FORTINET DOCUMENT LIBRARY http://docs.fortinet.com
FORTINET VIDEO GUIDE http://video.fortinet.com
FORTINET BLOG https://blog.fortinet.com
CUSTOMER SERVICE & SUPPORT https://support.fortinet.com
FORTIGATE COOKBOOK http://cookbook.fortinet.com
FORTINET TRAINING SERVICES http://www.fortinet.com/training
FORTIGUARD CENTER http://www.fortiguard.com
END USER LICENSE AGREEMENT http://www.fortinet.com/doc/legal/EULA.pdf
FEEDBACK Email: techdocs@fortinet.com
March 2, 2016
FortiWAN 4.2.1 Handbook
Revision 1
38-421-356230-20160302...
Introduction Product Benefits Key Concepts and Product Features Scope What's new Document enhancements How to set up your FortiWAN Registering your FortiWAN Planning the network topology WAN, LAN and DMZ Default port mappings WAN link and WAN port WAN types: Routing mode and Bridge mode...
How to set up routing rules for Tunnel Routing Tunnel Routing - Benchmark Scenarios Virtual Server & Server Load Balancing WAN Link Health Detection IPSec IPSec VPN Concepts IPSec VPN overview IPSec key exchange How IPSec VPN Works IPSec set up About FortiWAN IPSec VPN...
Limitation in the IPSec deployment Planning your VPN IPSec VPN in the Web UI Define routing policies for an IPSec VPN Establish IPSec VPN with FortiGate Optional Services Firewall Persistent Routing Bandwidth Management Inbound BM and Outbound BM Managing Bandwidth for Tunnel Routing and IPsec Scenarios Connection Limit Cache Redirect...
Create a Report Export and Email Device Status Dashboard Bandwidth Session WAN Traffic WAN Reliability WAN Status TR Reliability TR Status Bandwidth Usage Inclass Outclass Services Internal IP Traffic Rate Function Status Connection Limit Firewall Virtual Server Multihoming Advanced Functions of Reports Drill In Custom Filter Export...
FortiWAN’s 7 different Load Balancing algorithms provide the flexibility to maximize productivity from any network scenario. FortiWAN gives you high-performance inter-site connectivity without the need to lease expensive links such as T1 and T3. FortiWAN aggregates multiple low-cost Internet access links to create site-to-site Virtual Private Line (VPL) Tunnels for LAN-like performance between company locations.
IP traffic to ensure a stable and dependable network. Even multiple link failures, while reducing available bandwidth, will not stop traffic. By using diverse media (fiber, copper, wireless) and multiple ISPs (Telco, Cableco, 4G), FortiWAN can deliver better than carrier-class “5-9’s” reliability.
Installation FortiWAN is an edge device that typically connects an internal local area network (LAN) with an external wide area network (WAN) or the Internet. The physical network ports on FortiWAN are divided into WAN ports, LAN ports and DMZ (Demilitarized Zone) ports, which are used to connect to the WAN or the Internet, subnets in LAN, and subnets in DMZ respectively.
] for further information. Planning the network topology to introduce FortiWAN into the current network requires a clear picture of the WAN link types the ISP provides and of how to use the available public IP addresses of a WAN link. The topic [...
FortiWAN's diagnostic tools are helpful for troubleshooting when configuring the network; please refer to the topic Diagnostic Tools. Functions: After installing FortiWAN into your network, the next step is to configure the major features, load balancing and failover (Load Balancing & Fault Tolerance), on FortiWAN. Topic [...
See " ". Basic subnet - Supports DHCP Relay on every LAN port and DMZ port. FortiWAN forwards the DHCP requests and responses between a LAN or DMZ subnet and the specified DHCP server (standalone), so that centralized DHCP management can be implemented.
FortiWAN 1000B - The basic bandwidth is upgraded to 1 Gbps from 500Mbps. With a bandwidth license, system supports advanced bandwidth up to 2 Gbps. FortiWAN 3000B - The basic bandwidth is upgraded to 3 Gbps from 1 Gbps. With a bandwidth license, system supports advanced bandwidth up to 6 Gbps and 9 Gbps.
Web UI and CLI. See " Administration ". All accounts that belong to the Administrator group are allowed to log in to FortiWAN over SSH. FortiWAN Handbook Fortinet Technologies Inc.
FortiWAN 4.0.4 Bug fixes only. Please refer to FortiWAN 4.0.4 Release Notes. FortiWAN 4.0.3 FortiWAN 4.0.3 is the initial release for FortiWAN 3000B. For bug fixes, please refer to FortiWAN 4.0.3 Release Notes. FortiWAN 4.0.2 Bug fixes only. Please refer to FortiWAN 4.0.2 Release Notes.
AscenLink series of Link Load Balancing appliances already in the market. FortiWAN 4.0.0 is substantially similar to AscenLink V7.2.2 with the additions noted below. To assess the impact of deploying FortiWAN 4.0.0 on your network and processes, review the following new and enhanced features.
Document enhancements: The following document content is enhanced or changed since FortiWAN 4.0.1. FortiWAN 4.2.1: A garbage character at the leftmost position of the topic line "Define routing policies for an IPSec VPN" on page 198 was removed.
" was updated for supporting IPv6 default NAT rule. Content of " Administration > Firmware Update " and " FortiWAN in HA (High Availability) Mode " was updated for the new firmware update mechanism under HA deployment. For the new features that Reports supports, new topics "...
Enable Reports"). Revision 1: "Default port mappings": a new page was added in section "How to set up your FortiWAN > Planning the network topology". "Configurations for VLAN and Port Mapping": content was changed and enhanced for pages " "...
How to set up your FortiWAN These topics describe the tasks you perform to initially introduce a FortiWAN appliance to your network. They contain the necessary information and instructions to plan the network topology, use the Web UI, and configure network interfaces on FortiWAN.
FortiWAN 3000B's Port 13 ~ Port 24 and FortiWAN VM's vNIC 5 ~ vNIC 10 are undefined by default; they can be defined via the Web UI (See " VLAN and Port Mapping ").
Configurations for a WAN link in Bridge Mode: DHCP ") To select the appropriate WAN Type on FortiWAN, identify the type of IP addresses the ISP provided you for accessing the Internet and decide how FortiWAN will be deployed in the current network infrastructure. Here are the considerations to take into account.
A range of static IP addresses in a shared subnet: For example, the ISP provides an ADSL link with the IP range 61.88.100.1 ~ 61.88.100.3, netmask 255.255.255.0 and default gateway 61.88.100.254. The subnet mask calculation shows there are 256 IP addresses in the subnet in total, but only 3 of them are allocated to you.
FortiWAN defines the near WAN of a WAN link differently in routing mode and bridge mode. In routing mode, the default gateway of a subnet deployed in WAN, or in WAN and DMZ, is adjacent to FortiWAN, so the area between the default gateway and FortiWAN is called the near WAN. In other words, FortiWAN treats the subnet deployed on the WAN port directly as the near WAN.
"). If you configure a bridge-mode WAN link that the ISP provides as Routing Mode on FortiWAN, and that bridge-mode WAN link belongs to a shared class C subnet, FortiWAN treats the whole class C network as the near WAN: traffic going to or coming from that class C network is ignored by FortiWAN's balancing, management and statistics functions.
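The arithmetic above (256 addresses in the /24, only 3 allocated, the rest shared with other customers behind the same gateway) is easy to get wrong when the ISP hands you a range rather than a subnet. The following is an added example, not code from the handbook or from Fortinet: a small planning check built on Python's standard ipaddress module that derives the enclosing subnet from the assigned range and netmask, counts how much of it is actually yours versus shared, and flags the planning mistakes this section warns about (gateway outside the subnet, range crossing the subnet boundary, range colliding with the gateway or the network/broadcast addresses). The function name and the report keys are my own.

```python
import ipaddress


def plan_shared_subnet_link(first_ip, last_ip, netmask, gateway):
    """Describe an ISP-assigned IPv4 range that lives in a shared subnet.

    Returns the enclosing subnet, how many addresses it holds, which ones were
    allocated to us, how many belong to other customers (everything except our
    range, the gateway, and the network/broadcast addresses), and a list of
    planning problems found. The 'shared_with_others' count is what FortiWAN
    would wrongly treat as near WAN if the link were configured as Routing Mode.
    """
    first = ipaddress.IPv4Address(first_ip)
    last = ipaddress.IPv4Address(last_ip)
    gw = ipaddress.IPv4Address(gateway)
    # strict=False lets us pass a host address with its dotted netmask and get
    # the containing network back (e.g. 61.88.100.1/255.255.255.0 -> 61.88.100.0/24).
    subnet = ipaddress.IPv4Network("%s/%s" % (first, netmask), strict=False)
    allocated = [ipaddress.IPv4Address(n) for n in range(int(first), int(last) + 1)]

    problems = []
    if last < first:
        problems.append("range end precedes range start")
    if last not in subnet:
        problems.append("range crosses the subnet boundary")
    if gw not in subnet:
        problems.append("gateway is outside the subnet")
    if gw in allocated:
        problems.append("gateway collides with the allocated range")
    for addr in allocated:
        if addr in (subnet.network_address, subnet.broadcast_address):
            problems.append("%s is the network or broadcast address" % addr)

    reserved = {subnet.network_address, subnet.broadcast_address, gw}
    others = subnet.num_addresses - len(reserved) - len(allocated)
    return {
        "subnet": str(subnet),
        "total_addresses": subnet.num_addresses,
        "allocated": [str(a) for a in allocated],
        "shared_with_others": others,
        "problems": problems,
    }


if __name__ == "__main__":
    # The handbook's own example: range 61.88.100.1~3, /24, gateway .254
    print(plan_shared_subnet_link("61.88.100.1", "61.88.100.3",
                                  "255.255.255.0", "61.88.100.254"))
```

Run it with the handbook's numbers and it reports a 61.88.100.0/24 with 256 addresses, 3 of them yours and 250 belonging to other customers, which is exactly the population that a misconfigured Routing Mode link would exclude from balancing and statistics.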
Whether you obtain an available subnet (routing mode) or an IP range of a shared subnet from the ISP, you will need to plan how to deploy the multiple IP addresses. To deploy the available subnet that the ISP provides (routing mode) on FortiWAN, there are four different scenarios (also called subnet types) to choose from: Subnet in WAN: Deploy the subnet in WAN.
When two FortiWAN units work together, they can be configured in HA (High Availability) double-device backup mode. This setup allows two FortiWAN units to serve as backups for each other. The master is the main functioning unit, while the slave is the backup unit in standby. A FortiWAN unit on its own already has a built-in fault tolerance mechanism.
Redundant LAN Port and/or redundant DMZ port: FortiWAN in HA mode As illustrated in the topology below, two FortiWAN units work in HA mode, with one active and the other in standby. Port1 and port2 act as redundant LAN ports for each other, putting the two units into hot backup mode. This mode offers a significant solution against single points of failure in LAN/DMZ (See "...
High Availability (HA) Scenarios: Firmware Update Procedure in HA Deployment. Firmware update on both master and slave units under HA deployment can be completed at once (with one firmware update instruction). The firmware update procedure in HA deployment is similar to the non-HA (single unit) procedure: 1.
It requires several Ethernet switches or bridges to connect the two appliances across areas or buildings. Since FortiWAN is designed to join an HA deployment by directly connecting the two RJ-45 ports (HA ports) with an Ethernet cable, it is assumed that no non-HA Ethernet frames are broadcast between the two appliances. The HA messages exchanged for availability detection are raw Ethernet frames of EtherType 0x88B6 (LOCAL2), not 0x0800 (IPv4);...
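Because the HA heartbeat is a raw Ethernet frame rather than IP, the only thing a switch path between the two appliances has to preserve is the untagged 0x88B6 EtherType, and the only way to confirm the link is carrying nothing else is to look at the EtherType of what actually arrives. The following is an added example, not FortiWAN code: a minimal Ethernet II header parser (one 802.1Q tag is unwrapped) and a classifier that audits a capture from the HA link, separating expected HA frames, HA frames that some switch has VLAN-tagged, and foreign frames whose EtherTypes you would then chase down. The sample frames are constructed in the block; the function names are my own.

```python
import struct

# EtherType values. 0x88B6 (LOCAL2) is the EtherType the handbook gives for
# FortiWAN HA availability-detection frames; the others are standard IEEE values.
ETHERTYPE_HA = 0x88B6
ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_ARP = 0x0806
ETHERTYPE_VLAN = 0x8100


def build_frame(dst, src, ethertype, payload):
    """Assemble a raw Ethernet II frame (no FCS). Used here only to construct samples."""
    return bytes(dst) + bytes(src) + struct.pack("!H", ethertype) + bytes(payload)


def parse_frame(frame):
    """Return (ethertype, vlan_id, payload) for an Ethernet II frame.

    A single 802.1Q tag is unwrapped so that a tagged HA frame is still
    recognised as HA; vlan_id is None for untagged frames.
    """
    if len(frame) < 14:
        raise ValueError("runt frame: %d bytes" % len(frame))
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype == ETHERTYPE_VLAN:
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q header")
        tci, inner = struct.unpack("!HH", frame[14:18])
        return inner, tci & 0x0FFF, frame[18:]
    return ethertype, None, frame[14:]


def audit_ha_link(frames):
    """Classify frames seen on a link that should carry nothing but HA heartbeats.

    Returns counts of untagged HA frames (the expected case), VLAN-tagged HA
    frames (a switch in the path is tagging them) and foreign frames, plus the
    set of foreign EtherTypes so the operator can see what else is on the wire.
    """
    report = {"ha": 0, "ha_tagged": 0, "foreign": 0, "foreign_types": set()}
    for frame in frames:
        ethertype, vlan_id, _ = parse_frame(frame)
        if ethertype == ETHERTYPE_HA:
            report["ha_tagged" if vlan_id is not None else "ha"] += 1
        else:
            report["foreign"] += 1
            report["foreign_types"].add(ethertype)
    return report


# Constructed sample capture (not real FortiWAN traffic): two HA heartbeats,
# one IPv4 frame and one ARP frame carried in VLAN 10. Locally administered MACs.
MAC_A = bytes.fromhex("020000000001")
MAC_B = bytes.fromhex("020000000002")
SAMPLE_FRAMES = [
    build_frame(MAC_B, MAC_A, ETHERTYPE_HA, b"\x01" * 46),
    build_frame(MAC_A, MAC_B, ETHERTYPE_HA, b"\x01" * 46),
    build_frame(MAC_B, MAC_A, ETHERTYPE_IPV4, b"\x45" + b"\x00" * 45),
    build_frame(MAC_B, MAC_A, ETHERTYPE_VLAN,
                struct.pack("!HH", 10, ETHERTYPE_ARP) + b"\x00" * 46),
]

if __name__ == "__main__":
    print(audit_ha_link(SAMPLE_FRAMES))
```

A non-zero "foreign" count on a dedicated HA link means the switches in between are leaking other traffic onto it; a non-zero "ha_tagged" count means a switch is adding a VLAN tag to the heartbeat, which is worth checking against the HA port configuration before trusting failover.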
Configure SNMP for your FortiWAN unit (See " ") to get the information in a MIB field via the SNMP manager. Configure the SNMP manager on your FortiWAN and enable the event type "HA slave failure and recovery" to notify (See " Notification ")...
The default IP address of the LAN port is 192.168.0.1 and the netmask is 255.255.255.0. For the first access to the Web UI, you can connect via a computer connected directly to FortiWAN, or via a computer in an existing LAN subnet connected to FortiWAN.
IP address: 192.168.0.2 (or 192.168.0.X) Subnet mask: 255.255.255.0 To connect to FortiWAN’s web UI, start a web browser and go to https://192.168.0.1. (Remember to include the “s” in https://.) Log in to the web UI with the default username, admin, and leave the password field blank (case sensitive).
Web UI and CLI Overview. Note: FortiWAN CLI has limited functionality and cannot fully configure the system. Normal configuration changes should be done via the Web UI. Change network settings of the LAN port via CLI 1.
The header contains information and items that are unrelated to FortiWAN's functions. Current login account: Displays the account you are logged in as and the IP address you logged in from.
") insensitive. A user fails to log in if there are already 20 users in the Web UI concurrently. FortiWAN Web UI does not accept multiple logins from the same host and the same browser. Users that attempt to log in to the Web UI via the same host and browser (different tabs or windows) will be logged out (including the one who is already in the Web UI).
Basic concept of configuring via the Web UI: FortiWAN's services (load balancing, fault tolerance and other optional services) are based on Policy and Filter. Policies (also called Classes) are specified items indicating different actions for a service. Policies are applied to different objects classified by the predefined filters.
LAN: Matches sessions coming from or going to LAN. DMZ: Matches sessions coming from or going to DMZ. Localhost: Matches sessions coming from or going to FortiWAN. Any Address: Matches all sessions regardless of their source or destination. FQDN: Matches sessions coming from or going to an FQDN.
NTP (123) IMAP (143) SNMP (161) BGP (179) WAIS (210) LDAP (389) HTTPS (443) IKE (500) RLOGIN (513) SYSLOG (514) RIP (520) UUCP (540) H323 (1720) RADIUS (1812) RADIUS-ACCT (1813)
: Specify a network interface (port) of FortiWAN to display, create or remove entries. -i <port> : Specify a network interface (port) of FortiWAN in the format port#, e.g. port1, port2, etc. <port> : Specify the target IP address or domain name.
<port> The system will restart the web server running on FortiWAN for the Web UI, display the port number occupied by the web server, or set the port number of the web server. : Restart the web server.
Set Reports database to factory default init_reports_db Set FortiWAN's Reports database to factory default. All the report data will be deleted. Please make sure the database is backed up if it is necessary (See " Reports Database Tool ").
Note that if your system is not at base bandwidth and you do not have your Bandwidth Upgrade Keys, please contact Fortinet CSS before attempting a reactivation. reboot: Restart FortiWAN reboot [-t <second>] Restart FortiWAN immediately or restart it after a time period.
-t <second> : Reboot FortiWAN after <second> seconds. <second> : The time period (in seconds) the system waits before rebooting. Example: reboot -t 5 restarts the system after 5 seconds.
Shut the FortiWAN system down shutdown This command is used to shut the FortiWAN system down; all system processes and services are terminated normally. Note that this command might not power the appliance off; turn the power switch on/off or plug/unplug the power adapter to power the appliance on/off.
Type sslcert set to set a new SSL certificate for use with the FortiWAN Web UI. You have to manually enter the SSL private key and its corresponding certificate as text after the command prompt sslcert> line by line. The content entered for the private key and certificate must start with “-----BEGIN CERTIFICATE-----”...
Dump network traffic tcpdump [-aAdDeflLnNOpqRStuUvxX] [-c count] [-E algo:secret] [-i PORT] [-s snaplen] [-T type] [-y datalinktype] [expression] -i <port> : The parameter specifying a network interface (port) of FortiWAN in the format port#, e.g. port1, port2, etc. For details of the options and parameters, please refer to http://www.tcpdump.org/tcpdump_man.html...
DNS server on his computer to use FortiWAN's Internal DNS (set the DNS server to the IP address of the gateway he connects to). FortiWAN's DHCP cannot automatically assign FortiWAN's internal DNS to users. The Internal DNS is recursive, which allows users to resolve other people's domains (external domains).
"), which is called Port Mapping here. Depending on the network topology, the mappings can be programmed. Taking FortiWAN 200B as an example, its Port 1 can be changed to a LAN port, Port 2 can be changed to a DMZ port, and Port 3 ~ Port 5 can be changed to WAN ports, while the default mappings are Port 1 ~ Port 3 to WAN ports, Port 4 to the LAN port and Port 5 to the DMZ port (See "...
FortiWAN supports IEEE 802.1Q (also known as VLAN Tagging), but it does not support Cisco’s ISL. Prior to its deployment, it is better to map the ports first; for example, Port1 is mapped to a WAN port. To better use FortiWAN with...
Port pull-down menu for Private LAN Subnet setting ) and port 1.104 is connected with PCs in DMZ ( Port 1.104 is listed in the DMZ Port pull-down menu for WAN Setting ). In this network, FortiWAN acts as the role of router.
Redundant LAN/DMZ Port and Aggregated LAN/DMZ Port Why are a redundant LAN port and a redundant DMZ port necessary? Because without these two ports, even when FortiWAN is working in HA mode, a single point of failure can still occur on the links connecting LAN/DMZ and the LAN/DMZ ports on FortiWAN.
As illustrated in the topology below, FortiWAN port1 is mapped to a WAN port. Port2 and port3 are configured as the redundant LAN ports, which are connected to Switch1; port4 and port5 are the redundant DMZ ports, which are connected to Switch2.
Configuring your WAN [WAN Settings] is the main part of deploying FortiWAN with various types of WAN links. If your network has several WAN links, you have to configure them one after another. Select any link from [WAN link] and check [Enable] to start the WAN link and WAN port configuration of the WAN connection (See "...
WAN-sided subnet, DMZ-sided subnet and LAN-sided subnet, which are supposed to connect to the WAN port, DMZ port and LAN port of FortiWAN. FortiWAN then serves the hosts in those subnets. For this reason, mechanisms to automatically address the hosts in those basic subnets are provided. FortiWAN's automatic addressing is designed to serve the hosts in DMZ-sided and LAN-sided subnets.
DHCP: FortiWAN acts as a DHCP server on the specified LAN port or DMZ port if the checkbox Enable DHCP is checked. FortiWAN receives DHCP requests from, and responds with the related information to, hosts (DHCP clients) in the subnets connected to the LAN or DMZ ports.
DHCP server, so that one DHCP server manages the address allocation for the three subnets, LAN 1, LAN 2 and DMZ 1. As for subnet LAN 3, it employs FortiWAN's DHCP server on LAN port 3. The enabled DHCP server on LAN port 3, which is independent from the standalone DHCP server, serves only subnet LAN 3.
Configuring Network Interface (Network Setting) To implement the deployment, you need to enable DHCP Relay for each of the subnets (enable DHCP Relay on each of the ports). In the example above, DHCP Relay is enabled on the ports of LAN 1, LAN 2 and the subnet in DMZ 1, and all the DHCP requests received on those ports will be forwarded to the DHCP server in the subnet DMZ 2.
Internet; conversely, FortiWAN B (the headquarters) delivers the DHCP responses to the branch site over the Internet and FortiWAN A forwards the response to its LAN to allocate the host an IP address. DHCP messages are delivered by Tunnel Routing encapsulation and decapsulation, just like normal Tunnel Routing transmission. The localhost of the LAN port on FortiWAN A is configured as 192.168.10.254.
Configurations on FortiWAN A: Go to Network Setting > LAN Private Subnet > IPv4 Basic Subnet and select the subnet 192.168.10.0/24 to configure. Check the checkbox Enable DHCP Relay and configure the settings below.
Compared with SLAAC, IP pool and static IP mapping, administrators are able to control how the IPv6 addresses are allocated via DHCPv6. FortiWAN provides both SLAAC RDNSS and DHCPv6 for stateless and stateful IPv6 automatic addressing. Stateless IPv6 addressing: SLAAC Enabling the stateless IPv6 addressing for the "IPv6 Basic Subnets"...
To enable the stateful IPv6 addressing for the "IPv6 Basic Subnets" or "IPv6 (IPs) in DMZ", you are required to enable and configure both SLAAC and DHCPv6 in the Web UI. FortiWAN will not respond with any Router Advertisement (RA) if SLAAC is disabled. Stateful IPv6 addressing via DHCPv6 requires RA for hosts to discover the default gateway, and therefore hosts fail to get a default gateway if SLAAC is disabled.
Select [Routing Mode] from [WAN Type], and configure the parameters in [Basic Settings]. Note that the localhosts of FortiWAN’s WAN and DMZ ports belong to the basic subnet in Routing Mode; therefore at least one basic subnet is required. For this reason, [Basic Setting] contains no fields for setting IP(s) on Localhost and Netmask, which are fields in [Basic Subnet].
As mentioned previously, FortiWAN’s Routing Mode plays the role of routing packets between subnets. For applications deploying different subnets in FortiWAN’s WAN and/or DMZ, you are required to complete the configuration of the subnets. There are two major types of subnets to choose from.
IPv4 / IPv6 Static Routing Subnet Static routing subnets are the subnets connected indirectly to FortiWAN via a router or an L3 switch (See " Scenarios to deploy subnets "). According to the location a subnet is deployed in, Static Routing Subnet is divided into: Subnet in WAN: A static routing subnet deployed in WAN, connected to a basic subnet in WAN or a basic subnet in WAN and DMZ.
WAN or a subnet in WAN and DMZ. As described in the topology, since the cluster of hosts is deployed in the DMZ, FortiWAN port5 has to be mapped to DMZ with IP address 140.112.8.9. Thus the hosts in the subnet take 140.112.8.9 as their default gateway. In this case, IP addresses 203.69.118.9 –...
[IP(s) in WAN]. When you select [Subnet in WAN and DMZ] from [Subnet Type], FortiWAN will assume the IP addresses that are unlisted in [IP(s) on Localhost] and [IP(s) in WAN] are all in DMZ.
This topology is rarely seen in actual networks, where a static routing subnet is located on the WAN. In other words, the subnet in WAN does not connect to FortiWAN directly, but needs a router to transfer packets instead. In this example, a subnet 139.3.1.8/29 is located on the WAN and connects to router 203.69.118.9, while another subnet...
As described in the UI, FortiWAN transfers packets to the gateway 203.69.118.9 to deliver them to subnet 139.3.1.8/255.255.255.248. [Static Routing Subnet]: Subnet in DMZ This topology is similar to the one in the last example, [Static Routing Subnet]: Subnet in WAN. The only difference is that the subnet is in the DMZ this time.
As described in the UI, FortiWAN transfers packets to the gateway 203.69.118.14 to deliver them to subnet 139.3.1.8/255.255.255.248. See also WAN link and WAN port, VLAN and port mapping...
Basic Setting WAN Port The physical port (network interface) on FortiWAN used to connect the WAN link. For the deployment of multiple WAN links on one WAN port, set this field to the same value for those WAN links. For example, select Port1 in the configurations of WAN link1, WAN link2 and WAN link3 to deploy the three WAN links on WAN port1.
This topology can be seen where a group of valid IP addresses ranging 211.21.40.32~211.21.40.34 have been given by ISP and assigned to port1 on FortiWAN. And their default gateway is 211.21.40.254 given by ISP as well. If there are other hosts deployed on the WAN, then configure their IP addresses in [IP(s) in WAN]. And if there are hosts deployed on the DMZ, then configure their IP addresses in [IP(s) in DMZ].
ISP assigned is located at the ISP’s network, while the ATU-R works in bridge mode. FortiWAN’s Bridge Mode: One Static IP is suggested for this case. IPv6/IPv4 dual static is supported for FortiWAN’s Bridge Mode: One Static IP. In the dual static case, similar to the previous one, the ISP might provide you a WAN IPv6 subnet and a LAN IPv6 subnet.
[IP Address] blank if you are assigned a dynamic IP address; otherwise, enter your static IP address. Select the FortiWAN WAN port to which the PPPoE ADSL Modem is connected, e.g. port1. Check [Redial Enable] to enable redial. As some ISPs automatically reconnect to the network within a certain time interval, [Redial Enable] will avoid
Inbound Load Balancing and Failover (Multihoming) Configurations for a WAN link in Bridge Mode: DHCP [Bridge Mode: DHCP Client] is used when the FortiWAN WAN port gets a dynamic IP address from a DHCP host. IPv6 is not supported in this WAN type.
Here is a simple example to demonstrate a configuration for the basic subnet in a typical LAN environment. As shown in the illustration, FortiWAN port3 has been mapped to the LAN port via [System / Network Setting / VLAN and Port Mapping] (See "...
FortiWAN directly. The configurations here indicate how FortiWAN routes packets to subnet 192.168.99.x. FortiWAN supports the Routing Information Protocol (RIP v1, v2). RIP employs hop count as the metric and uses timed broadcasts to update routers. As RIP features configuration simplicity and operational convenience, it has been widely used across all fields.
Thus, FortiWAN can forward RIP v2 packets. Moreover, if you have enabled RIP v2 authentication, type the password in [Password]. Otherwise, keep [Password] blank. OSPF Apart from RIP, FortiWAN also supports OSPF (Open Shortest Path First), to assign the LAN port router a given preference.
In addition, DHCP servers in LAN and DMZ should let clients use the FortiWAN virtual IP as the default gateway (as FortiWAN's DHCP service does). If RIP and OSPF are used in LAN, FortiWAN uses the real IP for OSPF and the virtual IP for RIP to exchange route information.
This topology is frequently found where cluster hosts in IPv4 private subnet are located on the DMZ. In this example, FortiWAN port5 has been mapped to DMZ port, with private IP 192.168.4.254. And subnet 192.168.4.X is located on the DMZ as a whole. From UI, select [Subnet in DMZ] from [Subnet Type] in [Basic Subnet].
This topology is found where IPv4 private static routing subnet is located on the WAN. In other words, the private subnet on the WAN does not connect to FortiWAN directly. Instead, it connects to a router which helps to transfer its packets.
[Static Routing Subnet]: Subnet in DMZ In this topology, in DMZ you create an IPv4 private subnet using one router (its IP, say, 192.168.34.50). But the subnet (its IP 192.168.99.0/24) does not connect to FortiWAN directly. Configure the subnet on FortiWAN to process its packets.
Please refer to the ATU-R User manual provided by your ISP to connect the ATU-R to FortiWAN’s WAN #1. Connect LAN to FortiWAN’s LAN port via a switch or hub. In this example, FortiWAN’s Port2 is treated as LAN port. Please map FortiWAN’s LAN port to the Port2 in [System] →...
Assume an SMTP server with IP 192.168.1.1 provides SMTP services to the outside via the virtual server. FortiWAN will perform NAT on this machine so that the outside clients can get SMTP services via FortiWAN’s public IP on WAN1. The settings for this are in [Service] → [Virtual Server].
DMZ port is on port #2. ISP supplies the router. Hardware Configuration: Connect the router with FortiWAN in WAN1 by referring to router's user manual. Note: FortiWAN is viewed as a normal PC when connected to other network equipment. Configuration Steps: 1.
“IP(s) in WAN” . WAN Type: Routing Mode Example 2 This example shows the scenario where there is a private subnet between the WAN router and FortiWAN. In addition, the public IP subnet inside the FortiWAN DMZ port requires a router.
WAN Type: Routing Mode Example 3 In this example, both WAN links have their own routers and FortiWAN is connected to these routers using private IP addresses, as illustrated below. In addition, FortiWAN Port 3 has been assigned another private IP connecting to the LAN Core Switch (L3 switch); therefore there is a public IP subnet connected behind the Core Switch inside the LAN.
Configuration Steps: 1. Go to FortiWAN Web UI: [System] → [Network Settings] → [WAN Settings] management page. 2. Select [1] in the WAN Link menu. 3. Click Enable to activate the WAN link.
WAN link fails or recovers. Configure SNMP for your FortiWAN unit (See " SNMP ") to get the information in a MIB field via the SNMP manager. Configure the SNMP manager on your FortiWAN and enable the event types "" and "" to notify (See " Notification "); notifications will then be delivered to your SNMP manager for those events.
MIB fields (field, OID: description):
fwnWanHealthReq, 1.3.6.1.4.1.12356.118.2.1.2.1.7: Number of health detection (ping packets or TCP connect requests) sent out for every WAN link.
fwnWanHealthRep, 1.3.6.1.4.1.12356.118.2.1.2.1.8: Number of acknowledgements replied to every WAN link for the health detection.
fwnWanTotalOctets64, 1.3.6.1.4.1.12356.118.2.1.2.1.15: Sum (64-bit unsigned integer) of octets received and transmitted on/from the interface (RX and TX) of every WAN link during the system's uptime.
fwnVlanTotalOctets, 1.3.6.1.4.1.12356.118.2.2.2.1.4: Sum (32-bit unsigned integer) of octets received and transmitted on/from the interface (RX and TX) of every VLAN during the system's uptime.
fwnVlanInOctets64, 1.3.6.1.4.1.12356.118.2.2.2.1.5: Number (64-bit unsigned integer) of...
FortiWAN in HA (High Availability) Mode HA mode becomes active. As mentioned in " ", HA (High Availability) is hot backup. In HA mode, one FortiWAN is the primary system while the other is the backup system. System Information / Peer Information: Version: The firmware version of the device.
inconsistent with the local unit, this field displays " Incompatible ". Note1: Connections may exceed 100 when FortiWAN is started, but will return to normal in a while. This happens because FortiWAN sends out ICMP packets to test the network.
1.3.6.1.4.1.12356.118.1.7: Current CPU load (in percentage) of the system.
fwnSysUsers, 1.3.6.1.4.1.12356.118.1.8: Number of IP addresses connecting to the FortiWAN unit from the LAN and DMZ subnets.
fwnSysPktPerSec, 1.3.6.1.4.1.12356.118.1.9: Number of packets transferred via the system every second.
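The health-detection counters in the WAN link table above (fwnWanHealthReq and fwnWanHealthRep) are cumulative, so a monitoring system has to diff two polls to see how many probes went unanswered in an interval; the system-level scalars (fwnSysUsers, fwnSysPktPerSec) are single values. The following is an added example, not FortiWAN code or a Fortinet tool, covering both the WAN link table and the system fields quoted above: it parses snmpwalk-style "oid = value" lines under the FortiWAN enterprise subtree into named (column, index) pairs using only the OIDs quoted in the handbook, computes the per-link probe loss between two polls, and lists the links whose loss exceeds a threshold. The two polls are constructed sample data; the function names, the alert threshold and the walk line format are my own assumptions.

```python
FORTIWAN_ROOT = "1.3.6.1.4.1.12356.118"

# Column OIDs quoted from the handbook's MIB tables. In a walk each table
# column is followed by an instance index (WAN link number or VLAN number).
COLUMNS = {
    FORTIWAN_ROOT + ".2.1.2.1.7": "fwnWanHealthReq",
    FORTIWAN_ROOT + ".2.1.2.1.8": "fwnWanHealthRep",
    FORTIWAN_ROOT + ".2.1.2.1.15": "fwnWanTotalOctets64",
    FORTIWAN_ROOT + ".2.2.2.1.4": "fwnVlanTotalOctets",
    FORTIWAN_ROOT + ".2.2.2.1.5": "fwnVlanInOctets64",
}
# Scalar OIDs quoted from the handbook; a walk reports them with a ".0" suffix.
SCALARS = {
    FORTIWAN_ROOT + ".1.8": "fwnSysUsers",
    FORTIWAN_ROOT + ".1.9": "fwnSysPktPerSec",
}


def parse_walk(lines):
    """Turn 'oid = value' lines (numeric OIDs) into {(name, index): int}.

    Scalars get index None. Unknown OIDs are kept under their raw OID with
    index None so that nothing is silently dropped from the poll.
    """
    result = {}
    for line in lines:
        oid, _, value = line.partition("=")
        oid, value = oid.strip(), value.strip()
        base, _, index = oid.rpartition(".")
        if oid in SCALARS or (base in SCALARS and index == "0"):
            result[(SCALARS.get(oid, SCALARS.get(base)), None)] = int(value)
        elif base in COLUMNS:
            result[(COLUMNS[base], int(index))] = int(value)
        else:
            result[(oid, None)] = int(value)
    return result


def health_loss(previous, current):
    """Per-WAN-link fraction of health probes left unanswered between two polls.

    Both counters are cumulative, so deltas are used. A link with no probes
    sent in the interval gets None: there is nothing to judge yet.
    """
    loss = {}
    for (name, index), req_now in current.items():
        if name != "fwnWanHealthReq":
            continue
        req_delta = req_now - previous.get((name, index), 0)
        rep_delta = (current.get(("fwnWanHealthRep", index), 0)
                     - previous.get(("fwnWanHealthRep", index), 0))
        if req_delta <= 0:
            loss[index] = None
        else:
            loss[index] = max(0.0, 1.0 - rep_delta / req_delta)
    return loss


def links_to_alert(previous, current, threshold=0.05):
    """WAN link indexes whose probe loss is above the (assumed) 5% threshold."""
    return sorted(i for i, l in health_loss(previous, current).items()
                  if l is not None and l > threshold)


# Constructed sample polls (not output from a real FortiWAN). Link 2 answers
# only 60 of the 100 probes sent in the interval between the two polls.
POLL_1 = [
    "1.3.6.1.4.1.12356.118.1.8.0 = 40",
    "1.3.6.1.4.1.12356.118.2.1.2.1.7.1 = 1000",
    "1.3.6.1.4.1.12356.118.2.1.2.1.8.1 = 1000",
    "1.3.6.1.4.1.12356.118.2.1.2.1.7.2 = 1000",
    "1.3.6.1.4.1.12356.118.2.1.2.1.8.2 = 990",
    "1.3.6.1.4.1.12356.118.2.1.2.1.15.1 = 123456789",
]
POLL_2 = [
    "1.3.6.1.4.1.12356.118.1.8.0 = 42",
    "1.3.6.1.4.1.12356.118.2.1.2.1.7.1 = 1100",
    "1.3.6.1.4.1.12356.118.2.1.2.1.8.1 = 1100",
    "1.3.6.1.4.1.12356.118.2.1.2.1.7.2 = 1100",
    "1.3.6.1.4.1.12356.118.2.1.2.1.8.2 = 1050",
    "1.3.6.1.4.1.12356.118.2.1.2.1.15.1 = 123999999",
]

if __name__ == "__main__":
    print(health_loss(parse_walk(POLL_1), parse_walk(POLL_2)))
    print("alert:", links_to_alert(parse_walk(POLL_1), parse_walk(POLL_2)))
```

Diffing the counters rather than alerting on their absolute values matters because a link that was flaky a week ago but is healthy now would otherwise look bad forever; the same delta approach applies to the octet counters for throughput.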
WAN efficiency over multiple ISPs. Consider a deployment in which FortiWAN is connected to ISP-A and ISP-B and the peering between the two networks is poor. With the general Auto Routing algorithms (See "...
Auto Routing policy with algorithm - By Optimum Route, and the corresponding filters (See " Auto Routing "). FortiWAN provides DNS Proxy to cooperate with Optimum Route to resolve advanced peering issues (See " DNS Proxy ").
Click to enable HA (switching between master and slave units) based on the status of network ports. While HA is enabled in FortiWAN, the port status of both master and slave FortiWAN units will be compared to determine which unit should be selected as master.
Backup lines in standby do not cost a cent beyond the basic fees. Contrary to backup lines, main lines are the lines commonly in use. This concept is used below. FortiWAN provides a log mechanism for the Backup Line service, see " ".
Click the button to show or hide the table details. After Hide Detail has been clicked, the table only shows the name of the service group and whether it has been enabled. IPv4/IPv6 Rule Settings Table:
As shown in the figure, Sunday and the hours beyond Mon-Sat 09h00-18h00 are set to be idle hours. The remaining hours of the week belong to busy hours. Diagnostic Tools Click the tabs [IPv4] and [IPv6] on the upper side to choose diagnostic tools for IPv4 and IPv6.
Clean IPv4 Session Table (Only Non-TCP Sessions) This function is used to clean up the non-TCP session tables in FortiWAN. In FortiWAN, protocols are managed with a session timer. Old sessions may be continuously retried by users so that they never expire. These old sessions thus remain valid and active in place of new ones.
Clean IPv6 Session Table (Only Non-TCP Sessions) This function is used to clean up the non-TCP session tables in FortiWAN. In FortiWAN, protocols are managed with a session timer. Old sessions may be continuously retried by users so that they never expire. These old sessions thus remain valid and active in place of new ones.
24-hour time system in the hour:minute:second format. [Time Zone] is represented by continent and city, for example [America] and [New York]. FortiWAN uses an NTP time server for accurate time synchronization; simply click the [Synchronize Time] button. Other time servers are also included in the drop-down list and can be added or deleted as you prefer.
Every FortiWAN is shipped with the same default passwords. For security reasons, it is strongly recommended that the passwords be changed. By default, FortiWAN uses 443 as the Web UI login port. Administrators may change the port to avoid possible port conflicts with virtual server services.
Verification Confirm the new password. Event notifications via SNMP trap You can receive a notification via SNMP trap for any modification of a FortiWAN account. Configure the SNMP Notification manager on your FortiWAN and enable the event type "Account change" to be notified (See "...
RADIUS Authentication Besides FortiWAN's local authentication database described above, FortiWAN supports RADIUS authentication for Web UI login. Make sure the following settings are complete on the RADIUS server working with FortiWAN. Add Fortinet's Vendor Specific Attribute (VSA) to /etc/raddb/dictionary: VENDOR Fortinet 12356 BEGIN-VENDOR Fortinet...
Incompatible version/build – The firmware version is incompatible. The system requires a higher-version firmware for an update and a lower-version firmware for a downgrade. Check with your dealer for the correct firmware version. Incompatible model/feature – The firmware image does not match the FortiWAN system. Check with your dealer for the correct model and version.
[Restore] button. Configuration File for individual function Export and Import: Log on to FortiWAN as administrator. On each function page of the Web UI, click [Export Configuration] to back up the configuration to an editable text file.
Type the port number in [New Port] and then click [Setport]. Enter the new port number when you next log in to the Web UI. The new port must not conflict with FortiWAN reserved ports. Otherwise, FortiWAN displays a port settings failure error message and reverts to the port number that was configured previously.
License Control provides users with all the License Key configurations, including: Bandwidth Upgrade License: FortiWAN provides various bandwidth capabilities for each model. Bandwidth upgrade on a model is supported via a license key. Ask your distributor for bandwidth upgrade license keys.
System Configurations Administration
Product Model | Bandwidth Capability
FortiWAN 200B | 200 Mbps / 400 Mbps / 600 Mbps
FortiWAN 1000B | 1 Gbps / 2 Gbps
FortiWAN 3000B | 3 Gbps / 6 Gbps / 9 Gbps
Note: Conditional bandwidth upgrade is provided for old models. Please contact customer support for further information.
Load Balancing Algorithms FortiWAN offers seven auto routing algorithms from which administrators select the policy that best matches their environment. Auto Routing distributes traffic among multiple WAN links on a per-session basis: all the packets of a session are routed to the WAN link to which the session was distributed.
When one of the WAN links fails, the administrator has to change the router configuration to bypass the failed link. The obvious drawback of this approach is the unnecessary workload for administrators. Whenever WAN link
FortiWAN has an internal “Virtual Trunk” circuit, which is essentially a combination of the multiple WAN links. Auto routing is capable of adjusting the “Virtual Trunk” to include only the WAN links that are functioning normally and to direct outbound traffic through the “Virtual Trunk” circuit...
WAN link when it fails, but all subsequent sessions will be automatically routed to other working links. FortiWAN provides mechanisms to record, notify and analyze events related to the Auto Routing service, see " ", "...
Check to enable logging. Whenever the rule is matched, the system records the event to the log file. Configuration File The configuration file can be imported or exported and stored as a “.txt” file. Note: Only the Administrator has the privilege to perform this function.
Check WAN#2
By Optimum Route | By Optimum Route | Check both WAN #1 and WAN
By Downstream | By Downstream Traffic | Check both WAN #1 and WAN
By Total | By Total Traffic | Check both WAN #1 and WAN
6. Route connections through WAN#1 and WAN#2 depending on the bandwidth left in the downstream traffic of each WAN link. 7. Route connections through WAN#2 and WAN#3 depending on the bandwidth left in the total traffic of each WAN link.
9. The connections from an arbitrary host to any host on the Internet will be routed by the policy "by Downstream". See also: WAN Link Health Detection, Configuring your WAN, Load Balancing & Fault Tolerance, Busyhour Settings, Using the web UI
IN A 192.136.1.243 All DNS requests to www.example.com will be sent to FortiWAN. Multihoming constantly measures the health conditions and the state of each WAN link and computes the optimal answer to the DNS queries; this is defined as the SwiftDNS technology.
Before the update time is up (i.e., the TTL expires), DNS requests may be answered with incorrect information. FortiWAN employs SwiftDNS for multihoming, based on the health state of the link and a traffic redirecting algorithm. SwiftDNS dynamically answers DNS requests to steer traffic away from broken or congested links. To solve the TTL issue stated above, SwiftDNS maintains a very short TTL and actively sends updates to the internal DNS when the link status changes.
Multihoming supports basic DNSSEC, which employs only one key pair, the KSK (Key Signing Key), to generate the DNSKEY and RRSIG records for the zone (NSEC is not supported). The only supported algorithm and key size are RSASHA512 and 2048 bits. Note that Multihoming's DNSSEC is not supported in Relay Mode.
WAN links and registered domain names for publicly accessible servers. Note that a DNS request from a client is delivered to FortiWAN via a fixed WAN link, whose IP address is registered with the parent domain. It is better to have multiple IP addresses registered to avoid a single WAN link failure.
Inbound Load Balancing and Failover (Multihoming) Load Balancing & Fault Tolerance FortiWAN offers two options for Multihoming: Non-Relay Mode and Relay Mode. The details of both are explained in this section, which also explains how to configure Multihoming. First, check the box "Enable Multihoming" to enable Multihoming.
Click the [+] button to generate the DNSSEC private key used to sign the domain. The private key information is listed. The DNSKEY record and RRSIG record set for this domain are generated when the domain configuration is applied. (For multiple keys, use the [+] key)
A Record Host Name Enter the prefix name of the primary workstation. For example, if the name is "www.abc.com", enter “www”. When Options: All-Time/Busy/Idle Source Enter the IPv6/IPv4 address that the DNS query comes from.
"www.abc.com", enter “abc.com” as the prefix. TTL (Time To Live) specifies the amount of time that the DName Record is allowed to be cached. SRV Record Service Specify the symbolic name prepended with an underscore, for example, _http, _ftp or _imap.
IP 10.16.130.2/24 are effective, while emails sent from other IPs are treated as spam. External Subdomain Record (available only in non-relay mode) Subdomain Name Enter the name of an external subdomain. To add an additional subdomain, press
Make sure the external name servers of the sub-domains are active and answering DNS queries. Relay Mode When Relay is enabled, FortiWAN relays the DNS requests it receives to the specified name servers and reprocesses the answer with the appropriate IP address according to the AAAA/A record policies. The configurations needed for Multihoming in Relay Mode are AAAA/A Record Policy and Domain Settings.
Enter the IPv6 address that the DNS query comes from. To Policy Select the defined AAAA Record Policy to be used for the domain setting. TTL (Time To Live) specifies the amount of time the A Record is allowed to be cached.
Multihoming settings in the example
A Record Policy Settings: Policy Name | Algorithm | Policy Advance Setting | WAN Link | IPv4 Address
By Upstream | 211.21.33.186 | 61.64.195.150
Domain Settings: Domain Name | Responsible Mail | Primary Name Server | IPv4 Address
Domainname.com | Abc.domainname.com | 192.168.0.10
Note: The DNS server IP can be a public IP or a private IP. Example 2 Configure the virtual server before setting up multihoming. In this example its configuration looks like:
WAN IP | Server IP | Service
211.21.33.186 | 192.168.0.200 | SMTP (25)
61.64.195.150 | 192.168.0.200 | SMTP (25)
Multihoming settings in the example
Priority Mail Server mail mail Host Name v=spf1 ip4:211.21.33.186 ip4:61.64.195.150 ~all Note: 1. Refer to [System]->[Networking Settings]->[WAN Settings] and assign public IPs to WAN ports. 2. The example has configured multihoming for virtual server “mail.domainname.com”.
Tunnel Routing is the transmission of GRE packets via a pair of WAN links predefined on the symmetric FortiWAN sites (a WAN link on the local FortiWAN, and another one on the remote FortiWAN) (See "Tunnel Group" and "Group Tunnel" in "...
Here is an example explaining how Tunnel Routing delivers packets to a remote private internal network via the Internet. Two FortiWAN sites (FWN-A and FWN-B) are each connected to the Internet with two WAN links. Two private LAN networks, 192.168.10.0/255.255.255.0 and 192.168.20.0/255.255.255.0, are connected to FWN-A and FWN-B respectively.
"). Symmetric FortiWAN sites continuously send GRE-encapsulated detection packets to each other via the defined tunnels. The detection receiver on each FortiWAN site decides the status of a tunnel (OK or Fail) by monitoring whether the detection packets keep arriving. Tunnel Routing's balancing algorithms distribute packets only over the healthy tunnels, so that network connectivity and data transfer reliability are guaranteed.
A tunnel can be roughly divided into three parts: the WAN link between the local FortiWAN and its ISP, the WAN link between the remote FortiWAN and its ISP, and the links between the ISPs (the Internet). Although nothing can be done about transmission quality within the Internet, good and equal quality can be ensured for the WAN links between the FortiWAN sites and their ISPs.
Tunnel Routing transmission. Packets encapsulated by Tunnel Routing become invisible to Bandwidth Management; controlling the overall Tunnel Routing traffic by the service GRE will fail. FortiWAN provides mechanisms to record, notify and analyze events related to the Tunnel Routing service, see " ", "...
WAN link of the local unit and one WAN link of the remote unit. A which might be various combinations of WAN links between the two FortiWAN units. A tunnel group is the basic unit used for a Tunnel Routing transmission. Packets of a session transferred via tunnel routing between the units are distributed (according to the balancing algorithms) to the multiple tunnels defined in the tunnel group.
Note that every tunnel group must contain at least one tunnel configured with a static public IP address. In this table, tunnels are configured for a tunnel group with the IP addresses of the WAN links of the local and remote FortiWAN units and the routing algorithm used to route packets over the tunnels.
Configure the local IP address for tunnels in the tunnel group. The local IP addresses here are the localhost IPs defined on the WAN links of the local FortiWAN. Depending on the WAN type defined on the WAN links, several types of Local IP are available as options.
Configure the remote IP address for tunnels in the tunnel group. The remote IP addresses here are the localhost IPs defined on the WAN links of the remote FortiWAN. Depending on the WAN type defined on the WAN links, several types of Remote IP are available as options.
This is the general way to set routing rules for Tunnel Routing. A routing rule contains the three basic elements above and evaluates traffic by Source, Destination, Service, (Tunnel) Group and Fail-Over. Note that a routing rule set on one FortiWAN site must be set symmetrically on the opposite FortiWAN site, so that bidirectional transmission is achieved.
Default Rule filters traffic by Source and Destination while ignoring the Service (Service = Any). To set up the default rules, only the source IP addresses need to be specified on both FortiWAN units, which automatically negotiate the destinations;...
Considering the illustration above, a tunnel group (Tunnel Group AB) containing two tunnels (Tunnel 1 and Tunnel 2) connects two FortiWAN units (FWN-A and FWN-B), to which two internal networks connect respectively. The default rule configurations on the two sites are as follows:...
Tunnel: BackupGroup The sources set in FWN-A's default rules, which are treated as destinations by FWN-B, are sent to FWN-B via the automatic negotiation. FWN-B then logically generates the following routing rules in the system back-end.
(or a default rule) is invalid for sessions that are routed persistently to fixed tunnels. Source The source of the connection (See "Using the web UI"). Destination The destination of the connection (See "Using the web UI").
Tunnel Routing - Benchmark Scenarios To guarantee performance aggregation when transferring TR packets, FortiWAN requires equal quality for the WAN links employed in a tunnel group. The Benchmark provides an evaluation of WAN link quality for every single tunnel. Tunnels are judged by round trip time, packet loss and bandwidth. It is not recommended to employ a WAN link that is worse than the others in a tunnel group.
Tunnel Routing For symmetric FortiWAN sites, the site that is not running the benchmark server is taken as the benchmark client, which triggers the test traffic. All the configured tunnel groups are listed in the table, together with their information: group name, remote host ID, algorithm, enable state and the group tunnels of each tunnel group.
A company’s headquarters and two branch offices are located in different cities. Each office has a LAN, multiple WAN links and a DMZ with a VPN gateway:
| Headquarters | Branch 1 | Branch 2
WAN1 | 1.1.1.1 | 2.2.2.2 | 6.6.6.6
Set the field Local Host ID as B2
Local Host ID: B2
Tunnel Group: Group Name | Remote Host | Algorithm | Tunnels (Local IP | Remote IP | Weight)
Branch2-HQ | Round-Robin
6.6.6.6 | 1.1.1.1
6.6.6.6 | 3.3.3.3
8.8.8.8 | 1.1.1.1
8.8.8.8 | 3.3.3.3
10.10.10.10 Dynamic IP
NOTE: When using tunnel routing in FortiWAN, the settings on the two sides must correspond to each other, or else tunnel routing will not perform its function. For example, if the FortiWAN in Taipei has removed the values 2.2.2.2 to 3.3.3.3 in its routing rule settings, then the FortiWAN in Taichung will not be operational.
Set the field Local Host ID as Branch
Local Host ID: Branch
Tunnel Group: Group Name | Remote Host | Algorithm | Tunnels (Local IP | Remote IP | Weight)
Branch-HQ | Round-Robin
Dynamic IP at WAN1 | 211.21.33.186
Dynamic IP at WAN2 | Dynamic IP at WAN2
The LAN links in branch 1 and branch 2 can communicate with each other via the tunnel established with the headquarters. Summary of the Network
| Headquarters | Branch 1 | Branch 2
WAN 1 | 1.1.1.1
WAN 2 | 2.2.2.2
WAN 3 | 3.3.3.3
Algorithm | Tunnels (Local IP | Remote IP | Weight)
Branch1-HQ | Round-Robin | 1.1.1.1 | 3.3.3.3
Routing Rules: Source | Destination | Service | Group | Fail-Over
192.168.1.0/255.255.255.0 | 192.168.2.0/255.255.255.0 | Branch1-HQ | No-Action
The settings for branch 2 Set the field Local Host ID as Branch2
1 does not have any public links to the Internet and uses tunnel routing to connect to the Internet via the WAN in the headquarters. Branch 2 uses a public WAN link for Internet access. In the event of a WAN link failure, the tunnel between branch 2 and the headquarters office serves as the backup line for Internet connectivity.
HQ-Branch2 | No-Action
Any Address | 192.168.1.0/255.255.255.0 | HQ-Branch1 | No-Action
Auto Routing Settings Policies: Label | Algorithm | Parameter
WAN4 | Fixed | Tick the check box "4"
Default Policy | By Downstream Traffic | Tick the check boxes "1", "2", "3", "4" ...
Set the field Local Host ID as Branch2
Local Host ID: Branch2
Tunnel Group: Group Name | Remote Host | Algorithm | Tunnels (Local IP | Remote IP | Weight)
Branch2-HQ | Round-Robin | 2.2.2.2 | 3.3.3.3
Routing Rules: Source | Destination | Service | Group | Fail-Over
192.168.2.0/255.255.255.0 | 192.168.1.0/255.255.255.0 | Branch2-HQ | No-Action
It maps a WAN IP address and a service (port or ports) to an internal server IP. The order of virtual server rules works like any other rule table in FortiWAN: it uses the “first match” scheme, i.e., the first rule that matches the request takes effect.
FortiWAN can then redirect these external requests to the servers in the LAN or DMZ. Whenever an external request arrives, FortiWAN consults the Virtual Server table and redirects the packet to the corresponding server in the LAN or DMZ.
The real IP (IPv6) of the server, most likely in the LAN or DMZ. Check to enable logging: whenever the rule is matched, the system records the event to the log file. Example 1 The settings for the virtual servers look like:
Forward all requests from 211.21.48.197 to 192.168.0.15 in the LAN. Note: 1. FortiWAN can auto-detect both active and passive FTP servers. 2. All public IPs must be assigned to WAN 1. To configure these IPs, go to "IP(s) on Localhost of the Basic Subnet"...
Enable external users to access WAN IP 211.21.48.194, and forward packets of the TCP/UDP port range 2000-3000 to host 192.168.0.15. Note: Port range redirection is supported as well. Virtual server table for the settings above:
WAN IP | Service | Server Pool (Server IP | Detect Service | Weight)
211.21.48.194 | TCP@1999 | 192.168.0.100 | ICMP TCP@1999
192.168.0.101 | TCP@1999 TCP@1999
(defined in "Detection timeout in milliseconds"); otherwise the detection is considered failed (FortiWAN does not judge a WAN link to be down by just one detection failure). Regardless of whether a single detection succeeds, FortiWAN continues the detection after the number of seconds defined in "Detection Period in Second".
the IP address of a host picked at random from the list. The TTL (Time to Live) of the ping packet is determined by Hops and is generally set to "3". FortiWAN takes the TTL expired message as a valid response for an ICMP detection, even though the detection packet is not delivered to the destination.
, which includes the IPSec VPN overview, IPSec key exchange and How IPSec VPN works. The next topic describes how to set up FortiWAN IPSec VPN; see IPSec set up. IPSec VPN installation is divided into the following stages:...
To connect two separate networks over an intermediate network within an IPSec VPN, an IPSec VPN device must be deployed in front of each network. The IPSec VPN devices (the FortiWAN units) establish an IPSec VPN tunnel with each other. Each IPSec VPN device encrypts and encapsulates, or decapsulates and decrypts, the incoming packets (from the network behind it or from the opposite IPSec VPN device), and then forwards the packets to the destination (the opposite IPSec VPN device or the network behind it).
IP header by decryption, and forwards the packets to host 192.168.2.10. The processes for traffic in the opposite direction are the same. From the standpoint of FortiWAN A, FortiWAN A is the local unit and FortiWAN B is the remote unit, and vice versa.
(who also possess the secret key) to detect any changes to the message content. As with any MAC, it may be used to simultaneously verify both the data integrity and the authenticity of a message. FortiWAN IPsec VPNs offer the following MAC algorithms, in descending order of security: hmac-sha512: a SHA512-based MAC algorithm with 512-bit hash output.
(Authentication). The endpoint that begins the IKE Phase 1 negotiation declares who it is to the opposite endpoint, and the opposite endpoint verifies the identity. FortiWAN's IPSec employs a pre-shared key to achieve identity verification. The pre-shared key is a common key (similar to a password) pre-shared between the two entities that join in the Phase 1 negotiations.
Compared with Main mode, Aggressive mode may be less secure (weak identity protection and risk of pre-shared key cracking); the advantage of Aggressive mode is that it is faster than Main mode. FortiWAN's IPSec, however, does not support IKE Phase 1 in Aggressive mode; only Main mode is available.
IPsec Security Association, which protects the subsequent IPSec VPN communications. IKE Phase 2 is processed in one mode, called Quick Mode (New Group Mode is not supported by FortiWAN). Similar to Phase 1, in IKE Phase 2 another proposal of encryption and authentication algorithms is negotiated, shared secret keys are derived, and the negotiation sessions are authenticated.
IPSec protection). FortiWAN IPSec Transport mode is only available for Tunnel Routing. IPSec set up After the basic concepts of IPSec introduced previously, this section focuses on FortiWAN's IPSec and the configurations needed to set it up. FortiWAN provides a complete VPN solution through the cooperation of Tunnel Routing and IPSec.
FortiWAN provides standard Tunnel mode to build an IPSec VPN, as described previously. By encapsulating the encrypted packet with a new IP header, a tunnel is established between two FortiWAN units so that IPSec packets can be delivered between the private networks deployed behind the two units through the Internet (the public and untrusted network).
IPSec SAs abort so that) if those Phase 1 configurations on any two FortiWAN devices contain a common WAN link IP address, whether on the local side or the remote side. The following diagrams explain this in detail.
Both WAN link IP addresses, 2.2.2.2 and 4.4.4.4, participate in only one ISAKMP SA, ISAKMP SA 1. As for WAN link 3 on FortiWAN 2, its IP address 3.3.3.3 participates in ISAKMP SA 2 and ISAKMP SA 3 (more than one ISAKMP SA), which causes the establishment of ISAKMP SA 2 and ISAKMP SA 3 to fail.
The above diagram is another example of a valid IPSec deployment. There are three IPs deployed on FortiWAN 2's WAN link 2 (See "Configuring your WAN"), and each IP address participates in only one ISAKMP SA.
Consider the IPSec deployment among more than two FortiWAN devices as in the above example. ISAKMP SA | State | Reason: ISAKMP SA 1 | established | For the two FortiWAN devices (FortiWAN 1 and FortiWAN 2), the two WAN link IP addresses, 3.3.3.3 and 5.5.5.5, participate only in ISAKMP SA 1.
This implies the public IP addresses (local IP and remote IP) used to establish a VPN tunnel through the Internet. Note that only static IP addresses are supported. One WAN interface cannot serve more than one IPSec connection between any two FortiWAN devices. Take this into consideration when you determine the topology. See "...
IPSec VPN tunnel. The IPSec VPN tunnel is established through the connection of the two public IP addresses. You need to determine which WAN link of each FortiWAN unit connects to the other for an IPSec VPN tunnel; the IP addresses deployed on the two WAN ports are the two ends (local IP and remote IP) of the IPSec VPN tunnel.
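The constraint described above (a WAN link IP address may participate in only one ISAKMP SA, on either the local or the remote side) is easy to violate when several Phase 1 configurations are planned by hand. The following Python script is an added planning check, not FortiWAN's own code: the SA names and the 2.2.2.2, 3.3.3.3 and 4.4.4.4 addresses mirror the handbook's diagram, while 198.51.100.1, 198.51.100.2 and 198.51.100.3 are constructed placeholder addresses.

```python
# Added example (not FortiWAN code): validate a planned set of IPSec Phase 1
# configurations against the handbook's rule that a WAN link IP address may
# take part in only one ISAKMP SA, whether it is used as local IP or remote IP.
from collections import defaultdict


def find_invalid_isakmp_sas(phase1_configs):
    """phase1_configs: iterable of (sa_name, local_ip, remote_ip) tuples.

    Returns a dict {sa_name: [shared_ip, ...]} listing every ISAKMP SA that
    would fail to establish because one of its endpoint addresses is also
    used by another SA. An empty dict means the plan is valid.
    """
    sas_by_ip = defaultdict(set)
    for sa_name, local_ip, remote_ip in phase1_configs:
        if local_ip == remote_ip:
            raise ValueError(f"{sa_name}: local and remote IP are identical")
        sas_by_ip[local_ip].add(sa_name)
        sas_by_ip[remote_ip].add(sa_name)

    invalid = defaultdict(list)
    for ip, sa_names in sas_by_ip.items():
        if len(sa_names) > 1:  # this address participates in more than one SA
            for sa_name in sa_names:
                invalid[sa_name].append(ip)
    return {name: sorted(ips) for name, ips in sorted(invalid.items())}


# Constructed plan mirroring the handbook's diagram: 2.2.2.2 and 4.4.4.4 each
# appear in only ISAKMP SA 1, while 3.3.3.3 is reused by ISAKMP SA 2 and SA 3.
# The 198.51.100.x remote addresses are placeholders, not from the handbook.
INVALID_PLAN = [
    ("ISAKMP SA 1", "2.2.2.2", "4.4.4.4"),
    ("ISAKMP SA 2", "3.3.3.3", "198.51.100.1"),
    ("ISAKMP SA 3", "3.3.3.3", "198.51.100.2"),
]

# The remedy the handbook's second diagram shows: deploy an additional IP
# address on that WAN link (placeholder 198.51.100.3 here) so that every
# address participates in exactly one ISAKMP SA.
VALID_PLAN = [
    ("ISAKMP SA 1", "2.2.2.2", "4.4.4.4"),
    ("ISAKMP SA 2", "3.3.3.3", "198.51.100.1"),
    ("ISAKMP SA 3", "198.51.100.3", "198.51.100.2"),
]

if __name__ == "__main__":
    for label, plan in (("invalid", INVALID_PLAN), ("valid", VALID_PLAN)):
        problems = find_invalid_isakmp_sas(plan)
        print(f"{label} plan:", problems or "no conflicts")
```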
The modes for parameter exchange used in IKE Phase 1 negotiations are Main mode and Aggressive mode. A FortiWAN unit exchanges Phase 1 parameters with the remote unit in Main mode only. In Main mode, the Phase 1 parameters are exchanged in six messages with encrypted authentication information. As introduced previously, Main mode gives more secure authentication by encryption with the negotiated secret key.
you need to make sure that the IKE Phase 1 proposals on the two FortiWAN units are exactly the same, or the Phase 1 negotiation fails. IKE Phase 1 Web UI fields Go to Service > IPsec, select Tunnel Mode or Transport Mode and click the add button to add a new Phase 1 configuration panel.
Remote IP Type the IP address of the remote FortiWAN's WAN port used to establish the IPSec VPN tunnel with the local FortiWAN unit. Packets of IKE negotiations (both Phase 1 and Phase 2) and IPSec VPN communications are transferred through this WAN port on the remote side.
Enter the time interval (in seconds) during which the negotiated secret key (used for the ISAKMP SA) is valid. When the key expires, IKE Phase 1 is performed automatically to negotiate a new key without interrupting normal IPSec VPN communications.
IP address, destination port and protocol of a packet. For Tunnel Mode, it usually implies the hosts (or a network) behind the two FortiWAN units trying to communicate with each other through the IPSec VPN tunnel established between the two FortiWANs. Make sure the Quick Mode selector of one endpoint corresponds to that of the opposite endpoint.
Transport mode established on a TR tunnel (Local IP and Remote IP) protects all the passing TR packets. Therefore, multiple Phase 2 sets within a Phase 1 are not required for Transport mode. Remember that FortiWAN supports only two kinds of site-to-site IPSec VPN: "IPSec Tunnel mode" and "Tunnel Routing over IPSec Transport mode".
It is also the index used in Statistics > IPSec (IPSec Statistics) (See " "). Hide Details / Show Details Click to expand or collapse the configuration details.
IKE Phase 2 negotiations. Make sure the Phase 2 proposals of both units performing the Phase 2 negotiations are compatible. Incompatible proposals cause the Phase 2 negotiations to fail.
AES192: A 128-bit block algorithm that uses a 192-bit key. AES256: A 128-bit block algorithm that uses a 256-bit key. The remote peer or client must be configured to use at least one of the encryption proposals that you define.
SHA384: A SHA384-based MAC algorithm (hmac-sha384) with 384-bit message digest. SHA512: A SHA512-based MAC algorithm (hmac-sha512) with 512-bit message digest. The remote peer or client must be configured to use at least one of the authentication proposals that you define.
PFS Group 1: Enable PFS with DH Group 1, 768-bit group
PFS Group 2: Enable PFS with DH Group 2, 1024-bit group
PFS Group 5: Enable PFS with DH Group 5, 1536-bit group
PFS Group 14: Enable PFS with DH Group 14, 2048-bit group
" ". So far, we have introduced the concept of IPSec VPN and how to configure FortiWAN's IPSec settings. However, successful IPSec VPN establishment and communication actually requires cooperation between FortiWAN's IPSec and other functions: Auto Routing, NAT and Tunnel Routing. In other words, besides the IPSec configuration, corresponding Auto Routing, NAT or Tunnel Routing policies are required to set up an IPSec VPN.
IPSec VPN communications (called "ESP packets" here). An IKE packet comes from the local FortiWAN unit and its source IP address is the configured Local IP (a WAN port); an ESP packet comes from a private network behind the local FortiWAN and its source IP address is a private IP address.
The Auto Routing filter for IKE negotiation must be configured with the Local IP and Remote IP (the IP addresses of the WAN ports of the two FortiWAN units). Remember that the IPSec SAs are established on the WAN ports of both FortiWANs.
Routing of packets to be transferred through the IPsec VPN between the private networks (LANs) behind the two sites (local and remote) is also controlled by FortiWAN's Auto Routing. Packets must be routed to the WAN link on which the IPSec SA is established, so that they can be processed (evaluated by the Quick Mode selector and ESP-encapsulated) by IPSec on that WAN port.
Auto Routing determines a WAN link for them. In IPSec VPN Tunnel mode, communication packets usually come from the LAN subnet of FortiWAN and are evaluated against the NAT rules before the Phase 2 Quick Mode selector. If the source address of an IPSec packet is translated to another address by NAT, the packet fails to match the Quick Mode selector and the IPSec communication fails.
To set up an IPSec Tunnel-mode VPN, we suggest the following steps:
1. Configure Network Settings on both units.
2. Define corresponding Auto Routing and NAT policies on both units.
3. Configure the settings of IPSec Tunnel mode Phase 1 and Phase 2 on both units.
As described previously, IPSec Transport mode provides secure data transmission without IP tunneling (IP encapsulation). However, IPSec Transport mode can protect FortiWAN's Tunnel Routing, which yields a more secure (compared to plain TR) and more efficient (compared to the "IPsec Tunnel mode VPN", in terms of load balancing and fault tolerance) VPN application.
IPSec communication. For the details of Auto Routing, see " ". Because packets of IKE negotiations are generated from FortiWAN's localhost, the Source field of an AR filter must be set to "Localhost" to match the negotiation traffic and direct it to the correct WAN link.
Define Tunnel Routing policies for IPSec communications As for the communication packets between the networks behind the two FortiWAN units, Tunnel Routing controls their routing. You need the configurations to set up the two TR tunnels, and the policies to route GRE packets over the TR tunnels.
"). For example, IPSec Transport mode, IKEv2, authentication with certificates, IKE Phase 1 Aggressive mode, NAT traversal, dynamic IP addresses, and some algorithms are not supported in this deployment. An example explaining how to set up a simple IPSec VPN (Tunnel mode) between a FortiWAN and a FortiGate is introduced below:
Page 208
Perfect Forward Secrecy (PFS): enable
Phase 2 DH Group: 5
Phase 2 Keylife: 120 Secs
Configurations on FortiWAN
To set up the IPSec VPN, configurations of Network Setting, Auto Routing, NAT and IPSec are required on FortiWAN (See "...
Label: IPSec_WAN1 (any name you desire)
Enable Threshold or not
Algorithm: Fixed
Parameter: Only 1 is checked
IPv4 Filter: Two IPv4 filters, one for IKE negotiations and another for general IPSec communication.
When: All-Time / All-Time
". IPSec
Go to Service > IPSec, and create a Tunnel Mode: Phase 1
Name: IPSec_FGT_P1
Local IP: 10.12.102.42
Remote IP: 10.12.136.180
Authentication Method: Pre-shared Key: 12345
Mode: Main (ID protection)
Dead Peer Detection: Disable
1.1.1.0/255.255.255.0 Port Protocol
So far, the IPSec VPN setup on the FortiWAN side is complete; the configurations on the FortiGate side are introduced next.
IPSec VPN in the Web UI
For the details of IPSec parameters, see "...
Remote Gateway: Static IP Address
IP Address: 10.12.102.42
Interface: WAN1
Mode Config: Disable
NAT Traversal: Disable
Dead Peer Detection: Disable
Authentication Method: Pre-shared key
Pre-shared key: 12345
Version:
Mode: Main (ID protection)
Phase 1 Proposal
Authentication: disable
Enable Replay Detection: enable
Enable Perfect Forward Secrecy (PFS):
Diffie-Hellman Group:
Local Port: All (checked)
Remote Port: All (checked)
Protocol: All (checked)
Autokey Keep Alive: disable
Auto-negotiate: disable
Key Lifetime: Seconds
Go to Router > Static > Static Routes, and click Create New to create two rules, one for WAN1 and one for the IPSec tunnel IPSec_to_FWN_P1:
Destination IP/Mask | Device | Gateway
0.0.0.0/0.0.0.0 | wan1 | 10.12.136.254
2.2.2.0/255.255.255.0 | IPSec_to_FWN_P1 |
Optional Services
As an edge device, FortiWAN provides other functions besides the major traffic load balancing and fault tolerance. These optional functions are helpful for managing the network in many ways.
Firewall
This section introduces how to set up the firewall. An unlimited number of rules can be added to the firewall rule list. The rules are prioritized from top to bottom, that is, rules at the top of the table take precedence over lower-ranked ones.
All other packets are blocked. The rules table for the example will look like this (columns: Source, Destination, Service, Action):
211.21.48.195 FTP (21) Accept Deny HTTP (80) Accept SMTP (25) Accept FTP (21) Accept POP3 (110) Accept Deny
The hosts 192.168.0.100 – 192.168.0.150 in the LAN can access the Internet (WAN) but the others cannot. Users from the Internet (WAN) cannot connect to port 443 on FortiWAN (i.e. Web Administration on FortiWAN). Note: “Localhost” represents the address of the FortiWAN host machine.
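A top-down, first-match evaluator for an ordered rule table like the one above, added here as an example and not FortiWAN's own code. It assumes constructed zone subnets and FortiWAN host addresses, and encodes the rules of this example: hosts 192.168.0.100-192.168.0.150 may reach the WAN, other LAN hosts may not, and WAN users cannot reach port 443 on Localhost.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Zone membership and the FortiWAN host addresses are constructed for this
# example; on a real unit they come from Network Settings.
ZONES = {
    "LAN": [ipaddress.ip_network("192.168.0.0/24")],
    "DMZ": [ipaddress.ip_network("211.21.48.192/28")],   # hypothetical DMZ subnet
}
LOCALHOST = {ipaddress.ip_address("192.168.0.1"),       # hypothetical LAN port IP
             ipaddress.ip_address("203.0.113.2")}        # hypothetical WAN port IP


@dataclass
class Packet:
    src: str
    dst: str
    proto: str   # "TCP", "UDP" or "ICMP"
    dport: int


@dataclass
class Rule:
    source: str        # Any | Localhost | LAN | DMZ | WAN | a-b range | CIDR | single IP
    destination: str
    service: str       # "Any" or "<PROTO>/<port>", e.g. "TCP/443"
    action: str        # "Accept" or "Deny"


def zone_of(addr) -> str:
    """Classify an address: Localhost first, then configured zones, else WAN."""
    if addr in LOCALHOST:
        return "Localhost"
    for zone, nets in ZONES.items():
        if any(addr in net for net in nets):
            return zone
    return "WAN"


def address_matches(selector: str, address: str) -> bool:
    addr = ipaddress.ip_address(address)
    sel = selector.strip()
    if sel.lower() == "any":
        return True
    if sel in ("Localhost", "LAN", "DMZ", "WAN"):
        return zone_of(addr) == sel
    if "-" in sel:                                   # "a.b.c.d-a.b.c.e" range
        low, high = (ipaddress.ip_address(p.strip()) for p in sel.split("-", 1))
        return low <= addr <= high
    if "/" in sel:                                   # CIDR subnet
        return addr in ipaddress.ip_network(sel, strict=False)
    return addr == ipaddress.ip_address(sel)         # single host


def service_matches(service: str, pkt: Packet) -> bool:
    if service.lower() == "any":
        return True
    proto, _, port = service.partition("/")
    return pkt.proto.upper() == proto.upper() and (port == "" or int(port) == pkt.dport)


def evaluate(rules: List[Rule], pkt: Packet, default: str = "Deny") -> Tuple[str, Optional[int]]:
    """Walk the table top to bottom and return (action, index) of the first
    matching rule, or (default, None) when nothing matches."""
    for index, rule in enumerate(rules):
        if (address_matches(rule.source, pkt.src)
                and address_matches(rule.destination, pkt.dst)
                and service_matches(rule.service, pkt)):
            return rule.action, index
    return default, None


# The rules of the example in the text, in the order they must appear:
EXAMPLE_RULES = [
    Rule("192.168.0.100-192.168.0.150", "WAN", "Any", "Accept"),
    Rule("LAN", "WAN", "Any", "Deny"),
    Rule("WAN", "Localhost", "TCP/443", "Deny"),
]

if __name__ == "__main__":
    for pkt in (Packet("192.168.0.120", "198.51.100.9", "TCP", 80),
                Packet("192.168.0.10", "198.51.100.9", "TCP", 80),
                Packet("198.51.100.9", "203.0.113.2", "TCP", 443)):
        print(pkt, "->", evaluate(EXAMPLE_RULES, pkt))
```

Swapping the first two rules shows why order matters: the LAN-wide Deny would then shadow the Accept for the permitted range.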
Reports: Firewall
FortiWAN is an edge device that is usually placed on the boundary between WAN and LAN. When a connection is established from a private IP address (in the LAN or DMZ) to the Internet (WAN), it is necessary to translate the private IP address into one of the public IP addresses assigned to the FortiWAN's WAN link.
WAN link 1 as follows:
When = All-Time, Source = 2001::/64, Destination = Any Address, Service = Any, Translated = No NAT
When = All-Time, Source = Any Address, Destination = Any Address, Service = Any, Translated = 2001::1
Enable the function, and NAT will translate any private IP to a fixed public IP assigned to a given WAN link. Disable the function, and FortiWAN will act as a general router, letting hosts in the WAN directly access hosts in the DMZ.
The option [Dynamic IP] is available when a dynamic WAN link (Bridge Mode: PPPoE) is applied. Bridge Mode: DHCP does not support IPv6/IPv4 dual stack. Note that this field must be an IPv6 address obtained from the public DMZ subnet with a prefix length of 64 bits or less.
Any Address 172.31.5.51
Disable NAT: Disable NAT sets FortiWAN to Non-NAT mode, whereby all the WAN hosts can access DMZ hosts directly with proper routing setup. In this mode, FortiWAN acts as a router connecting multiple subnets.
Non-NAT is commonly used on private networks and MPLS networks, which makes it possible for the hosts of a branch office to directly access the headquarters. In case ISP 1 is down, FortiWAN will automatically route traffic to ISP 2 and, accordingly, serve as a VPN load balancer based on the status of each link.
A second connection will be considered a "new" one. Then Auto Routing will route the connection through a different WAN link.
Example 1
The persistent routing policies to be established accordingly:
Connections from IP address 211.21.48.196 in the DMZ to the WAN subnet 10.10.1.0/24 do NOT use persistent routing. Since the default action of IP Pair Rules is Do PR, if no rule is added, all connections will use persistent routing. The persistent routing table will then look like:
FortiWAN Bandwidth Management (BM) defines inbound and outbound bandwidth based on traffic direction: taking FortiWAN as the center, traffic flowing from WAN to LAN is inbound traffic, and traffic in the other direction is outbound traffic. No matter in which direction a connection is established, a connection contains both inbound and outbound traffic. This section mainly explains how to guarantee bandwidth based on priority settings, and how to manage inbound and outbound traffic by configuring busy/idle hours, data source/destination, service type, etc.
Priority: The priority of the connections on the WAN link. It can be High, Normal, or Low. Connections with higher priority are allocated bandwidth first.
Inbound & Outbound IPv4/IPv6 Filter
A filter is used to evaluate the traffic passing through FortiWAN by its source, destination and service. Traffic that matches the filter is associated with the corresponding BM class, so that the traffic is shaped according to the bandwidth allocation of the class.
In FortiWAN Reports, statistics of the traffic transferred through Tunnel Routing are shown as GRE, but they cannot be drilled down to the individual services. On the other hand, you cannot recognize traffic as FortiWAN's...
211.21.48.198 in the DMZ is 500K on WAN1, and 300K on WAN2 and WAN3. The guaranteed bandwidth is 200K on WAN1, WAN2 and WAN3. The bandwidth is prioritized as "Low" during both busy and idle periods.
During the busy period, the maximum bandwidth for hosts in the LAN zone to download data from the FTP server 192.192.10.10 is 128K on WAN1, 128K on WAN2, and 64K on WAN3. During the idle period, the maximum bandwidth
Normal Normal WAN3 Normal Normal WAN1 Normal Normal 192.168.0.10-50 WAN2 WAN3 WAN1 High High 192.168.100.0/24 WAN2 High High WAN3 High High
Filter Settings (Source, Destination, Service, Classes) for LAN Zone:
192.192.10.10 SMTP(25) 192.168.0.10-192.168.0.50 HTTP(80) 192.168.0.10-50
211.21.48.198 in the DMZ is 256K on WAN1 and WAN2, and 512K on WAN3. The guaranteed bandwidth is zero on WAN1, WAN2 and WAN3, and the bandwidth is prioritized as "Low" during both busy and idle periods.
WAN. The other scenario is a remote user in the WAN downloading data from an FTP server in the LAN. Both of these scenarios send data from LAN to WAN. Thus configuring BM rules for these two scenarios on the inbound BM page is necessary.
IP address every second. The source of the connection can be any of the following options: IP address, IP Range, Subnet, WAN, LAN, DMZ, Localhost, and any specific IP address. FortiWAN provides mechanisms to record, notify and analyze events related to the Connection Limit service, see "...
Cache Redirect FortiWAN is capable of working with external cache servers. When a user requests a page from a web server on the internet, FortiWAN will redirect the request to the cache server. If the requested web page is already on the cache server, it will return the page to the user, thus saving time on data retrieval.
Example 1: The Requested Web Page is NOT on the Cache Server
When FortiWAN receives a request from a client, the request will be redirected to the cache server. The cache server will determine whether the requested data already exists. If not, the request will be performed on behalf of the client, and the data returned from the web server will be delivered to the client.
When FortiWAN receives a request from a client, the request will be redirected to the cache server. In this case, the requested data already exists on the cache server. Therefore it will return the requested data to the client without passing the actual request to the Internet.
Internal DNS
IP Address: Enter the IPv4/IPv6 address of the primary workstation.
CName Record
Alias: Enter the alias of the domain name. For example, if "www1.abc.com" is the alias of "www.abc.com" (the domain name), enter “www1” in this field.
Name server - Enter the prefix of the domain name (e.g. if the FQDN of the host is "ns1.abc.com", enter "ns1").
IPv4 address - Enter the corresponding IPv4 address of the domain name.
IPv6 address - Enter the corresponding IPv6 address of the domain name.
It is implemented by redirecting outgoing DNS requests to a specified DNS server. No matter which external DNS server a host is using, for any outgoing DNS request passing through FortiWAN, DNS Proxy replaces the original destination IP of the request with the IP of another DNS server specified on each WAN link.
DNS requests for the specified domain name will be matched. A wildcard character is accepted for the left-most label of a domain name, e.g. *.fortinet.com or *fortinet.com. Note that other formats such as www.*.com, www.fortinet.* or *.fortinet.* are not supported. Leave it blank for any domain name.
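A matcher that implements the domain filter rule stated above (wildcard only as the left-most label or its prefix, blank means any domain), added as an example and not FortiWAN's own code. Where the page does not say whether "*.fortinet.com" also covers the bare "fortinet.com", or whether "*fortinet.com" covers "myfortinet.com", the choices made are assumptions and are marked in the comments.

```python
import re
from typing import List, Optional, Tuple

# A syntactically valid DNS label (letters, digits, inner hyphens, max 63 chars).
_LABEL = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")


def _normalize(name: str) -> str:
    """Lower-case and drop a trailing dot so 'WWW.Fortinet.COM.' compares equal."""
    return name.strip().lower().rstrip(".")


def validate_domain_filter(pattern: str) -> str:
    """Return the normalized pattern, or raise ValueError for the forms the page
    calls unsupported: a wildcard anywhere but the left-most position, or more
    than one wildcard. A blank pattern is valid and means 'any domain name'."""
    pat = _normalize(pattern)
    if pat == "":
        return pat
    if pat.count("*") > 1 or ("*" in pat and not pat.startswith("*")):
        raise ValueError(f"unsupported wildcard placement: {pattern!r}")
    body = pat[1:].lstrip(".") if pat.startswith("*") else pat
    if body == "":
        raise ValueError(f"wildcard must be followed by a domain: {pattern!r}")
    for label in body.split("."):
        if not _LABEL.match(label):
            raise ValueError(f"invalid label {label!r} in {pattern!r}")
    return pat


def is_supported_pattern(pattern: str) -> bool:
    try:
        validate_domain_filter(pattern)
        return True
    except ValueError:
        return False


def domain_matches(pattern: str, query: str) -> bool:
    """Match one queried name against one filter pattern."""
    pat = validate_domain_filter(pattern)
    q = _normalize(query)
    if pat == "":
        return True                               # blank: any domain
    if pat.startswith("*."):
        # "*.fortinet.com": at least one label before the suffix; whether the
        # bare "fortinet.com" also matches is not stated on the page, so it is
        # treated as not matching here (assumption).
        suffix = pat[1:]                          # ".fortinet.com"
        return q.endswith(suffix) and len(q) > len(suffix)
    if pat.startswith("*"):
        # "*fortinet.com": the wildcard stands for any prefix string, including
        # the empty one, so "fortinet.com" and "myfortinet.com" match (assumption).
        return q.endswith(pat[1:])
    return q == pat


def first_matching_rule(rules: List[Tuple[str, str]], query: str) -> Optional[str]:
    """Rules are (domain pattern, target) pairs evaluated in order; return the
    target of the first match, the way a per-domain DNS Proxy lookup would."""
    for pattern, target in rules:
        if domain_matches(pattern, query):
            return target
    return None
```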
Compile the FortiWAN MIB file into your SNMP manager. Make sure at least one network interface is well configured to send out SNMP traps and receive SNMP requests. The SNMP manager can communicate with a FortiWAN unit via the IP addresses configured on the localhost of a WAN port, DMZ port or LAN port in Network Settings (See "...
Users can specify the IP-MAC table by classifying periods such as peak hours and idle hours. Once the IP-MAC table is set up, a packet from a certain IP address can pass through FortiWAN only when its MAC address matches the table entry and the time period.
Statistics
This topic deals with the FortiWAN network surveillance system. Comprehensive statistics are collected to monitor networking status, bandwidth usage per traffic class, and dynamic IP WAN links. These data offer deep insight into the network and help detect unexpected network failures, boosting network reliability and efficiency.
Count: Number of connections that the current persistent routing rule applies to.
Timeout: Length of time to elapse before the current connection times out.
The WAN link through which the current persistent routing connection travels.
Time interval to refresh table results.
WAN connected by either PPPoE or DHCP.
IP Address: IP allocated to the current WAN link.
Gateway: Gateway’s IP address for the current WAN link.
Netmask: Subnet mask.
Dynamic DNS Server IP.
Automatic Refresh: Select the auto-refresh interval, or disable the function.
Network IP: Shows the Network IP of the private subnet.
Netmask: Shows the Netmask of the private subnet.
Gateway: Shows the Gateway of the private subnet.
IP address, and then release the occupied memory. When the system is under attack with high volumes of malicious connections, FortiWAN's Connection Limit (See "Connection Limit") stops subsequent connections established by the malicious IP addresses, but it takes time to recover the system from the bandwidth and memory occupied by those malicious connections that are already in the system.
Statistics: FQDN
The IPv4 and IPv6 addresses of the FQDNs that connected via FortiWAN are shown on this page.
IPv4 FQDN
FQDN: The FQDN connected via FortiWAN.
IPv4 Address: IPv4 addresses of the FQDN connected via FortiWAN. It maintains 20 addresses at most.
Database and Security Policy Database.
Security Association Database: Lists information of each IPSec SA including local and remote IP addresses, negotiated encryption and authentication algorithms, timing and the states.
Local IP: The local IP address of the IPSec SA.
For IPSec in Transport mode, this is the source IP address of the Tunnel Routing packets (GRE encapsulated), which is equal to the Local IP of the IPSec SA (the Local IP configured in Phase 1). Port information will not be listed in this case.
Bandwidth Management, which implies that traffic of Tunnel Routing and IPSec is partially transparent to the statistics function. FortiWAN gives traffic statistics in three ways: BM log, statistics on the Web UI and FortiWAN Reports. Traffic statistics for Tunnel Routing and IPSec in these three ways are discussed as follows.
Tunnel Routing becomes invisible in Reports. The GRE traffic passing through FortiWAN from other VPN devices and the GRE traffic generated by FortiWAN Tunnel Routing are both counted into the service GRE on the page Reports > Bandwidth Usage > Services, which might be confusing. Drilling down by Internal IP, Inclass or Outclass can tell them apart. As for traffic transferred through IPSec, Reports counts the traffic by individual application (the original packets before/after ESP encapsulation/decapsulation) rather than counting it into the service ESP.
From the BM logs, we have no idea which one is transferred through Tunnel Routing. What we know from the logs is that 100MB of FTP traffic and 100MB of HTTP traffic passed through FortiWAN, 200MB in total. On the page Statistics > Tunnel Traffic, we see 60MB of tunnel traffic (part of the 200MB) belonging to the tunnel group.
View
This topic deals with how to configure logging and how to forward logs. Log records keep FortiWAN data and are capable of storing a wide variety of data concerning System, Firewall, Routing, bandwidth management, etc.
Log Control: Log files can be forwarded to other servers for archiving or for notifying events via emails (see "...
This log indicates that the source addresses of the packets of {IP-5-TUPLE} are translated to the new address {ADDR} by NAT. See " " for further information.
Auto & Persistent Routing
AR {IP-5-TUPLE} AR=[<widx>|NONE] TOTLEN=<pktlen>
This log is triggered every time period if the number of connections generated by a source SRC=<ip> exceeds the limit defined in Connection Limit > Count Limit. This log indicates that the connections generated by SRC=<ip> and passing through FortiWAN exceed the limit, and <pkt_number> packets are dropped for this reason.
DHCP
DHCP WLINK=<widx> ACTION=<init|renew|rebind|expired|failed|release|stop|bind> [IP=<ip>]
The system triggers this log when a DHCP WAN link <widx> performs ACTION. ACTION=bind and IP=<ip> are always generated in pairs in a log.
PPPoE
PPPOE WLINK=<widx> ACTION=<start|terminated|bind> [IP=<ip>]
This log is triggered when a single GRE tunnel FROM=<ip> TO=<ip> performs the action ACTION. See "Tunnel Routing" for further information.
IPSec
ISAKMP-SA <established|expired|deleted> <LOCAL_IP_PORT>-<REMOTE_IP_PORT>
An ISAKMP SA between <LOCAL_IP_PORT> and <REMOTE_IP_PORT> is established, expired or deleted.
IPsec-SA <established|expired>: ESP/<Transport|Tunnel> <LOCAL_IP_PORT>-><REMOTE_IP_PORT>
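A parser for the two IPSec log formats above that replays them into per-peer SA state, so that a peer whose IPsec SA expired and was not re-established can be flagged; it is an added example, not FortiWAN code. The page does not show how <LOCAL_IP_PORT> is written, so the "ip[port]" form is an assumption, and the sample log is constructed (reusing the example addresses from the FortiWAN/FortiGate walkthrough earlier on this page).

```python
import re
from typing import Dict, List, Optional, Tuple

# The two IPSec log formats quoted on this page. The page does not show how
# <LOCAL_IP_PORT> is written; "ip[port]" is assumed here.
_ENDPOINT = r"(\d{1,3}(?:\.\d{1,3}){3})\[(\d+)\]"
ISAKMP_RE = re.compile(
    r"ISAKMP-SA (established|expired|deleted) " + _ENDPOINT + "-" + _ENDPOINT)
IPSEC_RE = re.compile(
    r"IPsec-SA (established|expired): ESP/(Transport|Tunnel) "
    + _ENDPOINT + "->" + _ENDPOINT)

Peer = Tuple[str, str]   # (local IP, remote IP)


def parse_sa_event(line: str) -> Optional[dict]:
    """Return the fields of an ISAKMP-SA or IPsec-SA log line, or None for
    any other log (DHCP, PPPoE, AR, ...). search() tolerates a timestamp prefix."""
    m = ISAKMP_RE.search(line)
    if m:
        return {"layer": "ISAKMP", "event": m.group(1), "mode": None,
                "local": m.group(2), "remote": m.group(4)}
    m = IPSEC_RE.search(line)
    if m:
        return {"layer": "IPsec", "event": m.group(1), "mode": m.group(2),
                "local": m.group(3), "remote": m.group(5)}
    return None


def sa_state(lines: List[str]) -> Dict[Peer, dict]:
    """Replay the log in order and keep, per peer pair, the last ISAKMP and
    IPsec event, the ESP mode, and how many times the IPsec SA was re-established
    after its first establishment (rekeys)."""
    state: Dict[Peer, dict] = {}
    for line in lines:
        ev = parse_sa_event(line)
        if ev is None:
            continue
        peer = (ev["local"], ev["remote"])
        entry = state.setdefault(
            peer, {"isakmp": None, "ipsec": None, "mode": None, "rekeys": 0})
        if ev["layer"] == "ISAKMP":
            entry["isakmp"] = ev["event"]
        else:
            if ev["event"] == "established" and entry["ipsec"] is not None:
                entry["rekeys"] += 1
            entry["ipsec"] = ev["event"]
            entry["mode"] = ev["mode"]
    return state


def peers_without_active_sa(lines: List[str]) -> List[Peer]:
    """Peers whose IPsec SA was seen but is not currently established: the
    condition an operator watching for a silently dropped VPN cares about."""
    return sorted(peer for peer, e in sa_state(lines).items()
                  if e["ipsec"] is not None and e["ipsec"] != "established")


# Constructed sample log: the page's example peers plus one documentation-range
# peer whose SA expires and is never re-established.
SAMPLE_LOG = """\
ISAKMP-SA established 10.12.102.42[500]-10.12.136.180[500]
IPsec-SA established: ESP/Tunnel 10.12.102.42[500]->10.12.136.180[500]
IPsec-SA expired: ESP/Tunnel 10.12.102.42[500]->10.12.136.180[500]
IPsec-SA established: ESP/Tunnel 10.12.102.42[500]->10.12.136.180[500]
ISAKMP-SA established 10.12.102.42[500]-192.0.2.77[500]
IPsec-SA established: ESP/Transport 10.12.102.42[500]->192.0.2.77[500]
IPsec-SA expired: ESP/Transport 10.12.102.42[500]->192.0.2.77[500]
ISAKMP-SA deleted 10.12.102.42[500]-192.0.2.77[500]
DHCP WLINK=1 ACTION=renew
"""

if __name__ == "__main__":
    for peer, entry in sa_state(SAMPLE_LOG.splitlines()).items():
        print(peer, entry)
    print("needs attention:", peers_without_active_sa(SAMPLE_LOG.splitlines()))
```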
Error in starting daemon for page Service -> Internal DNS
Error in starting daemon for page Service -> Multihoming
Info access error Cannot save log/event settings
Update System firmware updated
Config System configuration restored
Multihoming daemon file write error
Preceded by the booting peer. Enter the Slave state.
Master heartbeat detected. Enter the Slave state.
Slave heartbeat detected. Enter the Master state.
Panic heartbeat detected. Enter the Master state.
No heartbeat detected. Enter the Master state.
Log Control
Log Control sets how data are forwarded from FortiWAN to servers via FTP, E-mail and Syslog (protocol) for archiving and analysis. Configure the log push method for one log type at a time, or use “Copy Settings to All Other Log Types”, which copies the settings of one log type to the others and avoids unnecessary duplication of settings.
Start time for the scheduled push.
Period: Duration of the scheduled push.
Methods: FortiWAN transfers logs with FTP, Email and Syslog. It forwards logs to an external FTP server, to the administrator’s mail account via SMTP, or to a remote syslog server.
Server: FTP Server’s IP or domain name...
SMTP Port: Specify the port (465 by default) that SSL-encrypted SMTP uses if the SSL check box is checked. FortiWAN uses the fixed port 25 for non-encrypted SMTP. This field has no effect if SSL is unchecked.
SSL: Check to enable SMTP transfers over SSL.
WAN link) will be sent as an event notification when it exceeds the threshold.
Select All: Click to check all the event types.
Clear All: Click to uncheck all the event types.
Enable Reports
FortiWAN's Reports provides long-term and advanced data analysis by processing system logs into a database. The original logs FortiWAN generates contain raw data which is yet to be processed, and Reports organizes and analyzes these data into readable statistics.
MIS personnel can perform offline and more detailed analysis of the data to gain insight into user traffic patterns for better network design and management policy definition. However, FortiWAN generates large volumes of raw activity logs during the process of monitoring its functions. For long-term or trend analysis, Reports is an online companion tool that greatly simplifies the analysis of the data.
Reporting can be done over a range of dates by specifying the start date and the end date on the Calendar.
Enable Reports
Please complete the necessary settings to enable FortiWAN Reports via Log > Reports (See "Enable Reports") or...
Export and Email
All reports generated by FortiWAN can be sent to users via email. Reports saved in PDF or CSV format can be sent out as email attachments. Click the Email button in the upper right corner of any report page to edit the settings of the report email. In the settings dialog, you may send the current report through email immediately.
The line chart in the Total Bandwidth panel displays the distribution of traffic (inbound and outbound) that passed through FortiWAN over the past hour. The horizontal (x) axis is graduated in minutes, and the vertical (y) axis is graduated in bps (average) to indicate the bandwidth usage. The distributions of inbound and outbound traffic are marked with different colors.
80%. The line chart in the CPU panel displays the distribution of FortiWAN's CPU usage over the past hour. The horizontal (x) axis is graduated in minutes, and the vertical (y) axis is graduated in % to indicate the CPU usage. Moving the mouse over any point of the distribution displays the exact percentage of CPU used at that time.
The disk space used by Reports' database.
Bandwidth
The Bandwidth report shows the traffic distribution over the date range defined. Your FortiWAN model is rated by its data throughput (and number of simultaneous connections). This report will help you determine whether you are using the correct FortiWAN model and bandwidth capability for the data volumes at your location.
Outbound bps: Traffic originating from inside of FortiWAN, going to the external port.
The CPU report shows the distribution of FortiWAN's CPU usage over the date range defined. CPU usage is a measure of how much traffic is being managed or how many services FortiWAN is required to perform on that traffic. Sustained usage near 80% is a good indicator that a larger FortiWAN model is required to handle the traffic and services load.
(among other things as noted above). This report will help you determine if you are using the correct FortiWAN model for the number of connections in use by your users.
FortiWAN supports various numbers of WAN links; for example, FortiWAN 700 supports 25 WAN links, and FortiWAN 5000 and FortiWAN 6000 support 50 WAN links. The WAN Status report shows the status of every WAN link of FortiWAN. The various statuses are defined below.
"). Statistics Table
Group: The Tunnel Group configured on FortiWAN that the failed TR link belongs to. Select “Group” as the primary sort key by clicking on the column title “Group”.
Local IP: Local IP address of the failed TR link in the Tunnel Group. Select “Local IP” as the primary sort key by clicking on the column title “Local IP”.
Report: Internal IP
Report: Traffic Rate
Inclass
This report shows the statistics of each inbound class as defined in FortiWAN’s Bandwidth Management function (See "Bandwidth Management"). Each class is a classification (by service, by IP address, etc.) of incoming traffic that passed through FortiWAN.
In Class. Traffic Rate: bandwidth distribution generated by this In Class over the date range defined.
Outclass
This report shows the statistics of each outbound class as defined in FortiWAN’s Bandwidth Management function (See "Bandwidth Management").
Export reports and send reports through email (See " ").
Pie Chart: A pie chart of traffic statistics is generated based on the WAN links defined on FortiWAN.
Bar Chart: Bar chart statistics show the actual data volume used by the top 10 WAN links.
Traffic Rate: bandwidth distribution generated by this WAN link over the date range defined.
Services
This report shows the statistics of traffic that passed through FortiWAN by various services.
Create a Report: Create a report for a specific day or over a range of dates (See "...
Traffic Rate: bandwidth distribution generated by this Service over the date range defined.
Internal IP
This report shows the statistics of traffic that passed through FortiWAN by Internal IP addresses.
Create a Report: Create a report for a specific day or over a range of dates (See "...
Traffic Rate: bandwidth distribution generated by this Internal IP address over the date range defined.
Traffic Rate
This report shows the statistics of traffic that passed through FortiWAN by Traffic Rate.
Create a Report: Create a report for a specific day or over a range of dates (See "...
Function Status
This report category monitors the status of FortiWAN’s major functions over a long period. Long-term statistics of function status are helpful to administrators. This category is further divided into Connection Limit, Firewall, Virtual Server and Multihoming.
FortiWAN’s Multihoming function performs load balancing and fault tolerance between WAN links for inbound traffic. Users from the public network are told dynamically by FortiWAN the best available WAN link to access in order to reach specific resources on the internal network (See "...
Lists the Domain Name and the count of the number of times this domain was accessed, sorted by the FQDN (default). FQDN: the domain name configured on FortiWAN. Select “FQDN” as primary sorting via clicking on the column title “FQDN”.
Advanced Functions of Reports
The HTTPS(TCP@443) service can be further drilled into to query which WAN links of FortiWAN carry this service, by clicking the Drill In magnifier icon in the row of HTTPS(TCP@443) listed in the table and selecting WAN (query result is...
External IP addresses it is connected to, by clicking the Drill In magnifier icon in the row of the IP 125.227.251.80 listed in the table and selecting External IP (query result as shown below):
(External IP) to a different one (such as traffic rate of bandwidth usage) using the same filter: WAN=2, Internal IP=125.227.251.80 and Service=HTTPS(TCP@443), by selecting Traffic Rate from the drop-down menu of External IP (as shown below):
Advanced Functions of Reports
The report presented by Traffic Rate using the same filter: Internal Group=Marketing, Internal IP=10.12.98.98 and Service=HTTP(TCP@80) is illustrated as follows.
Custom Filter allows users to apply their own filters, based on particular requirements, to query bandwidth usage reports. Click Filter above any Bandwidth Usage report to see an extended block for further settings.
Service = HTTPS(TCP@443). The query result of traffic statistics that are associated with the service HTTPS(TCP@443) and passed through FortiWAN via WAN2 will then be displayed by Services accordingly. As illustrated below, the block marked in blue indicates the query subject of the current report:
Continuing the example described above, apply the custom filter HTTPS(TCP@443) and WAN2 in the Traffic Rate report, and the corresponding query result will show the traffic statistics of service HTTPS(TCP@443) on WAN2 by traffic rate as follows (the block marked in blue indicates the query subject of the current report):
Please refer to the Custom Filters section in Account Settings for more information.
Export
All reports generated by Reports can be exported in PDF or CSV format. By clicking the Export button on the upper side of any report page, PDF and CSV are displayed as options.
Click to send the report email immediately. Click the Schedule tab to edit more settings.
Email Server:
SMTP Server: Enter the SMTP server used to transfer emails.
Port: Enter the port number of the SMTP server.
The Reports database tool (DB tool) is an application running on a remote host to manage the FortiWAN Reports database. Note that the DB tool must be run on a host that can access the FortiWAN Web UI. Please contact Fortinet CSS to get the tool, and install it following the instructions below.
Step 4: Read the License Agreement carefully. Click the ‘I Agree’ button to accept the agreement and begin the installation process. Otherwise, please click ‘Cancel’.
Step 5: Choose a destination folder for setup and click ‘Next’.
Step 6: Choose a Start Menu folder (or check ‘Do not create shortcuts’ to skip it). Click ‘Install’ and the installation process will begin.
Step 7: Click ‘Finish’ to complete the Reports DB Tool setup.
To run the database tool, go to Start > Programs > FWN-dbtool, where the DB Tool utility is available for selection.
DB Tool: Tool to manage report data from the Reports database.
Fortinet: Link to the Fortinet web site.
Uninstall: Uninstalls DB Tool.
Specify the port number that the Reports database is listening on. Please use the default port 5432.
Save: Click to save the setting.
The DB tool can be used to back up, restore and delete data from FortiWAN's Reports database.
Click Browse to select a location where the backup data should be saved.
Delete the data after export: Check it to delete the data in the Reports database after it is backed up.
Backup: Click to start backing up the data of the selected dates.
Restore
Restore: Click to select backup files to restore to the database.
The Settings here are used to manage the Reports database, disk space and the SMTP server used to email reports. Click the listed settings to further configure them:
Reports: Enable/disable Reports (See "Reports").
Reports FortiWAN Reports works by parsing and analyzing the various system logs. Before using the FortiWAN Reports, you have to enable it by specifying the way and the events to push system logs to Reports. You will be redirected to Log >...
CPU usage, especially when FortiWAN is processing a large traffic flow. Please select the appropriate refresh interval for your system: 5 sec, 15 sec, 20 sec and 30 sec, or Do not refresh.
Disk Space Control
The disk space of FortiWAN Reports is consumed by the growing report database. Once the disk space is used up, Reports will fail to continue log processing. Disk Space Control monitors the disk space status of Reports and triggers actions (purge and alert) according to user-defined conditions.
Displays the disk amount used by the Reports database in MB and percentage.
Other Used: Displays the amount of disk overhead or pre-allocated space in MB and percentage.
Total Space: Displays the total disk space in MB.
Save: Click to save the configuration.
(Fortinet default) The Web UI login port will be restored to the default port 443. FortiWAN also supports SSH logins. The interface for SSH login is the same as the console, with an identical username and password.
WAN Link Health Detection Default Values
System default values contain 13 fixed server IPs for health detection.
Service Category Default Values
Firewall: default security rules apply
Persistent Routing: Enabled
Auto Routing: By Downstream Traffic as default
Virtual Server: Disabled
Bandwidth Management: Disabled
Cache Redirection: Disabled
Multihoming: Disabled
All fields in the Log/Control Category are cleared
Fortinet. For absolute clarity, any such warranty will be limited to performance in the same ideal conditions as in Fortinet’s internal lab tests.