manualshive.com logo in svg

Fortinet FortiWAN, Handbook

Share
Download
Fortinet FortiWAN Handbook Download Page 177

IPSec VPN Concepts

IPSec

IKE Phase 2

Under the protection of ISAKMP Security Association, IKE Phase 2 performs parameters negotiations to establish the
IPsec Security Association which protects the subsequent IPSec VPN communications. IKE Phase 2 is processed in
one mode called Quick Mode (New Group Mode is not supported by FortiWAN). Similar to Phase 1, in IKE Phase 2,
another proposal of encryption and authentication algorithms is negotiated, shared secret keys are derived, and the
negotiation sessions are authenticated. The negotiated encryption and authentication algorithms, derived secret keys
and other necessary parameters, which are the successful outcome of IKE Phase 2, constitute the IPSec Security
Association. So that the security association between two IPSec VPN gateways is established, and the VPN
communications are so that protected.

Perfect Forward Secrecy, PFS

Perfect Forward Secrecy is a property of communication security that past session keys can not be compromised by
the compromise of long-term keys if a session key is associated to the long-term key in some way. Actually, the shared
secret key we introduced in IKE Phase 2 is derived by calculation with the secret key derived in IKE Phase 1 and some
insecure (is public to any third-party) parameters (a Diffie-Hellman exchange is not involved in the calculation), if PFS
is not enabled for IKE Phase 2. Once the secret key of IKE Phase 1 is compromised to an attacker, all the secret
session keys derived in IKE Phase 2 might become compromised. With enabling PFS, the calculation of secret keys
involves a new Diffie-Hellman exchange. The private key material of Diffie-Hellman exchange protects the session
secret keys of IKE Phase 2 from the compromise of IKE Phase 1's keys. However, system performance might be
concerned if Diffie-Hellman exchange is performed twice (Phase 1 and Phase 2 individually) for a establishment of
IPsec Security Association.

How IPSec VPN Works

So far we have a overview of IPSec concept and how the Security Associations are established. Before a further
discussion, here is the IPSec VPN's operation broken down into five main steps:

1. The initial packet matching correspondent IPSec VPN policies and attempting to pass through the IPSec VPN

gateway triggers the IKE processes to establish Security Associations.

2. During IKE Phase 1, IKE proposals are negotiated, secret keys are shared and the two IPSec endpoints are

authenticated. The ISAKMP SA is established for IKE Phase 2.

3. IKE Phase 2 negotiates new parameters and calculates new secret keys. The IPSec SA is established for VPN

communications.

4. Communications over the two IPSec VPN gateways are protected according on the security parameters and keys

stored in Security Association database. Data packets are encapsulated with ESP header and new IP header,and
transferred over the IPSec VPN tunnel.

5. IPSec SAs terminate by timing out.

Modes of IPSec VPN data transmission

IPSec transfers the encrypted or authenticated IP packets (ESP or AH encapsulated packets) in a host-to-host
transport mode, as well as in a tunneling mode. Packet exchanges during IKE Phase 1 and Phase 2 are nothing about
the two modes.

FortiWAN Handbook
Fortinet Technologies Inc.

177

Summary of Contents for FortiWAN

Page 1: ...FortiWAN Handbook VERSION 4 2 1...

Page 2: ...ORT https support fortinet com FORTIGATE COOKBOOK http cookbook fortinet com FORTINET TRAINING SERVICES http www fortinet com training FORTIGUARD CENTER http www fortiguard com END USER LICENSE AGREEM...

Page 3: ...ual Stack 27 FortiWAN in HA High Availability Mode 27 Web UI and CLI Overview 31 Connecting to the Web UI and the CLI 32 Using the Web UI 35 Console Mode Commands 39 Configuring Network Interface Netw...

Page 4: ...Configuration File 110 Maintenance 112 Web UI Port 112 License Control 113 Load Balancing Fault Tolerance 115 WAN Link Fault Tolerance 115 Load Balancing Algorithms 115 Outbound Load Balancing and Fai...

Page 5: ...IPsec 229 Scenarios 230 Connection Limit 235 Cache Redirect 236 Internal DNS 238 DNS Proxy 241 SNMP 243 IP MAC Mapping 244 Statistics 245 Traffic 245 Bandwidth 245 Persistent Routing 246 WAN Link Hea...

Page 6: ...tclass 280 WAN 281 Services 282 Internal IP 283 Traffic Rate 284 Function Status 285 Connection Limit 285 Firewall 285 Virtual Server 286 Multihoming 286 Advanced Functions of Reports 287 Drill In 287...

Page 7: ...l Enable Cloud Web 2 0 Applications l Monitor Network Performance Increase Network Performance FortiWAN increases network performance in three key areas l Access to Internet resources from the Enterp...

Page 8: ...dware for increased reliability Larger FortiWAN models also feature redundant power supplies for further protection from hardware failures Enable Cloud Web 2 0 Applications Traditional WAN Optimizatio...

Page 9: ...om the FortiWAN internal to elsewhere external For example a request from the internal network to a HTTP server on the Internet means the first asking packet is outgoing to the external server which i...

Page 10: ...route for mission critical applications Non critical traffic can be routed away from the best links when prioritized traffic is present on the links or traffic can be assigned permanently to different...

Page 11: ...d failover mechanisms for incoming and outgoing traffic virtual servers and single session services l Topic Optional Services gives the information about configurations of FortiWAN s optional services...

Page 12: ...security level bandwidth aggregation and fault tolerance See Tunnel Routing l Basic subnet Supports DHCP Relay on every LAN port and DMZ port FortiWAN forwards the DHCP requests and responses between...

Page 13: ...g Synchronize Time in System Date Time via Web UI so that the hardware clock is kept in UTC l New models FortiWAN introduces two models FortiWAN VM02 and FortiWAN VM04 for deployment on VMware FortiWA...

Page 14: ...the physical ports where it comes from Correspondent VLAN ports redundant LAN ports redundant DMZ ports aggregated LAN ports and aggregated DMZ ports are the options for setting the field if they are...

Page 15: ...hanges l FortiWAN 1000B supports 3 GE RJ45 ports and 4 GE SFP ports Each port can be programmed as WAN LAN or DMZ Redundant LAN and DMZ ports can be configured 2 link LACP LAG LAN or DMZ ports can be...

Page 16: ...erate between different FortiWAN models l HDD FWN 200B adds an internal 500BG HDD for Reports data storage See below for more information on Reports l HA Configuration Synchronization Two FWN 200B app...

Page 17: ...nt and performing synchronization to slave unit after configurations are restored on master unit l The description of the account maintainer in Connecting to the Web UI and the CLI was removed l Conte...

Page 18: ...support to evaluate traffic by its Input Port l For the new CLI command arp and enhanced command resetconfig correspondent content was added and updated to Console Mode Commands l Content of Connectin...

Page 19: ...ing Setting and Tunnel Routing Benchmark FortiWAN 4 0 2 l A note about the restrictions on duplicate configurations of group tunnel was added in Tunnel Routing l Content was enhanced for Multihoming i...

Page 20: ...cially with multiple WAN links and various WAN type A plan of network topology before adding FortiWAN recklessly into current network would be suggested to avoid damages WAN LAN and DMZ Wide Area Netw...

Page 21: ...HA deployment See FortiWAN in HA High Availability Mode Connections have to correspond with the port types Except the HA port each port can be programmed as WAN LAN or DMZ via Web UI Moreover redunda...

Page 22: ...IP l Bridge Mode Multiple Static IP See Configurations for a WAN link in Bridge Mode Multiple Static IP l Bridge Mode PPPoE See Configurations for a WAN link in Brideg Mode PPPoE l Bridge Mode DHCP Cl...

Page 23: ...subnet in total but only 3 IP addresses you are allocated In this case the default gateway is located in ISP s network and your ATU R only transfers packets to the gateway In the other words you are a...

Page 24: ...ould not be controlled by FortiWAN FortiWAN defines a near WAN for a WAN link in different ways between routing mode and bridge mode l In routing mode the default gateway of a subnet deployed in WAN o...

Page 25: ...herefore one IP subnetwork can be deployed over the two segments and accessibility between WAN and DMZ is the action taken without NAT or routing Note public IP pass through is available when a WAN li...

Page 26: ...IP subnetwork See Public IP Pass through Subnet on Localhost Deploy the whole subnet on localhost For cases of obtaining an IP range bridge mode the IP addresses could be allocated to IP s on Localhos...

Page 27: ...re stored in Flash Memory so sudden loss of electricity will not damage the system But when the network must provide non stop service for mission critical applications the HA mode becomes a must With...

Page 28: ...mits 4 beeps and the Slave does 3 The status of the Slave is displayed under System Summary Peer Information on the master s Web UI Note that a slave s Web UI is not available Once the master is down...

Page 29: ...mpletes Once slave completes its update the master unit starts updating itself then while slave gets into reboot procedure The whole update procedure will complete after the two units recover from sys...

Page 30: ...ount Go to System Summary and double check and make sure the peer device is under normal condition See Summary 2 Turn the Master off if the Master is to be removed The Slave will take over the network...

Page 31: ...n 1 3 6 1 4 1 12356 118 1 2 Firmware version of the slave unit deployed with this local unit in HA mode fwnSysSlaveSerialNumber 1 3 6 1 4 1 12356 118 1 3 Serial number of the slave unit deployed with...

Page 32: ...e default LAN IP address below However the default subnet configured on LAN port might conflict with or be unreachable from your existing network especially for the deployments of FortiWAN VM If you w...

Page 33: ...net Explorer and select Internet Option on Tools menu Click the Connection tab LAN settings and open Local Area Network Settings dialog box then disable Proxy server 2 Default account admin has the Ad...

Page 34: ...orrespond to the subnet you would like to connect to For example type resetconfig 10 10 10 1 255 255 255 0 if 10 10 10 0 255 255 255 0 is the subnet connected to the LAN port Then IP address of LAN po...

Page 35: ...unctions l Current login account Display the account you login as and the IP address you login from l System Time Display the FortiWAN s system time l Current operating page Display the path Main cate...

Page 36: ...the advanced analysis and long term statistics of FortiWAN s system services and traffic they are Bandwidth CPU Session WAN Traffic WAN Reliability WAN Status TR Reliability TR Status In Class Out Cl...

Page 37: ...the rules are prioritized in descending order Click this button to add a new rule below the current rule Click this button to delete the rule Click this button to move the rule up a row Click this bu...

Page 38: ...AN DMZ ports defined in Network Setting VLAN and Port Mapping See Configurations for VLAN and Port Mapping are listed for options Port X Matches sessions coming from the specified normal port Port X V...

Page 39: ...mmands Before logging onto serial console via HyperTerminal please ensure the following settings are in place Bits per second 9600 Data bits 8 Parity None Stop bits 1 Flow control None See Connecting...

Page 40: ...sending ARP requests arping hostname link index Send an ARP request to ask the MAC address of an IP address and display the result hostname Specify the target IP address or domain name MAC address is...

Page 41: ...or cases where after the initial installation of FortiWAN machines or servers sitting in the DMZ are unable to be able to connect to the internet export Display configurations of NAT Multihoming and V...

Page 42: ...r page Service Nat Type abort in command prompt import to leave the prompt any time Please refer to the exported configurations displayed by command export or saved via Web UI See Configuration File i...

Page 43: ...Set DNS server for FortiWAN For more on ICMP related error messages please refer to other ICMP PING materials reactivate Reactivate the FortiWAN apparatus reactivate Reactivating the FortiWAN apparat...

Page 44: ...n appropriate IP address command resetconfig returns all the configurations to factory default but assigns LAN port with the specified IP address so that users can connect to Web UI via the LAN port w...

Page 45: ...ge 2 100 full Note Not all network devices support full 100M speed This command has no effect on fiber interface The port is the port number of the FortiWAN port interface exact number varies accordin...

Page 46: ...in base64 sslcert END CERTIFICATE Please enter the private key It should starts with BEGIN RSA PRIVATE KEY and end with END RSA PRIVATE KEY To abort please enter an empty line sslcert BEGIN RSA PRIVA...

Page 47: ...a WAN link if link is specified as wan The valid values are 1 2 3 etc Example traceroute www hinet net wan 1 showes the trace routes from WAN link1 to www hinet net Note If domain name is to be used...

Page 48: ...any registered public DNS server An user can configure the setting of DNS server on its own computer manually or automatically be allocated by DHCP This DNS server is also necessary to FortiWAN itself...

Page 49: ...rtiWAN itself to resolve unknown domains The max imum of three IPv4 addresses is allowed The DNS servers set here will be used in a top down order if the DNS request timed out IPv6 Domain Name Server...

Page 50: ...hich are specified as WAN ports and DMZ ports are automatically listed in the WAN Port and DMZ Port pull down menus for WAN Setting and WAN DMZ Private Subnet See Configuring your WAN and WAN DMZ Priv...

Page 51: ...no longer accept untagged VLAN packets Port 1 101 and port 1 102 on VLAN Switch are directly connected with WAN links Port 1 101 and Port 1 102 are listed in the WAN Port pull down menu for WAN Setti...

Page 52: ...t lacp_rate slow as default max_bonds 1 as default miimon 100 as recommended min_links 0 as default updelay 0 as default use_carrier 1 as default xmit_hash_policy layer2 as default Note that ports tha...

Page 53: ...Port 1 is set as WAN Port 2 and Port 3 as HA LAN port pair and Port 4 and 5 as HA DMZ port pair Each of the LAN DMZ pair is connected via a single switch switch 1 or switch 2 This will remove the chan...

Page 54: ...See WAN link and WAN port A configuration of WAN link is divided into three parts Basic Settings Basic Subnet and Static Routing Subnet Before starting configuration here are several important concept...

Page 55: ...a basic subnet FortiWAN functions for various network topologies which consists of connectivity of multiple subnets basic subnet Deployments of basic subnets varies for purposes but they can be simpl...

Page 56: ...es answering the DHCP clients with all the defined DNZ servers information Domain Name Suffix The domain name suffix that FortiWAN responds to the DHCP clients within the DHCP OFFER messages if the cl...

Page 57: ...CP relay agent acts the proxy receiving DHCP requests from hosts in the same subnet and resending them to the DHCP server located in another subnet The DHCP relay agent then delivers the DHCP messages...

Page 58: ...eld IP s on Localhost of a LAN subnet a subnet in DMZ or a subnet in WAN and DMZ then any of them could be took as the DHCP Relay Agent IP Next are the configurations of DHCP Relay on the LAN 1 LAN 2...

Page 59: ...must be a standalone server FortiWAN s DHCP function is not supported to work with DHCP Relay a port with DHCP being enabled can not cooperate with the ports that DHCP Relay is enabled on The central...

Page 60: ...Server 192 168 100 100 DHCP Relay Agent IP 192 168 10 254 Go to Service Tunnel Routing and define a Tunnel Group with the two tunnels below Local IP Remote IP 10 10 10 10 11 11 11 11 20 20 20 20 21 21...

Page 61: ...t Stateless Address Autoconfiguration SLAAC is a standard mechanism to equip hosts with IPv6 addresses and related routing information through the IPv6 router advertisements RA SLAAC has two propertie...

Page 62: ...x information to the hosts so that an IPv6 address can be determined with the Host ID on a host Depending on the subnet type it could be a global IPv6 subnet or a unique local IPv6 subnet DNS Search L...

Page 63: ...ss deployment system behaves answering the hosts with all the defined DNZ servers information DHCP Range The address pools that DHCPv6 server assigns and manages IPv6 addresses from Define the DHCP ra...

Page 64: ...IPv4 address of the default gateway This field is mandatory IPv6 Gateway The IPv6 address of the default gateway This field is optional Ignore it for IPv4 WAN links or configure it for IPv4 IPv6 dual...

Page 65: ...net in WAN and DMZ Next comes a few examples to further illustrate configurations in Basic Subnet and Static Routing Subnet Examples of Basic Subnets Basic Subnet Subnet in WAN This topology is freque...

Page 66: ...CP Range If any host in the subnet uses static IP address then in Static Mapping enter its IP and MAC address Similarly if ISP provides another LAN IPv6 subnet you can deploy it in DMZ The SLAAC and D...

Page 67: ...example except 203 69 118 10 203 69 118 9 and 203 69 118 11 203 69 118 12 the rest IP addresses of subnet 203 69 118 8 29 are assigned to DMZ for Public IP Pass through In this case IP addresses 203 6...

Page 68: ...an access Internet without setting NAT rules manually For FortiWAN V4 0 x system does not generate NAT default rules for IPv6 WAN links setting NAT rules manually is required See NAT Examples of Stati...

Page 69: ...rs packets to the gateway 203 69 118 9 to deliver them to subnet 139 3 1 8 255 255 255 248 Static Routing Subnet Subnet in DMZ This topology is similar with the one in last example Static Routing Subn...

Page 70: ...rough DMZ Transparent Mode l IPv6 IPv4 Dual Stack Configurations for a WAN link in Bridge Mode Multiple Static IP Bridge Mode Multiple Static IPs is used for a range of static IPv4 addresses of a C cl...

Page 71: ...en layer of a communications protocol can pass onwards It allows dividing the packet into pieces each small enough to pass over a single link IPv4 IP s on Localhost The IPv4 addresses that are deploye...

Page 72: ...ng between IPv6 Addresses and client IDs The SLAAC and DHCPv6 in FortiWAN are designed to work together which the SLAAC responses router advertisement including default gateway and DNS server to a hos...

Page 73: ...v6 subnet and a LAN IPv6 subnet You can deploy the LAN IPv6 subnet as a basic subnet in DMZ Although the deployment is under FortiWAN s Bridge Mode FortiWAN routes packets between WAN and DMZ for the...

Page 74: ...ost IP The IPv6 address that ISP provides See Scenarios to deploy subnets IP addresses specified here can be used for NAT to transfer the source IP address of packets to and will be used to generate t...

Page 75: ...as failed FortiWAN s Auto Routing and Multihoming See Outbound Load Balancing and Failover Auto Routing and Inbound Load Balancing and Failover Multi homing use the value while balancing traffic betw...

Page 76: ...or VLAN and Port Mapping Up Down Stream The WAN link s transfer speed at which you can upload download data to from the Internet e g 512Kbps Up Down Stream Threshold Specify upstream downstream Kbps t...

Page 77: ...in LAN port3 192 168 34 254 serves as gateway as well Enter the netmask 255 255 255 0 for the subnet in the field Netmask Select the LAN port Check the field in Enable DHCP to allocate IP address any...

Page 78: ...nfigurations here indicate how FortiWAN to route packets to subnet 192 168 99 x RIP FortiWAN supports the Routing Information Protocol RIP v1 v2 RIP employs hot count as the metric and uses timer broa...

Page 79: ...becomes DR Designated Router The value of the OSPF Router Priority can be a number between 0 and 255 Hello Interval Set the interval in seconds to instruct the router to send out OSPF keepalive packe...

Page 80: ...ox to enable When enabled the backup router will check whether the master is responding ARP on the specified WAN port See also l Scenarios to deploy subnets l VLAN and Port Mapping l Summary l RIP OSP...

Page 81: ...e unlisted in IP s on Localhost are all in WAN Basic Subnet Subnet in DMZ This topology is frequently found where cluster hosts in IPv4 private subnet are located on the DMZ In this example FortiWAN p...

Page 82: ...ng the subnet spreads across WAN port2 and DMZ port5 FortiWAN employs Proxy ARP to connet the whole subnet togther In this example more than one IP addresses are needed for FortiWAN in bridging These...

Page 83: ...t of the router Static Routing Subnet Subnet in DMZ In this topology in DMZ you create an IPv4 private subnet using one router its IP say 192 168 34 50 But the subnet its IP 192 168 99 0 24 does not c...

Page 84: ...as LAN port Please map FortiWAN s LAN port to the Port2 in System Network Setting VLAN and Port Mapping Note FortiWAN is treated as a normal PC when connecting to other networking equipments WAN conf...

Page 85: ...e WAN IP field 5 Select SMTP 25 in the Service field 6 Select Round Robin in the Algorithm field 7 Click to create a new server in Server Pool 8 Enter 192 168 1 1 in the Server IP field 9 Select SMTP...

Page 86: ...referring to router s user manual Note FortiWAN is viewed as a normal PC when connected to other network equipment Configuration Steps 1 Log onto the FortiWAN Web UI 2 Go to System Network Settings W...

Page 87: ...router Sample Configuration l Assume the private IP subnet 192 168 0 0 24 is between the WAN link router and FortiWAN WAN port l FortiWAN s port 1 IP 192 168 0 253 is connected to the WAN link router...

Page 88: ...ield enter 192 168 0 253 18 In the Netmask field enter 255 255 255 0 19 In the WAN Port field select Port 1 and the configuration is complete WAN Type Routing Mode Example 3 In this example both WAN l...

Page 89: ...8 1 254 18 In the Static Routing Subnet field use to add a new rule with the Subnet Type field as Subnet in DMZ 19 In the Network IP field enter 53 244 43 0 20 In the Netmask field enter 255 255 255 0...

Page 90: ...mber 1 3 6 1 4 1 12356 118 2 1 1 Maximum of WAN links that the system supports fwnWanTable 1 3 6 1 4 1 12356 118 2 1 2 This is a table containing one ele ment of object fwnWanEntry used to describe th...

Page 91: ...disability fwnWanInOctets 1 3 6 1 4 1 12356 118 2 1 2 1 5 Number 32bit unsigned integer of octets received on the interface RX of every WAN link during sys tem s uptime fwnWanOutOctets 1 3 6 1 4 1 12...

Page 92: ...ined on the sys tem fwnVlanTable 1 3 6 1 4 1 12356 118 2 2 2 This is a table containing one element of object fwnVlanEntry used to describe the properties and man agement information of every VLAN def...

Page 93: ...r of octets received on the interface RX of every VLAN during system s uptime fwnVlanOutOctets64 1 3 6 1 4 1 12356 118 2 2 2 1 6 Number 64bit unsigned integer of octets transmitted from the interface...

Page 94: ...model supports You can purchase a license for higher bandwidth capability from your Fortinet channel partner See subsection License Control in Administration For deployment of FortiWAN VM the Total R...

Page 95: ...mber of the slave Uptime The time the slave has been up and running State Normally this field displays Slave During the procedure of reboot this field displays Rebooting System panic happens this fiel...

Page 96: ...118 1 2 Firmware version of the slave unit deployed with this local unit in HA mode fwnSysSlaveSerialNumber 1 3 6 1 4 1 12356 118 1 3 Serial number of the slave unit deployed with this local unit in...

Page 97: ...se the transmission very inefficient l An ISP restricts the bandwidth for peering with other ISPs on the purpose of competition in business The peering becomes bottleneck to traffic being exchanged be...

Page 98: ...Static IP Table Uses static IP table only Dynamic Detect Uses dynamic detection only Static Dynamic Uses static detection first then switches over to dynamic detection after static detec tion has fai...

Page 99: ...lly it is set to auto detect by default which works properly in most cases Manual speed duplex mode configuration is still necessary in event that some old devices are either not supporting auto detec...

Page 100: ...kup lines l All fail when all lines defined in Main line are down l One fails when one of the lines defined in Main line is down l Inbound bandwidth usage reached when the inbound bandwidth consumptio...

Page 101: ...exceptions in an IP range or subnet that belongs to the IP group the action of not to belong makes the configuration easier than separating an IP range or sub net into several groups Service Grouping...

Page 102: ...intensive applications in both intranet and extranet Default Type Time segment unspecified in Rules below fall into this Default type either as idle or busy hours Rules Defines time segment The time...

Page 103: ...n up non TCP session tables in FortiWAN In FortiWAN protocols are managed with a session timer Old sessions may be continuously retried by users that they keep unexpired These old sessions are always...

Page 104: ...Pv6 Neighbor Discovery Enforcement When IPv6 Neighbor Discovery is enforced FortiWAN will send out a neighbor discovery packet to neighbor servers or network devices within the same network to request...

Page 105: ...e from optical Type list Any A AAAA CNAME DNAME HINFO MX NS PTR SOA SRV TXT and select a server from optical Server list Internal DNS Multihoming etc Click Nslookup to start the inquiring session and...

Page 106: ...server services Update downgrade section enables to update or downgrade firmwares once new firmwares are available from our website or dealers Simply click the Update Downgrade button and follow exact...

Page 107: ...added or modified an account Password Verification Confirm the new password Event notifications via SNMP trap You can receive notification via SNMP trap for any modification of the FortiWAN s account...

Page 108: ...correspondent attributes between BEGIN VENDOR Fortinet and END VENDOR Fortinet Construct user database on RADIUS server for authentication For example we have accounts Administrator 1234 and admin nul...

Page 109: ...o System Administration l Click on Update l Use Browse to select the path of the new firmware image l For High Availability HA deployment See FortiWAN in HA High Availability Mode check Update Slave t...

Page 110: ...on Configuration File for individual function Export and Import l Log on to FortiWAN as administrator On every single function page of Web UI click Export Configuration to back up the configuration in...

Page 111: ...ckup and restore configurations of service list in a file named service_ list txt l Click Import Configuration Export Configuration you may backup and restore configurations of Service Grouping saved...

Page 112: ...Web UI Port Type the port number in New Port and then click Setport Enter the new port number when you log in again into Web UI Additionally the new port shall avoid conflict with FortiWAN reserved po...

Page 113: ...14 shell 4045 Lockd 95 supdup 515 printer 6000 x11 101 hostriame 526 tempo 49152 FortiWAN reserved License Control License Control provides users with all the License Key configurations including Band...

Page 114: ...rtiWAN 200B 200 Mbps 400 Mbps 600 Mbps FortiWAN 1000B 1 Gbps 2 Gbps FortiWAN 3000B 3 Gbps 6 Gbps 9 Gbps Note Conditional bandwidth upgrade is provided for old models Please contact customer support to...

Page 115: ...essions are transferred via different WAN links according to algorithm but packets of a session are transferred via one WAN link All the routing policies except the fixed one will ONLY use working WAN...

Page 116: ...Considering the example that WAN1 is 1Mbps and WAN2 is 2Mbps and total traffic of the both WAN links is 0 5M Thus the traffic load of WAN1 and WAN2 are 0 5 and 0 25 the next session will be routed to...

Page 117: ...lly a combination of the multiple WAN links Auto routing is capable of adjusting the Virtual Trunk to include only the WAN links that are functioning normally and to direct outbound traffic through th...

Page 118: ...Each policy can be named accordingly and administrator can decide which WAN links to be used before adding in the filters table Filter FortiWAN will base on the filters table to manage the outbound tr...

Page 119: ...nd rout the out going traffic of VLANs by evaluate traffic against Input Port Source Established connections from specified source will be matched See Using the web UI Destination The connections to s...

Page 120: ...4k upstream 3 Route connections with algorithm Optimum Route 4 Route connections based on the current downstream traffic of WAN links 5 Route connections based on the total traffic of each WAN link Po...

Page 121: ...195 in DMZ to POP3 server on the internet will be routed by WAN1 512 512 If WAN 1 fails no action will be taken Note When WAN 1 fails connection to the external POP server will also fail Example 2 The...

Page 122: ...routed by WAN3 5 The connections from 211 21 48 196 to FTP 210 10 10 11 are routed by policy Round Robin1 2 3 6 The connections from 211 21 48 195 to any SMTP server on the internet are routed by poli...

Page 123: ...3 www IN A 192 136 1 243 All DNS requests to www example com will be sent to FortiWAN Multihoming will constantly measure the health conditions as well as the state of each WAN link and compute the op...

Page 124: ...exas edu about sales xtera com Suppose it is not in the cache of dns utexas edu The DNS server goes to a Root DNS server to find the DNS server for COM TLD The DNS server for COM TLD tells dns utexas...

Page 125: ...tion that adds data authentications and integrity to standard DNS To resist tampering with DNS responses DNSSEC introduces PKI Public Key Infrastructure to sign and authenticate DNS resource record se...

Page 126: ...resses specified on the Slave unit When the Master s Multihoming works properly the Slave s Multihoming will get into non active mode Unit that is in non active mode will not answer to any DNS request...

Page 127: ...ecord TTL Set DNS query response time TTL Time To Live Specifies the amount of time other DNS servers and applications are allowed to cache the record Zone Name Reverse domain name of a host For examp...

Page 128: ...of each WAN link It is available only when algorithm of By Weight is in use Domain Settings The table below configures Domain Settings multihoming domain names DNS servers names for querying domain an...

Page 129: ...rate multiple key pairs in batches from the configuration panel Generally one key pair is in Active state for using while the other key pairs are in Standby state for manually key rollover at the appr...

Page 130: ...the domain name For example if www1 abc com is the alias of www abc com domain name enter www1 in this field Target Enter the real domain name For example if www1 abc com is the alias of www abc com e...

Page 131: ...For example if domain name is mail abc com enter mail Priority Enter the priority of the mail servers The higher the priority is the lower the num ber is Mail Server Enter the IP address of the mail s...

Page 132: ...necessary to update the registrations on your parent domain with FortiWAN s localhost IP addresses so that a request for your domain can be delivered to FortiWAN and forwarded to the specified name se...

Page 133: ...ww abc com the prefix will be www When Options are Busy Idle and All Time Refer to System Date Time for more information Source IP Enter the IPv4 address that the DNS query comes from To Policy Select...

Page 134: ...168 0 100 HTTP 80 61 64 195 150 192 168 0 100 HTTP 80 This web server is bound to two WAN ports For more information see System Networking settings WAN Settings Multihoming settings in the example A...

Page 135: ...All Time Any Web 30 Note DNS server IP can be public IP and private IP Example 2 Configure virtual server before setting multihoming Its configuration looks like below in this example WAN IP Server IP...

Page 136: ...ddress Domainname com 30 Abc domainname com ns1 192 168 0 10 Name Server IPv4 Address ns1 192 168 0 10 Host Name When Source IP To Policy TTL mail All Time Any smtp 30 TTL Host Name Priority Mail Serv...

Page 137: ...unnel FortiWAN s Tunnel Routing sets up proprietary tunnels between symmetric FortiWAN sites local and remote with GRE Generic Routing Encapsulation protocol GRE Generic Routing Encapsulation Protocol...

Page 138: ...g rule is predefined for packets from 192 168 10 0 255 255 255 0 to 192 168 20 0 255 255 255 0 3 According the specified balancing algorithm determining a WAN link for transferring FWN A encapsulates...

Page 139: ...et while WLHD only detects the status of connections to Internet Therefore the two mechanisms might show different detection result For example the Web UI reports a WAN link is OK but a tunnel establi...

Page 140: ...supported for Tunnel Routing over IPSec Besides deployments of Tunnel Routing over IPSec is limited For more information about Tunnel Routing over IPSec please refer to IPSec About FortiWAN IPSec VPN...

Page 141: ...see the tables Default Rules Routing Rules and Persistent Rules Tunnel Routing works in symmetric FortiWAN sites when the unit we are talking about or configuring to is called local host or local site...

Page 142: ...lished with FWN A s WAN 1 and FWN B s WAN 1 and tunnel 2 is established with FWN A s WAN 2 and FWN B s WAN 2 A transmission via Tunnel Group 1 will be distributed over tunnel 1 and tunnel 2 Tunnel Gro...

Page 143: ...setting panel Group Name Assign a group name to the tunnel group Remote Host ID Enter the Host ID of the Remote unit the Tunnel Group connects to Algorithm l Round Robin Route the connections in every...

Page 144: ...ss please select Dynamic WANx for the configuration l Dynamic IP WAN link with NAT on local side If the WAN link of local FortiWAN you want to employ for the tunnel is configured with a dynamic IP add...

Page 145: ...ed to correspondent IPSec Phase 1 See IPSec Define routing policies for an IPSec VPN Weight The weight priority of the tunnel for the Round Robin balancing algorithm This field is dis played only if R...

Page 146: ...l Routing s tunnel healthy detection mechanism Therefore it is necessary to specify another way for the traffic Note that as long as one tunnel in a tunnel group remains connected Tunnel Routing keeps...

Page 147: ...the beck up tunnel group is also failed Note it takes the same action as NO ACTION if a tunnel group that is the same as what specified in field Group is selected as back up for fail over here Defaul...

Page 148: ...ated against Auto Routing s rules and transferred according to the Auto Routing policies Transmission gets failed if there is no rule matches Tunnel Group Name All the defined tunnel groups are listed...

Page 149: ...roup AB NO ACTION 192 168 1 10 192 168 2 11 Any Tunnel Group AB NO ACTION 192 168 1 10 192 168 2 12 Any Tunnel Group AB NO ACTION 192 168 1 11 192 168 2 10 Any Tunnel Group AB Auto Routing 192 168 1 1...

Page 150: ...s LAN or DMZ for a default rule It is necessary to re apply the configurations of Default Rule to trigger the negotiation and update the default rules if any change to LAN or DMZ networks setting Pers...

Page 151: ...hat is worse than others in a tunnel group Tunnel Routing s Benchmark works as Client Server mode Test traffic is sent from the client site to the server site via every single configured tunnel and th...

Page 152: ...t benchmark test to all the tunnels of the tunnel group Note that testing is per formed individually to every single tunnel in a top down order Test Click to start benchmark test to the specified tunn...

Page 153: ...tunnel See also Tunnel Routing How the Tunnel Routing Works Tunnel Routing Setting How to set up routing rules for Tunnel Routing Scenarios Scenarios Example 1 A company s headquarters and two branch...

Page 154: ...in 1 1 1 1 2 2 2 2 1 1 1 1 1 4 4 4 4 1 HQ Branch1 Backup B1 Round Robin 3 3 3 3 2 2 2 2 1 3 3 3 3 4 4 4 4 1 HQ Branch2 B2 Round Robin 1 1 1 1 6 6 6 6 1 3 3 3 3 8 8 8 8 1 HQ Branch2 Backup B2 Round Rob...

Page 155: ...1 Routing Rules Source Destination Service Group Fail Over 192 168 2 1 192168 2 10 192 168 1 1 192 168 1 10 Any Branch1 HQ No Action 2 2 2 22 1 1 1 11 Any Branch1 HQ AR The settings for the branch2 S...

Page 156: ...must correspond to each other or else tunnel routing will not perform its function For example if FortiWAN in Taipei has removed the values 2 2 2 2 to 3 3 3 3 in their routing rule settings then the...

Page 157: ...11 21 33 186 Dynamic IP at WAN1 1 Dynamic IP at WAN2 Dynamic IP at WAN2 1 Routing Rules Source Destination Service Group Fail Over 192 168 1 0 255 255 255 0 192 168 2 0 255 255 255 0 Any HQ Branch No...

Page 158: ...oversea Each office deploys a public line to access Internet Each branch office sets up an individual tunnel with the headquarters to access the corporate Intranet Requirements The LAN links in branch...

Page 159: ...oup Fail Over 192 168 1 0 255 255 255 0 192 168 2 0 255 255 255 0 Any HQ Branch2 No Action 192 168 2 0 255 255 255 0 192 168 1 0 255 255 255 0 Any HQ Branch1 No Action The settings for the branch1 Set...

Page 160: ...ion Example 4 Central Routing of Tunnel Routing A company operates two branch offices oversea Intranet is established throughout the three locations but the branch 1 does not have any public links to...

Page 161: ...e Remote Host ID Algorithm Tunnels Local IP Remote IP Weight HQ Branch1 Branch1 Round Robin 3 3 3 3 1 1 1 1 1 HQ Branch2 Branch2 Round Robin 3 3 3 3 2 2 2 2 1 Routing Rules Source Destination Service...

Page 162: ...Weight Branch1 HQ HQ Round Robin 1 1 1 1 3 3 3 3 1 Routing Rules Source Destination Service Group Fail Over Any Address WAN Any Branch1 HQ No Action The settings for the branch2 Set the field Local Ho...

Page 163: ...from the gateway machine Inbound traffic does not have to know where the real servers are or whether there are just one or many servers This method prevents direct access by users and therefore incre...

Page 164: ...er Status and Report Virtual Server IPv4 Virtual Server E Check the box to enable the rule When Options Busy hour Idle hour and All Time See Busyhour Settings WAN IP For external internet users the vi...

Page 165: ...to enable the rule When Options Busy hour Idle hour and All Time See Busyhour Settings WAN IP For external internet users the virtual server is presented as a public IP IPv6 on WAN port This WAN IP i...

Page 166: ...01 in LAN l Assign 211 21 48 195 and 211 21 33 189 to WAN 1 and WAN2 Forward all requests to 211 21 48 195 or 211 21 33 189 to two SMTP servers 192 168 0 200 and 192 168 0 201 in LAN l Forward all req...

Page 167: ...TTP 80 1 192 168 0 101 TCP 80 HTTP 80 1 211 21 48 194 FTP 21 192 168 0 200 ICMP FTP 21 1 192 168 0 201 TCP 21 FTP 21 1 211 21 33 186 FTP 21 192 168 0 200 ICMP FTP 21 1 192 168 0 201 TCP 21 FTP 21 1 21...

Page 168: ...ftp data l Enable external users to access WAN IP 211 21 33 186 and connect PcAnywhere to LAN hosts l Note PcAnywhere uses TCP port 5631 and UDP port 5632 Refer to PcAnywhere software manual for more...

Page 169: ...sts Picked out per Detection via a WAN link defined in WAN Link FortiWAN determines the WAN link alive if receiving response from at least one of those targets in a time period defined in Detection ti...

Page 170: ...TL Time to Live of the ping packet is determined by Hops and generally defined as 3 FortiWAN takes the TTL expired message as a legal response for a ICMP detection even the detection packet is not del...

Page 171: ...s As we know a private network deployment of private IP addresses is invisible closed to public network usually the Internet Two private networks in geographically different location can not directly...

Page 172: ...tions for Once these security parameters are shared securely between the two entities which is called a establishment of Security Association See the privacy and authentication of data transmission ar...

Page 173: ...twork FortiWAN B FortiWAN B receives the packets and performs l recover the encrypted packets by decapsulation l recover the original data and IP header by decryption l forward packets to host 192 168...

Page 174: ...ether someone or something is in fact who or what it is declared to be In authentication one has to prove its identity to the remote one and the identity will be verified by the remote one A typical p...

Page 175: ...city are so that guaranteed to the VPN communications by encryption and authentication Basically IKE Phase 1 authenticates a remote peer and sets up a secure channel for going forward Phase 2 negotiat...

Page 176: ...never sent by either gateway Actually it is involved in the generation of encryption secret key Message integrity A message authentication code MAC not only verifies identity but also provides integr...

Page 177: ...compromised With enabling PFS the calculation of secret keys involves a new Diffie Hellman exchange The private key material of Diffie Hellman exchange protects the session secret keys of IKE Phase 2...

Page 178: ...ly Usually Transport mode is applied to other tunneling protocols to provide protection of GRE L2TP encapsulated IP data packets GRE L2TP transmission over IPSec protection FortiWAN IPSec Transport mo...

Page 179: ...nels through different WAN ports WAN interfaces between two FortiWAN units but bandwidth aggregation and fault tolerance are not available for the IPSec VPN transmission It is unable to distribute the...

Page 180: ...dresses and NAT pass through in Tunnel Routing How the Tunnel Routing Works if it is protected by IPSec Type IPSec protection Tunneling Bandwidth Aggregation Fault Tolerance Peer device IPSec Tunnel m...

Page 181: ...s 3 3 3 3 participates in ISAKMP SA 2 and ISAKMP SA 3 more than one ISAKMP SA which causes failure to establish ISAKMP SA 2 and ISAKMP SA 3 IPSec connections thus can not be established The above exam...

Page 182: ...ent There are three IPs deployed on FortiWAN 2 s WAN link 2 See Configuring your WAN and each IP address participates in only one ISAKMP SA l ISAKMP SA 1 2 2 2 1 4 4 4 4 l ISAKMP SA 2 2 2 2 2 5 5 5 5...

Page 183: ...sses 3 3 3 3 and 8 8 8 8 participate in only ISAKMP SA 2 ISAKMP SA 3 failed For the two FortiWAN devices FortiWAN 1 and FortiWAN 2 the WAN link IP addresses 6 6 6 6 participates in not only ISAKMP SA...

Page 184: ...ses deployment You need to determine the participating private IP addresses the source and destination of traffic and make policies to permit traffic to pass through the VPN The VPN devices used to bu...

Page 185: ...IPSec VPN tunnel The IPSec VPN tunnel is established through connection of the two public IP addresses You need to determine the WAN link of a FortiWAN unit to connect with each other for an IPSec VP...

Page 186: ...d SAs would be removed once a disconnection is recognized by FortiWAN s IPSec DPD but FortiWAN would not automatically perform the reestablishment new establishment of the SAs is triggered only if an...

Page 187: ...However both the two filters are required to be incompatible with the others Phase 1 configurations moving up or moving down is nothing about rule first match Name A unique description name for the Ph...

Page 188: ...See Tunnel Routing l Additional routing policies are necessary for system to route the packets of IKE negotiations and IPSec VPN communications to the IP address WAN port you defined here See Define r...

Page 189: ...ion Select one of the following authentication algorithms l MD5 A MD5 based MAC algorithm hmac md5 with 128 bit message digest l SHA1 A SHA1 based MAC algorithm hmac sha1 with 160 bit message digest l...

Page 190: ...in Phase 1 two FortiWAN units handle the negotiations of encryption and authentication algorithms according to their IKE proposals The only thing that is different from Phase 1 is Perfect Forward Secr...

Page 191: ...ncryption authentication algorithms and DH groups to the multiple quick mode selectors if multiple security levels are necessary For IPSec Transport mode the Phase 2 configuration does not require a Q...

Page 192: ...Phase 2 negotiations This name can contain a piece of information used for simple management such as it can reflect where the correspondent remote unit is or what the purpose it is It is also the ind...

Page 193: ...key lifetime Select the encryption and authentication algorithms strength of DH key exchange and the key lifetime for the IKE phase 2 proposal that will be used in the IKE Phase 2 negotiations Make s...

Page 194: ...ption Standard a 64 bit block algorithm that uses a 56 bit key l 3DES Triple DES plain text is encrypted three times by three keys l AES128 A 128 bit block algorithm that uses a 128 bit key l AES192 A...

Page 195: ...28 bit message digest l SHA1 A SHA1 based MAC algorithm hmac sha1 with 160 bit message digest l SHA256 A SHA256 based MAC algorithm hmac sha256 with 256 bit message digest l SHA384 A SHA384 based MAC...

Page 196: ...n DH group actually which determines the strength of the private key material used in the Diffie Hellman key exchange process A higher group number implies a securer key against private key recover at...

Page 197: ...nsferred via the IPSec VPN tunnel l Destination the destination of a packet that is allowed to be transferred via the IPSec VPN tunnel It can be an IPv4 address or an IPv4 subnet behind the remote For...

Page 198: ...packets of IPSec VPN communications called ESP packets here An IKE packet comes from the local FortiWAN unit and its source IP address is just the configured Local IP a WAN port an ESP packet comes fr...

Page 199: ...te B IP s on Localhost 192 168 10 254 192 168 100 254 Netmask 255 255 255 0 255 255 255 0 LAN Port Port3 Port3 For the details of LAN private subnet setting see LAN Private Subnet Define Auto Routing...

Page 200: ...filter must be configured to Localhost to match the negotiation traffic and direct it to correct WAN link For IPSec communication packets Routing of packets that are going to be transferred through I...

Page 201: ...N and are evaluated with NAT rule before Phase 2 Quick Mode selector If the source address of a IPSec packet is translated to another by NAT the packet fails in matching the Quick Mode selector and th...

Page 202: ...10 10 10 and site B s WAN 1 20 20 20 20 The other parameters are not listed here Phase 2 Local endpoint Site A Remote endpoint Site B Name WAN1_WAN1_Phase2 WAN1_WAN1_Phase2 Quick Mode Source 192 168 1...

Page 203: ...port and remote WAN port With the IPSec SAs established on these TR tunnels GRE packets will be protected encrypted decrypted by correspondent SA when they pass through a TR tunnel the local and remot...

Page 204: ...ask 255 255 255 0 255 255 255 0 LAN Port Port3 Port3 For the details of LAN private subnet setting see LAN Private Subnet Define Auto Routing policies for IKE negotiation Our goal is two establish IPS...

Page 205: ...E 500 Any or IKE 500 Any or IKE 500 Routing Policy IPSec_WAN1 IPSec_WAN2 IPSec_WAN1 IPSec_WAN2 Fail Over Policy NO ACTION NO ACTION NO ACTION NO ACTION Tunnel Routing itself takes the responsibility t...

Page 206: ...tworks behind the two FortiWAN units Tunnel Routing controls the routing of them You need the configurations to set up the two TR tunnels and the policies to route GRE packets over the TR tunnels To e...

Page 207: ...e selector being equal to a TR routing rule or Tunnel Routing goes to failure For the details of Tunnel Routing see Tunnel Routing Procedures to set up a Tunnel Routing over IPSec Transport mode To se...

Page 208: ...Phase 1 Keylife 1200 Secs l Phase 2 Encryption DES l Phase 2 Authentication MD5 l Perfect Forward Secrecy PFS enable l Phase 2 DH Group 5 l Phase 2 Keylife 120 Secs Configurations on FortiWAN To set u...

Page 209: ...rk Setting LAN Private Subnet and create a LAN subnet configuration IP s on Localhost 2 2 2 254 Netmask 255 255 255 0 LAN Port Port3 For the details of LAN private subnet setting see LAN Private Subne...

Page 210: ...Auto Routing see Auto Routing NAT Go to Service NAT and create a NAT rule When All Time Source 2 2 2 0 255 255 255 0 Destination 1 1 1 0 255 255 255 0 Service Any Translated No NAT For the details of...

Page 211: ...VPN on the FortiWAN side configurations on the FortiGate side are introduced next For the details of IPSec parameters see IPSec VPN in the Web UI Configurations on FortiGate To set up the IPSec VPN co...

Page 212: ...ustom VPN Tunnel No Template and click Next to configure the settings as follows Network IP Version IPv4 Remote Gateway Static IP Address IP Address 10 12 102 42 Interface WAN1 Mode Config Disable NAT...

Page 213: ...1 0 255 255 255 0 Remote Address Subnet 2 2 2 0 255 255 255 0 Phase 2 Proposal Encryption DES Authentication MD5 Enable Replay Detection disable Enable Perfect Forward Secrecy PFS enable Diffie Hellm...

Page 214: ...Routes and click Create New to create two rules for WAN1 and the IPSec tunnel IPSec_to_FWN_P1 Destination IP Mask 0 0 0 0 0 0 0 0 2 2 2 0 255 255 255 0 Device wan1 IPSec_to_FWN_P1 Gateway 10 12 136 25...

Page 215: ...ee options available Busy hour Idle hour and All Time See Busyhour Settings Source Packets sent from specified source will be matched See Using the web UI Destination Packets sent to a specific destin...

Page 216: ...on the internet WAN through port 25 SMTP port 80 HTTP port 21 FTP and port 110 POP3 l All other packets are blocked The rules table for the example will look like this Source Destination Service Acti...

Page 217: ...ts the address of FortiWAN host machine l Users from LAN can access FTP server 192 168 10 1 through port 21 l Users from the internet cannot ping FortiWAN Note To intercept ping messages users can den...

Page 218: ...nal host starts the sessions An external host is unable to starts a session with an internal host via the typical NAT FortiWAN s 1 to 1 NAT gives the availability of two way transmission between an in...

Page 219: ...ll packets into an IP address localhost of the WAN link The second or third rule from the bottom ignores NAT to packets coming from subnets of the WAN link Those default rules are added as the bottom...

Page 220: ...ch specified how to translate source IP address of a out going packet into specified IP address of the WAN link Incoming packets from a external host can be accepted and forwarded to the correct inter...

Page 221: ...rom the source will be matched See Using the web UI Note The source IPv6 to be translated must be the IPv6 address assigned to the LAN or DMZ Destination The packets sent to the destination will be ma...

Page 222: ...the 1 to 1 NAT rule should be applied to See Using the web UI For a 1 to 1 NAT rule the amount of external IP address here must be the same as amount of internal IP address above Note External IP Add...

Page 223: ...sses for the same client during an authenticated and certified session PR ensures that the source IP address remains unchanged in the same session Timeout For every session pair of source and destinat...

Page 224: ...PR the matched connections will NOT be routed persistently L Check to enable logging Whenever the rule is matched system will record the event to log file Persistent routing is often used when destin...

Page 225: ...use persistent routing As there is no default action set by Web Service Rules if no rule is added all connections will be based on IP Pair Rules to determine whether to use persistent routing The pers...

Page 226: ...in inbound traffic and outbound traffic The section will mainly explain how to guarantee bandwidth based on priority settings and how to manage inbound and outbound traffic by configuring busy idle ho...

Page 227: ...defined in inbound and outbound filters passing through the WAN link will be shaped according to the bandwidth limitation below Busy Hour Set tings This is the bandwidth allocation on a WAN link duri...

Page 228: ...n and service Traffic matches the filter will be associated to the corresponding BM class so that the traffic is shaped according to the bandwidth allocation of the class The source and destination he...

Page 229: ...al services it is try to classify the traffic by its Source and Destination the Source and Destination of the Routing Rules of Tunnel Routing or the Source and Destination of the Quick Mode selectors...

Page 230: ...ed bandwidth on WAN1 is 20K and zero on WAN2 and WAN3 During the idle period the maximum bandwidth limited for 192 168 0 100 to download data from internet FTP servers is 50K on WAN1 200K on WAN2 and...

Page 231: ...rce Destination Service Classes WAN 211 21 48 197 SMTP 25 Mail Server WAN LAN HTTP 80 For LAN Zone WAN 192 168 0 100 FTP 21 For 192 168 0 100 WAN 211 21 48 198 FTP 21 FTP Server There are two possible...

Page 232: ...download data from internet FTP servers is 50K on WAN1 64K on WAN2 and WAN3 The guaranteed bandwidth on WAN1 is 20K and zero on WAN2 and WAN3 During the idle period the maximum bandwidth limited for...

Page 233: ...w during both busy and idle periods During the busy period the maximum bandwidth limited for internet users to download data from a virture FTP server 192 168 0 100 in LAN is 200K on WAN1 100K on WAN2...

Page 234: ...0 128 Low 0 256 Low WAN2 0 128 Low 0 256 Low WAN3 0 256 Low 0 512 Low Filter Settings Source Destination Service Classes 211 21 48 198 WAN FTP 21 FTP Server 211 21 48 197 WAN POP 110 Mail Server POP3...

Page 235: ...e Limit is aimed to restrict the number of connections built by one IP address every second The source of connection can be from any of the following options IP address IP Range Subnet WAN LAN DMZ Loc...

Page 236: ...ured here However cache servers have to support caching in transparent mode Note Cache Server can be in DMZ FortiWAN provides log mechanisms on events refer to the Connection Limit service see Log Cac...

Page 237: ...gging will be enabled Whenever the rule is matched the system will write the event to the log file Redirect rules can be established to match requests that will be redirected to the specific cache ser...

Page 238: ...l the set DNS servers are not available or the DNS server is not configured Internal DNS will ask the root domain name server for resolving the domain Allocate the Internal DNS to users in LAN and DMZ...

Page 239: ...subnet or predefined IPv4 group IPv6 Address Query IPv6 address It can be IPv6 single address range subnet or predefined IPv6 group NS Record Name Server Enter server name s prefix For example if a s...

Page 240: ...ce Target The hostname of the machine providing this service TTL TTL Time To Live specifies the amount of time that SRV Record is allowed to be cached MX Record Host Name Enter the prefix of the mail...

Page 241: ...ually deploy servers in several ISP networks and maintain DNS servers or appropriate settings on ISP s DNS for common domain in each of the ISP network Those DNS servers in different ISP networks answ...

Page 242: ...eam always routes the connection to the WAN link that has the lightest upstream traffic l By Total Traffic always route the connection to the WAN link that has the lightest total traffic WAN Select th...

Page 243: ...N s firewall See Firewall l Configure SNMP settings and Event Notification to FortiWAN unit SNMP agent configuration To configure SNMP settings go to Service SNMP Check the box Enable SNMP to enable S...

Page 244: ...le on the Fortinet Customer Service Support website https support fortinet com IP MAC Mapping Users can specify the IP MAC table by classifying periods like peak hours and idle hours Once the IP MAC t...

Page 245: ...flow direction inbound and outbound WAN Link The number of WAN links for inspection Automatic Refresh Time interval to refresh statistical table Traffic Class The name of the traffic class defined on...

Page 246: ...persistent routing data IPv4 IPv6 IP Pair IP Pair Entry Shows connection entries that match IP Pair Rules Source IP Source IP of the current persistent routing connection Destination IP Destination I...

Page 247: ...ng packet if Detection Protocol is ICMP or a TCP connection request if Detection Pro tocol is TCP Number of Replies The number of responses received so far from the Destination IP A reply indicates a...

Page 248: ...f the client s machine Client Hostname Shows the name of the client machine Expiration Time Shows the time period when the IP address is valid DHCPv6 Server Displays DHCPv6 server and range of IPv6 ad...

Page 249: ...the occupied memory then When system is under attacks with high volumes of malicious connections FortiWAN s Connection Limit See Connection Limit stops sub sequent connections established by the malic...

Page 250: ...nitor tunnel s working status and view its statistics in the last 3 Seconds 1 Minute etc Administrators can enable Automatic Refresh and choose a suitable time interval to refresh statistics automatic...

Page 251: ...ector Select the combination of Mode and Phase 1 here and then the statistics of related IPSec SAs are reported Mode Select the mode Tunnel mode or Transport mode of the security asso ciations that yo...

Page 252: ...and determined by system Status States of the IPSec SA l larval an IKE Phase 2 is in progress to establish an IPSec SA l mature the IPSec SA is established and still within validity l dying the IPSec...

Page 253: ...N s traffic statistics is associated with the operation of Bandwidth Management which implies traffic of Tunnel Routing and IPSec is partially transparent to the statistics function FortiWAN gives the...

Page 254: ...VPN devices and the GRE traffic generated by FortiWAN Tunnel Routing will be counted into service GRE in page Reports Bandwidth Usage Services which might be confusing Drilling it down by Internal IP...

Page 255: ...l traffic As for Reports Service statistics by service is displayed as follows l FTP 60MB l HTTP 80MB l GRE 60MB l Total 200MB All the tunnel traffic FTP and HTTP generated by user B is classified int...

Page 256: ...w has a sub menu of 13 log types see the table below Choose the desired log type and its corresponding events will show in display window Click the Refresh button to get the latest log records Please...

Page 257: ...Firewall FW IP 5 TUPLE ACTION ACCEPT DENY TOTLEN pktlen The first packet of session IP 5 TUPLE matching a Firewall rule triggers the log System generates only one log for this session This log indicat...

Page 258: ...log are generated in pairs Virtual Server VS IP 5 TUPLE NEW_DST ADDR TOTLEN pktlen The first packet of session IP 5 TUPLE matching a Virtual Server rule triggers the log System generates only one log...

Page 259: ...size of the session is pktlen See Cache Redirect for further information Multihoming MH FROM ip TYPE A AAAA WLINK widx REPLY ip An DNS response queried for A or AAAA records by Multihoming triggers t...

Page 260: ...icates destination MAC addresses MAC of the packets of IP 5 TUPLE and the MAC address defined in IP MAC table are mismatched and so that the packets are blocked See IP MAC Mapping for further informat...

Page 261: ...not be correspondent with each other IP INFO received INITIAL CONTACT IP received the request for negotiation from the peer ERROR phase1 negotiation failed due to time up A queued or retransmitted pha...

Page 262: ...l Failed to send test email to receiver UI setting l Settings are applied for page System page name l Settings are applied for page Service page name l Settings are applied for page Log page name l Un...

Page 263: ...del l Peer serial number changed from Serial Number to Serial Number l Peer state changed from State to State l Responded to Slave s Time Synchronization Request l Responded to Slave s Configuration S...

Page 264: ...a from FortiWAN to servers via FTP E mail and Syslog protocol for archiving and analysis Configure log push method one log type by another or use Copy Settings to All Other Log Types It copies and app...

Page 265: ...unt Password FTP user password Path FTP server path E Mail SMTP Server SMTP server for logging Account Authenticated account for mail server Password Authenticated password for mail server Mail From S...

Page 266: ...SSL Check to enable SMTP transfers over SSL Account Authenticated account for the mail server Password Authenticated password for the mail server Mail From Sender Mail To Receiver s Separate receivers...

Page 267: ...over and integer 2 indicates the falseness of HA takeover VRRP takeover Send notification when the local unit in VRRP deployment was took over by its backup unit Integer 1 indicates the truth of VRRP...

Page 268: ...isk Analysis and statistics are displayed via Web UI The Reports displays no data without enabling this Stand alone Reports Enable Reports UDP Enable it to push logs to specified stand alone Reports s...

Page 269: ...link the minimum and maximum traffic volume for a given specified day range the traffic volume and service conditions of a certain server during a specified day range Bandwidth Usage presents the ana...

Page 270: ...ere you can specify a single date or date range Click on the magnifier icon next to the date selector to start with date selection l Time between 00 00 to 23 59 of a selected date l Days from start to...

Page 271: ...current configuration and close the dialog window l Send Click to send the report email immediately All reports generated by FortiWAN can be exported as PDF or CSV format By clicking Export button on...

Page 272: ...h The bar chart aside the distribution displays the percentage of the traffic generated in the past five minutes The bandwidth capability denominator used to calculate the percentage is the sum of the...

Page 273: ...d 80 are the two waterlines used in the bar chart to alert administrators to the exceedance The bar is marked with green if the CPU usage is less than 50 with orange if it is between 50 an 80 and with...

Page 274: ...here reports the disk space usage so that an appropriate cleanup See Disk Space Control and Reports Database Tool can be took to low disk space Free space The available disk space Other used The disk...

Page 275: ...n of CPU usage of FortiWAN by the date range defined CPU usage is a measure of how much traffic is being managed or how much services the FortiWAN is required to do on that traffic Sustained usage nea...

Page 276: ...riods or dates if a date range is defined l Count Number of Sessions WAN Traffic The WAN Traffic report shows the traffic distribution of every FortiWAN s WAN link by the date range defined This repor...

Page 277: ...link is not enabled from FortiWAN Web UI Create a report for a specific day or over a range of dates See Create a Report Export reports and send reports through email See Export and Email Statistics T...

Page 278: ...t reports and send reports through email See Export and Email The various statuses are defined as below l OK TR link is enabled configured and connected physically l Fail TR link is enabled and config...

Page 279: ...ws to be listed on the report page can be defined in account settings The Statistics Table may be re sorted by Inbound Bytes Outbound Bytes or Total Bytes by selecting the appropriate column header Th...

Page 280: ...s shown by Out Class WAN Service Internal IP External IP Internal Group External Group and Traffic Rate Trend via the selected policy In Class l Out Class Out Classes that are associated with this In...

Page 281: ...t Class shown by In Class WAN Service Internal IP External IP Internal Group External Group and Traffic Rate Trend via the selected policy Out Class l In Class In Classes that are associated with this...

Page 282: ...affic is passed through this WAN link l Internal IP Any monitored internal IP addresses that traffic is passed through this WAN link l External IP Any monitored external IP addresses that traffic is p...

Page 283: ...ternal Group Any monitored external IP group set up under the Settings menu that the external IP addresses are associated with this Service l Traffic Rate bandwidth distribution generated by this Serv...

Page 284: ...Any monitored external IP group set up under the Settings menu that the external IP addresses are associated with this Internal IP address l Traffic Rate bandwidth distribution generated by this Inte...

Page 285: ...associated within this time period Function Status This report category is the function to monitor the status of FortiWAN s major functions for a long period Long term statistics of function status i...

Page 286: ...Table l Lists the Virtual Server IP Service and count of access sorted by the Server IP default l WAN IP the public IP address for external users to access the virtual server l WAN Service the service...

Page 287: ...itched by clicking on the same column header Advanced Functions of Reports Reports provides advanced functions beyond the basic reports to give an accurate analysis Drill In and Custom Filter are the...

Page 288: ...be further drilled in to query which WAN link of FortiWAN are utilizing this service by clicking the Drill In magnifier icon in the row of HTTPS TCP 443 listed in the table and select WAN query resul...

Page 289: ...in the table and select Internal IP query result is as shown below As indicated in the blue box shown in the figure above this page presents the data of Internal IP report that includes the traffic o...

Page 290: ...l see a summary of the query conditions used in the existing report highlighted in blue as shown in the image above making it clear for administrators to keep track of the query details Continuing the...

Page 291: ...Reports Reports The report presented by Traffic Rate using the same filter Internal Group Marketing Internal IP 10 12 98 98 and Service HTTP TCP 80 is illustrated as follows FortiWAN Handbook Fortinet...

Page 292: ...IP and External IP Usually administrators will need to check drilled in information for particular target regularly As discussed previously Drill in function can be used to obtain more report specifi...

Page 293: ...Predefined L4 and L3 protocols are available Entering a single or a range of port number is also allowed l Internal IP Enter the Internal IP address you want to query include or exclude in the input...

Page 294: ...r HTTPS TCP 443 and WAN2 in the Traffic Rate report and the corresponding query result will show the traffic statistics of service HTTPS TCP 443 and WAN2 by traffic rate as follows the block marked in...

Page 295: ...from their account profile Please refer to section of Customer Filters in Account Settings for more information Export All reports generated by Reports can be exported as PDF or CSV format By clicking...

Page 296: ...t emails The Email function is also available for custom filter reports and drill in reports No matter which report page you re at you can always click the Email button on that page to determine when...

Page 297: ...a increases storage consumption increases The Reports database tool DB tool is an application running on remote host to manage FortiWAN Reports database Note that the DB tool must be ran on a host tha...

Page 298: ...e License Agreement carefully Click the I Agree button to accept the agreement and begin the installation process Otherwise please click Cancel Step 5 Choose a destination folder for setup and click N...

Page 299: ...tep 6 Choose a Start Menu folder or check Do not create shortcuts to ignore it Click Install and then the installation process will begin Step 7 Click Finish to complete Reports DB Tool setup FortiWAN...

Page 300: ...abase tool please go to Start Programs FWN dbtool and DB Tool utility is available for selection DB Tool Tool to manage report data from the Reports database Fortinet Link to Fortinet web site Uninsta...

Page 301: ...fy the location of the Reports database it would be the IP address of FortiWAN Web UI DB Port Specify the port number that Reports database is listening Please use the default port 5432 Save Click to...

Page 302: ...e to back up the data by selecting a date from the drop down calendar Save to the directory Click Browse to select a location where the backup data should be saved Delete the data after exported Check...

Page 303: ...Advanced Functions of Reports Reports Restore Restore Click to select backup files to restore to database FortiWAN Handbook Fortinet Technologies Inc 303...

Page 304: ...specify the end date to delete the data Delete Click to start deleting data of selected dates Reports Settings The Settings here is used to simply manage the Reports on database disk space and the SMT...

Page 305: ...IP addresses shown in Reports by predefined notes An annotation icon will appear next to the IP address listed in a report page Users can read the content of the annotation through clicking the icon C...

Page 306: ...ec and 30 sec or Do not refresh the dashboard Email Server Individual reports See Report Email and system alerts See Disk Space Control can be sent to users via email It is necessary to configure the...

Page 307: ...ount Leave the field empty if you want disable the condition Send notification after purge data Click to enable notification via email after data purging Settings Email Server must be configured to en...

Page 308: ...of the chart displays the correspondent amount of space Free Space Display the amount of free disk space in MB and percentage Database Used Display the disk amount used by Reports database in MB and...

Page 309: ...instrator 1234 admin null Fortinet default The Web UI login port will be restored to the default port 443 FortiWAN also supports SSH logins The interface for SSH login is the same as the console with...

Page 310: ...2 168 0 1 l Netmask 255 255 255 0 l DHCP Server Disabled Port 5 DMZ Fields such as Domain Name Server VLAN and Port Mapping WAN DMZ Subnet Settings are all cleared Service Category Default Values l Fi...

Page 311: ...et disclaims all warranties whether express or implied except to the extent Fortinet enters a binding written contract signed by Fortinet s General Counsel with a purchaser that expressly warrants tha...

Reviews:

No comments

Brands by name

Popular brands

Load more brands