Fortinet Document Library

CLI Reference

config load-balance clone-pool

Use this command to create a new clone-pool, and to configure clone pool members inside it.

Syntax

config load-balance clone-pool
    edit <name>
        config pool_member
            edit <name>
                set mode <mirror-dst-mac-update/mirror-interface/mirror-ip-update/mirror-src-dst-mac-update/mirror-src-mac-update>
                set destination-interface <port>
                set destination-mac <xx:xx:xx:xx:xx:xx>
            next
        end
    next
end

Clone Pool

name

Specify a unique clone pool name.

Pool Member

name

Specify a unique pool member name.

Note: A pool member is a clone server, so this name is essentially the name you give to the clone server.

interface

Select the interface (port) FortiADC uses to send out packets to the clone server.

mode

The headers of duplicated packets need to be updated when they are sent to monitor servers. Each mode rewrites a different set of header fields. Select one of the following:

  • Mirror Interface—This mode does not change the packet header at all. It is the most commonly used mode: the monitor does not inspect the packet content or payload, it only measures how much data is passing and counts the bytes. The original Layer 2 Destination Address (DA) and Source Address (SA) and the Layer 3 IP addresses are left intact. In this mode the FortiADC simply sends the packets "as is" out of the specified interface.
  • Mirror Destination MAC Address Update—This mode uses Layer 2 forwarding. For each incoming packet, the FortiADC replaces the destination MAC address with the specified destination MAC address. It is preferred when connecting the FortiADC directly to end devices such as an IDS.
  • Mirror Source MAC Update—This mode replaces the source MAC address of the incoming packet with the MAC address of the specified FortiADC interface. This option is recommended where leaving the source MAC address unchanged could cause a loop.
  • Mirror Source Destination MAC Update—This mode replaces both the source and destination MAC addresses at Layer 2, but does not change the Layer 3 IP addressing information.
  • Mirror IP Update—This mode replaces the incoming packet's IP address with the specified IP address and then forwards the duplicated packet to those servers. This mode may also change the Layer 4 source and destination ports: if the virtual server port is set to a specific value rather than the wildcard port 0, the Layer 4 destination port of the duplicated packets is changed to that value. This option is recommended for scenarios in which the monitor servers are not directly connected to the FortiADC.
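To make the five modes concrete, here is an added Python model (not FortiADC code) of what each mode does to a duplicated packet's header fields, plus a check for the configuration state the Example below shows right after `edit`, where destination-mac is still 00:00:00:00:00:00. The Frame layout, the assumption that Mirror IP Update rewrites the destination IP, and all sample values are constructed for illustration.

```python
import re
from dataclasses import dataclass, replace

# The five values the "set mode" syntax on this page accepts.
MODES = ("mirror-interface", "mirror-dst-mac-update", "mirror-src-mac-update",
         "mirror-src-dst-mac-update", "mirror-ip-update")
MAC_RE = re.compile(r"^([0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2}$")

@dataclass(frozen=True)
class Frame:
    """Constructed, minimal view of the header fields the modes may rewrite."""
    dst_mac: str
    src_mac: str
    dst_ip: str
    dst_port: int

def clone(frame, mode, dst_mac="", adc_mac="", monitor_ip="", vs_port=0):
    """Return the duplicated frame as the given clone-pool mode would emit it.
    adc_mac = FortiADC egress MAC; monitor_ip assumed to replace the dst IP."""
    if mode == "mirror-interface":
        return frame                       # header sent "as is"
    if mode == "mirror-dst-mac-update":
        return replace(frame, dst_mac=dst_mac)
    if mode == "mirror-src-mac-update":
        return replace(frame, src_mac=adc_mac)
    if mode == "mirror-src-dst-mac-update":
        return replace(frame, dst_mac=dst_mac, src_mac=adc_mac)
    if mode == "mirror-ip-update":
        out = replace(frame, dst_ip=monitor_ip)
        if vs_port != 0:                   # only rewritten when VS port is not wildcard 0
            out = replace(out, dst_port=vs_port)
        return out
    raise ValueError(f"unknown mode {mode!r}")

def validate_member(mode, destination_interface, destination_mac):
    """Flag settings that leave a pool member unable to deliver mirrored packets,
    e.g. the all-zero destination-mac that 'get' shows right after 'edit'."""
    problems = []
    if mode not in MODES:
        problems.append(f"unknown mode {mode}")
    if not destination_interface:
        problems.append("destination-interface is empty")
    if mode in ("mirror-dst-mac-update", "mirror-src-dst-mac-update"):
        if not MAC_RE.match(destination_mac):
            problems.append("destination-mac is not xx:xx:xx:xx:xx:xx")
        elif destination_mac == "00:00:00:00:00:00":
            problems.append("destination-mac is still the default 00:00:00:00:00:00")
    return problems
```

Run `validate_member` against the values a `get` prints before committing with `end`; a member in a MAC-update mode that still carries the default all-zero address will mirror nothing useful to the IDS.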

Example

FortiADC-VM (root) # config load-balance clone-pool
FortiADC-VM (clone-pool) # edit 1
FortiADC-VM (1) # config pool_member
FortiADC-VM (pool_member) # edit name
FortiADC-VM (name) # set
FortiADC-VM (name) # set mode mirror-dst-mac-update

FortiADC-VM (name) # get
mode : mirror-dst-mac-update
destination-interface :
destination-mac : 00:00:00:00:00:00

FortiADC-VM (name) # next
FortiADC-VM (pool_member) # end