Hyperscale Firewall Guide

Hyperscale firewall 7.0.7 incompatibilities and limitations

Hyperscale firewall for FortiOS 7.0.7 has the following limitations and incompatibilities with FortiOS features:

  • Proxy-based and flow-based inspection are not supported. You cannot include security profiles in hyperscale firewall policies.
  • Single sign-on authentication, including FSSO and RSSO, is not supported. Other types of authentication are supported.
  • IPsec VPN is not supported. You cannot create hyperscale firewall policies where one of the interfaces is an IPsec VPN interface.
  • Hyperscale firewall VDOMs do not support Central NAT.
  • Hyperscale firewall VDOMs do not support profile-based NGFW firewall policies.
  • Hyperscale firewall VDOMs must be NAT mode VDOMs. Hyperscale firewall features are not supported for transparent mode VDOMs.

  • Hyperscale firewall VDOMs do not support traffic shaping policies or profiles. Only outbandwidth traffic shaping is supported for hyperscale firewall VDOMs.

  • Traffic shaping with queuing using the NP7 QTM module is not compatible with carrier-grade NAT and hyperscale firewall features. See NP7 traffic shaping.
  • Hyperscale firewall VDOMs do not support traffic that requires session helpers or ALGs (for example, FTP, TFTP, SIP, MGCP, H.323, PPTP, L2TP, ICMP Error/IP-options, PMAP, TNS, DCE-RPC, RAS, and RSH).

  • Active-Active FGCP HA and FGSP do not support HA hardware session synchronization. Active-passive FGCP HA and virtual clustering do support FGCP HA hardware session synchronization.
  • Asymmetric sessions are not supported.
  • ECMP usage-based load balancing is not supported. Traffic is not directed to routes with lower spillover thresholds.
  • The Sessions dashboard widget does not display hyperscale firewall sessions.
  • Interface device identification should not be enabled on interfaces that send or receive hyperscale firewall traffic.
  • The proxy action is not supported for DoS policy anomalies when your FortiGate is licensed for hyperscale firewall features. When you activate a hyperscale firewall license, the proxy option is removed from the CLI of both hyperscale VDOMs and normal VDOMs.

  • During normal operation, UDP sessions from protocols that use FortiOS session helpers are processed by the CPU. After an FGCP HA failover, when the UDP session helper sessions are re-established, they will not be identified as session helper sessions and instead will be offloaded to the NP7 processors.

  • When operating an FGCP HA cluster with session synchronization enabled, some of the sessions accepted by an IPv4 or a NAT64 hyperscale firewall policy with an overload IP pool may not be synchronized to the secondary FortiGate. Some sessions are not synchronized because of resource conflicts and retries. The session loss rate depends on the percentage of resource retries during session setup. You can reduce the session loss by making sure the IP pool has as many IP addresses and ports as possible.

  • The following options are not supported for IPv4 firewall VIPs (configured with the config firewall vip command) in hyperscale firewall VDOMs: src-filter, service, nat44, nat46, nat-source-vip, arp-reply, portforward, and srcintf-filter.

  • The following options are not supported for port forwarding IPv6 firewall VIPs (configured with the config firewall vip6 command) in hyperscale firewall VDOMs: src-filter, nat-source-vip, arp-reply, portforward, nat66, and nat64.

    Note

    Even though the arp-reply CLI option is not supported for IPv4 and IPv6 firewall VIPs, responding to ARP requests for IP addresses in a virtual IP is supported. What is not supported is using the arp-reply option to disable responding to an ARP request.
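The two VIP limitations and the note on arp-reply above are easy to overlook in a large configuration. The following audit script is an added example (not Fortinet code) that scans a config export from a hyperscale firewall VDOM for unsupported `config firewall vip` and `vip6` options; it flags `arp-reply` only when it is set to `disable`, since ARP replies themselves remain supported. The VIP entries in `SAMPLE_CONFIG` are constructed for illustration.

```python
import re

# Options the 7.0.7 limitations list names as unsupported in hyperscale VDOMs.
UNSUPPORTED = {
    "vip": {"src-filter", "service", "nat44", "nat46", "nat-source-vip",
            "arp-reply", "portforward", "srcintf-filter"},
    "vip6": {"src-filter", "nat-source-vip", "arp-reply", "portforward",
             "nat66", "nat64"},
}

# Constructed sample: assumed to be exported from a hyperscale firewall VDOM.
SAMPLE_CONFIG = """\
config firewall vip
    edit "web-vip"
        set extip 203.0.113.10
        set mappedip "10.0.0.10"
        set extintf "port1"
        set arp-reply disable
        set portforward enable
        set extport 443
        set mappedport 8443
    next
    edit "plain-vip"
        set extip 203.0.113.11
        set mappedip "10.0.0.11"
        set extintf "port1"
    next
end
config firewall vip6
    edit "v6-vip"
        set extip 2001:db8::10
        set mappedip 2001:db8:1::10
        set nat66 enable
    next
end
"""

def audit_vips(config_text):
    """Return (table, vip_name, option) for every unsupported option found."""
    findings, table, vip = [], None, None
    for raw in config_text.splitlines():
        line = raw.strip()
        if m := re.match(r'config firewall (vip6?)$', line):
            table = m.group(1)          # entering a vip or vip6 table
        elif line == "end":
            table = None                # leaving the table
        elif table and (m := re.match(r'edit "?([^"]+)"?$', line)):
            vip = m.group(1)
        elif line == "next":
            vip = None
        elif table and vip and (m := re.match(r'set (\S+)\s+(.*)$', line)):
            opt, val = m.groups()
            # arp-reply is only a problem when used to disable ARP responses
            if opt in UNSUPPORTED[table] and not (opt == "arp-reply" and val != "disable"):
                findings.append((table, vip, opt))
    return findings
```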
