Kiyoshi Kodama, SE Japan 07-Oct-2008

1 Fortinet Japan internal test (Confidential): Does IPS load balancing work with an HA A-A configuration?

2 Fortinet Confidential IPS load-balance with HA A-A
Contents
Test purpose: I received a question from a partner that the FortiGate product does not support the IPS load-balance feature with an HA A-A configuration. I would like to run an evaluation test to clear up that point for them for a government project.
Configuration: 2 x FortiGate 60B, v3.00,build0726 (MR7), NAT mode. The client PC connects to the DMZ port; the target server connects to the WAN1 port.
Test scenario: Set up the HA A-A configuration. Enable the IPS and logging features with a Protection Profile. Enable the Protection Profile on the firewall policy. Install nmap (a port-scan tool) on the client PC. Run nmap to send burst packets to a "single" target server through the FGT. Check the HA status, and also take a look at the attack log on the FGT.

3 Set up the HA A-A configuration
Network diagram: PC-1 on the DMZ side (DMZ: x), the target server on the WAN1 side (WAN1: x), with the Master and Slave FortiGate units in between.

4 Enable the IPS and logging features with a Protection Profile.
*You need to create an IPS profile under the Intrusion Protection menu before you can select it here.

5 Enable the Protection Profile on the firewall policy.

6 Before starting the test, let's check the Intrusion Detection counter on the web UI.

7 Launch the nmap tool on the client PC. Enter the target IP address, select a scan profile, and click the Scan button to run. Wait for the port scan to finish; it takes a couple of minutes.

8 Confirm that the nmap process has stopped. Go to the HA status menu to check the Intrusion Detection counter. It seems that 6 sessions were handled by the slave device, but the master device's IPS counter was not the same as the slave's. Why? Let's look at the attack log.
(Screenshots: Master, Slave)

9 Go to the attack log on both the Master and Slave devices. It seems that TCP traffic is load balanced (6 each), but UDP traffic is not.
Master: TCP traffic (6), UDP traffic (3). Slave: TCP traffic (6).

10 HA Guide v3.0 MR5: "The primary unit receives all network traffic. All UDP, ICMP, multicast, and broadcast traffic is processed by the primary unit. The primary unit load balances virus scanning traffic, or optionally all TCP traffic and virus scanning traffic, among all cluster units."
I see... TCP traffic is load balanced across the Master and Slave devices, but UDP traffic is not. That is why the numbers differ. OK, let's send out TCP traffic only and see how the FGT handles it. Please see the next slide.
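As an added example (not part of the original slides), a small Python checker that applies the HA Guide rule above to attack-log records: it counts sessions per cluster unit and protocol and reports whether TCP was spread across units while UDP stayed on the primary. The log lines and the field names devname and proto are constructed for this example, not real FortiGate output.

```python
import shlex
from collections import Counter, defaultdict

# Constructed FortiOS-style attack-log lines for this example (field names
# devname/proto and all values are assumptions, not captured device output).
SAMPLE_LOG = """\
date=2008-10-07 time=10:01:02 devname=FGT-Master proto=6 attack="port scan"
date=2008-10-07 time=10:01:02 devname=FGT-Slave proto=6 attack="port scan"
date=2008-10-07 time=10:01:03 devname=FGT-Master proto=6 attack="port scan"
date=2008-10-07 time=10:01:03 devname=FGT-Slave proto=6 attack="port scan"
date=2008-10-07 time=10:01:04 devname=FGT-Master proto=17 attack="udp scan"
date=2008-10-07 time=10:01:04 devname=FGT-Master proto=17 attack="udp scan"
"""

PROTO_NAMES = {1: "ICMP", 6: "TCP", 17: "UDP"}
# Per the HA Guide, these are always processed by the primary unit.
PRIMARY_ONLY = {"UDP", "ICMP"}

def parse_kv(line):
    """Split one key=value log line into a dict; shlex keeps quoted values whole."""
    return dict(tok.split("=", 1) for tok in shlex.split(line) if "=" in tok)

def count_by_unit(log_text):
    """Return {protocol: Counter(devname -> sessions)} for a dump of log lines."""
    counts = defaultdict(Counter)
    for line in log_text.splitlines():
        if line.strip():
            rec = parse_kv(line)
            proto = PROTO_NAMES.get(int(rec["proto"]), rec["proto"])
            counts[proto][rec["devname"]] += 1
    return counts

def check_distribution(counts, primary):
    """Return {protocol: (ok, detail)}: TCP must be on >1 unit, UDP/ICMP only on the primary."""
    results = {}
    for proto, per_unit in counts.items():
        units = set(per_unit)
        if proto in PRIMARY_ONLY:
            ok = units == {primary}
            detail = "primary only" if ok else f"seen on {sorted(units)}"
        else:
            ok = len(units) > 1
            detail = f"split {dict(per_unit)}" if ok else f"all on {sorted(units)}"
        results[proto] = (ok, detail)
    return results

if __name__ == "__main__":
    for proto, (ok, detail) in check_distribution(count_by_unit(SAMPLE_LOG), "FGT-Master").items():
        print(f"{proto:4} {'OK' if ok else 'NOT OK'}: {detail}")
```

Feeding it the real attack logs from both units would reproduce the slide-9 result (TCP split, UDP only on the master) as a pass rather than a surprise.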

11 The FGT does load-balance TCP traffic (5 each).
(Screenshots: Master, Slave)

12 Go to the attack log on both the Master and Slave devices. TCP traffic is load balanced by the FGT; it is very clear to me.
Master: TCP traffic (5). Slave: TCP traffic (5).

13 Summary
The FGT does support IPS load balancing with an HA A-A configuration for TCP traffic (AV traffic as well). The partner and customer will be clear about this point.

14 Configuration points for this test
Enable the load-balance feature through the CLI:
    config sys ha
        set load-balance-all enable
The traffic is handled by the weighted round-robin method; to configure it:
        set schedule weight-round-robin
The weighted round-robin load-balancing weight to assign to each cluster unit, e.g.:
        set weight 0 1 …. 10 1
    end
Need more information? Please refer to the HA Guide.

15 Thank you