Special notices
This section highlights some of the operational changes that administrators should be aware of for FortiGate-7000 5.4.9 build 8110.
Limitations of installing FortiGate-6000 firmware from the BIOS after a reboot
A common method for resetting the configuration of a FortiGate involves installing firmware by restarting the FortiGate, interrupting the boot process, and using BIOS prompts to download a firmware image from a TFTP server. This process is also considered the best way to reset the configuration of your FortiGate.
Installing or upgrading FortiGate-6000 firmware in this way installs firmware on and resets the configuration of the management board only. The FPCs will continue to operate with their current configuration and firmware build. The FortiGate-6000 system does not synchronize firmware upgrades performed from the BIOS.
To also reset the FPCs, after installing firmware from the BIOS on the management board, install the same firmware image from the GUI or from the CLI using the execute restore image command. This operation synchronizes the same firmware build and reset configuration to the FPCs.
You could also manually install firmware on each individual FPC from the BIOS after a reboot, but this manual process is no more effective than installing the firmware a second time on the management board to trigger synchronization to the FPCs.
Special configuration required for SSL VPN
Using a FortiGate-6000 as an SSL VPN server requires you to manually add an SSL VPN load balance flow rule that configures the FortiGate-6000 to send all SSL VPN sessions to the primary (master) FPC. To match SSL VPN server traffic, the rule should include a destination port that matches the SSL VPN server listening port. A basic rule to allow SSL VPN traffic could be:
config load-balance flow-rule
edit 0
set status enable
set ether-type ipv4
set protocol tcp
set dst-l4port 10443-10443
set forward-slot master
set comment "ssl vpn server to primary FPC"
next
end
This flow rule matches all sessions sent to port 10443 (the default SSL VPN server listening port) and sends them to the primary FPC. This should match all of your SSL VPN traffic if you are using the default SSL VPN server listening port (10443). Note that the rule also matches any other session that uses 10443 as its destination port, so that traffic is sent to the primary FPC as well.
Adding the SSL VPN server IP address
You can add the IP address of the FortiGate-6000 interface that receives SSL VPN traffic to the SSL VPN flow rule so that the flow rule only matches traffic addressed to the SSL VPN server. For example, if the IP address of the interface is 172.25.176.32 and the SSL VPN flow rule ID is 26:
config load-balance flow-rule
edit 26
set status enable
set ether-type ipv4
set protocol tcp
set dst-addr-ipv4 172.25.176.32 255.255.255.0
set dst-l4port 10443-10443
set forward-slot master
set comment "ssl vpn server to primary FPC"
next
end
This flow rule will now only match SSL VPN sessions with 172.25.176.32 as the destination address and send all of these sessions to the primary FPC.
If you change the SSL VPN server listening port
If you have changed the SSL VPN server listening port to 20443, change the SSL VPN flow rule as follows. This example also sets the source interface to port12, which is the SSL VPN server interface, instead of adding the IP address of port12 to the configuration:
config load-balance flow-rule
edit 26
set status enable
set ether-type ipv4
set protocol tcp
set src-interface port12
set dst-l4port 20443-20443
set forward-slot master
set comment "ssl vpn server to primary FPC"
next
end
IPsec VPN phase 2 selectors
FortiGate-7000 IPsec VPNs require phase 2 selectors. The phase 2 selectors specify the IP addresses and netmasks of the source and destination subnets of the VPN. The phase 2 selectors are mandatory on the FortiGate-7000 and are used to make sure that all IPsec VPN traffic is sent to the primary (master) FPM.
Use the following command to add phase 2 selectors.
config vpn ipsec phase2-interface
edit "to_fgt2"
set phase1name <name>
set src-subnet <IP> <netmask>
set dst-subnet <IP> <netmask>
end
Where:
src-subnet is the subnet protected by the FortiGate that you are configuring and from which users connect to the destination subnet.
dst-subnet is the destination subnet behind the remote IPsec VPN endpoint.
Example basic IPsec VPN phase 2 configuration
In a simple configuration such as the one below, with an IPsec VPN between two remote subnets, you can add the phase 2 selectors by adding the subnets to the phase 2 configuration as shown.
Enter the following command to add the source and destination subnet phase 2 selectors to the FortiGate-7000 IPsec VPN phase 2 configuration.
config vpn ipsec phase2-interface
edit "to_fgt2"
set phase1name "to_fgt2"
set src-subnet 172.16.1.0 255.255.255.0
set dst-subnet 172.16.2.0 255.255.255.0
end
Example multiple subnet IPsec VPN phase 2 configuration
In a more complex configuration, such as the one below with a total of 5 subnets, you still need to use the phase 2 selectors to add all of the subnets to the phase 2 configuration. In this case you can create a firewall address for each subnet, add the addresses to address groups, and add the address groups to the phase 2 selectors.
Enter the following commands to create firewall addresses for each subnet.
config firewall address
edit "local_subnet_1"
set subnet 4.2.1.0 255.255.255.0
next
edit "local_subnet_2"
set subnet 4.2.2.0 255.255.255.0
next
edit "remote_subnet_3"
set subnet 4.2.3.0 255.255.255.0
next
edit "remote_subnet_4"
set subnet 4.2.4.0 255.255.255.0
next
edit "remote_subnet_5"
set subnet 4.2.5.0 255.255.255.0
end
And then put the five firewall addresses into two firewall address groups.
config firewall addrgrp
edit "local_group"
set member "local_subnet_1" "local_subnet_2"
next
edit "remote_group"
set member "remote_subnet_3" "remote_subnet_4" "remote_subnet_5"
end
Now, use the firewall address groups in the Phase 2 configuration:
config vpn ipsec phase2-interface
edit "to-fgt2"
set phase1name "to-fgt2"
set src-addr-type name
set dst-addr-type name
set src-name "local_group"
set dst-name "remote_group"
end
Recommended configuration for traffic that cannot be load balanced
The following flow rules are recommended to handle common forms of traffic that cannot be load balanced. These flow rules send GPRS (port 2123), SSL VPN, IPv4 and IPv6 IPsec VPN, ICMP and ICMPv6 traffic to the primary (or master) FPM.
The CLI syntax below just shows the configuration changes. All other options are set to their defaults. For example, the flow rule option that controls the FPM slot that sessions are sent to is forward-slot, and in all cases below forward-slot is set to its default setting of master. This setting sends matching sessions to the primary (or master) FPM.
config load-balance flow-rule
edit 20
set status enable
set ether-type ipv4
set protocol udp
set dst-l4port 2123-2123
next
edit 21
set status enable
set ether-type ip
set protocol tcp
set dst-l4port 10443-10443
set comment "ssl vpn to the primary FPM"
next
edit 22
set status enable
set ether-type ipv4
set protocol udp
set src-l4port 500-500
set dst-l4port 500-500
set comment "ipv4 ike"
next
edit 23
set status enable
set ether-type ipv4
set protocol udp
set src-l4port 4500-4500
set comment "ipv4 ike-natt src"
next
edit 24
set status enable
set ether-type ipv4
set protocol udp
set dst-l4port 4500-4500
set comment "ipv4 ike-natt dst"
next
edit 25
set status enable
set ether-type ipv4
set protocol esp
set comment "ipv4 esp"
next
edit 26
set status enable
set ether-type ipv6
set protocol udp
set src-l4port 500-500
set dst-l4port 500-500
set comment "ipv6 ike"
next
edit 27
set status enable
set ether-type ipv6
set protocol udp
set src-l4port 4500-4500
set comment "ipv6 ike-natt src"
next
edit 28
set status enable
set ether-type ipv6
set protocol udp
set dst-l4port 4500-4500
set comment "ipv6 ike-natt dst"
next
edit 29
set status enable
set ether-type ipv6
set protocol esp
set comment "ipv6 esp"
next
edit 30
set ether-type ipv4
set protocol icmp
set comment "icmp"
next
edit 31
set status enable
set ether-type ipv6
set protocol icmpv6
set comment "icmpv6"
next
edit 32
set ether-type ipv6
set protocol 41
end
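As an added example (not part of these release notes and not Fortinet's own tooling), the following Python script parses the FortiOS CLI snippets used in this section and checks the two things the SSL VPN flow rule, phase 2 selector and recommended flow rule sections describe: which forward-slot a given session ends up on under the load-balance flow rules, and whether every phase2-interface entry actually has phase 2 selectors set rather than the wildcard default. The sample configuration (the SSL VPN rule with a destination address and the recommended IPv4 IKE rule, plus a made-up "to_branch_no_selectors" entry), the session dictionaries, and the matching semantics (an unset option is a wildcard, rules are evaluated in ID order, ether-type ip covers both address families) are assumptions made for the example, not documented FortiGate behaviour.

```python
"""Offline checker for FortiGate-6000/7000 flow rules and IPsec phase 2 selectors (added example)."""
import ipaddress
import shlex

# Constructed sample: the SSL VPN rule with a destination address, the recommended IPv4
# IKE rule, and two phase 2 entries; "to_branch_no_selectors" is made up for this example.
SAMPLE_CONFIG = """
config load-balance flow-rule
    edit 26
        set status enable
        set ether-type ipv4
        set protocol tcp
        set dst-addr-ipv4 172.25.176.32 255.255.255.0
        set dst-l4port 10443-10443
        set forward-slot master
        set comment "ssl vpn server to primary FPC"
    next
    edit 22
        set status enable
        set ether-type ipv4
        set protocol udp
        set src-l4port 500-500
        set dst-l4port 500-500
    end
config vpn ipsec phase2-interface
    edit "to_fgt2"
        set phase1name "to_fgt2"
        set src-subnet 172.16.1.0 255.255.255.0
        set dst-subnet 172.16.2.0 255.255.255.0
    next
    edit "to_branch_no_selectors"
        set phase1name "to_branch"
    end
"""

def parse_fortios(text):
    """Parse config/edit/set/next/end into {table: {entry: {option: [values]}}}."""
    tables, stack = {}, []  # stack entries are [table name, current edit id]
    for line in text.splitlines():
        tok = shlex.split(line)  # keeps a quoted comment as one value
        if not tok:
            continue
        if tok[0] == "config":
            name = " ".join(tok[1:])
            tables.setdefault(name, {})
            stack.append([name, None])
        elif tok[0] == "edit":
            stack[-1][1] = tok[1]
            tables[stack[-1][0]].setdefault(tok[1], {})
        elif tok[0] == "set":
            table, entry = stack[-1]
            tables[table][entry][tok[1]] = tok[2:]
        elif tok[0] == "next":
            stack[-1][1] = None
        elif tok[0] == "end":
            stack.pop()
    return tables

def rule_matches(rule, sess):
    """Assumption: an unset option is no constraint; ether-type 'ip' covers IPv4 and IPv6."""
    if rule.get("status", ["enable"])[0] != "enable":
        return False
    et = rule.get("ether-type", ["ip"])[0]
    if et != "ip" and et != sess["ether_type"]:
        return False
    if "protocol" in rule and rule["protocol"][0] != sess["protocol"]:
        return False
    if "src-interface" in rule and rule["src-interface"][0] != sess.get("src_interface"):
        return False
    for opt, key in (("src-l4port", "src_port"), ("dst-l4port", "dst_port")):
        if opt in rule:
            lo, hi = (int(p) for p in rule[opt][0].split("-"))
            if not lo <= sess.get(key, -1) <= hi:
                return False
    if "dst-addr-ipv4" in rule:  # the mask decides how wide the address match is
        ip, mask = rule["dst-addr-ipv4"]
        net = ipaddress.ip_network(f"{ip}/{mask}", strict=False)
        if ipaddress.ip_address(sess["dst_ip"]) not in net:
            return False
    return True

def forward_slot(tables, sess):
    """Slot from the first matching rule in ID order (assumption); None = load balanced."""
    rules = tables.get("load-balance flow-rule", {})
    for rid in sorted(rules, key=int):
        if rule_matches(rules[rid], sess):
            return rules[rid].get("forward-slot", ["master"])[0]  # default per the notes
    return None

def phase2_missing_selectors(tables):
    """Phase 2 entries whose src or dst selector is still the wildcard default."""
    def side_ok(opts, side):
        if opts.get(f"{side}-addr-type", ["subnet"])[0] == "name":
            return f"{side}-name" in opts
        return opts.get(f"{side}-subnet", ["0.0.0.0", "0.0.0.0"]) != ["0.0.0.0", "0.0.0.0"]
    entries = tables.get("vpn ipsec phase2-interface", {})
    return [n for n, o in entries.items() if not (side_ok(o, "src") and side_ok(o, "dst"))]
```

Calling forward_slot with a TCP session to 172.25.176.32 port 10443 returns master, a UDP 500 to 500 session returns master through the IKE rule, and a session to port 443 returns None, meaning no flow rule claims it and it is load balanced normally. The 255.255.255.0 mask in the dst-addr-ipv4 example matches every address in 172.25.176.0/24, so a session to another host in that subnet on port 10443 is also sent to the primary FPC; a 255.255.255.255 mask would limit the rule to the single server address. phase2_missing_selectors reports the constructed entry that has no selectors, which is the condition the FortiGate-7000 phase 2 requirement is meant to prevent.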