
FortiGate-7000 v5.4.3 special features and limitations

IP Multicast

IPv4 and IPv6 multicast traffic is sent only to the primary FPM module (usually the FPM in slot 3). This is
controlled by the following two load-balance flow rules, which match the IPv4 multicast range (224.0.0.0 with
netmask 240.0.0.0, that is 224.0.0.0/4) and the IPv6 multicast range (ff00::/8) and forward them to the master slot:

config load-balance flow-rule
    edit 18
        set status enable
        set vlan 0
        set ether-type ipv4
        set src-addr-ipv4 0.0.0.0 0.0.0.0
        set dst-addr-ipv4 224.0.0.0 240.0.0.0
        set protocol any
        set action forward
        set forward-slot master
        set priority 5
        set comment "ipv4 multicast"
    next
    edit 19
        set status enable
        set vlan 0
        set ether-type ipv6
        set src-addr-ipv6 ::/0
        set dst-addr-ipv6 ff00::/8
        set protocol any
        set action forward
        set forward-slot master
        set priority 5
        set comment "ipv6 multicast"
    next
end
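To make the address/netmask semantics of these rules concrete, the following is an added Python example (not Fortinet code and not part of this handbook) that parses the two flow rules above and reports which slot a given source/destination pair would be forwarded to. It assumes FortiOS writes IPv4 addresses as "address netmask" (so 224.0.0.0 240.0.0.0 is 224.0.0.0/4), that only rules with status enable and action forward are considered, and that a lower priority number wins when several rules match (priority 1 highest, 10 lowest, as described elsewhere in the handbook; treated here as an assumption). The sample configuration is the page's own two rules, embedded inline.

```python
import ipaddress
import re

# Constructed sample input: the two multicast flow rules shown on this page, in FortiOS CLI form.
SAMPLE_CONFIG = """
config load-balance flow-rule
    edit 18
        set status enable
        set vlan 0
        set ether-type ipv4
        set src-addr-ipv4 0.0.0.0 0.0.0.0
        set dst-addr-ipv4 224.0.0.0 240.0.0.0
        set protocol any
        set action forward
        set forward-slot master
        set priority 5
        set comment "ipv4 multicast"
    next
    edit 19
        set status enable
        set vlan 0
        set ether-type ipv6
        set src-addr-ipv6 ::/0
        set dst-addr-ipv6 ff00::/8
        set protocol any
        set action forward
        set forward-slot master
        set priority 5
        set comment "ipv6 multicast"
    next
end
"""


def parse_flow_rules(text):
    """Parse 'edit N ... set key value ... next' blocks into a list of dicts."""
    rules = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"^edit\s+(\d+)$", line)
        if m:
            current = {"id": int(m.group(1))}
            continue
        if line == "next" and current is not None:
            rules.append(current)
            current = None
            continue
        m = re.match(r"^set\s+(\S+)\s+(.*)$", line)
        if m and current is not None:
            key, value = m.group(1), m.group(2).strip()
            if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
                value = value[1:-1]  # strip quotes around comments
            current[key] = value
    return rules


def rule_network(rule, which):
    """Return the src or dst network of a rule as an ipaddress network object.

    which is 'src' or 'dst'. IPv4 values are 'address netmask' pairs (assumed FortiOS
    notation); IPv6 values are already in prefix notation.
    """
    ether = rule.get("ether-type")
    if ether == "ipv4":
        addr, mask = rule[f"{which}-addr-ipv4"].split()
        return ipaddress.IPv4Network((addr, mask), strict=False)
    if ether == "ipv6":
        return ipaddress.IPv6Network(rule[f"{which}-addr-ipv6"], strict=False)
    return None  # 'ip' or other ether-types are not handled by this example


def forward_slot_for(src, dst, rules):
    """Return the forward-slot of the best matching rule, or None.

    None means no flow rule applies, so the packet falls through to normal
    session load balancing across the FPM modules (behaviour assumed, not parsed).
    """
    src_ip = ipaddress.ip_address(src)
    dst_ip = ipaddress.ip_address(dst)
    matches = []
    for rule in rules:
        if rule.get("status") != "enable" or rule.get("action") != "forward":
            continue
        src_net = rule_network(rule, "src")
        dst_net = rule_network(rule, "dst")
        if src_net is None or dst_net is None:
            continue
        if src_net.version != src_ip.version or dst_net.version != dst_ip.version:
            continue
        if src_ip in src_net and dst_ip in dst_net:
            matches.append(rule)
    if not matches:
        return None
    # Assumption: priority 1 is highest, so the smallest number wins.
    best = min(matches, key=lambda r: int(r.get("priority", 10)))
    return best["forward-slot"]


if __name__ == "__main__":
    rules = parse_flow_rules(SAMPLE_CONFIG)
    for src, dst in [("10.0.0.1", "239.255.255.250"), ("10.0.0.1", "8.8.8.8"),
                     ("2001:db8::1", "ff02::1"), ("2001:db8::1", "2001:db8::2")]:
        print(f"{src} -> {dst}: slot {forward_slot_for(src, dst, rules)}")
```

Running the block shows that any IPv4 destination in 224.0.0.0/4 and any IPv6 destination in ff00::/8 goes to the master slot, while unicast destinations return None and are left to ordinary load balancing; 240.0.0.1, just past the mask boundary, is correctly not matched.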

High Availability

Only the M1 and M2 interfaces are used for the HA heartbeat communication.

When using both M1 and M2 for the heartbeat, FortiGate-7000 v5.4.3 requires two switches: one switch to
connect all M1 ports together and a second switch to connect all M2 ports together. This is because the
same VLAN is used for both M1 and M2, and the two interface groups must remain in separate broadcast domains.

Using a single switch for both M1 and M2 heartbeat traffic is possible if the switch supports Q-in-Q tunneling. In
that case, use different VLANs for M1 traffic and M2 traffic so that the switch keeps the two broadcast domains separate.

The following FortiOS HA features are not supported or are supported differently by FortiGate-7000 v5.4.3:

- Remote IP monitoring (configured with the pingserver-monitor-interface option and related settings) is not supported.
- Active-active HA is not supported.
- The range for the HA group-id is 0 to 14.
- Failover logic for FortiGate-7000 v5.4.3 HA is not the same as FGSP for other FortiGate clusters.
- HA heartbeat configuration is specific to FortiGate-7000 systems and differs from standard HA.

FortiGate-7000
Fortinet Technologies Inc.

78
