FortiGate-7000 v5.4.5 special features and limitations
For monitoring purposes, IPMI over IP is supported on SMM Ethernet ports. See your FortiGate-7000 system guide for details.
FortiOS features that are not supported by FortiGate-7000 v5.4.5
The following mainstream FortiOS 5.4.5 features are not supported by the FortiGate-7000 v5.4.5:
• Hardware switch
• Switch controller
• WiFi controller
• WAN load balancing (SD-WAN)
• IPv4 over IPv6, IPv6 over IPv4, IPv6 over IPv6 features
• GRE tunneling is only supported after creating a load balance flow rule, for example:
    config load-balance flow-rule
        edit 0
            set status enable
            set vlan 0
            set ether-type ip
            set protocol gre
            set action forward
            set forward-slot master
            set priority 3
    end
• Hard disk features, including WAN optimization, web caching, explicit proxy content caching, disk logging, and GUI-based packet sniffing.
• Log messages should be sent only using the management aggregate interface.
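The GRE flow rule requirement listed above can be checked against a configuration backup. The following Python script is an added example, not Fortinet code: the sample backup text is constructed, the function names are hypothetical, and it assumes a rule counts as enabled only when "set status enable" appears explicitly.

```python
# Constructed sample backup text (not taken from a real device).
SAMPLE_CONFIG = """\
config load-balance flow-rule
    edit 1
        set status enable
        set vlan 0
        set ether-type ip
        set protocol gre
        set action forward
        set forward-slot master
        set priority 3
    next
    edit 2
        set status disable
        set protocol gre
        set action forward
        set forward-slot master
end
"""

def parse_flow_rules(text):
    """Return {rule_id: {setting: value}} from the load-balance flow-rule block."""
    rules, current, in_block = {}, None, False
    for raw in text.splitlines():
        line = raw.strip()
        if line == "config load-balance flow-rule":
            in_block = True
        elif not in_block:
            continue  # ignore every other config section
        elif line.startswith("edit "):
            current = rules.setdefault(line.split(None, 1)[1], {})
        elif line.startswith("set ") and current is not None:
            parts = line.split(None, 2)
            if len(parts) == 3:
                current[parts[1]] = parts[2].strip('"')
        elif line == "next":
            current = None
        elif line == "end":
            break  # "end" closes the entry being edited and the block
    return rules

def gre_forward_rules(rules):
    """IDs of enabled rules that forward GRE to the primary (master) FPM."""
    # Assumption: a missing "set status" line is treated as not enabled.
    wanted = {"status": "enable", "protocol": "gre", "action": "forward", "forward-slot": "master"}
    return [rid for rid, s in rules.items() if wanted.items() <= s.items()]

if __name__ == "__main__":
    print("GRE flow rules:", gre_forward_rules(parse_flow_rules(SAMPLE_CONFIG)) or "none found")
```
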
IPsec VPN tunnels terminated by the FortiGate-7000
This section lists FortiGate-7000 limitations for IPsec VPN tunnels terminated by the FortiGate-7000:
• Interface-based IPsec VPN is recommended.
• Policy-based IPsec VPN is supported, but requires creating flow rules for each Phase 2 selector.
• Dynamic routing and policy routing are not supported for IPsec interfaces.
• IPsec static routes do not consider distance, weight, or priority settings. IPsec static routes are always installed in the routing table, regardless of the tunnel state.
• IPsec tunnels are not load-balanced across the FPMs; all IPsec tunnel sessions are sent to the primary FPM module.
• IPsec VPN dialup or dynamic tunnels require a flow rule that sends traffic destined for IPsec dialup IP pools to the primary FPM module.
• In an HA configuration, IPsec SAs are not synchronized to the backup chassis. IPsec SAs are renegotiated after a failover.
FortiGate-7000
Fortinet Technologies Inc.