, more complicated configuration for Equalizer. Each section starts from a specific pre-configured configuration, and references the section which helps set up that configuration.
IPv4 Rules:
1: pass on interface lo0 all hits: 0 bytes: 0
2: pass on interface wm1 hits: 227 bytes: 7025
   From To 192.168.211.0/24 -> 192.168.211.0/24
3: block all hits: 26 bytes: 2579
IPv6 Rules:
1: pass on interface lo0 all hits: 0 bytes: 0
2: pass hits: 0 bytes: 0
   From To fe80::/10 -> any
3: block all hits: 0 bytes: 0

The new rule shows that packets from network internal:net are allowed into the system if they are being sent to the same network.
IP Filter Rules:
IPv4 Rules:
1: pass on interface lo0 all hits: 0 bytes: 0
2: pass on interface wm1 hits: 32 bytes: 1368
   From To 192.168.211.0/24 -> 192.168.211.0/24
3: block on interface wm1 hits: 0 bytes: 0
   From To 192.168.211.0/24 -> 192.168.211.0/24
4: pass on interface wm1 hits: 0 bytes: 0
   From To 192.168.211.0/24 -> any
5: pass on interface wm1 hits: 0 bytes: 0
   From To any -> 192.168.211.
Dual VLAN/Network

Another typical configuration is to have two networks connected to Equalizer:
1. One for external connectivity (this is where the Equalizer clients and clusters are)
2. One for internal resources (this is where the servers are)

We start with a single-VLAN configuration with no default route (See "Single VLAN/Subnet" on page 82) and add a second network for external connectivity, along with a default route for that network, as shown below.
2: pass on interface wm1 hits: 36 bytes: 1608
   From To 192.168.211.0/24 -> 192.168.211.0/24
3: pass on interface wm0 hits: 48 bytes: 2926
   From To 10.0.0.0/24 -> 10.0.0.0/24
4: block on interface wm0 hits: 0 bytes: 0
   From To 10.0.0.0/24 -> 192.168.211.0/24 10.0.0.0/24
5: pass on interface wm0 hits: 27 bytes: 4916
   From To 10.0.0.0/24 -> any
6: pass on interface wm0 hits: 0 bytes: 0
   From To any -> 10.0.0.0/24
7: block all hits: 1 bytes: 328

The 192.168.211.
We see that setting this flag has created a DSS table entry. This entry is a definition for the 0/0 destination network, which specifies that the external VLAN is the one connected to this network, and when Equalizer needs to send packets to this network, it should use the 10.0.0.68 IP address. This setup is sufficient for most dual-network configurations: With this configuration, clients can connect to cluster IP addresses on the 10.0.0.
2: pass on interface wm1 hits: 141 bytes: 7025
   From To 192.168.211.0/24 -> 192.168.211.0/24
3: pass on interface wm0 hits: 5 bytes: 399
   From To 10.0.0.0/24 -> 10.0.0.0/24 0.0.0.0/0 0.0.0.0/0
4: block on interface wm0 hits: 0 bytes: 0
   From To 10.0.0.0/24 192.168.211.0/24 -> 10.0.0.0/24 0.0.0.0/0
5: pass on interface wm0 hits: 4 bytes: 756
   From To 10.0.0.0/24 -> any
6: pass on interface wm0 hits: 0 bytes: 0
   From To any -> 10.0.0.0/24 0.0.0.
Dual VLAN/Network with 2 Gateways

Imagine a scenario very similar to the one described in Dual VLAN/Network, but the internal network is also able to route to the Internet: As far as Equalizer is concerned, the configuration doesn't have to change at all from the previous scenario. There is still a single destination network (the Internet), and Equalizer is statically configured to use the 10.0.0.0 network to communicate with this destination network.
Source Routing Table:
0.0.0.0/0: default via 10.0.0.254
192.168.211.0/24: default via 192.168.211.2
10.0.0.0/24: default via 10.0.0.254

The IP Filter rules are updated as well, analogous to the rules which were created when we added routing in Single VLAN/Subnet with a Default Gateway. The new rules allow routing from the internal network.

IPv4 Rules:
1: pass on interface lo0 all hits: 0 bytes: 0
2: pass on interface wm1 hits: 39 bytes: 1368
   From To 192.168.211.0/24 -> 192.
   -> 10.0.0.0/24 0.0.0.0/0
7: pass on interface wm0 hits: 4 bytes: 756
   From To 10.0.0.0/24 -> any
8: pass on interface wm1 hits: 0 bytes: 0
   From To any -> 192.168.211.0/24
9: pass on interface wm0 hits: 0 bytes: 0
   From To any -> 10.0.0.0/24 0.0.0.0/0
10: block all hits: 1 bytes: 328

It can also be verified using the traceroute tool, available in most operating systems.
Outbound NAT allows the administrator to associate two subnets together using the outbound_nat parameter. This parameter is configured on the internal network, and is set to one of the Equalizer IP addresses of the external network.

eqcli > vlan internal subnet net outbound_nat 10.0.0.68
eqcli: 12000287: Operation successful

This command can be read as "when sending packets from the internal network to any network which is reached through the external network, use the IP address 10.
All three rules are created for the single NAT change that we made. They can be read as "whenever traffic is leaving through the wm0 interface, if it has a 192.168.211.0 network source IP address, change the source IP address to 10.0.0.68".

Second, we changed the default gateway:

Source Routing Table:
0.0.0.0/0: default via 10.0.0.254
192.168.211.0/24: default via 10.0.0.254
10.0.0.0/24: default via 10.0.0.
   0.0.0.0/0
5: pass on interface wm1 hits: 0 bytes: 0
   From To 192.168.211.0/24 -> any
6: block on interface wm0 hits: 0 bytes: 0
   From To 10.0.0.0/24 192.168.211.0/24 -> 10.0.0.0/24 0.0.0.0/0
7: pass on interface wm0 hits: 3 bytes: 517
   From To 10.0.0.0/24 -> any
8: pass on interface wm0 hits: 0 bytes: 0
   From To any 192.168.211.0/24 -> 10.0.0.0/24 0.0.0.
Dual VLAN/Network with Multiple Destination Networks

The scenario above is sufficient if the servers are directly connected to (or within the same broadcast domain as) the internal network of the Equalizer. However, if there are servers that are connected to the internal network of Equalizer through a router, additional configuration steps are necessary.
successful
eqcli > vlan external subnet net destination 0.0.0.0/0 gw 10.0.0.68
12000287: Operation successful
eqcli > vlan external subnet net route 192.168.105.0/24 gw 192.168.211.2
eqcli: 12000287: Operation successful

The first two commands simply replace the def_src_addr flag with the same rule but entered manually. This will allow us to enter manual rules for the internal network later.
192.168.105.0/24:
   192.168.105.0/24 via 192.168.211.2
   default via 10.0.0.254
10.0.0.0/24:
   192.168.105.0/24 via 192.168.211.2
   default via 10.0.0.254

IP Filter Rules:
IPv4 Rules:
1: pass on interface lo0 all hits: 0 bytes: 0
2: pass on interface wm1 hits: 92 bytes: 3700
   From To 192.168.211.0/24 192.168.211.0/24 192.168.105.0/24 -> 192.168.105.0/24 10.0.0.0/24 0.0.0.0/0
3: pass on interface wm0 hits: 7 bytes: 435
   From To 10.0.0.0/24 10.0.0.0/24 0.0.0.0/0 -> 0.0.0.0/0 192.168.
7: pass on interface wm0 hits: 6 bytes: 956
   From To 10.0.0.0/24 -> any
8: pass on interface wm0 hits: 0 bytes: 0
   From To any 192.168.211.0/24 -> 192.168.105.0/24 10.0.0.0/24 0.0.0.0/0
9: block all hits: 0 bytes: 0

IP NAT Rules:
List of active MAP/Redirect filters:
map wm0 192.168.211.0/24 -> 10.0.0.68/32 proxy port ftp ftp/tcp
map wm0 192.168.211.0/24 -> 10.0.0.68/32 portmap tcp/udp auto
map wm0 192.168.211.0/24 -> 10.0.0.68/32
map wm0 192.168.105.0/24 -> 10.0.0.
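As an added example (not Equalizer code), the following Python model walks through the decisions described in the Outbound NAT and Multiple Destination Networks scenarios above: pick the source subnet's routing table, deliver directly when the destination is local, otherwise take the most specific destination route or the default, and rewrite the source to the outbound_nat address when an internal source leaves through the external interface. It uses the guide's addresses plus two constructed values the text does not give: 192.168.211.1 as Equalizer's own internal address and 203.0.113.9 as an Internet host.

```python
"""Model of Equalizer's source-based routing and outbound NAT decisions.
Added example, not Equalizer code; addresses come from the guide except the
constructed internal Equalizer address 192.168.211.1."""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional

IPv4 = ipaddress.IPv4Address
Net = ipaddress.IPv4Network


@dataclass
class Subnet:
    name: str                     # vlan:subnet, e.g. "internal:net"
    interface: str                # front panel port carrying the VLAN
    network: Net
    local_ip: IPv4                # Equalizer's own address on this subnet
    routes: Dict[Net, IPv4] = field(default_factory=dict)  # destination network -> gateway
    default_gw: Optional[IPv4] = None
    outbound_nat: Optional[IPv4] = None  # external-side address substituted as source


@dataclass
class Decision:
    interface: str   # egress interface
    next_hop: IPv4   # the destination itself when it is on a local network
    source: IPv4     # source address actually placed on the wire
    natted: bool


def page_config() -> List[Subnet]:
    """State after the outbound_nat, destination and route commands shown above."""
    to_routed_servers = {Net("192.168.105.0/24"): IPv4("192.168.211.2")}
    internal = Subnet("internal:net", "wm1", Net("192.168.211.0/24"),
                      IPv4("192.168.211.1"),            # constructed, not from the guide
                      routes=dict(to_routed_servers),
                      default_gw=IPv4("10.0.0.254"), outbound_nat=IPv4("10.0.0.68"))
    external = Subnet("external:net", "wm0", Net("10.0.0.0/24"), IPv4("10.0.0.68"),
                      routes=dict(to_routed_servers), default_gw=IPv4("10.0.0.254"))
    return [internal, external]


def subnet_for(subnets: List[Subnet], addr: IPv4) -> Optional[Subnet]:
    """Local subnet owning addr, or, for a source on a routed destination network
    (e.g. 192.168.105.0/24 behind the internal router), the subnet that owns the
    gateway to that network."""
    for s in subnets:
        if addr in s.network:
            return s
    for s in subnets:
        for net, gw in s.routes.items():
            if addr in net:
                return subnet_for(subnets, gw)
    return None


def route(subnets: List[Subnet], src: str, dst: str) -> Decision:
    src_ip, dst_ip = IPv4(src), IPv4(dst)
    # Step 1: the source address selects which subnet's routing table is consulted.
    src_subnet = subnet_for(subnets, src_ip)
    if src_subnet is None:
        raise ValueError(f"{src_ip} is not on any local or routed network")
    # Step 2: a destination on a local network is sent directly over Ethernet;
    # source-based routing is not used.
    for s in subnets:
        if dst_ip in s.network:
            return Decision(s.interface, dst_ip, src_ip, False)
    # Step 3: most specific destination route in the source subnet's table, else its default.
    best = None
    for net, gw in src_subnet.routes.items():
        if dst_ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw)
    gateway = best[1] if best else src_subnet.default_gw
    if gateway is None:
        raise ValueError(f"no route from {src_subnet.name} to {dst_ip}")
    egress = next(s for s in subnets if gateway in s.network)
    # Step 4: outbound NAT applies when an internal source leaves through the external
    # interface: the source is rewritten to the configured outbound_nat address.
    if src_subnet.outbound_nat is not None and egress is not src_subnet:
        return Decision(egress.interface, gateway, src_subnet.outbound_nat, True)
    return Decision(egress.interface, gateway, src_ip, False)


if __name__ == "__main__":
    cfg = page_config()
    for s, d in [("192.168.211.50", "203.0.113.9"), ("192.168.211.50", "192.168.105.7"),
                 ("192.168.105.7", "203.0.113.9"), ("10.0.0.68", "192.168.211.50")]:
        print(s, "->", d, route(cfg, s, d))
```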
Equalizer Use of VLAN Technology

Equalizer models E350GX, E450GX, E650GX support tagged and untagged VLANs on all front panel interface ports. This section provides a basic technical introduction to VLAN technology. Many networking technologies use a technique called broadcasting to provide services on a Local Area Network (LAN).
A number of methods can be used to mitigate problems and threats associated with large broadcast domains, including broadcast filtering and physically separating large broadcast domains into smaller domains. The problem with these solutions is that they are typically implemented at the Network Layer (Layer 3), and require Layer 3 devices (such as routers and firewalls) to implement them.
Task | Command / Procedure

Delete a VLAN (continued)
  GUI: 1. Expand the VLANs node in the left frame. 2. Right-click the name of the VLAN you want to delete. 3. Select Delete VLAN from the popup command menu. 4. Click Confirm.

Modify a VLAN
  CLI: eqcli > vlan name [parameters]
  GUI: 1. Expand the VLANs node in the left frame. 2. Click the name of the VLAN you want to modify. The VLAN configuration tabs appear in the right frame. 3. Edit the VLAN configuration using the controls on each tab.
• VID - A unique integer identifier for the VLAN, between 1 and 4094.
• MTU - MTU can be specified for tagged and untagged VLANs on all switched systems (E350GX, E450GX, E650GX) and for tagged VLANs on non-switched systems (E250GX, Equalizer OnDemand). The MTU is set on the VLAN, and the values you can set depend on the Equalizer model and the subnet configuration of the VLAN, as follows:
  • For the E350GX, E450GX and E650GX, the maximum MTU value is 1500.
• tagged - Tagged ports can be assigned to more than one VLAN.
• untagged - Untagged ports can be assigned to exactly one VLAN.

Click on Commit to save your settings or Reset to revert to the previous settings.

VLAN Port Assignment Using the CLI

Refer to "VLAN and Subnet Commands" on page 186.
Task | Command / Procedure

... VLAN (continued)
  GUI: 1. Expand the VLANs node in the left frame object tree. 2. Expand a VLAN. 3. Click the Subnets node for that VLAN.

Display details for a subnet
  CLI: eqcli > show vlan name subnet name
  GUI: 1. Expand the VLANs node in the left frame object tree. 2. Expand a VLAN. 3. Expand the Subnets node for that VLAN. 4. Click a subnet name to display the configuration tabs for that subnet in the right frame.
Click on Reset to revert to the default permissions. Click on Commit to save any subnet permission changes made. See "VLAN and Subnet Commands" on page 186 for the CLI commands used to configure permitted subnets.

Configuring Outbound NAT

Enabling outbound NAT allows servers on a non-routable network to communicate with hosts on the Internet by mapping the server's IP address to another IP address that is routable on the Internet. On Equalizer, this is disabled by default.
1. Log into the GUI using a login that has add/del access for global parameters (See "Logging In" on page 192).
2. Click on Equalizer in the left navigational pane and select the subnet of the internal or server VLAN. The subnet configuration screen will be displayed as shown below.
3. Enter an Outbound NAT Address that should be used for this subnet when communicating with hosts on the Internet.
eqcli > vlan [internal vlan name] subnet [internal subnet name] default_route [IP address]

4. If there are any static routes configured for the external network, replicate that static routing configuration on the internal (server) subnet (See "Configuring Subnet Destination Routes" on page 111).

Managing Interface Ports

All Equalizer GX models have two Ethernet adapters on the motherboard.
The same information for a single port can be displayed by specifying the port name:

eqcli > show interface swport03
Interface Number     : swport03
Autonegotiation mode : full
Duplex mode          : full
Link Speed           : 1000
Link Status          : Link Up
Maximum MTU          : 0
eqcli >

Port settings are as follows:
• Autonegotiation Mode - One of the following:
  full - Full autonegotiation at all supported speed and duplex settings.
• MTU - MTU can be specified for tagged and untagged VLANs on all switched systems (E350GX, E450GX, E650GX) and for tagged VLANs on non-switched systems (E250GX, Equalizer OnDemand). The MTU is set on the VLAN, and the values you can set depend on the Equalizer model and the subnet configuration of the VLAN, as follows:
  • For the E350GX, E450GX and E650GX, the maximum MTU value is 1500.
  • For E250GX models and Equalizer OnDemand, the maximum MTU is 9000.
Policy Routing

Routing is the process of selecting the network path to use when one device (the source) sends a packet to another device (the destination) on the network. The other device can be on a subnet that is directly connected to Equalizer, or it may be on a remote subnet.
routed from Equalizer based on each scenario. Refer to "How Spoof Influences Routing" on page 245 for additional information on spoofing and "Source Based Routing Scenarios" on page 113 for details on Source Routing with Equalizer.
• Destination IP Address - The IP address for the host or subnet. For IPv4, specified as a Classless Inter-Domain Routing (CIDR) address (e.g. 192.168.1.0/24). For IPv6, specified using IPv6 subnet notation.
• Gateway - The IP address of the gateway used to reach the host or subnet.
• Prefer - Enabling this flag allows you to specify the “preferred” route to be used for any matching destination, even if the destination address is on a subnet that is defined on Equalizer.
Source Based Routing Scenarios

Source routing allows the originator of a packet to partially or completely specify the path that a packet will take through a network, as well as the return path. In contrast, non-source-routing devices determine that path based on the packet’s destination. Source routing allows:
• Easier troubleshooting
• Improved traceroute
• A node to discover all the possible routes to a host.
Source Routing Scenarios

The following are possible scenarios for load balancing source-based routing through Equalizer:

Scenario | Source | Destination | DSS Used
Spoof Load Balancing Toward Server
  1. Local Server, Local Client
  2. Routed Server, Local Client
  Client Server No
  Equalizer Server Yes
  Cluster Client No
  Cluster Client No
  Source Destination No
  Equalizer Destination Yes
  3. Local Server, Remote Client
  4.
Spoof Load Balancing Toward Server

In the load balancing source-based routing scenario presented below, spoofing is enabled so that the source is specified by a client and the destination is a server. As indicated in the table above, four scenarios are possible:
1. Local Server, Local Client - In this case the server is local and the client is local, so no routing will be required.
Spoof Load Balancing Toward Client

In the load balancing source-based routing scenario presented below, spoofing is enabled so that the source is specified by a cluster and the destination is a server. Two scenarios are possible:
1. Local Destination - in this case the packets originating from a cluster and destined for a client have a source IP address, and the destination IP address is on a local VLAN.
Non-Spoof Load Balancing Toward Client

This scenario is the same as "Spoof Load Balancing Toward Client", except that spoofing is disabled, the source is a cluster IP address and the destination is a client. Two scenarios are possible:
1. Local Destination - in this case the packet originating from a cluster and destined for a client has a source IP address, and the destination IP address is on a local VLAN.
Source, Destination Specified

In this scenario, the source and destination are both specified by the client. Equalizer will function as a router to send the packet directly to the addresses specified.
Generated by Equalizer

This scenario is typically used for administrative and probing purposes. It can also be used for upgrades, pinging and Equalizer image updates. As shown below, a packet will be dropped if no source IP address is found. As shown below, the packet routing will be determined by the default gateway specified in the DSS table.
Enabling DNS

To enable the Domain Name Service (DNS), add a name server to the configuration. Name servers are added to the name-server list one at a time, with a maximum of three name servers in the list. The following table shows you how to perform DNS tasks using the CLI and the GUI:

Task | Command / Procedure
  CLI: eqcli > name-server name        GUI: Not implemented.
  CLI: eqcli > no name-server name     GUI: Not implemented.
  CLI: eqcli > no name-server          GUI: Not implemented.
latency, for example, the two clocks may never be in sufficient agreement to increase the delay towards maxpoll. In this case, Equalizer will continue to sync approximately every 64 seconds. This behavior indicates that a different NTP server should be chosen. NTP packets are very small and should not cause any problems with Equalizer or network operation, except as described in the following section on NTP and plotting.
Or, for the US, you would use:
0.us.pool.ntp.org
1.us.pool.ntp.org
2.us.pool.ntp.org

Be careful when using country based NTP pool servers, since some countries contain a very limited number of time servers. In these cases, it is best to use a mix of country and continent based pool servers.
Default Source Selection

The DSS, or Default Source Selection, table is a listing of all destination networks configured in Equalizer, and a mapping of the IP addresses that Equalizer should use when communicating with these networks. The local network that the destination network is attached to can be inferred from the IP addresses. The DSS table can be viewed by entering:

eqcli > show sbr

The display will be as follows: In the example above the DSS table contains two rules: 1.
To view the current IP Filter rules, the show sbr command can once again be used. The example below is shortened due to its length.

IP Filter Rules:
IPv4 Rules:
1: pass on interface lo0 all hits: 287 bytes: 14900
2: pass on interface wm1 hits: 11394 bytes: 326068
   From To 192.168.211.0/24 192.168.211.0/24 192.168.105.0/24 -> 192.168.105.0/24 10.0.0.0/24 0.0.0.0/0
3: pass on interface wm0 hits: 120406 bytes: 7689819
   From To 10.0.0.0/24 10.0.0.0/24 0.0.0.0/0 -> 0.0.0.
Using this command while trying to establish a connection that may not be working can be a good method of finding out what is wrong. In this example, 0 packets were blocked by the filter in rule 4 because rules 2 and 3 allowed all packets needed. If there is a misconfiguration, seeing packets being blocked can be a hint of what is wrong.

IP NAT Rules

Equalizer performs outbound NAT by creating IP NAT rules.
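As an added example (not Equalizer code), the following Python script parses the IP Filter Rules section of show sbr output in the layout shown above and lists the block rules that have matched packets, which is the troubleshooting check the text describes. The sample output embedded in the script is constructed in that layout; its hit counts are invented for the demonstration.

```python
"""Parse the 'IP Filter Rules' section of show sbr output and flag block rules
with hits. Added example, not Equalizer code; SAMPLE is constructed text in the
layout the guide shows, with invented counters."""
import re
from dataclasses import dataclass, field
from typing import List, Optional

SAMPLE = """\
IP Filter Rules:
IPv4 Rules:
1: pass on interface lo0 all hits: 0 bytes: 0
2: pass on interface wm1 hits: 32 bytes: 1368
From To 192.168.211.0/24 -> 192.168.211.0/24
3: block on interface wm0 hits: 4 bytes: 256
From To 10.0.0.0/24 192.168.211.0/24 -> 10.0.0.0/24 0.0.0.0/0
4: pass on interface wm0 hits: 27 bytes: 4916
From To 10.0.0.0/24 -> any
5: block all hits: 1 bytes: 328
IPv6 Rules:
1: pass on interface lo0 all hits: 0 bytes: 0
2: pass hits: 0 bytes: 0
From To fe80::/10 -> any
3: block all hits: 0 bytes: 0
"""

# "N: pass|block [on interface X] [all] hits: H bytes: B"
RULE_RE = re.compile(r"^(?P<num>\d+): (?P<action>pass|block)"
                     r"(?: on interface (?P<iface>\S+))?(?P<all> all)?"
                     r"\s+hits: (?P<hits>\d+) bytes: (?P<nbytes>\d+)$")
# Continuation line: "From To <src nets...> -> <dst nets...>"
FROMTO_RE = re.compile(r"^From To (?P<src>.+?) -> (?P<dst>.+)$")


@dataclass
class Rule:
    family: str               # "IPv4" or "IPv6"
    number: int
    action: str               # "pass" or "block"
    interface: Optional[str]  # None when the rule is not bound to an interface
    hits: int
    nbytes: int
    src: List[str] = field(default_factory=list)
    dst: List[str] = field(default_factory=list)


def parse_filter_rules(text: str) -> List[Rule]:
    rules: List[Rule] = []
    family, current = "", None
    for raw in text.splitlines():
        line = raw.strip()
        if line.endswith("Rules:") and line != "IP Filter Rules:":
            family, current = line.split()[0], None   # start of the IPv4/IPv6 list
            continue
        m = RULE_RE.match(line)
        if m:
            current = Rule(family, int(m["num"]), m["action"], m["iface"],
                           int(m["hits"]), int(m["nbytes"]))
            rules.append(current)
            continue
        m = FROMTO_RE.match(line)
        if m and current is not None:
            current.src = m["src"].split()
            current.dst = m["dst"].split()
    return rules


def blocked_with_hits(rules: List[Rule]) -> List[Rule]:
    """Block rules that have actually dropped packets: the hint the text describes.
    Hits on a trailing 'block all' mean traffic matched no pass rule at all."""
    return [r for r in rules if r.action == "block" and r.hits > 0]


def report(text: str) -> List[str]:
    lines = []
    for r in blocked_with_hits(parse_filter_rules(text)):
        where = f"on {r.interface}" if r.interface else "all interfaces"
        lines.append(f"{r.family} rule {r.number} blocked {r.hits} packets {where}: "
                     f"{' '.join(r.src) or 'any'} -> {' '.join(r.dst) or 'any'}")
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE)) or "no block rule has hits")
```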
Chapter 9 Working in the CLI

Sections in this chapter include:
Starting the CLI 128
  Logging In to the CLI Over a Serial Connection 128
  Logging In to the CLI Over an SSH Connection 128
Exiting the CLI 129
Working in the CLI 130
  CLI Contexts and Objects
  Object Relationships
  Command Line Editing
  Entering Names for Equalizer Objects
  Using White Space in a Command Line
  Enabling and Disabling Flags
  Command Abbreviation and Completion
  Detection of Invalid Commands and Argument
Working in the CLI

Starting the CLI

The Equalizer Command Line Interface, CLI, gives you complete administrative control over Equalizer and is one of the major new features in EQ/OS 10. The GUI is also available to view and modify the configuration; however, not all administrative options have been enabled in the GUI. The CLI can be used over either a serial connection or an SSH connection.

Logging In to the CLI Over a Serial Connection

To start the Equalizer CLI over a serial connection:
1.
2. Use SSH client software to open a connection with Equalizer using the enabled VLAN IP address and port 22. Specify the login eqadmin, as shown in the example command line below:
   $ ssh eqadmin@172.16.0.200
3. Upon successful SSH login, Equalizer displays the Username prompt. Enter an Equalizer login, such as the default login, touch:
   Username: touch
4. Enter the password for the user name specified in the previous step:
   Password: touch
1.
Working in the CLI

The Equalizer command line interface, or CLI, was developed to be an easy-to-use, intuitive, and flexible command line interface. It was patterned after CLIs used in other common networking equipment, so if you’ve used a CLI on another network device (such as a router), you should quickly feel comfortable using eqcli. The CLI provides a number of features that are designed to make working at the command line easier and more effective, as described in this section.
In each context, you can perform operations on the objects and parameters that exist in that context (e.g., create, delete, modify, display, set). When you change to another context, the eqcli prompt changes to include the suffix indicated in the chart above for each context. For example, when you change to the server context, the eqcli prompt changes from “eqcli >” to “eqcli sv>”.
Object Relationships

Most contexts in the CLI correspond to an Equalizer object -- servers, server instances, server pools, clusters, match rules, responders, CRLs, certificates. The following diagram shows the relationships among these objects. On Equalizer, a server corresponds to a real server hosting an application behind Equalizer. Each server has an IP address that Equalizer uses to send client requests to the server.
Command Line Editing

Use the key sequences below to edit the current command line:
ctrl-a   Move the cursor to the beginning of the line
ctrl-e   Move the cursor to the end of the line
ctrl-b   Move the cursor one character to the left
ctrl-f   Move the cursor one character to the right
esc-b    Move the cursor one word to the left (also left arrow)
esc-f    Move the cursor one word to the right (also right arrow)
ctrl-h   Delete the character to the left of the cursor
ctrl-k   Delet
esc-d
eqcli > srvpool sp01 si “sv01, sv02” flags “hot_spare, quiesce”

Enabling and Disabling Flags

Most objects have a flags keyword that is followed by one or more keywords that enable and disable particular object behavior. A single flag is specified as in this example:

eqcli> srvpool sp01 si sv01 flags hot_spare

Multiple flags in a command line can be separated using either a comma (,) or a vertical bar (|) between each flag.
Command Abbreviation and Completion

You do not need to type an entire command name in order to execute a command. If you type enough characters to uniquely identify a command and then type a or character, eqcli will automatically display the remainder of the command name.
When specifying server instances on the command line, the user can specify either a single object or a comma separated list of objects. For example, to create server instances of two servers (sv01 and sv02) in an existing server pool (sp01), you could enter:

eqcli> srvpool sp01 si sv01,sv02
eqcli sp-sp01-si-sv01*>

When you enter multiple server instances as in the command above, eqcli enters a special combined context that applies commands to all of the specified objects.
For parameters, the no form requires the complete command used to set the parameter, minus the argument setting the value.
For example, if sv01 exists and the current context is “sv-sv01”, then the following commands are queued until a commit, exit, or command is entered:

eqcli > server sv01
eqcli sv-sv01> ip 192.168.0.211
eqcli sv-sv01> port 8080
eqcli sv-sv01> commit

Queued commands can be committed or discarded using the following commands:
• commit - Commits all queued commands; does not change the current context.
• If you type the complete name of a command that is valid in the current context and type >, context help for that command is displayed. For example:

eqcli > cluster cl01
eqcli cl-cl01> clientto?
clientto: Set the client timeout for this cluster.
Syntax: cluster clientto
Warning: Only valid for proto http or https.
date             Tue Apr 2 18:39:36 UTC 2013
timezone         UTC
locale           en
global services  http, https, ssh, snmp, envoy, envoy_agent
name-servers     10.0.0.120
ntp-server       pool.ntp.org - Enabled
syslog-server    None
GUI logo         Coyote Point Systems Inc.
boot image       Equalizer Image B
EQ/OS Version    10.0.4a (Build 22939)
eqcli >

Context Command Summaries

This section contains a table for each CLI context that summarizes all the commands that can be executed in each context.
Global Commands

The table below lists the global configuration commands that are available in the global context of the CLI. These commands allow you to:
• Configure, enable, and disable settings such as Equalizer’s hostname, NTP, and DNS.
• Perform system operations, such as upgrading and rebooting Equalizer.

Global Commands
eqcli > backup : Upload a system backup to remote FTP.
eqcli > boot : Set the EQ/OS image (A or B) to use at next boot.
Global Commands (continued)
eqcli > icmp_maxtries : Set the maximum number of ICMP probes in a probe interval.
eqcli > interface : Modify an interface.
eqcli > keywords : Display reserved keywords. These cannot be used as names in eqcli.
eqcli > license : Get the online or offline license.
eqcli > locale : Set the locale of the system.
eqcli > name-server : Add a DNS name server entry. One IP address can be specified on the command line. A total of 3 IP addresses can be added.
Global Commands (continued)
eqcli > syslog : Enable or disable remote logging.
eqcli > syslog-server : Set the syslog server IP address.
eqcli > timezone : Set the system timezone.
eqcli > traceroute : Trace the network path to a host using UDP packets.
eqcli > tunnel : Set the tunnel.
eqcli > upgrade : Load an EQ/OS upgrade image.
eqcli > user : Create or modify a user object.
eqcli > version : Show detailed system and version information.
Certificate Commands

Each SSL certificate installed on Equalizer has a CLI context that provides commands for managing the certificate and its associated private key. Certificates, private keys, and CRLs (see the following section) are used by Equalizer to provide SSL offloading for HTTPS clusters.
Certificate Revocation List Commands

The crl context provides commands for managing Certificate Revocation Lists (or CRLs). CRLs can be used to verify that the certificates used by Equalizer are valid and have not been compromised. A CRL is uploaded to Equalizer using commands in the crl context, and then associated with one or more clusters in the cluster specific context.
Cluster and Match Rule Commands

Each cluster has its own context, and the settings available in the cluster’s context depend on the cluster’s proto parameter -- this parameter must be specified first on the command line when creating a cluster. A Layer 7 cluster may have one or more match rules associated with it, each with its own context. Cluster and match rule commands are summarized in the tables below.
Using Cluster Commands in a Cluster Specific Context (continued)
  [!]ignore_case, [!]insert_client_ip, [!]no_header_rewrite, [!]once_only, [!]spoof, [!]tcp_mux}
For Layer 7 https clusters:
  {[!]allow_sslv2, [!]allow_sslv3, [!]always, [!]compress, [!]disable, [!]ignore_case, [!]insert_client_ip, [!]once_only, [!]push_client_cert, [!]require_client_cert, [!]rewrite_redirects, [!]spoof, [!]strict_crl_chain, [!]tcp_mux, [!]allow_utf8, [!]ics, [!]ignore_critical_extns [!]software_ssl_only, [!]allow_tls10, [
Using Cluster Commands in a Cluster Specific Context (continued)
  {[!]allow_sslv2, [!]allow_sslv3, [!]push_client_cert, [!]require_client_cert, [!]strict_crl_chain}
eqcli cl-clname> crl crlname
eqcli cl-clname> no {cert|cipherspec|clientca|crl|valdepth} : Reset the parameter to its default value
eqcli cl-clname> valdepth : Set validation depth for cluster.
Using Match Rule Commands in the Global Context
eqcli > cluster clname match maname req_cmds : Create maname (req_cmds = * commands below)
eqcli > cluster clname match maname cmd ...
Cluster and Match Rule Command Notes
• When creating a cluster, the list of available parameters depends on the protocol selected for the cluster. As a result, the proto parameter must be specified before any other cluster parameters on the command line.
• Layer 7 clusters can have one or more match rules that override the options set on the cluster when the expression specified in the match rule matches an incoming client request. (Layer 4 clusters do not support match rules.
https only
allow_sslv2 - Enable SSLv2 for client connections.
allow_sslv3 - Enable SSLv3 for client connections.
push_client_cert - Send the entire client certificate to the back-end server. This allows the server to confirm that the client connection is authenticated without having to do a complete SSL renegotiation.
require_client_cert - Require that clients present certificates.
When disabled (the default), an HTTPS cluster performs hardware SSL acceleration using the version of OpenSSL supported in previous releases.
(the default), only the last certificate in the chain is checked for validity.
External Services Commands

Using External Services Commands in the Global Context
eqcli > ext_services : Add or modify a mail server in the 'ext_services' context.
eqcli > show ext_services : Display the configured external services.

External Services Context Commands
eqcli xs> no smtp_relay name : Delete the specified SMTP Relay mail server.
eqcli xs> show smtp_relay name : Display a list of SMTP Relay mail servers, or detail for the specified SMTP Relay mail server.
GeoCluster and GeoSite Instance Commands

Envoy provides cluster load balancing between Equalizers running at two or more geographically distributed locations -- called GeoSites. Each GeoSite is configured with a cluster that is capable of responding to requests for the same content. A GeoCluster is a collection of GeoSites that act together to determine the “best” GeoSite to respond to a particular request.
GeoCluster Context Commands (continued)
  responsiveness
eqcli gcl-gclname> ttl integer : DNS cache lifetime for Envoy responses

Using Geosite Instance Commands in the Global Context
eqcli > geocluster gclname gsi gsiname req_cmds : Create a geosite instance
eqcli > geocluster gclname gsi gsiname cmds : Modify a geosite instance
eqcli > no geocluster gclname gsi gsiname : Delete a geosite instance
eqcli > show geocluster gsi : Display geosite instance summary
eqcli > show geocl
GeoSite Commands
A GeoSite definition points to an Equalizer running Envoy and a cluster defined on that Equalizer. GeoSites are associated with GeoClusters by using the GeoSite name when creating a GeoSite Instance. See "GeoCluster and GeoSite Instance Commands" on page 156.
Interface Commands
The interface context commands let you configure and manage Equalizer's front panel interface ports. There is a separate context corresponding to each front panel port. Ports are created automatically by the system and cannot be deleted. To view a summary of the current port configuration and status, enter:
eqcli > show interface
The name of each port is displayed, along with the port's current autonegotiation, duplex, speed, and link status.
Number of transmitted QoS Class 3 frames : The total number of Quality of Service (QoS) Class 3 frames transmitted by this port.
Total number of dropped frames on egress path : The total number of packets that were dropped (e.g., lack of transmit buffer, collision detection). These packets are not transmitted by the port.
Total transmitted octets : The total number of bytes (8 bits) transmitted by this port.
errors : The total number of bad packets (e.g., CRC errors, alignment errors) received on this interface.
drops : The total number of packets dropped by the receiving interface (e.g., lack of receive buffer, congestion, or invalid classification such as a tagged frame received on an untagged port).
unknown protocol : The total number of packets received on this interface that used an unknown protocol.
Object List Commands
Object lists make it easier to manage user permissions by allowing an administrator to assign user permissions via a list of objects. An entry in an object list is an "object type" and "object name" pair. Once an object list is created, object list names are used as arguments to user context commands (see "User Commands" on page 180) to give a user permission to access the objects in the list.
Peer Commands Peer context commands are used to manage the configuration of failover peers, including the failover peer configuration for this Equalizer, which is created when the system is booted for the first time.
Peer Context Commands
eqcli peer-peer> debug : Set the debug level
eqcli peer-peer> flags [!]failover | fo_config_xfer | [!]os8 | [!]preferred_primary | [!]active-active : Set peer flags (see below)
eqcli peer-peer> os8_intip : V8.
Responder Commands
Responders are global objects in the sense that a single responder can be assigned to multiple clusters. They are used when no servers in the associated server pool are available:
- A responder can be added in the cluster context, in which case it is used when no servers in the server pool defined for the cluster are available.
- sorry - A customized HTML "sorry page" that can, for example, ask the client to retry later or go to another URL.
For example, the following command creates a sorry responder named Sorry01 and downloads the page content from the URL specified on the command line:
eqcli > resp Sorry01 type sorry html ftp://mylocalftpserver/redirect.html
The contents of the file redirect.html are used as the HTML that the responder serves to clients.
Server Commands In the server context, you define a real server using a minimal set of parameters (IP address, port, protocol, etc.). Once defined, a real server can then be associated with one or more server pools, which in turn are associated with one or more Layer 4 clusters or Layer 7 match rules.
Server Pool and Server Instance Commands
A server is attached to a cluster via a server pool. A server pool is a collection of server definitions, each of which has additional parameters assigned to it in the server pool -- these additional parameters are organized by the server's name and are referred to as server instances within the server pool context.
Using Server Pool Commands in a Server Pool Specific Context
slowest, 5 = fastest. Default = 3.
eqcli sp-spname> show : Show the server pool configuration
eqcli sp-spname> si siname : Enter the server instance context
eqcli sp-spname> si cmd : Execute a server instance command
eqcli sp-spname> stats : Display server pool statistics
eqcli sp-spname> test : Test the ACV probing on the specified server instance or on all server instances.
Using Health Check Commands in a Server Pool Specific Context
'down'.
eqcli sp-spname-hc-hcname> stimulus stimulus : Set the stimulus string for the health check probes.
eqcli sp-spname-hc-hcname> type health_check_type : Set the type for the health check probes. Required.
eqcli sp-spname-hc-hcname> weight value : Set the weight for the health check measurement.
hot_spare Enable the hot spare check box if you plan to use this server as a backup server, in case the other server instances in a server pool on the cluster fail. Enabling hot spare forces Equalizer to direct incoming connections to this server only if all the other servers in the cluster are down. You should only configure one server in a cluster as a hot spare.
once_only : Evaluate the first set of headers in a client connection only.
persist_override : If cluster persist is enabled, disable it for this server.
spoof : Use the client IP as the source IP in packets sent to servers. Because the server then sees the client's address rather than Equalizer's, its reply traffic must route back through Equalizer (typically by making Equalizer the server's default gateway); otherwise the client receives packets from an address it never contacted and drops them.
tcp_mux : Enable/disable HTTP multiplexing. See "HTTP Multiplexing" on page 360.
Server instance specific commands can be applied to multiple server instances by entering a comma-separated list of server instance names on the command line.
Load Balancing Policy Description
static weight : Static weight load balancing distributes requests among the servers depending on their assigned initial weights. A server with a higher initial weight gets a higher percentage of the incoming requests. Think of this method as a weighted round robin implementation. Static weight load balancing does not support Equalizer's adaptive load balancing feature; Equalizer does not dynamically adjust server weights based on server performance.
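The following is an added example, not Equalizer's own scheduler code: it models the two rules stated above for static weight load balancing (a server with a higher initial weight receives a proportionally larger share of requests) and for the hot_spare server instance flag (the spare receives connections only when every other instance in the pool is down, and a pool should have at most one). The instance names, weights and up/down states are constructed sample data; the smooth weighted round robin algorithm used is a standard one and is an assumption about how to realise "weighted round robin", not a description of Equalizer's implementation.

```python
"""Static weight (weighted round robin) selection with a hot spare.

Added illustration, not Equalizer's own scheduler: it models the two rules
the guide states, that a server with a higher initial weight receives a
proportionally higher share of requests, and that a hot_spare instance is
used only when every other instance in the pool is down.  The instance
names, weights and up/down states are constructed sample data.
"""
from collections import Counter
from dataclasses import dataclass


@dataclass
class ServerInstance:
    name: str
    weight: int            # initial (static) weight
    up: bool = True        # last health-check result
    hot_spare: bool = False


class StaticWeightPool:
    """Smooth weighted round robin: each pick adds every candidate's weight to
    its running credit, serves the largest credit, and charges it the total."""

    def __init__(self, instances):
        instances = list(instances)
        if sum(1 for s in instances if s.hot_spare) > 1:
            raise ValueError("configure at most one hot spare per pool")
        if any(s.weight <= 0 for s in instances):
            raise ValueError("weights must be positive")
        self.instances = instances
        self._credit = {s.name: 0 for s in instances}

    def candidates(self):
        """Healthy non-spare instances, or the spare alone if all of them are down."""
        primary = [s for s in self.instances if s.up and not s.hot_spare]
        if primary:
            return primary
        return [s for s in self.instances if s.up and s.hot_spare]

    def select(self):
        """Next instance to receive a connection; None means hand off to a responder."""
        cands = self.candidates()
        if not cands:
            return None
        total = sum(s.weight for s in cands)
        for s in cands:
            self._credit[s.name] += s.weight
        chosen = max(cands, key=lambda s: self._credit[s.name])
        self._credit[chosen.name] -= total
        return chosen


def distribute(pool, requests):
    """Count how many of `requests` selections each instance receives."""
    counts = Counter()
    for _ in range(requests):
        chosen = pool.select()
        counts[chosen.name if chosen else "no server"] += 1
    return counts


if __name__ == "__main__":
    pool = StaticWeightPool([ServerInstance("sv01", 3), ServerInstance("sv02", 1),
                             ServerInstance("spare", 1, hot_spare=True)])
    print(distribute(pool, 8))          # sv01 gets 3/4 of the traffic, spare none
    for s in pool.instances[:2]:
        s.up = False
    print(distribute(pool, 2))          # every primary down: only the spare serves
```

With weights 3 and 1 the spare is never chosen while a primary is up; marking both primaries down routes everything to the spare, and with the spare down as well `select()` returns None, which is the point at which a cluster falls back to its responder.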
- Optimization Threshold controls how frequently Equalizer adjusts dynamic weights. If Equalizer adjusts server weights too aggressively, oscillations in server weights can occur and cluster-wide performance can suffer. On the other hand, if Equalizer does not adjust weights often enough, server overloads might not be compensated for quickly enough and cluster-wide performance can suffer.
SNMP Commands
The parameters in the SNMP context specify return values for the following Object IDs (OIDs) in the Equalizer SNMP Management Information Base (MIB):

Parameter | Default Value | Description
community | Equalizer | Any SNMP management console needs to send the correct community string along with all SNMP requests. If the sent community string is not correct, Equalizer discards the request and will not respond. The community string travels in the clear and is the only credential on a v1/v2c request, so change it from the default and restrict SNMP to a management subnet.
contact | public | Contact is the name of the person responsible for this unit.
Enabling SNMP (CLI)
By default, SNMP is a globally enabled service -- meaning that it will run on any subnet that is configured to offer the SNMP service. You must specifically enable SNMP on the subnet or subnets on which you want it to listen for SNMP MIB browser and management station connections. SNMP can be enabled on at most one IPv4 subnet address/port and one IPv6 subnet address/port. SNMP runs on Equalizer's IP address on the configured subnet.
IP address. “fo_snmp” means that SNMP is globally enabled for any subnet failover IP address. If either of these keywords has a preceding exclamation point (!), then SNMP is disabled for that class of IP addresses. You can enable and disable these flags using the services command, as shown in "Global Commands" on page 141. 2. Now, enable SNMP on the desired VLAN subnet, on either the subnet IP address or the subnet failover (aka “virtual”) IP address.
Tunnel Commands
Use tunnel context commands to configure Equalizer to access the IPv6 Internet via an IPv6 "6in4" tunnel. Note that you must first request a tunnel configuration from a tunnel broker before setting up the tunnel endpoint on Equalizer. See "Configuring an IPv6 Tunnel" on page 225 for more information.
User Commands

Using "User" Commands in the Global Context
eqcli > user uname [cmds] : Create user uname (see below for cmds)
eqcli > user uname cmds : Modify user uname (see below for cmds)
eqcli > no user uname : Delete user uname
eqcli > show user [uname] : Display all users or a specific user
eqcli > user uname : Change to the "user-uname" context (see below)

"User" Context Commands
eqcli user-uname> alert alert_name : Set a user alert.
Using User-alert context commands:

User-alert Context Commands
eqcli user-uname-alertname> alert_type alert_flags {[!]exception, [!]state_change} : Set the alert type. Required.
eqcli user-uname-alertname> from email_address : Set the from email address.
eqcli user-uname-alertname> notify_type notify_flags : Set the alert notify flags. Required.
email : When enabled, sends an email to the specified recipients, using a specified SMTP relay mail server. When this notification type is used, an email address is also required. A subject line for the email is optional.
ui : When enabled, notifies users of an alert in the CLI.
snmp : When enabled, allows SNMP traps to notify a management station of significant events by way of unsolicited SNMP messages.
- A default user (i.e., "touch") is assigned a duration of 0 seconds. When additional users are created, the default duration value is 3600 seconds.
- The user creating the new user name is prompted for a password (regardless of whether they specified the password keyword on the command line).
be separated by commas. If spaces are included, the entire list of permissions must be enclosed in quotes.
- type - One of the following object types: cert, cluster, crl, geocluster, geosite, port, server, srvpool, subnet, user, vlan.
- object_name - The name of an existing object of the type given on the command line.
- This form of the permit_objlist command allows the user to create objects of the specified type.
The command arguments for assigning permission to objects in an object list are as follows:
- type - One of the following object types: cert, cluster, crl, geocluster, geosite, port, server, srvpool, subnet, user, vlan.
- default - Specifies that objects created by this user will only be visible to the user creating the object and any user with the admin flag set.
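The following is an added illustrative model of the object list permission rules described in "Object List Commands" and in the permit_objlist arguments above; it is not Equalizer's code and makes no claim about how eqcli stores permissions. It encodes only what the guide states: an object list is a set of (type, name) pairs; a user permitted on a list can reach exactly the objects in it; the type form of permit_objlist grants creation of that object type; and an object created with the default flag is visible only to its creator and to users with the admin flag. Everything else, including the deny-by-default answer for objects in no list, is the least-privilege reading a practitioner should want, and all user, list and object names are constructed sample data.

```python
"""Object-list permissions: an added illustrative model, not Equalizer's code.

Rules modelled from the guide: an object list is a set of (type, name) pairs;
a user permitted on a list may access exactly those objects; create permission
is granted per object type; an object created with 'default' visibility is
visible only to its creator and to admin users.  Names are constructed data.
"""
OBJECT_TYPES = frozenset({"cert", "cluster", "crl", "geocluster", "geosite",
                          "port", "server", "srvpool", "subnet", "user", "vlan"})


class PermissionStore:
    def __init__(self):
        self.objlists = {}   # list name -> set of (type, name)
        self.users = {}      # user name -> {"admin", "lists", "create"}
        self.objects = {}    # (type, name) -> {"owner", "default"}

    def add_user(self, name, admin=False):
        self.users[name] = {"admin": admin, "lists": set(), "create": set()}

    def add_objlist(self, name, entries):
        entries = set(entries)
        bad = sorted({t for t, _ in entries if t not in OBJECT_TYPES})
        if bad:
            raise ValueError("unknown object type(s): %s" % ", ".join(bad))
        self.objlists[name] = entries

    def permit_objlist(self, user, listname):
        """List form of permit_objlist: access to every object in the list."""
        if listname not in self.objlists:
            raise KeyError(listname)
        self.users[user]["lists"].add(listname)

    def permit_create(self, user, objtype):
        """Type form of permit_objlist: the user may create objects of that type."""
        if objtype not in OBJECT_TYPES:
            raise ValueError(objtype)
        self.users[user]["create"].add(objtype)

    def create_object(self, user, objtype, name, default=False):
        u = self.users[user]
        if not (u["admin"] or objtype in u["create"]):
            raise PermissionError("%s may not create %s objects" % (user, objtype))
        self.objects[(objtype, name)] = {"owner": user, "default": default}

    def can_access(self, user, objtype, name):
        """Deny by default: only admins, the owner, and list-permitted users qualify."""
        u = self.users[user]
        obj = self.objects.get((objtype, name))
        if obj is None:
            return False                      # nonexistent objects are never visible
        if u["admin"] or obj["owner"] == user:
            return True
        if obj["default"]:
            return False                      # 'default' objects: creator and admins only
        return any((objtype, name) in self.objlists[l] for l in u["lists"])

    def visible_objects(self, user):
        return sorted(o for o in self.objects if self.can_access(user, *o))


if __name__ == "__main__":
    ps = PermissionStore()
    ps.add_user("admin", admin=True)
    ps.add_user("ops")
    ps.create_object("admin", "cluster", "cl01")
    ps.create_object("admin", "cluster", "cl02")
    ps.add_objlist("web", [("cluster", "cl01")])
    ps.permit_objlist("ops", "web")
    print(ps.visible_objects("ops"))          # [('cluster', 'cl01')]
```

The useful check to run against a real configuration is the last one: enumerate what each non-admin user can see and compare it with what the user's role needs, since an object list that accumulates entries over time quietly widens that set.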
VLAN and Subnet Commands

Using VLAN Commands in the Global Context
eqcli > vlan vlname req_cmds : Create vlname (req_cmds = * commands below)
eqcli > vlan vlname cmds : Modify vlname (cmds = any commands below)
eqcli > no vlan vlname : Delete vlname
eqcli > show vlan [vlname] : Display all VLANs or vlname
eqcli > vlan vlname : Change to the "vl-vlname" context (see below)

VLAN Specific Context Commands
eqcli vl-vlname> show : Display VLAN configuration
eqcli vl-vlname> subnet subname : Change t
Subnet Specific Context Commands
eqcli vl-vlname-sn-subname> default_route ip_addr : Set default route
eqcli vl-vlname-sn-subname> flags {[!]command, [!]def_src_addr, [!]heartbeat} : Set subnet flags
eqcli vl-vlname-sn-subname> *ip cidr_addr : Subnet IP address
eqcli vl-vlname-sn-subname> no parameter : Reset parameter
eqcli vl-vlname-sn-subname> no permit : Set list to null
eqcli vl-vlname-sn-subname> no permit vlname:subname : Remove permit entry
eqcli vl-vlname-
def_src_addr : Stipulates that this subnet is to be used for the default Equalizer source IP.
heartbeat : Allows the failover peers to probe one another over the subnet. At least one subnet must have the heartbeat flag enabled.

VLAN Subnet Services
Services may be turned off by prefixing with "!".
http : When enabled, Equalizer listens for HTTP connections on Equalizer's IP address on the subnet. The global HTTP GUI service must also be enabled. Plain HTTP carries GUI logins in the clear, so enable it only on a management subnet, or disable it in favour of the HTTPS service.
VLAN Subnets
A single VLAN can have more than one subnet assigned to it. In most configurations, there is a one-to-one relationship between VLANs and subnets, but some practical problems are sometimes solved by adding an additional subnet to a VLAN. For example, if all the IP addresses on the subnet assigned to a VLAN are exhausted, the easiest way to add more IP addresses without reconfiguring the network is to add an additional subnet to the VLAN.
Similarly, you’ll need to specify the reverse route: let’s say you only want to route packets to vlan1 from ports configured for vlan2 if they originated on subnet sn03. To accomplish this, you’ll need to specifically add that VLAN/subnet combination to the permitted VLAN list for vlan2: eqcli > vlan vlan2 subnet sn03 permit vlan1 Source IP Address for Outbound Packets When Equalizer originates connections to other hosts (for example, when Equalizer sends out probes, queries an NTP or DNS server, etc.
Chapter 11 Using the GUI

Sections in this chapter include:
Logging In
Navigating Through the Interface
Entering Names for Equalizer Objects
Global Settings
Parameters
SNMP
Certificates
Certificate Revocation Lists
Events Log
Export to CSV
Filtering Status Details
Remote Syslog
External Services
SMTP Relay
VLB Manager
Maintenance
Setting Date and Time
Backup and Restore
Licensing
Manage Software
Tools I
Logging In
The Equalizer Administrative Interface, hereinafter referred to as the "GUI", is a browser-based interface. In general, the GUI should function properly using any browser that:
- Is enabled for JavaScript (required)
- Has an Adobe PDF viewer plug-in or extension installed (required to view the manual and online help)
1.
Navigating Through the Interface
The Equalizer Administration Interface is divided into three major sections:
1. Left Navigational Pane
Current Host Name : Click this item to manage global parameter settings, display the system log, and perform general system maintenance. Right-click this item to display the global command menu.
Clusters : Click this item to display the Cluster Summary. Right-click this item to display the cluster command menu. If clusters are defined, click the triangle to display all existing clusters. Click a cluster name to open the cluster configuration tabs. Right-click on a cluster name to display the cluster specific command menu. If a cluster is a Layer 7 cluster and has match rules defined, click the triangle next to the cluster name to display the match rules.
VLANs : Click this item to display the VLAN Summary. Right-click this item to display the VLAN command menu. If VLANs are defined, click the triangle to display all existing VLANs. Click a VLAN name to open the VLAN configuration tabs. Right-click on a VLAN name to display the VLAN specific command menu. If a VLAN has subnets defined, click the triangle next to the VLAN name to display the subnets. Click a subnet name to open the subnet configuration tabs.
Click on any item in the left pane, or right click to choose a command for that object. The right pane will display the management tabs for the object or the appropriate command dialog. The easy-to-use management tabs organize configuration information into forms and tables that make configuring Equalizer simple. Sub-tabs provide a second level of organization within top-level tabs.
The following Global Parameters are configured on this screen (tab). Click on Commit to save your parameters or Reset to return to the default values.
Hostname : This is Equalizer's host name (default: Equalizer).
Locale : Sets the Equalizer locale. en sets the English locale; ja sets the Japanese locale.
Domain Name Server (1, 2 or 3) : If using a Domain Name Server, the Domain Name Server Equalizer will use.
least probe interval seconds apart. This value is solely a target; the monitoring process adjusts itself based on a number of factors, including system load. The default value is 20 seconds.
Retry Interval (ms) : This is the time (in ms) between failed failover peer probes.
Failed Probe Count : This is the maximum number of failed failover peer probes. The global Failed Probe Count is not used until ALL heartbeating subnets have at least one strike.
- Device name and Model
- Software version
- Internal and External IP addresses and netmasks
- Default gateway
- Failover alias
- Equalizer's failover details
  - Sibling Name
  - Sibling Status (Primary or Secondary)
- Dynamic configuration information, such as:
  - Failover Status (Primary or Secondary)
  - NAT enabled
  - L4 configuration state
  - L7 configuration state
  - Server Health check status
  - Email status notification
  - Cluster parameters (timeouts, buffers)
System Name : This is the name assigned to the system. By default it is Equalizer.
Community String : Any SNMP management console needs to send the correct community string along with all SNMP requests. If the sent community string is not correct, Equalizer discards the request and will not respond.
System Contact : Contact is the name of the person responsible for this unit.
System Location : Location describes Equalizer's physical location.
MIB Files
All MIBs referenced by the supported MIBs are included on Equalizer. The MIB filenames comprise the MIB name plus the filename extension ".my":
CPS-EQUALIZER-v10-MIB.my
CPS-REGISTRATIONS-v10-MIB.my
HOST-RESOURCES-MIB.my
HOST-RESOURCES-TYPES.my
IANAifType-MIB.my
IF-MIB.my
INET-ADDRESS-MIB.my
IP-MIB.my
RFC1155-SMI.my
RFC1213-MIB.my
SNMPv2-CONF.my
SNMPv2-MIB.my
SNMPv2-SMI.my
SNMPv2-TC.my
TCP-MIB.my
UDP-MIB.
2. Click on Add Certificate to display the Add Certificate dialogue form as shown below.
3. Click on Choose File to select a locally stored Certificate File. Repeat the same for adding a locally stored Key File.
4. Click on Commit to save and upload the new Certificate File and Key File.

Certificate Revocation Lists
A Certificate Revocation List (CRL) lets Equalizer check that a client certificate presented to a cluster has not been revoked by its issuing Certificate Authority (for example, because the key was compromised). A CRL is a snapshot as of its issue date, so upload the CA's current CRL whenever it publishes a new one; an expired CRL cannot tell you about certificates revoked since it was issued.
If a CRL attached to a cluster was generated by a Certificate Authority (CA) different from the CA used to generate a client certificate presented when connecting to the cluster, an error will occur. The CRL and client certificate must be signed by the same CA.

Installing a Certificate Revocation List (CRL)
Installed CRLs will be displayed in an accordion style list. Click on each list item to expand it and display the contents of the CRL.
Click on Commit if the CRL is the one you would like to upload to Equalizer. The CRL file will be uploaded to Equalizer and will appear on the Global > CRL screen as shown above.
Events Log
The events log displays events for each element configured on the Equalizer. This includes Clusters, Server Pools, Servers and Responders. It is accessed by clicking on the hostname on the left navigational pane on the GUI and clicking on the Status tab. An example of a display is shown below. Clicking an individual cluster, server pool, server or responder in the object list to the left of the events table displays the events for the selected object only.
Export to CSV
Click on the Export to CSV button to download the log in comma separated values (*.csv) format. The file name will be in the format equalizer-mon-dd[time frame]EventLog.csv. An example is shown below.

Filtering Status Details
After displaying events for all of Equalizer's configured objects or individual objects, the events displayed in the table can be filtered by specifying Start Times and End Times.
Enter a name of the Remote Syslog server and enable the logging by checking the Enable Remote Logging checkbox. Click on Commit to save the entry.

External Services
SMTP Relay
The SMTP Relay screen is used to specify an SMTP Relay Server and specify an IP address and Equalizer port to use. It is accessed by clicking on the host name on the left navigational pane and selecting the External Services tab. Currently, only one SMTP relay is supported.
To add an SMTP relay, click on the add icon to display the Add SMTP Relay form as shown below:
Enter an IP Address for the SMTP Relay in the SMTP Server IP Address field. Specify the port to use with the SMTP Server Port selection. The Port defaults to 25 and can range from 1 to 65535. Click on Commit to save the entries. To delete an SMTP relay, select the relay and click on the delete icon.
- Click on the appropriate label at the bottom of the screen to expand the screen so that you can edit parameters on any of the existing connections.
- Click on the "+" sign to add a new VLB Manager.
- Click on the delete icon ("trash can") to delete the displayed VLB Manager.
Enter the following details for each VLB used:
URL : The URL configured on the system running vCenter (or on an ESX Server) for VMware API connections.
Maintenance
The Maintenance screen (tab) allows you to access the sections in the related topics.

Setting Date and Time
The System time setting screen is used to manually enter the current system date and time. This is accessed by selecting Equalizer on the left navigational pane and selecting the Maintenance (tab) and then selecting Date & Time to display the following.
Set Time Zone : Use the Time Zone drop down list to set the Time Zone. Click on Commit to save the settings.
The Backup feature allows you to back up an Equalizer's user-configured objects and parameters to a file that can be uploaded and later restored to another Equalizer. Backup files may be uploaded to an FTP site or saved locally. The Restore feature allows you to restore a previous backup file containing user-configured objects and parameters to another Equalizer. Backup files may be uploaded to an Equalizer through FTP or from a locally saved backup file.
Current Boot Image : The current boot image and the partition where it resides is displayed.
EQ/OS Release Status : When you select the upgrade tab the GUI downloads the well-known page on our website and retrieves the current release and URL information. If the release running on your Equalizer is older than the latest version available on the Coyote Point website, then the red bold text with a message "A software update is available" will be displayed.
Tools
The Tools screen provides three utilities:
- A Halt/Shutdown command, which allows you to turn your Equalizer "off" directly from the GUI.
- A Reboot System command, which allows you to reboot your Equalizer directly from the GUI.
- A Save System State feature, which allows you to create an archive of your various configuration files, logs and other details used to help in diagnosing any issues that may arise.
Save System State
Click on the Save System State accordion tab to display the following. In this screen you can set up a Save State or system information archive that contains various configuration files, logs, and other information used by Coyote Point Support to help diagnose problems you are having with Equalizer. The file can be saved locally or uploaded to an FTP server.
1. Click on the Maintenance tab and then Save State to display the following:
2. Enter a File Name for the archive.
a. If you select Local, the archive will be saved in the default "save" directory specified in your web browser options.
b. If you select FTP URL, enter the URL of the FTP site to which you will upload the archive file. The URL should be in the format: ftp://[user[:password]@]server/[path/]. Note that FTP sends both the credentials in the URL and the archive itself (which contains your configuration files and logs) in the clear, so use it only over a network you trust, or save locally instead.
4. Select the Save State button to create the archive. Once Equalizer collects the information for the archive, a dialog box is displayed by your browser to open or save the archive.
5.
The following is an example of a switched system, Equalizer E650GX. The E350GX and E450GX are also switched systems. The following is an example of a non-switched system, Equalizer E370LX. The E250GX is also non-switched. The following symbols will be displayed, indicating status:
Red box indicates that the port has been selected, which will display the Port Configuration pop up as shown above.
Link, VLANs Assigned.
No Link, VLANs Assigned.
No Link, No VLANs Assigned.
Administratively Disabled.

Modifying Port Settings
You modify settings for any selected port using the GUI by selecting Equalizer on the left navigational pane and then selecting the Interfaces tab. Select a port on the Equalizer display to modify as shown below.
Port Configuration - the following options are available:
Autonegotiation : If you select Full from the drop down list, the Speed and Duplex selections are not available.
autonegotiation.
Duplex Mode : If the port status is Link Up, this is the current port duplex setting. If the status is Link Down, this is either the highest duplex that can be negotiated, or the force setting. Can be set to Full or Half.
Speed : If the Port Status is Link Up, this is the current port speed. If the Port Status is Link Down, this is the highest speed that can be negotiated, or the force setting. Can be set to 10, 100, or 1000 Mbits.
Number of good broadcasts and multicasts : The total number of good broadcast/multicast (e.g., ARP) packets received on this port.
Number of bad packets received : The total number of bad packets (e.g., CRC errors, alignment errors, too short) received on this port.
Number of received QoS Class 3 frames : The total number of Quality of Service (QoS) Class 3 frames received by this port.
errors : The total number of bad packets (e.g., CRC errors, alignment errors) received on this interface.
drops : The total number of packets dropped by the receiving interface (e.g., lack of receive buffer, congestion, or invalid classification such as a tagged frame received on an untagged port).
unknown protocol : The total number of packets received on this interface that used an unknown protocol.
Additional Equalizer Objects on the GUI
The Equalizer Command Line Interface, eqcli or "CLI", is a major new feature in EQ/OS 10. In addition to configuration using the GUI, Equalizer can be configured using the CLI. Since the additional Equalizer objects that appear on the left navigational pane of the GUI can be configured using the CLI as well as the GUI, they are described within their own sections of this Guide.
Chapter 12 Configuring an IPv6 Tunnel

Sections in this chapter include:
IPv6 Tunnel Overview
Configuring an IPv6 Tunnel
Creating a "6in4" IPv6 Tunnel (CLI)
Configuring DNS for IPv6 Tunnels
IPv6 Tunnel Overview
Every network administrator needs to have a strategy to address the transition to the IPv6 Internet. Various transition mechanisms have been defined that are intended to make it as easy as possible for organizations to get on the IPv6 Internet using their current IPv4 network infrastructure. For many organizations, the easiest and fastest way to get applications up and running on the IPv6 Internet is to use a transition mechanism called an IPv6 tunnel.
For example, Hurricane Electric provides what they call "regular" tunnels and "BGP" tunnels. For Equalizer, you would choose a "regular" Hurricane Electric tunnel, which is a 6in4 tunnel. A 6in4 tunnel allows a user to access the IPv6 Internet by tunneling over an existing IPv4 connection from an IPv6-enabled host to one of Hurricane Electric's IPv6 routers on the Internet.
created in Step 1, or its routable NAT address. Hurricane Electric will set up the tunnel and provide you with the following information:
- The IPv4 and IPv6 addresses for the Hurricane Electric tunnel endpoint.
- The IPv6 address of the default route for the tunnel.
- The IPv6 address block assigned by Hurricane Electric (a /64 prefix subnet).
- The IP addresses of Hurricane Electric's IPv6 and IPv4 DNS servers.
- You can choose any names for the VLAN and subnet.
- The VLAN ID (vid) supplied must be appropriate for your network configuration.
- The IPv6 address used for the subnet ip parameter must be the same as the local_address specified for the tunnel command in the previous step.
- The default_route parameter must be set to the IPv6 address provided by the tunnel broker as the default tunnel route.
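To make concrete what a "6in4" tunnel carries on the wire, the following is an added example that is not part of this guide and not Equalizer's tunnel code. It builds the IPv4-in-protocol-41 encapsulation that RFC 4213 defines, and on the receiving side performs the check RFC 4213 requires of a decapsulator: the outer IPv4 source must be the configured tunnel peer, because 6in4 has no authentication of its own and any host that can reach the endpoint's IPv4 address could otherwise inject IPv6 packets into the tunnel. The addresses are documentation ranges (RFC 5737 for IPv4, RFC 3849 for IPv6) standing in for the endpoints a broker assigns; no packets are sent.

```python
"""6in4 encapsulation (RFC 4213): the IPv6 packet travels as the payload of
an IPv4 packet whose protocol field is 41.  Added illustration, not
Equalizer's tunnel code.  The addresses used are documentation ranges
(RFC 5737 IPv4, RFC 3849 IPv6) standing in for the endpoints a broker assigns.
"""
import ipaddress
import struct

IPPROTO_IPV6 = 41          # "IPv6 encapsulation" in the IPv4 protocol field


def ipv4_checksum(header: bytes) -> int:
    """RFC 1071 one's-complement checksum; evaluates to 0 over a correct header."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv6(src, dst, next_header, payload):
    """Minimal IPv6 header (version 6, hop limit 64) in front of payload."""
    return struct.pack("!IHBB16s16s", 0x60000000, len(payload), next_header, 64,
                       ipaddress.IPv6Address(src).packed,
                       ipaddress.IPv6Address(dst).packed) + payload


def encapsulate(local_v4, peer_v4, ipv6_packet):
    """Outer IPv4 header: src = this endpoint, dst = the broker's endpoint, proto 41."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(ipv6_packet), 0, 0x4000,
                      64, IPPROTO_IPV6, 0,
                      ipaddress.IPv4Address(local_v4).packed,
                      ipaddress.IPv4Address(peer_v4).packed)
    hdr = hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]
    return hdr + ipv6_packet


def decapsulate(packet, local_v4, peer_v4):
    """Validate the outer header and return the inner IPv6 packet.

    Beyond format checks, the outer source must equal the configured peer:
    6in4 carries no authentication, so without that check anyone who can
    reach this endpoint's IPv4 address could inject IPv6 traffic into the
    tunnel (the check RFC 4213 requires of a decapsulator)."""
    if len(packet) < 20:
        raise ValueError("truncated IPv4 header")
    (ver_ihl, _tos, total_len, _ident, _flags, _ttl, proto, _csum,
     src, dst) = struct.unpack("!BBHHHBBH4s4s", packet[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20 or total_len > len(packet):
        raise ValueError("malformed IPv4 header")
    if ipv4_checksum(packet[:ihl]) != 0:
        raise ValueError("bad IPv4 header checksum")
    if proto != IPPROTO_IPV6:
        raise ValueError("not a 6in4 packet (protocol %d)" % proto)
    if ipaddress.IPv4Address(src) != ipaddress.IPv4Address(peer_v4):
        raise ValueError("outer source %s is not the tunnel peer" % ipaddress.IPv4Address(src))
    if ipaddress.IPv4Address(dst) != ipaddress.IPv4Address(local_v4):
        raise ValueError("outer destination is not this endpoint")
    inner = packet[ihl:total_len]
    if len(inner) < 40 or inner[0] >> 4 != 6:
        raise ValueError("payload is not an IPv6 packet")
    return inner


if __name__ == "__main__":
    inner = build_ipv6("2001:db8::1", "2001:db8::2", 59, b"")   # 59 = no next header
    wire = encapsulate("192.0.2.10", "198.51.100.1", inner)     # our endpoint -> broker
    print("protocol field:", wire[9], "outer length:", len(wire))
    print("accepted:", decapsulate(wire, "198.51.100.1", "192.0.2.10") == inner)
```

The same check is what a firewall in front of the Equalizer endpoint should enforce: permit inbound IP protocol 41 only from the broker's IPv4 endpoint address, and drop it from everywhere else.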
Chapter 13 Server Pools and Server Instances

Sections in this chapter include:
Managing Server Pools
Configuring Server Pool Load-Balancing Options
Using Active Content Verification (ACV)
Server Pool Summary (GUI)
Adding and Configuring a Server Pool (GUI)
Adding and Configuring a Server Pool (CLI)
Adding Server Instances (GUI)
Server Instance Summary Screen
Adding Server Instances (CLI)
Testing ACV on a Server Instance
Associate a Server Pool with a Cluster (GUI)
Associate a
Managing Server Pools
A server is attached to a cluster via a server pool. A server pool is a collection of server definitions, each of which has additional parameters assigned to it in the server pool -- these additional parameters are organized by the server's name and are referred to as server instances within the server pool context.
server.
- Response load balancing - dispatches the highest percentage of requests to the server with the shortest response time. Equalizer does this carefully: if Equalizer sends too many requests to a server, the result can be an overloaded server with slower response time. The fastest response policy optimizes the cluster-wide response time.
- Weight Spread Coefficient regulates the speed of change to a server's dynamic weight. The weight spread coefficient causes dynamic weight changes to happen more slowly as the difference between the dynamic weight and the initial weight increases.
- Optimization Threshold controls how frequently Equalizer adjusts dynamic weights. If Equalizer adjusts server weights too aggressively, oscillations in server weights can occur and cluster-wide performance can suffer.
Equalizer can perform the same exchange automatically and verify the server's response by checking the returned data against an expected result. Specifying an ACV probe string and an ACV response string basically automates the above exchange. Equalizer uses the probe string to request data from each server. To verify the server's content, Equalizer searches the returned data for the response string. For example, you can use "GET /index.
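The exchange described above, as an added example that is not Equalizer's prober and not code from this guide: a probe string is written raw to a TCP connection, the reply is read, and the server passes only if the response string occurs in the reply. The local HTTP server, its page content and the probe and response strings are constructed for the example; the probe uses the "GET /index.html HTTP/1.0" form the guide starts to describe. The reply is bounded in size so that a misbehaving server cannot keep the prober busy, and a refused or timed-out connection is reported as a failed probe rather than an exception, which is the failure mode a health check has to handle.

```python
"""Active Content Verification (ACV) probe: an added example, not Equalizer's
own code.  It sends the configured probe string over a plain TCP connection,
reads the reply, and reports whether the configured response string occurs in
it.  The sample HTTP server and its page content are constructed for the
example; Equalizer's real prober is not used.
"""
import socket
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed sample content served by the local test server.
SAMPLE_PAGE = b"<html><body><h1>Storefront</h1><p>Welcome to the shop</p></body></html>"


class _SampleHandler(BaseHTTPRequestHandler):
    """Serves SAMPLE_PAGE at /index.html and a 404 page everywhere else."""

    def do_GET(self):
        found = self.path == "/index.html"
        body = SAMPLE_PAGE if found else b"<html><body>not found</body></html>"
        self.send_response(200 if found else 404)
        self.send_header("Content-Type", "text/html")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):      # keep the example quiet
        pass


def start_sample_server():
    """Start the constructed server on an ephemeral loopback port; returns the HTTPServer."""
    srv = HTTPServer(("127.0.0.1", 0), _SampleHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def unused_loopback_port():
    """Bind and release an ephemeral port, to demonstrate a refused probe."""
    with socket.socket() as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


def acv_probe(host, port, probe, response, timeout=2.0, max_bytes=65536):
    """Send `probe` raw, read the reply (bounded by max_bytes so a misbehaving
    server cannot hold the prober open) and return (passed, reply_bytes)."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.sendall(probe.encode("latin-1"))
            chunks, received = [], 0
            while received < max_bytes:
                data = sock.recv(4096)
                if not data:
                    break
                chunks.append(data)
                received += len(data)
    except OSError as exc:                      # refused, timed out, reset, ...
        return False, ("probe failed: %s" % exc).encode()
    reply = b"".join(chunks)
    return response.encode("latin-1") in reply, reply


if __name__ == "__main__":
    srv = start_sample_server()
    port = srv.server_address[1]
    for expected in ("Welcome to the shop", "Maintenance page"):
        ok, _ = acv_probe("127.0.0.1", port, "GET /index.html HTTP/1.0\r\n\r\n", expected)
        print("%-20s -> %s" % (expected, "UP" if ok else "DOWN"))
    srv.shutdown()
    srv.server_close()
```

Choosing the response string is the security-relevant decision: matching on something only the correct content contains (a phrase from the page, or a status line such as "HTTP/1.0 200") marks a server down when it is reachable but serving an error page, a placeholder, or defaced content, which a bare TCP connect check would pass.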
Clicking on the delete icon will delete the currently selected server pool. In addition to the names of the server pools on the expandable table, the following is also displayed:
Policy : Displays the load balancing policy used with the server pool.
Status : The Status icons display the same conditions that are displayed next to the server pool name on the left navigational pane.
4. Configure the Handshake Probes as described in "Health Check Timeouts" on page 394.
5. Configure the load balancing options as described above in "Configuring Server Pool Load-Balancing Options" on page 230.
6. Click on Commit to save the configuration.
Adding and Configuring a Server Pool (CLI)
To add and configure a server pool using the CLI proceed with the following:
1. Log in to the CLI as described in "Starting the CLI" on page 128.
2.
3. Use the load balancing options as described above in "Configuring Server Pool Load-Balancing Options" on page 230 and the "Server Pool and Server Instance Commands" on page 169 to configure the other server pool parameters.
5. Configure the server instance using the following parameters:
Note - For servers in Layer 7 HTTPS clusters, set the probe port to something other than 443, since Equalizer communicates with the servers via HTTP. In many configurations, it is set to the server port. The server agent port, set on the cluster, remains a separate port that is used only for server agent communication.
For example, you might configure a server as a hot spare if you are using licensed software on your servers and the license allows you to run the software only on one node at a time. In this situation, you could configure the software on two servers in the cluster and then configure one of those servers as a hot spare.
Adding Server Instances (CLI)
Server instance specific commands can be applied to multiple server instances by entering a comma-separated list of server instance names on the command line.
The CLI is now in the aggregate server instance context “sv01,sv02,sv03” -- only the first three characters of which are displayed in the command line. To see the entire context name, use the context command:
eqcli sp-sp01-si-sv0*> context
The context is “sv01,sv02,sv03”.
eqcli sp-sp01-si-sv0*>
In an aggregate server instance context, the show command will display the configuration of all the server instances in the context.
eqcli sp-spname> test acv
12020289: There are no server instances in the server pool to test.
Associate a Server Pool with a Cluster (GUI)
To associate a server pool with a cluster proceed with the following:
1. Verify that you are logged into the GUI. If not, log in as described in "Logging In" on page 192.
2. Verify that you have successfully created a server pool as described in the procedures above.
3. Select a cluster from the tree on the left navigational pane.
pane and select Delete Server Pool.
3. Click on Confirm when prompted on the Delete Server Pool dialogue form.
Deleting a Server Pool (CLI)
To remove a server pool proceed with the following:
1. Access eqcli as described in "Starting the CLI" on page 128.
2. Use the following format to enter the cluster context.
eqcli> cluster clname
3.
Chapter 14 Servers
Sections within this chapter include:
Server Configuration Constraints 244
Configuring Routing on Servers 245
Spoof Controls SNAT
How Spoof Influences Routing
Managing Servers
Adding a Server (GUI)
Modifying a Server (GUI)
Adding a Server (CLI)
Modifying a Server (CLI)
Server Summary Screen
Server Software Configuration
Adding a Server to a Cluster
Adjusting a Server’s Initial Weight
Setting Maximum Connections per Server
Interaction of Server Options
Server Configuration Constraints
When configuring servers on Equalizer, you must observe the following constraints:
• In general, there must be no Layer 3 devices (e.g., a router) between a server and Equalizer in order for health check probes to work correctly.
• Equalizer operation depends on reliable communication between Equalizer and the servers behind it.
Configuring Routing on Servers
The way you configure routing on servers behind Equalizer depends largely on whether Equalizer’s spoof option is enabled on a cluster.
Spoof Controls SNAT
If spoof is disabled, SNAT (Source Network Address Translation) is performed on client requests before sending them on to the server -- the source address used in the packet sent to the server is Equalizer’s IP address on the VLAN used to communicate with the server.
Note that you should configure routing on each server from the server’s system console, not through a telnet session. This will avoid any disconnects that might otherwise occur as you adjust the network settings on the server.
Managing Servers
The sections in the Related Topics discuss viewing, adding, and deleting servers, as well as server configuration options:
Adding a Server (GUI)
Perform this procedure once for each real server that you want to add to Equalizer.
1.
1. Log into the GUI using a login that has at least write access for the cluster that contains the server (See "Logging In" on page 192.) The following will be displayed.
2. In the left frame, select the name of the server to modify. The server Configuration tab opens in the right frame:
Note - For servers in Layer 7 HTTPS clusters, set Port to something other than 443, since Equalizer communicates with the servers via HTTP.
Maximum Reused Connections - Sets the maximum number of permitted open connections for the server. Once this limit is reached, no more traffic is routed to the server until the number of open connections falls below this limit. This limit is set by default to 0, which means that there is no maximum connections limit on the server. See "Maximum Connections Limits, Responders, and Hot Spares" on page 255 for more information.
Adding a Server (CLI)
Perform this procedure once for each real server that you want to add to Equalizer. Enter the following:
eqcli > server [server name] proto tcp ip xxx.xxx.x.x port xx
where:
proto - The server protocol.
ip - The dotted decimal IP address of the server. This is the address Equalizer uses to communicate with the server.
port - The numeric port number on the Equalizer to be used for traffic between Equalizer and the server. The default is port 80.
Server Summary Screen
Clicking on a Server on the Server branch displays the Server Summary Screen that displays active connection information as well as parameters and a graphical display of traffic from the previous thirty minutes.
• You do not need to configure Equalizer as the gateway for the servers if you have disabled the IP spoof flag for the cluster.
quiesce option on the server’s Configuration tab. If the server is already configured for operation when you add it to Equalizer, you can disable this option. Unless you want to set up port redirection, you can accept the default value; to redirect to a port other than the cluster port, enter the appropriate value for Server Port.
Adjusting a Server’s Initial Weight
Equalizer uses a server’s initial weight as the starting point for determining the percentage of requests to route to that server. As Equalizer gathers information about the actual performance of a server against client requests, it adjusts the server’s current weight so that servers that are performing well receive a higher percentage of the cluster load than servers that are performing at a slower rate.
Setting Initial Weights for Mixed Clusters
Equalizer enables you to build heterogeneous clusters using servers of widely varying capabilities. Adjust for the differences by assigning initial weights that correspond to the relative capabilities of the available servers. This enables you to get the most out of existing hardware, so you can use an older server side-by-side with a new one. After you assign relative initial weights, monitor cluster performance for two to three hours under load.
d. Click on Commit to save your changes to the server configuration.
incoming connection has an existing Layer 4 sticky record or Layer 7 cookie for a server, however, the request will be sent to that server even when hot spare is enabled.
Note - If dont persist is also enabled on the server, the sticky record or cookie is ignored.
Shutting Down a Server Gracefully
To avoid interrupting user sessions, make sure that a server to be shut down or deleted from a cluster no longer has any active connections.
1. In the left frame, click the name of the server to be removed. The server’s parameters appear in the right frame.
2. Set the server’s weight to zero, then click on Commit to save the change. This action prevents Equalizer from routing new connections to the server.
3. Click on Equalizer > Status > Cluster Summary and click on the cluster name in the table. Watch the server’s number of active and sticky connections.
Chapter 15 Clusters
Sections in this chapter include:
Cluster Types and Use with Equalizer 260
Cluster Connection Timeouts 261
Adding and Deleting Clusters 267
Cluster Summary 270
Modifying a Layer 4 TCP or UDP Cluster 273
TCP Cluster Configuration Summary
TCP Cluster Configuration Settings
TCP Cluster Persistence
TCP Cluster Timeouts
UDP Cluster Configuration Summary
UDP Cluster Configuration Settings
UDP Cluster Configuration Persistence
UDP Cluster Configuration
Cluster Types and Use with Equalizer
A virtual cluster is a collection of server pools with a single network-visible IP address. All client requests come into Equalizer through a cluster IP address, and are routed by Equalizer to an appropriate server, according to the load balancing options set on the cluster. The figure below shows a conceptual diagram of an Equalizer with three clusters.
balancing decisions can be based on application specific criteria through the use of "Match Rules" on page 317.)
the request is not examined.
IP Addressing    IPv4                IPv4 / IPv6         IPv4                IPv4 / IPv6    IPv4 / IPv6
Protocols        Any TCP protocol.   Any TCP protocol.   Any UDP protocol.   HTTP           HTTPS
Notes:
• The Layer 4 TCP and UDP clusters can use only IPv4 cluster addresses and can only be used with servers that have IPv4 addresses.
Equalizer has an idle timer for the established client connection, a connect timer to establish a server connection, and an idle timer for the established server connection. Only one timeout is in use at any given time. This is a summary of how timeouts are used when a client connects to Equalizer:
1. When a client successfully connects to a Virtual Cluster IP, the client timeout applies from the time the connection is established until the client request headers are completely transmitted.
The timeline below shows the sequence of timeout events when a new connection is received by Equalizer.
Copyright © 2013 Coyote Point Systems. A subsidiary of Fortinet, Inc. All Rights Reserved.
The following table shows the value range for the Layer 7 HTTP / HTTPS connection timeouts.
Parameter         Minimum   Default   Maximum        Units
client timeout    1.0       5.0       64535.0        seconds
server timeout    1.0       60.0      2147483647.0   seconds
connect timeout   1.0       10.0      60.0           seconds
The default timeout values are sufficient for many common applications.
The previous sections describe how the connection timeouts work when the once only flag is disabled on a cluster; that is, when Equalizer is examining every set of headers received on a connection. The once only option, when enabled, specifies that Equalizer will examine only the first set of headers received on a connection.
Parameter       Minimum   Default   Maximum        Units
idle timeout    0         0         2147483647.0   seconds
stale timeout   1.0       15.0      120.0          seconds
Note that if you change the stale timeout setting while partially established Layer 4 connections are currently in the queue, those connections will be affected by the new setting.
eq.l7lb.http.client_timeouts - The total number of Layer 7 (HTTP and HTTPS) connections that were terminated because the client timeout expired.
eq.l7lb.http.connect_timeouts - The total number of Layer 7 (HTTP and HTTPS) connections that were terminated because the connect timeout expired.
eq.l7lb.http.server_timeouts - The total number of Layer 7 (HTTP and HTTPS) connections that were terminated because the server timeout expired.
Cluster Name - The logical name for the cluster, or accept Equalizer’s default. Each cluster must have a unique name that begins with an alphabetical character. The cluster name is limited to 63 characters.
Cluster IP Address - Enter the IP address, which is the dotted decimal IP address of the cluster. The IP address of the cluster is the external address (for example, 172.16.0.201) with which clients connect to the cluster.
Follow these steps to delete a Layer 7 or Layer 4 virtual cluster using the GUI:
1. Log into the GUI using a login that has add/del access for global parameters (See "Logging In" on page 192).
2. Do one of the following:
a. Right click on a cluster on the left navigational pane and select Delete Cluster.
b. Click on a cluster on the left navigational pane and drag it to the Delete (Trash) icon.
Using the CLI:
Add a cluster using eqcli as follows. In this example a Layer 7 HTTPS cluster is created. Since the protocol is HTTPS, port 443 is used.
1. Log in to eqcli as described in "Starting the CLI" on page 128.
2. Enter the following at the CLI prompt:
eqcli > cluster [clustername] proto protocol ip [xxx.xx.x.xxx] port xxx
Do the following to delete a cluster using eqcli:
1.
Sticky - For Layer 4 clusters only. This is the number of entries in the "sticky table" for each server.
Customizing the Display
The cluster summary has 3 display options as shown below:
No Filter - selecting this option will display a cluster summary for all of the clusters configured on your Equalizer.
Filter by Cluster Name - selecting this option will display the cluster summary based on the cluster names that you select with the checkboxes.
eqcli > show cluster httptest-1
The following is an example of the http cluster summary display. It is different than the GUI display in that it reflects only information such as the cluster settings, timeouts, responders and persistence.
Modifying a Layer 4 TCP or UDP Cluster
The configuration tabs for a cluster are displayed automatically when a cluster is added to the system, or by selecting the cluster name from the left frame Configuration Tree. To update the settings on any tab, make changes and select the commit button to save them.
navigational pane and then selecting the Configuration > Settings tabs.
Protocol - The protocol used for the cluster.
VID - The VLAN ID number. This is an integer between 1 and 4095.
IP - Enter the IP address, which is the dotted decimal IP address of the cluster. The IP address of the cluster is the external address (for example, 199.146.85.0) with which clients connect to the cluster.
When the Spoof option is enabled on a cluster, Equalizer uses the client’s IP address as the source IP address in all packets sent to a server in that cluster. When Spoof is enabled, all server responses to client requests that came through the Equalizer cluster IP address must be routed by the server back to the client through Equalizer.
Sticky Netmask - Enables sticky network aggregation for a subnet. Sticky network aggregation is applicable for Layer 4 and Layer 7 clusters. Sticky network aggregation enables Equalizer to correctly handle sticky connections from ISPs that use multiple proxy servers to direct user connections. When you enable sticky network aggregation, all the connections coming from a particular network are directed to the same server. (Typically, all the servers in a proxy farm are on the same network.
Server Timeout - The time in seconds that Equalizer waits before closing an idle server connection. The default is the global value (between 1 and 65535 seconds).
Connect Timeout - The time in seconds that Equalizer waits for a server to respond to a connection request. The default is the global value.
Click on the Commit button after making changes to the settings.
UDP Cluster Configuration Summary
The UDP Cluster Configuration Summary screen is displayed automatically when a UDP cluster is added to the system, or by selecting the cluster name from the Cluster branch on the left navigation pane. This screen displays a snapshot of the cluster and all of its associated objects (i.e., server pools, server instances and responders), the status of the objects, the Active Connections, Connections/Second and Transactions/Second.
Protocol - The protocol used for the cluster.
VID - The VLAN ID number. This is an integer between 1 and 4095.
IP - Enter the IP address, which is the dotted decimal IP address of the cluster.
Port - For TCP protocol clusters the numeric port number on the Equalizer to be used for traffic between the clients and the cluster. For TCP clusters, the port defaults to 80.
When Spoof is enabled, all server responses to client requests that came through the Equalizer cluster IP address must be routed by the server back to the client through Equalizer. In many cases, the easiest way to do this is to set the default gateway on the server instances in the server pool on a cluster to Equalizer’s IP address on the server VLAN.
Sticky Netmask - Enables sticky network aggregation for a subnet. Sticky network aggregation is applicable for Layer 4 and Layer 7 clusters. Sticky network aggregation enables Equalizer to correctly handle sticky connections from ISPs that use multiple proxy servers to direct user connections. When you enable sticky network aggregation, all the connections coming from a particular network are directed to the same server.
Click on the Commit button after making changes to the settings.
Modifying a Layer 7 HTTP or HTTPS Cluster
On the GUI, the Configuration > Summary for a Layer 7 cluster is displayed automatically when a cluster is added to the system, or by selecting the cluster name from the Cluster branch on the left navigation pane.
Layer 7 Cluster Configuration Summary
As described in "Modifying a Layer 7 HTTP or HTTPS Cluster" on page 282, the Layer 7 Cluster Configuration Summary screen is displayed automatically when a cluster is added to the system, or by selecting the cluster name from the Cluster branch on the left navigation pane. This screen displays a snapshot of the cluster and all of its associated objects (i.e.
Sample Layer 7 HTTP, HTTPS, and TCP Cluster Configuration Summary Screen
Layer 7 HTTP and HTTPS Cluster Settings
The following are descriptions of the functionality and configuration parameters used with Layer 7 HTTP and HTTPS Clusters. The figure below shows a Layer 7 Configuration > Settings screen.
The fields on this screen are as follows:
Protocol - The protocol selected in the Add Cluster form will be displayed “grayed out”.
VID - The VLAN ID number assigned to the VLAN on which the cluster resides. Refer to "Common Equalizer Networking Scenarios" on page 82 for details.
IP - Enter the IP address, which is the dotted decimal IP address of the cluster. The IP address of the cluster is the external address (for example, 172.16.0.
"Specifying a Custom Header for HTTP/HTTPS Clusters" on page 308.
Compression Minimum Size (E650GX Only) - The minimum file size in bytes required for GZIP compression, if enabled. Equalizer uses GZIP to compress the payload (or content) of the server response before sending it back to the client. This is typically done for 2 reasons: faster client response and better user experience. In addition, less ISP bandwidth is used in sending smaller files back to clients.
Insert client IP - When this flag is enabled, Equalizer inserts an X-forwarded-for: header with the client's IP address into all client requests before they are sent to the server. This flag is disabled by default for HTTP clusters and enabled by default for HTTPS clusters.
TCP Multiplexing - This selection enables TCP multiplexing for a cluster.
server so that they are HTTPS. You can direct Equalizer to pass responses from the server without rewriting them by enabling this option.
Control whether Equalizer will process "CRL Distribution Point" extensions in client certificates.
The fields on this screen are as follows:
Protocol - The protocol selected in the Add Cluster form will be displayed “grayed out”.
VID - The VLAN ID number assigned to the VLAN on which the cluster resides. Refer to "Common Equalizer Networking Scenarios" on page 82 for details.
IP - Enter the IP address, which is the dotted decimal IP address of the cluster. The IP address of the cluster is the external address with which clients connect to the cluster.
netstat console command.
Delayed Binding - When enabled, this option will require servers to send the first byte of information on newly established connections.
When the spoof option is enabled on a cluster, Equalizer uses the client’s IP address as the source IP address in all packets sent to a server in that cluster. This option is enabled by default.
Equalizer can use cookies or a server’s IP address to maintain a persistent session between a client and a particular server. A cookie is included with the server’s response header on its way back to the client. This cookie uniquely identifies the server to which the client was just connected.
persistence method and the “fallback” persistence method by dragging and dropping as well. As indicated previously, with “fallback persistence” Equalizer provides a secondary option where if, for example, a cookie response is not received, a secondary, or “fallback” option such as Source IP can be used. The cookie scheme specifies the format of the cookie to be used for the cluster as an integer between 0 and 2 (default is 2).
number embedded in the cookie. Conversely, if you need to invalidate old cookies, increment this number.
Always - When this flag is disabled Equalizer will insert a cookie if a server was not selected based on a cookie received from the client. A cookie would only be inserted when a new client is seen or if cookie is received or if a cookie received cannot validate a server.
Persist Type                                 Fallback Persist Type                        Result
[none]                                       [none]                                       The server is selected on the load balancing Policy/Algorithm.
[none]                                       Source IP                                    invalid configuration
[none]                                       Cookie 0:Cluster IP/Port, Server IP/Port     invalid configuration
[none]                                       Cookie 1:Cluster IP, Server IP /Port         invalid configuration
[none]                                       Cookie 2:Cluster IP, Server IP               invalid configuration
Source IP                                    [none]                                       A server is selected on a sticky record (Source IP).
... selected using the Load balancing Policy/Algorithm.
Cookie 0:Cluster IP/Port, Server IP/Port     Cookie 2:Cluster IP, Server IP               A server is selected based on the cookie. If no cookie or a cookie other than Cookie 0:Cluster IP/Port, Server IP/Port or Cookie 2:Cluster IP, Server IP is in the request, the server is selected using the Load balancing Policy/Algorithm.
Layer 7 Cluster Reporting
Refer to "Cluster and Match Rule Reporting (CLI and GUI)" on page 404 for details.
Layer 7 Cluster Timeouts
The Layer 7 Cluster Timeouts screen is used to configure timeouts used in cluster connection with clients and servers. It can be accessed by clicking on the cluster on the left navigational pane and selecting the Configuration > Timeouts tabs.
Client Timeout - The time in seconds that Equalizer waits before closing an idle client connection.
3. PFX - PFX format files are also in PKCS #12 format, however, with additional Microsoft specifics. These files usually have a ".pfx" extension with the file name.
Currently, PEM-format certificates and keys must be uploaded separately in the CLI using the certfile and keyfile parameters in the certificate context or as shown below in the GUI. PKCS #12 and PFX format files usually contain both the certificate and the associated key.
chain. The default of 2 indicates that the client certificate (level 0) and two levels above it (levels 1 and 2) are checked; any certificates above level 2 in the chain are ignored. You should only need to increase this value if the Certificate Authority that issued your certificate provided you with more than 2 chained certificates in addition to your client certificate.
Flags
Push Client Certificate - Enabling this option sends the entire client certificate to the back-end server.
Allow SSLv3 - Software SSL Only (E450GX & E650GX only). Enables SSLv3 for client connections. When disabled (default), an HTTPS cluster performs hardware SSL acceleration using the version of OpenSSL supported in previous releases. When enabled, an HTTPS cluster uses the updated version of OpenSSL (1.0.1e).
Click on Commit to save changes to the cluster configuration.
1. Configure an HTTPS cluster on Equalizer. Use the GUI as described in "Adding and Deleting Clusters" on page 267.
2. Add a default certificate to the cluster as described in "Layer 7 Security Certificate Screen (HTTPS Clusters only)" on page 296 if one has not been added previously.
3. Upload additional certificates and their associated key files to Equalizer's file store as described in "Installing a Certificate" on page 201.
4.
associated with
Certificate - Use the drop down list to select the name of a certificate that you would like to associate the SNI with.
7. Click on Commit to save the SNI where it will be displayed on the accordion list on the SNI tab.
8. Add additional SNI objects to certificates as necessary. There is no maximum limit to the number of SNI objects that can be associated with each certificate.
where:
testsni is the name of the SNI
snicertificate1 is the name of the certificate being added to the SNI.
6. Display the contents of the new certificate by entering the following. Note that the SNI svname has not yet been entered.
eqcli cl-NEW*-sni-testsni> show
SNI Name    : test
Certificate : snicertificate1
Flags       :
SNI svname  :
eqcli cl-NEW*-sni-test>
7.
About Passive FTP Translation
In version 8.6 if your servers were on a network that the outside world could not reach, you were provided the capability of enabling a passive FTP translation option. This option caused Equalizer to rewrite outgoing FTP PASV control messages from the servers so they could contain the IP address of the virtual cluster rather than that of the server. This was a global option.
Sticky connections are managed on Equalizer using sticky records that record the IP address, port and other information for the client-server connection. When you enable sticky connections, the memory and CPU overhead for a connection increase. This overhead increases as the sticky time period increases. Consequently, you should use the shortest reasonable period for your application and avoid enabling sticky connections for applications unless they need it.
For example, before HTTP 1.1, if a browser wished to retrieve the file index.html from the server www.coyotepoint.com, the browser would take the following actions:
1. Browser opens TCP connection to www.coyotepoint.com.
2. Browser sends request to server “GET /index.html”.
3. Server responds with the content of the page (HTML).
4. Server closes connection.
5.
Requests in a single keep-alive connection
  once only enabled: hit, send the request to the server in the cookie only if it is in the list of servers selected in the match rule definition. Otherwise, ignore the cookie. If there is no cookie, load balance the request and send to the server chosen.
  once only disabled: hit, send the request to the server in the cookie only if it is in the list of servers selected in the match rule definition. Otherwise, ignore the cookie.
always enabled
  once only enabled: Equalizer always inserts a cookie into the first set of response headers on a connection only. The cookie is inserted regardless of whether the server included one in the response. Subsequent responses on the same connection are forwarded to the client unchanged by Equalizer.
  once only disabled: Equalizer inserts its own cookie into all server responses on a connection.
always disabled
Note that the GUI does not permit you to enable once only and disable no header rewrite -- this option combination would rewrite the Location: header in only the first response in the connection, and not rewrite the headers in subsequent responses in the same connection. Doing so would produce errors on the client. Of course, you can also direct Equalizer to pass responses from the server without rewriting URLs by enabling the no header rewrite flag on the cluster.
Front-End-Https: on
7. Select commit to modify the cluster.
Performance Considerations for HTTPS Clusters
Layer 7 HTTPS clusters have several options that can have a significant impact on the performance and behavior of the cluster:
1. The injection of a custom header to provide transaction-specific information to the server.
When a connection is established by a client for an HTTPS cluster, Equalizer performs the SSL processing on the request (this is called SSL off loading), and adds some additional headers to the client's request before forwarding the request on to a server:
X-LoadBalancer: CoyotePoint Equalizer
X-Forwarded-For: (client's IP address)
If the client provides an SSL certificate, the following are also added:
X-SSL-Subject: (certificate's X509 subject)
X-SSL-Issuer: (certificate's X509 issuer)
X-SSL-not
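With SSL offloading the back-end server learns the client's address, the original scheme and any client-certificate identity only from the headers Equalizer inserts, so it should honour them only on connections that actually arrive from Equalizer; a host that can reach the server directly could otherwise supply its own. The following is an added example of how a Python back end might consume these headers (it is not Equalizer code and not from the guide); the Equalizer server-VLAN address 10.0.0.1 and the sample requests are constructed assumptions, and the Front-End-Https: on header is the custom header the guide configures for HTTPS clusters.

```python
"""Consuming the headers Equalizer inserts ahead of a back-end server.

Added example, not Equalizer code and not from the guide. The back end
sees the client only through X-Forwarded-For, Front-End-Https and
X-SSL-Subject, so it accepts them only when the TCP peer is Equalizer.
"""
from ipaddress import ip_address, ip_network
from typing import Mapping

# Assumption (constructed value): Equalizer's address on the server VLAN.
EQUALIZER_ADDRESSES = [ip_network("10.0.0.1/32")]


def from_equalizer(peer_ip: str) -> bool:
    """True if the TCP peer that connected to us is Equalizer itself."""
    addr = ip_address(peer_ip)
    return any(addr in net for net in EQUALIZER_ADDRESSES)


def describe_request(peer_ip: str, headers: Mapping[str, str]) -> dict:
    """Derive client address, scheme and client-cert subject from a request.

    Header names are matched case-insensitively because the guide writes
    both "X-forwarded-for" and "X-Forwarded-For".
    """
    h = {name.lower(): value for name, value in headers.items()}
    info = {
        "trusted_hop": from_equalizer(peer_ip),
        "client_ip": peer_ip,  # default: the address that connected to us
        "https": False,
        "client_cert_subject": None,
    }
    if not info["trusted_hop"]:
        # Direct connection: the forwarding headers are unverified input.
        return info

    xff = h.get("x-forwarded-for", "")
    if xff:
        # By X-Forwarded-For convention each hop appends its entry, so the
        # rightmost one is the address the trusted hop vouches for; entries
        # to its left came from the client side and are not trustworthy.
        candidate = xff.split(",")[-1].strip()
        try:
            info["client_ip"] = str(ip_address(candidate))
        except ValueError:
            pass  # malformed value: keep the peer address rather than guess

    # The guide's custom header for HTTPS clusters; anything else is HTTP.
    info["https"] = h.get("front-end-https", "").strip().lower() == "on"
    # Present only when the client supplied a certificate to Equalizer.
    info["client_cert_subject"] = h.get("x-ssl-subject")
    return info


# Constructed sample requests as the back end would see them.
SAMPLES = {
    "via_equalizer": ("10.0.0.1", {
        "X-LoadBalancer": "CoyotePoint Equalizer",
        "X-Forwarded-For": "203.0.113.7",
        "Front-End-Https": "on",
        "X-SSL-Subject": "/CN=alice.example",
    }),
    # Same headers, but sent by a host that reached the server directly.
    "direct_forged": ("192.0.2.50", {
        "X-Forwarded-For": "203.0.113.7",
        "Front-End-Https": "on",
    }),
}

if __name__ == "__main__":
    for name, (peer, hdrs) in SAMPLES.items():
        print(name, describe_request(peer, hdrs))
```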
Consult the documentation for the firewalls and NAT devices used at your site to determine how to set up those devices appropriately for FTP transfers. See the next section for how to configure an Equalizer cluster for responding to FTP requests from clients.
FTP Cluster Configuration
When configuring an FTP cluster on Equalizer, the following guidelines must be followed:
• The protocol for the cluster must be Layer 4 TCP.
Configuring Direct Server Return (DSR)
In a typical load balancing scenario, server responses to client requests are routed through Equalizer on their way back to the client. Equalizer examines the headers of each response and may insert a cookie, before sending the server response on to the client. In a Direct Server Return (DSR) configuration, the server receiving a client request responds directly to the client IP, bypassing Equalizer.
Note - In both configurations, the incoming client traffic is assumed to originate on the other side of the gateway device for the subnets on which Equalizer and the servers reside. The servers will usually have their default gateway set to something other than Equalizer so that they can respond directly to client requests.
DSR can also be used in dual network mode, although this is a less common configuration than single network mode. Cluster IPs are on the external interface, and server IPs are on the internal interface. An example of a dual network mode DSR configuration is shown below.
The cluster parameters Direct Server Return, Spoof, and Idle Timeout are directly related to direct server return connections:
- Direct Server Return - this option enables Direct Server Return. All requests to this cluster IP will be forwarded to the server with the client IP as the source IP, and the cluster IP as the destination IP. The loopback interface of the server must be configured with the cluster IP to receive the requests.
Testing Your Basic Configuration

Once you have installed and configured Equalizer and your servers, perform tests to verify that Equalizer is working properly. To perform these tests, you need the following:
- A test machine on the internal network (the same physical network as the servers; one of the server machines can be used for this purpose).
- If you have a two-network configuration, a test machine on the external network.
Chapter 16 Match Rules

Sections in this chapter include:
- Using Match Rules 318
- How Match Rules are Processed 319
- Match Rule Order 319
- Match Rule Expressions and Bodies 321
- Match Rule Expressions 321
- Match Bodies 323
- Match Rule Functions 324
- Match Rule Operators 327
- Match Rule Definitions 327
- Match Rule Expression Examples 328
- Match Rule Expression Notes 329
- Managing Match Rules 332
- Using Responders in Match Rules
- Example Match Rules
- Using the Match Rule Expression Editor
Using Match Rules

The ability to make load balancing decisions based on the content of a client request is what separates Layer 7 processing from the processing options available at Layer 4. For Layer 7 HTTP and HTTPS clusters, Match Rules provide fine-grained control over load balancing decisions based on the content of the client request. If you need to be able to route requests to the servers in a cluster based on the content of the request, Match Rules are the answer.
Some sites may want to have one system serve only requests for graphics, and one system serve only text requests. By adding appropriate Match Rules, Equalizer can examine each request to determine if the content requested is Text or Graphics, and send the request to the appropriate server pool. In this example, the servers need only hold the content they are serving, text or graphics.
In other words, the goal is to load balance the highest possible number of requests according to the settings in the first match rule, which has the effect of reducing to a minimum the amount of match rule processing required for requests to that cluster. This is best illustrated by an example. Let's say you want to construct a set of match rules that achieves these goals:
- Direct all requests whose URL contains one of two specific directories to specific server pools.
At left in the figure above are the expressions for the three match rules, shown in the order in which they are configured in the cluster. At right, the decision tree describes how the match rules are evaluated for every client request that comes into this cluster. As described previously, the first match rule (ma01) is meant to match any request that does not have a directory in it.
!expression, giving rise to the next simplest example:

!any()

which always evaluates to false and always results in the match rule not being selected. With the addition of the logical OR (||) and logical AND (&&) operators, you can specify complex expressions, selecting precise attributes from the request, as in this:

!happy() || (round() && happy())

Match expressions are read from left to right. Expressions contained within parentheses are evaluated before other parts of the expression.
Some function arguments can take the form of a regular expression. Note that you cannot put regular expressions. Matching regular expressions (using *_regex() functions) is many times more processing-intensive than using other match functions. It is usually possible to avoid regular expressions by carefully crafting match expressions using other functions.
Match Rule Functions

Match rule functions generally test for certain strings or settings in the headers and URI of a client request. In the table below, we first discuss match rule functions that examine information in the request other than the URI, and then we discuss the URI related functions. The following table lists the non-URI functions supported by Equalizer match rules:

any() This function always evaluates to true -- that is, this function matches any incoming request.
tls1() HTTPS only. This function evaluates to true if the client negotiated the encrypted connection using TLS version 1.0.

Non-URI header match functions

See Match Bodies, for the headers that can be specified in these functions.

header_prefix(header, string) This function evaluates to true if the selected header is present and if the string-valued argument string is a prefix of the associated header text.
- Match functions for the optional component are not provided. Use the pathname*() and filename*() functions to match characters at the end of the path and filename components.
- Match functions for the optional fragment component are not provided. The fragment portion of a URI is not transmitted by the browser to the server, but is instead retained by the client and applied after the reply from the server is received.
URI Function Description

dirname_regex(string) This function evaluates to true if the string argument, interpreted as a regular expression, matches the directory portion of the path component of the request URI.

filename(string) This function evaluates to true if the string argument exactly matches the filename portion of the URI path.
Match rules are defined in the file /var/eq/eq.conf with the definition of the cluster to which the match rule applies. A match rule as it appears in eq.conf looks like the following example:

    match ma01 {
        client_ip("10.0.0.19")
    } then {
        flags = !spoof;
        srvpool = sv_01;
    }

In this example (the match rule is named "ma01"), the match function client_ip has an argument that matches all requests from IP address 10.0.0.19; those requests are all sent to server pool sv_01, with spoofing disabled for them.
Functions can be negated using the "!" operator. To change the above example to match all client requests with a source IP not on the 10.10.10/24 network, use this expression:

    expression "!client_ip(\"10.10.10/24\")"

Functions can be combined using the logical operators shown in the previous section.
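To make the grammar and evaluation order above concrete, here is an added example evaluator (not Equalizer's own code and not from this guide) that parses expressions such as !client_ip("10.10.10/24") or !happy() || (round() && happy()), evaluates them left to right with parentheses first, and walks a cluster's rules in configured order so the first hit decides. The request dictionary layout, the sample rules and the sample request are assumptions; the function semantics follow the descriptions on this page.

```python
"""Evaluator for match rule expressions as described above: functions with
quoted string arguments, "!" negation, "&&", "||" and parentheses, read left
to right.  Added example, not Equalizer's own evaluator.  The request
dictionary layout, the sample rules and request are assumptions; function
semantics follow the descriptions on this page."""
import ipaddress
import posixpath
import re

_TOKEN_RE = re.compile(r'\s*(?:(&&|\|\||[!(),])|([A-Za-z_][A-Za-z0-9_]*)|"((?:\\.|[^"\\])*)")')


def tokenize(text):
    """Split an expression into ("OP" | "NAME" | "STRING", value) tokens."""
    text, tokens, pos = text.strip(), [], 0
    while pos < len(text):
        m = _TOKEN_RE.match(text, pos)
        if m is None:
            raise ValueError(f"bad token at offset {pos}: {text[pos:pos + 10]!r}")
        pos = m.end()
        if m.group(1):
            tokens.append(("OP", m.group(1)))
        elif m.group(2):
            tokens.append(("NAME", m.group(2)))
        else:  # quoted string: undo the backslash escapes used on the CLI
            tokens.append(("STRING", re.sub(r"\\(.)", r"\1", m.group(3))))
    return tokens


class _Parser:
    """expr := term ('||' term)*; term := factor ('&&' factor)*;
    factor := '!' factor | '(' expr ')' | NAME '(' [STRING {',' STRING}] ')'"""
    def __init__(self, text):
        self.toks, self.i = tokenize(text), 0
    def _peek(self):
        return self.toks[self.i] if self.i < len(self.toks) else ("END", None)
    def _take(self, kind, value=None):
        tok = self._peek()
        if tok[0] != kind or (value is not None and tok[1] != value):
            raise ValueError(f"expected {value or kind}, got {tok}")
        self.i += 1
        return tok[1]
    def parse(self):
        node = self._expr()
        self._take("END")  # reject trailing input
        return node
    def _expr(self):
        node = self._term()
        while self._peek() == ("OP", "||"):
            self.i += 1
            node = ("or", node, self._term())
        return node
    def _term(self):
        node = self._factor()
        while self._peek() == ("OP", "&&"):
            self.i += 1
            node = ("and", node, self._factor())
        return node
    def _factor(self):
        if self._peek() == ("OP", "!"):
            self.i += 1
            return ("not", self._factor())
        if self._peek() == ("OP", "("):
            self.i += 1
            node = self._expr()
            self._take("OP", ")")
            return node
        name = self._take("NAME")
        self._take("OP", "(")
        args = []
        while self._peek()[0] == "STRING":
            args.append(self._take("STRING"))
            if self._peek() == ("OP", ","):
                self.i += 1
        self._take("OP", ")")
        return ("call", name, args)


def _network(spec):
    """Accepts '10.0.0.19', '10.10.10.0/24' and the short '10.10.10/24' form used above."""
    addr, _, plen = spec.partition("/")
    octets = addr.split(".") + ["0"] * (3 - addr.count("."))
    return ipaddress.ip_network(".".join(octets) + "/" + (plen or "32"), strict=False)


def _hdr(req, name):
    return next((v for k, v in req["headers"] if k.lower() == name.lower()), None)


# Match functions from the page's tables; each takes the request, then the string args.
FUNCTIONS = {
    "any": lambda req: True,
    "client_ip": lambda req, net: ipaddress.ip_address(req["client_ip"]) in _network(net),
    "header_prefix": lambda req, h, s: _hdr(req, h) is not None and _hdr(req, h).startswith(s),
    "hostname_prefix": lambda req, s: (_hdr(req, "Host") or "").startswith(s),
    "filename": lambda req, s: posixpath.basename(req["path"]) == s,
    "dirname_regex": lambda req, pat: re.search(pat, posixpath.dirname(req["path"])) is not None,
    "tls1": lambda req: req.get("tls_version") == "TLSv1.0",
}


def evaluate(node, req):
    """Short-circuit evaluation keeps the page's left-to-right reading order."""
    op = node[0]
    if op == "or":
        return evaluate(node[1], req) or evaluate(node[2], req)
    if op == "and":
        return evaluate(node[1], req) and evaluate(node[2], req)
    if op == "not":
        return not evaluate(node[1], req)
    _, name, args = node
    if name not in FUNCTIONS:
        raise ValueError(f"unknown match function {name}()")
    return bool(FUNCTIONS[name](req, *args))


def matches(expression, req):
    return evaluate(_Parser(expression).parse(), req)


def select_pool(rules, req):
    """Walk a cluster's rules in configured order; the first hit decides."""
    for name, expression, pool in rules:
        if matches(expression, req):
            return name, pool
    raise LookupError("no rule matched; keep the Default any() rule last")


# Constructed request and rule list (names and addresses are assumptions).
SAMPLE_REQUEST = {"client_ip": "10.0.0.19", "path": "/images/logo.png", "tls_version": "TLSv1.2",
                  "headers": [("Host", "support.example.com"), ("User-Agent", "curl/7.0")]}
RULES = [("ma01", 'client_ip("10.0.0.19")', "sv_01"),
         ("images", 'filename("logo.png") || dirname_regex("^/images")', "serverpool1"),
         ("Default", "any()", "all")]
```

Note that dirname_regex() runs a regular expression per request, which is the cost the page warns about; the example rule list puts the cheap client_ip() test first for that reason.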
If we instead were to skip a match rule because, for example, the server selected by the match rule is down, the request would be evaluated by the next match rule -- or the default match rule. The request, therefore, could potentially be sent to a server in the cluster that does not have the requested content. This means that the client would receive a "not found" error, instead of an error indicating that the appropriate server is not currently available.
- Accept-Language
- Authorization
- Cache-Control
- Connection
- Content-Length
- Cookie
- Date
- Expect
- If-Modified-Since
- If-None-Match
- If-Range
- If-Unmodified-Since
- Max-Forwards
- Pragma
- Proxy-Authorization
- Range
- Transfer-Encoding
- Upgrade
- User-Agent
- Via
- Warning
- X-Forwarded-For

HTTPS Protocol Matching

Equalizer permits the construction of virtual clusters running the HTTPS protocol. HTTPS is HTTP running over an encrypted transport, typically SSL version 2.0 or 3.
match rule hit on... once only disabled once only enabled list, send the request to the server in the cookie. Otherwise, send the request to the server that was selected by the first request. on the same connection

Note that Equalizer always honors a cookie that specifies a server in the match rule's server pool list, regardless of the setting of the once only flag: the request is sent to the server pool specified by the cookie.
All Layer 7 clusters created via the Equalizer Administration Interface start with a single match rule (named Default) that matches all requests and selects all servers:

    match Default {
        any()
    } then {
        servers = all;
    }

When displayed, any() appears in the Expression field in the GUI as shown below.
6. Use the Expression Editor to build your match expression. Refer to "Match Rule Expression Examples" on page 328 for details on using this feature.
7. Use the Server Pool drop down list to select a Server Pool to direct Layer 7 traffic if it complies with the match rule conditions specified. Refer to "Managing Server Pools" on page 230 for instructions on configuring Server Pools.
8. Configure the other parameters for the Match Rule as necessary.
connection.

Ignore Case This function always evaluates to true, and is intended to be used to apply the Ignore Case flag for comparisons when it is not set on the cluster. When this function is ANDed with other functions, it has the effect of forcing case to be ignored for any comparisons done by the match rule.
3. Assign a Server Pool to the newly created Match Rule by entering:

    eqcli cl-clname-ma-maname> srvpool spname

4. Add or remove Responder, Cookie Path, Cookie Domain, Cookie Scheme, Cookie Age and Cookie Generation and Flags using the procedures above.
5. Configure the Match Expressions using the following at the eqcli prompt. Descriptions of the Expressions are provided in "Match Rule Functions" on page 324.
Using Responders in Match Rules

Responders are used to send automated responses to clients when all the server pools in a match rule are down. See "Automatic Cluster Responders" on page 347 for a complete description of Responders as well as examples of using Responders in Match Rules.

Example Match Rules

The Related Topics navigate to examples of how to create a few of the most commonly used types of match rules.
4. Type "support" into the hostname prefix text box as follows:
5. Click on accept after entering "support" and then click on the continue button at the bottom of the Expression Editor to save the expression.

Now, all requests whose hostname starts with "support" go to the sv_support server pool, and all other requests are load balanced across all server pools in the cluster.
b. Select the match rule that this new rule will precede using the Next Match Rule drop-down list and click on Commit. The new rule will appear in the navigation tree within the cluster from which it was created.
c. On the match rule Configuration screen (tab), select the Server Pool that will be used for load balancing, with the Persist checkbox disabled.
3. Click on the Expression Editor button to display the Expression Editor.
a.
When a match rule is configured, you can specify persistence methods for that match rule, which supersede the persistence method specified for the cluster. This is the persistence type used when the match rule's conditions are met. For example, if you configured a match rule expression to direct requests to Server A based on the criteria in the expression, you can also configure the persistence type to be used when those criteria are met.
The procedure below shows you how to create a match rule that selectively disables the cluster Spoof option based on the client IP address of an incoming connection. It is assumed that the cluster for which the match rule is created has Spoof enabled on the cluster Configuration screen (tab), and that the cluster works properly for clients on subnets other than the subnet to which the server pools in the cluster are connected.
1.
To do this, we'll create two match rules, as follows:
1. Log into the GUI using a login that has add/del access for the cluster.
2. In the navigation pane on the left, click the name of the Layer 7 cluster to which you want to add the rule. The cluster Configuration screen (tab) will appear on the right:
a. Make sure that the Once Only checkbox is not checked; otherwise, uncheck it and click Commit.
b. Make sure the Persist checkbox is not checked; otherwise, uncheck it and click Commit.
c. Select continue.
5. Repeat Step 4 for each of the other filename suffixes on our example servers -- gif, bmp, tif and png.
6. In our example, we want all the images to be served from serverpool1. On the images Configuration screen (tab), select serverpool1 from the Server Pool drop-down list. When you are done, the match expression should look like this:

Copyright © 2013 Coyote Point Systems. A subsidiary of Fortinet, Inc. All Rights Reserved.
7. Click on Commit. The images rule we created selects all the requests for image files; now we need a rule to determine which servers will receive all the other requests. The Default rule is not sufficient, and in fact we don't want it to be reached, since it could send a request for content to one of the image servers. So, we'll create another rule with the same match expression as the Default [any()], but a restricted list of servers.
The Match Rule Expression Editor is separated into 3 panes.
- The Operators pane displays the available operators: "&&" is the logical AND operator, "!" is the logical NOT operator, "||" is the logical OR operator, and "()" groups functions and operators.
- The Functions pane on the right (refer to "Match Rule Functions" on page 324) lists all of the available functions.

Note - On releases prior to version 10.
Clicking on the continue or cancel button will close the Expression Editor. Clicking on the Reset button will remove all of your configured parameters and return to the default screen. Clicking on the Commit button will assign all of your match rule configurations to the cluster. The figure below shows an example of a completed Match Rule configuration. In this example a match rule is configured so that the incoming URL will be analyzed for the file extensions .jpg, .gif and .png.
Chapter 17 Automatic Cluster Responders

Note - Responders are not supported on E250GX model Equalizers

Sections within this chapter include:
- Overview 348
- Managing Responders 348
- Adding a Responder
- Modifying a Responder
- Using Regular Expressions in Redirect Responders
- Using Responders in Match Rules
- More Responder Examples
- Responders and Hot Spares
Overview

A Responder is a server-like object that can be associated with a Match Rule. It provides you with the ability to cleanly load balance traffic where server pools associated with a cluster are not available to satisfy a client's request. The feature extends Cluster Match Rules to allow them to specify a target Responder which is used to provide a response to the client when the server pool in the match rule is not available.
The Add New Responder dialog appears. By default, the form for creating a Redirect Responder is displayed:
2. Type a Name for the Responder or leave the default name provided.
3. Do one of the following:
- Create a custom HTML page by selecting Sorry Server. The dialog changes to a text entry box, into which you can type the HTML that Equalizer will return to clients. The text size limit is 4096 bytes.
4. In the screen that follows, you can optionally test your responder. Do one of the following:
- For a Sorry Server responder, click the test button to see a preview of the page. Click the close button to close the preview.
- For a Redirect responder, enter a Test URL (or use the default) and click the test button to see how the regular expression breaks the test URL into variables for re-use in the URL you supplied in the previous step.
- parse the URL of an incoming request
- break it down into separate strings (based on the positions of literal characters in the expression)
- assign each string to a named variable

These named variables can then be used in the URL field of the Redirect Responder. When the Responder replies to a client, it performs string substitution on the URL.
This Responder can be used in any cluster where a Redirect to an HTTPS cluster is desired.

Example 2 - Multi-Hostname Redirect

Let's assume that we have a set of ".com" host names, all of which resolve to the same cluster IP, and we need a Responder that redirects requests to the same hostname prefixes with a ".net" suffix. We also want to include the rest of the URL exactly as specified by the client. For example, we want requests to URLs in these formats: http://www.example.
It should be noted that this example will not work for requests with destination URLs specified with an IP address for a hostname (e.g., "12.34.56.78" instead of "www.example.com").
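The following is an added example (not Equalizer's implementation and not from this guide) of the Redirect Responder mechanism described above: a regular expression splits the request URL into named variables, which are substituted into the Location URL, and a request that does not fit the pattern (the IP-address hostname case just noted) falls back to a sorry page. Equalizer's own variable syntax is not shown on this page, so Python named groups and {name} placeholders stand in for it; the responder names, patterns, allowed host suffixes and sorry page are assumptions. Because part of the client's request is copied into the redirect target, the example also checks the result against an allowed host list so a crafted URL cannot turn the responder into an open redirect.

```python
"""Redirect Responder behaviour as described above.  Added example, not
Equalizer's implementation.  Python named groups and {name} placeholders
stand in for Equalizer's own variable syntax, which this page does not show;
responder names, patterns, allowed host suffixes and the sorry page are
assumptions for illustration."""
import re
from urllib.parse import urlsplit

# Assumption: hosts a redirect may send clients to.  The prefix captured from
# the client's request is substituted into the Location header, so the
# pattern's character class and this list keep that from becoming an open redirect.
ALLOWED_HOST_SUFFIXES = (".example.com", ".example.net")

SORRY_PAGE = "<html><body>Service temporarily unavailable</body></html>"  # constructed


class RedirectResponder:
    def __init__(self, name, pattern, target):
        self.name = name
        self.regex = re.compile(pattern)
        self.target = target

    def apply(self, request_url):
        """Return the rewritten URL, or None when the request does not match."""
        m = self.regex.fullmatch(request_url)
        if m is None:
            return None
        # An optional group that did not participate substitutes as "".
        fields = {k: (v if v is not None else "") for k, v in m.groupdict().items()}
        return self.target.format(**fields)


def safe_location(location):
    """Only http(s) to a host under an allowed suffix may be handed to the client."""
    parts = urlsplit(location)
    host = parts.hostname or ""
    return parts.scheme in ("http", "https") and host.endswith(ALLOWED_HOST_SUFFIXES)


def respond(responder, request_url):
    """What the client gets: (302, Location) or (503, sorry page)."""
    location = responder.apply(request_url)
    if location is None or not safe_location(location):
        return (503, SORRY_PAGE)
    return (302, location)


# Example 1: send everything to the HTTPS cluster, keeping host, path and query.
TO_HTTPS = RedirectResponder(
    "to_https", r"http://(?P<hostport>[^/]+)(?P<rest>/.*)?", "https://{hostport}{rest}")

# Example 2: same hostname prefix with ".com" swapped for ".net", rest of the URL kept.
# The tight character class is why an IP-address hostname does not match.
COM_TO_NET = RedirectResponder(
    "com_to_net", r"http://(?P<prefix>[a-z0-9.-]+)\.com(?P<rest>/.*)?", "http://{prefix}.net{rest}")

if __name__ == "__main__":
    for url in ("http://www.example.com/a/b?q=1", "http://12.34.56.78/a"):
        print(url, "->", respond(COM_TO_NET, url))
```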
This Responder can be used in a Match Rule in any cluster where a similar directory name based redirect is required.

Using Responders in Match Rules

Once a responder is created, it can be associated with a cluster using a match rule (See "Using Match Rules" on page 318).
- matches any incoming request
- selects the server pool specified
- has a Sorry Server Responder selected

For example, let's say you have two Responders defined and there is an existing cluster that you would like to redirect to http://www.example.com when no server pools in the cluster are available. To accomplish this, we need to create a new Responder and then add a match rule to the cluster:
1.
Another common cluster configuration requirement is to be able to automatically redirect all traffic that uses a specific URL. To do this, you need to add a new match rule that:
- matches any incoming request
- has a Redirect Responder selected

For example, let's say that we want all traffic to a cluster that uses the URL http://cluster/special/ to be redirected to https://www.example.com/special/.
Responders provide functionality that automates the very basic functions of a hot spare server, and offloads them onto Equalizer. If more functionality is desired, then a separate real server should be used as a hot spare for the cluster. It should also be noted that the resources Equalizer uses to service client requests via the Responder feature are resources potentially taken away from processing other client requests.
Chapter 18 Configuring Server Connections

Sections within this chapter include:
- HTTP Multiplexing
- Enabling HTTP Multiplexing
- Disabling "spoof" for HTTP Multiplexing
- Server Options for HTTP Multiplexing
- Outbound NAT
- Configuring Outbound NAT (CLI)
- Configuring Outbound NAT (GUI)
- Direct Server Return (DSR)
- Configuring a Cluster for Direct Server Return
- Configuring Servers for Direct Server Return
HTTP Multiplexing

HTTP multiplexing is the re-use of established server connections for multiple client connections. The best way to understand this feature is to compare non-multiplexing behavior to multiplexing behavior. When HTTP multiplexing is disabled (the default on Equalizer), each client connection requires a new connection between Equalizer and a server.
After HTTP multiplexing is enabled as above, it can be selectively disabled on clusters and server instances without modifying the multiplexing parameters set on the server. Refer to "Modifying a Layer 7 HTTP or HTTPS Cluster" on page 282 or "Cluster and Match Rule Commands" on page 146 (on the CLI) for details.
Server Options for HTTP Multiplexing

Once a server sends a complete response to a client request, instead of closing the server connection, Equalizer keeps the connection open and places a record for the connection into a pool of connections available for re-use. The connection will be re-used by Equalizer when another client request is load balanced to the same server.
In releases of EQ/OS previous to Version 10, an outbound NAT address was specified on a per-server basis. In EQ/OS 10, outbound NAT addresses are configured on subnets -- the specified outbound NAT address is used for any server connection originating on that subnet.
address. Since the cluster IP address is configured on the loopback interface of each server (See "Configuring Direct Server Return" on page 313), one or more may respond to the ARP request. The client, and possibly even the gateway, will then route requests for the cluster IP to servers directly without going through Equalizer.
respond to clients directly. In most DSR configurations, the default gateway used on servers is the gateway most appropriate for reaching the client network. If routes are also needed through Equalizer, they should be configured through static routes on the servers. See the Related Topics below for examples of configuring the loopback adapter and an HTTP server on Windows and Linux platforms for DSR.
c. On the Web Site tab, next to IP address, select the Advanced button.
d. Select the Add... button under the top list box.
e. Enter the IP address and the TCP port for the Layer 4 cluster, as configured on Equalizer. Click OK.
f. Click OK twice to return to the Internet Information Service (IIS) Manager.

You should now be able to send client requests to the cluster IP and port, and get responses directly from the IIS HTTP server running on Windows 2003.
The output should look like this:

    lo:dsr    Link encap:Local Loopback
              inet addr:cluster-ip  Mask:255.255.255.255
              UP LOOPBACK RUNNING  MTU:16436  Metric:1

3. To configure an Apache 2.0 server for DSR, edit the server configuration file to add a Listen directive for the cluster IP (on many systems, the configuration file is found at /usr/local/etc/apache/httpd.conf).
Most Linux and Unix systems default to the "weak host" model on all network interfaces, so no additional configuration is usually necessary. For example, on FreeBSD and NetBSD, this behavior is controlled by the setting of sysctl net.inet.ip.check_interface, which by default is set to 0 ("weak host"). Windows XP and Windows 2003 use the "weak host" model on all IPv4 interfaces and the "strong host" model on all IPv6 interfaces, and this is not configurable.
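The weak host model is what lets the server accept packets for the cluster IP on its loopback, but it is also what makes the ARP problem described earlier possible: a Linux host will by default answer ARP for any address it owns, including the loopback-only cluster IP. The following added example (not part of Equalizer or this guide) is a pre-flight check a practitioner can run on a Linux DSR server before pointing a cluster at it. It parses `ip -o -4 addr show` output, confirms the cluster IP sits on lo as a /32, checks the arp_ignore/arp_announce sysctls that are the usual Linux mitigation for the ARP race (those two settings are common DSR practice and are not stated on this page), and confirms something listens on the cluster IP and port. The cluster IP, the captured command output and the listener list are constructed.

```python
"""Pre-flight check for a Linux server that is to take Direct Server Return
traffic: the cluster IP must sit on the loopback as a /32, the host must not
answer ARP for it, and the web server must listen on it.  Added example, not
part of Equalizer; the arp_ignore/arp_announce settings are the common Linux
DSR practice and are not stated on this page.  The cluster IP, the captured
command output and the listener list are constructed."""
import ipaddress
import re

# Matches lines of `ip -o -4 addr show`.
_IP_O_RE = re.compile(r"^\d+:\s+(?P<ifname>\S+)\s+inet\s+(?P<cidr>\S+)")

# Assumption: Linux hosts should neither reply to ARP for, nor announce, the
# loopback-only cluster IP; otherwise the ARP race described above occurs.
WANTED_SYSCTLS = {
    "net.ipv4.conf.all.arp_ignore": "1",
    "net.ipv4.conf.all.arp_announce": "2",
}


def parse_ip_o_addr(output):
    """Return [(ifname, IPv4Interface)] from `ip -o -4 addr show` output."""
    found = []
    for line in output.splitlines():
        m = _IP_O_RE.match(line.strip())
        if m:
            found.append((m.group("ifname"), ipaddress.ip_interface(m.group("cidr"))))
    return found


def check_dsr_host(cluster_ip, ip_o_addr_output, sysctls, listeners, port):
    """Return a list of findings; an empty list means the host is DSR-ready.

    sysctls is {name: value} as read from /proc/sys or `sysctl -a`;
    listeners is [(address, port)] as read from e.g. `ss -ltn`.
    """
    cluster = ipaddress.ip_address(cluster_ip)
    findings = []
    addrs = parse_ip_o_addr(ip_o_addr_output)

    on_lo = [iface for name, iface in addrs if name == "lo" and iface.ip == cluster]
    if not on_lo:
        findings.append(f"cluster IP {cluster} is not configured on lo")
    elif on_lo[0].network.prefixlen != 32:
        findings.append(f"cluster IP on lo uses /{on_lo[0].network.prefixlen}; "
                        "use /32 (netmask 255.255.255.255) so lo does not claim the whole subnet")
    for name, iface in addrs:
        if name != "lo" and iface.ip == cluster:
            findings.append(f"cluster IP is also on {name}; the host will answer ARP for it")

    for key, wanted in WANTED_SYSCTLS.items():
        actual = sysctls.get(key, "unset")
        if actual != wanted:
            findings.append(f"{key}={actual}, expected {wanted}")

    if not any(addr in (str(cluster), "0.0.0.0") and p == port for addr, p in listeners):
        findings.append(f"nothing listens on {cluster}:{port}; add a Listen for the cluster IP")
    return findings


# Constructed sample output from a correctly configured host (cluster IP 192.0.2.10).
SAMPLE_IP_O_ADDR = """\
1: lo    inet 127.0.0.1/8 scope host lo\\       valid_lft forever preferred_lft forever
1: lo    inet 192.0.2.10/32 scope global lo:dsr\\       valid_lft forever preferred_lft forever
2: eth0    inet 192.0.2.21/24 brd 192.0.2.255 scope global eth0\\       valid_lft forever preferred_lft forever
"""
GOOD_SYSCTLS = dict(WANTED_SYSCTLS)
GOOD_LISTENERS = [("192.0.2.21", 80), ("192.0.2.10", 80)]

if __name__ == "__main__":
    for finding in check_dsr_host("192.0.2.10", SAMPLE_IP_O_ADDR, GOOD_SYSCTLS, GOOD_LISTENERS, 80) or ["OK"]:
        print(finding)
```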
Chapter 19 Server Health Check Probes

Sections within this chapter include:
- About Server Health Check Probes 370
- Layer 3 ICMP Probes 370
- Enabling/Disabling Layer 3 ICMP Probes 371
- Configuring Layer 3 ICMP Probe Parameters 371
- L4 UDP Probes 372
- Enabling/Disabling L4 UDP Probes 373
- L4 TCP/IP Probes 373
- Enabling/Disabling L4 TCP Probes 373
- Active Content Verification (ACV) Probes
- Enabling/Disabling ACV Probes
- Setting ACV Query and Response Strings
- Testing ACV Probes
About Server Health Check Probes

This chapter describes:
- How Equalizer uses health check probes to ensure server availability.
- How you can configure probe parameters and options to tailor them for your specific configuration and applications.

On Equalizer, a "server" equates to an application running at an IP address and a port.
If a server does not respond to an ICMP echo request and no other probes are configured, the server is marked "DOWN", and Equalizer continues to send ICMP requests to the server's IP address. If an ICMP echo response is subsequently received, the server is marked "UP". Responding to ICMP echo requests is an option on most server platforms.
When the ICMP Interval timer expires, a server is marked "up" if a response to any probe sent during the ICMP Interval was received. A server is marked "down" by lack of a response to an ICMP probe only if no response is received and the server had been marked "up" at least once since the last Equalizer reboot. This is to prevent marking a server down when it has been configured to ignore ICMP ECHO Requests.
Enabling/Disabling L4 UDP Probes

UDP probes are enabled for a UDP server as soon as a server instance for the server is added to a server pool. Default settings for probe parameters are used unless specifically set on the server pool.

L4 TCP/IP Probes

L4 TCP probes (acvd) are performed on servers running TCP protocol only. Equalizer attempts to open a TCP connection with a server on its configured IP address and probe port.
Equalizer can perform the same exchange automatically and verify the server pool's response by checking the returned data against an expected result.

Enabling/Disabling ACV Probes

Enable/Disable ACV Probes in the GUI
1. Click on a server pool name in the left navigational pane.
2. Enable ACV by typing a response string into the ACV Response edit box.
3. Disable ACV by clearing the contents of the ACV Response edit box or leaving it blank.
4. Click on Commit.
- Must be enclosed in single or double quotes if it contains a space character.
- Any single or double quotes included within the string must be preceded by the backslash character (\).

Note - In ACV Query strings, character escapes such as "\n" for new-line, "\r" for carriage return and "\t" for Tab are supported. "\r" and "\n" must be inserted manually at the end of all HTTP and HTTPS ACV probes; the system does not add them automatically at Layer 7.
UDP, TCP, and ACV Probe Parameters

GUI Probe Parameter (CLI Probe Parameter) | Description
Probe Interval (probe_interval) | A timer specifying the length of time (in seconds) during which a successful TCP or UDP server probe must occur, or the server is marked "down". If one or more successful probes have occurred before this timer expires, the server is marked "up" and the timer is reset. If no successful probes have occurred, the server is marked "down" and the timer is reset.
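The ICMP rule (silence only marks a server down if it has answered before, so a host that filters echo requests is never taken down by ICMP alone), the Probe Interval rule above, and the ACV escape handling from the previous note are small state machines that are easy to get wrong when writing one's own monitoring or when reasoning about why a server flapped. The following added example (not Equalizer code and not from this guide) models them: the class and function names, the interpretation of "marked up at least once" as "answered ICMP at least once", and the sample probe scenario are assumptions.

```python
"""Model of the health-state rules described above for ICMP, TCP/UDP and ACV
probes.  Added example, not Equalizer code; the class and function names,
the reading of "marked up at least once" as "answered ICMP at least once",
and the sample scenario are assumptions for illustration."""

# Escapes the page says ACV Query strings support.
_ACV_ESCAPES = {"r": "\r", "n": "\n", "t": "\t", "\\": "\\", '"': '"', "'": "'"}


def acv_query_bytes(query):
    """Turn an ACV Query string as typed in the GUI/CLI into the bytes sent.

    The trailing \\r\\n pairs an HTTP probe needs are NOT added here, matching
    the note that Layer 7 probes must spell them out in the query string.
    """
    out, i = [], 0
    while i < len(query):
        ch = query[i]
        if ch == "\\" and i + 1 < len(query) and query[i + 1] in _ACV_ESCAPES:
            out.append(_ACV_ESCAPES[query[i + 1]])
            i += 2
        else:
            out.append(ch)
            i += 1
    return "".join(out).encode("ascii")


def acv_matches(response, expected):
    """ACV succeeds when the expected response string occurs in the returned data."""
    return expected.encode("ascii") in response


class ServerHealth:
    """State derived from probe results for one server (one IP:port)."""

    def __init__(self):
        self.state = None            # None = no verdict yet, otherwise "UP"/"DOWN"
        self.icmp_answered = False   # has an ICMP echo reply ever arrived?

    def icmp_interval_end(self, responded):
        """Called when the ICMP Interval timer expires.

        A reply during the interval marks the server UP.  Silence marks it
        DOWN only if ICMP was answered at least once since boot; a host that
        ignores echo requests is never taken down by ICMP alone.
        """
        if responded:
            self.icmp_answered = True
            self.state = "UP"
        elif self.icmp_answered:
            self.state = "DOWN"
        return self.state

    def probe_interval_end(self, successes):
        """Called when Probe Interval (probe_interval) expires for TCP/UDP/ACV.

        One or more successful probes in the interval: UP.  None: DOWN.
        The timer is reset either way.
        """
        self.state = "UP" if successes > 0 else "DOWN"
        return self.state


def replay(events):
    """Apply (kind, value) events in order; returns the sequence of states."""
    health = ServerHealth()
    states = []
    for kind, value in events:
        if kind == "icmp":
            states.append(health.icmp_interval_end(value))
        elif kind == "probe":
            states.append(health.probe_interval_end(value))
        else:
            raise ValueError(f"unknown event kind {kind!r}")
    return states


# Constructed scenario: a server with ICMP filtered, then the filter removed,
# then a TCP outage.
SCENARIO = [("icmp", False), ("icmp", False), ("probe", 2), ("icmp", False),
            ("icmp", True), ("icmp", False), ("icmp", True), ("probe", 0)]

if __name__ == "__main__":
    print(replay(SCENARIO))
    print(acv_query_bytes('GET / HTTP/1.0\\r\\n\\r\\n'))
```

The scenario shows the practical consequence: while the server filters ICMP, only the TCP/UDP/ACV probes can change its state, so a server pool that relies on ICMP alone against such hosts will never notice an outage.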
2. Modify the appropriate probe parameter values, as described in UDP, TCP, and ACV Probe Parameters above.
3. Click on Commit to save the configuration or Reset to return all values to the default settings.

Setting TCP, UDP and ACV Probe Parameters in the CLI
1. To set TCP, UDP, and ACV probe parameters in the CLI, enter the following command in the global context.

    eqcli > srvpool srvpool_name parameter_name value [...]

2.
Simple Health Check Probes

Simple health checks allow you to configure Equalizer to probe a specified target and retrieve a "load" value from the target which describes its current level of load. A user-supplied "server agent" must be running at the target, which supplies a load value in response to a simple health check query from Equalizer. The agent obtains this information by any means available at the target server.
GUI Parameter (CLI Parameter) | Description
Probe Connect Timeout (probe_cto) | The health check connection timeout. The number of seconds (default: 1) that Equalizer will wait for a connection attempt to the health check server application to succeed before marking the server down.
Probe Data Timeout (probe_dto) | The health check data timeout.
6. Enter Simple Health Check parameters using Simple Health Check Parameters above.
7. Click on Commit to save the configuration or Reset to return all values to the default settings.

Add an instance of the health check (a health check instance) to a server instance in the server pool. Health check instances are applied to server instances (and thus the servers) within a server pool to determine the health and to determine the "best" server to use.
8.
10. Select a Health Check Name from the drop down list and click on Commit. The following will be displayed.
11. Health check instances will be arranged in an expandable accordion list. The Name, Type and a Status indicator will appear on the accordion label. Click on the accordion label to expand the display.
2. Display the configuration of HC1:

    eqcli > show srvpool MyPool health_check HC1
    Health Check Name           : HC1
    Type                        : simple
    Port                        : 1510
    Stimulus                    :
    Healthy                     : 0.000000
    Loaded                      : 100.000000
    Probe Interval              : 15
    Max tries per interval      : 3
    Global Timeout              : 5
    First state change timeout  : 1
    Second state change timeout : 2
    Weight                      : 100

3.
By default, server agents are disabled on all new server pools. To enable server agents for a server pool, you need to write the agent, install and run it on each server in the server pool, and then enable server agents for the server pool on Equalizer.
    #!/usr/bin/perl
    # The socket setup that precedes the bind() call was not on this page; the
    # lines down to the first comment are supplied so the fragment runs.  The
    # port is taken from the simple health check shown above (1510).
    use strict;
    use warnings;
    use Socket;

    my $port  = 1510;
    my $proto = getprotobyname("tcp");
    my $paddr = sockaddr_in($port, INADDR_ANY);

    socket(SERVER, PF_INET, SOCK_STREAM, $proto) or die "socket: $!";
    setsockopt(SERVER, SOL_SOCKET, SO_REUSEADDR, pack("l", 1)) or die "setsockopt: $!";

    # bind to the port, then listen on it
    bind(SERVER, $paddr) or die "bind: $!";
    listen(SERVER, SOMAXCONN) or die "listen: $!";
    print "Server agent started on port $port\n";

    # accepting a connection
    my $client_addr;
    while ($client_addr = accept(CLIENT, SERVER)) {
        # find out who connected
        my ($client_port, $client_ip) = sockaddr_in($client_addr);
        my $client_ipnum = inet_ntoa($client_ip);
        # print who has connected -- this is for debugging only
        print "Connection from: [$client_ipnum]\n";
        # The remainder of the agent, which writes the load value back to
        # Equalizer, is not on this page.
        close(CLIENT);
    }
By default, VLB health checks use the information in the VLB Manager object and the UUID specified by the server object. If use_server_port is set, the server object's port is used; otherwise the probe_port specified in the health check object is used. Typically, VLB health check probes are configured in the following manner:
1. Provide VMware login information by creating "VLB Managers".
2. Associate Equalizer servers with virtual machines on VMware.
3.
Configuring VLB Health Check Probe Parameters

The procedures in the Related Topics describe the process of configuring VLB manager, health checks and health check instances using both the GUI and the CLI.
a. Enter a URL for the VLB Manager you would like to connect with in the VLB Manager URL field. Add Username/Password credentials for login as well.
b. The Connect Timeout slider is used to configure the allowable time to connect with VMware. By default this is 1.
c. The Disable checkbox is used to disable the VLB Manager if necessary.
d. Clicking on the Test Login button will test your URL and credentials using the Connect Timeout settings that you configure.
select a VLB Manager from the drop-down list above and click Get VMList. The figure below will be displayed. The popup contains the list of the Virtual Machines (VMs) retrieved from the VLB Manager. The VM with the matching IP address (if found) is pre-chosen (highlighted) in the list. Click on Select to select the pre-highlighted VM, or choose another before clicking Select. The tab is then redisplayed with the Virtual Server ID of the selected VM.
Note - Use the custom load balancing policy when you want to rely primarily on the load values reported by VLB health checks. Refer to "Equalizer's Load Balancing Policies" on page 230 for details. 5. The Health Check screen below will be displayed after adding a health check. The screen allows the configuration of all health checks and features accordion tabs, each labeled with the health check name and type and the currently set health check relative weight.
The Health Check Instances screen features accordion panes for the existing and the new health check instances, each labeled with the health check instance. Clicking on the icon will display the figure above to add a new health check instance. Clicking on the icon will delete the health check whose accordion pane is currently open. Use the drop-down list to select a VLB Parameter. This can be either VM CPU or VM RAM. The default is VM CPU.
where: name is the name of the vlb manager

3. Enter the new VLB Manager, adding the URL, Username, Password and Connect Timeout parameters and flags. Enter:

eqcli xs vlb-nam*> URL value
eqcli xs vlb-nam*> username name
eqcli xs vlb-nam*> password name
eqcli xs vlb-nam*> flags disable

a. The only flag used is disable, which disables the VLB Manager if necessary.

4. Enter the following to verify the new VLB Manager and parameters.
6. Enter the server context and set the vlb_manager value by entering the following. In this example the vlb_manager is "esxi-01" on a server "centos216":

eqcli sv-cen*> vlb_manager esxi-01
eqcli sv-cen*> commit
eqcli: 12000287: Operation successful

Add Health Checks

7. The next step is to add a new health check to a specific server pool.
Name     URL
esxi-01  https://192.168.213.196/sdk

eqcli > show server
Name        Protocol  IP Address       Port  Flags
mac-80      tcp       192.168.213.222  80    probe_l3
xp-80       tcp       192.168.213.211  80    probe_l3
bsd-80      tcp       192.168.213.212  80    probe_l3
bsdvm213    tcp       192.168.213.213  22    probe_l3
freebsd215  tcp       192.168.213.215  22    probe_l3
centos216   tcp       192.168.213.216  22    probe_l3
ubuntu217   tcp       192.168.213.217  22    probe_l3
bsdvm214    tcp       192.168.213.214  22    probe_l3

10.
This server is enabled.
Server Name               : centos216
IP Address                : 192.168.213.216
Port                      : 22
Protocol                  : tcp
VID                       : 1
Max Reuse Connections     : 0
Reuse Connections Timeout : 0
VLB Manager               : esxi-01
UUID                      : 564d4447-ee96-1b6e-a993-76314f36eac6
Flags                     : probe_l3

Add a VLB Health Check Instance on a Server Instance in a Server Pool

You now need to add health check instances to server instances in server pools. 13.
to the IP address of every configured server object. The timeouts that control Layer 3 Health Check probes are located in the global CLI context and on the EQUALIZER > Global tab in the GUI:

Layer 3 Health Check Parameters
GUI Parameter (CLI Parameter) | Minimum | Default | Maximum | Units
ICMP Probe Maximum Tries (icmp_maxtries) | 0 | 3 | 30 | integer
ICMP Probe Interval (icmp_interval) | 0 | 15.0 | 60.
GUI Parameter (CLI Parameter) | Location | Description
(continued) | | expects to receive in the first 1024 characters of the server instance response. If this string is not specified, ACV probes are disabled.
Probe SSL (probe_ssl) | server pool | A flag on a server pool, disabled by default. If enabled, the TCP and ACV probe exchange between Equalizer and the server instance is performed over an encrypted SSL connection.
Simple and VLB Health Check Timeouts Simple and VLB health checks each have their own timeouts, defined within the health check definition. They are named the same and behave the same as the timeouts for Layer 4 TCP and ACV health checks in the previous section, with the exception that the Probe Data Timeout (probe_dto) is the timeout for the server response for these health checks rather than for ACV. This affects only the part of the flowchart that is outlined in the previous section. Copyright © 2013 Coyote Point Systems. A subsidiary of Fortinet, Inc. All Rights Reserved.
Chapter 20 Logging

Sections within this chapter include:
Displaying Logs 400
Remote System Logging 400
Displaying Logs Equalizer logs can be displayed in both the CLI and the GUI. In the CLI, use the following command:

eqcli > show log name lines number

Substitute sys for name to display the system log; use eq to display the Equalizer log. By default, the entire log is displayed. Use the lines keyword to specify the number of lines to display, starting with the most recent log message. In the GUI, open the Equalizer > Status tab to display the graphical log browser.
Substitute the IP address or hostname of a working syslog server for IPaddr_or_name. If the remote syslog server is later removed using the no form of the syslog-server command, use the syntax shown above to re-enable remote logging. If remote logging is later disabled using the syslog disable command, use syslog enable to re-enable it.
Chapter 21 Reporting (Statistics and Plotting)

Sections within this chapter include:
Cluster and Match Rule Reporting 404
Server Pool and Server Instance Reporting (CLI and GUI) 410
Server Reporting (CLI and GUI) 416
Responder Reporting (CLI and GUI) 420
Cluster and Match Rule Reporting The CLI display of statistics can be seen by entering the following within the cluster or match rule context:

[Figure: Sample of Layer 7 Cluster Statistical Display]
[Figure: Sample of Layer 7 HTTP and HTTPS Match Rule Statistical Display]
[Figure: Sample of Layer 4 Cluster Statistical Display]

To view the GUI display, select a cluster or responder server on the left navigational pane and click on the Reporting tab to display statistics.
[Figure: Sample Layer 7 Cluster GUI Statistical Displays]

The following are definitions for the statistical terms shown on both the CLI and GUI:

Layer 7 Cluster Statistic Definitions
CLI Term | GUI Term | Definition
TOTALPRCSD | Total Connections | Connections processed.
TOTALRESPPRCSD | Total Transactions | The total responses processed.
TIMESPENT | Total Time For Server Responses | The total time spent on this object.
CLI Term | GUI Term | Definition
ACTIVECONX | Active Connections | Active connections.
BYTERCVD | Bytes Received | Bytes received.
BYTESEND | Bytes Sent | Bytes transmitted.
REQPARSED | Number of Request Headers Parsed | The total number of times that an HTTP request header was parsed.
CLI Term | GUI Term | Definition
N/A | Transactions/second (TPS) | The total responses processed per second.
N/A | Throughput | Throughput.
N/A | Total Connections | Total connections.
N/A | Total Transactions | Total transactions.
N/A | Active Connections | Active connections.
N/A | Bytes Received | Bytes received.
N/A | Bytes Sent | Bytes transmitted.
The following is an example of a graphical plot that can be displayed on the GUI. Select a Cluster or Match Rule on the left navigational pane, click on the Reporting tab and then Plotting. The following will be displayed: [Figure: Sample Layer 7 Cluster Graphical Plot] The specific types of statistics that are displayed are determined by the selections on the Statistics pane in the upper right corner of the GUI. Make selections based on the data that you require.
[Figure: Sample Match Rule Graphical Plot] [Figure: Sample Layer 4 Cluster Graphical Plot] The specific types of statistics that are displayed are determined by the selections on the Statistics pane in the upper right corner of the GUI. Make selections based on the data that you require.
The Plot Type selection determines whether the display reflects a Static Time Span, which is configured using the slider, or a real-time duration. If Real Time Duration is selected, the slider controls change to Duration and Refresh controls as shown below. In this case, set the Duration over which you would like to review statistics and the desired Refresh rate.
To view the GUI display, select a server pool or server instance on the left navigational pane and click on the Reporting tab to display statistics. The following will be displayed. [Figure: Sample Server Pool and Server Instance GUI Statistical Display] The following are definitions for the statistical terms shown on both the CLI and GUI:
Server Pool Statistic Definitions
CLI Term | GUI Term | Definition
Total connections processed | Total Connections | Connections processed.
Total response processed | Total Transactions | Responses processed.
Total time taken for server to respond | Total Time For Server Responses | Total time for server responses.
Current Active Connections | Active Connections | Active connections.
No of Times Server Selected By Sticky | Total Sticky Records | Total sticky records.
CLI Term | GUI Term | Definition
TCP MUX Reuse Pool Overflow | Overflow |
Total Connections Closed by Server in TCP MUX Reuse Pool Overflow | Cx Dropped Due To Server Closed Cx In Reuse Pool | Total connections closed by server in TCP MUX reuse pool overflow.
CLI Term | GUI Term | Definition
(continued) | | Failed parsing.
RSPFAILHDR | Total Responses Dropped for Exceeding Header Limit | Responses dropped for exceeding header limit.
CLNTTO | Cx Dropped Due To Client Timeout | Connections dropped due to client timeout.
SRVRTO | Cx Dropped Due To Server Timeout | Connections dropped due to server timeout.
CONNTO | Cx Dropped Due To Connect Timeout | Connections dropped due to connect timeout.
The specific types of statistics that are displayed are determined by the selections on the Statistics pane in the upper right corner of the GUI. Make selections based on the data that you require. The Plot Type selection determines whether the display reflects a Static Time Span, which is configured using the slider, or a real-time duration.
Server Reporting (CLI and GUI) The CLI display of statistics can be seen by entering the following within the server context: [Figure: Sample Server Statistics Display] To view the GUI display, select a server on the left navigational pane and click on the Reporting tab to display statistics. The following will be displayed. [Figure: Sample Server Statistics GUI Display]
The following are definitions for the statistical terms shown on both the CLI and GUI:

Server Statistic Definitions
CLI Term | GUI Term | Definition
TOTALPRCSD | N/A | Connections processed.
TOTALRESPPRCSD | Total Transactions | Responses processed.
TIMESPENT | Total Time For Server Responses | The total time spent on this object.
ACTIVECONX | Active Connections | Active connections.
CLI Term | GUI Term | Definition
BYTERCVD | Bytes Received | Bytes received.
BYTESEND | Bytes Sent | Bytes transmitted.
TOTALSTKY | Total Sticky Records | Total sticky connections.
CURRSTKY | Current Sticky Records | Current sticky records.
IDLECONXDROPED | Cx Dropped Due To Idle Timeout | Connections dropped for idle timeout.
STALECONXDROPED | Cx Dropped Due To Stale Timeout | Connections dropped for stale timeout.
CLI Term | GUI Term | Definition
N/A | Input Bytes To Compress | Input bytes to compress.
N/A | Output Bytes After Compression | Output bytes after compression.

The following is a graphical plot that can be displayed on the GUI. Select a server on the left navigational pane, click on the Reporting tab and then Plotting.
Responder Reporting (CLI and GUI) The CLI display of statistics can be seen by entering the following within the responder context: [Figure: Sample Responder Statistics Display] To view the GUI display, select a responder on the left navigational pane and click on the Reporting tab to display statistics. The following will be displayed.
The following is a graphical plot that can be displayed on the GUI. Select a Responder on the left navigational pane, click on the Reporting tab and then Plotting. The following will be displayed: [Figure: Sample Responder Plot] The specific types of statistics that are graphically displayed are determined by the selections on the Statistics pane in the upper right corner of the GUI. Make selections based on the data that you require.
Chapter 22 Failover

Sections within this chapter include:
Understanding Failover 424
How Equalizer Determines if it Should Assume the Primary Role 424
Releases Supported for Failover with EQ/OS 10 425
Guidelines for Upgrading a Failover Pair from EQ/OS 8.6 to EQ/OS 10 425
Guidelines for Updating a Failover Pair with Both Units Using EQ/OS 10 425
Failover Between EQ/OS 8.6 and EQ/OS 10 426
EQ/OS Version 8.
Understanding Failover In an Active/Passive failover configuration, two Equalizers are configured into active and passive roles, with the active Equalizer serving cluster traffic. A "failover" is said to occur when the active Equalizer stops processing client requests and the passive Equalizer starts processing cluster traffic. When two Equalizers are configured into this failover configuration, they form a "failover pair". An Equalizer in a failover pair is called a "peer".
c. If the "Failed Probe Count" configured on the subnet is reached BEFORE the global "Failed Probe Count", a failover will occur. 3. If Equalizer determines that no other system owns any of its cluster or failover IP addresses AND it has better connectivity than the peer, it becomes "Primary"; otherwise, it remains a "Backup". Heartbeating MUST be established on an interface before failover can occur.
1. Verify that your current failover configuration is operating properly and that there are no error messages in the Peer Summary screen on the GUI ("Configuring Active/Passive Failover (GUI)" on page 451) or CLI ("Peer Commands" on page 164). 2. Upgrade the backup Equalizer first ("Upgrading to the Latest Release" on page 65). The unit should be configured in failover prior to the upgrade. 3.
- On the EQ/OS 8.6 system, failover must be configured manually as shown in the procedure below (i.e., you cannot use the Failover Wizard).

Server Availability Constraint For failover to initialize correctly, at least one server or gateway configured on a subnet defined on Equalizer must be responding to ARP (Address Resolution Protocol) requests. Otherwise, Equalizer will remain in the "initializing" failover state and will not assume the backup or primary role.
3. Configure failover peers on the EQ/OS 8.6 system. a. Click Mode: Standalone at the top of the left frame to open the Failover > Required tab. b. Uncheck (turn off) the Disable Failover check box. c. In the This Equalizer section, check (turn on) the Preferred Primary check box. d. In the Peer Equalizer section, do the following:
- Enter any name you like for Equalizer Name and any string of characters for Signature.
- Be sure to use the same VLAN IP addresses on the EQ/OS 10 system that you specified in Step "Failover Between EQ/OS 8 and EQ/OS 10" on page 427.

b. Assign a virtual IP address to the default subnet of each already configured VLAN, as in the examples below. The virt_addr values entered must match the Failover IP addresses and Failover Netmasks assigned on the EQ/OS 8.6 system in Step 2b.
12200451: Last probe sent to this Peer     : #2 at Fri Jan 7 22:03:40 2011
12200452: Last probe received from this Peer: #2 at Fri Jan 7 22:03:41 2011
12200453: Number of interfaces              : 2
12200456: Interface                         : Mgmt
12200457: State                             : Probing
12200458: Substate                          : Start
12200459: Last probe sent on this if        : #1 at Fri Jan 7 22:03:40 2011
12200460: Last probe received in this if    : #1 at Fri Jan 7 22:03:41 2011
12200461: Number of strikes                 : 1
12200456: Interf
b. Since the EQ/OS 10 Equalizer is in Backup Mode, it will not attempt to assume the cluster IP addresses until a failover occurs. 5. Set the hb_interval global parameter (Heartbeat Interval in the GUI) to the Probe Interval parameter on the EQ OS 8.6 system multiplied by the number of interfaces (VLANs) configured on the EQ OS 8.6 system. For example, if the EQ OS 8.
Note that the coyote icons at the top of the left frame of the EQ/OS GUI will not change to indicate when the EQ/OS 10 system is the primary unit -- that is, the EQ/OS 10 system will always have the sitting coyote icon next to it. For the Beta, this is normal and expected. Always use the Help > About screen or the Equalizer log (Equalizer > Status > Event Log) to check failover status on EQ/OS 8.6.
N+1 Failover N+1 Failover is a feature of EQ/OS 10 in which the failover configuration consists of multiple active peers ("N") plus one passive peer. In this type of failover configuration, the Equalizer clusters are instantiated on all "N" peers and organized into failover groups.
Failover Mode | Description
Standalone | No failover configured.
Not Initialized | A peer has not completed initialization. This is a temporary condition.
Primary | The Equalizer is the primary failover peer.
Backup | The Equalizer is the backup failover peer.
Not Used | This is always shown with the Unassigned F/O Group. It is specifically used with Active/Active or N+1 failover. This display is essentially a placeholder and indicates that there are no members in this failover group.
EQ/OS Version 10 Failover Constraints Before you begin configuring failover, you must do the following: 1. Ensure that the VLAN configuration on both EQ/OS 10 Equalizers is exactly the same. This includes all VLAN and subnet parameters except for the tagged and untagged ports assigned to a VLAN. 2. In some cases there may appear to be an issue where the Primary and Backup Equalizers are in a conflict over which is Primary.
The following Equalizer objects ARE synchronized in a Failover configuration: The following Equalizer objects ARE NOT synchronized in a Failover configuration: Alerts Clusters Interfaces (Switch Port Configuration) Server Pools Peers SSL Certificates VLANs CRLs Subnets Servers Tunnels Responders Users GeoClusters Licenses GeoSite GeoSite Instances Global Parameters: Syslog server NTP server Name servers Health Checks Health Check Instances SMTP Relays VLB Managers Server / Gateway
When Equalizers are configured into a failover group, they continually probe (or heartbeat) each other so that a backup peer can assume the primary role should the active primary unit become unreachable. Heartbeat probes are performed over a long-lived TCP connection. Whenever Equalizer starts heartbeating a peer, it opens a heartbeat connection to the peer which remains open for as long as the two systems are operational and have network connectivity.
Modifying Failover Timeouts in Production When a failover pair is actively serving traffic, any change to the global or subnet failover parameters could itself trigger a failover if it is not performed in the correct manner. Note - These parameters are not currently synchronized. To prevent an inadvertent failover, proceed as follows: 1.
Configuring Active/Passive Failover Between Two EQ/OS 10 Systems When two Equalizers are configured into Active/Passive failover, they form a "failover pair". An Equalizer in a failover pair is called a "peer". At any given time, only one of the Equalizers in a failover pair is actually servicing requests sent to the cluster IP addresses defined in the configuration -- this unit is called the "active peer" or the "current primary" Equalizer in the failover pair.
1. Configure VLANs and Subnets as described in "Configuring Subnets" on page 103. It is important that the VLANs are identical on both the preferred primary and the backup. 2. Access the CLI as described in "Starting the CLI" on page 128. 3. Configure the failover service parameters for the preferred primary Equalizer. Enter:

eqcli > vlan vlname subnet sname flags flagname

Where vlname is the name of the VLAN, sname is the name of the subnet and flagname is the name of the flag.
a. fo_https - when enabled, Equalizer will listen for HTTPS connections on the Failover IP address on the subnet. b. fo_ssh - when enabled, SSH login will be permitted on the Failover IP address on the subnet. c. fo_snmp - when enabled, SNMP will accept connections on the Failover IP address on the subnet. d. fo_envoy - when enabled, this allows Envoy to monitor this subnet for failover. e.
2. Configure VLANs and subnets on both units; they must be exactly the same, as noted above under "EQ/OS Version 10 Failover Constraints" on page 435. 3. Designate a preferred primary and preferred backup using "Configuring Active/Passive Failover (CLI)" on page 443, beginning with step 3. 4. Open the Equalizer Graphical User Interface (GUI) and select the subnet of the VLAN to be used as the "Preferred Primary". 5.
which the configuration file transfers (between preferred primary and preferred backup) can occur. b. Checking the Heartbeat checkbox allows the failover peers to probe one another over the subnet. At least one subnet must have the Heartbeat flag enabled. Note - Command Transfer and Heartbeat use the subnet IP address, not the failover IP address. 8.
eqcli > ping gateway_IP_address

If no gateways are responding, then configure a server with an IP address on a subnet with heartbeat enabled. Make sure it is responding to a ping command:

eqcli > server name proto {tcp|udp} ip IP_address port port_number
eqcli > ping server_IP_address

Perform Step 3 on the preferred backup Equalizer to obtain the peer signature:

3. Obtain the failover signature of the preferred backup Equalizer. a.
Perform Steps 4 and 5 on the preferred primary Equalizer to add failover flags and to create a new peer definition for the backup. You now need to configure the preferred primary Equalizer by adding failover flags and creating a peer on it for the backup that you created in steps 3 and 4. You will need the peer signature from the backup that you retained in step 4. 4. Log in to the Equalizer you will designate as the preferred primary and do the following: a.
Peer Name                 Type   Flags           F/O Mode
eq_00241DB2ABA0 (Local)   OS/10  F/O, P/P, xfr   Primary
eq_001D7D78E13E (Remote)  OS/10  F/O             Backup

Flags Key:
F/O => failover
A/A => active-active
P/P => preferred-primary
xfr => fo_config_xfer

c. Now you will need the peer signature from the primary Equalizer. Enter the following:

eqcli > show peer name

Where name is the name of the peer for the primary Equalizer. The following will be displayed.
b. Add the failover flag to the backup by entering:

eqcli > peer name flags failover

Where the peer name is the same one that appears beneath the Peer Name heading. c. Verify that the flag was assigned by entering:

eqcli > show peer

d.
eqcli > show peer
Peer Name                 Type   Flags           F/O Mode  Error
eq_00241DB2ABA0 (Local)   OS/10  F/O, P/P, xfr   Primary   No
eq_001D7D78E13E (Remote)  OS/10  F/O             Backup    No

Note that the F/O Mode column should appear as above when failover is working properly. The system on which you are logged in will always appear first in the list. b.
The remote peer definition includes detailed information about the success or failure of the health check probes being sent by the local Equalizer (the unit on which you are logged in) to the remote Equalizer (the other peer). Look carefully at the output for any errors.
Last heartbeat sent     : #161 at Wed Mar 14 12:07:10 2012
Last heartbeat received : #97 at Wed Mar 14 12:07:10 2012
Number of strikes       : 0

The above display includes detailed information about the success or failure of the health check probes being sent by the remote Equalizer (the other peer) to the local Equalizer (the unit on which you are logged in). Refer to "Peer Interface Subnet States and Substates" on page 438 for descriptions of the Peer states and substate conditions.
Configuring Active/Passive Failover (GUI) Perform Steps 1 and 2 on both Equalizers. 1. Perform initial system configuration on both units as outlined in "Networking Technologies" on page 78. 2. Configure VLANs and subnets on both units; they must be exactly the same, as noted in "EQ/OS Version 10 Failover Constraints" on page 435. Perform Step 3 on the preferred backup Equalizer to obtain the peer signature. 3.
b. Highlight and copy the failover Signature of the preferred primary Equalizer. Save the signature to an electronic clipboard, notepad or whatever means is available. c. Click on Commit to save the flag assignments. 5. Create a peer definition for the backup peer on the preferred primary Equalizer. a. Right click on Peers on the left navigational pane and select Add failover peer. The failover peer entry form is shown below: b.
d. Enable the Failover flag and click on Commit. Both peers should appear on the left navigational pane on the Peers branch. Perform Step 6 on the preferred backup Equalizer to add failover flags and create a peer definition for the primary Equalizer. 6. Log back in to the GUI of the backup Equalizer using the procedures described in "Logging In" on page 192. You will need to create a peer for the preferred primary, using the signature that you recorded in step 4b. a.
7. Access the GUI for the preferred primary or backup Equalizer. a. Right click on Peers on the left navigational pane to display the Peers summary screen as shown below. Note that the first screen shows the Peer Summary of the preferred primary Equalizer, which is categorized as Local; if a failover occurs it will become the backup. The following shows the preferred backup Equalizer Peer Summary, with the reversed condition in a failover state. b.
Peer Summary Display Showing Errors If failover were NOT configured correctly, or a problem existed with one of the peers, you would see a display similar to the following example. Note that a failure icon appears on the left navigational pane beside the peer with an error, as well as on the right, indicating that Failover is not configured.
Refer to "Peer Interface Subnet States and Substates" on page 438 for descriptions of the Peer states and substate conditions. Configuring Active/Active Failover Between Two EQ/OS 10 Systems Active/Active (A/A) failover allows clusters to be active on both Peers that are configured into failover.
eqcli > peer [name] flags active-active

Once you have added the active-active flag to each local peer, and if the Equalizers are heartbeating, the A/A flag should be displayed when you enter show peer on each Equalizer, as shown below. One Equalizer should be displayed as "Backup" and the other as "Primary".
- If all Failover groups are instantiated on a Peer, the F/O column will display Primary.
- If none are instantiated, the F/O column will display Backup.
4. Set the preferred_peer flag on a cluster. The purpose of the preferred_peer parameter is to indicate the failover peer on which the cluster is "desired" to run; it is the peer on which the cluster will be run if the user runs the rebalance command. This parameter is set to the Peer that you want the cluster to be associated with in the non-failover case. If this parameter is not set, the cluster defaults to the Peer that has been set as the preferred primary.
Display the elements of a failover group by entering show fogrp name, where name is one of the names in the list. For example:

eqcli > show fogrp fo_group1
F/O Group fo_group1: ID = 1
Preferred Peer = eq_001D7D78E13E
Subnet Members (num = 1): God:Me
Cluster Members (num = 2): cl01 cl02
No Server Members

Note - At least 2 subnets must be configured, along with their failover IP addresses. 6.
(172.16.0.181) and floating IP 172.16.0.219.
- F/O Group 2 - has subnet 192.168.0/24 with cluster cl02 (192.168.0.211), server sv02 (192.168.0.181) and floating IP 192.168.0.219.
- If the clusters are using spoof and sv03 (192.168.0.182) is added to the server pool for cluster cl01, this will cause F/O Groups 1 and 2 to be merged into a single F/O Group that includes cl01, cl02, sv01, sv02, sv03, and subnets 172.16.0/24 and 192.168.0/24.
e.
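The merging rule in the example above, as an added illustration that is not Equalizer's own code: a small Python model that computes failover groups as connected components of clusters, the servers they point at, and the subnets their addresses fall on. The subnet names 172net/192net, the server addresses, and the reading that a server's subnet is pulled into the group only when the cluster uses spoof are assumptions.

```python
import ipaddress
from collections import defaultdict

# Constructed topology mirroring the example in this chapter: two subnets,
# clusters cl01/cl02 and servers sv01/sv02/sv03 (sv03 is the server whose
# addition to cl01's pool merges the two failover groups).
SUBNETS = {"172net": "172.16.0.0/24", "192net": "192.168.0.0/24"}
SERVERS = {"sv01": "172.16.0.181", "sv02": "192.168.0.181", "sv03": "192.168.0.182"}


def subnet_of(ip, subnets=SUBNETS):
    """Name of the configured subnet that contains ip (ValueError if none)."""
    addr = ipaddress.ip_address(ip)
    for name, cidr in subnets.items():
        if addr in ipaddress.ip_network(cidr):
            return name
    raise ValueError(f"{ip} is not on any configured subnet")


def failover_groups(clusters, servers=SERVERS, subnets=SUBNETS):
    """Group clusters, servers and subnets into failover groups.

    clusters maps a cluster name to {"ip": str, "spoof": bool, "servers": [names]}.
    A group is a connected component of the object graph: each cluster is tied
    to the subnet of its cluster IP and to every server it points at; with
    spoof enabled the server's own subnet is tied in as well (assumption: that
    is how the spoof example on this page is read here). Returns one dict per
    group with sorted member lists, ordered by cluster members.
    """
    parent = {}

    def find(node):
        parent.setdefault(node, node)
        while parent[node] != node:
            parent[node] = parent[parent[node]]  # path halving
            node = parent[node]
        return node

    def union(a, b):
        ra, rb = find(a), find(b)
        if ra != rb:
            parent[ra] = rb

    for cname, cl in clusters.items():
        cnode = ("cluster", cname)
        union(cnode, ("subnet", subnet_of(cl["ip"], subnets)))
        for sname in cl["servers"]:
            snode = ("server", sname)
            union(cnode, snode)
            if cl["spoof"]:
                # spoofed client addresses mean the server's reply must return
                # through the peer owning the floating IP on the server's subnet
                union(snode, ("subnet", subnet_of(servers[sname], subnets)))

    members = defaultdict(lambda: {"subnets": set(), "clusters": set(), "servers": set()})
    for kind, name in list(parent):
        members[find((kind, name))][kind + "s"].add(name)

    groups = [{k: sorted(v) for k, v in m.items()} for m in members.values()]
    return sorted(groups, key=lambda g: g["clusters"])


def _demo():
    before = {
        "cl01": {"ip": "172.16.0.211", "spoof": True, "servers": ["sv01"]},
        "cl02": {"ip": "192.168.0.211", "spoof": True, "servers": ["sv02"]},
    }
    after = {**before, "cl01": {**before["cl01"], "servers": ["sv01", "sv03"]}}
    for label, cfg in (("before adding sv03", before), ("after adding sv03", after)):
        for i, g in enumerate(failover_groups(cfg), 1):
            print(f"{label}: F/O Group {i}: {g}")


if __name__ == "__main__":
    _demo()
```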
Network Design for N+1 Failover The design of the host network is critical to a successful failover configuration. The essential concept of active-active failover is that the resources required for a cluster to serve client requests are organized into "failover groups". For any cluster, the required resources include:
- the cluster object and all objects to which it points, including server pools, server instances, servers, responders, certificates, etc.
5. If the preferred peer is not one of the systems that can provide connectivity, or if a cluster has no preferred peer set, then Equalizer checks whether the peer that has the 'preferred primary' flag set can provide the required connectivity. If it can, the failover groups are moved to that peer. 6.
The four columns contain the following information: F/O Group Name These are determined by Equalizer, according to cluster IP addresses, server IP addresses, and the network configuration. 'Unassigned' is the failover group used when active-active failover is not yet enabled. Failover groups are not used in active/passive failover configurations. F/O Group ID An identifying number for the failover group. This is set by Equalizer and not directly modifiable.
For "N+1" failover:
1. Each peer should have the A/A (active-active) flag enabled.
2. The modes displayed will be different for active-active, as explained below.

As cables are removed, re-attached, and systems rebooted, the F/O Mode displayed for each peer will move through the following failover mode variations:

Primary | The peer has instantiated all cluster IP addresses and all subnet failover IP addresses. Heartbeating is working properly.
Displaying Cluster Status Specify the name of a cluster to the show cluster command to see whether the cluster is currently instantiated on the Equalizer to which you are logged in.
Also shown in the output are the preferred peer and VID (VLAN ID) settings. Basic troubleshooting for failover includes verifying that all preferred peer and VID settings on clusters are correct. Rebalancing Rebalancing is usually done after a failover event occurs and all systems have been returned to normal service. It instantiates each cluster (and its required objects, such as servers) on the peer set in the cluster's preferred_peer parameter.
c. Set the command and heartbeat flags on the subnets. One subnet must have the command flag enabled; both subnets need the heartbeat flag, since we want to fail over when there is a connectivity issue on any subnet:
eqcli > vlan vlan2 subnet 172net flags command,heartbeat
eqcli > vlan vlan3 subnet 192net flags heartbeat
d. Change the system hostname so it is unique:
eqcli > hostname name
e. Set the timezone.
Note that the above means press the Tab key on your keyboard to autocomplete the local peer name. Since this unit currently has only one peer definition, it fills it out with the local peer name.
2. After you complete Step 1 on all three Equalizers, do the following on Equalizer Eq-A:
a. Create the clusters, servers, server pools, and server instances necessary for your configuration.
eqcli > peer Eq-B signature signature flags failover
eqcli > peer Eq-C signature signature flags failover
Note - The signature for each remote peer can be displayed by logging into the CLI on that peer and executing "show peer name", where name is Eq-B or Eq-C.
e. Set a preferred peer for each cluster:
eqcli > cluster clA preferred_peer Eq-A
eqcli > cluster clB preferred_peer Eq-B
f. Verify that the clusters have been configured into two failover groups:
3.
eqcli > peer Eq-C flags failover,active-active
b. Create the peer definitions for the remote peers Eq-A and Eq-B:
eqcli > peer Eq-A signature signature flags failover,fo_config_xfer,preferred_primary
eqcli > peer Eq-B signature signature flags failover
Note - The signature for each remote peer can be displayed by logging into the CLI on that peer and executing "show peer name", where name is Eq-A or Eq-B.
c. On Eq-A, the peer status should now look like this:
d.
- 3 VLAN subnets
- 3 clusters: 1 preferred on each of Eq-A, Eq-B, and Eq-C; no clusters on Eq-D
- 3 failover groups
1. Do the following on all four Equalizers:
a. Create all VLANs and subnets necessary for your configuration (see "Configuring VLANs" on page 100). For this example, we assume two VLANs (vlan2 with two subnets and vlan3 with one). These are cabled to Equalizer through separate front-panel ports.
Locate your timezone in the displayed list and press "q" to quit out of the list. Then type in your timezone number and press Enter, as in this example for the "America/New York" time zone:
eqcli > timezone 161
g.
sp02
eqcli > server sv4 proto tcp ip 192.168.0.24 port 80
eqcli > srvpool sp03 policy adaptive
eqcli > srvpool sp03 si sv4 weight 100
eqcli > cluster clC proto http ip 192.168.0.161 port 80 srvpool sp03
Note - In this procedure, we create all the clusters, servers, and server pools on the preferred primary Equalizer, assign a preferred peer to each cluster, and then rebalance to move the clusters to their preferred peer Equalizers.
f. Verify that the clusters have been configured into three failover groups:
3. Do the following on Eq-B:
a. Update the flags for peer Eq-B:
eqcli > peer Eq-B flags failover,active-active
b.
5. Do the following on Eq-D:
a. Update the flags for peer Eq-D:
eqcli > peer Eq-D flags failover,active-active
b.
d. On Eq-D, the peer status should now look like this:
If all peers sharing several failover groups are rebooted or powered on sequentially (first Eq-A, then Eq-B, etc.), the expected behavior is that one unit may become Primary for all failover groups, depending on the sequence in which the systems become active on the network. If this occurs, running the "rebalance" command will redistribute the failover groups to their preferred primary Equalizers.
Configuring N + 0 Failover with 4 Equalizers (CLI)

In this configuration, four Equalizers (Eq-A, Eq-B, Eq-C, and Eq-D) cooperate to provide high availability. They do not need to be the same models, and can include Equalizer OnDemand. They are configured with:
- 4 VLAN subnets
- 4 clusters: 1 preferred on each of Eq-A, Eq-B, Eq-C, and Eq-D
- 4 failover groups
1. Do the following on all four Equalizers:
a.
eqcli > hostname name
f. Set the timezone. Enter:
eqcli > timezone?
Locate your timezone in the displayed list and press "q" to quit out of the list. Then type in your timezone number and press Enter, as in this example for the "America/New York" time zone:
eqcli > timezone 161
g.
default settings:
eqcli > server sv2 proto tcp ip 172.16.0.170 port 80
eqcli > srvpool sp01 policy adaptive
eqcli > srvpool sp01 si sv2 weight 100
eqcli > cluster clA proto http ip 172.16.0.161 port 80 srvpool sp01
eqcli > server sv3 proto tcp ip 172.16.1.170 port 80
eqcli > srvpool sp02 policy adaptive
eqcli > srvpool sp02 si sv3 weight 100
eqcli > cluster clB proto http ip 172.16.1.161 port 80 srvpool sp02
eqcli > server sv4 proto tcp ip 192.168.0.
d. Create the peer definitions for the remote peers Eq-B, Eq-C, and Eq-D:
eqcli > peer Eq-B signature signature flags failover
eqcli > peer Eq-C signature signature flags failover
eqcli > peer Eq-D signature signature flags failover
Note - The signature for each remote peer can be displayed by logging into the CLI on that peer and executing "show peer name", where name is Eq-B, Eq-C, or Eq-D.
e.
eqcli > peer Eq-A signature signature flags failover,fo_config_xfer,preferred_primary
eqcli > peer Eq-C signature signature flags failover
eqcli > peer Eq-D signature signature flags failover
Note - The signature for each remote peer can be displayed by logging into the CLI on that peer and executing "show peer name", where name is Eq-A, Eq-C, or Eq-D.
4. Do the following on Eq-C:
a. Update the flags for peer Eq-C:
eqcli > peer Eq-C flags failover,active-active
b.
6. Check failover group status on each Equalizer:
a. On Eq-A, the peer status should now look like this:
b. On Eq-B, the peer status should now look like this:
c. On Eq-C, the peer status should now look like this:
d. On Eq-D, the peer status should now look like this:
After the above procedure is completed, the object configuration is synchronized to Eq-B, Eq-C, and Eq-D. All Equalizer objects will be visible in the CLI and GUI of all peers.
Chapter 23 Alerts

Sections within this chapter include:
Overview of Alerts 484
Alert Object Names 484
Alert Types and Object Types 484
Alert Notification Types 485
Configuring Alerts 486
Configuring an SMTP Relay in the CLI
Configuring Alerts in the CLI
Alert Notifications
Copyright © 2013 Coyote Point Systems. A subsidiary of Fortinet, Inc. All Rights Reserved.
Overview of Alerts

An alert is an administratively configured action that is executed whenever an event of a particular type occurs on a particular Equalizer object. For example, a user can be sent an email whenever a particular server is marked UP or DOWN by health check probes. Currently, Equalizer supports email alerts when a server or server instance state change event occurs. The alert system will be expanded to include more object types and events in future releases.
Alert Type | Object Type | When an alert is generated
exception | Peer | An alert is generated when Equalizer has received a heartbeat from a peer on a subnet on which it had previously lost contact.
exception | Peer | An alert is generated when failover is disabled because of a configuration mismatch.
exception | Peer | An alert is generated when a VLAN/subnet mismatch is detected; the alert reports the error.
3. snmp - SNMP traps enable an agent to notify a management station of significant events by way of unsolicited SNMP messages. Refer to "Setting Up SNMP Traps" on page 494 for additional information.
4. ui - The "ui" alert notification type is now supported for notifying users of an alert in the CLI.

Configuring Alerts

Alerts must currently be set up and managed using the CLI. Support for alerts in the GUI will be provided in a future release.
Configuring an SMTP Relay in the CLI

Email alerts require an SMTP relay in order to send email to the recipient specified in the alert definition. To set up an SMTP relay, you need to know:
- The SMTP server's IP address or Fully Qualified Domain Name (FQDN). If an FQDN is used, DNS must also be configured.
- The port on which the SMTP server accepts incoming mail (usually port 25).
Currently, Equalizer supports one SMTP relay.
Alert Parameters
name: A descriptive name for the alert.
object: The fully qualified name of the object to which the alert applies. Currently, this must be a server, server instance, or peer. See "Alert Types and Object Types" on page 484.
object_type: One of server, si (server instance), or peer.
alert_type: Currently, state_change is implemented.
notify_type: Currently supported are email and syslog.
eqcli user-tou*-alert-tes*> object testserver
eqcli user-tou*-alert-tes*> object_type server
eqcli user-tou*-alert-tes*> to user@example.com
eqcli user-tou*-alert-tes*> subject "Server status email from Eq450-100."
eqcli user-tou*-alert-tes*> commit

Peer Alerts

Setting an alert on a peer allows you to send email, log a message to the system log, or both, whenever a peer changes to Primary, Backup, or Standalone mode.
Welcome to Equalizer!
12000004: You have 2 pending alert notifications.
eqcli >
You can configure notifications, via the user alert_interval parameter, to be checked at a regular interval for the presence of pending notifications. If there are any pending notifications, they are displayed as shown above if:
1. The number of pending notifications has changed, and
2. You have not entered data at the command prompt. In this case, the pending notifications will be displayed after pressing ENTER.
Alert Name : al_switch
Object Type : interface
Object Name : swport01
Message : 50000197: Port 1 has become ACTIVE
eqcli >
To show the first notification matching one or more filters, enter:
eqcli > show notification first alert_type alerttype object_type objecttype object_name objectname
If object_name is specified, object_type must also be specified. The following is an example showing the state change for swport01 above.
eqcli > no notification id-number
Chapter 24 Using SNMP Traps

Sections within this chapter include:
Setting Up SNMP Traps
Setting Up an SNMP Management Station
Enabling SNMP
Enabling SNMP Traps
Creating Alerts for SNMP Traps
Setting Up SNMP Traps

The Simple Network Management Protocol (SNMP) is an internet standard that allows a management station to monitor the status of a device over the network. SNMP organizes information about Equalizer and provides a standard way to gather that information. Using SNMP requires:
- An SNMP agent running on the system to be monitored.
- A Management Information Base (MIB) database on the system to be monitored.
Setting Up an SNMP Management Station

An SNMP management station is not provided with Equalizer. In order to use SNMP to manage Equalizer, a third-party management console must be installed and configured on a machine that can access Equalizer. Configuration procedures are specific to the management console used. At a minimum, the SNMP management console needs to be configured to:
- Use Equalizer's IP address and port 161 for SNMP requests.
eqcli > show
Variable         Value
recv_timeout     2
conn_timeout     1
hb_interval      2
retry_interval   5
strike_count     3
icmp_interval    15
icmp_maxtries    3
hostname         Equalizer
date             Thu Sep 13 11:49:09 UTC 2012
timezone         UTC
locale           en
global services  http, https, ssh, fo_snmp, snmp, envoy, envoy_agent
name-servers     None
ntp-server       pool.ntp.org - Unavailable: name-server undefined
syslog-server    None
GUI logo         Coyote Point Systems Inc.
boot image       Equalizer Image B EQ/OS Version 10.0.
Enabling SNMP Traps

SNMP traps must first be enabled using the CLI. An SNMP trap address and port are required to enable the traps. Enter the following at the CLI prompt:
eqcli> snmp serverip ip serverport port
where ip is the SNMP trap server IP and port is the SNMP trap server port. The port is optional. If it is NOT entered, the default trap server port (162) will be used. Multiple trap servers can be defined if desired.
Setting an SNMP Trap alert enables the sending of SNMP trap messages to the SNMP management station whenever a peer state changes to Primary, Backup, or Standalone mode. Primary and Backup modes apply to Equalizer in a failover configuration. Standalone mode is the normal operational state for a single Equalizer not deployed in a failover pair when it is first booted.
Chapter 25 User and Group Management

Sections within this chapter include:
Best User and Group Management Practices 500
Object Permission Types 500
Required Task Permissions and Flags 501
Single and Multiple User Scenarios 506
Best User and Group Management Practices

When adding additional users and groups to your configuration, follow these guidelines to establish object permissions that will be effective and easy to manage: If you require multiple non-admin users in your configuration, it is preferable to first create all required objects (servers, server pools, clusters, etc.), and then create users with appropriate permissions to manage them.
Permission Type Descriptions

In addition to read permission, the user can modify existing objects, but cannot add new objects or delete existing objects. For global parameters, the user can update all global parameters (including parameters that are not already assigned a value). The user cannot, however, add or delete global objects (for example: logins, clusters, and responders).
Operation | Permissions Required | Flags Required
adding a GeoCluster | create geocluster |
adding a GeoSite | create geosite |
adding a GeoSite instance | write cluster_name, read geosite_name |
adding a GeoSite IP | write geosite_name |
adding a GeoSite resource | write geosite_name |
adding a match rule | write cluster_name, read srvpool_name, read responder_name |
adding an NTP server | | write_global
adding a peer | | write_global
adding a permit entry to a subnet | | write_global
adding a resp
Operation | Permissions Required | Flags Required
add/delete/modify group permit list | | admin
add/delete/modify user | | admin
add/delete/modify user permit list | | admin
deleting a certificate | delete certificate_name, write cluster_name |
deleting a cluster | delete cluster_name |
deleting a crl | delete crl_name, write cluster_name |
deleting a GeoCluster | delete geocluster_name |
deleting a GeoSite | delete geosite_name, write geocluster_name |
deleting a GeoSite instance | write geoclus
Operation | Permissions Required | Flags Required
deleting a peer, DNS server, NTP server, or syslog server | | write_global
displaying a certificate file | read certificate_name |
displaying a CRL file | read crl_name |
displaying a certificate | read certificate_name |
displaying a cluster | read cluster_name |
displaying a CRL | read crl_name |
displaying a file | | write_global
displaying a GeoCluster | read geocluster_name |
displaying a GeoSite | read geosite_name |
displaying a GeoSite instance | read
Operation | Permissions Required | Flags Required
displaying a number of subnet routes | read vlan_name |
displaying a peer | | read_global
displaying peer status | | read_global
displaying a responder | read responder_name |
displaying a server | read server_name |
displaying a server instance | read srvpool_name |
displaying a server pool | read srvpool_name |
displaying a subnet | read vlan_name |
displaying a subnet permit list | read vlan_name |
displaying subnet routes | read vlan_name |
dis
Operation | Permissions Required | Notes
modifying a subnet
admin (see note)
Note: A user can only change their own password, unless that user has the admin flag set.
- User "Touch_1" will be able to read, write, create and delete all of the servers, server pools and associated VLAN and subnets used on an Equalizer.
- User "Touch_2" will be able to read, write, create and delete all of the servers, server pools and associated VLAN and subnets used on the same Equalizer.
- Neither of the users will have any access at all to the other user's servers, server pools and associated VLAN and subnets.
permissions for cluster "Cl2". The next step is to add specific permissions on the Equalizer objects within each cluster for each user.

Object Permissions for Each User

Set up the object permissions for users "Touch_1" and "Touch_2". Use "Required Task Permissions and Flags" on page 501 as a guideline.
1. Create "read" and "write" permissions for user "Touch_1" on VLAN "vl1".
User Name : Touch_1
Duration : 3600
Flags :
Locale : en
Read Permissions :
  servers : test2, test1
  server pools : testserverpool1
  responders :
  VLANs : vl1
  geoclusters :
  geosites :
  users :
  certificates :
  CRLs :
  ports :
  clusters : Cl1
Write Permissions :
  servers : test2, test1
  server pools : testserverpool1
  responders :
  VLANs : vl1
  geoclusters :
  geosites :
  users :
  certificates :
  CRLs :
  ports :
  clusters : Cl1
Create Permissions :
  servers :
  server pools :
  responders :
  VLANs :
  geoc
  ports :
  clusters :
eqcli > show user Touch_2
User Name : Touch_2
Duration : 3600
Flags :
Locale : en
Read Permissions :
  servers : test3, test4
  server pools : testserverpool2
  responders :
  VLANs : vl2
  geoclusters :
  geosites :
  users :
  certificates :
  CRLs :
  ports :
  clusters : Cl2
Write Permissions :
  servers : test3, test4
  server pools : testserverpool2
  responders :
  VLANs : vl2
  geoclusters :
  geosites :
  users :
  certificates :
  CRLs :
  ports :
  clusters : Cl2
Create Permi
  servers : test3, test4
  server pools : testserverpool2
  responders :
  VLANs :
  geoclusters :
  geosites :
  users :
  certificates :
  CRLs :
  ports :
  clusters :
Chapter 26 Using Envoy

Sections within this chapter include:
Overview of Envoy® Geographic Load Balancing
Envoy Configuration Summary
DNS Configuration
Using Envoy with Firewalled Networks
Using Envoy with NAT Devices
Configuring GeoClusters
Adding a GeoCluster (GUI)
Deleting a GeoCluster (GUI)
Adding a GeoCluster (CLI)
Deleting a GeoCluster (CLI)
Viewing and Modifying GeoCluster Parameters (CLI)
Viewing and Modifying GeoCluster Parameters (GUI)
Configuring GeoSites
Adding
Overview of Envoy® Geographic Load Balancing

Geographic load balancing increases availability by allowing regional server clusters to share workload transparently, maximizing overall resource utilization. The Envoy® Geographic load balancer is an optional software add-on for the Equalizer product line that supports load balancing requests across servers in different physical locations or on different networks.
3. Configure the authoritative DNS server for your website's domain with DNS records for all Equalizers in the GeoCluster. The DNS server returns these records to clients in response to DNS requests to resolve the website (GeoCluster) name.

DNS Configuration

Every Web site is assigned a unique IP address. To access a website, a client needs to know what the site IP address is.
An example of a DNS zone file for this configuration is shown below. In this example, the systems ns1 and ns2 are assumed to be the authoritative name servers (master and slave) for the coyotepoint.com domain.
$TTL 86400
coyotepoint.com.      IN SOA ns1.coyotepoint.com. hostmaster.coyotepoint.com. (
                          0000000000 00000 0000 000000 00000 )
coyotepoint.com.      IN NS ns1.coyotepoint.com.
coyotepoint.com.      IN NS ns2.coyotepoint.com.
www.coyotepoint.com.  IN NS east.coyotepoint.com.
www.coyotepoint.com.
In the example above, we left the domain parameters as zeros, since these vary widely between DNS installations. Please see the documentation for the version of DNS that you are using for more information on the zone file content and format. Envoy also supports AAAA (also called "quad-A") records for IPv6 addresses.
Configuring GeoClusters

This section shows you how to add or delete a GeoCluster and how to configure a GeoCluster's load-balancing options. Configuring a GeoCluster and its sites is analogous to configuring a virtual cluster and its servers. There are two parts to configuring GeoClusters. The first is to add a GeoCluster and the second is to modify the GeoCluster parameters.

Adding a GeoCluster (GUI)

When Envoy is first enabled, there are no GeoClusters defined. To add a GeoCluster:
1.
1. Log in to the GUI (See "Logging In" on page 192).
2. Click on the GeoCluster on the left navigation pane. The figure below will be displayed:
3. View and modify parameters using the following guidelines:
FQDN: The GeoCluster name, which is the fully-qualified domain name (FQDN) of the GeoCluster (for example, www.coyotepoint.com). The FQDN must include all name components up to the top level (com, net, org, etc).
than other criteria.
Mail Exchanger FQDN: The fully qualified domain name (e.g., "mail.example.com") to be returned if Equalizer receives a "mail exchanger" request for this GeoCluster. The mail exchanger is the host responsible for handling email sent to users in the domain. This field is not required.
Responsiveness: This value controls how aggressively Equalizer adjusts the site's dynamic weights. Equalizer provides five response settings: slowest, slow, medium, fast, and fastest.
send a NULL response.] If only some GeoSites report failed triangulation, and there are others that did not fail and that are not down, then GeoSite selection will only include those sites that successfully completed ICMP triangulation. [This is the same as the Version 8.6 behavior.]

Adding a GeoCluster (CLI)

To add a GeoCluster using eqcli:
1. Log in to eqcli as described in "Starting the CLI" on page 128.
2.
3. Enter a GeoCluster Name in the space provided.
4. Enter a FQDN in the space provided. This is the Fully Qualified Domain Name of the GeoCluster (for example, www.coyotepoint.com). The FQDN must include all name components up to the top level (com, net, org, etc). Do not include the trailing period.
5. Click on Commit to add the GeoCluster. The new GeoCluster will appear on the left navigational pane as shown below.

Deleting a GeoCluster (GUI)

1.
1. Log in to eqcli as described in "Starting the CLI" on page 128.
2. Enter the following at the CLI prompt:
eqcli > no geocluster gcname

Viewing and Modifying GeoCluster Parameters (CLI)

To view and modify GeoCluster parameters using eqcli:
1. Log in to eqcli as described in "Starting the CLI" on page 128.
2.
GeoCluster (for example, www.coyotepoint.com). The FQDN must include all name components up to the top level (com, net, org, etc). Do not include the trailing period.
Three basic metrics are used by the policy to load balance requests among sites: the current load on the site, the initial weight setting of the site, and ICMP triangulation responses.
selected GeoSite. Those that follow will be any site which is up in the list of GeoSites.
When a request for name resolution is received by Envoy from a client's local DNS, this option (if enabled) tells Envoy to request network latency information from all sites in order to make load balancing decisions based on the proximity of each site to the client's DNS server. To do this, all Envoy sites send an ICMP echo request ("ping") to the client's DNS server.
Configuring GeoSites

In EQ/OS 10, GeoSites are defined separately (like Servers) and then added to GeoClusters as GeoSite Instances. This section describes how to add, delete and configure GeoSites and includes descriptions of the parameters used by GeoSites.

Adding a GeoSite (GUI)

To add a GeoSite using the GUI, proceed with the following:
1. Log in to the GUI (See "Logging In" on page 192).
2. Right-click on GeoSites on the left navigational pane and select Add GeoSite.
To add a GeoSite using eqcli:
1. Log in to eqcli as described in "Starting the CLI" on page 128.
2. Enter the following at the CLI prompt:
eqcli > GeoSite gsname req_cmds

Deleting a GeoSite (CLI)

To delete a GeoSite using eqcli:
1. Log in to eqcli as described in "Starting the CLI" on page 128.
2. Enter the following at the CLI prompt:
eqcli > no GeoSite gsname

Adding a GeoSite (GUI)

To add a GeoSite using the GUI, proceed with the following:
1.
Deleting a GeoSite (GUI)

To delete a GeoSite using the GUI, proceed with the following:
1. Log in to the GUI (See "Logging In" on page 192).
2. Right-click on a GeoSite on the left navigational pane and select Delete GeoSite.

Adding a GeoSite (CLI)

To add a GeoSite using eqcli:
1. Log in to eqcli as described in "Starting the CLI" on page 128.
2.
a. Using the GUI drag and drop functionality, click on a GeoSite on the left navigational pane and drag it to the desired GeoCluster on the tree. The GeoSite instance weight form will be displayed.
b. Right-click on a GeoCluster on the left navigational pane and select Add GeoSite Instance. The Add GeoSite Instance form will be displayed.
Dynamic site weights can vary from 50% to 150% of the assigned initial weights. To optimize GeoCluster performance, you might need to adjust the initial weights of the sites in the cluster based on their performance. Site weights can range from 10 to 200. When you set up sites in a GeoCluster, you should set each site's initial weight value in proportion to its capacity for handling requests. It is not necessary for all of the initial weights in a cluster to add up to any particular number.
6.
To remove a GeoSite instance from a GeoCluster using the GUI, proceed with the following:
1. Log in to the GUI (See "Logging In" on page 192).
2. Click on the GeoSite Instance on a GeoCluster branch on the left navigational pane and select Delete GeoSite Instance.

Adding and Configuring a GeoSite Instance (CLI)

To add and configure a GeoSite instance using eqcli, proceed with the following:
1. Log in to eqcli as described in "Starting the CLI" on page 128.
2.
where:
gclname is the name of the GeoCluster
gsi is the GeoSite instance
gsimaname is the name of the GeoSite instance.

Adding and Configuring a GeoSite Instance (GUI)

To add a GeoSite instance to a GeoCluster using the GUI, proceed with the following:
1. Log in to the GUI (See "Logging In" on page 192).
2. Refer to "Adding a GeoSite (GUI)" on page 527 or "Adding a GeoSite (CLI)" on page 528 to configure a GeoCluster.
3.
4. In both methods of creating GeoSite Instances, the GeoSite IP Address is required. This is the IP address returned by DNS to a client when the GeoCluster is accessed. For example, when a client opens www.coyotepoint.com, the local DNS server returns an A record that contains the IP address for www.coyotepoint.com. This is usually the address of an Equalizer cluster and in this case is also used as the resource IP.
Default: Designates this site as the default site for the GeoCluster. Envoy load balances to the default site whenever it cannot choose a site based on the GQP probe information it gets from the sites. This can happen, for example, when GQP probe responses are not received from any site, when the resource (cluster) is down at all available sites, etc. If no default site is selected for a GeoCluster and all sites are down, then Envoy sends a null response to the client DNS.
Name a GeoSite Resource (GUI)

1. Log in to the GUI (See "Logging In" on page 192).
2. Select a GeoSite from the left navigational pane.
3. Right-click on the GeoSite and select Add GeoSite Resource and the following will be displayed.
4. Enter a name for the Resource and click on Commit. The GeoSite Resource will appear on the left navigation pane as shown below.

Add a GeoSite Resource Instance to a GeoCluster (GUI)

1. Log in to the GUI (See "Logging In" on page 192).
2.
Name a GeoSite Resource (CLI)

1. Log in to eqcli as described in "Starting the CLI" on page 128.
2. Enter the GeoSite context and add the following at the CLI prompt:
eqcli > ga-gsname> resource clname
where clname is the cluster name at the GeoSite.

Add a GeoSite Resource Instance to a GeoCluster (CLI)

1. Log in to eqcli as described in "Starting the CLI" on page 128.
2.
3. Use the Resource Name drop-down list to select one of the previously defined GeoSite Resources.
4. Click on Commit to add the Resource Instance. It will be displayed on the left navigation tree as shown below.
Add a GeoSite Resource Instance to a GeoCluster (CLI)

1. Log in to eqcli as described in "Starting the CLI" on page 128.
2. Enter the GeoCluster context and enter the following at the CLI prompt:
eqcli > gcl-gclname> GeoSite gsname resource clname
where:
gclname is the GeoCluster name
gsname is the GeoSite name
clname is the name of the GeoSite Resource
Chapter 27 Backup and Restore

Sections within this chapter include:
Backup
Backup (GUI)
Backup (CLI)
Restore
Restore (GUI)
Restore (CLI)
Backup

The Backup feature allows you to back up an Equalizer's user-configured objects and parameters to a file that can be uploaded and later restored to another Equalizer. Backup files may be uploaded to an FTP site or saved locally. Backup features are available through the GUI and through eqcli.
Note - eqcli backup of an archive to a local directory is not supported.
4. In the Destination section, select either FTP URL to upload to an FTP site or Local File to save the file locally.
a. For FTP URL, you must type the full FTP URL path to the backup file, leaving off the file name. A terminating slash (/) is required. The italic text shown indicates the required URL format. Entry of an FTP URL will replace the italic text.
b.
If a unique local peer definition is found, the System ID found in the local peer definition is compared against the System ID being used by the running system. If they do not match (as in the case where a backup file from one Equalizer is being restored on another Equalizer), the configuration file is modified to reflect the System ID of the running system and the signature is re-generated. If they do match, the configuration is not modified.
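The restore-time check described above, as an added example that is not Equalizer's own code: it models the backup as a constructed key=value text, treats a peer with the "local" flag as the local peer definition, and uses a SHA-256 digest as a stand-in for the peer signature (the real archive format and signature scheme are not documented here and are assumed).

```python
import hashlib

# Constructed sample backup (assumed format: one key=value per line, not
# Equalizer's real archive layout). Eq-A is the local peer of the unit that
# produced the backup; Eq-B is a remote failover peer.
SAMPLE_BACKUP = """\
hostname=Eq-A
peer.Eq-A.system_id=SYS-AAAA-1111
peer.Eq-A.flags=local,failover
peer.Eq-A.signature=sig-a-original
peer.Eq-B.system_id=SYS-BBBB-2222
peer.Eq-B.flags=failover
peer.Eq-B.signature=sig-b-unchanged
"""


def parse_config(text):
    """Parse the constructed key=value format into an ordered dict."""
    cfg = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        cfg[key.strip()] = value.strip()
    return cfg


def dump_config(cfg):
    """Serialize the dict back to the same key=value layout."""
    return "".join(f"{key}={value}\n" for key, value in cfg.items())


def peer_signature(name, system_id):
    """Stand-in for the peer signature (assumption: digest of name and System ID).
    The point is only that the signature is bound to the System ID, so a
    changed System ID requires the signature to be regenerated."""
    return hashlib.sha256(f"{name}:{system_id}".encode()).hexdigest()[:16]


def local_peers(cfg):
    """Names of all peer definitions carrying the 'local' flag."""
    return [key.split(".")[1] for key, value in cfg.items()
            if key.startswith("peer.") and key.endswith(".flags")
            and "local" in value.split(",")]


def reconcile_system_id(config_text, running_system_id):
    """Apply the restore rule: with exactly one local peer definition, compare
    its System ID to the running system's; on mismatch rewrite the System ID
    and regenerate the signature. Returns (config_text, modified)."""
    cfg = parse_config(config_text)
    found = local_peers(cfg)
    if len(found) != 1:
        # No unique local peer definition: leave the archive untouched.
        return config_text, False
    name = found[0]
    sid_key = f"peer.{name}.system_id"
    if cfg.get(sid_key) == running_system_id:
        # Same unit the backup came from: nothing to modify.
        return config_text, False
    cfg[sid_key] = running_system_id
    cfg[f"peer.{name}.signature"] = peer_signature(name, running_system_id)
    return dump_config(cfg), True


if __name__ == "__main__":
    # Restore on the original unit: unchanged.
    _, changed = reconcile_system_id(SAMPLE_BACKUP, "SYS-AAAA-1111")
    print("same unit modified:", changed)
    # Restore on a different unit: System ID rewritten, signature regenerated.
    text, changed = reconcile_system_id(SAMPLE_BACKUP, "SYS-CCCC-3333")
    print("other unit modified:", changed)
    print(text)
```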
3. In the Restore section, select either FTP URL or Local File. For FTP URL, you must type the full path name (including the file name) into the text box. The italic text shown indicates the required format. Entry of an FTP URL will replace the italic text. When the Restore button is clicked, the file is downloaded from the specified FTP site and a popup displays a summary of the configuration in the archive.
   ftp://[user[:password]@]server[/path]

Note - You will be prompted to enter a password if it is not supplied in the URL.
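A parser for the FTP URL form shown above, written as an added example (it is not part of the guide or of Equalizer). It enforces the two rules the backup and restore steps state: a backup destination ends with a slash and omits the file name, while a restore source includes the file name. It also reports whether a password was embedded in the URL, since the appliance prompts for one when it is absent. The sample URLs are constructed, except the restore URL, which is the one used in the conversion procedure later in this guide.

```python
"""Validate ftp://[user[:password]@]server[/path] URLs for Equalizer backup
destinations and restore sources. Added example, not from the guide."""
from urllib.parse import unquote, urlsplit


def parse_equalizer_ftp_url(url: str, mode: str) -> dict:
    """Validate `url` for mode 'backup' (directory, trailing slash required)
    or 'restore' (full path including the backup file name) and return its parts.
    Raises ValueError when the URL does not fit the documented form."""
    if mode not in ("backup", "restore"):
        raise ValueError("mode must be 'backup' or 'restore'")
    parts = urlsplit(url)
    if parts.scheme != "ftp" or not parts.hostname:
        raise ValueError("expected ftp://[user[:password]@]server[/path]")
    path = parts.path or "/"                 # no path means the server's default directory
    filename = path.rsplit("/", 1)[-1]       # empty when the path ends with '/'
    if mode == "backup" and filename:
        raise ValueError("backup destination must end with '/' and omit the file name")
    if mode == "restore" and not filename:
        raise ValueError("restore source must include the backup file name")
    return {
        "user": unquote(parts.username) if parts.username else None,
        # A password may be embedded in the URL; when absent, Equalizer prompts for it.
        "password_supplied": parts.password is not None,
        "server": parts.hostname,
        "port": parts.port or 21,
        "directory": path if mode == "backup" else path[: len(path) - len(filename)],
        "filename": filename or None,
    }


if __name__ == "__main__":
    # Constructed backup destination (credentials embedded) and the guide's restore URL.
    print(parse_equalizer_ftp_url("ftp://admin:s3cret@backup.example.com/eq/", "backup"))
    print(parse_equalizer_ftp_url("ftp://10.0.0.10/os8backup.bkp", "restore"))
```

Leaving the password out of the URL and answering the prompt instead keeps it out of shell history and of any log that records the command line.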
Chapter 28 How to Use Regular Expressions

Sections within this chapter include:
Regular Expression Terms 548
Learning About Atoms 548
Creating a Bracket Expression 549
Escape Sequences 549
Matching in Regular Expressions 550
Using Regular Expressions in Match Rules 550
Using Regular Expressions in Responders 550
Using Regular Expressions with ACV 551
Regular Expression Terms

The terms in this section describe the components of regular expressions.
- A regular expression (RE) is one or more non-empty branches, separated by pipe symbols (|). An expression matches anything that matches one of the branches.
- A branch consists of one or more concatenated pieces. A branch matches a match for the first piece, followed by a match for the second, and so on.
- A single character with no other significance, which simply matches that character. Note that regular expressions are case-insensitive.
- An open brace ({) followed by a character other than a digit is an ordinary character, not the beginning of a bound.

It is illegal to end a regular expression with a backslash (\).

Creating a Bracket Expression

A bracket expression is a list of characters enclosed in brackets ([...]).
\\ matches a single backslash (\)
\b matches the beginning of a word (e.g.: \bex matches "example" but not "text")
\n, \r, \t, \v match whitespace characters
\', \" match single and double quotes

Matching in Regular Expressions

If a regular expression could match more than one substring of a given string, the regular expression matches the one starting earliest in the string.
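The terms above (branches, pieces, bracket expressions, the \b escape, case-insensitive matching and earliest-start matching) applied to match-rule style URI classification, as an added example that is not part of the guide. Python's re module stands in for the appliance's RE engine, with re.IGNORECASE supplying the case-insensitivity the text describes; the request lines and rule names are constructed for illustration, and how a given engine picks among alternatives of equal start may differ from Python's.

```python
"""Illustrate Equalizer RE terms with Python's re module. Added example;
rules, names and request lines are constructed, not from the guide."""
import re

# Constructed sample request lines, not captured from a real Equalizer.
SAMPLE_REQUESTS = [
    "GET /images/logo.PNG HTTP/1.1",
    "GET /Example/index.html HTTP/1.1",
    "GET /text/readme.txt HTTP/1.1",
    "POST /api/v1/login HTTP/1.1",
]

# Ordered match rules (name, RE), evaluated first to last like a rule list.
MATCH_RULES = [
    ("static_images", r"\.(png|jpe?g|gif)$"),   # branches joined by |, '?' makes a piece optional
    ("examples", r"\bex"),                       # \b: matches "example" but not "text"
    ("api_login", r"^/api/v[0-9]+/login$"),      # bracket expression [0-9] with a + bound
]


def request_uri(request_line: str) -> str:
    """Extract the request-URI from an HTTP request line."""
    return request_line.split(" ")[1]


def first_matching_rule(uri: str, rules=MATCH_RULES):
    """Return the name of the first rule whose RE matches anywhere in the URI,
    or None. Matching is case-insensitive, as the guide states for Equalizer REs."""
    for name, pattern in rules:
        if re.search(pattern, uri, re.IGNORECASE):
            return name
    return None


def earliest_match(pattern: str, text: str):
    """Return (start, matched_text) of the earliest-starting match, or None;
    re.search scans left to right, so the first hit is the earliest-starting one."""
    m = re.search(pattern, text, re.IGNORECASE)
    return (m.start(), m.group(0)) if m else None


def classify(requests=SAMPLE_REQUESTS) -> dict:
    """Map each sample URI to the rule that would select it."""
    return {request_uri(r): first_matching_rule(request_uri(r)) for r in requests}


if __name__ == "__main__":
    for uri, rule in classify().items():
        print(f"{uri:24} -> {rule}")
    print(earliest_match(r"\bex", "text example"))   # boundary before "example", not inside "text"
```

Note that "/text/readme.txt" matches none of the rules even though it contains "ex": the boundary escape requires "ex" to start a word, exactly as the \bex example in the escape-sequence table says.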
Using Regular Expressions with ACV

TBD
Appendix A Physical Dimensions

Sections within this chapter include:
Physical Dimensions
Physical Dimensions

The following are the physical dimensions of the E370LX Equalizer as well as the GX series Equalizer.

Model             Weight            Height     Width      Depth
E370LX            15.4 lbs. (7kg)   1.75 in.   17 in.     12 in.
E250GX            7 lbs. (3.2kg)    1.75 in.   17.25 in.  10.5 in.
E350GX            14 lbs. (6.4kg)   1.75 in.   17.25 in.  15.5 in.
E450GX / E650GX   15 lbs. (6.8kg)   1.75 in.   17.25 in.  15.5 in.
Appendix B Using the File Editor

Sections within this chapter include:
Editing Files
Editing Files

Files from the data store, for example, can be edited using the files edit command in the CLI, which opens the "ee" editor. The most common use of this feature is to edit CLI scripts, which can then be executed using the run_script command, but there are other uses as well. You can edit existing files; however, you cannot create and save new files to the data store. (Use the files download command to place a new file into the data store.)
Main and Submenu Commands

a) leave editor: Leaves the ee editor. You will be prompted to save changes before exiting.
b) help: Displays a complete list of Control Keys and Commands.
c) file operations: Displays a submenu of commands that includes:
   - read a file, write a file and print editor contents: all restricted and not available
   - save file: saves the changes that you made to the file
d) redraw screen: Redraws the open screen.
f) search: Opens a search submenu with 2 options:
   a) search for: prompts you to enter search term(s)
   b) search: [not available]
g) miscellaneous: Displays the following miscellaneous menu:
Appendix C Version 8.6 to 10.0 Configuration Converter

Sections within this chapter include:
EQ/OS 8.6 to EQ/OS 10 Configuration Conversion Process
EQ/OS 8.6 to EQ/OS 10 Configuration Conversion Process

EQ/OS 8.6 and EQ/OS 10 configuration files are not compatible. It is not possible to simply copy an older configuration to a new installation during the upgrade process, as is done when upgrading from one 8.6 version to another 8.6 version, or from one 10 version to another 10 version. The reason for this is that the two versions use different operating systems and cannot read each other's file systems.
Servers
Added as global server objects and server instances within server pools. The Server VID is now deprecated, and servers are automatically considered to be part of a particular subnet, based on their IP address. If using multi-netting with servers, start with the converted configuration and then modify it by adding an additional subnet in a VLAN to achieve the multi-netting desired.

Outbound NAT is configured differently now.
EQ/OS 10 uses Server Pools that contain Server Instances. When migrating to EQ/OS 10, a Server Pool will be created using the cluster-server details described. A server instance (si) will be created for the new EQ/OS 10 server and assigned to a new cluster.
1. Create a backup of the Version 8.6 system. Refer to the Equalizer Administration Guide for version 8.6 for instructions.
2. Upgrade your version 8.6 system to version 10. Refer to "Version 8.6 Upgrade Procedure" on page 58 for instructions.
3. Upload the EQ/OS 8 backup file onto the system:

   eqcli > files download [URL or Path to *.bkp file]

   For example:

   eqcli > files download ftp://10.0.0.10/os8backup.bkp

4.
   eqcli: 12020315: Processing line 2: server otherserver ip 3.4.5.6 port 81 proto tcp
   eqcli: 12000287: Operation successful
   eqcli: 12020318: All commands processed successfully.
   eqcli >

6. If the script completes successfully, you can continue using the system as normal. You may need to install certificates first.
7.
The EQ/OS 8.6 backup file can be uploaded either from a URL or FTP server or from a local directory. Proceed with either step 5 or step 6 depending on the location of your backup file. After selecting a file using either method described in steps 5 and 6, proceed with step 7.

5. To upload from a URL or FTP Server:
   a. Click on the FTP URL option and enter the FTP location or URL in the space provided.
   b. Click on Continue to upload the file.
8. After clicking on Run, the script is executed on Equalizer. If no errors occur and the script runs to completion, a Configuration Complete message will be displayed. If an error occurs, a Correct Error and Continue screen will be displayed, which is the same as the Verify and Run Script screen except that it opens at the line at which the error occurred, as indicated by the error message.
   a.
Appendix D Equalizer OnDemand

Sections in this chapter include:
What is Equalizer OnDemand? 568
Differences from Equalizer Hardware 568
Adding Ports on VM Workstation
Installing and Upgrading Equalizer OnDemand
VMware Host Requirements
Installing Equalizer OnDemand Using OVF
Installing Equalizer OnDemand from a ZIP file
Licensing Equalizer OnDemand
Upgrading Equalizer OnDemand
What is Equalizer OnDemand?

Equalizer OnDemand™ is a software-based virtual appliance that operates as an integral part of the virtual infrastructure model. Equalizer OnDemand is deployed as a single virtual server instance dedicated to load balancing and managing the application delivery needs of your business. The EQ/OS 10 platform on which Equalizer OnDemand is built drives the robust application traffic management capabilities of the Virtual Equalizer.
3. Equalizer OnDemand is delivered with no serial console configured because this requires additional configuration by the user. A serial console can be added by editing the Virtual Machine settings. See your VMware product documentation for more information.

Adding Ports on VM Workstation

When adding an interface using VM Workstation (a.k.a. VM Player), you are not given the option to choose the type of network adapter added.
line (highlighted in green) that indicates the network interface device type. The text highlighted in yellow is what VMware added to the file for the third interface. Note that there is no virtualDev line in this set of properties that indicates the interface type. This line needs to be added for the interface to work on Equalizer OnDemand.
5. The text below shows what the "ethernet2." set of properties should look like after editing:
6. Save your edits to the file.
7.
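The .vmx edit described above, scripted as an added example (this is not from the guide or from VMware). The guide's screenshot of the device-type line is not reproduced here, so the script does not hard-code a device type: it copies the virtualDev value from an interface that already has one (assumed to be ethernet0, the working first interface) onto the interface that lacks it. The .vmx excerpt below is constructed, including its "e1000" device type, purely so the script has something to run on.

```python
"""Add a missing <iface>.virtualDev line to a VMware .vmx file by copying the
device type from a working interface. Added example; sample .vmx is constructed."""
import re

# Constructed .vmx excerpt: ethernet0 carries a virtualDev line, ethernet2
# (added by VM Workstation, as in the guide's screenshot) does not.
SAMPLE_VMX = '''\
ethernet0.present = "TRUE"
ethernet0.virtualDev = "e1000"
ethernet0.connectionType = "bridged"
ethernet2.present = "TRUE"
ethernet2.connectionType = "nat"
ethernet2.addressType = "generated"
'''

# .vmx lines have the form   key = "value"
KEY_RE = re.compile(r'^\s*([\w.:]+)\s*=\s*"(.*)"\s*$')


def parse_vmx(text: str) -> dict:
    """Return the key/value pairs of a .vmx file; non-matching lines are ignored."""
    entries = {}
    for line in text.splitlines():
        m = KEY_RE.match(line)
        if m:
            entries[m.group(1)] = m.group(2)
    return entries


def add_virtual_dev(text: str, iface: str, template_iface: str = "ethernet0") -> str:
    """Return `text` with `<iface>.virtualDev` added (after the interface's last
    property) when it is missing, copying the device type from `template_iface`.
    Returns the text unchanged if the line already exists; raises ValueError when
    the template interface has no virtualDev or `iface` has no properties at all."""
    entries = parse_vmx(text)
    key = f"{iface}.virtualDev"
    if key in entries:
        return text
    template_key = f"{template_iface}.virtualDev"
    if template_key not in entries:
        raise ValueError(f"{template_key} not found; cannot determine the device type")
    lines = text.splitlines()
    # Keep the interface's properties together by inserting after its last line.
    last = max((i for i, line in enumerate(lines) if line.startswith(iface + ".")), default=None)
    if last is None:
        raise ValueError(f"no properties for {iface} found")
    lines.insert(last + 1, f'{key} = "{entries[template_key]}"')
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(add_virtual_dev(SAMPLE_VMX, "ethernet2"))
```

Run it against a copy of the .vmx while the VM is powered off, then diff the copy against the original before replacing it; the function is idempotent, so re-running it after the line exists changes nothing.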
VMware vSphere or vCenter Clients

VMware ESX and ESXi servers are managed using either the vSphere or vCenter management clients. If you are using either of these products, the OVF can be installed directly from the FTP site following the directions below.
1. Open the vSphere or vCenter client.
2. If your client has Internet access, do the following; otherwise go to the next step.
   a. Select File > Deploy OVF Template.
   b.
   h. The VMDK file for the OVF is now downloaded from the local directory. When it is done, the EqualizerOnDemand VM should appear in your inventory.
4. The first time you start Equalizer OnDemand, log in to the CLI on the VM console using the touch login (default password is touch). We recommend that you immediately change the default password for the touch login.
   eqcli > user touch password

VMware Player and VMware Fusion

Besides running on dedicated hardware with the VMware ESX operating system, VMware can also run on Windows and Mac computers. VMware Workstation and VMware Player are Windows-based hypervisors, while VMware Fusion is the Mac version. After installing one of these products, follow these instructions to add the Equalizer OnDemand VM into either of these products.
1. Copy the ZIP file onto your Windows or Mac host.
- In the CLI, enter:

  eqcli > version

- In the GUI, the System ID is shown on the Welcome screen that is displayed when you log in.
4. Register your copy of Equalizer OnDemand on the Coyote Point Registration site.
   a. Go to: http://www.coyotepoint.com
   b. Click Support > Register Your Product to open the registration form.
   c. Enter your System ID and your system Serial Number (see the Note above).
   d. Click Continue.
   e. Follow the prompts to complete registration.
5.
found in the section "Configuring VLANs" on page 100.
   d. Confirm you can reach the default route gateway using the ping command:

      eqcli > ping ip_addr

      Use the default route IP address supplied for the subnet, above.
   e. License the system:

      eqcli > license get

      Equalizer connects to the Coyote Point license server and automatically downloads a license. Your system is now licensed and you can skip the next step.
6. To license your system offline, do the following:
   a.
Glossary

6

6in4
6in4 is an Internet transition mechanism for migrating from Internet Protocol version 4 (IPv4) to IPv6.

A

Access Control Lists (ACLs)
Refers to rules that are applied to port numbers or network daemon names that are available on a host or other layer 3 device, each with a list of hosts and/or networks permitted to use the service.

active connection count
Shows the number of connections currently active on the server.
administration address
The IP address assigned to Equalizer on any VLAN. Access to Equalizer can be configured for each VLAN.

administration interface
The browser-based interface for setting up and managing Equalizer.

affinity
Affinity is a technique that enables the load balancer to remember which balanced server was chosen for a certain client at its initial request. Subsequent requests are then directed to the same server again.
backup Equalizer
The backup unit in a failover pair of Equalizers. The backup unit constantly monitors the health of the active (primary) unit, and replaces the primary unit in the event that the primary becomes unavailable. See hot backup and primary Equalizer.

bound
A character that represents the limit of part of a regular expression.

bracket expression
In a regular expression, a list of characters enclosed in brackets ([...]).
cookie header
One of Equalizer's supported headers, a cookie header is an HTTP data string previously sent by a server that is stored in Equalizer for future routing.

cookie persistence
In cookie-based persistence, Equalizer "stuffs" a cookie into the server's response header on its way back to the client. This cookie uniquely identifies the server to which the client was just connected. The client includes (sends) the cookie in subsequent requests to the Equalizer.
the network infrastructure so that configuration and routing protocols handle both IPv4 and IPv6 addressing.

dynamic weight
The weight that Equalizer assigns to a particular server during operation. See server weight, initial weight, and weight.

E

echo
An IP address-port pair that identifies the start or end of an address; a value that ends a process.
firewall
A set of security programs, located at a network gateway server, which protects the network from any user on an external network. See gateway.

FQDN
See Fully Qualified Domain Name (FQDN).

FTP
File Transfer Protocol; rules for transferring files from one computer to another.

FTP cluster
A virtual cluster providing service on the FTP control port (port 21). See cluster and virtual cluster.
hub
A device that joins all the components attached to a network.

I

ICMP
Internet Control Message Protocol. Used by operating systems of networked computers to send error messages indicating that a requested service is not available or that a host or router could not be reached.

ICMP echo request
The act of repeating a stream of characters (for example, echoing on the computer screen characters as a user types those characters). See ping. See also echo.
packet, and TCP/IP.

IP address
A 32-bit address assigned to a host using TCP/IP. IP addresses are written in dotted decimal format, for example, 192.22.33.1.

IPv4
Internet Protocol version 4 (IPv4) is the fourth revision in the development of the Internet Protocol (IP) and the first version of the protocol to be widely deployed. Together with IPv6, it is at the core of standards-based internetworking methods of the Internet.
is a more performant protocol which does not protect data from all the issues described above. It is, however, more useful for time-sensitive data, so it is commonly used for audio, video and... DNS

L7
See Layer 7.

L7 Load Balancing
Layer 7 refers to the "application layer"; that is, data embedded within the part of the data packet which is not TCP or IP header information.
specify that if a page is requested which is company-internal only and the client is not on the local network, to drop the request (or hand out a denied response).

Multi-gateway
A dedicated 0/0 gateway for every IP network defined on Equalizer.

Multi-netting
Adding multiple layer 3 IP networks to a single layer 2 environment (VLAN, interface).

MX exchanger
Mail exchanger; a fully qualified domain name to be returned if a server receives a mail exchanger request.
P

packet
A group of data that is transmitted as a single entity.

passive FTP connection
An Equalizer option that rewrites outgoing FTP PASV control messages from the servers so that they contain the IP address of the virtual cluster rather than that of the server. See FTP and PASV.

PASV
Passive mode FTP; a mode with which you can establish FTP connections for clients that are behind firewalls. See firewall, FTP, and passive FTP connection.
port
The abstraction used by Internet transport protocols to distinguish among multiple simultaneous connections to a single destination host.

port grouping
Refers to the configuration of a load balancer with a list of application ports that must be treated as one group.

port number
The number used to identify a service contact port, such as HTTP port 80.

Port-Address Translation (PAT)
PAT is inherent in load balancers and refers to translating the port number in TCP/UDP packets.
redirection
The process of receiving input from or sending output to a different resource than usual.

regular expression (RE)
One or more non-empty branches, separated by pipe symbols (|). An expression matches anything that matches one of the branches. See atom, branch and piece.

request packet
A packet that contains information that requests a response. See packet and response packet.
RST
Refers to the TCP protocol's reset command, which instructs a device to end a connection.

S

Secure Sockets Layer (SSL)
A protocol that enables secure communication between two hosts, using data encryption and authentication.

server
A computer or application that controls access to a network and its associated devices and applications. A server communicates with one or more clients as well as other servers.
session
A logical connection between a server and a client that may span a series of individual client requests and server responses (i.e., transactions). Depending on the application, a session may also span multiple client-server connections as well as transactions. Session data is typically maintained using cookies inserted into client requests and server responses, by Equalizer, servers, or both. Session data may also be maintained on clients and servers.
sticky connection
A Layer 4 connection in which a particular client remains connected to the same server to handle subsequent requests within a set period of time. Sticky connections are managed on Equalizer using sticky records, which record the server-client connection details; sticky records expire according to the configured sticky timer setting.

sticky network aggregation
Basically, this is server affinity determined by a network mask at Layer 4.
T

TCP
Transmission Control Protocol; the rules for the conversion of data messages into packets. TCP provides See ISO/OSI model, Layer 4, packet, transport layer.

TCP Probes
These are Server Health Checks. In a TCP health check, Equalizer attempts to open a TCP connection to a server and determines whether the server accepts it.
virtual server address
An IP address that is aliased to a physical server that has its own, separate IP address. See virtual web server.

virtual web server
Software that imitates HTTP server hardware. A virtual web server has its own domain name and IP address. See domain name, HTTP, IP address, server, and virtual server address. See also authoritative name server, backend server, name server, physical server, and proxy server.

VLAN
See Virtual Local Area Network.