FortiGate-7000E Handbook

What's New
- What's new for FortiGate-7000 6.0.13
- What's new for FortiGate-7000 6.0.12
- What's new for FortiGate-7000 6.0.10
- What's new for FortiGate-7000 6.0.9
- What's new for FortiGate-7000 6.0.8
- What's new for FortiGate-7000 6.0.6
- What's new for FortiGate-7000 6.0.4
FortiGate-7000 overview
- FortiGate-7060E
- FortiGate-7040E
- FortiGate-7030E
- FIM-7901E interface module
- FIM-7904E interface module
- FIM-7910E interface module
- FIM-7920E interface module
- FPM-7620E processing module
- FPM-7630E processing module
Getting started with FortiGate-7000
- Multi VDOM mode
- Confirming startup status
- Configuration synchronization
  - Confirming that the FortiGate-7000 is synchronized
  - Viewing more details about FortiGate-7000 synchronization
- FortiGate-7000 dashboard widgets
- Setting up management connections
  - Adding a password to the admin administrator account
- Using data interfaces for management traffic
- Setting the MTU for a data interface
- More management connections than expected for one device
- More ARP queries than expected for one device - potential issue on large WiFi networks
- Replacing a failed FPM or FIM
- Resolving FIM or FPM boot device I/O errors
  - Formatting an FIM boot device and installing new firmware
  - Formatting an FPM boot device and installing new firmware
- Connecting to module CLIs using the System Management Module
- Failover in a standalone FortiGate-7000
- Changing data interface network settings
- Resetting to factory defaults
- Restarting the FortiGate-7000
- Packet sniffing for FIM and FPM packets
- Diagnose debug flow trace for FPM and FIM activity
- Showing how the DP2 processor will load balance a session
Managing individual FortiGate-7000 FIMs and FPMs
- Special management port numbers
- HA mode special management port numbers
- Managing individual FIMs and FPMs from the CLI
- Connecting to individual FIM and FPM CLIs of the secondary FortiGate-7000 in an HA configuration
Firmware upgrades
- Firmware upgrade basics
- Verifying that a firmware upgrade is successful
- Installing firmware on individual FIMs or FPMs
  - Upgrading the firmware on an individual FIM
  - Upgrading the firmware on an individual FPM
- Installing FIM firmware from the BIOS after a reboot
- Installing FPM firmware from the BIOS after a reboot
- Synchronizing FIMs and FPMs after upgrading the primary FIM firmware from the BIOS
Load balancing and flow rules
- Setting the load balancing method
- Flow rules for sessions that cannot be load balanced
- Determining the primary FPM
- SSL VPN load balancing
- FortiOS Carrier GTP load balancing
  - Optimizing NPU GTP performance
  - Enabling GTP load balancing
- ICMP load balancing
- Load balancing fragmented ICMP packets
- Adding flow rules to support DHCP relay
- Default configuration for traffic that cannot be load balanced
FortiGate-7000 IPsec VPN
- IPsec VPN load balancing
- Troubleshooting
FortiGate-7000 high availability
- New HA features and changes
- Introduction to FortiGate-7000 FGCP HA
- Before you begin configuring HA
- Connect the M1 and M2 interfaces for HA heartbeat communication
  - Default HA heartbeat VLAN triple-tagging
  - HA heartbeat VLAN double-tagging
- Basic FortiGate-7000 HA configuration
- Confirming that the FortiGate-7000 HA cluster is synchronized
  - Viewing more details about HA cluster synchronization
- Setting up HA management connections
- Primary FortiGate-7000 selection with override disabled (default)
- Primary FortiGate-7000 selection with override enabled
- Failover protection
  - Device failure
  - FIM failure
  - Link failure
  - FPM failure
  - Session failover
  - Primary FortiGate-7000 recovery
- HA cluster firmware upgrades
- Distributed clustering
- Modifying heartbeat timing
- Changing how long routes stay in a cluster unit routing table
- Session failover (session-pickup)
- Primary FortiGate-7000 selection
- Primary FortiGate-7000 selection and override
- Link failover (port monitoring or interface monitoring)
- Remote link failover
- FortiGate-7000 FGSP
  - FGSP session synchronization options
  - Example FortiGate-7000 FGSP configuration
- Standalone configuration synchronization
- FortiGate-7000 VRRP HA
FortiLink support
ICAP support
SSL mirroring support
FortiGate-7000 v6.0.13 special features and limitations
FortiGate-7000 v6.0.12 special features and limitations
FortiGate-7000 v6.0.10 special features and limitations
FortiGate-7000 v6.0.9 special features and limitations
FortiGate-7000 v6.0.8 special features and limitations
FortiGate-7000 v6.0.6 special features and limitations
FortiGate-7000 v6.0.4 special features and limitations
FortiGate-7000 config CLI commands
FortiGate-7000 execute CLI commands
Change log

Home FortiGate-7000 6.0.13 FortiGate-7000E Handbook

6.0.13

HA heartbeat VLAN double-tagging

FortiGate-7000 HA supports HA heartbeat double-tagging to be compatible with third-party switches that do not support Fortinet's proprietary triple tagging format. HA heartbeat double-tagging has the following format:

TPID 0x8100 VLAN <vlan-id> (by default 999) + TPID 0x8100 VLAN 10/30 + ethernet packet

You can use the following commands to set the HA VLAN tagging mode to double-tagging, customize the outer TPID, and set the VLAN IDs for M1 and M2. Both FortiGates in the cluster must have the same VLAN tagging configuration.

config system ha

set ha-port-dtag-mode double-tagging

set ha-port-outer-tpid {0x8100 | 0x88a8 | 0x9100}

set hbdev-vlan-id <vlan>

set hbdev-second-vlan-id <vlan>

set ha-eth-type <ethertype>

end

Where:

ha-port-dtag-mode is set to double-tagging and the FortiGate-7000 uses the double-tagging format.

ha-port-outer-tipd sets the outer TPID to be compatible with the switch. The default outer TPID of 0x8100 is compatible with most third-party switches.

hbdev-vlan-id sets the outer VLAN ID used by M1 interface heartbeat packets.

hbdev-second-vlan-id sets the outer VLAN ID used by M2 interface heartbeat packets. The M1 and M2 interfaces must have different outer VLAN IDs if they are connected to the same switch.

ha-eth-type sets the HA heartbeat packet ethertype (default 8890) to be compatible with the switch.

Example double-tagging switch configuration

The following switch configuration is compatible with FortiGate-7040E HA heartbeat double tagging and with the default TPID of 0x8100.

The FortiGate-7040E HA heartbeat configuration is.

config system ha

set ha-port-dtag-mode double-tagging

set hbdev "1-M1" 50 "2-M1" 50 "1-M2" 50 "2-M2" 50

set hbdev-vlan-id 4086

set hbdev-second-vlan-id 4087

end

Example third-party switch configuration:

Switch interfaces 37 to 40 connect to the M1 interfaces of the FIMs in both FortiGate-7040E chassis.

interface Ethernet37

description **** FGT-7000E M1 HA HB ****

speed forced 10000full

switchport access vlan 660

switchport trunk native vlan 4086

switchport mode dot1q-tunnel

interface Ethernet38

description **** FGT-7000E M1 HA HB ****

speed forced 10000full

switchport access vlan 660

switchport trunk native vlan 4086

switchport mode dot1q-tunnel

interface Ethernet39

description **** FGT-7000E M1 HA HB ****

speed forced 10000full

switchport access vlan 660

switchport trunk native vlan 4086

switchport mode dot1q-tunnel

interface Ethernet40

description **** FGT-7000E M1 HA HB ****

speed forced 10000full

switchport access vlan 660

switchport trunk native vlan 4086

switchport mode dot1q-tunnel

Switch interfaces 41 to 44 connect to the M2 interfaces of the FIMs in both FortiGate-7040E chassis.

interface Ethernet41

description **** FGT-7000E M2 HA HB ****

mtu 9214

speed forced 10000full

no error-correction encoding

switchport access vlan 770

switchport trunk native vlan 4087

switchport mode dot1q-tunnel

interface Ethernet42

description **** FGT-7000E M2 HA HB ****

mtu 9214

speed forced 10000full

no error-correction encoding

switchport access vlan 770

switchport trunk native vlan 4087

switchport mode dot1q-tunnel

interface Ethernet43

description **** FGT-7000E M2 HA HB ****

mtu 9214

speed forced 10000full

no error-correction encoding

switchport access vlan 770

switchport trunk native vlan 4087

switchport mode dot1q-tunnel

interface Ethernet44

description **** FGT-7000E M2 HA HB ****

mtu 9214

speed forced 10000full

no error-correction encoding

switchport access vlan 770

switchport trunk native vlan 4087

switchport mode dot1q-tunnel