Special notices

This section highlights some of the operational changes that administrators should be aware of for FortiGate-7000 5.4.9 build 8110.

Limitations of installing FortiGate-6000 firmware from the BIOS after a reboot

A common method for resetting the configuration of a FortiGate involves installing firmware by restarting the FortiGate, interrupting the boot process, and using BIOS prompts to download a firmware image from a TFTP server. This process is also considered the best way to reset the configuration of your FortiGate.

Installing or upgrading FortiGate-6000 firmware in this way installs firmware on and resets the configuration of the management board only. The FPCs will continue to operate with their current configuration and firmware build. The FortiGate-6000 system does not synchronize firmware upgrades performed from the BIOS.

To also reset the FPCs, after installing firmware from the BIOS on the management board, install the same firmware image from the GUI or from the CLI using the execute restore image command. This operation synchronizes the same firmware build and reset configuration to the FPCs.

You could also manually install firmware on each individual FPC from the BIOS after a reboot but this manual process will not be more effective than installing the firmware for a second time on the management board to trigger synchronization to the FPCs.

Special configuration required for SSL VPN

Using a FortiGate-6000 as an SSL VPN server requires you to manually add an SSL VPN load balance flow rule that configures the FortiGate-6000 to send all SSL VPN sessions to the primary (master) FPC. To match the SSL VPN server traffic, the rule should include a destination port that matches the listening port of the SSL VPN server. A basic rule to allow SSL VPN traffic could be:

config load-balance flow-rule
    edit 0
        set status enable
        set ether-type ipv4
        set protocol tcp
        set dst-l4port 10443-10443
        set forward-slot master
        set comment "ssl vpn server to primary FPC"
    next
end

This flow rule matches all sessions sent to port 10443 (the default SSL VPN server listening port) and sends these sessions to the primary FPC. This should match all of your SSL VPN traffic if you are using the default SSL VPN server listening port (10443). Note that the rule also matches every other session with 10443 as the destination port, so all of that traffic is sent to the primary FPC as well.

Adding the SSL VPN server IP address

You can add the IP address of the FortiGate-6000 interface that receives SSL VPN traffic to the SSL VPN flow rule to make sure that the flow rule only matches sessions addressed to the SSL VPN server. For example, if the IP address of the interface is 172.25.176.32 and the SSL VPN flow rule ID is 26:

config load-balance flow-rule
    edit 26
        set status enable
        set ether-type ipv4
        set protocol tcp
        set dst-addr-ipv4 172.25.176.32 255.255.255.255
        set dst-l4port 10443-10443
        set forward-slot master
        set comment "ssl vpn server to primary FPC"
    next
end

This flow rule now only matches SSL VPN sessions with 172.25.176.32 as the destination address (the host mask limits it to that one address) and sends all of these sessions to the primary FPC.

If you change the SSL VPN server listening port

If you have changed the SSL VPN server listening port to 20443, you can change the SSL VPN flow rule as follows. This example also sets the source interface to port12, which is the SSL VPN server interface, instead of adding the IP address of port12 to the configuration:

config load-balance flow-rule
    edit 26
        set status enable
        set ether-type ipv4
        set protocol tcp
        set src-interface port12
        set dst-l4port 20443-20443
        set forward-slot master
        set comment "ssl vpn server to primary FPC"
    next
end

IPsec VPN phase 2 selectors

FortiGate-7000 IPsec VPNs require phase 2 selectors. The phase 2 selectors specify the IP addresses and netmasks of the source and destination subnets of the VPN. The phase 2 selectors are mandatory on the FortiGate-7000 and are used to make sure that all IPsec VPN traffic is sent to the primary (master) FPM.

Use the following command to add phase 2 selectors.

config vpn ipsec phase2-interface
    edit "to_fgt2"
        set phase1name <name>
        set src-subnet <IP> <netmask>
        set dst-subnet <IP> <netmask>
end

Where:

src-subnet is the subnet protected by the FortiGate that you are configuring and from which users connect to the destination subnet.

dst-subnet is the destination subnet behind the remote IPsec VPN endpoint.

Example basic IPsec VPN phase 2 configuration

In a simple configuration such as the one below, with an IPsec VPN between two remote subnets, you can add the phase 2 selectors by adding the two subnets to the phase 2 configuration as shown.

Enter the following command to add the source and destination subnet phase 2 selectors to the FortiGate-7000 IPsec VPN phase 2 configuration.

config vpn ipsec phase2-interface
    edit "to_fgt2"
        set phase1name "to_fgt2"
        set src-subnet 172.16.1.0 255.255.255.0
        set dst-subnet 172.16.2.0 255.255.255.0
end

Example multiple subnet IPsec VPN phase 2 configuration

In a more complex configuration, such as the one below with a total of 5 subnets, you still need to use the phase 2 selectors to add all of the subnets to the phase 2 configuration. In this case you can create a firewall address for each subnet, add the addresses to address groups, and add the address groups to the phase 2 selectors.

Enter the following commands to create firewall addresses for each subnet.

config firewall address
    edit "local_subnet_1"
        set subnet 4.2.1.0 255.255.255.0
    next
    edit "local_subnet_2"
        set subnet 4.2.2.0 255.255.255.0
    next
    edit "remote_subnet_3"
        set subnet 4.2.3.0 255.255.255.0
    next
    edit "remote_subnet_4"
        set subnet 4.2.4.0 255.255.255.0
    next
    edit "remote_subnet_5"
        set subnet 4.2.5.0 255.255.255.0
end

Then put the five firewall addresses into two firewall address groups.

config firewall addrgrp
    edit "local_group"
        set member "local_subnet_1" "local_subnet_2"
    next
    edit "remote_group"
        set member "remote_subnet_3" "remote_subnet_4" "remote_subnet_5"
end

Now use the firewall address groups in the phase 2 configuration:

config vpn ipsec phase2-interface
    edit "to-fgt2"
        set phase1name "to-fgt2"
        set src-addr-type name
        set dst-addr-type name
        set src-name "local_group"
        set dst-name "remote_group"
end

Recommended configuration for traffic that cannot be load balanced

The following flow rules are recommended to handle common forms of traffic that cannot be load balanced. These flow rules send GPRS (port 2123), SSL VPN, IPv4 and IPv6 IPsec VPN, ICMP and ICMPv6 traffic to the primary (or master) FPM.

The CLI syntax below shows only the configuration changes. All other options are set to their defaults. For example, the flow rule option that controls the FPM slot that sessions are sent to is forward-slot, and in all cases below forward-slot is left at its default setting of master. This setting sends matching sessions to the primary (or master) FPM.

config load-balance flow-rule
    edit 20
        set status enable
        set ether-type ipv4
        set protocol udp
        set dst-l4port 2123-2123
    next
    edit 21
        set status enable
        set ether-type ip
        set protocol tcp
        set dst-l4port 10443-10443
        set comment "ssl vpn to the primary FPM"
    next
    edit 22
        set status enable
        set ether-type ipv4
        set protocol udp
        set src-l4port 500-500
        set dst-l4port 500-500
        set comment "ipv4 ike"
    next
    edit 23
        set status enable
        set ether-type ipv4
        set protocol udp
        set src-l4port 4500-4500
        set comment "ipv4 ike-natt src"
    next
    edit 24
        set status enable
        set ether-type ipv4
        set protocol udp
        set dst-l4port 4500-4500
        set comment "ipv4 ike-natt dst"
    next
    edit 25
        set status enable
        set ether-type ipv4
        set protocol esp
        set comment "ipv4 esp"
    next
    edit 26
        set status enable
        set ether-type ipv6
        set protocol udp
        set src-l4port 500-500
        set dst-l4port 500-500
        set comment "ipv6 ike"
    next
    edit 27
        set status enable
        set ether-type ipv6
        set protocol udp
        set src-l4port 4500-4500
        set comment "ipv6 ike-natt src"
    next
    edit 28
        set status enable
        set ether-type ipv6
        set protocol udp
        set dst-l4port 4500-4500
        set comment "ipv6 ike-natt dst"
    next
    edit 29
        set status enable
        set ether-type ipv6
        set protocol esp
        set comment "ipv6 esp"
    next
    edit 30
        set ether-type ipv4
        set protocol icmp
        set comment "icmp"
    next
    edit 31
        set status enable
        set ether-type ipv6
        set protocol icmpv6
        set comment "icmpv6"
    next
    edit 32
        set ether-type ipv6
        set protocol 41
end
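As an added example (not from the Fortinet documentation or FortiOS itself), the following Python script parses a small flow-rule block written in the CLI syntax used on this page and reports which rule, if any, pins a session to the primary FPC/FPM. It is a model of the matching behaviour the SSL VPN and IPsec sections describe, useful for checking that a rule set catches the intended traffic and nothing else; it assumes rules are evaluated in config order, that ether-type ip covers both IPv4 and IPv6, and that status and forward-slot default to enable and master.

```python
import ipaddress
# Constructed config in the page's CLI syntax: rule 25 (IPv4 ESP) and rule 26 (SSL VPN,
# pinned to one server by a /32 mask); status/forward-slot assumed to default to enable/master.
SAMPLE_CONFIG = """config load-balance flow-rule
    edit 25
        set ether-type ipv4
        set protocol esp
    next
    edit 26
        set ether-type ipv4
        set protocol tcp
        set dst-addr-ipv4 172.25.176.32 255.255.255.255
        set dst-l4port 10443-10443
    next
end"""

def parse_flow_rules(text):
    rules = []  # one {option: [values]} dict per "edit", in config order
    for parts in (ln.split() for ln in text.splitlines()):
        if parts and parts[0] == "edit":
            rules.append({"id": int(parts[1])})
        elif parts and parts[0] == "set":
            rules[-1][parts[1]] = parts[2:]
    return rules

def rule_matches(rule, s):
    """s: session with keys ether, proto, dst_ip, src_port, dst_port, src_if."""
    et = rule.get("ether-type", ["ip"])[0]          # "ip" assumed to match v4 and v6
    if rule.get("status", ["enable"])[0] != "enable" or et not in ("ip", s["ether"]):
        return False
    if rule.get("protocol", [s["proto"]])[0] != s["proto"]:
        return False
    if rule.get("src-interface", [s["src_if"]])[0] != s["src_if"]:
        return False
    if "dst-addr-ipv4" in rule:                     # "<addr> <mask>" -> network
        net = ipaddress.ip_network("/".join(rule["dst-addr-ipv4"]), strict=False)
        if ipaddress.ip_address(s["dst_ip"]) not in net:
            return False
    for opt, fld in (("src-l4port", "src_port"), ("dst-l4port", "dst_port")):
        lo, hi = map(int, rule.get(opt, ["0-65535"])[0].split("-"))
        if not lo <= s[fld] <= hi:
            return False
    return True

def forward_slot(rules, s):
    """First match in config order (assumed) -> (id, slot); None = load balanced."""
    for r in rules:
        if rule_matches(r, s):
            return r["id"], r.get("forward-slot", ["master"])[0]
    return None
```

A session to 10443 on a different address in the same /24 returns None, which is the difference a host mask makes compared with a /24 mask on the dst-addr-ipv4 option.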
