Page 2
FORTINET DOCUMENT LIBRARY http://docs.fortinet.com
FORTINET VIDEO GUIDE http://video.fortinet.com
FORTINET BLOG https://blog.fortinet.com
CUSTOMER SERVICE & SUPPORT https://support.fortinet.com
FORTIGATE COOKBOOK http://cookbook.fortinet.com
FORTINET TRAINING SERVICES http://www.fortinet.com/training
FORTIGUARD CENTER http://www.fortiguard.com
END USER LICENSE AGREEMENT http://www.fortinet.com/doc/legal/EULA.pdf
FEEDBACK Email: techdocs@fortinet.com
April 29, 2015 FortiWAN 4.0.2 Handbook Revision 1...
Page 3
Product Benefits Key Concepts and Product Features Scope What's new Document enhancements How to set up your FortiWAN Registering your FortiWAN Planning the network topology WAN, LAN and DMZ WAN link and WAN port WAN types: Routing mode and Bridge mode...
Page 4
System Configurations Summary Optimum Route Detection Port Speed/Duplex Settings Backup Line Settings IP Grouping Service Grouping Busyhour Settings Diagnostic Tools Setting the system time & date Remote Assistance Administration Administrator and Monitor Password RADIUS Authentication Firmware Update Configuration File Maintenance Web UI Port License Control Load Balancing &...
Page 5
WAN Link Health Detection Dynamic IP WAN Link DHCP Lease Information RIP & OSPF Status Connection Limit Virtual Server Status FQDN Tunnel Status Tunnel Traffic View Log Control Log Notification Enable Reports Reports Create a Report Export and Email Device Status Bandwidth Session WAN Traffic...
FortiWAN’s 7 different Load Balancing algorithms provide the flexibility to maximize productivity from any network scenario. FortiWAN gives you high-performance inter-site connectivity without the need to lease expensive links such as T1 and T3. FortiWAN aggregates multiple low-cost Internet access links to create site-to-site Virtual Private Line (VPL) Tunnels for LAN-like performance between company locations.
Page 8
IP traffic to ensure a stable and dependable network. Even multiple link failures, while reducing available bandwidth, will not stop traffic. By using diverse media (fiber, copper, wireless) and multiple ISPs (Telco, Cableco, 4G), FortiWAN can deliver better than carrier-class “5-9’s” reliability.
Installation FortiWAN is an edge device that typically connects an internal local area network (LAN) with an external wide area network (WAN) or the Internet. The physical network ports on FortiWAN are divided into WAN ports, LAN ports and DMZ (Demilitarized Zone) ports, which are used to connect to the WAN or the Internet, subnets in LAN, and subnets in DMZ respectively.
] for further information. Planning the network topology to introduce FortiWAN to current network. It requires a clear picture of your WAN link types the ISP provides and how to use the available public IP addresses of a WAN link. The topic [...
Page 11
FortiWAN's diagnostic tools are helpful for troubleshooting when configuring the network; please refer to topic Diagnostic Tools. Functions After installing FortiWAN into your network, the next step is to configure the major features, load balancing and fail-over, on FortiWAN. Topic [Load Balancing & Fault Tolerance...
FortiWAN introduces new hardware platforms FortiWAN 1000B and FortiWAN 3000B, and new FortiWAN 4.0.1 firmware based on the AscenLink series of Link Load Balancing appliances already in the market. FortiWAN 4.0.1 is substantially similar to AscenLink V7.2.3 with the additions noted below.
Page 13
What's new Scope HA Port Change - FortiWAN supports one GE RJ45 HA Port. This port must be direct-cabled via Ethernet cable, to a second FWN unit HA port for HA operation. HA will not interoperate between AscenLink and FortiWAN and will not interoperate between different FortiWAN models.
Scope Document enhancements The following document content is enhanced or changed since FortiWAN 4.0.1: FortiWAN 4.0.2 Tunnel Routing A note about the restrictions on duplicate configurations of group tunnel was added in Multihoming Content was enhanced in sections "Prerequisites for Multihoming", "DNSSEC Support", "Enable Backup", "Configurations", "Relay Mode" and "External Subdomain Record".
How to set up your FortiWAN These topics describe the tasks you perform to initially introduce a FortiWAN appliance to your network. These topics contain the necessary information and instructions to plan network topology, use the Web UI and configure network interfaces on FortiWAN.
ISP such as IP addresses, default gateway, network mask or username/password (depending on the WAN link type you apply for with the ISP). A WAN port on FortiWAN is a physical network interface. With the deployment of VLAN on a WAN port (See "Configurations for VLAN and Port Mapping...
Page 17
A range of static IP addresses in a shared subnet For example, the ISP provides an ADSL link with an IP range 61.88.100.1~3 whose netmask is 255.255.255.0 and default gateway is 61.88.100.254. The result of subnet mask calculation shows there are 256 IP addresses in the subnet in total, but only 3 IP addresses are allocated to you.
FortiWAN defines a near WAN for a WAN link in different ways between routing mode and bridge mode. In routing mode, the default gateway of a subnet deployed in WAN or in WAN and DMZ is near to FortiWAN. Therefore, the area between the default gateway and FortiWAN is called near WAN. In other words, FortiWAN directly treats the subnet deployed on the WAN port as near WAN.
"). If you configure a bridge-mode WAN link that ISP provides on FortiWAN as Routing Mode and the bridge-mode WAN link might belong to a shared class C subnet, FortiWAN treats the whole class C network as near WAN, traffic goes to or comes from the class C network would be ignored for FortiWAN’s balancing, management and statistics functions.
Whether you obtain an available subnet (routing mode) or an IP range of a shared subnet from the ISP, you will need to plan how to deploy the multiple IP addresses. To deploy the available subnet that the ISP provides (routing mode) on FortiWAN, there are four different scenarios (also called subnet types) to choose from: Subnet in WAN Deploy the subnet in WAN.
When two FortiWAN units work together, they can be configured in HA (High Availability) double-device backup mode. This setup allows two FortiWAN units to serve as backup for each other. The master is the main functioning unit, while the slave is the backup unit in standby. A FortiWAN unit alone already has a built-in fault tolerance mechanism.
Page 22
Redundant LAN Port and/or redundant DMZ port: FortiWAN in HA mode As illustrated in the topology below, two FortiWAN units work in HA mode, with one active and the other in standby. Port1 and port2 act as redundant LAN ports for each other, putting the two units into hot backup mode. This mode offers a significant solution against single point failure in LAN/DMZ (See "Configurations for VLAN and Port...
Page 23
High Availability (HA) Scenarios Firmware Update Procedure in HA Deployment The firmware update procedure in HA deployment differs from the non-HA (single unit) procedure: 1. Log onto the master unit (unit A) as Administrator, go to [System]→[Summary] and double check that the peer device is under normal condition (See "Summary...
Administrator Web UI Overview Once you log in, you will see the operating menu on FortiWAN Web UI. A navigation menu is located on the left side of the web UI. The menu consists of six main functions: System, Service, Statistics, Log, Reports and Language.
The function is enabled. Using the web UI and the CLI Be aware that the position of LAN port may vary depending on models. FortiWAN-200B, for example, has five network interfaces, with its fourth interface as LAN port and fifth as DMZ port.
WebUI. Using the web UI FortiWAN's services (load balancing, fault tolerance and other optional services) are based on Policy and Filter. Policies (also called Classes) are specified items indicating different actions for a service. Policies are applied to different objects classified by the predefined filters.
Page 27
Matches sessions coming from or going to WAN. Matches sessions coming from or going to LAN. Matches sessions coming from or going to DMZ. Localhost Matches sessions coming from or going to FortiWAN. Any Address Matches all sessions regardless of its source or destination. FQDN Matches sessions coming from or going to FQDN.
Web UI Overview How to set up your FortiWAN H323 (1720) RADIUS (1812) RADIUS-ACCT (1813) pcAnywhere-D (5631) pcAnywhere-S (5632) X-Windows (6000-6063) ICMP TCP@ UDP@ Protocol# Console Mode Commands This section provides further details on the Console mode commands. Before logging onto serial console via HyperTerminal, please ensure the following settings are in place: Bits per second: 9600;...
Page 29
Control web server for Web User Interface httpctl [restart|showport|setport [PORT]] System will restart the web server running on FortiWAN for the Web UI, or display the port number occupied by the web server, or reset the specified port number to the web server.
Page 30
Not all network devices support full 100M speed. This command has no effect on fiber interface. The INDEX is the port number of the FortiWAN port interface; exact number varies according to product models. shownetwork: Show the current status of all the WAN links available shownetwork Display WAN Type, Bandwidth, IP(s) on Local/WAN/DMZ, Netmask, Gateway, and WAN/DMZ Port.
Page 31
Web UI Overview Type “sslcert set” [Enter] to set a new SSL certificate for working with FortiWAN WebUI. You have to manually input the SSL private key and its corresponding certificate in text after the command prompt “sslcert>” line by line. The content inputted for the private key and certificate must start with “-----BEGIN CERTIFICATE-----”...
[DNS Server] feature enables administrators to define the host name of the FortiWAN in the network, the IPv4/IPv6 address of domain name servers used by FortiWAN, and the suffix of the domain name. The following lists Web UI functions that may use the domain name servers here.
VLAN Switch are directly connected with WAN links, while port1.103 is connected with PCs in LAN and port1.104 is connected with PCs in DMZ. In this network, FortiWAN acts as a router. PCs in DMZ can be assigned with public IP addresses, with their packets transparently passing through FortiWAN to WAN.
Page 34
As illustrated in the topology below, FortiWAN port1 is mapped to WAN port. Port2 and port3 are configured as the redundant LAN ports which are connected to Switch1, port4 and port5 as the redundant DMZ ports which are connected to Switch2.
Configuring your WAN [WAN Settings] is the major part to deploy FortiWAN in various types of WAN links. If your network has several WAN links, you have to configure one after another. Select any link from [WAN link] and check [Enable] to start a configuration of the WAN connection (See "...
Select [Routing Mode] from [WAN Type], and configure parameters in [Basic Settings]. Note that localhosts of FortiWAN’s WAN and DMZ ports belong to the basic subnet in Routing Mode; therefore at least one basic subnet is required. For this reason, [Basic Setting] contains no fields for setting IP(s) on Localhost and Netmask, which are the fields in [Basic Subnet].
Page 37
IPv4 / IPv6 Static Routing Subnet Static routing subnets are the subnets connected indirectly to FortiWAN via a router or an L3 switch (See "Scenarios to deploy subnets"). According to the location a subnet is deployed to, Static Routing Subnet is divided into: Subnet in WAN: A static routing subnet deployed in WAN, connected to a basic subnet in WAN or basic subnet in WAN and DMZ.
Page 38
This topology is frequently found where cluster hosts on an IPv4 public subnet are deployed in WAN. As described in the topology, FortiWAN uses port2 as WAN port with IP address 203.69.118.10. Its netmask obtained from ISP is 255.255.255.248, and the router's IP address is 203.69.118.9. IP addresses that are unlisted in [IP(s) on localhost], 203.69.118.11 –...
Page 39
Configuring Network Interface (Network Setting) As described in the topology, since the cluster of hosts is deployed in DMZ, FortiWAN port5 has to be mapped to DMZ with IP address 140.112.8.9. Thus the hosts in the subnet take the default gateway as 140.112.8.9. In this case, IP addresses 203.69.118.9 –...
Page 40
[IP(s) in WAN]. When you select [Subnet in WAN and DMZ] from [Subnet Type], FortiWAN will assume the IP addresses that are unlisted in [IP(s) on Localhost] and [IP(s) in WAN] are all in DMZ.
Page 41
This topology is rarely seen in actual network where static routing subnet is located on the WAN. In other words, the subnet in WAN does not connect to FortiWAN directly, but needs a router instead to transfer packets. In this example, a subnet 139.3.1.8/29 is located on the WAN and connects to router 203.69.118.9, while another subnet...
Page 42
As described in the UI, FortiWAN transfers packets to the gateway 203.69.118.9 to deliver them to subnet 139.3.1.8/255.255.255.248. [Static Routing Subnet]: Subnet in DMZ This topology is similar to the one in the last example [Static Routing Subnet]: Subnet in WAN. The only difference is that the subnet is in DMZ this time.
How to set up your FortiWAN Configuring Network Interface (Network Setting) As described in the UI, FortiWAN transfers packets to the gateway 203.69.118.14 to deliver them to subnet 139.3.1.8/255.255.255.248 See also WAN link and WAN port VLAN and port mapping...
Page 44
Basic Setting WAN Port The physical port (network interface) on FortiWAN used to connect the WAN link. For the deployment of multiple WAN links on one WAN port, set this field with the same value for those WAN links. For example, select Port1 for configurations of WAN link1, WAN link2 and WAN link3 for deploying the three WAN links on WAN port1.
This topology can be seen where a group of valid IP addresses ranging 211.21.40.32~211.21.40.34 have been given by ISP and assigned to port1 on FortiWAN. And their default gateway is 211.21.40.254 given by ISP as well. If there are other hosts deployed on the WAN, then configure their IP addresses in [IP(s) in WAN]. And if there are hosts deployed on the DMZ, then configure their IP addresses in [IP(s) in DMZ].
Page 46
Basic Setting WAN Port: The physical port (network interface) on FortiWAN used to connect the WAN link. For the deployment of multiple WAN links on one WAN port, set this field with the same value for those WAN links. For example, select Port1 for configurations of WAN link1, WAN link2 and WAN link3 for deploying the three WAN links on WAN port1.
[IP Address] blank if you are assigned a dynamic IP address; otherwise, enter your static IP address. Select a FortiWAN WAN port to which PPPoE ADSL Modem is connected, e.g. port1. Check [Redial Enable] to enable redial. As some ISPs automatically reconnect to the network within a certain time interval, [Redial Enable] will avoid simultaneous redialing of WAN links, which properly staggers WAN redial time.
Inbound Load Balancing and Failover (Multihoming) Configurations for a WAN link in Bridge Mode: DHCP [Bridge Mode: DHCP Client] is used when FortiWAN WAN port gets a dynamic IP address from DHCP host. IPv6 is not supported in this WAN type.
Inbound Load Balancing and Failover (Multihoming) LAN Private Subnet [LAN Private Subnet] is the second most important part for deploying FortiWAN in your network. In contrast with configurations on WAN Settings to activate the WAN link transmission from FortiWAN to Internet (external network), LAN Private Subnet is the configuration for deploying the internal network on FortiWAN’s LAN ports.
Page 50
As illustrated, FortiWAN port3 has been mapped to LAN port via [System / Network Setting / VLAN and Port Mapping] (See "VLAN and Port Mapping"), and is assigned the private IP 192.168.34.254. Enter this IP address in the field [IP(s) on Localhost].
Page 51
Configuring Network Interface (Network Setting) FortiWAN supports the Routing Information Protocol (RIP v1, v2). RIP employs hop count as the metric, and uses timer broadcast to update the router. As RIP features configuration simplicity and operation convenience, it has been widely used across all fields.
Page 52
In addition, DHCP servers in LAN and DMZ should let clients use FortiWAN virtual IP and the default gateway (as FortiWAN's DHCP service does). If RIP and OSPF are used in LAN, FortiWAN uses real IP at OSPF and virtual IP at RIP to exchange route information.
This topology is frequently found where cluster hosts in the IPv4 private subnet are located on the WAN. In this example, FortiWAN port2 has been mapped to WAN port, with IP 192.168.3.1. Select [Subnet in WAN] from [Subnet Type] in [Basic Subnet]. Then enter 192.168.3.1 in [IP(s) on Localhost] and the netmask offered by ISP in [Netmask].
Page 54
This topology is frequently found where cluster hosts in IPv4 private subnet are located on the DMZ. In this example, FortiWAN port5 has been mapped to DMZ port, with private IP 192.168.4.254. And subnet 192.168.4.X is located on the DMZ as a whole. From UI, select [Subnet in DMZ] from [Subnet Type] in [Basic Subnet].
Page 55
This topology is found where IPv4 private static routing subnet is located on the WAN. In other words, the private subnet on the WAN does not connect to FortiWAN directly. Instead, it connects to a router which helps to transfer its packets.
Page 56
[Static Routing Subnet]: Subnet in DMZ In this topology, in DMZ you create an IPv4 private subnet using one router (its IP, say, 192.168.34.50). But the subnet (its IP 192.168.99.0/24) does not connect to FortiWAN directly. Configure the subnet on FortiWAN to process its packets.
Please refer to the ATU-R User manual provided by your ISP to connect the ATU-R to FortiWAN’s WAN #1. Connect LAN to FortiWAN’s LAN port via a switch or hub. In this example, FortiWAN’s Port2 is treated as LAN port. Please map FortiWAN’s LAN port to the Port2 in [System] →...
Page 58
Assume an SMTP server with IP 192.168.1.1 provides SMTP services to the outside via the virtual server. FortiWAN will perform NAT on this machine so that the outside clients can get SMTP services via FortiWAN’s public IP on WAN1. The settings for this are in [Service] → [Virtual Server].
Page 59
DMZ port is on port #2. ISP supplies the router. Hardware Configuration: Connect the router with FortiWAN in WAN1 by referring to router's user manual. Note: FortiWAN is viewed as a normal PC when connected to other network equipment. Configuration Steps: 1.
Page 60
“IP(s) in WAN”. WAN Type: Routing Mode Example 2 This example shows the scenario where there is a private subnet between the WAN router and FortiWAN. In addition, the public IP subnet inside the FortiWAN DMZ port requires a router.
Page 61
WAN Type: Routing Mode Example 3 In this example, both WAN links have their own routers and FortiWAN is connected to these routers using private IP addresses, as illustrated below. In addition, FortiWAN Port 3 has been assigned another private IP connecting to the LAN Core Switch (L3 switch), therefore there is a public IP subnet connected behind the Core Switch inside the LAN.
Page 62
Configuring Network Interface (Network Setting) How to set up your FortiWAN Configuration Steps: 1. Go to FortiWAN Web UI: [System] → [Network Settings] → [WAN Settings] management page. 2. Select [1] in the WAN Link menu. 3. Click Enable to activate the WAN link.
Page 63
Configuring Network Interface (Network Setting) The example above illustrates a common FortiWAN deployment scenario where a private IP subnet is placed inside a WAN and DMZ, and a public IP subnet is connected to FortiWAN DMZ via a Core Switch.
FortiWAN in HA (High Availability) Mode HA mode becomes active. As is mentioned in " ", HA (High Availability) is hot backup. In HA mode, one FortiWAN is the primary system while the other is the backup system. System Information / Peer Information System Information Version The firmware version of the device.
State The "State" is always “Slave”. Note1: Connections may exceed 100 when FortiWAN is started, but will return to normal in a while. This happens because FortiWAN sends out ICMP packets to test the network. Note2: Once HA becomes active, settings of master unit will be synchronized to slave unit automatically.
Page 66
(Default: 3 retries). Cache Aging Period, in Minutes The period of time to keep a cache of optimum route. After this period, system will redetect optimum route based on specific needs. (Default: 2880 mins, i.e. 2 days). FortiWAN Handbook Fortinet Technologies Inc.
Click to enable HA (switch between master and slave units) based on the status of network ports. While HA is enabled in FortiWAN, the port status of both master and slave FortiWAN units will be compared to determine which unit should be selected as master.
Detail has been clicked, the table only shows the name of the IP group and whether it has been enabled. After you have clicked [Show IPv4/IPv6 Detail], [IPv4/IPv6 Rules Settings] table displays. You can click [Hide IPv4/IPv6 Details] to close the table.
Here is an example to elaborate on how to configure [Service Grouping]. Create a service group "MSN File Transfer", which uses TCP 6891-6900. Then enter TCP@6891-6900 in the [Service] field.
Enforcement [ARP Enforcement] forces FortiWAN's attached PCs and other devices to update their ARP tables. Click [Enforce] and the system will send out ARP packets to force ARP updates throughout the attached devices. Generally the function is used only when certain devices in DMZ cannot access the Internet after FortiWAN has been installed initially.
Page 71
Clean IPv4 Session Table (Only Non-TCP Sessions) The function is used to clean up non-TCP session tables in FortiWAN. In FortiWAN, protocols are managed with a session timer. Old sessions may be continuously retried by users so that they never expire. These old sessions then remain valid and active instead of new ones.
Page 72
Clean IPv6 Session Table (Only Non-TCP Sessions) The function is used to clean up non-TCP session tables in FortiWAN. In FortiWAN, protocols are managed with a session timer. Old sessions may be continuously retried by users so that they never expire. These old sessions then remain valid and active instead of new ones.
24-hour time system in the hour:minute:second format. [Time Zone] is represented by continent and city, [America] and [New York], for example. FortiWAN uses NTP time server for accurate time synchronization, simply by clicking the [Synchronize Time] button. And other time servers are also included in the drop-down list which can be added or deleted at your preference.
Every FortiWAN is shipped with the same default passwords. For security reasons, it is strongly recommended that the passwords be changed. By default, FortiWAN uses 443 as the Web UI login port. It allows administrators to change the port, to avoid possible port conflicts with virtual server services.
(.cfg) as readable content. Click [Restore] to recover whole system with the backed up configurations. The configuration file here is in binary format and should NOT be edited outside of FortiWAN tools and systems. The configuration file here contains all the configurations of FortiWAN’s functions. You can have individual configuration file of every single function via the export function in every function page.
Page 76
Incompatible versions and/or systems. Note: FortiWAN does not guarantee full compatibility of configuration files for different models. After the firmware upgrade, it is encouraged to backup the configuration file. Configuration file backup and restore are available in the following function page:...
Type the port number in [New Port] and then click [Setport]. Enter the new port number when you log in again into Web UI. Additionally, the new port shall avoid conflict with FortiWAN reserved ports when configuring the port. Otherwise, FortiWAN will display error message of port settings failure and resume to the correct port number that was configured last time.
Note: Conditional bandwidth upgrade is provided for old models. Please contact customer support to gain further information. Firmware Upgrade License: A license key is necessary to upgrade FortiWAN system. You could ask your distributor for firmware upgrade license keys.
Load Balancing Algorithms FortiWAN offers seven types of auto routing algorithms for administrators to select the best policy to match their environment. Auto Routing distributes traffic among multiple WAN links on a per-session basis. All the packets of a session are routed to the WAN link that the session is distributed to.
When one of the WAN links fails, the administrator has to change the router configuration to bypass the failed link. The obvious drawback to this approach is the unnecessary workload for administrators. Whenever WAN link
Page 82
FortiWAN has an internal “Virtual Trunk” circuit, which is essentially a combination of the multiple WAN links. Auto routing is capable of adjusting the “Virtual Trunk” to include only the WAN links that are functioning normally and to direct outbound traffic through the “Virtual Trunk circuit”...
Page 83
WAN link when it fails, but all subsequent sessions will be automatically routed to other working links. FortiWAN provides mechanisms to record, notify and analyze events related to the Auto Routing service, see " ", "...
Page 84
Check to enable logging. Whenever the rule is matched, system will record the event to log file. Configuration File Configuration file can be imported or exported and stored as “.txt” file. Note: Only the Administrator has the privilege to perform this function.
Page 85
Check both WAN #1 and WAN Note: Labeling the policies alone does not mean the policy has been set up. Configuring WAN link bandwidth must be done under [System] -> [Network Settings]. Defining filters for the following:
Page 86
6. Route connections through WAN#1 and WAN#2 depending on the bandwidth left in the downstream traffic of each WAN link. 7. Route connections through WAN#2 and WAN#3 depending on the bandwidth left in the total traffic of each WAN link.
Page 87
9. The connections from an arbitrary host to any host on the Internet will be routed by the policy "by Downstream". See also WAN Link Health Detection Configuring your WAN Load Balancing & Fault Tolerance Busyhour Settings Using the web UI
IN A 192.136.1.243 All DNS requests to www.example.com will be sent to FortiWAN. Multihoming will constantly measure the health conditions as well as the state of each WAN link and compute the optimal return answer to the DNS queries, defined as the SwiftDNS technology.
Page 89
Before the update time is up (i.e. TTL is expired), DNS requests may be answered with incorrect information. FortiWAN employs SwiftDNS for multihoming based on the health state of the link and a traffic redirecting algorithm. SwiftDNS dynamically answers DNS requests to prevent broken or congested links. In order to solve the TTL issue stated above, SwiftDNS maintains a very short TTL and actively sends out updates to internal DNS in case of link status changes.
Page 90
2048 bits. Note that Multihoming’s DNSSEC is not supported for Relay Mode. Remember that you have to configure DS records with your domain registrar after you complete configurations for DNSSEC. Please contact your domain registrar for further details about managing DS records.
Page 91
WAN links and registered domain names for publicly accessible servers. Note that a DNS request from a client is delivered to FortiWAN via a fixed WAN link, whose IP address is registered with the parent domain. It would be better to have multiple IP addresses registered to avoid single WAN link failure.
Page 92
Multihoming". Multihoming supports a Backup mechanism. To enable this function, check “Enable Backup” and enter the IP addresses of the backup server. FortiWAN provides mechanisms to record, notify and analyze events related to the Multihoming service, see " ", Statistics: Traffic...
Page 93
Click the [+] button to generate DNSSEC private key used to sign the domain. This private key information will be listed. DNSKEY record and RRSIG record set for this domain are generated while applying the domain configuration. (For multiple keys, use the [+] key)
Page 94
A Record Host Name Enter the prefix name of the primary workstation. For example: if the name is "www.abc.com", enter “www”. When Options: All-Time/Busy/Idle Source Enter the IPv4 address that the DNS query comes from.
Page 95
"www.abc.com", enter “abc.com" as the prefix. TTL (Time To Live) specifies the amount of time that DName Record is allowed to be cached. SRV Record Specify the symbolic name prepended with an underscore, for example, _http, _ftp Service or _imap. FortiWAN Handbook Fortinet Technologies Inc.
Page 96
IP 10.16.130.2/24 are effective, while emails sent from other IPs are assumed to be spam. External Subdomain Record (available only in non-relay mode) Subdomain Name Enter the name of an external subdomain. To add an additional subdomain, press
Page 97
Please make sure the external name servers of the sub-domains are active for DNS queries. Relay Mode When Relay is enabled, FortiWAN will relay the DNS requests it receives to specified name servers, and reprocess the answer with the appropriate IP address according to the AAAA/A record policies. The necessary configurations for Multihoming in Relay Mode are AAAA/A Record Policy and Domain Settings.
Page 98
Enter the IPv6 address that the DNS query comes from. To Policy Select the defined AAAA Record Policy to be used for the domain setting. TTL (Time To Live) specifies the amount of time A Record is allowed to cache the record.
Page 99
Multihoming settings in the example A Record Policy Settings Policy Name Algorithm Policy Advance Setting WAN Link IPv4 Address By Upstream 211.21.33.186 61.64.195.150 Domain Settings Domain Name Responsible Mail Primary IPv4 Name Address Server Domainname.com Abc.domainname.com 192.168.0.10
Page 100
Note: DNS server IP can be public IP and private IP. Example 2 Configure virtual server before setting multihoming. Its configuration looks like below in this example.
WAN IP          Server IP       Service
211.21.33.186   192.168.0.200   SMTP (25)
61.64.195.150   192.168.0.200   SMTP (25)
Multihoming settings in the example
Page 101
Priority Mail Server mail mail Host Name v=spf1 ip4:211.21.33.186 ip4:61.64.195.150 ~all Note: 1. Refer to [System]->[Networking Settings]->[WAN Settings] and assign public IPs to WAN ports. 2. The example has configured multihoming for virtual server “mail.domainname.com”.
(Original Packet) with Delivery Header and GRE Encapsulation Header. Then the packet is routed to the destination IP address. The feature of FortiWAN’s Tunnel Routing is that with proper policy setting it can do the routing between a single point and multiple points as well as between multiple points and multiple points. When packet arrives at the...
Page 103
Tunnel Group A tunnel between two FortiWAN units is the connection of one of the WAN links on the local FortiWAN unit and one of the WAN links on the remote FortiWAN unit. A tunnel group can contain multiple tunnels which might be various combinations of WAN links between the two FortiWAN units.
Page 104
Configure local IP address for tunnels in the tunnel group. The local IP addresses here are the localhost IP defined on the WAN links of local FortiWAN. According to the WAN type defined on WAN links, here are several types of Local IP for options.
Page 105
TCP/UDP packet. To specify a range of port numbers, type starting port number plus hyphen "-" and then end port number. e.g. "TCP@123-234" (See " Using the web UI "). Group The group permitted to use the tunnel.
Page 106
In testing, set one FortiWAN as server end and the other servers as client end by default. Simply click “Start Test Server” on one device to set it as server end. Testing over tunnel groups is conducted on client end. Click the button to start or stop test.
Page 107
A company’s headquarter and two branch offices are located in different cities. Each office has a LAN, multiple WAN links and a DMZ with VPN gateway: Headquarter Branch 1 Branch 2 WAN1 1.1.1.1 2.2.2.2 6.6.6.6
Page 108
Routing Rules Source Destination Service Group Fail-Over 192.168.1.1-192.168.1.10 192.168.2.1-192.168.2.10 HQ-Branch1 HQ-Branch1 Backup 192.168.1.1-192.168.1.10 192.168.3.1-192.168.3.10 HQ-Branch2 HQ-Branch2 Backup 1.1.1.11 2.2.2.22 HQ-Branch1 1.1.1.11 6.6.6.66 HQ-Branch2 No-Action The settings for the branch1 Set the Local Host ID as B1
Page 109
Tunnels Local IP Remote IP Weight Branch2-HQ Round-Robin 6.6.6.6 1.1.1.1 6.6.6.6 3.3.3.3 8.8.8.8 1.1.1.1 8.8.8.8 3.3.3.3 10.10.10.10 Dynamic IP Routing Rules Source Destination Service Group Fail-Over 192.168.3.1-192.168.3.10 192.168.1.1-192.168.1.10 Branch2-HQ No-Action 6.6.6.66 1.1.1.11 Branch2-HQ
Page 110
NOTE: When using tunnel routing in FortiWAN, the settings must correspond to each other or else tunnel routing will not perform its function. For example, if FortiWAN in Taipei has removed the values 2.2.2.2 to 3.3.3.3 in their routing rule settings, then the FortiWAN in Taichung will not be operational.
Inbound traffic does not have to know where the real servers are, or whether there are just one or many servers. This method prevents direct access by users and therefore increases security and flexibility.
Page 112
It maps WAN IP address and a service (port or ports) to an internal server IP. The order of virtual server rules is like any other rule tables in FortiWAN as it also uses the “first match scheme”, viz. the first rule of request matched is the rule to take effect.
Page 113
The real IP (IPv6) of the server, most likely in LAN or DMZ. Check to enable logging: Whenever the rule is matched, system will record the event to log file. Example 1 The settings for virtual servers look like:
Page 114
Forward all requests from 211.21.48.197 to 192.168.0.15 in LAN. Note: 1. FortiWAN can auto-detect both active and passive FTP servers. 2. All public IPs must be assigned to WAN 1. To configure these IPs, go to "IP(s) on Localhost of the Basic Subnet"...
Page 116
Enable external users to access WAN IP 211.21.48.194, and forward packets of TCP/UDP range 2000-3000 to host 192.168.0.15. Note: Port range redirecting is supported as well. Virtual server table for the settings above: WAN IP Service Server Pool Server IP Detect Service Weight 211.21.48.194 TCP@1999 192.168.0.100 ICMP TCP@1999 192.168.0.101 TCP@1999 TCP@1999
(defined in "Detection timeout in milliseconds"), otherwise this detection is considered failed (FortiWAN will not judge whether a WAN link is down by just one detection failure). Whether or not a single detection succeeds, FortiWAN continues the detection after seconds (defined in "Detection Period in Second").
Page 118
IP address of a host that has been picked out randomly from the list. The TTL (Time to Live) of the ping packet is determined by Hops and generally defined as "3". FortiWAN takes the TTL expired message as a legal response for an ICMP detection, even if the detection packet is not delivered to the destination.
Optional Services Firewall Optional Services As an edge device, FortiWAN provides other functions besides its main traffic load balancing and fault tolerance. These optional functions help to manage the network in other ways. Firewall This section introduces how to set up the firewall. An unlimited number of rules can be added to the firewall rule list. The rules are prioritized from top to bottom, that is, rules at the top of the table are given higher precedence over lower ranked ones.
Page 120
All other packets are blocked. The rules table for the example will look like this: Source Destination Service Action 211.21.48.195 FTP (21) Accept Deny HTTP (80) Accept SMTP (25) Accept FTP (21) Accept POP3 (110) Accept Deny
Page 121
The hosts 192.168.0.100 – 192.168.0.150 in the LAN can access the Internet (WAN) but the others cannot. Users from the Internet (WAN) cannot connect to the port 443 on FortiWAN (i.e. Web Administration on FortiWAN). Note: “Localhost” represents the address of FortiWAN host machine.
Page 122
Reports: Firewall FortiWAN is an edge server that is usually placed on the boundary between WAN and LAN. When a connection is established from a private IP address (in LAN or DMZ) to the internet (WAN), it is necessary to translate the private IP address into one of the public IP addresses assigned to FortiWAN.
Page 123
Mode: DHCP) is applied. Check to enable logging. Whenever the rule is matched, the system will record the event to the log file. IPv6 NAT Rules Customized rules for IPv6-to-IPv6 NAT. Enable NAT rule or not.
Page 124
172.31.5.51 Disable NAT Disable NAT sets FortiWAN to Non-NAT mode whereby all the WAN hosts can access DMZ hosts directly with proper routing setup. In this mode, FortiWAN acts as a router connecting multiple subnets. Note: Once NAT is disabled, it is disabled on all the WAN Links.
Non-NAT is commonly used on private networks and MPLS networks, where it makes it possible for the hosts of the branch office to directly access the headquarters. In case ISP 1 is down, FortiWAN will automatically route the link to ISP 2, and, accordingly, serve as VPN load balancer based on the status of each link.
Page 126
The persistent routing policies to be established accordingly: In LAN, established connections from IP address 192.168.0.100 to 192.168.10.100 are NOT to be routed persistently. Established connections from DMZ to LAN are NOT to be routed persistently.
Page 127
Connections from IP address 211.21.48.196 in DMZ to the WAN subnet 10.10.1.0/24 in WAN do NOT use persistent routing. Since the default action by IP Pair Rules is Do PR, if no rule is added, all connections will use persistent routing. Then persistent routing table will look like:
FortiWAN Bandwidth Management (BM) defines inbound and outbound bandwidth based on traffic direction, i.e. take FortiWAN as the center, traffic flows from WAN to LAN is inbound traffic, otherwise, it is outbound traffic. The section will mainly explain how to guarantee bandwidth based on priority settings, and how to manage inbound and outbound traffic by configuring busy/idle hours, data source/destination, and service type, etc.
Page 129
“TCP@123-234” (See " "). Classes The bandwidth class to be imposed. Defined in the bandwidth class table mentioned earlier. Check to enable logging: Whenever the rule is matched, system will record the event to log file.
Page 130
211.21.48.198 in DMZ is 500K on WAN1, 300K on WAN2 and WAN3. The guaranteed bandwidth is 200K on WAN1, WAN2 and WAN3. The bandwidth is prioritized as "Low" during both busy and idle periods.
Page 131
During the busy period, the maximum bandwidth limited for hosts in LAN zone to download data from FTP server 192.192.10.10 is 128K on WAN1, 128K on WAN2, and 64K on WAN3. During the idle period, the maximum bandwidth
Page 132
Normal Normal WAN3 Normal Normal WAN1 Normal Normal 192.168.0.10-50 WAN2 WAN3 WAN1 High High 192.168.100.0/24 WAN2 High High WAN3 High High Filter Settings Source Destination Service Classes 192.192.10.10 SMTP(25) For LAN Zone 192.168.0.10-192.168.0.50 HTTP(80) 192.168.0.10-50
Page 133
211.21.48.198 in DMZ is 256K on WAN1 and WAN2, and 512K on WAN3. The guaranteed bandwidth is zero on WAN1, WAN2 and WAN3, and the bandwidth is prioritized as "Low" during both busy and idle periods.
Page 134
WAN. The other scenario is a remote user in WAN downloads data from a FTP server in the LAN. Both of these scenarios are sending data from LAN to WAN. Thus configuring BM rules for these two scenarios on the inbound BM page is necessary.
IP address every second. The source of connection can be from any of the following options: IP address, IP Range, Subnet, WAN, LAN, DMZ, Localhost, and any specific IP address. FortiWAN provides mechanisms to record, notify and analyze events related to the Connection Limit service, see "...
Cache Redirect FortiWAN is capable of working with external cache servers. When a user requests a page from a web server on the internet, FortiWAN will redirect the request to the cache server. If the requested web page is already on the cache server, it will return the page to the user, thus saving time on data retrieval.
Page 137
Example 1 The Requested Web Page is NOT on the Cache Server When FortiWAN receives a request from a client, the request will be redirected to the cache server. The cache server will determine if the data requested already exists or not. If not, then the request will be performed on behalf of the client with the data returned from the web server to the client.
Optional Services When FortiWAN receives a request from a client, the request will be redirected to the cache server. In this case, the data requested already exists on the cache server. Therefore it will return the data requested to the client without passing the actual request to the internet.
Page 139
"www.abc.com", (domain name), enter “www1” in this field. Target Enter the real domain name. For example, if "www1.abc.com" is the alias of "www.- abc.com", enter “www”. SRV Record Service Specify the symbolic name prepended with an underscore. (e.g. _http, _ftp or _imap) FortiWAN Handbook Fortinet Technologies Inc.
IPv6 address - Enter the corresponding IPv6 address of the domain name. DNS Proxy FortiWAN’s DNS Proxy redirects a DNS request sent from LAN or DMZ to the external DNS servers with better response time. There are two phases included in the DNS Proxy, auto routing among multiple WAN links and redirecting a DNS request to the DNS servers specified on the WAN link.
DNS requests for the specified domain name will be matched. SNMP SNMP (Simple Network Management Protocol) is often used in managing TCP/IP networks by providing statistical data regarding network performance and security. SNMP v1 to v3 protocols are supported in FortiWAN. SNMP v1/2 Community Enter the community which the SNMP belongs to.
Users can specify the IP-MAC table by classifying periods like peak hours and idle hours. Once the IP-MAC table is set up, a packet from a certain IP address can pass through FortiWAN only when its MAC address matches the table list and time period.
Traffic Statistics This topic deals with FortiWAN network surveillance system. Comprehensive statistics are collected to monitor networking status, bandwidth usage of traffic class, and dynamic IP WAN link. These data offer deep insight into the network, and help detect unexpected network failures, boosting network reliability and efficiency.
Count Number of connections that the current persistent routing rule applies to. Timeout Length of time to lapse before the current connection times out. The WAN link through which the current persistent routing connection travels.
IP allocated to current WAN link. Gateway Gateway’s IP address for current WAN link. Netmask Sub network mask. Dynamic DNS Server IP. Connected Time Duration of WAN connectivity. Reconnect Reconnect a WAN link via PPPoE or DHCP.
Automatic Refresh Select auto-refresh interval, or disable the function. Network IP Shows the Network IP of the private subnet. Netmask Shows the Netmask of the private subnet. Gateway Shows the Gateway of the private subnet.
Detect Displays detection method, TCP or ICMP. Status Displays detection result. FQDN The IPv4 and IPv6 addresses of the FQDNs that connected via FortiWAN are shown in this page. IPv4 FQDN FQDN The FQDN connected via FortiWAN.
Tunnel Status Statistics IPv4 Address IPv4 addresses of the FQDN connected via FortiWAN. It maintains 20 addresses at most. IPv6 FQDN FQDN The FQDN connected via FortiWAN. IPv6 Address IPv6 addresses of the FQDN connected via FortiWAN. It maintains 20 addresses at most.
Traffic flow direction. Time Collect statistics in the past 60 minutes, 24 hours, and 30 days. Tunnel Routing Group Select a group from the list. Depending on N tunnels the group gets, N statistical charts will show.
View This topic deals with how to configure logging and how to forward logs. Log records keep FortiWAN data and are capable of storing a wide variety of data concerning System, Firewall, Routing, and bandwidth management, etc. Log Log Control files can be forwarded to other servers for archiving or for notifying events via emails (see "...
Log Control Control sets to forward data from FortiWAN to servers via FTP, E-mail and Syslog (protocol) for archiving and analysis. Configure log push method one log type by another, or use “Copy Settings to All Other Log Types”. It copies and applies settings of one log type to others avoiding unnecessary duplicating of settings.
Assign a facility to the logging message to specify the program type. Note: If the Server is applied with a FQDN, then the DNS Server must be set in the Web UI [System]->[Network Settings]->[DNS Server] (See "Set DNS server for FortiWAN...
Click to uncheck all the event types Enable Reports It controls the way FortiWAN log communicates with Reports server. The original log file FortiWAN produces contains raw data which is yet to be processed, and Reports can organize and analyze these data into readable statistics.
Page 154
Enable Reports Events Select the log type for FortiWAN to send to Reports. Firewall Virtual Server Bandwidth Usage Connection Limit Multihoming Tunnel Routing
MIS personnel can perform offline and more detailed analysis of the data to gain insight into user traffic patterns for better network design and management policy definition. However, FortiWAN generates large volumes of raw activity logs during the process of monitoring its functions. For long-term or trend analysis, Reports is an online companion tool that greatly simplifies the analysis of the data.
Put a Start date and End date by clicking the input field and selecting from the calendar. Input the Start time and End time in the format of HH:MM. Note that the duration cannot exceed 90 days. Click Apply to complete date range selection and start generating reports.
Export and Email All reports generated by FortiWAN can be sent to users via email. Reports saved in PDF or CSV format can be sent out as email attachments. Click the Email button on the right upper corner of any report page to edit settings of the report email. In the settings dialog, you may send current report through email immediately.
Page 158
Outbound bps: Traffic originating from inside of FortiWAN, going to the external port. The CPU report shows the distribution of CPU usage of FortiWAN by the date range defined. CPU usage is a measure of how much traffic is being managed or how many services the FortiWAN is required to perform on that traffic. Sustained usage near 80% is a good indicator that a larger FortiWAN model is required to handle the required traffic and services load.
(among other things as noted above). This report will help you determine if you are using the correct FortiWAN model for the number of connections in use by your users.
FortiWAN supports various numbers of WAN links, for example, FortiWAN 700 supports 25 WAN links, FortiWAN 5000 and FortiWAN 6000 support 50 WAN links. The WAN Status report shows the statuses on every FortiWAN’s WAN link. The various statuses are defined as below.
"). Statistics Table Group: Tunnel Group configured on FortiWAN; the failed TR link belongs to. Select “Group” as primary sorting via clicking on the column title “Group”. Local IP: Local IP address of the failed TR link in the Tunnel Group. Select “Local IP” as primary sorting via clicking on the column title “Local IP”.
Report: Internal IP Report: Traffic Rate Inclass This report shows the statistics of each inbound class as defined in FortiWAN’s Bandwidth Management function (See Bandwidth Management " "). Each class is a classification (by service, by IP address and etc.) of incoming traffic passed through FortiWAN.
In Class. Traffic Rate: bandwidth distribution generated by this In Class by the date range defined. Outclass This report shows the statistics of each outbound class as defined in FortiWAN’s Bandwidth Management function (See " Bandwidth Management ").
Page 164
Export reports and send reports through email (See " "). Pie Chart: Pie chart of traffic statistics is generated based on WAN links defined on FortiWAN. Bar Chart: Bar chart statistics show the actual data volume used by the top 10 WAN links.
Traffic Rate: bandwidth distribution generated by this WAN link by the date range defined. Services This report shows the statistics of traffic passed through FortiWAN by various services. Create a Report Create a report for a specific day or over a range of dates (See "...
Traffic Rate: bandwidth distribution generated by this Service by the date range defined. Internal IP This report shows the statistics of traffic passed through FortiWAN by Internal IP addresses. Create a report for a specific day or over a range of dates (See "...
Traffic Rate: bandwidth distribution generated by this Internal IP address by the date range defined. Traffic Rate This report shows the statistics of traffic passed through FortiWAN by Traffic Rate. Create a Report Create a report for a specific day or over a range of dates (See "...
Function Status This report category is the function to monitor the status of FortiWAN’s major functions for a long period. Long term statistics of function status is helpful to administrators. This category can further be divided into Connection Limit, Firewall, Virtual Server and Multihoming.
FortiWAN’s Multihoming function performs load balancing and fault tolerance between WAN links for inbound traffic. Users from the public network are told dynamically by FortiWAN the best available WAN link to access in order to reach specific resources on the internal network (See "...
Reports allows traffic to be queried based on combination of multiple conditions. For example, select Service as the query subject from the menu in the category area, and the Service report will be displayed accordingly, as shown below:
Page 171
Advanced Functions of Reports The HTTPS(TCP@443) service can be further drilled in to query which WAN links of FortiWAN are utilizing this service by clicking the Drill In magnifier icon in the row of HTTPS(TCP@443) listed in the table and selecting WAN (query result is...
Page 172
(External IP) to a different one (such as traffic rate of bandwidth usage) using the same filter: WAN=2, Internal IP=125.227.251.80 and Service=HTTPS(TCP@443), by selecting Traffic Rate from the drop-down menu of External IP (as shown below):
Page 173
Reports Advanced Functions of Reports The report presented by Traffic Rate using the same filter: Internal Group=Marketing, Internal IP=10.12.98.98 and Service=HTTP(TCP@80) is illustrated as follows.
Custom Filter allows users to apply their own filters based on particular requirements for query on bandwidth usage reports. Click Filter above every Bandwidth Usage report to see an extended block for further settings.
Page 175
Service = HTTPS(TCP@443). The query result of traffic statistics that are associated with the Service HTTPS (TCP@443) and passed through FortiWAN via WAN2 will then be displayed by Services accordingly. As illustrated below, the block marked in blue indicates the query subject of current report:
Page 176
Continuing the example described above, apply the custom filter: HTTPS(TCP@443) and WAN2 in the Traffic Rate report, and the corresponding query result will show the traffic statistics of service HTTPS(TCP@443) and WAN2 by traffic rate as follows (the block marked in blue indicates the query subject of current report):
Please refer to section of Customer Filters in Account Settings for more information. Export All reports generated by Reports can be exported as PDF or CSV format. By clicking Export button on the upper side of any report page, PDF and CSV are displayed for options.
Page 178
Click to send the report email immediately. Email Server: Click the Schedule tab to edit more settings. SMTP Server Enter the SMTP server used to transfer emails. Port Enter the port number of the SMTP server.
Page 179
Click to allow SMTP server to transfer emails through SSL. Account Enter the user name for SMTP server authentication. Password Enter the password for SMTP server authentication. Mail From Fill in the sender’s name of emails.
Page 180
5678 The Web UI login port will be restored to the default port 443. FortiWAN also supports SSH logins. The interface for SSH login is the same as the console with identical username and password. WAN Link Health Detection Default Values System default values contain 13 fixed servers IPs for health detection.
Page 181
Service Category Default Values Firewall: default security rules apply Persistent Routing: Enabled Auto Routing: By Downstream Traffic as default Virtual Server: Disabled Bandwidth Management: Disabled Cache Redirection: Disabled Multihoming: Disabled All fields in the Log/Control Category are cleared
Page 182
Fortinet. For absolute clarity, any such warranty will be limited to performance in the same ideal conditions as in Fortinet’s internal lab tests.