Fortinet FortiGate-7000 Скачать руководство пользователя страница 75

Страница: 75 / 87

SSL VPN

FortiGate-7000 v5.4.5 special features and limitations

SSL VPN

Sending all SSL VPN sessions to the primary FPM module is recommended. You can do this by:

Creating a flow rule that sends all sessions that use the SSL VPN destination port and IP address to the primary
FPM module.

Creating flow rules that send all sessions that use the SSL VPN IP pool addresses to the primary FPM module.

Traffic shaping and DDoS policies

Each FPM module applies traffic shaping and DDoS quotas independently. Because of load-balancing, this may
allow more traffic than expected.

Sniffer mode (one-arm sniffer)

One-arm sniffer mode is only supported after creating a load balance flow rule to direct sniffer traffic to a specific
FPM module.

FortiGuard Web Filtering

All FortiGuard rating queries are sent through management aggregate interface from the management VDOM
(named dmgmt-vdom).

Log messages include a slot field

An additional "slot" field has been added to log messages to identify the FPM module that generated the log.

FortiOS Carrier

You have to apply a FortiOS Carrier license separately to each FIM and FPM module to license a FortiGate-7000
chassis for FortiOS Carrier.

Special notice for new deployment connectivity testing

Only the primary FPM module can successfully ping external IP addresses. During a new deployment, while
performing connectivity testing from the Fortigate-7000, make sure to run

execute ping

tests from the

primary FPM module CLI.

FortiGate-7000

Fortinet Technologies Inc.

Содержание FortiGate-7000

Страница 1: ...FortiOS Handbook FortiGate 7000 VERSION 5 4 5 7000...

Страница 2: ...t FORTIGATE COOKBOOK http cookbook fortinet com FORTINET TRAINING SERVICES http www fortinet com training FORTIGUARD CENTER http www fortiguard com FORTICAST http forticast fortinet com END USER LICEN...

Страница 3: ...ortiGate 7040E 14 FortiGate 7040E front panel 14 FortiGate 7040E schematic 15 FortiGate 7030E 15 FortiGate 7030E front panel 16 FortiGate 7030E schematic 16 FIM 7901E interface module 18 FIM 7901E sch...

Страница 4: ...to an FIM module 41 Uploading firmware from a TFTP server to an FPM module 43 Operating a FortiGate 7000 45 Failover in a standalone FortiGate 7000 45 Replacing a failed FPM or FIM module 45 Replacin...

Страница 5: ...e 7000 72 Default management VDOM 72 Firewall 72 IP Multicast 72 High Availability 73 Shelf Manager Module 73 FortiOS features that are not supported by FortiGate 7000 v5 4 5 74 IPsec VPN tunnels term...

Страница 6: ...addr ipv4 src addr ipv6 dst addr ipv6 ip address netmask 83 protocol any icmp tcp udp igmp sctp gre esp ah ospf pim vrrp 83 src l4port dst l4port start end 83 action forward mirror ingress mirror egr...

Страница 7: ...section Recommended configuration for traffic that cannot be load balanced on page 37 Additional changes and fixes throughout the document November 7 2017 Changes to Installing firmware on an FIM or...

Страница 8: ...eat traffic 408386 The M1 and M2 interfaces can be configured to use different VLANs for HA heartbeat traffic The following command now configures the VLAN used by the M1 interface default 999 config...

Страница 9: ...face v0020 set peertype any set psksecret password end Configure the phase 2 to support dialup IPsec VPN set the destination subnet to 0 0 0 0 0 0 0 0 config vpn ipsec phase2 interface edit dialup ser...

Страница 10: ...sksecret password end config vpn ipsec phase2 interface edit to fgt7k set phase1name to fgt7k set src subnet 4 2 6 0 255 255 255 0 set dst subnet 4 2 0 0 255 255 0 0 next edit to fgt7k 2 set phase1nam...

Страница 11: ...ule or FIM to view the status of the FortiGate 7000 and make configuration changes The FortiOS firmware running on each module has the same configuration and when you make configuration changes to the...

Страница 12: ...ong the chassis slots FortiGate 7060E front panel The chassis is managed by two redundant management modules Each module includes an Ethernet connection as well as two switchable console ports that pr...

Страница 13: ...0x20 and the inactive management module always has the IPMB address 0x22 The active management module communicates with all modules in the chassis over the base backplane Each module including the man...

Страница 14: ...kplane designed by Fortinet The fabric backplane provides network data communication and the base backplane provides management and synch communication among the chassis slots FortiGate 7040E front pa...

Страница 15: ...ommunication between modules FIM1 and FIM2 IPMB addresses 0x82 and 0x84 are the FIM modules in slots 1 and 2 The interfaces of these modules connect the chassis to data networks and can be used for Et...

Страница 16: ...ard configuration of the FortiGate 7030E includes one FIM interface module in chassis slot 1 and two FPM processing modules in chassis slots 3 and 4 The front panel also includes a sealed blank panel...

Страница 17: ...communication for management and heartbeat communication between modules FIM1 IPMB address 0x82 is the FIM module in slot 1 The interfaces of this module connect the chassis to data networks and can b...

Страница 18: ...ces can also be configured to operate as Gigabit Ethernet interfaces using SFP transceivers These interfaces also support creating link aggregation groups LAGs that can include interfaces from both FI...

Страница 19: ...button l NMI switch for troubleshooting as recommended by Fortinet Support l Mounting hardware l LED status indicators FIM 7901E schematic The FIM 7901E includes an integrated switch fabric ISF that...

Страница 20: ...erfaces B1 to B8 These interfaces are connected to 40Gbps networks to distribute sessions to the FPM processor modules installed in chassis slots 3 and up Using 40GBASE SR10 multimode QSFP transceiver...

Страница 21: ...rfaces at the same time according to your requirements to avoid traffic disruption For example to split the B1 interface of the FIM 7904E in slot 1 this interface is named 1 B1 and the B1 and B4 inter...

Страница 22: ...The FIM 7910E includes an integrated switch fabric and DP2 processors to load balance millions of data sessions over the chassis fabric backplane to FPM processor modules The FIM 7910E can be installe...

Страница 23: ...nnel for fabric backplane communication with the other FIM 7910E in the chassis l One 1Gbps base backplane channel for base backplane communication with the other FIM 7910E in the chassis l On board D...

Страница 24: ...wappable module that provides data management and session sync heartbeat interfaces base backplane switching and fabric backplane session aware load balancing for a FortiGate 7000 series chassis The F...

Страница 25: ...be on different broadcast domains If M1 and M2 are connected to the same switch Q in Q must be enabled on the switch l Four 10 100 1000BASE T out of band management Ethernet interfaces MGMT1 to MGMT4...

Страница 26: ...command Splitting the interfaces requires a system reboot so Fortinet recommends that you split multiple interfaces at the same time according to your requirements to avoid traffic disruption For exam...

Страница 27: ...esses sessions using a dual CPU configuration accelerates network traffic processing with 4 NP6 processors and accelerates content processing with 8 CP9 processors The NP6 network processors are conne...

Страница 28: ...ocessors combined with the FIM module integrated switch fabric ISF provide hardware acceleration by offloading load balancing from the FPM 7620E CPUs The result is enhanced network performance provide...

Страница 29: ...FPM 7620E processing module FIM 7904E interface module FPM 7620E hardware architecture 29 FortiGate 7000 Fortinet Technologies Inc...

Страница 30: ...512 96 128 192 256 with RFC1321 and FIPS180 l HMAC in accordance with RFC2104 2403 2404 and FIPS198 l ESN mode l GCM support for NSA Suite B RFC6379 RFC6460 including GCM 128 256 GMAC 128 256 l Key E...

Страница 31: ...T1 to MGMT4 interfaces of both interface modules have been added to a static 802 3 aggregate interface called mgmt with a default IP address of 192 168 1 99 LACP is not supported for the mgmt aggregat...

Страница 32: ...ocessed by a specific processor module You can connect to the GUI or CLI of individual modules in the chassis using the system management IP address with a special port number For example if the syste...

Страница 33: ...modem you log into Logging into different modules allows you to use FortiView or Monitor GUI pages to view the activity on that module Even though you can log into different modules you should only ma...

Страница 34: ...d cause a conflict that module is skipped If one of the console ports is disconnected then the other console port can connect to any CLI If you connect a PC to one of the management module console por...

Страница 35: ...s be the management VDOM You should also not add or remove interfaces from this VDOM You have full control over the configurations of other FortiGate 7000 VDOMs Firmware upgrades All of the modules in...

Страница 36: ...ipsport dport traffic load is distributed across all slots according to the source and destination IP address source port and destination port This is the default load balance distribution method and...

Страница 37: ...ules are recommended to handle common forms of traffic that cannot be load balanced These flow rules send GPRS port 2123 SSL VPN IPv4 and IPv6 IPsec VPN ICMP and ICMPv6 traffic to the primary or maste...

Страница 38: ...ipv4 ike natt dst next edit 25 set status enable set ether type ipv4 set protocol esp set comment ipv4 esp next edit 26 set status enable set ether type ipv6 set protocol udp set src l4port 500 500 se...

Страница 39: ...oved If an FPM module fails sessions being processed by that module fail All sessions are then load balanced to the remaining FPM modules Sessions that were being processed by the failed module are re...

Страница 40: ...any module CLI If this does not solve the problem contact Fortinet support Replacing a failed module in a FortiGate 7000 chassis in an HA cluster 1 Power down the failed module by pressing the front...

Страница 41: ...for upgrading FIM modules and one for upgrading FPM modules The two procedures are very similar but a few details most notably the local VLAN ID setting are different If you need to update both FIM an...

Страница 42: ...ddress The IP address of the TFTP server F Set firmware image file name The name of the firmware file to be installed 12 Press Q to quit this menu 13 Press R to review the configuration If you need to...

Страница 43: ...e 3 Connect the console cable supplied with your chassis to the Console 1 port on your chassis front panel and to your management computer s RS 232 console port 4 Start a terminal emulation program on...

Страница 44: ...starts up the module s configuration is reset to factory defaults The module s configuration is synchronized to match the configuration of the primary module The new module reboots again and can star...

Страница 45: ...ing on if you are operating in HA mode with two chassis or just operating a standalone chassis Replacing a failed module in a standalone FortiGate 7000 chassis 1 Power down the failed module by pressi...

Страница 46: ...tem ha set mode a p set chassis id 1 set hbdev m1 m2 set hbdev vlan id 999 set hbdev second vlan id 990 end 7 Optionally configure the hostname config system global set hostname name end The HA config...

Страница 47: ...ng any traffic If you are operating an HA configuration you should remove the chassis from the HA configuration before performing this procedure 1 Set up a TFTP server and copy the firmware file to be...

Страница 48: ...5 priority 2 slot_id 1 2 idx 0 flag 0x0 in_sync 1 FIM10E3E16000063 Master uptime 177415 38 priority 1 slot_id 1 1 idx 1 flag 0x0 in_sync 1 If in_sync is not equal to 1 or if a module is missing in the...

Страница 49: ...d port The name of the FIM module that can connect to the TFTP server FIM01 is the FIM module in slot 1 and FIM02 is the FIM module in slot 2 D Set DHCP mode Disabled I Set local IP address A temporar...

Страница 50: ...tatus of the FIM modules in a FortiGate 7000 chassis The field in_sync 1 indicates that the configurations of the modules are synchronized diagnose sys confsync status grep in_sy FIM04E3E16000080 Slav...

Страница 51: ...configuring and from which users connect to the destination subnet Configuring the source subnet is optional but recommended dst subnet is the destination subnet behind the remote IPsec VPN endpoint...

Страница 52: ...ds to create firewall addresses for each subnet config firewall address edit local_subnet_1 set subnet 4 2 1 0 255 255 255 0 next edit local_subnet_2 set subnet 4 2 2 0 255 255 255 0 next edit remote_...

Страница 53: ...s how to setup a dialup IPsec VPN configuration where the FortiGate 7000 acts as a dialup IPsec VPN server To configure the FortiGate 7000 as a dialup IPsec VPN server Configure the phase1 set type to...

Страница 54: ...t 4 2 0 0 255 255 0 0 next edit to fgt7k 2 set phase1name to fgt7k set src subnet 4 2 7 0 255 255 255 0 set dst subnet 4 2 0 0 255 255 0 0 end Troubleshooting Use the following commands to verify that...

Страница 55: ...oxyid_num 1 child_num 0 refcnt 8581 ilast 0 olast 0 auto discovery 0 ike_asssit_last_sent 4318202512 stat rxp 142020528 txp 147843214 rxb 16537003048 txb 11392723577 dpd mode on demand on 1 idle 20000...

Страница 56: ...e entry 5 checksum 27 AE 00 EA 10 8D 22 0C D6 48 AB 2E 7E 83 9D 24 vd 3 p1 to fgt2 p2 to fgt2 subnet 4 2 3 0 mask 255 255 255 0 enable 1 vd 3 p1 to fgt2 p2 to fgt2 subnet 4 2 4 0 mask 255 255 255 0 en...

Страница 57: ...ting information and so on is synchronized to the backup chassis If the primary chassis fails traffic automatically fails over to the backup chassis The primary chassis is selected based on a number o...

Страница 58: ...c5 50 f1 e6 8e all c0 68 d2 67 e1 23 d9 3a 10 50 45 c5 50 f1 e6 8e all c0 68 d2 67 e1 23 d9 3a 10 50 45 c5 50 f1 e6 8e all c0 68 d2 67 e1 23 d9 3a 10 50 45 c5 50 f1 e6 8e If the modules are synchroniz...

Страница 59: ...It is also recommended that these switches be dedicated to HA heartbeat communication and not used for other traffic If you use the same switch for both M1 and M2 separate the M1 and M2 traffic on the...

Страница 60: ...rtiGate 7030E except that each FortiGate 7030E only has one FIM interface module Each FIM interface module has to be configured for HA separately The HA configuration is not synchronized among FIMs Yo...

Страница 61: ...I command to view the status of the cluster You can enter this command from any module s CLI The HA members can be in a different order depending on the module CLI from which you enter the command If...

Страница 62: ...al_priority 3 usr_priority 128 usr_override 0 state worker_failure 0 2 lag total good down bad score 5 5 0 0 intf_state port up 0 force state 1 force to slave traffic bandwidth score 100 mgmt link 1 h...

Страница 63: ...nagement IP address is 1 1 1 1 you can browse to https 1 1 1 1 44323 to connect to the FPM module in chassis 2 slot 3 The special port number in this case 44323 is a combination of the service port ch...

Страница 64: ...and resynchronize Then all traffic fails over to the backup chassis which becomes the new primary chassis Then the modules in the new backup chassis upgrade their firmware and rejoin the cluster Unles...

Страница 65: ...w TCP or UDP session is added to the primary FortiGate 7000 session table that session is synchronized to the backup FortiGate 7000 This synchronization happens as quickly as possible to keep the sess...

Страница 66: ...on the criteria shown below After the cluster selects the primary the other chassis becomes the backup Negotiation and primary chassis selection also takes place if the one of the criteria for select...

Страница 67: ...Primary unit selection and failover criteria High Availability 67 FortiGate 7000 Fortinet Technologies Inc...

Страница 68: ...wever during operation if one of the chassis goes down the other will have a much higher uptime and will be selected as the primary chassis before priorty and serial number are tested Verifying primar...

Страница 69: ...live local_interface 2 M2 last_hb_time 0 00 status dead Chassis K FIM01E3E16000086 Master priority 0 uptime 2203 30 slot 1 chassis 1 1 slot 1 chassis_uptime 2203 30 state worker_failure 1 2 lag total...

Страница 70: ...ver tolerance result in the default link and module failure behavior You can change these settings if you want to modify this behavior For example if you want a failover to occur if an FPM module fail...

Страница 71: ...ig system ha set priority number end The default priority is 128 The chassis with the highest total FIM module HA priority becomes the primary chassis Override and primary chassis selection Enabling o...

Страница 72: ...OM named dmgmt vdom For the FortiGate 7000 system to operate normally you should not change the configuration of this VDOM and this VDOM should always be the management VDOM You should also not add or...

Страница 73: ...broadcast domains Using a single switch for both M1 and M2 heartbeat traffic is possible if the switch supports q in q tunneling In this case use different VLANs for M1 traffic and M2 traffic to keep...

Страница 74: ...hing disk logging and GUI based packet sniffing l Log messages should be sent only using the management aggregate interface IPsec VPN tunnels terminated by the FortiGate 7000 This section lists FortiG...

Страница 75: ...ating a load balance flow rule to direct sniffer traffic to a specific FPM module FortiGuard Web Filtering All FortiGuard rating queries are sent through management aggregate interface from the manage...

Страница 76: ...FortiGate 7000 v5 4 5 special features and limitations Special notice for new deployment connectivity testing FortiGate 7000 Fortinet Technologies Inc 76...

Страница 77: ...m For the FortiGate 7000 system to operate normally you should not change the configuration of this VDOM and this VDOM should always be the management VDOM You should also not add or remove interfaces...

Страница 78: ...Gate 7000 v5 4 3 requires two switches The first switch to connect all M1 ports together The second second switch to connect all M2 ports together This is because the same VLAN is used for both M1 and...

Страница 79: ...fter creating a load balance flow rule for example config load balance flow rule edit 0 set status enable set vlan 0 set ether type ip set protocol gre set action forward set forward slot master set p...

Страница 80: ...6 bit l 12 34 0 0 255 254 0 0 netmask is less than 16 bit l 12 34 56 1 12 34 56 100 ip range is not supported l 12 34 56 78 255 255 220 0 invalid netmask SSL VPN Sending all SSL VPN sessions to the pr...

Страница 81: ...t VDOM named dmgmt vdom Log messages include a slot field An additional slot field has been added to log messages to identify the FPM module that generated the log FortiOS Carrier FortiOS Carrier is s...

Страница 82: ...match both traffic directions forward and reverse One common use of this command is to control how traffic that is not load balanced is handled For example use the following command to send all GRE tr...

Страница 83: ...be matched The default of 0 0 0 0 0 0 0 0 matches all traffic protocol any icmp tcp udp igmp sctp gre esp ah ospf pim vrrp If ether type is set to ip ipv4 or ipv6 specify the protocol of the IP or IPv...

Страница 84: ...fic to a specific FPM module FPM3 is the FPM module in slot 3 FPM4 is the FPM module in slot for And so on priority number Set the priority of the flow rule in the range 1 highest priority to 10 lowes...

Страница 85: ...dport src dst ip sport dport Set the method used to distribute sessions among workers Usually you would only need to change the method if you had specific requirements or you found that the default me...

Страница 86: ...ce setting The weight range is 1 to 10 5 is average 1 is 80 of average and 10 is 100 of average The weights take effect if weighted loadbalance is enabled config workers edit 3 set status enable set w...

Страница 87: ...inet enters a binding written contract signed by Fortinet s General Counsel with a purchaser that expressly warrants that the identified product will perform according to certain expressly identified...

Результаты поиска

Содержание FortiGate-7000

Отзывы:

Похожие инструкции для FortiGate-7000

Бренды по названию

Популярные бренды

Fortinet FortiGate-7000, Руководство пользователя

Результаты поиска

Содержание FortiGate-7000

Отзывы:

Похожие инструкции для FortiGate-7000

Бренды по названию

Популярные бренды