Fortinet FortiWAN Administration Manual
FortiWANHandbook
VERSION 4.0.2
FORTINET DOCUMENTLIBRARY
http://docs.fortinet.com
FORTINETVIDEOGUIDE
http://video.fortinet.com
FORTINETBLOG
https://blog.fortinet.com
CUSTOMERSERVICE&SUPPORT
https://support.fortinet.com
FORTIGATECOOKBOOK
http://cookbook.fortinet.com
FORTINETTRAININGSERVICES
http://www.fortinet.com/training
FORTIGUARDCENTER
http://www.fortiguard.com
ENDUSER LICENSE AGREEMENT
http://www.fortinet.com/doc/legal/EULA.pdf
FEEDBACK
Email: techdocs@fortinet.com
April 29, 2015
FortiWAN 4.0.2 HandbookRevision 1
TABLEOFCONTENTS
Introduction 7
Product Benefits 7
Key Concepts and Product Features 9
Scope 10
What's new 12
Document enhancements 14
How to set up your FortiWAN 15
Registering your FortiWAN 15
Planning the network topology 15
WAN, LAN and DMZ 15
WAN link and WAN port 16
WAN types: Routing mode and Bridge mode 16
Near WAN 18
Public IP pass through (DMZ Transparent Mode) 19
Scenarios to deploy subnets 20
VLAN and port mapping 20
IPv6/IPv4 Dual Stack 21
FortiWAN in HA (High Availability) Mode 21
Web UI Overview 24
Using the web UI and the CLI 25
Using the web UI 26
Console Mode Commands 28
Configuring Network Interface (Network Setting) 32
Set DNS server for FortiWAN 32
Configurations for VLAN and Port Mapping 33
Configuring your WAN 35
Configurations for a WAN link in Routing Mode 36
Configurations for a WAN link in Bridge Mode: Multiple Static IP 43
Configurations for a WAN link in Bridge Mode: One Static IP 45
Configurations for a WAN link in Brideg Mode: PPPoE 47
Configurations for a WAN link in Bridge Mode: DHCP 48
LAN Private Subnet 49
WAN/DMZ Private Subnet 53
Deployment Scenarios for Various WAN Types 57
System Configurations 64
Summary 64
Optimum Route Detection 65
Port Speed/Duplex Settings 67
Backup Line Settings 67
IP Grouping 68
Service Grouping 69
Busyhour Settings 70
Diagnostic Tools 70
Setting the system time & date 73
Remote Assistance 73
Administration 74
Administrator and Monitor Password 74
RADIUS Authentication 74
Firmware Update 75
Configuration File 75
Maintenance 77
Web UI Port 77
License Control 79
Load Balancing & Fault Tolerance 80
WAN Link Fault Tolerance 80
Load Balancing Algorithms 80
Outbound Load Balancing and Failover (Auto Routing) 81
Inbound Load Balancing and Failover (Multihoming) 88
Tunnel Routing 102
Virtual Server & Server Load Balancing 111
WAN Link Health Detection 117
Optional Services 119
Firewall 119
NAT 122
Persistent Routing 125
Bandwidth Management 128
Connection Limit 135
Cache Redirect 136
Internal DNS 138
DNS Proxy 140
SNMP 141
IP MAC Mapping 142
Statistics 143
Traffic 143
Bandwidth 143
Persistent Routing 144
WAN Link Health Detection 145
Dynamic IP WAN Link 145
DHCP Lease Information 146
RIP & OSPF Status 146
Connection Limit 147
Virtual Server Status 147
FQDN 147
Tunnel Status 148
Tunnel Traffic 149
Log 150
View 150
Log Control 151
Log Notification 152
Enable Reports 153
Reports 155
Create a Report 156
Export and Email 157
Device Status 157
Bandwidth 157
CPU 158
Session 159
WAN Traffic 159
WAN Reliability 160
WAN Status 160
TR Reliability 160
TR Status 161
Bandwidth Usage 161
Inclass 162
Outclass 163
WAN 164
Services 165
Internal IP 166
Traffic Rate 167
Function Status 168
Connection Limit 168
Firewall 168
Virtual Server 169
Multihoming 169
Advanced Functions of Reports 170
Drill In 170
Custom Filter 174
Export 177
Report Email 178
Appendix A: Default Values 180
Introduction
Enterprises are increasingly relying on the internet for delivery of critical components for everyday business operations.
Any delays or interruptions in connectivity can easily result in reduced productivity, lost business opportunities and a
damaged reputation. Maintaining a reliable and efficient internet connection to ensure the operation of critical
applications is therefore key to the success of the enterprise.
FortiWAN intelligently balances internet and intranet traffic across multiple WAN connections, providing additional
low-cost incoming and outgoing bandwidth for the enterprise and substantially increased connection reliability.
FortiWAN is supported by a user-friendly UI and a flexible policy-based performance management system.
FortiWAN provides a unique solution that offers comprehensive multi-WAN management that keeps costs down as
well as keeping customers and users connected.
Product Benefits
FortiWAN is the most robust, cost-effective way to:
l Increase the performance of your:
l Internet access
l Public-to-Enterprise access
l Site-to-site private intranet
l Lower Operating Costs
l Increase your network reliability
l Enable Cloud / Web 2.0 Applications
l Monitor Network Performance
Increase Network Performance
FortiWAN increases network performance in three key areas:
l Access to Internet resources from the Enterprise
l Access to Enterprise resources from the Internet
l Creation of Enterprise Intranet connections between sites
FortiWAN intelligently aggregates multiple broadband and/or leased access lines to significantly increase Internet
access performance. FortiWAN makes reacting to network demands fast, flexible and inexpensive. FortiWAN
transforms underperforming networks into responsive, cost-effective and easy-to-manage business assets.
FortiWAN load balances Internet service requests from Enterprise users, optimally distributing traffic across all
available access links. FortiWAN’s 7 different Load Balancing algorithms provide the flexibility to maximize productivity
from any network scenario.
FortiWAN gives you high-performance inter-site connectivity without the need to lease expensive links such as T1 and
T3. FortiWAN aggregates multiple low-cost Internet access links to create site-to-site Virtual Private Line (VPL)
Tunnels for LAN-like performance between company locations. By using multiple carriers and media, reliability of
these VPL Tunnels can exceed that of traditional engineered carrier links.
7 FortiWAN Handbook
Fortinet Technologies Inc.
Product Benefits Introduction
Substantially Lower Operating Costs
Once bandwidth requirements exceed traditional asymmetrical Internet access services (like ADSL) there is a very high
jump in bandwidth cost to engineered, dedicated access facilities like DS-1/DS-3. Even Metro Ethernet is a large cost
increment where it is available. Adding shared Internet access links is substantially less expensive and delivery is
substantially faster.
Traditional point-to-point private lines for company intranets are still priced by distance and capacity. Replacing or
augmenting dedicated point-to-point services with Virtual Private Line Tunnels reduces costs substantially while
increasing available bandwidth and reliability.
FortiWAN makes low-cost network access links behave and perform like specially-engineered carrier services at a
fraction of the cost.
l Deploy DSL services and get DS-3/STM-1-like speed and reliability while waiting for the carrier to pull fiber.
l Add and remove bandwidth for seasonal requirements quickly and easily.
l Increase bandwidth to web servers and use multiple ISPs without BGP4 management issues.
Increase Network Reliability
Businesses can no longer afford Internet downtime. FortiWAN provides fault tolerance for both inbound and outbound
IP traffic to ensure a stable and dependable network. Even multiple link failures, while reducing available bandwidth,
will not stop traffic. By using diverse media (fiber, copper, wireless) and multiple ISPs (Telco, Cableco, 4G), FortiWAN
can deliver better than carrier-class “5-9’s” reliability.
FortiWAN can be deployed in High Availability mode with fully redundant hardware for increased reliability. Larger
FortiWAN models also feature redundant power supplies for further protection from hardware failures.
Enable Cloud / Web 2.0 Applications
Traditional WAN Optimization products expect that all users connect only to Headquarters servers and Internet
gateways over dedicated, symmetric leased lines, but that is already “yesterday’s” architecture. Today users want to
mix HQ connectivity with direct Cloud access to Web 2.0 applications like email, collaborative documentation, ERP,
CRM and online backup.
FortiWAN gives you the flexibility to customize your network, giving you complete control. Direct cloud-based
applications to links optimized for them and reduce the bandwidth demand on expensive dedicated circuits. Combine
access links and/or dedicated circuits into Virtual Private Line Tunnels that will support the fastest video streaming or
video conferencing servers that Headquarters can offer.
FortiWAN is designed for easy deployment and rapid integration into any existing network topology.
Monitor Network Performance
FortiWAN provides comprehensive monitoring and reporting tools to ensure your network is running at peak efficiency.
With the built-in storage and database, FortiWAN's Reports function provides historical detail and reporting over longer
periods of time, so that it not only allows management to react to network problems, but to plan network capacity,
avoiding unnecessary expense while improving network performance.
FortiWAN is managed via a powerful Web User Interface. Configuration changes are instantly stored without the need
to re-start the system. Configuration files can be backed-up and restored remotely. Traffic measurements, alarms,
logs and other management data are stored for trend analysis and management overview.
FortiWAN Handbook
Fortinet Technologies Inc.
8
Introduction Key Concepts and Product Features
Key Concepts and Product Features
WAN load balancing (WLB)
General speaking, load balancing are mechanisms (methods) for managing (distributing) workload across available
resources, such as servers, computers, network links, CPU or disk storage. The FortiWAN’s WAN load balancing aims
to distribute (route) WAN traffic across multiple network links. The major purposes are optimizing bandwidth usage,
maximizing transmission throughput and avoiding overload of any single network link. When we talk about WAN load
balancing, it always implies automatic traffic distribution across multiple network links. Different from general routing,
WAN load balancing involves algorithms, calculations and monitoring to dynamically determine the availability of
network links for network traffic distribution.
Installation
FortiWAN is an edge device that typically connects an internal local area network (LAN) with an external wide area
network (WAN) or the Internet. The physical network ports on FortiWAN are divided into WAN ports, LAN ports and
DMZ (Demilitarized Zone) ports, which are used to connect to the WAN or the Internet, subnets in LAN, and subnets in
DMZ respectively. Please refer to FortiWAN QuickStart Guides for the ports mapping for various models.
Bidirectional load balancing
Network date transmission passing through FortiWAN is bidirectional that are inbound and outbound. Network data
transmission contains session establish and packet transmission. An inbound session refers to the session which is
established from elsewhere (external) to the FortiWAN (internal), while an outbound session refers to the session
which is established from the FortiWAN (internal) to elsewhere (external). For example, a request from the internal
network to a HTTP server on the Internet means the first asking packet is outgoing to the external server, which is an
outbound session established. Inversely, a request from the external area to a HTTP server behind FortiWAN means
the first asking packet is incoming to the internal server, which is an inbound session established. No matter which
direction a session is established in, packets transmission might be bidirectional (depends on the transmission
protocol employed). FortiWAN is capable of balancing not only outbound but also inbound sessions and packets
across multiple network links.
Auto Routing (Outbound Load Balancing)
FortiWAN distributes traffic across as many as 50 WAN links, under control of load balancing algorithms. FortiWAN’s 7
advanced load balancing algorithms let you easily fine-tune how traffic is distributed across the available links. Each
deployment can be fully customized with the most flexible assignment of application traffic in the industry.
Multihoming (Inbound Load Balancing)
Many enterprises host servers for email, and other public access services. FortiWAN load balances incoming requests
and responses across multiple WAN Links to improve user response and network reliability. Load balancing algorithms
assure the enterprise that priority services are maintained and given appropriate upstream bandwidth.
Fall-back or Fail-over
FortiWAN detects local access link failures and end-to-end failures in the network and can either fall-back to remaining
WAN links or fail-over to redundant WAN links, if needed. Fall-back and Fail-over behavior is under complete control of
the administrator, with flexible rule definitions to meet any situation likely to occur. Links and routes are automatically
9 FortiWAN Handbook
Fortinet Technologies Inc.
Scope Introduction
recovered when performance returns to acceptable levels. Notifications will be sent automatically to administrators
when link or route problems occur.
Virtual Private Line Services (Tunnel Routing)
FortiWAN offers the most powerful and flexible multi-link VPN functionality in the industry. Inter-site Tunnels can be
created from fractional, full, multiple and fractions of multiple WAN links. Applications requiring large single-session
bandwidth such as VPN load balancing, video conferencing or WAN Optimization can use multiple links to build the
bandwidth needed. Multi-session traffic can share an appropriately-sized Tunnel. Tunnels have the same functionality
as single links, supporting Load Balancing, Fall-back, Failover and Health Detection within and between Tunnels.
Dynamic IP addresses and NAT pass through are supported for the VPL services deployments.
Virtual Servers (Server Load Balancing and High Availability)
FortiWAN supports simple server load balancing and server health detection for multiple servers offering the same
application. When service requests are distributed between servers, the servers that are slow or have failed are
avoided and/or recovered automatically. Performance parameters are controlled by the administrator.
Optimum Routing
FortiWAN continuously monitors the public Internet to select the shortest and fastest route for mission-critical
applications. Non-critical traffic can be routed away from the best links when prioritized traffic is present on the links or
traffic can be assigned permanently to different groups of WAN links.
Traffic Shaping (Bandwidth Management)
FortiWAN optimizes, guarantees performance or increase usable bandwidth for specified traffic by traffic classification
and rate limiting.
Firewall and Security
FortiWAN provides the stateful firewall, access control list and connection limit to protect FortiWAN unit, internal
network and services from malicious attacks.
Scope
This document describes how to set up your FortiWAN appliance. For first-time system deployment, the suggested
processes are:
Installation
l
Register your FortiWAN appliance before you start the installation. Please refer to the topic: [Register your
FortiWAM] for further information.
l Planning the network topology to introduce FortiWAN to current network. It requires a clear picture of your WAN link
types the ISP provides and how to use the available public IP addresses of a WAN link. The topic [Planning the
Network Topology] provides the sub-topics that are necessary concepts for planning your network topology.
l
Topic [Web UI Overview] and its sub-topics provide the instructions to connect and log into the Web management
interface. System time and account/password resetting might be performed for FortiWAN while the first-time login,
please refer to topics [Setting the System Time & Date] and [Administrator] for further information.
FortiWAN Handbook
Fortinet Technologies Inc.
10
Introduction Scope
l
For implementation of the network topology you planned, topic [Configuring Network Interface (Network Setting)]
and its sub-topics give the necessary information about the configurations of network deployments on Web UI.
FortiWAN's diagnostic tools is helpful for trouble shooting when configuring network, please refer to topic
[Diagnostic Tools] .
Functions
l After installing FortiWAN into your network, the next step is to configure the major features, load balancing and fail-
over, on FortiWAN. Topic [Load Balancing & Fault Tolerance] and its sub-topics contain the information about
performing FortiWAN's load balancing and failover mechanisms for incoming and outgoing traffic, virtual servers
and single-session services.
l
Topic [Optional Services] gives the information about configurations of FortiWAN's optional services, such as
Bandwidth Management, Firewall, Connection Limit, NAT, SNMP, Cache Redirect, and etc.
Monitoring
l After FortiWAN works a while, related traffic logs, statistics and report analysis might be required for monitor or
trouble shooting purposes. Topics [Logs], [Statistics] and [Reports] provide the information how to use those logs,
statistics and reports to improve management policies on FortiWAN.
11 FortiWAN Handbook
Fortinet Technologies Inc.
Scope What's new
What's new
The following features are new or changed since FortiWAN 4.0.0:
FortiWAN 4.0.2
Bug fixes only. Please refer to FortiWAN 4.0.2 Release Notes.
FortiWAN 4.0.1
FortiWAN introduces new hardware platforms FortiWAN 1000B and FortiWAN 3000B, and new FortiWAN 4.0.1
firmware based on the AscenLink series of Link Load Balancing appliances already in the market. FortiWAN 4.0.1 is
substantially similar to AscenLink V7.2.3 with the additions noted below.
To assess the impact of deploying FortiWAN 4.0.1 on your network and processes, review the following new and
enhanced features.
l
Data Port Changes -
l FortiWAN 1000B supports 3 GE RJ45 ports and 4 GE SFP ports. Each port can be programmed
as WAN, LAN or DMZ. Redundant LAN and DMZ ports can be configured. 2-link LACP/LAG
LAN or DMZ ports can be configured. Default LAN port is Port 6 and default DMZ port is Port 7.
l FortiWAN 3000B supports 8 GE RJ45 ports, 8 GE SFP ports and 8 10GE SFP+ ports. Each port
can be programmed as WAN, LAN or DMZ. Redundant LAN and DMZ ports can be configured.
2-link LACP/LAG LAN or DMZ ports can be configured. Default LAN port is Port 11 and default
DMZ port is Port 12.
l
HA Configuration Synchronization - Two FortiWAN appliances can be connected in active-passive
High Availability mode via an Ethernet cable between the systems' HA RJ-45 ports. HA will not
interoperate between AscenLink and FortiWAN and will not interoperate between different FortiWAN
models or the same model with different Throughput licenses. Model and Throughput must match.
l
HDD - FWN 1000B and FWN 3000B add internal 1TB HDDs for Reports data storage.
l
Hardware Support - FortiWAN 4.0.1 for FortiWAN supports FortiWAN 200B and FortiWAN 1000B.
AscenLink series models are not supported. Note that FortiWAN 4.0.1 does not support FortiWAN
3000B, please look forward to the sequential releases.
FortiWAN 4.0.0
FortiWAN introduces new hardware platform FortiWAN 200B and new FortiWAN 4.0.0 firmware based on the
AscenLink series of Link Load Balancing appliances already in the market. FortiWAN 4.0.0 is substantially similar to
AscenLink V7.2.2 with the additions noted below.
To assess the impact of deploying FortiWAN 4.0.0 on your network and processes, review the following new and
enhanced features.
l
Data Port Changes - FortiWAN 200B supports 5 GE RJ45 ports. Each port can be programmed as
WAN, LAN or DMZ. Redundant LAN and DMZ ports can be configured. 2-link LACP/LAG LAN or DMZ
ports can be configured. Default LAN port is Port4 and default DMZ port is Port 5.
FortiWAN Handbook
Fortinet Technologies Inc.
12
What's new Scope
l
HA Port Change - FortiWAN supports one GE RJ45 HA Port. This port must be direct-cabled via
Ethernet cable, to a second FWN unit HA port for HA operation. HA will not interoperate between
AscenLink and FortiWAN and will not interoperate between different FortiWAN models.
l
HDD - FWN 200B adds an internal 500BG HDD for Reports data storage. See below for more
information on Reports.
l
HA Configuration Synchronization - Two FWN 200B appliances can be connected in active-passive
High Availability mode via an Ethernet cable between the systems' HA RJ-45 ports.
l
New Functionality - FortiWAN 4.0.0 has the same functionality as AscenLink V7.2.2 PLUS the
addition of built-in Reports which is the equivalent functionality to the external LinkReport for AscenLink.
l
Reports - Reports captures and stores data on traffic and applications across all WAN links in the
system. Reports include connections, link and aggregate bandwidth, link and VPN reliability, and data
on Multi-Homing requests, Virtual Server (SLB) requests, and more. Reports can be viewed on-screen,
exported to PDF or CSV files or emailed immediately in PDF or CSV format.
l
GUI - FWN 4.0.0 adopts the Fortinet "look and feel".
l
Hardware Support - FortiWAN 4.0.0 for FortiWAN supports FortiWAN 200B. AscenLink series models
are not supported.
13 FortiWAN Handbook
Fortinet Technologies Inc.
Scope Document enhancements
Document enhancements
The following document content is enhanced or changed since FortiWAN 4.0.1:
FortiWAN 4.0.2
l
A note about the restrictions on duplicate configurations of group tunnel was added in Tunnel Routing.
l
Content was enhanced for Multihoming in sections "Prerequisites for Multihoming", "DNSSEC Support", "Enable
Backup", "Configurations", "Relay Mode"and "External Subdomain Record".
l
Content was changed and enhanced for WAN Link Health Detection and FortiWAN in HA (High Availability)
Mode.
FortiWAN 4.0.1
l The default username to login to Command Line Interface (Console Mode) was fixed from "administrator" to
"Administrator" in Using the web UI and the CLI and Appendix A: Default Values.
l
The reference for information on console command in Administration > Maintenance was fixed from "Appendix A:
Default Values" to "Console Mode Commands".
FortiWAN Handbook
Fortinet Technologies Inc.
14
How to set up your FortiWAN
These topics describe the tasks you perform to initially introduce a FortiWAN appliance to your network. These topics
contain the necessary information and instructions to plan network topology, using Web UI and Configure network
interfaces on FortiWAN. These topics introduce some key concepts for deploying FortiWAN, but you are assumed to
have and be familiar with the fundamental concepts related networking knowledge.
Registering your FortiWAN
Before you begin, take a moment to register your Fortinet product at the Fortinet Technical Support web site:
https://support.fortinet.com
Many Fortinet customer services such as firmware updates, technical support, and FortiGuard services
require product registration.
For more information, see the Fortinet Knowledge Base article Registration Frequently Asked Questions.
Planning the network topology
FortiWAN is the appliance designed to perform load balancing and fault tolerance between different networks. The
network environment that a FortiWAN is introducing into might be various, especially with multiple WAN links and
various WAN type. A plan of network topology before adding FortiWAN recklessly into current network would be
suggested to avoid damages.
WAN, LAN and DMZ
Wide Area Network
WAN (Wide Area Network) is the network that geographically covers a large area which consists of
telecommunications networks. It can be simply considered the Internet as well. An internal user can communicate with
the Internet via a telecommunications (called Internet Service Provider as well) network connected to FortiWAN’s WAN
ports. The transmission lines can be classified as xDSL, leased line (T1, E1 and etc.), ISDN, frame relay, cable
modem, FTTB, FTTH and etc.
Local Area Network
LAN (Local Area Network) is the computer networks within a small geographical area without leased
telecommunication lines involved. In this document, a LAN is considered as a private LAN which is a closed network to
WAN. FortiWAN plays the role routing communications between LAN and WAN.
Demilitarized Zone
DMZ (Demilitarized Zone) is a local subnetwork that is separated from LAN for security issues. A DMZ is used to locate
external-facing server farm which is accessible from an untrusted network (usually the Internet), but inaccessible to
15 FortiWAN Handbook
Fortinet Technologies Inc.
Planning the network topology How to set up your FortiWAN
LAN. FortiWAN provides physical ports for the DMZ purpose.
WAN link and WAN port
A WAN link is a link connect to the ISP for accessing the Internet from your internal network. A WAN link is configured
with informations provided by your ISP such as IP addresses, default gateway, network mask or username/password
(depend on the WAN link type you apply to the ISP). A WAN port on FortiWAN is a physical network interface. With the
deployment of VLAN on a WAN port (See "Configurations for VLAN and Port Mapping"), multiple WAN links can be
connected to one WAN port. The WAN Link field lists the WAN links by numbers, such as WAN link 1, WAN link 2,
WAN link 3 and so on. Select a WAN link from the list and start the configuration then.
See also
Configurations for VLAN and Port Mapping
WAN types: Routing mode and Bridge mode
It requires FortiWAN’s WAN ports connecting to ISP’s networks to access the Internet. According to the various
networks the ISP provides you, FortiWAN supports five types of networks to connect to the WAN ports.
l
Routing Mode (See "Configurations for a WAN link in Routing Mode")
l
Bridge Mode: One Static IP (See "Configurations for a WAN link in Bridge Mode: One Static IP")
l
Bridge Mode: Multiple Static IP (See "Configurations for a WAN link in Bridge Mode: Multiple Static IP")
l
Bridge Mode: PPPoE (See "Configurations for a WAN link in Brideg Mode: PPPoE")
l
Bridge Mode: DHCP Client (See "Configurations for a WAN link in Bridge Mode: DHCP")
To select appropriate WAN Type on FortiWAN, please identify the type of IP addresses that ISP provided you for
accessing Internet and recognize the way to deploy FortiWAN in current network infrastructure. Here are
considerations going to concern.
An ISP provides either static or dynamic IP addresses for accessing Internet according your application. PPPoE or
DHCP is the most common way for ISP to assign a dynamic IP address to clients. For the two applications, please
simply configure your WAN link on FortiWAN as Bridge Mode: PPPoE or Bridge Mode: DHCP Client.
As for static IP addresses, ISP provides for clients in different ways. Generally, you obtain static IP addresses from ISP
in three types:
An available subnet
For example, ISP provides an ADSL link with a subnet 203.69.118.8/29 contains five host addresses, one gateway
address, one broadcast address and one for subnet ID. The result of subnet mask calculation shows there are eight IP
addresses in the subnet in total, which matches the IP addresses you obtained. In this case, the gateway is located at
your ATU-R which routes packets to ISP’s network. In the other words, the ATU-R connects a subnet with FortiWAN
and another subnet with ISP’s central office terminal in routing mode. You are suggested to configure the WAN link as
Routing Mode on FortiWAN for this application.
FortiWAN Handbook
Fortinet Technologies Inc.
16
How to set up your FortiWAN Planning the network topology
A range of static IP addresses in a shared subnet
For example, ISP provides an ADSL link with an IP range 61.88.100.1 ~3 that netmask is 255.255.255.0 and default
gateway is 61.88.100.254. The result of subnet mask calculation shows there are 256 IP addresses in the subnet in
total, but only 3 IP addresses you are allocated. In this case, the default gateway is located in ISP’s network and your
ATU-R only transfers packets to the gateway. In the other words, you are allocated in the same subnet with the ISP’s
central office, and the ATU-R takes the action to connect the two network segments in the subnet. You are suggested
configure the WAN link as Bridge Mode: Multiple Static IP or Bridge Mode: One Static IP on FortiWAN for this
application.
17 FortiWAN Handbook
Fortinet Technologies Inc.
Planning the network topology How to set up your FortiWAN
See also
l
Configurations for a WAN link in Routing Mode
l
Configurations for a WAN link in Bridge Mode: One Static IP
l
Configurations for a WAN link in Bridge Mode: Multiple Static IP
l
Configurations for a WAN link in Brideg Mode: PPPoE
l
Configurations for a WAN link in Bridge Mode: DHCP
Near WAN
FortiWAN defines an area in WAN as near WAN, which traffic transferred in/from/to the area would not be counted to
the WAN links. That means traffic coming from or going to near WAN through a WAN port would not be controlled by
FortiWAN.
FortiWAN defines a near WAN for a WAN link in different ways between routing mode and bridge mode.
l In routing mode, the default gateway of a subnet deployed in WAN or in WAN and DMZ is near to FortiWAN.
Therefore, the area between the default gateway and FortiWAN is called near WAN. In the other words, FortiWAN
treats directly the subnet deployed on the WAN port as near WAN. The near WAN contains the default gateway.
l In bridge mode, the default gateway is located at ISP’s COT and the IP addresses allocated on FortiWAN are just a
small part of a subnet shared with others. Therefore, only the IP addresses deployed in WAN are treated as near
WAN (not include the remote gateway).
FortiWAN Handbook
Fortinet Technologies Inc.
18
How to set up your FortiWAN Planning the network topology
This is the reason FortiWAN separates WAN link configuration into different type: routing mode and bridge mode (See
"WAN types: Routing mode and Bridge mode"). If you configure a bridge-mode WAN link that ISP provides on
FortiWAN as Routing Mode and the bridge-mode WAN link might belong to a shared class C subnet, FortiWAN treats
the whole class C network as near WAN, traffic goes to or comes from the class C network would be ignored for
FortiWAN’s balancing, management and statistics functions. That would be a big mistake.
See also
WAN types: Routing mode and Bridge mode
Public IP pass through (DMZ Transparent Mode)
Public IP Pass through makes the physical Ethernet segments connected to WAN port and DMZ port become one
logical segment, which is implemented by Proxy ARP (for IPv4) and ND Proxy (for IPv6). Therefore, one IP subnetwork
can be deployed over the two segments and accessibility between WAN and DMZ is the action taken without NAT or
routing. Note public IP pass through is available when a WAN link is configured as Routing mode with the deployment
of subnet in WAN and DMZ, or Bridge mode: multiple static IP with IP addresses being deployed in WAN and DMZ.
For the WAN link that ISP provides multiple static IP addresses (no matter routing mode or bridge mode), it’s very
convenient to deploy some public IP addresses in DMZ for external-facing services.
In the topology below, the PC in DMZ has been assigned with a public IP 211.21.38.43, in the same IP range with
port1. Public IP Pass-through actually indicates port4 has been transparently connected to port1 (shown in dotted line).
Thus, the PC in DMZ takes port1's gateway as its own gateway.
Public IP Pass-through minimizes the adaptation to current network structure and requires no changes on the
configuration for servers while a FortiWAN is deployed into.
19 FortiWAN Handbook
Fortinet Technologies Inc.
Planning the network topology How to set up your FortiWAN
See also
l
WAN types: Routing mode and Bridge mode
l
Scenarios to deploy subnets
l
Configuring your WAN
Scenarios to deploy subnets
No matter an available subnet (routing mode) or an IP range of a shared subnet you obtain from ISP, you will need
making a plan how to deploy the multiple IP addresses.
To deploy the available subnet that ISP provides (routing mode) on FortiWAN, there are four different scenarios (be
called subnet types as well) for your options:
Subnet in WAN : Deploy the subnet in WAN.
Subnet in DMZ : Deploy the subnet in DMZ.
Subnet in WAN and DMZ : Deploy the subnet in both WAN and DMZ. FortiWAN’s Public IP Pass-
through function makes the two Ethernet segments in WAN and in DMZ one
IP subnetwork (See "Public IP Pass-through").
Subnet on Localhost : Deploy the whole subnet on localhost.
For cases of obtaining an IP range (bridge mode), the IP addresses could be allocated to:
IP(s) on Localhost : Allocate the IP addresses on localhost.
IP(s) in WAN : Allocate the IP addresses in WAN.
IP(s) in DMZ : Allocate the IP addresses in DMZ.
Static Routing Subnet
If there are subnets, which are called static routing subnets, connected to a basic subnet, it’s necessary to configure
the static routing for external accessing to the static routing subnets.
See also
l
WAN types: Routing mode and Bridge mode
l
Public IP Pass-through
l
Configuring your WAN
l
LAN Private Subnet
VLAN and port mapping
Customers can assign every physical port (except the HA port) to be a WAN port, LAN port or a DMZ port on demand,
which is called Port Mapping as well. The WAN ports, LAN ports and DMZ ports are actually physical ports on
FortiWAN Handbook
Fortinet Technologies Inc.
20
How to set up your FortiWAN Planning the network topology
FortiWAN, they are just not at the fixed positions. The port mapping will be reflected in related configurations.
FortiWAN supports IEEE 802.1Q (also known as VLAN Tagging), but it does not support Cisco’s ISL. Every physical
port (except the HA port) can be divided into several VLAN with a VLAN switch, and those virtual ports can be mapped
to WAN port, LAN port or DMZ port as well.
See also
Configurations for VLAN and Port Mapping
IPv6/IPv4 Dual Stack
FortiWAN supports deployment of IPv6/IPv4 Dual Stack in [Routing Mode], [Bridge Mode: One Static IP], [Bridge
Mode: Multiple Static IP] and [Bridge Mode: PPPoE]. For configuration of IPv6/IPv4 Dual Stack, please select
appropriate WAN Type (See "WAN types: Routing mode and Bridge mode") for the WAN link according to the IPv4
you are provided by ISP as mentioned previously, and configure for IPv4 and IPv6 at the WAN link together. Except a
WAN IPv6 subnet used to deploy for a WAN link, ISP might provide an extra LAN IPv6 subnet for deploying your LAN.
Depending on the demand, the LAN IPv6 subnet can be deployed as basic subnet in DMZ as well for the WAN link.
FortiWAN in HA (High Availability) Mode
Installing FortiWAN in HA mode
When two FortiWAN units work together, they can be configured to HA (High Availability) double-device backup mode.
This setup allows two FortiWAN units to server as backup for each other. The master is the main functioning unit,
while the slave is the backup unit in standby. An FortiWAN unit alone already has built-in fault tolerance mechanism.
All its OS and control applications are stored in Flash Memory, so sudden loss of electricity will not damage the
system. But when the network must provide non-stop service for mission-critical applications, the HA mode becomes a
must. With HA, FortiWAN serves a significant solution to accomplish network fault tolerance.
FortiWAN supports hot backup in HA by heartbeat mechanism. When both FortiWAN are on, one unit (the master)
performs operations, with the other (the slave) in standby. If the master fails for power failure or hardware failure
(including normal power off and system reboot), hot backup performs a switch-over to the slave (heartbeat detection
fails). This function logically promotes the slave to activate HA and to resume the role of the master. The failed master
unit will take the role of slave after it resumes from reboot. The HA hot-backup solution significantly limits the
downtime, and secures uninterrupted operation for critical applications.
Hot backup also implies data synchronization. FortiWAN HA performs system configurations synchronization between
the master and slave units. Applying configurations to the master unit from Web UI triggers a synchronization to the
slave unit. Besides, as long as the peer unit resumes as slave mode from system rebooting, the master also
synchronizes system configures with it. This mechanism guarantees the identical system configurations for the two
units.
In case that two units are insistent with firmware version, FortiWAN model and throughput license, only one unit takes
the role of master but the peer unit stay the booting status. A master unit cannot synchronize system configurations
with the unit that is in booting status. A message "Incompatible" is displayed for Peer Information in the Summary
page of the master's Web UI.
21 FortiWAN Handbook
Fortinet Technologies Inc.
Planning the network topology How to set up your FortiWAN
Setting Up HA
FortiWAN's double-device backup setup is easy to use. Simply connect the HA RJ-45ports on both FortiWAN units with
a Ethernet cable. Note that HA deployment requires identical firmware version, model and throughput license on the
two units.
Activating HA Mode
1. Install the master FortiWAN.
2. Connect the slave FortiWAN to the master with a Ethernet cable.
3. Switch on the slave.
After HA mode has been activated, the Master emits 4 beeps, and the Slave does 3. The status of the Slave is
displayed under [System] > [Summary] > [Peer Information] on the master's Web UI. Note that a slave's Web UI is not
available.
Once the master is down, the slave emits 1 beep and resumes the role of the master to keep network alive.
Switching on the two units together, then the unit with larger Up Time or Serial Number takes the role of master, while
the peer unit takes the role of slave.
Note: Ensure the cable is solidly plugged in both units. Otherwise, it may cause errors. After the master locates the
slave, system will activate HA mode.
Redundant LAN Port and/or redundant DMZ port: FortiWAN in HA mode
As illustrated in the topology below, two FortiWAN units work in HA mode, with one active and the other in standby.
Port1 and port2 acts as redundant LAN port for each other, putting the two units into hot backup mode. This mode
offers a significant solution against single point failure in LAN/DMZ (See "Configurations for VLAN and Port
Mapping").
FortiWAN Handbook
Fortinet Technologies Inc.
22
How to set up your FortiWAN Planning the network topology
High Availability (HA) Scenarios
Firmware Update Procedure in HA Deployment
The firmware update procedure in HA deployment differs from the non-HA (single unit) procedure:
1.
Log onto the master unit (unit A) as Administrator, go to [System]→[Summary] and double check and make sure
the peer device is under normal condition (See "Summary").
2. Execute the firmware update (See "Administrator"). Please wait as this may take a while.
3.
During the upgrade, do not turn off the system, unplug the power or repeatedly click the Submit button. The
message “Update succeeded” will appear after the upgrade is completed. System automatically reboots afterward
for the firmware to take effect.
4.
The slave unit (unit B) switches to be master while unit A rebooting. Note: The unit B will beep once.
5.
Log onto unit B Web UI. "Peer Information " might display "none" or "Booting". Then execute firmware update
procedure again.
6.
Make sure the firmware update steps are done and system reboots automatically.
7.
Unit A now switches to master while unit B rebooting.
8.
Login the unit A Web UI, go to [System] → [Summary], and make sure the system firmware is the latest version.
Also make sure the firmware is up to date on unit B.
Note: If there are abnormal behaviors in the DMZ or public IP servers, go to [System] → [Diagnostic Tools] →[ARP
Enforcement] and execute [Enforce] for troubleshooting. Also notice that if the Ethernet cable for HA between the
master and slave is removed or disconnected.
If abnormal behaviors appear consistently, please remove the network and HA cable, and perform the firmware update
procedure again to both system individually.Then reconnect them to the network as well as the HA deployment.
If repetitive errors occur during the firmware update process, DO NOT ever switch off the device and contact your
dealer for technical support.
HA Fallback to Single Unit Deployment
The steps to fallback to single unit deployment from HA are:
1.
Log onto Web UI via Administrator account. Go to [System] → [Summary]and double check and make sure the
peer device is under normal condition (See "Summary").
2.
Turn the Master off if the Master is to be removed. The Slave will take over the network immediately without
impacting services. If the Slave is to be removed, then simply turn the Slave off.
3.
Remove the device and the associated cables.
Steps of the Slave Take Over are:
1.
In the HA setup, the Master unit is in an active state and serving the network at the meanwhile the Slave unit is
monitoring the Master.
2.
In the case of unit failover (Hardware failure, Power failure, HA cable failure, etc), the Slave takes over the network
and beeps once when the switchover is completed. The switchover requires 15 seconds or so since negotiations
for states.
3.
The switched Master unit becomes the Slave unit in the HA deployment even it is repaired from failures. You can
power cycle the Master unit to have another switchover to the units.
23 FortiWAN Handbook
Fortinet Technologies Inc.
Web UI Overview How to set up your FortiWAN
See also
l
Summary
l
Configurations for VLAN and Port Mapping
l
Administrator
Web UI Overview
Once you log in, you will see the operating menu on FortiWAN Web UI. A navigation menu is located on the left side of
the web UI. The menu consists of six main functions: System, Service, Statistics, Log, Reports and Language.
Each function is divided into submenus. To expand a menu item, simply click it.To view the pages located within a
submenu, click the name of the page. [System/Summary] shown above indicates page contents are displayed of
[System] > [Summary], and [Administrator@125.227.251.80] indicates Administrator account log in from IP
125.227.251.80. Note that do not use your browser’s Back button to navigate, pages may not operate correctly.
l Apply: Click this button, to perform configurations or save configuration changes to memory. Before switching page,
remember to click [Apply]. Otherwise, changes will NOT be stored.
l Help: Click this button, to display online help for current page.
l Reload: Click this button, to reload page contents.
FortiWAN Handbook
Fortinet Technologies Inc.
24
How to set up your FortiWAN Web UI Overview
FortiWAN manages most of its rules/filters/policies with top-down evaluation method where the rules are prioritized in
descending order.
Click this button, to add a new rule below the current rule.
Click this button, to delete the rule.
Click this button, to move the rule up a row.
Click this button, to move the rule down a row.
Write a note for this rule.
The function is disabled.
The function is enabled.
Using the web UI and the CLI
Be aware that the position of LAN port may vary depending on models. FortiWAN-200B, for example, has five network
interfaces, with its fourth interface as LAN port and fifth as DMZ port.
Before setting up FortiWAN in your network, ensure the following are taken care of:
l Check network environment and make sure the following are ready before FortiWAN installation and setup: well-
structured network architecture, and proper IP allocation.
l Use cross-over to connect PC to FortiWAN LAN port instead of straight-through.
To connect to the web UI
Requires: Microsoft Internet Explorer 6, Mozilla Firefox 2.0, or Google Chrome 2.0 or newer.
l Using the Ethernet cable, connect LAN port (port 4) of the appliance to your computer.
l Switch on FortiWAN. It will emit 3 beeps, indicating the system is initialized and activated. Meanwhile, the LAN port
LED blinks, indicating a proper connection.
l By default, the LAN IP address is 192.168.0.1. Configure your computer to match the appliance’s default LAN
subnet. For example, on Windows 7, click the Start (Windows logo) menu to open it, and then click Control Panel.
Click Network and Sharing Center, Local Area Connection, and then the Properties button. Select Internet Protocol
Version 4 (TCP/IPv4), then click its Properties button. Select Use the following IP address, then change your
computer’s settings to:
l IP address: 192.168.0.2 (or 192.168.0.X)
l Subnet mask: 255.255.255.0
l To connect to FortiWAN’s web UI, start a web browser and go to https://192.168.0.1. (Remember to include the “s”
in https://.)
l Login to web UI with the default username/password combinations: Administrator/1234 or Monitor/5678 (case
sensitive).
25 FortiWAN Handbook
Fortinet Technologies Inc.
Web UI Overview How to set up your FortiWAN
Note:
1.
Make sure the proxy settings of the web browser are disabled. For example, open Internet Explorer and select
"Internet Option" on "Tools" menu. Click the "Connection" tab, "LAN settings" and open "Local Area Network
Settings" dialog box, then disable "Proxy server".
2.
Administrator has privileges to monitor and modify system parameters, while Monitor can monitor ONLY. It is
strong recommended that the passwords be changed ASAP, and store it in a safe and secure location.
3.
Only 1 Administrator can be logged in at one time. A 2nd Admin logging on will terminate the session of the 1st
login.
To connect to the CLI via serial console
Requires: Terminal emulator such as HyperTerminal, PuTTY, Tera Term, or a terminal server
l Using the console cable, connect the appliance’s console port to your terminal server or computer. On your
computer or terminal server, start the terminal emulator
l Use these settings:
l Bits per second: 9600
l Data bits: 8
l Parity: None
l Stop bits: 1
l Flow control: None
l Press Enter on your keyboard to connect to the CLI
l The default username/password is Administrator/fortiwan.
Note: FortiWAN CLI has limited functionality and cannot fully conigure the system. Normal configuration changes
should be done via the WebUI.
Using the web UI
FortiWAN's services (load balancing, fault tolerance and other optional services) are based on Policy and Filter.
Policies (or called Classes as well) are specified items indicating different actions for a service. Policies are applied to
different objects classified by the predefined filters. Basically, a object is classified by the combinations of When,
Source, Destination and TCP/UDP/ICMP Service. A filter contains the settings of those items When, Source,
Destination and Service, and also an associated Policy. Traffic that matches the filter will be applied to the specified
policy.
Configuration on When
This is for filtering traffic by different time period which is predefined in "Busyhour Settings".
Configuration on Source and Destination
This is for filtering the established sessions from/to specified source/destination. The options are:
IPv4/IPv6 Address : Matches sessions coming from or going to a single IPv4/IPv6 address. e.g.
192.168.1.4.
FortiWAN Handbook
Fortinet Technologies Inc.
26
How to set up your FortiWAN Web UI Overview
IPv4/IPv6 Range : Matches sessions coming from or going to a continuous range of IP addresses.
e.g. 192.168.1.10-192.168.1.20.
IPv4/IPv6 Subnet : Matches sessions coming from or going to a subnet.
e.g.192.168.1.0/255.255.255.0.
WAN : Matches sessions coming from or going to WAN.
LAN : Matches sessions coming from or going to LAN.
DMZ : Matches sessions coming from or going to DMZ.
Localhost : Matches sessions coming from or going to FortiWAN.
Any Address : Matches all sessions regardless of its source or destination.
FQDN : Matches sessions coming from or going to FQDN.
IP Grouping Name : Matches sessions coming from or going to the IP addresses that predefined in IP
groups (See "IP Grouping").
Configuration on Service
This is for filtering the established sessions running specified service. It contains some well-known services for options
and user-defined services (TCP@, UDP@ and Protocol#):
l FTP (21)
l SSH (22)
l TELNET (23)
l SMTP (25)
l DNS (53)
l GOPHER (70)
l FINGER (79)
l HTTP (80)
l POP3 (110)
l NNTP (119)
l NTP (123)
l IMAP (143)
l SNMP (161)
l BGP (179)
l WAIS (210)
l LDAP (389)
l HTTPS (443)
l IKE (500)
l RLOGIN (513)
l SYSLOG (514)
l RIP (520)
l UUCP (540)
27 FortiWAN Handbook
Fortinet Technologies Inc.
Web UI Overview How to set up your FortiWAN
l H323 (1720)
l RADIUS (1812)
l RADIUS-ACCT (1813)
l pcAnywhere-D (5631)
l pcAnywhere-S (5632)
l X-Windows (6000-6063)
l GRE
l ESP
l AH
l ICMP
l TCP@
l UDP@
l Protocol#
l Any
Console Mode Commands
This section provides further details on the Console mode commands. Before logging onto serial console via
HyperTerminal, please ensure the following settings are in place: Bits per second: 9600; Data bits: 8; Parity: None;
Stop bits: 1; Flow control: None.
help: Displays the help menu
help [COMMAND]
Show a list of console commands.
arping: Find the corresponding MAC address of an IP address
arping [HOST] [LINK] [INDEX]
Show the MAC address of an IP address. Host is the IP of the machine or domain name whose MAC address is of
interest. Link is the type of interface used, i.e. WAN, LAN and DMZ. If WAN is selected, please indicate the WAN port
number.
Example: "arping 192.168.2.100 lan" [enter] will send out an ARP packet from LAN port to query the MAC address of
the machine whose IP address is 192.168.2.100.
Note: If domain name is to be used in the HOST parameter, the DNS Server must be set in the Web UI [System]->
[Network Settings]->[DNS Server].
For more on ARP related error messages, please refer to other ARP materials.
disablefw: Disable firewall
disablefw
System will re-confirm, press [y] to proceed or [n] to cancel.
FortiWAN Handbook
Fortinet Technologies Inc.
28
How to set up your FortiWAN Web UI Overview
enforcearp: Force FortiWAN's surrounding machines to update their ARP tables
enforcearp
Sytem will send ARP packets to update their ARP tables. This is for cases where after the initial installation of
FortiWAN, machines or servers sitting in the DMZ are unable to be able to connect to the internet.
httpctl: Control web server for Web User Interface
httpctl [restart|showport|setport [PORT]]
System will restart the web server running on FortiWAN for the Web UI, or display the port number occupied by the
web server, or reset the specified port number to the web server.
logout: Exit Console mode
logout
Exit the Console mode. The system will re-confirm, press [y] to proceed or [n] to cancel.
ping: Test network connectivity
ping [HOST] [LINK] [IDX]
Ping a HOST machine to detect the current WAN link status. HOST is the machine/device to be pinged. The LINK
parameter can be WAN, LAN or DMZ. If the LINK is WAN then also specify the WAN port number.
Example: "ping www.hinet.net wan 1" [Enter] to ping www.hinet.net via WAN #1.
Note: If domain name is used in the HOST parameter, DNS Server must be set in the Web UI [System]->[Network
Settings]->[DNS Server] (See "Set DNS server for FortiWAN").
For more on ICMP related error messages please refer to other ICMP/PING materials.
reactivate Reset to factory default and base bandwidth grade.
reboot: Restart FortiWAN
reboot | reboot [-t [SECOND]]
Restart FortiWAN. Type "reboot -t X" [Enter] to restart the FortiWAN after X amount of seconds.
Example: :reboot -t 5" [Enter] to restart the system in 5 seconds.
resetconfig: Restore to factory defaults
resetconfig | resetconfig [IP ADDRESS/NETMASK]
System will re-confirm, press [y] to proceed or [n] to cancel.
Type “resetconfig [IP address/Netmask]” to specify IP configuration to LAN port from resetting system to factory
default. Example: command “resetconfig 10.10.10.1/255.255.255.0” resets system to factory default, and the IP
configuration of LAN port becomes to 10.10.10.1 / 255.255.255.0 after system comes back up. IP configuration of
LAN port returns to 192.168.0.1/255.255.255.0 if system is reset without specification. Note that resetting system with
specification on LAN port disables all the WAN links by default.
29 FortiWAN Handbook
Fortinet Technologies Inc.
Web UI Overview How to set up your FortiWAN
resetpasswd: Reset FortiWAN's Administrator and Monitor passwords to factory default
resetpasswd
System will re-confirm, press [y] to proceed or [n] to cancel.
setupport: Configure the transmission mode for all the FortiWAN port(s)
setupport [SHOW] | setupport change [INDEX] [SPEED] [MODE]
Type "setupport show" shows the current transmission modes for all the network ports.
Type "setupport change" [INDEX], then type "auto" [Enter] to change the index network port into AUTO mode.
Type "port-config change" [INDEX] [SPEED] [MODE] [Enter] to change the index network port into a specific
transmission mode.
INDEX: 1, 2, 3...
SPEED: 10, 100, 1000
MODE: half, full
Example: "setupport show" [Enter]
"setupport change 1 auto" [Enter]
"setupport change 2 100 full" [Enter]
Note:
Not all network devices support full 100M speed.
This command has no effect on fiber interface.
The INDEX is the port number of the FortiWAN port interface; exact number varies according to product models.
shownetwork: Show the current status of all the WAN links available
shownetwork
Display WAN Type, Bandwidth, IP(s) on Local/WAN/DMZ, Netmask, Gateway, and WAN/DMZ Port.
Example: "shownetwork" [Enter]
Note: This Console command can only show the current network status. This setting can be changed in the Web UI
under “Network Settings”.
showtrstat Display tunnel status
showtrstat [TR GROUP NAME]
Display the status of specified tunnel group.
sslcert: Set or unset SSL certificate for FortiWAN WebUI
sslcert show | sslcert set
Type “sslcert show” [Enter] to display current SSL certificate that FortiWAN WebUI is working with.
FortiWAN Handbook
Fortinet Technologies Inc.
30
Loading...