FortiGate-6000 Handbook

What's New
- What's new for FortiGate-6000 6.0.15
- What's new for FortiGate-6000 6.0.14
- What's new for FortiGate-6000 6.0.13
- What's new for FortiGate-6000 6.0.12
- What's new for FortiGate-6000 6.0.10
- What's new for FortiGate-6000 6.0.9
- What's new for FortiGate-6000 6.0.8
- What's new for FortiGate-6000 6.0.6
- What's new for FortiGate-6000 6.0.4
FortiGate-6000 overview
- Front panel interfaces
- FortiGate-6000 schematic
- Interface groups and changing data interface speeds
Getting started with FortiGate-6000
- Confirming startup status
- Restarting the FortiGate-6000
- Configuration synchronization
  - Confirming that FortiGate-6000 components are synchronized
  - Viewing more details about FortiGate-6000 synchronization
- FortiGate-6000 dashboard widgets
- Default VDOM configuration and configuring the management interfaces
- Using data interfaces for management traffic
- Setting the MTU for a data interface
- More management connections than expected for one device
- More ARP queries than expected for one device - potential issue on large WiFi networks
- Connecting to FPC CLIs using the console port
- Failover in a standalone FortiGate-6000
- Troubleshooting an FPC failure
- Restarting the FortiGate-6000
- Changing the FortiGate-6301F and 6501F log disk and RAID configuration
- Packet sniffing for FPC and management board packets
- Diagnose debug flow trace for FPC and management board activity
- NMI switch and NMI reset commands
- Showing how the DP3 processor will load balance a session
Managing individual FortiGate-6000 management boards and FPCs
- Special management port numbers
- HA mode special management port numbers
- Connecting to individual FPC consoles
- Connecting to individual FPC CLIs
- Connecting to individual FPC CLIs of the secondary FortiGate-6000 in an HA configuration
- Performing other operations on individual FPCs
Firmware upgrades
- Firmware upgrade basics
- Installing firmware on an individual FPC
- Installing firmware from the BIOS after a reboot
- Synchronizing the FPCs with the management board
Load balancing and flow rules
- Setting the load balancing method
- Flow rules for sessions that cannot be load balanced
- Determining the primary FPC
- SSL VPN load balancing
- FortiOS Carrier GTP load balancing
  - Optimizing NPU GTP performance
  - Enabling GTP load balancing
- ICMP load balancing
- Load balancing fragmented ICMP packets
- Adding flow rules to support DHCP relay
- Default configuration for traffic that cannot be load balanced
FortiGate-6000 IPsec VPN
- IPv4 and IPv6 IPsec VPN load balancing
- IPv6 IPsec VPN load balancing
- Configuring the FortiGate-6000 as a dialup IPsec VPN server
FortiGate-6000 high availability
- New HA features and changes
- Introduction to FortiGate-6000 FGCP HA
- Before you begin configuring HA
- Connect the HA1 and HA2 interfaces for HA heartbeat communication
  - Default HA heartbeat VLAN triple-tagging
  - HA heartbeat VLAN double-tagging
- Basic FortiGate-6000 HA configuration
- Confirming that the FortiGate-6000 HA cluster is synchronized
  - Viewing more details about HA cluster synchronization
- Primary FortiGate-6000 selection with override disabled (default)
- Primary FortiGate-6000 selection with override enabled
- Failover protection
- HA cluster firmware upgrades
- Distributed clustering
- Modifying heartbeat timing
- Changing how long routes stay in a cluster unit routing table
- Session failover (session-pickup)
- FortiGate-6000 FGSP
  - FGSP session synchronization options
  - Example FortiGate-6000 FGSP configuration
- Standalone configuration synchronization
- FortiGate-6000 VRRP HA
FortiLink support
ICAP support
SSL mirroring support
Configuring a FortiGate-6000 to operate in FIPS-CC mode
FortiGate-6000 v6.0.15 special features and limitations
FortiGate-6000 v6.0.14 special features and limitations
FortiGate-6000 v6.0.13 special features and limitations
FortiGate-6000 v6.0.12 special features and limitations
FortiGate-6000 v6.0.10 special features and limitations
FortiGate-6000 v6.0.9 special features and limitations
FortiGate-6000 v6.0.8 special features and limitations
FortiGate-6000 v6.0.6 special features and limitations
FortiGate-6000 v6.0.4 special features and limitations
FortiGate-6000 config CLI commands
FortiGate-6000 execute CLI commands
Change log

Home FortiGate-6000 6.0.15 FortiGate-6000 Handbook

6.0.15

HA heartbeat VLAN double-tagging

FortiGate-6000 HA supports HA heartbeat double-tagging to be compatible with third-party switches that do not support Fortinet's proprietary triple tagging format. HA heartbeat double-tagging has the following format:

TPID 0x8100 VLAN <vlan-id> (by default 999) + TPID 0x8100 VLAN 10/30 + ethernet packet

You can use the following commands to set the HA VLAN tagging mode to double-tagging, customize the outer TPID, and set the VLAN IDs for HA1 and HA2. Both FortiGates in the cluster must have the same VLAN tagging configuration.

config system ha

set ha-port-dtag-mode double-tagging

set ha-port-outer-tpid {0x8100 | 0x88a8 | 0x9100}

set hbdev-vlan-id <vlan>

set hbdev-second-vlan-id <vlan>

set ha-eth-type <ethertype>

end

Where:

ha-port-dtag-mode is set to double-tagging and the FortiGate-6000 uses the double-tagging format.

ha-port-outer-tipd sets the outer TPID to be compatible with the switch. The default outer TPID of 0x8100 is compatible with most third-party switches.

hbdev-vlan-id sets the outer VLAN ID used by HA1 interface heartbeat packets.

hbdev-second-vlan-id sets the outer VLAN ID used by HA2 interface heartbeat packets. The HA1 and HA2 interfaces must have different outer VLAN IDs if they are connected to the same switch.

ha-eth-type sets the HA heartbeat packet ethertype (default 8890) to be compatible with the switch.

Example double-tagging switch configuration

The following switch configuration is compatible with FortiGate-6000 HA heartbeat double tagging and with the default TPID of 0x8100.

The FortiGate-6000 HA heartbeat configuration is.

config system ha

set ha-port-dtag-mode double-tagging

set hbdev ha1 50 ha2 50

set hbdev-vlan-id 4091

set hbdev-second-vlan-id 4092

end

Example third-party switch configuration:

Switch interfaces 37 and 38 connect to the HA1 interfaces of both FortiGate-6000s.

interface Ethernet37

description **** FGT-6000F HA1 HA HB ****

speed forced 10000full

switchport access vlan 660

switchport trunk native vlan 4091

switchport mode dot1q-tunnel

interface Ethernet38

description **** FGT-6000F HA1 HA HB ****

speed forced 10000full

switchport access vlan 660

switchport trunk native vlan 4091

switchport mode dot1q-tunnel

Switch interfaces 39 and 40 connect to the HA2 interfaces of both FortiGate-6000s.

interface Ethernet39

description **** FGT-6000F HA2 HA HB ****

mtu 9214

speed forced 10000full

no error-correction encoding

switchport access vlan 770

switchport trunk native vlan 4092

switchport mode dot1q-tunnel

interface Ethernet42

description **** FGT-6000F HA2 HA HB ****

mtu 9214

speed forced 10000full

no error-correction encoding

switchport access vlan 770

switchport trunk native vlan 4092

switchport mode dot1q-tunnel