Yearly Archives: 2017

FortiWAN What’s new

What’s new

The following features are new or changed since FortiWAN 4.0.0:

FortiWAN 4.3.1

  • Tunnel Routing – From this release, the Generic Receive Offload (GRO) mechanism on each of FortiWAN’s network interfaces is disabled by default for better Tunnel Routing transmission performance. The parameter “generic-receive-offload” of the CLI command sysctl, added in release 4.2.3 to enable/disable GRO, is removed; GRO can no longer be enabled on FortiWAN. Related descriptions were removed from Console Mode Commands, How the Tunnel Routing Works and How to set up routing rules for Tunnel Routing.

FortiWAN 4.3.0

  • Tunnel Routing – Supports large-scale Tunnel Routing network deployment, allowing a maximum of:
    • FWN-200B: 100 tunnel groups
    • FWN-1000B: 400 tunnel groups
    • FWN-3000B: 1000 tunnel groups

    For all FortiWAN models, each tunnel group supports up to 16 enabled GRE tunnels, and a maximum total of 2500 enabled GRE tunnels is supported. See Tunnel Routing Scale, Tunnel Routing – Setting and How to set up routing rules for Tunnel Routing.

  • A new measurement case is added to benchmark to evaluate transmission performance of a tunnel group. Packets of a measurement session will be distributed and sent over all the tunnels of the tunnel group, just like how Tunnel Routing generally works in real practice. This is a more accurate way to evaluate your Tunnel Routing network. See Tunnel Routing – Benchmark.
  • IPSec – Supports Internet Key Exchange Protocol Version 2 (IKEv2) for the establishment of Security Associations. Please note that a specific procedure is required when you switch the IKE version of an existing IPSec VPN connection. See Specifications of FortiWAN’s IPsec VPN and IKE Phase 1 Web UI fields – Internet Key Exchange.
  • DHCP Relay – Supports up to two DHCP servers for a relay agent. Once two DHCP servers are configured, the relay agent will forward a DHCP request to both of the DHCP servers. The first response received by the relay agent will be applied to the DHCP client, and the subsequent responses will be ignored. See DHCP Relay.
  • Reports – Supports scheduled report email. According to the schedule, the system automatically sends report emails periodically (daily, weekly or monthly). See Report Email and Scheduled Emails.
  • CLI command – A new parameter PORT is added to command resetconfig for specifying port mapping to LAN port while resetting configurations to factory default. See CLI Command – resetconfig.
  • DNS Proxy – It is acceptable to configure the Intranet Source field of a DNS Proxy policy with an IPv4 range or subnet. See DNS Proxy Setting Fields.
  • WAN link health detection – A new parameter is added to WAN link health detection policies to indicate the number of consecutive successful detections required before a WAN link is declared available. See WAN Link Health Detection.
  • Web UI account – The ability for Monitor accounts to reset their own password is removed. From this release, Web UI page System > Administration is not available to Monitor accounts and only Administrator accounts have the permission to reset passwords. Also the Apply button is greyed-out and inactive for Monitor users. See Administrator and Monitor Password.
  • Multihoming – Supports SOA and NS records for the reverse lookup zones. See Global Settings: IPv4/IPv6 PTR Record.
  • Web UI – New look and feel.

FortiWAN 4.2.7

Bug fixes only. Please refer to FortiWAN 4.2.7 Release Notes.

FortiWAN 4.2.6

Bug fixes only. Please refer to FortiWAN 4.2.6 Release Notes.

FortiWAN 4.2.5

Bug fixes only. Please refer to FortiWAN 4.2.5 Release Notes.

FortiWAN 4.2.4

Bug fixes only. Please refer to FortiWAN 4.2.4 Release Notes.

FortiWAN 4.2.3

  • Tunnel Routing – Transmission performance in a tunnel group can be greatly enhanced by disabling the Generic Receive Offload (GRO) mechanism on each of the participating network interfaces on both participating FortiWAN units. A new parameter “generic-receive-offload” is added to CLI command sysctl to enable/disable the GRO module. See How the Tunnel Routing Works, Tunnel Routing – Setting and Console Mode Commands.

  • DHCP – Supports Vendor Specific Information (Vendor Encapsulated Options, option code: 43) and TFTP Server Name (option code: 66). The two DHCP options are used by DHCP clients to request vendor specific information and TFTP server IP addresses from the DHCP server for device configuration purposes. FortiWAN’s DHCP server delivers the specified information to clients according to the two option codes. See Automatic addressing within a basic subnet.
  • Bandwidth Management – A new field Input Port is added to Bandwidth Management’s outbound IPv4/IPv6 filters to evaluate outbound traffic by the physical ports where it comes from. Corresponding network ports (VLAN ports, redundant ports, aggregated ports, etc.) will be the options for setting the field, if they are configured in Network Setting. See Bandwidth Management.

  • Port Mapping – The original configuration panels “Aggregated LAN Port” and “Aggregated DMZ Port” are merged into one panel “Aggregated Port”. Instead of mapping the member-ports to LAN/DMZ before aggregating them, it requires creating the logical aggregated port with two non-mapping member ports first, and then mapping LAN/DMZ or defining VLANs to the aggregated port. See Configurations for VLAN and Port Mapping.
  • Multihoming
    • Supports wildcard characters for configuring the Host Name field of A/AAAA records. A single wildcard character matches the DNS queries for any hostname that does not appear in any NS record, primary name server, external subdomains and other A/AAAA records of a domain, so that the specified A/AAAA policy matches. Note that wildcard characters are not accepted in records other than A/AAAA (NS, MX, TXT, etc.). See Inbound Load Balancing and Failover (Multihoming).
    • Supports configuring CName records for DKIM signing. It is acceptable to configure the Name Server, Alias, Target, Host Name and Mail Server fields of NS, CName, DName, MX and TXT records with dot characters. A dot character is still not accepted in A/AAAA records. See Inbound Load Balancing and Failover (Multihoming).
  • Auto Routing – Previously, all the WAN links (WAN parameters) of an Auto Routing policy were checked by default when you created it on the Web UI. To program it for the real network, you might have to uncheck the unused WAN links one at a time. From this release, the WAN parameters of an AR policy are checked by default only if the corresponding WAN links have been enabled via Network Setting. See Outbound Load Balancing and Failover (Auto Routing).
  • Statistics – Measurement of Round Trip Time (RTT) is added to Statistics > Tunnel Status for each GRE tunnel of configured tunnel groups. See Tunnel Status.

FortiWAN 4.2.2

Bug fixes only. Please refer to FortiWAN 4.2.2 Release Notes.

FortiWAN 4.2.1

Bug fixes only. Please refer to FortiWAN 4.2.1 Release Notes.

FortiWAN 4.2.0

  • IPSec VPN – Supports standard IPSec VPN which is based on the two-phase Internet Key Exchange (IKE) protocol. FortiWAN’s IPSec VPN provides two communication modes, tunnel mode and transport mode. Tunnel mode is a common method used to establish IPSec VPN between two network sites.

    FortiWAN IPSec tunnel mode transfers data traffic within a single connection (single WAN link), therefore bandwidth aggregation and fault tolerance are not available to the VPN. On the other hand, FortiWAN’s transport mode is designed to protect Tunnel Routing transmission on each of the TR tunnels, so that an IPSec VPN with bandwidth aggregation and fault tolerance can be implemented.

    FortiWAN’s IPSEC tunnel mode supports single-link connectivity between FortiWAN devices, between FortiWAN and FortiGate, and between FortiWAN and any appliance supporting standard IPSEC. FortiWAN’s IPSEC transport mode supports multi-link Tunnel Routing between FortiWAN devices. IPSEC Aggressive Mode is not supported in this release. See “IPSec VPN”.

  • Tunnel Routing – Supports IPSec encryption. With cooperation with FortiWAN’s IPSec tunnel mode, the Tunnel Routing communication can be protected by IPSec Security Association (IPSec SA), which provides strict security negotiations, data privacy and authenticity. The VPN network implemented by Tunnel Routing and IPSec transport mode has the advantages of high security level, bandwidth aggregation and fault tolerance. See “Tunnel Routing”.
  • Basic subnet – Supports DHCP Relay on every LAN port and DMZ port. FortiWAN forwards the DHCP requests and responses between a LAN or DMZ subnet and the specified DHCP server (standalone), so that centralized DHCP management can be implemented. With appropriate deployments of Tunnel Routing (or Tunnel Routing over IPSec Transport mode), the DHCP server at headquarters is capable of managing IP allocation to regional sites through DHCP relay. FortiWAN’s DHCP relay serves not only a local network but also a Tunnel Routing VPN network. See “Automatic addressing within a basic subnet”.
  • DHCP – Supports static IP allocation by Client Identifier (Options code: 61). According to the client identifier, FortiWAN’s DHCP recognizes the user who asks for an IP lease, and assigns the specified IP address to that user. See “Automatic addressing within a basic subnet”.
  • Bandwidth Management – Supports the visibility to Tunnel Routing traffic. In the previous version, individual application encapsulated by Tunnel Routing was invisible to FortiWAN’s Bandwidth Management. Bandwidth Management is only capable of shaping the overall tunnel (GRE) traffic. From this release, Bandwidth Management evaluates traffic before/after Tunnel Routing encapsulation/decapsulation, so that traffic of individual application in a Tunnel Routing transmission can be controlled. See “Bandwidth Management”.
  • Administration – Monitor accounts can now change their own password. In the previous version, the password of accounts belonging to the Monitor group could be changed only by administrators. From this release, Monitor accounts can change their own password. See “Administration”.
  • HA synchronization – After the system configuration file is restored (System > Administration > Configuration File), the master unit automatically synchronizes the configurations to the slave unit. See “Administration”.
  • DNS Proxy – Supports wildcard character for configuration of Proxy Domains on Web UI. See “DNS Proxy”.
  • Account – The default account maintainer was removed from FortiWAN’s authentication.

FortiWAN 4.1.3

Bug fixes only. Please refer to FortiWAN 4.1.3 Release Notes.

FortiWAN 4.1.2

Bug fixes only. Please refer to FortiWAN 4.1.2 Release Notes.

FortiWAN 4.1.1

  • New CLI command shutdown – Use this command to shut the FortiWAN system down. All the system processes and services will be terminated normally. This command might not power the appliance off; use the power switch or plug/unplug the power adapter to power the appliance on or off. See “Console Mode Commands”.

  • Firmware upgrade – A License Key will no longer be required for upgrading system firmware to any release.

FortiWAN 4.1.0

  • The timezone of FortiWAN’s hardware clock (RTC) is switched to UTC from localtime. The system time might be incorrect after updating firmware from previous version to this version due to mismatched timezone. Please reset system time and synchronize it to FortiWAN’s hardware clock (executing Synchronize Time in System > Date/Time via Web UI), so that the hardware clock is kept in UTC.
  • New models – FortiWAN introduces two models, FortiWAN-VM02 and FortiWAN-VM04, for deployment on VMware. FortiWAN V4.1.0 is the initial version of the two models. FortiWAN-VM02 supports the maximum of 2 virtual CPUs, and FortiWAN-VM04 supports the maximum of 4 virtual CPUs. Both of the two models support 9 virtual network adapters. Each port can be programmed as WAN, LAN or DMZ. Each of the two models. FortiWAN-VM supports the deployments on VMware vSphere ESXi. Refer to “FortiWAN-VM Install Guide”.

  • Bandwidth capability changes:
    • FortiWAN 200B – The basic bandwidth is upgraded to 200Mbps from 60Mbps. With a bandwidth license, system supports advanced bandwidth up to 400Mbps and 600Mbps.
    • FortiWAN 1000B – The basic bandwidth is upgraded to 1 Gbps from 500Mbps. With a bandwidth license, system supports advanced bandwidth up to 2 Gbps.
    • FortiWAN 3000B – The basic bandwidth is upgraded to 3 Gbps from 1 Gbps. With a bandwidth license, system supports advanced bandwidth up to 6 Gbps and 9 Gbps.
  • Notification – Supports delivering event notifications via secure SMTP. See “Notification”.
  • Connection Limit – Customers can manually abort the connections listed in Connection Limit’s Statistics. FortiWAN’s Connection Limit stops subsequent connections from malicious IP addresses when the system is under attack with high volumes of connections. However, the system takes time to terminate the existing malicious connections normally (connection time out). Connection Limit’s Statistics lists the existing connections; aborting these connections immediately frees the memory they occupy. See “Statistics > Connection Limit”.
  • Multihoming – Supports specifying an IPv6 address in an A record and an IPv4 address in an AAAA record to evaluate the source of a DNS request. See “Inbound Load Balancing and Failover (Multihoming)”.
  • Automatic default NAT rules – Supported for all types of IPv6 WAN link. Previously, the system automatically generated the default NAT rules for any type of IPv4 WAN link and for PPPoE IPv6 WAN links after the WAN links were applied. From this release, all the types of IPv6 WAN links are supported. See “NAT”.
  • Firmware update under HA deployment – Simple one-instruction update to both master and slave units. The master unit triggers firmware update to slave unit first, and then runs update itself. See “FortiWAN in HA (High Availability) Mode”.
  • New Reports pages:
    • Dashboard – This is a chart-based summary of FortiWAN’s system information and hardware states. See “Reports > Device Status > Dashboard”.
    • Settings – This is used to manage FortiWAN Reports. See “Reports Settings”.
  • Auto Routing – A new field Input Port is added to Auto Routing’s rules to evaluate outbound traffic by the physical ports where it comes from. Corresponding VLAN ports, redundant LAN ports, redundant DMZ ports, aggregated LAN ports and aggregated DMZ ports are the options for setting the field, if they are allocated. See “Using the Web UI”.
  • New and enhanced CLI commands (See “Console Mode Commands”):
    • New command arp – Use this command to manipulate (add and delete entries) or display the IPv4 network neighbor cache.
    • Enhanced command resetconfig – A new parameter is added to the CLI command resetconfig to specify a static routing subnet to the default LAN port. By specifying a proper private LAN subnet and static routing rule, users can connect to the Web UI via the default LAN port without modifying their current network after the system reboots from a reset to factory default.
    • Pagination – Paginates the output of a command if it is longer than the screen can display.
  • Changes on FortiWAN Logins
    • Fortinet default account/password (admin/null) is supported for FortiWAN’s Web UI and CLI. The old default accounts/passwords will still be accessible. See “Connecting to the Web UI and the CLI”.
    • FortiWAN CLI accepts logins from any customized account belonging to the Administrator group. A special account, maintainer, is provided to reset the admin password to factory default via CLI in case no one with the password is available to log in to the Web UI and CLI. See “Administration”.
    • All accounts belonging to the Administrator group can log in to FortiWAN over SSH.
  • Web UI supports multiple sign-in. The system accepts a maximum of 20 concurrent logins. Note that the system does not provide concurrent executions of Tunnel Routing Benchmark for multiple logins. See “Using the Web UI”.

FortiWAN 4.0.6

Bug fixes only. Please refer to FortiWAN 4.0.6 Release Notes.

FortiWAN 4.0.5

Bug fixes only. Please refer to FortiWAN 4.0.5 Release Notes.

FortiWAN 4.0.4

Bug fixes only. Please refer to FortiWAN 4.0.4 Release Notes.

FortiWAN 4.0.3

FortiWAN 4.0.3 is the initial release for FortiWAN 3000B. For bug fixes, please refer to FortiWAN 4.0.3 Release Notes.

FortiWAN 4.0.2

Bug fixes only. Please refer to FortiWAN 4.0.2 Release Notes.

FortiWAN 4.0.1

FortiWAN introduces new hardware platforms FortiWAN 1000B and FortiWAN 3000B, and new FortiWAN 4.0.1 firmware based on the AscenLink series of Link Load Balancing appliances already in the market. FortiWAN 4.0.1 is substantially similar to AscenLink V7.2.3 with the additions noted below.

To assess the impact of deploying FortiWAN 4.0.1 on your network and processes, review the following new and enhanced features.

  • Data Port Changes
    • FortiWAN 1000B supports 3 GE RJ45 ports and 4 GE SFP ports. Each port can be programmed as WAN, LAN or DMZ. Redundant LAN and DMZ ports can be configured. 2-link LACP/LAG LAN or DMZ ports can be configured. Default LAN port is Port 6 and default DMZ port is Port 7.
    • FortiWAN 3000B supports 8 GE RJ45 ports, 8 GE SFP ports and 8 10GE SFP+ ports. Each port can be programmed as WAN, LAN or DMZ. Redundant LAN and DMZ ports can be configured. 2-link LACP/LAG LAN or DMZ ports can be configured. Default LAN port is Port 11 and default DMZ port is Port 12.
  • HA Configuration Synchronization – Two FortiWAN appliances can be connected in active-passive High Availability mode via an Ethernet cable between the systems’ HA RJ-45 ports. HA will not interoperate between AscenLink and FortiWAN and will not interoperate between different FortiWAN models or the same model with different Throughput licenses. Model and Throughput must match.
  • HDD – FWN 1000B and FWN 3000B add internal 1TB HDDs for Reports data storage.
  • Hardware Support – FortiWAN 4.0.1 for FortiWAN supports FortiWAN 200B and FortiWAN 1000B. AscenLink series models are not supported. Note that FortiWAN 4.0.1 does not support FortiWAN 3000B; please look forward to subsequent releases.

FortiWAN 4.0.0

FortiWAN introduces new hardware platform FortiWAN 200B and new FortiWAN 4.0.0 firmware based on the AscenLink series of Link Load Balancing appliances already in the market. FortiWAN 4.0.0 is substantially similar to AscenLink V7.2.2 with the additions noted below.

To assess the impact of deploying FortiWAN 4.0.0 on your network and processes, review the following new and enhanced features.

  • Data Port Changes – FortiWAN 200B supports 5 GE RJ45 ports. Each port can be programmed as WAN, LAN or DMZ. Redundant LAN and DMZ ports can be configured. 2-link LACP/LAG LAN or DMZ ports can be configured. Default LAN port is Port 4 and default DMZ port is Port 5.
  • HA Port Change – FortiWAN supports one GE RJ45 HA Port. This port must be direct-cabled via Ethernet cable, to a second FWN unit HA port for HA operation. HA will not interoperate between AscenLink and FortiWAN and will not interoperate between different FortiWAN models.
  • HDD – FWN 200B adds an internal 500GB HDD for Reports data storage. See below for more information on Reports.
  • HA Configuration Synchronization – Two FWN 200B appliances can be connected in active-passive High Availability mode via an Ethernet cable between the systems’ HA RJ-45 ports.
  • New Functionality – FortiWAN 4.0.0 has the same functionality as AscenLink V7.2.2 PLUS the addition of built-in Reports which is the equivalent functionality to the external LinkReport for AscenLink.
  • Reports – Reports captures and stores data on traffic and applications across all WAN links in the system. Reports include connections, link and aggregate bandwidth, link and VPN reliability, and data on Multi-Homing requests, Virtual Server (SLB) requests, and more. Reports can be viewed on-screen, exported to PDF or CSV files or emailed immediately in PDF or CSV format.
  • GUI – FWN 4.0.0 adopts the Fortinet “look and feel”.
  • Hardware Support – FortiWAN 4.0.0 for FortiWAN supports FortiWAN 200B. AscenLink series models are not supported.

 

FortiWAN Key Concepts and Product Features

Key Concepts and Product Features

WAN load balancing (WLB)

Generally speaking, load balancing refers to mechanisms (methods) for managing (distributing) workload across available resources, such as servers, computers, network links, CPU or disk storage. FortiWAN’s WAN load balancing aims to distribute (route) WAN traffic across multiple network links. The major purposes are optimizing bandwidth usage, maximizing transmission throughput and avoiding overload of any single network link. WAN load balancing always implies automatic traffic distribution across multiple network links. Unlike general routing, WAN load balancing involves algorithms, calculations and monitoring to dynamically determine the availability of network links for network traffic distribution.

Installation

FortiWAN is an edge device that typically connects an internal local area network (LAN) with an external wide area network (WAN) or the Internet. The physical network ports on FortiWAN are divided into WAN ports, LAN ports and DMZ (Demilitarized Zone) ports, which are used to connect to the WAN or the Internet, subnets in LAN, and subnets in DMZ respectively. Please refer to FortiWAN QuickStart Guides for the ports mapping for various models.

Bidirectional load balancing

Network data transmission passing through FortiWAN is bidirectional: inbound and outbound. Network data transmission consists of session establishment and packet transmission. An inbound session refers to a session which is established from elsewhere (external) to the FortiWAN (internal), while an outbound session refers to a session which is established from the FortiWAN (internal) to elsewhere (external). For example, a request from the internal network to an HTTP server on the Internet means the first request packet is outgoing to the external server, so an outbound session is established. Conversely, a request from the external area to an HTTP server behind FortiWAN means the first request packet is incoming to the internal server, so an inbound session is established. No matter which direction a session is established in, packet transmission might be bidirectional (depending on the transmission protocol employed). FortiWAN is capable of balancing not only outbound but also inbound sessions and packets across multiple network links.

Auto Routing (Outbound Load Balancing)

FortiWAN distributes traffic across as many as 50 WAN links, under control of load balancing algorithms. FortiWAN’s many advanced load balancing algorithms let you easily fine-tune how traffic is distributed across the available links. Each deployment can be fully customized with the most flexible assignment of application traffic in the industry.

 

Multihoming (Inbound Load Balancing)

Many enterprises host servers for email, and other public access services. FortiWAN load balances incoming requests and responses across multiple WAN Links to improve user response and network reliability. Load balancing algorithms assure the enterprise that priority services are maintained and given appropriate upstream bandwidth.

Fall-back or Fail-over

FortiWAN detects local access link failures and end-to-end failures in the network and can either fall-back to remaining WAN links or fail-over to redundant WAN links, if needed. Fall-back and Fail-over behavior is under complete control of the administrator, with flexible rule definitions to meet any situation likely to occur. Links and routes are automatically recovered when performance returns to acceptable levels. Notifications will be sent automatically to administrators when link or route problems occur.

Virtual Private Services (Tunnel Routing)

FortiWAN offers the most powerful and flexible multi-link VPN functionality in the industry. Inter-site Tunnels can be created from fractional, full, multiple and fractions of multiple WAN links. Applications requiring large single-session bandwidth such as VPN load balancing, video conferencing or WAN Optimization can use multiple links to build the bandwidth needed. Multi-session traffic can share an appropriately-sized Tunnel. Tunnels have the same functionality as single links, supporting Load Balancing, Fall-back, Failover and Health Detection within and between Tunnels. Dynamic IP addresses and NAT pass through are supported for VPL service deployments.

Virtual Servers (Server Load Balancing and High Availability)

FortiWAN supports simple server load balancing and server health detection for multiple servers offering the same application. When service requests are distributed between servers, the servers that are slow or have failed are avoided and/or recovered automatically. Performance parameters are controlled by the administrator.

Optimum Routing

FortiWAN continuously monitors the public Internet to select the shortest and fastest route for mission-critical applications. Non-critical traffic can be routed away from the best links when prioritized traffic is present on the links or traffic can be assigned permanently to different groups of WAN links.

Traffic Shaping (Bandwidth Management)

FortiWAN optimizes, guarantees performance or increases usable bandwidth for specified traffic by traffic classification and rate limiting.

Firewall and Security

FortiWAN provides a stateful firewall, access control lists and connection limits to protect the FortiWAN unit, internal network and services from malicious attacks.

 

Scope

This document describes how to set up your FortiWAN appliance. For first-time system deployment, the suggested processes are:

Installation

  • Register your FortiWAN appliance before you start the installation. Please refer to the topic: [Register your FortiWAN] for further information.
  • Plan the network topology to introduce FortiWAN into your current network. This requires a clear picture of the WAN link types your ISP provides and how to use the available public IP addresses of a WAN link. The topic [Planning the Network Topology] provides sub-topics covering the concepts necessary for planning your network topology.
  • Topic [Web UI Overview] and its sub-topics provide the instructions to connect and log into the Web management interface. System time and account/password resetting might be performed at the first login; please refer to topics [Setting the System Time & Date] and [Administrator] for further information.
  • For implementation of the network topology you planned, topic [Configuring Network Interface (Network Setting)] and its sub-topics give the necessary information about the configurations of network deployments on Web UI. FortiWAN’s diagnostic tools are helpful for troubleshooting when configuring the network; please refer to topic [Diagnostic Tools].

Functions

  • After installing FortiWAN into your network, the next step is to configure the major features, load balancing and failover, on FortiWAN. Topic [Load Balancing & Fault Tolerance] and its sub-topics contain the information about performing FortiWAN’s load balancing and failover mechanisms for incoming and outgoing traffic, virtual servers and single-session services.
  • Topic [Optional Services] gives the information about configurations of FortiWAN’s optional services, such as Bandwidth Management, Firewall, Connection Limit, NAT, SNMP, Cache Redirect, etc.

Monitoring

  • After FortiWAN has been running for a while, related traffic logs, statistics and report analysis might be required for monitoring or troubleshooting purposes. Topics [Logs], [Statistics] and [Reports] explain how to use those logs, statistics and reports to improve management policies on FortiWAN.

The following topics are covered elsewhere:

  • Appliance installation—Refer to the quick start guide for your appliance model.
  • Virtual appliance installation—Refer to the FortiWAN-VM Install Guide.

FortiWAN Handbook – Introduction

Introduction

Enterprises are increasingly relying on the internet for delivery of critical components for everyday business operations. Any delays or interruptions in connectivity can easily result in reduced productivity, lost business opportunities and a damaged reputation. Maintaining a reliable and efficient internet connection to ensure the operation of critical applications is therefore key to the success of the enterprise.

FortiWAN is a separate and discrete hardware appliance with exclusive operating system, specifically designed to intelligently balance internet and intranet traffic across multiple WAN connections, providing additional low-cost incoming and outgoing bandwidth for the enterprise and substantially increased connection reliability. FortiWAN is supported by a user-friendly UI and a flexible policy-based performance management system.

FortiWAN provides a unique solution that offers comprehensive multi-WAN management that keeps costs down as well as keeping customers and users connected.

Product Benefits

FortiWAN is the most robust, cost-effective way to:

  • Increase the performance of your:
    • Internet access
    • Public-to-Enterprise access
    • Site-to-site private intranet
  • Lower Operating Costs
  • Increase your network reliability
  • Enable Cloud / Web 2.0 Applications
  • Monitor Network Performance

Increase Network Performance

FortiWAN increases network performance in three key areas:

  • Access to Internet resources from the Enterprise
  • Access to Enterprise resources from the Internet
  • Creation of Enterprise Intranet connections between sites

FortiWAN intelligently aggregates multiple broadband and/or leased access lines to significantly increase Internet access performance. FortiWAN makes reacting to network demands fast, flexible and inexpensive. FortiWAN transforms underperforming networks into responsive, cost-effective and easy-to-manage business assets.

FortiWAN load balances Internet service requests from Enterprise users, optimally distributing traffic across all available access links. FortiWAN’s 7 different Load Balancing algorithms provide the flexibility to maximize productivity from any network scenario.

FortiWAN gives you high-performance inter-site connectivity without the need to lease expensive links such as T1 and T3. FortiWAN aggregates multiple low-cost Internet access links to create site-to-site Virtual Private Line (VPL) Tunnels for LAN-like performance between company locations. By using multiple carriers and media, reliability of these VPL Tunnels can exceed that of traditional engineered carrier links.

Substantially Lower Operating Costs

Once bandwidth requirements exceed traditional asymmetrical Internet access services (like ADSL) there is a very high jump in bandwidth cost to engineered, dedicated access facilities like DS-1/DS-3. Even Metro Ethernet is a large cost increment where it is available. Adding shared Internet access links is substantially less expensive and delivery is substantially faster.

Traditional point-to-point private lines for company intranets are still priced by distance and capacity. Replacing or augmenting dedicated point-to-point services with Virtual Private Line Tunnels reduces costs substantially while increasing available bandwidth and reliability.

FortiWAN makes low-cost network access links behave and perform like specially-engineered carrier services at a fraction of the cost.

  • Deploy DSL services and get DS-3/STM-1-like speed and reliability while waiting for the carrier to pull fiber.
  • Add and remove bandwidth for seasonal requirements quickly and easily.
  • Increase bandwidth to web servers and use multiple ISPs without BGP4 management issues.

Increase Network Reliability

Businesses can no longer afford Internet downtime. FortiWAN provides fault tolerance for both inbound and outbound IP traffic to ensure a stable and dependable network. Even multiple link failures, while reducing available bandwidth, will not stop traffic. By using diverse media (fiber, copper, wireless) and multiple ISPs (Telco, Cableco, 4G), FortiWAN can deliver better than carrier-class “5-9’s” reliability.

FortiWAN can be deployed in High Availability mode with fully redundant hardware for increased reliability. Larger FortiWAN models also feature redundant power supplies for further protection from hardware failures.

Enable Cloud / Web 2.0 Applications

Traditional WAN Optimization products expect that all users connect only to Headquarters servers and Internet gateways over dedicated, symmetric leased lines, but that is already “yesterday’s” architecture. Today users want to mix HQ connectivity with direct Cloud access to Web 2.0 applications like email, collaborative documentation, ERP, CRM and online backup.

FortiWAN gives you the flexibility to customize your network, giving you complete control. Direct cloud-based applications to links optimized for them and reduce the bandwidth demand on expensive dedicated circuits. Combine access links and/or dedicated circuits into Virtual Private Line Tunnels that will support the fastest video streaming or video conferencing servers that Headquarters can offer.

FortiWAN is designed for easy deployment and rapid integration into any existing network topology.

Monitor Network Performance

FortiWAN provides comprehensive monitoring and reporting tools to ensure your network is running at peak efficiency. With the built-in storage and database, FortiWAN’s Reports function provides historical detail and reporting over longer periods of time, so that it not only allows management to react to network problems, but to plan network capacity, avoiding unnecessary expense while improving network performance.

FortiWAN is managed via a powerful Web User Interface. Configuration changes are instantly stored without the need to re-start the system. Configuration files can be backed-up and restored remotely. Traffic measurements, alarms, logs and other management data are stored for trend analysis and management overview.

FortiCore 2.0.0 Release Notes

Introduction

This document provides upgrade instructions and release information about FortiCore Version 2.0.0. Please review all sections in this document prior to upgrading your device.

Supported models

This release covers the following FortiCore models:

  • 3600E
  • 3700E
  • 3800E
  • 3805E

Summary of enhancements

FortiCore Version 2.0.0 includes the following new features:

  • OVSDB support for configuration
  • LAG for front panel ports

FortiCore features and capabilities are described in the FortiCore Admin Guide, available at the following location: http://docs.fortinet.com/forticore/admin-guides

 

 

Upgrade Information

Upgrading

FortiCore Version 2.0.0 supports upgrade from release 1.2.0 and downgrade from release 2.0.0 to 1.2.0.

To upgrade the firmware, follow these instructions from the dashboard page of the web-based admin tool:

  1. Download the desired firmware version from the Fortinet support site to your local hard drive.
  2. Click the update button next to the current firmware version.
  3. Select the firmware file and click OK.
  4. The system automatically loads the firmware and performs a system restart.

Firmware image checksums

The MD5 checksums for all Fortinet software and firmware releases are available at the Customer Service & Support portal, https://support.fortinet.com. After logging in, select Download > Firmware Image Checksums, enter the image file name including the extension, and select Get Checksum Code.

Product Integration and Support

SDN Gateway Support

FortiCore supports any SDN Gateway that is compliant with OpenFlow version 1.3.

The FortiCore product was tested primarily with the OpenDaylight SDN controller, provided by the Linux Foundation.

Web Browser Support

The FortiCore web-based administration interface supports the following browser versions:

  • Mozilla Firefox version 36
  • Google Chrome version 43

Other web browsers may function correctly, but are not supported by FortiCore.

FortiAP 5.4.2 Release Notes

Introduction

This document provides the following information for FortiAP version 5.4.2:

  • Supported models
  • What’s new in FortiAP 5.4.2
  • Upgrade Information
  • Product Integration and Support
  • Resolved Issues

For more information on upgrading your FortiAP device, see the Deploying Wireless Networks for FortiOS 5.4 guide in the Fortinet Document Library.

Supported models

FortiAP version 5.4.2 supports the following models:

Model support

Models: FAP-11C, FAP-14C, FAP-21D, FAP-24D, FAP-25D, FAP-112B, FAP-112D, FAP-221B, FAP-221C, FAP-222B, FAP-222C, FAP-223B, FAP-223C, FAP-224D, FAP-320B, FAP-320C, FAP-321C, FAP-CAM-214B
Build: 0354

What’s new in FortiAP 5.4.2

The following is a list of new features and enhancements in FortiAP version 5.4.2:

  • Support for DFS channels on more FAP SKUs:
      • FAP-321C-S
      • FAP-222C-K
      • FAP-221B-I, FAP-221C-I, FAP-222C-I, FAP-223C-I, FAP-320B-I, FAP-320C-I, FAP-321C-I
  • Support for 64-digit hexadecimal passphrase in WPA2-Personal SSID

The following features require FortiCloud 3.1.0:

  • OKC support for FortiCloud WPA2-Enterprise SSID with RADIUS authentication
  • Dynamic VLAN support for FortiCloud WPA2-Enterprise SSID
  • Support for time zone and daylight-saving settings from FortiCloud
  • During firmware upgrade, FAP can download the firmware image from an HTTPS server as instructed by FortiCloud.

The following features require FortiGate running FortiOS 5.6.0:

  • PMF support for local-standalone SSID with WPA2-Personal/Enterprise security
  • New security option for CAPWAP data channel: IPsec VPN
    Note: FAP-320B cannot support this feature due to its flash limit.
  • Support for QoS Profile (rate limits per SSID and per client IP)
  • Add “lease-time” setting to NAT-mode local-standalone VAP

Upgrade Information

Upgrading from FortiAP version 5.4.1

FortiAP 5.4.2 supports upgrading from 5.4.1.

Downgrading to previous firmware versions

FortiAP 5.4.2 does not support downgrading to previous firmware versions.

Firmware image checksums

The MD5 checksums for all Fortinet software and firmware releases are available at the Customer Service & Support portal, https://support.fortinet.com. After logging in, select Download > Firmware Image Checksums, enter the image file name including the extension, and select Get Checksum Code.
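The checksum code from the portal only helps if the downloaded image is compared against it before the upgrade is started. The check below is an added example (not Fortinet code) that serves this section and the FortiCore section of the same name; the file names, sample image bytes and published value are constructed for illustration.

```python
import hashlib
import hmac
import os
import re
import tempfile

MD5_HEX = re.compile(r"[0-9a-f]{32}")


def normalize_checksum(published: str) -> str:
    """Clean a checksum pasted from the portal; reject anything that is not 32 hex digits."""
    value = published.strip().lower()
    if not MD5_HEX.fullmatch(value):
        raise ValueError("expected a 32-digit hexadecimal MD5 checksum")
    return value


def md5_of_file(path: str, chunk_size: int = 1 << 20) -> str:
    """Hash the image in chunks so a large firmware file is never held in memory at once."""
    digest = hashlib.md5()
    with open(path, "rb") as image:
        for chunk in iter(lambda: image.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def verify_image(path: str, published: str) -> bool:
    """Return True only when the file on disk matches the published checksum."""
    expected = normalize_checksum(published)
    return hmac.compare_digest(md5_of_file(path), expected)


def demo() -> dict:
    """Run the check against a constructed image, a truncated copy and a bad checksum."""
    image = b"CONSTRUCTED SAMPLE IMAGE BLOCK\n" * 4096      # stand-in for a firmware file
    # Constructed "portal" value: upper case with stray whitespace, as a paste often is.
    published = "  " + hashlib.md5(image).hexdigest().upper() + "\n"
    results = {}
    with tempfile.TemporaryDirectory() as workdir:
        intact = os.path.join(workdir, "sample-image.out")            # hypothetical name
        truncated = os.path.join(workdir, "sample-image-partial.out")  # interrupted download
        with open(intact, "wb") as handle:
            handle.write(image)
        with open(truncated, "wb") as handle:
            handle.write(image[:-512])
        results["intact"] = verify_image(intact, published)
        results["truncated"] = verify_image(truncated, published)
        try:
            verify_image(intact, "not-a-checksum")
            results["malformed_rejected"] = False
        except ValueError:
            results["malformed_rejected"] = True
    return results


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case}: {outcome}")
```

Only load the image into the device when the check returns True; a mismatch means the file should be downloaded again.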

Supported Upgrade Paths

To view all previous FortiAP versions, build numbers, and their supported upgrade pathways, see the following Fortinet Cookbook link:

http://cookbook.fortinet.com/supported-upgrade-paths-fortiap/

Product Integration and Support

FortiAP 5.4.2 support

The following table lists FortiAP version 5.4.2 product integration and support information.

FortiAP 5.4.2 support

Web Browsers:
  • Microsoft Internet Explorer version 11
  • Mozilla Firefox version 41
  • Google Chrome version 47
  • Safari 8

Other web browsers may function correctly, but are not supported by Fortinet.

FortiOS: 5.4.2 and later
FortiExplorer (Windows/MAC): 2.6.0 (model FAP-11C only)
FortiExplorer iOS: 2.0.0 (models FAP-11C, 21D, 24D, 112D, 320B, and 320C only)

Resolved Issues

The following issues have been fixed in version 5.4.2. For inquiries about a particular bug, please contact Customer Service & Support.

Bug ID Description
206429 FAP WIDS function could not detect spoofed de-authentication attack to its operating SSID.
300277 The NAT setting in FAP was not cleared correctly when VAP configuration in FortiGate has local-standalone disabled. (FortiGate will have the fix in FortiOS 5.6.0.)
369467 In FortiCloud captive-portal SSID setup, Social Media login page might become inaccessible due to DNS load balancing or rotation.
375543 FAP reported excess event logs about operating channel and Tx Power on 2.4 GHz radio.
307852 In FAP GUI, FortiCloud Account field now allows up to 50 characters.
381375 BPDU frames got truncated by FAP LAN to tunnel SSID when CAPWAP-data is plain text.
381602 Country code “AUSTRALIA” should be supported by FAP with region code “N “.
390947 Country code “SAUDI ARABIA” should be supported by FAP with region code “E “.
382926 Country code “INDONESIA” now is supported by a new region code “F “.
380931 Schedule of local-standalone SSID did not work when FAP lost connection with FortiCloud.
374626 Memory usage of IP pool of DHCP server in NAT-mode local-standalone SSID has been improved.
369162 For dual-radio FAP platforms, when both radios have the same NAT-mode local-standalone SSID configured, they can use the same IP and subnet mask settings now.
379123 Local-standalone SSID can support pre-authentication now.
391677 FAP-320C had lower TX power than expected.
281684 FAP sometimes encountered “PN check failed” issue.
395016 FAP-320C-E 2.4 GHz Radio had inconsistent TX power when configured 1 dBm.
395010 FAP-320C-E 5 GHz Radio TX power was stuck at 0 once cwWtpd was killed.
395244 Improvement. Now FAP sends WTP ID information packet to FortiPresence Server more frequently.

389205 FortiAP 5.4.2 is no longer vulnerable to the following CVE Reference: 2016-6308, 2016-6307, 2016-6306, 2016-6305, 2016-6304, 2016-6303, 2016-6302, 2016-2183, 2016-2182, 2016-2181, 2016-2180, 2016-2179, 2016-2178, 2016-2177.

Visit https://fortiguard.com/psirt for more information.

Known Issues

The following issues have been identified in version 5.4.2. For inquiries about a particular bug or to report a bug, please contact Customer Service & Support.

Bug ID Description
301726 Sniffer mode does not work on 802.11ac radios. Sniffer will be stuck in INIT(0) state and no packets will be captured.
300081 FortiAPs may encounter high CPU usage intermittently after a FortiGate wireless controller pushes a local-authentication virtual AP (VAP) configuration to them.
245323 Spectrum analysis may result in high CPU usage on some FortiAP models including the FAP-221B, FAP-223B, and FAP-221C.
236312 Split-tunneling SSIDs do not support VLANs.

FortiHypervisor 1.0 Admin Guide

Introduction

The FortiHypervisor Hybrid Virtual Appliance enables rapid service delivery for enterprises and MSPs through the use of virtualization technology. Built to deliver virtualized services as virtual network functions (VNFs), FortiHypervisor consolidates advanced networking and security services on a single device, eliminating the need for multiple CPE while enabling on-demand service delivery.

FortiHypervisor is available in both a software instance for install on generic x86 platforms and also on Fortinet SPU accelerated hybrid appliances.  A powerful Intel processor combined with SPU hardware acceleration delivers the high security performance that customers have come to expect from Fortinet. Ample storage and memory produce excellent compute, network and security performance for the most intensive tasks.

FortiHypervisor can run the wide range of Fortinet VNFs, delivering the greatest range of virtual functions in the industry, but is also compatible with third-party VMs in KVM format for the greatest flexibility.

Form-factors

FortiHypervisor is available in two form-factors to allow customers to select the most appropriate solution for their requirements.

Appliance

FortiHypervisor comes in a range of physical appliances suitable for small office / retail deployments (vCPE) all the way up to the datacenter or MSP network core.  The models come with different performance ratings, amounts of Hard Drive space, RAM and network access ports.

Software

FortiHypervisor is available as a bare metal hypervisor ISO image which can be installed on selected whitebox hardware.

Any selected hardware should be validated against the supported hardware list and should meet the minimum hardware specification listed below.

Whilst a minimum specification is provided, consideration should be made towards the VMs which will be installed as these may have additional performance and resource requirements.

If unsure, please validate your hardware selection with Fortinet Support before proceeding.

FortiExtender Modem Compatibility Matrix

The following table lists the USB modems currently supported by FortiExtender. The list of supported modems below depends on the modem database version and not on the version of FortiOS. They are listed in alphabetical order. You can also find the list in the FortiOS web-based interface.

 

Note: FEX-100A has an internal modem, and therefore doesn’t support external USB modems.

 

To find the FortiExtender Modem list (FortiOS 5.4) – web-based manager:

1. Go to System > Feature Select and enable FortiExtender.

2. Go to Network > FortiExtender and select Configure Settings.

3. Under Modem Settings, select [Supported Modems].

4. Click the Update Now button to get the latest version of the Supported FortiGate Modems list.

5. Verify that the version number has updated, and select Supported FortiExtender Modems.


 

Vendor | Model | Network
A-Link | 3GU | 3G
Alcatel | One Touch X020 | 3G
Alcatel | One Touch X030 | 3G
Alcatel | OT X220L | 3G
Alcatel | OT-X080C | 3G
Alcatel | OT-X220D | 3G
Alcatel | X060S | 3G
Alcatel | X200 | 3G
Alcatel | X215S | 3G
Alcatel-Lucent | T930S | 3G
Alcatel-sbell | ASB TL 131 TD-LTE | 3G
AnyDATA | ADU-500A | 3G
AnyDATA | ADU-510A | 3G
AnyDATA | ADU-510L | 3G
AnyDATA | ADU-520A | 3G
AnyDATA | APE-540H | 3G
Axesstel | MU130 | 3G
BandLuxe | C120 | 3G
BandRich | BandLuxe C170 | 3G
BandRich | BandLuxe C270 | 3G
BandRich | BandLuxe C339 | 3G
Beceem | BCSM250 | 3G
C-motech | CDU-680 | 3G
C-motech | CDU-685a | 3G
C-motech | CGU-628 | 3G
C-motech | CHU-628S | 3G
C-motech | CHU-629S | 3G
C-motech | D-50 | 3G
Celot | CT-680 | 3G
Celot | K-300 | 3G
Changhong | CH690 | 3G
China TeleCom | CBP7.0 | 3G
D-Link | DWM-156 | 3G
D-Link | DWM-162-US | 3G
D-Link | DWR-510 | 3G
Digicom | 8E4455 | 3G
EpiValley | SEC-7089 | 3G
Exiss Mobile | E-190 series | 3G
Franklin Wireless | CGU-628A | 3G
Franklin Wireless | U210 | 3G
Franklin Wireless | U600 | 3G
GW | D301 | 3G
Haier | CE 100 | 3G
Haier | CE682 (EVDO) | 3G
Huawei | E1550 | 3G
Huawei | E1612 | 3G
Huawei | E169 | 3G
Huawei | E1690 | 3G
Huawei | E1692 | 3G
Huawei | E171 | 3G
Huawei | E173 | 3G
Huawei | E1750 | 3G
Huawei | E1762 | 3G
Huawei | E177 | 3G
Huawei | E180 | 3G
Huawei | E1820 | 3G
Huawei | E270+ | 3G
Huawei | E3251 | 3G
Huawei | E3276s-151 | 3G
Huawei | E352 | 3G
Huawei | E353 | 3G
Huawei | E355s-1 | 3G
Huawei | E535 | 3G
Huawei | E587 | 3G
Huawei | E630 | 3G
Huawei | EC156 | 3G
Huawei | EC168C | 3G
Huawei | ET302 | 3G
Huawei | ET8282 | 3G
Huawei | GP02 | 3G
Huawei | K3765 | 3G
Huawei | K3770 | 3G
Huawei | K3771 | 3G
Huawei | K3772 | 3G
Huawei | K4305 | 3G
Huawei | K4505 | 3G
Huawei | K4605 | 3G
Huawei | R201 | 3G
Huawei | U7510 | 3G
Huawei | U7517 | 3G
Huawei | U8110 | 3G
Huawei | U8220 | 3G
Huawei | U8300 | 3G
I-O Data | WMX2-U Wimax | 3G
JOA Telecom | LM-700r | 3G
KDDI (Huawei) | HWD12 LTE | 3G
Kyocera | W06K | 3G
LG | AD600 | 3G
LG | HDM-2100 | 3G
LG | L-02C LTE | 3G
LG | L-03D | 3G
LG | L-05A | 3G
LG | L-07A | 3G
LG | L-08C | 3G
LG | LDU-1900D | 3G
LG | LUU-2100TI (aka AT&T USBConnect Turbo) | 3G
LG | SD711 | 3G
Mediatek | MT6229 | 3G
MediaTek | MT6276M | 3G
MediaTek | Wimax USB Card | 3G
Micromax | MMX 300c | 3G
MobiData | MBD-200HU | 3G
Netgear | WNDA3200 | 3G
Netgear (Sierra Wireless) | AC313U | 3G
Netgear (Sierra Wireless) | AC340U | 3G
Netgear (Sierra Wireless) | AC341U | 3G
Novatel | MC760 3G | 3G
Novatel | MC990D | 3G
Novatel | MC996D | 3G
Novatel | U727 | 3G
Novatel | U760 | 3G
Novatel Wireless | MC545 | 3G
Novatel Wireless | Merlin XU950D | 3G
Novatel Wireless | Ovation 930D | 3G
Novatel Wireless | Ovation MC950D HSUPA | 3G
Novatel Wireless | Ovation USB551L | 3G
Novatel Wireless | U679 Turbo Stick | 3G
Olivetti | Olicard 100 | 3G
Olivetti | Olicard 145 | 3G
Onda | MT503HS | 3G
Onda | MT505UP | 3G
Onda | MT8205 LTE | 3G
Onda | MW833UP | 3G
Onda | MW836UP-K | 3G
Onda | TM201 | 3G
Onda | WM301 | 3G
Option | Beemo | 3G
Option | GI0643 | 3G
Option | Globetrotter | 3G
Option | GlobeTrotter GI1515 | 3G
Option | iCon 461 | 3G
Option | iCon 711 | 3G
Pantech | P4200 LTE | 3G
Pantech | UML290 | 3G
Pantech | UML295 | 3G
Pantech / UTStarcom | UMW190 | 3G
Samsung | GT-B1110 | 3G
Samsung | GT-B3730 | 3G
Samsung | SGH-Z810 | 3G
Samsung | U209 | 3G
Sierra Wireless | 313, 320U | 3G
Sierra Wireless | AirCard 880U | 3G
Sierra Wireless | AirCard 881U | 3G
Sierra Wireless | Compass 597 | 3G
Solomon | S3Gm-660 | 3G
Sony Ericsson | MD300 | 3G
Sony Ericsson | MD400 | 3G
Sony Ericsson | MD400G | 3G
SpeedUp | SU-8000U | 3G
Toshiba | G450 | 3G
TP-Link | MA180 | 3G
TP-Link | MA260 | 3G
UTStarcom | UM175 | 3G
UTStarcom | UM185E | 3G
ZTE | 6535-Z | 3G
ZTE | A371B | 3G
ZTE | AC2710 | 3G
ZTE | AC2726 | 3G
ZTE | AC581 | 3G
ZTE | AC682 | 3G
ZTE | AC8710 | 3G
ZTE | AX226 WiMax | 3G
ZTE | K3520-Z | 3G
ZTE | K3565 | 3G
ZTE | K3805-Z | 3G
ZTE | MF100 | 3G
ZTE | MF110 | 3G
ZTE | MF112 | 3G
ZTE | MF190 | 3G
ZTE | MF190J | 3G
ZTE | MF192 | 3G
ZTE | MF196 | 3G
ZTE | MF620 | 3G
ZTE | MF622 | 3G
ZTE | MF626 | 3G
ZTE | MF628 | 3G
ZTE | MF652 | 3G
ZTE | MF656A | 3G
ZTE | MF668A | 3G
ZTE | MF669 | 3G
ZTE | MF671 | 3G
ZTE | MF680 | 3G
ZTE | MF691 (T-Mobile Rocket 2.0) | 3G
ZTE | MF820 4G LTE | 3G
ZTE | MF821 | 3G
ZTE | MF821D | 3G
ZTE | MU351 | 3G

 

FortiOS 5.6 Beta 3

FortiOS 5.6 Beta 3 was released. They are steadily improving upon it. There are some glaring bugs (for instance, if you are running in NGFW policy mode and put a deny for certain web categories at the very top, it kills all traffic below it too, even if there is an allow). That is going to come with the territory though as they adjust how their system approaches a packet.

Either way, progress is being made and I am very excited about where this version of code is going. I think 5.6 will genuinely be able to shut Palo Alto Networks up when it comes to their marketing of how the policies differ.