
FortiWAN What’s new


The following features are new or changed since FortiWAN 4.0.0:

FortiWAN 4.3.1

  • Tunnel Routing – From this release, the Generic Receive Offload (GRO) mechanism on each of FortiWAN’s network interfaces is disabled by default for better Tunnel Routing transmission performance. The parameter “generic-receive-offload” of the CLI command sysctl, added in release 4.2.3 to enable/disable GRO, is removed; GRO can no longer be enabled on FortiWAN. Related descriptions were removed from Console Mode Commands, How the Tunnel Routing Works and How to set up routing rules for Tunnel Routing.

FortiWAN 4.3.0

  • Tunnel Routing – Supports large-scale Tunnel Routing network deployments, allowing a maximum of:
  • FWN-200B: 100 tunnel groups
  • FWN-1000B: 400 tunnel groups
  • FWN-3000B: 1000 tunnel groups

For all FortiWAN models, each tunnel group supports up to 16 enabled GRE tunnels, and a maximum total of 2500 enabled GRE tunnels is supported. See Tunnel Routing Scale, Tunnel Routing – Setting and How to set up routing rules for Tunnel Routing.

  • A new measurement case is added to Benchmark to evaluate the transmission performance of a tunnel group. Packets of a measurement session are distributed over all the tunnels of the tunnel group, just as Tunnel Routing does in practice, which gives a more accurate evaluation of your Tunnel Routing network. See Tunnel Routing – Benchmark.
  • IPSec – Supports Internet Key Exchange Protocol Version 2 (IKEv2) for establishing Security Associations. Note that a specific procedure is required when you switch the IKE version of an existing IPSec VPN connection. See Specifications of FortiWAN’s IPsec VPN and IKE Phase 1 Web UI fields – Internet Key Exchange.
  • DHCP Relay – Supports up to two DHCP servers for a relay agent. When two DHCP servers are configured, the relay agent forwards each DHCP request to both servers. The first response the relay agent receives is passed to the DHCP client; subsequent responses are ignored. See DHCP Relay.
  • Reports – Supports scheduled report email. According to the schedule, the system sends report emails automatically and periodically (daily, weekly or monthly). See Report Email and Scheduled Emails.
  • CLI command – A new parameter PORT is added to the command resetconfig for specifying the port mapped to the LAN port while resetting the configuration to factory default. See CLI Command – resetconfig.
  • DNS Proxy – The Intranet Source field of a DNS Proxy policy now accepts an IPv4 range or subnet. See DNS Proxy Setting Fields.
  • WAN link health detection – A new parameter in WAN link health detection policies sets the number of consecutive successful detections required before a WAN link is declared available again, so a single successful probe on a flapping link does not bring it back into service. See WAN Link Health Detection.
  • Web UI account – The ability for Monitor accounts to reset their own password is removed. From this release, the Web UI page System > Administration is not available to Monitor accounts, and only Administrator accounts have permission to reset passwords. The Apply button is also greyed out and inactive for Monitor users. See Administrator and Monitor Password.
  • Multihoming – Supports SOA and NS records for the reverse lookup zones. See Global Settings: IPv4/IPv6 PTR Record.
  • Web UI – New look and feel.

FortiWAN 4.2.7

Bug fixes only. Please refer to FortiWAN 4.2.7 Release Notes.

FortiWAN 4.2.6

Bug fixes only. Please refer to FortiWAN 4.2.6 Release Notes.

FortiWAN 4.2.5

Bug fixes only. Please refer to FortiWAN 4.2.5 Release Notes.

FortiWAN 4.2.4

Bug fixes only. Please refer to FortiWAN 4.2.4 Release Notes.

FortiWAN 4.2.3

  • Tunnel Routing – Transmission performance in a tunnel group can be greatly increased by disabling the Generic Receive Offload (GRO) mechanism on each participating network interface on both participating FortiWAN units. A new parameter “generic-receive-offload” is added to the CLI command sysctl to enable/disable the GRO module. See How the Tunnel Routing Works, Tunnel Routing – Setting and Console Mode Commands.

  • DHCP – Supports Vendor Specific Information (Vendor Encapsulated Options, option code 43) and TFTP Server Name (option code 66). DHCP clients use these two options to request vendor-specific information and TFTP server addresses from the DHCP server for device configuration purposes. FortiWAN’s DHCP server delivers the configured information to clients according to the two option codes. See Automatic addressing within a basic subnet.
  • Bandwidth Management – A new field Input Port is added to Bandwidth Management’s outbound IPv4/IPv6 filters to evaluate outbound traffic by the physical port it comes from. The corresponding network ports (VLAN ports, redundant ports, aggregated ports, etc.) are offered as options for the field if they are configured in Network Setting. See Bandwidth Management.
  • Port Mapping – The original configuration panels “Aggregated LAN Port” and “Aggregated DMZ Port” are merged into one panel, “Aggregated Port”. Instead of mapping the member ports to LAN/DMZ before aggregating them, you now create the logical aggregated port from two unmapped member ports first, and then map LAN/DMZ or define VLANs on the aggregated port. See Configurations for VLAN and Port Mapping.
  • Multihoming – Supports wildcard characters in the Host Name field of A/AAAA records. A single wildcard character matches DNS queries for any hostname that does not appear in any NS record, the primary name server, the external subdomains or the other A/AAAA records of the domain, so that the wildcard A/AAAA policy answers those queries. Note that wildcard characters are not accepted in records other than A/AAAA (NS, MX, TXT, etc.). See Inbound Load Balancing and Failover (Multihoming).
  • Multihoming – Supports configuring CName records for DKIM signing. The Name Server, Alias, Target, Host Name and Mail Server fields of NS, CName, DName, MX and TXT records may contain dot characters. A dot character is still not accepted in A/AAAA records. See Inbound Load Balancing and Failover (Multihoming).
  • Auto Routing – Previously, all WAN links (WAN parameters) of an Auto Routing policy were checked by default when the policy was created on the Web UI, and you had to uncheck the unused WAN links one at a time to match the real network. From this release, the WAN parameters of an AR policy are checked by default only if the corresponding WAN links have been enabled in Network Setting. See Outbound Load Balancing and Failover (Auto Routing).
  • Statistics – Measurement of Round Trip Time (RTT) is added to Statistics > Tunnel Status for each GRE tunnel of the configured tunnel groups. See Tunnel Status.
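The wildcard rules in the 4.2.3 Multihoming note above (an explicit A/AAAA record always wins; the wildcard never answers for NS hosts, the primary name server or delegated subdomains; no dots in A/AAAA host names; no wildcard outside A/AAAA) are easy to get wrong when reasoning about which names a zone will actually answer for. The following is an added example, not FortiWAN code, that implements exactly those matching rules so you can check a zone design offline. The zone contents, host names and addresses are constructed; the handling of multi-label names beneath a delegated subdomain (treated as not ours) is an assumption, not something the release note states.

```python
"""Wildcard A/AAAA matching rules for a Multihoming zone, following the 4.2.3 note:
an explicit A/AAAA record always wins, and the wildcard never answers for names that
belong to NS records, the primary name server or delegated (external) subdomains.

Added example, not FortiWAN code. Zone contents and addresses are constructed.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

WILDCARD = "*"


@dataclass
class Zone:
    domain: str                                                    # e.g. "example.com"
    primary_ns: str                                                # host part of the primary name server
    ns_hosts: List[str] = field(default_factory=list)              # hosts named in NS records
    external_subdomains: List[str] = field(default_factory=list)   # children delegated elsewhere
    a_records: Dict[str, List[str]] = field(default_factory=dict)  # host -> addresses ("*" allowed)

    def __post_init__(self) -> None:
        self.domain = self.domain.rstrip(".").lower()
        # Validation mirrors the two rules in the release notes: no dots in A/AAAA
        # host names, and no wildcard in any record type other than A/AAAA.
        for host in self.a_records:
            if "." in host:
                raise ValueError(f"A/AAAA host {host!r}: dot characters are not accepted")
        for host in [self.primary_ns, *self.ns_hosts, *self.external_subdomains]:
            if WILDCARD in host:
                raise ValueError(f"{host!r}: wildcard is only accepted in A/AAAA records")

    def _relative(self, qname: str) -> Optional[str]:
        """'www.example.com.' -> 'www'; '' for the apex; None if outside the zone."""
        q = qname.rstrip(".").lower()
        if q == self.domain:
            return ""
        suffix = "." + self.domain
        return q[: -len(suffix)] if q.endswith(suffix) else None

    def _reserved(self, rel: str) -> bool:
        """Names the wildcard must not shadow: name servers, and delegated
        subdomains together with everything beneath them (assumption)."""
        if rel == self.primary_ns or rel in self.ns_hosts:
            return True
        return any(rel == sub or rel.endswith("." + sub) for sub in self.external_subdomains)

    def resolve_a(self, qname: str) -> Optional[List[str]]:
        """Addresses to hand out for qname, or None when this zone has no A/AAAA answer."""
        rel = self._relative(qname)
        if rel is None:
            return None                          # not our zone
        if rel in self.a_records and rel != WILDCARD:
            return self.a_records[rel]           # explicit record always wins
        if rel in ("", WILDCARD) or self._reserved(rel):
            return None                          # apex, a literal '*', NS hosts, delegations
        return self.a_records.get(WILDCARD)      # wildcard answer, or None without one


# Constructed zone: two public addresses for www (one per WAN link), a wildcard
# catching everything else, a delegated "dev" subdomain and two name servers.
ZONE = Zone(
    domain="example.com",
    primary_ns="ns1",
    ns_hosts=["ns1", "ns2"],
    external_subdomains=["dev"],
    a_records={
        "www": ["203.0.113.10", "198.51.100.10"],
        WILDCARD: ["203.0.113.10"],
    },
)
```

Worth noting before enabling a wildcard: every typo under the domain now resolves to your WAN addresses, so make sure the name servers and any delegated subdomains are listed, otherwise the wildcard silently absorbs them.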

FortiWAN 4.2.2

Bug fixes only. Please refer to FortiWAN 4.2.2 Release Notes.

FortiWAN 4.2.1

Bug fixes only. Please refer to FortiWAN 4.2.1 Release Notes.

FortiWAN 4.2.0

  • IPSec VPN – Supports standard IPSec VPN based on the two-phase Internet Key Exchange (IKE) protocol. FortiWAN’s IPSec VPN provides two communication modes, tunnel mode and transport mode. Tunnel mode is the common method used to establish an IPSec VPN between two network sites.

FortiWAN’s IPSec tunnel mode transfers data traffic within a single connection (single WAN link), so bandwidth aggregation and fault tolerance are not available to that VPN. FortiWAN’s transport mode, on the other hand, is designed to protect Tunnel Routing transmission on each of the TR tunnels, so that an IPSec VPN with bandwidth aggregation and fault tolerance can be implemented.

FortiWAN’s IPSec tunnel mode supports single-link connectivity between FortiWAN devices, between FortiWAN and FortiGate, and between FortiWAN and any appliance supporting standard IPSec. FortiWAN’s IPSec transport mode supports multi-link Tunnel Routing between FortiWAN devices. IPSec Aggressive Mode is not supported in this release. See “IPSec VPN”.

  • Tunnel Routing – Supports IPSec encryption. In cooperation with FortiWAN’s IPSec transport mode, Tunnel Routing communication can be protected by an IPSec Security Association (IPSec SA), which provides strict security negotiation, data confidentiality and authenticity. A VPN network implemented with Tunnel Routing and IPSec transport mode combines a high security level with bandwidth aggregation and fault tolerance. See “Tunnel Routing”.
  • Basic subnet – Supports DHCP Relay on every LAN port and DMZ port. FortiWAN forwards DHCP requests and responses between a LAN or DMZ subnet and the specified (standalone) DHCP server, so that centralized DHCP management can be implemented. With appropriate deployment of Tunnel Routing (or Tunnel Routing over IPSec transport mode), the DHCP server at headquarters can manage IP allocation for regional sites through DHCP relay. FortiWAN’s DHCP relay therefore serves not only a local network but also a Tunnel Routing VPN network. See “Automatic addressing within a basic subnet”.
  • DHCP – Supports static IP allocation by Client Identifier (option code 61). According to the client identifier, FortiWAN’s DHCP server recognizes the client requesting a lease and assigns it the specified IP address. See “Automatic addressing within a basic subnet”.
  • Bandwidth Management – Supports visibility into Tunnel Routing traffic. In previous versions, individual applications encapsulated by Tunnel Routing were invisible to FortiWAN’s Bandwidth Management, which could only shape the overall tunnel (GRE) traffic. From this release, Bandwidth Management evaluates traffic before Tunnel Routing encapsulation and after decapsulation, so that the traffic of individual applications in a Tunnel Routing transmission can be controlled. See “Bandwidth Management”.
  • Administration – Monitor accounts can now change their own password. In previous versions, the password of an account belonging to the Monitor group could be changed only by administrators. See “Administration”.
  • HA synchronization – After a system configuration file is restored (System > Administration > Configuration File), the master unit automatically synchronizes the configuration to the slave unit. See “Administration”.
  • DNS Proxy – Supports wildcard characters in the configuration of Proxy Domains on the Web UI. See “DNS Proxy”.
  • Account – The default account maintainer was removed from FortiWAN’s authentication.
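The DHCP notes in 4.2.3 (options 43 and 66 handed out by the server) and 4.2.0 (static allocation keyed on the option 61 client identifier) all hinge on the DHCP option field, a code/length/value list in which option 43 nests a second such list. The following is an added example, not FortiWAN code, showing a strict parser for that layout (truncated options are rejected rather than read past the buffer), the matching builder, and a small server-side policy that assigns a fixed address by client identifier and returns options 43 and 66 only when the client asked for them via the Parameter Request List (option 55). The client identifier, addresses, TFTP name and vendor sub-option are all constructed for the example.

```python
"""DHCP option TLV parsing/building (RFC 2132 layout) for options 43, 61 and 66.

Added example; not FortiWAN code. Client IDs, addresses and option contents are made up.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

OPT_PAD = 0
OPT_VENDOR_SPECIFIC = 43   # Vendor Encapsulated Options: nested TLVs, same layout
OPT_PARAM_REQUEST = 55     # Parameter Request List: option codes the client wants
OPT_CLIENT_ID = 61         # Client Identifier
OPT_TFTP_SERVER_NAME = 66  # TFTP Server Name (string)
OPT_END = 255


def parse_options(data: bytes) -> Dict[int, bytes]:
    """Walk a code/len/value list. Refuses truncated options rather than
    reading past the buffer, which is where option parsers usually go wrong."""
    opts: Dict[int, bytes] = {}
    i = 0
    while i < len(data):
        code = data[i]
        if code == OPT_END:
            break
        if code == OPT_PAD:
            i += 1
            continue
        if i + 1 >= len(data):
            raise ValueError(f"option {code}: missing length byte")
        length = data[i + 1]
        value = data[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError(f"option {code}: declared {length} bytes, only {len(value)} present")
        opts[code] = value  # last occurrence wins; RFC 3396 long options are not reassembled here
        i += 2 + length
    return opts


def build_options(opts: Dict[int, bytes]) -> bytes:
    """Serialize options (or option 43 sub-options) and terminate the list."""
    out = bytearray()
    for code, value in opts.items():
        if not 0 < code < 255:
            raise ValueError(f"option code {code} out of range")
        if len(value) > 255:
            raise ValueError(f"option {code}: {len(value)} bytes does not fit one TLV")
        out += bytes((code, len(value))) + value
    out.append(OPT_END)
    return bytes(out)


@dataclass
class DhcpPolicy:
    """Server-side policy for one subnet: a fixed address per client identifier
    (option 61) and the vendor/TFTP data handed out on request (options 43/66)."""
    static_by_client_id: Dict[bytes, str]
    tftp_server_name: str
    vendor_suboptions: Dict[int, bytes] = field(default_factory=dict)

    def answer(self, request_options: bytes) -> Tuple[Optional[str], Dict[int, bytes]]:
        """Return (address to assign or None, reply options).

        The address comes only from an exact client identifier match. Options 43
        and 66 are included only if the client listed them in option 55, so vendor
        data is not pushed at clients that never asked for it."""
        req = parse_options(request_options)
        cid = req.get(OPT_CLIENT_ID)
        address = self.static_by_client_id.get(cid) if cid is not None else None
        wanted = set(req.get(OPT_PARAM_REQUEST, b""))
        reply: Dict[int, bytes] = {}
        if OPT_TFTP_SERVER_NAME in wanted:
            reply[OPT_TFTP_SERVER_NAME] = self.tftp_server_name.encode("ascii")
        if OPT_VENDOR_SPECIFIC in wanted and self.vendor_suboptions:
            reply[OPT_VENDOR_SPECIFIC] = build_options(self.vendor_suboptions)
        return address, reply


# Constructed sample: a phone with MAC 00:11:22:33:44:55 identifying itself with a
# type-1 (Ethernet) client identifier and asking for options 1, 3, 43 and 66.
PHONE_CLIENT_ID = b"\x01" + bytes.fromhex("001122334455")
SAMPLE_REQUEST = build_options({
    OPT_CLIENT_ID: PHONE_CLIENT_ID,
    OPT_PARAM_REQUEST: bytes([1, 3, OPT_VENDOR_SPECIFIC, OPT_TFTP_SERVER_NAME]),
})

POLICY = DhcpPolicy(
    static_by_client_id={PHONE_CLIENT_ID: "192.0.2.50"},
    tftp_server_name="tftp.example.internal",
    vendor_suboptions={1: b"https://prov.example.internal/cfg"},  # sub-option 1 is vendor-defined
)

if __name__ == "__main__":
    assigned, options = POLICY.answer(SAMPLE_REQUEST)
    print(assigned, options)
```

Two caveats a practitioner will want: the client identifier is whatever the client chose to send, so static allocation by option 61 is a convenience, not an authentication mechanism; and the parser above deliberately stops at the first malformed option instead of guessing, which is the right default for anything that listens on a LAN.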

FortiWAN 4.1.3

Bug fixes only. Please refer to FortiWAN 4.1.3 Release Notes.

FortiWAN 4.1.2

Bug fixes only. Please refer to FortiWAN 4.1.2 Release Notes.

FortiWAN 4.1.1

  • New CLI command shutdown – Use this command to shut the FortiWAN system down. All system processes and services are terminated normally. This command might not power the appliance off; use the power switch or plug/unplug the power adapter to power the appliance on/off. See “Console Mode Commands”.

  • Firmware upgrade – A License Key will no longer be required for upgrading system firmware to any release.

FortiWAN 4.1.0

  • The timezone of FortiWAN’s hardware clock (RTC) is switched from local time to UTC. The system time might be incorrect after updating the firmware from a previous version to this version because of the mismatched timezone. Reset the system time and synchronize it to FortiWAN’s hardware clock (execute Synchronize Time in System > Date/Time on the Web UI), so that the hardware clock is kept in UTC.
  • New models – FortiWAN introduces two models, FortiWAN-VM02 and FortiWAN-VM04, for deployment on VMware. FortiWAN V4.1.0 is the initial version for the two models. FortiWAN-VM02 supports a maximum of 2 virtual CPUs, and FortiWAN-VM04 supports a maximum of 4 virtual CPUs. Both models support 9 virtual network adapters, and each port can be programmed as WAN, LAN or DMZ. FortiWAN-VM supports deployment on VMware vSphere ESXi. Refer to “FortiWAN-VM Install Guide”.

  • Bandwidth capability changes:
  • FortiWAN 200B – The basic bandwidth is upgraded from 60 Mbps to 200 Mbps. With a bandwidth license, the system supports advanced bandwidth up to 400 Mbps and 600 Mbps.
  • FortiWAN 1000B – The basic bandwidth is upgraded from 500 Mbps to 1 Gbps. With a bandwidth license, the system supports advanced bandwidth up to 2 Gbps.
  • FortiWAN 3000B – The basic bandwidth is upgraded from 1 Gbps to 3 Gbps. With a bandwidth license, the system supports advanced bandwidth up to 6 Gbps and 9 Gbps.
  • Notification – Supports delivering event notifications via secure SMTP. See “Notification”.
  • Connection Limit – Customers can manually abort the connections listed in Connection Limit’s Statistics. FortiWAN’s Connection Limit stops subsequent connections from malicious IP addresses when the system is under attack with high volumes of connections. However, the system takes time to terminate the existing malicious connections normally (connection timeout). Connection Limit’s Statistics lists the existing connections; aborting them immediately frees the memory they occupy. See “Statistics > Connection Limit”.
  • Multihoming – Supports specifying an IPv6 address in an A record and an IPv4 address in an AAAA record to evaluate the source of a DNS request. See “Inbound Load Balancing and Failover (Multihoming)”.
  • Automatic default NAT rules – Supported for all types of IPv6 WAN link. Previously, the system automatically generated the default NAT rules for any type of IPv4 WAN link and for PPPoE IPv6 WAN links after the WAN links were applied. From this release, all types of IPv6 WAN link are supported. See “NAT”.
  • Firmware update under HA deployment – Simple one-instruction update of both master and slave units. The master unit triggers the firmware update on the slave unit first, and then updates itself. See “FortiWAN in HA (High Availability) Mode”.
  • New Reports pages:
  • Dashboard – A chart-based summary of FortiWAN’s system information and hardware states. See “Reports > Device Status > Dashboard”.
  • Settings – Used to manage FortiWAN Reports. See “Reports Settings”.
  • Auto Routing – A new field Input Port is added to Auto Routing’s rules to evaluate outbound traffic by the physical port it comes from. The corresponding VLAN ports, redundant LAN ports, redundant DMZ ports, aggregated LAN ports and aggregated DMZ ports are offered as options for the field, if they are allocated. See “Using the Web UI”.
  • New and enhanced CLI commands (See “Console Mode Commands”):
  • New command arp – Use this command to manipulate (add and delete entries) or display the IPv4 network neighbor cache.
  • Enhanced command resetconfig – A new parameter is added to the CLI command resetconfig to specify a static routing subnet for the default LAN port. By specifying a suitable private LAN subnet and static routing rule, users can connect to the Web UI via the default LAN port without modifying their current network after the system reboots from a reset to factory default.
  • Pagination – Paginates the output of a command if it is longer than the screen can display.
  • Changes to FortiWAN logins:
  • The Fortinet default account/password (admin/null) is supported for FortiWAN’s Web UI and CLI. The old default accounts/passwords remain accessible. See “Connecting to the Web UI and the CLI”.
  • The FortiWAN CLI accepts logins from any customized account belonging to the Administrator group. A special account maintainer is provided to reset the admin password to factory default via the CLI, for the case where nobody with the password is available to log in to the Web UI or CLI. See “Administration”.
  • All accounts belonging to the Administrator group can log in to FortiWAN over SSH.
  • Web UI – Supports multiple sign-in. The system accepts a maximum of 20 concurrent logins. Note that the system does not provide concurrent executions of Tunnel Routing Benchmark for multiple logins. See “Using the Web UI”.

FortiWAN 4.0.6

Bug fixes only. Please refer to FortiWAN 4.0.6 Release Notes.

FortiWAN 4.0.5

Bug fixes only. Please refer to FortiWAN 4.0.5 Release Notes.

FortiWAN 4.0.4

Bug fixes only. Please refer to FortiWAN 4.0.4 Release Notes.

FortiWAN 4.0.3

FortiWAN 4.0.3 is the initial release for FortiWAN 3000B. For bug fixes, please refer to FortiWAN 4.0.3 Release Notes.

FortiWAN 4.0.2

Bug fixes only. Please refer to FortiWAN 4.0.2 Release Notes.

FortiWAN 4.0.1

FortiWAN introduces new hardware platforms FortiWAN 1000B and FortiWAN 3000B, and new FortiWAN 4.0.1 firmware based on the AscenLink series of Link Load Balancing appliances already in the market. FortiWAN 4.0.1 is substantially similar to AscenLink V7.2.3 with the additions noted below.

To assess the impact of deploying FortiWAN 4.0.1 on your network and processes, review the following new and enhanced features.

  • Data Port Changes
  • FortiWAN 1000B supports 3 GE RJ45 ports and 4 GE SFP ports. Each port can be programmed as WAN, LAN or DMZ. Redundant LAN and DMZ ports can be configured. 2-link LACP/LAG LAN or DMZ ports can be configured. Default LAN port is Port 6 and default DMZ port is Port 7.
  • FortiWAN 3000B supports 8 GE RJ45 ports, 8 GE SFP ports and 8 10GE SFP+ ports. Each port can be programmed as WAN, LAN or DMZ. Redundant LAN and DMZ ports can be configured. 2-link LACP/LAG LAN or DMZ ports can be configured. Default LAN port is Port 11 and default DMZ port is Port 12.
  • HA Configuration Synchronization – Two FortiWAN appliances can be connected in active-passive High Availability mode via an Ethernet cable between the systems’ HA RJ-45 ports. HA will not interoperate between AscenLink and FortiWAN and will not interoperate between different FortiWAN models or the same model with different Throughput licenses. Model and Throughput must match.
  • HDD – FWN 1000B and FWN 3000B add internal 1TB HDDs for Reports data storage.
  • Hardware Support – FortiWAN 4.0.1 supports FortiWAN 200B and FortiWAN 1000B. AscenLink series models are not supported. Note that FortiWAN 4.0.1 does not support FortiWAN 3000B; FortiWAN 4.0.3 is the first release to support that model.

FortiWAN 4.0.0

FortiWAN introduces new hardware platform FortiWAN 200B and new FortiWAN 4.0.0 firmware based on the AscenLink series of Link Load Balancing appliances already in the market. FortiWAN 4.0.0 is substantially similar to AscenLink V7.2.2 with the additions noted below.

To assess the impact of deploying FortiWAN 4.0.0 on your network and processes, review the following new and enhanced features.

  • Data Port Changes – FortiWAN 200B supports 5 GE RJ45 ports. Each port can be programmed as WAN, LAN or DMZ. Redundant LAN and DMZ ports can be configured. 2-link LACP/LAG LAN or DMZ ports can be configured. Default LAN port is Port 4 and default DMZ port is Port 5.
  • HA Port Change – FortiWAN supports one GE RJ45 HA port. This port must be direct-cabled via an Ethernet cable to the HA port of a second FWN unit for HA operation. HA will not interoperate between AscenLink and FortiWAN and will not interoperate between different FortiWAN models.
  • HDD – FWN 200B adds an internal 500 GB HDD for Reports data storage. See below for more information on Reports.
  • HA Configuration Synchronization – Two FWN 200B appliances can be connected in active-passive High Availability mode via an Ethernet cable between the systems’ HA RJ-45 ports.
  • New Functionality – FortiWAN 4.0.0 has the same functionality as AscenLink V7.2.2 plus the addition of built-in Reports, which is equivalent to the external LinkReport for AscenLink.
  • Reports – Reports captures and stores data on traffic and applications across all WAN links in the system. Reports include connections, link and aggregate bandwidth, link and VPN reliability, and data on Multihoming requests, Virtual Server (SLB) requests, and more. Reports can be viewed on-screen, exported to PDF or CSV files or emailed immediately in PDF or CSV format.
  • GUI – FWN 4.0.0 adopts the Fortinet “look and feel”.
  • Hardware Support – FortiWAN 4.0.0 supports FortiWAN 200B. AscenLink series models are not supported.


FortiWAN Key Concepts and Product Features


WAN load balancing (WLB)

Generally speaking, load balancing is a set of mechanisms for distributing workload across available resources, such as servers, computers, network links, CPUs or disk storage. FortiWAN’s WAN load balancing distributes (routes) WAN traffic across multiple network links. Its main purposes are optimizing bandwidth usage, maximizing transmission throughput and avoiding overload of any single network link. WAN load balancing always implies automatic traffic distribution across multiple network links. Unlike general routing, WAN load balancing involves algorithms, calculations and monitoring to dynamically determine the availability of network links for traffic distribution.

Installation

FortiWAN is an edge device that typically connects an internal local area network (LAN) with an external wide area network (WAN) or the Internet. The physical network ports on FortiWAN are divided into WAN ports, LAN ports and DMZ (Demilitarized Zone) ports, which are used to connect to the WAN or the Internet, subnets in LAN, and subnets in DMZ respectively. Please refer to FortiWAN QuickStart Guides for the ports mapping for various models.

Bidirectional load balancing

Network data transmission passing through FortiWAN is bidirectional: inbound and outbound. A transmission consists of session establishment and packet transmission. An inbound session is one established from elsewhere (external) towards the FortiWAN side (internal), while an outbound session is one established from the FortiWAN side (internal) to elsewhere (external). For example, a request from the internal network to an HTTP server on the Internet means the first packet goes out to the external server, so an outbound session is established. Conversely, a request from outside to an HTTP server behind FortiWAN means the first packet comes in to the internal server, so an inbound session is established. Whichever direction a session is established in, packet transmission within it may be bidirectional (depending on the transport protocol). FortiWAN is capable of balancing not only outbound but also inbound sessions and packets across multiple network links.

Auto Routing (Outbound Load Balancing)

FortiWAN distributes traffic across as many as 50 WAN links, under control of load balancing algorithms. FortiWAN’s many advanced load balancing algorithms let you easily fine-tune how traffic is distributed across the available links. Each deployment can be fully customized with the most flexible assignment of application traffic in the industry.


Multihoming (Inbound Load Balancing)

Many enterprises host servers for email, and other public access services. FortiWAN load balances incoming requests and responses across multiple WAN Links to improve user response and network reliability. Load balancing algorithms assure the enterprise that priority services are maintained and given appropriate upstream bandwidth.

Fall-back or Fail-over

FortiWAN detects local access link failures and end-to-end failures in the network and can either fall-back to remaining WAN links or fail-over to redundant WAN links, if needed. Fall-back and Fail-over behavior is under complete control of the administrator, with flexible rule definitions to meet any situation likely to occur. Links and routes are automatically recovered when performance returns to acceptable levels. Notifications will be sent automatically to administrators when link or route problems occur.
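The behaviour described here (declare a link failed, fall back to the remaining links, recover it once detections succeed again, notify on each change) together with the 4.3.0 health detection parameter above (a configurable number of consecutive successful detections before a link is declared available) amounts to a hysteresis state machine feeding link selection. The following is an added example, not FortiWAN's implementation, showing that state machine and a weighted outbound selection that only considers links currently declared up. The thresholds, link names, weights and probe results are constructed; FortiWAN's actual algorithms are not described on this page and are not reproduced here.

```python
"""Link health hysteresis driving outbound link selection.

Added example; not FortiWAN's implementation. Thresholds, link names and weights are made up.
"""
import hashlib
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class LinkHealth:
    """One WAN link's health detection state.

    A link goes down after `fail_threshold` consecutive failed probes and comes back
    only after `recover_threshold` consecutive successful ones; a probe with the
    opposite result restarts the count, so a flapping link stays out of service."""
    name: str
    fail_threshold: int = 3
    recover_threshold: int = 5
    up: bool = True
    streak: int = 0                  # length of the current run of same-result probes
    last_ok: Optional[bool] = None   # result of the previous probe

    def observe(self, probe_ok: bool) -> Optional[str]:
        """Feed one detection result; return an event string on a state change, else None."""
        if probe_ok == self.last_ok:
            self.streak += 1
        else:
            self.streak, self.last_ok = 1, probe_ok
        if self.up and not probe_ok and self.streak >= self.fail_threshold:
            self.up = False
            return f"{self.name} down after {self.streak} failed detections"
        if not self.up and probe_ok and self.streak >= self.recover_threshold:
            self.up = True
            return f"{self.name} up after {self.streak} successful detections"
        return None


@dataclass
class WanPool:
    """Outbound selection over the links currently declared up."""
    links: Dict[str, LinkHealth]
    weights: Dict[str, int]                          # relative share per link, e.g. bandwidth ratio
    events: List[str] = field(default_factory=list)  # state changes: the feed for notifications

    def probe(self, results: Dict[str, bool]) -> List[str]:
        """Apply one round of detection results and return the state changes it caused."""
        changed = []
        for name, ok in results.items():
            event = self.links[name].observe(ok)
            if event:
                changed.append(event)
        self.events.extend(changed)
        return changed

    def available(self) -> List[str]:
        return sorted(name for name, link in self.links.items() if link.up)

    def pick(self, session_key: str) -> Optional[str]:
        """Weighted choice among available links, hashed on the session key so a
        session keeps its link while the set of usable links is unchanged. A failed
        link simply drops out of the pool (fall-back); the remaining links absorb it."""
        pool = self.available()
        if not pool:
            return None
        total = sum(self.weights[name] for name in pool)
        digest = hashlib.sha256(session_key.encode()).digest()
        point = int.from_bytes(digest[:4], "big") % total
        for name in pool:
            point -= self.weights[name]
            if point < 0:
                return name
        return pool[-1]


def build_pool() -> WanPool:
    """Constructed two-link deployment: wan1 carries three times wan2's share."""
    return WanPool(
        links={name: LinkHealth(name) for name in ("wan1", "wan2")},
        weights={"wan1": 3, "wan2": 1},
    )
```

The asymmetry matters: failing fast (three misses) limits the damage of a dead link, while recovering slowly (five consecutive hits) keeps a link that is up for one probe and down for the next from being put back into rotation and dragging sessions with it.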

Virtual Private Services (Tunnel Routing)

FortiWAN offers the most powerful and flexible multi-link VPN functionality in the industry. Inter-site Tunnels can be created from fractional, full, multiple and fractions of multiple WAN links. Applications requiring large single-session bandwidth, such as VPN load balancing, video conferencing or WAN Optimization, can use multiple links to build the bandwidth needed. Multi-session traffic can share an appropriately sized Tunnel. Tunnels have the same functionality as single links, supporting Load Balancing, Fall-back, Failover and Health Detection within and between Tunnels. Dynamic IP addresses and NAT pass-through are supported for VPL service deployments.

Virtual Servers (Server Load Balancing and High Availability)

FortiWAN supports simple server load balancing and server health detection for multiple servers offering the same application. When service requests are distributed between servers, the servers that are slow or have failed are avoided and/or recovered automatically. Performance parameters are controlled by the administrator.

Optimum Routing

FortiWAN continuously monitors the public Internet to select the shortest and fastest route for mission-critical applications. Non-critical traffic can be routed away from the best links when prioritized traffic is present on the links or traffic can be assigned permanently to different groups of WAN links.

Traffic Shaping (Bandwidth Management)

FortiWAN optimizes traffic, guarantees performance or increases usable bandwidth for specified traffic by traffic classification and rate limiting.

Firewall and Security

FortiWAN provides a stateful firewall, access control lists and a connection limit to protect the FortiWAN unit, the internal network and its services from malicious attacks.
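Three things on this page meet in a stateful firewall: sessions are classified inbound or outbound from the direction of their first packet (Bidirectional load balancing above), return traffic of an existing session is allowed through even though it arrives from the external side, and the Connection Limit described in the 4.1.0 notes refuses new connections from a source that already holds too many while existing ones linger until they time out or an administrator aborts them. The following is an added example, not FortiWAN's firewall code, implementing those three behaviours in one session table. The internal subnet, limit, timeout and sample packets are constructed.

```python
"""Stateful session table: direction from the first packet, per-source connection
limit for new sessions, and an abort that drops existing sessions without waiting
for the idle timeout.

Added example; not FortiWAN's firewall code. Subnets, limits and packets are constructed.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple

Key = Tuple[str, int, str, int, str]   # (src, sport, dst, dport, proto) of the first packet


@dataclass
class Session:
    key: Key
    direction: str      # "outbound" if the first packet came from inside, else "inbound"
    last_seen: float
    packets: int = 1


class StatefulTable:
    def __init__(self, internal_nets: List[str], per_source_limit: int, idle_timeout: float):
        self.internal = [ip_network(n) for n in internal_nets]
        self.limit = per_source_limit
        self.idle_timeout = idle_timeout
        self.sessions: Dict[Key, Session] = {}
        self.denied: Dict[str, int] = {}    # src -> new connections refused by the limit

    def _is_internal(self, ip: str) -> bool:
        addr = ip_address(ip)
        return any(addr in net for net in self.internal)

    def _lookup(self, src: str, sport: int, dst: str, dport: int, proto: str) -> Optional[Session]:
        """Match either direction of an existing session: return traffic is 'established'
        even though its source is the external host."""
        forward = (src, sport, dst, dport, proto)
        reverse = (dst, dport, src, sport, proto)
        return self.sessions.get(forward) or self.sessions.get(reverse)

    def active_from(self, src: str) -> int:
        return sum(1 for s in self.sessions.values() if s.key[0] == src)

    def packet(self, now: float, src: str, sport: int, dst: str, dport: int, proto: str = "tcp") -> str:
        """Classify one packet: 'established', 'new-outbound', 'new-inbound' or 'denied'."""
        self.expire(now)
        session = self._lookup(src, sport, dst, dport, proto)
        if session is not None:
            session.last_seen = now
            session.packets += 1
            return "established"
        if self.active_from(src) >= self.limit:
            # Connection limit: refuse further sessions from a source that already holds
            # its quota; the existing ones stay until they time out or are aborted.
            self.denied[src] = self.denied.get(src, 0) + 1
            return "denied"
        direction = "outbound" if self._is_internal(src) else "inbound"
        key: Key = (src, sport, dst, dport, proto)
        self.sessions[key] = Session(key, direction, now)
        return f"new-{direction}"

    def expire(self, now: float) -> int:
        """Normal termination path: idle sessions age out."""
        stale = [k for k, s in self.sessions.items() if now - s.last_seen > self.idle_timeout]
        for k in stale:
            del self.sessions[k]
        return len(stale)

    def abort(self, src: str) -> int:
        """Operator action: drop every session opened from src right now, freeing its
        state instead of waiting for the idle timeout."""
        doomed = [k for k in self.sessions if k[0] == src]
        for k in doomed:
            del self.sessions[k]
        return len(doomed)

    def top_sources(self, n: int = 5) -> List[Tuple[str, int]]:
        """What a Connection Limit statistics page would list: sources by open sessions."""
        counts: Dict[str, int] = {}
        for s in self.sessions.values():
            counts[s.key[0]] = counts.get(s.key[0], 0) + 1
        return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))[:n]


def demo() -> dict:
    """Constructed traffic: one internal client, then an external host opening many
    connections to a server behind the appliance."""
    table = StatefulTable(["10.0.0.0/8"], per_source_limit=3, idle_timeout=60.0)
    out = {}
    out["client"] = table.packet(0.0, "10.0.0.5", 51000, "93.184.216.34", 443)
    out["reply"] = table.packet(0.1, "93.184.216.34", 443, "10.0.0.5", 51000)
    out["flood"] = [table.packet(1.0 + i, "198.51.100.7", 40000 + i, "10.0.0.80", 80) for i in range(5)]
    out["top"] = table.top_sources(1)
    out["aborted"] = table.abort("198.51.100.7")
    out["after_abort"] = table.packet(7.0, "198.51.100.7", 40100, "10.0.0.80", 80)
    out["denied"] = dict(table.denied)
    return out
```

Note what abort does and does not do: it frees the state held by the flooding source immediately, which is the point of the 4.1.0 feature, but it does not block that source, so the next connection from it is accepted again up to the limit. Blocking is an access control decision, kept separate from the session table on purpose.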


Scope

This document describes how to set up your FortiWAN appliance. For first-time system deployment, the suggested processes are:

Installation

  • Register your FortiWAN appliance before you start the installation. Refer to the topic [Register your FortiWAN] for further information.
  • Plan the network topology for introducing FortiWAN into the current network. This requires a clear picture of the WAN link types your ISPs provide and of how the available public IP addresses of each WAN link will be used. The topic [Planning the Network Topology] provides the sub-topics covering the concepts necessary for planning your network topology.
  • The topic [Web UI Overview] and its sub-topics provide instructions for connecting and logging in to the Web management interface. The system time and the account/password may need to be reset at first login; refer to the topics [Setting the System Time & Date] and [Administrator] for further information.
  • To implement the network topology you planned, the topic [Configuring Network Interface (Network Setting)] and its sub-topics give the necessary information about configuring network deployments on the Web UI. FortiWAN’s diagnostic tools are helpful for troubleshooting while configuring the network; refer to the topic [Diagnostic Tools].

Functions

  • After installing FortiWAN into your network, the next step is to configure its major features, load balancing and failover. The topic [Load Balancing & Fault Tolerance] and its sub-topics contain information about FortiWAN’s load balancing and failover mechanisms for incoming and outgoing traffic, virtual servers and single-session services.
  • The topic [Optional Services] covers the configuration of FortiWAN’s optional services, such as Bandwidth Management, Firewall, Connection Limit, NAT, SNMP, Cache Redirect, etc.

Monitoring

  • After FortiWAN has been running for a while, traffic logs, statistics and report analysis may be required for monitoring or troubleshooting. The topics [Logs], [Statistics] and [Reports] explain how to use those logs, statistics and reports to improve the management policies on FortiWAN.

The following topics are covered elsewhere:

  • Appliance installation—Refer to the quick start guide for your appliance model.
  • Virtual appliance installation—Refer to the FortiWAN-VM Install Guide.


FortiWAN Handbook – Introduction


Enterprises are increasingly relying on the internet for delivery of critical components for everyday business operations. Any delays or interruptions in connectivity can easily result in reduced productivity, lost business opportunities and a damaged reputation. Maintaining a reliable and efficient internet connection to ensure the operation of critical applications is therefore key to the success of the enterprise.

FortiWAN is a separate and discrete hardware appliance with exclusive operating system, specifically designed to intelligently balance internet and intranet traffic across multiple WAN connections, providing additional low-cost incoming and outgoing bandwidth for the enterprise and substantially increased connection reliability. FortiWAN is supported by a user-friendly UI and a flexible policy-based performance management system.

FortiWAN provides a unique solution that offers comprehensive multi-WAN management that keeps costs down as well as keeping customers and users connected.

Product Benefits

FortiWAN is the most robust, cost-effective way to:

  • Increase the performance of your:
  • Internet access
  • Public-to-Enterprise access
  • Site-to-site private intranet
  • Lower Operating Costs
  • Increase your network reliability
  • Enable Cloud / Web 2.0 Applications
  • Monitor Network Performance

Increase Network Performance

FortiWAN increases network performance in three key areas:

  • Access to Internet resources from the Enterprise
  • Access to Enterprise resources from the Internet
  • Creation of Enterprise Intranet connections between sites

FortiWAN intelligently aggregates multiple broadband and/or leased access lines to significantly increase Internet access performance. FortiWAN makes reacting to network demands fast, flexible and inexpensive. FortiWAN transforms underperforming networks into responsive, cost-effective and easy-to-manage business assets.

FortiWAN load balances Internet service requests from Enterprise users, optimally distributing traffic across all available access links. FortiWAN’s 7 different Load Balancing algorithms provide the flexibility to maximize productivity from any network scenario.

FortiWAN gives you high-performance inter-site connectivity without the need to lease expensive links such as T1 and T3. FortiWAN aggregates multiple low-cost Internet access links to create site-to-site Virtual Private Line (VPL) Tunnels for LAN-like performance between company locations. By using multiple carriers and media, the reliability of these VPL Tunnels can exceed that of traditional engineered carrier links.

Substantially Lower Operating Costs

Once bandwidth requirements exceed traditional asymmetrical Internet access services (like ADSL) there is a very high jump in bandwidth cost to engineered, dedicated access facilities like DS-1/DS-3. Even Metro Ethernet is a large cost increment where it is available. Adding shared Internet access links is substantially less expensive and delivery is substantially faster.

Traditional point-to-point private lines for company intranets are still priced by distance and capacity. Replacing or augmenting dedicated point-to-point services with Virtual Private Line Tunnels reduces costs substantially while increasing available bandwidth and reliability.

FortiWAN makes low-cost network access links behave and perform like specially-engineered carrier services at a fraction of the cost.

  • Deploy DSL services and get DS-3/STM-1-like speed and reliability while waiting for the carrier to pull fiber.
  • Add and remove bandwidth for seasonal requirements quickly and easily.
  • Increase bandwidth to web servers and use multiple ISPs without BGP4 management issues.

Increase Network Reliability

Businesses can no longer afford Internet downtime. FortiWAN provides fault tolerance for both inbound and outbound IP traffic to ensure a stable and dependable network. Even multiple link failures, while reducing available bandwidth, will not stop traffic. By using diverse media (fiber, copper, wireless) and multiple ISPs (Telco, Cableco, 4G), FortiWAN can deliver better than carrier-class “5-9’s” reliability.

FortiWAN can be deployed in High Availability mode with fully redundant hardware for increased reliability. Larger FortiWAN models also feature redundant power supplies for further protection from hardware failures.

Enable Cloud / Web 2.0 Applications

Traditional WAN Optimization products expect that all users connect only to Headquarters servers and Internet gateways over dedicated, symmetric leased lines, but that is already “yesterday’s” architecture. Today users want to mix HQ connectivity with direct Cloud access to Web 2.0 applications like email, collaborative documentation, ERP, CRM and online backup.

FortiWAN gives you the flexibility to customize your network, giving you complete control. Direct cloud-based applications to links optimized for them and reduce the bandwidth demand on expensive dedicated circuits. Combine access links and/or dedicated circuits into Virtual Private Line Tunnels that will support the fastest video streaming or video conferencing servers that Headquarters can offer.

FortiWAN is designed for easy deployment and rapid integration into any existing network topology.

Monitor Network Performance

FortiWAN provides comprehensive monitoring and reporting tools to ensure your network is running at peak efficiency. With the built-in storage and database, FortiWAN’s Reports function provides historical detail and reporting over longer periods of time, so that it not only allows management to react to network problems, but to plan network capacity, avoiding unnecessary expense while improving network performance.

FortiWAN is managed via a powerful Web User Interface. Configuration changes are instantly stored without the need to re-start the system. Configuration files can be backed-up and restored remotely. Traffic measurements, alarms, logs and other management data are stored for trend analysis and management overview.


Having trouble configuring your Fortinet hardware or have some questions you need answered? Check Out The Fortinet Guru Youtube Channel! Want someone else to deal with it for you? Get some consulting from Fortinet GURU!

FortiHypervisor 1.0 Admin Guide

Introduction

The FortiHypervisor Hybrid Virtual Appliance enables rapid service delivery for enterprises and MSPs through the use of virtualization technology. Built to deliver virtualized services as virtual network functions (VNFs), FortiHypervisor consolidates advanced networking and security services on a single device, eliminating the need for multiple CPE while enabling on-demand service delivery.

FortiHypervisor is available in both a software instance for install on generic x86 platforms and also on Fortinet SPU accelerated hybrid appliances. A powerful Intel processor combined with SPU hardware acceleration delivers the high security performance that customers have come to expect from Fortinet. Ample storage and memory produce excellent compute, network and security performance for the most intensive tasks.

FortiHypervisor can run the wide range of Fortinet VNFs, delivering the greatest range of virtual functions in the industry, but is also compatible with third-party VMs in KVM format for the greatest flexibility.

Form-factors

FortiHypervisor is available in two form-factors, allowing customers to select the most appropriate solution for their requirements.

Appliance

FortiHypervisor comes in a range of physical appliances suitable for small office / retail deployments (vCPE) all the way up to the datacenter or MSP network core. The models come with different performance ratings, amounts of Hard Drive space, RAM and network access ports.

Software

FortiHypervisor is available as a bare metal hypervisor ISO image which can be installed on selected whitebox hardware.

Any selected hardware should be validated against the supported hardware list and should meet the minimum hardware specification listed below.

Whilst a minimum specification is provided, consideration should be made towards the VMs which will be installed as these may have additional performance and resource requirements.

If unsure, please validate your hardware selection with Fortinet Support before proceeding.



Best Practices: Log management

When the FortiGate unit records FortiGate activity, valuable information is collected that provides insight into how to better protect network traffic against attacks, including misuse and abuse. There is a lot to consider before enabling logging on a FortiGate unit, such as what FortiGate activities to enable and which log device is best suited for your network’s logging needs. A plan can help you in deciding the FortiGate activities to log, a log device, as well as a backup solution in the event the log device fails.

This plan should provide you with an outline, similar to the following:

  • what FortiGate activities you want and/or need logged (for example, security features)
  • the logging device best suited for your network structure
  • if you want or require archiving of log files
  • ensuring logs are not lost in the event a failure occurs.

After the plan is implemented, you need to manage the logs and be prepared to expand on your log setup when the current logging requirements are outgrown. Good log management practices help you with these tasks.

Log management practices help you to improve and manage logging requirements. Logging is an ever-expanding tool that can seem to be a daunting task to manage. The following management practices will help you when issues arise, or your logging setup needs to be expanded.

1. Revisit your plan on a yearly basis to verify that your logging needs are being met by your current log setup. For example, your company or organization may require archival logging, but not at the beginning of your network’s lifespan. Archival logs are stored on a FortiGate unit’s local hard drive, a FortiAnalyzer unit, or a FortiCloud server, in increasing order of size.

2. Configure an alert message that will notify you of activities that are important to be aware of. For example: if a branch office does not have a FortiGate administrator, you will need to know at all times that the IPsec VPN tunnel is still up and running. An alert email notification message can be configured to send only if IPsec tunnel errors occur.

3. If your organization or company uses peer-to-peer programs such as Skype or other instant messaging software, use the Applications FortiView dashboard, or the Executive Summary’s report widget (Top 10 Application Bandwidth Usage Per Hour Summary) to help you monitor the usage of these types of instant messaging software. These widgets can help you in determining how these applications are being used, including if there is any misuse and abuse. Their information is taken from application log messages; however, application log messages should be viewed as well since they contain the most detailed information.

4. Ensure that your backup solution is up-to-date. If you have recently expanded your log setup, you should also review your backup solution. The backup solution provides a way to ensure that all logs are not lost in the event that the log device fails or issues arise with the log device itself.


Reports – FortiManager 5.2

Reports

FortiManager units can analyze information collected from the log files of managed log devices. It then presents the information in tabular and graphical reports that provide a quick and detailed analysis of activity on your networks.

To reduce the number of reports needed, reports are independent from devices, and contain layout information in the form of a report template. The devices, and any other required information, can be added as parameters to the report at the time of report generation.

Additional configuration options and short-cuts are available using the right-click menu. Right-click the mouse on different navigation panes on the Web-based Manager page to access these options.

The Reports tab allows you to configure reports using the predefined report templates, configure report schedules, view report history and the report calendar, and configure and view charts, macros, datasets, and output profiles.

If ADOMs are enabled, each ADOM will have its own report settings including chart library, macro library, dataset library, and output profiles.

FortiCarrier, FortiCache, FortiMail and FortiWeb reports are available when ADOMs are enabled. Reports for these devices are configured within their respective default ADOM. These devices also have device specific charts and datasets.

When rebuilding the SQL database, Reports will not be available until after the rebuild is completed. Select the Show Progress link in the message to view the status of the SQL rebuild.

This chapter contains the following sections:

  • Reports
  • Report layouts
  • Chart library
  • Macro library
  • Report calendar
  • Advanced

Reports

FortiManager includes preconfigured reports and report templates for FortiGate, FortiMail, and FortiWeb log devices. These report templates can be used as is, or you can clone and edit the templates. You can also create new reports and report templates that can be customized to your requirements.

Predefined report templates are identified by a blue report icon and custom report templates are identified by a green report icon. When a schedule has been enabled, the schedule icon will appear to the left of the report template name.



Event Management – FortiManager 5.2

Event Management

In the Event Management tab you can configure event handlers based on log type and logging filters. You can select to send the event to an email address, SNMP community, or syslog server. Events can be configured per device, for all devices, or for the local FortiManager. You can create event handlers for FortiGate, FortiCarrier, FortiCache, FortiMail, FortiManager, FortiWeb, FortiSandbox devices, and syslog servers. In v5.2.0 or later, Event Management supports local FortiManager event logs.

Events can also be monitored, and the logs associated with a given event can be viewed.

When rebuilding the SQL database, Event Management will not be available until after the rebuild is completed. Select the Show Progress link in the message to view the status of the SQL rebuild.

Events

The events page provides a list of the generated events. Right-clicking on an event in the table gives you the option of viewing event details including the raw log entries associated with that event, adding review notes, and acknowledging the event.

To view events, go to the Event Management tab and select Event Management > All Events. You can also view events by severity and by handler. When ADOMs are enabled, select the ADOM, and then select All Events.

Events page

The following information is displayed:

Events

Count The number of log entries associated with the event. Click the heading to sort events by count.
Event Name The name of the event. Click the heading to sort events by event name.
Severity The severity level of the event. Event severity level is a user configured variable. The severity can be Critical, High, Medium, or Low. Click the heading to sort events by severity.
Event Type The event type. For example, Traffic or Event. Click the heading to sort events by event type. IPS and Application Control event names are links. Select the link to view additional information.
Additional Info Additional information about the event. Click the heading to sort events by additional information.
Last Occurrence The date and time that the event was created and added to the events page. Click the heading to sort events by last occurrence.
Pagination Adjust the number of logs that are listed per page and browse through the pages.
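The following Python script is an added example, not code from the FortiManager guide or from Fortinet. It shows the mechanics behind two passages on this page: the log-management practice of alerting only on IPsec tunnel errors, and the event table just described, whose Count, Severity and Last Occurrence columns come from grouping matching log entries under a handler. It parses FortiGate-style key=value log lines, matches them against handler filters with operator-assigned severities, and groups the matches into events. The log lines, device id, addresses, handler rules and severity assignments are all constructed for the example and are not product defaults.

```python
"""Group FortiGate-style key=value log lines into events.

Added example: it illustrates the Event Management count/severity/last
occurrence columns and the "alert only on IPsec tunnel errors" practice.
All log lines, device ids, handler rules and severities below are
constructed assumptions, not real device output or product defaults.
"""
import re
from datetime import datetime

# Constructed sample logs in the key=value layout FortiGate devices emit.
# Device id and addresses are placeholders (RFC 5737 documentation ranges).
SAMPLE_LOGS = """\
date=2017-03-01 time=10:00:01 devname=branch-fw devid=FG-SAMPLE-0001 type=event subtype=vpn level=error vd=root logdesc="IPsec phase 1 error" remip=203.0.113.10 status=negotiate_error
date=2017-03-01 time=10:00:31 devname=branch-fw devid=FG-SAMPLE-0001 type=event subtype=vpn level=error vd=root logdesc="IPsec phase 1 error" remip=203.0.113.10 status=negotiate_error
date=2017-03-01 time=10:02:15 devname=branch-fw devid=FG-SAMPLE-0001 type=event subtype=system level=information vd=root logdesc="Admin login successful" user="admin" msg="Administrator admin logged in successfully from ssh(192.0.2.5)"
date=2017-03-01 time=10:03:00 devname=branch-fw devid=FG-SAMPLE-0001 type=traffic subtype=forward level=notice vd=root srcip=10.0.0.20 dstip=198.51.100.7 action=accept
date=2017-03-01 time=10:05:42 devname=branch-fw devid=FG-SAMPLE-0001 type=utm subtype=ips level=warning vd=root severity=high srcip=198.51.100.7 dstip=10.0.0.20 attack="Constructed.Sample.Signature" action=detected
"""

# key=value pairs; values are either a double-quoted string or a bare token.
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_log_line(line):
    """Split one key=value line into a dict, removing quotes around values."""
    fields = {}
    for key, value in KV_RE.findall(line):
        if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
            value = value[1:-1]
        fields[key] = value
    return fields


# Event handlers: a filter on log fields plus an operator-chosen event name
# and severity (severity is a user-configured value in Event Management).
# These rules are assumptions made for the example.
HANDLERS = [
    {"name": "IPsec tunnel errors", "severity": "Critical",
     "match": {"type": "event", "subtype": "vpn", "level": "error"}},
    {"name": "IPS detections", "severity": "High",
     "match": {"type": "utm", "subtype": "ips"}},
    {"name": "Admin logins", "severity": "Low",
     "match": {"type": "event", "subtype": "system",
               "logdesc": "Admin login successful"}},
]


def matching_handler(fields):
    """Return the first handler whose filter fields all equal the log's fields."""
    for handler in HANDLERS:
        if all(fields.get(k) == v for k, v in handler["match"].items()):
            return handler
    return None


def build_events(log_text):
    """Group matching log lines into events keyed by (device id, event name).

    Each event keeps the count of associated log entries, the handler's
    severity, the latest timestamp and the raw entries for drill-down.
    """
    events = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        fields = parse_log_line(line)
        handler = matching_handler(fields)
        if handler is None:
            continue  # no handler matches: the log is stored but raises no event
        ts = datetime.strptime(fields["date"] + " " + fields["time"],
                               "%Y-%m-%d %H:%M:%S")
        key = (fields.get("devid", "unknown"), handler["name"])
        ev = events.setdefault(key, {
            "event_name": handler["name"], "severity": handler["severity"],
            "count": 0, "last_occurrence": ts, "raw_logs": []})
        ev["count"] += 1
        ev["last_occurrence"] = max(ev["last_occurrence"], ts)
        ev["raw_logs"].append(line)
    return events


def event_rows(events):
    """Events as table rows sorted by count, like the Events page columns."""
    rows = sorted(events.values(), key=lambda e: e["count"], reverse=True)
    return [{"Count": e["count"], "Event Name": e["event_name"],
             "Severity": e["severity"],
             "Last Occurrence": e["last_occurrence"].isoformat(sep=" ")}
            for e in rows]


def ipsec_alerts(events):
    """Events that should be emailed: only IPsec tunnel errors, nothing else."""
    return [e for e in events.values() if e["event_name"] == "IPsec tunnel errors"]


if __name__ == "__main__":
    evs = build_events(SAMPLE_LOGS)
    for row in event_rows(evs):
        print(row)
    for alert in ipsec_alerts(evs):
        print("ALERT:", alert["event_name"], "x", alert["count"])
```

Run as-is, the script groups the two VPN error lines into one event with a count of 2 and a last occurrence of 10:00:31, raises one event each for the IPS detection and the admin login, ignores the traffic line because no handler matches it, and reports only the IPsec event as worth an alert email. The raw entries kept under `raw_logs` are what the "view raw log entries" right-click option on the Events page exposes for a selected event.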


Log View – FortiManager 5.2

Log view

Logging and reporting can help you determine what is happening on your network, as well as informing you of certain network activity, such as the detection of a virus, or IPsec VPN tunnel errors. Logging and reporting go hand in hand, and can become a valuable tool for information gathering, as well as displaying the activity that is happening on the network.

Your FortiManager device collects logs from managed FortiGate, FortiCarrier, FortiCache, FortiMail, FortiManager, FortiSandbox, FortiWeb, FortiClient, and syslog servers.

Collected logs

Device Type   Log Type
FortiGate     Traffic; Event (Endpoint, HA, System, Router, VPN, User, WAN Opt. & Cache, and Wireless); Security (Vulnerability Scan, AntiVirus, Web Filter, Application Control, Intrusion Prevention, Email Filter, Data Leak Prevention); FortiClient; VoIP. Content logs are also collected for FortiOS 4.3 devices.
FortiCarrier  Traffic, Event
FortiCache    Traffic, Event, Antivirus, Web Filter
FortiClient   Traffic, Event
FortiMail     History, Event, Antivirus, Email Filter
FortiManager  Event
FortiSandbox  Malware, Network Alerts
FortiWeb      Event, Intrusion Prevention, Traffic
Syslog        Generic
