FortiGate-7000 v5.4.3 special features and limitations
- IPsec tunnels are not load-balanced across the FPMs; all IPsec tunnel sessions are sent to the primary FPM module.
- IPsec VPN dialup or dynamic tunnels require a flow rule that sends traffic destined for the IPsec dialup IP pools to the primary FPM module.
- In an HA configuration, IPsec SAs are not synchronized to the backup chassis. IPsec SAs are re-negotiated after a failover.
More about IPsec VPN routing limitations
For IPv4 traffic, FortiGate-7000s only recognize netmasks from 16 bits to 32 bits long (/16 through /32), and the mask must be contiguous. For example:
The following netmasks are supported:
- 12.34.0.0/24
- 12.34.0.0 255.255.0.0
- 12.34.56.0/21
- 12.34.56.0 255.255.248.0
- 12.34.56.78/32
- 12.34.56.78 255.255.255.255
- 12.34.56.78 (for single IP addresses, FortiOS automatically uses a 32-bit netmask)
The following netmasks are not supported:
- 12.34.0.0/15 (netmask is less than 16-bit)
- 12.34.0.0 255.254.0.0 (netmask is less than 16-bit)
- 12.34.56.1-12.34.56.100 (IP range is not supported)
- 12.34.56.78 255.255.220.0 (invalid netmask)
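The netmask rule above is easy to get wrong when copying address objects from another firewall, so a pre-check is useful before building flow rules or IPsec selectors. The following is an added example (not code from the Fortinet documentation or from FortiOS): a small Python validator that applies the page's rule to the notations the page shows (CIDR, dotted-decimal mask, bare IP, and an IP range). The function name classify_ipv4_address and the 16-bit/32-bit limits expressed as MIN_PREFIX and MAX_PREFIX are assumptions of this example; the sample entries are the ones listed on the page.

```python
import ipaddress
from typing import Tuple

# Limits stated on the page: IPv4 netmasks from /16 up to /32 (single IP) are
# recognized; shorter prefixes, non-contiguous masks and IP ranges are not.
MIN_PREFIX = 16
MAX_PREFIX = 32


def classify_ipv4_address(text: str) -> Tuple[bool, str]:
    """Return (supported, reason) for one address entry written as
    'a.b.c.d/len', 'a.b.c.d m.m.m.m', a bare 'a.b.c.d', or the range form
    'a.b.c.d-w.x.y.z'."""
    entry = text.strip()

    # An explicit range cannot be expressed as a single netmask at all.
    if "-" in entry:
        return False, "IP range is not supported"

    parts = entry.split()
    try:
        if len(parts) == 2:
            # (address, dotted netmask): ipaddress rejects non-contiguous masks
            # such as 255.255.220.0 with a NetmaskValueError (a ValueError).
            net = ipaddress.IPv4Network((parts[0], parts[1]), strict=False)
        elif len(parts) == 1:
            # CIDR notation, or a bare IP which ipaddress treats as /32
            net = ipaddress.IPv4Network(entry, strict=False)
        else:
            return False, "unrecognized notation"
    except ValueError as exc:
        return False, f"invalid netmask ({exc})"

    if net.prefixlen < MIN_PREFIX:
        return False, f"netmask /{net.prefixlen} is less than 16-bit"
    if net.prefixlen > MAX_PREFIX:  # cannot happen for IPv4, kept for clarity
        return False, f"netmask /{net.prefixlen} is longer than 32-bit"
    return True, f"/{net.prefixlen}"


def report(entries):
    """Print a supported/not-supported line for each entry; returns the
    number of entries that are NOT supported so callers can fail a check."""
    unsupported = 0
    for entry in entries:
        ok, reason = classify_ipv4_address(entry)
        unsupported += 0 if ok else 1
        print(f"{'OK ' if ok else 'NO '} {entry:32} {reason}")
    return unsupported


if __name__ == "__main__":
    # The example entries from the page, constructed here as sample input.
    SAMPLE_ENTRIES = [
        "12.34.0.0/24",
        "12.34.0.0 255.255.0.0",
        "12.34.56.0/21",
        "12.34.56.0 255.255.248.0",
        "12.34.56.78/32",
        "12.34.56.78 255.255.255.255",
        "12.34.56.78",
        "12.34.0.0/15",
        "12.34.0.0 255.254.0.0",
        "12.34.56.1-12.34.56.100",
        "12.34.56.78 255.255.220.0",
    ]
    report(SAMPLE_ENTRIES)
```

Run it over the address list you intend to use in IPsec phase 2 selectors or flow rules; a non-zero return from report() means at least one entry would not be recognized by the FortiGate-7000 and should be split into /16-or-longer subnets or individual /32 hosts.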
SSL VPN
Sending all SSL VPN sessions to the primary FPM module is recommended. You can do this by:
- Creating a flow rule that sends all sessions that use the SSL VPN destination port and IP address to the primary FPM module.
- Creating flow rules that send all sessions that use the SSL VPN IP pool addresses to the primary FPM module.
Authentication
This section lists FortiGate-7000 authentication limitations:
- Active authentication that requires a user to manually log into the FortiGate firewall can be problematic because the user may be prompted for credentials more than once as sessions are distributed to different FPM modules. You can avoid this by changing the load distribution method to src-ip.
- FSSO is supported. Each FPM independently queries the server for user credentials.
- RSSO is only supported after creating a load balance flow rule to broadcast RADIUS accounting messages to all FPM modules.
FortiGate-7000
Fortinet Technologies Inc.