FortiWAN Administration

Administration

Go to System > Administration. The Administration page lets you perform administrative tasks, including changing the passwords of the Administrator and Monitor accounts. Every FortiWAN is shipped with the same default passwords, so for security reasons it is strongly recommended that you change them.

By default, FortiWAN uses port 443 for Web UI login. Administrators can change this port to avoid a possible port conflict with Virtual Server services.

The Update/Downgrade section lets you update or downgrade the firmware once new firmware is available (from our website or from dealers). Click the Update/Downgrade button and follow the on-screen instructions exactly.

Configuration Files lets you back up the configuration files by clicking [Save], or reload a previous backup onto FortiWAN by clicking [Restore]. System configurations can be recovered from failures via the backup configuration files.

In Maintenance, you can restore the factory default configuration and reboot FortiWAN. Owing to a limitation of HTML, no message is displayed after the reboot has completed, so wait about two minutes before navigating to the Web UI in your browser.

Administrator and Monitor Password

FortiWAN maintains a common local authentication database for its Web UI, CLI and SSH login (see “Connecting to the Web UI and the CLI”). Accounts for authentication are classified into two groups, Administrator and Monitor, with different permissions. Accounts belonging to Administrator have permission to monitor and modify system parameters via Web UI, CLI and SSH login, while accounts belonging to Monitor are limited to monitoring system information and traffic statistics via the Web UI ONLY.

Applying configurations, system administration (the management tasks introduced in this topic), Tunnel Routing Benchmark, CLI access and SSH login are not available to the Monitor group. Note that the page System > Administration is not available to Monitor accounts.

Default account/password

The first time you log in to the Web UI, you see the default accounts here. “Administrator” and “admin” are the default accounts of the Administrator group, and “Monitor” is the default account of the Monitor group. The passwords of accounts “Administrator” and “Monitor” are “1234” and “5678” respectively; the password of account “admin” is null (see “Appendix A: Default Values”). All accounts (default and customized) of the Administrator group are able to log in to the Web UI, CLI and SSH. All account names are case sensitive.

Create, modify and delete accounts and passwords for Administrators or Monitors.

Select Account : Select an existing account to configure, or create a new one. If you select the account you are currently logged in as, the [Add Account] button changes to [Set Account].
New Account : Allows you to add a new account. Enter the new account ID here.
New Password : Enter the new password after you have added or selected an account.
Password Verification : Confirm the new password.

Event notifications via SNMP trap

You can receive a notification via SNMP trap for any modification of a FortiWAN account. Configure the SNMP manager on your FortiWAN and enable the event type “Account change” (see “Notification”); notifications will then be delivered to your SNMP manager for these events. The corresponding MIB fields and OIDs are listed below:

SNMP field names and OIDs

fwnEventAdminAccountPwChanged (OID 1.3.6.1.4.1.12356.118.3.1.1.1) : Sends an event notification when the password of an account in the Administrator group is changed.
fwnEventAdminAccountAdded (OID 1.3.6.1.4.1.12356.118.3.1.1.2) : Sends an event notification when an account is added to the Administrator group.
fwnEventAdminAccountRemoved (OID 1.3.6.1.4.1.12356.118.3.1.1.3) : Sends an event notification when an account is removed from the Administrator group.
fwnEventMonitorAccountPwChanged (OID 1.3.6.1.4.1.12356.118.3.1.1.4) : Sends an event notification when the password of an account in the Monitor group is changed.
fwnEventMonitorAccountAdded (OID 1.3.6.1.4.1.12356.118.3.1.1.5) : Sends an event notification when an account is added to the Monitor group.
fwnEventMonitorAccountRemoved (OID 1.3.6.1.4.1.12356.118.3.1.1.6) : Sends an event notification when an account is removed from the Monitor group.
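The following is an added example, not FortiWAN or Fortinet code: it maps the six trap OIDs above to their event names at a trap receiver and ranks them so that Administrator-group changes (which grant Web UI, CLI and SSH rights) can be alerted on first. The receiver log line format (snmptrapd-style varbind text), the priority scheme and the sample lines are this example's assumptions.

```python
"""Added example (not FortiWAN code): classify the FortiWAN account-change
traps listed above as they arrive at a trap receiver, and pick out the ones
worth an alert. The log line format and priorities are assumptions."""
import re

# OID -> (MIB field, group, change), copied from the table above.
FORTIWAN_ACCOUNT_TRAPS = {
    "1.3.6.1.4.1.12356.118.3.1.1.1": ("fwnEventAdminAccountPwChanged", "Administrator", "password changed"),
    "1.3.6.1.4.1.12356.118.3.1.1.2": ("fwnEventAdminAccountAdded", "Administrator", "account added"),
    "1.3.6.1.4.1.12356.118.3.1.1.3": ("fwnEventAdminAccountRemoved", "Administrator", "account removed"),
    "1.3.6.1.4.1.12356.118.3.1.1.4": ("fwnEventMonitorAccountPwChanged", "Monitor", "password changed"),
    "1.3.6.1.4.1.12356.118.3.1.1.5": ("fwnEventMonitorAccountAdded", "Monitor", "account added"),
    "1.3.6.1.4.1.12356.118.3.1.1.6": ("fwnEventMonitorAccountRemoved", "Monitor", "account removed"),
}
# Assumed priority scheme: Administrator-group changes grant full Web UI/CLI/SSH
# rights, so they rank above Monitor-group changes; unlisted OIDs rank lowest.
PRIORITY = {"Administrator": 2, "Monitor": 1, None: 0}

# The snmpTrapOID varbind as snmptrapd prints it, with or without a leading dot.
_TRAP_OID_RE = re.compile(r"snmpTrapOID\.0\s*=\s*OID:\s*\.?([0-9.]+)")

def classify_trap(line):
    """Return {'oid', 'field', 'group', 'change', 'priority'} for a receiver log
    line carrying a trap OID, or None if the line has no trap OID at all."""
    m = _TRAP_OID_RE.search(line)
    if not m:
        return None
    oid = m.group(1)
    field, group, change = FORTIWAN_ACCOUNT_TRAPS.get(oid, (None, None, None))
    return {"oid": oid, "field": field, "group": group, "change": change,
            "priority": PRIORITY[group]}

def triage(lines, minimum=2):
    """Return the classified traps whose priority is at least `minimum`, in order."""
    hits = []
    for line in lines:
        c = classify_trap(line)
        if c and c["priority"] >= minimum:
            hits.append(c)
    return hits

# Constructed sample receiver output, not captured from a real device; the last
# OID is a made-up placeholder standing in for some unrelated trap.
SAMPLE_LINES = [
    "192.0.2.10: SNMPv2-MIB::snmpTrapOID.0 = OID: .1.3.6.1.4.1.12356.118.3.1.1.2",
    "192.0.2.10: SNMPv2-MIB::snmpTrapOID.0 = OID: .1.3.6.1.4.1.12356.118.3.1.1.4",
    "192.0.2.10: DISMAN-EVENT-MIB::sysUpTimeInstance = Timeticks: (12345) 0:02:03.45",
    "192.0.2.10: SNMPv2-MIB::snmpTrapOID.0 = OID: .1.3.6.1.4.1.12356.118.3.1.1.99",
]
```

Running `triage(SAMPLE_LINES)` with the default threshold returns only the Administrator-group "account added" trap; lowering `minimum` to 1 also returns the Monitor password change.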

FortiWAN – Remote Assistance

Remote Assistance

Enabling this function allows a Fortinet technical support specialist to enter your system for further troubleshooting when assistance is needed. FortiWAN allows the specialist to access the Web UI and backend system remotely, so as to assist users promptly when problems occur. Remote Assistance opens both TCP port 443 for the Web UI and TCP port 23 for SSH debug.

Note: To enter the backend system via SSH login, a debug patch file is required.

Enable : Click the checkbox to enable Remote Assistance.
Server : Enter the server IP address given by Fortinet’s technical support specialist.
Security Code : Displays the security code required for remote logins. This security code is generated automatically after you click Apply to complete the Remote Assistance settings, and is renewed after every system reboot.

FortiWAN – Setting the system time & date

Setting the system time & date

[Date/Time] lets you configure the time, date and time zone. [Date] uses the year/month/day format, and [Time] uses the 24-hour hour:minute:second format. [Time Zone] is represented by continent and city, for example [America] and [New York]. FortiWAN uses an NTP time server for accurate time synchronization; simply click the [Synchronize Time] button. Other time servers are also included in the drop-down list and can be added or deleted as you prefer.

FortiWAN – Diagnostic Tools

Diagnostic Tools

Click the [IPv4] and [IPv6] tabs at the top to choose the diagnostic tools for IPv4 or IPv6.

IPv4

IPv4 ARP Enforcement

[ARP Enforcement] forces the PCs and other devices attached to FortiWAN to update their ARP tables. Click [Enforce] and the system will send out ARP packets to force ARP updates on all attached devices. Generally the function is used only when certain devices in the DMZ cannot access the Internet after FortiWAN has first been installed.

IP Conflict Test

[IP Conflict Test] checks whether any PC’s IP address conflicts with the WAN or DMZ settings in [Network Settings].

Click [Test] to start testing. The IP conflict message is one of the following:

  • Test completed, no IP conflict has been found.
  • There is an IP conflict with a PC in the DMZ; for example, a public IP that has been assigned to WAN in [Network Settings] is now in use in the DMZ. The MAC address of this IP is also listed in the message.
  • There is an IP conflict with a PC in the WAN; for example, a public IP that has been assigned to DMZ in [Network Settings] is now in use in the WAN. The MAC address of this IP is also listed in the message.

Clean IPv4 Session Table (Only Non-TCP Sessions)

The function is used to clean up the non-TCP session tables in FortiWAN. In FortiWAN, protocols are managed with a session timer. Old sessions may be retried continuously by users, so they never expire; these old sessions stay valid and active in place of new ones. New sessions are therefore not used until the session tables are cleaned up.

IPv4 Ping & Trace Route

Ping

[Ping] is used to detect network status. Enter the IP address or host name of the target device. Select a port (WAN, LAN, or DMZ). If the WAN port is selected, specify the WAN link number index. Details of ICMP error messages and ping are outside the scope of this manual; please refer to other documents for more information.

Note: If you ping a domain name, ensure that a DNS server has been specified in [System]->[Network Settings]->[DNS Server] (see “Set DNS server for FortiWAN”).

Trace

[Trace] is used to trace the route a packet takes from a specific port to the destination host. Enter the IP address or host name of the target device in [Target]. Select a link port (WAN, LAN, or DMZ). If the WAN port is selected, specify the WAN link number index. [Host] can be an IP address or domain name of the target device.

Note: If you trace a route with a domain name, ensure that a DNS server has been specified in [System]->[Network Settings]->[DNS Server] (see “Set DNS server for FortiWAN”).

Arping

[Arping] is used to detect the MAC address of a PC. Enter the IP address or host name of the target device. Select a port (WAN, LAN, or DMZ). If the WAN port has been selected, specify the WAN link number index. Details of ARP and its error messages are outside the scope of this manual; please refer to other documents for more information.

Note: If you arping with a domain name, ensure that a DNS server has been specified in [System]->[Network Settings]->[DNS Server] (see “Set DNS server for FortiWAN”).

IPv4 ARP Table Show & Clear

[IPv4 ARP Table Show & Clear] is used to display or clear the ARP information of a certain port. Select a [port] and click [Show] to display the ARP information for that port. Or select a [port], click [Clear] to clean up the ARP information for that port, and confirm the prompt. After this, a message shows that the ARP table has been cleared successfully.

Nslookup Tool

[Nslookup Tool] is used to query the DNS records of a host. Enter a host in Target Domain. Select a record type from the [Type] option list: Any, A, AAAA, CNAME, DNAME, HINFO, MX, NS, PTR, SOA, SRV, TXT; and select a server from the [Server] option list: Internal DNS, Multihoming, etc. Click [Nslookup] to start the query, and the result for the target host is shown in the field. Click [Stop] to halt the session.

IPv6

IPv6 Neighbor Discovery Enforcement

When IPv6 Neighbor Discovery is enforced, FortiWAN sends a “neighbor discovery” packet to the neighboring servers and network devices in the same network, requesting a reply with the IPv6 and MAC addresses of the devices found.

Clean IPv6 Session Table (Only Non-TCP Sessions)

The function is used to clean up the non-TCP session tables in FortiWAN. In FortiWAN, protocols are managed with a session timer. Old sessions may be retried continuously by users, so they never expire; these old sessions stay valid and active in place of new ones. New sessions are therefore not used until the session tables are cleaned up.

IPv6 Ping & Trace Route

Ping

[Ping] is used to detect network status. Enter the IP address or host name of the target device. Select a port (WAN, LAN, or DMZ). If the WAN port is selected, specify the WAN link number index. Details of ICMPv6 error messages and ping are outside the scope of this manual; please refer to other documents for more information.

Note: If you ping a domain name, ensure that a DNS server has been specified in [System]->[Network Settings]->[DNS Server] (see “Set DNS server for FortiWAN”).

Trace

[Trace] is used to trace the route a packet takes from a specific port to the destination host. Enter the IP address or host name of the target device in [Target]. Select a link port (WAN, LAN, or DMZ). If the WAN port is selected, specify the WAN link number index. [Host] can be an IP address or domain name of the target device.

Note: If you trace a route with a domain name, ensure that a DNS server has been specified in [System]->[Network Settings]->[DNS Server] (see “Set DNS server for FortiWAN”).

Arping

[Arping] is used to detect the MAC address of a PC. Enter the IP address or host name of the target device. Select a port (WAN, LAN, or DMZ). If the WAN port has been selected, specify the WAN link number index. Details of ARP and its error messages are outside the scope of this manual; please refer to other documents for more information.

Note: If you arping with a domain name, ensure that a DNS server has been specified in [System]->[Network Settings]->[DNS Server] (see “Set DNS server for FortiWAN”).

IPv6 Neighbor Table Show & Clear

[IPv6 Neighbor Table Show & Clear] is used to display or clear the IPv6 and MAC addresses of neighboring servers and devices. Select a [port] and click [Show] to display the neighbor information for that port. Or select a [port], click [Clear] to clean up the neighbor information for that port, and confirm the prompt. After this, a message shows that the neighbor table has been cleared successfully.

Nslookup Tool

[Nslookup Tool] is used to query the DNS records of a host. Enter a host in Target Domain. Select a record type from the [Type] option list: Any, A, AAAA, CNAME, DNAME, HINFO, MX, NS, PTR, SOA, SRV, TXT; and select a server from the [Server] option list: Internal DNS, Multihoming, etc. Click [Nslookup] to start the query, and the result for the target host is shown in the field. Click [Stop] to halt the session.

Tcpdump

Tcpdump can capture FortiWAN data packets and download the captured packets to the local host for analysis and debugging. Note that FortiWAN does not store the Tcpdump packets itself.

Interface : Select the interface from [Interface] on which to capture packets. If Tunnel Routing has been configured, tunnels are also listed in the drop-down list. Option [Any] captures packets on all interfaces.
Timeout : Set the [Timeout] value. Once the time is up, the capture stops. Click [Start] to start capturing and download the intercepted packets to the local host; click [Stop] to stop capturing.

FortiWAN – Busyhour Settings

Busyhour Settings

[Busyhour Settings] plays a crucial role in managing bandwidth. Generally the opening hours Mon-Fri 09:00 to 18:00 are configured as busy hours, because this is the period in which bandwidth-intensive applications appear on both intranet and extranet.

Default Type : Time segments not specified in [Rules] below fall into this default type, either idle or busy hours.
Rules : Defines time segments. The time segments are matched in sequence on a first-match basis. If none of the rules match, the default type is used. If [Default Type] is defined as idle hours, then any time segment not specified in [Rules] is taken as idle hours as well.
E : Check the box to add this time segment to [Rules].
Day of Week : Select a day of the week.
From : Start time.
To : End time.
Type : Defines the time segment as either busy or idle hours.

For the case where the period 09:00-18:00 from Monday to Saturday belongs to busy hours and the whole of Sunday belongs to idle hours, set an idle rule for 00:00-00:00 on Sunday above a busy rule for Any day 09:00-18:00. Rules are matched from the top down, so the Sunday rule takes precedence.

As shown in the figure, Sunday and the hours outside Mon-Sat 09:00-18:00 are set as idle hours. The remaining hours of the week belong to busy hours.
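The following is an added example, not FortiWAN code: it reproduces the first-match lookup described above for the Sunday/Any-day configuration, so that the effect of rule order and of the Default Type can be checked for any weekday and time. The rule representation, and the treatment of a 00:00-00:00 window as the whole day, are this example's assumptions.

```python
"""Added example (not FortiWAN code): first-match busy-hour rule evaluation.
Rules are tried top down; the first rule whose day and time window contain the
instant wins, and Default Type applies when nothing matches."""
from datetime import datetime

DAYS = ["Mon", "Tue", "Wed", "Thu", "Fri", "Sat", "Sun"]

def _minutes(hhmm):
    h, m = hhmm.split(":")
    return int(h) * 60 + int(m)

def rule_matches(rule, day, hhmm):
    """rule = (day_of_week, from, to, type); day_of_week may be 'Any'."""
    r_day, r_from, r_to, _ = rule
    if r_day != "Any" and r_day != day:
        return False
    start, end, now = _minutes(r_from), _minutes(r_to), _minutes(hhmm)
    if start == end:                      # assumed: 00:00-00:00 means the whole day
        return True
    if start < end:                       # window inside one day, end exclusive
        return start <= now < end
    return now >= start or now < end      # window wrapping past midnight, e.g. 22:00-06:00

def classify(rules, default_type, day, hhmm):
    """Return 'busy' or 'idle' for a weekday name and an HH:MM time."""
    for rule in rules:
        if rule_matches(rule, day, hhmm):
            return rule[3]
    return default_type

def classify_dt(rules, default_type, dt):
    """Same lookup for a datetime object."""
    return classify(rules, default_type, DAYS[dt.weekday()], dt.strftime("%H:%M"))

# The configuration from the text: all of Sunday idle, Mon-Sat 09:00-18:00 busy,
# everything else idle via Default Type. The Sunday rule sits above the Any-day
# rule so that it is matched first.
EXAMPLE_RULES = [
    ("Sun", "00:00", "00:00", "idle"),
    ("Any", "09:00", "18:00", "busy"),
]
EXAMPLE_DEFAULT = "idle"

if __name__ == "__main__":
    for day, t in [("Mon", "10:00"), ("Sun", "10:00"), ("Sat", "20:00")]:
        print(day, t, classify(EXAMPLE_RULES, EXAMPLE_DEFAULT, day, t))
```

Reversing the two rules makes Sunday daytime busy, which is the mistake the ordering advice above guards against.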

FortiWAN – Service Grouping

Service Grouping

[Service Grouping] lets you create and manage service groups exclusively and efficiently. You can group ICMP, a single TCP/UDP port, a range of TCP/UDP ports, particular applications and server ports. These predefined service groups are available in the drop-down lists of the [Source] and [Destination] fields on [Service] submenus such as [Firewall], [NAT], [Virtual Server], [Auto Routing], [Inbound BM] and [Outbound BM].

Group Name : Assign a name to a service group e.g. MSN File Transfer. The name will appear in the drop-down list of [Source] and [Destination] in [Service] submenus mentioned previously.
Enable : Check the field to enable a service group. Once the service group has been enabled, it will show in the drop-down list of [Source] and [Destination] in [Service] submenus mentioned previously.
Show/Hide IPv4/IPv6 Detail : Click the button to show or hide the table details. After Hide Detail has been clicked, the table only shows the name of the service group and whether it has been enabled.

IPv4/IPv6 Rule Settings Table:

E : Check the field to add this service entry to the current service group.
Service : Enter a single ICMP / ICMPv6 or TCP / UDP port, or a set of ports. A single port follows the format xxx; a set of ports follows the format xxx-yyy, e.g. 6891-6900.
Action : Two options, to belong and not to belong, determine whether the service port defined in [Service] belongs to the service group. For exceptions within a set of service ports that belongs to the group, the not to belong action makes the configuration easier than splitting the set into several groups.

Here is an example of how to configure [Service Grouping]. Create a service group “MSN File Transfer”, which uses TCP ports 6891-6900, and enter TCP@6891-6900 in the [Service] field.

FortiWAN – IP Grouping

IP Grouping

[IP Grouping] lets you create and manage IP groups exclusively and efficiently. These predefined IP groups are available and easy to use in the drop-down list of the fields of [Source] and [Destination] on such [Service] submenus as [Firewall], [NAT], [Persistent Routing], [Auto Routing], [Inbound BM], [Outbound BM], [Connection Limit], and [Cache Redirect]. This section walks you through the steps to create an IP group.

IP Grouping Table:

Group Name : Assign a name to an IP group. The name will show in the drop-down list of [Source] and [Destination] in [Service] submenus mentioned previously.
Enable : Check the field to enable an IP group. Once the IP group has been enabled, it will show in the drop-down list of [Source] and [Destination] in [Service] submenus mentioned previously.
Show/Hide IPv4/IPv6 Detail : Click the button to show or hide the IPv4/IPv6 table details. After Hide Detail has been clicked, the table only shows the name of the IP group and whether it has been enabled.

After you have clicked [Show IPv4/IPv6 Detail], [IPv4/IPv6 Rules Settings] table displays. You can click [Hide IPv4/IPv6 Details] to close the table.

IPv4/IPv6 Rule Settings Table:

E : Check the field to add this IP address entry to the current IP group.
IP Address : Enter a single IPv4/IPv6 address, an IPv4/IPv6 range, an IPv4/IPv6 subnet or an FQDN.
Action : Two options, to belong and not to belong, determine whether the IP address defined in [IP Address] belongs to the IP group. For exceptions within an IP range or subnet that belongs to the group, the not to belong action makes the configuration easier than splitting the range or subnet into several groups.
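The following is an added example, not FortiWAN code, covering the belong / not to belong evaluation for both Service Grouping and IP Grouping above: it shows how a single "not to belong" entry carves an exception out of a port set or an IP range. The precedence rule (a member must match some "belong" entry and no "not to belong" entry), the TCP@xxx-yyy and range/CIDR entry formats, the hypothetical group contents and the handling of FQDN entries are this example's assumptions.

```python
"""Added example (not FortiWAN code): group membership with 'belong' /
'not belong' entries, for both Service Grouping and IP Grouping above.
Assumed precedence: a subject is a member if it matches at least one
'belong' entry and no 'not belong' entry."""
import ipaddress

def parse_service(spec):
    """'TCP@6891-6900' or 'UDP@53' -> (proto, low, high)."""
    proto, _, ports = spec.partition("@")
    low, _, high = ports.partition("-")
    return proto.upper(), int(low), int(high or low)

def service_matches(spec, proto, port):
    p, low, high = parse_service(spec)
    return p == proto.upper() and low <= port <= high

def ip_matches(spec, addr):
    """spec: a single address, an 'a-b' range or a CIDR subnet. An FQDN entry is
    treated as non-matching here because evaluating it would need a DNS lookup."""
    ip = ipaddress.ip_address(addr)
    if "-" in spec:
        lo, hi = (ipaddress.ip_address(s.strip()) for s in spec.split("-", 1))
        return lo.version == ip.version and lo <= ip <= hi
    if "/" in spec:
        return ip in ipaddress.ip_network(spec, strict=False)
    try:
        return ip == ipaddress.ip_address(spec)
    except ValueError:
        return False

def is_member(entries, matcher, *subject):
    """entries: (spec, action) pairs with action 'belong' or 'not belong';
    pass only the entries whose E box is checked."""
    included = excluded = False
    for spec, action in entries:
        if matcher(spec, *subject):
            if action == "belong":
                included = True
            else:
                excluded = True
    return included and not excluded

# Constructed groups: the MSN File Transfer service group from the text, and a
# hypothetical IP group covering a /24 with the gateway and a server range
# carved out by 'not belong' entries.
MSN_FILE_TRANSFER = [("TCP@6891-6900", "belong")]
LAN_USERS = [
    ("192.0.2.0/24", "belong"),
    ("192.0.2.1", "not belong"),
    ("192.0.2.50-192.0.2.60", "not belong"),
]
```

With these groups, TCP port 6895 is in MSN File Transfer while UDP 6895 and TCP 6901 are not, and 192.0.2.7 is in LAN_USERS while 192.0.2.1 and 192.0.2.55 are excluded.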

FortiWAN – Backup Line Settings

Backup Line Settings

In a deployment with multiple links, a link might serve as a backup line that stays inactive unless the enabling criteria are met. The choice of backup lines mostly depends on cost, especially in areas where charges are based on data traffic: backup lines in standby carry no traffic, so only the basic fees are charged. In contrast to backup lines, main lines are the lines in common use. These terms are used below.

FortiWAN provides a log mechanism for the Backup Line service; see “Log”.

Threshold Parameters

Backup Line Enable Time : The interval after which backup lines are enabled once the main lines have gone down.
Backup Line Disable Time : The interval after which backup lines are disabled once the main lines have returned to normal.

Backup Line Rules table

Main Line : Select the main lines; multiple links can be selected.
Backup Line : Select the backup lines.
Algorithm : 5 options to activate backup lines:

  • All fail: when all lines defined in [Main Line] are down
  • One fails: when one of the lines defined in [Main Line] is down
  • Inbound bandwidth usage reached: when the inbound bandwidth consumption of all lines defined in [Main Line] reaches the defined level
  • Outbound bandwidth usage reached: when the outbound bandwidth consumption of all lines defined in [Main Line] reaches the defined level
  • Total traffic reached: when the total bandwidth consumption of all lines defined in [Main Line] reaches the defined level

Parameter : When one of the latter three options is chosen in [Algorithm], define here the bandwidth usage of the main lines above which the backup lines are enabled.
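The following is an added example, not FortiWAN code: it simulates the All fail and One fails algorithms together with the Backup Line Enable Time and Backup Line Disable Time thresholds over a series of main-line health samples, showing that a brief outage shorter than the enable time never activates the backup line. Sampling once per second, a timer that resets whenever the condition clears, and the sample data are this example's assumptions.

```python
"""Added example (not FortiWAN code): backup-line activation with the
enable/disable timers described above. The backup line is enabled only after
the trigger condition has held for Backup Line Enable Time, and disabled only
after the main lines have been healthy again for Backup Line Disable Time."""

def triggered(algorithm, main_up):
    """main_up: list of booleans, one per main line (True = link is up)."""
    if algorithm == "All fail":
        return not any(main_up)
    if algorithm == "One fails":
        return not all(main_up)
    raise ValueError("bandwidth-based algorithms need usage figures, not up/down state")

class BackupLine:
    def __init__(self, algorithm, enable_time, disable_time):
        self.algorithm = algorithm
        self.enable_time = enable_time      # seconds the trigger must persist
        self.disable_time = disable_time    # seconds the recovery must persist
        self.active = False
        self.counter = 0                    # seconds the opposite condition has held

    def step(self, main_up):
        """Feed one per-second sample; return whether the backup line is active afterwards."""
        cond = triggered(self.algorithm, main_up)
        if cond != self.active:             # condition disagrees with the current state
            self.counter += 1
            needed = self.disable_time if self.active else self.enable_time
            if self.counter >= needed:
                self.active = cond
                self.counter = 0
        else:
            self.counter = 0                # condition agrees: a pending switch is cancelled
        return self.active

def simulate(algorithm, enable_time, disable_time, samples):
    """Return the backup-line state after each sample."""
    bl = BackupLine(algorithm, enable_time, disable_time)
    return [bl.step(s) for s in samples]

# Constructed samples for two main lines: the second line fails at t=2, both are
# down from t=4 to t=8, and both are back up from t=9 onwards.
SAMPLES = ([[True, True]] * 2 + [[True, False]] * 2 + [[False, False]] * 5
           + [[True, True]] * 5)

if __name__ == "__main__":
    for algo in ("All fail", "One fails"):
        print(algo, simulate(algo, 3, 2, SAMPLES))
```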