FortiWLC Abbreviating Commands

Abbreviating Commands

You only have to enter enough characters for the CLI to recognize the command as unique. This example shows how to enter the show security-profile command, with the command show abbreviated to sh:

Lab-mc3200# sh security-profile default
Security Profile Table
Security Profile Name : default
L2 Modes Allowed : clear
Data Encrypt : none
Primary RADIUS Profile Name :
Secondary RADIUS Profile Name :
WEP Key (Alphanumeric/Hexadecimal) : *****
Static WEP Key Index : 1
Re-Key Period (seconds) : 0
Captive Portal : disabled
802.1X Network Initiation : off
Tunnel Termination : PEAP, TTLS
Shared Key Authentication : off
Pre-shared Key (Alphanumeric/Hexadecimal) : *****
Group Keying Interval (seconds) : 0
Key Rotation : disabled
Reauthentication : off
MAC Filtering : off
Firewall Capability : none
Firewall Filter ID :
Security Logging : off
Allow mentioned IP/Subnet to pass through Captive portal : 0.0.0.0
Subnet Mask for allowed IP/Subnet to pass through Captive portal : 0.0.0.0
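As an added example (not code from the FortiWLC guide), the following Python script parses the security-profile table above and flags the settings a reviewer would question about this default profile; the sample text is reproduced from the output shown, and the judgement of what counts as weak is this example's own.

```python
# Constructed sample: the 'sh security-profile default' output quoted above.
# The prompt line and the table title carry no colon and are skipped by the parser.
SAMPLE_OUTPUT = """\
Lab-mc3200# sh security-profile default
Security Profile Table
Security Profile Name : default
L2 Modes Allowed : clear
Data Encrypt : none
Primary RADIUS Profile Name :
Secondary RADIUS Profile Name :
WEP Key (Alphanumeric/Hexadecimal) : *****
Static WEP Key Index : 1
Re-Key Period (seconds) : 0
Captive Portal : disabled
802.1X Network Initiation : off
Tunnel Termination : PEAP, TTLS
Shared Key Authentication : off
Pre-shared Key (Alphanumeric/Hexadecimal) : *****
Group Keying Interval (seconds) : 0
Key Rotation : disabled
Reauthentication : off
MAC Filtering : off
Firewall Capability : none
Firewall Filter ID :
Security Logging : off
Allow mentioned IP/Subnet to pass through Captive portal : 0.0.0.0
Subnet Mask for allowed IP/Subnet to pass through Captive portal : 0.0.0.0
"""


def parse_security_profile(text):
    """Turn the controller's 'Field : Value' table into a dict.

    Values may be empty (e.g. no RADIUS profile assigned); the first colon on a
    line separates the field name from its value.
    """
    fields = {}
    for raw in text.splitlines():
        key, sep, value = raw.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    return fields


def audit_security_profile(fields):
    """Return (field, finding) pairs for settings that leave the WLAN open,
    unencrypted or unmonitored. Field names are the page's; which values are
    treated as weak is this example's assumption.
    """
    findings = []
    l2_mode = fields.get("L2 Modes Allowed", "")
    encrypt = fields.get("Data Encrypt", "")
    radius = (fields.get("Primary RADIUS Profile Name", "")
              or fields.get("Secondary RADIUS Profile Name", ""))

    if l2_mode == "clear":
        findings.append(("L2 Modes Allowed",
                         "open authentication: any station can associate"))
        if fields.get("Captive Portal") == "disabled":
            findings.append(("Captive Portal",
                             "open SSID without even portal-based access control"))
    if encrypt == "none":
        findings.append(("Data Encrypt", "client traffic is sent unencrypted"))
    elif "wep" in encrypt.lower():
        findings.append(("Data Encrypt", "WEP is cryptographically broken"))
    if fields.get("802.1X Network Initiation") == "off" and not radius:
        findings.append(("802.1X Network Initiation",
                         "no 802.1X/RADIUS authentication configured"))
    if fields.get("Security Logging") == "off":
        findings.append(("Security Logging", "security events are not logged"))
    return findings


if __name__ == "__main__":
    profile = parse_security_profile(SAMPLE_OUTPUT)
    for field, finding in audit_security_profile(profile):
        print(f"{field}: {finding}")
```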


Having trouble configuring your Fortinet hardware or have some questions you need answered? Check Out The Fortinet Guru Youtube Channel! Want someone else to deal with it for you? Get some consulting from Fortinet GURU!

FortiWLC Command Line-Only Commands

Command Line-Only Commands

Many CLI commands have an equivalent functionality in the Web Interface, so you can accomplish a task using either interface. The following lists commands that have no Web Interface functionality.

EXEC Mode Commands

  • configure terminal
  • no history
  • no prompt
  • no terminal length|width
  • help
  • cd
  • copy (including copy running-config startup-config, copy startup-config running-config and all local/remote copy)
  • delete flash: image
  • delete filename
  • dir [dirname]
  • debug
  • disable
  • enable
  • exit
  • quit
  • more (including more running-config, more log-file, more running-script)
  • prompt
  • rename

  • terminal history|size|length|width
  • traceroute
  • show history
  • show running-config
  • show terminal

Config Mode Commands

  • do
  • ip username ftp|scp|sftp
  • ip password ftp|scp|sftp
  • show context

Commands that Invoke Applications or Scripts

  • calendar set
  • timezone set|menu
  • date
  • capture-packets
  • analyze-capture
  • debug
  • diagnostics[-controller]
  • ping
  • pwd
  • shutdown controller force
  • reload controller default
  • run
  • setup
  • upgrade
  • downgrade
  • poweroff
  • show calendar
  • show timezones
  • show file systems
  • show memory
  • show cpu-utilization
  • show processes

  • show flash
  • show qosflows
  • show scripts
  • show station details
  • show syslog-host
  • show log
  • autochannel
  • rogue-ap log clear
  • telnet
  • syslog-host

FortiWLC CLI Concepts

CLI Concepts

Getting Started

To start using the Command Line Interface:

  1. Connect to the controller using the serial console or Ethernet port, or remotely with a telnet or SSH2 connection once the controller has been assigned an IP address.
  2. To assign the controller an IP address, refer to the “Initial Setup” chapter of the FortiWLC (SD) Getting Started Guide.
  3. At the login prompt, enter a user ID and password. By default, the guest and admin user IDs are configured.
    • If you log in as the user admin, with the admin password, you are automatically placed in privileged EXEC mode.
    • If you log in as the user guest, you are placed in user EXEC mode. From there, you must type the enable command and the password for user admin before you can enter privileged EXEC mode.
  4. Start executing commands.

CLI Command Modes

The CLI is divided into different command modes, each with its own set of commands and in some modes, one or more submodes. Entering a question mark (?) at the system prompt or anywhere in the command provides a list of commands or options available at the current mode for the command.

User EXEC Mode

When you start a session on the controller, you begin in user mode, also called user EXEC mode. Only a subset of the commands are available in user EXEC mode. For example, most of the user EXEC commands are one-time and display-only commands, such as the show commands, which list the current configuration information, and the clear commands, which clear counters or interfaces. The user EXEC commands are not saved when the controller reboots.

  • Access method: Begin a session with the controller as the user guest.
  • Prompt: default>
  • Exit method: Enter either exit or
  • Summary: Use this mode to change console settings, obtain system information such as showing system settings and verifying network connectivity.

Privileged EXEC Mode

To access all the commands in the CLI, you need to be in privileged EXEC mode. You can either log in as admin, or enter the enable command at the user EXEC mode and provide the admin password to enter privileged EXEC mode. From this mode, you can enter any privileged EXEC command or enter Global Configuration mode.

  • Access method: Enter enable while in user EXEC mode, or log in as the user admin.
  • Prompt: default#
  • Exit method: Enter
  • Summary: Use this mode to manage system files and perform some troubleshooting. Change the default password (from Global Configuration mode) to protect access to this mode.

Global Configuration Mode

You make changes to the running configuration by using the Global Configuration mode and its many submodes. Once you save the configuration, the settings are stored and restarted when the controller reboots.

From the Global Configuration mode, you can navigate to various submodes (or branches) to perform more specific configuration functions. Some configuration submodes are security, qosrules, vlan, and so forth. This mode configures parameters that apply to the controller as a whole.

  • Access method: Enter configure terminal while in privileged EXEC mode.
  • Prompt: controller(config)#
  • Exit method: enter exit, end, or press Ctrl-Z to return to privileged EXEC mode (one level back).
  • Summary: Use this mode to configure some system settings and to enter additional configuration submodes (security, qosrules, vlan).

FortiOS IPS Engine version 3.443

Introduction

This document provides the following information for FortiOS IPS Engine version 3.443:

  • What’s New in IPS Engine 3.443
  • Product Integration and Support
  • Resolved Issues

For additional FortiOS documentation, see the Fortinet Document Library.

What’s New in IPS Engine 3.443

Bug ID Description
443479 Support for FortiSandbox Sniffer user defined file extensions.

Product Integration and Support

Fortinet Product Support

The following table lists IPS engine product integration and support information:

Product      Supported versions
FortiOS      5.2.0 and later; 5.4.0 and later; 5.6.0 and later
FortiClient  5.4.0 and later (Windows and Mac); 5.6.0 and later (Windows and Mac)

Resolved Issues

The resolved issues listed below do not list every bug that has been corrected with this release. For inquiries about a particular bug, please contact Customer Service & Support.

Bug ID Description
446858 Fixed a crash caused by a NULL pointer de-reference.
445900, 446782 Fixed two SSL deep inspection bugs.
444268 Fixed IPS engine high CPU usage caused by TCP RST packets with data.
444811 Fixed a crash in the IPS HTTP decoder on some proxy traffic. Fixed IPS_CONTEXT_URI_DECODED context field_start and field_end value for proxy traffic.
440277 Fixed a random detection miss, and a random crash in SSL packet scanning.
411415 Support session clearing by VDOM.
379449 Updated the Brotli library to match the version used by Chromium 61.
450442 Fixed crashes caused by configuration errors in IPS sensors.
444237 Fixed two bugs in the SMB2 decoder that may cause high memory usage.
403562 Fixed a bug that could cause FortiOS to enter conserve mode because of memory corruption.
451677 Fixed a bug that caused the IPS engine to incorrectly identify Phoenix PACS traffic as BitTorrent traffic.
451763 Fixed a bug that caused the IPS engine to drop STUN packets because they were identified as partial SSL records.
460391 Fixed crashes in the update_ftp_scan_ret function.
448646 Fixed high CPU usage caused by retransmission bugs.
450693, 460635 Fixed a bug that caused the ERR_SSL_DECRYPT_ERROR_ALERT message when SSL deep scanning is enabled.

What’s New in AV Engine 5.355

What’s New in AV Engine 5.355

New features

  • Support for opening ACE, ISO, and CRX compression formats.
  • New Content Disarm and Reconstruction (CDR) feature.
  • Script checksum support for HTML files.
  • Support for hidden zlib files in Object Linking and Embedding (OLE) content.
  • New scan timeout control framework.

Enhancements

  • Content Pattern Recognition Language (CPRL) signature runtime performance improvements.
  • Win32 emulator optimization.
  • APK and ZIP decompression optimization.
  • Accelerated checksum calculation.
  • File typing supports more file types including Dotnet, CHM, Mach-O, DMG and XAR, and RTF.
  • Script file typing improvements.

AV Engine for FortiOS and FortiAP-S Release Notes

Fortinet Technologies Inc.

Product Integration and Support

Fortinet Product Support

The following table lists AV engine product integration and support information:

Product    Supported versions
FortiOS    5.4.0 and later; 5.6.0 and later
FortiAP-S  5.4.0 and later; 5.6.0 and later

Resolved Issues

The resolved issues listed below do not list every bug that has been corrected with this release. For inquiries about a particular bug, please contact Customer Service & Support.

AV engine

Bug ID Description
453487 Added support for gzip files with the flag’s reserved bits set.
453982 Apply more signatures on RTF files.
413069 Fixed a crash in the JS emulator.
421545 Fixed a signature loading failure bug on FortiOS SOC3 platforms.
  Fixed potential memory issues found by fuzzing in GZIP, CAB and HTML parsing.
413625 Fixed a Win32Emulator performance degradation bug.
  Fixed memory leaks and overflows in pyarch, sis, and rar decompression.
  Fixed potential memory bugs in autoit, arj and aspack decompression.
440519 Flag UPX as archive bomb if the decompressed size is 100 times greater than original file size.
  Fixed AV engine X86_64 crash on Windows 10 build 1703.

FortiOS

Bug ID Description
467820 Fixed missing file names for RAR v5.0.
458192 MSI and KGB file types are now on the list to be sent to FortiSandbox as potentially suspicious files.

FPM-7620E processing module

FPM-7620E processing module

The FPM-7620E processing module is a high-performance worker module that processes sessions load balanced to it by FortiGate-7000 series interface (FIM) modules over the chassis fabric backplane. The FPM-7620E can be installed in any FortiGate-7000 series chassis in slots 3 and up.

The FPM-7620E includes two 80Gbps connections to the chassis fabric backplane and two 1Gbps connections to the base backplane. The FPM-7620E processes sessions using a dual CPU configuration, accelerates network traffic processing with 4 NP6 processors and accelerates content processing with 8 CP9 processors. The NP6 network processors are connected by the FIM switch fabric so all supported traffic types can be fast path accelerated by the NP6 processors.

The FPM-7620E includes the following hardware features:

  • Two 80Gbps fabric backplane channels for load balanced sessions from the FIM modules installed in the chassis.
  • Two 1Gbps base backplane channels for management, heartbeat and session sync communication.
  • Dual CPUs for high performance operation.
  • Four NP6 processors to offload network processing from the CPUs.
  • Eight CP9 processors to offload content processing and SSL and IPsec encryption from the CPUs.

FPM-7620E front panel

  • Power button.
  • NMI switch (for troubleshooting as recommended by Fortinet Support).
  • Mounting hardware.
  • LED status indicators.

Physical Description

Dimensions 1.2 x 11.34 x 14 in. (3.1 x 28.8 x 35.1 cm) (Height x Width x Depth)
Weight 7.2 lb. (3.23 kg)
Operating Temperature 32 to 104°F (0 to 40°C)
Storage Temperature -31 to 158°F (-35 to 70°C)
Relative Humidity 10% to 90% non-condensing

Front Panel LEDs

LED     State           Description
STATUS  Off             The FPM-7620E is powered off.
        Green           The FPM-7620E is powered on and operating normally.
        Flashing Green  The FPM-7620E is starting up.
ALARM   Red             Major alarm.
        Amber           Minor alarm.
        Off             No alarms.
POWER   Green           The FPM-7620E is powered on and operating normally.
        Off             The FPM-7620E is powered off.

Turning the module on and off

You can use the front panel power button to turn the module power on or off. If the module is powered on, press the power switch to turn it off. If the module is turned off and installed in a chassis slot, press the power button to turn it on.

NMI switch

When working with Fortinet Support to troubleshoot problems with the FPM-7620E you can use the front panel non-maskable interrupt (NMI) switch to assist with troubleshooting. Pressing this switch causes the software to dump registers/backtraces to the console. After the data is dumped the board reboots. While the board is rebooting, traffic is temporarily blocked. The board should restart normally and traffic can resume once it is up and running.

NP6 network processors – offloading load balancing and network traffic

The four FPM-7620E NP6 network processors combined with the FIM module integrated switch fabric (ISF) provide hardware acceleration by offloading load balancing from the FPM-7620E CPUs. The result is enhanced network performance provided by the NP6 processors plus the network processing load is removed from the CPU. The NP6 processor can also handle some CPU intensive tasks, like IPsec VPN encryption/decryption. Because of the integrated switch fabric, all sessions are fast-pathed and accelerated.

Accelerated IPS, SSL VPN, and IPsec VPN (CP9 content processors)

The FPM-7620E includes eight CP9 processors that provide the following performance enhancements:

  • Flow-based inspection (IPS, application control etc.) pattern matching acceleration with over 10Gbps throughput
  • IPS pre-scan
  • IPS signature correlation
  • Full match processors
  • High performance VPN bulk data engine
  • IPsec and SSL/TLS protocol processor
  • DES/3DES/AES128/192/256 in accordance with FIPS46-3/FIPS81/FIPS197
  • MD5/SHA-1/SHA256/384/512-96/128/192/256 with RFC1321 and FIPS180
  • HMAC in accordance with RFC2104/2403/2404 and FIPS198
  • ESN mode
  • GCM support for NSA “Suite B” (RFC6379/RFC6460) including GCM-128/256; GMAC-128/256
  • Key Exchange Processor that supports high performance IKE and RSA computation
  • Public key exponentiation engine with hardware CRT support
  • Primality checking for RSA key generation
  • Handshake accelerator with automatic key material generation
  • True Random Number generator
  • Elliptic Curve support for NSA “Suite B”
  • Sub public key engine (PKCE) to support up to 4096 bit operation directly (4k for DH and 8k for RSA with CRT)
  • DLP fingerprint support
  • TTTD (Two-Thresholds-Two-Divisors) content chunking
  • Two thresholds and two divisors are configurable

 

Hardware installation

This chapter describes installing a FPM-7620E processing module into a FortiGate-7000 chassis.

FPM-7620E mounting components

To install a FPM-7620E you slide the module into slot 3 or up in the front of a FortiGate-7000 series chassis and then use the mounting components to lock the module into place in the slot. When locked into place and positioned correctly the module front panel is flush with the chassis front panel and the module is connected to the chassis backplane.

To position the module correctly you must use the mounting components shown below for the right of the FPM-7620E front panel. The mounting components on the left of the front panel are the same but reversed. The FPM-7620E mounting components align the module in the chassis slot and are used to insert and eject the module from the slot.

[Figure: FPM-7620E mounting components on the right of the front panel, shown Open and Closed (when open the latch slides up about 2 mm)]

The FPM-7620E handles align the module in the chassis slot and are used to insert and eject the module from the slot. The latches activate micro switches that turn on or turn off power to the module. When both latches are raised the module cannot receive power. When the latches are fully closed and the module is fully inserted into a chassis slot, the module can receive power.

Inserting a FPM-7620E module into a chassis

This section describes how to install a FPM-7620E module into a FortiGate-7000 series chassis slot 3 or up.

You must carefully slide the module all the way into the chassis slot, close the handles to seat the module into the slot, and tighten the retention screws to make sure the module is fully engaged with the backplane and secured. You must also make sure that the sliding latches are fully closed by gently pushing them down. The handles must be closed, the retention screws tightened and the latches fully closed for the module to get power and start up. If the module is not receiving power all LEDs remain off.

FPM-7620Es are hot swappable. The procedure for inserting a FPM-7620E into a chassis slot is the same whether or not the chassis is powered on.

To insert a FPM-7620E into a chassis slot

Do not carry the FPM-7620E by holding the handles or retention screws. When inserting or removing the FPM-7620E from a chassis slot, handle the module by the front panel. The handles are not designed for carrying the board. If the handles become bent or damaged the FPM-7620E may not align correctly in the chassis slot.

To complete this procedure, you need:

  • A FPM-7620E
  • A FortiGate-7000 chassis with an empty hub/switch slot
  • An electrostatic discharge (ESD) preventive wrist strap with connection cord

FPM-7620Es must be protected from static discharge and physical shock. Only handle or work with FPM-7620Es at a static-free workstation. Always wear a grounded electrostatic discharge (ESD) preventive wrist strap when handling FPM-7620Es. Attach the ESD wrist strap to your wrist and to an ESD socket or to a bare metal surface on the chassis or frame. (An ESD wrist strap is not visible in the photographs below because they were taken in an ESD safe lab environment.)

  1. Remove the FPM-7620E module from its packaging. Align the module with the chassis slot and slide the module part way into the slot.

In the photograph the FPM-7620E is being installed into chassis slot 4 of a FortiGate-7040E chassis.

  2. Unlock the left and right handles by pushing the handle latches up about 2 mm until the handles pop open.

Fully open both handles before sliding the module into the chassis to avoid damaging the handle mechanism.

Damaging the handles may prevent the module from connecting to power.

  3. Carefully slide the module into the slot until the handles engage with the sides of the chassis slot, partially closing them.

Insert the module by applying moderate force to the front faceplate (not the handles) to slide the module into the slot. The module should glide smoothly into the chassis slot. If you encounter any resistance while sliding the module in, the module could be aligned incorrectly. Pull the module back out and try inserting it again.

  4. Push both handles closed and close the latches.

Closing the handles draws the module into place in the chassis slot and into full contact with the chassis backplane. The module front panel should be in contact with the chassis front panel and the latches should drop down and lock into place. You should gently push the latches down to make sure they lock. The module will not receive power until the latches are fully locked.

  5. Tighten both retention screws to secure the module in the chassis.

You can tighten the retention screws by hand with a Phillips screwdriver. If you use a power screwdriver, set the tightening torque to between 3 in-lb and 4 in-lb (0.4 N-m to 0.48 N-m).

As the latches are locked, power is supplied to the module. If the chassis is powered on during insertion the status LED flashes green as the module starts up. Once the board has started up and is operating correctly, the front panel LEDs are lit for normal operation.

Normal LED operation

LED   State
Status   Green
Alarm   Off
Power   Green

Shutting down and removing a FPM-7620E board from a chassis

Shutting down and removing a FPM-7620E board from a chassis

To avoid potential hardware problems, always shut down the FPM-7620E operating system properly before removing the FPM-7620E from a chassis slot or before powering down the chassis.

Disconnect all cables from the FPM-7620E module, including all network cables and USB cables or keys.

FPM-7620Es are hot swappable. The procedure for removing a FPM-7620E from a chassis slot is the same whether or not the chassis is powered on.

To remove a FPM-7620E board from a chassis slot

Do not carry the FPM-7620E by holding the handles or retention screws. When inserting or removing the FPM-7620E from a chassis slot, handle the module by the front panel. The handles are not designed for carrying the board. If the handles become bent or damaged the FPM-7620E may not align correctly in the chassis slot.

To complete this procedure, you need:

  • A FortiGate-7000 chassis with a FPM-7620E module installed
  • An electrostatic discharge (ESD) preventive wrist strap with connection cord

FPM-7620Es must be protected from static discharge and physical shock. Only handle or work with FPM-7620Es at a static-free workstation. Always wear a grounded electrostatic discharge (ESD) preventive wrist strap when handling FPM-7620Es. (An ESD wrist strap is not visible in the photographs below because they were taken in an ESD safe lab environment.)

 

  1. Fully loosen the retention screws.

You must fully loosen the screws or the handles may be damaged when used to eject the board from the chassis slot.

  2. Unlock the left and right handles by pushing the latches up about 2 mm until the handles pop open.

  3. Fully open the handles to eject the module from the chassis.

You need to open the handles with moderate force to eject the module from the chassis.

  4. Hold the module front panel sides and slide it part way out of the slot. Then grasp the module by the sides and carefully slide it out of the slot.

Troubleshooting

Troubleshooting

This section describes some common troubleshooting topics:

FPM-7620E does not start up

Positioning of FPM-7620E handles and a few other causes may prevent a FPM-7620E from starting up correctly.

Latches and handles not fully closed

If the latches or handles are damaged or positioned incorrectly the FPM-7620E may not start up. Make sure the latches are fully closed and the handles are correctly aligned, fully inserted and locked and the retention screws are tightened.

Firmware problem

If the FPM-7620E is receiving power, the latches and handles are fully closed, and you have restarted the chassis and the FPM-7620E still does not start up, the problem could be with FortiOS. Connect to the FPM-7620E console and try cycling the power to the board. If the BIOS starts up, interrupt the BIOS startup and install a new firmware image.

If this does not solve the problem, contact Fortinet Technical Support.

FPM-7620E status LED is flashing during system operation

Normally, the FPM-7620E Status LED is off when the FPM-7620E is operating normally. If this LED starts flashing while the module is operating, a fault condition may exist. At the same time the FPM-7620E may stop processing traffic.

To resolve the problem you can try removing and reinserting the FPM-7620E in the chassis slot. Reloading the firmware may also help.

If this does not solve the problem there may have been a hardware failure or other problem. Contact Fortinet Technical Support for assistance.


FortiGate-7000 Load balancing commands

FortiGate-7000 Load balancing commands

The most notable difference between a FortiGate-7000 and other FortiGates are the commands described in this section for configuring load balancing. The following commands are available:

config load-balance flow-rule
config load-balance setting

In most cases you do not have to use these commands. However, they are available to customize some aspects of load balancing.

config load-balance flow-rule

Use this command to add flow rules that add exceptions to how matched traffic is processed by a FortiGate-7000. Specifically you can use these rules to match a type of traffic and control whether the traffic is forwarded or blocked. And if the traffic is forwarded you can specify whether to forward the traffic to a specific FPM or to all FPMs. Unlike firewall policies, load-balance rules are not stateful so for bi-directional traffic, you may need to define two flow rules to match both traffic directions (forward and reverse).

One common use of this command is to control how traffic that is not load balanced is handled. For example, use the following command to send all GRE traffic to the processor module in slot 4. In this example the GRE traffic is received by FortiGate-7000 front panel ports 1C1 and 1C5:

config load-balance flow-rule
    edit 0
        set src-interface 1c1 1c5
        set ether-type ip
        set protocol gre
        set action forward
        set forward-slot 4
    end

The default configuration includes a number of flow rules that send traffic such as BGP traffic, DHCP traffic and so on to the primary worker. This is traffic that cannot be load balanced and is then just processed by the primary worker.

Syntax

config load-balance flow-rule
    edit 0
        set status {disable | enable}
        set src-interface <interface-name> [<interface-name> ...]
        set vlan <vlan-id>
        set ether-type {any | arp | ip | ipv4}
        set src-addr-ipv4 <ip-address> <netmask>
        set dst-addr-ipv4 <ip-address> <netmask>
        set src-addr-ipv6 <ip-address> <netmask>
        set dst-addr-ipv6 <ip-address> <netmask>
        set protocol {any | icmp | tcp | udp | igmp | sctp | gre | esp | ah | ospf | pim | vrrp}
        set src-l4port <start>[-<end>]
        set dst-l4port <start>[-<end>]
        set action {forward | mirror-ingress | mirror-egress | stats | drop}
        set mirror-interface <interface-name>
        set forward-slot {master | all | load-balance | FPM3 | FPM4}
        set priority <number>
        set comment <text>
    end

status {disable | enable}

Enable or disable this flow rule. Default for a new flow-rule is disable.

src-interface <interface-name> [<interface-name> ...]

The names of one or more FIM interface front panel interfaces accepting the traffic to be subject to the flow rule.

vlan <vlan-id>

If the traffic matching the rule is VLAN traffic, enter the VLAN ID used by the traffic.

ether-type {any | arp | ip | ipv4 | ipv6}

The type of traffic to be matched by the rule. You can match any traffic (the default) or just match ARP, IP, or IPv4 traffic.

{src-addr-ipv4 | dst-addr-ipv4 | src-addr-ipv6 | dst-addr-ipv6} <ip-address> <netmask>

The source and destination address of the traffic to be matched. The default of 0.0.0.0 0.0.0.0 matches all traffic.

protocol {any | icmp | tcp | udp | igmp | sctp | gre | esp | ah | ospf | pim | vrrp}

If ether-type is set to ip, ipv4 or ipv6 specify the protocol of the IP or IPv4 traffic to match the rule. The default is any.

{src-l4port | dst-l4port} <start>[-<end>]

Specify a source port range and a destination port range. This option appears only for some protocol settings, for example when protocol is set to tcp or udp. The default range is 0-0.

action {forward | mirror-ingress | mirror-egress | stats | drop}

How to handle matching packets. They can be dropped, forwarded to another destination or you can record statistics about the traffic for later analysis. You can combine two or three settings in one command for example you can set action to both forward and stats to forward traffic and collect statistics about it. Use append to add multiple options.

The default action is forward.

The mirror-ingress option copies (mirrors) all ingress packets that match this flow rule and sends them to the interface specified with the mirror-interface option.

The mirror-egress option copies (mirrors) all egress packets that match this flow rule and sends them to the interface specified with the mirror-interface option.

mirror-interface <interface-name>

The name of the interface to send packets matched by this flow rule to when action is set to mirror-ingress or mirror-egress.

forward-slot {master | all | load-balance | FPM3 | FPM4 | FPM5 | FPM6}

The worker that you want to forward the traffic that matches this rule to. master forwards the traffic to the worker that is operating as the primary worker (usually the FPM module in slot 3). all means forward the traffic to all workers. load-balance means use the default load balancing configuration to handle this traffic. FPM3, FPM4, FPM5 and FPM6 allow you to forward the matching traffic to a specific FPM module: FPM3 is the FPM module in slot 3, FPM4 is the FPM module in slot 4, and so on.

priority <number>

Set the priority of the flow rule in the range 1 (highest priority) to 10 (lowest priority). Higher priority rules are matched first. You can use the priority to control which rule is matched first if you have overlapping rules.

comment <text>

Optionally add a comment that describes the rule.
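The matching and priority behaviour described above, as an added Python model that is not FortiGate-7000 code: it evaluates constructed packets against a rule set built from the page's GRE example plus rules of my own, showing the priority order, a combined forward and stats action, and why a stateless flow rule needs a reverse-direction twin. The packet dictionary layout, the CIDR form of addresses, the use of FPM4 for the example's slot 4, and treating ether-type ip as both IPv4 and IPv6 are assumptions.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import FrozenSet, Optional, Tuple


@dataclass
class FlowRule:
    """Assumed model of one 'config load-balance flow-rule' entry, using the page's
    option names. Defaults follow the page: address 0.0.0.0 0.0.0.0 and port
    range 0-0 mean 'any', and priority runs from 1 (highest) to 10 (lowest)."""
    name: str
    src_interface: Tuple[str, ...] = ()        # () == any FIM front panel interface
    vlan: Optional[int] = None
    ether_type: str = "any"                    # any | arp | ip | ipv4 | ipv6
    src_addr: Optional[str] = None             # CIDR string, e.g. "10.0.0.0/8"
    dst_addr: Optional[str] = None
    protocol: str = "any"                      # icmp | tcp | udp | gre | ...
    src_l4port: Tuple[int, int] = (0, 0)
    dst_l4port: Tuple[int, int] = (0, 0)
    action: FrozenSet[str] = frozenset({"forward"})   # 'append' can add stats, etc.
    forward_slot: str = "load-balance"         # master | all | load-balance | FPM3..
    priority: int = 10
    status: str = "enable"


def port_in_range(rng, port):
    """0-0 is the page's default and matches any port; <start> alone means exact."""
    start, end = rng
    if (start, end) == (0, 0):
        return True
    return start <= port <= max(start, end)


def rule_matches(rule, pkt):
    """pkt is a dict: ingress, ether_type ('ipv4' | 'ipv6' | 'arp'), optional vlan,
    and for IP frames src, dst, proto plus sport/dport for tcp and udp."""
    if rule.status != "enable":
        return False
    if rule.src_interface and pkt["ingress"] not in rule.src_interface:
        return False
    if rule.vlan is not None and pkt.get("vlan") != rule.vlan:
        return False
    et = pkt["ether_type"]
    is_ip = et in ("ipv4", "ipv6")
    if rule.ether_type == "ip":               # assumption: 'ip' covers IPv4 and IPv6
        if not is_ip:
            return False
    elif rule.ether_type != "any" and rule.ether_type != et:
        return False
    if not is_ip:                             # L3/L4 matchers only apply to IP frames
        return rule.protocol == "any" and rule.src_addr is None and rule.dst_addr is None
    if rule.protocol != "any" and pkt.get("proto") != rule.protocol:
        return False
    for cidr, addr in ((rule.src_addr, pkt["src"]), (rule.dst_addr, pkt["dst"])):
        if cidr and ip_address(addr) not in ip_network(cidr, strict=False):
            return False
    if pkt.get("proto") in ("tcp", "udp"):
        if not port_in_range(rule.src_l4port, pkt["sport"]):
            return False
        if not port_in_range(rule.dst_l4port, pkt["dport"]):
            return False
    return True


def evaluate(rules, pkt):
    """Highest priority (lowest number) matching rule wins; unmatched traffic takes
    the normal load-balanced path. Returns (actions, forward_slot, rule_name);
    forward_slot is None when the winning rule does not forward."""
    for rule in sorted(rules, key=lambda r: r.priority):
        if rule_matches(rule, pkt):
            slot = rule.forward_slot if "forward" in rule.action else None
            return rule.action, slot, rule.name
    return frozenset({"forward"}), "load-balance", None


# Constructed rule set: the page's GRE example (ports 1c1/1c5 to slot 4), a reverse
# direction twin because flow rules are not stateful, and two overlapping telnet rules
# that rely on priority to decide which one wins.
RULES = [
    FlowRule("gre-to-slot4", src_interface=("1c1", "1c5"), ether_type="ip",
             protocol="gre", forward_slot="FPM4"),
    FlowRule("gre-return", src_interface=("2c1",), ether_type="ip",
             protocol="gre", forward_slot="FPM4"),
    FlowRule("telnet-stats", ether_type="ip", protocol="tcp", dst_l4port=(23, 23),
             action=frozenset({"forward", "stats"}), priority=5),
    FlowRule("mgmt-telnet-drop", ether_type="ip", protocol="tcp",
             dst_addr="10.0.0.0/8", dst_l4port=(23, 23),
             action=frozenset({"drop"}), priority=1),
]


def demo():
    """Evaluate a few constructed packets and return {label: evaluate(...)}."""
    pkts = {
        "gre_in": {"ingress": "1c1", "ether_type": "ipv4", "src": "192.0.2.10",
                   "dst": "198.51.100.20", "proto": "gre"},
        "gre_back": {"ingress": "2c1", "ether_type": "ipv4", "src": "198.51.100.20",
                     "dst": "192.0.2.10", "proto": "gre"},
        "telnet_mgmt": {"ingress": "1c1", "ether_type": "ipv4", "src": "192.0.2.10",
                        "dst": "10.1.2.3", "proto": "tcp", "sport": 40000, "dport": 23},
    }
    return {label: evaluate(RULES, pkt) for label, pkt in pkts.items()}


if __name__ == "__main__":
    for label, (actions, slot, name) in demo().items():
        print(f"{label}: actions={sorted(actions)} slot={slot} rule={name}")
```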

config load-balance setting

Use this command to set a wide range of load balancing settings.

config load-balance setting
    set gtp-load-balance {disable | enable}
    set max-miss-heartbeats <heartbeats>
    set max-miss-mgmt-heartbeats <heartbeats>
    set weighted-load-balance {disable | enable}
    set dp-load-distribution-method {round-robin | src-ip | dst-ip | src-dst-ip | src-ip-sport | dst-ip-dport | src-dst-ip-sport-dport}
    config workers
        edit 3
            set status enable
            set weight 5
    end
end

gtp-load-balance {disable | enable}

Enable GTP load balancing for FortiGate-7000 configurations licensed for FortiOS Carrier.

max-miss-heartbeats <heartbeats>

Set the number of missed heartbeats before a worker is considered to have failed. If this many heartbeats are not received from a worker, this indicates that the worker is not able to process data traffic and no more traffic will be sent to this worker.

The time between heartbeats is 0.2 seconds. Range is 3 to 300. 3 means 0.6 seconds, 10 (the default) means 2 seconds, and 300 means 60 seconds.

max-miss-mgmt-heartbeats <heartbeats>

Set the number of missed management heartbeats before a worker is considered to have failed. If a management heartbeat fails, there is a communication problem between a worker and other workers. This communication problem means the worker may not be able to synchronize configuration changes, sessions, the kernel routing table, the bridge table and so on with other workers. If a management heartbeat failure occurs, no traffic will be sent to the worker.

The time between management heartbeats is 1 second. Range is 3 to 300 seconds. The default is 20 seconds.

weighted-load-balance {disable | enable}

Enable weighted load balancing depending on the slot weight. Use the config slot command to set the weight for each slot.

dp-load-distribution-method {round-robin | src-ip | dst-ip | src-dst-ip | src-ip-sport | dst-ip-dport | src-dst-ip-sport-dport}

Set the method used to distribute sessions among workers. Usually you would only need to change the method if you had specific requirements or you found that the default method wasn't distributing sessions in the manner that you would prefer. The default is src-dst-ip-sport-dport, which means sessions are identified by their source address and port and destination address and port.

  • round-robin directs new requests to the next slot regardless of response time or number of connections.
  • src-ip traffic load is distributed across all slots according to source IP address.
  • dst-ip traffic load is statically distributed across all slots according to destination IP address.
  • src-dst-ip traffic load is distributed across all slots according to the source and destination IP addresses.
  • src-ip-sport traffic load is distributed across all slots according to the source IP address and source port.
  • dst-ip-dport traffic load is distributed across all slots according to the destination IP address and destination port.
  • src-dst-ip-sport-dport traffic load is distributed across all slots according to the source and destination IP address, source port, and destination port. This is the default load balance schedule and represents true session-aware load balancing.

config workers

Set the weight and enable or disable each worker. Use the edit command to specify the slot the worker is installed in. You can enable or disable each worker and set each worker’s weight.

The weight range is 1 to 10. 5 is average, 1 is -80% of average and 10 is +100% of average. The weights take effect if weighted-load-balance is enabled.

config workers
    edit 3
        set status enable
        set weight 5
end

FortiGate-7000 v5.4.3 special features and limitations

This section describes special features and limitations for FortiGate-7000 v5.4.3.

Managing the FortiGate-7000

Management is only possible through the MGMT1 to MGMT4 front panel management interfaces. By default the MGMT1 to MGMT4 interfaces of the FIM modules in slot 1 and slot 2 are in a single static aggregate interface named mgmt with IP address 192.168.1.99. You manage the FortiGate-7000 by connecting any one of these eight interfaces to your network, opening a web browser and browsing to https://192.168.1.99.

Default management VDOM

By default the FortiGate-7000 configuration includes a management VDOM named dmgmt-vdom. For the FortiGate-7000 system to operate normally you should not change the configuration of this VDOM and this VDOM should always be the management VDOM. You should also not add or remove interfaces from this VDOM.

You have full control over the configurations of other FortiGate-7000 VDOMs.

Firewall

TCP sessions with NAT enabled that are expected to be idle for more than the distributed processing normal TCP timer (which is 3605 seconds) should only be distributed to the master FPM using a flow rule. You can configure the distributed normal TCP timer using the following command:

config system global
    set dp-tcp-normal-timer <timer>
end

UDP sessions with NAT enabled that are expected to be idle for more than the distributed processing normal UDP timer should only be distributed to the primary FPM using a flow rule.

Link monitoring and health checking

ICMP-based link monitoring for SD-WAN, ECMP, HA link monitoring, and firewall session load balancing monitoring (or health checking) is not supported. Use TCP or UDP options for link monitoring instead.

IP Multicast

IPv4 and IPv6 Multicast traffic is only sent to the primary FPM module (usually the FPM in slot 3). This is controlled by the following configuration:

config load-balance flow-rule
    edit 18
        set status enable
        set vlan 0
        set ether-type ipv4
        set src-addr-ipv4 0.0.0.0 0.0.0.0
        set dst-addr-ipv4 224.0.0.0 240.0.0.0
        set protocol any
        set action forward
        set forward-slot master
        set priority 5
        set comment "ipv4 multicast"
    next
    edit 19
        set status enable
        set vlan 0
        set ether-type ipv6
        set src-addr-ipv6 ::/0
        set dst-addr-ipv6 ff00::/8
        set protocol any
        set action forward
        set forward-slot master
        set priority 5
        set comment "ipv6 multicast"
end
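The flow-rule semantics described on this page (priority 1 is matched first, overlapping rules, forward-slot, and the session key selected by dp-load-distribution-method) can be modelled in a few lines. The following Python is an added example, not Fortinet code: it uses a sha256 stand-in for the appliance's undocumented session hash, assumes ether-type ip matches both IPv4 and IPv6, and encodes the two multicast rules above.

```python
import hashlib
import ipaddress
from collections import namedtuple

# Session-key fields for each dp-load-distribution-method (round-robin is stateful; omitted).
KEY_FIELDS = {"src-ip": ("src",), "dst-ip": ("dst",), "src-dst-ip": ("src", "dst"),
              "src-ip-sport": ("src", "sport"), "dst-ip-dport": ("dst", "dport"),
              "src-dst-ip-sport-dport": ("src", "dst", "sport", "dport")}  # the default

# ether_type: "ipv4", "ipv6" or "ip" (assumed here to match either); dst: destination prefix;
# forward_slot: "master", "load-balance" or a slot name such as "FPM4"; priority: 1 = highest.
FlowRule = namedtuple("FlowRule", "rule_id ether_type dst protocol action forward_slot priority",
                      defaults=("any", frozenset({"forward"}), "master", 5))
Packet = namedtuple("Packet", "src dst protocol sport dport", defaults=("any", 0, 0))

def matches(rule, pkt):
    # A rule matches when ether-type, protocol and destination prefix all agree.
    dst = ipaddress.ip_address(pkt.dst)
    if rule.ether_type != "ip" and rule.ether_type != f"ipv{dst.version}":
        return False
    if rule.protocol != "any" and rule.protocol != pkt.protocol:
        return False
    return dst in ipaddress.ip_network(rule.dst)

def hash_slot(pkt, workers, method="src-dst-ip-sport-dport"):
    # Stand-in for the appliance's session hash: equal key fields always pick the same worker.
    key = "|".join(str(getattr(pkt, f)) for f in KEY_FIELDS[method])
    digest = hashlib.sha256(key.encode()).digest()
    return workers[int.from_bytes(digest[:4], "big") % len(workers)]

def dispatch(rules, pkt, workers, method="src-dst-ip-sport-dport"):
    # Returns (action, slot); rules with a lower priority number are tried first.
    for rule in sorted(rules, key=lambda r: r.priority):
        if matches(rule, pkt):
            if "drop" in rule.action:
                return ("drop", None)
            if rule.forward_slot != "load-balance":
                return ("forward", rule.forward_slot)
            break  # explicit load-balance: fall through to the session hash
    return ("forward", hash_slot(pkt, workers, method))

# The two multicast rules from the configuration above (rule 18 and rule 19).
MULTICAST_RULES = [FlowRule(18, "ipv4", "224.0.0.0/4"), FlowRule(19, "ipv6", "ff00::/8")]
```

Adding a drop rule at priority 1 that overlaps a forward rule at priority 5 shows why the priority field matters for overlapping rules: the lower number wins regardless of configuration order.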

High Availability

Only the M1 and M2 interfaces are used for the HA heartbeat communication.

When using both M1 and M2 for the heartbeat, FortiGate-7000 v5.4.3 requires two switches: the first switch to connect all M1 ports together, and the second switch to connect all M2 ports together. This is because the same VLAN is used for both M1 and M2 and the interface groups should remain in different broadcast domains.

Using a single switch for both M1 and M2 heartbeat traffic is possible if the switch supports q-in-q tunneling. In this case use different VLANs for M1 traffic and M2 traffic to keep two separated broadcast domains in the switch.

The following FortiOS HA features are not supported or are supported differently by FortiGate-7000 v5.4.3:

  • Remote IP monitoring (configured with the option pingserver-monitor-interface and related settings) is not supported.
  • Active-active HA is not supported.
  • The range for the HA group-id is 0 to 14.
  • Failover logic for FortiGate-7000 v5.4.3 HA is not the same as FGSP for other FortiGate clusters.
  • HA heartbeat configuration is specific to FortiGate-7000 systems and differs from standard HA.

  • FortiGate Session Life Support Protocol (FGSP) HA (also called standalone session synchronization) is not supported.

Shelf Manager Module

It is not possible to access SMM CLI using Telnet or SSH. Only console access is supported using the chassis front panel console ports as described in the FortiGate-7000 system guide.

For monitoring purposes, IPMI over IP is supported on SMM Ethernet ports. See your FortiGate-7000 system guide for details.

FortiOS features that are not supported by FortiGate-7000 v5.4.3

The following mainstream FortiOS 5.4.3 features are not supported by the FortiGate-7000 v5.4.3:

  • Hardware switch
  • Switch controller
  • WiFi controller
  • WAN load balancing (SD-WAN)
  • IPv4 over IPv6, IPv6 over IPv4, IPv6 over IPv6 features
  • GRE tunneling is only supported after creating a load balance flow rule, for example:

config load-balance flow-rule
    edit 0
        set status enable
        set vlan 0
        set ether-type ip
        set protocol gre
        set action forward
        set forward-slot master
        set priority 3
end

  • Hard disk features including WAN optimization, web caching, explicit proxy content caching, disk logging, and GUI-based packet sniffing.
  • Log messages should be sent only using the management aggregate interface.

IPsec VPN tunnels terminated by the FortiGate-7000

This section lists FortiGate-7000 limitations for IPsec VPN tunnels terminated by the FortiGate-7000:

  • Interface-based IPsec VPN is recommended.
  • Policy-based IPsec VPN is supported, but requires creating flow rules for each Phase 2 selector.
  • Dynamic routing and policy routing are not supported for IPsec interfaces.
  • Remote network subnets are limited to /16 prefix.
  • IPsec static routes don't consider distance, weight, priority settings. IPsec static routes are always installed in the routing table, regardless of the tunnel state.
  • IPsec tunnels are not load-balanced across the FPMs; all IPsec tunnel sessions are sent to the primary FPM module.
  • IPsec VPN dialup or dynamic tunnels require a flow rule that sends traffic destined for IPsec dialup IP pools to the primary FPM module.
  • In an HA configuration, IPsec SAs are not synchronized to the backup chassis. IPsec SAs are re-negotiated after a failover.

More about IPsec VPN routing limitations

For IPv4 traffic, FortiGate-7000s can only recognize 16-bit or 32-bit netmasks. For example:

The following netmasks are supported:

  • 34.0.0/24
  • 12.34.0.0 255.255.0.0
  • 12.34.56.0/21
  • 12.34.56.0 255.255.248.0
  • 12.34.56.78/32
  • 12.34.56.78 255.255.255.255
  • 34.56.78 (for single IP addresses, FortiOS automatically uses 32-bit netmasks)

The following netmasks are not supported:

  • 34.0.0/15 (netmask is less than 16-bit)
  • 12.34.0.0 255.254.0.0 (netmask is less than 16-bit)
  • 12.34.56.1-12.34.56.100 (ip range is not supported)
  • 12.34.56.78 255.255.220.0 (invalid netmask)
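A pre-deployment check that classifies a remote-subnet specification the way the examples above do saves a failed tunnel later. The following Python is an added example, not Fortinet code; it assumes, from those examples, that a supported entry is a contiguous IPv4 netmask of at least 16 bits, that a bare address means /32, and that IP ranges are rejected.

```python
import ipaddress

def ipsec_subnet_supported(spec):
    # Returns (supported, reason) for "a.b.c.d/N", "a.b.c.d m.m.m.m" or a bare IPv4 address.
    spec = spec.strip()
    if "-" in spec:
        return (False, "ip range is not supported")
    try:
        parts = spec.split()
        if len(parts) == 2:            # dotted-decimal mask form, e.g. "12.34.0.0 255.255.0.0"
            net = ipaddress.ip_network(f"{parts[0]}/{parts[1]}", strict=False)
        else:                          # CIDR form, or a single address which becomes /32
            net = ipaddress.ip_network(spec, strict=False)
    except ValueError as exc:          # non-contiguous masks such as 255.255.220.0 land here
        return (False, f"invalid netmask ({exc})")
    if net.version != 4:
        return (False, "rule applies to IPv4 routes only")
    if net.prefixlen < 16:
        return (False, "netmask is less than 16-bit")
    return (True, f"{net.with_prefixlen} ok")
```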

SSL VPN

Sending all SSL VPN sessions to the primary FPM module is recommended. You can do this by:

  • Creating a flow rule that sends all sessions that use the SSL VPN destination port and IP address to the primary FPM module.
  • Creating flow rules that send all sessions that use the SSL VPN IP pool addresses to the primary FPM module.

Authentication

This section lists FortiGate-7000 authentication limitations:

  • Active authentication that requires a user to manually log into the FortiGate firewall can be problematic because the user may be prompted for credentials more than once as sessions are distributed to different FPM modules. You can avoid this by changing the load distribution method to src-ip.
  • FSSO is supported. Each FPM independently queries the server for user credentials.
  • RSSO is only supported after creating a load balance flow rule to broadcast RADIUS accounting messages to all FPM modules.

Traffic shaping and DDoS policies

Each FPM module applies traffic shaping and DDoS quotas independently. Because of load-balancing, this may allow more traffic than expected.

Sniffer mode (one-arm sniffer)

One-arm sniffer mode is only supported after creating a load balance flow rule to direct sniffer traffic to a specific FPM module.

FortiGuard Web Filtering

All FortiGuard rating queries are sent through the management aggregate interface from the management VDOM (named dmgmt-vdom).

Log messages include a slot field

An additional “slot” field has been added to log messages to identify the FPM module that generated the log.

FortiOS Carrier

FortiOS Carrier is supported by the FortiGate-7000 v5.4.3 but GTP load balancing is not supported.

You have to apply a FortiOS Carrier license separately to each FIM and FPM module to license a FortiGate-7000 chassis for FortiOS Carrier.

Special notice for new deployment connectivity testing

Only the primary FPM module can successfully ping external IP addresses. During a new deployment, while performing connectivity testing from the FortiGate-7000, make sure to run execute ping tests from the primary FPM module CLI.
