Fortinet Document Library

FortiGate-7000 Handbook
What's new for FortiGate-7000 5.6.6

Version 5.6.6 enhancements include adding FortiOS 5.6.6 to the FortiGate-7000 platform. This release also includes bug fixes and improvements and the following new features.

  • Support for FortiOS 5.6.6 and most 5.6.6 features including FortiOS 5.6.6 GUI features.
  • You can configure new Resource Usage dashboard widgets to show CPU use, log rate, memory use, session creation rate, and the number of active sessions for individual FIMs, the management plane, the data plane and the security fabric.
  • The Security Fabric dashboard widget shows high level status and configuration information for all of the FPMs.
  • The Sensor Information dashboard widget displays temperature information and allows you to drill down for information about individual temperature sensors.
  • DP2 firmware upgrade.
  • VRRP support.
  • The management VDOM is now named mgmt-vdom (was dmgmt-vdom).
  • The diagnose sniffer packet command now shows the name of the FPM that processed the packet.
  • You can now use the execute ping and execute traceroute commands from an FIM CLI to an external destination.
  • FIMs directly query LDAP/FSSO/RADIUS servers. These queries no longer have to go through the management VDOM.
  • The Route Monitor displays accurate routing information.
  • SNMP integration improvements including new MIBs.
  • The following FortiOS 5.6.6 features are not supported:
    • SD-WAN
    • Some IPsec VPN features
    • Policy learning mode
    • HA dedicated management interfaces

New IPsec VPN features

FortiOS 5.6.6 includes the following IPsec VPN improvements:

  • Including a phase 2 selector is no longer mandatory.
  • Dynamic routing (RIP, OSPF, BGP) is supported over IPsec VPN tunnels.

IPsec VPN features supported by FortiOS 5.6.6 for FortiGate-7000

FortiOS 5.6.6 for FortiGate-7000 supports the following IPsec VPN features.

  • Interface-based IPsec VPN (also called route-based IPsec VPN).
  • Static routes can point to IPsec VPN interfaces.
  • Dynamic routing (RIP, OSPF, BGP) over IPsec VPN tunnels.
  • Remote networks with 16- to 32-bit netmasks.
  • IPsec VPN tunnels must terminate on the primary FPM (the ELBC master).
  • Site-to-Site IPsec VPN.
  • Dialup IPsec VPN. The FortiGate-7000 can be the dialup server or client.
  • IPv4 clear-text traffic (IPv4 over IPv4 or IPv4 over IPv6).

IPsec VPN features not supported by FortiOS 5.6.6 for FortiGate-7000

FortiOS 5.6.6 for FortiGate-7000 does not support the following IPsec VPN features.

  • Policy-based IPsec VPN.
  • Policy routes for VPN traffic.
  • Remote networks with 0- to 15-bit netmasks.
  • IPv6 clear-text traffic (IPv6 over IPv4 or IPv6 over IPv6).
  • Load-balancing IPsec VPN tunnels to multiple FPMs.
  • IPsec SA synchronization between both FortiGate-7000s in an HA configuration.

New High Availability features and changes

Configuring FortiGate-7000 HA has been simplified for FortiOS 5.6.6. To set up HA, you no longer have to configure HA settings for both of the FIMs in a FortiGate-7000. Instead, you configure HA settings on the primary FIM and this configuration is synchronized to the other FIM.

As well, FortiGate-7000 HA is configured and operates more like standard FGCP HA. The link failure threshold concept that was part of FortiGate-7000 for FortiOS 5.4 has been removed and board failover tolerance has been simplified. As well, primary unit selection has been simplified to be more like FGCP primary unit selection.

FortiOS 5.6.6 also includes the following new features and changes:

  • The System > HA GUI page now appears and can be used to configure most HA settings.
  • You can configure HA interface monitoring (or port monitoring) to detect link failures.
  • You can configure HA remote link failover (also called remote IP monitoring) to detect remote link failures using the following options:
    • Enable remote IP monitoring with the pingserver-monitor-interface option.
    • Set the remote IP monitoring failover threshold with the pingserver-failover-threshold option.
    • Force the cluster to negotiate after a remote IP monitoring failover with the pingserver-slave-force-reset option.
    • Adjust the time to wait in minutes before renegotiating after a remote IP monitoring failover with the pingserver-flip-timeout option.
  • You can use the get system ha status command to display HA status. The diagnose sys ha status command is no longer available.
  • The diagnose sys ha force-slave-state command is no longer available. To force the primary FortiGate-7000 into a secondary (or slave) state you can use the diagnose sys ha reset-uptime command.
  • The HA link-failure-threshold option has been removed.
  • The board-failover-tolerance option has been simplified and determines how the cluster responds to failed FIMs.
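The remote IP monitoring options listed above, as an added configuration example that is not part of the handbook. It assumes the ping servers are defined with config system link-monitor and its ha-priority setting, as on standard FortiGate units running FortiOS 5.6; the interface names (port1, port2), the probed addresses, and the timer and threshold values are constructed placeholders to adapt to your deployment. Confirm the exact syntax against the CLI reference for your firmware build.

```fortios
# Added example (not from the handbook): remote IP monitoring for FortiGate-7000 HA, FortiOS 5.6.6.
# Interface names, addresses, timers and thresholds are constructed placeholders.

# 1. Define the ping servers to watch. Each monitor carries an ha-priority; the
#    priorities of failed monitors are summed and compared against the HA threshold
#    (assumed behaviour, matching standard FortiGate remote IP monitoring).
config system link-monitor
    edit "mon-wan-gw"
        set srcintf "port1"            # interface the probes leave from (assumed name)
        set server "203.0.113.1"       # upstream gateway to probe (documentation address)
        set protocol ping
        set interval 5                 # seconds between probes
        set failtime 5                 # consecutive lost probes before the server counts as down
        set ha-priority 1
        set status enable
    next
    edit "mon-dmz-gw"
        set srcintf "port2"
        set server "198.51.100.1"
        set protocol ping
        set interval 5
        set failtime 5
        set ha-priority 1
        set status enable
    next
end

# 2. Enable remote IP monitoring in the HA configuration. On the FortiGate-7000
#    these settings are entered on the primary FIM and synchronized to the other FIM.
config system ha
    set pingserver-monitor-interface "port1" "port2"
    # With both monitors at ha-priority 1, a threshold of 2 means the cluster fails
    # over only when both gateways are unreachable; losing one gateway is tolerated.
    set pingserver-failover-threshold 2
    # After a remote IP monitoring failover, force the cluster to renegotiate so it
    # settles on the unit whose upstream links are working.
    set pingserver-slave-force-reset enable
    # Wait 60 minutes before renegotiating again, damping a flapping gateway.
    set pingserver-flip-timeout 60
end
```

Setting the threshold equal to the sum of all monitor priorities, as here, is the conservative choice: a single misbehaving probe target cannot trigger a failover on its own. Lower the threshold (or raise the ha-priority of a critical gateway) when loss of that one path should move traffic to the other FortiGate-7000.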
