FortiGate-6000 Handbook

FortiGate-6000 v7.0.5 special features and limitations

This section describes special features and limitations for FortiGate-6000 v7.0.5.

Caution

The FortiGate-6000 uses the Fortinet Security Fabric for communication and synchronization between the management board and the FPCs and for normal GUI operation. By default, the Security Fabric is enabled and must remain enabled for normal operation.

Remote console limitations

Some console input may not function as expected. For example, when you connect to an FPC console remotely using Telnet and open the BIOS menu, pressing the H key to display the BIOS menu help does not always work.

Default management VDOM

By default the FortiGate-6000 configuration includes a management VDOM named mgmt-vdom. The ha1, ha2, mgmt1, mgmt2, and mgmt3 interfaces are in mgmt-vdom and all other interfaces are in the root VDOM. For the FortiGate-6000 system to operate normally, mgmt-vdom must always be the management VDOM. You also must not remove interfaces from this VDOM. You can change the IP addresses of the interfaces in mgmt-vdom, allow the required management services, and add routes as required for management traffic.

You have full control over the configurations of other FortiGate-6000 VDOMs.

Maximum number of LAGs and interfaces per LAG

FortiGate-6000 systems support up to 16 link aggregation groups (LAGs). This includes both normal link aggregation groups and redundant interfaces. A FortiGate-6000 LAG can include up to 20 interfaces.

Enhanced MAC (EMAC) VLAN support

FortiGate-6000 supports the enhanced MAC (EMAC) VLAN feature. EMAC VLANs let you configure multiple virtual interfaces on a single physical interface, each with its own MAC address (and therefore its own IP address).

For more information about EMAC VLAN support, see Enhanced MAC VLANs.

Use the following command to configure an EMAC VLAN:

config system interface
    edit <interface-name>
        set type emac-vlan
        set vlan-id <VLAN-ID>
        set interface <physical-interface>
    end

IP Multicast

IPv4 and IPv6 multicast traffic is sent only to the primary FPC. This is controlled by the following flow-rule configuration, which matches the IPv4 multicast range (224.0.0.0 with mask 240.0.0.0, that is 224.0.0.0/4) and the IPv6 multicast range (ff00::/8) and forwards both to the master slot:

config load-balance flow-rule
    edit 15
        set status enable
        set vlan 0
        set ether-type ipv4
        set src-addr-ipv4 0.0.0.0 0.0.0.0
        set dst-addr-ipv4 224.0.0.0 240.0.0.0
        set protocol any
        set action forward
        set forward-slot master
        set priority 5
        set comment "ipv4 multicast"
    next
    edit 16
        set status enable
        set vlan 0
        set ether-type ipv6
        set src-addr-ipv6 ::/0
        set dst-addr-ipv6 ff00::/8
        set protocol any
        set action forward
        set forward-slot master
        set priority 5
        set comment "ipv6 multicast"
    end

High Availability

Only the HA1 and HA2 interfaces are used for the HA heartbeat communication. For information on how to set up HA heartbeat communication using the HA1 and HA2 interfaces, see Connect the HA1 and HA2 interfaces for HA heartbeat communication.

The following FortiOS HA features are not supported or are supported differently by FortiGate-6000:

  • Active-active HA is not supported.
  • The range for the HA group-id is 0 to 31.
  • Failover logic for FortiGate-6000 HA is the same as FGCP for other FortiGate clusters.
  • HA heartbeat configuration is specific to FortiGate-6000 systems and differs from standard HA.
  • FortiGate-6000 HA does not support the route-wait and route-hold options for tuning route synchronization between FortiGate-6000s.
  • VLAN monitoring using the config system ha-monitor command is not supported.
  • FortiGate-6000 HA does not support using the HA session-sync-dev option. Instead, session synchronization traffic uses the HA1 and HA2 interfaces, separating session sync traffic from data traffic.

Virtual clustering

For information about virtual clustering limitations, see Limitations of FortiGate-6000 virtual clustering and Virtual clustering VLAN/VDOM limitation.

The source-ip option for management services

FortiGate-6000 SLBC does not support the source-ip option for management services (for example, logging, SNMP, connecting to FortiSandbox) that use interfaces in the mgmt-vdom. If you enable the source-ip option, communication will not work.

For example, when adding a host to an SNMP community, if you configure the source-ip option, the SNMP manager corresponding to this host will not receive traps from the FortiGate-6000 or be able to send SNMP queries to the FortiGate-6000.

FortiOS features that are not supported by FortiGate-6000 v7.0.5

The following mainstream FortiOS features are not supported by the FortiGate-6000:

  • Hardware switch
  • IPv6 clear text traffic over IPv4 or IPv6 IPsec tunnels terminated on the FortiGate-6000 is not supported. This limitation does not affect IPv4 clear text traffic over IPv4 or IPv6 IPsec tunnels terminated on the FortiGate-6000. This limitation also does not affect any pass through IPsec tunnel traffic that does not terminate on the FortiGate-6000.

  • GRE tunneling is only supported after creating a load balance flow rule that forwards GRE traffic (IP protocol 47) to the primary FPC, for example:

config load-balance flow-rule
    edit 0
        set status enable
        set vlan 0
        set ether-type ip
        set protocol gre
        set action forward
        set forward-slot master
        set priority 3
    end

  • Only the FortiGate-6301F and the FortiGate-6501F support hard disk features such as disk logging and GUI-based packet sniffing.
  • The FortiGate-6000 platform, including the FortiGate-6301F and the FortiGate-6501F, does not support quarantining files to the internal hard disks. Instead, you must configure the quarantine function to quarantine files to FortiAnalyzer.
  • The management interfaces (mgmt1-3) do not support device detection for the networks they are connected to.
  • The FortiGate-6000 does not support configuring dedicated management interfaces using the config system dedicated-mgmt command or by enabling the dedicated-to management interface option. The purpose of the dedicated management interface feature is to add a routing table just for management connections. This functionality is supported by the FortiGate-6000 management VDOM (mgmt-vdom) that has its own routing table and contains all of the FortiGate-6000 management interfaces.
  • The FortiOS session-ttl option never (which means no session timeout) is only supported if the dp-load-distribution-method is set to src-dst-ip-sport-dport (the default) or src-dst-ip and the firewall policy that accepts the session does not perform NAT. If any other load distribution method is used, or if NAT is enabled, the DP session timer will terminate the session according to the DP processor session timer. For more information about the never option, see No session timeout.
  • Enabling the system settings option tcp-session-without-syn and configuring a firewall policy to accept sessions without SYN packets allows FortiOS to add entries to its session table for sessions that do not include SYN packets. These sessions can only be load balanced by the DP processor if the dp-load-distribution-method is set to src-dst-ip-sport-dport (the default) or src-dst-ip. If any other load distribution method is used, the sessions are dropped. The DP processor also cannot load balance these sessions if they are accepted by a firewall policy with NAT enabled.
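The multicast flow rules in the IP Multicast section and the GRE flow rule above both work the same way: a traffic class is matched by ether-type, protocol and address range, and pinned to the primary FPC with forward-slot master. The following Python script is an added example and is not Fortinet code or part of FortiOS: it parses that CLI text and reports which rules a given packet matches, so you can check offline what the address masks actually cover (for instance that 224.0.0.0 with mask 240.0.0.0 is exactly 224.0.0.0/4, and that 240.0.0.1 falls outside it) and that GRE from any address is caught. The sample packets are constructed; treating vlan 0 as "any VLAN", ether-type ip as "IPv4 or IPv6" and an unset address field as "match anything" are assumptions about FortiOS semantics, and rule priority ordering is not modelled.

```python
import ipaddress

# The multicast rules (15, 16) and the GRE rule (0) from this page, copied
# into a string so the parser below can run offline.
PAGE_FLOW_RULES = """
config load-balance flow-rule
    edit 15
        set status enable
        set vlan 0
        set ether-type ipv4
        set src-addr-ipv4 0.0.0.0 0.0.0.0
        set dst-addr-ipv4 224.0.0.0 240.0.0.0
        set protocol any
        set action forward
        set forward-slot master
        set priority 5
        set comment "ipv4 multicast"
    next
    edit 16
        set status enable
        set vlan 0
        set ether-type ipv6
        set src-addr-ipv6 ::/0
        set dst-addr-ipv6 ff00::/8
        set protocol any
        set action forward
        set forward-slot master
        set priority 5
        set comment "ipv6 multicast"
    next
    edit 0
        set status enable
        set vlan 0
        set ether-type ip
        set protocol gre
        set action forward
        set forward-slot master
        set priority 3
    end
"""

PROTOCOL_NUMBERS = {"gre": 47, "tcp": 6, "udp": 17, "icmp": 1}  # IANA numbers


def parse_flow_rules(cli_text):
    """Parse 'config load-balance flow-rule' CLI text into a list of dicts."""
    rules, cur = [], None
    for line in (raw.strip() for raw in cli_text.splitlines()):
        if line.startswith("edit "):
            cur = {"id": int(line[5:]), "src": None, "dst": None}
        elif line in ("next", "end") and cur is not None:
            rules.append(cur)
            cur = None
        elif cur is not None and line.startswith("set "):
            key, _, value = line[4:].partition(" ")
            if key.endswith("-ipv4"):  # FortiOS "address netmask" form
                value = ipaddress.ip_network("/".join(value.split()), strict=False)
            elif key.endswith("-ipv6"):
                value = ipaddress.ip_network(value, strict=False)
            elif key in ("vlan", "priority"):
                value = int(value)
            cur[key[:3] if key.endswith(("-ipv4", "-ipv6")) else key] = value
    return rules


def rule_matches(rule, pkt):
    """True if an enabled rule matches pkt = {'src', 'dst', 'proto'[, 'vlan']}.
    Assumed (not verified against FortiOS): vlan 0 means any VLAN, ether-type
    'ip' means IPv4 or IPv6, and an unset address field matches anything."""
    src, dst = ipaddress.ip_address(pkt["src"]), ipaddress.ip_address(pkt["dst"])
    versions = {"ipv4": {4}, "ipv6": {6}, "ip": {4, 6}, "any": {4, 6}}
    if rule.get("status") != "enable" or dst.version not in versions[rule["ether-type"]]:
        return False
    if rule.get("vlan", 0) and rule["vlan"] != pkt.get("vlan", 0):
        return False
    proto = rule.get("protocol", "any")
    if proto != "any" and PROTOCOL_NUMBERS[proto] != pkt["proto"]:
        return False
    if rule["src"] is not None and src not in rule["src"]:
        return False
    return rule["dst"] is None or dst in rule["dst"]


def matching_rule_ids(rules, pkt):
    """IDs of all rules matching pkt, in config order (priority not modelled)."""
    return [r["id"] for r in rules if rule_matches(r, pkt)]


RULES = parse_flow_rules(PAGE_FLOW_RULES)

# Constructed sample packets; addresses are from documentation ranges.
SAMPLE_PACKETS = {
    "igmp to 224.0.0.1":       {"src": "198.51.100.10", "dst": "224.0.0.1", "proto": 2},
    "unicast 223.255.255.255": {"src": "198.51.100.10", "dst": "223.255.255.255", "proto": 17},
    "class E 240.0.0.1":       {"src": "198.51.100.10", "dst": "240.0.0.1", "proto": 17},
    "ipv6 all-nodes ff02::1":  {"src": "2001:db8::1", "dst": "ff02::1", "proto": 58},
    "ipv6 unicast fe80::1":    {"src": "2001:db8::1", "dst": "fe80::1", "proto": 58},
    "gre over ipv4":           {"src": "198.51.100.1", "dst": "203.0.113.1", "proto": 47},
}
if __name__ == "__main__":
    for name, pkt in SAMPLE_PACKETS.items():
        ids = matching_rule_ids(RULES, pkt)
        print(f"{name:24} -> {'primary FPC via rules ' + str(ids) if ids else 'load balanced'}")
```

Run it directly to see, for each constructed packet, whether it is pinned to the primary FPC by one of the page's rules or left to normal load balancing. A multicast GRE packet (for example to 224.0.0.9 with protocol 47) matches both rule 15 and rule 0; since both forward to master the outcome is the same, but on a system where overlapping rules forward to different slots the priority ordering, which this script does not model, would decide.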

IPsec VPN tunnels terminated by the FortiGate-6000

For a list of IPsec VPN features not supported by FortiGate-6000, see FortiGate-6000 IPsec VPN.

SSL VPN

You can configure the FortiGate-6000 to load balance SSL VPN sessions terminated by the FortiGate-6000 to all FPCs. You can also disable SSL VPN load balancing and send all SSL VPN sessions terminated by the FortiGate-6000 to the primary FPC. For information about FortiGate-6000 SSL VPN support, see Setting up SSL VPN using flow rules.

Traffic shaping and DDoS policies

Each FPC applies traffic shaping and DDoS quotas independently: a shaper or DDoS threshold is enforced against the traffic that one FPC sees, not against the traffic of the whole system. Because sessions are load balanced across FPCs, the total traffic the FortiGate-6000 admits can exceed the configured limit, in the worst case by a factor of the number of FPCs processing that traffic.

FortiGuard web filtering and spam filtering queries

The FortiGate-6000 sends all FortiGuard web filtering and spam filtering rating queries through a management interface from the mgmt-vdom VDOM.

Web filtering quotas

On a VDOM operating with the Inspection Mode set to Proxy, you can go to Security Profiles > Web Filter and set up Category Usage Quotas. Each FPC has its own quota: the FortiGate-6000 applies quotas per FPC, not for the entire system, so a user whose sessions are processed by different FPCs can consume more than the configured quota.

Log messages include a slot field

An additional "slot" field has been added to log messages to identify the FPC that generated the log.

Special notice for new deployment connectivity testing

Only the management board can successfully ping external IP addresses. During a new deployment, while performing connectivity testing from the FortiGate-6000, make sure to run the execute ping command from the management board and not from an FPC. See Using data interfaces for management traffic for information about changes to this limitation.

Display the process name associated with a process ID

You can use the following command to display the process name associated with a process ID (PID):

diagnose sys process nameof <pid>

Where <pid> is the process ID.
