More About Ipsec Vpn Routing Limitations - Fortinet FortiGate-7060E Handbook

FortiGate-7000 v5.4.3 special features and limitations

- IPsec tunnels are not load-balanced across the FPMs; all IPsec tunnel sessions are sent to the primary FPM module.
- IPsec VPN dialup or dynamic tunnels require a flow rule that sends traffic destined for the IPsec dialup IP pools to the primary FPM module.
- In an HA configuration, IPsec SAs are not synchronized to the backup chassis. IPsec SAs are re-negotiated after a failover, so established tunnels must re-establish on the new primary chassis.

More about IPsec VPN routing limitations

For IPv4 traffic, a FortiGate-7000 only recognizes netmasks that are between 16 and 32 bits long (inclusive) and contiguous. Shorter netmasks, non-contiguous netmasks and IP address ranges are not recognized. For example:

The following netmasks are supported:
- 12.34.0.0/16
- 12.34.0.0 255.255.0.0
- 12.34.56.0/21
- 12.34.56.0 255.255.248.0
- 12.34.56.78/32
- 12.34.56.78 255.255.255.255
- 12.34.56.78 (for a single IP address, FortiOS automatically uses a 32-bit netmask)

The following netmasks are not supported:
- 12.34.0.0/15 (netmask is less than 16-bit)
- 12.34.0.0 255.254.0.0 (netmask is less than 16-bit)
- 12.34.56.1-12.34.56.100 (IP ranges are not supported)
- 12.34.56.78 255.255.220.0 (invalid netmask: the mask bits are not contiguous)
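The following script is an added example, not part of the handbook and not Fortinet code. It applies the rule above (IPv4 prefixes between 16 and 32 bits, contiguous masks only, no address ranges) to address specifications written in the three forms the handbook lists, so that phase 2 selectors or address objects destined for a FortiGate-7000 can be audited before deployment. The function names `check_address` and `unsupported`, the constant `MIN_PREFIXLEN` and the sample list are assumptions made for the example; the sample entries are constructed from the handbook's own supported and unsupported cases.

```python
"""Pre-deployment check for the FortiGate-7000 IPv4 netmask limitation.

Added example, not Fortinet code.  The rule applied here is the one the
handbook states: an IPv4 netmask must be 16 to 32 bits long and contiguous,
and IP address ranges are not supported.
"""
import ipaddress

# Narrowest prefix the handbook says the FortiGate-7000 recognizes for IPv4
# (assumed name for the example).
MIN_PREFIXLEN = 16

# Constructed sample input: the supported and unsupported forms from the
# handbook's list, in the notations FortiOS accepts.
SAMPLE_ADDRESSES = [
    "12.34.0.0/16",
    "12.34.0.0 255.255.0.0",
    "12.34.56.0/21",
    "12.34.56.0 255.255.248.0",
    "12.34.56.78/32",
    "12.34.56.78 255.255.255.255",
    "12.34.56.78",
    "12.34.0.0/15",
    "12.34.0.0 255.254.0.0",
    "12.34.56.1-12.34.56.100",
    "12.34.56.78 255.255.220.0",
]


def check_address(spec):
    """Classify one IPv4 address specification.

    Accepts "a.b.c.d/len", "a.b.c.d m.m.m.m" or a bare "a.b.c.d" (which
    FortiOS treats as /32).  Returns (True, canonical_cidr) when the
    FortiGate-7000 can route it, or (False, reason) otherwise.
    """
    spec = spec.strip()
    # FortiOS writes address ranges as start-end; the 7000 cannot use them.
    if "-" in spec:
        return False, "ip range is not supported"
    parts = spec.split()
    try:
        if len(parts) == 2:
            # "address netmask" form.  ipaddress validates the mask and
            # rejects non-contiguous ones such as 255.255.220.0.
            net = ipaddress.IPv4Network((parts[0], parts[1]), strict=False)
        elif len(parts) == 1:
            # CIDR or bare address; a bare address becomes a /32.
            net = ipaddress.IPv4Network(parts[0], strict=False)
        else:
            return False, "unrecognized address format"
    except ipaddress.NetmaskValueError as exc:
        return False, f"invalid netmask ({exc})"
    except ValueError as exc:
        return False, f"not an IPv4 address ({exc})"
    if net.prefixlen < MIN_PREFIXLEN:
        return False, f"netmask is less than {MIN_PREFIXLEN}-bit (/{net.prefixlen})"
    return True, net.with_prefixlen


def unsupported(specs):
    """Return [(spec, reason), ...] for every entry the 7000 would not route."""
    results = []
    for spec in specs:
        ok, detail = check_address(spec)
        if not ok:
            results.append((spec, detail))
    return results


if __name__ == "__main__":
    for spec in SAMPLE_ADDRESSES:
        ok, detail = check_address(spec)
        print(f"{'OK  ' if ok else 'FAIL'} {spec:28} {detail}")
```

Run it against the address objects and phase 2 selectors exported from a candidate configuration; every entry reported as FAIL is one the FortiGate-7000 will not route and must be split into /16 or longer prefixes (or, for ranges, rewritten as subnets) before the configuration is pushed.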
SSL VPN

Sending all SSL VPN sessions to the primary FPM module is recommended. You can do this by:
- Creating a flow rule that sends all sessions that use the SSL VPN destination port and IP address to the primary FPM module.
- Creating flow rules that send all sessions that use the SSL VPN IP pool addresses to the primary FPM module.

Authentication

This section lists FortiGate-7000 authentication limitations:
- Active authentication that requires a user to manually log into the FortiGate firewall can be problematic because the user may be prompted for credentials more than once as sessions are distributed to different FPM modules. You can avoid this by changing the load distribution method to src-ip, so that all sessions from one source address are handled by the same FPM.
- FSSO is supported. Each FPM independently queries the server for user credentials.
- RSSO is only supported after creating a load balance flow rule to broadcast RADIUS accounting messages to all FPM modules.