Fortinet white logo
Fortinet white logo

FortiGate-6000 Handbook

FortiGate-6000 v5.6.6 special features and limitations

FortiGate-6000 v5.6.6 special features and limitations

This section describes special features and limitations for FortiGate-6000 v5.6.6.

Remote console limitations

Some console input may not function as expected. For example, when remotely connecting to an FPC console using Telnet, when viewing the BIOS menu, pressing the H key to display BIOS menu help does not always work as expected.

Default management VDOM

By default the FortiGate-6000 configuration includes a management VDOM named mgmt-vdom.The ha1, ha2, mgmt1, mgmt2, and mgmt3 interfaces are in mgmt-vdom and all other interfaces are in the root VDOM. For the FortiGate-6000 system to operate normally, mgmt-vdom must always be the management VDOM. You also must not remove interfaces from this VDOM. You can change the IP addresses of the interfaces in mgmt-vdom, allow the required management services, and add routes as required for management traffic.

You have full control over the configurations of other FortiGate-6000 VDOMs.

Default Security Fabric configuration

The FortiGate-6000 uses the Security Fabric for communication and synchronization between the management board and FPCs. Changing the default Security Fabric configuration could disrupt this communication and affect system performance.

Default Security Fabric configuration:

config system csf

set status enable

set configuration-sync local

set management-ip 0.0.0.0

set management-port 0

end

For the FortiGate-6000 to operate normally, you must not change the Security Fabric configuration.

Maximum number of LAGs and interfaces per LAG

FortiGate-6000 systems support up to 16 link aggregation groups (LAGs). This includes both normal link aggregation groups and redundant interfaces. A FortiGate-6000 LAG can include up to 20 interfaces.

Firewall

TCP or UDP sessions with NAT enabled that are expected to be idle for more than the distributed processing normal TCP timer (which is 3605 seconds) will timeout. If you encounter this problem you can use the following command to increase the TCP timer:

config system global

set dp-tcp-normal-timer <timer>

end

IP Multicast

IPv4 and IPv6 Multicast traffic is only sent to the primary FPC. This is controlled by the following configuration:

config load-balance flow-rule

edit 15

set status enable

set vlan 0

set ether-type ipv4

set src-addr-ipv4 0.0.0.0 0.0.0.0

set dst-addr-ipv4 224.0.0.0 240.0.0.0

set protocol any

set action forward

set forward-slot master

set priority 5

set comment "ipv4 multicast"

next

edit 16

set status enable

set vlan 0

set ether-type ipv6

set src-addr-ipv6 ::/0

set dst-addr-ipv6 ff00::/8

set protocol any

set action forward

set forward-slot master

set priority 5

set comment "ipv6 multicast"

end

High Availability

Only the HA1 and HA2 interfaces are used for the HA heartbeat communication. For information on how to set up HA heartbeat communication using the HA1 and HA2 interfaces, see Connect the HA1 and HA2 interfaces for HA heartbeat communication.

The following FortiOS HA features are not supported or are supported differently by FortiGate-6000 v5.6.6:

  • Active-active HA is not supported.
  • The range for the HA group-id is 0 to 15.
  • Failover logic for FortiGate-6000 v5.6.6 HA is the same as FGCP for other FortiGate clusters.
  • HA heartbeat configuration is specific to FortiGate-6000 systems and differs from standard HA.
  • FortiGate Session Life Support Protocol (FGSP) HA (also called standalone session synchronization) is not supported.

Use of the diagnose sys ha checksum cluster command not recommended

The FortiGate-6000 uses a custom FGCP HA implementation and the diagnose sys ha checksum cluster command may show incorrect checksums so can't be used to check cluster synchronization. Instead you can log into the primary FIM of each FortiGate-6000 in the cluster and use the diagnose sys confsync showcsum and compare the results.

FortiOS features that are not supported by FortiGate-6000 v5.6.6

The following mainstream FortiOS 5.6.6 features are not supported by the FortiGate-6000 v5.6.6:

  • SD-WAN (because of known issues)
  • Usage-based ECMP load balancing is not supported. If the config system settings v4-ecmp-mode option is set to usage-based, all traffic uses the first ECMP route instead of being load balanced among all ECMP routes. All other ECMP load balancing options are supported, including source-ip-based, weight-based, and source-dest-ip-based.
  • Policy learning mode
  • HA dedicated management interfaces
  • Hardware switch
  • Switch controller
  • WiFi controller
  • IPv4 over IPv6, IPv6 over IPv4, IPv6 over IPv6 features
  • GRE tunneling is only supported after creating a load balance flow rule, for example:

config load-balance flow-rule

edit 0

set status enable

set vlan 0

set ether-type ip

set protocol gre

set action forward

set forward-slot master

set priority 3

end

  • Only the FortiGate-6301F and the FortiGate-6501F support hard disk features such as WAN optimization, web caching, explicit proxy content caching, disk logging, and GUI-based packet sniffing.
  • The FortiGate-6000 platform, including the FortiGate-6301F and the FortiGate-6501F does not support quarantining files to the internal hard disks. Instead you must set the quarantine function to quarantine files to FortiAnalyzer.
  • The management interfaces (mgmt1-3) do not support device detection for the networks they are connected to.
  • The FortiGate-6000 does not support configuring dedicated management interfaces using the config system dedicated-mgmt command or by enabling the dedicated-to management interface option.

IPsec VPN tunnels terminated by the FortiGate-6000

For a list of new FortiOS 5.6.6 FortiGate-6000 IPsec VPN features and a list of IPsec VPN features not supported by FortiOS 5.6.6 FortiGate-6000 IPsec VPN, see New IPsec VPN features.

SSL VPN

Sending all SSL VPN sessions to the primary (master) FPC is recommended. You can do this by:

  • Creating a flow rule that sends all sessions that use the SSL VPN destination port and IP address to the primary FPC.
  • Creating flow rules that send all sessions that use the SSL VPN IP pool addresses to the primary FPC.

Traffic shaping

You can only configure traffic shaping from the CLI. Each FPC applies traffic shaping quotas independently. Traffic is first load balanced to the FPCs and then traffic shaping is applied by the FPC to the traffic load balanced to it.This may result in traffic shaping allowing more traffic than expected.

DDoS quotas

Each FPC applies DDoS quotas independently. Traffic is first load balanced to the FPCs and then DDoS quotas are applied by the FPC to the traffic load balanced to it. This may result in DDoS quotas being less effective than expected.

FortiGuard web filtering and spam filtering

The FortiGate-6000 sends all FortiGuard web filtering and spam filtering rating queries through a management interface from the management VDOM.

Web filtering quotas

On a VDOM operating with the Inspection Mode set to Proxy, you can go to Security Profiles > Web Filter and set up Category Usage Quotas. Each FPC has its own quota, and the FortiGate-6000 applies quotas per FPC and not per the entire FortiGate-6000 system. This could result in quotas being exceeded if sessions for the same user are processed by different FPCs.

Log messages include a slot field

An additional "slot" field has been added to log messages to identify the FPC that generated the log.

Special notice for new deployment connectivity testing

Only the management board can successfully ping external IP addresses. During a new deployment, while performing connectivity testing from the Fortigate-6000, make sure to run execute ping tests from the management board and not from an FPC. See Using data interfaces for management traffic for information about changes to this limitation.

FortiGate-6000 v5.6.6 special features and limitations

FortiGate-6000 v5.6.6 special features and limitations

This section describes special features and limitations for FortiGate-6000 v5.6.6.

Remote console limitations

Some console input may not function as expected. For example, when remotely connecting to an FPC console using Telnet, when viewing the BIOS menu, pressing the H key to display BIOS menu help does not always work as expected.

Default management VDOM

By default the FortiGate-6000 configuration includes a management VDOM named mgmt-vdom.The ha1, ha2, mgmt1, mgmt2, and mgmt3 interfaces are in mgmt-vdom and all other interfaces are in the root VDOM. For the FortiGate-6000 system to operate normally, mgmt-vdom must always be the management VDOM. You also must not remove interfaces from this VDOM. You can change the IP addresses of the interfaces in mgmt-vdom, allow the required management services, and add routes as required for management traffic.

You have full control over the configurations of other FortiGate-6000 VDOMs.

Default Security Fabric configuration

The FortiGate-6000 uses the Security Fabric for communication and synchronization between the management board and FPCs. Changing the default Security Fabric configuration could disrupt this communication and affect system performance.

Default Security Fabric configuration:

config system csf

set status enable

set configuration-sync local

set management-ip 0.0.0.0

set management-port 0

end

For the FortiGate-6000 to operate normally, you must not change the Security Fabric configuration.

Maximum number of LAGs and interfaces per LAG

FortiGate-6000 systems support up to 16 link aggregation groups (LAGs). This includes both normal link aggregation groups and redundant interfaces. A FortiGate-6000 LAG can include up to 20 interfaces.

Firewall

TCP or UDP sessions with NAT enabled that are expected to be idle for more than the distributed processing normal TCP timer (which is 3605 seconds) will timeout. If you encounter this problem you can use the following command to increase the TCP timer:

config system global

set dp-tcp-normal-timer <timer>

end

IP Multicast

IPv4 and IPv6 Multicast traffic is only sent to the primary FPC. This is controlled by the following configuration:

config load-balance flow-rule

edit 15

set status enable

set vlan 0

set ether-type ipv4

set src-addr-ipv4 0.0.0.0 0.0.0.0

set dst-addr-ipv4 224.0.0.0 240.0.0.0

set protocol any

set action forward

set forward-slot master

set priority 5

set comment "ipv4 multicast"

next

edit 16

set status enable

set vlan 0

set ether-type ipv6

set src-addr-ipv6 ::/0

set dst-addr-ipv6 ff00::/8

set protocol any

set action forward

set forward-slot master

set priority 5

set comment "ipv6 multicast"

end

High Availability

Only the HA1 and HA2 interfaces are used for the HA heartbeat communication. For information on how to set up HA heartbeat communication using the HA1 and HA2 interfaces, see Connect the HA1 and HA2 interfaces for HA heartbeat communication.

The following FortiOS HA features are not supported or are supported differently by FortiGate-6000 v5.6.6:

  • Active-active HA is not supported.
  • The range for the HA group-id is 0 to 15.
  • Failover logic for FortiGate-6000 v5.6.6 HA is the same as FGCP for other FortiGate clusters.
  • HA heartbeat configuration is specific to FortiGate-6000 systems and differs from standard HA.
  • FortiGate Session Life Support Protocol (FGSP) HA (also called standalone session synchronization) is not supported.

Use of the diagnose sys ha checksum cluster command not recommended

The FortiGate-6000 uses a custom FGCP HA implementation and the diagnose sys ha checksum cluster command may show incorrect checksums so can't be used to check cluster synchronization. Instead you can log into the primary FIM of each FortiGate-6000 in the cluster and use the diagnose sys confsync showcsum and compare the results.

FortiOS features that are not supported by FortiGate-6000 v5.6.6

The following mainstream FortiOS 5.6.6 features are not supported by the FortiGate-6000 v5.6.6:

  • SD-WAN (because of known issues)
  • Usage-based ECMP load balancing is not supported. If the config system settings v4-ecmp-mode option is set to usage-based, all traffic uses the first ECMP route instead of being load balanced among all ECMP routes. All other ECMP load balancing options are supported, including source-ip-based, weight-based, and source-dest-ip-based.
  • Policy learning mode
  • HA dedicated management interfaces
  • Hardware switch
  • Switch controller
  • WiFi controller
  • IPv4 over IPv6, IPv6 over IPv4, IPv6 over IPv6 features
  • GRE tunneling is only supported after creating a load balance flow rule, for example:

config load-balance flow-rule

edit 0

set status enable

set vlan 0

set ether-type ip

set protocol gre

set action forward

set forward-slot master

set priority 3

end

  • Only the FortiGate-6301F and the FortiGate-6501F support hard disk features such as WAN optimization, web caching, explicit proxy content caching, disk logging, and GUI-based packet sniffing.
  • The FortiGate-6000 platform, including the FortiGate-6301F and the FortiGate-6501F does not support quarantining files to the internal hard disks. Instead you must set the quarantine function to quarantine files to FortiAnalyzer.
  • The management interfaces (mgmt1-3) do not support device detection for the networks they are connected to.
  • The FortiGate-6000 does not support configuring dedicated management interfaces using the config system dedicated-mgmt command or by enabling the dedicated-to management interface option.

IPsec VPN tunnels terminated by the FortiGate-6000

For a list of new FortiOS 5.6.6 FortiGate-6000 IPsec VPN features and a list of IPsec VPN features not supported by FortiOS 5.6.6 FortiGate-6000 IPsec VPN, see New IPsec VPN features.

SSL VPN

Sending all SSL VPN sessions to the primary (master) FPC is recommended. You can do this by:

  • Creating a flow rule that sends all sessions that use the SSL VPN destination port and IP address to the primary FPC.
  • Creating flow rules that send all sessions that use the SSL VPN IP pool addresses to the primary FPC.

Traffic shaping

You can only configure traffic shaping from the CLI. Each FPC applies traffic shaping quotas independently. Traffic is first load balanced to the FPCs and then traffic shaping is applied by the FPC to the traffic load balanced to it.This may result in traffic shaping allowing more traffic than expected.

DDoS quotas

Each FPC applies DDoS quotas independently. Traffic is first load balanced to the FPCs and then DDoS quotas are applied by the FPC to the traffic load balanced to it. This may result in DDoS quotas being less effective than expected.

FortiGuard web filtering and spam filtering

The FortiGate-6000 sends all FortiGuard web filtering and spam filtering rating queries through a management interface from the management VDOM.

Web filtering quotas

On a VDOM operating with the Inspection Mode set to Proxy, you can go to Security Profiles > Web Filter and set up Category Usage Quotas. Each FPC has its own quota, and the FortiGate-6000 applies quotas per FPC and not per the entire FortiGate-6000 system. This could result in quotas being exceeded if sessions for the same user are processed by different FPCs.

Log messages include a slot field

An additional "slot" field has been added to log messages to identify the FPC that generated the log.

Special notice for new deployment connectivity testing

Only the management board can successfully ping external IP addresses. During a new deployment, while performing connectivity testing from the Fortigate-6000, make sure to run execute ping tests from the management board and not from an FPC. See Using data interfaces for management traffic for information about changes to this limitation.