Starting an SSL-VPN tunnel CPS test

This test establishes a SSL-VPN tunnel connection and completes a full of HTTP transaction through it. It creates one HTTP(FTP) transaction per tunnel.

The tunnel is only established if configured in empty tunnel mode.

To start an SSL VPN CPS tunnel test:

Go to Cases > Performance Testing> VPN> > SSLVPN > CPS to display the test case summary page.
Click + Create New to display the Select case options dialog box.
Configure the Inner Traffic and click OK to continue.

Set the server network to Peer Network.

If Fortigate SSLVPN policy has disabled NAT mode, you need set the Internal IP assigned by Fortigate.

If Fortigate SSLVPN policy has enabled NAT mode, you need to set apeer IP.

Set Specifics for Load and Client. See the table below.

Set Inner protocol case Specifics >HTTPCPS.

Simulated Users

Number of simusers in a Tunnel.

SSL VPN tunnel CPS Test Case configuration

Settings	Guidelines
Basic Information
Name	Specify the case name, or just use the default. The name appears in the list of test cases.
Ping Server Timeout	If a FortiTester connects to a DUT via a switch, the switch might cause a ping timeout, resulting in the test case failing to run. If this occurs, increase the timeout. The default is 15 seconds. The valid range is 0 to 600. Note: You can disable this end-to-end connectivity test by entering a setting of 0. If the DUT is unable to return packets, it is recommended you do so.
Number of Samples	Select the number of samples. The default is 20, which means the web UI will show the last 20 sample data (about 20 seconds) in the test case running page. You can select 20, 60, or 120.
Script Config	Select the script that will run before/after the test. To create a script, see Using script object templates.
Steady Duration	Specify the test duration. The default is 10 minutes. The test stops automatically after the duration you specify.
Stopping Status in Second	The maximum time out in seconds allotted for FortiTester to close all TCP connections after the test finishes.
DUT Monitor	Select to monitor a FortiGate device under test (DUT). If selected, you can monitor the DUT from the DUT Monitor tab on the management interface. To create a DUT monitoring, see Using DUT monitoring.
Network Settings If you have selected a network config template, the network settings automatically inherit the configurations in the template. See Using network configuration templates for the description of network settings.
Load
Mode	Simuser: Simulated users. Simuser simulates a user processing through an Actions list one at a time. It allows you to determine the maximum number of concurrent users your device, infrastructure, or system can handle. Connections/second: This mode simulates TCP connections, each of them containing up to hundreds of transactions. It's useful to test how many concurrent connections can be handled by your device.
Simulated Users	Number of users to simulate.
Ramp Up Time	Time in seconds for traffic to ramp up when you start the test.
Ramp Down Time	Time in seconds for traffic to ramp down when you stop the test.
VPN Gateway Port	Specify the VPN gateway port number.
VPN Username	Enter the VPN username.
VPN Password	Enter the VPN password.
Tunnel mode	Select TCP or UDP.
Client Profile
Client Close Mode	Select the connection close method: 3Way_Fin or Reset.
Quiet Shutdown	Enable to apply safe shutdown procedure to SSL connections by sending SSL alert to the peer.
Available SSL Versions	Select SSL versions. TLSv1.3 and other SSL versions are mutually exclusive. This means you can’t select TLSv1.3 at the same time with other SSL versions.
SSL Ciphers	Select one or more SSL ciphers from the list.
Session Resumption	Disabled (turns off session resumption). Resume Session by Ticket: Select this option to simulate a client presenting a ticket to a TLS server, having originated from that server, for the purpose of resuming a TLS session. Resume Session by Session: Select this option to simulate a user attempting to use the same SSL Session ID, initially negotiated with the server. This option applies only to TLS v1 and TLS v1.2. It does not apply to TLS v1.3.
Enable Client Certificate	Enable the client authentication for HTTPS cases.
Piggyback Get Requests	If enabled, this means an acknowledgement is sent on the data frame, not in an individual frame.
Source Port Range	Specify a client port range. The valid range is 10,000 to 65,535, which is also the default.
IP Change Algorithm/Port Change Algorithm	Select a change algorithm: Increment or Random. This setting determines how the system changes source/destination IP addresses and ports to simulate multiple client requests. The Increment option uses the next IP address or port in the range, for example: 10.11.12.1 -> 10.11.12.2; port 10000 -> 10001. The Random option selects an IP address or port in the range randomly.
Client/Server TCP Options
TCP Receive Window	The receive window in which you want the TCP stack to send TCP segments. The receive window informs the peer how many bytes of data the stack is currently able to receive. The supplied value is used in all segments sent by the stack. The valid range is 0 to 65535.
Delayed Acks	Select to cause the TCP stack to implement the Delayed ACK strategy, which attempts to minimize the transmission of zero-payload ACK packets. Acknowledgments will be deferred and should be piggybacked on top of valid data packets. If successfully deferred, these acknowledgments are free, in the sense that they consume no additional bandwidth.
Delayed Ack Timeout	If you select Delayed ACKs, use this timeout value to specify the maximum time the TCP stack waits to defer ACK transmission. If this timer expires, the stack transmits a zero-payload acknowledgment.
Timestamps Option	Select to add a TCP time stamp to each TCP segment.
Enable Push Flag	Select to set the TCP PSH (push) flag in all TCP packets. This flag causes buffered data to be pushed to the receiving application. If deselected, the PSH flag is not set in any TCP packet.
SACK Option	Select to enable TCP Selective Acknowledgment Options(SACK).
Enable TCP Keepalive	Select to enable TCP Keep-alive Timer.
Keepalive Timeout	If you enable TCP Keepalive, use this timeout value to specify the maximum time to send your peer a keep-alive probe packet
Keepalive Probes	If you enable TCP Keepalive, use this value to specify the maximum probes to detect the broken connection.
Override Internal Timeout Calculation	Select to override the TCP stack calculation of the retransmission timeout value.
Retransmission Timeout	If you select Override Internal Timeout Calculation, use this value for the first transmission of a particular data or control packet; it is doubled for each subsequent retransmission.
Retries	The number of times a timed-out packet is retransmitted before aborting further retransmission. If the client does not receive a response after the configured number of retries have been attempted, the error is logged in the results. CSV file as a TCP timeout when a SYN or FIN is sent, and no SYN/ACK or FIN/ACK from the server is received.
Server Profile
Case Server Port	The server port where the test case traffic arrives.
Client Network
Network MTU	The maximum transmission unit size.
Tunnel Mode	Select TCP or UDP.
Server Network
Network MTU	The maximum transmission unit size.
Action
Request Page	Select System Pages with Fixed or Random File Name and Content.

Starting an SSL-VPN tunnel CPS test

This test establishes a SSL-VPN tunnel connection and completes a full of HTTP transaction through it. It creates one HTTP(FTP) transaction per tunnel.

The tunnel is only established if configured in empty tunnel mode.

To start an SSL VPN CPS tunnel test:

Go to Cases > Performance Testing> VPN> > SSLVPN > CPS to display the test case summary page.

Click + Create New to display the Select case options dialog box.

Configure the Inner Traffic and click OK to continue.

Set the server network to Peer Network.

If Fortigate SSLVPN policy has disabled NAT mode, you need set the Internal IP assigned by Fortigate.

If Fortigate SSLVPN policy has enabled NAT mode, you need to set apeer IP.

Set Specifics for Load and Client. See the table below.

Set Inner protocol case Specifics >HTTPCPS.

Simulated Users

Number of simusers in a Tunnel.

SSL VPN tunnel CPS Test Case configuration

Settings	Guidelines
Basic Information
Name	Specify the case name, or just use the default. The name appears in the list of test cases.
Ping Server Timeout	If a FortiTester connects to a DUT via a switch, the switch might cause a ping timeout, resulting in the test case failing to run. If this occurs, increase the timeout. The default is 15 seconds. The valid range is 0 to 600. Note: You can disable this end-to-end connectivity test by entering a setting of 0. If the DUT is unable to return packets, it is recommended you do so.
Number of Samples	Select the number of samples. The default is 20, which means the web UI will show the last 20 sample data (about 20 seconds) in the test case running page. You can select 20, 60, or 120.
Script Config	Select the script that will run before/after the test. To create a script, see Using script object templates.
Steady Duration	Specify the test duration. The default is 10 minutes. The test stops automatically after the duration you specify.
Stopping Status in Second	The maximum time out in seconds allotted for FortiTester to close all TCP connections after the test finishes.
DUT Monitor	Select to monitor a FortiGate device under test (DUT). If selected, you can monitor the DUT from the DUT Monitor tab on the management interface. To create a DUT monitoring, see Using DUT monitoring.
Network Settings If you have selected a network config template, the network settings automatically inherit the configurations in the template. See Using network configuration templates for the description of network settings.
Load
Mode	Simuser: Simulated users. Simuser simulates a user processing through an Actions list one at a time. It allows you to determine the maximum number of concurrent users your device, infrastructure, or system can handle. Connections/second: This mode simulates TCP connections, each of them containing up to hundreds of transactions. It's useful to test how many concurrent connections can be handled by your device.
Simulated Users	Number of users to simulate.
Ramp Up Time	Time in seconds for traffic to ramp up when you start the test.
Ramp Down Time	Time in seconds for traffic to ramp down when you stop the test.
VPN Gateway Port	Specify the VPN gateway port number.
VPN Username	Enter the VPN username.
VPN Password	Enter the VPN password.
Tunnel mode	Select TCP or UDP.
Client Profile
Client Close Mode	Select the connection close method: 3Way_Fin or Reset.
Quiet Shutdown	Enable to apply safe shutdown procedure to SSL connections by sending SSL alert to the peer.
Available SSL Versions	Select SSL versions. TLSv1.3 and other SSL versions are mutually exclusive. This means you can’t select TLSv1.3 at the same time with other SSL versions.
SSL Ciphers	Select one or more SSL ciphers from the list.
Session Resumption	Disabled (turns off session resumption). Resume Session by Ticket: Select this option to simulate a client presenting a ticket to a TLS server, having originated from that server, for the purpose of resuming a TLS session. Resume Session by Session: Select this option to simulate a user attempting to use the same SSL Session ID, initially negotiated with the server. This option applies only to TLS v1 and TLS v1.2. It does not apply to TLS v1.3.
Enable Client Certificate	Enable the client authentication for HTTPS cases.
Piggyback Get Requests	If enabled, this means an acknowledgement is sent on the data frame, not in an individual frame.
Source Port Range	Specify a client port range. The valid range is 10,000 to 65,535, which is also the default.
IP Change Algorithm/Port Change Algorithm	Select a change algorithm: Increment or Random. This setting determines how the system changes source/destination IP addresses and ports to simulate multiple client requests. The Increment option uses the next IP address or port in the range, for example: 10.11.12.1 -> 10.11.12.2; port 10000 -> 10001. The Random option selects an IP address or port in the range randomly.
Client/Server TCP Options
TCP Receive Window	The receive window in which you want the TCP stack to send TCP segments. The receive window informs the peer how many bytes of data the stack is currently able to receive. The supplied value is used in all segments sent by the stack. The valid range is 0 to 65535.
Delayed Acks	Select to cause the TCP stack to implement the Delayed ACK strategy, which attempts to minimize the transmission of zero-payload ACK packets. Acknowledgments will be deferred and should be piggybacked on top of valid data packets. If successfully deferred, these acknowledgments are free, in the sense that they consume no additional bandwidth.
Delayed Ack Timeout	If you select Delayed ACKs, use this timeout value to specify the maximum time the TCP stack waits to defer ACK transmission. If this timer expires, the stack transmits a zero-payload acknowledgment.
Timestamps Option	Select to add a TCP time stamp to each TCP segment.
Enable Push Flag	Select to set the TCP PSH (push) flag in all TCP packets. This flag causes buffered data to be pushed to the receiving application. If deselected, the PSH flag is not set in any TCP packet.
SACK Option	Select to enable TCP Selective Acknowledgment Options(SACK).
Enable TCP Keepalive	Select to enable TCP Keep-alive Timer.
Keepalive Timeout	If you enable TCP Keepalive, use this timeout value to specify the maximum time to send your peer a keep-alive probe packet
Keepalive Probes	If you enable TCP Keepalive, use this value to specify the maximum probes to detect the broken connection.
Override Internal Timeout Calculation	Select to override the TCP stack calculation of the retransmission timeout value.
Retransmission Timeout	If you select Override Internal Timeout Calculation, use this value for the first transmission of a particular data or control packet; it is doubled for each subsequent retransmission.
Retries	The number of times a timed-out packet is retransmitted before aborting further retransmission. If the client does not receive a response after the configured number of retries have been attempted, the error is logged in the results. CSV file as a TCP timeout when a SYN or FIN is sent, and no SYN/ACK or FIN/ACK from the server is received.
Server Profile
Case Server Port	The server port where the test case traffic arrives.
Client Network
Network MTU	The maximum transmission unit size.
Tunnel Mode	Select TCP or UDP.
Server Network
Network MTU	The maximum transmission unit size.
Action
Request Page	Select System Pages with Fixed or Random File Name and Content.

Settings

Guidelines

Basic Information

Name

Specify the case name, or just use the default. The name appears in the list of test cases.

Ping Server Timeout

If a FortiTester connects to a DUT via a switch, the switch might cause a ping timeout, resulting in the test case failing to run. If this occurs, increase the timeout. The default is 15 seconds. The valid range is 0 to 600.
Note: You can disable this end-to-end connectivity test by entering a setting of 0. If the DUT is unable to return packets, it is recommended you do so.

Number of Samples

Select the number of samples. The default is 20, which means the web UI will show the last 20 sample data (about 20 seconds) in the test case running page. You can select 20, 60, or 120.

Script Config

Select the script that will run before/after the test. To create a script, see Using script object templates.

Steady Duration

Specify the test duration. The default is 10 minutes. The test stops automatically after the duration you specify.

Stopping Status in Second

The maximum time out in seconds allotted for FortiTester to close all TCP connections after the test finishes.

DUT Monitor

Select to monitor a FortiGate device under test (DUT). If selected, you can monitor the DUT from the DUT Monitor tab on the management interface. To create a DUT monitoring, see Using DUT monitoring.

Network Settings
If you have selected a network config template, the network settings automatically inherit the configurations in the template. See Using network configuration templates for the description of network settings.

Load

Mode

Simuser: Simulated users. Simuser simulates a user processing through an Actions list one at a time. It allows you to determine the maximum number of concurrent users your device, infrastructure, or system can handle.
Connections/second: This mode simulates TCP connections, each of them containing up to hundreds of transactions. It's useful to test how many concurrent connections can be handled by your device.

Simulated Users

Number of users to simulate.

Ramp Up Time

Time in seconds for traffic to ramp up when you start the test.

Ramp Down Time

Time in seconds for traffic to ramp down when you stop the test.

VPN Gateway Port

Specify the VPN gateway port number.

VPN Username

Enter the VPN username.

VPN Password

Enter the VPN password.

Tunnel mode

Select TCP or UDP.

Client Profile

Client Close Mode

Select the connection close method: 3Way_Fin or Reset.

Quiet Shutdown

Enable to apply safe shutdown procedure to SSL connections by sending SSL alert to the peer.

Available SSL Versions

Select SSL versions.

TLSv1.3 and other SSL versions are mutually exclusive. This means you can’t select TLSv1.3 at the same time with other SSL versions.

SSL Ciphers

Select one or more SSL ciphers from the list.

Session Resumption

Disabled (turns off session resumption).
Resume Session by Ticket: Select this option to simulate a client presenting a ticket to a TLS server, having originated from that server, for the purpose of resuming a TLS session.
Resume Session by Session: Select this option to simulate a user attempting to use the same SSL Session ID, initially negotiated with the server.

This option applies only to TLS v1 and TLS v1.2. It does not apply to TLS v1.3.

Enable Client Certificate

Enable the client authentication for HTTPS cases.

Piggyback Get Requests

If enabled, this means an acknowledgement is sent on the data frame, not in an individual frame.

Source Port Range

Specify a client port range. The valid range is 10,000 to 65,535, which is also the default.

IP Change Algorithm/Port Change Algorithm

Select a change algorithm: Increment or Random. This setting determines how the system changes source/destination IP addresses and ports to simulate multiple client requests. The Increment option uses the next IP address or port in the range, for example: 10.11.12.1 -> 10.11.12.2; port 10000 -> 10001. The Random option selects an IP address or port in the range randomly.

Client/Server TCP Options

TCP Receive Window

The receive window in which you want the TCP stack to send TCP segments. The receive window informs the peer how many bytes of data the stack is currently able to receive. The supplied value is used in all segments sent by the stack. The valid range is 0 to 65535.

Delayed Acks

Select to cause the TCP stack to implement the Delayed ACK strategy, which attempts to minimize the transmission of zero-payload ACK packets. Acknowledgments will be deferred and should be piggybacked on top of valid data packets. If successfully deferred, these acknowledgments are free, in the sense that they consume no additional bandwidth.

Delayed Ack Timeout

If you select Delayed ACKs, use this timeout value to specify the maximum time the TCP stack waits to defer ACK transmission. If this timer expires, the stack transmits a zero-payload acknowledgment.

Timestamps Option

Select to add a TCP time stamp to each TCP segment.

Enable Push Flag

Select to set the TCP PSH (push) flag in all TCP packets. This flag causes buffered data to be pushed to the receiving application. If deselected, the PSH flag is not set in any TCP packet.

SACK Option

Select to enable TCP Selective Acknowledgment Options(SACK).

Enable TCP Keepalive

Select to enable TCP Keep-alive Timer.

Keepalive Timeout

If you enable TCP Keepalive, use this timeout value to specify the maximum time to send your peer a keep-alive probe packet

Keepalive Probes

If you enable TCP Keepalive, use this value to specify the maximum probes to detect the broken connection.

Override Internal Timeout Calculation

Select to override the TCP stack calculation of the retransmission timeout value.

Retransmission Timeout

If you select Override Internal Timeout Calculation, use this value for the first transmission of a particular data or control packet; it is doubled for each subsequent retransmission.

Retries

The number of times a timed-out packet is retransmitted before aborting further retransmission. If the client does not receive a response after the configured number of retries have been attempted, the error is logged in the results. CSV file as a TCP timeout when a SYN or FIN is sent, and no SYN/ACK or FIN/ACK from the server is received.

Server Profile

Case Server Port

The server port where the test case traffic arrives.

Client Network

Network MTU

The maximum transmission unit size.

Tunnel Mode

Select TCP or UDP.

Server Network

Network MTU

The maximum transmission unit size.

Action

Request Page

Select System Pages with Fixed or Random File Name and Content.

Handbook

Starting an SSL-VPN tunnel CPS test

Starting an SSL-VPN tunnel CPS test

Starting an SSL-VPN tunnel CPS test