Fortinet black logo

FortiGate-7000F Handbook

Home FortiGate-7000 7.0.12 FortiGate-7000F Handbook
7.0.12
7.0.15
7.0.14
7.0.13
7.0.12
7.0.10
7.0.5
6.4.15
6.4.14
6.4.13
6.4.12
6.4.10
6.4.8
6.4.6
6.2.16
6.2.16
6.2.15
6.2.13
6.2.12
6.2.11
6.2.10
6.2.9
6.2.7
6.2.6

FortiGate-7000F v7.0.12 special features and limitations

FortiGate-7000F v7.0.12 special features and limitations

This section describes special features and limitations for FortiGate-7000F 7.0.12.

Caution

The FortiGate-7000F uses the Fortinet Security Fabric for communication and synchronization between the FIMs and the FPMs and for normal GUI operation. By default, the Security Fabric is enabled and must remain enabled for normal operation.

SDN connector support

FortiGate-7000 FortiOS 7.0.12 supports the following SDN connectors:

  • Cisco Application Centric Infrastructure (ACI)
  • Amazon Web Services (AWS)
  • Microsoft Azure
  • VMware NSX
  • VMware ESXi
  • Kubernetes
  • Oracle Cloud Infrastructure (OCI)
  • OpenStack (Horizon)

These SDN connectors communicate with their public or private clouds through the mgmt-vdom VDOM and may require routing in this VDOM to support this communication. Also, in some scenarios, these SDN connectors may not be able to correctly retrieve dynamic firewall addresses.

Default management VDOM

By default the FortiGate-7000 configuration includes a management VDOM named mgmt-vdom. For the FortiGate-7000F system to operate normally you should not change the configuration of this VDOM and this VDOM should always be the management VDOM. You should also not add or remove interfaces from this VDOM.

You have full control over the configurations of other FortiGate-7000F VDOMs.

Maximum number of LAGs and interfaces per LAG

FortiGate-7000F systems support up to 16 link aggregation groups (LAGs). This includes both normal link aggregation groups and redundant interfaces. A FortiGate-7000F LAG can include up to 20 interfaces.

Enhanced MAC (EMAC) VLAN support

FortiGate-7000F supports the media access control (MAC) virtual local area network (VLAN) feature. EMAC VLANs allow you to configure multiple virtual interfaces with different MAC addresses (and therefore different IP addresses) on a physical interface.

For more information about EMAC VLAN support, see Enhanced MAC VLANs.

Use the following command to configure an EMAC VLAN:

config system interface

edit <interface-name>

set type emac-vlan

set vlan-id <VLAN-ID>

set interface <physical-interface>

end

High availability

You can use the M1 to M4 interfaces for HA heartbeat communication.

The following FortiOS HA features are not supported or are supported differently by FortiGate-7000F:

  • Active-active HA is not supported.
  • The range for the HA group-id is 0 to 255.
  • Failover logic for FortiGate-7000F HA is not the same as FGCP for other FortiGate clusters.
  • HA heartbeat configuration is specific to FortiGate-7000F systems and differs from standard HA.
  • FortiGate-7000F HA does not support the route-wait and route-hold options for tuning route synchronization between FortiGate-7000Fs.
  • VLAN monitoring using the config system ha-monitor command is not supported.

Virtual clustering

For information about virtual clustering limitations, see Limitations of FortiGate-7000F virtual clustering and Virtual clustering VLAN/VDOM limitation.

ZTNA support

The FortiGate-7000F supports Zero Trust Network Access (ZTNA) features. No special configuration is required to support ZTNA. For more information about ZTNA, see Zero Trust Network Access.

DLP fingerprinting support

The FortiGate-7000F supports DLP fingerprinting. No special configuration is required to support DLP fingerprinting. For more information about DLP fingerprinting, see DLP fingerprinting.

DLP archiving is not supported by FortiGate-7000F for FortiOS 7.0.12.

Shelf manager module

It is not possible to access SMM CLI using Telnet or SSH. Only console access is supported using the chassis front panel console ports as described in the FortiGate-7000F system guide.

FortiOS features not supported by FortiGate-7000F v7.0.12

The following mainstream FortiOS features are not supported by the FortiGate-7000F:

  • Hardware switch.

  • Because the FortiGate-7000F uses NP7 processors for load balancing, the FortiGate-7000F supports IPv6 clear text traffic over IPv4 or IPv6 IPsec tunnels terminated on the FortiGate-7000F.

  • GRE tunneling is only supported after creating a load balance flow rule, for example:

config load-balance flow-rule

edit 0

set status enable

set vlan 0

set ether-type ip

set protocol gre

set action forward

set forward-slot master

set priority 3

end

  • EMAC VLANs are not supported.
  • The FortiGate-7000 does not support configuring dedicated management interfaces using the config system dedicated-mgmt command or by enabling the dedicated-to management interface option. The purpose of the dedicated management interface feature is to add a routing table just for management connections. This functionality is supported by the FortiGate-7000 management VDOM (mgmt-vdom) that has its own routing table and contains all of the FortiGate-7000 management interfaces.
  • Enabling the system settings option tcp-session-without-syn and configuring a firewall policy to accept sessions without syn packets allows FortiOS to add entries to its session table for sessions that do not include SYN packets. These sessions can only be load balanced by the NP7 processors if the dp-load-distribution-method is set to src-dst-ip-sport-dport (default) or src-dst-ip. If any other load distribution method is used, the sessions will be dropped. As well, the NP7 processors cannot load balance these sessions if they are accepted by a firewall policy with NAT enabled.
  • The source-ip option for management services (for example, logging, SNMP, connecting to FortiSandbox) that use interfaces in the mgmt-vdom is not supported and has been removed from the CLI.

  • The config vpn ssl settings option tunnel-addr-assigned-method is now available again. This option had been removed from the CLI in a previous release because setting this option to first-available and configuring multiple IP pools can reduce FortiGate-7000F SSL VPN load balancing performance. However, some users may want the ability to use multiple IP pools for their SSL VPN configuration, even if performance is reduced. So the change has been reverted.

IPsec VPN

For a list of IPsec VPN features supported by FortiGate-7000F, see FortiGate-7000F IPsec VPN.

SSL VPN

Sending all SSL VPN sessions to the primary FPM is recommended. You can do this by:

  • Creating a flow rule that sends all sessions that use the SSL VPN destination port and IP address to the primary FPM.
  • Creating flow rules that send all sessions that use the SSL VPN IP pool addresses to the primary FPM.

For more information about FortiGate-7000F SSL VPN support, see SSL VPN load balancing.

Traffic shaping and DDoS policies

Each FPM applies traffic shaping and DDoS quotas independently. Because of load-balancing, this may allow more traffic than expected.

FortiGuard web filtering and spam filtering queries

The FortiGate-7000F sends all FortiGuard web filtering and spam filtering rating queries through a management interface from the management VDOM.

Web filtering quotas

On a VDOM operating with the Inspection Mode set to Proxy, you can go to Security Profiles > Web Filter and set up Category Usage Quotas. Each FPM has its own quota, and the FortiGate-7000F applies quotas per FPM and not per the entire FortiGate-7000F system. This could result in quotas being exceeded if sessions for the same user are processed by different FPMs.

Log messages no longer include a slot field

FortiGate-7000 log messages no longer include information in the slot field. Instead, slot information is now always contained in the message field.

Special notice for new deployment connectivity testing

Only the primary FPM can successfully ping external IP addresses. During a new deployment, while performing connectivity testing from the FortiGate-7000F, make sure to run execute ping tests from the primary FPM CLI.

Display the process name associated with a process ID

You can use the following command to display the process name associated with a process ID (PID):

diagnose sys process nameof <pid>

Where <pid> is the process ID.

Previous
Next

FortiGate-7000F v7.0.12 special features and limitations

This section describes special features and limitations for FortiGate-7000F 7.0.12.

Caution

The FortiGate-7000F uses the Fortinet Security Fabric for communication and synchronization between the FIMs and the FPMs and for normal GUI operation. By default, the Security Fabric is enabled and must remain enabled for normal operation.

SDN connector support

FortiGate-7000 FortiOS 7.0.12 supports the following SDN connectors:

  • Cisco Application Centric Infrastructure (ACI)
  • Amazon Web Services (AWS)
  • Microsoft Azure
  • VMware NSX
  • VMware ESXi
  • Kubernetes
  • Oracle Cloud Infrastructure (OCI)
  • OpenStack (Horizon)

These SDN connectors communicate with their public or private clouds through the mgmt-vdom VDOM and may require routing in this VDOM to support this communication. Also, in some scenarios, these SDN connectors may not be able to correctly retrieve dynamic firewall addresses.

Default management VDOM

By default the FortiGate-7000 configuration includes a management VDOM named mgmt-vdom. For the FortiGate-7000F system to operate normally you should not change the configuration of this VDOM and this VDOM should always be the management VDOM. You should also not add or remove interfaces from this VDOM.

You have full control over the configurations of other FortiGate-7000F VDOMs.

Maximum number of LAGs and interfaces per LAG

FortiGate-7000F systems support up to 16 link aggregation groups (LAGs). This includes both normal link aggregation groups and redundant interfaces. A FortiGate-7000F LAG can include up to 20 interfaces.

Enhanced MAC (EMAC) VLAN support

FortiGate-7000F supports the media access control (MAC) virtual local area network (VLAN) feature. EMAC VLANs allow you to configure multiple virtual interfaces with different MAC addresses (and therefore different IP addresses) on a physical interface.

For more information about EMAC VLAN support, see Enhanced MAC VLANs.

Use the following command to configure an EMAC VLAN:

config system interface

edit <interface-name>

set type emac-vlan

set vlan-id <VLAN-ID>

set interface <physical-interface>

end

High availability

You can use the M1 to M4 interfaces for HA heartbeat communication.

The following FortiOS HA features are not supported or are supported differently by FortiGate-7000F:

  • Active-active HA is not supported.
  • The range for the HA group-id is 0 to 255.
  • Failover logic for FortiGate-7000F HA is not the same as FGCP for other FortiGate clusters.
  • HA heartbeat configuration is specific to FortiGate-7000F systems and differs from standard HA.
  • FortiGate-7000F HA does not support the route-wait and route-hold options for tuning route synchronization between FortiGate-7000Fs.
  • VLAN monitoring using the config system ha-monitor command is not supported.

Virtual clustering

For information about virtual clustering limitations, see Limitations of FortiGate-7000F virtual clustering and Virtual clustering VLAN/VDOM limitation.

ZTNA support

The FortiGate-7000F supports Zero Trust Network Access (ZTNA) features. No special configuration is required to support ZTNA. For more information about ZTNA, see Zero Trust Network Access.

DLP fingerprinting support

The FortiGate-7000F supports DLP fingerprinting. No special configuration is required to support DLP fingerprinting. For more information about DLP fingerprinting, see DLP fingerprinting.

DLP archiving is not supported by FortiGate-7000F for FortiOS 7.0.12.

Shelf manager module

It is not possible to access SMM CLI using Telnet or SSH. Only console access is supported using the chassis front panel console ports as described in the FortiGate-7000F system guide.

FortiOS features not supported by FortiGate-7000F v7.0.12

The following mainstream FortiOS features are not supported by the FortiGate-7000F:

  • Hardware switch.

  • Because the FortiGate-7000F uses NP7 processors for load balancing, the FortiGate-7000F supports IPv6 clear text traffic over IPv4 or IPv6 IPsec tunnels terminated on the FortiGate-7000F.

  • GRE tunneling is only supported after creating a load balance flow rule, for example:

config load-balance flow-rule

edit 0

set status enable

set vlan 0

set ether-type ip

set protocol gre

set action forward

set forward-slot master

set priority 3

end

  • EMAC VLANs are not supported.
  • The FortiGate-7000 does not support configuring dedicated management interfaces using the config system dedicated-mgmt command or by enabling the dedicated-to management interface option. The purpose of the dedicated management interface feature is to add a routing table just for management connections. This functionality is supported by the FortiGate-7000 management VDOM (mgmt-vdom) that has its own routing table and contains all of the FortiGate-7000 management interfaces.
  • Enabling the system settings option tcp-session-without-syn and configuring a firewall policy to accept sessions without syn packets allows FortiOS to add entries to its session table for sessions that do not include SYN packets. These sessions can only be load balanced by the NP7 processors if the dp-load-distribution-method is set to src-dst-ip-sport-dport (default) or src-dst-ip. If any other load distribution method is used, the sessions will be dropped. As well, the NP7 processors cannot load balance these sessions if they are accepted by a firewall policy with NAT enabled.
  • The source-ip option for management services (for example, logging, SNMP, connecting to FortiSandbox) that use interfaces in the mgmt-vdom is not supported and has been removed from the CLI.

  • The config vpn ssl settings option tunnel-addr-assigned-method is now available again. This option had been removed from the CLI in a previous release because setting this option to first-available and configuring multiple IP pools can reduce FortiGate-7000F SSL VPN load balancing performance. However, some users may want the ability to use multiple IP pools for their SSL VPN configuration, even if performance is reduced. So the change has been reverted.

IPsec VPN

For a list of IPsec VPN features supported by FortiGate-7000F, see FortiGate-7000F IPsec VPN.

SSL VPN

Sending all SSL VPN sessions to the primary FPM is recommended. You can do this by:

  • Creating a flow rule that sends all sessions that use the SSL VPN destination port and IP address to the primary FPM.
  • Creating flow rules that send all sessions that use the SSL VPN IP pool addresses to the primary FPM.

For more information about FortiGate-7000F SSL VPN support, see SSL VPN load balancing.

Traffic shaping and DDoS policies

Each FPM applies traffic shaping and DDoS quotas independently. Because of load-balancing, this may allow more traffic than expected.

FortiGuard web filtering and spam filtering queries

The FortiGate-7000F sends all FortiGuard web filtering and spam filtering rating queries through a management interface from the management VDOM.

Web filtering quotas

On a VDOM operating with the Inspection Mode set to Proxy, you can go to Security Profiles > Web Filter and set up Category Usage Quotas. Each FPM has its own quota, and the FortiGate-7000F applies quotas per FPM and not per the entire FortiGate-7000F system. This could result in quotas being exceeded if sessions for the same user are processed by different FPMs.

Log messages no longer include a slot field

FortiGate-7000 log messages no longer include information in the slot field. Instead, slot information is now always contained in the message field.

Special notice for new deployment connectivity testing

Only the primary FPM can successfully ping external IP addresses. During a new deployment, while performing connectivity testing from the FortiGate-7000F, make sure to run execute ping tests from the primary FPM CLI.

Display the process name associated with a process ID

You can use the following command to display the process name associated with a process ID (PID):

diagnose sys process nameof <pid>

Where <pid> is the process ID.

Previous
Next