FortiGate-7000 v5.4.3 special features and limitations


This section describes special features and limitations for FortiGate-7000 v5.4.3.

Managing the FortiGate-7000

Management is only possible through the MGMT1 to MGMT4 front panel management interfaces. By default the MGMT1 to MGMT4 interfaces of the FIM modules in slot 1 and slot 2 are in a single static aggregate interface named mgmt with IP address 192.168.1.99. You manage the FortiGate-7000 by connecting any one of these eight interfaces to your network, opening a web browser and browsing to https://192.168.1.99.

Default management VDOM

By default the FortiGate-7000 configuration includes a management VDOM named dmgmt-vdom. For the FortiGate-7000 system to operate normally you should not change the configuration of this VDOM and this VDOM should always be the management VDOM. You should also not add or remove interfaces from this VDOM.

You have full control over the configurations of other FortiGate-7000 VDOMs.

Firewall

TCP sessions with NAT enabled that are expected to be idle for more than the distributed processing normal TCP timer (which is 3605 seconds) should only be distributed to the master FPM using a flow rule. You can configure the distributed normal TCP timer using the following command:

config system global
    set dp-tcp-normal-timer <timer>
end

UDP sessions with NAT enabled that are expected to be idle for more than the distributed processing normal UDP timer should only be distributed to the primary FPM using a flow rule.

Link monitoring and health checking

ICMP-based link monitoring for SD-WAN, ECMP, HA link monitoring, and firewall session load balancing monitoring (or health checking) is not supported. Use the TCP or UDP options for link monitoring instead.

IP Multicast

IPv4 and IPv6 Multicast traffic is only sent to the primary FPM module (usually the FPM in slot 3). This is controlled by the following configuration:

config load-balance flow-rule
    edit 18
        set status enable
        set vlan 0
        set ether-type ipv4
        set src-addr-ipv4 0.0.0.0 0.0.0.0
        set dst-addr-ipv4 224.0.0.0 240.0.0.0
        set protocol any
        set action forward
        set forward-slot master
        set priority 5
        set comment "ipv4 multicast"
    next
    edit 19
        set status enable
        set vlan 0
        set ether-type ipv6
        set src-addr-ipv6 ::/0
        set dst-addr-ipv6 ff00::/8
        set protocol any
        set action forward
        set forward-slot master
        set priority 5
        set comment "ipv6 multicast"
    next
end

High Availability

Only the M1 and M2 interfaces are used for the HA heartbeat communication.

When using both M1 and M2 for the heartbeat, FortiGate-7000 v5.4.3 requires two switches: one switch to connect all M1 ports together and a second switch to connect all M2 ports together. This is because the same VLAN is used for both M1 and M2, and the two interface groups must remain in different broadcast domains.

Using a single switch for both M1 and M2 heartbeat traffic is possible if the switch supports Q-in-Q tunneling. In this case use different VLANs for M1 traffic and M2 traffic to keep two separate broadcast domains in the switch.

The following FortiOS HA features are not supported or are supported differently by FortiGate-7000 v5.4.3:

  • Remote IP monitoring (configured with the option pingserver-monitor-interface and related settings) is not supported.
  • Active-active HA is not supported.
  • The range for the HA group-id is 0 to 14.
  • Failover logic for FortiGate-7000 v5.4.3 HA is not the same as FGSP for other FortiGate clusters.
  • HA heartbeat configuration is specific to FortiGate-7000 systems and differs from standard HA.
  • FortiGate Session Life Support Protocol (FGSP) HA (also called standalone session synchronization) is not supported.

Shelf Manager Module

It is not possible to access the SMM CLI using Telnet or SSH. Only console access is supported, using the chassis front panel console ports as described in the FortiGate-7000 system guide.

For monitoring purposes, IPMI over IP is supported on the SMM Ethernet ports. See your FortiGate-7000 system guide for details.

FortiOS features that are not supported by FortiGate-7000 v5.4.3

The following mainstream FortiOS 5.4.3 features are not supported by the FortiGate-7000 v5.4.3:

  • Hardware switch
  • Switch controller
  • WiFi controller
  • WAN load balancing (SD-WAN)
  • IPv4 over IPv6, IPv6 over IPv4, IPv6 over IPv6 features
  • GRE tunneling is only supported after creating a load balance flow rule, for example:

config load-balance flow-rule
    edit 0
        set status enable
        set vlan 0
        set ether-type ip
        set protocol gre
        set action forward
        set forward-slot master
        set priority 3
    next
end

  • Hard disk features, including WAN optimization, web caching, explicit proxy content caching, disk logging, and GUI-based packet sniffing.
  • Log messages should be sent only using the management aggregate interface.

IPsec VPN tunnels terminated by the FortiGate-7000

This section lists FortiGate-7000 limitations for IPsec VPN tunnels terminated by the FortiGate-7000:

  • Interface-based IPsec VPN is recommended.
  • Policy-based IPsec VPN is supported, but requires creating flow rules for each Phase 2 selector.
  • Dynamic routing and policy routing are not supported for IPsec interfaces.
  • Remote network subnets are limited to /16 prefix.
  • IPsec static routes don't consider distance, weight, or priority settings. IPsec static routes are always installed in the routing table, regardless of the tunnel state.
  • IPsec tunnels are not load-balanced across the FPMs; all IPsec tunnel sessions are sent to the primary FPM module.
  • IPsec VPN dialup or dynamic tunnels require a flow rule that sends traffic destined for IPsec dialup IP pools to the primary FPM module.
  • In an HA configuration, IPsec SAs are not synchronized to the backup chassis. IPsec SAs are re-negotiated after a failover.

More about IPsec VPN routing limitations

For IPv4 traffic, FortiGate-7000s can only recognize netmasks between 16 and 32 bits long (/16 to /32). For example:

The following netmasks are supported:

  • 12.34.0.0/24
  • 12.34.0.0 255.255.0.0
  • 12.34.56.0/21
  • 12.34.56.0 255.255.248.0
  • 12.34.56.78/32
  • 12.34.56.78 255.255.255.255
  • 12.34.56.78 (for single IP addresses, FortiOS automatically uses 32-bit netmasks)

The following netmasks are not supported:

  • 12.34.0.0/15 (netmask is less than 16-bit)
  • 12.34.0.0 255.254.0.0 (netmask is less than 16-bit)
  • 12.34.56.1-12.34.56.100 (IP range is not supported)
  • 12.34.56.78 255.255.220.0 (invalid netmask)
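As an added example (not part of the release notes or of FortiOS), the Python function below applies these rules to candidate IPsec remote subnets before they are configured, so that an unsupported prefix, an IP range, or a non-contiguous mask is caught in a change review rather than discovered as a missing route. The /16 lower bound and the sample list are taken from the examples above; the function and constant names are this example's own.

```python
import ipaddress
from typing import Tuple

# FortiGate-7000 v5.4.3 only recognizes IPv4 netmasks of 16 to 32 bits (per the notes above).
MIN_PREFIX = 16


def check_ipv4_subnet(spec: str) -> Tuple[bool, str]:
    """Classify one IPv4 subnet spec as supported or unsupported for FortiGate-7000 IPsec routing.

    Accepted spellings: 'a.b.c.d/len', 'a.b.c.d m.m.m.m', or a bare address
    (treated as /32, as FortiOS does). Returns (supported, reason).
    """
    spec = spec.strip()
    if "-" in spec:
        # A start-end IP range cannot be expressed as a single netmask.
        return False, "ip range is not supported"
    parts = spec.split()
    try:
        if len(parts) == 2:
            # (address, dotted netmask) tuple form; a non-contiguous mask raises NetmaskValueError.
            net = ipaddress.IPv4Network((parts[0], parts[1]), strict=False)
        elif len(parts) == 1:
            net = ipaddress.IPv4Network(parts[0], strict=False)
        else:
            return False, "unrecognized format"
    except ValueError as exc:  # NetmaskValueError and AddressValueError both derive from ValueError
        return False, f"invalid netmask ({exc})"
    if net.prefixlen < MIN_PREFIX:
        return False, f"netmask is less than {MIN_PREFIX}-bit (/{net.prefixlen})"
    return True, f"/{net.prefixlen}"


def audit_subnets(specs):
    """Return only the specs that would not be usable, with the reason for each."""
    problems = {}
    for spec in specs:
        ok, reason = check_ipv4_subnet(spec)
        if not ok:
            problems[spec] = reason
    return problems


# Constructed sample list, mirroring the supported and unsupported examples above.
SAMPLE_SUBNETS = [
    "12.34.0.0/24", "12.34.0.0 255.255.0.0", "12.34.56.0/21", "12.34.56.78",
    "12.34.0.0/15", "12.34.0.0 255.254.0.0", "12.34.56.1-12.34.56.100",
    "12.34.56.78 255.255.220.0",
]

if __name__ == "__main__":
    for spec, reason in audit_subnets(SAMPLE_SUBNETS).items():
        print(f"unsupported: {spec:<28} {reason}")
```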

SSL VPN

Sending all SSL VPN sessions to the primary FPM module is recommended. You can do this by:

  • Creating a flow rule that sends all sessions that use the SSL VPN destination port and IP address to the primary FPM module.
  • Creating flow rules that send all sessions that use the SSL VPN IP pool addresses to the primary FPM module.

Authentication

This section lists FortiGate-7000 authentication limitations:

  • Active authentication that requires a user to manually log into the FortiGate firewall can be problematic because the user may be prompted for credentials more than once as sessions are distributed to different FPM modules. You can avoid this by changing the load distribution method to src-ip.
  • FSSO is supported. Each FPM independently queries the server for user credentials.
  • RSSO is only supported after creating a load balance flow rule to broadcast RADIUS accounting messages to all FPM modules.

Traffic shaping and DDoS policies

Each FPM module applies traffic shaping and DDoS quotas independently. Because of load-balancing, this may allow more traffic than expected.

Sniffer mode (one-arm sniffer)

One-arm sniffer mode is only supported after creating a load balance flow rule to direct sniffer traffic to a specific FPM module.

FortiGuard Web Filtering

All FortiGuard rating queries are sent through the management aggregate interface from the management VDOM (named dmgmt-vdom).

Log messages include a slot field

An additional “slot” field has been added to log messages to identify the FPM module that generated the log.

FortiOS Carrier

FortiOS Carrier is supported by the FortiGate-7000 v5.4.3 but GTP load balancing is not supported.

You have to apply a FortiOS Carrier license separately to each FIM and FPM module to license a FortiGate-7000 chassis for FortiOS Carrier.

Special notice for new deployment connectivity testing

Only the primary FPM module can successfully ping external IP addresses. During a new deployment, while performing connectivity testing from the FortiGate-7000, make sure to run the execute ping tests from the primary FPM module CLI.


About Mike

Michael Pruett, CISSP has a wide range of cyber-security and network engineering expertise. The plethora of vendors that resell hardware but have zero engineering knowledge resulting in the wrong hardware or configuration being deployed is a major pet peeve of Michael's. This site was started in an effort to spread information while providing the option of quality consulting services at a much lower price than Fortinet Professional Services. Owns PacketLlama.Com (Fortinet Hardware Sales) and Office Of The CISO, LLC (Cybersecurity consulting firm).
