Special notices

This section highlights some of the operational changes and other important features that administrators should be aware of for FortiGate-6000 and FortiGate-7000 5.6.11 Build 4279.

Default security fabric configuration

The FortiGate-6000 uses the Security Fabric for communication and synchronization between the management board and FPCs. The FortiGate-7000 uses the Security Fabric for communication and synchronization among FIMs and FPMs. Changing the default security fabric configuration could disrupt this communication and affect system performance.

Default Security Fabric configuration:

config system csf
    set status enable
    set configuration-sync local
    set management-ip 0.0.0.0
    set management-port 0
end

For the FortiGate-6000 and FortiGate-7000 to operate normally, you must not change the Security Fabric configuration.

Adding a flow rule to support DHCP relay

The FortiGate-6000 and FortiGate-7000 default flow rules may not handle DHCP relay traffic correctly.

The default configuration includes the following flow rules for DHCP traffic:

config load-balance flow-rule
    edit 7
        set status enable
        set vlan 0
        set ether-type ipv4
        set src-addr-ipv4 0.0.0.0 0.0.0.0
        set dst-addr-ipv4 0.0.0.0 0.0.0.0
        set protocol udp
        set src-l4port 67-67
        set dst-l4port 68-68
        set action forward
        set forward-slot master
        set priority 5
        set comment "dhcpv4 server to client"
    next
    edit 8
        set status enable
        set vlan 0
        set ether-type ipv4
        set src-addr-ipv4 0.0.0.0 0.0.0.0
        set dst-addr-ipv4 0.0.0.0 0.0.0.0
        set protocol udp
        set src-l4port 68-68
        set dst-l4port 67-67
        set action forward
        set forward-slot master
        set priority 5
        set comment "dhcpv4 client to server"
    next
end

These flow rules handle traffic when the DHCP client sends requests to a DHCP server using port 68 and the DHCP server responds using port 67. However, if DHCP relay is involved, requests from the DHCP relay to the DHCP server and replies from the DHCP server to the DHCP relay both use port 67 as the source and destination port, so neither default rule matches them. If this DHCP relay traffic passes through the FortiGate-6000 or 7000, you must add a flow rule similar to the following to support port 67 DHCP traffic in both directions. The rule is created with edit 0 so that it gets the next unused rule ID; do not reuse ID 8, which is the existing client-to-server rule and would be overwritten:

config load-balance flow-rule
    edit 0
        set status enable
        set vlan 0
        set ether-type ipv4
        set src-addr-ipv4 0.0.0.0 0.0.0.0
        set dst-addr-ipv4 0.0.0.0 0.0.0.0
        set protocol udp
        set src-l4port 67-67
        set dst-l4port 67-67
        set action forward
        set forward-slot master
        set priority 5
        set comment "dhcpv4 relay"
    next
end

Limitations of installing FortiGate-6000 firmware from the BIOS after a reboot

Installing or upgrading FortiGate-6000 firmware from the BIOS installs firmware on and resets the configuration of the management board only. The FPCs will continue to operate with their current configuration and firmware build. The FortiGate-6000 system does not synchronize firmware upgrades performed from the BIOS.

See Installing FortiGate-6000 firmware from the BIOS after a reboot for detailed procedures for upgrading FortiGate-6000 firmware from the BIOS.

Limitations of installing FortiGate-7000 firmware from the BIOS after a reboot

Installing or upgrading FortiGate-7000 firmware from the BIOS installs firmware on and resets the configuration of the primary FIM only. The other FIM and the FPMs will continue to operate with their current configuration and firmware build. The FortiGate-7000 system does not synchronize firmware upgrades performed from the BIOS.

See Installing firmware on individual FIMs and FPMs for detailed procedures for upgrading FortiGate-7000 firmware from the BIOS.

Installing firmware on an individual FortiGate-6000 FPC

You may want to install firmware on an individual FPC to resolve a software-related problem with the FPC or if the FPC is not running the same firmware version as the management board. The following procedure describes how to transfer a new firmware image file to the FortiGate-6000 internal TFTP server and then install the firmware on an FPC.

  1. Copy the firmware image file to a TFTP server, FTP server, or USB key.

  2. To upload the firmware image file onto the FortiGate-6000 internal TFTP server, from the management board CLI, enter one of the following commands.

    • To upload the firmware image file from an FTP server:

      execute upload image ftp <image-file-and-path> <comment> <ftp-server-address> <username> <password>

    • To upload the firmware image file from a TFTP server:

      execute upload image tftp <image-file> <comment> <tftp-server-address>

    • To upload the firmware image file from a USB key:

      execute upload image usb <image-file-and-path> <comment>

  3. Enter the following command to install the firmware image file on to an FPC:

    execute load-balance update image <slot-number>

    where <slot-number> is the FPC slot number.

    This command uploads the firmware image to the FPC and the FPC restarts. When the FPC starts up, the configuration is reset to factory default settings and then synchronized by the management board. The FPC restarts again, rejoins the cluster, and is ready to process traffic.

  4. To verify that the configuration of the FPC has been synchronized, enter the diagnose sys confsync status | grep in_sy command. The command output below shows an example of the synchronization status of some of the FPCs in an HA cluster of two FortiGate-6301F devices. The field in_sync=1 indicates that the configuration of the FPC is synchronized.

    FPC6KFT018901327, Slave, uptime=615368.33, priority=19, slot_id=1:1, idx=1, flag=0x4, in_sync=1
    F6KF31T018900143, Master, uptime=615425.84, priority=1, slot_id=1:0, idx=0, flag=0x10, in_sync=1 
    FPC6KFT018901372, Slave, uptime=615319.63, priority=20, slot_id=1:2, idx=1, flag=0x4, in_sync=1
    F6KF31T018900143, Master, uptime=615425.84, priority=1, slot_id=1:0, idx=0, flag=0x10, in_sync=1
    FPC6KFT018901346, Slave, uptime=423.91, priority=21, slot_id=1:3, idx=1, flag=0x4, in_sync=1

    FPCs that are missing or that show in_sync=0 are not synchronized. To synchronize an FPC that is not synchronized, log into the CLI of the FPC and restart it using the execute reboot command. If this does not solve the problem, contact Fortinet Support at https://support.fortinet.com.

    The example output also shows that the uptime of the FPC in slot 3 is lower than the uptime of the other FPCs, indicating that the FPC in slot 3 has recently restarted.

    If you enter the diagnose sys confsync status | grep in_sy command before an FPC has completely restarted, it will not appear in the output. Also, the Security Fabric dashboard widget will temporarily show that it is not synchronized.

Installing firmware on an individual FortiGate-7000 FPM

Use the following procedure to upgrade the firmware running on an individual FPM. To perform the upgrade, you must enter a command from the primary FIM CLI to allow ELBC communication with the FPM. Then you can log in to the FPM GUI or CLI and perform the firmware upgrade.

During this procedure, the FPM will not be able to process traffic. However, the other FPMs and the FIMs should continue to operate normally.

After verifying that the FPM is running the right firmware, you must log back into the primary FIM CLI and return the FPM to normal operation.

  1. Log in to the primary FIM CLI and enter the following command:

    diagnose load-balance switch set-compatible <slot> enable elbc

    Where <slot> is the number of the FortiGate-7000 slot containing the FPM to be upgraded.

  2. Log in to the FPM GUI or CLI using its special port number (for example, for the FPM in slot 3, browse to https://192.168.1.99:44303 to connect to the GUI) and perform a normal firmware upgrade of the FPM.

  3. After the FPM restarts, verify that the new firmware has been installed.

    You can do this from the FPM GUI dashboard or from the FPM CLI using the get system status command.

  4. Verify that the configuration has been synchronized. The following command output shows the sync status of a FortiGate-7040E. The field in_sync=1 indicates that the configurations of the FIMs and FPMs are synchronized.

    diagnose sys confsync status | grep in_sy
    FIM10E3E16000040, Slave, uptime=69346.99, priority=2, slot_id=1:2, idx=1, flag=0x0, in_sync=1
    FIM04E3E16000010, Master, uptime=69398.91, priority=1, slot_id=1:1, idx=0, flag=0x0, in_sync=1
    FPM20E3E17900217, Slave, uptime=387.74, priority=20, slot_id=1:4, idx=2, flag=0x64, in_sync=1
    FPM20E3E17900217, Slave, uptime=387.74, priority=20, slot_id=1:4, idx=2, flag=0x4, in_sync=1
    FIM04E3E16000010, Master, uptime=69398.91, priority=1, slot_id=1:1, idx=0, flag=0x0, in_sync=1
    FIM10E3E16000040, Slave, uptime=69346.99, priority=2, slot_id=1:2, idx=1, flag=0x0, in_sync=1
    FIM04E3E16000010, Master, uptime=69398.91, priority=1, slot_id=1:1, idx=0, flag=0x0, in_sync=1
    FIM10E3E16000040, Slave, uptime=69346.99, priority=2, slot_id=1:2, idx=1, flag=0x0, in_sync=1
    FPM20E3E17900217, Slave, uptime=387.74, priority=20, slot_id=1:4, idx=2, flag=0x64, in_sync=1

    FIMs and FPMs that are missing or that show in_sync=0 are not synchronized. To synchronize an FIM or FPM that is not synchronized, log into the CLI of the FIM or FPM and restart it using the execute reboot command. If this does not solve the problem, contact Fortinet Support at https://support.fortinet.com.

    The command output also shows that the uptime of the FPM in slot 4 is lower than the uptime of the other modules, indicating that the FPM in slot 4 has recently restarted.

    If you enter the diagnose sys confsync status | grep in_sy command before the FPM has completely restarted, it will not appear in the command output. Also, the Security Fabric dashboard widget will temporarily show that it is not synchronized.

  5. Once the FPM is operating normally, log back in to the primary FIM CLI and enter the following command to reset the FPM to normal operation:

    diagnose load-balance switch set-compatible <slot> disable

    Configuration synchronization errors will occur if you do not reset the FPM to normal operation.
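The following Python script is an added example (not Fortinet code) for the confsync verification step in both the FortiGate-6000 FPC and FortiGate-7000 FPM procedures above: it parses the diagnose sys confsync status | grep in_sy output and reports modules that show in_sync=0, expected slots that are missing from the output, and modules whose low uptime indicates a recent restart. The sample output is copied from the FortiGate-6000 procedure above; the expected slot list and the 600-second "recently restarted" threshold are assumptions of the example.

```python
import re
from dataclasses import dataclass

# Sample output, copied from the FortiGate-6000 procedure above
# (diagnose sys confsync status | grep in_sy on a two-chassis HA cluster).
SAMPLE_6000 = """\
FPC6KFT018901327, Slave, uptime=615368.33, priority=19, slot_id=1:1, idx=1, flag=0x4, in_sync=1
F6KF31T018900143, Master, uptime=615425.84, priority=1, slot_id=1:0, idx=0, flag=0x10, in_sync=1
FPC6KFT018901372, Slave, uptime=615319.63, priority=20, slot_id=1:2, idx=1, flag=0x4, in_sync=1
F6KF31T018900143, Master, uptime=615425.84, priority=1, slot_id=1:0, idx=0, flag=0x10, in_sync=1
FPC6KFT018901346, Slave, uptime=423.91, priority=21, slot_id=1:3, idx=1, flag=0x4, in_sync=1
"""

# One line per module report; the same module is reported once per peer
# that sees it, which is why serials repeat in the real output.
LINE_RE = re.compile(
    r"(?P<serial>[^,]+), (?P<role>Master|Slave), uptime=(?P<uptime>[\d.]+), "
    r"priority=\d+, slot_id=(?P<chassis>\d+):(?P<slot>\d+), idx=\d+, "
    r"flag=0x[0-9a-fA-F]+, in_sync=(?P<in_sync>[01])"
)


@dataclass
class Module:
    serial: str
    role: str
    uptime: float
    slot: int
    in_sync: bool


def parse_confsync(text):
    """Return {serial: Module}. A module counts as synchronized only if
    every report of it shows in_sync=1."""
    modules = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip anything that is not a module report
        synced = m["in_sync"] == "1"
        prev = modules.get(m["serial"])
        modules[m["serial"]] = Module(
            serial=m["serial"],
            role=m["role"],
            uptime=float(m["uptime"]),
            slot=int(m["slot"]),
            in_sync=synced if prev is None else (prev.in_sync and synced),
        )
    return modules


def check_sync(text, expected_slots, recent_threshold=600.0):
    """Return (unsynced serials, missing slots, recently restarted serials).

    expected_slots lists the slot numbers that should appear (slot 0 is the
    management board on the FortiGate-6000); a slot absent from the output
    has usually not finished restarting. recent_threshold (seconds of uptime)
    is an assumed cut-off for "recently restarted", not a FortiOS value.
    """
    modules = parse_confsync(text)
    unsynced = sorted(s for s, mod in modules.items() if not mod.in_sync)
    seen = {mod.slot for mod in modules.values()}
    missing = sorted(set(expected_slots) - seen)
    recent = sorted(mod.serial for mod in modules.values()
                    if mod.uptime < recent_threshold)
    return unsynced, missing, recent


if __name__ == "__main__":
    print(check_sync(SAMPLE_6000, expected_slots=[0, 1, 2, 3, 4]))
```

The FortiGate-7000 output in step 4 above has the same line format, so the same script applies there with the FIM and FPM slot numbers as expected_slots.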

SD-WAN is not supported

FortiGate-6000 and FortiGate-7000 version 5.6.11 do not support SD-WAN because of the following known issues:

  • 524863, volume-based SD-WAN load balancing is not supported.
  • 510522, when a link in an SD-WAN goes down and comes up, duplicate default routes are created on the management board.
  • 510818, traffic from internal hosts is forwarded to destination servers even if SD-WAN health-checking determines that the server is down.
  • 510389, SD-WAN usage is not updated on the management board GUI.
  • 494019, SD-WAN monitor statistics are not updated on the management board GUI.
  • 511091, SD-WAN load balancing rules based on packet loss, jitter, or latency do not work correctly.

IPsec VPN features that are not supported

FortiOS 5.6 for FortiGate-6000 and FortiGate-7000 does not support the following IPsec VPN features:

  • Policy-based IPsec VPN is not supported. Only tunnel or interface mode IPsec VPN is supported.
  • Policy routes cannot be used for communication over IPsec VPN tunnels.
  • Remote networks with 0- to 15-bit netmasks are not supported. Remote networks with 16- to 32-bit netmasks are supported.
  • IPv6 clear-text traffic (IPv6 over IPv4 or IPv6 over IPv6) is not supported.
  • Load-balancing IPsec VPN tunnels to multiple FPCs or FPMs is not supported.
  • IPsec SA synchronization between HA peers is not supported. After an HA failover, IPsec VPN tunnels have to be re-initialized.

Quarantine to disk not supported

The FortiGate-6000 platform, including the FortiGate-6301F and the FortiGate-6501F, and the FortiGate-7000 platform do not support quarantining files to the internal hard disks. Instead, you must set the quarantine function to quarantine files to FortiAnalyzer.

Local out traffic is not sent to IPsec VPN interfaces

On most FortiGate platforms, an administrator can test an IPsec tunnel by opening the FortiGate CLI and pinging a remote host on the network at the other end of the IPsec VPN tunnel. This is not currently supported by the FortiGate-6000 and FortiGate-7000 platforms.

Special configuration required for SSL VPN

Using a FortiGate-6000 or a FortiGate-7000 as an SSL VPN server requires you to manually add an SSL VPN load-balance flow rule that sends all SSL VPN sessions to the primary (master) FPC (FortiGate-6000) or the primary (master) FPM (FortiGate-7000). To match the SSL VPN server traffic, the rule must include a destination port equal to the listening port of the SSL VPN server. Use a rule ID that is not already taken by one of the default flow rules. A basic rule to allow SSL VPN traffic could be:

config load-balance flow-rule
    edit 0
        set status enable
        set ether-type ipv4
        set protocol tcp
        set dst-l4port 443-443
        set forward-slot master
        set comment "ssl vpn server to primary worker"
    next
end

This flow rule matches all sessions sent to port 443 (the default SSL VPN server listening port) and sends these sessions to the primary FPC. This should match all of your SSL VPN traffic if you are using the default SSL VPN server listening port (443). Note that this flow rule also matches all other sessions that use 443 as the destination port, so all of that traffic is also sent to the primary FPC.

If you change the SSL VPN server listening port

If you have changed the SSL VPN server listening port to 10443, you can change the SSL VPN flow rule as follows. This example also sets the source interface to port12, which is the SSL VPN server interface, instead of adding the IP address of port12 to the configuration:

config load-balance flow-rule
    edit 26
        set status enable
        set ether-type ipv4
        set protocol tcp
        set src-interface port12
        set dst-l4port 10443-10443
        set forward-slot master
        set comment "ssl vpn server to primary worker"
    next
end

Adding the SSL VPN server IP address

You can add the IP address of the FortiGate-6000 interface that receives SSL VPN traffic to the SSL VPN flow rule to make sure that the flow rule only matches traffic from SSL VPN clients connecting to the SSL VPN server. For example, if the IP address of the interface is 172.25.176.32 and the SSL VPN flow rule ID is 26:

config load-balance flow-rule
    edit 26
        set status enable
        set ether-type ipv4
        set protocol tcp
        set dst-addr-ipv4 172.25.176.32 255.255.255.255
        set dst-l4port 10443-10443
        set forward-slot master
        set comment "ssl vpn server to primary worker"
    next
end

This flow rule will now only match SSL VPN sessions with 172.25.176.32 as the destination address and send all of these sessions to the primary FPC or FPM.
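To check which flow rules a given session would match, the following Python example (added here, not Fortinet code) parses config load-balance flow-rule text in the format shown on this page and reports every enabled rule whose configured fields match a packet; it serves both the DHCP relay section above and the SSL VPN rules in this section. It is a simplified IPv4-only model that assumes ether-type ip matches IPv4 traffic, that 0-0 means any port, and that edit 0 allocates the next unused ID as the FortiOS CLI does; it does not model priority or the device's evaluation order, and the embedded config and packets are constructed from the rules and addresses shown above.

```python
import ipaddress
import re

# Constructed from the rules shown above: default DHCPv4 rules 7 and 8 and
# the SSL VPN rule 26 that carries the server IP address (status defaults
# to enable in this model, so those lines are omitted here).
SAMPLE_CONFIG = """\
config load-balance flow-rule
    edit 7
        set ether-type ipv4
        set protocol udp
        set src-l4port 67-67
        set dst-l4port 68-68
        set forward-slot master
        set comment "dhcpv4 server to client"
    next
    edit 8
        set ether-type ipv4
        set protocol udp
        set src-l4port 68-68
        set dst-l4port 67-67
        set forward-slot master
        set comment "dhcpv4 client to server"
    next
    edit 26
        set ether-type ipv4
        set protocol tcp
        set dst-addr-ipv4 172.25.176.32 255.255.255.255
        set dst-l4port 10443-10443
        set forward-slot master
        set comment "ssl vpn server to primary worker"
    next
end
"""

# The DHCP relay rule from the section above; edit 0 takes the next unused ID.
RELAY_RULE = """\
config load-balance flow-rule
    edit 0
        set ether-type ipv4
        set protocol udp
        set src-l4port 67-67
        set dst-l4port 67-67
        set forward-slot master
        set comment "dhcpv4 relay"
    next
end
"""

ANY_V4 = "0.0.0.0 0.0.0.0"

def parse_flow_rules(text, rules=None):
    """Parse flow-rule CLI text into {id: {setting: value}}, merging into
    `rules` if given. Re-editing an existing ID updates that rule in place,
    which is how reusing ID 8 would silently replace the default rule."""
    rules = {} if rules is None else rules
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = re.fullmatch(r"edit (\d+)", line)
        if m:  # edit 0 allocates the next unused ID, like the FortiOS CLI
            rid = int(m.group(1)) or max(rules, default=0) + 1
            current = rules.setdefault(rid, {})
        elif line.startswith("set ") and current is not None:
            key, _, value = line[4:].partition(" ")
            current[key] = value.strip().strip('"')
        elif line in ("next", "end"):
            current = None
    return rules

def _port_ok(spec, port):
    lo, hi = (int(p) for p in spec.split("-"))
    return (lo, hi) == (0, 0) or lo <= port <= hi  # 0-0 means any port

def _addr_ok(spec, addr):
    ip, mask = spec.split()  # FortiOS "address netmask" form
    return ipaddress.ip_address(addr) in ipaddress.ip_network(f"{ip}/{mask}", strict=False)

def packet(proto, src, dst, sport, dport, iface=None):
    return {"ether": "ipv4", "proto": proto, "src": src, "dst": dst,
            "sport": sport, "dport": dport, "iface": iface}

def matching_rules(rules, pkt):
    """IDs of enabled rules whose every configured field matches pkt;
    unset fields match anything, as in the default configuration."""
    hits = []
    for rid, r in sorted(rules.items()):
        if all((
            r.get("status", "enable") == "enable",
            r.get("ether-type", "ip") in ("ip", pkt["ether"]),
            r.get("protocol", "any") in ("any", pkt["proto"]),
            r.get("src-interface", pkt["iface"]) == pkt["iface"],
            _addr_ok(r.get("src-addr-ipv4", ANY_V4), pkt["src"]),
            _addr_ok(r.get("dst-addr-ipv4", ANY_V4), pkt["dst"]),
            _port_ok(r.get("src-l4port", "0-0"), pkt["sport"]),
            _port_ok(r.get("dst-l4port", "0-0"), pkt["dport"]),
        )):
            hits.append(rid)
    return hits
```

With the default rules alone, a port 67 to port 67 relay packet matches nothing; after parsing RELAY_RULE into the same rule set it matches the new rule 27, while parsing the same text with edit 8 instead overwrites the client-to-server rule so that port 68 to port 67 traffic no longer matches anything.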

Management traffic limitations

FortiGate-6000 and FortiGate-7000 platforms support management traffic over out-of-band (OOB) management interfaces only:

  • On the FortiGate-6000, the MGMT 1 to 3 interfaces.
  • On the FortiGate-7000, the mgmt static LAG interface on the FIMs. The mgmt LAG includes the MGMT 1 to 4 interfaces, and this LAG configuration should not be changed.

Using data interfaces for management traffic is currently not supported. The following command is available to allow management traffic over data interfaces in a VDOM, but this command is currently not recommended as the feature is still under development.

config vdom
    edit <vdom-name>
        config system settings
            set motherboard-traffic-forwarding admin
        end

Example FortiGate-6000 HA heartbeat switch configuration

The switch that you use for connecting HA heartbeat interfaces does not have to support IEEE 802.1ad (also known as Q-in-Q, double-tagging), but the switch should be able to forward the double-tagged frames. Fortinet recommends avoiding switches that strip out the inner tag. FortiSwitch D and E series can correctly forward double-tagged frames.

This configuration is not required for FortiGate-6000 HA configurations if you have set up direct connections between the HA heartbeat interfaces.

This example shows how to configure a FortiGate-6000 to use different VLAN IDs for the HA1 and HA2 HA heartbeat interfaces and then how to configure two ports on a Cisco switch to allow HA heartbeat packets.

This example sets the native VLAN ID for both switch ports to 777. You can use any VLAN ID as the native VLAN ID as long as the native VLAN ID is not the same as the allowed VLAN ID.

  1. On both FortiGate-6000s in the HA configuration, enter the following command to use different VLAN IDs for the HA1 and HA2 interfaces. The command sets the HA1 VLAN ID to 4091 and the HA2 VLAN ID to 4092:

    config system ha
        set hbdev "ha1" 50 "ha2" 100
        set hbdev-vlan-id 4091
        set hbdev-second-vlan-id 4092
    end

  2. Use the get system ha status command to confirm the VLAN IDs.

    get system ha status
    ...
    HBDEV stats:
     F6KF51T018900026(updated 4 seconds ago):
      ha1: physical/10000full, up, rx-bytes/packets/dropped/errors=54995955/230020/0/0, tx=63988049/225267/0/0, vlan-id=4091
      ha2: physical/10000full, up, rx-bytes/packets/dropped/errors=54995955/230020/0/0, tx=63988021/225267/0/0, vlan-id=4092
     F6KF51T018900022(updated 3 seconds ago):
      ha1: physical/10000full, up, rx-bytes/packets/dropped/errors=61237440/230023/0/0, tx=57746989/225271/0/0, vlan-id=4091
      ha2: physical/10000full, up, rx-bytes/packets/dropped/errors=61238907/230023/0/0, tx=57746989/225271/0/0, vlan-id=4092
    ...
  3. Configure the Cisco switch port that connects the HA1 interfaces to allow packets with a VLAN ID of 4091:

    interface <name>
        switchport mode trunk
        switchport trunk native vlan 777
        switchport trunk allowed vlan 4091

  4. Configure the Cisco switch port that connects the HA2 interfaces to allow packets with a VLAN ID of 4092:

    interface <name>
        switchport mode trunk
        switchport trunk native vlan 777
        switchport trunk allowed vlan 4092

Example FortiGate-7000 HA heartbeat switch configuration

The switch that you use for connecting HA heartbeat interfaces does not have to support IEEE 802.1ad (also known as Q-in-Q, double-tagging), but the switch should be able to forward the double-tagged frames. Fortinet recommends avoiding switches that strip out the inner tag. FortiSwitch D and E series can correctly forward double-tagged frames.

This configuration is not required for FortiGate-7030E HA configurations if you have set up direct connections between the HA heartbeat interfaces.

This example shows how to configure a FortiGate-7000 to use different VLAN IDs for the M1 and M2 HA heartbeat interfaces and then how to configure two ports on a Cisco switch to allow HA heartbeat packets.

This example sets the native VLAN ID for both switch ports to 777. You can use any VLAN ID as the native VLAN ID as long as the native VLAN ID is not the same as the allowed VLAN ID.

  1. On both FortiGate-7000s in the HA configuration, enter the following command to use different VLAN IDs for the M1 and M2 interfaces. The command sets the M1 VLAN ID to 4086 and the M2 VLAN ID to 4087:

    config system ha
        set hbdev "1-M1" 50 "2-M1" 50 "1-M2" 50 "2-M2" 50
        set hbdev-vlan-id 4086
        set hbdev-second-vlan-id 4087
    end

  2. Use the get system ha status command to confirm the VLAN IDs.

    get system ha status
    ...
    HBDEV stats:
     FG74E83E16000015(updated 1 seconds ago):
       1-M1: physical/10000full, up, rx-bytes/packets/dropped/errors=579602089/2290683/0/0, tx=215982465/761929/0/0, vlan-id=4086
       2-M1: physical/10000full, up, rx-bytes/packets/dropped/errors=577890866/2285570/0/0, tx=215966839/761871/0/0, vlan-id=4086
       1-M2: physical/10000full, up, rx-bytes/packets/dropped/errors=579601846/2290682/0/0, tx=215982465/761929/0/0, vlan-id=4087
       2-M2: physical/10000full, up, rx-bytes/packets/dropped/errors=577890651/2285569/0/0, tx=215966811/761871/0/0, vlan-id=4087
     FG74E83E16000016(updated 1 seconds ago):
       1-M1: physical/10000full, up, rx-bytes/packets/dropped/errors=598602425/2290687/0/0, tx=196974887/761899/0/0, vlan-id=4086
       2-M1: physical/10000full, up, rx-bytes/packets/dropped/errors=596895956/2285588/0/0, tx=196965052/761864/0/0, vlan-id=4086
       1-M2: physical/10000full, up, rx-bytes/packets/dropped/errors=598602154/2290686/0/0, tx=196974915/761899/0/0, vlan-id=4087
       2-M2: physical/10000full, up, rx-bytes/packets/dropped/errors=596895685/2285587/0/0, tx=196965080/761864/0/0, vlan-id=4087
    ...
  3. Configure the Cisco switch port that connects the M1 interfaces to allow packets with a VLAN ID of 4086:

    interface <name>
        switchport mode trunk
        switchport trunk native vlan 777
        switchport trunk allowed vlan 4086

  4. Configure the Cisco switch port that connects the M2 interfaces to allow packets with a VLAN ID of 4087:

    interface <name>
        switchport mode trunk
        switchport trunk native vlan 777
        switchport trunk allowed vlan 4087

Default FortiGate-6000 and FortiGate-7000 configuration for traffic that cannot be load balanced

The default config load-balance flow-rule command contains the recommended default flow rules that control how the FortiGate-6000 or 7000 handles traffic types that cannot be load balanced. Most of the flow rules in the default configuration are enabled and send common traffic types that cannot be load balanced to the primary FPC or FPM. FortiGate-6000 and 7000 for FortiOS 6.0.6 have the same default flow rules.

All of the default flow rules identify the traffic type using the options available in the command and direct matching traffic to the primary (or master) FPC or FPM (action set to forward and forward-slot set to master). The default flow rules also include a comment that identifies the traffic type.

The default configuration also includes disabled flow rules for Kerberos and PPTP traffic. Normally, you would only need to enable these flow rules if you know that your FortiGate will be handling these types of traffic.

The CLI syntax below was created with the show full-configuration command.

config load-balance flow-rule
    edit 1
        set status disable
        set vlan 0
        set ether-type ip
        set protocol udp
        set src-l4port 88-88
        set dst-l4port 0-0
        set action forward
        set forward-slot master
        set priority 5
        set comment "kerberos src"
    next
    edit 2
        set status disable
        set vlan 0
        set ether-type ip
        set protocol udp
        set src-l4port 0-0
        set dst-l4port 88-88
        set action forward
        set forward-slot master
        set priority 5
        set comment "kerberos dst"
    next
    edit 3
        set status enable
        set vlan 0
        set ether-type ip
        set protocol tcp
        set src-l4port 179-179
        set dst-l4port 0-0
        set tcp-flag any
        set action forward
        set forward-slot master
        set priority 5
        set comment "bgp src"
    next
    edit 4
        set status enable
        set vlan 0
        set ether-type ip
        set protocol tcp
        set src-l4port 0-0
        set dst-l4port 179-179
        set tcp-flag any
        set action forward
        set forward-slot master
        set priority 5
        set comment "bgp dst"
    next
    edit 5
        set status enable
        set vlan 0
        set ether-type ip
        set protocol udp
        set src-l4port 520-520
        set dst-l4port 520-520
        set action forward
        set forward-slot master
        set priority 5
        set comment "rip"
    next
    edit 6
        set status enable
        set vlan 0
        set ether-type ipv6
        set src-addr-ipv6 ::/0
        set dst-addr-ipv6 ::/0
        set protocol udp
        set src-l4port 521-521
        set dst-l4port 521-521
        set action forward
        set forward-slot master
        set priority 5
        set comment "ripng"
    next
    edit 7
        set status enable
        set vlan 0
        set ether-type ipv4
        set src-addr-ipv4 0.0.0.0 0.0.0.0
        set dst-addr-ipv4 0.0.0.0 0.0.0.0
        set protocol udp
        set src-l4port 67-67
        set dst-l4port 68-68
        set action forward
        set forward-slot master
        set priority 5
        set comment "dhcpv4 server to client"
    next
    edit 8
        set status enable
        set vlan 0
        set ether-type ipv4
        set src-addr-ipv4 0.0.0.0 0.0.0.0
        set dst-addr-ipv4 0.0.0.0 0.0.0.0
        set protocol udp
        set src-l4port 68-68
        set dst-l4port 67-67
        set action forward
        set forward-slot master
        set priority 5
        set comment "dhcpv4 client to server"
    next
    edit 9
        set status disable
        set vlan 0
        set ether-type ip
        set protocol tcp
        set src-l4port 1723-1723
        set dst-l4port 0-0
        set tcp-flag any
        set action forward
        set forward-slot master
        set priority 5
        set comment "pptp src"
    next
    edit 10
        set status disable
        set vlan 0
        set ether-type ip
        set protocol tcp
        set src-l4port 0-0
        set dst-l4port 1723-1723
        set tcp-flag any
        set action forward
        set forward-slot master
        set priority 5
        set comment "pptp dst"
    next
    edit 11
        set status enable
        set vlan 0
        set ether-type ip
        set protocol udp
        set src-l4port 0-0
        set dst-l4port 3784-3784
        set action forward
        set forward-slot master
        set priority 5
        set comment "bfd control"
    next
    edit 12
        set status enable
        set vlan 0
        set ether-type ip
        set protocol udp
        set src-l4port 0-0
        set dst-l4port 3785-3785
        set action forward
        set forward-slot master
        set priority 5
        set comment "bfd echo"
    next
    edit 13
        set status enable
        set vlan 0
        set ether-type ipv6
        set src-addr-ipv6 ::/0
        set dst-addr-ipv6 ::/0
        set protocol udp
        set src-l4port 547-547
        set dst-l4port 546-546
        set action forward
        set forward-slot master
        set priority 5
        set comment "dhcpv6 server to client"
    next
    edit 14
        set status enable
        set vlan 0
        set ether-type ipv6
        set src-addr-ipv6 ::/0
        set dst-addr-ipv6 ::/0
        set protocol udp
        set src-l4port 546-546
        set dst-l4port 547-547
        set action forward
        set forward-slot master
        set priority 5
        set comment "dhcpv6 client to server"
    next
    edit 15
        set status enable
        set vlan 0
        set ether-type ipv4
        set src-addr-ipv4 0.0.0.0 0.0.0.0
        set dst-addr-ipv4 224.0.0.0 240.0.0.0
        set protocol any
        set action forward
        set forward-slot master
        set priority 5
        set comment "ipv4 multicast"
    next
    edit 16
        set status enable
        set vlan 0
        set ether-type ipv6
        set src-addr-ipv6 ::/0
        set dst-addr-ipv6 ff00::/8
        set protocol any
        set action forward
        set forward-slot master
        set priority 5
        set comment "ipv6 multicast"
    next
    edit 17
        set status disable
        set vlan 0
        set ether-type ipv4
        set src-addr-ipv4 0.0.0.0 0.0.0.0
        set dst-addr-ipv4 0.0.0.0 0.0.0.0
        set protocol udp
        set src-l4port 0-0
        set dst-l4port 2123-2123
        set action forward
        set forward-slot master
        set priority 5
        set comment "gtp-c to master blade"
    next
    edit 18
        set status enable
        set vlan 0
        set ether-type ipv6
        set src-addr-ipv6 ::/0
        set dst-addr-ipv6 ::/0
        set protocol udp
        set src-l4port 0-0
        set dst-l4port 500-500
        set action forward
        set forward-slot master
        set priority 5
        set comment "ipv6 ike"
    next
    edit 19
        set status enable
        set vlan 0
        set ether-type ipv6
        set src-addr-ipv6 ::/0
        set dst-addr-ipv6 ::/0
        set protocol udp
        set src-l4port 0-0
        set dst-l4port 4500-4500
        set action forward
        set forward-slot master
        set priority 5
        set comment "ipv6 ike-natt dst"
    next
    edit 20
        set status enable
        set vlan 0
        set ether-type ipv6
        set src-addr-ipv6 ::/0
        set dst-addr-ipv6 ::/0
        set protocol esp
        set action forward
        set forward-slot master
        set priority 5
        set comment "ipv6 esp"
    next
    edit 21
        set status disable
        set vlan 0
        set ether-type ipv4
        set src-addr-ipv4 0.0.0.0 0.0.0.0
        set dst-addr-ipv4 0.0.0.0 0.0.0.0
        set protocol udp
        set src-l4port 0-0
        set dst-l4port 500-500
        set action forward
        set forward-slot master
        set priority 5
        set comment "ipv4 ike"
    next
    edit 22
        set status disable
        set vlan 0
        set ether-type ipv4
        set src-addr-ipv4 0.0.0.0 0.0.0.0
        set dst-addr-ipv4 0.0.0.0 0.0.0.0
        set protocol udp
        set src-l4port 0-0
        set dst-l4port 4500-4500
        set action forward
        set forward-slot master
        set priority 5
        set comment "ipv4 ike-natt dst"
    next
    edit 23
        set status disable
        set vlan 0
        set ether-type ipv4
        set src-addr-ipv4 0.0.0.0 0.0.0.0
        set dst-addr-ipv4 0.0.0.0 0.0.0.0
        set protocol esp
        set action forward
        set forward-slot master
        set priority 5
        set comment "ipv4 esp"
    next
    edit 24
        set status enable
        set vlan 0
        set ether-type ip
        set protocol tcp
        set src-l4port 0-0
        set dst-l4port 1000-1000
        set tcp-flag any
        set action forward
        set forward-slot master
        set priority 5
        set comment "authd http to master blade"
    next
    edit 25
        set status enable
        set vlan 0
        set ether-type ip
        set protocol tcp
        set src-l4port 0-0
        set dst-l4port 1003-1003
        set tcp-flag any
        set action forward
        set forward-slot master
        set priority 5
        set comment "authd https to master blade"
    next
    edit 26
        set status enable
        set vlan 0
        set ether-type ip
        set protocol vrrp
        set action forward
        set forward-slot all
        set priority 6
        set comment "vrrp to all blades"
    next
end

Special notices

Special notices

This section highlights some of the operational changes and other important features that administrators should be aware of for FortiGate-6000 and FortiGate-7000 5.6.11 Build 4279.

Default security fabric configuration

The FortiGate-6000 uses the Security Fabric for communication and synchronization between the management board and FPCs. The FortiGate-7000 uses the Security Fabric for communication and synchronization among FIMs and FPMs. Changing the default security fabric configuration could disrupt this communication and affect system performance.

Default Security Fabric configuration:

config system csf

set status enable

set configuration-sync local

set management-ip 0.0.0.0

set management-port 0

end

For the FortiGate-6000 and FortiGate-7000 to operate normally, you must not change the Security Fabric configuration.

Adding a flow rule to support DHCP relay

The FortiGate-6000 and FortGate-7000 default flow rules may not handle DHCP relay traffic correctly.

The default configuration includes the following flow rules for DHCP traffic:

config load-balance flow-rule
    edit 7
        set status enable
        set vlan 0
        set ether-type ipv4
        set src-addr-ipv4 0.0.0.0 0.0.0.0
        set dst-addr-ipv4 0.0.0.0 0.0.0.0
        set protocol udp
        set src-l4port 67-67
        set dst-l4port 68-68
        set action forward
        set forward-slot master
        set priority 5
        set comment "dhcpv4 server to client"
    next
    edit 8
        set status enable
        set vlan 0
        set ether-type ipv4
        set src-addr-ipv4 0.0.0.0 0.0.0.0
        set dst-addr-ipv4 0.0.0.0 0.0.0.0
        set protocol udp
        set src-l4port 68-68
        set dst-l4port 67-67
        set action forward
        set forward-slot master
        set priority 5
        set comment "dhcpv4 client to server"
    next
end

These flow rules handle the normal exchange, in which a DHCP client sends requests from UDP port 68 to the DHCP server on port 67 and the server replies from port 67 to port 68. When a DHCP relay agent is in the path, requests from the relay to the server and replies from the server to the relay use port 67 as both the source and the destination port, so neither default rule matches them and the traffic is load balanced across FPCs or FPMs instead of being sent to the primary one. If this DHCP relay traffic passes through the FortiGate-6000 or FortiGate-7000, add a flow rule similar to the following to send port 67 to port 67 DHCP traffic in both directions to the primary FPC or FPM:

config load-balance flow-rule
    edit 0
        set status enable
        set vlan 0
        set ether-type ipv4
        set src-addr-ipv4 0.0.0.0 0.0.0.0
        set dst-addr-ipv4 0.0.0.0 0.0.0.0
        set protocol udp
        set src-l4port 67-67
        set dst-l4port 67-67
        set action forward
        set forward-slot master
        set priority 5
        set comment "dhcpv4 relay"
    next
end

Use a rule ID that is not already in use (entering edit 0 creates a new rule with the next free ID). Do not re-use ID 8: that ID belongs to the default dhcpv4 client to server rule, and editing it would replace that rule with the relay rule, so ordinary client requests from port 68 would no longer be sent to the primary FPC or FPM.

Limitations of installing FortiGate-6000 firmware from the BIOS after a reboot

Installing or upgrading FortiGate-6000 firmware from the BIOS installs firmware on and resets the configuration of the management board only. The FPCs will continue to operate with their current configuration and firmware build. The FortiGate-6000 system does not synchronize firmware upgrades performed from the BIOS.

See Installing FortiGate-6000 firmware from the BIOS after a reboot for detailed procedures for upgrading FortiGate-6000 firmware from the BIOS.

Limitations of installing FortiGate-7000 firmware from the BIOS after a reboot

Installing or upgrading FortiGate-7000 firmware from the BIOS installs firmware on and resets the configuration of the primary FIM only. The other FIM and the FPMs will continue to operate with their current configuration and firmware build. The FortiGate-7000 system does not synchronize firmware upgrades performed from the BIOS.

See Installing firmware on individual FIMs and FPMs for detailed procedures for upgrading FortiGate-7000 firmware from the BIOS.

Installing firmware on an individual FortiGate-6000 FPC

You may want to install firmware on an individual FPC to resolve a software-related problem with the FPC or if the FPC is not running the same firmware version as the management board. The following procedure describes how to transfer a new firmware image file to the FortiGate-6000 internal TFTP server and then install the firmware on an FPC.

  1. Copy the firmware image file to a TFTP server, FTP server, or USB key.

  2. To upload the firmware image file onto the FortiGate-6000 internal TFTP server, from the management board CLI, enter one of the following commands.

    • To upload the firmware image file from an FTP server:

      execute upload image ftp <image-file-and-path> <comment> <ftp-server-address> <username> <password>

    • To upload the firmware image file from a TFTP server:

      execute upload image tftp <image-file> <comment> <tftp-server-address>

    • To upload the firmware image file from a USB key:

      execute upload image usb <image-file-and-path> <comment>

  3. Enter the following command to install the firmware image file on to an FPC:

    execute load-balance update image <slot-number>

    where <slot-number> is the FPC slot number.

    This command uploads the firmware image to the FPC and the FPC restarts. When the FPC starts up, the configuration is reset to factory default settings and then synchronized by the management board. The FPC restarts again, rejoins the cluster, and is ready to process traffic.

  4. To verify that the configuration of the FPC has been synchronized, enter the diagnose sys confsync status | grep in_sy command. The command output below shows an example of the synchronization status of some of the FPCs in an HA cluster of two FortiGate-6301F devices. The field in_sync=1 indicates that the configuration of the FPC is synchronized.

    FPC6KFT018901327, Slave, uptime=615368.33, priority=19, slot_id=1:1, idx=1, flag=0x4, in_sync=1
    F6KF31T018900143, Master, uptime=615425.84, priority=1, slot_id=1:0, idx=0, flag=0x10, in_sync=1 
    FPC6KFT018901372, Slave, uptime=615319.63, priority=20, slot_id=1:2, idx=1, flag=0x4, in_sync=1
    F6KF31T018900143, Master, uptime=615425.84, priority=1, slot_id=1:0, idx=0, flag=0x10, in_sync=1
    FPC6KFT018901346, Slave, uptime=423.91, priority=21, slot_id=1:3, idx=1, flag=0x4, in_sync=1

    FPCs that are missing or that show in_sync=0 are not synchronized. To synchronize an FPC that is not synchronized, log into the CLI of the FPC and restart it using the execute reboot command. If this does not solve the problem, contact Fortinet Support at https://support.fortinet.com.

    The example output also shows that the uptime of the FPC in slot 3 is lower than the uptime of the other FPCs, indicating that the FPC in slot 3 has recently restarted.

    If you enter the diagnose sys confsync status | grep in_sy command before an FPC has completely restarted, it will not appear in the output. Also, the Security Fabric dashboard widget will temporarily show that it is not synchronized.

Installing firmware on an individual FortiGate-7000 FPM

Use the following procedure to upgrade the firmware running on an individual FPM. To perform the upgrade, you must first enter a command from the primary FIM CLI to allow ELBC communication with the FPM. Then you can log in to the FPM GUI or CLI and perform the firmware upgrade.

During this procedure, the FPM will not be able to process traffic. However, the other FPMs and the FIMs should continue to operate normally.

After verifying that the FPM is running the right firmware, you must log back into the primary FIM CLI and return the FPM to normal operation.

  1. Log in to the primary FIM CLI and enter the following command:

    diagnose load-balance switch set-compatible <slot> enable elbc

    Where <slot> is the number of the FortiGate-7000 slot containing the FPM to be upgraded.

  2. Log in to the FPM GUI or CLI using its special port number (for example, for the FPM in slot 3, browse to https://192.168.1.99:44303 to connect to the GUI) and perform a normal firmware upgrade of the FPM.

  3. After the FPM restarts, verify that the new firmware has been installed.

    You can do this from the FPM GUI dashboard or from the FPM CLI using the get system status command.

  4. Verify that the configuration has been synchronized. The following command output shows the sync status of a FortiGate-7040E. The field in_sync=1 indicates that the configurations of the FIMs and FPMs are synchronized.

    diagnose sys confsync status | grep in_sy
    FIM10E3E16000040, Slave, uptime=69346.99, priority=2, slot_id=1:2, idx=1, flag=0x0, in_sync=1
    FIM04E3E16000010, Master, uptime=69398.91, priority=1, slot_id=1:1, idx=0, flag=0x0, in_sync=1
    FPM20E3E17900217, Slave, uptime=387.74, priority=20, slot_id=1:4, idx=2, flag=0x64, in_sync=1
    FPM20E3E17900217, Slave, uptime=387.74, priority=20, slot_id=1:4, idx=2, flag=0x4, in_sync=1
    FIM04E3E16000010, Master, uptime=69398.91, priority=1, slot_id=1:1, idx=0, flag=0x0, in_sync=1
    FIM10E3E16000040, Slave, uptime=69346.99, priority=2, slot_id=1:2, idx=1, flag=0x0, in_sync=1
    FIM04E3E16000010, Master, uptime=69398.91, priority=1, slot_id=1:1, idx=0, flag=0x0, in_sync=1
    FIM10E3E16000040, Slave, uptime=69346.99, priority=2, slot_id=1:2, idx=1, flag=0x0, in_sync=1
    FPM20E3E17900217, Slave, uptime=387.74, priority=20, slot_id=1:4, idx=2, flag=0x64, in_sync=1

    FIMs and FPMs that are missing or that show in_sync=0 are not synchronized. To synchronize an FIM or FPM that is not synchronized, log into the CLI of the FIM or FPM and restart it using the execute reboot command. If this does not solve the problem, contact Fortinet Support at https://support.fortinet.com.

    The command output also shows that the uptime of the FPM in slot 4 is lower than the uptime of the other modules, indicating that the FPM in slot 4 has recently restarted.

    If you enter the diagnose sys confsync status | grep in_sy command before the FPM has completely restarted, it will not appear in the command output. As well, the Security Fabric dashboard widget will temporarily show that it is not synchronized.

  5. Once the FPM is operating normally, log back in to the primary FIM CLI and enter the following command to reset the FPM to normal operation:

    diagnose load-balance switch set-compatible <slot> disable

    Configuration synchronization errors will occur if you do not reset the FPM to normal operation.
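Step 4 of both procedures above relies on reading the diagnose sys confsync status output by eye. The following Python script is an added example, not Fortinet code or part of the original document, that performs the same checks mechanically: it parses the output format shown above, collapses the repeated lines, and reports slots that are missing, modules with in_sync=0, and modules whose uptime shows a recent restart. The expected slot list, the 600-second restart window and the constructed in_sync=0 line are this example's own assumptions; the healthy sample output is copied from the FortiGate-6000 procedure.

```python
"""Check `diagnose sys confsync status | grep in_sy` output after installing firmware on an FPC or FPM.
Added example, not Fortinet code. It parses the status lines in the form shown on this page, collapses
the repeated lines (the output lists each member's view of the cluster, so a module can appear more than
once), and reports the conditions the procedure says to look for: a slot missing from the output, a
module showing in_sync=0, and a module whose low uptime shows that it has just restarted."""
import re

LINE = re.compile(r"(?P<serial>\S+), (?P<role>\w+), uptime=(?P<uptime>[\d.]+), priority=\d+, "
                  r"slot_id=(?P<slot>\d+:\d+), idx=\d+, flag=0x[0-9a-fA-F]+, in_sync=(?P<sync>[01])")

def parse_confsync(text):
    """Return {slot_id: {serial, role, uptime, in_sync}}; in_sync is False if any copy of the line says 0."""
    modules = {}
    for m in LINE.finditer(text):
        entry = modules.setdefault(m["slot"], {"serial": m["serial"], "role": m["role"],
                                               "uptime": float(m["uptime"]), "in_sync": True})
        entry["in_sync"] = entry["in_sync"] and m["sync"] == "1"
        entry["uptime"] = min(entry["uptime"], float(m["uptime"]))
    return modules

def check_sync(text, expected_slots, restart_window=600.0):
    """Findings keyed by slot_id for the slots in expected_slots (e.g. "1:0".."1:3"); an empty dict means
    every expected module is present, synchronized and has been up for a while. restart_window (seconds)
    is an assumption: an uptime below it is reported as a recent restart, not as a fault."""
    modules = parse_confsync(text)
    findings = {}
    for slot in expected_slots:
        mod = modules.get(slot)
        if mod is None:
            findings[slot] = "missing from output (still restarting, or it failed to rejoin)"
        elif not mod["in_sync"]:
            findings[slot] = f"{mod['serial']}: in_sync=0, restart the module from its CLI"
        elif mod["uptime"] < restart_window:
            findings[slot] = f"{mod['serial']}: in sync, restarted {mod['uptime']:.0f}s ago"
    return findings

# Output copied from the FortiGate-6000 example on this page (the FPC in slot 3 has just restarted).
SAMPLE_6000 = """\
FPC6KFT018901327, Slave, uptime=615368.33, priority=19, slot_id=1:1, idx=1, flag=0x4, in_sync=1
F6KF31T018900143, Master, uptime=615425.84, priority=1, slot_id=1:0, idx=0, flag=0x10, in_sync=1
FPC6KFT018901372, Slave, uptime=615319.63, priority=20, slot_id=1:2, idx=1, flag=0x4, in_sync=1
F6KF31T018900143, Master, uptime=615425.84, priority=1, slot_id=1:0, idx=0, flag=0x10, in_sync=1
FPC6KFT018901346, Slave, uptime=423.91, priority=21, slot_id=1:3, idx=1, flag=0x4, in_sync=1
"""
# Constructed variant: the FPC in slot 2 reports in_sync=0.
SAMPLE_UNSYNCED = SAMPLE_6000.replace("slot_id=1:2, idx=1, flag=0x4, in_sync=1",
                                      "slot_id=1:2, idx=1, flag=0x4, in_sync=0")
EXPECTED_SLOTS = ["1:0", "1:1", "1:2", "1:3", "1:4"]   # constructed: slot 4 should be present but is not

if __name__ == "__main__":
    for slot, finding in sorted(check_sync(SAMPLE_UNSYNCED, EXPECTED_SLOTS).items()):
        print(slot, finding)
```

The same parser handles the FortiGate-7000 output shown in step 4 above; pass the FIM and FPM slot IDs of your chassis (for the FortiGate-7040E example, 1:1, 1:2 and 1:4) as expected_slots.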

SD-WAN is not supported

FortiOS 5.6.11 for FortiGate-6000 and FortiGate-7000 does not support SD-WAN because of the following known issues:

  • 524863, volume-based SD-WAN load balancing is not supported.
  • 510522, when a link in an SD-WAN goes down and comes up, duplicate default routes are created on the management board.
  • 510818, traffic from internal hosts is forwarded to destination servers even if SD-WAN health-checking determines that the server is down.
  • 510389, SD-WAN usage is not updated on the management board GUI.
  • 494019, SD-WAN monitor statistics are not updated on the management board GUI.
  • 511091, SD-WAN load balancing rules based on packet loss, jitter, or latency do not work correctly.

IPsec VPN features that are not supported

FortiOS 5.6 for FortiGate-6000 and FortiGate-7000 does not support the following IPsec VPN features:

  • Policy-based IPsec VPN is not supported. Only tunnel or interface mode IPsec VPN is supported.
  • Policy routes cannot be used for communication over IPsec VPN tunnels.
  • Remote networks with 0- to 15-bit netmasks are not supported. Remote networks with 16- to 32-bit netmasks are supported.
  • IPv6 clear-text traffic (IPv6 over IPv4 or IPv6 over IPv6) is not supported.
  • Load balancing IPsec VPN tunnels across multiple FPCs or FPMs is not supported.
  • IPsec SA synchronization between HA peers is not supported. After an HA failover, IPsec VPN tunnels have to be re-initialized.

Quarantine to disk not supported

The FortiGate-6000 platform (including the FortiGate-6301F and the FortiGate-6501F) and the FortiGate-7000 platform do not support quarantining files to the internal hard disks. Instead, configure the quarantine function to send quarantined files to FortiAnalyzer.

Local out traffic is not sent to IPsec VPN interfaces

On most FortiGate platforms, an administrator can test an IPsec tunnel by opening the FortiGate CLI and pinging a remote host on the network at the other end of the IPsec VPN tunnel. This is not currently supported by the FortiGate-6000 and FortiGate-7000 platforms.

Special configuration required for SSL VPN

Using a FortiGate-6000 or a FortiGate-7000 as an SSL VPN server requires you to manually add an SSL VPN load balance flow rule that sends all SSL VPN sessions to the primary (master) FPC (FortiGate-6000) or the primary (master) FPM (FortiGate-7000). To match the SSL VPN server traffic, the rule must include a destination port equal to the SSL VPN server listening port. A basic rule to send SSL VPN traffic to the primary FPC or FPM could be:

config load-balance flow-rule
    edit 0
        set status enable
        set ether-type ipv4
        set protocol tcp
        set dst-l4port 443-443
        set forward-slot master
        set comment "ssl vpn server to primary worker"
    next
end

This flow rule matches all sessions sent to TCP port 443 (the default SSL VPN server listening port) and sends them to the primary FPC or FPM, so it covers all of your SSL VPN traffic if you are using the default listening port. Note that the rule also matches every other session with destination port 443, so all HTTPS traffic passing through the device is sent to the primary FPC or FPM as well and is no longer load balanced. To limit the rule to SSL VPN sessions, restrict it by source interface or by the SSL VPN server IP address as described below.

If you change the SSL VPN server listening port

If you have changed the SSL VPN server listening port to 10443, you can change the SSL VPN flow rule as follows. This example also sets the source interface to port12, the interface on which the SSL VPN server listens, instead of adding the IP address of port12 to the rule. The example uses rule ID 26; before you use an ID, check that it is not already taken by an existing flow rule (in the default configuration listed at the end of this section, ID 26 is the vrrp to all blades rule, and editing it would replace that rule):

config load-balance flow-rule
    edit 26
        set status enable
        set ether-type ipv4
        set protocol tcp
        set src-interface port12
        set dst-l4port 10443-10443
        set forward-slot master
        set comment "ssl vpn server to primary worker"
end

Adding the SSL VPN server IP address

You can add the IP address of the FortiGate-6000 or FortiGate-7000 interface that receives SSL VPN traffic to the SSL VPN flow rule so that the rule only matches sessions from SSL VPN clients connecting to the SSL VPN server. For example, if the IP address of the interface is 172.25.176.32 and the SSL VPN flow rule ID is 26:

config load-balance flow-rule
    edit 26
        set status enable
        set ether-type ipv4
        set protocol tcp
        set dst-addr-ipv4 172.25.176.32 255.255.255.255
        set dst-l4port 10443-10443
        set forward-slot master
        set comment "ssl vpn server to primary worker"
end

This flow rule will now only match SSL VPN sessions with 172.25.176.32 as the destination address and send all of these sessions to the primary FPC or FPM.
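The DHCP relay rule earlier in this section and the SSL VPN rules above both depend on which flow rule, if any, matches a session, and the CLI offers no dry run for that. The following Python script is an added example, not Fortinet code or part of the original document, that parses flow rules written in the CLI syntax used on this page and reports whether a packet would be sent to the primary FPC or FPM or left to be load balanced. The parser, the packet format and the matching assumptions listed in its docstring (how ether-type ip, the 0-0 port range, rule priority and edit 0 behave) are this example's own, not documented behaviour of the platform; the sample rules and packets are constructed from the examples on this page.

```python
"""Matcher for the `config load-balance flow-rule` CLI syntax used on this page (added example,
not Fortinet code). It parses rules from CLI text and reports where a packet would go, so the DHCP
relay and SSL VPN rules can be checked before they are committed. Assumptions not stated on the page:
ether-type "ip" covers IPv4 and IPv6, port range 0-0 means any port, the enabled match with the
highest priority wins (lowest ID on ties), and `edit 0` receives the next unused ID."""
import ipaddress

ANY_PORT = (0, 0)
RULE_DEFAULTS = {"status": "enable", "ether-type": "ip", "protocol": "any", "src-l4port": ANY_PORT,
                 "dst-l4port": ANY_PORT, "src-addr": None, "dst-addr": None, "src-interface": None,
                 "forward-slot": "master", "priority": 5, "comment": ""}

def _ports(v):                       # "67-67" -> (67, 67)
    return tuple(int(x) for x in v.split("-"))

def _net(v):                         # "0.0.0.0 0.0.0.0", "1.2.3.4 255.255.255.255" or "ff00::/8"
    p = v.split()
    return ipaddress.ip_network(f"{p[0]}/{p[1]}" if len(p) == 2 else p[0], strict=False)

_CONVERT = {"src-l4port": _ports, "dst-l4port": _ports, "src-addr": _net, "dst-addr": _net,
            "priority": int, "comment": lambda v: v.strip('"')}

def parse_flow_rules(cli_text, rules=None):
    """Parse CLI text into {id: rule dict}. Pass an existing dict to apply further edits to it;
    as in the real CLI, `edit <existing id>` changes that rule instead of adding a new one."""
    rules = {} if rules is None else rules
    cur = None
    for raw in cli_text.splitlines():
        line = raw.strip()
        if line.startswith("edit "):
            rid = int(line.split()[1]) or max(rules, default=0) + 1
            cur = rules.setdefault(rid, dict(RULE_DEFAULTS, id=rid))
        elif line in ("next", "end"):
            cur = None
        elif line.startswith("set ") and cur is not None:
            _, key, value = line.split(" ", 2)
            key = key.replace("-ipv4", "").replace("-ipv6", "")  # src-addr-ipv4/-ipv6 -> src-addr
            cur[key] = _CONVERT.get(key, str)(value)
    return rules

def rule_matches(rule, pkt):
    """pkt: dict with proto, src, dst, sport, dport and optional intf (ingress interface name)."""
    src, dst = ipaddress.ip_address(pkt["src"]), ipaddress.ip_address(pkt["dst"])
    if rule["status"] != "enable" or rule["ether-type"] not in ("ip", f"ipv{src.version}"):
        return False
    if rule["protocol"] != "any" and rule["protocol"] != pkt["proto"]:
        return False
    if rule["src-interface"] is not None and rule["src-interface"] != pkt.get("intf"):
        return False
    for net, addr in ((rule["src-addr"], src), (rule["dst-addr"], dst)):
        if net is not None and addr not in net:  # an IPv4 address is never "in" an IPv6 network
            return False
    if rule["protocol"] in ("tcp", "udp"):
        for rng, port in ((rule["src-l4port"], pkt["sport"]), (rule["dst-l4port"], pkt["dport"])):
            if rng != ANY_PORT and not rng[0] <= port <= rng[1]:
                return False
    return True

def forward_slot(rules, pkt):
    """forward-slot of the winning rule, or "load-balanced" when no flow rule claims the packet."""
    hits = [r for r in rules.values() if rule_matches(r, pkt)]
    return min(hits, key=lambda r: (-r["priority"], r["id"]))["forward-slot"] if hits else "load-balanced"

# Constructed sample input: the default "dhcpv4 client to server" rule from this page, trimmed to the
# fields that matter, then the relay rule and the address-restricted SSL VPN rule on fresh IDs.
DEFAULT_DHCP_RULES = """config load-balance flow-rule
    edit 8
        set ether-type ipv4
        set protocol udp
        set src-l4port 68-68
        set dst-l4port 67-67
        set comment "dhcpv4 client to server"
    next
end"""
ADDED_RULES = """config load-balance flow-rule
    edit 0
        set ether-type ipv4
        set protocol udp
        set src-l4port 67-67
        set dst-l4port 67-67
        set comment "dhcpv4 relay"
    next
    edit 0
        set ether-type ipv4
        set protocol tcp
        set dst-addr-ipv4 172.25.176.32 255.255.255.255
        set dst-l4port 10443-10443
    next
end"""
# Constructed packets: relay->server DHCP, client->server DHCP, an SSL VPN client, other HTTPS.
RELAY_PKT = {"proto": "udp", "src": "10.1.1.1", "dst": "10.2.2.2", "sport": 67, "dport": 67}
CLIENT_PKT = {"proto": "udp", "src": "0.0.0.0", "dst": "255.255.255.255", "sport": 68, "dport": 67}
VPN_PKT = {"proto": "tcp", "src": "198.51.100.7", "dst": "172.25.176.32", "sport": 51000, "dport": 10443}
OTHER_PKT = dict(VPN_PKT, dst="172.25.176.33")

if __name__ == "__main__":
    rules = parse_flow_rules(DEFAULT_DHCP_RULES)
    print("relay 67->67 with defaults only:", forward_slot(rules, RELAY_PKT))     # load-balanced
    parse_flow_rules(ADDED_RULES, rules)
    print("relay 67->67 after adding the rule:", forward_slot(rules, RELAY_PKT))  # master
```

Because parse_flow_rules() edits an existing rule in place when it sees an ID that is already present, the same function shows what happens if a relay or SSL VPN rule is given an ID that a default rule already uses: the default rule is replaced and the traffic it used to catch is load balanced again.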

Management traffic limitations

FortiGate-6000 and FortiGate-7000 platforms support management traffic over out of band (OOB) management interfaces only:

  • The MGMT 1 to 3 interfaces on the FortiGate-6000.
  • The mgmt static LAG interface on the FortiGate-7000 FIMs. The mgmt LAG includes the MGMT 1 to 4 interfaces, and its configuration should not be changed.

Using data interfaces for management traffic is currently not supported. The following command is available to allow management traffic over data interfaces in a VDOM, but this command is currently not recommended as the feature is still under development.

config vdom
    edit <vdom-name>
        config system settings
            set motherboard-traffic-forwarding admin
        end

Example FortiGate-6000 HA heartbeat switch configuration

The switch that you use for connecting HA heartbeat interfaces does not have to support IEEE 802.1ad (also known as Q-in-Q, double-tagging), but the switch should be able to forward the double-tagged frames. Fortinet recommends avoiding switches that strip out the inner tag. FortiSwitch D and E series can correctly forward double-tagged frames.

Note: This configuration is not required for FortiGate-6000 HA configurations if you have set up direct connections between the HA heartbeat interfaces.

This example shows how to configure a FortiGate-6000 to use different VLAN IDs for the HA1 and HA2 HA heartbeat interfaces and then how to configure two ports on a Cisco switch to allow HA heartbeat packets.

Note: This example sets the native VLAN ID for both switch ports to 777. You can use any VLAN ID as the native VLAN ID as long as it is not the same as the allowed VLAN ID.
  1. On both FortiGate-6000s in the HA configuration, enter the following command to use different VLAN IDs for the HA1 and HA2 interfaces. The command sets the HA1 VLAN ID to 4091 and the HA2 VLAN ID to 4092:

    config system ha
        set hbdev "ha1" 50 "ha2" 100
        set hbdev-vlan-id 4091
        set hbdev-second-vlan-id 4092
    end

  2. Use the get system ha status command to confirm the VLAN IDs.

    get system ha status
    ...
    HBDEV stats:
     F6KF51T018900026(updated 4 seconds ago):
      ha1: physical/10000full, up, rx-bytes/packets/dropped/errors=54995955/230020/0/0, tx=63988049/225267/0/0, vlan-id=4091
      ha2: physical/10000full, up, rx-bytes/packets/dropped/errors=54995955/230020/0/0, tx=63988021/225267/0/0, vlan-id=4092
     F6KF51T018900022(updated 3 seconds ago):
      ha1: physical/10000full, up, rx-bytes/packets/dropped/errors=61237440/230023/0/0, tx=57746989/225271/0/0, vlan-id=4091
      ha2: physical/10000full, up, rx-bytes/packets/dropped/errors=61238907/230023/0/0, tx=57746989/225271/0/0, vlan-id=4092
    ...
  3. Configure the Cisco switch port that connects the HA1 interfaces to allow packets with a VLAN ID of 4091:

    interface <name>
        switchport mode trunk
        switchport trunk native vlan 777
        switchport trunk allowed vlan 4091

  4. Configure the Cisco switch port that connects the HA2 interfaces to allow packets with a VLAN ID of 4092:

    interface <name>
        switchport mode trunk
        switchport trunk native vlan 777
        switchport trunk allowed vlan 4092

Example FortiGate-7000 HA heartbeat switch configuration

The switch that you use for connecting HA heartbeat interfaces does not have to support IEEE 802.1ad (also known as Q-in-Q, double-tagging), but the switch should be able to forward the double-tagged frames. Fortinet recommends avoiding switches that strip out the inner tag. FortiSwitch D and E series can correctly forward double-tagged frames.

Note: This configuration is not required for FortiGate-7030E HA configurations if you have set up direct connections between the HA heartbeat interfaces.

This example shows how to configure a FortiGate-7000 to use different VLAN IDs for the M1 and M2 HA heartbeat interfaces and then how to configure two ports on a Cisco switch to allow HA heartbeat packets.

Note: This example sets the native VLAN ID for both switch ports to 777. You can use any VLAN ID as the native VLAN ID as long as it is not the same as the allowed VLAN ID.
  1. On both FortiGate-7000s in the HA configuration, enter the following command to use different VLAN IDs for the M1 and M2 interfaces. The command sets the M1 VLAN ID to 4086 and the M2 VLAN ID to 4087:

    config system ha
        set hbdev "1-M1" 50 "2-M1" 50 "1-M2" 50 "2-M2" 50
        set hbdev-vlan-id 4086
        set hbdev-second-vlan-id 4087
    end

  2. Use the get system ha status command to confirm the VLAN IDs.

    get system ha status
    ...
    HBDEV stats:
     FG74E83E16000015(updated 1 seconds ago):
       1-M1: physical/10000full, up, rx-bytes/packets/dropped/errors=579602089/2290683/0/0, tx=215982465/761929/0/0, vlan-id=4086
       2-M1: physical/10000full, up, rx-bytes/packets/dropped/errors=577890866/2285570/0/0, tx=215966839/761871/0/0, vlan-id=4086
       1-M2: physical/10000full, up, rx-bytes/packets/dropped/errors=579601846/2290682/0/0, tx=215982465/761929/0/0, vlan-id=4087
       2-M2: physical/10000full, up, rx-bytes/packets/dropped/errors=577890651/2285569/0/0, tx=215966811/761871/0/0, vlan-id=4087
     FG74E83E16000016(updated 1 seconds ago):
       1-M1: physical/10000full, up, rx-bytes/packets/dropped/errors=598602425/2290687/0/0, tx=196974887/761899/0/0, vlan-id=4086
       2-M1: physical/10000full, up, rx-bytes/packets/dropped/errors=596895956/2285588/0/0, tx=196965052/761864/0/0, vlan-id=4086
       1-M2: physical/10000full, up, rx-bytes/packets/dropped/errors=598602154/2290686/0/0, tx=196974915/761899/0/0, vlan-id=4087
       2-M2: physical/10000full, up, rx-bytes/packets/dropped/errors=596895685/2285587/0/0, tx=196965080/761864/0/0, vlan-id=4087
    ...
  3. Configure the Cisco switch port that connects the M1 interfaces to allow packets with a VLAN ID of 4086:

    interface <name>
        switchport mode trunk
        switchport trunk native vlan 777
        switchport trunk allowed vlan 4086

  4. Configure the Cisco switch port that connects the M2 interfaces to allow packets with a VLAN ID of 4087:

    interface <name>
        switchport mode trunk
        switchport trunk native vlan 777
        switchport trunk allowed vlan 4087
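Step 2 of both heartbeat examples confirms the VLAN IDs by reading get system ha status. The following Python script is an added example, not Fortinet code or part of the original document, that parses the HBDEV stats block shown in those steps and checks every cluster member's heartbeat interfaces against the VLAN IDs configured in step 1, flagging an interface that is missing, down, on the wrong VLAN, or dropping frames. The mapping from interface name to VLAN, the word used for a down link, and the two constructed failure samples are this example's own assumptions; the healthy sample is copied from the FortiGate-6000 example.

```python
"""Check the HBDEV stats block of `get system ha status` against the heartbeat VLAN configuration.
Added example, not Fortinet code: after setting hbdev-vlan-id and hbdev-second-vlan-id and configuring
the switch trunks, it confirms for every cluster member that each heartbeat interface is listed, is
up, carries the VLAN ID assigned to it, and shows no dropped or errored frames. The link state word
"down" and the interface-name-to-VLAN mapping in expected_vlans() are assumptions, not page facts."""
import re

MEMBER = re.compile(r"^\s*(?P<serial>[^\s(]+)\(updated \d+ seconds? ago\):")
HBDEV = re.compile(r"^\s*(?P<intf>[^\s:]+): (?P<link>\S+), (?P<state>up|down), "
                   r"rx-bytes/packets/dropped/errors=(?P<rx>[\d/]+), tx=(?P<tx>[\d/]+), vlan-id=(?P<vlan>\d+)")

def parse_hbdev_stats(status_text):
    """{serial: {intf: {"up", "vlan", "rx_dropped", "rx_errors", "tx_dropped", "tx_errors"}}}."""
    members, cur = {}, None
    for line in status_text.splitlines():
        m = MEMBER.match(line)
        if m:
            cur = members.setdefault(m["serial"], {})
            continue
        h = HBDEV.match(line)
        if h and cur is not None:
            rx = [int(x) for x in h["rx"].split("/")]   # bytes, packets, dropped, errors
            tx = [int(x) for x in h["tx"].split("/")]
            cur[h["intf"]] = {"up": h["state"] == "up", "vlan": int(h["vlan"]), "rx_dropped": rx[2],
                              "rx_errors": rx[3], "tx_dropped": tx[2], "tx_errors": tx[3]}
    return members

def expected_vlans(hbdev_line, first_vlan, second_vlan):
    """Map each interface named in a `set hbdev ...` line to the VLAN it should carry. Assumption that
    fits both examples on this page: names ending in 1 (ha1, 1-M1, 2-M1) use hbdev-vlan-id and names
    ending in 2 (ha2, 1-M2, 2-M2) use hbdev-second-vlan-id."""
    names = re.findall(r'"([^"]+)"', hbdev_line)
    return {n: first_vlan if n.endswith("1") else second_vlan for n in names}

def check_heartbeat(status_text, expected):
    """Problems found, one string each; an empty list means every member's heartbeat links look right."""
    problems = []
    for serial, intfs in parse_hbdev_stats(status_text).items():
        for intf, vlan in expected.items():
            s = intfs.get(intf)
            if s is None:
                problems.append(f"{serial} {intf}: not listed")
            elif not s["up"]:
                problems.append(f"{serial} {intf}: link down")
            elif s["vlan"] != vlan:
                problems.append(f"{serial} {intf}: vlan-id {s['vlan']}, expected {vlan}")
            elif s["rx_dropped"] or s["rx_errors"] or s["tx_dropped"] or s["tx_errors"]:
                problems.append(f"{serial} {intf}: dropped/errored frames on the heartbeat link")
    return problems

# HBDEV stats copied from the FortiGate-6000 example on this page.
SAMPLE_STATUS = """\
HBDEV stats:
 F6KF51T018900026(updated 4 seconds ago):
  ha1: physical/10000full, up, rx-bytes/packets/dropped/errors=54995955/230020/0/0, tx=63988049/225267/0/0, vlan-id=4091
  ha2: physical/10000full, up, rx-bytes/packets/dropped/errors=54995955/230020/0/0, tx=63988021/225267/0/0, vlan-id=4092
 F6KF51T018900022(updated 3 seconds ago):
  ha1: physical/10000full, up, rx-bytes/packets/dropped/errors=61237440/230023/0/0, tx=57746989/225271/0/0, vlan-id=4091
  ha2: physical/10000full, up, rx-bytes/packets/dropped/errors=61238907/230023/0/0, tx=57746989/225271/0/0, vlan-id=4092
"""
EXPECTED = expected_vlans('set hbdev "ha1" 50 "ha2" 100', 4091, 4092)
# Constructed failures: the second member's ha2 still carries the first VLAN, and the first
# member's ha1 has started dropping received frames.
SAMPLE_MISMATCH = SAMPLE_STATUS.replace("tx=57746989/225271/0/0, vlan-id=4092", "tx=57746989/225271/0/0, vlan-id=4091")
SAMPLE_DROPS = SAMPLE_STATUS.replace("=54995955/230020/0/0, tx=63988049", "=54995955/230020/17/0, tx=63988049")

if __name__ == "__main__":
    for text in (SAMPLE_STATUS, SAMPLE_MISMATCH, SAMPLE_DROPS):
        print(check_heartbeat(text, EXPECTED) or "heartbeat links OK")
```

For the FortiGate-7000 example, build the expected mapping from its hbdev line (1-M1 and 2-M1 on 4086, 1-M2 and 2-M2 on 4087) and feed it the HBDEV stats from that step; a switch port that denies the VLAN or strips the inner tag usually shows up as a link that stays up but whose rx counters stop increasing, so compare two runs a few seconds apart rather than relying on a single snapshot.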

Default FortiGate-6000 and FortiGate-7000 configuration for traffic that cannot be load balanced

The default config load-balance flow-rule configuration contains the recommended default flow rules that control how the FortiGate-6000 or 7000 handles traffic types that cannot be load balanced. Most of the flow rules in the default configuration are enabled and are intended to send common traffic types that cannot be load balanced to the primary FPC or FPM. FortiGate-6000 and 7000 for FortiOS 6.0.6 have the same default flow rules.

The default flow rules identify the traffic type using the options available in the command and direct matching traffic to the primary (master) FPC or FPM (action set to forward and forward-slot set to master). The one exception is the vrrp rule (ID 26), which sends VRRP traffic to all FPCs or FPMs (forward-slot set to all) at priority 6. Each default flow rule also includes a comment that identifies the traffic type.

The default configuration also includes disabled flow rules for Kerberos, PPTP, GTP-C, and IPv4 IKE and ESP traffic. Normally, you would only need to enable these flow rules if you know that your FortiGate will be handling these types of traffic.

The CLI syntax below was created with the show full-configuration command.

config load-balance flow-rule
    edit 1
        set status disable
        set vlan 0
        set ether-type ip
        set protocol udp
        set src-l4port 88-88
        set dst-l4port 0-0
        set action forward
        set forward-slot master
        set priority 5
        set comment "kerberos src"
    next
    edit 2
        set status disable
        set vlan 0
        set ether-type ip
        set protocol udp
        set src-l4port 0-0
        set dst-l4port 88-88
        set action forward
        set forward-slot master
        set priority 5
        set comment "kerberos dst"
    next
    edit 3
        set status enable
        set vlan 0
        set ether-type ip
        set protocol tcp
        set src-l4port 179-179
        set dst-l4port 0-0
        set tcp-flag any
        set action forward
        set forward-slot master
        set priority 5
        set comment "bgp src"
    next
    edit 4
        set status enable
        set vlan 0
        set ether-type ip
        set protocol tcp
        set src-l4port 0-0
        set dst-l4port 179-179
        set tcp-flag any
        set action forward
        set forward-slot master
        set priority 5
        set comment "bgp dst"
    next
    edit 5
        set status enable
        set vlan 0
        set ether-type ip
        set protocol udp
        set src-l4port 520-520
        set dst-l4port 520-520
        set action forward
        set forward-slot master
        set priority 5
        set comment "rip"
    next
    edit 6
        set status enable
        set vlan 0
        set ether-type ipv6
        set src-addr-ipv6 ::/0
        set dst-addr-ipv6 ::/0
        set protocol udp
        set src-l4port 521-521
        set dst-l4port 521-521
        set action forward
        set forward-slot master
        set priority 5
        set comment "ripng"
    next
    edit 7
        set status enable
        set vlan 0
        set ether-type ipv4
        set src-addr-ipv4 0.0.0.0 0.0.0.0
        set dst-addr-ipv4 0.0.0.0 0.0.0.0
        set protocol udp
        set src-l4port 67-67
        set dst-l4port 68-68
        set action forward
        set forward-slot master
        set priority 5
        set comment "dhcpv4 server to client"
    next
    edit 8
        set status enable
        set vlan 0
        set ether-type ipv4
        set src-addr-ipv4 0.0.0.0 0.0.0.0
        set dst-addr-ipv4 0.0.0.0 0.0.0.0
        set protocol udp
        set src-l4port 68-68
        set dst-l4port 67-67
        set action forward
        set forward-slot master
        set priority 5
        set comment "dhcpv4 client to server"
    next
    edit 9
        set status disable
        set vlan 0
        set ether-type ip
        set protocol tcp
        set src-l4port 1723-1723
        set dst-l4port 0-0
        set tcp-flag any
        set action forward
        set forward-slot master
        set priority 5
        set comment "pptp src"
    next
    edit 10
        set status disable
        set vlan 0
        set ether-type ip
        set protocol tcp
        set src-l4port 0-0
        set dst-l4port 1723-1723
        set tcp-flag any
        set action forward
        set forward-slot master
        set priority 5
        set comment "pptp dst"
    next
    edit 11
        set status enable
        set vlan 0
        set ether-type ip
        set protocol udp
        set src-l4port 0-0
        set dst-l4port 3784-3784
        set action forward
        set forward-slot master
        set priority 5
        set comment "bfd control"
    next
    edit 12
        set status enable
        set vlan 0
        set ether-type ip
        set protocol udp
        set src-l4port 0-0
        set dst-l4port 3785-3785
        set action forward
        set forward-slot master
        set priority 5
        set comment "bfd echo"
    next
    edit 13
        set status enable
        set vlan 0
        set ether-type ipv6
        set src-addr-ipv6 ::/0
        set dst-addr-ipv6 ::/0
        set protocol udp
        set src-l4port 547-547
        set dst-l4port 546-546
        set action forward
        set forward-slot master
        set priority 5
        set comment "dhcpv6 server to client"
    next
    edit 14
        set status enable
        set vlan 0
        set ether-type ipv6
        set src-addr-ipv6 ::/0
        set dst-addr-ipv6 ::/0
        set protocol udp
        set src-l4port 546-546
        set dst-l4port 547-547
        set action forward
        set forward-slot master
        set priority 5
        set comment "dhcpv6 client to server"
    next
    edit 15
        set status enable
        set vlan 0
        set ether-type ipv4
        set src-addr-ipv4 0.0.0.0 0.0.0.0
        set dst-addr-ipv4 224.0.0.0 240.0.0.0
        set protocol any
        set action forward
        set forward-slot master
        set priority 5
        set comment "ipv4 multicast"
    next
    edit 16
        set status enable
        set vlan 0
        set ether-type ipv6
        set src-addr-ipv6 ::/0
        set dst-addr-ipv6 ff00::/8
        set protocol any
        set action forward
        set forward-slot master
        set priority 5
        set comment "ipv6 multicast"
    next
    edit 17
        set status disable
        set vlan 0
        set ether-type ipv4
        set src-addr-ipv4 0.0.0.0 0.0.0.0
        set dst-addr-ipv4 0.0.0.0 0.0.0.0
        set protocol udp
        set src-l4port 0-0
        set dst-l4port 2123-2123
        set action forward
        set forward-slot master
        set priority 5
        set comment "gtp-c to master blade"
    next
    edit 18
        set status enable
        set vlan 0
        set ether-type ipv6
        set src-addr-ipv6 ::/0
        set dst-addr-ipv6 ::/0
        set protocol udp
        set src-l4port 0-0
        set dst-l4port 500-500
        set action forward
        set forward-slot master
        set priority 5
        set comment "ipv6 ike"
    next
    edit 19
        set status enable
        set vlan 0
        set ether-type ipv6
        set src-addr-ipv6 ::/0
        set dst-addr-ipv6 ::/0
        set protocol udp
        set src-l4port 0-0
        set dst-l4port 4500-4500
        set action forward
        set forward-slot master
        set priority 5
        set comment "ipv6 ike-natt dst"
    next
    edit 20
        set status enable
        set vlan 0
        set ether-type ipv6
        set src-addr-ipv6 ::/0
        set dst-addr-ipv6 ::/0
        set protocol esp
        set action forward
        set forward-slot master
        set priority 5
        set comment "ipv6 esp"
    next
    edit 21
        set status disable
        set vlan 0
        set ether-type ipv4
        set src-addr-ipv4 0.0.0.0 0.0.0.0
        set dst-addr-ipv4 0.0.0.0 0.0.0.0
        set protocol udp
        set src-l4port 0-0
        set dst-l4port 500-500
        set action forward
        set forward-slot master
        set priority 5
        set comment "ipv4 ike"
    next
    edit 22
        set status disable
        set vlan 0
        set ether-type ipv4
        set src-addr-ipv4 0.0.0.0 0.0.0.0
        set dst-addr-ipv4 0.0.0.0 0.0.0.0
        set protocol udp
        set src-l4port 0-0
        set dst-l4port 4500-4500
        set action forward
        set forward-slot master
        set priority 5
        set comment "ipv4 ike-natt dst"
    next
    edit 23
        set status disable
        set vlan 0
        set ether-type ipv4
        set src-addr-ipv4 0.0.0.0 0.0.0.0
        set dst-addr-ipv4 0.0.0.0 0.0.0.0
        set protocol esp
        set action forward
        set forward-slot master
        set priority 5
        set comment "ipv4 esp"
    next
    edit 24
        set status enable
        set vlan 0
        set ether-type ip
        set protocol tcp
        set src-l4port 0-0
        set dst-l4port 1000-1000
        set tcp-flag any
        set action forward
        set forward-slot master
        set priority 5
        set comment "authd http to master blade"
    next
    edit 25
        set status enable
        set vlan 0
        set ether-type ip
        set protocol tcp
        set src-l4port 0-0
        set dst-l4port 1003-1003
        set tcp-flag any
        set action forward
        set forward-slot master
        set priority 5
        set comment "authd https to master blade"
    next
    edit 26
        set status enable
        set vlan 0
        set ether-type ip
        set protocol vrrp
        set action forward
        set forward-slot all
        set priority 6
        set comment "vrrp to all blades"
    next
end