FortiWAN What’s new

What’s new

The following features are new or changed since FortiWAN 4.0.0:

FortiWAN 4.3.1

  • Tunnel Routing – From this release, the Generic Receive Offload (GRO) mechanism on each of FortiWAN’s network interfaces is disabled by default for better Tunnel Routing transmission performance. The parameter “generic-receive-offload” of the CLI command sysctl, added in release 4.2.3 to enable or disable GRO, is removed; GRO can no longer be enabled on FortiWAN. The related descriptions were removed from Console Mode Commands, How the Tunnel Routing Works and How to set up routing rules for Tunnel Routing.

FortiWAN 4.3.0

  • Tunnel Routing – Supports large-scale Tunnel Routing network deployment, allowing a maximum of:
  • FWN-200B: 100 tunnel groups
  • FWN-1000B: 400 tunnel groups
  • FWN-3000B: 1000 tunnel groups

For all FortiWAN models, each tunnel group supports up to 16 enabled GRE tunnels, and a maximum total of 2500 enabled GRE tunnels is supported. See Tunnel Routing Scale, Tunnel Routing – Setting and How to set up routing rules for Tunnel Routing.

  • A new measurement case is added to benchmark to evaluate transmission performance of a tunnel group. Packets of a measurement session will be distributed and sent over all the tunnels of the tunnel group, just like how Tunnel Routing generally works in real practice. This is a more accurate way to evaluate your Tunnel Routing network. See Tunnel Routing – Benchmark.
  • IPSec – Supports Internet Key Exchange Protocol Version 2 (IKEv2) for establishing Security Associations. Note that a specific procedure is required when you switch the IKE version of an existing IPSec VPN connection. See Specifications of FortiWAN’s IPsec VPN and IKE Phase 1 Web UI fields – Internet Key Exchange.
  • DHCP Relay – Supports up to two DHCP servers for a relay agent. Once two DHCP servers are configured, the relay agent forwards each DHCP request to both servers. The first response received by the relay agent is forwarded to the DHCP client, and subsequent responses are ignored. See DHCP Relay.
  • Reports – Supports scheduled report emails. System sends report emails automatically on a daily, weekly or monthly schedule. See Report Email and Scheduled Emails.
  • CLI command – A new parameter PORT is added to the command resetconfig to specify the port mapped to the LAN port while resetting the configuration to factory default. See CLI Command – resetconfig.
  • DNS Proxy – The Intranet Source field of a DNS Proxy policy can be configured with an IPv4 range or subnet. See DNS Proxy Setting Fields.
  • WAN link health detection – A new parameter, the number of consecutive successful detections required before a WAN link is declared available, is added to WAN link health detection policies. See WAN Link Health Detection.
  • Web UI account – The ability for Monitor accounts to reset their own password is removed. From this release, the Web UI page System > Administration is not available to Monitor accounts, and only Administrator accounts have permission to reset passwords. The Apply button is also greyed out and inactive for Monitor users. See Administrator and Monitor Password.
  • Multihoming – Supports SOA and NS records for reverse lookup zones. See Global Settings: IPv4/IPv6 PTR Record.
  • Web UI – New look and feel.
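
The WAN link health detection change above adds hysteresis: a link that has been declared down is not declared up again on the first successful probe, but only after a configured run of consecutive successes. The model below is an added example written for this page, not FortiWAN code; the class, the threshold defaults, the method names and the probe sequence are assumptions chosen to show why the new parameter matters on a lossy circuit.

```python
"""Hysteresis model of a WAN link health detector (added example, not FortiWAN code).

Mirrors the 4.3.0 change described above: a link is declared unavailable after a run
of failed detections and declared available again only after a configured number of
consecutive successful detections. Class, thresholds, method names and the probe
sequence are assumptions made for this illustration.
"""
from dataclasses import dataclass, field


@dataclass
class LinkHealth:
    fail_threshold: int = 3      # consecutive failures before declaring DOWN (assumed default)
    success_threshold: int = 3   # consecutive successes before declaring UP (the new parameter)
    up: bool = True              # links start out available
    fails: int = 0
    successes: int = 0
    transitions: list = field(default_factory=list)

    def observe(self, probe_ok: bool) -> bool:
        """Feed one detection result and return the link state after evaluating it."""
        if probe_ok:
            self.fails = 0
            self.successes += 1
            if not self.up and self.successes >= self.success_threshold:
                self.up = True
                self.transitions.append("UP")
        else:
            self.successes = 0          # any failure restarts the consecutive-success count
            self.fails += 1
            if self.up and self.fails >= self.fail_threshold:
                self.up = False
                self.transitions.append("DOWN")
        return self.up


def run(probes, fail_threshold=3, success_threshold=3):
    """Return the per-probe link state and the list of state transitions."""
    link = LinkHealth(fail_threshold, success_threshold)
    states = [link.observe(ok) for ok in probes]
    return states, link.transitions


def flap_count(probes, success_threshold):
    """Number of times the link was re-declared UP for a given success threshold."""
    _, transitions = run(probes, 3, success_threshold)
    return transitions.count("UP")


# Constructed probe sequence: a stable link, a hard failure, then a circuit that
# answers only one probe in four (lossy and not really usable) before recovering.
FLAPPY = [True] * 5 + [False] * 3 + [True, False, False, False,
                                     True, False, False, False,
                                     True, True, True]

if __name__ == "__main__":
    for threshold in (1, 3):
        states, transitions = run(FLAPPY, 3, threshold)
        print(f"success_threshold={threshold}: transitions={transitions}, final_up={states[-1]}")
```

With a success threshold of 1 the same probe sequence produces three DOWN/UP flaps, each of which would move Auto Routing and Tunnel Routing traffic back onto a link that is about to fail again; with a threshold of 3 the link stays down until it has actually stabilised.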

FortiWAN 4.2.7

Bug fixes only. Please refer to FortiWAN 4.2.7 Release Notes.

FortiWAN 4.2.6

Bug fixes only. Please refer to FortiWAN 4.2.6 Release Notes.

FortiWAN 4.2.5

Bug fixes only. Please refer to FortiWAN 4.2.5 Release Notes.

FortiWAN 4.2.4

Bug fixes only. Please refer to FortiWAN 4.2.4 Release Notes.

FortiWAN 4.2.3

  • Tunnel Routing – Transmission performance in a tunnel group can be greatly enhanced by disabling the Generic Receive Offload (GRO) mechanism on each participating network interface of both participating FortiWAN units. A new parameter “generic-receive-offload” is added to the CLI command sysctl to enable or disable the GRO module. See How the Tunnel Routing Works, Tunnel Routing – Setting and Console Mode Commands.

  • DHCP – Supports Vendor Specific Information (Vendor Encapsulated Options, option code 43) and TFTP Server Name (option code 66). DHCP clients use these two options to request vendor-specific information and a TFTP server from the DHCP server for device configuration purposes; FortiWAN’s DHCP server delivers the configured information to clients according to the two option codes. See Automatic addressing within a basic subnet.
  • Bandwidth Management – A new field Input Port is added to Bandwidth Management’s outbound IPv4/IPv6 filters to evaluate outbound traffic by the physical port it arrives on. The corresponding network ports (VLAN ports, redundant ports, aggregated ports, etc.) are the options for this field if they are configured in Network Setting. See Bandwidth Management.

  • Port Mapping – The original configuration panels “Aggregated LAN Port” and “Aggregated DMZ Port” are merged into one panel, “Aggregated Port”. Instead of mapping the member ports to LAN/DMZ before aggregating them, you now create the logical aggregated port from two unmapped member ports first, and then map LAN/DMZ or define VLANs on the aggregated port. See Configurations for VLAN and Port Mapping.
  • Multihoming:
  • Supports wildcard characters in the Host Name field of A/AAAA records. A single wildcard character matches DNS queries for any hostname that does not appear in any NS record, the primary name server, external subdomains or other A/AAAA records of the domain, so that the wildcard A/AAAA policy matches. Note that wildcard characters are not accepted in records other than A/AAAA (NS, MX, TXT, etc.). See Inbound Load Balancing and Failover (Multihoming).
  • Supports configuring CName records for DKIM signing. Dot characters are accepted in the Name Server, Alias, Target, Host Name and Mail Server fields of NS, CName, DName, MX and TXT records. A dot character is still not accepted in A/AAAA records. See Inbound Load Balancing and Failover (Multihoming).
  • Auto Routing – Previously, all WAN links (WAN parameters) of an Auto Routing policy were checked by default when the policy was created in the Web UI, so you had to uncheck the unused WAN links one at a time to fit the real network. From this release, the WAN parameters of an AR policy are checked by default only if the corresponding WAN links have been enabled in Network Setting. See Outbound Load Balancing and Failover (Auto Routing).
  • Statistics – Measurement of Round Trip Time (RTT) is added to Statistics > Tunnel Status for each GRE tunnel of configured tunnel groups. See Tunnel Status.
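
DHCP options 43 and 66 from the DHCP item above are standard RFC 2132 options, and a practitioner checking what FortiWAN’s DHCP server hands out will usually capture the OFFER/ACK and decode the option bytes. The encoder and parser below are an added example written for this page, not FortiWAN code: option 66 is a plain string, option 43 is a nested sequence of sub-option TLVs terminated by 0xFF, and the parser refuses truncated lengths instead of reading past the buffer. The sub-option codes (1 and 2) and their values are constructed sample data with no vendor meaning.

```python
"""Encode and decode DHCP option 66 (TFTP Server Name) and option 43 (Vendor
Encapsulated Options). Added example, not FortiWAN code; sub-option codes and
the sample values are constructed for illustration only."""
from __future__ import annotations

OPT_PAD = 0
OPT_VENDOR_SPECIFIC = 43    # RFC 2132 section 8.4: sequence of sub-option TLVs
OPT_TFTP_SERVER_NAME = 66   # RFC 2132 section 9.4: ASCII server name
OPT_END = 255


def encode_tlv(code: int, data: bytes) -> bytes:
    """One code/length/value option; length is a single byte so data is capped at 255."""
    if not 0 < code < 255 or len(data) > 255:
        raise ValueError("option code or length out of range")
    return bytes([code, len(data)]) + data


def encode_vendor_suboptions(subopts: dict[int, bytes]) -> bytes:
    """Option 43 payload: nested sub-option TLVs ending with the 0xFF terminator."""
    body = b"".join(encode_tlv(c, d) for c, d in subopts.items()) + bytes([OPT_END])
    return encode_tlv(OPT_VENDOR_SPECIFIC, body)


def encode_tftp_server_name(name: str) -> bytes:
    return encode_tlv(OPT_TFTP_SERVER_NAME, name.encode("ascii"))


def build_options(tftp_server: str, vendor_subopts: dict[int, bytes]) -> bytes:
    """Options field as a server would emit it: 66, 43, then the END option."""
    return (encode_tftp_server_name(tftp_server)
            + encode_vendor_suboptions(vendor_subopts)
            + bytes([OPT_END]))


def parse_tlvs(buf: bytes) -> dict[int, bytes]:
    """Parse a TLV option sequence; reject declared lengths that overrun the buffer."""
    out: dict[int, bytes] = {}
    i = 0
    while i < len(buf):
        code = buf[i]
        if code == OPT_END:
            break
        if code == OPT_PAD:            # PAD is a single byte with no length field
            i += 1
            continue
        if i + 1 >= len(buf):
            raise ValueError(f"option {code} is missing its length byte")
        length = buf[i + 1]
        data = buf[i + 2:i + 2 + length]
        if len(data) != length:
            raise ValueError(f"option {code} truncated: declared {length}, got {len(data)}")
        out[code] = data
        i += 2 + length
    return out


def parse_options(buf: bytes) -> dict:
    """Decode the two options of interest; option 43 is parsed a second time as sub-options."""
    opts = parse_tlvs(buf)
    result: dict = {}
    if OPT_TFTP_SERVER_NAME in opts:
        result["tftp_server_name"] = opts[OPT_TFTP_SERVER_NAME].decode("ascii")
    if OPT_VENDOR_SPECIFIC in opts:
        result["vendor_suboptions"] = parse_tlvs(opts[OPT_VENDOR_SPECIFIC])
    return result


# Constructed sample: sub-option 1 carries an IPv4 address, sub-option 2 a site tag.
SAMPLE_SUBOPTS = {1: bytes([10, 0, 0, 5]), 2: b"fwn-site-a"}
SAMPLE = build_options("tftp.example.net", SAMPLE_SUBOPTS)

if __name__ == "__main__":
    print(SAMPLE.hex())
    print(parse_options(SAMPLE))
```

The same `parse_tlvs` routine serves both the top-level options field and the option 43 payload because RFC 2132 defines the vendor-encapsulated field with the same TLV layout and the same 0xFF terminator; the length check is what keeps a malformed or hostile option from silently yielding garbage.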

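The Multihoming wildcard rule above has a precedence that is easy to get wrong: the wildcard A/AAAA entry must lose to an explicit A/AAAA record, to an NS-delegated subdomain (and everything beneath it), and to the domain’s own name servers, and it only exists for the record type it was configured on. The resolver below is an added example written for this page, not FortiWAN code; the zone representation, the method names, the sample zone and its documentation-range addresses are all assumptions. It also enforces the two field-validation rules from the same release (no wildcard outside A/AAAA, no dot inside an A/AAAA host name).

```python
"""Resolution order for Multihoming-style A/AAAA wildcards (added example, not
FortiWAN code). Record storage, method names and the sample zone are assumptions."""
from __future__ import annotations
from dataclasses import dataclass, field


@dataclass
class Zone:
    domain: str
    primary_ns: str                                     # SOA primary name server, FQDN
    a: dict[str, list[str]] = field(default_factory=dict)     # host -> IPv4 list ("" apex, "*" wildcard)
    aaaa: dict[str, list[str]] = field(default_factory=dict)  # host -> IPv6 list
    ns: dict[str, list[str]] = field(default_factory=dict)    # delegated subdomain -> name servers
    other: list[tuple[str, str, list[str]]] = field(default_factory=list)

    def add_record(self, rtype: str, host: str, values: list[str]) -> None:
        """host is relative to the domain; "" is the apex and "*" the wildcard."""
        if rtype in ("A", "AAAA"):
            if "." in host:
                raise ValueError("dot characters are not accepted in A/AAAA host names")
            (self.a if rtype == "A" else self.aaaa)[host] = values
        else:
            if "*" in host:
                raise ValueError(f"wildcard characters are not accepted in {rtype} records")
            if rtype == "NS":
                self.ns[host] = values
            else:
                self.other.append((rtype, host, values))

    def _host(self, qname: str) -> str | None:
        """Relative host for a name in this domain, or None if it belongs elsewhere."""
        if qname == self.domain:
            return ""
        suffix = "." + self.domain
        return qname[:-len(suffix)] if qname.endswith(suffix) else None

    def _reserved(self) -> set[str]:
        """Hosts the wildcard must never answer for: NS owner names and in-zone name servers."""
        names = {self.primary_ns, *(s for servers in self.ns.values() for s in servers)}
        hosts = {self._host(n) for n in names}
        hosts.discard(None)
        return hosts | set(self.ns)

    def resolve(self, qname: str, qtype: str) -> tuple[str, list[str] | None]:
        table = self.a if qtype == "A" else self.aaaa
        host = self._host(qname)
        if host is None:
            return "REFUSED", None
        if host in table:                       # explicit record always wins
            return "ANSWER", table[host]
        if host:
            labels = host.split(".")
            for i in range(len(labels)):        # the delegated subdomain or anything below it
                sub = ".".join(labels[i:])
                if sub in self.ns:
                    return "REFERRAL", self.ns[sub]
            if host not in self._reserved() and "*" in table:
                return "ANSWER", table["*"]     # wildcard only for this record type
        return "NXDOMAIN", None


def rejected(zone: Zone, rtype: str, host: str) -> bool:
    """True if add_record refuses the name (used to show the field rules)."""
    try:
        zone.add_record(rtype, host, ["192.0.2.1"])
    except ValueError:
        return True
    return False


def sample_zone() -> Zone:
    """Constructed zone; all addresses are from documentation ranges."""
    z = Zone("example.com", primary_ns="ns1.example.com")
    z.add_record("A", "", ["198.51.100.10"])
    z.add_record("A", "www", ["198.51.100.10", "203.0.113.10"])
    z.add_record("A", "ns1", ["198.51.100.53"])
    z.add_record("NS", "lab", ["ns-lab.example.com"])
    z.add_record("MX", "", ["mail.example.com"])
    z.add_record("A", "*", ["198.51.100.20", "203.0.113.20"])
    return z


if __name__ == "__main__":
    z = sample_zone()
    for q in ("www.example.com", "shop.example.com", "host.lab.example.com",
              "ns-lab.example.com", "example.org"):
        print(q, z.resolve(q, "A"))
    print("shop.example.com AAAA", z.resolve("shop.example.com", "AAAA"))
```

Two results are worth noting when testing a real deployment: a query for a host under the delegated `lab` subdomain gets a referral rather than the wildcard address, and a AAAA query for a name covered only by an A wildcard gets NXDOMAIN, so an IPv6 wildcard has to be configured separately.
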
FortiWAN 4.2.2

Bug fixes only. Please refer to FortiWAN 4.2.2 Release Notes.

FortiWAN 4.2.1

Bug fixes only. Please refer to FortiWAN 4.2.1 Release Notes.

FortiWAN 4.2.0

  • IPSec VPN – Supports standard IPSec VPN based on the two-phase Internet Key Exchange (IKE) protocol. FortiWAN’s IPSec VPN provides two communication modes, tunnel mode and transport mode. Tunnel mode is the common method for establishing an IPSec VPN between two network sites. FortiWAN’s IPSec tunnel mode transfers data traffic over a single connection (a single WAN link), so bandwidth aggregation and fault tolerance are not available to that VPN. FortiWAN’s transport mode, on the other hand, is designed to protect Tunnel Routing transmission on each of the TR tunnels, so that an IPSec VPN with bandwidth aggregation and fault tolerance can be implemented. FortiWAN’s IPSec tunnel mode supports single-link connectivity between FortiWAN devices, between FortiWAN and FortiGate, and between FortiWAN and any appliance supporting standard IPSec. FortiWAN’s IPSec transport mode supports multi-link Tunnel Routing between FortiWAN devices. IPSec Aggressive Mode is not supported in this release. See “IPSec VPN”.

  • Tunnel Routing – Supports IPSec encryption. In cooperation with FortiWAN’s IPSec transport mode, Tunnel Routing communication can be protected by an IPSec Security Association (IPSec SA), which provides strict security negotiation, data privacy and authenticity. A VPN network implemented with Tunnel Routing and IPSec transport mode combines a high security level with bandwidth aggregation and fault tolerance. See “Tunnel Routing”.
  • Basic subnet – Supports DHCP Relay on every LAN port and DMZ port. FortiWAN forwards DHCP requests and responses between a LAN or DMZ subnet and the specified (standalone) DHCP server, so that centralized DHCP management can be implemented. With an appropriate deployment of Tunnel Routing (or Tunnel Routing over IPSec transport mode), the headquarters DHCP server can manage IP allocation for regional sites through DHCP relay. FortiWAN’s DHCP relay therefore serves not only a local network but also a Tunnel Routing VPN network. See “Automatic addressing within a basic subnet”.
  • DHCP – Supports static IP allocation by Client Identifier (option code 61). According to the client identifier, FortiWAN’s DHCP server identifies the client requesting a lease and assigns it the specified IP address. See “Automatic addressing within a basic subnet”.
  • Bandwidth Management – Supports visibility into Tunnel Routing traffic. In previous versions, individual applications encapsulated by Tunnel Routing were invisible to FortiWAN’s Bandwidth Management, which could only shape the overall tunnel (GRE) traffic. From this release, Bandwidth Management evaluates traffic before encapsulation and after decapsulation, so that the traffic of individual applications in a Tunnel Routing transmission can be controlled. See “Bandwidth Management”.
  • Administration – Monitor accounts can now change their own password. In previous versions, passwords of accounts in the Monitor group could be changed only by administrators. See “Administration”.
  • HA synchronization – After a system configuration file is restored (System > Administration > Configuration File), the master unit automatically synchronizes the configuration to the slave unit. See “Administration”.
  • DNS Proxy – Supports wildcard characters when configuring Proxy Domains on the Web UI. See “DNS Proxy”.
  • Account – The default account maintainer was removed from FortiWAN’s authentication.

FortiWAN 4.1.3

Bug fixes only. Please refer to FortiWAN 4.1.3 Release Notes.

FortiWAN 4.1.2

Bug fixes only. Please refer to FortiWAN 4.1.2 Release Notes.

FortiWAN 4.1.1

  • New CLI command shutdown – Use this command to shut the FortiWAN system down. All system processes and services are terminated normally. This command might not power the appliance off; use the power switch or plug/unplug the power adapter to power the appliance off or on. See “Console Mode Commands”.

  • Firmware upgrade – A License Key will no longer be required for upgrading system firmware to any release.

FortiWAN 4.1.0

  • The timezone of FortiWAN’s hardware clock (RTC) is switched from local time to UTC. The system time might be incorrect after updating firmware from a previous version to this version because of the mismatched timezone. Reset the system time and synchronize it to FortiWAN’s hardware clock (execute Synchronize Time in System > Date/Time via the Web UI) so that the hardware clock is kept in UTC.

  • New models – FortiWAN introduces two models, FortiWAN-VM02 and FortiWAN-VM04, for deployment on VMware. FortiWAN 4.1.0 is the initial version for the two models. FortiWAN-VM02 supports a maximum of 2 virtual CPUs, and FortiWAN-VM04 supports a maximum of 4 virtual CPUs. Both models support 9 virtual network adapters, and each port can be programmed as WAN, LAN or DMZ. FortiWAN-VM supports deployment on VMware vSphere ESXi. Refer to “FortiWAN-VM Install Guide”.

  • Bandwidth capability changes :
  • FortiWAN 200B – The basic bandwidth is upgraded to 200Mbps from 60Mbps. With a bandwidth license, system supports advanced bandwidth up to 400Mbps and 600Mbps.
  • FortiWAN 1000B – The basic bandwidth is upgraded to 1 Gbps from 500Mbps. With a bandwidth license, system supports advanced bandwidth up to 2 Gbps.
  • FortiWAN 3000B – The basic bandwidth is upgraded to 3 Gbps from 1 Gbps. With a bandwidth license, system supports advanced bandwidth up to 6 Gbps and 9 Gbps.
  • Notification – Supports delivering event notifications via secure SMTP. See “Notification”.
  • Connection Limit – Customers can manually abort the connections listed in Connection Limit’s Statistics. FortiWAN’s Connection Limit stops subsequent connections from malicious IP addresses when the system is under an attack with a high volume of connections, but the existing malicious connections take time to terminate normally (connection timeout). Connection Limit’s Statistics lists the existing connections; aborting them immediately frees the memory they occupy. See “Statistics > Connection Limit”.
  • Multihoming – Supports specifying an IPv6 address in an A record and an IPv4 address in an AAAA record to evaluate the source of a DNS request. See “Inbound Load Balancing and Failover (Multihoming)”.
  • Automatic default NAT rules – Supported for all types of IPv6 WAN link. Previously, the system automatically generated default NAT rules for any type of IPv4 WAN link and for PPPoE IPv6 WAN links after the WAN links were applied. From this release, all types of IPv6 WAN link are supported. See “NAT”.

  • Firmware update under HA deployment – Simple one-instruction update of both master and slave units. The master unit triggers the firmware update on the slave unit first, and then updates itself. See “FortiWAN in HA (High Availability) Mode”.
  • New Reports pages:
  • Dashboard – This is a chart-based summary of FortiWAN’s system information and hardware states. See “Reports > Device Status > Dashboard”.
  • Settings – This is used to manage FortiWAN Reports. See “Reports Settings”.
  • Auto Routing – A new field Input Port is added to Auto Routing’s rules to evaluate outbound traffic by the physical port it arrives on. The corresponding VLAN ports, redundant LAN ports, redundant DMZ ports, aggregated LAN ports and aggregated DMZ ports are the options for this field, if they are allocated. See “Using the Web UI”.
  • New and enhanced CLI commands (See “Console Mode Commands”):
  • New command arp – Use this command to manipulate (add and delete entries) or display the IPv4 network neighbor cache.
  • Enhanced command resetconfig – A new parameter is added to the CLI command resetconfig to specify a static routing subnet for the default LAN port. By specifying a suitable private LAN subnet and static routing rule, users can connect to the Web UI via the default LAN port without modifying their current network after the system reboots from a factory reset.

  • Pagination – Paginate the output of a command if it is longer than screen can display.
  • Changes to FortiWAN logins:
  • The Fortinet default account/password (admin/null, i.e. the admin account with an empty password) is supported for FortiWAN’s Web UI and CLI. The old default accounts/passwords remain accessible. See “Connecting to the Web UI and the CLI”.
  • The FortiWAN CLI accepts logins from any customized account belonging to the Administrator group. A special account, maintainer, is provided to reset the admin password to factory default via the CLI, for the case that no one who knows the password is available to log in to the Web UI or CLI. (This account was removed again in FortiWAN 4.2.0; see above.) See “Administration”.
  • All accounts belonging to the Administrator group can log in to FortiWAN over SSH.
  • Web UI – Supports multiple sign-ins; the system accepts a maximum of 20 concurrent logins. Note that the system does not run Tunnel Routing Benchmark concurrently for multiple logins. See “Using the Web UI”.

FortiWAN 4.0.6

Bug fixes only. Please refer to FortiWAN 4.0.6 Release Notes.

FortiWAN 4.0.5

Bug fixes only. Please refer to FortiWAN 4.0.5 Release Notes.

FortiWAN 4.0.4

Bug fixes only. Please refer to FortiWAN 4.0.4 Release Notes.

FortiWAN 4.0.3

FortiWAN 4.0.3 is the initial release for FortiWAN 3000B. For bug fixes, please refer to FortiWAN 4.0.3 Release Notes.

FortiWAN 4.0.2

Bug fixes only. Please refer to FortiWAN 4.0.2 Release Notes.

FortiWAN 4.0.1

FortiWAN introduces new hardware platforms FortiWAN 1000B and FortiWAN 3000B, and new FortiWAN 4.0.1 firmware based on the AscenLink series of Link Load Balancing appliances already in the market. FortiWAN 4.0.1 is substantially similar to AscenLink V7.2.3 with the additions noted below.

To assess the impact of deploying FortiWAN 4.0.1 on your network and processes, review the following new and enhanced features.

  • Data Port Changes:
  • FortiWAN 1000B supports 3 GE RJ45 ports and 4 GE SFP ports. Each port can be programmed as WAN, LAN or DMZ. Redundant LAN and DMZ ports can be configured. 2-link LACP/LAG LAN or DMZ ports can be configured. Default LAN port is Port 6 and default DMZ port is Port 7.

  • FortiWAN 3000B supports 8 GE RJ45 ports, 8 GE SFP ports and 8 10GE SFP+ ports. Each port can be programmed as WAN, LAN or DMZ. Redundant LAN and DMZ ports can be configured. 2-link LACP/LAG LAN or DMZ ports can be configured. Default LAN port is Port 11 and default DMZ port is Port 12.
  • HA Configuration Synchronization – Two FortiWAN appliances can be connected in active-passive High Availability mode via an Ethernet cable between the systems’ HA RJ-45 ports. HA will not interoperate between AscenLink and FortiWAN and will not interoperate between different FortiWAN models or the same model with different Throughput licenses. Model and Throughput must match.
  • HDD – FWN 1000B and FWN 3000B add internal 1TB HDDs for Reports data storage.
  • Hardware Support – FortiWAN 4.0.1 supports FortiWAN 200B and FortiWAN 1000B. AscenLink series models are not supported. Note that FortiWAN 4.0.1 does not support FortiWAN 3000B; that platform is supported from FortiWAN 4.0.3 (see above).

FortiWAN 4.0.0

FortiWAN introduces new hardware platform FortiWAN 200B and new FortiWAN 4.0.0 firmware based on the AscenLink series of Link Load Balancing appliances already in the market. FortiWAN 4.0.0 is substantially similar to AscenLink V7.2.2 with the additions noted below.

To assess the impact of deploying FortiWAN 4.0.0 on your network and processes, review the following new and enhanced features.

  • Data Port Changes – FortiWAN 200B supports 5 GE RJ45 ports. Each port can be programmed as WAN, LAN or DMZ. Redundant LAN and DMZ ports can be configured. 2-link LACP/LAG LAN or DMZ ports can be configured. Default LAN port is Port 4 and default DMZ port is Port 5.
  • HA Port Change – FortiWAN supports one GE RJ45 HA port. This port must be direct-cabled via Ethernet cable to the HA port of a second FWN unit for HA operation. HA will not interoperate between AscenLink and FortiWAN and will not interoperate between different FortiWAN models.
  • HDD – FWN 200B adds an internal 500GB HDD for Reports data storage. See below for more information on Reports.
  • HA Configuration Synchronization – Two FWN 200B appliances can be connected in active-passive High Availability mode via an Ethernet cable between the systems’ HA RJ-45 ports.
  • New Functionality – FortiWAN 4.0.0 has the same functionality as AscenLink V7.2.2 PLUS the addition of built-in Reports which is the equivalent functionality to the external LinkReport for AscenLink.
  • Reports – Reports captures and stores data on traffic and applications across all WAN links in the system. Reports include connections, link and aggregate bandwidth, link and VPN reliability, and data on Multi-Homing requests, Virtual Server (SLB) requests, and more. Reports can be viewed on-screen, exported to PDF or CSV files or emailed immediately in PDF or CSV format.
  • GUI – FWN 4.0.0 adopts the Fortinet “look and feel”.
  • Hardware Support – FortiWAN 4.0.0 supports FortiWAN 200B. AscenLink series models are not supported.


About Mike

Michael Pruett, CISSP has a wide range of cyber-security and network engineering expertise. The plethora of vendors that resell hardware but have zero engineering knowledge resulting in the wrong hardware or configuration being deployed is a major pet peeve of Michael's. This site was started in an effort to spread information while providing the option of quality consulting services at a much lower price than Fortinet Professional Services. Owns PacketLlama.Com (Fortinet Hardware Sales) and Office Of The CISO, LLC (Cybersecurity consulting firm).
