FortiGate-7000E Handbook

FortiGate-7000 v6.0.9 special features and limitations

This section describes special features and limitations for FortiGate-7000 v6.0.9.

Managing the FortiGate-7000

By default the MGMT1 to MGMT4 interfaces of the FIMs in slot 1 and slot 2 are in a single static aggregate interface named mgmt with IP address 192.168.1.99. You manage the FortiGate-7000 by connecting any one of these eight interfaces to your network, opening a web browser and browsing to the management IP address. For a factory default configuration, browse to https://192.168.1.99.

Note: The FortiGate-7030E has one FIM, and the MGMT1 to MGMT4 interfaces of that module are the only interfaces in the aggregate interface.

Default management VDOM

By default the FortiGate-7000 configuration includes a management VDOM named mgmt-vdom. For the FortiGate-7000 system to operate normally you should not change the configuration of this VDOM and this VDOM should always be the management VDOM. You should also not add or remove interfaces from this VDOM.

You have full control over the configurations of other FortiGate-7000 VDOMs.

Default Security Fabric configuration

Caution: The FortiGate-7000E uses the Fortinet Security Fabric for communication and synchronization between the FIMs and the FPMs and for normal GUI operation. By default, the Security Fabric is enabled and must remain enabled for normal operation.

Changing the default Security Fabric configuration could disrupt communication and affect system performance.

As of version 6.0.9 you can no longer change the status to disable.

Default Security Fabric configuration:

config system csf
    set status enable
    set configuration-sync local
    set management-ip 0.0.0.0
    set management-port 0
end

For the FortiGate-7000 to operate normally, you must not change the Security Fabric configuration.

Maximum number of LAGs and interfaces per LAG

FortiGate-7000 systems support up to 16 link aggregation groups (LAGs). This count includes both normal link aggregation groups and redundant interfaces, including the redundant interface that contains the mgmt1 to mgmt4 management interfaces. A FortiGate-7000 LAG can include up to 20 interfaces.

Firewall

TCP sessions with NAT enabled that are expected to be idle for longer than the distributed processing (DP) normal TCP timer (which is 3605 seconds) should be distributed only to the primary (master) FPM using a flow rule. You can configure the DP normal TCP timer using the following command:

config system global
    set dp-tcp-normal-timer <timer>
end

UDP sessions with NAT enabled that are expected to be idle for longer than the distributed processing normal UDP timer should likewise be distributed only to the primary FPM using a flow rule.

Enhanced MAC (EMAC) VLAN support

FortiOS 6.0.9 for FortiGate-7000 supports the enhanced media access control (MAC) virtual local area network (EMAC VLAN) feature. EMAC VLANs allow you to configure multiple virtual interfaces with different MAC addresses (and therefore different IP addresses) on a single physical interface.

For more information about EMAC VLAN support, see Enhanced MAC VLANs.

Use the following command to configure an EMAC VLAN:

config system interface
    edit <interface-name>
        set type emac-vlan
        set vlan-id <VLAN-ID>
        set interface <physical-interface>
end

FortiLink support limitations

The FortiGate-7000 has the following FortiLink support limitations:

  • The FIM in slot 1 (FIM-01) must be the primary FIM. FortiLink will not work if FIM-02 is the primary FIM.

    Note: In an HA configuration, if the FIM in slot 1 of the primary FortiGate-7000 fails, the secondary FortiGate-7000 becomes the new primary FortiGate-7000 with a functioning FIM in slot 1, and FortiLink support continues after the failover.

  • FortiGate-7000 for FortiOS 6.0.9 does not support upgrading managed FortiSwitch firmware from the FortiOS Managed FortiSwitch GUI page. Instead you must use the FortiGate-7000 CLI or log into the managed FortiSwitch to upgrade managed FortiSwitch firmware.
  • You can use any FortiGate-7000 interface as the FortiLink. However, using the M1, M2, and management interfaces is not recommended.

IP multicast

IPv4 and IPv6 multicast traffic is only sent to the primary FPM (usually the FPM in slot 3). This is controlled by the following configuration:

config load-balance flow-rule
    edit 15
        set status enable
        set vlan 0
        set ether-type ipv4
        set src-addr-ipv4 0.0.0.0 0.0.0.0
        set dst-addr-ipv4 224.0.0.0 240.0.0.0
        set protocol any
        set action forward
        set forward-slot master
        set priority 5
        set comment "ipv4 multicast"
    next
    edit 16
        set status enable
        set vlan 0
        set ether-type ipv6
        set src-addr-ipv6 ::/0
        set dst-addr-ipv6 ff00::/8
        set protocol any
        set action forward
        set forward-slot master
        set priority 5
        set comment "ipv6 multicast"
end

High availability

Only the M1 and M2 interfaces are used for HA heartbeat communication. For information on how to set up HA heartbeat communication using the M1 and M2 interfaces, see Connect the M1 and M2 interfaces for HA heartbeat communication.

The following FortiOS HA features are not supported or are supported differently by FortiGate-7000 v6.0.9:

  • Active-active HA is not supported.
  • The range for the HA group-id is 0 to 31.
  • Failover logic for FortiGate-7000 HA is not the same as FGCP for other FortiGate clusters.
  • HA heartbeat configuration is specific to FortiGate-7000 systems and differs from standard HA.
  • FortiGate-7000 HA does not support the route-wait and route-hold options for tuning route synchronization between FortiGate-7000s.
  • VLAN monitoring using the config system ha-monitor command is not supported.

Shelf manager module

It is not possible to access the SMM CLI using Telnet or SSH. Only console access is supported, using the chassis front panel console ports as described in the FortiGate-7000 system guide.

For monitoring purposes, IPMI over IP is supported on the SMM Ethernet ports. See your FortiGate-7000 system guide for details.

The source-ip option for management services

FortiGate-7000E SLBC does not support the source-ip option for management services (for example, logging, SNMP, connecting to FortiSandbox) that use interfaces in the mgmt-vdom. If you enable the source-ip option, communication will not work.

For example, when adding a host to an SNMP community, if you configure the source-ip option, the SNMP manager corresponding to this host will not receive traps from the FortiGate-7000E or be able to send SNMP queries to the FortiGate-7000E.

FortiOS features not supported by FortiGate-7000 v6.0.9

The following mainstream FortiOS 6.0.9 features are not supported by the FortiGate-7000 v6.0.9:

  • SD-WAN (because of known issues)
  • ECMP load balancing
  • HA dedicated management interfaces
  • Hardware switch
  • WiFi controller
  • IPv4 over IPv6, IPv6 over IPv4, IPv6 over IPv6 features
  • GRE tunneling is only supported after creating a load balance flow rule, for example:

    config load-balance flow-rule
        edit 0
            set status enable
            set vlan 0
            set ether-type ip
            set protocol gre
            set action forward
            set forward-slot master
            set priority 3
    end

  • Hard disk features, including WAN optimization, web caching, explicit proxy content caching, disk logging, and GUI-based packet sniffing.
  • The FortiGate-7000 platform only supports quarantining files to FortiAnalyzer.
  • Log messages should be sent only using the management aggregate interface.
  • The FortiGate-7000 does not support configuring dedicated management interfaces using the config system dedicated-mgmt command or by enabling the dedicated-to management interface option. The purpose of the dedicated management interface feature is to add a routing table just for management connections. This functionality is provided by the FortiGate-7000 management VDOM (mgmt-vdom), which has its own routing table and contains all of the FortiGate-7000 management interfaces.
  • Enabling the system settings option tcp-session-without-syn and configuring a firewall policy to accept sessions without SYN packets allows FortiOS to add entries to its session table for sessions that do not include SYN packets. These sessions can only be load balanced by the DP processor if dp-load-distribution-method is set to src-dst-ip-sport-dport (the default) or src-dst-ip. If any other load distribution method is used, the sessions are dropped. In addition, the DP processor cannot load balance these sessions if they are accepted by a firewall policy with NAT enabled.
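The multicast rules in the IP multicast section, the GRE rule in this list, and the Firewall section's advice to pin long-idle NAT sessions all rely on load-balance flow rules to steer traffic to one FPM. The following added example (not Fortinet code) parses such a flow-rule block and reports which slot a given packet would be forwarded to. It assumes, because this page does not say, that ether-type ip matches both IPv4 and IPv6 and that a higher priority value wins among overlapping rules; rule id 17 for the GRE rule is a placeholder.

```python
# Added example (not Fortinet code): which slot a FortiOS flow rule forwards a packet to.
import ipaddress
import shlex

# Constructed sample: the page's IPv4 multicast rule plus a GRE rule
# (the page's GRE example uses 'edit 0'; 17 is a placeholder id here).
SAMPLE_CONFIG = """
config load-balance flow-rule
    edit 15
        set status enable
        set ether-type ipv4
        set src-addr-ipv4 0.0.0.0 0.0.0.0
        set dst-addr-ipv4 224.0.0.0 240.0.0.0
        set protocol any
        set forward-slot master
        set priority 5
        set comment "ipv4 multicast"
    next
    edit 17
        set ether-type ip
        set protocol gre
        set forward-slot master
        set priority 3
    next
end
"""

def parse_flow_rules(text):
    """Return a list of rule dicts; addresses become ipaddress networks."""
    rules, cur = [], None
    for line in text.splitlines():
        tok = shlex.split(line)  # keeps "ipv4 multicast" as one token
        head = tok[0] if tok else None
        if head == "edit":
            cur = {"id": int(tok[1]), "status": "enable", "ether-type": "any",
                   "protocol": "any", "src": None, "dst": None}
        elif head == "set" and cur is not None:
            key, val = tok[1], tok[2:]
            if key in ("src-addr-ipv4", "dst-addr-ipv4"):
                # FortiOS writes IPv4 as "address mask": 224.0.0.0 240.0.0.0 is 224.0.0.0/4
                cur[key[:3]] = ipaddress.ip_network(f"{val[0]}/{val[1]}", strict=False)
            elif key in ("src-addr-ipv6", "dst-addr-ipv6"):
                cur[key[:3]] = ipaddress.ip_network(val[0], strict=False)
            else:
                cur[key] = val[0]
        elif head == "next" and cur is not None:
            rules.append(cur)
            cur = None
    return rules

def forward_slot(rules, protocol, src, dst):
    """Slot from the best matching enabled rule, or None when the DP processor
    load-balances normally. Assumed: 'ip' matches IPv4 and IPv6; higher priority wins."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    best = None
    for r in rules:
        if (r["status"] != "enable" or r["protocol"] not in ("any", protocol)
                or r["ether-type"] not in ("any", "ip", f"ipv{dst.version}")
                or (r["src"] is not None and src not in r["src"])
                or (r["dst"] is not None and dst not in r["dst"])):
            continue  # rule does not apply to this packet
        if best is None or int(r.get("priority", 0)) > int(best.get("priority", 0)):
            best = r
    return None if best is None else best.get("forward-slot")
```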

IPsec VPN tunnels terminated by the FortiGate-7000

For a list of new FortiOS 6.0.9 FortiGate-7000 IPsec VPN features and a list of IPsec VPN features not supported by FortiOS 6.0.9 FortiGate-7000 IPsec VPN, see FortiGate-7000 IPsec VPN.

SSL VPN

Sending all SSL VPN sessions to the primary FPM is recommended. You can do this by:

  • Creating a flow rule that sends all sessions that use the SSL VPN destination port and IP address to the primary FPM.
  • Creating flow rules that send all sessions that use the SSL VPN IP pool addresses to the primary FPM.

For more information about FortiGate-7000 SSL VPN support, see SSL VPN load balancing.

Traffic shaping and DDoS policies

Each FPM applies traffic shaping and DDoS quotas independently. Because of load-balancing, this may allow more traffic than expected.

FortiGuard web filtering and spam filtering queries

The FortiGate-7000 sends all FortiGuard web filtering and spam filtering rating queries through a management interface from the management VDOM.

Web filtering quotas

On a VDOM operating with the Inspection Mode set to Proxy, you can go to Security Profiles > Web Filter and set up Category Usage Quotas. Each FPM has its own quota, and the FortiGate-7000 applies quotas per FPM and not per the entire FortiGate-7000 system. This could result in quotas being exceeded if sessions for the same user are processed by different FPMs.

Log messages include a slot field

An additional "slot" field has been added to log messages to identify the FPM that generated the log.

FortiOS Carrier

You have to apply a FortiOS Carrier license separately to each FIM and FPM to license a FortiGate-7000 for FortiOS Carrier.

Special notice for new deployment connectivity testing

Only the primary FPM can successfully ping external IP addresses. During a new deployment, while performing connectivity testing from the FortiGate-7000, make sure to run execute ping tests from the primary FPM CLI.

Display the process name associated with a process ID

You can use the following command to display the process name associated with a process ID (PID):

diagnose sys process nameof <pid>

Where <pid> is the process ID.
