Category Archives: Administration Guides

FortiWAN Outbound Load Balancing and Failover (Auto Routing)

1 Reply

Outbound Load Balancing and Failover (Auto Routing)

Auto Routing Mechanism

Auto Routing load-balances the outbound traffic across multiple WAN links according to a pre-defined routing policies. During WAN link failures, auto routing will also adjust the routing methods to distribute the outbound traffic ONLY among the WAN links in fit and working conditions, thus avoiding the failed link(s).

The traditional method of backing up WAN links by having a secondary WAN link taking over the failed link. Basically having a main line and a second line as backup, aided by any standard router’s backup policy, minimum fault tolerance can be achieved. This kind of approach means certain lines remain idle for most of the time and it is a waste of resources. In addition, the router configurations can be tedious.

Another approach for multiple WAN links backup is by dividing the LAN into multiple segments, each doing its own thing as they are all independent WAN links. Under standard conditions, each segment has its own way using separate routers. When one of the WAN links fails, the administrator has to change the router configuration to bypass the failed link. The obvious drawback to this approach is the unnecessary workload for administrators. Whenever WAN link status changes, the LAN environment settings (such as gateway, netmask, router policies, proxy settings, etc) all need to be adjusted.

Fault Tolerance Mechanism

As previously stated, without WAN load-balancer such as FortiWAN, the traditional way of using multiple WAN links always involves human intervention.

FortiWAN has an internal “Virtual Trunk” circuit, which is essentially a combination of the multiple WAN links. Auto routing is capable of adjusting the ‘Virtual Trunk” to include only the WAN links that are functioning normally and to direct outbound traffic through the “Virtual Trunk circuit” without human intervention. Network users will therefore not be able to notice any change of status in WAN links (See “WAN Link Health Detection”).

The figure above illustrates auto routing securing uninterrupted connection to the internet even during WAN link failures. Compared to the traditional multiple WAN link usage, auto routing can effectively use all available WAN links to balance outbound traffic even when all the WAN links are in perfect working condition. Auto routing cannot prevent data loss on a WAN link when it fails, but all subsequent sessions will be automatically routed to other working links.

FortiWAN provides mechanisms to record, notify and analysis on events refer to the Auto Routing service, see “Log”, “Statistics: Traffic”, “Statistics: Bandwidth” and “Reports”.

Configurations

It allows administrators to determine the way traffic is routed to WAN links. Multiple WAN links have a variety of ideal auto-routing methods for any network environment. Auto routing is configured in 2 steps: Policies and Filters.

Policy

An Auto Routing policy defines how to dynamically distribute outbound traffic (sessions) over multiple WAN links according to traffic loading of the WAN links, which achieve the outbound load balancing. The basic items to define a policy are the load balancing algorithm and the related WAN parameters. By associating an Auto Routing filter rule with a policy, Auto Routing can determine a good WAN link among the candidates and route the outgoing sessions that match the filter rule to the WAN link.

Label   Enter a name to the auto routing policy. The label (policy name) will be listed in the Routing Policy drop-menu later for assigning a policy to a filter.
T   Check to enable threshold function to the policy.

Administrators can configure the downstream and upstream threshold of each WAN link on the configuration page of WAN Setting (See “Configuring your WAN”). WAN links with traffic that exceeds the threshold values will be considered as failed to Auto Routing, and traffic flow will be re-directed to other WAN links based on the selected algorithm.
Algorithm   Select an load balancing algorithm from the drop-down menu for this routing policy. System distributes sessions that match this policy among WAN links according to the algorithm. The algorithms for options are:

l Fixed l Round-Robin l By Connection l By Downstream Traffic l By Upstream Traffic l By Total Traffic l By Optimum Route

See Load Balancing Algorithms for the details.
Parameter Select the WAN links from the WAN parameters for this routing policy to distribute sessions among. Numbering schemes indicate the WAN links. According to the algorithm, system dynamically routes each matched session to one of the participating WAN links. The WAN parameters varies from the chosen algorithm:

l  For algorithms Fixed, By Upstream Traffic, By Downstream Traffic, By Total Traffic and By Optimum Route, check the check-box under a number scheme to apply the WAN link to this policy. Selecting multiple WAN links is allowed and it implies traffic is balanced among the selected WAN links. When you create a new policy by click the add button for configuring it, the WAN parameters are checked by default if the corresponding WAN links have been enabled (see Configuring your WAN). Uncheck the check-box of a WAN link to remove it from this routing policy.

l  For algorithms Round-Robin and By Connection, apply a WAN link to this policy by defining the weight (or ratio) on the input box under a number scheme. Selecting multiple WAN links is allowed and it implies traffic is balanced among the selected WAN links. When you create a new policy by click the add button for configuring it, weights are defined as 1 to the WAN parameters by default if the corresponding WAN links have been enabled (see Configuring your WAN). Change the weight of a WAN link to 0 (zero) to remove it from this routing policy.

Filter

Auto Routing filters are used to evaluate against the outbound sessions (sessions from LAN and DMZ to the Internet through the FortiWAN). The routing policy and fail-over of a matching filter rule are applied to the evaluated sessions. Base on the specified policies, Auto Routing determines which WAN port to use for forwarding packets of the sessions. A filter rule consists of a set of filter terms (When, Input Port, Source, Destination and Service) and the related policies (Routing policy and Fail-over policy) for action.

E Check to enable the rule.
When Select a time period for this filter term to evaluate the outbound sessions by the receiving time, or leave it as All-Time. See Busyhour Settings for details.
Input Port Select a interface that packets are received on for this filter term to evaluate the outbound sessions, or leave it as Any Port. See Using the web UI for details.
Source Define the source that packets come from for this filter term to evaluate the outbound sessions, or leave it as Any Address. See Using the web UI for details.
Destination Define the destination that packets are destined to for this filter term to evaluate the outbound sessions, or leave it as WAN. See Using the web UI for details.
Service Define the service that the packets belong to for this filter term to evaluate the outbound sessions, or leave it as Any. See Using the web UI for details.

 

Routing Policy Specify a routing policy for sessions that match this filter rule, or leave it as Default Policy. A matched session will be dynamically routed to a WAN link according to the policy. All the predefined routing policies are list here for options.
Fail-over Policy Once all the WAN links defined to a routing policy get failed, the fail-over policy will take effect. The fail-over policy could be one of the following options:

Predefined routing policy – Select another predefined routing policy as fail-over policy. The backup routing policy takes over to determine a WAN link for this session if the original routing policy fails.

Tunnel: TUNNEL_GROUP_NAME – This option is available only when Tunnel Routing is enabled. Select a predefined tunnel group as the fail-over policy. Once the fail-over policy takes over the original routing policy, packets of the session will be delivered to the remote FortiWAN device through Tunnel Routing. With defining appropriate Auto Routing policy and filter rule on the remote FortiWAN, packets of the session can be transferred through a WAN link of the remote FortiWAN. See Tunnel Routing for details.

NEXT-MATCH – When NEXT-MATCH takes over original routing policy, system continues evaluating the subsequent filter rules against the session and move on to the next matched policy where packets fall into. At least, it matches the default filter rule and goes to the default policy.

NO-ACTION – Take no actions when the original routing policy get failed, and packets of the session will be dropped.
L Check to enable logging. Whenever the rule is matched, system will record the event to log file.

Example 1

The auto routing policies to be established accordingly:

  1. Always route connections through WAN#1, which is an ADSL WAN link with 512k downstream/512k upstream.
  2. Always route connections through WAN#2, which is an ADSL WAN link with 1.5M downstream/384k upstream.
  3. Route connections with algorithm “Optimum Route”.
  4. Route connections based on the current downstream traffic of WAN links.
  5. Route connections based on the total traffic of each WAN link. Policy table will look like:
Label Algorithm Parameter
WAN1 (512/512) Fixed Check WAN#1
WAN2 (1536/384) Fixed Check WAN#2
By Optimum Route By Optimum Route Check both WAN #1 and WAN #2
By Downstream By Downstream Traffic Check both WAN #1 and WAN #2
By Total By Total Traffic Check both WAN #1 and WAN #2

Note: Labeling the policies alone does not mean the policy has been set up. Configuring WAN link bandwidth must be done under [System] -> [Network Settings].

Defining filters for the following:

  1. When LAN users access web server on the internet, use policy “By Optimum Route” to route connections to the best-conditioned link.
  2. When LAN users access the FTP server on the internet, use policy “WAN1(512/512)” to route connections. If WAN#1 fails, the connections will be routed “By Optimum Route”. Note: In this case, “By Optimum Route” will only route connections through WAN#2 as WAN #1 has failed.
  3. The connections from 211.21.48.195 in DMZ to SMTP server on the internet will be routed by policy “WAN1 (512/512)”. If WAN#1 fails, it will be routed by “WAN2 (1536/384)”.
  4. The connections from 211.21.48.195 in DMZ to POP3 server on the internet will be routed by “WAN1 (512/512)”. If WAN#1 fails, no action will be taken. Note: When WAN #1 fails, connection to the external POP server will also fail.


Having trouble configuring your Fortinet hardware or have some questions you need answered? Check Out The Fortinet Guru Youtube Channel! Want someone else to deal with it for you? Get some consulting from Fortinet GURU!

Pages: 1 2

FortiWAN Load Balancing & Fault Tolerance

Leave a reply

Load Balancing & Fault Tolerance

With the rapid proliferation and decreasing prices of broadband solutions, more and more small and medium enterprises are opting for the use of multiple WAN links from various ISPs. The benefits include:

  • Single link failure does not result in a total loss of internet connectivity, thus WAN reliability increases.
  • Traffic can be evenly dispersed across multiple WAN links, resulting in increased efficiency and improved performance of bandwidth.
  • Multiple WAN links for fault tolerance and load balancing has two advantages:
  • The outbound traffic, i.e. traffic originating from LAN traveling outwards, can be load-balanced across multiple WAN links. This is Auto Routing. l Traffic from the WAN, i.e. traffic originating from WAN traveling towards the LAN, can be load-balanced across multiple WAN links. This is Multihoming.

Load Balancing Algorithms

Load balancing algorithm is one of the important components for achieving purpose of traffic load balancing via FortiWAN’s various services, such as Auto Routing, Multihoming, Tunnel Routing, Virtual Server and DNS Proxy. These services distribute inbound or outbound traffic over multiple resources (WAN links or internal servers) according to predefined policies, which consist of a load balancing algorithm and the participating resources. A Load balancing algorithm dynamically evaluates on the availability of the participants against factors such as weight, connections or traffic, and picks an appropriate one for the load balancing services assign traffic to. When traffic (sessions or packets) matches a filter rule or policy of a load balancing service, the corresponding algorithm (specified to the policy) determines the appropriate one from the specified resources for the service to handle the traffic. All the load balancing services detect and label the unavailable resources by their own mechanism, such as WAN link health detection (see WAN Link Health Detection). The algorithms will ignore the failed resources and work with the available ones.

The followings are the algorithms that FortiWAN provides for services Auto Routing, Multihoming, Tunnel Routing, Virtual Server and DNS Proxy.

  Auto Routing Multihoming Tunnel Routing Virtual Server Proxy DNS
Round-Robin O O O O O
By Connection O     O  
By Upstream O O O   O
By Downstream O O     O
By Total Traffic O O     O

See also

Outbound Load Balancing and Failover (Auto Routing)

Inbound Load Balancing and Failover (Multihoming)

Tunnel Routing

Virtual Server & Server Load Balancing DNS Proxy

Round Robin (weighted)

Weight Round Robin picks one of the participating resources in circular order according to the specified weights. Round Robin works without considering resource’s ability such as processing connections, available bandwidth and response time. In FortiWAN, algorithm Round Robin serves for Auto Routing, Multihoming, Tunnel Routing, Virtual Server and DNS Proxy (it is called By Weight in DNS Proxy). To create a load balancing policy with Round Robin, you need specify the participants (WAN links or internal servers) and assign the weight to each of them.

For example, if three WAN links (WAN1, WAN2 and WAN3) are defined in an Auto Routing policy with weight

3:1:2, Round Robin returns one of the three WAN links to Auto Routing in the order of WAN1, WAN1, WAN1, WAN2, WAN3, WAN3. So that Auto Routing can distribute sessions to WAN links in the order. If some of the participants get failed, Round Robin will ignore them and work with the rest participants. For example, if WAN2 goes to failure, then Round Robin return the WAN link to Auto Routing in the order of WAN1, WAN1, WAN1, WAN3, WAN3.

Round Robin works similarly for Multihoming, Tunnel Routing, Virtual Server and DNS Proxy. For the details of configuring a policy of a service, see the section relevant to each of them.

By Connection

By connection picks one of the participating resource (WAN links or internal servers) for Auto Routing and Virtual

Server, but the processes that By Connection works for Auto Routing and Virtual Server are totally different. For

Auto Routing, an idea of weighted Round Robin is involved in the By Connection algorithm. The goal of Auto Routing’s By Connection is to guarantee the number of connections being processed by each participating WAN link in a fixed weight. By Connection counts the number of connections running on each participating WAN link and picks one for a new-coming connection to keep the ration of connections running on the WAN links closely fixed after adding the new connection to the picked one. For example, there are three WAN links (WAN1, WAN2 and WAN3) are defined in an Auto Routing policy with weight 1:1:2. By Connection will respectively return WAN1, WAN2 and WAN3 to Auto Routing for the first three connections, if all the three WAN links are idle. So far, the count of connections running on WAN1, WAN2 and WAN3 goes to 1:1:1. To match the specified weight 1:1:2 of the policy, By Connection will return WAN3 for the forth connection. Next, By Connection returns WAN1 and WAN2 respectively for the fifth and sixth connections and so the count goes to 2:2:2. Obviously, By Connection will return WAN3 for the next two (seventh and eighth) connections, so that the count will be 2:2:4 which is in the ratio 1:1:2. Considering the two connections on WAN2 are closed (the counts become 2:0:4), By Connection must return WAN2 for the next two connections to keep the counts be in ratio 1:1:2. If some of the participants get failed, By Connection will ignore them and work with the rest participants. For example, if WAN2 goes to failure, By Connection will work by keeping the connection count on WAN1 and WAN3 in weight 1:2.

  WAN1 WAN2 WAN3
Weight 1 1 2
Connection 1 V    
Connection 2   V  
Connection 3     V
Connection 4     V
Connection counts 1 1 2
Connection 5 V    
Connection 6   V  
Connection 7     V
Connection 8     V
Connection counts 2 2 4
The two connections on WAN2 are closed.    
Connection counts            2 0 4
Connection 9 V  
Connection 10 V  
Connection counts            2 2 4
Connection 11                     V    
Connection counts            3 2 4
                                                       WAN1               WAN2                WAN3
One of the connections on WAN2 and one of the connections on WAN4 are cloased.
Connection counts            3                       1                       3
Connection 12                                              V
Connection 13                                              V
Connection 14                                                                       V
Connection 15                                                                       V
Connection 16                                                                       V
Connection counts            3                       3                       6

As for Virtual Server, By connection treats service requests coming from the same source IP address as the same connection. The algorithm determine an internal server from server pool for incoming requests of a connection by hashing source IP address of the connection. The hash mechanism that By connection uses is the same as algorithm Hash (see section Hash later). Every internal server in the server pool has the same weight for By connection’s hash mechanism.

By Downstream Traffic

By Downstream Traffic picks one of the participating resources (WAN links) according to the weight mainly relevant to their data downloading availability. Each of the participating WAN links is weighted every three seconds by summing 80% available inbound bandwidth and 20% available outbound bandwidth up. For example, there is an Auto Routing policy with participants WAN1, WAN2 and WAN3. If, at some time, the available inbound bandwidth on WAN1, WAN2 and WAN3 is 4Mbps, 10Mbps and 6Mbps, and the available outbound bandwidth on WAN1, WAN2 and WAN3 is 8Mbps, 5Mbps and 20Mbps, the weight of each WAN link is so that calculated as:

WAN1: 0.8*(4/10) + 0.2*(8/20) = 0.4

WAN2: 0.8*(10/10) + 0.2*(5/20) = 0.85

WAN3: 0.8*(6/10) + 0.2*(20/20) = 0.68

Before the weights are updated next time , By Downstream Traffic returns one of the three WAN links for the load balancing policy in circular order with weight 40:85:68. Weights will be updated by calculating with real-time available bandwidth every three seconds. By Downstream Traffic serves for Auto Routing, Multihoming and DNS Proxy.

By Upstream Traffic

By Upstream Traffic serves Auto Routing, Multihoming, Tunnel Routing and DNS Proxy. However, the process that By Upstream Traffic works for Tunnel Routing is different from Auto Routing, Multihoming and DNS Proxy. For working with Auto Routing, Multihoming and DNS Proxy, By Upstream Traffic picks one of the participating resources (WAN links) according to the weight mainly relevant to their data uploading availability. Each of the participating WAN links is weighted every three seconds by summing 80% available outbound bandwidth and 20% available inbound bandwidth up. For the same example, there is an Auto Routing policy with participants

WAN1, WAN2 and WAN3. If, at some time, the available inbound bandwidth on WAN1, WAN2 and WAN3 is 4Mbps, 10Mbps and 6Mbps, and the available outbound bandwidth on WAN1, WAN2 and WAN3 is 8Mbps, 5Mbps and 20Mbps, the weight of each WAN link is so that calculated as:

WAN1: 0.8*(8/20) + 0.2*(4/10) = 0.4

WAN2: 0.8*(5/20) + 0.2*(10/10) = 0.4

WAN3: 0.8*(20/20) + 0.2*(6/10) = 0.92

Before the weights are updated next time , By Upstream Traffic returns one of the three WAN links for the load balancing policy in circular order with weight 40:40:92. Weights will be updated by calculating with real-time available bandwidth every three seconds.

As for working with Tunnel Routing, By Upstream Traffic divides the available uploading bandwidth of each participating WAN link by the number of GRE tunnel deployed on the WAN link, and picks one with the most available uploading bandwidth. For example, there is a Tunnel Routing Group consisting of three GRE tunnels deployed on WAN1, WAN2 and WAN3 respectively. Other Tunnel Routing Groups deploy 2 GRE tunnels on WAN1, 3 GRE tunnels on WAN2 and 1 GRE tunnel on WAN3. Totally, there are 3 tunnels on WAN1, 4 tunnels on

WAN2 and 2 tunnels on WAN3. If, at a time, the available uploading bandwidth of WAN1, WAN2 and WAN3 is 6Mbps, 20Mbps and 12Mbps, By Upstream Traffic will picks WAN3 for transferring packets matching this Tunnel Routing Group because:

WAN1: 6Mbps/3 = 2Mbps

WAN2: 20Mbps/4 = 5Mbps

WAN3: 12Mbps/2 = 6Mbps

By Upstream Traffic for Tunnel Routing is not a Round-Robin based algorithm, it always picks the resource with most available uploading bandwidth.

By Total Traffic

By Total Traffic serves Auto Routing, Multihoming and DNS Proxy. By Total Traffic picks one of the participating resources (WAN links) according to the weight evenly relevant to their data downloading and uploading availability. Each of the participating WAN links is weighted every three seconds by summing 50% available inbound bandwidth and 50% available outbound bandwidth up. For example, there is an Auto Routing policy with participants WAN1, WAN2 and WAN3. If, at some time, the available inbound bandwidth on WAN1, WAN2 and WAN3 is 4Mbps, 10Mbps and 6Mbps, and the available outbound bandwidth on WAN1, WAN2 and WAN3 is 8Mbps, 5Mbps and 20Mbps, the weight of each WAN link is so that calculated as:

WAN1: 0.5*(4/10) + 0.5*(8/20) = 0.4

WAN2: 0.5*(10/10) + 0.5*(5/20) = 0.625

WAN3: 0.5*(6/10) + 0.5*(20/20) = 0.8

Before the weights are updated next time , By Total Traffic returns one of the three WAN links for the load balancing policy in circular order with weight 400:625:800. Weights will be updated by calculating with real-time available bandwidth every three seconds.

Notices of By Upstream Traffic, By Downstream Traffic and By Total Traffic

What the available bandwidth that algorithms By Upstream, Downstream and Total Traffic using for Auto Routing and Multihoming will depend on how Bandwidth Management (see Bandwidth Management) is configured. Considering that a Bandwidth Management class limits the usage of maximum downloading and uploading bandwidth of a 20Mbps/10Mbps WAN link to 6Mbps and 3Mbps respectively. For traffic classified to this BM class, the available downloading and uploading bandwidth for algorithms By Upstream, Downstream and Total Traffic to evaluate this WAN link will never exceed the bandwidth limits 6Mbps/3Mbps, even if the WAN link is wholly idle.

Algorithms By Upstream, Downstream and Total Traffic measure the transmission ability of a WAN link only between the FortiWAN device and the gateway of its ISP network (last mile). The available bandwidth of a WAN link is measured on the network interface of the WAN link. Algorithms By Upstream, Downstream and Total Traffic do not guarantee transmission ability between the ISP network and destinations.

By Optimum Route

Relative to algorithms By Upstream, Downstream and Total Traffic , By Optimum Route evaluates a WAN link with not only its traffic loading but also the round-trip time (RTT) between FortiWAN and the destinations. The evaluation involves bandwidth usage of a WAN link and the RTT, which responses the network conditions closer to reality. For example a WAN link with the most available bandwidth might not be the best choice for data transferring to a destination, if it has the worst RTT. Conversely, the WAN link with fewer available bandwidth might be picked by Optimum Route if the RTT is good. By Optimum Route works for Auto Routing and Multihoming to mainly avoid the peering issue between ISP networks. Optimum Route works via various detections and measures. It requires to have the details configured first to make sure it works appropriately (See Optimum Route Detection).

By Response Time

By Response Time is only used by Virtual Server (see Virtual Server & Server Load Balancing) for distribute incoming service requests to internal servers to achieve server load balancing. By Response Time measures the response time of each internal server by sending a detection packets, and picks one server with the lowest response time for Virtual Server routes the matched requests to it.

By Static

By Static is only used by Multihoming for responding fixed IP addresses to DNS requests for an A/AAAA record without considering the traffic loading and connectivity state of each WAN link. By Static deprives Multihoming of inbound load balancing and WAN link failover; retrogrades it back to general DNS service. Note that the external clients will access to the responded IP addresses, and the accesses might be stuck or failed if the WAN link is congested or unavailable.

By Fixed

By Fixed is only used by Auto Routing for routing outbound traffic to a fixed WAN link without considering the traffic loading on the WAN link. Different from Multihoming’s By Static, By Fixed will not return the WAN link to Auto Routing if it is unavailable. It requires a fail-over policy (configured in a filter rule) to achieve WAN link failover when the fixed WAN link is failed. By Fixed deprives Auto Routing of outbound load balancing.

 

Hash

Hash is only used by Virtual Server for distribute incoming service requests to weighted internal servers to achieve server load balancing. The source IP addresses of a service request will be translated from dot-decimal address to a decimal value first. This value is then hashed by calculating the reminder of the division of the value by the sum of weights (modulo operation), and the reminder indicates the internal server that the service request should be directed to. For example, if there are three servers (serv1, serv2 and serv3) weighted with 1:2:3 in the server pool, requests that their IP addresses are congruent modulo 6 (sum of the servers’ weight:1+2+3) will be assigned to the same server according to the weights (reminder 0 indicates serv1, reminders 1 and 2 indicate serv2, reminders 3, 4 and 5 indicate serv3). The following table lists the examples how the hash function works for Virtual Server:

Source IP of request Decimal value Hash value (mod 6) Assigned server
172.16.254.1 2886794753 5 serv3
172.16.254.2 2886794754 0 serv1
172.16.254.3 2886794755 1 serv2
172.16.254.4 2886794756 2 serv2
172.16.254.5 2886794757 3 serv3
172.16.254.6 2886794758 4 serv3
125.227.251.80 2112093008 2 serv2
125.227.251.88 2112093016 4 serv3
125.227.251.96 2112093024 0 serv1

Having trouble configuring your Fortinet hardware or have some questions you need answered? Check Out The Fortinet Guru Youtube Channel! Want someone else to deal with it for you? Get some consulting from Fortinet GURU!

FortiWAN License Control

Leave a reply

License Control

License Control provides users with all the License Key configurations, including:

Bandwidth Upgrade License:

FortiWAN provides various bandwidth capabilities for individual model. Bandwidth upgrade on models is supported via a license key. You could ask your distributor for bandwidth upgrade license keys.

  • FortiWAN 200B provides 200 Mbps, 400 Mbps and 600 Mbps bandwidth capability.
  • FortiWAN 1000B provides 1 Gbps, and 2 Gbps. l FortiWAN 3000B provides 3 Gbps, 6 Gbps, and 9 Gbps bandwidth capability.

Product Model Bandwidth Capability

Product Model Bandwidth Capability
FortiWAN 200B 200 Mbps / 400 Mbps / 600 Mbps
FortiWAN 1000B 1 Gbps / 2 Gbps
FortiWAN 3000B 3 Gbps / 6 Gbps / 9 Gbps

Note: Conditional bandwidth upgrade is provided for old models. Please contact customer support to gain further information.

 


Having trouble configuring your Fortinet hardware or have some questions you need answered? Check Out The Fortinet Guru Youtube Channel! Want someone else to deal with it for you? Get some consulting from Fortinet GURU!

FortiWAN Maintenance

1 Reply

Maintenance

Click [Factory Default] to reset configurations to factory default. Or you can perform “resetconfig” command in console. Click [Reboot] to reboot FortiWAN. For information on console command, please refer to Console Mode Commands.

Web UI Port

Type the port number in [New Port] and then click [Setport]. Enter the new port number when you log in again into Web UI. Additionally, the new port shall avoid conflict with FortiWAN reserved ports when configuring the port. Otherwise, FortiWAN will display error message of port settings failure and resume to the correct port number that was configured last time.

 

Port Service Port Service Port Service
1 tcpmux 102 iso-tsap 530 courier
7 echo 103 gppitnp 531 Chat
9 discard 104 acr-nema 532 netnews
11 systat 109 pop2 540 uucp
13 daytime 110 pop3 556 remotefs
15 netstat 111 sunrpc 563 nntp+ssl
17 qotd 113 auth 587  
19 chargen 115 sftp 601  
20 ftp-data 117 uucp-path 636 ldap+ssl
21 ftp-cntl 119 nntp 993 imap+ssl
22 ssh 123 NTP 995 pop3+ssl
23 telnet 135 loc-srv/epmap 1111 FortiWAN reserved
25 smtp 139 netbios 1900 FortiWAN reserved
37 time 143 imap2 2005 FortiWAN reserved
42 name 179 BGP 2049 nfs
43 nicname 389 ldap 2223 FortiWAN reserved
53 domain 465 smtp+ssl 2251 FortiWAN reserved
77 priv-rjs 512 print/exec 3535 FortiWAN reserved
79 finger 513 login 3636 FortiWAN reserved
87 ttylink 514 shell 4045 Lockd
95 supdup 515 printer 6000 x11
Port Service Port Service Port Service
101 hostriame 526 tempo 49152 FortiWAN reserved

Having trouble configuring your Fortinet hardware or have some questions you need answered? Check Out The Fortinet Guru Youtube Channel! Want someone else to deal with it for you? Get some consulting from Fortinet GURU!

FortiWAN Firmware Update

Leave a reply

Firmware Update

Click [Update] or [Downgrade] and follow the on-screen instructions to perform firmware update/downgrade. Note that firmware downgrade will reset current configurations to factory default, please backup current configurations in advance. Firmware update and downgrade support jump directly to a version from current version without applying all the updates or downgrades that have been released between the versions.

Updating the FortiWAN Firmware:

  • Before proceeding with the firmware update, ALWAYS backup system configurations.
  • Obtain the latest firmware upgrade pack from https://support.fortinet.com. l Log onto the Web UI with administrator account and go to [System]→ [Administration]. l Click on “Update”. l Use [..] to select the path of the new firmware image.
  • For High Availability (HA) deployment (See “FortiWAN in HA (High Availability) Mode”), check [Update Slave] to perform firmware update on the slave unit at the same time. Please double check and make sure the peer device is under normal condition (from page [System > Summary]) before HA firmware update.
  • Click [Upload File] to start updating.
  • The firmware update will take a while, so please be patient. During the update process, be sure NOT to turn off the system or unplug the power adapter. DO NOT click on the [Upload] button more than once.
  • Update is completed when the “Update succeeded” message appears. FortiWAN unit(s) will reboot automatically then.

Errors that occur during the update can be caused by any reason below:

  • General error – Please contact your dealer if this happens repeatedly.
  • Invalid update file – The file uploaded for firmware update is invalid, please make sure the uploaded file is correct. l MD5 checksum error – Image file is damaged. Please reload and try again.
  • Incompatible version/build – Firmware version incompatible. System requires a higher version firmware for update and a lower version firmware for downgrade.Check with your dealer for the correct firmware version.
  • Incompatible model/feature – Firmware image does not match the FortiWAN system. Check with your dealer for the correct model and version.
  • Incompatible platform – Firmware image does not match the current FortiWAN platform. Check with your dealer for the correct model and version.
  • Update error – If this error message appears during firmware update, please do not turn off the device and contact your dealer immediately. l Unknown error – Contact your dealer.

When a firmware update has being processed in system, users (multi-account login, see “Using the Web UI”) are unable to perform concurrent firmware updates at the same time.

Configuration File

Click [Save] to back up the current configurations of all functions in one binary file on your PC. Click [Show] to display a binary configuration file (.cfg) as readable content. Click [Restore] to recover whole system with the backed up configurations. Note that Restore will apply the configurations to system and then perform synchronization to the slave unit if HA mode is deployed. After this, system automatically reboot. The configuration file here is in binary format and should NOT be edited outside of FortiWAN tools and systems. The configuration file here contains all the configurations of FortiWAN’s functions. You can have individual configuration file of every single function via the export function in every function page. Do NOT to turn off the power while restoring the configuration file, or repetitively clicking on the [Restore] button.

Configuration File for individual function Export and Import:

  • Log on to FortiWAN as administrator. On every single function page of Web UI, click [Export Configuration] to back up the configuration in an editable text file.
  • To import the previously saved configuration file, click [Browse] on the function page of Web UI to select the configuration file previously saved, and then click [Import Configuration] to import previous configurations. The imported configuration will be displayed on the Web UI, but not be applied to system. Click [Apply] button to apply it to system.

During the configuration file restoration process, if an error occurs, it is most likely the result of one of the following:

  • The total WAN bandwidth setting in the restored configuration file exceeds the max bandwidth defined for the current system. The bandwidth can be either upload stream and download stream.
  • The restored configuration file contains port numbers exceeding the port numbers defined by the system.
  • The restored configuration file contains VLAN parameters not supported by the machine. l The total number of WAN links in the restored configuration file exceeds the current system definition. l Incompatible versions and/or systems.

Note:

  • FortiWAN does not guarantee full compatibility of configuration files for different models. l After the firmware upgrade, it is encouraged to backup the configuration file.

Configuration file backup and restore are available in the following function page:

Function Page File Name
[System > Network] network.txt
[System > WAN Link Health

Detection]

 wan-link-health-detection.txt
[System > Optimum Route Detection] optimum-route.txt
[System > Port Speed / Duplex

Setting]

 port-speed.txt
[System > Backup Line Setting] backup-line.txt
[System > IP Grouping] l  Click [Import] & [Export], you may backup and restore configurations of ip list in a file named ip-list.txt.

l  Click [Import Configuration] & [Export Configuration], you may backup and restore configurations of IP Grouping saved in ip-group.txt.
[System > Service Grouping] l  Click [Import] & [Export], you may backup and restore configurations of service list in a file named service_ list.txt.

l  Click [Import Configuration] & [Export Configuration], you may backup and restore configurations of Service Grouping saved in service-group.txt.
[System > Busyhour Setting] busy-hour.txt
[Service > Firewall] firewall.txt
Function Page File Name
[Service > NAT] nat.txt
[Service > Persistent Routing] persistent-routing.txt
[Service > Auto Routing] auto-routing.txt
[Service > Virtual Server] virtual-server.txt
[Service > Bandwidth Management] bandwidth-management.txt
[Service > Connection Limit] connection-limit.txt
[Service > Cache Redirect] cache-redirect.txt
[Service > Multihoming] multihoming.txt
[Service > Internal DNS] Internal-nameserver.txt
[Service > SNMP] snmp.txt
[Service > IP-MAC Mapping] ip-mac-mapping.txt
[Service > DNS Proxy] dnsproxy.txt
[Service > Tunnel Routing] tunnel-routing.txt
[Log > Control] log-control.txt (This file includes Mail/FTP passwords.)
[Log > Notification] notification.txt (This file includes email/password)
[Log > Link Report] link-report.txt

Having trouble configuring your Fortinet hardware or have some questions you need answered? Check Out The Fortinet Guru Youtube Channel! Want someone else to deal with it for you? Get some consulting from Fortinet GURU!

FortiWAN RADIUS Authentication

Leave a reply

RADIUS Authentication

Except FortiWAN’s local authentication database described above, FortiWAN supports RADIUS authentication for Web UI login. Please make sure the following settings are complete on the RADIUS server working with FortiWAN.

Add Fortinet’s Vender Specific Attribute (VSA) to /etc/raddb/dictionary:

VENDOR Fortinet 12356 BEGIN‐VENDOR Fortinet …

ATTRIBUTE Fortinet‐FWN‐AVPair 26 string …

END‐VENDOR Fortinet

“12356” is Fortinet’s vender ID, “Fortinet-FWN-AVPair” is the attribute used for working with FortiWAN and “26” is the attribute ID. If the RADIUS server serves with other Fortinet products, please add the correspondent attributes between BEGIN‐VENDOR Fortinet and END‐VENDOR Fortinet.

Construct user database on RADIUS server for authentication. For example, we have accounts

“Administrator/1234” and “admin/(null)” belong to Administrator group, and “Monitor/5678” belongs to Monitor group.

Add the followings to /etc/raddb/users:

Administrator User‐Password := “1234”

Fortinet‐FWN‐AVPair := “user‐group=Administrator” admin User‐Password := “”

Fortinet‐FWN‐AVPair := “user‐group=Administrator”

Monitor User‐Password := “5678”

Fortinet‐FWN‐AVPair := “user‐group=Monitor”

Please make sure “user-group” is specified for every account, or FortiWAN denies the login even the account and password are authorized by RADIUS server.

To enable FortiWAN’s RADIUS authentication, please click the checkbox and complete the configuration below.

Priority Determines priority to the two authentications:

RADIUS, Local Database: Authorize a login via RADIUS first, then try local database if the authentication failed in RADIUS.

Local Database, RADIUS: Authorize a login via local database first, then try RADIUS if the authentication failed in local database.
Server IP IP address of the RADIUS server.
Server Port UDP port number of the RADIUS server (The standard port is 1812, but it might be 1645 for earlier RADIUS).
Secret The secret (password) shared with the RADIUS server.
NAS IP Enter the correspondent NAS-IP-Address attribute for Request/Response Authenticator if it is necessary, or leave it blank. See RFC2865 for details.
NAS Port Enter the correspondent NAS-Port attribute for Request/Response Authenticator if it is necessary, or leave it blank. See RFC2865 for details.
Apply Click to apply the configuration.

Having trouble configuring your Fortinet hardware or have some questions you need answered? Check Out The Fortinet Guru Youtube Channel! Want someone else to deal with it for you? Get some consulting from Fortinet GURU!

FortiWAN Administration

Leave a reply

Administration

Go to System > Administration, Administration lets you perform administrative tasks, including changing passwords of Administrator and Monitor. Every FortiWAN is shipped with the same default passwords. For security concerns, it is thus strongly recommended that the passwords shall be changed.

By default, FortiWAN uses 443 as the Web UI login port. And it allows administrators to change the port, to avoid possible port conflict caused for virtual server services.

Update/downgrade section enables to update or downgrade firmwares once new firmwares are available (from our website or dealers). Simply click the Update/Downgrade button and follow exactly the on-screen instructions.

Configuration Files gives you the ability to back up configuration files, by clicking the [Save] button. Or you can click [Restore] to reload the previous backup files to FortiWAN. System configurations can be recovered from failures via the backup configuration files.

In Maintenance, you can restore factory default configurations and reboot FortiWAN. Due to the limitation of HTML syntax, no hint displays after reboot has been completed. Thus you have to wait about two minutes before navigating to Web UI in browser.

Administrator and Monitor Password

FortiWAN maintains a common local authentication database for its Web UI, CLI and SSH login (See

“Connecting to the Web UI and the CLI”). Accounts for authentication are classified into two groups,

Administrator and Monitor, with different permissions. Accounts belonging to Administrator have the permission to monitor and modify system parameters via Web UI, CLI and SSH login, while limited operations are allowed (monitor system information and traffic statistics via Web UI ONLY) to accounts belonging to Monitor.

Configurations applying, system administrations (managements introduced in this topic), Tunnel Routing Benchmark, CLI access and SSH login are invalid for Monitor group. Note that page System > Administration is not available to Monitor accounts.

Default account/password

While the first time you login to Web UI, you see the default accounts here. “Administrator” and “admin” are the default accounts of group Administrator, and “Monitor” is the default account of group Monitor. Passwords of accounts “Administrator” and “Monitor” are “1234” and “5678” respectively; password of account “admin” is null (See “Appendix A: Default Values”). All the accounts (default and customized) of group Administrator are able to log into Web UI, CLI and SSH login. All the accounts are case sensitive.

Create, modify and delete the account and password for Administrators or Monitors.

Select Account You can select and configure an account (old or new). If you select the current login account, [Add Account] button will change to [Set Account].
New Account Allows you to add a new account. Enter the new account ID here.
New Password Enter the new password after you have added or modified an account.
Password Verification Confirm the new password.

Event notifications via SNMP trap

You can receive notification via SNMP trap for any modification of the FortiWAN’s account. Configure the SNMP manager on your FortiWAN and enable the event type “Account change” to notify (See “Notification”), then notification will be delivered to your SNMP manager for the events. The correspondent MIB fields and OIDs are listed as following:

SNMP field names and OIDs

MIB Field OID Description
fwnEventAdminAccountPwChanged 1.3.6.1.4.1.12356.118.3.1.1.1 Send event notification when the password of an account in Administrator group is changed.
fwnEventAdminAccountAdded 1.3.6.1.4.1.12356.118.3.1.1.2 Send event notification when an account is added into Administrator group.
fwnEventAdminAccountRemoved 1.3.6.1.4.1.12356.118.3.1.1.3 Send event notification when an account is removed from Administrator group.
fwnEventMonitorAccountPwChanged 1.3.6.1.4.1.12356.118.3.1.1.4 Send event notification when the password of an account in Monitor group is changed.
fwnEventMonitorAccountAdded 1.3.6.1.4.1.12356.118.3.1.1.5 Send event notification when an account is added into Monitor group.
fwnEventMonitorAccountRemoved 1.3.6.1.4.1.12356.118.3.1.1.6 Send event notification when an account is removed from Monitor group.

Having trouble configuring your Fortinet hardware or have some questions you need answered? Check Out The Fortinet Guru Youtube Channel! Want someone else to deal with it for you? Get some consulting from Fortinet GURU!

FortiWAN – Remote Assistance

Leave a reply

Remote Assistance

Enabling this function allows Fortinet’s technical support specialist to enter your system for further troubleshooting when assistance is needed. FortiWAN allows technical support specialist to access the Web UI and backend system remotely, so as to assist users promptly upon the occurrence of problems. Remote assistance opens both TCP ports 443 for web UI and 23 for SSH debug.

Note: To enter the backend system via SSH login, a debug patch file is required.

Enable : Click the checkbox to enable Remote Assistance.
Server : Enter the server IP address given by Fortinet’s technical support specialist.
Security Code : Displays the security code required for remote logins. This security code is automatically generated after clicking Apply to complete Remote Assistance settings, and is updated after every system reboot.

 


Having trouble configuring your Fortinet hardware or have some questions you need answered? Check Out The Fortinet Guru Youtube Channel! Want someone else to deal with it for you? Get some consulting from Fortinet GURU!