
Advanced System Settings

FortiOS™ Handbook 4.0 MR2

Visit http://support.fortinet.com to register your FortiOS™ product. By registering you can
receive product updates, technical support, and FortiGuard services.
FortiOS™ Advanced System Settings
FortiOS Handbook 4.0 MR2
29 June 2010
01-420-127357-2010629
© Copyright 2010 Fortinet, Inc. All rights reserved. No part of this publication including text, examples,
diagrams or illustrations may be reproduced, transmitted, or translated in any form or by any means,
electronic, mechanical, manual, optical or otherwise, for any purpose, without prior written permission of
Fortinet, Inc.

Trademarks
Dynamic Threat Prevention System (DTPS), APSecure, FortiASIC, FortiBIOS, FortiBridge, FortiClient,
FortiGate®, FortiGate Unified Threat Management System, FortiGuard®, FortiGuard-Antispam,
FortiGuard-Antivirus, FortiGuard-Intrusion, FortiGuard-Web, FortiLog, FortiAnalyzer, FortiManager,
Fortinet®, FortiOS, FortiPartner, FortiProtect, FortiReporter, FortiResponse, FortiShield, FortiVoIP, and
FortiWiFi are trademarks of Fortinet, Inc. in the United States and/or other countries. The names of actual
companies and products mentioned herein may be the trademarks of their respective owners.
Contents

Introduction 9
How this guide is organized . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9
Document conventions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11
IP addresses . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11
Example Network configuration . . . . . . . . . . . . . . . . . . . . . . . . . . 13
Cautions, Notes and Tips . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14
Typographical conventions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15
CLI command syntax conventions . . . . . . . . . . . . . . . . . . . . . . . . . 15
Registering your Fortinet product. . . . . . . . . . . . . . . . . . . . . . . . . . . . 17
Fortinet products End User License Agreement . . . . . . . . . . . . . . . . . . . . 17
Training . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17
Documentation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17
Fortinet Tools and Documentation CD . . . . . . . . . . . . . . . . . . . . . . . 18
Fortinet Knowledge Base . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18
Comments on Fortinet technical documentation . . . . . . . . . . . . . . . . . 18
Customer service and technical support . . . . . . . . . . . . . . . . . . . . . . . . 18

Advanced Static routing 19


Static routing concepts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19
Routing and VDOMs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19
The default route . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20
Routing table . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20
Static routing security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25
Multipath routing and determining the best route . . . . . . . . . . . . . . . . . 27
Troubleshooting static routing . . . . . . . . . . . . . . . . . . . . . . . . . . . 29
Static routing tips . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 33
ECMP route failover and load balancing . . . . . . . . . . . . . . . . . . . . . . . . 34
Route priority . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 34
Equal-Cost Multi-Path (ECMP) . . . . . . . . . . . . . . . . . . . . . . . . . . . 34
Configuring spill-over or usage-based ECMP . . . . . . . . . . . . . . . . . . . 36
Configuring weighted static route load balancing . . . . . . . . . . . . . . . . . 38
Policy Routing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 39
Adding a policy route . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 39
Moving a policy route. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 41
Transparent mode static routing . . . . . . . . . . . . . . . . . . . . . . . . . . . . 42

FortiOS™ Handbook 4.0 MR2 Advanced System Settings


01-420-127357-2010629 3
http://docs.fortinet.com/ • Feedback

Zones . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 42
Creating or editing a zone . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 43
Blocking intra-zone traffic . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 43
IP pools and zones . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 44
Zones in VDOMs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 44
Zones in transparent mode. . . . . . . . . . . . . . . . . . . . . . . . . . . . . 44

Virtual LANs 45
VLAN overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 45
What are VLANs? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 45
How VLANs work. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 46
VLAN ID rules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 46
VLAN switching and routing . . . . . . . . . . . . . . . . . . . . . . . . . . . . 47
VLANs in NAT/Route mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 51
Configuring your FortiGate unit. . . . . . . . . . . . . . . . . . . . . . . . . . . 52
Adding VLAN subinterfaces . . . . . . . . . . . . . . . . . . . . . . . . . . . . 52
Configuring firewall policies and routing . . . . . . . . . . . . . . . . . . . . . . 55
Example VLAN configuration in NAT/Route mode . . . . . . . . . . . . . . . . . . . 56
Network topology and assumptions . . . . . . . . . . . . . . . . . . . . . . . . 56
General configuration steps . . . . . . . . . . . . . . . . . . . . . . . . . . . . 57
Configuring the FortiGate unit . . . . . . . . . . . . . . . . . . . . . . . . . . . 57
Configuring the VLAN switch . . . . . . . . . . . . . . . . . . . . . . . . . . . . 62
Testing the configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 63
VLANs in Transparent mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 63
VLANs and Transparent mode . . . . . . . . . . . . . . . . . . . . . . . . . . . 64
Example of VLANs in Transparent mode . . . . . . . . . . . . . . . . . . . . . 66
Troubleshooting VLAN problems . . . . . . . . . . . . . . . . . . . . . . . . . . . . 72
Asymmetric routing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 73
Layer-2 and Arp traffic . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 73
Forward-domain solution . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 75
NetBIOS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 76
STP forwarding . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 77
Too many VLAN interfaces. . . . . . . . . . . . . . . . . . . . . . . . . . . . . 77


IPv6 79
IPv6 overview. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 79
Differences between IPv6 and IPv4 . . . . . . . . . . . . . . . . . . . . . . . . 79
IPv6 MTU. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 80
IPv6 address format . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 81
IP address notation. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 81
Netmasks. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 82
Address scopes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 82
Address types . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 82
IPv6 neighbor discovery . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 84
FortiGate IPv6 configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 85
Configuring IPv6 interfaces. . . . . . . . . . . . . . . . . . . . . . . . . . . . . 86
Configuring IPv6 routing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 87
Configuring IPv6 firewall policies . . . . . . . . . . . . . . . . . . . . . . . . . . 88
Configuring IPv6 over IPv4 tunneling . . . . . . . . . . . . . . . . . . . . . . . 89
Configuring IPv6 IPSec VPNs . . . . . . . . . . . . . . . . . . . . . . . . . . . 90
Transition from IPv4 to IPv6 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 92
Configuring FortiOS to connect to an IPv6 tunnel provider. . . . . . . . . . . . . . . 92
Assumptions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 93
Create a SIT-Tunnel Interface . . . . . . . . . . . . . . . . . . . . . . . . . . . 93
Create a static IPv6 Route into the Tunnel-Interface. . . . . . . . . . . . . . . . 94
Assign your IPv6 Network to your FortiGate . . . . . . . . . . . . . . . . . . . . 94
Create a Firewall-Policy to allow Traffic from port1 to the Tunnel-Interface . . . . 95
Test the connection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 95
IPv6 Troubleshooting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 95
ping6 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 95
diag sniffer packet . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 98
diag debug flow. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 99
IPv6 specific diag commands . . . . . . . . . . . . . . . . . . . . . . . . . . . 99
Additional IPv6 resources . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 100

PPTP and L2TP 103


About FortiOS PPTP VPNs. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 103
How PPTP VPNs work . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 103
FortiGate PPTP topologies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 105
Infrastructure requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . 105
FortiGate unit as a PPTP server . . . . . . . . . . . . . . . . . . . . . . . . . . 105
FortiGate unit forwards traffic to a PPTP server . . . . . . . . . . . . . . . . . . 105


Configuring the FortiGate unit for PPTP VPN . . . . . . . . . . . . . . . . . . . . . 106


PPTP server configuration overview . . . . . . . . . . . . . . . . . . . . . . . . 106
PPTP pass through configuration overview . . . . . . . . . . . . . . . . . . . . 106
Configuring user authentication for PPTP clients . . . . . . . . . . . . . . . . . 106
Enabling PPTP and specifying the PPTP IP address range . . . . . . . . . . . . 107
Adding the firewall policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 108
Configuring the FortiGate unit for PPTP pass through . . . . . . . . . . . . . . . . . 109
Defining a virtual port-forwarding address . . . . . . . . . . . . . . . . . . . . . 109
Configuring a port-forwarding firewall policy . . . . . . . . . . . . . . . . . . . . 109
Adding the firewall policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 110
Monitoring PPTP sessions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 110
Testing PPTP VPN connections . . . . . . . . . . . . . . . . . . . . . . . . . . 110
Logging VPN events . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 110
Configuring L2TP VPNs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 111
Network topology . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 112
L2TP configuration overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 113
Authenticating L2TP clients . . . . . . . . . . . . . . . . . . . . . . . . . . . . 113
Enabling L2TP and specifying an address range . . . . . . . . . . . . . . . . . 113
Defining firewall source and destination addresses . . . . . . . . . . . . . . . . 114
Adding the firewall policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 114
Configuring a Linux client . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 115
Monitoring L2TP sessions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 115
Testing L2TP VPN connections . . . . . . . . . . . . . . . . . . . . . . . . . . 116
Logging L2TP VPN events . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 116

Session helpers 117


Viewing the session helper configuration. . . . . . . . . . . . . . . . . . . . . . . . 117
Changing the session helper configuration . . . . . . . . . . . . . . . . . . . . . . . 118
Changing the protocol or port that a session helper listens on. . . . . . . . . . . 118
Disabling a session helper . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 120
DCE-RPC session helper (dcerpc) . . . . . . . . . . . . . . . . . . . . . . . . . . . 121
DNS session helpers (dns-tcp and dns-udp) . . . . . . . . . . . . . . . . . . . . . . 121
File transfer protocol (FTP) session helper (ftp) . . . . . . . . . . . . . . . . . . . . 121
H.245 session helpers (h245I and h245O) . . . . . . . . . . . . . . . . . . . . . . . 122
H.323 and RAS session helpers (h323 and ras) . . . . . . . . . . . . . . . . . . . . 122
Alternate H.323 gatekeepers . . . . . . . . . . . . . . . . . . . . . . . . . . . . 122
Media Gateway Controller Protocol (MGCP) session helper (mgcp) . . . . . . . . . . 122
ONC-RPC portmapper session helper (pmap) . . . . . . . . . . . . . . . . . . . . . 123
PPTP session helper for PPTP traffic (pptp) . . . . . . . . . . . . . . . . . . . . . . 123
Remote shell session helper (rsh) . . . . . . . . . . . . . . . . . . . . . . . . . . . 124


Real-Time Streaming Protocol (RTSP) session helper (rtsp) . . . . . . . . . . . . . 125


Session Initiation Protocol (SIP) session helper (sip) . . . . . . . . . . . . . . . . . 125
Trivial File Transfer Protocol (TFTP) session helper (tftp) . . . . . . . . . . . . . . . 126
Oracle TNS listener session helper (tns) . . . . . . . . . . . . . . . . . . . . . . . . 126

Index 127

Introduction
Advanced system settings includes a number of FortiOS topics and features including
networking, PPTP, and session helpers.
Networking in advanced system settings includes more advanced topics such as
advanced static routing, ECMP load balancing, zones, VLANs, and IPv6.
This chapter contains the following sections:
• How this guide is organized
• Document conventions
• Registering your Fortinet product
• Fortinet products End User License Agreement
• Training
• Documentation
• Customer service and technical support

How this guide is organized


This document contains detailed information about various aspects of FortiOS
configurations for networking, PPTP, and session helpers.
This FortiOS Handbook chapter contains the following sections:
Introduction (this chapter) briefly introduces this document and the conventions it uses.
Advanced Static routing covers advanced routing concepts, ECMP and load balancing,
static routing in Transparent mode, troubleshooting static routing, and zones.
Virtual LANs explains VLAN concepts, how VLANs are configured, provides an example
VLAN configuration, and some VLAN troubleshooting.
IPv6 explains what Internet protocol version 6 is, how it is configured in various parts of
the FortiGate unit interface, how to troubleshoot it, and gives an example of how to
configure a connection to an IPv6 tunnel broker.
PPTP and L2TP describes how to configure PPTP and L2TP VPNs as well as PPTP pass
through.
Session helpers explains what session helpers are, how they are configured, and describes
the different types of session helpers available.

Document conventions
Fortinet technical documentation uses the conventions described below.

IP addresses
To avoid publication of public IP addresses that belong to Fortinet or any other
organization, the IP addresses used in Fortinet technical documentation are fictional and
follow the documentation guidelines specific to Fortinet. The addresses used are from the
private IP address ranges defined in RFC 1918: Address Allocation for Private Internets,
available at http://ietf.org/rfc/rfc1918.txt?number=1918.
Most of the examples in this document use the following IP addressing:
• IP addresses are made up of A.B.C.D
  • A - can be one of 192, 172, or 10 - the non-public addresses covered in RFC 1918.
  • B - 168, or the branch / device / virtual device number.
    • Branch number can be 0xx, 1xx, 2xx - 0 is Head office, 1 is remote, 2 is other.
    • Device or virtual device - allows multiple FortiGate units in this address space
      (VDOMs).
    • Devices can be from x01 to x99.
  • C - interface - FortiGate units can have up to 40 interfaces, potentially more than one
    on the same subnet.
    • 001 - 099 - physical ports and other non-virtual interfaces
    • 100 - 255 - VLANs, tunnels, aggregate links, redundant links, vdom-links, etc.
  • D - usage based addresses; this part is determined by what the device is doing.
    • The following gives 16 reserved, 140 users, and 100 servers in the subnet.
    • 001 - 009 - reserved for networking hardware, like routers, gateways, etc.
    • 010 - 099 - DHCP range - users
    • 100 - 109 - FortiGate devices - typically only use 100
    • 110 - 199 - servers in general (see below for details)
    • 200 - 249 - static range - users
    • 250 - 255 - reserved (255 is broadcast, 000 not used)
    • The D segment servers can be further broken down into:
      • 110 - 119 - Email servers
      • 120 - 129 - Web servers
      • 130 - 139 - Syslog servers
      • 140 - 149 - Authentication (RADIUS, LDAP, TACACS+, FSAE, etc.)
      • 150 - 159 - VoIP / SIP servers / managers
      • 160 - 169 - FortiAnalyzers
      • 170 - 179 - FortiManagers
      • 180 - 189 - Other Fortinet products (FortiScan, FortiDB, etc.)
      • 190 - 199 - Other non-Fortinet servers (NAS, SQL, DNS, DDNS, etc.)
    • Fortinet products, non-FortiGate, are found from 160 - 189.


The following table shows some examples of how to choose an IP number for a device
based on the information given. For internal and dmz, it is assumed in this case there is
only one interface being used. The leading zeros in the second octet (10.011.101.100) are a
documentation convention that exposes the branch and device numbers; when configuring a
device, type the plain dotted-decimal form (10.11.101.100), because some tools and libraries
reject an octet with a leading zero or interpret it as octal.

Table 1: Examples of the IP numbering

Location and device                            Internal         Dmz              External
Head Office, one FortiGate                     10.011.101.100   10.011.201.100   172.20.120.191
Head Office, second FortiGate                  10.012.101.100   10.012.201.100   172.20.120.192
Branch Office, one FortiGate                   10.021.101.100   10.021.201.100   172.20.120.193
Office 7, one FortiGate with 9 VDOMs           10.079.101.100   10.079.101.100   172.20.120.194
Office 3, one FortiGate, web server            n/a              10.031.201.110   n/a
Bob in accounting on the corporate user        10.011.101.200   n/a              n/a
network (dhcp) at Head Office, one FortiGate
Router outside the FortiGate                   n/a              n/a              172.20.120.195


Example Network configuration


The network configuration shown in Figure 1 or variations on it is used for many of the
examples in this document. In this example, the 172.20.120.0 network is equivalent to the
Internet. The network consists of a head office and two branch offices.

Figure 1: Example network configuration (diagram not reproduced; the device labels and
addresses shown on it are summarized here)

Head office: internal network 10.11.101.0/24 with a FortiGate-620B cluster (Port2
10.11.101.100; Port1 172.20.120.130 and 172.20.120.141 on the 172.20.120.0 "Internet"
segment), a FortiGate-82C (Port2 10.11.101.102), a FortiWiFi-80CM (INT 10.11.101.101;
WLAN 10.12.101.100, SSID example.com, DHCP range 10.12.101.200-249), a FortiMail-100C
(Port1 10.11.101.110), a FortiAnalyzer-100B (Port2 10.11.101.130), a Windows PC
(10.11.101.10), a Linux PC (10.11.101.20) and a Linksys SRW2008 switch.
Branch office: FortiGate-51B (WAN1 172.20.120.122, Internal 10.31.101.100) with a Windows
PC (10.31.101.10).
Branch office: FortiGate-111C (WAN1 172.20.120.131) in front of an engineering network
(10.21.101.0/24 and 10.22.101.0/24) containing FortiGate-5005FA2, FortiGate-3810A,
FortiGate-5050SM, FortiSwitch-5003A and FortiManager-3000B units and a Linux PC
(10.21.101.10).

Cautions, Notes and Tips


Fortinet technical documentation uses the following guidance and styles for cautions,
notes and tips.

Caution: Warns you about commands or procedures that could have unexpected or
undesirable results including loss of data or damage to equipment.

Note: Presents useful information, but usually focused on an alternative, optional method,
such as a shortcut, to perform a step.

Tip: Highlights useful additional information, often tailored to your workplace activity.


Typographical conventions
Fortinet documentation uses the following typographical conventions:
Table 2: Typographical conventions in Fortinet technical documentation

Convention                                          Example
Button, menu, text box, field, or check box label   From Minimum log level, select Notification.
CLI input                                           config system dns
                                                        set primary <address_ipv4>
                                                    end
CLI output                                          FGT-602803030703 # get system settings
                                                    comments : (null)
                                                    opmode : nat
Emphasis                                            HTTP connections are not secure and can be
                                                    intercepted by a third party.
File content                                        <HTML><HEAD><TITLE>Firewall Authentication</TITLE></HEAD>
                                                    <BODY><H4>You must authenticate to use this service.</H4>
Hyperlink                                           Visit the Fortinet Technical Support web site,
                                                    https://support.fortinet.com.
Keyboard entry                                      Type a name for the remote VPN peer or client, such as
                                                    Central_Office_1.
Navigation                                          Go to VPN > IPSEC > Auto Key (IKE).
Publication                                         For details, see the FortiOS Handbook.

CLI command syntax conventions


This guide uses the following conventions to describe the syntax to use when entering
commands in the Command Line Interface (CLI).
Brackets, braces, and pipes are used to denote valid permutations of the syntax.
Constraint notations, such as <address_ipv4>, indicate which data types or string
patterns are acceptable value input.
Table 3: Command syntax notation
Convention Description
Square brackets [ ] A non-required word or series of words. For example:
[verbose {1 | 2 | 3}]
indicates that you may either omit or type both the verbose word and
its accompanying option, such as:
verbose 3

Angle brackets < > A word constrained by data type.
To define acceptable input, the angled brackets contain a descriptive
name followed by an underscore ( _ ) and suffix that indicates the
valid data type. For example:
<retries_int>
indicates that you should enter a number of retries, such as 5.
Data types include:
• <xxx_name>: A name referring to another part of the
configuration, such as policy_A.
• <xxx_index>: An index number referring to another part of the
configuration, such as 0 for the first static route.
• <xxx_pattern>: A regular expression or word with wild cards
that matches possible variations, such as *@example.com to
match all email addresses ending in @example.com.
• <xxx_fqdn>: A fully qualified domain name (FQDN), such as
mail.example.com.
• <xxx_email>: An email address, such as
admin@mail.example.com.
• <xxx_url>: A uniform resource locator (URL) and its associated
protocol and host name prefix, which together form a uniform
resource identifier (URI), such as
http://www.fortinet.com/.
• <xxx_ipv4>: An IPv4 address, such as 192.168.1.99.
• <xxx_v4mask>: A dotted decimal IPv4 netmask, such as
255.255.255.0.
• <xxx_ipv4mask>: A dotted decimal IPv4 address and netmask
separated by a space, such as
192.168.1.99 255.255.255.0.
• <xxx_ipv4/mask>: A dotted decimal IPv4 address and
CIDR-notation netmask separated by a slash, such as
192.168.1.99/24.
• <xxx_ipv6>: A colon( : )-delimited hexadecimal IPv6 address,
such as 3f2e:6a8b:78a3:0d82:1725:6a2f:0370:6234.
• <xxx_v6mask>: An IPv6 netmask, such as /96.
• <xxx_ipv6mask>: An IPv6 address and netmask separated by a
space.
• <xxx_str>: A string of characters that is not another data type,
such as P@ssw0rd. Strings containing spaces or special
characters must be surrounded in quotes or use escape
sequences.
• <xxx_int>: An integer number that is not another data type,
such as 15 for the number of minutes.

Curly braces { } A word or series of words that is constrained to a set of options
delimited by either vertical bars or spaces.
You must enter at least one of the options, unless the set of options is
surrounded by square brackets [ ].
Options Mutually exclusive options. For example:
delimited by {enable | disable}
vertical bars | indicates that you must enter either enable or disable, but must
not enter both.
Options Non-mutually exclusive options. For example:
delimited by {http https ping snmp ssh telnet}
spaces indicates that you may enter all or a subset of those options, in any
order, in a space-delimited list, such as:
ping https ssh
Note: To change the options, you must re-type the entire list. For
example, to add snmp to the previous example, you would type:
ping https snmp ssh
If the option adds to or subtracts from the existing list of options,
instead of replacing it, or if the list is comma-delimited, the exception
will be noted.

Registering your Fortinet product


Before you begin configuring and customizing features, take a moment to register your
Fortinet product at the Fortinet Technical Support web site, https://support.fortinet.com.
Many Fortinet customer services, such as firmware updates, technical support, and
FortiGuard Antivirus and other FortiGuard services, require product registration.
For more information, see the Fortinet Knowledge Center article Registration Frequently
Asked Questions.

Fortinet products End User License Agreement


See the Fortinet products End User License Agreement.

Training
Fortinet Training Services provides courses that orient you quickly to your new equipment,
and certifications to verify your knowledge level. Fortinet provides a variety of training
programs to serve the needs of our customers and partners world-wide.
To learn about the training services that Fortinet provides, visit the Fortinet Training
Services web site at http://campus.training.fortinet.com, or email training@fortinet.com.

Documentation
The Fortinet Technical Documentation web site, http://docs.fortinet.com, provides the
most up-to-date versions of Fortinet publications, as well as additional technical
documentation such as technical notes.
In addition to the Fortinet Technical Documentation web site, you can find Fortinet
technical documentation on the Fortinet Tools and Documentation CD, and on the Fortinet
Knowledge Center.


Fortinet Tools and Documentation CD


Many Fortinet publications are available on the Fortinet Tools and Documentation CD
shipped with your Fortinet product. The documents on this CD are current at shipping
time. For current versions of Fortinet documentation, visit the Fortinet Technical
Documentation web site, http://docs.fortinet.com.

Fortinet Knowledge Base


The Fortinet Knowledge Base provides additional Fortinet technical documentation, such
as troubleshooting and how-to articles, examples, FAQs, technical notes, a glossary, and
more. Visit the Fortinet Knowledge Base at http://kb.fortinet.com.

Comments on Fortinet technical documentation


Please send information about any errors or omissions in this or any Fortinet technical
document to techdoc@fortinet.com.

Customer service and technical support


Fortinet Technical Support provides services designed to make sure that your Fortinet
products install quickly, configure easily, and operate reliably in your network.
To learn about the technical support services that Fortinet provides, visit the Fortinet
Technical Support web site at https://support.fortinet.com.
You can dramatically improve the time that it takes to resolve your technical support ticket
by providing your configuration file, a network diagram, and other specific information. For
a list of required information, see the Fortinet Knowledge Base article FortiGate
Troubleshooting Guide - Technical Support Requirements.

Advanced Static routing
Advanced static routing includes features and concepts that are used in more complex
networks. Dynamic routing is not addressed in this section.
This section includes:
• Static routing concepts
• ECMP route failover and load balancing
• Policy Routing
• Transparent mode static routing
• Zones

Static routing concepts


While static routes are the basic form of routing, static routing can still be a complex topic.
There are a number of basic concepts that static routing is built upon that must be
understood before creating effective static routing networks.
This section includes:
• Routing and VDOMs
• The default route
• Routing table
• Static routing security
• Multipath routing and determining the best route
• Troubleshooting static routing
• Static routing tips

Routing and VDOMs


Routing on FortiGate units is configured per-VDOM. If VDOMs are enabled on your
FortiGate unit, you must enter a VDOM to do any routing configuration. This allows each
VDOM to operate independently, with its own default route and routing configuration. In
the CLI, enter a VDOM with config vdom followed by edit <vdom_name> before using the
config router commands; routes added while in the global context do not apply to any VDOM.

The current VDOM


In the bottom left corner of the web-based manager display, the current VDOM is
displayed. If you are not in a VDOM, Global is displayed.

Changing VDOMs
1 Go to the Current VDOM display.
2 Select the arrow next to the current VDOM.
3 Select Global or a VDOM from the list.
You will enter the selected VDOM or Global.


Tip: You only have access to multiple VDOMs if you are the super_admin administrator.
Other administrator accounts can only access one VDOM.

The default route


The default route is used when no other route in the routing table matches a packet's
destination. The default route can be considered the route of last resort. Without a
default route configured, network traffic that doesn't match a known route is dropped.
Including the gateway in the default route gives all such traffic a next-hop address to use
when leaving the local network. The gateway address is normally another router on the edge
of the local network. If the FortiGate unit is itself the edge device, the gateway is
typically an address that your Internet service provider has given you.
All routers, including FortiGate units, are shipped with a default route in place. This
allows customers to set up and become operational more quickly. Beginner administrators can
use the default route settings until a more advanced configuration is warranted.
FortiGate units come with a default static route with a destination of 0.0.0.0/0 and an
administrative distance of 10. Because a default route matches every destination, it also
carries traffic for unknown or mistyped internal addresses out to the gateway; check which
routes are active with the CLI command get router info routing-table all.

Routing table
When two computers are directly connected, there is no need for routing because each
computer knows exactly where to find the other computer. They communicate directly.
Networking computers allows many computers to communicate with each other. This
requires each computer to have an IP address to identify its location to the other
computers. This is much like a mailing address - you will not receive your postal mail at
home if you do not have an address for people to send mail to. The routing table on a
computer is much like an address book used to mail letters to people in that the routing
table maintains a list of how to reach computers. Routing tables may also include
information about the quality of service (QoS) of the route, and the interface associated
with the route if the device has multiple interfaces.
Routing tables are also used in unicast reverse path forwarding (uRPF). In uRPF, the
router not only looks up the destination information, but also the source information to
ensure that it exists. If there is no source to be found, then that packet is dropped because
the router assumes it to be an error or an attack on the network.
Looking at routing as delivering letters is simpler than reality. In reality, routers lose
power or have bad cabling, network equipment is moved without warning, and other such
events happen that prevent static routes from reaching their destinations. When any
changes such as these happen along a static route, traffic can no longer reach the
destination — the route goes down. Dynamic routing can address these changes to
ensure traffic still reaches its destination. The process of realizing there is a problem,
backtracking and finding a route that is operational is called convergence. If there is fast
convergence in a network, users won’t even know that re-routing is taking place.
The routing table for any device on the network has a limited size. For this reason, routes
that aren’t used are replaced by new routes. This method ensures the routing table is
always populated with the most current and most used routes—the routes that have the
best chance of being reused. Another method used to maintain the routing table’s size is if
a route in the table and a new route are to the same destination, one of the routes is
selected as the best route to that destination and the other route is discarded.

This section includes:
• Viewing the routing table in the web-based manager
• Viewing the routing table in the CLI
• Viewing the routing table with diagnose commands
• Searching the routing table

Viewing the routing table in the web-based manager


By default, all routes are displayed in the Routing Monitor list. The default static route is
defined as 0.0.0.0/0, which matches the destination IP address of “any/all” packets.
To display the routes in the routing table, go to Router > Monitor > Routing Monitor.
Table 4: Router Monitor list fields
IP version Select IPv4 or IPv6 routes. Fields displayed vary depending on which IP version is
selected.
Displayed only if IPv6 display is enabled on the web-based manager
Type Select one of the following route types to search the routing table and display routes
of the selected type only:
All — all routes recorded in the routing table.
Connected — all routes associated with direct connections to FortiGate unit
interfaces.
Static — the static routes that have been added to the routing table manually.
RIP — all routes learned through RIP.
RIPNG — displays all routes learned through RIP version 6 (which enables the
sharing of routes through IPv6 networks).
BGP — all routes learned through BGP.
OSPF — all routes learned through OSPF.
IS-IS — all routes learned through IS-IS.
OSPF6 — all routes learned through OSPF version 6 (which enables the sharing of
routes through IPv6 networks).
HA — RIP, OSPF, and BGP routes synchronized between the primary unit and the
subordinate units of a high availability (HA) cluster. HA routes are maintained on
subordinate units and are visible only if you are viewing the router monitor from a
virtual domain that is configured as a subordinate virtual domain in a virtual cluster.
For details about HA routing synchronization, see the FortiGate HA User Guide.
Network Enter an IP address and netmask (for example, 172.16.14.0/24) to search the
routing table and display routes that match the specified network.
Not displayed when IP version IPv6 is selected.
Gateway Enter an IP address and netmask (for example, 192.168.12.1/32) to search the
routing table and display routes that match the specified gateway.
Not displayed when IP version IPv6 is selected.
Apply Filter Select to search the entries in the routing table based on the specified search criteria
and display any matching routes.
Not displayed when IP version IPv6 is selected.
Table 4 (continued): Router Monitor list fields
Type The type values assigned to FortiGate unit routes (Static, Connected, RIP, OSPF, or
BGP).
Not displayed when IP version IPv6 is selected.
Subtype If applicable, the subtype classification assigned to OSPF routes.
An empty string implies an intra-area route. The destination is in an area to which the
FortiGate unit is connected.
OSPF inter area — the destination is in the OSPF AS, but the FortiGate unit is not
connected to that area.
External 1 — the destination is outside the OSPF AS. This is known as OSPF E1
type. The metric of a redistributed route is calculated by adding the external cost and
the OSPF cost together.
External 2 — the destination is outside the OSPF AS. This is known as OSPF E2
type. In this case, the metric of the redistributed route is equivalent to the external
cost only, expressed as an OSPF cost.
OSPF NSSA 1 — same as External 1, but the route was received through a not-so-
stubby area (NSSA).
OSPF NSSA 2 — same as External 2, but the route was received through a not-so-
stubby area.
Not displayed when IP version 6 is selected.
Network The IP addresses and network masks of destination networks that the FortiGate unit
can reach.
Distance The administrative distance associated with the route. A value of 0 means the route is
preferable compared to routes to the same destination.
Modifying this distance for dynamic routes is route distribution.
Metric The metric associated with the route type. The metric of a route influences how the
FortiGate unit dynamically adds it to the routing table. The following are types of
metrics and the protocols they are applied to.
Hop count — routes learned through RIP.
Relative cost — routes learned through OSPF.
Multi-Exit Discriminator (MED) — routes learned through BGP. However, several
attributes in addition to MED determine the best path to a destination network.
Gateway The IP addresses of gateways to the destination networks.
Interface The interface through which packets are forwarded to the gateway of the destination
network.
Up Time The total accumulated amount of time that a route learned through RIP, OSPF, or
BGP has been reachable.
Not displayed when IP version IPv6 is selected.

Viewing the routing table in the CLI


In the CLI, you can easily view the static routing table just as in the web-based manager or
you can view the full routing table.
When viewing the list of static routes using the CLI command get route static, it is
the configured static routes that are displayed. When viewing the routing table using the
CLI command get router info routing-table all, it is the entire routing table
information that is displayed including configured and learned routes of all types. The two
are different information in different formats.

Note: If VDOMs are enabled on your FortiGate unit, all routing related CLI commands must
be performed within a VDOM and not in the global context.

To view the routing table


# get router info routing-table all
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
* - candidate default

S* 0.0.0.0/0 [10/0] via 192.168.183.254, port2
S 1.0.0.0/8 [10/0] via 192.168.183.254, port2
S 2.0.0.0/8 [10/0] via 192.168.183.254, port2
C 10.142.0.0/23 is directly connected, port3
B 10.160.0.0/23 [20/0] via 10.142.0.74, port3, 2d18h02m
C 192.168.182.0/23 is directly connected, port2

Examining an entry:
B 10.160.0.0/23 [20/0] via 10.142.0.74, port3, 2d18h02m
B BGP. The routing protocol used.
10.160.0.0/23 The destination of this route including netmask.
[20/0] 20 indicates an administrative distance of 20 out of a range of 0
to 255.
0 is an additional metric associated with this route, such as in
OSPF.
10.142.0.74 The gateway, or next hop.
port3 The interface used by this route.
2d18h02m How old this route is, in this case almost three days old.

Viewing the routing table with diagnose commands


Diagnose commands can provide a wide variety of information about your FortiGate unit
that may otherwise be inaccessible. These commands generally provide extensive
information, but the output can be difficult to understand. You should only need to use
diagnose commands when customer support tells you to do so during troubleshooting.
FortiOS documentation describes specific examples for using diagnose commands to
provide information that may be useful.
You can view the routing table using diagnostic commands. This has the benefits of being
able to be run from anywhere in the command line structure, and it is shorter. Also the
diagnose method will show localhost routes that the CLI and web-based methods will not
include.

To use diagnostic commands to view the routing table


# diag ip route list
tab=254 vf=0 scope=253 type=1 proto=2 prio=0 0.0.0.0/0.0.0.0/0->10.11.201.0/24 pref=10.11.201.4 gwy=0.0.0.0 dev=5(external1)
tab=254 vf=0 scope=253 type=1 proto=2 prio=0 0.0.0.0/0.0.0.0/0->172.20.120.0/24 pref=172.20.120.146 gwy=0.0.0.0 dev=6(internal)
The parts of the routing table entry are:
tab table number. This will be either 254 (unicast) or 255 (multicast).
vf virtual domain of the firewall. This is the vdom index number. If
vdoms are not enabled, this number will be 0.
type type of routing connection. Valid values include:
• 0 - unspecific
• 1 - unicast
• 2 - local
• 3 - broadcast
• 4 - anycast
• 5 - multicast
• 6 - blackhole
• 7 - unreachable
• 8 - prohibited
proto type of installation. This indicates where the route came from. Valid
values include:
• 0 - unspecific
• 2 - kernel
• 11 - ZebOS routing module
• 14 - FortiOS
• 15 - HA
• 16 - authentication based
• 17 - HA1
prio priority of the route. Lower priorities are preferred.
->10.11.201.0/24 the IP address and subnet mask of the destination
(->x.x.x.x/mask)
pref preferred next hop along this route
gwy gateway - the IPv4 address of the gateway this route will use
dev outgoing interface index. This number is associated with the
interface for this route, and if VDOMs are enabled the VDOM
will be included here as well. If an interface alias is set for this
interface it will also be displayed here.
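A parser for the diag ip route list line format and the type/proto code tables above, added here as an example and not Fortinet code. The first two sample lines follow the page's output; the last two (a routing-module default route and a blackhole route in VDOM index 1) are constructed only to exercise the code tables.

```python
"""Parse `diag ip route list` output and decode its numeric fields.
Added example, not Fortinet code; sample lines are constructed."""
import re
from dataclasses import dataclass
from typing import List

# type= and proto= code tables as listed in this section of the handbook
ROUTE_TYPES = {0: "unspecific", 1: "unicast", 2: "local", 3: "broadcast", 4: "anycast",
               5: "multicast", 6: "blackhole", 7: "unreachable", 8: "prohibited"}
ROUTE_PROTOS = {0: "unspecific", 2: "kernel", 11: "ZebOS routing module", 14: "FortiOS",
                15: "HA", 16: "authentication based", 17: "HA1"}

# Constructed sample: the first two lines follow the page's example; the last two are
# made up (a routing-module default route and a blackhole route in VDOM index 1)
# purely to exercise the code tables.
SAMPLE_DIAG_OUTPUT = """\
tab=254 vf=0 scope=253 type=1 proto=2 prio=0 0.0.0.0/0.0.0.0/0->10.11.201.0/24 pref=10.11.201.4 gwy=0.0.0.0 dev=5(external1)
tab=254 vf=0 scope=253 type=1 proto=2 prio=0 0.0.0.0/0.0.0.0/0->172.20.120.0/24 pref=172.20.120.146 gwy=0.0.0.0 dev=6(internal)
tab=254 vf=0 scope=0 type=1 proto=11 prio=0 0.0.0.0/0.0.0.0/0->0.0.0.0/0 pref=0.0.0.0 gwy=10.11.201.1 dev=5(external1)
tab=254 vf=1 scope=0 type=6 proto=11 prio=0 0.0.0.0/0.0.0.0/0->10.99.0.0/16 pref=0.0.0.0 gwy=0.0.0.0 dev=5(external1)
"""

KV_RE = re.compile(r"(\w+)=(\S+)")       # key=value tokens
DST_RE = re.compile(r"->(\S+)")          # "->x.x.x.x/mask" destination token
DEV_RE = re.compile(r"^(\d+)\((.*)\)$")  # "5(external1)" -> interface index and name


@dataclass
class KernelRoute:
    table: int          # tab: 254 unicast, 255 multicast
    vdom: int           # vf: VDOM index, 0 when VDOMs are disabled
    route_type: str     # decoded from type=
    proto: str          # decoded from proto= (where the route came from)
    priority: int       # prio: lower is preferred
    destination: str    # the part after "->"
    preferred_src: str  # pref
    gateway: str        # gwy
    dev_index: int      # dev index
    dev_name: str       # dev interface name (or alias) in parentheses


def parse_diag_route_line(line: str) -> KernelRoute:
    kv = dict(KV_RE.findall(line))
    dst = DST_RE.search(line)
    dev = DEV_RE.match(kv.get("dev", ""))
    if dst is None or dev is None:
        raise ValueError("unrecognised route line: " + line)
    return KernelRoute(
        table=int(kv["tab"]), vdom=int(kv["vf"]),
        route_type=ROUTE_TYPES.get(int(kv["type"]), "unknown(" + kv["type"] + ")"),
        proto=ROUTE_PROTOS.get(int(kv["proto"]), "unknown(" + kv["proto"] + ")"),
        priority=int(kv["prio"]), destination=dst.group(1),
        preferred_src=kv["pref"], gateway=kv["gwy"],
        dev_index=int(dev.group(1)), dev_name=dev.group(2))


def parse_diag_route_list(text: str) -> List[KernelRoute]:
    """Parse every route line; anything not starting with tab= is ignored."""
    return [parse_diag_route_line(l) for l in text.splitlines() if l.startswith("tab=")]


def routes_in_vdom(routes: List[KernelRoute], vdom: int) -> List[KernelRoute]:
    """The diag output lists every VDOM at once; pick one VDOM index out."""
    return [r for r in routes if r.vdom == vdom]


def discarding_routes(routes: List[KernelRoute]) -> List[KernelRoute]:
    """Routes whose type drops traffic instead of forwarding it."""
    return [r for r in routes if r.route_type in ("blackhole", "unreachable", "prohibited")]


if __name__ == "__main__":
    for r in parse_diag_route_list(SAMPLE_DIAG_OUTPUT):
        print(r.vdom, r.route_type, r.proto, r.destination, "gwy", r.gateway, "dev", r.dev_name)
```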

Searching the routing table


You can apply a filter to search the routing table and display certain routes only. For
example, you can display one or more static routes, connected routes, routes learned
through RIP, OSPF, or BGP, and routes associated with the network or gateway that you
specify.
If you want to search the routing table by route type and further limit the display according
to network or gateway, all of the values that you specify as search criteria must match
corresponding values in the same routing table entry in order for that entry to be displayed
— an implicit AND condition is applied to all of the search parameters you specify.
For example, if the FortiGate unit is connected to network 172.16.14.0/24 and you want to
display all directly connected routes to network 172.16.14.0/24, you must select
Connected from the Type list, type 172.16.14.0/24 in the Network field, and then select
Apply Filter to display the associated routing table entry or entries. Any entry that contains
the word “Connected” in its Type field and the specified value in the Gateway field will be
displayed.
In this example, you will apply a filter to search for an entry for a static route to
10.10.10.10/24.

To search the FortiGate unit routing table in the web-based manager


1 Go to Router > Monitor > Routing Monitor.
2 From the Type list, select the type of route to display. In our example, select Static.
3 If you want to display routes to a specific network, type the IP address and netmask of
the network in the Networks field. In our example, enter 10.10.10.10/24.
4 If you want to display routes to a specific gateway, type the IP address of the gateway
in the Gateway field.
5 Select Apply Filter.

Note: All of the values that you specify as search criteria must match corresponding values
in the same routing table entry in order for that entry to be displayed.

To search the FortiGate unit routing table in the CLI


FGT # get router info routing-table details 10.10.10.10
Routing entry for 10.10.10.10/24
Known via "static", distance 10, metric 0, best

If there are multiple routes that match your filter, they will all be listed, with the best match
at the top of the list as indicated by the word best.

Building the routing table


In the factory default configuration, the FortiGate unit routing table contains a single static
default route. You can add routing information to the routing table by defining additional
static routes.
It is possible that the routing table is faced with several different routes to the same
destination — the IP addresses of the next-hop router specified in those routes or the
FortiGate interfaces associated with those routes may vary. In this situation, the “best”
route is selected from the table.
The FortiGate unit selects the “best” route for a packet by evaluating the information in the
routing table. The “best” route to a destination is typically associated with the shortest
distance between the FortiGate unit and the closest gateway, also known as a next-hop
router. In some cases, the next best route may be selected if the best route is unavailable.
The FortiGate unit installs the best available routes in the unit’s forwarding table, which is
a subset of the unit’s routing table. Packets are forwarded according to the information in
the forwarding table.

Static routing security


Securing the information on your company network is a top priority for network
administrators. Security is also required as the routing protocols used are internationally
known standards that typically provide little or no inherent security by themselves.
The two reasons for securing your network are the sensitive and proprietary information
on your network, and also your external bandwidth. Hackers can steal not only your
information, but also your bandwidth. Routing is a good low-level way to
secure your network, even before UTM features are applied.
Routing provides security to your network in a number of ways including obscuring internal
network addresses with NAT and blackhole routing, using RPF to validate traffic sources,
and maintaining an access control list (ACL) to limit access to the network.
This section includes:
• Network Address Translation (NAT)
• Access Control List (ACL)
• Blackhole Route
• Reverse path lookup

Network Address Translation (NAT)


Network address translation (NAT) is a method of changing the address that traffic appears to
originate from. This practice is used to hide the IP addresses on a company’s internal
networks, and helps prevent malicious attacks that use those specific addresses.
This is accomplished by the router connected to that local network changing all the IP
addresses to its externally connected IP address before sending the traffic out to the other
networks, such as the Internet. Incoming traffic uses the established sessions to
determine which traffic goes to which internal IP address. This also has the benefit of
requiring only the router to be very secure against external attacks, instead of the whole
internal network as would be the case without NAT. Securing one computer is much
cheaper and easier to maintain.
Configuring NAT on your FortiGate unit includes the following steps.
1 Configure your internal network. For example use the 10.11.101.0 subnet.
2 Connect your internal subnet to an interface on your FortiGate unit. For example use
port1.
3 Connect your external connection, for example an ISP gateway of 172.20.120.2, to
another interface on your FortiGate unit, for example port2.
4 Configure firewall policies to allow traffic between port1 and port2 on your FortiGate
unit, ensuring that the NAT feature is enabled.
The above steps show that traffic from your internal network will originate on the
10.11.101.0 subnet and pass on to the 172.20.120.0 network. The FortiGate unit moves
the traffic to the proper subnet. In doing that, the traffic appears to originate from the
FortiGate unit interface on that subnet — it does not appear to originate from where it
actually came from.
NAT “hides” the internal network from the external network. This provides security through
obscurity. If a hacker tries to directly access your network, they will find the FortiGate unit,
but will not know about your internal network. The hacker would have to get past the
security-hardened FortiGate unit to gain access to your internal network. NAT will not
prevent hacking attempts that piggyback on valid connections between the internal
network and the outside world. However, other UTM security measures can deal with
these attempts.
Another security aspect of NAT is that many programs and services have problems with
NAT. Consider if someone on the Internet tries to initiate a chat with someone on the
internal network. The outsider can only access the FortiGate unit’s external interface
unless the firewall policy allows the traffic through to the internal network. If allowed in, the
proper internal user would respond to the chat. However, if it is not allowed, the request to
chat will be refused or time out. This is accomplished in the firewall policy by allowing or
denying different protocols.

Access Control List (ACL)


An access control list (ACL) is a table of addresses that have permission to send and
receive data over a router’s interface or interfaces. The router maintains an ACL, and
when traffic comes in on a particular interface it is buffered, while the router looks up in the
ACL if that traffic is allowed over that port or not. If it is allowed on that incoming interface,
then the next step is to check the ACL for the destination interface. If the traffic passes that
check as well, the buffered traffic is delivered to its destination. If either of those steps fails
the ACL check, the traffic is dropped and an error message may be sent to the sender.
The ACL ensures that traffic follows expected paths, and any unexpected traffic is not
delivered. This stops many network attacks. However, to be effective the ACL must be
kept up to date: when employees or computers are removed from the internal network,
their IP addresses must also be removed from the ACL. For more information on the ACL,
see the router chapter of the FortiGate CLI Reference.

Blackhole Route
A blackhole route is a route that drops all traffic sent to it. It is very much like /dev/null in
Linux programming.
Blackhole routes are used to dispose of packets instead of responding to suspicious
inquiries. This provides added security since the originator will not discover any
information from the target network.
Blackhole routes can also limit traffic on a subnet. If some subnet addresses are not in
use, traffic to those addresses (traffic which may be valid or malicious) can be directed to
a blackhole for added security and to reduce traffic on the subnet.
The loopback interface, a virtual interface that does not forward traffic, was added to
make blackhole routing easier to configure. Compared to a normal interface, the
loopback interface has fewer parameters to configure, and all traffic sent to it stops there.
Since it cannot have hardware connection or link status problems, it is always available,
which also makes it useful in other dynamic routing roles. Once configured, you can use a loopback
interface in firewall policies, routing, and other places that refer to interfaces. You
configure this feature only from the CLI. For more information, see the system chapter of
the FortiGate CLI Reference.

Reverse path lookup


Whenever a packet arrives at one of the FortiGate unit’s interfaces, the unit determines
whether the packet was received on a legitimate interface by doing a reverse lookup using
the source IP address in the packet header. This is also called anti-spoofing. If the
FortiGate unit cannot communicate with the computer at the source IP address through
the interface on which the packet was received, the FortiGate unit drops the packet as it is
likely a hacking attempt.
If the destination address can be matched to a local address (and the local configuration
permits delivery), the FortiGate unit delivers the packet to the local network. If the packet
is destined for another network, the FortiGate unit forwards the packet to a next-hop router
according to a policy route and the information stored in the FortiGate forwarding table.

Multipath routing and determining the best route


Multipath routing occurs when more than one entry to the same destination is present in
the routing table. When multipath routing happens, the FortiGate unit may have several
possible destinations for an incoming packet, forcing the FortiGate unit to decide which
next-hop is the best one.
It should be noted that some IP addresses will be rejected by routing protocols. These are
called Martian addresses. They are typically IP addresses that are invalid and not routable
because they have been assigned an address by a misconfigured system, or are spoofed
addresses.
Two methods to manually resolve multiple routes to the same destination are to lower the
administrative distance of one route or to set the priority of both routes. For the FortiGate
unit to select a primary (preferred) route, manually lower the administrative distance
associated with one of the possible routes. Setting the priority on the routes is a FortiGate
unit feature and may not be supported by non-Fortinet routers.
Administrative distance is based on the expected reliability of a given route. It is
determined through a combination of the number of hops from the source and the protocol
used. A hop is when traffic moves from one router to the next. More hops from the source
means more possible points of failure. The administrative distance can be from 1 to 255,
with lower numbers being preferred. A distance of 255 is seen as infinite and will not be
installed in the routing table.
Here is an example to illustrate how administrative distance works: if there are two
possible routes traffic can take between two destinations with administrative distances of
5 (always up) and 31 (sometimes not available), the traffic will use the route with an
administrative distance of 5. If for some reason the preferred route (administrative distance of 5)
is not available, the other route will be used as a backup.
Different routing protocols have different default administrative distances. These different
administrative distances are based on a number of factors of each protocol such as
reliability, speed, and so on. The default administrative distances for any of these routing
protocols are configurable.
Table 5: Default administrative distances for routing protocols and connections

Routing protocol             Default administrative distance
Direct physical connection   1
Static                       10
EBGP                         20
OSPF                         110
RIP                          120
IBGP                         200

Another method to determine the best route is to manually change the priority of both
routes in question. If the next-hop administrative distances of two routes on the FortiGate
unit are equal, it may not be clear which route the packet will take. Manually configuring
the priority for each of those routes will make it clear which next-hop will be used in the
case of a tie. The priority for a route can only be set from the CLI. Lower priorities are
preferred. Priority is a Fortinet value that may or may not be present in other brands of
routers.
All entries in the routing table are associated with an administrative distance. If the routing
table contains several entries that point to the same destination (the entries may have
different gateways or interface associations), the FortiGate unit compares the
administrative distances of those entries first, selects the entries having the lowest
distances, and installs them as routes in the FortiGate unit forwarding table. As a result,
the FortiGate unit forwarding table contains only those routes having the lowest distances
to every possible destination. While only static routing uses administrative distance as its
routing metric, other routing protocols such as RIP can use metrics that are similar to
administrative distance.
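The selection rule described above (longest prefix match, then lowest administrative distance, then priority) together with the reverse path lookup from the Static routing security section, as an added Python example that is not Fortinet code. It parses lines in the format of get router info routing-table all; the sample table, the priority default of 0 and the Martian source prefix list are constructed assumptions, and directly connected routes are given the Table 5 distance of 1.

```python
"""Route lookup, administrative-distance selection and reverse-path check over
routing-table text in the format of `get router info routing-table all`.
Added example, not Fortinet code; the sample table below is constructed."""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional

# Default administrative distances from Table 5 (connected = direct physical connection).
DEFAULT_DISTANCE = {"connected": 1, "static": 10, "ebgp": 20, "ospf": 110, "rip": 120, "ibgp": 200}

# Source prefixes that are never valid on the wire (Martian addresses). Constructed subset.
MARTIAN_SOURCES = [ipaddress.ip_network(p)
                   for p in ("0.0.0.0/8", "127.0.0.0/8", "224.0.0.0/4", "240.0.0.0/4")]

# Constructed sample table. 10.160.0.0/23 is reachable via BGP (distance 20)
# and via OSPF (distance 110), so the distance comparison decides between them.
SAMPLE_ROUTING_TABLE = """\
S*      0.0.0.0/0 [10/0] via 192.168.183.254, port2
S       1.0.0.0/8 [10/0] via 192.168.183.254, port2
C       10.142.0.0/23 is directly connected, port3
B       10.160.0.0/23 [20/0] via 10.142.0.74, port3, 2d18h02m
O       10.160.0.0/23 [110/20] via 10.142.0.75, port3, 1d00h00m
C       192.168.182.0/23 is directly connected, port2
"""

# code prefix [distance/metric] via gateway, interface[, age]  |  code prefix is directly connected, interface
ROUTE_RE = re.compile(
    r"^(?P<code>[A-Za-z]+\*?)\s+(?P<prefix>\S+)\s+"
    r"(?:\[(?P<dist>\d+)/(?P<metric>\d+)\]\s+via\s+(?P<gw>[^,\s]+),\s*(?P<dev>[^,\s]+)"
    r"(?:,\s*(?P<age>\S+))?"
    r"|is directly connected,\s*(?P<cdev>\S+))\s*$"
)


@dataclass
class Route:
    code: str                       # protocol letter from the Codes legend (S, C, B, O, ...)
    network: ipaddress.IPv4Network
    distance: int                   # administrative distance, lower is preferred
    metric: int
    gateway: Optional[str]          # None for directly connected networks
    interface: str
    priority: int = 0               # FortiGate tie-breaker, lower is preferred (assumed 0)


def parse_routing_table(text: str) -> List[Route]:
    """Parse route lines; the Codes legend and blank lines do not match and are skipped."""
    routes = []
    for line in text.splitlines():
        m = ROUTE_RE.match(line.strip())
        if not m:
            continue
        code = m.group("code").rstrip("*")          # "*" only marks the candidate default
        net = ipaddress.ip_network(m.group("prefix"))
        if m.group("cdev"):
            routes.append(Route(code, net, DEFAULT_DISTANCE["connected"], 0, None, m.group("cdev")))
        else:
            routes.append(Route(code, net, int(m.group("dist")), int(m.group("metric")),
                                m.group("gw"), m.group("dev")))
    return routes


def select_route(routes: List[Route], dst: str) -> Optional[Route]:
    """Longest prefix match first, then lowest administrative distance, then lowest
    priority. Routes still tied after that are equal-cost; the first installed wins here."""
    ip = ipaddress.ip_address(dst)
    candidates = [r for r in routes if ip in r.network]
    if not candidates:
        return None
    return min(candidates, key=lambda r: (-r.network.prefixlen, r.distance, r.priority))


def is_martian_source(src: str) -> bool:
    ip = ipaddress.ip_address(src)
    return any(ip in net for net in MARTIAN_SOURCES)


def rpf_check(routes: List[Route], src: str, ingress: str) -> bool:
    """Strict reverse path lookup: the packet passes only if the route back to its source
    leaves through the interface it arrived on. Martian sources are rejected before the
    lookup so that the default route cannot vouch for them."""
    if is_martian_source(src):
        return False
    route = select_route(routes, src)
    return route is not None and route.interface == ingress


if __name__ == "__main__":
    table = parse_routing_table(SAMPLE_ROUTING_TABLE)
    for dst in ("10.160.0.10", "1.2.3.4", "8.8.8.8"):
        r = select_route(table, dst)
        print(dst, "->", r.code, r.network, "distance", r.distance, "via", r.gateway, r.interface)
    for src, iface in (("10.160.0.10", "port3"), ("10.160.0.10", "port2"), ("127.0.0.1", "port2")):
        print("RPF", src, "on", iface, "->", "pass" if rpf_check(table, src, iface) else "drop")
```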


Troubleshooting static routing


When there are problems with your network that you believe to be static routing related,
there are a few basic tools available to locate the problem.
These tools include:
• Ping
• Traceroute
• Examine routing table contents
• Examine the firewall session list

Ping
The ping command sends a very small packet to the destination, and waits for a response.
The response has a timer that may expire, indicating the destination is unreachable. The
behavior of ping is very much like a sonar ping from a submarine, where the command
gets its name.
Ping is part of Layer-3 on the OSI Networking Model. Ping sends Internet Control
Message Protocol (ICMP) “echo request” packets to the destination, and listens for “echo
response” packets in reply. However, many public networks block ICMP packets because
ping can be used in a denial of service (DoS) attack (such as Ping of Death or a smurf
attack), or by an attacker to find active locations on the network. By default, FortiGate units
have ping enabled and broadcast-forward is disabled on the external interface.

What ping can tell you


Beyond the basic connectivity information, ping can tell you the amount of packet loss (if
any), how long it takes the packet to make the round trip, and the variation in that time
from packet to packet.
If there is no packet loss detected, your basic network connectivity is OK.
If there is some packet loss detected, you should investigate:
• possible ECMP, split horizon, network loops
• cabling to ensure no loose connections

If there is total packet loss, you should investigate:
• hardware - ensure cabling is correct, and all equipment between the two locations is
accounted for
• addresses and routes - ensure all IP addresses and routing information along the route
is configured as expected
• firewalls - ensure all firewalls are set to allow PING to pass through

How to use ping


Ping syntax is the same for nearly every type of system on a network.

To ping from a Windows PC


1 Go to a DOS prompt. Typically you go to Start > Run, enter cmd, and select OK.
2 Enter ping 10.11.101.100 to ping the internal interface of the FortiGate unit with
four packets. If your FortiGate unit is configured with a different IP address use it
instead.
Other ping options include:
• -t to send packets until you press “Control-C”
• -a to resolve addresses to domain names where possible
• -n X to send X ping packets and stop
Output appears as:
C:\>ping 10.11.101.101

Pinging 10.11.101.101 with 32 bytes of data:

Reply from 10.11.101.101: bytes=32 time=10ms TTL=255
Reply from 10.11.101.101: bytes=32 time<1ms TTL=255
Reply from 10.11.101.101: bytes=32 time=1ms TTL=255
Reply from 10.11.101.101: bytes=32 time=1ms TTL=255

Ping statistics for 10.11.101.101:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 0ms, Maximum = 10ms, Average = 3ms

To ping from a Linux PC


1 Go to a command line prompt.
2 Enter “/bin/etc/ping 10.11.101.101”.

Output appears as:

To ping from a FortiGate unit


1 Connect to the CLI either through telnet or through the CLI widget on the web-based
manager dashboard.
2 Enter exec ping 10.11.101.101 to send 5 ping packets to the destination. There
are no options.
Output appears as:
Head_Office_620b # exec ping 10.11.101.101
PING 10.11.101.101 (10.11.101.101): 56 data bytes
64 bytes from 10.11.101.101: icmp_seq=0 ttl=255 time=0.3 ms
64 bytes from 10.11.101.101: icmp_seq=1 ttl=255 time=0.2 ms
64 bytes from 10.11.101.101: icmp_seq=2 ttl=255 time=0.2 ms
64 bytes from 10.11.101.101: icmp_seq=3 ttl=255 time=0.2 ms
64 bytes from 10.11.101.101: icmp_seq=4 ttl=255 time=0.2 ms

--- 10.11.101.101 ping statistics ---


5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max = 0.2/0.2/0.3 ms

Traceroute
Where ping will only tell you if it reached its destination and came back successfully,
traceroute will show each step of its journey to its destination and how long each step
takes. If ping finds an outage between two points, traceroute can be used to locate exactly
where the problem is.


What is traceroute
Traceroute works by sending probe packets toward the destination with an increasing time
to live (TTL). It sends three probes with a TTL of 1, then three with a TTL of 2, and so on,
so each round of probes travels one hop farther along the route. Each router that
decrements the TTL to zero discards the probe and returns an ICMP Time Exceeded message
(type 11), which is how that hop is identified; when a probe finally reaches the
destination, the destination itself answers. This is the reason why most traceroute
commands display their maximum hop count before they start tracing the route: that is the
largest TTL they will try before declaring the destination unreachable. A hop can also
show up as a timeout (*) because it answers slowly, rate-limits its ICMP errors, or never
sends them, while still forwarding traffic normally, so a single silent hop is not by itself
proof of an outage.
Traceroute on Unix-like systems by default uses UDP datagrams with destination ports
numbered from 33434 to 33534, and usually has an option (-I on Linux) to send ICMP
echo requests (type 8) instead, which is what the Windows tracert utility always uses. If
you want traceroute to work through a FortiGate unit from both kinds of machine, your
firewall policies must allow both kinds of probe (UDP to ports 33434 to 33534 and ICMP
type 8) and must not block the ICMP replies that come back (Time Exceeded, type 11, and
Destination Unreachable, type 3, along with echo reply, type 0).

How do you use traceroute


The traceroute command varies slightly between operating systems. Note that in MS
Windows the command name is shortened to “tracert”. Also note that your output will
list different domain names and IP addresses along your route.

To use traceroute on an MS Windows PC


1 Go to a DOS prompt. Typically you go to Start > Run, enter “cmd” and select OK.
2 Enter “tracert fortinet.com” to trace the route from the PC to the Fortinet
website.
Output will appear as:
C:\>tracert fortinet.com

Tracing route to fortinet.com [208.70.202.225]


over a maximum of 30 hops:
1 <1 ms <1 ms <1 ms 172.20.120.2
2 66 ms 24 ms 31 ms 209-87-254-xxx.storm.ca [209.87.254.221]
3 52 ms 22 ms 18 ms core-2-g0-0-1104.storm.ca [209.87.239.129]
4 43 ms 36 ms 27 ms core-3-g0-0-1185.storm.ca [209.87.239.222]
5 46 ms 21 ms 16 ms te3-x.1156.mpd01.cogentco.com [38.104.158.69]
6 25 ms 45 ms 53 ms te8-7.mpd01.cogentco.com [154.54.27.249]
7 89 ms 70 ms 36 ms te3-x.mpd01.cogentco.com [154.54.6.206]
8 55 ms 77 ms 58 ms sl-st30-chi-.sprintlink.net [144.232.9.69]
9 53 ms 58 ms 46 ms sl-0-3-3-x.sprintlink.net [144.232.19.181]
10 82 ms 90 ms 75 ms sl-x-12-0-1.sprintlink.net [144.232.20.61]
11 122 ms 123 ms 132 ms sl-0-x-0-3.sprintlink.net [144.232.18.150]
12 129 ms 119 ms 139 ms 144.232.20.7
13 172 ms 164 ms 243 ms sl-321313-0.sprintlink.net [144.223.243.58]
14 99 ms 94 ms 93 ms 203.78.181.18
15 108 ms 102 ms 89 ms 203.78.176.2
16 98 ms 95 ms 97 ms 208.70.202.225

Trace complete.

The first, or leftmost, column is the hop count, which by default stops at 30 hops (the
maximum announced at the start of the trace).
The second, third, and fourth columns are how long each of the three packets takes to
reach this stage of the route. These values are in milliseconds and normally vary quite a
bit. Typically a value of “<1ms” indicates a local connection.


The fifth, or rightmost column, is the domain name of that device and its IP address or
possibly just the IP address.

To perform a traceroute on a Linux PC


1 Go to a command line prompt.
2 Enter traceroute fortinet.com. Add the -I option to send ICMP echo requests instead
of UDP probes when UDP is blocked somewhere along the path.
The Linux traceroute output is very similar to the MS Windows traceroute output.
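To turn a trace into a finding, a practitioner usually wants two numbers: the last hop that
answered and the first hop that went silent after it. The following Python script is an
added example and is not part of the FortiOS Handbook. It parses hop lines from both
Windows tracert and Linux traceroute output and reports those two hops. The sample
outputs embedded in it are constructed so that the script runs offline: the Windows one is
the trace above, shortened, with invented timeouts at hops 5 and 6; the Linux one is made
up.

```python
"""Parse traceroute/tracert output and report where replies stop.
Added example, not from the FortiOS Handbook; the sample outputs below are
constructed (shortened, with invented timeouts) to show an outage."""
import re

# One probe result: "<1 ms", "66 ms", "46.123 ms" or "*" (no reply).
# The look-arounds stop digits inside host names (te3-x.1156.mpd01...) from matching.
PROBE = re.compile(r"(?<![\w.\-])<?\d+(?:\.\d+)?\s*ms(?![\w.\-])|\*")
HOP = re.compile(r"^\s*(\d+)\s+(.*)$")


def parse_hop(line):
    """Return {'hop', 'rtts', 'target'} for a hop line, else None.
    Works for Windows tracert (probes before the host) and Linux traceroute
    (host before the probes). RTTs are in ms; None means '*' (no reply);
    '<1 ms' is recorded as 1.0, an upper bound."""
    m = HOP.match(line)
    if not m:
        return None
    probes = PROBE.findall(m.group(2))
    if len(probes) != 3:            # banner, blank or footer line
        return None
    rtts = [None if p == "*" else float(p.lstrip("<").rstrip("ms").strip())
            for p in probes]
    target = PROBE.sub("", m.group(2)).replace("Request timed out.", "").strip()
    return {"hop": int(m.group(1)), "rtts": rtts, "target": target or None}


def analyze(text):
    """Summarise a trace: last hop that answered and first silent hop after it."""
    hops = [h for h in map(parse_hop, text.splitlines()) if h]
    answered = [h["hop"] for h in hops if any(r is not None for r in h["rtts"])]
    silent = [h["hop"] for h in hops if all(r is None for r in h["rtts"])]
    last_ok = max(answered) if answered else None
    # The first silent hop after the last reply is where to start looking. A hop
    # that drops or rate-limits ICMP but forwards traffic also looks silent, so
    # confirm with a ping to the final destination before blaming that hop.
    after = [n for n in silent if last_ok is None or n > last_ok]
    return {"hops": len(hops), "last_responding": last_ok,
            "first_silent": min(after) if after else None,
            "silent_hops": silent}


# Constructed sample: the tracert output above, cut short, with invented timeouts.
WINDOWS_SAMPLE = """\
Tracing route to fortinet.com [208.70.202.225]
over a maximum of 30 hops:

  1    <1 ms    <1 ms    <1 ms  172.20.120.2
  2    66 ms    24 ms    31 ms  209-87-254-xxx.storm.ca [209.87.254.221]
  3    52 ms    22 ms    18 ms  core-2-g0-0-1104.storm.ca [209.87.239.129]
  4    43 ms    36 ms    27 ms  core-3-g0-0-1185.storm.ca [209.87.239.222]
  5     *        *        *     Request timed out.
  6     *        *        *     Request timed out.

Trace complete.
"""

# Constructed sample in Linux traceroute format, with one lost probe at hop 2.
LINUX_SAMPLE = """\
traceroute to 10.11.101.101 (10.11.101.101), 30 hops max, 60 byte packets
 1  172.20.120.2 (172.20.120.2)  0.512 ms  0.430 ms  0.401 ms
 2  10.11.101.100 (10.11.101.100)  1.204 ms  *  1.150 ms
 3  10.11.101.101 (10.11.101.101)  1.900 ms  1.870 ms  1.801 ms
"""

if __name__ == "__main__":
    print(analyze(WINDOWS_SAMPLE))   # last_responding 4, first_silent 5
    print(analyze(LINUX_SAMPLE))     # last_responding 3, first_silent None
```

Feed it the saved output of a trace (for example python3 trace.py < trace.txt after
changing the main block to read stdin) and compare the reported first silent hop with the
hop list in your network plan.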

Examine routing table contents


The first place to look for information is the routing table.
The routing table holds the routes currently in use: connected subnets, static routes, and
the best routes learned by dynamic routing protocols. Separately, the FortiGate unit keeps
a route cache of recent lookups, which saves the time and resources of a full lookup for
destinations seen recently; when the cache is full, the least recently used entry is
replaced, so the most recently used routes stay cached. Note that if your FortiGate unit is
in Transparent mode, you are unable to perform this step.
If the FortiGate is running in NAT mode, verify that all desired routes are in the routing
table: local subnets, default routes, specific static routes, and routes learned by dynamic
routing protocols.
To check the routing table in the web-based manager, use the Routing Monitor: go to
System > Routing > Monitor. In the CLI, use the command
get router info routing-table all. For more information on routing tables, see
“Routing table” on page 20.

Examine the firewall session list


One further step is to examine the firewall session list. When examining the firewall
session list in the CLI, filters may be used to reduce the output. In the web-based
manager, the filters are part of the interface.

To examine the firewall session list in the web-based manager


1 Go to System > Status > Dashboard > Top Sessions.
2 Select Detach, and then Details.
3 Expand the session window to full screen to display the information.
4 Change filters, view associated firewall policy, column ordering, and so on to analyze
the sessions in the table.
5 Select the delete icon to terminate the session.

To examine the firewall session list in the CLI


In the CLI, you first set up a filter and then list the sessions, so that you see only the
sessions that matter to you. In the following examples PC1 stands for the IP address of
that host. The first pair of commands creates a filter to see all sessions with a source of
PC1. The second pair of commands creates a filter to see all sessions with a destination
of PC1.

FGT# diag sys session filter src PC1
FGT# diag sys session list
or
FGT# diag sys session filter dst PC1
FGT# diag sys session list

A filter stays in effect for the rest of your CLI session. Enter diag sys session filter
on its own to display the current filter, and diag sys session filter clear to remove it.


To clear all sessions corresponding to a filter

FGT# diag sys session filter dst PC1
FGT# diag sys session clear

Caution: diag sys session clear removes every session that matches the current filter. If
no filter is set it removes every session on the unit (or on the current VDOM), interrupting
all established traffic. Check the filter with diag sys session filter before you clear,
and run diag sys session filter clear afterwards so that a stale filter does not affect
later commands.

Static routing tips


When your network goes beyond basic static routing, here are some tips to help you plan
and manage your static routing.

Always configure a default route


The first thing configured on a router on your network should be the default route. And
where possible the default routes should point to either one or very few gateways. This
makes it easier to locate and correct problems in the network. By comparison, if one router
uses a second router as its gateway, which in turn uses a third, and so on, one failure in
that chain will appear as an outage for all the devices downstream. By using one
or very few addresses as gateways, if there is an outage on the network it will either be
very localized or network-wide — either is easy to troubleshoot.

Have an updated network plan


A network plan lists the different subnets, user groups, and servers. Essentially it puts
all your resources on the network, and shows how the parts of your network are
connected. Keeping your plan updated will also help you troubleshoot problems more
quickly when they arise.
The Fortinet Technical Documentation team has an example network configuration that is
used for example networks in FortiOS documentation. It is outlined in the Introduction and
includes a network diagram.
A network plan helps your static routing by eliminating potential bottlenecks, and helping
troubleshoot any routing problems that come up.

Plan for expansion


No network remains the same size. At some time, all networks grow. If you take future
growth into account, there will be less disruption to your existing network when that growth
happens. For example allocating a block of addresses for servers can easily prevent
having to re-assign IP addresses to multiple servers due to a new server.
With static routing, if you group parts of your network properly you can easily use network
masks to address each part of your network separately. This will reduce the amount of
administration required both to maintain the routing, and to troubleshoot any problems.

Configure as much security as possible


Securing your network through routing is a good low-level way to defend both your
important information and your network bandwidth. Simply implementing NAT is a big step.
Using black hole routes for unused address space, so that traffic to it is dropped rather
than forwarded to your default gateway, helps too. Firewall policies used as access control
lists (ACLs), permitting only the sources, destinations and services that should be in use,
complete the picture. All three features limit access to the people who should be using
your network.
If you have these routing security features in place from the beginning, users will not
notice them, as they would if the features were implemented at a later date.


ECMP route failover and load balancing


Equal Cost Multi-Path (ECMP) load balancing and failover are methods that extend basic
static routing. They allow you to use your network bandwidth more effectively, with less
downtime than basic static routing alone.
The concepts in this section include:
• Route priority
• Equal-Cost Multi-Path (ECMP)
• Configuring spill-over or usage-based ECMP
• Configuring weighted static route load balancing

Route priority
After the FortiGate unit selects static routes for the forwarding table based on their
administrative distances, the priority field of those routes determines routing preference.
Priority is a Fortinet value that may or may not be present in other brands of routers.
You can only configure the priority field through the CLI. Priority values can range from 0
to 255. The route with the lowest value in the priority field is considered the best route, and
it is also the primary route.
For example, use the following command to set a priority of 5 on a route to the host
address 10.10.10.1 through the gateway 10.10.10.10 on the port1 interface. Sequence
number 1 is used here; choose an unused sequence number so that you do not overwrite an
existing static route.
config router static
edit 1
set device port1
set gateway 10.10.10.10
set dst 10.10.10.1 255.255.255.255
set priority 5
end
If there are other routes to the same destination, at the same distance, with priority 10,
this route will be preferred. If there are such routes with a priority lower than 5, those
routes will be preferred instead.
In summary, because you can use the CLI to specify which sequence numbers or priority
field settings to use when defining static routes, you can prioritize routes to the same
destination according to their priority field settings. For a static route to be the preferred
route, you must create the route using the config router static CLI command and
specify a low priority for the route. If two routes have the same administrative distance and
the same priority, then they are equal cost multipath (ECMP) routes.
Since this means there is more than one route to the same destination, it can be confusing
which route or routes to install and use. However, if you have enabled load balancing with
ECMP routes, then different sessions will resolve this problem by using different routes to
the same address.

Equal-Cost Multi-Path (ECMP)


FortiOS uses equal-cost multi-path (ECMP) to distribute traffic to the same destination
such as the Internet or another network. Using ECMP you can add multiple routes to the
destination and give each of those routes the same distance and priority.


Note: If multiple routes to the same destination have the same priority but different
distances, the route with the lowest distance is used. If multiple routes to the same
destination have the same distance but different priorities, the route with the lowest priority
is used. Distance takes precedence over priority. If multiple routes to the same destination
have different distances and different priorities, the route with the lowest distance is always
used even if it has the highest priority.

Using ECMP, if more than one ECMP route is available you can configure how the
FortiGate unit selects the route to be used for a communication session. If only one ECMP
route is available (for example, because an interface cannot process traffic because
interface status detection does not receive a reply from the configured server) then all
traffic uses this route.
Previous versions of FortiOS provided source IP-based load balancing for ECMP routes,
but now FortiOS includes three configuration options for ECMP route failover and load
balancing:

Source based (also called source IP based)
The FortiGate unit load balances sessions among ECMP routes based on the source IP
address of the sessions to be load balanced. This is the default load balancing method.
No configuration changes are required to support source IP load balancing.

Weighted (also called weight-based)
The FortiGate unit load balances sessions among ECMP routes based on weights added to
ECMP routes. More traffic is directed to routes with higher weights. After selecting
weight-based you must add weights to static routes.

Spill-over (also called usage-based)
The FortiGate unit distributes sessions among ECMP routes based on how busy the
FortiGate interfaces added to the routes are. After selecting spill-over you add route
Spillover Thresholds to interfaces added to ECMP routes. The FortiGate unit sends all
ECMP-routed sessions to the lowest numbered interface until the bandwidth being
processed by this interface reaches its spillover threshold. The FortiGate unit then spills
additional sessions over to the next lowest numbered interface. The Spillover Threshold
range is 0-2097000 KBps.

You can configure only one of these ECMP route failover and load balancing methods in a
single VDOM. If your FortiGate unit is configured for multiple VDOM operation, each
VDOM can have its own ECMP route failover and load balancing configuration.

To configure the ECMP route failover and load balancing method from the
web-based manager
1 Go to Router > Static > Static Route.
2 Set ECMP Route failover & Load Balance Method to source based, weighted, or
spill-over.
3 Select Apply.

To configure the ECMP route failover and load balancing method from the CLI
Enter the following command:
config system settings
set v4-ecmp-mode {source-ip-based | usage-based | weight-based}
end


ECMP routing of simultaneous sessions to the same destination IP address
When the FortiGate unit selects an ECMP route for a session, a route cache is created
that matches the route with the destination IP address of the session. All new sessions to
the same destination IP address use the same route until the route is flushed from the
cache. Routes are flushed from the cache after a period of time when no new sessions to
the destination IP address are received.
The route cache improves FortiGate unit routing performance by reducing how often the
FortiGate unit looks up routes in the routing table.
If the FortiGate unit receives a large number of sessions with the same destination IP
address, because all of these sessions will be processed by the same route, it may appear
that sessions are not distributed according to the ECMP route failover and load balancing
configuration.

Configuring spill-over or usage-based ECMP


Spill-over or usage-based ECMP routes new sessions to interfaces that have not reached
a configured bandwidth limit (called the Spillover Threshold or a route-spillover threshold).
To configure spill-over or usage-based ECMP routing, you enable spill-over ECMP, add
ECMP routes, and add a Spillover Threshold to the interfaces used by the ECMP routes.
Set the Spillover Thresholds to limit the amount of bandwidth processed by each interface.
With spill-over ECMP routing configured, the FortiGate unit routes new sessions to an
interface used by an ECMP route until that interface reaches its Spillover Threshold. Then,
when the threshold of that interface is reached, new sessions are routed to one of the
other interfaces used by the ECMP routes.

To add Spillover Thresholds to interfaces from the web-based manager


Use the following steps to enable usage-based ECMP routing, add ECMP routes with device
set to port3 and port4, and then add Spillover Thresholds to FortiGate interfaces port3
and port4.
1 Go to Router > Static > Static Route.
2 Set ECMP Route failover & Load Balance Method to usage-based and select Apply.
3 On the same page, add ECMP routes for port3 and port4. Both routes need the same
distance (and the same priority), otherwise they are not ECMP routes.

Destination IP/Mask  192.168.20.0/24
Device               port3
Gateway              172.20.130.3
Distance             10

Destination IP/Mask  192.168.20.0/24
Device               port4
Gateway              172.20.140.4
Distance             10

4 Go to System > Network > Interface.
5 Edit port3 and port4 and add the following Spillover Thresholds:

Interface                   port3
Spillover Threshold (KBps)  100


Interface                   port4
Spillover Threshold (KBps)  200

Detailed description of how spill-over ECMP selects routes


When you add ECMP routes they are added to the routing table in the order displayed by
the routing monitor or by the get router info routing-table static command.
This order is independent of the configured bandwidth limit.
The FortiGate unit selects an ECMP route for a new session by finding the first route in the
routing table that sends the session out a FortiGate unit interface that is not processing
more traffic than its configured route spill-over limit.

Note: A new session to a destination IP address that already has an entry in the routing
cache is routed using the route already added to the cache for that destination address.
See “ECMP routing of simultaneous sessions to the same destination IP address” on
page 36.

For example, consider a FortiGate unit with interfaces port3 and port4 both connected to
the Internet through different ISPs. ECMP routing is set to usage-based and the Spillover
Thresholds are set to 100 KBps for port3 and 200 KBps for port4. Two ECMP default routes
are added, one for port3 and one for port4.
If the route to port3 is higher in the routing table than the route to port4, the FortiGate unit
sends all default route sessions out port3 until port3 is processing 100 KBps of data.
When port3 reaches its configured bandwidth limit, the FortiGate unit sends all new default
route sessions out port4. When the bandwidth usage of port3 falls below 100 KBps, the
FortiGate again sends all new default route sessions out port3.
New sessions to destination IP addresses that are already in the routing cache, however,
use the cached routes. This means that even if port3 is exceeding its bandwidth limit, new
sessions can continue to be sent out port3 if their destination addresses are already in the
routing cache. As a result, new sessions are sent out port4 only if port3 exceeds its
bandwidth limit and the routing cache does not contain a route for the destination IP
address of the new session.
Also, the switch over to port4 does not occur as soon as port3 exceeds its bandwidth limit.
Bandwidth usage has to exceed the limit for a period of time before the switch over takes
place. If port3 bandwidth usage drops below the bandwidth limit during this time period,
sessions are not switched over to port4. This delay reduces route flapping.
FortiGate usage-based ECMP routing is not actually load balancing, since routes are not
distributed evenly among FortiGate interfaces. Depending on traffic volumes, most traffic
would usually be processed by the first interface with only spillover traffic being processed
by other interfaces.
If you are configuring usage-based ECMP in most cases you should add spillover
thresholds to all of the interfaces with ECMP routes. The default spillover threshold is 0
which means no bandwidth limiting. If any interface has a spillover threshold of 0, no
sessions will be routed to interfaces lower in the list unless the interface goes down or is
disconnected. An interface can go down if Detect interface status for Gateway Load
Balancing does not receive a response from the configured server.

Determining if an interface has exceeded its Spillover Threshold


You can use the diagnose netlink dstmac list CLI command to determine if an
interface is exceeding its Spillover Threshold. If the command displays over_bps=1 the
interface is exceeding its threshold. If over_bps=0 the interface has not exceeded its
threshold.


Configuring weighted static route load balancing


Configure weighted load balancing to control how the FortiGate unit distributes sessions
among ECMP routes by adding weights for each route. Add higher weights to routes that
you want to load balance more sessions to.
With the ECMP load balancing method set to weighted, the FortiGate unit distributes
sessions with different destination IPs by generating a random value to determine the
route to select. The probability of selecting one route over another is based on the weight
value of each route. Routes with higher weights are more likely to be selected.
Large numbers of sessions are distributed among ECMP routes in proportion to the route
weight values. If all weights are the same, sessions are distributed evenly. The
distribution of a small number of sessions, however, may not be even. For example, it is
possible that with two ECMP routes of the same weight, two sessions to different IP
addresses both use the same route. On the other hand, 10,000 sessions with different
destination IPs should be load balanced almost evenly between two routes with equal
weights; the distribution could be 5000:5000 or 5001:4999. Similarly, 10,000 sessions
with different destination IP addresses should be distributed close to 3333:6667 if the
weights for the two routes are 100 and 200.
Weights only affect how routes are selected for sessions to new destination IP addresses.
New sessions to IP addresses already in the routing cache are routed using the route for
the session already in the cache. So in practice sessions will not always be distributed
according to the routing weight distribution.

To add weights to static routes from the web-based manager


1 Go to Router > Static > Static Route.
2 Set ECMP Route failover & Load Balance Method to weighted and select Apply.
3 On the same page, add new or edit existing static routes and add weights to them.
The following example shows two ECMP routes with weights added.

Destination IP/Mask  192.168.20.0/24
Device               port1
Gateway              172.20.110.1
Distance             10
Weight               100

Destination IP/Mask  192.168.20.0/24
Device               port2
Gateway              172.20.120.2
Distance             10
Weight               200
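The selection rules described in this section (distance first, then priority, then the
configured ECMP method among the survivors, with the destination route cache and the
spill-over threshold check) can be exercised with a short simulation. The following Python
module is an added example and not FortiOS code: it implements the rules as this chapter
describes them, using the weighted routes and the spill-over thresholds from the
procedures above. The destination addresses it generates, the fixed random seed, the
source-ip-based hash, and the choice to stay on the last route when every interface is over
its threshold are assumptions made for the example; the delay a real unit applies before
spilling over, to avoid flapping, is not modelled.

```python
"""Simulate FortiOS static-route selection for one destination: distance first,
then priority, then the configured ECMP method among the survivors, with the
destination-IP route cache that makes later sessions to a known address reuse
the cached route. Added example, not FortiOS code; the behaviour follows this
chapter's description, and the addresses, seed and full-interface fallback are
assumptions made for the example."""
import ipaddress
import random
from collections import Counter


def candidate_routes(routes):
    """Routes that survive comparison by distance, then by priority.
    More than one survivor means the survivors are ECMP routes."""
    best_distance = min(r["distance"] for r in routes)
    at_distance = [r for r in routes if r["distance"] == best_distance]
    best_priority = min(r["priority"] for r in at_distance)
    return [r for r in at_distance if r["priority"] == best_priority]


class EcmpSelector:
    """Route selection for new sessions plus the destination-IP route cache."""

    def __init__(self, routes, mode, spillover_kbps=None, seed=0):
        self.routes = candidate_routes(routes)       # kept in routing-table order
        self.mode = mode                              # source-ip-based | weight-based | usage-based
        self.spillover_kbps = spillover_kbps or {}    # interface -> threshold; 0 = no limit
        self.usage_kbps = {r["device"]: 0 for r in self.routes}
        self.cache = {}                               # destination IP -> chosen route
        self.rng = random.Random(seed)                # fixed seed: assumption, for repeatability

    def set_usage(self, device, kbps):
        """Bandwidth the interface is currently processing."""
        self.usage_kbps[device] = kbps

    def flush_cache(self):
        """What the unit does once a destination has been idle long enough."""
        self.cache.clear()

    def _pick(self, src):
        if len(self.routes) == 1:
            return self.routes[0]
        if self.mode == "weight-based":
            # Random draw with probability proportional to each route's weight.
            weights = [r["weight"] for r in self.routes]
            return self.rng.choices(self.routes, weights=weights, k=1)[0]
        if self.mode == "usage-based":
            # First route, in table order, whose interface is under its threshold.
            # A threshold of 0 never counts as full, so nothing spills past it.
            for r in self.routes:
                limit = self.spillover_kbps.get(r["device"], 0)
                if limit == 0 or self.usage_kbps[r["device"]] < limit:
                    return r
            return self.routes[-1]   # assumption: every interface full, stay on the last one
        # source-ip-based: a deterministic function of the source address (assumed hash)
        return self.routes[int(ipaddress.ip_address(src)) % len(self.routes)]

    def select(self, src, dst):
        """Route for a new session. A cached destination reuses its route whatever
        the ECMP method or the current interface usage would otherwise choose."""
        if dst not in self.cache:
            self.cache[dst] = self._pick(src)
        return self.cache[dst]


def distribute(selector, n_sessions, src="10.11.101.20"):
    """Sessions per outgoing interface for n_sessions distinct destinations."""
    counts = Counter()
    base = ipaddress.ip_address("172.16.0.0")   # constructed destination range
    for i in range(n_sessions):
        counts[selector.select(src, str(base + i))["device"]] += 1
    return dict(counts)


# The weighted example from this chapter: port1 weight 100, port2 weight 200.
WEIGHTED_ROUTES = [
    {"dst": "192.168.20.0/24", "device": "port1", "gateway": "172.20.110.1",
     "distance": 10, "priority": 0, "weight": 100},
    {"dst": "192.168.20.0/24", "device": "port2", "gateway": "172.20.120.2",
     "distance": 10, "priority": 0, "weight": 200},
]
# The spill-over example: port3 threshold 100 KBps, port4 threshold 200 KBps.
SPILLOVER_ROUTES = [
    {"dst": "192.168.20.0/24", "device": "port3", "gateway": "172.20.130.3",
     "distance": 10, "priority": 0, "weight": 0},
    {"dst": "192.168.20.0/24", "device": "port4", "gateway": "172.20.140.4",
     "distance": 10, "priority": 0, "weight": 0},
]
SPILLOVER_THRESHOLDS = {"port3": 100, "port4": 200}

if __name__ == "__main__":
    print(distribute(EcmpSelector(WEIGHTED_ROUTES, "weight-based"), 10000))
```

Run it and the weighted count comes out close to 3333:6667; then call select() twice for
the same destination with port3 pushed over its threshold in between to see the cache
override the spill-over decision until flush_cache() is called.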


Policy Routing
Policy routing allows you to redirect traffic away from a static route. This can be useful if
you want to route certain types of network traffic differently. You can use incoming traffic’s
protocol, source address or interface, destination address, or port number to determine
where to send the traffic. For example, generally network traffic would go to the router of a
subnet, but you might want to direct SMTP or POP3 traffic directly to the mail server on
that subnet.
If you have configured the FortiGate unit with routing policies and a packet arrives at the
FortiGate unit, the FortiGate unit starts at the top of the Policy Route list and attempts to
match the packet with a policy. If a match is found and the policy contains enough
information to route the packet (a minimum of the IP address of the next-hop router and
the FortiGate interface for forwarding packets to it), the FortiGate unit routes the packet
using the information in the policy. If no policy route matches the packet, the FortiGate unit
routes the packet using the routing table.

Note: Most policy settings are optional, so a matching policy alone might not provide
enough information for forwarding the packet. The FortiGate unit may refer to the routing
table in an attempt to match the information in the packet header with a route in the routing
table. For example, if the outgoing interface is the only item in the policy, the FortiGate unit
looks up the IP address of the next-hop router in the routing table. This situation could
happen when the interfaces are dynamic (such as DHCP or PPPoE) and you do not want
or are unable to specify the IP address of the next-hop router.

Policy route options define which attributes of an incoming packet cause policy routing to
occur. If the attributes of a packet match all the specified conditions, the FortiGate unit
routes the packet through the specified interface to the specified gateway.
Table 6 shows the policy route list belonging to a FortiGate unit that has interfaces named
external and internal. The names of the interfaces on your FortiGate unit may be
different.
To edit an existing policy route, see “Adding a policy route” on page 39.
Table 6: Policy Routing list fields
Create New Add a policy route. See “Adding a policy route” on page 39.
# The ID numbers of configured route policies. These numbers are sequential
unless policies have been moved within the table.
Incoming The interfaces on which packets subjected to route policies are received.
Outgoing The interfaces through which policy routed packets are routed.
Source The IP source addresses and network masks that cause policy routing to occur.
Destination The IP destination addresses and network masks that cause policy routing to
occur.
Delete icon Delete a policy route.
Edit icon Edit a policy route.
Move To icon After selecting this icon, enter the destination position in the window that
appears, and select OK.
For more information, see “Moving a policy route” on page 41.

Adding a policy route


To add a policy route, go to Router > Static > Policy Route and select Create New.
For more information on Type of Service, see “Type of Service” on page 40.


Table 7 shows the New Routing Policy dialog box belonging to a FortiGate unit that has
interfaces named external and internal. The names of the interfaces on your
FortiGate unit may be different.
Table 7: New Routing Policy fields
Protocol To perform policy routing based on the value in the protocol field of the
packet, enter the protocol number to match. The Internet Protocol Number is
found in the IP packet header. RFC 5237 describes how protocol numbers are
allocated, and the assigned numbers are listed in the IANA Protocol Numbers
registry. The range is from 0 to 255. A value of 0 disables the feature.
Tip: Commonly used Protocol settings include 6 to route TCP sessions, 17
for UDP sessions, 1 for ICMP sessions, 47 for GRE sessions, and 92 for MTP
(Multicast Transport Protocol) sessions.
For protocols other than 6 and 17, the port number is ignored.
Incoming Interface Select the name of the interface through which incoming packets subjected to
the policy are received.
Source Address / To perform policy routing based on the IP source address of the packet, type
Mask the source address and network mask to match. A value of
0.0.0.0/0.0.0.0 disables the feature.
Destination To perform policy routing based on the IP destination address of the packet,
Address / Mask type the destination address and network mask to match. A value of
0.0.0.0/0.0.0.0 disables the feature.
Destination Ports To perform policy routing based on the destination port of the packet,
type the same port number in the From and To fields. To apply policy routing
to a range of ports, type the starting port number in the From field and the
ending port number in the To field. A value of 0 disables this feature.
The Destination Ports fields are only used for the TCP and UDP protocols. The
ports are skipped over for all other protocols.
Type of Service Use a two digit hexadecimal bit pattern to match the service, or use a two digit
hexadecimal bit mask to mask out. For more information, see “Type of
Service” on page 40.
Outgoing Interface Select the name of the interface through which packets affected by the policy
will be routed.
Gateway Address Type the IP address of the next-hop router that the FortiGate unit can access
through the specified interface. A value of 0.0.0.0 is not valid.

Example policy route


Configure the following policy route to send all FTP control traffic received at port1 out
the port10 interface to a next hop router at IP address 172.20.120.23. To route FTP
traffic set protocol to 6 (for TCP) and set both of the destination ports to 21, the FTP
control port. Note that this matches only the control connection: FTP data connections use
other ports (20 in active mode, negotiated ports in passive mode) and follow the routing
table unless you add policy routes for them as well.

Protocol                    6
Incoming interface          port1
Source address / mask       0.0.0.0/0.0.0.0
Destination address / mask  0.0.0.0/0.0.0.0
Destination Ports           From 21 to 21
Type of Service             bit pattern: 00 (hex)  bit mask: 00 (hex)
Outgoing interface          port10
Gateway Address             172.20.120.23

Type of Service
Type of service (TOS) is an 8-bit field in the IP header that lets the sender ask for a
particular kind of delivery, with such qualities as low delay, high throughput, high
reliability, and minimum cost, together with a precedence value.


Each quality helps gateways determine the best way to route datagrams. Under RFC 1349 a
router may keep a TOS value for each route in its routing table and try to match the TOS
of the datagram to the TOS of one of the possible routes to the destination. If there is no
match, the datagram is sent over a route with a TOS of zero.
Asking for a higher quality may increase the cost of delivery because better performance
may consume limited network resources. For more information, see RFC 791 and RFC
1349. Note that most current networks interpret this byte as the DSCP and ECN fields
(RFC 2474 and RFC 3168) rather than as RFC 1349 TOS bits, so check how your upstream
equipment actually marks traffic before you match on a bit pattern.
Table 8: The role of each bit in the IP header TOS 8-bit field

bits 0, 1, 2 Precedence Some networks treat high precedence traffic as more important
traffic. Precedence should only be used within a network, and
can be used differently in each network. Typically you do not
care about these bits.
bit 3 Delay When set to 1, this bit indicates low delay is a priority. This is
useful for such services as VoIP where delays degrade the
quality of the sound.
bit 4 Throughput When set to 1, this bit indicates high throughput is a priority.
This is useful for services that require lots of bandwidth such
as video conferencing.
bit 5 Reliability When set to 1, this bit indicates high reliability is a priority. This
is useful when a service must always be available such as with
DNS servers.
bit 6 Cost When set to 1, this bit indicates low cost is a priority. Generally
there is a higher delivery cost associated with enabling bits 3,4,
or 5, and bit 6 indicates to use the lowest cost route.
bit 7 Reserved Reserved for future use; not used at this time.

For example, if you want to match low delay and high reliability, say for a VoIP application
where delays are unacceptable, you would use a bit pattern of xxx1x1xx, where an ‘x’
indicates that the bit can be any value. Because only two of the bits matter, this is a
good use for the bit mask: set both the bit pattern and the bit mask to 0x14 (bits 3 and 5),
and the policy matches any packet whose TOS has low delay and high reliability set,
whatever the other bits contain.

Moving a policy route


A policy route is added to the bottom of the policy route table when it is created. If you
prefer one policy to be used over another, you may want to move it to a different position in
the policy route table.
The choice between two routes arises when both match the same traffic, for example
172.20.0.0/255.255.0.0 and 172.20.120.0/255.255.255.0. If both of these
routes are in the policy table, both match traffic to 172.20.120.112, but the second,
more specific route is the better match. In that case the better match should be
positioned before the other route in the policy table.
In the case of two matches in the routing table, alternating sessions will use both routes in
a load balancing configuration. You can also manually assign priorities to routes. For two
matches in the routing table, the priority determines which route is used. This feature is
available only through the CLI. For details, see the FortiGate CLI Reference.
To change the position of a policy route in the table, go to Router > Static > Policy Route
and select Move To for the policy route you want to move.


Before/After: Select Before to place the selected policy route before the indicated route.
Select After to place it following the indicated route.
Policy route ID: Enter the ID of the route in the policy route table before or after which the
selected route is to be placed.
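The ToS mask matching and the top-down order of the policy route table described above, as an added Python model that is not part of the handbook or of FortiOS itself. Only the two prefixes, the address 172.20.120.112 and the 0x14 mask come from the text; the gateways (10.0.0.1 to 10.0.0.3), the VoIP route keyed on ToS and the order of the table are constructed for the example. The move_route function mirrors the Move To dialog (Before/After a given policy route ID).

```python
import ipaddress

# Bit values of the IP ToS byte as numbered in Table 8 (bit 0 is the most
# significant bit): bit 3 delay, bit 4 throughput, bit 5 reliability, bit 6 cost.
TOS_DELAY = 0x10
TOS_THROUGHPUT = 0x08
TOS_RELIABILITY = 0x04
TOS_COST = 0x02


class PolicyRoute:
    """One entry of a policy route table (simplified model for this example)."""

    def __init__(self, route_id, dst, gateway, tos=0, tos_mask=0):
        self.route_id = route_id
        self.dst = ipaddress.ip_network(dst)  # accepts "172.20.0.0/255.255.0.0"
        self.gateway = gateway
        self.tos = tos            # ToS bits the packet must carry
        self.tos_mask = tos_mask  # which ToS bits are compared; 0 = ignore ToS

    def matches(self, dst_ip, packet_tos):
        # Only the bits selected by the mask are compared, so a mask of 0x14
        # matches any packet with delay and reliability set (pattern xxx1x1xx).
        tos_ok = (packet_tos & self.tos_mask) == (self.tos & self.tos_mask)
        return tos_ok and ipaddress.ip_address(dst_ip) in self.dst


def lookup(table, dst_ip, packet_tos=0):
    """Policy routes are checked from the top of the table; the first match wins.
    Returns the gateway of the matching route, or None if nothing matches."""
    for route in table:
        if route.matches(dst_ip, packet_tos):
            return route.gateway
    return None


def move_route(table, route_id, target_id, position):
    """Mirror the Move To dialog: place route_id "before" or "after" target_id.
    Returns the new order of route IDs."""
    moving = next(r for r in table if r.route_id == route_id)
    table.remove(moving)
    index = next(i for i, r in enumerate(table) if r.route_id == target_id)
    table.insert(index if position == "before" else index + 1, moving)
    return [r.route_id for r in table]


def sample_table():
    """Constructed table: a VoIP route keyed on ToS first, then the two overlapping
    prefixes from the text in the order they were created. Gateways are placeholders."""
    return [
        PolicyRoute(1, "0.0.0.0/0", "10.0.0.1",
                    tos=TOS_DELAY | TOS_RELIABILITY, tos_mask=0x14),
        PolicyRoute(2, "172.20.0.0/255.255.0.0", "10.0.0.2"),
        PolicyRoute(3, "172.20.120.0/255.255.255.0", "10.0.0.3"),
    ]


if __name__ == "__main__":
    table = sample_table()
    # Low delay + high reliability set: the VoIP route wins regardless of prefix.
    print(lookup(table, "172.20.120.112", TOS_DELAY | TOS_RELIABILITY))
    # Ordinary traffic hits the /16 first, although the /24 is the better match.
    print(lookup(table, "172.20.120.112"))
    # Move the /24 before the /16, as the text recommends, and look up again.
    print(move_route(table, 3, 2, "before"))
    print(lookup(table, "172.20.120.112"))
```

Run it to see the lookup result change from 10.0.0.2 to 10.0.0.3 after the more specific route is moved above the /16; a packet whose ToS also sets throughput (0x1C) still matches the VoIP route because the mask only looks at bits 3 and 5.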

Transparent mode static routing


FortiOS operating modes allow you to change the configuration of your FortiGate unit
depending on the role it needs to fill in your network.
NAT/Route operating mode is the standard mode where all interfaces are accessed
individually, and traffic can be routed between ports to travel from one network to another.
In transparent operating mode, all physical interfaces act like one interface. The FortiGate
unit essentially becomes a bridge — traffic coming in over any interface is broadcast back
out over all the interfaces on the FortiGate unit.
In transparent mode, there is no entry for routing at the main level of the menu on the web-
based manager display as there is in NAT/Route mode. Routing is instead accessed
through the network menu option.
To view the routing table in transparent mode, go to Network > Routing Table.
When viewing or creating a static route entry in transparent mode there are only three
fields available.

Destination IP/Mask: The destination of the traffic being routed. The first entry is
attempted first for a match, then the next, and so on until a match is found or the last
entry is reached. If no match is found, the traffic will not be routed. Use 0.0.0.0 to match
all traffic destinations. This is the default route.
Gateway: Specifies the next hop for the traffic. Generally the gateway is the address of a
router on the edge of your network.
Priority: The priority is used if there is more than one match for a route. This allows
multiple routes to be used, with one preferred. If the preferred route is unavailable the
other routes can be used instead. Valid range of priority can be from 0 to 4 294 967 295.
If more than one route matches and they have the same priority it becomes an ECMP
situation and traffic is shared among those routes. See “Route priority” on page 34.

When configuring routing on a FortiGate unit in transparent mode, remember that all
interfaces must be connected to the same subnet. That means all traffic will be coming
from and leaving on the same subnet. This is important because it limits your static routing
options to only the gateways attached to this subnet. For example, if you only have one
router connecting your network to the Internet then all static routing on the FortiGate unit
will use that gateway. For this reason static routing on FortiGate units in transparent mode
may be a bit different, but it is not as complex as routing in NAT/Route mode.

Zones
Zones allow you to group interfaces into zones to simplify firewall policy creation. By
grouping interfaces into a zone, you can add one set of firewall policies for the zone
instead of adding separate policies for each interface — what address groups do for
addresses in firewall policies, zones do for interfaces. Once you add interfaces to a zone
you cannot configure policies for the single interfaces, only for the entire zone.


You can add all types of interfaces to a zone (physical, VLAN, switch, and so on) and a
zone can consist of any combination of interface types. You can add zones, rename and
edit zones, and delete zones from the zone list. When you add a zone, you select the
names of the interfaces to add to the zone.
This section includes:
• Creating or editing a zone
• Blocking intra-zone traffic
• IP pools and zones
• Zones in VDOMs
• Zones in transparent mode

Creating or editing a zone


To view the zone list, go to Network > Zones. If VDOMs are enabled, ensure you are in the
correct VDOM first.

To create or edit a zone


1 If VDOMs are enabled, select the VDOM from the Current VDOM list.
Note: The VDOM must have at least two physical or virtual interfaces assigned to it.
2 Go to Network > Zone.
3 Select Create New.
4 Enter the Zone Name, enable Block intra-zone traffic if desired, and select the
interfaces to include in this zone.
5 Select OK.

Blocking intra-zone traffic


Apart from grouping interfaces to allow them to be treated as one in a firewall policy, the
other feature of zones is the ability to block intra-zone traffic. This prevents traffic between
interfaces within the zone.
For example, a FortiGate unit has an accounting department on one interface, the sales
department on another interface, and marketing on a third interface. The office has a
common Internet policy, so all three interfaces can be grouped into a zone for easier
firewall policy management. However, the types of traffic for each department are very
different, and it is potentially dangerous to the company for accounting information to be
accessed by other departments. In this case blocking intra-zone traffic would protect the
accounting data without requiring extra firewall policies to accomplish it.
From this example you can see that blocking intra-zone traffic can also be accomplished
with firewall policies. However, that method is much more complex and time consuming,
especially when all traffic between the interfaces is to be blocked. The firewall policy
method must be used if some traffic is to be allowed but not other traffic.
The benefits of blocking intra-zone traffic are:
• it automatically applies to all interfaces in the zone
• you don’t have to update one or more firewall policies
• it offloads work from the firewall which saves resources


IP pools and zones


You cannot use IP pools when using zones. An IP pool can only be associated with an
interface.

Zones in VDOMs
Zones are configured in virtual domains (VDOMs). If you have added multiple VDOMs to
your FortiGate unit configuration, make sure you are configuring the correct VDOM before
adding or editing zones. Zones do not appear on the Global level Network menu.

Zones in transparent mode


Up to this point, everything about zones only applies to NAT/Route operating mode. In
NAT/Route mode there are many interfaces making it easy to create zones.
In Transparent mode, the FortiGate unit behaves like a layer-2 bridge but can still provide
services such as antivirus scanning, web filtering, spam filtering and intrusion protection to
traffic. There are some limitations in Transparent mode in that you cannot use SSL VPN,
PPTP/L2TP VPN, DHCP server, or easily perform NAT on traffic.
In transparent mode you can still select interfaces for a zone, but applying firewall policies
to them is problematic since all interfaces are on the same subnet, and any interfaces not
in the zone will spread the traffic the firewall policies would be trying to limit.
VLANs can still be grouped into zones so that firewall policies can be applied only to
VLANs. In Transparent mode, packets cannot move between different VLANs — they are
limited to VLAN trunks which enter and leave the FortiGate unit with the same VLAN ID
tag.

Virtual LANs
Virtual Local Area Networks (VLANs) multiply the capabilities of your FortiGate unit, and
can also provide added network security. All FortiGate models support VLANs.
This section includes:
• VLAN overview
• VLANs in NAT/Route mode
• VLANs in Transparent mode
• Troubleshooting VLAN problems

VLAN overview
Virtual LANs (VLANs) use ID tags to logically separate devices on a network into smaller
broadcast domains. These smaller domains forward packets only to devices that are part
of that VLAN domain. This reduces traffic and increases network security.
This section answers some common questions about VLANs:
• What are VLANs?
• How VLANs work
• VLAN ID rules
• VLAN switching and routing

What are VLANs?


A Local Area Network (LAN) is a group of connected computers and devices that are
arranged into network broadcast domains. A LAN broadcast domain includes all the
computers that receive a packet broadcast from any computer in that broadcast domain. A
switch will automatically forward the packets to all of its ports; in contrast, routers do not
automatically forward network broadcast packets. This means routers separate broadcast
domains. If a network has only switches and no routers, that network is considered one
broadcast domain, no matter how large or small it is. Smaller broadcast domains are more
efficient because fewer devices receive unnecessary packets. They are more secure as
well because a hacker reading traffic on the network will have access to only a small
portion of the network instead of the entire network’s traffic.
Virtual LANs (VLANs) use ID tags to logically separate a LAN into smaller broadcast
domains. Each VLAN is its own broadcast domain. Smaller broadcast domains reduce
traffic and increase network security. The IEEE 802.1Q standard defines VLANs. All layer-
2 and layer-3 devices along a route must be 802.1Q-compliant to support VLANs along
that route. For more information, see “VLAN switching and routing” on page 47 and “VLAN
layer-3 routing” on page 49.


How VLANs work


VLANs reduce the size of the broadcast domains by only forwarding packets to interfaces
that are part of that VLAN or part of a VLAN trunk link. Trunk links form switch-to-switch or
switch-to-router connections, and forward traffic for all VLANs. This enables a VLAN to
include devices that are part of the same broadcast domain, but physically distant from
each other.
VLAN ID tags consist of a 4-byte frame extension that switches and routers apply to every
packet sent and received in the VLAN. Workstations and desktop computers, which are
commonly originators or destinations of network traffic, are not an active part of the VLAN
process—all the VLAN tagging and tag removal is done after the packet has left the
computer. For more information, see “VLAN ID rules” on page 46.
Any FortiGate unit without VDOMs enabled can have a maximum of 255 interfaces in
Transparent operating mode. The same is true for any single VDOM. In NAT/Route
operating mode, the number can range from 255 to 8192 interfaces per VDOM, depending
on the FortiGate model. These numbers include VLANs, other virtual interfaces, and
physical interfaces. To have more than 255 interfaces configured in Transparent operating
mode, you need to configure multiple VDOMs that enable you to divide the total number of
interfaces over all the VDOMs.
One example of an application of VLANs is a company’s accounting department.
Accounting computers may be located at both main and branch offices. However,
accounting computers need to communicate with each other frequently and require
increased security. VLANs allow the accounting network traffic to be sent only to
accounting computers and to connect accounting computers in different locations as if
they were on the same physical subnet.

Note: This guide uses the term packet to refer to both layer-2 frames and layer-3 packets.

VLAN ID rules
Layer-2 switches and layer-3 devices add VLAN ID tags to the traffic as it arrives and
remove them before they deliver the traffic to its final destination. Devices such as PCs
and servers on the network do not require any special configuration for VLANs.
On a layer-2 switch, you can have only one VLAN subinterface per physical interface,
unless that interface is configured as a trunk link. Trunk links can transport traffic for
multiple VLANs to other parts of the network.
On a FortiGate unit, you can add multiple VLANs to the same physical interface. However,
VLAN subinterfaces added to the same physical interface cannot have the same VLAN ID
or have IP addresses on the same subnet. You can add VLAN subinterfaces with the
same VLAN ID to different physical interfaces.
Twelve bits of the 4-byte VLAN tag are reserved for the VLAN ID number. Valid VLAN ID
numbers are from 1 to 4094, while 0 is used for high priority frames, and 4095 is reserved.
Creating VLAN subinterfaces with the same VLAN ID does not create any internal
connection between them. For example a VLAN ID of 300 on port1 and VLAN ID of 300 on
port2 are allowed, but they are not connected. Their relationship is the same as between
any two FortiGate network interfaces.
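The 4-byte tag and the VLAN ID rules above, as an added Python example that is not from the handbook or from Fortinet: it builds and parses an IEEE 802.1Q tag, shows where the 12-bit VLAN ID sits inside it, and classifies the special values 0 and 4095. The sample frame and its MAC addresses are constructed.

```python
import struct

TPID_8021Q = 0x8100  # EtherType value that announces an 802.1Q tag


def build_tag(vid, pcp=0, dei=0):
    """Return the 4-byte tag: 16-bit TPID followed by the 16-bit TCI, which is
    3 bits of priority (PCP), 1 drop-eligible bit (DEI) and the 12-bit VLAN ID."""
    if not 0 <= vid <= 4095:
        raise ValueError("VLAN ID does not fit in 12 bits")
    if not 0 <= pcp <= 7 or dei not in (0, 1):
        raise ValueError("bad priority or DEI value")
    return struct.pack("!HH", TPID_8021Q, (pcp << 13) | (dei << 12) | vid)


def insert_tag(frame, vid, pcp=0):
    """Tag an untagged Ethernet frame the way a switch does when the frame
    arrives on an access port: the tag goes between the source MAC and the
    original EtherType, so the frame grows by 4 bytes."""
    if len(frame) < 14:
        raise ValueError("frame too short")
    return frame[:12] + build_tag(vid, pcp) + frame[12:]


def parse_frame(frame):
    """Return (vid, pcp, frame_without_tag). vid is None for untagged frames."""
    if len(frame) < 14:
        raise ValueError("frame too short")
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype != TPID_8021Q:
        return None, None, frame
    (tci,) = struct.unpack("!H", frame[14:16])
    return tci & 0x0FFF, tci >> 13, frame[:12] + frame[16:]


def classify_vid(vid):
    """Meaning of a 12-bit VLAN ID value as described in the text."""
    if vid == 0:
        return "priority-tagged"  # tag carries only a priority, no VLAN membership
    if vid == 4095:
        return "reserved"
    if 1 <= vid <= 4094:
        return "valid"
    raise ValueError("VLAN ID does not fit in 12 bits")


# Constructed sample: an untagged IPv4 frame with made-up MAC addresses.
SAMPLE_FRAME = (bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb")
                + b"\x08\x00" + b"\x45\x00" + b"\x00" * 18)


if __name__ == "__main__":
    tagged = insert_tag(SAMPLE_FRAME, 300)
    print(tagged[12:16].hex())      # TPID 0x8100 followed by VID 300 = 0x12c
    print(parse_frame(tagged)[:2])  # VLAN ID and priority recovered from the tag
```

The tag bytes for VLAN 300 are 81 00 01 2c: the TPID, then a TCI whose upper four bits (priority and DEI) are zero and whose lower twelve bits hold the ID. Stripping the tag restores the original frame byte for byte, which is why the end stations never notice it.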


VLAN switching and routing


VLAN switching takes place on the OSI model layer-2, just like other network switching.
VLAN routing takes place on the OSI model layer-3. The difference between them is that
during VLAN switching, VLAN packets are simply forwarded to their destination. This is
different from VLAN routing where devices can open the VLAN packets and change their
VLAN ID tags to route the packets to a new destination. See “VLAN layer-2 switching” on
page 47, and “VLAN layer-3 routing” on page 49.

VLAN layer-2 switching


Ethernet switches are layer-2 devices, and generally are 802.1Q compliant. Layer 2 refers
to the second layer of the seven layer Open Systems Interconnect (OSI) basic networking
model—the Data Link layer. FortiGate units act as layer-2 switches or bridges when they
are in Transparent mode—the units simply tag and forward the VLAN traffic or receive and
remove the tags from the packets. A layer-2 device does not inspect incoming packets or
change their contents; it only adds or removes tags and routes the packet.
A VLAN can have any number of physical interfaces assigned to it. Multiple VLANs can be
assigned to the same physical interface. Typically two or more physical interfaces are
assigned to a VLAN, one for incoming and one for outgoing traffic. Multiple VLANs can be
configured on one FortiGate unit, including trunk links.

Layer-2 VLAN example


To better understand VLAN operation, let’s look at what happens to a data frame on a
network that uses VLANs.
The network topology consists of two 8-port switches that are configured to support
VLANs on a network. Both switches are connected through port 8 using an 802.1Q trunk
link. Subnet 1 is connected to switch A, and subnet 2 is connected to switch B. The ports
on the switches are configured as follows.
Table 9: How ports and VLANs are used on Switch A and B

Switch    Ports    VLAN
A         1-4      100
A         5-7      200
A & B     8        Trunk link
B         4-5      100
B         6        200

Let's follow the steps a data frame follows when it is sent from a computer on subnet 1 that
is part of VLAN 100. In this example, switch A is connected to the Branch Office and
switch B to the Main Office.


1 A computer on port 1 of switch A sends a data frame over the network.

Figure: Switch A (ports 1-4 VLAN 100, ports 5-7 VLAN 200) at the Branch Office and Switch B
(ports 4 and 5 VLAN 100) at the Main Office, connected by an 802.1Q trunk link between
port 8 of each switch. The frame is sent from port 1 of Switch A.

2 Switch A tags the data frame with a VLAN 100 ID tag upon arrival because port 1 is
part of VLAN 100.
3 Switch A forwards the tagged data frame to the other VLAN 100 ports—ports 2 through
4. Switch A also forwards the data frame to the 802.1Q trunk link (port 8) so other parts
of the network that may contain VLAN 100 groups will receive VLAN 100 traffic.
This data frame is not forwarded to the other ports on switch A because they are not part
of VLAN 100. This increases security and decreases network traffic.

Figure: Switch A (ports 1-4 VLAN 100, ports 5-7 VLAN 200) at the Branch Office and Switch B
(ports 4 and 5 VLAN 100) at the Main Office, connected by an 802.1Q trunk link between
port 8 of each switch. The frame, now carrying a VLAN ID tag, travels from port 1 of
Switch A over the trunk link toward port 5 of Switch B.

4 Switch B receives the data frame over the trunk link (port 8).
5 Because there are VLAN 100 ports on switch B (ports 4 and 5), the data frame is
forwarded to those ports. As with switch A, the data frame is not delivered to VLAN
200.


If there were no VLAN 100 ports on switch B, the switch would not forward the data frame
and it would stop there.

Figure: Switch A (ports 1-4 VLAN 100, ports 5-7 VLAN 200) at the Branch Office and Switch B
(ports 4 and 5 VLAN 100) at the Main Office, connected by an 802.1Q trunk link between
port 8 of each switch. The frame arrives at the computer on port 5 of Switch B.

6 The switch removes the VLAN 100 ID tag before it forwards the data frame to an end
destination.
The sending and receiving computers are not aware of any VLAN tagging on the data
frames that are being transmitted. When any computer receives that data frame, it
appears as a normal data frame.

VLAN layer-3 routing


Routers are layer-3 devices. Layer 3 refers to the third layer of the OSI networking
model—the Network layer. FortiGate units in NAT/Route mode act as layer-3 devices. As
with layer 2, FortiGate units acting as layer-3 devices are 802.1Q-compliant.
The main difference between layer-2 and layer-3 devices is how they process VLAN tags.
Layer-2 switches just add, read and remove the tags. They do not alter the tags or do any
other high-level actions. Layer-3 routers not only add, read and remove tags but also
analyze the data frame and its contents. This analysis allows layer-3 routers to change the
VLAN tag if it is appropriate and send the data frame out on a different VLAN.
In a layer-3 environment, the 802.1Q-compliant router receives the data frame and
assigns a VLAN ID. The router then forwards the data frame to other members of the
same VLAN broadcast domain. The broadcast domain can include local ports, layer-2
devices and layer-3 devices such as routers and firewalls. When a layer-3 device receives
the data frame, the device removes the VLAN tag and examines its contents to decide
what to do with the data frame. The layer-3 device considers:
• source and destination addresses
• protocol
• port number.
The data frame may be forwarded to another VLAN, sent to a regular non-VLAN-tagged
network or just forwarded to the same VLAN as a layer-2 switch would do. Or, the data
frame may be discarded if the proper firewall policy has been configured to do so.

Layer-3 VLAN example


In the following example, switch A is connected to the Branch Office subnet, the same as
subnet 1 in the layer-2 example. In the Main Office subnet, VLAN 300 is on port 5 of switch
B. The FortiGate unit is connected to switch B on port 1 and the trunk link connects the
FortiGate unit’s port 3 to switch A. The other ports on switch B are unassigned.


This example explains how traffic can change VLANs—originating on VLAN 100 and
arriving at a destination on VLAN 300. Layer-2 switches alone cannot accomplish this, but
a layer-3 router can.
1 The VLAN 100 computer at the Branch Office sends the data frame to switch A, where
the VLAN 100 tag is added.

Figure: Switch A (ports 1-4 VLAN 100, ports 5-7 VLAN 200) at the Branch Office is connected
by an 802.1Q trunk link from its port 8 to port 3 of the FortiGate unit. Port 1 of the
FortiGate unit connects to port 1 of Switch B, which has VLAN 300 on port 5 at the Main
Office. The frame is sent from port 1 of Switch A.

2 Switch A forwards the tagged data frame to the FortiGate unit over the 802.1Q trunk
link, and to the VLAN 100 interfaces on Switch A.
Up to this point everything is the same as in the layer-2 example.

Figure: Switch A (ports 1-4 VLAN 100, ports 5-7 VLAN 200) at the Branch Office, the
FortiGate unit (port 3 on the 802.1Q trunk link, port 1 carrying VLAN 300) and Switch B
(VLAN 300 on port 5) at the Main Office. The tagged frame crosses the trunk link from port 8
of Switch A to port 3 of the FortiGate unit.

3 The FortiGate unit removes the VLAN 100 tag, and inspects the content of the data
frame. The FortiGate unit uses the content to select the correct firewall policy and
routing options.


4 The FortiGate unit’s firewall policy allows the data frame to go to VLAN 300 in this
example. The data frame will be sent to all VLAN 300 interfaces, but in the example
there is only one—port 1 on the FortiGate unit. Before the data frame leaves, the
FortiGate unit adds the VLAN ID 300 tag to the data frame.
This is the step that layer 2 cannot do. Only layer 3 can retag a data frame as a
different VLAN.

Figure: Switch A (ports 1-4 VLAN 100, ports 5-7 VLAN 200) at the Branch Office, the
FortiGate unit (port 3 on the 802.1Q trunk link, port 1 carrying VLAN 300) and Switch B
(VLAN 300 on port 5) at the Main Office. The frame, retagged as VLAN 300, leaves port 1 of
the FortiGate unit toward Switch B.

5 Switch B receives the data frame and, because this is the last hop, removes the VLAN
ID 300 tag and forwards the data frame to the computer on port 5.

Figure: Switch A (ports 1-4 VLAN 100, ports 5-7 VLAN 200) at the Branch Office, the
FortiGate unit (port 3 on the 802.1Q trunk link, port 1 carrying VLAN 300) and Switch B
(VLAN 300 on port 5) at the Main Office. The frame arrives at the VLAN 300 computer on
port 5 of Switch B.

In this example, a data frame arrived at the FortiGate unit tagged as VLAN 100. After
checking its content, the FortiGate unit retagged the data frame for VLAN 300. It is this
change from VLAN 100 to VLAN 300 that requires a layer-3 routing device, in this case
the FortiGate unit. Layer-2 switches cannot perform this change.
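The layer-2 and layer-3 examples above, traced in code. This is an added Python model that is not part of the handbook or of FortiOS: a Switch floods a frame only within its VLAN and keeps the tag on trunk ports, as in Table 9, and a Layer3Device stands in for the FortiGate unit, stripping the tag, choosing the egress VLAN subinterface from the destination address, checking a firewall policy and retagging for the new VLAN. The subnets 192.168.10.0/24 and 192.168.30.0/24, the destination address 192.168.30.10, the port names port1 and port3, and the assumption that switch B port 1 accepts tagged frames from the FortiGate unit are constructed for the example.

```python
import ipaddress


class Switch:
    """Layer-2 802.1Q switch: access ports belong to one VLAN and carry untagged
    frames; trunk ports carry every VLAN with the tag kept on."""

    def __init__(self, name, access_ports, trunk_ports):
        self.name = name
        self.access_ports = access_ports   # {port number: VLAN ID}
        self.trunk_ports = set(trunk_ports)

    def forward(self, in_port, vid=None):
        """Return {out port: VLAN tag or None (untagged)} for a frame arriving on
        in_port. A frame from an access port is tagged with that port's VLAN; a
        tagged frame from a trunk keeps its VLAN ID. It goes only to the other
        access ports of that VLAN (tag removed) and to the trunks (tagged), never
        to ports of other VLANs or back out of in_port."""
        if in_port in self.access_ports:
            vid = self.access_ports[in_port]
        elif in_port not in self.trunk_ports or vid is None:
            raise ValueError(f"switch {self.name}: frame dropped on port {in_port}")
        out = {p: None for p, v in self.access_ports.items() if p != in_port and v == vid}
        out.update({p: vid for p in self.trunk_ports if p != in_port})
        return out


class Layer3Device:
    """Stands in for the FortiGate unit in NAT/Route mode: each VLAN subinterface
    is (physical port, VLAN ID, connected subnet); a frame passes only if a
    firewall policy (source interface, destination interface) allows it."""

    def __init__(self, vlan_interfaces, allowed_policies):
        self.interfaces = {name: (port, vid, ipaddress.ip_network(subnet))
                           for name, (port, vid, subnet) in vlan_interfaces.items()}
        self.allowed = set(allowed_policies)

    def route(self, in_port, vid, dst_ip):
        """Strip the incoming tag, pick the egress subinterface from the
        destination address, apply the policy and retag for the new VLAN.
        Returns (out port, out VLAN ID), or None if the frame is dropped."""
        src_if = next((n for n, (p, v, _) in self.interfaces.items()
                       if p == in_port and v == vid), None)
        dst = ipaddress.ip_address(dst_ip)
        dst_if = next((n for n, (_, _, net) in self.interfaces.items() if dst in net), None)
        if src_if is None or dst_if is None or (src_if, dst_if) not in self.allowed:
            return None  # unknown VLAN on that port, no route, or policy denies it
        out_port, out_vid, _ = self.interfaces[dst_if]
        return out_port, out_vid


def switch_a():
    # Table 9: ports 1-4 VLAN 100, ports 5-7 VLAN 200, port 8 is the trunk link.
    return Switch("A", {1: 100, 2: 100, 3: 100, 4: 100, 5: 200, 6: 200, 7: 200}, {8})


def layer2_example():
    """Frame from the VLAN 100 computer on switch A port 1 (layer-2 example)."""
    switch_b = Switch("B", {4: 100, 5: 100, 6: 200}, {8})
    a_out = switch_a().forward(in_port=1)              # steps 1-3
    b_out = switch_b.forward(in_port=8, vid=a_out[8])  # steps 4-6
    return a_out, b_out


def layer3_example(policies=(("VLAN_100", "VLAN_300"),)):
    """Same frame, but switch A's trunk now ends on FortiGate port3; VLAN 300 is
    on FortiGate port1, cabled to switch B port 1, and the VLAN 300 computer is
    on switch B port 5. Subnets and destination address are constructed."""
    fortigate = Layer3Device({"VLAN_100": ("port3", 100, "192.168.10.0/24"),
                              "VLAN_300": ("port1", 300, "192.168.30.0/24")}, policies)
    switch_b = Switch("B", {5: 300}, {1})
    a_out = switch_a().forward(in_port=1)                      # steps 1-2
    hop = fortigate.route("port3", a_out[8], "192.168.30.10")  # steps 3-4
    if hop is None:
        return a_out, None, {}
    b_out = switch_b.forward(in_port=1, vid=hop[1])            # step 5
    return a_out, hop, b_out


if __name__ == "__main__":
    print(layer2_example())
    print(layer3_example())
    print(layer3_example(policies=()))  # no firewall policy: the frame is dropped
```

In the layer-2 run the frame leaves switch A on ports 2 to 4 untagged and on port 8 tagged 100, and switch B delivers it to ports 4 and 5 only. In the layer-3 run the FortiGate unit returns ("port1", 300): the same frame is re-emitted on a different VLAN, which no Switch object in the model can do, and removing the policy makes it return None.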

VLANs in NAT/Route mode


In NAT/Route mode the FortiGate unit functions as a layer-3 device. In this mode, the unit
controls the flow of packets between VLANs, but can also remove VLAN tags from
incoming VLAN packets. The FortiGate unit can also forward untagged packets to other
networks, such as the Internet.


In NAT/Route mode, the FortiGate unit supports VLAN trunk links with IEEE 802.1Q-
compliant switches, or routers. The trunk link transports VLAN-tagged packets between
physical subnets or networks. When you add VLAN sub-interfaces to the FortiGate unit
physical interfaces, the VLANs have IDs that match the VLAN IDs of packets on the trunk
link. The FortiGate unit directs packets with VLAN IDs to sub-interfaces with matching IDs.
You can define VLAN sub-interfaces on all FortiGate physical interfaces. However, if
multiple virtual domains are configured on the FortiGate unit, you will have access to only
the physical interfaces on your virtual domain. The FortiGate unit can tag packets leaving
on a VLAN subinterface. It can also remove VLAN tags from incoming packets and add a
different VLAN tag to outgoing packets.
Normally in VLAN configurations, the FortiGate unit's internal interface is connected to a
VLAN trunk, and the external interface connects to an Internet router that is not configured
for VLANs. In this configuration the FortiGate unit can apply different policies for traffic on
each VLAN interface connected to the internal interface, which results in less network
traffic and better security.
This section includes:
• Configuring your FortiGate unit
• Example VLAN configuration in NAT/Route mode

Configuring your FortiGate unit


In NAT/Route mode, you can access the FortiGate unit's web-based manager (GUI) with a
supported web browser that connects to a FortiGate unit interface. The interface must be
configured for administrative access. Use HTTPS to access the address of the interface.
All FortiGate units have administrative access enabled by default on the default interface.
On the FortiGate-800 the default interface is the internal interface. For the examples
presented in this chapter, the default interface has an address of 192.168.1.99.
For more information, see the Quick Start Guide or the Installation Guide that came with
your FortiGate unit.
Configuring your FortiGate unit for VLANs includes:
• Adding VLAN subinterfaces
• Configuring firewall policies and routing

Adding VLAN subinterfaces


A VLAN subinterface, sometimes called a VLAN, is a virtual interface on a physical
interface. The subinterface allows routing of VLAN tagged packets using that physical
interface, but it is separate from any other traffic on the physical interface.
Adding a VLAN subinterface includes configuring the
• Physical interface
• IP address and netmask
• VLAN ID
• VDOM


Physical interface
The term VLAN subinterface correctly implies the VLAN interface is not a complete
interface by itself. You add a VLAN subinterface to the physical interface that receives
VLAN-tagged packets. The physical interface can belong to a different VDOM than the
VLAN, but it must be connected to a network route that is configured for this VLAN.
Without that route, the VLAN will not be connected to the network, and VLAN traffic will not
be able to access this interface. The traffic on the VLAN is separate from any other traffic
on the physical interface.
When you are working with interfaces on your FortiGate unit, we recommend checking the
Column Settings on the Interface display to make sure the information you need is
displayed. Besides customizing this display, you can also re-order the columns to focus on
the important information for each interface. When working with VLANs, it is useful to
position the VLAN ID column close to the IP address. If you are working with VDOMs,
including the Virtual Domain column as well will help you troubleshoot problems more
quickly. To view the Interface display, go to System > Network.

IP address and netmask


FortiGate unit interfaces cannot have overlapping IP addresses—the IP addresses of all
interfaces must be on different subnets. This rule applies to both physical interfaces and to
virtual interfaces such as VLAN subinterfaces. Each VLAN subinterface must be
configured with its own IP address and netmask pair. This rule helps prevent a broadcast
storm or other similar network problems.

Note: If you are unable to change your existing configurations to prevent IP overlap, enter
the CLI command config system global and set ip-overlap enable to allow IP
address overlap. If you enter this command, multiple VLAN interfaces can have an IP
address that is part of a subnet used by another interface. This command is recommended
for advanced users only.

VLAN ID
The VLAN ID is part of the VLAN tag added to the packets by VLAN switches and routers.
The VLAN ID is a number between 1 and 4094 that allows groups of IP addresses with the
same VLAN ID to be associated together. VLAN ID 0 is used only for high priority frames,
and 4095 is reserved.
All devices along a route must support the VLAN ID of the traffic along that route.
Otherwise, the traffic will be discarded before reaching its destination. For example, if your
computer is part of VLAN_100 and a co-worker on a different floor of your building is also
on VLAN_100, you can communicate with each other over VLAN_100 only if all the
switches and routers support VLANs and are configured to pass VLAN_100 traffic along
properly. Otherwise, any traffic you send your co-worker will be blocked or not delivered.
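The VLAN ID and IP address rules from this section (the 1 to 4094 range, one VLAN ID per physical interface, and no overlapping subnets unless ip-overlap is enabled), as an added Python checker that is not part of the handbook or of FortiOS. The internal interface address 192.168.1.99 and VLAN_100 are the values used in this chapter; every other interface in the sample is constructed, and the ip field uses the "address mask" form of the CLI's set ip command.

```python
import ipaddress


def validate_interfaces(interfaces, ip_overlap_enabled=False):
    """Check interface definitions against the rules in this section:
      * a VLAN ID must be 1-4094 (0 is used for priority frames, 4095 is reserved);
      * two VLAN subinterfaces on the same physical interface may not share a
        VLAN ID (the same ID on different physical interfaces is allowed);
      * no two interfaces, physical or VLAN, may have overlapping subnets unless
        ip-overlap is enabled under config system global.
    Each entry is a dict with name, interface (parent, or None for a physical
    port), vlanid (None for a physical port) and ip in "address mask" form.
    Returns a list of problem descriptions; an empty list means the set is clean."""
    problems = []
    vid_owner = {}  # (parent interface, VLAN ID) -> name of the first user
    for entry in interfaces:
        name, parent, vid = entry["name"], entry["interface"], entry["vlanid"]
        if vid is None:
            continue  # physical interface: no VLAN ID to check
        if not 1 <= vid <= 4094:
            problems.append(f"{name}: VLAN ID {vid} is outside 1-4094")
        if (parent, vid) in vid_owner:
            problems.append(f"{name}: VLAN ID {vid} on {parent} already used by "
                            f"{vid_owner[(parent, vid)]}")
        vid_owner.setdefault((parent, vid), name)
    if not ip_overlap_enabled:
        nets = [(e["name"], ipaddress.ip_interface(e["ip"].replace(" ", "/")).network)
                for e in interfaces]
        for i, (name_a, net_a) in enumerate(nets):
            for name_b, net_b in nets[i + 1:]:
                if net_a.overlaps(net_b):
                    problems.append(f"{name_a} ({net_a}) overlaps {name_b} ({net_b})")
    return problems


# Constructed sample. The internal address and VLAN_100 match this chapter's
# examples; the remaining interfaces are made up.
CLEAN_CONFIG = [
    {"name": "internal", "interface": None, "vlanid": None, "ip": "192.168.1.99 255.255.255.0"},
    {"name": "VLAN_100", "interface": "internal", "vlanid": 100, "ip": "172.100.1.1 255.255.255.0"},
    {"name": "VLAN_200", "interface": "internal", "vlanid": 200, "ip": "172.100.2.1 255.255.255.0"},
    # Same VLAN ID as VLAN_100 on another physical interface: allowed, not connected.
    {"name": "VLAN_100_ext", "interface": "external", "vlanid": 100, "ip": "172.100.3.1 255.255.255.0"},
]

BAD_CONFIG = CLEAN_CONFIG + [
    {"name": "VLAN_100_dup", "interface": "internal", "vlanid": 100, "ip": "172.100.4.1 255.255.255.0"},
    {"name": "VLAN_4095", "interface": "internal", "vlanid": 4095, "ip": "172.100.5.1 255.255.255.0"},
    {"name": "VLAN_150", "interface": "external", "vlanid": 150, "ip": "172.100.1.129 255.255.255.128"},
]


if __name__ == "__main__":
    print(validate_interfaces(CLEAN_CONFIG))
    for problem in validate_interfaces(BAD_CONFIG):
        print(problem)
```

The bad configuration reports three problems: the duplicate VLAN ID 100 on internal, the reserved ID 4095, and VLAN_150's 172.100.1.128/25 overlapping VLAN_100's subnet. Running it with ip_overlap_enabled=True drops only the overlap report, which mirrors what set ip-overlap enable permits.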

VDOM
If VDOMs are enabled, each VLAN subinterface must belong to a VDOM. This rule also
applies for physical interfaces.

Note: Interface-related CLI commands require a VDOM to be specified, regardless of
whether the FortiGate unit has VDOMs enabled.


VLAN subinterfaces on separate VDOMs cannot communicate directly with each other. In
this situation, the VLAN traffic must exit the FortiGate unit and re-enter the unit again,
passing through firewalls in both directions. This situation is the same for physical
interfaces.
A VLAN subinterface can belong to a different VDOM than the physical interface it is part
of. This is because the traffic on the VLAN is handled separately from the other traffic on
that interface. This is one of the main strengths of VLANs.
The following procedure will add a VLAN subinterface called VLAN_100 to the FortiGate
internal interface with a VLAN ID of 100. It will have an IP address and netmask of
172.100.1.1/255.255.255.0, and allow HTTPS, PING, and TELNET administrative
access. Note that in the CLI, you must enter “set type vlan” before setting the vlanid,
and that the allowaccess protocols are lower case.

To add a VLAN subinterface in NAT/Route mode - web-based manager


1 If <<Global appears in the left menu, select it to enter global configuration.
2 Go to System > Network > Interface.
3 Select Create New to add a VLAN subinterface.
4 Enter the following:

VLAN Name: VLAN_100
Type: VLAN
Interface: internal
VLAN ID: 100
Addressing Mode: Manual
IP/Netmask: 172.100.1.1/255.255.255.0
Administrative Access: HTTPS, PING, TELNET

5 Select OK.
To view the new VLAN subinterface, select the expand arrow next to the parent
physical interface (the internal interface). This will expand the display to show all VLAN
subinterfaces on this physical interface. If there is no expand arrow displayed, there
are no subinterfaces configured on that physical interface.
For each VLAN, the list displays the name of the VLAN, and, depending on column
settings, its IP address, the Administrative access you selected for it, the VLAN ID
number, and which VDOM it belongs to if VDOMs are enabled.

To add a VLAN subinterface in NAT/Route mode - CLI


config system interface
    edit VLAN_100
        set interface internal
        set type vlan
        set vlanid 100
        set ip 172.100.1.1 255.255.255.0
        set allowaccess https ping telnet
    next
end


Configuring firewall policies and routing


Once you have created a VLAN subinterface on the FortiGate unit, you need to configure
firewall policies and routing for that VLAN. Without these, the FortiGate unit will not pass
VLAN traffic to its intended destination.
Firewall policies direct traffic through the FortiGate unit between interfaces. Routing
directs traffic across the network.
This section includes the following topics:
• Configuring firewall policies
• Configuring routing

Configuring firewall policies


Firewall policies permit communication between the FortiGate unit’s network interfaces
based on source and destination IP addresses. Without firewall policies, traffic will not
pass through the FortiGate unit. Firewall policies also allow you to limit communication at
particular times and limit services to specific protocols. Interfaces that communicate with
the VLAN interface need firewall policies to permit traffic to pass between them and the
VLAN interface.
Each VLAN needs a firewall policy for each of the following connections the VLAN will be
using:
• from this VLAN to an external network
• from an external network to this VLAN
• from this VLAN to another VLAN in the same virtual domain on the FortiGate unit
• from another VLAN to this VLAN in the same virtual domain on the FortiGate unit.
The packets on each VLAN are subject to antivirus scans and other UTM measures as
they pass through the FortiGate unit.
For more information on firewall policies, see the firewall chapter of the FortiGate
Administration Guide.

Configuring routing
As a minimum, you need to configure a default static route to a gateway with access to an
external network for outbound packets. In more complex cases, you will have to configure
different static or dynamic routes based on packet source and destination addresses.
As with firewalls, you need to configure routes for VLAN traffic. VLANs need routing and a
gateway configured to send and receive packets outside their local subnet just as physical
interfaces do. The type of routing you configure, static or dynamic, will depend on the
routing used by the subnet and interfaces you are connecting to. Dynamic routing can be
routing information protocol (RIP), border gateway protocol (BGP), open shortest path first
(OSPF), or multicast.
If you enable SSH, PING, TELNET, HTTPS and HTTP on the VLAN, you can use those
protocols to troubleshoot your routing and test that it is properly configured. Enabling
logging on the interfaces and using CLI diag commands such as diag sniff packet
<interface_name> can also help locate any possible configuration or hardware issues.
Routing and logging are explained in the FortiGate Administration Guide and the
FortiGate CLI Reference.


Example VLAN configuration in NAT/Route mode


In this example two different internal VLAN networks share one interface on the FortiGate
unit, and share the connection to the Internet.
This configuration could apply to two departments in a single company, or to different
companies. The main point is that the networks can keep their traffic separate while
sharing one FortiGate interface.
This section includes the following topics:
• Network topology and assumptions
• General configuration steps
• Configuring the FortiGate unit
• Configuring the VLAN switch
• Testing the configuration

Network topology and assumptions


There are two different internal network VLANs in this example. VLAN_100 is on the
10.1.1.0/255.255.255.0 subnet, and VLAN_200 is on the 10.1.2.0/255.255.255.0 subnet.
These VLANs are connected to a VLAN switch, such as a Cisco Catalyst 2950 switch.
The FortiGate internal interface connects to the VLAN switch through an 802.1Q trunk.
The internal interface has an IP address of 192.168.110.126 and is configured with two
VLAN subinterfaces (VLAN_100 and VLAN_200). The external interface has an IP
address of 172.16.21.2 and connects to the Internet. The external interface has no VLAN
subinterfaces on it.
Figure 2 shows the configuration for this example.

Figure 2: FortiGate unit with VLANs in NAT/Route mode

[Figure: the FortiGate external interface (172.16.21.2) carries untagged packets to the Internet; the internal interface (192.168.110.126) connects over an 802.1Q trunk to port Fa 0/24 of the VLAN switch; switch ports Fa 0/3 and Fa 0/9 carry VLAN 100 (the 10.1.1.0 network) and VLAN 200 (the 10.1.2.0 network).]


When the VLAN switch receives packets from VLAN_100 and VLAN_200, it applies VLAN
ID tags and forwards the packets of each VLAN both to local ports and to the FortiGate
unit across the trunk link. The FortiGate unit has policies that allow traffic to flow between
the VLANs, and from the VLANs to the external network.
This section describes how to configure a FortiGate-800 unit and a Cisco Catalyst 2950
switch for this example network topology. The Cisco configuration commands used in this
section are IOS commands.
It is assumed that both the FortiGate-800 and the Cisco 2950 switch are installed and
connected and that basic configuration has been completed. On the switch, you will need
to be able to access the CLI to enter commands. Refer to the manual for your FortiGate
model as well as the manual for the switch you select for more information.
It is also assumed that no VDOMs are enabled.
This section includes the following topics:
• Configuring the FortiGate unit
• Configuring the VLAN switch
• Testing the configuration

General configuration steps


The following steps provide an overview of configuring and testing the hardware used in
this example. For best results in this configuration, follow the procedures in the order
given. Also, note that if you perform any additional actions between procedures, your
configuration may have different results.
1 Configuring the FortiGate unit
• Configuring the external interface
• Adding two VLAN subinterfaces to the internal network interface
• Adding firewall addresses and address ranges for the internal and external
networks
• Adding firewall policies to allow:
• the VLAN networks to access each other
• the VLAN networks to access the external network.
2 Configuring the VLAN switch
3 Testing the configuration.

Configuring the FortiGate unit


Configuring the FortiGate unit includes:
• Configuring the external interface
• Adding VLAN subinterfaces
• Adding the firewall addresses
• Adding the firewall policies

Configuring the external interface


The FortiGate unit’s external interface will provide access to the Internet for all internal
networks, including the two VLANs.

To configure the external interface - web-based manager


1 Go to System > Network > Interface.


2 Select Edit for the external interface.


3 Enter the following information and select OK:

    Addressing mode    Manual
    IP/Netmask         172.16.21.2/255.255.255.0

To configure the external interface - CLI


config system interface
    edit external
        set mode static
        set ip 172.16.21.2 255.255.255.0
    next
end

Adding VLAN subinterfaces


This step creates the VLANs on the FortiGate unit internal physical interface. The IP
address of the internal interface does not matter to us, as long as it does not overlap with
the subnets of the VLAN subinterfaces we are configuring on it.
The rest of this example shows how to configure the VLAN behavior on the FortiGate unit,
configure the switches to direct VLAN traffic the same as the FortiGate unit, and test that
the configuration is correct.
Adding VLAN subinterfaces can be completed through the web-based manager, or the
CLI.

To add VLAN subinterfaces - web-based manager


1 Go to System > Network > Interface.
2 Select Create New.
3 Enter the following information and select OK:

    Name                     VLAN_100
    Interface                internal
    VLAN ID                  100
    Addressing mode          Manual
    IP/Netmask               10.1.1.1/255.255.255.0
    Administrative Access    HTTPS, PING, TELNET

4 Select Create New.


5 Enter the following information and select OK:

    Name                     VLAN_200
    Interface                internal
    VLAN ID                  200
    Addressing mode          Manual
    IP/Netmask               10.1.2.1/255.255.255.0
    Administrative Access    HTTPS, PING, TELNET

To add VLAN subinterfaces - CLI


config system interface
    edit VLAN_100
        set vdom root
        set interface internal
        set type vlan
        set vlanid 100
        set mode static
        set ip 10.1.1.1 255.255.255.0
        set allowaccess https ping telnet
    next
    edit VLAN_200
        set vdom root
        set interface internal
        set type vlan
        set vlanid 200
        set mode static
        set ip 10.1.2.1 255.255.255.0
        set allowaccess https ping telnet
    next
end

Adding the firewall addresses


You need to define the addresses of the VLAN subnets for use in firewall policies. The
FortiGate unit provides one default address, “all”, that you can use when a firewall policy
applies to all addresses as a source or destination of a packet. However, using “all” is less
secure and should be avoided when possible.
In this example, the “_Net” part of the address name indicates a range of addresses
instead of a unique address. When choosing firewall address names, keep them
informative and unique.

To add the firewall addresses - web-based manager


1 Go to Firewall > Address.
2 Select Create New.
3 Enter the following information and select OK:

    Address Name         VLAN_100_Net
    Type                 Subnet / IP Range
    Subnet / IP Range    10.1.1.0/255.255.255.0

4 Select Create New.


5 Enter the following information and select OK:

    Address Name         VLAN_200_Net
    Type                 Subnet / IP Range
    Subnet / IP Range    10.1.2.0/255.255.255.0

To add the firewall addresses - CLI


config firewall address
    edit VLAN_100_Net
        set type ipmask
        set subnet 10.1.1.0 255.255.255.0
    next
    edit VLAN_200_Net
        set type ipmask
        set subnet 10.1.2.0 255.255.255.0
    next
end

Adding the firewall policies


Once you have assigned addresses to the VLANs, you need to configure firewall policies
for them to allow valid packets to pass from one VLAN to another and to the Internet.
Note: You can customize the Firewall Policy display by including some or all columns, and
customize the column order onscreen. Due to this feature, firewall policy screenshots may
not appear the same as on your screen.

If you do not want to allow all services on a VLAN, you can create a firewall policy for each
service you want to allow. This example allows all services.

To add the firewall policies - web-based manager


1 Go to Firewall > Policy.
2 Select Create New.
3 Enter the following information and select OK:

    Source Interface/Zone         VLAN_100
    Source Address                VLAN_100_Net
    Destination Interface/Zone    VLAN_200
    Destination Address           VLAN_200_Net
    Schedule                      Always
    Service                       ANY
    Action                        ACCEPT
    Enable NAT                    Enable

4 Select Create New.


5 Enter the following information and select OK:

    Source Interface/Zone         VLAN_200
    Source Address                VLAN_200_Net
    Destination Interface/Zone    VLAN_100
    Destination Address           VLAN_100_Net
    Schedule                      Always
    Service                       ANY
    Action                        ACCEPT
    Enable NAT                    Enable

6 Select Create New.
7 Enter the following information and select OK:

    Source Interface/Zone         VLAN_100
    Source Address                VLAN_100_Net
    Destination Interface/Zone    external
    Destination Address           all
    Schedule                      Always
    Service                       ANY
    Action                        ACCEPT
    Enable NAT                    Enable

8 Select Create New.


9 Enter the following information and select OK:

    Source Interface/Zone         VLAN_200
    Source Address                VLAN_200_Net
    Destination Interface/Zone    external
    Destination Address           all
    Schedule                      Always
    Service                       ANY
    Action                        ACCEPT
    Enable NAT                    Enable

To add the firewall policies - CLI


config firewall policy
    edit 1
        set srcintf VLAN_100
        set srcaddr VLAN_100_Net
        set dstintf VLAN_200
        set dstaddr VLAN_200_Net
        set schedule always
        set service ANY
        set action accept
        set nat enable
        set status enable
    next
    edit 2
        set srcintf VLAN_200
        set srcaddr VLAN_200_Net
        set dstintf VLAN_100
        set dstaddr VLAN_100_Net
        set schedule always
        set service ANY
        set action accept
        set nat enable
        set status enable
    next
    edit 3
        set srcintf VLAN_100
        set srcaddr VLAN_100_Net
        set dstintf external
        set dstaddr all
        set schedule always
        set service ANY
        set action accept
        set nat enable
        set status enable
    next
    edit 4
        set srcintf VLAN_200
        set srcaddr VLAN_200_Net
        set dstintf external
        set dstaddr all
        set schedule always
        set service ANY
        set action accept
        set nat enable
        set status enable
    next
end
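The following Python model is added here as an example and is not FortiOS code or part of this handbook. It evaluates packets against the four policies above with first-match semantics (the first policy whose source interface, source address, destination interface, destination address and service all match decides the packet; no match means drop), using the interface and address names of this example; the packet values are constructed, with 203.0.113.5 standing in for an Internet host.

```python
"""First-match model of the NAT/Route example's firewall policies (added example)."""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import List, Optional

# Firewall address objects from "To add the firewall addresses - CLI", plus the default "all".
ADDRESSES = {
    "all": IPv4Network("0.0.0.0/0"),
    "VLAN_100_Net": IPv4Network("10.1.1.0/24"),
    "VLAN_200_Net": IPv4Network("10.1.2.0/24"),
}


@dataclass(frozen=True)
class Policy:
    number: int
    srcintf: str
    srcaddr: str
    dstintf: str
    dstaddr: str
    service: str = "ANY"
    action: str = "accept"
    nat: bool = False


# The four policies from "To add the firewall policies - CLI", in policy order.
POLICIES: List[Policy] = [
    Policy(1, "VLAN_100", "VLAN_100_Net", "VLAN_200", "VLAN_200_Net", nat=True),
    Policy(2, "VLAN_200", "VLAN_200_Net", "VLAN_100", "VLAN_100_Net", nat=True),
    Policy(3, "VLAN_100", "VLAN_100_Net", "external", "all", nat=True),
    Policy(4, "VLAN_200", "VLAN_200_Net", "external", "all", nat=True),
]


@dataclass(frozen=True)
class Packet:
    ingress: str        # VLAN subinterface or physical interface the packet arrived on
    egress: str         # interface chosen by the routing lookup
    src: str
    dst: str
    service: str = "HTTP"


def policy_matches(p: Policy, pkt: Packet) -> bool:
    """All five match fields must agree; service ANY matches every service."""
    return (p.srcintf == pkt.ingress
            and p.dstintf == pkt.egress
            and IPv4Address(pkt.src) in ADDRESSES[p.srcaddr]
            and IPv4Address(pkt.dst) in ADDRESSES[p.dstaddr]
            and p.service in ("ANY", pkt.service))


def first_match(policies: List[Policy], pkt: Packet) -> Optional[Policy]:
    """Return the first matching policy, or None for the implicit deny."""
    for p in policies:
        if policy_matches(p, pkt):
            return p
    return None


def decide(policies: List[Policy], pkt: Packet) -> str:
    """Verdict text: 'accept+nat by policy N' or 'drop (implicit deny)'."""
    p = first_match(policies, pkt)
    if p is None:
        return "drop (implicit deny)"
    return f"{p.action}{'+nat' if p.nat else ''} by policy {p.number}"


if __name__ == "__main__":
    # Host on VLAN_100 reaching the VLAN_200 host used in the tracert test: policy 1.
    print(decide(POLICIES, Packet("VLAN_100", "VLAN_200", "10.1.1.10", "10.1.2.2")))
    # Same host reaching the Internet: policy 3, with source NAT.
    print(decide(POLICIES, Packet("VLAN_100", "external", "10.1.1.10", "203.0.113.5")))
    # Unsolicited inbound from the Internet: no policy, so it is dropped.
    print(decide(POLICIES, Packet("external", "VLAN_100", "203.0.113.5", "10.1.1.10")))
    # Packet on VLAN_100 carrying a VLAN_200 source address: srcaddr VLAN_100_Net
    # rejects it, which a policy with source "all" would have let through.
    print(decide(POLICIES, Packet("VLAN_100", "VLAN_200", "10.1.2.7", "10.1.2.2")))
```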

Configuring the VLAN switch


On the Cisco Catalyst 2950 VLAN switch, you need to define VLANs 100 and 200 in the
VLAN database, and then add a configuration file to define the VLAN subinterfaces and
the 802.1Q trunk interface.
One method to configure a Cisco switch is to connect over a serial connection to the
console port on the switch, and enter the commands at the CLI. Another method is to
designate one interface on the switch as the management interface and use a web
browser to connect to the switch’s graphical interface. For details on connecting and
configuring your Cisco switch, refer to the installation and configuration manuals for the
switch.
The switch used in this example is a Cisco Catalyst 2950 switch. The commands used are
IOS commands. Refer to the switch manual for help with these commands.

To configure the VLAN subinterfaces and the trunk interfaces


Add this file to the Cisco switch:
!
interface FastEthernet0/3
    switchport access vlan 100
!
interface FastEthernet0/9
    switchport access vlan 200
!
interface FastEthernet0/24
    switchport trunk encapsulation dot1q
    switchport mode trunk
!
The switch has the following configuration:

    Port 0/3     VLAN ID 100
    Port 0/9     VLAN ID 200
    Port 0/24    802.1Q trunk

Note: To complete the setup, configure devices on VLAN_100 and VLAN_200 with default
gateways. The default gateway for VLAN_100 is the FortiGate VLAN_100 subinterface.
The default gateway for VLAN_200 is the FortiGate VLAN_200 subinterface.

Testing the configuration


Use diagnostic commands, such as tracert, to test traffic routed through the
FortiGate unit and the Cisco switch.

Testing traffic from VLAN_100 to VLAN_200


In this example, a route is traced between the two internal networks. The route target is a
host on VLAN_200.
Access a command prompt on a Windows computer on the VLAN_100 network, and enter
the following command:
C:\>tracert 10.1.2.2
Tracing route to 10.1.2.2 over a maximum of 30 hops:
1 <10 ms <10 ms <10 ms 10.1.1.1
2 <10 ms <10 ms <10 ms 10.1.2.2
Trace complete.

Testing traffic from VLAN_200 to the external network


In this example, a route is traced from an internal network to the external network. The
route target is the external network interface of the FortiGate-800 unit.
From VLAN_200, access a command prompt and enter this command:
C:\>tracert 172.16.21.2
Tracing route to 172.16.21.2 over a maximum of 30 hops:
1 <10 ms <10 ms <10 ms 10.1.2.1
2 <10 ms <10 ms <10 ms 172.16.21.2
Trace complete.

VLANs in Transparent mode


In Transparent mode, the FortiGate unit behaves like a layer-2 bridge but can still provide
services such as antivirus scanning, web filtering, spam filtering and intrusion protection to
traffic. There are some limitations in Transparent mode in that you cannot use SSL VPN,
PPTP/L2TP VPN, DHCP server, or easily perform NAT on traffic. The limits in Transparent
mode apply to IEEE 802.1Q VLAN trunks passing through the unit.
This section includes the following sections:
• VLANs and Transparent mode
• Example of VLANs in Transparent mode


VLANs and Transparent mode


You can insert the FortiGate unit operating in Transparent mode into the VLAN trunk
without making changes to your network. In a typical configuration, the FortiGate unit
internal interface accepts VLAN packets on a VLAN trunk from a VLAN switch or router
connected to internal network VLANs. The FortiGate unit external interface forwards
VLAN-tagged packets through another VLAN trunk to an external VLAN switch or router
and on to external networks such as the Internet. You can configure the unit to apply
different policies for traffic on each VLAN in the trunk.
To pass VLAN traffic through the FortiGate unit, you add two VLAN subinterfaces with the
same VLAN ID, one to the internal interface and the other to the external interface. You
then create a firewall policy to permit packets to flow from the internal VLAN interface to
the external VLAN interface. If required, you create another firewall policy to permit
packets to flow from the external VLAN interface to the internal VLAN interface. Typically
in Transparent mode, you do not permit packets to move between different VLANs.
Network protection features, such as spam filtering, web filtering and anti-virus scanning,
are applied through the protection profile specified in each firewall policy, enabling very
detailed control over traffic.
When the FortiGate unit receives a VLAN-tagged packet at a physical interface, it directs
the packet to the VLAN subinterface with the matching VLAN ID. The VLAN tag is
removed from the packet, and the FortiGate unit then applies firewall policies using the
same method it uses for non-VLAN packets. If the packet exits the FortiGate unit through
a VLAN subinterface, the VLAN ID for that subinterface is added to the packet and the
packet is sent to the corresponding physical interface. For a configuration example, see
“Example of VLANs in Transparent mode” on page 66.
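The tag handling described in the previous paragraph, as an added Python model that is not FortiOS code: frames are constructed inline, the subinterface and policy names are those of "Example of VLANs in Transparent mode" later in this chapter, and the model forwards only to the subinterface with the same VLAN ID on the other physical interface, as that example's policies do.

```python
"""Model of Transparent-mode 802.1Q handling on a FortiGate unit (added example)."""
import struct
from typing import Dict, Optional, Set, Tuple

TPID_8021Q = 0x8100          # EtherType value that announces an 802.1Q tag

# (physical interface, VLAN ID) -> VLAN subinterface that receives the frame.
SUBINTERFACES: Dict[Tuple[str, int], str] = {
    ("internal", 100): "VLAN_100_int",
    ("external", 100): "VLAN_100_ext",
    ("internal", 200): "VLAN_200_int",
    ("external", 200): "VLAN_200_ext",
}
# (srcintf, dstintf) pairs that have an accept policy; no pair crosses VLANs.
POLICIES: Set[Tuple[str, str]] = {
    ("VLAN_100_int", "VLAN_100_ext"), ("VLAN_100_ext", "VLAN_100_int"),
    ("VLAN_200_int", "VLAN_200_ext"), ("VLAN_200_ext", "VLAN_200_int"),
}
PEER = {"internal": "external", "external": "internal"}


def check_vlan_id(vid: int) -> None:
    """Usable IDs are 1..4094: 0 means priority-tagged only and 4095 is reserved."""
    if not 1 <= vid <= 4094:
        raise ValueError(f"VLAN ID {vid} is not a usable 802.1Q VLAN ID")


def strip_tag(frame: bytes) -> Tuple[Optional[int], bytes]:
    """Return (vid, frame without its tag); vid is None for an untagged frame."""
    if len(frame) < 18:
        raise ValueError("frame too short for an Ethernet header plus tag")
    tpid, tci = struct.unpack("!HH", frame[12:16])
    if tpid != TPID_8021Q:
        return None, frame
    return tci & 0x0FFF, frame[:12] + frame[16:]   # VID is the low 12 bits of the TCI


def add_tag(frame: bytes, vid: int, pcp: int = 0) -> bytes:
    """Insert an 802.1Q tag between the source MAC and the EtherType."""
    check_vlan_id(vid)
    tci = ((pcp & 0x7) << 13) | (vid & 0x0FFF)
    return frame[:12] + struct.pack("!HH", TPID_8021Q, tci) + frame[12:]


def forward(ingress_phys: str, frame: bytes) -> Optional[Tuple[str, bytes]]:
    """Return (egress physical interface, re-tagged frame), or None if dropped.

    Ingress: strip the tag and hand the frame to the subinterface with that VID.
    Policy: require an accept policy from that subinterface to the one with the
    same VID on the other physical interface. Egress: put the tag back.
    Priority bits are not carried over in this model.
    """
    vid, untagged = strip_tag(frame)
    if vid is None:
        return None          # untagged frames belong to the physical interface, which has no policy here
    try:
        check_vlan_id(vid)
    except ValueError:
        return None
    srcintf = SUBINTERFACES.get((ingress_phys, vid))
    if srcintf is None:
        return None          # no subinterface with this VID on this port
    egress_phys = PEER[ingress_phys]
    dstintf = SUBINTERFACES.get((egress_phys, vid))
    if dstintf is None or (srcintf, dstintf) not in POLICIES:
        return None          # no firewall policy: implicit deny
    return egress_phys, add_tag(untagged, vid)


def build_frame(vid: Optional[int], payload: bytes = b"\x00" * 46) -> bytes:
    """Constructed test frame: two MACs, optional tag, IPv4 EtherType, payload."""
    macs = bytes.fromhex("0011223344550066778899aa")
    tag = struct.pack("!HH", TPID_8021Q, vid & 0x0FFF) if vid is not None else b""
    return macs + tag + struct.pack("!H", 0x0800) + payload
```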
There are two essential steps to configure your FortiGate unit to work with VLANs in
Transparent mode:
• Adding VLAN subinterfaces
• Creating firewall policies.
You can also configure the protection profiles that manage antivirus scanning, web filtering
and spam filtering. Protection profiles are covered in the FortiGate Administration Guide.
In Transparent mode, you can access the FortiGate web-based manager by connecting to
an interface configured for administrative access and using HTTPS to access the
management IP address. On the FortiGate-800, the model used for examples in this
guide, administrative access is enabled by default on the internal interface and the default
management IP address is 10.10.10.1.

Adding VLAN subinterfaces


The VLAN ID of each VLAN subinterface must match the VLAN ID added by the
IEEE 802.1Q-compliant router or switch. The VLAN ID can be any number between 1 and
4094, with 0 being used only for high priority frames and 4095 being reserved. You add
VLAN subinterfaces to the physical interface that receives VLAN-tagged packets.
For this example, we are creating a VLAN called internal_v225 on the internal interface,
with a VLAN ID of 225. Administrative access is enabled for HTTPS and SSH. VDOMs are
not enabled.

To add VLAN subinterfaces in Transparent mode - web-based manager


1 Go to System > Network > Interface.
2 Select Create New.
3 Enter the following information and select OK:

    Name                     internal_v225
    Type                     VLAN
    Interface                internal
    VLAN ID                  225
    Ping Server              not enabled
    Administrative Access    Enable HTTPS and SSH; these are very secure access methods.
    Description              VLAN 225 on internal interface

The FortiGate unit adds the new subinterface to the interface that you selected.
Repeat steps 2 and 3 to add additional VLANs. You will need to change the VLAN ID,
Name, and possibly Interface when adding additional VLANs.

To add VLAN subinterfaces in Transparent mode - CLI


config system interface
    edit internal_v225
        set vdom root
        set type vlan
        set interface internal
        set vlanid 225
        set allowaccess https ssh
        set description "VLAN 225 on internal interface"
    next
end

Creating firewall policies


Firewall policies permit communication between the FortiGate unit’s network interfaces
based on source and destination IP addresses. Optionally, you can limit communication to
particular times and services.
In Transparent mode, the FortiGate unit performs antivirus and antispam scanning on
each VLAN’s packets as they pass through the unit. You need firewall policies to permit
packets to pass from the VLAN interface where they enter the unit to the VLAN interface
where they exit the unit. If there are no firewall policies configured, no packets will be
allowed to pass from one interface to another.

To add firewall policies for VLAN subinterfaces - web based manager


1 Go to Firewall > Address.
2 Select Create New to add firewall addresses that match the source and destination IP
addresses of VLAN packets.
3 Go to Firewall > Policy.
4 Select Create New.
5 From the Source Interface/Zone list, select the VLAN interface where packets enter the
unit.
6 From the Destination Interface/Zone list, select the VLAN interface where packets exit
the unit.
7 Select the Source and Destination Address names that you added in step 2.
8 Select Protection Profile, and select the profile from the list.
9 Configure other settings as required.


10 Select OK.

To add firewall policies for VLAN subinterfaces - CLI


config firewall address
    edit incoming_VLAN_address
        set associated-interface <incoming_VLAN_interface>
        set type ipmask
        set subnet <IPv4_address_mask>
    next
    edit outgoing_VLAN_address
        set associated-interface <outgoing_VLAN_interface>
        set type ipmask
        set subnet <IPv4_address_mask>
    next
end
config firewall policy
    edit <unused_policy_number>
        set srcintf <incoming_VLAN_interface>
        set srcaddr incoming_VLAN_address
        set dstintf <outgoing_VLAN_interface>
        set dstaddr outgoing_VLAN_address
        set schedule always
        set service <protocol_to_allow_on_VLAN>
        set action accept
        set profile-status enable
        set profile <selected_profile>
    next
end

Example of VLANs in Transparent mode


In this example, the FortiGate unit is operating in Transparent mode and is configured with
two VLANs—one with an ID of 100 and the other with ID 200. The internal and external
physical interfaces each have two VLAN subinterfaces, one for VLAN_100 and one for
VLAN_200.
This section includes the following topics:
• Network topology and assumptions
• General configuration steps
• Configuring the FortiGate unit
• Configuring the Cisco switch and router
• Testing the configuration

Network topology and assumptions


The network topology for this example is straightforward, with two internal networks
entering the FortiGate unit on one physical interface, and leaving on another physical
interface.
The IP range for the internal VLAN_100 network is 10.100.0.0/255.255.0.0, and for the
internal VLAN_200 network is 10.200.0.0/255.255.0.0.


The internal networks are connected to a Cisco 2950 VLAN switch, which combines traffic
from the two VLANs onto one physical interface—the FortiGate unit internal interface. The
VLAN traffic leaves the FortiGate unit on the external network interface, goes on to the
VLAN switch, and on to the Internet. When the FortiGate unit receives a tagged packet, it
directs it from the incoming VLAN subinterface to the outgoing VLAN subinterface for that
VLAN.
This section describes how to configure a FortiGate-800 unit, Cisco switch, and Cisco
router in the network topology shown in Figure 3.

Figure 3: VLAN Transparent network topology

[Figure: the VLAN router (10.100.0.1 and 10.200.0.1) connects to the Internet and, over an 802.1Q trunk, to the external interface of the FortiGate unit in Transparent mode; the FortiGate internal interface connects over another 802.1Q trunk to port Fa0/24 of the VLAN switch; switch ports Fa0/3 and Fa0/9 carry VLAN 100 (10.100.0.0) and VLAN 200 (10.200.0.0).]

General configuration steps


The following steps summarize the configuration for this example. For best results, follow
the procedures in the order given. Also, note that if you perform any additional actions
between procedures, your configuration may have different results.
1 Configuring the FortiGate unit includes
• Adding VLAN subinterfaces
• Adding the firewall policies
2 Configuring the Cisco switch and router
3 Testing the configuration

Configuring the FortiGate unit


The FortiGate unit must be configured with the VLAN subinterfaces and the proper firewall
policies to enable traffic to flow through the FortiGate unit.
This section includes the following topics:
• Adding VLAN subinterfaces
• Adding the firewall policies

Adding VLAN subinterfaces


For each VLAN, you need to create a VLAN subinterface on the internal interface and
another one on the external interface, both with the same VLAN ID.

To add VLAN subinterfaces - web-based manager


1 Go to System > Network > Interface.
2 Select Create New.
3 Enter the following information and select OK:

    Name         VLAN_100_int
    Interface    internal
    VLAN ID      100

4 Select Create New.


5 Enter the following information and select OK:

    Name         VLAN_100_ext
    Interface    external
    VLAN ID      100

6 Select Create New.


7 Enter the following information and select OK:

    Name         VLAN_200_int
    Interface    internal
    VLAN ID      200

8 Select Create New.


9 Enter the following information and select OK:

    Name         VLAN_200_ext
    Interface    external
    VLAN ID      200

To add VLAN subinterfaces - CLI


config system interface
    edit VLAN_100_int
        set status down
        set type vlan
        set interface internal
        set vlanid 100
    next
    edit VLAN_100_ext
        set status down
        set type vlan
        set interface external
        set vlanid 100
    next
    edit VLAN_200_int
        set status down
        set type vlan
        set interface internal
        set vlanid 200
    next
    edit VLAN_200_ext
        set status down
        set type vlan
        set interface external
        set vlanid 200
    next
end

Adding the firewall policies


Firewall policies allow packets to travel between the VLAN_100_int interface and the
VLAN_100_ext interface. Two policies are required—one for each direction of traffic. The
same is required between the VLAN_200_int interface and the VLAN_200_ext interface,
for a total of four required firewall policies.

To add the firewall policies - web-based manager


1 Go to Firewall > Policy.
2 Select Create New.
3 Enter the following information and select OK:

    Source Interface/Zone         VLAN_100_int
    Source Address                all
    Destination Interface/Zone    VLAN_100_ext
    Destination Address           all
    Schedule                      Always
    Service                       ANY
    Action                        ACCEPT

4 Select Create New.


5 Enter the following information and select OK:

    Source Interface/Zone         VLAN_100_ext
    Source Address                all
    Destination Interface/Zone    VLAN_100_int
    Destination Address           all
    Schedule                      Always
    Service                       ANY
    Action                        ACCEPT

6 Go to Firewall > Policy.


7 Select Create New.
8 Enter the following information and select OK:

    Source Interface/Zone         VLAN_200_int
    Source Address                all
    Destination Interface/Zone    VLAN_200_ext
    Destination Address           all
    Schedule                      Always
    Service                       ANY
    Action                        ACCEPT
    Enable NAT                    enable

9 Select Create New.


10 Enter the following information and select OK:

    Source Interface/Zone         VLAN_200_ext
    Source Address                all
    Destination Interface/Zone    VLAN_200_int
    Destination Address           all
    Schedule                      Always
    Service                       ANY
    Action                        ACCEPT

To add the firewall policies - CLI


config firewall policy
    edit 1
        set srcintf VLAN_100_int
        set srcaddr all
        set dstintf VLAN_100_ext
        set dstaddr all
        set action accept
        set schedule always
        set service ANY
    next
    edit 2
        set srcintf VLAN_100_ext
        set srcaddr all
        set dstintf VLAN_100_int
        set dstaddr all
        set action accept
        set schedule always
        set service ANY
    next
    edit 3
        set srcintf VLAN_200_int
        set srcaddr all
        set dstintf VLAN_200_ext
        set dstaddr all
        set action accept
        set schedule always
        set service ANY
    next
    edit 4
        set srcintf VLAN_200_ext
        set srcaddr all
        set dstintf VLAN_200_int
        set dstaddr all
        set action accept
        set schedule always
        set service ANY
    next
end

Configuring the Cisco switch and router


This example includes configuration for the Cisco Catalyst 2900 ethernet switch and for
the Cisco Multiservice 2620 ethernet router. If you have access to a different VLAN-enabled
switch or VLAN router, you can use it instead; however, its configuration is not included in
this document.
This section includes the following topics:
• Configuring the Cisco switch
• Configuring the Cisco router

Configuring the Cisco switch


On the VLAN switch, you need to define VLAN_100 and VLAN_200 in the VLAN database
and then add a configuration file to define the VLAN subinterfaces and the 802.1Q trunk
interface.
Add this file to the Cisco switch:
interface FastEthernet0/3
    switchport access vlan 100
!
interface FastEthernet0/9
    switchport access vlan 200
!
interface FastEthernet0/24
    switchport trunk encapsulation dot1q
    switchport mode trunk
!
The switch has the following configuration:

    Port 0/3     VLAN ID 100
    Port 0/9     VLAN ID 200
    Port 0/24    802.1Q trunk

Configuring the Cisco router


You need to add a configuration file to the Cisco Multiservice 2620 ethernet router. The file
defines the VLAN subinterfaces and the 802.1Q trunk interface on the router. The 802.1Q
trunk is the physical interface on the router.
The IP address for each VLAN on the router is the gateway for that VLAN. For example,
all devices on the internal VLAN_100 network will have 10.100.0.1 as their gateway.
Add this file to the Cisco router:
!
interface FastEthernet0/0
!
interface FastEthernet0/0.1
    encapsulation dot1Q 100
    ip address 10.100.0.1 255.255.255.0
!
interface FastEthernet0/0.2
    encapsulation dot1Q 200
    ip address 10.200.0.1 255.255.255.0
!
The router has the following configuration:

    Port 0/0.1    VLAN ID 100
    Port 0/0.2    VLAN ID 200
    Port 0/0      802.1Q trunk

Testing the configuration


Use diagnostic network commands such as traceroute (tracert) and ping to test traffic
routed through the network.

Testing traffic from VLAN_100 to VLAN_200


In this example, a route is traced between the two internal networks. The route target is a
host on VLAN_200. The Windows traceroute command tracert is used.
From VLAN_100, access a Windows command prompt and enter this command:
C:\>tracert 10.1.2.2
Tracing route to 10.1.2.2 over a maximum of 30 hops:
1 <10 ms <10 ms <10 ms 10.1.1.1
2 <10 ms <10 ms <10 ms 10.1.2.2
Trace complete.

Troubleshooting VLAN problems


Several problems can occur with your VLANs. Since VLANs are interfaces with IP
addresses, they behave as interfaces and can have similar problems with similar solutions
such as ping, traceroute, packet sniffing, and diag debug. For more information on these
basic troubleshooting methods, see “Troubleshooting static routing” on page 29.


However some problems are more specific to VLANs. This chapter provides solutions to
these problems, under the following topics:
• Asymmetric routing
• Layer-2 and Arp traffic
• NetBIOS
• STP forwarding
• Too many VLAN interfaces

Asymmetric routing
You might discover unexpectedly that hosts on some networks are unable to reach certain
other networks. This occurs when request and response packets follow different paths. If
the FortiGate unit recognizes the response packets, but not the requests, it blocks the
packets as invalid. Also, if the FortiGate unit recognizes the same packets repeated on
multiple interfaces, it blocks the session as a potential attack.
This is asymmetric routing. By default, the FortiGate unit blocks packets or drops the
session when this happens. You can configure the FortiGate unit to permit asymmetric
routing by using the following CLI command:
config vdom
    edit <vdom_name>
        config system settings
            set asymroute enable
        end
end
If VDOMs are enabled, this command is per VDOM—you must set it for each VDOM that
has the problem.
If this solves your blocked traffic problem, you know that asymmetric routing is the cause.
But allowing asymmetric routing is not the best solution, because it reduces the security of
your network.
For a long-term solution, it is better to change your routing configuration or change how
your FortiGate unit connects to your network. The Asymmetric Routing and Other
FortiGate Layer-2 Installation Issues technical note provides detailed examples of
asymmetric routing situations and possible solutions.
Caution: If you enable asymmetric routing, antivirus and intrusion prevention systems will
not be effective. Your FortiGate unit will be unaware of connections and treat each packet
individually. It will become a stateless firewall.
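To make the mechanism behind this behaviour concrete, here is an added example (not from the Handbook and not FortiOS code) of a toy session table. The interface names, hosts and routes in it are constructed; the model shows only why a reply that arrives on an interface other than the one the request left by is dropped, why a repeat of a known session on another interface is dropped, and that permitting asymmetric routing works by giving up the session match altogether.

```python
# Added example, not from the FortiOS Handbook: a toy session table that shows
# why a stateful firewall drops replies that take a different path than the
# request, and what allowing asymmetric routing (the asymroute setting) gives up.
from dataclasses import dataclass
from typing import Dict, Tuple

SessionKey = Tuple[str, int, str, int]   # (src, sport, dst, dport)

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    iface: str          # interface the packet arrived on
    syn: bool = False   # True for the packet that opens a session

class ToyStatefulFirewall:
    def __init__(self, routes: Dict[str, str], asymroute: bool = False):
        self.routes = routes        # constructed: destination host -> egress interface
        self.asymroute = asymroute
        # session key -> (interface the request came in on, interface it left by)
        self.sessions: Dict[SessionKey, Tuple[str, str]] = {}

    def forward(self, pkt: Packet) -> str:
        key: SessionKey = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        reverse: SessionKey = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if key in self.sessions:
            in_if, _ = self.sessions[key]
            if pkt.iface != in_if and not self.asymroute:
                return "drop: same session seen on another interface"
            return "accept"
        if reverse in self.sessions:
            _, out_if = self.sessions[reverse]
            if pkt.iface != out_if and not self.asymroute:
                return "drop: reply arrived on an unexpected interface"
            return "accept"
        if pkt.syn:
            if pkt.dst not in self.routes:
                return "drop: no route"
            self.sessions[key] = (pkt.iface, self.routes[pkt.dst])
            return "accept"
        if self.asymroute:
            # No session to match against: each packet is judged on its own.
            return "accept (stateless)"
        return "drop: no session for this packet"

def demo(asymroute: bool) -> Dict[str, str]:
    """Run the same four packets through the firewall and return the verdicts."""
    routes = {"10.1.2.20": "dmz", "10.1.1.10": "internal"}   # constructed topology
    fw = ToyStatefulFirewall(routes, asymroute)
    request = Packet("10.1.1.10", "10.1.2.20", 40000, 80, "internal", syn=True)
    reply_ok = Packet("10.1.2.20", "10.1.1.10", 80, 40000, "dmz")
    reply_asym = Packet("10.1.2.20", "10.1.1.10", 80, 40000, "wan")
    orphan = Packet("10.1.2.20", "10.1.1.10", 443, 50000, "dmz")
    return {
        "request": fw.forward(request),
        "reply on expected path": fw.forward(reply_ok),
        "reply on other path": fw.forward(reply_asym),
        "reply with no request": fw.forward(orphan),
    }
```

Compare demo(False) with demo(True): the stateless branch is what the Caution above describes, because without a session there is nothing for antivirus or IPS to reassemble a connection from.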

Layer-2 and Arp traffic


By default, FortiGate units do not pass layer-2 traffic. If there are layer-2 protocols such as
IPX, PPTP or L2TP in use on your network, you need to configure your FortiGate unit
interfaces to pass these protocols without blocking. Another type of layer-2 traffic is ARP
traffic. For more information on ARP traffic, see “ARP traffic” on page 74.
You can allow these layer-2 protocols using the CLI command:
config vdom
    edit <vdom_name>
        config system interface
            edit <name_str>
                set l2forward enable
            end
end

where <name_str> is the name of an interface.


If VDOMs are enabled, this command is per VDOM—you must set it for each VDOM that
has the problem.
If you enable layer-2 traffic, you may experience a problem if packets are allowed to
repeatedly loop through the network. This repeated looping, very similar to a broadcast
storm, happens when you have more than one layer-2 path to a destination—traffic may
overflow and bring your network to a halt. You can break the loop by enabling Spanning
Tree Protocol (STP) on your network’s switches and routers. For more information, see
“STP forwarding” on page 77.

ARP traffic
Address Resolution Protocol (ARP) packets are vital to communication on a network, and
ARP support is enabled on FortiGate unit interfaces by default. Normally you want ARP
packets to pass through the FortiGate unit, especially if it is sitting between a client and a
server or between a client and a router.
ARP traffic can cause problems, especially in Transparent mode where ARP packets
arriving on one interface are sent to all other interfaces including VLAN subinterfaces.
Some layer-2 switches become unstable when they detect the same MAC address
originating on more than one switch interface or from more than one VLAN. This instability
can occur if the layer-2 switch does not maintain separate MAC address tables for each
VLAN. Unstable switches may reset and cause network traffic to slow down considerably.

Multiple VDOMs solution


By default, physical interfaces are in the root domain. If you do not configure any of your
VLANs in the root VDOM, it will not matter how many interfaces are in the root VDOM.
The multiple VDOMs solution is to configure multiple VDOMs on the FortiGate unit, one
for each VLAN. In this solution, you configure one inbound and one outbound VLAN
interface in each VDOM. ARP packets are not forwarded between VDOMs. This
configuration limits the VLANs in a VDOM and correspondingly reduces the administration
needed per VDOM.
As a result of this configuration, the switches do not receive multiple ARP packets with
duplicate MACs. Instead, the switches receive ARP packets with different VLAN IDs and
different MACs. Your switches are stable.


However, you should not use the multiple VDOMs solution under any of the following
conditions:
• you have more VLANs than licensed VDOMs
• you do not have enough physical interfaces
• your configuration needs VLAN grouping.
Instead, use one of two possible solutions, depending on which operation mode you are
using:
• In NAT/Route mode, you can use the vlanforward CLI command.
• In Transparent mode, you can use the forward-domain CLI command. But you still
need to be careful in some rare configurations.

Vlanforward solution
If you are using NAT/Route mode, the solution is to use the vlanforward CLI command
for the interface in question. By default, this command is enabled and will forward VLAN
traffic to all VLANs on this interface. When disabled, each VLAN on this physical interface
can send traffic only to the same VLAN—there is no “cross-talk” between VLANs, and
ARP packets are forced to take one path along the network which prevents the multiple
paths problem.
In the following example, vlanforward is disabled on port1. All VLANs configured on
port1 will be separate and will not forward any traffic to each other.
config system interface
    edit port1
        set vlanforward disable
end

Forward-domain solution
If you are using Transparent mode, the solution is to use the forward-domain CLI
command. This command tags VLAN traffic as belonging to a particular collision group,
and only VLANs tagged as part of that collision group receive that traffic—it is like an
additional set of VLANs. By default, all interfaces and VLANs are part of forward-domain
collision group 0.
The many benefits of this solution include reduced administration, the need for fewer
physical interfaces, and the availability of more flexible network solutions.
In the following example, forward-domain collision group 340 includes VLAN 340 traffic on
port1 and untagged traffic on port2. Forward-domain collision group 341 includes VLAN
341 traffic on port1 and untagged traffic on port3. All other interfaces are part of forward-
domain collision group 0 by default. This configuration separates VLANs 340 and 341
from each other on port1, and prevents the ARP packet problems from before.


Use these CLI commands:
config system interface
    edit port1
    next
    edit port2
        set forward_domain 340
    next
    edit port3
        set forward_domain 341
    next
    edit port1-340
        set forward_domain 340
        set interface port1
        set vlanid 340
    next
    edit port1-341
        set forward_domain 341
        set interface port1
        set vlanid 341
end
You may experience connection issues with layer-2 traffic, such as ping, if your network
configuration has:
• packets going through the FortiGate unit in Transparent mode more than once
• more than one forwarding domain (such as incoming on one forwarding domain and
outgoing on another)
• IPS and AV enabled.
In releases prior to FortiOS v3.0 MR5, packets could go through IPS and AV checks each
time they passed through the FortiGate unit. In FortiOS v3.0 MR5 this problem was fixed.
Now IPS and AV are applied the first time packets go through the FortiGate unit, but not on
subsequent passes. Applying IPS and AV only to this first pass fixes the layer-2-related
connection issues.
There is a more detailed discussion of this issue in the Asymmetric Routing and Other
FortiGate Layer-2 Installation Issues technical note.

NetBIOS
Computers running Microsoft Windows operating systems that are connected through a
network rely on a WINS server to resolve host names to IP addresses. The hosts
communicate with the WINS server by using the NetBIOS protocol.
To support this type of network, you need to enable the forwarding of NetBIOS requests to
a WINS server. The following example will forward NetBIOS requests on the internal
interface for the WINS server located at an IP address of 192.168.111.222.
config system interface
    edit internal
        set netbios_forward enable
        set wins-ip 192.168.111.222
end
These commands apply only in NAT/Route mode. If VDOMs are enabled, these
commands are per VDOM—you must set them for each VDOM that has the problem.


STP forwarding
The FortiGate unit does not participate in the Spanning Tree Protocol (STP). STP is an
IEEE 802.1 protocol that ensures there are no layer-2 loops on the network. Loops are
created when there is more than one route for traffic to take and that traffic is broadcast
back to the original switch. This loop floods the network with traffic, reducing available
bandwidth to nothing.
If you use your FortiGate unit in a network topology that relies on STP for network loop
protection, you need to make changes to your FortiGate configuration. Otherwise, STP
recognizes your FortiGate unit as a blocked link and forwards the data to another path. By
default, your FortiGate unit blocks STP as well as other non-IP protocol traffic.
Using the CLI, you can enable forwarding of STP and other layer-2 protocols through the
interface. In this example, layer-2 forwarding is enabled on the external interface:
config system interface
    edit external
        set l2forward enable
        set stpforward enable
end
By substituting different commands for stpforward enable, you can also allow layer-2
protocols such as IPX, PPTP or L2TP to be used on the network. For more information,
see “Layer-2 and Arp traffic” on page 73.

Too many VLAN interfaces


Any virtual domain can have a maximum of 255 interfaces in Transparent mode. This
includes VLANs, other virtual interfaces, and physical interfaces. NAT/Route mode
supports from 255 to 8192 depending on the FortiGate model. This total number of
interfaces includes VLANs, other virtual interfaces, and physical interfaces.
Your FortiGate unit may allow you to configure more interfaces than this. However, if you
configure more than 255 interfaces, your system will become unstable and, over time, will
not work properly. As all interfaces are used, they will overflow the routing table that stores
the interface information, and connections will fail. When you try to add more interfaces,
an error message will state that the maximum limit has already been reached.
If you see this error message, chances are you already have too many VLANs on your
system and your routing has become unstable. To verify, delete a VLAN and try to add it
back. If you have too many, you will not be able to add it back on to the system. In this
case, you will need to remove enough interfaces (including VLANs) so that the total
number of interfaces drops to 255 or less. After doing this, you should also reboot your
FortiGate unit to clean up its memory and buffers, or you will continue to experience
unstable behavior.
To configure more than 255 interfaces on your FortiGate unit in Transparent mode, you
have to configure multiple VDOMs, each with many VLANs. However, if you want to
create more than the default 10 VDOMs (or a maximum of 2550 interfaces), you must buy
a license for additional VDOMs. Only FortiGate models 3000 and higher support more
than 10 VDOMs.
With these extra licenses, you can configure up to 500 VDOMs, with each VDOM
containing up to 255 VLANs in Transparent mode. This is a theoretical maximum of over
127 500 interfaces. However, system resources will quickly get used up before reaching
that theoretical maximum. To achieve the maximum number of VDOMs, you need to have
top-end hardware with the most resources possible.
In NAT/Route mode, if you have a top-end model, the maximum interfaces per VDOM can
be as high as 8192, enough for all the VLANs in your configuration.


Note: Your FortiGate unit has limited resources, such as CPU load and memory, that are
divided between all configured VDOMs. When running 250 or more VDOMs, you cannot
run Unified Threat Management (UTM) features such as proxies, web filtering, or
antivirus—your FortiGate unit can only provide basic firewall functionality.

IPv6
Internet Protocol version 6 (IPv6) is an Internet Layer protocol for packet-switched
internetworks that has been designed to provide several advantages over Internet
Protocol version 4 (IPv4). The Internet Engineering Task Force (IETF) has designated
IPv6 as the successor of IPv4 for general use on the Internet. Both IPv6 and IPv4 define a
network layer protocol (how data is sent from one computer to another over packet-switched
networks), but IPv6 has a much larger address space than IPv4: it can provide
billions more unique IP addresses.
This section includes:
• IPv6 overview
• FortiGate IPv6 configuration
• Transition from IPv4 to IPv6
• Configuring FortiOS to connect to an IPv6 tunnel provider
• IPv6 Troubleshooting
• Additional IPv6 resources

IPv6 overview
IP version 6 handles issues that weren't around decades ago when IPv4 was created:
running out of IP addresses, fair distribution of IP addresses, built-in quality of service
(QoS) features, better multimedia support, and improved handling of fragmentation. A
bigger address space, bigger default packet size, and more optional header extensions
provide these features with the flexibility to customize them to any needs.
IPv6 has 128-bit addresses compared to IPv4's 32-bit addresses, effectively eliminating
address exhaustion. This very large address space will likely make network address
translation (NAT) a thing of the past, since IPv6 provides more than a billion IP addresses
for each person on Earth. All hardware and software network components must support
this new address size, an upgrade that may take a while to complete and will force IPv6
and IPv4 to work side-by-side during the transition period. During that time, FortiOS, with its
equal support for IPv4 and IPv6, will ensure a smooth transition for networks.
This section includes:
• Differences between IPv6 and IPv4
• IPv6 MTU
• IPv6 address format
• IP address notation
• Netmasks
• Address scopes
• Address types
• IPv6 neighbor discovery

Differences between IPv6 and IPv4


The following list outlines the differences between IPv6 and IPv4.


Larger address space: IPv4 addresses are 32 bits long while IPv6 addresses are 128 bits
long. This increase supports 2^128 addresses, or more than ten billion billion billion times
as many addresses as IPv4 (2^32). IPv6 enables more levels of addressing hierarchy and
simplifies auto-configuration of IP addresses. The IPv6 addressing scheme eliminates the
need for Network Address Translation (NAT), which causes networking problems due to the
end-to-end nature of the Internet, such as hiding multiple hosts behind a pool of IP
addresses.

Simplified header formats: The IPv6 header format either drops or makes optional certain
IPv4 header fields. This limits the bandwidth cost of the IPv6 header: even though IPv6
addresses are four times longer than IPv4 addresses, the IPv6 header is only twice the
size of the IPv4 header.

Improved support for IP header options: Changes in the way IP header options are
encoded allow for more efficient forwarding and less stringent limits on the length of
options. The changes also provide greater flexibility for introducing new options in the
future.

Prioritization of packet delivery using flow labeling: The IPv6 packet header contains a
new Flow Label field that allows the sender to request special handling, such as
“real-time service” or non-default quality of service. The Flow Label field replaces the
Service Type field in IPv4.

Supported authentication: IPv6 extensions support authentication, data integrity, and
(optional) data confidentiality.

IPv6 addresses are assigned to interfaces rather than nodes, thereby recognizing that a
node can have more than one interface, and you can assign more than one IPv6 address
to an interface. In addition, the larger address space in IPv6 addresses allows flexibility in
allocating addresses and routing traffic, and simplifies some aspects of address
assignment and renumbering when changing Internet service providers.
With IPv4, complex Classless Inter-Domain Routing (CIDR) techniques were developed to
make the best use of the small address space. CIDR facilitates routing by allowing blocks
of addresses to be grouped together into a single routing table entry. With IPv4,
renumbering an existing network for a new connectivity provider with different routing
prefixes is a major effort (see RFC 2071, Network Renumbering Overview: Why would I
want it and what is it anyway? and RFC 2072, Router Renumbering Guide). With IPv6,
however, it is possible to renumber an entire network ad hoc by changing the prefix in a
few routers, as the host identifiers are decoupled from the subnet identifiers and the
network provider's routing prefix.
The size of each subnet in IPv6 is 2^64 addresses (64 bits), which is the square of the size
of the entire IPv4 Internet. The actual address space utilized by IPv6 applications will most
likely be small in IPv6, but both network management and routing will be more efficient.

IPv6 MTU
Maximum Transmission Unit (MTU) refers to the size (in bytes) of the largest packet or
frame that a given layer of a communications protocol can pass onwards. A higher MTU
brings higher bandwidth efficiency. IPv6 requires an MTU of at least 1280 bytes. With
encapsulations (for example, tunneling), an MTU of 1500 or more is recommended. For
more information, see RFC-2640, Internationalization of the File Transfer Protocol.


IPv6 address format


The IPv6 address is 128 bits long and consists of eight 16-bit fields. Each field is
separated by a colon and must contain a hexadecimal number. In Figure 4, an X
represents each field.
The IPv6 address is made up of two logical parts:
• 64-bit (sub)network prefix
• 64-bit host
The (sub)network prefix part contains the site prefix (first three fields, 48 bits) and the
subnet ID (next two fields, 16 bits), for a total of 64 bits. The information contained in
these fields is used for routing IPv6 packets. The (sub)network prefix defines the site
topology to a router by specifying the specific link to which the subnet has been assigned.
The site prefix details the public topology allocated (usually by an Internet Service
Provider, ISP) to your site. The subnet ID details the private topology (or site topology) to a
router that you assign to your site when you configure your IPv6 network.
The host part consists of the interface ID (or token), which is 64 bits in length and must be
unique within the subnet. The length of the interface ID allows for the mapping of existing
48-bit MAC addresses currently used by many local area network (LAN) technologies
such as Ethernet, and the mapping of 64-bit MAC addresses of IEEE 1394 (FireWire) and
other future LAN technologies. The host is either configured automatically from the MAC
address of the interface, or is manually configured.

Figure 4: IPv6 Address Format
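How a host derives its 64-bit interface ID from a 48-bit MAC address, as an added example that is not part of the Handbook: the text above only says the host part is configured automatically from the MAC; the mechanism shown here is the modified EUI-64 method of RFC 4291, Appendix A. The MAC value used in the checks is constructed.

```python
# Added example, not from the FortiOS Handbook: derive the 64-bit interface ID
# from a 48-bit MAC address with the modified EUI-64 method (RFC 4291,
# Appendix A) and build the fe80::/64 link-local address from it.
import re
from typing import List, Optional

def mac_to_interface_id(mac: str) -> int:
    """Return the modified EUI-64 interface identifier of a MAC as a 64-bit int."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac)     # accept 00:1c:.., 00-1C-.., 001c..
    if len(digits) != 12:
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    octets = bytes.fromhex(digits)
    # 0xFF 0xFE is inserted between the OUI (3 octets) and the device part.
    eui64 = octets[:3] + b"\xff\xfe" + octets[3:]
    # The universal/local bit (0x02 of the first octet) is inverted, so a
    # globally unique MAC yields an interface ID with that bit set.
    return int.from_bytes(bytes([eui64[0] ^ 0x02]) + eui64[1:], "big")

def interface_id_groups(iid: int) -> List[str]:
    """Four 16-bit hex groups with leading zeros dropped, as the text describes."""
    return [f"{(iid >> shift) & 0xFFFF:x}" for shift in (48, 32, 16, 0)]

def link_local_from_mac(mac: str) -> str:
    """fe80::/64 prefix plus the EUI-64 interface ID; the three zero groups
    between them collapse to '::'."""
    return "fe80::" + ":".join(interface_id_groups(mac_to_interface_id(mac)))

def mac_from_interface_id(iid: int) -> Optional[str]:
    """Inverse mapping: recover the MAC when the interface ID is EUI-64 derived.
    Returns None if the ff:fe marker is absent (manually set or randomised IDs)."""
    b = iid.to_bytes(8, "big")
    if b[3:5] != b"\xff\xfe":
        return None
    octets = bytes([b[0] ^ 0x02]) + b[1:3] + b[5:]
    return ":".join(f"{x:02x}" for x in octets)
```

The inverse function is the one a log reviewer cares about: an interface ID with ff:fe in the middle exposes the host's hardware address to every peer it talks to, which is why randomised (privacy) interface IDs exist as an alternative to the automatic mapping.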

IP address notation
IPv6 addresses are normally written as eight groups of 4 hexadecimal digits each,
separated by a colon, for example:
2001:db8:3c4d:0d82:1725:6a2f:0370:6234
is a valid IPv6 address.
There are several ways to shorten the presentation of an IPv6 address. Most IPv6
addresses do not occupy all of the possible 128 bits. This results in fields that are
“padded” with zeros or contain only zeros. If a 4-digit group is 0000, it may be replaced
with two colons (::), for example:
2001:db8:3c4d:0000:1725:6a2f:0370:6234
is the same IPv6 address as:
2001:db8:3c4d::1725:6a2f:0370:6234
Leading zeroes in a group may be omitted, for example (in the address above):


2001:db8:3c4d::1725:6a2f:370:6234
The double colon (::) must only be used once in an IP address, as multiple occurrences
lead to ambiguity in the address translation.
The following examples of shortened IP address presentations all resolve to the same
address.
19a4:0478:0000:0000:0000:0000:1a57:ac9e
19a4:0478:0000:0000:0000::1a57:ac9e
19a4:478:0:0:0:0:1a57:ac9e
19a4:478:0:0::1a57:ac9e
19a4:478::0:0:1a57:ac9e
19a4:478::1a57:ac9e
All of these address presentations are valid and represent the same address.
For IPv4-compatible or IPv4-mapped IPv6 addresses (see “Address types” on page 82),
you can enter the IPv4 portion using either hexadecimal or dotted decimal, but the
FortiGate CLI always shows the IPv4 portion in dotted decimal format. For all other IPv6
addresses, the CLI accepts and displays only hexadecimal.

Netmasks
As with IP addresses, hexadecimal notation replaces the dotted decimal notation of IPv4.
IPv4 Classless Inter-Domain Routing (CIDR) notation can also be used. This notation
appends a slash (“/”) to the IP address, followed by the number of bits in the network
portion of the address.
Table 10: IPv6 address notation

IP Address         3ffe:ffff:1011:f101:0210:a4ff:fee3:9566
Netmask            ffff:ffff:ffff:ffff:0000:0000:0000:0000
Network            3ffe:ffff:1011:f101:0000:0000:0000:0000
CIDR IP/Netmask    3ffe:ffff:1011:f101:0210:a4ff:fee3:9566/64

Address scopes
Address scopes define the region where an address may be defined as a unique identifier
of an interface. The regions are: local link (link-local), site network (site-local), and global
network. Each IPv6 address can only belong to one zone that corresponds to its scope.

Address types
IPv6 addresses are classified into three groups - Unicast, Multicast, and Anycast.

Unicast
Identifies an interface of an individual node. Packets sent to a unicast address are sent to
that specific interface. Unicast IPv6 addresses can have a scope reflected in more specific
address names - global unicast address, link-local address, and unique local unicast
address. For more information, see “Global (Unicast)” on page 84, “Link-local (Unicast)”
on page 84, and “Site-local (Unicast)” on page 84.


Multicast
Assigned to a group of interfaces that typically belong to different nodes. A packet that is
sent to a multicast address is delivered to all interfaces identified by the address. Multicast
addresses begin with a first octet of all one (1) bits. The four least significant bits of the
second address octet identify the address scope, the span over which the multicast address
is propagated. IPv6 multicast addresses have functionally replaced IPv4 broadcast
addresses.

Anycast
Assigned to a group of interfaces usually belonging to different nodes. A packet sent to an
anycast address is delivered to just one of the member interfaces, typically the ‘nearest’
according to the routing protocols’ measure of distance. Anycast addresses cannot be
identified easily, as their structure is the same as a normal unicast address; they differ only
by being injected into the routing protocol at multiple points in the network. When a unicast
address is assigned to more than one interface (making it an anycast address), the nodes
it is assigned to must be configured in such a way as to indicate that it is an anycast address.
Interfaces configured for IPv6 must have at least one link-local unicast address and
additional ones for site-local or global addressing. Link-local addresses are often used in
network address autoconfiguration where no external source of network addressing
information is available.

Special addresses
The following are IPv6 special addresses:
• Unspecified
• Loopback
For more information about IPv6 addresses, see RFC 3513, Internet Protocol version 6
(IPv6) Addressing Architecture.


Table 11: IPv6 addresses with prefix information

Address type          IPv6 notation (prefix/prefix length)

Unspecified           ::/128
    Indicates the absence of an address, so must never be assigned to any node. Must not
    be used as a source address for IPv6 router, destination address of IPv6 packets, or in
    IPv6 routing headers. Equivalent to 0.0.0.0 in IPv4.

Loopback              ::1/128
    Used as a node to send an IPv6 packet to itself. Seen as link-local unicast address of a
    virtual interface (loopback interface) to an imaginary link that goes nowhere. Must never
    be assigned to a physical interface, or as the source address of IPv6 packets that are
    sent outside of the single node. IPv6 destination address of loopback should not be sent
    outside a single node, and never forwarded by an IPv6 router. Equivalent to 127.0.0.1
    in IPv4.

IPv4-compatible       ::/96
    Lowest 32 bits can be in IPv6 hexadecimal or IPv4 dotted decimal format.

IPv4-mapped           ::FFFF/96
    Lowest 32 bits can be in IPv6 hexadecimal or IPv4 dotted decimal format.

6to4                  2002::/16
    Used for communication between two nodes running both IPv4 and IPv6 over the
    Internet. Formed by combining the IPv6 prefix with the 32 bits of the public IPv4 address
    of the node, creating a 48-bit address prefix.

Multicast             ::FF00/8
    For more information, see “Multicast” on page 83.

Anycast               All prefixes except those listed above
    For more information, see “Anycast” on page 83.

Link-local (Unicast)  FE80::/10
    Used for addressing on a single link for automatic address configuration, neighbor
    discovery, or when no routers are present. Routers must not forward packets with
    link-local source or destination addresses.

Site-local (Unicast)  FEC0::/10
    Used for addressing inside of a site without needing a global prefix. Routers must not
    forward packets with site-local source or destination addresses outside of the site.

Global (Unicast)      all other prefixes
    Equivalent to public IPv4 addresses. Globally routable and reachable on the IPv6
    internet. Addresses are designed to be summarized or aggregated to create an efficient
    router infrastructure.
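The notation rules from “IP address notation”, the netmask arithmetic of Table 10 and the prefixes of Table 11, worked through together as one added example that is not part of the Handbook. The prefixes in ADDRESS_TYPES are written in their standard RFC 4291 form (for example ff00::/8 and ::ffff:0:0/96), and the sample addresses in the checks are constructed. Canonicalising addresses this way before comparing them matters in practice, because the same address can appear in a firewall policy, a log line and a packet capture in different shortened forms.

```python
# Added example, not from the FortiOS Handbook: a small IPv6 address
# canonicaliser covering the notation rules (expansion, '::', dotted-decimal
# tails, compression), the CIDR arithmetic of Table 10 and the Table 11 prefixes.
from typing import List, Tuple

def _group(text: str) -> int:
    if not 1 <= len(text) <= 4 or any(c not in "0123456789abcdefABCDEF" for c in text):
        raise ValueError(f"bad 16-bit group {text!r}")
    return int(text, 16)

def _ipv4_tail(text: str) -> List[int]:
    """Dotted-decimal tail of IPv4-compatible/mapped addresses -> two groups."""
    parts = [int(p) for p in text.split(".")]
    if len(parts) != 4 or not all(0 <= p <= 255 for p in parts):
        raise ValueError(f"bad dotted-decimal tail {text!r}")
    return [(parts[0] << 8) | parts[1], (parts[2] << 8) | parts[3]]

def _groups_of(text: str) -> List[int]:
    out: List[int] = []
    items = text.split(":") if text else []
    for i, item in enumerate(items):
        if "." in item:
            if i != len(items) - 1:
                raise ValueError("dotted-decimal part must come last")
            out.extend(_ipv4_tail(item))
        else:
            out.append(_group(item))
    return out

def parse_ipv6(text: str) -> List[int]:
    """Eight 16-bit groups from any valid shortened form. '::' may appear
    once and stands for as many zero groups as are needed to reach eight."""
    if text.count("::") > 1:
        raise ValueError("'::' may appear only once")
    head, sep, tail = text.partition("::")
    left, right = _groups_of(head), _groups_of(tail)
    if sep:
        missing = 8 - len(left) - len(right)
        if missing < 1:
            raise ValueError("'::' must stand for at least one group")
        return left + [0] * missing + right
    if len(left) != 8:
        raise ValueError(f"expected 8 groups, got {len(left)}")
    return left

def to_int(groups: List[int]) -> int:
    return int.from_bytes(b"".join(g.to_bytes(2, "big") for g in groups), "big")

def from_int(value: int) -> List[int]:
    return [(value >> shift) & 0xFFFF for shift in range(112, -1, -16)]

def expand(groups: List[int]) -> str:
    """Full form: eight 4-digit groups."""
    return ":".join(f"{g:04x}" for g in groups)

def compress(groups: List[int]) -> str:
    """Shortest form: leading zeros dropped and the longest run of two or
    more zero groups replaced by '::' (RFC 5952 keeps a lone zero group)."""
    best_start, best_len, i = -1, 0, 0
    while i < 8:
        j = i
        while j < 8 and groups[j] == 0:
            j += 1
        if j - i > best_len:                 # first longest run wins
            best_start, best_len = i, j - i
        i = j if j > i else i + 1
    short = [f"{g:x}" for g in groups]
    if best_len < 2:
        return ":".join(short)
    return ":".join(short[:best_start]) + "::" + ":".join(short[best_start + best_len:])

def network(cidr: str) -> Tuple[str, str]:
    """(network address, netmask) in full form for 'address/prefix length'."""
    addr, _, plen_text = cidr.partition("/")
    plen = int(plen_text)
    if not 0 <= plen <= 128:
        raise ValueError("prefix length must be 0..128")
    mask = ((1 << plen) - 1) << (128 - plen)
    return expand(from_int(to_int(parse_ipv6(addr)) & mask)), expand(from_int(mask))

# Table 11 prefixes in their RFC 4291 written form, most specific first.
ADDRESS_TYPES = [
    ("unspecified", "::/128"), ("loopback", "::1/128"),
    ("ipv4-mapped", "::ffff:0:0/96"), ("ipv4-compatible", "::/96"),
    ("6to4", "2002::/16"), ("multicast", "ff00::/8"),
    ("link-local", "fe80::/10"), ("site-local", "fec0::/10"),
]

def classify(text: str) -> str:
    """Address type per Table 11; anycast looks like unicast and is not flagged."""
    value = to_int(parse_ipv6(text))
    for name, prefix in ADDRESS_TYPES:
        net, mask = network(prefix)
        if expand(from_int(value & to_int(parse_ipv6(mask)))) == net:
            return name
    return "global unicast"
```

Every shortened form listed under “IP address notation” parses to the same eight groups, and network() reproduces the Network and Netmask rows of Table 10 from the CIDR row. compress() follows RFC 5952, so a single zero group is written as 0 rather than ::, and a second :: in the input is rejected for the ambiguity reason given above.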

IPv6 neighbor discovery


IPv6 Neighbor Discovery (ND) is a set of messages and processes that determine
relationships between neighboring nodes. Neighboring nodes are on the same link. The
IPv6 ND protocol replaces the IPv4 protocols Address Resolution Protocol (ARP), Internet
Control Message Protocol (ICMPv4), Router Discovery (RDISC), and ICMP Redirect, and
provides additional functionality. The IPv6 ND protocol facilitates the autoconfiguration of
IPv6 addresses. Autoconfiguration is the ability of an IPv6 host to automatically generate
its own IPv6 address, making address administration easier and less time-consuming.


Hosts use ND to:
• discover addresses, address prefixes, and other configuration parameters
• discover neighboring routers.
Routers use ND to:
• advertise their presence, host configuration parameters, and on-link prefixes
• inform hosts of ‘better’ next-hop address to forward packets for a specified destination.
Nodes use ND to:
• resolve link-layer address of a neighboring node to which an IPv6 packet is being
forwarded and determine whether the link-layer address of a neighboring node has
altered
• determine whether IPv6 packets can be sent to and received from a neighbor
• automatically configure IPv6 addresses for its interfaces.
To facilitate neighbor discovery, routers periodically send messages advertising their
availability. This communication includes lists of the address prefixes for destinations
available on each router’s interfaces.
ND defines five different Internet Control Message Protocol (ICMP) packet types: a pair of
Neighbor Solicitation and Neighbor Advertisement messages, a pair of Router Solicitation
and Router Advertisement messages, and a Redirect message.
A Neighbor Solicitation is sent by a node to determine the link-layer address of a neighbor,
or to verify that a neighbor is still reachable via a cached link-layer address. Also used for
Duplicate Address Detection (how a node determines that an address it wants to use is
not already in use by another node). The Neighbor Advertisement message is a response
to a Neighbor Solicitation message. A node may also announce a link-layer address
change by sending unsolicited Neighbor Advertisements.
A host may send a Router Solicitation when an interface becomes enabled, requesting
routers to generate a Router Advertisement immediately rather than at their next
scheduled time.
Routers advertise their presence together with various link and Internet parameters
according to a specific schedule or in response to a Router Solicitation message. A Router
Advertisement contains prefixes used for on-link determination and/or address
configuration, a suggested hop limit value, etc.
The Redirect message is used by routers to inform hosts of a better first-hop for a
destination.
For more information, see RFC 2461, Neighbor Discovery for IP Version 6 (IPv6).
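The Neighbor Solicitation/Neighbor Advertisement exchange and Duplicate Address Detection described above, as an added toy simulation that is not part of the Handbook. The nodes, MAC addresses and link-local addresses are constructed; the solicited-node multicast group ff02::1:ffXX:XXXX that a solicitation is sent to comes from RFC 4291 (the page does not name it), and ICMPv6 message encoding and options are not modelled.

```python
# Added example, not from the FortiOS Handbook: a toy simulation of the
# Neighbor Solicitation / Neighbor Advertisement exchange on one link, used
# both to resolve a neighbour's link-layer address and for Duplicate Address
# Detection (DAD). Message encoding (ICMPv6 types, options) is not modelled.
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional

@dataclass
class NdMessage:
    kind: str                          # "NS" or "NA"
    src_ip: str                        # "::" for a DAD probe
    dst_ip: str
    target: str                        # address being resolved or probed
    link_layer: Optional[str] = None   # MAC carried in the option

def canonical(addr: str) -> str:
    return ipaddress.IPv6Address(addr).compressed

def solicited_node_multicast(addr: str) -> str:
    """ff02::1:ff00:0 with the low 24 bits of the target copied in (RFC 4291)."""
    low24 = int(ipaddress.IPv6Address(addr)) & 0xFFFFFF
    base = int(ipaddress.IPv6Address("ff02::1:ff00:0"))
    return str(ipaddress.IPv6Address(base | low24))

class Link:
    """A shared link: every attached node sees every message."""
    def __init__(self) -> None:
        self.nodes: List["Node"] = []
        self.log: List[NdMessage] = []

    def send(self, msg: NdMessage) -> List[NdMessage]:
        self.log.append(msg)
        replies: List[NdMessage] = []
        for node in self.nodes:
            reply = node.receive(msg)
            if reply is not None:
                replies.append(reply)
        self.log.extend(replies)
        return replies

class Node:
    def __init__(self, link: Link, mac: str, addresses: List[str]) -> None:
        self.link, self.mac = link, mac
        self.addresses = [canonical(a) for a in addresses]
        self.neighbor_cache: Dict[str, str] = {}
        link.nodes.append(self)

    def listens_to(self, dst: str) -> bool:
        # Each node joins the solicited-node group of every address it owns.
        groups = {solicited_node_multicast(a) for a in self.addresses}
        return dst == "ff02::1" or dst in self.addresses or dst in groups

    def receive(self, msg: NdMessage) -> Optional[NdMessage]:
        if msg.kind != "NS" or not self.listens_to(msg.dst_ip):
            return None
        if msg.target not in self.addresses:
            return None
        # A DAD probe has no source address, so the answer goes to all-nodes.
        reply_to = "ff02::1" if msg.src_ip == "::" else msg.src_ip
        return NdMessage("NA", msg.target, reply_to, msg.target, self.mac)

    def resolve(self, target: str) -> Optional[str]:
        """Link-layer address of a neighbour, from the cache or via NS/NA."""
        target = canonical(target)
        if target not in self.neighbor_cache:
            ns = NdMessage("NS", self.addresses[0],
                           solicited_node_multicast(target), target, self.mac)
            for na in self.link.send(ns):
                if na.target == target and na.link_layer:
                    self.neighbor_cache[target] = na.link_layer
        return self.neighbor_cache.get(target)

    def dad(self, tentative: str) -> bool:
        """Duplicate Address Detection: True if nobody on the link owns it."""
        tentative = canonical(tentative)
        ns = NdMessage("NS", "::", solicited_node_multicast(tentative), tentative)
        return not any(na.target == tentative for na in self.link.send(ns))

def build_link() -> Link:
    """Constructed two-node link used by the checks below."""
    link = Link()
    Node(link, "00:11:22:33:44:01", ["fe80::1"])
    Node(link, "00:11:22:33:44:02", ["fe80::2"])
    return link
```

dad() returns False whenever another node answers the probe, which is the situation the text calls an address already in use by another node; resolve() fills the neighbor cache from the advertisement, and the link's log records both messages of each exchange in order.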

FortiGate IPv6 configuration


FortiGate units support both IPv4 and IPv6 using a dual stack architecture. Dual stack
means that there is complete support for both protocols simultaneously.
Before configuring IPv6 using the web-based manager, you must first turn on IPv6 display.
Once it is enabled, network address fields offer either IPv4 or IPv6, or both fields are
displayed.

To enable IPv6 display in the web-based manager
1 If VDOMs are enabled, go to the Current VDOM display on the lower left and select
Global.


2 Go to System > Admin > Settings.
3 Under Display Settings, enable IPv6 Support on GUI.

Configuring IPv6 on FortiGate units includes:


• Configuring IPv6 interfaces
• Configuring IPv6 routing
• Configuring IPv6 firewall policies
• Configuring IPv6 over IPv4 tunneling
• Configuring IPv6 IPSec VPNs

Configuring IPv6 interfaces


The dual stack architecture is most obvious when configuring IPv6 on interfaces on your
FortiGate unit.

IPv6 interfaces - web-based manager


In the Addressing mode section of the Create New or Edit screen, there are two fields
instead of just one. Without IPv6 enabled, there is only the IP/Netmask field for IPv4
addresses. With IPv6 enabled, there is an additional field called IPv6 Address.
With both addresses configured for an interface, that interface will accept both IPv4 and
IPv6 traffic. Each protocol will be handled differently, depending on the firewall policies
and routing in place for it. This allows traffic from IPv6 to be sent to other IPv6 devices,
and IPv4 traffic to be sent only to other IPv4 devices. This separation of the traffic is
required because if IPv6 traffic is sent to devices that don’t support it, that traffic will not
reach its destination.
Once the IPv6 address is configured, you need to set IPv6 Administrative Access.
Otherwise you will not have administrative access over this interface if you are using IPv6
to connect.

IPv6 interfaces - CLI


In the CLI, there are a number of IPv6 specific interface settings. These are found as part
of the config system interface command under config ipv6.
In the CLI there are many more settings available, although many are optional. The
settings that are required or recommended are described after the command syntax.
config system interface
    edit <interface_string>
        config ipv6
            set ip6-address <ipv6_addr>
            set ip6-allowaccess <http https ping ssh telnet>
            set ip6-link-mtu <bytes_int>
            set ip6-send-adv <enable | disable>
            set autoconf <enable | disable>
            set ip6-default-life <seconds_int>
            set ip6-hop-limit <count_int>
            set ip6-manage-flag <enable | disable>
            set ip6-max-interval <integer>
            set ip6-min-interval <integer>
            set ip6-other-flag <enable | disable>
            set ip6-reachable-time <integer>
            set ip6-retrans-time <integer>
            config ip6-extra-addr
                edit <ipv6_addr>
                next
            end
            config ip6-prefix-list
                edit <ipv6_prefix>
                    set autonomous-flag <enable | disable>
                    set onlink-flag <enable | disable>
                    set preferred-life-time <integer>
                    set valid-life-time <integer>
                next
            end
        end
    next
end
config ipv6 settings

ip6-address <ipv6_addr>
    Assigns an IPv6 address to this interface. This field is required for IPv6
    configuration.
ip6-allowaccess <http https ping ssh telnet>
    Assigns administrative access types to this IPv6 interface. If no access types
    are defined, administrator accounts cannot access the FortiGate unit through
    this IPv6 address.
    Note: HTTP, ping, and telnet are unsecure and should only be used if required.
    Otherwise disable them for higher security.
ip6-link-mtu <bytes_int>
    Specifies the Maximum Transmission Unit (MTU) size for IPv6 traffic on this
    interface. The minimum MTU for IPv6 is 1280 bytes, much larger than the IPv4
    minimum of 576. Set ip6-link-mtu to the smallest IPv6 packet size supported
    along the route the packet will travel. Larger MTUs are more efficient.
ip6-send-adv <enable | disable>
    Sets the FortiGate unit to advertise its router capabilities so that "Stateless
    Autoconfiguration" of LAN clients, such as OS X, will work.

For more information on any commands not explained here, see the corresponding
command in the FortiGate CLI Reference.
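The ip6-allowaccess note above is a common finding when reviewing configuration backups, and ip6-link-mtu below 1280 is a frequent cause of IPv6 that "almost works". The following Python script is an added example, not FortiOS code or Fortinet tooling: it parses the config system interface section of a configuration dump using the nesting shown in the syntax above (config > edit > config ipv6 > set), collects each interface's IPv6 settings, and reports interfaces whose ip6-allowaccess includes http, telnet or ping, whose ip6-link-mtu is below the IPv6 minimum of 1280 bytes, or that have an IPv6 address but no administrative access defined. The configuration text embedded in the script is constructed for the example and uses documentation prefixes.

```python
"""Audit the 'config ipv6' settings of FortiOS interfaces in a configuration dump.

Added example (not FortiOS code). Parses the nesting used by the FortiOS CLI:
config system interface > edit <name> > config ipv6 > set <key> <values>.
"""
import shlex
from typing import Dict, List, Optional, Tuple

INSECURE_ACCESS = {"http", "telnet", "ping"}   # handbook: unsecure, enable only if required
IPV6_MIN_MTU = 1280                            # minimum IPv6 link MTU

# Constructed sample (not a real device dump); addresses are documentation prefixes.
SAMPLE_CONFIG = """\
config system interface
    edit "port1"
        set ip 192.0.2.1 255.255.255.0
        config ipv6
            set ip6-address 2001:db8:42:72::1/64
            set ip6-allowaccess ping https ssh telnet
            set ip6-link-mtu 1200
        end
    next
    edit "port2"
        config ipv6
            set ip6-address 2001:db8:ff00:15e::2/64
            set ip6-allowaccess https ssh
        end
    next
    edit "port3"
        config ipv6
            set ip6-address 2001:db8:ff00:15f::2/64
        end
    next
end
"""


def parse_ipv6_settings(config_text: str) -> Dict[str, Dict[str, List[str]]]:
    """Return {interface: {setting: [values]}} for every 'config ipv6' block found."""
    interfaces: Dict[str, Dict[str, List[str]]] = {}
    scope: List[str] = []            # open 'config ...' and 'edit' scopes, innermost last
    current: Optional[str] = None    # interface currently being edited
    for raw in config_text.splitlines():
        tokens = shlex.split(raw)    # strips the quotes FortiOS puts around names
        if not tokens:
            continue
        keyword, args = tokens[0], tokens[1:]
        if keyword == "config":
            scope.append(" ".join(args))
        elif keyword == "edit":
            if scope == ["system interface"]:
                current = args[0]
                interfaces[current] = {}
            scope.append("edit")
        elif keyword in ("next", "end"):
            if scope:
                scope.pop()
            if scope == ["system interface"]:
                current = None
        elif keyword == "set" and scope == ["system interface", "edit", "ipv6"]:
            interfaces[current][args[0]] = args[1:]
    return interfaces


def audit_ipv6(interfaces: Dict[str, Dict[str, List[str]]]) -> List[Tuple[str, str, str]]:
    """Return (interface, finding, detail) tuples for each check."""
    findings: List[Tuple[str, str, str]] = []
    for name, settings in interfaces.items():
        access = set(settings.get("ip6-allowaccess", []))
        insecure = sorted(access & INSECURE_ACCESS)
        if insecure:
            findings.append((name, "insecure-ip6-allowaccess", ",".join(insecure)))
        if "ip6-address" in settings and not access:
            findings.append((name, "ip6-address-without-admin-access", ""))
        mtu = settings.get("ip6-link-mtu")
        if mtu and int(mtu[0]) < IPV6_MIN_MTU:
            findings.append((name, "ip6-link-mtu-below-minimum", mtu[0]))
    return findings


def audit_config(config_text: str = SAMPLE_CONFIG) -> List[Tuple[str, str, str]]:
    return audit_ipv6(parse_ipv6_settings(config_text))


if __name__ == "__main__":
    for iface, finding, detail in audit_config():
        print(f"{iface}: {finding} {detail}".rstrip())
```

Run it against a backup taken with the CLI's show or export functions; the scope tracking ignores other settings inside edit blocks, so nested ip6-prefix-list entries do not disturb the interface-level view.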

Configuring IPv6 routing


IPv6 routing is supported in both static and dynamic routing. The main difference from a
configuration point of view is the difference in addresses.
This section includes:
• Static routing
• Dynamic routing

Static routing
Static routing for IPv6 is essentially the same as with IPv4. From a configuration point of
view, the only difference is the type of addresses used.
When both IPv4 and IPv6 static routes are configured, they are displayed under two
separate headings on the static routing page - Route and IPv6 Route. Use the arrows next
to each heading to expand or minimize that list of routes.

IPv6 static routing - web-based manager


To configure IPv6 static routes
1 If VDOMs are enabled, enter the VDOM.

2 Go to Router > Static.
3 Select the arrow to expand the Create New menu.
4 Select IPv6 Route.
5 Enter Destination IP/Mask, Device, Gateway, Distance, and Priority as with normal
static routing using IPv6 addresses.
6 Select OK.

IPv6 static routing - CLI


config vdom
    edit <vdom_name>
        config router static6
            edit 1
                set dst <ipv6_addr>
                set gateway <ipv6_addr>
                set device <interface>
                set priority <integer>
            next
        end
    end

Dynamic routing
As with static routing, the dynamic routing protocols all have IPv6 versions. Both IPv4 and
IPv6 dynamic routing can be running at the same time due to the dual stack architecture of
the FortiGate unit.
IPv6 dynamic routing must be configured using CLI commands.
Table 12: Dynamic routing protocols, IPv6 versions, CLI command, and RFCs

Dynamic routing   IPv6 version                   CLI command           IPv6 RFC
RIP               RIP next generation (RIPng)    config router ripng   RFC 2080
BGP               BGP4+                          config router bgp     RFC 2545, RFC 2858
                  All parts of bgp that include IP addresses have IPv4 and IPv6 versions.
OSPF              OSPFv3                         config router ospf6   RFC 2740

For more information on dynamic routing and IPv6, see the corresponding command in
the FortiGate CLI Reference.

Configuring IPv6 firewall policies


Maintaining security for both types of traffic will be crucial to the success of IPv6 and
mixed networks. Malware and network threats are independent of IPv4 or IPv6, so it is
critical that IPv6 solutions provide the same level of security as IPv4 solutions.
Using IPv6 firewall policies, FortiOS provides full UTM protection for IPv6 traffic. All
antivirus, intrusion protection (IPS), web filtering, FortiGuard Web Filtering, email filtering,
FortiGuard Email Filtering, data leak prevention (DLP), application control, and VoIP
protection features can be enabled in IPv6 firewall policies using normal FortiOS UTM
profiles for each UTM feature. This protection is transparent to IPv6 users.

Full UTM support for IPv6 makes the transitional mixed network phase easier, because
the level of security of transitional networks is extended to both IP protocols. Future
releases of FortiOS will extend IPv6 support even further.
Auto detect Protocol (Value 0) in the Protocol Options does not work well when used in an
IPv6 Firewall Policy.
For Proxy features such as URL-Filtering, AntiVirus, Data-Leak-Prevention or File filter
you must specify a Port for HTTP in Protocol Options.
To make IPS and Application-Control work you have to create a separate Interface Policy
through the CLI.
config firewall interface-policy6
    edit 1
        set interface port2
        set srcaddr6 all
        set dstaddr6 all
        set service6 ANY
        set application-list-status enable
        set application-list monitor-all
        set ips-sensor-status enable
        set ips-sensor all_default
    next
end
Note: srcaddr6, dstaddr6, application-list, and ips-sensor must each refer to a configured object.
The objects used in the above example are all default values.

Configuring IPv6 over IPv4 tunneling


IPv6 over IPv4 tunneling can only be configured in the CLI using the sit-tunnel command.
When you configure an IPv6-over-IPv4 tunnel, you are creating a virtual interface that can
be used in configurations just like any other virtual interface such as VLANs.
The name of the command sit-tunnel comes from Simple Internet Transition (SIT)
tunneling. For the period while IPv6 hosts and routers co-exist with IPv4, a number of
transition mechanisms are needed to enable IPv6-only hosts to reach IPv4 services and to
allow isolated IPv6 hosts and networks to reach the IPv6 Internet over the IPv4
infrastructure.
These techniques, collectively called Simple Internet Transition, include:
• dual-stack IP implementations for interoperating hosts and routers
• embedding IPv4 addresses in IPv6 addresses
• IPv6-over-IPv4 tunneling mechanisms
• IPv4/IPv6 header translation

The syntax for the IPv6 over IPv4 tunneling CLI command is:
config system sit-tunnel
    edit <name_string>
        set destination <ipv4_addr>
        set interface <interface_string>
        set ip6 <ipv6_addr>
        set source <ipv4_addr>
    next
end

<name_string>
    The name of the tunnel, which appears in the network interface list. It should
    be descriptive, such as my_ip6_tunnel. The maximum length allowed is 15
    characters.
destination <ipv4_addr>
    The tunnel broker's IPv4 server address. It is one of the two ends of the
    tunnel.
interface <interface_string>
    The interface the tunnel piggybacks on. Generally this should be the external
    interface of the FortiGate unit. This setting is optional if you don't have a
    fixed IP address from your ISP.
ip6 <ipv6_addr>
    The IPv6 address of the FortiGate unit end of the tunnel.
source <ipv4_addr>
    The FortiGate unit end of the tunnel. It is just like any other FortiGate unit
    interface address. If this address is DHCP-based, it will change. In that case
    you should ensure the netmask covers the possible range of addresses. It is
    possible to use 0.0.0.0 to cover all possible addresses if you have a DDNS or
    PPPoE connection where the address changes.

Once the IPv6-to-IPv4 tunnel is configured, you need to enable some extra settings on the
interface.
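To make the encapsulation concrete: a SIT tunnel carries each IPv6 packet as the payload of an IPv4 packet whose protocol field is 41 (the proto=41 that diagnose ipv6 sit-tunnel list prints later in this chapter). The following Python script is an added example, not FortiOS code: it builds an ICMPv6 echo request inside an IPv6 packet, wraps it in a protocol-41 IPv4 header the way a tunnel endpoint does, and then parses such a frame back, checking the IPv4 header checksum, the protocol number, the inner version nibble and the ICMPv6 checksum (which covers the IPv6 pseudo-header). The tunnel and endpoint addresses are the handbook's example addresses; the packet contents are constructed. A sensor on the IPv4 path that does not decapsulate protocol 41 sees only the outer IPv4 addresses, which is why the IPv6 firewall policies in this chapter are written against the tunnel interface rather than the underlying IPv4 interface.

```python
"""IPv6-in-IPv4 (SIT, IP protocol 41) encapsulation and parsing.

Added example, not FortiOS code. Addresses are the handbook's example tunnel
addresses; packet contents are constructed.
"""
import ipaddress
import struct

IPPROTO_IPV6 = 41        # IPv6 carried directly in IPv4: the "proto=41" of a sit-tunnel
IPPROTO_ICMPV6 = 58
ICMP6_ECHO_REQUEST = 128


def checksum16(data: bytes) -> int:
    """Internet checksum (ones' complement sum of 16-bit words, RFC 1071)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def icmpv6_pseudo_header(src6: bytes, dst6: bytes, upper_len: int) -> bytes:
    """Pseudo-header that the ICMPv6 checksum covers (RFC 2460 section 8.1)."""
    return src6 + dst6 + struct.pack("!IxxxB", upper_len, IPPROTO_ICMPV6)


def build_icmpv6_echo(src6: str, dst6: str, ident: int, seq: int, payload: bytes = b"") -> bytes:
    body = struct.pack("!BBHHH", ICMP6_ECHO_REQUEST, 0, 0, ident, seq) + payload
    pseudo = icmpv6_pseudo_header(ipaddress.IPv6Address(src6).packed,
                                  ipaddress.IPv6Address(dst6).packed, len(body))
    return body[:2] + struct.pack("!H", checksum16(pseudo + body)) + body[4:]


def build_ipv6(src6: str, dst6: str, next_header: int, payload: bytes, hop_limit: int = 64) -> bytes:
    header = struct.pack("!IHBB", 0x60000000, len(payload), next_header, hop_limit)
    return header + ipaddress.IPv6Address(src6).packed + ipaddress.IPv6Address(dst6).packed + payload


def sit_encapsulate(src4: str, dst4: str, ipv6_packet: bytes, ttl: int = 64) -> bytes:
    """Prepend a 20-byte IPv4 header with protocol 41, as the tunnel endpoint does."""
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(ipv6_packet), 0, 0, ttl,
                         IPPROTO_IPV6, 0, ipaddress.IPv4Address(src4).packed,
                         ipaddress.IPv4Address(dst4).packed)
    header = header[:10] + struct.pack("!H", checksum16(header)) + header[12:]
    return header + ipv6_packet


def sit_decapsulate(frame: bytes) -> dict:
    """Validate the outer IPv4 header, require protocol 41 and describe the inner IPv6 packet."""
    if len(frame) < 20 or frame[0] >> 4 != 4:
        raise ValueError("outer packet is not IPv4")
    ihl = (frame[0] & 0x0F) * 4
    if checksum16(frame[:ihl]) != 0:       # a valid header sums to zero with its checksum included
        raise ValueError("bad IPv4 header checksum")
    if frame[9] != IPPROTO_IPV6:
        raise ValueError("not IPv6-in-IPv4 (protocol %d)" % frame[9])
    inner = frame[ihl:]
    if len(inner) < 40 or inner[0] >> 4 != 6:
        raise ValueError("inner packet is not IPv6")
    payload_len, next_header, hop_limit = struct.unpack("!HBB", inner[4:8])
    info = {
        "outer_src": str(ipaddress.IPv4Address(frame[12:16])),
        "outer_dst": str(ipaddress.IPv4Address(frame[16:20])),
        "inner_src": str(ipaddress.IPv6Address(inner[8:24])),
        "inner_dst": str(ipaddress.IPv6Address(inner[24:40])),
        "next_header": next_header,
        "hop_limit": hop_limit,
    }
    if next_header == IPPROTO_ICMPV6 and len(inner) >= 40 + payload_len >= 48:
        icmp = inner[40:40 + payload_len]
        info["icmpv6_type"] = icmp[0]
        info["icmpv6_checksum_ok"] = checksum16(
            icmpv6_pseudo_header(inner[8:24], inner[24:40], len(icmp)) + icmp) == 0
    return info


def demo() -> dict:
    """One echo request from the FortiGate end of the tunnel to the broker end, and back out."""
    echo = build_icmpv6_echo("2001:4dd0:ff00:15e::2", "2001:4dd0:ff00:15e::1",
                             ident=0x1234, seq=1, payload=b"\x00" * 56)
    inner = build_ipv6("2001:4dd0:ff00:15e::2", "2001:4dd0:ff00:15e::1", IPPROTO_ICMPV6, echo)
    frame = sit_encapsulate("172.20.120.17", "78.35.24.124", inner)
    return sit_decapsulate(frame)


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The decapsulation routine rejects anything that is not a well-formed protocol-41 frame before it looks at the inner packet, which is the order a tunnel endpoint or an inspection hook should follow.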

Configuring IPv6 IPSec VPNs


The FortiGate unit supports route-based IPv6 IPsec, but not policy-based.
Where both the gateways and the protected networks use IPv6 addresses, sometimes
called IPv6 over IPv6, you can create either an auto-keyed or manually-keyed VPN. You
can combine IPv6 and IPv4 addressing in an auto-keyed VPN in the following ways:

IPv4 over IPv6    The VPN gateways have IPv6 addresses. The protected networks have
                  IPv4 addresses. The phase 2 configurations at either end use IPv4
                  selectors.
IPv6 over IPv4    The VPN gateways have IPv4 addresses. The protected networks use
                  IPv6 addresses. The phase 2 configurations at either end use IPv6
                  selectors.

Compared with IPv4 IPsec VPN functionality, there are some limitations:
• Except for IPv6 over IPv4, remote gateways with Dynamic DNS are not supported.
This is because FortiOS 3.0 does not support IPv6 DNS.
• You cannot use RSA certificates in which the common name (cn) is a domain name
that resolves to an IPv6 address. This is because FortiOS 3.0 does not support IPv6
DNS.
• DHCP over IPsec is not supported, because FortiOS 3.0 does not support IPv6 DHCP.
• Selectors cannot be firewall address names. Only IP address, address range and
subnet are supported.
• Redundant IPv6 tunnels are not supported.

Certificates
On a VPN with IPv6 phase 1 configuration, you can authenticate using VPN certificates in
which the common name (cn) is an IPv6 address. The cn-type keyword of the user
peer command has an option, ipv6, to support this.

Configuring IPv6 IPsec VPNs


Configuration of an IPv6 IPsec VPN follows the same sequence as for an IPv4 route-
based VPN: phase 1 settings, phase 2 settings, firewall policies and routing.
To access IPv6 functionality through the web-based manager, go to System > Admin >
Settings and enable IPv6 Support on GUI.

Phase 1 configuration
In the web-based manager, you define the Phase 1 as IPv6 in the Advanced settings.
Enable the IPv6 Version check box. You can then enter an IPv6 address for the remote
gateway.
In the CLI, you define an IPsec phase 1 configuration as IPv6 by setting ip-version
to 6. Its default value is 4. Then, the local-gw and remote-gw keywords are hidden
and the corresponding local-gw6 and remote-gw6 keywords are available. The values
for local-gw6 and remote-gw6 must be IPv6 addresses. For example:
config vpn ipsec phase1-interface
    edit tunnel6
        set ip-version 6
        set remote-gw6 0:123:4567::1234
        set interface port3
        set proposal 3des-md5
end

Phase 2 configuration
To create an IPv6 IPsec phase 2 configuration in the web-based manager, you need to
define IPv6 selectors in the Advanced settings. Change the default “0.0.0.0/0” address for
Source address and Destination address to the IPv6 value “::/0”. If needed, enter specific
IPv6 addresses, address ranges or subnet addresses in these fields.
In the CLI, set src-addr-type and dst-addr-type to ip6, range6 or subnet6 to
specify IPv6 selectors. By default, zero selectors are entered, “::/0” for the subnet6
address type, for example. The simplest IPv6 phase 2 configuration looks like this:
config vpn ipsec phase2-interface
    edit tunnel6_p2
        set phase1name tunnel6
        set proposal 3des-md5
        set src-addr-type subnet6
        set dst-addr-type subnet6
end

Firewall policies
To complete the VPN configuration, you need a firewall policy in each direction to permit
traffic between the protected network’s port and the IPsec interface. You need IPv6
policies unless the VPN is IPv4 over IPv6.

Routing
Appropriate routing is needed for both the IPsec packets and the encapsulated traffic
within them. You need a route, which could be the default route, to the remote VPN
gateway via the appropriate interface. You also need a route to the remote protected
network via the IPsec interface.

To create a static route in the web-based manager, go to Router > Static. Select the
drop-down arrow on the Create New button and select IPv6 Route. Enter the information and
select OK. In the CLI, use the router static6 command. For example, where the
remote network is fec0:0000:0000:0004::/64 and the IPsec interface is toB:
config router static6
    edit 1
        set device port2
        set dst 0::/0
    next
    edit 2
        set device toB
        set dst fec0:0000:0000:0004::/64
    next
end
If the VPN is IPv4 over IPv6, the route to the remote protected network is an IPv4 route. If
the VPN is IPv6 over IPv4, the route to the remote VPN gateway is an IPv4 route.

Transition from IPv4 to IPv6


If the Internet is to take full advantage of the benefits of IPv6, there must be a period of
transition to enable IPv6-only hosts to reach IPv4 services and to allow isolated IPv6 hosts
and networks to reach the IPv6 Internet over the IPv4 infrastructure.
RFC 2893, Transition Mechanisms for IPv6 Hosts and Routers and RFC 2185, Routing
Aspects of IPv6 Transition define several mechanisms to ensure that IPv6 hosts and
routers maintain interoperability with the existing IPv4 infrastructure, and facilitate a
gradual transition that does not impact the functionality of the Internet. The mechanisms,
known collectively as Simple Internet Transition (SIT), include:
• dual-stack IP implementations for hosts and routers that must interoperate between
IPv4 and IPv6
• embedding of IPv4 addresses in IPv6 addresses. IPv6 hosts are assigned addresses
that are interoperable with IPv4, and IPv4 host addresses are mapped to IPv6
• IPv6-over-IPv4 tunneling mechanisms to encapsulate IPv6 packets within IPv4
headers to carry them over IPv4 infrastructure
• IPv4/IPv6 header translation, used when implementation of IPv6 is well-advanced and
few IPv4 systems remain.
FortiGate units are dual IP layer IPv6/IPv4 nodes and they support IPv6 over IPv4
tunneling.
For more information, see RFC 2893, Transition Mechanisms for IPv6 Hosts and Routers
and RFC 2185, Routing Aspects of IPv6 Transition.

Configuring FortiOS to connect to an IPv6 tunnel provider


If an organization with a mixed network uses an Internet service provider that does not
support IPv6, they can use an IPv6 tunnel broker to connect to IPv6 addresses on the
Internet. FortiOS supports IPv6 tunnelling over service provider IPv4 networks to tunnel
brokers. The tunnel broker extracts the IPv6 packets from the tunnel and routes them to
their IPv6 destination.

The internal network is running IPv6. The FortiGate unit creates an IPv6-over-IPv4 tunnel
to the IPv6 tunnel broker. From the tunnel broker, your network can access IPv6
addresses on the Internet.
In this example the internal network is small and directly connected to the FortiGate unit —
there is no need for routing on the internal network since everything is connected and on
the same subnet.

Assumptions
• Before configuring your FortiGate unit for IPv6-over-IPv4 tunneling, you need to
choose an IPv6 tunnel broker and get their information. For this example, Hurricane
Electric (http://he.net) will be used.
• The addresses used in this example are for example use only.
• VDOMs are not enabled.
• The tunnel broker IPv4 address is 78.35.24.124.
• The tunnel broker IPv6 end of the tunnel is 2001:4dd0:ff00:15e::1/64
• The FortiGate unit external IPv4 address is 172.20.120.17.
• The FortiGate unit IPv6 address of the tunnel is 2001:4dd0:ff00:15e::2/64.
• port1 of the FortiGate unit is connected to the internal network.
• port2 of the FortiGate unit is connected to the external network (Internet).

Figure 5: Connecting to an IPv6 tunnel broker
(Figure: the IPv6 internal network connects to the FortiGate unit, which carries an
IPv6-over-IPv4 tunnel across the Internet to the IPv6 tunnel broker.)

Steps to connect to an IPv6 tunnel broker


1 Create a SIT-Tunnel Interface
2 Create a static IPv6 Route into the Tunnel-Interface
3 Assign your IPv6 Network to your FortiGate
4 Create a Firewall-Policy to allow Traffic from LAN to the Tunnel-Interface
5 Test the connection

Create a SIT-Tunnel Interface


Creating the SIT-tunnel creates a virtual interface in the form of a tunnel, much like a VPN
tunnel. The end points of the tunnel are the FortiGate unit and the tunnel broker’s server
addresses.
In our example, the external address of the FortiGate unit is DHCP-based and may
change to any value on that subnet, so the source address allows for that.
config system sit-tunnel
    edit HE_ip6_broker
        set destination 78.35.24.124
        set interface port2
        set ip6 2001:4dd0:ff00:15e::2/64
        set source 172.20.120.0
    next
end
For more information on the sit-tunnel CLI command, see “Configuring IPv6 over IPv4
tunneling” on page 89 or the FortiGate CLI Reference.
Now that the tunnel exists, some additional interface commands are required, such as
allowing ping6 on the tunnel interface for troubleshooting.
config system interface
    edit HE_ip6_broker
        config ipv6
            set ip6-allowaccess ping
        end
    next
end

Create a static IPv6 Route into the Tunnel-Interface


With the tunnel up and the firewall policies in place, all that remains is to add a default
route for IPv6 traffic to go over the tunnel. As there will only be one static routing entry,
there is no need for a priority. This may change in the future if other routes are added.
config router static6
    edit 1
        set device HE_ip6_broker
    next
end

Assign your IPv6 Network to your FortiGate


This step assigns an IPv6 address to the internal interface on the FortiGate unit. That way
all IPv6 traffic entering on this interface will be routed to the tunnel. Systems with
addresses within this prefix are reachable on the subnet in question without help from a
router, so the onlink-flag is enabled. Hosts can create an address for themselves by
combining this prefix with an interface identifier, so the autonomous-flag is enabled.
config system interface
    edit port1
        config ipv6
            set ip6-address 2001:4dd0:ff42:72::1/64
            set ip6-allowaccess ping https ssh
            set ip6-send-adv enable
            config ip6-prefix-list
                edit 2001:4dd0:ff42:72::/64
                    set autonomous-flag enable
                    set onlink-flag enable
                    set preferred-life-time 3600
                next
            end
        end
    next
end

At this point any PCs on your internal network that are set to auto-configure should have
their addresses. To test this you can ping6 from the PC to the FortiGate unit. See “IPv6
ping description” on page 96.
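What a host does with that advertised prefix, as an added example (not FortiOS code or Fortinet tooling): with autonomous-flag enabled, a SLAAC client forms its address by appending a modified EUI-64 interface identifier derived from its MAC address to the advertised /64 prefix (RFC 4291). The script below derives that address and also performs the reverse lookup a defender often needs when reading logs or sniffer output, recovering the MAC from an EUI-64 style address. The MAC address in the script is constructed so that the result matches the client address that appears in the sniffer output later in this chapter; the prefix is the one advertised on port1 above. Hosts using RFC 4941 privacy extensions choose random interface identifiers instead, so the reverse mapping returns None for those.

```python
"""SLAAC address derivation from an advertised /64 prefix (added example, not FortiOS code)."""
import ipaddress
from typing import Optional


def eui64_interface_id(mac: str) -> bytes:
    """Modified EUI-64 (RFC 4291 appendix A): insert ff:fe, flip the universal/local bit."""
    octets = bytes(int(part, 16) for part in mac.replace("-", ":").split(":"))
    if len(octets) != 6:
        raise ValueError(f"not a 48-bit MAC address: {mac}")
    return bytes([octets[0] ^ 0x02]) + octets[1:3] + b"\xff\xfe" + octets[3:6]


def slaac_address(prefix: str, mac: str) -> str:
    """Address a host forms from a Router Advertisement prefix with autonomous-flag enabled."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen != 64:
        raise ValueError("SLAAC with EUI-64 identifiers requires a /64 prefix")
    return str(ipaddress.IPv6Address(net.network_address.packed[:8] + eui64_interface_id(mac)))


def mac_from_eui64(address: str) -> Optional[str]:
    """Recover the MAC if the interface identifier is EUI-64 derived, else None."""
    iid = ipaddress.IPv6Address(address).packed[8:]
    if iid[3:5] != b"\xff\xfe":
        return None   # e.g. an RFC 4941 temporary address or a manually chosen one
    octets = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:8]
    return ":".join(f"{o:02x}" for o in octets)


if __name__ == "__main__":
    # constructed MAC; prefix as advertised on port1 in the tunnel broker example
    print(slaac_address("2001:4dd0:ff42:72::/64", "00:1b:63:08:e0:71"))
    print(mac_from_eui64("2001:4dd0:ff42:68:225:ff:feee:5314"))
```

Because an EUI-64 address embeds the hardware address, the reverse mapping is useful for tying an IPv6 session log entry back to a switch port or asset record; it also explains why the same host keeps the same suffix across every prefix it is ever given.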

Create a Firewall-Policy to allow Traffic from port1 to the Tunnel-Interface


With the tunnel configured, it will appear as an interface in the Network interface list. That
means the next step is to add firewall policies to allow traffic to and from the tunnel.
config firewall policy6
    edit 2
        set srcintf port1
        set dstintf HE_ip6_broker
        set srcaddr "::/0"
        set dstaddr "::/0"
        set action accept
        set schedule "always"
        set service "ANY"
        set logtraffic enable
    next
end

Test the connection


To test the tunnel, try to connect to an external IPv6 address such as
http://ipv6.google.com.
If you want to see the path the IPv6 traffic takes, do a traceroute from a PC on the internal
network to an external address. You will see the traffic enter the FortiGate unit, enter the
tunnel, pass through the tunnel broker server, and on out over the Internet.
If you are entering an IPv6 address into your web browser, you have to type
https://[2001:4dd0:ff42:72::1]. The square brackets distinguish the address from a port
number, as in https://[2001:4dd0:ff42:72::1]:8080.

IPv6 Troubleshooting
There are a number of troubleshooting methods that can be used with IPv6 issues.
This section includes:
• ping6
• diag sniffer packet
• diag debug flow
• IPv6 specific diag commands

ping6
The main method of troubleshooting IPv6 traffic is using the IPv6 version of ping.
You can use the IPv6 ping command to:
• Send an ICMP echo request packet to the IPv6 address that you specify.
• Specify a source interface other than the one from which the probe originates by using
the source interface keywords.
• Specify a source IP address other than the one from which the probe originates by
using the source address keywords.

You can specify the following options:

packetCount
    Number of packets to send to the destination IPv6 address. If you specify a
    zero, echo request packets are sent indefinitely.
data-pattern
    Sets the type of bits contained in the packet to all ones, all zeros, a random
    mixture of ones and zeros, or a specific hexadecimal data pattern that can
    range from 0x0 to 0xFFFFFFFF. The default is all zeros.
extended header attributes
    Set the interface type and specifier of a destination address on the system
    that is configured for external loopback; the command succeeds only if the
    specified interface is configured for external loopback.
sweep interval
    Specifies the change in the size of subsequent ping packets while sweeping
    across a range of sizes. For example, you can configure the sweep interval to
    sweep across the range of packets from 100 bytes to 1000 bytes in increments
    specified by the sweep interval. By default, the system increments packets by
    one byte; for example, it sends 100, 101, 102, 103, ... 1000. If the sweep
    interval is 5, the system sends 100, 105, 110, 115, ... 1000.
sweep sizes
    Enables you to vary the sizes of the echo packets being sent. Used to
    determine the minimum sizes of the MTUs configured on the nodes along the path
    to the destination address. This reduces packet fragmentation, which
    contributes to performance problems. The default is to not sweep (all packets
    are the same size).
timeout
    Sets the number of seconds to wait for an ICMP echo reply packet before the
    connection attempt times out.
hop limit
    Sets the time-to-live hop count in the range 1-255; the default is 255.

The following characters may appear in the display after the ping command is issued:
! - reply received
. - timed out while waiting for a reply
? - unknown packet type
A - admin unreachable
b - packet too big
H - host unreachable
N - network unreachable
P - port unreachable
p - parameter problem
S - source beyond scope
t - hop limit expired (TTL expired)

IPv6 ping description


Ping uses the ICMP protocol's mandatory ECHO_REQUEST datagram to elicit an ICMP
ECHO_RESPONSE from a host or gateway. ECHO_REQUEST datagrams ("pings") have
an IP and ICMP header, followed by a struct timeval and then an arbitrary number of "pad"
bytes used to fill out the packet.

IPv6 ping options

-a          Audible ping.
-A          Adaptive ping. Interpacket interval adapts to round-trip time, so
            effectively no more than one (or more, if preload is set) unanswered
            probe is present in the network. Minimal interval is 200msec for any
            user other than administrator. On networks with low rtt this mode is
            essentially equivalent to flood mode.
-b          Allow pinging of a broadcast address.
-B          Do not allow ping to change source address of probes. The address is
            bound to one selected when the ping starts.
-c count    Stop after sending count ECHO_REQUEST packets. With deadline
            option, ping waits for count ECHO_REPLY packets, until the timeout
            expires.
-d          Set the SO_DEBUG option on the socket being used. This socket option
            is not used by a Linux kernel.
-F flow label
            Allocate and set 20 bit flow label on echo request packets (only ping6).
            If value is zero, kernel allocates random flow label.
-f          Flood ping. For every ECHO_REQUEST sent a period "." is displayed,
            while for every ECHO_REPLY received a backspace is displayed. This
            provides a rapid display of how many packets are being dropped. If
            interval is not specified, it is set to zero and packets are output as
            fast as they come back or one hundred times per second, whichever is
            faster. Only the administrator may use this option with zero interval.
-i interval Wait a specified interval of seconds between sending each packet. The
            default is 1 second between each packet, or no wait in flood mode.
            Only an administrator can set the interval to a value of less than 0.2
            seconds.
-I interface address
            Set source address to specified interface address. Argument may be
            numeric IP address or name of device. This option is required when you
            ping an IPv6 link-local address.
-l preload  If preload is specified, ping sends this number of packets that are not
            waiting for a reply. Only the administrator may select a preload of more
            than 3.
-L          Suppress loopback of multicast packets. This flag only applies if the
            ping destination is a multicast address.
-n          Numeric output only. No attempt will be made to look up symbolic
            names for host addresses.
-p pattern  You may specify up to 16 "pad" bytes to fill out the packet you send.
            This is useful for diagnosing data-dependent problems in a network.
            For example, -p ff will cause the sent packet to be filled with all ones.
-Q tos      Set Quality of Service-related bits in ICMP datagrams. tos can be
            either decimal or hex number. Traditionally (RFC 1349), these have
            been interpreted as: 0 for reserved (currently being redefined as
            congestion control), 1-4 for Type of Service and 5-7 for Precedence.
            Possible settings for Type of Service are: minimal cost: 0x02, reliability:
            0x04, throughput: 0x08, low delay: 0x10. Multiple TOS bits should not
            be set simultaneously. Possible settings for special Precedence range
            from priority (0x20) to net control (0xe0). You must be root
            (CAP_NET_ADMIN capability) to use Critical or higher precedence
            value. You cannot set bit 0x01 (reserved) unless ECN has been
            enabled in the kernel. In RFC 2474, these fields have been redefined as
            8-bit Differentiated Services (DS), consisting of: bits 0-1 of separate
            data (ECN will be used, here), and bits 2-7 of Differentiated Services
            Codepoint (DSCP).
-q          Quiet output. Nothing is displayed except the summary lines at startup
            time and when finished.
-R          Record route. (IPv4 only) Includes the RECORD_ROUTE option in the
            ECHO_REQUEST packet and displays the route buffer on returned
            packets. Note that the IP header is only large enough for nine such
            routes. Many hosts ignore or discard this option.
-r          Bypass the normal routing tables and send directly to a host on an
            attached interface. If the host is not on a directly-attached network, an
            error is returned. This option can be used to ping a local host through
            an interface that has no route through it provided the option -I is also
            used.
-s packetsize
            Specifies the number of data bytes to be sent. The default is 56, which
            translates into 64 ICMP data bytes when combined with the 8 bytes of
            ICMP header data.
-S sndbuf   Set socket sndbuf (send buffer). If not specified, it is selected to buffer
            not more than one packet.
-t ttl      Set the IP Time to Live.
-T timestamp option
            Set special IP timestamp options. May be either tsonly (only
            timestamps), tsandaddr (timestamps and addresses) or tsprespec
            host1 [host2 [host3 [host4]]] (timestamp prespecified hops).
-M hint     Select Path MTU Discovery strategy. hint may be either do (prohibit
            fragmentation, even local one), want (do PMTU discovery, fragment
            locally when packet size is large), or dont (do not set DF flag).
-U          Print full user-to-user latency (the old behavior). Normally ping prints
            network round trip time, which can be different, e.g. due to DNS failures.
-v          Verbose output.
-V          Show version and exit.
-w deadline Specify a timeout, in seconds, before ping exits regardless of how many
            packets have been sent or received. In this case ping does not stop
            after count packets are sent; it waits either for the deadline to expire,
            until count probes are answered, or for some error notification from the
            network.
-W timeout  Time to wait for a response, in seconds. The option affects only timeout
            in absence of any responses, otherwise ping waits for two RTTs.

Examples
How to ping a global IPv6 address with a 1400 byte packet from the FortiGate CLI:
execute ping6 -s 1400 2001:480:332::10
How to ping a multicast group with ping6 from the FortiGate CLI (-I and the port name
must be specified for the CLI ping6 command to ping an IPv6 multicast group):
execute ping6 -I port1 ff02::1
How to ping a link-local IPv6 address from the FortiGate CLI:
execute ping6 FE80:0:0:0:213:e8ff:fe9e:ccf7
This address would normally be written as FE80::213:e8ff:fe9e:ccf7.

diag sniffer packet


The FortiOS built-in packet sniffer also works for IPv6. Here are some examples using an
IPv6-over-IPv4 tunnel called test6.
# diag sniff pack test6 'none' 4
interfaces=[test6]
filters=[]
pcap_lookupnet: test6: no IPv4 address assigned
34.258651 test6 -- 2001:4dd0:ff00:15d::2 -> 2001:4dd0:ff00:15d::1: icmp6: echo request seq 1
34.324658 test6 -- 2001:4dd0:ff00:15d::1 -> 2001:4dd0:ff00:15d::2: icmp6: echo reply seq 1
35.268581 test6 -- 2001:4dd0:ff00:15d::2 -> 2001:4dd0:ff00:15d::1: icmp6: echo request seq 2
35.334230 test6 -- 2001:4dd0:ff00:15d::1 -> 2001:4dd0:ff00:15d::2: icmp6: echo reply seq

# diag sniff pack any 'ip6 and tcp port 80' 4 10
interfaces=[any]
filters=[ip6 and tcp port 80]
1 LAN in 2001:4dd0:ff42:72:21b:63ff:fe08:e071.53037 -> 2a00:1450:8007::63.80: syn 2298823882
2 test6 out 2001:4dd0:ff42:72:21b:63ff:fe08:e071.53037 -> 2a00:1450:8007::63.80: syn 2298823882
3 test6 in 2a00:1450:8007::63.80 -> 2001:4dd0:ff42:72:21b:63ff:fe08:e071.53037: syn 4218782319 ack
4 LAN out 2a00:1450:8007::63.80 -> 2001:4dd0:ff42:72:21b:63ff:fe08:e071.53037: syn 4218782319 ack
5 LAN in 2001:4dd0:ff42:72:21b:63ff:fe08:e071.53037 -> 2a00:1450:8007::63.80: ack 4218782320
6 test6 out 2001:4dd0:ff42:72:21b:63ff:fe08:e071.53037 -> 2a00:1450:8007::63.80: ack 4218782320
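A quick way to turn a sniffer capture like the one above into something reviewable, as an added example that is not FortiOS code: the script below parses both output formats shown (the timestamped icmp6 lines from a single-interface capture and the numbered TCP lines with interface and direction from a capture on any), groups the TCP packets into flows, records the interface path each flow took (so you can confirm the traffic entered on LAN and left through the tunnel interface), and pairs ICMPv6 echo requests with their replies to compute round-trip times. The sample text is constructed from the handbook's output above, re-joined onto single lines as the device prints them, with the sequence number missing from the last reply filled in as 2 for the sample.

```python
"""Parse FortiOS 'diag sniffer packet' IPv6 output (added example, not FortiOS code)."""
import re
from typing import Dict, List, Tuple

# Constructed from the handbook output above, one record per line as the device prints it;
# the sequence number missing from the last reply above is filled in as 2 for the sample.
SAMPLE_ICMP = """\
34.258651 test6 -- 2001:4dd0:ff00:15d::2 -> 2001:4dd0:ff00:15d::1: icmp6: echo request seq 1
34.324658 test6 -- 2001:4dd0:ff00:15d::1 -> 2001:4dd0:ff00:15d::2: icmp6: echo reply seq 1
35.268581 test6 -- 2001:4dd0:ff00:15d::2 -> 2001:4dd0:ff00:15d::1: icmp6: echo request seq 2
35.334230 test6 -- 2001:4dd0:ff00:15d::1 -> 2001:4dd0:ff00:15d::2: icmp6: echo reply seq 2
"""
SAMPLE_TCP = """\
1 LAN in 2001:4dd0:ff42:72:21b:63ff:fe08:e071.53037 -> 2a00:1450:8007::63.80: syn 2298823882
2 test6 out 2001:4dd0:ff42:72:21b:63ff:fe08:e071.53037 -> 2a00:1450:8007::63.80: syn 2298823882
3 test6 in 2a00:1450:8007::63.80 -> 2001:4dd0:ff42:72:21b:63ff:fe08:e071.53037: syn 4218782319 ack
4 LAN out 2a00:1450:8007::63.80 -> 2001:4dd0:ff42:72:21b:63ff:fe08:e071.53037: syn 4218782319 ack
5 LAN in 2001:4dd0:ff42:72:21b:63ff:fe08:e071.53037 -> 2a00:1450:8007::63.80: ack 4218782320
6 test6 out 2001:4dd0:ff42:72:21b:63ff:fe08:e071.53037 -> 2a00:1450:8007::63.80: ack 4218782320
"""

# "<ts> <iface> -- <src> -> <dst>: icmp6: echo request|reply seq <n>"  (verbose level 4, no count)
ICMP_LINE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<iface>\S+)\s+--\s+(?P<src>\S+)\s+->\s+(?P<dst>\S+):\s+"
    r"icmp6:\s+echo\s+(?P<kind>request|reply)\s+seq\s+(?P<seq>\d+)$")
# "<n> <iface> in|out <src>.<sport> -> <dst>.<dport>: <flags and numbers>"  (interface 'any')
TCP_LINE = re.compile(
    r"^(?P<num>\d+)\s+(?P<iface>\S+)\s+(?P<dir>in|out)\s+"
    r"(?P<src>[0-9a-fA-F:.]+)\.(?P<sport>\d+)\s+->\s+"
    r"(?P<dst>[0-9a-fA-F:.]+)\.(?P<dport>\d+):\s+(?P<rest>.*)$")
TCP_FLAGS = {"syn", "ack", "fin", "rst", "psh", "urg"}

Endpoint = Tuple[str, int]


def tcp_flows(text: str) -> Dict[Tuple[Endpoint, Endpoint], dict]:
    """Group the numbered TCP records into flows keyed by their (sorted) endpoint pair."""
    flows: Dict[Tuple[Endpoint, Endpoint], dict] = {}
    for line in text.splitlines():
        m = TCP_LINE.match(line.strip())
        if not m:
            continue
        a = (m["src"], int(m["sport"]))
        b = (m["dst"], int(m["dport"]))
        key = (min(a, b), max(a, b))
        flow = flows.setdefault(key, {"packets": 0, "path": [], "flags": set()})
        flow["packets"] += 1
        hop = (m["iface"], m["dir"])
        if hop not in flow["path"]:
            flow["path"].append(hop)      # interfaces in the order the flow was first seen on them
        flow["flags"].update(w for w in m["rest"].split() if w in TCP_FLAGS)
    return flows


def flows_via_interface(flows: Dict[Tuple[Endpoint, Endpoint], dict], iface: str,
                        direction: str = "out") -> List[Tuple[Endpoint, Endpoint]]:
    """Flows seen leaving (or entering) a given interface, e.g. the SIT tunnel."""
    return [key for key, flow in flows.items() if (iface, direction) in flow["path"]]


def echo_rtts(text: str) -> Dict[int, float]:
    """Pair icmp6 echo requests with replies by sequence number; RTT in seconds."""
    sent: Dict[int, float] = {}
    rtts: Dict[int, float] = {}
    for line in text.splitlines():
        m = ICMP_LINE.match(line.strip())
        if not m:
            continue
        seq, ts = int(m["seq"]), float(m["ts"])
        if m["kind"] == "request":
            sent[seq] = ts
        elif seq in sent:
            rtts[seq] = round(ts - sent.pop(seq), 6)
    return rtts


if __name__ == "__main__":
    for key, flow in tcp_flows(SAMPLE_TCP).items():
        print(key, flow["packets"], "packets, path", flow["path"], "flags", sorted(flow["flags"]))
    print("tunnel egress:", flows_via_interface(tcp_flows(SAMPLE_TCP), "test6"))
    print("echo RTTs:", echo_rtts(SAMPLE_ICMP))
```

A flow whose path shows LAN in but never test6 out is the pattern to look for when IPv6 clients report that the tunnel "does not work": the packet reached the FortiGate unit but a policy or route stopped it before the tunnel interface.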

diag debug flow


The diag debug flow command is the same for IPv6 or IPv4. The output format is the
same, but the command is only slightly different in that it uses filter6 and an IPv6
address.

To enable diag debug flow for IPv6 - CLI


# diag debug enable
# diag debug flow show console enable
# diag debug flow show func enable
# diag debug flow filter6 addr 2001:4dd0:ff42:12::24
# diag debug flow trace start6

IPv6 specific diag commands


To list all the sit-tunnels that are configured:
# diagnose ipv6 sit-tunnel list
total tunnel = 1:
devname=test6 devindex=4 ifindex=22 saddr=0.0.0.0 daddr=88.25.29.134 proto=41 vfid=0000 ref=2

To list all the IPv6 routes:


# diagnose ipv6 route list
vf=0 type=02 protocol=unspec flag=00200001 oif=8(root)
dst:::1/128 gwy::: prio=0
vf=0 type=02 protocol=unspec flag=00200001 oif=8(root)
dst:2001:4dd0:ff00:75d::2/128 gwy::: prio=0
vf=0 type=01 protocol=kernel flag=00240021 oif=22(sixxs)
dst:2001:4dd0:ff00:75d::/64 gwy::: prio=100
vf=0 type=02 protocol=unspec flag=00200001 oif=8(root)
dst:2001:4dd0:ff42:68::1/128 gwy::: prio=0
vf=0 type=01 protocol=kernel flag=01040001 oif=19(LAN)
dst:2001:4dd0:ff42:68:225:ff:feee:5314/128
gwy:2001:4dd0:ff42:68:225:ff:feee:5314 prio=0
.....

Some other IPv6 diag commands include:

diagnose ipv6 neighbor-cache   Add, delete, flush, or list the IPv6 ARP table or ARP table entry.
diagnose sys session6          Clear, filter, full-stat, list, stat IPv6 sessions.
tree diagnose ipv6             View all the diagnose IPv6 commands.

Additional IPv6 resources


There are many RFCs available regarding IPv6. The following table lists the major IPv6
articles and their Internet Engineering Task Force (IETF) web locations.

Table 13: Additional IPv6 resources

RFC 1933, Transition Mechanisms for IPv6 Hosts and Routers
    Describes IPv4 compatibility mechanisms that can be implemented by IPv6 hosts and routers
    http://www.ietf.org/rfc/rfc1933
RFC 2185, Routing Aspects of IPv6 Transition
    Provides an overview of the routing aspects of the IPv6 transition
    http://www.ietf.org/rfc/rfc2185
RFC 2373, IP Version 6 Addressing Architecture
    Defines the addressing architecture of the IP Version 6 protocol [IPV6]
    http://www.ietf.org/rfc/rfc2373
RFC 2402, IP Authentication Header
    Describes functionality and implementation of IP Authentication Headers (AH)
    http://www.ietf.org/rfc/rfc2402
RFC 2460, Internet Protocol, Version 6 (IPv6) Specification
    Describes functionality, configuration of IP version 6 (IPv6) and differences from IPv4
    http://www.ietf.org/rfc/rfc2460
RFC 2461, Neighbor Discovery for IP Version 6 (IPv6)
    Describes the features and functions of the IPv6 Neighbor Discovery protocol
    http://www.ietf.org/rfc/rfc2461
RFC 2462, IPv6 Stateless Address Autoconfiguration
    Specifies the steps a host takes in deciding how to autoconfigure its interfaces in IPv6
    http://www.ietf.org/rfc/rfc2462
RFC 2893, Transition Mechanisms for IPv6 Hosts and Routers
    Specifies IPv4 compatibility mechanisms that can be implemented by IPv6 hosts and routers
    http://www.ietf.org/rfc/rfc2893
RFC 3306, Unicast-Prefix-Based IPv6 Multicast Addresses
    Describes the format and types of IPv6 multicast addresses
    http://www.ietf.org/rfc/rfc3306
RFC 3484, Default Address Selection for Internet Protocol Version 6 (IPv6)
    Describes the algorithms used in IPv6 default address selection
    http://www.ietf.org/rfc/rfc3484
RFC 3513, Internet Protocol Version 6 (IPv6) Addressing Architecture
    Contains details about the types of IPv6 addresses and includes examples
    http://www.ietf.org/rfc/rfc3513
RFC 3587, IPv6 Global Unicast Address Format
    Defines the standard format for IPv6 unicast addresses
    http://www.ietf.org/rfc/rfc3587

PPTP and L2TP
This section describes how to configure PPTP and L2TP VPNs as well as PPTP
pass through. It contains the following topics:
• About FortiOS PPTP VPNs
• How PPTP VPNs work
• FortiGate PPTP topologies
• Configuring the FortiGate unit for PPTP VPN
• Configuring the FortiGate unit for PPTP pass through
• Monitoring PPTP sessions
• Configuring L2TP VPNs
• L2TP configuration overview
• Adding the firewall policy

About FortiOS PPTP VPNs


A virtual private network (VPN) is a way to use a public network, such as the Internet, to
provide remote offices or individual users with secure access to private networks. For
example, a company that has two offices in different cities, each with its own private
network, can use a VPN to create a secure tunnel between the offices. Similarly,
telecommuters can use VPN clients to access private data resources securely from a
remote location.
With FortiOS’s built-in VPN capabilities, small home offices, medium-sized businesses,
enterprises, and service providers can ensure the confidentiality and integrity of data
transmitted over the Internet. FortiOS provides enhanced authentication, strong
encryption, and restricted access to company network resources and services.
FortiOS supports the Point-to-Point Tunneling Protocol (PPTP), which enables
interoperability between FortiGate units and Windows or Linux PPTP clients. Because
FortiGate units support industry standard PPTP VPN technologies, you can configure a
PPTP VPN between a FortiGate unit and most third-party PPTP VPN peers.

How PPTP VPNs work


A virtual private network (VPN) is a way to use a public network, such as the Internet, to
provide remote offices or individual users with secure access to private networks. The
Point-to-Point Tunneling Protocol allows you to create a VPN between a remote client and
your internal network. Because it is a Windows standard, PPTP does not require third-
party software on the client computer. As long as the Internet Service Provider (ISP)
supports PPTP on its servers, you can create a secure connection by making relatively
simple configuration changes to the client computer and the FortiGate unit.
PPTP uses Point-to-Point Protocol (PPP) authentication protocols so that standard PPP
software can operate on tunneled PPP links. PPTP packages data in PPP packets and
then encapsulates the PPP packets within IP packets for transmission through a VPN
tunnel.


When the FortiGate unit acts as a PPTP server, a PPTP session and tunnel are created as
soon as the PPTP client connects to the FortiGate unit. More than one PPTP session can
be supported on the same tunnel. FortiGate units support PAP, CHAP, and plain text
authentication. PPTP clients are authenticated as members of a user group.
Traffic from one PPTP peer is encrypted using PPP before it is encapsulated using
Generic Routing Encapsulation (GRE) and routed to the other PPTP peer through an ISP
network. PPP packets from the remote client are addressed to a computer on the private
network behind the FortiGate unit. PPTP packets from the remote client are addressed to
the public interface of the FortiGate unit. See Figure 6 on page 104.

Caution: PPTP control channel messages are not authenticated, and their integrity is not
protected. Furthermore, encapsulated PPP packets are not cryptographically protected and
may be read or modified unless appropriate encryption software such as Secure Shell
(SSH) or Secure File Transfer Protocol (SFTP) is used to transfer data after the tunnel has
been established.
As an alternative, you can use encryption software such as Microsoft Point-to-
Point Encryption (MPPE) to secure the channel. MPPE is built into Windows
clients and can be installed on Linux clients. FortiGate units support MPPE.

Figure 6: Packet encapsulation

In Figure 6, traffic from the remote client is addressed to a computer on the network
behind the FortiGate unit. When the PPTP tunnel is established, packets from the remote
client are encapsulated and addressed to the FortiGate unit. The FortiGate unit forwards
disassembled packets to the computer on the internal network.


When the remote PPTP client connects, the FortiGate unit assigns an IP address from a
reserved range of IP addresses to the client PPTP interface. The PPTP client uses the
assigned IP address as its source address for the duration of the connection.
When the FortiGate unit receives a PPTP packet, the unit disassembles the PPTP packet
and forwards the packet to the correct computer on the internal network. The firewall
policy and protection profiles on the FortiGate unit ensure that inbound traffic is screened
and processed securely.

Note: PPTP clients must be authenticated before a tunnel is established. The
authentication process relies on FortiGate user group definitions, which can optionally use
established authentication mechanisms such as RADIUS or LDAP to authenticate PPTP
clients. All PPTP clients are challenged when a connection attempt is made.

FortiGate PPTP topologies


In a PPTP configuration, the FortiGate unit can act as a PPTP server or forward PPTP
packets to a PPTP server.

Infrastructure requirements
• The FortiGate unit operates in NAT/Route mode and has a static public IP address.
• The dialup client ISP account supports PPP connections with dynamically assigned IP
addresses, and if the ISP runs a PPTP server, the server must be configured to forward
PPTP packets to the FortiGate unit.
• The PPTP client includes PPP support (with MPPE if encryption is required).

FortiGate unit as a PPTP server


In the most common Internet scenario, the PPTP client connects to an ISP that offers PPP
connections with dynamically-assigned IP addresses. The ISP forwards PPTP packets to
the Internet, where they are routed to the FortiGate unit.

Figure 7: FortiGate unit as a PPTP server

FortiGate unit forwards traffic to a PPTP server


You may also configure the FortiGate unit to forward PPTP packets to a PPTP server on
the network behind the FortiGate unit.


Figure 8: FortiGate unit forwards traffic to PPTP server

Configuring the FortiGate unit for PPTP VPN


This section includes the following topics:
• PPTP server configuration overview
• PPTP pass through configuration overview
• Configuring user authentication for PPTP clients
• Configuring the FortiGate unit for PPTP pass through

PPTP server configuration overview


If the FortiGate unit will act as a PPTP server, perform the following tasks in the order
given:
• Configure user authentication for PPTP clients. See “Configuring user authentication
for PPTP clients” on page 106, “Configuring a user account” on page 107, and
“Configuring a user group” on page 107.
• Enable PPTP on the FortiGate unit, specify the range of addresses that can be
assigned to PPTP clients when they connect, and configure the firewall policy. See
“Enabling PPTP and specifying the PPTP IP address range” on page 107 and “Adding
the firewall policy” on page 108.

PPTP pass through configuration overview


To arrange for PPTP packets to pass through the FortiGate unit to an external PPTP
server, perform the following tasks in the order given:
• Configure user authentication for PPTP clients. See “Configuring user authentication
for PPTP clients” on page 106, “Configuring a user account” on page 107, and
“Configuring a user group” on page 107.
• Enable PPTP on the FortiGate unit and specify the range of addresses that can be
assigned to PPTP clients when they connect. See “Enabling PPTP and specifying the
PPTP IP address range” on page 107.
• Configure PPTP pass through on the FortiGate unit. See “Configuring the FortiGate
unit for PPTP pass through” on page 109.

Configuring user authentication for PPTP clients


To enable authentication for PPTP clients, you must create user accounts and a user
group to identify the PPTP clients that need access to the network behind the FortiGate
unit. Within the user group, you must add a user for each PPTP client.


You can choose to use a plain text password for authentication or forward authentication
requests to an external RADIUS, LDAP, or TACACS+ server. If password protection will be
provided through a RADIUS, LDAP, or TACACS+ server, you must configure the FortiGate
unit to forward authentication requests to the authentication server.

Configuring a user account


To add a Local user, go to User > User > User, select Create New, and enter or select the
following:

User Name A name that identifies the user.
Disable Select to prevent this user from authenticating.
Password Select to authenticate this user using a password stored on the
FortiGate unit and then enter the password. The password should be at
least six characters.
LDAP Select to authenticate this user using a password stored on an LDAP
server. Select the LDAP server from the list.
RADIUS Select to authenticate this user using a password stored on a RADIUS
server. Select the RADIUS server from the list.
TACACS+ Select to authenticate this user using a password stored on a TACACS+
server. Select the TACACS+ server from the list.

Configuring a user group


To add a new user group, go to User > User Group > User Group, select Create New, and
enter or select the following according to user group type:

Name Enter the name of the user group.
Type Firewall
Members The list of Local users, RADIUS servers, LDAP servers,
TACACS+ servers, Directory Service users/user groups, or
PKI users that belong to the user group.

Enabling PPTP and specifying the PPTP IP address range


The PPTP address range specifies the range of addresses reserved for remote PPTP
clients. When a PPTP client connects to the FortiGate unit, the client is assigned an IP
address from this range. Afterward, the FortiGate unit uses the assigned address to
communicate with the PPTP client.
The address range that you reserve can be associated with private or routable IP
addresses. If you specify a private address range that matches a network behind the
FortiGate unit, the assigned address will make the PPTP client appear to be part of the
internal network.
PPTP requires two IP addresses, one for each end of the tunnel. The PPTP address
range is the range of addresses reserved for remote PPTP clients. When the remote
PPTP client establishes a connection, the FortiGate unit assigns an IP address from the
reserved range of IP addresses to the client PPTP interface or retrieves the assigned IP
address from the PPTP user group. If you use the PPTP user group, you must also define
the FortiGate end of the tunnel by entering the IP address of the unit in Local IP (web-
based manager) or local-ip (CLI). The PPTP client uses the assigned IP address as its
source address for the duration of the connection.
To enable PPTP and specify the PPTP address range or specify the IP address for the
peer’s remote IP on the PPTP client side, go to the customized screen in the web-based
manager, select the required options, and then select Apply.


Note: The start and end IPs in the PPTP address range must be in the same 24-bit
subnet, e.g. 192.168.1.1 - 192.168.1.254.

config vpn pptp
set eip <address_ipv4>
set ip-mode {range | usrgrp}
set local-ip <address_localip>
set sip <address_ipv4>
set status {disable | enable}
set usrgrp <group_name>
end

Variables Description
eip <address_ipv4> The ending address of the PPTP address range.
ip-mode {range | usrgrp} Select usrgrp to have the PPTP client retrieve its IP address
from the PPTP user group, or range to assign the client an IP address from the
pre-configured IP address range.
local-ip <address_localip> The IP address of the FortiGate end of the tunnel (the PPTP
server address). Required when ip-mode is usrgrp.
sip <address_ipv4> The starting address of the PPTP IP address range.
status {disable | enable} Enable or disable PPTP VPN.
usrgrp <group_name> This keyword is available when status is set to enable.
Enter the name of the user group for authenticating PPTP clients. The
user group must be added to the FortiGate configuration before it can
be specified here.

Adding the firewall policy


The firewall policy specifies the source and destination addresses that can generate traffic
inside the PPTP tunnel and defines the scope of services permitted through the tunnel. If a
selection of services are required, define a service group.
To define the traffic and services permitted inside the PPTP tunnel, go to Firewall > Policy
> Policy, select Create New and enter the following information in particular:

Source Interface/Zone
Select the FortiGate interface to the Internet.
Address Name
Select the name that corresponds to the range of addresses that
you reserved for PPTP clients (for example, Ext_PPTPrange).
Destination Interface/Zone
Select the FortiGate interface to the internal (private) network.
Address Name
Select the name that corresponds to the IP addresses behind the
FortiGate unit (for example, Int_PPTPaccess).
Service
Select ANY, or if selected services are required instead, select the
service group that you defined previously.
Action
Select ACCEPT.


Note: Do not select identity-based policy, as this will cause the PPTP access to fail.
Authentication is configured in the PPTP configuration setup.

Configuring the FortiGate unit for PPTP pass through


To forward PPTP packets to a PPTP server on the network behind the FortiGate unit, you
perform the following configuration tasks on the FortiGate unit:
• Define a virtual IP address that points to the PPTP server. The FortiGate unit will
forward PPTP packets to the address you specify.
• Create a firewall policy that allows incoming PPTP packets to pass through to the
PPTP server.

Note: The address range is the external (public) IP address range that requires access to
the internal PPTP server through the FortiGate virtual port-forwarding firewall.
IP addresses used in this document are fictional and follow the technical documentation
guidelines specific to Fortinet. Real external IP addresses are not used.

Defining a virtual port-forwarding address


The IP address refers to the PPTP server host. The FortiGate unit will answer ARP
requests for the IP address that you specify.
To define a virtual port-forwarding address for PPTP pass through, go to Firewall >
Virtual IP > Virtual IP, select Create New and enter the following:

Name Enter a name to identify the virtual IP address (for example,
PPTP_server).
External Interface Select the FortiGate interface on which packets destined for
the PPTP server arrive. The IP address is bound to this
interface for the purpose of proxying ARP requests, for example,
wan2.
External IP Address/Range Enter the IP address of the FortiGate interface to the Internet.
Mapped IP Address/Range Enter the IP address of the PPTP server.
Port Forwarding Select Port Forwarding to forward packets to the PPTP server.
Protocol Select TCP.
External Service Port Enter 1723 (TCP port 1723 is the PPTP port).
Map to Port Enter 1723.

Configuring a port-forwarding firewall policy


To create a port-forwarding firewall policy for PPTP pass through, go to Firewall > Address
> Address, select Create New and enter the following:

Address Name Enter a name to identify the range of external addresses that you
reserved for PPTP clients (for example, External_PPTP).
Type Select the type of address: Subnet/IP Range.
Subnet/IP Range Enter the IP address range reserved for PPTP clients separated by a
hyphen (for example, 10.3.3.[1-10]).
Interface Select the interface to the Internet.


Adding the firewall policy


To add the firewall policy, go to Firewall > Policy > Policy, select Create New and enter the
following:

Source Interface/Zone
Select the FortiGate interface to the Internet.
Address Name
Select the name that corresponds to the range of addresses that
you reserved for external PPTP clients (for example,
External_PPTP).
Destination Interface/Zone
Select the FortiGate interface to the PPTP server.
Address Name
Select the name that corresponds to the virtual IP address that
you defined for the PPTP server (for example, PPTP_server).
Service
Select PPTP.
Action
Select ACCEPT.

Monitoring PPTP sessions


You can display a list of all active sessions and view activity by port number. By default,
port 1723 is used for PPTP VPN-related communications.

To view the list of active sessions


1 Go to System > Status.
2 In the Statistics section, select Details on the Sessions line.

Testing PPTP VPN connections


To confirm that a PPTP VPN between a local network and a dialup client has been
configured correctly, at the dialup client, issue a ping command to test the connection to
the local network. The PPTP VPN tunnel initializes when the dialup client attempts to
connect.

Logging VPN events


You can configure the FortiGate unit to log VPN events. For PPTP VPNs, connection
events and tunnel status (up/down) are logged.

To log VPN events


1 Go to Log&Report > Log Config > Log Setting.
2 Enable the storage of log messages to one or more of the following locations:
3 Select Apply.

To filter VPN events


1 Go to Log&Report > Log Config > Event Log.
2 Select Enable, and then select L2TP/PPTP/PPPoE service event.
3 Select Apply.


To view event logs


1 Go to Log&Report > Log Access > Memory.
2 If the option is available from the Log Type list, select the log file from disk or memory.

Configuring L2TP VPNs


This section describes how to configure a FortiGate unit to establish a Layer Two
Tunneling Protocol (L2TP) tunnel with a remote dialup client. The FortiGate
implementation of L2TP enables a remote dialup client to establish an L2TP tunnel with
the FortiGate unit directly.
According to RFC 2661, an Access Concentrator (LAC) can establish an L2TP tunnel with
an L2TP Network Server (LNS). In a typical scenario, the LAC is managed by an ISP and
located on the ISP premises; the LNS is the gateway to a private network. When a remote
dialup client connects to the Internet through the ISP, the ISP uses a local database to
establish the identity of the caller and determine whether the caller needs access to an
LNS through an L2TP tunnel. If the services registered to the caller indicate that an L2TP
connection to the LNS is required, the ISP LAC attempts to establish an L2TP tunnel with
the LNS.
A FortiGate unit can be configured to act as an LNS. The FortiGate implementation of
L2TP enables a remote dialup client to establish an L2TP tunnel with the FortiGate unit
directly, bypassing any LAC managed by an ISP. The ISP must configure its network
access server to forward L2TP traffic from the remote client to the FortiGate unit directly
whenever the remote client requires an L2TP connection to the FortiGate unit.
When the FortiGate unit acts as an LNS, an L2TP session and tunnel are created as soon
as the remote client connects to the FortiGate unit. The FortiGate unit assigns an IP
address to the client from a reserved range of IP addresses. The remote client uses the
assigned IP address as its source address for the duration of the connection.
More than one L2TP session can be supported on the same tunnel. FortiGate units can be
configured to authenticate remote clients using a plain text user name and password, or
authentication can be forwarded to an external RADIUS or LDAP server. L2TP clients are
authenticated as members of a user group.
Caution: FortiGate units support L2TP with Microsoft Point-to-Point Encryption (MPPE)
encryption only. Later implementations of Microsoft L2TP for Windows use IPSec and
require certificates for authentication and encryption. If you want to use Microsoft L2TP with
IPSec to connect to a FortiGate unit, the IPSec and certificate elements must be disabled
on the remote client.

Traffic from the remote client must be encrypted using MPPE before it is encapsulated and
routed to the FortiGate unit. Packets originating at the remote client are addressed to a
computer on the private network behind the FortiGate unit. Encapsulated packets are
addressed to the public interface of the FortiGate unit. See Figure 9.
When the FortiGate unit receives an L2TP packet, the unit disassembles the packet and
forwards the packet to the correct computer on the internal network. The firewall policy
and protection profiles on the FortiGate unit ensure that inbound traffic is screened and
processed securely.


Figure 9: L2TP encapsulation

[Figure: the remote client sends traffic whose destination is 192.168.20.2, a host behind
FortiGate_1. Across the Internet the encapsulating L2TP packets are addressed to
172.16.30.1, the public interface of FortiGate_1, which removes the encapsulation and
delivers the traffic to 192.168.20.2.]

Note: FortiGate units cannot deliver non-IP traffic such as Frame Relay or ATM frames
encapsulated in L2TP packets; FortiGate units support the IPv4 and IPv6 addressing
schemes only.

Network topology
The remote client connects to an ISP that determines whether the client requires an L2TP
connection to the FortiGate unit. If an L2TP connection is required, the connection request
is forwarded to the FortiGate unit directly.

Figure 10: Example L2TP configuration

[Figure: Remote_Client_1, Remote_Client_2 and Remote_Client_3 reach FortiGate_1
across the Internet; the internal network sits behind FortiGate_1.]


L2TP infrastructure requirements


• The FortiGate unit must be operating in NAT/Route mode and have a static public IP
address.
• The ISP must configure its network access server to forward L2TP traffic from remote
clients to the FortiGate unit directly.
• The remote client must not generate non-IP traffic (Frame Relay or ATM frames).
• The remote client includes L2TP support with MPPE encryption. If the remote client
includes Microsoft L2TP with IPSec, the IPSec and certificate components must be
disabled.

L2TP configuration overview


To configure a FortiGate unit to act as an LNS, you perform the following tasks on the
FortiGate unit:
• Create an L2TP user group containing one user for each remote client. See
“Authenticating L2TP clients” on page 113.
• Enable L2TP on the FortiGate unit and specify the range of addresses that can be
assigned to remote clients when they connect. See “Enabling L2TP and specifying an
address range” on page 113.
• Define firewall source and destination addresses to indicate where packets transported
through the L2TP tunnel will originate and be delivered. See “Defining firewall source
and destination addresses” on page 114.
• Create the firewall policy and define the scope of permitted services between the
source and destination addresses. See “Adding the firewall policy” on page 108.
• Configure the remote clients. For example, see “Configuring a Linux client” on
page 115.

Authenticating L2TP clients


L2TP clients must be authenticated before a tunnel is established. The authentication
process relies on FortiGate user group definitions, which can optionally use established
authentication mechanisms such as RADIUS or LDAP to authenticate L2TP clients. All
L2TP clients are challenged when a connection attempt is made.
To enable authentication, you must create user accounts and a user group to identify the
L2TP clients that need access to the network behind the FortiGate unit.
You can choose to use a plain text password for authentication or forward authentication
requests to an external RADIUS or LDAP server. If password protection will be provided
through a RADIUS or LDAP server, you must configure the FortiGate unit to forward
authentication requests to the authentication server.

Enabling L2TP and specifying an address range


The L2TP address range specifies the range of addresses reserved for remote clients.
When a remote client connects to the FortiGate unit, the client is assigned an IP address
from this range. Afterward, the FortiGate unit uses the assigned address to communicate
with the remote client.
The address range that you reserve can be associated with private or routable IP
addresses. If you specify a private address range that matches a network behind the
FortiGate unit, the assigned address will make the remote client appear to be part of the
internal network.


To enable L2TP and specify the L2TP address range, use the config vpn l2tp CLI
command.
The following example shows how to enable L2TP and set the L2TP address range using
a starting address of 192.168.10.80 and an ending address of 192.168.10.100 for
an existing group of L2TP users named L2TP_users:
config vpn l2tp
set sip 192.168.10.80
set eip 192.168.10.100
set status enable
set usrgrp L2TP_users
end
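The following Python helper is an added example (not Fortinet code) that serves both the L2TP block above and the config vpn pptp variables described earlier: it checks a start/end pair against the rules the handbook states (sip not above eip, one 24-bit subnet for a PPTP range, local-ip required in usrgrp mode), renders either block, and writes the range in the 192.168.10.[80-100] form used for firewall addresses. L2TP_users is the page's example group; PPTP_users and the four-space indentation of set lines are constructed.

```python
"""Render and sanity-check 'config vpn pptp' and 'config vpn l2tp' blocks.
Added example for this page, not Fortinet code. It only encodes rules the
handbook states: sip must not be above eip, a PPTP range must stay inside
one 24-bit subnet, local-ip is required in usrgrp mode, and the
192.168.10.[80-100] notation is used for firewall address ranges."""
import ipaddress


def validate_range(sip, eip, require_same_24=True):
    """Return a list of problems with a start/end pair (empty when valid).
    require_same_24 applies the handbook's PPTP rule that both ends lie in
    the same 24-bit subnet; the page states no such rule for L2TP."""
    start = ipaddress.IPv4Address(sip)
    end = ipaddress.IPv4Address(eip)
    problems = []
    if start > end:
        problems.append("start address %s is after end address %s" % (start, end))
    if require_same_24:
        net_start = ipaddress.IPv4Network("%s/24" % start, strict=False)
        net_end = ipaddress.IPv4Network("%s/24" % end, strict=False)
        if net_start != net_end:
            problems.append("start and end addresses are not in the same 24-bit subnet")
    return problems


def firewall_range_notation(sip, eip):
    """Write a range the way the handbook enters firewall addresses,
    e.g. 192.168.10.[80-100]; only defined for a range inside one /24."""
    problems = validate_range(sip, eip, require_same_24=True)
    if problems:
        raise ValueError("; ".join(problems))
    prefix, first = sip.rsplit(".", 1)
    last = eip.rsplit(".", 1)[1]
    return "%s.[%s-%s]" % (prefix, first, last)


def _block(name, settings):
    """Render a FortiOS config block with the settings in the given order
    (the four-space indentation is a constructed convention)."""
    lines = ["config %s" % name]
    lines += ["    set %s %s" % (key, value) for key, value in settings]
    lines.append("end")
    return "\n".join(lines)


def pptp_problems(ip_mode="range", sip=None, eip=None, local_ip=None):
    """Check the combination of PPTP settings before rendering them."""
    problems = []
    if ip_mode not in ("range", "usrgrp"):
        problems.append("ip-mode must be range or usrgrp")
    elif ip_mode == "usrgrp" and not local_ip:
        # The FortiGate end of the tunnel must be given in usrgrp mode.
        problems.append("local-ip is required when ip-mode is usrgrp")
    if ip_mode == "range":
        if not (sip and eip):
            problems.append("sip and eip are required when ip-mode is range")
        else:
            problems += validate_range(sip, eip, require_same_24=True)
    return problems


def render_pptp(usrgrp, ip_mode="range", sip=None, eip=None, local_ip=None):
    """Render 'config vpn pptp' with status enabled, refusing bad input."""
    problems = pptp_problems(ip_mode, sip, eip, local_ip)
    if problems:
        raise ValueError("; ".join(problems))
    settings = [("status", "enable"), ("ip-mode", ip_mode)]
    if sip and eip:
        settings += [("sip", sip), ("eip", eip)]
    if local_ip:
        settings.append(("local-ip", local_ip))
    settings.append(("usrgrp", usrgrp))
    return _block("vpn pptp", settings)


def render_l2tp(usrgrp, sip, eip):
    """Render 'config vpn l2tp' as in the handbook's L2TP_users example."""
    problems = validate_range(sip, eip, require_same_24=False)
    if problems:
        raise ValueError("; ".join(problems))
    return _block("vpn l2tp", [("sip", sip), ("eip", eip),
                               ("status", "enable"), ("usrgrp", usrgrp)])


if __name__ == "__main__":
    print(render_l2tp("L2TP_users", "192.168.10.80", "192.168.10.100"))
    print(firewall_range_notation("192.168.10.80", "192.168.10.100"))
    # A PPTP range that crosses a /24 boundary is reported, not rendered.
    print(pptp_problems(sip="192.168.1.1", eip="192.168.2.254"))
```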

Defining firewall source and destination addresses


Before you define the firewall policy, you must define the source and destination
addresses of packets that are to be transported through the L2TP tunnel:
• For the source address, enter the range of addresses that you reserved for remote
L2TP clients (for example 192.168.10.[80-100]).
• For the destination address, enter the IP addresses of the computers that the L2TP
clients need to access on the private network behind the FortiGate unit (for example,
172.16.5.0/24 for a subnet, or 172.16.5.1 for a server or host, or
192.168.10.[10-15] for an IP address range).

To define the firewall source address


1 Go to Firewall > Address and select Create New.
2 In the Address Name field, type a name that represents the range of addresses that
you reserved for remote clients (for example, Ext_L2TPrange).
3 In Type, select Subnet / IP Range.
4 In the Subnet / IP Range field, type the corresponding IP address range.
5 In Interface, select the FortiGate interface that connects to the clients.
This is usually the interface that connects to the Internet.
6 Select OK.

To define the firewall destination address


1 Go to Firewall > Address and select Create New.
2 In the Address Name field, type a name that represents a range of IP addresses on the
network behind the FortiGate unit (for example, Int_L2TPaccess).
3 In Type, select Subnet / IP Range.
4 In the Subnet / IP Range field, type the corresponding IP address range.
5 In Interface, select the FortiGate interface that connects to the network behind the
FortiGate unit.
6 Select OK.

Adding the firewall policy


The firewall policy specifies the source and destination addresses that can generate traffic
inside the L2TP tunnel and defines the scope of services permitted through the tunnel. If a
selection of services are required, define a service group.


To define the traffic and services permitted inside the L2TP tunnel
1 Go to Firewall > Policy and select Create New.
2 Enter these settings in particular:
Source Interface/Zone: Select the FortiGate interface to the Internet.
Source Address: Select the name that corresponds to the range of addresses that you
reserved for L2TP clients (for example, Ext_L2TPrange).
Destination Interface/Zone: Select the FortiGate interface to the internal (private)
network.
Destination Address: Select the name that corresponds to the IP addresses behind the
FortiGate unit (for example, Int_L2TPaccess).
Service: Select ANY, or if selected services are required instead, select the service
group that you defined previously.
Action: Select ACCEPT.
3 You may enable NAT, a protection profile, and/or event logging, or select Enable
Identity Based Policy to add authentication or shape traffic. See the “Firewall Policy”
chapter of the FortiGate Administration Guide.
4 Select OK.

Configuring a Linux client


The following procedure outlines how to install L2TP client software and run an L2TP
tunnel on a Linux computer. Obtain an L2TP client package that meets your requirements
(for example, rp-l2tp). If traffic must be encrypted, obtain L2TP client software that
supports encryption using MPPE.
To establish an L2TP tunnel with a FortiGate unit that has been set up to accept L2TP
connections, you can obtain and install the client software following these general
guidelines:
1 If encryption is required but MPPE support is not already present in the kernel,
download and install an MPPE kernel module and reboot your computer.
2 Download and install the L2TP client package.
3 Configure an L2TP connection to run the L2TP program.
4 Configure routes to determine whether all or some of your network traffic will be sent
through the tunnel. You must define a route to the remote network over the L2TP link
and a host route to the FortiGate unit.
5 Run l2tpd to start the tunnel.
Follow the software supplier’s documentation to complete the steps.
To configure the system, you need to know the public IP address of the FortiGate unit, and
the user name and password that have been set up on the FortiGate unit to authenticate
L2TP clients. Contact the FortiGate administrator to obtain this information if required.

Monitoring L2TP sessions


You can display a list of all active sessions and view activity by port number. By default,
port 1701 is used for L2TP VPN-related communications.
If required, active sessions can be stopped from this view. For more information, see the
“System Status” chapter of the FortiGate Administration Guide.

To view the list of active sessions


1 Go to System > Status.


2 In the Top Sessions widget, select Details.

Testing L2TP VPN connections


To confirm that a VPN between a local network and a dialup client has been configured
correctly, at the dialup client, issue a ping command to test the connection to the local
network. The VPN tunnel initializes when the dialup client attempts to connect.

Logging L2TP VPN events


You can configure the FortiGate unit to log VPN events. For L2TP VPNs, connection
events and tunnel status (up/down) are logged.

To log VPN events


1 Go to Log&Report > Log Config > Log Setting.
2 Enable the storage of log messages to one or more locations:
3 Select Apply.

To filter VPN events


1 Go to Log&Report > Log Config > Event Log.
2 Select Enable, and then select L2TP/PPTP/PPPoE service event.
3 Select Apply.

To view event logs


1 Go to Log&Report > Log Access.
2 If the option is available from the Log Type list, select the log file from disk or memory.

Session helpers
The FortiOS firewall can analyze most TCP/IP protocol traffic by comparing packet
header information to firewall policies. This comparison determines whether to accept or
deny the packet and the session that the packet belongs to.
Some protocols include information in the packet body (or payload) that must be analyzed
to successfully process sessions for this protocol. For example, the SIP VoIP protocol
uses TCP control packets with a standard destination port to set up SIP calls. But the
packets that carry the actual conversation can use a variety of UDP protocols with a
variety of source and destination port numbers. The information about the protocols and
port numbers used for a SIP call is contained in the body of the SIP TCP control packets.
To successfully process SIP VoIP calls, FortiOS must be able to extract information from
the body of the SIP packet and use this information to allow the voice-carrying packets
through the firewall.
FortiOS uses session helpers to analyze the data in the packet bodies of some protocols
and adjust the firewall to allow those protocols to send packets through the firewall. This
section describes:
• Viewing the session helper configuration
• Changing the session helper configuration
• DCE-RPC session helper (dcerpc)
• DNS session helpers (dns-tcp and dns-udp)
• File transfer protocol (FTP) session helper (ftp)
• H.245 session helpers (h245I and h245O)
• H.323 and RAS session helpers (h323 and ras)
• Media Gateway Controller Protocol (MGCP) session helper (mgcp)
• ONC-RPC portmapper session helper (pmap)
• PPTP session helper for PPTP traffic (pptp)
• Remote shell session helper (rsh)
• Real-Time Streaming Protocol (RTSP) session helper (rtsp)
• Session Initiation Protocol (SIP) session helper (sip)
• Trivial File Transfer Protocol (TFTP) session helper (tftp)
• Oracle TNS listener session helper (tns)

Viewing the session helper configuration


You can view the session helpers enabled on your FortiGate unit from the CLI using the
following command. The output below shows the first two session helpers; the full list
typically contains around 20 entries.
show system session-helper
config system session-helper
edit 1
set name pptp
set port 1723
set protocol 6
next
edit 2
set name h323
set port 1720
set protocol 6
next
.
.
.
end
The configuration for each session helper includes the name of the session helper and the
port and protocol number on which the session helper listens for sessions. Session
helpers listen on protocol number 6 (TCP) or 17 (UDP). For a complete list of protocol
numbers see: Assigned Internet Protocol Numbers.
For example, the output above shows that FortiOS listens for PPTP packets on TCP port
1723 and H.323 packets on TCP port 1720.
If a session helper listens on more than one port or protocol, then more than one entry for
the session helper appears in the config system session-helper list. For example,
the pmap session helper appears twice because it listens on TCP port 111 and UDP port
111. The rsh session helper appears twice because it listens on TCP ports 514 and 512.

Changing the session helper configuration


Normally you will not need to change the configuration of the session helpers. However in
some cases you may need to do the following:

Changing the protocol or port that a session helper listens on


Most session helpers are configured to listen for their sessions on the port and protocol
that they typically use. If your FortiGate unit receives sessions that should be handled by a
session helper on a non-standard port or protocol you can use the following procedure to
change the port and protocol used by a session helper.

To change the port that the pmap session helper listens on to TCP port 112
The following example shows how to change the port that the pmap session helper listens
on for Sun RPC portmapper TCP sessions. By default pmap listens on TCP port 111.
1 Begin by confirming that the TCP pmap session helper entry is 11 in the session-helper
list:
show system session-helper 11
config system session-helper
edit 11
set name pmap
set port 111
set protocol 6
next
end
2 Enter the following command to change the TCP port to 112.
config system session-helper
edit 11
set port 112
next
end
3 The pmap session helper also listens on UDP port 111. Confirm that the UDP pmap
session helper entry is 12 in the session-helper list:
show system session-helper 12
config system session-helper
edit 12
set name pmap
set port 111
set protocol 17
next
end
4 Enter the following command to change the UDP port to 112.
config system session-helper
edit 12
set port 112
next
end

To change the protocol that the h323 session helper listens on


Use the following command to set the h323 session helper to listen for sessions on the
UDP protocol:
1 Confirm that the h323 session helper entry is 2 in the session-helper list:
show system session-helper 2
config system session-helper
edit 2
set name h323
set port 1720
set protocol 6
next
end
2 Enter the following command to change the protocol to UDP.
config system session-helper
edit 2
set protocol 17
next
end

To configure a session helper to listen on a new port and protocol


If a session helper listens on more than one port or protocol, then multiple entries for the
session helper must be added to the session helper list, one for each port and protocol
combination. For example, the rtsp session helper listens on TCP ports 554, 7070, and
8554 so there are three rtsp entries in the session-helper list. If your FortiGate unit
receives rtsp packets on a different TCP port (for example, 6677) you can use the
following command to configure the rtsp session helper to listen on TCP port 6677.
config system session-helper
edit 0
set name rtsp
set port 6677
set protocol 6
end


Disabling a session helper


In some cases you may need to disable a session helper. Disabling a session helper just
means removing it from the session-helper list so that the session helper is not listening
on a port. You can completely disable a session helper by deleting all of its entries from
the session helper list. If there are multiple entries for a session helper on the list you can
delete one of the entries to prevent the session helper from listening on that port.

To disable the mgcp session helper from listening on UDP port 2427
1 Enter the following command to find the mgcp session helper entry that listens on UDP
port 2427:
show system session-helper
.
.
.
edit 19
set name mgcp
set port 2427
set protocol 17
next
.
.
.
2 Enter the following command to delete session-helper list entry number 19 to disable
the mgcp session helper from listening on UDP port 2427:
config system session-helper
delete 19
end

To completely disable the mgcp session helper


By default the mgcp session helper listens on UDP ports 2427 and 2727. The previous
procedure shows how to disable the mgcp protocol from listening on port 2427. The
following procedure completely disables the mgcp session helper by also disabling it from
listening on UDP port 2727.
1 Enter the following command to find the mgcp session helper entry that listens on UDP
port 2727:
show system session-helper
.
.
.
edit 20
set name mgcp
set port 2727
set protocol 17
next
.
.
.
2 Enter the following command to delete session-helper list entry number 20 to disable
the mgcp session helper from listening on UDP port 2727:
config system session-helper
delete 20
end
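To check the outcome of the viewing, changing and disabling procedures above without reading the listing by eye, the following Python script (an added example, not Fortinet code) parses show system session-helper output and compares each helper's listeners with the defaults this chapter states. The listing it parses is constructed: entry numbers follow the page, the pmap UDP entry has been moved to port 112 and the mgcp UDP 2727 entry deleted, as in the procedures above.

```python
"""Parse 'show system session-helper' output and audit it against the
defaults this chapter states.  Added example, not Fortinet code.  The
SAMPLE_OUTPUT listing is constructed: entry numbers follow the page
(1 pptp, 2 h323, 11/12 pmap, 19 mgcp) and show a unit on which the pmap
UDP entry was moved to port 112 and the mgcp UDP 2727 entry deleted."""
import re
from collections import defaultdict

PROTO_NAMES = {6: "tcp", 17: "udp"}

SAMPLE_OUTPUT = """\
config system session-helper
    edit 1
        set name pptp
        set port 1723
        set protocol 6
    next
    edit 2
        set name h323
        set port 1720
        set protocol 6
    next
    edit 11
        set name pmap
        set port 111
        set protocol 6
    next
    edit 12
        set name pmap
        set port 112
        set protocol 17
    next
    edit 19
        set name mgcp
        set port 2427
        set protocol 17
    next
end
"""

# Default listeners stated in this chapter: helper name -> {(port, protocol)}.
PAGE_DEFAULTS = {
    "pptp": {(1723, 6)},
    "h323": {(1720, 6)},
    "pmap": {(111, 6), (111, 17)},
    "mgcp": {(2427, 17), (2727, 17)},
    "tftp": {(69, 17)},
}


def parse_session_helpers(text):
    """Return one {'id', 'name', 'port', 'protocol'} dict per edit ... next block."""
    entries, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = re.fullmatch(r"edit (\d+)", line)
        if m:
            current = {"id": int(m.group(1))}
            continue
        m = re.fullmatch(r"set (name|port|protocol) (\S+)", line)
        if m and current is not None:
            key, value = m.groups()
            current[key] = value if key == "name" else int(value)
            continue
        if line == "next" and current is not None:
            entries.append(current)
            current = None
    return entries


def listeners_by_name(entries):
    """Map helper name -> set of (port, protocol) it currently listens on."""
    result = defaultdict(set)
    for entry in entries:
        result[entry["name"]].add((entry["port"], entry["protocol"]))
    return dict(result)


def audit(entries, defaults=PAGE_DEFAULTS):
    """Compare the live listing with the defaults: helpers gone entirely,
    listeners added on non-standard ports, default listeners removed."""
    actual = listeners_by_name(entries)
    report = {"missing": [], "extra": [], "removed": []}
    for name, expected in defaults.items():
        have = actual.get(name, set())
        if not have:
            report["missing"].append(name)
            continue
        for port, proto in sorted(have - expected):
            report["extra"].append(f"{name} {PROTO_NAMES.get(proto, proto)}/{port}")
        for port, proto in sorted(expected - have):
            report["removed"].append(f"{name} {PROTO_NAMES.get(proto, proto)}/{port}")
    return report


if __name__ == "__main__":
    parsed = parse_session_helpers(SAMPLE_OUTPUT)
    for helper, listeners in sorted(listeners_by_name(parsed).items()):
        print(f"{helper:6} {sorted(listeners)}")
    print(audit(parsed))
```

On a real unit, paste the output of show system session-helper into SAMPLE_OUTPUT (or read it from a file) to compare the running configuration against the defaults.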


DCE-RPC session helper (dcerpc)


Distributed Computing Environment Remote Procedure Call (DCE-RPC) provides a way
for a program running on one host to call procedures in a program running on another
host. DCE-RPC (also called MS RPC for Microsoft RPC) is similar to ONC-RPC. Because
of the large number of RPC services, the transport address of an RPC service is
dynamically negotiated based on the service program's universal unique identifier (UUID).
The Endpoint Mapper (EPM) binding protocol in FortiOS maps the specific UUID to a
transport address.
To accept DCE-RPC sessions you must add a firewall policy with service set to any or to
the DCE-RPC pre-defined service (which listens on TCP and UDP port 135). The dcerpc
session helper also listens on TCP and UDP port 135.
The session helper allows FortiOS to handle DCE-RPC dynamic transport address negotiation
and to ensure UUID-based firewall policy enforcement. You can define a firewall policy to
permit all RPC requests or to permit by specific UUID number.
In addition, because a TCP segment in a DCE-RPC stream might be fragmented, it might
not include an intact RPC PDU. This fragmentation occurs in the RPC layer, so FortiOS
does not support parsing fragmented packets.

DNS session helpers (dns-tcp and dns-udp)


FortiOS includes two DNS session helpers, dns-tcp, a session helper for DNS over TCP,
and dns-udp, a session helper for DNS over UDP. The DNS session helpers monitor DNS
query and reply packets and close sessions if the DNS flag indicates the packet is a reply
message.
To accept DNS sessions you must add a firewall policy with service set to any or to the
DNS pre-defined service (which listens on TCP and UDP port 53). The dns-udp session
helper also listens on UDP port 53. By default the dns-tcp session helper is disabled. If
needed you can use the following command to enable the dns-tcp session helper to listen
for DNS sessions on TCP port 53:
config system session-helper
edit 0
set name dns-tcp
set port 53
set protocol 6
end

File transfer protocol (FTP) session helper (ftp)


The FTP session helper monitors PORT, PASV and 227 commands and NATs the IP
addresses and port numbers in the body of the FTP packets and opens ports on the
FortiGate unit as required.
To accept FTP sessions you must add a firewall policy with service set to any or to the
FTP, FTP_Put, and FTP_GET pre-defined services (which all listen on TCP port 21).


H.245 session helpers (h245I and h245O)


H.245 is a control channel protocol used for H.323 and other similar communication
sessions. H.245 sessions transmit non-telephone signals. H.245 sessions carry
information needed for multimedia communication, such as encryption, flow control, jitter
management and others.
FortiOS includes two H.245 session helpers: h245I for H.245 call-in sessions and h245O
for H.245 call-out sessions. There is no standard port for H.245. By default the
H.245 session helpers are disabled. You can enable them as you would any other
session helper. When you enable them, you should specify the port and protocol on which
the FortiGate unit receives H.245 sessions.

H.323 and RAS session helpers (h323 and ras)


The H.323 session helper supports secure H.323 voice over IP (VoIP) sessions between
terminal endpoints such as IP phones and multimedia devices. In H.323 VoIP networks,
gatekeeper devices manage call registration, admission, and call status for VoIP calls. The
FortiOS h323 session helper supports gatekeepers installed on two different networks or
on the same network.
To accept H.323 sessions you must add a firewall policy with service set to any or to the
H323 pre-defined service (which listens on TCP port numbers 1720 and 1503 and on UDP
port number 1719). The h323 session helper listens on TCP port 1720.
The ras session helper is used with the h323 session helper for H.323 Registration,
Admission, and Status (RAS) services. The ras session helper listens on UDP port 1719.

Alternate H.323 gatekeepers


The h323 session helper supports using H.323 alternate gatekeepers. All the H.323 end
points must register with a gatekeeper through the Registration, Admission, and Status
(RAS) protocol before they make calls. During the registration process, the primary
gatekeeper sends Gatekeeper Confirm (GCF) and Registration Confirm (RCF) messages
to the H.323 end points that contain the list of available alternate gatekeepers.
The alternate gatekeeper provides redundancy and scalability for the H.323 end points. If
the primary gatekeeper fails the H.323 end points that have registered with that
gatekeeper are automatically registered with the alternate gatekeeper. To use the H.323
alternate gatekeeper, you need to configure firewall policies that allow H.323 end points to
reach the alternate gatekeeper.

Media Gateway Controller Protocol (MGCP) session helper (mgcp)


The Media Gateway Control Protocol (MGCP) is a text-based application layer protocol
used for VoIP call setup and control. MGCP uses a master-slave call control architecture
in which the media gateway controller uses a call agent to maintain call control
intelligence, while the media gateways perform the instructions of the call agent.
To accept MGCP sessions you must add a firewall policy with service set to any or to the
MGCP pre-defined service (which listens on UDP port numbers 2427 and 2727). The
mgcp session helper also listens on UDP port numbers 2427 and 2727.
The MGCP session helper does the following:
• VoIP signalling payload inspection. The payload of the incoming VoIP signalling packet
is inspected and malformed packets are blocked.
• Signaling packet body inspection. The payload of the incoming MGCP signaling packet
is inspected according to RFC 3435. Malformed packets are blocked.
• Stateful processing of MGCP sessions. State machines are invoked to process the
parsed information. Any out-of-state or out-of-transaction packet is identified and
properly handled.
• MGCP Network Address Translation (NAT). Embedded IP addresses and ports in
packet bodies are translated based on current routing information and network
topology, and are replaced with the translated IP address and port number, if necessary.
• Manages pinholes for VoIP traffic. To keep the VoIP network secure, the IP address
and port information used for media or signalling is identified by the session helper,
and pinholes are dynamically created and closed during call setup.

ONC-RPC portmapper session helper (pmap)


Open Network Computing Remote Procedure Call (ONC-RPC) is a widely deployed
remote procedure call system. Also called Sun RPC, ONC-RPC allows a program running
on one host to call a program running on another. The transport address of an ONC-RPC
service is dynamically negotiated based on the service's program number and version
number. Several binding protocols are defined for mapping the RPC program number and
version number to a transport address.
To accept ONC-RPC sessions you must add a firewall policy with service set to any or to
the ONC-RPC pre-defined service (which listens on TCP and UDP port number 111). The
RPC portmapper session helper (called pmap) handles the dynamic transport address
negotiation mechanisms of ONC-RPC.

PPTP session helper for PPTP traffic (pptp)


The PPTP session helper supports port address translation (PAT) for PPTP traffic. PPTP
provides IP security at the Network Layer. PPTP consists of a control session and a data
tunnel. The control session runs over TCP and helps in establishing and disconnecting the
data tunnel. The data tunnel handles encapsulated Point-to-Point Protocol (PPP) packets
carried over IP.
To accept PPTP sessions that pass through the FortiGate unit you must add a firewall
policy with service set to any or to the PPTP pre-defined service (which listens on IP port
47 and TCP port 1723). The pptp session helper listens on TCP port 1723.
PPTP uses TCP port 1723 for control sessions and Generic Routing Encapsulation (GRE)
(IP protocol 47) for tunneling the encapsulated PPP data. The GRE traffic carries no port
number, making it difficult to distinguish between two clients with the same public IP
address. PPTP uses the source IP address and the Call ID field in the GRE header to
identify a tunnel. When multiple clients sharing the same IP address establish tunnels with
the same PPTP server, they may get the same Call ID. The call ID value can be translated
in both the control message and the data traffic, but only when the client is in a private
network and the server is in a public network.
PPTP clients can either directly connect to the Internet or dial into a network access server
to reach the Internet. A FortiGate unit that protects PPTP clients can translate the clients’
private IP addresses to a pool of public IP addresses using NAT port translation (NAT-PT).
Because the GRE traffic carries no port number for address translation, the pptp session
helper treats the Call ID field as a port number as a way of distinguishing multiple clients.


After the PPTP client establishes a TCP connection with the PPTP server, the client sends a
start control connection request message to establish a control connection. The server
replies with a start control connection reply message. The client then sends a request to
establish a call and sends an outgoing call request message. FortiOS assigns a Call ID
(bytes 12-13 of the control message) that is unique to each PPTP tunnel. The server
replies with an outgoing call reply message that carries its own Call ID in bytes 12-13 and
the client’s call ID in bytes 14-15. The pptp session helper parses the control connection
messages for the Call ID to identify the call to which a specific PPP packet belongs. The
session helper also identifies an outgoing call request message using the control
message type field (bytes 8-9) with the value 7. When the session helper receives this
message, it parses the control message for the call ID field (bytes 12-13). FortiOS
translates the call ID so that it is unique across multiple calls from the same translated
client IP. After receiving the outgoing call response message, the session helper holds this
message and opens a port that accepts GRE traffic that the PPTP server sends. An
outgoing call request message contains the following parts:
• The protocol used for the outgoing call request message (usually GRE)
• Source IP address (PPTP server IP)
• Destination IP address (translated client IP)
• Destination port number (translated client call ID)
The session helper identifies an outgoing call reply message using the control message
type field (bytes 8-9) with the value 8. The session helper parses these control messages
for the call ID field (bytes 12-13) and the client’s call ID (bytes 14-15). The session helper
then uses the client’s call ID value to find the mapping created for the other direction, and
then opens a pinhole to accept the GRE traffic that the client sends. An outgoing call reply
message contains the following parts:
• Protocol used for the outgoing call reply message (usually GRE)
• Source IP address (PPTP client IP)
• Destination IP address (PPTP server IP)
• Destination port number (PPTP server Call ID)
Each port that the session helper opens creates a session for data traffic arriving in that
direction. The session helper opens the following two data sessions for each tunnel:
• Traffic from the PPTP client to the server, using the server’s call ID as the destination
port
• Traffic from the PPTP server to the client, using the client’s translated call ID as the
destination port
The default timeout value of the control connection is 30 minutes. The session helper
closes the pinhole when the data session exceeds the timeout value or is idle for an
extended period.
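The Call ID handling just described, as an added Python example (not Fortinet code): it builds constructed outgoing call request and reply messages using the byte offsets given above, translates colliding client Call IDs behind one shared public address, and records the two GRE pinholes opened for each tunnel. The IP addresses and the translated Call ID allocation scheme are assumptions made for the example.

```python
"""Follow the pptp session helper's Call ID handling on constructed
messages.  Added example, not Fortinet code: message layout uses the byte
offsets given in the text (control message type at 8-9, Call ID at 12-13,
peer Call ID at 14-15); addresses are constructed and the translated Call
ID allocation is a placeholder scheme, not FortiOS's."""
import struct

OUTGOING_CALL_REQUEST = 7    # control message type values from the text
OUTGOING_CALL_REPLY = 8
PPTP_MAGIC_COOKIE = 0x1A2B3C4D


def build_control_message(msg_type, call_id, peer_call_id=0):
    """Constructed 16-byte PPTP control message: length, PPTP message type
    (1 = control), magic cookie, control message type, reserved, Call ID,
    peer Call ID.  Real messages carry more fields after these; the helper
    does not need them for Call ID tracking."""
    return struct.pack("!HHIHHHH", 16, 1, PPTP_MAGIC_COOKIE,
                       msg_type, 0, call_id, peer_call_id)


def control_message_type(msg):
    """Control message type from bytes 8-9."""
    return struct.unpack_from("!H", msg, 8)[0]


def call_id_fields(msg):
    """(Call ID, peer Call ID) from bytes 12-13 and 14-15."""
    return struct.unpack_from("!HH", msg, 12)


class PptpCallIdTracker:
    """State a NAT device keeps per translated (public) address: which
    private client owns which translated Call ID, plus the GRE pinholes
    opened in each direction.  One tracker serves every client sharing
    the same translated address, which is where Call IDs can collide."""

    def __init__(self, translated_ip, server_ip):
        self.translated_ip = translated_ip
        self.server_ip = server_ip
        self.forward = {}   # (client_ip, client Call ID) -> translated Call ID
        self.reverse = {}   # translated Call ID -> (client_ip, client Call ID)
        self.pinholes = []  # (proto, src_ip, dst_ip, dst_port) accepted

    def _allocate(self, wanted):
        """Keep the client's own Call ID when free, else the next free value."""
        cid = wanted
        while cid in self.reverse:
            cid = cid % 0xFFFF + 1          # wraps within 1..65535
        return cid

    def from_client(self, client_ip, msg):
        """Outgoing Call Request (type 7): make the Call ID unique behind the
        shared address, open the pinhole for GRE the server will send to the
        translated client, and return the rewritten message."""
        if control_message_type(msg) != OUTGOING_CALL_REQUEST:
            return msg
        client_cid, _ = call_id_fields(msg)
        translated = self._allocate(client_cid)
        self.forward[(client_ip, client_cid)] = translated
        self.reverse[translated] = (client_ip, client_cid)
        self.pinholes.append(("gre", self.server_ip, self.translated_ip, translated))
        return msg[:12] + struct.pack("!H", translated) + msg[14:]

    def from_server(self, msg):
        """Outgoing Call Reply (type 8): find the mapping via the peer Call ID,
        open the pinhole for GRE the client sends (server Call ID as the
        destination 'port'), and restore the client's original Call ID.
        Returns (owning client IP, rewritten message); other message types
        are passed through with owner None."""
        if control_message_type(msg) != OUTGOING_CALL_REPLY:
            return None, msg
        server_cid, peer_cid = call_id_fields(msg)
        if peer_cid not in self.reverse:
            raise KeyError(f"reply for unknown translated Call ID {peer_cid}")
        client_ip, client_cid = self.reverse[peer_cid]
        self.pinholes.append(("gre", client_ip, self.server_ip, server_cid))
        return client_ip, msg[:14] + struct.pack("!H", client_cid) + msg[16:]


def demo():
    """Two clients behind constructed address 203.0.113.10 both pick Call ID 1."""
    tracker = PptpCallIdTracker("203.0.113.10", "198.51.100.20")
    req_a = tracker.from_client("10.0.0.5", build_control_message(OUTGOING_CALL_REQUEST, 1))
    req_b = tracker.from_client("10.0.0.6", build_control_message(OUTGOING_CALL_REQUEST, 1))
    # The server answers the second call with its own Call ID 4000 and echoes
    # the translated peer Call ID 2 that it saw on the wire.
    owner, reply_b = tracker.from_server(build_control_message(OUTGOING_CALL_REPLY, 4000, 2))
    return tracker, req_a, req_b, owner, reply_b


if __name__ == "__main__":
    tracker, req_a, req_b, owner, reply_b = demo()
    print("client A Call ID on the wire:", call_id_fields(req_a)[0])
    print("client B Call ID on the wire:", call_id_fields(req_b)[0])
    print("reply delivered to", owner, "with Call IDs", call_id_fields(reply_b))
    for pinhole in tracker.pinholes:
        print("pinhole", pinhole)
```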

Remote shell session helper (rsh)


Using the remote shell program (RSH), authenticated users can run shell commands on
remote hosts. RSH sessions most often use TCP port 514. To accept RSH sessions you
must add a firewall policy with service set to any or to the RSH pre-defined service (which
listens on TCP port number 514).


FortiOS automatically invokes the rsh session helper to process all RSH sessions on TCP
port 514. The rsh session helper opens the ports required for the RSH service to operate
through a FortiGate unit running in NAT/Route or Transparent mode and supports port
translation of RSH traffic.

Real-Time Streaming Protocol (RTSP) session helper (rtsp)


The Real-Time Streaming Protocol (RTSP) is an application layer protocol often used by
SIP to control the delivery of multiple synchronized multimedia streams, for example,
related audio and video streams. Although RTSP is capable of delivering the data streams
itself it is usually used like a network remote control for multimedia servers. The protocol is
intended for selecting delivery channels (like UDP, multicast UDP, and TCP) and for
selecting a delivery mechanism based on the Real-Time Protocol (RTP). RTSP may also
use the SIP Session Description Protocol (SDP) as a means of providing information to
clients for aggregate control of a presentation consisting of streams from one or more
servers, and non-aggregate control of a presentation consisting of multiple streams from a
single server.
To accept RTSP sessions you must add a firewall policy with service set to any or to the
RTSP pre-defined service (which listens on TCP ports 554, 7070, and 8554 and on UDP
port 554). The rtsp session helper listens on TCP ports 554, 7070, and 8554.
The rtsp session helper is required because RTSP uses dynamically assigned port numbers
that are communicated in the packet body when end points establish a control connection.
The session helper keeps track of the port numbers and opens pinholes as required. In
Network Address Translation (NAT) mode, the session helper translates IP addresses and
port numbers as necessary.
In a typical RTSP session the client starts the session (for example, when the user selects
the Play button on a media player application) and establishes a TCP connection to the
RTSP server on port 554. The client then sends an OPTIONS message to find out what
audio and video features the server supports. The server responds to the OPTIONS
message by specifying the name and version of the server, and a session identifier, for
example, 24256-1.
The client then sends the DESCRIBE message with the URL of the actual media file the
client wants to play. The server responds to the DESCRIBE message with a description of
the media in the form of SDP code. The client then sends the SETUP message, which
specifies the transport mechanisms acceptable to the client for streamed media, for
example RTP/RTCP or RDT, and the ports on which it receives the media.
In a NAT configuration the rtsp session helper keeps track of these ports and addresses and
translates them as necessary. The server responds to the SETUP message and selects
one of the transport protocols. When both client and server agree on a mechanism for
media transport the client sends the PLAY message, and the server begins streaming the
media.

Session Initiation Protocol (SIP) session helper (sip)


The sip session helper is described in VoIP Solutions: SIP.


Trivial File Transfer Protocol (TFTP) session helper (tftp)


To accept TFTP sessions you must add a firewall policy with service set to any or to the
TFTP pre-defined service (which listens on UDP port number 69). The tftp session
helper also listens on UDP port number 69.
TFTP initiates transfers on UDP port 69, but the actual data transfer ports are selected by
the server and client during initialization of the connection. The tftp session helper reads
the transfer ports selected by the TFTP client and server during negotiation and opens
these ports on the firewall so that the TFTP data transfer can be completed. When the
transfer is complete the tftp session helper closes the open ports.

Oracle TNS listener session helper (tns)


The Oracle Transparent Network Substrate (TNS) listener listens on TCP port 1521
for network requests to be passed to a database instance. The Oracle TNS listener
session helper (tns) listens for TNS sessions on TCP port 1521. TNS is a foundation
technology built into the Oracle Net foundation layer and used by SQLNET.

Index
Numerics diagnostics
tracert, 63
802.1Q, 45, 49, 52 disabling, 120
Distributed Computing Environment Remote Procedure Call
A (DCE-RPC), 121
adding, configuring or defining DNS, 121
policy route, 39 dns-tcp
Address, 74 session helper, 121
Address Name dns-udp
firewall address, 109 session helper, 121
Address Resolution Protocol (ARP), 74 document conventions
administrative distance, 27, 28 CLI syntax, 15
anti-spoofing, 27 documentation, 17
commenting on, 18
AntiVirus, 89
conventions, 11
Application-Control, 89 Fortinet, 17
asymmetric routing, 77 duplicate MAC, 74
authenticating
L2TP clients, 113
PPTP clients, 106
E
authentication server, external ECMP, 27
for L2TP, 113 eip
for PPTP, 105 vpn pptp, 108
Endpoint Mapper (EPM), 121
B Equal Cost Multipath (ECMP), 27
bandwidth cost, 80 example
VLAN NAT/route, 56
BGP, IPv6, 88
BGP4+, 88
blackhole route, 27
F
border gateway protocol (BGP). See routing, BGP FAQ, 18
broadcast domains, 45 FC 2071, 80
broadcast storm, 74 File transfer protocol (FTP), 121
firewall
C stateless, 73
firewall address, 59
certification, 17 address name, 109
CHAP, 104 IP range/subnet, 109
Cisco subnet, 109
router configuration, 57, 72 VLAN example, 59
switch configuration, 57, 62, 71 firewall IP addresses
Classless Inter-Domain Routing (CIDR), 80, 82 defining L2TP, 114
CLI syntax conventions, 15 firewall policy
comments, documentation, 18 defining L2TP, 114
conventions, 11 defining PPTP, 108
customer service, 18 VLAN, 55
VLAN example, 60
D VLAN Transparent, 65, 69
FortiGate documentation
Data-Leak-Prevention, 89 commenting on, 18
DCE-RPC, 121 FortiGuard
dcerps Antivirus, 17
session helper, 121 services, 17
default route, 55 Fortinet
VLAN, 55 Knowledge Center, 18

FortiOS™ Handbook 4.0 MR2 Advanced System Settings


01-420-127357-2010629 127
http://docs.fortinet.com/ • Feedback
Index

    Technical Documentation, 17
    Technical Documentation, conventions, 11
    Technical Support, 18
    Technical Support, registering with, 17
    Technical Support, web site, 17
    Training Services, 17
Fortinet customer service, 18
Fortinet documentation, 17
Fortinet Knowledge Center, 18

G
Generic Routing Encapsulation (GRE), 104
glossary, 18

H
H.245, 122
H.323, 118
h245I
    session helper, 122
H323, 122
h323
    session helper, 122
HA
    router monitor, 21
    routes, 21
how-to, 18
HTTP, 55
HTTPS, 55

I
ID tag, 46, 49
IEEE 1394 (FireWire), 81
IEEE 802.1Q, 45, 49
interface
    802.1Q trunk, 52, 62
    external, VLAN NAT/Route example, 57
    loopback, 27
    maximum number, 46, 77
    VLAN subinterface, 52, 56, 58, 62
Internet Control Message Protocol (ICMP), 29, 85
Internet Engineering Task Force (IETF), 79, 100
introduction
    Fortinet documentation, 17
IP address
    private network, 11
IP address, overlapping, 53
IP port 47, 123
IP range/subnet
    firewall address, 109
IPv6
    dual stack, 92
    dynamic routing, 88
    firewall policies, 88
    interfaces, 86
    Neighbor Discovery (ND), 84
    static routing, 87
    troubleshooting, 95
    tunnel provider example, 92
    tunneling, 92
IPv6 IPsec configurations
    certificates, 90
    configuration, 91
    firewall policies, 91
    phase 1, 91
    phase 2, 91
    routing, 91
IPX, layer-2 forwarding, 73, 77

K
Knowledge Center, 18

L
L2TP, 73, 77
L2TP VPN
    authentication method, 113
    configuration steps, 113
    enabling, 113
    firewall IP addresses, defining, 114
    firewall policy, defining, 114
    infrastructure requirements, 113
    network configuration, 112
    restrictions, 112
    VIP address range, 113
layer-2, 46, 47, 49, 51
    example, 47
    forwarding, 73
    frames, 46
layer-3, 49
    packets, 46
LDAP server, external
    for L2TP, 113
    for PPTP, 105
loopback interface, 27

M
MAC address, 75
Martian addresses, 27
Maximum Transmission Unit (MTU), 80, 87
memory, 78
MGCP, 122
    session helper, 122
Microsoft Point-to-Point Encryption (MPPE), 104
Microsoft Windows, 76
MS RPC, 121
multicast. See routing, multicast
Multipath routing, 27

N
NAT port translation (NAT-PT), 123
NAT/Route
    VLAN example, 56, 58
NetBIOS, for Windows networks, 76
Network Address Translation (NAT), 80
network instability, 74
network topology
    L2TP VPN, 112
    PPTP VPN, 105
not-so-stubby area (NSSA), 22

O
ONC-RPC, 121, 123
open shortest path first (OSPF). See routing, OSPF
Open Systems Interconnect (OSI), 47
OSI Networking Model, 29
ospf
    e1, 22
    e2, 22
    NSSA, 22
OSPF, IPv6, 88
OSPFv3, 88

P
packets
    layer-3 routing, 49
    VLAN-tagged, 53
PAP, 104
PING, 55
pmap
    session helper, 123
Point-to-Point (PPP), 103
Point-to-Point Tunneling Protocol (PPTP), 103
policy route
    moving in list, 41
port
    session helper, 118
PPTP, 73, 77, 123
    VPN, 103
pptp
    session helper, 123
PPTP server
    external, 109
PPTP VPN
    authentication method, 106
    configuration steps, 106
    configuring pass through, 106, 109
    enabling, 107
    firewall policy, defining, 108
    FortiGate implementation, 103
    infrastructure requirements, 105
    network configuration, 105
    VIP address range, 107
PPTP, layer-2 forwarding, 73
product registration, 17
protocol
    session helper, 118

Q
quality of service (QoS), 79

R
RADIUS server, external
    for L2TP, 113
    for PPTP, 105
RAS, 122
ras
    session helper, 122
Redirect message, 85
redistributed routes
    ospf e1/e2, 22
registering
    with Fortinet Technical Support, 17
Registration, Admission, and Status (RAS), 122
remote client
    L2TP VPN, 115
remote shell, 124
reverse path lookup, 27
RFC
    1349, 41
    1918, 11
    2080, 88
    2185, 92
    2545, 88
    2640, 80
    2740, 88
    2858, 88
    2893, 92
    5237, 40
    791, 41
    IPv6 list, 100
RIP next generation (RIPng), 88
RIP, IPv6, 88
router monitor
    HA, 21
Router Solicitation message, 85
routing
    administrative distance, 28
    asymmetric, 77
    BGP, 55
    blackhole, 27
    ECMP, 27
    loopback interface, 27
    multicast, 55
    OSPF, 55
    RIP, 55
    routing table, searching, 24
    STP, 77
    viewing information, 21
routing information protocol (RIP). See routing, RIP
routing policy
    protocol number, 40
routing, default, 55
rsh
    session helper, 124
RTSP, 125
rtsp
    session helper, 125

S
session helper, 117, 120, 121, 122, 123, 124, 125, 126
    changing the configuration, 118
    dcerpc, 121
    DNS, 121
    H.245, 122
    h245O, 122
    h323, 122
    mgcp, 122
    pmap, 123
    port, 118
    pptp, 123
    protocol, 118

    ras, 122
    rsh, 124
    rtsp, 125
    sip, 125
    tftp, 126
    tns, 126
    viewing, 117
session-helper, 117
Simple Internet Transition (SIT), 89
SIP, 125
sip
    session helper, 125
    vpn pptp, 108
Spanning Tree Protocol (STP), 74, 77
Spill-over, 36
SQLNET
    session helper, 126
SSH, 55
stateless firewall, 73
static route
    adding policy, 39
    administrative distance, 27
    moving in list, 41
    policy list, 39
    table priority, 34
    table sequence, 34
status
    vpn pptp, 108
STP, forwarding, 77
subinterface
    VLAN NAT/Route, 52
subnet
    firewall address, 109
system
    session-helper, 117

T
TCP
    port 111, 118
    port 135, 121
    port 1720, 118
    port 1723, 118, 123
    port 21, 121
    port 512, 118
    port 514, 118
technical
    documentation, 17
    documentation conventions, 11
    notes, 18
    support, 18
technical support, 18
TELNET, 55
testing
    VDOM Transparent, 72
    VLAN, 63
TFTP, 126
tftp
    session helper, 126
TNS, 126
tns
    session helper, 126
tracert, 63
Training Services, 17
Transparent
    firewall policy, 65, 69
    VDOM example, 68, 71, 72
    VLAN example, 66
Transparent mode, 44, 63
    VLAN subinterface, 64
troubleshooting
    firewall session list, 32
    routing table, 32
trunk interface, 52, 62
trunk links, 47
tunnel provider, IPv6, 92
tunneling, IPv6, 92
Type of service (TOS), 40

U
UDP
    port 111, 118
    port 135, 121
    port 1719, 122
    port 2427, 122
    port 2727, 122
unicast reverse path forwarding (uRPF), 20
Unified Threat Management (UTM), 78
universal unique identifier (UUID), 121
URL-Filtering, 89
usage-based ECMP, 36
usrgrp
    vpn pptp, 108

V
VDOM
    limited resources, 78
    maximum interfaces, 46, 77
    Transparent mode, 44, 63
VIP address
    L2TP clients, 113
    PPTP clients, 107
virtual private network (VPN), 103
VLAN
    application, 46
    firewall policy, 55
    maximum number, 46, 77
    subinterface, 52, 56, 58, 62
    tagged packets, 53
    Transparent mode, 44, 63
VLAN ID, 49
    range, 46
    tag, 46
VLAN subinterface
    Transparent mode, 64
    VDOM Transparent example, 68
    VLAN NAT/Route example, 58
VoIP, 122
VPN
    general steps for configuring L2TP, 113
    general steps for configuring PPTP, 106
    PPTP, 103

W
WINS, 76
Windows networks
    enabling NetBIOS, 76
