Fortinet black logo

FortiGate-7000E Administration Guide

Home FortiGate / FortiOS 7.4.3 FortiGate-7000E Administration Guide
7.4.3
7.4.3
7.4.2
7.4.1
7.4.0
7.2.8
7.2.7
7.2.6
7.2.5

FortiGate 7000E 7.4.3 incompatibilities and limitations

FortiGate 7000E 7.4.3 incompatibilities and limitations

FortiGate 7000E for FortiOS 7.4.3 has the following limitations and incompatibilities with FortiOS features:

Caution

The FortiGate 7000E uses the Fortinet Security Fabric for communication and synchronization between the FIMs and the FPMs and for normal GUI operation. By default, the Security Fabric is enabled and must remain enabled for normal operation.

Managing the FortiGate 7000E

Management is only possible through the MGMT1 to MGMT4 front panel management interfaces. By default the MGMT1 to MGMT4 interfaces of the FIMs in slot 1 and slot 2 are in a single static aggregate interface named mgmt with IP address 192.168.1.99. You manage the FortiGate 7000E by connecting any one of these eight interfaces to your network, opening a web browser and browsing to the management IP address. For a factory default configuration, browse to https://192.168.1.99.

Note The FortiGate-7030E has one FIM and the MGMT1 to MGMT4 interfaces of that module are the only interfaces in the aggregate interface.

Default management VDOM

By default the FortiGate 7000E configuration includes a management VDOM named mgmt-vdom. For the FortiGate 7000E system to operate normally you should not change the configuration of this VDOM and this VDOM should always be the management VDOM. You should also not add or remove interfaces from this VDOM.

You have full control over the configurations of other FortiGate 7000E VDOMs.

Maximum number of LAGs and interfaces per LAG

The FortiGate 7000E supports up to 16 link aggregation groups (LAGs). This includes both normal link aggregation groups and redundant interfaces and including the redundant interface that contains the mgmt1 to mgmt4 management interfaces. A FortiGate 7000E LAG can include up to 20 interfaces.

High availability

Only the M1 and M2 interfaces are used for the HA heartbeat communication. For information on how to set up HA heartbeat communication using the M1 and M2 interfaces, see Connect the M1 and M2 interfaces for HA heartbeat communication

The following FortiOS HA features are not supported or are supported differently by the FortiGate 7000E:

  • Active-active HA is not supported.
  • The range for the HA group-id is 0 to 31.
  • Failover logic for FortiGate 7000E HA is not the same as FGCP for other FortiGate clusters.
  • HA heartbeat configuration is specific to FortiGate 7000E systems and differs from standard HA.
  • FortiGate 7000E HA does not support the route-wait and route-hold options for tuning route synchronization between FortiGate 7000Es.
  • VLAN monitoring using the config system ha-monitor command is not supported.

  • FortiGate 7000E HA does not support using the HA session-sync-dev option. Instead, session synchronization traffic uses the M1 and M2 interfaces, separating session sync traffic from data traffic.

Shelf manager module

It is not possible to access the shelf manager module (SMM) CLI using Telnet or SSH. Only console access is supported using the FortiGate 7000E chassis front panel console ports as described in the FortiGate 7000E system guide.

For monitoring purpose, IPMI over IP is supported on SMM Ethernet ports. See your FortiGate 7000E system guide for details.

FortiOS features not supported by FortiGate 7000E

The following mainstream FortiOS features are not supported by the FortiGate 7000E:

  • Hardware switch.

  • DLP archiving.

  • GRE tunneling is only supported after creating a load balance flow rule, for example:

config load-balance flow-rule

edit 0

set status enable

set vlan 0

set ether-type ip

set protocol gre

set action forward

set forward-slot master

set priority 3

end

  • Hard disk features including, WAN optimization, web caching, explicit proxy content caching, disk logging, and GUI-based packet sniffing.
  • The FortiGate 7000E platform only supports quarantining files to FortiAnalyzer.
  • The FortiGate 7000E does not support configuring dedicated management interfaces using the config system dedicated-mgmt command or by enabling the dedicated-to management interface option. The purpose of the dedicated management interface feature is to add a routing table just for management connections. This functionality is supported by the FortiGate 7000E management VDOM (mgmt-vdom) that has its own routing table and contains all of the FortiGate 7000E management interfaces.

  • The FortiOS session-ttl option never (which means no session timeout) is only supported if the dp-load-distribution-method is set to src-dst-ip-sport-dport (the default) or src-dst-ip and the firewall policy that accepts the session does not perform NAT. If any other load distribution method is used, or if NAT is enabled, the DP session timer will terminate the session according to the DP processor session timer. For more information about the never option, see No session timeout.

  • Enabling the system settings option tcp-session-without-syn and configuring a firewall policy to accept sessions without syn packets allows FortiOS to add entries to its session table for sessions that do not include SYN packets. These sessions can only be load balanced by the DP processor if the dp-load-distribution-method is set to src-dst-ip-sport-dport (default) or src-dst-ip. If any other load distribution method is used, the sessions will be dropped. As well, the DP processor cannot load balance these sessions if they are accepted by a firewall policy with NAT enabled.

  • The source-ip option for management services (for example, logging, SNMP, connecting to FortiSandbox) that use interfaces in the mgmt-vdom is not supported and has been removed from the CLI.

  • The config vpn ssl settings option tunnel-addr-assigned-method is now available again. This option had been removed from the CLI in a previous release because setting this option to first-available and configuring multiple IP pools can reduce FortiGate 7000E SSL VPN load balancing performance. However, some users may want the ability to use multiple IP pools for their SSL VPN configuration, even if performance is reduced. So the change has been reverted.

IPsec VPN tunnels terminated by the FortiGate 7000E

For a list of FortiGate 7000E IPsec VPN features and limitations, see IPsec VPN load balancing.

Traffic shaping and DDoS policies

Each FPM applies traffic shaping and DDoS quotas independently. Because of load-balancing, this may allow more traffic than expected.

FortiGuard web filtering and spam filtering queries

The FortiGate 7000E sends all FortiGuard web filtering and spam filtering rating queries through a management interface from the management VDOM.

Web filtering quotas

On a VDOM operating with the Inspection Mode set to Proxy, you can go to Security Profiles > Web Filter and set up Category Usage Quotas. Each FPM has its own quota, and the FortiGate 7000E applies quotas per FPM and not per the entire FortiGate 7000E system. This could result in quotas being exceeded if sessions for the same user are processed by different FPMs.

Special notice for new deployment connectivity testing

Only the primary FPM can successfully ping external IP addresses. During a new deployment, while performing connectivity testing from the FortiGate 7000E, make sure to run execute ping tests from the primary FPM CLI.

Displaying the process name associated with a process ID

You can use the following command to display the process name associated with a process ID (PID):

diagnose sys process nameof <pid>

Where <pid> is the process ID.

Previous
Next

FortiGate 7000E 7.4.3 incompatibilities and limitations

FortiGate 7000E for FortiOS 7.4.3 has the following limitations and incompatibilities with FortiOS features:

Caution

The FortiGate 7000E uses the Fortinet Security Fabric for communication and synchronization between the FIMs and the FPMs and for normal GUI operation. By default, the Security Fabric is enabled and must remain enabled for normal operation.

Managing the FortiGate 7000E

Management is only possible through the MGMT1 to MGMT4 front panel management interfaces. By default the MGMT1 to MGMT4 interfaces of the FIMs in slot 1 and slot 2 are in a single static aggregate interface named mgmt with IP address 192.168.1.99. You manage the FortiGate 7000E by connecting any one of these eight interfaces to your network, opening a web browser and browsing to the management IP address. For a factory default configuration, browse to https://192.168.1.99.

Note The FortiGate-7030E has one FIM and the MGMT1 to MGMT4 interfaces of that module are the only interfaces in the aggregate interface.

Default management VDOM

By default the FortiGate 7000E configuration includes a management VDOM named mgmt-vdom. For the FortiGate 7000E system to operate normally you should not change the configuration of this VDOM and this VDOM should always be the management VDOM. You should also not add or remove interfaces from this VDOM.

You have full control over the configurations of other FortiGate 7000E VDOMs.

Maximum number of LAGs and interfaces per LAG

The FortiGate 7000E supports up to 16 link aggregation groups (LAGs). This includes both normal link aggregation groups and redundant interfaces and including the redundant interface that contains the mgmt1 to mgmt4 management interfaces. A FortiGate 7000E LAG can include up to 20 interfaces.

High availability

Only the M1 and M2 interfaces are used for the HA heartbeat communication. For information on how to set up HA heartbeat communication using the M1 and M2 interfaces, see Connect the M1 and M2 interfaces for HA heartbeat communication

The following FortiOS HA features are not supported or are supported differently by the FortiGate 7000E:

  • Active-active HA is not supported.
  • The range for the HA group-id is 0 to 31.
  • Failover logic for FortiGate 7000E HA is not the same as FGCP for other FortiGate clusters.
  • HA heartbeat configuration is specific to FortiGate 7000E systems and differs from standard HA.
  • FortiGate 7000E HA does not support the route-wait and route-hold options for tuning route synchronization between FortiGate 7000Es.
  • VLAN monitoring using the config system ha-monitor command is not supported.

  • FortiGate 7000E HA does not support using the HA session-sync-dev option. Instead, session synchronization traffic uses the M1 and M2 interfaces, separating session sync traffic from data traffic.

Shelf manager module

It is not possible to access the shelf manager module (SMM) CLI using Telnet or SSH. Only console access is supported using the FortiGate 7000E chassis front panel console ports as described in the FortiGate 7000E system guide.

For monitoring purpose, IPMI over IP is supported on SMM Ethernet ports. See your FortiGate 7000E system guide for details.

FortiOS features not supported by FortiGate 7000E

The following mainstream FortiOS features are not supported by the FortiGate 7000E:

  • Hardware switch.

  • DLP archiving.

  • GRE tunneling is only supported after creating a load balance flow rule, for example:

config load-balance flow-rule

edit 0

set status enable

set vlan 0

set ether-type ip

set protocol gre

set action forward

set forward-slot master

set priority 3

end

  • Hard disk features including, WAN optimization, web caching, explicit proxy content caching, disk logging, and GUI-based packet sniffing.
  • The FortiGate 7000E platform only supports quarantining files to FortiAnalyzer.
  • The FortiGate 7000E does not support configuring dedicated management interfaces using the config system dedicated-mgmt command or by enabling the dedicated-to management interface option. The purpose of the dedicated management interface feature is to add a routing table just for management connections. This functionality is supported by the FortiGate 7000E management VDOM (mgmt-vdom) that has its own routing table and contains all of the FortiGate 7000E management interfaces.

  • The FortiOS session-ttl option never (which means no session timeout) is only supported if the dp-load-distribution-method is set to src-dst-ip-sport-dport (the default) or src-dst-ip and the firewall policy that accepts the session does not perform NAT. If any other load distribution method is used, or if NAT is enabled, the DP session timer will terminate the session according to the DP processor session timer. For more information about the never option, see No session timeout.

  • Enabling the system settings option tcp-session-without-syn and configuring a firewall policy to accept sessions without syn packets allows FortiOS to add entries to its session table for sessions that do not include SYN packets. These sessions can only be load balanced by the DP processor if the dp-load-distribution-method is set to src-dst-ip-sport-dport (default) or src-dst-ip. If any other load distribution method is used, the sessions will be dropped. As well, the DP processor cannot load balance these sessions if they are accepted by a firewall policy with NAT enabled.

  • The source-ip option for management services (for example, logging, SNMP, connecting to FortiSandbox) that use interfaces in the mgmt-vdom is not supported and has been removed from the CLI.

  • The config vpn ssl settings option tunnel-addr-assigned-method is now available again. This option had been removed from the CLI in a previous release because setting this option to first-available and configuring multiple IP pools can reduce FortiGate 7000E SSL VPN load balancing performance. However, some users may want the ability to use multiple IP pools for their SSL VPN configuration, even if performance is reduced. So the change has been reverted.

IPsec VPN tunnels terminated by the FortiGate 7000E

For a list of FortiGate 7000E IPsec VPN features and limitations, see IPsec VPN load balancing.

Traffic shaping and DDoS policies

Each FPM applies traffic shaping and DDoS quotas independently. Because of load-balancing, this may allow more traffic than expected.

FortiGuard web filtering and spam filtering queries

The FortiGate 7000E sends all FortiGuard web filtering and spam filtering rating queries through a management interface from the management VDOM.

Web filtering quotas

On a VDOM operating with the Inspection Mode set to Proxy, you can go to Security Profiles > Web Filter and set up Category Usage Quotas. Each FPM has its own quota, and the FortiGate 7000E applies quotas per FPM and not per the entire FortiGate 7000E system. This could result in quotas being exceeded if sessions for the same user are processed by different FPMs.

Special notice for new deployment connectivity testing

Only the primary FPM can successfully ping external IP addresses. During a new deployment, while performing connectivity testing from the FortiGate 7000E, make sure to run execute ping tests from the primary FPM CLI.

Displaying the process name associated with a process ID

You can use the following command to display the process name associated with a process ID (PID):

diagnose sys process nameof <pid>

Where <pid> is the process ID.

Previous
Next