Fortinet Document Library

Version: 5.3.0

Important notes

Heed the following important notes when integrating FortiADC with OpenStack:

  • When configuring the Monitor Details of the Load Balancer in OpenStack, make sure that the value for Timeout is less than the value for Interval for FortiADC.
  • If the interfaces of a FortiADC instance have changed in OpenStack, you must enable "retrieve_physical_hwaddr" on the physical ports in the CLI, and then reboot your FortiADC appliance. This allows FortiADC to update the MAC addresses of the physical ports.
  • FortiADC does not support "SOURCE_IP" as "lb_algorithm" and will use the default RR instead.
  • You cannot create a virtual server if "fadc_vs_persistency" in fadc_lbaas.ini is not supported for the virtual server profile.
  • FortiADC and OpenStack lbaas have different value ranges:
      • Connection limit starts from -1 in lbaas, but from 0 in FortiADC. Setting lbaas to 0 or -1 will set FortiADC to 0.
      • Pool Member weight is 0–256 in lbaas, but 1–256 in FortiADC. FortiADC will not change the current weight when trying to configure weight 0.
      • The delay and timeout range in FortiADC is 1–3600, and the timeout value must be less than the interval. There is no such limit in lbaas.
  • After HA is enabled, FortiADC in OpenStack cannot be accessed. This is because OVS has a MAC spoofing protection table (see https://docs.openstack.org/dragonflow/latest/specs/mac_spoofing.html/). By default, OVS on ESXi allows MAC spoofing. As a result, FortiADC has a service access restriction on each port. To get HA or a virtual server to work, do either of the following:
      • Add a forged MAC or IP address pair. See http://superuser.openstack.org/articles/implementing-high-availability-instances-with-neutron-using-vrrp/.
      • Disable port security on the port or the whole network. See http://kimizhang.com/neutron-ml2-port-security/.
  • By default, 'retrieve_physical_hwaddr' is not enabled in FortiADC. If network ports are changed in the OpenStack VM, you must use the console and enable the setting on the changed FortiADC ports manually.
  • After you have deployed FortiADC in OpenStack and added a data disk to it, you must reboot it to update its hardware information.
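
The value-range and "lb_algorithm" notes above can be checked before a configuration is pushed. The following is an added example, not Fortinet or OpenStack code: the function names, dictionary keys and sample values are assumptions for illustration, and "delay" is taken to be the LBaaS name for the monitor interval.

```python
# Added example: pre-flight check of LBaaS values against the FortiADC
# limits listed in the notes above. All names here are illustrative.

FADC_TIME_MIN, FADC_TIME_MAX = 1, 3600   # delay/timeout range on FortiADC
LBAAS_WEIGHT_MAX = 256

def effective_connection_limit(lbaas_limit):
    """LBaaS starts at -1, FortiADC at 0; both -1 and 0 become 0."""
    if lbaas_limit < -1:
        raise ValueError("connection limit below the LBaaS minimum of -1")
    return max(lbaas_limit, 0)

def effective_weight(lbaas_weight, current_fadc_weight):
    """Weight 0 is valid in LBaaS but leaves the FortiADC weight unchanged."""
    if not 0 <= lbaas_weight <= LBAAS_WEIGHT_MAX:
        raise ValueError("weight outside the LBaaS range 0-256")
    return current_fadc_weight if lbaas_weight == 0 else lbaas_weight

def effective_algorithm(lb_algorithm):
    """SOURCE_IP is not supported; FortiADC uses its default RR instead."""
    return "RR" if lb_algorithm == "SOURCE_IP" else lb_algorithm

def monitor_problems(delay, timeout):
    """Return the reasons a health monitor would violate FortiADC limits."""
    problems = []
    for name, value in (("delay", delay), ("timeout", timeout)):
        if not FADC_TIME_MIN <= value <= FADC_TIME_MAX:
            problems.append(f"{name}={value} outside 1-3600")
    if timeout >= delay:
        problems.append(f"timeout={timeout} not less than interval={delay}")
    return problems

def preflight(cfg, current_fadc_weight=1):
    """Summarise how an LBaaS config would land on FortiADC."""
    return {
        "connection_limit": effective_connection_limit(cfg["connection_limit"]),
        "weight": effective_weight(cfg["weight"], current_fadc_weight),
        "lb_algorithm": effective_algorithm(cfg["lb_algorithm"]),
        "monitor_problems": monitor_problems(cfg["delay"], cfg["timeout"]),
    }

# Constructed sample input, not taken from a real deployment.
SAMPLE = {"connection_limit": -1, "weight": 0, "lb_algorithm": "SOURCE_IP",
          "delay": 5, "timeout": 5}
```

Calling `preflight(SAMPLE, current_fadc_weight=10)` shows three silent differences (limit, weight, algorithm) and one monitor setting that breaks the timeout-less-than-interval rule.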

 
