Fortinet black logo

Administration Guide

Home FortiTester 7.1.0 Administration Guide

FAQ

7.1.0
7.4.0
7.3.2
7.3.0
7.2.3
7.2.2
7.2.1
7.2.0
7.1.0
7.0.0
Copy Link
Copy Doc ID 9217125a-7eda-11ec-a0d0-fa163e15d75b:807655
Download PDF

FAQ

Table of contents

  1. Does FortiTester VM supports SR-IOV?
  2. How do I replay large PCAPs in FortiTester?
  3. Can FortiTester run more than one case at a time?
  4. Does FortiTester support API?
  5. What are the supported hardware & port density?
  6. What are the limitations on CPU, RAM and Storage for different VM licenses?
  7. Where can I download the attack package?
  8. What are Test Centre model running conditions? Can they be different models?
  9. How can we reset FortiTester admin password? Is there a maintainer account like FortiGate?
  10. How do you calculate max bandwidth in TestCenter mode?
  11. SSL CPS VPN test - is there a way NOT to send the ping to FortiTester server side when starting the case?
  12. Why is the Trunk status of the device that connected to FortiTester down?
  13. How many MAX end points / unique IP's can FortiTester generate?
  14. How does FortiTester run offline?
  15. What is the difference between Connections per Second and Simulated Users?
Does FortiTester VM supports SR-IOV?

Yes. This was supported long time ago. FortiTester can utilize the NIC to perform faster input and output.

How do I replay large PCAPs in FortiTester?

You can consider using Attack Replay under Security Testing. See Starting an IPS Attack Replay test.

Please note the size of all the uploaded pcap files should not exceed 200 MB. You can upload more files by creating multiple Attack Replay cases and schedule to run them one after another.

As loading multiple 200MB files into memory, your FortiTester device might not have enough memory, e.g. FortiTester 2000E has 32 GB memory, FortiTester 3000E has 64 GB memory.

Can FortiTester run more than one case at a time?

No, FTS does not support more than one case at a time. However, you can schedule the test cases to run automatically one after another. See Scheduling cases.

Does FortiTester support API?

Yes, FortiTester has a very comprehensive REST API. Test cases can be created, launched and monitored using the API. See Using the REST API.

What are the supported hardware & port density?
  • FortiTester 2000D - 1x GE RJ45, 4x 10 GE SFP+, 120 GB SSD storage [EOL already]
  • FortiTester 2000E - 1x GE RJ45, 4x 10 GE SFP+, 1TB HDD Storage [Replacement of 2000D]
  • FortiTester 2500E - 1x GE RJ45, 4x 10 GE SFP+, 1TB HDD Storage
  • FortiTester 3000E - 1x GE RJ45, 2x 40 GE QSFP, 2 TB HDD storage
  • FortiTester 4000E - 1x GE RJ45, 1x 100 GE QSFP28, 2 TB HDD storage

  • FortiTester 100F-3x GE RJ45, 2x 1GE SFP,2x 10 GE SFP+, 1 TB HDD storage

  • FortiTester 100F, 2 x 10GE SFP+, 2 x GE SFP, 2 x GE RJ45, 1 x console RJ45 and 1 mgmt RJ45, 1 TB HDD

What are the limitations on CPU, RAM and Storage for different VM licenses?
  • FortiTester VM02 - 2 vCPU, 4GB RAM, 60GB Storage
  • FortiTester VM04 - 4 vCPU, 8GB RAM, 60GB Storage
  • FortiTester VM08 - 8 vCPU, 16GB RAM, 60GB Storage
  • FortiTester VM16 - 16 vCPU, 32GB RAM, 60GB Storage
  • FortiTester VM32 - 32 vCPU, 64GB RAM, 60GB Storage

Note: The Enterprise mix feature under Performance Testing > Mix Traffic is only available on FortiTester-VMs with VM16 or VM32 license.

Where can I download the attack package?

You can download it from Fortinet Support site. See Updating FortiGuard for more information.

What are Test Centre model running conditions? Can they be different models?

Yes, they can be different models, but based on the following conditions:

  • For all FortiTester-VMs they have to be properly licensed.
  • For all FortiTester-VMs, Center/Client must have the same vCPU number, VM type, port number.
  • Software - Center/Client must have the same major version number (e.g. 3.8.0 can run with 3.8.1 but NOT 3.7)
  • For 3000E, Center/Client must have the same fanout mode (e.g. 3000E can break out 2 x 40G into 8 x 10G)
  • Center/Client must be in the same group i.e.:
    • "2K": ["FTS_2000D", "FTS_2000E", "FTS_2500E"],
    • "3K": ["FTS_3000E"],
    • "4K": ["FTS_4000E"],
    • "VM": ["FTS_VM_KVM"],
    • "VM_ESXI": ["FTS_VM"],
    • "AWS": ["FTS_VM_AWS"],
    • "AWS_BYOL": ["FTS_VM_AWS_BYOL"],
    • "AZR_BYOL": ["FTS_VM_AZURE_BYOL"],
    • "OCI_BYOL": ["FTS_VM_OCI_BYOL"],
    • "GCP_BYOL": ["FTS_VM_GCP_BYOL"]
How can we reset FortiTester admin password? Is there a maintainer account like FortiGate?

FortiTester does have a maintainer account, can be used to change password, but you must connect FortiTester console port.

Please refer to the following steps

  1. Connect FortiTester console port.

  2. Reboot FortiTester then get the SN.

    FortiBootLoader

    • FortiTester-4000E (23:46-06.26.2017)
    • Ver:00010001

    FortiTester-4000E (17:33-08.28.2017)

    Ver:00010002

    Serial number:FTS4KET618000005

    Total RAM: 131072MB

    Boot up, boot device capacity: 1960MB.

    Press any key to display configuration menu...

  3. Login with maintainer user.

    After the FortiTester boots, a timpe period of only 300 seconds will be permitted to type in the username and password.

    The password is bcpb plus the serial number of the FortiTester. Example bcpbFTS4KET618000005.

    center237 login: maintainer

    Password:

    Welcome !

    For interactive help, Please type "?".

  4. Change admin user password.

    center237 # config system setting

    center237 (setting) #

    center237 (setting) # set admin-password fts@ftnt

    Reset password success

    center237 (setting) # end

    center237 #

See Setting Password for more information.

How do you calculate max bandwidth in TestCenter mode?

This is dependent on interfaces on FTS e.g. 10/40/100G and how much traffic it can generate. The example below is based on HTTP throughput.

SSL CPS VPN test - is there a way NOT to send the ping to FortiTester server side when starting the case? (if PING is not successful through the FG [requires another policy] SSLVPN case would not run.

Yes it's possible not to send the ping, by setting ping timeout to 0, as below:

Why is the Trunk status of the device that connected to FortiTester down?

The test configuration on FortiTester is only a test template without activating the configuration. The admin can pre-stage multiple test cases with different network configuration for individual port-based or bond-based testing.

Only when the tester runs a bond-based test will FortiTester activate the bond, then the status of the connected trunk or aggregate interface on FortiSwitch or Fortigate will also change to "up."

How many MAX end points / unique IP's can FortiTester generate?

Each Test case limitation is different. Take HTTP CPS for example:

There are a few concepts which are important to understand.

Subnet settings

These control how many subnets FortiTester will create with a virtual router. In an HTTP CPS case you can create up to 8 subnets, each with 4096 IPs each. For example, 8 subnets x 65,536 IPs = 524,288 unique IPs

Note:

  • However, in the testing selection, you can either choose SimUsers (max 1024) OR Connection per sec (max 9,999,999). The simple analogy is:

Sim users - FortiTester will send X number of runners from starting line to finish (to fetch something from finish line), the runners comes back with the objects, and start the run again (until test time finishes). DUT (e.g. FG) might hold up the users (runner).

Connections per second - FortiTester will send X number of runners per Y seconds (e.g. 100 runners per second). FortiTester does not care whether the users come back or not (result will be measured at the end). If the DUT allows them to return in time, that DUT can 'sustain' this CPS rate.

  • Understand that EACH IP, you can also use SOURCE PORT to distribution sessions. FortiTester will FIRST use unique IP's first BEFORE source port. Let's take a look at an extreme case:

FortiTester can use 1 IPs (controlled by subnet settings) and generate 55,535 (65,535 minus 10,000) connections to 1 destination, with use of source port. This settings can be found under client tab as below:

Therefore if both subnets and source port are configured (or left as default i.e. two subnets in certain models, higher end will have 4 subnets for default, and a source port of 10,000-65,535), FortiTester will distribute the sessions across the configured IP range and ports.

So to answer the original question: How many unique IP's can FortiTester generate?

The simple answer is: for HTTP CPS, FortiTester can generate 8 subnets x 65,536 IPs = 524,288 IPs on each end. However, the load, controlled by 'connections/secs' or simusers can be adjusted (or greater than the IP configured).

  • It was mentioned earlier for each case it's slightly different. To explain further:

For HTTP CPS - if you set subnet to /8 (i.e. more hosts), when you click save, FortiTester does NOT allow you to go over the maximum of 65,535 (this is the MAX IP per subnet for HTTP CPS).

But for HTTP CC (Concurrent session), a different test altogether, the max limitation of IP is 4,096. See error screenshot below (if your subnet/IP configured goes over the max value).

In the future we hope to document each case clearly for the maximum configured value.

How does FortiTester run offline?

There are a few scenarios to cover:

1. Without FortiManager

  • FortiTester VMs requires Internet for periodic license validation. Once it validates, if VM goes offline, the license will be valid for 3 days before it requires validation again (goes into trial mode if fails).
  • FortiTester appliances will work without internet; however, updates via internet are impacted (users can download updates manually via support website).
  • FortiTester has 'HTTPS proxy feature' to allow FortiTester to reach internet via proxy, as below:

Topology

To configure on FortiTester GUI, go to System > FortiGuard.

2a. With FortiManager (Online)

FortiManager v6.4.6+ and v7.0.1+ supports the following functions:

  • FortiTester license verification
  • FortiTester Update packages (malware / IPS / web protection updates)

Topology

To configure on FortiTester GUI, go to System > FortiGuard, then input FortiManager IP in FortiGuard IP address field.

2b. With FortiManager (offline)

Purpose

  • FMG01 to act as a licensing server (like FDS), enable web service on FortiManager interface
  • FMG02 to get the packages from online FDS, export the packages and import back into FortiManager 01
  • Users import license (from support.fortinet.com) into FMG01 to validate FortiTester

Topology

Tp enable service update, go to ADOM Fabric > System Settings > Network.

You must get entitlement from support.forinet.com if you use FortiManager OFFLINE mode.

Configure ONLINE mode on FMG01 (This FortiManager can reach the internet.)

Go to ADOM Fabric > FortiGuard > Settings.

Configure offline mode on FMG02 (This FortiManager cannot reach the internet.)

Go to ADOM Fabric > FortiGuard > Settings.

Import FortiTester entitlement into FMG02 (FortiManager that has no Internet access).

Export service package from an ONLINE FortiManager (FMG01).

Import the service package in FMG02 (OFFLINE FortiManager).

After it will show the FortiTester service package after import on FortiManager GUI

Configure FortiTester to use FortiManager 02 (offline FortiManager).

What is the difference between Connections per Second and Simulated Users?

The following analogy may be helpful:

Simulated Users - FortiTester will send X number of runners from starting line to finish (to fetch something from the finish line). The runner comes back with the objects, and starts the run again (until test time finishes). The DUT (e.g. FG) might or might not be able to hold up the users (runners).

Connections per Second - FortiTester will send X number of runners per Y seconds (e.g. 100 runners per second). FortiTester does not care whether the users come back or not (the result will be measured at the end). If the DUT allows them to return in time, that DUT can 'sustain' this CPS rate.

Previous
Next

FAQ

Table of contents

  1. Does FortiTester VM supports SR-IOV?
  2. How do I replay large PCAPs in FortiTester?
  3. Can FortiTester run more than one case at a time?
  4. Does FortiTester support API?
  5. What are the supported hardware & port density?
  6. What are the limitations on CPU, RAM and Storage for different VM licenses?
  7. Where can I download the attack package?
  8. What are Test Centre model running conditions? Can they be different models?
  9. How can we reset FortiTester admin password? Is there a maintainer account like FortiGate?
  10. How do you calculate max bandwidth in TestCenter mode?
  11. SSL CPS VPN test - is there a way NOT to send the ping to FortiTester server side when starting the case?
  12. Why is the Trunk status of the device that connected to FortiTester down?
  13. How many MAX end points / unique IP's can FortiTester generate?
  14. How does FortiTester run offline?
  15. What is the difference between Connections per Second and Simulated Users?
Does FortiTester VM supports SR-IOV?

Yes. This was supported long time ago. FortiTester can utilize the NIC to perform faster input and output.

How do I replay large PCAPs in FortiTester?

You can consider using Attack Replay under Security Testing. See Starting an IPS Attack Replay test.

Please note the size of all the uploaded pcap files should not exceed 200 MB. You can upload more files by creating multiple Attack Replay cases and schedule to run them one after another.

As loading multiple 200MB files into memory, your FortiTester device might not have enough memory, e.g. FortiTester 2000E has 32 GB memory, FortiTester 3000E has 64 GB memory.

Can FortiTester run more than one case at a time?

No, FTS does not support more than one case at a time. However, you can schedule the test cases to run automatically one after another. See Scheduling cases.

Does FortiTester support API?

Yes, FortiTester has a very comprehensive REST API. Test cases can be created, launched and monitored using the API. See Using the REST API.

What are the supported hardware & port density?
  • FortiTester 2000D - 1x GE RJ45, 4x 10 GE SFP+, 120 GB SSD storage [EOL already]
  • FortiTester 2000E - 1x GE RJ45, 4x 10 GE SFP+, 1TB HDD Storage [Replacement of 2000D]
  • FortiTester 2500E - 1x GE RJ45, 4x 10 GE SFP+, 1TB HDD Storage
  • FortiTester 3000E - 1x GE RJ45, 2x 40 GE QSFP, 2 TB HDD storage
  • FortiTester 4000E - 1x GE RJ45, 1x 100 GE QSFP28, 2 TB HDD storage

  • FortiTester 100F-3x GE RJ45, 2x 1GE SFP,2x 10 GE SFP+, 1 TB HDD storage

  • FortiTester 100F, 2 x 10GE SFP+, 2 x GE SFP, 2 x GE RJ45, 1 x console RJ45 and 1 mgmt RJ45, 1 TB HDD

What are the limitations on CPU, RAM and Storage for different VM licenses?
  • FortiTester VM02 - 2 vCPU, 4GB RAM, 60GB Storage
  • FortiTester VM04 - 4 vCPU, 8GB RAM, 60GB Storage
  • FortiTester VM08 - 8 vCPU, 16GB RAM, 60GB Storage
  • FortiTester VM16 - 16 vCPU, 32GB RAM, 60GB Storage
  • FortiTester VM32 - 32 vCPU, 64GB RAM, 60GB Storage

Note: The Enterprise mix feature under Performance Testing > Mix Traffic is only available on FortiTester-VMs with VM16 or VM32 license.

Where can I download the attack package?

You can download it from Fortinet Support site. See Updating FortiGuard for more information.

What are Test Centre model running conditions? Can they be different models?

Yes, they can be different models, but based on the following conditions:

  • For all FortiTester-VMs they have to be properly licensed.
  • For all FortiTester-VMs, Center/Client must have the same vCPU number, VM type, port number.
  • Software - Center/Client must have the same major version number (e.g. 3.8.0 can run with 3.8.1 but NOT 3.7)
  • For 3000E, Center/Client must have the same fanout mode (e.g. 3000E can break out 2 x 40G into 8 x 10G)
  • Center/Client must be in the same group i.e.:
    • "2K": ["FTS_2000D", "FTS_2000E", "FTS_2500E"],
    • "3K": ["FTS_3000E"],
    • "4K": ["FTS_4000E"],
    • "VM": ["FTS_VM_KVM"],
    • "VM_ESXI": ["FTS_VM"],
    • "AWS": ["FTS_VM_AWS"],
    • "AWS_BYOL": ["FTS_VM_AWS_BYOL"],
    • "AZR_BYOL": ["FTS_VM_AZURE_BYOL"],
    • "OCI_BYOL": ["FTS_VM_OCI_BYOL"],
    • "GCP_BYOL": ["FTS_VM_GCP_BYOL"]
How can we reset FortiTester admin password? Is there a maintainer account like FortiGate?

FortiTester does have a maintainer account, can be used to change password, but you must connect FortiTester console port.

Please refer to the following steps

  1. Connect FortiTester console port.

  2. Reboot FortiTester then get the SN.

    FortiBootLoader

    • FortiTester-4000E (23:46-06.26.2017)
    • Ver:00010001

    FortiTester-4000E (17:33-08.28.2017)

    Ver:00010002

    Serial number:FTS4KET618000005

    Total RAM: 131072MB

    Boot up, boot device capacity: 1960MB.

    Press any key to display configuration menu...

  3. Login with maintainer user.

    After the FortiTester boots, a timpe period of only 300 seconds will be permitted to type in the username and password.

    The password is bcpb plus the serial number of the FortiTester. Example bcpbFTS4KET618000005.

    center237 login: maintainer

    Password:

    Welcome !

    For interactive help, Please type "?".

  4. Change admin user password.

    center237 # config system setting

    center237 (setting) #

    center237 (setting) # set admin-password fts@ftnt

    Reset password success

    center237 (setting) # end

    center237 #

See Setting Password for more information.

How do you calculate max bandwidth in TestCenter mode?

This is dependent on interfaces on FTS e.g. 10/40/100G and how much traffic it can generate. The example below is based on HTTP throughput.

SSL CPS VPN test - is there a way NOT to send the ping to FortiTester server side when starting the case? (if PING is not successful through the FG [requires another policy] SSLVPN case would not run.

Yes it's possible not to send the ping, by setting ping timeout to 0, as below:

Why is the Trunk status of the device that connected to FortiTester down?

The test configuration on FortiTester is only a test template without activating the configuration. The admin can pre-stage multiple test cases with different network configuration for individual port-based or bond-based testing.

Only when the tester runs a bond-based test will FortiTester activate the bond, then the status of the connected trunk or aggregate interface on FortiSwitch or Fortigate will also change to "up."

How many MAX end points / unique IP's can FortiTester generate?

Each Test case limitation is different. Take HTTP CPS for example:

There are a few concepts which are important to understand.

Subnet settings

These control how many subnets FortiTester will create with a virtual router. In an HTTP CPS case you can create up to 8 subnets, each with 4096 IPs each. For example, 8 subnets x 65,536 IPs = 524,288 unique IPs

Note:

  • However, in the testing selection, you can either choose SimUsers (max 1024) OR Connection per sec (max 9,999,999). The simple analogy is:

Sim users - FortiTester will send X number of runners from starting line to finish (to fetch something from finish line), the runners comes back with the objects, and start the run again (until test time finishes). DUT (e.g. FG) might hold up the users (runner).

Connections per second - FortiTester will send X number of runners per Y seconds (e.g. 100 runners per second). FortiTester does not care whether the users come back or not (result will be measured at the end). If the DUT allows them to return in time, that DUT can 'sustain' this CPS rate.

  • Understand that EACH IP, you can also use SOURCE PORT to distribution sessions. FortiTester will FIRST use unique IP's first BEFORE source port. Let's take a look at an extreme case:

FortiTester can use 1 IPs (controlled by subnet settings) and generate 55,535 (65,535 minus 10,000) connections to 1 destination, with use of source port. This settings can be found under client tab as below:

Therefore if both subnets and source port are configured (or left as default i.e. two subnets in certain models, higher end will have 4 subnets for default, and a source port of 10,000-65,535), FortiTester will distribute the sessions across the configured IP range and ports.

So to answer the original question: How many unique IP's can FortiTester generate?

The simple answer is: for HTTP CPS, FortiTester can generate 8 subnets x 65,536 IPs = 524,288 IPs on each end. However, the load, controlled by 'connections/secs' or simusers can be adjusted (or greater than the IP configured).

  • It was mentioned earlier for each case it's slightly different. To explain further:

For HTTP CPS - if you set subnet to /8 (i.e. more hosts), when you click save, FortiTester does NOT allow you to go over the maximum of 65,535 (this is the MAX IP per subnet for HTTP CPS).

But for HTTP CC (Concurrent session), a different test altogether, the max limitation of IP is 4,096. See error screenshot below (if your subnet/IP configured goes over the max value).

In the future we hope to document each case clearly for the maximum configured value.

How does FortiTester run offline?

There are a few scenarios to cover:

1. Without FortiManager

  • FortiTester VMs requires Internet for periodic license validation. Once it validates, if VM goes offline, the license will be valid for 3 days before it requires validation again (goes into trial mode if fails).
  • FortiTester appliances will work without internet; however, updates via internet are impacted (users can download updates manually via support website).
  • FortiTester has 'HTTPS proxy feature' to allow FortiTester to reach internet via proxy, as below:

Topology

To configure on FortiTester GUI, go to System > FortiGuard.

2a. With FortiManager (Online)

FortiManager v6.4.6+ and v7.0.1+ supports the following functions:

  • FortiTester license verification
  • FortiTester Update packages (malware / IPS / web protection updates)

Topology

To configure on FortiTester GUI, go to System > FortiGuard, then input FortiManager IP in FortiGuard IP address field.

2b. With FortiManager (offline)

Purpose

  • FMG01 to act as a licensing server (like FDS), enable web service on FortiManager interface
  • FMG02 to get the packages from online FDS, export the packages and import back into FortiManager 01
  • Users import license (from support.fortinet.com) into FMG01 to validate FortiTester

Topology

Tp enable service update, go to ADOM Fabric > System Settings > Network.

You must get entitlement from support.forinet.com if you use FortiManager OFFLINE mode.

Configure ONLINE mode on FMG01 (This FortiManager can reach the internet.)

Go to ADOM Fabric > FortiGuard > Settings.

Configure offline mode on FMG02 (This FortiManager cannot reach the internet.)

Go to ADOM Fabric > FortiGuard > Settings.

Import FortiTester entitlement into FMG02 (FortiManager that has no Internet access).

Export service package from an ONLINE FortiManager (FMG01).

Import the service package in FMG02 (OFFLINE FortiManager).

After it will show the FortiTester service package after import on FortiManager GUI

Configure FortiTester to use FortiManager 02 (offline FortiManager).

What is the difference between Connections per Second and Simulated Users?

The following analogy may be helpful:

Simulated Users - FortiTester will send X number of runners from starting line to finish (to fetch something from the finish line). The runner comes back with the objects, and starts the run again (until test time finishes). The DUT (e.g. FG) might or might not be able to hold up the users (runners).

Connections per Second - FortiTester will send X number of runners per Y seconds (e.g. 100 runners per second). FortiTester does not care whether the users come back or not (the result will be measured at the end). If the DUT allows them to return in time, that DUT can 'sustain' this CPS rate.

Previous
Next