How to set up your FortiWAN

These topics describe the tasks you perform to initially introduce a FortiWAN appliance into your network. They contain the information and instructions needed to plan the network topology, use the Web UI and configure network interfaces on FortiWAN. They introduce some key concepts for deploying FortiWAN, but you are assumed to be familiar with fundamental networking concepts.

Registering your FortiWAN

Before you begin, take a moment to register your Fortinet product at the Fortinet Technical Support web site: https://support.fortinet.com

Many Fortinet customer services such as firmware updates, technical support, and FortiGuard services require product registration.

For more information, see the Fortinet Knowledge Base article Registration Frequently Asked Questions.

Planning the network topology

FortiWAN is an appliance designed to perform load balancing and fault tolerance between different networks. The network environment a FortiWAN is introduced into can vary widely, especially when multiple WAN links and various WAN types are involved. Plan the network topology before adding FortiWAN to the current network; adding it without a plan can disrupt the existing network.

Glossary for FortiWAN network setting

This glossary gives definitions of the key terms and concepts that are used frequently in the following chapters. A clear understanding of these terms and concepts is a great help in making a deployment plan and in configuring and using FortiWAN.

The glossary contains the following terms and concepts:

  • WAN, LAN and DMZ
  • Network interfaces and port mapping
  • WAN link and WAN port
  • WAN types: Routing mode and Bridge mode
  • Near WAN
  • Public IP pass through (DMZ transparent mode)
  • VLAN and port mapping
  • IPv6/IPv4 dual stack
  • FortiWAN in HA (High Availability) mode
  • Scenarios to deploy subnets

WAN, LAN and DMZ

According to its scale and purpose, a network can be classified as a Wide Area Network (WAN), a Local Area Network (LAN) or a Demilitarized Zone (DMZ).

  • Wide Area Network: A WAN is a network that geographically covers a large area and consists of telecommunications networks; in practice it can simply be considered the Internet. An internal user communicates with the Internet via a telecommunications network (an Internet Service Provider, ISP) connected to FortiWAN’s WAN ports. The transmission lines can be xDSL, leased line (T1, E1, etc.), ISDN, frame relay, cable modem, FTTB, FTTH and so on.
  • Local Area Network: A LAN is a computer network within a small geographical area with no leased telecommunication lines involved. In this document, a LAN is considered an internal private network that is closed to the WAN.
  • Demilitarized Zone: A DMZ is a local subnetwork that is separated from the LAN for security reasons. A DMZ is used to host an external-facing server farm that is accessible from an untrusted network (usually the Internet) but inaccessible to the LAN. FortiWAN provides physical ports for the DMZ purpose.

A network site generally consists of the three basic components, WAN, LAN and DMZ. As an edge device of a network site, FortiWAN routes packets and provides services for communication among LAN, WAN and DMZ. FortiWAN connects those networks (WAN, LAN and DMZ) to its network interfaces (also called network ports) so that the networks can communicate with each other appropriately. This involves two configurations: defining the purpose of a network port (see Network interfaces and port mapping) and applying the correct network settings on the network port for the connected network (see Configuring Network Interface).


Network interfaces and port mapping

Physical network interfaces and the port mapping

The physical network ports (network interfaces) on the panel of a FortiWAN appliance are used to connect the FortiWAN with WAN, LAN and DMZ networks, so that the networks can communicate with each other. Each of the network ports can be mapped to one of the following types, which differ in function:

  • WAN port: is used to connect FortiWAN with a WAN network.
  • LAN port: is used to connect FortiWAN with a LAN network.
  • DMZ port: is used to connect FortiWAN with a DMZ network.
  • HA port: is used to connect two FortiWAN units for HA deployment (see FortiWAN in HA (High Availability) Mode).

The network port type indicates the network type (WAN, LAN or DMZ) that a network port is supposed to connect to. Most of FortiWAN’s functions, such as NAT, auto routing, firewall, bandwidth management, traffic statistics, public IP pass-through and so on, depend on the direction of traffic flow passing through FortiWAN. The type of a network port must therefore correspond to the network connected to it. FortiWAN might function incorrectly if a network is connected to a port of the wrong type, for example when a WAN network (WAN link) is connected to a LAN port. For the details of physical network interfaces, see the FortiWAN Quick Start Guide.

The diagram above shows the port mapping of a FortiWAN in which ports 1~3 are WAN ports, and port 4 and port 5 are a LAN port and a DMZ port respectively. Port mapping can be programmed from FortiWAN’s Web UI, see Configurations for VLAN and Port Mapping.

Note: To make a FortiWAN operate correctly with the connected networks, it requires not only the correspondence between types of network ports and the connected networks, but also corresponding configurations to the network port (see Configuring Network Interface).

Default port mappings

Except for the HA port, each of the physical network ports can be programmed as WAN, LAN or DMZ via the Web UI. However, the first time you access the Web UI (see Connecting to the web UI and the CLI), you need to know the default port mapping so that you connect to the correct network port for the Web UI. All the network ports on the panel of a FortiWAN appliance are numbered, and the default mappings are as follows:

Model       Ports Supported                                          WAN Ports          LAN Port   DMZ Port
FWN 200B    5 GE RJ45 ports                                          Port 1 ~ Port 3    Port 4     Port 5
FWN 1000B   3 GE RJ45 ports and 4 GE SFP ports                       Port 1 ~ Port 5    Port 6     Port 7
FWN 3000B   8 GE RJ45 ports, 8 GE SFP ports and 8 10GE SFP+ ports    Port 1 ~ Port 10   Port 11    Port 12
FWN VM      10 vNICs                                                 vNIC 2             vNIC 3     vNIC 4

FortiWAN 3000B’s Port 13 ~ Port 24 and FortiWAN VM’s vNIC 5 ~ vNIC 10 are undefined by default; they can be defined via the Web UI (see VLAN and Port Mapping). After logging on to the Web UI, you can also check and program the network port mapping at System > Network Setting > VLAN and Port Mapping.

Logical network interfaces

For extension, aggregation and redundancy, you can create multiple VLAN ports on a physical network interface, and an aggregated or a redundant port on any pair of the physical network interfaces. Each of the created logical network interfaces can be programmed as WAN, LAN or DMZ port (whether a physical or a logical port, the port type must be defined to connect the network port with a network). FortiWAN supports the IEEE 802.1Q for VLAN tagging and the IEEE 802.3ad for port aggregation (see Configurations for VLAN and Port Mapping).

WAN link and WAN port

A FortiWAN appliance has a limited number of physical network interfaces (ports), depending on the model, but an unlimited number of logical network interfaces (ports) can be created on the physical ports. With correct port mappings, FortiWAN can connect to more networks than the number of physical ports it supports.

As described above, whether a network interface is physical or logical, it must be mapped to a port type (WAN, DMZ or LAN) before it can connect to the corresponding network type. A WAN port is a physical or logical network port that is port mapped to the WAN type. A WAN link is the connectivity between a FortiWAN and an ISP network. In practice, a WAN link connects a WAN port of FortiWAN with the remote device (modem or ATU-R) of an ISP, so that the internal networks and the Internet can communicate with each other through the WAN link. A WAN link requires corresponding settings on the WAN port. The configuration of a WAN port contains the information provided by the ISP, such as IP addresses, default gateway, network mask or username/password, depending on the WAN link type you subscribe to from the ISP (see “WAN types: Routing mode and Bridge mode”). You will see the two terms, WAN link and WAN port, frequently in this document.

For the purposes of traffic load balancing and fault tolerance, you need multiple WAN links to connect to the Internet. When more WAN links are required than a FortiWAN appliance has physical network ports, you can obtain enough WAN ports for the WAN links by creating multiple logical network ports (VLAN ports) on a physical port (see “Configurations for VLAN and Port Mapping”). Although there is no limit on the number of VLAN ports you can create on a physical port, the number of WAN links FortiWAN supports is limited per model: FortiWAN 200B supports up to 25 WAN links, and FortiWAN 1000B and 3000B support up to 50 WAN links, even if you create more than 50 VLAN ports. These WAN links are named with numbers, such as WAN 1, WAN 2 and WAN 3. You will see this when you configure the settings of a WAN port (see “Configuring your WAN”).

[Figure: N WAN ports (WAN 1 ~ WAN N) created over three physical network ports of a FortiWAN]

The diagram above shows how to create N WAN ports (WAN 1 ~ WAN N) through the three physical network ports of a FortiWAN. Two of the WAN ports use two of the physical network ports, and the rest of the WAN ports use VLAN ports. The N WAN links connect the N WAN ports with N ISP networks. Traffic of WAN links 1 and 2 is transferred through physical port 2 and port 3 respectively, and traffic of the remaining WAN links (WAN link 3 ~ WAN link N) is transferred through physical port 1.
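As an added planning check (not Fortinet's code) that encodes the constraints stated in the two sections above: the constructed sample plan reproduces the diagram's layout (WAN 1 and WAN 2 on physical ports 2 and 3, WAN 3 ~ WAN N as 802.1Q VLAN ports on port 1), and the validator flags a WAN link bound to a non-WAN port, a duplicate VLAN ID on one physical port, reuse of the HA port, and a WAN link count above the model's limit. The port names, VLAN IDs and the DMZ on port 5 are assumptions.

```python
"""Consistency check for a FortiWAN port-mapping plan.

Added example; not Fortinet code. It encodes the constraints the text states:
every port (physical or 802.1Q VLAN sub-port) carries one type (WAN, LAN, DMZ
or HA), a WAN link can only be bound to a port mapped as WAN, the HA port is
reserved, and the number of WAN links is capped per model (200B: 25,
1000B/3000B: 50) however many VLAN ports exist.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

MAX_WAN_LINKS = {"FWN-200B": 25, "FWN-1000B": 50, "FWN-3000B": 50}  # from the text
PORT_TYPES = {"WAN", "LAN", "DMZ", "HA"}


@dataclass
class Port:
    name: str                   # "port1" (physical) or "port1.101" (VLAN sub-port)
    ptype: str                  # WAN, LAN, DMZ or HA
    physical: str               # parent physical port
    vlan: Optional[int] = None  # 802.1Q VLAN id for a logical sub-port


@dataclass
class Plan:
    model: str
    ha_port: Optional[str] = None
    ports: List[Port] = field(default_factory=list)
    wan_links: Dict[int, str] = field(default_factory=dict)  # WAN n -> port name

    def add_vlan_ports(self, physical: str, vlan_ids, ptype: str) -> None:
        for vid in vlan_ids:
            self.ports.append(Port(f"{physical}.{vid}", ptype, physical, vid))

    def validate(self) -> List[str]:
        """Return the problems found; an empty list means the plan is consistent."""
        problems: List[str] = []
        by_name = {p.name: p for p in self.ports}
        seen_vlans = set()
        for p in self.ports:
            # Every port needs a known type, and the HA port serves HA only.
            if p.ptype not in PORT_TYPES:
                problems.append(f"{p.name}: unknown port type {p.ptype!r}")
            if self.ha_port and p.physical == self.ha_port and p.ptype != "HA":
                problems.append(f"{p.name}: HA port {self.ha_port} mapped as {p.ptype}")
            # VLAN ids must be unique per physical port (802.1Q tag collision).
            if p.vlan is not None:
                if (p.physical, p.vlan) in seen_vlans:
                    problems.append(f"{p.name}: duplicate VLAN {p.vlan} on {p.physical}")
                seen_vlans.add((p.physical, p.vlan))
        # A WAN link must be bound to an existing port that is mapped as WAN;
        # binding it to a LAN port is the misconfiguration the text warns about.
        for n, name in sorted(self.wan_links.items()):
            port = by_name.get(name)
            if port is None:
                problems.append(f"WAN {n}: port {name} does not exist")
            elif port.ptype != "WAN":
                problems.append(f"WAN {n}: port {name} is mapped as {port.ptype}, not WAN")
        # The per-model WAN-link cap applies no matter how many WAN ports exist.
        cap = MAX_WAN_LINKS.get(self.model)
        if cap is None:
            problems.append(f"unknown model {self.model!r}")
        elif len(self.wan_links) > cap:
            problems.append(f"{len(self.wan_links)} WAN links exceed the {self.model} limit of {cap}")
        return problems


def diagram_plan(n_links: int, model: str = "FWN-200B") -> Plan:
    """The N-WAN-link layout of the diagram: WAN 1 on port 2, WAN 2 on port 3,
    WAN 3..N as VLAN sub-ports of port 1. VLAN ids 101.. are constructed here."""
    plan = Plan(model=model)
    plan.ports += [Port("port2", "WAN", "port2"), Port("port3", "WAN", "port3"),
                   Port("port4", "LAN", "port4"), Port("port5", "DMZ", "port5")]
    plan.add_vlan_ports("port1", range(101, 101 + max(0, n_links - 2)), "WAN")
    plan.wan_links = {1: "port2", 2: "port3"}
    for n in range(3, n_links + 1):
        plan.wan_links[n] = f"port1.{101 + n - 3}"
    return plan


if __name__ == "__main__":
    print(diagram_plan(10).validate())   # [] : ten links fit a 200B
    print(diagram_plan(30).validate())   # one problem: 30 links exceed the 200B cap of 25
```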

See also

Configurations for VLAN and Port Mapping

Document enhancements

The following document content is enhanced or changed since FortiWAN 4.0.1:

FortiWAN 4.3.1

  • Parameter generic-receive-offload of command sysctl was removed from Console Mode Commands. Related descriptions about disabling GRO were removed as well from How the Tunnel Routing Works and How to set up routing rules for Tunnel Routing.
  • An appendix was added for suggested maximum configuration values, see Appendix B: Suggested Maximum Configuration Values.
  • A topic about a possible query loop was added in DNS Proxy.
  • A description was added for suggested IPSec encryption algorithms, see IPSec VPN in the Web UI.

FortiWAN 4.3.0

  • Content of Tunnel Routing was updated for large-scale TR network support and the updated benchmark. See Tunnel Routing Scale, Tunnel Routing – Setting, How to set up routing rules for Tunnel Routing and Tunnel Routing – Benchmark.
  • Content of IPSec was updated for IKEv2 support. See Specifications of FortiWAN’s IPsec VPN and IKE Phase 1 Web UI fields.
  • Content of automatic IP addressing was updated for dual DHCP server support in a DHCP relay. See DHCP Relay.
  • Content of Report Email and Reports Settings was updated, and a new page Scheduled Emails was added for the new Reports feature – scheduled report email.
  • Content of Reports Settings and Reports Database Tool was updated, and a new page Database Data Utility was added for the new Reports feature – Web-based Reports database management tool.
  • Content of CLI commands was updated for the new parameter PORT of resetconfig and the change to init_reports_db. See CLI Command – resetconfig.
  • Content of DNS Proxy was updated for the changes to the Source configuration. See DNS Proxy Setting Fields.
  • Content of WAN link health detection was updated for the new condition “Number of successful detection” used to declare a WAN link available. See WAN Link Health Detection.
  • Content of Administrator was updated for the changes to the Monitor account. See Administrator and Monitor Password.
  • Content of Multihoming was updated for the new configurations that support SOA and NS records for the reverse lookup zones. See Global Settings: IPv4/IPv6 PTR Record.
  • Diagrams related to the Web UI were updated for the new look and feel.
  • A glossary for FortiWAN network setting was added. See Glossary for FortiWAN network setting.
  • Content about network deployment was enhanced: Configuring networks to FortiWAN, Configuring Network Interface (Network Setting), Configuring your WAN and DMZ, Network interfaces and port mapping, WAN, LAN and DMZ, WAN link and WAN port, WAN types: Routing mode and Bridge mode, Public IP Pass-through (DMZ Transparent Mode), Aggregated, Redundant, VLAN Ports and Port Mapping, Bridge-mode (one static IP) WAN link, Routing-mode WAN link and Bridge-mode (multiple static IP) WAN link.
  • A description of the default rule was added to the Firewall section. See Firewall.
  • A note about accessing the Web UI through WAN ports was added, see Connecting to the Web UI and the CLI.

FortiWAN 4.2.7

  • None

FortiWAN 4.2.6

  • None

FortiWAN 4.2.5

  • Content of section Performance in How the Tunnel Routing Works was enhanced by adding two subsections, Throughput of bidirectional TR transmission and Persistent Route in Tunnel Routing. A description about configuring for better bidirectional TR transmission was added in Tunnel Routing Setting.

FortiWAN 4.2.4

  • None

FortiWAN 4.2.3

  • Content about how to enhance Tunnel Routing performance was added to section Performance in How the Tunnel Routing Works and section Tunnel Group in Tunnel Routing – Setting.
  • Content about a new system parameter generic-receive-offload-<port> of CLI command sysctl was added in Console Mode Commands, and the other content of command sysctl was enhanced.
  • Content about DHCP options 43 (Vendor Specific Information) and 66 (TFTP Server Name) was added to section DHCP in Automatic addressing within a basic subnet.
  • Content about the new filter item Input Port was added to section Inbound & Outbound IPv4/IPv6 Filter in Bandwidth Management.
  • Content about aggregated ports in Configurations for VLAN and Port Mapping was updated, and the other content was enhanced as well.
  • Content about supporting wildcards for A/AAAA records and dot characters for other resource records was added in Inbound Load Balancing and Failover (Multihoming), and the other content was enhanced as well.
  • Content of Parameter in section Configurations of Outbound Load Balancing and Failover (Auto Routing) was updated.
  • Content about a new measure, Round Trip Time (RTT), was added to section Tunnel Health Status in Tunnel Status.
  • Content of Load Balancing Algorithms was enhanced.
  • Content of Optimum Route Detection was enhanced.

FortiWAN 4.2.2

  • None

FortiWAN 4.2.1

  • A garbage character R at the leftmost position of the topic line “Define routing policies for an IPSec VPN” on page 198 was removed.

FortiWAN 4.2.0

  • New page “Automatic addressing within a basic subnet” was added for the new features DHCP Relay and static addressing by client identifier. Related pages “LAN Private Subnet”, “Configurations for a WAN link in Routing Mode” and “Configurations for a WAN link in Bridge Mode: Multiple Static IP” were enhanced.
  • New topic “IPSec” and new page “Statistics > IPSec” were added for the new feature IPSec. Related pages “Log > View”, “Log > Log Control”, “How the Tunnel Routing Works” and “Tunnel Routing – Setting” were enhanced.
  • Content of “Bandwidth Management” was updated for a behavior change – visibility into Tunnel Routing traffic. A new page “Traffic Statistics for Tunnel Routing and IPSec” was added for this.
  • Content of “Administration” was updated in sections “Administrator and Monitor Password” and “Configuration File” for updated features – allowing Monitor accounts to change their own password, and performing synchronization to the slave unit after configurations are restored on the master unit.
  • The description of the account “maintainer” in “Connecting to the Web UI and the CLI” was removed.
  • Content of “Optimum Route Detection”, “DNS Proxy”, “Configurations for VLAN and Port Mapping”, “Internal DNS”, “Set DNS server for FortiWAN”, “FortiWAN in HA (High Availability) Mode” and “Inbound Load Balancing and Failover (Multihoming)” was enhanced.

FortiWAN 4.1.3

  • A section describing the log format was added in “Log > View”.

FortiWAN 4.1.2

  • Content of “Global Settings: IPv4 / IPv6 PTR Record” in “Inbound Load Balancing and Failover (Multihoming)” was changed.

FortiWAN 4.1.1

  • Content was added to “Console Mode Commands” for the new CLI command shutdown.
  • The requirement of a License Key was removed from section Firmware Upgrade in “FortiWAN in HA (High Availability) Mode” and “Administration”.
  • Two deployment scenarios were added to “Tunnel Routing > Scenarios”.
  • Corresponding MIB fields and OIDs were added to “FortiWAN in HA (High Availability) Mode”, “Summary”, “Administration” and “Network Setting > MIB fields for WAN links and VLANs”.
  • Content of “SNMP” and “Notification” was enhanced.
  • Content of “Statistics > WAN Link Health Detection” was enhanced.

FortiWAN 4.1.0

  • Content was added to “Scope”, “Default Port Mapping”, “FortiWAN in HA (High Availability) Mode”, “Connecting to the Web UI and the CLI”, “Configurations for VLAN and Port Mapping” and “Summary” for the new model FortiWAN-VM.
  • Content of “Administration > License Control” was updated for the new bandwidth capabilities that FortiWAN supports.
  • Content was added to “Notification” for the support to notify via secure SMTP.
  • Content was added to “Statistics > Connection Limit” for the Abort function.
  • Content was added to “Multihoming” for the support to evaluate an A record query by its IPv6 source and an AAAA record query by its IPv4 source.
  • Content of “Configurations for a WAN link in Bridge Mode: One Static IP” and “Configurations for a WAN link in Bridge Mode: Multiple Static IP” was updated for supporting the IPv6 default NAT rule.
  • Content of “Administration > Firmware Update” and “FortiWAN in HA (High Availability) Mode” was updated for the new firmware update mechanism under HA deployment.
  • For the new features that Reports supports, new topics “Dashboard”, “Reports Settings”, “Reports Settings > Reports”, “Reports Settings > IP Annotation”, “Reports Settings > Dashboard Page Refresh Time”, “Reports Settings > Email Server” and “Reports Settings > Disk Space Control” were added, and content of “Reports” and “Create a Report” was updated.
  • Content was added to “Using the Web UI” for the support to evaluate traffic by its Input Port.
  • For the new CLI command arp and the enhanced command resetconfig, corresponding content was added and updated in “Console Mode Commands”.
  • Content of “Connecting to the Web UI and the CLI”, “Administration > Administrator and Monitor Password” and “Appendix A: Default Values” was updated for the updated local authentication mechanism.
  • Content was added to “Using the Web UI” for supporting concurrent multiple logins.
  • The parameters of CLI command sysctl were fixed from “sip_helper” and “h323_helper” to “siphelper” and “h323-helper” (See “Console Mode Commands”).

FortiWAN 4.0.6

  • None

FortiWAN 4.0.5

  • None

FortiWAN 4.0.4

  • Content was enhanced for Reports > Session (See “Reports > Session”).
  • Content was enhanced for Virtual Server (See “Load Balancing & Fault Tolerance” and “Virtual Server”) and Persistent Routing (See “Persistent Routing”).

FortiWAN 4.0.3

Revision 2

  • Topic “Web UI and CLI Overview” was reorganized and content was enhanced on connecting to the Web UI and CLI (See “Connecting to the Web UI and the CLI”), Web UI operations (See “Using the web UI”) and CLI commands (See “Console Mode Commands”).
  • Content was enhanced on account management, RADIUS, and firmware update (See “Administration”).
  • Content was enhanced for NAT and the NAT default rule in pages “NAT”, “Configurations for a WAN link in Routing Mode”, “Configurations for a WAN link in Bridge Mode: Multiple Static IP” and “Configurations for a WAN link in Bridge Mode: One Static IP”.
  • Content was enhanced for the state of peer information in page “Summary”.
  • A new topic “Reports Database Tool” was added, and Reports related topics were enhanced (See “Reports Database Tool”, “Reports”, and “Enable Reports”).

Revision 1

  • A new page “Default port mappings” was added in section “How to set up your FortiWAN > Planning the network topology”.
  • Content was changed and enhanced for pages “Configurations for VLAN and Port Mapping”, “WAN, LAN and DMZ”, “WAN link and WAN port” and “Configuring your WAN”.
  • Content was changed and enhanced for Tunnel Routing. New subsections “GRE Tunnel”, “Routing” and “How the Tunnel Routing Works” were added. Subsections “Tunnel Routing – Setting” and “Tunnel Routing – Benchmark” were enhanced.

FortiWAN 4.0.2

  • A note about the restrictions on duplicate configurations of group tunnels was added in Tunnel Routing.
  • Content was enhanced for Multihoming in sections “Prerequisites for Multihoming”, “DNSSEC Support”, “Enable Backup”, “Configurations”, “Relay Mode” and “External Subdomain Record”.
  • Content was changed and enhanced for WAN Link Health Detection and FortiWAN in HA (High Availability) Mode.
  • A typographical error in Introduction > Scope was fixed.

FortiWAN 4.0.1

  • The default username to log in to the Command Line Interface (Console Mode) was fixed from “administrator” to “Administrator” in Using the web UI and the CLI and Appendix A: Default Values.

  • The reference for information on console commands in Administration > Maintenance was fixed from “Appendix A: Default Values” to “Console Mode Commands”.

What’s new

The following features are new or changed since FortiWAN 4.0.0:

FortiWAN 4.3.1

  • Tunnel Routing – From this release, the Generic Receive Offload (GRO) mechanism on each of FortiWAN’s network interfaces is disabled by default for better Tunnel Routing transmission performance. The parameter “generic-receive-offload” of CLI command sysctl, added in release 4.2.3 to enable/disable GRO, is removed; GRO can no longer be enabled on FortiWAN. Related descriptions were removed from Console Mode Commands, How the Tunnel Routing Works and How to set up routing rules for Tunnel Routing.

FortiWAN 4.3.0

  • Tunnel Routing
      • Supports large-scale Tunnel Routing network deployment, allowing a maximum of:
          • FWN-200B: 100 tunnel groups
          • FWN-1000B: 400 tunnel groups
          • FWN-3000B: 1000 tunnel groups
        For all FortiWAN models, each tunnel group supports up to 16 enabled GRE tunnels, and a maximum total of 2500 enabled GRE tunnels is supported. See Tunnel Routing Scale, Tunnel Routing – Setting and How to set up routing rules for Tunnel Routing.
      • A new measurement case is added to the benchmark to evaluate the transmission performance of a tunnel group. Packets of a measurement session are distributed and sent over all the tunnels of the tunnel group, just as Tunnel Routing generally works in practice. This is a more accurate way to evaluate your Tunnel Routing network. See Tunnel Routing – Benchmark.
  • IPSec – Supports Internet Key Exchange Protocol Version 2 (IKEv2) for the establishment of Security Associations. Please note that a specific procedure is required when you switch the IKE version of an existing IPSec VPN connection. See Specifications of FortiWAN’s IPsec VPN and IKE Phase 1 Web UI fields – Internet Key Exchange.
  • DHCP Relay – Supports up to two DHCP servers for a relay agent. Once two DHCP servers are configured, the relay agent forwards a DHCP request to both servers. The first response received by the relay agent is applied to the DHCP client, and subsequent responses are ignored. See DHCP Relay.
  • Reports – Supports scheduled report email. According to the schedule, the system sends report emails automatically and periodically (daily, weekly or monthly). See Report Email and Scheduled Emails.
  • CLI command – A new parameter PORT is added to command resetconfig for specifying the port mapped as the LAN port while resetting configurations to factory default. See CLI Command – resetconfig.
  • DNS Proxy – The Intranet Source field of a DNS Proxy policy can be configured with an IPv4 range or subnet. See DNS Proxy Setting Fields.
  • WAN link health detection – A new parameter that indicates the number of consecutive successful detections required to declare a WAN link available is added to WAN link health detection policies. See WAN Link Health Detection.
  • Web UI account – The ability for Monitor accounts to reset their own password is removed. From this release, the Web UI page System > Administration is not available to Monitor accounts, and only Administrator accounts have permission to reset passwords. Also, the Apply button is greyed out and inactive for Monitor users. See Administrator and Monitor Password.
  • Multihoming – Supports SOA and NS records for the reverse lookup zones. See Global Settings: IPv4/IPv6 PTR Record.
  • Web UI – New look and feel.

FortiWAN 4.2.7

Bug fixes only. Please refer to FortiWAN 4.2.7 Release Notes.

FortiWAN 4.2.6

Bug fixes only. Please refer to FortiWAN 4.2.6 Release Notes.

FortiWAN 4.2.5

Bug fixes only. Please refer to FortiWAN 4.2.5 Release Notes.

FortiWAN 4.2.4

Bug fixes only. Please refer to FortiWAN 4.2.4 Release Notes.

FortiWAN 4.2.3

  • Tunnel Routing – Performance of transmission in a tunnel group can be greatly enhanced by disabling the Generic Receive Offload (GRO) mechanism on each of the participating network interfaces on both participating FortiWAN units. A new parameter “generic-receive-offload” is added to CLI command sysctl to enable/disable the GRO module. See How the Tunnel Routing Works, Tunnel Routing – Setting and Console Mode Commands.
  • DHCP – Supports Vendor Specific Information (Vendor Encapsulated Options, option code: 43) and TFTP Server Name (option code: 66). The two DHCP options are used by DHCP clients to request vendor specific information and TFTP server IP addresses from the DHCP server for device configuration purposes. FortiWAN’s DHCP server delivers the specified information to clients according to the two option codes. See Automatic addressing within a basic subnet.
  • Bandwidth Management – A new field Input Port is added to Bandwidth Management’s outbound IPv4/IPv6 filters to evaluate outbound traffic by the physical port it comes from. Corresponding network ports (VLAN ports, redundant ports, aggregated ports, etc.) are the options for setting the field, if they are configured in Network Setting. See Bandwidth Management.
  • Port Mapping – The original configuration panels “Aggregated LAN Port” and “Aggregated DMZ Port” are merged into one panel, “Aggregated Port”. Instead of mapping the member ports to LAN/DMZ before aggregating them, you now create the logical aggregated port from two unmapped member ports first, and then map LAN/DMZ or define VLANs on the aggregated port. See Configurations for VLAN and Port Mapping.
  • Multihoming
      • Supports wildcard characters for configuring the Host Name field of A/AAAA records. A single wildcard character matches DNS queries for any hostname that does not appear in any NS record, primary name server, external subdomain or other A/AAAA record of a domain, so that the specified A/AAAA policy matches. Note that wildcard characters are not accepted in records other than A/AAAA (NS, MX, TXT, etc.). See Inbound Load Balancing and Failover (Multihoming).
      • Supports configuring CName records for DKIM signing. The Name Server, Alias, Target, Host Name and Mail Server fields of NS, CName, DName, MX and TXT records may contain dot characters. A dot character is still not accepted in A/AAAA records. See Inbound Load Balancing and Failover (Multihoming).
  • Auto Routing – Previously, all the WAN links (WAN parameters) of an Auto Routing policy were checked by default when you created it on the Web UI; to program it for the real network, you had to uncheck the unused WAN links one at a time. From this release, the WAN parameters of an AR policy are checked by default only if the corresponding WAN links have been enabled via Network Setting. See Outbound Load Balancing and Failover (Auto Routing).
  • Statistics – Measurement of Round Trip Time (RTT) is added to Statistics > Tunnel Status for each GRE tunnel of the configured tunnel groups. See Tunnel Status.

FortiWAN 4.2.2

Bug fixes only. Please refer to FortiWAN 4.2.2 Release Notes.

FortiWAN 4.2.1

Bug fixes only. Please refer to FortiWAN 4.2.1 Release Notes.

FortiWAN 4.2.0 l IPSec VPN – Supports standard IPSec VPN which is based on the two-phase Internet Key Exchange (IKE) protocol. FortiWAN’s IPSec VPN provides two communication modes, tunnel mode and transport mode. Tunnel mode is a common method used to establish IPSec VPN between two network sites.

FortiWAN IPSec tunnel mode transfers data traffic within single connection (single WAN link), therefore bandwidth aggregation and fault tolerance are not available to the VPN. On the other hand, FortiWAN’s transport mode is designed to provide protections to Tunnel Routing transmission on each of the TR tunnels, so that the IPSec VPN with ability of bandwidth aggregation and fault tolerance can be implemented.

FortiWAN’s IPSEC tunnel mode supports single-link connectivity between FortiWAN devices, FortiWAN and FortiGate and FortiWAN and any appliance supporting standard IPSEC. FortiWAN’s IPSEC transport mode supports multi-link Tunnel Routing between FortiWAN devices. IPSEC Aggressive Mode is not supported in this release. See “IPSec VPN”.

  • Tunnel Routing – Supports IPSec encryption. With cooperation with FortiWAN’s IPSec tunnel mode, the Tunnel Routing communication can be protected by IPSec Security Association (IPSec SA), which provides strict security negotiations, data privacy and authenticity. The VPN network implemented by Tunnel Routing and IPSec transport mode has the advantages of high security level, bandwidth aggregation and fault tolerance. See “Tunnel Routing”.
  • Basic subnet– Supports DHCP Relay on every LAN port and DMZ port. FortiWAN forwards the DHCP

requests and responses between a LAN or DMZ subnet and the specified DHCP server (standalone), so that centralized DHCP management can be implemented. With appropriate deployments of Tunnel Routing (or Tunnel Routing over IPSec Transport mode), the DHCP server of headquarters is capable to manage IP allocation to regional sites through DHCP relay. FortiWAN’s DHCP relay is for not only a local network but also a Tunnel Routing VPN network. See “Automatic addressing within a basic subnet”.

  • DHCP – Supports static IP allocation by Client Identifier (Options code: 61).According to the client identifier, FortiWAN’s DHCP recognizes the user who asks for an IP lease, and assigns the specified IP address to him. See “Automatic addressing within a basic subnet”.
  • Bandwidth Management – Supports the visibility to Tunnel Routing traffic. In the previous version, individual application encapsulated by Tunnel Routing was invisible to FortiWAN’s Bandwidth Management. Bandwidth Management is only capable of shaping the overall tunnel (GRE) traffic. From this release, Bandwidth Management evaluates traffic before/after Tunnel Routing encapsulation/decapsulation, so that traffic of individual application in a Tunnel Routing transmission can be controlled. See “Bandwidth Management”.
  • Administration – Ability of changing their own password for Monitor accounts is added. In the previous version, password of accounts belonging to Monitor group can be changed by only administrators. From this release, Monitor accounts can change their own password. See “Administration”.
  • HA synchronization – After a system configuration file is restored (System > Administration > Configuration File), the master unit automatically synchronizes the configuration to the slave unit. See “Administration”.
  • DNS Proxy – Supports wildcard characters when configuring Proxy Domains in the Web UI. See “DNS Proxy”.
  • Account – The default account maintainer was removed from FortiWAN’s authentication.
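
The mechanism behind static allocation by Client Identifier, as an added example that is not FortiWAN code: a small parser for the DHCP options field and an allocator that keys reservations on the raw option-61 value. The reservation table, the address pool and the DHCPDISCOVER bytes are constructed for the example. The type byte of option 61 is kept as part of the key, because a hardware-address identifier (type 1) and an opaque identifier (type 0) with the same bytes are different clients.

```python
"""Static DHCP allocation by Client Identifier (option 61).

Added example, not FortiWAN code: it shows how a DHCP server keys a
reservation on the option-61 value. The reservation table, the pool and the
DHCPDISCOVER options below are constructed for the example.
"""
from __future__ import annotations

OPT_PAD, OPT_END = 0, 255
OPT_MSG_TYPE, OPT_CLIENT_ID = 53, 61
DHCPDISCOVER, DHCPREQUEST = b"\x01", b"\x03"


def parse_options(opts: bytes) -> dict[int, bytes]:
    """Parse a DHCP options field (RFC 2132 code/length/value layout).

    Pads are skipped, END terminates, and a truncated option raises rather
    than silently yielding a short value. A repeated option overwrites the
    earlier one (RFC 3396 long-option concatenation is not handled here).
    """
    out: dict[int, bytes] = {}
    i = 0
    while i < len(opts):
        code = opts[i]
        if code == OPT_PAD:
            i += 1
            continue
        if code == OPT_END:
            break
        if i + 1 >= len(opts):
            raise ValueError("truncated option header")
        length = opts[i + 1]
        value = opts[i + 2 : i + 2 + length]
        if len(value) != length:
            raise ValueError(f"truncated option {code}")
        out[code] = value
        i += 2 + length
    return out


def client_identifier(opts: dict[int, bytes]) -> bytes | None:
    """Return the raw option-61 value (type byte followed by the identifier)."""
    cid = opts.get(OPT_CLIENT_ID)
    return cid if cid is not None and len(cid) >= 2 else None


def allocate(options_bytes: bytes, reservations: dict[bytes, str],
             pool: list[str]) -> tuple[str, str]:
    """Choose the address for a DISCOVER/REQUEST.

    A client whose option-61 value matches a reservation gets its reserved
    address; anyone else gets the first pool address that is not reserved.
    Leases already handed out are not tracked in this example.
    """
    opts = parse_options(options_bytes)
    if opts.get(OPT_MSG_TYPE) not in (DHCPDISCOVER, DHCPREQUEST):
        raise ValueError("not an address request")
    cid = client_identifier(opts)
    if cid is not None and cid in reservations:
        return reservations[cid], "reserved"
    reserved = set(reservations.values())
    for addr in pool:
        if addr not in reserved:
            return addr, "dynamic"
    raise RuntimeError("pool exhausted")


def build_discover(client_id: bytes) -> bytes:
    """Build a minimal DHCPDISCOVER options field carrying option 61."""
    return (bytes([OPT_MSG_TYPE, 1]) + DHCPDISCOVER
            + bytes([OPT_CLIENT_ID, len(client_id)]) + client_id
            + bytes([OPT_END]))


# Constructed reservation table: option-61 value -> address.
SAMPLE_RESERVATIONS = {
    bytes.fromhex("01" "001122334455"): "192.0.2.50",   # type 1: Ethernet MAC
    b"\x00" + b"branch-printer-7": "192.0.2.51",         # type 0: opaque string
}
SAMPLE_POOL = ["192.0.2.50", "192.0.2.100", "192.0.2.101"]
SAMPLE_DISCOVER = build_discover(bytes.fromhex("01001122334455"))

if __name__ == "__main__":
    print(allocate(SAMPLE_DISCOVER, SAMPLE_RESERVATIONS, SAMPLE_POOL))
```

Because the identifier is unauthenticated, anyone who learns it can claim the reserved address; if the address is used in firewall or routing policy, that policy should not rely on the DHCP reservation alone.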

FortiWAN 4.1.3

Bug fixes only. Please refer to FortiWAN 4.1.3 Release Notes.

FortiWAN 4.1.2

Bug fixes only. Please refer to FortiWAN 4.1.2 Release Notes.

FortiWAN 4.1.1

  • New CLI command shutdown – Use this command to shut the FortiWAN system down. All system processes and services are terminated normally. The command might not power the appliance off; use the power switch or plug/unplug the power adapter to power the appliance on or off. See “Console Mode Commands”.

  • Firmware upgrade – A License Key will no longer be required for upgrading system firmware to any release.

FortiWAN 4.1.0

  • The timezone of FortiWAN’s hardware clock (RTC) is switched from local time to UTC. The system time might be incorrect after updating firmware from a previous version to this one because of the mismatched timezone. Reset the system time and synchronize it to FortiWAN’s hardware clock (run Synchronize Time in System > Date/Time via the Web UI), so that the hardware clock is kept in UTC.

  • New models – FortiWAN introduces two models, FortiWAN-VM02 and FortiWAN-VM04, for deployment on VMware; FortiWAN 4.1.0 is the initial version for both. FortiWAN-VM02 supports a maximum of 2 virtual CPUs and FortiWAN-VM04 a maximum of 4 virtual CPUs. Both models support 9 virtual network adapters, and each port can be programmed as WAN, LAN or DMZ. FortiWAN-VM supports deployment on VMware vSphere ESXi. Refer to the “FortiWAN-VM Install Guide”.

  • Bandwidth capability changes:
  • FortiWAN 200B – The basic bandwidth is upgraded to 200Mbps from 60Mbps. With a bandwidth license, system supports advanced bandwidth up to 400Mbps and 600Mbps.
  • FortiWAN 1000B – The basic bandwidth is upgraded to 1 Gbps from 500Mbps. With a bandwidth license, system supports advanced bandwidth up to 2 Gbps.
  • FortiWAN 3000B – The basic bandwidth is upgraded to 3 Gbps from 1 Gbps. With a bandwidth license, system supports advanced bandwidth up to 6 Gbps and 9 Gbps.
  • Notification – Supports delivering event notifications via secure SMTP. See “Notification”.
  • Connection Limit – Customers can manually abort the connections listed in Connection Limit’s Statistics. FortiWAN’s Connection Limit stops subsequent connections from malicious IP addresses when the system is under an attack with a high volume of connections. However, the existing malicious connections are only released when they time out normally, which takes time. Connection Limit’s Statistics lists the existing connections; aborting them releases the memory they occupy and recovers the system immediately. See “Statistics > Connection Limit”.
  • Multihoming – Supports specifying an IPv6 address in an A record and an IPv4 address in an AAAA record to evaluate the source of a DNS request. See “Inbound Load Balancing and Failover (Multihoming)”.
  • Automatic default NAT rules – Supported for all types of IPv6 WAN link. Previously, the system automatically generated default NAT rules for any type of IPv4 WAN link and for PPPoE IPv6 WAN links once the WAN links were applied. From this release, all types of IPv6 WAN link are supported. See “NAT”.

  • Firmware update under HA deployment – A single instruction updates both master and slave units. The master unit triggers the firmware update on the slave unit first, and then updates itself. See “FortiWAN in HA (High Availability) Mode”.
  • New Reports pages:
  • Dashboard – This is a chart-based summary of FortiWAN’s system information and hardware states. See “Reports > Device Status > Dashboard”.
  • Settings – This is used to manage FortiWAN Reports. See “Reports Settings”.
  • Auto Routing – A new field, Input Port, is added to Auto Routing rules to evaluate outbound traffic by the physical port it arrives on. The corresponding VLAN ports, redundant LAN ports, redundant DMZ ports, aggregated LAN ports and aggregated DMZ ports are available as options if they are allocated. See “Using the Web UI”.
  • New and enhanced CLI commands (See “Console Mode Commands”):
  • New command arp – Use this command to manipulate (add and delete entries) or display the IPv4 network neighbor cache.
  • Enhanced command resetconfig – A new parameter is added to the CLI command resetconfig to specify a static routing subnet for the default LAN port. By specifying a suitable private LAN subnet and static routing rule, users can connect to the Web UI via the default LAN port without modifying their current network after the system reboots from a reset to factory default.

  • Pagination – Paginate the output of a command if it is longer than screen can display.
  • Changes on FortiWAN Logins:
    • The Fortinet default account/password (admin with an empty password) is supported for FortiWAN’s Web UI and CLI. The old default accounts/passwords remain accessible. Set a password for admin at first login; a management interface reachable with an empty default password is an obvious target. See “Connecting to the Web UI and the CLI”.
    • The FortiWAN CLI accepts logins from any customized account belonging to the Administrator group. A special account, maintainer, is provided to reset the admin password to factory default via the CLI, for the case where no one who knows the password is available to log in to the Web UI or CLI. See “Administration”.

    • All accounts belonging to the Administrator group can log in to FortiWAN over SSH.
    • The Web UI supports multiple sign-ins. The system accepts a maximum of 20 concurrent logins. Note that the system does not run Tunnel Routing Benchmark concurrently for multiple logins. See “Using the Web UI”.
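
The Connection Limit behaviour described in the 4.1.0 notes (refuse new connections from a source over its limit, let existing ones age out, or abort them to free memory at once), as an added example that is not FortiWAN code. The limiter keeps a per-source table of live connections; the thresholds, source addresses and event times are constructed.

```python
"""Per-source connection limit with operator abort.

Added example, not FortiWAN code. It models the behaviour described in the
release note: once a source holds its maximum number of connections, new
ones are refused; existing ones linger until they time out; an operator
can abort them to free the table immediately. Limits and events are
constructed.
"""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass, field


@dataclass
class ConnectionLimiter:
    max_per_source: int
    idle_timeout: float  # seconds of silence before a connection is dropped
    # src -> {conn_id: last_seen}; this is the state a flood tries to fill
    active: dict[str, dict[str, float]] = field(default_factory=lambda: defaultdict(dict))
    refused: dict[str, int] = field(default_factory=lambda: defaultdict(int))

    def offer(self, src: str, conn_id: str, now: float) -> bool:
        """Admit a new connection from src at time now, or refuse it."""
        self.expire(now)
        table = self.active[src]
        if len(table) >= self.max_per_source:
            self.refused[src] += 1
            return False
        table[conn_id] = now
        return True

    def touch(self, src: str, conn_id: str, now: float) -> None:
        """Record activity on an existing connection (resets its idle timer)."""
        if conn_id in self.active.get(src, {}):
            self.active[src][conn_id] = now

    def close(self, src: str, conn_id: str) -> None:
        """Normal teardown by the peer."""
        self.active.get(src, {}).pop(conn_id, None)
        if src in self.active and not self.active[src]:
            del self.active[src]

    def expire(self, now: float) -> int:
        """Drop connections idle longer than idle_timeout; return how many."""
        dropped = 0
        for src, table in list(self.active.items()):
            for cid, last_seen in list(table.items()):
                if now - last_seen > self.idle_timeout:
                    del table[cid]
                    dropped += 1
            if not table:
                del self.active[src]
        return dropped

    def abort_source(self, src: str) -> int:
        """Operator action: abort every tracked connection from src now,
        without waiting for the idle timeout. Returns the number freed."""
        return len(self.active.pop(src, {}))

    def count(self, src: str) -> int:
        return len(self.active.get(src, {}))


if __name__ == "__main__":
    lim = ConnectionLimiter(max_per_source=3, idle_timeout=60.0)
    for i in range(4):
        print("203.0.113.9", f"c{i}", lim.offer("203.0.113.9", f"c{i}", float(i)))
    print("aborted", lim.abort_source("203.0.113.9"))
```

The point the release note makes is visible in the two recovery paths: expire() only helps once the idle timeout elapses, while abort_source() frees the table immediately, which is what the manual abort in Connection Limit’s Statistics does.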

FortiWAN 4.0.6

Bug fixes only. Please refer to FortiWAN 4.0.6 Release Notes.

FortiWAN 4.0.5

Bug fixes only. Please refer to FortiWAN 4.0.5 Release Notes.

FortiWAN 4.0.4

Bug fixes only. Please refer to FortiWAN 4.0.4 Release Notes.

FortiWAN 4.0.3

FortiWAN 4.0.3 is the initial release for FortiWAN 3000B. For bug fixes, please refer to FortiWAN 4.0.3 Release Notes.

FortiWAN 4.0.2

Bug fixes only. Please refer to FortiWAN 4.0.2 Release Notes.

FortiWAN 4.0.1

FortiWAN introduces new hardware platforms FortiWAN 1000B and FortiWAN 3000B, and new FortiWAN 4.0.1 firmware based on the AscenLink series of Link Load Balancing appliances already in the market. FortiWAN 4.0.1 is substantially similar to AscenLink V7.2.3 with the additions noted below.

To assess the impact of deploying FortiWAN 4.0.1 on your network and processes, review the following new and enhanced features.

  • Data Port Changes:
    • FortiWAN 1000B supports 3 GE RJ45 ports and 4 GE SFP ports. Each port can be programmed as WAN, LAN or DMZ. Redundant LAN and DMZ ports can be configured. 2-link LACP/LAG LAN or DMZ ports can be configured. The default LAN port is Port 6 and the default DMZ port is Port 7.

    • FortiWAN 3000B supports 8 GE RJ45 ports, 8 GE SFP ports and 8 10GE SFP+ ports. Each port can be programmed as WAN, LAN or DMZ. Redundant LAN and DMZ ports can be configured. 2-link LACP/LAG LAN or DMZ ports can be configured. The default LAN port is Port 11 and the default DMZ port is Port 12.
  • HA Configuration Synchronization – Two FortiWAN appliances can be connected in active-passive High Availability mode via an Ethernet cable between the systems’ HA RJ-45 ports. HA will not interoperate between AscenLink and FortiWAN and will not interoperate between different FortiWAN models or the same model with different Throughput licenses. Model and Throughput must match.
  • HDD – FWN 1000B and FWN 3000B add internal 1TB HDDs for Reports data storage.
  • Hardware Support – FortiWAN 4.0.1 firmware supports FortiWAN 200B and FortiWAN 1000B. AscenLink series models are not supported. Note that FortiWAN 4.0.1 does not support FortiWAN 3000B; support follows in a subsequent release.

FortiWAN 4.0.0

FortiWAN introduces new hardware platform FortiWAN 200B and new FortiWAN 4.0.0 firmware based on the AscenLink series of Link Load Balancing appliances already in the market. FortiWAN 4.0.0 is substantially similar to AscenLink V7.2.2 with the additions noted below.

To assess the impact of deploying FortiWAN 4.0.0 on your network and processes, review the following new and enhanced features.

  • Data Port Changes – FortiWAN 200B supports 5 GE RJ45 ports. Each port can be programmed as WAN, LAN or DMZ. Redundant LAN and DMZ ports can be configured. 2-link LACP/LAG LAN or DMZ ports can be configured. Default LAN port is Port4 and default DMZ port is Port 5.
  • HA Port Change – FortiWAN supports one GE RJ45 HA Port. This port must be direct-cabled via Ethernet cable, to a second FWN unit HA port for HA operation. HA will not interoperate between AscenLink and FortiWAN and will not interoperate between different FortiWAN models.
  • HDD – FWN 200B adds an internal 500GB HDD for Reports data storage. See below for more information on Reports.
  • HA Configuration Synchronization – Two FWN 200B appliances can be connected in active-passive High Availability mode via an Ethernet cable between the systems’ HA RJ-45 ports.
  • New Functionality – FortiWAN 4.0.0 has the same functionality as AscenLink V7.2.2 PLUS the addition of built-in Reports which is the equivalent functionality to the external LinkReport for AscenLink.
  • Reports – Reports captures and stores data on traffic and applications across all WAN links in the system. Reports include connections, link and aggregate bandwidth, link and VPN reliability, and data on Multi-Homing requests, Virtual Server (SLB) requests, and more. Reports can be viewed on-screen, exported to PDF or CSV files or emailed immediately in PDF or CSV format.
  • GUI – FWN 4.0.0 adopts the Fortinet “look and feel”.
  • Hardware Support – FortiWAN 4.0.0 firmware supports FortiWAN 200B. AscenLink series models are not supported.


FortiWAN Key Concepts and Product Features

Key Concepts and Product Features

WAN load balancing (WLB)

Generally speaking, load balancing is a set of mechanisms for distributing workload across available resources, such as servers, computers, network links, CPUs or disk storage. FortiWAN’s WAN load balancing distributes (routes) WAN traffic across multiple network links. Its main purposes are optimizing bandwidth usage, maximizing transmission throughput and avoiding overload of any single network link. WAN load balancing always implies automatic traffic distribution across multiple network links. Unlike general routing, WAN load balancing involves algorithms, calculations and monitoring to dynamically determine the availability of network links for traffic distribution.

Installation

FortiWAN is an edge device that typically connects an internal local area network (LAN) to an external wide area network (WAN) or the Internet. The physical network ports on FortiWAN are divided into WAN ports, LAN ports and DMZ (Demilitarized Zone) ports, which connect to the WAN or the Internet, to subnets in the LAN, and to subnets in the DMZ respectively. Refer to the FortiWAN QuickStart Guides for the port mapping of each model.

Bidirectional load balancing

Network data transmission through FortiWAN is bidirectional: inbound and outbound. A transmission consists of session establishment and packet transmission. An inbound session is one established from outside (external) toward FortiWAN (internal), while an outbound session is one established from behind FortiWAN (internal) toward the outside (external). For example, a request from the internal network to an HTTP server on the Internet means the first packet goes out to the external server, so an outbound session is established. Conversely, a request from outside to an HTTP server behind FortiWAN means the first packet comes in to the internal server, so an inbound session is established. Whichever direction a session is established in, packet transmission may be bidirectional (depending on the transport protocol). FortiWAN is capable of balancing both outbound and inbound sessions and packets across multiple network links.

Auto Routing (Outbound Load Balancing)

FortiWAN distributes traffic across as many as 50 WAN links, under control of load balancing algorithms. FortiWAN’s many advanced load balancing algorithms let you easily fine-tune how traffic is distributed across the available links. Each deployment can be fully customized with the most flexible assignment of application traffic in the industry.


Multihoming (Inbound Load Balancing)

Many enterprises host servers for email, web and other public-access services. FortiWAN load balances incoming requests and responses across multiple WAN links to improve user response and network reliability. Load balancing algorithms assure the enterprise that priority services are maintained and given appropriate upstream bandwidth.

Fall-back or Fail-over

FortiWAN detects local access link failures and end-to-end failures in the network and can either fall-back to remaining WAN links or fail-over to redundant WAN links, if needed. Fall-back and Fail-over behavior is under complete control of the administrator, with flexible rule definitions to meet any situation likely to occur. Links and routes are automatically recovered when performance returns to acceptable levels. Notifications will be sent automatically to administrators when link or route problems occur.

Virtual Private Services (Tunnel Routing)

FortiWAN offers the most powerful and flexible multi-link VPN functionality in the industry. Inter-site Tunnels can be created from fractional, full, multiple and fractions of multiple WAN links. Applications requiring large single-session bandwidth such as VPN load balancing, video conferencing or WAN Optimization can use multiple links to build the bandwidth needed. Multi-session traffic can share an appropriately-sized Tunnel. Tunnels have the same functionality as single links, supporting Load Balancing, Fall-back, Failover and Health Detection within and between Tunnels. Dynamic IP addresses and NAT pass-through are supported for VPL service deployments.

Virtual Servers (Server Load Balancing and High Availability)

FortiWAN supports simple server load balancing and server health detection for multiple servers offering the same application. When service requests are distributed between servers, the servers that are slow or have failed are avoided and/or recovered automatically. Performance parameters are controlled by the administrator.

Optimum Routing

FortiWAN continuously monitors the public Internet to select the shortest and fastest route for mission-critical applications. Non-critical traffic can be routed away from the best links when prioritized traffic is present on the links or traffic can be assigned permanently to different groups of WAN links.

Traffic Shaping (Bandwidth Management)

FortiWAN optimizes and guarantees performance, or increases usable bandwidth, for specified traffic through traffic classification and rate limiting.

Firewall and Security

FortiWAN provides a stateful firewall, access control lists and a connection limit to protect the FortiWAN unit, the internal network and its services from malicious attacks.


Scope

This document describes how to set up your FortiWAN appliance. For first-time system deployment, the suggested processes are:

Installation

  • Register your FortiWAN appliance before you start the installation. Refer to the topic [Register your FortiWAN] for further information.
  • Plan the network topology for introducing FortiWAN into the current network. This requires a clear picture of the WAN link types your ISP provides and of how the available public IP addresses of each WAN link will be used. The topic [Planning the Network Topology] provides the sub-topics covering the concepts necessary for planning your network topology.
  • Topic [Web UI Overview] and its sub-topics provide the instructions for connecting to and logging into the Web management interface. The system time and the account password should be set at first login; refer to the topics [Setting the System Time & Date] and [Administrator] for further information.
  • To implement the network topology you planned, topic [Configuring Network Interface (Network Setting)] and its sub-topics give the necessary information about configuring network deployments in the Web UI. FortiWAN’s diagnostic tools are helpful for troubleshooting while configuring the network; refer to topic [Diagnostic Tools].

Functions

  • After installing FortiWAN into your network, the next step is to configure its major features, load balancing and failover. Topic [Load Balancing & Fault Tolerance] and its sub-topics describe FortiWAN’s load balancing and failover mechanisms for incoming and outgoing traffic, virtual servers and single-session services.
  • Topic [Optional Services] describes the configuration of FortiWAN’s optional services, such as Bandwidth Management, Firewall, Connection Limit, NAT, SNMP, Cache Redirect, etc.

Monitoring

  • After FortiWAN has been running for a while, traffic logs, statistics and report analysis may be needed for monitoring or troubleshooting. Topics [Logs], [Statistics] and [Reports] describe how to use those logs, statistics and reports to improve management policies on FortiWAN.

The following topics are covered elsewhere:

  • Appliance installation—Refer to the quick start guide for your appliance model.
  • Virtual appliance installation—Refer to the FortiWAN-VM Install Guide.

FortiWAN Handbook – Introduction

Introduction

Enterprises are increasingly relying on the internet for delivery of critical components for everyday business operations. Any delays or interruptions in connectivity can easily result in reduced productivity, lost business opportunities and a damaged reputation. Maintaining a reliable and efficient internet connection to ensure the operation of critical applications is therefore key to the success of the enterprise.

FortiWAN is a separate and discrete hardware appliance with its own operating system, specifically designed to intelligently balance Internet and intranet traffic across multiple WAN connections, providing additional low-cost incoming and outgoing bandwidth for the enterprise and substantially increased connection reliability. FortiWAN is supported by a user-friendly UI and a flexible policy-based performance management system.

FortiWAN provides a unique solution that offers comprehensive multi-WAN management that keeps costs down as well as keeping customers and users connected.

Product Benefits

FortiWAN is the most robust, cost-effective way to:

  • Increase the performance of your:
    • Internet access
    • Public-to-Enterprise access
    • Site-to-site private intranet
  • Lower operating costs
  • Increase your network reliability
  • Enable Cloud / Web 2.0 applications
  • Monitor network performance

Increase Network Performance

FortiWAN increases network performance in three key areas:

  • Access to Internet resources from the Enterprise
  • Access to Enterprise resources from the Internet
  • Creation of Enterprise Intranet connections between sites

FortiWAN intelligently aggregates multiple broadband and/or leased access lines to significantly increase Internet access performance. FortiWAN makes reacting to network demands fast, flexible and inexpensive. FortiWAN transforms underperforming networks into responsive, cost-effective and easy-to-manage business assets.

FortiWAN load balances Internet service requests from Enterprise users, optimally distributing traffic across all available access links. FortiWAN’s 7 different Load Balancing algorithms provide the flexibility to maximize productivity from any network scenario.

FortiWAN gives you high-performance inter-site connectivity without the need to lease expensive links such as T1 and T3. FortiWAN aggregates multiple low-cost Internet access links to create site-to-site Virtual Private Line (VPL) Tunnels for LAN-like performance between company locations. By using multiple carriers and media, the reliability of these VPL Tunnels can exceed that of traditional engineered carrier links.

Substantially Lower Operating Costs

Once bandwidth requirements exceed traditional asymmetrical Internet access services (like ADSL) there is a very high jump in bandwidth cost to engineered, dedicated access facilities like DS-1/DS-3. Even Metro Ethernet is a large cost increment where it is available. Adding shared Internet access links is substantially less expensive and delivery is substantially faster.

Traditional point-to-point private lines for company intranets are still priced by distance and capacity. Replacing or augmenting dedicated point-to-point services with Virtual Private Line Tunnels reduces costs substantially while increasing available bandwidth and reliability.

FortiWAN makes low-cost network access links behave and perform like specially-engineered carrier services at a fraction of the cost.

  • Deploy DSL services and get DS-3/STM-1-like speed and reliability while waiting for the carrier to pull fiber.
  • Add and remove bandwidth for seasonal requirements quickly and easily.
  • Increase bandwidth to web servers and use multiple ISPs without BGP4 management issues.

Increase Network Reliability

Businesses can no longer afford Internet downtime. FortiWAN provides fault tolerance for both inbound and outbound IP traffic to ensure a stable and dependable network. Even multiple link failures, while reducing available bandwidth, will not stop traffic. By using diverse media (fiber, copper, wireless) and multiple ISPs (Telco, Cableco, 4G), FortiWAN can deliver better than carrier-class “5-9’s” reliability.

FortiWAN can be deployed in High Availability mode with fully redundant hardware for increased reliability. Larger FortiWAN models also feature redundant power supplies for further protection from hardware failures.

Enable Cloud / Web 2.0 Applications

Traditional WAN Optimization products expect that all users connect only to Headquarters servers and Internet gateways over dedicated, symmetric leased lines, but that is already “yesterday’s” architecture. Today users want to mix HQ connectivity with direct Cloud access to Web 2.0 applications like email, collaborative documentation, ERP, CRM and online backup.

FortiWAN gives you the flexibility to customize your network, giving you complete control. Direct cloud-based applications to links optimized for them and reduce the bandwidth demand on expensive dedicated circuits. Combine access links and/or dedicated circuits into Virtual Private Line Tunnels that will support the fastest video streaming or video conferencing servers that Headquarters can offer.

FortiWAN is designed for easy deployment and rapid integration into any existing network topology.

Monitor Network Performance

FortiWAN provides comprehensive monitoring and reporting tools to ensure your network is running at peak efficiency. With the built-in storage and database, FortiWAN’s Reports function provides historical detail and reporting over longer periods of time, so that it not only allows management to react to network problems, but to plan network capacity, avoiding unnecessary expense while improving network performance.

FortiWAN is managed via a powerful Web User Interface. Configuration changes are instantly stored without the need to re-start the system. Configuration files can be backed-up and restored remotely. Traffic measurements, alarms, logs and other management data are stored for trend analysis and management overview.

FortiCore 2.0.0 Release Notes

Introduction

This document provides upgrade instructions and release information about FortiCore Version 2.0.0. Please review all sections in this document prior to upgrading your device.

Supported models

This release covers the following FortiCore models:

  • 3600E
  • 3700E
  • 3800E
  • 3805E

Summary of enhancements

FortiCore Version 2.0.0 includes the following new features:

  • OVSDB support for configuration
  • LAG for front panel ports

FortiCore features and capabilities are described in the FortiCore Admin Guide, available at the following location: http://docs.fortinet.com/forticore/admin-guides


Upgrade Information

Upgrading

FortiCore Version 2.0.0 supports upgrade from release 1.2.0 and downgrade from release 2.0.0 to 1.2.0.

To upgrade the firmware, follow these instructions from the dashboard page of the web-based admin tool:

  1. Download the desired firmware version from the Fortinet support site to your local hard drive.
  2. Click the update button next to the current firmware version.
  3. Select the firmware file and click OK.
  4. The system automatically loads the firmware and performs a system restart.

Firmware image checksums

The MD5 checksums for all Fortinet software and firmware releases are available at the Customer Service & Support portal, https://support.fortinet.com. After logging in select Download > Firmware Image Checksums, enter the image file name including the extension, and select Get Checksum Code. Compute the checksum of the downloaded file and compare it with the portal value before uploading the image; a mismatch means the download is corrupted or has been substituted.


Product Integration and Support

SDN Gateway Support

FortiCore supports any SDN Gateway that is compliant to OpenFlow version 1.3.

The FortiCore product was tested primarily with the OpenDaylight SDN controller, provided by the Linux Foundation.

Web Browser Support

The FortiCore web-based administration interface supports the following browser versions:

  • Mozilla Firefox version 36
  • Google Chrome version 43

Other web browsers may function correctly, but are not supported by FortiCore.

FortiAP 5.4.2 Release Notes

Introduction

This document provides the following information for FortiAP version 5.4.2:

  • Supported models
  • What’s new in FortiAP 5.4.2
  • Upgrade Information
  • Product Integration and Support
  • Resolved Issues

For more information on upgrading your FortiAP device, see the Deploying Wireless Networks for FortiOS 5.4 guide in the Fortinet Document Library.

Supported models

FortiAP version 5.4.2 supports the following models:

Model support

Models: FAP-11C, FAP-14C, FAP-21D, FAP-24D, FAP-25D, FAP-112B, FAP-112D, FAP-221B, FAP-221C, FAP-222B, FAP-222C, FAP-223B, FAP-223C, FAP-224D, FAP-320B, FAP-320C, FAP-321C, FAP-CAM-214B

Build: 0354

What’s new in FortiAP 5.4.2

The following is a list of new features and enhancements in FortiAP version 5.4.2:

  • Support for DFS channels on more FAP SKUs:
    • FAP-321C-S
    • FAP-222C-K
    • FAP-221B-I, FAP-221C-I, FAP-222C-I, FAP-223C-I, FAP-320B-I, FAP-320C-I, FAP-321C-I
  • Support for a 64-digit hexadecimal passphrase (the raw 256-bit PSK) in WPA2-Personal SSIDs
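
What the 64-digit hexadecimal form means in practice, as an added example that is not FortiAP or FortiOS code. In WPA/WPA2-Personal, a text passphrase is stretched into the 256-bit PSK with PBKDF2-HMAC-SHA1 (SSID as salt, 4096 iterations), which is the derivation IEEE 802.11 specifies; a 64-hex-digit value is the PSK itself and is used without derivation. The function below accepts either form and is checked against the published IEEE 802.11 test vector (passphrase "password", SSID "IEEE"). The helper that generates a random PSK is an addition for illustration.

```python
"""WPA2-Personal PSK: passphrase derivation versus the 64-hex-digit raw key.

Added example, not FortiAP code. The derivation is the one IEEE 802.11
specifies for WPA/WPA2-Personal: PSK = PBKDF2-HMAC-SHA1(passphrase, SSID,
4096 iterations, 32 bytes). A 64-hex-digit value is the 256-bit PSK itself
and skips the derivation.
"""
import hashlib
import re
import secrets

_HEX64 = re.compile(r"^[0-9a-fA-F]{64}$")


def is_valid_passphrase(secret: str) -> bool:
    """802.11 passphrases are 8..63 printable ASCII characters (32..126)."""
    return 8 <= len(secret) <= 63 and all(32 <= ord(c) <= 126 for c in secret)


def wpa2_psk(ssid: str, secret: str) -> bytes:
    """Return the 32-byte PSK that station and AP use as the PMK.

    secret is either a 64-hex-digit PSK (used as-is) or a passphrase
    (derived with PBKDF2). Anything else is rejected.
    """
    if _HEX64.match(secret):
        return bytes.fromhex(secret)
    if not is_valid_passphrase(secret):
        raise ValueError("secret must be 8-63 printable ASCII chars or 64 hex digits")
    return hashlib.pbkdf2_hmac("sha1", secret.encode("ascii"),
                               ssid.encode("utf-8"), 4096, dklen=32)


def random_psk_hex() -> str:
    """A fresh 256-bit PSK in the 64-hex form a WPA2-Personal SSID accepts."""
    return secrets.token_hex(32)


if __name__ == "__main__":
    print(wpa2_psk("IEEE", "password").hex())
    print(random_psk_hex())
```

The security difference is in what an attacker who captures a 4-way handshake can do: with a passphrase, an offline dictionary attack recovers the PSK as soon as the passphrase is guessed, and 4096 PBKDF2 iterations only slow that down; with a randomly generated 64-hex PSK there is nothing to guess but 256 bits. The hex form is therefore the right choice for devices provisioned by an administrator rather than typed by people.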

The following features require FortiCloud 3.1.0:

  • OKC support for FortiCloud WPA2-Enterprise SSID with RADIUS authentication
  • Dynamic VLAN support for FortiCloud WPA2-Enterprise SSID
  • Support for time zone and daylight-saving settings from FortiCloud
  • During firmware upgrade, the FAP can download the firmware image from an HTTPS server as instructed by FortiCloud.


The following features require FortiGate running FortiOS 5.6.0:

  • PMF support for local-standalone SSID with WPA2-Personal/Enterprise security
  • New security option for the CAPWAP data channel: IPsec VPN. Note: FAP-320B cannot support this feature due to its flash limit.
  • Support for QoS Profile (rate limits per SSID and per client IP)
  • Add “lease-time” setting to NAT-mode local-standalone VAP


Upgrade Information

Upgrading from FortiAP version 5.4.1

FortiAP 5.4.2 supports upgrading from 5.4.1.

Downgrading to previous firmware versions

FortiAP 5.4.2 does not support downgrading to previous firmware versions.

Firmware image checksums

The MD5 checksums for all Fortinet software and firmware releases are available at the Customer Service & Support portal, https://support.fortinet.com. After logging in select Download > Firmware Image Checksums, enter the image file name including the extension, and select Get Checksum Code.
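
A checksum check that matches the procedure both the FortiCore and the FortiAP notes describe (download the image, read the MD5 value from the support portal, compare before uploading), as an added example that is not Fortinet tooling. The digest algorithm is a parameter so the same code serves a stronger digest where one is published; the constructed sample bytes stand in for an image. Note what the check does and does not prove: it detects a corrupted or substituted download only if the expected value itself was read from the authenticated portal session, since MD5 offers no protection against an attacker who controls both the file and the published value.

```python
"""Verify a downloaded firmware image against the checksum published on the
Fortinet support portal.

Added example, not Fortinet tooling. The portal publishes MD5 values; the
algorithm is a parameter so a stronger digest can be used where available.
"""
import hashlib
import hmac
import io


def digest_stream(stream, algorithm: str = "md5", chunk_size: int = 1 << 20) -> str:
    """Hex digest of a binary stream, read in chunks so large images fit in memory."""
    h = hashlib.new(algorithm)
    for block in iter(lambda: stream.read(chunk_size), b""):
        h.update(block)
    return h.hexdigest()


def normalize_checksum(expected: str, algorithm: str) -> str:
    """Accept the value as pasted from the portal: any case, with spaces or newlines."""
    value = "".join(expected.split()).lower()
    want = 2 * hashlib.new(algorithm).digest_size
    if len(value) != want or any(c not in "0123456789abcdef" for c in value):
        raise ValueError(f"expected a {want}-hex-digit {algorithm} checksum")
    return value


def verify_bytes(data: bytes, expected: str, algorithm: str = "md5") -> bool:
    """In-memory variant, used for the constructed sample and for tests."""
    expected = normalize_checksum(expected, algorithm)
    actual = digest_stream(io.BytesIO(data), algorithm)
    # constant-time compare; not strictly needed for a public checksum, but cheap
    return hmac.compare_digest(actual, expected)


def verify_image(path: str, expected: str, algorithm: str = "md5") -> bool:
    """True only if the file's digest matches; upload the image only on True."""
    expected = normalize_checksum(expected, algorithm)
    with open(path, "rb") as f:
        actual = digest_stream(f, algorithm)
    return hmac.compare_digest(actual, expected)


if __name__ == "__main__":
    import sys
    algo = sys.argv[3] if len(sys.argv) > 3 else "md5"
    ok = verify_image(sys.argv[1], sys.argv[2], algo)
    print("OK" if ok else "MISMATCH: do not upload this image")
    sys.exit(0 if ok else 1)
```

Run it as `python verify_image.py FAP_221C-v5-build0354-FORTINET.out <checksum from portal>` (file name hypothetical); a non-zero exit stops a scripted upgrade before the image is pushed to the device.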

Supported Upgrade Paths

To view all previous FortiAP versions, build numbers, and their supported upgrade pathways, see the following Fortinet Cookbook link:

http://cookbook.fortinet.com/supported-upgrade-paths-fortiap/

Product Integration and Support

FortiAP 5.4.2 support

The following table lists FortiAP version 5.4.2 product integration and support information.

FortiAP 5.4.2 support

Web Browsers:
  • Microsoft Internet Explorer version 11
  • Mozilla Firefox version 41
  • Google Chrome version 47
  • Safari 8

Other web browsers may function correctly, but are not supported by Fortinet.

FortiOS: 5.4.2 and later
FortiExplorer (Windows/Mac): 2.6.0 (model FAP-11C only)
FortiExplorer iOS: 2.0.0 (models FAP-11C, 21D, 24D, 112D, 320B, and 320C only)


Resolved Issues

The following issues have been fixed in version 5.4.2. For inquiries about a particular bug, please contact Customer Service & Support.

Bug ID Description
206429 FAP WIDS function could not detect spoofed de-authentication attack to its operating SSID.
300277 The NAT setting in FAP was not cleared correctly when the VAP configuration in FortiGate has local-standalone disabled. (FortiGate will have the fix in FortiOS 5.6.0.)
369467 In FortiCloud captive-portal SSID setup, Social Media login page might become inaccessible due to DNS load balancing or rotation.
375543 FAP reported excess event logs about operating channel and Tx Power on 2.4 GHz radio.
307852 In FAP GUI, FortiCloud Account field now allows up to 50 characters.
381375 BPDU frames got truncated by FAP LAN to tunnel SSID when CAPWAP-data is plain text.
381602 Country code “AUSTRALIA” should be supported by FAP with region code “N”.
390947 Country code “SAUDI ARABIA” should be supported by FAP with region code “E”.
382926 Country code “INDONESIA” is now supported by a new region code “F”.
380931 Schedule of local-standalone SSID did not work when FAP lost connection with FortiCloud.
374626 Memory usage of IP pool of DHCP server in NAT-mode local-standalone SSID has been improved.
369162 For dual-radio FAP platforms, when both radios have the same NAT-mode local-standalone SSID configured, they can use the same IP and subnet mask settings now.
379123 Local-standalone SSID can support pre-authentication now.
391677 FAP-320C had lower TX power than expected.
281684 FAP sometimes encountered “PN check failed” issue.
395016 FAP-320C-E 2.4GHz Radio had inconsistent TX power when configured 1 dBm.
395010 FAP-320C-E 5Ghz Radio TX power was stuck at 0 once cwWtpd was killed.
395244 Improvement. Now FAP sends WTP ID information packet to FortiPresence Server more frequently.

389205 FortiAP 5.4.2 is no longer vulnerable to the following CVE references: CVE-2016-6308, CVE-2016-6307, CVE-2016-6306, CVE-2016-6305, CVE-2016-6304, CVE-2016-6303, CVE-2016-6302, CVE-2016-2183, CVE-2016-2182, CVE-2016-2181, CVE-2016-2180, CVE-2016-2179, CVE-2016-2178, CVE-2016-2177.

Visit https://fortiguard.com/psirt for more information.


Known Issues

The following issues have been identified in version 5.4.2. For inquiries about a particular bug or to report a bug, please contact Customer Service & Support.

Bug ID Description
301726 Sniffer mode does not work on 802.11ac radios. Sniffer will be stuck in INIT(0) state and no packets will be captured.
300081 FortiAPs may encounter high CPU usage intermittently after a FortiGate wireless controller pushes a local-authentication virtual AP (VAP) configuration to them.
245323 Spectrum analysis may result in high CPU usage on some FortiAP models including the FAP221B, FAP-223B, and FAP-221C.
236312 Split-tunneling SSIDs do not support VLANs.

FortiHypervisor 1.0 Admin Guide

Introduction

The FortiHypervisor Hybrid Virtual Appliance enables rapid service delivery for enterprises and MSPs through the use of virtualization technology. Built to deliver virtualized services as virtual network functions (VNFs), FortiHypervisor consolidates advanced networking and security services on a single device, eliminating the need for multiple CPE devices while enabling on-demand service delivery.

FortiHypervisor is available both as a software instance for installation on generic x86 platforms and on Fortinet SPU-accelerated hybrid appliances. A powerful Intel processor combined with SPU hardware acceleration delivers the high security performance that customers have come to expect from Fortinet. Ample storage and memory produce excellent compute, network and security performance for the most intensive tasks.

FortiHypervisor can run the wide range of Fortinet VNFs, delivering the greatest range of virtual functions in the industry, and is also compatible with third-party VMs in KVM format for the greatest flexibility.

Form-factors

FortiHypervisor is available in two form-factors, allowing customers to select the most appropriate solution for their requirements.

Appliance

FortiHypervisor comes in a range of physical appliances suitable for small office / retail deployments (vCPE) all the way up to the datacenter or MSP network core. The models come with different performance ratings, amounts of hard drive space, RAM and network access ports.

Software

FortiHypervisor is available as a bare metal hypervisor ISO image which can be installed on selected whitebox hardware.

Any selected hardware should be validated against the supported hardware list and should meet the minimum hardware specification listed below.

Whilst a minimum specification is provided, consideration should be made towards the VMs which will be installed as these may have additional performance and resource requirements.

If unsure, please validate your hardware selection with Fortinet Support before proceeding.