FortiGate-7000 Handbook

FortiGate-7000 v5.4.9 special features and limitations

This section describes special features and limitations for FortiGate-7000 v5.4.9.

Managing the FortiGate-7000

Management is only possible through the MGMT1 to MGMT4 front panel management interfaces. By default the MGMT1 to MGMT4 interfaces of the FIMs in slot 1 and slot 2 are in a single static aggregate interface named mgmt with IP address 192.168.1.99. You manage the FortiGate-7000 by connecting any one of these eight interfaces to your network, opening a web browser and browsing to https://192.168.1.99.

Note: The FortiGate-7030E has one FIM, so the MGMT1 to MGMT4 interfaces of that module are the only ones in the aggregate interface.

Default management VDOM

By default the FortiGate-7000 configuration includes a management VDOM named dmgmt-vdom. For the FortiGate-7000 system to operate normally you should not change the configuration of this VDOM and this VDOM should always be the management VDOM. You should also not add or remove interfaces from this VDOM.

You have full control over the configurations of other FortiGate-7000 VDOMs.

Maximum number of LAGs

FortiGate-7000 systems support up to 16 link aggregation groups (LAGs). This limit counts both normal link aggregation groups and redundant interfaces, including the redundant interface that contains the M1 to M4 management interfaces.

Firewall

TCP sessions with NAT enabled that are expected to be idle for longer than the distributed processing (DP) normal TCP timer (3605 seconds) should be distributed only to the master FPM, using a flow rule. You can configure the DP normal TCP timer with the following command:

config system global
    set dp-tcp-normal-timer <timer>
end

UDP sessions with NAT enabled that are expected to be idle for longer than the DP normal UDP timer should likewise be distributed only to the primary FPM, using a flow rule.

IP multicast

IPv4 and IPv6 multicast traffic is only sent to the primary FPM (usually the FPM in slot 3). This is controlled by the following configuration:

config load-balance flow-rule
    edit 18
        set status enable
        set vlan 0
        set ether-type ipv4
        set src-addr-ipv4 0.0.0.0 0.0.0.0
        set dst-addr-ipv4 224.0.0.0 240.0.0.0
        set protocol any
        set action forward
        set forward-slot master
        set priority 5
        set comment "ipv4 multicast"
    next
    edit 19
        set status enable
        set vlan 0
        set ether-type ipv6
        set src-addr-ipv6 ::/0
        set dst-addr-ipv6 ff00::/8
        set protocol any
        set action forward
        set forward-slot master
        set priority 5
        set comment "ipv6 multicast"
    next
end

High availability

Only the M1 and M2 interfaces are used for the HA heartbeat communication.

If you use the same switch for both M1 and M2, separate the M1 and M2 traffic on the switch and give the heartbeat traffic on the M1 and M2 interfaces different VLAN IDs. For example, use the following command to set the heartbeat traffic on M1 to VLAN ID 777 and the heartbeat traffic on M2 to VLAN ID 888:

config system ha
    set hbdev-vlan-id 777
    set hbdev-second-vlan-id 888
end

If you do not set different VLAN IDs for the M1 and M2 heartbeat packets, Q-in-Q must be enabled on the switch.

The following FortiOS HA features are not supported or are supported differently by FortiGate-7000 v5.4.5:

  • Remote IP monitoring (configured with the option pingserver-monitor-interface and related settings) is not supported.
  • Active-active HA is not supported.
  • The range for the HA group-id is 0 to 14.
  • Failover logic for FortiGate-7000 v5.4.5 HA is not the same as FGCP for other FortiGate clusters.
  • HA heartbeat configuration is specific to FortiGate-7000 systems and differs from standard HA.
  • FortiGate Session Life Support Protocol (FGSP) HA (also called standalone session synchronization) is not supported.
  • FortiGate-7000 HA does not support the route-ttl, route-wait, and route-hold options for tuning route synchronization between FortiGate-7000s.

Shelf manager module

It is not possible to access the SMM CLI using Telnet or SSH. Only console access is supported, using the chassis front panel console ports as described in the FortiGate-7000 system guide.

For monitoring purposes, IPMI over IP is supported on the SMM Ethernet ports. See your FortiGate-7000 system guide for details.

FortiOS features not supported by FortiGate-7000 v5.4.9

The following mainstream FortiOS 5.4.5 features are not supported by the FortiGate-7000 v5.4.9:

  • Hardware switch
  • Usage-based ECMP load balancing is not supported. If the config system settings v4-ecmp-mode option is set to usage-based, all traffic uses the first ECMP route instead of being load balanced among all ECMP routes. All other ECMP load balancing options are supported, including source-ip-based, weight-based, and source-dest-ip-based.
  • Switch controller
  • WiFi controller
  • WAN load balancing (SD-WAN)
  • IPv4 over IPv6, IPv6 over IPv4, IPv6 over IPv6 features
  • GRE tunneling is only supported after creating a load-balance flow rule, for example:

    config load-balance flow-rule
        edit 0
            set status enable
            set vlan 0
            set ether-type ip
            set protocol gre
            set action forward
            set forward-slot master
            set priority 3
        next
    end

  • Hard disk features, including WAN optimization, web caching, explicit proxy content caching, disk logging, and GUI-based packet sniffing.
  • The FortiGate-7000 platform only supports quarantining files to FortiAnalyzer.
  • Log messages should be sent only using the management aggregate interface.

IPsec VPN tunnels terminated by the FortiGate-7000

For a list of new FortiOS 5.4 FortiGate-7000 IPsec VPN features and a list of IPsec VPN features not supported by FortiOS 5.4 FortiGate-7000 IPsec VPN, see FortiGate-7000 IPsec VPN.

SSL VPN

Sending all SSL VPN sessions to the primary FPM is recommended. You can do this by:

  • Creating a flow rule that sends all sessions that use the SSL VPN destination port and IP address to the primary FPM.
  • Creating flow rules that send all sessions that use the SSL VPN IP pool addresses to the primary FPM.
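The following flow rules are an added illustration of the two recommendations above and of the earlier Firewall section's advice to pin long-idle NAT TCP sessions to the master FPM. They are not taken from the Fortinet handbook, and every address and port in them is a constructed placeholder: the SSL VPN listener is assumed to be 203.0.113.1 on TCP port 443, the SSL VPN IP pool is assumed to be 10.212.134.0/24, and the long-idle service is assumed to be SSH on 192.0.2.10. The keywords dst-l4port and src-l4port are assumed to be accepted by this release's flow-rule syntax; confirm them with "?" in your own CLI before committing, and choose edit IDs that do not collide with existing rules (edit 0 asks the CLI to assign the next free ID).

```text
config load-balance flow-rule
    edit 0
        set status enable
        set vlan 0
        set ether-type ipv4
        set src-addr-ipv4 0.0.0.0 0.0.0.0
        set dst-addr-ipv4 203.0.113.1 255.255.255.255
        set protocol tcp
        set dst-l4port 443-443
        set action forward
        set forward-slot master
        set priority 5
        set comment "ssl vpn listener (constructed example)"
    next
    edit 0
        set status enable
        set vlan 0
        set ether-type ipv4
        set src-addr-ipv4 10.212.134.0 255.255.255.0
        set dst-addr-ipv4 0.0.0.0 0.0.0.0
        set protocol any
        set action forward
        set forward-slot master
        set priority 5
        set comment "traffic from ssl vpn ip pool (constructed example)"
    next
    edit 0
        set status enable
        set vlan 0
        set ether-type ipv4
        set src-addr-ipv4 0.0.0.0 0.0.0.0
        set dst-addr-ipv4 10.212.134.0 255.255.255.0
        set protocol any
        set action forward
        set forward-slot master
        set priority 5
        set comment "traffic to ssl vpn ip pool (constructed example)"
    next
    edit 0
        set status enable
        set vlan 0
        set ether-type ipv4
        set src-addr-ipv4 0.0.0.0 0.0.0.0
        set dst-addr-ipv4 192.0.2.10 255.255.255.255
        set protocol tcp
        set dst-l4port 22-22
        set action forward
        set forward-slot master
        set priority 5
        set comment "long-idle nat tcp service (constructed example)"
    next
end
```

The pool is matched in both directions because the sessions that matter are the ones between VPN clients and internal hosts, which the FIMs would otherwise spread across FPMs by their own hashing. The fourth rule follows the same pattern for any NAT TCP service whose sessions are expected to stay idle longer than dp-tcp-normal-timer: after applying it, confirm with the session list on the master FPM that the long-idle sessions now land there and nowhere else.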

Traffic shaping and DDoS policies

Each FPM applies traffic shaping and DDoS quotas independently. Because sessions are load balanced across FPMs, the chassis as a whole may allow more traffic than a single quota value suggests.

Sniffer mode (one-arm sniffer)

One-arm sniffer mode is only supported after creating a load balance flow rule to direct sniffer traffic to a specific FPM.

FortiGuard web filtering

All FortiGuard rating queries are sent through the management aggregate interface from the management VDOM (named dmgmt-vdom).

Log messages include a slot field

An additional "slot" field has been added to log messages to identify the FPM that generated the log.

FortiOS Carrier

You have to apply a FortiOS Carrier license separately to each FIM and FPM to license a FortiGate-7000 chassis for FortiOS Carrier.

Special notice for new deployment connectivity testing

Only the primary FPM can successfully ping external IP addresses. During a new deployment, while performing connectivity testing from the FortiGate-7000, make sure to run execute ping tests from the primary FPM CLI.

Dedicated management interfaces not supported

The FortiGate-7000 does not support configuring dedicated management interfaces using the config system dedicated-mgmt command.