FortiGate-7000 Handbook

Introduction

This document describes what you need to know to get started using a FortiGate-7000 product. Also included are details about CLI commands that are specific to FortiGate-7000 products.

This FortiOS Handbook chapter contains the following sections:

FortiGate-7000 overview provides a quick overview of FortiGate-7000 components.

Getting started with FortiGate-7000 describes how to get started with managing and configuring your FortiGate-7000 product.

Operating a FortiGate-7000 describes some FortiGate-7000 general operating procedures.

FortiGate-7000 IPsec VPN describes FortiGate-7000-specific IPsec VPN considerations.

High availability describes how to set up FortiGate-7000 high availability.

FortiGate-7000 v5.4.9 special features and limitations describes some special limitations of FortiGate-7000 running FortiOS v5.4.9.

FortiGate-7000 v5.4.5 special features and limitations describes some special limitations of FortiGate-7000 running FortiOS v5.4.5.

FortiGate-7000 v5.4.3 special features and limitations describes some special limitations of FortiGate-7000 running FortiOS v5.4.3.

FortiGate-7000 load balancing commands describes FortiGate-7000 load balancing CLI commands.

What's new for FortiGate-7000 v5.4.9 build 8110

Version 5.4.9 mainly brings FortiOS 5.4.9 to the FortiGate-7000 platform. This release also includes bug fixes and improvements and one additional new feature.

Brief logging mode

Brief logging mode, a carrier grade NAT (CGN) feature, removes some fields from log messages to reduce log message size. Smaller log messages reduce disk space usage and remote logging network bandwidth usage. Brief logging mode is useful if your FortiGate-7000 system generates a large volume of log messages.

Use the following command to enable brief logging mode for all logging:

config log setting
    set brief-traffic-format enable
end

What's new for FortiGate-7000 v5.4.5 build 8047

The following new features have been added to FortiGate-7000 v5.4.5.

The maximum number of user groups has been increased to 5,000 (460857)

On a FortiGate-7000, you can now configure up to 5,000 user groups.

Log field extension policy-name and meta-field (461783 455441)

An option to include the policy name field in traffic logs has been added (log-policy-name). An option to add a meta-field tag to all logs has also been added (custom-field and custom-log-fields; see below). This meta-field can be used to identify the FortiGate that sent the logs, for example:

config log setting
    set log-policy-name enable
end

config log custom-field
    edit "cust-field"
        set name "MyFortiGate"
        set value "111"
    end

config log setting
    set custom-log-fields "cust-field"
end
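The following is an added example, not part of the handbook or of any Fortinet tool, showing how a log collector can use the two new fields. It parses FortiGate key=value log lines, groups them by the meta-field that identifies the sending device, and reports which devices are still emitting traffic logs without a policyname field (that is, where log-policy-name is not yet enabled). The sample lines are constructed, and it is assumed that the custom field from the configuration above appears in the log as MyFortiGate=111, the usual FortiGate field syntax.

```python
import re
from collections import defaultdict

# Constructed sample lines (not captured from a real device). The meta-field configured
# with "config log custom-field" is assumed to be emitted as <name>=<value>.
SAMPLE_LOGS = [
    'date=2018-03-01 time=10:15:01 devname="FG7K-A" logid="0000000013" type="traffic" '
    'subtype="forward" srcip=4.2.6.10 dstip=4.2.0.5 dstport=443 action="accept" '
    'policyid=12 policyname="branch-to-dc" MyFortiGate=111',
    'date=2018-03-01 time=10:15:02 devname="FG7K-B" logid="0000000013" type="traffic" '
    'subtype="forward" srcip=4.2.7.22 dstip=4.2.0.9 dstport=22 action="deny" '
    'policyid=0 policyname="implicit deny" MyFortiGate=222',
    # Same device, but this line carries no policyname: log-policy-name not in effect.
    'date=2018-03-01 time=10:15:03 devname="FG7K-B" logid="0000000013" type="traffic" '
    'subtype="forward" srcip=4.2.7.23 dstip=4.2.0.9 dstport=22 action="deny" '
    'policyid=0 MyFortiGate=222',
]

# key=value pairs; a value is either a double-quoted string (may contain spaces)
# or a run of non-whitespace characters.
FIELD_RE = re.compile(r'(\w+)=("([^"]*)"|(\S+))')


def parse_fortigate_log(line):
    """Parse one FortiGate key=value log line into a dict, removing quotes from values."""
    fields = {}
    for m in FIELD_RE.finditer(line):
        key = m.group(1)
        fields[key] = m.group(3) if m.group(3) is not None else m.group(4)
    return fields


def index_by_source(lines, meta_field="MyFortiGate"):
    """Group parsed logs by the meta-field value that identifies the sending FortiGate.

    Lines without the meta-field are filed under "unknown" so they are not silently lost."""
    grouped = defaultdict(list)
    for line in lines:
        fields = parse_fortigate_log(line)
        grouped[fields.get(meta_field, "unknown")].append(fields)
    return dict(grouped)


def policy_name_coverage(lines, meta_field="MyFortiGate"):
    """Per sending device, count traffic logs with and without a policyname field.

    A device with a non-zero "without" count still needs "set log-policy-name enable"."""
    stats = defaultdict(lambda: {"with": 0, "without": 0})
    for line in lines:
        fields = parse_fortigate_log(line)
        if fields.get("type") != "traffic":
            continue
        device = fields.get(meta_field, "unknown")
        stats[device]["with" if "policyname" in fields else "without"] += 1
    return dict(stats)


if __name__ == "__main__":
    for device, counts in sorted(policy_name_coverage(SAMPLE_LOGS).items()):
        print(f"device {device}: {counts['with']} with policyname, "
              f"{counts['without']} without")
```

Values that contain spaces, such as policyname="implicit deny", are only recovered correctly because the parser handles the quoted form first; a naive split on whitespace would break them.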

M1 and M2 interfaces can use different VLANs for heartbeat traffic (408386)

The M1 and M2 interfaces can be configured to use different VLANs for HA heartbeat traffic. Normally you would keep M1 and M2 traffic on separate links, in which case their VLAN IDs do not need to change. If the M1 and M2 interfaces are connected to the same switch and their traffic cannot be separated, or if the default VLAN IDs are not available, you can set a different VLAN ID for each interface.

Use the following command to set the M1 and M2 interfaces to use different VLANs:

config system ha
    set hbdev M1/M2
    set hbdev-vlan-id 991
    set hbdev-second-vlan-id 992
end

For this configuration to work, hbdev-vlan-id must be changed; the default value of 999 cannot be used.

GTP load balancing

GTP load balancing is supported for FortiGate-7000 configurations licensed for FortiOS Carrier. Use the following command to enable GTP load balancing. This command is only available after the FortiGate-7000 has been licensed for FortiOS Carrier.

config load-balance setting
    set gtp-load-balance enable
end

FSSO user authentication synchronization

FSSO user authentication is synchronized to all FPMs. Users authenticated through FSSO no longer have to re-authenticate when load balancing distributes their session to a different FPM.

HA link failure threshold changes (422264)

The link failure threshold is now determined from all FIMs in a chassis. This means that the chassis with the fewest active links becomes the backup chassis.

FortiGate-7000s running FortiOS v5.4.5 can be configured as dialup IPsec VPN servers

The following shows how to set up a dialup IPsec VPN configuration where the FortiGate-7000 running v5.4.5 acts as the dialup IPsec VPN server.

Configure phase 1 and set type to dynamic. Note that with peertype set to any, every peer that knows the pre-shared key can bring up a tunnel, so protect the key accordingly and restrict peers (for example by peer ID or certificate) where your environment allows.

config vpn ipsec phase1-interface
    edit dialup-server
        set type dynamic
        set interface "v0020"
        set peertype any
        set psksecret <password>
    end

Configure phase 2. To support dialup IPsec VPN, set the destination subnet to 0.0.0.0 0.0.0.0 so that any subnet advertised by a dialup client is accepted.

config vpn ipsec phase2-interface
    edit dialup-server
        set phase1name dialup-server
        set src-subnet 4.2.0.0 255.255.0.0
        set dst-subnet 0.0.0.0 0.0.0.0
    end

To configure the remote FortiGate as a dialup IPsec VPN client

The dialup IPsec VPN client advertises its local subnet(s) to the server using the phase 2 src-subnet option.

Note: If there are multiple local subnets, create a phase 2 for each one. Each phase 2 advertises only one local subnet to the dialup IPsec VPN server. If more than one local subnet is added to a phase 2, only the first one is advertised to the server.

Dialup client configuration:

config vpn ipsec phase1-interface
    edit "to-fgt7k"
        set interface "v0020"
        set peertype any
        set remote-gw 1.2.0.1
        set psksecret <password>
    end

config vpn ipsec phase2-interface
    edit "to-fgt7k"
        set phase1name "to-fgt7k"
        set src-subnet 4.2.6.0 255.255.255.0
        set dst-subnet 4.2.0.0 255.255.0.0
    next
    edit "to-fgt7k-2"
        set phase1name "to-fgt7k"
        set src-subnet 4.2.7.0 255.255.255.0
        set dst-subnet 4.2.0.0 255.255.0.0
    end
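The following is an added example, not part of the handbook and not Fortinet code, that checks the server and client phase 2 selectors above against each other before they are deployed. It models why the server's dst-subnet must be 0.0.0.0 0.0.0.0: a client's proposed selectors are accepted only if they fit inside the server's, with the directions mirrored (the client's src-subnet must fall within the server's dst-subnet and the client's dst-subnet within the server's src-subnet). It also models the note that a phase 2 with several local subnets advertises only the first. The model is a simplification (it assumes plain containment and does not model IKEv2 selector narrowing); the narrowed server configuration is constructed for the counter-example and is not on the page.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Phase2:
    name: str
    src_subnet: str  # "address mask", as typed in the FortiOS CLI
    dst_subnet: str


def to_network(subnet):
    """Convert a FortiOS 'address mask' pair (e.g. '4.2.0.0 255.255.0.0') to an ip_network."""
    addr, mask = subnet.split()
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


def server_accepts(server, client):
    """True if the client's proposed phase 2 selectors fit inside the server's phase 2.

    Directions are mirrored: traffic the client sends from its src-subnet arrives at the
    server as traffic to the server's dst-subnet, and vice versa. Simplified model:
    exact containment only, no narrowing."""
    return (to_network(client.src_subnet).subnet_of(to_network(server.dst_subnet))
            and to_network(client.dst_subnet).subnet_of(to_network(server.src_subnet)))


def accepted_phase2s(server, clients):
    """Names of the client phase 2 definitions the server would accept."""
    return [c.name for c in clients if server_accepts(server, c)]


def advertised_subnets(src_subnets_per_phase2):
    """Model the note above: each client phase 2 advertises only its first src-subnet.

    src_subnets_per_phase2 maps a phase 2 name to the list of local subnets added to it."""
    return {name: subs[0] for name, subs in src_subnets_per_phase2.items() if subs}


# Server phase 2 from the page: dst-subnet 0.0.0.0/0 accepts any client subnet.
SERVER = Phase2("dialup-server", "4.2.0.0 255.255.0.0", "0.0.0.0 0.0.0.0")

# Client phase 2 definitions from the page: one per local subnet.
CLIENT = [
    Phase2("to-fgt7k", "4.2.6.0 255.255.255.0", "4.2.0.0 255.255.0.0"),
    Phase2("to-fgt7k-2", "4.2.7.0 255.255.255.0", "4.2.0.0 255.255.0.0"),
]

# Constructed counter-example (not from the page): a server whose dst-subnet was
# narrowed to the first client subnet only, so the second site cannot connect.
NARROW_SERVER = Phase2("dialup-server", "4.2.0.0 255.255.0.0", "4.2.6.0 255.255.255.0")


if __name__ == "__main__":
    print("page config accepts:", accepted_phase2s(SERVER, CLIENT))
    print("narrowed server accepts:", accepted_phase2s(NARROW_SERVER, CLIENT))
    print("advertised:", advertised_subnets(
        {"to-fgt7k": ["4.2.6.0 255.255.255.0", "4.2.7.0 255.255.255.0"]}))
```

Run against the page's values, both client phase 2 definitions are accepted; with the narrowed server only to-fgt7k is, which is the symptom you would see as a phase 2 negotiation failure from the second site.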