FortiGate-6000 v5.6.6 special features and limitations
This section describes special features and limitations for FortiGate-6000 v5.6.6.
Remote console limitations
Some console input may not function as expected. For example, when remotely connecting to an FPC console using Telnet, when viewing the BIOS menu, pressing the H key to display BIOS menu help does not always work as expected.
Default management VDOM
By default the FortiGate-6000 configuration includes a management VDOM named mgmt-vdom.The ha1, ha2, mgmt1, mgmt2, and mgmt3 interfaces are in mgmt-vdom and all other interfaces are in the root VDOM. For the FortiGate-6000 system to operate normally, mgmt-vdom must always be the management VDOM. You also must not remove interfaces from this VDOM. You can change the IP addresses of the interfaces in mgmt-vdom, allow the required management services, and add routes as required for management traffic.
You have full control over the configurations of other FortiGate-6000 VDOMs.
Default Security Fabric configuration
The FortiGate-6000 uses the Security Fabric for communication and synchronization between the management board and FPCs. Changing the default Security Fabric configuration could disrupt this communication and affect system performance.
Default Security Fabric configuration:
config system csf
set status enable
set configuration-sync local
set management-ip 0.0.0.0
set management-port 0
end
For the FortiGate-6000 to operate normally, you must not change the Security Fabric configuration.
Maximum number of LAGs and interfaces per LAG
FortiGate-6000 systems support up to 16 link aggregation groups (LAGs). This includes both normal link aggregation groups and redundant interfaces. A FortiGate-6000 LAG can include up to 20 interfaces.
Firewall
TCP or UDP sessions with NAT enabled that are expected to be idle for more than the distributed processing normal TCP timer (which is 3605 seconds) will timeout. If you encounter this problem you can use the following command to increase the TCP timer:
config system global
set dp-tcp-normal-timer <timer>
end
IP Multicast
IPv4 and IPv6 Multicast traffic is only sent to the primary FPC. This is controlled by the following configuration:
config load-balance flow-rule
edit 15
set status enable
set vlan 0
set ether-type ipv4
set src-addr-ipv4 0.0.0.0 0.0.0.0
set dst-addr-ipv4 224.0.0.0 240.0.0.0
set protocol any
set action forward
set forward-slot master
set priority 5
set comment "ipv4 multicast"
next
edit 16
set status enable
set vlan 0
set ether-type ipv6
set src-addr-ipv6 ::/0
set dst-addr-ipv6 ff00::/8
set protocol any
set action forward
set forward-slot master
set priority 5
set comment "ipv6 multicast"
end
High Availability
Only the HA1 and HA2 interfaces are used for the HA heartbeat communication. For information on how to set up HA heartbeat communication using the HA1 and HA2 interfaces, see Connect the HA1 and HA2 interfaces for HA heartbeat communication.
The following FortiOS HA features are not supported or are supported differently by FortiGate-6000 v5.6.6:
- Active-active HA is not supported.
- The range for the HA
group-id
is 0 to 15. - Failover logic for FortiGate-6000 v5.6.6 HA is the same as FGCP for other FortiGate clusters.
- HA heartbeat configuration is specific to FortiGate-6000 systems and differs from standard HA.
- FortiGate Session Life Support Protocol (FGSP) HA (also called standalone session synchronization) is not supported.
Use of the diagnose sys ha checksum cluster command not recommended
The FortiGate-6000 uses a custom FGCP HA implementation and the diagnose sys ha checksum cluster
command may show incorrect checksums so can't be used to check cluster synchronization. Instead you can log into the primary FIM of each FortiGate-6000 in the cluster and use the diagnose sys confsync showcsum
and compare the results.
FortiOS features that are not supported by FortiGate-6000 v5.6.6
The following mainstream FortiOS 5.6.6 features are not supported by the FortiGate-6000 v5.6.6:
- SD-WAN (because of known issues)
- Usage-based ECMP load balancing is not supported. If the
config system settings
v4-ecmp-mode
option is set tousage-based
, all traffic uses the first ECMP route instead of being load balanced among all ECMP routes. All other ECMP load balancing options are supported, includingsource-ip-based
,weight-based
, andsource-dest-ip-based
. - Policy learning mode
- HA dedicated management interfaces
- Hardware switch
- Switch controller
- WiFi controller
- IPv4 over IPv6, IPv6 over IPv4, IPv6 over IPv6 features
- GRE tunneling is only supported after creating a load balance flow rule, for example:
config load-balance flow-rule
edit 0
set status enable
set vlan 0
set ether-type ip
set protocol gre
set action forward
set forward-slot master
set priority 3
end
- Only the FortiGate-6301F and the FortiGate-6501F support hard disk features such as WAN optimization, web caching, explicit proxy content caching, disk logging, and GUI-based packet sniffing.
- The FortiGate-6000 platform, including the FortiGate-6301F and the FortiGate-6501F does not support quarantining files to the internal hard disks. Instead you must set the quarantine function to quarantine files to FortiAnalyzer.
- The management interfaces (mgmt1-3) do not support device detection for the networks they are connected to.
- The FortiGate-6000 does not support configuring dedicated management interfaces using the
config system dedicated-mgmt
command or by enabling thededicated-to management
interface option.
IPsec VPN tunnels terminated by the FortiGate-6000
For a list of new FortiOS 5.6.6 FortiGate-6000 IPsec VPN features and a list of IPsec VPN features not supported by FortiOS 5.6.6 FortiGate-6000 IPsec VPN, see New IPsec VPN features.
SSL VPN
Sending all SSL VPN sessions to the primary (master) FPC is recommended. You can do this by:
- Creating a flow rule that sends all sessions that use the SSL VPN destination port and IP address to the primary FPC.
- Creating flow rules that send all sessions that use the SSL VPN IP pool addresses to the primary FPC.
Traffic shaping
You can only configure traffic shaping from the CLI. Each FPC applies traffic shaping quotas independently. Traffic is first load balanced to the FPCs and then traffic shaping is applied by the FPC to the traffic load balanced to it.This may result in traffic shaping allowing more traffic than expected.
DDoS quotas
Each FPC applies DDoS quotas independently. Traffic is first load balanced to the FPCs and then DDoS quotas are applied by the FPC to the traffic load balanced to it. This may result in DDoS quotas being less effective than expected.
FortiGuard web filtering and spam filtering
The FortiGate-6000 sends all FortiGuard web filtering and spam filtering rating queries through a management interface from the management VDOM.
Web filtering quotas
On a VDOM operating with the Inspection Mode set to Proxy, you can go to Security Profiles > Web Filter and set up Category Usage Quotas. Each FPC has its own quota, and the FortiGate-6000 applies quotas per FPC and not per the entire FortiGate-6000 system. This could result in quotas being exceeded if sessions for the same user are processed by different FPCs.
Log messages include a slot field
An additional "slot" field has been added to log messages to identify the FPC that generated the log.
Special notice for new deployment connectivity testing
Only the management board can successfully ping external IP addresses. During a new deployment, while performing connectivity testing from the Fortigate-6000, make sure to run execute ping
tests from the management board and not from an FPC. See Using data interfaces for management traffic for information about changes to this limitation.