Using clone pools
A clone pool is a set of destinations: the monitor servers that receive copies of traffic.
FortiADC is tasked with protecting the real-server pools. Before allowing traffic to reach the servers, it duplicates the traffic and sends a copy to the clone pool, which retains it for analysis.
The clone pool is therefore assigned to a virtual server. The clone pool is a farm of monitor servers; some of these can be intrusion detection system (IDS) servers, which analyze the traffic to identify suspicious patterns. An IDS server does not perform firewall functions such as blocking the traffic. However, the IDS server can send out, say, an email, indicating that the server
Important: A clone pool receives all of the same traffic that the server pool receives.
To configure a clone pool, you first create a pool of IDS or sniffer devices and then assign the pool as a clone pool to a virtual server. The clone pool feature is the recommended method for copying production traffic to IDS systems or sniffer devices. Note that when you create the clone pool, the service port that you assign to each node is irrelevant; you can choose any service port. Also, when you add a clone pool to a virtual server, the system copies only new connections; existing connections are not copied.
You can configure a virtual server to copy client-side traffic, server-side traffic, or both:
- A client-side clone pool causes the virtual server to replicate client-side traffic (prior to address translation) to the specified clone pool.
- A server-side clone pool causes the virtual server to replicate server-side traffic (after address translation) to the specified clone pool.
Clone pool topology illustrates how clone pools work.
The following steps show the process by which FortiADC clones packets and sends them to the monitor servers:
- Duplicates the packet data structure.
- Looks up the route table by monitor server IP to find out the next-hop IP address and output device, if necessary.
- Looks up the neighbors by the next-hop IP address, if necessary.
- Updates packet headers with specified values or results of route and ARP look-up.
- Sends the packets out to the monitor servers.
Configuring a clone pool
Before starting to create clone pools, keep the following in mind:
- Only one clone pool can be configured for the virtual server.
- The clone pool can have at most four members. The traffic will be duplicated and sent to each of the members.
- Only IPv4 addresses are supported.
- There are four modes by which you may update and send the packets.
- When the clone pool is added to the virtual server, the traffic (of old sessions and new) is duplicated and sent to the monitor servers in the clone pool.
- The supported profiles depend on the virtual server type:
  - If the virtual server is of type L7, the profiles TURBOHTTP, HTTP, HTTPS, TCPS, and RDP are supported.
  - If the virtual server is of type L2, the profiles TCP, UDP, IP, HTTP, HTTPS, and TCPS are supported.
  - If the virtual server is of type L4, the profiles TCP, UDP, and FTP are supported.
- Traffic on both the client and server sides may be cloned. On the client side, traffic is replicated BEFORE the packet's addresses undergo Network Address Translation (NAT), and the copy is then sent to the clone members. On the server side, NAT has already taken place; the packet has already passed through the virtual server, so the traffic is replicated AFTER the packet's addresses have been translated.
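To make the client-side versus server-side distinction and the pool limits above concrete, here is an added model (not FortiADC code, and not the product's actual packet path) of what each monitor server in the pool would observe. The addresses, the VIP-to-real-server mapping and the SNAT address are constructed sample values; the real device also rewrites headers according to the selected mode and route/ARP lookup, which this model leaves out.

```python
import ipaddress
from dataclasses import dataclass, replace

MAX_CLONE_MEMBERS = 4  # the page's limit: a clone pool holds at most four members


@dataclass(frozen=True)
class Packet:
    src: str      # IPv4 source address
    dst: str      # IPv4 destination address
    payload: bytes


def make_clone_pool(members):
    """Validate a clone pool against the page's limits: 1 to 4 members, IPv4 only."""
    if not 1 <= len(members) <= MAX_CLONE_MEMBERS:
        raise ValueError("a clone pool must have between 1 and 4 members")
    for ip in members:
        if ipaddress.ip_address(ip).version != 4:
            raise ValueError(f"clone pool members must be IPv4 addresses: {ip}")
    return tuple(members)


def clone_for_pool(pkt, pool, side, vip_to_real, snat_ip=None):
    """Return (monitor_server, copy) pairs for one client packet entering the virtual server.

    side == "client": the copy is taken before NAT, so the monitor sees client -> VIP.
    side == "server": the copy is taken after NAT, so the monitor sees the translated
    headers (destination rewritten to the real server; source rewritten if SNAT is used).
    Hypothetical simplification: per-mode header rewriting and route/ARP lookup are omitted.
    """
    if side == "client":
        seen = pkt
    elif side == "server":
        seen = replace(pkt, src=snat_ip or pkt.src, dst=vip_to_real[pkt.dst])
    else:
        raise ValueError(f"unknown clone side: {side}")
    # The same duplicate is sent to every member of the pool.
    return [(member, seen) for member in pool]


# Constructed sample: a client hits VIP 203.0.113.10, which maps to real server 10.0.0.5.
SAMPLE = Packet("198.51.100.7", "203.0.113.10", b"GET / HTTP/1.1\r\n")
VIP_MAP = {"203.0.113.10": "10.0.0.5"}
POOL = make_clone_pool(["10.0.1.21", "10.0.1.22"])
```

The practical consequence for an IDS on the clone pool is that a client-side clone lets it attribute events to the real client address, while a server-side clone shows the translated addresses and must be correlated back to the client through the virtual server's own logs.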
To configure a clone pool:
The following instructions assume that you have properly configured schedule groups, real servers, and real server pools.
- Go to Server Load Balance > Virtual Server > Clone Pool.
- Click Create New.
- Return to the Clone Pool tab, select your clone pool, and click Edit.
- Click Create New to create a member inside your clone pool. You can create up to four members.
- Refer to the table below for entries and/or selections required for creating a clone pool.
Parameters for clone pool configuration
- Clone pool name: Specify a unique clone pool name.
- Pool member name: Specify a unique pool member name. Note: A pool member is a clone server, so this name is essentially the name you give to the clone server.
- Interface: Select the interface (port) FortiADC uses to send out packets to the clone server.
- Mode: The headers of duplicated packets need to be updated when sent to monitor servers. There are several modes in which this occurs. Select one of the following: