manualshive.com logo in svg

Fortinet FortiWAN, Руководство пользователя

Поделиться
Скачать
Fortinet FortiWAN Скачать руководство пользователя страница 175

IPSec VPN Concepts

IPSec

Security Association

To support secure communications (data encryption and authentication) between two VPN gateways, the common
security attributes must be shared in advance, which are the cryptographic and authentication algorithms, encryption
secret key and other necessary parameters. A common set of the security attributes maintained by two IPSec VPN
gateways for an IPSec VPN tunnel is what called Security Association (SA), which is used to provide a secure channel
and protect the communications between the two site networks. Each of the two IPSec VPN gateways
encrypts/decrypts data according to the established Security Association. The process to establish a Security
Association involves sharing and negotiation of the security attributes.

IKE key exchange

Internet Key Exchange (IKE) is the protocol used to establish a Security Association (SA), which is included in the
IPSec protocol suite. The purposes of IKE are to

l

Negotiate an encrypt algorithm and an authentication algorithm

l

Generate a shared secret key to encrypt/decrypt IPSec VPN communications (data transmission).

Both are used by IPSec VPN to provide secure communications between two endpoints.

IKE consists of two phases, Phase 1 and Phase 2. The purpose of IKE Phase 1 is to establish a secure and
authenticated channel, which is actually a Security Association (called ISAKMP SA as well), between two entities for
further IKE Phase 2 negotiations. With the protection of ISAKMP SA, Phase 2 will then be performed to establish the
final Security Association (called IPSec SA as well) used to protect the VPN communications (data transmission)
between two sites. In other words, before users' VPN communication starts (data packet being transferred to each
other), the correspondent IKE Phase 1 and Phase 2 must be done to establish the SAs between the two VPN
gateways. With the established SA between two VPN gateways, privacy and authenticity are so that guaranteed to the
VPN communications (by encryption and authentication). Basically, IKE Phase 1 authenticates a remote peer and sets
up a secure channel for going forward Phase 2 negotiations to establish the IPSec SA.

IKE Phase 1

Before we talk about the details of IKE Phase 1, let us have an overview on Phase 1's Identity Verification
(Authentication). The endpoint who begins the IKE Phase1 negotiation makes a declaration of who it is to the opposite
endpoint, and the opposite endpoint verifies the identity. FortiWAN's IPSec employs a

pre-shared key

to achieve the

identity verification. The pre-shared key is a common key (similar to a password) pre-shared between the two entities
who join in the Phase 1 negotiations. This pre-shared key is used for verification of the declared identity in a
cryptographic system (MAC calculation of the identity). This mechanism is on the premise that the pre-shared key is
never compromised to the third-party. Although it looks like a password, the pre-shared key, also known as a shared
secret, is never sent by either endpoint during the processes of authentication. Actually, the pre-shared key is involved
in the calculations of encryption keys, which is actually used for the authentication, at each endpoint.Unmatched pre-
shared keys result in unmatched encryption keys, and indirectly cause the authentication in IKE Phase 1 failed.

Now back to the IKE Phase 1. Phase 1 achieves the following objectives to establish ISAKMP Security Association:

IKE Proposals negotiation

An IKE proposal is a set of necessary parameters for negotiations to establish a Security Association. The negotiation
initiator offers opposite endpoint the proposals of the suggested encryption and authentication algorithms, the time-
period that keys should remain active, and the strength of the keys used in Diffie-Hellman key exchange process. The
opposite endpoint chooses an appropriate proposal and responds it to the initiator, so that the algorithms and other
parameters used to protect data transmission between two endpoints are determined.

FortiWAN Handbook
Fortinet Technologies Inc.

175

Содержание FortiWAN

Страница 1: ...FortiWAN Handbook VERSION 4 2 1...

Страница 2: ...ORT https support fortinet com FORTIGATE COOKBOOK http cookbook fortinet com FORTINET TRAINING SERVICES http www fortinet com training FORTIGUARD CENTER http www fortiguard com END USER LICENSE AGREEM...

Страница 3: ...ual Stack 27 FortiWAN in HA High Availability Mode 27 Web UI and CLI Overview 31 Connecting to the Web UI and the CLI 32 Using the Web UI 35 Console Mode Commands 39 Configuring Network Interface Netw...

Страница 4: ...Configuration File 110 Maintenance 112 Web UI Port 112 License Control 113 Load Balancing Fault Tolerance 115 WAN Link Fault Tolerance 115 Load Balancing Algorithms 115 Outbound Load Balancing and Fai...

Страница 5: ...IPsec 229 Scenarios 230 Connection Limit 235 Cache Redirect 236 Internal DNS 238 DNS Proxy 241 SNMP 243 IP MAC Mapping 244 Statistics 245 Traffic 245 Bandwidth 245 Persistent Routing 246 WAN Link Hea...

Страница 6: ...tclass 280 WAN 281 Services 282 Internal IP 283 Traffic Rate 284 Function Status 285 Connection Limit 285 Firewall 285 Virtual Server 286 Multihoming 286 Advanced Functions of Reports 287 Drill In 287...

Страница 7: ...l Enable Cloud Web 2 0 Applications l Monitor Network Performance Increase Network Performance FortiWAN increases network performance in three key areas l Access to Internet resources from the Enterp...

Страница 8: ...dware for increased reliability Larger FortiWAN models also feature redundant power supplies for further protection from hardware failures Enable Cloud Web 2 0 Applications Traditional WAN Optimizatio...

Страница 9: ...om the FortiWAN internal to elsewhere external For example a request from the internal network to a HTTP server on the Internet means the first asking packet is outgoing to the external server which i...

Страница 10: ...route for mission critical applications Non critical traffic can be routed away from the best links when prioritized traffic is present on the links or traffic can be assigned permanently to different...

Страница 11: ...d failover mechanisms for incoming and outgoing traffic virtual servers and single session services l Topic Optional Services gives the information about configurations of FortiWAN s optional services...

Страница 12: ...security level bandwidth aggregation and fault tolerance See Tunnel Routing l Basic subnet Supports DHCP Relay on every LAN port and DMZ port FortiWAN forwards the DHCP requests and responses between...

Страница 13: ...g Synchronize Time in System Date Time via Web UI so that the hardware clock is kept in UTC l New models FortiWAN introduces two models FortiWAN VM02 and FortiWAN VM04 for deployment on VMware FortiWA...

Страница 14: ...the physical ports where it comes from Correspondent VLAN ports redundant LAN ports redundant DMZ ports aggregated LAN ports and aggregated DMZ ports are the options for setting the field if they are...

Страница 15: ...hanges l FortiWAN 1000B supports 3 GE RJ45 ports and 4 GE SFP ports Each port can be programmed as WAN LAN or DMZ Redundant LAN and DMZ ports can be configured 2 link LACP LAG LAN or DMZ ports can be...

Страница 16: ...erate between different FortiWAN models l HDD FWN 200B adds an internal 500BG HDD for Reports data storage See below for more information on Reports l HA Configuration Synchronization Two FWN 200B app...

Страница 17: ...nt and performing synchronization to slave unit after configurations are restored on master unit l The description of the account maintainer in Connecting to the Web UI and the CLI was removed l Conte...

Страница 18: ...support to evaluate traffic by its Input Port l For the new CLI command arp and enhanced command resetconfig correspondent content was added and updated to Console Mode Commands l Content of Connectin...

Страница 19: ...ing Setting and Tunnel Routing Benchmark FortiWAN 4 0 2 l A note about the restrictions on duplicate configurations of group tunnel was added in Tunnel Routing l Content was enhanced for Multihoming i...

Страница 20: ...cially with multiple WAN links and various WAN type A plan of network topology before adding FortiWAN recklessly into current network would be suggested to avoid damages WAN LAN and DMZ Wide Area Netw...

Страница 21: ...HA deployment See FortiWAN in HA High Availability Mode Connections have to correspond with the port types Except the HA port each port can be programmed as WAN LAN or DMZ via Web UI Moreover redunda...

Страница 22: ...IP l Bridge Mode Multiple Static IP See Configurations for a WAN link in Bridge Mode Multiple Static IP l Bridge Mode PPPoE See Configurations for a WAN link in Brideg Mode PPPoE l Bridge Mode DHCP Cl...

Страница 23: ...subnet in total but only 3 IP addresses you are allocated In this case the default gateway is located in ISP s network and your ATU R only transfers packets to the gateway In the other words you are a...

Страница 24: ...ould not be controlled by FortiWAN FortiWAN defines a near WAN for a WAN link in different ways between routing mode and bridge mode l In routing mode the default gateway of a subnet deployed in WAN o...

Страница 25: ...herefore one IP subnetwork can be deployed over the two segments and accessibility between WAN and DMZ is the action taken without NAT or routing Note public IP pass through is available when a WAN li...

Страница 26: ...IP subnetwork See Public IP Pass through Subnet on Localhost Deploy the whole subnet on localhost For cases of obtaining an IP range bridge mode the IP addresses could be allocated to IP s on Localhos...

Страница 27: ...re stored in Flash Memory so sudden loss of electricity will not damage the system But when the network must provide non stop service for mission critical applications the HA mode becomes a must With...

Страница 28: ...mits 4 beeps and the Slave does 3 The status of the Slave is displayed under System Summary Peer Information on the master s Web UI Note that a slave s Web UI is not available Once the master is down...

Страница 29: ...mpletes Once slave completes its update the master unit starts updating itself then while slave gets into reboot procedure The whole update procedure will complete after the two units recover from sys...

Страница 30: ...ount Go to System Summary and double check and make sure the peer device is under normal condition See Summary 2 Turn the Master off if the Master is to be removed The Slave will take over the network...

Страница 31: ...n 1 3 6 1 4 1 12356 118 1 2 Firmware version of the slave unit deployed with this local unit in HA mode fwnSysSlaveSerialNumber 1 3 6 1 4 1 12356 118 1 3 Serial number of the slave unit deployed with...

Страница 32: ...e default LAN IP address below However the default subnet configured on LAN port might conflict with or be unreachable from your existing network especially for the deployments of FortiWAN VM If you w...

Страница 33: ...net Explorer and select Internet Option on Tools menu Click the Connection tab LAN settings and open Local Area Network Settings dialog box then disable Proxy server 2 Default account admin has the Ad...

Страница 34: ...orrespond to the subnet you would like to connect to For example type resetconfig 10 10 10 1 255 255 255 0 if 10 10 10 0 255 255 255 0 is the subnet connected to the LAN port Then IP address of LAN po...

Страница 35: ...unctions l Current login account Display the account you login as and the IP address you login from l System Time Display the FortiWAN s system time l Current operating page Display the path Main cate...

Страница 36: ...the advanced analysis and long term statistics of FortiWAN s system services and traffic they are Bandwidth CPU Session WAN Traffic WAN Reliability WAN Status TR Reliability TR Status In Class Out Cl...

Страница 37: ...the rules are prioritized in descending order Click this button to add a new rule below the current rule Click this button to delete the rule Click this button to move the rule up a row Click this bu...

Страница 38: ...AN DMZ ports defined in Network Setting VLAN and Port Mapping See Configurations for VLAN and Port Mapping are listed for options Port X Matches sessions coming from the specified normal port Port X V...

Страница 39: ...mmands Before logging onto serial console via HyperTerminal please ensure the following settings are in place Bits per second 9600 Data bits 8 Parity None Stop bits 1 Flow control None See Connecting...

Страница 40: ...sending ARP requests arping hostname link index Send an ARP request to ask the MAC address of an IP address and display the result hostname Specify the target IP address or domain name MAC address is...

Страница 41: ...or cases where after the initial installation of FortiWAN machines or servers sitting in the DMZ are unable to be able to connect to the internet export Display configurations of NAT Multihoming and V...

Страница 42: ...r page Service Nat Type abort in command prompt import to leave the prompt any time Please refer to the exported configurations displayed by command export or saved via Web UI See Configuration File i...

Страница 43: ...Set DNS server for FortiWAN For more on ICMP related error messages please refer to other ICMP PING materials reactivate Reactivate the FortiWAN apparatus reactivate Reactivating the FortiWAN apparat...

Страница 44: ...n appropriate IP address command resetconfig returns all the configurations to factory default but assigns LAN port with the specified IP address so that users can connect to Web UI via the LAN port w...

Страница 45: ...ge 2 100 full Note Not all network devices support full 100M speed This command has no effect on fiber interface The port is the port number of the FortiWAN port interface exact number varies accordin...

Страница 46: ...in base64 sslcert END CERTIFICATE Please enter the private key It should starts with BEGIN RSA PRIVATE KEY and end with END RSA PRIVATE KEY To abort please enter an empty line sslcert BEGIN RSA PRIVA...

Страница 47: ...a WAN link if link is specified as wan The valid values are 1 2 3 etc Example traceroute www hinet net wan 1 showes the trace routes from WAN link1 to www hinet net Note If domain name is to be used...

Страница 48: ...any registered public DNS server An user can configure the setting of DNS server on its own computer manually or automatically be allocated by DHCP This DNS server is also necessary to FortiWAN itself...

Страница 49: ...rtiWAN itself to resolve unknown domains The max imum of three IPv4 addresses is allowed The DNS servers set here will be used in a top down order if the DNS request timed out IPv6 Domain Name Server...

Страница 50: ...hich are specified as WAN ports and DMZ ports are automatically listed in the WAN Port and DMZ Port pull down menus for WAN Setting and WAN DMZ Private Subnet See Configuring your WAN and WAN DMZ Priv...

Страница 51: ...no longer accept untagged VLAN packets Port 1 101 and port 1 102 on VLAN Switch are directly connected with WAN links Port 1 101 and Port 1 102 are listed in the WAN Port pull down menu for WAN Setti...

Страница 52: ...t lacp_rate slow as default max_bonds 1 as default miimon 100 as recommended min_links 0 as default updelay 0 as default use_carrier 1 as default xmit_hash_policy layer2 as default Note that ports tha...

Страница 53: ...Port 1 is set as WAN Port 2 and Port 3 as HA LAN port pair and Port 4 and 5 as HA DMZ port pair Each of the LAN DMZ pair is connected via a single switch switch 1 or switch 2 This will remove the chan...

Страница 54: ...See WAN link and WAN port A configuration of WAN link is divided into three parts Basic Settings Basic Subnet and Static Routing Subnet Before starting configuration here are several important concept...

Страница 55: ...a basic subnet FortiWAN functions for various network topologies which consists of connectivity of multiple subnets basic subnet Deployments of basic subnets varies for purposes but they can be simpl...

Страница 56: ...es answering the DHCP clients with all the defined DNZ servers information Domain Name Suffix The domain name suffix that FortiWAN responds to the DHCP clients within the DHCP OFFER messages if the cl...

Страница 57: ...CP relay agent acts the proxy receiving DHCP requests from hosts in the same subnet and resending them to the DHCP server located in another subnet The DHCP relay agent then delivers the DHCP messages...

Страница 58: ...eld IP s on Localhost of a LAN subnet a subnet in DMZ or a subnet in WAN and DMZ then any of them could be took as the DHCP Relay Agent IP Next are the configurations of DHCP Relay on the LAN 1 LAN 2...

Страница 59: ...must be a standalone server FortiWAN s DHCP function is not supported to work with DHCP Relay a port with DHCP being enabled can not cooperate with the ports that DHCP Relay is enabled on The central...

Страница 60: ...Server 192 168 100 100 DHCP Relay Agent IP 192 168 10 254 Go to Service Tunnel Routing and define a Tunnel Group with the two tunnels below Local IP Remote IP 10 10 10 10 11 11 11 11 20 20 20 20 21 21...

Страница 61: ...t Stateless Address Autoconfiguration SLAAC is a standard mechanism to equip hosts with IPv6 addresses and related routing information through the IPv6 router advertisements RA SLAAC has two propertie...

Страница 62: ...x information to the hosts so that an IPv6 address can be determined with the Host ID on a host Depending on the subnet type it could be a global IPv6 subnet or a unique local IPv6 subnet DNS Search L...

Страница 63: ...ss deployment system behaves answering the hosts with all the defined DNZ servers information DHCP Range The address pools that DHCPv6 server assigns and manages IPv6 addresses from Define the DHCP ra...

Страница 64: ...IPv4 address of the default gateway This field is mandatory IPv6 Gateway The IPv6 address of the default gateway This field is optional Ignore it for IPv4 WAN links or configure it for IPv4 IPv6 dual...

Страница 65: ...net in WAN and DMZ Next comes a few examples to further illustrate configurations in Basic Subnet and Static Routing Subnet Examples of Basic Subnets Basic Subnet Subnet in WAN This topology is freque...

Страница 66: ...CP Range If any host in the subnet uses static IP address then in Static Mapping enter its IP and MAC address Similarly if ISP provides another LAN IPv6 subnet you can deploy it in DMZ The SLAAC and D...

Страница 67: ...example except 203 69 118 10 203 69 118 9 and 203 69 118 11 203 69 118 12 the rest IP addresses of subnet 203 69 118 8 29 are assigned to DMZ for Public IP Pass through In this case IP addresses 203 6...

Страница 68: ...an access Internet without setting NAT rules manually For FortiWAN V4 0 x system does not generate NAT default rules for IPv6 WAN links setting NAT rules manually is required See NAT Examples of Stati...

Страница 69: ...rs packets to the gateway 203 69 118 9 to deliver them to subnet 139 3 1 8 255 255 255 248 Static Routing Subnet Subnet in DMZ This topology is similar with the one in last example Static Routing Subn...

Страница 70: ...rough DMZ Transparent Mode l IPv6 IPv4 Dual Stack Configurations for a WAN link in Bridge Mode Multiple Static IP Bridge Mode Multiple Static IPs is used for a range of static IPv4 addresses of a C cl...

Страница 71: ...en layer of a communications protocol can pass onwards It allows dividing the packet into pieces each small enough to pass over a single link IPv4 IP s on Localhost The IPv4 addresses that are deploye...

Страница 72: ...ng between IPv6 Addresses and client IDs The SLAAC and DHCPv6 in FortiWAN are designed to work together which the SLAAC responses router advertisement including default gateway and DNS server to a hos...

Страница 73: ...v6 subnet and a LAN IPv6 subnet You can deploy the LAN IPv6 subnet as a basic subnet in DMZ Although the deployment is under FortiWAN s Bridge Mode FortiWAN routes packets between WAN and DMZ for the...

Страница 74: ...ost IP The IPv6 address that ISP provides See Scenarios to deploy subnets IP addresses specified here can be used for NAT to transfer the source IP address of packets to and will be used to generate t...

Страница 75: ...as failed FortiWAN s Auto Routing and Multihoming See Outbound Load Balancing and Failover Auto Routing and Inbound Load Balancing and Failover Multi homing use the value while balancing traffic betw...

Страница 76: ...or VLAN and Port Mapping Up Down Stream The WAN link s transfer speed at which you can upload download data to from the Internet e g 512Kbps Up Down Stream Threshold Specify upstream downstream Kbps t...

Страница 77: ...in LAN port3 192 168 34 254 serves as gateway as well Enter the netmask 255 255 255 0 for the subnet in the field Netmask Select the LAN port Check the field in Enable DHCP to allocate IP address any...

Страница 78: ...nfigurations here indicate how FortiWAN to route packets to subnet 192 168 99 x RIP FortiWAN supports the Routing Information Protocol RIP v1 v2 RIP employs hot count as the metric and uses timer broa...

Страница 79: ...becomes DR Designated Router The value of the OSPF Router Priority can be a number between 0 and 255 Hello Interval Set the interval in seconds to instruct the router to send out OSPF keepalive packe...

Страница 80: ...ox to enable When enabled the backup router will check whether the master is responding ARP on the specified WAN port See also l Scenarios to deploy subnets l VLAN and Port Mapping l Summary l RIP OSP...

Страница 81: ...e unlisted in IP s on Localhost are all in WAN Basic Subnet Subnet in DMZ This topology is frequently found where cluster hosts in IPv4 private subnet are located on the DMZ In this example FortiWAN p...

Страница 82: ...ng the subnet spreads across WAN port2 and DMZ port5 FortiWAN employs Proxy ARP to connet the whole subnet togther In this example more than one IP addresses are needed for FortiWAN in bridging These...

Страница 83: ...t of the router Static Routing Subnet Subnet in DMZ In this topology in DMZ you create an IPv4 private subnet using one router its IP say 192 168 34 50 But the subnet its IP 192 168 99 0 24 does not c...

Страница 84: ...as LAN port Please map FortiWAN s LAN port to the Port2 in System Network Setting VLAN and Port Mapping Note FortiWAN is treated as a normal PC when connecting to other networking equipments WAN conf...

Страница 85: ...e WAN IP field 5 Select SMTP 25 in the Service field 6 Select Round Robin in the Algorithm field 7 Click to create a new server in Server Pool 8 Enter 192 168 1 1 in the Server IP field 9 Select SMTP...

Страница 86: ...referring to router s user manual Note FortiWAN is viewed as a normal PC when connected to other network equipment Configuration Steps 1 Log onto the FortiWAN Web UI 2 Go to System Network Settings W...

Страница 87: ...router Sample Configuration l Assume the private IP subnet 192 168 0 0 24 is between the WAN link router and FortiWAN WAN port l FortiWAN s port 1 IP 192 168 0 253 is connected to the WAN link router...

Страница 88: ...ield enter 192 168 0 253 18 In the Netmask field enter 255 255 255 0 19 In the WAN Port field select Port 1 and the configuration is complete WAN Type Routing Mode Example 3 In this example both WAN l...

Страница 89: ...8 1 254 18 In the Static Routing Subnet field use to add a new rule with the Subnet Type field as Subnet in DMZ 19 In the Network IP field enter 53 244 43 0 20 In the Netmask field enter 255 255 255 0...

Страница 90: ...mber 1 3 6 1 4 1 12356 118 2 1 1 Maximum of WAN links that the system supports fwnWanTable 1 3 6 1 4 1 12356 118 2 1 2 This is a table containing one ele ment of object fwnWanEntry used to describe th...

Страница 91: ...disability fwnWanInOctets 1 3 6 1 4 1 12356 118 2 1 2 1 5 Number 32bit unsigned integer of octets received on the interface RX of every WAN link during sys tem s uptime fwnWanOutOctets 1 3 6 1 4 1 12...

Страница 92: ...ined on the sys tem fwnVlanTable 1 3 6 1 4 1 12356 118 2 2 2 This is a table containing one element of object fwnVlanEntry used to describe the properties and man agement information of every VLAN def...

Страница 93: ...r of octets received on the interface RX of every VLAN during system s uptime fwnVlanOutOctets64 1 3 6 1 4 1 12356 118 2 2 2 1 6 Number 64bit unsigned integer of octets transmitted from the interface...

Страница 94: ...model supports You can purchase a license for higher bandwidth capability from your Fortinet channel partner See subsection License Control in Administration For deployment of FortiWAN VM the Total R...

Страница 95: ...mber of the slave Uptime The time the slave has been up and running State Normally this field displays Slave During the procedure of reboot this field displays Rebooting System panic happens this fiel...

Страница 96: ...118 1 2 Firmware version of the slave unit deployed with this local unit in HA mode fwnSysSlaveSerialNumber 1 3 6 1 4 1 12356 118 1 3 Serial number of the slave unit deployed with this local unit in...

Страница 97: ...se the transmission very inefficient l An ISP restricts the bandwidth for peering with other ISPs on the purpose of competition in business The peering becomes bottleneck to traffic being exchanged be...

Страница 98: ...Static IP Table Uses static IP table only Dynamic Detect Uses dynamic detection only Static Dynamic Uses static detection first then switches over to dynamic detection after static detec tion has fai...

Страница 99: ...lly it is set to auto detect by default which works properly in most cases Manual speed duplex mode configuration is still necessary in event that some old devices are either not supporting auto detec...

Страница 100: ...kup lines l All fail when all lines defined in Main line are down l One fails when one of the lines defined in Main line is down l Inbound bandwidth usage reached when the inbound bandwidth consumptio...

Страница 101: ...exceptions in an IP range or subnet that belongs to the IP group the action of not to belong makes the configuration easier than separating an IP range or sub net into several groups Service Grouping...

Страница 102: ...intensive applications in both intranet and extranet Default Type Time segment unspecified in Rules below fall into this Default type either as idle or busy hours Rules Defines time segment The time...

Страница 103: ...n up non TCP session tables in FortiWAN In FortiWAN protocols are managed with a session timer Old sessions may be continuously retried by users that they keep unexpired These old sessions are always...

Страница 104: ...Pv6 Neighbor Discovery Enforcement When IPv6 Neighbor Discovery is enforced FortiWAN will send out a neighbor discovery packet to neighbor servers or network devices within the same network to request...

Страница 105: ...e from optical Type list Any A AAAA CNAME DNAME HINFO MX NS PTR SOA SRV TXT and select a server from optical Server list Internal DNS Multihoming etc Click Nslookup to start the inquiring session and...

Страница 106: ...server services Update downgrade section enables to update or downgrade firmwares once new firmwares are available from our website or dealers Simply click the Update Downgrade button and follow exact...

Страница 107: ...added or modified an account Password Verification Confirm the new password Event notifications via SNMP trap You can receive notification via SNMP trap for any modification of the FortiWAN s account...

Страница 108: ...correspondent attributes between BEGIN VENDOR Fortinet and END VENDOR Fortinet Construct user database on RADIUS server for authentication For example we have accounts Administrator 1234 and admin nul...

Страница 109: ...o System Administration l Click on Update l Use Browse to select the path of the new firmware image l For High Availability HA deployment See FortiWAN in HA High Availability Mode check Update Slave t...

Страница 110: ...on Configuration File for individual function Export and Import l Log on to FortiWAN as administrator On every single function page of Web UI click Export Configuration to back up the configuration in...

Страница 111: ...ckup and restore configurations of service list in a file named service_ list txt l Click Import Configuration Export Configuration you may backup and restore configurations of Service Grouping saved...

Страница 112: ...Web UI Port Type the port number in New Port and then click Setport Enter the new port number when you log in again into Web UI Additionally the new port shall avoid conflict with FortiWAN reserved po...

Страница 113: ...14 shell 4045 Lockd 95 supdup 515 printer 6000 x11 101 hostriame 526 tempo 49152 FortiWAN reserved License Control License Control provides users with all the License Key configurations including Band...

Страница 114: ...rtiWAN 200B 200 Mbps 400 Mbps 600 Mbps FortiWAN 1000B 1 Gbps 2 Gbps FortiWAN 3000B 3 Gbps 6 Gbps 9 Gbps Note Conditional bandwidth upgrade is provided for old models Please contact customer support to...

Страница 115: ...essions are transferred via different WAN links according to algorithm but packets of a session are transferred via one WAN link All the routing policies except the fixed one will ONLY use working WAN...

Страница 116: ...Considering the example that WAN1 is 1Mbps and WAN2 is 2Mbps and total traffic of the both WAN links is 0 5M Thus the traffic load of WAN1 and WAN2 are 0 5 and 0 25 the next session will be routed to...

Страница 117: ...lly a combination of the multiple WAN links Auto routing is capable of adjusting the Virtual Trunk to include only the WAN links that are functioning normally and to direct outbound traffic through th...

Страница 118: ...Each policy can be named accordingly and administrator can decide which WAN links to be used before adding in the filters table Filter FortiWAN will base on the filters table to manage the outbound tr...

Страница 119: ...nd rout the out going traffic of VLANs by evaluate traffic against Input Port Source Established connections from specified source will be matched See Using the web UI Destination The connections to s...

Страница 120: ...4k upstream 3 Route connections with algorithm Optimum Route 4 Route connections based on the current downstream traffic of WAN links 5 Route connections based on the total traffic of each WAN link Po...

Страница 121: ...195 in DMZ to POP3 server on the internet will be routed by WAN1 512 512 If WAN 1 fails no action will be taken Note When WAN 1 fails connection to the external POP server will also fail Example 2 The...

Страница 122: ...routed by WAN3 5 The connections from 211 21 48 196 to FTP 210 10 10 11 are routed by policy Round Robin1 2 3 6 The connections from 211 21 48 195 to any SMTP server on the internet are routed by poli...

Страница 123: ...3 www IN A 192 136 1 243 All DNS requests to www example com will be sent to FortiWAN Multihoming will constantly measure the health conditions as well as the state of each WAN link and compute the op...

Страница 124: ...exas edu about sales xtera com Suppose it is not in the cache of dns utexas edu The DNS server goes to a Root DNS server to find the DNS server for COM TLD The DNS server for COM TLD tells dns utexas...

Страница 125: ...tion that adds data authentications and integrity to standard DNS To resist tampering with DNS responses DNSSEC introduces PKI Public Key Infrastructure to sign and authenticate DNS resource record se...

Страница 126: ...resses specified on the Slave unit When the Master s Multihoming works properly the Slave s Multihoming will get into non active mode Unit that is in non active mode will not answer to any DNS request...

Страница 127: ...ecord TTL Set DNS query response time TTL Time To Live Specifies the amount of time other DNS servers and applications are allowed to cache the record Zone Name Reverse domain name of a host For examp...

Страница 128: ...of each WAN link It is available only when algorithm of By Weight is in use Domain Settings The table below configures Domain Settings multihoming domain names DNS servers names for querying domain an...

Страница 129: ...rate multiple key pairs in batches from the configuration panel Generally one key pair is in Active state for using while the other key pairs are in Standby state for manually key rollover at the appr...

Страница 130: ...the domain name For example if www1 abc com is the alias of www abc com domain name enter www1 in this field Target Enter the real domain name For example if www1 abc com is the alias of www abc com e...

Страница 131: ...For example if domain name is mail abc com enter mail Priority Enter the priority of the mail servers The higher the priority is the lower the num ber is Mail Server Enter the IP address of the mail s...

Страница 132: ...necessary to update the registrations on your parent domain with FortiWAN s localhost IP addresses so that a request for your domain can be delivered to FortiWAN and forwarded to the specified name se...

Страница 133: ...ww abc com the prefix will be www When Options are Busy Idle and All Time Refer to System Date Time for more information Source IP Enter the IPv4 address that the DNS query comes from To Policy Select...

Страница 134: ...168 0 100 HTTP 80 61 64 195 150 192 168 0 100 HTTP 80 This web server is bound to two WAN ports For more information see System Networking settings WAN Settings Multihoming settings in the example A...

Страница 135: ...All Time Any Web 30 Note DNS server IP can be public IP and private IP Example 2 Configure virtual server before setting multihoming Its configuration looks like below in this example WAN IP Server IP...

Страница 136: ...ddress Domainname com 30 Abc domainname com ns1 192 168 0 10 Name Server IPv4 Address ns1 192 168 0 10 Host Name When Source IP To Policy TTL mail All Time Any smtp 30 TTL Host Name Priority Mail Serv...

Страница 137: ...unnel FortiWAN s Tunnel Routing sets up proprietary tunnels between symmetric FortiWAN sites local and remote with GRE Generic Routing Encapsulation protocol GRE Generic Routing Encapsulation Protocol...

Страница 138: ...g rule is predefined for packets from 192 168 10 0 255 255 255 0 to 192 168 20 0 255 255 255 0 3 According the specified balancing algorithm determining a WAN link for transferring FWN A encapsulates...

Страница 139: ...et while WLHD only detects the status of connections to Internet Therefore the two mechanisms might show different detection result For example the Web UI reports a WAN link is OK but a tunnel establi...

Страница 140: ...supported for Tunnel Routing over IPSec Besides deployments of Tunnel Routing over IPSec is limited For more information about Tunnel Routing over IPSec please refer to IPSec About FortiWAN IPSec VPN...

Страница 141: ...see the tables Default Rules Routing Rules and Persistent Rules Tunnel Routing works in symmetric FortiWAN sites when the unit we are talking about or configuring to is called local host or local site...

Страница 142: ...lished with FWN A s WAN 1 and FWN B s WAN 1 and tunnel 2 is established with FWN A s WAN 2 and FWN B s WAN 2 A transmission via Tunnel Group 1 will be distributed over tunnel 1 and tunnel 2 Tunnel Gro...

Страница 143: ...setting panel Group Name Assign a group name to the tunnel group Remote Host ID Enter the Host ID of the Remote unit the Tunnel Group connects to Algorithm l Round Robin Route the connections in every...

Страница 144: ...ss please select Dynamic WANx for the configuration l Dynamic IP WAN link with NAT on local side If the WAN link of local FortiWAN you want to employ for the tunnel is configured with a dynamic IP add...

Страница 145: ...ed to correspondent IPSec Phase 1 See IPSec Define routing policies for an IPSec VPN Weight The weight priority of the tunnel for the Round Robin balancing algorithm This field is dis played only if R...

Страница 146: ...l Routing s tunnel healthy detection mechanism Therefore it is necessary to specify another way for the traffic Note that as long as one tunnel in a tunnel group remains connected Tunnel Routing keeps...

Страница 147: ...the beck up tunnel group is also failed Note it takes the same action as NO ACTION if a tunnel group that is the same as what specified in field Group is selected as back up for fail over here Defaul...

Страница 148: ...ated against Auto Routing s rules and transferred according to the Auto Routing policies Transmission gets failed if there is no rule matches Tunnel Group Name All the defined tunnel groups are listed...

Страница 149: ...roup AB NO ACTION 192 168 1 10 192 168 2 11 Any Tunnel Group AB NO ACTION 192 168 1 10 192 168 2 12 Any Tunnel Group AB NO ACTION 192 168 1 11 192 168 2 10 Any Tunnel Group AB Auto Routing 192 168 1 1...

Страница 150: ...s LAN or DMZ for a default rule It is necessary to re apply the configurations of Default Rule to trigger the negotiation and update the default rules if any change to LAN or DMZ networks setting Pers...

Страница 151: ...hat is worse than others in a tunnel group Tunnel Routing s Benchmark works as Client Server mode Test traffic is sent from the client site to the server site via every single configured tunnel and th...

Страница 152: ...t benchmark test to all the tunnels of the tunnel group Note that testing is per formed individually to every single tunnel in a top down order Test Click to start benchmark test to the specified tunn...

Страница 153: ...tunnel See also Tunnel Routing How the Tunnel Routing Works Tunnel Routing Setting How to set up routing rules for Tunnel Routing Scenarios Scenarios Example 1 A company s headquarters and two branch...

Страница 154: ...in 1 1 1 1 2 2 2 2 1 1 1 1 1 4 4 4 4 1 HQ Branch1 Backup B1 Round Robin 3 3 3 3 2 2 2 2 1 3 3 3 3 4 4 4 4 1 HQ Branch2 B2 Round Robin 1 1 1 1 6 6 6 6 1 3 3 3 3 8 8 8 8 1 HQ Branch2 Backup B2 Round Rob...

Страница 155: ...1 Routing Rules Source Destination Service Group Fail Over 192 168 2 1 192168 2 10 192 168 1 1 192 168 1 10 Any Branch1 HQ No Action 2 2 2 22 1 1 1 11 Any Branch1 HQ AR The settings for the branch2 S...

Страница 156: ...must correspond to each other or else tunnel routing will not perform its function For example if FortiWAN in Taipei has removed the values 2 2 2 2 to 3 3 3 3 in their routing rule settings then the...

Страница 157: ...11 21 33 186 Dynamic IP at WAN1 1 Dynamic IP at WAN2 Dynamic IP at WAN2 1 Routing Rules Source Destination Service Group Fail Over 192 168 1 0 255 255 255 0 192 168 2 0 255 255 255 0 Any HQ Branch No...

Страница 158: ...oversea Each office deploys a public line to access Internet Each branch office sets up an individual tunnel with the headquarters to access the corporate Intranet Requirements The LAN links in branch...

Страница 159: ...oup Fail Over 192 168 1 0 255 255 255 0 192 168 2 0 255 255 255 0 Any HQ Branch2 No Action 192 168 2 0 255 255 255 0 192 168 1 0 255 255 255 0 Any HQ Branch1 No Action The settings for the branch1 Set...

Страница 160: ...ion Example 4 Central Routing of Tunnel Routing A company operates two branch offices oversea Intranet is established throughout the three locations but the branch 1 does not have any public links to...

Страница 161: ...e Remote Host ID Algorithm Tunnels Local IP Remote IP Weight HQ Branch1 Branch1 Round Robin 3 3 3 3 1 1 1 1 1 HQ Branch2 Branch2 Round Robin 3 3 3 3 2 2 2 2 1 Routing Rules Source Destination Service...

Страница 162: ...Weight Branch1 HQ HQ Round Robin 1 1 1 1 3 3 3 3 1 Routing Rules Source Destination Service Group Fail Over Any Address WAN Any Branch1 HQ No Action The settings for the branch2 Set the field Local Ho...

Страница 163: ...from the gateway machine Inbound traffic does not have to know where the real servers are or whether there are just one or many servers This method prevents direct access by users and therefore incre...

Страница 164: ...er Status and Report Virtual Server IPv4 Virtual Server E Check the box to enable the rule When Options Busy hour Idle hour and All Time See Busyhour Settings WAN IP For external internet users the vi...

Страница 165: ...to enable the rule When Options Busy hour Idle hour and All Time See Busyhour Settings WAN IP For external internet users the virtual server is presented as a public IP IPv6 on WAN port This WAN IP i...

Страница 166: ...01 in LAN l Assign 211 21 48 195 and 211 21 33 189 to WAN 1 and WAN2 Forward all requests to 211 21 48 195 or 211 21 33 189 to two SMTP servers 192 168 0 200 and 192 168 0 201 in LAN l Forward all req...

Страница 167: ...TTP 80 1 192 168 0 101 TCP 80 HTTP 80 1 211 21 48 194 FTP 21 192 168 0 200 ICMP FTP 21 1 192 168 0 201 TCP 21 FTP 21 1 211 21 33 186 FTP 21 192 168 0 200 ICMP FTP 21 1 192 168 0 201 TCP 21 FTP 21 1 21...

Страница 168: ...ftp data l Enable external users to access WAN IP 211 21 33 186 and connect PcAnywhere to LAN hosts l Note PcAnywhere uses TCP port 5631 and UDP port 5632 Refer to PcAnywhere software manual for more...

Страница 169: ...sts Picked out per Detection via a WAN link defined in WAN Link FortiWAN determines the WAN link alive if receiving response from at least one of those targets in a time period defined in Detection ti...

Страница 170: ...TL Time to Live of the ping packet is determined by Hops and generally defined as 3 FortiWAN takes the TTL expired message as a legal response for a ICMP detection even the detection packet is not del...

Страница 171: ...s As we know a private network deployment of private IP addresses is invisible closed to public network usually the Internet Two private networks in geographically different location can not directly...

Страница 172: ...tions for Once these security parameters are shared securely between the two entities which is called a establishment of Security Association See the privacy and authentication of data transmission ar...

Страница 173: ...twork FortiWAN B FortiWAN B receives the packets and performs l recover the encrypted packets by decapsulation l recover the original data and IP header by decryption l forward packets to host 192 168...

Страница 174: ...ether someone or something is in fact who or what it is declared to be In authentication one has to prove its identity to the remote one and the identity will be verified by the remote one A typical p...

Страница 175: ...city are so that guaranteed to the VPN communications by encryption and authentication Basically IKE Phase 1 authenticates a remote peer and sets up a secure channel for going forward Phase 2 negotiat...

Страница 176: ...never sent by either gateway Actually it is involved in the generation of encryption secret key Message integrity A message authentication code MAC not only verifies identity but also provides integr...

Страница 177: ...compromised With enabling PFS the calculation of secret keys involves a new Diffie Hellman exchange The private key material of Diffie Hellman exchange protects the session secret keys of IKE Phase 2...

Страница 178: ...ly Usually Transport mode is applied to other tunneling protocols to provide protection of GRE L2TP encapsulated IP data packets GRE L2TP transmission over IPSec protection FortiWAN IPSec Transport mo...

Страница 179: ...nels through different WAN ports WAN interfaces between two FortiWAN units but bandwidth aggregation and fault tolerance are not available for the IPSec VPN transmission It is unable to distribute the...

Страница 180: ...dresses and NAT pass through in Tunnel Routing How the Tunnel Routing Works if it is protected by IPSec Type IPSec protection Tunneling Bandwidth Aggregation Fault Tolerance Peer device IPSec Tunnel m...

Страница 181: ...s 3 3 3 3 participates in ISAKMP SA 2 and ISAKMP SA 3 more than one ISAKMP SA which causes failure to establish ISAKMP SA 2 and ISAKMP SA 3 IPSec connections thus can not be established The above exam...

Страница 182: ...ent There are three IPs deployed on FortiWAN 2 s WAN link 2 See Configuring your WAN and each IP address participates in only one ISAKMP SA l ISAKMP SA 1 2 2 2 1 4 4 4 4 l ISAKMP SA 2 2 2 2 2 5 5 5 5...

Страница 183: ...sses 3 3 3 3 and 8 8 8 8 participate in only ISAKMP SA 2 ISAKMP SA 3 failed For the two FortiWAN devices FortiWAN 1 and FortiWAN 2 the WAN link IP addresses 6 6 6 6 participates in not only ISAKMP SA...

Страница 184: ...ses deployment You need to determine the participating private IP addresses the source and destination of traffic and make policies to permit traffic to pass through the VPN The VPN devices used to bu...

Страница 185: ...IPSec VPN tunnel The IPSec VPN tunnel is established through connection of the two public IP addresses You need to determine the WAN link of a FortiWAN unit to connect with each other for an IPSec VP...

Страница 186: ...d SAs would be removed once a disconnection is recognized by FortiWAN s IPSec DPD but FortiWAN would not automatically perform the reestablishment new establishment of the SAs is triggered only if an...

Страница 187: ...However both the two filters are required to be incompatible with the others Phase 1 configurations moving up or moving down is nothing about rule first match Name A unique description name for the Ph...

Страница 188: ...See Tunnel Routing l Additional routing policies are necessary for system to route the packets of IKE negotiations and IPSec VPN communications to the IP address WAN port you defined here See Define r...

Страница 189: ...ion Select one of the following authentication algorithms l MD5 A MD5 based MAC algorithm hmac md5 with 128 bit message digest l SHA1 A SHA1 based MAC algorithm hmac sha1 with 160 bit message digest l...

Страница 190: ...in Phase 1 two FortiWAN units handle the negotiations of encryption and authentication algorithms according to their IKE proposals The only thing that is different from Phase 1 is Perfect Forward Secr...

Страница 191: ...ncryption authentication algorithms and DH groups to the multiple quick mode selectors if multiple security levels are necessary For IPSec Transport mode the Phase 2 configuration does not require a Q...

Страница 192: ...Phase 2 negotiations This name can contain a piece of information used for simple management such as it can reflect where the correspondent remote unit is or what the purpose it is It is also the ind...

Страница 193: ...key lifetime Select the encryption and authentication algorithms strength of DH key exchange and the key lifetime for the IKE phase 2 proposal that will be used in the IKE Phase 2 negotiations Make s...

Страница 194: ...ption Standard a 64 bit block algorithm that uses a 56 bit key l 3DES Triple DES plain text is encrypted three times by three keys l AES128 A 128 bit block algorithm that uses a 128 bit key l AES192 A...

Страница 195: ...28 bit message digest l SHA1 A SHA1 based MAC algorithm hmac sha1 with 160 bit message digest l SHA256 A SHA256 based MAC algorithm hmac sha256 with 256 bit message digest l SHA384 A SHA384 based MAC...

Страница 196: ...n DH group actually which determines the strength of the private key material used in the Diffie Hellman key exchange process A higher group number implies a securer key against private key recover at...

Страница 197: ...nsferred via the IPSec VPN tunnel l Destination the destination of a packet that is allowed to be transferred via the IPSec VPN tunnel It can be an IPv4 address or an IPv4 subnet behind the remote For...

Страница 198: ...packets of IPSec VPN communications called ESP packets here An IKE packet comes from the local FortiWAN unit and its source IP address is just the configured Local IP a WAN port an ESP packet comes fr...

Страница 199: ...te B IP s on Localhost 192 168 10 254 192 168 100 254 Netmask 255 255 255 0 255 255 255 0 LAN Port Port3 Port3 For the details of LAN private subnet setting see LAN Private Subnet Define Auto Routing...

Страница 200: ...filter must be configured to Localhost to match the negotiation traffic and direct it to correct WAN link For IPSec communication packets Routing of packets that are going to be transferred through I...

Страница 201: ...N and are evaluated with NAT rule before Phase 2 Quick Mode selector If the source address of a IPSec packet is translated to another by NAT the packet fails in matching the Quick Mode selector and th...

Страница 202: ...10 10 10 and site B s WAN 1 20 20 20 20 The other parameters are not listed here Phase 2 Local endpoint Site A Remote endpoint Site B Name WAN1_WAN1_Phase2 WAN1_WAN1_Phase2 Quick Mode Source 192 168 1...

Страница 203: ...port and remote WAN port With the IPSec SAs established on these TR tunnels GRE packets will be protected encrypted decrypted by correspondent SA when they pass through a TR tunnel the local and remot...

Страница 204: ...ask 255 255 255 0 255 255 255 0 LAN Port Port3 Port3 For the details of LAN private subnet setting see LAN Private Subnet Define Auto Routing policies for IKE negotiation Our goal is two establish IPS...

Страница 205: ...E 500 Any or IKE 500 Any or IKE 500 Routing Policy IPSec_WAN1 IPSec_WAN2 IPSec_WAN1 IPSec_WAN2 Fail Over Policy NO ACTION NO ACTION NO ACTION NO ACTION Tunnel Routing itself takes the responsibility t...

Страница 206: ...tworks behind the two FortiWAN units Tunnel Routing controls the routing of them You need the configurations to set up the two TR tunnels and the policies to route GRE packets over the TR tunnels To e...

Страница 207: ...e selector being equal to a TR routing rule or Tunnel Routing goes to failure For the details of Tunnel Routing see Tunnel Routing Procedures to set up a Tunnel Routing over IPSec Transport mode To se...

Страница 208: ...Phase 1 Keylife 1200 Secs l Phase 2 Encryption DES l Phase 2 Authentication MD5 l Perfect Forward Secrecy PFS enable l Phase 2 DH Group 5 l Phase 2 Keylife 120 Secs Configurations on FortiWAN To set u...

Страница 209: ...rk Setting LAN Private Subnet and create a LAN subnet configuration IP s on Localhost 2 2 2 254 Netmask 255 255 255 0 LAN Port Port3 For the details of LAN private subnet setting see LAN Private Subne...

Страница 210: ...Auto Routing see Auto Routing NAT Go to Service NAT and create a NAT rule When All Time Source 2 2 2 0 255 255 255 0 Destination 1 1 1 0 255 255 255 0 Service Any Translated No NAT For the details of...

Страница 211: ...VPN on the FortiWAN side configurations on the FortiGate side are introduced next For the details of IPSec parameters see IPSec VPN in the Web UI Configurations on FortiGate To set up the IPSec VPN co...

Страница 212: ...ustom VPN Tunnel No Template and click Next to configure the settings as follows Network IP Version IPv4 Remote Gateway Static IP Address IP Address 10 12 102 42 Interface WAN1 Mode Config Disable NAT...

Страница 213: ...1 0 255 255 255 0 Remote Address Subnet 2 2 2 0 255 255 255 0 Phase 2 Proposal Encryption DES Authentication MD5 Enable Replay Detection disable Enable Perfect Forward Secrecy PFS enable Diffie Hellm...

Страница 214: ...Routes and click Create New to create two rules for WAN1 and the IPSec tunnel IPSec_to_FWN_P1 Destination IP Mask 0 0 0 0 0 0 0 0 2 2 2 0 255 255 255 0 Device wan1 IPSec_to_FWN_P1 Gateway 10 12 136 25...

Страница 215: ...ee options available Busy hour Idle hour and All Time See Busyhour Settings Source Packets sent from specified source will be matched See Using the web UI Destination Packets sent to a specific destin...

Страница 216: ...on the internet WAN through port 25 SMTP port 80 HTTP port 21 FTP and port 110 POP3 l All other packets are blocked The rules table for the example will look like this Source Destination Service Acti...

Страница 217: ...ts the address of FortiWAN host machine l Users from LAN can access FTP server 192 168 10 1 through port 21 l Users from the internet cannot ping FortiWAN Note To intercept ping messages users can den...

Страница 218: ...nal host starts the sessions An external host is unable to starts a session with an internal host via the typical NAT FortiWAN s 1 to 1 NAT gives the availability of two way transmission between an in...

Страница 219: ...ll packets into an IP address localhost of the WAN link The second or third rule from the bottom ignores NAT to packets coming from subnets of the WAN link Those default rules are added as the bottom...

Страница 220: ...ch specified how to translate source IP address of a out going packet into specified IP address of the WAN link Incoming packets from a external host can be accepted and forwarded to the correct inter...

Страница 221: ...rom the source will be matched See Using the web UI Note The source IPv6 to be translated must be the IPv6 address assigned to the LAN or DMZ Destination The packets sent to the destination will be ma...

Страница 222: ...the 1 to 1 NAT rule should be applied to See Using the web UI For a 1 to 1 NAT rule the amount of external IP address here must be the same as amount of internal IP address above Note External IP Add...

Страница 223: ...sses for the same client during an authenticated and certified session PR ensures that the source IP address remains unchanged in the same session Timeout For every session pair of source and destinat...

Страница 224: ...PR the matched connections will NOT be routed persistently L Check to enable logging Whenever the rule is matched system will record the event to log file Persistent routing is often used when destin...

Страница 225: ...use persistent routing As there is no default action set by Web Service Rules if no rule is added all connections will be based on IP Pair Rules to determine whether to use persistent routing The pers...

Страница 226: ...in inbound traffic and outbound traffic The section will mainly explain how to guarantee bandwidth based on priority settings and how to manage inbound and outbound traffic by configuring busy idle ho...

Страница 227: ...defined in inbound and outbound filters passing through the WAN link will be shaped according to the bandwidth limitation below Busy Hour Set tings This is the bandwidth allocation on a WAN link duri...

Страница 228: ...n and service Traffic matches the filter will be associated to the corresponding BM class so that the traffic is shaped according to the bandwidth allocation of the class The source and destination he...

Страница 229: ...al services it is try to classify the traffic by its Source and Destination the Source and Destination of the Routing Rules of Tunnel Routing or the Source and Destination of the Quick Mode selectors...

Страница 230: ...ed bandwidth on WAN1 is 20K and zero on WAN2 and WAN3 During the idle period the maximum bandwidth limited for 192 168 0 100 to download data from internet FTP servers is 50K on WAN1 200K on WAN2 and...

Страница 231: ...rce Destination Service Classes WAN 211 21 48 197 SMTP 25 Mail Server WAN LAN HTTP 80 For LAN Zone WAN 192 168 0 100 FTP 21 For 192 168 0 100 WAN 211 21 48 198 FTP 21 FTP Server There are two possible...

Страница 232: ...download data from internet FTP servers is 50K on WAN1 64K on WAN2 and WAN3 The guaranteed bandwidth on WAN1 is 20K and zero on WAN2 and WAN3 During the idle period the maximum bandwidth limited for...

Страница 233: ...w during both busy and idle periods During the busy period the maximum bandwidth limited for internet users to download data from a virture FTP server 192 168 0 100 in LAN is 200K on WAN1 100K on WAN2...

Страница 234: ...0 128 Low 0 256 Low WAN2 0 128 Low 0 256 Low WAN3 0 256 Low 0 512 Low Filter Settings Source Destination Service Classes 211 21 48 198 WAN FTP 21 FTP Server 211 21 48 197 WAN POP 110 Mail Server POP3...

Страница 235: ...e Limit is aimed to restrict the number of connections built by one IP address every second The source of connection can be from any of the following options IP address IP Range Subnet WAN LAN DMZ Loc...

Страница 236: ...ured here However cache servers have to support caching in transparent mode Note Cache Server can be in DMZ FortiWAN provides log mechanisms on events refer to the Connection Limit service see Log Cac...

Страница 237: ...gging will be enabled Whenever the rule is matched the system will write the event to the log file Redirect rules can be established to match requests that will be redirected to the specific cache ser...

Страница 238: ...l the set DNS servers are not available or the DNS server is not configured Internal DNS will ask the root domain name server for resolving the domain Allocate the Internal DNS to users in LAN and DMZ...

Страница 239: ...subnet or predefined IPv4 group IPv6 Address Query IPv6 address It can be IPv6 single address range subnet or predefined IPv6 group NS Record Name Server Enter server name s prefix For example if a s...

Страница 240: ...ce Target The hostname of the machine providing this service TTL TTL Time To Live specifies the amount of time that SRV Record is allowed to be cached MX Record Host Name Enter the prefix of the mail...

Страница 241: ...ually deploy servers in several ISP networks and maintain DNS servers or appropriate settings on ISP s DNS for common domain in each of the ISP network Those DNS servers in different ISP networks answ...

Страница 242: ...eam always routes the connection to the WAN link that has the lightest upstream traffic l By Total Traffic always route the connection to the WAN link that has the lightest total traffic WAN Select th...

Страница 243: ...N s firewall See Firewall l Configure SNMP settings and Event Notification to FortiWAN unit SNMP agent configuration To configure SNMP settings go to Service SNMP Check the box Enable SNMP to enable S...

Страница 244: ...le on the Fortinet Customer Service Support website https support fortinet com IP MAC Mapping Users can specify the IP MAC table by classifying periods like peak hours and idle hours Once the IP MAC t...

Страница 245: ...flow direction inbound and outbound WAN Link The number of WAN links for inspection Automatic Refresh Time interval to refresh statistical table Traffic Class The name of the traffic class defined on...

Страница 246: ...persistent routing data IPv4 IPv6 IP Pair IP Pair Entry Shows connection entries that match IP Pair Rules Source IP Source IP of the current persistent routing connection Destination IP Destination I...

Страница 247: ...ng packet if Detection Protocol is ICMP or a TCP connection request if Detection Pro tocol is TCP Number of Replies The number of responses received so far from the Destination IP A reply indicates a...

Страница 248: ...f the client s machine Client Hostname Shows the name of the client machine Expiration Time Shows the time period when the IP address is valid DHCPv6 Server Displays DHCPv6 server and range of IPv6 ad...

Страница 249: ...the occupied memory then When system is under attacks with high volumes of malicious connections FortiWAN s Connection Limit See Connection Limit stops sub sequent connections established by the malic...

Страница 250: ...nitor tunnel s working status and view its statistics in the last 3 Seconds 1 Minute etc Administrators can enable Automatic Refresh and choose a suitable time interval to refresh statistics automatic...

Страница 251: ...ector Select the combination of Mode and Phase 1 here and then the statistics of related IPSec SAs are reported Mode Select the mode Tunnel mode or Transport mode of the security asso ciations that yo...

Страница 252: ...and determined by system Status States of the IPSec SA l larval an IKE Phase 2 is in progress to establish an IPSec SA l mature the IPSec SA is established and still within validity l dying the IPSec...

Страница 253: ...N s traffic statistics is associated with the operation of Bandwidth Management which implies traffic of Tunnel Routing and IPSec is partially transparent to the statistics function FortiWAN gives the...

Страница 254: ...VPN devices and the GRE traffic generated by FortiWAN Tunnel Routing will be counted into service GRE in page Reports Bandwidth Usage Services which might be confusing Drilling it down by Internal IP...

Страница 255: ...l traffic As for Reports Service statistics by service is displayed as follows l FTP 60MB l HTTP 80MB l GRE 60MB l Total 200MB All the tunnel traffic FTP and HTTP generated by user B is classified int...

Страница 256: ...w has a sub menu of 13 log types see the table below Choose the desired log type and its corresponding events will show in display window Click the Refresh button to get the latest log records Please...

Страница 257: ...Firewall FW IP 5 TUPLE ACTION ACCEPT DENY TOTLEN pktlen The first packet of session IP 5 TUPLE matching a Firewall rule triggers the log System generates only one log for this session This log indicat...

Страница 258: ...log are generated in pairs Virtual Server VS IP 5 TUPLE NEW_DST ADDR TOTLEN pktlen The first packet of session IP 5 TUPLE matching a Virtual Server rule triggers the log System generates only one log...

Страница 259: ...size of the session is pktlen See Cache Redirect for further information Multihoming MH FROM ip TYPE A AAAA WLINK widx REPLY ip An DNS response queried for A or AAAA records by Multihoming triggers t...

Страница 260: ...icates destination MAC addresses MAC of the packets of IP 5 TUPLE and the MAC address defined in IP MAC table are mismatched and so that the packets are blocked See IP MAC Mapping for further informat...

Страница 261: ...not be correspondent with each other IP INFO received INITIAL CONTACT IP received the request for negotiation from the peer ERROR phase1 negotiation failed due to time up A queued or retransmitted pha...

Страница 262: ...l Failed to send test email to receiver UI setting l Settings are applied for page System page name l Settings are applied for page Service page name l Settings are applied for page Log page name l Un...

Страница 263: ...del l Peer serial number changed from Serial Number to Serial Number l Peer state changed from State to State l Responded to Slave s Time Synchronization Request l Responded to Slave s Configuration S...

Страница 264: ...a from FortiWAN to servers via FTP E mail and Syslog protocol for archiving and analysis Configure log push method one log type by another or use Copy Settings to All Other Log Types It copies and app...

Страница 265: ...unt Password FTP user password Path FTP server path E Mail SMTP Server SMTP server for logging Account Authenticated account for mail server Password Authenticated password for mail server Mail From S...

Страница 266: ...SSL Check to enable SMTP transfers over SSL Account Authenticated account for the mail server Password Authenticated password for the mail server Mail From Sender Mail To Receiver s Separate receivers...

Страница 267: ...over and integer 2 indicates the falseness of HA takeover VRRP takeover Send notification when the local unit in VRRP deployment was took over by its backup unit Integer 1 indicates the truth of VRRP...

Страница 268: ...isk Analysis and statistics are displayed via Web UI The Reports displays no data without enabling this Stand alone Reports Enable Reports UDP Enable it to push logs to specified stand alone Reports s...

Страница 269: ...link the minimum and maximum traffic volume for a given specified day range the traffic volume and service conditions of a certain server during a specified day range Bandwidth Usage presents the ana...

Страница 270: ...ere you can specify a single date or date range Click on the magnifier icon next to the date selector to start with date selection l Time between 00 00 to 23 59 of a selected date l Days from start to...

Страница 271: ...current configuration and close the dialog window l Send Click to send the report email immediately All reports generated by FortiWAN can be exported as PDF or CSV format By clicking Export button on...

Страница 272: ...h The bar chart aside the distribution displays the percentage of the traffic generated in the past five minutes The bandwidth capability denominator used to calculate the percentage is the sum of the...

Страница 273: ...d 80 are the two waterlines used in the bar chart to alert administrators to the exceedance The bar is marked with green if the CPU usage is less than 50 with orange if it is between 50 an 80 and with...

Страница 274: ...here reports the disk space usage so that an appropriate cleanup See Disk Space Control and Reports Database Tool can be took to low disk space Free space The available disk space Other used The disk...

Страница 275: ...n of CPU usage of FortiWAN by the date range defined CPU usage is a measure of how much traffic is being managed or how much services the FortiWAN is required to do on that traffic Sustained usage nea...

Страница 276: ...riods or dates if a date range is defined l Count Number of Sessions WAN Traffic The WAN Traffic report shows the traffic distribution of every FortiWAN s WAN link by the date range defined This repor...

Страница 277: ...link is not enabled from FortiWAN Web UI Create a report for a specific day or over a range of dates See Create a Report Export reports and send reports through email See Export and Email Statistics T...

Страница 278: ...t reports and send reports through email See Export and Email The various statuses are defined as below l OK TR link is enabled configured and connected physically l Fail TR link is enabled and config...

Страница 279: ...ws to be listed on the report page can be defined in account settings The Statistics Table may be re sorted by Inbound Bytes Outbound Bytes or Total Bytes by selecting the appropriate column header Th...

Страница 280: ...s shown by Out Class WAN Service Internal IP External IP Internal Group External Group and Traffic Rate Trend via the selected policy In Class l Out Class Out Classes that are associated with this In...

Страница 281: ...t Class shown by In Class WAN Service Internal IP External IP Internal Group External Group and Traffic Rate Trend via the selected policy Out Class l In Class In Classes that are associated with this...

Страница 282: ...affic is passed through this WAN link l Internal IP Any monitored internal IP addresses that traffic is passed through this WAN link l External IP Any monitored external IP addresses that traffic is p...

Страница 283: ...ternal Group Any monitored external IP group set up under the Settings menu that the external IP addresses are associated with this Service l Traffic Rate bandwidth distribution generated by this Serv...

Страница 284: ...Any monitored external IP group set up under the Settings menu that the external IP addresses are associated with this Internal IP address l Traffic Rate bandwidth distribution generated by this Inte...

Страница 285: ...associated within this time period Function Status This report category is the function to monitor the status of FortiWAN s major functions for a long period Long term statistics of function status i...

Страница 286: ...Table l Lists the Virtual Server IP Service and count of access sorted by the Server IP default l WAN IP the public IP address for external users to access the virtual server l WAN Service the service...

Страница 287: ...itched by clicking on the same column header Advanced Functions of Reports Reports provides advanced functions beyond the basic reports to give an accurate analysis Drill In and Custom Filter are the...

Страница 288: ...be further drilled in to query which WAN link of FortiWAN are utilizing this service by clicking the Drill In magnifier icon in the row of HTTPS TCP 443 listed in the table and select WAN query resul...

Страница 289: ...in the table and select Internal IP query result is as shown below As indicated in the blue box shown in the figure above this page presents the data of Internal IP report that includes the traffic o...

Страница 290: ...l see a summary of the query conditions used in the existing report highlighted in blue as shown in the image above making it clear for administrators to keep track of the query details Continuing the...

Страница 291: ...Reports Reports The report presented by Traffic Rate using the same filter Internal Group Marketing Internal IP 10 12 98 98 and Service HTTP TCP 80 is illustrated as follows FortiWAN Handbook Fortinet...

Страница 292: ...IP and External IP Usually administrators will need to check drilled in information for particular target regularly As discussed previously Drill in function can be used to obtain more report specifi...

Страница 293: ...Predefined L4 and L3 protocols are available Entering a single or a range of port number is also allowed l Internal IP Enter the Internal IP address you want to query include or exclude in the input...

Страница 294: ...r HTTPS TCP 443 and WAN2 in the Traffic Rate report and the corresponding query result will show the traffic statistics of service HTTPS TCP 443 and WAN2 by traffic rate as follows the block marked in...

Страница 295: ...from their account profile Please refer to section of Customer Filters in Account Settings for more information Export All reports generated by Reports can be exported as PDF or CSV format By clicking...

Страница 296: ...t emails The Email function is also available for custom filter reports and drill in reports No matter which report page you re at you can always click the Email button on that page to determine when...

Страница 297: ...a increases storage consumption increases The Reports database tool DB tool is an application running on remote host to manage FortiWAN Reports database Note that the DB tool must be ran on a host tha...

Страница 298: ...e License Agreement carefully Click the I Agree button to accept the agreement and begin the installation process Otherwise please click Cancel Step 5 Choose a destination folder for setup and click N...

Страница 299: ...tep 6 Choose a Start Menu folder or check Do not create shortcuts to ignore it Click Install and then the installation process will begin Step 7 Click Finish to complete Reports DB Tool setup FortiWAN...

Страница 300: ...abase tool please go to Start Programs FWN dbtool and DB Tool utility is available for selection DB Tool Tool to manage report data from the Reports database Fortinet Link to Fortinet web site Uninsta...

Страница 301: ...fy the location of the Reports database it would be the IP address of FortiWAN Web UI DB Port Specify the port number that Reports database is listening Please use the default port 5432 Save Click to...

Страница 302: ...e to back up the data by selecting a date from the drop down calendar Save to the directory Click Browse to select a location where the backup data should be saved Delete the data after exported Check...

Страница 303: ...Advanced Functions of Reports Reports Restore Restore Click to select backup files to restore to database FortiWAN Handbook Fortinet Technologies Inc 303...

Страница 304: ...specify the end date to delete the data Delete Click to start deleting data of selected dates Reports Settings The Settings here is used to simply manage the Reports on database disk space and the SMT...

Страница 305: ...IP addresses shown in Reports by predefined notes An annotation icon will appear next to the IP address listed in a report page Users can read the content of the annotation through clicking the icon C...

Страница 306: ...ec and 30 sec or Do not refresh the dashboard Email Server Individual reports See Report Email and system alerts See Disk Space Control can be sent to users via email It is necessary to configure the...

Страница 307: ...ount Leave the field empty if you want disable the condition Send notification after purge data Click to enable notification via email after data purging Settings Email Server must be configured to en...

Страница 308: ...of the chart displays the correspondent amount of space Free Space Display the amount of free disk space in MB and percentage Database Used Display the disk amount used by Reports database in MB and...

Страница 309: ...instrator 1234 admin null Fortinet default The Web UI login port will be restored to the default port 443 FortiWAN also supports SSH logins The interface for SSH login is the same as the console with...

Страница 310: ...2 168 0 1 l Netmask 255 255 255 0 l DHCP Server Disabled Port 5 DMZ Fields such as Domain Name Server VLAN and Port Mapping WAN DMZ Subnet Settings are all cleared Service Category Default Values l Fi...

Страница 311: ...et disclaims all warranties whether express or implied except to the extent Fortinet enters a binding written contract signed by Fortinet s General Counsel with a purchaser that expressly warrants tha...

Отзывы:

Нет отзывов

Бренды по названию

Популярные бренды

Загрузить еще бренды