Category Archives: Administration Guides

System Configuration – Inter-VDOM Routing – FortiOS 6.2

Inter-VDOM routing

In the past, virtual domains (VDOMs) were separate from each other and there was no internal communication. Any communication between VDOMs involved traffic leaving on a physical interface belonging to one VDOM and re-entering the FortiGate unit on another physical interface belonging to another VDOM to be inspected by firewall policies in both directions.

Inter-VDOM routing changes this. With VDOM links, VDOMs can communicate internally without using additional physical interfaces.

Inter-VDOM routing is the communication between VDOMs. VDOM links are virtual interfaces that connect VDOMs. A VDOM link contains a pair of interfaces, each one connected to a VDOM and forming either end of the inter-VDOM connection.

When VDOMs are configured on your FortiGate unit, configuring inter-VDOM routing and VDOM-links is very much like creating a VLAN interface. VDOM-links are managed through the web-based manager or CLI. In the web-based manager, VDOM link interfaces are managed in the network interface list.

To configure a VDOM link in the GUI:

  1. Go to Network > Interfaces.
  2. Click Create New > VDOM Link.
  3. Configure the fields including the Name, Virtual Domain, IP information, access levels, and other fields.

To configure a VDOM link in the CLI:

config system vdom-link edit “<vdom-link-name>” next

end

config system interface edit “<vdom-link-name0>” set vdom “<VDOM Name>” set type vdom-link

next

end

config system interface edit “<vdom-link-name1>” set vdom “<VDOM Name>” set type vdom-link

next

end

To delete a VDOM link in the GUI:

  1. Go to Network > Interfaces.
  2. Select a VDOM Link and click Delete.

To delete a VDOM link in the CLI:

config system vdom-link delete <VDOM-LINK-Name>

end

Sample configuration: Inter-VDOM routing

This example shows how to configure a FortiGate unit to use inter-VDOM routing.

Two departments of a company, Accounting and Sales, are connected to one FortiGate. The company uses a single ISP to connect to the Internet.

This example includes the following general steps. We recommend following the steps in the order below.

Create the VDOMs

To enable VDOMs and create the Sales and Accounting VDOMs:

config system global set vdom-mode multi-vdom

end

config system vdom edit Accounting

next edit Sales

next end

Configure the physical interfaces

Next, configure the physical interfaces. This example uses three interfaces on the FortiGate unit: port2 (internal), port3 (DMZ), and port1 (external). Port2 and port3 interfaces each have a department’s network connected. Port1 is for all traffic to and from the Internet and uses DHCP to configure its IP address, which is common with many ISPs.

config global config system interface edit port2 set alias AccountingLocal set vdom Accounting set mode static set ip 172.100.1.1 255.255.0.0 set allowaccess https ping ssh

set description “The accounting dept internal interface”

next edit port3 set alias SalesLocal set vdom Sales set mode static set ip 192.168.1.1 255.255.0.0 set allowaccess https ping ssh

set description “The sales dept. internal interface”

next edit port1 set alias ManagementExternal

set vdom root set mode DHCP set distance 5 set gwdetect enable set dns-server-override enable set allowaccess https ssh snmp

set description “The systemwide management interface.”

end end

Configure the VDOM links

To complete the connection between each VDOM and the management VDOM, add the two VDOM links. One pair is the Accounting – management link and the other is the Sales – management link.

When configuring inter-VDOM links, you do not have to assign IP addresses to the links unless you are using advanced features such as dynamic routing that require them. Not assigning IP addresses results in faster configuration and more available IP addresses on your networks.

To configure the Accounting and management VDOM link:

config global config system vdom-link edit AccountVlnk

next end

config system interface edit AccountVlnk0 set vdom Accounting set ip 11.11.11.2 255.255.255.0 set allowaccess https ping ssh

set description “Accounting side of the VDOM link“ next edit AccountVlnk1 set vdom root set ip 11.11.11.1 255.255.255.0 set allowaccess https ping ssh

set description “Management side of the VDOM link“

end

end

To configure the Sales and management VDOM link:

config global config system vdom-link edit SalesVlnk

end

config system interface edit SalesVlnk0 set vdom Accounting set ip 12.12.12.2 255.255.255.0 set allowaccess https ping ssh set description “Sales side of the VDOM link”

next edit SalesVlnk1 set vdom root set ip 12.12.12.1 255.255.255.0 set allowaccess https ping ssh

set description “Management side of the VDOM link”

end end

Configure the firewall and Security Profile

With the VDOMs, physical interfaces, and VDOM links configured, the firewall must now be configured to allow the proper traffic. Firewalls are configured per-VDOM, and firewall objects and routes must be created for each VDOM separately.

To configure the firewall policies from AccountingLocal to Internet:

config vdom edit Accounting config firewall policy edit 1 set name “Accounting-Local-to-Management”

set srcintf port2 set dstintf AccountVlnk set srcaddr all set dstaddr all set action accept set schedule always set service ALL set nat enable

end

end config vdom edit root config firewall policy edit 2 set name “Accounting-VDOM-to-Internet” set srcintf AccountVlnk set dstintf port1 set srcaddr all set dstaddr all set action accept set schedule always set service ALL set nat enable

end

end

To configure the firewall policies from SalesLocal to the Internet:

config vdom edit root config firewall policy edit 6 set name “Sales-local-to-Management”

set srcintf port2 set srcaddr all set dstintf SalesVlnk set dstaddr all set schedule always set service ALL set action accept set logtraffic enable

end

end config vdom edit Sales config firewall policy edit 7 set name “Sales-VDOM-to-Internet” set srcintf SalesVlnk set srcaddr SalesManagement set dstintf external set dstaddr all set schedule always set service OfficeServices set action accept set logtraffic enable end end

Test the configuration

When the inter-VDOM routing has been configured, test the configuration to confirm proper operation.

Testing connectivity ensures that physical networking connections, FortiGate unit interface configurations, and firewall policies are properly configured.

The easiest way to test connectivity is to use the ping and traceroute command to confirm the connectivity of different routes on the network.

Test both from AccountingLocal to Internet and from SalesLocal to Internet.

System Configuration – VLANs – FortiOs 6.2

VLANs

Virtual Local Area Networks (VLANs) multiply the capabilities of your FortiGate unit and can also provide added network security. VLANs use ID tags to logically separate devices on a network into smaller broadcast domains. These smaller domains forward packets only to devices that are part of that VLAN domain. This reduces traffic and increases network security.

VLANs in NAT mode

In NAT mode, the FortiGate unit functions as a layer-3 device. In this mode, the FortiGate unit controls the flow of packets between VLANs and can also remove VLAN tags from incoming VLAN packets. The FortiGate unit can also forward untagged packets to other networks such as the Internet.

In NAT mode, the FortiGate unit supports VLAN trunk links with IEEE 802.1Q-compliant switches or routers. The trunk link transports VLAN-tagged packets between physical subnets or networks. When you add VLAN subinterfaces to the FortiGate’s physical interfaces, the VLANs have IDs that match the VLAN IDs of packets on the trunk link. The FortiGate unit directs packets with VLAN IDs to subinterfaces with matching IDs.

You can define VLAN subinterfaces on all FortiGate physical interfaces. However, if multiple virtual domains are configured on the FortiGate unit, you only have access to the physical interfaces on your virtual domain. The FortiGate unit can tag packets leaving on a VLAN subinterface. It can also remove VLAN tags from incoming packets and add a different VLAN tag to outgoing packets.

Normally in VLAN configurations, the FortiGate unit’s internal interface is connected to a VLAN trunk, and the external interface connects to an Internet router that is not configured for VLANs. In this configuration, the FortiGate unit can apply different policies for traffic on each VLAN interface connected to the internal interface, which results in less network traffic and better security.

Sample topology

In this example, two different internal VLAN networks share one interface on the FortiGate unit and share the connection to the Internet. This example shows that two networks can have separate traffic streams while sharing a single interface. This configuration can apply to two departments in a single company or to different companies.

There are two different internal network VLANs in this example. VLAN_100 is on the 10.1.1.0/255.255.255.0 subnet, and VLAN_200 is on the 10.1.2.0/255.255.255.0 subnet. These VLANs are connected to the VLAN switch.

The FortiGate internal interface connects to the VLAN switch through an 802.1Q trunk. The internal interface has an IP address of 192.168.110.126 and is configured with two VLAN subinterfaces (VLAN_100 and VLAN_200). The external interface has an IP address of 172.16.21.2 and connects to the Internet. The external interface has no VLAN subinterfaces.

When the VLAN switch receives packets from VLAN_100 and VLAN_200, it applies VLAN ID tags and forwards the packets of each VLAN both to local ports and to the FortiGate unit across the trunk link. The FortiGate unit has policies that allow traffic to flow between the VLANs, and from the VLANs to the external network.

Sample configuration

In this example, both the FortiGate unit and the Cisco 2950 switch are installed and connected and basic configuration has been completed. On the switch, you need access to the CLI to enter commands. No VDOMs are enabled in this example.

General configuration steps include:

  1. Configure the external interface.
  2. Add two VLAN subinterfaces to the internal network interface.
  3. Add firewall addresses and address ranges forthe internal and external networks.
  4. Add security policies to allow:

l the VLAN networks to access each other. l the VLAN networks to access the external network.

To configure the external interface:

config system interface edit external set mode static set ip 172.16.21.2 255.255.255.0

end

To add VLAN subinterfaces:

config system interface edit VLAN_100 set vdom root set interface internal set type vlan set vlanid 100 set mode static set ip 10.1.1.1 255.255.255.0 set allowaccess https ping telnet

next edit VLAN_200 set vdom root set interface internal set type vlan set vlanid 200 set mode static set ip 10.1.2.1 255.255.255.0 set allowaccess https ping telnet

end

To add the firewall addresses:

config firewall address edit VLAN_100_Net set type ipmask set subnet 10.1.1.0 255.255.255.0

next edit VLAN_200_Net set type ipmask set subnet 10.1.2.0 255.255.255.0

end

To add security policies:

Policies 1 and 2 do not need NAT enabled, but policies 3 and 4 do need NAT enabled.

config firewall policy edit 1 set srcintf VLAN_100 set srcaddr VLAN_100_Net set dstintf VLAN_200

set dstaddr VLAN_200_Net set schedule always set service ALL set action accept set nat disable set status enable

next edit 2 set srcintf VLAN_200

set srcaddr VLAN_200_Net set dstintf VLAN_100 set dstaddr VLAN_100_Net set schedule always set service ALL set action accept set nat disable set status enable

next edit 3 set srcintf VLAN_100 set srcaddr VLAN_100_Net set dstintf external set dstaddr all set schedule always set service ALL set action accept set nat enable set status enable

next edit 4 set srcintf VLAN_200 set srcaddr VLAN_200_Net set dstintf external set dstaddr all set schedule always set service ALL set action accept set nat enable set status enable

end

VLANs in transparent mode

In transparent mode, the FortiGate unit behaves like a layer-2 bridge but can still provide services such as antivirus scanning, web filtering, spam filtering, and intrusion protection to traffic. Some limitations of transparent mode is that you cannot use SSL VPN, PPTP/L2TP VPN, DHCP server, or easily perform NAT on traffic. The limits in transparent mode apply to IEEE 802.1Q VLAN trunks passing through the unit.

You can insert the FortiGate unit operating in transparent mode into the VLAN trunk without making changes to your network. In a typical configuration, the FortiGate unit internal interface accepts VLAN packets on a VLAN trunk from a VLAN switch or router connected to internal network VLANs. The FortiGate external interface forwards VLAN-tagged packets through another VLAN trunk to an external VLAN switch or router and on to external networks such as the Internet. You can configure the unit to apply different policies for traffic on each VLAN in the trunk.

To pass VLAN traffic through the FortiGate unit, you add two VLAN subinterfaces with the same VLAN ID, one to the internal interface and the other to the external interface. You then create a security policy to permit packets to flow from the internal VLAN interface to the external VLAN interface. If required, create another security policy to permit packets to flow from the external VLAN interface to the internal VLAN interface. Typically in transparent mode, you do not permit packets to move between different VLANs. Network protection features such as spam filtering, web filtering, and antivirus scanning, are applied through the UTM profiles specified in each security policy, enabling very detailed control over traffic.

When the FortiGate unit receives a VLAN-tagged packet on a physical interface, it directs the packet to the VLAN subinterface with the matching VLAN ID. The VLAN tag is removed from the packet and the FortiGate unit then applies security policies using the same method it uses for non-VLAN packets. If the packet exits the FortiGate unit through a VLAN subinterface, the VLAN ID for that subinterface is added to the packet and the packet is sent to the corresponding physical interface.

Sample topology

In this example, the FortiGate unit is operating in transparent mode and is configured with two VLANs: one with an ID of 100 and the other with ID 200. The internal and external physical interfaces each have two VLAN subinterfaces, one for VLAN_100 and one for VLAN_200.

The IP range for the internal VLAN_100 network is 10.100.0.0/255.255.0.0, and for the internal VLAN_200 network is 10.200.0.0/255.255.0.0.

The internal networks are connected to a Cisco 2950 VLAN switch which combines traffic from the two VLANs onto one in the FortiGate unit’s internal interface. The VLAN traffic leaves the FortiGate unit on the external network interface, goes on to the VLAN switch, and on to the Internet. When the FortiGate units receives a tagged packet, it directs it from the incoming VLAN subinterface to the outgoing VLAN subinterface for that VLAN.

In this example, we create a VLAN subinterface on the internal interface and another one on the external interface, both with the same VLAN ID. Then we create security policies that allow packets to travel between the VLAN_100_int interface and the VLAN_100_ext interface. Two policies are required: one for each direction of traffic. The same is required between the VLAN_200_int interface and the VLAN_200_ext interface, for a total of four security policies.

Sample configuration

There are two main steps to configure your FortiGate unit to work with VLANs in transparent mode:

  1. Add VLAN subinterfaces.
  2. Add security policies.

You can also configure the protection profiles that manage antivirus scanning, web filtering, and spam filtering.

To add VLAN subinterfaces:

config system interface edit VLAN_100_int set type vlan set interface internal set vlanid 100

next edit VLAN_100_ext set type vlan set interface external set vlanid 100

next edit VLAN_200_int set type vlan set interface internal set vlanid 200

next edit VLAN_200_ext set type vlan set interface external set vlanid 200

end To add security policies:

config firewall policy

edit 1

set srcintf VLAN_100_int set srcaddr all set dstintf VLAN_100_ext set dstaddr all set action accept set schedule always set service ALL

next edit 2

set srcintf VLAN_100_ext set srcaddr all set dstintf VLAN_100_int set dstaddr all set action accept set schedule always set service ALL

next edit 3

set srcintf VLAN_200_int set srcaddr all set dstintf VLAN_200_ext set dstaddr all set action accept set schedule always set service ALL

next edit 4

set srcintf VLAN_200_ext

set srcaddr all set dstintf VLAN_200_int set dstaddr all set action accept set schedule always set service ALL

end

Enhanced MAC VLANs

The Media Access Control (MAC) Virtual Local Area Network (VLAN) feature in Linux allows you to configure multiple virtual interfaces with different MAC addresses (and therefore different IP addresses) on a physical interface.

FortiGate implements an enhanced MAC VLAN consisting of a MAC VLAN with bridge functionality. Because each MAC VLAN has a unique MAC address, virtual IP addresses (VIPs) and IP pools are supported, and you can disable Source Network Address Translation (SNAT) in policies.

MAC VLAN cannot be used in a Transparent mode virtual domain (VDOM). In a Transparent mode VDOM, a packet leaves an interface with the MAC address of the original source instead of the interface’s MAC address. FortiGate implements an enhanced version of MAC VLAN where it adds a MAC table in the MAC VLAN which learns the MAC addresses when traffic passes through.

If you configure a VLAN ID for an enhanced MAC VLAN, it won’t join the switch of the underlying interface. When a packet is sent to this interface, a VLAN tag is inserted in the packet and the packet is sent to the driver of the underlying interface. When the underlying interface receives a packet, if the VLAN ID doesn’t match, it won’t deliver the packet to this enhanced MAC VLAN interface.

If you use an interface in an enhanced MAC VLAN, do not use it for other purposes such as a management interface, HA heartbeat interface, or in Transparent VDOMs.

If a physical interface is used by an EMAC VLAN interface, you cannot use it in a Virtual Wire Pair.

In high availability (HA) configurations, enhanced MAC VLAN is treated as a physical interface. It’s assigned a unique physical interface ID and the MAC table is synchronized with the slaves in the same HA cluster.

Example 1: Enhanced MAC VLAN configuration for multiple VDOMs that use the same interface or VLAN

In this example, a FortiGate is connected, through port 1 to a router that’s connected to the Internet. Three VDOMs share the same interface (port 1) which connects to the same router that’s connected to the Internet. Three enhanced MAC VLAN interfaces are configured on port 1 for the three VDOMs. The enhanced MAC VLAN interfaces are in the same IP subnet segment and each have unique MAC addresses.

The underlying interface (port 1) can be a physical interface, an aggregate interface, or a VLAN interface on a physical or aggregate interface.

To configure enhanced MAC VLAN for this example in the CLI:

config system interface edit port1.emacvlan1 set vdom VDOM1 set type emac-vlan set interface port1

next

edit port 1.emacvlan2 set vdom VDOM2 set type emac-vlan set interface port1

next

edit port1.emacvlan3 set vdom VDOM3 set type emac-vlan set interface port1

next

end

Example 2: Enhanced MAC VLAN configuration for shared VDOM links among multiple VDOMs

In this example, multiple VDOMs can connect to each other using enhanced MAC VLAN on network processing unit (NPU) virtual link (Vlink) interfaces.

FortiGate VDOM links (NPU-Vlink) are designed to be peer-to-peer connections and VLAN interfaces on NPU Vlink ports use the same MAC address. Connecting more than two VDOMs using NPU Vlinks and VLAN interfaces is not recommended.

To configure enhanced MAC VLAN for this example in the CLI:

config system interface edit npu0_vlink0.emacvlan1 set vdom VDOM1 set type emac-vlan set interface npu0_vlink0

next

edit npu0_vlink0.emacvlan2 set vdom VDOM3 set type emac-vlan set interface npu0_vlink0

next

edit npu0_vlink1.emacvlan1 set vdom VDOM2 set type emac-vlan set interface npu0_vlink1

next

end

Example 3: Enhanced MAC VLAN configuration for unique MAC addresses for each VLAN interface on the same physical port

Some networks require a unique MAC address for each VLAN interface when the VLAN interfaces share the same physical port. In this case, the enhanced MAC VLAN interface is used the same way as normal VLAN interfaces.

To configure this, use the set vlanid command for the VLAN tag.

To configure enhanced MAC VLAN for this example in the CLI:

config system interface edit interface-name set type emac-vlan set vlanid <VLAN-ID>

set interface <physical-interface>

end

System Configuration – Interfaces – FortiOS 6.2

Interface

Interface settings

Administrator can configure both physical and virtual FortiGate interfaces in Network > Interfaces. There are different options for configuring interfaces when FortiGate is in NAT mode or transparent mode.

To configure an interface in the GUI:

  1. Go to Network > Interfaces.
  2. Click Create New > Interface.
  3. Configure the interface fields.
Interface

Name

Physical interface names cannot be changed.
Alias Enter an alternate name for a physical interface on the FortiGate unit. This field appears when you edit an existing physical interface. The alias does not appear in logs.

The maximum length of the alias is 25 characters.

Link Status Indicates whether the interface is connected to a network or not (link status is up or down). This field appears when you edit an existing physical interface.
Interface This field appears when Type is set to VLAN.

Select the name of the physical interface that you want to add a VLAN interface to. Once created, the VLAN interface is listed below its physical interface in the Interface list. You cannot change the physical interface of a VLAN interface except when you add a new VLAN interface.

Virtual

Domain

Select the virtual domain to add the interface to.

Administrator accounts with the super_admin profile can change the Virtual Domain.

Interface

Members

This section can have two different formats depending on the interface type:

Software Switch: This section is a display-only field showing the interfaces that belong to the virtual interface of the software switch.

802.3ad Aggregate orRedundant Interface: This section includes the available interface list and the selected interface list.

IP/Netmask If Addressing Mode is set to Manual, enter an IPv4 address and subnet mask for the interface. FortiGate interfaces cannot have IP addresses on the same subnet.
IPv6 Address If Addressing Mode is set to Manual and IPv6 support is enabled, enter an IPv6 address and subnet mask for the interface. A single interface can have an IPv4 address, IPv6 address, or both.
Secondary IP Address Add additional IPv4 addresses to this interface.

To configure an interface in the CLI:

config system interface

edit “<Interface_Name>”

set vdom “<VDOM_Name>” set mode static/dhcp/pppoe set ip <IP_address> <netmask> set allowaccess ping https ssh http telnet

set secondary-IP enable config secondaryip

edit 1

set ip 9.1.1.2 255.255.255.0 set allowaccess ping https ssh snmp http telnet

next

end

next end

Configure administrative access to interfaces

You can configure the protocols that administrators can use to access interfaces on the FortiGate. This helps secure access to the FortiGate by restricting access to a limited number of protocols. It helps prevent users from accessing interfaces that you don’t want them to access, such as public-facing ports.

As a best practice, you should configure administrative access when you’re setting the IP address for a port.

To configure administrative access to interfaces in the GUI:

  1. Go to Network > Interfaces.
  2. Create or edit an interface.
  3. In the Administrative Access section, select which protocols to enable for IPv4 and IPv6 Administrative Access.
HTTPS Allow secure HTTPS connections to the FortiGate GUI through this interface. If configured, this option is enabled automatically.
PING The interface responds to pings. Use this setting to verify your installation and for testing.
HTTP Allow HTTP connections to the FortiGate GUI through this interface. If configured, this option also enables the HTTPS option.
SSH Allow SSH connections to the CLI through this interface.
SNMP Allow a remote SNMP manager to request SNMP information by connecting to this interface.
FMG-Access Allow FortiManager authorization automatically during the communication exchanges between FortiManager and FortiGate devices.
CAPWAP Allow the FortiGate wireless controller to manage a wireless access point such as a FortiAP device.

Aggregation and redundancy

Link aggregation (IEEE 802.3ad) enables you to bind two or more physical interfaces together to form an aggregated (combined) link. This new link has the bandwidth of all the links combined. If a link in the group fails, traffic is transferred automatically to the remaining interfaces. The only noticeable effect is reduced bandwidth.

This feature is similar to redundant interfaces. The major difference is a redundant interface group only uses one link at a time, where an aggregate link group uses the total bandwidth of the functioning links in the group, up to eight (or more).

Some models support the IEEE standard 802.3ad for link aggregation.

An interface is available to be an aggregate interface if:

l It is a physical interface and not a VLAN interface or subinterface. l It is not already part of an aggregate or redundant interface. l It is in the same VDOM as the aggregated interface. Aggregate ports cannot span multiple VDOMs. l It does not have an IP address and is not configured for DHCP or PPPoE. l It is not referenced in any security policy, VIP, IP Pool, or multicast policy. l It is not an HA heartbeat interface. l It is not one of the FortiGate-5000 series backplane interfaces.

When an interface is included in an aggregate interface, it is not listed on the Network > Interfaces page. Interfaces still appear in the CLI although configuration for those interfaces do not take affect. You cannot configure the interface individually and it is not available for inclusion in security policies, VIPs, IP pools, or routing.

Sample configuration

This example creates an aggregate interface on a FortiGate-140D POE using ports 3-5 with an internal IP address of 10.1.1.123, as well as the administrative access to HTTPS and SSH.

To create an aggregate interface using the GUI:

  1. Go to Network > Interfaces and select Create New > Interface.
  2. For Interface Name, enter Aggregate.
  3. For the Type, select 3ad Aggregate.
  4. In the physical Interface Members, click to add interfaces and select ports 4, 5, and 6.
  5. For Addressing mode, select Manual.
  6. For the IP address for the port, enter 1.1.123/24.
  7. For Administrative Access, select HTTPS and SSH.
  8. Select OK.

To create an aggregate interface using the CLI:

FG140P3G15800330 (aggregate) # show config system interface edit “aggregate” set vdom “root”

set ip 10.1.1.123 255.255.255.0

set allowaccess ping https ssh snmp http fgfm radius-acct capwap ftm set type aggregate set member “port3” “port4” “port5” set device-identification enable set lldp-transmission enable set fortiheartbeat enable

set role lan set snmp-index 45

next

end

Redundancy

In a redundant interface, traffic only goes over one interface at any time. This differs from an aggregated interface where traffic goes over all interfaces for increased bandwidth. This difference means redundant interfaces can have more robust configurations with fewer possible points of failure. This is important in a fully-meshed HA configuration.

An interface is available to be in a redundant interface if:

  • It is a physical interface and not a VLAN interface.
  • It is not already part of an aggregated or redundant interface. l It is in the same VDOM as the redundant interface.
  • It does not have an IP address and is not configured for DHCP or PPPoE. l It has no DHCP server or relay configured on it.
  • It does not have any VLAN subinterfaces. l It is not referenced in any security policy, VIP, or multicast policy.
  • It is not monitored by HA. l It is not one of the FortiGate-5000 series backplane interfaces.

When an interface is included in a redundant interface, it is not listed on the Network > Interfaces page. You cannot configure the interface individually and it is not available for inclusion in security policies, VIPs, or routing.

Sample configuration

To create a redundant interface using the GUI:

  1. Go to Network > Interfaces and select Create New > Interface.
  2. For Interface Name, enter Redundant.
  3. For the Type, select Redundant Interface.
  4. In the physical Interface Members, click to add interfaces and select ports 4, 5, and 6.
  5. For Addressing mode, select Manual.
  6. For the IP address for the port, enter 13.101.100/24.
  7. For Administrative Access, select HTTPS and SSH.
  8. Select OK.

To create a redundant interface using the CLI:

config system interface edit “red” set vdom “root”

set ip 10.13.101.100 255.255.255.0 set allowaccess https http set type redundant set member “port4” “port5” “port6” set device-identification enable

set role lan set snmp-index 9

next

end

System Configuration – Updating Firmware – FortiOS 6.2

Update FortiGate firmware

Updating or upgrading a firewall is similar to upgrading the operating system so you should make the same preparations. Make sure everything is backed up and you have a plan in case something doesn’t work. Make a checklist to confirm that the update is successful. Finally, ensure you have enough time to do the update.

This is a summary of the steps for updating FortiGate firmware:

  1. Backup and store the old configuration on another server.

Do a full configuration backup using the CLI. This should already be part of your disaster recovery plan. If the upgrade fails, be sure you have a plan to get the firewall back up and running.

  1. Have copy of old firmware available.

This should also be part of your disaster recovery plan. If the upgrade fails, you might be able to switch the active partition. But be prepared for the worst case scenario where you need your old firmware.

  1. Have a disaster recovery option on standby, especially for a remote site.

This should be part of your plan in a critical failure. In this scenario, this is your plan if your firewall doesn’t come back up after the upgrade. In this case, you need access to the console port to find out why, such as if the DHCP or the IP has changed, or the OS is corrupt. You must have access to the console to find out. If there is no simple fix, be prepared for a format and TFTP reload.

  1. Read the release notes, including the upgrade path and bug information.

Be sure to read the release notes, preferably more than once. The release notes contain lots of important information, known bugs, fixed bugs, upgrade issues such as lost configuration settings.

  1. Double check everything.

For example, double check that your TFTP server is working, your console connection functions properly, you have read the release notes and understand everything that affects the upgrade for your FortiGate models, you have backed up your configuration, you have covered everything you might need for the upgrade.

  1. Perform the upgrade.

The upgrade itself usually doesn’t take very long, usually just a few minutes. But make sure you schedule enough time for the entire process and possible contingencies. If the upgrade is successful, you need time to check and confirm that all important functions are working, such as VPNs etc. If the upgrade fails, you need time to sort things out.

Sample upgrade

This is an example of upgrading the FortiGate from FortiOS 6.0.4 to 6.2.0.

To view the FortiOS firmware:

  1. Go to Dashboard.

The System Information widget shows the current firmware version.

To check if a new FortiOS firmware version is available:

  1. Go to System > Firmware.

If a new firmware version is available, a notice appears in the Current version section.

When a new FortiOS version is released, it may not be listed on your FortiGate right away. You can download the firmware from Fortinet Support, then use Upload Firmware to upgrade your FortiGate.

To upgrade to the latest version from FortiGuard:

  1. Go to System > Firmware.
  2. In the FortiGuard Firmware section, click Latest.

If you see a message saying there is no valid upgrade path for this firmware version, click All available and select a suitable firmware version for your FortiGate.

  1. Click Release Notes and read the release notes for that version.

Release Notes are also available from the Fortinet Documentation Library.

  1. Click Backup config and upgrade and follow the prompts.
  2. Save the backup of your configuration in case you need to restore it after the upgrade.

To upgrade to the latest version from local PC:

  1. Ensure you have downloaded the firmware from Fortinet Support.
  2. Go to System > Firmware.
  3. In the Upload Firmware section, click Browse and select the firware.
  4. Click Backup config and upgrade and follow the prompts.
  5. Save the backup of your configuration in case you need to restore it after the upgrade.

FortiGate uploads and installs the firmware, and then restarts and displays the login screen.

See the procedure above to view the FortiOS firmware to ensure you are running the new firmware version.

System Configuration – Administrators – FortiOS 6.2

Administrators

Administrator profiles

Introduction

By default, the FortiGate has a super administrator account, called admin. Additional administrators can be added for various functions, each with a unique username, password, and set of access privileges.

Administrator profiles define what the administrator can do when logged into the FortiGate. When you set up an administrator account, you also assign an administrator profile which dictates what the administrator sees. Depending on the nature of the administrator’s work, access level or seniority, you can allow them to view and configure as much or as little as is required.

Super_admin profile

This profile has access to all components of FortiOS, including the ability to add and remove other system administrators. For certain administrative functions, such as backing up and restoring the configuration, super_admin access is required. To ensure that there is always a method to administer the FortiGate, the super_admin profile can’t be deleted or modified.

The super_admin profile is used by the default admin account. It is recommended that you add a password and rename this account once you have set up your FortiGate. In order to rename the default account, a second admin account is required.

Creating customized profiles

To create a profile in the GUI:

  1. Go to System > Admin Profiles.
  2. Select Create New.
  3. Configure the following settings: l l Access permissions. l Override idle timeout.
  4. Select OK.

To create a profile in the CLI:

config system accprofile

edit “sample”

set secfabgrp read-write set ftviewgrp read-write set authgrp read-write set sysgrp read-write set netgrp read-write set loggrp read-write set fwgrp read-write set vpngrp read-write set utmgrp read-write set wanoptgrp read-write set wifi read-write

next

end

Edit profiles

To edit a profile in the GUI:

  1. Go to System > Admin Profiles.
  2. Choose the profile to be edited and select Edit.
  3. Select OK to save any changes made.

To edit a profile in the CLI:

config system accprofile edit “sample”

set secfabgrp read

next

end

Delete profiles

To delete a profile in the GUI:

  1. Go to System > Admin Profiles.
  2. Choose the profile to be deleted and select Delete.
  3. Select OK.

To delete a profile in the CLI:

config system accprofile

delete “sample” end

Add a local administrator

By default, FortiGate has one super admin named admin. You can create more administrator accounts with difference privileges.

To create an administrator account in the GUI:

  1. Go to System > Administrators.
  2. Select Create New > Administrator.
  3. Specify the Username.
  4. Set Type to Local User.
  5. Set the password and other fields.
  6. Click OK.

To create an administrator account in the CLI:

config system admin edit <Admin_name>

set accprofile <Profile_name> set vdom <Vdom_name>

set password <Password for this admin>

next end

Remote authentication for administrators

Administrators can use remote authentication, such as LDAP, to connect to the FortiGate.

Setting up remote authentication for administrators includes the following steps:

  1. Configure the LDAP server on page 153
  2. Add the LDAP server to a user group on page 154
  3. Configure the administrator account on page 154

Configure the LDAP server

To configure the LDAP server in the GUI:

  1. Go to User& Device > LDAP Servers and select Create New.
  2. Enter the server Name, ServerIP address or Name.
  3. Enter the Common Name Identifier and Distinguished Name.
  4. Set the Bind Type to Regular and enter the Username and Password.
  5. Click OK.

To configure the LDAP server in the CLI:

config user ldap

edit <ldap_server_name>

set server <server_ip> set cnid “cn”

set dn “dc=XYZ,dc=fortinet,dc=COM”

set type regular

set username “cn=Administrator,dc=XYA, dc=COM” set password <password>

next

end

Add the LDAP server to a user group

After configuring the LDAP server, create a user group that include the LDAP server you configured.

To create a user group in the GUI:

  1. Go to User& Device > UserGroups and select Create New.
  2. Enter a Name for the group.
  3. In the Remote groups section, select Create New.
  4. Select the Remote Server from the dropdown list.
  5. Click OK.

To create a user group in the CLI:

config user group

edit <Group_name>

set member “ldap_server_name”

next

end

Configure the administrator account

After configuring the LDAP server and adding it to a user group, create a new administrator. For this administrator, instead of entering a password, use the new user group and the wildcard option for authentication.

To create an administrator in the GUI:

  1. Go to System > Administrators.
  2. Select Create New > Administrator.
  3. Specify the Username.
  4. Set Type to Match a useron a remote servergroup.
  5. In Remote UserGroup, select the user group you created.
  6. Select Wildcard.

The Wildcard option allows LDAP users to connect as this administrator.

  1. Select an AdministratorProfile.
  2. Click OK.

To create an administrator in the CLI:

config system admin edit <admin_name>

set remote-auth enable set accprofile super_admin set wild card enable set remote-group ldap

end

Other methods of administrator authentication

Administrator accounts can use different methods for authentication, including RADIUS, TACACS+, and PKI.

RADIUS authentication for administrators

To use a RADIUS server to authenticate administrators, you must:

  • Configure the FortiGate to access the RADIUS server. l Create the RADIUS user group. l Configure an administrator to authenticate with a RADIUS server.

TACACS+ authentication for administrators

To use a TACACS+ server to authenticate administrators, you must:

  • Configure the FortiGate to access the TACACS+ server. l Create a TACACS+ user group. l Configure an administrator to authenticate with a TACACS+ server.

PKI certificate authentication for administrators

To use PKI authentication for an administrator, you must:

  • Configure a PKI user. l Create a PKI user group. l Configure an administrator to authenticate with a PKI certificate.

Password policy

Brute force password software can launch more than just dictionary attacks. It can discover common passwords where a letter is replaced by a number. For example, if p4ssw0rd is used as a password, it can be cracked.

Using secure passwords is vital for preventing unauthorized access to your FortiGate. When changing the password, consider the following to ensure better security:

  • Do not use passwords that are obvious, such as the company name, administrator names, or other obvious words or phrases.
  • Use numbers in place of letters, for example, passw0rd. l Administrator passwords can be up to 64 characters. l Include a mixture of numbers, and upper and lower case letters. l Use multiple words together, or possibly even a sentence, for example keytothehighway. l Use a password generator.
  • Change the password regularly and always make the new password unique and not a variation of the existing password, such as changing from password to password1.
  • Make note of the password and store it in a safe place away from the management computer, in case you forget it; or ensure at least two people know the password in the event one person becomes unavailable. Alternatively, have two different admin logins.

FortiGate allows you to create a password policy for administrators and IPsec pre-shared keys. With this policy, you can enforce regular changes and specific criteria for a password policy including:

  • Minimum length between 8 and 64 characters.
  • If the password must contain uppercase (A, B, C) and/or lowercase (a, b, c) characters. l If the password must contain numbers (1, 2, 3). l If the password must contain special or non-alphanumeric characters (!, @, #, $, %, ^, &, *, (, and )). l Where the password applies (admin or IPsec or both). l The duration of the password before a new one must be specified.

If you add a password policy or change the requirements on an existing policy, the next time that administrator logs into the FortiGate, the administrator is prompted to update the password to meet the new requirements before proceeding to log in.

To create a system password policy the GUI:

  1. Go to System > Settings.
  2. In the Password Policy section, change the Password scope to Admin, IPsec, or Both.
  3. Specify the password options.
  4. Click Apply.

To create a system password policy the CLI:

config system password-policy

status      Enable/disable setting a password policy for locally defined administrator passwords and IPsec VPN pre-shared keys. apply-to Apply password policy to administrator passwords or IPsec preshared keys or both. Separate entries with a space.

minimum-length Minimum password length (8 – 128, default = 8).
min-lower-case-letter default = 0). Minimum number of lowercase characters in password (0 – 128,
min-upper-case-letter default = 0). Minimum number of uppercase characters in password (0 – 128,
min-non-alphanumeric 128, default = 0). Minimum number of non-alphanumeric characters in password (0 –
min-number default = 0). Minimum number of numeric characters in password (0 – 128,
change-4-characters (This attribute Enable/disable changing at least 4 characters for a new password

overrides reuse-password if both are enabled). expire-status     Enable/disable password expiration.

reuse-password          Enable/disable reusing of password (if both reuse-password and

change-4-characters are enabled, change-4-characters overrides). end

System Management

System management introduction

This topic contains information about FortiGate administration that you can do after installing the FortiGate in your network.

Basic system settings

Administrator

By default, FortiGate has an administrator account with the username admin and no password. To prevent unauthorized access to the FortiGate, we highly recommended that you protect this account with a password.

Administrator profile

An administrator profile defines what the administrator can do on the FortiGate. You can set up different administrator profiles depending on the nature of the administrator’s work, access level, or seniority. When you set up an administrator account, assign the administrator profile for what that administrator can do.

Interface

Both the physical and virtual interface allow traffic to flow between internal networks, and between the Internet and internal networks. FortiGate has options for setting up interfaces and groups of sub-networks that can scale as your organization grows. You can create and edit VLAN, EMAC-VLAN, switch interface, zone, and so on.

Advanced system settings

Password policy

Set up a password policy for administrators and IPsec pre-shared keys. A password policy can enforce password criteria and change frequency.

SNMP

The Simple Network Management Protocol (SNMP) allows you to monitor hardware on your network. You can configure hardware such as the FortiGate SNMP agent to report system information and traps. SNMP traps alert you to events that happen such as when a log disk is full or a virus is detected.

DHCP server

You can configure one or more DHCP servers on any FortiGate interface. A DHCP server dynamically assigns IP addresses to hosts on the network connected to the interface. Host computers must be configured to obtain their IP addresses using DHCP.

VDOM

You can use virtual domains (VDOMs) to divide a FortiGate into multiple virtual devices that function independently. For each separate VDOM, you can create different configurations including firewall policies, routing, VPNs, and security profiles.

Troubleshooting SD WAN – FortiOs 6.2

Troubleshooting

Tracking SD-WAN sessions

You can check the destination interface in FortiView in order to see which port the traffic is being forwarded to.

The example below demonstrates a source-based load-balance between two SD-WAN members.

  • If the source IP address is an even number, it will go to port13.
  • If the source IP address is an odd number, it will go to port12.

For information on other features of FortiView, see FortiView on page 91.

Understanding SD-WAN related logs

This topic lists the SD-WAN related logs and explains when the logs will be triggered.

Health-check detects a failure:

  • When health-check detects a failure, it will record a log:

34: date=2019-03-23 time=17:26:06 logid=”0100022921″ type=”event” subtype=”system” level=”critical” vd=”root” eventtime=1553387165 logdesc=”Routing information changed” name=”test” interface=”R150″ status=”down” msg=”Static route on interface R150 may be removed by health-check test. Route: (10.100.1.2->10.100.2.22 ping-down)”

  • When health-check detects a recovery, it will record a log:

32: date=2019-03-23 time=17:26:54 logid=”0100022921″ type=”event” subtype=”system” level=”critical” vd=”root” eventtime=1553387214 logdesc=”Routing information changed” name=”test” interface=”R150″ status=”up” msg=”Static route on interface R150 may be added by health-check test. Route: (10.100.1.2->10.100.2.22 ping-up)”

Health-check has an SLA target and detects SLA qualification changes:

  • When health-check has an SLA target and detects SLA changes, and changes to fail:

5: date=2019-04-11 time=11:48:39 logid=”0100022923″ type=”event” subtype=”system” level=”notice” vd=”root” eventtime=1555008519816639290 logdesc=”Virtual WAN Link status” msg=”SD-WAN Health Check(ping) SLA(1): number of pass members changes from 2 to 1.”

  • When health-check has an SLA target and detects SLA changes, and changes to pass:

2: date=2019-04-11 time=11:49:46 logid=”0100022923″ type=”event” subtype=”system” level=”notice” vd=”root” eventtime=1555008586149038471 logdesc=”Virtual WAN Link status” msg=”SD-WAN Health Check(ping) SLA(1): number of pass members changes from 1 to 2.”

SD-WAN calculates a link’s session/bandwidth over/under its ratio and stops/resumes traffic:

  • When SD-WAN calculates a link’s session/bandwidth over its configured ratio and stops forwarding traffic:

3: date=2019-04-10 time=17:15:40 logid=”0100022924″ type=”event” subtype=”system” level=”notice” vd=”root” eventtime=1554941740185866628 logdesc=”Virtual WAN Link volume status” interface=”R160″ msg=”The member(3) enters into conservative status with limited ablity to receive new sessions for too much traffic.” l When SD-WAN calculates a link’s session/bandwidth according to its ratio and resumes forwarding traffic:

1: date=2019-04-10 time=17:20:39 logid=”0100022924″ type=”event” subtype=”system” level=”notice” vd=”root” eventtime=1554942040196041728 logdesc=”Virtual WAN Link volume status” interface=”R160″ msg=”The member(3) resume normal status to receive new sessions for internal adjustment.”

The SLA mode service rule’s SLA qualified member changes:

  • When the SLA mode service rule’s SLA qualified member changes. In this example R150 fails the SLA check, but is still alive:

14: date=2019-03-23 time=17:44:12 logid=”0100022923″ type=”event” subtype=”system” level=”notice” vd=”root” eventtime=1553388252 logdesc=”Virtual WAN Link status” msg=”Service2() prioritized by SLA will be redirected in seq-num order 2(R160) 1(R150).” 15: date=2019-03-23 time=17:44:12 logid=”0100022923″ type=”event” subtype=”system” level=”notice” vd=”root” eventtime=1553388252 logdesc=”Virtual WAN Link status” interface=”R150″ msg=”The member1(R150) SLA order changed from 1 to 2. ”

16: date=2019-03-23 time=17:44:12 logid=”0100022923″ type=”event” subtype=”system” level=”notice” vd=”root” eventtime=1553388252 logdesc=”Virtual WAN Link status” interface=”R160″ msg=”The member2(R160) SLA order changed from 2 to 1. ”

  • When the SLA mode service rule’s SLA qualified member changes. In this example R150 changes from fail to pass:

1: date=2019-03-23 time=17:46:05 logid=”0100022923″ type=”event” subtype=”system” level=”notice” vd=”root” eventtime=1553388365 logdesc=”Virtual WAN Link status” msg=”Service2() prioritized by SLA will be redirected in seq-num order 1(R150) 2(R160).” 2: date=2019-03-23 time=17:46:05 logid=”0100022923″ type=”event” subtype=”system” level=”notice” vd=”root” eventtime=1553388365 logdesc=”Virtual WAN Link status” interface=”R160″ msg=”The member2(R160) SLA order changed from 1 to 2. ” 3: date=2019-03-23 time=17:46:05 logid=”0100022923″ type=”event” subtype=”system” level=”notice” vd=”root” eventtime=1553388365 logdesc=”Virtual WAN Link status” interface=”R150″ msg=”The member1(R150) SLA order changed from 2 to 1. ”

The priority mode service rule member’s link status changes:

  • When priority mode service rule member’s link status changes. In this example R150 changes to better than R160, and both are still alive:

1: date=2019-03-23 time=17:33:23 logid=”0100022923″ type=”event” subtype=”system” level=”notice” vd=”root” eventtime=1553387603 logdesc=”Virtual WAN Link status” msg=”Service2() prioritized by packet-loss will be redirected in seq-num order 1(R150) 2 (R160).”

2: date=2019-03-23 time=17:33:23 logid=”0100022923″ type=”event” subtype=”system” level=”notice” vd=”root” eventtime=1553387603 logdesc=”Virtual WAN Link status” interface=”R160″ msg=”The member2(R160) link quality packet-loss order changed from 1 to 2.

3: date=2019-03-23 time=17:33:23 logid=”0100022923″ type=”event” subtype=”system” level=”notice” vd=”root” eventtime=1553387603 logdesc=”Virtual WAN Link status” interface=”R150″ msg=”The member1(R150) link quality packet-loss order changed from 2 to 1. ” l When priority mode service rule member’s link status changes. In this example R160 changes to better than R150, and both are still alive:

6: date=2019-03-23 time=17:32:01 logid=”0100022923″ type=”event” subtype=”system” level=”notice” vd=”root” eventtime=1553387520 logdesc=”Virtual WAN Link status” msg=”Service2() prioritized by packet-loss will be redirected in seq-num order 2(R160) 1 (R150).”

7: date=2019-03-23 time=17:32:01 logid=”0100022923″ type=”event” subtype=”system” level=”notice” vd=”root” eventtime=1553387520 logdesc=”Virtual WAN Link status” interface=”R150″ msg=”The member1(R150) link quality packet-loss order changed from 1 to 2.

8: date=2019-03-23 time=17:32:01 logid=”0100022923″ type=”event” subtype=”system” level=”notice” vd=”root” eventtime=1553387520 logdesc=”Virtual WAN Link status” interface=”R160″ msg=”The member2(R160) link quality packet-loss order changed from 2 to 1. ”

SD-WAN member is used in service and it fails the health-check:

  • When SD-WAN member fails the health-check, it will stop forwarding traffic:

6: date=2019-04-11 time=13:33:21 logid=”0100022923″ type=”event” subtype=”system” level=”notice” vd=”root” eventtime=1555014801844089814 logdesc=”Virtual WAN Link status” interface=”R160″ msg=”The member2(R160) link is unreachable or miss threshold. Stop forwarding traffic. ”

  • When SD-WAN member passes the health-check again, it will resume forwarding logs:

2: date=2019-04-11 time=13:33:36 logid=”0100022923″ type=”event” subtype=”system” level=”notice” vd=”root” eventtime=1555014815914643626 logdesc=”Virtual WAN Link status” interface=”R160″ msg=”The member2(R160) link is available. Start forwarding traffic. ”

Load-balance mode service rule’s SLA qualified member changes:

  • When load-balance mode service rule’s SLA qualified member changes. In this example R150 changes to not meet SLA:

2: date=2019-04-11 time=14:11:16 logid=”0100022923″ type=”event” subtype=”system” level=”notice” vd=”root” eventtime=1555017075926510687 logdesc=”Virtual WAN Link status” msg=”Service1(rule2) will be load balanced among members 2(R160) with available routing.” 3: date=2019-04-11 time=14:11:16 logid=”0100022923″ type=”event” subtype=”system” level=”notice” vd=”root” eventtime=1555017075926508676 logdesc=”Virtual WAN Link status”

interface=”R150″ msg=”The member1(R150) SLA order changed from 1 to 2. ” 4: date=2019-04-11 time=14:11:16 logid=”0100022923″ type=”event” subtype=”system” level=”notice” vd=”root” eventtime=1555017075926507182 logdesc=”Virtual WAN Link status” interface=”R160″ msg=”The member2(R160) SLA order changed from 2 to 1. ”

  • When load-balance mode service rule’s SLA qualified member changes. In this example R150 changes to meet SLA:

1: date=2019-04-11 time=14:33:23 logid=”0100022923″ type=”event” subtype=”system” level=”notice” vd=”root” eventtime=1555017075926510668 logdesc=”Virtual WAN Link status” msg=”Service1(rule2) will be load balanced among members 1(R150) 2(R160) with available routing.”

2: date=2019-03-23 time=14:33:23 logid=”0100022923″ type=”event” subtype=”system” level=”notice” vd=”root” eventtime=1553387603592651068 logdesc=”Virtual WAN Link status” interface=”R160″ msg=”The member2(R160) link quality packet-loss order changed from 1 to 2.

3: date=2019-03-23 time=14:33:23 logid=”0100022923″ type=”event” subtype=”system” level=”notice” vd=”root” eventtime=1553387603592651068 logdesc=”Virtual WAN Link status” interface=”R150″ msg=”The member1(R150) link quality packet-loss order changed from 2 to 1. ”

SLA link status logs, generated with interval sla-fail-log-period or sla-pass-log-period:

l When SLA fails, SLA link status logs will be generated with interval sla-fail-log-period:

7: date=2019-03-23 time=17:45:54 logid=”0100022925″ type=”event” subtype=”system” level=”notice” vd=”root” eventtime=1553388352 logdesc=”Link monitor SLA information” name=”test” interface=”R150″ status=”up” msg=”Latency: 0.016, jitter: 0.002, packet loss: 21.000%, inbandwidth: 0Mbps, outbandwidth: 200Mbps, bibandwidth: 200Mbps, sla_map: 0x0″ l When SLA passes, SLA link status logs will be generated with interval sla-pass-log-period:

5: date=2019-03-23 time=17:46:05 logid=”0100022925″ type=”event” subtype=”system” level=”information” vd=”root” eventtime=1553388363 logdesc=”Link monitor SLA information” name=”test” interface=”R150″ status=”up” msg=”Latency: 0.017, jitter: 0.003, packet loss:

0.000%, inbandwidth: 0Mbps, outbandwidth: 200Mbps, bibandwidth: 200Mbps, sla_map: 0x1″

SD-WAN related diagnose commands

This topic lists the SD-WAN related diagnose commands and related output.

To check SD-WAN health-check status:

FGT # diagnose sys virtual-wan-link health-check Health Check(server):

Seq(1): state(alive), packet-loss(0.000%) latency(15.247), jitter(5.231) sla_map=0x0

Seq(2): state(alive), packet-loss(0.000%) latency(13.621), jitter(6.905) sla_map=0x0

FGT  # diagnose sys virtual-wan-link health-check Health Check(ping):

Seq(1): state(alive), packet-loss(0.000%) latency(0.683), jitter(0.082) sla_map=0x0 Seq(2): state(dead), packet-loss(100.000%) sla_map=0x0

FGT # diagnose sys virtual-wan-link health-check google Health Check(google):

Seq(1): state(alive), packet-loss(0.000%) latency(14.563), jitter(4.334) sla_map=0x0

Seq(2): state(alive), packet-loss(0.000%) latency(12.633), jitter(6.265) sla_map=0x0

To check SD-WAN member status:

l When SD-WAN load-balance mode is source-ip-based/source-dest-ip-based.

FGT # diagnose sys virtual-wan-link member

Member(1): interface: port13, gateway: 10.100.1.1 2004:10:100:1::1, priority: 0, weight: 0

Member(2): interface: port15, gateway: 10.100.1.5 2004:10:100:1::5, priority: 0, weight: 0 l When SD-WAN load-balance mode is weight-based.

FGT # diagnose sys virtual-wan-link member

Member(1): interface: port13, gateway: 10.100.1.1 2004:10:100:1::1, priority: 0, weight: 33

Member(2): interface: port15, gateway: 10.100.1.5 2004:10:100:1::5, priority: 0, weight: 66 l When SD-WAN load-balance mode is measured-volume-based. l Both members are under volume and still have room:

FGT # diagnose sys virtual-wan-link member

Member(1): interface: port13, gateway: 10.100.1.1 2004:10:100:1::1, priority: 0, weight: 33

Config volume ratio: 33, last reading: 8211734579B, volume room 33MB

Member(2): interface: port15, gateway: 10.100.1.5 2004:10:100:1::5, priority: 0, weight: 66

Config volume ratio: 66, last reading: 24548159B, volume room 66MB l Some members are overloaded and some still have room:

FGT # diagnose sys virtual-wan-link member

Member(1): interface: port1, gateway: 10.10.0.2, priority: 0, weight: 0

Config volume ratio: 10, last reading: 10297221000B, overload volume 1433MB

Member(2): interface: port2, gateway: 10.11.0.2, priority: 0, weight: 38 Config volume ratio: 50, last reading: 45944239916B, volume room 38MB l When SD-WAN load balance mode is usage-based/spillover. l When no spillover occurs:

FGT # diagnose sys virtual-wan-link member

Member(1): interface: port13, gateway: 10.100.1.1 2004:10:100:1::1, priority: 0, weight: 255

Egress-spillover-threshold: 400kbit/s, ingress-spillover-threshold: 300kbit/s Egress-overbps=0, ingress-overbps=0

Member(2): interface: port15, gateway: 10.100.1.5 2004:10:100:1::5, priority: 0, weight: 254

Egress-spillover-threshold: 0kbit/s, ingress-spillover-threshold: 0kbit/s Egress-overbps=0, ingress-overbps=0 l When member has reached limit and spillover occurs:

FGT # diagnose sys virtual-wan-link member

Member(1): interface: port13, gateway: 10.100.1.1 2004:10:100:1::1, priority: 0, weight: 255

Egress-spillover-threshold: 400kbit/s, ingress-spillover-threshold: 300kbit/s Egress-overbps=1, ingress-overbps=1

Member(2): interface: port15, gateway: 10.100.1.5 2004:10:100:1::5, priority: 0, weight: 254

Egress-spillover-threshold: 0kbit/s, ingress-spillover-threshold: 0kbit/s

Egress-overbps=0, ingress-overbps=0

  • You can also use the diagnose netlink dstmac list command to check if you are over the limit.

FGT # diag netlink dstmac list port13

dev=port13 mac=08:5b:0e:ca:94:9d rx_tcp_mss=0 tx_tcp_mss=0 egress_overspill_ threshold=51200 egress_bytes=103710 egress_over_bps=1 ingress_overspill_threshold=38400 ingress_bytes=76816 ingress_over_bps=1 sampler_rate=0

To check SD-WAN service rules status:

  • Manual mode service rules.

FGT # diagnose sys virtual-wan-link service

Service(1): Address Mode(IPV4) flags=0x0

TOS(0x0/0x0), Protocol(0: 1->65535), Mode(manual) Members:

1: Seq_num(2), alive, selected

Dst address: 10.100.21.0-10.100.21.255 l Auto mode service rules.

FGT # diagnose sys virtual-wan-link service

Service(1): Address Mode(IPV4) flags=0x0

TOS(0x0/0x0), Protocol(0: 1->65535), Mode(auto), link-cost-factor(latency), link-costthreshold(10), health-check(ping) Members:

1: Seq_num(2), alive, latency: 0.011

2: Seq_num(1), alive, latency: 0.018, selected Dst address: 10.100.21.0-10.100.21.255 l Priority mode service rules.

FGT # diagnose sys virtual-wan-link service

Service(1): Address Mode(IPV4) flags=0x0

TOS(0x0/0x0), Protocol(0: 1->65535), Mode(priority), link-cost-factor(latency), linkcost-threshold(10), health-check(ping) Members:

1: Seq_num(2), alive, latency: 0.011, selected

2: Seq_num(1), alive, latency: 0.017, selected Dst address: 10.100.21.0-10.100.21.255 l Load-balance mode service rules.

FGT # diagnose sys virtual-wan-link service

Service(1): Address Mode(IPV4) flags=0x0

TOS(0x0/0x0), Protocol(0: 1->65535), Mode(load-balance) Members:

1: Seq_num(1), alive, sla(0x1), num of pass(1), selected

2: Seq_num(2), alive, sla(0x1), num of pass(1), selected Dst address: 10.100.21.0-10.100.21.255 l SLA mode service rules.

FGT # diagnose sys virtual-wan-link service

Service(1): Address Mode(IPV4) flags=0x0 TOS(0x0/0x0), Protocol(0: 1->65535), Mode(sla) Members:

1: Seq_num(1), alive, sla(0x1), cfg_order(0), cost(0), selected

2: Seq_num(2), alive, sla(0x1), cfg_order(1), cost(0), selected Dst address: 10.100.21.0-10.100.21.255

To check interface logs from the past 15 minutes:

FGT (root) # diagnose sys virtual-wan-link intf-sla-log R150

Timestamp: Fri Apr 12 11:08:36 2019, used inbandwidth: 0bps, used outbandwidth: 0bps, used bibandwidth: 0bps, tx bytes: 860bytes, rx bytes: 1794bytes.

Timestamp: Fri Apr 12 11:08:46 2019, used inbandwidth: 1761bps, used outbandwidth: 1710bps, used bibandwidth: 3471bps, tx bytes: 2998bytes, rx bytes: 3996bytes.

Timestamp: Fri Apr 12 11:08:56 2019, used inbandwidth: 2452bps, used outbandwidth: 2566bps, used bibandwidth: 5018bps, tx bytes: 7275bytes, rx bytes: 7926bytes.

Timestamp: Fri Apr 12 11:09:06 2019, used inbandwidth: 2470bps, used outbandwidth: 3473bps, used bibandwidth: 5943bps, tx bytes: 13886bytes, rx bytes: 11059bytes.

Timestamp: Fri Apr 12 11:09:16 2019, used inbandwidth: 2433bps, used outbandwidth: 3417bps, used bibandwidth: 5850bps, tx bytes: 17946bytes, rx bytes: 13960bytes.

Timestamp: Fri Apr 12 11:09:26 2019, used inbandwidth: 2450bps, used outbandwidth: 3457bps, used bibandwidth: 5907bps, tx bytes: 22468bytes, rx bytes: 17107bytes.

To check SLA logs in the past 15 minutes:

FGT (root) # diagnose sys virtual-wan-link sla-log ping 1

Timestamp: Fri Apr 12 11:09:27 2019, vdom root, health-check ping, interface: R150, status:

up, latency: 0.014, jitter: 0.003, packet loss: 16.000%.

Timestamp: Fri Apr 12 11:09:28 2019, vdom root, health-check ping, interface: R150, status:

up, latency: 0.015, jitter: 0.003, packet loss: 15.000%.

Timestamp: Fri Apr 12 11:09:28 2019, vdom root, health-check ping, interface: R150, status:

up, latency: 0.014, jitter: 0.003, packet loss: 14.000%.

Timestamp: Fri Apr 12 11:09:29 2019, vdom root, health-check ping, interface: R150, status: up, latency: 0.015, jitter: 0.003, packet loss: 13.000%.

To check application control used in SD-WAN and the matching IP addresses:

FGT # diagnose sys virtual-wan-link internet-service-app-ctrl-list

Ctrl application(Microsoft.Authentication 41475):Internet Service ID(4294836224)

Protocol(6), Port(443)

Address(2): 104.42.72.21 131.253.61.96

Ctrl application(Microsoft.CDN 41470):Internet Service ID(4294836225)

Ctrl application(Microsoft.Lync 28554):Internet Service ID(4294836226)

Ctrl application(Microsoft.Office.365 33182):Internet Service ID(4294836227)

Ctrl application(Microsoft.Office.365.Portal 41468):Internet Service ID(4294836228)

Ctrl application(Microsoft.Office.Online 16177):Internet Service ID(4294836229)

Ctrl application(Microsoft.OneNote 40175):Internet Service ID(4294836230)

Ctrl application(Microsoft.Portal 41469):Internet Service ID(4294836231)

Protocol(6), Port(443)

Address(8): 23.58.134.172 131.253.33.200 23.58.135.29 204.79.197.200 64.4.54.254

23.59.156.241 13.77.170.218 13.107.22.200

Ctrl application(Microsoft.Sharepoint 16190):Internet Service ID(4294836232)

Ctrl application(Microsoft.Sway 41516):Internet Service ID(4294836233)

Ctrl application(Microsoft.Tenant.Namespace 41471):Internet Service ID(4294836234)

To check IPsec aggregate interface when SD-WAN uses the per-packet distribution feature:

# diagnose sys ipsec-aggregate list agg1 algo=L3 member=2 run_tally=2 members: vd1-p1 vd1-p2

To check BGP learned routes and determine if they are used in SD-WAN service:

FGT # get router info bgp network

FGT # get router info bgp network 10.100.11.0

BGP routing table entry for 10.100.10.0/24

Paths: (2 available, best 1, table Default-IP-Routing-Table) Advertised to non peer-group peers:

172.10.22.2

20

10.100.20.2 from 10.100.20.2 (6.6.6.6)

Origin EGP metric 200, localpref 100, weight 10000, valid, external, best

Community: 30:5

Last update: Wen Mar 20 18:45:17 2019

FGT # get router info route-map-address

Extend-tag: 15, interface(wan2:16)

10.100.11.0/255.255.255.0

FGT # diagnose firewall proute list list route policy info(vf=root):

id=4278779905 vwl_service=1(DataCenter) flags=0x0 tos=0x00 tos_mask=0x00 protocol=0 sportt=0:65535 iif=0 dport=1-65535 oif=16 source wildcard(1): 0.0.0.0/0.0.0.0

destination wildcard(1): 10.100.11.0/255.255.255.0

 

Using BGP tags with SD-WAN rules – FortiOS 6.2

Using BGP tags with SD-WAN rules

SD-WAN rules can use Border Gateway Protocol (BGP) learned routes as dynamic destinations.

In this example, a customer has two ISP connections, wan1 and wan2. wan1 is used primarily for direct access to internet applications, and wan2 is used primarily for traffic to the customer’s data center.

The customer could create an SD-WAN rule using the data center’s IP address range as the destination to force that traffic to use wan2, but the data center’s IP range is not static. Instead, a BGP tag can be used.

For this example, wan2’s BGP neighbor advertises the data center’s network range with a community number of 30:5.

This example assumes that SD-WAN is enable on the FortiGate, wan1 and wan2 are added as SD-WAN members, and a policy and static route have been created. See Creating the SD-WAN interface on page 105 for details.

To configure BGP tags with SD-WAN rules:

  1. Configure the community list:

config router community-list edit “30:5” config rule edit 1 set action permit set match “30:5”

next

end

next

end

  1. Configure the route map:

config router route-map edit “comm1” config rule edit 1 set match-community “30:5” set set-route-tag 15

next

end

next

end

  1. Configure BGP:

config router bgp set as xxxxx set router-id xxxx config neighbor edit “10.100.20.2” set soft-reconfiguration enable set remote-as xxxxx set route-map-in “comm1”

next

end

end

  1. Configure a firewall policy:

config firewall policy edit 1 set name “1” set srcintf “dmz”

set dstintf “”virtual-wan-link”” set srcaddr “all” set dstaddr “all” set action accept set schedule “always” set service “ALL”

set nat enable

next

end

  1. Edit the SD-WAN configuration:

config system virtual-wan-link set status enable config members edit 1 set interface “wan1” set gateway 172.16.20.2

next edit 2 set interface “wan2”

next

end config service edit 1 set name “DataCenter” set mode manual set route-tag 15 set members 2

next

end

end

Troubleshooting

Check the network community

Use the get router info bgp network command to check the network community:

# get router info bgp network

BGP table version is 5, local router ID is 1.1.1.1

Status codes: s suppressed, d damped, h history, * valid, > best, i – internal, S Stale

Origin codes: i – IGP, e – EGP, ? – incomplete

Network Next Hop Metric LocPrf Weight RouteTag Path *> 0.0.0.0/0 10.100.1.5 32768 0 ?

*> 1.1.1.1/32 0.0.0.0 32768 0 ?

*> 10.1.100.0/24 172.16.203.2 32768 0 ?

*> 10.100.1.0/30 0.0.0.0 32768 0 ?

*> 10.100.1.4/30 0.0.0.0 32768 0 ?

*> 10.100.1.248/29 0.0.0.0 32768 0 ? *> 10.100.10.0/24 10.100.1.5 202 10000 15 20 e *> 172.16.200.0/24 0.0.0.0 32768 0 ?

*> 172.16.200.200/32

0.0.0.0 32768 0 ?

*> 172.16.201.0/24 172.16.200.4 32768 0 ? *> 172.16.203.0/24 0.0.0.0 32768 0 ?

*> 172.16.204.0/24 172.16.200.4 32768 0 ?

*> 172.16.205.0/24 0.0.0.0 32768 0 ?

*> 172.16.206.0/24 0.0.0.0 32768 0 ?

*> 172.16.207.1/32 0.0.0.0 32768 0 ?

*> 172.16.207.2/32 0.0.0.0 32768 0 ?

*> 172.16.212.1/32 0.0.0.0 32768 0 ?

*> 172.16.212.2/32 0.0.0.0 32768 0 ?

*> 172.17.200.200/32

0.0.0.0 32768 0 ? *> 172.27.1.0/24 0.0.0.0 32768 0 ?

*> 172.27.2.0/24 0.0.0.0 32768 0 ?

*> 172.27.5.0/24 0.0.0.0 32768 0 ?

*> 172.27.6.0/24 0.0.0.0 32768 0 ?

*> 172.27.7.0/24 0.0.0.0 32768 0 ?

*> 172.27.8.0/24 0.0.0.0 32768 0 ?

*> 172.29.1.0/24 0.0.0.0 32768 0 ?

*> 172.29.2.0/24 0.0.0.0 32768 0 ? *> 192.168.1.0 0.0.0.0 32768 0 ?

Total number of prefixes 28

# get router info bgp network 10.100.11.0

BGP routing table entry for 10.100.10.0/24

Paths: (2 available, best 1, table Default-IP-Routing-Table) Advertised to non peer-group peers:

172.10.22.2

20

10.100.20.2 from 10.100.20.2 (6.6.6.6)

Origin EGP metric 200, localpref 100, weight 10000, valid, external, best

Community: 30:5 <<<<===========================

Last update: Wen Mar 20 18:45:17 2019

Check dynamic BGP addresses

Use the get router info route-map-address command to check dynamic BGP addresses:

# get router info route-map-address

Extend-tag: 15, interface(wan2:16)

10.100.11.0/255.255.255.0

Check dynamic BGP addresses used in policy routes

Use the diagnose firewall proute list command to check dynamic BGP addresses used in policy routes:

# diagnose firewall proute list list route policy info(vf=root):

id=4278779905 vwl_service=1(DataCenter) flags=0x0 tos=0x00 tos_mask=0x00 protocol=0 sportt=0:65535 iif=0 dport=1-65535 oif=16 source wildcard(1): 0.0.0.0/0.0.0.0 destination wildcard(1): 10.100.11.0/255.255.255.0