
Administration Guide

FortiOS 7.2.1
FORTINET DOCUMENT LIBRARY
https://docs.fortinet.com

FORTINET VIDEO GUIDE
https://video.fortinet.com

FORTINET BLOG
https://blog.fortinet.com

CUSTOMER SERVICE & SUPPORT
https://support.fortinet.com

FORTINET TRAINING & CERTIFICATION PROGRAM
https://www.fortinet.com/training-certification

NSE INSTITUTE
https://training.fortinet.com

FORTIGUARD CENTER
https://www.fortiguard.com

END USER LICENSE AGREEMENT
https://www.fortinet.com/doc/legal/EULA.pdf

FEEDBACK
Email: [email protected]

August 26, 2022


FortiOS 7.2.1 Administration Guide
01-721-791905-20220826
TABLE OF CONTENTS

Change Log 20
Getting started 21
Differences between models 21
Low encryption models 21
Using the GUI 21
Connecting using a web browser 22
Menus 22
Tables 23
Entering values 25
GUI-based global search 27
Loading artifacts from a CDN 28
Using the CLI 28
Connecting to the CLI 28
CLI basics 31
Command syntax 37
Subcommands 40
Permissions 42
FortiExplorer management 42
Getting started with FortiExplorer 43
Connecting FortiExplorer to a FortiGate with WiFi 46
Configure FortiGate with FortiExplorer using BLE 47
Running a security rating 50
Upgrading to FortiExplorer Pro 51
Basic administration 51
Basic configuration 52
Registration 54
FortiCare and FortiGate Cloud login 59
Transfer a device to another FortiCloud account 61
Configuration backups 64
Deregistering a FortiGate 73
LEDs 75
Alarm levels 79
Troubleshooting your installation 79
Dashboards and Monitors 82
Using dashboards 82
Using widgets 83
Widgets 85
Viewing device dashboards in the Security Fabric 87
Creating a fabric system and license dashboard 88
Example 88
Dashboards 89
Resetting the default dashboard template 90
Status dashboard 90
Security dashboard 92

FortiOS 7.2.1 Administration Guide 3


Fortinet Inc.
Network dashboard 94
Users & Devices 102
WiFi dashboard 106
Monitors 112
Non-FortiView monitors 112
FortiView monitors 112
FortiView monitors and widgets 113
Adding FortiView monitors 114
Using the FortiView interface 117
Enabling FortiView from devices 120
FortiView sources 122
FortiView Sessions 123
FortiView Top Source and Top Destination Firewall Objects monitors 125
Viewing top websites and sources by category 127
Cloud application view 130
Network 141
Interfaces 141
Interface settings 143
Physical interface 168
VLAN 169
Aggregation and redundancy 185
Loopback interface 189
Software switch 189
Hardware switch 191
Zone 195
Virtual wire pair 197
Enhanced MAC VLAN 201
VXLAN 204
DNS 208
Important DNS CLI commands 209
DNS domain list 210
FortiGate DNS server 212
DDNS 214
DNS latency information 218
DNS over TLS and HTTPS 220
DNS troubleshooting 224
Explicit and transparent proxies 226
Explicit web proxy 226
FTP proxy 230
Transparent proxy 232
Proxy policy addresses 234
Proxy policy security profiles 241
Explicit proxy authentication 245
Transparent web proxy forwarding 251
Upstream proxy authentication in transparent proxy mode 255
Multiple dynamic header count 257
Restricted SaaS access 259
Explicit proxy and FortiSandbox Cloud 268

Proxy chaining 270
WAN optimization SSL proxy chaining 275
Agentless NTLM authentication for web proxy 283
Multiple LDAP servers in Kerberos keytabs and agentless NTLM domain controllers 286
Learn client IP addresses 287
Explicit proxy authentication over HTTPS 288
mTLS client certificate authentication 290
CORS protocol in explicit web proxy when using session-based, cookie-enabled, and captive portal-enabled SAML authentication 296
DHCP server 299
Configure a DHCP server on an interface 299
Configure a DHCP relay on an interface 300
Configure a DHCP server and relay on an interface 301
DHCP options 302
IP address assignment with relay agent information option 303
DHCP client options 305
VCI pattern matching for DHCP assignment 306
Static routing 308
Routing concepts 308
Policy routes 320
Equal cost multi-path 323
Dual internet connections 327
Dynamic routing 332
RIP 333
OSPF 353
BGP 370
BFD 403
Routing objects 412
Multicast 421
Multicast routing and PIM support 422
Configuring multicast forwarding 422
FortiExtender 425
WAN extension mode 426
LAN extension mode 426
Adding a FortiExtender 426
Direct IP support for LTE/4G 428
Sample LTE interface 429
Limitations 430
LLDP reception 431
Virtual routing and forwarding 434
Implementing VRF 434
VRF routing support 435
Route leaking between VRFs with BGP 440
Route leaking between multiple VRFs 442
VRF with IPv6 452
IBGP and EBGP support in VRF 456
Support cross-VRF local-in and local-out traffic for local services 458
NetFlow 460

Verification and troubleshooting 462
NetFlow templates 462
NetFlow on FortiExtender and tunnel interfaces 474
sFlow 478
Configuring sFlow 478
Link monitor 481
Link monitor with route updates 481
Enable or disable updating policy routes when link health monitor fails 483
Add weight setting on each link health monitor server 485
SLA link monitoring for dynamic IPsec and SSL VPN tunnels 488
IPv6 491
IPv6 tunneling 491
IPv6 tunnel inherits MTU based on physical interface 493
Configuring IPv4 over IPv6 DS-Lite service 495
FortiGate LAN extension 500
Diagnostics 505
Using the packet capture tool 505
Using the debug flow tool 509
SD-WAN 514
SD-WAN overview 514
SD-WAN components and design principles 514
SD-WAN designs and architectures 517
SD-WAN quick start 518
Configuring the SD-WAN interface 519
Adding a static route 520
Selecting the implicit SD-WAN algorithm 520
Configuring firewall policies for SD-WAN 521
Link monitoring and failover 521
Results 523
Configuring SD-WAN in the CLI 526
SD-WAN zones 528
Specify an SD-WAN zone in static routes and SD-WAN rules 532
Performance SLA 537
Link health monitor 537
Factory default health checks 540
Health check options 542
Link monitoring example 545
SLA targets example 546
Passive WAN health measurement 547
Passive health-check measurement by internet service and application 553
Health check packet DSCP marker support 556
Manual interface speedtest 557
Scheduled interface speedtest 558
Monitor performance SLA 559
SLA monitoring using the REST API 562
Mean opinion score calculation and logging in performance SLA health checks 566
Embedded SD-WAN SLA information in ICMP probes 568
SD-WAN rules 576

Overview 576
Implicit rule 584
Automatic strategy 588
Manual strategy 589
Best quality strategy 590
Lowest cost (SLA) strategy 594
Maximize bandwidth (SLA) strategy 597
Use MAC addresses in SD-WAN rules and policy routes 600
SD-WAN traffic shaping and QoS 601
SDN dynamic connector addresses in SD-WAN rules 606
Application steering using SD-WAN rules 608
DSCP tag-based traffic steering in SD-WAN 621
ECMP support for the longest match in SD-WAN rule matching 628
Override quality comparisons in SD-WAN longest match rule matching 630
Use an application category as an SD-WAN rule destination 633
Advanced routing 637
Local out traffic 637
Using BGP tags with SD-WAN rules 643
BGP multiple path support 646
Controlling traffic with BGP route mapping and service rules 648
Applying BGP route-map to multiple BGP neighbors 655
Using multiple members per SD-WAN neighbor configuration 661
VPN overlay 667
ADVPN and shortcut paths 667
SD-WAN monitor on ADVPN shortcuts 680
Hold down time to support SD-WAN service strategies 681
SD-WAN integration with OCVPN 683
Adaptive Forward Error Correction 690
Dual VPN tunnel wizard 694
Duplicate packets on other zone members 695
Duplicate packets based on SD-WAN rules 698
Speed tests run from the hub to the spokes in dial-up IPsec tunnels 699
Interface based QoS on individual child tunnels based on speed test results 706
Use SSL VPN interfaces in zones 709
SD-WAN in large scale deployments 713
Advanced configuration 724
SD-WAN with FGCP HA 724
Configuring SD-WAN in an HA cluster using internal hardware switches 731
SD-WAN configuration portability 734
SD-WAN segmentation over a single overlay 740
Copying the DSCP value from the session original direction to its reply direction 755
SD-WAN cloud on-ramp 759
Configuring the VPN overlay between the HQ FortiGate and cloud FortiGate-VM 760
Configuring the VPN overlay between the HQ FortiGate and AWS native VPN gateway 764
Configuring the VIP to access the remote servers 768
Configuring the SD-WAN to steer traffic between the overlays 770
Verifying the traffic 774
Troubleshooting SD-WAN 780

Tracking SD-WAN sessions 781
Understanding SD-WAN related logs 781
SD-WAN related diagnose commands 784
SD-WAN bandwidth monitoring service 788
Using SNMP to monitor health check 791
Policy and Objects 795
Policies 795
Firewall policy 796
NGFW policy 809
Local-in policy 825
DoS policy 827
Access control lists 834
Interface policies 835
Source NAT 836
Destination NAT 852
Examples and policy actions 870
Objects 907
Address group exclusions 908
MAC addressed-based policies 909
ISDB well-known MAC address list 911
Dynamic policy — fabric devices 912
FSSO dynamic address subtype 914
ClearPass integration for dynamic address objects 918
Group address objects synchronized from FortiManager 921
Using wildcard FQDN addresses in firewall policies 923
Configure FQDN-based VIPs 925
IPv6 geography-based addresses 926
Array structure for address objects 928
IPv6 MAC addresses and usage in firewall policies 930
FortiNAC tag dynamic address 932
Allow empty address groups 935
Remove overlap check for VIPs 935
VIP groups 936
Internet Services 937
Protocol options 955
Log oversized files 955
RPC over HTTP 955
Protocol port mapping 955
Common options 956
Web options 957
Email options 957
Traffic shaping 957
Configuration methods 958
Traffic shaping policy 959
Traffic shaping policies 960
Traffic shaping profiles 964
Traffic shapers 974
Global traffic prioritization 986

DSCP matching and DSCP marking 989
Examples 993
Zero Trust Network Access 1009
Zero Trust Network Access introduction 1010
Basic ZTNA configuration 1013
Establish device identity and trust context with FortiClient EMS 1021
SSL certificate based authentication 1025
ZTNA configuration examples 1027
Migrating from SSL VPN to ZTNA 1120
ZTNA scalability support for up to 50 thousand concurrent endpoints 1127
ZTNA troubleshooting and debugging 1129
Security Profiles 1135
Inspection modes 1135
Flow mode inspection (default mode) 1136
Proxy mode inspection 1136
Inspection mode feature comparison 1138
Antivirus 1140
Protocol comparison between antivirus inspection modes 1141
Other antivirus differences between inspection modes 1141
AI-based malware detection 1141
Proxy mode stream-based scanning 1142
Databases 1145
Content disarm and reconstruction 1146
FortiGuard outbreak prevention 1148
External malware block list 1150
Malware threat feed from EMS 1153
Checking flow antivirus statistics 1156
CIFS support 1158
Using FortiSandbox post-transfer scanning with antivirus 1163
Using FortiSandbox inline scanning with antivirus 1165
Using FortiNDR inline scanning with antivirus 1175
Web filter 1179
URL filter 1180
FortiGuard filter 1185
Credential phishing prevention 1191
Additional antiphishing settings 1194
Usage quota 1197
Web content filter 1199
Advanced filters 1 1202
Advanced filters 2 1205
Web filter statistics 1209
URL certificate blocklist 1210
Websense Integrated Services Protocol 1211
Inspecting HTTP3 traffic 1212
Video filter 1213
Filtering based on FortiGuard categories 1214
Filtering based on YouTube channel 1218
DNS filter 1223

DNS filter behavior in proxy mode 1224
FortiGuard DNS rating service 1224
Configuring a DNS filter profile 1225
FortiGuard category-based DNS domain filtering 1228
Botnet C&C domain blocking 1231
DNS safe search 1234
Local domain filter 1236
DNS translation 1241
Applying DNS filter to FortiGate DNS server 1244
DNS inspection with DoT and DoH 1245
Troubleshooting for DNS filter 1248
Application control 1251
Basic category filters and overrides 1252
Excluding signatures in application control profiles 1255
Port enforcement check 1257
Protocol enforcement 1257
SSL-based application detection over decrypted traffic in a sandwich topology 1259
Matching multiple parameters on application control signatures 1260
Application signature dissector for DNP3 1263
Intrusion prevention 1263
Signature-based defense 1265
IPS configuration options 1268
IPS signature filter options 1272
IPS with botnet C&C IP blocking 1276
IPS signatures for the industrial security service 1280
IPS sensor for IEC 61850 MMS protocol 1281
SCTP filtering capabilities 1283
File filter 1285
Logs 1288
Supported file types 1290
Email filter 1292
Protocol comparison between email filter inspection modes 1292
Local-based filters 1293
FortiGuard-based filters 1300
Third-party-based filters 1302
Filtering order 1302
Protocols and actions 1304
Configuring webmail filtering 1305
Data leak prevention 1306
Protocol comparison between DLP inspection modes 1307
Logging and blocking files by file name 1307
Basic DLP settings 1307
DLP fingerprinting 1314
VoIP solutions 1319
General use cases 1319
NAT46 and NAT64 for SIP ALG 1323
SIP message inspection and filtering 1331
SIP pinholes 1333

SIP over TLS 1335
Voice VLAN auto-assignment 1336
Scanning MSRP traffic 1338
ICAP 1342
ICAP configuration example 1343
ICAP response filtering 1345
Secure ICAP clients 1347
Web application firewall 1348
Protecting a server running web applications 1349
SSL & SSH Inspection 1351
Certificate inspection 1351
Deep inspection 1353
Protecting an SSL server 1356
Handling SSL offloaded traffic from an external decryption device 1357
SSH traffic file scanning 1359
Redirect to WAD after handshake completion 1360
HTTP/2 support in proxy mode SSL inspection 1361
Define multiple certificates in an SSL profile in replace mode 1362
Disabling the FortiGuard IP address rating 1364
Custom signatures 1365
Application groups in traffic shaping policies 1365
Blocking applications with custom signatures 1369
Filters for application control groups 1371
Overrides 1374
Web rating override 1375
Web profile override 1380
VPN 1385
IPsec VPNs 1385
General IPsec VPN configuration 1385
Site-to-site VPN 1415
Remote access 1468
Aggregate and redundant VPN 1512
Overlay Controller VPN (OCVPN) 1556
ADVPN 1587
Other VPN topics 1621
VPN IPsec troubleshooting 1666
SSL VPN 1674
SSL VPN best practices 1674
SSL VPN quick start 1677
SSL VPN tunnel mode 1684
SSL VPN web mode 1693
SSL VPN authentication 1710
SSL VPN to IPsec VPN 1800
SSL VPN protocols 1807
Configuring OS and host check 1809
FortiGate as SSL VPN Client 1815
Dual stack IPv4 and IPv6 support for SSL VPN 1824
Disable the clipboard in SSL VPN web mode RDP connections 1835

SSL VPN IP address assignments 1840
SSL VPN troubleshooting 1842
User & Authentication 1845
Endpoint control and compliance 1845
Per-policy disclaimer messages 1845
Compliance 1848
FortiGuard distribution of updated Apple certificates 1850
Integrate user information from EMS and Exchange connectors in the user store 1851
User definition and groups 1854
Users 1854
User groups 1856
Retail environment guest access 1863
User and user group timeouts 1866
LDAP servers 1867
Configuring an LDAP server 1867
Enabling Active Directory recursive search 1869
Configuring LDAP dial-in using a member attribute 1870
Configuring wildcard admin accounts 1871
Configuring least privileges for LDAP admin account authentication in Active Directory 1872
Tracking users in each Active Directory LDAP group 1873
Tracking rolling historical records of LDAP user logins 1876
Configuring client certificate authentication on the LDAP server 1879
RADIUS servers 1882
Configuring a RADIUS server 1883
Using multiple RADIUS servers 1884
RADIUS AVPs and VSAs 1887
Restricting RADIUS user groups to match selective users on the RADIUS server 1889
Configuring RADIUS SSO authentication 1890
RSA ACE (SecurID) servers 1896
Support for Okta RADIUS attributes filter-Id and class 1900
Sending multiple RADIUS attribute values in a single RADIUS Access-Request 1902
Traffic shaping based on dynamic RADIUS VSAs 1903
RADIUS Termination-Action AVP in wired and wireless scenarios 1910
TACACS+ servers 1914
SAML 1916
Outbound firewall authentication for a SAML user 1916
SAML SP for VPN authentication 1917
Using a browser as an external user-agent for SAML authentication in an SSL VPN connection 1919
SAML authentication in a proxy policy 1923
Configuring SAML SSO in the GUI 1927
Outbound firewall authentication with Azure AD as a SAML IdP 1933
Authentication settings 1944
FortiTokens 1946
FortiToken Mobile quick start 1947
FortiToken Cloud 1955
Registering hard tokens 1955

Managing FortiTokens 1957
FortiToken Mobile Push 1959
Synchronizing LDAP Active Directory users to FortiToken Cloud using the two-factor filter 1961
Troubleshooting and diagnosis 1964
Configuring the maximum log in attempts and lockout period 1967
PKI 1968
Configuring a PKI user 1968
Configuring firewall authentication 1972
Creating a locally authenticated user account 1973
Creating a RADIUS-authenticated user account 1973
Creating an FSSO user group 1974
Creating a firewall user group 1976
Defining policy addresses 1976
Creating security policies 1977
FSSO 1978
FSSO polling connector agent installation 1981
FSSO using Syslog as source 1984
Configuring the FSSO timeout when the collector agent connection fails 1986
Authentication policy extensions 1988
Configuring the FortiGate to act as an 802.1X supplicant 1989
Example 1990
Include usernames in logs 1991
Install and configure FSSO Agent 1992
Configure the FortiGate 1994
Log, monitor, and report examples 1996
Wireless configuration 2000
Switch Controller 2001
System 2002
Basic system settings 2002
Advanced system settings 2002
Operating modes 2003
Administrators 2005
Local authentication 2005
Remote authentication for administrators 2006
Administrator account options 2009
REST API administrator 2011
SSO administrators 2013
FortiCloud SSO 2013
Password policy 2015
Public key SSH access 2016
Restricting SSH and Telnet jump host capabilities 2018
Remote administrators with TACACS VSA attributes 2019
Administrator profiles 2023
super_admin profile 2023
Creating customized profiles 2024
Edit profiles 2024

Delete profiles 2025
Fabric Management 2025
About firmware installations 2026
Firmware maturity levels 2027
Upgrading individual device firmware 2029
Upgrading individual device firmware by following the upgrade path (federated update) 2030
Upgrading all device firmware 2032
Upgrading all device firmware by following the upgrade path (federated update) 2034
Enabling automatic firmware updates 2037
Authorizing devices 2039
Firmware upgrade notifications 2041
Downloading a firmware image 2042
Testing a firmware version 2044
Installing firmware from system reboot 2045
Restoring from a USB drive 2047
Using controlled upgrades 2047
Downgrading individual device firmware 2048
Settings 2049
Default administrator password 2050
Changing the host name 2051
Setting the system time 2052
Configuring ports 2055
Setting the idle timeout time 2056
Setting the password policy 2057
Changing the view settings 2057
Setting the administrator password retries and lockout time 2058
TLS configuration 2058
Controlling return path with auxiliary session 2059
Email alerts 2063
Using configuration save mode 2067
Trusted platform module support 2068
Configuring the persistency for a banned IP list 2070
Using the default certificate for HTTPS administrative access 2072
Virtual Domains 2076
VDOM overview 2076
General configurations 2081
Inter-VDOM routing configuration example: Internet access 2089
Inter-VDOM routing configuration example: Partial-mesh VDOMs 2098
High Availability 2112
FortiGate Clustering Protocol (FGCP) 2112
FortiGate Session Life Support Protocol (FGSP) 2112
VRRP 2113
FGCP 2113
FGSP 2166
Standalone configuration synchronization 2213
VRRP 2218
SNMP 2230
Interface access 2230
MIB files 2230
SNMP agent 2231
SNMP v1/v2c communities 2232
SNMP v3 users 2233
Access control for SNMP 2235
Important SNMP traps 2237
SNMP traps and query for monitoring DHCP pool 2238
Replacement messages 2239
Modifying replacement messages 2240
Replacement message images 2241
Replacement message groups 2243
FortiGuard 2246
Configuring FortiGuard updates 2247
Configuring a proxy server for FortiGuard updates 2248
Manual updates 2248
Automatic updates 2250
Scheduled updates 2251
Sending malware statistics to FortiGuard 2252
Update server location 2253
Filtering 2254
Online security tools 2255
FortiGuard anycast and third-party SSL validation 2255
Using FortiManager as a local FortiGuard server 2258
Cloud service communication statistics 2259
IoT detection service 2261
FortiAP query to FortiGuard IoT service to determine device details 2264
FortiGate Cloud / FDN communication through an explicit proxy 2264
FDS-only ISDB package in firmware images 2266
Licensing in air-gap environments 2267
Feature visibility 2269
Certificates 2269
Uploading a certificate using the GUI 2270
Uploading a certificate using the CLI 2273
Uploading a certificate using an API 2275
Procuring and importing a signed SSL certificate 2279
Microsoft CA deep packet inspection 2282
ACME certificate support 2287
Administrative access using certificates 2291
Creating certificates with XCA 2292
Configuration scripts 2299
Workspace mode 2299
Custom languages 2301
RAID 2302
FortiGate encryption algorithm cipher suites 2305
HTTPS access 2306
SSH access 2306
SSL VPN 2308
Using APIs 2311
Token-based authentication 2311
Making an API call to retrieve information from the FortiGate 2311
Fortinet Security Fabric 2315
Security Fabric settings and usage 2315
Components 2316
Configuring the root FortiGate and downstream FortiGates 2319
Configuring FortiAnalyzer 2326
Configuring FortiGate Cloud 2328
Configuring FortiAnalyzer Cloud service 2332
Configuring FortiManager 2336
Configuring FortiManager Cloud service 2338
Configuring Sandboxing 2339
Configuring FortiClient EMS 2345
Synchronizing FortiClient ZTNA tags 2358
Configuring FortiNAC 2361
Configuring FortiAP and FortiSwitch 2363
Configuring FortiMail 2364
Configuring FortiNDR 2366
Configuring FortiDeceptor 2370
Configuring FortiWeb 2373
Configuring FortiTester 2375
Configuring FortiMonitor 2378
Configuring FortiVoice 2380
Using the Security Fabric 2384
Deploying the Security Fabric 2399
Deploying the Security Fabric in a multi-VDOM environment 2407
Synchronizing objects across the Security Fabric 2412
Security Fabric over IPsec VPN 2420
Leveraging LLDP to simplify Security Fabric negotiation 2425
Configuring the Security Fabric with SAML 2428
Configuring single-sign-on in the Security Fabric 2429
CLI commands for SAML SSO 2435
SAML SSO with pre-authorized FortiGates 2436
Navigating between Security Fabric members with SSO 2437
Integrating FortiAnalyzer management using SAML SSO 2439
Integrating FortiManager management using SAML SSO 2443
Advanced option - FortiGate SP changes 2445
Security rating 2446
Security rating notifications 2448
Security rating check scheduling 2453
Opt out of ranking 2453
Logging the security rating 2453
Multi VDOM mode 2454
Security Fabric score 2455
Automation stitches 2456
Creating automation stitches 2456
Triggers 2470
Actions 2491
Public and private SDN connectors 2549
Getting started with public and private SDN connectors 2550
AliCloud SDN connector using access key 2554
AWS SDN connector using certificates 2556
Azure SDN connector using service principal 2562
Cisco ACI SDN connector using a standalone connector 2563
ClearPass endpoint connector via FortiManager 2565
GCP SDN connector using service account 2568
IBM Cloud SDN connector using API keys 2570
Kubernetes (K8s) SDN connectors 2574
Nuage SDN connector using server credentials 2590
Nutanix SDN connector using server credentials 2592
OCI SDN connector using certificates 2594
OpenStack SDN connector using node credentials 2596
SAP SDN connector 2600
VMware ESXi SDN connector using server credentials 2603
VMware NSX-T Manager SDN connector using NSX-T Manager credentials 2605
Multiple concurrent SDN connectors 2608
Filter lookup in SDN connectors 2612
Support for wildcard SDN connectors in filter configurations 2614
Endpoint/Identity connectors 2616
Fortinet single sign-on agent 2616
Poll Active Directory server 2617
Symantec endpoint connector 2618
RADIUS single sign-on agent 2624
Exchange Server connector 2627
Threat feeds 2630
External resources file format 2631
Configuring a threat feed 2632
Viewing the update history 2638
EMS threat feed 2638
External blocklist policy 2638
External blocklist authentication 2640
External blocklist file hashes 2640
External resources for DNS filter 2642
Threat feed connectors per VDOM 2646
STIX format for external threat feeds 2650
Monitoring the Security Fabric using FortiExplorer for Apple TV 2652
NOC and SOC example 2653
Troubleshooting 2663
Viewing a summary of all connected FortiGates in a Security Fabric 2664
Diagnosing automation stitches 2666
Log and Report 2670
Viewing event logs 2670
System Events log page 2673
Security Events log page 2678
Log settings and targets 2681
Configuring logs in the CLI 2684
Email alerts 2686
Threat weight 2686
Logging to FortiAnalyzer 2687
FortiAnalyzer Reports page in the GUI 2688
FortiAnalyzer log caching 2690
Sending traffic logs to FortiAnalyzer Cloud 2692
Configuring multiple FortiAnalyzers (or syslog servers) per VDOM 2695
Configuring multiple FortiAnalyzers on a FortiGate in multi-VDOM mode 2696
Advanced and specialized logging 2699
Logs for the execution of CLI commands 2699
Log buffer on FortiGates with an SSD disk 2700
Source and destination UUID logging 2703
Configuring and debugging the free-style filter 2705
Logging the signal-to-noise ratio and signal strength per client 2707
RSSO information for authenticated destination users in logs 2709
Destination user information in UTM logs 2712
Sample logs by log type 2716
Troubleshooting 2737
Log-related diagnose commands 2738
Backing up log files or dumping log messages 2743
SNMP OID for logs that failed to send 2745
VM 2749
Amazon Web Services 2749
Microsoft Azure 2749
Google Cloud Platform 2749
Oracle OCI 2749
AliCloud 2750
Private cloud 2750
VM license 2750
Uploading a license file 2751
VM license types 2751
Consuming a new vCPU 2753
CLI troubleshooting 2753
Permanent trial mode for FortiGate-VM 2755
Adding VDOMs with FortiGate v-series 2758
Terraform: FortiOS as a provider 2761
Troubleshooting 2765
PF and VF SR-IOV driver and virtual SPU support 2765
Using OCI IMDSv2 2767
FIPS cipher mode for AWS, Azure, OCI, and GCP FortiGate-VMs 2769
Hyperscale firewall 2772
Troubleshooting 2773
Troubleshooting methodologies 2774
Verify user permissions 2774
Establish a baseline 2774
Create a troubleshooting plan 2776
Troubleshooting scenarios 2777
Checking the system date and time 2778
Checking the hardware connections 2779
Checking FortiOS network settings 2780
Troubleshooting CPU and network resources 2783
Troubleshooting high CPU usage 2784
Checking the modem status 2788
Running ping and traceroute 2789
Checking the logs 2792
Verifying routing table contents in NAT mode 2793
Verifying the correct route is being used 2794
Verifying the correct firewall policy is being used 2794
Checking the bridging information in transparent mode 2795
Checking wireless information 2796
Performing a sniffer trace or packet capture 2797
Debugging the packet flow 2798
Testing a proxy operation 2801
Displaying detail Hardware NIC information 2802
Performing a traffic trace 2804
Using a session table 2805
Finding object dependencies 2808
Diagnosing NPU-based interfaces 2809
Identifying the XAUI link used for a specific traffic stream 2810
Date and time settings 2811
Running the TAC report 2811
Using the process monitor 2812
Other commands 2814
ARP table 2814
IP address 2816
FortiGuard troubleshooting 2817
Verifying connectivity to FortiGuard 2817
Troubleshooting process for FortiGuard updates 2818
FortiGuard server settings 2818
View open and in use ports 2820
Additional resources 2821
Technical documentation 2821
Fortinet video library 2821
Release notes 2821
Fortinet Community 2821
Fortinet training services online campus 2821
Fortinet Support 2822
Change Log

Date        Change Description

2022-08-04  Initial release.

2022-08-10  Updated Troubleshooting BGP on page 399, ADVPN and shortcut paths on page 667, and
            Configuration backups on page 64.

2022-08-11  Added Routing objects on page 412.
            Updated Configuring client certificate authentication on the LDAP server on page 1879.

2022-08-18  Added Using APIs on page 2311, SSL VPN web mode on page 1693, Web portal
            configurations on page 1694, and SSL VPN bookmarks on page 1698.

2022-08-19  Updated Configuration backups on page 64, Uploading a certificate using the GUI on
            page 2270, Uploading a certificate using the CLI on page 2273, and VXLAN over IPsec
            using a VXLAN tunnel endpoint on page 1644.

2022-08-23  Added Central DNAT on page 867 and Hyperscale firewall on page 2772.
            Updated Local domain filter on page 1236.

2022-08-25  Updated Configuration backups on page 64 and FortiGate encryption algorithm cipher
            suites on page 2305.

2022-08-26  Updated DSCP tag-based traffic steering in SD-WAN on page 621.

Getting started

This section explains how to get started with a FortiGate.

Differences between models

Not all FortiGates have the same features, particularly entry-level models (models 30 to 90). A number of features on
these models are only available in the CLI.

Consult your model's QuickStart Guide, hardware manual, or the Feature / Platform Matrix for
further information about features that vary by model.

FortiGate models differ principally by the names used and the features available:
- Naming conventions may vary between FortiGate models. For example, on some models the hardware switch
interface used for the local area network is called lan, while on other units it is called internal.
- Certain features are not available on all models. Additionally, a particular feature may be available only through the
CLI on some models, while that same feature may be viewed in the GUI on other models.
If you believe your FortiGate model supports a feature that does not appear in the GUI, go to System > Feature
Visibility and confirm that the feature is enabled. For more information, see Feature visibility on page 2269.

Low encryption models

Some FortiGate models support a low encryption (LENC) license. With an LENC license, FortiGate devices are
considered low encryption models and are identified by LENC, for example FG-100E-LENC.
LENC models cannot use or inspect high encryption protocols, such as 3DES and AES. LENC models only use 56-bit
DES encryption to work with SSL VPN and IPsec VPN, and they are unable to perform SSL inspection.
For a list of FortiGate models that support an LENC license, see FortiGate LENC Models.

Using the GUI

This section presents an introduction to the graphical user interface (GUI) on your FortiGate.
The following topics are included in this section:
- Connecting using a web browser
- Menus
- Tables
- Entering values
- GUI-based global search
- Loading artifacts from a CDN on page 28
For information about using the dashboards, see Dashboards and Monitors on page 82.

Connecting using a web browser

In order to connect to the GUI using a web browser, an interface must be configured to allow administrative access over
HTTPS or over both HTTPS and HTTP. By default, an interface has already been set up that allows HTTPS access with
the IP address 192.168.1.99.
Browse to https://192.168.1.99 and enter your username and password. If you have not changed the admin account’s
password, use the default user name, admin, and leave the password field blank.
The GUI will now display in your browser, and you will be required to provide a password for the administrator account.

To use a different interface to access the GUI:

1. Go to Network > Interfaces and edit the interface you wish to use for access. Take note of its assigned IP address.
2. In Administrative Access, select HTTPS, and any other protocol you require. You can also select HTTP, although
this is not recommended: over HTTP the administrator credentials and session cookie cross the network in clear text.
3. Click OK.
4. Browse to the IP address using your chosen protocol.
The GUI will now be displayed in your browser.

Menus

If you believe your FortiGate model supports a menu that does not appear in the GUI, go to
System > Feature Visibility and ensure the feature is enabled. For more information, see
Feature visibility on page 2269.

The GUI contains the following main menus, which provide access to configuration options for most FortiOS features:

Dashboard: The dashboard displays various widgets that display important system information and allow you to
configure some system options. For more information, see Dashboards and Monitors on page 82.

Network: Options for networking, including configuring system interfaces and routing options. For more information,
see Network on page 141.

Policy & Objects: Configure firewall policies, protocol options, and supporting content for policies, including
schedules, firewall addresses, and traffic shapers. For more information, see Policy and Objects on page 795.

Security Profiles: Configure your FortiGate's security features, including Antivirus, Web Filter, and Application
Control. For more information, see Security Profiles on page 1135.

VPN: Configure options for IPsec and SSL virtual private networks (VPNs). For more information, see IPsec VPNs on
page 1385 and SSL VPN on page 1674.

User & Authentication: Configure user accounts, groups, and authentication methods, including external
authentication and single sign-on (SSO).

WiFi & Switch Controller: Configure the unit to act as a wireless network controller, managing the wireless Access
Point (AP) functionality of FortiWiFi and FortiAP units. On certain FortiGate models, this menu has additional features
allowing for FortiSwitch units to be managed by the FortiGate. For more information, see Wireless configuration on
page 2000 and Switch Controller on page 2001.

System: Configure system settings, such as administrators, HA, FortiGuard, and certificates. For more information,
see System on page 2002.

Security Fabric: Access the physical topology, logical topology, automation, and settings of the Fortinet Security
Fabric. For more information, see Fortinet Security Fabric on page 2315.

Log & Report: Configure logging and alert email as well as reports. For more information, see Log and Report on
page 2670.

Tables

Many GUI pages contain tables of information that can be filtered and customized to display specific information in a
specific way. Some tables allow content to be edited directly on that table, or rows to be copied and pasted.

Navigation

Some tables contain information and lists that span multiple pages. Navigation controls will be available at the bottom of
the page.

Filters

Filters are used to locate a specific set of information or content in a table. They can be particularly useful for locating
specific log entries. The filtering options vary, depending on the type of information in the log.
Depending on the table content, filters can be applied using the filter bar, using a column filter, or based on a cell's
content. Some tables allow filtering based on regular expressions.
Administrators with read and write access can define filters. Multiple filters can be applied at one time.


To manually create a filter:

1. Click Add Filter at the top of the table. A list of the fields available for filtering is shown.
2. Select the field to filter by.
3. Enter the value to filter by, adding modifiers as needed.
4. Press Enter to apply the filter.

To create a column filter:

1. Click the filter icon on the right side of the column header
2. Choose a filter type from the available options.
3. Enter the filter text, or select from the available values.
4. Click Apply.

To create a filter based on a cell's content:

1. Right click on a cell in the table.


2. Select a filtering option from the menu.

Column settings

Columns can be rearranged, resized, and added or removed from tables.

To add or remove columns:

1. Right-click a column header, or click the gear icon on the left side of the header row that appears when hovering
the cursor over the headers.
2. Select columns to add or remove.
3. Click Apply.

To rearrange the columns in a table:

1. Click and drag the column header.

To resize a column:

1. Click and drag the right border of the column header.

To resize a column to fit its contents:

1. Click the dots or filter icon on the right side of the column header and select Resize to Contents.

To resize all of the columns in a table to fit their content:

1. Right-click a column header, or click the gear icon on the left side of the header row that appears when hovering
the cursor over the headers.
2. Click Best Fit All Columns.


To reset a table to its default view:

1. Right-click a column header, or click the gear icon on the left side of the header row that appears when hovering
the cursor over the headers.
2. Click Reset Table.
Resetting a table does not remove filters.

Editing objects

In some tables, parts of a configuration can be edited directly in the table. For example, security profiles can be added to
an existing firewall policy by clicking the edit icon in a cell in the Security Profiles column.

Copying rows

In some tables, rows can be copied and pasted using the right-click menu. For example, a policy can be duplicated by
copying and pasting it.

Entering values

Numerous fields in the GUI and CLI require text strings or numbers to be entered when configuring the FortiGate. When
entering values in the GUI, you will be prevented from entering invalid characters, and a warning message will be shown
explaining what values are not allowed. If invalid values are entered in a CLI command, the setting will be rejected when
you apply it.
- Text strings on page 25
- Numbers on page 26

Text strings

Text strings are used to name entities in the FortiGate configuration. For example, the names of a firewall address, an
administrator, or an interface are all text strings.
The following characters cannot be used in text strings, because a name containing them could be used to inject
markup when it is rendered in the GUI (cross-site scripting, XSS):
- " - double quote
- ' - single quote
- > - greater than
- < - less than
Most GUI text fields prevent these characters from being added.

VDOM names and hostnames can only use numbers (0-9), letters (a-z and A-Z), dashes, and
underscores.

The tree CLI command can be used to view the number of characters allowed in a name field. For example, entering
the following commands show that a firewall address name can contain up to 80 characters, while its FQDN can contain
256 characters:


tree firewall address
-- [address] --*name (80)
|- uuid
|- subnet
|- type
|- sub-type
|- clearpass-spt
|- [macaddr] --*macaddr (128)
|- start-ip
|- end-ip
|- fqdn (256)
|- country (3)
|- wildcard-fqdn (256)
|- cache-ttl (0,86400)
|- wildcard
|- sdn (36)
|- [fsso-group] --*name (512)
|- interface (36)
|- tenant (36)
|- organization (36)
|- epg-name (256)
|- subnet-name (256)
|- sdn-tag (16)
|- policy-group (16)
|- obj-tag (256)
|- obj-type
|- tag-detection-level (16)
|- tag-type (64)
|- dirty
|- comment
|- associated-interface (36)
|- color (0,32)
|- filter
|- sdn-addr-type
|- node-ip-only
|- obj-id
|- [list] --*ip (36)
|- obj-id (128)
+- net-id (128)
|- [tagging] --*name (64)
|- category (64)
+- [tags] --*name (80)
|- allow-routing
+- fabric-object

Numbers

Numbers are used to set sizes, rates, addresses, port numbers, priorities, and other such numeric values. They can be
entered as a series of digits (without commas or spaces), in a dotted decimal format (such as IP addresses), or
separated by colons (such as MAC addresses). Most numeric values use base 10 numbers, while some use
hexadecimal values.
Most GUI and CLI fields prevent invalid numbers from being entered. The CLI help text includes information about the
range of values allowed for applicable settings.


GUI-based global search

The global search option in the GUI allows users to search for keywords appearing in objects and navigation menus to
quickly access the object and configuration page. Click the magnifying glass icon in the top-left corner of the banner to
access the global search.
The global search includes the following features:
- Keep a history of frequent and recent searches
- Sort results alphabetically by increasing or decreasing order, and relevance by search weight
- Search by category
- Search in Security Fabric members (accessed by the Security Fabric members dropdown menu in the banner)

Examples

In this example, searching for the word ZTNA yields the following results:
- Firewall policy object 9, which contains ZTNA in the property value, Name. The name of the policy is ZTNA-TCP.
- ZTNA server object ZTNA-webserver, which contains ZTNA in the property value, Name.
- ZTNA navigation menu item under Policy & Objects > ZTNA.
Since CMDB objects have a higher search weight (50) than navigation objects (20), the navigation menu result appears
at the bottom.

In this example, searching for the address 10.88.0.1 yields the following results:
- Address object EMS that has a subnet of 10.88.0.1/32, which matches the search term.
- Virtual IP object Telemetry-VIP that has a mapped IP range of 10.88.0.1, which matches the search term.
- Address objects all, FIREWALL_AUTH_PORTAL_ADDRESS, and FABRIC_DEVICE that have IP subnets of
0.0.0.0/0, which the searched term falls into.
- Address group object All_Grp that contains member addresses that have IP subnets of 0.0.0.0/0, which the
searched term falls into.
Sorting by Relevance will display address objects that are more closely matched at the top (10.88.0.1), and more loosely
matched at the bottom (0.0.0.0).


Loading artifacts from a CDN

To improve GUI performance, the FortiGate can be configured so that the administrator's browser loads static GUI
artifacts from CDN (content delivery network) servers closer to the user instead of from the FortiGate itself. This
reduces load time and latency for administrators who access the FortiGate remotely, at the cost of the browser needing
outbound access to the CDN. If a file cannot be fetched from the CDN, the browser falls back to loading it from the
FortiGate. The CDN is only used after a successful administrator login.

To configure loading static GUI files from a CDN:

config system global
    set gui-cdn-usage {enable | disable}
end

Using the CLI

The Command Line Interface (CLI) can be used in lieu of the GUI to configure the FortiGate. Some settings are not
available in the GUI, and can only be accessed using the CLI.
This section briefly explains basic CLI usage. For more information about the CLI, see the FortiOS CLI Reference.
- Connecting to the CLI on page 28
- CLI basics on page 31
- Command syntax on page 37
- Subcommands on page 40
- Permissions on page 42

Connecting to the CLI

You can connect to the CLI using a direct console connection, SSH, the FortiExplorer app on your iOS device, or the CLI
console in the GUI.
You can access the CLI outside of the GUI in three ways:
- Console connection: Connect your computer directly to the console port of your FortiGate.
- SSH access: Connect your computer through any network interface attached to one of the network ports on your
FortiGate.
- FortiExplorer: Connect your device to the FortiExplorer app on your iOS device to configure, manage, and monitor
your FortiGate. See FortiExplorer management on page 42 for details.
To open a CLI console, click the >_ icon in the top right corner of the GUI. The console opens on top of the GUI. It can be
minimized and multiple consoles can be opened.
To edit policies and objects directly in the CLI, right-click on the element and select Edit in CLI.

Console connection

A direct console connection to the CLI is created by directly connecting your management computer or console to the
FortiGate using its DB-9 or RJ-45 console port.
Direct console access to the FortiGate may be required if:
- You are installing the FortiGate for the first time and it is not configured to connect to your network.
- You are restoring the firmware using a boot interrupt. Network access to the CLI will not be available until after the
boot process has completed, making direct console access the only option.
To connect to the FortiGate console, you need:
- A console cable to connect the console port on the FortiGate to a communications port on the computer. Depending
on your device, this is one of:
  - null modem cable (DB-9 to DB-9)
  - DB-9 to RJ-45 cable (a DB-9-to-USB adapter can be used)
  - USB to RJ-45 cable
- A computer with an available communications port
- Terminal emulation software

To connect to the CLI using a direct console connection:

1. Using the console cable, connect the FortiGate unit’s console port to the serial communications (COM) port on your
management computer.
2. Start a terminal emulation program on the management computer, select the COM port, and use the following
settings:

Bits per second 9600

Data bits 8

Parity None

Stop bits 1

Flow control None

3. Press Enter on the keyboard to connect to the CLI.
4. Log in to the CLI using your username and password (default: admin and no password).
You can now enter CLI commands, including configuring access to the CLI through SSH.


SSH access

SSH access to the CLI is accomplished by connecting your computer to the FortiGate using one of its network ports. You
can either connect directly, using a peer connection between the two, or through any intermediary network.

If you do not want to use an SSH client and you have access to the GUI, you can access the
CLI through the network using the CLI console in the GUI.

SSH must be enabled on the network interface that is associated with the physical network port that is used.
If your computer is not connected either directly or through a switch to the FortiGate, you must also configure the
FortiGate with a static route to a router that can forward packets from the FortiGate to the computer. This can be done
using a local console connection, or in the GUI.
To connect to the FortiGate CLI using SSH, you need:
- A computer with an available serial communications (COM) port and RJ-45 port
- An appropriate console cable
- Terminal emulation software
- A network cable
- Prior configuration of the operating mode, network interface, and static route.

To enable SSH access to the CLI using a local console connection:

1. Using the network cable, connect the FortiGate unit’s port either directly to your computer’s network port, or to a
network through which your computer can reach the FortiGate.
2. Note the number of the physical network port.
3. Using direct console connection, connect and log into the CLI.
4. Enter the following command:
config system interface
edit <interface_str>
append allowaccess ssh
next
end

Where <interface_str> is the name of the network interface associated with the physical network port, such as
port1.
5. Confirm the configuration using the following command to show the interface’s settings:
show system interface <interface_str>

For example:
show system interface port1
config system interface
    edit "port1"
        set vdom "root"
        set ip 192.168.1.99 255.255.255.0
        set allowaccess ping https ssh
        set type hard-switch
        set stp enable
        set role lan
        set snmp-index 6
    next
end

Connecting using SSH

Once the FortiGate is configured to accept SSH connections, use an SSH client on your management computer to
connect to the CLI.
The following instructions use PuTTY. The steps may vary in other SSH clients.

To connect to the CLI using SSH:

1. On your management computer, start PuTTY.
2. In the Host Name (or IP address) field, enter the IP address of the network interface that you are connected to and
that has SSH access enabled.
3. Set the port number to 22, if it is not set automatically.
4. Select SSH for the Connection type.
5. Click Open. The SSH client connects to the FortiGate.
The SSH client may display a warning if this is the first time that you are connecting to the FortiGate and its SSH key
is not yet recognized by the SSH client, or if you previously connected to the FortiGate using a different IP address
or SSH key. This is normal if the management computer is connected directly to the FortiGate with no network hosts
in between. On a routed path, compare the fingerprint the client shows with one recorded from an earlier trusted
session or verified out of band before accepting it: a host key that changes for an address you have connected to
before can mean the device was replaced, or that the connection is being intercepted.
6. Click Yes to accept the FortiGate's SSH key.
The CLI displays the login prompt.
7. Enter a valid administrator account name, such as admin, then press Enter.
8. Enter the administrator account password, then press Enter.
The CLI console shows the command prompt (FortiGate hostname followed by a #). You can now enter
CLI commands.

If three incorrect log in or password attempts occur in a row, you will be disconnected. If this
occurs, wait for one minute, then reconnect and attempt to log in again.
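The host-key warning in step 5 is where trust is decided, so the following script is added here as an example (it is not part of the FortiOS guide) of taking that step without clicking Yes on an unverified key: it fetches the FortiGate's host keys with ssh-keyscan, keeps only the one whose fingerprint matches a value recorded out of band, and then runs CLI commands with strict host key checking against that pinned file, so a changed or unknown key fails closed instead of prompting. It assumes the default 192.168.1.99 address and admin account from the guide; the FGT_* variables and function names are this example's own.

```shell
#!/bin/sh
# Added example, not from the FortiOS guide: pin the FortiGate SSH host key and
# run CLI commands over SSH without ever answering "Yes" to an unverified key.
# Assumptions: default management address and account from the guide; the
# expected fingerprint was recorded out of band. FGT_* names are this example's.
FGT_HOST=${FGT_HOST:-192.168.1.99}
FGT_USER=${FGT_USER:-admin}
FGT_KNOWN_HOSTS=${FGT_KNOWN_HOSTS:-${HOME:-/tmp}/.ssh/fortigate_known_hosts}

# fgt_key_fingerprint FILE
# Prints the SHA256 fingerprint of the first key in FILE (a known_hosts line
# or ssh-keyscan output); prints nothing if the file holds no parseable key.
fgt_key_fingerprint() {
    ssh-keygen -l -f "$1" 2>/dev/null | awk 'NR == 1 { print $2 }'
}

# fgt_pin_hostkey EXPECTED_FINGERPRINT
# Scans the FortiGate's host keys and stores only the one whose fingerprint
# equals EXPECTED_FINGERPRINT in FGT_KNOWN_HOSTS. Returns 1 if none matches,
# which also covers an unreachable host or an interceptor serving its own key.
fgt_pin_hostkey() {
    expected=$1
    scanfile=$(mktemp) || return 1
    keyfile=$(mktemp) || { rm -f "$scanfile"; return 1; }
    ssh-keyscan "$FGT_HOST" > "$scanfile" 2>/dev/null
    found=1
    while IFS= read -r line; do
        printf '%s\n' "$line" > "$keyfile"
        if [ "$(fgt_key_fingerprint "$keyfile")" = "$expected" ]; then
            mkdir -p "$(dirname "$FGT_KNOWN_HOSTS")"
            printf '%s\n' "$line" >> "$FGT_KNOWN_HOSTS"
            found=0
            break
        fi
    done < "$scanfile"
    rm -f "$scanfile" "$keyfile"
    [ "$found" -eq 0 ] || printf 'no host key of %s matched %s\n' "$FGT_HOST" "$expected" >&2
    return "$found"
}

# fgt_cli COMMAND
# Runs one CLI command on the FortiGate. Host key checking is strict and uses
# only the pinned file, so a changed or unknown key aborts the connection.
# With FGT_DRY_RUN=1 the ssh command line is printed instead of executed.
fgt_cli() {
    set -- ssh -o StrictHostKeyChecking=yes -o "UserKnownHostsFile=$FGT_KNOWN_HOSTS" \
        "$FGT_USER@$FGT_HOST" "$@"
    if [ "${FGT_DRY_RUN:-0}" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Typical use: pin once, then script commands. The fingerprint below is a
# placeholder for the one you recorded out of band.
if [ "${1:-}" = demo ]; then
    fgt_pin_hostkey 'SHA256:replace-with-recorded-fingerprint' &&
        fgt_cli 'get system status'
fi
```

Passing the command as an argument to ssh makes the call scriptable (it returns once the FortiGate has printed the output); if the admin account has no SSH public key configured, ssh still prompts interactively for the password. Keeping the FortiGate keys in their own known_hosts file also means a later device replacement is handled by re-running fgt_pin_hostkey with the new fingerprint rather than by blindly removing an entry.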

CLI basics

Basic features and characteristics of the CLI environment provide support and ease of use for many CLI tasks.

Help

Press the question mark (?) key to display command help and complete commands.
- Press the question mark (?) key at the command prompt to display a list of the commands available and a
description of each command.
- Enter a command followed by a space and press the question mark (?) key to display a list of the options available
for that command and a description of each option.
- Enter a command followed by an option and press the question mark (?) key to display a list of additional options
available for that command option combination and a description of each option.
- Enter a question mark after entering a portion of a command to see a list of valid complete commands and their
descriptions. If there is only one valid command, it will be automatically filled in.

Shortcuts and key commands

Shortcut key              Action

?                         List valid complete or subsequent commands. If multiple commands can complete the
                          command, they are listed with their descriptions.

Tab                       Complete the word with the next available match. Press multiple times to cycle through
                          available matches.

Up arrow or Ctrl + P      Recall the previous command. Command memory is limited to the current session.

Down arrow or Ctrl + N    Recall the next command.

Left or Right arrow       Move the cursor left or right within the command line.

Ctrl + A                  Move the cursor to the beginning of the command line.

Ctrl + E                  Move the cursor to the end of the command line.

Ctrl + B                  Move the cursor backwards one word.

Ctrl + F                  Move the cursor forwards one word.

Ctrl + D                  Delete the current character.

Ctrl + C                  Abort current interactive commands, such as when entering multiple lines. If you are not
                          currently within an interactive command such as config or edit, this closes the CLI
                          connection.

\ then Enter              Continue typing a command on the next line for a multiline command. For each line that
                          you want to continue, terminate it with a backslash ( \ ). To complete the command,
                          enter a space instead of a backslash, and then press Enter.

Command tree

Enter tree to display the CLI command tree. To capture the full output, connect to your device using a terminal
emulation program and capture the output to a log file. For some commands, use the tree command to view all
available variables and subcommands.

Command abbreviation

You can abbreviate words in the command line to their smallest number of non-ambiguous characters.
For example, the command get system status could be abbreviated to g sy stat.


Adding and removing options from lists

When configuring a list, the set command replaces the previous configuration.
For example, if a user group currently includes members A, B, and C, the command set member D will remove
members A, B, and C. To keep the existing members in the group, the command set member A B C D must be used.
To avoid this issue, the following commands are available:

append      Add an option to an existing list. For example, append member D adds user D to the user group
            without removing any of the existing members.

select      Clear all of the options except for those specified. For example, select member B removes all
            members from the group except for member B.

unselect    Remove an option from an existing list. For example, unselect member C removes only member C
            from the group, without affecting the other members.

Environment variables

The following environment variables are supported by the CLI. Variable names are case-sensitive.

$USERFROM     The management access type (ssh, jsconsole, and so on) and the IPv4 address of the administrator
              that configured the item.

$USERNAME     The account name of the administrator that configured the item.

$SerialNum    The serial number of the FortiGate.

For example, to set a FortiGate device's host name to its serial number, use the following CLI command:
config system global
set hostname $SerialNum
end

Special characters

The following characters cannot be used in most CLI commands: <, >, (, ), #, ', and "
If one of those characters, or a space, needs to be entered as part of a string, it can be entered by using a special
command, enclosing the entire string in quotes, or preceding it with an escape character (backslash, \).
To enter a question mark (?) or a tab, Ctrl + V or Ctrl + Shift + - must be entered first.

Question marks and tabs cannot be copied into the CLI Console or some SSH clients. They
must be typed in.


Character                          Keys

?                                  Ctrl + V or Ctrl + Shift + - then ?

Tab                                Ctrl + V then Tab

Space                              Enclose the string in single or double quotation marks: "Security Administrator"
(as part of a string value,        or 'Security Administrator', or precede the space with a backslash:
not to end the string)             Security\ Administrator.

'                                  \'
(as part of a string value,
not to begin or end the string)

"                                  \"
(as part of a string value,
not to begin or end the string)

\                                  \\
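Scripts that generate FortiOS CLI from external data run into both rules above at once: the name rule from Text strings (no ", ', < or > in a name, and a length limit such as the 80 characters that tree firewall address reports) and the escaping rule from this table for values like comments. The following is an added example, not code from the FortiOS guide, that enforces the name rule before anything reaches the device and quotes values with the \\ and \" escapes from the table. The function names and the firewall address used in the demo are this example's own.

```shell
#!/bin/sh
# Added example, not from the FortiOS guide: validate object names and quote
# string values before a script feeds them to the FortiOS CLI. The only facts
# taken from the guide are the four characters rejected in names (" ' < >),
# the escapes \\ and \" from the special-character table, and the 80-character
# limit on a firewall address name shown by "tree firewall address". Function
# names are this example's own.

# fgt_name_ok NAME [MAXLEN]
# Returns 0 when NAME is non-empty, no longer than MAXLEN (default 80) and
# free of the four characters the GUI rejects because of XSS, else 1.
fgt_name_ok() {
    name=$1
    maxlen=${2:-80}
    [ -n "$name" ] || return 1
    [ "${#name}" -le "$maxlen" ] || return 1
    case $name in
        *\"*|*\'*|*\<*|*\>*) return 1 ;;
    esac
    return 0
}

# fgt_quote STRING
# Prints STRING as a double-quoted CLI value, escaping backslash and double
# quote as \\ and \", so spaces, parentheses and # inside it are preserved.
fgt_quote() {
    escaped=$(printf '%s\n' "$1" | sed -e 's/\\/\\\\/g' -e 's/"/\\"/g')
    printf '"%s"\n' "$escaped"
}

# fgt_address_comment_cli NAME COMMENT
# Emits the CLI lines that set the comment of firewall address NAME. Prints
# nothing and returns 1 if NAME would be rejected, so a bad name is caught
# before a script pastes it into the device.
fgt_address_comment_cli() {
    fgt_name_ok "$1" 80 || return 1
    printf 'config firewall address\n    edit %s\n        set comment %s\n    next\nend\n' \
        "$(fgt_quote "$1")" "$(fgt_quote "$2")"
}

# Demo when run directly: a valid name with a comment full of special characters.
if [ "${1:-}" = demo ]; then
    fgt_address_comment_cli 'dmz-web' 'Owner: web team #2 (rack 4), path C:\inetpub'
fi
```

The two checks are deliberately separate: quoting makes a value such as a comment safe to enter, but it does not make a forbidden character acceptable in a name, so fgt_address_comment_cli refuses the name first and only then quotes both strings.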

Using grep to filter command output

The get, show, and diagnose commands can produce large amounts of output. The grep command can be used to
filter the output so that it only shows the required information.
The grep command is based on the standard UNIX grep, used for searching text output based on regular expressions.
For example, the following command displays the MAC address of the internal interface:
get hardware nic internal | grep Current_HWaddr
Current_HWaddr 00:09:0f:cb:c2:75

The following command will display all TCP sessions that are in the session list, including the session list line number in
the output:
get system session list | grep -n tcp

The following command will display all of the lines in the HTTP replacement message that contain URL or url:
show system replacemsg http | grep -i url

The following options can also be used:

-A <num>    After: also show <num> lines after each match.

-B <num>    Before: also show <num> lines before each match.

-C <num>    Context: also show <num> lines before and after each match.

The -f option is available to support contextual output, in order to show the complete configuration. The following
example shows the difference in the output when -f is used versus when it is not used:

Without -f:

show | grep ldap-group1
    edit "ldap-group1"
        set groups "ldap-group1"

With -f:

show | grep -f ldap-group1
config user group
    edit "ldap-group1"
        set member "pc40-LDAP"
    next
end
config firewall policy
    edit 2
        set srcintf "port31"
        set dstintf "port32"
        set srcaddr "all"
        set action accept
        set identity-based enable
        set nat enable
        config identity-based-policy
            edit 1
                set schedule "always"
                set groups "ldap-group1"
                set dstaddr "all"
                set service "ALL"
            next
        end
    next
end
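The same questions come up when the output is a configuration backup on a workstation rather than a live session, where the FortiOS grep and its -f option are not available. The following is an added example, not code from the FortiOS guide, that applies the same filtering offline: a count with the -i semantics, a stand-in for grep -f that prints whole top-level config blocks mentioning a name, and a check for interfaces that still allow plain HTTP administrative access (the setting the GUI section warns against). The backup it reads is constructed for this example; apart from ldap-group1 and pc40-LDAP, which mirror the grep -f example above, its object names are made up, and the function names are this example's own.

```shell
#!/bin/sh
# Added example, not from the FortiOS guide: the filtering the guide does on the
# device with "| grep", applied offline to a configuration backup, plus a local
# stand-in for "grep -f" that prints whole top-level config blocks. The backup
# below is constructed for this example; its object names are made up, apart
# from ldap-group1 and pc40-LDAP, which mirror the guide's grep -f example.

SAMPLE_CONFIG=$(cat <<'EOF'
config user group
    edit "ldap-group1"
        set member "pc40-LDAP"
    next
    edit "local-admins"
        set member "alice"
    next
end
config firewall policy
    edit 1
        set name "lan-to-wan"
        set srcintf "port1"
        set dstintf "port2"
        set action accept
    next
    edit 2
        set name "ldap-users-out"
        set srcintf "port31"
        set dstintf "port32"
        set groups "ldap-group1"
        set action accept
    next
end
config system interface
    edit "port1"
        set allowaccess ping https ssh http
    next
    edit "port2"
        set allowaccess ping https ssh
    next
end
EOF
)

# fgt_blocks_mentioning NEEDLE [FILE]
# Offline equivalent of "show | grep -f NEEDLE": prints every top-level
# "config ... end" block that contains NEEDLE anywhere inside it. Nested
# "config" lines are indented, so only column-0 lines delimit blocks.
fgt_blocks_mentioning() {
    awk -v needle="$1" '
        /^config / { block = ""; hit = 0 }
        { block = block $0 "\n"; if (index($0, needle)) hit = 1 }
        /^end$/    { if (hit) printf "%s", block }
    ' ${2:+"$2"}
}

# fgt_count_matches PATTERN [FILE]
# Number of lines matching PATTERN case-insensitively: "| grep -i -c" offline.
fgt_count_matches() {
    grep -i -c -- "$1" ${2:+"$2"}
}

# fgt_interfaces_with_http [FILE]
# Names every interface whose allowaccess includes plain http, the setting
# the guide warns against for administrative access.
fgt_interfaces_with_http() {
    awk '
        /^    edit "/ { name = $2; gsub(/"/, "", name) }
        /^        set allowaccess / {
            for (i = 3; i <= NF; i++) if ($i == "http") print name
        }
    ' ${1:+"$1"}
}

if [ "${1:-}" = demo ]; then
    printf '%s\n' "$SAMPLE_CONFIG" | fgt_blocks_mentioning ldap-group1
    printf '%s\n' "$SAMPLE_CONFIG" | fgt_interfaces_with_http
fi
```

Each function reads a file when one is given and standard input otherwise, so a real backup can be passed as the last argument. fgt_blocks_mentioning relies on the indentation a FortiGate writes: only a column-0 config or end line starts or ends a block, which is what keeps a nested config identity-based-policy inside its policy rather than splitting it off. On the device itself, show | grep -f remains the simpler option.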

Language support and regular expressions

Characters such as ñ and é, symbols, and ideographs are sometimes acceptable input. Support varies depending on the
type of item that is being configured. CLI commands, objects, field names, and options must use their exact ASCII
characters, but some items with arbitrary names or values can be input using your language of choice. To use other
languages in those cases, the correct encoding must be used.
Input is stored using Unicode UTF-8 encoding, but is not normalized from other encodings into UTF-8 before it is stored.
If your input method encodes some characters differently than in UTF-8, configured items may not display or operate as
expected.
Regular expressions are especially impacted. Matching uses the UTF-8 character values. If you enter a regular
expression using a different encoding, or if an HTTP client sends a request in a different encoding, matches may not be
what is expected.
For example, with Shift-JIS, backslashes could be inadvertently interpreted as the symbol for the Japanese yen ( ¥ ), and
vice versa. A regular expression intended to match HTTP requests containing monetary values with a yen symbol may
not work if the symbol is entered using the wrong encoding.
For best results:
- use UTF-8 encoding, or
- use only characters whose numerically encoded values are the same in UTF-8, such as the US-ASCII characters
that are encoded using the same values in ISO 8859-1, Windows code page 1252, Shift-JIS, and other encoding
methods, or
- for regular expressions that must match HTTP requests, use the same encoding as your HTTP clients.


HTTP clients may send requests in encodings other than UTF-8. Encodings usually vary
based on the client’s operating system or input language. If the client's encoding method
cannot be predicted, you might only be able to match the parts of the request that are in
English, as the values for English characters tend to be encoded identically, regardless of the
encoding method.

If the FortiGate is configured to use an encoding method other than UTF-8, the management computer's language may
need to be changed, including the web browser and terminal emulator. If the FortiGate is configured using non-ASCII
characters, all the systems that interact with the FortiGate must also support the same encoding method. If possible, the
same encoding method should be used throughout the configuration to avoid needing to change the language settings
on the management computer.
The GUI and CLI client normally interpret output as encoded using UTF-8. If they do not, configured items may not
display correctly. Exceptions include items such as regular expressions that may be configured using other encodings to
match the encoding of HTTP requests that the FortiGate receives.

To enter non-ASCII characters in a terminal emulator:

1. On the management computer, start the terminal client.
2. Configure the client to send and receive characters using UTF-8 encoding.
Support for sending and receiving international characters varies by terminal client.
3. Log in to the FortiGate.
4. At the command prompt, type your command and press Enter.
Words that use encoded characters may need to be enclosed in single quotes ( ' ).
Depending on your terminal client’s language support, you may need to interpret the characters into character
codes before pressing Enter. For example, you might need to enter: edit '\743\601\613\743\601\652'
5. The CLI displays the command and its output.

Screen paging

By default, the CLI will pause after displaying each page worth of text when a command has multiple pages of output.
This can be useful when viewing lengthy output that might exceed the scrollback buffer of the terminal emulator.
When the display pauses and shows --More--, you can:
- Press Enter to show the next line,
- Press Q to stop showing results and return to the command prompt,
- Press an arrow key, Insert, Home, Delete, End, Page Up, or Page Down to show the next few pages,
- Press any other key to show the next page, or
- Wait for about 30 seconds for the console to truncate the output and return to the command prompt.
When pausing the screen is disabled, press Ctrl + C to stop the output and log out of the FortiGate.

To disable pausing the CLI output:

config system console
    set output standard
end


To enable pausing the CLI output:

config system console
    set output more
end

Changing the baud rate

The baud rate of the local console connection can be changed from its default value of 9600.

To change the baud rate:

config system console
    set baudrate {9600 | 19200 | 38400 | 57600 | 115200}
end

Editing the configuration file

The FortiGate configuration file can be edited on an external host by backing up the configuration, editing the
configuration file, and then restoring the configuration to the FortiGate.
Editing the configuration file can save time if many changes need to be made, particularly if the plain text editor that you
are using provides features such as batch changes.

To edit the configuration file:

1. Back up the configuration. See Configuration backups on page 64 for details.
2. Open the configuration file in a plain text editor that supports UNIX-style line endings.
3. Edit the file as needed.

Do not edit the first line of the configuration file. This line contains information about the firmware version and
FortiGate model. If you change the model number, the FortiGate will reject the configuration when you attempt to
restore it.

4. Restore the modified configuration to the FortiGate. See Configuration backups on page 64 for details.
The FortiGate downloads the configuration file and checks that the model information is correct. If it is correct, the
configuration file is loaded and each line is checked for errors. If a command is invalid, that command is ignored. If
the configuration file is valid, the FortiGate restarts and loads the downloaded configuration.

Command syntax

When entering a command, the CLI console requires that you use valid syntax and conform to expected input
constraints. It rejects invalid commands. Indentation is used to indicate the levels of nested commands.
Each command line consists of a command word, usually followed by configuration data or a specific item that the
command uses or affects.

Notation

Brackets, vertical bars, and spaces are used to denote valid syntax. Constraint notations, such as <address_ipv4>,
indicate which data types or string patterns are acceptable value input.
All syntax uses the following conventions:

Angle brackets < >
    Indicate a variable of the specified data type.

Curly brackets { }
    Indicate that a variable or variables are mandatory.

Square brackets [ ]
    Indicate that the variable or variables are optional.
    For example:
        show system interface [<name_str>]
    To show the settings for all interfaces, you can enter show system interface.
    To show the settings for the Port1 interface, you can enter show system interface port1.

Vertical bar |
    A vertical bar separates alternative, mutually exclusive options.
    For example:
        set protocol {ftp | sftp}
    You can enter either set protocol ftp or set protocol sftp.

Space
    A space separates non-mutually exclusive options.
    For example:
        set allowaccess {ping https ssh snmp http fgfm radius-acct probe-response capwap ftm}
    You can enter any of the following:
        set allowaccess ping
        set allowaccess https ping ssh
        set allowaccess http https snmp ssh ping
    In most cases, to make changes to lists that contain options separated by spaces, you need to retype the entire
    list, including all the options that you want to apply and excluding all the options that you want to remove.

Optional values and ranges

Any eld that is optional will use square-brackets. The overall config command will still be valid whether or not the option
is configured.
Square-brackets can be used is to show that multiple options can be set, even intermixed with ranges. The following
example shows a eld that can be set to either a specic value or range, or multiple instances:
config firewall service custom
set iprange <range1> [<range2> <range3> ...]
end

next

The next command is used to maintain a hierarchy and flow to CLI commands. It is at the same indentation level as the
preceding edit command, to mark where a table entry finishes.

The following example shows the next command used in the subcommand entries:

After configuring table entry <2> then entering next, the <2> table entry is saved and the console returns to the
entries prompt:

You can now create more table entries as needed, or enter end to save the table and return to the filepattern table
element prompt.

end

The end command is used to maintain a hierarchy and flow to CLI commands.
The following example shows the same command and subcommand as the next command example, except end has
been entered instead of next after the subcommand:

Entering end will save the <2> table entry and the table, and exit the entries subcommand entirely. The console
returns to the filepattern table element prompt:

Subcommands

Subcommands are available from within the scope of some commands. When you enter a subcommand level, the
command prompt changes to indicate the name of the current command scope. For example, after entering:
config system admin

the command prompt becomes:

(admin)#

Applicable subcommands are available until you exit the command, or descend an additional level into another
subcommand. Subcommand scope is indicated by indentation.
For example, the edit subcommand is only available in commands that affect tables, and the next subcommand is
available only in the edit subcommand:
config system interface
    edit port1
        set status up
    next
end

The available subcommands vary by command. From a command prompt under the config command, subcommands
that affect tables and fields could be available.
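The config/edit/set/next/end hierarchy described here is also what an external editor must respect when batch-editing a backed-up configuration file (see Editing the configuration file above). The following script is an added example, not Fortinet's code: it walks a backup with a scope stack, copies the model/firmware header line untouched, and retypes each allowaccess list in full with unwanted protocols removed, as the Notation section requires for space-separated lists. The sample backup, its header line and the assumption that an unset allowaccess means no administrative access are all constructed for this example.

```python
# Constructed sample backup (not a real FortiGate export). The first line stands
# in for the model/firmware header that the guide says must never be edited.
SAMPLE_BACKUP = """\
#config-version=MODEL-PLACEHOLDER-7.2.1-FW-build0000-000000:opmode=0:vdom=0:user=admin
config system global
    set hostname "200F_YVR"
end
config system interface
    edit "port1"
        set ip 192.0.2.10 255.255.255.0
        set allowaccess ping https ssh http snmp
    next
    edit "port2"
        set ip 203.0.113.99 255.255.255.0
        set allowaccess ping https ssh
        set alias "Management"
    next
    edit "port3"
        set ip 198.51.100.1 255.255.255.0
        set allowaccess http
    next
end
"""


def remove_allowaccess(config_text, protocols):
    """Rewrite every `set allowaccess` line under `config system interface`
    with the given protocols removed.

    Returns (new_text, names_of_interfaces_changed). The header line is copied
    verbatim. Scope tracking follows the CLI hierarchy: `config` and `edit`
    open a level, `next` and `end` close one; an unbalanced file raises.
    """
    lines = config_text.splitlines()
    header, body = lines[0], lines[1:]
    out = [header]      # header is never edited
    stack = []          # open scopes, e.g. ["system interface", "port1"]
    changed = []
    for line in body:
        words = line.split()
        if not words:
            out.append(line)
            continue
        keyword = words[0]
        if keyword == "config":
            stack.append(" ".join(words[1:]))
        elif keyword == "edit":
            stack.append(" ".join(words[1:]).strip('"'))
        elif keyword in ("next", "end"):
            if not stack:
                raise ValueError("next/end without a matching config/edit")
            stack.pop()
        elif (keyword == "set" and len(words) > 2 and words[1] == "allowaccess"
              and "system interface" in stack):
            keep = [p for p in words[2:] if p not in protocols]
            if keep != words[2:]:
                indent = line[: len(line) - len(line.lstrip())]
                # allowaccess is a space-separated list, so the whole remaining
                # list is retyped. An empty list is written as `unset`, which
                # the guide defines as returning the field to its default
                # (assumed here to be no administrative access).
                line = (f"{indent}set allowaccess {' '.join(keep)}" if keep
                        else f"{indent}unset allowaccess")
                changed.append(stack[-1])
        out.append(line)
    if stack:
        raise ValueError(f"file ends with unclosed scope(s): {stack}")
    return "\n".join(out) + "\n", changed


if __name__ == "__main__":
    new_text, changed = remove_allowaccess(SAMPLE_BACKUP, {"http", "snmp"})
    print(f"interfaces rewritten: {changed}")
    print(new_text)
```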

Table subcommands

edit <table_row>
    Create or edit a table value.
    In objects such as security policies, <table_row> is a sequence number. To create a new table entry without
    accidentally editing an existing entry, enter edit 0. The CLI will confirm the creation of entry 0, but will assign
    the next unused number when the entry is saved after entering end or next.
    For example, to create a new firewall policy, enter the following commands:
        config firewall policy
            edit 0
                ....
            next
        end
    To edit an existing policy, enter the following commands:
        config firewall policy
            edit 27
                ....
            next
        end
    The edit subcommand changes the command prompt to the name of the table value that is being edited.

delete <table_row>
    Delete a table value.
    For example, to delete firewall policy 30, enter the following commands:
        config firewall policy
            delete 30
        end

purge
    Clear all table values.
    The purge command cannot be undone. To restore purged table values, the configuration must be restored from a
    backup.

move
    Move an ordered table value.
    In the firewall policy table, this is equivalent to dragging a policy into a new position. It does not change the
    policy's ID number.
    For example, to move policy 27 to policy 30, enter the following commands:
        config firewall policy
            move 27 to 30
        end
    The move subcommand is only available in tables where the order of the table entries matters.

clone <table_row> to <table_row>
    Make a clone of a table entry.
    For example, to create firewall policy 30 as a clone of policy 27, enter the following commands:
        config firewall policy
            clone 27 to 30
        end
    The clone subcommand may not be available for all tables.

rename <table_row> to <table_row>
    Rename a table entry.
    For example, to rename an administrator from Flank to Frank, enter the following commands:
        config system admin
            rename Flank to Frank
        end
    The rename subcommand is only available in tables where the entries can be renamed.

get
    List the current table entries.
    For example, to view the existing firewall policy table entries, enter the following commands:
        config firewall policy
            get

show
    Show the configuration. Only table entries that are not set to default values are shown.

end
    Save the configuration and exit the current config command.

Purging the system interface or system admin tables does not reset default table values. This can result in being
unable to connect to or log in to the FortiGate, requiring the FortiGate to be formatted and restored.

Field subcommands

set <field> <value>
    Modify the value of a field.
    For example, the command set fsso enable sets the fsso field to the value enable.

unset
    Set the field to its default value.

select
    Clear all of the options except for those specified.
    For example, if a group contains members A, B, C, and D, to remove all members except for B, use the command
    select member B.

unselect
    Remove an option from an existing list.
    For example, if a group contains members A, B, C, and D, to remove only member B, use the command
    unselect member B.

append
    Add an option to an existing multi-option table value.

clear
    Clear all the options from a multi-option table value.

get
    List the configuration of the current table entry, including default and customized values.

show
    Show the configuration. Only values that are not set to default values are shown.

next
    Save changes to the table entry and exit the edit command so that you can configure the next table entry.

abort
    Exit the command without saving.

end
    Save the configuration and exit the current config command.

Permissions

Administrator (or access) profiles control what CLI commands an administrator can access by assigning read, write, or
no access to each area of FortiOS. For information, see Administrator profiles on page 2023.
Read access is required to view configurations. Write access is required to make configuration changes. Depending on
your account's profile, you may not have access to all CLI commands. To have access to all CLI commands, an
administrator account with the super_admin profile must be used, such as the admin account.
Accounts assigned the super_admin profile are similar to the root administrator account. They have full permission to
view and change all FortiGate configuration options, including viewing and changing other administrator accounts.
To increase account security, set strong passwords for all administrator accounts, and change the passwords regularly.

FortiExplorer management

FortiExplorer for iOS is a user-friendly application that helps you to rapidly provision, deploy, and monitor Security Fabric
components from your iOS device.

FortiExplorer for iOS requires iOS 10.0 or later and is compatible with iPhone, iPad, and Apple TV. It is supported by
FortiOS 5.6 and later, and is available on the App Store for iOS devices.

FortiExplorer is also available for Android on the Google Play Store. Steps for configuring FortiExplorer for Android
may differ from what is included in this guide.

Advanced features are available with the purchase of FortiExplorer Pro. Paid features include the ability to add more
than two devices, and firmware upgrades for devices with active licenses.
Up to six members can use this app with 'Family Sharing' enabled in the App Store.

Firmware upload requires a valid firmware license. Users can download firmware for models
with a valid support contract.

Getting started with FortiExplorer

If your FortiGate is accessible on a wireless network, you can connect to it using FortiExplorer provided that your
iOS device is on the same network. See Connecting FortiExplorer to a FortiGate with WiFi. If your 200F series or 80F
series FortiGate is in close proximity, you can connect to it using FortiExplorer using Bluetooth Low Energy (BLE). See
Configure FortiGate with FortiExplorer using BLE on page 47. Otherwise, you will need to physically connect your iOS
device to the FortiGate using a USB cable.

To connect and configure a FortiGate with FortiExplorer using a USB connection:

1. Connect your iOS device to your FortiGate USB A port. If prompted on your iOS device, Trust this computer.
2. Open FortiExplorer and select your FortiGate from the FortiGate Devices list . A blue USB icon will indicate that you
are connected over a USB connection.

3. On the Login screen, select USB.


4. Enter the default Username (admin) and leave the Password field blank.
5. Optionally, select Remember Password.
6. Tap Done when you are ready.
FortiExplorer opens the FortiGate management interface to the Device Status page:

7. Go to Network > Interfaces and configure the WAN interface or interfaces.


8. The wan1 interface Address mode is set to DHCP by default. Set it to Manual and enter its Address, Netmask, and
Default Gateway, and then Apply your changes.

9. Optionally, configure Administrative Access to allow HTTPS access. This will allow administrators to access the
FortiGate GUI using a web browser.

10. Go to Network > Interfaces and configure the local network (internal) interface.
11. Set the Address mode as before and configure Administrative Access if required.
12. Configure a DHCP Server for the internal network subnet.

13. Return to the internal interface using the < button at the top of the screen.
14. Go to Network > Static Routes and configure the static route to the gateway.

15. Go to Policy & Objects > Firewall Policy and edit the Internet access policy. Enter a Name for the policy, enable the
required Security Profiles, configure Logging Options, then tap OK.

Connecting FortiExplorer to a FortiGate with WiFi

You can wirelessly connect to the FortiGate if your iOS device and the FortiGate are both connected to the same
wireless network.

To connect and configure a FortiGate with FortiExplorer wirelessly:

1. Open the FortiExplorer app and tap Add on the Devices page.
2. On the Add Device By page, tap HTTPS.

3. Enter the Host information, Username, and Password.


4. If required, change the default Port number, and optionally enable Remember Password.

5. Tap Done.
6. If the FortiGate device identity cannot be verified, tap Connect at the prompt.
FortiExplorer opens the FortiGate management interface to the Device Status page.

Configure FortiGate with FortiExplorer using BLE

FortiGate 200F series and 80F series devices can be initially configured in FortiExplorer using Bluetooth Low Energy
(BLE).

The state of the status LED on the device shows if BLE is enabled. See the device QuickStart guides for more
information about LED states: FortiGate 200F Series QuickStart Guide and FortiGate 80F Series QuickStart Guide.

When the status LED is flashing green, pressing and holding the reset button for five seconds
or longer will reset the device to factory default settings.

BLE is enabled or disabled in the following scenarios after the FortiGate boots up:
l In factory default settings:
l After the FortiGate has finished booting up (when the console login prompt is shown), the status LED will be
flashing amber or red to indicate that BLE is enabled.
l If the FortiGate is configured without using BLE, BLE will immediately be disabled and the status LED will turn
solid green.
l If the FortiGate is configured using BLE, the LED will continue flashing until the configuring device disconnects
from BLE, after which BLE is disabled and the status LED turns solid green.
l Not in factory default configuration:
l One minute after the FortiGate has finished booting up (when the console login prompt is shown), the status
LED will turn solid green. Press and hold the reset button for one second. The status LED will start flashing to
indicate that BLE is enabled.
l If no BLE connection is made with the FortiGate, BLE will be disabled after one minute and the status LED will
turn solid green.
l If the FortiGate is configured without using BLE, BLE will immediately be disabled and the status LED will turn
solid green.
l If the FortiGate is configured using BLE, the LED will continue flashing until the configuring device disconnects
from BLE, after which BLE is disabled and the status LED turns solid green.

To enable BLE for one minute when the FortiGate is running and not in factory default configuration:

# diagnose bluetooth enable 1

To connect to and configure a FortiGate with FortiExplorer using BLE:

1. Ensure that BLE is enabled on the FortiGate device.


2. Enable Bluetooth on your iOS device and open the FortiExplorer app.
If the app has detected the FortiGate device, the device's serial number will be shown.

3. Log into the FortiGate in the app using the default credentials: admin and no password.
4. If this is the first time logging into the device, set a password.
5. Optionally, register with FortiCare.
6. Configure the FortiGate, including the WAN and internal interfaces, static routes, and other required settings.

After configuring the FortiGate and disconnecting, BLE is disabled.

To check the status of BLE on the FortiGate:

diagnose hardware test ble

diagnose bluetooth status

diagnose bluetooth get_bt_version

diagnose bluetooth clean_bt_mode

Running a security rating

After configuring your network, run a security rating check to identify vulnerabilities and highlight best practices that
could improve your network's security and performance.
Go to Security Fabric > Security Rating and follow the steps to determine the score. See Security rating on page 2446 for
more information.

Upgrading to FortiExplorer Pro

FortiExplorer Pro allows you to add unlimited devices, and download firmware images for devices with active licenses.

To upgrade to FortiExplorer Pro:

1. In FortiExplorer, go to Settings.
2. Tap Manage Subscription.
3. Follow the on-screen prompts.

Basic administration

This section contains information about basic FortiGate administration that you can do after installing the unit in your
network.
l Basic configuration on page 52
l Registration on page 54
l FortiCare and FortiGate Cloud login on page 59
l Transfer a device to another FortiCloud account on page 61
l Configuration backups on page 64
l Deregistering a FortiGate on page 73

Basic configuration

This topic will help you configure a few basic settings on the FortiGate as described in the Using the GUI on page 21 and
Using the CLI on page 28 sections, including:
l Configuring an interface on page 52
l Configuring the hostname on page 52
l Configuring the default route on page 53
l Ensuring internet and FortiGuard connectivity on page 53
l Using the default certificate for HTTPS administrative access on page 53

Configuring an interface

The default interface configuration is unlikely to be appropriate for your environment, and using it typically requires
some effort from the administrator, such as being physically near the FortiGate to establish a serial connection.
Therefore, the first step is to configure an interface that can be used to complete the FortiGate configuration.

To configure an interface in the GUI:

1. Go to Network > Interfaces. Select an interface and click Edit.


2. Enter an Alias.
3. In the Address section, enter the IP/Netmask.
4. In Administrative Access section, select the access options as needed (such as PING, HTTPS, and SSH).
5. Optionally, enable DHCP Server and configure as needed.
6. Click OK.

To configure an interface in the CLI:

config system interface
    edit "port2"
        set ip 203.0.113.99 255.255.255.0
        set allowaccess ping https ssh
        set alias "Management"
    next
end

Configuring the hostname

Setting the FortiGate’s hostname assists with identifying the device, and it is especially useful when managing multiple
FortiGates. Choose a meaningful hostname as it is used in the CLI console, SNMP system name, device name for
FortiGate Cloud, and to identify a member of an HA cluster.

To configure the hostname in the GUI:

1. Go to System > Settings.


2. Enter a name in the Host name field.
3. Click Apply.

To configure the hostname in the CLI:

config system global
    set hostname 200F_YVR
end

Configuring the default route

Setting the default route enables basic routing to allow the FortiGate to return traffic to sources that are not directly
connected. The gateway address should be your existing router or L3 switch that the FortiGate is connected to. If you are
directly connecting to the FortiGate, you may choose your endpoint’s IP address as the gateway address. Set the
interface to be the interface the gateway is connected to.

To configure the default route in the GUI:

1. Go to Network > Static Routes and click Create New.


2. Leave the destination subnet as 0.0.0.0/0.0.0.0. This is known as a default route, since it would match any IPv4
address.
3. Enter the Gateway Address.
4. Select an Interface.
5. Click OK.

To configure the default route in the CLI:

config router static
    edit 0
        set gateway 192.168.1.254
        set device port1
    next
end

Ensuring internet and FortiGuard connectivity

This step is not necessary for the configuration; however, it is necessary in order to keep your FortiGate up to date
against the latest threats. Updates are provided to FortiGates that are registered and make a request to the FortiGuard
network to verify if there are any more recent definitions.
Use execute ping <domain.tld> to ensure the DNS resolution is able to resolve the following FortiGuard servers:
l fds1.fortinet.com
l service.fortiguard.net
l update.fortiguard.net
You also need to ensure the necessary ports are permitted outbound in the event your FortiGate is behind a filtering
device. Refer to the Ports and Protocols document for more information.

Using the default certificate for HTTPS administrative access

By default, the FortiGate uses the Fortinet_GUI_Server certificate for HTTPS administrative access. Administrators
should download the CA certificate and install it on their PC to avoid warnings in their browser. See Using the default
certificate for HTTPS administrative access on page 2072 for more information.

Registration

The FortiGate, and then its service contract, must be registered to have full access to Fortinet Customer Service and
Support, and FortiGuard services. The FortiGate can be registered in either the FortiGate GUI or the FortiCloud support
portal. The service contract can be registered from the FortiCloud support portal.

The service contract number is needed to complete registrations on the FortiCloud support
portal. You can find this 12-digit number in the email that contains your service registration
document (sent from [email protected]) in the service entitlement summary.

To register your FortiGate in the GUI:

1. Connect to the FortiGate GUI. A dialog box appears, which indicates the steps you should take to complete the
setup of your FortiGate. These steps include:
a. Specify Hostname
b. Change Your Password
c. Dashboard Setup
d. Upgrade Firmware
If you completed the Basic configuration on page 52, the hostname and password steps are already marked as
complete (checkmark). If you chose to deploy the latest firmware, the Upgrade Firmware step is marked as
complete.
2. Click Begin to complete the dashboard setup. Two options appear (Optimal and Comprehensive).

3. Select the desired setting and click OK. The Dashboard > Status page opens. Note that the licenses are grayed out
because the device or virtual machine is not registered.
4. Go to System > FortiGuard and click Enter Registration Code.

5. Enter the contract registration code from your service registration document.
6. Click OK.

To register the FortiGate on the FortiCloud support portal:

1. Go to support.fortinet.com and log in using your FortiCloud account credentials. If you do not have an account, click
Register to create one.
2. In the left-side menu, click Register Product.

3. Enter the product serial number or license certificate number for a VM, select an end user type, then click Next.

4. Enter the Support Contract number and FortiCloud Key (optionally, enter a product description), then click Next.

5. Review the product entitlement information, select the checkbox to accept the terms, then click Confirm.

6. Go to Products > Product List. The FortiGate is now visible in the product list.

FortiCare Register button

The FortiCare Register button is displayed in the GUI on various Fabric and device related pages and widgets available
for FortiGates.
There are two methods to access the Register button:
l Right-click on a device in a topology.
Security Fabric > Physical Topology page:

l Hover over a device to display the tooltip.


Security Fabric > Logical Topology page:

System > HA page:

The Register button is also accessible from tooltips for devices on the Managed FortiAPs and
Managed FortiSwitches pages.

Clicking Register opens the Device Registration pane. If a device is already registered, the pane still opens and displays
the device information.

Primary and secondary HA members can be registered to FortiCare at the same time from the primary unit by using the
Register button. The secondary unit will register through the HA proxy. In this example, a HA member is registered from
the Physical Topology page.

To register a HA member to FortiCare:

1. On the primary unit, go to Security Fabric > Physical Topology.


2. Hover over the HA member and click Register. The Device Registration pane opens.
3. Select the device and click Register.
4. Enter the required FortiCloud account information (password, country or region, reseller) and click Submit.
5. Once the registration is complete, click Close.

FortiCare and FortiGate Cloud login

With FortiCloud, FortiOS supports a unified login to FortiCare and FortiGate Cloud. The FortiGate Cloud setup is a
subset of the FortiCare setup.
l If the FortiGate is not registered, activating FortiGate Cloud will force you to register with FortiCare.
l If a FortiGate is registered in FortiCare using a FortiCloud account, then only that FortiCloud account can be used to
activate FortiGate Cloud.
l If a different FortiCloud account was already used to activate FortiGate Cloud, then a notification asking you to
migrate to FortiCloud is shown in the GUI after upgrading FortiOS.
The CLI can be used to activate FortiGate Cloud without registration, or with a different FortiCloud account.

To activate FortiGate Cloud and register with FortiCare at the same time:

1. Go to Dashboard > Status.


2. In the FortiGate Cloud widget, click Not Activated > Activate.
You must register with FortiCare before activating FortiGate Cloud.

3. Enter your FortiCare Email address and Password.


4. Select your Country/Region, Reseller, and End-user type.
5. Enable Sign in to FortiGate Cloud using the same account.
6. Click OK.

To activate FortiGate Cloud on an already registered FortiGate:

1. Go to Dashboard > Status.


2. In the FortiGate Cloud widget, click Not Activated > Activate.

3. Enter the password for the account that was used to register the FortiGate.

4. Click OK.
The FortiGate Cloud widget now shows the activated FortiCloud account.

To migrate from the activated FortiGate Cloud account to the registered FortiCloud account:

1. Go to System > FortiGuard.


2. In the FortiCare Support row, click Actions > Transfer FortiGate to Another Account.

3. Enter the Password of the current FortiCloud account.

4. Enter the target FortiCloud Account name and Password, then click Next.
5. Review the information in the From and To fields, then click Transfer.

To activate FortiGate Cloud using an account that is not used for registration:

1. Enter the following with the credentials for the account being used to activate FortiGate Cloud:
# execute fortiguard-log login <account_id> <password>

2. Check the account type:
# diagnose fdsm contract-controller-update
Protocol=2.0|Response=202|Firmware=FAZ-4K-FW-2.50-100|SerialNumber=FAMS000000000000|Persistent=false|ResponseItem=HomeServer:172.16.95.151:443*AlterServer:172.16.95.151:443*Contract:20200408*NextRequest:86400*UploadConfig:False*ManagementMode:Local*ManagementID:737941253*AccountType:multitenancy

Result=Success

A FortiCloud account that is not used for the support portal account cannot be used to register
FortiGate. Attempting to activate FortiGate Cloud with this type of account will fail.

Transfer a device to another FortiCloud account

Master account users can transfer a device from one FortiCloud/FortiCare account to another. Users can transfer a
device up to three times within a twelve-month time period. If more transfers are required within the twelve-month time
period, contact Technical Support to request the transfer.

Requirements:

To transfer an account, you must:
l Have access to the FortiGate, as well as both the FortiCloud and FortiCare accounts.
l Be a master account user.
To verify if you are the master account user, log in to support.fortinet.com. Click the username, then select My
Account.

The Account Profile page opens.

To transfer an account in the GUI:

1. Go to Dashboard > Status.


2. In the Licenses widget, click the FortiCare Support link, then click Transfer FortiGate to Another Account.

You can also transfer an account from System > FortiGuard.

3. In the Current FortiCloud Account fields, enter the username and password for the current account. In the Target
FortiCloud Account fields, enter the new username and password.
4. Click Next.

5. Review the information, then click Transfer.

After the transfer is complete, the new FortiCloud account is displayed in the Licenses widget.

Configuration backups

Once you successfully configure the FortiGate, it is extremely important that you back up the configuration. In some
cases, you may need to reset the FortiGate to factory defaults or perform a TFTP upload of the firmware, which will erase
the existing configuration. In these instances, the configuration on the device will have to be recreated, unless a backup
can be used to restore it.
You can use the GUI or CLI to back up the configuration in FortiOS or YAML format. You have the option to save the
configuration file in FortiOS format to various locations including the local PC, USB key, FTP, and TFTP server. FTP and
TFTP are only configurable through the CLI. In YAML format, configuration files can be backed up or restored on an
FTP or TFTP server through the CLI.
This topic includes the following information:
l Backing up and restoring configurations from the GUI on page 64
l Backing up and restoring configurations from the CLI on page 67
l Configuration revision on page 71
l Restore factory defaults on page 72
l Secure file copy on page 73

Backing up and restoring configurations from the GUI

Configurations can be backed up using the GUI to your PC or a USB disk.

Field
    Description

Scope
    Displayed when the FortiGate is in multi-vdom mode and a user is logged in as a global administrator.

Backup to
    You can choose where to save the configuration backup file.
    l Local PC: Save the configuration file to your PC.
    l USB Disk: Save the configuration file to an external USB disk. This option is not available if there is no USB
      drive inserted in the USB port.
    You can also back up to FortiManager using the CLI.

File format
    The configuration file can be saved in FortiOS or YAML format.

Password mask
    Use password masking when sending a configuration file to a third party. When password masking is enabled,
    passwords and secrets will be replaced in the configuration file with FortinetPasswordMask.

Encryption
    Enable Encryption to encrypt the configuration file. A configuration file cannot be restored on the FortiGate
    without a set password. Encryption must be enabled on the backup file to back up VPN certificates.

To back up the configuration in FortiOS format using the GUI:

1. Click on the user name in the upper right-hand corner of the screen and select Configuration > Backup.
2. Direct the backup to your Local PC or to a USB Disk.


3. Enable Encryption.

This is recommended to secure your backup configurations and prevent unauthorized parties from reloading your configuration.

4. Enter a password, and enter it again to confirm it. This password will be required to restore the configuration.
5. Click OK.
6. When prompted, select a location on the PC or USB disk to save the configuration file. The configuration file will
have a .conf extension.

To back up the configuration in YAML format using the GUI:

1. Click on the user name in the upper right-hand corner of the screen and select Configuration > Backup.
2. Direct the backup to your Local PC or to a USB Disk.
3. Select YAML for the File format.
4. Click OK.

When backing up a configuration that will be shared with a third party, such as Fortinet Inc. Support, passwords and
secrets should be obfuscated from the configuration to avoid information being unintentionally leaked. Password
masking can be completed in the Backup System Configuration page and in the CLI. When password masking is
enabled, passwords and secrets will be replaced in the configuration file with FortinetPasswordMask.

To mask passwords in the GUI:

1. Click on the user name in the upper right-hand corner of the screen and select Configuration > Backup.
2. Select YAML as the File format.
3. Enable Password mask. A warning message is displayed.
4. Click OK. The configuration file is saved to your computer with passwords and secrets obfuscated.

The following is an example of output with password masking enabled:

config system admin
    edit "1"
        set accprofile "prof_admin"
        set vdom "root"
        set password FortinetPasswordMask
    next
end
config vpn ipsec phase1-interface
    edit "vpn-1"
        set interface "port1"
        set peertype any
        set net-device disable
        set proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1
        set comments "VPN: vpn-1 (Created by VPN wizard)"
        set wizard-type static-fortigate
        set remote-gw 172.16.200.55
        set psksecret FortinetPasswordMask
    next
end
config wireless-controller vap
    edit "ssid-1"
        set passphrase FortinetPasswordMask
        set schedule "always"
    next
end

Restoring configuration files from the GUI

Configuration files can be used to restore the FortiGate to a previous configuration in the Restore System Configuration
page.

To restore the FortiGate configuration using the GUI:

1. Click on the user name in the upper right-hand corner of the screen and select Configuration > Restore.
2. Identify the source of the configuration file to be restored: your Local PC or a USB Disk.
The USB Disk option will not be available if no USB drive is inserted in the USB port. You can restore from the
FortiManager using the CLI.
3. Select the File format as FortiOS or YAML.
4. Click Upload, locate the configuration file, and click Open.
5. Enter the password if required.
6. Click OK.
When restoring a configuration file that has password masking enabled, obfuscated passwords and secrets will be
restored with the password mask.

Restoring the FortiGate with a configuration with passwords obfuscated is not recommended.

To restore an obfuscated YAML configuration using the GUI:

1. Click on the user name in the upper right-hand corner of the screen and select Configuration > Restore.
2. Select YAML as the File format.
3. Click Upload. The File Explorer is displayed.
4. Navigate to the configuration file and click Open.
5. (Optional) Enter the file password in the Password field.
6. Click OK. The Confirm pane is displayed with a warning.
7. Toggle the acknowledgment.
8. Click OK.

Backing up and restoring configurations from the CLI

Configuration backups in the CLI are performed using the execute backup commands, and the configuration can be backed up in FortiOS or YAML format.
Configuration files can be backed up to various locations depending on the command:
l flash: Back up the configuration file to the flash drive.
l ftp: Back up the configuration file to an FTP server.
l management-station: Back up the configuration file to a management station, such as FortiManager or FortiGate Cloud.
l sftp: Back up the configuration file to an SFTP server.
l tftp: Back up the configuration file to a TFTP server.
l usb: Back up the configuration file to an external USB drive.
l usb-mode: Back up the configuration file for USB mode.

Command Description
# execute backup config Back up the configuration in FortiOS format. Backup destinations: flash, ftp, management-station, sftp, tftp, usb, usb-mode.
# execute backup full-config Back up the configuration, including backups of default configuration settings. Backup destinations: ftp, sftp, tftp, usb, usb-mode.
# execute backup yaml-config Back up the configuration in YAML format. Backup destinations: ftp, tftp.
# execute backup obfuscated-config Back up the configuration with passwords and secrets obfuscated. Backup destinations: flash, ftp, management-station, sftp, tftp, usb.
# execute backup obfuscated-full-config Back up the configuration (including default configuration settings) with passwords and secrets obfuscated. Backup destinations: ftp, sftp, tftp, usb.
# execute backup obfuscated-yaml-config Back up the configuration in YAML format with passwords and secrets obfuscated. Backup destinations: ftp, tftp.

To back up the configuration in FortiOS format using the CLI:

For FTP, the port number and username are optional depending on the FTP server:
# execute backup config ftp <backup_filename> <ftp_server>[<:ftp_port>] [<user_name>] [<password>] [<backup_password>]

or for TFTP:
# execute backup config tftp <backup_filename> <tftp_server> [<backup_password>]

or for SFTP:
# execute backup config sftp <backup_filename> <sftp_server>[<:sftp_port>] <user> <password> [<backup_password>]

or to a management station:
# execute backup config management-station <comment>

or to a USB drive:
# execute backup config usb <backup_filename> [<backup_password>]

Use the same commands to back up a VDOM configuration by first entering the commands:
config vdom
    edit <vdom_name>

To back up the configuration in YAML format using the CLI:

# execute backup yaml-config {ftp | tftp} <filename> <server> [username] [password]

For example:
# execute backup yaml-config tftp 301E.yaml 172.16.200.55
Please wait...
Connect to tftp server 172.16.200.55 ...
#
Send config file to tftp server OK.

Configuration files can be backed up with passwords and secrets obfuscated so that sharing them with third parties does not unintentionally leak information.

To mask passwords in a configuration backup in the CLI:

# execute backup obfuscated-config {flash | ftp | management-station | sftp | tftp | usb}

To mask passwords in the full configuration backup in the CLI:

# execute backup obfuscated-full-config {ftp | sftp | tftp | usb}

To mask passwords in a configuration backup with YAML formatting in the CLI:

# execute backup obfuscated-yaml-config {ftp | tftp}

If a configuration is being backed up on a server, server information must be included with the
command. Other information that may be required with an execute backup command
includes file names, passwords, and comments.
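The masking described above, whether enabled in the GUI or through the execute backup obfuscated-* commands, replaces each secret with the literal FortinetPasswordMask. As an added example that is not part of this guide or of FortiOS, the Python script below checks a FortiOS-format backup that is about to be shared for any secret-bearing set line that still carries a real value, and can apply the same mask offline to a backup that was taken without obfuscation. The set of secret attribute names, the regular expression, and the sample configuration (which deliberately leaves one pre-shared key unmasked) are assumptions made for the example.

```python
"""Check a FortiOS-format backup for unmasked secrets before sharing it.

Added example, not Fortinet code. Assumptions: secrets appear on single
`set <key> <value>` lines, and masking replaces the value with the literal
FortinetPasswordMask, as shown in the guide's sample output.
"""
import re

MASK = "FortinetPasswordMask"

# Assumption for this example: attribute names that carry credentials.
# Extend the set for the tables present in your own configuration.
SECRET_KEYS = {"password", "passwd", "psksecret", "passphrase", "secret", "key"}

# `set <key> <value>` with any leading indentation; the value runs to end of line.
SET_RE = re.compile(r"^(\s*)set\s+(\S+)\s+(.*)$")

# Constructed sample: the VPN pre-shared key was left device-encoded, not masked.
SAMPLE_CONFIG = """\
config system admin
    edit "1"
        set accprofile "prof_admin"
        set vdom "root"
        set password FortinetPasswordMask
    next
end
config vpn ipsec phase1-interface
    edit "vpn-1"
        set interface "port1"
        set remote-gw 172.16.200.55
        set psksecret ENC placeholderEncodedValue==
    next
end
config wireless-controller vap
    edit "ssid-1"
        set passphrase FortinetPasswordMask
    next
end
"""


def find_unmasked_secrets(config_text):
    """Return [(line_number, key)] for secret attributes whose value is not the mask.

    Device-encoded values (`ENC ...`) are reported too: they are encoded by the
    FortiGate for its own use, not masked, so they should not leave the organisation.
    """
    findings = []
    for lineno, line in enumerate(config_text.splitlines(), start=1):
        m = SET_RE.match(line)
        if m is None:
            continue
        _, key, value = m.groups()
        if key in SECRET_KEYS and value.strip() != MASK:
            findings.append((lineno, key))
    return findings


def mask_secrets(config_text):
    """Rewrite secret attributes to the mask, preserving indentation and every other line."""
    out = []
    for line in config_text.splitlines():
        m = SET_RE.match(line)
        if m is not None and m.group(2) in SECRET_KEYS:
            line = f"{m.group(1)}set {m.group(2)} {MASK}"
        out.append(line)
    return "\n".join(out) + "\n"


def safe_to_share(config_text):
    """True when no secret attribute carries a value other than the mask."""
    return not find_unmasked_secrets(config_text)


if __name__ == "__main__":
    for lineno, key in find_unmasked_secrets(SAMPLE_CONFIG):
        print(f"line {lineno}: '{key}' is not masked")
    print("masked copy is safe to share:", safe_to_share(mask_secrets(SAMPLE_CONFIG)))
```

Run the check on an unencrypted .conf backup; an encrypted backup is not plain text and cannot be inspected this way. The single-line match does not cover multi-line values such as certificate private keys, which, as the guide notes above, are only included in a backup when encryption is enabled.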

Restoring configuration files from the CLI

Configuration files can be used to restore the FortiGate using the CLI.

Command Description
# execute restore config Restore a configuration that is in FortiOS format. Configurations can be loaded from:
l flash: Load the configuration file from flash to the firewall.
l ftp: Load the configuration file from an FTP server.
l management-station: Load the configuration from a management station.
l tftp: Load the configuration from a TFTP server.
l usb: Load the configuration file from an external USB disk to the firewall.
l usb-mode: Load the configuration file from an external USB disk and reboot.
# execute restore yaml-config Restore a configuration that is in YAML format. Configurations can be loaded from:
l ftp: Load the configuration file from an FTP server.
l tftp: Load the configuration from a TFTP server.

To restore the FortiGate configuration in FortiOS format using the CLI:

For FTP, the port number and username are optional depending on the FTP server:
# execute restore config ftp <backup_filename> <ftp_server>[<:port>] [<user_name>] [<password>] [<backup_password>]

or for TFTP:
# execute restore config tftp <backup_filename> <tftp_server> [<backup_password>]

To restore the configuration from FortiManager or FortiGate Cloud:
# execute restore config management-station normal <revision ID>

or from a USB drive:
# execute restore config usb <backup_filename> [<backup_password>]

The FortiGate will load the configuration file and restart. Once the restart has completed, verify that the configuration has
been restored.

To restore configuration files in YAML format:

# execute restore yaml-config {ftp | tftp} <filename> <server> [username] [password]

For example:
# execute restore yaml-config ftp 301E-1.yaml 172.16.200.55 root sys@qa123456
This operation will overwrite the current setting and could possibly reboot the system!
Do you want to continue? (y/n) y
Please wait...
Connect to ftp server 172.16.200.55 ...
Get config file from ftp server OK.
File check OK.
#
The system is going down NOW !!

Troubleshooting

When restoring a configuration, errors may occur, but the solutions are usually straightforward.

Error message Reason and Solution
Configuration file error This error occurs when attempting to upload a configuration file that is incompatible with the device, typically because the file was saved from a different model or from a different firmware version.
Solution: Upload a configuration file that is for the correct FortiGate model and the correct firmware version.
Invalid password When the configuration file is saved, it can be protected by a password. The password entered during the upload does not match the one associated with the configuration file.
Solution: Use the correct password if the file is password protected.
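The first error in the table is cheap to rule out before the upload, because a plain-text FortiOS backup carries its source model and firmware version in a header line. The following is an added example, not part of this guide or of FortiOS; it assumes the header format #config-version=<MODEL>-<MAJOR.MINOR.PATCH>-FW-build<N>-<date>:..., which this page does not describe, and the sample backup, model name and build number below are constructed for the example.

```python
"""Pre-flight check of a FortiOS-format backup header before restoring it.

Added example, not Fortinet code. Assumption: the first line of a plain-text
FortiOS backup is a header of the form
  #config-version=<MODEL>-<MAJOR.MINOR.PATCH>-FW-build<N>-<YYMMDD>:opmode=...:vdom=...:user=...
The sample backup and the target values are constructed for the example.
"""
import re

HEADER_RE = re.compile(
    r"^#config-version=(?P<model>[A-Za-z0-9_]+)-"
    r"(?P<version>\d+\.\d+\.\d+)-FW-build(?P<build>\d+)"
)

# Constructed sample: the model token and build number are placeholders.
SAMPLE_BACKUP = """\
#config-version=FGT60F-7.2.1-FW-build1234-220101:opmode=0:vdom=0:user=admin
config system global
    set hostname "example-fgt"
end
"""


def parse_backup_header(config_text):
    """Return {'model', 'version', 'build'} from the header line, or None if it is absent."""
    first_line = config_text.splitlines()[0] if config_text else ""
    m = HEADER_RE.match(first_line)
    if m is None:
        return None
    return {
        "model": m.group("model"),
        "version": m.group("version"),
        "build": int(m.group("build")),
    }


def check_restore_compatibility(config_text, target_model, target_version):
    """Return (ok, reason), mirroring the causes listed for 'Configuration file error'."""
    header = parse_backup_header(config_text)
    if header is None:
        return (False, "no #config-version header: the file may be encrypted, "
                       "in YAML format, or not a FortiOS backup")
    if header["model"] != target_model:
        return (False, f"model mismatch: backup is for {header['model']}, "
                       f"target is {target_model}")
    if header["version"] != target_version:
        return (False, f"firmware mismatch: backup is from {header['version']}, "
                       f"target runs {target_version}")
    return (True, f"backup matches {target_model} running {target_version}")


if __name__ == "__main__":
    print(check_restore_compatibility(SAMPLE_BACKUP, "FGT60F", "7.2.1"))
    print(check_restore_compatibility(SAMPLE_BACKUP, "FGT60F", "7.0.5"))
```

The target model and firmware version to compare against are the ones reported by the unit itself (for example from get system status in the CLI); an encrypted backup has no readable header and is reported as such rather than guessed at.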

Configuration revision

You can manage multiple versions of configuration files on models with 512 MB or more of flash memory.
Revision control requires either a configured central management server or the local hard drive, if your FortiGate has one. Typically, configuration backup to the local drive is not available on lower-end models.

Central management server

The central management server can either be a FortiManager unit or FortiGate Cloud.
If central management is not configured on your FortiGate unit, a message appears instructing you to either
l Enable central management, or
l Obtain a valid license.

To enable central management from the GUI:

1. Go to Security Fabric > Fabric Connectors.
2. Double-click the FortiManager card.
3. Set Status to Enabled and select one of the options for FortiManager Type.
4. Click OK to apply.

To enable central management from the CLI:

config system central-management
    set type {fortimanager | fortiguard}
    set mode backup
    set fmg <IP address>
end

To backup to the management server:

# execute backup config management-station <comment>

To view a backed up revision:

# execute restore config management-station normal 0


To restore a backed up revision:

# execute restore config management-station normal <revision ID>

Backing up to a local disk

When revision control is enabled on your FortiGate unit, and configuration backups have been made, a list of saved
revisions of those backed-up configurations appears.
Configuration backup occurs by default with firmware upgrades but can also be configured to occur every time you log
out.

To configure configuration backup when logging out:

config system global
    set revision-backup-on-logout enable
end

To manually force backup:

# execute backup config flash <comment>

Configuration revisions are viewed by clicking on the user name in the upper right-hand corner of the screen and
selecting Configuration > Revisions.

To view a list of revisions backed up to the disk from the CLI:

# execute revision list config

To restore a configuration from the CLI:

# execute restore config flash <revision ID>

Restore factory defaults

There may be a need to reset the FortiGate to its original defaults; for example, to begin with a fresh configuration. There
are two options when restoring factory defaults. The first resets the entire device to the original out-of-the-box
configuration.
You can reset the device with the following CLI command:
# execute factoryreset

When prompted, type y to confirm the reset.

Alternatively, in the CLI you can reset the factory defaults but retain the interface and VDOM configuration with the following command:
# execute factoryreset2


Secure file copy

You can also back up and restore your configuration using Secure File Copy (SCP). See How to download a FortiGate
configuration file and upload firmware file using secure file copy (SCP).
You enable SCP support using the following command:
config system global
set admin-scp enable
end

For more information about this command and about SCP support, see config system global.

Deregistering a FortiGate

An administrator can use the GUI or CLI to deregister a FortiGate that has been registered for three or more years, without having to contact FortiCare administration. After the device is deregistered, all associated contracts are also deregistered, and all of the administrator's information is wiped.

To deregister the FortiGate in the GUI:

1. Go to Dashboard > Status.
2. In the License widget, click FortiGate Support and select Deregister FortiGate. The FortiCare Deregistration pane opens.


3. Enter your password, then click Next.
4. Confirm the FortiGate deregistration, then click Submit.

If the FortiGate has been registered for less than three years, the deregistration will fail.

To deregister the FortiGate in the CLI:

# diagnose forticare direct-registration product-deregister <accountID> <password>

If the FortiGate has been registered for less than three years, the deregistration will fail:

forticare_product_deregister:1335: Failed to get response (rc = 0, http_code = 403)
Unit deregistration unsuccessful.

LEDs

Check your device's QuickStart guide for specific LED information: FortiGate QuickStart Guides.

The following faceplates show where the LEDs are typically found on FortiGate models:

LED State Description

Logo
Green The unit is on
Blue The FortiWiFi unit is on
Off The unit is off

Power (PWR)
Green The unit is on and/or both power supplies are functioning
Amber One power supply is functioning
Flashing Amber Power supply failure
Red The unit is on, but only one power supply is functional
Flashing Red Power failure
Off The unit is off

Status (STA)
Green Normal
Flashing Green Booting up
Amber Major or minor alarm
Flashing Amber BLE is on
Red Major alarm
Flashing Red BLE is on
Off The unit is off

Bypass (BYP)
Amber Bypass Port Pair is active
Off Bypass Port Pair is off

Alarm
Red Major alarm
Amber Minor alarm
Off No alarms

HA
Green Operating in an HA cluster
Amber or Red HA failover
Off HA disabled

Max PoE
Green, Amber, or Red Maximum PoE power allocated
Off PoE power available or normal

PoE
Green Power delivered
Flashing Green Error or PoE device requesting power
Off No PoE device connected or no power delivered

SVC
Green SVC is on
Flashing Green SVC activity
Off SVC is off

3G / 4G
Green 3G / 4G service is on
Flashing Green 3G / 4G activity
Off 3G / 4G service is off

WiFi
Green WiFi connected
Flashing Green WiFi activity
Off WiFi is off

Power Supply
Green Power supply operating normally
Flashing Green Power detected, but power supply not providing power or is in standby mode
Amber Power output is off, there is a power supply error, or there is no input power but the redundant supply is on
Flashing Amber Power supply error or warning events, or the power supply should be replaced
Red Cord unplugged or power lost
Flashing Red Power supply warning events
Off Power not detected

Power Supply OK
Green Standby rail and main output on
Flashing Green Standby rail and main output off
Off Error or no AC power input

Power Supply Fail
Amber Main output or fan error detected
Flashing Amber Power supply warning event detected
Off No errors or no power

Power Supply Input
Green Input voltage within normal range
Flashing Green Over or under voltage warning
Off No input power

Power Supply Output
Green Output voltage normal
Flashing Green Standby mode
Amber Critical error
Flashing Amber Warning
Off No output

Fan
Green Fan(s) operating normally
Flashing Green Fan switching/initialization in progress
Amber Fan failure
Red Fan error, RPM too low or too high, or both fan sets have at least one alert
Flashing Red One fan set has at least one alert
Off Fan error or fan is off

Port LEDs

LED State Description

Ethernet
Green Connected at 1 Gbps
Flashing Green Transmitting and receiving data at 1 Gbps
Amber Connected at 10/100 Mbps
Flashing Amber Transmitting and receiving data at 10/100 Mbps
Off No link established

Ethernet Link/Activity
Green Connected
Flashing Green Transmitting data
Off No link established

Ethernet Speed
Green Connected at 1 Gbps
Amber Connected at 100 Mbps
Off Not connected or connected at 10 Mbps

Ethernet 10G Link/Activity
Green Connected
Flashing Green Transmitting data
Off No link established

Ethernet 10G Speed
Green Connected at 10 Gbps
Amber Connected at 5 Gbps, 2.5 Gbps, or 1 Gbps
Off Not connected or connected at 100 Mbps

PoE
Green PoE power on or PoE device receiving power
Amber Providing power
Red Connected but not powered
Off PoE power off or no device receiving power

SFP
Green Connected at 1 Gbps
Flashing Green Data activity
Off No link established

SFP+
Green Connected at 10 Gbps or 1 Gbps
Flashing Green Data activity
Off No link established

SFP28
Green Connected at 25 Gbps, 10 Gbps, or 1 Gbps
Flashing Green Data activity
Off No link established

QSFP28
Green Connected at 100 Gbps or 40 Gbps
Flashing Green Data activity
Off No link established

Alarm levels

Minor alarm

Also called an IPMI non-critical (NC) alarm, it indicates a temperature or power level outside of the normal operating
range that is not considered a problem. For a minor temperature alarm, the system could respond by increasing the fan
speed. A non-critical threshold can be an upper non-critical (UNC) threshold (for example, a high temperature or a high
power level) or a lower non-critical (LNC) threshold (for example, a low power level).

Major alarm

Also called an IPMI critical or critical recoverable (CR) alarm, it indicates that the system is unable to correct the cause of
the alarm, and that intervention is required. For example, the cooling system cannot provide enough cooling to reduce
the temperature. It can also mean that the conditions are approaching the outside limit of the allowed operating range. A
critical threshold can also be an upper critical (UC) threshold (such as a high temperature or high power level) or a lower
critical (LC) threshold (such as a low power level).

Critical alarm

Also called an IPMI non-recoverable (NR) alarm, it indicates that the system has detected a temperature or power level
that is outside of the allowed operating range and physical damage is possible.
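To make the three alarm levels concrete, the following is an added example (not from this guide or from FortiOS) that classifies a sensor reading against IPMI-style thresholds in the order the guide's definitions imply: the non-recoverable pair is tested first, then the critical pair, then the non-critical pair, so the most severe threshold a reading has crossed decides the level. The sensor names and threshold values are constructed, and splitting the non-recoverable level into lower and upper thresholds is an assumption made for the example.

```python
"""Classify a sensor reading into the guide's alarm levels.

Added example, not Fortinet code. Assumption: each sensor has IPMI-style
thresholds ordered LNR < LC < LNC < (normal band) < UNC < UC < UNR; a
threshold left as None is simply not defined for that sensor.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Thresholds:
    lnr: Optional[float] = None  # lower non-recoverable
    lc: Optional[float] = None   # lower critical
    lnc: Optional[float] = None  # lower non-critical
    unc: Optional[float] = None  # upper non-critical
    uc: Optional[float] = None   # upper critical
    unr: Optional[float] = None  # upper non-recoverable


# Constructed sample thresholds; a real unit's values come from its own sensors.
SENSORS = {
    "cpu_temp_c": Thresholds(unc=75.0, uc=85.0, unr=95.0),
    "rail_12v": Thresholds(lnr=10.5, lc=11.0, lnc=11.4, unc=12.6, uc=13.0, unr=13.5),
}


def thresholds_are_ordered(t):
    """True when every defined threshold strictly increases from LNR through UNR."""
    defined = [v for v in (t.lnr, t.lc, t.lnc, t.unc, t.uc, t.unr) if v is not None]
    return all(a < b for a, b in zip(defined, defined[1:]))


def _crossed(reading, lower, upper):
    # Assumption: a reading exactly at a threshold counts as having crossed it.
    return (lower is not None and reading <= lower) or (upper is not None and reading >= upper)


def alarm_level(reading, t):
    """Return 'critical' (IPMI NR), 'major' (CR), 'minor' (NC) or 'normal'.

    The most severe pair is tested first, so a reading beyond several
    thresholds is reported at the worst level it has reached.
    """
    if _crossed(reading, t.lnr, t.unr):
        return "critical"
    if _crossed(reading, t.lc, t.uc):
        return "major"
    if _crossed(reading, t.lnc, t.unc):
        return "minor"
    return "normal"


def classify_readings(readings, sensors=SENSORS):
    """Map {sensor: reading} to {sensor: level}; sensors without thresholds report 'unknown'."""
    return {
        name: alarm_level(value, sensors[name]) if name in sensors else "unknown"
        for name, value in readings.items()
    }


if __name__ == "__main__":
    print(classify_readings({"cpu_temp_c": 78.0, "rail_12v": 11.2, "fan1_rpm": 3000}))
```

A reading in the band between LNC and UNC is normal; the example's 12 V rail shows why both directions matter, since a low supply voltage is reported through the lower thresholds while an over-voltage is reported through the upper ones.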

Troubleshooting your installation

If your FortiGate does not function as desired after installation, try the following troubleshooting tips:
1. Check for equipment issues
Verify that all network equipment is powered on and operating as expected. Refer to the QuickStart Guide for
information about connecting your FortiGate to the network.
2. Check the physical network connections
Check the cables used for all physical connections to ensure that they are fully connected and do not appear
damaged, and make sure that each cable connects to the correct device and the correct Ethernet port on that
device.


3. Verify that you can connect to the internal IP address of the FortiGate
Connect to the GUI from the FortiGate’s internal interface by browsing to its IP address. From the PC, try to ping the
internal interface IP address; for example, ping 192.168.1.99. If you cannot connect to the internal interface,
verify the IP configuration of the PC. If you can ping the interface but can't connect to the GUI, check the settings for
administrative access on that interface. Alternatively, use SSH to connect to the CLI, and then confirm that HTTPS
has been enabled for Administrative Access on the interface.
4. Check the FortiGate interface configurations
Check the configuration of the FortiGate interface connected to the internal network (under Network > Interfaces)
and check that Addressing mode is set to the correct mode.
5. Verify the security policy configuration
Go to Policy & Objects > Firewall Policy and verify that the internal interface to Internet-facing interface security
policy has been added and is located near the top of the policy list. Check the Active Sessions column to ensure that
traffic has been processed (if this column does not appear, right-click on the table header and select Active
Sessions). If you are using NAT mode, check the configuration of the policy to make sure that NAT is enabled and
that Use Outgoing Interface Address is selected.
6. Verify the static routing configuration
Go to Network > Static Routes and verify that the default route is correct. Go to Monitor > Routing Monitor and verify
that the default route appears in the list as a static route. Along with the default route, you should see two routes
shown as Connected, one for each connected FortiGate interface.
7. Verify that you can connect to the Internet-facing interface’s IP address
Ping the IP address of the Internet-facing interface of your FortiGate. If you cannot connect to the interface, the
FortiGate is not allowing sessions from the internal interface to Internet-facing interface. Verify that PING has been
enabled for Administrative Access on the interface.
8. Verify that you can connect to the gateway provided by your ISP
Ping the default gateway IP address from a PC on the internal network. If you cannot reach the gateway, contact
your ISP to verify that you are using the correct gateway.
9. Verify that you can communicate from the FortiGate to the Internet
Access the FortiGate CLI and use the command execute ping 8.8.8.8. You can also use the execute
traceroute 8.8.8.8 command to troubleshoot connectivity to the Internet.
10. Verify the DNS configurations of the FortiGate and the PCs
Check for DNS errors by pinging or using traceroute to connect to a domain name; for example: ping
www.fortinet.com.
If the name cannot be resolved, the FortiGate or PC cannot connect to a DNS server and you should confirm that
the DNS server IP addresses are present and correct.
11. Confirm that the FortiGate can connect to the FortiGuard network
Once the FortiGate is on your network, you should confirm that it can reach the FortiGuard network. First, check the
License Information widget to make sure that the status of all FortiGuard services matches the services that you
have purchased. Go to System > FortiGuard, and, in the Filtering section, click Test Connectivity. After a minute, the
GUI should indicate a successful connection. Verify that your FortiGate can resolve and reach FortiGuard at
service.fortiguard.net by pinging the domain name. If you can reach this service, you can then verify the
connection to FortiGuard servers by running the command diagnose debug rating. This displays a list of
FortiGuard IP gateways you can connect to, as well as the following information:
l Weight: Based on the difference in time zone between the FortiGate and this server
l RTT: Return trip time
l Flags: D (IP returned from DNS), I (Contract server contacted), T (being timed), F (failed)
l TZ: Server time zone
l Curr Lost: Current number of consecutive lost packets
l Total Lost: Total number of lost packets

12. Consider changing the MAC address of your external interface
Some ISPs do not want the MAC address of the device connecting to their network cable to change. If you have added a FortiGate to your network, you may have to change the MAC address of the Internet-facing interface using the following CLI command:
config system interface
    edit <interface>
        set macaddr <xx:xx:xx:xx:xx:xx>
    next
end
13. Check the FortiGate bridge table (transparent mode)
When a FortiGate is in transparent mode, the unit acts like a bridge sending all incoming traffic out on the other
interfaces. The bridge is between interfaces on the FortiGate unit. Each bridge listed is a link between interfaces.
Where traffic is flowing between interfaces, you expect to find bridges listed. If you are having connectivity issues
and there are no bridges listed, that is a likely cause. Check for the MAC address of the interface or device in
question. To list the existing bridge instances on the FortiGate, use the following CLI command:
diagnose netlink brctl name host root.b
show bridge control interface root.b host.
fdb: size=2048, used=25, num=25, depth=1
Bridge root.b host table
port no device devname mac addr ttl attributes
3 4 wan1 00:09:0f:cb:c2:77 88
3 4 wan1 00:26:2d:24:b7:d3 0
3 4 wan1 00:13:72:38:72:21 98
4 3 internal 00:1a:a0:2f:bc:c6 6
1 6 dmz 00:09:0f:dc:90:69 0 Local Static
3 4 wan1 c4:2c:03:0d:3a:38 81
3 4 wan1 00:09:0f:15:05:46 89
3 4 wan1 c4:2c:03:1d:1b:10 0
2 5 wan2 00:09:0f:dc:90:68 0 Local Static
14. Use FortiExplorer if you cannot connect to the FortiGate over Ethernet
If you cannot connect to the FortiGate GUI or CLI, you may be able to connect using FortiExplorer. Refer to the
QuickStart Guide or see the section on FortiExplorer for more details.
15. Either reset the FortiGate to factory defaults or contact Fortinet Support for assistance
To reset the FortiGate to factory defaults, use the CLI command execute factoryreset. When prompted, type
y to confirm the reset.
If you require further assistance, visit the Fortinet Support website.
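Step 13 above reads the bridge forwarding table by eye. As an added example that is not part of this guide or of FortiOS, the Python below parses that same diagnose netlink brctl output, reusing the guide's sample as its input, so that the MAC address in question can be looked up, the learned addresses per interface counted, and the FortiGate's own Local entries separated from learned ones. The column handling assumes the header shown in the sample (port no device devname mac addr ttl attributes) with optional attribute words after the ttl.

```python
"""Parse the bridge forwarding table a transparent-mode FortiGate prints.

Added example, not Fortinet code. The input is the sample output of
`diagnose netlink brctl name host root.b` reproduced from the guide; the
column handling assumes the header shown there, with optional attribute
words (such as "Local Static") after the ttl column.
"""
import re

MAC_RE = re.compile(r"^[0-9a-f]{2}(?::[0-9a-f]{2}){5}$", re.IGNORECASE)

SAMPLE_BRCTL_OUTPUT = """\
show bridge control interface root.b host.
fdb: size=2048, used=25, num=25, depth=1
Bridge root.b host table
port no device devname mac addr ttl attributes
3 4 wan1 00:09:0f:cb:c2:77 88
3 4 wan1 00:26:2d:24:b7:d3 0
3 4 wan1 00:13:72:38:72:21 98
4 3 internal 00:1a:a0:2f:bc:c6 6
1 6 dmz 00:09:0f:dc:90:69 0 Local Static
3 4 wan1 c4:2c:03:0d:3a:38 81
3 4 wan1 00:09:0f:15:05:46 89
3 4 wan1 c4:2c:03:1d:1b:10 0
2 5 wan2 00:09:0f:dc:90:68 0 Local Static
"""


def parse_bridge_table(output):
    """Return one dict per forwarding entry; lines before the column header are ignored."""
    entries = []
    in_table = False
    for line in output.splitlines():
        fields = line.split()
        if not in_table:
            in_table = fields[:3] == ["port", "no", "device"]
            continue
        # Skip anything that is not a well-formed entry (blank lines, a trailing prompt).
        if len(fields) < 5 or not MAC_RE.match(fields[3]):
            continue
        entries.append({
            "port": int(fields[0]),
            "device": int(fields[1]),
            "devname": fields[2],
            "mac": fields[3].lower(),
            "ttl": int(fields[4]),
            "attributes": " ".join(fields[5:]),  # "Local Static" marks the FortiGate's own MACs
        })
    return entries


def interface_for_mac(entries, mac):
    """Interface a MAC was learned on, or None when the bridge has not seen it."""
    mac = mac.lower()
    for entry in entries:
        if entry["mac"] == mac:
            return entry["devname"]
    return None


def macs_per_interface(entries):
    """Count entries per interface; an interface that should carry traffic but shows none is suspect."""
    counts = {}
    for entry in entries:
        counts[entry["devname"]] = counts.get(entry["devname"], 0) + 1
    return counts


def local_interfaces(entries):
    """Interfaces whose own MAC appears as a Local entry, that is, the FortiGate itself."""
    return sorted({e["devname"] for e in entries if "Local" in e["attributes"].split()})


if __name__ == "__main__":
    table = parse_bridge_table(SAMPLE_BRCTL_OUTPUT)
    print(interface_for_mac(table, "00:1A:A0:2F:BC:C6"))
    print(macs_per_interface(table))
    print(local_interfaces(table))
```

Looking up the MAC of the host that cannot be reached tells you whether the bridge has learned it at all and, if so, on which interface; if the address is missing or sits behind an unexpected interface, the cabling or the interface assignment is the first thing to recheck.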

Dashboards and Monitors

FortiOS includes predefined dashboards so administrators can easily monitor device inventory, security threats, traffic,
and network health. You can customize the appearance of a default dashboard to display data pertinent to your Security
Fabric or combine widgets to create custom dashboards. Many dashboards also allow you to switch views between
fabric devices.
Each dashboard contains a set of widgets that allow you to view drilldown data and take actions to prevent threats. Use
widgets to perform tasks such as viewing device inventory, creating and deleting DHCP reservations, and disconnecting
dial-up users. You can add or remove widgets in a dashboard or save a widget as a standalone monitor.
Monitors display information in both text and visual format. Use monitors to change views, search for items, view
drilldown information, or perform actions such as quarantining an IP address. FortiView monitors for the top categories
are located below the dashboards. All of the available widgets can be added to the tree menu as a monitor.

Using dashboards

You can combine widgets to create custom dashboards. You can also use the dropdown in the tree menu to switch to
another device in the Security Fabric.

To create a new dashboard:

1. Under Dashboard, click the Add Dashboard button. The Add Dashboard window opens.
2. Enter a name in the Name field and click OK. The new dashboard opens.


To add a widget to a dashboard:

1. In the tree menu, select a dashboard.
2. In the banner, click Add Widget. The Add Dashboard Widget pane opens.
3. Click the Add button next to the widget. You can use the Search field to search for a widget. Enable Show More to
view more widgets in a category.
4. Configure the widget settings, then click Add Widget.
5. Click Close.
6. (Optional) Click and drag the widget to the desired location in the dashboard.

To edit a dashboard:

1. Click the Actions menu next to the dashboard and select Edit Dashboard.
2. Edit the dashboard and click OK.

To delete a dashboard:

1. Click the Actions menu next to the dashboard and select Delete Dashboard.
2. Click Delete Dashboard. The Confirm dialog opens.
3. Click OK.

You cannot delete the Status dashboard.

To switch to another device in the Security Fabric:

1. In the tree menu, click the device name and select a fabric device from dropdown.

Using widgets

You can convert a widget to a standalone monitor, change the view type, configure tables, and filter data.


To save a dashboard widget as a monitor:

1. Hover over the widget and click Expand to full screen.

Full screen mode is not supported in all widgets.

2. In the widget, click Save as Monitor. The Add Monitor window opens.

3. (Optional) Enter a new name for the monitor in the Name field.
4. Click OK.

To view the widget settings:

1. Click the menu dropdown at the right side of the widget and select Settings.

2. Configure the widget settings and click OK.

The settings will vary depending on the widget.

To configure a table in the widget:

1. Hover over the left side of the table header and click Configure Table.


2. Configure the table options:

Option Description

Best Fit All Columns Resizes all of the columns in a table to fit their content.

Reset Table Resets the table to the default view.

Select Columns Adds or removes columns from the view.

3. Click Apply.

To filter or configure a column in a table:

1. Hover over a column heading, and click Filter/Configure Column.

2. Configure the column options.

Option Description

Resize to Contents Resizes the column to fit the content.

Group by this Column Groups the table rows by the contents in the selected column.

3. Click Apply.
4. To filter a column, enter a value in the Filter field, and click Apply.

Filtering is not supported in all widgets.

Widgets

Dashboards are created per VDOM when VDOM mode is enabled. For information about VDOM mode, see Virtual Domains on page 2076.

Some dashboards and widgets are not available in Multi-VDOM mode.

The following table lists the available widgets in VDOM mode:

FortiView
- FortiView Application Bandwidth
- FortiView Applications
- FortiView Cloud Applications
- FortiView Destination Interfaces
- FortiView Destination Owners
- FortiView Destinations
- FortiView Policies
- FortiView Sessions
- FortiView Source Interfaces
- FortiView Sources
- FortiView VPN
- FortiView Web Categories
- FortiView Countries/Regions
- FortiView Destination Firewall Objects
- FortiView Interface Pairs
- FortiView Search Phrases
- FortiView Servers
- FortiView Source Firewall Objects
- FortiView Sources - WAN
- FortiView Traffic Shaping

Security Fabric
- Fabric Device
- FortiGate Cloud
- Security Fabric Status

Network
- DHCP
- Interface Bandwidth
- IP Pool Utilization
- IPsec
- Routing
- SD-WAN
- SSL-VPN
- Top IP Pools by Assigned IPs

The Interface Bandwidth widget can monitor a maximum of 25 interfaces.

System
- Administrators
- Botnet Activity
- HA Status
- License Status
- System Information
- Top System Events
- Virtual Machine

Resource Usage
- CPU Usage
- Disk Usage
- Log Rate
- Memory Usage
- Session Rate
- Sessions

Security
- Advanced Threat Protection Statistics
- Compromised Hosts
- FortiClient Detected Vulnerabilities
- GTP Tunnel Rate
- GTP Tunnels
- Host Scan Summary
- Quarantine
- Top Endpoint Vulnerabilities
- Top Failed Authentication
- Top FortiSandbox Files
- Top Threats
- Top Threats - WAN

User & Authentication
- Device Inventory
- Firewall Users
- FortiClient
- FortiGuard Quota
- FortiSwitch NAC VLANs
- Top Admin Logins
- Top Vulnerable Endpoint Devices
- Top Cloud Users

WiFi
- Channel Utilization
- Clients By FortiAP
- FortiAP Status
- Historical Clients
- Interfering SSIDs
- Login Failures
- Rogue APs
- Signal Strength
- Top WiFi Clients
Viewing device dashboards in the Security Fabric

Use the device dropdown to view the dashboards in downstream fabric devices. You can also create dedicated device
dashboards or log in and configure fabric devices.
To view the dashboards in fabric devices, click the device dropdown at the left side of the page, and select a device from
the list.


The device dropdown is available in the Status, Security, Network, Users & Devices, and WiFi
dashboards. You can also enable the dropdown when you create a dashboard.

To log in to or configure a fabric device, hover over the device name until the device dialog opens and then select Login
or Configure.

Creating a fabric system and license dashboard

Create a dashboard summary page to monitor all the fabric devices in a single view. You can use this dashboard to
monitor aspects of the devices such as system information, VPN and routing.

Example

The following image is an example of a Fabric System & License dashboard to monitor the System Information,
Licenses, and Memory usage for Branch_Office_01 and Branch_Office_02.


To create a system dashboard:

1. Click the Add Dashboard button. The Add Dashboard window opens.

2. In the Name field, enter a name such as Fabric System & Licenses, and click OK. The new dashboard appears.
3. In the banner, click Add Widget. The Add Dashboard Widget window opens. You can use the Search field to search
for a specific widget (for example, License Status, System Information, and Memory Usage).
4. Click the Add button next to the widget. The Add Dashboard Widget window opens.
5. In the Fabric member area, select Specify and select a device in the Security Fabric.
6. Click Add Widget. The widget is added to the dashboard. Repeat this step for all the devices you want to view in the dashboard.
7. (Optional) Arrange the widgets in the dashboard by fabric device.

Dashboards

A dashboard is a collection of widgets that show the status of your devices, network, and Security Fabric at a glance.
Widgets are condensed monitors that display a summary of the key details about your FortiGate pertaining to routing,
VPN, DHCP, devices, users, quarantine, and wireless connections.
The following dashboards are included in the dashboard templates:

Status
Default template: Comprehensive, Optimal
Use these widgets to:
- View the device serial number, licenses, and administrators
- View the status of devices in the security fabric
- Monitor CPU and Memory usage
- Monitor IPv4 and IPv6 sessions
- View VMs and Cloud devices

Security
Default template: Optimal
Use these widgets to:
- View compromised hosts and host scan summary
- View top threats and vulnerabilities

Network
Default template: Optimal
Use these widgets to:
- Monitor DHCP clients
- Monitor IPsec VPN connections
- Monitor current routing table
- Monitor SD-WAN status
- Monitor SSL-VPN connections

Users & Devices
Default template: Optimal
Use these widgets to:
- View users and devices connected to the network
- Identify threats from individual users and devices
- View FortiGuard and FortiClient data
- Monitor traffic bandwidth over time

WiFi
Default template: Comprehensive, Optimal
Use these widgets to:
- View FortiAP status, channel utilization, and clients
- View login failures and signal strength
- View the number of WiFi clients

Resetting the default dashboard template

You can use the GUI to change the default dashboard template. The Optimal template contains a set of popular default
dashboards and FortiView monitors. The Comprehensive template contains a set of default dashboards as well as all of
the FortiView monitors.

Resetting the default template will delete any custom dashboards and monitors, and reset the
widget settings.

To reset all dashboards:

1. Click the Actions menu next to Add Dashboard or Add Monitor and click Reset All Dashboards. The Dashboard
Setup window opens.

2. Select Optimal or Comprehensive and click OK.

Status dashboard

The Status dashboard provides an overview of your FortiGate device and the devices in your Security Fabric. If your
FortiGate is a Virtual Machine, information about the Virtual Machine is also displayed in the dashboard.


Updating system information

The System Information widget contains links to the Settings module where you can update the System Time, Uptime,
and WAN IP.
A notification will appear in the Firmware field when a new version of FortiOS is released. Click Update firmware in
System > Firmware to view the available versions and update FortiOS.

Viewing fabric devices

The Security Fabric widget provides a visual overview of the devices connected to the fabric and their connection status.
Hover over a device icon to view more information about the device.
Click a device in the fabric to:
- View the device in the physical or logical topology
- Register, configure, deauthorize, or log in to the device
- Open Diagnostics and Tools
- View the FortiClient Monitor
These options will vary depending on the device.
Click Expand & Pin hidden content to view all the devices in the fabric at once.


Viewing administrators

The Administrators widget displays the active administrators and their access interface. Click the username to view the
Active Administrator Sessions monitor. You can use the monitor to end an administrator's session.

Resource widgets

The resource widgets show the current usage statistics for CPU, Memory, and Sessions.
Click the CPU monitor to show the per core CPU usage.

You can switch between IPv4, IPv6, or IPv4+IPv6 in the Sessions monitor.

Security dashboard

The widgets in the Security dashboard provide a snapshot of the current threats and vulnerabilities targeting your
Security Fabric.


The Security dashboard contains the following widgets:

Compromised Hosts by Verdict: Shows the session information for a compromised host. See Viewing session information for a compromised host on page 93.
Top Threats by Threat Level: Shows the top traffic sessions aggregated by threat. You can expand the widget to view drilldown information about the Threat, Threat Category, Threat Level, Threat Score and Sessions.
FortiClient Detected Vulnerabilities: Shows a summary of vulnerabilities detected by FortiClient. FortiClient must be enabled.
Host Scan Summary: Shows a summary of hosts scanned. Hover over a color in the chart to view the number of hosts by category. Click the chart to view the FortiClient Monitor or Device Inventory monitor.
Top Vulnerable Endpoint Devices by Detected Vulnerabilities: Shows a summary of devices aggregated by vulnerabilities. Expand the widget to view drilldown information about the Device, Source and Detected Vulnerabilities.

Viewing session information for a compromised host

You can use the Compromised Hosts by Verdict widget to view the session information for a compromised host.

To view session information for a compromised host in the GUI:

1. Go to Dashboard > Security and expand the Compromised Hosts by Verdict widget.

2. Double-click a compromised host to view the session information. You can also right-click a compromised host, and
select View Sessions.


3. Double-click a session, or right-click the session and select View Sessions to view the information.

Network dashboard

The widgets in the Network dashboard show information related to networking for this FortiGate and other devices
connected to your Security Fabric. Use this dashboard to monitor the status of Routing, DHCP, SD-WAN, IPsec and SSL
VPN tunnels. All of the widgets in the Network dashboard can be expanded to full screen and saved as a monitor.
The Network dashboard contains the following widgets:

Static & Dynamic Routing: Shows the static and dynamic routes currently active in your routing table. The widget also includes policy routes, BGP neighbors and paths, and OSPF neighbors. See Static & Dynamic Routing monitor on page 95.
DHCP: Shows the addresses leased out by FortiGate's DHCP servers. See DHCP monitor on page 98.
SD-WAN: Shows a summary of the SD-WAN status, including ADVPN shortcut information.
IPsec: Shows the connection statuses of your IPsec VPN site to site and dial-up tunnels. See IPsec monitor on page 99.
SSL-VPN: Shows a summary of remote active users and the connection mode. See SSL-VPN monitor on page 101.
IP Pool Utilization: Shows IP pool utilization.

Static & Dynamic Routing monitor

The Static & Dynamic Routing Monitor displays the routing table on the FortiGate, including all static and dynamic
routing protocols in IPv4 and IPv6. You can also use this monitor to view policy routes, BGP neighbors and paths, and
OSPF neighbors.

To view the routing monitor in the GUI:

1. Go to Dashboard > Network.
2. Hover over the Routing widget, and click Expand to Full Screen. The Routing monitor is displayed.
3. To view neighbors and paths, click the monitors dropdown at the top of the page. The available views are:
- BGP Neighbors
- BGP Paths
- IPv6 BGP Paths
- OSPF Neighbors
4. To filter the Interfaces and Type columns:
a. Click the Static & Dynamic tab.
b. Hover over the column heading, and click the Filter/Configure Column icon.
c. Click Group By This Column, then click Apply.


5. (Optional) Click Save as Monitor to save the widget as monitor.

To look up a route in the GUI:

1. Click Route Lookup.


2. Enter an IP address in the Destination field, then click Search. The matching route is highlighted on the Routing
monitor.

To view the routing table in the CLI:

# get router info routing-table all

Sample output:
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
       O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default

Routing table for VRF=0
S*      0.0.0.0/0 [1/0] via 10.0.10.1, To-HQ-A
                  [1/0] via 10.0.12.1, To-HQ-MPLS
                  [1/0] via 10.10.11.1, To-HQ-B
                  [1/0] via 10.100.67.1, port1
                  [1/0] via 10.100.67.9, port2
C       10.0.10.0/24 is directly connected, To-HQ-A
C       10.0.10.2/32 is directly connected, To-HQ-A
C       10.0.11.0/24 is directly connected, To-HQ-B
C       10.0.11.2/32 is directly connected, To-HQ-B
C       10.0.12.0/24 is directly connected, To-HQ-MPLS
C       10.0.12.2/32 is directly connected, To-HQ-MPLS
C       10.1.0.0/24 is directly connected, port3
C       10.1.0.2/32 is directly connected, port3
C       10.1.0.3/32 is directly connected, port3
C       10.1.100.0/24 is directly connected, vsw.port6
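The routing table above is easy to eyeball on a small branch, but a parser lets you audit it after every change. The following Python is an added example, not Fortinet's code: it parses the sample output above (reproduced as SAMPLE), keeps ECMP next hops together, and checks the default route against an operator-maintained gateway allow-list, which is an assumed input here.

```python
import re
from dataclasses import dataclass, field
from typing import Iterable, List, Optional, Set, Tuple
# Sample output copied from the guide's "get router info routing-table all" example,
# with the indentation of the ECMP continuation lines restored as the CLI prints it.
SAMPLE = """\
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
       O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default

Routing table for VRF=0
S*      0.0.0.0/0 [1/0] via 10.0.10.1, To-HQ-A
                  [1/0] via 10.0.12.1, To-HQ-MPLS
                  [1/0] via 10.10.11.1, To-HQ-B
                  [1/0] via 10.100.67.1, port1
                  [1/0] via 10.100.67.9, port2
C       10.0.10.0/24 is directly connected, To-HQ-A
C       10.0.10.2/32 is directly connected, To-HQ-A
C       10.0.11.0/24 is directly connected, To-HQ-B
C       10.0.11.2/32 is directly connected, To-HQ-B
C       10.0.12.0/24 is directly connected, To-HQ-MPLS
C       10.0.12.2/32 is directly connected, To-HQ-MPLS
C       10.1.0.0/24 is directly connected, port3
C       10.1.0.2/32 is directly connected, port3
C       10.1.0.3/32 is directly connected, port3
C       10.1.100.0/24 is directly connected, vsw.port6
"""

@dataclass
class NextHop:
    gateway: Optional[str]   # None for directly connected routes
    interface: str
    distance: int = 0        # administrative distance, the first number in [1/0]
    metric: int = 0

@dataclass
class Route:
    code: str                # legend code, e.g. "S*", "C", "B"
    prefix: str
    vrf: int
    nexthops: List[NextHop] = field(default_factory=list)

VRF_RE = re.compile(r"^Routing table for VRF=(\d+)")
ROUTE_RE = re.compile(r"^(?P<code>[A-Za-z][A-Za-z0-9]?\*?)\s+(?P<prefix>\S+)\s+(?P<rest>.+)$")
VIA_RE = re.compile(r"\[(?P<ad>\d+)/(?P<metric>\d+)\]\s+via\s+(?P<gw>[^,\s]+),\s+(?P<ifname>[^,\s]+)")
CONN_RE = re.compile(r"is directly connected,\s+(?P<ifname>\S+)")

def _parse_nexthop(rest: str) -> NextHop:
    m = VIA_RE.search(rest)          # checked first: recursive routes also mention "directly connected"
    if m:
        return NextHop(m.group("gw"), m.group("ifname"), int(m.group("ad")), int(m.group("metric")))
    m = CONN_RE.search(rest)
    if m:
        return NextHop(None, m.group("ifname"))
    raise ValueError(f"unrecognised route line: {rest!r}")

def parse_routing_table(text: str) -> List[Route]:
    """Parse 'get router info routing-table all' output into Route records.
    The Codes legend is skipped; parsing starts at the first 'Routing table for VRF=' line."""
    routes: List[Route] = []
    vrf: Optional[int] = None
    for raw in text.splitlines():
        line = raw.strip()
        m = VRF_RE.match(line)
        if m:
            vrf = int(m.group(1))
            continue
        if vrf is None or not line:
            continue
        if line.startswith("[") and routes:   # additional ECMP next hop of the previous route
            routes[-1].nexthops.append(_parse_nexthop(line))
            continue
        m = ROUTE_RE.match(line)
        if m:
            route = Route(m.group("code"), m.group("prefix"), vrf)
            route.nexthops.append(_parse_nexthop(m.group("rest")))
            routes.append(route)
    return routes

def ecmp_prefixes(routes: Iterable[Route]) -> List[str]:
    """Prefixes that currently load-balance over more than one next hop."""
    return [r.prefix for r in routes if len(r.nexthops) > 1]

def unexpected_default_gateways(routes: Iterable[Route], allowed: Set[str]) -> List[Tuple[str, str]]:
    """Default-route next hops whose gateway is not on the operator's documented allow-list
    (an assumed input). A default route via an unknown gateway is the first thing to check after a change."""
    found = []
    for r in routes:
        if r.prefix in ("0.0.0.0/0", "::/0"):
            for nh in r.nexthops:
                if nh.gateway and nh.gateway not in allowed:
                    found.append((nh.gateway, nh.interface))
    return found
```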

To look up a firewall route in the CLI:

# diagnose firewall proute list

Sample output:
list route policy info(vf=root):

id=0x7f450002 vwl_service=2(BusinessCritialCloudApp) vwl_mbr_seq=4 5 3 dscp_tag=0xff 0xff
flags=0x0 tos=0x00 tos_mask=0x00 protocol=0 sport=0:65535 iif=0 dport=1-65535 oif=3(port1) oif=4(port2) oif=18(To-HQ-MPLS)
source(1): 0.0.0.0-255.255.255.255
destination wildcard(1): 0.0.0.0/0.0.0.0
internet service(4): Microsoft.Office.365(4294837472,0,0,0, 33182) Microsoft.Office.Online(4294837475,0,0,0, 16177) Salesforce(4294837976,0,0,0, 16920) GoToMeeting(4294836966,0,0,0, 16354)
hit_count=0 last_used=2020-03-30 10:50:18

id=0x7f450003 vwl_service=3(NonBusinessCriticalCloudApp) vwl_mbr_seq=4 5 dscp_tag=0xff 0xff
flags=0x0 tos=0x00 tos_mask=0x00 protocol=0 sport=0:65535 iif=0 dport=1-65535 oif=3(port1) oif=4(port2)
source(1): 0.0.0.0-255.255.255.255
destination wildcard(1): 0.0.0.0/0.0.0.0
internet service(2): Facebook(4294836806,0,0,0, 15832) Twitter(4294838278,0,0,0, 16001)
hit_count=0 last_used=2020-03-30 10:50:18

id=0x7f450004 vwl_service=4(Ping-Policy) vwl_mbr_seq=1 2 dscp_tag=0xff 0xff
flags=0x0 tos=0x00 tos_mask=0x00 protocol=1 sport=0:65535 iif=0 dport=1-65535 oif=16(To-HQ-A) oif=17(To-HQ-B)

DHCP monitor

The DHCP monitor shows all the addresses leased out by FortiGate's DHCP servers. You can use the monitor to revoke
an address for a device, or create, edit, and delete address reservations.

To view the DHCP monitor:

1. Go to Dashboard > Network.
2. Hover over the DHCP widget, and click Expand to Full Screen.

To filter or configure a column in the table, hover over the column heading and click
Filter/Configure Column.

To revoke a lease:

1. Select a device in the table.
2. In the toolbar, click Revoke, or right-click the device, and click Revoke Lease(s). The Confirm page is displayed.
3. Click OK.

A confirmation window opens only if there is an associated address reservation. If there is no address, the lease will be removed immediately upon clicking Revoke.


To create a DHCP reservation:

1. Select a server in the table.
2. In the toolbar, click Reservation, or right-click the device and click Create DHCP Reservation. The Create New DHCP Reservation page is displayed.
3. Configure the DHCP reservation settings.
4. Click OK.

To view top sources by bytes:

1. Right-click a device in the table and click Show in FortiView. The FortiView Sources by Bytes widget is displayed.

To view the DHCP lease list in the CLI:

# execute dhcp lease-list

IPsec monitor

The IPsec monitor displays all connected Site to Site VPN, Dial-up VPNs, and ADVPN shortcut tunnel information. You
can use the monitor to bring a phase 2 tunnel up or down or disconnect dial-up users. A notification appears in the
monitor when users have not enabled two-factor authentication.

To view the IPsec monitor in the GUI:

1. Go to Dashboard > Network.
2. Hover over the IPsec widget, and click Expand to Full Screen. A warning appears when an unauthenticated user is detected.

To filter or configure a column in the table, hover over the column heading and click
Filter/Configure Column.

3. Hover over a record in the table. A tooltip displays the Phase 1 and Phase 2 interfaces. A warning appears next to a
user who has not enabled two-factor authentication.


To reset statistics:

1. Select a tunnel in the table.
2. In the toolbar, click Reset Statistics or right-click the tunnel, and click Reset Statistics. The Confirm dialog is displayed.
3. Click OK.

To bring a tunnel up:

1. Select a tunnel in the table.
2. Click Bring Up, or right-click the tunnel, and click Bring Up. The Confirm dialog is displayed.
3. Click OK.

To bring a tunnel down:

1. Select a tunnel in the table.
2. Click Bring Down, or right-click the tunnel, and click Bring Down. The Confirm dialog is displayed.
3. Click OK.

To locate a tunnel on the VPN Map:

1. Select a tunnel in the table.
2. Click Locate on VPN Map, or right-click the tunnel, and click Locate on VPN Map. The VPN Location Map is displayed.

To view the IPsec monitor in the CLI:

# diagnose vpn tunnel list

Sample output:
list all ipsec tunnel in vd 0
------------------------------------------------------
name=fct-dialup ver=1 serial=4 10.100.67.5:0->0.0.0.0:0 tun_id=0.0.0.0 dst_mtu=0
bound_if=3 lgwy=static/1 tun=intf/0 mode=dialup/2 encap=none/512 options[0200]=frag-rfc accept_traffic=1 overlay_id=0
proxyid_num=0 child_num=0 refcnt=12 ilast=5545 olast=5545 ad=/0
stat: rxp=0 txp=0 rxb=0 txb=0
dpd: mode=on-demand on=0 idle=20000ms retry=3 count=0 seqno=0
natt: mode=none draft=0 interval=0 remote_port=0
run_tally=0
------------------------------------------------------
name=To-HQ-MPLS ver=2 serial=3 192.168.0.14:0->192.168.0.1:0 tun_id=19.168.0.1 dst_mtu=1500
bound_if=7 lgwy=static/1 tun=intf/0 mode=auto/1 encap=none/528 options[0210]=create_dev frag-rfc accept_traffic=1 overlay_id=0
proxyid_num=1 child_num=0 refcnt=22 ilast=0 olast=0 ad=/0
stat: rxp=66693 txp=29183 rxb=33487128 txb=1908427
dpd: mode=on-demand on=1 idle=20000ms retry=3 count=0 seqno=0
natt: mode=none draft=0 interval=0 remote_port=0
proxyid=To-HQ-MPLS proto=0 sa=1 ref=6 serial=1 adr
src: 0:0.0.0.0/0.0.0.0:0
dst: 0:0.0.0.0/0.0.0.0:0
SA: ref=3 options=32203 type=00 soft=0 mtu=1438 expire=266/0B replaywin=2048 seqno=2c5e esn=0 replaywin_lastseq=00002ea3 itn=0 qat=0 hash_search_len=1
life: type=01 bytes=0/0 timeout=1773/1800
dec: spi=700c9198 esp=aes key=16 ebd04605de6148c8a92ced48b30930fa ah=sha1 key=20 5f0201f67d7c714a046025a1df41d40376437f6a
enc: spi=5aaccc20 esp=aes key=16 13d5d4b46e5e9c42eef509f2d9879188 ah=sha1 key=20 2dde67ef7a2a78b622d9a7ec6d75ad3c55d241e1
dec:pkts/bytes=11938/5226964, enc:pkts/bytes=11357/1312184
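The tunnel list above prints the live ESP and AH keys in clear (the hex after key=16 and key=20), so this output should be treated as secret and redacted before it is pasted into a ticket or chat. The following Python is an added example, not Fortinet's code: it parses the sample output above (reproduced as SAMPLE) into per-tunnel records without ever retaining key material, summarizes phase 1 and phase 2 state per tunnel, and redacts the keys from the raw text for sharing.

```python
import re
from typing import Any, Dict, List
# Sample output copied from the guide's "diagnose vpn tunnel list" example. The key
# material in it is Fortinet's sample data, the kind of value redact_keys() blanks.
SAMPLE = """\
list all ipsec tunnel in vd 0
------------------------------------------------------
name=fct-dialup ver=1 serial=4 10.100.67.5:0->0.0.0.0:0 tun_id=0.0.0.0 dst_mtu=0
bound_if=3 lgwy=static/1 tun=intf/0 mode=dialup/2 encap=none/512 options[0200]=frag-rfc accept_traffic=1 overlay_id=0
proxyid_num=0 child_num=0 refcnt=12 ilast=5545 olast=5545 ad=/0
stat: rxp=0 txp=0 rxb=0 txb=0
dpd: mode=on-demand on=0 idle=20000ms retry=3 count=0 seqno=0
natt: mode=none draft=0 interval=0 remote_port=0
run_tally=0
------------------------------------------------------
name=To-HQ-MPLS ver=2 serial=3 192.168.0.14:0->192.168.0.1:0 tun_id=19.168.0.1 dst_mtu=1500
bound_if=7 lgwy=static/1 tun=intf/0 mode=auto/1 encap=none/528 options[0210]=create_dev frag-rfc accept_traffic=1 overlay_id=0
proxyid_num=1 child_num=0 refcnt=22 ilast=0 olast=0 ad=/0
stat: rxp=66693 txp=29183 rxb=33487128 txb=1908427
dpd: mode=on-demand on=1 idle=20000ms retry=3 count=0 seqno=0
natt: mode=none draft=0 interval=0 remote_port=0
proxyid=To-HQ-MPLS proto=0 sa=1 ref=6 serial=1 adr
src: 0:0.0.0.0/0.0.0.0:0
dst: 0:0.0.0.0/0.0.0.0:0
SA: ref=3 options=32203 type=00 soft=0 mtu=1438 expire=266/0B replaywin=2048 seqno=2c5e esn=0 replaywin_lastseq=00002ea3 itn=0 qat=0 hash_search_len=1
life: type=01 bytes=0/0 timeout=1773/1800
dec: spi=700c9198 esp=aes key=16 ebd04605de6148c8a92ced48b30930fa ah=sha1 key=20 5f0201f67d7c714a046025a1df41d40376437f6a
enc: spi=5aaccc20 esp=aes key=16 13d5d4b46e5e9c42eef509f2d9879188 ah=sha1 key=20 2dde67ef7a2a78b622d9a7ec6d75ad3c55d241e1
dec:pkts/bytes=11938/5226964, enc:pkts/bytes=11357/1312184
"""

KV_RE = re.compile(r"(\w+)=([^\s,]+)")
ENDPOINTS_RE = re.compile(r"(?P<local>[0-9a-fA-F.:]+):\d+->(?P<remote>[0-9a-fA-F.:]+):\d+")
SECTION_RE = re.compile(r"^(\w+):\s*(.*)$")          # "stat: ...", "dpd: ...", "dec: ..."
PKTS_RE = re.compile(r"(dec|enc):pkts/bytes=(\d+)/(\d+)")
KEY_RE = re.compile(r"(key=\d+)\s+[0-9a-fA-F]+")     # key length followed by the raw key

def redact_keys(text: str) -> str:
    """Blank the ESP/AH key material that the dec:/enc: lines print in clear."""
    return KEY_RE.sub(r"\1 <redacted>", text)

def _kv(text: str) -> Dict[str, str]:
    # "key=" introduces live SA keying material; it is deliberately never retained.
    return {k: v for k, v in KV_RE.findall(text) if k != "key"}

def parse_tunnel_list(text: str) -> List[Dict[str, Any]]:
    """One dict per tunnel: phase 1 fields on the tunnel itself, each proxyid (phase 2
    selector) as a dict under tunnel["proxies"] with its SA, life, dec and enc sections."""
    tunnels: List[Dict[str, Any]] = []
    tunnel = None    # tunnel currently being read
    target = None    # dict that a wrapped continuation line adds its fields to
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("name="):
            tunnel = {"proxies": [], **_kv(line)}
            tunnel["local"], tunnel["remote"] = ENDPOINTS_RE.search(line).groups()
            tunnels.append(tunnel)
            target = tunnel
            continue
        if tunnel is None or not line or line.startswith("-"):
            continue
        if line.startswith("proxyid="):
            tunnel["proxies"].append(_kv(line))
            target = tunnel["proxies"][-1]
            continue
        # Sections after a proxyid line describe that phase 2; earlier ones the phase 1.
        owner = tunnel["proxies"][-1] if tunnel["proxies"] else tunnel
        if "pkts/bytes=" in line:
            for direction, pkts, nbytes in PKTS_RE.findall(line):
                owner[direction + "_pkts"], owner[direction + "_bytes"] = int(pkts), int(nbytes)
            continue
        m = SECTION_RE.match(line)
        if m:
            section, rest = m.groups()
            pairs = _kv(rest)
            owner[section] = pairs if pairs else rest   # src:/dst: selectors stay raw
            target = pairs if pairs else owner
            continue
        target.update(_kv(line))                        # wrapped continuation of the previous line
    return tunnels

def summarize(tunnels: List[Dict[str, Any]]) -> List[Dict[str, Any]]:
    """Per-tunnel health view: is DPD up, is a phase 2 SA installed, is traffic flowing."""
    out = []
    for t in tunnels:
        stat, dpd = t.get("stat", {}), t.get("dpd", {})
        out.append({
            "name": t["name"],
            "mode": t.get("mode", "").split("/")[0],   # "dialup/2" -> "dialup"
            "remote": t.get("remote"),
            "rx_packets": int(stat.get("rxp", 0)),
            "tx_packets": int(stat.get("txp", 0)),
            "dpd_on": dpd.get("on") == "1",
            "phase2_up": any(int(p.get("sa", 0)) > 0 for p in t["proxies"]),
        })
    return out
```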

SSL-VPN monitor

The SSL-VPN monitor displays remote user logins and active connections. You can use the monitor to disconnect a
specific connection. The monitor will notify you when VPN users have not enabled two-factor authentication.

To view the SSL-VPN monitor in the GUI:

1. Go to Dashboard > Network.
2. Hover over the SSL-VPN widget, and click Expand to Full Screen. The Duration and Connection Summary charts are displayed at the top of the monitor.

To filter or configure a column in the table, hover over the column heading and click
Filter/Configure Column.

To disconnect a user:

1. Select a user in the table.
2. In the table, right-click the user, and click End Session. The Confirm window opens.
3. Click OK.


To monitor SSL-VPN users in the CLI:

# get vpn ssl monitor

Sample output:
SSL VPN Login Users:
 Index   User         Group   Auth Type   Timeout   From            HTTP in/out         HTTPS in/out
 0       amitchell    TAC     1(1)        296       10.100.64.101   3838502/11077721    0/0
 1       mmiles       Dev     1(1)        292       10.100.64.101   4302506/11167442    0/0

SSL VPN sessions:
 Index   User         Group   Source IP   Duration   I/O Bytes   Tunnel/Dest IP

Users & Devices

The Users & Devices dashboard shows the current status of users and devices connected to your network. All of the widgets can be expanded to view as a monitor. In monitor view, you can create firewall addresses, deauthenticate a user, or remove a device from the network.
The Users & Devices dashboard contains the following widgets:

Device Inventory: Shows a summary of the hardware and software that is connected to the network. See Device inventory on page 102.
FortiClient: Shows a summary of the FortiClient endpoints.
Firewall Users: Shows a summary of the users logged into the network.
Quarantine: Shows a summary of quarantined devices.
FortiSwitch NAC VLANs: Shows a summary of VLANs assigned to devices by FortiSwitch NAC policies.

Device inventory

You can enable device detection to allow FortiOS to monitor your networks and gather information about devices
operating on those networks, including:
- MAC address
- IP address
- Operating system
- Hostname
- Username
- Endpoint tags
- When FortiOS detected the device and on which interface
You can enable device detection separately on each interface in Network > Interfaces.
Device detection is intended for devices directly connected to your LAN and DMZ ports. The widget is only available
when your Interface Role is LAN, DMZ or Undefined. It is not available when the role is WAN.


You can also manually add devices to Device Inventory to ensure that a device with multiple interfaces displays as a
single device.

To view the device inventory monitor:

1. Go to Dashboard > Users & Devices.
If you are using the Comprehensive dashboard template, go to Dashboard > Device Inventory Monitor.
2. Hover over the Device Inventory widget, and click Expand to Full Screen. The Device Inventory monitor is displayed.

To filter or configure a column in the table, hover over the column heading, and click
Filter/Configure Column. See Device inventory and filtering on page 103.

Device inventory and filtering

The Device Inventory widget contains a series of summary charts that provide an overview of the hardware, operating
system, status, and interfaces. You can use these clickable charts to simplify filtering among your devices.

To view the device inventory and apply a filter:

1. Go to Dashboard > Users & Devices.
If you are using the Comprehensive dashboard template, go to Dashboard > Device Inventory Monitor.
2. Hover over the Device Inventory widget, and click Expand to Full Screen. The Device Inventory monitor is displayed.
3. To filter the order of the charts by operating system, click the dropdown in the top menu bar and select Software OS.
4. To filter a chart, click an item in the legend or chart area. The table displays the filter results.


5. To combine filters, hover over a column heading and click Filter/Configure Column.

6. Click the filter icon in the top-right corner of the chart to remove the filter.

Filter examples

To filter all offline devices:

1. In the Status chart, click Offline in the legend or on the chart itself.

To filter all devices discovered on port3:

1. In the Interfaces chart, click port3.

Adding MAC-based addresses to devices

Assets detected by device detection appear in the Device Inventory widget. You can manage policies around devices by
adding a new device object (MAC-based address) to a device. Once you add the MAC-based address, the device can be
used in address groups or directly in policies.

To add a MAC-based address to a device:

1. Go to Dashboard > Users & Devices.
If you are using the Comprehensive dashboard template, go to Dashboard > Device Inventory Monitor.
2. Hover over the Device Inventory widget, and click Expand to Full Screen. The Device Inventory monitor is displayed.
3. Click a device, then click Firewall Device Address. The New Address dialog is displayed.
4. In the Name field, give the device a descriptive name so that it is easy to identify in the Device column.
5. Configure the MAC Address.
6. Click OK, then refresh the page. The MAC address icon appears in the Address column next to the device name.

Firewall Users monitor

The Firewall Users monitor displays all firewall users currently logged in. You can use the monitor to diagnose user-
related logons or to highlight and deauthenticate a user.


To view the firewall monitor:

1. Go to Dashboard > Users & Devices.
If you are using the Comprehensive dashboard template, go to Dashboard > Firewall User Monitor.
2. Hover over the Firewall Users widget, and click Expand to Full Screen.
3. To show FSSO logons, click Show all FSSO Logons at the top right of the page.

To filter or configure a column in the table, hover over the column heading and click
Filter/Configure Column.

To deauthenticate a user:

1. Go to Dashboard > Users & Devices.
2. Hover over the Firewall Users widget, and click Expand to Full Screen.
3. (Optional) Use the Search field to search for a specific user.
4. In the toolbar, click Deauthenticate, or right-click the user, and click Deauthenticate. The Confirm dialog is displayed.
5. Click OK.

To view firewall users in the CLI:

# diagnose firewall auth list

WiFi dashboard

The WiFi dashboard provides an overview of your WiFi network's performance, including FortiAP status, channel
utilization, WiFi clients and associated information, login failures, and signal strength.


To access the WiFi dashboard, go to Dashboard > WiFi.

The WiFi dashboard can be customized per your requirements. To learn more about using and modifying dashboards
and widgets, see Dashboards and Monitors on page 82.
This section describes the following monitors available for the WiFi Dashboard:
- FortiAP Status monitor on page 107
- Clients by FortiAP monitor on page 109

FortiAP Status monitor

The FortiAP Status monitor displays the status and the channel utilization of the radios of FortiAP devices connected to a
FortiGate. It also provides access to tools to diagnose and analyze connected APs.

To view the FortiAP Status monitor:

1. Go to Dashboard > WiFi.
2. Hover over the FortiAP Status widget, and click Expand to Full Screen. The FortiAP Status monitor opens.


3. (Optional) Click Save as Monitor to save the widget as monitor.

To view the Diagnostics and Tools menu:

1. Right-click an Access Point in the table, and click Diagnostics and Tools. The Diagnostics and Tools dialog opens.

2. To monitor and analyze the FortiAP device, click on the tabs in the Diagnostics and Tools dialog, such as Clients,
Spectrum Analysis, VLAN Probe, and so on.


The Diagnostics and Tools dialog is similar to the device dialog from WiFi & Switch Controller > Managed FortiAPs. To
learn more about the various tabs and their functions, see Spectrum analysis of FortiAP E models, VLAN probe report,
and Standardize wireless health metrics.

Clients by FortiAP monitor

The Clients by FortiAP monitor allows you to view detailed information about the health of individual WiFi connections in
the network. It also provides access to tools to diagnose and analyze connected wireless devices.

To view the Clients by FortiAP monitor:

1. Go to Dashboard > WiFi.
2. Hover over the Clients by FortiAP widget, and click Expand to Full Screen. The Clients by FortiAP monitor opens.
3. (Optional) Click Save as Monitor to save the widget as a monitor.

To view the summary page for a wireless client:

1. Right-click a client in the table and select Diagnostics and Tools. The Diagnostics and Tools - <device> page is
displayed.


2. (Optional) Click Quarantine to quarantine the client.
3. (Optional) Click Disassociate to disassociate the client.

Health status

The Status section displays the overall health for the wireless connection. The overall health of the connection is:
- Good if the value range for all three conditions is Good
- Fair or Poor if one of the three conditions is Fair or Poor, respectively.

Signal Strength
- Good > -56dBm
- -56dBm > Fair > -75dBm
- Poor < -75dBm

Signal Strength/Noise
- Good > 39dBm
- 20dBm < Fair < 39dBm
- Poor < 20dBm

Band
- Good = 5G band
- Fair = 2.4G band

The summary page also has the following FortiView tabs:
- Performance
- Applications
- Destinations
- Policies
- Logs

Monitors

FortiGate supports both FortiView and Non-FortiView monitors. FortiView monitors are driven by traffic information
captured from logs and real-time data. Non-FortiView monitors capture information from various real-time state tables on
the FortiGate.

Non-FortiView monitors

Non-FortiView monitors capture information on various state tables, such as the routes in the routing table, devices in
the device inventory, DHCP leases in the DHCP lease table, connected VPNs, clients logged into the wireless network,
and much more. These monitors are useful when troubleshooting the current state of the FortiGate, and to identify
whether certain objects are in the state table or not. For more information, see Dashboards on page 89.

FortiView monitors

FortiView is the FortiOS log view tool and comprehensive monitoring system for your network. FortiView integrates real-
time and historical data into a single view on your FortiGate. It can log and monitor network threats, keep track of
administration activities, and more.
Use FortiView monitors to investigate traffic activity such as user uploads and downloads, or videos watched on
YouTube. You can view the traffic on the whole network by user group or by individual. FortiView displays the
information in both text and visual format, giving you an overall picture of your network traffic activity so that you can
quickly decide on actionable items.
FortiView is integrated with many UTM functions. For example, you can quarantine an IP address directly in FortiView or
create custom devices and addresses from a FortiView entry.


The logging range and depth will depend on the FortiGate model.

The Optimal template contains a set of popular default dashboards and FortiView monitors. The Comprehensive
template contains a set of default dashboards as well as all of the FortiView monitors. See Dashboards on page 89.

Optimal
- FortiView Sources
- FortiView Destinations
- FortiView Applications
- FortiView Web Sites
- FortiView Policies
- FortiView Sessions

Comprehensive
- FortiView Sources
- FortiView Destinations
- FortiView Applications
- FortiView Web Sites
- FortiView Threats
- FortiView Compromised Hosts
- FortiView Policies
- FortiView Sessions
- Device Inventory Monitor
- Routing Monitor
- DHCP Monitor
- SD-WAN Monitor
- FortiGuard Quota Monitor
- IPsec Monitor
- SSL-VPN Monitor
- Firewall User Monitor
- Quarantine Monitor
- FortiClient Monitor
- FortiAP Clients Monitor
- Rogue APs Monitor

FortiView monitors and widgets

FortiView monitors are available in the tree menu under Dashboards. The menu contains several default monitors for the
top categories. Additional FortiView monitors are available as widgets that can be added to the dashboards. You can
also add FortiView monitors directly to the tree menu with the Add (+) button.


Core FortiView monitors

The following default monitors are available in the tree menu:

Dashboard Usage

FortiView Sources Displays Top Sources by traffic volume and drilldown by Source.

FortiView Destinations Displays Top Destinations by traffic volume and drilldown by Destination.

FortiView Applications Displays Top Applications by traffic volume and drilldown by Application.

FortiView Web Sites Displays Top Websites by session count and drilldown by Domain.

FortiView Policies Displays Top Policies by traffic volume and drilldown by Policy number.

FortiView Sessions Displays Top Sessions by traffic source and can be used to end sessions.

Usage is based on default settings. The pages may be customized further and sorted by other fields.

You can quarantine a host and ban an IP from all of the core FortiView monitors.

Adding FortiView monitors

Non-core FortiView monitors are available in the Add monitor pane. You can add a FortiView widget to a dashboard or
the tree menu as a monitor.


To add a monitor to the tree menu:

1. In the tree menu, under the monitors section, click Add Monitor (+). The Add Monitor window opens.

2. Click Add next to a monitor. You can use the Search field to search for a specific monitor.
3. In the FortiGate area, select All FortiGates or Specify to select a FortiGate device in the security fabric.
4. (Optional) In the Data Source area, select Specify and select a source device.
5. From the Time Period dropdown, select the time period. This option is not available in all monitors.
6. In the Visualization area, select Table View or Bubble Chart.
7. From the Sort By dropdown, select the sorting method.
8. Click Add Monitor. The monitor is added to the tree menu.

Monitors by category

Usage is based on the default settings. The monitors may be customized further and sorted by other fields.

LAN/DMZ

Widget Sort by Usage

Applications Bytes/Sessions/Bandwidth/Packets Displays top applications and drilldown by application.

Application Bandwidth Bytes/Bandwidth Displays bandwidth for top applications and drilldown by application.

Cloud Applications Bytes/Sessions/Files(Up/Down) Displays top cloud applications and drilldown by application.

Cloud Users Bytes/Sessions/Files(Up/Down) Displays top cloud users and drilldown by cloud user.

Compromised Hosts Verdict Displays compromised hosts and drilldown by source.

Countries/Regions Bytes/Sessions/Bandwidth/Packets Displays top countries/regions and drilldown by countries/regions.

Destination Firewall Objects Bytes/Sessions/Bandwidth/Packets Displays top destination firewall objects and drilldown by destination objects.

Destination Owners Bytes/Sessions/Bandwidth/Packets Displays top destination owners and drilldown by destination.

Destinations Bytes/Sessions/Bandwidth/Packets Displays top destinations and drilldown by destination.

Search Phrases Count Displays top search phrases and drilldown by search phrase.

Source Firewall Objects Bytes/Sessions/Bandwidth/Packets Displays top source firewall objects and drilldown by source object.

Sources Bytes/Sessions/Bandwidth/Packets Displays top sources and drilldown by source.

Threats Threat level/Threat Score/Sessions Displays top threats and drilldown by threat.

Traffic Shaping Dropped Bytes/Bytes/Sessions/Bandwidth/Packets Displays top traffic shaping and drilldown by shaper.

Web Categories Bytes/Sessions/Bandwidth/Packets Displays top web categories and drilldown by category.

Web Sites Bytes/Sessions/Bandwidth/Packets Displays top web sites and drilldown by domain.

WiFi Clients Bytes/Sessions Displays top WiFi clients and drilldown by source.

WAN

Widget Sort by Usage

Servers Bytes/Sessions/Bandwidth/Packets Displays top servers and drilldown by server address.

Sources Bytes/Sessions/Bandwidth/Packets Displays top sources and drilldown by device.

Threats Threat Level/Threat Score/Sessions Displays top threats and drilldown by threat.

All Segments

Widget Sort by Usage

Admin Logins Configuration Changes/Logins/Failed Logins Displays top admin logins by username.

Destination Interfaces Bytes/Sessions/Bandwidth/Packets Displays top destination interfaces by destination interface.

Endpoint Vulnerabilities Severity Displays top endpoint vulnerabilities by vulnerability name.

Failed Authentication Failed Attempts Displays top failed authentications by failed authentication source.

FortiSandbox Files Submitted Displays top FortiSandbox files by file name.

Interface Pairs Bytes/Sessions/Bandwidth/Packets Displays top interface pairs by source interface.

Policies Bytes/Sessions/Bandwidth/Packets Displays top policies by policy.

Source Interfaces Bytes/Sessions/Bandwidth/Packets Displays top source interfaces by source interface.

System Events Level/Events Displays top system events by event name.

VPN Connections/Bytes Displays top VPN connections by user.

Vulnerable Endpoint Devices Detected Vulnerabilities Displays top vulnerable endpoint devices by device.

A maximum of 25 interfaces can be monitored at one time on a device.

Using the FortiView interface

Use the FortiView interface to customize the view and visualizations within a monitor to find the information you are
looking for. The tools in the top menu bar allow you to change the time display, refresh or customize the data source, and
filter the results. You can also right-click a table in the monitor to view drilldown information for an item.

Real-time and historical charts

Use the Time Display dropdown to select the time period to display on the current monitor. Time display options vary
depending on the monitor and can include real-time information (now) and historical information (1 hour, 24 hours, and 7
days).

Disk logging or remote logging must be enabled to view historical information.

You can create a custom time range by selecting an area in table with your cursor.

The icon next to the time period identifies the data source (FortiGate Disk, FortiAnalyzer, or FortiGate Cloud). You can
hover over the icon to see a description of the device.


Data source

FortiView gathers information from a variety of data sources. If no log disk or remote logging is configured, the
data is drawn from the FortiGate's session table, and the Time Period is set to Now.

Other data sources that can be configured are:


- FortiGates (disk)
- FortiAnalyzer
- FortiGate Cloud

When Data Source is set to Best Available Device, FortiAnalyzer is selected when available,
then FortiGate Cloud, and then FortiGate Disk.

Drilldown information

Double-click or right-click an entry in a FortiView monitor and select Drill Down to Details to view additional details about
the selected traffic activity. Click the Back icon in the toolbar to return to the previous view.
You can group drilldown information into different drilldown views. For example, you can group the drilldown information
in the FortiView Destinations monitor by Sources, Applications, Threats, Policies, and Sessions.

Double-click an entry to view the logs in Sessions view. Double-click a session to view the logs.


Graph
- The graph shows the bytes sent/received in the time frame. Real time does not include a chart.
- Users can customize the time frame by selecting a time period within the graph.

Summary of
- Shows information such as the user/avatar, avatar/source IP, bytes, and sessions total for the time period.
- Can quarantine a host (access layer quarantine) if it is behind a FortiSwitch or FortiAP.
- Can ban IP addresses, which adds the source IP address to the quarantine list.

Tabs
- Drilling down entries in any of these tabs (except the Sessions tab) will take you to the underlying traffic log in the Sessions tab.
- Applications shows a list of the applications attributed to the source IP. This can include scanned applications (using Application Control in a firewall policy) or unscanned applications, which are shown when the following setting is enabled:
  config log gui-display
      set fortiview-unscanned-apps enable
  end
- Destinations shows destinations grouped by IP address/FQDN.
- Threats lists the threats caught by UTM profiles. This can be from antivirus, IPS, Web Filter, Application Control, etc.
- Web Sites contains the websites which were detected either with webfilter, or through FQDN in traffic logs.
- Web Categories groups entries into their categories as dictated by the Web Filter Database.
- Policies groups the entries into which policies they passed through or were blocked by.
- Sessions shows the underlying logs (historical) or sessions (real time). Drilldowns from other tabs end up showing the underlying log located in this tab.
- Search Phrases shows entries of search phrases on search engines captured by a Web Filter UTM profile, with deep inspection enabled in the firewall policy.
- More information can be shown in a tooltip while hovering over these entries.

To view matching logs or download a log, click the Security tab in the Log Details pane.


Enabling FortiView from devices

You can enable FortiView from SSD disk, FortiAnalyzer and FortiGate Cloud.

FortiView from disk

FortiView from disk is available on all FortiGates with an SSD disk.

Restrictions

Model Supported view

Desktop models (100 series) with SSD Five minutes and one hour

Medium models with SSD Up to 24 hours

Large models (1500D and above) with SSD Up to seven days. To enable seven days view:
config log setting
    set fortiview-weekly-data enable
end

Configuration

A firewall policy needs to be in place with traffic logging enabled. For optimal operation with FortiView, internal interface
roles should be clearly defined as LAN or DMZ, and internet facing or external interface roles should be defined as WAN.

To configure logging to disk:

config log disk setting
    set status enable
end

To include sniffer traffic and local-deny traffic when using FortiView from disk:

config report setting
    set report-source forward-traffic sniffer-traffic local-deny-traffic
end


This feature is only supported through the CLI.

Troubleshooting

Use execute report flush-cache and execute report recreate-db to clear up any irregularities that may
be caused by upgrading or cache issues.

Traffic logs

To view traffic logs from disk:

1. Go to Log & Report, and select either the Forward Traffic, Local Traffic, or Sniffer Traffic views.
2. In the top menu bar, click Log location and select Disk.

FortiView from FortiAnalyzer

Connect FortiGate to a FortiAnalyzer to increase the functionality of FortiView. Adding a FortiAnalyzer is useful when
adding monitors such as the Compromised Hosts. FortiAnalyzer also allows you to view historical information for up to
seven days.

Requirements

- A FortiGate or FortiOS
- A compatible FortiAnalyzer (see Compatibility with FortiOS)

To configure logging to the FortiAnalyzer, see Configuring FortiAnalyzer on page 2326.

To enable FortiView from FortiAnalyzer:

1. Go to Dashboard > FortiView Sources.


2. Select a time range other than Now from the dropdown list to view historical data.
3. In top menu, click the dropdown, and select Settings. The Edit Dashboard Widget dialog is displayed.
a. In the Data Source area, click Specify.
b. From the dropdown, select FortiAnalyzer, and click OK.

All the historical information now comes from the FortiAnalyzer.

When Data Source is set to Best Available Device, FortiAnalyzer is selected when
available, then FortiGate Cloud, and then FortiGate Disk.


FortiView from FortiGate Cloud

This function requires a FortiGate that is registered and logged into a compatible FortiGate Cloud. When using FortiGate
Cloud, the Time Period can be set to up to 24 hours.
To configure logging to FortiGate Cloud, see Configuring FortiGate Cloud on page 2328.

To enable FortiView with log source as FortiGate Cloud:

1. Go to Dashboard > FortiView Sources.


2. In the top menu, click the dropdown, and select Settings. The Edit Dashboard Widget window opens.
a. In the Data Source area, click Specify.
b. From the dropdown, select FortiGate Cloud, then click OK.

You can select FortiGate Cloud as the data source for all available FortiView pages and
widgets.

FortiView sources

The FortiView Sources monitor displays top sources sorted by Bytes, Sessions or Threat Score. The information can be
displayed in real time or historical views. You can use the monitor to create or edit a firewall device address or IP address
definitions, and temporarily or permanently ban IPs.

To add a firewall device address:

1. In the Device column, hover over the device MAC address. An information window opens.

2. Click Firewall Device Address. The New Address dialog opens.


3. Configure the address settings, and click Return.

Use the Name field to assign a descriptive name to a device so it is easier to find it in the
Device column. After you finish configuring the device, refresh the page to see the new
name in the monitor.


To add a firewall IP address:

1. In the Device column, hover over the device MAC address. An information window opens.

2. Click Firewall IP Address. The New Address window opens.


3. Configure the address settings, and click Return.

Use the Name field to assign a descriptive name to a device so it is easier to find it in the
Device column. After you finish configuring the device, refresh the page to see the new
name in the monitor.

To ban an IP address:

1. In the Device column, hover over the device MAC address. An information window opens.

2. Click Ban IP. The Ban IP dialog is displayed.


3. Configure the ban IP settings, and click OK.

FortiView Sessions

The FortiView Sessions monitor displays Top Sessions by traffic source and can be used to end sessions.
To view the FortiView Sessions dashboard, go to Dashboard > FortiView Sessions.


The session table displayed on the FortiView Sessions monitor is useful when verifying open connections. For example,
if you have a web browser open to browse the Fortinet website, you would expect a session entry from your computer on
port 80 to the IP address for the Fortinet website. You can also use a session table to investigate why there are too many
sessions for FortiOS to process.
You can filter the sessions displayed in the session table by setting up the available filtering options.

To filter sessions in the session table:

1. Click on the Add Filter button at the top of the session table.

2. Select the required filtering option. The session table updates to the filter selection.

3. You may add one or more filters depending upon your requirements. To add more filters, repeat the above steps for
a different set of filters.


You can be very specific with how you use filters and target sessions based on different filter combinations. For example,
you may want to view all sessions from a device with a particular IP by adding the Source IP filter. Similarly, you may
need to target all the sessions having a particular Destination IP and Destination Port, and so on.
You may also view the session data in the CLI.

To view session data using the CLI:

# diagnose sys session list

The session table output in the CLI is very large. You can use the supported filters in the CLI to show only the data you
need.

To view session data with filters using the CLI:

# diagnose sys session filter <option>

See to learn more about using the supported filters in the CLI.
You may also decide to end a particular session or all sessions for administrative purposes.

To end sessions from the GUI:

1. Select the session you want to end. To select multiple sessions, hold the Ctrl or Shift key on your keyboard while
clicking the sessions.

2. Right-click on the selected sessions, click on End Session(s) or End All Sessions.

3. Click OK in the confirmation dialog.
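The CLI counterpart of the filter and End Session(s) steps above, as an added example that is not part of the original guide: it narrows diagnose sys session list to one source IP and destination port, then clears only the sessions that match. The source address and port are constructed sample values.

```fortios
# Added example (not from the guide): inspect and end sessions from the CLI.
# Sample values are constructed; replace them with the host and service of interest.

# Start from an empty filter so that criteria left over from an earlier
# troubleshooting session are not silently combined with the new ones.
diagnose sys session filter clear

# Match only sessions from one source IP to destination port 443 (HTTPS).
diagnose sys session filter src 192.0.2.10
diagnose sys session filter dport 443

# Print the active filter, then list only the sessions that match it.
# Each entry shows the policy ID, NAT addresses, state and byte counters,
# which is what you check when verifying an unexpected open connection.
diagnose sys session filter
diagnose sys session list

# Ending sessions: "clear" acts on the sessions matching the current filter.
# With no filter set it drops EVERY session on the unit, so always confirm
# the filter output above before running it.
diagnose sys session clear

# Remove the filter when done so later listings are not narrowed by mistake.
diagnose sys session filter clear
```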

FortiView Top Source and Top Destination Firewall Objects monitors

The FortiView Source Firewall Objects and FortiView Destination Firewall Objects monitors leverage UUID to resolve
firewall object address names for improved usability.

Requirements

To have a historical Firewall Objects-based view, address objects' UUIDs need to be logged.

To enable address object UUID logging in the CLI:

config system global
    set log-uuid-address enable
end

To add a firewall object monitor in the GUI:

1. Click Add Monitor. The Add Monitor window opens.

2. In the Search field, type Destination Firewall Objects and click the Add button next to the dashboard name.
3. In the FortiGate area, select the FortiGate(s) from the dropdown.
4. In the Data Source area, select Best Available Device or Specify. For information, see Using the FortiView interface
on page 117.
5. From the Time Period dropdown, select the time period. Select now for real-time information, or (1 hour, 24 hours,
and 7 days) for historical information.
6. In the Visualization area, select Table View or Bubble Chart.
7. From the Sort By dropdown, select Bytes, Sessions, Bandwidth, or Packets.
8. Click Add Monitor. The monitor is added to the tree menu.

To drill down Firewall Objects:

1. Open the FortiView Source Firewall Objects or FortiView Destination Firewall Objects monitor.
2. Right-click on any Source or Destination Object and click Drill Down to Details.

3. Click the tabs to sort the sessions by Application, Destinations, Web Sites, or Policies.

4. To view signatures, click the entry in the Category column.

5. To view sessions, right-click an entry and click View Sessions, or click the Sessions tab.
6. To end a session, right-click an entry in the Sessions tab and select End Sessions or End All Sessions.


Viewing top websites and sources by category

You can use FortiGuard web categories to populate the category fields in various FortiView monitors such as FortiView
Web Categories, FortiView Websites or FortiView Sources. To view the categories in a monitor, the web filter profile
must be configured to at least monitor for a FortiGuard category based on a web filter and applied to a firewall policy for
outbound traffic.

To verify the web filter profile is monitor-only:

1. Go to Security Profiles > Web Filter.


2. Double-click a web filter that is applied to an outbound traffic firewall policy. The Edit Web Filter Profile window
opens.
3. Ensure FortiGuard category based filter is enabled.
In the image below, the General Interest - Business categories are monitor-only.

To create a Web categories monitor:

1. Click Add Monitor. The Add Monitor window opens.

2. In the Search field, type FortiView Web Categories and click the Add button next to the monitor name.
3. In the FortiGate area, select the FortiGate(s) from the dropdown.
4. In the Data Source area, click Best Available Device or Specify to select a device in the security fabric.
5. From the Time Period dropdown, select a time period greater than Now.
6. From the Sort By dropdown, select Bytes, Sessions, Bandwidth, or Packets.
7. Click Add Monitor. The widget is added to the tree menu.


Viewing the web filter category

The web filter category name appears in the Category column of the dashboard.

Click an entry in the table. The category name appears at the top of the Summary of box.

Click the Web Sites tab. The category name appears in the Category column.


Click the Sessions tab. The category name appears in the Category Description column.

The category name also appears in the Category column in the FortiView Websites and FortiView Sources monitors.


Cloud application view

To see different cloud application views, set up the following:


- A FortiGate having a relative firewall policy with the Application Control security profile.
- A FortiGate with log data from the local disk or FortiAnalyzer.
- Optional but highly recommended: SSL Inspection set to deep-inspection on relative firewall policies.

Viewing cloud applications

Cloud applications

All cloud applications require SSL Inspection set to deep-inspection on the firewall policy. For example,
Facebook_File.Download can monitor Facebook download behavior, which requires SSL deep-inspection to parse the deep
information in the network packets.

To view cloud applications:

1. Go to Security Profiles > Application Control.


2. Select a relative Application Control profile used by the firewall policy and click Edit.
3. On the Edit Application Sensor page, click View Application Signatures.
4. Hover over a column heading or the Application Signature bar. In the right gutter area, click the filter icon to filter the
applications.


Cloud applications have a cloud icon beside them.


The lock icon indicates that the application requires SSL deep inspection.

5. Hover over an item to see its details.


This example shows Gmail_Attachment.Download, a cloud application signature based sensor which requires SSL
deep inspection. If any local network user behind the firewall logs into Gmail and downloads a Gmail attachment,
that activity is logged.

Applications with cloud behavior

Applications with cloud behavior is a superset of cloud applications.

Some applications do not require SSL deep inspection, such as Facebook, Gmail, and YouTube. This means that if any
traffic triggers application sensors for these applications, there is a FortiView cloud application view for that traffic.
Other applications require SSL deep inspection, such as Gmail attachment, Facebook_Workplace, and so on.


To view applications with cloud behavior:

1. In the Application Signature page, ensure the Behavior column is displayed. If necessary, add the Behavior column.
a. Hover over the left side of the table column headings to display the Configure Table icon.
b. Click Configure Table and select Behavior.
c. Click Apply.

2. Click the filter icon in the Behavior column and select Cloud to filter by Cloud. Then click Apply.

3. The Application Signature page displays all applications with cloud behavior.


4. Use the Search box to search for applications. For example, you can search for youtube.

5. Hover over an item to see its details.


This example shows an application sensor with no lock icon which means that this application sensor does not
require SSL deep inspection. If any local network user behind the firewall tries to navigate to the YouTube website,
that activity is logged.

Configuring the Cloud Applications monitor

On the Edit Application Sensor page in the Categories section, the eye icon next to a category means that category is
monitored and logged.


To add the Cloud Applications monitor in the GUI:

1. Click Add Monitor. The Add monitor window opens.

2. In the Search field, enter FortiView Cloud Applications and click the Add button next to the monitor.
3. In the FortiGate area, select the FortiGate(s) from the dropdown.
4. In the Data Source area, click Best Available Device or Specify to select a device in the security fabric.
5. From the Time Period dropdown, select a time period greater than Now.
6. From the Sort By dropdown, select Bytes, Sessions, or Files (Up/Down).
7. Click Add Monitor. The monitor is added to the tree menu.
8. Open the monitor. If SSL deep inspection is enabled on the relative firewall, then the monitor shows the additional
details that are logged, such as Files (Up/Down) and Videos Played.
l For YouTube, the Videos Played column is triggered by the YouTube_Video.Play cloud application sensor.
This shows the number of local network users who logged into YouTube and played YouTube videos.
l For Dropbox, the Files (Up/Down) column is triggered by Dropbox_File.Download and Dropbox_File.Upload
cloud application sensors. This shows the number of local network users who logged into Dropbox and
uploaded or downloaded files.


Using the Cloud Applications monitor

To see additional information in the Cloud Applications monitor:

1. In the tree menu, click the FortiView Cloud Applications monitor to open it.

2. For details about a specific entry, double-click the entry or right-click the entry and select Drill Down to Details.
3. To see all the sessions for an application, click Sessions.
In this example, the Application Name column shows all applications related to YouTube.


4. To view log details, double-click a session to display the Log Details pane.
Sessions monitored by SSL deep inspection (in this example, Youtube_Video.Play) captured deep information such
as Application User, Application Details, and so on. The Log Details pane also shows additional deep information
such as application ID, Message, and so on.
Sessions not monitored by SSL deep inspection (YouTube) did not capture the deep information.

5. To display a specific time period, select and drag in the timeline graph to display only the data for that time period.

Top application: YouTube example

Monitoring network traffic with SSL deep inspection

This example describes how to monitor network traffic for YouTube using FortiView Applications view with SSL deep
inspection.

To monitor network traffic with SSL deep inspection:

1. Create a firewall policy with the following settings:
   - Application Control is enabled.
   - SSL Inspection is set to deep-inspection.
   - Log Allowed Traffic is set to All Sessions.

2. Go to Security Profiles > Application Control.


3. Select a relative Application Control profile used by the firewall policy and click Edit.
4. Because YouTube cloud applications are categorized into Video/Audio, ensure the Video/Audio category is
monitored. Monitored categories are indicated by an eye icon.
5. Click View Application Signatures and hover over YouTube cloud applications to view detailed information about
YouTube application sensors.
6. Expand YouTube to view the Application Signatures associated with the application.

Application Signature Description Application ID

YouTube_Video.Access An attempt to access a video on YouTube. 16420

YouTube_Channel.ID An attempt to access a video on a specific channel on YouTube. 44956

YouTube_Comment.Posting An attempt to post comments on YouTube. 31076

YouTube_HD.Streaming An attempt to watch HD videos on YouTube. 33104

YouTube_Messenger An attempt to access messenger on YouTube. 47858

YouTube_Video.Play An attempt to download and play a video from YouTube. 38569

YouTube_Video.Upload An attempt to upload a video to YouTube. 22564

YouTube An attempt to access YouTube. This application sensor does not depend on SSL deep inspection so it does not have a cloud or lock icon. 31077

YouTube_Channel.Access An attempt to access a video on a specific channel on YouTube. 41598

To view the application signature description, click the ID link in the information window.

7. On the test PC, log into YouTube and play some videos.
8. On the FortiGate, go to Log & Report > Security Events and look for log entries for browsing and playing YouTube
videos in the Application Control card.


In this example, note the Application User and Application Details. Also note that the Application Control ID is 38569
showing that this entry was triggered by the application sensor YouTube_Video.Play.

9. Go to Dashboard > FortiView Applications.


10. In the FortiView Applications monitor, double-click YouTube to view the drilldown information.
11. Select the Sessions tab to see all the entries for the videos played. Check the sessions for YouTube_Video.Play
with the ID 38569.
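As an added example (not the guide's own configuration), the CLI equivalent of the FortiView-from-disk prerequisites described under Configuration earlier and of the policy in step 1 of this procedure: interface roles, disk logging, report sources, and an outbound policy with Application Control, deep inspection, and all sessions logged. The interface names port1 and port2 and the policy name are assumed placeholders; deep-inspection, certificate-inspection and default are the profile names FortiOS ships with.

```fortios
# Added example (not from the guide). Assumed interface names: port2 = internal
# LAN, port1 = internet-facing WAN. Adjust both to your unit.

# 1. Interface roles: FortiView groups its LAN/DMZ and WAN monitors by role,
#    so set them explicitly instead of leaving them Undefined.
config system interface
    edit "port2"
        set role lan
    next
    edit "port1"
        set role wan
    next
end

# 2. Log to the local disk (FortiView from disk needs a model with an SSD).
config log disk setting
    set status enable
end

# 3. Also feed sniffer and local-deny traffic into FortiView (CLI only).
config report setting
    set report-source forward-traffic sniffer-traffic local-deny-traffic
end

# 4. Optional, large models (1500D and above) only: keep seven days of data.
config log setting
    set fortiview-weekly-data enable
end

# 5. Outbound policy matching step 1: Application Control on, SSL deep
#    inspection, all sessions logged. "edit 0" takes the next free policy ID.
#    Deep inspection re-signs TLS, so the FortiGate CA certificate must be
#    trusted by the clients or they will see certificate warnings. For the
#    without-deep-inspection variant of this example, set the profile to
#    "certificate-inspection" instead.
config firewall policy
    edit 0
        set name "LAN-to-WAN-appctrl"
        set srcintf "port2"
        set dstintf "port1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set utm-status enable
        set ssl-ssh-profile "deep-inspection"
        set application-list "default"
        set logtraffic all
        set nat enable
    next
end
```

After traffic flows, the Application Control events for YouTube_Video.Play (ID 38569) should appear under Log & Report > Security Events and in the FortiView Applications drilldown as described in steps 8 to 11.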

Monitoring network traffic without SSL deep inspection

This example describes how to monitor network traffic for YouTube using FortiView cloud application view without SSL
deep inspection.

To monitor network traffic without SSL deep inspection:

1. Create a firewall policy with the following settings:
   - Application Control is enabled.
   - SSL Inspection is set to certificate-inspection.
   - Log Allowed Traffic is set to All Sessions.

2. On the test PC, log into YouTube and play some videos.
3. On the FortiGate, go to Log & Report > Security Events and look for log entries for browsing and playing YouTube
videos in the Application Control card.
In this example, the log shows only applications with the name YouTube. The log cannot show YouTube application
sensors which rely on SSL deep inspection.

4. Go to Dashboard > FortiView Applications.


The FortiView Application by Bytes monitor shows the YouTube cloud application without the video played
information that requires SSL deep inspection.


5. Double-click YouTube and click the Sessions tab.


These sessions were triggered by the application sensor YouTube with the ID 31077. This is the application sensor
with cloud behavior which does not rely on SSL deep inspection.

Network

The following topics provide information about network settings:

- Interfaces on page 141
- DNS on page 208
- Explicit and transparent proxies on page 226
- SD-WAN on page 514
- DHCP server on page 299
- Static routing on page 308
- Dynamic routing on page 332
- Multicast on page 421
- FortiExtender on page 425
- Direct IP support for LTE/4G on page 428
- LLDP reception on page 431
- Virtual routing and forwarding on page 434
- NetFlow on page 460
- sFlow on page 478
- Link monitor on page 481
- IPv6 on page 491
- FortiGate LAN extension on page 500
- Diagnostics on page 505

Interfaces

Physical and virtual interfaces allow traffic to flow between internal networks, and between the internet and internal
networks. FortiOS has options for configuring interfaces and groups of sub-networks that can scale as your organization
grows. The following table lists commonly used interface types.

Interface type Description

Physical A physical interface can be connected to with either Ethernet or optical cables.
Depending on the FortiGate model, there is a varying number of Ethernet or
optical physical interfaces. Some FortiGates have a grouping of interfaces labeled
as lan that have a built-in switch functionality.
See Physical interface on page 168 for more information.

VLAN A virtual local area network (VLAN) logically divides a local area network (LAN)
into distinct broadcast domains using IEEE 802.1Q VLAN tags. A VLAN interface
supports VLAN tagging and is associated with a physical interface that can be
connected to a device, such as a switch or a router that supports these tags.
VLANs can be used on a FortiGate in NAT or transparent mode, and the
FortiGate functions differently depending on the operation mode.
See VLAN on page 169 for more information.

Aggregate An aggregate interface uses a link aggregation method to combine multiple
physical interfaces to increase throughput and to provide redundancy. FortiOS
supports a link aggregation (LAG) interface using the Link Aggregation Control
Protocol (LACP) based on IEEE 802.3ad.
See Aggregation and redundancy on page 185 for more information.

Redundant A redundant interface combines multiple physical interfaces where traffic only
uses one of the interfaces at a time. Its primary purpose is to provide redundancy.
This interface is typically used with a fully-meshed HA configuration.
See Aggregation and redundancy on page 185 for more information.

Loopback A loopback interface is a logical interface that is always up because it has no
physical link dependency, and the attached subnet is always present in the
routing table. It can be accessed through several physical or VLAN interfaces.
See Loopback interface on page 189 for more information.

Software switch A software switch is a virtual switch interface implemented in firmware that allows
member interfaces to be added to it. Devices connected to member interfaces
communicate on the same subnet, and packets are processed by the FortiGate’s
CPU. A software switch supports adding a wireless SSID as a member interface.
See Software switch on page 189 for more information.

Hardware switch A hardware switch is a virtual switch interface implemented at the hardware level
that allows member interfaces to be added to it. Devices connected to member
interfaces communicate on the same subnet. A hardware switch relies on specific
hardware to optimize processing and supports the Spanning Tree Protocol (STP).
See Hardware switch on page 191 for more information.

Zone A zone is a logical group containing one or more physical or virtual interfaces.
Grouping interfaces in zones can simplify firewall policy configurations.
See Zone on page 195 for more information.

Virtual wire pair A virtual wire pair (VWP) is an interface that acts like a virtual wire consisting of
two interfaces, with an interface at each end of the wire. No IP addressing is
configured on a VWP, and communication is restricted between the two interfaces
using firewall policies.
See Virtual wire pair on page 197 for more information.

FortiExtender WAN extension A FortiExtender WAN extension is a managed interface that allows a connected
FortiExtender to provide WAN connectivity to the FortiGate.
See FortiExtender on page 425 for more information.

FortiExtender LAN extension A FortiExtender LAN extension is a managed interface that allows a connected
FortiExtender to provide LAN connectivity to the FortiGate.
See FortiExtender on page 425 for more information.


Enhanced MAC VLAN An enhanced media access control (MAC) VLAN, or EMAC VLAN, interface
allows a physical interface to be virtually subdivided into multiple virtual interfaces
with different MAC addresses. In FortiOS, the EMAC VLAN functionality acts like
a bridge.
See Enhanced MAC VLAN on page 201 for more information.

VXLAN A Virtual Extensible LAN (VXLAN) interface encapsulates layer 2 Ethernet frames
within layer 3 IP packets and is used for cloud and data center networks.
See VXLAN on page 204 for more information.

Tunnel A tunnel virtual interface is used for IPsec interface-based or GRE tunnels and is
created when configuring IPsec VPN and GRE tunnels, respectively. The tunnel
interface can be configured with IP addresses on both sides of the tunnel since
this is a requirement when using a tunnel interface with a dynamic routing
protocol.
See OSPF with IPsec VPN for network redundancy on page 1516, GRE over
IPsec on page 1431, and Cisco GRE-over-IPsec VPN on page 1462 for more
information.

WiFi SSID A WiFi SSID interface is used to control wireless network user access to a
wireless local radio on a FortiWiFi or to a wireless access point using a FortiAP.
The SSID is created using the WiFi & Switch Controller > SSIDs page, and it
appears in the Network > Interfaces page once it is created.
See Defining a wireless network interface (SSID) in the FortiWiFi and FortiAP
Configuration Guide for more information.

VDOM link A VDOM link allows VDOMs to communicate internally without using additional
physical interfaces.
See Inter-VDOM routing for more information.

Interface settings

Administrators can configure both physical and virtual FortiGate interfaces in Network > Interfaces. There are different
options for configuring interfaces when FortiGate is in NAT mode or transparent mode.
The available options will vary depending on feature visibility, licensing, device model, and other factors. The following
list is not comprehensive.

To configure an interface in the GUI:

1. Go to Network > Interfaces.


2. Click Create New > Interface.
3. Configure the interface fields:

Interface Name Physical interface names cannot be changed.


Alias Enter an alternate name for a physical interface on the FortiGate unit. This
field appears when you edit an existing physical interface. The alias does not
appear in logs.
The maximum length of the alias is 25 characters.

Type The configuration type for the interface, such as VLAN, Software Switch,
802.3ad Aggregate, and others.

Interface This field is available when Type is set to VLAN.
Select the name of the physical interface that you want to add a VLAN
interface to. Once created, the VLAN interface is listed below its physical
interface in the Interface list.
You cannot change the physical interface of a VLAN interface.

VLAN ID This field is available when Type is set to VLAN.
Enter the VLAN ID. The VLAN ID can be any number between 1 and 4094 and
must match the VLAN ID added by the IEEE 802.1Q-compliant router or
switch that is connected to the VLAN subinterface.
The VLAN ID can be edited after the interface is added.

VRF ID Virtual Routing and Forwarding (VRF) allows multiple routing table instances
to coexist on the same router. One or more interfaces can be assigned to a VRF, and
packets are only forwarded between interfaces in the same VRF.

Virtual Domain Select the virtual domain to add the interface to.
Only administrator accounts with the super_admin profile can change the
Virtual Domain.

Interface Members This section can have different formats depending on the Type.
Members can be selected for some interface types:
- Software Switch or Hardware Switch: Specify the physical and wireless
interfaces joined into the switch.
- 802.3ad Aggregate or Redundant Interface: This field includes the
available and selected interface lists.

Role Set the role setting for the interface. Different settings will be shown or hidden
when editing an interface depending on the role:
- LAN: Used to connect to a local network of endpoints. It is the default role
for new interfaces.
- WAN: Used to connect to the internet. When WAN is selected, the
Estimated bandwidth setting is available, and the following settings are
not: DHCP server, Create address object matching subnet, Device
detection, Security mode, One-arm sniffer, Dedicate to extension/fortiap
modes, and Admission Control.
- DMZ: Used to connect to the DMZ. When selected, DHCP server and
Security mode are not available.
- Undefined: The interface has no specific role. When selected, Create
address object matching subnet is not available.

Estimated bandwidth The estimated WAN bandwidth.


The values can be entered manually, or saved from a speed test executed on
the interface. The values can be used in SD-WAN rules that use the Maximize
Bandwidth or Best Quality strategy.

Traffic mode This option is only available when Type is WiFi SSID.
- Tunnel: Tunnel to wireless controller
- Bridge: Local bridge with FortiAP's interface
- Mesh: Mesh downlink

Address

Addressing mode Select the addressing mode for the interface.
- Manual: Add an IP address and netmask for the interface. If IPv6
configuration is enabled, you can add both an IPv4 and an IPv6 address.
- DHCP: Get the interface IP address and other network settings from a
DHCP server.
- Auto-managed by IPAM: Assign subnets to prevent duplicate
IP addresses from overlapping within the same Security Fabric. See
Configure IPAM locally on the FortiGate on page 149.
- PPPoE: Get the interface IP address and other network settings from a
PPPoE server. This option is only available on the low-end FortiGate
models.
- One-Arm Sniffer: Set the interface as a sniffer port so it can be used to
detect attacks. See One-arm sniffer on page 157.

IP/Netmask If Addressing Mode is set to Manual, enter an IPv4 address and subnet mask
for the interface. FortiGate interfaces cannot have multiple IP addresses on
the same subnet.

IPv6 addressing mode Select the addressing mode for the interface:
- Manual: Add an IP address and netmask for the interface.
- DHCP: Get the interface IP address and other network settings from a
DHCP server.
- Delegated: Select an IPv6 upstream interface that has DHCPv6 prefix
delegation enabled, and enter an IPv6 subnet if needed. The interface will
get the IPv6 prefix from the upstream DHCPv6 server that is connected to
the IPv6 upstream interface, and form the IPv6 address with the subnet
configured on the interface.

IPv6 Address/Prefix If Addressing Mode is set to Manual and IPv6 support is enabled, enter an
IPv6 address and subnet mask for the interface. A single interface can have an
IPv4 address, IPv6 address, or both.

Auto configure IPv6 address Automatically configure an IPv6 address using Stateless Address Auto-configuration (SLAAC).
This option is available when IPv6 addressing mode is set to Manual.

DHCPv6 prefix delegation Enable/disable DHCPv6 prefix delegation, which can be used to delegate IPv6
prefixes from an upstream DHCPv6 server to another interface or downstream
device.


When enabled, there is an option to enable a DHCPv6 prefix hint that helps the
DHCPv6 server provide the desired prefix.

Create address object matching subnet This option is available when Role is set to LAN or DMZ.
Enable this option to automatically create an address object that matches the
interface subnet.

Secondary IP Address Add additional IPv4 addresses to this interface.

Administrative Access

IPv4 Administrative Access Select the types of administrative access permitted for IPv4 connections to this
interface. See Configure administrative access to interfaces on page 147.

IPv6 Administrative Access Select the types of administrative access permitted for IPv6 connections to this
interface. See Configure administrative access to interfaces on page 147.

DHCP Server Enable a DHCP server for the interface. See DHCP server on page 299.

Stateless Address Auto-configuration (SLAAC) Enable to provide IPv6 addresses to connected devices using SLAAC.

DHCPv6 Server Select to enable a DHCPv6 server for the interface.
When enabled, you can configure DNS service settings: Delegated (delegate
the DNS received from the upstream server), Same as System DNS, or
Specify (up to four servers).
You can also enable Stateful server to configure the DHCPv6 server to be
stateful. Manually enter the IP range, or use Delegated mode to delegate IP
prefixes from an upstream DHCPv6 server connected to the upstream
interface.

Network

Device Detection Enable/disable passively gathering device identity information about the
devices on the network that are connected to this interface.

Security Mode Enable/disable captive portal authentication for this interface. After enabling
captive portal authentication, you can configure the authentication portal, user
and group access, custom portal messages, exempt sources and
destinations/services, and redirect after captive portal.

DSL Settings

Physical mode Set to ADSL or VDSL.

Transfer mode Set to PTM or ATM.
If the Transfer mode is set to ATM, the Virtual channel identification, Virtual
path identification, ATM protocol, and MUX type can be configured.

Traffic Shaping

Outbound shaping profile Enable/disable traffic shaping on the interface. This allows you to enforce
bandwidth limits on individual interfaces. See Interface-based traffic shaping
profile on page 993 for more information.

Miscellaneous


Comments Enter a description of the interface of up to 255 characters.

Status Enable/disable the interface.
- Enabled: The interface is active and can accept network traffic.
- Disabled: The interface is not active and cannot accept traffic.

4. Click OK.

To configure an interface in the CLI:

config system interface
    edit <name>
        set vdom <VDOM_name>
        set mode {static | dhcp | pppoe}
        set ip <IP_address/netmask>
        set security-mode {none | captive-portal | 802.1X}
        set egress-shaping-profile <profile>
        set device-identification {enable | disable}
        set allowaccess {ping https ssh http snmp telnet fgfm radius-acct probe-response fabric ftm}
        set eap-supplicant {enable | disable}
        set eap-method {peap | tls}
        set eap-identity <identity>
        set eap-password <password>
        set eap-ca-cert <CA_cert>
        set eap-user-cert <user_cert>
        set secondary-IP enable
        config secondaryip
            edit 1
                set ip 9.1.1.2 255.255.255.0
                set allowaccess ping https ssh snmp http
            next
        end
    next
end

Configure administrative access to interfaces

You can configure the protocols that administrators can use to access interfaces on the FortiGate. This helps secure
access to the FortiGate by restricting access to a limited number of protocols. It helps prevent users from accessing
interfaces that you don't want them to access, such as public-facing ports.
As a best practice, you should configure administrative access when you're setting the IP address for a port.

To configure administrative access to interfaces in the GUI:

1. Go to Network > Interfaces.


2. Create or edit an interface.
3. In the Administrative Access section, select which protocols to enable for IPv4 and IPv6 Administrative Access.

Speed Test Allow this interface to listen to speed test sender requests.
To allow the FortiGate to be configured as a speed test server, configure the following:
config system global
    set speedtest-server {enable | disable}
end
For more detail, see Speed tests run from the hub to the spokes in dial-up IPsec
tunnels on page 699.

HTTPS Allow secure HTTPS connections to the FortiGate GUI through this interface. If
configured, this option is enabled automatically.

HTTP Allow HTTP connections to the FortiGate GUI through this interface. This option can
only be enabled if HTTPS is already enabled.

PING The interface responds to pings. Use this setting to verify your installation and for
testing.

FMG-Access Allow FortiManager authorization automatically during the communication
exchanges between FortiManager and FortiGate devices.

SSH Allow SSH connections to the CLI through this interface.

SNMP Allow a remote SNMP manager to request SNMP information by connecting to this
interface.

FTM Allow FortiToken Mobile Push (FTM) access.

RADIUS Accounting Allow RADIUS accounting information on this interface.

Security Fabric Connection Allow Security Fabric access. This enables FortiTelemetry and CAPWAP.
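The allowaccess list is the first thing to review when checking whether management of a FortiGate is exposed where it should not be. The following added example is not from this guide or from Fortinet: it parses a constructed `config system interface` block written in the CLI syntax this guide uses and reports two conditions, cleartext management protocols (http, telnet) enabled on any interface, and anything other than ping and fgfm enabled on an interface whose role is wan. Both rules, the parser's limited grammar (config/edit/set/next/end only), and the sample configuration are this example's own choices, not a Fortinet recommendation.

```python
"""Audit 'allowaccess' in a FortiOS-style 'config system interface' block.

Added example, not FortiOS code. The parser understands only the
config/edit/set/next/end grammar shown in the guide's CLI snippets, and the
audit policy (which protocols are flagged on which roles) is this example's
own assumption.
"""
import shlex

# Constructed sample configuration in the guide's CLI syntax.
SAMPLE_CONFIG = """\
config system interface
    edit "wan1"
        set vdom "root"
        set mode dhcp
        set allowaccess ping https ssh http fgfm
        set role wan
    next
    edit "port3"
        set vdom "root"
        set ip 172.31.0.1 255.255.0.0
        set allowaccess ping https ssh snmp
        set role lan
    next
    edit "dmz"
        set vdom "root"
        set ip 10.10.10.1 255.255.255.0
        set allowaccess ping telnet
        set role dmz
    next
end
"""

# Protocols that carry credentials or session data unencrypted (example policy).
CLEARTEXT = {"http", "telnet"}
# On a WAN-role interface only these are tolerated in this example policy.
WAN_ALLOWED = {"ping", "fgfm"}


def parse_interfaces(text):
    """Return {interface_name: {setting: [values]}} from a config block."""
    interfaces, current, name = {}, None, None
    for raw in text.splitlines():
        tokens = shlex.split(raw)  # handles the quoted names and values
        if not tokens:
            continue
        if tokens[0] == "edit":
            name, current = tokens[1], {}
        elif tokens[0] == "set" and current is not None:
            current[tokens[1]] = tokens[2:]
        elif tokens[0] == "next" and name is not None:
            interfaces[name] = current
            name, current = None, None
    return interfaces


def audit_allowaccess(interfaces):
    """Return a sorted list of (interface, finding) tuples."""
    findings = []
    for name, settings in interfaces.items():
        access = set(settings.get("allowaccess", []))
        role = settings.get("role", ["undefined"])[0]
        for proto in sorted(access & CLEARTEXT):
            findings.append((name, f"cleartext management protocol {proto} enabled"))
        if role == "wan":
            for proto in sorted(access - WAN_ALLOWED):
                findings.append((name, f"{proto} exposed on WAN-role interface"))
    return sorted(findings)


if __name__ == "__main__":
    for iface, finding in audit_allowaccess(parse_interfaces(SAMPLE_CONFIG)):
        print(f"{iface}: {finding}")
```

Run against a configuration backup, the same parser can be pointed at the real `config system interface` section; the policy sets at the top are where an organization's own management-access standard goes.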

FEC implementations on 10G, 25G, 40G, and 100G interfaces

Only supported FEC (forward error correction) implementations are allowed to be configured on 10G, 25G, 40G, and
100G interfaces based on the speed that is selected.
- For 1000M, 10G, or 40G interfaces, FEC is not supported and the option is disabled.
- For 25G and 100G interfaces, FEC is automatically set to cl91-rs-fec by default.

To configure an interface for FEC:

config system interface
    edit <name>
        set speed {10000full | 1000full | 100Gauto | 100Gfull | 25000auto | 25000full | 40000full}
        set mediatype {sr4 | lr4 | cr4}
        set forward-error-correction {disable | cl91-rs-fec | cl74-fc-fec}
    next
end

speed {10000full | 1000full | 100Gauto | 100Gfull | 25000auto | 25000full | 40000full}
Set the interface speed:
- 10000full: 10G full-duplex
- 1000full: 1000M full-duplex
- 100Gauto: 100G auto-negotiation
- 100Gfull: 100G full-duplex
- 25000auto: 25G auto-negotiation
- 25000full: 25G full-duplex
- 40000full: 40G full-duplex

mediatype {sr4 | lr4 | cr4}
Set the media type to use:
- sr4: short-range transceiver (4-lane)
- lr4: long-range transceiver (4-lane)
- cr4: copper transceiver (4-lane)

forward-error-correction {disable | cl91-rs-fec | cl74-fc-fec}
Set the forward error correction type:
- disable: disable forward error correction
- cl91-rs-fec: Reed-Solomon (FEC CL91)
- cl74-fc-fec: Firecode (FEC CL74)

To change the interface speed from 40G to 100G:

config system interface
    edit port26
        set speed 100Gfull
    next
end

The speed/mediatype/FEC of port26 will be changed from 40000full/sr4/disable to
100Gfull/sr4/cl91-rs-fec.
Do you want to continue? (y/n) y

Since the speed changed to 100G, the mediatype setting automatically changes to sr4, and the
forward-error-correction setting automatically changes to cl91-rs-fec. When the speed was 40G, the
forward-error-correction setting was disabled.

Configure IPAM locally on the FortiGate

IPAM (IP address management) is available locally on the FortiGate. A standalone FortiGate, or a Fabric root in the
Security Fabric, can act as the IPAM server. Interfaces configured to be auto-managed by IPAM will receive an address
from the IPAM server's address/subnet pool. DHCP Server is automatically enabled in the GUI, and the address range is
populated by IPAM. Users can customize the address pool subnet and the size of a subnet that an interface can request.
IPAM can be configured on the Network > IPAM page using the IPAM Settings, IPAM Rules, and IPAM Interfaces tabs.


To configure IPAM settings:

config system ipam
    set pool-subnet <class IP and netmask>
    set status {enable | disable}
    config pools
        edit <pool_name>
            set subnet <IP address/netmask>
        next
    end
    config rules
        edit <rule_name>
            set device {<FortiGate_serial_number> | *}
            set interface {<name> | *}
            set pool <pool_name>
        next
    end
end

pool-subnet <class IP and netmask> Set the IPAM pool subnet, class A or class B subnet.
status {enable | disable} Enable/disable IP address management services.
config pools Set the subnet for the IP pool.
config rules Set the device, interface, and IP pool for IPAM rules.

In previous FortiOS versions, the set fortiipam-integration option was configured under config system
global.
The following options are available for allocating the subnet size:
config system interface
    edit <name>
        set managed-subnetwork-size {32 | 64 | 128 | 256 | 512 | 1024 | 2048 | 4096 | 8192 | 16384 | 32768 | 65536}
    next
end


Example

In this example, FGT_AA is the Security Fabric root with IPAM enabled. FGT_BB and FGT_CC are downstream Fabric
devices and retrieve IPAM information from FGT_AA. The Fabric interface on all FortiGates is port2. FGT_AA acts as
the DHCP server, and FGT_BB acts as the DHCP client.

To configure IPAM locally in the Security Fabric:

1. On the root FortiGate, go to Network > Interfaces and edit port3.


2. For Addressing Mode, select Auto-Managed by IPAM. DHCP Server is automatically enabled.

3. In this example, IPAM is not enabled yet. Click Enable IPAM. The Subnets Managed by IPAM pane opens.


4. Select Enabled, enter the Pool subnet (only class A and B are allowed) and click OK. The root FortiGate is now the
IPAM server in the Security Fabric.

The following is configured in the backend:

config system interface
    edit "port3"
        set vdom "root"
        set ip 172.31.0.1 255.255.0.0
        set type physical
        set device-identification enable
        set snmp-index 5
        set ip-managed-by-fortiipam enable
    next
end

config system ipam
    set status enable
end

IPAM is managing a 172.31.0.0/16 network and assigned port3 a /24 network by default.
The IP/Netmask field in the Address section has been automatically assigned a class C IP by IPAM. The Address
range and Netmask fields in the DHCP Server section have also been automatically configured by IPAM.


5. Click OK.
6. Log in to FGT_BB and set the Addressing Mode of port4 to Auto-Managed by IPAM. The subnet assigned from the
pool on the root is 172.31.1.1/24.
7. Log in to FGT_CC and set the Addressing Mode of port34 to Auto-Managed by IPAM. The subnet assigned from the
pool on the root is 172.31.2.1/24.

Any interface on a downstream FortiGate can be managed by the IPAM server. The interface
does not have to be directly connected to the Fabric root FortiGate.

To edit the IPAM subnet:

1. Go to Network > IPAM > IPAM Settings.


2. Edit the pool subnet if needed.


3. Click OK.
On downstream FortiGates, the settings on the Network > IPAM > IPAM Settings tab cannot be changed if IPAM is
enabled on the root FortiGate.

Go to Network > IPAM > IPAM Interfaces to view the subnet allocations (port34, port3, and
port3) and DHCP lease information. On FGT_BB, port3 is a DHCP client and the DHCP server
interface (FGT_AA port3) is managed by IPAM, so it is displayed in the Manually Configured
section.

IPAM conflict markers

The IPAM Interfaces tab displays conflict markers when there are IP pool IP address conflicts with manually configured
IP addresses. Administrators can use the Edit Interface dialog to manually resolve the conflict.

To resolve conflicts in the GUI:

1. Go to Network > IPAM > IPAM Interfaces.


2. Hover your mouse over the conflict marker. The conflict marker information is displayed.

3. Click Edit Interface. The Edit Interface pane opens.


4. Enter a new IP address and netmask in the IP/Netmask field.


5. Click OK. A confirmation message is displayed.
6. Click OK.

Diagnostics

Use the following commands to view IPAM related diagnostics.

To view the largest available subnet size:

# diagnose sys ipam largest-available-subnet
Largest available subnet is a /17.

To verify IPAM allocation information:

# diagnose sys ipam dump-ipams-entries
IPAM Entries: (sn, vdom, interface, subnet/mask, flag)
F140EP4Q17000000 root port34 172.31.2.1/24 0
FG5H1E5818900001 root port3 172.31.0.1/24 0
FG5H1E5818900002 root port4 172.31.1.1/24 0
FG5H1E5818900003 root port3 172.31.0.2/24 1

To verify the available subnets:

# diagnose sys ipam dump-ipams-free-subnets
IPAM free subnets: (subnet/mask)
172.31.3.0/24
172.31.4.0/22
172.31.8.0/21
172.31.16.0/20
172.31.32.0/19
172.31.64.0/18
172.31.128.0/17
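The free-subnet list above is what a buddy-style split of a /16 pool into /24 allocations leaves behind. The following added example is not FortiOS code; it models that allocation in Python with the standard ipaddress module, carves the 172.31.0.0/16 pool from the example into the same three /24 allocations for port3, port4 and port34, reproduces the free list and the /17 answer shown in the diagnose output, and flags a manually configured address that falls inside an allocated subnet, which is the situation the IPAM conflict marker reports. The smallest-fitting-block strategy, the mapping from managed-subnetwork-size to prefix length, and the conflict rule are this example's assumptions about how IPAM behaves, not a statement of FortiOS internals.

```python
"""Buddy-style subnet allocation modelled on FortiOS local IPAM.

Added example, not FortiOS code. It carves a pool such as 172.31.0.0/16 into
per-interface subnets and reports the free list and the largest free prefix
the way 'diagnose sys ipam dump-ipams-free-subnets' and
'largest-available-subnet' present them. The allocation strategy (smallest
free block that fits, lowest address first), the size-to-prefix mapping and
the conflict rule are this example's assumptions.
"""
import ipaddress

# managed-subnetwork-size value (hosts) -> IPv4 prefix length; 256 -> /24 (assumption).
SIZE_TO_PREFIX = {2 ** n: 32 - n for n in range(5, 17)}


class IpamPool:
    def __init__(self, pool_subnet):
        pool = ipaddress.ip_network(pool_subnet)
        # The guide only allows class A or class B pools, modelled here as /8 to /16.
        if pool.version != 4 or not 8 <= pool.prefixlen <= 16:
            raise ValueError("pool must be a class A or class B IPv4 subnet")
        self.free = [pool]
        self.allocations = {}  # (serial, vdom, interface) -> IPv4Network

    def allocate(self, serial, vdom, interface, size=256):
        """Give the interface a subnet of `size` hosts; return its first-host address/prefix."""
        prefix = SIZE_TO_PREFIX[size]
        fitting = [b for b in self.free if b.prefixlen <= prefix]
        if not fitting:
            raise RuntimeError(f"no free block large enough for a /{prefix}")
        # Smallest block that fits, lowest address on ties, so large blocks stay intact.
        block = min(fitting, key=lambda b: (-b.prefixlen, b.network_address))
        self.free.remove(block)
        subnet = block if block.prefixlen == prefix else next(block.subnets(new_prefix=prefix))
        self.free.extend(block.address_exclude(subnet))  # the remaining halves stay free
        self.free.sort()
        self.allocations[(serial, vdom, interface)] = subnet
        return ipaddress.ip_interface(f"{subnet[1]}/{prefix}")

    def free_subnets(self):
        """Free blocks in the order the diagnose command lists them."""
        return [str(n) for n in self.free]

    def largest_available_prefix(self):
        return min(n.prefixlen for n in self.free) if self.free else None

    def conflicts(self, manual_addresses):
        """Manually configured addresses that sit inside an allocated subnet (conflict marker case)."""
        hits = []
        for addr in manual_addresses:
            ip = ipaddress.ip_interface(addr).ip
            for (_, _, iface), subnet in self.allocations.items():
                if ip in subnet:
                    hits.append((addr, iface, str(subnet)))
        return hits


if __name__ == "__main__":
    pool = IpamPool("172.31.0.0/16")  # the pool used in the guide's example
    # Serials and interfaces taken from the guide's dump-ipams-entries output.
    for serial, iface in (("FG5H1E5818900001", "port3"),
                          ("FG5H1E5818900002", "port4"),
                          ("F140EP4Q17000000", "port34")):
        print(serial, iface, pool.allocate(serial, "root", iface))
    print("free:", pool.free_subnets())
    print("largest available: /%d" % pool.largest_available_prefix())
    print("conflicts:", pool.conflicts(["172.31.0.2/24"]))
```

The `conflicts` call uses the 172.31.0.2/24 address that appears with flag 1 in the dump above; it lands inside port3's allocation, which is exactly the overlap an administrator resolves from the Edit Interface dialog.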


To remove a device from IPAM in the Security Fabric:

# diagnose sys ipam delete-device-from-ipams F140EP4Q17000000
Successfully removed device F140EP4Q17000000 from ipam

Interface MTU packet size

Changing the maximum transmission unit (MTU) on FortiGate interfaces changes the size of transmitted packets. Most
FortiGate devices' physical interfaces support jumbo frames that are up to 9216 bytes, but some only support 9000 or
9204 bytes.
To avoid fragmentation, the MTU should be the same as the smallest MTU in all of the networks between the FortiGate
and the destination. If the packets sent by the FortiGate are larger than the smallest MTU, then they are fragmented,
slowing down the transmission. Packets with the DF flag set in the IPv4 header are dropped and not fragmented.
On many network and endpoint devices, the path MTU is used to determine the smallest MTU and to transmit packets
within that size.
- ASIC accelerated FortiGate interfaces, such as NP6, NP7, and SOC4 (np6xlite), support MTU sizes up to 9216
bytes.
- FortiGate VMs can have varying maximum MTU sizes, depending on the underlying interface and driver.
- Virtual interfaces, such as VLAN interfaces, inherit their MTU size from their parent interface.

To verify the supported MTU size:

config system interface
    edit <interface>
        set mtu-override enable
        set mtu <integer>
    next
end

To change the MTU size:

config system interface
    edit <interface>
        set mtu-override enable
        set mtu <max bytes>
    next
end

Maximum MTU size on a path

To manually test the maximum MTU size on a path, you can use the ping command on a Windows computer.
For example, you can send ICMP packets of a specific size with a DF flag, and iterate through increasing sizes until the
ping fails.
- The -f option specifies the Do not Fragment (DF) flag.
- The -l option specifies the length, in bytes, of the Data field in the echo Request messages. This does not include
the 8 bytes for the ICMP header and 20 bytes for the IP header. Therefore, if the maximum MTU is 1500 bytes, then
the maximum supported data size is: 1500 - 8 - 20 = 1472 bytes.


To determine the maximum MTU size on a path:

1. In Windows command prompt, try a likely MTU size:

>ping 4.2.2.1 -l 1472 -f
Pinging 4.2.2.1 with 1472 bytes of data:
Reply from 4.2.2.1: bytes=1472 time=41ms TTL=52
Reply from 4.2.2.1: bytes=1472 time=42ms TTL=52
Reply from 4.2.2.1: bytes=1472 time=103ms TTL=52
Reply from 4.2.2.1: bytes=1472 time=38ms TTL=52

Ping statistics for 4.2.2.1:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 38ms, Maximum = 103ms, Average = 56ms

2. Increase the size and try the ping again:

>ping 4.2.2.1 -l 1473 -f
Pinging 4.2.2.1 with 1473 bytes of data:
Request timed out.

Ping statistics for 4.2.2.1:
Packets: Sent = 1, Received = 0, Lost = 1 (100% loss),

The second test fails, so the maximum MTU size on the path is 1472 bytes + 8-byte ICMP header + 20-byte IP
header = 1500 bytes.

Maximum segment size

The TCP maximum segment size (MSS) is the maximum amount of data that can be sent in a TCP segment. The MSS is
the MTU size of the interface minus the 20 byte IP header and 20 byte TCP header. By reducing the TCP MSS, you can
effectively reduce the MTU size of the packet.
The TCP MSS can be configured in a firewall policy (see Configurations in the CLI on page 802), or directly on an
interface.

To configure the MSS on an interface:

config system interface
    edit "wan2"
        set vdom "root"
        set mode dhcp
        set allowaccess ping fgfm
        set type physical
        set tcp-mss 1448
        set role wan
    next
end
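The path MTU procedure above increases the ping payload by hand until a DF-flagged probe stops being answered. The following added example, which is not from this guide, generalizes it: a binary search over the probe size that finds the path MTU in roughly fourteen probes across the 576 to 9216 byte range instead of one probe per byte, together with the payload and MSS arithmetic from the two MTU sections. The probe is passed in as a function so the search can run offline against a simulated path; `ping_probe` wraps the platform ping command (Windows `-l`/`-f` as in the guide, Linux iputils `-s`/`-M do`) for use on a real path. The 576-byte lower bound and the `-W 2` timeout are this example's choices.

```python
"""Path MTU search and TCP MSS derivation.

Added example, not from the FortiOS guide. The guide increases the ping
payload by hand; this binary-searches the largest DF-flagged payload that
gets a reply. Header sizes are the IPv4 values the guide uses.
"""
import platform
import subprocess

ICMP_HEADER = 8   # bytes, ICMP echo header
IPV4_HEADER = 20  # bytes, IPv4 header without options
TCP_HEADER = 20   # bytes, TCP header without options


def payload_for_mtu(mtu):
    """Largest ICMP echo data size that fits one DF-flagged IPv4 packet of size mtu."""
    return mtu - ICMP_HEADER - IPV4_HEADER


def mss_for_mtu(mtu):
    """TCP MSS as the guide defines it: MTU minus the IPv4 and TCP headers."""
    return mtu - IPV4_HEADER - TCP_HEADER


def find_path_mtu(probe, low=576, high=9216):
    """Binary-search the path MTU between low and high (bytes).

    probe(size) must return True when a DF-flagged echo carrying `size` data
    bytes is answered. Returns the MTU in bytes, or None if even the smallest
    probe fails. The 576-byte floor is this example's choice (IPv4 minimum
    reassembly size); 9216 is the largest jumbo frame the guide mentions.
    """
    lo, hi = payload_for_mtu(low), payload_for_mtu(high)
    if not probe(lo):
        return None
    # Invariant: probe(lo) succeeded; every size above hi has failed.
    while lo < hi:
        mid = (lo + hi + 1) // 2
        if probe(mid):
            lo = mid
        else:
            hi = mid - 1
    return lo + ICMP_HEADER + IPV4_HEADER


def simulated_path(path_mtu):
    """Offline stand-in for a network path: replies only if the whole packet fits."""
    return lambda size: size + ICMP_HEADER + IPV4_HEADER <= path_mtu


def ping_probe(host):
    """Real probe using the platform ping (Windows -l/-f, Linux iputils -s/-M do)."""
    def probe(size):
        if platform.system() == "Windows":
            cmd = ["ping", host, "-n", "1", "-l", str(size), "-f"]
        else:
            cmd = ["ping", "-c", "1", "-W", "2", "-M", "do", "-s", str(size), host]
        return subprocess.run(cmd, capture_output=True).returncode == 0
    return probe


if __name__ == "__main__":
    mtu = find_path_mtu(simulated_path(1500))
    print(f"path MTU {mtu}, ping payload {payload_for_mtu(mtu)}, TCP MSS {mss_for_mtu(mtu)}")
```

Replacing `simulated_path(1500)` with `ping_probe("4.2.2.1")` runs the same search against the host used in the guide's example; the result feeds straight into `set mtu` or, via `mss_for_mtu`, into `set tcp-mss`.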

One-arm sniffer

You can use a one-arm sniffer to configure a physical interface as a one-arm intrusion detection system (IDS). Traffic
sent to the interface is examined for matches to the configured security profile. The matches are logged, and then all
received traffic is dropped. Sniffing only reports on attacks; it does not deny or influence traffic.


You can also use the one-arm sniffer to configure the FortiGate to operate as an IDS appliance to sniff network traffic for
attacks without actually processing the packets. To configure a one-arm IDS, enable sniffer mode on a physical interface
and connect the interface to the SPAN port of a switch or a dedicated network tap that can replicate the traffic to the
FortiGate.
If the one-arm sniffer option is not available, this means the interface is in use. Ensure that the interface is not selected in
any firewall policies, routes, virtual IPs, or other features where a physical interface is specified. The option also does not
appear if the role is set to WAN. Ensure the role is set to LAN, DMZ, or undefined.
The following table lists some of the one-arm sniffer settings you can configure:

Field Description

Security Profiles The following profiles are configurable in the GUI and CLI:
- Antivirus
- Web filter
- Application control
- IPS
- File filter
The following profiles are only configurable in the CLI:
- Email filter
- DLP
- IPS DoS

CPU usage and packet loss

Traffic scanned on the one-arm sniffer interface is processed by the CPU, even if there is an SPU, such as NPU or CP,
present. The one-arm sniffer may cause higher CPU usage and perform at a lower level than traditional inline scanning,
which uses NTurbo or CP to accelerate traffic when present.
The absence of high CPU usage does not indicate the absence of packet loss. Packet loss may occur due to the
capacity of the TAP devices hitting maximum traffic volume during mirroring, or on the FortiGate when the kernel buffer
size is exceeded and it is unable to handle bursts of traffic.

Example configuration

The following example shows how to configure a file filter profile that blocks PDF and RAR files used in a one-arm sniffer
policy.

To configure a one-arm sniffer policy in the GUI:

1. Go to Network > Interfaces and double-click a physical interface to edit it.


2. For Role, select either LAN, DMZ, or Undefined.
3. For Addressing Mode, select One-Arm Sniffer.


4. In the Security Profiles section, enable File Filter and click Edit. The Edit File Filter Profile pane opens.
5. In the Rules table, click Create New.


6. Configure the rule:
a. For File types, click the + and select pdf and rar.
b. For Action, select Block.
c. Click OK to save the rule.
7. Click OK to save the file filter profile.


8. Click OK to save the interface settings.


9. Go to Log & Report > Security Events to view the File Filter logs.

To configure a one-arm sniffer policy in the CLI:

1. Configure the interface:

config system interface
    edit "s1"
        set vdom "root"
        set ips-sniffer-mode enable
        set type physical
        set role undefined
        set snmp-index 31
    next
end

2. Configure the file filter profile:

config file-filter profile
    edit "sniffer-profile"
        set comment "File type inspection."
        config rules
            edit "1"
                set protocol http ftp smtp imap pop3 cifs
                set action block
                set file-type "pdf" "rar"
            next
        end
    next
end

3. Configure the firewall sniffer policy:

config firewall sniffer
    edit 1
        set interface "s1"
        set file-filter-profile-status enable
        set file-filter-profile "sniffer-profile"
    next
end

4. View the log:


# execute log filter category 19
# execute log display
1 logs found.
1 logs returned.

1: date=2020-12-29 time=09:14:46 eventtime=1609262086871379250 tz="-0800"
logid="1900064000" type="utm" subtype="file-filter" eventtype="file-filter"
level="warning" vd="root" policyid=1 sessionid=792 srcip=172.16.200.55 srcport=20
srcintf="s1" srcintfrole="undefined" dstip=10.1.100.11 dstport=56745 dstintf="s1"
dstintfrole="undefined" proto=6 service="FTP" profile="sniffer-profile"
direction="outgoing" action="blocked" filtername="1" filename="hello.pdf" filesize=9539
filetype="pdf" msg="File was blocked by file filter."
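
The log record above uses FortiOS's key=value format, in which quoted values may contain spaces. The following Python is an added example (not from the guide or from Fortinet) that parses such records and selects the blocked file-filter events the sniffer-profile rule produces; the first sample record is a copy of the guide's log line and the other two are constructed for contrast.

```python
"""Parse FortiOS key=value log records and pick out blocked file-filter events.

Added example, not taken from the FortiOS guide. The first record below is a
constructed copy of the file-filter log line shown in the guide; the other two
are constructed for contrast. Field names (type, subtype, action, filetype,
filename, ...) are the ones that appear in that log line.
"""
import re
from typing import Dict, Iterable, List

# One field is key=value; the value is either a double-quoted string, which may
# contain spaces (msg="File was blocked by file filter."), or a bare token.
_FIELD_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_fortios_log(record: str) -> Dict[str, str]:
    """Split one FortiOS log record into a dict, stripping quotes from values."""
    fields: Dict[str, str] = {}
    for key, value in _FIELD_RE.findall(record):
        if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
            value = value[1:-1]
        fields[key] = value
    return fields


def blocked_file_events(records: Iterable[str],
                        watched_types: Iterable[str] = ("pdf", "rar")) -> List[Dict[str, object]]:
    """Summarise every UTM file-filter record whose action was 'blocked' and whose
    detected file type is in watched_types (the types the guide's rule blocks)."""
    watched = set(watched_types)
    hits: List[Dict[str, object]] = []
    for rec in records:
        f = parse_fortios_log(rec)
        if f.get("type") != "utm" or f.get("subtype") != "file-filter":
            continue
        if f.get("action") != "blocked" or f.get("filetype") not in watched:
            continue
        hits.append({
            "time": f"{f.get('date')} {f.get('time')}",
            "src": f.get("srcip"),
            "dst": f.get("dstip"),
            "service": f.get("service"),
            "interface": f.get("srcintf"),
            "file": f.get("filename"),
            "type": f.get("filetype"),
            "size": int(f.get("filesize", "0")),
        })
    return hits


# Constructed sample records; the first reproduces the guide's log line.
SAMPLE_RECORDS = [
    'date=2020-12-29 time=09:14:46 eventtime=1609262086871379250 tz="-0800" '
    'logid="1900064000" type="utm" subtype="file-filter" eventtype="file-filter" '
    'level="warning" vd="root" policyid=1 sessionid=792 srcip=172.16.200.55 srcport=20 '
    'srcintf="s1" srcintfrole="undefined" dstip=10.1.100.11 dstport=56745 dstintf="s1" '
    'dstintfrole="undefined" proto=6 service="FTP" profile="sniffer-profile" '
    'direction="outgoing" action="blocked" filtername="1" filename="hello.pdf" filesize=9539 '
    'filetype="pdf" msg="File was blocked by file filter."',
    # Constructed: blocked, but a file type outside the watched set.
    'date=2020-12-29 time=09:15:02 type="utm" subtype="file-filter" level="warning" '
    'srcip=172.16.200.55 dstip=10.1.100.11 service="HTTP" action="blocked" '
    'filename="notes.txt" filesize=120 filetype="txt" msg="File was blocked by file filter."',
    # Constructed: a different UTM subtype, which the selector ignores.
    'date=2020-12-29 time=09:15:10 type="utm" subtype="webfilter" level="warning" '
    'srcip=172.16.200.55 dstip=10.1.100.11 action="blocked" msg="URL was blocked."',
]

if __name__ == "__main__":
    for hit in blocked_file_events(SAMPLE_RECORDS):
        print(hit)
```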

Interface migration wizard

The Integrate Interface option on the Network > Interfaces page helps migrate a physical port into another interface or
interface type such as aggregate, software switch, redundant, zone, or SD-WAN zone. The FortiGate migrates object
references either by replacing the existing instance with the new interface or by deleting the existing instance, based on
the user's choice. Users can also change the VLAN ID of an existing VLAN subinterface or FortiSwitch VLAN.

The interface migration wizard does not support turning an aggregate, software switch,
redundant, zone, or SD-WAN zone interface back into a physical interface.

Integrating an interface

In this example, an interface that hosts a DHCP server is integrated into a newly created redundant interface, which
transfers the DHCP server to the redundant interface.

To integrate an interface:

1. Go to Network > Interfaces and select an interface in the list.


2. Click Integrate Interface. The wizard opens.

Alternatively, select an interface in the list. Then right-click and select Integrate Interface.

3. Select Migrate to Interface and click Next.

4. Select Create an Interface. Enter a name (rd1) and set the Type to Redundant.

5. Click Next. The References section lists the associated services with options to Replace Instance or Delete Entry.
6. For the DHCP server Action, select Replace Instance and click Create.

7. The migration occurs automatically and the statuses for the object and reference change to Updated entry. Click
Close.

Changing the VLAN ID

In this example, the VLAN ID of InternalVLAN is changed from 11 to 22.

To change the VLAN ID:

1. Go to Network > Interfaces and edit an existing interface.


2. Beside the VLAN ID field, click Edit. The Update VLAN ID window opens.

3. Enter the new ID (22) and click Next.

4. Verify the changes, then click Update and OK.

5. The target object status changes to Updated entry. Click Close.

In the interface settings, the ID displays as 22.

Captive portals

A captive portal is used to enforce authentication before web resources can be accessed. Until a user authenticates
successfully, any HTTP request returns the authentication page. After successfully authenticating, a user can access the
requested URL and other web resources, as permitted by policies. The captive portal can also be configured to only
allow access to members of specific user groups.
Captive portals can be hosted on the FortiGate or on an external authentication server. They can be configured on any
network interface, including VLAN and WiFi interfaces. On a WiFi interface, the access point appears open, and the
client can connect to the access point with no security credentials, but then sees the captive portal authentication page.
See Captive Portal Security in the FortiWiFi and FortiAP Configuration Guide for more information.
All users on the interface are required to authenticate. Exemption lists can be created for devices that are unable to
authenticate, such as a printer that requires access to the internet for firmware upgrades.

To configure a captive portal in the GUI:

1. Go to Network > Interfaces and edit the interface that the users connect to. The interface Role must be LAN or
Undefined.
2. Enable Security mode.

3. Configure the following settings, then click OK.

Authentication Portal: Configure the location of the portal:
l Local: the portal is hosted on the FortiGate unit.
l External: enter the FQDN or IP address of the external portal.

User access: Select if the portal applies to all users or to selected user groups:
l Restricted to Groups: restrict access to the selected user groups. The Login page is shown when a user tries to log in
to the captive portal.
l Allow all: all users can log in, but access is defined by the relevant policies. The Disclaimer page is shown when a
user tries to log in to the captive portal.

Customize portal messages: Enable to use custom portal pages, then select a replacement message group. See Custom
captive portal pages on page 168.

Exempt sources: Select sources that are exempt from the captive portal. Each exemption is added as a rule in an
automatically generated exemption list.

Exempt destinations/services: Select destinations and services that are exempt from the captive portal. Each exemption
is added as a rule in an automatically generated exemption list.

Redirect after Captive Portal: Configure website redirection after successful captive portal authentication:
l Original Request: redirect to the URL that was initially requested.
l Specific URL: redirect to the specified URL.

To configure a captive portal in the CLI:

1. If required, create a security exemption list:


config user security-exempt-list
edit <list>
config rule
edit 1
set srcaddr <source(s)>
set dstaddr <destination(s)>
set service <service(s)>
next
edit 2
set srcaddr <source(s)>
set dstaddr <destination(s)>
set service <service(s)>
next
end
next
end

2. Configure captive portal authentication on the interface:


config system interface
edit <interface>
set security-mode {none | captive-portal}
set security-external-web <string>
set replacemsg-override-group <group>
set security-redirect-url <string>
set security-exempt-list <list>
set security-groups <group(s)>
next
end

Custom captive portal pages

Portal pages are HTML files that can be customized to meet user requirements.
Most of the text and some of the HTML in the message can be changed. Tags are enclosed by double percent signs
(%%); most of them should not be changed because they might carry information that the FortiGate unit needs. For
information about customizing replacement messages, see Modifying replacement messages on page 2240.
The images on the pages can be replaced. For example, your organization's logo can replace the Fortinet logo. For
information about uploading and using new images in replacement messages, see Replacement message images on
page 2241.
The following pages are used by captive portals:

Login Page: Requests user credentials. The %%QUESTION%% tag provides the "Please enter the required information to
continue." text. This page is shown to users that are trying to log in when User access is set to Restricted to Groups.

Login Failed Page: Reports that incorrect credentials were entered, and requests correct credentials. The
%%FAILED_MESSAGE%% tag provides the "Firewall authentication failed. Please try again." text.

Disclaimer Page: A statement of the legal responsibilities of the user and the host organization that the user must agree
to before proceeding. This page is shown to users that are trying to log in when User access is set to Allow all.

Declined Disclaimer Page: Shown if the user does not agree to the statement on the Disclaimer page. Access is denied
until the user agrees to the disclaimer.

Physical interface

A FortiGate has several physical interfaces that can connect to Ethernet or optical cables. Depending on the FortiGate
model, it can have a varying combination of Ethernet, small form-factor pluggable (SFP), and enhanced small form-factor
pluggable (SFP+) interfaces.
The port names, as labeled on the FortiGate, appear in the interfaces list on the Network > Interfaces page. Hover the
cursor over a port to view information, such as the name and the IP address.
Refer to Configuring an interface for basic GUI and CLI configuration steps.

Displaying transceiver status information for SFP and SFP+ interfaces

Transceiver status information for SFP and SFP+ interfaces installed on the FortiGate can be displayed in the GUI and
CLI. For example, the type, vendor name, part number, serial number, and port name. The CLI output includes additional
information that can be useful for diagnosing transmission problems, such as the temperature, voltage, and optical
transmission power.

To view transceiver status information in the GUI:

1. Go to Network > Interfaces. The Transceiver column is visible in the table, which displays the transceiver vendor
name and part number.
2. Hover the cursor over a transceiver to view more information.

To view transceiver status information in the CLI:

# get system interface transceiver
Interface port9 - SFP/SFP+
Vendor Name : FINISAR CORP.
Part No. : FCLF-8521-3
Serial No. : PMS***
Interface port10 - Transceiver is not detected.
Interface port11 - SFP/SFP+
Vendor Name : QNC
Part No. : LCP-1250RJ3SRQN
Serial No. : QNDT****
Interface port12 - SFP/SFP+
Vendor Name : QNC
Part No. : LCP-1250RJ3SRQN
Serial No. : QNDT****
Interface s1 - SFP/SFP+
Vendor Name : JDSU
Part No. : PLRXPLSCS4322N
Serial No. : CB26U****
Interface s2 - SFP/SFP+
Vendor Name : JDSU
Part No. : PLRXPLSCS4321N
Serial No. : C825U****
Interface vw1 - Transceiver is not detected.
Interface vw2 - Transceiver is not detected.
Interface x1 - SFP/SFP+
Vendor Name : Fortinet
Part No. : LCP-10GRJ3SRFN
Serial No. : 19090910****
Interface x2 - Transceiver is not detected.
                                                      Optical      Optical      Optical
SFP/SFP+     Temperature  Voltage      Tx Bias      Tx Power     Rx Power
Interface    (Celsius)    (Volts)      (mA)         (dBm)        (dBm)
------------ ------------ ------------ ------------ ------------ ------------
port9        N/A          N/A          N/A          N/A          N/A
port11       N/A          N/A          N/A          N/A          N/A
port12       N/A          N/A          N/A          N/A          N/A
s1           38.3         3.35         6.80         -2.3         -3.2
s2           42.1         3.34         7.21         -2.3         -3.0
x1           N/A          N/A          N/A          N/A          N/A
++ : high alarm, + : high warning, - : low warning, -- : low alarm, ? : suspect.

VLAN

Virtual local area networks (VLANs) multiply the capabilities of your FortiGate and can also provide added network
security. VLANs use ID tags to logically separate devices on a network into smaller broadcast domains. These smaller
domains forward packets only to devices that are part of that VLAN domain. This reduces traffic and increases network
security.

VLANs in NAT mode

In NAT mode, the FortiGate unit functions as a layer-3 device. In this mode, the FortiGate unit controls the flow of
packets between VLANs and can also remove VLAN tags from incoming VLAN packets. The FortiGate unit can also
forward untagged packets to other networks such as the Internet.
In NAT mode, the FortiGate unit supports VLAN trunk links with IEEE 802.1Q-compliant switches or routers. The trunk
link transports VLAN-tagged packets between physical subnets or networks. When you add VLAN subinterfaces to the
FortiGate's physical interfaces, the VLANs have IDs that match the VLAN IDs of packets on the trunk link. The FortiGate
unit directs packets with VLAN IDs to subinterfaces with matching IDs.
You can define VLAN subinterfaces on all FortiGate physical interfaces. However, if multiple virtual domains are
configured on the FortiGate unit, you only have access to the physical interfaces on your virtual domain. The FortiGate
unit can tag packets leaving on a VLAN subinterface. It can also remove VLAN tags from incoming packets and add a
different VLAN tag to outgoing packets.
Normally in VLAN configurations, the FortiGate unit's internal interface is connected to a VLAN trunk, and the external
interface connects to an Internet router that is not configured for VLANs. In this configuration, the FortiGate unit can
apply different policies for traffic on each VLAN interface connected to the internal interface, which results in less
network traffic and better security.

Sample topology

In this example, two different internal VLAN networks share one interface on the FortiGate unit and share the connection
to the Internet. This example shows that two networks can have separate traffic streams while sharing a single interface.
This configuration can apply to two departments in a single company or to different companies.
There are two different internal network VLANs in this example. VLAN_100 is on the 10.1.1.0/255.255.255.0 subnet, and
VLAN_200 is on the 10.1.2.0/255.255.255.0 subnet. These VLANs are connected to the VLAN switch.
The FortiGate internal interface connects to the VLAN switch through an 802.1Q trunk. The internal interface has an IP
address of 192.168.110.126 and is configured with two VLAN subinterfaces (VLAN_100 and VLAN_200). The external
interface has an IP address of 172.16.21.2 and connects to the Internet. The external interface has no VLAN
subinterfaces.
When the VLAN switch receives packets from VLAN_100 and VLAN_200, it applies VLAN ID tags and forwards the
packets of each VLAN both to local ports and to the FortiGate unit across the trunk link. The FortiGate unit has policies
that allow traffic to flow between the VLANs, and from the VLANs to the external network.

Sample configuration

In this example, both the FortiGate unit and the Cisco 2950 switch are installed and connected and basic configuration
has been completed. On the switch, you need access to the CLI to enter commands. No VDOMs are enabled in this
example.
General configuration steps include:
1. Configure the external interface.
2. Add two VLAN subinterfaces to the internal network interface.
3. Add firewall addresses and address ranges for the internal and external networks.
4. Add security policies to allow:
l the VLAN networks to access each other.

l the VLAN networks to access the external network.

To configure the external interface:

config system interface
edit external
set mode static
set ip 172.16.21.2 255.255.255.0
next
end

To add VLAN subinterfaces:

config system interface
edit VLAN_100
set vdom root
set interface internal
set type vlan
set vlanid 100
set mode static
set ip 10.1.1.1 255.255.255.0
set allowaccess https ping
next
edit VLAN_200
set vdom root
set interface internal
set type vlan
set vlanid 200
set mode static
set ip 10.1.2.1 255.255.255.0
set allowaccess https ping
next
end

To add the firewall addresses:

config firewall address
edit VLAN_100_Net
set type ipmask
set subnet 10.1.1.0 255.255.255.0
next
edit VLAN_200_Net
set type ipmask
set subnet 10.1.2.0 255.255.255.0
next
end

To add security policies:

Policies 1 and 2 do not need NAT enabled, but policies 3 and 4 do.

config firewall policy
edit 1
set srcintf VLAN_100
set srcaddr VLAN_100_Net
set dstintf VLAN_200
set dstaddr VLAN_200_Net
set schedule always
set service ALL
set action accept
set nat disable
set status enable
next
edit 2
set srcintf VLAN_200
set srcaddr VLAN_200_Net
set dstintf VLAN_100
set dstaddr VLAN_100_Net
set schedule always
set service ALL
set action accept
set nat disable
set status enable
next
edit 3
set srcintf VLAN_100
set srcaddr VLAN_100_Net
set dstintf external
set dstaddr all
set schedule always
set service ALL
set action accept
set nat enable
set status enable
next
edit 4
set srcintf VLAN_200
set srcaddr VLAN_200_Net
set dstintf external
set dstaddr all
set schedule always
set service ALL
set action accept
set nat enable
set status enable
next
end
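
The distinction between policies 1 and 2 (no NAT) and policies 3 and 4 (NAT) can be checked mechanically. The following Python is an added example (not from the guide or from Fortinet) that parses FortiOS config/edit/set/next/end text and audits each policy's NAT setting against that rule; the embedded config is a constructed copy of policies 1 and 3 plus a deliberately wrong policy 5, and treating a missing set nat as disabled is an assumption about the FortiOS default.

```python
"""Parse FortiOS CLI configuration blocks and audit the NAT setting of the
sample VLAN policies.

Added example, not part of the FortiOS guide. The parser understands the
config / edit / set / next / end structure used throughout the guide. The
config text below is a constructed copy of the guide's policies 1 and 3 plus
a deliberately wrong policy 5 (VLAN_200 to external with NAT disabled). A
missing 'set nat' is treated as disabled (assumed FortiOS default).
"""
import shlex
from typing import Any, Dict, List, Set


def parse_fortios_config(text: str) -> Dict[str, Any]:
    """Return nested dicts: table name -> entry name -> {setting: [values]}.

    'config <name>' opens a table, 'edit <id>' opens an entry in it, 'set <key>
    <values...>' stores the values as a list (shlex strips the quotes FortiOS
    uses, e.g. set vdom "root"), and 'next' / 'end' close the current entry /
    table. FortiOS 'edit 0' means "allocate the next free ID"; several 'edit 0'
    entries in one table would merge here, so use explicit IDs."""
    root: Dict[str, Any] = {}
    stack: List[Dict[str, Any]] = [root]
    for lineno, raw in enumerate(text.splitlines(), 1):
        tokens = shlex.split(raw)
        if not tokens:
            continue
        cmd, args = tokens[0], tokens[1:]
        if cmd in ("config", "edit"):
            if not args:
                raise ValueError(f"line {lineno}: '{cmd}' needs a name")
            node = stack[-1].setdefault(" ".join(args), {})
            stack.append(node)
        elif cmd == "set":
            if len(args) < 2:
                raise ValueError(f"line {lineno}: 'set' needs a key and a value")
            stack[-1][args[0]] = args[1:]
        elif cmd in ("next", "end"):
            if len(stack) == 1:
                raise ValueError(f"line {lineno}: unbalanced '{cmd}'")
            stack.pop()
        else:
            raise ValueError(f"line {lineno}: unknown command {cmd!r}")
    if len(stack) != 1:
        raise ValueError("unterminated config/edit block")
    return root


def audit_vlan_nat(policies: Dict[str, Dict[str, List[str]]],
                   vlan_intfs: Set[str], external: str) -> List[str]:
    """Apply the guide's rule: policies between the VLAN subinterfaces must not
    NAT, policies to the external interface must NAT. One finding per violation."""
    findings: List[str] = []
    for pid, p in policies.items():
        src, dst = set(p.get("srcintf", [])), set(p.get("dstintf", []))
        nat = p.get("nat", ["disable"])[0]    # assumed default when unset
        if src <= vlan_intfs and dst <= vlan_intfs and nat != "disable":
            findings.append(f"policy {pid}: inter-VLAN traffic should not be NATed")
        if external in dst and nat != "enable":
            findings.append(f"policy {pid}: traffic to {external} must be NATed")
    return findings


# Constructed: the guide's policies 1 and 3, plus a wrong policy 5 for the audit to catch.
SAMPLE_POLICY_CONFIG = """\
config firewall policy
    edit 1
        set srcintf VLAN_100
        set srcaddr VLAN_100_Net
        set dstintf VLAN_200
        set dstaddr VLAN_200_Net
        set action accept
        set nat disable
    next
    edit 3
        set srcintf VLAN_100
        set srcaddr VLAN_100_Net
        set dstintf external
        set dstaddr all
        set action accept
        set nat enable
    next
    edit 5
        set srcintf VLAN_200
        set srcaddr VLAN_200_Net
        set dstintf external
        set dstaddr all
        set action accept
        set nat disable
    next
end
"""

if __name__ == "__main__":
    policies = parse_fortios_config(SAMPLE_POLICY_CONFIG)["firewall policy"]
    for finding in audit_vlan_nat(policies, {"VLAN_100", "VLAN_200"}, "external"):
        print(finding)
```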

VLANs in transparent mode

In transparent mode, the FortiGate unit behaves like a layer-2 bridge but can still provide services such as antivirus
scanning, web filtering, spam filtering, and intrusion protection to traffic. Some limitations of transparent mode are that
you cannot use SSL VPN, PPTP/L2TP VPN, or a DHCP server, or easily perform NAT on traffic. The limits in transparent
mode apply to IEEE 802.1Q VLAN trunks passing through the unit.
You can insert the FortiGate unit operating in transparent mode into the VLAN trunk without making changes to your
network. In a typical configuration, the FortiGate unit internal interface accepts VLAN packets on a VLAN trunk from a
VLAN switch or router connected to internal network VLANs. The FortiGate external interface forwards VLAN-tagged
packets through another VLAN trunk to an external VLAN switch or router and on to external networks such as the
Internet. You can configure the unit to apply different policies for traffic on each VLAN in the trunk.
To pass VLAN traffic through the FortiGate unit, you add two VLAN subinterfaces with the same VLAN ID, one to the
internal interface and the other to the external interface. You then create a security policy to permit packets to flow from
the internal VLAN interface to the external VLAN interface. If required, create another security policy to permit packets to
flow from the external VLAN interface to the internal VLAN interface. Typically in transparent mode, you do not permit
packets to move between different VLANs. Network protection features such as spam filtering, web filtering, and
antivirus scanning are applied through the UTM profiles specified in each security policy, enabling very detailed control
over traffic.
When the FortiGate unit receives a VLAN-tagged packet on a physical interface, it directs the packet to the VLAN
subinterface with the matching VLAN ID. The VLAN tag is removed from the packet and the FortiGate unit then applies
security policies using the same method it uses for non-VLAN packets. If the packet exits the FortiGate unit through a
VLAN subinterface, the VLAN ID for that subinterface is added to the packet and the packet is sent to the corresponding
physical interface.

Sample topology

In this example, the FortiGate unit is operating in transparent mode and is configured with two VLANs: one with an ID of
100 and the other with ID 200. The internal and external physical interfaces each have two VLAN subinterfaces, one for
VLAN_100 and one for VLAN_200.
The IP range for the internal VLAN_100 network is 10.100.0.0/255.255.0.0, and for the internal VLAN_200 network is
10.200.0.0/255.255.0.0.
The internal networks are connected to a Cisco 2950 VLAN switch, which combines traffic from the two VLANs onto one
trunk connected to the FortiGate unit's internal interface. The VLAN traffic leaves the FortiGate unit on the external
network interface, goes on to the VLAN switch, and on to the Internet. When the FortiGate unit receives a tagged packet,
it directs it from the incoming VLAN subinterface to the outgoing VLAN subinterface for that VLAN.
In this example, we create a VLAN subinterface on the internal interface and another one on the external interface, both
with the same VLAN ID. Then we create security policies that allow packets to travel between the VLAN_100_int
interface and the VLAN_100_ext interface. Two policies are required: one for each direction of traffic. The same is
required between the VLAN_200_int interface and the VLAN_200_ext interface, for a total of four security policies.

Sample configuration

There are two main steps to configure your FortiGate unit to work with VLANs in transparent mode:
1. Add VLAN subinterfaces.
2. Add security policies.
You can also configure the protection profiles that manage antivirus scanning, web filtering, and spam filtering.

To add VLAN subinterfaces:

config system interface
edit VLAN_100_int
set type vlan
set interface internal
set vlanid 100
next
edit VLAN_100_ext
set type vlan
set interface external
set vlanid 100
next
edit VLAN_200_int
set type vlan
set interface internal
set vlanid 200
next
edit VLAN_200_ext
set type vlan
set interface external
set vlanid 200
next
end

To add security policies:

config firewall policy
edit 1
set srcintf VLAN_100_int
set srcaddr all
set dstintf VLAN_100_ext
set dstaddr all
set action accept
set schedule always
set service ALL
next
edit 2
set srcintf VLAN_100_ext
set srcaddr all
set dstintf VLAN_100_int
set dstaddr all
set action accept
set schedule always
set service ALL
next
edit 3
set srcintf VLAN_200_int
set srcaddr all
set dstintf VLAN_200_ext
set dstaddr all
set action accept
set schedule always
set service ALL
next
edit 4
set srcintf VLAN_200_ext
set srcaddr all
set dstintf VLAN_200_int
set dstaddr all
set action accept
set schedule always
set service ALL
next
end

Virtual VLAN switch

The hardware switch ports on FortiGate models that support virtual VLAN switches can be used as a layer 2 switch.
Virtual VLAN switch mode allows 802.1Q VLANs to be assigned to ports, and the configuration of one interface as a
trunk port.
The following FortiGate series are supported in FortiOS 7.2: 60F, 80F, 100E, 100F, 140E, 200F, 300E, 400E, and
1100E.
The virtual-switch-vlan option must be enabled in the CLI to configure VLAN switch mode from the GUI or CLI.

To enable VLAN switches:

config system global
set virtual-switch-vlan enable
end

After this setting is enabled, any previously configured hardware switches will appear in the Network > Interfaces page
under VLAN Switch.

To enable VLAN switch mode in the GUI:

1. Go to System > Settings.


2. In the View Settings section, enable VLAN switch mode.
3. Click Apply.

Basic configurations

Hardware switch ports can be configured as either a VLAN switch port or a trunk port. The available interfaces and
allowable VLAN IDs depend on the FortiGate model. It is recommended to remove ports from the default VLAN switch
before you begin configuration.

To create a new VLAN and assign ports in the GUI:

1. Go to Network > Interfaces and click Create New > Interface.


2. Enter a name and configure the following:
a. Set the Type to VLAN Switch.
b. Enter a VLAN ID.
c. Click the + and add the Interface Members.
d. Configure the Address and Administrative Access settings as needed.
3. Click OK.

To create a new VLAN and assign ports in the CLI:

1. Configure the VLAN:


config system virtual-switch
edit "VLAN10"
set physical-switch "sw0"
set vlan 10
config port
edit "internal1"
next
edit "internal2"
next
end
next
end

2. Configure the VLAN switch interface addressing:


config system interface
edit "VLAN10"
set vdom "root"
set ip 192.168.10.99 255.255.255.0
set allowaccess ping https ssh snmp http fgfm
set type hard-switch
next
end

To designate an interface as a trunk port:

config system interface
edit internal5
set trunk enable
next
end

Example 1: HA using a VLAN switch

In this example, two FortiGates in an HA cluster are connected to two ISP routers. Instead of connecting to external L2
switches, each FortiGate connects to each ISP router on the same hardware switch port on the same VLAN. A trunk port
connects the two FortiGates to deliver the 802.1Q tagged traffic to each other. This achieves a full mesh between the
FortiGate cluster and the ISP routers in which no single point of failure causes traffic disruption.

This example assumes that the HA settings are already configured. The interface and VLAN switch settings are identical
between cluster members and synchronized. See HA using a hardware switch to replace a physical switch on page 2139
for a similar example that does not use a VLAN switch.

To configure the VLAN switches:

1. Configure the ISP interfaces with the corresponding VLAN IDs:


config system virtual-switch
edit "ISP1"
set physical-switch "sw0"
set vlan 2951
config port
edit "port1"
next
end
next
edit "ISP2"
set physical-switch "sw0"
set vlan 2952
config port
edit "port2"
next
end
next
end

2. Configure the VLAN switch interface addressing:


config system interface
edit "ISP1"
set vdom "root"
set ip 192.168.10.99 255.255.255.0
set allowaccess ping
set type hard-switch
next
edit "ISP2"
set vdom "root"
set ip 192.168.20.99 255.255.255.0
set allowaccess ping
set type hard-switch
next
end

3. Designate port15 as the trunk port:


config system interface
edit port15
set trunk enable
next
end

4. Configure firewall policies to allow outgoing traffic on the ISP1 and ISP2 interfaces:

config firewall policy
edit 1
set srcintf "port11"
set dstintf "ISP1"
set srcaddr "all"
set dstaddr "all"
set action accept
set schedule "always"
set service "ALL"
set nat enable
next
edit 2
set srcintf "port11"
set dstintf "ISP2"
set srcaddr "all"
set dstaddr "all"
set action accept
set schedule "always"
set service "ALL"
set nat enable
next
end

Example 2: LAN extension

In this example, two hardware switch ports are assigned VLAN10, and two ports are assigned VLAN20 on FortiGate B.
The wan2 interface is designated as the trunk port, and is connected to the upstream FortiGate A. The corresponding
VLAN subinterfaces VLAN10 and VLAN20 on the upstream FortiGate allow further access to other networks.

The available interfaces and VLAN IDs vary between FortiGate models. FortiGate B in this example is a 60F model.

To configure FortiGate B:

1. Configure the VLAN interfaces:


config system virtual-switch
edit "VLAN10"
set physical-switch "sw0"
set vlan 10
config port
edit "internal1"
next
edit "internal2"
next
end
next
edit "VLAN20"
set physical-switch "sw0"
set vlan 20
config port
edit "internal3"
next
edit "internal4"
next
end
next
end

2. Configure the VLAN switch interface addressing:


config system interface
edit "VLAN10"
set vdom "root"
set ip 192.168.10.99 255.255.255.0
set allowaccess ping https ssh snmp http fgfm
set type hard-switch
next
edit "VLAN20"
set vdom "root"
set ip 192.168.20.99 255.255.255.0
set allowaccess ping https ssh snmp http fgfm
set type hard-switch
next
end

3. Designate wan2 as the trunk port:


config system interface
edit wan2
set trunk enable
next
end

To configure FortiGate A:

1. Configure the VLAN subinterfaces:


config system interface
edit "VLAN10"
set ip 192.168.10.98 255.255.255.0
set allowaccess ping https ssh
set role lan
set interface "dmz"
set vlanid 10
next
edit "VLAN20"
set ip 192.168.20.98 255.255.255.0
set allowaccess ping https ssh
set role lan
set interface "dmz"
set vlanid 20
next
end

2. Configure the DHCP server on VLAN10:


config system dhcp server
edit 0
set dns-service default
set default-gateway 192.168.10.98
set netmask 255.255.255.0
set interface "VLAN10"
config ip-range
edit 1
set start-ip 192.168.10.100
set end-ip 192.168.10.254
next
end
set timezone-option default
next
end

3. Configure firewall policies that allow traffic from the VLAN10 and VLAN20 interfaces to the internet:

config firewall policy
edit 0
set name "VLAN10-out"
set srcintf "VLAN10"
set dstintf "wan1"
set srcaddr "all"
set dstaddr "all"
set action accept
set schedule "always"
set service "ALL"
set nat enable
next
edit 0
set name "VLAN20-out"
set srcintf "VLAN20"
set dstintf "wan1"
set srcaddr "all"
set dstaddr "all"
set action accept
set schedule "always"
set service "ALL"
set nat enable
next
end

To test the connection:

1. Connect a PC to internal1 on FortiGate B.


2. Verify that it receives an IP address from FortiGate A’s DHCP server.
3. From the PC, ping FortiGate B on 192.168.10.99.
4. Ping FortiGate A on 192.168.10.98.
5. Connect to the internet. Traffic is allowed by the VLAN10-out policy.

QinQ 802.1Q in 802.1ad

QinQ (802.1ad) allows multiple VLAN tags to be inserted into a single frame, and can be configured on supported
FortiGate devices.
In this example, the customer connects to a provider that uses 802.1ad double-tagging to separate their customer
VLANs. The FortiGate connecting to the provider double-tags its frames with an outer provider-tag (S-Tag) and an inner
customer-tag (C-Tag).

The customer identifies itself with the provider-tag (S-Tag) 232 and uses the customer-tag (C-Tag) 444 for traffic to its
VLAN.

To configure the interfaces:

1. Configure the interface to the provider that uses the outer tag (S-Tag):

config system interface
edit "vlan-8021ad"
set vdom "root"
set vlan-protocol 8021ad
set device-identification enable
set role lan
set snmp-index 47
set interface "PORT"
set vlanid 232
next
end

2. Configure a dynamic VLAN interface that uses the inner tag (C-Tag):

config system interface
edit "DVLAN"
set vdom "vdom1"
set device-identification enable
set role lan
set snmp-index 48
set interface "vlan-8021ad"
set vlanid 444
next
end

QinQ 802.1Q in 802.1Q

QinQ (802.1Q in 802.1Q) is supported for FortiGate VM models, where multiple VLAN tags can be inserted into a single
frame.

In this example, the FortiGate VM is connected to a provider vSwitch and then a customer switch. The FortiGate
encapsulates the frame with an outer 802.1Q tag of VLAN 100 and an inner 802.1Q tag of VLAN 200; port5 is used as
the physical port. The provider vSwitch strips the outer tag and forwards traffic to the appropriate customer. Then the
customer switch strips the inner tag and forwards the packet to the appropriate customer VLAN.

To configure the interfaces:

1. Configure the interface to the provider that uses the outer tag:

config system interface
edit "vlan-8021q"
set vdom "root"
set device-identification enable
set role lan
set interface "port5"
set vlan-protocol 8021q
set vlanid 100
next
end

2. Configure the interface to the provider that uses the inner tag:

config system interface
edit "vlan-qinq8021q"
set vdom "root"
set ip 1.1.1.71 255.255.255.0
set allowaccess ping https ssh snmp http
set device-identification enable
set role lan
set interface "vlan-8021q"
set vlanid 200
next
end

To verify the traffic:

1. From the FortiGate, ping 1.1.1.72:


# execute ping 1.1.1.72
PING 1.1.1.72 (1.1.1.72): 56 data bytes
64 bytes from 1.1.1.72: icmp_seq=0 ttl=255 time=0.2 ms
64 bytes from 1.1.1.72: icmp_seq=1 ttl=255 time=0.1 ms
64 bytes from 1.1.1.72: icmp_seq=2 ttl=255 time=0.1 ms
64 bytes from 1.1.1.72: icmp_seq=3 ttl=255 time=0.1 ms
^C
--- 1.1.1.72 ping statistics ---
4 packets transmitted, 4 packets received, 0% packet loss
round-trip min/avg/max = 0.1/0.1/0.2 ms

2. Verify the packet capture frame header output captured from the FortiGate's port5:

Frame 2: 106 bytes on wire (848 bits), 106 bytes captured (848 bits)
Ethernet II, Src: VMware_93:ae:8f (00:50:56:93:ae:8f), Dst: VMware_93:e3:72
(00:50:56:93:e3:72)
Destination: VMware_93:e3:72 (00:50:56:93:e3:72)
Source: VMware_93:ae:8f (00:50:56:93:ae:8f)
Type: 802.1Q Virtual LAN (0x8100)
802.1Q Virtual LAN, PRI: 0, DEI: 0, ID: 100
000. .... .... .... = Priority: Best Effort (default) (0)
...0 .... .... .... = DEI: Ineligible
.... 0000 0110 0100 = ID: 100
Type: 802.1Q Virtual LAN (0x8100)
802.1Q Virtual LAN, PRI: 0, DEI: 0, ID: 200
000. .... .... .... = Priority: Best Effort (default) (0)
...0 .... .... .... = DEI: Ineligible
.... 0000 1100 1000 = ID: 200
Type: IPv4 (0x0800)
Internet Protocol Version 4, Src: 1.1.1.71, Dst: 1.1.1.72
Internet Control Message Protocol

The outer tag (first tag) is an 802.1Q tag with VLAN ID 100. The inner tag (second tag) is also an 802.1Q tag with
VLAN ID 200.

Aggregation and redundancy

Link aggregation (IEEE 802.3ad) enables you to bind two or more physical interfaces together to form an aggregated
(combined) link. This new link has the bandwidth of all the links combined. If a link in the group fails, traffic is transferred
automatically to the remaining interfaces. The only noticeable effect is reduced bandwidth.
This feature is similar to redundant interfaces. The major difference is a redundant interface group only uses one link at a
time, where an aggregate link group uses the total bandwidth of the functioning links in the group, up to eight (or more).
An interface is available to be an aggregate interface if:
l It is a physical interface and not a VLAN interface or subinterface.
l It is not already part of an aggregate or redundant interface.
l It is in the same VDOM as the aggregated interface. Aggregate ports cannot span multiple VDOMs.
l It does not have an IP address and is not configured for DHCP or PPPoE.
l It is not referenced in any security policy, VIP, IP Pool, or multicast policy.
l It is not an HA heartbeat interface.
l It is not one of the FortiGate-5000 series backplane interfaces.
When an interface is included in an aggregate interface, it is not listed on the Network > Interfaces page. Interfaces still
appear in the CLI, although configuration for those interfaces does not take effect. You cannot configure the interface
individually, and it is not available for inclusion in security policies, VIPs, IP pools, or routing.

Example configuration

This example creates an aggregate interface on a FortiGate-140D POE using ports 3-5 with an internal IP address of
10.1.1.123, as well as the administrative access to HTTPS and SSH.

To create an aggregate interface in the GUI:

1. Go to Network > Interfaces and select Create New > Interface.
2. Set Name to aggregate.
3. Set Type to 802.3ad Aggregate.
4. Set Interface members to port4, port5, and port6.
5. Set Addressing mode to Manual.
6. Set IP/Netmask to 10.1.1.123/24.
7. For Administrative Access, select HTTPS and SSH.
8. Click OK.


To create an aggregate interface in the CLI:

config system interface
edit "aggregate"
set vdom "root"
set ip 10.1.1.123 255.255.255.0
set allowaccess https ssh
set type aggregate
set member "port4" "port5" "port6"
set snmp-index 45
next
end

Redundancy

In a redundant interface, traffic only goes over one interface at any time. This differs from an aggregated interface where
traffic goes over all interfaces for increased bandwidth. This difference means redundant interfaces can have more
robust configurations with fewer possible points of failure. This is important in a fully-meshed HA configuration.
An interface is available to be in a redundant interface if:
l It is a physical interface and not a VLAN interface.
l It is not already part of an aggregated or redundant interface.
l It is in the same VDOM as the redundant interface.
l It does not have an IP address and is not configured for DHCP or PPPoE.
l It has no DHCP server or relay configured on it.
l It does not have any VLAN subinterfaces.
l It is not referenced in any security policy, VIP, or multicast policy.
l It is not monitored by HA.
l It is not one of the FortiGate-5000 series backplane interfaces.
When an interface is included in a redundant interface, it is not listed on the Network > Interfaces page. You cannot
configure the interface individually and it is not available for inclusion in security policies, VIPs, or routing.

Example configuration

To create a redundant interface in the GUI:

1. Go to Network > Interfaces and select Create New > Interface.
2. Set Name to redundant.
3. Set Type to Redundant Interface.
4. Set Interface members to port4, port5, and port6.
5. Set Addressing mode to Manual.
6. Set IP/Netmask to 10.13.101.100/24.
7. For Administrative Access, select HTTPS and SSH.
8. Click OK.

To create a redundant interface in the CLI:

config system interface
edit "redundant"
set vdom "root"
set ip 10.13.101.100 255.255.255.0
set allowaccess https http
set type redundant
set member "port4" "port5" "port6"
set snmp-index 9
next
end

Enhanced hashing for LAG member selection

FortiGate models that have an internal switch that supports modifying the distribution algorithm can use enhanced
hashing to help distribute traffic evenly, or load balance, across links on the Link Aggregation (LAG) interface.
The enhanced hashing algorithm is based on a 5-tuple of the IP protocol, source IP address, destination IP address,
source port, and destination port.
Different computation methods allow for more variation in the load balancing distribution, in case one algorithm does not
distribute traffic evenly between links across different XAUIs. The available methods are:

xor16 Use the XOR operator to make a 16 bit hash.

xor8 Use the XOR operator to make an 8 bit hash.

xor4 Use the XOR operator to make a 4 bit hash.

crc16 Use the CRC-16-CCITT polynomial to make a 16 bit hash.

The following NP6 non-service FortiGate models support this feature: 1200D, 1500D,
1500DT, 3000D, 3100D, 3200D, 3700D, and 5001D.

To configure the enhanced hashing:

config system npu
set lag-out-port-select {enable | disable}
config sw-eh-hash
set computation {xor4 | xor8 | xor16 | crc16}
set ip-protocol {include | exclude}
set source-ip-upper-16 {include | exclude}
set source-ip-lower-16 {include | exclude}
set destination-ip-upper-16 {include | exclude}
set destination-ip-lower-16 {include | exclude}
set source-port {include | exclude}
set destination-port {include | exclude}
set netmask-length {0 - 32}
end
end

For example, to use XOR16 and include all of the fields in the 5-tuple to compute the link in the LAG interface that the
packet is distributed to:
config system npu
set lag-out-port-select enable
config sw-eh-hash
set computation xor16
set ip-protocol include
set source-ip-upper-16 include
set source-ip-lower-16 include
set destination-ip-upper-16 include
set destination-ip-lower-16 include
set source-port include
set destination-port include
set netmask-length 32
end
end

Failure detection for aggregate and redundant interfaces

When an aggregate or redundant interface goes down, the corresponding fail-alert interface changes to down. When an
aggregate or redundant interface comes up, the corresponding fail-alert interface changes to up.

Fail-detect for aggregate and redundant interfaces can be configured using the CLI.

To configure an aggregate interface so that port3 goes down with it:

config system interface
edit "agg1"
set vdom "root"
set fail-detect enable
set fail-alert-method link-down
set fail-alert-interfaces "port3"
set type aggregate
set member "port1" "port2"
next
end

To configure a redundant interface so that port4 goes down with it:

config system interface
edit "red1"
set vdom "root"
set fail-detect enable
set fail-alert-method link-down
set fail-alert-interfaces "port4"
set type redundant
set member "port1" "port2"
next
end


Loopback interface

A loopback interface is a logical interface that is always up. Its IP address does not depend on one specific physical port,
and the attached subnet is always present in the routing table. Therefore, it can be accessed through several physical or
VLAN interfaces.
Typically, a loopback interface can be used with management access, BGP peering, PIM rendezvous points, and SD-
WAN.
Loopback interfaces require appropriate firewall policies to allow traffic to and from the interfaces. Multiple loopback
interfaces can be configured in either non-VDOM mode or in each VDOM.
Dynamic routing protocols can be enabled on loopback interfaces. For example, loopback interfaces are a good practice
for OSPF. To make it easier to troubleshoot OSPF, set the OSPF router ID to the same value as the loopback IP address
to access a specific FortiGate using that IP address and SSH.
A loopback interface is configured using similar steps as a physical interface (see Configuring an interface).

Software switch

A software switch is a virtual switch that is implemented at the software or firmware level and not at the hardware level. A
software switch can be used to simplify communication between devices connected to different FortiGate interfaces. For
example, using a software switch, you can place the FortiGate interface connected to an internal network on the same
subnet as your wireless interfaces. Then devices on the internal network can communicate with devices on the wireless
network without any additional configuration on the FortiGate unit, such as additional security policies.
A software switch can also be useful if you require more hardware ports for the switch on a FortiGate unit. For example, if
your FortiGate unit has a 4-port switch, WAN1, WAN2, and DMZ interfaces, and you need one more port, you can create
a soft switch that can include the four-port switch and the DMZ interface, all on the same subnet. These types of
applications also apply to wireless interfaces, virtual wireless interfaces, and physical interfaces such as those in
FortiWiFi and FortiAP units.
Similar to a hardware switch, a software switch functions like a single interface. It has one IP address and all the
interfaces in the software switch are on the same subnet. Traffic between devices connected to each interface is not
regulated by security policies, and traffic passing in and out of the switch is controlled by the same policy.
When setting up a software switch, consider the following:
l Ensure that you have a back up of the configuration.
l Ensure that you have at least one port or connection, such as the console port, to connect to the FortiGate unit. If
you accidentally combine too many ports, you need a way to undo errors.
l The ports that you include must not have any link or relation to any other aspect of the FortiGate unit, such as DHCP
servers, security policies, and so on.
l For increased security, you can create a captive portal for the switch to allow only specific user groups access to the
resources connected to the switch.
Some of the differences between software and hardware switches are:

| Feature | Software switch | Hardware switch |
|---|---|---|
| Processing | Packets are processed in software by the CPU. | Packets are processed in hardware by the hardware switch controller, or SPU where applicable. |
| STP | Not Supported | Supported |
| Wireless SSIDs | Supported | Not Supported |
| Intra-switch traffic | Allowed by default. Can be explicitly set to require a policy. | Allowed by default. |

To create a software switch in the GUI:

1. Go to Network > Interfaces.
2. Click Create New > Interface.
3. Set Type to Software Switch.
4. Configure the Name, Interface members, and other fields as required.
To add an interface to a software switch, it cannot be referenced by an existing configuration and its IP address
must be set to 0.0.0.0/0.0.0.0.
5. Click OK.

To create a software switch in the CLI:

config system switch-interface
edit <interface>
set vdom <vdom>
set member <interface_list>
set type switch
next
end
config system interface
edit <interface>
set vdom <vdom>
set type switch
set ip <ip_address>
set allowaccess https ssh ping
next
end

To add an interface to a software switch, it cannot be referenced by an existing configuration and its IP address must be
set to 0.0.0.0/0.0.0.0.

Example

For this example, the wireless interface (WiFi) needs to be on the same subnet as the DMZ1 interface to facilitate
wireless synchronizing from an iPhone and a local computer. Because synchronizing between two subnets is
problematic, putting both interfaces on the same subnet allows the synchronizing to work. The software switch will
accomplish this.


1. Clear the interfaces and back up the configuration:
a. Ensure the interfaces are not used for other security policies or for other purposes on the FortiGate unit.
b. Check the WiFi and DMZ1 ports to ensure that DHCP is not enabled and that there are no other dependencies
on these interfaces.
c. Save the current configuration so that it can be recovered if something goes wrong.
2. Merge the WiFi port and DMZ1 port to create a software switch named synchro with an IP address of 10.10.21.12
and administrative access for HTTPS, SSH and PING:
config system switch-interface
edit synchro
set vdom "root"
set type switch
set member dmz1 wifi
next
end
config system interface
edit synchro
set ip 10.10.21.12 255.255.255.0
set allowaccess https ssh ping
next
end

After the switch is set up, you add security policies, DHCP servers, and any other settings that are required.

Hardware switch

A hardware switch is a virtual switch interface that groups different ports together so that the FortiGate can use the group
as a single interface. Supported FortiGate models have a default hardware switch called either internal or lan. The
hardware switch is supported by the chipset at the hardware level.
Ports that are connected to the same hardware switch behave like they are on the same physical switch in the same
broadcast domain. Ports can be removed from a hardware switch and assigned to another switch or used as standalone
interfaces.
Some of the differences between hardware and software switches are:

| Feature | Hardware switch | Software switch |
|---|---|---|
| Processing | Packets are processed in hardware by the hardware switch controller, or SPU where applicable. | Packets are processed in software by the CPU. |
| STP | Supported | Not Supported |
| Wireless SSIDs | Not Supported | Supported |
| Intra-switch traffic | Allowed by default. | Allowed by default. Can be explicitly set to require a policy. |


To change the ports in a hardware switch in the GUI:

1. Go to Network > Interface and edit the hardware switch.
2. Click inside the Interface members field.
3. Select interfaces to add or remove them from the hardware switch, then click Close.
To add an interface to a hardware switch, it cannot be referenced by an existing configuration and its IP address
must be set to 0.0.0.0/0.0.0.0.
4. Click OK.
Removed interfaces will now be listed as standalone interfaces in the Physical Interface section.

To remove ports from a hardware switch in the CLI:

config system virtual-switch
edit "internal"
config port
delete internal2
delete internal7
...
end
next
end

To add ports to a hardware switch in the CLI:

config system virtual-switch
edit "internal"
set physical-switch "sw0"
config port
edit "internal3"
next
edit "internal5"
next
edit "internal4"
next
edit "internal6"
next
end
next
end


To add an interface to a hardware switch, it cannot be referenced by an existing configuration and its IP address must be
set to 0.0.0.0/0.0.0.0.

Using 802.1X on virtual switches for certain NP6 platforms

802.1X is supported under the hardware switch interface on the following NP6 platforms: FG-30xE, FG-40xE, and FG-
110xE.
In this example, port3 and port4 are part of a hardware switch interface. The hardware switch acts as a virtual switch so
that devices can connect directly to these ports and perform 802.1X authentication on the port.

Prerequisites:

1. Configure a RADIUS server (see RADIUS servers on page 1882).
2. Define a user group named test to use the remote RADIUS server and for 802.1X authentication (see User
definition and groups on page 1854).
3. Configure a hardware switch (named 18188) with port3 and port4 as the members.
4. Configure a firewall policy that allows traffic from the 18188 hardware switch to go to the internet.
5. Enable 802.1X authentication on the client devices.

To configure 802.1X authentication on a hardware switch in the GUI:

1. Go to Network > Interfaces and edit the hardware switch.
2. In the Network section, enable Security mode and select 802.1X.


3. Click the + to add the User group.
4. Click OK.

To configure 802.1X authentication on a hardware switch in the CLI:

1. Configure the virtual hardware switch interfaces:
config system virtual-switch
edit "18188"
set physical-switch "sw0"
config port
edit "port3"
next
edit "port4"
next
end
next
end

2. Configure 802.1X authentication:
config system interface
edit "18188"
set vdom "vdom1"
set ip 1.1.1.1 255.255.255.0
set allowaccess ping https ssh snmp fgfm ftm
set type hard-switch
set security-mode 802.1X
set security-groups "test"
set device-identification enable
set lldp-transmission enable
set role lan
set snmp-index 52
next
end

To verify that the 802.1X authentication was successful:

1. Get a client connected to port3 to authenticate to access the internet.
2. In FortiOS, verify the 802.1X authentication port status:
# diagnose sys 802-1x status
Virtual switch '18188' (default mode) 802.1x member status:
port3: Link up, 802.1X state: authorized
port4: Link up, 802.1X state: unauthorized

Zone

Zones are a group of one or more physical or virtual FortiGate interfaces that you can apply firewall policies to for
controlling inbound and outbound traffic. Grouping interfaces and VLAN subinterfaces into zones simplifies creating
firewall policies where a number of network segments can use the same policy settings and protection profiles.
When you add a zone, you select the names of the interfaces and VLAN subinterfaces to add to the zone. Each interface
still has its own address. Routing is still done between interfaces, that is, routing is not affected by zones. You can use
firewall policies to control the flow of intra-zone traffic.
For example, in the sample configuration below, the network includes three separate groups of users representing
different entities on the company network. While each group has its own set of ports and VLANs in each area, they can
all use the same firewall policy and protection profiles to access the Internet. Rather than the administrator making nine
separate firewall policies, he can make administration simpler by adding the required interfaces to a zone and creating
three policies.

Example configuration

You can configure policies for connections to and from a zone but not between interfaces in a zone. For this example,
you can create a firewall policy to go between zone 1 and zone 3, but not between WAN2 and WAN1, or WAN1 and
DMZ1.


To create a zone in the GUI:

1. Go to Network > Interfaces.

If VDOMs are enabled, go to the VDOM to create a zone.

2. Click Create New > Zone.
3. Configure the Name and add the Interface Members.
4. Enable or disable Block intra-zone traffic as required.
5. Click OK.

To configure a zone to include the internal interface and a VLAN using the CLI:

config system zone
edit zone_1
set interface internal VLAN_1
set intrazone {deny | allow}
next
end

Using zone in a firewall policy

To configure a firewall policy to allow any interface to access the Internet using the CLI:

config firewall policy
edit 2
set name "2"
set srcintf "Zone_1"
set dstintf "port15"
set srcaddr "all"
set dstaddr "all"
set action accept
set schedule "always"
set service "ALL"
set nat enable
next
end


Intra-zone traffic

In the zone configuration you can set intrazone deny to prevent the different interfaces in the same zone from talking
to each other.
For example, suppose you have ten interfaces in your zone and the intrazone setting is deny. You now want to allow
traffic between a very small number of networks on different interfaces that are part of the zone, but you do not want to
disable the intra-zone blocking.
In this example, the zone VLANs are defined as: 192.168.1.0/24, 192.168.2.0/24, ... 192.168.10.0/24.
This policy allows traffic from 192.168.1.x to 192.168.2.x even though they are in the same zone and intra-zone blocking
is enabled. The intra-zone blocking acts as a default deny rule and you have to specifically override it by creating a policy
within the zone.

To enable intra-zone traffic, create the following policy:

Source Interface Zone-name, e.g., Vlans

Source Address 192.168.1.0/24

Destination Zone-name (same as Source Interface, i.e., Vlans)

Destination Address 192.168.2.0/24

Virtual wire pair

A virtual wire pair consists of two interfaces that do not have IP addressing and are treated like a transparent mode
VDOM. All traffic received by one interface in the virtual wire pair can only be forwarded to the other interface, provided a
virtual wire pair firewall policy allows this traffic. Traffic from other interfaces cannot be routed to the interfaces in a virtual
wire pair. Redundant and 802.3ad aggregate (LACP) interfaces can be included in a virtual wire pair.
Virtual wire pairs are useful for a typical topology where MAC addresses do not behave normally. For example, port
pairing can be used in a Direct Server Return (DSR) topology where the response MAC address pair may not match the
request’s MAC address pair.

Example

In this example, a virtual wire pair (port3 and port4) makes it easier to protect a web server that is behind a FortiGate
operating as an Internal Segmentation Firewall (ISFW). Users on the internal network access the web server through the
ISFW over the virtual wire pair.

Interfaces used in a virtual wire pair cannot be used to access the ISFW FortiGate. Before
creating a virtual wire pair, make sure you have a different port configured to allow admin
access using your preferred protocol.


To add a virtual wire pair using the GUI:

1. Go to Network > Interfaces.
2. Click Create New > Virtual Wire Pair.
3. Enter a name for the virtual wire pair.
4. Select the Interface Members to add to the virtual wire pair (port3 and port 4).
These interfaces cannot be part of a switch, such as the default LAN/internal interface.
5. If required, enable Wildcard VLAN and set the VLAN Filter.
6. Click OK.

To add a virtual wire pair using the CLI:

config system virtual-wire-pair
edit "VWP-name"
set member "port3" "port4"
set wildcard-vlan disable
next
end

To create a virtual wire pair policy using the GUI:

1. Go to Policy & Objects > Firewall Virtual Wire Pair Policy.
2. Click Create New.
3. In the Virtual Wire Pair field, click the + to add the virtual wire pair.
4. Select the direction (arrows) that traffic is allowed to flow.
5. Configure the other settings as needed.
6. Click OK.

To create a virtual wire pair policy using the CLI:

config firewall policy
edit 1
set name "VWP-Policy"
set srcintf "port3" "port4"
set dstintf "port3" "port4"
set srcaddr "all"
set dstaddr "all"
set action accept
set schedule "always"
set service "ALL"
set utm-status enable
set fsso disable
next
end

Configuring multiple virtual wire pairs in a virtual wire pair policy

You can create a virtual wire pair policy that includes different virtual wire pairs in NGFW profile and policy mode. This
reduces overhead to create multiple similar policies for each VWP. In NGFW policy mode, multiple virtual wire pairs can
be configured in a Security Virtual Wire Pair Policy and Virtual Wire Pair SSL Inspection & Authentication policy.
The virtual wire pair settings must have wildcard VLAN enabled. When configuring a policy in the CLI, the virtual wire pair
members must be entered in srcintf and dstintf as pairs.

To configure multiple virtual wire pairs in a policy in the GUI:

1. Configure the virtual wire pairs:
a. Go to Network > Interfaces and click Create New > Virtual Wire Pair.
b. Create a pair with the following settings:

Name test-vwp-1

Interface members wan1, wan2

Wildcard VLAN Enable

c. Click OK.
d. Click Create New > Virtual Wire Pair and create another pair with the following settings:

Name test-vwp-2

Interface members port19, port20

Wildcard VLAN Enable

e. Click OK.
2. Configure the policy:
a. Go to Policy & Objects > Firewall Virtual Wire Pair Policy and click Create New.
b. In the Virtual Wire Pair field, click the + to add test-vwp-1 and test-vwp-2. Select the direction for each of the
selected virtual wire pairs.


c. Configure the other settings as needed.
d. Click OK.

To configure multiple virtual wire pairs in a policy in the CLI:

1. Configure the virtual wire pairs:
config system virtual-wire-pair
edit "test-vwp-1"
set member "wan1" "wan2"
set wildcard-vlan enable
next
edit "test-vwp-2"
set member "port19" "port20"
set wildcard-vlan enable
next
end

2. Configure the policy:
config firewall policy
edit 1
set name "vwp1&2-policy"
set srcintf "port19" "wan1"
set dstintf "port20" "wan2"
set srcaddr "all"
set dstaddr "all"
set action accept
set schedule "always"
set service "ALL"
set logtraffic all
next
end


PRP handling in NAT mode with virtual wire pair

PRP (Parallel Redundancy Protocol) is supported in NAT mode for a virtual wire pair. This preserves the PRP RCT
(redundancy control trailer) while the packet is processed by the FortiGate.

To configure PRP handling on a device in NAT mode:

1. Enable PRP in the VDOM settings:
(root) # config system settings
set prp-trailer-action enable
end

2. Enable PRP in the NPU attributes:
(global) # config system npu
set prp-port-in "port15"
set prp-port-out "port16"
end

3. Configure the virtual wire pair:
(root) # config system virtual-wire-pair
edit "test-vwp-1"
set member "port15" "port16"
next
end

Enhanced MAC VLAN

The Media Access Control (MAC) Virtual Local Area Network (VLAN) feature in Linux allows you to configure multiple
virtual interfaces with different MAC addresses (and therefore different IP addresses) on a physical interface.
FortiGate implements an enhanced MAC VLAN consisting of a MAC VLAN with bridge functionality. Because each MAC
VLAN has a unique MAC address, virtual IP addresses (VIPs) and IP pools are supported, and you can disable Source
Network Address Translation (SNAT) in policies.
MAC VLAN cannot be used in a transparent mode virtual domain (VDOM). In a transparent mode VDOM, a packet
leaves an interface with the MAC address of the original source instead of the interface’s MAC address. FortiGate
implements an enhanced version of MAC VLAN where it adds a MAC table in the MAC VLAN which learns the MAC
addresses when traffic passes through.
If you configure a VLAN ID for an enhanced MAC VLAN, it won’t join the switch of the underlying interface. When a
packet is sent to this interface, a VLAN tag is inserted in the packet and the packet is sent to the driver of the underlying
interface. When the underlying interface receives a packet, if the VLAN ID doesn’t match, it won’t deliver the packet to
this enhanced MAC VLAN interface.

When using a VLAN ID, the ID and the underlying interface must be a unique pair, even if they
belong to different VDOMs. This is because the underlying, physical interface uses the VLAN
ID as the identifier to dispatch traffic among the VLAN and enhanced MAC VLAN interfaces.

If you use an interface in an enhanced MAC VLAN, do not use it for other purposes such as a management interface, HA
heartbeat interface, or in Transparent VDOMs.
If a physical interface is used by an EMAC VLAN interface, you cannot use it in a Virtual Wire Pair.


In high availability (HA) configurations, enhanced MAC VLAN is treated as a physical interface. It’s assigned a unique
physical interface ID and the MAC table is synchronized with the secondary devices in the same HA cluster.

Example 1: Enhanced MAC VLAN configuration for multiple VDOMs that use the same
interface or VLAN

In this example, a FortiGate is connected, through port 1 to a router that’s connected to the Internet. Three VDOMs share
the same interface (port 1) which connects to the same router that’s connected to the Internet. Three enhanced MAC
VLAN interfaces are configured on port 1 for the three VDOMs. The enhanced MAC VLAN interfaces are in the same IP
subnet segment and each have unique MAC addresses.
The underlying interface (port 1) can be a physical interface, an aggregate interface, or a VLAN interface on a physical or
aggregate interface.

To configure enhanced MAC VLAN for this example in the CLI:

config system interface
edit port1.emacvlan1
set vdom VDOM1
set type emac-vlan
set interface port1
next
edit port1.emacvlan2
set vdom VDOM2
set type emac-vlan
set interface port1
next
edit port1.emacvlan3
set vdom VDOM3
set type emac-vlan
set interface port1
next
end


Example 2: Enhanced MAC VLAN configuration for shared VDOM links among multiple
VDOMs

In this example, multiple VDOMs can connect to each other using enhanced MAC VLAN on network processing unit
(NPU) virtual link (Vlink) interfaces.
FortiGate VDOM links (NPU-Vlink) are designed to be peer-to-peer connections and VLAN interfaces on NPU Vlink
ports use the same MAC address. Connecting more than two VDOMs using NPU Vlinks and VLAN interfaces is not
recommended.

To configure enhanced MAC VLAN for this example in the CLI:

config system interface
edit npu0_vlink0.emacvlan1
set vdom VDOM1
set type emac-vlan
set interface npu0_vlink0
next
edit npu0_vlink0.emacvlan2
set vdom VDOM3
set type emac-vlan
set interface npu0_vlink0
next
edit npu0_vlink1.emacvlan1
set vdom VDOM2
set type emac-vlan
set interface npu0_vlink1
next
end

Example 3: Enhanced MAC VLAN configuration for unique MAC addresses for each
VLAN interface on the same physical port

Some networks require a unique MAC address for each VLAN interface when the VLAN interfaces share the same
physical port. In this case, the enhanced MAC VLAN interface is used the same way as normal VLAN interfaces.


To configure this, use the set vlanid command for the VLAN tag. The VLAN ID and interface must be a unique pair,
even if they belong to different VDOMs.

To configure enhanced MAC VLAN:

config system interface
edit <interface-name>
set type emac-vlan
set vlanid <VLAN-ID>
set interface <physical-interface>
next
end

VXLAN

Virtual Extensible LAN (VXLAN) is a network virtualization technology used in large cloud computing deployments. It
encapsulates layer 2 Ethernet frames within layer 3 IP packets using the standard destination port 4789. VXLAN
endpoints that terminate VXLAN tunnels can be virtual or physical switch ports, and are known as VXLAN tunnel
endpoints (VTEPs). For more information about VXLAN, see RFC 7348.
The following topics provide information about VXLAN:
l VLAN inside VXLAN on page 204
l Virtual wire pair with VXLAN on page 206

VLAN inside VXLAN

VLANs can be assigned to VXLAN interfaces. In a data center network where VXLAN is used to create an L2 overlay
network and for multitenant environments, a customer VLAN tag can be assigned to VXLAN interface. This allows the
VLAN tag from VLAN traffic to be encapsulated within the VXLAN packet.

To configure VLAN inside VXLAN on HQ1:

1. Configure VXLAN:
config system vxlan
edit "vxlan1"
set interface port1
set vni 1000
set remote-ip 173.1.1.1
next
end


2. Configure system interface:
config system interface
edit vlan100
set vdom root
set vlanid 100
set interface dmz
next
edit vxlan100
set type vlan
set vlanid 100
set vdom root
set interface vxlan1
next
end

3. Configure software-switch:
config system switch-interface
edit sw1
set vdom root
set member vlan100 vxlan100
set intra-switch-policy implicit
next
end

The default intra-switch-policy implicit behavior allows traffic between member interfaces within the switch.
Therefore, it is not necessary to create firewall policies to allow this traffic.

Instead of creating a software-switch, it is possible to use a virtual-wire-pair as well. See
Virtual wire pair with VXLAN on page 206.

To configure VLAN inside VXLAN on HQ2:

1. Configure VXLAN:
config system vxlan
edit "vxlan2"
set interface port25
set vni 1000
set remote-ip 173.1.1.2
next
end
2. Configure system interface:
config system interface
edit vlan100
set vdom root
set vlanid 100
set interface port20
next
edit vxlan100
set type vlan
set vlanid 100
set vdom root
set interface vxlan2
next
end
3. Configure software-switch:
config system switch-interface
edit sw1
set vdom root
set member vlan100 vxlan100
next
end

To verify the configuration:

Ping PC1 from PC2.

A packet capture on HQ2 shows the VXLAN traffic between 173.1.1.1 and 173.1.1.2 with the VLAN 100 tag carried inside
the encapsulated frame.
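The capture described above contains an 802.1Q-tagged frame carried inside VXLAN. The following Python is an added illustration written for this page, not FortiOS code or output: it builds such a packet (outer IPv4/UDP to port 4789, the 8-byte VXLAN header with VNI 1000, an inner frame tagged VLAN 100 as in the configuration above) and decodes it again. The VTEP addresses 173.1.1.1 and 173.1.1.2 are the remote-ip values configured above; the MAC addresses and the 20-byte payload are constructed stand-ins.

```python
import ipaddress
import struct

VXLAN_UDP_PORT = 4789       # standard VXLAN destination port (RFC 7348)
ETHERTYPE_8021Q = 0x8100
ETHERTYPE_IPV4 = 0x0800
IPPROTO_UDP = 17


def ipv4_checksum(header: bytes) -> int:
    """One's-complement sum over the 16-bit words of an IPv4 header."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_udp(src_ip: str, dst_ip: str, src_port: int, dst_port: int, payload: bytes) -> bytes:
    """Outer IPv4 + UDP. UDP checksum is left at 0 (not computed), which IPv4 permits."""
    udp = struct.pack("!HHHH", src_port, dst_port, 8 + len(payload), 0) + payload
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0x4000, 64, IPPROTO_UDP, 0,
                      ipaddress.IPv4Address(src_ip).packed, ipaddress.IPv4Address(dst_ip).packed)
    hdr = hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]
    return hdr + udp


def build_vxlan_header(vni: int) -> bytes:
    """8-byte VXLAN header: flags with the I bit set, 24 reserved bits, 24-bit VNI, 8 reserved bits."""
    if not 0 <= vni < (1 << 24):
        raise ValueError("VNI must be a 24-bit value")
    return struct.pack("!B3xI", 0x08, vni << 8)


def build_tagged_frame(dst_mac: bytes, src_mac: bytes, vlan_id: int, payload: bytes, pcp: int = 0) -> bytes:
    """Inner Ethernet frame with an 802.1Q tag (the customer VLAN) followed by an IPv4 payload."""
    if not 0 < vlan_id < 4095:
        raise ValueError("VLAN ID must be 1..4094")
    tci = (pcp << 13) | vlan_id
    return dst_mac + src_mac + struct.pack("!HHH", ETHERTYPE_8021Q, tci, ETHERTYPE_IPV4) + payload


def encapsulate(src_vtep: str, dst_vtep: str, vni: int, inner_frame: bytes, src_port: int = 49152) -> bytes:
    """What a VTEP does on the way out: outer IP/UDP, VXLAN header, then the untouched tagged frame."""
    return build_ipv4_udp(src_vtep, dst_vtep, src_port, VXLAN_UDP_PORT, build_vxlan_header(vni) + inner_frame)


def decapsulate(packet: bytes) -> dict:
    """Parse outer IP/UDP/VXLAN and the inner frame; rejects non-VXLAN ports and an unset I flag."""
    ihl = (packet[0] & 0x0F) * 4
    if packet[9] != IPPROTO_UDP:
        raise ValueError("outer packet is not UDP")
    outer_src = str(ipaddress.IPv4Address(packet[12:16]))
    outer_dst = str(ipaddress.IPv4Address(packet[16:20]))
    udp = packet[ihl:]
    _sport, dport, _ulen, _csum = struct.unpack("!HHHH", udp[:8])
    if dport != VXLAN_UDP_PORT:
        raise ValueError("UDP destination port %d is not VXLAN (4789)" % dport)
    flags, vni_field = struct.unpack("!B3xI", udp[8:16])
    if not flags & 0x08:
        raise ValueError("VXLAN I flag not set; VNI is not valid")
    inner = udp[16:]
    dst_mac, src_mac = inner[:6], inner[6:12]
    ethertype = struct.unpack("!H", inner[12:14])[0]
    vlan_id, offset = None, 14
    if ethertype == ETHERTYPE_8021Q:                    # the customer VLAN tag rides inside the tunnel
        tci, ethertype = struct.unpack("!HH", inner[14:18])
        vlan_id, offset = tci & 0x0FFF, 18
    return {"outer_src": outer_src, "outer_dst": outer_dst, "vni": vni_field >> 8,
            "dst_mac": dst_mac, "src_mac": src_mac, "vlan_id": vlan_id,
            "ethertype": ethertype, "payload": inner[offset:]}


# Constructed sample: a host behind HQ1 (VTEP 173.1.1.2) sends a VLAN 100 frame to a host behind HQ2 (VTEP 173.1.1.1).
PC1_MAC = bytes.fromhex("020000000001")      # constructed locally administered MACs
PC2_MAC = bytes.fromhex("020000000002")
SAMPLE_PAYLOAD = b"\x45\x00" + b"\x00" * 18   # stand-in for an IPv4 packet inside the frame
SAMPLE_PACKET = encapsulate("173.1.1.2", "173.1.1.1", 1000,
                            build_tagged_frame(PC2_MAC, PC1_MAC, 100, SAMPLE_PAYLOAD))

if __name__ == "__main__":
    print(decapsulate(SAMPLE_PACKET))
```

decapsulate() refuses datagrams on another port and headers without the I flag; a VTEP that skips those checks would treat arbitrary UDP payload as a layer 2 frame on the overlay, which is why VXLAN transport between HQ1 and HQ2 should only be accepted from the known peer VTEP address.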

Virtual wire pair with VXLAN

Virtual wire pairs can be used with VXLAN interfaces.

In this example, VXLAN interfaces are added between FortiGate HQ1 and FortiGate HQ2, a virtual wire pair is added on
HQ1, and firewall policies are created on both HQ1 and HQ2.

To create VXLAN interface on HQ1:

config system interface
edit "port11"
set vdom "root"
set ip 10.2.2.1 255.255.255.0
set allowaccess ping https ssh snmp telnet
next
end
config system vxlan
edit "vxlan1"
set interface "port11"
set vni 1000
set remote-ip "10.2.2.2"
next
end

To create VXLAN interface on HQ2:

config system interface
edit "port11"
set vdom "root"
set ip 10.2.2.2 255.255.255.0
set allowaccess ping https ssh snmp http
next
end
config system vxlan
edit "vxlan1"
set interface "port11"
set vni 1000
set remote-ip "10.2.2.1"
next
end
config system interface
edit "vxlan1"
set vdom "root"
set ip 10.1.100.2 255.255.255.0
set allowaccess ping https ssh snmp
next
end

To create a virtual wire pair on HQ1:

config system virtual-wire-pair
edit "vwp1"
set member "port10" "vxlan1"
next
end

To create a firewall policy on HQ1:

config firewall policy
edit 5
set name "vxlan-policy"
set srcintf "port10" "vxlan1"
set dstintf "port10" "vxlan1"
set srcaddr "all"
set dstaddr "all"
set action accept
set schedule "always"
set service "ALL"
set utm-status enable
set ssl-ssh-profile "certificate-inspection"
set av-profile "default"
set webfilter-profile "default"
set dnsfilter-profile "default"
set ips-sensor "default"
set application-list "default"
set fsso disable
next
end

To create a firewall policy on HQ2:

config firewall policy
edit 5
set name "1"
set srcintf "port13"
set dstintf "vxlan1"
set srcaddr "all"
set dstaddr "all"
set action accept
set schedule "always"
set service "ALL"
set fsso disable
set nat enable
next
end

DNS

Domain name system (DNS) is used by devices to locate websites by mapping a domain name to a website’s IP
address.
A FortiGate can serve different roles based on user requirements:
l A FortiGate can control what DNS server a network uses.
l A FortiGate can function as a DNS server.
FortiGuard Dynamic DNS (DDNS) allows a remote administrator to access a FortiGate's Internet-facing interface using a
domain name that remains constant even when its IP address changes.
FortiOS supports DNS configuration for both IPv4 and IPv6 addressing. When a user requests a website, the FortiGate
looks to the configured DNS servers to provide the IP address of the website in order to know which server to contact to
complete the transaction.
The FortiGate queries the DNS servers whenever it needs to resolve a domain name into an IP address, such as for NTP
or web servers defined by their domain names.
The following topics provide information about DNS:
l Important DNS CLI commands on page 209
l DNS domain list on page 210
l FortiGate DNS server on page 212
l DDNS on page 214
l DNS latency information on page 218

l DNS over TLS and HTTPS on page 220
l DNS troubleshooting on page 224

Important DNS CLI commands

DNS settings can be configured with the following CLI command:

config system dns
set primary <ip_address>
set secondary <ip_address>
set protocol {cleartext dot doh}
set ssl-certificate <string>
set server-hostname <hostname>
set domain <domains>
set ip6-primary <ip6_address>
set ip6-secondary <ip6_address>
set timeout <integer>
set retry <integer>
set dns-cache-limit <integer>
set dns-cache-ttl <integer>
set cache-notfound-responses {enable | disable}
set interface-select-method {auto | sdwan | specify}
set interface <interface>
set source-ip <class_ip>
end

For a FortiGate with multiple logical CPUs, you can set the DNS process number from 1 to the number of logical CPUs.
The default DNS process number is 1.
config system global
set dnsproxy-worker-count <integer>
end

DNS protocols

The following DNS protocols can be enabled:

l cleartext: Enable clear text DNS over port 53 (default).
l dot: Enable DNS over TLS.
l doh: Enable DNS over HTTPS.
For more information, see DNS over TLS and HTTPS on page 220.

cache-notfound-responses

When enabled, any DNS requests that are returned with NOT FOUND can be stored in the cache. The DNS server is not
asked to resolve the host name for NOT FOUND entries. By default, this option is disabled.


dns-cache-limit

Set the number of DNS entries that are stored in the cache (0 to 4294967295, default = 5000). Entries that remain in the
cache provide a quicker response to requests than going out to the Internet to get the same information.

dns-cache-ttl

The duration that the DNS cache retains information, in seconds (60 to 86400 (1 day), default = 1800).

VDOM DNS

When the FortiGate is in multi-vdom mode, DNS is handled by the management VDOM. However in some cases,
administrators may want to configure custom DNS settings on a non-management VDOM. For example, in a multi-
tenant scenario, each VDOM might be occupied by a different tenant, and each tenant might require its own DNS server.

To configure custom DNS settings within a non-management VDOM:

config vdom
edit <vdom>
config system vdom-dns
set vdom-dns enable
set primary <primary_DNS>
set secondary <secondary_DNS>
set protocol {cleartext dot doh}
set ip6-primary <primary_IPv6_DNS>
set ip6-secondary <secondary_IPv6_DNS>
set source-ip <IP_address>
set interface-select-method {auto | sdwan | specify}
end
next
end

DNS domain list

You can configure up to eight domains in the DNS settings using the GUI or the CLI.
When a client requests a URL that does not include an FQDN, FortiOS resolves the URL by traversing through the DNS
domain list and performing a query for each domain until the first match is found.
By default, FortiGate uses FortiGuard's DNS servers:
l Primary: 96.45.45.45
l Secondary: 96.45.46.46
You can also customize the DNS timeout time and the number of retry attempts.

To configure a DNS domain list in the GUI:

1. Go to Network > DNS.
2. Set DNS Servers to Specify.
3. Configure the primary and secondary DNS servers as needed.
4. In the Local Domain Name field, enter the first domain (sample.com in this example).
5. Click the + to add more domains (example.com and domainname.com in this example). You can enter up to eight
domains.
6. Configure additional DNS protocol and IPv6 settings as needed.
7. Click Apply.

To configure a DNS domain list in the CLI:

config system dns
set primary 96.45.45.45
set secondary 96.45.46.46
set domain "sample.com" "example.com" "domainname.com"
end

Verify the DNS configuration

In the following example, the local DNS server has an entry for host1 with the FQDN host1.sample.com, and an entry
for host2 with the FQDN host2.example.com.

To verify that the DNS domain list is configured:

1. Open Command Prompt.
2. Enter ping host1.
The system returns the following response:
PING host1.sample.com (1.1.1.1): 56 data bytes
As the request does not include an FQDN, FortiOS traverses the configured DNS domain list to find a match. It
appends sample.com, the first entry in the domain list, and finds host1.sample.com.
3. Enter ping host2.
The system returns the following response:
PING host2.example.com (2.2.2.2): 56 data bytes
FortiOS traverses the domain list to find a match. It first queries host2.sample.com, using the first entry in the
domain list, but does not find a match. It then queries using the second entry in the domain list, example.com.
Because host2 is mapped to the FQDN host2.example.com, FortiOS resolves host2 as host2.example.com.

DNS timeout and retry settings

The DNS timeout and retry settings can be customized using the CLI.
config system dns
set timeout <integer>
set retry <integer>
end

timeout <integer> The DNS query timeout interval, in seconds (1 - 10, default = 5).
retry <integer> The number of times to retry the DNS query (0 - 5, default = 2).

FortiGate DNS server

You can create local DNS servers for your network. Depending on your requirements, you can either manually maintain
your entries (primary DNS server), or use it to refer to an outside source (secondary DNS server).
A local, primary DNS server requires that you manually add all hostname and IP address combinations. Using a primary
DNS server for local services can minimize inbound and outbound traffic, and access time. Making it authoritative is not
recommended, because IP addresses can change, and maintaining the list can become labor intensive.
A secondary DNS server refers to an alternate source to obtain hostname and IP address combinations. This is useful when
there is a primary DNS server where the entry list is maintained.
FortiGate as a DNS server also supports TLS and HTTPS connections to a DNS client. See DNS over TLS and HTTPS
on page 220 for details.
By default, DNS server options are not available in the FortiGate GUI.

To enable DNS server options in the GUI:

1. Go to System > Feature Visibility.
2. Enable DNS Database in the Additional Features section.
3. Click Apply.

Example configuration

This section describes how to create an unauthoritative primary DNS server. The interface mode is recursive so that, if
the request cannot be fulfilled, the external DNS servers will be queried.

To configure FortiGate as a primary DNS server in the GUI:

1. Go to Network > DNS Servers.
2. In the DNS Database table, click Create New.
3. Set Type to Primary.
4. Set View to Shadow.
The View setting controls the accessibility of the DNS server. If you select Public, external users can access or use
the DNS server. If you select Shadow, only internal users can use it.
5. Enter a DNS Zone, for example, WebServer.
6. Enter the Domain Name of the zone, for example, fortinet.com.
7. Enter the Hostname of the DNS server, for example, Corporate.
8. Enter the Contact Email Address for the administrator, for example, [email protected].
9. Disable Authoritative.
10. Add DNS entries:
a. In the DNS Entries table, click Create New.
b. Select a Type, for example Address (A).
c. Set the Hostname, for example web.example.com.
d. Configure the remaining settings as needed. The options vary depending on the selected Type.
e. Click OK.
11. Add more DNS entries as needed.
12. Click OK.
13. Enable DNS services on an interface:
a. Go to Network > DNS Servers.
b. In the DNS Service on Interface table, click Create New.
c. Select the Interface for the DNS server, such as wan2.
d. Set the Mode to Recursive.
e. Click OK.

To configure FortiGate as a primary DNS server in the CLI:

config system dns-database
edit WebServer
set domain example.com
set type master
set view shadow
set ttl 86400
set primary-name corporate
set contact [email protected]
set authoritative disable
config dns-entry
edit 1
set status enable
set hostname web.example.com
set type A
set ip 192.168.21.12
next
end
next
end

config system dns-server
edit wan2
set mode recursive
next
end

DDNS

If your external IP address changes regularly and you want a static domain name, you can configure the external
interface to use a dynamic DNS (DDNS) service. This ensures that external users and customers can always connect to
your company firewall. You can configure FortiGuard as the DDNS server using the GUI or CLI.
A license or subscription is not required to use the DDNS service, but configuring DDNS in the GUI is not supported if:
l The FortiGate model is a 1000-series or higher.
l The FortiGate is a VM.
l The DNS server is not using FortiGuard as the DNS.

FortiGate does not support DDNS when in transparent mode.


Sample topology

In this example, FortiGuard DDNS is enabled and the DDNS server is set to float-zone.com. Other DDNS server options
include fortiddns.com and fortidyndns.com.

To configure FortiGuard DDNS service as a DDNS server in the GUI:

1. Go to Network > DNS.
2. Enable FortiGuard DDNS.
3. Select the Interface with the dynamic connection.
4. Select the Server that you have an account with.
5. Enter your Unique Location.
6. Click Apply.

To configure the FortiGuard DDNS service as an IPv4 DDNS server in the CLI:

config system ddns
edit 1
set ddns-server FortiGuardDDNS
set server-type ipv4
set ddns-domain "branch.float-zone.com"
set addr-type ipv4
set use-public-ip enable
set monitor-interface "wan1"
next
end

To configure the FortiGuard DDNS service as an IPv6 DDNS server in the CLI:

config system ddns
edit 1
set ddns-server FortiGuardDDNS
set server-type ipv6
set ddns-domain "fgtatest001.float-zone.com"
set addr-type ipv6
set monitor-interface "wan1"
next
end

DDNS servers other than FortiGuard

If you do not have a FortiGuard subscription, or want to use a different DDNS server, you can configure a DDNS server
for each interface. Only the first configured port appears in the GUI.
The available commands vary depending on the selected DDNS server.

To configure DDNS servers other than FortiGuard in the CLI:

config system ddns
edit <DDNS_ID>
set monitor-interface <external_interface>
set ddns-server <ddns_server_selection>
set server-type {ipv4 | ipv6}
set ddns-server-addr <address>
set addr-type {ipv4 | ipv6}
next
end

To configure an IPv6 DDNS client with generic DDNS on port 3 in the CLI:

config system ddns
edit 1
set ddns-server genericDDNS
set server-type ipv6
set ddns-server-addr "2004:16:16:16::2" "16.16.16.2" "ddns.genericddns.com"
set ddns-domain "test.com"
set addr-type ipv6
set monitor-interface "port3"
next
end

Refresh DDNS IP addresses

When using a public IP that is not assigned to the FortiGate, the FortiGate cannot trigger an update when the IP address
changes. The FortiGate can be configured to refresh DDNS IP addresses by periodically checking the DDNS server at
an update interval.

To configure FortiGate to refresh DDNS IP addresses in the CLI:

config system ddns
edit 1
set use-public-ip enable
set update-interval <seconds>
next
end

When update-interval is set to 0:
l For FortiGuard DDNS, the interval is 300 seconds.
l For third-party DDNS servers, the interval is assigned by the DDNS server.

Disable cleartext

When clear-text is disabled, the FortiGate uses an SSL/TLS connection to send and receive DDNS updates.

To disable cleartext and set the SSL certificate in the CLI:

config system ddns
edit 2
set clear-text disable
set ssl-certificate <cert_name>
next
end

DDNS update override

A DHCP server has an override command option that allows DHCP server communications to go through DDNS to
perform updates for the DHCP client. This enforces a DDNS update of the A field every time even if the DHCP client
does not request it. This allows support for the allow, ignore, and deny client-updates options.

To enable DDNS update override in the CLI:

config system dhcp server
edit 1
set ddns-update enable
set ddns-update-override enable
set ddns-server-ip <ddns_server_ip>
set ddns-zone <ddns_zone>
next
end


Troubleshooting

To debug DDNS:

# diagnose debug application ddnscd -1
# diagnose debug enable

To check if a DDNS server is available:

# diagnose test application ddnscd 3

Not available:
FortiDDNS status:
ddns_ip=0.0.0.0, ddns_ip6=::, ddns_port=443 svr_num=0 domain_num=0

Available:
FortiDDNS status:
ddns_ip=208.91.113.230, ddns_ip6=::, ddns_port=443 svr_num=1 domain_num=3
svr[0]= 208.91.113.230
domain[0]= fortiddns.com
domain[1]= fortidyndns.com
domain[2]= float-zone.com

DNS latency information

High latency in DNS traffic can result in an overall sluggish experience for end-users. In the DNS Settings pane, you can
quickly identify DNS latency issues in your configuration.
Go to Network > DNS to view DNS latency information in the right side bar. If you use FortiGuard DNS, latency
information for DNS, DNS filter, web filter, and outbreak prevention servers is also visible. Hover your pointer over a
latency value to see when it was last updated.


To view DNS latency information using the CLI:

# diagnose test application dnsproxy 2
worker idx: 0
worker: count=1 idx=0
retry_interval=500 query_timeout=1495
DNS latency info:
vfid=0 server=2001::1 latency=1494 updated=73311
vfid=0 server=96.45.46.46 latency=1405 updated=2547
vfid=0 server=8.8.8.8 latency=19 updated=91
SDNS latency info:
vfid=0 server=173.243.140.53 latency=1 updated=707681
DNS_CACHE: alloc=35, hit=26
RATING_CACHE: alloc=1, hit=49
DNS UDP: req=66769 res=63438 fwd=83526 alloc=0 cmp=0 retrans=16855 to=3233
cur=111 switched=8823467 num_switched=294 v6_cur=80 v6_switched=7689041 num_v6_switched=6
ftg_res=8 ftg_fwd=8 ftg_retrans=0
DNS TCP: req=0, res=0, fwd=0, retrans=0 alloc=0, to=0
FQDN: alloc=45 nl_write_cnt=9498 nl_send_cnt=21606 nl_cur_cnt=0
Botnet: searched=57 hit=0 filtered=57 false_positive=0

To view the latency from web filter and outbreak protection servers using the CLI:

# diagnose debug rating
Locale : english

Service : Web-filter
Status : Enable
License : Contract

Service : Antispam
Status : Disable

Service : Virus Outbreak Prevention
Status : Disable

-=- Server List (Tue Jan 22 08:03:14 2019) -=-

IP Weight RTT Flags TZ Packets Curr Lost Total Lost Updated Time
173.243.138.194 10 0 DI -8 700 0 2 Tue Jan 22 08:02:44 2019
173.243.138.195 10 0 -8 698 0 4 Tue Jan 22 08:02:44 2019
173.243.138.198 10 0 -8 698 0 4 Tue Jan 22 08:02:44 2019
173.243.138.196 10 0 -8 697 0 3 Tue Jan 22 08:02:44 2019
173.243.138.197 10 1 -8 694 0 0 Tue Jan 22 08:02:44 2019
96.45.33.64 10 22 D -8 701 0 6 Tue Jan 22 08:02:44 2019
64.26.151.36 40 62 -5 704 0 10 Tue Jan 22 08:02:44 2019
64.26.151.35 40 62 -5 703 0 9 Tue Jan 22 08:02:44 2019
209.222.147.43 40 70 D -5 696 0 1 Tue Jan 22 08:02:44 2019
66.117.56.42 40 70 -5 697 0 3 Tue Jan 22 08:02:44 2019
66.117.56.37 40 71 -5 702 0 9 Tue Jan 22 08:02:44 2019
65.210.95.239 40 74 -5 695 0 1 Tue Jan 22 08:02:44 2019
65.210.95.240 40 74 -5 695 0 1 Tue Jan 22 08:02:44 2019
45.75.200.88 90 142 0 706 0 12 Tue Jan 22 08:02:44 2019
45.75.200.87 90 155 0 714 0 20 Tue Jan 22 08:02:44 2019
45.75.200.85 90 156 0 711 0 17 Tue Jan 22 08:02:44 2019
45.75.200.86 90 159 0 704 0 10 Tue Jan 22 08:02:44 2019
62.209.40.72 100 157 1 701 0 7 Tue Jan 22 08:02:44 2019
62.209.40.74 100 173 1 705 0 11 Tue Jan 22 08:02:44 2019
62.209.40.73 100 173 1 699 0 5 Tue Jan 22 08:02:44 2019
121.111.236.179 180 138 9 706 0 12 Tue Jan 22 08:02:44 2019
121.111.236.180 180 138 9 704 0 10 Tue Jan 22 08:02:44 2019

DNS over TLS and HTTPS

DNS over TLS (DoT) is a security protocol for encrypting and encapsulating DNS queries and responses over the TLS
protocol. DoT increases user privacy and security by preventing eavesdropping and manipulation of DNS data via man-
in-the-middle attacks. Similarly, DNS over HTTPS (DoH) provides a method of performing DNS resolution over a secure
HTTPS connection. DoT and DoH are supported in explicit mode where the FortiGate acts as an explicit DNS server that
listens for DoT and DoH requests. Local-out DNS traffic over TLS and HTTPS is also supported.

Basic configurations for enabling DoT and DoH for local-out DNS queries

Before enabling DoT or DoH, ensure that they are supported by the DNS servers. The legacy FortiGuard DNS servers
(208.91.112.53 and 208.91.112.52) do not support DoT or DoH queries, and will drop these packets. At times, the
latency status of the DNS servers might also appear high or unreachable.
Disabling DoT and DoH is recommended when they are not supported by the DNS servers.

To enable DoT and DoH DNS in the GUI:

1. Go to Network > DNS.
2. Enter the primary and secondary DNS server addresses.
3. In the DNS Protocols section, enable TLS (TCP/853) and HTTPS (TCP/443).
4. Configure the other settings as needed.
5. Click Apply.

To enable DoT and DoH DNS in the CLI:

config system dns
set primary 1.1.1.1
set secondary 1.0.0.1
set protocol {cleartext dot doh}
end

To enable DoH on the DNS server in the GUI:

1. Go to Network > DNS Servers.
2. In the DNS Service on Interface section, edit an existing interface, or create a new one.
3. Select a Mode, and DNS Filter profile.
4. Enable DNS over HTTPS.
5. Click OK.

To enable DoH on the DNS server in the CLI:

config system dns-server
edit "port1"
set dnsfilter-profile "dnsfilter"
set doh enable
next
end

Examples

The following examples demonstrate how to configure DNS settings to support DoT and DoH queries made to the
FortiGate.

DoT

The following example uses a DNS filter profile where the education category is blocked.

To enable scanning DoT traffic in explicit mode with a DNS filter:

1. Configure the DNS settings:
config system dns
set primary 1.1.1.1
set secondary 1.0.0.1
set protocol dot
end
2. Configure the DNS filter profile:
config dnsfilter profile
edit "dnsfilter"
config ftgd-dns
config filters
edit 1
set category 30
set action block
next
end
end
next
end


3. Configure the DNS server settings:
config system dns-server
edit "port1"
set dnsfilter-profile "dnsfilter"
next
end
4. Send a DNS query over TLS (this example uses kdig on an Ubuntu client) using the FortiGate as the DNS server.
The www.ubc.ca domain belongs to the education category:
root@client:/tmp# kdig -d @10.1.100.173 +tls +header +all www.ubc.ca
;; DEBUG: Querying for owner(www.ubc.ca.), class(1), type(1), server(10.1.100.173), port(853), protocol(TCP)
;; DEBUG: TLS, received certificate hierarchy:
;; DEBUG: #1, C=US,ST=California,L=Sunnyvale,O=Fortinet,OU=FortiGate,CN=FG3H1E5818903681,[email protected]
;; DEBUG: SHA-256 PIN: Xhkpv9ABEhxDLtWG+lGEndNrBR7B1xjRYlGn2ltlkb8=
;; DEBUG: #2, C=US,ST=California,L=Sunnyvale,O=Fortinet,OU=Certificate Authority,CN=fortinet-subca2001,[email protected]
;; DEBUG: SHA-256 PIN: 3T8EqFBjpRSkxQNPFagjUNeEUghXOEYp904ROlJM8yo=
;; DEBUG: #3, C=US,ST=California,L=Sunnyvale,O=Fortinet,OU=Certificate Authority,CN=fortinet-ca2,[email protected]
;; DEBUG: SHA-256 PIN: /QfV4N3k5oxQR5RHtW/rbn/HrHgKpMLN0DEaeXY5yPg=
;; DEBUG: TLS, skipping certificate PIN check
;; DEBUG: TLS, skipping certificate verification
;; TLS session (TLS1.2)-(ECDHE-RSA-SECP256R1)-(AES-256-GCM)
;; ->>HEADER<<- opcode: QUERY; status: NOERROR; id: 56719
;; Flags: qr rd; QUERY: 1; ANSWER: 1; AUTHORITY: 0; ADDITIONAL: 0

;; QUESTION SECTION:
;; www.ubc.ca. IN A

;; ANSWER SECTION:
www.ubc.ca. 60 IN A 208.91.112.55

;; Received 44 B
;; Time 2021-03-12 23:11:27 PST
;; From 10.1.100.173@853(TCP) in 0.2 ms
root@client:/tmp#

The IP returned by the FortiGate for www.ubc.ca belongs to the FortiGuard block page, so the query was blocked
successfully.

DoH

The following example uses a DNS filter profile where the education category is blocked.

To configure scanning DoH traffic in explicit mode with a DNS filter:

1. Configure the DNS settings:
config system dns
set primary 1.1.1.1
set secondary 1.0.0.1
set protocol doh
end
2. Configure the DNS filter profile:
config dnsfilter profile
edit "dnsfilter"
config ftgd-dns
config filters
edit 1
set category 30
set action block
next
end
end
next
end
3. Configure the DNS server settings:
config system dns-server
edit "port1"
set dnsfilter-profile "dnsfilter"
set doh enable
next
end

4. In your browser, enable DNS over HTTPS.


5. On your computer, edit the TCP/IP settings to use the FortiGate interface address as the DNS server.
6. In your browser, go to a website in the education category (www.ubc.ca). The website is redirected to the block
page.
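Both procedures above rely on the wire formats of DoT (RFC 7858) and DoH (RFC 8484). The following Python is an added illustration written for this page, not FortiOS code or output: it builds the A query for www.ubc.ca, applies the two-byte length framing DoT uses, produces the RFC 8484 GET URL for DoH, and parses a response. The sample response is a constructed wire-format copy of the answer kdig printed above (ID 56719, flags qr rd, TTL 60, block page 208.91.112.55, 44 bytes), and the server address 10.1.100.173 is taken from that run. query_dot() is the live counterpart and, unlike the kdig run above which skipped certificate verification, validates the FortiGate's certificate against the CA file you pass; it needs network access and is not exercised offline.

```python
import base64
import socket
import ssl
import struct

DOT_PORT = 853
BLOCK_PAGE_IP = "208.91.112.55"   # FortiGuard block page address seen in the kdig output above


def encode_name(name):
    """RFC 1035 label encoding: www.ubc.ca -> 3www 3ubc 2ca 0."""
    out = b""
    for label in name.rstrip(".").split("."):
        if not 0 < len(label) < 64:
            raise ValueError("bad label %r" % label)
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(name, qtype=1, txid=0x1234):
    """Single-question query with RD set; qtype 1 = A. txid 0x1234 is an arbitrary choice."""
    return struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0) + encode_name(name) + struct.pack("!HH", qtype, 1)


def frame_for_dot(msg):
    """DoT reuses DNS-over-TCP framing: a two-byte big-endian length precedes each message."""
    return struct.pack("!H", len(msg)) + msg


def unframe_from_dot(data):
    (length,) = struct.unpack("!H", data[:2])
    return data[2:2 + length]


def doh_get_url(server, name):
    """RFC 8484 GET form: message with ID 0, base64url without padding, in the dns= parameter."""
    msg = build_query(name, txid=0)
    return "https://%s/dns-query?dns=%s" % (server, base64.urlsafe_b64encode(msg).decode().rstrip("="))


def read_name(msg, off):
    """Decode a possibly compressed name; returns (name, offset just past the name in its original position)."""
    labels, end, jumped = [], None, False
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                       # compression pointer (RFC 1035 4.1.4)
            if not jumped:
                end = off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            jumped = True
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels) + ".", (end if jumped else off)


def parse_response(msg):
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        _, off = read_name(msg, off)
        off += 4                                        # skip QTYPE and QCLASS
    answers = []
    for _ in range(an):
        name, off = read_name(msg, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == 1 and rclass == 1 and rdlen == 4:
            rdata = socket.inet_ntoa(rdata)
        answers.append((name, rtype, ttl, rdata))
    return {"id": txid, "rcode": flags & 0x000F, "answers": answers}


def blocked_by_dns_filter(answers):
    """True when an A answer is the FortiGuard block page, i.e. the DNS filter blocked the name."""
    return any(rtype == 1 and rdata == BLOCK_PAGE_IP for _, rtype, _, rdata in answers)


def query_dot(server, name, cafile=None, server_hostname=None):
    """Live DoT query with certificate verification (not run offline)."""
    ctx = ssl.create_default_context(cafile=cafile)
    with socket.create_connection((server, DOT_PORT), timeout=5) as raw, \
            ctx.wrap_socket(raw, server_hostname=server_hostname or server) as tls:
        tls.sendall(frame_for_dot(build_query(name)))
        (length,) = struct.unpack("!H", tls.recv(2))
        body = b""
        while len(body) < length:
            chunk = tls.recv(length - len(body))
            if not chunk:
                raise ConnectionError("DoT server closed the connection mid-message")
            body += chunk
    return parse_response(body)


# Constructed wire-format copy of the answer shown above: id 56719, flags qr rd, www.ubc.ca A 60 -> block page.
SAMPLE_RESPONSE = (struct.pack("!HHHHHH", 56719, 0x8100, 1, 1, 0, 0)
                   + encode_name("www.ubc.ca") + struct.pack("!HH", 1, 1)
                   + b"\xC0\x0C" + struct.pack("!HHIH", 1, 1, 60, 4) + socket.inet_aton(BLOCK_PAGE_IP))
```

Checking for the block page address, as blocked_by_dns_filter() does, is how a client-side test can confirm the DNS filter profile is applied without reading the FortiGate logs; the same check works on a DoH answer once the HTTP body is handed to parse_response().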

DNS troubleshooting

The following diagnose command can be used to collect DNS debug information. If you do not specify a worker ID, the
default worker ID is 0.
# diagnose test application dnsproxy
worker idx: 0
1. Clear DNS cache
2. Show stats
3. Dump DNS setting
4. Reload FQDN
5. Requery FQDN
6. Dump FQDN
7. Dump DNS cache
8. Dump DNS DB
9. Reload DNS DB
10. Dump secure DNS policy/profile
11. Dump Botnet domain
12. Reload Secure DNS setting
13. Show Hostname cache
14. Clear Hostname cache
15. Show SDNS rating cache
16. Clear SDNS rating cache
17. DNS debug bit mask
18. DNS debug obj mem
99. Restart dnsproxy worker

To view useful information about the ongoing DNS connection:

# diagnose test application dnsproxy 3
worker idx: 0
vdom: root, index=0, is primary, vdom dns is disabled, mip-169.254.0.1 dns_log=1 tls=0 cert=
dns64 is disabled
vdom: vdom1, index=1, is primary, vdom dns is enabled, mip-169.254.0.1 dns_log=1 tls=0 cert=
dns64 is disabled
dns-server:96.45.45.220:45 tz=-480 tls=0 req=0 to=0 res=0 rt=0 rating=1 ready=0 timer=37 probe=9 failure=0 last_failed=0
dns-server:8.8.8.8:53 tz=0 tls=0 req=73 to=0 res=73 rt=5 rating=0 ready=1 timer=0 probe=0 failure=0 last_failed=0
dns-server:65.39.139.63:53 tz=0 tls=0 req=39 to=0 res=39 rt=1 rating=0 ready=1 timer=0 probe=0 failure=0 last_failed=0
dns-server:62.209.40.75:53 tz=60 tls=0 req=0 to=0 res=0 rt=0 rating=1 ready=0 timer=37 probe=9 failure=0 last_failed=0
dns-server:209.222.147.38:53 tz=-300 tls=0 req=0 to=0 res=0 rt=0 rating=1 ready=0 timer=37 probe=9 failure=0 last_failed=0
dns-server:173.243.138.221:53 tz=-480 tls=0 req=0 to=0 res=0 rt=0 rating=1 ready=0 timer=37 probe=9 failure=0 last_failed=0
dns-server:45.75.200.89:53 tz=0 tls=0 req=0 to=0 res=0 rt=0 rating=1 ready=0 timer=37 probe=9 failure=0 last_failed=0
DNS_CACHE: hash-size=2048, ttl=1800, min-ttl=60, max-num=-1
DNS FD: udp_s=12 udp_c=17:18 ha_c=22 unix_s=23, unix_nb_s=24, unix_nc_s=25
v6_udp_s=11, v6_udp_c=20:21, snmp=26, redir=13, v6_redir=14
DNS FD: tcp_s=29, tcp_s6=27, redir=31 v6_redir=32
FQDN: hash_size=1024, current_query=1024
DNS_DB: response_buf_sz=131072
LICENSE: expiry=2015-04-08, expired=1, type=2
FDG_SERVER:96.45.45.220:45
FGD_CATEGORY_VERSION:8
SERVER_LDB: gid=eb19, tz=-480, error_allow=0
FGD_REDIR_V4:208.91.112.55 FGD_REDIR_V6:

Important fields include:

tls 1 if the connection is TLS, 0 if the connection is not TLS.
rt The round trip time of the DNS latency.
probe The number of probes sent.
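The dns-server lines in that output are regular enough to parse, which makes the check repeatable (for example from a monitoring job that runs the diagnose command over SSH). The following Python is an added illustration written for this page, not FortiOS code: DNSPROXY_OUTPUT embeds the dns-server lines from the output above, each joined onto one line, and unhealthy() applies the reading of the fields given above (ready=0 and a climbing probe count mean the server is not answering, tls=0 means the FortiGate is talking cleartext to it). The expect_tls and max_rt thresholds are this example's own parameters, not FortiOS settings.

```python
import re

# The dns-server lines from the diagnose test application dnsproxy 3 output above, joined onto one line each.
DNSPROXY_OUTPUT = """\
vdom: root, index=0, is primary, vdom dns is disabled, mip-169.254.0.1 dns_log=1 tls=0 cert=
dns-server:96.45.45.220:45 tz=-480 tls=0 req=0 to=0 res=0 rt=0 rating=1 ready=0 timer=37 probe=9 failure=0 last_failed=0
dns-server:8.8.8.8:53 tz=0 tls=0 req=73 to=0 res=73 rt=5 rating=0 ready=1 timer=0 probe=0 failure=0 last_failed=0
dns-server:65.39.139.63:53 tz=0 tls=0 req=39 to=0 res=39 rt=1 rating=0 ready=1 timer=0 probe=0 failure=0 last_failed=0
dns-server:62.209.40.75:53 tz=60 tls=0 req=0 to=0 res=0 rt=0 rating=1 ready=0 timer=37 probe=9 failure=0 last_failed=0
dns-server:209.222.147.38:53 tz=-300 tls=0 req=0 to=0 res=0 rt=0 rating=1 ready=0 timer=37 probe=9 failure=0 last_failed=0
dns-server:173.243.138.221:53 tz=-480 tls=0 req=0 to=0 res=0 rt=0 rating=1 ready=0 timer=37 probe=9 failure=0 last_failed=0
dns-server:45.75.200.89:53 tz=0 tls=0 req=0 to=0 res=0 rt=0 rating=1 ready=0 timer=37 probe=9 failure=0 last_failed=0
"""

KEY_VALUE = re.compile(r"(\w+)=(-?\d+)")


def parse_dns_servers(text):
    """Return one dict per dns-server line: server, port and every numeric k=v field."""
    servers = []
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith("dns-server:"):
            continue
        head, _, rest = line.partition(" ")
        addr, _, port = head[len("dns-server:"):].rpartition(":")   # rpartition keeps IPv6 addresses intact
        entry = {"server": addr, "port": int(port)}
        entry.update((k, int(v)) for k, v in KEY_VALUE.findall(rest))
        servers.append(entry)
    return servers


def unhealthy(servers, expect_tls=False, max_rt=None):
    """List (server, reasons) for servers that are not ready, have failures, are cleartext when TLS is
    expected, or exceed the round-trip threshold. rt is compared as reported by the FortiGate."""
    problems = []
    for s in servers:
        reasons = []
        if not s.get("ready", 0):
            reasons.append("not ready (probe=%d, timer=%d)" % (s.get("probe", 0), s.get("timer", 0)))
        if s.get("failure", 0):
            reasons.append("failure=%d last_failed=%d" % (s["failure"], s.get("last_failed", 0)))
        if expect_tls and not s.get("tls", 0):
            reasons.append("tls=0 but DoT/DoH expected")
        if max_rt is not None and s.get("rt", 0) > max_rt:
            reasons.append("rt=%d above threshold %d" % (s["rt"], max_rt))
        if reasons:
            problems.append((s["server"], reasons))
    return problems


def ready_servers(servers):
    return [s["server"] for s in servers if s.get("ready", 0)]


if __name__ == "__main__":
    parsed = parse_dns_servers(DNSPROXY_OUTPUT)
    print("ready:", ready_servers(parsed))
    for server, reasons in unhealthy(parsed, expect_tls=True):
        print(server, "->", "; ".join(reasons))
```

With expect_tls=True every server in this output is flagged, which is the expected result for a FortiGate that has set protocol cleartext: the check is only meaningful once dot or doh has been enabled under config system dns.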

To dump the second DNS worker's cache:

diagnose test application dnsproxy 7 1

To enable debug on the second worker:

diagnose debug application dnsproxy -1 1

To enable debug on all workers by specifying -1 as worker ID:

diagnose debug application dnsproxy -1 -1

Explicit and transparent proxies

This section contains instructions for configuring explicit and transparent proxies.
l Explicit web proxy on page 226
l Transparent proxy on page 232
l FTP proxy on page 230
l Proxy policy addresses on page 234
l Proxy policy security profiles on page 241
l Explicit proxy authentication on page 245
l Transparent web proxy forwarding on page 251
l Upstream proxy authentication in transparent proxy mode on page 255
l Multiple dynamic header count on page 257
l Restricted SaaS access on page 259
l Explicit proxy and FortiSandbox Cloud on page 268
l Proxy chaining on page 270
l WAN optimization SSL proxy chaining on page 275
l Agentless NTLM authentication for web proxy on page 283
l Multiple LDAP servers in Kerberos keytabs and agentless NTLM domain controllers on page 286
l Learn client IP addresses on page 287
l Explicit proxy authentication over HTTPS on page 288
l mTLS client certificate authentication on page 290
l CORS protocol in explicit web proxy when using session-based, cookie-enabled, and captive portal-enabled SAML
authentication on page 296

Explicit web proxy

Explicit web proxy can be configured on FortiGate for proxying HTTP and HTTPS traffic.
To deploy explicit proxy, individual client browsers can be manually configured to send requests directly to the proxy, or
they can be configured to download proxy configuration instructions from a Proxy Auto-Configuration (PAC) file.
When explicit proxy is configured on an interface, the interface IP address can be used by client browsers to forward
requests directly to the FortiGate. FortiGate also supports PAC file configuration.


To configure explicit web proxy in the GUI:

1. Enable and configure explicit web proxy:
a. Go to Network > Explicit Proxy.
b. Enable Explicit Web Proxy.
c. Select port2 as the Listen on Interfaces and set the HTTP Port to 8080.
d. Configure the remaining settings as needed.
e. Click Apply.
2. Create an explicit web proxy policy:
a. Go to Policy & Objects > Proxy Policy.
b. Click Create New.
c. Set Proxy Type to Explicit Web and Outgoing Interface to port1.
d. Also set Source and Destination to all, Schedule to always, Service to webproxy, and Action to ACCEPT.
e. Click OK to create the policy.

This example creates a basic policy. If required, security profiles can be enabled, and deep
SSL inspection can be selected to inspect HTTPS traffic.

3. Configure a client to use the FortiGate explicit proxy:
Set the FortiGate IP address as the proxy IP address in the browser, or use an automatic configuration script for the
PAC file.

To configure explicit web proxy in the CLI:

1. Enable and configure explicit web proxy:
config web-proxy explicit
set status enable
set ftp-over-http enable
set socks enable
set http-incoming-port 8080
set ipv6-status enable
set unknown-http-version best-effort
end
config system interface
edit "port2"
set vdom "vdom1"
set ip 10.1.100.1 255.255.255.0
set allowaccess ping https ssh snmp http telnet
set type physical
set explicit-web-proxy enable
set snmp-index 12
next
end


2. Create an explicit web proxy policy:
config firewall proxy-policy
edit 1
set name "proxy-policy-explicit"
set proxy explicit-web
set dstintf "port1"
set srcaddr "all"
set dstaddr "all"
set service "webproxy"
set action accept
set schedule "always"
set logtraffic all
next
end

This example creates a basic policy. If required, security profiles can be enabled, and deep
SSL inspection can be selected to inspect HTTPS traffic.

3. Configure a client to use the FortiGate explicit web proxy:
Set the FortiGate IP address as the proxy IP address in the browser, or use an automatic configuration script for the
PAC file.

Downloading a PAC file using HTTPS

PAC files can be downloaded for an explicit proxy through the FortiGate's captive portal using HTTPS to ensure a secure download.

In this example, a Windows PC has an HTTPS URL configured in its proxy settings to download a PAC file from a FortiGate by using a download link, https://cp.myqalab.local:7831/proxy.pac, through a captive portal. Once the PAC file is securely downloaded using HTTPS, browsers installed on the PC can use the proxy in the PAC file to visit a website.

The global web proxy settings must be configured to use a customized SSL certificate because the default Fortinet_Factory certificate will not be accepted by Windows due to security restrictions. The customized SSL certificate is used as the HTTPS server's certificate on the FortiGate. All CA certificates in the server certificate's chain must be installed and trusted on the Windows PC.

To download a PAC file using HTTPS:

1. Configure the explicit web proxy to serve a PAC file through HTTPS:

    config web-proxy explicit
        set pac-file-server-status enable
        unset pac-file-server-port
        set pac-file-name "proxy.pac"
        set pac-file-data "function FindProxyForURL(url, host) {
        // testtest
        return \"PROXY 10.1.100.1:8080\";
        }
        "
        set pac-file-through-https enable
    end

2. Configure the captive portal to be used as an HTTPS server that provides the PAC file download:

    config authentication setting
        set captive-portal-type ip
        set captive-portal-ip 10.1.100.1
        set captive-portal-ssl-port 7831
    end

3. Configure the global web proxy settings to use a customized SSL certificate:

    config web-proxy global
        set ssl-cert "server_cert"
    end

4. On the Windows PC, go to Settings > Network & Internet > Proxy.
5. In the Automatic proxy setup section, click Save to trigger the PAC file download from the HTTPS URL.
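The proxy.pac in step 1 sends every request to the proxy. As an added example (not the guide's own PAC file), the script below sends only loopback, unqualified and internal-domain hosts DIRECT and everything else through the explicit proxy at 10.1.100.1:8080 from the example above; the .corp.example domain is a constructed placeholder, and the helper functions are minimal stand-ins for the ones a browser supplies to PAC scripts so the file also runs stand-alone for testing.

```javascript
// Added example PAC file, not the guide's proxy.pac. Routes loopback,
// unqualified and internal-domain hosts DIRECT; everything else goes to the
// FortiGate explicit web proxy at 10.1.100.1:8080 from the guide's example.

var INTERNAL_DOMAIN = ".corp.example";          // constructed placeholder domain
var FORTIGATE_PROXY = "PROXY 10.1.100.1:8080";  // explicit proxy from the guide

// Browsers provide isPlainHostName() and dnsDomainIs() to PAC scripts; these
// minimal equivalents let the file run under Node as well.
function isPlainHostName(host) {
  return host.indexOf(".") === -1;
}

function dnsDomainIs(host, domain) {
  return host.length >= domain.length &&
    host.substring(host.length - domain.length) === domain;
}

function isLoopback(host) {
  return host === "localhost" || host === "127.0.0.1" ||
    host === "::1" || host === "[::1]";
}

function FindProxyForURL(url, host) {
  host = host.toLowerCase();
  // Never send loopback, unqualified or internal names to the proxy.
  if (isLoopback(host) || isPlainHostName(host) ||
      dnsDomainIs(host, INTERNAL_DOMAIN)) {
    return "DIRECT";
  }
  // Everything else goes through the FortiGate explicit proxy. No "; DIRECT"
  // fallback is appended on purpose: with one, a browser silently bypasses the
  // proxy (and the security profiles on its proxy policy) whenever the proxy
  // is unreachable.
  return FORTIGATE_PROXY;
}
```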

FTP proxy

FTP proxies can be configured on the FortiGate so that FTP traffic can be proxied. When the FortiGate is configured as an FTP proxy, FTP client applications should be configured to send FTP requests to the FortiGate.

To configure explicit FTP proxy in the GUI:

1. Enable and configure explicit FTP proxy:
   a. Go to Network > Explicit Proxy.
   b. Enable Explicit FTP Proxy.
   c. Select port2 as the Listen on Interfaces and set the HTTP Port to 21.
   d. Configure the Default Firewall Policy Action as needed.
   e. Click Apply.
2. Create an explicit FTP proxy policy:
   a. Go to Policy & Objects > Proxy Policy.
   b. Click Create New.
   c. Set Proxy Type to FTP and Outgoing Interface to port1.
   d. Also set Source and Destination to all, Schedule to always, and Action to ACCEPT.
   e. Click OK to create the policy.

   This example creates a basic policy. If required, security profiles can be enabled.

3. Configure the FTP client application to use the FortiGate IP address.

To configure explicit FTP proxy in the CLI:

1. Enable and configure explicit FTP proxy:

    config ftp-proxy explicit
        set status enable
        set incoming-port 21
    end
    config system interface
        edit "port2"
            set vdom "vdom1"
            set ip 10.1.100.1 255.255.255.0
            set allowaccess ping https ssh snmp http telnet
            set type physical
            set explicit-ftp-proxy enable
            set snmp-index 12
        next
    end

2. Create an explicit FTP proxy policy:

    config firewall proxy-policy
        edit 4
            set name "proxy-policy-ftp"
            set proxy ftp
            set dstintf "port1"
            set srcaddr "all"
            set dstaddr "all"
            set action accept
            set schedule "always"
        next
    end

   This example creates a basic policy. If required, security profiles can be enabled.

3. Configure the FTP client application to use the FortiGate IP address.

Transparent proxy

In a transparent proxy deployment, the user's client software, such as a browser, is unaware that it is communicating with a proxy. Users request internet content as usual, without any special client configuration, and the proxy serves their requests. FortiGate can also be configured in transparent proxy mode.

To redirect HTTPS traffic, SSL inspection is required.

To configure transparent proxy in the GUI:

1. Configure a regular firewall policy with HTTP redirect:
   a. Go to Policy & Objects > Firewall Policy.
   b. Click Create New.
   c. Name the policy appropriately, set the Incoming Interface to port2, and set the Outgoing Interface to port1.
   d. Also set Source and Destination to all, Schedule to always, Service to ALL, and Action to ACCEPT.
   e. Set Inspection Mode to Proxy-based and SSL Inspection to deep-inspection.
   f. Configure the remaining settings as needed.
   g. Click OK.
2. Configure a transparent proxy policy:
   a. Go to Policy & Objects > Proxy Policy.
   b. Click Create New.
   c. Set Proxy Type to Transparent Web, set the Incoming Interface to port2, and set the Outgoing Interface to port1.
   d. Also set Source and Destination to all, Schedule to always, Service to webproxy, and Action to ACCEPT.
   e. Configure the remaining settings as needed.
   f. Click OK to create the policy.
3. No special configuration is required on the client to use the FortiGate transparent proxy. As the client is using the FortiGate as its default gateway, requests will first hit the regular firewall policy, and then be redirected to the transparent proxy policy.


To configure transparent proxy in the CLI:

1. Configure a regular firewall policy with HTTP redirect:

    config firewall policy
        edit 1
            set name "LAN To WAN"
            set srcintf "port2"
            set dstintf "port1"
            set srcaddr "all"
            set dstaddr "all"
            set action accept
            set schedule "always"
            set service "ALL"
            set inspection-mode proxy
            set http-policy-redirect enable
            set fsso disable
            set ssl-ssh-profile "deep-inspection"
            set nat enable
        next
    end

2. Configure a transparent proxy policy:

    config firewall proxy-policy
        edit 5
            set name "proxy-policy-transparent"
            set proxy transparent-web
            set srcintf "port2"
            set dstintf "port1"
            set srcaddr "all"
            set dstaddr "all"
            set service "webproxy"
            set action accept
            set schedule "always"
        next
    end

   This example creates a basic policy. If required, security profiles can be enabled, and deep SSL inspection can be selected to inspect HTTPS traffic.

3. No special configuration is required on the client to use the FortiGate transparent proxy. As the client is using the FortiGate as its default gateway, requests will first hit the regular firewall policy, and then be redirected to the transparent proxy policy.

Proxy policy addresses

Proxy addresses are designed to be used only by proxy policies. The following address types are available:
• Host regex match on page 235
• URL pattern on page 236
• URL category on page 237
• HTTP method on page 237
• HTTP header on page 238
• User agent on page 239
• Advanced (source) on page 239
• Advanced (destination) on page 240

Fast policy match

The fast policy match function improves the performance of IPv4 explicit and transparent web proxies on FortiGate devices.

When enabled, after the proxy policies are configured, the FortiGate builds a fast searching table based on the different proxy policy matching criteria. When fast policy matching is disabled, web proxy traffic is compared to the policies one at a time from the beginning of the policy list.

Fast policy matching is enabled by default, and can be configured with the following CLI command:

    config web-proxy global
        set fast-policy-match {enable | disable}
    end

Host regex match

In this address type, a user can create a hostname as a regular expression. Once created, the hostname address can be selected as a destination of a proxy policy. This means that a policy will only allow or block requests that match the regular expression.

This example creates a host regex match address with the pattern qa.[a-z]*.com.

To create a host regex match address in the GUI:

1. Go to Policy & Objects > Addresses.
2. Click Create New > Address.
3. Set the following:
   • Category to Proxy Address,
   • Name to Host Regex,
   • Type to Host Regex Match, and
   • Host Regex Pattern to qa.[a-z]*.com.
4. Click OK.

To create a host regex match address in the CLI:

    config firewall proxy-address
        edit "Host Regex"
            set type host-regex
            set host-regex "qa.[a-z]*.com"
        next
    end

URL pattern

In this address type, a user can create a URL path as a regular expression. Once created, the path address can be selected as a destination of a proxy policy. This means that a policy will only allow or block requests that match the regular expression.

This example creates a URL pattern address with the pattern /filetypes/.

To create a URL pattern address in the GUI:

1. Go to Policy & Objects > Addresses.
2. Click Create New > Address.
3. Set the following:
   • Category to Proxy Address,
   • Name to URL Regex,
   • Type to URL Pattern,
   • Host to all, and
   • URL Path Regex to /filetypes/.
4. Click OK.

To create a URL pattern address in the CLI:

    config firewall proxy-address
        edit "URL Regex"
            set type url
            set host "all"
            set path "/filetypes/"
        next
    end


URL category

In this address type, a user can create a URL category based on a FortiGuard URL ID. Once created, the address can be selected as a destination of a proxy policy. This means that a policy will only allow or block requests that match the URL category.

The example creates a URL category address for URLs in the Education category. For more information about categories, see https://fortiguard.com/webfilter/categories.

For information about creating and using custom local and remote categories, see Web rating override on page 1375 and Threat feeds on page 2630.

To create a URL category address in the GUI:

1. Go to Policy & Objects > Addresses.
2. Click Create New > Address.
3. Set the following:
   • Category to Proxy Address,
   • Name to url-category,
   • Type to URL Category,
   • Host to all, and
   • URL Category to Education.
4. Click OK.

To create a URL category address in the CLI:

    config firewall proxy-address
        edit "url-category"
            set type category
            set host "all"
            set category 30
        next
    end

To see a list of all the categories and their numbers, when editing the address, enter set category ?.

HTTP method

In this address type, a user can create an address based on the HTTP request methods that are used. Multiple method options are supported, including CONNECT, DELETE, GET, HEAD, OPTIONS, POST, PUT, and TRACE. Once created, the address can be selected as a source of a proxy policy. This means that a policy will only allow or block requests that match the selected HTTP method.

The example creates an HTTP method address that uses the GET method.

To create an HTTP method address in the GUI:

1. Go to Policy & Objects > Addresses.
2. Click Create New > Address.
3. Set the following:
   • Category to Proxy Address,
   • Name to method_get,
   • Type to HTTP Method,
   • Host to all, and
   • Request Method to GET.
4. Click OK.

To create an HTTP method address in the CLI:

    config firewall proxy-address
        edit "method_get"
            set type method
            set host "all"
            set method get
        next
    end

HTTP header

In this address type, a user can create an HTTP header as a regular expression. Once created, the header address can be selected as a source of a proxy policy. This means that a policy will only allow or block requests where the HTTP header matches the regular expression.

This example creates an HTTP header address with the pattern Q[A-B].

To create an HTTP header address in the GUI:

1. Go to Policy & Objects > Addresses.
2. Click Create New > Address.
3. Set the following:
   • Category to Proxy Address,
   • Name to HTTP-header,
   • Type to HTTP Header,
   • Host to all,
   • Header Name to Header_Test, and
   • Header Regex to Q[A-B].
4. Click OK.

To create an HTTP header address in the CLI:

    config firewall proxy-address
        edit "HTTP-header"
            set type header
            set host "all"
            set header-name "Header_Test"
            set header "Q[A-B]"
        next
    end
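The host regex, URL pattern and HTTP header address types above all take regular expressions, so a pattern is worth exercising before it goes into a proxy policy. The check below is an added example, not part of the guide: it applies the guide's own patterns to constructed inputs and shows that the unescaped, unanchored qa.[a-z]*.com also matches hosts it was not meant to. It assumes the FortiGate applies a pattern as a standard unanchored regex search; confirm the match behaviour with test traffic on your own unit.

```javascript
// Added check, not from the guide: runs the guide's proxy-address regex
// patterns against constructed inputs so an over-broad pattern is caught
// before it lands in a proxy policy. Assumes standard, unanchored regex
// search semantics; verify on the FortiGate itself.

// Patterns exactly as written in the guide's examples.
const HOST_REGEX_AS_WRITTEN = "qa.[a-z]*.com";    // "." unescaped, no anchors
const HOST_REGEX_STRICT = "^qa\\.[a-z]*\\.com$";  // same intent, escaped and anchored
const URL_PATH_REGEX = "/filetypes/";
const HEADER_REGEX = "Q[A-B]";

// Return the subset of inputs that the pattern matches.
function matchingInputs(pattern, inputs) {
  const re = new RegExp(pattern);
  return inputs.filter((value) => re.test(value));
}

// Constructed hostnames: only the first one is the intended target.
const HOSTS = [
  "qa.fortinet.com",         // intended match
  "qaxfortinetxcom",         // the unescaped "." matches any character
  "notqa.lab.com",           // no "^" anchor: matches as a substring
  "qa.lab.com.example.net",  // no "$" anchor: a longer name under another domain
  "qa.example.org",          // does not end in .com: must not match
];

// Constructed request paths and header values.
const PATHS = ["/filetypes/index.html", "/docs/filetypes/", "/files/"];
const HEADER_VALUES = ["QA", "QB", "QC", "xQAx"];

function hostsMatchedAsWritten() { return matchingInputs(HOST_REGEX_AS_WRITTEN, HOSTS); }
function hostsMatchedStrict()    { return matchingInputs(HOST_REGEX_STRICT, HOSTS); }
function pathsMatched()          { return matchingInputs(URL_PATH_REGEX, PATHS); }
function headersMatched()        { return matchingInputs(HEADER_REGEX, HEADER_VALUES); }
```

As a destination in an allow policy, the pattern as written would permit four of the five constructed hosts; the anchored form permits only qa.fortinet.com.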

User agent

In this address type, a user can create an address based on the names of the browsers that are used as user agents. Multiple browsers are supported, such as Chrome, Firefox, Internet Explorer, and others. Once created, the address can be selected as a source of a proxy policy. This means that a policy will only allow or block requests from the specified user agent.

This example creates a user agent address for Google Chrome.

To create a user agent address in the GUI:

1. Go to Policy & Objects > Addresses.
2. Click Create New > Address.
3. Set the following:
   • Category to Proxy Address,
   • Name to UA-Chrome,
   • Type to User Agent,
   • Host to all, and
   • User Agent to Google Chrome.
4. Click OK.

To create a user agent address in the CLI:

    config firewall proxy-address
        edit "UA-Chrome"
            set type ua
            set host "all"
            set ua chrome
        next
    end

Advanced (source)

In this address type, a user can create an address based on multiple parameters, including HTTP method, User Agent, and HTTP header. Once created, the address can be selected as a source of a proxy policy. This means that a policy will only allow or block requests that match the selected address.

This example creates an address that uses the GET method, a user agent for Google Chrome, and an HTTP header with the pattern Q[A-B].

To create an advanced (source) address in the GUI:

1. Go to Policy & Objects > Addresses.
2. Click Create New > Address.
3. Set the following:
   • Category to Proxy Address,
   • Name to advanced_src,
   • Type to Advanced (Source),
   • Host to all,
   • Request Method to GET,
   • User Agent to Google Chrome, and
   • HTTP header to Header_Test : Q[A-B].
4. Click OK.

To create an advanced (source) address in the CLI:

    config firewall proxy-address
        edit "advanced_src"
            set type src-advanced
            set host "all"
            set method get
            set ua chrome
            config header-group
                edit 1
                    set header-name "Header_Test"
                    set header "Q[A-B]"
                next
            end
        next
    end

Advanced (destination)

In this address type, a user can create an address based on URL pattern and URL category parameters. Once created, the address can be selected as a destination of a proxy policy. This means that a policy will only allow or block requests that match the selected address.

This example creates an address for URLs with the path pattern /about that are in the Education category. For more information about categories, see https://fortiguard.com/webfilter/categories.

To create an advanced (destination) address in the GUI:

1. Go to Policy & Objects > Addresses.
2. Click Create New > Address.
3. Set the following:
   • Category to Proxy Address,
   • Name to Advanced-dst,
   • Type to Advanced (Destination),
   • Host to all,
   • URL Path Regex to /about, and
   • URL Category to Education.
4. Click OK.

To create an advanced (destination) address in the CLI:

    config firewall proxy-address
        edit "Advanced-dst"
            set type dst-advanced
            set host "ubc"
            set path "/about"
            set category 30
        next
    end

Proxy policy security profiles

Web proxy policies support most security profile types.

Security profiles must be created before they can be used in a policy; see Security Profiles on page 1135 for information.

Explicit web proxy policy

The security profiles supported by explicit web proxy policies are:
• AntiVirus
• Web Filter
• Video Filter
• Application Control
• IPS
• DLP Profile
• ICAP
• Web Application Firewall
• File Filter
• SSL Inspection

To configure security profiles on an explicit web proxy policy in the GUI:

1. Go to Policy & Objects > Proxy Policy.
2. Click Create New.
3. Set the following:

   Proxy Type            Explicit Web
   Outgoing Interface    port1
   Source                all
   Destination           all
   Schedule              always
   Service               webproxy
   Action                ACCEPT

4. In the Firewall / Network Options section, set Protocol Options to default.
5. In the Security Profiles section, make the following selections (for this example, these profiles have all already been created):

   AntiVirus                   av
   Web Filter                  urlfilter
   Application Control         app
   IPS                         Sensor-1
   DLP Profile                 dlp
   ICAP                        default
   Web Application Firewall    default
   SSL Inspection              deep-inspection

6. Click OK to create the policy.

To configure security profiles on an explicit web proxy policy in the CLI:

    config firewall proxy-policy
        edit 1
            set proxy explicit-web
            set dstintf "port1"
            set srcaddr "all"
            set dstaddr "all"
            set service "webproxy"
            set action accept
            set schedule "always"
            set utm-status enable
            set av-profile "av"
            set webfilter-profile "urlfilter"
            set dlp-profile "dlp"
            set ips-sensor "sensor-1"
            set application-list "app"
            set icap-profile "default"
            set waf-profile "default"
            set ssl-ssh-profile "deep-inspection"
        next
    end

Transparent proxy

The security profiles supported by transparent proxy policies are:
• AntiVirus
• Web Filter
• Video Filter
• Application Control
• IPS
• DLP Profile
• ICAP
• Web Application Firewall
• File Filter
• SSL Inspection

To configure security profiles on a transparent proxy policy in the GUI:

1. Go to Policy & Objects > Proxy Policy.
2. Click Create New.
3. Set the following:

   Proxy Type            Transparent Web
   Incoming Interface    port2
   Outgoing Interface    port1
   Source                all
   Destination           all
   Schedule              always
   Service               webproxy
   Action                ACCEPT

4. In the Firewall / Network Options section, set Protocol Options to default.
5. In the Security Profiles section, make the following selections (for this example, these profiles have all already been created):

   AntiVirus                   av
   Web Filter                  urlfilter
   Application Control         app
   IPS                         Sensor-1
   DLP Profile                 dlp
   ICAP                        default
   Web Application Firewall    default
   SSL Inspection              deep-inspection

6. Click OK to create the policy.

To configure security profiles on a transparent proxy policy in the CLI:

    config firewall proxy-policy
        edit 2
            set proxy transparent-web
            set srcintf "port2"
            set dstintf "port1"
            set srcaddr "all"
            set dstaddr "all"
            set service "webproxy"
            set action accept
            set schedule "always"
            set utm-status enable
            set av-profile "av"
            set webfilter-profile "urlfilter"
            set dlp-profile "dlp"
            set ips-sensor "sensor-1"
            set application-list "app"
            set icap-profile "default"
            set waf-profile "default"
            set ssl-ssh-profile "certificate-inspection"
        next
    end

FTP proxy

The security profiles supported by FTP proxy policies are:
• AntiVirus
• Application Control
• IPS
• File Filter
• DLP Profile

To configure security profiles on an FTP proxy policy in the GUI:

1. Go to Policy & Objects > Proxy Policy.
2. Click Create New.
3. Set the following:

   Proxy Type            FTP
   Outgoing Interface    port1
   Source                all
   Destination           all
   Schedule              always
   Action                ACCEPT

4. In the Firewall / Network Options section, set Protocol Options to default.
5. In the Security Profiles section, make the following selections (for this example, these profiles have all already been created):

   AntiVirus              av
   Application Control    app
   IPS                    Sensor-1
   DLP Profile            dlp

6. Click OK to create the policy.

To configure security profiles on an FTP proxy policy in the CLI:

    config firewall proxy-policy
        edit 3
            set proxy ftp
            set dstintf "port1"
            set srcaddr "all"
            set dstaddr "all"
            set action accept
            set schedule "always"
            set utm-status enable
            set av-profile "av"
            set dlp-profile "dlp"
            set ips-sensor "sensor-1"
            set application-list "app"
        next
    end

Explicit proxy authentication

FortiGate supports multiple authentication methods. This topic explains using an external authentication server with Kerberos as the primary method and NTLM as the fallback.

To configure Explicit Proxy with authentication:

1. Enable and configure the explicit proxy on page 246.
2. Configure the authentication server and create user groups on page 246.
3. Create an authentication scheme and rules on page 248.
4. Create an explicit proxy policy and assign a user group to the policy on page 249.
5. Verify the configuration on page 250.

Enable and configure the explicit proxy

To enable and configure explicit web proxy in the GUI:

1. Go to Network > Explicit Proxy.
2. Enable Explicit Web Proxy.
3. Select port2 as the Listen on Interfaces and set the HTTP Port to 8080.
4. Configure the remaining settings as needed.
5. Click Apply.

To enable and configure explicit web proxy in the CLI:

    config web-proxy explicit
        set status enable
        set ftp-over-http enable
        set socks enable
        set http-incoming-port 8080
        set ipv6-status enable
        set unknown-http-version best-effort
    end
    config system interface
        edit "port2"
            set vdom "vdom1"
            set ip 10.1.100.1 255.255.255.0
            set allowaccess ping https ssh snmp http telnet
            set type physical
            set explicit-web-proxy enable
            set snmp-index 12
        next
    end

Configure the authentication server and create user groups

Since we are using an external authentication server with Kerberos authentication as the primary method and NTLM as the fallback, Kerberos authentication is configured first and then FSSO NTLM authentication is configured.

For successful authorization, the FortiGate checks whether the user belongs to one of the groups that is permitted in the security policy.

To configure an authentication server and create user groups in the GUI:

1. Configure Kerberos authentication:
   a. Go to User & Authentication > LDAP Servers.
   b. Click Create New.
   c. Set the following:

      Name                      ldap-kerberos
      Server IP                 172.18.62.220
      Server Port               389
      Common Name Identifier    cn
      Distinguished Name        dc=fortinetqa,dc=local

   d. Click OK.
2. Define Kerberos as an authentication service. This option is only available in the CLI. For information on generating a keytab, see Generating a keytab on a Windows server on page 251.
3. Configure FSSO NTLM authentication:
   FSSO NTLM authentication is supported in a Windows AD network. FSSO can also provide NTLM authentication service to the FortiGate unit. When a user makes a request that requires authentication, the FortiGate initiates NTLM negotiation with the client browser, but does not process the NTLM packets itself. Instead, it forwards all the NTLM packets to the FSSO service for processing.
   a. Go to Security Fabric > External Connectors.
   b. Click Create New and select FSSO Agent on Windows AD from the Endpoint/Identity category.
   c. Set the Name to FSSO, Primary FSSO Agent to 172.16.200.220, and enter a password.
   d. Click OK.
4. Create a user group for Kerberos authentication:
   a. Go to User & Authentication > User Groups.
   b. Click Create New.
   c. Set the Name to Ldap-Group, and Type to Firewall.
   d. In the Remote Groups table, click Add, and set the Remote Server to the previously created ldap-kerberos server.
   e. Click OK.
5. Create a user group for NTLM authentication:
   a. Go to User & Authentication > User Groups.
   b. Click Create New.
   c. Set the Name to NTLM-FSSO-Group, Type to Fortinet Single Sign-On (FSSO), and add FORTINETQA/FSSO as a member.
   d. Click OK.
To configure an authentication server and create user groups in the CLI:

1. Configure Kerberos authentication:

    config user ldap
        edit "ldap-kerberos"
            set server "172.18.62.220"
            set cnid "cn"
            set dn "dc=fortinetqa,dc=local"
            set type regular
            set username "CN=root,CN=Users,DC=fortinetqa,DC=local"
            set password *********
        next
    end

2. Define Kerberos as an authentication service:

    config user krb-keytab
        edit "http_service"
            set pac-data disable
            set principal "HTTP/[email protected]"
            set ldap-server "ldap-kerberos"
            set keytab
"BQIAAABFAAIAEEZPUlRJTkVUUUEuTE9DQUwABEhUVFAAFEZHVC5GT1JUSU5FVFFBLkxPQ0FMAAAAAQAAAAAEAAE
ACKLCMonpitnVAAAARQACABBGT1JUSU5FVFFBLkxPQ0FMAARIVFRQABRGR1QuRk9SVElORVRRQS5MT0NBTAAAAAE
AAAAABAADAAiiwjKJ6YrZ1QAAAE0AAgAQRk9SVElORVRRQS5MT0NBTAAESFRUUAAURkdULkZPUlRJTkVUUUEuTE9
DQUwAAAABAAAAAAQAFwAQUHo9uqR9cSkzyxdzKCEXdwAAAF0AAgAQRk9SVElORVRRQS5MT0NBTAAESFRUUAAURkd
ULkZPUlRJTkVUUUEuTE9DQUwAAAABAAAAAAQAEgAgzee854Aq1HhQiKJZvV4tL2Poy7hMIARQpK8MCB//BIAAAAB
NAAIAEEZPUlRJTkVUUUEuTE9DQUwABEhUVFAAFEZHVC5GT1JUSU5FVFFBLkxPQ0FMAAAAAQAAAAAEABEAEG49vHE
iiBghr63Z/lnwYrU="
        next
    end

   For information on generating a keytab, see Generating a keytab on a Windows server on page 251.

3. Configure FSSO NTLM authentication:

    config user fsso
        edit "1"
            set server "172.18.62.220"
            set password *********
        next
    end

4. Create a user group for Kerberos authentication:

    config user group
        edit "Ldap-Group"
            set member "ldap" "ldap-kerberos"
        next
    end

5. Create a user group for NTLM authentication:

    config user group
        edit "NTLM-FSSO-Group"
            set group-type fsso-service
            set member "FORTINETQA/FSSO"
        next
    end

Create an authentication scheme and rules

Explicit proxy authentication is managed by authentication schemes and rules. An authentication scheme must be created first, and then the authentication rule.

To create an authentication scheme and rules in the GUI:

1. Create an authentication scheme:
   a. Go to Policy & Objects > Authentication Rules.
   b. Click Create New > Authentication Schemes.
   c. Set the Name to Auth-scheme-Negotiate and select Negotiate as the Method.
   d. Click OK.
2. Create an authentication rule:
   a. Go to Policy & Objects > Authentication Rules.
   b. Click Create New > Authentication Rules.
   c. Set the Name to Auth-Rule, Source Address to all, and Protocol to HTTP.
   d. Enable Authentication Scheme, and select the just created Auth-scheme-Negotiate scheme.
   e. Click OK.

To create an authentication scheme and rules in the CLI:

1. Create an authentication scheme:

    config authentication scheme
        edit "Auth-scheme-Negotiate"
            set method negotiate    <<< Accepts both Kerberos and NTLM as fallback
        next
    end

2. Create an authentication rule:

    config authentication rule
        edit "Auth-Rule"
            set status enable
            set protocol http
            set srcaddr "all"
            set ip-based enable
            set active-auth-method "Auth-scheme-Negotiate"
            set comments "Testing"
        next
    end

Create an explicit proxy policy and assign a user group to the policy

To create an explicit proxy policy and assign a user group to it in the GUI:

1. Go to Policy & Objects > Proxy Policy.
2. Click Create New.
3. Set Proxy Type to Explicit Web and Outgoing Interface to port1.
4. Set Source to all, and add the just created user groups NTLM-FSSO-Group and Ldap-Group.
5. Also set Destination to all, Schedule to always, Service to webproxy, and Action to ACCEPT.
6. Click OK.

To create an explicit proxy policy and assign a user group to it in the CLI:

    config firewall proxy-policy
        edit 1
            set proxy explicit-web
            set dstintf "port1"
            set srcaddr "all"
            set dstaddr "all"
            set service "webproxy"
            set action accept
            set schedule "always"
            set logtraffic all
            set groups "NTLM-FSSO-Group" "Ldap-Group"
            set av-profile "av"
            set ssl-ssh-profile "deep-custom"
        next
    end

Verify the configuration

Log in using a domain and system that would be authenticated using the Kerberos server, then enter the diagnose wad user list CLI command to verify:

    # diagnose wad user list
    ID: 8, IP: 10.1.100.71, VDOM: vdom1
      user name : [email protected]
      duration : 389
      auth_type : IP
      auth_method : Negotiate
      pol_id : 1
      g_id : 1
      user_based : 0
      expire : no
      LAN:
        bytes_in=4862 bytes_out=11893
      WAN:
        bytes_in=7844 bytes_out=1023

Log in using a system that is not part of the domain. The NTLM fallback server should be used:

    # diagnose wad user list
    ID: 2, IP: 10.1.100.202, VDOM: vdom1
      user name : TEST31@FORTINETQA
      duration : 7
      auth_type : IP
      auth_method : NTLM
      pol_id : 1
      g_id : 5
      user_based : 0
      expire : no
      LAN:
        bytes_in=6156 bytes_out=16149
      WAN:
        bytes_in=7618 bytes_out=1917
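Reading the two listings by eye works for a lab; for more than a handful of sessions a parser is more reliable. The helper below is an added example, not part of the guide: it turns diagnose wad user list output into records and reports which sessions did not authenticate with the expected primary method. The sample output is constructed from the two sessions shown above, with placeholder user names.

```javascript
// Added example, not from the guide: parses "diagnose wad user list" output
// into records so each proxy session's authentication method can be checked
// programmatically. SAMPLE_WAD_USER_LIST is constructed from the guide's two
// sessions; the user names are placeholders.

const SAMPLE_WAD_USER_LIST = `
ID: 8, IP: 10.1.100.71, VDOM: vdom1
  user name : user1@EXAMPLE.LOCAL
  duration : 389
  auth_type : IP
  auth_method : Negotiate
  pol_id : 1
  g_id : 1
  user_based : 0
  expire : no
  LAN:
    bytes_in=4862 bytes_out=11893
  WAN:
    bytes_in=7844 bytes_out=1023
ID: 2, IP: 10.1.100.202, VDOM: vdom1
  user name : TEST31@EXAMPLE
  duration : 7
  auth_type : IP
  auth_method : NTLM
  pol_id : 1
  g_id : 5
  user_based : 0
  expire : no
  LAN:
    bytes_in=6156 bytes_out=16149
  WAN:
    bytes_in=7618 bytes_out=1917
`;

// Parse the listing into one object per "ID:" record. Field names with spaces
// ("user name") become snake_case keys; LAN/WAN byte counters are nested.
function parseWadUserList(text) {
  const users = [];
  let current = null;
  let section = null;
  for (const raw of text.split("\n")) {
    const line = raw.trim();
    if (line === "") continue;
    const head = line.match(/^ID:\s*(\d+),\s*IP:\s*(\S+),\s*VDOM:\s*(\S+)$/);
    if (head) {
      current = { id: Number(head[1]), ip: head[2], vdom: head[3], counters: {} };
      users.push(current);
      section = null;
      continue;
    }
    if (current === null) continue;           // text before the first record
    const sec = line.match(/^(LAN|WAN):$/);
    if (sec) { section = sec[1]; continue; }
    const bytes = line.match(/^bytes_in=(\d+)\s+bytes_out=(\d+)$/);
    if (bytes && section) {
      current.counters[section] = { bytes_in: Number(bytes[1]), bytes_out: Number(bytes[2]) };
      continue;
    }
    const kv = line.match(/^([A-Za-z_ ]+?)\s*:\s*(.*)$/);
    if (kv) current[kv[1].trim().replace(/\s+/g, "_")] = kv[2].trim();
  }
  return users;
}

// IDs of sessions whose auth_method is not the expected primary method
// (here Negotiate), i.e. sessions that fell back to NTLM or something else.
function sessionsNotUsing(users, expectedMethod) {
  return users.filter((u) => u.auth_method !== expectedMethod).map((u) => u.id);
}
```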


Generating a keytab on a Windows server

A keytab is used to allow services that are not running Windows to be configured with service instance accounts in the Active Directory Domain Service (AD DS). This allows Kerberos clients to authenticate to the service through Windows Key Distribution Centers (KDCs).

For an explanation of the process, see https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/ktpass.

To generate a keytab on a Windows server:

1. On the server, create a user for the FortiGate:
   • The service name is the FQDN for the explicit proxy interface, such as the hostname in the client browser proxy configuration. In this example, the service name is FGT.
   • The account only requires domain users membership.
   • The password must be very strong.
   • The password is set to never expire.
2. Add the FortiGate FQDN into the Windows DNS domain, as well as in-addr.arpa.
3. Generate the Kerberos keytab using the ktpass command, available on Windows servers and many domain workstations:

    # ktpass -princ HTTP/<domain name of test fgt>@realm -mapuser <user> -pass <password> -crypto all -ptype KRB5_NT_PRINCIPAL -out fgt.keytab

   For example:

    ktpass -princ HTTP/[email protected] -mapuser FGT -pass *********** -crypto all -ptype KRB5_NT_PRINCIPAL -out fgt.keytab

   If the FortiGate is handling multiple keytabs in Kerberos authentication, use different passwords when generating each keytab.

4. Encode the keytab to base64 in a text file:
   • On Windows: certutil -encode fgt.keytab tmp.b64 && findstr /v /c:- tmp.b64 > fgt.txt
   • On Linux: base64 fgt.keytab > fgt.txt
   • On MacOS: base64 -i fgt.keytab -o fgt.txt
5. Use the code in fgt.txt as the keytab parameter when configuring the FortiGate.

Transparent web proxy forwarding

In FortiOS, there is an option to enable proxy forwarding for transparent web proxy policies and regular firewall policies for HTTP and HTTPS.

In previous versions of FortiOS, you could forward proxy traffic to another proxy server (proxy chaining) only with explicit proxy. Now, you can forward web traffic to the upstream proxy without having to reconfigure your browsers or publish a proxy auto-configuration (PAC) file.

Once configured, the FortiGate forwards traffic generated by a client to the upstream proxy. The upstream proxy then forwards it to the server.

To configure proxy forwarding:

1. Configure the web proxy forwarding server:

    config web-proxy forward-server
        edit "upStream_proxy_1"
            set ip 172.16.200.20
            set healthcheck enable
            set monitor "http://www.google.ca"
        next
    end

2. Append the web proxy forwarding server to a firewall policy:

    config firewall policy
        edit 1
            set name "LAN To WAN"
            set srcintf "port10"
            set dstintf "port9"
            set srcaddr "all"
            set dstaddr "all"
            set action accept
            set schedule "always"
            set service "ALL"
            set utm-status enable
            set logtraffic all
            set webproxy-forward-server "upStream_proxy_1"
            set fsso disable
            set av-profile "av"
            set ssl-ssh-profile "deep-custom"
            set nat enable
        next
    end

Selectively forward web requests to a transparent web proxy

Web traffic over HTTP/HTTPS can be forwarded selectively by the FortiGate's transparent web proxy to an upstream
web proxy to avoid overwhelming the proxy server. Traffic can be selected by specifying the proxy address, which can
be based on a FortiGuard URL category.

The FortiGuard web filter service must be enabled on the downstream FortiGate.

Topology

Forwarding behavior

The forward server will be ignored if the proxy policy matching for a particular session needs the FortiGate to see
authentication information inside the HTTP (plain text) message. For example, assume that user authentication is
required and a forward server is configured in the transparent web proxy, and the authentication method is an active
method (such as basic). When the user or client sends the HTTP request over SSL with authentication information to the
FortiGate, the request cannot be forwarded to the upstream proxy. Instead, it will be forwarded directly to the original
web server (assuming deep inspection and http-policy-redirect are enabled in the firewall policy).
The FortiGate will close the session before the client request can be forwarded if all of the following conditions are met:
l The certificate inspection is configured in the firewall policy that has the http-policy-redirect option enabled.
l A previously authenticated IP-based user record cannot be found by the FortiGate's memory during the SSL
handshake.
l Proxy policy matching needs the FortiGate to see the HTTP request authentication information.
This means that in order to enable user authentication and use webproxy-forward-server in the transparent web
proxy policy at the same time, the following best practices should be followed:
l In the firewall policy that has the http-policy-redirect option enabled, set ssl-ssh-profile to use the
deep-inspection profile.
l Use IP-based authentication rules; otherwise, the webproxy-forward-server setting in the transparent web
proxy policy will be ignored.
l Use a passive authentication method such as FSSO. With FSSO, once the user is authenticated as a domain user
by a successful login, the web traffic from the user's client will always be forwarded to the upstream proxy as long as
the authenticated user remains unexpired. If the authentication method is an active authentication method (such as
basic, digest, NTLM, negotiate, form, and so on), the first session containing authentication information will bypass
the forward server, but the following sessions will be connected through the upstream proxy.

Sample configuration

On the downstream FortiGate proxy, there are two category proxy addresses used in two separate transparent web
proxy policies as the destination address:
l In the policy with upstream_proxy_1 as the forward server, the proxy address category_infotech is used to
match URLs in the information technology category.
l In the policy with upstream_proxy_2 as the forward server, the proxy address category_social is used to
match URLs in the social media category.

To configure forwarding requests to transparent web proxies:

1. Configure the proxy forward servers:


config web-proxy forward-server
edit "upStream_proxy_1"
set ip 172.16.200.20
next
edit "upStream_proxy_2"
set ip 172.16.200.46
next
end

2. Configure the web proxy addresses:


config firewall proxy-address
edit "category_infotech"
set type category
set host "all"
set category 52
next
edit "category_social"
set type category
set host "all"
set category 37
next
end

3. Configure the firewall policy:


config firewall policy
edit 1
set srcintf "port10"
set dstintf "port9"
set srcaddr "all"
set dstaddr "all"
set action accept
set schedule "always"
set service "ALL"
set utm-status enable
set inspection-mode proxy
set http-policy-redirect enable
set ssl-ssh-profile "deep-inspection"
set av-profile "av"
set nat enable
next
end

4. Configure the proxy policies:


config firewall proxy-policy
edit 1
set proxy transparent-web
set srcintf "port10"
set dstintf "port9"
set srcaddr "all"
set dstaddr "category_infotech"
set service "webproxy"
set action accept
set schedule "always"
set logtraffic all
set webproxy-forward-server "upStream_proxy_1"
set utm-status enable
set ssl-ssh-profile "deep-inspection"
set av-profile "av"
next
edit 2
set proxy transparent-web
set srcintf "port10"
set dstintf "port9"
set srcaddr "all"
set dstaddr "category_social"
set service "webproxy"
set action accept
set schedule "always"
set logtraffic all
set webproxy-forward-server "upStream_proxy_2"
set utm-status enable
set ssl-ssh-profile "deep-inspection"
set av-profile "av"
next
end

Upstream proxy authentication in transparent proxy mode

A downstream proxy FortiGate that needs to be authenticated by the upstream web proxy can use the basic
authentication method to send its username and password, in the base64 format, to the upstream web proxy for
authentication. If the authentication succeeds, web traffic that is forwarded from the downstream proxy FortiGate to the
upstream proxy can be accepted and forwarded to its destinations.
In this example, a school has a FortiGate acting as a downstream proxy that is configured with firewall policies for each
user group (students and staff). In each policy, a forwarding server is configured to forward the web traffic to the
upstream web proxy.
The username and password that the upstream web proxy uses to authenticate the downstream proxy are configured on
the forwarding server, and are sent to the upstream web proxy with the forwarded HTTP requests.

Upstream web proxy          Username    Password

student.proxy.local:8080    students    ABC123

staff.proxy.local:8081      staff       123456

On the downstream FortiGate, configure forwarding servers with the usernames and passwords for authentication on
the upstream web proxy, then apply those servers to firewall policies for transparent proxy. For explicit web proxy, the
forwarding servers can be applied to proxy policies.
When the transparent proxy is configured, clients can access websites without configuring a web proxy in their browser.
The downstream proxy sends the username and password to the upstream proxy with forwarded HTTP requests to be
authenticated.

To configure the forwarding server on the downstream FortiGate:

config web-proxy forward-server
edit "Student_Upstream_WebProxy"
set addr-type fqdn
set fqdn "student.proxy.local"
set port 8080
set username "student"
set password ABC123
next
edit "Staff_Upstream_WebProxy"
set addr-type fqdn
set fqdn "staff.proxy.local"
set port 8081
set username "staff"
set password 123456
next
end

To configure firewall policies for transparent proxy:

config firewall policy
edit 1
set srcintf "Vlan_Student"
set dstintf "port9"
set srcaddr "Student_Subnet"
set dstaddr "all"
set action accept
set schedule "always"
set service "ALL"
set utm-status enable
set inspection-mode proxy
set ssl-ssh-profile "deep-inspection"
set av-profile "av"
set webproxy-forward-server "Student_Upstream_WebProxy"
set nat enable
next
edit 2
set srcintf "Vlan_Staff"
set dstintf "port9"
set srcaddr "Staff_Subnet"
set dstaddr "all"
set action accept
set schedule "always"
set service "ALL"
set utm-status enable
set inspection-mode proxy
set ssl-ssh-profile "deep-inspection"
set av-profile "av"
set webproxy-forward-server "Staff_Upstream_WebProxy"
set nat enable
next
end

Multiple dynamic header count

Multiple dynamic headers are supported for web proxy profiles, as well as Base64 encoding and the append/new
options.
Administrators only have to select the dynamic header in the profile. The FortiGate will automatically display the
corresponding static value. For example, if the administrator selects the $client-ip header, the FortiGate will display
the actual client IP address.
The supported headers are:

$client-ip Client IP address
$user Authentication user name
$domain User domain name
$local_grp Firewall group name
$remote_grp Group name from authentication server
$proxy_name Proxy realm name

To configure dynamic headers using the CLI:

Since authentication is required, FSSO NTLM authentication is configured in this example.


1. Configure LDAP:
config user ldap
edit "ldap-kerberos"
set server "172.18.62.220"
set cnid "cn"
set dn "dc=fortinetqa,dc=local"
set type regular
set username "CN=root,CN=Users,DC=fortinetqa,DC=local"
set password *********
next
end

2. Configure FSSO:
config user fsso
edit "1"
set server "172.18.62.220"
set password *********
next
end

3. Configure a user group:
config user group
edit "NTLM-FSSO"
set group-type fsso-service
set member "FORTINETQA/FSSO"
next
end

4. Configure an authentication scheme:


config authentication scheme
edit "au-sch-ntlm"
set method ntlm
next
end

5. Configure an authentication rule:


config authentication rule
edit "au-rule-fsso"
set srcaddr "all"
set active-auth-method "au-sch-ntlm"
next
end

6. Create a web proxy profile that adds a new dynamic and custom Via header:
config web-proxy profile
edit "test"
set log-header-change enable
config headers
edit 1
set name "client-ip"
set content "$client-ip"
next
edit 2
set name "Proxy-Name"
set content "$proxy_name"
next
edit 3
set name "user"
set content "$user"
next
edit 4
set name "domain"
set content "$domain"
next
edit 5
set name "local_grp"
set content "$local_grp"
next
edit 6
set name "remote_grp"
set content "$remote_grp"
next
edit 7
set name "Via"
set content "Fortigate-Proxy"
next
end
next
end

7. In the proxy policy, append the web proxy profile created in the previous step:
config firewall proxy-policy
edit 1
set proxy explicit-web
set dstintf "port1"
set srcaddr "all"
set dstaddr "all"
set service "web"
set action accept
set schedule "always"
set logtraffic all
set groups "NTLM-FSSO"
set webproxy-profile "test"
set utm-status enable
set av-profile "av"
set webfilter-profile "content"
set ssl-ssh-profile "deep-custom"
next
end

8. Once traffic is being generated from the client, look at the web filter logs to verify that it is working.
The corresponding values for all the added header fields are shown in the Web Filter card at Log & Report >
Security Events, in the Change headers section at the bottom of the Log Details pane.
1: date=2019-02-07 time=13:57:24 logid="0344013632" type="utm" subtype="webfilter"
eventtype="http_header_change" level="notice" vd="vdom1" eventtime=1549576642 policyid=1
transid=50331689 sessionid=1712788383 user="TEST21@FORTINETQA" group="NTLM-FSSO"
profile="test" srcip=10.1.100.116 srcport=53278 dstip=172.16.200.46 dstport=80
srcintf="port2" srcintfrole="undefined" dstintf="port1" dstintfrole="undefined" proto=6
service="HTTP" url="http://172.16.200.46/" agent="curl/7.22.0" chgheaders="Added=client-
ip: 10.1.100.116|Proxy-Name: 1.1 100D.qa|user: TEST21|domain: FORTINETQA|local_grp:
NTLM-FSSO|remote_grp: FORTINETQA/FSSO|Via: Fortigate-Proxy"
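The log entry above can be checked mechanically. The added example below (not code from the FortiOS guide) parses the FortiOS key=value log format and the chgheaders field, then confirms that each dynamic header resolved to the value the log itself records for the session (srcip, user, group); the header names are the ones set in the profile in step 6, the sample log line is a constructed copy of the entry shown in step 8, and the fsso_member parameter is an assumption used to check $remote_grp against the FSSO group member name.

```python
"""Check FortiGate http_header_change log entries against the dynamic headers they
report. Added example, not code from the FortiOS guide."""
import re

# Constructed sample: the web filter log entry from step 8, as a single line.
SAMPLE_LOG = (
    'date=2019-02-07 time=13:57:24 logid="0344013632" type="utm" subtype="webfilter" '
    'eventtype="http_header_change" level="notice" vd="vdom1" eventtime=1549576642 '
    'policyid=1 transid=50331689 sessionid=1712788383 user="TEST21@FORTINETQA" '
    'group="NTLM-FSSO" profile="test" srcip=10.1.100.116 srcport=53278 '
    'dstip=172.16.200.46 dstport=80 srcintf="port2" srcintfrole="undefined" '
    'dstintf="port1" dstintfrole="undefined" proto=6 service="HTTP" '
    'url="http://172.16.200.46/" agent="curl/7.22.0" '
    'chgheaders="Added=client-ip: 10.1.100.116|Proxy-Name: 1.1 100D.qa|user: TEST21|'
    'domain: FORTINETQA|local_grp: NTLM-FSSO|remote_grp: FORTINETQA/FSSO|Via: Fortigate-Proxy"'
)

# key=value pairs; quoted values may contain spaces, '=' and '|'.
_KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_log(line):
    """Split one FortiOS log line into a dict of field -> value (quotes removed)."""
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in _KV.finditer(line)}


def parse_chgheaders(field):
    """Turn 'Added=name: value|name: value|...' into {name: value}."""
    headers = {}
    for part in field.split("|"):
        if part.startswith("Added="):
            part = part[len("Added="):]
        name, sep, value = part.partition(": ")
        if sep:
            headers[name] = value
    return headers


def verify_dynamic_headers(entry, fsso_member=None):
    """Compare each inserted dynamic header with the session value it should mirror.

    $client-ip -> srcip, $user/$domain -> the user field split at '@',
    $local_grp -> group; $remote_grp is checked against the FSSO group member
    name only when the caller supplies it (assumption: 'FORTINETQA/FSSO' here).
    Returns {header: (expected, actual, ok)}.
    """
    added = parse_chgheaders(entry.get("chgheaders", ""))
    user, _, domain = entry.get("user", "").partition("@")
    expected = {
        "client-ip": entry.get("srcip"),
        "user": user,
        "domain": domain,
        "local_grp": entry.get("group"),
    }
    if fsso_member is not None:
        expected["remote_grp"] = fsso_member
    return {name: (want, added.get(name), added.get(name) == want)
            for name, want in expected.items()}


def headers_consistent(line, fsso_member=None):
    """True when the entry carries chgheaders and every dynamic header matches."""
    entry = parse_log(line)
    if "chgheaders" not in entry:
        return False
    return all(ok for _, _, ok in verify_dynamic_headers(entry, fsso_member).values())


if __name__ == "__main__":
    checks = verify_dynamic_headers(parse_log(SAMPLE_LOG), fsso_member="FORTINETQA/FSSO")
    for name, (want, got, ok) in checks.items():
        print(f"{'OK ' if ok else 'BAD'} {name}: expected {want!r}, logged {got!r}")
```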

Restricted SaaS access

Large organizations may want to restrict SaaS access to resources like Microsoft Office 365, Google Workspace, and
Dropbox by tenant to block non-company login attempts and secure the users from accessing non-approved cloud
resources. Many cloud vendors enable this by applying tenant restrictions for access control. For example, users
accessing Microsoft 365 applications with tenant restrictions through the corporate proxy will only be allowed to log in as
the company’s tenant and access the organization’s applications.
To implement this, access requests from the clients pass through the company's web proxy, which inserts headers to
notify the SaaS service to apply tenant restrictions with the permitted tenant list. Users are redirected to the SaaS service
login page, and are only allowed to log in if they belong to the permitted tenant list.
For more information, refer to the vendor-specific documentation:
l Office 365: Restrict access to a tenant
l Google Workspace: Block access to consumer accounts
l Dropbox: Network control

Basic configuration

A web proxy profile can specify access permissions for Microsoft Office 365, Google Workspace, and Dropbox by
inserting vendor-defined headers that restrict access to the specific accounts. Custom headers can also be inserted for
any destination. The web proxy profile can then be applied to a firewall policy to control the header's insertion.

To implement Office 365 tenant restriction, Google Workspace account access control, and Dropbox
network access control:

1. Configure a web proxy profile according to the vendors' specifications:


a. Set the header name (defined by the service provider).
b. Set the traffic destination (the service provider).
c. Set the HTTP header content to be inserted into the traffic (defined by your settings).
config web-proxy profile
edit <name>
config headers
edit <id>
set name <string>
set dstaddr <address>
set action add-to-request
set base64-encoding disable
set add-option new
set protocol https http
set content <string>
next
end
next
end

2. Apply the web proxy profile to a policy. SSL deep inspection must be used in the firewall policy.

The following table lists the vendor-specific config headers settings that must be configured in the web proxy profile
(config web-proxy profile):

Setting            Microsoft Office 365               Google Workspace              Dropbox

name <string>      l Restrict-Access-To-Tenants       l X-GoogApps-Allowed-Domains  l X-Dropbox-allowed-Team-Ids
                   l Restrict-Access-Context

dstaddr <address>  l Use the built-in Microsoft       l Use the built-in G Suite    l Use the built-in
                     Office 365 address.                address.                      wildcard.dropbox.com address.

content <string>   l Enter the domain for             l Enter the domain.           l Enter the Dropbox team ID.
                     Restrict-Access-To-Tenants.
                   l Enter the directory ID for
                     Restrict-Access-Context.

Due to vendors' changing requirements, these settings may no longer comply with the vendors' official guidelines. See
the vendor documentation for more details.

Microsoft Office 365 example

In this example, a web proxy profile is created to control permissions for Microsoft Office 365 to allow corporate domains
and deny personal accounts, such as Hotmail and Outlook, that are accessed through login.live.com.

1. When a user attempts to access login.microsoftonline.com, login.microsoft.com, or login.windows.net, the traffic will
match a proxy inspection mode firewall policy with the assigned web proxy profile.
2. The web proxy profile adds new headers to the customer tenant, indicating the allowed domain and restricted
access for personal accounts. Next, the FortiGate starts a new connection with the Microsoft Office 365 domain
controller including the new headers.
3. The Microsoft Office 365 domain controller assesses this data and will allow or deny this access, then sends a reply
to the FortiGate.
4. The FortiGate sends a reply to the client.
The FortiGate will only indicate the correct domains to be allowed or denied through the headers to Microsoft. The
custom sign-in portal in the browser is generated by Microsoft.

Configuration summary

The following must be configured in FortiOS:


l An FQDN address for login.live.com
l An SSL inspection profile that uses deep inspection with an exemption for login.live.com

Ensure that the firewall certificate is installed on the client machines. A company certificate
signed by an internal CA is recommended.

l A web filter profile in proxy mode with static URL filters for the SNI URLs
l A web proxy profile that adds new headers to the customer tenant

l A firewall policy using proxy mode inspection that applies the configured SSL inspection, web filter, and web
proxy profiles
The Restrict-Access-To-Tenants and Restrict-Access-Context headers are inserted for incoming requests
to: login.microsoftonline.com, login.microsoft.com, and login.windows.net, which are part of the Microsoft Office
365 address group.
To restrict access to personal accounts using the login.live.com domain, the sec-Restrict-Tenant-Access-
Policy header is inserted and uses restrict-msa as the header content.
Before configuring the FortiGate, collect the information related to the company domain in the Office 365 contract.
l Restrict-Access-To-Tenants: your <domain.com>
l Restrict-Access-Context: Directory ID

To find the Directory ID related to the domain, locate it in the Azure portal, or use the
whatismytenantid.com open tool.

To configure the FortiGate:

1. Add the FQDN address for login.live.com:


config firewall address
edit "login.live.com"
set type fqdn
set fqdn "login.live.com"
next
end

2. Configure the SSL inspection profile. In this example, the deep-inspection profile is cloned, and the live.com
FQDN is removed from the exemption list.
a. Clone the deep-inspection profile:
config firewall ssl-ssh-profile
clone "deep-inspection" to "Tenant"
end

b. Edit the Tenant profile and remove live.com from the config ssl-exempt list.
3. Configure the URL filter list:
config webfilter urlfilter
edit 1
set name "Auto-webfilter-urlfilter"
config entries
edit 1
set url "login.microsoftonline.com"
set action allow
next
edit 2
set url "login.microsoft.com"
set action allow
next
edit 3
set url "login.windows.net"
set action allow
next
edit 4
set url "login.live.com"
set action allow
next
end
next
end

4. Configure the web filter profile:


config webfilter profile
edit "Tenant"
set comment "Office 365"
set feature-set proxy
config web
set urlfilter-table 1
end
next
end

5. Configure the web proxy profile (enter the header names exactly as shown):
config web-proxy profile
edit "SaaS-Tenant-Restriction"
set header-client-ip pass
set header-via-request pass
set header-via-response pass
set header-x-forwarded-for pass
set header-x-forwarded-client-cert pass
set header-front-end-https pass
set header-x-authenticated-user pass
set header-x-authenticated-groups pass
set strip-encoding disable
set log-header-change disable
config headers
edit 1
set name "Restrict-Access-To-Tenants"
set dstaddr "login.microsoft.com" "login.microsoftonline.com"
"login.windows.net"
set action add-to-request
set base64-encoding disable
set add-option new
set protocol https http
set content <domain>
next
edit 2
set name "Restrict-Access-Context"
set dstaddr "login.microsoftonline.com" "login.microsoft.com"
"login.windows.net"
set action add-to-request
set base64-encoding disable
set add-option new
set protocol https http
set content <directory_ID>
next
edit 3
set name "sec-Restrict-Tenant-Access-Policy"
set dstaddr "login.live.com"
set action add-to-request
set base64-encoding disable
set add-option new
set protocol https http
set content "restrict-msa"
next
end
next
end

6. Configure the firewall policy:


config firewall policy
edit 10
set name "Tenant"
set srcintf "port2"
set dstintf "port1"
set action accept
set srcaddr "users-lan"
set dstaddr "login.microsoft.com" "login.microsoftonline.com"
"login.windows.net" "login.live.com"
set schedule "always"
set service "HTTP" "HTTPS"
set utm-status enable
set inspection-mode proxy
set webproxy-profile "SaaS-Tenant-Restriction"
set ssl-ssh-profile "Tenant"
set webfilter-profile "Tenant"
set logtraffic all
set nat enable
next
end

Testing the access

To test the access to corporate domains and personal accounts:

1. Get a client to log in with their corporate email using the login.microsoftonline.com domain.

2. The client is able to enter their credentials and log in successfully.

3. Get a client to log in to their personal Outlook account.

4. After the client enters their credentials, a message appears that they cannot access this resource because it is
restricted by the cross-tenant access policy.

Verifying the header insertion

To verify the header insertion for corporate domains and personal accounts:

1. On the FortiGate, start running the WAD debugs:


# diagnose wad debug enable category http
# diagnose wad debug enable level info
# diagnose debug enable

2. After a client attempts to access corporate domains, verify that the header information is sent to the Microsoft Active
Directory:
[I][p:234][s:2481][r:33] wad_dump_fwd_http_req :2567 hreq=0x7fc75f0cd468
Forward request to server:
POST /common/GetCredentialType?mkt=en-US HTTP/1.1
Host: login.microsoftonline.com
Connection: keep-alive
Content-Length: 1961
sec-ch-ua: " Not A;Brand";v="99", "Chromium";v="101", "Google Chrome";v="101"
hpgrequestid: d7f706a8-1143-4cdd-ad52-1cc69dc7bb00
sec-ch-ua-mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like
Gecko) Chrome/101.0.4951.54 Safari/537.36
client-request-id: 5c3d196d-5939-45cc-a45b-232b9ed13fce
...
Restrict-Access-To-Tenants: fortinet-us.com
Restrict-Access-Context: ********-****-452f-8535-************

3. After a client attempts to access a personal account, verify that the header information is sent to the Microsoft Active
Directory:
[I][p:234][s:2519][r:34] wad_dump_fwd_http_req :2567 hreq=0x7fc75f0ce6a8
Forward request to server:
GET /oauth20_authorize.srf?client_id=4765445b-32c6-49b0-83e6-
1d93765276ca&scope=openid+profile+https%3a%2f%2ffanyv88.com%3a443%2fhttps%2fwww.office.com%2fv2%2fOfficeHome.All&red
irect_uri=https%3a%2f%2ffanyv88.com%3a443%2fhttps%2fwww.office.com%2flandingv2&response_type=code+id_
token&state=7tAtndYhcA3132S--UOTyLVEtyIZs8FgndTpeYM9mJ1EeA-
X5nfqrSalnnPH41cHxfHGug6N5cbliK676v6xZgszgH_
JARVKrptZwBvjI2cbnZ4mttYNNdK1FTlbEtu5VBjgtBOX2u6v3F_
9g7UikCpGTnBRGhvO2pyTndT3EEIyAHvhg9LsKRtY3kxce8dQkfk1iDjLcc3q-01r4rpxSx2xZSbwg_
KkAN3kCRQ9uLfE0ziHAcpvunuKmzGBWKnBhC4sJJkXrMEfXwCg4nsOjg&response_mode=form_
post&nonce=637877163655610380.MjNjZmM4NzQtOTU5My00OGZlLTk0NTItZTE5NDU2YjVlODdjNjViOTQwYm
UtOTZlMS00M2Y5LTkyN2MtN2QyMjgwNjcxY2Uz&x-client-SKU=ID_NETSTANDARD2_0&x-client-
Ver=6.12.1.0&uaid=5c3d196d593945cca45b232b9ed13fce&msproxy=1&issuer=mso&tenant=common&u
i_locales=en-US&epct=AQABAAAAAAD--DLA3VO7QrddgJg7WevrfA6SLaDsJUcjb1Bg9OKonF3d_
lfNJsdDAIH5hlJdUSGejEBIqsko-A7JX67PzaGdEJgOIGa37VhJzGTYBZ-KgATe9FHssnNmLjM_
dojr0dAT83xDhiqQTN2-UcYdcP2s3vPainF7Nqes5ecXRaEoE9Vw9-
sN7jfASOkPRWW03aI6buz0niABvA860YOWDb98vdJWPGkWE-euDr6n8_
zI5iAA&jshs=0&username=****************%40outlook.com&login_
hint=***************%40outlook.com HTTP/1.1
Host: login.live.com
Connection: keep-alive
...
Referer: https://login.microsoftonline.com/
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9
sec-Restrict-Tenant-Access-Policy: restrict-msa
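The WAD dumps above can be checked against the profile rather than read by eye. The added example below (not part of the FortiOS guide) models the config headers entries of the SaaS-Tenant-Restriction profile as name, dstaddr FQDNs and content, parses each "Forward request to server:" block, and reports headers that are missing or wrong for the request's Host as well as tenant headers that appear on a Host the profile does not target; the dump text and the values standing in for <domain> and <directory_ID> are constructed.

```python
"""Check 'diagnose wad debug' forwarded-request dumps against the header entries of a
web proxy profile. Added example, not code from the FortiOS guide."""

# The 'config headers' entries of the guide's SaaS-Tenant-Restriction profile as
# (name, dstaddr FQDNs, content). The <domain> and <directory_ID> values are constructed.
MS_LOGIN = {"login.microsoft.com", "login.microsoftonline.com", "login.windows.net"}
PROFILE_HEADERS = [
    ("Restrict-Access-To-Tenants", MS_LOGIN, "example.com"),
    ("Restrict-Access-Context", MS_LOGIN, "00000000-0000-0000-0000-000000000000"),
    ("sec-Restrict-Tenant-Access-Policy", {"login.live.com"}, "restrict-msa"),
]

# Constructed WAD output: two forwarded requests with the same shape as the guide's
# dumps, with the long OAuth query string and identifiers shortened.
SAMPLE_WAD = """\
[I][p:234][s:2481][r:33] wad_dump_fwd_http_req :2567 hreq=0x7fc75f0cd468
Forward request to server:
POST /common/GetCredentialType?mkt=en-US HTTP/1.1
Host: login.microsoftonline.com
Connection: keep-alive
Content-Length: 1961
...
Restrict-Access-To-Tenants: example.com
Restrict-Access-Context: 00000000-0000-0000-0000-000000000000

[I][p:234][s:2519][r:34] wad_dump_fwd_http_req :2567 hreq=0x7fc75f0ce6a8
Forward request to server:
GET /oauth20_authorize.srf?client_id=<redacted>&response_mode=form_post HTTP/1.1
Host: login.live.com
Connection: keep-alive
Referer: https://login.microsoftonline.com/
sec-Restrict-Tenant-Access-Policy: restrict-msa
"""


def expected_headers(profile, host):
    """Headers the profile adds for a request whose Host matches one of its dstaddr FQDNs."""
    host = host.lower().split(":")[0]          # drop an explicit port, if any
    return {name: content for name, fqdns, content in profile if host in fqdns}


def parse_wad_forward_dumps(text):
    """Extract each 'Forward request to server:' block as
    {"request_line": ..., "headers": {lowercase name: value}}."""
    requests, current = [], None
    for raw in text.splitlines():
        line = raw.rstrip()
        if line == "Forward request to server:":
            current = {"request_line": None, "headers": {}}
            requests.append(current)
            continue
        if current is None:
            continue
        if not line or line.startswith("["):   # blank line or next debug line ends the block
            current = None
            continue
        if current["request_line"] is None:
            current["request_line"] = line
            continue
        name, sep, value = line.partition(":")
        if sep:                                 # skips the '...' elision line
            current["headers"][name.strip().lower()] = value.strip()
    return requests


def verify_request(profile, req):
    """Return (host, problems): expected headers that are missing or wrong, and tenant
    headers present on a Host the profile does not target, as {name: (expected, actual)}."""
    headers = req["headers"]
    host = headers.get("host", "")
    wanted = expected_headers(profile, host)
    problems = {}
    for name, content in wanted.items():
        if headers.get(name.lower()) != content:
            problems[name] = (content, headers.get(name.lower()))
    for name, _, _ in profile:
        if name not in wanted and name.lower() in headers:
            problems[name] = (None, headers[name.lower()])
    return host, problems


def verify_dump(profile, text):
    """Check every forwarded request in a WAD dump; returns [(host, problems), ...]."""
    return [verify_request(profile, r) for r in parse_wad_forward_dumps(text)]


if __name__ == "__main__":
    for host, problems in verify_dump(PROFILE_HEADERS, SAMPLE_WAD):
        print(host, "OK" if not problems else problems)
```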

Explicit proxy and FortiSandbox Cloud

Explicit proxy connections can leverage FortiSandbox Cloud for advanced threat scanning and updates. This allows
FortiGates behind isolated networks to connect to FortiCloud services.

To configure FortiGuard services to communicate with an explicit proxy server:

config system fortiguard
set proxy-server-ip 172.16.200.44
set proxy-server-port 3128
set proxy-username "test1"
set proxy-password *********
end

To verify the explicit proxy connection to FortiSandbox Cloud:

# diagnose debug application forticldd -1
Debug messages will be on for 30 minutes.
# diagnose debug enable
[2942] fds_handle_request: Received cmd 23 from pid-2526, len 0
[40] fds_queue_task: req-23 is added to Cloud-sandbox-controller
[178] fds_svr_default_task_xmit: try to get IPs for Cloud-sandbox-controller
[239] fds_resolv_addr: resolve aptctrl1.fortinet.com
[169] fds_get_addr: name=aptctrl1.fortinet.com, id=32, cb=0x2bc089
[101] dns_parse_resp: DNS aptctrl1.fortinet.com -> 172.16.102.21
[227] fds_resolv_cb: IP-1: 172.16.102.21
[665] fds_ctx_set_addr: server: 172.16.102.21:443
[129] fds_svr_default_pickup_server: Cloud-sandbox-controller: 172.16.102.21:443
[587] fds_https_start_server: server: 172.16.102.21:443
[579] ssl_new: SSL object is created
[117] https_create: proxy server 172.16.200.44 port:3128
[519] fds_https_connect: https_connect(172.16.102.21) is established.
[261] fds_svr_default_on_established: Cloud-sandbox-controller has connected to
ip=172.16.102.21
[268] fds_svr_default_on_established: server-Cloud-sandbox-controller handles cmd-23
[102] fds_pack_objects: number of objects: 1
[75] fds_print_msg: FCPC: len=109
[81] fds_print_msg: Protocol=2.0
[81] fds_print_msg: Command=RegionList
[81] fds_print_msg: Firmware=FG101E-FW-6.02-0917
[81] fds_print_msg: SerialNumber=FG101E4Q17002429
[81] fds_print_msg: TimeZone=-7
[75] fds_print_msg: http req: len=248
[81] fds_print_msg: POST https://172.16.102.21:443/FCPService HTTP/1.1
[81] fds_print_msg: User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
[81] fds_print_msg: Host: 172.16.102.21:443
[81] fds_print_msg: Cache-Control: no-cache
[81] fds_print_msg: Connection: close
[81] fds_print_msg: Content-Type: application/octet-stream
[81] fds_print_msg: Content-Length: 301
[524] fds_https_connect: http request to 172.16.102.21: header=248, ext=301.
[257] fds_https_send: sent 248 bytes: pos=0, len=248
[265] fds_https_send: 172.16.102.21: sent 248 byte header, now send 301-byte body
[257] fds_https_send: sent 301 bytes: pos=0, len=301
[273] fds_https_send: sent the entire request to server: 172.16.102.21:443
[309] fds_https_recv: read 413 bytes: pos=413, buf_len=2048
[332] fds_https_recv: received the header from server: 172.16.102.21:443, [HTTP/1.1 200
Content-Type: application/octet-stream
Content-Length: 279
Date: Thu, 20 Jun 2019 16:41:11 GMT
Connection: close]
[396] fds_https_recv: Do memmove buf_len=279, pos=279
[406] fds_https_recv: server: 172.16.102.21:443, buf_len=279, pos=279
[453] fds_https_recv: received a packet from server-172.16.102.21:443: sz=279, objs=1
[194] __ssl_data_ctx_free: Done
[839] ssl_free: Done
[830] ssl_disconnect: Shutdown
[481] fds_https_recv: obj-0: type=FCPR, len=87
[294] fds_svr_default_on_response: server-Cloud-sandbox-controller handles cmd-23
[75] fds_print_msg: fcpr: len=83
[81] fds_print_msg: Protocol=2.0
[81] fds_print_msg: Response=202
[81] fds_print_msg: ResponseItem=Region:Europe,Global,Japan,US
[81] fds_print_msg: existing:Japan
[3220] aptctrl_region_res: Got rsp: Region:Europe,Global,Japan,US
[3222] aptctrl_region_res: Got rsp: Region existing:Japan
[439] fds_send_reply: Sending 28 bytes data.
[395] fds_free_tsk: cmd=23; req.noreply=1
# [136] fds_on_sys_fds_change: trace
[2942] fds_handle_request: Received cmd 22 from pid-170, len 0
[40] fds_queue_task: req-22 is added to Cloud-sandbox-controller
[587] fds_https_start_server: server: 172.16.102.21:443
[579] ssl_new: SSL object is created
[117] https_create: proxy server 172.16.200.44 port:3128
[519] fds_https_connect: https_connect(172.16.102.21) is established.
[261] fds_svr_default_on_established: Cloud-sandbox-controller has connected to
ip=172.16.102.21
[268] fds_svr_default_on_established: server-Cloud-sandbox-controller handles cmd-22
[102] fds_pack_objects: number of objects: 1
[75] fds_print_msg: FCPC: len=146
[81] fds_print_msg: Protocol=2.0
[81] fds_print_msg: Command=UpdateAPT
[81] fds_print_msg: Firmware=FG101E-FW-6.02-0917
[81] fds_print_msg: SerialNumber=FG101E4Q17002429
[81] fds_print_msg: TimeZone=-7
[81] fds_print_msg: TimeZoneInMin=-420
[81] fds_print_msg: DataItem=Region:US
[75] fds_print_msg: http req: len=248
[81] fds_print_msg: POST https://172.16.102.21:443/FCPService HTTP/1.1
[81] fds_print_msg: User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
[81] fds_print_msg: Host: 172.16.102.21:443
[81] fds_print_msg: Cache-Control: no-cache
[81] fds_print_msg: Connection: close
[81] fds_print_msg: Content-Type: application/octet-stream
[81] fds_print_msg: Content-Length: 338
[524] fds_https_connect: http request to 172.16.102.21: header=248, ext=338.
[257] fds_https_send: sent 248 bytes: pos=0, len=248
[265] fds_https_send: 172.16.102.21: sent 248 byte header, now send 338-byte body
[257] fds_https_send: sent 338 bytes: pos=0, len=338
[273] fds_https_send: sent the entire request to server: 172.16.102.21:443
[309] fds_https_recv: read 456 bytes: pos=456, buf_len=2048
[332] fds_https_recv: received the header from server: 172.16.102.21:443, [HTTP/1.1 200
Content-Type: application/octet-stream
Content-Length: 322
Date: Thu, 20 Jun 2019 16:41:16 GMT
Connection: close]
[396] fds_https_recv: Do memmove buf_len=322, pos=322
[406] fds_https_recv: server: 172.16.102.21:443, buf_len=322, pos=322
[453] fds_https_recv: received a packet from server-172.16.102.21:443: sz=322, objs=1
[194] __ssl_data_ctx_free: Done
[839] ssl_free: Done
[830] ssl_disconnect: Shutdown
[481] fds_https_recv: obj-0: type=FCPR, len=130
[294] fds_svr_default_on_response: server-Cloud-sandbox-controller handles cmd-22
[75] fds_print_msg: fcpr: len=126
[81] fds_print_msg: Protocol=2.0
[81] fds_print_msg: Response=202
[81] fds_print_msg: ResponseItem=Server1:172.16.102.51:514
[81] fds_print_msg: Server2:172.16.102.52:514
[81] fds_print_msg: Contract:20210215
[81] fds_print_msg: NextRequest:86400
[615] parse_apt_contract_time_str: The APTContract is valid to Mon Feb 15 23:59:59 2021
[616] parse_apt_contract_time_str: FGT current local time is Thu Jun 20 09:41:16 2019
[3289] aptctrl_update_res: Got rsp: APT=172.16.102.51:514 APTAlter=172.16.102.52:514 next-
upd=86400
[395] fds_free_tsk: cmd=22; req.noreply=1

Proxy chaining

For the explicit web proxy you can configure web proxy forwarding servers to use proxy chaining to redirect web proxy
sessions to other proxy servers. Proxy chaining can be used to forward web proxy sessions from the FortiGate unit to
one or more other proxy servers on your network or on a remote network. You can use proxy chaining to integrate the
FortiGate explicit web proxy with a web proxy solution that you already have in place.
A FortiGate unit can forward sessions to most web proxy servers including a remote FortiGate unit with the explicit web
proxy enabled. No special configuration of the explicit web proxy on the remote FortiGate unit is required.
You can deploy the explicit web proxy with proxy chaining in an enterprise environment consisting of small satellite
offices and a main office. If each office has a FortiGate unit, users at each of the satellite offices can use their local
FortiGate unit as an explicit web proxy server. The satellite office FortiGate units can forward explicit web proxy sessions
to an explicit web proxy server at the central office. From here the sessions can connect to web servers on the Internet.
FortiGate proxy chaining does not support web proxies in the proxy chain authenticating each other.
The following examples assume explicit web proxy has been enabled.

To enable explicit web proxy in the GUI:

1. Go to System > Feature Visibility.
2. In the Security Features column, enable Explicit Proxy.
3. Configure the explicit web proxy settings. See Explicit web proxy on page 226.

To add a web proxy forwarding server in the GUI:

1. Go to Network > Explicit Proxy. The Explicit Proxy page opens.
2. In the Web Proxy Forwarding Servers section, click Create New.
3. Configure the server settings:

Name Enter the name of the forwarding server.

Proxy Address Type Select the type of IP address of the forwarding server. A forwarding server can
have an FQDN or IP address.

Proxy Address Enter the IP address of the forwarding server.

Port Enter the port number on which the proxy receives connections. Traffic leaving
the FortiGate explicit web proxy for this server has its destination port number
changed to this number.

Server Down Action Select the action the explicit web proxy will take if the forwarding server is
down.
l Block: Blocks the traffic if the remote server is down.

l Use Original Server: Forwards the traffic from the FortiGate to its

destination as if no forwarding server is configured.

Health Monitor Select to enable health check monitoring.

Health Check Monitor Site Enter the address of a remote site.

4. Click OK.

Example

The following example adds a web proxy forwarding server named fwd-srv at address proxy.example.com and port
8080.

To add a web proxy forwarding server in the CLI:

config web-proxy forward-server
edit fwd-srv
set addr-type fqdn
set fqdn proxy.example.com
set port 8080
next
end


Web proxy forwarding server monitoring and health checking

By default, a FortiGate unit monitors a web proxy forwarding server by forwarding a connection to the remote server
every 10 seconds. The remote server is assumed to be down if it does not respond to the connection. FortiGate
continues checking the server. The server is assumed to be back up when the server sends a response. If you enable
health checking, the FortiGate unit attempts to get a response from a web server every 10 seconds by connecting
through the remote forwarding server.
You can configure health checking for each remote server and specify a different website to check for each one.
If the remote server is found to be down, you can configure the FortiGate unit either to block sessions until the server
comes back up or to let sessions connect to their destination directly, bypassing the remote forwarding server. A single
forwarding server has no failover target; to spread sessions across several servers, use a forwarding server group as
described in the next section.

To configure proxy server monitor and health checking in the GUI:

1. Go to Network > Explicit Proxy. The Explicit Proxy page opens.
2. In the Web Proxy Forwarding Servers section, edit a server.
3. Configure the Server Down Action and Health Monitor settings:

Server Down Action          Select the action the explicit web proxy takes if the forwarding server is down:
                            - Block: Blocks the traffic if the remote server is down.
                            - Use Original Server: Forwards the traffic from the FortiGate to its
                              destination as if no forwarding server were configured.
Health Monitor              Select to enable health check monitoring.
Health Check Monitor Site   Enter the address of a remote site that is requested through the forwarding
                            server to verify that the server is working.

4. Click OK.

Example

The following example enables health checking for a web proxy forwarding server and sets the server down option to
bypass the forwarding server if it is down.

To configure proxy server monitor and health checking in the CLI:

config web-proxy forward-server
edit fwd-srv
set healthcheck enable
set monitor http://example.com
set server-down-option pass
next
end

Grouping forwarding servers and load balancing traffic to the servers

You can add multiple web proxy forwarding servers to a forwarding server group and then add the server group to an
explicit web proxy policy instead of adding a single server. Forwarding server groups are created from the FortiGate CLI
but can be added to policies from the web-based manager (or from the CLI).


When you create a forwarding server group you can select a load balancing method to control how sessions are load
balanced to the forwarding servers in the server group. Two load balancing methods are available:
l Weighted load balancing sends more sessions to the servers with higher weights. You can configure the weight for
each server when you add it to the group.
l Least-session load balancing sends new sessions to the forwarding server that is processing the fewest sessions.
When you create a forwarding server group you can also enable affinity. Enable affinity to have requests from the same
client processed by the same server. This can reduce delays caused by using multiple servers for a single multi-step
client operation. Affinity takes precedence over load balancing.
You can also configure the behavior of the group if all of the servers in the group are down. You can select to block traffic
or you can select to have the traffic pass through the FortiGate explicit proxy directly to its destination instead of being
sent to one of the forwarding servers.

Example

The following example adds a forwarding server group that uses weighted load balancing to load balance traffic to three
forwarding servers. Server weights are configured to send most traffic to server2. The group has affinity enabled
and blocks traffic if all of the forward servers are down.

To configure load balancing in the CLI:

config web-proxy forward-server
edit server_1
set ip 172.20.120.12
set port 8080
next
edit server_2
set ip 172.20.120.13
set port 8000
next
edit server_3
set ip 172.20.120.14
set port 8090
next
end

config web-proxy forward-server-group
edit New-fwd-group
set affinity enable
set ldb-method weighted
set group-down-option block
config server-list
edit server_1
set weight 10
next
edit server_2
set weight 40
next
edit server_3
set weight 10
next
end
next
end
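To make the group behaviour described above concrete, here is an added Python model of a forward-server group. It is example code written for this page, not FortiOS code. It uses the page's three servers and their weights (10, 40, 10) and reproduces the documented rules: weighted or least-session selection, affinity taking precedence over load balancing for as long as the pinned server is still up, and group-down-option deciding between blocking the session and passing it straight to its destination when every server is down. The client addresses, the health states and the exact weighted round-robin ordering are assumptions; FortiOS documents only the resulting proportions, not its scheduler.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class ForwardServer:
    name: str
    ip: str
    port: int
    weight: int = 10          # only used by the weighted method
    healthy: bool = True      # result of the connection monitor / health check
    sessions: int = 0         # sessions currently assigned to this server


@dataclass
class ForwardServerGroup:
    servers: Dict[str, ForwardServer]
    ldb_method: str = "weighted"        # "weighted" or "least-session"
    affinity: bool = True
    group_down_option: str = "block"    # "block" or "pass"
    _pinned: Dict[str, str] = field(default_factory=dict)  # client IP -> server name
    _rr_pos: int = 0

    def _weighted_pick(self, healthy: List[ForwardServer]) -> ForwardServer:
        # Deterministic weighted round robin (an assumption about the scheduler):
        # each server appears `weight` times in the cycle, so its share of new
        # sessions tends to weight / sum(weights), which is the documented effect.
        cycle = [s for s in healthy for _ in range(s.weight)]
        chosen = cycle[self._rr_pos % len(cycle)]
        self._rr_pos += 1
        return chosen

    def select(self, client_ip: str) -> Optional[ForwardServer]:
        """Pick the forward server for a new session from client_ip.

        Returns None when the session bypasses the chain and goes straight to
        its destination (group-down-option pass); raises when it is blocked
        (group-down-option block).
        """
        healthy = [s for s in self.servers.values() if s.healthy]
        if not healthy:
            if self.group_down_option == "block":
                raise ConnectionRefusedError("all forward servers are down")
            return None
        # Affinity takes precedence over load balancing while the pinned server is up.
        if self.affinity and self._pinned.get(client_ip) in self.servers:
            pinned = self.servers[self._pinned[client_ip]]
            if pinned.healthy:
                pinned.sessions += 1
                return pinned
        if self.ldb_method == "least-session":
            chosen = min(healthy, key=lambda s: s.sessions)
        else:
            chosen = self._weighted_pick(healthy)
        chosen.sessions += 1
        if self.affinity:
            self._pinned[client_ip] = chosen.name
        return chosen


def build_group(**options) -> ForwardServerGroup:
    """The page's New-fwd-group: three servers with weights 10 / 40 / 10."""
    servers = {
        "server_1": ForwardServer("server_1", "172.20.120.12", 8080, weight=10),
        "server_2": ForwardServer("server_2", "172.20.120.13", 8000, weight=40),
        "server_3": ForwardServer("server_3", "172.20.120.14", 8090, weight=10),
    }
    return ForwardServerGroup(servers=servers, **options)


def distribute(group: ForwardServerGroup, n_clients: int) -> Dict[str, int]:
    """Open one session from each of n_clients distinct (constructed) client
    addresses and return how many sessions landed on each server."""
    for i in range(n_clients):
        group.select(f"10.31.101.{i % 254 + 1}")
    return {name: s.sessions for name, s in group.servers.items()}


if __name__ == "__main__":
    print(distribute(build_group(), 60))   # {'server_1': 10, 'server_2': 40, 'server_3': 10}
```

With 60 distinct clients the weights 10/40/10 yield exactly 10, 40 and 10 sessions. A second request from a client that is already pinned goes to the same server regardless of weights, and when that server goes down the client is re-pinned to whichever server load balancing selects next.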


Adding proxy chaining to an explicit web proxy policy

You can enable proxy chaining for web proxy sessions by adding a web proxy forwarding server or server group to an
explicit web proxy policy. In a policy you can select one web proxy forwarding server or server group. All explicit web
proxy traffic accepted by this security policy is forwarded to the specified web proxy forwarding server or server group.

To add an explicit web proxy forwarding server in the GUI:

1. Go to Policy & Objects > Proxy Policy and click Create New.
2. Configure the policy settings:

Proxy Type            Explicit Web
Outgoing Interface    wan1
Source                Internal_subnet
Destination           all
Schedule              always
Service               webproxy
Action                Accept

3. Enable Web Proxy Forwarding Server and select the forwarding server (for example, fwd-srv).
4. Click OK.

Example

The following example adds a security policy that allows all users on the 10.31.101.0 subnet to use the explicit web
proxy for connections through the wan1 interface to the Internet. The policy forwards web proxy sessions to a remote
forwarding server named fwd-srv.

To add an explicit web proxy forwarding server in the CLI:

config firewall proxy-policy
edit 0
set proxy explicit-web
set dstintf "wan1"
set srcaddr "Internal_subnet"
set dstaddr "all"
set service "webproxy"
set action accept
set schedule "always"
set webproxy-forward-server "fwd-srv"
next
end

Using TLS 1.3 with web proxy forward servers

A FortiGate can handle TLS 1.3 traffic in both deep and certificate inspection modes.


Example

The following example demonstrates that a Squid server used as the forwarding server and the FortiGate can both handle
TLS 1.3 traffic.

The output from the Squid server shows that the FortiGate supports TLS 1.3 and relays the server's HelloRetryRequest
back to the client PC. The client PC then sends its ClientHello again, and the connection is successfully established.

WAN optimization SSL proxy chaining

An SSL server does not need to be defined for WAN optimization (WANOpt) SSL traffic offloading (traffic acceleration).
The server-side FortiGate uses an SSL profile to re-sign the HTTP server's certificate, both with and without an external
proxy in the path, without an SSL server being configured. GCM and ChaCha ciphers can also be used in the SSL connection.

Examples

In these examples, HTTPS traffic is accelerated without configuring an SSL server, including with a proxy in between,
and when the GCM or ChaCha ciphers are used.

Example 1

In this example, the server certificate is resigned by the server side FortiGate, and HTTPS traffic is accelerated without
configuring an SSL server.


HTTPS traffic using the GCM or ChaCha cipher can pass through the WANOpt tunnel.

To configure FGT_A:

1. Configure the hard disk to perform WANOpt:


config system storage
edit "HDD2"
set status enable
set usage wanopt
set wanopt-mode mix
next
end

2. Configure the WANOpt peer and profile:


config wanopt peer
edit "FGT-D"
set ip 120.120.120.172
next
end

config wanopt profile
edit "test"
config http
set status enable
set ssl enable
end
next
end

3. Create an SSL profile with deep inspection on HTTPS port 443:


config firewall ssl-ssh-profile
edit "ssl"
config https
set ports 443
set status deep-inspection
end
next
end

4. Configure a firewall policy in proxy mode with WANOpt enabled and the WANOpt profile selected:
config firewall policy
edit 1
set name "WANOPT-A"
set srcintf "port21"
set dstintf "port27"
set action accept
set srcaddr "all"
set dstaddr "all"
set schedule "always"
set service "ALL"
set utm-status enable
set inspection-mode proxy
set profile-protocol-options "protocol"
set ssl-ssh-profile "ssl"
set wanopt enable
set wanopt-profile "test"
set nat enable
next
end

To configure FGT_D:

1. Configure the hard disk to perform WANOpt:


config system storage
edit "HDD2"
set status enable
set usage wanopt
set wanopt-mode mix
next
end

2. Configure the WANOpt peer:


config wanopt peer
edit "FGT-A"
set ip 110.110.110.171
next
end

3. Create an SSL profile with deep inspection on HTTPS port 443. The default Fortinet_CA_SSL certificate is used to
resign the server certificate:
config firewall ssl-ssh-profile
edit "ssl"
config https
set ports 443
set status deep-inspection
end
next
end

4. Configure a firewall policy in proxy mode with WANOpt enabled and passive WANOpt detection:
config firewall policy
edit 1
set name "WANOPT-B"
set srcintf "port27"
set dstintf "port23"
set action accept
set srcaddr "all"
set dstaddr "all"
set schedule "always"
set service "ALL"
set utm-status enable
set inspection-mode proxy
set wanopt enable
set wanopt-detection passive
set nat enable
next
end

5. Configure a proxy policy to apply the SSL profile:


config firewall proxy-policy
edit 100
set proxy wanopt
set dstintf "port23"
set srcaddr "all"
set dstaddr "all"
set service "ALL"
set action accept
set schedule "always"
set utm-status enable
set profile-protocol-options "protocol"
set ssl-ssh-profile "ssl"
next
end

To confirm that traffic is accelerated:

1. On the client PC, curl a 10MB test sample for the first time:
root@client:/tmp# curl -k https://172.16.200.144/test_10M.pdf -O
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 9865k 100 9865k 0 0 663k 0 0:00:14 0:00:15 --:--:-- 1526k

It takes 15 seconds to finish the download.


2. On FGT_A, check the WAD statistics:
# diagnose wad stats worker.tunnel
comp.n_in_raw_bytes 10155840
comp.n_in_comp_bytes 4548728
comp.n_out_raw_bytes 29624
comp.n_out_comp_bytes 31623

# diagnose wad stats worker.protos.http
wan.bytes_in 0
wan.bytes_out 0
lan.bytes_in 760
lan.bytes_out 10140606
tunnel.bytes_in 4548728
tunnel.bytes_out 31623

3. Curl the same test sample a second time:


root@client:/tmp# curl -k https://172.16.200.144/test_10M.pdf -O
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 9865k 100 9865k 0 0 663k 0 0:00:01 0:00:01 --:--:-- 1526k

It now takes less than one second to finish the download.


4. On FGT_A, check the WAD statistics again:
# diagnose wad stats worker.tunnel
comp.n_in_raw_bytes 10181157
comp.n_in_comp_bytes 4570331
comp.n_out_raw_bytes 31627
comp.n_out_comp_bytes 34702

# diagnose wad stats worker.protos.http
wan.bytes_in 0
wan.bytes_out 0
lan.bytes_in 1607
lan.bytes_out 20286841
tunnel.bytes_in 4570331
tunnel.bytes_out 34702

The tunnel counters barely moved between the two runs (tunnel.bytes_in grew by about 21 KB), while lan.bytes_out
roughly doubled, growing by a full copy of the file. The second download was therefore served from the FortiGate's
byte cache rather than fetched across the WAN, which shows that the traffic is accelerated.
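The comparison made in steps 2 and 4 can be automated. The following Python is an added example for this page, not a FortiOS tool: it parses the two diagnose wad stats snapshots printed above, computes the per-counter deltas, and applies the rule stated in the paragraph (LAN bytes out grew by at least the object, tunnel bytes in barely moved) to decide whether a download was a byte-cache hit. The all-zero baseline used for the first download and the 5% tolerance are assumptions; the object size is the Content-Length (10102130) that the curl -v output later on this page reports for test_10M.pdf.

```python
from typing import Dict

# Counter snapshots as printed on the page for FGT_A after the first curl and
# after the second. The two diagnose commands are kept together here.
AFTER_FIRST_CURL = """\
# diagnose wad stats worker.tunnel
comp.n_in_raw_bytes 10155840
comp.n_in_comp_bytes 4548728
comp.n_out_raw_bytes 29624
comp.n_out_comp_bytes 31623
# diagnose wad stats worker.protos.http
wan.bytes_in 0
wan.bytes_out 0
lan.bytes_in 760
lan.bytes_out 10140606
tunnel.bytes_in 4548728
tunnel.bytes_out 31623
"""

AFTER_SECOND_CURL = """\
# diagnose wad stats worker.tunnel
comp.n_in_raw_bytes 10181157
comp.n_in_comp_bytes 4570331
comp.n_out_raw_bytes 31627
comp.n_out_comp_bytes 34702
# diagnose wad stats worker.protos.http
wan.bytes_in 0
wan.bytes_out 0
lan.bytes_in 1607
lan.bytes_out 20286841
tunnel.bytes_in 4570331
tunnel.bytes_out 34702
"""

# Assumed, not from the page: every counter at zero before the first curl.
BEFORE_FIRST_CURL = "\n".join(
    f"{name} 0" for name in ("lan.bytes_in", "lan.bytes_out",
                             "tunnel.bytes_in", "tunnel.bytes_out")
)

TEST_OBJECT_SIZE = 10102130   # Content-Length of test_10M.pdf in the curl -v output


def parse_wad_stats(text: str) -> Dict[str, int]:
    """Turn `counter value` lines into a dict, skipping prompts and blank lines."""
    stats: Dict[str, int] = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 2 and parts[1].isdigit():
            stats[parts[0]] = int(parts[1])
    return stats


def counter_delta(before: str, after: str) -> Dict[str, int]:
    """Growth of every counter present in both snapshots."""
    b, a = parse_wad_stats(before), parse_wad_stats(after)
    return {k: a[k] - b[k] for k in a if k in b}


def served_from_cache(before: str, after: str, object_size: int,
                      tolerance: float = 0.05) -> bool:
    """Decide whether a download between the two snapshots was a byte-cache hit.

    The page's rule: the LAN side must have emitted at least the object, while
    the tunnel side grew by only a small fraction of it (`tolerance`, covering
    headers, ACKs and tunnel framing). On a cache miss the compressed object
    crosses the tunnel instead, so tunnel.bytes_in grows by megabytes.
    """
    d = counter_delta(before, after)
    return (d["lan.bytes_out"] >= object_size
            and d["tunnel.bytes_in"] <= object_size * tolerance)


if __name__ == "__main__":
    print(counter_delta(AFTER_FIRST_CURL, AFTER_SECOND_CURL))
    print(served_from_cache(AFTER_FIRST_CURL, AFTER_SECOND_CURL, TEST_OBJECT_SIZE))  # True
```

Run against the page's figures, the first download is classified as a miss (about 4.5 MB of compressed data crossed the tunnel) and the second as a hit (about 21 KB crossed the tunnel for a 10 MB object).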

To confirm that a curl using the GCM cipher is accepted and accelerated:

1. On the client PC, curl a 10MB test sample with the GCM cipher:
root@client:/tmp# curl -v -k --ciphers DHE-RSA-AES128-GCM-SHA256 https://172.16.200.144/test_10M.pdf -O
* Trying 172.16.200.144...
* TCP_NODELAY set
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0* Connected to 172.16.200.144 (172.16.200.144) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* Cipher selection: DHE-RSA-AES128-GCM-SHA256
* successfully set certificate verify locations:
* CAfile: /etc/ssl/certs/ca-certificates.crt
CApath: none
} [5 bytes data]
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
} [512 bytes data]
* TLSv1.3 (IN), TLS handshake, Server hello (2):
{ [100 bytes data]
* TLSv1.2 (IN), TLS handshake, Certificate (11):
{ [1920 bytes data]
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
{ [783 bytes data]
* TLSv1.2 (IN), TLS handshake, Server finished (14):
{ [4 bytes data]
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
} [262 bytes data]
* TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
} [1 bytes data]
* TLSv1.2 (OUT), TLS handshake, Finished (20):
} [16 bytes data]
* TLSv1.2 (IN), TLS handshake, Finished (20):
{ [16 bytes data]
* SSL connection using TLSv1.2 / DHE-RSA-AES128-GCM-SHA256
* ALPN, server accepted to use http/1.1
* Server certificate:
* subject: CN=ubuntu
* start date: Sep 20 21:38:01 2018 GMT
* expire date: Sep 17 21:38:01 2028 GMT
* issuer: C=US; ST=California; L=Sunnyvale; O=Fortinet; OU=Certificate Authority;
CN=Fortinet Untrusted CA; [email protected]
* SSL certificate verify result: self signed certificate in certificate chain (19),
continuing anyway.
} [5 bytes data]
> GET /test_10M.pdf HTTP/1.1
> Host: 172.16.200.144
> User-Agent: curl/7.64.1
> Accept: */*
>
{ [5 bytes data]
< HTTP/1.1 200 OK
< Date: Sat, 12 Jun 2021 00:31:08 GMT
< Server: Apache/2.4.37 (Ubuntu)
< Upgrade: h2,h2c
< Connection: Upgrade
< Last-Modified: Fri, 29 Jan 2021 20:10:25 GMT
< ETag: "9a2572-5ba0f98404aa5"
< Accept-Ranges: bytes
< Content-Length: 10102130
< Content-Type: application/pdf
<
{ [5 bytes data]
100 9865k 100 9865k 0 0 16.7M 0 --:--:-- --:--:-- --:--:-- 16.8M
* Connection #0 to host 172.16.200.144 left intact
* Closing connection 0

To confirm that a curl using the ChaCha cipher is accepted and accelerated:

1. On the client PC, curl a 10MB test sample with the ChaCha cipher:
root@client:/tmp# curl -v -k --ciphers ECDHE-RSA-CHACHA20-POLY1305 https://172.16.200.144/test.doc -O
* Trying 172.16.200.144...
* TCP_NODELAY set
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0* Connected to 172.16.200.144 (172.16.200.144) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* Cipher selection: ECDHE-RSA-CHACHA20-POLY1305
* successfully set certificate verify locations:
* CAfile: /etc/ssl/certs/ca-certificates.crt
CApath: none
} [5 bytes data]
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
} [512 bytes data]
* TLSv1.3 (IN), TLS handshake, Server hello (2):
{ [100 bytes data]
* TLSv1.2 (IN), TLS handshake, Certificate (11):
{ [1920 bytes data]
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
{ [300 bytes data]
* TLSv1.2 (IN), TLS handshake, Server finished (14):
{ [4 bytes data]
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
} [37 bytes data]
* TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
} [1 bytes data]
* TLSv1.2 (OUT), TLS handshake, Finished (20):
} [16 bytes data]
* TLSv1.2 (IN), TLS handshake, Finished (20):
{ [16 bytes data]
* SSL connection using TLSv1.2 / ECDHE-RSA-CHACHA20-POLY1305
* ALPN, server accepted to use http/1.1
* Server certificate:
* subject: CN=ubuntu
* start date: Sep 20 21:38:01 2018 GMT
* expire date: Sep 17 21:38:01 2028 GMT
* issuer: C=US; ST=California; L=Sunnyvale; O=Fortinet; OU=Certificate Authority;
CN=Fortinet Untrusted CA; [email protected]
* SSL certificate verify result: self signed certificate in certificate chain (19),
continuing anyway.
} [5 bytes data]
> GET /test.doc HTTP/1.1
> Host: 172.16.200.144
> User-Agent: curl/7.64.1
> Accept: */*
>
{ [5 bytes data]
< HTTP/1.1 200 OK
< Date: Sat, 12 Jun 2021 00:32:11 GMT
< Server: Apache/2.4.37 (Ubuntu)
< Upgrade: h2,h2c
< Connection: Upgrade
< Last-Modified: Wed, 05 May 2021 21:59:49 GMT
< ETag: "4c00-5c19c504b63f4"
< Accept-Ranges: bytes
< Content-Length: 19456
< Content-Type: application/msword
<
{ [5 bytes data]
100 19456 100 19456 0 0 137k 0 --:--:-- --:--:-- --:--:-- 138k
* Connection #0 to host 172.16.200.144 left intact
* Closing connection 0

Example 2

In this example, an external proxy is added to the configuration in Example 1.


To reconfigure FGT_A:

config firewall profile-protocol-options
edit "protocol"
config http
set ports 80 8080
unset options
unset post-lang
end
next
end

To reconfigure FGT_D:

1. Configure a new firewall policy for traffic passing from port27 to port29:
config firewall policy
edit 1
set name "WANOPT-B"
set srcintf "port27"
set dstintf "port29"
set action accept
set srcaddr "all"
set dstaddr "all"
set schedule "always"
set service "ALL"
set utm-status enable
set inspection-mode proxy
set wanopt enable
set wanopt-detection passive
set nat enable
next
end

2. Configure a proxy policy for traffic on destination interface port29:


config firewall proxy-policy
edit 100
set proxy wanopt
set dstintf "port29"
set srcaddr "all"
set dstaddr "all"
set service "ALL"
set action accept
set schedule "always"
set profile-protocol-options "protocol"
set ssl-ssh-profile "ssl"
next
end

To confirm that HTTPS traffic is still being accelerated:

1. On the client PC, curl the same 10MB test sample through the explicit proxy:
root@client:/tmp# curl -x 100.100.100.174:8080 -v -k https://172.16.200.144/test_10M.pdf -O
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 9865k 100 9865k 0 0 663k 0 0:00:01 0:00:01 --:--:-- 1526k

It takes less than a second to finish the download.

Agentless NTLM authentication for web proxy

Agentless Windows NT LAN Manager (NTLM) authentication includes support for the following items:
l Multiple servers
l Individual users
You can configure multiple domain controllers for agentless NTLM, both to balance the authentication load across them
and to keep authentication available if one controller becomes unreachable.
You can also use user-based matching in groups for Kerberos and agentless NTLM. In these scenarios, FortiOS
matches the user's group information from an LDAP server.

To support multiple domain controllers for agentless NTLM using the CLI:

1. Configure an LDAP server:


config user ldap
edit "ldap-kerberos"
set server "172.18.62.177"
set cnid "cn"
set dn "dc=fortinetqa,dc=local"
set type regular
set username "CN=root,CN=Users,DC=fortinetqa,DC=local"
set password *********
next
end

2. Configure multiple domain controllers:


config user domain-controller
edit "dc1"
set ip-address 172.18.62.177
config extra-server
edit 1
set ip-address 172.18.62.220
next
end
set ldap-server "ldap-kerberos"
next
end

3. Create an authentication scheme and rule:


config authentication scheme
edit "au-ntlm"
set method ntlm
set domain-controller "dc1"
next
end

config authentication rule
edit "ru-ntlm"
set srcaddr "all"
set ip-based disable
set active-auth-method "au-ntlm"
next
end

4. In the proxy policy, append the user group for authorization:


config firewall proxy-policy
edit 1
set proxy explicit-web
set dstintf "port1"
set srcaddr "all"
set dstaddr "all"
set service "web"
set action accept
set schedule "always"
set groups "ldap-group"
set utm-status enable
set av-profile "av"
set ssl-ssh-profile "deep-custom"
next
end

This configuration uses a round-robin method. When the first user logs in, the FortiGate sends the authentication
request to the first domain controller. Later when another user logs in, the FortiGate sends the authentication
request to another domain controller.
5. Verify the behavior after the user successfully logs in:
# diagnose wad user list
ID: 1825, IP: 10.1.100.71, VDOM: vdom1
user name : test1
duration : 497
auth_type : Session
auth_method : NTLM
pol_id : 1
g_id : 5
user_based : 0
expire : 103
LAN:
bytes_in=2167 bytes_out=7657
WAN:
bytes_in=3718 bytes_out=270


To support individual users for agentless NTLM using the CLI:

1. Configure an LDAP server:


config user ldap
edit "ldap-kerberos"
set server "172.18.62.177"
set cnid "cn"
set dn "dc=fortinetqa,dc=local"
set type regular
set username "CN=root,CN=Users,DC=fortinetqa,DC=local"
set password *********
next
end

2. Configure the user group and allow user-based matching:


config user group
edit "ldap-group"
set member "ldap" "ldap-kerberos"
config match
edit 1
set server-name "ldap-kerberos"
set group-name "test1"
next
end
next
end

3. Create an authentication scheme and rule:


config authentication scheme
edit "au-ntlm"
set method ntlm
set domain-controller "dc1"
next
end

config authentication rule
edit "ru-ntlm"
set srcaddr "all"
set ip-based disable
set active-auth-method "au-ntlm"
next
end

4. In the proxy policy, append the user group for authorization:


config firewall proxy-policy
edit 1
set proxy explicit-web
set dstintf "port1"
set srcaddr "all"
set dstaddr "all"
set service "web"
set action accept
set schedule "always"
set groups "ldap-group"
set utm-status enable
set av-profile "av"
set ssl-ssh-profile "deep-custom"
next
end

This implementation lets you configure a single user instead of a whole group. The FortiGate will now allow the user
named test1.

To verify the configuration using the CLI:

# diagnose wad user list
ID: 1827, IP: 10.1.15.25, VDOM: vdom1
user name : test1
duration : 161
auth_type : Session
auth_method : NTLM
pol_id : 1
g_id : 5
user_based : 0
expire : 439
LAN:
bytes_in=1309 bytes_out=4410
WAN:
bytes_in=2145 bytes_out=544

Multiple LDAP servers in Kerberos keytabs and agentless NTLM domain controllers

Multiple LDAP servers can be configured in Kerberos keytabs and agentless NTLM domain controllers for multi-forest
deployments.

To use multiple LDAP servers in Kerberos keytabs and agentless NTLM domain controllers:

1. Add multiple LDAP servers:


config user ldap
edit "ldap-kerberos"
set server "172.16.200.98"
set cnid "cn"
set dn "dc=fortinetqa,dc=local"
set type regular
set username "CN=root,CN=Users,DC=fortinetqa,DC=local"
set password xxxxxxxxx
next
edit "ldap-two"
set server "172.16.106.128"
set cnid "cn"
set dn "OU=Testing,DC=ad864r2,DC=com"
set type regular
set username "cn=Testadmin,cn=users,dc=AD864R2,dc=com"
set password xxxxxxxxx
next
end

2. Configure a Kerberos keytab entry that uses both LDAP servers:

config user krb-keytab
edit "http_service"
set pac-data disable
set principal "HTTP/[email protected]"
set ldap-server "ldap-kerberos" "ldap-two"
set keytab xxxxxxxxx
next
end

3. Configure a domain controller that uses both LDAP servers:


config user domain-controller
edit "dc1"
set ip-address 172.16.200.98
set ldap-server "ldap-two" "ldap-kerberos"
next
end

Learn client IP addresses

Learning the actual client IP address is essential for authorization. When a NAT device sits between the FortiGate and
the clients, every connection arrives from the NAT device's address, so policy and authentication lookups would otherwise
apply to the NAT device rather than to the user. This function recovers the real client address from an HTTP header
inserted by that device.
config web-proxy global
set learn-client-ip {enable | disable}
set learn-client-ip-from-header {true-client-ip | x-real-ip | x-forwarded-for}
set learn-client-ip-srcaddr <address> ... <address>
end

learn-client-ip {enable | disable}      Enable/disable learning the client's IP address from headers.
learn-client-ip-from-header             Learn client IP addresses from the specified header.
  {true-client-ip | x-real-ip |
  x-forwarded-for}
learn-client-ip-srcaddr                 The address objects of the sources whose header is trusted. The client IP is
  <address> ... <address>               learned only from traffic arriving from these addresses.

Example

In this example, the real client IP address is used to match a policy for FSSO authentication.

To enable learning the client IP address:

config web-proxy global
set proxy-fqdn "default.fqdn"
set webproxy-profile "default"
set learn-client-ip enable
set learn-client-ip-from-header x-forwarded-for
set learn-client-ip-srcaddr "all"
end


To configure the proxy policy:

config firewall proxy-policy
edit 1
set proxy explicit-web
set dstintf "mgmt1"
set srcaddr "all"
set dstaddr "all"
set service "w"
set action accept
set schedule "always"
set groups "fsso1"
set utm-status enable
set av-profile "default"
set dlp-profile "default"
set profile-protocol-options "default"
set ssl-ssh-profile "deep-inspection"
next
end

To configure the authentication scheme and rule:

config authentication scheme
edit "scheme1"
set method fsso
next
end

config authentication rule
edit "rule1"
set srcaddr "all"
set sso-auth-method "scheme1"
next
end
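How the three settings interact is easier to see in code. The following Python function is an added example for this page, not FortiOS code; it models the decision the proxy makes: consult the configured header only when the connecting address is covered by learn-client-ip-srcaddr, and otherwise fall back to the connecting address. The example above sets learn-client-ip-srcaddr to "all", which trusts the header from any source; any host that can reach the proxy could then present another user's address and be matched against that user's FSSO policy. In production, restrict the source to the NAT device(s) that actually insert the header. The addresses used here (10.1.100.5 as the NAT device, 10.1.100.99 as a host forging the header, 192.168.7.23 and 10.1.100.50 as user addresses) and the header values are constructed.

```python
import ipaddress
from typing import Dict, Iterable

# CLI value of learn-client-ip-from-header -> HTTP header name (lower-cased).
HEADER_FOR_OPTION = {
    "true-client-ip": "true-client-ip",
    "x-real-ip": "x-real-ip",
    "x-forwarded-for": "x-forwarded-for",
}


def _valid_ip(value: str) -> bool:
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def _trusted_source(peer_ip: str, srcaddr: Iterable[str]) -> bool:
    """srcaddr stands in for the address objects named in
    learn-client-ip-srcaddr: either 'all' or host/CIDR strings."""
    peer = ipaddress.ip_address(peer_ip)
    return any(entry == "all" or peer in ipaddress.ip_network(entry, strict=False)
               for entry in srcaddr)


def learn_client_ip(peer_ip: str, headers: Dict[str, str], *,
                    enabled: bool = True,
                    from_header: str = "x-forwarded-for",
                    srcaddr: Iterable[str] = ("all",)) -> str:
    """Return the address that policy matching and authentication should use.

    The header is consulted only when the TCP peer (the device that opened
    the connection to the proxy) is in srcaddr. Otherwise the peer address
    is used, so a host that is not one of the trusted NAT devices cannot
    choose its own identity by adding a header.
    """
    if not enabled or not _trusted_source(peer_ip, srcaddr):
        return peer_ip
    lowered = {k.lower(): v for k, v in headers.items()}
    raw = lowered.get(HEADER_FOR_OPTION[from_header])
    if raw is None:
        return peer_ip
    # X-Forwarded-For may carry a chain "client, proxy1, proxy2"; the left-most
    # entry is the originating client. The other two headers carry one address.
    candidate = raw.split(",")[0].strip()
    return candidate if _valid_ip(candidate) else peer_ip


# Constructed scenario (not from the page): a NAT device at 10.1.100.5 in
# front of the proxy, a user behind it at 192.168.7.23, and a host on the
# proxy's own segment at 10.1.100.99 that forges the header.
NAT_DEVICE = "10.1.100.5"
TRUSTED = ["10.1.100.5/32"]
GENUINE = {"X-Forwarded-For": "192.168.7.23, 10.1.100.5"}
FORGED = {"X-Forwarded-For": "10.1.100.50"}   # claims another user's address

if __name__ == "__main__":
    print(learn_client_ip(NAT_DEVICE, GENUINE, srcaddr=TRUSTED))    # 192.168.7.23
    print(learn_client_ip("10.1.100.99", FORGED, srcaddr=TRUSTED))  # 10.1.100.99
    print(learn_client_ip("10.1.100.99", FORGED, srcaddr=["all"]))  # 10.1.100.50
```

The three calls at the end show the point: with the source restricted to the NAT device, the forged header from 10.1.100.99 is ignored and the host keeps its own address; with "all", the forged value is accepted as the client IP.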

Explicit proxy authentication over HTTPS

When an HTTP request requires authentication in an explicit proxy, the authentication can be redirected to a secure
HTTPS captive portal. Once authentication is complete, the client is redirected back to the original destination over
HTTP.

Example

A user visits a website over HTTP through the explicit web proxy on a FortiGate. The proxy requires the user to
authenticate with basic or form-based IP-based authentication. Submitting the credentials over plain HTTP would expose
them on the network, so the client is instead redirected to a captive portal on the FortiGate over HTTPS, and the
credentials are transmitted inside that encrypted connection.


In this example, explicit proxy authentication over HTTPS is configured with form IP-based authentication. Once
configured, you can enable authorization for an explicit web proxy by configuring users or groups in the firewall proxy
policy.

To configure explicit proxy authentication over HTTPS:

1. Configure the authentication settings:


config authentication setting
set captive-portal-type fqdn
set captive-portal "fgt-cp"
set auth-https enable
end

2. Configure the authentication scheme:


config authentication scheme
edit "form"
set method form
set user-database "local-user-db"
next
end

3. Configure the authentication rule:


config authentication rule
edit "form"
set srcaddr "all"
set active-auth-method "form"
next
end

If basic authentication is used with session-based rather than IP-based authentication, also enable web-auth-cookie in
the authentication rule.

4. Configure the firewall address:


config firewall address
edit "fgt-cp"
set type fqdn
set fqdn "fgt.fortinetqa.local"
next
end

5. Configure the interface:

config system interface
edit "port10"
set ip 10.1.100.1 255.255.255.0
set explicit-web-proxy enable
set proxy-captive-portal enable
next
end

6. Configure a firewall proxy policy with users or groups (see Explicit web proxy on page 226).

Verification

When a client visits an HTTP website, the client is redirected to the captive portal to authenticate over HTTPS. For
example, the client could be redirected by an HTTP 303 response similar to the following:
HTTP/1.1 303 See Other
Connection: close
Content-Type: text/html
Cache-Control: no-cache
Location: https://fgt.fortinetqa.local:7831/XX/YY/ZZ/cpauth?scheme=http&4Tmthd=0&host=172.16.200.46&port=80&rule=75&uri=Lw==&
Content-Length: 0
The captive portal URL used for authentication is https://fgt.fortinetqa.local:7831/.... The query string carries the
original request (scheme, host, port and the base64-encoded URI) so that, once authentication is complete with all user
credentials protected by HTTPS, the client can be redirected to the original HTTP website it intended to visit.
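To verify that the redirect actually protects the credentials, the following Python is an added example for this page, not FortiOS code. It parses the 303 response shown above, checks that the Location header points at the configured captive-portal FQDN over HTTPS, and decodes the query parameters FortiOS appends (uri is base64; Lw== decodes to "/") to rebuild the original request the client will be returned to. The response text and the FQDN fgt.fortinetqa.local are taken from this example; the header-parsing helper and the error handling are assumptions of the example.

```python
import base64
from typing import Dict, Tuple
from urllib.parse import parse_qs, urlsplit

# The 303 response shown in the Verification section above.
RESPONSE_303 = (
    "HTTP/1.1 303 See Other\r\n"
    "Connection: close\r\n"
    "Content-Type: text/html\r\n"
    "Cache-Control: no-cache\r\n"
    "Location: https://fgt.fortinetqa.local:7831/XX/YY/ZZ/cpauth"
    "?scheme=http&4Tmthd=0&host=172.16.200.46&port=80&rule=75&uri=Lw==&\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
)

PORTAL_FQDN = "fgt.fortinetqa.local"   # the fgt-cp address object in the example


def parse_response_head(raw: str) -> Tuple[int, Dict[str, str]]:
    """Return (status code, lower-cased header dict) from a raw HTTP/1.1 response."""
    head = raw.split("\r\n\r\n", 1)[0]
    status_line, *header_lines = head.split("\r\n")
    status = int(status_line.split()[1])
    headers: Dict[str, str] = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers


def check_captive_portal_redirect(raw: str, portal_fqdn: str) -> Dict[str, str]:
    """Validate the redirect and return what it encodes about the original request.

    Raises ValueError if the client would be sent to the portal over plain
    HTTP or to an unexpected host, i.e. if the credentials would not be
    protected as the feature intends.
    """
    status, headers = parse_response_head(raw)
    if status != 303 or "location" not in headers:
        raise ValueError("not a 303 redirect to a captive portal")
    target = urlsplit(headers["location"])
    if target.scheme != "https":
        raise ValueError(f"portal reached over {target.scheme}; credentials would be in clear text")
    if target.hostname != portal_fqdn:
        raise ValueError(f"unexpected portal host {target.hostname}")
    params = {k: v[0] for k, v in parse_qs(target.query).items()}
    # `uri` is the base64-encoded path of the original request (Lw== is "/").
    path = base64.b64decode(params["uri"]).decode()
    return {
        "portal_port": str(target.port),
        "rule": params["rule"],
        "original_url": f"{params['scheme']}://{params['host']}:{params['port']}{path}",
    }


if __name__ == "__main__":
    print(check_captive_portal_redirect(RESPONSE_303, PORTAL_FQDN))
    # {'portal_port': '7831', 'rule': '75', 'original_url': 'http://172.16.200.46:80/'}
```

A redirect that points at the portal over http://, or at a host other than the configured captive-portal FQDN, is rejected, because in either case the form submission would not be protected in the way this feature is meant to guarantee.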

mTLS client certificate authentication

FortiGate supports client certificate authentication used in mutual Transport Layer Security (mTLS) communication
between a client and server. Clients are issued certificates by the CA, and an access proxy configured on the FortiGate
uses the new certificate method in the authentication scheme to identify and approve the certificate provided by the client
when they try to connect to the access proxy. The FortiGate can also add the HTTP header X-Forwarded-Client-Cert to
forward the certificate information to the server.

Examples

In these examples, the access proxy VIP IP address is 10.1.100.200.


Example 1

In this example, clients are issued unique client certificates from your CA. The FortiGate authenticates the clients by their
user certificate before allowing them to connect to the access proxy. The access server acts as a reverse proxy for the
web server that is behind the FortiGate.
This example assumes that you have already obtained the public CA certificate from your CA, the root CA of the client
certificate has been imported (CA_Cert_1), and the client certificate has been distributed to the endpoints.

To configure the FortiGate:

1. Configure user authentication. Both an authentication scheme and rule must be configured, as the authentication is
applied on the access proxy:
config authentication scheme
edit "mtls"
set method cert
set user-cert enable
next
end

config authentication rule
edit "mtls"
set srcintf "port2"
set srcaddr "all"
set dstaddr "all"
set active-auth-method "mtls"
next
end

2. Select the CA or CAs used to verify the client certificate:


config authentication setting
set user-cert-ca "CA_Cert_1"
end

3. Configure the users. Users can be matched based on either the common-name on the certificate or the trusted
issuer.
l Verify the user based on the common name on the certificate:
config user certificate
edit "single-certificate"
set type single-certificate
set common-name "client.fortinet.com"
next
end

l Verify the user based on the CA issuer:


config user certificate
edit "trusted-issuer"
set type trusted-issuer
set issuer "CA_Cert_1"
next
end

4. Configure the access proxy VIP. The SSL certificate is the server certificate that is presented to the user as they
connect:

config firewall vip
edit "mTLS"
set type access-proxy
set extip 10.1.100.200
set extintf "port2"
set server-type https
set extport 443
set ssl-certificate "Fortinet_CA_SSL"
next
end

5. Configure the access proxy policy, including the real server to be mapped. To request the client certificate during
the TLS handshake, client-cert is enabled. empty-cert-action controls what happens when the client presents no certificate
at all: accept, as in this example, lets the handshake complete, so authorization then depends entirely on the
authentication scheme and the users matched in the proxy policy; block refuses such connections at the handshake:
config firewall access-proxy
edit "mTLS-access-proxy"
set vip "mTLS"
set client-cert enable
set empty-cert-action accept
config api-gateway
edit 1
config realservers
edit 1
set ip 172.16.200.44
next
end
next
end
next
end

6. Configure the firewall policy to allow the client to connect to the access proxy:
    config firewall policy
        edit 1
            set srcintf "port2"
            set dstintf "any"
            set action accept
            set srcaddr "all"
            set dstaddr "mTLS"
            set schedule "always"
            set service "ALL"
            set inspection-mode proxy
            set logtraffic all
            set nat enable
        next
    end

7. Configure the proxy policy to apply authentication and the security profile, selecting the appropriate user object
depending on the user type:
    config firewall proxy-policy
        edit 3
            set proxy access-proxy
            set access-proxy "mTLS-access-proxy"
            set srcintf "port2"
            set srcaddr "all"
            set dstaddr "all"
            set action accept
            set schedule "always"
            set users {"single-certificate" | "trusted-issuer"}
            set utm-status enable
            set ssl-ssh-profile "deep-inspection-clone"
            set av-profile "av"
        next
    end

To verify the results:

1. In a web browser, access the VIP address. This example uses Chrome.
2. When prompted, select the client certificate, then click OK.
3. Click Certificate information to view details about the certificate.
4. On the FortiGate, check the traffic logs.
    - If client certificate authentication passes:
        1: date=2021-06-03 time=15:48:36 eventtime=1622760516866635697 tz="-0700" logid="0000000010" type="traffic" subtype="forward" level="notice" vd="vdom1" srcip=10.1.100.11 srcport=45532 srcintf="port2" srcintfrole="undefined" dstcountry="Reserved" srccountry="Reserved" dstip=172.16.200.44 dstport=443 dstintf="vdom1" dstintfrole="undefined" sessionid=154900 service="HTTPS" wanoptapptype="web-proxy" proto=6 action="accept" policyid=3 policytype="proxy-policy" poluuid="af5e2df2-c321-51eb-7d5d-42fa58868dcb" duration=0 user="single-certificate" wanin=2550 rcvdbyte=2550 wanout=627 lanin=4113 sentbyte=4113 lanout=2310 appcat="unscanned"

    - If the CA issuer is used to verify the client:
        1: date=2021-06-03 time=15:43:02 eventtime=1622760182384776037 tz="-0700" logid="0000000010" type="traffic" subtype="forward" level="notice" vd="vdom1" srcip=10.1.100.11 srcport=45514 srcintf="port2" srcintfrole="undefined" dstcountry="Reserved" srccountry="Reserved" dstip=10.1.100.200 dstport=443 dstintf="vdom1" dstintfrole="undefined" sessionid=153884 service="HTTPS" wanoptapptype="web-proxy" proto=6 action="accept" policyid=3 policytype="proxy-policy" poluuid="af5e2df2-c321-51eb-7d5d-42fa58868dcb" duration=0 user="trusted-issuer" wanin=0 rcvdbyte=0 wanout=0 lanin=4089 sentbyte=4089 lanout=7517 appcat="unscanned" utmaction="block" countweb=1 crscore=30 craction=8 utmref=65535-0

    - If the client certificate authentication fails, and the traffic is blocked:
        1: date=2021-06-03 time=15:45:53 eventtime=1622760353789703671 tz="-0700" logid="0000000013" type="traffic" subtype="forward" level="notice" vd="vdom1" srcip=10.1.100.11 srcport=45518 srcintf="port2" srcintfrole="undefined" dstip=172.16.200.44 dstport=443 dstintf="vdom1" dstintfrole="undefined" srccountry="Reserved" dstcountry="Reserved" sessionid=154431 proto=6 action="deny" policyid=0 policytype="proxy-policy" user="single-certificate" service="HTTPS" trandisp="noop" url="https://10.1.100.200/" agent="curl/7.68.0" duration=0 sentbyte=0 rcvdbyte=0 sentpkt=0 rcvdpkt=0 appcat="unscanned" crscore=30 craction=131072 crlevel="high" msg="Traffic denied because of explicit proxy policy"
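As an added example that is not part of the guide, the following Python parser reads traffic log lines like the three above and classifies each session the way those cases are read: an accept carrying a certificate user object, a successful match that a security profile then blocked, and the implicit deny. The sample lines are constructed, shortened versions of the logs shown above.

```python
"""Parse FortiGate traffic logs and classify the mTLS authentication outcome.

Added example, not from the FortiOS guide. The sample lines below are
constructed, shortened versions of the three results shown above.
"""
import re
from typing import Dict, List

# key=value pairs; a value is either a "quoted string" or a bare token.
_KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')

# Constructed sample logs (field subset of the guide's verification output).
SAMPLE_LOGS = [
    # client certificate matched the "single-certificate" user object
    '1: date=2021-06-03 time=15:48:36 type="traffic" subtype="forward" vd="vdom1" '
    'srcip=10.1.100.11 srcport=45532 dstip=172.16.200.44 dstport=443 sessionid=154900 '
    'service="HTTPS" action="accept" policyid=3 policytype="proxy-policy" '
    'user="single-certificate" appcat="unscanned"',
    # client certificate matched the CA-issuer user object; AV then blocked the content
    '1: date=2021-06-03 time=15:43:02 type="traffic" subtype="forward" vd="vdom1" '
    'srcip=10.1.100.11 srcport=45514 dstip=10.1.100.200 dstport=443 sessionid=153884 '
    'service="HTTPS" action="accept" policyid=3 policytype="proxy-policy" '
    'user="trusted-issuer" appcat="unscanned" utmaction="block" crscore=30',
    # no proxy policy matched: implicit deny (policyid=0)
    '1: date=2021-06-03 time=15:45:53 type="traffic" subtype="forward" vd="vdom1" '
    'srcip=10.1.100.11 srcport=45518 dstip=172.16.200.44 dstport=443 sessionid=154431 '
    'action="deny" policyid=0 policytype="proxy-policy" user="single-certificate" '
    'service="HTTPS" url="https://10.1.100.200/" agent="curl/7.68.0" '
    'msg="Traffic denied because of explicit proxy policy"',
]


def parse_traffic_log(line: str) -> Dict[str, str]:
    """Split one traffic log line into a dict, dropping the leading "N: " index
    printed by the log viewer and the quotes around quoted values."""
    line = re.sub(r"^\d+:\s*", "", line.strip())
    return {k: (v[1:-1] if v.startswith('"') else v) for k, v in _KV_RE.findall(line)}


def classify_mtls(fields: Dict[str, str]) -> str:
    """Outcome of one proxy-policy session:
    'authenticated' - accepted with a user object matched from the client cert,
    'denied'        - action=deny on policyid=0 (implicit deny, no policy matched),
    'other'         - not a proxy-policy log or no certificate user matched."""
    if fields.get("policytype") != "proxy-policy":
        return "other"
    if fields.get("action") == "accept" and fields.get("user"):
        return "authenticated"
    if fields.get("action") == "deny" and fields.get("policyid") == "0":
        return "denied"
    return "other"


def utm_blocked(fields: Dict[str, str]) -> bool:
    """True when authentication passed but a security profile blocked the content."""
    return classify_mtls(fields) == "authenticated" and fields.get("utmaction") == "block"


def summarize(lines: List[str]) -> Dict[str, List[str]]:
    """Group session IDs by outcome, plus a separate 'utm_blocked' list."""
    out: Dict[str, List[str]] = {"authenticated": [], "denied": [], "other": [], "utm_blocked": []}
    for line in lines:
        fields = parse_traffic_log(line)
        sid = fields.get("sessionid", "?")
        out[classify_mtls(fields)].append(sid)
        if utm_blocked(fields):
            out["utm_blocked"].append(sid)
    return out


if __name__ == "__main__":
    for outcome, sessions in summarize(SAMPLE_LOGS).items():
        print(f"{outcome:14} {sessions}")
```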

Example 2

In this example, the same configuration as in Example 1 is used, with a web proxy profile added to enable adding the
client certificate to the HTTP header X-Forwarded-Client-Cert. The header is then forwarded to the server.

To configure the FortiGate:

1. Repeat steps 1 to 6 of Example 1, using the common name on the certificate to verify the user.
2. Configure a web proxy profile that adds the HTTP x-forwarded-client-cert header in forwarded requests:
    config web-proxy profile
        edit "mtls"
            set header-x-forwarded-client-cert add
        next
    end

3. Configure the proxy policy to apply authentication, the security profile, and the web proxy profile:
    config firewall proxy-policy
        edit 3
            set uuid af5e2df2-c321-51eb-7d5d-42fa58868dcb
            set proxy access-proxy
            set access-proxy "mTLS-access-proxy"
            set srcintf "port2"
            set srcaddr "all"
            set dstaddr "all"
            set action accept
            set schedule "always"
            set logtraffic all
            set users "single-certificate"
            set webproxy-profile "mtls"
            set utm-status enable
            set ssl-ssh-profile "deep-inspection-clone"
            set av-profile "av"
        next
    end

To verify the results:

The WAD debug shows that the FortiGate adds the client certificate information to the HTTP header. The added header
cannot be checked using the sniffer, because the FortiGate encrypts the HTTP header to forward it to the server.

1. Enable WAD debug on all categories:
    # diagnose wad debug enable category all

2. Set the WAD debug level to verbose:
    # diagnose wad debug enable level verbose

3. Enable debug output:
    # diagnose debug enable

4. Check the debug output.
    - When the FortiGate receives the client HTTP request:
        [0x7fc8d4bc4910] Received request from client: 10.1.100.11:45544

        GET / HTTP/1.1
        Host: 10.1.100.200
        User-Agent: curl/7.68.0
        Accept: */*

    - When the FortiGate adds the client certificate into the HTTP header and forwards the client HTTP request:
        [0x7fc8d4bc4910] Forward request to server:
        GET / HTTP/1.1
        Host: 172.16.200.44
        User-Agent: curl/7.68.0
        Accept: */*
        X-Forwarded-Client-Cert: -----BEGIN CERTIFICATE-----
        MIIFXzCCA0egAwI...aCFHDHlR+wb39s=
        -----END CERTIFICATE-----
        -----BEGIN CERTIFICATE-----
        MIIFpTCCA42gAwI...OtDtetkNoFLbvb
        -----END CERTIFICATE-----


CORS protocol in explicit web proxy when using session-based, cookie-enabled, and captive portal-enabled SAML authentication

The FortiGate explicit web proxy supports the Cross-Origin Resource Sharing (CORS) protocol, which allows the
FortiGate to process a CORS preflight request and an actual CORS request properly, in addition to a simple CORS
request when using session-based, cookie-enabled, and captive portal-enabled SAML authentication. This allows a
FortiGate explicit web proxy user with this specific configuration to properly view a web page requiring CORS with
domains embedded in it other than its own domain.

To configure the FortiGate:

1. Configure the authentication rule:
    config authentication rule
        edit "saml"
            set srcaddr "all"
            set ip-based disable
            set active-auth-method "saml"
            set web-auth-cookie enable
        next
    end

2. Configure the captive portal:
    config authentication setting
        set captive-portal "fgt9.myqalab.local"
    end

3. Configure the proxy policy:
    config firewall proxy-policy
        edit 3
            set proxy explicit-web
            set dstintf "port9"
            set srcaddr "all"
            set dstaddr "all"
            set service "webproxy"
            set action accept
            set schedule "always"
            set logtraffic all
            set groups "ldap-group-saml"
            set utm-status enable
            set profile-protocol-options "protocol"
            set ssl-ssh-profile "deep-custom"
            set av-profile "av"
        next
    end

CORS request scenarios

Preflight CORS request

The client sends the initial CORS preflight request (OPTIONS with the Origin header) to the web server through the
FortiGate's web proxy and receives a CORS 200 OK response (with headers such as Access-Control-Allow-Origin). The
FortiGate will not redirect the client to the captive portal for authentication:
> OPTIONS /bidRequest HTTP/1.1
> Host: c2shb.pubgw.yahoo.com
> User-Agent: curl/7.61.1
> Accept: */*
> Access-Control-Request-Method: GET
> Access-Control-Request-Headers: content-type,x-openrtb-version
> Origin: https://www.cnn.com
...
< HTTP/1.1 200 OK
< Date: Thu, 19 May 2022 01:49:17 GMT
< Content-Length: 0
< Server: ATS/9.1.0.46
< Access-Control-Allow-Origin: https://www.cnn.com
< Access-Control-Allow-Methods: GET,POST,OPTIONS
< Access-Control-Allow-Headers: X-Requested-With,Content-Type,X-Openrtb-Version
< Access-Control-Allow-Credentials: true
< Access-Control-Max-Age: 600
< Age: 0
< Connection: keep-alive
< Set-Cookie: A3=d=AQABBB2ihWICEIUyD_Du5ol8tMdKKWxspR8FEgEBAQHzhmKPYgAAAAAA_eMAAA&S=AQAAAlU0dAheQx6euvcPs8ErK4I; Expires=Fri, 19 May 2023 07:49:17 GMT; Max-Age=31557600; Domain=.yahoo.com; Path=/; SameSite=None; Secure; HttpOnly

Real CORS request

Once the initial preflight request for the client is successful, the client sends the real CORS request (GET request with
Origin header) to the FortiGate. The FortiGate then replies with a 30x response to redirect the client to the captive portal.
The 30x response includes CORS headers such as Access-Control-Allow-Origin:
> GET /bidRequest HTTP/1.1
> Host: c2shb.pubgw.yahoo.com
> User-Agent: curl/7.61.1
> Accept: */*
> Origin: https://www.cnn.com
...
< HTTP/1.1 303 See Other
< Access-Control-Max-Age: 1
< Access-Control-Allow-Origin: https://www.cnn.com
< Access-Control-Allow-Credentials: true
< Set-Cookie: FTNT-EP-FG900D3915800054=pqWlpdswdcCnpaWli6WlpcjEwszGmJbGksbBwMCVwcPBlpKRnMGTl52QxJeUwYPW18aYlJWLlIuUlZWLlJalpQ==; Path=/; Domain=.pubgw.yahoo.com; HttpOnly; SameSite=None; Secure
< Connection: close
< Content-Type: text/html
< Cache-Control: no-cache
< Location: https://fgt9.myqalab.local:7831/test/saml/login/?cptype=ckauth&scheme=https&4Tmthd=0&host=c2shb.pubgw.yahoo.com&port=443&rule=98&uri=L2JpZFJlcXVlc3Q=&cdata=pqWlpdswdcCnpaWli6WlpcjEwszGmJbGksbBwMCVwcPBlpKRnMGTl52QxJeUwYPW18aYlJWLlIuUlZWLlJalpQ==
< Content-Length: 0

Redirection to captive portal

Once the client's real CORS request is redirected to the captive portal, the client sends another preflight to the captive
portal. The captive portal then replies with a 20x response, which includes CORS headers such as
Access-Control-Allow-Origin:
> OPTIONS /test/saml/login/?cptype=ckauth&scheme=https&4Tmthd=1&host=gql.reddit.com&port=443&rule=98&uri=Lw==&cdata=pqWlpQM5dcCnpaWliqWlpcjEwszGmJbGksbAk5WTl8aTwJDGnJ2Tl52QxpHDkYPW18aYlJWLlIuUlZWLlJGWpQ== HTTP/1.1
> Host: fgt9.myqalab.local:7831
> Connection: keep-alive
> Accept: */*
> Access-Control-Request-Method: GET
> Access-Control-Request-Headers: authorization,content-type,x-reddit-compression,x-reddit-loid,x-reddit-session
> Origin: null
> User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.75 Safari/537.36 Edg/100.0.1185.36
> Sec-Fetch-Mode: cors
> Sec-Fetch-Site: cross-site
> Sec-Fetch-Dest: empty
> Referer: https://www.reddit.com/
> Accept-Encoding: gzip, deflate, br
> Accept-Language: en-US,en;q=0.9
...
< HTTP/1.1 204 No Content
< Access-Control-Max-Age: 86400
< Access-Control-Allow-Methods: GET
< Access-Control-Allow-Headers: authorization,content-type,x-reddit-compression,x-reddit-loid,x-reddit-session
< Access-Control-Allow-Origin: null
< Access-Control-Allow-Credentials: true

Simple CORS request

If a simple CORS request (no preflight request sent before it) is used, when the FortiGate receives the simple request, it
replies with a 30x response that includes CORS headers, such as Access-Control-Allow-Origin:
> Host: www.yahoo.com
> User-Agent: curl/7.61.1
> Accept: */*
> Origin: https://www.cnn.com
...
< HTTP/1.1 303 See Other
< Access-Control-Max-Age: 1
< Access-Control-Allow-Origin: https://www.cnn.com
< Access-Control-Allow-Credentials: true
< Set-Cookie: FTNT-EP-FG900D3915800000=pqWlpaw7dcCnpaWli6WlpcjEwszGmJbGksbAkpOcxMDDlpbGlMSTl52QwcGcl4PW18aYlJWLlIuUlZWLlJalpQ==; Path=/; Domain=.yahoo.com; HttpOnly; SameSite=None; Secure
< Connection: close
< Content-Type: text/html
< Cache-Control: no-cache
< Location: https://fgt9.myqalab.local:7831/test/saml/login/?cptype=ckauth&scheme=https&4Tmthd=0&host=www.yahoo.com&port=443&rule=98&uri=Lw==&cdata=pqWlpaw7dcCnpaWli6WlpcjEwszGmJbGksbAkpOcxMDDlpbGlMSTl52QwcGcl4PW18aYlJWLlIuUlZWLlJalpQ==
< Content-Length: 0
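The proxy behaviour in the scenarios above (preflight passed through, actual and simple CORS requests answered with a 303 that carries CORS headers, and the captive portal's own 204 preflight reply), modelled as an added Python example that is not FortiOS code. Status codes and header names come from the captures; the captive portal URL is a placeholder, the FTNT-EP- cookie prefix is taken from the captures, and treating a request without an Origin header as a plain captive-portal redirect is an assumption.

```python
"""Model of the explicit web proxy's CORS handling for a SAML user who is
not yet authenticated, as described in the scenarios above.

Added example, not FortiOS code. Status codes, header names and the
FTNT-EP- cookie prefix are taken from the captures in this section; the
captive portal URL is a placeholder, and treating a request without an
Origin header as a plain captive-portal redirect is an assumption."""
from typing import Dict, Optional, Tuple

CAPTIVE_PORTAL = "https://captive-portal.example.invalid/test/saml/login/"  # placeholder
AUTH_COOKIE_PREFIX = "FTNT-EP-"  # cookie the FortiGate sets once the user is authenticated

Headers = Dict[str, str]


def _lower(headers: Headers) -> Headers:
    """HTTP header names are case-insensitive; normalise them for lookups."""
    return {k.lower(): v for k, v in headers.items()}


def classify(method: str, headers: Headers) -> str:
    """'preflight' (OPTIONS + Origin + Access-Control-Request-Method),
    'cors' (any other request carrying Origin: the actual request after a
    preflight, or a simple request), or 'plain' (no Origin header)."""
    h = _lower(headers)
    if "origin" not in h:
        return "plain"
    if method.upper() == "OPTIONS" and "access-control-request-method" in h:
        return "preflight"
    return "cors"


def is_authenticated(headers: Headers) -> bool:
    """True if the request carries the FortiGate's session cookie."""
    cookie = _lower(headers).get("cookie", "")
    return any(c.strip().startswith(AUTH_COOKIE_PREFIX) for c in cookie.split(";"))


def proxy_decision(method: str, headers: Headers) -> Tuple[str, Optional[int], Headers]:
    """What the proxy does with one client request.

    Returns (action, status, response_headers): 'forward' when the request
    is passed to the origin server (status None), or 'redirect' when the
    FortiGate answers itself with a 303 to the captive portal.
    """
    kind = classify(method, headers)
    if kind == "preflight" or is_authenticated(headers):
        # Preflights are never redirected to the captive portal, and an
        # authenticated user's requests go straight to the server.
        return "forward", None, {}
    resp: Headers = {
        "Location": CAPTIVE_PORTAL,
        "Cache-Control": "no-cache",
        "Content-Type": "text/html",
        "Content-Length": "0",
    }
    if kind == "cors":
        # Without these headers the browser would reject the redirect as a
        # CORS failure: echo the requesting origin and allow credentials so
        # the session cookie is accepted.
        resp.update({
            "Access-Control-Max-Age": "1",
            "Access-Control-Allow-Origin": _lower(headers)["origin"],
            "Access-Control-Allow-Credentials": "true",
        })
    return "redirect", 303, resp


def captive_portal_preflight(headers: Headers) -> Tuple[int, Headers]:
    """The captive portal's answer to the browser's preflight after the
    redirect: 204 with the requested method and headers allowed and the
    Origin echoed (the captures show Origin: null after the cross-site
    redirect)."""
    h = _lower(headers)
    return 204, {
        "Access-Control-Max-Age": "86400",
        "Access-Control-Allow-Methods": h.get("access-control-request-method", "GET"),
        "Access-Control-Allow-Headers": h.get("access-control-request-headers", ""),
        "Access-Control-Allow-Origin": h.get("origin", "null"),
        "Access-Control-Allow-Credentials": "true",
    }


if __name__ == "__main__":
    preflight = {"Origin": "https://www.cnn.com", "Access-Control-Request-Method": "GET"}
    print(proxy_decision("OPTIONS", preflight))
    print(proxy_decision("GET", {"Origin": "https://www.cnn.com"}))
```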

DHCP server

A DHCP server leases IP addresses from a defined address range to clients on the network that request dynamically
assigned addresses.
A DHCP server can be in server or relay mode. In server mode, you can define one or more address ranges it assigns
addresses from, and options such as the default gateway, DNS server, lease time, and other advanced options. In relay
mode, the interface forwards DHCP requests from DHCP clients to an external DHCP server and returns the responses
to the DHCP clients. The DHCP server must have appropriate routing so that its response packets to the DHCP clients
arrive at the unit.
- DHCP options on page 302
- IP address assignment with relay agent information option on page 303
- DHCP client options on page 305
- VCI pattern matching for DHCP assignment on page 306

Configure a DHCP server on an interface

To configure a DHCP server in the GUI:

1. Go to Network > Interfaces.
2. Edit an interface.
3. Enable the DHCP Server option and configure the settings.
4. Click OK.

To configure a DHCP server in the CLI:

config system dhcp server
    edit 1
        set dns-service default
        set default-gateway 192.168.1.2
        set netmask 255.255.255.0
        set interface "port1"
        config ip-range
            edit 1
                set start-ip 192.168.1.1
                set end-ip 192.168.1.1
            next
            edit 2
                set start-ip 192.168.1.3
                set end-ip 192.168.1.254
            next
        end
        set timezone-option default
        set tftp-server "172.16.1.2"
    next
end

Configure a DHCP relay on an interface

To configure a DHCP relay in the GUI:

1. Go to Network > Interfaces.
2. Edit an interface.
3. Enable the DHCP Server option and set DHCP status to Disabled.
4. Expand the Advanced section and set Mode to Relay.
5. Enter the DHCP Server IP.
6. Click OK.

To configure a DHCP relay in the CLI:

1. Configure the interface:
    config system interface
        edit "port2"
            set vdom "root"
            set dhcp-relay-service enable
            set ip 10.1.1.5 255.255.255.0
            set allowaccess ping https ssh fabric
            set type physical
            set snmp-index 4
            set dhcp-relay-ip "192.168.20.10"
        next
    end

2. On the DHCP server settings for the interface, set the status to disable:
    config system dhcp server
        edit 17
            set status disable
            set dns-service default
            set default-gateway 10.1.1.5
            set netmask 255.255.255.0
            set interface "port2"
        next
    end

Configure a DHCP server and relay on an interface

A FortiGate interface can be configured to work in DHCP server mode to lease out addresses, and at the same time
relay the DHCP packets to another device, such as a FortiNAC, to perform device profiling.
The DHCP message is forwarded to the relay server under the following conditions:
- dhcp-relay-request-all-server is enabled
- The message type is either DHCPDISCOVER or DHCPINFORM
- The client IP address in the client message is 0
- The server ID is NULL in the client message
- The server address is a broadcast address (255.255.255.255)
- The server address is 0

To configure a DHCP server and relay in the GUI:

1. Go to Network > Interfaces.
2. Edit an interface.
3. Enable the DHCP Server option and set DHCP status to Enabled.
4. Edit the address range as required.
5. Expand the Advanced section and set Mode to Relay.
6. Enter the DHCP Server IP.
7. Click OK.
8. In the CLI, enable dhcp-relay-request-all-server.

To configure a DHCP server and relay in the CLI:

1. Configure the interface:
    config system interface
        edit "port2"
            set vdom "root"
            set dhcp-relay-service enable
            set ip 10.1.1.5 255.255.255.0
            set allowaccess ping https ssh fabric
            set type physical
            set snmp-index 4
            set dhcp-relay-ip "192.168.20.10"
            set dhcp-relay-request-all-server enable
        next
    end

2. Configure the DHCP server settings:
    config system dhcp server
        edit 17
            set status enable
            set dns-service default
            set default-gateway 10.1.1.5
            set netmask 255.255.255.0
            set interface "port2"
        next
    end

DHCP options

When adding a DHCP server, you can include DHCP codes and options. The DHCP options are BOOTP vendor
information fields that provide additional vendor-independent configuration parameters to manage the DHCP server. For
example, you might need to configure a FortiGate DHCP server that gives out a separate option as well as an IP
address, such as an environment that needs to support PXE boot with Windows images.
The option numbers and codes are specific to the application. The documentation for the application indicates the values
to use. Option codes are represented as option value/HEX value pairs. The option number is a value between 1 and 255.
You can add up to three DHCP code/option pairs per DHCP server.
For detailed information about DHCP options, see RFC 2132, DHCP Options and BOOTP Vendor Extensions.

To configure option 252 with value http://192.168.1.1/wpad.dat using the CLI:

config system dhcp server
    edit <server_entry_number>
        set option1 252 687474703a2f2f3139322e3136382e312e312f777061642e646174
    next
end

Option 82

The DHCP relay agent information option (option 82 in RFC 3046) helps protect the FortiGate against attacks such as
spoofing (forging) of IP addresses and MAC addresses, and DHCP IP address starvation.
This option is disabled by default. However, when dhcp-relay-service is enabled, dhcp-relay-agent-option
becomes enabled.

To configure the DHCP relay agent option using the CLI:

config system interface
    edit <interface>
        set vdom root
        set dhcp-relay-service enable
        set dhcp-relay-ip <ip>
        set dhcp-relay-agent-option enable
        set vlanid <id>
    next
end

See IP address assignment with relay agent information option on page 303 for an example.

Option 42

This option specifies a list of the NTP servers available to the client by IP address.

config system dhcp server
    edit 2
        set ntp-service {local | default | specify}
        set ntp-server1 <class_ip>
        set ntp-server2 <class_ip>
        set ntp-server3 <class_ip>
    next
end

The NTP service options include:
- local: The IP address of the interface that the DHCP server is added to becomes the client's NTP server
  IP address.
- default: Clients are assigned the FortiGate's configured NTP servers.
- specify: Specify up to three NTP servers in the DHCP server configuration.

IP address assignment with relay agent information option

Option 82 (DHCP relay information option) helps protect the FortiGate against attacks such as spoofing (or forging) of IP
and MAC addresses, and DHCP IP address starvation.

The following CLI variables are included in the config system dhcp server > config reserved-address
command:

Variable                        Description
circuit-id-type {hex | string}  DHCP option type: hex or string (default).
circuit-id <value>              Option 82 circuit ID of the client that will get the reserved IP address.
                                Format: vlan-mod-port
                                - vlan: VLAN ID (2 bytes)
                                - mod: 1 = snoop, 0 = relay (1 byte)
                                - port: port number (1 byte)
remote-id-type {hex | string}   DHCP option type: hex or string (default).
remote-id <value>               Option 82 remote ID of the client that will get the reserved IP address.
                                Format: the MAC address of the client.
type {mac | option82}           The DHCP reserved address type: mac (default) or option82.


To create an IP address assignment rule using option 82 in the GUI:

1. Go to Network > Interfaces.
2. Edit an existing port, or create a new one.
   The port Role must be LAN or Undefined.
3. Enable DHCP Server.
4. Configure the address ranges and other settings as needed.
5. Click + to expand the Advanced options.
6. In the IP Address Assignment Rules table, click Create New.
   The Create New IP Address Assignment Rule pane opens.
7. Configure the new rule:
   a. For the Type, select DHCP Relay Agent.
   b. Enter the Circuit ID and Remote ID.
   c. Enter the IP address that will be reserved.


8. Click OK.

To create an IP address assignment rule using option 82 with the CLI:

config system dhcp server
    edit 1
        set netmask 255.255.255.0
        set interface "port4"
        config ip-range
            edit 1
                set start-ip 100.100.100.1
                set end-ip 100.100.100.99
            next
            edit 2
                set start-ip 100.100.100.101
                set end-ip 100.100.100.254
            next
        end
        config reserved-address
            edit 1
                set type option82
                set ip 100.100.100.12
                set circuit-id-type hex
                set circuit-id "00010102"
                set remote-id-type hex
                set remote-id "704ca5e477d6"
            next
        end
    next
end
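An added Python example, not FortiOS code, that produces the hex values used in this section and in the DHCP options section above: the option value/HEX pair for set option1 252, and the option 82 circuit-id in the documented vlan-mod-port layout together with the MAC-based remote-id of the reserved-address entry. The CLI rendering helper at the end is a convenience of this example.

```python
"""Hex values for the FortiGate DHCP server CLI: option value/HEX pairs and
option 82 identifiers for reserved addresses.

Added example, not FortiOS code. It reproduces the two values used above:
the HEX value for "set option1 252 ..." and the circuit-id "00010102" /
remote-id "704ca5e477d6" of the reserved-address entry, following the
vlan-mod-port layout documented for circuit-id. The CLI rendering helper
at the end is a convenience of this example.
"""
from dataclasses import dataclass
from typing import Tuple


def option_hex(value: str) -> str:
    """Encode an option value as the HEX string the CLI takes (one byte per character)."""
    return value.encode("ascii").hex()


def option_text(hex_value: str) -> str:
    """Decode a HEX option value back to text, e.g. when auditing a config backup."""
    return bytes.fromhex(hex_value).decode("ascii")


def option_pair(code: int, value: str) -> Tuple[int, str]:
    """(code, HEX) for "set optionN <code> <hex>"; the option number must be 1-255."""
    if not 1 <= code <= 255:
        raise ValueError("DHCP option number must be between 1 and 255")
    return code, option_hex(value)


@dataclass(frozen=True)
class CircuitId:
    """Option 82 circuit-id in vlan-mod-port form: vlan (2 bytes), mod (1 byte,
    1 = snoop, 0 = relay), port (1 byte)."""
    vlan: int
    mod: int
    port: int

    def to_hex(self) -> str:
        if not (0 <= self.vlan <= 0xFFFF and self.mod in (0, 1) and 0 <= self.port <= 0xFF):
            raise ValueError("field out of range for vlan-mod-port")
        return self.vlan.to_bytes(2, "big").hex() + bytes([self.mod, self.port]).hex()

    @classmethod
    def from_hex(cls, hex_value: str) -> "CircuitId":
        raw = bytes.fromhex(hex_value)
        if len(raw) != 4:
            raise ValueError("circuit-id must be 4 bytes (vlan-mod-port)")
        return cls(vlan=int.from_bytes(raw[:2], "big"), mod=raw[2], port=raw[3])


def remote_id_hex(mac: str) -> str:
    """Option 82 remote-id is the client's MAC; accept aa:bb:cc:dd:ee:ff, aa-bb-... or bare hex."""
    digits = mac.replace(":", "").replace("-", "").lower()
    if len(digits) != 12 or any(c not in "0123456789abcdef" for c in digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits


def reserved_address_cli(entry: int, ip: str, circuit: CircuitId, mac: str) -> str:
    """Render a config reserved-address entry of type option82 as CLI lines."""
    return "\n".join([
        f"edit {entry}",
        "    set type option82",
        f"    set ip {ip}",
        "    set circuit-id-type hex",
        f'    set circuit-id "{circuit.to_hex()}"',
        "    set remote-id-type hex",
        f'    set remote-id "{remote_id_hex(mac)}"',
        "next",
    ])


if __name__ == "__main__":
    code, hexval = option_pair(252, "http://192.168.1.1/wpad.dat")
    print(f"set option1 {code} {hexval}")
    print(reserved_address_cli(1, "100.100.100.12", CircuitId(vlan=1, mod=1, port=2), "70:4c:a5:e4:77:d6"))
```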

DHCP client options

When an interface is in DHCP addressing mode, DHCP client options can be configured in the CLI. For example, a
vendor class identifier (usually DHCP client option 60) can be specified so that a request can be matched by a specific
DHCP offer.
Multiple options can be configured, but any options not recognized by the DHCP server are discarded.


To configure client option 60 - vendor class identifier:

config system interface
    edit port1
        set vdom vdom1
        set mode dhcp
        config client-options
            edit 1
                set code 60
                set type hex
                set value aabbccdd
            next
        end
        set type physical
        set snmp-index 4
    next
end

Variable                         Description
code <integer>                   DHCP client option code (0 - 255, default = 0).
                                 See Dynamic Host Configuration Protocol (DHCP) and Bootstrap Protocol
                                 (BOOTP) Parameters for a list of possible options.
type {hex | string | ip | fqdn}  DHCP client option type (default = hex).
value <string>                   DHCP client option value.
ip <ip>                          DHCP client option IP address. This option is only available when type is ip.

VCI pattern matching for DHCP assignment

VCIs (vendor class identifiers) are supported in DHCP to allow VCI pattern matching as a condition for IP or DHCP
option assignment. A single IP address, IP ranges of a pool, and dedicated DHCP options can be mapped to a specific
VCI string.
config system dhcp server
    edit <id>
        config ip-range
            edit <id>
                set vci-match {enable | disable}
                set vci-string <string>
            next
        end
        config options
            edit <id>
                set vci-match {enable | disable}
                set vci-string <string>
            next
        end
    next
end

Variable                      Description
vci-match {enable | disable}  Enable/disable VCI matching. When enabled, only DHCP requests with a
                              matching VCI are served with this range.
vci-string <string>           Set the VCI string. Enter one or more VCI strings in quotation marks separated by
                              spaces.

Example

In this example, any DHCP client that matches the FortiGate-201F VCI will get their IP from the pool of
10.2.2.133-10.2.2.133, and options 42 (NTP servers) and 150 (TFTP server address). Any DHCP client that matches the
FortiGate-101F VCI will get their IP from the default pool (10.2.2.132-10.2.2.132/10.2.2.134-10.2.2.254) and only get the
150 option.

To configure VCI pattern matching on FortiGate A:

config system dhcp server
    edit 1
        set dns-service default
        set default-gateway 10.2.2.131
        set netmask 255.255.255.0
        set interface "port3"
        config ip-range
            edit 1
                set start-ip 10.2.2.132
                set end-ip 10.2.2.132
            next
            edit 2
                set start-ip 10.2.2.133
                set end-ip 10.2.2.133
                set vci-match enable
                set vci-string "FortiGate-201F"
            next
            edit 3
                set start-ip 10.2.2.134
                set end-ip 10.2.2.254
            next
        end
        config options
            edit 1
                set code 42
                set type ip
                set vci-match enable
                set vci-string "FortiGate-201F"
                set ip "8.8.8.8"
            next
            edit 2
                set code 150
                set type ip
                set ip "172.16.200.55"
            next
        end
        set vci-match enable
        set vci-string "FortiGate-201F" "FortiGate-101F"
    next
end
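The range and option selection this example describes, modelled as an added Python example that is not FortiOS code. The server-level vci-match, the dedicated range for FortiGate-201F and the two options are encoded from the configuration above; an exact, case-sensitive comparison of the client's option 60 string is an assumption, since the guide does not define the pattern syntax.

```python
"""Model of VCI-based range and option selection for the FortiGate DHCP server.

Added example, not FortiOS code. EXAMPLE_SERVER encodes the configuration
shown above. The VCI comparison is modelled as an exact, case-sensitive
match of the client's option 60 string against the configured vci-string
list; the guide calls this pattern matching without defining the syntax,
so that is an assumption.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class IpRange:
    start_ip: str
    end_ip: str
    vci_match: bool = False            # set vci-match enable
    vci_strings: Tuple[str, ...] = ()  # set vci-string "..." "..."


@dataclass(frozen=True)
class DhcpOption:
    code: int
    value: str
    vci_match: bool = False
    vci_strings: Tuple[str, ...] = ()


@dataclass(frozen=True)
class DhcpServer:
    ranges: Tuple[IpRange, ...]
    options: Tuple[DhcpOption, ...]
    vci_match: bool = False            # server-level vci-match
    vci_strings: Tuple[str, ...] = ()


def vci_matches(vci: Optional[str], vci_strings: Tuple[str, ...]) -> bool:
    """Exact, case-sensitive comparison (assumption, see module docstring)."""
    return vci is not None and vci in vci_strings


def served(server: DhcpServer, vci: Optional[str]) -> bool:
    """With server-level vci-match enabled, clients whose VCI is not listed get nothing."""
    return not server.vci_match or vci_matches(vci, server.vci_strings)


def select_ranges(server: DhcpServer, vci: Optional[str]) -> List[IpRange]:
    """Ranges the client is leased from.

    A client whose VCI matches a VCI-restricted range is served from that
    range (its dedicated pool); every other served client falls back to the
    ranges that have no vci-match, which together form the default pool.
    """
    if not served(server, vci):
        return []
    dedicated = [r for r in server.ranges if r.vci_match and vci_matches(vci, r.vci_strings)]
    return dedicated or [r for r in server.ranges if not r.vci_match]


def select_options(server: DhcpServer, vci: Optional[str]) -> List[DhcpOption]:
    """Unrestricted options go to every served client; VCI-restricted ones only to matches."""
    if not served(server, vci):
        return []
    return [o for o in server.options if not o.vci_match or vci_matches(vci, o.vci_strings)]


# The server configured above (FortiGate A, port3).
EXAMPLE_SERVER = DhcpServer(
    ranges=(
        IpRange("10.2.2.132", "10.2.2.132"),
        IpRange("10.2.2.133", "10.2.2.133", vci_match=True, vci_strings=("FortiGate-201F",)),
        IpRange("10.2.2.134", "10.2.2.254"),
    ),
    options=(
        DhcpOption(42, "8.8.8.8", vci_match=True, vci_strings=("FortiGate-201F",)),  # NTP server
        DhcpOption(150, "172.16.200.55"),                                             # TFTP server
    ),
    vci_match=True,
    vci_strings=("FortiGate-201F", "FortiGate-101F"),
)

if __name__ == "__main__":
    for client in ("FortiGate-201F", "FortiGate-101F", "FortiGate-61F", None):
        pools = [f"{r.start_ip}-{r.end_ip}" for r in select_ranges(EXAMPLE_SERVER, client)]
        codes = [o.code for o in select_options(EXAMPLE_SERVER, client)]
        print(f"{client!s:16} pools={pools} options={codes}")
```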

Static routing

Static routing is one of the foundations of firewall configuration. It is a form of routing in which a device uses
manually-configured routes. In the most basic setup, a firewall will have a default route to its gateway to provide network
access. In a more complex setup with dynamic routing, ADVPN, or SD-WAN involved, you would still likely find static
routes being deployed.
This section explores concepts in using static routing and provides examples in common use cases:
- Routing concepts on page 308
- Policy routes on page 320
- Equal cost multi-path on page 323
- Dual internet connections on page 327
The following topics include additional information about static routes:
- Deploying the Security Fabric on page 2399
- Security Fabric over IPsec VPN on page 2420
- Adding a static route on page 520
- IPsec VPN in an HA environment on page 1523
- IPsec VPN to Azure with virtual network gateway on page 1449
- FortiGate as dialup client on page 1469
- ADVPN with BGP as the routing protocol on page 1591
- ADVPN with OSPF as the routing protocol on page 1600
- ADVPN with RIP as the routing protocol on page 1609
- Basic site-to-site VPN with pre-shared key on page 1415
- Site-to-site VPN with digital certificate on page 1420
- Site-to-site VPN with overlapping subnets on page 1427
- Tunneled Internet browsing on page 1497
- Multiple concurrent SDN connectors on page 2608
- Packet distribution and redundancy for aggregate IPsec tunnels on page 1529
- Use MAC addresses in SD-WAN rules and policy routes on page 600
- Using BGP tags with SD-WAN rules on page 643

Routing concepts

This section contains the following topics:

- Default route on page 309
- Adding or editing a static route on page 309
- Configuring FQDNs as a destination address in static routes on page 310
- Routing table on page 310
- Viewing the routing database on page 313
- Kernel routing table on page 314
- Route cache on page 315
- Route look-up on page 316
- Blackhole routes on page 316
- Reverse path look-up on page 317
- Asymmetric routing on page 317
- Routing changes on page 320

Default route

The default route has a destination of 0.0.0.0/0.0.0.0, representing the least specific route in the routing table. It is
the catch-all route in the routing table when traffic cannot match a more specific route. Typically this is configured with a
static route with an administrative distance of 10. In most instances, you will configure the next hop interface and the
gateway address pointing to your next hop. If your FortiGate is sitting at the edge of the network, your next hop will be
your ISP gateway. This provides internet access for your network.
Sometimes the default route is configured through DHCP. On some desktop models, the WAN interface is preconfigured
in DHCP mode. Once the WAN interface is plugged into the network modem, it will receive an IP address, default
gateway, and DNS server. FortiGate will add this default route to the routing table with a distance of 5, by default. This
will take precedence over any default static route with a distance of 10. Therefore, take caution when you are configuring
an interface in DHCP mode, where Retrieve default gateway from server is enabled. You may disable it and/or change
the distance from the Network > Interfaces page when you edit an interface.

Adding or editing a static route

To add a static route using the GUI:

1. Go to Network > Static Routes and click Create New.
2. Enter the following information:

    Dynamic Gateway          When enabled, a selected DHCP/PPPoE interface will automatically retrieve
                             its dynamic gateway.
    Destination              - Subnet
                               Enter the destination IP address and netmask. A value of
                               0.0.0.0/0.0.0.0 creates a default route.
                             - Named Address
                               Select an address or address group object. Only addresses with static
                               route configuration enabled will appear on the list. This means a
                               geography type address cannot be used.
                             - Internet Service
                               Select an Internet Service. These are known IP addresses of popular
                               services across the Internet.
    Interface                Select the name of the interface that the static route will connect through.
    Gateway Address          Enter the gateway IP address. When selecting an IPsec VPN interface or
                             SD-WAN, or when creating a blackhole route, the gateway cannot be specified.
    Administrative Distance  Enter the distance value, which will affect which routes are selected first by
                             different protocols for route management or load balancing. The default is 10.
    Advanced Options         Optionally, expand Advanced Options and enter a Priority. When two routes
                             have an equal distance, the route with a lower priority number will take
                             precedence. The default is 0.

3. Click OK.

3. Click OK.

Configuring FQDNs as a destination address in static routes

You can configure FQDN firewall addresses as destination addresses in a static route, using either the GUI or the CLI.
In the GUI, to add an FQDN firewall address to a static route, enable the Static Route Configuration option in the
firewall address configuration. Then, when you configure the static route, set Destination to Named Address.

To configure an FQDN as a destination address in a static route using the CLI:

config firewall address
    edit 'Fortinet-Documentation-Website'
        set type fqdn
        set fqdn docs.fortinet.com
        set allow-routing enable
    next
end

config router static
    edit 0
        set dstaddr Fortinet-Documentation-Website
        ...
    next
end

Routing table

A routing table consists of only the best routes learned from the different routing protocols. The most specific route
always takes precedence. If there is a tie, then the route with a lower administrative distance will be injected into the
routing table. If administrative distances are also equal, then all the routes are injected into the routing table, and Cost
and Priority become the deciding factors on which a route is preferred. If these are also equal, then FortiGate will use
Equal cost multi-path on page 323 to distribute traffic between these routes.
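An added Python example, not FortiOS code, that applies the precedence just described (longest prefix, then lowest administrative distance, then lowest priority, with ECMP across what remains) to a constructed route table. The table also reproduces the caveat from the Default route section: a DHCP-learned default route at distance 5 beats a static default route at distance 10. Cost is left out because it applies to dynamic routes, which the constructed table does not contain.

```python
"""Route selection as described above for the FortiGate routing table.

Added example, not FortiOS code. It applies the stated precedence (longest
prefix, then lowest administrative distance, then lowest priority, with ECMP
across whatever remains) to a constructed table. Cost is omitted: it only
applies to dynamic routes, and the sample table holds static and DHCP-learned
routes only. The table also reproduces the "Default route" caveat: a DHCP
default route at distance 5 beats a static default route at distance 10.
"""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import List


@dataclass(frozen=True)
class Route:
    network: IPv4Network
    gateway: str
    interface: str
    distance: int = 10   # administrative distance (static default 10, DHCP default 5)
    priority: int = 0    # lower wins among equal-distance routes
    source: str = "static"


def route(net: str, gw: str, intf: str, distance: int = 10,
          priority: int = 0, source: str = "static") -> Route:
    return Route(ip_network(net), gw, intf, distance, priority, source)


def best_routes(table: List[Route], dst: str) -> List[Route]:
    """Active route(s) for dst. More than one returned means ECMP."""
    addr = ip_address(dst)
    candidates = [r for r in table if addr in r.network]
    if not candidates:
        return []
    # 1. most specific prefix always takes precedence
    longest = max(r.network.prefixlen for r in candidates)
    candidates = [r for r in candidates if r.network.prefixlen == longest]
    # 2. lowest administrative distance
    best_distance = min(r.distance for r in candidates)
    candidates = [r for r in candidates if r.distance == best_distance]
    # 3. lowest priority; whatever remains is load-balanced (ECMP)
    best_priority = min(r.priority for r in candidates)
    return [r for r in candidates if r.priority == best_priority]


def next_hops(table: List[Route], dst: str) -> List[str]:
    """Next hops in 'gateway, interface' form, as the routing table prints them."""
    return [f"{r.gateway}, {r.interface}" for r in best_routes(table, dst)]


# Constructed routing database (not from the guide).
SAMPLE_TABLE = [
    route("0.0.0.0/0", "192.168.2.1", "port1", distance=10, source="static"),
    route("0.0.0.0/0", "172.31.0.1", "wan1", distance=5, source="dhcp"),
    route("10.0.0.0/8", "10.1.1.1", "port2"),
    route("10.20.0.0/16", "10.1.1.2", "port3"),   # equal to the next one:
    route("10.20.0.0/16", "10.1.1.3", "port4"),   # ECMP pair
    route("172.16.0.0/12", "172.16.100.81", "VLAN100", priority=5),
    route("172.16.0.0/12", "172.16.100.82", "VLAN100", priority=0),
]

if __name__ == "__main__":
    for dst in ("8.8.8.8", "10.20.5.5", "10.30.5.5", "172.16.1.1"):
        print(dst, "->", next_hops(SAMPLE_TABLE, dst))
```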

Viewing the routing table in the GUI

You can view routing tables in the FortiGate GUI under Dashboard > Network > Static & Dynamic Routing by default.
Expand the widget to see the full page. Additionally, if you want to convert the widget into a dashboard, click on the Save
as Monitor icon on the top right of the page.
You can also monitor policy routes by toggling from Static & Dynamic to Policy on the top right corner of the page. The
active policy routes include policy routes that you created, SD-WAN rules, and Internet Service static routes. It also
supports downstream devices in the Security Fabric.
The following figure shows an example of the static and dynamic routes in the Routing Monitor:

To view more columns, right-click on the column header to select the columns to be displayed:

Field        Description
IP Version   Shows whether the route is IPv4 or IPv6.
Network      The IP addresses and network masks of destination networks that the FortiGate can reach.
Gateway IP   The IP addresses of gateways to the destination networks.
Interfaces   The interface through which packets are forwarded to the gateway of the destination network.
Distance     The administrative distance associated with the route. A lower value means the route is
             preferable compared to other routes to the same destination.
Type         The type values assigned to FortiGate routes (Static, Connected, RIP, OSPF, or BGP):
             - Connected: All routes associated with direct connections to FortiGate interfaces
             - Static: The static routes that have been added to the routing table manually
             - RIP: All routes learned through RIP
             - RIPNG: All routes learned through RIP version 6 (which enables the sharing of routes
               through IPv6 networks)
             - BGP: All routes learned through BGP
             - OSPF: All routes learned through OSPF
             - OSPF6: All routes learned through OSPF version 6 (which enables the sharing of routes
               through IPv6 networks)
             - IS-IS: All routes learned through IS-IS
             - HA: RIP, OSPF, and BGP routes synchronized between the primary unit and the
               subordinate units of a high availability (HA) cluster. HA routes are maintained on
               subordinate units and are visible only if you're viewing the router monitor from a virtual
               domain that is configured as a subordinate virtual domain in a virtual cluster.
Metric       The metric associated with the route type. The metric of a route influences how the FortiGate
             dynamically adds it to the routing table. The following are types of metrics and the protocols
             they are applied to:
             - Hop count: Routes learned through RIP
             - Relative cost: Routes learned through OSPF
             - Multi-Exit Discriminator (MED): Routes learned through BGP. By default, the MED value
               associated with a BGP route is zero. However, the MED value can be modified
               dynamically. If the value was changed from the default, the Metric column displays a
               non-zero value.
Priority     In static routes, priorities are 0 by default. When two routes have an equal distance, the route
             with the lower priority number will take precedence.
VRF          Virtual routing and forwarding (VRF) allows multiple routing table instances to co-exist. VRF
             can be assigned to an Interface. Packets are only forwarded between interfaces with the
             same VRF.
Up Since     The total accumulated amount of time that a route learned through RIP, OSPF, or BGP has
             been reachable.

Viewing the routing table in the CLI

Viewing the routing table using the CLI displays the same routes as you would see in the GUI.
If VDOMs are enabled on the FortiGate, all routing-related CLI commands must be run within a VDOM and not in the
global context.

To view the routing table using the CLI:

# get router info routing-table all
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
       O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default

Routing table for VRF=0
S*      0.0.0.0/0 [1/0] via 172.31.0.1, MPLS
                  [1/0] via 192.168.2.1, port1
                  [1/0] via 192.168.122.1, port2
S       1.2.3.4/32 [10/0] via 172.16.100.81, VLAN100
C       10.10.2.0/24 is directly connected, hub
C       10.10.2.1/32 is directly connected, hub
O       10.10.10.0/24 [110/101] via 192.168.2.1, port1, 01:54:18
C       10.253.240.0/20 is directly connected, wqt.root
S       110.2.2.122/32 [22/0] via 2.2.2.2, port2, [3/3]
C       172.16.50.0/24 is directly connected, WAN1-VLAN50
C       172.16.60.0/24 is directly connected, WAN2-VLAN60
C       172.16.100.0/24 is directly connected, VLAN100
C       172.31.0.0/30 is directly connected, MPLS
C       172.31.0.2/32 is directly connected, MPLS
B       192.168.0.0/24 [20/0] via 172.31.0.1, MPLS, 00:31:43
C       192.168.2.0/24 is directly connected, port1
C       192.168.20.0/24 is directly connected, port3
C       192.168.99.0/24 is directly connected, Port1-VLAN99
C       192.168.122.0/24 is directly connected, port2

Routing table for VRF=10
C       172.16.101.0/24 is directly connected, VLAN101

Examining an entry:

B       192.168.0.0/24 [20/0] via 172.31.0.1, MPLS, 00:31:43

Value: Description
B: BGP. The routing protocol used.
192.168.0.0/24: The destination of this route, including netmask.
[20/0]: 20 indicates an administrative distance of 20 out of a range of 0 to 255. 0 is an additional metric associated with this route, such as in OSPF.
172.31.0.1: The gateway or next hop.
MPLS: The interface that the route uses.
00:31:43: The age of the route in HH:MM:SS.
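An added example (not FortiOS code) that parses this output into records, including several next hops under one prefix and the trailing [priority/weight] field, and then does a longest-prefix lookup over them; SAMPLE_OUTPUT is a constructed excerpt of the output above.

```python
"""Parse 'get router info routing-table all' output into records.

Added example, not FortiOS code. SAMPLE_OUTPUT is a constructed excerpt of the
output shown above, with the column alignment FortiOS prints.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional

SAMPLE_OUTPUT = """\
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
       O - OSPF, IA - OSPF inter area
       * - candidate default
Routing table for VRF=0
S*      0.0.0.0/0 [1/0] via 172.31.0.1, MPLS
                  [1/0] via 192.168.2.1, port1
                  [1/0] via 192.168.122.1, port2
S       1.2.3.4/32 [10/0] via 172.16.100.81, VLAN100
C       10.10.2.0/24 is directly connected, hub
O       10.10.10.0/24 [110/101] via 192.168.2.1, port1, 01:54:18
S       110.2.2.122/32 [22/0] via 2.2.2.2, port2, [3/3]
B       192.168.0.0/24 [20/0] via 172.31.0.1, MPLS, 00:31:43
Routing table for VRF=10
C       172.16.101.0/24 is directly connected, VLAN101
"""


@dataclass
class Route:
    vrf: int
    code: str                 # protocol code: S, C, O, B, ...
    candidate_default: bool   # the '*' after the code
    prefix: str
    distance: int             # [distance/metric]; 0/0 for connected routes
    metric: int
    gateway: Optional[str]    # None for directly connected routes
    interface: str
    age: Optional[str]        # HH:MM:SS, dynamic routes only
    priority: int             # trailing [priority/weight], 0/0 if absent
    weight: int


VRF_RE = re.compile(r"^Routing table for VRF=(\d+)\s*$")
# One next hop per line; extra ECMP next hops are continuation lines that carry
# neither a code nor a prefix and are indented under the first next hop.
ROUTE_RE = re.compile(
    r"^(?P<code>[A-Za-z][A-Za-z0-9]?)?(?P<star>\*)?\s+"
    r"(?P<prefix>\d+\.\d+\.\d+\.\d+/\d+)?\s*"
    r"(?:\[(?P<dist>\d+)/(?P<metric>\d+)\]\s+)?"
    r"(?:via\s+(?P<gw>\d+\.\d+\.\d+\.\d+),\s+(?P<ifc>[^,\s]+)"
    r"|is directly connected,\s+(?P<cifc>[^,\s]+))"
    r"(?:,\s+(?P<age>\d+:\d+:\d+))?"
    r"(?:,\s+\[(?P<prio>\d+)/(?P<weight>\d+)\])?\s*$"
)


def parse_routing_table(text: str) -> List[Route]:
    routes: List[Route] = []
    vrf, last = 0, None
    for line in text.splitlines():
        m = VRF_RE.match(line)
        if m:
            vrf, last = int(m.group(1)), None
            continue
        m = ROUTE_RE.match(line)
        if not m:
            continue  # legend and blank lines
        if m.group("prefix") is None:
            if last is None:
                raise ValueError(f"next hop without a route: {line!r}")
            code, star, prefix = last.code, last.candidate_default, last.prefix
        else:
            code, star, prefix = m.group("code"), m.group("star") == "*", m.group("prefix")
        last = Route(
            vrf=vrf, code=code, candidate_default=star, prefix=prefix,
            distance=int(m.group("dist") or 0), metric=int(m.group("metric") or 0),
            gateway=m.group("gw"), interface=m.group("ifc") or m.group("cifc"),
            age=m.group("age"),
            priority=int(m.group("prio") or 0), weight=int(m.group("weight") or 0),
        )
        routes.append(last)
    return routes


def next_hops(routes: List[Route], prefix: str, vrf: int = 0) -> List[Route]:
    """All installed next hops for one prefix; more than one means ECMP."""
    return [r for r in routes if r.vrf == vrf and r.prefix == prefix]


def lookup(routes: List[Route], dst: str, vrf: int = 0) -> List[Route]:
    """Longest-prefix match for dst within one VRF, as the routing table does."""
    addr = ipaddress.ip_address(dst)
    best = None
    for r in routes:
        net = ipaddress.ip_network(r.prefix, strict=False)
        if r.vrf == vrf and addr in net and (best is None or net.prefixlen > best.prefixlen):
            best = net
    return [] if best is None else next_hops(routes, str(best), vrf)
```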

Viewing the routing database

The routing database consists of all learned routes from all routing protocols before they are injected into the routing
table. It usually lists more routes than the routing table, because it includes routes to the same destinations with
different distances; only the best routes are injected into the routing table. Seeing all learned routes is useful for
troubleshooting purposes.

To view the routing database using the CLI:

# get router info routing-table database
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
       O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       > - selected route, * - FIB route, p - stale info

Routing table for VRF=0
S    *> 0.0.0.0/0 [1/0] via 172.31.0.1, MPLS
     *>           [1/0] via 192.168.2.1, port1
     *>           [1/0] via 192.168.122.1, port2
S    *> 1.2.3.4/32 [10/0] via 172.16.100.81, VLAN100
C    *> 10.10.2.0/24 is directly connected, hub
C    *> 10.10.2.1/32 is directly connected, hub
O    *> 10.10.10.0/24 [110/101] via 192.168.2.1, port1, 02:10:17
C    *> 10.253.240.0/20 is directly connected, wqt.root
S    *> 110.2.2.122/32 [22/0] via 2.2.2.2, port2, [3/3]
C    *> 172.16.50.0/24 is directly connected, WAN1-VLAN50
C    *> 172.16.60.0/24 is directly connected, WAN2-VLAN60
C    *> 172.16.100.0/24 is directly connected, VLAN100
O       172.31.0.0/30 [110/201] via 192.168.2.1, port1, 00:47:36
C    *> 172.31.0.0/30 is directly connected, MPLS

Selected routes are marked by the > symbol. In the above example, the OSPF route to destination 172.31.0.0/30 is
not selected.

Kernel routing table

The kernel routing table makes up the actual Forwarding Information Base (FIB) that is used to make forwarding decisions
for each packet. The routes here are often referred to as kernel routes. Parts of this table are derived from the routing
table that is generated by the routing daemon.

To view the kernel routing table using the CLI:

# get router info kernel
tab=254 vf=0 scope=0 type=1 proto=11 prio=0 0.0.0.0/0.0.0.0/0->0.0.0.0/0 pref=0.0.0.0
gwy=172.31.0.1 flag=04 hops=0 oif=31(MPLS)
gwy=192.168.2.1 flag=04 hops=0 oif=3(port1)
gwy=192.168.122.1 flag=04 hops=0 oif=4(port2)
tab=254 vf=0 scope=0 type=1 proto=17 prio=0 192.168.122.98/255.255.255.255/0->1.1.1.1/32
pref=0.0.0.0 gwy=192.168.122.1 dev=4(port2)
tab=254 vf=0 scope=0 type=1 proto=17 prio=0 172.31.0.2/255.255.255.255/0->1.1.1.1/32
pref=0.0.0.0 gwy=172.31.0.1 dev=31(MPLS)
tab=254 vf=0 scope=0 type=1 proto=17 prio=0 192.168.2.5/255.255.255.255/0->1.1.1.1/32
pref=0.0.0.0 gwy=192.168.2.1 dev=3(port1)
tab=254 vf=0 scope=0 type=1 proto=11 prio=0 0.0.0.0/0.0.0.0/0->1.2.3.4/32 pref=0.0.0.0
gwy=172.16.100.81 dev=20(VLAN100)
tab=254 vf=0 scope=0 type=1 proto=17 prio=0 192.168.122.98/255.255.255.255/0->8.8.8.8/32
pref=0.0.0.0 gwy=192.168.122.1 dev=4(port2)

The kernel routing table entries are:

Value: Description
tab: Table number. It will either be 254 (unicast) or 255 (multicast).
vf: Virtual domain of the firewall. It is the VDOM index number. If VDOMs are not enabled, this number is 0.
type: Type of routing connection. Valid values include:
- 0 - unspecific
- 1 - unicast
- 2 - local
- 3 - broadcast
- 4 - anycast
- 5 - multicast
- 6 - blackhole
- 7 - unreachable
- 8 - prohibited
proto: Type of installation that indicates where the route came from. Valid values include:
- 0 - unspecific
- 2 - kernel
- 11 - ZebOS routing module
- 14 - FortiOS
- 15 - HA
- 16 - authentication based
- 17 - HA1
prio: Priority of the route. Lower priority values are preferred.
->x.x.x.x/mask (for example, ->0.0.0.0/0): The IP address and subnet mask of the destination.
pref: Preferred next hop along this route.
gwy: Gateway. The address of the gateway this route will use.
dev: Outgoing interface index. This number is associated with the interface for this route. If VDOMs are enabled, the VDOM is also included here. If an interface alias is set for this interface, it is also displayed here.

Route cache

The route cache contains recently used routing entries in a table. It is consulted before the routing table to speed up the
route look-up process.

To view the route cache using the CLI:

# diagnose ip rtcache list
family=02 tab=254 vrf=0 vf=0 type=01 tos=0 flag=00000200
0.0.0.0@0->208.91.113.230@3(port1) gwy=192.168.2.1 prefsrc=192.168.2.5
ci: ref=0 lastused=1 expire=0 err=00000000 used=5 br=0 pmtu=1500

family=02 tab=254 vrf=0 vf=0 type=01 tos=0 flag=00000200
192.168.2.5@0->8.8.8.8@3(port1) gwy=192.168.2.1 prefsrc=0.0.0.0
ci: ref=0 lastused=0 expire=0 err=00000000 used=2 br=0 pmtu=1500

family=02 tab=254 vrf=0 vf=0 type=02 tos=8 flag=80000200
8.8.8.8@31(MPLS)->172.31.0.2@6(root) gwy=0.0.0.0 prefsrc=172.31.0.2
ci: ref=1 lastused=0 expire=0 err=00000000 used=0 br=0 pmtu=16436

family=02 tab=254 vrf=0 vf=0 type=02 tos=0 flag=84000200
192.168.20.6@5(port3)->192.168.20.5@6(root) gwy=0.0.0.0 prefsrc=192.168.20.5
ci: ref=2 lastused=0 expire=0 err=00000000 used=1 br=0 pmtu=16436
...

The size of the route cache is calculated by the kernel, but can be modified.


To modify the size of the route cache:

config system global
    set max-route-cache-size <number_of_cache_entries>
end

Route look-up

Route look-up typically occurs twice in the life of a session: once when the first packet is sent by the originator, and
once more when the first reply packet is sent from the responder. When a route look-up occurs, the routing information is
written to the session table and the route cache. If routing changes occur during the life of a session, additional route
look-ups may occur.
FortiGate performs a route look-up in the following order:
1. Policy-based routes: If a match occurs and the action is to forward, traffic is forwarded based on the policy route.
2. Route Cache: If there are no matches, FortiGate looks for the route in the route cache.
3. Forwarding Information Base, otherwise known as the kernel routing table.
4. If no match occurs, the packet is dropped.

Searching the routing table

When there are many routes in your routing table, you can perform a quick search by using the search bar to specify your
criteria, or apply filters on the column header to display only certain routes. For example, if you want to only display static
routes, you may use "static" as the search term, or filter by the Type field with value Static.
Route look-up, on the other hand, provides a utility for you to enter criteria such as Destination, Destination Port, Source,
Protocol, and/or Source Interface in order to determine the route that a packet will take. Once you click Search, the
corresponding route will be highlighted.
You can also use the CLI for a route look-up. The CLI provides a basic route look-up tool.

To look up a route in the CLI:

# get router info routing-table details 4.4.4.4
Routing table for VRF=0
Routing entry for 0.0.0.0/0
  Known via "static", distance 1, metric 0, best
  * 172.31.0.1, via MPLS distance 0
  * 192.168.2.1, via port1 distance 0
  * 192.168.122.1, via port2 distance 0

Blackhole routes

Sometimes upon routing table changes, it is not desirable for traffic to be routed to a different gateway. For example, you
may have traffic destined for a remote office routed through your IPsec VPN interface. When the VPN is down, traffic will
try to re-route to another interface. However, this may not be viable and traffic will instead be routed to your default route
through your WAN, which is not desirable. Traffic may also be routed to another VPN, which you do not want. For such
scenarios, it is good to define a blackhole route so that traffic is dropped when your desired route is down. Upon
reconnection, your desired route is once again added to the routing table and your traffic will resume routing to your
desired interface. For this reason, blackhole routes are created when you configure an IPsec VPN using the IPsec
wizard.


To create a blackhole route in the GUI:

1. Go to Network > Static Routes.
2. Click Create New. The New Static Route screen appears.
3. Specify a Destination type.
4. Select Blackhole from the Interface field.
5. Type the desired Administrative Distance.
6. Click OK.

Route priority for a Blackhole route can only be configured from the CLI.

Reverse path look-up

Whenever a packet arrives at one of the interfaces on a FortiGate, the FortiGate determines whether the packet was
received on a legitimate interface by doing a reverse look-up using the source IP address in the packet header. This
protects against IP spoofing attacks. If the FortiGate does not have a route to the source IP address through the interface
on which the packet was received, the FortiGate drops the packet as per Reverse Path Forwarding (RPF) check. There
are two modes of RPF – feasible path and strict. The default feasible RPF mode checks only for the existence of at least
one active route back to the source using the incoming interface. The strict RPF check ensures the best route back to the
source is used as the incoming interface.

To configure a strict Reverse Path Forwarding check in the CLI:

config system settings
    set strict-src-check enable
end

You can remove RPF state checks without needing to enable asymmetric routing by disabling state checks for traffic
received on specific interfaces. Disabling state checks makes a FortiGate less secure and should only be done with
caution for troubleshooting purposes.

To remove Reverse Path Forwarding checks from the state evaluation process in the CLI:

config system interface
    edit <interface_name>
        set src-check disable
    next
end
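An added example (not FortiOS code) that simulates the feasible and strict RPF checks described above against a constructed routing table (two default routes with the same distance but different priorities, a connected LAN, and an ECMP pair), including the effect of src-check disable on the ingress interface.

```python
"""Simulate the FortiGate reverse path forwarding (RPF) check in both modes.

Added example, not FortiOS code. Routes and packets are constructed; every
route in ROUTING_TABLE is assumed to be installed and active.
"""
import ipaddress
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class Route:
    prefix: str
    interface: str
    distance: int = 10
    priority: int = 0


ROUTING_TABLE = [
    Route("0.0.0.0/0", "wan1", distance=10, priority=0),
    Route("0.0.0.0/0", "wan2", distance=10, priority=5),   # same distance, less preferred
    Route("192.168.2.0/24", "port1", distance=0),          # connected LAN
    Route("10.10.30.0/24", "vpn2HQ1"),                     # ECMP pair
    Route("10.10.30.0/24", "vpn2HQ2"),
]


def routes_to(table: List[Route], addr: str) -> List[Route]:
    """Every active route whose prefix covers addr, not only the best one."""
    ip = ipaddress.ip_address(addr)
    return [r for r in table if ip in ipaddress.ip_network(r.prefix, strict=False)]


def best_routes_to(table: List[Route], addr: str) -> List[Route]:
    """The route(s) actually used to reach addr: longest prefix, then lowest
    distance, then lowest priority value. Ties are ECMP and all of them count."""
    cands = routes_to(table, addr)
    if not cands:
        return []

    def key(r: Route):
        return (-ipaddress.ip_network(r.prefix, strict=False).prefixlen, r.distance, r.priority)

    top = min(key(r) for r in cands)
    return [r for r in cands if key(r) == top]


def rpf_check(table: List[Route], src: str, ingress: str,
              strict: bool = False, src_check: bool = True) -> bool:
    """True if a packet from src arriving on ingress passes the RPF check.

    feasible mode (default): any active route back to src via ingress suffices.
    strict mode (strict-src-check enable): ingress must be one of the best routes.
    src_check=False models 'set src-check disable' on the ingress interface.
    """
    if not src_check:
        return True
    routes = best_routes_to(table, src) if strict else routes_to(table, src)
    return any(r.interface == ingress for r in routes)


def verdict(table: List[Route], src: str, ingress: str,
            strict: bool = False, src_check: bool = True) -> str:
    return "forward" if rpf_check(table, src, ingress, strict, src_check) else "drop"
```

The interesting case is a packet carrying a LAN source address that arrives on wan1: feasible mode forwards it because the default route "covers" the LAN prefix, while strict mode drops it because the best route back to that source is the connected route on port1.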

Asymmetric routing

Asymmetric routing occurs when request and response packets follow different paths that do not cross the same firewall.
In the following topology, traffic between PC1 and PC2 takes two different paths.


Traffic from PC1 to PC2 goes through the FortiGate, while traffic from PC2 to PC1 does not.
In TCP, if the packets in the request and response directions follow different paths, the FortiGate will block the packets,
since the TCP three-way handshake is not established through the FortiGate.

Scenario 1: PC1 starts a TCP connection with PC2

1. The TCP SYN is allowed by the FortiGate.
2. The TCP SYN/ACK bypasses the FortiGate.
3. The TCP ACK is blocked by the FortiGate.
4. Subsequent TCP packets are blocked by the FortiGate.

Scenario 2: PC2 starts a TCP connection with PC1

1. The TCP SYN bypasses the FortiGate.
2. The TCP SYN/ACK is blocked by the FortiGate.
3. Subsequent TCP packets are blocked by the FortiGate.

In ICMP, consider the following scenarios.

Scenario 1: PC1 pings PC2

1. The ICMP request passes through the FortiGate. A session is created.
2. The ICMP reply bypasses the FortiGate, but reaches PC1. The ping is successful.
3. The ICMP request passes through the FortiGate, and it matches the previous session.
4. The ICMP reply bypasses the FortiGate, but it reaches PC1. The ping is successful.
5. Subsequent ICMP requests are allowed by the FortiGate.

Scenario 2: PC2 pings PC1

1. The ICMP request bypasses the FortiGate, but it reaches PC1.
2. The ICMP reply passes through the FortiGate. No session is matched, and the packet is dropped.
3. Subsequent ICMP replies are blocked by the FortiGate.

If an ICMP request does not pass through the FortiGate, but the response passes through the FortiGate, then by default
it blocks the packet as invalid.

Permitting asymmetric routing

If required, the FortiGate can be configured to permit asymmetric routing.


To permit asymmetric routing:

config system settings
    set asymroute enable
end

This setting should be used only when the asymmetric routing issue cannot be resolved by ensuring both directions of
traffic pass through the FortiGate.
When asymmetric routing is enabled and occurs, the FortiGate cannot inspect all traffic. Potentially malicious traffic may
pass through and compromise the security of the network.
Asymmetric routing behaves as follows when it is permitted by the FortiGate:

TCP packets

Scenario 1: PC1 starts a TCP connection with PC2

1. The TCP SYN is allowed by the FortiGate. The FortiGate creates a session, checks the firewall policies, and applies
the configuration from the matching policy (UTM inspection, NAT, traffic shaping, and so on).
2. The TCP SYN/ACK bypasses the FortiGate.
3. The TCP ACK is allowed by the FortiGate. The packet matches the previously created session.
4. Subsequent TCP packets are allowed by the FortiGate. The packets in the session can also be offloaded where
applicable.

Scenario 2: PC2 starts a TCP connection with PC1

1. The TCP SYN bypasses the FortiGate.
2. The TCP SYN/ACK is allowed by the FortiGate. No session is matched. The packet passes to the CPU and is
forwarded based on the routing table.
3. The TCP ACK bypasses the FortiGate.
4. Subsequent TCP packets are allowed by the FortiGate. The FortiGate acts as a router that only makes routing
decisions. No security inspection is performed.

ICMP packets

Scenario 1: PC1 pings PC2

1. There is no difference from when asymmetric routing is disabled.

Scenario 2: PC2 pings PC1

1. The ICMP request bypasses the FortiGate, but it reaches PC1.
2. The ICMP reply passes through the FortiGate. No session is matched. The packet passes to the CPU and is
forwarded based on the routing table.
3. Subsequent ICMP replies are allowed by the FortiGate. The FortiGate acts as a router that only makes routing
decisions. No security inspection is performed.

UDP packets

Asymmetric routing does not affect UDP packets. UDP packets are checked by the session table regardless of
asymmetric routing. A policy is required to allow UDP.
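To make the TCP and ICMP scenarios above concrete, this added example (not FortiOS code) models a session table that sees only the packets each scenario says reach the FortiGate, with asymroute disabled and enabled. Addresses and packets are constructed; the Verdict.inspected flag marks packets that are forwarded by routing alone.

```python
"""Session-table model for asymmetric TCP and ICMP flows, following the
scenarios in this section, with 'set asymroute' disabled and enabled.

Added example, not FortiOS code. PC1 is 10.1.1.1 and PC2 is 10.2.2.2
(constructed); packets that bypass the FortiGate are simply not fed in.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Packet:
    proto: str           # "tcp" or "icmp"
    src: str
    dst: str
    tcp_flags: str = ""  # "SYN", "SYN/ACK" or "ACK" (ACK also stands for later data)
    icmp: str = ""       # "request" or "reply"


@dataclass
class Verdict:
    action: str          # "allow" or "block"
    inspected: bool      # False when the packet is only routed, with no security inspection
    reason: str


class FortiGate:
    def __init__(self, asymroute: bool = False):
        self.asymroute = asymroute
        self.sessions: Dict[Tuple[str, str, str], str] = {}

    @staticmethod
    def key(p: Packet) -> Tuple[str, str, str]:
        a, b = sorted([p.src, p.dst])      # both directions map to one session
        return (p.proto, a, b)

    def process(self, p: Packet) -> Verdict:
        k = self.key(p)
        state = self.sessions.get(k)
        opens = (p.proto == "tcp" and p.tcp_flags == "SYN") or \
                (p.proto == "icmp" and p.icmp == "request")
        if state is None:
            if opens:
                # policy lookup, UTM, NAT and shaping are applied when the session is created
                self.sessions[k] = "syn_sent" if p.proto == "tcp" else "established"
                return Verdict("allow", True, "session created")
            if self.asymroute:
                return Verdict("allow", False, "no session; forwarded by the routing table only")
            return Verdict("block", True, "no session for a non-opening packet")
        if p.proto == "tcp":
            if p.tcp_flags == "SYN/ACK":
                self.sessions[k] = "established"
                return Verdict("allow", True, "handshake seen by the FortiGate")
            if state == "syn_sent" and not self.asymroute:
                return Verdict("block", True, "three-way handshake not established through the FortiGate")
            self.sessions[k] = "established"
        return Verdict("allow", True, "matches existing session")


def run(asymroute: bool, packets: List[Packet]) -> List[str]:
    """Actions taken on a packet sequence by one FortiGate instance."""
    fg = FortiGate(asymroute)
    return [fg.process(p).action for p in packets]


# Scenario 1: PC1 starts TCP to PC2; the SYN/ACK from PC2 bypasses the FortiGate
TCP_PC1_TO_PC2 = [Packet("tcp", "10.1.1.1", "10.2.2.2", "SYN"),
                  Packet("tcp", "10.1.1.1", "10.2.2.2", "ACK"),
                  Packet("tcp", "10.1.1.1", "10.2.2.2", "ACK")]
# Scenario 2: PC2 starts TCP to PC1; only PC1's packets reach the FortiGate
TCP_PC2_TO_PC1 = [Packet("tcp", "10.1.1.1", "10.2.2.2", "SYN/ACK"),
                  Packet("tcp", "10.1.1.1", "10.2.2.2", "ACK")]
ICMP_PC1_PINGS_PC2 = [Packet("icmp", "10.1.1.1", "10.2.2.2", icmp="request")] * 3
ICMP_PC2_PINGS_PC1 = [Packet("icmp", "10.1.1.1", "10.2.2.2", icmp="reply")] * 2
```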


Routing changes

When routing changes occur, routing look-up may occur on an existing session depending on certain configurations.

Routing changes without SNAT

When a routing change occurs, by default the FortiGate flushes all routing information from the session table and
performs a new route look-up for all new packets on arrival. You can modify the default behavior using the following
commands:
config system interface
    edit <interface>
        set preserve-session-route enable
    next
end

By enabling preserve-session-route, the FortiGate marks existing session routing information as persistent.
Therefore, routing look-up only occurs on new sessions.

Routing changes with SNAT

When SNAT is enabled, the default behavior is opposite to that of when SNAT is not enabled. After a routing change
occurs, sessions with SNAT keep using the same outbound interface as long as the old route is still active. This may be
the case if the priority of the static route was changed. You can modify this default behavior using the following
commands:
config system global
    set snat-route-change enable
end

By enabling snat-route-change, sessions with SNAT will require new route look-up when a routing change occurs.
This will apply a new SNAT to the session.

Policy routes

Policy routing allows you to specify an interface to route traffic. This is useful when you need to route certain types of
network traffic differently than you would if you were using the routing table. You can use the incoming traffic's protocol,
source or destination address, source interface, or port number to determine where to send the traffic.
When a packet arrives, the FortiGate starts at the top of the policy route list and attempts to match the packet with a
policy. For a match to be found, the policy must contain enough information to route the packet. At a minimum, this
requires the outgoing interface to forward the traffic, and the gateway to route the traffic to. If one or both of these are not
specified in the policy route, then the FortiGate searches the routing table to find the best active route that corresponds
to the policy route. If no routes are found in the routing table, then the policy route does not match the packet. The
FortiGate continues down the policy route list until it reaches the end. If no matches are found, then the FortiGate does a
route lookup using the routing table.

Policy routes are sometimes referred to as Policy-based routes (PBR).


Configuring a policy route

In this example, a policy route is configured to send all FTP traffic received at port1 out through port4 and to a next hop
router at 172.20.120.23. To route FTP traffic, the protocol is set to TCP (6) and the destination ports are set to 21 (the
FTP port).

To configure a policy route in the GUI:

1. Go to Network > Policy Routes.
2. Click Create New > Policy Route.
3. Configure the following fields:

   Incoming interface: port1
   Source Address: 0.0.0.0/0.0.0.0
   Destination Address: 0.0.0.0/0.0.0.0
   Protocol: TCP
   Destination ports: 21 - 21
   Type of service: 0x00
   Bit Mask: 0x00
   Outgoing interface: Enable and select port4
   Gateway address: 172.20.120.23

4. Click OK.


To configure a policy route in the CLI:

config router policy
    edit 1
        set input-device "port1"
        set src "0.0.0.0/0.0.0.0"
        set dst "0.0.0.0/0.0.0.0"
        set protocol 6
        set start-port 21
        set end-port 21
        set gateway 172.20.120.23
        set output-device "port4"
        set tos 0x00
        set tos-mask 0x00
    next
end
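An added example (not FortiOS code) that walks the route look-up order given under Route look-up (policy routes, route cache, FIB, drop) and the matching rules for complete and incomplete policy routes from the Policy routes section, using the FTP policy route just configured. The FIB, the other two policy routes and the packets are constructed, and the route cache is keyed on (source, destination) only.

```python
"""Route look-up order and policy-route matching, applied to the FTP policy
route configured above.

Added example, not FortiOS code. FIB, PARTIAL_POLICY, GW_ONLY_POLICY and the
packets are constructed; the real route cache carries more than (src, dst).
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class PolicyRoute:
    seq: int
    input_device: str
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    protocol: Optional[int] = None   # IP protocol number; None matches any
    start_port: int = 0
    end_port: int = 65535
    output_device: Optional[str] = None
    gateway: Optional[str] = None


@dataclass(frozen=True)
class FibRoute:
    prefix: str
    interface: str
    gateway: Optional[str] = None    # None: directly connected


@dataclass(frozen=True)
class Packet:
    in_device: str
    src: str
    dst: str
    protocol: int
    dport: int


@dataclass
class Decision:
    source: str                      # "policy", "cache" or "fib"
    interface: str
    gateway: Optional[str]
    policy_seq: Optional[int] = None


def in_net(addr: str, prefix: str) -> bool:
    return ipaddress.ip_address(addr) in ipaddress.ip_network(prefix, strict=False)


class Router:
    def __init__(self, policies: List[PolicyRoute], fib: List[FibRoute]):
        self.policies = sorted(policies, key=lambda p: p.seq)   # top of the list first
        self.fib = fib
        self.cache: Dict[Tuple[str, str], FibRoute] = {}

    def fib_lookup(self, dst: str, device: Optional[str] = None) -> Optional[FibRoute]:
        """Best active route to dst (longest prefix), optionally on one interface only."""
        cands = [r for r in self.fib
                 if in_net(dst, r.prefix) and (device is None or r.interface == device)]
        return max(cands, default=None,
                   key=lambda r: ipaddress.ip_network(r.prefix, strict=False).prefixlen)

    def policy_match(self, pr: PolicyRoute, pkt: Packet) -> Optional[Decision]:
        if (pr.input_device != pkt.in_device or not in_net(pkt.src, pr.src)
                or not in_net(pkt.dst, pr.dst)
                or (pr.protocol is not None and pr.protocol != pkt.protocol)
                or not pr.start_port <= pkt.dport <= pr.end_port):
            return None
        if pr.output_device and pr.gateway:
            return Decision("policy", pr.output_device, pr.gateway, pr.seq)
        # Incomplete policy route: borrow the best active route from the routing table
        # (to the gateway if one is named, else to the destination on the named
        # interface). With no such route the policy route does not match at all.
        if pr.gateway:
            r = self.fib_lookup(pr.gateway)
            return Decision("policy", r.interface, pr.gateway, pr.seq) if r else None
        r = self.fib_lookup(pkt.dst, pr.output_device)
        return Decision("policy", r.interface, r.gateway, pr.seq) if r else None

    def route(self, pkt: Packet) -> Optional[Decision]:
        for pr in self.policies:                     # 1. policy routes, top down
            d = self.policy_match(pr, pkt)
            if d:
                return d
        key = (pkt.src, pkt.dst)
        if key in self.cache:                        # 2. route cache
            r = self.cache[key]
            return Decision("cache", r.interface, r.gateway)
        r = self.fib_lookup(pkt.dst)                 # 3. FIB (kernel routing table)
        if r is None:
            return None                              # 4. no match: packet is dropped
        self.cache[key] = r
        return Decision("fib", r.interface, r.gateway)


FTP_POLICY = PolicyRoute(seq=2, input_device="port1", protocol=6, start_port=21, end_port=21,
                         output_device="port4", gateway="172.20.120.23")  # as configured above
# Constructed: names port3, but FIB has no route to 10.20.0.0/16 via port3, so it never matches
PARTIAL_POLICY = PolicyRoute(seq=1, input_device="port1", dst="10.20.0.0/16", output_device="port3")
# Constructed: gateway only; the outgoing interface comes from the route to that gateway
GW_ONLY_POLICY = PolicyRoute(seq=3, input_device="port1", dst="192.0.2.0/24", gateway="172.20.120.23")
FIB = [FibRoute("172.20.120.0/24", "port4"), FibRoute("192.168.1.0/24", "port1"),
       FibRoute("203.0.113.0/24", "port2", "192.168.2.1"),
       FibRoute("10.20.0.0/16", "port2", "192.168.2.1")]   # no default route on purpose
```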

Moving a policy route

A routing policy is added to the bottom of the table when it is created. Routing policies can be moved to a different
location in the table to change the order of preference. In this example, routing policy 3 will be moved before routing
policy 2.

To move a policy route in the GUI:

1. Go to Network > Policy Routes.
2. In the table, select the policy route.
3. Drag the selected policy route to the desired position.

To move a policy route in the CLI:

config router policy
    move 3 after 1
end


Equal cost multi-path

Equal cost multi-path (ECMP) is a mechanism that allows a FortiGate to load-balance routed traffic over multiple
gateways. Just like routes in a routing table, ECMP is considered after policy routing, so any matching policy routes will
take precedence over ECMP.
ECMP pre-requisites are as follows:
- Routes must have the same destination and costs. In the case of static routes, costs include distance and priority.
- Routes are sourced from the same routing protocol. Supported protocols include static routing, OSPF, and BGP.

ECMP and SD-WAN implicit rule

ECMP and the SD-WAN implicit rule are essentially similar: just as ECMP is considered only after policy routes, the SD-WAN
implicit rule is processed only after the SD-WAN service rules are processed. See Implicit rule on page 584 to learn more.
The following table summarizes the different load-balancing algorithms supported by each (ECMP mode, SD-WAN GUI
name, SD-WAN CLI name, and description):

source-ip-based (SD-WAN GUI: Source IP; SD-WAN CLI: source-ip-based)
Traffic is divided equally between the interfaces. Sessions that start at the same source IP address use the same path.
This is the default selection.

weight-based (SD-WAN GUI: Sessions; SD-WAN CLI: weight-based)
The workload is distributed based on the number of sessions that are connected through the interface. The weight that
you assign to each interface is used to calculate the percentage of the total sessions allowed to connect through an
interface, and the sessions are distributed to the interfaces accordingly.

usage-based (SD-WAN GUI: Spillover; SD-WAN CLI: usage-based)
The interface is used until the traffic bandwidth exceeds the ingress and egress thresholds that you set for that interface.
Additional traffic is then sent through the next interface member.

source-dest-ip-based (SD-WAN GUI: Source-Destination IP; SD-WAN CLI: source-dest-ip-based)
Traffic is divided equally between the interfaces. Sessions that start at the same source IP address and go to the same
destination IP address use the same path.

Not supported in ECMP (SD-WAN GUI: Volume; SD-WAN CLI: measured-volume-based)
The workload is distributed based on the number of packets that are going through the interface. This mode is supported
in SD-WAN only.


To configure the ECMP algorithm from the CLI:

- At the VDOM level:

config system settings
    set v4-ecmp-mode {source-ip-based* | weight-based | usage-based | source-dest-ip-based}
end

- If SD-WAN is enabled, the above option is not available and ECMP is configured under the SD-WAN settings:

config system sdwan
    set status enable
    set load-balance-mode {source-ip-based* | weight-based | usage-based | source-dest-ip-based | measured-volume-based}
end

For ECMP in IPv6, the mode must also be configured under SD-WAN:
# diagnose sys vd list
system fib version=63
list virtual firewall info:
name=root/root index=0 enabled fib_ver=40 use=168 rt_num=46 asym_rt=0 sip_helper=0, sip_nat_trace=1, mc_fwd=0, mc_ttl_nc=0, tpmc_sk_pl=0
ecmp=source-ip-based, ecmp6=source-ip-based asym_rt6=0 rt6_num=55 strict_src_check=0 dns_log=1 ses_num=20 ses6_num=0 pkt_num=19154477

To change the number of paths allowed by ECMP:

config system settings
    set ecmp-max-paths <number of paths>
end

Setting ecmp-max-paths to the lowest value of 1 is equivalent to disabling ECMP.

ECMP configuration examples

The following examples demonstrate the behavior of ECMP in different scenarios:
- Example 1: Default ECMP on page 325
- Example 2: Same distance, different priority on page 325
- Example 3: Weight-based ECMP on page 325
- Example 4: Load-balancing BGP routes on page 326


Example 1: Default ECMP

config router static
    edit 1
        set gateway 172.16.151.1
        set device "port1"
    next
    edit 2
        set gateway 192.168.2.1
        set device "port2"
    next
end

# get router info routing-table all
Routing table for VRF=0
S*      0.0.0.0/0 [10/0] via 172.16.151.1, port1
                  [10/0] via 192.168.2.1, port2
C       172.16.151.0/24 is directly connected, port1
C       192.168.2.0/24 is directly connected, port2

Result:

Both routes are added to the routing table and load-balanced based on the source IP.

Example 2: Same distance, different priority

config router static
    edit 1
        set gateway 172.16.151.1
        set priority 5
        set device "port1"
    next
    edit 2
        set gateway 192.168.2.1
        set device "port2"
    next
end

# get router info routing-table all
Routing table for VRF=0
S*      0.0.0.0/0 [10/0] via 192.168.2.1, port2
                  [10/0] via 172.16.151.1, port1, [5/0]
C       172.16.151.0/24 is directly connected, port1
C       192.168.2.0/24 is directly connected, port2

Result:

Both routes are added to the routing table, but traffic is routed to port2 which has a lower priority value with a default of
0.

Example 3: Weight-based ECMP

config router static
    edit 3
        set dst 10.10.30.0 255.255.255.0
        set weight 80
        set device "vpn2HQ1"
    next
    edit 5
        set dst 10.10.30.0 255.255.255.0
        set weight 20
        set device "vpn2HQ2"
    next
end

# get router info routing-table all
Routing table for VRF=0
...
S       10.10.30.0/24 [10/0] is directly connected, vpn2HQ1, [0/80]
                      [10/0] is directly connected, vpn2HQ2, [0/20]
C       172.16.151.0/24 is directly connected, port1
C       192.168.0.0/24 is directly connected, port3
C       192.168.2.0/24 is directly connected, port2

Result:

Both routes are added to the routing table, but 80% of the sessions to 10.10.30.0/24 are routed to vpn2HQ1, and
20% are routed to vpn2HQ2.

Example 4: Load-balancing BGP routes

config router bgp
    set as 64511
    set router-id 192.168.2.86
    set ebgp-multipath enable
    config neighbor
        edit "192.168.2.84"
            set remote-as 64512
        next
        edit "192.168.2.87"
            set remote-as 64512
        next
    end
end

# get router info routing-table all
Routing table for VRF=0
...
C       172.16.151.0/24 is directly connected, port1
C       192.168.0.0/24 is directly connected, port3
C       192.168.2.0/24 is directly connected, port2
B       192.168.80.0/24 [20/0] via 192.168.2.84, port2, 00:00:33
                        [20/0] via 192.168.2.87, port2, 00:00:33

Result:

The network 192.168.80.0/24 is advertised by two BGP neighbors. Both routes are added to the routing table, and
traffic is load-balanced based on Source IP.
For multiple BGP paths to be added to the routing table, you must enable ebgp-multipath for eBGP or ibgp-
multipath for iBGP. These settings are disabled by default.
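An added example (not FortiOS code) that models the route selection shown in examples 1 to 3 (same destination, distance and priority, same protocol, capped by ecmp-max-paths) and the source-ip-based, source-dest-ip-based and weight-based modes from the table above. The routes are constructed from those examples, and SHA-256 stands in for the per-session hash, which this section does not document.

```python
"""ECMP candidate selection and load-balancing modes.

Added example, not FortiOS code. Routes are constructed from examples 1 to 3;
the hash used for source-ip-based and source-dest-ip-based selection is an
assumption (SHA-256), not the FortiGate's own.
"""
import hashlib
import ipaddress
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class Route:
    dst: str
    device: str
    protocol: str = "static"
    distance: int = 10
    priority: int = 0
    weight: int = 0


def ecmp_paths(table: List[Route], dst: str, ecmp_max_paths: int = 255) -> List[Route]:
    """Routes that share the forwarding decision for dst: same destination,
    lowest (distance, priority), same routing protocol, at most ecmp_max_paths."""
    cands = [r for r in table if r.dst == dst]
    if not cands:
        return []
    best = min((r.distance, r.priority) for r in cands)
    paths = [r for r in cands if (r.distance, r.priority) == best]
    paths = [r for r in paths if r.protocol == paths[0].protocol]
    return paths[:max(1, ecmp_max_paths)]      # ecmp-max-paths 1 disables ECMP


def _bucket(key: bytes, n: int) -> int:
    return int.from_bytes(hashlib.sha256(key).digest()[:4], "big") % n


def pick_source_ip(paths: List[Route], src: str) -> Route:
    """source-ip-based: sessions from one source IP always take the same path."""
    return paths[_bucket(ipaddress.ip_address(src).packed, len(paths))]


def pick_source_dest_ip(paths: List[Route], src: str, dst: str) -> Route:
    """source-dest-ip-based: the (source, destination) pair selects the path."""
    key = ipaddress.ip_address(src).packed + ipaddress.ip_address(dst).packed
    return paths[_bucket(key, len(paths))]


class WeightBased:
    """weight-based: give each new session to the path furthest below its
    weighted share of all sessions (a weight of 0 is treated as 1)."""

    def __init__(self, paths: List[Route]):
        self.paths = paths
        self.sessions: Counter = Counter()

    def pick(self) -> Route:
        r = min(self.paths, key=lambda p: self.sessions[p.device] / max(p.weight, 1))
        self.sessions[r.device] += 1
        return r


def distribute_weighted(paths: List[Route], n_sessions: int) -> Dict[str, int]:
    """Sessions per interface after n_sessions new sessions under weight-based ECMP."""
    wb = WeightBased(paths)
    for _ in range(n_sessions):
        wb.pick()
    return dict(wb.sessions)


# Constructed from the examples above
DEFAULT_ECMP = [Route("0.0.0.0/0", "port1"), Route("0.0.0.0/0", "port2")]
DIFFERENT_PRIORITY = [Route("0.0.0.0/0", "port1", priority=5), Route("0.0.0.0/0", "port2")]
WEIGHTED = [Route("10.10.30.0/24", "vpn2HQ1", weight=80),
            Route("10.10.30.0/24", "vpn2HQ2", weight=20)]
MIXED_PROTOCOL = [Route("0.0.0.0/0", "port1"), Route("0.0.0.0/0", "port2", protocol="bgp")]
```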


Dual internet connections

Dual internet connections, also referred to as dual WAN or redundant internet connections, refers to using two FortiGate
interfaces to connect to the Internet. This is generally accomplished with SD-WAN, but this legacy solution provides the
means to configure dual WAN without using SD-WAN. You can use dual internet connections in several ways:
- Link redundancy: If one interface goes down, the second interface automatically becomes the main connection.
- Load sharing: This ensures better throughput.
- Use a combination of link redundancy and load sharing.

This section describes the following dual internet connection scenarios:
- Scenario 1: Link redundancy and no load-sharing on page 327
- Scenario 2: Load-sharing and no link redundancy on page 329
- Scenario 3: Link redundancy and load-sharing on page 331

Scenario 1: Link redundancy and no load-sharing

Link redundancy ensures that if your Internet access is no longer available through a certain port, the FortiGate uses an
alternate port to connect to the Internet.
In this scenario, two interfaces, WAN1 and WAN2, are connected to the Internet using two different ISPs. WAN1 is the
primary connection. In the event of a failure of WAN1, WAN2 automatically becomes the connection to the Internet. For
this configuration to function correctly, you must configure the following settings:
- Link health monitor on page 327: To determine when the primary interface (WAN1) is down and when the connection returns.
- Routing on page 328: Configure a default route for each interface.
- Security policies on page 329: Configure security policies to allow traffic through each interface to the internal network.

Link health monitor

Adding a link health monitor is required for routing failover traffic. A link health monitor confirms the device interface
connectivity by probing a gateway or server at regular intervals to ensure it is online and working. When the server is not
accessible, that interface is marked as down.
Set the interval (how often to send a ping) and failtime (how many lost pings are considered a failure). A smaller
interval value and smaller number of lost pings results in faster detection, but creates more traffic on your network.


The link health monitor supports both IPv4 and IPv6, and various other protocols including ping, tcp-echo, udp-echo,
http, and twamp.

To add a link health monitor (IPv4) using the CLI:

config system link-monitor
    edit <link-monitor-name>
        set addr-mode ipv4
        set srcintf <interface-name>
        set server <server-IP-address>
        set protocol {ping tcp-echo udp-echo http twamp}
        set gateway-ip <gateway-IP-address>
        set interval <seconds>
        set failtime <retry-attempts>
        set recoverytime <number-of-successful-responses>
        set status enable
    next
end

Option: Description
set update-cascade-interface {enable | disable}: This option is used in conjunction with the fail-detect and fail-alert options in the interface settings to cascade the link failure down to another interface. See the Bring other interfaces down when link monitor fails KB article for details.
set update-static-route {enable | disable}: When the link fails, all static routes associated with the interface will be removed.
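An added example (not FortiOS code) that simulates how interval, failtime, recoverytime and update-static-route interact for the wan1 (distance 10) and wan2 (distance 20) default routes of this scenario. Probe results are constructed, and failtime and recoverytime are assumed to count consecutive probes.

```python
"""Link health monitor driving static-route failover between wan1 and wan2.

Added example, not FortiOS code. Probe results are constructed; failtime and
recoverytime are assumed to count consecutive probes.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class StaticRoute:
    dst: str
    device: str
    distance: int
    active: bool = True      # False while the link monitor has withdrawn the route


@dataclass
class LinkMonitor:
    srcintf: str
    interval: int            # seconds between probes
    failtime: int            # consecutive lost probes before the link is marked down
    recoverytime: int        # consecutive good probes before it is marked up again
    update_static_route: bool = True
    state: str = "up"
    failures: int = 0
    successes: int = 0

    def probe(self, reachable: bool, table: List[StaticRoute]) -> Optional[str]:
        """Feed one probe result; returns "down" or "up" when the state changes."""
        if reachable:
            self.failures, self.successes = 0, self.successes + 1
        else:
            self.failures, self.successes = self.failures + 1, 0
        if self.state == "up" and self.failures >= self.failtime:
            self.state = "down"
            self._set_routes(table, active=False)
            return "down"
        if self.state == "down" and self.successes >= self.recoverytime:
            self.state = "up"
            self._set_routes(table, active=True)
            return "up"
        return None

    def _set_routes(self, table: List[StaticRoute], active: bool) -> None:
        # update-static-route: withdraw (or restore) the static routes on srcintf
        if self.update_static_route:
            for r in table:
                if r.device == self.srcintf:
                    r.active = active

    def detection_time(self) -> int:
        """Seconds from the first lost probe until the link is marked down."""
        return self.interval * self.failtime


def active_default(table: List[StaticRoute]) -> Optional[str]:
    """Interface of the lowest-distance active default route, as the routing table installs it."""
    cands = [r for r in table if r.dst == "0.0.0.0/0" and r.active]
    return min(cands, key=lambda r: r.distance).device if cands else None


def failover_demo(probe_results: List[bool]) -> List[Optional[str]]:
    """Active default interface after each probe of wan1 (interval 5, failtime 3, recoverytime 2)."""
    table = [StaticRoute("0.0.0.0/0", "wan1", 10), StaticRoute("0.0.0.0/0", "wan2", 20)]
    mon = LinkMonitor(srcintf="wan1", interval=5, failtime=3, recoverytime=2)
    used = []
    for ok in probe_results:
        mon.probe(ok, table)
        used.append(active_default(table))
    return used
```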

Routing

You must configure a default route for each interface and indicate your preferred route as follows:
- Specify different distances for the two routes. The lower of the two distance values is declared active and placed in the routing table.
Or
- Specify the same distance for the two routes, but give a higher priority to the route you prefer by defining a lower value. Both routes will be added to the routing table, but the route with a higher priority will be chosen as the best route.
In the following example, we will use the first method to configure different distances for the two routes. You might not be
able to connect to the backup WAN interface because the FortiGate does not route traffic out of the backup interface.
The FortiGate performs a reverse path look-up to prevent spoofed traffic. If an entry cannot be found in the routing table
that sends the return traffic out through the same interface, the incoming traffic is dropped.

To configure the routing of the two interfaces using the GUI:

1. Go to Network > Static Routes, and click Create New.
2. Enter the following information:

   Destination               For an IPv4 route, enter a subnet of 0.0.0.0/0.0.0.0.
                             For an IPv6 route, enter a subnet of ::/0.
   Interface                 Select the primary connection. For example, wan1.
   Gateway Address           Enter the gateway address.
   Administrative Distance   Leave as the default of 10.

3. Click OK.
4. Repeat the above steps to set Interface to wan2 and Administrative Distance to 20.

To configure the routing of the two interfaces using the CLI:

config router {static | static6}
    edit 1
        set dst 0.0.0.0 0.0.0.0
        set device wan1
        set gateway <gateway_address>
        set distance 10
    next
    edit 2
        set dst 0.0.0.0 0.0.0.0
        set device wan2
        set gateway <gateway_address>
        set distance 20
    next
end

Security policies

When you create security policies, you need to configure duplicate policies to ensure that after traffic fails over from
WAN1, regular traffic is allowed to pass through WAN2 as it did through WAN1. This ensures that failover occurs with
minimal effect on users.

Scenario 2: Load-sharing and no link redundancy

Load sharing can be accomplished in several ways, including:
• Defining a preferred route with a lower distance, and specifying policy routes to route certain traffic to the
  secondary interface.
• Defining routes with the same distance values but different priorities, and specifying policy routes to route certain
  traffic to the secondary interface.
• Defining routes with the same distance values and priorities, and using equal-cost multi-path (ECMP) routing to
  distribute traffic equally between the WAN interfaces.
In our example, we will use the first option for our configuration. In this scenario, because link redundancy is not required,
you do not have to configure a link monitor.


Traffic behaviour without a link monitor is as follows:
• If the remote gateway is down but the primary WAN interface of a FortiGate is still up, the FortiGate will continue to
  route traffic to the primary WAN. This results in traffic interruptions.
• If the primary WAN interface of a FortiGate is down due to physical link issues, the FortiGate will remove routes to it
  and the secondary WAN routes will become active. Traffic will failover to the secondary WAN.

Routing

Configure routing as you did in Scenario 1: Link redundancy and no load-sharing on page 327 above.

Policy routes

By configuring policy routes, you can redirect specific traffic to the secondary WAN interface. This works in this case
because policy routes are checked before static routes. Therefore, even though the static route for the secondary WAN
is not in the routing table, traffic can still be routed using the policy route.
In this example, we will create a policy route to route traffic from one address group to the secondary WAN interface.

To configure a policy route from the GUI:

1. Go to Network > Policy Routes, and click Create New.
2. Enter the following information:

   Incoming interface    Define the source of the traffic. For example, internal.
   Source Address        To route only traffic from a group of addresses, define an address or address group and
                         select it here.
   Destination Address   Because we want to route all traffic from the address group, we do not specify a
                         destination address.
   Protocol              Specify any protocol.
   Action                Forward traffic.
   Outgoing interface    Select the secondary WAN as the outbound interface. For example, wan2.
   Gateway address       Enter the gateway address for your secondary WAN. Because its default route has a higher
                         distance value and is not added to the routing table, the gateway address must be
                         specified here.

3. Click OK.

To configure a policy route from the CLI:

config router policy
    edit 1
        set input-device "internal"
        set srcaddr "Laptops"
        set gateway <gateway_address>
        set output-device "wan2"
    next
end

Security policies

Your security policies should allow all traffic from internal to WAN1. Because link redundancy is not needed, you do
not need to duplicate all WAN1 policies to WAN2. You will only need to define policies used in your policy route.

Scenario 3: Link redundancy and load-sharing

In this scenario, both links are available to distribute Internet traffic, with the primary WAN preferred. Should one of
the interfaces fail, the FortiGate continues to send traffic over the other active interface. The configuration is a
combination of the link redundancy and the load-sharing scenarios. The main difference is that the configured routes have
equal distance values, with the higher-priority route preferred. This ensures that both routes are active in the routing
table, but the route with the higher priority is the best route.

Link health monitor

Link monitor must be configured for both the primary and the secondary WAN interfaces. This ensures that if the primary
or the secondary WAN fails, the corresponding route is removed from the routing table and traffic re-routed to the other
WAN interface.
For configuration details, see sample configurations in Scenario 1: Link redundancy and no load-sharing on page 327.

Routing

Both WAN interfaces must have default routes with the same distance. However, preference is given to the primary
WAN by giving it a higher priority.

To configure the routing of the two interfaces using the CLI:

config router {static | static6}
    edit 1
        set dst 0.0.0.0 0.0.0.0
        set device wan1
        set gateway <gateway_address>
        set distance 10
        set priority 0
    next
    edit 2
        set dst 0.0.0.0 0.0.0.0
        set device wan2
        set gateway <gateway_address>
        set distance 10
        set priority 10
    next
end

Policy routes

The policy routes configuration is very similar to that of the policy routes in Scenario 2: Load-sharing and no link
redundancy on page 329, except that the gateway address should not be specified. When a policy route is matched and
the gateway address is not specified, the FortiGate looks at the routing table to obtain the gateway. If the secondary
WAN fails, traffic may still hit the policy route. Because no gateway is specified and the route to the secondary WAN has
been removed by the link monitor, the policy route is bypassed and traffic continues through the primary WAN. This
ensures that the policy route is not active when the link is down.

Security policies

When you create security policies, you need to configure duplicate policies to ensure that after traffic fails over from
WAN1, regular traffic is allowed to pass through WAN2 as it did through WAN1. This ensures that failover occurs with
minimal effect on users.

Dynamic routing

Dynamic routing protocols attempt to build a map of the network topology to identify the best routes to reach different
destinations. Instead of manually defining static routes, which does not scale, dynamic routing typically involves defining
neighbors and peer routers that share their network topology and routing updates with each other. Popular routing
protocols are built on distance-vector, link-state, or path-vector algorithms. FortiGate supports RIP, OSPF, BGP, and
IS-IS, which are interoperable with other vendors' implementations. When different dynamic routing protocols are used,
the administrative distance of each protocol helps the FortiGate decide which route to pick.

Go to System > Feature Visibility and enable Advanced Routing to configure dynamic routing
options in the GUI. See Feature visibility on page 2269 for more information.

This section includes:
• RIP on page 333
• OSPF on page 353
• BGP on page 370
• BFD on page 403
• Routing objects on page 412
To view the routing table and perform route look-ups in the GUI, go to Dashboard > Network and expand the Routing
widget.


To view the routing table in the CLI:

# get router info routing-table all
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
       O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default
Routing table for VRF=0
S*      0.0.0.0/0 [5/0] via 192.168.0.1, wan1
C       10.10.10.0/24 is directly connected, internal
C       169.254.2.1/32 is directly connected, Dialup-test
C       172.31.0.0/30 is directly connected, toKVM-MPLS
C       172.31.0.1/32 is directly connected, toKVM-MPLS
C       192.168.0.0/24 is directly connected, wan1
O       192.168.2.0/24 [110/101] via 10.10.10.11, internal, 00:00:26
S       192.168.20.0/24 [10/0] via 172.31.0.2, toKVM-MPLS
                        [10/0] via 10.10.10.11, internal
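The listing above, and the RIP-learned tables shown later in the Basic RIP example, follow one fixed layout, so the failover and ECMP scenarios can be checked from a captured table instead of by eye. The following is an added example, not code from the guide or from Fortinet: a Python parser for that output, including the indented continuation lines FortiOS prints for the extra next hops of an ECMP route, plus a check that the installed default route leaves via the WAN interface the link monitor is expected to keep up. The two sample tables are the guide's own listings (the first with its legend abridged); the function names are my choices.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Route line: "<code>[*] <prefix> <rest>", e.g. "S* 0.0.0.0/0 [5/0] via 192.168.0.1, wan1"
ROUTE_RE = re.compile(
    r"^(?P<code>[A-Za-z]{1,2})(?P<default>\*?)\s+"
    r"(?P<prefix>[0-9A-Fa-f:.]+/\d+)\s+(?P<rest>.+)$"
)
# Next hop: "[distance/metric] via <gateway>, <interface>[, <uptime>]"
HOP_RE = re.compile(
    r"^\[(?P<distance>\d+)/(?P<metric>\d+)\]\s+via\s+(?P<gateway>\S+),\s+"
    r"(?P<intf>\S+?)(?:,\s+(?P<uptime>\S+))?$"
)
CONNECTED_RE = re.compile(r"^is directly connected,\s+(?P<intf>\S+)$")

@dataclass
class NextHop:
    interface: str
    gateway: Optional[str]        # None for directly connected routes
    distance: int                 # administrative distance, first number in [d/m]
    metric: int
    uptime: Optional[str] = None

@dataclass
class Route:
    code: str                     # S, C, R, O, B, ... as in the Codes legend
    prefix: str
    candidate_default: bool       # the '*' printed after the code
    next_hops: List[NextHop] = field(default_factory=list)

def _hop(m: re.Match) -> NextHop:
    return NextHop(m["intf"], m["gateway"], int(m["distance"]),
                   int(m["metric"]), m["uptime"])

def parse_routing_table(text: str) -> List[Route]:
    """Parse 'get router info routing-table all' output. Legend and VRF header
    lines are skipped; a line starting with '[' continues the previous route,
    which is how FortiOS prints the extra next hops of an ECMP route."""
    routes: List[Route] = []
    for raw in text.splitlines():
        line = raw.strip()
        m = ROUTE_RE.match(line)
        if m:
            route = Route(m["code"], m["prefix"], m["default"] == "*")
            conn = CONNECTED_RE.match(m["rest"])
            if conn:
                route.next_hops.append(NextHop(conn["intf"], None, 0, 0))
            else:
                hop = HOP_RE.match(m["rest"])
                if hop is None:
                    raise ValueError("unrecognised next hop: " + line)
                route.next_hops.append(_hop(hop))
            routes.append(route)
        elif line.startswith("[") and routes:
            hop = HOP_RE.match(line)
            if hop is None:
                raise ValueError("unrecognised ECMP continuation: " + line)
            routes[-1].next_hops.append(_hop(hop))
    return routes

def default_route_hops(routes: List[Route]) -> List[NextHop]:
    """Next hops installed for the default route (0.0.0.0/0 or ::/0)."""
    return [h for r in routes if r.prefix in ("0.0.0.0/0", "::/0")
            for h in r.next_hops]

def ecmp_prefixes(routes: List[Route]) -> List[str]:
    """Prefixes installed with more than one next hop."""
    return [r.prefix for r in routes if len(r.next_hops) > 1]

def default_via(routes: List[Route], expected_intf: str) -> bool:
    """Failover check: every installed default route leaves via expected_intf."""
    hops = default_route_hops(routes)
    return bool(hops) and all(h.interface == expected_intf for h in hops)

# Sample 1: the guide's static/OSPF table shown above (legend abridged).
SAMPLE_STATIC = """\
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
       O - OSPF, IA - OSPF inter area
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default
Routing table for VRF=0
S* 0.0.0.0/0 [5/0] via 192.168.0.1, wan1
C 10.10.10.0/24 is directly connected, internal
C 169.254.2.1/32 is directly connected, Dialup-test
C 172.31.0.0/30 is directly connected, toKVM-MPLS
C 172.31.0.1/32 is directly connected, toKVM-MPLS
C 192.168.0.0/24 is directly connected, wan1
O 192.168.2.0/24 [110/101] via 10.10.10.11, internal, 00:00:26
S 192.168.20.0/24 [10/0] via 172.31.0.2, toKVM-MPLS
    [10/0] via 10.10.10.11, internal
"""
# Sample 2: excerpt of Router1's RIP-learned table from the Basic RIP example.
SAMPLE_RIP = """\
Routing table for VRF=0
R* 0.0.0.0/0 [120/3] via 10.11.202.103, vd13link0, 00:09:42
C 10.11.101.0/24 is directly connected, LoSales
"""
```

After a simulated WAN1 outage, `default_via(parse_routing_table(captured), "wan2")` confirms that the link monitor removed the primary default route and the backup took over.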

RIP

Routing Information Protocol (RIP) is a distance-vector routing protocol that is intended for small and relatively
homogeneous networks. It works well when there are minimal redundant paths and limited hop counts. FortiGate
supports RIP version 1 (RFC 1058), RIP version 2 (RFC 2453), and RIPng (RFC 2080).

Basic configuration

To configure the FortiGate to participate in RIP using the most basic configurations in the GUI:

1. Go to Network > RIP.
2. Set the Version.
3. Add the networks that the FortiGate will advertise in and that will participate in RIP.
4. If the interface settings, such as passive interface, authentication, or enabling send/receive updates, must be
   edited, add the interfaces to the Interface table.
5. Click Apply.

To configure the FortiGate to participate in RIP using the most basic configurations in the CLI:

config router rip
    config network
        edit 1
            set prefix <subnet> <netmask>
        next
    end
    config interface
        edit <interface>
            set receive-version 2
            set send-version 2
        next
    end
end


Default route injection

Enabling Inject default route (default-information-originate) advertises a default route into the FortiGate's
RIP network.

To enable/disable default route injection in the GUI:

1. Go to Network > RIP.
2. Expand the Advanced Options.
3. Enable/disable Inject Default Route.
4. Click OK.

To enable/disable default route injection in the CLI:

config router rip
    set default-information-originate {enable | disable}
end

Default metric

The default metric setting sets the default metric for all redistributed routes. If the default metric is set to five, and static
routes are redistributed, then static routes have a metric of five. This value can be overridden by setting a specific metric
value for a protocol. For example, the static route metric can be set to two, overriding the default metric.
config router rip
    set default-metric 5
    config redistribute "static"
        set status enable
        set metric 2
    end
end

The default metric is five, but redistributed static routes have a metric of two. So, the default metric is overridden and the
metric for redistributed static routes is two.

Timers

RIP uses the update, timeout, and garbage timers to regulate its performance. The default timer settings are effective in
most configurations. When customizing the settings, you must ensure that the new settings are compatible with your
local routers and access servers.
Go to Network > RIP and expand the Advanced Options to configure the timers in the GUI, or use the CLI:
config router rip
    set timeout-timer <seconds>
    set update-timer <seconds>
    set garbage-timer <seconds>
end


Update timer

The update timer sets the interval between routing updates. The default value is 30 seconds. Randomness is added to
help prevent network congestion due to multiple routers trying to update their neighbors simultaneously. The update
timer must be at least three times shorter than the timeout timer.
If there is significant RIP traffic on the network, you can increase the update timer to send fewer updates. You must apply
the same increase to all routers on the network to avoid timeouts that degrade your network speed.

Timeout timer

The timeout timer is the maximum amount of time that a reachable route is kept in the routing table since its last update.
The default value is 180 seconds. If an update for the route is received before the timeout period elapses, then the timer
is reset. The timeout timer should be at least three times longer than the update timer.
If routers are not responding to updates in time, increasing the timeout timer can help. A longer timeout timer results in
longer update periods, and the FortiGate could wait a considerable amount of time for all of the timers to expire on an
unresponsive route.

Garbage timer

The garbage timer is the amount of time that the FortiGate advertises a route as unreachable before deleting the route
from the routing table. The default value is 120 seconds.
If the timer is short, older routes are removed from the routing table more quickly, resulting in a smaller routing table. This
can be useful for large networks, or if the network changes frequently.

Authentication and key chain

RIP version 1 (RIPv1) has no authentication. RIP version 2 (RIPv2) uses text passwords or authentication keys to
ensure that the routing information exchanged between routers is reliable. For authentication to work, both the sending
and receiving routers must be set to use authentication and must be configured with the same password or keys. An
authentication key that uses authentication key chains is more secure than a text password because the intervals when
the key is valid can be configured.
A key chain is a list of one or more authentication keys that each have send and receive lifetimes. Keys are used to
authenticate routing packets only during their specified lifetimes. The FortiGate migrates from one key to the next
according to the scheduled lifetimes. The sending and receiving routers should have synchronized system dates and
times to ensure that both ends are using the same keys at the same times. You can overlap the key lifetimes to make
sure that a key is always available, even if there is some difference in the system times.

To configure a text password in the GUI:

1. Go to Network > RIP.
2. In the Interfaces table, click Create New, or edit an existing interface.
3. Enable Authentication and select Text or MD5.
4. Click Change, and enter the password.
5. Configure the remaining settings as needed.
6. Click OK.
7. Click Apply.


To configure a text password in the CLI:

config router rip
    config interface
        edit <interface>
            set auth-mode {text | md5}
            set auth-string **********
        next
    end
end

To configure a key chain with two sequentially valid keys and use it in a RIP interface:

config router key-chain
    edit rip_key
        config key
            edit 1
                set accept-lifetime 09:00:00 23 02 2020 09:00:00 17 03 2020
                set send-lifetime 09:00:00 23 02 2020 09:00:00 17 03 2020
                set key-string **********
            next
            edit 2
                set accept-lifetime 09:01:00 17 03 2020 09:00:00 1 04 2020
                set send-lifetime 09:01:00 17 03 2020 09:00:00 1 04 2020
                set key-string **********
            next
        end
    next
end

config router rip
    config interface
        edit port1
            set auth-keychain "rip_key"
        next
    end
end
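Lifetimes are the part of a key chain that is easy to get wrong: a hole between one key's end and the next key's start, or an overlap too short to absorb the clock skew between the two routers, means RIP updates stop authenticating until the next key becomes valid. The following is an added example, not Fortinet's code: a Python check that parses the lifetimes out of a config router key-chain block and reports gaps and tight handovers. Run on the two-key chain above it reports the 60-second hole between 09:00:00 and 09:01:00 on 17 March 2020; a constructed variant with an hour of overlap passes. The function names and the 300-second tolerance are my choices.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

Interval = Tuple[datetime, datetime]

# 'set accept-lifetime'/'set send-lifetime' syntax: HH:MM:SS DD MM YYYY for the
# start of the lifetime followed by the same four fields for its end.
LIFETIME_RE = re.compile(
    r"set (?P<kind>accept|send)-lifetime\s+"
    r"(?P<t1>\d\d:\d\d:\d\d) (?P<d1>\d{1,2}) (?P<m1>\d{1,2}) (?P<y1>\d{4})\s+"
    r"(?P<t2>\d\d:\d\d:\d\d) (?P<d2>\d{1,2}) (?P<m2>\d{1,2}) (?P<y2>\d{4})$"
)

def _stamp(t: str, d: str, m: str, y: str) -> datetime:
    hh, mm, ss = (int(x) for x in t.split(":"))
    return datetime(int(y), int(m), int(d), hh, mm, ss)

@dataclass
class ChainKey:
    key_id: str
    accept: Optional[Interval] = None
    send: Optional[Interval] = None

def parse_key_chain(config: str) -> List[ChainKey]:
    """Read key ids and lifetimes from a 'config router key-chain' block.
    Only the 'config key' sub-table is inspected; key-string values are skipped."""
    keys: List[ChainKey] = []
    in_keys = False
    for raw in config.splitlines():
        line = raw.strip()
        if line == "config key":
            in_keys = True
        elif line == "end" and in_keys:
            in_keys = False
        elif in_keys and line.startswith("edit "):
            keys.append(ChainKey(line.split(None, 1)[1].strip('"')))
        elif in_keys and keys and (m := LIFETIME_RE.match(line)):
            iv = (_stamp(m["t1"], m["d1"], m["m1"], m["y1"]),
                  _stamp(m["t2"], m["d2"], m["m2"], m["y2"]))
            setattr(keys[-1], m["kind"], iv)   # kind is 'accept' or 'send'
    return keys

def coverage_gaps(intervals: List[Interval]) -> List[Interval]:
    """Periods within the chain's overall span during which no key is valid."""
    ivs = sorted(intervals)
    gaps: List[Interval] = []
    for i in range(1, len(ivs)):
        reach = max(end for _, end in ivs[:i])   # latest end seen so far
        if ivs[i][0] > reach:
            gaps.append((reach, ivs[i][0]))
    return gaps

def handover_margins(intervals: List[Interval]) -> List[timedelta]:
    """Old key's end minus new key's start at each handover (negative = hole)."""
    ivs = sorted(intervals)
    return [ivs[i][1] - ivs[i + 1][0] for i in range(len(ivs) - 1)]

def check_chain(config: str, min_overlap_s: int = 300) -> Dict[str, object]:
    """Report gaps, and handovers overlapping by less than min_overlap_s (the
    clock skew between the two RIP routers you are prepared to tolerate)."""
    keys = parse_key_chain(config)
    report: Dict[str, object] = {"keys": [k.key_id for k in keys]}
    for direction in ("send", "accept"):
        ivs = [getattr(k, direction) for k in keys if getattr(k, direction)]
        report[direction + "_gaps"] = [(a.isoformat(), b.isoformat())
                                        for a, b in coverage_gaps(ivs)]
        report[direction + "_tight_handovers_s"] = [
            int(m.total_seconds()) for m in handover_margins(ivs)
            if m.total_seconds() < min_overlap_s]
    return report

# The guide's own two-key example: key 2 becomes valid one minute after key 1
# expires, so the chain has a 60-second hole on 17 March 2020.
PAGE_KEY_CHAIN = """\
config router key-chain
    edit rip_key
        config key
            edit 1
                set accept-lifetime 09:00:00 23 02 2020 09:00:00 17 03 2020
                set send-lifetime 09:00:00 23 02 2020 09:00:00 17 03 2020
                set key-string **********
            next
            edit 2
                set accept-lifetime 09:01:00 17 03 2020 09:00:00 1 04 2020
                set send-lifetime 09:01:00 17 03 2020 09:00:00 1 04 2020
                set key-string **********
            next
        end
    next
end
"""
# Constructed variant: key 2 starts an hour early, giving an hour of overlap.
OVERLAPPING_KEY_CHAIN = PAGE_KEY_CHAIN.replace("09:01:00 17 03 2020", "08:00:00 17 03 2020")

if __name__ == "__main__":
    for cfg in (PAGE_KEY_CHAIN, OVERLAPPING_KEY_CHAIN):
        print(check_chain(cfg))
```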

Passive RIP interfaces

By default, an active RIP interface keeps the FortiGate routing table current by periodically asking neighbors for routes
and sending out route updates. This can generate a significant amount of extra traffic in a large network.
A passive RIP interface listens to updates from other routers, but does not send out route updates. This can reduce
network traffic when there are redundant routers in the network that would always send out essentially the same
updates.
This example shows how to configure a passive RIPv2 interface on port1 using MD5 authentication.

To configure a passive RIP interface in the GUI:

1. Go to Network > RIP.
2. In the Interfaces table, click Create New.
3. Set Interface to the required interface.
4. Enable Passive.
5. Enable Authentication and set it to MD5.
6. Click Change and enter a password.
7. Set Receive Version to 2.
8. Click OK.

To configure a passive RIP interface in the CLI:

config router rip
    set passive-interface "port1"
    config interface
        edit "port1"
            set auth-mode md5
            set auth-string **********
            set receive-version 2
            set send-version 2
        next
    end
end

RIP and IPv6

RIP next generation (RIPng) is an extension of RIPv2 that includes support for IPv6. See Basic RIPng example on page
350 and IPv6 tunneling on page 491 for more information.

Basic RIP example

In this example, a medium-sized network is configured using RIPv2.
• Two core routers, RIP Router2 and RIP Router3, connect to the ISP router for two redundant paths to the internet.
• Two other routers, RIP Router1 and RIP Router4, connect to the two core routers and to different local networks.
• The ISP router is using RIP for its connections to the core routers, and redistributes its default route to the network;
  that is, default route injection is enabled.
• The ISP router uses NAT and has a static route to the internet. None of the other routers use NAT or static routes.


All of the FortiGate routers are configured as shown, using netmask 255.255.255.0. Firewall policies have been
configured to allow the required traffic to flow across the interfaces.

Router        Interface   Interface name   IP address
Router1       port1       LoSales          10.11.101.101
              port2       vd12link0        10.11.201.101
              port3       vd13link0        10.11.202.101
Router2       port1       vd23link0        10.12.101.102
              port2       vd12link1        10.11.201.102
              port3       vd42link1        10.14.201.102
              port4       vdr2link1        172.20.120.102
Router3       port1       vd23link1        10.12.101.103
              port2       vd13link1        10.11.202.103
              port3       vd43link1        10.14.202.103
              port4       vdr3link1        172.20.121.103
Router4       port1       LoAccounting     10.14.101.104
              port2       vd42link0        10.14.201.104
              port3       vd43link0        10.14.202.104
ISP Router    port1       port1            To internet
              port2       vdr2link0        172.20.120.5
              port3       vdr3link0        172.20.121.5

After configuring each router, you can check the status of the connections by viewing the RIP database, RIP interfaces,
and routing table. See Verifying the configuration on page 343.
After the network is configured, you can test it to ensure that when network events occur, such as a downed link, routing
updates are triggered and converge as expected. See Testing the configuration and routing changes on page 347.

ISP router

To configure the ISP Router in the GUI:

1. Go to Network > RIP.
2. Set the Version to 2.
3. Under Networks, add two networks:
   • 172.20.120.0/255.255.255.0
   • 172.20.121.0/255.255.255.0
4. Add the interfaces:
   a. In the Interfaces table, click Create New.
   b. Set Interface to port2.
   c. Leave the remaining settings as their default values.
   d. Click OK.
   e. Repeat these steps for port3.
5. Under Advanced Options, enable Inject Default Route.
   This setting allows the ISP router to share its default 0.0.0.0 routes with other routers in the RIP network.
6. Click Apply.

To configure the ISP Router in the CLI:

config router rip
    set default-information-originate enable
    config network
        edit 1
            set prefix 172.20.121.0 255.255.255.0
        next
        edit 2
            set prefix 172.20.120.0 255.255.255.0
        next
    end
    config interface
        edit "port2"
            set receive-version 2
            set send-version 2
        next
        edit "port3"
            set receive-version 2
            set send-version 2
        next
    end
end

Router2 and Router3

Router2 and Router3 RIP configurations have different IP addresses, but are otherwise the same.

To configure Router2 and Router3 in the GUI:

1. Go to Network > RIP.
2. Set the Version to 2.
3. Under Networks, add the IP addresses for each port:

   Router2   10.12.101.0/255.255.255.0
             10.11.201.0/255.255.255.0
             10.14.201.0/255.255.255.0
             172.20.120.0/255.255.255.0

   Router3   10.12.101.0/255.255.255.0
             10.11.202.0/255.255.255.0
             10.14.202.0/255.255.255.0
             172.20.121.0/255.255.255.0

4. Add the interfaces:
   a. In the Interfaces table, click Create New.
   b. Set Interface to port1.
   c. Leave the remaining settings as their default values.
   d. Click OK.
   e. Repeat these steps for port2, port3, and port4.
5. Click Apply.

To configure Router2 in the CLI:

config router rip
    config network
        edit 1
            set prefix 10.12.101.0 255.255.255.0
        next
        edit 2
            set prefix 10.11.201.0 255.255.255.0
        next
        edit 3
            set prefix 10.14.201.0 255.255.255.0
        next
        edit 4
            set prefix 172.20.120.0 255.255.255.0
        next
    end
    config interface
        edit "port1"
            set receive-version 2
            set send-version 2
        next
        edit "port2"
            set receive-version 2
            set send-version 2
        next
        edit "port3"
            set receive-version 2
            set send-version 2
        next
        edit "port4"
            set receive-version 2
            set send-version 2
        next
    end
end

To configure Router3 in the CLI:

config router rip
    config network
        edit 1
            set prefix 10.12.101.0 255.255.255.0
        next
        edit 2
            set prefix 10.11.202.0 255.255.255.0
        next
        edit 3
            set prefix 10.14.202.0 255.255.255.0
        next
        edit 4
            set prefix 172.20.121.0 255.255.255.0
        next
    end
    config interface
        edit "port1"
            set receive-version 2
            set send-version 2
        next
        edit "port2"
            set receive-version 2
            set send-version 2
        next
        edit "port3"
            set receive-version 2
            set send-version 2
        next
        edit "port4"
            set receive-version 2
            set send-version 2
        next
    end
end

Router1 and Router4

Router1 and Router4 RIP configurations have different IP addresses, but are otherwise the same.

To configure Router1 and Router4 in the GUI:

1. Go to Network > RIP.
2. Set the Version to 2.
3. Under Networks, add the IP addresses for each port:

   Router1   10.11.101.0/255.255.255.0
             10.11.201.0/255.255.255.0
             10.11.202.0/255.255.255.0

   Router4   10.14.101.0/255.255.255.0
             10.14.201.0/255.255.255.0
             10.14.202.0/255.255.255.0

4. Add the interfaces:
   a. In the Interfaces table, click Create New.
   b. Set Interface to port1.
   c. For port1 only, enable Passive.
   d. Leave the remaining settings as their default values.
   e. Click OK.
   f. Repeat these steps for port2 and port3, making sure that Passive is disabled.
5. Click Apply.

To configure Router1 in the CLI:

config router rip
    config network
        edit 1
            set prefix 10.11.101.0 255.255.255.0
        next
        edit 2
            set prefix 10.11.201.0 255.255.255.0
        next
        edit 3
            set prefix 10.11.202.0 255.255.255.0
        next
    end
    set passive-interface "port1"
    config interface
        edit "port1"
            set receive-version 2
            set send-version 2
        next
        edit "port2"
            set receive-version 2
            set send-version 2
        next
        edit "port3"
            set receive-version 2
            set send-version 2
        next
    end
end

To configure Router4 in the CLI:

config router rip
    config network
        edit 1
            set prefix 10.14.101.0 255.255.255.0
        next
        edit 2
            set prefix 10.14.201.0 255.255.255.0
        next
        edit 3
            set prefix 10.14.202.0 255.255.255.0
        next
    end
    set passive-interface "port1"
    config interface
        edit "port1"
            set receive-version 2
            set send-version 2
        next
        edit "port2"
            set receive-version 2
            set send-version 2
        next
        edit "port3"
            set receive-version 2
            set send-version 2
        next
    end
end

Verifying the configuration

The interface names are shown in the debug output. The same commands should also be run on the other routers.


To verify the configuration after the ISP router, Router2, and Router3 have been configured:

This verification can be done after the ISP router, Router2, and Router3 have been configured. Only Router2's debugs
are shown.
1. Check the RIP interface information:
   # get router info rip interface
   Router2 is up, line protocol is up
     RIP is not enabled on this interface
   ssl.Router2 is up, line protocol is up
     RIP is not enabled on this interface
   vdr2link1 is up, line protocol is up
     Routing Protocol: RIP
       Receive RIPv2 packets only
       Send RIPv2 packets only
     Passive interface: Disabled
     Split horizon: Enabled with Poisoned Reversed
     IP interface address:
       172.20.120.102/24
   vd12link1 is up, line protocol is up
     Routing Protocol: RIP
       Receive RIPv2 packets only
       Send RIPv2 packets only
     Passive interface: Disabled
     Split horizon: Enabled with Poisoned Reversed
     IP interface address:
       10.11.201.102/24
   vd42link1 is up, line protocol is up
     Routing Protocol: RIP
       Receive RIPv2 packets only
       Send RIPv2 packets only
     Passive interface: Disabled
     Split horizon: Enabled with Poisoned Reversed
     IP interface address:
       10.14.201.102/24
   vd23link0 is up, line protocol is up
     Routing Protocol: RIP
       Receive RIPv2 packets only
       Send RIPv2 packets only
     Passive interface: Disabled
     Split horizon: Enabled with Poisoned Reversed
     IP interface address:
       10.12.101.102/24

   RIP starts exchanging routes as soon as the networks are added to the Router2 and Router3 configurations
   because the RIP interfaces are active by default, and start sending and receiving RIP updates when a matching
   interface on the subnet is found. The interface configuration allows the interface settings to be fine-tuned, in this
   case to specify only RIPv2 support.
2. Check the RIP database:
   # get router info rip database
   Codes: R - RIP, Rc - RIP connected, Rs - RIP static, K - Kernel,
          C - Connected, S - Static, O - OSPF, I - IS-IS, B - BGP
        Network            Next Hop         Metric From             If          Time
   R    0.0.0.0/0          172.20.120.5          2 172.20.120.5     vdr2link1   02:55
   Rc   10.11.201.0/24                           1                  vd12link1
   R    10.11.202.0/24     10.12.101.103         2 10.12.101.103    vd23link0   02:33
   Rc   10.12.101.0/24                           1                  vd23link0
   Rc   10.14.201.0/24                           1                  vd42link1
   R    10.14.202.0/24     10.12.101.103         2 10.12.101.103    vd23link0   02:33
   Rc   172.20.120.0/24                          1                  vdr2link1
   R    172.20.121.0/24    10.12.101.103         2 10.12.101.103    vd23link0   02:33

3. Check the routing table:
   # get router info routing-table all
   Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
          O - OSPF, IA - OSPF inter area
          N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
          E1 - OSPF external type 1, E2 - OSPF external type 2
          i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
          * - candidate default
   Routing table for VRF=0
   R*      0.0.0.0/0 [120/2] via 172.20.120.5, vdr2link1, 13:37:23
   C       10.11.201.0/24 is directly connected, vd12link1
   R       10.11.202.0/24 [120/2] via 10.12.101.103, vd23link0, 14:10:01
   C       10.12.101.0/24 is directly connected, vd23link0
   C       10.14.201.0/24 is directly connected, vd42link1
   R       10.14.202.0/24 [120/2] via 10.12.101.103, vd23link0, 14:10:01
   C       172.20.120.0/24 is directly connected, vdr2link1
   R       172.20.121.0/24 [120/2] via 10.12.101.103, vd23link0, 13:20:36

Router2 has learned the default gateway from the ISP router, and has learned of other networks from Router3.
4. If firewall policies are correctly configured, the outside network can be reached:
   # execute ping-options source 10.11.201.102
   # execute ping 8.8.8.8
   PING 8.8.8.8 (8.8.8.8): 56 data bytes
   64 bytes from 8.8.8.8: icmp_seq=0 ttl=115 time=4.5 ms
   64 bytes from 8.8.8.8: icmp_seq=1 ttl=115 time=4.2 ms
   64 bytes from 8.8.8.8: icmp_seq=2 ttl=115 time=4.2 ms
   64 bytes from 8.8.8.8: icmp_seq=3 ttl=115 time=4.2 ms
   64 bytes from 8.8.8.8: icmp_seq=4 ttl=115 time=4.1 ms
   --- 8.8.8.8 ping statistics ---
   5 packets transmitted, 5 packets received, 0% packet loss
   round-trip min/avg/max = 4.1/4.2/4.5 ms

   # execute traceroute 8.8.8.8
   traceroute to 8.8.8.8 (8.8.8.8), 32 hops max, 3 probe packets per hop, 84 byte packets
    1  172.20.120.5  0.101 ms  0.030 ms  0.014 ms
    2  172.16.151.1  0.169 ms  0.144 ms  0.131 ms
    3  * * *

To verify the configuration after Router1 and Router4 have also been configured:

This verification can be done after Router1 and Router4 have been configured. Only Router1's debugs are shown.
1. Check the RIP interface information:
   # get router info rip interface
   Router1 is up, line protocol is up
     RIP is not enabled on this interface
   ssl.Router1 is up, line protocol is up
     RIP is not enabled on this interface
   vd12link0 is up, line protocol is up
     Routing Protocol: RIP
       Receive RIPv2 packets only
       Send RIPv2 packets only
     Passive interface: Disabled
     Split horizon: Enabled with Poisoned Reversed
     IP interface address:
       10.11.201.101/24
   vd13link0 is up, line protocol is up
     Routing Protocol: RIP
       Receive RIPv2 packets only
       Send RIPv2 packets only
     Passive interface: Disabled
     Split horizon: Enabled with Poisoned Reversed
     IP interface address:
       10.11.202.101/24
   LoSales is up, line protocol is up
     Routing Protocol: RIP
       Receive RIPv2 packets only
       Send RIPv2 packets only
     Passive interface: Enabled
     Split horizon: Enabled with Poisoned Reversed
     IP interface address:
       10.11.101.101/24
       127.0.0.1/8

2. Check the RIP database:
   # get router info rip database
   Codes: R - RIP, Rc - RIP connected, Rs - RIP static, K - Kernel,
          C - Connected, S - Static, O - OSPF, I - IS-IS, B - BGP
        Network            Next Hop         Metric From             If          Time
   R    0.0.0.0/0          10.11.202.103         3 10.11.202.103    vd13link0   02:35
   Rc   10.11.101.0/24                           1                  LoSales
   Rc   10.11.201.0/24                           1                  vd12link0
   Rc   10.11.202.0/24                           1                  vd13link0
   R    10.12.101.0/24     10.11.202.103         2 10.11.202.103    vd13link0   02:35
   R    10.14.101.0/24     10.11.202.103         3 10.11.202.103    vd13link0   02:35
   R    10.14.201.0/24     10.11.201.102         2 10.11.201.102    vd12link0   02:30
   R    10.14.202.0/24     10.11.202.103         2 10.11.202.103    vd13link0   02:35
   R    172.20.120.0/24    10.11.201.102         2 10.11.201.102    vd12link0   02:30
   R    172.20.121.0/24    10.11.202.103         2 10.11.202.103    vd13link0   02:35

3. Check the routing table:
   # get router info routing-table all
   Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
          O - OSPF, IA - OSPF inter area
          N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
          E1 - OSPF external type 1, E2 - OSPF external type 2
          i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
          * - candidate default
   Routing table for VRF=0
   R*      0.0.0.0/0 [120/3] via 10.11.202.103, vd13link0, 00:09:42
   C       10.11.101.0/24 is directly connected, LoSales
   C       10.11.201.0/24 is directly connected, vd12link0
   C       10.11.202.0/24 is directly connected, vd13link0
   R       10.12.101.0/24 [120/2] via 10.11.202.103, vd13link0, 00:09:42
   R       10.14.101.0/24 [120/3] via 10.11.202.103, vd13link0, 00:09:42
   R       10.14.201.0/24 [120/2] via 10.11.201.102, vd12link0, 00:09:42
   R       10.14.202.0/24 [120/2] via 10.11.202.103, vd13link0, 00:09:42
   R       172.20.120.0/24 [120/2] via 10.11.201.102, vd12link0, 00:09:42
   R       172.20.121.0/24 [120/2] via 10.11.202.103, vd13link0, 00:09:42

4. If firewall policies are correctly configured, the accounting network and the internet are reachable from the sales
network:
# execute ping-options source 10.11.101.101
# execute ping 10.14.101.104
PING 10.14.101.104 (10.14.101.104): 56 data bytes
64 bytes from 10.14.101.104: icmp_seq=0 ttl=254 time=0.1 ms
64 bytes from 10.14.101.104: icmp_seq=1 ttl=254 time=0.0 ms
64 bytes from 10.14.101.104: icmp_seq=2 ttl=254 time=0.0 ms
64 bytes from 10.14.101.104: icmp_seq=3 ttl=254 time=0.0 ms
64 bytes from 10.14.101.104: icmp_seq=4 ttl=254 time=0.0 ms
--- 10.14.101.104 ping statistics ---
5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max = 0.0/0.0/0.1 ms

# execute traceroute 10.14.101.104


traceroute to 10.14.101.104 (10.14.101.104), 32 hops max, 3 probe packets per hop, 84
byte packets
1 10.11.202.103 0.079 ms 0.029 ms 0.013 ms
2 10.14.101.104 0.043 ms 0.020 ms 0.010 ms

# execute ping 8.8.8.8


PING 8.8.8.8 (8.8.8.8): 56 data bytes
64 bytes from 8.8.8.8: icmp_seq=0 ttl=114 time=4.3 ms
64 bytes from 8.8.8.8: icmp_seq=1 ttl=114 time=4.1 ms
--- 8.8.8.8 ping statistics ---
2 packets transmitted, 2 packets received, 0% packet loss
round-trip min/avg/max = 4.1/4.2/4.3 ms

# execute traceroute 8.8.8.8
traceroute to 8.8.8.8 (8.8.8.8), 32 hops max, 3 probe packets per hop, 84 byte packets
1 10.11.202.103 0.094 ms 0.036 ms 0.030 ms
2 172.20.121.5 0.216 ms 0.045 ms 0.038 ms

Testing the configuration and routing changes

After the network is configured, test it to ensure that when network events occur, such as a downed link, routing updates
are triggered and converge as expected.
In the following examples, we disable certain links to simulate network outages, then verify that routing and connectivity
is restored after the updates have converged.

Example 1 - ISP router port3 interface goes down

In this example, a link outage occurs on port3 of the ISP router. Consequently, all routers must use Router2, and not
Router3, to reach the internet. Note the RIP database before and after the link failure, and the time taken for the route
updates to propagate and return to a functioning state.
Router4's debugs are shown.
Before:
# get router info rip database
Codes: R - RIP, Rc - RIP connected, Rs - RIP static, K - Kernel,
C - Connected, S - Static, O - OSPF, I - IS-IS, B - BGP
Network Next Hop Metric From If Time
R 0.0.0.0/0 10.14.202.103 3 10.14.202.103 vd43link0 02:31
R 10.11.101.0/24 10.14.202.103 3 10.14.202.103 vd43link0 02:31
R 10.11.201.0/24 10.14.201.102 2 10.14.201.102 vd42link0 02:47
R 10.11.202.0/24 10.14.202.103 2 10.14.202.103 vd43link0 02:31
R 10.12.101.0/24 10.14.202.103 2 10.14.202.103 vd43link0 02:31
Rc 10.14.101.0/24 1 LoAccounting
Rc 10.14.201.0/24 1 vd42link0
Rc 10.14.202.0/24 1 vd43link0
R 172.20.120.0/24 10.14.201.102 2 10.14.201.102 vd42link0 02:47
R 172.20.121.0/24 10.14.202.103 2 10.14.202.103 vd43link0 02:31

# get router info routing-table all
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
* - candidate default
Routing table for VRF=0
R* 0.0.0.0/0 [120/3] via 10.14.202.103, vd43link0, 02:45:15
R 10.11.101.0/24 [120/3] via 10.14.202.103, vd43link0, 02:44:49
R 10.11.201.0/24 [120/2] via 10.14.201.102, vd42link0, 02:45:15
R 10.11.202.0/24 [120/2] via 10.14.202.103, vd43link0, 02:45:15
R 10.12.101.0/24 [120/2] via 10.14.202.103, vd43link0, 02:45:15
C 10.14.101.0/24 is directly connected, LoAccounting
C 10.14.201.0/24 is directly connected, vd42link0
C 10.14.202.0/24 is directly connected, vd43link0
R 172.20.120.0/24 [120/2] via 10.14.201.102, vd42link0, 02:45:15
R 172.20.121.0/24 [120/2] via 10.14.202.103, vd43link0, 02:45:15

# execute traceroute 8.8.8.8
traceroute to 8.8.8.8 (8.8.8.8), 32 hops max, 3 probe packets per hop, 84 byte packets
1 10.14.202.103 0.187 ms 0.054 ms 0.030 ms
2 172.20.121.5 0.117 ms 0.062 ms 0.040 ms
3 * * *

After:
• You might see different routes, and the routes might change, while convergence is occurring. During convergence,
the metric for your default route increases to 16.
# get router info rip database
Codes: R - RIP, Rc - RIP connected, Rs - RIP static, K - Kernel,
C - Connected, S - Static, O - OSPF, I - IS-IS, B - BGP
Network Next Hop Metric From If Time
R 0.0.0.0/0 10.14.202.103 16 10.14.202.103 vd43link0 01:50

• After convergence is complete, the RIP database will look similar to the following:
# get router info rip database
Codes: R - RIP, Rc - RIP connected, Rs - RIP static, K - Kernel,
C - Connected, S - Static, O - OSPF, I - IS-IS, B - BGP
Network Next Hop Metric From If Time
R 0.0.0.0/0 10.14.201.102 3 10.14.201.102 vd42link0 02:53
R 10.11.101.0/24 10.14.202.103 3 10.14.202.103 vd43link0 03:00
R 10.11.201.0/24 10.14.201.102 2 10.14.201.102 vd42link0 02:53
R 10.11.202.0/24 10.14.202.103 2 10.14.202.103 vd43link0 03:00
R 10.12.101.0/24 10.14.202.103 2 10.14.202.103 vd43link0 03:00
Rc 10.14.101.0/24 1 LoAccounting
Rc 10.14.201.0/24 1 vd42link0
Rc 10.14.202.0/24 1 vd43link0
R 172.20.120.0/24 10.14.201.102 2 10.14.201.102 vd42link0 02:53

• The default route should point to Router2, with the same number of hops:
# get router info routing-table all
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
* - candidate default
Routing table for VRF=0
R* 0.0.0.0/0 [120/3] via 10.14.201.102, vd42link0, 00:05:24
R 10.11.101.0/24 [120/3] via 10.14.202.103, vd43link0, 02:58:13
R 10.11.201.0/24 [120/2] via 10.14.201.102, vd42link0, 02:58:39
R 10.11.202.0/24 [120/2] via 10.14.202.103, vd43link0, 02:58:39
R 10.12.101.0/24 [120/2] via 10.14.202.103, vd43link0, 02:58:39
C 10.14.101.0/24 is directly connected, LoAccounting
C 10.14.201.0/24 is directly connected, vd42link0
C 10.14.202.0/24 is directly connected, vd43link0
R 172.20.120.0/24 [120/2] via 10.14.201.102, vd42link0, 02:58:39

# execute traceroute 8.8.8.8
traceroute to 8.8.8.8 (8.8.8.8), 32 hops max, 3 probe packets per hop, 84 byte packets
1 10.14.201.102 0.167 ms 0.063 ms 0.029 ms
2 172.20.120.5 0.117 ms 0.073 ms 0.041 ms
3 172.16.151.1 0.303 ms 0.273 ms 0.253 ms

Example 2 - Additional link failures on Router2

In addition to the link failure on the ISP router in Example 1, port1 and port3 on Router2 have also failed. This means that
Router4 must go through Router3, Router1, Router2, then the ISP router to reach the internet. Note that, for a period of
time, some routes' metrics increase to 16. If no better routes are found for these networks, then they eventually
disappear.
After the convergence completes, the RIP database and routing table on Router4 should resemble the following:
# get router info rip database
Codes: R - RIP, Rc - RIP connected, Rs - RIP static, K - Kernel,
C - Connected, S - Static, O - OSPF, I - IS-IS, B - BGP
Network Next Hop Metric From If Time
R 0.0.0.0/0 10.14.202.103 5 10.14.202.103 vd43link0 02:54
R 10.11.101.0/24 10.14.202.103 3 10.14.202.103 vd43link0 02:54
R 10.11.201.0/24 10.14.202.103 3 10.14.202.103 vd43link0 02:54
R 10.11.202.0/24 10.14.202.103 2 10.14.202.103 vd43link0 02:54
Rc 10.14.101.0/24 1 LoAccounting
Rc 10.14.202.0/24 1 vd43link0
R 172.20.120.0/24 10.14.202.103 4 10.14.202.103 vd43link0 02:54

# get router info routing-table all
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
* - candidate default
Routing table for VRF=0
R* 0.0.0.0/0 [120/5] via 10.14.202.103, vd43link0, 00:03:54
R 10.11.101.0/24 [120/3] via 10.14.202.103, vd43link0, 03:10:12
R 10.11.201.0/24 [120/3] via 10.14.202.103, vd43link0, 00:03:54
R 10.11.202.0/24 [120/2] via 10.14.202.103, vd43link0, 03:10:38
C 10.14.101.0/24 is directly connected, LoAccounting
C 10.14.202.0/24 is directly connected, vd43link0
R 172.20.120.0/24 [120/4] via 10.14.202.103, vd43link0, 00:03:54

Reaching the internet on the default gateway now requires five hops from Router4:
# execute traceroute 8.8.8.8
traceroute to 8.8.8.8 (8.8.8.8), 32 hops max, 3 probe packets per hop, 84 byte packets
1 10.14.202.103 0.087 ms 0.026 ms 0.012 ms
2 10.11.202.101 0.045 ms 0.024 ms 0.025 ms
3 10.11.201.102 0.048 ms 0.024 ms 0.015 ms
4 172.20.120.5 0.050 ms 0.028 ms 0.019 ms
5 * * *
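As an added example that is not part of this guide, the following Python script parses the output of get router info rip database and reports which routes are poisoned (metric 16) and whether the default route has settled on the next hop you expect, so the convergence checks in the two examples above can be scripted rather than read by eye. The sample dumps are copied from Router4's output in Example 1; the function and variable names are the example's own.

```python
"""Added example: check FortiOS 'get router info rip database' output for convergence."""
import re

RIP_INFINITY = 16  # RIP metric meaning "unreachable"; routes carry it while being poisoned

# Learned route, e.g. 'R 0.0.0.0/0 10.14.201.102 3 10.14.201.102 vd42link0 02:53'
LEARNED_RE = re.compile(
    r"^R\s+(?P<prefix>\S+/\d+)\s+(?P<nh>\S+)\s+(?P<metric>\d+)\s+\S+\s+(?P<iface>\S+)\s+\S+$"
)
# Directly connected route, e.g. 'Rc 10.14.101.0/24 1 LoAccounting'
CONNECTED_RE = re.compile(r"^Rc\s+(?P<prefix>\S+/\d+)\s+(?P<metric>\d+)\s+(?P<iface>\S+)$")


def parse_rip_database(text):
    """Return {prefix: {"metric": int, "next_hop": str | None, "interface": str}}.
    Header lines ('Codes:', column titles) match neither pattern and are skipped."""
    routes = {}
    for raw in text.splitlines():
        line = raw.strip()
        m = LEARNED_RE.match(line) or CONNECTED_RE.match(line)
        if m:
            routes[m["prefix"]] = {
                "metric": int(m["metric"]),
                "next_hop": m["nh"] if "nh" in m.groupdict() else None,  # None for Rc routes
                "interface": m["iface"],
            }
    return routes


def convergence_report(text, expected_default_nh=None):
    """Converged means: no poisoned (metric >= 16) routes remain, a usable default route
    exists, and (if given) the default route points at the expected next hop."""
    routes = parse_rip_database(text)
    poisoned = sorted(p for p, r in routes.items() if r["metric"] >= RIP_INFINITY)
    default = routes.get("0.0.0.0/0")
    default_ok = (
        default is not None
        and default["metric"] < RIP_INFINITY
        and (expected_default_nh is None or default["next_hop"] == expected_default_nh)
    )
    return {"converged": not poisoned and default_ok, "poisoned": poisoned, "default": default}


# Constructed sample dumps, copied from Router4's output in Example 1: one taken while the
# default route is being poisoned, one after convergence.
DURING_CONVERGENCE = """
Codes: R - RIP, Rc - RIP connected, Rs - RIP static, K - Kernel,
C - Connected, S - Static, O - OSPF, I - IS-IS, B - BGP
Network Next Hop Metric From If Time
R 0.0.0.0/0 10.14.202.103 16 10.14.202.103 vd43link0 01:50
"""
AFTER_CONVERGENCE = """
Network Next Hop Metric From If Time
R 0.0.0.0/0 10.14.201.102 3 10.14.201.102 vd42link0 02:53
R 10.11.101.0/24 10.14.202.103 3 10.14.202.103 vd43link0 03:00
R 10.11.201.0/24 10.14.201.102 2 10.14.201.102 vd42link0 02:53
R 10.11.202.0/24 10.14.202.103 2 10.14.202.103 vd43link0 03:00
R 10.12.101.0/24 10.14.202.103 2 10.14.202.103 vd43link0 03:00
Rc 10.14.101.0/24 1 LoAccounting
Rc 10.14.201.0/24 1 vd42link0
Rc 10.14.202.0/24 1 vd43link0
R 172.20.120.0/24 10.14.201.102 2 10.14.201.102 vd42link0 02:53
"""

if __name__ == "__main__":
    for label, dump in (("during", DURING_CONVERGENCE), ("after", AFTER_CONVERGENCE)):
        # Router2's address on Router4's vd42link0 is the next hop we expect after the ISP failure
        print(label, convergence_report(dump, expected_default_nh="10.14.201.102"))
```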

Basic RIPng example

In this example, a small network is configured with RIP next generation (RIPng). Two FortiGates are connected to the
internal network and the ISP, providing some redundancy to help ensure that the internal network can always reach the
internet.
The FortiGates are running in NAT mode with VDOMs disabled, and firewall policies have already been configured to
allow traffic to flow across the interfaces.
All of the internal computers and other network devices support IPv6 addressing and are running RIPng (where
applicable), so no static routing is required. Internal network devices only need to know the FortiGate's internal interface
network addresses.

Router   Interface (alias)   IPv6 address
Router1  port1 (internal)    2002:A0B:6565:0:0:0:0:0
         port2 (ISP)         2002:AC14:7865:0:0:0:0:0
Router2  port1 (internal)    2002:A0B:6566:0:0:0:0:0
         port2 (ISP)         2002:AC14:7866:0:0:0:0:0

On each FortiGate, the interfaces are configured first, and then RIPng. No redistribution or authentication is configured.
In the RIPng configuration, only the interface names are required. The ISP router and the other FortiGate are configured
as neighbors. Declaring the neighbors reduces the discovery traffic when the routers start. There is no specific command
to include a subnet in the RIP broadcast, and RIPng can only be configured using the CLI.

To configure Router1:

1. Configure the interfaces:
config system interface
    edit port1
        set allowaccess ping https ssh
        set type physical
        set description "Internal RnD network"
        set alias "internal"
        config ipv6
            set ip6-address 2002:a0b:6565::/0
        end
    next
    edit port2
        set allowaccess ping https ssh
        set type physical
        set description "ISP and Internet"
        set alias "ISP"
        config ipv6
            set ip6-address 2002:ac14:7865::/0
        end
    next
end

2. Configure RIPng:
config router ripng
    config neighbor
        edit 1
            set ip6 2002:a0b:6566::
            set interface port1
        next
        edit 2
            set ip6 2002:ac14:7805::
            set interface port2
        next
    end
    config interface
        edit port1
        next
        edit port2
        next
    end
end


To configure Router2:

1. Configure the interfaces:
config system interface
    edit port1
        set allowaccess ping https ssh
        set type physical
        set description "Internal RnD network"
        set alias "internal"
        config ipv6
            set ip6-address 2002:a0b:6566::/0
        end
    next
    edit port2
        set allowaccess ping https ssh
        set type physical
        set description "ISP and Internet"
        set alias "ISP"
        config ipv6
            set ip6-address 2002:ac14:7866::/0
        end
    next
end

2. Configure RIPng:
config router ripng
    config neighbor
        edit 1
            set ip6 2002:a0b:6565::
            set interface port1
        next
        edit 2
            set ip6 2002:ac14:7805::
            set interface port2
        next
    end
    config interface
        edit port1
        next
        edit port2
        next
    end
end

Testing the configuration

The following commands can be used to check the RIPng information on the FortiGates, and can help track down
issues:

To view the local scope IPv6 addresses used as next-hops by RIPng on the FortiGate:

# diagnose ipv6 address list


To view IPv6 addresses that are installed in the routing table:

# diagnose ipv6 route list

To view the IPv6 routing table:

# get router info6 routing-table

This output is similar to that of the diagnose ipv6 route list command, but it is presented in an easier-to-read
format.

To view the brief output on the RIP information for the interface listed:

# get router info6 rip interface external

This includes information such as whether the interface is up or down, which routing protocol is being used, and
whether passive interface or split horizon is enabled.

OSPF

Open Shortest Path First (OSPF) is a link state routing protocol that is commonly used in large enterprise networks with
L3 switches, routers, and firewalls from multiple vendors. It can quickly detect link failures, and converges network traffic
without networking loops. It also has features to control which routes are propagated, allowing for smaller routing tables,
and provides better load balancing on external links when compared to other routing protocols.
To configure OSPF in the GUI, go to Network > OSPF:

Option            Description
Router ID         A unique ID to identify your router in the network, typically in the format x.x.x.x.
Areas             The areas that the router is part of. For each area, define the Area ID, Type, and
                  Authentication method.
Networks          The networks that OSPF is enabled in, and the area that they belong to.
Interfaces        OSPF interfaces for transmitting and receiving packets. Configure interface properties,
                  such as Network Type, Cost, Hello interval, and others.
Advanced Options  Settings for Inject Default Route, Passive Interfaces, and Redistribute. Redistribution
                  can be enabled by protocol, and the metric for each protocol can be configured.

This section includes the following topics:

• Basic OSPF example on page 353
• OSPFv3 neighbor authentication on page 364
• OSPF graceful restart upon a topology change on page 366

Basic OSPF example

In this example, three FortiGate devices are configured in an OSPF network.


• Router1 is the Designated Router (DR). It has the highest priority and the lowest IP address, to ensure that it
becomes the DR.
• Router2 is the Backup Designated Router (BDR). It has a high priority to ensure that it becomes the BDR.
• Router3 is the Autonomous System Border Router (ASBR). It routes all traffic to the ISP BGP router for internet
access. It redistributes routes from BGP and advertises a default route to its neighbors. It can allow different types of
routes, learned outside of OSPF, to be used in OSPF. Different metrics can be assigned to these routes to make
them more or less preferred than regular OSPF routes. Route maps could be used to further control what prefixes
are advertised or received from the ISP.

FortiGate       Interface   IP address
Router1 (DR)    port1       10.11.101.1
                port2       10.11.102.1
                port3       192.168.102.1
Router2 (BDR)   port1       10.11.101.2
                port2       10.11.103.2
                port3       192.168.103.2
Router3 (ASBR)  port1       10.11.102.3
                port2       10.11.103.3
                port3       172.20.120.3

• Firewall policies are already configured to allow unfiltered traffic in both directions between all of the connected
interfaces.
• The interfaces are already configured, and NAT is only used for connections to public networks. The costs for all of
the interfaces are left at 0.
• The OSPF network belongs to Area 0, and is not connected to any other OSPF networks. All of the routers are part
of the backbone 0.0.0.0 area, so no inter-area communications are needed.


• Router3 redistributes BGP routes into the OSPF AS and peers with the ISP BGP Router over eBGP. For information
about configuring BGP, see BGP on page 370.
• The advertised networks - 10.11.101.0, 10.11.102.0, and 10.11.103.0 - are summarized by 10.11.0.0/16. Additional
networks are advertised individually by the /24 subnet.

Router1

To configure Router1 in the GUI:

1. Go to Network > OSPF.
2. Set Router ID to 10.11.101.1.
3. In the Areas table, click Create New and set the following:
   Area ID         0.0.0.0
   Type            Regular
   Authentication  None

4. Click OK.
5. In the Networks table, click Create New and set the following:
   Area        0.0.0.0
   IP/Netmask  10.11.0.0 255.255.0.0

6. Click OK.
7. In the Networks table, click Create New again and set the following:
   Area        0.0.0.0
   IP/Netmask  192.168.102.0 255.255.255.0

8. Click OK.
9. In the Interfaces table, click Create New and set the following:
   Name            Router1-Internal-DR
   Interface       port1
   Cost            0
   Priority        255
   Authentication  None
   Timers          Hello Interval: 10, Dead Interval: 40

10. Click OK.
11. In the Interfaces table, click Create New again and set the following:
   Name            Router1-External
   Interface       port2
   Cost            0
   Authentication  None
   Timers          Hello Interval: 10, Dead Interval: 40

12. Click OK.
13. Click Apply.

To configure Router1 in the CLI:

config router ospf
    set router-id 10.11.101.1
    config area
        edit 0.0.0.0
        next
    end
    config ospf-interface
        edit "Router1-Internal-DR"
            set interface "port1"
            set priority 255
            set dead-interval 40
            set hello-interval 10
        next
        edit "Router1-External"
            set interface "port2"
            set dead-interval 40
            set hello-interval 10
        next
    end
    config network
        edit 1
            set prefix 10.11.0.0 255.255.0.0
        next
        edit 2
            set prefix 192.168.102.0 255.255.255.0
        next
    end
end

Router2

To configure Router2 in the GUI:

1. Go to Network > OSPF.
2. Set Router ID to 10.11.101.2.
3. In the Areas table, click Create New and set the following:
   Area ID         0.0.0.0
   Type            Regular
   Authentication  None


4. Click OK.
5. In the Networks table, click Create New and set the following:
   Area        0.0.0.0
   IP/Netmask  10.11.0.0 255.255.0.0

6. Click OK.
7. In the Networks table, click Create New again and set the following:
   Area        0.0.0.0
   IP/Netmask  192.168.103.0 255.255.255.0

8. Click OK.
9. In the Interfaces table, click Create New and set the following:
   Name            Router2-Internal
   Interface       port1
   Cost            0
   Priority        250
   Authentication  None
   Timers          Hello Interval: 10, Dead Interval: 40

10. Click OK.
11. In the Interfaces table, click Create New again and set the following:
   Name            Router2-External
   Interface       port2
   Cost            0
   Authentication  None
   Timers          Hello Interval: 10, Dead Interval: 40

12. Click OK.
13. Click Apply.

To configure Router2 in the CLI:

config router ospf
    set router-id 10.11.101.2
    config area
        edit 0.0.0.0
        next
    end
    config ospf-interface
        edit "Router2-Internal"
            set interface "port1"
            set priority 250
            set dead-interval 40
            set hello-interval 10
        next
        edit "Router2-External"
            set interface "port2"
            set dead-interval 40
            set hello-interval 10
        next
    end
    config network
        edit 1
            set prefix 10.11.0.0 255.255.0.0
        next
        edit 2
            set prefix 192.168.103.0 255.255.255.0
        next
    end
end

Router3

To configure Router3 in the GUI:

1. Go to Network > OSPF.
2. Set Router ID to 10.11.103.3.
3. Under Default Settings, set Inject default route to Regular Areas.
A default route must be present on Router3 to advertise it to other routers.
4. Enable Redistribute BGP and use the default settings.
5. In the Areas table, click Create New and set the following:
   Area ID         0.0.0.0
   Type            Regular
   Authentication  None

6. Click OK.
7. In the Networks table, click Create New and set the following:
   Area        0.0.0.0
   IP/Netmask  10.11.0.0 255.255.0.0

8. Click OK.
9. In the Interfaces table, click Create New and set the following:
   Name            Router3-Internal
   Interface       port1
   Cost            0
   Authentication  None
   Timers          Hello Interval: 10, Dead Interval: 40

10. Click OK.
11. In the Interfaces table, click Create New again and set the following:
   Name            Router3-Internal2
   Interface       port2
   Cost            0
   Authentication  None
   Timers          Hello Interval: 10, Dead Interval: 40

12. Click OK.
13. Click Apply.

To configure Router3 in the CLI:

config router ospf
    set default-information-originate enable
    set router-id 10.11.103.3
    config area
        edit 0.0.0.0
        next
    end
    config ospf-interface
        edit "Router3-Internal"
            set interface "port1"
            set dead-interval 40
            set hello-interval 10
        next
        edit "Router3-Internal2"
            set interface "port2"
            set dead-interval 40
            set hello-interval 10
        next
    end
    config network
        edit 1
            set prefix 10.11.0.0 255.255.0.0
        next
    end
    config redistribute "bgp"
        set status enable
    end
end


To configure BGP on Router3 in the CLI:

config router bgp
    set as 64511
    set router-id 1.1.1.1
    config neighbor
        edit "172.20.120.5"
            set remote-as 64512
        next
    end
    config network
        edit 1
            set prefix 172.20.120.0 255.255.255.0
        next
    end
end

For more information on configuring BGP, see BGP on page 370.

Testing the configuration

Both the network connectivity and OSPF routing are tested. When a link goes down, routes should converge as
expected.

Working state

• Router3:
Router3 # get router info ospf neighbor
OSPF process 0, VRF 0:
Neighbor ID Pri State Dead Time Address Interface
10.11.101.1 1 Full/Backup 00:00:34 10.11.102.1 port1
10.11.101.2 1 Full/Backup 00:00:38 10.11.103.2 port2

Router3 # get router info ospf status
Routing Process "ospf 0" with ID 10.11.103.3
Process uptime is 18 hours 52 minutes
Process bound to VRF default
Conforms to RFC2328, and RFC1583Compatibility flag is disabled
Supports only single TOS(TOS0) routes
Supports opaque LSA
Do not support Restarting
This router is an ASBR (injecting external routing information)
SPF schedule delay 5 secs, Hold time between two SPFs 10 secs
Refresh timer 10 secs
Number of incomming current DD exchange neighbors 0/5
Number of outgoing current DD exchange neighbors 0/5
Number of external LSA 3. Checksum 0x021B78
Number of opaque AS LSA 0. Checksum 0x000000
Number of non-default external LSA 2
External LSA database is unlimited.
Number of LSA originated 16
Number of LSA received 100
Number of areas attached to this router: 1
Area 0.0.0.0 (BACKBONE)
Number of interfaces in this area is 2(2)
Number of fully adjacent neighbors in this area is 2
Area has no authentication
SPF algorithm last executed 00:37:36.690 ago
SPF algorithm executed 13 times
Number of LSA 6. Checksum 0x03eafa

Router3 # get router info routing-table all
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
* - candidate default
Routing table for VRF=0
B* 0.0.0.0/0 [20/0] via 172.20.120.5, port3, 01:10:12
O 10.11.101.0/24 [110/2] via 10.11.103.2, port2, 00:39:34
[110/2] via 10.11.102.1, port1, 00:39:34
C 10.11.102.0/24 is directly connected, port1
C 10.11.103.0/24 is directly connected, port2
C 172.20.120.0/24 is directly connected, port3
O 192.168.102.0/24 [110/2] via 10.11.102.1, port1, 02:24:59
O 192.168.103.0/24 [110/2] via 10.11.103.2, port2, 02:14:32
B 192.168.160.0/24 [20/0] via 172.20.120.5, port3, 19:08:39
B 192.168.170.0/24 [20/0] via 172.20.120.5, port3, 01:10:12

• Router2:
Router2 # get router info ospf neighbor
OSPF process 0, VRF 0:
Neighbor ID Pri State Dead Time Address Interface
10.11.101.1 255 Full/DR 00:00:35 10.11.101.1 port1
10.11.103.3 1 Full/DR 00:00:38 10.11.103.3 port3

Router2 # get router info ospf status
Routing Process "ospf 0" with ID 10.11.101.2
Process uptime is 2 hours 53 minutes
Process bound to VRF default
Conforms to RFC2328, and RFC1583Compatibility flag is disabled
Supports only single TOS(TOS0) routes
Supports opaque LSA
Do not support Restarting
SPF schedule delay 5 secs, Hold time between two SPFs 10 secs
Refresh timer 10 secs
Number of incomming current DD exchange neighbors 0/5
Number of outgoing current DD exchange neighbors 0/5
Number of external LSA 3. Checksum 0x021979
Number of opaque AS LSA 0. Checksum 0x000000
Number of non-default external LSA 2
External LSA database is unlimited.
Number of LSA originated 5
Number of LSA received 128
Number of areas attached to this router: 1
Area 0.0.0.0 (BACKBONE)
Number of interfaces in this area is 3(3)
Number of fully adjacent neighbors in this area is 2
Area has no authentication
SPF algorithm last executed 00:47:49.990 ago
SPF algorithm executed 15 times
Number of LSA 6. Checksum 0x03e8fb

Router2 # get router info routing-table all
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
* - candidate default
Routing table for VRF=0
O*E2 0.0.0.0/0 [110/10] via 10.11.103.3, port2, 01:03:58
C 10.11.101.0/24 is directly connected, port1
O 10.11.102.0/24 [110/2] via 10.11.103.3, port2, 00:49:01
[110/2] via 10.11.101.1, port1, 00:49:01
C 10.11.103.0/24 is directly connected, port2
O 192.168.102.0/24 [110/2] via 10.11.101.1, port1, 00:49:01
C 192.168.103.0/24 is directly connected, port3
O E2 192.168.160.0/24 [110/10] via 10.11.103.3, port2, 01:39:31
O E2 192.168.170.0/24 [110/10] via 10.11.103.3, port2, 01:19:39

The default route advertised by Router3 using default-information-originate is considered an OSPF E2 route. Other
routes redistributed from BGP are also E2 routes.
• Router1:
Router1 # get router info ospf neighbor
OSPF process 0, VRF 0:
Neighbor ID Pri State Dead Time Address Interface
10.11.101.2 250 Full/Backup 00:00:36 10.11.101.2 port1
10.11.103.3 1 Full/DR 00:00:37 10.11.102.3 port2

Router1 # get router info ospf status
Routing Process "ospf 0" with ID 10.11.101.1
Process uptime is 3 hours 7 minutes
Process bound to VRF default
Conforms to RFC2328, and RFC1583Compatibility flag is disabled
Supports only single TOS(TOS0) routes
Supports opaque LSA
Do not support Restarting
SPF schedule delay 5 secs, Hold time between two SPFs 10 secs
Refresh timer 10 secs
Number of incomming current DD exchange neighbors 0/5
Number of outgoing current DD exchange neighbors 0/5
Number of external LSA 3. Checksum 0x02157B
Number of opaque AS LSA 0. Checksum 0x000000
Number of non-default external LSA 2
External LSA database is unlimited.
Number of LSA originated 2
Number of LSA received 63
Number of areas attached to this router: 1
Area 0.0.0.0 (BACKBONE)
Number of interfaces in this area is 3(3)
Number of fully adjacent neighbors in this area is 2
Area has no authentication
SPF algorithm last executed 00:54:08.160 ago
SPF algorithm executed 11 times
Number of LSA 6. Checksum 0x03e6fc


Router1 # get router info routing-table all
Routing table for VRF=0
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
* - candidate default
O*E2 0.0.0.0/0 [110/10] via 10.11.102.3, port2, 01:09:48
C 10.11.101.0/24 is directly connected, port1
C 10.11.102.0/24 is directly connected, port2
O 10.11.103.0/24 [110/2] via 10.11.102.3, port2, 00:54:49
[110/2] via 10.11.101.2, port1, 00:54:49
C 192.168.102.0/24 is directly connected, port3
O 192.168.103.0/24 [110/2] via 10.11.101.2, port1, 00:54:49
O E2 192.168.160.0/24 [110/10] via 10.11.102.3, port2, 01:45:21
O E2 192.168.170.0/24 [110/10] via 10.11.102.3, port2, 01:25:29

Link down state

If port1 is disconnected on Router3:

• Router3:
Router3 # get router info routing-table all
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
* - candidate default
Routing table for VRF=0
B* 0.0.0.0/0 [20/0] via 172.20.120.5, VLAN20, 01:29:25
O 10.11.101.0/24 [110/2] via 10.11.103.2, port2, 00:00:09
C 10.11.103.0/24 is directly connected, port2
C 172.20.120.0/24 is directly connected, port3
O 192.168.102.0/24 [110/3] via 10.11.103.2, port2, 00:00:09
O 192.168.103.0/24 [110/2] via 10.11.103.2, port2, 02:33:45
B 192.168.160.0/24 [20/0] via 172.20.120.5, port3, 19:27:52
B 192.168.170.0/24 [20/0] via 172.20.120.5, port3, 01:29:25

• Router2:
Router2 # get router info routing-table all
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
* - candidate default
Routing table for VRF=0
O*E2 0.0.0.0/0 [110/10] via 10.11.103.3, port2, 01:16:36
C 10.11.101.0/24 is directly connected, port1
O 10.11.102.0/24 [110/2] via 10.11.101.1, port1, 00:02:27
C 10.11.103.0/24 is directly connected, port2
O 192.168.102.0/24 [110/2] via 10.11.101.1, port1, 01:01:39
C 192.168.103.0/24 is directly connected, port3
O E2 192.168.160.0/24 [110/10] via 10.11.103.3, port2, 01:52:09
O E2 192.168.170.0/24 [110/10] via 10.11.103.3, port2, 01:32:17

• Router1:
Router1 # get router info routing-table all
Routing table for VRF=0
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
* - candidate default
O*E2 0.0.0.0/0 [110/10] via 10.11.101.2, port1, 00:05:14
C 10.11.101.0/24 is directly connected, port1
C 10.11.102.0/24 is directly connected, port2
O 10.11.103.0/24 [110/2] via 10.11.101.2, port1, 00:05:15
C 192.168.102.0/24 is directly connected, port3
O 192.168.103.0/24 [110/2] via 10.11.101.2, port1, 01:03:50
O E2 192.168.160.0/24 [110/10] via 10.11.101.2, port1, 00:05:14
O E2 192.168.170.0/24 [110/10] via 10.11.101.2, port1, 00:05:14
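The RIP link-failure examples and this OSPF link-down test both come down to comparing two get router info routing-table all snapshots: did the default route move, did an equal-cost path disappear, was a prefix withdrawn. As an added example that is not part of this guide, the Python script below parses that output (including the indented ECMP continuation lines) and reports exactly those differences; the sample snapshots are copied from Router1's working and link-down outputs above, and the function names are the example's own.

```python
"""Added example: parse FortiOS 'get router info routing-table all' output and diff two snapshots."""
import re

# Learned route. The code column can be 'R*', 'B', 'O*E2' or 'O E2', so the regex
# allows an optional '*' and an optional external-type suffix.
ROUTE_RE = re.compile(
    r"^(?P<code>[A-Z]\*?(?:\s?[A-Z]\d)?)\s+(?P<prefix>\d+(?:\.\d+){3}/\d+)\s+"
    r"\[(?P<ad>\d+)/(?P<metric>\d+)\]\s+via\s+(?P<nh>\S+),\s+(?P<iface>\S+),"
)
# Connected route, e.g. 'C 10.11.101.0/24 is directly connected, port1'
CONNECTED_RE = re.compile(
    r"^(?P<code>[A-Z])\s+(?P<prefix>\d+(?:\.\d+){3}/\d+)\s+is directly connected,\s+(?P<iface>\S+)"
)
# ECMP continuation line belonging to the previous prefix, e.g. '[110/2] via 10.11.101.2, port1, 00:54:49'
ECMP_RE = re.compile(r"^\[(?P<ad>\d+)/(?P<metric>\d+)\]\s+via\s+(?P<nh>\S+),\s+(?P<iface>\S+),")


def parse_routing_table(text):
    """Return {prefix: {"code", "ad", "metric", "next_hops": [(next_hop, interface), ...]}}.
    Connected routes use next_hop None. The uptime column is deliberately not kept,
    because it differs between any two snapshots and would hide the real changes."""
    table, last = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if m := ROUTE_RE.match(line):
            last = table[m["prefix"]] = {"code": m["code"], "ad": int(m["ad"]),
                                          "metric": int(m["metric"]),
                                          "next_hops": [(m["nh"], m["iface"])]}
        elif m := CONNECTED_RE.match(line):
            last = table[m["prefix"]] = {"code": m["code"], "ad": 0, "metric": 0,
                                          "next_hops": [(None, m["iface"])]}
        elif (m := ECMP_RE.match(line)) and last is not None:
            last["next_hops"].append((m["nh"], m["iface"]))  # extra equal-cost path
    return table


def default_gateway(table):
    """Return (next_hop, interface, code) of the default route, or None if there is none."""
    route = table.get("0.0.0.0/0")
    if route is None:
        return None
    next_hop, iface = route["next_hops"][0]
    return next_hop, iface, route["code"]


def diff_tables(before, after):
    """Describe how each prefix changed between two snapshots."""
    changes = {}
    for prefix in sorted(set(before) | set(after)):
        b, a = before.get(prefix), after.get(prefix)
        if b is None:
            changes[prefix] = "added"
        elif a is None:
            changes[prefix] = "withdrawn"
        elif b["next_hops"] != a["next_hops"]:
            changes[prefix] = "next-hop changed"  # also covers ECMP paths appearing or vanishing
        elif (b["code"], b["ad"], b["metric"]) != (a["code"], a["ad"], a["metric"]):
            changes[prefix] = "metric changed"
    return changes


# Constructed samples, copied from Router1's outputs in the OSPF example above.
ROUTER1_WORKING = """
Routing table for VRF=0
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
O*E2 0.0.0.0/0 [110/10] via 10.11.102.3, port2, 01:09:48
C 10.11.101.0/24 is directly connected, port1
C 10.11.102.0/24 is directly connected, port2
O 10.11.103.0/24 [110/2] via 10.11.102.3, port2, 00:54:49
[110/2] via 10.11.101.2, port1, 00:54:49
C 192.168.102.0/24 is directly connected, port3
O 192.168.103.0/24 [110/2] via 10.11.101.2, port1, 00:54:49
O E2 192.168.160.0/24 [110/10] via 10.11.102.3, port2, 01:45:21
O E2 192.168.170.0/24 [110/10] via 10.11.102.3, port2, 01:25:29
"""
ROUTER1_PORT1_DOWN = """
O*E2 0.0.0.0/0 [110/10] via 10.11.101.2, port1, 00:05:14
C 10.11.101.0/24 is directly connected, port1
C 10.11.102.0/24 is directly connected, port2
O 10.11.103.0/24 [110/2] via 10.11.101.2, port1, 00:05:15
C 192.168.102.0/24 is directly connected, port3
O 192.168.103.0/24 [110/2] via 10.11.101.2, port1, 01:03:50
O E2 192.168.160.0/24 [110/10] via 10.11.101.2, port1, 00:05:14
O E2 192.168.170.0/24 [110/10] via 10.11.101.2, port1, 00:05:14
"""

if __name__ == "__main__":
    before = parse_routing_table(ROUTER1_WORKING)
    after = parse_routing_table(ROUTER1_PORT1_DOWN)
    print("default gateway before:", default_gateway(before))
    print("default gateway after: ", default_gateway(after))
    for prefix, what in diff_tables(before, after).items():
        print(f"{prefix:18} {what}")
```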

OSPFv3 neighbor authentication

OSPFv3 neighbor authentication is available for enhanced IPv6 security.

To configure an OSPF6 interface:

config router ospf6
    config ospf6-interface
        edit <name>
            set authentication {none | ah | esp | area}
            set key-rollover-interval <integer>
            set ipsec-auth-alg {md5 | sha1 | sha256 | sha384 | sha512}
            set ipsec-enc-alg {null | des | 3des | aes128 | aes192 | aes256}
            config ipsec-keys
                edit <spi>
                    set auth-key <string>
                    set enc-key <string>
                next
            end
        next
    end
end

To configure an OSPF6 virtual link:

config router ospf6
    config area
        edit <id>
            config virtual-link
                edit <name>
                    set authentication {none | ah | esp | area}
                    set key-rollover-interval <integer>
                    set ipsec-auth-alg {md5 | sha1 | sha256 | sha384 | sha512}
                    set ipsec-enc-alg {null | des | 3des | aes128 | aes192 | aes256}
                    config ipsec-keys
                        edit <spi>
                            set auth-key <string>
                            set enc-key <string>
                        next
                    end
                next
            end
        next
    end
end

To configure an OSPF6 area:

config router ospf6
    config area
        edit <id>
            set authentication {none | ah | esp}
            set key-rollover-interval <integer>
            set ipsec-auth-alg {md5 | sha1 | sha256 | sha384 | sha512}
            set ipsec-enc-alg {null | des | 3des | aes128 | aes192 | aes256}
            config ipsec-keys
                edit <spi>
                    set auth-key <string>
                    set enc-key <string>
                next
            end
        next
    end
end

CLI command descriptions

<id>
    Area entry IP address.

authentication {none | ah | esp | area}
    Authentication mode:
    • none: Disable authentication
    • ah: Authentication Header
    • esp: Encapsulating Security Payload
    • area: Use the routing area authentication configuration

key-rollover-interval <integer>
    Enter an integer value (300 - 216000, default = 300).

ipsec-auth-alg {md5 | sha1 | sha256 | sha384 | sha512}
    Authentication algorithm.

ipsec-enc-alg {null | des | 3des | aes128 | aes192 | aes256}
    Encryption algorithm.

<spi>
    Security Parameters Index.

auth-key <string>
    Authentication key, given as hexadecimal digits. Key length for each algorithm:
    • MD5: 16 bytes
    • SHA1: 20 bytes
    • SHA256: 32 bytes
    • SHA384: 48 bytes
    • SHA512: 84 bytes
    If the key is shorter than the required length, it is padded with zeroes.

enc-key <string>
    Encryption key, given as hexadecimal digits. Key length for each algorithm:
    • DES: 8 bytes
    • 3DES: 24 bytes
    • AES128: 16 bytes
    • AES192: 24 bytes
    • AES256: 32 bytes
    If the key is shorter than the required length, it is padded with zeroes.

OSPF graceful restart upon a topology change

In OSPF graceful restart mode, the restart-on-topology-change option keeps the restarting router in graceful
restart mode when a topology change is detected during a restart.
config router ospf
set restart-on-topology-change {enable | disable}
end

The same option is available for OSPFv3 graceful restart in OSPF6:
config router ospf6
set restart-on-topology-change {enable | disable}
end

Example

In this example, a restarting router (one of the FG-300Es in the HA cluster) informs its neighbors using grace LSAs
before restarting its OSPF process. When the helper router (the FG-601E) receives the grace LSAs, it enters helper
mode to help with the graceful restart until the grace period expires. It acts as though there are no changes on the
restarting router (FG-300E). A generic router simulates a topology change during the restart event.
If restart-on-topology-change is enabled on the restarting router, it will not exit graceful restart mode even
when a topology change is detected.
If restart-on-topology-change is disabled on the restarting router, it will exit graceful restart mode when a
topology change is detected.

To configure the restarting router:

config router ospf
set router-id 31.1.1.1
set restart-mode graceful-restart
set restart-period 180
set restart-on-topology-change enable
config area
edit 0.0.0.0
next
end
config network
edit 1
set prefix 172.16.200.0 255.255.255.0
next
edit 2
set prefix 31.1.1.1 255.255.255.255
next
end
end

To configure the helper router:

config router ospf
set router-id 3.3.3.3
set restart-mode graceful-restart
config area
edit 0.0.0.0
next
end
config network
edit 1
set prefix 172.16.200.0 255.255.255.0
next
edit 2
set prefix 3.3.3.3 255.255.255.255
next
end
end

Testing the configuration

Topology change with continuing graceful restart enabled:

When restart-on-topology-change is enabled and there is a topology change during the HA OSPF graceful
restart, the graceful restart will continue. The routes on the helper router (FG-601E) are still there and no traffic will drop.
# get router info ospf neighbor
OSPF process 0, VRF 0:
Neighbor ID Pri State Dead Time Address Interface
31.1.1.1 1 Full/DR 00:14:47* 172.16.200.31 port1

# get router info routing-table ospf
Routing table for VRF=0
O 21.21.21.21/32 [110/300] via 172.16.200.31, port1, 00:09:55
O 31.1.1.1/32 [110/200] via 172.16.200.31, port1, 00:55:31
O 100.21.1.0/24 [110/200] via 172.16.200.31, port1, 00:12:31

# get router info ospf neighbor
OSPF process 0, VRF 0:
Neighbor ID Pri State Dead Time Address Interface
31.1.1.1 1 Full/DR 00:14:47* 172.16.200.31 port1

# get router info routing-table ospf
Routing table for VRF=0
O 21.21.21.21/32 [110/300] via 172.16.200.31, port1, 00:10:07
O 31.1.1.1/32 [110/200] via 172.16.200.31, port1, 00:55:43
O 100.21.1.0/24 [110/200] via 172.16.200.31, port1, 00:12:43

# get router info ospf neighbor
OSPF process 0, VRF 0:
Neighbor ID Pri State Dead Time Address Interface
31.1.1.1 1 Full/DR 00:14:38* 172.16.200.31 port1

# get router info routing-table ospf
Routing table for VRF=0
O 21.21.21.21/32 [110/300] via 172.16.200.31, port1, 00:10:17
O 31.1.1.1/32 [110/200] via 172.16.200.31, port1, 00:55:53
O 100.21.1.0/24 [110/200] via 172.16.200.31, port1, 00:12:53

# get router info ospf neighbor
OSPF process 0, VRF 0:
Neighbor ID Pri State Dead Time Address Interface
31.1.1.1 1 Full/DR 00:00:38 172.16.200.31 port1

# get router info routing-table ospf
Routing table for VRF=0
O 21.21.21.21/32 [110/300] via 172.16.200.31, port1, 00:10:37
O 31.1.1.1/32 [110/200] via 172.16.200.31, port1, 00:56:13
O 100.21.1.0/24 [110/200] via 172.16.200.31, port1, 00:13:13

Topology change with continuing graceful restart disabled:

When restart-on-topology-change is disabled and there is a topology change during the HA OSPF graceful
restart, the graceful restart will exit. The routes on the helper router (FG-601E) are lost and traffic will drop.
# get router info ospf neighbor
OSPF process 0, VRF 0:
Neighbor ID Pri State Dead Time Address Interface
31.1.1.1 1 Full/DR 00:14:57* 172.16.200.31 port1

# get router info routing-table ospf
Routing table for VRF=0
O 21.21.21.21/32 [110/300] via 172.16.200.31, port1, 00:11:16
O 31.1.1.1/32 [110/200] via 172.16.200.31, port1, 00:56:52
O 100.21.1.0/24 [110/200] via 172.16.200.31, port1, 00:13:52

# get router info ospf neighbor
OSPF process 0, VRF 0:
Neighbor ID Pri State Dead Time Address Interface
31.1.1.1 1 Full/DR 00:14:42* 172.16.200.31 port1

# get router info routing-table ospf
Routing table for VRF=0
O 21.21.21.21/32 [110/300] via 172.16.200.31, port1, 00:11:31
O 31.1.1.1/32 [110/200] via 172.16.200.31, port1, 00:57:07
O 100.21.1.0/24 [110/200] via 172.16.200.31, port1, 00:14:07

# get router info ospf neighbor
OSPF process 0, VRF 0:
Neighbor ID Pri State Dead Time Address Interface
31.1.1.1 1 Full/DR 00:14:40* 172.16.200.31 port1

No routes are lost:
# get router info routing-table ospf
Routing table for VRF=0
O 31.1.1.1/32 [110/200] via 172.16.200.31, port1, 00:57:09

# get router info ospf neighbor
OSPF process 0, VRF 0:
Neighbor ID Pri State Dead Time Address Interface
31.1.1.1 1 Full/DR 00:14:38* 172.16.200.31 port1

No routes are lost:
# get router info routing-table ospf
Routing table for VRF=0
O 31.1.1.1/32 [110/200] via 172.16.200.31, port1, 00:57:11

No routes are lost:
# get router info routing-table ospf
Routing table for VRF=0
O 21.21.21.21/32 [110/300] via 172.16.200.31, port1, 00:04:42
O 31.1.1.1/32 [110/200] via 172.16.200.31, port1, 01:01:59
O 100.21.1.0/24 [110/200] via 172.16.200.31, port1, 00:04:42
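The snapshot comparison done by eye in the two test runs above can be automated. The following Python script is an added example, not part of the Fortinet guide: it parses successive get router info routing-table ospf outputs taken on the helper router during the restart and reports which prefixes disappeared and when they came back, which is the observable difference between the enabled and disabled cases. The two snapshot series are constructed from the outputs above; route ages in them are not meaningful.

```python
import re

# One route line from "get router info routing-table ospf", for example
# "O 21.21.21.21/32 [110/300] via 172.16.200.31, port1, 00:09:55"
ROUTE_RE = re.compile(
    r"^O\s+(?P<prefix>\S+)\s+\[(?P<distance>\d+)/(?P<metric>\d+)\]\s+via\s+"
    r"(?P<next_hop>\S+),\s+(?P<iface>\S+),\s+(?P<age>[\d:]+)$"
)


def parse_ospf_routes(text):
    """Map each OSPF prefix to (next_hop, interface, metric) from one command output."""
    routes = {}
    for line in text.splitlines():
        m = ROUTE_RE.match(line.strip())
        if m:
            routes[m["prefix"]] = (m["next_hop"], m["iface"], int(m["metric"]))
    return routes


def diff_snapshots(snapshots):
    """Compare consecutive snapshots of the OSPF routing table.

    Returns a list of (snapshot_index, lost_prefixes, restored_prefixes) for every
    step where the set of prefixes changed. An empty list means the table was stable.
    """
    parsed = [parse_ospf_routes(s) for s in snapshots]
    events = []
    for i in range(1, len(parsed)):
        before, after = set(parsed[i - 1]), set(parsed[i])
        lost, restored = sorted(before - after), sorted(after - before)
        if lost or restored:
            events.append((i, lost, restored))
    return events


def graceful_restart_held(snapshots):
    """True when the helper kept every prefix through the whole series (the enabled
    case above); False if any prefix dropped out, even briefly."""
    return not any(lost for _, lost, _ in diff_snapshots(snapshots))


# Constructed snapshots modelled on the outputs above.
FULL = """\
Routing table for VRF=0
O 21.21.21.21/32 [110/300] via 172.16.200.31, port1, 00:11:16
O 31.1.1.1/32 [110/200] via 172.16.200.31, port1, 00:56:52
O 100.21.1.0/24 [110/200] via 172.16.200.31, port1, 00:13:52
"""
ONLY_ROUTER_ID = """\
Routing table for VRF=0
O 31.1.1.1/32 [110/200] via 172.16.200.31, port1, 00:57:09
"""

# With the option enabled the table never changes; with it disabled two prefixes
# vanish mid-restart and return once the restarting router has re-converged.
ENABLED_RUN = [FULL, FULL, FULL, FULL]
DISABLED_RUN = [FULL, FULL, ONLY_ROUTER_ID, ONLY_ROUTER_ID, FULL]

if __name__ == "__main__":
    for name, run in (("enabled", ENABLED_RUN), ("disabled", DISABLED_RUN)):
        print(name, "held" if graceful_restart_held(run) else diff_snapshots(run))
```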

BGP

Border Gateway Protocol (BGP) is a standardized routing protocol that is used to route traffic across the internet. It
exchanges routing information between Autonomous Systems (AS) on the internet and makes routing decisions based
on path, network policies, and rule sets. BGP contains two distinct subsets: internal BGP (iBGP) and external BGP
(eBGP). iBGP is intended for use within your own networks. eBGP is used to connect different networks together and is
the main routing protocol for the internet backbone.
To configure BGP in the GUI, go to Network > BGP:

Option Description

Local AS The AS number for the local router.

Router ID A unique ID to identify your router in the network, typically in the format x.x.x.x.

Neighbors The neighbors that the FortiGate will be peering with. Configure the remote
router's AS number, any other properties used for peering with the neighbor, and
IPv4 and IPv6 filtering.

Neighbor Groups The neighbor groups that share the same outbound policy configurations.

Neighbor Ranges The source address range of BGP neighbors that will be automatically assigned
to a neighbor group.

IPv4 & IPv6 Networks The networks to be advertised to other BGP routers.

IPv4 & IPv6 Redistribute Enable redistribution by protocol. Specify either All routes, or Filter by route map.

Dampening Enable route flap dampening to reduce the propagation of flapping routes.

Graceful Restart Enable BGP graceful restart, which causes the adjacent routers to keep routes
active while the BGP peering is restarted on the FortiGate. This is useful in HA
instances when failover occurs.

Advanced Options Various advanced settings, such as Local Preference, Distance internal,
Keepalive, Holdtime, and others.

Best Path Selection Configure path selection attributes on this router.

This section includes the following topics:
• Basic BGP example on page 371
• Route filtering with a distribution list on page 379
• Next hop recursive resolution using other BGP routes on page 383
• Next hop recursive resolution using ECMP routes on page 384
• BGP conditional advertisement on page 385
• BGP error handling per RFC 7606 on page 391
• BGP next hop tag-match mode on page 393
• Troubleshooting BGP on page 399

Basic BGP example

In this example, BGP is configured on two FortiGate devices. The FortiGates are geographically separated, and form
iBGP peering over a VPN connection. FGT_A also forms eBGP peering with ISP2.
FGT_A learns routes from ISP2 and redistributes them to FGT_B while preventing any iBGP routes from being
advertised.
The internal networks behind the FortiGates can communicate with each other, and the internal networks behind FGT_B
can traverse FGT_A to reach networks that are advertised by ISP2.

• FGT_A and FGT_B have static routes to each other through ISP1. ISP1 does not participate in BGP.
• The IPsec VPN tunnel between FGT_A and FGT_B is configured with wildcard 0.0.0.0/0 networks for phase2 local
and remote selectors. The VPN interfaces have IP addresses already configured and are used for peering between
FGT_A and FGT_B.
• FGT_A is configured to peer with ISP2 on 10.10.108.86.
• The firewall policies between FGT_A and FGT_B are not NATed. The firewall policies egressing on wan2 are
NATed.

Configuring iBGP peering

To configure FGT_A to establish iBGP peering with FGT_B in the GUI:

1. Go to Network > BGP.
2. Set Local AS to 64511.
3. Set Router ID to 1.1.1.1.
4. In the Neighbors table, click Create New and set the following:

IP 10.100.201.88

Remote AS 64511

5. Click OK.
6. Under Networks, set IP/Netmask to 192.168.86.0/24.
7. Click Apply.
8. In the CLI, set the interface used as the source IP address of the TCP connection (where the BGP session,
TCP/179, is connecting from) for the neighbor (update-source) to toFGTB.

To configure FGT_A to establish iBGP peering with FGT_B in the CLI:

config router bgp
set as 64511
set router-id 1.1.1.1
config neighbor
edit "10.100.201.88"
set remote-as 64511
set update-source "toFGTB"
next
end
config network
edit 1
set prefix 192.168.86.0 255.255.255.0
next
end
end

To configure FGT_B to establish iBGP peering with FGT_A in the GUI:

1. Go to Network > BGP.
2. Set Local AS to 64511.
3. Set Router ID to 2.2.2.2.
4. In the Neighbors table, click Create New and set the following:

IP 10.100.201.86

Remote AS 64511

5. Click OK.
6. Under Networks, set IP/Netmask to 192.168.88.0/24.
7. Click Apply.
8. In the CLI, set the interface used as the source IP address of the TCP connection (where the BGP session,
TCP/179, is connecting from) for the neighbor (update-source) to toFGTA.

To configure FGT_B to establish iBGP peering with FGT_A in the CLI:

config router bgp
set router-id 2.2.2.2
config neighbor
edit "10.100.201.86"
set remote-as 64511
set update-source "toFGTA"
next
end
config network
edit 1
set prefix 192.168.88.0 255.255.255.0
next
end
end

To check the FGT_A and FGT_B peering:

1. Check the BGP neighbors:
# get router info bgp neighbors
2. Check the networks learned from neighbors:
# get router info bgp network
3. Check that the routes are added to the routing table:
# get router info routing-table all

To see the neighborship status, network, and routing table command outputs for the completed example, see
Troubleshooting and debugging on page 375.

Configuring eBGP peering

By establishing eBGP peering with ISP2, learned routes will have a distance of 20 and will automatically be propagated
to iBGP peers. iBGP peers do not change the next hop when they advertise a route. To make FGT_B receive a route
with FGT_A as the next hop, and not ISP 2's network, Next hop self (next-hop-self) is enabled for routes advertised
to FGT_B.
Additionally, to peer with another router that is multiple hops away, enable ebgp-enforce-multihop in the neighbor
configuration.
In this example, the iBGP routes are automatically advertised to the eBGP neighbor, so a route map is created to deny
iBGP routes from being advertised to ISP 2. Prefixes from ISP 2 are advertised to FGT_A and FGT_B, but no prefixes
are advertised from FGT_A to ISP 2.

To configure FGT_A to establish eBGP peering with ISP 2 in the GUI:

1. Configure a route map to prevent advertisement of iBGP routes to ISP 2:
a. Go to Network > Routing Objects and click Create New > Route Map.
b. Set Name to exclude1.
c. In the Rules table, click Create New.
d. Set Action to Deny.
e. Under Other Rule Variables, enable Match origin and set it to IGP.
f. Click OK.
g. Click OK.
2. Update the BGP configuration:
a. Go to Network > BGP.
b. In the Neighbors table, click Create New and set the following:

IP 10.10.102.87

Remote AS 64512

Route map out exclude1

c. Click OK.
d. In the Neighbors table, edit the previously created entry, 10.100.201.88.
e. Under IPv4 Filtering, select Next hop self.
f. Click OK.
g. Click Apply.

To configure FGT_A to establish eBGP peering with ISP 2 in the CLI:

1. Configure a route map to prevent advertisement of iBGP routes to ISP 2:
config router route-map
edit "exclude1"
config rule
edit 1
set action deny
set match-origin igp
next
end
next
end

2. Update the BGP configuration:
config router bgp
config neighbor
edit "10.10.102.87"
set remote-as 64512
set route-map-out "exclude1"
next
edit "10.100.201.88"
set next-hop-self enable
next
end
end

To see the neighborship status, network, and routing table command outputs for the completed example, see
Troubleshooting and debugging on page 375.

Firewall policies

On FGT_A, configure the following policies:
• Allow the internal subnet to the VPN interface. Do not enable NAT. Enable security profiles as required.
• Allow the VPN interface to the internal subnet. Do not enable NAT. Enable security profiles as required.
• Allow the internal subnet to wan2. Enable NAT and security profiles as required.
• Allow VPN traffic from toFGTA to wan2. Enable NAT and security profiles as required.
On FGT_B, configure the following policies:
• Allow the internal subnet to the VPN interface. Do not enable NAT. Enable security profiles as required.
• Allow the VPN interface to the internal subnet. Do not enable NAT. Enable security profiles as required.

To verify that pinging from FGT_B to FGT_A is successful:

FGT_B # execute ping-options source 192.168.88.88

FGT_B # execute ping 192.168.86.86
PING 192.168.86.86 (192.168.86.86): 56 data bytes
64 bytes from 192.168.86.86: icmp_seq=0 ttl=255 time=0.5 ms
...
--- 192.168.86.86 ping statistics ---
5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max = 0.3/0.3/0.5 ms

To verify that pinging from FGT_B to a subnet in ISP 2 is successful:

FGT_B # execute ping-options source 192.168.88.88

FGT_B # execute ping 172.16.201.87
PING 172.16.201.87 (172.16.201.87): 56 data bytes
64 bytes from 172.16.201.87: icmp_seq=0 ttl=254 time=0.6 ms
...
--- 172.16.201.87 ping statistics ---
5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max = 0.4/0.4/0.6 ms

FGT_B # execute traceroute-options source 192.168.88.88

FGT_B # execute traceroute 172.16.201.87
traceroute to 172.16.201.87 (172.16.201.87), 32 hops max, 3 probe packets per hop, 84 byte
packets
1 10.100.201.86 0.315 ms 0.143 ms 0.110 ms
2 172.16.201.87 0.258 ms 0.144 ms 0.222 ms

Troubleshooting and debugging

When troubleshooting issues, logically step through the debugs. For example, if peering cannot be established between
FGT_A and FGT_B:
1. Verify the basic connectivity between the FGT_A wan1 interface and the FGT_B port1 interface.
2. Verify that the VPN between FGT_A and FGT_B is established.
3. Verify the connectivity between the VPN interfaces.
4. Check the neighborship status on each peer. Use the BGP state to help determine the possible issue, for example:

Idle state The local FortiGate has not started the BGP process with the neighbor. This could be
because the eBGP peer is multiple hops away, but multihop is not enabled.

Connect The local FortiGate has started the BGP process, but has not initiated a TCP connection,
possibly due to improper routing.

Active The local FortiGate has initiated a TCP connection, but there is no response. This might
indicate issues with the delivery or the response from the remote peer.

5. If there are issues establishing the TCP connection, use the command diagnose sniffer packet any 'tcp
and port 179' to identify the problem at the packet level.
The following outputs show instances where all of the configurations are completed, peering has formed, and routes
have been exchanged. The debug output during each configuration step might differ from these outputs. These debug
outputs can be used to help identify what might be missing or misconfigured on your device.
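Stepping through the neighbor dump by hand works for two peers; for a fleet it is worth scripting. The following Python script is an added example, not Fortinet's code: it parses get router info bgp neighbors output into one record per neighbor and applies the state hints from the table above, plus two checks this example's design calls for, an eBGP peer with no outbound route map (iBGP routes would otherwise be advertised to it) and sessions that have exchanged notifications. The sample output is constructed from the FGT_A output shown below, with a third made-up neighbor (AS 64513 on the ISP2 address) stuck in Active.

```python
import re

# Line patterns from "get router info bgp neighbors" output, as shown on this page.
NEIGHBOR_RE = re.compile(
    r"^BGP neighbor is (?P<ip>\S+), remote AS (?P<remote_as>\d+), "
    r"local AS (?P<local_as>\d+), (?P<link>internal|external) link"
)
STATE_RE = re.compile(r"^BGP state = (?P<state>\w+)(?:, up for (?P<up>[\d:]+))?")
RECEIVED_RE = re.compile(r"^Received (\d+) messages, (\d+) notifications")
SENT_RE = re.compile(r"^Sent (\d+) messages, (\d+) notifications")
UPDATE_SOURCE_RE = re.compile(r"^Update source is (\S+)")
ROUTE_MAP_OUT_RE = re.compile(r"^Route map for outgoing advertisements is (\S+)")
LAST_RESET_RE = re.compile(r"^Last Reset: (\S+), due to (.+)$")

# Hints taken from the BGP state table above for sessions that are not Established.
STATE_HINTS = {
    "Idle": "BGP process not started with the neighbor; for an eBGP peer several hops "
            "away, check that ebgp-enforce-multihop is enabled",
    "Connect": "no TCP connection initiated yet; check routing toward the neighbor",
    "Active": "TCP connection initiated but no response; check delivery to and the "
              "response from the remote peer (diagnose sniffer packet any 'tcp and port 179')",
}


def parse_bgp_neighbors(text):
    """Turn the neighbor dump into a list of dicts, one per 'BGP neighbor is' block."""
    neighbors, cur = [], None
    for line in text.splitlines():
        line = line.strip()
        if (m := NEIGHBOR_RE.match(line)):
            cur = {"ip": m["ip"], "remote_as": int(m["remote_as"]), "local_as": int(m["local_as"]),
                   "link": m["link"], "state": None, "up_for": None, "update_source": None,
                   "route_map_out": None, "next_hop_self": False,
                   "notifications_received": 0, "notifications_sent": 0, "last_reset": None}
            neighbors.append(cur)
        elif cur is None:
            continue
        elif (m := STATE_RE.match(line)):
            cur["state"], cur["up_for"] = m["state"], m["up"]
        elif (m := RECEIVED_RE.match(line)):
            cur["notifications_received"] = int(m.group(2))
        elif (m := SENT_RE.match(line)):
            cur["notifications_sent"] = int(m.group(2))
        elif (m := UPDATE_SOURCE_RE.match(line)):
            cur["update_source"] = m.group(1)
        elif (m := ROUTE_MAP_OUT_RE.match(line)):
            cur["route_map_out"] = m.group(1)
        elif (m := LAST_RESET_RE.match(line)):
            cur["last_reset"] = m.group(2)
        elif line == "NEXT_HOP is always this router":
            cur["next_hop_self"] = True
    return neighbors


def diagnose(neighbors):
    """Return {ip: [issues]} for neighbors worth a closer look."""
    problems = {}
    for n in neighbors:
        issues = []
        if n["state"] != "Established":
            issues.append(f"state {n['state']}: {STATE_HINTS.get(n['state'], 'see the state table')}")
        if n["link"] == "external" and n["route_map_out"] is None:
            # iBGP routes are advertised to eBGP neighbors unless an outbound filter stops them.
            issues.append("eBGP peer without an outbound route map: iBGP routes may leak to it")
        total = n["notifications_received"] + n["notifications_sent"]
        if total:
            issues.append(f"{total} notifications exchanged (last reset: {n['last_reset']})")
        if issues:
            problems[n["ip"]] = issues
    return problems


# Constructed sample modelled on the FGT_A output below, plus a made-up third peer.
SAMPLE = """\
VRF 0 neighbor table:
BGP neighbor is 10.10.102.87, remote AS 64512, local AS 64511, external link
BGP state = Established, up for 01:54:37
Received 513 messages, 1 notifications, 0 in queue
Sent 517 messages, 2 notifications, 0 in queue
Route map for outgoing advertisements is *exclude1root
Last Reset: 01:54:42, due to BGP Notification sent
BGP neighbor is 10.100.201.88, remote AS 64511, local AS 64511, internal link
BGP state = Established, up for 01:54:07
Received 527 messages, 3 notifications, 0 in queue
Sent 543 messages, 8 notifications, 0 in queue
Update source is toFGTB
NEXT_HOP is always this router
Last Reset: 01:54:12, due to BGP Notification received
BGP neighbor is 10.10.108.86, remote AS 64513, local AS 64511, external link
BGP state = Active
Received 0 messages, 0 notifications, 0 in queue
Sent 0 messages, 0 notifications, 0 in queue
"""

if __name__ == "__main__":
    for ip, issues in diagnose(parse_bgp_neighbors(SAMPLE)).items():
        print(ip, "->", "; ".join(issues))
```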

To verify the status of the neighbors:

FGT_A # get router info bgp neighbors

VRF 0 neighbor table:
BGP neighbor is 10.10.102.87, remote AS 64512, local AS 64511, external link
BGP version 4, remote router ID 192.168.2.87
BGP state = Established, up for 01:54:37
Last read 00:00:29, hold time is 180, keepalive interval is 60 seconds
Configured hold time is 180, keepalive interval is 60 seconds
Neighbor capabilities:
Route refresh: advertised and received (old and new)
Address family IPv4 Unicast: advertised and received
Address family IPv6 Unicast: advertised and received
Received 513 messages, 1 notifications, 0 in queue
Sent 517 messages, 2 notifications, 0 in queue
Route refresh request: received 0, sent 0
Minimum time between advertisement runs is 30 seconds
For address family: IPv4 Unicast
BGP table version 5, neighbor version 0
Index 3, Offset 0, Mask 0x8
Community attribute sent to this neighbor (both)
Outbound path policy configured
Route map for outgoing advertisements is *exclude1root
4 accepted prefixes, 4 prefixes in rib
0 announced prefixes
For address family: IPv6 Unicast
BGP table version 1, neighbor version 0
Index 3, Offset 0, Mask 0x8
Community attribute sent to this neighbor (both)
0 accepted prefixes, 0 prefixes in rib
0 announced prefixes
Connections established 4; dropped 3
Local host: 10.10.102.86, Local port: 20364
Foreign host: 10.10.102.87, Foreign port: 179
Nexthop: 10.10.102.86
Nexthop interface: wan2
Nexthop global: ::
Nexthop local: ::
BGP connection: non shared network
Last Reset: 01:54:42, due to BGP Notification sent
Notification Error Message: (CeaseUnspecified Error Subcode)
BGP neighbor is 10.100.201.88, remote AS 64511, local AS 64511, internal link
BGP version 4, remote router ID 2.2.2.2
BGP state = Established, up for 01:54:07
Last read 00:00:11, hold time is 180, keepalive interval is 60 seconds
Configured hold time is 180, keepalive interval is 60 seconds
Neighbor capabilities:
Route refresh: advertised and received (old and new)
Address family IPv4 Unicast: advertised and received
Address family IPv6 Unicast: advertised and received
Received 527 messages, 3 notifications, 0 in queue
Sent 543 messages, 8 notifications, 0 in queue
Route refresh request: received 0, sent 0
Minimum time between advertisement runs is 30 seconds
Update source is toFGTB
For address family: IPv4 Unicast
BGP table version 5, neighbor version 4
Index 1, Offset 0, Mask 0x2
NEXT_HOP is always this router
Community attribute sent to this neighbor (both)
1 accepted prefixes, 1 prefixes in rib
5 announced prefixes
For address family: IPv6 Unicast
BGP table version 1, neighbor version 1
Index 1, Offset 0, Mask 0x2
Community attribute sent to this neighbor (both)
0 accepted prefixes, 0 prefixes in rib
0 announced prefixes
Connections established 7; dropped 6
Local host: 10.100.201.86, Local port: 179
Foreign host: 10.100.201.88, Foreign port: 6245
Nexthop: 10.100.201.86
Nexthop interface: toFGTB
Nexthop global: ::
Nexthop local: ::
BGP connection: non shared network
Last Reset: 01:54:12, due to BGP Notification received
Notification Error Message: (CeaseUnspecified Error Subcode)

FGT_B # get router info bgp neighbors

VRF 0 neighbor table:
BGP neighbor is 10.100.201.86, remote AS 64511, local AS 64511, internal link
BGP version 4, remote router ID 1.1.1.1
BGP state = Established, up for 01:56:04
Last read 00:00:48, hold time is 180, keepalive interval is 60 seconds
Configured hold time is 180, keepalive interval is 60 seconds
Neighbor capabilities:
Route refresh: advertised and received (old and new)
Address family IPv4 Unicast: advertised and received
Address family IPv6 Unicast: advertised and received
Received 532 messages, 3 notifications, 0 in queue
Sent 526 messages, 3 notifications, 0 in queue
Route refresh request: received 0, sent 0
Minimum time between advertisement runs is 30 seconds
Update source is toFGTA
For address family: IPv4 Unicast
BGP table version 4, neighbor version 3
Index 1, Offset 0, Mask 0x2
Community attribute sent to this neighbor (both)
5 accepted prefixes, 5 prefixes in rib
1 announced prefixes
For address family: IPv6 Unicast
BGP table version 1, neighbor version 1
Index 1, Offset 0, Mask 0x2
Community attribute sent to this neighbor (both)
0 accepted prefixes, 0 prefixes in rib
0 announced prefixes
Connections established 7; dropped 6
Local host: 10.100.201.88, Local port: 6245
Foreign host: 10.100.201.86, Foreign port: 179
Nexthop: 10.100.201.88
Nexthop interface: toFGTA
Nexthop global: ::
Nexthop local: ::
BGP connection: non shared network
Last Reset: 01:56:09, due to BGP Notification sent
Notification Error Message: (CeaseUnspecified Error Subcode)

# get router info bgp neighbors <neighbor's IP> can also be used to verify the status of a specific
neighbor.

To verify the networks learned from neighbors or a specific network:

FGT_A # get router info bgp network

VRF 0 BGP table version is 5, local router ID is 1.1.1.1
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete
Network Next Hop Metric LocPrf Weight RouteTag Path
*> 172.16.201.0/24 10.10.102.87 0 0 0 64512 i <-/1>
*> 172.16.202.0/24 10.10.102.87 0 0 0 64512 i <-/1>
*> 172.16.203.0/24 10.10.102.87 0 0 0 64512 i <-/1>
*> 172.16.204.0/24 10.10.102.87 0 0 0 64512 i <-/1>
*> 192.168.86.0 0.0.0.0 100 32768 0 i <-/1>
*>i192.168.88.0 10.100.201.88 0 100 0 0 i <-/1>
Total number of prefixes 6
FGT_A # get router info bgp network 172.16.201.0
VRF 0 BGP routing table entry for 172.16.201.0/24
Paths: (1 available, best #1, table Default-IP-Routing-Table)
Advertised to non peer-group peers:
10.100.201.88
Original VRF 0
64512
10.10.102.87 from 10.10.102.87 (192.168.2.87)
Origin IGP metric 0, localpref 100, valid, external, best
Last update: Tue Dec 15 22:52:08 2020

FGT_A # get router info bgp network 192.168.88.0

VRF 0 BGP routing table entry for 192.168.88.0/24
Paths: (1 available, best #1, table Default-IP-Routing-Table)
Not advertised to any peer
Original VRF 0
Local
10.100.201.88 from 10.100.201.88 (2.2.2.2)
Origin IGP metric 0, localpref 100, valid, internal, best
Last update: Tue Dec 15 22:52:39 2020

FGT_B # get router info bgp network

VRF 0 BGP table version is 4, local router ID is 2.2.2.2
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete
Network Next Hop Metric LocPrf Weight RouteTag Path
*>i172.16.201.0/24 10.100.201.86 0 100 0 0 64512 i <-/1>
*>i172.16.202.0/24 10.100.201.86 0 100 0 0 64512 i <-/1>
*>i172.16.203.0/24 10.100.201.86 0 100 0 0 64512 i <-/1>
*>i172.16.204.0/24 10.100.201.86 0 100 0 0 64512 i <-/1>
*>i192.168.86.0 10.100.201.86 0 100 0 0 i <-/1>
*> 192.168.88.0 0.0.0.0 100 32768 0 i <-/1>
Total number of prefixes 6

To verify the routing tables on FGT_A and FGT_B:

FGT_A # get router info routing-table all

Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
* - candidate default
Routing table for VRF=0
S* 0.0.0.0/0 [10/0] via 172.16.151.1, port1, [5/0]
[10/0] via 192.168.2.1, port2, [10/0]
C 10.10.101.0/24 is directly connected, wan1
C 10.10.102.0/24 is directly connected, wan2
S 10.10.103.0/24 [10/0] via 10.10.101.84, wan1
C 10.100.201.0/24 is directly connected, toFGTB
C 10.100.201.86/32 is directly connected, toFGTB
C 172.16.151.0/24 is directly connected, port1
B 172.16.201.0/24 [20/0] via 10.10.102.87, wan2, 02:09:50
B 172.16.202.0/24 [20/0] via 10.10.102.87, wan2, 02:09:50
B 172.16.203.0/24 [20/0] via 10.10.102.87, wan2, 02:09:50
B 172.16.204.0/24 [20/0] via 10.10.102.87, wan2, 02:09:50
C 192.168.2.0/24 is directly connected, port2
C 192.168.86.0/24 is directly connected, vlan86
B 192.168.88.0/24 [200/0] via 10.100.201.88, toFGTB, 02:09:19

FGT_B # get router info routing-table all

Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
* - candidate default
Routing table for VRF=0
S* 0.0.0.0/0 [10/0] via 10.10.103.84, port1
C 10.10.103.0/24 is directly connected, port1
C 10.100.201.0/24 is directly connected, toFGTA
C 10.100.201.88/32 is directly connected, toFGTA
B 172.16.201.0/24 [200/0] via 10.100.201.86, toFGTA, 02:11:36
B 172.16.202.0/24 [200/0] via 10.100.201.86, toFGTA, 02:11:36
B 172.16.203.0/24 [200/0] via 10.100.201.86, toFGTA, 02:11:36
B 172.16.204.0/24 [200/0] via 10.100.201.86, toFGTA, 02:11:36
B 192.168.86.0/24 [200/0] via 10.100.201.86, toFGTA, 02:11:36
C 192.168.88.0/24 is directly connected, vlan88

Route filtering with a distribution list

During BGP operations, routes can be propagated between BGP peers and redistributed from other routing protocols. In
some situations, advertising routes from one peer to another might need to be prevented.
The Basic BGP example on page 371 explains using a route map to filter routes that are learned from iBGP to prevent
them from propagating to an eBGP peer. In this example, a distribution list is used to prevent certain routes from one
peer from being advertised to another peer.

• A company has its own web and email servers in an OSPF area, and needs to advertise routes to these resources
to external peers. Users, routers, and other servers all reside in the OSPF area.
• The FortiGate acts as the BGP border router, redistributing routes from the company's network to its BGP peers. It
is connected to the OSPF area using its DMZ interface.
• Two ISP-managed BGP peers in an AS (Peer 1 and Peer 2) are used to access the internet, and routes must not be
advertised from Peer 1 to Peer 2. The manufacturers of these routers, and information about other devices on the
external BGP AS, are not known.
• Routes to the BGP peers are redistributed so that external locations can access the web and email servers in the
OSPF area. The FortiGate device's external interfaces and the BGP peers are in different ASs, and form eBGP
peers.
• Other networking devices must be configured for BGP. The peer routers must be updated with the FortiGate
device's BGP information, including IP addresses, AS number, and any specific capabilities that are used, such as
IPv6, graceful restart, BFD, and so on.
• It is assumed that security policies have been configured to allow traffic between the networks and NAT is not used.
To tighten security, only the required services should be allowed inbound to the various servers.
• In a real-life scenario, public IP addresses would be used in place of private IP addresses.

Configuring BGP

In this example, Peer 1 routes are blocked from being advertised to Peer 2 using an access list. All incoming routes from
Peer 1 are blocked when updates are sent to Peer 2.
Routes learned from OSPF are redistributed into BGP. EBGP multi path is enabled to load-balance traffic between the
peers using ECMP. See Equal cost multi-path on page 323 for more information.

To configure BGP in the GUI:

1. Configure an access list to block Peer 1 routes:
a. Go to Network > Routing Objects and click Create New > Access List.
b. Set Name to block_peer1.
c. In the Rules table, click Create New.
d. Set Action to Deny.
e. Enable Exact Match and specify the prefix 172.21.111.0 255.255.255.0.
f. Click OK.
g. Click OK.

2. Configure BGP:
a. Go to Network > BGP.
b. Set Local AS to 65001.
c. Set Router ID to 10.11.201.110.
d. In the Neighbors table, click Create New and set the following:

IP 172.21.111.5

Remote AS 65001

e. Click OK.
f. In the Neighbors table, click Create New again and set the following:

IP 172.22.222.5

Remote AS 65001

Distribute list out Enable, and select the block_peer1 access list.

g. Click OK.
h. Under IPv4 Redistribute, enable OSPF and select ALL.
i. Expand Best Path Selection and enable EBGP multi path.
j. Click Apply.

To configure BGP in the CLI:

1. Configure an access list to block Peer 1 routes:
config router access-list
edit "block_peer1"
config rule
edit 1
set action deny
set prefix 172.21.111.0 255.255.255.0
set exact-match enable
next
end
next
end

2. Configure BGP:
config router bgp
set as 65001
set router-id 10.11.201.110
set ebgp-multipath enable
config neighbor
edit "172.21.111.5"
set remote-as 65001
next
edit "172.22.222.5"
set distribute-list-out "block_peer1"
set remote-as 65001
next
end
config redistribute "ospf"
set status enable
end
end

Configuring OSPF

In this example, all of the traffic is within the one OSPF area, and there are other OSPF routers in the network. When
adjacencies are formed, other routers receive the routes advertised from the FortiGate that are redistributed from BGP.

To configure OSPF in the GUI:

1. Go to Network > OSPF.
2. Set Router ID to 10.11.201.110.
3. In the Areas table, click Create New and set the following:

Area ID 0.0.0.0

Type Regular

Authentication None

4. Click OK.
5. In the Networks table, click Create New and set the following:

Area 0.0.0.0

IP/Netmask 10.11.201.0 255.255.255.0

6. Click OK.
7. In the Interfaces table, click Create New and set the following:

Name OSPF_dmz_network

Interface dmz

8. Click OK.
9. Enable Redistribute BGP and set Metric value to 1.
10. Click Apply.

To configure OSPF in the CLI:

config router ospf
set router-id 10.11.201.110
config area
edit 0.0.0.0
next
end
config ospf-interface
edit "OSPF_dmz_network"
set interface "dmz"
next
end
config network
edit 1
set prefix 10.11.201.0 255.255.255.0
next
end
config redistribute "bgp"
set status enable
set metric 1
end
end

Testing the configuration

To test this configuration, run the standard connectivity checks, and also make sure that routes are being passed
between protocols as expected. Use the following checklist to help verify that the FortiGate is configured successfully:
1. Check that the FortiGate has established peering with BGP Peer 1 and Peer 2:
# get router info bgp summary

# get router info bgp neighbors

2. Check that the FortiGate has formed adjacency with OSPF neighbors:
# get router info ospf status

# get router info ospf neighbors

3. Check the routing table on the FortiGate to make sure that routes from both OSPF and BGP are included:
# get router info routing-table all

4. Check devices in the OSPF network for internet connectivity and to confirm that routes redistributed from BGP are
in their routing tables.
5. Check the routing table on Peer 2 to confirm that no routes from Peer 1 are included.
6. Check that the routes from the internal OSPF network are redistributed to Peer 1 and Peer 2.
7. Verify connectivity to the HTTP and email servers.

Next hop recursive resolution using other BGP routes

By default, BGP routes are not considered when a BGP next hop requires recursive resolution; only connected, static, and other non-BGP routes are used. BGP routes are considered when recursive-next-hop is enabled. Recursive resolution through other BGP routes goes one level deep.

To consider BGP routes for recursive resolution of next hops:

config router bgp
set recursive-next-hop enable
end

Example

To see the change in the routing table when the option is enabled:

1. Check the BGP routing table:


# get router info routing-table bgp
Routing table for VRF=0
B 10.100.1.4/30 [200/0] via 10.100.1.14 (recursive is directly connected, R560),
00:02:06

2. Enable BGP routes for recursive resolution of next hops:


config router bgp
set recursive-next-hop enable
end

3. Check the BGP routing table again:


# get router info routing-table bgp
Routing table for VRF=0
B 10.100.1.4/30 [200/0] via 10.100.1.14 (recursive is directly connected, R560),
00:02:15
B 172.16.203.0/24 [200/0] via 10.100.1.6 (recursive via 10.100.1.14, R560),
00:00:06

The second BGP route's next hop is now recursively resolved by another BGP route.

Next hop recursive resolution using ECMP routes

When there are multiple ECMP routes to a BGP next hop, all of them are considered for the next hop recursive
resolution. This ensures that the outgoing traffic can be load balanced.

To support multipath, either eBGP or iBGP multipath must be enabled:


config router bgp
set ebgp-multipath enable
set ibgp-multipath enable
end

In this example, there are two static routes. The FortiGate has learned two BGP routes from Router 1 that have the same
next hop at 10.100.100.1. The next hop is resolved by the two static routes.

To verify that the routes are added to the BGP routing table:

1. Check the two static routes:


# get router info routing-table static
Routing table for VRF=0
S 10.100.100.0/24 [10/0] via 172.16.200.55, port9
[10/0] via 172.16.203.2, agg1

2. Confirm that both routes are in the BGP routing table:


# get router info routing-table bgp
Routing table for VRF=0
B 10.100.10.0/24 [20/200] via 10.100.100.1 (recursive via 172.16.200.55, port9),
00:00:07
(recursive via 172.16.203.2, agg1),
00:00:07
B 10.100.11.0/24 [20/200] via 10.100.100.1 (recursive via 172.16.200.55, port9),
00:00:07
(recursive via 172.16.203.2, agg1),
00:00:07

BGP conditional advertisement

BGP conditional advertisement allows the router to advertise a route only when certain conditions are met. Multiple
conditions can be used together, with conditional route map entries treated as an AND operator, and IPv6 is supported.

Multiple conditions example

In this example, the FortiGate only advertises routes to its neighbor 2.2.2.2 if it learns multiple BGP routes defined in its
conditional route map entry. All conditionals must be met.

To configure multiple conditions in BGP conditional advertisements:

1. Configure the IPv4 prefix list:


config router prefix-list
edit "281"
config rule
edit 1
set prefix 172.28.1.0 255.255.255.0
unset ge
unset le
next
end
next
edit "222"
config rule
edit 1
set prefix 172.22.2.0 255.255.255.0
unset ge
unset le
next
end
next
end

2. Configure the community list:


config router community-list
edit "30:5"
config rule
edit 1
set action permit
set match "30:5"
next
end
next
end

3. Configure the IPv4 route maps:


config router route-map
edit "comm1"
config rule
edit 1
set match-community "30:5"
set set-route-tag 15
next
end
next
edit "2224"
config rule
edit 1
set match-ip-address "222"
next
end
next
edit "2814"
config rule
edit 1
set match-ip-address "281"
next
end
next
end

4. Configure the IPv6 prefix list:


config router prefix-list6
edit "adv-222"
config rule
edit 1
set prefix6 2003:172:22:1::/64
unset ge
unset le
next
end
next
edit "list6-2"
config rule
edit 1
set prefix6 2003:172:28:2::/64
unset ge
unset le
next
end
next
end

5. Configure the IPv6 route maps:


config router route-map
edit "map-222"
config rule
edit 1
set match-ip6-address "adv-222"
next
end
next
edit "map-282"
config rule
edit 1
set action deny
set match-ip6-address "list6-2"
next
end
next
end

6. Configure the BGP settings:


config router bgp
config neighbor
edit "2.2.2.2"
config conditional-advertise
edit "2224"
set condition-routemap "2814" "2224" "comm1"
set condition-type non-exist
next
end
next
edit "2003::2:2:2:2"
config conditional-advertise6
edit "map-222"
set condition-routemap "map-222" "map-282"
next
end
set route-reflector-client6 enable
next
end
end

To verify the IPv4 conditional advertisements:

# get router info bgp neighbors 2.2.2.2


...
Conditional advertise-map:
Adv-map 2224root 2814root, cond-state 0-1
2224root, cond-state 0-1
comm1root, cond-state 0-0
...

In this output, the condition is that the routes in route maps 2814, 2224 and comm1 do not exist. However, routes for
2814 and 2224 exist, so the conditions are not met.

To verify the IPv6 conditional advertisements:

# get router info6 bgp neighbors 2003::2:2:2:2


...
Conditional advertise-map:
Adv-map map-222root map-222root, cond-state 1-1
map-282root, cond-state 1-0
...

In this output, the condition is that the routes in route maps map-222 and map-282 exist. However, routes for map-222
exist, but map-282 does not, so the conditions are not met.

To view the conditional route maps:

# diagnose ip router command show-vrf root show running router bgp


...
neighbor 2.2.2.2 advertise-map 2224root exist-map 2814root
neighbor 2.2.2.2 advertise-map 2224root exist-map 2224root
neighbor 2.2.2.2 advertise-map 2224root exist-map comm1root
... ...
!
address-family ipv6
neighbor 2003::2:2:2:2 advertise-map map-222root non-exist-map map-222root
neighbor 2003::2:2:2:2 advertise-map map-222root non-exist-map map-282root
!

IPv6 example 1

In this example, the FortiGate advertises its local network to the secondary router when the primary router is down. The
FortiGate detects the primary router is down in the absence of a learned route.

l When the FortiGate learns route 2003:172:28:1::/64 from the primary router, it does not advertise its local route
(2003:172:22:1::/64) to the secondary router.
l When the FortiGate does not learn route 2003:172:28:1::/64 from the primary router, it advertises its local route
(2003:172:22:1::/64) to the secondary router.
l The BGP conditional advertisement condition is true when no route matches the condition route map
(2003:172:28:1::/64), that is, when the condition type is non-exist.

To configure BGP conditional advertisement with IPv6:

1. Configure the IPv6 prefix lists:


config router prefix-list6
edit "adv-222"
config rule
edit 1
set prefix6 2003:172:22:1::/64
unset ge
unset le
next
end
next
edit "lrn-281"
config rule
edit 1
set prefix6 2003:172:28:1::/64
unset ge
unset le
next
end
next
end

2. Configure the route maps:


config router route-map
edit "map-221"
config rule
edit 1
set match-ip6-address "adv-222"
next
end
next
edit "map-281"
config rule
edit 1
set match-ip6-address "lrn-281"
next
end
next
end

3. Configure BGP:
config router bgp
set as 65412
set router-id 1.1.1.1
set ibgp-multipath enable
set network-import-check disable
set graceful-restart enable
config neighbor
edit "2003::2:2:2:2"
set soft-reconfiguration6 enable
set remote-as 65412
set update-source "loopback1"
config conditional-advertise6
edit "map-221"
set condition-routemap "map-281"
set condition-type non-exist
next
end
next
edit "2003::3:3:3:3"
set soft-reconfiguration6 enable
set remote-as 65412
set update-source "loopback1"
next
end
end

In this configuration, if no route in the BGP table matches route map map-281 (condition-type non-exist), the FortiGate
advertises the routes matched by route map map-221 to neighbor 2003::2:2:2:2.
4. Verify the routing table:
# get router info6 routing-table bgp
B 2003:172:28:1::/64 [200/0] via 2003::3:3:3:3 (recursive via
****::***:***:****:****, port9), 01:23:45
B 2003:172:28:2::/64 [200/0] via 2003::3:3:3:3 (recursive via
****::***:***:****:****, port9), 23:09:22

When the FortiGate learns 2003:172:28:1::/64, it will not advertise its local route 2003:172:22:1::/64 to neighbor
2003::2:2:2:2. If the FortiGate has not learned 2003:172:28:1::/64, it will advertise its local route 2003:172:22:1::/64 to
neighbor 2003::2:2:2:2.

IPv6 example 2

With the same IPv6 prefix lists and route maps, when the FortiGate does learn 2003:172:28:1::/64, it advertises local
route 2003:172:22:1::/64 to the secondary router. The BGP conditional advertisement condition is set to be true if the
condition route map is matched (exist).

To configure BGP conditional advertisement with IPv6:

1. Configure BGP:
config router bgp
config neighbor
edit "2003::2:2:2:2"
config conditional-advertise6
edit "map-221"
set condition-routemap "map-281"
set condition-type exist
next
end
next
end
end

2. Verify the routing table:


# get router info6 routing-table bgp
B 2003:172:28:1::/64 [200/0] via 2003::3:3:3:3 (recursive via
****::***:***:****:****, port9), 01:23:45
B 2003:172:28:2::/64 [200/0] via 2003::3:3:3:3 (recursive via
****::***:***:****:****, port9), 23:09:22

When the FortiGate learns 2003:172:28:1::/64, it will advertise its local route 2003:172:22:1::/64 to neighbor
2003::2:2:2:2. If the FortiGate has not learned route 2003:172:28:1::/64, it will not advertise its local route
2003:172:22:1::/64 to neighbor 2003::2:2:2:2.
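The following Python script is an added example for this section and for the multiple-conditions example above; it is not FortiOS code and not part of the guide. It models how the condition route maps of a conditional-advertise entry are evaluated against the BGP table (every condition map must be satisfied, the AND behaviour described above), reproduces the cond-state pairs that get router info bgp neighbors prints, and walks through the IPv4 example, the IPv6 multiple-conditions example, and IPv6 examples 1 and 2. Assumptions made for the example: a route is a prefix plus a set of communities, a route map rule matches on an exact prefix or on a community, a route map whose only rule is deny matches nothing, and the two cond-state digits are read as <condition type>-<matching route present> (0 for non-exist, 1 for exist). The BGP tables are constructed.

```python
"""Model of how a FortiGate evaluates BGP conditional advertisement (added example).

Illustrative code, not FortiOS code. Assumptions not stated by the guide: a route
is a prefix plus a set of communities; a route map rule matches on an exact prefix
(the guide's prefix lists have ge/le unset) or on a community; a route map whose
only rule is 'deny' matches nothing; and the two digits of the cond-state shown by
'get router info bgp neighbors' are <condition-type>-<matching route present>,
with 0 = non-exist and 1 = exist.
"""
from dataclasses import dataclass
from ipaddress import ip_network


@dataclass(frozen=True)
class Route:
    prefix: str
    communities: frozenset = frozenset()


@dataclass(frozen=True)
class RouteMap:
    name: str
    prefixes: tuple = ()      # exact-prefix matches (match-ip-address / match-ip6-address)
    communities: tuple = ()   # match-community values such as "30:5"
    action: str = "permit"    # a route map whose only rule is deny matches nothing

    def matches(self, route: Route) -> bool:
        if self.action != "permit":
            return False
        if self.prefixes and ip_network(route.prefix) not in {ip_network(p) for p in self.prefixes}:
            return False
        if self.communities and not any(c in route.communities for c in self.communities):
            return False
        return True


def cond_states(table, condition_maps, condition_type):
    """One (map name, wanted, found) triple per condition route map.

    wanted is 1 for condition-type exist and 0 for non-exist; found is 1 when at
    least one route in the BGP table matches the map. A condition is met when
    wanted == found, and the advertisement requires all of them to be met (AND).
    """
    wanted = 1 if condition_type == "exist" else 0
    return [(m.name, wanted, int(any(m.matches(r) for r in table))) for m in condition_maps]


def conditional_advertise(table, advertise_map, condition_maps, condition_type):
    """Routes that would be advertised to the neighbor, or [] when the condition fails."""
    states = cond_states(table, condition_maps, condition_type)
    if not all(wanted == found for _, wanted, found in states):
        return []
    return [r for r in table if advertise_map.matches(r)]


# Multiple-conditions example, IPv4 side (constructed table; no route carries community 30:5).
IPV4_TABLE = (Route("172.28.1.0/24"), Route("172.22.2.0/24"), Route("10.0.0.0/8", frozenset({"64512:100"})))
MAP_2814 = RouteMap("2814", prefixes=("172.28.1.0/24",))
MAP_2224 = RouteMap("2224", prefixes=("172.22.2.0/24",))
MAP_COMM1 = RouteMap("comm1", communities=("30:5",))


def ipv4_example():
    conds = (MAP_2814, MAP_2224, MAP_COMM1)
    advertised = conditional_advertise(IPV4_TABLE, MAP_2224, conds, "non-exist")
    return cond_states(IPV4_TABLE, conds, "non-exist"), [r.prefix for r in advertised]


# IPv6 side: map-282 has only a deny rule, so it never matches even though 2003:172:28:2::/64 is learned.
IPV6_TABLE = (Route("2003:172:22:1::/64"), Route("2003:172:28:1::/64"), Route("2003:172:28:2::/64"))
MAP_222 = RouteMap("map-222", prefixes=("2003:172:22:1::/64",))
MAP_282 = RouteMap("map-282", prefixes=("2003:172:28:2::/64",), action="deny")
MAP_221 = RouteMap("map-221", prefixes=("2003:172:22:1::/64",))
MAP_281 = RouteMap("map-281", prefixes=("2003:172:28:1::/64",))


def ipv6_multi_example():
    return cond_states(IPV6_TABLE, (MAP_222, MAP_282), "exist")


def ipv6_example(condition_type, primary_route_learned):
    """IPv6 examples 1 and 2: which prefixes reach the secondary router 2003::2:2:2:2."""
    table = IPV6_TABLE if primary_route_learned else tuple(r for r in IPV6_TABLE if r.prefix != "2003:172:28:1::/64")
    return [r.prefix for r in conditional_advertise(table, MAP_221, (MAP_281,), condition_type)]


if __name__ == "__main__":
    for name, wanted, found in ipv4_example()[0]:
        print(f"{name}root, cond-state {wanted}-{found}")
    print("example 1, primary route learned:    ", ipv6_example("non-exist", True))
    print("example 1, primary route not learned:", ipv6_example("non-exist", False))
    print("example 2, primary route learned:    ", ipv6_example("exist", True))
```

Running the script prints the same 0-1, 0-1, 0-0 states as the IPv4 output above, and shows that the local route only reaches 2003::2:2:2:2 in example 1 when 2003:172:28:1::/64 is missing and in example 2 when it is present.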

BGP error handling per RFC 7606

The FortiGate uses one of three approaches to handle a malformed attribute in a BGP UPDATE message, listed here in
order of decreasing severity:
1. Notification and session reset
2. Treat-as-withdraw
3. Attribute discard

When a BGP UPDATE message contains multiple malformed attributes, the most severe approach that is triggered by
one of the attributes is followed. See RFC 7606 for more information.
The following table lists the BGP attributes, and how FortiGate handles a malformed attribute in the UPDATE message:

BGP attribute Handling

origin Handled by the treat-as-withdraw approach.

AS path Handled by the treat-as-withdraw approach.

AS 4 path Handled by the attribute discard approach.

aggregator Handled by the attribute discard approach.

aggregator 4 Handled by the attribute discard approach.

next-hop Handled by the treat-as-withdraw approach.

multiple exit discriminator Handled by the treat-as-withdraw approach.

local preference Handled by the treat-as-withdraw approach.

atomic aggregate Handled by the attribute discard approach.

community Handled by the treat-as-withdraw approach.

extended community Handled by the treat-as-withdraw approach.

originator Handled by the treat-as-withdraw approach.

cluster Handled by the treat-as-withdraw approach.

PMSI Handled by the treat-as-withdraw approach.

MP reach Handled by the notification message approach.

MP unreach Handled by the notification message approach.

attribute set Handled by the treat-as-withdraw approach.

AIGP Handled by the treat-as-withdraw approach.

Unknown If the BGP flag does not indicate that this is an optional attribute, this malformed
attribute is handled by the notification message approach.

This example shows how the ORIGIN attribute can be malformed, and how it is handled.

Reason for malformed attribute Handling

ORIGIN attribute length not one The prefix will be gone and the BGP session will not be reset.

ORIGIN attribute value is invalid The prefix will be gone and the BGP session will not be reset.

Two ORIGIN attributes with different values The attributes are ignored, the BGP session will not be reset, and the BGP route will remain.

ORIGIN attribute is absent The BGP session will be reset.

For example, if the FortiGate receives a malformed UPDATE packet from the neighbor at 27.1.1.124 that has no ORIGIN
attribute, the BGP session is reset and the state of the neighbor is shown as Idle, the first state of the BGP
neighborship connection.
# get router info bgp summary
VRF 0 BGP router identifier 27.1.1.125, local AS number 125
BGP table version is 6
1 BGP AS-PATH entries
0 BGP community entries

Neighbor V AS MsgRcvd MsgSent TblVer InQ OutQ Up/Down State/PfxRcd
3.3.3.3 4 33 0 0 0 0 0 never Active
27.1.1.124 4 124 94 126 0 0 0 never Idle

Total number of neighbors 2
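The following Python script is an added example, not FortiOS code. It parses the Path Attributes field of a BGP UPDATE (the RFC 4271 encoding: flags, type code, one- or two-byte length, value), applies the handling from the two tables above to each attribute, and selects the most severe handling when several attributes in one UPDATE are malformed. Only ORIGIN is validated in depth, as in the ORIGIN table. The sample UPDATE contents, the AS_PATH carrying AS 124, and the assumption that the UPDATE carries reachable NLRI (so that ORIGIN is mandatory) are constructed for the example.

```python
"""RFC 7606 error handling for BGP UPDATE path attributes (added example, not FortiOS code).

The per-attribute handling follows the tables in this section of the guide. The
wire format (flags, type code, 1- or 2-byte length, value) is the standard
path-attribute encoding from RFC 4271. Only ORIGIN is validated in depth; the
sample UPDATEs at the bottom are constructed, and the UPDATE is assumed to carry
reachable NLRI, so a missing ORIGIN is an error.
"""
from enum import IntEnum


class Handling(IntEnum):
    """Ordered by severity, so max() over several findings picks the one applied."""
    NONE = 0
    ATTRIBUTE_DISCARD = 1
    TREAT_AS_WITHDRAW = 2
    SESSION_RESET = 3


ORIGIN, AS_PATH, NEXT_HOP, MED, LOCAL_PREF, ATOMIC_AGGREGATE, AGGREGATOR, COMMUNITY = range(1, 9)
ORIGINATOR_ID, CLUSTER_LIST, MP_REACH, MP_UNREACH, EXT_COMMUNITY = 9, 10, 14, 15, 16
AS4_PATH, AS4_AGGREGATOR, PMSI_TUNNEL, AIGP, ATTR_SET = 17, 18, 22, 26, 128
FLAG_OPTIONAL, FLAG_TRANSITIVE, FLAG_EXT_LEN = 0x80, 0x40, 0x10

# How a malformed instance of each known attribute is handled (the guide's table).
HANDLING = {t: Handling.TREAT_AS_WITHDRAW for t in (
    ORIGIN, AS_PATH, NEXT_HOP, MED, LOCAL_PREF, COMMUNITY, EXT_COMMUNITY,
    ORIGINATOR_ID, CLUSTER_LIST, PMSI_TUNNEL, ATTR_SET, AIGP)}
HANDLING.update({t: Handling.ATTRIBUTE_DISCARD for t in (ATOMIC_AGGREGATE, AGGREGATOR, AS4_PATH, AS4_AGGREGATOR)})
HANDLING.update({MP_REACH: Handling.SESSION_RESET, MP_UNREACH: Handling.SESSION_RESET})


def parse_path_attributes(data: bytes):
    """Yield (flags, type_code, value) for each attribute in a Path Attributes field."""
    pos = 0
    while pos < len(data):
        if pos + 3 > len(data):
            raise ValueError("truncated attribute header")
        flags, type_code = data[pos], data[pos + 1]
        pos += 2
        if flags & FLAG_EXT_LEN:
            if pos + 2 > len(data):
                raise ValueError("truncated extended length")
            length, pos = int.from_bytes(data[pos:pos + 2], "big"), pos + 2
        else:
            length, pos = data[pos], pos + 1
        if pos + length > len(data):
            raise ValueError("attribute value runs past the end of the message")
        yield flags, type_code, data[pos:pos + length]
        pos += length


def handle_update(path_attributes: bytes):
    """Return (Handling applied to the UPDATE, list of reasons); several faults give the most severe."""
    findings, seen = [], set()
    for flags, type_code, value in parse_path_attributes(path_attributes):
        if type_code in seen:
            # repeated attribute: the extra copy is ignored, the session stays up and the route remains
            findings.append((Handling.ATTRIBUTE_DISCARD, f"duplicate attribute {type_code}"))
            continue
        seen.add(type_code)
        if type_code not in HANDLING:
            if not flags & FLAG_OPTIONAL:        # unknown well-known attribute
                findings.append((Handling.SESSION_RESET, f"unknown well-known attribute {type_code}"))
            continue                             # unknown optional attributes are passed through
        if type_code == ORIGIN and (len(value) != 1 or value[0] > 2):
            findings.append((HANDLING[ORIGIN], "ORIGIN length not one or value invalid"))
    if ORIGIN not in seen:
        findings.append((Handling.SESSION_RESET, "ORIGIN attribute absent"))
    worst = max((h for h, _ in findings), default=Handling.NONE)
    return worst, [reason for _, reason in findings]


def attr(type_code: int, value: bytes, flags: int = FLAG_TRANSITIVE) -> bytes:
    """Encode one path attribute (well-known transitive unless other flags are given)."""
    if len(value) > 255:
        return bytes([flags | FLAG_EXT_LEN, type_code]) + len(value).to_bytes(2, "big") + value
    return bytes([flags, type_code, len(value)]) + value


# Constructed sample UPDATE contents: AS_PATH is one AS_SEQUENCE holding 4-octet AS 124,
# NEXT_HOP is the guide's neighbor 27.1.1.124.
AS_PATH_124 = attr(AS_PATH, bytes([2, 1]) + (124).to_bytes(4, "big"))
NEXT_HOP_124 = attr(NEXT_HOP, bytes([27, 1, 1, 124]))
SAMPLES = {
    "well-formed": attr(ORIGIN, b"\x00") + AS_PATH_124 + NEXT_HOP_124,
    "origin length two": attr(ORIGIN, b"\x00\x00") + AS_PATH_124 + NEXT_HOP_124,
    "origin value 5": attr(ORIGIN, b"\x05") + AS_PATH_124 + NEXT_HOP_124,
    "two origins": attr(ORIGIN, b"\x00") + attr(ORIGIN, b"\x01") + AS_PATH_124 + NEXT_HOP_124,
    "origin absent": AS_PATH_124 + NEXT_HOP_124,
    "bad origin + unknown well-known 200": attr(ORIGIN, b"\x05") + AS_PATH_124 + NEXT_HOP_124 + attr(200, b"\x01"),
}

if __name__ == "__main__":
    for name, update in SAMPLES.items():
        print(f"{name:40} -> {handle_update(update)[0].name}")
```

The last sample combines a bad ORIGIN (treat-as-withdraw) with an unknown attribute that is not flagged optional (session reset); the result is the session reset, which is the rule stated above for an UPDATE with several malformed attributes.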

BGP next hop tag-match mode

Tag-match mode can be configured to increase flexibility when controlling how BGP routes' next hops are resolved:
config router bgp
set tag-resolve-mode {disable | preferred | merge}
end

Best-match (disable) Resolve the BGP route's next hops with best-matched routes. This is the default
setting.

Tag-match (preferred) Resolve the BGP route's next hops with routes that have the same tag. If there
are no results, resolve the next hops with best-matched routes.

Tag-and-best-match (merge) Merge tag-match with best-match if they are using different routes, then let
shortcuts hide their parents. The results exclude the next hops of tag-match
whose interfaces have appeared in best-match.

In these examples:
l Each spoke has two IPsec tunnels to each hub, and one BGP peer on loopback interface to each hub (route-
reflector).
l The loopbacks are exchanged with IKE between the spokes and hubs. They are installed as static routes that are
used to provide reachability for establishing BGP neighbors.
l The summary BGP routes for the loopback IP address ranges that originated on the hubs are advertised to the
spokes for resolving the BGP next hops on the spokes.
l The spokes' PC LAN subnets are reflected by the hubs.

l Spoke_1 receives BGP routes (the LAN subnet and loopback IP summary) from Hub_1 with tag 1 and from Hub_2
with tag 2.
l SD-WAN is enabled on Spoke_1, and all of the tunnels are SD-WAN members.

Example 1: Connection between Hub and Spoke down

If the connections between Hub_1 and Spoke_2 are down, traffic from PC_3 to PC_4 can still be sent through Hub_1,
because best-match resolving on Spoke_1 still resolves the PC_4 LAN route to Hub_1, but Hub_1 no longer has a route to
PC_4 and drops the packets. When tag-match is enabled on Spoke_1, the spoke resolves the PC_4 LAN route only to Hub_2,
and traffic is forwarded to Hub_2 and reaches its destination.

To test the tag-match mode:

1. View the key routes on Spoke_1:


Spoke_1(root) # get router info routing-table all
C 10.0.3.0/24 is directly connected, port4
B 10.0.4.0/24 [200/0] via 172.31.0.66 [2] (recursive via H1_T11 tunnel
172.31.1.1), 20:09:52
(recursive via H1_T22 tunnel 10.0.0.2), 20:09:52
(recursive via H2_T11 tunnel 172.31.1.101), 20:09:52
(recursive via H2_T22 tunnel 10.0.0.4), 20:09:52
B 172.31.0.0/25 [200/0] via 172.31.0.1 (recursive via H1_T11 tunnel 172.31.1.1),
23:25:37
(recursive via H1_T22 tunnel 10.0.0.2), 23:25:37
[200/0] via 172.31.0.2 (recursive via H2_T11 tunnel 172.31.1.101), 23:25:37
(recursive via H2_T22 tunnel 10.0.0.4), 23:25:37
S 172.31.0.1/32 [15/0] via H1_T11 tunnel 172.31.1.1, [1/0]
[15/0] via H1_T22 tunnel 10.0.0.2, [1/0]
S 172.31.0.2/32 [15/0] via H2_T11 tunnel 172.31.1.101, [1/0]
[15/0] via H2_T22 tunnel 10.0.0.4, [1/0]
C 172.31.0.65/32 is directly connected, Loopback0
...

172.31.0.0/25 is the loopback IP summary originated by both Hub_1 and Hub_2. The next hop of the PC_4 LAN
route is resolved to Hub_1 (H1_T11, H1_T22) and Hub_2 (H2_T11, H2_T22) based on the loopback IP summary
route.

2. When the connections between Spoke_2 and Hub_1 fail because the BGP neighbor, the tunnels, or the physical ports go
down, the PC_4 LAN route is still resolved to both Hub_1 and Hub_2, because the loopback IP summary is still
received from both Hub_1 and Hub_2:
Spoke_1(root) # get router info routing-table all
C 10.0.3.0/24 is directly connected, port4
B 10.0.4.0/24 [200/0] via 172.31.0.66 (recursive via H1_T11 tunnel 172.31.1.1),
00:03:06
(recursive via H1_T22 tunnel 10.0.0.2), 00:03:06
(recursive via H2_T11 tunnel 172.31.1.101), 00:03:06
(recursive via H2_T22 tunnel 10.0.0.4), 00:03:06
B 172.31.0.0/25 [200/0] via 172.31.0.1 (recursive via H1_T11 tunnel 172.31.1.1),
23:55:34
(recursive via H1_T22 tunnel 10.0.0.2), 23:55:34
[200/0] via 172.31.0.2 (recursive via H2_T11 tunnel 172.31.1.101), 23:55:34
(recursive via H2_T22 tunnel 10.0.0.4), 23:55:34
...

3. If traffic sent from PC_3 to PC_4 goes through Hub_1, packets are dropped because there is no PC_4 LAN route on
Hub_1:
Spoke_1 (root) # diagnose sniffer packet any 'host 10.0.4.2' 4
interfaces=[any]
filters=[host 10.0.4.2]
11.261264 port4 in 10.0.3.2 -> 10.0.4.2: icmp: echo request
11.261349 H1_T11 out 10.0.3.2 -> 10.0.4.2: icmp: echo request
12.260268 port4 in 10.0.3.2 -> 10.0.4.2: icmp: echo request
12.260291 H1_T11 out 10.0.3.2 -> 10.0.4.2: icmp: echo request

Hub_1 (root) # diagnose sniffer packet any 'host 10.0.4.2' 4
interfaces=[any]
filters=[host 10.0.4.2]
6.966064 EDGE_T1 in 10.0.3.2 -> 10.0.4.2: icmp: echo request
7.965012 EDGE_T1 in 10.0.3.2 -> 10.0.4.2: icmp: echo request

4. If the tag-match mode is set to tag-match (preferred) on Spoke_1, then the PC_4 LAN route can only be resolved
to Hub_2 because of tag-match checking:
Spoke_1(root) # get router info routing-table all
C 10.0.3.0/24 is directly connected, port4
B 10.0.4.0/24 [200/0] via 172.31.0.66 tag 2 (recursive via H2_T11 tunnel
172.31.1.101), 00:02:35
(recursive via H2_T22 tunnel 10.0.0.4), 00:02:35
B 172.31.0.0/25 [200/0] via 172.31.0.1 tag 1 (recursive via H1_T11 tunnel
172.31.1.1), 03:18:41
(recursive via H1_T22 tunnel 10.0.0.2), 03:18:41
[200/0] via 172.31.0.2 tag 2 (recursive via H2_T11 tunnel 172.31.1.101),
03:18:41
(recursive via H2_T22 tunnel 10.0.0.4), 03:18:41
...

Spoke_1 (root) # get router info routing-table details 10.0.4.0/24
Routing table for VRF=0
Routing entry for 10.0.4.0/24
Known via "bgp", distance 200, metric 0, best
Last update 00:01:11 ago

* 172.31.0.66, tag 2 (recursive via H2_T11 tunnel 172.31.1.101), tag-match
(recursive via H2_T22 tunnel 10.0.0.4), tag-match

5. If traffic is again sent from PC_3 to PC_4, it will go through Hub_2 and reach the destination:
Spoke_1 (root) # diagnose sniffer packet any 'host 10.0.4.2' 4
interfaces=[any]
filters=[host 10.0.4.2]
7.216948 port4 in 10.0.3.2 -> 10.0.4.2: icmp: echo request
7.217035 H2_T11 out 10.0.3.2 -> 10.0.4.2: icmp: echo request
7.217682 H2_T11 in 10.0.4.2 -> 10.0.3.2: icmp: echo reply
7.217729 port4 out 10.0.4.2 -> 10.0.3.2: icmp: echo reply

Example 2: SD-WAN failover when shortcut down

After the shortcut from Spoke_1 to Spoke_2 is established, Spoke_1 will only resolve the PC_4 LAN route to the
shortcut, because of best-match resolving, prohibiting SD-WAN failover. When tag-and-best-match is enabled on
Spoke_1, the spoke can resolve the PC_4 LAN route to the shortcut and to other alternative tunnels, allowing SD-WAN
failover.

To test the tag-and-best-match mode:

1. Unset tag-resolve-mode and resume the connections between Spoke_2 and Hub_1. The routing table on
Spoke_1 changes to the initial state:
Spoke_1(root) # get router info routing-table all
C 10.0.3.0/24 is directly connected, port4
B 10.0.4.0/24 [200/0] via 172.31.0.66 [2] (recursive via H1_T11 tunnel
172.31.1.1), 00:01:54
(recursive via H1_T22 tunnel 10.0.0.2), 00:01:54
(recursive via H2_T11 tunnel 172.31.1.101), 00:01:54
(recursive via H2_T22 tunnel 10.0.0.4), 00:01:54
B 172.31.0.0/25 [200/0] via 172.31.0.1 (recursive via H1_T11 tunnel 172.31.1.1),
03:30:35
(recursive via H1_T22 tunnel 10.0.0.2), 03:30:35
[200/0] via 172.31.0.2 (recursive via H2_T11 tunnel 172.31.1.101), 03:30:35
(recursive via H2_T22 tunnel 10.0.0.4), 03:30:35
S 172.31.0.1/32 [15/0] via H1_T11 tunnel 172.31.1.1, [1/0]
[15/0] via H1_T22 tunnel 10.0.0.2, [1/0]
S 172.31.0.2/32 [15/0] via H2_T11 tunnel 172.31.1.101, [1/0]
[15/0] via H2_T22 tunnel 10.0.0.4, [1/0]
C 172.31.0.65/32 is directly connected, Loopback0

...

2. Send traffic from PC_3 to PC_4. The shortcut from Spoke_1 to Spoke_2 is established.
The PC_4 LAN route is only resolved to the shortcut because of best-match resolving. If the shortcut is out of SLA,
then the traffic cannot switch over to another, alternative tunnel.
Spoke_1 (root) # get router info routing-table all
C 10.0.3.0/24 is directly connected, port4
B 10.0.4.0/24 [200/0] via 172.31.0.66 [2] (recursive via H1_T11_0 tunnel
10.0.0.40), 00:09:22
B 172.31.0.0/25 [200/0] via 172.31.0.1 (recursive via H1_T11 tunnel 172.31.1.1),
03:40:12

(recursive via H1_T22 tunnel 10.0.0.2), 03:40:12
[200/0] via 172.31.0.2 (recursive via H2_T11 tunnel 172.31.1.101), 03:40:12
(recursive via H2_T22 tunnel 10.0.0.4), 03:40:12
S 172.31.0.1/32 [15/0] via H1_T11 tunnel 172.31.1.1, [1/0]
[15/0] via H1_T22 tunnel 10.0.0.2, [1/0]
S 172.31.0.2/32 [15/0] via H2_T11 tunnel 172.31.1.101, [1/0]
[15/0] via H2_T22 tunnel 10.0.0.4, [1/0]
C 172.31.0.65/32 is directly connected, Loopback0
S 172.31.0.66/32 [15/0] via H1_T11_0 tunnel 10.0.0.40, [1/0]
...

3. If the tag-match mode is set to tag-and-best-match (merge) on Spoke_1, then the PC_4 LAN route is resolved to
the H1_T11_0 shortcut based on best-match resolving, and to H1_T11, H1_T22, H2_T11, H2_T22 based on
tag-match resolving. It is then resolved to H1_T11, H1_T22, H2_T11, H2_T22 after letting the shortcut hide its
parent tunnel.
Spoke_1 (root) # get router info routing-table all
C 10.0.3.0/24 is directly connected, port4
B 10.0.4.0/24 [200/0] via 172.31.0.66 tag 1 (recursive via H1_T11_0 tunnel
10.0.0.40), 00:07:36
(recursive via H1_T22 tunnel 10.0.0.2), 00:07:36
[200/0] via 172.31.0.66 tag 2 (recursive via H1_T11_0 tunnel 10.0.0.40),
00:07:36
(recursive via H2_T11 tunnel 172.31.1.101), 00:07:36
(recursive via H2_T22 tunnel 10.0.0.4), 00:07:36
B 172.31.0.0/25 [200/0] via 172.31.0.1 tag 1 (recursive via H1_T11 tunnel
172.31.1.1), 03:48:26
(recursive via H1_T22 tunnel 10.0.0.2), 03:48:26
[200/0] via 172.31.0.2 tag 2 (recursive via H2_T11 tunnel 172.31.1.101),
03:48:26
(recursive via H2_T22 tunnel 10.0.0.4), 03:48:26
S 172.31.0.1/32 [15/0] via H1_T11 tunnel 172.31.1.1, [1/0]
[15/0] via H1_T22 tunnel 10.0.0.2, [1/0]
S 172.31.0.2/32 [15/0] via H2_T11 tunnel 172.31.1.101, [1/0]
[15/0] via H2_T22 tunnel 10.0.0.4, [1/0]
C 172.31.0.65/32 is directly connected, Loopback0
S 172.31.0.66/32 [15/0] via H1_T11_0 tunnel 10.0.0.40, [1/0]

...

Spoke_1 (root) # get router info routing-table details 10.0.4.0/24
Routing table for VRF=0
Routing entry for 10.0.4.0/24
Known via "bgp", distance 200, metric 0, best
Last update 00:01:02 ago
* 172.31.0.66, tag 1 (recursive via H1_T11_0 tunnel 10.0.0.42), best-match
(recursive via H1_T22 tunnel 10.0.0.2), tag-match
* 172.31.0.66, tag 2 (recursive via H1_T11_0 tunnel 10.0.0.42), best-match
(recursive via H2_T11 tunnel 172.31.1.101), tag-match
(recursive via H2_T22 tunnel 10.0.0.4), tag-match

4. If the H1_T11_0 shortcut goes out of SLA, traffic will switch to tunnel H1_T22 and shortcut H1_T22_0 is triggered.
The PC_4 LAN route is resolved to H1_T11, H1_T22, H2_T11, H2_T22.
Spoke_1 (root) # get router info routing-table all
C 10.0.3.0/24 is directly connected, port4

B 10.0.4.0/24 [200/0] via 172.31.0.66 tag 1 (recursive via H1_T11_0 tunnel
10.0.0.40), 00:18:50
(recursive via H1_T22_0 tunnel 10.0.0.41), 00:18:50
[200/0] via 172.31.0.66 tag 2 (recursive via H1_T11_0 tunnel 10.0.0.40),
00:18:50
(recursive via H1_T22_0 tunnel 10.0.0.41), 00:18:50
(recursive via H2_T11 tunnel 172.31.1.101), 00:18:50
(recursive via H2_T22 tunnel 10.0.0.4), 00:18:50
B 172.31.0.0/25 [200/0] via 172.31.0.1 tag 1 (recursive via H1_T11 tunnel
172.31.1.1), 03:59:40
(recursive via H1_T22 tunnel 10.0.0.2), 03:59:40
[200/0] via 172.31.0.2 tag 2 (recursive via H2_T11 tunnel 172.31.1.101),
03:59:40
(recursive via H2_T22 tunnel 10.0.0.4), 03:59:40
S 172.31.0.1/32 [15/0] via H1_T11 tunnel 172.31.1.1, [1/0]
[15/0] via H1_T22 tunnel 10.0.0.2, [1/0]
S 172.31.0.2/32 [15/0] via H2_T11 tunnel 172.31.1.101, [1/0]
[15/0] via H2_T22 tunnel 10.0.0.4, [1/0]
C 172.31.0.65/32 is directly connected, Loopback0
S 172.31.0.66/32 [15/0] via H1_T11_0 tunnel 10.0.0.40, [1/0]
[15/0] via H1_T22_0 tunnel 10.0.0.41, [1/0]
...

Spoke_1 (root) # get router info routing-table details 10.0.4.0/24
Routing table for VRF=0
Routing entry for 10.0.4.0/24
Known via "bgp", distance 200, metric 0, best
Last update 00:06:40 ago
* 172.31.0.66, tag 1 (recursive via H1_T11_0 tunnel 10.0.0.42), best-match
(recursive via H1_T22_0 tunnel 10.0.0.43), best-match
* 172.31.0.66, tag 2 (recursive via H1_T11_0 tunnel 10.0.0.42), best-match
(recursive via H1_T22_0 tunnel 10.0.0.43), best-match
(recursive via H2_T11 tunnel 172.31.1.101), tag-match
(recursive via H2_T22 tunnel 10.0.0.4), tag-match

Spoke_1(root) # diagnose sys sdwan service

Service(1): Address Mode(IPV4) flags=0x200 use-shortcut-sla
Gen(22), TOS(0x0/0x0), Protocol(0: 1->65535), Mode(sla), sla-compare-order
Member sub interface(4):
1: seq_num(1), interface(H1_T11):
1: H1_T11_0(93)
3: seq_num(4), interface(H1_T22):
1: H1_T22_0(94)
Members(4):
1: Seq_num(1 H1_T11), alive, sla(0x1), gid(0), cfg_order(0), cost(0), selected
2: Seq_num(4 H1_T22_0), alive, sla(0x1), gid(0), cfg_order(3), cost(0), selected
3: Seq_num(4 H1_T22), alive, sla(0x1), gid(0), cfg_order(3), cost(0), selected
4: Seq_num(1 H1_T11_0), alive, sla(0x0), gid(0), cfg_order(0), cost(0), selected
Src address(1):
10.0.0.0-10.255.255.255
Dst address(1):
10.0.0.0-10.255.255.255

Service(2): Address Mode(IPV4) flags=0x200 use-shortcut-sla
Gen(10), TOS(0x0/0x0), Protocol(0: 1->65535), Mode(sla), sla-compare-order

Members(2):
1: Seq_num(6 H2_T11), alive, sla(0x1), gid(0), cfg_order(0), cost(0), selected
2: Seq_num(9 H2_T22), alive, sla(0x1), gid(0), cfg_order(3), cost(0), selected
Src address(1):
10.0.0.0-10.255.255.255
Dst address(1):
10.0.0.0-10.255.255.255
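The following Python script is an added example, not FortiOS code. It serves both "Next hop recursive resolution using other BGP routes" and "Next hop recursive resolution using ECMP routes" above and the three tag-resolve-mode values of this section: a gateway is resolved by longest-prefix match, BGP routes take part only when recursive-next-hop is enabled, every ECMP path of the resolving route fans out into an exit, and tag-match (preferred) and tag-and-best-match (merge) are applied as described, including the shortcut hiding its parent tunnel. The prefixes, tags and tunnel names follow the guide's outputs; the Path and Route structures, the depth limit, the connected /30 assumed behind interface R560 and the routing tables themselves are constructed for the example.

```python
"""Model of FortiOS BGP next-hop recursive resolution (added example, not FortiOS code).

Covers recursive-next-hop, ECMP fan-out and tag-resolve-mode. Prefixes, tags and
tunnel names come from the guide's outputs; the data structures, the depth limit
and the connected subnet assumed behind interface R560 are choices made here.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Path:
    """One next hop of a route: gateway and/or outgoing interface, with the route tag."""
    gateway: str = None
    interface: str = None
    tag: int = 0
    parent: str = None   # for an ADVPN shortcut such as H1_T11_0, the tunnel it was spawned from


@dataclass(frozen=True)
class Route:
    prefix: str
    proto: str           # "C" connected, "S" static, "B" BGP
    paths: tuple


def _fan_out(table, routes, want_tag, recursive_next_hop, mode, tag, depth):
    """Exits reached over every path of the given routes (all tags, or only want_tag)."""
    exits = set()
    for r in routes:
        for p in r.paths:
            if want_tag is not None and p.tag != want_tag:
                continue
            if p.interface:
                exits.add(p)
            else:   # another gateway: resolve one level deeper; every ECMP path fans out
                exits |= resolve_gateway(table, p.gateway, recursive_next_hop, mode, tag, depth - 1)
    return exits


def resolve_gateway(table, gateway, recursive_next_hop=False, mode="disable", tag=0, depth=3):
    """Set of interface-bearing Paths that a BGP next hop resolves to."""
    if depth == 0:                       # bound the recursion
        return set()
    addr = ip_address(gateway)
    # BGP routes only take part in resolution when recursive-next-hop is enabled
    cands = [r for r in table if addr in ip_network(r.prefix) and (recursive_next_hop or r.proto != "B")]
    if not cands:
        return set()
    longest = max(ip_network(r.prefix).prefixlen for r in cands)
    best = _fan_out(table, [r for r in cands if ip_network(r.prefix).prefixlen == longest],
                    None, recursive_next_hop, mode, tag, depth)
    if mode == "disable":                # best-match only (the default)
        return best
    tagged = _fan_out(table, cands, tag, recursive_next_hop, mode, tag, depth)
    if mode == "preferred":              # tag-match, falling back to best-match
        return tagged or best
    # merge: keep both, but drop a tag-match exit whose interface, or a shortcut spawned
    # from it, already appears in the best-match set (the shortcut hides its parent)
    hidden = {b.interface for b in best} | {b.parent for b in best if b.parent}
    return best | {t for t in tagged if t.interface not in hidden}


def resolve_route(table, route, recursive_next_hop=False, mode="disable"):
    """For each path of a BGP route: (tag, sorted outgoing interface names)."""
    return [(p.tag, sorted(e.interface for e in resolve_gateway(table, p.gateway, recursive_next_hop, mode, p.tag)))
            for p in route.paths]


# Constructed tables. 1: the guide's two BGP routes plus an assumed connected /30 on R560.
R560_TABLE = (
    Route("10.100.1.12/30", "C", (Path(interface="R560"),)),
    Route("10.100.1.4/30", "B", (Path(gateway="10.100.1.14"),)),
    Route("172.16.203.0/24", "B", (Path(gateway="10.100.1.6"),)),
)
# 2: two static ECMP routes to the next hop 10.100.100.1 used by the BGP route.
ECMP_TABLE = (
    Route("10.100.100.0/24", "S", (Path("172.16.200.55", "port9"), Path("172.16.203.2", "agg1"))),
    Route("10.100.10.0/24", "B", (Path(gateway="10.100.100.1"),)),
)


def spoke_table(shortcut_up=False, hub1_reflects_lan=True):
    """3: Spoke_1's view. Tag 1 marks routes from Hub_1, tag 2 routes from Hub_2."""
    lan_paths = (Path("172.31.0.66", tag=1),) if hub1_reflects_lan else ()
    table = [
        Route("172.31.0.1/32", "S", (Path("172.31.1.1", "H1_T11"), Path("10.0.0.2", "H1_T22"))),
        Route("172.31.0.2/32", "S", (Path("172.31.1.101", "H2_T11"), Path("10.0.0.4", "H2_T22"))),
        Route("172.31.0.0/25", "B", (Path("172.31.0.1", tag=1), Path("172.31.0.2", tag=2))),
        Route("10.0.4.0/24", "B", lan_paths + (Path("172.31.0.66", tag=2),)),
    ]
    if shortcut_up:   # ADVPN shortcut to Spoke_2, installed as a /32 static over H1_T11_0
        table.append(Route("172.31.0.66/32", "S", (Path("10.0.0.40", "H1_T11_0", parent="H1_T11"),)))
    return tuple(table)


def pc4_route(table):
    return next(r for r in table if r.prefix == "10.0.4.0/24")


if __name__ == "__main__":
    print("recursive-next-hop off/on:", resolve_route(R560_TABLE, R560_TABLE[2]),
          resolve_route(R560_TABLE, R560_TABLE[2], recursive_next_hop=True))
    print("ECMP:", resolve_route(ECMP_TABLE, ECMP_TABLE[1]))
    down, sc = spoke_table(hub1_reflects_lan=False), spoke_table(shortcut_up=True)
    for tbl, mode in ((down, "disable"), (down, "preferred"), (sc, "disable"), (sc, "merge")):
        print(mode, resolve_route(tbl, pc4_route(tbl), True, mode))
```

With Hub_1 no longer reflecting the PC_4 LAN route, best-match still sends the tag 2 path through all four tunnels while tag-match keeps it on H2_T11 and H2_T22; with the shortcut up, best-match collapses to H1_T11_0 and merge adds the alternative tunnels, minus H1_T11, which the shortcut hides.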

Troubleshooting BGP

BGP has several features for dealing with problems that arise after a network has been configured. The most common
problem is a route that repeatedly goes offline and comes back. This is called route flap, and it causes problems for
every router that uses the route.

Clearing routing table entries

To see whether a new route is being added to the routing table correctly, you can reset all or some BGP neighbor
sessions using the execute router clear b,gp command. Resetting a session withdraws the routes learned from that
neighbor and relearns them when the session comes back up.
For example, to reset the session with the neighbor at IP address 10.10.10.1, enter the following CLI command:
# execute router clear bgp ip 10.10.10.1

To reset the sessions with all neighbors in AS number 650001, enter the following CLI command:
# execute router clear bgp as 650001

Route flap

When routers or hardware along a route go offline and back online that is called a route flap. Flapping is the term that is
used if these outages continue, especially if they occur frequently.
Route flap is a problem in BGP because each time a peer or a route goes down, all the peer routers that are connected to
that out-of-service router advertise the change in their routing tables. This creates a lot of administration traffic on the
network and the same traffic re-occurs when that router comes back online. If the problem is something like a faulty
network cable that alternates online and offline every 10 seconds, there could easily be an overwhelming amount of
routing updates sent out unnecessarily.
Another possible cause of route flap is a FortiGate HA cluster. When the cluster fails over to the secondary unit, other
routers on the network may briefly see the cluster as offline, resulting in route flap. This doesn't occur often, but it can
still interrupt traffic, which is disruptive for network users. The easy solution is to set the BGP hold time on the cluster's
neighbors so that it doesn't expire during the failover, and to configure graceful restart on the HA cluster so that peers
keep using the cluster's routes while the session is re-established.
The first method of dealing with route flap is to check your hardware. If a cable is loose or bad, it can easily be replaced,
eliminating the problem. If an interface on the router is bad, either avoid using that interface or swap in a functioning
router. If the power source is bad on a router, either replace the power supply or use a power conditioning backup power
supply. These quick and easy fixes can save you from configuring more complex BGP options. However, if the route flap
is from another source, configuring BGP to deal with the outages helps keep service uninterrupted for your network users.
Some methods of dealing with route flap in BGP include:
l Holdtime timer on page 400
l Dampening on page 400

l Graceful restart on page 401
l BFD on page 402

Holdtime timer

The first setting to look at for a flapping route is the hold timer. The hold time is how long the FortiGate waits without
receiving a KEEPALIVE or UPDATE message from a neighbor before it declares the session down and withdraws the routes
learned from that neighbor. Each session uses the shorter of the two hold times that the peers offer when the session
opens.
A longer hold time rides out brief interruptions in the path to a neighbor without tearing the session down, so a link that
flaps several times within one hold time produces at most one set of routing updates instead of one set per flap. The
cost is slower failure detection: a neighbor that has really gone away is still treated as up, and its routes are kept, until
the timer expires.
Treating an unstable neighbor as reachable for a little longer than it really is can be viewed as a robustness feature.
Typically, you don't want most of your traffic being routed over an unreliable path, so keep the hold time short on the
peers that carry important traffic, where fast failover matters, and longer on peers where some noise is expected and
update churn is the bigger problem.

How to configure the holdtime timer

There are three different route flapping situations that can occur: the route goes up and down frequently, the route goes
down and back up once over a long period of time, or the route goes down and stays down for a long period of time.
These can all be handled using the holdtime timer.
For example, your network has two BGP neighbors that you want to set the timers for. One is your main route (through
the neighbor at 10.12.101.4) that all of your Internet traffic goes through, and it can't be down for long if it's down. The
second is a low speed connection to a custom network that's used infrequently (through the neighbor at 10.13.101.4).
The hold time for the main neighbor should be fairly short (for example, 60 seconds) so that a failure is detected quickly.
Its keepalive interval must be shorter than the hold time, and the usual rule is one third of it, so 20 seconds. The second
neighbor's timers can be left at the default values of a 180 second hold time and a 60 second keepalive, since it's rarely
used.

To configure the BGP holdtime timer:

config router bgp
config neighbor
edit 10.12.101.4
set holdtime-timer 60
set keepalive-timer 20
next
edit 10.13.101.4
set holdtime-timer 180
set keepalive-timer 60
next
end
end

Dampening

Dampening is a method that's used to limit the amount of network problems due to flapping routes. With dampening, the
flapping still occurs but the peer routers pay less and less attention to that route as it flaps more often. One flap doesn't
start dampening, but the second flap starts a timer where the router won't use that route because it is considered
unstable. If the route flaps again before the timer expires, the timer continues to increase. There's a period of time called
the reachability half-life, after which a route flap will be suppressed for only half the time. This half-life comes into effect
when a route has been stable for a while but not long enough to clear all the dampening completely. For the flapping
route to be included in the routing table again, the suppression time must expire.
If the route flapping was temporary, you can clear the flapping or dampening from the FortiGate device's cache by using
one of the execute router clear bgp CLI commands:
# execute router clear bgp dampening {<ip_address> | <ip_address/netmask>}

or
# execute router clear bgp flap-statistics {<ip_address> | <ip_address/netmask>}

For example, to remove route flap dampening information for the 10.10.0.0/16 subnet, enter the following CLI command:
# execute router clear bgp dampening 10.10.0.0/16

To configure BGP route dampening:

config router bgp
    set dampening {enable | disable}
    set dampening-max-suppress-time <minutes_integer>
    set dampening-reachability-half-life <minutes_integer>
    set dampening-reuse <reuse_integer>
    set dampening-route-map <routemap-name_str>
    set dampening-suppress <limit_integer>
    set dampening-unreachability-half-life <minutes_integer>
end
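The following is an added example (not FortiOS code) that simulates the penalty-based dampening model these settings control: each flap adds penalty, the penalty halves every reachability half-life, a route is suppressed once the penalty passes the suppress limit and reused once it decays below the reuse limit, and the max suppress time bounds how long suppression can last. The per-flap penalty of 1000 and the numeric thresholds are constructed for the example, not FortiOS defaults.

```python
"""Constructed illustration of penalty-based route dampening; added example
code, not code from the FortiOS guide. Assumptions: each flap adds 1000
penalty points, the penalty halves every reachability half-life, and the
numeric values used below are chosen for the example, not FortiOS defaults."""
import math
from dataclasses import dataclass

FLAP_PENALTY = 1000.0  # penalty added per flap (assumed value)


@dataclass
class DampeningConfig:
    reachability_half_life: float  # minutes, like dampening-reachability-half-life
    reuse: float                   # like dampening-reuse: un-suppress below this penalty
    suppress: float                # like dampening-suppress: suppress above this penalty
    max_suppress_time: float       # minutes, like dampening-max-suppress-time

    def penalty_ceiling(self) -> float:
        """Largest penalty worth accumulating: decaying from here to the reuse
        threshold takes exactly max_suppress_time, so no route stays suppressed
        longer than that (the standard RFC 2439 bound)."""
        return self.reuse * 2 ** (self.max_suppress_time / self.reachability_half_life)


@dataclass
class RouteState:
    penalty: float = 0.0
    suppressed: bool = False
    last_update: float = 0.0  # simulation clock, in minutes


def decay(state: RouteState, cfg: DampeningConfig, now: float) -> None:
    """Apply exponential decay for the time elapsed since the last update."""
    elapsed = now - state.last_update
    state.penalty *= 0.5 ** (elapsed / cfg.reachability_half_life)
    state.last_update = now


def flap(state: RouteState, cfg: DampeningConfig, now: float) -> bool:
    """Record one flap at time `now`; return True if the route is now suppressed."""
    decay(state, cfg, now)
    state.penalty = min(state.penalty + FLAP_PENALTY, cfg.penalty_ceiling())
    if state.penalty > cfg.suppress:
        state.suppressed = True
    return state.suppressed


def usable(state: RouteState, cfg: DampeningConfig, now: float) -> bool:
    """True if the route may be installed at time `now`; suppression clears
    once the decayed penalty has fallen below the reuse threshold."""
    decay(state, cfg, now)
    if state.suppressed and state.penalty < cfg.reuse:
        state.suppressed = False
    return not state.suppressed


def minutes_until_reuse(state: RouteState, cfg: DampeningConfig, now: float) -> float:
    """Time from `now` until the penalty decays below the reuse threshold."""
    decay(state, cfg, now)
    if state.penalty <= cfg.reuse:
        return 0.0
    return cfg.reachability_half_life * math.log2(state.penalty / cfg.reuse)


if __name__ == "__main__":
    cfg = DampeningConfig(reachability_half_life=15, reuse=750,
                          suppress=1500, max_suppress_time=60)
    route = RouteState()
    print("first flap suppressed:", flap(route, cfg, now=0))   # False
    print("second flap suppressed:", flap(route, cfg, now=1))  # True
    print("minutes until reuse: %.1f" % minutes_until_reuse(route, cfg, now=1))
```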

Graceful restart

BGP4 has the capability to gracefully restart.

In some situations, route flap is caused by routers that appear to be offline but the hardware portion of the router (control
plane) can continue to function normally. One example of this is when some software is restarting or being upgraded but
the hardware can still function normally.
Graceful restart is best used for these situations where routing won't be interrupted, but the router is unresponsive to
routing update advertisements. Graceful restart doesn't have to be supported by all routers in a network, but the network
will benefit when more routers support it.
FortiGate HA clusters can benefit from graceful restart. When a failover takes place, the HA cluster advertises that it is
going offline, and will not appear as a route flap. It will also enable the new HA main unit to come online with an updated
and usable routing table. If there is a flap, the HA cluster routing table will be out-of-date.
For example, the FortiGate is one of four BGP routers that send updates to each other. Any of those routers may support
graceful restart. When a router plans to go offline, it sends a message to its neighbors stating how long it expects to be
offline. This way, its neighboring routers don't remove it from their routing tables. However, if that router isn't back online
when expected, the routers will mark it offline. This prevents routing flap and its associated problems.
FortiGate devices support both graceful restart of their own BGP routing software and neighboring BGP routers.

To configure BGP graceful restart:

config router bgp
    set graceful-restart {disable | enable}
    set graceful-restart-time <seconds_integer>
    set graceful-stalepath-time <seconds_integer>
    set graceful-update-delay <seconds_integer>
    config neighbor
        edit 10.12.101.4
            set capability-graceful-restart {enable | disable}
        next
    end
end

Before the restart, the router sends its peers a message to say it's restarting. The peers mark all the restarting router's
routes as stale, but they continue to use the routes. The peers assume the router will restart, check its routes, and take
care of them, if needed, after the restart is complete. The peers also know what services the restarting router can
maintain during its restart. After the router completes the restart, the router sends its peers a message to say it's done
restarting.

To restart the router:

# execute router restart

Scheduled time offline

Graceful restart is a means for a router to advertise that it is going to have a scheduled shutdown for a very short period
of time. When neighboring routers receive this notice, they will not remove that router from their routing table until after a
set time elapses. During that time, if the router comes back online, everything continues to function as normal. If that
router remains offline longer than expected, then the neighboring routers will update their routing tables as they assume
that the router will be offline for a long time.
The following example demonstrates if you want to configure graceful restart on the FortiGate where you expect the
FortiGate to be offline for no more than two minutes, and after three minutes the BGP network should consider the
FortiGate to be offline.

To configure graceful restart time settings:

config router bgp
    set graceful-restart enable
    set graceful-restart-time 120
    set graceful-stalepath-time 180
end

BFD

Bidirectional Forwarding Detection (BFD) is a protocol that you can use to quickly locate hardware failures in the
network. Routers running BFD communicate with each other and if a timer runs out on a connection then that router is
declared down. BFD then communicates this information to the routing protocol and the routing information is updated.
For more information about BFD, see BFD on page 403.

BGP path selection process

Sometimes the FortiGate may receive multiple BGP paths from neighbors and must decide which is the best path to
take. The following criteria are used to determine the best path.
Consider only routes with no AS loops and a valid next hop, and then:

1. Prefer the highest weight (this attribute is local to the FortiGate).
2. Prefer the highest local preference (applicable within AS).
3. Prefer the route originated by the local router (next hop = 0.0.0.0).
4. Prefer the shortest AS path.
5. Prefer the lowest origin code (IGP > EGP > incomplete).
6. Prefer the lowest MED (exchanged between autonomous systems).
7. Prefer the EBGP path over IBGP path.
8. Prefer the path through the closest IGP neighbor.
9. Prefer the oldest route for EBGP paths.
10. Prefer the path with the lowest neighbor BGP router ID.
11. Prefer the path with the lowest neighbor IP address.
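As an added example (not code from the FortiOS guide), the following Python model applies the eleven criteria above, in order, to a set of constructed candidate paths and also reports which step told two paths apart. Attribute names, the timestamp used for route age, and the sample routes are assumptions for the example.

```python
"""Model of the BGP best-path order listed above; added example code, not
FortiOS code. The Path fields and the sample routes are constructed."""
from dataclasses import dataclass
from ipaddress import ip_address
from typing import List, Optional, Tuple

ORIGIN_RANK = {"igp": 0, "egp": 1, "incomplete": 2}  # step 5: lower is preferred


@dataclass
class Path:
    next_hop: str
    as_path: List[int]
    weight: int = 0            # step 1, local to the FortiGate
    local_pref: int = 100      # step 2
    origin: str = "igp"        # step 5
    med: int = 0               # step 6
    ebgp: bool = True          # step 7
    igp_metric: int = 0        # step 8: IGP cost to reach the next hop
    received_at: int = 0       # step 9: smaller value = older route
    router_id: str = "0.0.0.0"     # step 10
    neighbor_ip: str = "0.0.0.0"   # step 11

    def locally_originated(self) -> bool:
        return self.next_hop == "0.0.0.0"  # step 3 as stated in the guide


def is_valid(p: Path, local_as: int) -> bool:
    """Pre-filter: no AS loop (local AS in AS_PATH) and a parseable next hop."""
    if local_as in p.as_path:
        return False
    try:
        ip_address(p.next_hop)
    except ValueError:
        return False
    return True


def ranking_key(p: Path) -> Tuple:
    """Tuple ordered so that the smallest key is the best path (steps 1-11)."""
    return (
        -p.weight,                            # 1. highest weight
        -p.local_pref,                        # 2. highest local preference
        0 if p.locally_originated() else 1,   # 3. locally originated route
        len(p.as_path),                       # 4. shortest AS path
        ORIGIN_RANK[p.origin],                # 5. lowest origin code
        p.med,                                # 6. lowest MED
        0 if p.ebgp else 1,                   # 7. EBGP over IBGP
        p.igp_metric,                         # 8. closest IGP neighbor
        p.received_at if p.ebgp else 0,       # 9. oldest route (EBGP only)
        int(ip_address(p.router_id)),         # 10. lowest neighbor router ID
        int(ip_address(p.neighbor_ip)),       # 11. lowest neighbor IP address
    )


def best_path(candidates: List[Path], local_as: int) -> Optional[Path]:
    """Return the winning path among the candidates, or None if none is valid."""
    valid = [p for p in candidates if is_valid(p, local_as)]
    if not valid:
        return None
    return min(valid, key=ranking_key)


def deciding_step(a: Path, b: Path) -> Optional[int]:
    """1-based step at which two paths are first told apart (None if identical)."""
    for step, (x, y) in enumerate(zip(ranking_key(a), ranking_key(b)), start=1):
        if x != y:
            return step
    return None


if __name__ == "__main__":
    # Constructed candidates for one prefix, seen by a FortiGate in AS 65412.
    r1 = Path("192.0.2.1", [65001, 65002], received_at=5,
              router_id="10.0.0.2", neighbor_ip="192.0.2.1")
    r2 = Path("198.51.100.1", [65003], received_at=10,
              router_id="10.0.0.3", neighbor_ip="198.51.100.1")
    loop = Path("192.0.2.9", [65001, 65412], weight=1000)  # AS loop: discarded
    best = best_path([r1, r2, loop], 65412)
    print("best next hop:", best.next_hop)            # 198.51.100.1
    print("decided at step:", deciding_step(r1, r2))  # 4 (AS path length)
```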

BFD

Bidirectional Forwarding Detection (BFD) is a protocol that you can use to quickly locate hardware failures in the
network. Routers running BFD send packets to each other at a negotiated rate. If packets from a BFD-enabled router fail
to arrive, that router is declared to be down. BFD communicates this information to the associated routing protocols and
the routing information is updated. It helps detect one way device failure and is used for fast convergence of routing
protocols.
BFD can run on an entire FortiGate, selected interfaces, or on a protocol, such as BGP, for all configured interfaces. The
configuration hierarchy allows each lower level to override the BFD setting of the upper level. For example, if you enable
BFD for an entire FortiGate, you can disable BFD for an interface or for BGP.

Echo mode and authentication are not supported for BFD on the FortiGate.

BFD can be enabled per device, VDOM, or interface. Once enabled, a BFD neighbor should be defined. Finally, enable
BFD on a route or routing protocol.

To configure BFD for an entire FortiGate:

config system settings
    set bfd {enable | disable}
    set bfd-desired-min-tx <ms>
    set bfd-required-min-rx <ms>
    set bfd-detect-mult <multiplier>
    set bfd-dont-enforce-src-port {enable | disable}
end

To configure BFD for an interface:

config system interface
    edit <interface-name>
        set bfd {global | enable | disable}
        set bfd-desired-min-tx <ms>
        set bfd-required-min-rx <ms>
        set bfd-detect-mult <multiplier>
    next
end

To configure BFD neighbors:

config router {bfd | bfd6}
    config neighbor
        edit <IP-address>
            set interface <interface-name>
        next
    end
end

To show BFD neighbors:

# get router {info | info6} bfd neighbor

To show BFD requests:

# get router {info | info6} bfd requests

BFD and static routes

BFD for static routes allows you to configure routing failover based on remote path failure detection. BFD removes a
static route from the routing table if the FortiGate can't reach the route's destination and returns the route to the routing
table if the route's destination is restored.
For example, you can add two static routes with BFD enabled. If one of the routes has a higher priority, all matching
traffic uses that route. If BFD determines that the link to the gateway of the route with the higher priority is down, the
higher priority route is removed from the routing table and all matching traffic uses the lower priority route. If the link to
the gateway for the higher priority route comes back up, BFD adds the route back into the routing table and all matching
traffic switches to use the higher priority route.
You can configure BFD for IPv4 and IPv6 static routes.

To configure BFD for static routes:

config router {static | static6}
    edit <sequence-number>
        set bfd {enable | disable}
        set device <gateway-out-interface>
    next
end

Example

The following example demonstrates the configuration of static routes between two FortiGates. There is a host behind
FortiGate 2 with an IP address of 1.1.1.1. FortiGate 1 has multiple paths to reach the host.


To configure static routes:

1. Configure FortiGate 1:
    config system interface
        edit "port1"
            set vdom "root"
            set ip 10.180.6.237 255.255.240.0
            set allowaccess ping
            set bfd enable
        next
    end
    config router bfd
        config neighbor
            edit 10.180.4.136
                set interface "port1"
            next
        end
    end

2. Configure FortiGate 2:
    config system interface
        edit "port1"
            set vdom "root"
            set ip 10.180.4.136 255.255.240.0
            set allowaccess ping
            set bfd enable
        next
    end
    config router bfd
        config neighbor
            edit 10.180.6.237
                set interface "port1"
            next
        end
    end

3. Configure two static routes:
    config router static
        edit 2
            set dst 1.1.1.1 255.255.255.255
            set gateway 10.180.4.136
            set device "port1"
            set bfd enable
        next
        edit 3
            set dst 1.1.1.1 255.255.255.255
            set gateway 10.180.2.44
            set distance 20
            set device "port1"
        next
    end

4. Confirm that BFD neighborship is established:
    # get router info bfd neighbor
    OurAddress      NeighAddress    State   Interface   LDesc/RDesc
    10.180.6.237    10.180.4.136    UP      port1       1/1

5. Review the active route in the routing table:
    # get router info routing-table all
    S   1.1.1.1/32 [10/0] via 10.180.4.136, port1
    C   10.180.0.0/20 is directly connected, port1

The route with the lower distance is preferred in the routing table.

If port1 on FortiGate 2 goes down or FortiGate 1 is unable to reach 10.180.4.136, the BFD neighborship will go down.
# get router info bfd neighbor
OurAddress NeighAddress State Interface LDesc/RDesc
10.180.6.237 10.180.4.136 DOWN port1 1/1

With BFD neighborship down, the FortiGate is unable to reach 1.1.1.1/32 through gateway 10.180.4.136. The routing
table will be updated so that the route through gateway 10.180.2.44 is active in the routing table.
# get router info routing-table all
S 1.1.1.1/32 [20/0] via 10.180.2.44, port1
C 10.180.0.0/20 is directly connected, port1

BFD removes a static route from the routing table if the FortiGate cannot reach the route's destination. The static route
will be returned to the routing table if the route's destination is restored.

BFD and OSPF

You can configure BFD for Open Shortest Path First (OSPF) on a FortiGate. FortiGate supports BFD for OSPF for both
IPv4 and IPv6. BFD must be configured globally and per interface.

To configure BFD for OSPF:

config router {ospf | ospf6}
    set bfd {enable | disable}
end


To enable BFD on a specific OSPF interface:

config router {ospf | ospf6}
    set bfd enable
    config {ospf-interface | ospf6-interface}
        edit <ID>
            set bfd {global | enable | disable}
            set area-id <IP address>
        next
    end
end

If BFD is configured when OSPF is not, no BFD packets will be sent. When both BFD and OSPF are configured, the
neighbors for both will be the same. Use the following commands to confirm that the neighbor IP addresses match:
# get router info ospf neighbor
# get router info bfd neighbor

BFD and BGP

While BGP can detect route failures, BFD can be configured to detect these failures more quickly, which allows for faster
responses and improved convergence. This can be balanced with the bandwidth BFD uses in its frequent route
checking.
The config router bgp commands allow you to set the addresses of the neighbor units that are also running BFD.
Both units must be configured with BFD in order to use it.

To configure BFD for BGP:

config router bgp
    config neighbor
        edit <neighbor-IP-address>
            set bfd {enable | disable}
        next
    end
end

BFD for Multihop paths

FortiGate BFD can support neighbors connected over multiple hops. When BFD is down, BGP sessions will be reset and
will try to re-establish neighbor connection immediately. See BFD for multihop path for BGP on page 408 for more
information.

To configure BFD for multihop paths:

config router {bfd | bfd6}
    config multihop-template
        edit <ID>
            set src <IP address/netmask>
            set dst <IP address/netmask>
            set bfd-desired-min-tx <integer>
            set bfd-required-min-rx <integer>
            set bfd-detect-mult <integer>
            set auth-mode {none | md5}
            set md5-key <password>
        next
    end
end

Troubleshooting BFD

You can troubleshoot BFD using the following commands:

# get router {info | info6} bfd neighbor
# get router {info | info6} bfd requests
# diagnose sniffer packet any <filter> <sniffer count>
# diagnose debug application bfdd <debug level>
# diagnose debug enable

BFD for multihop path for BGP

In BFD, a FortiGate can support neighbors connected over multiple hops. When BFD is down, BGP sessions are reset
and will try to immediately re-establish neighbor connections. Previously, BFD was only supported when two routers or
FortiGates were directly connected on the same network.
config router {bfd | bfd6}
    config multihop-template
        edit <ID>
            set src <class_IP/netmask>
            set dst <class_IP/netmask>
            set bfd-desired-min-tx <integer>
            set bfd-required-min-rx <integer>
            set bfd-detect-mult <integer>
            set auth-mode {none | md5}
            set md5-key <password>
        next
    end
end

src <class_IP/netmask>          Enter the source prefix.
dst <class_IP/netmask>          Enter the destination prefix.
bfd-desired-min-tx <integer>    Set the BFD desired minimal transmit interval, in milliseconds (100 - 30000, default = 250).
bfd-required-min-rx <integer>   Set the BFD required minimal receive interval, in milliseconds (100 - 30000, default = 250).
bfd-detect-mult <integer>       Set the BFD detection multiplier (3 - 50, default = 3).
auth-mode {none | md5}          Set the authentication mode (none or meticulous MD5).
md5-key <password>              Enter the password.


Example

This example includes IPv4 and IPv6 BFD neighbor configurations. The BFD neighbor is also a BGP neighbor that is in a
different AS.

To configure BFD with multihop BGP paths:

1. Enable BFD on all interfaces:
    config system settings
        set bfd enable
    end

2. Enable BFD on port1 and ignore the global configuration:
    config system interface
        edit "port1"
            set bfd enable
        next
    end

3. Configure the BGP neighbors:
    config router bgp
        set as 65412
        set router-id 1.1.1.1
        config neighbor
            edit "172.16.201.2"
                set bfd enable
                set ebgp-enforce-multihop enable
                set soft-reconfiguration enable
                set remote-as 65050
            next
            edit "2000:172:16:201::2"
                set bfd enable
                set ebgp-enforce-multihop enable
                set soft-reconfiguration enable
                set remote-as 65050
            next
        end
    end

4. Configure the IPv4 BFD:
    config router bfd
        config multihop-template
            edit 1
                set src 172.16.200.0 255.255.255.0
                set dst 172.16.201.0 255.255.255.0
                set auth-mode md5
                set md5-key **********
            next
        end
    end

5. Configure the IPv6 BFD:
    config router bfd6
        config multihop-template
            edit 1
                set src 2000:172:16:200::/64
                set dst 2000:172:16:201::/64
            next
        end
    end

Testing the connection

1. Verify the BFD status for IPv4 and IPv6:
    # get router info bfd requests
    BFD Peer Requests:
    client types(ct in 0x): 01=external 02=static 04=ospf 08=bgp 10=pim-sm
    src=172.16.200.1 dst=172.16.201.2 ct=08 ifi=9 type=SM

    # get router info bfd neighbor
    OurAddress      NeighAddress    State   Interface   LDesc/RDesc
    172.16.200.1    172.16.201.2    UP      port1       5/3/M

    # get router info6 bfd requests
    BFD Peer Requests:
    client types(ct in 0x): 01=external 02=static 04=ospf 08=bgp 10=pim-sm
    src=2000:172:16:200::1 dst=2000:172:16:201::2 ct=08 ifi=9 type=SM

    # get router info6 bfd neighbor
    OurAddress: 2000:172:16:200::1
    NeighAddress: 2000:172:16:201::2
    State: UP Interface: port1 Desc: 6/4 Multi-hop

2. Verify the BGP status and the BGP routing table:
    # get router info bgp summary
    VRF 0 BGP router identifier 1.1.1.1, local AS number 65412
    BGP table version is 11
    3 BGP AS-PATH entries
    0 BGP community entries

    Neighbor             V   AS      MsgRcvd  MsgSent  TblVer  InQ  OutQ  Up/Down   State/PfxRcd
    172.16.201.2         4   65050   185      187      10      0    0     00:54:20  4
    2000:172:16:201::2   4   65050   159      160      10      0    0     00:54:24  4

    Total number of neighbors 2

    # get router info routing-table bgp
    Routing table for VRF=0
    B   172.28.1.0/24 [20/0] via 172.16.201.2 (recursive via 172.16.200.4, port1), 00:54:32
    B   172.28.2.0/24 [20/0] via 172.16.201.2 (recursive via 172.16.200.4, port1), 00:54:32
    B   172.28.5.0/24 [20/0] via 172.16.201.2 (recursive via 172.16.200.4, port1), 00:54:32
    B   172.28.6.0/24 [20/0] via 172.16.201.2 (recursive via 172.16.200.4, port1), 00:54:32

    # get router info6 bgp summary
    VRF 0 BGP router identifier 1.1.1.1, local AS number 65412
    BGP table version is 8
    3 BGP AS-PATH entries
    0 BGP community entries

    Neighbor             V   AS      MsgRcvd  MsgSent  TblVer  InQ  OutQ  Up/Down   State/PfxRcd
    172.16.201.2         4   65050   185      187      7       0    0     00:54:24  3
    2000:172:16:201::2   4   65050   159      160      7       0    0     00:54:28  3

    Total number of neighbors 2

    # get router info6 routing-table bgp
    Routing table for VRF=0
    B   2000:172:28:1::/64 [20/0] via 2000:172:16:201::2 (recursive via 2000:172:16:200::4, port1), 00:54:40
    B   2000:172:28:2::/64 [20/0] via 2000:172:16:201::2 (recursive via 2000:172:16:200::4, port1), 00:54:40
    B   2000:172:28:3::/64 [20/0] via 2000:172:16:201::2 (recursive via 2000:172:16:200::4, port1), 00:54:40

3. Simulate a disruption to the BFD connection. The BFD neighbor is lost:
    # get router info bfd neighbor
    OurAddress      NeighAddress    State   Interface   LDesc/RDesc

    # get router info6 bfd neighbor

4. The BGP neighbor is reset, and the FortiGate attempts to re-establish a connection with the neighbor. The timers
   are reset once the neighbor connection is re-established:
    # get router info bgp summary
    VRF 0 BGP router identifier 1.1.1.1, local AS number 65412
    BGP table version is 12
    4 BGP AS-PATH entries
    0 BGP community entries

    Neighbor             V   AS      MsgRcvd  MsgSent  TblVer  InQ  OutQ  Up/Down   State/PfxRcd
    172.16.201.2         4   65050   189      192      11      0    0     00:00:11  4
    2000:172:16:201::2   4   65050   165      167      12      0    0     00:00:08  4

    Total number of neighbors 2

    # get router info6 bgp summary
    VRF 0 BGP router identifier 1.1.1.1, local AS number 65412
    BGP table version is 10
    4 BGP AS-PATH entries
    0 BGP community entries

    Neighbor             V   AS      MsgRcvd  MsgSent  TblVer  InQ  OutQ  Up/Down   State/PfxRcd
    172.16.201.2         4   65050   189      192      8       0    0     00:00:15  3
    2000:172:16:201::2   4   65050   165      167      9       0    0     00:00:12  3

    Total number of neighbors 2

5. The BGP routes are learned again, and there are new timers in the route tables:
    # get router info routing-table bgp
    Routing table for VRF=0
    B   172.28.1.0/24 [20/0] via 172.16.201.2 (recursive via 172.16.200.4, port1), 00:00:15
    B   172.28.2.0/24 [20/0] via 172.16.201.2 (recursive via 172.16.200.4, port1), 00:00:15
    B   172.28.5.0/24 [20/0] via 172.16.201.2 (recursive via 172.16.200.4, port1), 00:00:15
    B   172.28.6.0/24 [20/0] via 172.16.201.2 (recursive via 172.16.200.4, port1), 00:00:15

    # get router info6 routing-table bgp
    Routing table for VRF=0
    B   2000:172:28:1::/64 [20/0] via 2000:172:16:201::2 (recursive via 2000:172:16:200::4, port1), 00:00:13
    B   2000:172:28:2::/64 [20/0] via 2000:172:16:201::2 (recursive via 2000:172:16:200::4, port1), 00:00:13
    B   2000:172:28:3::/64 [20/0] via 2000:172:16:201::2 (recursive via 2000:172:16:200::4, port1), 00:00:13

Routing objects

The following objects can be configured from the Network > Routing Objects page:
- Route maps on page 412
- Access lists on page 415
- Prefix lists on page 417
- AS path lists on page 420
- Community lists on page 421

Route maps

Route maps are a powerful tool to apply custom actions to dynamic routing protocols based on specific conditions. They
are used primarily in BGP to manipulate routes advertised by the FortiGate (route-map-out) or received routes from
other BGP routers (route-map-in).
Route maps can be used in OSPF for conditional default-information-originate, filtering external routes, or
matching specific routes for redistribution. Similarly, route maps can be used by RIP to match routes for redistribution.
A route map may have multiple rules that are processed from the top down. Each rule has an action to permit or deny.
The rules have criteria for matching a route based on various attributes, or setting attributes based on a matched route.
For example, a route map can be used to match BGP routes with a certain community string, and then set an AS path to
the matching route. This can be applied to a BGP neighbor by configuring the route map in setting for that neighbor.

FortiOS 7.2.1 Administration Guide 412


Fortinet Inc.
Network

To configure a route map that matches criteria based on other routing objects:

config router route-map
    edit <name>
        config rule
            edit <id>
                set action {permit | deny}
                set match-as-path <string>
                set match-community <string>
                set match-ip-address <string>
                set match-ip6-address <string>
                set match-ip-nexthop <string>
                set match-ip6-nexthop <string>
            next
        end
    next
end

match-as-path <string>       Match a BGP AS path list.
match-community <string>     Match a BGP community list.
match-ip-address <string>    Match an IPv4 address permitted by access-list or prefix-list.
match-ip6-address <string>   Match an IPv6 address permitted by access-list6 or prefix-list6.
match-ip-nexthop <string>    Match a next hop IPv4 address passed by access-list or prefix-list.
match-ip6-nexthop <string>   Match a next hop IPv6 address passed by access-list6 or prefix-list6.

Route maps can be used by various routing protocols, such as RIP, OSPF, and BGP.

To use a route map with RIP:

config router rip
    config redistribute
        edit <name>
            set routemap <string>
        next
    end
end

To use a route map with OSPF:

config router ospf
    set default-information-route-map <string>
    set distribute-route-map-in <string>
    config redistribute <string>
        set routemap <string>
    end
end

default-information-route-map <string>   Enter the default information route map.
distribute-route-map-in <string>         Enter the route map to filter incoming external routes.
redistribute <string>                    Configure the redistribute protocol.

To use a route map with BGP:

config router bgp
    config neighbor
        edit <ip>
            set route-map-in <string>
            set route-map-in6 <string>
            set route-map-in-vpnv4 <string>
            set route-map-out <string>
            set route-map-out-preferable <string>
            set route-map-out6 <string>
            set route-map-out6-preferable <string>
            set route-map-out-vpnv4 <string>
            set route-map-out-vpnv4-preferable <string>
        next
    end
    config network
        edit <id>
            set prefix <IP/netmask>
            set route-map <string>
        next
    end
    config redistribute <string>
        set route-map <string>
    end
end

route-map-in <string>                    Enter the IPv4 inbound route map filter.
route-map-in6 <string>                   Enter the IPv6 inbound route map filter.
route-map-in-vpnv4 <string>              Enter the VPNv4 inbound route map filter.
route-map-out <string>                   Enter the IPv4 outbound route map filter.
route-map-out-preferable <string>        Enter the IPv4 outbound route map filter if the peer is preferred.
route-map-out6 <string>                  Enter the IPv6 outbound route map filter.
route-map-out6-preferable <string>       Enter the IPv6 outbound route map filter if the peer is preferred.
route-map-out-vpnv4 <string>             Enter the VPNv4 outbound route map filter.
route-map-out-vpnv4-preferable <string>  Enter the VPNv4 outbound route map filter if the peer is preferred.
route-map <string>                       Enter the route map to modify the generated route.
redistribute <string>                    Configure the redistribute protocol.


To use a route map with BGP conditional advertisement:

config router bgp
    set as <AS_number>
    config neighbor
        edit <ip>
            set remote-as <AS_number>
            config conditional-advertise
                edit <advertise-routemap>
                    set condition-routemap <name1>, <name2>, ...
                    set condition-type {exist | non-exist}
                next
            end
        next
    end
end

<advertise-routemap>                     Edit the advertising route map.
condition-routemap <name1>, <name2>, ... Enter the list of conditional route maps.

Access lists

Access lists are simple lists used for filtering routes based on a prefix consisting of an IPv4 or IPv6 address and netmask.

To configure an IPv4 access list:

config router access-list
    edit <name>
        config rule
            edit <id>
                set action {permit | deny}
                set prefix <IPv4_address>
                set wildcard <wildcard_filter>
                set exact-match {enable | disable}
            next
        end
    next
end

To configure an IPv6 access list:

config router access-list6
    edit <name>
        config rule
            edit <id>
                set action {permit | deny}
                set prefix <IPv6_address>
                set exact-match {enable | disable}
            next
        end
    next
end


In RIP, an access list can be used in the distribute-list setting to filter received or advertised routes, or in an
offset-list to offset the hop count metric for a specific prefix.

To use an access list in RIP:

config router rip
    config distribute-list
        edit <id>
            set direction {in | out}
            set listname <string>
        next
    end
    config offset-list
        edit <id>
            set direction {in | out}
            set access-list <string>
            set offset <integer>
        next
    end
end

listname <string>      Enter the distribute access or prefix list name.
access-list <string>   Enter the access list name.

In OSPF, an access list can be used in the distribute-list-in setting to act as a filter to prevent a certain route
from being inserted into the routing table. An access list can also be used in the distribute-list to filter the routes
that can be distributed from other protocols.

To use an access list in OSPF:

config router ospf
    set distribute-list-in <string>
    config distribute-list
        edit <id>
            set access-list <string>
            set protocol {connected | static | rip}
        next
    end
end

distribute-list-in <string>   Enter the filter for incoming routes.
access-list <string>          Enter the access list name.

In BGP, an access list can be used to filter updates from a neighbor or to a neighbor.

To use an access list in BGP:

config router bgp
    config neighbor
        edit <ip>
            set distribute-list-in <string>
            set distribute-list-in6 <string>
            set distribute-list-in-vpnv4 <string>
            set distribute-list-out <string>
            set distribute-list-out6 <string>
            set distribute-list-out-vpnv4 <string>
        next
    end
end

distribute-list-in <string>         Enter the filter for IPv4 updates from this neighbor.
distribute-list-in6 <string>        Enter the filter for IPv6 updates from this neighbor.
distribute-list-in-vpnv4 <string>   Enter the filter for VPNv4 updates from this neighbor.
distribute-list-out <string>        Enter the filter for IPv4 updates to this neighbor.
distribute-list-out6 <string>       Enter the filter for IPv6 updates to this neighbor.
distribute-list-out-vpnv4 <string>  Enter the filter for VPNv4 updates to this neighbor.

In a route map, an access list can be used to match IP addresses and next hops.

To use an access list in a route map:

config router route-map
    edit <name>
        config rule
            edit <id>
                set match-ip-address <string>
                set match-ip6-address <string>
                set match-ip-nexthop <string>
                set match-ip6-nexthop <string>
            next
        end
    next
end

match-ip-address <string>    Match an IPv4 address permitted by access-list or prefix-list.
match-ip6-address <string>   Match an IPv6 address permitted by access-list6 or prefix-list6.
match-ip-nexthop <string>    Match a next hop IPv4 address passed by access-list or prefix-list.
match-ip6-nexthop <string>   Match a next hop IPv6 address passed by access-list6 or prefix-list6.

Prefix lists

Similar to access lists, prefix lists are simple lists used for filtering routes based on a prefix consisting of an IPv4 or IPv6
address and netmask, but they use settings to specify the minimum (ge, greater than or equal) and maximum (le, less
than or equal) prefix length to be matched. For example, a prefix of 10.0.0.0/8 with a ge of 16 will match anything in the
10.0.0.0/8 network with /16 or above; 10.10.0.0/16 will match, and 10.10.0.0/12 will not match.
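The following is an added example (not FortiOS code) that models prefix-list matching with ge and le against constructed rules and candidate routes, including the 10.0.0.0/8 ge 16 case above and an IPv6 rule. It assumes the usual prefix-list semantics: a rule with neither ge nor le matches only the exact prefix, rules are evaluated top down with the first match deciding, and a list with no matching rule denies the route.

```python
"""Model of prefix-list matching with ge/le; added example code, not code
from the FortiOS guide. Assumptions: a rule without ge or le matches the
exact prefix only, first match wins, and an unmatched route is denied."""
from dataclasses import dataclass
from ipaddress import ip_network
from typing import List, Optional


@dataclass
class PrefixRule:
    action: str               # "permit" or "deny"
    prefix: str               # e.g. "10.0.0.0/8" or "2001:db8::/32"
    ge: Optional[int] = None  # minimum prefix length to match, inclusive
    le: Optional[int] = None  # maximum prefix length to match, inclusive

    def matches(self, candidate: str) -> bool:
        """True if `candidate` lies inside this rule's prefix and its length
        falls within the ge/le window."""
        rule_net = ip_network(self.prefix, strict=False)
        # strict=False tolerates host bits, so "10.10.0.0/12" parses as 10.0.0.0/12
        cand = ip_network(candidate, strict=False)
        if cand.version != rule_net.version or not cand.subnet_of(rule_net):
            return False
        low = self.ge if self.ge is not None else rule_net.prefixlen
        if self.le is not None:
            high = self.le
        elif self.ge is not None:
            high = rule_net.max_prefixlen   # ge alone: anything from ge to /32 or /128
        else:
            high = rule_net.prefixlen       # neither: exact prefix only
        return low <= cand.prefixlen <= high


def evaluate(rules: List[PrefixRule], candidate: str) -> str:
    """Walk the rules top down; the first matching rule's action is returned,
    and a route matching no rule is implicitly denied."""
    for rule in rules:
        if rule.matches(candidate):
            return rule.action
    return "deny"


if __name__ == "__main__":
    rule = PrefixRule("permit", "10.0.0.0/8", ge=16)   # the guide's example
    print(rule.matches("10.10.0.0/16"))  # True
    print(rule.matches("10.10.0.0/12"))  # False: /12 is shorter than ge 16
    # A constructed list: refuse anything longer than /24 inside 10/8,
    # permit /16 to /24, implicitly deny everything else.
    rules = [PrefixRule("deny", "10.0.0.0/8", ge=25),
             PrefixRule("permit", "10.0.0.0/8", ge=16, le=24)]
    print(evaluate(rules, "10.1.2.0/24"), evaluate(rules, "10.1.2.128/25"))  # permit deny
```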

To configure an IPv4 prefix list:

config router prefix-list
    edit "prefix-list1"
        config rule
            edit 1
                set action {permit | deny}
                set prefix <IPv4_address>
                set ge <integer>
                set le <integer>
            next
        end
    next
end

To configure an IPv6 prefix list:

config router prefix-list6
    edit "prefix-list-IPv6"
        config rule
            edit 1
                set action {permit | deny}
                set prefix6 <IPv6_address>
                set ge <integer>
                set le <integer>
            next
        end
    next
end

In RIP, a prefix list can be used in the distribute-list setting to filter received or advertised routes.

To use a prefix list in RIP:

config router rip
    config distribute-list
        edit <id>
            set listname <string>
        next
    end
end

listname <string> Enter the distribute access or prefix list name.

In OSPF, a prefix list can be used in the distribute-list-in setting to act as a filter to prevent a certain route from
being inserted into the routing table.

To use a prefix list in OSPF:

config router ospf
    set distribute-list-in <string>
end

distribute-list-in <string>   Enter the filter for incoming routes.

In BGP, a prefix list can be used to filter updates from a neighbor or to a neighbor.

To use a prefix list in BGP:

config router bgp
    config neighbor
        edit <ip>
            set prefix-list-in <string>
            set prefix-list-in6 <string>
            set prefix-list-in-vpnv4 <string>
            set prefix-list-out <string>
            set prefix-list-out6 <string>
            set prefix-list-out-vpnv4 <string>
        next
    end
end

prefix-list-in <string>          Enter the IPv4 inbound filter for updates from this neighbor.
prefix-list-in6 <string>         Enter the IPv6 inbound filter for updates from this neighbor.
prefix-list-in-vpnv4 <string>    Enter the inbound filter for VPNv4 updates from this neighbor.
prefix-list-out <string>         Enter the IPv4 outbound filter for updates to this neighbor.
prefix-list-out6 <string>        Enter the IPv6 outbound filter for updates to this neighbor.
prefix-list-out-vpnv4 <string>   Enter the outbound filter for VPNv4 updates to this neighbor.

In a route map, a prefix list can be used to match IP addresses and next hops.

To use a prefix list in a route map:

config router route-map
    edit <name>
        config rule
            edit <id>
                set match-ip-address <string>
                set match-ip6-address <string>
                set match-ip-nexthop <string>
                set match-ip6-nexthop <string>
            next
        end
    next
end

match-ip-address <string> Match an IPv4 address permitted by access-list or prefix-list.
match-ip6-address <string> Match an IPv6 address permitted by access-list6 or prefix-list6.
match-ip-nexthop <string> Match a next hop IPv4 address passed by access-list or prefix-list.
match-ip6-nexthop <string> Match a next hop IPv6 address passed by access-list6 or prefix-list6.

AS path lists

AS path lists use regular expressions to compare and match the AS_PATH attribute for a BGP route. They can be used
to filter inbound or outbound routes from a BGP neighbor, or as matching criteria in a route map to match an AS_PATH in
a BGP route.

To configure an AS path list:

config router aspath-list
    edit <name>
        config rule
            edit <id>
                set action {deny | permit}
                set regexp <string>
            next
        end
    next
end

To use an AS path list in BGP:

config router bgp
    config neighbor
        edit <ip>
            set filter-list-in <string>
            set filter-list-in6 <string>
            set filter-list-out <string>
            set filter-list-out6 <string>
        next
    end
end

filter-list-in <string> Enter the BGP filter for IPv4 inbound routes.
filter-list-in6 <string> Enter the BGP filter for IPv6 inbound routes.
filter-list-out <string> Enter the BGP filter for IPv4 outbound routes.
filter-list-out6 <string> Enter the BGP filter for IPv6 outbound routes.

To use an AS path list in a route map:

config router route-map
    edit <name>
        config rule
            edit <id>
                set match-as-path <string>
            next
        end
    next
end

match-as-path <string> Match a BGP AS path list.

Community lists

Community lists provide a means to filter BGP routes using a community string. They can be applied in a route map to
match routes that have the community string defined in the community list.

To configure a community list:

config router community-list
    edit <name>
        set type {standard | expanded}
        config rule
            edit <id>
                set action {deny | permit}
                set regexp <string>
                set match <string>
            next
        end
    next
end

To use a community list in a route map to match a BGP community:

config router route-map
    edit <name>
        config rule
            edit <id>
                set match-community <string>
            next
        end
    next
end

match-community <string> Match a BGP community list.

In an SD-WAN deployment, a remote BGP router or spoke may communicate a preferred interface or path to route traffic
using a community string. See Using BGP tags with SD-WAN rules on page 643 and Controlling traffic with BGP route
mapping and service rules on page 648 for examples.

Multicast

The following topics include information about multicast:

l Multicast routing and PIM support on page 422
l Configuring multicast forwarding on page 422

Multicast routing and PIM support

Multicasting (also called IP multicasting) consists of using a single multicast source to send data to many receivers.
Multicasting can be used to send data to many receivers simultaneously while conserving bandwidth and reducing
network traffic. Multicasting can be used for one-way delivery of media streams to multiple receivers and for one-way
data transmission for news feeds, financial information, and so on. Many dynamic routing protocols such as RIPv2,
OSPF, and EIGRP use multicasting to share hello packets and routing information.
A FortiGate can operate as a Protocol Independent Multicast (PIM) version 2 router. FortiGates support PIM sparse
mode (RFC 4601) and PIM dense mode (RFC 3973), and can service multicast servers or receivers on the network
segment to which a FortiGate interface is connected. Multicast routing is not supported in transparent mode.
To support PIM communications, the sending and receiving applications, and all connecting PIM routers in between,
must be enabled with PIM version 2. PIM can use static routes, RIP, OSPF, or BGP to forward multicast packets to their
destinations. To enable source-to-destination packet delivery, sparse mode or dense mode must be enabled on the PIM
router interfaces. Sparse mode routers cannot send multicast messages to dense mode routers. If the FortiGate is
located between a source and a PIM router, between two PIM routers, or is connected directly to a receiver, you must
manually create a multicast policy to pass encapsulated (multicast) packets or decapsulated data (IP traffic) between the
source and destination.

PIM domains

A PIM domain is a logical area comprising a number of contiguous networks. The domain contains at least one bootstrap
router (BSR), and if sparse mode is enabled, a number of rendezvous points (RPs) and designated routers (DRs). When
PIM is enabled, the FortiGate can perform any of these functions at any time as configured.
A PIM domain can be configured in the GUI by going to Network > Multicast, or in the CLI using config router
multicast. Note that PIM version 2 must be enabled on all participating routers between the source and receivers. Use
config router multicast to set the global operating parameters.
When PIM is enabled, the FortiGate allocates memory to manage mapping information. The FortiGate communicates
with neighboring PIM routers to acquire mapping information and, if required, processes the multicast traffic associated
with specific multicast groups.
Instead of sending multiple copies of generated IP traffic to more than one specific IP destination address, PIM-enabled
routers encapsulate the data and use a Class D multicast group address (224.0.0.0 to 239.255.255.255) to forward
multicast packets to multiple destinations. A single stream of data can be sent because one destination address is used.
Client applications receive multicast data by requesting that the traffic destined for a certain multicast group address be
delivered to them.

Configuring multicast forwarding

There is sometimes confusion between the terms forwarding and routing. These two functions should not take place at
the same time. Multicast forwarding should be enabled when the FortiGate is in NAT mode and you want to forward
multicast packets between multicast routers and receivers. However, this function should not be enabled when the
FortiGate itself is operating as a multicast router, or has an applicable routing protocol that uses multicast.


Multicast forwarding is not supported on enhanced MAC VLAN interfaces. To use multicast with enhanced MAC VLAN
interfaces, use PIM (Multicast routing and PIM support on page 422).
There are two steps to configure multicast forwarding:
1. Enabling multicast forwarding on page 423
2. Configuring multicast policies on page 424

Enabling multicast forwarding

Multicast forwarding is enabled by default. If a FortiGate is operating in transparent mode, adding a multicast policy
enables multicast forwarding. In NAT mode you must use the multicast-forward setting to enable or disable
multicast forwarding.

Multicast forwarding in NAT mode

When multicast-forward is enabled, the FortiGate forwards any multicast IP packets in which the TTL is 2 or higher
to all interfaces and VLAN interfaces, except the receiving interface. The TTL in the IP header will be reduced by 1. Even
though the multicast packets are forwarded to all interfaces, you must add multicast policies to allow multicast packets
through the FortiGate.

To enable multicast forwarding in NAT mode:

config system settings
    set multicast-forward enable
end

Prevent the TTL for forwarded packets from being changed

You can use the multicast-ttl-notchange option so that the FortiGate does not decrement the TTL of forwarded multicast
packets. Use this option only if packets are expiring before they reach the multicast router.

To prevent the TTL for forwarded packets from being changed:

config system settings
    set multicast-ttl-notchange enable
end

Disable multicast traffic from passing through the FortiGate without a policy check in
transparent mode

By default in transparent mode, the FortiGate does not forward frames with multicast destination addresses; adding a
multicast policy enables forwarding. The FortiGate should not interfere with the multicast traffic used by routing
protocols, streaming media, or other multicast communication. To keep that traffic subject to a policy check, disable
multicast-skip-policy and configure multicast security policies.

To disable multicast traffic from passing through the FortiGate without a policy check in transparent
mode:

config system settings
    set multicast-skip-policy disable
end

Configuring multicast policies

Multicast packets require multicast policies to allow packets to pass from one interface to another. Similar to firewall
policies, in a multicast policy you specify the source and destination interfaces, and the allowed address ranges for the
source and destination addresses of the packets. You can also use multicast policies to configure source NAT and
destination NAT for multicast packets.
Keep the following in mind when configuring multicast policies:
l The matched forwarded (outgoing) IP multicast source IP address is changed to the configured IP address.
l The snat setting is optional. Use it when SNAT is needed.

IPv4 and IPv6 multicast policies can be configured in the GUI. Go to System > Feature Visibility, and enable Multicast
Policy and IPv6.

Sample basic policy

In this basic policy, multicast packets received on an interface are flooded unconditionally to all interfaces on the
forwarding domain, except the incoming interface.
config firewall multicast-policy
    edit 1
        set srcintf "any"
        set dstintf "any"
        set srcaddr "all"
        set dstaddr "all"
    next
end

The destination address (dstaddr) is a multicast address object. The all option corresponds to all multicast addresses
in the range 224.0.0.0-239.255.255.255.

Sample policy with specific source and destination interfaces

This multicast policy only applies to the source port wan1 and the destination port internal.
config firewall multicast-policy
    edit 1
        set srcintf "wan1"
        set dstintf "internal"
        set srcaddr "all"
        set dstaddr "all"
    next
end

Sample policy with specific source address object

In this policy, packets are allowed to flow from wan1 to internal, and sourced by the address 172.20.120.129, which is
represented by the example_addr-1 address object.

config firewall multicast-policy
    edit 1
        set srcintf "wan1"
        set dstintf "internal"
        set srcaddr "example_addr-1"
        set dstaddr "all"
    next
end

Sample detailed policy

This policy accepts multicast packets that are sent from a PC with IP address 192.168.5.18 to destination address range
239.168.4.0-255. The policy allows the multicast packets to enter the internal interface and then exit the external
interface. When the packets leave the external interface, their source address is translated to 192.168.18.10.
config firewall address
    edit "192.168.5.18"
        set subnet 192.168.5.18 255.255.255.255
    next
end

config firewall multicast-address
    edit "239.168.4.0"
        set start-ip 239.168.4.0
        set end-ip 239.168.4.255
    next
end

config firewall multicast-policy
    edit 1
        set srcintf "internal"
        set dstintf "external"
        set srcaddr "192.168.5.18"
        set dstaddr "239.168.4.0"
        set snat enable
        set snat-ip 192.168.18.10
    next
end

To configure multicast policies in the GUI, enable Multicast Policy in System > Feature Visibility.

FortiExtender

There are two configuration modes available on the FortiGate for FortiExtender integration: WAN extension mode and
LAN extension mode.


WAN extension mode

In WAN extension mode, the FortiExtender works as an extended WAN interface in IP pass-through mode. The FortiGate
manages the FortiExtender over the CAPWAP protocol, and the FortiExtender is integrated into FortiOS as a manageable
interface.

Sample configurations in WAN extension mode could include connecting a FortiExtender to two FortiGates in HA active-
passive mode, or connecting two FortiExtenders to two FortiGates in HA active-active mode to provide dual active
redundancy for wireless WAN access.
For more information, see FortiExtender and FortiGate integration in the FortiExtender (Managed) Administration Guide.

LAN extension mode

The LAN extension configuration mode allows FortiExtender to provide remote thin edge connectivity back to the
FortiGate over a backhaul connection. A FortiExtender deployed at a remote location will discover the FortiGate access
controller (AC) and form an IPsec tunnel (or multiple tunnels when multiple links exist on the FortiExtender) back to the
FortiGate. A VXLAN is established over the IPsec tunnels to create an L2 network between the FortiGate and the
network behind the remote FortiExtender.

For more information, see FortiExtender as FortiGate LAN extension in the FortiExtender (Managed) Administration
Guide.

Adding a FortiExtender

To add a FortiExtender to the FortiGate, create a virtual FortiExtender interface, then add a FortiExtender and assign the
interface to the modem. Like other interface types, the FortiExtender interface can be used in static routes, SD-WAN
(see Manage dual FortiExtender devices), policies, and other functions.


To create a virtual FortiExtender interface in the GUI:

1. Go to Network > Interfaces and click Create New > FortiExtender.
2. Enter a name for the interface.
3. Configure the remaining settings as needed. See Interface settings on page 143 for more details.
4. Click OK.

To add a FortiExtender in the GUI:

1. Go to Network > FortiExtender and click Create New > Extenders.
2. Enter your FortiExtender's serial number in the Serial number field.
3. Optionally, set an Alias for the FortiExtender.
4. In the State section, enable Authorized.
5. Set Interface to the FortiExtender interface.
6. Configure the remaining settings as required. See the FortiExtender Administration Guide (FGT-Managed) for more
information.
7. Click OK.
8. In the extenders list, right-click on the FortiExtender and select Diagnostics and Tools to review the modem and SIM
status, and other details about the FortiExtender.

To create a virtual FortiExtender interface in the CLI:

config system interface
    edit "fext"
        set vdom "root"
        set mode dhcp
        set allowaccess ping https speed-test
        set type fext-wan
        set estimated-upstream-bandwidth 1000
        set estimated-downstream-bandwidth 500
    next
end

To configure the FortiExtender in the CLI:

config extender-controller extender
    edit "FX211E0000000000"
        set id "FX211E0000000000"
        set authorized enable
        config modem1
            set ifname "fext"
        end
    next
end

To verify the modem settings in the CLI:

get extender modem-status FX211E0000000000 1
Modem 0:
physical_port: 2-1.2
manufacture: Sierra Wireless, Incorporated
product: Sierra Wireless, Incorporated
....

Direct IP support for LTE/4G

Direct IP is a public IP address that is assigned to a computing device, which allows the device to directly access the
internet.
When an LTE modem is enabled in FortiOS, a DHCP interface is created. As a result, the FortiGate can acquire direct IP
(which includes IP, DNS, and gateway) from the LTE network carrier.
Since some LTE modems require users to input the access point name (APN) for the LTE network, the LTE modem
configuration allows you to set the APN.

LTE modems can only be enabled by using the CLI.

To enable direct IP support using the CLI:

1. Enable the LTE modem:

config system lte-modem
    set status enable
end

2. Check that the LTE interface was created:

config system interface
    edit "wwan"
        set vdom "root"
        set mode dhcp
        set status down
        set distance 1
        set type physical
        set snmp-index 23
    next
end

Shortly after the LTE modem joins its carrier network, wwan is enabled and granted direct IP:
config system interface
    edit wwan
        get
name : wwan
....
ip : 100.112.75.43 255.255.255.248
....
status : up
....
defaultgw : enable
DHCP Gateway : 100.112.75.41
Lease Expires : Thu Feb 21 19:33:27 2019
dns-server-override : enable
Acquired DNS1 : 184.151.118.254
Acquired DNS2 : 70.28.245.227
....

PCs can reach the internet via the following firewall policy:
config firewall policy
    edit 5
        set name "LTE"
        set srcintf "port9"
        set dstintf "wwan"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set utm-status enable
        set fsso disable
        set nat enable
    next
end

Sample LTE interface

When an LTE modem is enabled, you can view the LTE interface in the GUI and check the acquired IP, DNS, and
gateway.


To view the LTE interface in the GUI:

1. Go to Network > Interfaces.
2. Double-click the LTE interface (wwan) to view the properties.
3. Look in the Address section to see the Obtained IP/Netmask, Acquired DNS, and Default Gateway.
4. Click Return.

To configure the firewall policy that uses the LTE interface:

1. Go to Policy & Objects > Firewall Policy.
2. Edit the LTE policy.
3. In the Outgoing Interface field, select the interface (wwan in this example).
4. Configure the rest of the policy as needed.
5. Click OK.

Limitations

l Most LTE modems have a preset APN in their SIM card. Therefore, the APN does not need to be set in the FortiOS
configuration. In cases where the internet cannot be accessed, consult with your carrier and set the APN in the LTE
modem configuration (for example, inet.bell.ca):

config system lte-modem
    set status enable
    set apn "inet.bell.ca"
end

l Some models, such as the FortiGate 30E-3G4G, have built-in LTE modems. In this scenario, the LTE modem is
enabled by default. The firewall policy via the LTE interface is also created by default. Once you plug in a SIM card,
your network devices can connect to the internet.

Sample FortiGate 30E-3G4G default configuration:

config system lte-modem
    set status enable
    set extra-init ''
    set manual-handover disable
    set force-wireless-profile 0
    set authtype none
    set apn ''
    set modem-port 255
    set network-type auto
    set auto-connect disable
    set gpsd-enabled disable
    set data-usage-tracking disable
    set gps-port 255
end

config firewall policy
    ....
    edit 3
        set srcintf "internal"
        set dstintf "wwan"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
    next
end

LLDP reception

Device detection can scan LLDP as a source for device identification, but the FortiGate does not read or store the full
information. Enabling LLDP reception allows the FortiGate to receive and store LLDP messages, learn about active
neighbors, and makes the LLDP information available via the CLI, REST API, and SNMP.
You need to enable device-identification at the interface level, and then lldp-reception can be enabled on
three levels: globally, per VDOM, or per interface.

To configure device identification on an interface:

config system interface
    edit <port>
        set device-identification enable
    next
end

To configure LLDP reception globally:

config system global
    set lldp-reception enable
end


To configure LLDP reception per VDOM:

config system setting
    set lldp-reception enable
end

To configure LLDP reception per interface:

config system interface
    edit <port>
        set lldp-reception enable
    next
end

To view the LLDP information in the GUI:

1. Go to Dashboard > Users & Devices.
2. Expand the Device Inventory widget to full screen.

To view the received LLDP information in the CLI:

# diagnose user device list
hosts
vd root/0 44:0a:a0:0a:0a:0a gen 3 req S/2
created 10290s gen 1 seen 0s port3 gen 1
ip 172.22.22.22 src lldp
type 20 'Other Network Device' src lldp id 155 gen 2
os 'Artist EOS ' version '4.20.4' src lldp id 155
host 'artist' src lldp

To view additional information about LLDP neighbors and ports:

# diagnose lldprx neighbor {summary | details | clear}

# diagnose lldprx port {details | summary | neighbor | filter}

# diagnose lldprx port neighbor {summary | details}

Note that the port index in the output corresponds to the port index from the following command:
# diagnose netlink interface list port2 port3 | grep index
if=port2 family=00 type=1 index=4 mtu=1500 link=0 master=0
if=port3 family=00 type=1 index=5 mtu=1500 link=0 master=0


To view the received LLDP information in the REST API:

{
"http_method":"GET",
"results":[
{
"mac":"90:9c:9c:c9:c9:90",
"chassis_id":"90:9C:9C:C9:C9:90",
"port":19,
"port_id":"port12",
"port_desc":"port12",
"system_name":"S124DN3W00000000",
"system_desc":"FortiSwitch-124D v3.6.6,build0416,180515 (GA)",
"ttl":120,
"addresses":[
{
"type":"ipv4",
"address":"192.168.1.99"
}
]
}
],
"vdom":"root",
"path":"network",
"name":"lldp",
"action":"neighbors",
"status":"success",
"serial":"FG201E4Q00000000",
"version":"v6.2.0",
"build":866
}

{
"http_method":"GET",
"results":[
{
"name":"port1",
"rx":320,
"neighbors":1
}
],
"vdom":"root",
"path":"network",
"name":"lldp",
"action":"ports",
"mkey":"port1",
"status":"success",
"serial":"FG201E4Q00000000",
"version":"v6.2.0",
"build":866
}
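Because LLDP reception makes the neighbor table available over the REST API, it can feed a simple check that the device on each port is the one you expect (a rogue switch or an unmanaged device plugged into an access port shows up as a new chassis ID). The following is an added example written for this page, not FortiOS code: it parses the neighbors response body shown above and the diagnose netlink output shown earlier, both embedded as constructed strings so it runs offline, and compares each neighbor with a constructed allowlist keyed by local port index. No HTTP call or endpoint URL is made or assumed; only the response body is used.

```python
"""Auditing LLDP neighbors reported by the FortiGate REST API against an
allowlist. Added example, not FortiOS code. The response body is the one
shown above, embedded as a constructed string so the code runs offline; no
HTTP call or endpoint URL is assumed. The second input is the
'diagnose netlink interface list' output above, used to turn the numeric port
index into an interface name. The allowlist is constructed for the example.
"""
import json
from typing import Dict, List, Set

LLDP_NEIGHBORS_RESPONSE = """
{"http_method":"GET","results":[{"mac":"90:9c:9c:c9:c9:90","chassis_id":"90:9C:9C:C9:C9:90",
"port":19,"port_id":"port12","port_desc":"port12","system_name":"S124DN3W00000000",
"system_desc":"FortiSwitch-124D v3.6.6,build0416,180515 (GA)","ttl":120,
"addresses":[{"type":"ipv4","address":"192.168.1.99"}]}],
"vdom":"root","path":"network","name":"lldp","action":"neighbors","status":"success"}
"""

NETLINK_OUTPUT = """\
if=port2 family=00 type=1 index=4 mtu=1500 link=0 master=0
if=port3 family=00 type=1 index=5 mtu=1500 link=0 master=0
"""

# Constructed allowlist: local port index -> chassis IDs allowed to appear there.
EXPECTED: Dict[int, Set[str]] = {19: {"90:9c:9c:c9:c9:90"}}


def parse_netlink_index(text: str) -> Dict[int, str]:
    """Map kernel interface index -> name from the diagnose netlink output."""
    table: Dict[int, str] = {}
    for line in text.splitlines():
        fields = dict(f.split("=", 1) for f in line.split() if "=" in f)
        if "if" in fields and "index" in fields:
            table[int(fields["index"])] = fields["if"]
    return table


def audit_neighbors(response_text: str, expected: Dict[int, Set[str]],
                    ifnames: Dict[int, str]) -> Dict[str, List[dict]]:
    """Sort neighbors into 'expected', 'unexpected' (a different chassis on a
    port that has an allowlist) and 'unknown_port' (LLDP seen on a port with
    no allowlist at all); both of the latter deserve a look."""
    data = json.loads(response_text)
    if data.get("status") != "success":
        raise ValueError("API call failed: %r" % data.get("status"))
    report: Dict[str, List[dict]] = {"expected": [], "unexpected": [], "unknown_port": []}
    for n in data["results"]:
        entry = {
            "port": ifnames.get(n["port"], "index%d" % n["port"]),
            "chassis_id": n["chassis_id"].upper(),
            "system_name": n.get("system_name", ""),
            "addresses": [a["address"] for a in n.get("addresses", [])],
        }
        allowed = expected.get(n["port"])
        if allowed is None:
            report["unknown_port"].append(entry)
        elif entry["chassis_id"] in {c.upper() for c in allowed}:
            report["expected"].append(entry)
        else:
            report["unexpected"].append(entry)
    return report


if __name__ == "__main__":
    names = parse_netlink_index(NETLINK_OUTPUT)
    print(json.dumps(audit_neighbors(LLDP_NEIGHBORS_RESPONSE, EXPECTED, names), indent=2))
```

Chassis IDs are compared case-insensitively because the API reports the MAC in lower case and the chassis ID in upper case. The sample netlink output only covers port2 and port3, so port index 19 falls back to a generic label; in practice run the diagnose command for every port that has LLDP reception enabled.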


Virtual routing and forwarding

Virtual Routing and Forwarding (VRF) is used to divide the FortiGate's routing functionality (layer 3), including interfaces,
routes, and forwarding tables, into separate units. Packets are only forwarded between interfaces that have the same
VRF.
VDOMs divide the FortiGate into two or more complete and independent virtual units that include all FortiGate functions.
VDOMs can be used for routing segmentation, but that should not be the only reason to implement them when a less
complex solution (VRFs) can be used. VDOMs also support administration boundaries, but VRFs do not.
Up to 64 VRFs can be configured per VDOM for devices that support 200 VDOMs, but only ten VDOMs can be
configured by default on a FortiGate (more VDOMs can be configured on larger devices with additional licenses).
l Implementing VRF on page 434
l VRF routing support on page 435
l Route leaking between VRFs with BGP on page 440
l Route leaking between multiple VRFs on page 442
l VRF with IPv6 on page 452
l IBGP and EBGP support in VRF on page 456
l Support cross-VRF local-in and local-out traffic for local services on page 458

Implementing VRF

VRFs are always enabled and, by default, all routing is done in VRF 0. To use additional VRFs, assign a VRF ID to an
interface. All routes relating to that interface are isolated to that VRF specific routing table. Interfaces in one VRF cannot
reach interfaces in a different VRF.
If some traffic does have to pass between VRFs, route leaking can be used. See Route leaking between VRFs with BGP
on page 440.

Enable Advanced Routing in System > Feature Visibility to configure VRFs.

To configure a VRF ID on an interface in the GUI:

1. Go to Network > Interfaces and click Create New > Interface.
2. Enter a value in the VRF ID field.
3. Configure the other settings as needed.
4. Click OK.
5. To add the VRF column in the interface table, click the gear icon, select VRF, and click Apply.

To configure a VRF ID on an interface in the CLI:

config system interface
    edit interface42
        ...
        set vrf 14
    next
end

VRF routing support

VRF supports static routing, OSPF, and BGP. Other routing protocols require using VDOMs.


BGP

In this example, BGP routes learned from each neighbor are placed in the VRF of the interface through which that
neighbor is reached. The hub is configured with two neighbors connected to two interfaces. The branches are configured
to match the hub, with the branch networks redistributed into BGP.
Policies must be created on the hub and branches to allow traffic between them.

To configure the hub:

config router bgp
    set as 65000
    config neighbor
        edit "10.101.101.2"
            set soft-reconfiguration enable
            set interface "port2"
            set remote-as 65101
            set update-source "port2"
        next
        edit "10.102.102.2"
            set soft-reconfiguration enable
            set interface "port3"
            set remote-as 65102
            set update-source "port3"
        next
    end
end

To configure branch 101:

config router bgp
    set as 65101
    config neighbor
        edit "10.101.101.1"
            set soft-reconfiguration enable
            set interface "port2"
            set remote-as 65000
            set update-source "port2"
        next
    end
    config redistribute connected
        set status enable
    end
end

To configure branch 102:

config router bgp
    set as 65102
    config neighbor
        edit "10.102.102.1"
            set soft-reconfiguration enable
            set interface "port2"
            set remote-as 65000
            set update-source "port2"
        next
    end
    config redistribute connected
        set status enable
    end
end

To verify the BGP neighbors and check the routing table on the hub:

# get router info bgp summary
BGP router identifier 192.168.0.1, local AS number 65000
BGP table version is 2
2 BGP AS-PATH entries
0 BGP community entries

Neighbor V AS MsgRcvd MsgSent TblVer InQ OutQ Up/Down State/Pf
10.101.101.2 4 65101 4 4 2 0 0
10.102.102.2 4 65102 3 3 1 0 0

Total number of neighbors 2

# get router info routing-table all
Routing table for VRF=0
Codes (…)
S* 0.0.0.0/0 [10/0] via 192.168.0.254, port1
C 10.101.101.0/24 is directly connected, port2
C 10.102.102.0/24 is directly connected, port3
C 192.168.0.0/24 is directly connected, port1
B 192.168.101.0/24 [20/0] via 10.101.101.2, port2, 00:01:25
B 192.168.102.0/24 [20/0] via 10.102.102.2, port3, 00:00:50

To configure VRF on the hub:

1. Put the interfaces into VRF:

config system interface
    edit port2
        set vrf 10
    next
    edit port3
        set vrf 20
    next
end

2. Restart the router to reconstruct the routing tables:


# execute router restart

3. Check the routing tables:


# get router info routing-table all
Routing table for VRF=0
Codes (…)
S* 0.0.0.0/0 [10/0] via 192.168.0.254, port1
C 192.168.0.0/24 is directly connected, port1

Routing table for VRF=10
C 10.101.101.0/24 is directly connected, port2
B 192.168.101.0/24 [20/0] via 10.101.101.2, port2, 00:02:25

Routing table for VRF=20
C 10.102.102.0/24 is directly connected, port3
B 192.168.102.0/24 [20/0] via 10.102.102.2, port3, 00:01:50

4. Check the BGP summary:


# get router info bgp summary
VRF 10 BGP router identifier 10.101.101.1, local AS number 65000
BGP table version is 1
2 BGP AS-PATH entries
0 BGP community entries

Neighbor V AS MsgRcvd MsgSent TblVer InQ OutQ Up/Down State
10.101.101.2 4 65101 4 4 2 0 0

Total number of neighbors 1

VRF 20 BGP router identifier 10.102.102.1, local AS number 65000
BGP table version is 1
2 BGP AS-PATH entries
0 BGP community entries

Neighbor V AS MsgRcvd MsgSent TblVer InQ OutQ Up/Down State
10.102.102.2 4 65102 3 3 1 0 0

Total number of neighbors 1

OSPF

OSPF routes in VRFs work the same as BGP: the interface that OSPF is using is added to the VRF.

To configure the hub:

1. Configure OSPF:
config router ospf
    set router-id 1.1.1.1
    config area
        edit 0.0.0.0
        next
    end
    config ospf-interface
        edit Branch101
            set interface "port2"
            set dead-interval 40
            set hello-interval 10
        next
        edit Branch102
            set interface "port3"
            set dead-interval 40
            set hello-interval 10
        next
    end
    config network
        edit 0
            set prefix 10.101.101.0 255.255.255.0
        next
        edit 0
            set prefix 10.102.102.0 255.255.255.0
        next
        edit 0
            set prefix 192.168.1.0 255.255.255.0
        next
    end
end

2. Put the interfaces into VRF:


config system interface
    edit port2
        set vrf 10
    next
    edit port3
        set vrf 20
    next
end

To configure branch 101:

config router ospf
    set router-id 101.101.101.101
    config area
        edit 0.0.0.0
        next
    end
    config ospf-interface
        edit HUB
            set interface port2
            set dead-interval 40
            set hello-interval 10
        next
    end
    config network
        edit 0
            set prefix 10.101.101.0 255.255.255.0
        next
        edit 0
            set prefix 192.168.101.0 255.255.255.0
        next
    end
end

To check the routing table and OSPF summary:

# get router info routing-table ospf

# get router info ospf interface


Route leaking between VRFs with BGP

Route leaking allows you to configure communication between VRFs. If route leaking is not configured, then the VRFs
are isolated. This example shows route leaking with BGP using virtual inter-VDOM links.
In this example, a hub FortiGate forms BGP neighbors with two branches. It learns the networks 192.168.101.0/24 and
192.168.102.0/24 from the neighbors and separates them into VRF 10 and VRF 20.
To leak the learned routes to each other, an inter-VDOM link (IVL) is formed. An IVL normally bridges two VDOMs, but in
this case both ends of the link reside in the same VDOM and are used to bridge the two VRFs. NPU links could also be
used on models that support them, for better performance.
VRF 10 has a leaked route to 192.168.102.0/24 through IVL link-10-20-0, and VRF 20 has a leaked route to
192.168.101.0/24 through IVL link-10-20-1.

To configure route leaking:

1. Configure inter-VDOM links:


config global
    config system vdom-link
        edit link-10-20-
        next
    end
    config system interface
        edit link-10-20-0
            set vdom "root"
            set vrf 10
            set ip 10.1.1.1/30
        next
        edit link-10-20-1
            set vdom "root"
            set vrf 20
            set ip 10.1.1.2/30
        next
    end
end

2. Create prefix lists:


These objects define the subnet and mask that are leaked.
config router prefix-list
    edit VRF10_Route
        config rule
            edit 1
                set prefix 192.168.101.0 255.255.255.0
            next
        end
    next
    edit VRF20_Route
        config rule
            edit 1
                set prefix 192.168.102.0 255.255.255.0
            next
        end
    next
end

3. Create the route map:


The route map can be used to group one or more prefix lists.
config router route-map
    edit "Leak_from_VRF10_to_VRF20"
        config rule
            edit 1
                set match-ip-address "VRF10_Route"
            next
        end
    next
    edit "Leak_from_VRF20_to_VRF10"
        config rule
            edit 1
                set match-ip-address "VRF20_Route"
            next
        end
    next
end

4. Configure the VRF leak in BGP, specifying a source VRF, destination VRF, and the route map to use:
config router bgp
    config vrf
        edit "10"
            config leak-target
                edit "20"
                    set route-map "Leak_from_VRF10_to_VRF20"
                    set interface "link-10-20-0"
                next
            end
        next
        edit "20"
            config leak-target
                edit "10"
                    set route-map "Leak_from_VRF20_to_VRF10"
                    set interface "link-10-20-1"
                next
            end
        next
    end
end

5. Create policies to allow traffic between the VRFs.


Without a policy permitting traffic on the route between the VRFs, the VRFs are still isolated.
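The five steps above produce two routing tables that are isolated until exactly the prefixes named in the prefix lists are copied across, each with the IVL as its egress interface and the far end of the link as next hop. The following is an added example written for this page, not FortiOS code: it models the hub tables from the VRF=10 and VRF=20 output earlier and the two leak-target entries, so you can see what a lookup returns before and after the leak. It assumes longest-prefix match within a single VRF, exact prefix matching for the one-rule lists above, and that nothing crosses VRFs without a leaked route; the destination addresses looked up are constructed.

```python
"""Per-VRF routing tables with selective route leaking through a prefix list.
Added example that models the configuration above; not FortiOS code.
Assumptions: a lookup is a longest-prefix match inside a single VRF; a leak
copies every route the prefix list permits (exact prefix match, as in the
one-rule lists above) into the target VRF with the inter-VDOM link as the
egress interface and the far end of that link as next hop; nothing crosses
VRFs without such a leaked route.
"""
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple

Route = Tuple[str, str, str]            # (prefix, next hop, interface)


class VrfRib:
    def __init__(self) -> None:
        self.tables: Dict[int, List[Route]] = {}

    def add(self, vrf: int, prefix: str, nexthop: str, iface: str) -> None:
        self.tables.setdefault(vrf, []).append((prefix, nexthop, iface))

    def lookup(self, vrf: int, dst: str) -> Optional[Route]:
        """Longest-prefix match within one VRF; None means unreachable there."""
        addr = ip_address(dst)
        best: Optional[Route] = None
        for route in self.tables.get(vrf, []):
            net = ip_network(route[0])
            if addr in net and (best is None or net.prefixlen > ip_network(best[0]).prefixlen):
                best = route
        return best

    def leak(self, src_vrf: int, dst_vrf: int, prefix_list: List[str],
             via_iface: str, via_nexthop: str) -> List[Route]:
        """Copy the permitted prefixes of src_vrf into dst_vrf via the IVL."""
        leaked: List[Route] = []
        for prefix, _nexthop, _iface in self.tables.get(src_vrf, []):
            if prefix in prefix_list:
                route = (prefix, via_nexthop, via_iface)
                self.tables.setdefault(dst_vrf, []).append(route)
                leaked.append(route)
        return leaked


def build_hub() -> VrfRib:
    """Hub tables as in the VRF=10 / VRF=20 output above, before any leak."""
    rib = VrfRib()
    rib.add(10, "10.101.101.0/24", "0.0.0.0", "port2")
    rib.add(10, "192.168.101.0/24", "10.101.101.2", "port2")
    rib.add(20, "10.102.102.0/24", "0.0.0.0", "port3")
    rib.add(20, "192.168.102.0/24", "10.102.102.2", "port3")
    return rib


def leak_both_ways(rib: VrfRib) -> None:
    """The two leak-target entries: link-10-20-0 (10.1.1.1) sits in VRF 10,
    link-10-20-1 (10.1.1.2) in VRF 20, so each VRF's next hop is the far end."""
    rib.leak(20, 10, ["192.168.102.0/24"], "link-10-20-0", "10.1.1.2")
    rib.leak(10, 20, ["192.168.101.0/24"], "link-10-20-1", "10.1.1.1")


if __name__ == "__main__":
    rib = build_hub()
    print(rib.lookup(10, "192.168.102.5"))    # None: VRFs are isolated
    leak_both_ways(rib)
    print(rib.lookup(10, "192.168.102.5"))    # ('192.168.102.0/24', '10.1.1.2', 'link-10-20-0')
    print(rib.lookup(10, "10.102.102.1"))     # None: only the listed prefix leaked
```

The last lookup is the point of using a prefix list rather than leaking everything: the transit subnet 10.102.102.0/24 stays invisible to VRF 10, so a host in branch 101 still cannot reach the hub's port3 address even though the branch 102 LAN is now routable.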


Route leaking between multiple VRFs

In this example, route leaking between three VRFs in a star topology is configured. This allows the solution to scale to
more VRFs without building full-mesh, one-to-one connections between each pair of VRFs. VLAN subinterfaces are
created on VDOM links to connect each VRF to the central VRF, so routes are leaked from a VRF to the central VRF and
then on to the other VRFs. Static routes are used for route leaking in this example.
For instructions on route leaking between two VRFs, see Route leaking between VRFs with BGP on page 440.

Physical topology:

Logical topology:


In this example, a specific route is leaked from each of the VRFs to each of the other VRFs. VLAN subinterfaces are
created based on VDOM links to connect each VRF to the core VRF router.
Multi VDOM mode is enabled so that NP VDOM links can be used. The setup could be configured without enabling multi
VDOM mode by manually creating non-NP VDOM links, but this is not recommended because those links are not offloaded
to the NPU.
After VDOMs are enabled, all of the configuration is done in the root VDOM.

To configure the FortiGate:

1. Enable multi VDOM mode:


config system global
set vdom-mode multi-vdom
end

If the FortiGate has an NP, the NP VDOM links are created automatically:


# show system interface
config system interface
...
edit "npu0_vlink0"
set vdom "root"
set type physical
next
edit "npu0_vlink1"
set vdom "root"
set type physical
next
...
end

If multi VDOM mode is not used, the VDOM links can be manually created:
config system vdom-link
edit <name of vdlink>
next
end

2. Allow interface subnets to use overlapping IP addresses:


config vdom
edit root
config system settings
set allow-subnet-overlap enable
end
next
end

3. Configure the VLAN subinterfaces on the VDOM links that interconnect the VRFs:


config system interface
edit "vlink0_Vlan_10"
set vdom "root"
set vrf 10
set ip 10.1.1.1 255.255.255.252
set allowaccess ping https ssh http
set alias "vlink0_Vlan_10"
set role lan
set interface "npu0_vlink0"

set vlanid 10
next
edit "vlink1_Vlan_10"
set vdom "root"
set vrf 31
set ip 10.1.1.2 255.255.255.252
set allowaccess ping https ssh http
set alias "vlink1_Vlan_10"
set role lan
set interface "npu0_vlink1"
set vlanid 10
next
edit "vlink0_Vlan_11"
set vdom "root"
set vrf 11
set ip 11.1.1.1 255.255.255.252
set allowaccess ping https ssh http
set alias "vlink0_Vlan_11"
set role lan
set interface "npu0_vlink0"
set vlanid 11
next
edit "vlink1_Vlan_11"
set vdom "root"
set vrf 31
set ip 11.1.1.2 255.255.255.252
set allowaccess ping https ssh http
set alias "vlink1_Vlan_11"
set role lan
set interface "npu0_vlink1"
set vlanid 11
next
edit "vlink0_Vlan_12"
set vdom "root"
set vrf 12
set ip 12.1.1.1 255.255.255.252
set allowaccess ping https ssh http
set alias "vlink0_Vlan_12"
set role lan
set interface "npu0_vlink0"
set vlanid 12
next
edit "vlink1_Vlan_12"
set vdom "root"
set vrf 31
set ip 12.1.1.2 255.255.255.252
set allowaccess ping https ssh http
set alias "vlink1_Vlan_12"
set role lan
set interface "npu0_vlink1"
set vlanid 12
next
end

4. Configure a zone to allow intrazone traffic between VLANs in the central VRF:

config system zone
edit "Core-VRF-Router"
set intrazone allow
set interface "vlink1_Vlan_10" "vlink1_Vlan_11" "vlink1_Vlan_12"
next
end

5. Add allow policies for the VRF31 core router:


config firewall policy
edit 0
set name "any_to_core_vrf31"
set srcintf "any"
set dstintf "Core-VRF-Router"
set srcaddr "all"
set dstaddr "all"
set action accept
set schedule "always"
set service "ALL"
set logtraffic all
next
edit 0
set name "core_vrf31_to_any"
set srcintf "Core-VRF-Router"
set dstintf "any"
set srcaddr "all"
set dstaddr "all"
set action accept
set schedule "always"
set service "ALL"
set logtraffic all
next
end

6. Configure VRF10, VRF11, and VRF12 on the internal and WAN VLAN subinterfaces:
config system interface
edit "Internal_VRF10"
set vdom "root"
set vrf 10
set ip 172.16.10.1 255.255.255.0
set allowaccess ping https ssh http
set alias "Internal_VRF10"
set role lan
set interface "internal"
set vlanid 10
next
edit "Internal_VRF11"
set vdom "root"
set vrf 11
set ip 172.16.11.1 255.255.255.0
set allowaccess ping https ssh http
set alias "Internal_VRF11"
set role lan
set interface "internal"
set vlanid 11
next

edit "Internal_VRF12"
set vdom "root"
set vrf 12
set ip 172.16.12.1 255.255.255.0
set allowaccess ping https ssh http
set alias "Internal_VRF12"
set role lan
set interface "internal"
set vlanid 12
next
edit "wan1_VRF10"
set vdom "root"
set vrf 10
set ip 202.100.10.1 255.255.255.0
set allowaccess ping
set alias "wan1_VRF10"
set role wan
set interface "wan1"
set vlanid 10
next
edit "wan1_VRF11"
set vdom "root"
set vrf 11
set ip 202.100.11.1 255.255.255.0
set allowaccess ping
set alias "wan1_VRF11"
set role wan
set interface "wan1"
set vlanid 11
next
edit "wan1_VRF12"
set vdom "root"
set vrf 12
set ip 202.100.12.1 255.255.255.0
set allowaccess ping
set alias "wan1_VRF12"
set role wan
set interface "wan1"
set vlanid 12
next
end

7. Configure static routing and route leaking between each VRF and Core-VRF-Router:
config router static
edit 1
set dst 172.16.10.0 255.255.255.0
set gateway 10.1.1.1
set device "vlink1_Vlan_10"
set comment "VRF31_Core_Router"
next
edit 2
set dst 172.16.11.0 255.255.255.0
set gateway 11.1.1.1
set device "vlink1_Vlan_11"
set comment "VRF31_Core_Router"

next
edit 3
set dst 172.16.12.0 255.255.255.0
set gateway 12.1.1.1
set device "vlink1_Vlan_12"
set comment "VRF31_Core_Router"
next
edit 4
set dst 172.16.11.0 255.255.255.0
set gateway 10.1.1.2
set device "vlink0_Vlan_10"
set comment "VRF10_Route_Leaking"
next
edit 5
set dst 172.16.12.0 255.255.255.0
set gateway 10.1.1.2
set device "vlink0_Vlan_10"
set comment "VRF10_Route_Leaking"
next
edit 6
set dst 172.16.10.0 255.255.255.0
set gateway 11.1.1.2
set device "vlink0_Vlan_11"
set comment "VRF11_Route_Leaking"
next
edit 7
set dst 172.16.12.0 255.255.255.0
set gateway 11.1.1.2
set device "vlink0_Vlan_11"
set comment "VRF11_Route_Leaking"
next
edit 8
set dst 172.16.10.0 255.255.255.0
set gateway 12.1.1.2
set device "vlink0_Vlan_12"
set comment "VRF12_Route_Leaking"
next
edit 9
set dst 172.16.11.0 255.255.255.0
set gateway 12.1.1.2
set device "vlink0_Vlan_12"
set comment "VRF12_Route_Leaking"
next
edit 10
set gateway 202.100.10.254
set device "wan1_VRF10"
set comment "VRF10_Default_Route"
next
edit 11
set gateway 202.100.11.254
set device "wan1_VRF11"
set comment "VRF11_Default_Route"
next
edit 12
set gateway 202.100.12.254

set device "wan1_VRF12"
set comment "VRF12_Default_Route"
next
end

In the GUI, go to Network > Static Routes to view the static routes:

8. Configure firewall policies for VRF10, VRF11, and VRF12:


config firewall policy
edit 6
set name "VRF10_to_Internet_Policy"
set srcintf "Internal_VRF10"
set dstintf "wan1_VRF10"
set srcaddr "all"
set dstaddr "all"
set action accept
set schedule "always"
set service "ALL"
set logtraffic all
set nat enable
next
edit 7
set name "VRF10_to_VRF_Leaking_Route"
set srcintf "Internal_VRF10"
set dstintf "vlink0_Vlan_10"
set srcaddr "all"
set dstaddr "all"
set action accept
set schedule "always"
set service "ALL"
set logtraffic all
next
edit 8
set name "VRF_Leaking_Route_to_VRF10"
set srcintf "vlink0_Vlan_10"
set dstintf "Internal_VRF10"
set srcaddr "all"
set dstaddr "all"
set action accept
set schedule "always"
set service "ALL"
set logtraffic all

next
edit 9
set name "VRF11_to_Internet_Policy"
set srcintf "Internal_VRF11"
set dstintf "wan1_VRF11"
set srcaddr "all"
set dstaddr "all"
set action accept
set schedule "always"
set service "ALL"
set logtraffic all
set nat enable
next
edit 10
set name "VRF11_to_VRF_Leaking_Route"
set srcintf "Internal_VRF11"
set dstintf "vlink0_Vlan_11"
set srcaddr "all"
set dstaddr "all"
set action accept
set schedule "always"
set service "ALL"
set logtraffic all
next
edit 11
set name "VRF_Leaking_Route_to_VRF11"
set srcintf "vlink0_Vlan_11"
set dstintf "Internal_VRF11"
set srcaddr "all"
set dstaddr "all"
set action accept
set schedule "always"
set service "ALL"
set logtraffic all
next
edit 12
set name "VRF12_to_Internet_Policy"
set srcintf "Internal_VRF12"
set dstintf "wan1_VRF12"
set srcaddr "all"
set dstaddr "all"
set action accept
set schedule "always"
set service "ALL"
set logtraffic all
set nat enable
next
edit 13
set name "VRF12_to_VRF_Leaking_Route"
set uuid 92bccf8e-b27b-51eb-3c56-6d5259af6299
set srcintf "Internal_VRF12"
set dstintf "vlink0_Vlan_12"
set srcaddr "all"
set dstaddr "all"
set action accept

set schedule "always"
set service "ALL"
set logtraffic all
next
edit 14
set name "VRF_Leaking_Route_to_VRF12"
set srcintf "vlink0_Vlan_12"
set dstintf "Internal_VRF12"
set srcaddr "all"
set dstaddr "all"
set action accept
set schedule "always"
set service "ALL"
set logtraffic all
next
end

In the GUI, go to Policy & Objects > Firewall Policy to view the policies.

To check the results:

1. On the FortiGate, check the routing table to see each VRF:


# get router info routing-table all
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
* - candidate default

Routing table for VRF=0
C 10.6.30.0/24 is directly connected, mgmt

Routing table for VRF=10
S* 0.0.0.0/0 [10/0] via 202.100.10.254, wan1_VRF10
C 10.1.1.0/30 is directly connected, vlink0_Vlan_10
C 172.16.10.0/24 is directly connected, Internal_VRF10
S 172.16.11.0/24 [10/0] via 10.1.1.2, vlink0_Vlan_10
S 172.16.12.0/24 [10/0] via 10.1.1.2, vlink0_Vlan_10
C 202.100.10.0/24 is directly connected, wan1_VRF10

Routing table for VRF=11
S* 0.0.0.0/0 [10/0] via 202.100.11.254, wan1_VRF11
C 11.1.1.0/30 is directly connected, vlink0_Vlan_11
S 172.16.10.0/24 [10/0] via 11.1.1.2, vlink0_Vlan_11
C 172.16.11.0/24 is directly connected, Internal_VRF11
S 172.16.12.0/24 [10/0] via 11.1.1.2, vlink0_Vlan_11
C 202.100.11.0/24 is directly connected, wan1_VRF11

Routing table for VRF=12
S* 0.0.0.0/0 [10/0] via 202.100.12.254, wan1_VRF12
C 12.1.1.0/30 is directly connected, vlink0_Vlan_12
S 172.16.10.0/24 [10/0] via 12.1.1.2, vlink0_Vlan_12
S 172.16.11.0/24 [10/0] via 12.1.1.2, vlink0_Vlan_12
C 172.16.12.0/24 is directly connected, Internal_VRF12

C 202.100.12.0/24 is directly connected, wan1_VRF12

Routing table for VRF=31
C 10.1.1.0/30 is directly connected, vlink1_Vlan_10
C 11.1.1.0/30 is directly connected, vlink1_Vlan_11
C 12.1.1.0/30 is directly connected, vlink1_Vlan_12
S 172.16.10.0/24 [10/0] via 10.1.1.1, vlink1_Vlan_10
S 172.16.11.0/24 [10/0] via 11.1.1.1, vlink1_Vlan_11
S 172.16.12.0/24 [10/0] via 12.1.1.1, vlink1_Vlan_12

2. From the FW10-PC:


# ifconfig ens32
ens32: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 172.16.10.100 netmask 255.255.255.0 broadcast 172.16.10.255
inet6 fe80::dbed:c7fe:170e:e61c prefixlen 64 scopeid 0x20<link>
ether 00:0c:29:2a:3a:17 txqueuelen 1000 (Ethernet)
RX packets 1632 bytes 160001 (156.2 KiB)
RX errors 0 dropped 52 overruns 0 frame 0
TX packets 2141 bytes 208103 (203.2 KiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0

# route -n
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
0.0.0.0 172.16.10.1 0.0.0.0 UG 100 0 0 ens32
172.16.10.0 0.0.0.0 255.255.255.0 U 100 0 0 ens32
192.168.122.0 0.0.0.0 255.255.255.0 U 0 0 0 virbr0

a. Ping a public IP address through VRF10:


# ping 8.8.8.8
PING 8.8.8.8 (8.8.8.8) 56(84) bytes of data.
64 bytes from 8.8.8.8: icmp_seq=1 ttl=113 time=4.33 ms
64 bytes from 8.8.8.8: icmp_seq=2 ttl=113 time=4.17 ms
64 bytes from 8.8.8.8: icmp_seq=3 ttl=113 time=4.04 ms
^C
--- 8.8.8.8 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2002ms
rtt min/avg/max/mdev = 4.049/4.188/4.336/0.117 ms

b. Ping the internet gateway through VRF10:


# ping 202.100.10.254
PING 202.100.10.254 (202.100.10.254) 56(84) bytes of data.
64 bytes from 202.100.10.254: icmp_seq=1 ttl=254 time=0.294 ms
64 bytes from 202.100.10.254: icmp_seq=2 ttl=254 time=0.225 ms
64 bytes from 202.100.10.254: icmp_seq=3 ttl=254 time=0.197 ms
^C
--- 202.100.10.254 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2000ms
rtt min/avg/max/mdev = 0.197/0.238/0.294/0.044 ms

c. Ping the FW11-PC on VRF11 from VRF10:


# ping 172.16.11.100
PING 172.16.11.100 (172.16.11.100) 56(84) bytes of data.
64 bytes from 172.16.11.100: icmp_seq=1 ttl=61 time=0.401 ms
64 bytes from 172.16.11.100: icmp_seq=2 ttl=61 time=0.307 ms

64 bytes from 172.16.11.100: icmp_seq=3 ttl=61 time=0.254 ms
64 bytes from 172.16.11.100: icmp_seq=4 ttl=61 time=0.277 ms
64 bytes from 172.16.11.100: icmp_seq=5 ttl=61 time=0.262 ms
^C
--- 172.16.11.100 ping statistics ---
5 packets transmitted, 5 received, 0% packet loss, time 3999ms
rtt min/avg/max/mdev = 0.254/0.300/0.401/0.054 ms

3. On the FortiGate, sniff traffic between VRF10 and VRF11:


# diagnose sniffer packet any "icmp and host 172.16.11.100" 4 l 0
interfaces=[any]
filters=[icmp and host 172.16.11.100]
10.086656 Internal_VRF10 in 172.16.10.100 -> 172.16.11.100: icmp: echo request
10.086705 vlink0_Vlan_10 out 172.16.10.100 -> 172.16.11.100: icmp: echo request
10.086706 npu0_vlink0 out 172.16.10.100 -> 172.16.11.100: icmp: echo request
10.086711 vlink1_Vlan_10 in 172.16.10.100 -> 172.16.11.100: icmp: echo request
10.086739 vlink1_Vlan_11 out 172.16.10.100 -> 172.16.11.100: icmp: echo request
10.086740 npu0_vlink1 out 172.16.10.100 -> 172.16.11.100: icmp: echo request
10.086744 vlink0_Vlan_11 in 172.16.10.100 -> 172.16.11.100: icmp: echo request
10.086929 Internal_VRF11 out 172.16.10.100 -> 172.16.11.100: icmp: echo request
10.086930 internal out 172.16.10.100 -> 172.16.11.100: icmp: echo request
10.087053 Internal_VRF11 in 172.16.11.100 -> 172.16.10.100: icmp: echo reply
10.087061 vlink0_Vlan_11 out 172.16.11.100 -> 172.16.10.100: icmp: echo reply
10.087062 npu0_vlink0 out 172.16.11.100 -> 172.16.10.100: icmp: echo reply
10.087066 vlink1_Vlan_11 in 172.16.11.100 -> 172.16.10.100: icmp: echo reply
10.087071 vlink1_Vlan_10 out 172.16.11.100 -> 172.16.10.100: icmp: echo reply
10.087072 npu0_vlink1 out 172.16.11.100 -> 172.16.10.100: icmp: echo reply
10.087076 vlink0_Vlan_10 in 172.16.11.100 -> 172.16.10.100: icmp: echo reply
10.087176 Internal_VRF10 out 172.16.11.100 -> 172.16.10.100: icmp: echo reply
10.087177 internal out 172.16.11.100 -> 172.16.10.100: icmp: echo reply
^C
20 packets received by filter
0 packets dropped by kernel
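
The routing tables checked in step 1 can also be audited automatically. The following is an added example written for this guide, not Fortinet's code: it parses the text format of get router info routing-table all and reports any route that appears in a VRF whose leak policy does not permit it. The owner and allow-list dictionaries mirror this example's VRFs; the sample output is constructed from the output above, with one deliberately out-of-place route added to VRF 0.

```python
"""Audit the per-VRF routing tables printed by 'get router info routing-table all'.

Added example, not Fortinet's code: it parses the routing-table text in the
format shown in this guide and checks each VRF table against an explicit list
of permitted leaks, so that a route which reached a VRF it should not be in is
reported. Routes with no known owner (default routes, the /30 transit links)
are ignored. SAMPLE_OUTPUT is constructed from the guide's output, with one
deliberately out-of-place route added to VRF 0 to produce a finding.
"""
import re
from dataclasses import dataclass
from ipaddress import ip_network
from typing import Optional

VRF_HEADER = re.compile(r"^Routing table for VRF=(\d+)")
# Matches "S*  0.0.0.0/0 [10/0] via 202.100.10.254, wan1_VRF10" and
# "C   10.1.1.0/30 is directly connected, vlink0_Vlan_10"; trailing uptime is ignored
ROUTE_LINE = re.compile(
    r"^(?P<code>[A-Za-z]{1,2}\d?\*?)\s+(?P<prefix>\d+(?:\.\d+){3}/\d+)\s+"
    r"(?:\[\d+/\d+\]\s+via\s+(?P<gw>[^,\s]+),\s*(?P<iface>[^,\s]+)"
    r"|is directly connected,\s*(?P<ciface>[^,\s]+))"
)

# Constructed from the guide's output; the VRF=0 route to 172.16.11.0/24 is
# the deliberately wrong one (nothing should leak into the management VRF).
SAMPLE_OUTPUT = """\
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
* - candidate default

Routing table for VRF=0
C       10.6.30.0/24 is directly connected, mgmt
S       172.16.11.0/24 [10/0] via 10.6.30.254, mgmt

Routing table for VRF=10
S*      0.0.0.0/0 [10/0] via 202.100.10.254, wan1_VRF10
C       10.1.1.0/30 is directly connected, vlink0_Vlan_10
C       172.16.10.0/24 is directly connected, Internal_VRF10
S       172.16.11.0/24 [10/0] via 10.1.1.2, vlink0_Vlan_10
S       172.16.12.0/24 [10/0] via 10.1.1.2, vlink0_Vlan_10
C       202.100.10.0/24 is directly connected, wan1_VRF10

Routing table for VRF=31
C       10.1.1.0/30 is directly connected, vlink1_Vlan_10
S       172.16.10.0/24 [10/0] via 10.1.1.1, vlink1_Vlan_10
S       172.16.11.0/24 [10/0] via 11.1.1.1, vlink1_Vlan_11
S       172.16.12.0/24 [10/0] via 12.1.1.1, vlink1_Vlan_12
"""

# Subnets each VRF owns, and the VRFs each VRF is allowed to learn routes from
LOCAL_PREFIXES = {10: {"172.16.10.0/24"}, 11: {"172.16.11.0/24"}, 12: {"172.16.12.0/24"}}
ALLOWED_LEAKS = {10: {11, 12}, 11: {10, 12}, 12: {10, 11}, 31: {10, 11, 12}}


@dataclass(frozen=True)
class Route:
    vrf: int
    code: str
    prefix: str
    gateway: Optional[str]  # None for connected routes
    interface: str


def parse_routing_table(text):
    """Return {vrf_id: [Route, ...]} from the CLI output."""
    tables, vrf = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = VRF_HEADER.match(line)
        if m:
            vrf = int(m.group(1))
            tables.setdefault(vrf, [])
            continue
        m = ROUTE_LINE.match(line)
        if m and vrf is not None:
            tables[vrf].append(Route(vrf, m["code"], m["prefix"], m["gw"],
                                     m["iface"] or m["ciface"]))
    return tables


def owner_of(prefix, local_prefixes):
    """VRF whose subnet contains `prefix` (exact or more specific), or None."""
    net = ip_network(prefix, strict=False)
    for vrf, owned in local_prefixes.items():
        if any(net.subnet_of(ip_network(o)) for o in owned):
            return vrf
    return None


def audit_leaks(tables, local_prefixes, allowed_leaks):
    """Return [(vrf, prefix, owner_vrf)] for every route that sits in a VRF
    whose allow-list does not include the VRF owning that prefix."""
    findings = []
    for vrf, routes in tables.items():
        for r in routes:
            owner = owner_of(r.prefix, local_prefixes)
            if owner is not None and owner != vrf \
                    and owner not in allowed_leaks.get(vrf, set()):
                findings.append((vrf, r.prefix, owner))
    return findings


if __name__ == "__main__":
    for vrf, prefix, owner in audit_leaks(parse_routing_table(SAMPLE_OUTPUT),
                                          LOCAL_PREFIXES, ALLOWED_LEAKS):
        print(f"VRF {vrf} holds {prefix}, owned by VRF {owner}: not a permitted leak")
```

Run it against a fresh capture of the command output whenever the VRF or static-route configuration changes; an empty result means every cross-VRF route is one the allow-list expects.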

VRF with IPv6

IPv6 routes support VRF. Static, connected, OSPF, and BGP routes can be isolated in different VRFs. BGP IPv6 routes
can be leaked from one VRF to another.
config router bgp
config vrf6
edit <origin vrf-id>
config leak-target
edit <target vrf-id>
set route-map <route-map>
set interface <interface>
next
end
next

end
end

The origin or target VRF ID is an integer value from 0 - 31.


config router static6
edit <id>
set vrf <vrf-id>
next
end

Using a VRF leak on BGP

In this example, the route 2000:5:5:5::/64 learned from Router 1 is leaked to VRF 20 through the interface vlan552.
Conversely, the route 2009:3:3:3::/64 learned from Router 2 is leaked to VRF 10 through interface vlan55.

To configure VRF leaking in BGP:

1. Configure the BGP neighbors:


config router bgp
set as 65412
config neighbor
edit "2000:10:100:1::1"
set activate disable
set remote-as 20
set update-source "R150"
next
edit "2000:10:100:1::5"
set activate disable
set soft-reconfiguration enable
set interface "R160"
set remote-as 20
next
end
end

2. Configure the VLAN interfaces:


config system interface
edit "vlan55"
set vdom "root"
set vrf 10
set ip 55.1.1.1 255.255.255.0

set device-identification enable
set role lan
set snmp-index 51
config ipv6
set ip6-address 2000:55::1/64
end
set interface "npu0_vlink0"
set vlanid 55
next
edit "vlan552"
set vdom "root"
set vrf 20
set ip 55.1.1.2 255.255.255.0
set device-identification enable
set role lan
set snmp-index 53
config ipv6
set ip6-address 2000:55::2/64
end
set interface "npu0_vlink1"
set vlanid 55
next
end

3. Configure the IPv6 prefixes:


config router prefix-list6
edit "1"
config rule
edit 1
set prefix6 2000:5:5:5::/64
unset ge
unset le
next
end
next
edit "2"
config rule
edit 1
set prefix6 2009:3:3:3::/64
unset ge
unset le
next
end
next
end

4. Configure the route maps:


config router route-map
edit "from106"
config rule
edit 1
set match-ip6-address "1"
next
end
next

edit "from206"
config rule
edit 1
set match-ip6-address "2"
next
end
next
end

5. Configure the IPv6 route leaking (leak route 2000:5:5:5::/64 learned from Router 1 to VRF 20, then leak route
2009:3:3:3::/64 learned from Router 2 to VRF 10):
config router bgp
config vrf6
edit "10"
config leak-target
edit "20"
set route-map "from106"
set interface "vlan55"
next
end
next
edit "20"
config leak-target
edit "10"
set route-map "from206"
set interface "vlan552"
next
end
next
end
end

To verify the VRF leaking:

1. Check the routing table before the leak:


# get router info6 routing-table bgp
Routing table for VRF=10
B 2000:5:5:5::/64 [20/0] via fe00::2000:0000:0000:00, R150, 00:19:45

Routing table for VRF=20
B 2008:3:3:3::/64 [20/0] via fe00::3000:0000:0000:00, R160, 00:18:49
B 2009:3:3:3::/64 [20/0] via fe00::3000:0000:0000:00, R160, 00:18:49

2. Check the routing table after the leak:


# get router info6 routing-table bgp
Routing table for VRF=10
B 2000:5:5:5::/64 [20/0] via fe00::2000:0000:0000:0, R150, 00:25:45
B 2009:3:3:3::/64 [20/0] via fe80::10:0000:0000:4245, vlan55, 00:00:17

Routing table for VRF=20
B 2000:5:5:5::/64 [20/0] via fe80::10:0000:0000:4244, vlan552, 00:00:16
B 2008:3:3:3::/64 [20/0] via fe00::3000:0000:0000:00, R160, 00:24:49
B 2009:3:3:3::/64 [20/0] via fe00::3000:0000:0000:00, R160, 00:24:49

Using VRF on a static route

In this example, a VRF is defined on static route 22 so that it will only appear in the VRF 20 routing table.

To configure the VRF on the static route:

config router static6
edit 22
set dst 2010:2:2:2::/64
set blackhole enable
set vrf 20
next
end

IBGP and EBGP support in VRF

Support is included for internal and external border gateway protocols (IBGP and EBGP) in virtual routing and forwarding
(VRF).
FortiGate can establish neighbor connections with other FortiGates or routers, and the learned routes are put into
different VRF tables according to the neighbor's settings.
This example uses the following topology:

l BGP routes learned from the Router1 neighbor are put into vrf10.
l BGP routes learned from the Router2 neighbor are put into vrf20.

To configure this example:

config system interface
edit port1
set vrf 10
next
edit port2
set vrf 20
next
end

config router bgp
config neighbor
edit "192.168.1.1"

set update-source port1
next
edit "192.168.2.1"
set interface port2
next
end
end

Results

Using the above topology:


l Both Router1 and Router2 establish OSPF and BGP neighbor with the FortiGate.
l Router1 advertises 10.10.1.0/24 into OSPF and 10.10.2.0/24 into BGP.
l Router2 advertises 20.20.1.0/24 into OSPF and 20.20.2.0/24 into BGP.
When port1 and port2 have not set VRF, all of the routing is in VRF=0:
# get router info routing-table all
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
* - candidate default

Routing table for VRF=0
S* 0.0.0.0/0 [5/0] via 10.0.1.254, port9
C 10.0.1.0/24 is directly connected, port9
O 10.10.1.0/24 [110/10] via 192.168.1.1, port1, 00:18:31
B 10.10.2.0/24 [20/200] via 192.168.1.1, port1, 00:01:31
O 20.20.1.0/22 [110/10] via 192.168.2.1, port2, 00:19:05
B 20.20.2.0/24 [20/200] via 192.168.2.1, port2, 00:01:31
C 192.168.1.0/24 is directly connected, port1
C 192.168.2.0/24 is directly connected, port2

After VRF is set for BGP, BGP routes are added to the VRF tables along with OSPF and connected routes:
# get router info routing-table all
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
* - candidate default

Routing table for VRF=0
S* 0.0.0.0/0 [5/0] via 10.0.1.254, port9
C 10.0.1.0/24 is directly connected, port9

Routing table for VRF=10
O 10.10.1.0/24 [110/10] via 192.168.1.1, port1, 00:18:31
B 10.10.2.0/24 [20/200] via 192.168.1.1, port1, 00:01:31
C 192.168.1.0/24 is directly connected, port1

Routing table for VRF=20
O 20.20.1.0/22 [110/10] via 192.168.2.1, port2, 00:19:05

B 20.20.2.0/24 [20/200] via 192.168.2.1, port2, 00:01:31
C 192.168.2.0/24 is directly connected, port2

BGP neighbor groups

This feature is also supported in the BGP neighbor groups. For example:
config router bgp
config neighbor-group
edit "FGT"
set update-source "port1"
next
end
config neighbor-range
edit 1
set prefix 172.16.201.0 255.255.255.0
set neighbor-group "FGT"
next
end
end

Note that the set interface command is not supported.

Support cross-VRF local-in and local-out traffic for local services

When local-out traffic such as SD-WAN health checks, SNMP, syslog, and so on is initiated from an interface in one
VRF and then passes through interfaces in another VRF, the reply traffic is forwarded back to the original VRF.

Example

In this example, there is an NPU VDOM link that is configured on the root VDOM. Two VLANs, vrf10 and vrf20, are
created, one on either end of the NPU VDOM link, each belonging to a different VRF.

When pinging from the vrf10 interface in VRF 10 to the destination server 172.16.202.2, since there is a single static
route for VRF 10 with a gateway of vrf20/10.32.70.2, traffic is sent to the next hop and subsequently routed through
port12 to the server.
As seen in the sniffer trace, the ICMP replies are received on port12 in VRF 20, then pass through vrf20, and are
ultimately forwarded back to vrf10 in VRF 10. The traffic flow demonstrates that local-out traffic sourced from one VRF
passing through another VRF can return back to the original VRF.

To configure cross-VRF local-out traffic for local services:

1. Configure the interfaces:


config system interface
edit "vrf10"
set vdom "root"
set vrf 10
set ip 10.32.70.1 255.255.255.0
set allowaccess ping
set device-identification enable
set role lan
set snmp-index 35
set interface "npu0_vlink0"
set vlanid 22
next
edit "vrf20"
set vdom "root"
set vrf 20
set ip 10.32.70.2 255.255.255.0
set allowaccess ping
set device-identification enable
set role lan
set snmp-index 36
set interface "npu0_vlink1"
set vlanid 22
next
edit "port12"
set vdom "root"
set vrf 20
set ip 172.16.202.1 255.255.255.0
set allowaccess ping https ssh snmp http telnet fgfm radius-acct probe-response fabric ftm speed-test
set type physical
set alias "TO_FGT_D_port22"
set snmp-index 14
config ipv6
set ip6-address 2003:172:16:202::1/64
set ip6-allowaccess ping
end
next
end

2. Configure the firewall policy:


config firewall policy
edit 1
set srcintf "vrf20"
set dstintf "port12"
set action accept
set srcaddr "all"
set dstaddr "all"
set srcaddr6 "all"
set dstaddr6 "all"
set schedule "always"
set service "ALL"

next
end

3. Configure the static route:


config router static
edit 2
set gateway 10.32.70.2
set distance 3
set device "vrf10"
next
end

To test the configuration:

1. Execute a ping from the vrf10 interface in VRF 10 to the destination server (172.16.202.2):
# execute ping-options interface vrf10
# execute ping 172.16.202.2
PING 172.16.202.2 (172.16.202.2): 56 data bytes
64 bytes from 172.16.202.2: icmp_seq=0 ttl=254 time=0.1 ms
64 bytes from 172.16.202.2: icmp_seq=1 ttl=254 time=0.0 ms

--- 172.16.202.2 ping statistics ---
2 packets transmitted, 2 packets received, 0% packet loss
round-trip min/avg/max = 0.0/0.0/0.1 ms

2. Run a sniffer trace on 172.16.202.2 for ICMP:


# diagnose sniffer packet any "host 172.16.202.2 and icmp" 4
interfaces=[any]
filters=[host 172.16.202.2 and icmp]
3.393920 vrf10 out 10.32.70.1 -> 172.16.202.2: icmp: echo request
3.393922 npu0_vlink0 out 10.32.70.1 -> 172.16.202.2: icmp: echo request
3.393927 vrf20 in 10.32.70.1 -> 172.16.202.2: icmp: echo request
3.393943 port12 out 10.32.70.1 -> 172.16.202.2: icmp: echo request
3.393977 port12 in 172.16.202.2 -> 10.32.70.1: icmp: echo reply
3.393987 vrf20 out 172.16.202.2 -> 10.32.70.1: icmp: echo reply
3.393988 npu0_vlink1 out 172.16.202.2 -> 10.32.70.1: icmp: echo reply
3.393993 vrf10 in 172.16.202.2 -> 10.32.70.1: icmp: echo reply
4.393941 vrf10 out 10.32.70.1 -> 172.16.202.2: icmp: echo request
4.393942 npu0_vlink0 out 10.32.70.1 -> 172.16.202.2: icmp: echo request
4.393948 vrf20 in 10.32.70.1 -> 172.16.202.2: icmp: echo request
4.393957 port12 out 10.32.70.1 -> 172.16.202.2: icmp: echo request
4.393980 port12 in 172.16.202.2 -> 10.32.70.1: icmp: echo reply
4.393987 vrf20 out 172.16.202.2 -> 10.32.70.1: icmp: echo reply
4.393987 npu0_vlink1 out 172.16.202.2 -> 10.32.70.1: icmp: echo reply
4.393994 vrf10 in 172.16.202.2 -> 10.32.70.1: icmp: echo reply

NetFlow

NetFlow allows you to collect IP network traffic statistics for an interface, and then export those statistics for analysis.
NetFlow samplers, which sample every packet, are configured per interface. Full NetFlow is supported through the
information maintained in the firewall session.

To configure NetFlow:

config system netflow
set collector-ip <ip>
set collector-port <port>
set source-ip <ip>
set active-flow-timeout <integer>
set inactive-flow-timeout <integer>
set template-tx-timeout <integer>
set template-tx-counter <integer>
end

collector-ip <ip>                  Collector IPv4 or IPv6 address.
collector-port <port>              NetFlow collector port number (0 - 65535).
source-ip <ip>                     Source IPv4 or IPv6 address, for communication with the NetFlow agent.
active-flow-timeout <integer>      Timeout to report active flows, in minutes (1 - 60, default = 30).
inactive-flow-timeout <integer>    Timeout for periodic report of finished flows, in seconds (10 - 600, default = 15).
template-tx-timeout <integer>      Timeout for periodic template flowset transmission, in minutes (1 - 1440, default = 30).
template-tx-counter <integer>      Counter of flowset records, before resending a template flowset record (10 - 6000, default = 20).

To configure NetFlow in a specific VDOM:

config vdom
edit <vdom>
config system vdom-netflow
set vdom-netflow enable
set collector-ip <ip>
set collector-port <port>
set source-ip <ip>
end
next
end

To configure a NetFlow sampler on an interface:

config system interface
edit <interface>
set netflow-sampler {disable | tx | rx | both}
next
end

disable   Disable the NetFlow protocol on this interface (default).
tx        Monitor transmitted traffic on this interface.
rx        Monitor received traffic on this interface.
both      Monitor transmitted/received traffic on this interface.

Verification and troubleshooting

If no data is seen on the NetFlow collector after it has been configured, use the following sniffer commands to verify
that the FortiGate and the collector are communicating:
l By collector port:
# diagnose sniffer packet 'port <collector-port>' 6 0 a

l By collector IP address:
# diagnose sniffer packet 'host <collector-ip>' 6 0 a

NetFlow uses the sflow daemon. The current NetFlow configuration can be viewed using test level 3 or 4:
# diagnose test application sflowd 3

# diagnose test application sflowd 4
Netflow Cache Stats:
vdoms=1 Collectors=1 Cached_intf=2 Netflow_enabled_intf=1 Live_sessions=0 Session cache max count:71950

NetFlow templates

NetFlow uses templates to capture and categorize the data that it collects. FortiOS supports the following NetFlow
templates:

Name            Template ID   Description
STAT_OPTIONS    256           Statistics information about exporter
APP_ID_OPTIONS  257           Application information
IPV4            258           No NAT IPv4 traffic
IPV6            259           No NAT IPv6 traffic
ICMP4           260           No NAT ICMPv4 traffic
ICMP6           261           No NAT ICMPv6 traffic
IPV4_NAT        262           Source/Destination NAT IPv4 traffic
IPV4_AF_NAT     263           AF NAT IPv4 traffic (4->6)
IPV6_NAT        264           Source/Destination NAT IPv6 traffic
IPV6_AF_NAT     265           AF NAT IPv6 traffic (6->4)
ICMP4_NAT       266           Source/Destination NAT ICMPv4 traffic
ICMP4_AF_NAT    267           AF NAT ICMPv4 traffic (4->6)
ICMP6_NAT       268           Source/Destination NAT ICMPv6 traffic
ICMPv6_AF_NAT   269           AF NAT ICMPv6 traffic (6->4)

256 - STAT_OPTIONS

Description          Statistics information about exporter
Scope Field Count    1
Data Field Count     7
Option Scope Length  4
Option Length        28
Padding              0000

Scope fields

Field #  Field                             Type                                    Length
1        System                            System (1)                              2

Data fields

Field #  Field                             Type                                    Length
1        TOTAL_BYTES_EXP                   TOTAL_BYTES_EXP (40)                    8
2        TOTAL_PKTS_EXP                    TOTAL_PKTS_EXP (41)                     8
3        TOTAL_FLOWS_EXP                   TOTAL_FLOWS_EXP (42)                    8
4        FLOW_ACTIVE_TIMEOUT               FLOW_ACTIVE_TIMEOUT (36)                2
5        FLOW_INACTIVE_TIMEOUT             FLOW_INACTIVE_TIMEOUT (37)              2
6        SAMPLING_INTERVAL                 SAMPLING_INTERVAL (34)                  4
7        SAMPLING_ALGORITHM                SAMPLING_ALGORITHM (35)                 1

257 - APP_ID_OPTIONS

Description          Application information
Scope Field Count    1
Data Field Count     4
Option Scope Length  4
Option Length        16
Padding              0000

Scope fields

Field #  Field                             Type                                    Length
1        System                            System (1)                              2

Data fields

Field #  Field                             Type                                    Length
1        APPLICATION_ID                    APPLICATION_ID (95)                     9
2        APPLICATION_NAME                  APPLICATION_NAME (96)                   64
3        APPLICATION_DESC                  APPLICATION_DESC (94)                   64
4        applicationCategoryName           applicationCategoryName (372)           32

258 - IPV4

Description          No NAT IPv4 traffic
Data Field Count     17

Data fields

Field #  Field                             Type                                    Length
1        BYTES                             BYTES (1)                               8
2        OUT_BYTES                         OUT_BYTES (23)                          8
3        PKTS                              PKTS (2)                                4
4        OUT_PKTS                          OUT_PKTS (24)                           4
5        FIRST_SWITCHED                    FIRST_SWITCHED (22)                     4
6        LAST_SWITCHED                     LAST_SWITCHED (21)                      4
7        L4_SRC_PORT                       L4_SRC_PORT (7)                         2
8        L4_DST_PORT                       L4_DST_PORT (11)                        2
9        INPUT_SNMP                        INPUT_SNMP (10)                         2
10       OUTPUT_SNMP                       OUTPUT_SNMP (14)                        2
11       PROTOCOL                          PROTOCOL (4)                            1
12       APPLICATION_ID                    APPLICATION_ID (95)                     9
13       FLOW_FLAGS                        FLOW_FLAGS (65)                         2
14       FORWARDING_STATUS                 FORWARDING_STATUS (89)                  1
15       flowEndReason                     flowEndReason (136)                     1
16       IP_SRC_ADDR                       IP_SRC_ADDR (8)                         4
17       IP_DST_ADDR                       IP_DST_ADDR (12)                        4

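As an added example (not Fortinet's code), the following Python builds the STAT_OPTIONS (256) options template and the IPV4 (258) data template from the field lists above in the NetFlow v9 (RFC 3954) wire format, then parses them back with length checks instead of trusting the lengths in the packet. The scope length, option length and padding that the guide lists for template 256 come out of the encoding; the 62-byte data-record length for template 258 is the sum of its field lengths.

```python
"""Encode and decode NetFlow v9 template FlowSets for the FortiOS templates.

Added example, not Fortinet's code: the STAT_OPTIONS (256) options template
and the IPV4 (258) data template are built from the field lists in this
guide using the RFC 3954 wire format, then parsed back with length checks.
The scope length (4), option length (28) and padding (0000) that the guide
lists for template 256 fall out of the encoding.
"""
import struct

# (field type, length) pairs in the order the guide lists them
STAT_OPTIONS_SCOPE = [(1, 2)]  # scope: System (1), 2 bytes
STAT_OPTIONS_FIELDS = [(40, 8), (41, 8), (42, 8), (36, 2), (37, 2), (34, 4), (35, 1)]
IPV4_FIELDS = [(1, 8), (23, 8), (2, 4), (24, 4), (22, 4), (21, 4), (7, 2), (11, 2),
               (10, 2), (14, 2), (4, 1), (95, 9), (65, 2), (89, 1), (136, 1),
               (8, 4), (12, 4)]


def _pairs(fields):
    """Serialize (type, length) pairs as big-endian 16-bit values."""
    return b"".join(struct.pack("!HH", ftype, flen) for ftype, flen in fields)


def _pad4(body):
    """FlowSets are padded with zero bytes to a 4-byte boundary."""
    return body + b"\x00" * (-len(body) % 4)


def encode_template_flowset(template_id, fields):
    """Template FlowSet (FlowSet ID 0): template ID, field count, pairs."""
    body = _pad4(struct.pack("!HH", template_id, len(fields)) + _pairs(fields))
    return struct.pack("!HH", 0, 4 + len(body)) + body


def encode_options_template_flowset(template_id, scope_fields, option_fields):
    """Options Template FlowSet (FlowSet ID 1); both lengths are byte counts."""
    scope, opts = _pairs(scope_fields), _pairs(option_fields)
    body = _pad4(struct.pack("!HHH", template_id, len(scope), len(opts)) + scope + opts)
    return struct.pack("!HH", 1, 4 + len(body)) + body


def _read_pairs(data, offset, count):
    return [struct.unpack_from("!HH", data, offset + 4 * i) for i in range(count)]


def decode_flowset(data):
    """Parse a template or options template FlowSet into a dict, rejecting
    malformed lengths rather than indexing past the buffer on their say-so."""
    if len(data) < 4:
        raise ValueError("truncated FlowSet header")
    fs_id, length = struct.unpack_from("!HH", data, 0)
    if length < 8 or length > len(data) or length % 4:
        raise ValueError(f"bad FlowSet length {length}")
    if fs_id == 0:
        tid, count = struct.unpack_from("!HH", data, 4)
        if 8 + 4 * count > length:
            raise ValueError("field count exceeds FlowSet length")
        fields = _read_pairs(data, 8, count)
        return {"kind": "template", "id": tid, "fields": fields,
                "record_len": sum(flen for _, flen in fields)}
    if fs_id == 1:
        if length < 10:
            raise ValueError("options template header truncated")
        tid, scope_len, opt_len = struct.unpack_from("!HHH", data, 4)
        if scope_len % 4 or opt_len % 4 or 10 + scope_len + opt_len > length:
            raise ValueError("bad options template lengths")
        scope = _read_pairs(data, 10, scope_len // 4)
        opts = _read_pairs(data, 10 + scope_len, opt_len // 4)
        return {"kind": "options", "id": tid, "scope_len": scope_len,
                "option_len": opt_len, "scope": scope, "fields": opts,
                "padding": data[10 + scope_len + opt_len:length].hex()}
    raise ValueError(f"FlowSet ID {fs_id} is a data FlowSet, not a template")


if __name__ == "__main__":
    for fs in (encode_options_template_flowset(256, STAT_OPTIONS_SCOPE, STAT_OPTIONS_FIELDS),
               encode_template_flowset(258, IPV4_FIELDS)):
        print(len(fs), "bytes:", decode_flowset(fs))
```
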
259 - IPV6

Description          No NAT IPv6 traffic
Data Field Count     17

Data fields

Field #  Field                             Type                                    Length
1        BYTES                             BYTES (1)                               8
2        OUT_BYTES                         OUT_BYTES (23)                          8
3        PKTS                              PKTS (2)                                4
4        OUT_PKTS                          OUT_PKTS (24)                           4
5        FIRST_SWITCHED                    FIRST_SWITCHED (22)                     4
6        LAST_SWITCHED                     LAST_SWITCHED (21)                      4
7        L4_SRC_PORT                       L4_SRC_PORT (7)                         2
8        L4_DST_PORT                       L4_DST_PORT (11)                        2
9        INPUT_SNMP                        INPUT_SNMP (10)                         2
10       OUTPUT_SNMP                       OUTPUT_SNMP (14)                        2
11       PROTOCOL                          PROTOCOL (4)                            1
12       APPLICATION_ID                    APPLICATION_ID (95)                     9
13       FLOW_FLAGS                        FLOW_FLAGS (65)                         2
14       FORWARDING_STATUS                 FORWARDING_STATUS (89)                  1
15       flowEndReason                     flowEndReason (136)                     1
16       IPV6_SRC_ADDR                     IPV6_SRC_ADDR (27)                      16
17       IPV6_DST_ADDR                     IPV6_DST_ADDR (28)                      16

260 - ICMP4

Description          No NAT ICMPv4 traffic
Data Field Count     16

Data fields

Field # Field Type Length

1 BYTES BYTES (1) 8

2 OUT_BYTES OUT_BYTES (23) 8

3 PKTS PKTS (2) 4

4 OUT_PKTS OUT_PKTS (24) 4

5 FIRST_SWITCHED FIRST_SWITCHED (22) 4

6 LAST_SWITCHED LAST_SWITCHED (21) 4

7 INPUT_SNMP INPUT_SNMP (10) 2

8 OUTPUT_SNMP OUTPUT_SNMP (14) 2

9 ICMP_TYPE ICMP_TYPE (32) 2

10 PROTOCOL PROTOCOL (4) 1

11 APPLICATION_ID APPLICATION_ID (95) 9

12 FLOW_FLAGS FLOW_FLAGS (65) 2

13 FORWARDING_STATUS FORWARDING_STATUS (89) 1

14 flowEndReason flowEndReason (136) 1

15 IP_SRC_ADDR IP_SRC_ADDR (8) 4

16 IP_DST_ADDR IP_DST_ADDR (12) 4

261 - ICMP6

Description No NAT ICMPv6 traffic

Data Field Count 16

Data fields

Field # Field Type Length

1 BYTES BYTES (1) 8

2 OUT_BYTES OUT_BYTES (23) 8

3 PKTS PKTS (2) 4

4 OUT_PKTS OUT_PKTS (24) 4

5 FIRST_SWITCHED FIRST_SWITCHED (22) 4

6 LAST_SWITCHED LAST_SWITCHED (21) 4

7 INPUT_SNMP INPUT_SNMP (10) 2

8 OUTPUT_SNMP OUTPUT_SNMP (14) 2

9 ICMP_TYPE ICMP_TYPE (32) 2

10 PROTOCOL PROTOCOL (4) 1

11 APPLICATION_ID APPLICATION_ID (95) 9

12 FLOW_FLAGS FLOW_FLAGS (65) 2

13 FORWARDING_STATUS FORWARDING_STATUS (89) 1

14 flowEndReason flowEndReason (136) 1

15 IPV6_SRC_ADDR IPV6_SRC_ADDR (27) 16

16 IPV6_DST_ADDR IPV6_DST_ADDR (28) 16

262 - IPV4_NAT

Description Source/Destination NAT IPv4 traffic

Data Field Count 21

Data fields

Field # Field Type Length

1 BYTES BYTES (1) 8

2 OUT_BYTES OUT_BYTES (23) 8

3 PKTS PKTS (2) 4

4 OUT_PKTS OUT_PKTS (24) 4

5 FIRST_SWITCHED FIRST_SWITCHED (22) 4

6 LAST_SWITCHED LAST_SWITCHED (21) 4

7 L4_SRC_PORT L4_SRC_PORT (7) 2

8 L4_DST_PORT L4_DST_PORT (11) 2

9 INPUT_SNMP INPUT_SNMP (10) 2

10 OUTPUT_SNMP OUTPUT_SNMP (14) 2

11 PROTOCOL PROTOCOL (4) 1

12 APPLICATION_ID APPLICATION_ID (95) 9

13 FLOW_FLAGS FLOW_FLAGS (65) 2

14 FORWARDING_STATUS FORWARDING_STATUS (89) 1

15 flowEndReason flowEndReason (136) 1

16 IP_SRC_ADDR IP_SRC_ADDR (8) 4

17 IP_DST_ADDR IP_DST_ADDR (12) 4

18 postNATSourceIPv4Address postNATSourceIPv4Address (225) 4

19 postNATDestinationIPv4Address postNATDestinationIPv4Address (226) 4

20 postNAPTSourceTransportPort postNAPTSourceTransportPort (227) 2

21 postNAPTDestinationTransportPort postNAPTDestinationTransportPort (228) 2

263 - IPV4_AF_NAT

Description AF NAT IPv4 traffic (4->6)

Data Field Count 21

Data fields

Field # Field Type Length

1 BYTES BYTES (1) 8

2 OUT_BYTES OUT_BYTES (23) 8

3 PKTS PKTS (2) 4

4 OUT_PKTS OUT_PKTS (24) 4

5 FIRST_SWITCHED FIRST_SWITCHED (22) 4

6 LAST_SWITCHED LAST_SWITCHED (21) 4

7 L4_SRC_PORT L4_SRC_PORT (7) 2

8 L4_DST_PORT L4_DST_PORT (11) 2

9 INPUT_SNMP INPUT_SNMP (10) 2

10 OUTPUT_SNMP OUTPUT_SNMP (14) 2

11 PROTOCOL PROTOCOL (4) 1

12 APPLICATION_ID APPLICATION_ID (95) 9

13 FLOW_FLAGS FLOW_FLAGS (65) 2

14 FORWARDING_STATUS FORWARDING_STATUS (89) 1

15 flowEndReason flowEndReason (136) 1

16 IPV6_SRC_ADDR IPV6_SRC_ADDR (27) 16

17 IPV6_DST_ADDR IPV6_DST_ADDR (28) 16

18 postNATSourceIPv6Address postNATSourceIPv6Address (281) 16

19 postNATDestinationIPv6Address postNATDestinationIPv6Address (282) 16

20 postNAPTSourceTransportPort postNAPTSourceTransportPort (227) 2

21 postNAPTDestinationTransportPort postNAPTDestinationTransportPort (228) 2

264 - IPV6_NAT

Description Source/Destination NAT IPv6 traffic

Data Field Count 21

Data fields

Field # Field Type Length

1 BYTES BYTES (1) 8

2 OUT_BYTES OUT_BYTES (23) 8

3 PKTS PKTS (2) 4

4 OUT_PKTS OUT_PKTS (24) 4

5 FIRST_SWITCHED FIRST_SWITCHED (22) 4

6 LAST_SWITCHED LAST_SWITCHED (21) 4

7 L4_SRC_PORT L4_SRC_PORT (7) 2

8 L4_DST_PORT L4_DST_PORT (11) 2

9 INPUT_SNMP INPUT_SNMP (10) 2

10 OUTPUT_SNMP OUTPUT_SNMP (14) 2

11 PROTOCOL PROTOCOL (4) 1

12 APPLICATION_ID APPLICATION_ID (95) 9

13 FLOW_FLAGS FLOW_FLAGS (65) 2

14 FORWARDING_STATUS FORWARDING_STATUS (89) 1

15 flowEndReason flowEndReason (136) 1

16 IP_SRC_ADDR IP_SRC_ADDR (8) 4

17 IP_DST_ADDR IP_DST_ADDR (12) 4

18 postNATSourceIPv6Address postNATSourceIPv6Address (281) 16

19 postNATDestinationIPv6Address postNATDestinationIPv6Address (282) 16

20 postNAPTSourceTransportPort postNAPTSourceTransportPort (227) 2

21 postNAPTDestinationTransportPort postNAPTDestinationTransportPort (228) 2

265 - IPV6_AF_NAT

Description AF NAT IPv6 traffic (6->4)

Data Field Count 21

Data fields

Field # Field Type Length

1 BYTES BYTES (1) 8

2 OUT_BYTES OUT_BYTES (23) 8

3 PKTS PKTS (2) 4

4 OUT_PKTS OUT_PKTS (24) 4

5 FIRST_SWITCHED FIRST_SWITCHED (22) 4

6 LAST_SWITCHED LAST_SWITCHED (21) 4

7 L4_SRC_PORT L4_SRC_PORT (7) 2

8 L4_DST_PORT L4_DST_PORT (11) 2

9 INPUT_SNMP INPUT_SNMP (10) 2

10 OUTPUT_SNMP OUTPUT_SNMP (14) 2

11 PROTOCOL PROTOCOL (4) 1

12 APPLICATION_ID APPLICATION_ID (95) 9

13 FLOW_FLAGS FLOW_FLAGS (65) 2

14 FORWARDING_STATUS FORWARDING_STATUS (89) 1

15 flowEndReason flowEndReason (136) 1

16 IPV6_SRC_ADDR IPV6_SRC_ADDR (27) 16

17 IPV6_DST_ADDR IPV6_DST_ADDR (28) 16

18 postNATSourceIPv4Address postNATSourceIPv4Address (225) 4

19 postNATDestinationIPv4Address postNATDestinationIPv4Address (226) 4

20 postNAPTSourceTransportPort postNAPTSourceTransportPort (227) 2

21 postNAPTDestinationTransportPort postNAPTDestinationTransportPort (228) 2

266 - ICMPV4_NAT

Description Source/Destination NAT ICMPv4 traffic

Data Field Count 20

Data fields

Field # Field Type Length

1 BYTES BYTES (1) 8

2 OUT_BYTES OUT_BYTES (23) 8

3 PKTS PKTS (2) 4

4 OUT_PKTS OUT_PKTS (24) 4

5 FIRST_SWITCHED FIRST_SWITCHED (22) 4

6 LAST_SWITCHED LAST_SWITCHED (21) 4

7 INPUT_SNMP INPUT_SNMP (10) 2

8 OUTPUT_SNMP OUTPUT_SNMP (14) 2

9 ICMP_TYPE ICMP_TYPE (32) 2

10 PROTOCOL PROTOCOL (4) 1

11 APPLICATION_ID APPLICATION_ID (95) 9

12 FLOW_FLAGS FLOW_FLAGS (65) 2

13 FORWARDING_STATUS FORWARDING_STATUS (89) 1

14 flowEndReason flowEndReason (136) 1

15 IP_SRC_ADDR IP_SRC_ADDR (8) 4

16 IP_DST_ADDR IP_DST_ADDR (12) 4

17 postNATSourceIPv4Address postNATSourceIPv4Address (225) 4

18 postNATDestinationIPv4Address postNATDestinationIPv4Address (226) 4

19 postNAPTSourceTransportPort postNAPTSourceTransportPort (227) 2

20 postNAPTDestinationTransportPort postNAPTDestinationTransportPort (228) 2

267 - ICMPV4_AF_NAT

Description AF NAT ICMPv4 traffic (4->6)

Data Field Count 20

Data fields

Field # Field Type Length

1 BYTES BYTES (1) 8

2 OUT_BYTES OUT_BYTES (23) 8

3 PKTS PKTS (2) 4

4 OUT_PKTS OUT_PKTS (24) 4

5 FIRST_SWITCHED FIRST_SWITCHED (22) 4

6 LAST_SWITCHED LAST_SWITCHED (21) 4

7 INPUT_SNMP INPUT_SNMP (10) 2

8 OUTPUT_SNMP OUTPUT_SNMP (14) 2

9 ICMP_TYPE ICMP_TYPE (32) 2

10 PROTOCOL PROTOCOL (4) 1

11 APPLICATION_ID APPLICATION_ID (95) 9

12 FLOW_FLAGS FLOW_FLAGS (65) 2

13 FORWARDING_STATUS FORWARDING_STATUS (89) 1

14 flowEndReason flowEndReason (136) 1

15 IPV6_SRC_ADDR IPV6_SRC_ADDR (27) 16

16 IPV6_DST_ADDR IPV6_DST_ADDR (28) 16

17 postNATSourceIPv6Address postNATSourceIPv6Address (281) 16

18 postNATDestinationIPv6Address postNATDestinationIPv6Address (282) 16

19 postNAPTSourceTransportPort postNAPTSourceTransportPort (227) 2

20 postNAPTDestinationTransportPort postNAPTDestinationTransportPort (228) 2

268 - ICMPV6_NAT

Description Source/Destination NAT ICMPv6 traffic

Data Field Count 20

Data fields

Field # Field Type Length

1 BYTES BYTES (1) 8

2 OUT_BYTES OUT_BYTES (23) 8

3 PKTS PKTS (2) 4

4 OUT_PKTS OUT_PKTS (24) 4

5 FIRST_SWITCHED FIRST_SWITCHED (22) 4

6 LAST_SWITCHED LAST_SWITCHED (21) 4

7 INPUT_SNMP INPUT_SNMP (10) 2

8 OUTPUT_SNMP OUTPUT_SNMP (14) 2

9 ICMP_TYPE ICMP_TYPE (32) 2

10 PROTOCOL PROTOCOL (4) 1

11 APPLICATION_ID APPLICATION_ID (95) 9

12 FLOW_FLAGS FLOW_FLAGS (65) 2

13 FORWARDING_STATUS FORWARDING_STATUS (89) 1

14 flowEndReason flowEndReason (136) 1

15 IP_SRC_ADDR IP_SRC_ADDR (8) 4

16 IP_DST_ADDR IP_DST_ADDR (12) 4

17 postNATSourceIPv6Address postNATSourceIPv6Address (281) 16

18 postNATDestinationIPv6Address postNATDestinationIPv6Address (282) 16

19 postNAPTSourceTransportPort postNAPTSourceTransportPort (227) 2

20 postNAPTDestinationTransportPort postNAPTDestinationTransportPort (228) 2

269 - ICMPV6_AF_NAT

Description AF NAT ICMPv6 traffic (6->4)

Data Field Count 20

Data fields

Field # Field Type Length

1 BYTES BYTES (1) 8

2 OUT_BYTES OUT_BYTES (23) 8

3 PKTS PKTS (2) 4

4 OUT_PKTS OUT_PKTS (24) 4

5 FIRST_SWITCHED FIRST_SWITCHED (22) 4

6 LAST_SWITCHED LAST_SWITCHED (21) 4

7 INPUT_SNMP INPUT_SNMP (10) 2

8 OUTPUT_SNMP OUTPUT_SNMP (14) 2

9 ICMP_TYPE ICMP_TYPE (32) 2

10 PROTOCOL PROTOCOL (4) 1

11 APPLICATION_ID APPLICATION_ID (95) 9

12 FLOW_FLAGS FLOW_FLAGS (65) 2

13 FORWARDING_STATUS FORWARDING_STATUS (89) 1

14 flowEndReason flowEndReason (136) 1

15 IPV6_SRC_ADDR IPV6_SRC_ADDR (27) 16

16 IPV6_DST_ADDR IPV6_DST_ADDR (28) 16

17 postNATSourceIPv4Address postNATSourceIPv4Address (225) 4

18 postNATDestinationIPv4Address postNATDestinationIPv4Address (226) 4

19 postNAPTSourceTransportPort postNAPTSourceTransportPort (227) 2

20 postNAPTDestinationTransportPort postNAPTDestinationTransportPort (228) 2
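The template tables above give the exact byte layout of each data record the FortiGate exports, which is what a collector (or an analyst parsing a capture from UDP port 2055) needs to decode the records. The following is an added example, not FortiOS or Fortinet code: it transcribes the field layouts of templates 262 (IPV4_NAT) and 259 (IPV6) into Python, assembles a NetFlow v9 data flowset from a constructed flow record, parses it back, and maps the post-NAT tuple back to the internal pre-NAT endpoint, which is the lookup an incident responder performs when an abuse report only names the public address and port. The template cache is pre-seeded here; a real collector fills it from the template flowsets it receives first, and the sample addresses are documentation ranges.

```python
"""Decoder for NetFlow v9 data flowsets laid out per the FortiOS templates above.

Added example (not FortiOS or Fortinet code). The field layouts are transcribed
from the template tables in this guide; the sample flow record is constructed.
"""
import struct
from ipaddress import IPv4Address, IPv6Address

# (field name, length in bytes), in order, as listed for template 262 - IPV4_NAT
TEMPLATE_262_IPV4_NAT = [
    ("BYTES", 8), ("OUT_BYTES", 8), ("PKTS", 4), ("OUT_PKTS", 4),
    ("FIRST_SWITCHED", 4), ("LAST_SWITCHED", 4),
    ("L4_SRC_PORT", 2), ("L4_DST_PORT", 2),
    ("INPUT_SNMP", 2), ("OUTPUT_SNMP", 2), ("PROTOCOL", 1),
    ("APPLICATION_ID", 9), ("FLOW_FLAGS", 2), ("FORWARDING_STATUS", 1),
    ("flowEndReason", 1), ("IP_SRC_ADDR", 4), ("IP_DST_ADDR", 4),
    ("postNATSourceIPv4Address", 4), ("postNATDestinationIPv4Address", 4),
    ("postNAPTSourceTransportPort", 2), ("postNAPTDestinationTransportPort", 2),
]
# Template 259 - IPV6 shares the first 15 fields and ends with the IPv6 address pair
TEMPLATE_259_IPV6 = TEMPLATE_262_IPV4_NAT[:15] + [("IPV6_SRC_ADDR", 16), ("IPV6_DST_ADDR", 16)]

# A real collector fills this cache from template flowsets; here it is pre-seeded (assumption)
TEMPLATES = {262: TEMPLATE_262_IPV4_NAT, 259: TEMPLATE_259_IPV6}

IPV4_FIELDS = {"IP_SRC_ADDR", "IP_DST_ADDR",
               "postNATSourceIPv4Address", "postNATDestinationIPv4Address"}
IPV6_FIELDS = {"IPV6_SRC_ADDR", "IPV6_DST_ADDR",
               "postNATSourceIPv6Address", "postNATDestinationIPv6Address"}


def record_length(template):
    """Bytes occupied by one data record of this template (sum of the Length column)."""
    return sum(length for _, length in template)


def decode_value(name, raw):
    if name in IPV4_FIELDS:
        return str(IPv4Address(raw))
    if name in IPV6_FIELDS:
        return str(IPv6Address(raw))
    if name == "APPLICATION_ID":
        return raw.hex()                    # 9-byte application identifier, kept opaque as hex
    return int.from_bytes(raw, "big")       # every other field is a big-endian unsigned integer


def encode_value(name, value, length):
    if name in IPV4_FIELDS:
        return IPv4Address(value).packed
    if name in IPV6_FIELDS:
        return IPv6Address(value).packed
    if name == "APPLICATION_ID":
        return bytes.fromhex(value).rjust(length, b"\x00")
    return int(value).to_bytes(length, "big")


def build_data_flowset(template_id, records):
    """Assemble a v9 data flowset: set id (= template id), length, records, 4-byte padding."""
    template = TEMPLATES[template_id]
    body = b"".join(encode_value(n, rec[n], l) for rec in records for n, l in template)
    pad = (-len(body)) % 4
    return struct.pack("!HH", template_id, 4 + len(body) + pad) + body + b"\x00" * pad


def parse_data_flowset(buf):
    """Return (set id, list of decoded records) for the data flowset at the start of buf."""
    if len(buf) < 4:
        raise ValueError("truncated flowset header")
    set_id, set_len = struct.unpack("!HH", buf[:4])
    if set_len < 4 or set_len > len(buf):
        raise ValueError("flowset length is inconsistent with the buffer")
    template = TEMPLATES.get(set_id)
    if template is None:
        raise KeyError(f"no cached template for set id {set_id}")
    rec_len = record_length(template)
    records, off = [], 4
    while off + rec_len <= set_len:         # anything shorter than one record at the end is padding
        chunk, pos, rec = buf[off:off + rec_len], 0, {}
        for name, length in template:
            rec[name] = decode_value(name, chunk[pos:pos + length])
            pos += length
        records.append(rec)
        off += rec_len
    return set_id, records


def nat_attribution(record):
    """Map the post-NAT source tuple seen on the internet back to the internal pre-NAT endpoint."""
    return (f'{record["postNATSourceIPv4Address"]}:{record["postNAPTSourceTransportPort"]}',
            f'{record["IP_SRC_ADDR"]}:{record["L4_SRC_PORT"]}')


# Constructed sample: one TCP flow from 192.0.2.10 that was source-NATed to 203.0.113.5
SAMPLE_FLOW = {
    "BYTES": 1540, "OUT_BYTES": 9820, "PKTS": 12, "OUT_PKTS": 10,
    "FIRST_SWITCHED": 120000, "LAST_SWITCHED": 123500,
    "L4_SRC_PORT": 51515, "L4_DST_PORT": 443, "INPUT_SNMP": 3, "OUTPUT_SNMP": 5,
    "PROTOCOL": 6, "APPLICATION_ID": "0d0000000000000000", "FLOW_FLAGS": 0,
    "FORWARDING_STATUS": 64, "flowEndReason": 3,
    "IP_SRC_ADDR": "192.0.2.10", "IP_DST_ADDR": "198.51.100.20",
    "postNATSourceIPv4Address": "203.0.113.5", "postNATDestinationIPv4Address": "198.51.100.20",
    "postNAPTSourceTransportPort": 40001, "postNAPTDestinationTransportPort": 443,
}

if __name__ == "__main__":
    set_id, recs = parse_data_flowset(build_data_flowset(262, [SAMPLE_FLOW]))
    print(set_id, nat_attribution(recs[0]))
```

The length check on the flowset header matters in practice: a collector that trusts the length field from the wire and indexes past the datagram is a crash waiting for a malformed packet, so the parser refuses a length that does not fit the buffer rather than slicing optimistically.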

NetFlow on FortiExtender and tunnel interfaces

NetFlow sampling is supported on FortiExtender and VPN tunnel interfaces.


VPN tunnel interfaces can be IPsec, IP in IP, or GRE tunnels. NetFlow sampling is supported on both NPU and non-NPU offloaded tunnels.

Examples

In the following examples, a FortiExtender and a VPN tunnel interface are configured with NetFlow sampling.

To configure a FortiExtender interface with NetFlow sampling:

1. Configure a FortiExtender interface with NetFlow sampling enabled for both transmitted and received traffic:
config system interface
edit "fext-211"
set vdom "root"
set mode dhcp
set type fext-wan
set netflow-sampler both
set role wan
set snmp-index 8
set macaddr 2a:4e:68:a3:f4:6a
next
end

2. Check the NetFlow status and configuration:
# diagnose test application sflowd 3
===== Netflow Vdom Configuration =====
Global collector:172.18.60.80:[2055] source ip: 0.0.0.0 active-timeout(seconds):60 inactive-timeout(seconds):600
____ vdom: root, index=0, is master, collector: disabled (use global config) (mgmt vdom)
|_ coll_ip:172.18.60.80[2055],src_ip:10.6.30.105,seq_num:300,pkts/time to next template: 18/29
|_ exported: Bytes:3026268, Packets:11192, Sessions:290 Flows:482
|____ interface:fext-211 sample_direction:both device_index:26 snmp_index:8

Device index 26 is the FortiExtender interface fext-211.

3. Check the network interface list:
# diagnose netlink interface list
...
if=fext-211 family=00 type=1 index=26 mtu=1500 link=0 master=0
ref=27 state=start present fw_flags=60000 flags=up broadcast run multicast
...

4. Check the session list for the FortiExtender interface and NetFlow flowset packet:
# diagnose sys session list
session info: proto=1 proto_state=00 duration=1732 expire=59 timeout=0 flags=00000000
socktype=0 sockport=0 av_idx=0 use=3
origin-shaper=
reply-shaper=
per_ip_shaper=
class_id=0 ha_id=0 policy_dir=0 tunnel=/ vlan_cos=0/255
state=may_dirty netflow-origin netflow-reply
statistic(bytes/packets/allow_err): org=145572/1733/1 reply=145572/1733/1 tuples=2
tx speed(Bps/kbps): 83/0 rx speed(Bps/kbps): 83/0
orgin->sink: org pre->post, reply pre->post dev=5->26/26->5
gwy=10.39.252.244/172.16.200.55
hook=post dir=org act=snat 172.16.200.55:61290->8.8.8.8:8(10.39.252.243:61290)
hook=pre dir=reply act=dnat 8.8.8.8:61290->10.39.252.243:0(172.16.200.55:61290)
misc=0 policy_id=1 auth_info=0 chk_client_info=0 vd=0
serial=00001298 tos=ff/ff app_list=0 app=0 url_cat=0
sdwan_mbr_seq=0 sdwan_service_id=0
rpdb_link_id=00000000 rpdb_svc_id=0 ngfwid=n/a
npu_state=0x040000
no_ofld_reason: non-npu-intf
total session 1

5. The flowset packet can be captured on UDP port 2055 by a packet analyzer, such as Wireshark:

To configure a VPN tunnel interface with NetFlow sampling:

1. Configure a VPN interface with NetFlow sampling enabled for both transmitted and received traffic:
config system interface
edit "A-to-B_vpn"
set vdom "vdom1"
set type tunnel
set netflow-sampler both
set snmp-index 42
set interface "port3"
next
end

2. Configure the VPN tunnel:
config vpn ipsec phase1-interface
edit "A-to-B_vpn"
set interface "port3"
set peertype any
set net-device disable
set proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1
set comments "VPN: A-to-B_vpn [Created by VPN wizard]"
set wizard-type static-fortigate
set remote-gw 10.2.2.2
set psksecret ENC
next
end

config vpn ipsec phase2-interface
edit "A-to-B_vpn"
set phase1name "A-to-B_vpn"
set proposal aes128-sha1 aes256-sha1 aes128-sha256 aes256-sha256 aes128gcm aes256gcm chacha20poly1305
set comments "VPN: A-to-B_vpn [Created by VPN wizard]"
set src-addr-type name
set dst-addr-type name
set src-name "A-to-B_vpn_local"
set dst-name "A-to-B_vpn_remote"
next
end

3. Check the NetFlow status and configuration:
# diagnose test application sflowd 3
===== Netflow Vdom Configuration =====
Global collector:172.18.60.80:[2055] source ip: 0.0.0.0 active-timeout(seconds):60 inactive-timeout(seconds):15
____ vdom: vdom1, index=1, is master, collector: disabled (use global config) (mgmt vdom)
|_ coll_ip:172.18.60.80[2055],src_ip:10.1.100.1,seq_num:60,pkts/time to next template: 15/6
|_ exported: Bytes:11795591, Packets:48160, Sessions:10 Flows:34
|____ interface:A-to-B_vpn sample_direction:both device_index:52 snmp_index:42

Device index 52 is the VPN interface A-to-B_vpn.

4. Check the session list for the VPN interface and NetFlow flowset packet (unencapsulated traffic going through the VPN tunnel):
# diagnose sys session list
session info: proto=6 proto_state=01 duration=6 expire=3599 timeout=3600 flags=00000000
socktype=0 sockport=0 av_idx=0 use=3
origin-shaper=
reply-shaper=
per_ip_shaper=
class_id=0 ha_id=0 policy_dir=0 tunnel=/ vlan_cos=0/255
state=may_dirty npu netflow-origin netflow-reply
statistic(bytes/packets/allow_err): org=6433/120/1 reply=884384/713/1 tuples=2
tx speed(Bps/kbps): 992/7 rx speed(Bps/kbps): 136479/1091
orgin->sink: org pre->post, reply pre->post dev=10->52/52->10 gwy=10.2.2.2/10.1.100.22
hook=pre dir=org act=noop 10.1.100.22:43714->172.16.200.55:80(0.0.0.0:0)
hook=post dir=reply act=noop 172.16.200.55:80->10.1.100.22:43714(0.0.0.0:0)
pos/(before,after) 0/(0,0), 0/(0,0)
src_mac=00:0c:29:ac:ae:4f
misc=0 policy_id=5 auth_info=0 chk_client_info=0 vd=1
serial=00003b6c tos=ff/ff app_list=0 app=0 url_cat=0
sdwan_mbr_seq=0 sdwan_service_id=0
rpdb_link_id=00000000 rpdb_svc_id=0 ngfwid=n/a
npu_state=0x000001 no_offload
npu info: flag=0x82/0x00, offload=0/0, ips_offload=0/0, epid=0/0, ipid=0/0, vlan=0x0000/0x0000
vlifid=0/0, vtag_in=0x0000/0x0000 in_npu=0/0, out_npu=0/0, fwd_en=0/0, qid=0/0
no_ofld_reason: disabled-by-policy
total session 1

5. The flowset packet can be captured on UDP port 2055 by a packet analyzer, such as Wireshark:

sFlow

sFlow is a method of monitoring the traffic on your network to identify areas on the network that may impact performance
and throughput. FortiGate supports sFlow v5. sFlow collector software is available from a number of third-party software
vendors. For more information about sFlow, see www.sflow.org.
The packet information that the FortiGate's sFlow agent collects depends on the interface type:
• On an internal interface, when the interface receives packets from devices with private IP addresses, the collected
information includes the private IP addresses.
• On an external, or WAN, interface, when the interface receives packets to route to or from the internet, the collected
information includes the IP address of the WAN interface as the source or destination address, depending on the
direction of the traffic. It does not include IP addresses that are NATed on another interface.
sFlow datagrams contain the following information:
• Packet headers, such as MAC, IPv4, and TCP
• Sample process parameters, such as rate and pool
• Input and output ports
• Priority (802.1p and ToS)
• VLAN (802.1Q)
• Source prefixes, destination prefixes, and next hop addresses
• BGP source AS, source peer AS, destination peer AS, communities, and local preference
• User IDs (TACACS, RADIUS) for source and destination
• Interface statistics (RFC 1573, RFC 2233, and RFC 2358)

Configuring sFlow

sFlow can be configured globally, then on traffic VDOMs and individual interfaces.

When configuring sFlow on a VDOM, the collector can be specified, or the collector that is configured globally can be
used.
sFlow is supported on some interface types, such as physical, VLAN, and aggregate. It is not supported on virtual
interfaces, such as VDOM link, IPsec, GRE, or SSL. When configuring sFlow on an interface, the rate that the agent
samples traffic, the direction of that traffic, and the frequency that the agent sends sFlow datagrams to the sFlow
collector can be specified. If sFlow is configured on the VDOM that the interface belongs to, the agent sends datagrams
to the collector configured for the VDOM. Otherwise, the datagrams are sent to the collector that is configured globally.
Configuring sFlow for an interface disables NP offloading for all traffic on that interface.

To configure sFlow globally:

config system sflow
set collector-ip <ipv4_address>
set collector-port <port>
set source-ip <ipv4_address>
set interface-select-method {auto | sdwan | specify}
set interface <interface>
end

collector-ip <ipv4_address>    The IPv4 address of the sFlow collector that sFlow agents added to interfaces send datagrams to (default = 0.0.0.0).
collector-port <port>    The UDP port number used for sending sFlow datagrams (0 - 65535, default = 6343).
    Only configure this option if required by the sFlow collector or your network configuration.
source-ip <ipv4_address>    The source IPv4 address that the sFlow agent uses to send datagrams to the collector (default = 0.0.0.0).
    If this option is not configured, the FortiGate uses the IP address of the interface that it sends the datagram through.
interface-select-method {auto | sdwan | specify}    How the outgoing interface to reach the server is selected (default = auto).
interface <interface>    The outgoing interface used to reach the server.
    This option is only available when interface-select-method is specify.

To configure sFlow for a VDOM:

config vdom
edit <vdom>
config system vdom-sflow
set vdom-sflow {enable | disable}
set collector-ip <ipv4_address>
set collector-port <port>
set source-ip <ipv4_address>
set interface-select-method {auto | sdwan | specify}
set interface <interface>
end
next
end

vdom-sflow {enable | disable}    Enable/disable the sFlow configuration for the current VDOM (default = disable).
collector-ip <ipv4_address>    The IPv4 address of the sFlow collector that sFlow agents added to interfaces send datagrams to (default = 0.0.0.0).
    If this option is not configured, the global setting will be used.
collector-port <port>    The UDP port number used for sending sFlow datagrams (0 - 65535, default = 6343).
    Only configure this option if required by the sFlow collector or your network configuration.
    If this option is not configured, the global setting will be used.
source-ip <ipv4_address>    The source IPv4 address that the sFlow agent uses to send datagrams to the collector (default = 0.0.0.0).
    If this option is not configured, the FortiGate uses the IP address of the interface that it sends the datagram through.
interface-select-method {auto | sdwan | specify}    How the outgoing interface to reach the server is selected (default = auto).
interface <interface>    The outgoing interface used to reach the server.
    This option is only available when interface-select-method is specify.

To configure sFlow on an interface:

config system interface
edit <interface>
set sflow-sampler {enable | disable}
set sample-rate <integer>
set polling-interval <integer>
set sample-direction {tx | rx | both}
next
end

sflow-sampler {enable | disable}    Enable/disable sFlow on this interface (default = disable).
sample-rate <integer>    The average number of packets that the agent lets pass before taking a sample (10 - 99999, default = 2000).
    Setting a lower rate samples a higher number of packets, increasing the accuracy of the sampling data, but also increasing the CPU and network bandwidth usage. The default value is recommended.
polling-interval <integer>    The amount of time that the agent waits between sending datagrams to the collector, in seconds (1 - 255, default = 20).
    Setting a higher value lowers the amount of data that the agent sends across the network, but makes the collector's view of the network less current.
sample-direction {tx | rx | both}    The direction of the traffic that the agent collects (default = both).

Link monitor

The link monitor is a mechanism that allows the FortiGate to probe the status of a detect server in order to determine the
health of the link, next hop, or the path to the server. Ping, TCP echo, UDP echo, HTTP, and TWAMP protocols can be
used for the probes. Typically, the detect server is set to a stable server several hops away. Multiple servers can also be
configured, with options to define the protocol and weight for each server.
The link monitor serves several purposes. In the most basic configuration, it can be used to detect failures and remove
the routes associated with the interface and gateway to prevent traffic from routing out the failed link. More granularity was
added in 7.0 that allows only the routes specified in the link monitor to be removed from the routing table. With this
option, only traffic to specific routing destinations is affected, rather than traffic to all routing destinations.
Another enhancement starting in 7.0.1 is an option to toggle between enabling or disabling policy route updates when a
link health monitor fails.
The link monitor can also monitor remote servers for HA failover. The built-in HA link monitor can only detect physical
link failures to trigger HA failover. With the link monitor, remote servers can be used to monitor the health of the path to
the server in order to trigger HA failover.
Finally, the link monitor can cascade the failure to other interfaces. When the update-cascade-interface option is
enabled, the interface can be configured in conjunction with fail-detect enabled to trigger a link down event on other
interfaces.
The following topics provide more information about the link monitor:
• Link monitor with route updates on page 481
• Enable or disable updating policy routes when link health monitor fails on page 483
• Add weight setting on each link health monitor server on page 485
• Dual internet connections on page 327
• SLA link monitoring for dynamic IPsec and SSL VPN tunnels on page 488

Link monitor with route updates

When a link monitor fails, only the routes that are specified in the link monitor are removed from the routing table, instead
of all the routes with the same interface and gateway. If no routes are specified, then all of the routes are removed. Only
IPv4 routes are supported.

Example

In this example, the FortiGate has several routes to 23.2.2.2/32 and 172.16.202.2/24, and is monitoring the link agg1 by
pinging the server at 10.1.100.22. The link monitor uses the gateway 172.16.203.2.

When the link monitor fails, only the routes to the specified subnet using interface agg1 and gateway 172.16.203.2 are
removed.

To configure the link monitor:

config system link-monitor
edit "22"
set srcintf "agg1"
set server "10.1.100.22"
set gateway-ip 172.16.203.2
set route "23.2.2.2/32" "172.16.202.0/24"
next
end

To check the results:

1. When the link monitor is alive:
# get router info routing-table static
Routing table for VRF=0
S* 0.0.0.0/0 [5/0] via 10.100.1.249, port12
S 10.1.100.0/24 [10/0] via 172.16.203.2, agg1
S 23.2.2.2/32 [10/0] via 172.16.203.2, agg1
S 23.2.3.2/32 [10/0] via 172.16.203.2, agg1
S 172.16.201.0/24 [10/0] via 172.16.200.4, port9
S 172.16.202.0/24 [10/0] via 172.16.203.2, agg1
S 172.16.204.0/24 [10/0] via 172.16.200.4, port9
[10/0] via 172.16.203.2, agg1
[10/0] via 172.16.206.2, vlan100, [100/0]

2. When the link monitor is dead:
# get router info routing-table static
Routing table for VRF=0
S* 0.0.0.0/0 [5/0] via 10.100.1.249, port12
S 10.1.100.0/24 [10/0] via 172.16.203.2, agg1
S 23.2.3.2/32 [10/0] via 172.16.203.2, agg1
S 172.16.201.0/24 [10/0] via 172.16.200.4, port9
S 172.16.204.0/24 [10/0] via 172.16.200.4, port9
[10/0] via 172.16.203.2, agg1
[10/0] via 172.16.206.2, vlan100, [100/0]

Enable or disable updating policy routes when link health monitor fails

An option has been added to toggle between enabling or disabling policy route updates when a link health monitor fails.
By disabling policy route updates, a link health monitor failure will not cause corresponding policy-based routes to be
removed.
config system link-monitor
edit <name>
set update-policy-route {enable | disable}
next
end

Example

In the following topology, the FortiGate is monitoring the detect server, 10.1.100.22. The FortiGate has a policy-based
route to destination 172.16.205.10 using the same gateway (172.16.202.1) and interface (port22). By configuring
update-policy-route disable, the policy-based route is not removed when the link health monitor detects a
failure.

To disable updating policy routes when the link health monitor fails:

1. Configure the link health monitor:
config system link-monitor
edit "test-1"
set srcintf "port22"
set server "10.1.100.22"
set gateway-ip 172.16.202.1
set failtime 3
set update-policy-route disable
next
end

2. Configure the policy route:
config router policy
edit 1
set input-device "port16"
set dst "172.16.205.10/255.255.255.255"
set gateway 172.16.202.1
set output-device "port22"
set tos 0x14
set tos-mask 0xff
next
end

3. When the link health monitor status is up, verify that the policy route is active.
a. Verify the link health monitor status:
# diagnose sys link-monitor status
Link Monitor: test-1, Status: alive, Server num(1), HA state: local(alive), shared(alive)
Flags=0x1 init, Create time: Fri May 28 15:20:15 2021
Source interface: port22 (14)
Gateway: 172.16.202.1
Interval: 500 ms
Service-detect: disable
Diffservcode: 000000
Class-ID: 0
Peer: 10.1.100.22(10.1.100.22)
Source IP(172.16.202.2)
Route: 172.16.202.2->10.1.100.22/32, gwy(172.16.202.1)
protocol: ping, state: alive
Latency(Min/Max/Avg): 0.374/0.625/0.510 ms
Jitter(Min/Max/Avg): 0.008/0.182/0.074
Packet lost: 0.000%
Number of out-of-sequence packets: 0
Fail Times(0/3)
Packet sent: 7209, received: 3400, Sequence(sent/rcvd/exp): 7210/7210/7211

b. Verify the policy route list:
# diagnose firewall proute list
list route policy info(vf=root):
id=1 dscp_tag=0xff 0xff flags=0x0 tos=0x14 tos_mask=0xff protocol=0 sport=0-0 iif=41
dport=0-65535 oif=14(port22) gwy=172.16.202.1
source wildcard(1): 0.0.0.0/0.0.0.0
destination wildcard(1): 172.16.205.10/255.255.255.255
hit_count=1 last_used=2021-05-27 23:04:33

4. When the link health monitor status is down, verify that the policy route is still active:
a. Verify the link health monitor status:
# diagnose sys link-monitor status
Link Monitor: test-1, Status: die, Server num(1), HA state: local(die), shared(die)
Flags=0x9 init log_downgateway, Create time: Fri May 28 15:20:15 2021
Source interface: port22 (14)
Gateway: 172.16.202.1
Interval: 500 ms
Service-detect: disable
Diffservcode: 000000
Class-ID: 0
Peer: 10.1.100.22(10.1.100.22)
Source IP(172.16.202.2)
Route: 172.16.202.2->10.1.100.22/32, gwy(172.16.202.1)
protocol: ping, state: die
Packet lost: 11.000%
Number of out-of-sequence packets: 0
Recovery times(0/5) Fail Times(0/3)
Packet sent: 7293, received: 3471, Sequence(sent/rcvd/exp): 7294/7281/7282

b. Verify the policy route list:
# diagnose firewall proute list
list route policy info(vf=root):
id=1 dscp_tag=0xff 0xff flags=0x0 tos=0x14 tos_mask=0xff protocol=0 sport=0-0 iif=41
dport=0-65535 oif=14(port22) gwy=172.16.202.1
source wildcard(1): 0.0.0.0/0.0.0.0
destination wildcard(1): 172.16.205.10/255.255.255.255
hit_count=1 last_used=2021-05-27 23:04:33

If the update-policy-route setting is enabled, the link health monitor would be down and the policy-based
route would be disabled:
# diagnose firewall proute list
list route policy info(vf=root):
id=1 dscp_tag=0xff 0xff flags=0x8 disable tos=0x14 tos_mask=0xff protocol=0 sport=0-0
iif=41 dport=0-65535 oif=14(port22) gwy=172.16.202.1
source wildcard(1): 0.0.0.0/0.0.0.0
destination wildcard(1): 172.16.205.10/255.255.255.255
hit_count=1 last_used=2021-05-27 23:04:33

Add weight setting on each link health monitor server

Prior to FortiOS 7.0.1, the link health monitor was determined to be dead only when all of its servers were unreachable. Starting in
7.0.1, the link health monitor can be configured with multiple servers, each with its own weight setting. When
the link health monitor is down, it triggers static route updates and cascade interface updates if the combined weight of all dead
servers exceeds the monitor's fail weight threshold.
config system link-monitor
edit <name>
set srcintf <interface>
set server-config {default | individual}
set fail-weight <integer>
config server-list
edit <id>
set dst <address>
set weight <integer>
next
end
next
end

server-config {default | individual}    Set the server configuration mode:
    • default: all servers share the same attributes.
    • individual: some attributes can be specified for individual servers.
fail-weight <integer>    Threshold weight to trigger link failure alert (0 - 255, default = 0).
server-list    Configure the servers to be monitored by the link monitor.
dst <address>    Enter the IP address of the server to be monitored.
weight <integer>    Weight of the monitor to this destination (0 - 255, default = 0).

Examples

In the following topology, there are two detect servers that connect to the FortiGate through a router: server 1
(10.1.100.22) and server 2 (10.1.100.55).

Alive link health monitor

In this configuration, one server is dead and one is alive. The weight of the failed server does not exceed the threshold, so the
link health monitor status is alive.

To configure the weight settings on the link health monitor:

1. Configure the link health monitor:
config system link-monitor
edit "test-1"
set srcintf "port22"
set server-config individual
set gateway-ip 172.16.202.1
set failtime 3
set fail-weight 40
config server-list
edit 1
set dst "10.1.100.22"
set weight 60
next
edit 2
set dst "10.1.100.55"
set weight 30
next
end
next
end

2. Trigger server 2 to go down. The link monitor is still alive because the fail weight threshold has not been reached.

3. Verify the link health monitor status:
# diagnose sys link-monitor status test-1
Link Monitor: test-1, Status: alive, Server num(2), HA state: local(alive), shared(alive)
Flags=0x1 init, Create time: Fri Jun 4 17:23:29 2021
Source interface: port22 (14)
Gateway: 172.16.202.1
Interval: 500 ms
Service-detect: disable
Diffservcode: 000000
Class-ID: 0
Fail-weight (40): not activated
Peer: 10.1.100.22(10.1.100.22)
Source IP(172.16.202.2)
Route: 172.16.202.2->10.1.100.22/32, gwy(172.16.202.1)
protocol: ping, state: alive
Latency(Min/Max/Avg): 0.417/0.585/0.530 ms
Jitter(Min/Max/Avg): 0.007/0.159/0.057
Packet lost: 0.000%
Number of out-of-sequence packets: 0
Fail Times(0/3)
Packet sent: 239, received: 236, Sequence(sent/rcvd/exp): 240/240/241
Peer: 10.1.100.55(10.1.100.55)
Source IP(172.16.202.2)
Route: 172.16.202.2->10.1.100.55/32, gwy(172.16.202.1)
Fail weight 30 applied
protocol: ping, state: dead
Packet lost: 100.000%
Number of out-of-sequence packets: 0
Recovery times(0/5) Fail Times(1/3)
Packet sent: 239, received: 3, Sequence(sent/rcvd/exp): 240/4/5

Dead link health monitor

In this configuration, one server is dead and one is alive. The failed server's weight exceeds the threshold, so the link
health monitor status is dead.

To configure the weight settings on the link health monitor:

1. Configure the link health monitor:


config system link-monitor
edit "test-1"
set srcintf "port22"
set server-config individual
set gateway-ip 172.16.202.1
set failtime 3
set fail-weight 40
config server-list
edit 1
set dst "10.1.100.22"
set weight 30
next
edit 2
set dst "10.1.100.55"

FortiOS 7.2.1 Administration Guide 487


Fortinet Inc.
Network

set weight 50
next
end
next
end

2. Trigger server 2 to go down. The link monitor is dead because the fail weight threshold has been reached.
3. Verify the link health monitor status:
# diagnose sys link-monitor status test-1
Link Monitor: test-1, Status: dead, Server num(2), HA state: local(dead), shared(dead)
Flags=0x9 init log_downgateway, Create time: Fri Jun 4 17:23:29 2021
Source interface: port22 (14)
Gateway: 172.16.202.1
Interval: 500 ms
Service-detect: disable
Diffservcode: 000000
Class-ID: 0
Fail-weight (40): activated
Peer: 10.1.100.22(10.1.100.22)
Source IP(172.16.202.2)
Route: 172.16.202.2->10.1.100.22/32, gwy(172.16.202.1)
protocol: ping, state: alive
Latency(Min/Max/Avg): 0.393/0.610/0.520 ms
Jitter(Min/Max/Avg): 0.009/0.200/0.095
Packet lost: 0.000%
Number of out-of-sequence packets: 0
Fail Times(0/3)
Packet sent: 680, received: 677, Sequence(sent/rcvd/exp): 681/681/682
Peer: 10.1.100.55(10.1.100.55)
Source IP(172.16.202.2)
Route: 172.16.202.2->10.1.100.55/32, gwy(172.16.202.1)
Fail weight 50 applied
protocol: ping, state: dead
Packet lost: 100.000%
Number of out-of-sequence packets: 0
Recovery times(0/5) Fail Times(1/3)
Packet sent: 680, received: 3, Sequence(sent/rcvd/exp): 681/4/5
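
Both examples above apply the same rule: the weights of the dead servers are summed and compared with fail-weight. The following Python script is an added example, not FortiOS or Fortinet code: it parses the text of diagnose sys link-monitor status, recomputes that verdict from the per-server lines, and reports whether it agrees with the Status field, which is a useful cross-check when link monitor output is fed into an alerting pipeline. The sample input is constructed from the two outputs above, trimmed to the lines the parser reads; how the equality case (dead weight equal to fail-weight) and a fail-weight of 0 are treated are assumptions noted in the code.

```python
"""Recompute a FortiOS link monitor's fail-weight verdict from its diagnostic output.

Added example, not FortiOS code: reads `diagnose sys link-monitor status <name>` text.
"""
import re
from dataclasses import dataclass, field

# Constructed sample input: the two outputs shown on this page, trimmed to the
# lines this parser reads. Server 10.1.100.55 is dead in both; only its weight differs.
ALIVE_SAMPLE = """\
Link Monitor: test-1, Status: alive, Server num(2), HA state: local(alive), shared(alive)
  Fail-weight (40): not activated
  Peer: 10.1.100.22(10.1.100.22)
    protocol: ping, state: alive
    Fail Times(0/3)
  Peer: 10.1.100.55(10.1.100.55)
    Fail weight 30 applied
    protocol: ping, state: dead
    Recovery times(0/5) Fail Times(1/3)
"""

DEAD_SAMPLE = """\
Link Monitor: test-1, Status: dead, Server num(2), HA state: local(dead), shared(dead)
  Fail-weight (40): activated
  Peer: 10.1.100.22(10.1.100.22)
    protocol: ping, state: alive
  Peer: 10.1.100.55(10.1.100.55)
    Fail weight 50 applied
    protocol: ping, state: dead
"""

HEADER_RE = re.compile(r"^Link Monitor: (?P<name>[^,]+), Status: (?P<status>\w+)")
THRESHOLD_RE = re.compile(r"^Fail-weight \((?P<w>\d+)\)")
PEER_RE = re.compile(r"^Peer: (?P<addr>[0-9.]+)\(")
APPLIED_RE = re.compile(r"^Fail weight (?P<w>\d+) applied")
STATE_RE = re.compile(r"^protocol: \w+, state: (?P<state>\w+)")


@dataclass
class Peer:
    address: str
    state: str = "unknown"
    applied_weight: int = 0  # FortiOS prints "Fail weight N applied" only for dead servers


@dataclass
class LinkMonitor:
    name: str
    reported_status: str
    fail_weight: int = 0
    peers: list = field(default_factory=list)

    def dead_weight(self) -> int:
        """Sum of the weights FortiOS reports as applied for dead servers."""
        return sum(p.applied_weight for p in self.peers if p.state == "dead")

    def computed_status(self) -> str:
        """Verdict recomputed from the per-server lines.

        Assumption: the monitor goes dead once the dead-server weight reaches the
        threshold (>=); the page's examples (30 vs 40, 50 vs 40) do not exercise
        equality. A fail-weight of 0 (the default) is treated as 'not configured'.
        """
        if self.fail_weight > 0 and self.dead_weight() >= self.fail_weight:
            return "dead"
        return "alive"


def parse_link_monitor(text: str) -> LinkMonitor:
    """Build a LinkMonitor from the raw diagnostic output."""
    monitor = None
    peer = None
    for raw in text.splitlines():
        line = raw.strip()
        if m := HEADER_RE.match(line):
            monitor = LinkMonitor(name=m["name"], reported_status=m["status"])
        elif monitor is None:
            continue  # ignore anything before the summary line
        elif m := THRESHOLD_RE.match(line):
            monitor.fail_weight = int(m["w"])
        elif m := PEER_RE.match(line):
            peer = Peer(address=m["addr"])
            monitor.peers.append(peer)
        elif peer is not None and (m := APPLIED_RE.match(line)):
            peer.applied_weight = int(m["w"])
        elif peer is not None and (m := STATE_RE.match(line)):
            peer.state = m["state"]
    if monitor is None:
        raise ValueError("no 'Link Monitor:' summary line in input")
    return monitor


def audit(text: str) -> dict:
    """Compare the reported Status with the recomputed verdict; 'consistent' flags drift."""
    mon = parse_link_monitor(text)
    computed = mon.computed_status()
    return {
        "name": mon.name,
        "reported": mon.reported_status,
        "computed": computed,
        "dead_weight": mon.dead_weight(),
        "fail_weight": mon.fail_weight,
        "consistent": computed == mon.reported_status,
    }


if __name__ == "__main__":
    for sample in (ALIVE_SAMPLE, DEAD_SAMPLE):
        print(audit(sample))
```

Run against the two samples, audit() returns dead_weight 30 and a consistent "alive" verdict for the first, and dead_weight 50 with a consistent "dead" verdict for the second. A result with consistent set to False means the summary line and the per-server lines disagree and deserves a look before the output is trusted by automation.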

SLA link monitoring for dynamic IPsec and SSL VPN tunnels

The link health monitor settings can measure SLA information of dynamic VPN interfaces, which assign IP addresses to
their clients during tunnel establishment. This includes SSL VPN tunnels, IPsec remote access, and IPsec site-to-site
tunnels.

This feature currently only supports IPv4 and the ICMP monitoring protocol. In the IPsec
tunnel settings, net-device must be disabled.

config system link-monitor


edit <name>
set server-type {static | dynamic}
next
end


To view the dial-up tunnel statistics:

# diagnose sys link-monitor tunnel {name | all} [<tunnel_name>]

Example

In this example, endpoint users dial up using FortiClient to create IPsec tunnels with the FortiGate and obtain IP
addresses. The link monitor on the FortiGate's dynamic VPN interface measures the path quality to the endpoints.

To configure SLA link health monitoring in dynamic IPsec tunnels:

1. Configure the IPsec phase 1 interface:


config vpn ipsec phase1-interface
edit "for_Branch"
set type dynamic
set interface "port15"
set mode aggressive
set peertype any
set net-device disable
set mode-cfg enable
set proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1
set dpd on-idle
set dhgrp 5
set xauthtype auto
set authusrgrp "vpngroup"
set assign-ip-from name
set ipv4-netmask 255.255.255.0
set dns-mode auto
set ipv4-split-include "172.16.205.0"
set ipv4-name "client_range"
set save-password enable
set psksecret **********
set dpd-retryinterval 60
next
end


2. Configure the IPsec phase 2 interface:


config vpn ipsec phase2-interface
edit "for_Branch_p2"
set phase1name "for_Branch"
set proposal aes128-sha1 aes256-sha1 aes128-sha256 aes256-sha256 aes128gcm
aes256gcm chacha20poly1305
set dhgrp 5
next
end

3. Configure the dynamic interface:


config system interface
edit "for_Branch"
set vdom "root"
set ip 10.10.10.254 255.255.255.255
set type tunnel
set remote-ip 10.10.10.253 255.255.255.0
set snmp-index 100
set interface "port15"
next
end

4. Add the IPsec dial-up tunnel to the link health monitor:


config system link-monitor
edit "1"
set srcintf "for_Branch"
set server-type dynamic
next
end

5. Once endpoint users have connected using FortiClient, verify the tunnel information:
# get vpn ipsec tunnel summary
'for_Branch_0' 10.1.100.23:0 selectors(total,up): 1/1 rx(pkt,err): 21091/0 tx
(pkt,err): 20741/0
'for_Branch_1' 10.1.100.13:0 selectors(total,up): 1/1 rx(pkt,err): 19991/0 tx
(pkt,err): 20381/0

6. Verify the link health monitor status:


# diagnose sys link-monitor tunnel all
for_Branch_0 (1): state=alive, peer=10.10.10.1, create_time=2022-02-08 10:43:11,
srcintf=for_Branch, latency=0.162, jitter=0.018, pktloss=0.000%
for_Branch_1 (1): state=alive, peer=10.10.10.2, create_time=2022-02-08 10:49:24,
srcintf=for_Branch, latency=0.266, jitter=0.015, pktloss=0.000%

7. Manually add 200 ms latency on the path between the FortiGate and FortiClients.
8. Verify the link health monitor status again:
# diagnose sys link-monitor tunnel all
for_Branch_0 (1): state=alive, peer=10.10.10.1, create_time=2022-02-08 10:43:11,
srcintf=for_Branch, latency=200.177, jitter=0.021, pktloss=0.000%
for_Branch_1 (1): state=alive, peer=10.10.10.2, create_time=2022-02-08 10:49:24,
srcintf=for_Branch, latency=200.257, jitter=0.017, pktloss=0.000%


IPv6

The following topics provide information about IPv6:


l IPv6 tunneling on page 491
l IPv6 tunnel inherits MTU based on physical interface on page 493
l Configuring IPv4 over IPv6 DS-Lite service on page 495

IPv6 tunneling

IPv6 tunneling involves tunneling IPv6 packets from an IPv6 network through an IPv4 network to another IPv6 network.
This differs from NAT because, once the packet reaches its final destination, the true originating address of the
sender is still readable. The IPv6 packets are encapsulated within packets with IPv4 headers that carry their IPv6
payload through the IPv4 network. IPv6 tunneling is suitable for networks that have completely transitioned to IPv6
but need an internet connection, where most addresses are still IPv4.
Both IPv6 tunneling devices, whether they are a host or a network device, must be dual stack compatible. The tunneling
process is as follows:
1. The tunnel entry node creates an encapsulating IPv4 header and transmits the encapsulated packet.
2. The tunnel exit node receives the encapsulated packet.
3. The IPv4 header is removed.
4. The IPv6 header is updated and the IPv6 packet is processed.
There are two types of tunnels in IPv6 tunneling, automatic and configured. Automatic tunnels are configured by using
IPv4 address information embedded in an IPv6 address. The IPv6 address of the destination host includes information
about which IPv4 address the packet should be tunneled to. Configured tunnels are manually configured, and they are
used for IPv6 addresses that do not have any embedded IPv4 information. The IPv6 and IPv4 addresses of the tunnel
endpoints must be specified.

Tunnel configurations

There are four tunneling configurations available depending on which segment of the path between the endpoints of the
session the encapsulation takes place.

Type  Description

Network device-to-network device  Dual stack capable devices connected by an IPv4 infrastructure can tunnel IPv6 packets between themselves. The tunnel spans one segment of the path taken by the IPv6 packets.

Host-to-network device  Dual stack capable hosts can tunnel IPv6 packets to an intermediary IPv6 or IPv4 network device that is reachable through an IPv4 infrastructure. The tunnel spans the first segment of the path taken by the IPv6 packets.

Host-to-host  Dual stack capable hosts that are interconnected by an IPv4 infrastructure can tunnel IPv6 packets between themselves. The tunnel spans the entire path taken by the IPv6 packets.

Network device-to-host  Dual stack capable network devices can tunnel IPv6 packets to their final destination IPv6 or IPv4 host. The tunnel spans only the last segment of the path taken by the IPv6 packets.

Regardless of whether the tunnel starts at a host or a network device, the node that does the encapsulation needs to
maintain soft state information, such as the maximum transmission unit (MTU), about each tunnel in order to process the
IPv6 packets.

6in4 tunnel

The following tunnel configuration tunnels IPv6 traffic over an IPv4 network. An internal IPv6 interface can be configured
under config system interface.

To configure an IPv6 tunnel over IPv4:

config system sit-tunnel


edit <name>
set source <src_IPv4_address>
set destination <dst_IPv4_address>
set interface <src_interface>
set ip6 <tunnel_IPv6_address>
next
end

4in6 tunnel

Conversely, the following tunnel configuration tunnels IPv4 traffic over an IPv6 network.

To configure an IPv4 tunnel over IPv6:

config system ipv6-tunnel


edit <name>
set source <src_IPv6_address>
set destination <dst_IPv6_address>
set interface <src_interface>
next
end

The preceding configurations are not available in transparent mode.


IPv6 tunnel inherits MTU based on physical interface

The MTU of an IPv6 tunnel interface is calculated from the MTU of its parent interface minus headers.

Example

In this topology, FortiGate B and FortiGate D are connected over an IPv6 network. An IPv6 tunnel is formed, and IPv4
can be used over the IPv6 tunnel. The tunnel interface MTU is based on the physical interface MTU minus the IP and
TCP headers (40 bytes). On FortiGate B's physical interface port5, the MTU is set to 1320. The IPv6 tunnel is based on
port5, and its MTU value of 1280 is automatically calculated from the MTU value of its physical interface minus the
header. The same is true for port3 on FortiGate D.

To verify the MTU for the IPv6 tunnel on FortiGate B:

1. Configure port5:
config system interface
edit "port5"
set vdom "root"
set type physical
set snmp-index 7
config ipv6
set ip6-address 2000:172:16:202::1/64
set ip6-allowaccess ping
end
set mtu-override enable
set mtu 1320
next
end

2. Configure the IPv6 tunnel:


config system ipv6-tunnel
edit "B_2_D"
set source 2000:172:16:202::1
set destination 2000:172:16:202::2
set interface "port5"
next
end

3. Configure the tunnel interface:


config system interface
edit "B_2_D"
set vdom "root"
set ip 172.16.210.1 255.255.255.255
set allowaccess ping https http
set type tunnel
set remote-ip 172.16.210.2 255.255.255.255
set snmp-index 33
config ipv6
set ip6-address 2000:172:16:210::1/64
set ip6-allowaccess ping
config ip6-extra-addr
edit fe80::2222/10
next
end
end
set interface "port5"
next
end

4. Verify the interface lists:


# diagnose netlink interface list port5
if=port5 family=00 type=1 index=13 mtu=1320 link=0 master=0
ref=68 state=start present fw_flags=0 flags=up broadcast run multicast
Qdisc=mq hw_addr=**:**:**:**:**:** broadcast_addr=**:**:**:**:**:**
stat: rxp=1577 txp=1744 rxb=188890 txb=203948 rxe=0 txe=0 rxd=0 txd=0 mc=825 collision=0
@ time=1631647112
re: rxl=0 rxo=0 rxc=0 rxf=0 rxfi=0 rxm=0
te: txa=0 txc=0 txfi=0 txh=0 txw=0
misc rxc=0 txc=0
input_type=0 state=3 arp_entry=0 refcnt=68

# diagnose netlink interface list B_2_D


if=B_2_D family=00 type=769 index=41 mtu=1280 link=0 master=0
ref=25 state=start present fw_flags=0 flags=up p2p run noarp multicast
Qdisc=noqueue local=0.0.0.0 remote=0.0.0.0
stat: rxp=407 txp=417 rxb=66348 txb=65864 rxe=0 txe=61 rxd=0 txd=0 mc=0 collision=60 @
time=1631647126
re: rxl=0 rxo=0 rxc=0 rxf=0 rxfi=0 rxm=0
te: txa=0 txc=0 txfi=0 txh=0 txw=0
misc rxc=0 txc=0
input_type=0 state=3 arp_entry=0 refcnt=25

To verify the MTU for the IPv6 tunnel on FortiGate D:

1. Configure port3:
config system interface
edit "port3"
set vdom "root"
set type physical
set snmp-index 5
config ipv6
set ip6-address 2000:172:16:202::2/64
set ip6-allowaccess ping
end
set mtu-override enable
set mtu 1320
next
end


2. Configure the IPv6 tunnel:


config system ipv6-tunnel
edit "D_2_B"
set source 2000:172:16:202::2
set destination 2000:172:16:202::1
set interface "port3"
next
end

3. Configure the tunnel interface:


config system interface
edit "D_2_B"
set vdom "root"
set ip 172.16.210.2 255.255.255.255
set allowaccess ping https http
set type tunnel
set remote-ip 172.16.210.1 255.255.255.255
set snmp-index 36
config ipv6
set ip6-address 2000:172:16:210::2/64
set ip6-allowaccess ping
config ip6-extra-addr
edit fe80::4424/10
next
end
end
set interface "port3"
next
end

4. Verify the interface lists:


# diagnose netlink interface list port3

# diagnose netlink interface list D_2_B
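
The inheritance rule above (tunnel MTU = parent MTU minus the encapsulating header) can be checked mechanically from the diagnose netlink interface list output. The following Python script is an added example, not FortiOS or Fortinet code: it parses the mtu= field of each if= line, derives the expected tunnel MTU for the page's two tunnel types, and flags a mismatch or an MTU that would violate IPv6's 1280-byte minimum link MTU. The 40-byte figure is the one the page uses for config system ipv6-tunnel; the 20-byte IPv4 header overhead for config system sit-tunnel, and the assumption that FortiOS applies the same inheritance rule to it, are mine, as is the sample input, which is constructed from the FortiGate B listings above.

```python
"""Check a FortiOS tunnel interface MTU against its parent MTU minus encapsulation.

Added example, not FortiOS code: reads `diagnose netlink interface list` text.
"""
import re

# Outer-header overhead per FortiOS tunnel type (well-known header sizes).
# The page gives 40 bytes for the IPv6 tunnel; the 20-byte IPv4 figure for
# `config system sit-tunnel` is an assumption that FortiOS applies the same rule.
OVERHEAD = {
    "ipv6-tunnel": 40,  # IPv4 carried inside IPv6: one 40-byte IPv6 header
    "sit-tunnel": 20,   # IPv6 carried inside IPv4: one 20-byte IPv4 header
}
IPV6_MIN_MTU = 1280  # RFC 8200: any link carrying IPv6 must offer at least 1280 bytes

# The first line of `diagnose netlink interface list <name>` looks like
# "if=port5 family=00 type=1 index=13 mtu=1320 link=0 master=0"
IF_LINE_RE = re.compile(r"^if=(?P<name>\S+)\s.*?\bmtu=(?P<mtu>\d+)\b")

# Constructed sample: the opening lines of the two FortiGate B listings above.
NETLINK_SAMPLE = """\
if=port5 family=00 type=1 index=13 mtu=1320 link=0 master=0
ref=68 state=start present fw_flags=0 flags=up broadcast run multicast
if=B_2_D family=00 type=769 index=41 mtu=1280 link=0 master=0
ref=25 state=start present fw_flags=0 flags=up p2p run noarp multicast
"""


def parse_mtus(netlink_output: str) -> dict:
    """Return {interface_name: mtu} for every 'if=' line in the output."""
    mtus = {}
    for line in netlink_output.splitlines():
        if m := IF_LINE_RE.match(line.strip()):
            mtus[m["name"]] = int(m["mtu"])
    return mtus


def expected_tunnel_mtu(parent_mtu: int, tunnel_type: str) -> int:
    """Parent MTU minus the outer header the tunnel type adds."""
    return parent_mtu - OVERHEAD[tunnel_type]


def check_tunnel(netlink_output: str, parent: str, tunnel: str, tunnel_type: str) -> dict:
    """Compare the tunnel's actual MTU with the inherited value and flag problems."""
    mtus = parse_mtus(netlink_output)
    parent_mtu = mtus[parent]
    expected = expected_tunnel_mtu(parent_mtu, tunnel_type)
    actual = mtus[tunnel]
    issues = []
    if actual != expected:
        issues.append(f"{tunnel} mtu={actual} but {parent} mtu={parent_mtu} implies {expected}")
    # A 6in4 tunnel carries IPv6 itself, so the tunnel MTU must meet the IPv6 minimum;
    # a 4in6 tunnel's parent link carries IPv6, so the parent MTU must meet it.
    if tunnel_type == "sit-tunnel" and actual < IPV6_MIN_MTU:
        issues.append(f"{tunnel} mtu={actual} is below the IPv6 minimum of {IPV6_MIN_MTU}")
    if tunnel_type == "ipv6-tunnel" and parent_mtu < IPV6_MIN_MTU:
        issues.append(f"{parent} mtu={parent_mtu} is below the IPv6 minimum of {IPV6_MIN_MTU}")
    return {"parent_mtu": parent_mtu, "expected": expected, "actual": actual, "issues": issues}


if __name__ == "__main__":
    print(check_tunnel(NETLINK_SAMPLE, "port5", "B_2_D", "ipv6-tunnel"))
```

For the page's values the check returns expected 1280, actual 1280 and no issues. Running the same check after a change to the parent interface MTU shows immediately whether the tunnel interface picked up the new value or is now advertising an MTU the encapsulated path cannot carry.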

Configuring IPv4 over IPv6 DS-Lite service

IPv4 over IPv6 DS-Lite service can be configured on a virtual network enabler (VNE) tunnel. In addition, VNE tunnel
fixed IP mode supports username and password authentication.
config system vne-tunnel
set status enable
set mode {map-e | fixed-ip | ds-lite}
set ipv4-address <IPv4_address>
set br <IPv6_address or FQDN>
set http-username <string>
set http-password <password>
end

mode {map-e | fixed-ip | ds-lite}  Set the VNE tunnel mode:
  l map-e: MAP-E
  l fixed-ip: fixed IP
  l ds-lite: DS-Lite
ipv4-address <IPv4_address>  Enter the tunnel IPv4 address and netmask. This setting is optional.
br <IPv6_address or FQDN>  Enter the IPv6 address or FQDN of the border relay.
http-username <string>  Enter the HTTP authentication user name.
http-password <password>  Enter the HTTP authentication password.

DS-Lite allows applications that use IPv4 to access the internet over an IPv6 connection. DS-Lite is supported by internet
providers that do not have enough public IPv4 addresses for their customers, so DS-Lite is used for IPv6 internet connections.
When a DS-Lite internet connection is used, the FortiGate encapsulates all data from IPv4 applications into IPv6 packets. The
packets are then transmitted to the internet service provider over the IPv6 connection. Next, a dedicated server
unpacks the IPv6 packets and forwards the IPv4 data to the actual destination on the internet.

DS-Lite example

In this example, DS-Lite VNE tunnel mode is used between the FortiGate and the BR.

To configure a DS-Lite tunnel between the FortiGate and the BR:

1. Configure the IPv6 interface:


config system interface
edit "wan1"
set vdom "root"
set mode dhcp
set allowaccess ping fgfm
set type physical
set role wan
set snmp-index 1
config ipv6
set ip6-allowaccess ping
set dhcp6-information-request enable
set autoconf enable
set unique-autoconf-addr enable
end
next
end


2. Configure the VNE tunnel:


config system vne-tunnel
set status enable
set interface "wan1"
set ssl-certificate "Fortinet_Factory"
set auto-asic-offload enable
set ipv4-address 192.168.1.99 255.255.255.255
set br "dgw.xxxxx.jp"
set mode ds-lite
end

3. View the wan1 IPv6 configuration details:

config system interface


edit "wan1"
config ipv6
get
ip6-mode : static
nd-mode : basic
ip6-address : 2001:f70:2880:xxxx:xxxx:xxxx:fe39:ccd2/64
ip6-allowaccess : ping
icmp6-send-redirect : enable
ra-send-mtu : enable
ip6-reachable-time : 0
ip6-retrans-time : 0
ip6-hop-limit : 0
dhcp6-information-request: enable
cli-conn6-status : 1
vrrp-virtual-mac6 : disable
vrip6_link_local : ::
ip6-dns-server-override: enable
Acquired DNS1 : 2001:f70:2880:xxxx:xxxx:xxxx:fe40:9082
Acquired DNS2 : ::
ip6-extra-addr:
ip6-send-adv : disable
autoconf : enable
prefix : 2001:f70:2880:xxxx::/64
preferred-life-time : 942735360
valid-life-time : 1077411840
unique-autoconf-addr: enable
interface-identifier: ::
dhcp6-relay-service : disable
end
next
end

4. Verify the IPv6 address list:

# diagnose ipv6 address list


dev=5 devname=wan1 flag= scope=0 prefix=64 addr=2001:f70:2880:xxxx:xxxx:xxxx:fe39:ccd2
preferred=11525 valid=13325 cstamp=6520 tstamp=6892
dev=5 devname=wan1 flag=P scope=253 prefix=64 addr=fe80::xxxx:xxxx:fe39:ccd2
preferred=4294967295 valid=4294967295 cstamp=6373 tstamp=6373
dev=18 devname=root flag=P scope=254 prefix=128 addr=::1 preferred=4294967295
valid=4294967295 cstamp=3531 tstamp=3531
dev=25 devname=vsys_ha flag=P scope=254 prefix=128 addr=::1 preferred=4294967295
valid=4294967295 cstamp=5604 tstamp=5604
dev=27 devname=vsys_fgfm flag=P scope=254 prefix=128 addr=::1 preferred=4294967295
valid=4294967295 cstamp=6377 tstamp=6377

5. Test the tunnel connection by pinging the Google public DNS IPv6 address:

# execute ping6 2001:4860:4860::8888


PING 2001:4860:4860::8888(2001:4860:4860::8888) 56 data bytes
64 bytes from 2001:4860:4860::8888: icmp_seq=1 ttl=114 time=6.89 ms
64 bytes from 2001:4860:4860::8888: icmp_seq=2 ttl=114 time=3.39 ms
64 bytes from 2001:4860:4860::8888: icmp_seq=3 ttl=114 time=3.46 ms
64 bytes from 2001:4860:4860::8888: icmp_seq=4 ttl=114 time=3.34 ms
64 bytes from 2001:4860:4860::8888: icmp_seq=5 ttl=114 time=3.39 ms
--- 2001:4860:4860::8888 ping statistics ---
5 packets transmitted, 5 packets received, 0% packet loss, time 4079ms
rtt min/avg/max/mdev = 3.340/4.097/6.895/1.400 ms

Fixed IP mode example

In this example, fixed IP VNE tunnel mode with HTTP authentication is used between the FortiGate and the BR.

To configure a fixed IP mode with HTTP authentication between the FortiGate and the BR:

1. Configure the IPv6 interface:


config system interface
edit "wan1"
set vdom "root"
set mode dhcp
set allowaccess ping fgfm
set type physical
set role wan
set snmp-index 1
config ipv6
set ip6-allowaccess ping
set dhcp6-information-request enable
set autoconf enable
end
next
end

2. Configure the VNE tunnel:


config system vne-tunnel
set status enable
set interface "wan1"
set ipv4-address 120.51.xxx.xxx1 255.255.255.255
set br "2001:f60:xxxx:xxxx::1"
set update-url "https://ddnsweb1.ddns.xxxxxx.jp/cgi-bin/ddns_
api.cgi?d=xxxxxx.v4v6.xxxxx.jp&p=**********&a=[IP6]&u=xxxxxx.v4v6.xxxxx.jp"
set mode fixed-ip
set http-username "laptop-1"
set http-password **********
end

3. Verify the wan1 IPv6 configuration details:


config system interface
edit "wan1"
config ipv6
get
....

4. Verify the VNE daemon:

# diagnose test application vned 1


----------------------------------------------------------------------------
vdom: root/0, is master, devname=wan1 link=0 tun=vne.root mode=fixed-ip ssl_
cert=Fortinet_Factory
end user ipv6 perfix: 2001:f70:2880:xxxx::/64
interface ipv6 addr: 2001:f70:2880:xxxx:xxxx:xxxx:fe39:ccd2
config ipv4 perfix: 120.51.xxx.xxx1/255.255.255.255
config br: 2001:f60:xxxx:xxxx::1
HTTP username: laptop-1
update url: https://ddnsweb1.ddns.xxxxxx.jp/cgi-bin/ddns_
api.cgi?d=xxxxxx.v4v6.xxxxx.jp&p=**********&a=[IP6]&u=xxxxxx.v4v6.xxxxx.jp
host: ddnsweb1.ddns.xxxxxx.jp path: /cgi-bin/ddns_
api.cgi?d=xxxxxx.v4v6.xxxxx.jp&p=**********&a=[IP6]&u=xxxxxx.v4v6.xxxxx.jp port:443 ssl:
1
tunnel br: 2001:f60:xxxx:xxxx::1
tunnel ipv6 addr: 2001:f70:2880:xxxx:xxxx:xxxx:fe39:ccd2
tunnel ipv4 addr: 120.51.xxx.xxx1/255.255.255.255
update result: <H1>DDNS API</H1><HR><H2>* Query parameter check :
OK</H2>FQDN=xxxxxx.v4v6.xxxxx.jp<BR>Password=**********<BR>IPv6=2001:f70:2880:xxxx:xxxx:
xxxx:fe39:ccd2<BR>UID=xxxxxx.v4v6.xxxxx.jp<BR>Address=2001:f70:2880:xxxx:xxxx:xxxx:fe39:
ccd2<BR><H2>* routerinfo check : OK</H2><H2>* records check : OK</H2><H2>* routerinfo
update : OK</H2><H2>* records update : OK</H2><H2>* DDNS API update : Success [2022-01-
18 18:37:58 1642498678]</H2>
Fixed IP rule client: state=succeed retries=0 interval=0 expiry=0 reply_code=0
fqdn=2001:f60:xxxx:xxxx::1 num=1 cur=0 ttl=4294967295 expiry=0
2001:f60:xxxx:xxxx::1
Fixed IP DDNS client: state=succeed retries=0 interval=10 expiry=0 reply_code=200
fqdn=ddnsweb1.ddns.xxxxxx.jp num=1 cur=0 ttl=6 expiry=0
2001:f61:0:2a::18

5. Test the tunnel connection by pinging the Google public DNS IPv4 and IPv6 addresses:

# execute ping 8.8.8.8


PING 8.8.8.8 (8.8.8.8): 56 data bytes
64 bytes from 8.8.8.8: icmp_seq=0 ttl=119 time=3.7 ms
64 bytes from 8.8.8.8: icmp_seq=1 ttl=119 time=3.6 ms
64 bytes from 8.8.8.8: icmp_seq=2 ttl=119 time=3.6 ms
64 bytes from 8.8.8.8: icmp_seq=3 ttl=119 time=3.6 ms
64 bytes from 8.8.8.8: icmp_seq=4 ttl=119 time=3.5 ms
--- 8.8.8.8 ping statistics ---
5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max = 3.5/3.6/3.7 ms

# execute ping6 2001:4860:4860::8888


PING 2001:4860:4860::8888(2001:4860:4860::8888) 56 data bytes
64 bytes from 2001:4860:4860::8888: icmp_seq=1 ttl=114 time=6.99 ms
64 bytes from 2001:4860:4860::8888: icmp_seq=2 ttl=114 time=3.61 ms
64 bytes from 2001:4860:4860::8888: icmp_seq=3 ttl=114 time=3.34 ms
64 bytes from 2001:4860:4860::8888: icmp_seq=4 ttl=114 time=3.27 ms
64 bytes from 2001:4860:4860::8888: icmp_seq=5 ttl=114 time=3.75 ms
--- 2001:4860:4860::8888 ping statistics ---
5 packets transmitted, 5 packets received, 0% packet loss, time 4039ms
rtt min/avg/max/mdev = 3.276/4.195/6.992/1.409 ms

FortiGate LAN extension

LAN extension mode allows a remote FortiGate to provide remote connectivity to a local FortiGate over a backhaul
connection.
The remote FortiGate, called the FortiGate Connector, discovers the local FortiGate, called the FortiGate Controller, and
forms one or more IPsec tunnels back to the FortiGate Controller. A VXLAN is established over the IPsec tunnels
creating an L2 network between the FortiGate Controller and the network behind the FortiGate Connector.

In this example, the Controller provides secure internet access to the remote network behind the Connector. The
Controller has two WAN connections: an inbound backhaul connection and an outbound internet connection. The
Connector has two wired WAN/uplink ports that are connected to the internet.
After the Connector discovers the Controller and is authorized by the Controller, the Controller pushes a FortiGate LAN
extension profile to the Connector. The Connector uses the profile configurations to form two IPsec tunnels back to the
Controller. Additional VXLAN aggregate interfaces are automatically configured to create an L2 network between the
Connector LAN port and a virtual LAN extension interface on the Controller. Clients behind the Connector can then
connect to the internet through the Controller that is securing the internet connection.


To discover and authorize the FortiGate Controller:

1. On the FortiGate Controller:


a. Enable security fabric connections on port3 to allow the Connector to connect over CAPWAP:
config system interface
edit "port3"
set vdom "root"
set ip 1.1.1.10 255.255.255.0
set allowaccess fabric ping
next
end

2. On the FortiGate Connector:


a. Set the VDOM type to LAN extension, making the VDOM act as a FortiExtender in LAN extension mode, and
add the Controller IP address:
config vdom
edit lan-ext
config system settings
set vdom-type lan-extension
set lan-extension-controller-addr "1.1.1.10"
set ike-port 4500
end
next
end

b. Configure port1 and port2 to access the Controller:


config system interface
edit "port1"
set vdom "lan-ext"
set ip 5.5.5.1 255.255.255.0
set allowaccess ping fabric
set type physical
set lldp-reception enable
set role wan
next
edit "port2"
set vdom "lan-ext"
set ip 6.6.6.1 255.255.255.0
set allowaccess ping fabric
set type physical
set lldp-reception enable
set role wan
next
end

3. On the FortiGate Controller:


a. Extension controller configurations are automatically initialized:
config extension-controller fortigate-profile
edit "FGCONN-lanext-default"
set id 0
config lan-extension
set ipsec-tunnel "fg-ipsec-XdSpij"
set backhaul-interface "port3"
end
next
end

config extension-controller fortigate


edit "FGT60E0000000001"
set id "FG5H1E0000000001"
set device-id 0
set profile "FGCONN-lanext-default"
next
end

b. Enable FortiGate administration to authorize the Connector:


config extension-controller fortigate
edit "FGT60E0000000001"
set authorized enable
next
end

4. After the FortiGate Connector has been authorized, the Controller pushes the IPsec tunnel configuration to the
Connector, forcing it to establish the tunnel and form the VXLAN mechanism.


The VXLANs are built on the IPsec tunnels between the Connector and Controller. The VXLAN interfaces are
aggregated for load balancing and redundancy. A softswitch combines the aggregate interface with the local LAN
ports, allowing the LAN ports to be part of the VXLAN. This combines the local LAN ports with the virtual LAN
extension interface on the FortiGate Controller.
a. The Connector receives the IPsec configurations from the Controller, and creates tunnels for each uplink:
config vpn ipsec phase1-interface
edit "ul-port1"
set interface "port1"
set ike-version 2
set peertype any
set net-device disable
set proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1
set localid "peerid-T4YLv2rp62SU6JhoCPIv02MzjLtS7P5HlxRER1Qpi6O9ZsAsbPSpvoiE"
set dpd on-idle
set comments "[FGCONN] Do NOT edit. Automatically generated by extension
controller."
set remote-gw 1.1.1.10
set psksecret ******
next
edit "ul-port2"
set interface "port2"
set ike-version 2
set peertype any
set net-device disable
set proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1
set localid "peerid-T4YLv2rp62SU6JhoCPIv02MzjLtS7P5HlxRER1Qpi6O9ZsAsbPSpvoiE"
set dpd on-idle
set comments "[FGCONN] Do NOT edit. Automatically generated by extension
controller."
set remote-gw 1.1.1.10
set psksecret ******
next
end

b. VXLAN interfaces are formed over each tunnel:


config system vxlan
edit "vx-port1"
set interface "ul-port1"
set vni 1
set dstport 9999
set remote-ip "10.252.0.1"
next
edit "vx-port2"
set interface "ul-port2"
set vni 1
set dstport 9999
set remote-ip "10.252.0.1"
next
end

c. An aggregate interface is configured to load balance between the two VXLAN interfaces, using the source
MAC and providing link redundancy:
config system interface
edit "le-agg-link"
set vdom "lan-ext"
set type aggregate
set member "vx-port1" "vx-port2"
set snmp-index 35
set lacp-mode static
set algorithm Source-MAC
next
end

d. The softswitch bridges the aggregate interface and the local LAN to connect the LAN to the VXLAN bridged L2
network that goes to the FortiGate LAN extension interface:
config system switch-interface
edit "le-switch"
set vdom "lan-ext"
set member "le-agg-link" "lan"
next
end

e. After the IPsec tunnel is set up and the VXLAN is created over the tunnel, the LAN extension interface is
automatically created on the Controller:
config system interface
edit "FGT60E0000000001"
set vdom "root"
set ip 192.168.0.254 255.255.255.0
set allowaccess ping ssh
set type lan-extension
set role lan
set snmp-index 27
set ip-managed-by-fortiipam enable
set interface "fg-ipsec-XdSpij"
next
end

To configure the LAN extension interface and firewall policy on the FortiGate Controller:

1. Set the IP address and netmask of the LAN extension interface:


config system interface
edit "FGT60E0000000001"
set ip 9.9.9.99 255.255.255.0
set ip-managed-by-fortiipam enable
next
end

Devices on the remote LAN network will use this as their gateway.
2. Optionally, enable DHCP on the interface to assign IP addresses to the remote devices:
config system dhcp server
edit 3
set dns-service default
set default-gateway 9.9.9.99
set netmask 255.255.255.0
set interface "FGT60E0000000001"
config ip-range
edit 1
set start-ip 9.9.9.100
set end-ip 9.9.9.254
next
end
set dhcp-settings-from-fortiipam enable
config exclude-range
edit 1
set start-ip 9.9.9.254
set end-ip 9.9.9.254
next
end
next
end

3. Configure the firewall policy to allow traffic from the LAN extension interface to the WAN interface (port1):
config firewall policy
edit "lan-ext"
set name "qsaf"
set srcintf "FGT60E0000000001"
set dstintf "port1"
set action accept
set srcaddr "all"
set dstaddr "all"
set schedule "always"
set service "ALL"
set nat enable
next
end

Optionally, security profiles and other settings can be configured.

The policy allows remote LAN clients to access the internet through the backhaul channel. Clients in the remote
LAN behind the Connector receive an IP address over DHCP and access the internet securely through the
Controller.

Diagnostics

Administrators can use the Diagnostics page to access the following tools:

Capture packet Captures packet streams in real-time to let you view header and payload information. See
Using the packet capture tool on page 505.

Debug flow Traces packet flow through FortiOS to help you diagnose and debug issues. See Using the
debug flow tool on page 509.

See also Performing a sniffer trace or packet capture on page 2797 and Debugging the packet flow on page 2798.

Using the packet capture tool

Administrators can use the packet capture tool to select a packet and view its header and payload information in real
time. Once the capture is complete, packets can be filtered by various fields or through the search bar. The capture can be
saved as a PCAP file that you can use with a third-party application, such as Wireshark, for further analysis.


Recent capture criteria are saved after the packet capture, and you can select and reuse the same criteria.
For information about running a packet capture in the CLI, see Performing a sniffer trace or packet capture on page
2797.

To use the packet capture tool in the GUI:

1. Go to Network > Diagnostics and select the Packet Capture tab.


2. Optionally, select an Interface (any is the default).
3. Optionally, enable Filters and select a Filtering syntax:
a. Basic: enter criteria for the Host, Port, and Protocol number.

b. Advanced: enter a string, such as src host 172.16.200.254 and dst host 172.16.200.1 and dst port 443.

4. Click Start capture. The capture is visible in real-time.


5. While the capture is running, select a packet, then click the Headers or Packet Data tabs to view more information.


6. When the capture is finished, click Save as pcap. The PCAP file is automatically downloaded.

7. Optionally, use the Search bar or the column headers to filter the results further.
The packet capture history is listed under Recent Capture Criteria on the right side of the screen. Clicking a
hyperlink returns you to the main page with the interface and filter settings already populated.


For more granular sniffer output with various verbose settings, use diagnose sniffer
packet <interface> <'filter'> <verbose> <count> <tsformat>. See
Performing a sniffer trace or packet capture on page 2797.

To use recent capture criteria:

1. Go to Network > Diagnostics and select the Packet Capture tab.


2. Under Recent Capture Criteria, click one of the saved capture criteria. The criteria populate the fields.
3. Click Start Capture.

Using the debug flow tool

Administrators can use the debug flow tool to display debug flow output in real-time until it is stopped. The completed
output can be filtered by time, message, or function. The output can be exported as a CSV file.
For information about using the debug flow tool in the CLI, see Debugging the packet flow on page 2798.

To run a debug flow:

1. Go to Network > Diagnostics and select the Debug Flow tab.


2. Optionally, enable Filters and select a Filter type:
a. Basic: filter by IP address, Port, and Protocol, which is the equivalent of:
l # diagnose debug flow filter addr <addr/range>
l # diagnose debug flow filter port <port/range>
l # diagnose debug flow filter proto <protocol>
b. Advanced: filter by Source IP, Source port, Destination IP, Destination port, and Protocol, which is the
equivalent of:
l # diagnose debug flow filter saddr <addr/range>
l # diagnose debug flow filter sport <port/range>
l # diagnose debug flow filter daddr <addr/range>
l # diagnose debug flow filter dport <port/range>
l # diagnose debug flow filter proto <protocol>
3. Click Start debug flow. The debug messages are visible in real-time.

4. When the debug flow is finished (or you click Stop debug flow), click Save as CSV. The CSV file is automatically
downloaded.

The current output can be filtered by Time and Message. The Function field can be added.
5. Hover over the table header and click the gear icon (Configure Table).
6. Select Function and click Apply. The Function column is displayed and can be used to filter the output for further
analysis.

SD-WAN

The following topics provide information about SD-WAN:


l SD-WAN overview on page 514
l SD-WAN quick start on page 518
l SD-WAN zones on page 528
l Performance SLA on page 537
l SD-WAN rules on page 576
l Advanced routing on page 637
l VPN overlay on page 667
l Advanced configuration on page 724
l SD-WAN cloud on-ramp on page 759
l Troubleshooting SD-WAN on page 780

SD-WAN overview

SD-WAN is a software-defined approach to managing Wide-Area Networks (WAN). It consolidates the physical
transport connections, or underlays, and monitors and load-balances traffic across the links. VPN overlay networks can
be built on top of the underlays to control traffic across different sites.
Health checks and SD-WAN rules define the expected performance and business priorities, allowing the FortiGate to
automatically and intelligently route traffic based on the application, internet service, or health of a particular connection.
WAN security and intelligence can be extended into the LAN by incorporating wired and wireless networks under the
same domain. FortiSwitch and FortiAP devices integrate seamlessly with the FortiGate to form the foundation of an
SD-Branch.
Some of the key benefits of SD-WAN include:
l Reduced cost with transport independence across MPLS, 4G/5G LTE, and others.
l Reduced complexity with a single vendor and single-pane-of-glass management.
l Improved business application performance thanks to increased availability and agility.
l Optimized user experience and efficiency with SaaS and public cloud applications.

SD-WAN components and design principles

SD-WAN can be broken down into three layers:


l Management and orchestration
l Control, data plane, and security
l Network access

The control, data plane, and security layer can only be deployed on a FortiGate. The other two layers can help to scale
and enhance the solution. For large deployments, FortiManager and FortiAnalyzer provide the management and
orchestration capabilities, and FortiSwitch and FortiAP provide the components to deploy an SD-Branch.

Layer                              Functions                                                 Devices

Management and orchestration       l Unified management                                      FortiManager
                                   l Template based solution                                 FortiAnalyzer
                                   l Zero touch provisioning
                                   l Logging, monitoring, and analysis
                                   l Automated orchestration using the REST API

Control, data plane, and security  l Consolidation of underlays and overlays into            FortiGate
                                     SD-WAN zones (Underlay and Overlay)
                                   l Scalable VPN solutions using ADVPN (Overlay)
                                   l Static and dynamic routing definition (Routing)
                                   l NGFW firewalling (Security)
                                   l SD-WAN health-checks and monitoring (SD-WAN)
                                   l Application-aware steering and intelligence (SD-WAN)

Network access                     l Wired and wireless network segmentation                 FortiSwitch
                                   l Built-in network access control                         FortiAP

Design principles

The Five-pillar approach, described in the SD-WAN / SD-Branch Architecture for MSSPs guide, is recommended when
designing a secure SD-WAN solution.

Underlay

Determine the WAN links that will be used for the underlay network, such as your broadband link, MPLS, 4G/5G LTE
connection, and others.
For each link, determine the bandwidth, quality and reliability (packet loss, latency, and jitter), and cost. Use this
information to determine which link to prefer and what type of traffic to send across each link, and to help you set the
baselines for health-checks.

Overlay

VPN overlays are needed when traffic must travel across multiple sites. These are usually site-to-site IPsec tunnels that
interconnect branches, datacenters, and the cloud, forming a hub-and-spoke topology.
The management and maintenance of the tunnels should be considered when determining the overlay network
requirements. Manual tunnel configuration might be sufficient in a small environment, but could become unmanageable
as the environment size increases. ADVPN can be used to help scale the solution; see ADVPN on page 1587 for more
information.

Routing

Traditional routing designs manipulate routes to steer traffic to different links. SD-WAN uses traditional routing to build
the basic routing table to reach different destinations, but uses SD-WAN rules to steer traffic. This allows the steering to
be based on criteria such as destination, internet service, application, route tag, and the health of the link. Routing in an
SD-WAN solution is used to identify all possible routes across the underlays and overlays, which the FortiGate balances
using ECMP.
In the most basic configuration, static gateways that are configured on an SD-WAN member interface automatically
provide the basic routing needed for the FortiGate to balance traffic across the links. As the number of sites and
destinations increases, manually maintaining routes to each destination becomes difficult. Using dynamic routing to
advertise routes across overlay tunnels should be considered when you have many sites to interconnect.

Security

Security involves defining policies for access control and applying the appropriate protection using the FortiGate's
NGFW features. Efficiently grouping SD-WAN members into SD-WAN zones must also be considered. Typically,
underlays provide direct internet access and overlays provide remote internet or network access. Grouping the
underlays together into one zone, and the overlays into one or more zones could be an effective method.

SD-WAN

The SD-WAN pillar is the intelligence that is applied to traffic steering decisions. It comprises four primary elements:
l SD-WAN zones
SD-WAN is divided into zones. SD-WAN member interfaces are assigned to zones, and zones are used in policies
as source and destination interfaces. You can define multiple zones to group SD-WAN interfaces together, allowing
logical groupings for overlay and underlay interfaces. Routing can be configured per zone.
See SD-WAN zones on page 528.
l SD-WAN members
Also called interfaces, SD-WAN members are the ports and interfaces that are used to run traffic. At least one
interface must be configured for SD-WAN to function.
See Configuring the SD-WAN interface on page 519.
l Performance SLAs
Also called health-checks, performance SLAs are used to monitor member interface link quality, and to detect link
failures. When the SLA falls below a configured threshold, the route can be removed, and traffic can be steered to
different links in the SD-WAN rule.
SLA health-checks use active or passive probing:

l Active probing requires manually defining the server to be probed, and generates consistent probing traffic.
l Passive probing uses active sessions that are passing through firewall policies used by the related SD-WAN
interfaces to derive health measurements. It reduces the amount of configuration, and eliminates probing
traffic. See Passive WAN health measurement on page 547 for details.
See Performance SLA on page 537.
l SD-WAN rules
Also called services, SD-WAN rules control path selection. Specific traffic can be dynamically sent to the best link,
or use a specific route.
Rules control the strategy that the FortiGate uses when selecting the outbound traffic interface, the SLAs that are
monitored when selecting the outgoing interface, and the criteria for selecting the traffic that adheres to the rule.
When no SD-WAN rules match the traffic, the implicit rule applies.
See SD-WAN rules on page 576.

SD-WAN designs and architectures

The core functionalities of Fortinet's SD-WAN solution are built into the FortiGate. Whether the environment contains
one FortiGate, or one hundred, you can use SD-WAN by enabling it on the individual FortiGates.
At a basic level, SD-WAN can be deployed on a single device in a single site environment:

At a more advanced level, SD-WAN can be deployed in a multi-site, hub and spoke environment:

At an enterprise or MSSP level, the network can include multiple hubs, possibly across multiple regions:

For more details, see the SD-WAN / SD-Branch Architecture for MSSPs guide.

SD-WAN quick start

This section provides an example of how to start using SD-WAN for load balancing and redundancy.
In this example, two ISP internet connections, wan1 (DHCP) and wan2 (static), use SD-WAN to balance traffic between
them at 50% each.

1. Configuring the SD-WAN interface on page 519


2. Adding a static route on page 520
3. Selecting the implicit SD-WAN algorithm on page 520
4. Configuring firewall policies for SD-WAN on page 521
5. Link monitoring and failover on page 521
6. Results on page 523
7. Configuring SD-WAN in the CLI on page 526

Configuring the SD-WAN interface

First, SD-WAN must be enabled and member interfaces must be selected and added to a zone. The selected FortiGate
interfaces can be of any type (physical, aggregate, VLAN, IPsec, and others), but must be removed from any other
configurations on the FortiGate.
In this step, two interfaces are configured and added to the default SD-WAN zone (virtual-wan-link) as SD-WAN member
interfaces. This example uses a mix of static and dynamic IP addresses; your deployment could also use only one or the
other.
Once the SD-WAN members are created and added to a zone, the zone can be used in firewall policies, and the whole
SD-WAN can be used in static routes.

To configure SD-WAN members:

1. Configure the wan1 and wan2 interfaces. See Interface settings on page 143 for details.
a. Set the wan1 interface Addressing mode to DHCP and Distance to 10.

By default, a DHCP interface has a distance of 5, and a static route has a distance of
10. It is important to account for this when configuring your SD-WAN for 50/50 load
balancing by setting the DHCP interface's distance to 10.

b. Set the wan2 interface IP/Netmask to 10.100.20.1 255.255.255.0.


2. Go to Network > SD-WAN, select the SD-WAN Zones tab, and click Create New > SD-WAN Member.
3. Set the Interface to wan1.
4. Leave SD-WAN Zone as virtual-wan-link.
5. As wan1 uses DHCP, leave Gateway set to 0.0.0.0.
If IPv6 visibility is enabled in the GUI, an IPv6 gateway can also be added for each member. See Feature visibility
on page 2269 for details.
6. Leave Cost as 0.
The Cost field is used by the Lowest Cost (SLA) strategy. The link with the lowest cost is chosen to pass traffic. The
lowest possible Cost is 0.

7. Set Status to Enable, and click OK.

8. Repeat the above steps for wan2, setting Gateway to the ISP's gateway: 10.100.20.2.

Adding a static route

You must configure a default route for the SD-WAN. The default gateways for each SD-WAN member interface do not
need to be defined in the static routes table. FortiGate will decide what route or routes are preferred using Equal Cost
Multi-Path (ECMP) based on distance and priority.

To create a static route for SD-WAN:

1. Go to Network > Static Routes.


2. Click Create New. The New Static Route page opens.
3. Set Destination to Subnet, and leave the IP address and subnet mask as 0.0.0.0/0.0.0.0.
4. In the Interface field select an SD-WAN zone.

5. Ensure that Status is Enabled.


6. Click OK.

Selecting the implicit SD-WAN algorithm

SD-WAN rules define specific routing options to route traffic to an SD-WAN member.
If no routing rules are defined, the default Implicit rule is used. It can be configured to use one of five different load
balancing algorithms. See Implicit rule on page 584 for more details and examples.
This example shows four methods to equally balance traffic between the two WAN connections. Go to Network > SD-
WAN, select the SD-WAN Rules tab, and edit the sd-wan rule to select the method that is appropriate for your
requirements.
l Source IP (CLI command: source-ip-based):
Select this option to balance traffic equally between the SD-WAN members according to a hash algorithm based on
the source IP addresses.

l Session (weight-based):
Select this option to balance traffic equally between the SD-WAN members according to the ratio of session counts
among its members. Use weight 50 for each of the two members.
l Source-Destination IP (source-dest-ip-based):
Select this option to balance traffic equally between the SD-WAN members according to a hash algorithm based on
the source and destination IP addresses.
l Volume (measured-volume-based):
Select this option to balance traffic equally between the SD-WAN members according to the bandwidth ratio among
its members.

Configuring firewall policies for SD-WAN

SD-WAN zones can be used in policies as source and destination interfaces. Individual SD-WAN members cannot be
used in policies.
You must configure a policy that allows traffic from your organization's internal network to the SD-WAN zone. Policies
configured with the SD-WAN zone apply to all SD-WAN interface members in that zone.

To create a firewall policy for SD-WAN:

1. Go to Policy & Objects > Firewall Policy.


2. Click Create New. The New Policy page opens.
3. Configure the following:

Name Enter a name for the policy.

Incoming Interface internal

Outgoing Interface virtual-wan-link

Source all

Destination all

Schedule always

Service ALL

Action ACCEPT

Firewall / Network Options Enable NAT and set IP Pool Configuration to Use Outgoing Interface Address.

Security Profiles Apply profiles as required.

Logging Options Enable Log Allowed Traffic and select All Sessions. This allows you to verify
results later.

4. Enable the policy, then click OK.

Link monitoring and failover

Performance SLA link monitoring measures the health of links that are connected to SD-WAN member interfaces by
sending probing signals through each link to a server, and then measuring the link quality based on latency, jitter, and
packet loss. If a link is broken, the routes on that link are removed and traffic is routed through other links. When the link
is working again, the routes are re-enabled. This prevents traffic being sent to a broken link and lost.

In this example, the detection server IP address is 208.91.112.53. A performance SLA is created so that, if ping fails per
the metrics defined, the routes to that interface are removed and traffic is detoured to the other interface. The ping
protocol is used, but other protocols could also be selected as required.

To configure a performance SLA:

1. Go to Network > SD-WAN, select the Performance SLAs tab, and click Create New.
2. Enter a name for the SLA and set Protocol to Ping.
3. In the Server field, enter the detection server IP address (208.91.112.53 in this example).
4. In the Participants field, select Specify and add wan1 and wan2.

SLA targets are not required for link monitoring.


5. Configure the required metrics in Link Status.
6. Ensure that Update static route is enabled. This disables static routes for the inactive interface and restores routes
on recovery.
7. Click OK.

Results

The following GUI pages show the function of the SD-WAN and can be used to confirm that it is set up and running
correctly:
l Interface usage on page 523
l Performance SLA on page 524
l Routing table on page 525
l Firewall policy on page 526

Interface usage

Go to Network > SD-WAN and select the SD-WAN Zones tab to review the SD-WAN interfaces' usage.

Bandwidth

Select Bandwidth to view the amount of downloaded and uploaded data for each interface.

Volume

Select Volume to see donut charts of the received and sent bytes on the interfaces.

Sessions

Select Sessions to see a donut chart of the number of active sessions on each interface.

Performance SLA

Go to Network > SD-WAN, select the Performance SLAs tab, and select the SLA from the table (server in this example)
to view the packet loss, latency, and jitter measured on each SD-WAN member against the health check server.

Packet loss

Select Packet Loss to see the percentage of packets lost for each member.

Latency

Select Latency to see the current latency, in milliseconds, for each member.

Jitter

Select Jitter to see the jitter, in milliseconds, for each member.

Routing table

Go to Dashboard > Network, expand the Routing widget, and select Static & Dynamic to review all static and dynamic
routes. For more information about the widget, see Static & Dynamic Routing monitor on page 95.

Firewall policy

Go to Policy & Objects > Firewall Policy to review the SD-WAN policy.

Configuring SD-WAN in the CLI

This example can be entirely configured using the CLI.

To configure SD-WAN in the CLI:

1. Configure the wan1 and wan2 interfaces:


config system interface
    edit "wan1"
        set alias to_ISP1
        set mode dhcp
        set distance 10
    next
    edit "wan2"
        set alias to_ISP2
        set ip 10.100.20.1 255.255.255.0
    next
end

2. Enable SD-WAN and add the interfaces as members:


config system sdwan
    set status enable
    config members
        edit 1
            set interface "wan1"
        next
        edit 2
            set interface "wan2"
            set gateway 10.100.20.2
        next
    end
end

If no SD-WAN zone is specified, members are added to the default virtual-wan-link zone.

3. Create a static route for SD-WAN:


config router static
    edit 1
        set sdwan-zone "virtual-wan-link"
    next
end

4. Select the implicit SD-WAN algorithm:


config system sdwan
    set load-balance-mode {source-ip-based | weight-based | source-dest-ip-based | measured-volume-based}
end

5. Create a firewall policy for SD-WAN:


config firewall policy
    edit <policy_id>
        set name <policy_name>
        set srcintf "internal"
        set dstintf "virtual-wan-link"
        set srcaddr all
        set dstaddr all
        set action accept
        set schedule always
        set service ALL
        set utm-status enable
        set ssl-ssh-profile <profile_name>
        set av-profile <profile_name>
        set webfilter-profile <profile_name>
        set dnsfilter-profile <profile_name>
        set emailfilter-profile <profile_name>
        set ips-sensor <sensor_name>
        set application-list <app_list>
        set voip-profile <profile_name>
        set logtraffic all
        set nat enable
        set status enable
    next
end

6. Configure a performance SLA:


config system sdwan
    config health-check
        edit "server"
            set server "208.91.112.53"
            set update-static-route enable
            set members 1 2
        next
    end
end

Results

To view the routing table:

# get router info routing-table all
Routing table for VRF=0
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
       O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default

S*      0.0.0.0/0 [1/0] via 172.16.20.2, wan1
                  [1/0] via 10.100.20.2, wan2
C       10.100.20.0/24 is directly connected, wan2
C       172.16.20.2/24 is directly connected, wan1
C       192.168.0.0/24 is directly connected, internal

To diagnose the Performance SLA status:

FGT # diagnose sys sdwan health-check
Health Check(server):
Seq(1): state(alive), packet-loss(0.000%) latency(15.247), jitter(5.231) sla_map=0x0
Seq(2): state(alive), packet-loss(0.000%) latency(13.621), jitter(6.905) sla_map=0x0
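The following parser is an added example, not part of this guide or of FortiOS: it turns the diagnose sys sdwan health-check output above into structured records, lists which members are alive, and flags members that are dead or outside caller-supplied loss, latency and jitter thresholds (the same comparison an SLA target performs). Only the two server lines come from the output above; the isp-dns health check and its dead member in the sample are constructed, and the thresholds are assumptions chosen for the example.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Line shapes taken from the 'diagnose sys sdwan health-check' output shown above.
_HEADER = re.compile(r"^Health Check\((?P<name>[^)]*)\):\s*$")
_MEMBER = re.compile(
    r"^\s*Seq\((?P<seq>\d+)\):\s*state\((?P<state>\w+)\),\s*"
    r"packet-loss\((?P<loss>[\d.]+)%\)\s*latency\((?P<latency>[\d.]+)\),\s*"
    r"jitter\((?P<jitter>[\d.]+)\)\s*sla_map=(?P<sla_map>0x[0-9a-fA-F]+)\s*$"
)


@dataclass
class MemberHealth:
    seq: int            # SD-WAN member sequence number (config members > edit <seq>)
    state: str          # "alive" or "dead"
    packet_loss: float  # percent
    latency: float      # milliseconds
    jitter: float       # milliseconds
    sla_map: int        # bitmap of SLA targets currently met (0x0 when none are defined)


def parse_health_check(output: str) -> Dict[str, List[MemberHealth]]:
    """Parse the CLI output into {health_check_name: [MemberHealth, ...]}.

    Lines matching neither shape (prompts, blank lines) are ignored, so the
    parser tolerates the surrounding text of a pasted CLI session.
    """
    checks: Dict[str, List[MemberHealth]] = {}
    current: Optional[str] = None
    for line in output.splitlines():
        header = _HEADER.match(line)
        if header:
            current = header.group("name")
            checks.setdefault(current, [])
            continue
        member = _MEMBER.match(line)
        if member and current is not None:
            checks[current].append(MemberHealth(
                seq=int(member.group("seq")),
                state=member.group("state"),
                packet_loss=float(member.group("loss")),
                latency=float(member.group("latency")),
                jitter=float(member.group("jitter")),
                sla_map=int(member.group("sla_map"), 16),
            ))
    return checks


def alive_members(members: List[MemberHealth]) -> List[int]:
    """Sequence numbers of members whose probes are answered (their routes are kept)."""
    return [m.seq for m in members if m.state == "alive"]


def flagged_members(members: List[MemberHealth], max_loss: float,
                    max_latency: float, max_jitter: float) -> List[int]:
    """Members that are dead or exceed any threshold: what an SLA target with these
    limits would treat as out of SLA. The limits are the caller's, not read from the device."""
    return [
        m.seq for m in members
        if m.state != "alive"
        or m.packet_loss > max_loss
        or m.latency > max_latency
        or m.jitter > max_jitter
    ]


# Constructed sample: the two lines from the guide for health check "server", plus a
# hypothetical second check "isp-dns" whose second member has stopped answering.
SAMPLE_OUTPUT = """\
Health Check(server):
Seq(1): state(alive), packet-loss(0.000%) latency(15.247), jitter(5.231) sla_map=0x0
Seq(2): state(alive), packet-loss(0.000%) latency(13.621), jitter(6.905) sla_map=0x0
Health Check(isp-dns):
Seq(1): state(alive), packet-loss(0.000%) latency(18.002), jitter(4.110) sla_map=0x0
Seq(2): state(dead), packet-loss(100.000%) latency(0.000), jitter(0.000) sla_map=0x0
"""

if __name__ == "__main__":
    for name, members in parse_health_check(SAMPLE_OUTPUT).items():
        flagged = flagged_members(members, max_loss=1.0, max_latency=15.0, max_jitter=10.0)
        print(f"{name}: alive={alive_members(members)} out_of_sla={flagged}")
```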

SD-WAN zones

SD-WAN is divided into zones. SD-WAN member interfaces are assigned to zones, and zones are used in policies,
static routes, and SD-WAN rules.
You can define multiple zones to group SD-WAN interfaces together, allowing logical groupings for overlay and underlay
interfaces. Zones are used in firewall policies, as source and destination interfaces, to allow for more granular control.
SD-WAN members cannot be used directly in policies.
SD-WAN zones and members can both be used in IPv4 and IPv6 static routes to make route configuration more flexible,
and in SD-WAN rules to simplify the rule configuration. See Specify an SD-WAN zone in static routes and SD-WAN rules
on page 532 for more information.

In the CLI:
l config system sdwan has replaced config system virtual-wan-link.
l diagnose sys sdwan has replaced diagnose sys virtual-wan-link.
l When configuring a static route, the sdwan-zone variable has replaced the sdwan variable.

When the Security Fabric is configured, SD-WAN zones are included in the Security Fabric topology views.

To create an SD-WAN zone in the GUI:

1. Go to Network > SD-WAN and select the SD-WAN Zones tab.


The default SD-WAN zones are virtual-wan-link and SASE.
2. Click Create New > SD-WAN Zone.
3. Enter a name for the new zone, such as vpn-zone.
4. If SD-WAN members have already been created, add the required members to the zone.
Members can also be added to the zone after it has been created by editing the zone, or when creating or editing the
member.

5. Click OK.

To create an SD-WAN interface member in the GUI:

1. Go to Network > SD-WAN, select the SD-WAN Zones tab, and click Create New > SD-WAN Member.
2. Select an interface.
The interface can also be left as none and selected later, or click +VPN to create an IPsec VPN for the SD-WAN
member.
3. Select the SD-WAN zone that the member will join. A member can also be moved to a different zone at any time.

4. Set the Gateway, Cost, and Status as required.


5. Click OK.
The interface list at Network > Interfaces shows the SD-WAN zones and their members.

To create a policy using the SD-WAN zone in the GUI:

1. Go to Policy & Objects > Firewall Policy, Policy & Objects > Proxy Policy, or Policy & Objects > Security Policy.
2. Click Create New.
3. Configure the policy settings as needed, selecting an SD-WAN zone or zones for the incoming and/or outgoing
interface.

4. Click OK.

To view SD-WAN zones in a Security Fabric topology:

1. Go to Security Fabric > Physical Topology or Security Fabric > Logical Topology. The SD-WAN zones and their
members are shown.

To configure SD-WAN in the CLI:

1. Enable SD-WAN and create a zone:


config system sdwan
    set status enable
    config zone
        edit "vpn-zone"
        next
    end
end

2. Configure SD-WAN members and add them to a zone:


config system sdwan
    config members
        edit 1
            set interface "to_ISP2"
            set zone "vpn-zone"
        next
        edit 2
            set interface "vpn-to-dc"
            set zone "vpn-zone"
        next
    end
end

To create a policy using the SD-WAN zone in the CLI:

config firewall policy
    edit 1
        set name sd-wan-1
        set srcintf internal
        set dstintf vpn-zone
        set srcaddr all
        set dstaddr all
        set action accept
        set schedule always
        set service ALL
        set utm-status enable
        set logtraffic all
        set nat enable
        set status enable
    next
end

Specify an SD-WAN zone in static routes and SD-WAN rules

SD-WAN zones can be used in IPv4 and IPv6 static routes, and in SD-WAN service rules. This makes route
configuration more flexible, and simplifies SD-WAN rule configuration.

To configure an SD-WAN zone in a static route in the GUI:

1. Go to Network > Static Routes.


2. Edit an existing static route, or click Create New to create a new route.
3. Set Interface to one or more SD-WAN zones.

4. Configure the remaining settings as required.


5. Click OK.

To configure an SD-WAN zone in a static route in the CLI:

config router {static | static6}
    edit 1
        set sdwan-zone <zone> <zone> ...
    next
end

To configure an SD-WAN zone in an SD-WAN rule in the GUI:

1. Go to Network > SD-WAN and select the SD-WAN Rules tab.


2. Edit an existing rule, or click Create New to create a new rule.
3. In the Zone preference field add one or more SD-WAN zones.

4. Configure the remaining settings as needed.


5. Click OK.

To configure an SD-WAN zone in an SD-WAN rule in the CLI:

config system sdwan
    config service
        edit 1
            set priority-zone <zone>
        next
    end
end

Examples

In these two examples, three SD-WAN members are created. Two members, port13 and port15, are in the default zone
(virtual-wan-link), and the third member, to_FG_B_root, is in the SASE zone.

Example 1

In this example:
l Two service rules are created. Rule 1 uses the virtual-wan-link zone, and rule 2 uses the SASE zone.
l Two IPv4 static routes are created. The first route uses the virtual-wan-link zone, and the second route uses the
SASE zone.

To configure the SD-WAN:

1. Assign port13 and port15 to the virtual-wan-link zone and to_FG_B_root to the SASE zone:
config system sdwan
    set status enable
    config members
        edit 1
            set interface "port13"
            set zone "virtual-wan-link"
            set gateway 10.100.1.1
        next
        edit 2
            set interface "port15"
            set zone "virtual-wan-link"
            set gateway 10.100.1.5
        next
        edit 3
            set interface "to_FG_B_root"
            set zone "SASE"
        next
    end
end

2. Create two service rules, one for each SD-WAN zone:


config system sdwan
    config service
        edit 1
            set dst "10.100.20.0"
            set priority-zone "virtual-wan-link"
        next
        edit 2
            set internet-service enable
            set internet-service-name "Fortinet-FortiGuard"
            set priority-zone "SASE"
        next
    end
end

3. Configure static routes for each of the SD-WAN zones:


config router static
    edit 1
        set distance 1
        set sdwan-zone "virtual-wan-link"
    next
    edit 2
        set dst 172.16.109.0 255.255.255.0
        set distance 1
        set sdwan-zone "SASE"
    next
end

To verify the results:

1. Check the service rule 1 diagnostics:


# diagnose sys sdwan service 1
Service(1): Address Mode(IPV4) flags=0x200 use-shortcut-sla
  Gen(1), TOS(0x0/0x0), Protocol(0: 1->65535), Mode(manual)
  Members(2):
    1: Seq_num(1 port13), alive, selected
    2: Seq_num(2 port15), alive, selected
  Dst address(1):
        10.100.20.0-10.100.20.255

Both members of the virtual-wan-link zone are selected. In manual mode, the interface members are selected
based on the member configuration order. In SLA and priority mode, the order depends on the link status. If all of the
link statuses pass, then the members are selected based on the member configuration order.
2. Check the service rule 2 diagnostics:
# diagnose sys sdwan service 2
Service(2): Address Mode(IPV4) flags=0x200 use-shortcut-sla
  Gen(1), TOS(0x0/0x0), Protocol(0: 1->65535), Mode(manual)
  Members(1):
    1: Seq_num(3 to_FG_B_root), alive, selected
  Internet Service(1): Fortinet-FortiGuard(1245324,0,0,0)

The member of the SASE zone is selected.


3. Review the routing table:

# get router info routing-table static
Routing table for VRF=0
S*      0.0.0.0/0 [1/0] via 10.100.1.1, port13
                  [1/0] via 10.100.1.5, port15
S       172.16.109.0/24 [1/0] via 172.16.206.2, to_FG_B_root

The default gateway has the members from the virtual-wan-link zone, and the route to 172.16.109.0/24 has the
single member from the SASE zone.

Example 2

In this example, two IPv6 static routes are created. The first route uses the virtual-wan-link zone, and the second route
uses the SASE zone.

To configure the SD-WAN:

1. Configure port13 and port15 with IPv6 addresses and assign them to the virtual-wan-link zone, and assign to_FG_
B_root to the SASE zone:
config system sdwan
    set status enable
    config members
        edit 1
            set interface "port13"
            set zone "virtual-wan-link"
            set gateway6 2004:10:100:1::1
            set source6 2004:10:100:1::2
        next
        edit 2
            set interface "port15"
            set zone "virtual-wan-link"
            set gateway6 2004:10:100:1::5
            set source6 2004:10:100:1::6
        next
        edit 3
            set interface "to_FG_B_root"
            set zone "SASE"
        next
    end
end

2. Configure IPv6 static routes for each of the SD-WAN zones:


config router static6
    edit 1
        set distance 1
        set sdwan-zone "virtual-wan-link"
    next
    edit 2
        set dst 2003:172:16:109::/64
        set distance 1
        set sdwan-zone "SASE"
    next
end

To verify the results:

1. Review the routing table:


# get router info6 routing-table static
Routing table for VRF=0
S*      ::/0 [1/0] via 2004:10:100:1::1, port13, 00:20:51, [1024/0]
             [1/0] via 2004:10:100:1::5, port15, 00:20:51, [1024/0]
S       2003:172:16:109::/64 [1/0] via ::ac10:ce02, to_FG_B_root, 00:20:51, [1024/0]
S       2003:172:16:209::/64 [5/0] via ::ac10:ce02, to_FG_B_root, 14:40:14, [1024/0]

The IPv6 default route includes the members from the virtual-wan-link zone, and the route to 2003:172:16:109::/64
has the single member from the SASE zone.

Performance SLA

The following topics provide instructions on configuring performance SLA:


l Link health monitor on page 537
l Factory default health checks on page 540
l Health check options on page 542
l Link monitoring example on page 545
l SLA targets example on page 546
l Passive WAN health measurement on page 547
l Passive health-check measurement by internet service and application on page 553
l Health check packet DSCP marker support on page 556
l Manual interface speedtest on page 557
l Scheduled interface speedtest on page 558
l Monitor performance SLA on page 559
l SLA monitoring using the REST API on page 562
l Mean opinion score calculation and logging in performance SLA health checks on page 566
l Embedded SD-WAN SLA information in ICMP probes on page 568

Link health monitor

Performance SLA link health monitoring measures the health of links that are connected to SD-WAN member interfaces
by either sending probing signals through each link to a server, or using session information that is captured on firewall
policies (see Passive WAN health measurement on page 547 for information), and measuring the link quality based on
latency, jitter, and packet loss. If a link fails all of the health checks, the routes on that link are removed from the SD-WAN
link load balancing group, and traffic is routed through other links. When the link is working again the routes are
reestablished. This prevents traffic being sent to a broken link and lost.
When an SD-WAN member has multiple health checks configured, all of the checks must fail for the routes on that link to
be removed from the SD-WAN link load balancing group.
Two health check servers can be configured to ensure that, if there is a connectivity issue, the interface is at fault and not
the server. A server can only be used in one health check.

FortiOS 7.2.1 Administration Guide 537


Fortinet Inc.
SD-WAN

The FortiGate uses the first server configured in the health check server list to perform the health check. If the first server
is unavailable, then the second server is used. The second server continues to be used until it becomes unavailable, and
then the FortiGate returns to the first server, if it is available. If both servers are unavailable, then the health check fails.
You can configure the protocol that is used for status checks, including: Ping, HTTP, DNS, TCP echo, UDP echo, two-way
active measurement protocol (TWAMP), TCP connect, and FTP. In the GUI, only Ping, HTTP, and DNS are available.
You can view link quality measurements by going to Network > SD-WAN and selecting the Performance SLAs tab. The
table shows the default health checks, the health checks that you configured, and information about each health check.
The values shown in the Packet Loss, Latency, and Jitter columns are for the health check server that the FortiGate is
currently using. The green up arrows indicate that the server is responding; they do not indicate whether the health
checks are being met. See Results on page 523 for more information.

To configure a link health monitor in the GUI:

1. Go to Network > SD-WAN, select the Performance SLAs tab, and click Create New.
2. Set a Name for the SLA.
3. Set the Protocol that you need to use for status checks: Ping, HTTP, or DNS.
4. Set Server to the IP addresses of up to two servers that all of the SD-WAN members in the performance SLA can
reach.
5. Set Participants to All SD-WAN Members, or select Specify to choose specific SD-WAN members.
6. Set Enable probe packets to enable or disable sending probe packets.
7. Configure SLA Target:
If the health check is used in an SD-WAN rule that uses Manual or Best Quality strategies, enabling SLA Target is
optional. If the health check is used in an SD-WAN rule that uses Lowest Cost (SLA) or Maximum Bandwidth (SLA)
strategies, then SLA Target is enabled.
When SLA Target is enabled, configure the following:
• Latency threshold: Calculated based on last 30 probes (default = 5ms).
• Jitter threshold: Calculated based on last 30 probes (default = 5ms).
• Packet Loss threshold: Calculated based on last 100 probes (default = 0%).
8. In the Link Status section configure the following:
• Check interval: The interval in which the FortiGate checks the interface, in milliseconds (500 - 3600000,
default = 500).
• Failures before inactive: The number of failed status checks before the interface shows as inactive (1 - 3600,
default = 5). This setting helps prevent flapping, where the system continuously transfers traffic back and forth
between links.
• Restore link after: The number of successful status checks before the interface shows as active (1 - 3600,
default = 5). This setting helps prevent flapping, where the system continuously transfers traffic back and forth
between links.
9. In the Actions when Inactive section, enable Update static route to disable static routes for inactive interfaces and
restore routes when interfaces recover.
10. Click OK.

To configure a link health monitor in the CLI:

config system sdwan
    config health-check
        edit "PingSLA"
            set addr-mode {ipv4 | ipv6}
            set server <server1_IP_address> <server2_IP_address>
            set detect-mode {active | passive | prefer-passive}
            set protocol {ping | tcp-echo | udp-echo | http | twamp | dns | tcp-connect | ftp}
            set ha-priority <integer>
            set probe-timeout <integer>
            set probe-count <integer>
            set probe-packets {enable | disable}
            set interval <integer>
            set failtime <integer>
            set recoverytime <integer>
            set diffservcode <binary>
            set update-static-route {enable | disable}
            set update-cascade-interface {enable | disable}
            set sla-fail-log-period <integer>
            set sla-pass-log-period <integer>
            set threshold-warning-packetloss <integer>
            set threshold-alert-packetloss <integer>
            set threshold-warning-latency <integer>
            set threshold-alert-latency <integer>
            set threshold-warning-jitter <integer>
            set threshold-alert-jitter <integer>
            set members <member_number> ... <member_number>
            config sla
                edit 1
                    set link-cost-factor {latency jitter packet-loss}
                    set latency-threshold <integer>
                    set jitter-threshold <integer>
                    set packetloss-threshold <integer>
                next
            end
        next
    end
end

Additional settings are available for some of the protocols:

Protocol    Additional options
http        port <port_number>
            http-get <url>
            http-match <response_string>
twamp       port <port_number>
            security-mode {none | authentication}
            password <password>
            packet-size <size>
ftp         ftp-mode {passive | port}
            ftp-file <path>

For more examples see Health check options on page 542.

Factory default health checks

There are six predefined performance SLA profiles for newly created VDOMs or factory reset FortiGate devices:
• AWS
• System DNS
• FortiGuard
• Gmail
• Google Search
• Office 365
You can view and configure the SLA profiles by going to Network > SD-WAN and selecting the Performance SLAs tab.
After configuring a health check, you will be able to view packet loss, latency, and jitter data for the SLA profiles. If a
value is colored red, it means that it failed to meet the SLA requirements.

To configure the performance SLA profiles in the CLI:

config system sdwan
    config health-check
        edit "Default_DNS"
            set system-dns enable
            set interval 1000
            set probe-timeout 1000
            set recoverytime 10
            config sla
                edit 1
                    set latency-threshold 250
                    set jitter-threshold 50
                    set packetloss-threshold 5
                next
            end
        next
        edit "Default_Office_365"
            set server "www.office.com"
            set protocol http
            set interval 1000
            set probe-timeout 1000
            set recoverytime 10
            config sla
                edit 1
                    set latency-threshold 250
                    set jitter-threshold 50
                    set packetloss-threshold 5
                next
            end
        next
        edit "Default_Gmail"
            set server "gmail.com"
            set interval 1000
            set probe-timeout 1000
            set recoverytime 10
            config sla
                edit 1
                    set latency-threshold 250
                    set jitter-threshold 50
                    set packetloss-threshold 2
                next
            end
        next
        edit "Default_AWS"
            set server "aws.amazon.com"
            set protocol http
            set interval 1000
            set probe-timeout 1000
            set recoverytime 10
            config sla
                edit 1
                    set latency-threshold 250
                    set jitter-threshold 50
                    set packetloss-threshold 5
                next
            end
        next
        edit "Default_Google Search"
            set server "www.google.com"
            set protocol http
            set interval 1000
            set probe-timeout 1000
            set recoverytime 10
            config sla
                edit 1
                    set latency-threshold 250
                    set jitter-threshold 50
                    set packetloss-threshold 5
                next
            end
        next
        edit "Default_FortiGuard"
            set server "fortiguard.com"
            set protocol http
            set interval 1000
            set probe-timeout 1000
            set recoverytime 10
            config sla
                edit 1
                    set latency-threshold 250
                    set jitter-threshold 50
                    set packetloss-threshold 5
                next
            end
        next
    end
end

Health check options

Health checks include several protocols and protocol-specific options.

The health check protocol options include:

ping          Use PING to test the link with the server.
tcp-echo      Use TCP echo to test the link with the server.
udp-echo      Use UDP echo to test the link with the server.
http          Use HTTP-GET to test the link with the server.
twamp         Use TWAMP to test the link with the server.
dns           Use DNS query to test the link with the server.
              The FortiGate sends a DNS query for an A Record and the response matches the expected IP address.
tcp-connect   Use a full TCP connection to test the link with the server.
              The method to measure the quality of the TCP connection can be:
              • half-open: FortiGate sends SYN and gets SYN-ACK. The latency is based on the round trip between
                SYN and SYN-ACK (default).
              • half-close: FortiGate sends FIN and gets FIN-ACK. The latency is based on the round trip between
                FIN and FIN-ACK.
ftp           Use FTP to test the link with the server.
              The FTP mode can be:
              • passive: The FTP health-check initiates and establishes the data connection (default).
              • port: The FTP server initiates and establishes the data connection.

SD-WAN health checks can generate traffic that becomes quite high as deployments grow.
Please take this into consideration when setting DoS policy thresholds. For details on setting
DoS policy thresholds, refer to DoS policy on page 827.

To use UDP-echo and TCP-echo as health checks:

config system sdwan
    set status enable
    config health-check
        edit "h4_udp1"
            set protocol udp-echo
            set port 7
            set server <server>
        next
        edit "h4_tcp1"
            set protocol tcp-echo
            set port 7
            set server <server>
        next
        edit "h6_udp1"
            set addr-mode ipv6
            set server "2032::12"
            set protocol udp-echo
            set port 7
        next
    end
end

To use DNS as a health check, and define the IP address that the response must match:

config system sdwan
    set status enable
    config health-check
        edit "h4_dns1"
            set protocol dns
            set dns-request-domain "ip41.forti2.com"
            set dns-match-ip 1.1.1.1
        next
        edit "h6_dns1"
            set addr-mode ipv6
            set server "2000::15.1.1.4"
            set protocol dns
            set port 53
            set dns-request-domain "ip61.xxx.com"
        next
    end
end

To use TCP Open (SYN/SYN-ACK) and TCP Close (FIN/FIN-ACK) to verify connections:

config system sdwan
    set status enable
    config health-check
        edit "h4_tcpconnect1"
            set protocol tcp-connect
            set port 443
            set quality-measured-method {half-open | half-close}
            set server <server>
        next
        edit "h6_tcpconnect1"
            set addr-mode ipv6
            set server "2032::13"
            set protocol tcp-connect
            set port 444
            set quality-measured-method {half-open | half-close}
        next
    end
end

To use active or passive mode FTP to verify connections:

config system sdwan
    set status enable
    config health-check
        edit "h4_ftp1"
            set protocol ftp
            set port 21
            set user "root"
            set password ***********
            set ftp-mode {passive | port}
            set ftp-file "1.txt"
            set server <server>
        next
        edit "h6_ftp1"
            set addr-mode ipv6
            set server "2032::11"
            set protocol ftp
            set port 21
            set user "root"
            set password ***********
            set ftp-mode {passive | port}
            set ftp-file "2.txt"
        next
    end
end

Link monitoring example

Performance SLA link monitoring measures the health of links that are connected to SD-WAN member interfaces by
sending probing signals through each link to a server and measuring the link quality based on latency, jitter, and packet
loss. If a link is broken, the routes on that link are removed, and traffic is routed through other links. When the link is
working again, the routes are reenabled. This prevents traffic being sent to a broken link and lost.

In this example:
• Interfaces wan1 and wan2 connect to the internet through separate ISPs
• The detection server IP address is 208.91.114.182
A performance SLA is created so that, if one link fails, its routes are removed and traffic is detoured to the other link.

To configure a Performance SLA using the GUI:

1. On the FortiGate, add wan1 and wan2 as SD-WAN members, then add a policy and static route. See SD-WAN
quick start on page 518 for details.
2. Go to Network > SD-WAN, select the Performance SLAs tab, and click Create New.
3. Enter a name for the SLA and select a protocol.
4. In the Server field, enter the detection server IP address (208.91.114.182 in this example).
5. In the Participants field, select both wan1 and wan2.
6. Configure the remaining settings as needed, then click OK.

To configure a Performance SLA using the CLI:

config system sdwan
    config health-check
        edit "server"
            set server "208.91.114.182"
            set update-static-route enable
            set members 1 2
        next
    end
end

To diagnose the Performance SLA status:

# diagnose sys sdwan health-check
Health Check(server):
Seq(1): state(alive), packet-loss(0.000%) latency(15.247), jitter(5.231) sla_map=0x0
Seq(2): state(alive), packet-loss(0.000%) latency(13.621), jitter(6.905) sla_map=0x0

SLA targets example

SLA targets are a set of constraints that are used in SD-WAN rules to control the paths that traffic takes.
The available constraints are:
• Latency threshold: Latency for SLA to make decision, in milliseconds (0 - 10000000, default = 5).
• Jitter threshold: Jitter for SLA to make decision, in milliseconds (0 - 10000000, default = 5).
• Packet loss threshold: Packet loss for SLA to make decision, in percentage (0 - 100, default = 0).

To configure Performance SLA targets using the GUI:

1. On the FortiGate, add wan1 and wan2 as SD-WAN members, then add a policy and static route. See SD-WAN
quick start on page 518 for details.
2. Go to Network > SD-WAN and select the Performance SLAs tab.
3. Create a new Performance SLA or edit an existing one. See Link monitoring example on page 545.
4. Enable SLA Targets and configure the constraints. To add multiple SLA targets, use the CLI.
5. Configure the remaining settings as needed, then click OK.

To configure Performance SLA targets using the CLI:

config system sdwan
    config health-check
        edit "server"
            set server "208.91.114.182"
            set members 1 2
            config sla
                edit 1
                    set link-cost-factor latency jitter packet-loss
                    set latency-threshold 10
                    set jitter-threshold 10
                    set packetloss-threshold 1
                next
                edit 2
                    set link-cost-factor latency packet-loss
                    set latency-threshold 15
                    set packetloss-threshold 2
                next
            end
        next
    end
end

The link-cost-factor variable is used to select which constraints are enabled.
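The following model is an added example, not FortiOS code or text from this guide. It shows how the probe windows, failtime/recoverytime hysteresis (Link health monitor) and the link-cost-factor of the two SLA targets configured above combine into the sla_map bitmap that diagnose output reports; the jitter formula and the bit layout of sla_map are assumptions.

```python
"""Model of how an SD-WAN health check turns probe results into link state and an
SLA bitmap. Added example, not FortiOS code: the probe windows and the
failtime/recoverytime behaviour follow this page; the jitter formula and the
bit layout of sla_map are assumptions."""
from collections import deque
from dataclasses import dataclass, field

LATENCY_WINDOW = 30      # latency and jitter thresholds use the last 30 probes
PACKETLOSS_WINDOW = 100  # the packet loss threshold uses the last 100 probes


@dataclass
class SlaTarget:
    """One 'config sla' entry; link_cost_factor names the constraints that count."""
    id: int
    link_cost_factor: tuple = ("latency", "jitter", "packet-loss")
    latency_threshold: float = 5.0     # ms
    jitter_threshold: float = 5.0      # ms
    packetloss_threshold: float = 0.0  # percent


@dataclass
class MemberHealth:
    """Probe history for one SD-WAN member plus the failtime/recoverytime state."""
    failtime: int = 5      # consecutive failures before the link is marked inactive
    recoverytime: int = 5  # consecutive successes before it is marked active again
    alive: bool = True
    fails: int = 0
    oks: int = 0
    rtts: deque = field(default_factory=lambda: deque(maxlen=LATENCY_WINDOW))
    results: deque = field(default_factory=lambda: deque(maxlen=PACKETLOSS_WINDOW))

    def record_probe(self, rtt_ms):
        """Feed one probe result (rtt_ms is None for a timeout); return link state."""
        self.results.append(rtt_ms is not None)
        if rtt_ms is None:
            self.fails += 1
            self.oks = 0
            # failtime misses in a row: routes on this member are withdrawn
            if self.alive and self.fails >= self.failtime:
                self.alive = False
        else:
            self.rtts.append(rtt_ms)
            self.oks += 1
            self.fails = 0
            # recoverytime replies in a row: routes are reestablished
            if not self.alive and self.oks >= self.recoverytime:
                self.alive = True
        return self.alive

    def metrics(self):
        """Latency, jitter and packet loss over the page's probe windows. Jitter is
        modelled as the mean absolute change between consecutive RTTs (assumption)."""
        rtts = list(self.rtts)
        latency = sum(rtts) / len(rtts) if rtts else 0.0
        diffs = [abs(b - a) for a, b in zip(rtts, rtts[1:])]
        jitter = sum(diffs) / len(diffs) if diffs else 0.0
        n = len(self.results)
        loss = 100.0 * (1 - sum(self.results) / n) if n else 0.0
        return {"latency": latency, "jitter": jitter, "packet-loss": loss}


def sla_map(metrics, targets):
    """Bitmap of SLA targets the member meets: bit (id - 1) is set when every
    constraint in the target's link-cost-factor is within threshold, so two met
    targets give 0x3 as in the diagnose output on this page (layout assumed)."""
    within = {
        "latency": lambda t: metrics["latency"] <= t.latency_threshold,
        "jitter": lambda t: metrics["jitter"] <= t.jitter_threshold,
        "packet-loss": lambda t: metrics["packet-loss"] <= t.packetloss_threshold,
    }
    bitmap = 0
    for t in targets:
        if all(within[f](t) for f in t.link_cost_factor):
            bitmap |= 1 << (t.id - 1)
    return bitmap


# The two SLA targets from the "SLA targets example" CLI on this page
PAGE_TARGETS = [
    SlaTarget(1, ("latency", "jitter", "packet-loss"), 10, 10, 1),
    SlaTarget(2, ("latency", "packet-loss"), latency_threshold=15,
              packetloss_threshold=2),
]


def simulate(probes, targets=PAGE_TARGETS, failtime=5, recoverytime=5):
    """Run a constructed probe sequence; return (alive, metrics, sla_map)."""
    member = MemberHealth(failtime=failtime, recoverytime=recoverytime)
    for rtt in probes:
        member.record_probe(rtt)
    metrics = member.metrics()
    return member.alive, metrics, sla_map(metrics, targets)


if __name__ == "__main__":
    # Constructed sample: three replies, five timeouts, then five replies
    alive, metrics, bits = simulate([10, 12, 14] + [None] * 5 + [11] * 5)
    print(f"alive={alive} metrics={metrics} sla_map={bits:#x}")
```

With the page's thresholds, a member at 12 ms latency misses target 1 (latency 10 ms) but meets target 2 (latency 15 ms, loss 2%), so only bit 1 is set and sla_map is 0x2.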

Passive WAN health measurement

SD-WAN passive WAN health measurement determines the health check measurements using session information that
is captured on firewall policies that have Passive Health Check (passive-wan-health-measurement) enabled.
Passive measurements analyze session information that is gathered from various TCP sessions to determine the jitter,
latency, and packet loss.
Using passive WAN health measurement reduces the amount of configuration required and decreases the traffic that is
produced by health check monitor probes doing active measurements. Passive WAN health measurement analyzes
real-life traffic; active WAN health measurement using a detection server might not reflect the real-life traffic.
By default, active WAN health measurement is enabled when a new health check is created. It can be changed to
passive or prefer passive:

passive          Health is measured using traffic, without probes. No link health monitor needs to be configured.
prefer-passive   Health is measured using traffic when there is traffic, and using probes when there is no traffic.
                 A link health monitor must be configured, see Link health monitor for details.

When passive-wan-health-measurement is enabled, auto-asic-offload will be disabled.

Example

In this example, the FortiGate is configured to load-balance between two WAN interfaces, port15 and port16. A health
check is configured in passive mode, and SLA thresholds are set. Passive WAN health measurement is enabled on the
SD-WAN policy.
Measurements are taken from YouTube traffic generated by the PC. When latency is introduced to the traffic on port15,
the passive health check trigger threshold is exceeded and traffic is rerouted to port16.

To configure the SD-WAN in the GUI:

1. Create the SD-WAN zone:
a. Go to Network > SD-WAN and select the SD-WAN Zones tab.
b. Click Create New > SD-WAN Zone.
c. Enter a name for the zone, such as SD-WAN.
d. Click OK.
2. Create the SD-WAN members:
a. Go to Network > SD-WAN and select the SD-WAN Zones tab.
b. Click Create New > SD-WAN Member.
c. Set Interface to port15, SD-WAN Zone to SD-WAN, and Gateway set to 172.16.209.2.
d. Click OK.
e. Click Create New > SD-WAN Member again.
f. Set Interface to port16, SD-WAN Zone to SD-WAN, and Gateway set to 172.16.210.2.
g. Click OK.
3. Create a performance SLA:
a. Go to Network > SD-WAN and select the Performance SLAs tab.
b. Edit an existing health check, or create a new one.
c. Set Probe mode to Passive.
d. Set Participants to Specify and add port15 and port16.
e. Configure two SLA targets. Note that the second SLA target must be configured in the CLI.
f. Configure the remaining settings as needed.
g. Click OK.
The SLA list shows the probe mode in the Detect Server column, if the probe mode is passive or prefer passive.

Probe packets can only be disabled in the CLI and when the probe mode is not passive.

4. Create SD-WAN rules:
a. Go to Network > SD-WAN, select the SD-WAN Rules tab, and click Create New.
b. Configure the first rule:

Name Background_Traffic

Source address 172.16.205.0

Application Click in the field, and in the Select Entries pane search for YouTube and
select all of the entries

Strategy Maximize Bandwidth (SLA)

Interface preference port15 and port16

Required SLA target Passive_Check#2

c. Click OK.
d. Click Create New again and configure the second rule:

Name Foreground_Traffic

Source address 172.16.205.0

Address all

Protocol number Specify - 1

Strategy Lowest Cost (SLA)

Interface preference port15 and port16

Required SLA target Passive_Check#1

e. Click OK.

To configure the firewall policy in the GUI:

1. Go to Policy & Objects > Firewall Policy and click Create New.
2. Configure the policy:

Name SD-WAN-HC-policy

Incoming Interface port5

Outgoing Interface SD-WAN

Source all

Destination all

Schedule always

Service ALL

Action ACCEPT

Passive Health Check Enabled

Passive health check can only be enabled in a policy when the outgoing interface is an SD-WAN zone.

3. Click OK.

To configure the SD-WAN in the CLI:

config system sdwan
    set status enable
    config zone
        edit "SD-WAN"
        next
    end
    config members
        edit 1
            set zone "SD-WAN"
            set interface "port15"
            set gateway 172.16.209.2
        next
        edit 2
            set zone "SD-WAN"
            set interface "port16"
            set gateway 172.16.210.2
        next
    end
    config health-check
        edit "Passive_Check"
            set detect-mode passive
            set members 1 2
            config sla
                edit 1
                    set latency-threshold 500
                    set jitter-threshold 500
                    set packetloss-threshold 10
                next
                edit 2
                    set latency-threshold 1000
                    set jitter-threshold 1000
                    set packetloss-threshold 10
                next
            end
        next
    end
    config service
        edit 1
            set name "Background_Traffic"
            set mode load-balance
            set src "172.16.205.0"
            set internet-service enable
            set internet-service-app-ctrl 31077 33321 41598 31076 33104 23397 30201 16420 17396 38569 25564
            config sla
                edit "Passive_Check"
                    set id 2
                next
            end
            set priority-members 1 2
        next
        edit 2
            set name "Foreground_Traffic"
            set mode sla
            set src "172.16.205.0"
            set protocol 1
            set dst "all"
            config sla
                edit "Passive_Check"
                    set id 1
                next
            end
            set priority-members 1 2
        next
    end
end

To configure the firewall policy in the CLI:

config firewall policy
    edit 1
        set name "SD-WAN-HC-policy"
        set srcintf "port5"
        set dstintf "SD-WAN"
        set nat enable
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set passive-wan-health-measurement enable
        set auto-asic-offload disable
    next
end

Results

When both links pass the SLA:

# diagnose sys link-monitor-passive interface
Interface port16 (28):
    Latency 10.000 Jitter 5.000 Packet_loss 0.000% Last_updated Fri Mar 5 10:09:21 2021

Interface port15 (27):
    Latency 60.000 Jitter 0.000 Packet_loss 0.000% Last_updated Fri Mar 5 10:39:24 2021

# diagnose sys sdwan health-check
Health Check(Passive_Check):
Seq(1 port15): state(alive), packet-loss(0.000%) latency(60.000), jitter(0.750) sla_map=0x3
Seq(2 port16): state(alive), packet-loss(0.000%) latency(10.000), jitter(5.000) sla_map=0x3

# diagnose sys sdwan service 2
Service(2): Address Mode(IPV4) flags=0x200
  Gen(1), TOS(0x0/0x0), Protocol(1: 1->65535), Mode(sla), sla-compare-order
  Members(2):
    1: Seq_num(1 port15), alive, sla(0x1), gid(0), cfg_order(0), cost(0), selected
    2: Seq_num(2 port16), alive, sla(0x1), gid(0), cfg_order(1), cost(0), selected
  Src address(1):
    172.16.205.0-172.16.205.255
  Dst address(1):
    8.8.8.8-8.8.8.8

When the latency is increased to 610ms on port15, the SLA is broken and pings are sent on port16:

# diagnose sys sdwan health-check
Health Check(Passive_Check):
Seq(1 port15): state(alive), packet-loss(0.000%) latency(610.000), jitter(2.500) sla_map=0x3
Seq(2 port16): state(alive), packet-loss(0.000%) latency(50.000), jitter(21.000) sla_map=0x3

# diagnose sys sdwan service 2
Service(2): Address Mode(IPV4) flags=0x200
  Gen(6), TOS(0x0/0x0), Protocol(1: 1->65535), Mode(sla), sla-compare-order
  Members(2):
    1: Seq_num(2 port16), alive, sla(0x1), gid(1), cfg_order(1), cost(0), selected
    2: Seq_num(1 port15), alive, sla(0x0), gid(2), cfg_order(0), cost(0), selected
  Src address(1):
    172.16.205.0-172.16.205.255
  Dst address(1):
    8.8.8.8-8.8.8.8

Passive health-check measurement by internet service and application

Passive health measurement supports passive detection for each internet service and application.
If internet services or applications are defined in an SD-WAN rule with passive health check, SLA information for each
service or application will be differentiated and collected. SLA metrics (latency, jitter, and packet loss) on each SD-WAN
member in the rule are then calculated based on the relevant internet service's or application's SLA information.
In this example, three SD-WAN rules are created:
l Rule 1: Best quality (latency) using passive SLA for the internet services Alibaba and Amazon.
l Rule 2: Best quality (latency) using passive SLA for the applications Netflix and YouTube.
l Rule 3: Best quality (latency) using passive SLA for all other traffic.
After passive application measurement is enabled for rules one and two, the SLA metric of rule one is the average
latency of the internet services Alibaba and Amazon, and the SLA metric of rule two is the average latency of the
applications Netflix and YouTube.

To configure the SD-WAN:

1. Configure the SD-WAN members:

config system sdwan
    set status enable
    config zone
        edit "virtual-wan-link"
        next
    end
    config members
        edit 1
            set interface "dmz"
            set gateway 172.16.208.2
        next
        edit 2
            set interface "port15"
            set gateway 172.16.209.2
        next
    end
end

2. Configure the passive mode health check:

config health-check
    edit "Passive_HC"
        set detect-mode passive
        set members 1 2
    next
end

3. Configure SD-WAN service rules:

config service
    edit 1
        set name "1"
        set mode priority
        set src "172.16.205.0"
        set internet-service enable
        set internet-service-name "Alibaba-Web" "Amazon-Web"
        set health-check "Passive_HC"
        set priority-members 1 2
        set passive-measurement enable   // enable passive application measurement for this rule
    next
    edit 2
        set name "2"
        set mode priority
        set src "172.16.205.0"
        set internet-service enable
        set internet-service-app-ctrl 18155 31077
        set health-check "Passive_HC"
        set priority-members 1 2
        set passive-measurement enable   // enable passive application measurement for this rule
    next
    edit 3
        set name "3"
        set mode priority
        set dst "all"
        set src "172.16.205.0"
        set health-check "Passive_HC"
        set priority-members 1 2
    next
end

4. Configure SD-WAN routes:

config router static
    edit 1
        set distance 1
        set sdwan-zone "virtual-wan-link"
    next
end

5. Configure the firewall policy with passive WAN health measurement enabled:

config firewall policy
    edit 1
        set uuid 972345c6-1595-51ec-66c5-d705d266f712
        set srcintf "port5"
        set dstintf "virtual-wan-link"
        set action accept
        set srcaddr "172.16.205.0"
        set dstaddr "all"
        set schedule "always"
        set service "ALL"
        set passive-wan-health-measurement enable
        set utm-status enable
        set ssl-ssh-profile "certificate-inspection"
        set application-list "g-default"
        set auto-asic-offload disable
    next
end

To verify the results:

1. On the PC, open the browser and visit the internet services and applications.
2. On the FortiGate, check the collected SLA information to confirm that each server or application on the SD-WAN
members was measured individually:

# diagnose sys link-monitor-passive interface
Interface dmz (5):
    Default(0x00000000): latency=3080.0 11:57:54, jitter=5.0 11:58:08, pktloss=0.0 % NA
    Alibaba-Web(0x00690001): latency=30.0 11:30:06, jitter=25.0 11:29:13, pktloss=0.0 % NA
    YouTube(0x00007965): latency=100.0 12:00:35, jitter=2.5 12:00:30, pktloss=0.0 % NA
    Netflix(0x000046eb): latency=10.0 11:31:24, jitter=10.0 11:30:30, pktloss=0.0 % NA
    Amazon-Web(0x00060001): latency=80.0 11:31:52, jitter=35.0 11:32:07, pktloss=0.0 % NA

Interface port15 (27):
    Default(0x00000000): latency=100.0 12:00:42, jitter=0.0 12:00:42, pktloss=0.0 % NA
    Amazon-Web(0x00060001): latency=30.0 11:56:05, jitter=0.0 11:55:21, pktloss=0.0 % NA
    Alibaba-Web(0x00690001): latency=0.0 11:26:08, jitter=35.0 11:27:08, pktloss=0.0 % NA
    YouTube(0x00007965): latency=100.0 11:33:34, jitter=0.0 11:33:50, pktloss=0.0 % NA
    Netflix(0x000046eb): latency=0.0 11:26:29, jitter=0.0 11:29:03, pktloss=0.0 % NA

3. Verify that the SLA metrics on the members are calculated as expected:

# diagnose sys sdwan service
Service(1): Address Mode(IPV4) flags=0x600 use-shortcut-sla
  Gen(1), TOS(0x0/0x0), Protocol(0: 1->65535), Mode(priority), link-cost-factor(latency), link-cost-threshold(10), heath-check(Passive_HC)
  Members(2):
    1: Seq_num(2 port15), alive, latency: 15.000, selected // Average latency of "Alibaba-Web" and "Amazon-Web" on port15: 15.000 = (0.0+30.0)/2
    2: Seq_num(1 dmz), alive, latency: 55.000, selected // Average latency of "Alibaba-Web" and "Amazon-Web" on dmz: 55.000 = (30.0+80.0)/2
  Internet Service(2): Alibaba-Web(6881281,0,0,0) Amazon-Web(393217,0,0,0)
  Src address(1):
    172.16.205.0-172.16.205.255

Service(2): Address Mode(IPV4) flags=0x600 use-shortcut-sla
  Gen(2), TOS(0x0/0x0), Protocol(0: 1->65535), Mode(priority), link-cost-factor(latency), link-cost-threshold(10), heath-check(Passive_HC)
  Members(2):
    1: Seq_num(1 dmz), alive, latency: 55.000, selected // Average latency of "Netflix" and "YouTube" on dmz: 55.000 = (10.0+100.0)/2
    2: Seq_num(2 port15), alive, latency: 50.000, selected // Average latency of "Netflix" and "YouTube" on port15: 50.000 = (0.0+100.0)/2
  Internet Service(2): Netflix(4294837427,0,0,0 18155) YouTube(4294838283,0,0,0 31077)
  Src address(1):
    172.16.205.0-172.16.205.255

Service(3): Address Mode(IPV4) flags=0x200 use-shortcut-sla
  Gen(9), TOS(0x0/0x0), Protocol(0: 1->65535), Mode(priority), link-cost-factor(latency), link-cost-threshold(10), heath-check(Passive_HC)
  Members(2):
    1: Seq_num(2 port15), alive, latency: 46.000, selected // Average latency of all TCP traffic on port15: 46 = (100.0+30.0+0.0+100.0+0.0)/5
    2: Seq_num(1 dmz), alive, latency: 660.000, selected // Average latency of all TCP traffic on dmz: 660 = (3080.0+30.0+100.0+10.0+80.0)/5
  Src address(1):
    172.16.205.0-172.16.205.255
  Dst address(1):
    0.0.0.0-255.255.255.255
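The following is an added example, not FortiOS code: it parses the passive-monitor output above and recomputes the per-rule averages and member order shown for services 1 to 3. The averaging follows the diagnose output on this page; the member-ordering rule driven by link-cost-threshold is an assumption that reproduces the three orderings shown.

```python
"""Roll-up of per-service passive measurements into per-rule SLA metrics and member
order. Added example, not FortiOS code: the averages follow the diagnose output on
this page; the ordering rule using link-cost-threshold is an assumption."""
import re

# Constructed sample in the format of 'diagnose sys link-monitor-passive interface',
# using the values from this page with each entry rejoined onto one line.
PASSIVE_OUTPUT = """\
Interface dmz (5):
    Default(0x00000000): latency=3080.0 11:57:54, jitter=5.0 11:58:08, pktloss=0.0 % NA
    Alibaba-Web(0x00690001): latency=30.0 11:30:06, jitter=25.0 11:29:13, pktloss=0.0 % NA
    YouTube(0x00007965): latency=100.0 12:00:35, jitter=2.5 12:00:30, pktloss=0.0 % NA
    Netflix(0x000046eb): latency=10.0 11:31:24, jitter=10.0 11:30:30, pktloss=0.0 % NA
    Amazon-Web(0x00060001): latency=80.0 11:31:52, jitter=35.0 11:32:07, pktloss=0.0 % NA
Interface port15 (27):
    Default(0x00000000): latency=100.0 12:00:42, jitter=0.0 12:00:42, pktloss=0.0 % NA
    Amazon-Web(0x00060001): latency=30.0 11:56:05, jitter=0.0 11:55:21, pktloss=0.0 % NA
    Alibaba-Web(0x00690001): latency=0.0 11:26:08, jitter=35.0 11:27:08, pktloss=0.0 % NA
    YouTube(0x00007965): latency=100.0 11:33:34, jitter=0.0 11:33:50, pktloss=0.0 % NA
    Netflix(0x000046eb): latency=0.0 11:26:29, jitter=0.0 11:29:03, pktloss=0.0 % NA
"""

IFACE_RE = re.compile(r"^Interface (\S+) \(\d+\):")
ENTRY_RE = re.compile(
    r"^([^(\s]+)\((0x[0-9a-fA-F]+)\): latency=([\d.]+) \S+, "
    r"jitter=([\d.]+) \S+, pktloss=([\d.]+) %")


def parse_passive(text):
    """Return {interface: {service: {"latency", "jitter", "pktloss"}}}."""
    data, iface = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = IFACE_RE.match(line)
        if m:
            iface = m.group(1)
            data[iface] = {}
            continue
        m = ENTRY_RE.match(line)
        if m and iface is not None:
            name, _sid, lat, jit, loss = m.groups()
            data[iface][name] = {"latency": float(lat), "jitter": float(jit),
                                 "pktloss": float(loss)}
    return data


def rule_latency(data, iface, services=None):
    """SLA metric of one member for one rule: the mean latency of the rule's
    internet services/applications, or of every measured entry (Default included)
    for a rule without any, as the catch-all rule 3 on this page shows."""
    stats = data[iface]
    names = services if services is not None else list(stats)
    vals = [stats[n]["latency"] for n in names if n in stats]
    return sum(vals) / len(vals) if vals else None


def order_members(data, priority_members, services=None, link_cost_threshold=10):
    """Best-quality (latency) member order. Assumption: the configured order is
    kept unless a later member beats an earlier one by more than
    link_cost_threshold percent, matching 'link-cost-threshold(10)' on this page."""
    ordered = []
    for member in priority_members:
        lat = rule_latency(data, member, services)
        if lat is None:
            ordered.append((member, None))   # nothing measured yet; keep cfg order
            continue
        pos = len(ordered)
        for i, (_, cur) in enumerate(ordered):
            if cur is not None and cur - lat > cur * link_cost_threshold / 100.0:
                pos = i
                break
        ordered.insert(pos, (member, lat))
    return ordered


if __name__ == "__main__":
    data = parse_passive(PASSIVE_OUTPUT)
    for rule, services in [("1", ["Alibaba-Web", "Amazon-Web"]),
                           ("2", ["Netflix", "YouTube"]), ("3", None)]:
        print(rule, order_members(data, ["dmz", "port15"], services))
```

Rule 2 is the interesting case: port15 (50 ms) is better than dmz (55 ms), but by less than 10%, so dmz keeps its configured first position as the page's output shows.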

Health check packet DSCP marker support

SD-WAN health check probe packets support Differentiated Services Code Point (DSCP) markers for accurate
evaluation of the link performance for high priority applications by upstream devices.
When the SD-WAN health check packet is sent out, the DSCP can be set with a CLI command.

To mark health-check packets with DSCP:

config system sdwan
    config health-check
        edit <name>
            set diffservcode <6 bits binary, range 000000-111111>
        next
    end
end

Manual interface speedtest

An interface speedtest can be manually performed on WAN interfaces in the GUI. The results of the test can be added to
the interface's Estimated bandwidth. The estimated upstream and downstream bandwidths can be used in SD-WAN
service rules to determine the best link to use when either Maximize Bandwidth or Best Quality strategies are selected.
An SD-WAN Network Monitor license is required to use the speedtest. The License widget and the System > FortiGuard
page show the license status.

To run an interface speedtest in the GUI:

1. Go to Network > Interfaces.
2. Edit a WAN interface. The interfaces can be grouped by role using the grouping dropdown on the right side of the
toolbar.
3. Click Execute speed test in the right pane.
4. When the test completes, click OK in the Confirm pane to apply the results to the estimated bandwidth.
The results can also be applied later by clicking Apply results to estimated bandwidth.
The speedtest results are used to populate the Estimated bandwidth fields.
5. Click OK.

The FortiGate must be connected to FortiGuard, and able to reach either the AWS or Google
speedtest servers.

Scheduled interface speedtest

The SD-WAN Network Monitor service supports running a speed test based on a schedule. The test results are
automatically updated in the interface measured-upstream-bandwidth and measured-downstream-bandwidth
fields. These fields do not impact the interface inbound bandwidth, outbound bandwidth, estimated upstream bandwidth,
or estimated downstream bandwidth settings.
An SD-WAN Network Monitor license is required to use the speedtest. The License widget and the System > FortiGuard
page show the license status.
When the scheduled speed tests run, it is possible to temporarily bypass the bandwidth limits set on the interface and
configure custom maximum or minimum bandwidth limits. These configurations are optional.
config system speed-test-schedule
    edit <interface>
        set schedules <schedule> ...
        set update-inbandwidth {enable | disable}
        set update-outbandwidth {enable | disable}
        set update-inbandwidth-maximum <integer>
        set update-inbandwidth-minimum <integer>
        set update-outbandwidth-maximum <integer>
        set update-outbandwidth-minimum <integer>
    next
end

update-inbandwidth {enable | disable}     Enable/disable bypassing the interface's inbound bandwidth setting.
update-outbandwidth {enable | disable}    Enable/disable bypassing the interface's outbound bandwidth setting.
update-inbandwidth-maximum <integer>      Maximum downloading bandwidth to be used in a speed test, in Kbps (0 - 16776000).
update-inbandwidth-minimum <integer>      Minimum downloading bandwidth to be considered effective, in Kbps (0 - 16776000).
update-outbandwidth-maximum <integer>     Maximum uploading bandwidth to be used in a speed test, in Kbps (0 - 16776000).
update-outbandwidth-minimum <integer>     Minimum uploading bandwidth to be considered effective, in Kbps (0 - 16776000).

In the following example, a speed test is scheduled on port1 at 10:00, and another one at 14:00.

To run a speed test based on a schedule:

1. Configure the recurring schedules:


config firewall schedule recurring
    edit "10"
        set start 10:00
        set end 12:00
        set day monday tuesday wednesday thursday friday
    next
    edit "14"
        set start 14:00
        set end 16:00
        set day monday tuesday wednesday thursday friday
    next
end

2. Configure the speed test schedule:


config system speed-test-schedule
    edit "port1"
        set schedules "10" "14"
        set update-inbandwidth enable
        set update-outbandwidth enable
        set update-inbandwidth-maximum 60000
        set update-inbandwidth-minimum 10000
        set update-outbandwidth-maximum 50000
        set update-outbandwidth-minimum 10000
    next
end

3. View the speed test results:


config system interface
    edit port1
        get | grep measure
        measured-upstream-bandwidth: 23691
        measured-downstream-bandwidth: 48862
        bandwidth-measure-time: Wed Jan 27 14:00:39 2021
    next
end

Monitor performance SLA

SD-WAN diagnostics can be used to help maintain your SD-WAN solution.

Monitoring SD-WAN link quality status

Link quality plays a significant role in link selection for SD-WAN. Investigate any prolonged issues with packet loss,
latency, or jitter to ensure that your network does not experience degraded performance or an outage.
You can monitor the link quality status of SD-WAN interface members by going to Network > SD-WAN and selecting the
Performance SLAs tab.

The live charts show the packet loss, latency, or jitter for the selected health check. Hover the cursor over a line in the
chart to see the specific value for that interface at that specific time.
The table shows information about each health check, including the configured servers, link quality data, and thresholds.
The colored arrow indicates the status of the interface when the last status check was performed: green means that the
interface was active, and red means that the interface was inactive. Hover the cursor over the arrow for additional
information.

Monitoring system event logs

This feature adds an SD-WAN daemon function that keeps a short, 10-minute history of SLA results that can be viewed in the CLI.
Performance SLA results related to interface selection, session failover, and other information can be logged. These
logs can then be used for long-term monitoring of traffic issues at remote sites, and for reports and views in
FortiAnalyzer.
The time intervals at which Performance SLA fail and pass logs are generated can be configured.

To configure the fail and pass logs' generation time interval:

config system sdwan
config health-check
edit "PingSLA"
set sla-fail-log-period 30
set sla-pass-log-period 60
next
end
end

To view the 10 minute Performance SLA link status history:

FGDocs # diagnose sys sdwan sla-log PingSLA 1
Timestamp: Fri Sep 4 10:32:37 2020, vdom root, health-check PingSLA, interface: wan2,
status: up, latency: 4.455, jitter: 0.430, packet loss: 0.000%.
Timestamp: Fri Sep 4 10:32:37 2020, vdom root, health-check PingSLA, interface: wan2,
status: up, latency: 4.461, jitter: 0.436, packet loss: 0.000%.
Timestamp: Fri Sep 4 10:32:38 2020, vdom root, health-check PingSLA, interface: wan2,
status: up, latency: 4.488, jitter: 0.415, packet loss: 0.000%.
...
Timestamp: Fri Sep 4 10:42:36 2020, vdom root, health-check PingSLA, interface: wan2,
status: up, latency: 6.280, jitter: 0.302, packet loss: 0.000%.
Timestamp: Fri Sep 4 10:42:37 2020, vdom root, health-check PingSLA, interface: wan2,
status: up, latency: 6.261, jitter: 0.257, packet loss: 0.000%.
Timestamp: Fri Sep 4 10:42:37 2020, vdom root, health-check PingSLA, interface: wan2,
status: up, latency: 6.229, jitter: 0.245, packet loss: 0.000%.

SLA pass logs

The FortiGate generates Performance SLA logs at the specified pass log interval (sla-pass-log-period) when SLA
passes.
date="2021-04-15" time="10:04:56" id=6951431609690095758 bid=52507 dvid=1047
itime=1618506296 euid=3 epid=3 dsteuid=3 dstepid=3 logver=700000066 logid="0113022925"
type="event" subtype="sdwan" level="information" msg="Health Check SLA status."
logdesc="SDWAN SLA information" status="up" interface="port1" eventtime=1618506296222639301
tz="-0700" eventtype="SLA" jitter="0.277" inbandwidthavailable="10.00Gbps"
outbandwidthavailable="10.00Gbps" bibandwidthavailable="20.00Gbps" packetloss="1.000%"
latency="186.071" slamap="0x1" healthcheck="BusinessCritical_CloudApps" slatargetid=1
outbandwidthused="40kbps" inbandwidthused="24kbps" bibandwidthused="64kbps"
devid="FGVM02TM20000000" vd="root" devname="Branch_Office_01" csf="fabric"

date="2021-04-15" time="10:04:56" id=6951431609690095759 bid=52507 dvid=1047
itime=1618506296 euid=3 epid=3 dsteuid=3 dstepid=3 logver=700000066 logid="0113022925"
type="event" subtype="sdwan" level="information" msg="Health Check SLA status."
logdesc="SDWAN SLA information" status="up" interface="port2" eventtime=1618506296223163068
tz="-0700" eventtype="SLA" jitter="0.204" inbandwidthavailable="10.00Gbps"
outbandwidthavailable="10.00Gbps" bibandwidthavailable="20.00Gbps" packetloss="0.000%"
latency="185.939" slamap="0x1" healthcheck="BusinessCritical_CloudApps" slatargetid=1
outbandwidthused="142kbps" inbandwidthused="23kbps" bibandwidthused="165kbps"
devid="FGVM02TM20000000" vd="root" devname="Branch_Office_01" csf="fabric"

In the FortiAnalyzer GUI:

SLA fail logs

The FortiGate generates Performance SLA logs at the specified fail log interval (sla-fail-log-period) when SLA
fails.
date="2021-04-15" time="10:04:59" id=6951431618280030243 bid=52507 dvid=1047
itime=1618506298 euid=3 epid=3 dsteuid=3 dstepid=3 logver=700000066 logid="0113022925"
type="event" subtype="sdwan" level="notice" msg="Health Check SLA status. SLA failed due to
being over the performance metric threshold." logdesc="SDWAN SLA information" status="down"
interface="To-HQ-MPLS" eventtime=1618506299718862835 tz="-0700" eventtype="SLA"
jitter="0.000" inbandwidthavailable="10.00Gbps" outbandwidthavailable="10.00Gbps"
bibandwidthavailable="20.00Gbps" packetloss="100.000%" latency="0.000" slamap="0x0"
healthcheck="BusinessCritical_CloudApps" slatargetid=1 metric="packetloss"
outbandwidthused="0kbps" inbandwidthused="0kbps" bibandwidthused="0kbps"
devid="FGVM02TM20000000" vd="root" devname="Branch_Office_01" csf="fabric"

date="2021-04-15" time="10:05:03" id=6951431639754866704 bid=52514 dvid=1046
itime=1618506303 euid=3 epid=3 dsteuid=3 dstepid=3 logver=700000066 logid="0113022925"
type="event" subtype="sdwan" level="notice" msg="Health Check SLA status. SLA failed due to
being over the performance metric threshold." logdesc="SDWAN SLA information" status="down"
interface="To-HQ-MPLS" eventtime=1618506304085863643 tz="-0700" eventtype="SLA"
jitter="0.000" inbandwidthavailable="10.00Gbps" outbandwidthavailable="10.00Gbps"
bibandwidthavailable="20.00Gbps" packetloss="100.000%" latency="0.000" slamap="0x0"
healthcheck="BusinessCritical_CloudApps" slatargetid=1 metric="packetloss"
outbandwidthused="6kbps" inbandwidthused="3kbps" bibandwidthused="9kbps"
devid="FGVM02TM20000000" vd="root" devname="Branch_Office_02" csf="fabric"

In the FortiAnalyzer GUI:
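The pass and fail logs above share one key=value layout, so a log collector can parse them and keep the latest SLA verdict per health check and member. The following Python script is an added example, not part of the FortiOS guide or of Fortinet's tooling; the log lines embedded in it are constructed to match the field layout shown above (logid 0113022925), and the SLA target ID checked against slamap is an assumption.

```python
"""Parse FortiOS SD-WAN SLA event logs and report members that are out of SLA.

Added example, not part of the FortiOS guide. SAMPLE_LOGS is constructed to
match the field layout of the SLA pass/fail logs shown above.
"""
import re
from dataclasses import dataclass
from typing import Dict, Iterable, Optional, Tuple

# One key=value pair: the value is either double-quoted (spaces allowed, quotes
# escaped with a backslash) or a bare run of non-space characters.
_KV_RE = re.compile(r'(\w+)=(?:"((?:[^"\\]|\\.)*)"|(\S+))')


def parse_fortios_log(line: str) -> Dict[str, str]:
    """Return the fields of one FortiOS log line as a dict (quotes stripped)."""
    fields = {}
    for m in _KV_RE.finditer(line):
        key, quoted, bare = m.group(1), m.group(2), m.group(3)
        fields[key] = quoted if quoted is not None else bare
    return fields


@dataclass
class SlaSample:
    healthcheck: str
    interface: str
    status: str            # "up" or "down"
    slamap: int            # bitmask: bit (id - 1) is set when SLA target <id> is met
    latency_ms: float
    jitter_ms: float
    packetloss_pct: float
    metric: Optional[str]  # metric that failed; only present on fail logs
    level: str             # "information" on pass logs, "notice" on fail logs


def to_sample(fields: Dict[str, str]) -> Optional[SlaSample]:
    """Convert parsed fields into an SlaSample; None for non-SLA events."""
    if fields.get("subtype") != "sdwan" or fields.get("eventtype") != "SLA":
        return None
    return SlaSample(
        healthcheck=fields["healthcheck"],
        interface=fields["interface"],
        status=fields["status"],
        slamap=int(fields["slamap"], 16),
        latency_ms=float(fields["latency"]),
        jitter_ms=float(fields["jitter"]),
        packetloss_pct=float(fields["packetloss"].rstrip("%")),
        metric=fields.get("metric"),
        level=fields["level"],
    )


def sla_target_met(sample: SlaSample, target_id: int) -> bool:
    """SLA target IDs are 1-based, so target 1 is bit 0 of slamap (0x1)."""
    return bool(sample.slamap & (1 << (target_id - 1)))


def out_of_sla(lines: Iterable[str], target_id: int = 1) -> Dict[Tuple[str, str], SlaSample]:
    """Latest sample per (healthcheck, interface) that misses target_id.

    Later lines override earlier ones, so a member whose most recent log shows
    the target met again drops out of the result.
    """
    latest: Dict[Tuple[str, str], SlaSample] = {}
    for line in lines:
        sample = to_sample(parse_fortios_log(line))
        if sample is not None:
            latest[(sample.healthcheck, sample.interface)] = sample
    return {k: v for k, v in latest.items() if not sla_target_met(v, target_id)}


# Constructed sample lines (not real device output), modelled on the layout above.
SAMPLE_LOGS = [
    'date="2021-04-15" time="10:04:56" logid="0113022925" type="event" subtype="sdwan" '
    'level="information" msg="Health Check SLA status." status="up" interface="port1" '
    'eventtype="SLA" jitter="0.277" packetloss="1.000%" latency="186.071" slamap="0x1" '
    'healthcheck="BusinessCritical_CloudApps" slatargetid=1 vd="root"',
    'date="2021-04-15" time="10:04:59" logid="0113022925" type="event" subtype="sdwan" '
    'level="notice" msg="Health Check SLA status. SLA failed due to being over the '
    'performance metric threshold." status="down" interface="To-HQ-MPLS" eventtype="SLA" '
    'jitter="0.000" packetloss="100.000%" latency="0.000" slamap="0x0" '
    'healthcheck="BusinessCritical_CloudApps" slatargetid=1 metric="packetloss" vd="root"',
    # A member-count change event: same subtype, different eventtype, so it is skipped.
    'date="2021-04-15" time="10:05:00" logid="0113022923" type="event" subtype="sdwan" '
    'level="notice" eventtype="Health Check" healthcheck="BusinessCritical_CloudApps" '
    'slatargetid=1 oldvalue="2" newvalue="1" msg="Number of pass member changed."',
]

if __name__ == "__main__":
    for (hc, intf), s in out_of_sla(SAMPLE_LOGS).items():
        print(f"{hc}/{intf}: status={s.status} failed_metric={s.metric} "
              f"loss={s.packetloss_pct}% latency={s.latency_ms}ms")
```

Feeding the script a syslog stream in arrival order gives a per-member state that clears itself as soon as a pass log arrives, which is the property a monitoring rule needs: alert on the member while it stays in the result, not on every individual fail log emitted at the sla-fail-log-period interval.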

SLA monitoring using the REST API

SLA log information and interface SLA information can be monitored using the REST API. This feature is also used by
FortiManager as part of its detailed SLA monitoring and drill-down features.

Interface log command example:

https://172.172.172.9/api/v2/monitor/virtual-wan/interface-log
{
"http_method":"GET",
"results":[
{
"interface":"port13",
"logs":[
{
"timestamp":1547087168,
"tx_bandwidth":3447,
"rx_bandwidth":3457,
"bi_bandwidth":6904,
"tx_bytes":748875,
"rx_bytes":708799,
"egress_queue":[
]
},
{
"timestamp":1547087178,
"tx_bandwidth":3364,
"rx_bandwidth":3400,
"bi_bandwidth":6764,
"tx_bytes":753789,
"rx_bytes":712835,
"egress_queue":[
]
},
....
....

SLA log command example:

https://172.172.172.9/api/v2/monitor/virtual-wan/sla-log
{
"http_method":"GET",
"results":[
{
"name":"ping",
"interface":"spoke11-p1",
"logs":[
{
"timestamp":1614813142,
"link":"up",
"latency":0.13763333857059479,
"jitter":0.02996666356921196,
"packetloss":0
},

"child_intfs":{
"spoke11-p1_0":[
{
"timestamp":1614813142,
"link":"up",
"latency":0.12413334846496582,
"jitter":0.028366668149828911,
"packetloss":0
},

{
"name":"ping",
"interface":"spoke12-p1",
"logs":[
{
"timestamp":1614813143,
"link":"up",
"latency":0.11373332887887955,
"jitter":0.023099998012185097,
"packetloss":0
},

"child_intfs":{
"spoke12-p1_0":[
{
"timestamp":1614813143,
"link":"up",
"latency":0.0930333212018013,
"jitter":0.011033335700631142,
"packetloss":0
},
....
....

Health check command example:

https://172.172.172.9/api/v2/monitor/virtual-wan/health-check
{
"http_method":"GET",
"results":{
"ping":{
"spoke11-p1":{
"status":"up",
"latency":0.13406667113304138,
"jitter":0.023000005632638931,
"packet_loss":0,
"packet_sent":29722,
"packet_received":29718,
"sla_targets_met":[
1
],
"session":2,
"tx_bandwidth":1353,
"rx_bandwidth":1536,
"state_changed":1614798274,
"child_intfs":{
"spoke11-p1_0":{
"status":"up",
"latency":0.12929999828338623,
"jitter":0.028200000524520874,
"packet_loss":0,
"packet_sent":29626,
"packet_received":29625,
"sla_targets_met":[
1
],
"session":0,
"tx_bandwidth":2608,
"rx_bandwidth":1491,
"state_changed":0
}
}
},
"spoke12-p1":{
"status":"up",
"latency":0.11356667429208755,
"jitter":0.015699999406933784,
"packet_loss":0,
"packet_sent":29722,
"packet_received":29717,
"sla_targets_met":[
1
],
"session":2,
"tx_bandwidth":1353,
"rx_bandwidth":1536,
"state_changed":1614798274,
"child_intfs":{
"spoke12-p1_0":{
"status":"up",
"latency":0.095466658473014832,
"jitter":0.0092999991029500961,
"packet_loss":0,
"packet_sent":29687,
"packet_received":29686,
"sla_targets_met":[
1
],
"session":0,
"tx_bandwidth":1309,
"rx_bandwidth":2553,
"state_changed":0
}
}
}
}
},
....
....

CLI diagnose commands:

# diagnose sys sdwan intf-sla-log port13
Timestamp: Wed Jan 9 18:33:49 2019, used inbandwidth: 3208bps, used outbandwidth:
3453bps, used bibandwidth: 6661bps, tx bytes: 947234bytes, rx bytes: 898622bytes.
Timestamp: Wed Jan 9 18:33:59 2019, used inbandwidth: 3317bps, used outbandwidth:
3450bps, used bibandwidth: 6767bps, tx bytes: 951284bytes, rx bytes: 902937bytes.
Timestamp: Wed Jan 9 18:34:09 2019, used inbandwidth: 3302bps, used outbandwidth:
3389bps, used bibandwidth: 6691bps, tx bytes: 956268bytes, rx bytes: 907114bytes.
Timestamp: Wed Jan 9 18:34:19 2019, used inbandwidth: 3279bps, used outbandwidth:
3352bps, used bibandwidth: 6631bps, tx bytes: 958920bytes, rx bytes: 910793bytes.
Timestamp: Wed Jan 9 18:34:29 2019, used inbandwidth: 3233bps, used outbandwidth:
3371bps, used bibandwidth: 6604bps, tx bytes: 964374bytes, rx bytes: 914854bytes.
Timestamp: Wed Jan 9 18:34:39 2019, used inbandwidth: 3235bps, used outbandwidth:
3362bps, used bibandwidth: 6597bps, tx bytes: 968250bytes, rx bytes: 918846bytes.
Timestamp: Wed Jan 9 18:34:49 2019, used inbandwidth: 3165bps, used outbandwidth:
3362bps, used bibandwidth: 6527bps, tx bytes: 972298bytes, rx bytes: 922724bytes.
Timestamp: Wed Jan 9 18:34:59 2019, used inbandwidth: 3184bps, used outbandwidth:
3362bps, used bibandwidth: 6546bps, tx bytes: 977282bytes, rx bytes: 927019bytes.

# diagnose sys sdwan sla-log ping 1 spoke11-p1_0
Timestamp: Wed Mar 3 15:35:20 2021, vdom root, health-check ping, interface: spoke11-
p1_0, status: up, latency: 0.135, jitter: 0.029, packet loss: 0.000%.

# diagnose sys sdwan sla-log ping 2 spoke12-p1_0
Timestamp: Wed Mar 3 15:36:08 2021, vdom root, health-check ping, interface: spoke12-
p1_0, status: up, latency: 0.095, jitter: 0.010, packet loss: 0.000%.

# diagnose sys sdwan health-check
Health Check(ping):
Seq(1 spoke11-p1): state(alive), packet-loss(0.000%) latency(0.156), jitter(0.043) sla_
map=0x1
Seq(1 spoke11-p1_0): state(alive), packet-loss(0.000%) latency(0.128), jitter(0.024)
sla_map=0x1
Seq(2 spoke12-p1): state(alive), packet-loss(0.000%) latency(0.125), jitter(0.028) sla_
map=0x1
Seq(2 spoke12-p1_0): state(alive), packet-loss(0.000%) latency(0.093), jitter(0.008)
sla_map=0x1
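The REST API JSON and the CLI diagnostics above report the same SLA state in two encodings: sla_targets_met lists the IDs of the SLA targets a member currently meets, while the CLI's sla_map is a bitmask of the same information. The following Python script, an added example that is not FortiOS or FortiManager code, evaluates a health-check response and flags members and child interfaces that are dead or out of SLA. The JSON embedded in it is a constructed, trimmed response in the shape shown above (how it is fetched is outside the script), and the packet-loss recomputation from packet_sent and packet_received is the script's own cross-check, not an API field.

```python
"""Evaluate SD-WAN health-check state from the REST API and the CLI sla_map.

Added example, not FortiOS or FortiManager code. SAMPLE_RESPONSE is a
constructed, trimmed /api/v2/monitor/virtual-wan/health-check response in the
shape shown above.
"""
from typing import Dict, Iterator, Tuple


def sla_map_met(sla_map: str, target_id: int) -> bool:
    """Decode the CLI's sla_map=0x.. bitmask: bit (target_id - 1) is set when
    SLA target <target_id> is met (SLA IDs are 1-based)."""
    return bool(int(sla_map, 16) & (1 << (target_id - 1)))


def walk_members(results: dict) -> Iterator[Tuple[str, str, dict]]:
    """Yield (healthcheck, interface, record) for every member, followed by its
    child interfaces (the per-overlay shortcut tunnels such as spoke11-p1_0)."""
    for hc_name, members in results.items():
        for member, rec in members.items():
            yield hc_name, member, rec
            for child, child_rec in rec.get("child_intfs", {}).items():
                yield hc_name, child, child_rec


def loss_from_counters(rec: dict) -> float:
    """Cross-check packet loss from the cumulative counters, in percent."""
    sent, received = rec["packet_sent"], rec["packet_received"]
    return 0.0 if sent == 0 else round(100.0 * (sent - received) / sent, 3)


def sla_report(response: dict, target_id: int = 1) -> Dict[Tuple[str, str], str]:
    """Return a verdict per (healthcheck, interface): 'dead', 'out-of-sla' or 'in-sla'."""
    report = {}
    for hc, intf, rec in walk_members(response["results"]):
        if rec.get("status") != "up":
            verdict = "dead"
        elif target_id in rec.get("sla_targets_met", []):
            verdict = "in-sla"
        else:
            verdict = "out-of-sla"
        report[(hc, intf)] = verdict
    return report


# Constructed sample (not real device output): spoke12-p1 has been made to miss
# target 1 and spoke11-p1_0 to be down so that both failure modes show up.
SAMPLE_RESPONSE = {
    "http_method": "GET",
    "results": {
        "ping": {
            "spoke11-p1": {
                "status": "up", "latency": 0.134, "jitter": 0.023, "packet_loss": 0,
                "packet_sent": 29722, "packet_received": 29718, "sla_targets_met": [1],
                "session": 2, "tx_bandwidth": 1353, "rx_bandwidth": 1536,
                "state_changed": 1614798274,
                "child_intfs": {
                    "spoke11-p1_0": {
                        "status": "down", "latency": 0, "jitter": 0, "packet_loss": 100,
                        "packet_sent": 100, "packet_received": 0, "sla_targets_met": [],
                        "session": 0, "tx_bandwidth": 0, "rx_bandwidth": 0,
                        "state_changed": 0,
                    }
                },
            },
            "spoke12-p1": {
                "status": "up", "latency": 250.1, "jitter": 0.016, "packet_loss": 10,
                "packet_sent": 1000, "packet_received": 900, "sla_targets_met": [],
                "session": 2, "tx_bandwidth": 1353, "rx_bandwidth": 1536,
                "state_changed": 1614798274, "child_intfs": {},
            },
        }
    },
}

if __name__ == "__main__":
    for (hc, intf), verdict in sla_report(SAMPLE_RESPONSE).items():
        print(f"{hc}/{intf}: {verdict}")
```

Checking child interfaces separately matters on a hub: a parent member can be up and within SLA while an individual shortcut tunnel underneath it is dead, and only the child entry reveals that.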

Mean opinion score calculation and logging in performance SLA health checks

The mean opinion score (MOS) is a method of measuring voice quality using a formula that takes latency, jitter, packet
loss, and the codec into account to produce a score from 0 to 5. The G.711, G.729, and G.722 codecs can be
selected in the health check configuration, and an MOS threshold can be entered to indicate the minimum MOS score
for the SLA to pass. The maximum MOS score depends on which codec is used, since each codec has a theoretical
maximum limit.
config system sdwan
config health-check
edit <name>
set mos-codec {g711 | g729 | g722}
config sla
edit <id>
set link-cost-factor {latency jitter packet-loss mos}
set mos-threshold <value>
next
end
next
end
end

mos-codec {g711 | g729 | g722}                          Set the VoIP codec to use for the MOS calculation (default = g711).
link-cost-factor {latency jitter packet-loss mos}       Set the criteria to base the link selection on.
mos-threshold <value>                                   Set the minimum MOS for the SLA to be marked as pass (1.0 - 5.0, default = 3.6).

Currently, the MOS cannot be used as the link-cost-factor to steer traffic in an SD-WAN
rule.

To configure a health check to calculate the MOS:

config system sdwan
set status enable
config zone
edit "virtual-wan-link"
next
end
config members
edit 1
set interface "dmz"
set gateway 172.16.208.2
next
edit 2
set interface "port15"
set gateway 172.16.209.2
next
end
config health-check
edit "Test_MOS"
set server "2.2.2.2"
set sla-fail-log-period 30
set sla-pass-log-period 30
set members 0
set mos-codec g729
config sla
edit 1
set link-cost-factor mos
set mos-threshold "4.0"
next
end
next
end
end

To verify the MOS calculation results:

1. Verify the health check diagnostics:


# diagnose sys sdwan health-check
Health Check(Test_MOS):
Seq(1 dmz): state(alive), packet-loss(0.000%) latency(0.114), jitter(0.026), mos(4.123),
bandwidth-up(999999), bandwidth-dw(999997), bandwidth-bi(1999996) sla_map=0x1
Seq(2 port15): state(alive), packet-loss(0.000%) latency(0.100), jitter(0.008), mos
(4.123), bandwidth-up(999999), bandwidth-dw(999999), bandwidth-bi(1999998) sla_map=0x1

# diagnose sys sdwan sla-log Test_MOS 1
Timestamp: Tue Jan 4 11:23:06 2022, vdom root, health-check Test_MOS, interface: dmz,
status: up, latency: 0.151, jitter: 0.040, packet loss: 0.000%, mos: 4.123.
Timestamp: Tue Jan 4 11:23:07 2022, vdom root, health-check Test_MOS, interface: dmz,
status: up, latency: 0.149, jitter: 0.041, packet loss: 0.000%, mos: 4.123.

# diagnose sys sdwan sla-log Test_MOS 2
Timestamp: Tue Jan 4 11:25:09 2022, vdom root, health-check Test_MOS, interface:
port15, status: up, latency: 0.097, jitter: 0.009, packet loss: 0.000%, mos: 4.123.
Timestamp: Tue Jan 4 11:25:10 2022, vdom root, health-check Test_MOS, interface:
port15, status: up, latency: 0.097, jitter: 0.008, packet loss: 0.000%, mos: 4.123.

2. Change the mos-codec to g722. The diagnostics will now display different MOS values:
# diagnose sys sdwan health-check
Health Check(Test_MOS):
Seq(1 dmz): state(alive), packet-loss(0.000%) latency(0.150), jitter(0.031), mos(4.453),
bandwidth-up(999999), bandwidth-dw(999997), bandwidth-bi(1999996) sla_map=0x1
Seq(2 port15): state(alive), packet-loss(0.000%) latency(0.104), jitter(0.008), mos
(4.453), bandwidth-up(999999), bandwidth-dw(999999), bandwidth-bi(1999998) sla_map=0x1

3. Increase the latency on the link in port15. The calculated MOS value will decrease accordingly. In this example,
port15 is out of SLA since its MOS value is now less than the 4.0 minimum:
# diagnose sys sdwan health-check
Health Check(Test_MOS):
Seq(1 dmz): state(alive), packet-loss(0.000%) latency(0.106), jitter(0.022), mos(4.453),
bandwidth-up(999999), bandwidth-dw(999997), bandwidth-bi(1999996) sla_map=0x1
Seq(2 port15): state(alive), packet-loss(0.000%) latency(300.119), jitter(0.012), mos
(3.905), bandwidth-up(999999), bandwidth-dw(999999), bandwidth-bi(1999998) sla_map=0x0

Sample logs

date=2022-01-04 time=11:57:54 eventtime=1641326274876828300 tz="-0800" logid="0113022933"
type="event" subtype="sdwan" level="notice" vd="root" logdesc="SDWAN SLA notification"
eventtype="SLA" healthcheck="Test_MOS" slatargetid=1 interface="port15" status="up"
latency="300.118" jitter="0.013" packetloss="0.000" mos="3.905"
inbandwidthavailable="1000.00Mbps" outbandwidthavailable="1000.00Mbps"
bibandwidthavailable="2.00Gbps" inbandwidthused="0kbps" outbandwidthused="0kbps"
bibandwidthused="0kbps" slamap="0x0" metric="mos" msg="Health Check SLA status. SLA failed
due to being over the performance metric threshold."

date=2022-01-04 time=11:57:24 eventtime=1641326244286635920 tz="-0800" logid="0113022923"
type="event" subtype="sdwan" level="notice" vd="root" logdesc="SDWAN status"
eventtype="Health Check" healthcheck="Test_MOS" slatargetid=1 oldvalue="2" newvalue="1"
msg="Number of pass member changed."

date=2022-01-04 time=11:57:24 eventtime=1641326244286627260 tz="-0800" logid="0113022923"
type="event" subtype="sdwan" level="notice" vd="root" logdesc="SDWAN status"
eventtype="Health Check" healthcheck="Test_MOS" slatargetid=1 member="2" msg="Member status
changed. Member out-of-sla."

date=2022-01-04 time=11:57:02 eventtime=1641326222516756500 tz="-0800" logid="0113022925"
type="event" subtype="sdwan" level="information" vd="root" logdesc="SDWAN SLA information"
eventtype="SLA" healthcheck="Test_MOS" slatargetid=1 interface="port15" status="up"
latency="0.106" jitter="0.007" packetloss="0.000" mos="4.453"
inbandwidthavailable="1000.00Mbps" outbandwidthavailable="1000.00Mbps"
bibandwidthavailable="2.00Gbps" inbandwidthused="0kbps" outbandwidthused="0kbps"
bibandwidthused="0kbps" slamap="0x1" msg="Health Check SLA status."
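The verification steps above show the MOS falling from 4.453 to 3.905 on port15 as latency rises to about 300 ms, taking the member out of a 4.0 SLA. The following Python script is an added example, not FortiOS code, that reproduces this kind of behaviour with the ITU-T G.107 E-model: it turns measured latency, jitter and packet loss into an R factor, maps R to a MOS, and applies the mos-threshold test. FortiOS does not publish its formula, and this narrowband approximation will not reproduce the exact mos(...) values in the diagnostics above; the codec impairment figures (Ie, Bpl) are approximate values from G.113 Appendix I, and the one-way delay budget is an assumption, both marked in the code.

```python
"""Approximate a health check's MOS from latency, jitter and packet loss with
the ITU-T G.107 E-model, and apply the mos-threshold SLA test.

Added example, not FortiOS code: FortiOS does not publish its MOS formula, and
this narrowband approximation does not reproduce the mos(...) values shown
above. Codec figures (Ie, Bpl) are approximate G.113 Appendix I values and the
delay budget is an assumption; both are marked below.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Codec:
    ie: float   # equipment impairment factor (codec distortion)
    bpl: float  # packet-loss robustness factor


# Assumed, approximate values (G.113 Appendix I, with packet loss concealment).
# g722 is wideband; the narrowband E-model cannot express its quality gain, so
# it is given G.711-like values here as a stand-in.
CODECS = {
    "g711": Codec(ie=0.0, bpl=25.1),
    "g729": Codec(ie=11.0, bpl=19.0),
    "g722": Codec(ie=0.0, bpl=25.1),
}

R0_DEFAULT = 93.2       # basic signal-to-noise ratio with default E-model inputs
CODEC_DELAY_MS = 25.0   # assumed look-ahead + packetisation delay, one way


def delay_impairment(one_way_ms: float) -> float:
    """Id: a simplified G.107 delay term, linear up to 177.3 ms and steeper beyond."""
    idd = 0.024 * one_way_ms
    if one_way_ms > 177.3:
        idd += 0.11 * (one_way_ms - 177.3)
    return idd


def effective_equipment_impairment(codec: Codec, loss_pct: float) -> float:
    """Ie,eff = Ie + (95 - Ie) * Ppl / (Ppl + Bpl), with Ppl in percent."""
    return codec.ie + (95.0 - codec.ie) * loss_pct / (loss_pct + codec.bpl)


def r_factor(codec_name: str, rtt_ms: float, jitter_ms: float, loss_pct: float) -> float:
    """R = R0 - Id - Ie,eff.

    The health check measures round-trip latency, so one-way delay is taken as
    half of it, plus the jitter (as a stand-in for the jitter buffer that must
    absorb it) and the fixed codec delay. Both choices are assumptions.
    """
    codec = CODECS[codec_name]
    one_way_ms = rtt_ms / 2.0 + jitter_ms + CODEC_DELAY_MS
    return R0_DEFAULT - delay_impairment(one_way_ms) - effective_equipment_impairment(codec, loss_pct)


def r_to_mos(r: float) -> float:
    """G.107 mapping from R to MOS (1.0 .. 4.5 for narrowband)."""
    if r < 0:
        return 1.0
    if r > 100:
        return 4.5
    return 1.0 + 0.035 * r + r * (r - 60.0) * (100.0 - r) * 7e-6


def mos(codec_name: str, rtt_ms: float, jitter_ms: float, loss_pct: float) -> float:
    """MOS for the measured values, rounded like the diagnostics output."""
    return round(r_to_mos(r_factor(codec_name, rtt_ms, jitter_ms, loss_pct)), 3)


def sla_passes(mos_value: float, mos_threshold: float = 3.6) -> bool:
    """Mirror 'set mos-threshold': the SLA passes when the MOS is at least the threshold."""
    return mos_value >= mos_threshold


if __name__ == "__main__":
    for codec in ("g711", "g729", "g722"):
        for rtt, jitter, loss in ((0.1, 0.02, 0.0), (300.0, 0.01, 0.0), (0.1, 0.02, 5.0)):
            m = mos(codec, rtt, jitter, loss)
            print(f"{codec}: rtt={rtt}ms jitter={jitter}ms loss={loss}% -> "
                  f"MOS {m:.3f} ({'pass' if sla_passes(m, 4.0) else 'fail'} at 4.0)")
```

Two properties of the model are worth keeping in mind when choosing a threshold: packet loss degrades the score far faster than latency does (a few percent loss on G.711 already drops it below 4.0), and a codec with a non-zero Ie such as G.729 starts from a lower ceiling, so the same mos-threshold is stricter for it than for G.711.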

Embedded SD-WAN SLA information in ICMP probes

In a hub and spoke SD-WAN design, for traffic to pass symmetrically from spoke to hub and hub to spoke, it is
essential for the hub to know which IPsec overlays are in SLA and which are out of SLA. Before embedded SLA
information in ICMP probes was introduced, it was common practice for spokes to use the SD-WAN neighbor feature and the
route-map-out-preferable setting to signal the health of each overlay to the hub. However, this requires BGP to be
configured per overlay, and BGP routes to be manipulated using custom BGP communities.

With embedded SLA information in ICMP probes, spokes can communicate their SLA for each overlay directly through
ICMP probes to the hub. The hub learns these SLAs and maps the status for each spoke and its corresponding overlays.
The hub uses the SLA status to apply priorities to the IKE routes, giving routes over IPsec overlays that are within SLA a
lower priority value and routes over overlays that are out of SLA a higher priority value. If BGP is used, recursively resolved
BGP routes can inherit the priority from their parent.
Embedded SLA information in ICMP probes allows hub and spoke SD-WAN to be designed with a BGP on loopback
topology, or without BGP at all. The following topology outlines an example of the BGP on loopback design where each
spoke is peered with the hub and route reflector on the loopback interface.

In this topology, each FortiGate’s BGP router ID is based on its Loopback0 interface. Each spoke has SLA health checks
defined to send ICMP probes to the server’s Lo_HC interface on 172.31.100.100. The ICMP probes include embedded
SLA information for each SD-WAN overlay member.

Related SD-WAN settings:

config system sdwan
config health-check
edit <name>
set detect-mode {active | passive | prefer-passive | remote}
set embed-measured-health {enable | disable}
config sla
edit <id>
set priority-in-sla <integer>
set priority-out-sla <integer>
next
end
set sla-id-redistribute <id>
next
end
end

detect-mode {active | passive | prefer-passive | remote}    Set the mode that determines how the server is detected:
                                                            • active: the probes are sent actively (default).
                                                            • passive: the traffic measures health without probes.
                                                            • prefer-passive: the probes are sent in case of no new traffic.
                                                            • remote: the link health is obtained from remote peers.
embed-measured-health {enable | disable}                    Enable/disable embedding SLA information in ICMP probes (default = disable).
priority-in-sla <integer>                                   Set the priority that will be applied to the IKE route when the corresponding overlay is in SLA (0 - 65535).
priority-out-sla <integer>                                  Set the priority that will be applied to the IKE route when the corresponding overlay is out of SLA (0 - 65535).
sla-id-redistribute <id>                                    Set the SLA entry (ID) that will be applied to the IKE routes (0 - 31, default = 0).

Related BGP setting:

config router bgp
set recursive-inherit-priority {enable | disable}
end

recursive-inherit-priority {enable | disable}    Enable/disable allowing recursively resolved BGP routes to inherit priority from their parent (default = disable).

Example with BGP on loopback SD-WAN

This example demonstrates the configurations needed to configure the SD-WAN and BGP settings for the preceding
topology. It is assumed that IPsec VPN overlays are already configured per the topology, and that loopback interfaces
are already configured on each FortiGate.

Configuring the Spoke_1 FortiGate

In the SD-WAN settings, note the following requirements:


1. Configure the SD-WAN zones and members. For each SD-WAN member, define the source of its probes to be the
Loopback0 interface IP.
2. Configure the SLA health check to point to the Hub’s Lo_HC interface and IP. Enable embed-measured-health.
3. Configure an SD-WAN service rule to route traffic based on the maximize bandwidth (SLA) algorithm to prefer
member H1_T11 over H1_T22.

To configure the SD-WAN settings:

config system sdwan
set status enable
config zone
edit "virtual-wan-link"
next
edit "overlay"
next
end
config members
edit 1
set interface "H1_T11"
set zone "overlay"
set source 172.31.0.65
next
edit 4
set interface "H1_T22"
set zone "overlay"
set source 172.31.0.65
next
end
config health-check
edit "HUB"
set server "172.31.100.100"
set embed-measured-health enable
set members 0
config sla
edit 1
set link-cost-factor latency
set latency-threshold 100
next
end
next
end
config service
edit 1
set mode sla
set dst "CORP_LAN"
set src "CORP_LAN"
config sla
edit "HUB"
set id 1
next
end
set priority-members 1 4
next
end
end

To configure the BGP settings:

config router bgp
set as 65001
set router-id 172.31.0.65
config neighbor
edit "172.31.0.1"
set remote-as 65001
set update-source "Loopback0"
next
end
config network
edit 1
set prefix 10.0.3.0 255.255.255.0
next
end
end

Configuring the hub FortiGate

In the SD-WAN settings, note the following requirements:


1. Configure the SD-WAN zone and members.
2. Configure the SLA health checks to detect SLAs based on the remote site (spoke). This must be defined for each
SD-WAN member:
a. For the SLA, specify the same link cost factor and metric as the spoke (100).
b. Define the IKE route priority for in and out of SLA. Lower priority values have higher priority than higher priority
values.
c. Define the SLA entry ID that will be applied to the IKE routes.

To configure the SD-WAN settings:

config system sdwan
set status enable
config zone
edit "virtual-wan-link"
next
end
config members
edit 1
set interface "EDGE_T1"
next
edit 2
set interface "EDGE_T2"
next
end
config health-check
edit "1"
set detect-mode remote
set sla-id-redistribute 1
set members 1
config sla
edit 1
set link-cost-factor latency
set latency-threshold 100
set priority-in-sla 10
set priority-out-sla 20
next
end
next
edit "2"
set detect-mode remote
set sla-id-redistribute 1
set members 2
config sla
edit 1
set link-cost-factor latency
set latency-threshold 100
set priority-in-sla 15
set priority-out-sla 25
next
end
next
end
end

In the BGP settings, note the following requirements:


1. Enable recursive-inherit-priority to inherit the route priority from its parent, which is the priority defined in
the health check SLA settings.
2. Configure the other BGP settings similar to a regular BGP hub.

To configure the BGP settings:

config router bgp
set as 65001
set router-id 172.31.0.1
set recursive-inherit-priority enable
config neighbor-group
edit "EDGE"
set remote-as 65001
set update-source "Loopback0"
set route-reflector-client enable
next
end
config neighbor-range
edit 1
set prefix 172.31.0.64 255.255.255.192
set neighbor-group "EDGE"
next
end
end

Testing and verification

Once the hub and spokes are configured, verify that SLA statuses are passed from the spoke to the hub.

To verify that the SLA statuses are passed from the spoke to the hub:

1. On Spoke_1, display the status of the health-checks for H1_T11 and H1_T22:
# diagnose sys sdwan health-check
Health Check(HUB):
Seq(1 H1_T11): state(alive), packet-loss(0.000%) latency(0.228), jitter(0.018), mos
(4.404), bandwidth-up(999999), bandwidth-dw(1000000), bandwidth-bi(1999999) sla_map=0x1
Seq(4 H1_T22): state(alive), packet-loss(0.000%) latency(0.205), jitter(0.007), mos
(4.404), bandwidth-up(999998), bandwidth-dw(1000000), bandwidth-bi(1999998) sla_map=0x1

2. On Spoke_1, display the status and order of the overlays in the SD-WAN service rule:
# diagnose sys sdwan service
Service(1): Address Mode(IPV4) flags=0x200 use-shortcut-sla
Tie break: cfg
Gen(1), TOS(0x0/0x0), Protocol(0: 1->65535), Mode(sla), sla-compare-order
Members(2):
1: Seq_num(1 H1_T11), alive, sla(0x1), gid(0), cfg_order(0), local cost(0), selected
2: Seq_num(4 H1_T22), alive, sla(0x1), gid(0), cfg_order(3), local cost(0), selected

Src address(1):
10.0.0.0-10.255.255.255
Dst address(1):
10.0.0.0-10.255.255.255

Both overlays are within SLA, so H1_T11 is preferred due to its cfg-order.
Spoke_1’s SLA information for H1_T11 and H1_T22 is embedded into the ICMP probes destined for the hub’s Lo_
HC interface. The hub receives this information and maps the SLAs correspondingly per spoke and overlay based
on the same SLA targets.
As a result, since all SLAs are within target, the hub sets the routes over each overlay as follows:

Hub SD-WAN member    Overlay    SLA status           Priority for IKE routes
1                    EDGE_T1    0x1 – within SLA     10
2                    EDGE_T2    0x1 – within SLA     15

Simultaneously, BGP recursive routes inherit the priority based on the parent IKE routes. The recursively resolved
BGP routes that pass through EDGE_T1 will have a priority of 10, and routes that pass through EDGE_T2 will have
a priority of 15. Therefore, traffic from the hub to spoke will be routed to EDGE_T1.
3. Verify the routing tables.
a. Static:
# get router info routing-table static
Routing table for VRF=0
S 172.31.0.65/32 [15/0] via EDGE_T1 tunnel 10.0.0.69 vrf 0, [10/0]
[15/0] via EDGE_T2 tunnel 172.31.0.65 vrf 0, [15/0]

b. BGP:
# get router info routing-table bgp
Routing table for VRF=0
B 10.0.3.0/24 [200/0] via 172.31.0.65 (recursive via EDGE_T1 tunnel 10.0.0.69
vrf 0 [10]), 04:32:53
(recursive via EDGE_T2 tunnel 172.31.0.65
vrf 0 [15]), 04:32:53, [1/0]

Next, test by making the health checks over the spoke's H1_T11 tunnel out of SLA. This should trigger traffic to start
flowing over the spoke's H1_T22 tunnel. Consequently, the SLA statuses are passed from the spoke to the hub, and the
hub will start routing traffic to EDGE_T2.

To verify that the hub will start routing traffic to EDGE_T2 when the spoke H1_T11 tunnel is out of SLA:

1. On Spoke_1, display the status of the health checks for H1_T11 and H1_T22:
# diagnose sys sdwan health-check
Health Check(HUB):
Seq(1 H1_T11): state(alive), packet-loss(0.000%) latency(120.228), jitter(0.013), mos
(4.338), bandwidth-up(999999), bandwidth-dw(1000000), bandwidth-bi(1999999) sla_map=0x0
Seq(4 H1_T22): state(alive), packet-loss(0.000%) latency(0.220), jitter(0.008), mos
(4.404), bandwidth-up(999998), bandwidth-dw(1000000), bandwidth-bi(1999998) sla_map=0x1

2. Verify the routing tables.


a. Static:
# get router info routing-table static
Routing table for VRF=0
S 172.31.0.65/32 [15/0] via EDGE_T2 tunnel 172.31.0.65 vrf 0, [15/0]
[15/0] via EDGE_T1 tunnel 10.0.0.69 vrf 0, [20/0]

The priority for EDGE_T1 has changed from 10 to 20.


b. BGP:
# get router info routing-table bgp
Routing table for VRF=0
B 10.0.3.0/24 [200/0] via 172.31.0.65 (recursive via EDGE_T2 tunnel 172.31.0.65
vrf 0 [15]), 00:01:19
(recursive via EDGE_T1 tunnel 10.0.0.69
vrf 0 [20]), 00:01:19, [1/0]

EDGE_T2 is now preferred. The priority for EDGE_T1 has changed from 10 to 20.
Spoke_1’s SLA information for H1_T11 embedded into the ICMP probes has now changed.
As a result, the hub sets the routes over each overlay as follows:

Hub SD-WAN member    Overlay    SLA status           Priority for IKE routes
1                    EDGE_T1    0x0 – out of SLA     20
2                    EDGE_T2    0x1 – within SLA     15

The BGP recursive routes inherit the priority based on the parent IKE routes. Since the priority for IKE routes on EDGE_T1
has changed to 20, recursively resolved BGP routes passing through EDGE_T1 have also dropped to 20. As a result, hub
to spoke_1 traffic will go over EDGE_T2.
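The two tables above show how the hub maps the SLA status embedded in the spoke's probes onto an IKE route priority per overlay. The following Python script, an added example rather than FortiOS code, models that mapping for the hub configuration shown above (sla-id-redistribute 1, priority-in-sla 10/15, priority-out-sla 20/25) and returns the overlay that hub-to-spoke traffic will take in each scenario. Treating an overlay on which no probe has been received as out of SLA is this model's assumption, not documented FortiOS behaviour.

```python
"""Model the hub's use of SLA status embedded in spoke ICMP probes: each hub
overlay gets an IKE route priority from priority-in-sla / priority-out-sla,
and hub-to-spoke traffic follows the lowest priority value.

Added example, not FortiOS code. HUB_MEMBERS mirrors the hub configuration
shown above; an overlay on which no probe has been received is treated as out
of SLA here, which is this model's assumption rather than documented behaviour.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class HubMember:
    seq: int               # SD-WAN member sequence number on the hub
    interface: str         # hub-side overlay, e.g. EDGE_T1
    sla_id: int            # SLA entry applied to IKE routes (sla-id-redistribute)
    priority_in_sla: int   # priority-in-sla
    priority_out_sla: int  # priority-out-sla


HUB_MEMBERS: List[HubMember] = [
    HubMember(seq=1, interface="EDGE_T1", sla_id=1, priority_in_sla=10, priority_out_sla=20),
    HubMember(seq=2, interface="EDGE_T2", sla_id=1, priority_in_sla=15, priority_out_sla=25),
]


def sla_met(sla_map: int, sla_id: int) -> bool:
    """sla_map is the bitmask carried in the probe: bit (sla_id - 1) set = target met."""
    return bool(sla_map & (1 << (sla_id - 1)))


def ike_route_priorities(members: List[HubMember],
                         spoke_sla_maps: Dict[str, int]) -> Dict[str, Tuple[str, int]]:
    """spoke_sla_maps maps hub overlay -> sla_map learned from the spoke's probe
    arriving on that overlay (the spoke's H1_T11 probe arrives on EDGE_T1).
    Returns {overlay: (SLA status, IKE route priority)}."""
    result = {}
    for m in members:
        sla_map = spoke_sla_maps.get(m.interface, 0x0)  # missing probe -> 0x0 (assumption)
        if sla_met(sla_map, m.sla_id):
            result[m.interface] = ("within SLA", m.priority_in_sla)
        else:
            result[m.interface] = ("out of SLA", m.priority_out_sla)
    return result


def preferred_overlay(members: List[HubMember], priorities: Dict[str, Tuple[str, int]]) -> str:
    """Lowest priority value wins; a tie falls back to the lower member sequence.

    With recursive-inherit-priority enabled, the BGP route to the spoke LAN that
    recurses over an overlay inherits that overlay's priority, so the same
    selection applies to hub-to-spoke LAN traffic."""
    return min(members, key=lambda m: (priorities[m.interface][1], m.seq)).interface


if __name__ == "__main__":
    scenarios = {
        "both overlays within SLA": {"EDGE_T1": 0x1, "EDGE_T2": 0x1},
        "spoke H1_T11 out of SLA": {"EDGE_T1": 0x0, "EDGE_T2": 0x1},
    }
    for name, maps in scenarios.items():
        prio = ike_route_priorities(HUB_MEMBERS, maps)
        print(f"{name}: {prio} -> hub routes to {preferred_overlay(HUB_MEMBERS, prio)}")
```

The values chosen on the hub matter: because an out-of-SLA overlay is still routable at its priority-out-sla value, the design only fails over when every in-SLA value is lower than every out-of-SLA value (10 and 15 against 20 and 25 above); overlapping ranges would let a degraded overlay keep winning.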

SD-WAN rules

SD-WAN rules, which are sometimes called service rules, identify traffic of interest, and then route the traffic based on a
strategy and the condition of the route or link between two devices. You can use many strategies to select the outgoing
interface and many performance service level agreements (SLAs) to evaluate the link conditions.
Use the following topics to learn about and create SD-WAN rules for your needs:
• Overview on page 576
• Implicit rule on page 584
• Automatic strategy on page 588
• Manual strategy on page 589
• Best quality strategy on page 590
• Lowest cost (SLA) strategy on page 594
• Maximize bandwidth (SLA) strategy on page 597
• Use MAC addresses in SD-WAN rules and policy routes on page 600
• SD-WAN traffic shaping and QoS on page 601
• SDN dynamic connector addresses in SD-WAN rules on page 606
• Application steering using SD-WAN rules on page 608
• DSCP tag-based traffic steering in SD-WAN on page 621
• ECMP support for the longest match in SD-WAN rule matching on page 628
• Override quality comparisons in SD-WAN longest match rule matching on page 630
• Use an application category as an SD-WAN rule destination on page 633

Overview

SD-WAN rules control how sessions are distributed to SD-WAN members. You can configure SD-WAN rules from the
GUI and CLI.
From the GUI, go to Network > SD-WAN > SD-WAN Rules. When creating a new SD-WAN rule, or editing an existing
SD-WAN rule, use the Source and Destination sections to identify traffic, and use the Outgoing interfaces section to
configure WAN intelligence for routing traffic.

From the CLI, use the following command to configure SD-WAN rules:
config system sdwan
config service
edit <ID>
next
end
end

The following topics describe the fields used to configure SD-WAN rules:
• Fields for identifying traffic on page 577
• Fields for configuring WAN intelligence on page 580
• Additional fields for configuring WAN intelligence on page 583

Fields for identifying traffic

This topic describes the fields in an SD-WAN rule used for defining the traffic to which the rule applies. Some fields are
available only in the CLI.
SD-WAN rules can identify traffic by source address, destination address, service, and individual or user group matches.
SD-WAN rules can also identify traffic by application control (application-aware routing), internet service database
(ISDB), BGP route tags, and Differentiated Services Code Point (DSCP) tags.
In the GUI, go to Network > SD-WAN > SD-WAN Rules. Click Create New, or double-click an existing rule to open it for
editing. The Source and Destination sections are used to identify traffic for the rule:


In the CLI, edit the service definition ID number to identify traffic for the rule:
config system sdwan
    config service
        edit <ID>
            <CLI commands from the following tables>
            ...
        next
    end
end

The following table describes the fields used for the name, ID, and IP version of the SD-WAN rule:

Name, ID, and IP version

Name
    CLI: set name <string>
    The name does not need to relate to the traffic being matched, but it is good practice to have intuitive rule names.

ID
    CLI: config system sdwan / config service / edit <ID>
    The ID is generated when the rule is created. You can only specify the ID from the CLI.

IP version
    CLI: set addr-mode <ipv4 | ipv6>
    The addressing mode can be IPv4 or IPv6. To configure IPv6 in the GUI, IPv6 must be enabled on the System > Feature
    Visibility page.

The following table describes the fields used for the source section of the SD-WAN rule:

Source

Source address
    CLI: set src <object>
    One or more address objects. May be negated from the CLI with set src-negate enable.

User group
    CLI: set users <user object>, set groups <group object>
    Individual users or user groups.

Source interface (input-device)
    CLI: set input-device <interface name>
    CLI only. Select one or more source interfaces. May be negated with set input-device-negate enable.

The following table describes the fields used for the destination section of the SD-WAN rule:

Destination

Address
    CLI: set dst <object>
         set protocol <integer>
         set start-port <integer>, set end-port <integer>
    One or more address objects. One protocol and one port range can be combined with the address object. If it is
    necessary for an SD-WAN rule to match multiple protocols or multiple port ranges, create a custom Internet Service
    instead. Use set dst-negate enable to negate the address object.

Internet Service
    CLI: set internet-service enable
         set internet-service-custom <name_1> <name_2> ... <name_n>
         set internet-service-custom-group <name_1> <name_2> ... <name_n>
         set internet-service-name <name_1> <name_2> ... <name_n>
         set internet-service-group <name_1> <name_2> ... <name_n>
    One or more internet services or service groups. This applies only to IPv4 rules, and cannot be used in conjunction
    with an address object.

Application
    CLI: set internet-service-app-ctrl <id_1> <id_2> ... <id_n>
         set internet-service-app-ctrl-group <name_1> <name_2> ... <name_n>
         set internet-service-app-ctrl-category <id_1> <id_2> ... <id_n>
    One or more applications, application groups, or application categories. This applies only to IPv4 rules, and
    cannot be used in conjunction with an address object. May be used together with internet services or service groups.

Route tag (route-tag)
    CLI: set route-tag <integer>
    CLI only. This replaces the dst field (if previously configured) and matches a BGP route tag configured in a route
    map. See Using BGP tags with SD-WAN rules on page 643.

TOS mask (tos-mask)
    CLI: set tos-mask <8-bit hex value>
    CLI only. To leverage type of service (TOS) matching or DSCP matching on the IP header, the SD-WAN rule must specify
    the bit mask of the byte holding the TOS value. For example, a TOS mask of 0xe0 (11100000) matches the upper 3 bits.

TOS (tos)
    CLI: set tos <8-bit hex value>
    CLI only. The value specified here is compared after the tos-mask is applied. For example, the FortiGate receives
    DSCP values 110000 and 111011. DSCP is the upper 6 bits of the TOS byte, so the TOS bytes are 11000000 and 11101100
    respectively. With tos-mask 0xe0 and tos 0xe0 (11100000), only the second DSCP value is matched.
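The mask-then-compare step described for tos-mask and tos, as an added Python example (not code from the guide or from FortiOS). The DSCP codepoints are constructed; the 0xe0/0xe0 case reproduces the page's example, and rule_for_dscp shows the mask/value pair needed to match a single codepoint while ignoring the two ECN bits, which is the usual intent and a common place to get the shift wrong.

```python
# Added example (not from the FortiOS guide or FortiOS itself): how an SD-WAN
# rule's `set tos-mask` and `set tos` values are applied to the IP TOS byte.
# Both CLI values are 8-bit hex; the DSCP codepoints below are constructed.


def dscp_to_tos(dscp):
    """DSCP is the upper 6 bits of the TOS byte; the low 2 bits carry ECN."""
    if not 0 <= dscp <= 0x3F:
        raise ValueError("DSCP is a 6-bit value (0..63)")
    return dscp << 2


def tos_matches(tos_byte, tos_mask, tos_value):
    """The rule matches when the masked TOS byte equals the configured tos value:
    apply tos-mask first, then compare against tos."""
    return (tos_byte & tos_mask) == tos_value


def match_dscp_values(dscp_values, tos_mask, tos_value):
    """Evaluate several DSCP codepoints against one rule's tos-mask/tos pair."""
    return {d: tos_matches(dscp_to_tos(d), tos_mask, tos_value) for d in dscp_values}


def rule_for_dscp(dscp):
    """The (tos-mask, tos) pair that matches exactly one DSCP codepoint and ignores
    ECN: mask 0xfc, tos = the codepoint shifted into the upper 6 bits. Writing the
    raw DSCP number into `set tos` is a common mistake."""
    return 0xFC, dscp_to_tos(dscp)


if __name__ == "__main__":
    # The page's example: DSCP 110000 and 111011 against tos-mask 0xe0 / tos 0xe0
    print(match_dscp_values([0b110000, 0b111011], 0xE0, 0xE0))
    # Match only EF (DSCP 46) regardless of ECN marking
    mask, tos = rule_for_dscp(46)
    print(hex(mask), hex(tos), tos_matches(0xB8 | 0x01, mask, tos))
```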

Fields for configuring WAN intelligence

This topic describes the fields in an SD-WAN rule used for configuring WAN intelligence, which processes and routes
traffic that matches the SD-WAN rule.
In the GUI, go to Network > SD-WAN > SD-WAN Rules. Click Create New, or double-click an existing rule to open it for
editing. The Outgoing Interfaces section is used to configure WAN intelligence for the rule.

WAN intelligence consists of the following parts:
l Interface or zone preference on page 581
l Strategy on page 582
l Performance SLA on page 582

Interface or zone preference

By default, the configured order of interfaces and/or zones in a rule is used. Interfaces and zones that are selected first
have precedence over interfaces selected second, and so on.
You can specify both interfaces and zones. When a zone is specified in the Zone preference field, it is equivalent to
selecting each of the contained interface members in the Interface preference section. Interface members in a zone
have lower priority than interfaces configured in the Interface preference section.
For example:
l There are three interfaces: port1, port2, and port3.
l Port2 is in Zone1.
l Port1 and port3 belong to the default virtual-wan-link zone.
l An SD-WAN rule is created with Interface preference set to port3 and port1, and Zone preference set to Zone1.
The SD-WAN rule prefers the interfaces in the following order:
1. port3
2. port1
3. port2
You can configure the interface and zone preference in the CLI:
config system sdwan
    config service
        edit <ID>
            set priority-members <member ID> [<member ID> ...]
            set priority-zone <zone name> [<zone name> ...]
        next
    end
end

Strategy

Strategy dictates how the interface and/or zone order changes as link conditions change. You can use the following
strategies:
l Automatic (auto): interfaces are assigned a priority based on quality. See Automatic strategy on page 588.
l Manual (manual): interfaces are manually assigned a priority. See Manual strategy on page 589.
l Best Quality (priority): interfaces are assigned a priority based on the link-cost-factor of the interface.
See Best quality strategy on page 590.
l Lowest cost (SLA) (sla): interfaces are assigned a priority based on selected SLA settings. See Lowest cost (SLA)
strategy on page 594.
l Maximize Bandwidth (SLA) (load-balance): traffic is distributed among all available links based on the selected
load balancing algorithm. See Maximize bandwidth (SLA) strategy on page 597.

Performance SLA

The best quality, lowest cost, and maximize bandwidth strategies are the most intelligent modes, and they leverage SLA
health checks to provide meaningful metrics for a given link. The FortiGate uses these metrics to make routing decisions.
The manual strategy uses a fixed preference order and does not leverage SLA health checks; the automatic strategy uses a
health check only to rank the links.
The goal of the performance SLA is to measure the quality of each SD-WAN member link. The following methods can be
used to measure the quality of a link:
l Active measurement
  l Health-check traffic is sent to a server using one of a variety of protocol options.
  l The following SLA metrics are measured on this probe traffic:
    l Latency
    l Jitter
    l Packet loss
l Passive measurement
  l SLA metrics are measured on real or live traffic, reducing the amount of probe traffic that is sent and received.
  l There is an option (prefer passive) to initiate probe traffic when no live traffic is present.
Performance SLA is used by the auto, Lowest Cost (SLA), Maximize Bandwidth (SLA), and Best Quality strategies.
Lowest Cost (SLA) and Maximize Bandwidth (SLA) use SLA targets in a pass or fail style to evaluate whether a link is
considered for traffic. Best Quality compares a specific metric of the SLA to pick the best result.
Therefore it is integral to select or create SLA target(s) that relate to the traffic targeted by the rule. It does not make
sense to evaluate a public resource, such as YouTube, when the rule matches Azure traffic.
See Performance SLA on page 537 for more details.


Additional fields for configuring WAN intelligence

This topic describes the fields in an SD-WAN rule used for configuring WAN intelligence for egress traffic:
l Forward and/or reverse differentiated services code point (DSCP) on page 583
l Default and gateway options on page 583
For information about accessing fields for configuring WAN intelligence, see Fields for configuring WAN intelligence on
page 580.

Forward and/or reverse differentiated services code point (DSCP)

The FortiGate differentiated services feature can be used to change the DSCP value of all packets accepted by a policy.
The DSCP field of packets that initiate a session (forward) and of reply packets (reverse) can be rewritten, and each
direction can be enabled separately, using the Forward DSCP and Reverse DSCP fields of the rule.
From the CLI:
config system sdwan
    config service
        edit <ID>
            ...
            set dscp-forward enable
            ...
        next
    end
end

set dscp-forward enable         Enable use of the forward DSCP tag.
set dscp-forward-tag 000000     Forward traffic DSCP tag (6 bits).
set dscp-reverse enable         Enable use of the reverse DSCP tag.
set dscp-reverse-tag 000000     Reverse traffic DSCP tag (6 bits).

Default and gateway options

Following are additional gateway options that can be set only in the CLI:
config system sdwan
    config service
        edit <ID>
            ...
            set default enable
            ...
        next
    end
end

set default [enable|disable]    Enable or disable use of SD-WAN as the default service.
set gateway [enable|disable]    Enable or disable the SD-WAN service gateway.

By default, both settings are disabled.

These two commands adjust FortiGate route selection by changing how the FortiGate consults the Forwarding
Information Base (FIB).
To decide whether an SD-WAN rule (a policy route) can be matched, the FortiGate performs the following FIB lookups:
l The FIB best match for the destination must return an SD-WAN member.
l A FIB route to the destination must exist over the desired SD-WAN member.
When set default enable is used with set gateway enable, the FortiGate bypasses both FIB checks and instead
routes any traffic matching the SD-WAN rule to the chosen SD-WAN member using the member's configured
gateway. The SD-WAN members must therefore have a gateway configured.
When set default disable is used with set gateway enable, the FortiGate keeps the first check in effect but
changes the second check to:
l A FIB route to the gateway IP address must exist over any interface.
See also Fields for configuring WAN intelligence on page 580.
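The two FIB checks and the way set default / set gateway relax them, as an added Python model (not code from the guide or from FortiOS). The FIB entries, member names and gateway addresses are constructed; the combination default enable with gateway disable is not described on the page and is modelled here as the standard checks, which is an assumption.

```python
from ipaddress import ip_address, ip_network

# Added example (not from the FortiOS guide or FortiOS itself): the FIB checks
# an SD-WAN rule must pass before it can steer a session to a member, and how
# `set default` / `set gateway` change them. FIB and members are constructed.

# (prefix, egress interface, next hop)
FIB = [
    (ip_network("0.0.0.0/0"), "wan1", "203.0.113.1"),
    (ip_network("10.10.0.0/16"), "wan2", "198.51.100.1"),
    (ip_network("192.168.1.0/24"), "lan", None),
]
# SD-WAN member -> configured gateway (None = no gateway configured).
# wan3 is a member with a gateway but no FIB route over it.
MEMBERS = {"wan1": "203.0.113.1", "wan2": "198.51.100.1", "wan3": "192.0.2.1"}


def routes_to(dst):
    """All FIB entries covering the destination."""
    return [e for e in FIB if ip_address(dst) in e[0]]


def best_match(dst):
    """Longest-prefix match, or None when nothing covers the destination."""
    return max(routes_to(dst), key=lambda e: e[0].prefixlen, default=None)


def rule_can_steer(dst, member, default=False, gateway=False):
    """Return (ok, reason) for steering `dst` to `member` under the rule options."""
    if member not in MEMBERS:
        return False, "%s is not an SD-WAN member" % member
    if default and gateway:
        # both enabled: FIB checks are bypassed, member's own gateway is used
        if MEMBERS[member] is None:
            return False, "member has no gateway configured"
        return True, "FIB checks bypassed; using member gateway"
    # check 1 (always with default disabled): best match must be an SD-WAN member
    bm = best_match(dst)
    if bm is None or bm[1] not in MEMBERS:
        return False, "FIB best match is not an SD-WAN member"
    if gateway:
        # check 2 with gateway enabled: a route to the member's gateway IP
        # over any interface is enough
        gw = MEMBERS[member]
        if gw is None or not routes_to(gw):
            return False, "no FIB route to the member gateway"
        return True, "route to member gateway exists"
    # check 2 standard: a route to the destination must exist over the member
    # (default enabled without gateway is modelled the same way; assumption)
    if any(e[1] == member for e in routes_to(dst)):
        return True, "route to destination exists over member"
    return False, "no FIB route to destination over member"


if __name__ == "__main__":
    for opts in ({}, {"gateway": True}, {"default": True, "gateway": True}):
        print("10.10.5.5 -> wan3", opts, rule_can_steer("10.10.5.5", "wan3", **opts))
        print("192.168.1.5 -> wan1", opts, rule_can_steer("192.168.1.5", "wan1", **opts))
```

The wan3 case is the one the gateway option exists for: the destination's best match is an SD-WAN member, but nothing routes over wan3 itself, so the rule only takes effect once the second check is relaxed to a route to the gateway address.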
See also Fields for configuring WAN intelligence on page 580.

Implicit rule

SD-WAN rules define specific policy routing options to route traffic to an SD-WAN member. When no explicit SD-WAN
rules are defined, or if none of the rules are matched, the default implicit rule is used.
In an SD-WAN configuration, the default route usually points to the SD-WAN interface, so each active member's
gateway is added to the routing table's default route. FortiOS uses equal-cost multipath (ECMP) to balance traffic
between the interfaces. One of five load balancing algorithms can be selected:

Source IP (source-ip-based)
    Traffic is divided equally between the interfaces, including the SD-WAN interface. Sessions that start at the same
    source IP address use the same path. This is the default selection.

Sessions (weight-based)
    The workload is distributed based on the number of sessions that are connected through the interface. The weight
    that you assign to each interface is used to calculate the percentage of the total sessions that are allowed to
    connect through an interface, and the sessions are distributed to the interfaces accordingly. Sessions with the
    same source and destination IP addresses (src-ip and dst-ip) are forwarded to the same path, but are still
    considered in later session ratio calculations. An interface's weight value cannot be zero.

Spillover (usage-based)
    The interface is used until the traffic bandwidth exceeds the ingress and egress thresholds that you set for that
    interface. Additional traffic is then sent through the next SD-WAN interface member.

Source-Destination IP (source-dest-ip-based)
    Traffic is divided equally between the interfaces. Sessions that start at the same source IP address and go to the
    same destination IP address use the same path.

Volume (measured-volume-based)
    The workload is distributed based on the volume of traffic (number of packets) going through the interface. The
    volume weight that you assign to each interface is used to calculate the percentage of the total bandwidth that is
    allowed to go through an interface, and the bandwidth is distributed to the interfaces accordingly. An interface's
    volume value cannot be zero.

You cannot exclude an interface from participating in load balancing using the implicit rule. If the weight or volume
was set to zero in a previous FortiOS version, the value is treated as one.
Interfaces with static routes can be excluded from ECMP if those routes are configured with a lower priority than the
other static routes.

Examples

The following four examples demonstrate how to use the implicit rules (load-balance mode).

If no SD-WAN zone is specified, members are added to the default virtual-wan-link zone.

Example 1

Outgoing traffic is equally balanced between wan1 and wan2, using source-ip-based or source-dest-ip-based mode.

Using the GUI:

1. On the FortiGate, enable SD-WAN and add wan1 and wan2 as SD-WAN members, then add a policy and static
route. See SD-WAN quick start on page 518 for details.
2. Go to Network > SD-WAN and select the SD-WAN Rules tab.
3. Edit the sd-wan rule (the last default rule).
4. For the Load Balancing Algorithm, select either Source IP or Source-Destination IP.
5. Click OK.


Using the CLI:

1. Enable SD-WAN and add wan1 and wan2 as SD-WAN members, then add a policy and static route. See SD-WAN
quick start on page 518 for details.
2. Set the load balancing algorithm:
Source IP based:
config system sdwan
    set load-balance-mode source-ip-based
end

Source-Destination IP based:
config system sdwan
    set load-balance-mode source-dest-ip-based
end

Example 2

Outgoing traffic is balanced between wan1 and wan2 with a customized ratio, using weight-based mode: wan1 runs 80%
of the sessions, and wan2 runs 20% of the sessions.
Sessions with the same source and destination IP addresses (src-ip and dst-ip) will be forwarded to the same
path, but will still be considered in later session ratio calculations.

Using the GUI:

1. Go to Network > SD-WAN and select the SD-WAN Rules tab.
2. Edit the sd-wan rule (the last default rule).
3. For the Load Balancing Algorithm, select Sessions.
4. Enter 80 in the wan1 field, and 20 in the wan2 field.
5. Click OK.

Using the CLI:

config system sdwan
    set load-balance-mode weight-based
    config members
        edit 1
            set interface "wan1"
            set weight 80
        next
        edit 2
            set interface "wan2"
            set weight 20
        next
    end
end

Example 3

Outgoing traffic is balanced between wan1 and wan2 with a customized ratio, using measured-volume-based mode:
wan1 runs 80% of the volume, and wan2 runs 20% of the volume.

Using the GUI:

1. Go to Network > SD-WAN and select the SD-WAN Rules tab.
2. Edit the sd-wan rule (the last default rule).
3. For the Load Balancing Algorithm, select Volume.
4. Enter 80 in the wan1 field, and 20 in the wan2 field.
5. Click OK.

Using the CLI:

config system sdwan
    set load-balance-mode measured-volume-based
    config members
        edit 1
            set interface "wan1"
            set volume-ratio 80
        next
        edit 2
            set interface "wan2"
            set volume-ratio 20
        next
    end
end

Example 4

Load balancing can be used to reduce costs when internet connections are charged at different rates. For example, if
wan2 charges based on volume usage and wan1 charges a fixed monthly fee, we can use wan1 at its maximum
bandwidth, and use wan2 for overflow.
In this example, wan1's bandwidth is 10Mbps down and 2Mbps up. Traffic will use wan1 until it reaches its spillover limit,
then it will start to use wan2. Note that auto-asic-offload must be disabled in the firewall policy.

Using the GUI:

1. On the FortiGate, enable SD-WAN and add wan1 and wan2 as SD-WAN members, then add a policy and static
route. See SD-WAN quick start on page 518 for details.
2. Go to Network > SD-WAN and select the SD-WAN Rules tab.
3. Edit the sd-wan rule (the last default rule).
4. For the Load Balancing Algorithm, select Spillover.
5. Enter 10000 in the wan1 Ingress Spillover Threshold field, and 2000 in the wan1 Egress Spillover Threshold field
(both values are in kbps).
6. Click OK.

Using the CLI:

config system sdwan
    set load-balance-mode usage-based
    config members
        edit 1
            set interface "wan1"
            set spillover-threshold 2000
            set ingress-spillover-threshold 10000
        next
    end
end

Automatic strategy

The automatic strategy is a legacy rule that lets you select an outgoing interface based on its performance ranking
compared to the other SD-WAN interfaces. This is achieved by applying a performance SLA to rank the interfaces, and
then selecting the desired rank.
In this example, you have three SD-WAN interfaces to three different ISPs that all go to the public internet. WAN1 is your
highest quality link and should be reserved for business critical traffic. WAN2 and WAN3 are redundant backup links.
You noticed one non-critical application is taking up a lot of bandwidth and want to prioritize it to the lowest quality link at
any given time.

To configure automatic SD-WAN rules from the CLI:

config system sdwan
    config members
        edit 1
            set interface "wan1"
        next
        edit 2
            set interface "wan2"
        next
        edit 3
            set interface "wan3"
        next
    end
    config health-check
        edit "non-critical application"
            set server "noncritical.application.com"
            set members 1 2 3
            config sla
                edit 1
                    set latency-threshold 250
                    set jitter-threshold 50
                    set packetloss-threshold 3
                next
            end
        next
    end
    config service
        edit 1
            set name "non-critical application"
            set mode auto
            set quality-link 3
            set dst "non-critical-app-address-object"
            set health-check "non-critical application"
        next
    end
end

The auto option is only available in the CLI. If you use the GUI to edit the rule, the auto option
will be overwritten because you cannot select auto in the GUI.

Manual strategy

In manual mode, no health checks are used. As a result, the decision making is closer to static logic than to
intelligence. SD-WAN manual rules are similar to regular policy-based routes, but have the added features of
application-aware routing and BGP-tag routing. A manual strategy rule consists of the following parts:
l Defining the interfaces to be used
l Ordering the interfaces based on preference

To configure manual SD-WAN rules from the GUI:

1. Go to Network > SD-WAN.
2. Select the SD-WAN Rules tab, and click Create New.
3. Set the following options to create a manual rule:

Name                Type a name for the rule.
Source              (Optional) Specify a Source address and/or User group.
Destination         Specify the destination using an Address object, an Internet Service, or an Application.
Zone preference     Specify one or more SD-WAN interfaces or zones. The order in which the interfaces or zones are
                    specified determines their priority when the rule is matched.

4. Set the remaining options as desired, and click OK to create the rule.

To configure manual SD-WAN rules from the CLI:

config system sdwan
    config members
        edit 1
            set interface "wan1"
        next
        edit 2
            set interface "wan2"
        next
    end
    config service
        edit 1
            set name "manual"
            set mode manual
            set priority-members 2 1
            set dst "DC_net"
            set hold-down-time 60
        next
    end
end

l The command set mode manual will not appear in the configuration because it is the
default mode.
l The command set hold-down-time <integer> is an optional command that
controls how long to wait before switching back to the primary interface in the event of a
failover.

Best quality strategy

When using Best Quality mode, SD-WAN chooses the best link to forward traffic by comparing the link-cost-factor. A
link-cost factor is a specific metric of the participating link(s) (such as latency, packet loss, and so on) evaluated
against a target that you define (such as a health-check server), for example, the latency of WAN1 and WAN2 to your
datacenter. The available link-cost factors are:

Latency (latency)
    Select a link based on latency.
Jitter (jitter)
    Select a link based on jitter.
Packet Loss (packet-loss)
    Select a link based on packet loss.
Downstream (inbandwidth)
    Select a link based on the available bandwidth of incoming traffic.
Upstream (outbandwidth)
    Select a link based on the available bandwidth of outgoing traffic.
Bandwidth (bibandwidth)
    Select a link based on the available bandwidth of bidirectional traffic.
Customized profile (custom-profile-1)
    Select a link based on a customized profile. If selected, set the following weights:
    l packet-loss-weight: Coefficient of packet loss.
    l latency-weight: Coefficient of latency.
    l jitter-weight: Coefficient of jitter.
    l bandwidth-weight: Coefficient of the reciprocal of available bidirectional bandwidth.

Although SD-WAN intelligence selects the best quality link according to the selected metric, by default a preference or
advantage is given to the first configured SD-WAN member. This default is 10% and may be changed with the CLI
command set link-cost-threshold <percentage>.
Example of how link-cost-threshold works:
config system sdwan
    config members
        edit 1
            set interface "wan1"
        next
        edit 2
            set interface "wan2"
        next
    end
    config service
        edit 1
            set name "Best_Quality"
            set mode priority
            set priority-members 2 1
            set dst "DC_net"
            set health-check "DC_HealthCheck"
            set link-cost-factor latency
            set link-cost-threshold 10
        next
    end
end

In this example both WAN1 and WAN2 are assumed to have 200ms latency to the health-check server named DC_
HealthCheck. Because WAN2 is specified before WAN1 in priority-members, SD-WAN evaluates the two interfaces'
metrics as follows:
l WAN1: 200ms
l WAN2: 200ms / (1 + 10%) = ~182ms
As a result, WAN2 is selected because its adjusted latency is lower.
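The same ranking carried out in code, as an added Python example (not code from the guide or from FortiOS). It reproduces the 200ms case above and the gmail latencies from the diagnose output later in this section, and goes one step further than the page by also computing the custom-profile-1 weighted cost from the weights listed in the table. Member names, health-check numbers and weights are constructed, and the 10% advantage is modelled exactly as the page states it: the first member listed in priority-members has its cost divided by (1 + threshold/100).

```python
# Added example, not from the FortiOS guide or FortiOS itself: ranking members
# under Best Quality (`set mode priority`). Health-check numbers, member names
# and custom-profile weights are constructed for illustration.

LOWER_IS_BETTER = ("latency", "jitter", "packet-loss")


def link_cost(metrics, factor, weights=None):
    """Cost of one member for the chosen link-cost-factor; lower is better.
    custom-profile-1 is the weighted sum the page describes, where
    bandwidth-weight multiplies the reciprocal of bidirectional bandwidth."""
    if factor in LOWER_IS_BETTER:
        return float(metrics[factor])
    if factor == "custom-profile-1":
        w = weights or {}
        cost = (w.get("packet-loss-weight", 0) * metrics["packet-loss"]
                + w.get("latency-weight", 0) * metrics["latency"]
                + w.get("jitter-weight", 0) * metrics["jitter"])
        if w.get("bandwidth-weight", 0):
            cost += w["bandwidth-weight"] / metrics["bibandwidth"]
        return float(cost)
    # inbandwidth/outbandwidth/bibandwidth are higher-is-better and the page does
    # not say how the threshold applies to them, so they are not modelled here
    raise ValueError("unsupported link-cost-factor: %s" % factor)


def rank_best_quality(priority_members, metrics, factor="latency",
                      link_cost_threshold=10, weights=None):
    """Members ordered best-first. Dead members (health check down) are skipped.
    The first member listed in priority-members has its cost divided by
    (1 + threshold/100), the advantage the page describes; equal adjusted
    costs keep the configured order because the sort is stable."""
    scored = []
    for member in priority_members:
        if not metrics[member].get("alive", True):
            continue
        cost = link_cost(metrics[member], factor, weights)
        if member == priority_members[0]:
            cost /= 1 + link_cost_threshold / 100
        scored.append((cost, member))
    scored.sort(key=lambda item: item[0])
    return [member for _, member in scored]


if __name__ == "__main__":
    # the page's link-cost-threshold example: both 200 ms, wan2 listed first
    print(rank_best_quality(["wan2", "wan1"],
                            {"wan1": {"latency": 200}, "wan2": {"latency": 200}}))
    # the page's gmail example: wan1 14.563 ms, wan2 12.633 ms, wan1 listed first
    print(rank_best_quality(["wan1", "wan2"],
                            {"wan1": {"latency": 14.563}, "wan2": {"latency": 12.633}}))
```

Note the third assertion in the check below: with wan2 at 13.5ms instead of 12.633ms, wan1 wins even though its raw latency is higher, because 14.563 / 1.1 is about 13.24ms. The threshold is there to stop the rule flapping between links whose metrics are within a few percent of each other.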

If the Downstream (inbandwidth), Upstream (outbandwidth), or Bandwidth (bibandwidth) quality criterion is used,
the FortiGate uses the upstream and downstream bandwidth values configured on the member interfaces to calculate
bandwidth.
The interface bandwidth configuration can be done manually, or the interface speedtest can be used to populate the
bandwidth values based on the speedtest results. See Manual interface speedtest on page 557 for details.

To manually configure the upstream and downstream interface bandwidth values:

config system interface
    edit <interface>
        set estimated-upstream-bandwidth <speed in kbps>
        set estimated-downstream-bandwidth <speed in kbps>
    next
end

Example

In this example, your wan1 and wan2 SD-WAN interfaces connect to two ISPs that both go to the public internet, and you
want Gmail services to use the link with the least latency.

To configure an SD-WAN rule to use Best Quality:

1. On the FortiGate, add wan1 and wan2 as SD-WAN members, then add a policy and static route. See SD-WAN
quick start on page 518 for details.
2. Create a new Performance SLA named google. See Link monitoring example on page 545.
3. Go to Network > SD-WAN, select the SD-WAN Rules tab, and click Create New.
4. Enter a name for the rule, such as gmail.
5. Configure the following settings:

Internet Service         Google-Gmail
Strategy                 Best Quality
Interface preference     wan1 and wan2
Measured SLA             google (created in step 2)
Quality criteria         Latency

6. Click OK to create the rule.

To configure an SD-WAN rule to use priority:

config system sdwan
    config health-check
        edit "google"
            set server "google.com"
            set members 1 2
        next
    end
    config service
        edit 1
            set name "gmail"
            set mode priority
            set internet-service enable
            set internet-service-id 65646
            set health-check "google"
            set link-cost-factor latency
            set priority-members 1 2
        next
    end
end

To diagnose the Performance SLA status:

FGT # diagnose sys sdwan health-check google
Health Check(google):
Seq(1): state(alive), packet-loss(0.000%) latency(14.563), jitter(4.334) sla_map=0x0
Seq(2): state(alive), packet-loss(0.000%) latency(12.633), jitter(6.265) sla_map=0x0

FGT # diagnose sys sdwan service 1
Service(1):
TOS(0x0/0x0), protocol(0: 1->65535), Mode(priority), link-cost-facotr(latency), link-cost-threshold(10), health-check(google)
Members:
1: Seq_num(2), alive, latency: 12.633, selected
2: Seq_num(1), alive, latency: 14.563, selected
Internet Service: Google-Gmail(65646)

As wan2 has lower latency, SD-WAN puts Seq_num(2) ahead of Seq_num(1), and wan2 is used to forward Gmail
traffic.

Lowest cost (SLA) strategy

When using Lowest Cost (SLA) mode (sla in the CLI), SD-WAN will choose the lowest cost link that satisfies SLA to
forward traffic. The lowest possible cost is 0. If multiple eligible links have the same cost, the Interface preference order
will be used to select a link.

In this example, your wan1 and wan2 SD-WAN interfaces connect to two ISPs that both go to the public internet. The
cost of wan2 is less than that of wan1. You want to configure Gmail services to use the lowest cost interface, but the link
quality must meet a standard of latency: 10ms, and jitter: 5ms.


To configure an SD-WAN rule to use Lowest Cost (SLA):

1. On the FortiGate, add wan1 and wan2 as SD-WAN members, then add a policy and static route. See SD-WAN
quick start on page 518 for details.
2. Create a new Performance SLA named google that includes an SLA Target with Latency threshold = 10ms and
Jitter threshold = 5ms. See Link monitoring example on page 545.
3. Go to Network > SD-WAN, select the SD-WAN Rules tab, and click Create New.
4. Enter a name for the rule, such as gmail.
5. Configure the following settings:

Internet Service         Google-Gmail
Strategy                 Lowest Cost (SLA)
Interface preference     wan1 and wan2
Required SLA target      google (created in step 2)

6. Click OK to create the rule.

To configure an SD-WAN rule to use SLA:

config system sdwan
    config members
        edit 1
            set interface "wan1"
            set cost 10
        next
        edit 2
            set interface "wan2"
            set cost 5
        next
    end
    config health-check
        edit "google"
            set server "google.com"
            set members 1 2
            config sla
                edit 1
                    set latency-threshold 10
                    set jitter-threshold 5
                next
            end
        next
    end
    config service
        edit 1
            set name "gmail"
            set mode sla
            set internet-service enable
            set internet-service-id 65646
            config sla
                edit "google"
                    set id 1
                next
            end
            set priority-members 1 2
        next
    end
end

If no SD-WAN zone is specified, members are added to the default virtual-wan-link zone.

The CLI command set minimum-sla-meet-members allows you to specify the number of
links that must meet SLA for the rule to take effect. If the number of members is less than the
minimum set with this command, the rule will not take effect.

To diagnose the Performance SLA status:

FGT # diagnose sys sdwan health-check google
Health Check(google):
Seq(1): state(alive), packet-loss(0.000%) latency(14.563), jitter(4.334) sla_map=0x0
Seq(2): state(alive), packet-loss(0.000%) latency(12.633), jitter(6.265) sla_map=0x0

FGT # diagnose sys sdwan service 1
Service(1): Address Mode(IPV4) flags=0x0
TOS(0x0/0x0), Protocol(0: 1->65535), Mode(sla)
Members:
1: Seq_num(2), alive, sla(0x1), cfg_order(1), selected
2: Seq_num(1), alive, sla(0x1), cfg_order(0), selected
Internet Service: Google.Gmail(65646)

When both wan1 and wan2 meet the SLA requirements, Gmail traffic only uses wan2. If only wan1 meets the SLA
requirements, Gmail traffic only uses wan1, even though it has a higher cost. If neither interface meets the
requirements, wan2 is used.
If both interfaces had the same cost and both met the SLA requirements, the first link configured in set priority-
members would be used.

Maximize bandwidth (SLA) strategy

When using Maximize Bandwidth mode (load-balance in the CLI), SD-WAN uses all of the links that satisfy the SLA
to forward traffic, distributing sessions according to a load balancing algorithm. The load balancing algorithm, or
hash method, can be one of the following:

round-robin
    Traffic is distributed to the selected interfaces in equal portions and in circular order. This is the default
    method, and the only option available in the GUI.
source-ip-based
    All traffic from a source IP is sent to the same interface.
source-dest-ip-based
    All traffic from a source IP to a destination IP is sent to the same interface.
inbandwidth
    Traffic is sent to the selected interface with the most available bandwidth for incoming traffic.
outbandwidth
    Traffic is sent to the selected interface with the most available bandwidth for outgoing traffic.
bibandwidth
    Traffic is sent to the selected interface with the most available bandwidth for both incoming and outgoing
    traffic.

When the inbandwidth, outbandwidth, or bibandwidth load balancing algorithm is used, the FortiGate compares
the bandwidth based on the configured upstream and downstream bandwidth values.
The interface speedtest can be used to populate the bandwidth values based on the speedtest results. See Manual
interface speedtest on page 557 for details.

To manually configure the upstream and downstream bandwidth values:

config system interface
    edit <interface>
        set estimated-upstream-bandwidth <speed in kbps>
        set estimated-downstream-bandwidth <speed in kbps>
    next
end

ADVPN is not supported in this mode.

In this example, your wan1 and wan2 SD-WAN interfaces connect to two ISPs that both go to the public internet. You
want to configure Gmail services to use both interfaces to maximize bandwidth usage, but the link quality must meet a
standard of latency: 10ms, and jitter: 5ms.

To configure an SD-WAN rule to use Maximize Bandwidth (SLA):

1. On the FortiGate, add wan1 and wan2 as SD-WAN members, then add a policy and static route. See SD-WAN
quick start on page 518 for details.
2. Create a new Performance SLA named google that includes an SLA Target 1 with Latency threshold = 10ms and
Jitter threshold = 5ms. See Link monitoring example on page 545.
3. Go to Network > SD-WAN, select the SD-WAN Rules tab, and click Create New.
4. Enter a name for the rule, such as gmail.
5. Configure the following settings:

Field                    Setting
Internet Service         Google-Gmail
Strategy                 Maximize Bandwidth (SLA)
Interface preference     wan1 and wan2
Required SLA target      google (created in step 2)

6. Click OK to create the rule.

To configure an SD-WAN rule to use SLA:

config system sdwan
    config health-check
        edit "google"
            set server "google.com"
            set members 1 2
            config sla
                edit 1
                    set latency-threshold 10
                    set jitter-threshold 5
                next
            end
        next
    end
    config service
        edit 1
            set name "gmail"
            set addr-mode ipv4
            set mode load-balance
            set hash-mode round-robin
            set internet-service enable
            set internet-service-name Google-Gmail
            config sla
                edit "google"
                    set id 1
                next
            end
            set priority-members 1 2
        next
    end
end

The CLI command set minimum-sla-meet-members allows you to specify the number of
links that must meet SLA for the rule to take effect. If the number of members is less than the
minimum set with this command, the rule will not take effect.

To diagnose the performance SLA status:

FGT # diagnose sys sdwan health-check google
Health Check(google):
Seq(1): state(alive), packet-loss(0.000%) latency(14.563), jitter(4.334) sla_map=0x0
Seq(2): state(alive), packet-loss(0.000%) latency(12.633), jitter(6.265) sla_map=0x0


FGT # diagnose sys sdwan service 1
Service(1): Address Mode(IPV4) flags=0x0
TOS(0x0/0x0), Protocol(0: 1->65535), Mode(load-balance)
Members:
1: Seq_num(1), alive, sla(0x1), num of pass(1), selected
2: Seq_num(2), alive, sla(0x1), num of pass(1), selected
Internet Service: Google.Gmail(65646)

When both wan1 and wan2 meet the SLA requirements, Gmail traffic will use both wan1 and wan2. If only one of the
interfaces meets the SLA requirements, Gmail traffic will only use that interface.
If neither interface meets the requirements but health-check is still alive, then wan1 and wan2 tie. The traffic will try to
balance between wan1 and wan2, using both interfaces to forward traffic.
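The SLA evaluation behind the output above, as an added Python example (not FortiOS or Fortinet code): it parses the health-check member lines, recomputes sla_map for the 10 ms latency / 5 ms jitter target, and applies the Maximize Bandwidth (SLA) selection described in the text, including the tie case and the minimum-sla-meet-members check. The sample output is the one shown above, embedded as a constant; the sla_map bit layout (bit id-1 set when SLA target id passes) is an assumption.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: the 'diagnose sys sdwan health-check google' output shown above.
HEALTH_CHECK_OUTPUT = """\
Health Check(google):
Seq(1): state(alive), packet-loss(0.000%) latency(14.563), jitter(4.334) sla_map=0x0
Seq(2): state(alive), packet-loss(0.000%) latency(12.633), jitter(6.265) sla_map=0x0
"""

# One member line; the optional interface name also covers the 'Seq(1 port1)' form.
LINE_RE = re.compile(
    r"Seq\((?P<seq>\d+)(?: \S+)?\): state\((?P<state>\w+)\), "
    r"packet-loss\((?P<loss>[\d.]+)%\) latency\((?P<lat>[\d.]+)\), "
    r"jitter\((?P<jit>[\d.]+)\) sla_map=0x(?P<map>[0-9a-fA-F]+)"
)


@dataclass
class Member:
    seq: int
    alive: bool
    packet_loss: float     # percent
    latency: float         # ms
    jitter: float          # ms
    reported_sla_map: int  # sla_map as printed by the FortiGate


@dataclass
class SlaTarget:
    id: int
    latency_threshold: Optional[float] = None     # ms; None = not part of the target
    jitter_threshold: Optional[float] = None      # ms
    packetloss_threshold: Optional[float] = None  # percent


def parse_health_check(text: str) -> List[Member]:
    """Parse the per-member lines of 'diagnose sys sdwan health-check' output."""
    members = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            members.append(Member(int(m["seq"]), m["state"] == "alive",
                                  float(m["loss"]), float(m["lat"]),
                                  float(m["jit"]), int(m["map"], 16)))
    return members


def meets_target(member: Member, target: SlaTarget) -> bool:
    """A member passes only if it is alive and every configured threshold is met."""
    if not member.alive:
        return False
    checks = [(target.latency_threshold, member.latency),
              (target.jitter_threshold, member.jitter),
              (target.packetloss_threshold, member.packet_loss)]
    return all(thr is None or measured <= thr for thr, measured in checks)


def sla_map(member: Member, targets: List[SlaTarget]) -> int:
    """Bitmap of passing SLA targets. Assumed layout: bit (id - 1) set when target <id> passes."""
    bits = 0
    for t in targets:
        if meets_target(member, t):
            bits |= 1 << (t.id - 1)
    return bits


def mismatched_members(members: List[Member], targets: List[SlaTarget]) -> List[int]:
    """Seq numbers whose recomputed sla_map differs from what the FortiGate printed."""
    return [m.seq for m in members if sla_map(m, targets) != m.reported_sla_map]


def maximize_bandwidth_sla(members: List[Member], target: SlaTarget,
                           minimum_sla_meet_members: int = 0) -> List[int]:
    """Members (by seq) that a Maximize Bandwidth (SLA) rule load-balances across.

    Mirrors the behaviour described in the text: use every alive member that meets
    the SLA; if none does but the health check is still alive, all alive members tie
    and traffic is balanced across all of them. minimum_sla_meet_members (0 = not
    enforced) makes the rule not take effect when too few members meet the SLA.
    """
    alive = [m for m in members if m.alive]
    passing = [m.seq for m in alive if meets_target(m, target)]
    if minimum_sla_meet_members and len(passing) < minimum_sla_meet_members:
        return []  # rule does not take effect; traffic falls through to later rules/routing
    return passing if passing else [m.seq for m in alive]


if __name__ == "__main__":
    gmail_target = SlaTarget(id=1, latency_threshold=10, jitter_threshold=5)
    members = parse_health_check(HEALTH_CHECK_OUTPUT)
    for m in members:
        print(f"wan{m.seq}: meets SLA={meets_target(m, gmail_target)} "
              f"sla_map=0x{sla_map(m, [gmail_target]):x} (reported 0x{m.reported_sla_map:x})")
    print("rule uses members:", maximize_bandwidth_sla(members, gmail_target))
```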

Use MAC addresses in SD-WAN rules and policy routes

You can use MAC addresses as the source in SD-WAN rules and policy routes.
The FABRIC_DEVICE address object (a dynamic object that includes the IPs of Security Fabric devices) can be used as
a source or destination in SD-WAN rules and policy routes.
The diagnose ip proute match command accepts either the IP or MAC address format for the source:
diagnose ip proute match <destination> <source> <interface> <protocol> <port>

To configure a MAC address as a source for SD-WAN and a policy route:

1. Configure the MAC address:

config firewall address
    edit "mac-add"
        set type mac
        set macaddr 70:4c:a5:86:de:56
    next
end

2. Configure the policy route:

config router policy
    edit 3
        set srcaddr "mac-add"
        set gateway 15.1.1.34
        set output-device ha
    next
end

3. Configure the SD-WAN rule:

config system sdwan
    config service
        edit 1
            set dst "all"
            set src "mac-add"
            set priority-members 1
        next
        edit 2
            set dst "FABRIC_DEVICE"
            set priority-members 2
        next
    end
end

To verify the policy route matching for a MAC address:

# diagnose ip proute match 3.1.1.34 70:4c:a5:86:de:56 port3 22 6
dst=3.1.1.34 src=0.0.0.0 smac=70:4c:a5:86:de:56 iif=11 protocol=22 dport=6
id=00000003 type=Policy Route
seq-num=3

SD-WAN traffic shaping and QoS

Use a traffic shaper in a firewall shaping policy to control traffic flow. You can use it to control maximum and guaranteed
bandwidth, or to assign certain traffic to one of three traffic priorities: high, medium, or low.
An advanced shaping policy can classify traffic into 30 groups. Use a shaping profile to define the percentage of the
interface bandwidth that is allocated to each group. Each group of traffic is shaped to the assigned speed limit based on
the outgoing bandwidth limit configured on the interface.
For more information, see Traffic shaping on page 957.

Sample topology

Sample configuration

This example shows a typical customer usage where the customer's SD-WAN uses the default zone and has two
members, wan1 and wan2, each set to 10Mb/s.
The procedure to configure SD-WAN traffic shaping and QoS consists of the following:
1. Give HTTP/HTTPS traffic high priority and FTP traffic low priority, so that if there is contention, FortiGate forwards
HTTP/HTTPS traffic first.


2. Even though FTP has low priority, configure FortiGate to give it 1Mb/s of guaranteed bandwidth on each SD-WAN
member. If there is no FTP traffic, other traffic can use all the bandwidth; if there is heavy FTP traffic, FTP is still
guaranteed 1Mb/s.
3. Traffic going to specific destinations, such as a VoIP server, is forwarded on wan1, and SD-WAN marks it with the
Expedited Forwarding (EF) DSCP tag 101110.

To configure SD-WAN traffic shaping and QoS with SD-WAN in the GUI:

1. On the FortiGate, add wan1 and wan2 as SD-WAN members, then add a policy and static route.
See SD-WAN quick start on page 518.
2. Add a firewall policy with Application Control enabled. See Configuring firewall policies for SD-WAN on page 521.
3. Go to Policy & Objects > Traffic Shaping, select the Traffic Shapers tab, and edit low-priority.
a. Enable Guaranteed Bandwidth and set it to 1000 kbps.
4. Go to Policy & Objects > Traffic Shaping, select the Traffic Shaping Policies tab, and click Create New.
a. Name the traffic shaping policy, for example, HTTP-HTTPS.
b. Set the following:

Source: all
Destination: all
Service: HTTP and HTTPS
Outgoing interface: virtual-wan-link
Shared Shaper: Enable and set to high-priority
Reverse Shaper: Enable and set to high-priority

c. Click OK.
5. Go to Policy & Objects > Traffic Shaping, select the Traffic Shaping Policies tab, and click Create New.
a. Name the traffic shaping policy, for example, FTP.
b. Set the following:

Source: all
Destination: all
Service: FTP, FTP_GET, and FTP_PUT
Outgoing interface: virtual-wan-link
Shared Shaper: Enable and set to low-priority
Reverse Shaper: Enable and set to low-priority

c. Click OK.
6. Go to Network > SD-WAN, select the SD-WAN Rules tab, and click Create New.
a. Enter a name for the rule, such as Internet.
b. In the Destination section, click Address and select the VoIP server that you created in the firewall address.
c. Under Outgoing Interfaces select Manual.
d. For Interface preference select wan1.
e. Click OK.
7. Use CLI commands to modify DSCP settings. See the DSCP CLI commands below.


To configure the firewall policy using the CLI:

config firewall policy
    edit 1
        set name "1"
        set srcintf "dmz"
        set dstintf "virtual-wan-link"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set utm-status enable
        set ssl-ssh-profile "certificate-inspection"
        set application-list "default"
        set nat enable
    next
end

To configure the firewall traffic shaper priority using the CLI:

config firewall shaper traffic-shaper
    edit "high-priority"
        set maximum-bandwidth 1048576
        set per-policy enable
    next
    edit "low-priority"
        set guaranteed-bandwidth 1000
        set maximum-bandwidth 1048576
        set priority low
        set per-policy enable
    next
end

To configure the firewall traffic shaping policy using the CLI:

config firewall shaping-policy
    edit 1
        set name "http-https"
        set service "HTTP" "HTTPS"
        set dstintf "virtual-wan-link"
        set traffic-shaper "high-priority"
        set traffic-shaper-reverse "high-priority"
        set srcaddr "all"
        set dstaddr "all"
    next
    edit 2
        set name "FTP"
        set service "FTP" "FTP_GET" "FTP_PUT"
        set dstintf "virtual-wan-link"
        set traffic-shaper "low-priority"
        set traffic-shaper-reverse "low-priority"
        set srcaddr "all"
        set dstaddr "all"
    next
end


To configure SD-WAN traffic shaping and QoS with SD-WAN in the CLI:

config system sdwan
    set status enable
    config members
        edit 1
            set interface "wan1"
            set gateway 172.16.20.2
        next
        edit 2
            set interface "wan2"
            set gateway 10.100.20.2
        next
    end
    config service
        edit 1
            set name "SIP"
            set priority-members 1
            set dst "voip-server"
            set dscp-forward enable
            set dscp-forward-tag 101110
        next
    end
end

If no SD-WAN zone is specified, members are added to the default virtual-wan-link zone.

To use the diagnose command to check if specific traffic is attached to the correct traffic shaper:

# diagnose firewall iprope list 100015
policy index=1 uuid_idx=0 action=accept
flag (0):
shapers: orig=high-priority(2/0/134217728) reply=high-priority(2/0/134217728)
cos_fwd=0 cos_rev=0
group=00100015 av=00000000 au=00000000 split=00000000
host=0 chk_client_info=0x0 app_list=0 ips_view=0
misc=0 dd_type=0 dd_mode=0
zone(1): 0 -> zone(2): 36 38
source(1): 0.0.0.0-255.255.255.255, uuid_idx=6,
dest(1): 0.0.0.0-255.255.255.255, uuid_idx=6,
service(2):
[6:0x0:0/(1,65535)->(80,80)] helper:auto
[6:0x0:0/(1,65535)->(443,443)] helper:auto

policy index=2 uuid_idx=0 action=accept
flag (0):
shapers: orig=low-priority(4/128000/134217728) reply=low-priority(4/128000/134217728)
cos_fwd=0 cos_rev=0
group=00100015 av=00000000 au=00000000 split=00000000
host=0 chk_client_info=0x0 app_list=0 ips_view=0
misc=0 dd_type=0 dd_mode=0
zone(1): 0 -> zone(2): 36 38
source(1): 0.0.0.0-255.255.255.255, uuid_idx=6,
dest(1): 0.0.0.0-255.255.255.255, uuid_idx=6,
service(3):
[6:0x0:0/(1,65535)->(21,21)] helper:auto
[6:0x0:0/(1,65535)->(21,21)] helper:auto
[6:0x0:0/(1,65535)->(21,21)] helper:auto

To use the diagnose command to check if the correct traffic shaper is applied to the session:

# diagnose sys session list
session info: proto=6 proto_state=01 duration=11 expire=3599 timeout=3600 flags=00000000
sockflag=00000000 sockport=0 av_idx=0 use=5
origin-shaper=low-priority prio=4 guarantee 128000Bps max 1280000Bps traffic 1050Bps drops 0B
reply-shaper=
per_ip_shaper=
class_id=0 shaping_policy_id=2 ha_id=0 policy_dir=0 tunnel=/ helper=ftp vlan_cos=0/255
state=may_dirty npu npd os mif route_preserve
statistic(bytes/packets/allow_err): org=868/15/1 reply=752/10/1 tuples=2
tx speed(Bps/kbps): 76/0 rx speed(Bps/kbps): 66/0
orgin->sink: org pre->post, reply pre->post dev=39->38/38->39 gwy=172.16.200.55/0.0.0.0
hook=post dir=org act=snat 10.1.100.11:58241->172.16.200.55:21(172.16.200.1:58241)
hook=pre dir=reply act=dnat 172.16.200.55:21->172.16.200.1:58241(10.1.100.11:58241)
pos/(before,after) 0/(0,0), 0/(0,0)
misc=0 policy_id=1 auth_info=0 chk_client_info=0 vd=4
serial=0003255f tos=ff/ff app_list=0 app=0 url_cat=0
sdwan_mbr_seq=0 sdwan_service_id=0
rpdb_link_id = 00000000
dd_type=0 dd_mode=0
npu_state=0x100000
npu info: flag=0x00/0x00, offload=0/0, ips_offload=0/0, epid=0/0, ipid=0/0,
vlan=0x0000/0x0000
vlifid=0/0, vtag_in=0x0000/0x0000 in_npu=0/0, out_npu=0/0, fwd_en=0/0, qid=0/0
no_ofld_reason: offload-denied helper
total session 1

To use the diagnose command to check the status of a shared traffic shaper:

# diagnose firewall shaper traffic-shaper list

name high-priority
maximum-bandwidth 131072 KB/sec
guaranteed-bandwidth 0 KB/sec
current-bandwidth 0 B/sec
priority 2
tos ff
packets dropped 0
bytes dropped 0

name low-priority
maximum-bandwidth 131072 KB/sec
guaranteed-bandwidth 125 KB/sec
current-bandwidth 0 B/sec
priority 4
tos ff
packets dropped 0
bytes dropped 0

name high-priority
maximum-bandwidth 131072 KB/sec
guaranteed-bandwidth 0 KB/sec
current-bandwidth 0 B/sec
priority 2
policy 1
tos ff
packets dropped 0
bytes dropped 0

name low-priority
maximum-bandwidth 131072 KB/sec
guaranteed-bandwidth 125 KB/sec
current-bandwidth 0 B/sec
priority 4
policy 2
tos ff
packets dropped 0
bytes dropped 0

SDN dynamic connector addresses in SD-WAN rules

SDN dynamic connector addresses can be used in SD-WAN rules. FortiGate supports both public (AWS, Azure, GCP,
OCI, AliCloud) and private (Kubernetes, VMware ESXi and NSX, OpenStack, ACI, Nuage) SDN connectors.
The configuration procedure for all of the supported SDN connector types is the same. This example uses an Azure
public SDN connector.

There are four steps to create and use an SDN connector address in an SD-WAN rule:
1. Configure the FortiGate IP address and network gateway so that it can reach the Internet.
2. Create an Azure SDN connector.
3. Create a firewall address to associate with the configured SDN connector.
4. Use the firewall address in an SD-WAN service rule.

To create an Azure SDN connector:

1. Go to Security Fabric > External Connectors.
2. Click Create New.
3. In the Public SDN section, click Microsoft Azure.


4. Enter the following:

Name: azure1
Status: Enabled
Update Interval: Use Default
Server region: Global
Directory ID: 942b80cd-1b14-42a1-8dcf-4b21dece61ba
Application ID: 14dbd5c5-307e-4ea4-8133-68738141feb1
Client secret: xxxxxx
Resource path: disabled

5. Click OK.

To create a firewall address to associate with the configured SDN connector:

1. Go to Policy & Objects > Addresses.
2. Click Create New > Address.
3. Enter the following:

Category: Address
Name: azure-address
Type: Dynamic
Sub Type: Fabric Connector Address
SDN Connector: azure1
SDN address type: Private
Filter: SecurityGroup=edsouza-centos
Interface: Any

4. Click OK.


To use the firewall address in an SD-WAN service rule:

1. Go to Network > SD-WAN, select the SD-WAN Rules tab, and click Create New.
2. Set the Name to Azure1.
3. For the Destination Address select azure-address.
4. Configure the remaining settings as needed. See SD-WAN rules on page 576 for details.
5. Click OK.

Diagnostics

Use the following CLI commands to check the status of and troubleshoot the connector.

To see the status of the SDN connector:

# diagnose sys sdn status
SDN Connector    Type     Status       Updating    Last update
-----------------------------------------------------------------------------------------
azure1           azure    connected    no          n/a

To debug the SDN connector to resolve the firewall address:

# diagnose debug application azd -1
Debug messages will be on for 30 minutes.
...
azd sdn connector azure1 start updating IP addresses
azd checking firewall address object azure-address-1, vd 0
IP address change, new list:
10.18.0.4
10.18.0.12
...

# diagnose sys sdwan service
Service(2): Address Mode(IPV4) flags=0x0
TOS(0x0/0x0), Protocol(0: 1->65535), Mode(manual)
Service role: standalone
Member sub interface:
Members:
1: Seq_num(1), alive, selected
Dst address:
10.18.0.4 - 10.18.0.4
10.18.0.12 - 10.18.0.12
...

Application steering using SD-WAN rules

This topic covers how to use application steering in a topology with multiple WAN links. The following examples illustrate
how to use different strategies to perform application steering to accommodate different business needs:


• Static application steering with a manual strategy on page 609
• Dynamic application steering with lowest cost and best quality strategies on page 612

Application matching

To apply application steering, SD-WAN service rules match traffic based on the applications that are in the application
signature database. To view the signatures, go to Security Profiles > Application Signatures and select Signature.

On the first session that passes through, the IPS engine processes the traffic in the application layer to match it to a
signature in the application signature database. The first session does not match any SD-WAN rules because the
signature has not been recognized yet. When the IPS engine recognizes the application, it records the 3-tuple IP
address, protocol, and port in the application control Internet Service ID list. To view the application and corresponding
3-tuple:
# diagnose sys sdwan internet-service-app-ctrl-list [app ID]
52.114.142.254
Microsoft.Teams(43541 4294837333): 52.114.142.254 6 443 Fri Jun 18 13:52:18 2021

The recognized application and 3-tuple stay in the application control list for future matches to occur. If there are no hits
on the entry for eight hours, the entry is deleted.

For services with multiple IP addresses, traffic might not match the expected SD-WAN rule
because the traffic is destined for an IP address that has not previously been recognized by the
FortiGate. The diagnose sys sdwan internet-service-app-ctrl-list command
can be used to help troubleshoot such situations.

Static application steering with a manual strategy

This example covers a typical usage scenario where the SD-WAN has two members: MPLS and DIA. DIA is primarily
used for direct internet access to internet applications, such as Office365, Google applications, Amazon, and Dropbox.
MPLS is primarily used for SIP, and works as a backup when DIA is not working.


This example configures all SIP traffic to use MPLS while all other traffic uses DIA. If DIA is not working, the traffic will
use MPLS.

To configure an SD-WAN rule to use SIP and DIA in the GUI:

1. Add port1 (DIA) and port2 (MPLS) as SD-WAN members, and configure a static route. See Configuring the SD-WAN
interface on page 519 for details.
2. Create a firewall policy with an Application Control profile configured. See Configuring firewall policies for SD-WAN
on page 521 for details.
3. Go to Network > SD-WAN, select the SD-WAN Rules tab, and click Create New.
4. Enter a name for the rule, such as SIP.
5. Click the Application field and select the applicable SIP applications from the Select Entries panel.
6. Under Outgoing Interfaces, select Manual.
7. For Interface preference, select MPLS.
8. Click OK.
9. Click Create New to create another rule.
10. Enter a name for the rule, such as Internet.
11. Click the Address field and select all from the panel.
12. Under Outgoing Interfaces, select Manual.
13. For Interface preference, select DIA.
14. Click OK.

To configure the firewall policy using the CLI:

config firewall policy
    edit 1
        set name "1"
        set srcintf "dmz"
        set dstintf "virtual-wan-link"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set utm-status enable
        set fsso disable
        set application-list "default"
        set ssl-ssh-profile "certificate-inspection"
        set nat enable
    next
end

To configure an SD-WAN rule to use SIP and DIA using the CLI:

config system sdwan
    set status enable
    config members
        edit 1
            set interface "MPLS"
        next
        edit 2
            set interface "DIA"
        next
    end
    config service
        edit 1
            set name "SIP"
            set internet-service enable
            set internet-service-app-ctrl 34640 152305677 38938 26180 26179 30251
            set priority-members 1
        next
        edit 2
            set name "Internet"
            set dst "all"
            set priority-members 2
        next
    end
end

All SIP traffic uses MPLS. All other traffic goes to DIA. If DIA is down, the traffic uses MPLS. If you use a VPN instead of
MPLS to carry SIP traffic, configure a VPN interface, for example vpn1, and replace MPLS with vpn1 as SD-WAN
member 1.

If no SD-WAN zone is specified, members are added to the default virtual-wan-link zone.

To use the diagnose command to check performance SLA status using the CLI:

# diagnose sys sdwan service 1
Service(1): Address Mode(IPV4) flags=0x0
TOS(0x0/0x0), Protocol(0: 1->65535), Mode(manual)
Members:
1: Seq_num(1), alive, selected
Internet Service: SIP(4294836224 34640) SIP.Method(4294836225 152305677) SIP.Via.NAT(4294836226 38938) SIP_Media.Type.Application(4294836227 26180) SIP_Message(4294836228 26179) SIP_Voice(4294836229 30251)

# diagnose sys sdwan service 2
Service(2): Address Mode(IPV4) flags=0x0
TOS(0x0/0x0), Protocol(0: 1->65535), Mode(manual)
Members:
1: Seq_num(2), alive, selected
Dst address: 0.0.0.0-255.255.255.255

# diagnose sys sdwan internet-service-app-ctrl-list
Ctrl application(SIP 34640):Internet Service ID(4294836224)
Ctrl application(SIP.Method 152305677):Internet Service ID(4294836225)
Ctrl application(SIP.Via.NAT 38938):Internet Service ID(4294836226)
Ctrl application(SIP_Media.Type.Application 26180):Internet Service ID(4294836227)
Ctrl application(SIP_Message 26179):Internet Service ID(4294836228)
Ctrl application(SIP_Voice 30251):Internet Service ID(4294836229)

Dynamic application steering with lowest cost and best quality strategies

In this example, the SD-WAN has three members: two ISPs (DIA_1 and DIA_2) that are used for access to internet
applications, and an MPLS link that is used exclusively as a backup for business critical applications.

Business applications, such as Office365, Google, Dropbox, and SIP, use the Lowest Cost (SLA) strategy to provide
application steering, and traffic falls back to MPLS only if both ISP1 and ISP2 are down. Non-business applications, such
as Facebook and YouTube, use the Best Quality strategy to choose between the ISPs.

To configure the SD-WAN members, static route, and firewall policy in the GUI:

1. Add port1 (DIA_1), port2 (DIA_2), and port3 (MPLS) as SD-WAN members. Set the cost of DIA_1 and DIA_2 to 0,
and MPLS to 20. See Configuring the SD-WAN interface on page 519 for details.
2. Configure a static route. See Adding a static route on page 520 for details.


3. Create a firewall policy to allow traffic out on SD-WAN, with an Application Control profile configured. See
Configuring firewall policies for SD-WAN on page 521 for details.

To configure the SD-WAN rule and performance SLA checks for business critical application in the GUI:

1. Go to Network > SD-WAN, select the SD-WAN Rules tab, and click Create New.
2. Set the name to BusinessCriticalApps.
This rule will steer your business critical traffic to the appropriate link based on the Lowest Cost (SLA).
3. Set Source address to all.
4. Under Destination, set Application to your required applications. In this example: Microsoft.Office.365,
Microsoft.Office.Online, Google.Docs, Dropbox, and SIP.
5. Under Outgoing Interfaces, select Lowest Cost (SLA).
The lowest cost is defined in the SD-WAN member interface settings (see Configuring the SD-WAN interface on
page 519). The lowest possible cost is 0, which represents the most preferred link. In this example, DIA_1 and DIA_
2 both have a cost of 0, while MPLS has a cost of 20 because it is used for backup.
6. In Interface preference, add the interfaces in order of preference when the cost of the links is tied. In this example,
DIA_1, DIA_2, then MPLS.
MPLS will always be chosen last, because it has the highest cost. DIA_1 and DIA_2 have the same cost, so an
interface is selected based on their order in the Interface preference list.
7. Set Required SLA target to ensure that only links that pass your SLA target are chosen in this SD-WAN rule:
a. Click in the Required SLA target field.
b. In the Select Entries pane, click Create. The New Performance SLA pane opens.
c. Set Name to BusinessCriticalApps_HC.
This health check is used for business critical applications in your SD-WAN rule.
d. Leave Protocol set to Ping, and add up to two servers, such as office.com and google.com.
e. Set Participants to Specify, and add all three interfaces: DIA_1, DIA_2, and MPLS.
f. Enable SLA Target.
The attributes in your target determine the quality of your link. The SLA target of each link is compared when
determining which link to use based on the lowest cost. Links that meet the SLA target are preferred over links
that fail, and move to the next step of selection based on cost. If no links meet the SLA target, then they all
move to the next step.
In this example, disable Latency threshold and Jitter threshold, and set Packet loss threshold to 1.
g. Click OK.
h. Select the new performance SLA to set it as the Required SLA target.
When multiple SLA targets are added, you can choose which target to use in the SD-WAN rule.


8. Click OK to create the SD-WAN rule.

To configure the SD-WAN rule and performance SLA checks for non-business critical application in the GUI:

1. Go to Network > SD-WAN, select the SD-WAN Rules tab, and click Create New.
2. Set the name to NonBusinessCriticalApps.
This rule will steer your non-business critical traffic to the appropriate link based on the Best Quality. No SLA target
must be met, as the best link is selected based on the configured quality criteria and interface preference order.
3. Set Source address to all.
4. Under Destination, set Application to your required applications. In this example: Facebook and YouTube.
5. Under Outgoing Interfaces, select Best Quality.
6. In Interface preference, add the interfaces in order of preference.
By default, a more preferred link has an advantage of 10% over a less preferred link. For example, when latency is
used, the preferred link’s calculated latency = real latency / (1+10%).


The preferred link advantage can be customized in the CLI when the mode is priority (Best Quality) or auto:

config system sdwan
    config service
        edit <id>
            set link-cost-threshold <integer>
        next
    end
end

7. Create and apply a new performance SLA profile:
a. Click in the Measured SLA field.
b. In the drop-down list, click Create. The New Performance SLA pane opens.
c. Set Name to NonBusinessCritical_HC.
This health check is used for non-business critical applications in your SD-WAN rule.
d. Leave Protocol set to Ping, and add up to two servers, such as youtube.com and facebook.com.
e. Set Participants to Specify, and add the DIA_1 and DIA_2 interfaces. In this example, MPLS is not used for
non-business critical applications.
f. Leave SLA Target disabled.
g. Click OK.
h. Select the new performance SLA from the list to set it as the Measured SLA.
8. Set Quality criteria as required. In this example, Latency is selected.
For bandwidth related criteria, such as Downstream, Upstream, and Bandwidth (bi-directional), the selection is
based on available bandwidth. An estimated bandwidth should be configured on the interface to provide a baseline,
maximum available bandwidth.


9. Click OK to create the SD-WAN rule.

To configure the SD-WAN members, static route, and firewall policy in the CLI:

1. Configure the interfaces:

config system interface
    edit "port1"
        set ip <class_ip&net_netmask>
        set alias "DIA_1"
        set role wan
    next
    edit "port2"
        set ip <class_ip&net_netmask>
        set alias "DIA_2"
        set role wan
    next
    edit "port3"
        set ip <class_ip&net_netmask>
        set alias "MPLS"
        set role wan
    next
end

2. Configure the SD-WAN members:

config system sdwan
    set status enable
    config members
        edit 1
            set interface "port1"
            set gateway 172.16.20.2
        next
        edit 2
            set interface "port2"
            set gateway 172.17.80.2
        next
        edit 3
            set interface "port3"
            set gateway 10.100.20.2
            set cost 20
        next
    end
end

If no SD-WAN zone is specified, members are added to the default virtual-wan-link zone.

3. Configure a static route. See Adding a static route on page 520 for details.
4. Create a firewall policy to allow traffic out on SD-WAN, with an Application Control profile configured. See
Configuring firewall policies for SD-WAN on page 521 for details.

To configure the SD-WAN rule and performance SLA checks for business critical application in the CLI:

1. Configure the BusinessCriticalApps_HC health-check:

config system sdwan
    config health-check
        edit "BusinessCriticalApps_HC"
            set server "office.com" "google.com"
            set members 1 2 3
            config sla
                edit 1
                    set link-cost-factor packet-loss
                    set packetloss-threshold 1
                next
            end
        next
    end
end

2. Configure the BusinessCriticalApps service to use Lowest Cost (SLA):

config system sdwan
    config service
        edit 1
            set name "BusinessCriticalApps"
            set mode sla
            set src "all"
            set internet-service enable
            set internet-service-app-ctrl 17459 16541 33182 16177 34640
            config sla
                edit "BusinessCriticalApps_HC"
                    set id 1
                next
            end
            set priority-members 1 2 3
        next
    end
end

To configure the SD-WAN rule and performance SLA checks for non-business critical application in the CLI:

1. Configure the NonBusinessCriticalApps_HC health-check:

config system sdwan
    config health-check
        edit "NonBusinessCriticalApps_HC"
            set server "youtube.com" "facebook.com"
            set members 1 2
        next
    end
end

2. Configure the NonBusinessCriticalApps service to use Lowest Cost (SLA):

config system sdwan
    config service
        edit 4
            set name "NonBusinessCriticalApps"
            set mode priority
            set src "all"
            set internet-service enable
            set internet-service-app-ctrl 15832 31077
            set health-check "NonBusinessCriticalApps_HC"
            set priority-members 1 2
        next
    end
end

Verification

Check the following GUI pages, and run the following CLI commands to confirm that your traffic is being steered by the
SD-WAN rules.


Health checks

To verify the status of each of the health checks in the GUI:

1. Go to Network > SD-WAN, select the Performance SLAs tab, and select each of the health checks from the list.

To verify the status of each of the health checks in the CLI:

# diagnose sys sdwan health-check
Health Check(BusinessCritical_HC):
Seq(1 port1): state(alive), packet-loss(0.000%) latency(12.884), jitter(0.919) sla_map=0x1
Seq(2 port2): state(alive), packet-loss(0.000%) latency(13.018), jitter(0.723) sla_map=0x1
Seq(3 port3): state(alive), packet-loss(0.000%) latency(13.018), jitter(0.923) sla_map=0x1
Health Check(NonBusinessCritical_HC):
Seq(1 port1): state(alive), packet-loss(0.000%) latency(6.888), jitter(0.953) sla_map=0x0
Seq(2 port2): state(alive), packet-loss(0.000%) latency(6.805), jitter(0.830) sla_map=0x0


Rule members and hit count

To verify the active members and hit count of the SD-WAN rule in the GUI:

1. Go to Network > SD-WAN and select the SD-WAN Rules tab.

The interface that is currently selected by the rule has a checkmark next to its name in the Members column. Hover
the cursor over the checkmark to open a tooltip that gives the reason why that member is selected. If multiple
members are selected, only the highest ranked member is highlighted (unless the mode is Maximize Bandwidth
(SLA)).

To verify the active members and hit count of the SD-WAN rule in the CLI:

# diagnose sys sdwan service
Service(3): Address Mode(IPV4) flags=0x0
Gen(13), TOS(0x0/0x0), Protocol(0: 1->65535), Mode(sla), sla-compare-order
Members:
1: Seq_num(1 port1), alive, sla(0x1), cfg_order(0), cost(0), selected
2: Seq_num(2 port2), alive, sla(0x1), cfg_order(1), cost(0), selected
3: Seq_num(3 port3), alive, sla(0x1), cfg_order(2), cost(20), selected
Internet Service: Dropbox(4294836727,0,0,0 17459) Google.Docs(4294836992,0,0,0 16541) Microsoft.Office.365(4294837472,0,0,0 33182) Microsoft.Office.Online(4294837475,0,0,0 16177) SIP(4294837918,0,0,0 34640)
Src address:
0.0.0.0-255.255.255.255

Service(4): Address Mode(IPV4) flags=0x0
Gen(211), TOS(0x0/0x0), Protocol(0: 1->65535), Mode(priority), link-cost-factor(latency), link-cost-threshold(10), heath-check(NonBusinessCritical_HC)
Members:
1: Seq_num(1 port1), alive, latency: 5.712, selected
2: Seq_num(2 port2), alive, latency: 5.511, selected
Internet Service: Facebook(4294836806,0,0,0 15832) YouTube(4294838537,0,0,0 31077)
Src address:
0.0.0.0-255.255.255.255
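The Interface preference advantage used by the Mode(priority) rule above (preferred link's calculated latency = real latency / (1 + link-cost-threshold%), default 10), as an added Python example that is not FortiOS or Fortinet code: it parses the Service(4) member lines shown above and reproduces the choice of port1 despite its higher raw latency, then shows how the result flips as the threshold changes. The pairwise comparison in preference order is an assumption about how the formula generalises beyond two members.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: the member lines of Service(4) from 'diagnose sys sdwan service' above.
SERVICE_MEMBERS_OUTPUT = """\
Members:
1: Seq_num(1 port1), alive, latency: 5.712, selected
2: Seq_num(2 port2), alive, latency: 5.511, selected
"""

MEMBER_RE = re.compile(
    r"Seq_num\((?P<seq>\d+) (?P<intf>\S+)\), (?P<state>\w+), latency: (?P<lat>[\d.]+)"
)


@dataclass
class Member:
    seq: int
    interface: str
    alive: bool
    latency: float  # ms, as measured by the rule's health check


def parse_service_members(text: str) -> List[Member]:
    """Parse member lines of a Mode(priority) service whose link-cost-factor is latency."""
    members = []
    for line in text.splitlines():
        m = MEMBER_RE.search(line)
        if m:
            members.append(Member(int(m["seq"]), m["intf"],
                                  m["state"] == "alive", float(m["lat"])))
    return members


def adjusted_latency(latency: float, link_cost_threshold: int) -> float:
    """The page's formula: preferred link's calculated latency = real latency / (1 + threshold%)."""
    return latency / (1 + link_cost_threshold / 100.0)


def best_quality_by_latency(members: List[Member], preference: List[str],
                            link_cost_threshold: int = 10) -> Optional[str]:
    """Pick the interface a Best Quality rule steers to when the criterion is latency.

    `preference` is the Interface preference list in configured order. Assumption:
    members are compared pairwise in that order; the currently preferred member keeps
    its place unless a less preferred member beats its advantage-adjusted latency.
    """
    by_name = {m.interface: m for m in members if m.alive}
    ordered = [by_name[name] for name in preference if name in by_name]
    if not ordered:
        return None  # no alive member: the rule cannot steer, traffic falls through
    best = ordered[0]
    for candidate in ordered[1:]:
        if candidate.latency < adjusted_latency(best.latency, link_cost_threshold):
            best = candidate
    return best.interface


if __name__ == "__main__":
    members = parse_service_members(SERVICE_MEMBERS_OUTPUT)
    for thr in (0, 3, 4, 10):
        print(f"link-cost-threshold {thr:>2}: "
              f"{best_quality_by_latency(members, ['port1', 'port2'], thr)}")
```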

Applications and sessions

To verify sessions in FortiView:

1. Go to a dashboard and add the FortiView Cloud Applications widget sorted by bytes. See Cloud application view on
page 130 for details.


2. Drill down on an application, such as YouTube, then select the Sessions tab.

To verify applications identified by Application Control in SD-WAN:

# diagnose sys sdwan internet-service-app-ctrl-list
Steam(16518 4294838108): 23.6.148.10 6 443 Thu Apr 15 08:51:54 2021
Netflix(18155 4294837589): 54.160.93.182 6 443 Thu Apr 15 09:13:25 2021
Netflix(18155 4294837589): 54.237.226.164 6 443 Thu Apr 15 10:04:37 2021
Minecraft(27922 4294837491): 65.8.232.41 6 443 Thu Apr 15 09:12:19 2021
Minecraft(27922 4294837491): 65.8.232.46 6 443 Thu Apr 15 09:02:07 2021
Minecraft(27922 4294837491): 99.84.244.51 6 443 Thu Apr 15 10:23:57 2021
Minecraft(27922 4294837491): 99.84.244.63 6 443 Thu Apr 15 10:03:30 2021
YouTube(31077 4294838537): 74.125.69.93 6 443 Thu Apr 15 08:52:59 2021
YouTube(31077 4294838537): 108.177.112.136 6 443 Thu Apr 15 09:33:53 2021
YouTube(31077 4294838537): 142.250.1.93 6 443 Thu Apr 15 10:35:13 2021
...

DSCP tag-based traffic steering in SD-WAN

Differentiated Services Code Point (DSCP) tags can be used to categorize traffic for quality of service (QoS). SD-WAN
traffic steering on an edge device can be based on the DSCP tags.
This section provides an example of DSCP tag-based traffic steering with Secure SD-WAN. Traffic from the
customer service and marketing departments at a headquarters is marked with separate DSCP tags by the core switch
and passed to the edge FortiGate. The edge FortiGate reads the tags, then steers the traffic to the preferred interfaces
based on the defined SD-WAN rules.

VoIP and social media traffic are steered. VoIP traffic from the customer service department is more important than
social media traffic. The edge FortiGate identifies the tagged traffic based on SD-WAN rules then steers the traffic:
l VoIP traffic is marked with DSCP tag 011100 and steered to the VPN overlay with the lowest jitter, to provide the
best quality voice communication with the remote PBX server.
l Social media traffic is marked with the DSCP tag 001100 and steered to the internet connection with the lowest cost.
The following is assumed to be already configured:
l Two IPsec tunnels (IPsec VPNs on page 1385):
  l Branch-HQ-A on Internet_A (port1)
  l Branch-HQ-B on Internet_B (port5)
l Four SD-WAN members in two zones (Configuring the SD-WAN interface on page 519):
  l Overlay zone includes members Branch-HQ-A and Branch-HQ-B
  l virtual-wan-link zone includes members Internet_A and Internet_B
  Internet_A has a cost of 0 and Internet_B has a cost of 10. When using the lowest cost strategy, Internet_A will
  be preferred. Both members are participants in the Default_DNS performance SLA.
l A static route that points to the SD-WAN interface (Adding a static route on page 520).
l Two firewall policies:

  Name         SD-WAN-OUT          Overlay-OUT
  From         port3               port3
  To           virtual-wan-link    Overlay
  Source       all                 all
  Destination  all                 all
  Schedule     always              always
  Service      all                 all
  Action       Accept              Accept
  NAT          enabled             enabled

After the topology is configured, you can proceed with the configuration of the edge FortiGate:
l Configuring SD-WAN rules on page 623
l Results on page 624

Configuring SD-WAN rules

Configure SD-WAN rules to govern the steering of DSCP tag-based traffic to the appropriate interfaces. Traffic is steered
based on the criteria that are configured in the SD-WAN rules.
In this example, three SD-WAN rules are configured to govern DSCP tagged traffic:
l VoIP-Steer for VoIP traffic.
l Facebook-DSCP-steer for social media traffic.
l All-traffic for all other web traffic.
After configuring the rules, go to Network > SD-WAN and select the SD-WAN Rules tab to check the rules.

VoIP traffic

VoIP traffic is steered to the Overlay zone.


DSCP is a 6-bit value that occupies the six most significant bits of the IP type of service (ToS) byte; the two least
significant bits carry ECN and are not part of the tag. Appending two zero bits to the DSCP value gives the 8-bit value
that FortiOS compares against. VoIP traffic with DSCP tag 011100 therefore becomes 01110000, which is 0x70 in
hexadecimal, and this is the rule's type of service bit pattern (tos) value. The type of service evaluated bits (tos-mask)
value 0xf0 (11110000 in binary) selects which bit positions are compared: only the bit positions that are set in the
tos-mask are evaluated, and the zero bit positions are ignored. With 0xf0, the four most significant bits of the ToS byte
(0111) are compared against the first four bits of the DSCP tag, so any DSCP value that begins with 0111 matches this
rule. To match all six DSCP bits exactly, use a tos-mask of 0xfc (11111100 in binary) instead.
The Best Quality (priority mode) strategy is used to select the preferred interface, with the Quality criteria (link-
cost-factor) set to Jitter. The interface with the lowest measured jitter is selected. For more information about
configuring SD-WAN rules with the Best Quality strategy, see Best quality strategy on page 590.

To configure the rule for DSCP tagged VoIP traffic using the CLI:

config system sdwan
config service
edit 5
set name "VoIP-Steer"
set mode priority
set tos 0x70
set tos-mask 0xf0
set dst "all"
set health-check "Default_DNS"
set link-cost-factor jitter
set priority-members 4 3
next
end
end

Social media traffic

Social media traffic is steered to the virtual-wan-link zone.


As for the VoIP rule, the 6-bit DSCP value is followed by two zero (ECN) bits to form the 8-bit ToS value. Social media
traffic with DSCP tag 001100 will become 00110000, which is 0x30 in hexadecimal, and this is the tos value. The
tos-mask value 0xf0 (11110000 in binary) is used to check the four most significant bits of the ToS byte. The four most
significant bits of the tos (0011) are compared against the first four bits of the DSCP tag; only the non-zero bit
positions in the tos-mask are compared, and the zero bit positions are ignored.
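The following Python model is an added example and is not part of the FortiOS guide. It reproduces the tos/tos-mask arithmetic described above for both the VoIP and the social media rules, lists which DSCP values a given mask actually accepts, and derives the matching built-in sniffer filter, so the values can be checked before they are committed. The packet ToS values it tests (0x71, 0x78) are constructed for the example.

```python
"""Worked model of FortiOS SD-WAN tos/tos-mask matching for DSCP-tagged traffic.

Added example, not code from the FortiOS guide. It reproduces the bit
arithmetic the guide describes so that rule values and the sniffer filter
can be derived and checked offline. All packet ToS values are constructed.
"""

DSCP_BITS_MASK = 0xFC  # bits 7..2 of the ToS byte are DSCP, bits 1..0 are ECN


def dscp_to_tos(dscp_bits: str) -> int:
    """Convert a 6-bit DSCP string such as '011100' to the 8-bit ToS byte value.

    The DSCP field is left-aligned in the ToS byte, so two zero (ECN) bits are
    appended: 011100 -> 01110000 -> 0x70.
    """
    if len(dscp_bits) != 6 or set(dscp_bits) - {"0", "1"}:
        raise ValueError("DSCP must be a 6-bit binary string")
    return int(dscp_bits, 2) << 2


def tos_matches(packet_tos: int, rule_tos: int, rule_mask: int) -> bool:
    """Apply the rule check: only bit positions set in tos-mask are compared."""
    return (packet_tos & rule_mask) == (rule_tos & rule_mask)


def matching_dscps(rule_tos: int, rule_mask: int) -> list:
    """List every 6-bit DSCP value that a given tos/tos-mask pair accepts.

    This shows how wide a mask really is: 0xf0 compares four DSCP bits,
    0xfc compares all six.
    """
    return [f"{d:06b}" for d in range(64) if tos_matches(d << 2, rule_tos, rule_mask)]


def rule_values(dscp_bits: str, exact: bool = False) -> dict:
    """Return the CLI values for an SD-WAN rule that matches this DSCP tag.

    exact=False reproduces the guide's 0xf0 mask; exact=True uses 0xfc so that
    only the one DSCP value matches.
    """
    mask = DSCP_BITS_MASK if exact else 0xF0
    return {"tos": f"0x{dscp_to_tos(dscp_bits):02x}", "tos-mask": f"0x{mask:02x}"}


def sniffer_filter(dscp_bits: str) -> str:
    """Build the built-in sniffer (BPF) filter for packets carrying this DSCP.

    ip[1] is the ToS byte; masking with 0xfc ignores the ECN bits.
    """
    return f"(ip and ip[1] & 0x{DSCP_BITS_MASK:02x} == 0x{dscp_to_tos(dscp_bits):02x})"


if __name__ == "__main__":
    for name, dscp in (("VoIP", "011100"), ("social media", "001100")):
        print(name, rule_values(dscp), sniffer_filter(dscp))
    # Constructed ToS values: 0x71 is DSCP 011100 with an ECN bit set,
    # 0x78 is DSCP 011110, a different tag that shares the first four bits.
    print("0x71 matches VoIP rule:", tos_matches(0x71, 0x70, 0xF0))
    print("0x78 matches VoIP rule with 0xf0:", tos_matches(0x78, 0x70, 0xF0))
    print("0x78 matches VoIP rule with 0xfc:", tos_matches(0x78, 0x70, 0xFC))
    print("DSCPs accepted by 0x70/0xf0:", matching_dscps(0x70, 0xF0))
```

The matching_dscps check is the one worth running before deployment: with the guide's 0xf0 mask the VoIP rule accepts four different DSCP tags, and a tos-mask of 0xfc narrows it to the single intended value.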

The Manual (manual mode) strategy is used to select the preferred interface. Internet_B (port5, priority member 2) is set
as the preferred interface to steer all social media traffic to. For more information about configuring SD-WAN rules with
the manual strategy, see Manual strategy on page 589.

To configure SD-WAN rule for DSCP tagged social media traffic using the CLI:

config system sdwan
config service
edit 3
set name "Facebook-DSCP-steer"
set mode manual
set tos 0x30
set tos-mask 0xf0
set dst "all"
set priority-members 2 1
next
end
end

Other web traffic

Other web traffic is steered to the virtual-wan-link zone.


The Lowest Cost (SLA) strategy (sla mode) is used to select the preferred interface. The interface that meets the
defined SLA targets (Default_DNS in this case) is selected. If there is a tie, the interface with the lowest cost is selected,
Internet_A (port1) in this case.
For more information about configuring SD-WAN rules with the Lowest Cost (SLA) strategy, see Lowest cost (SLA)
strategy on page 594.

To configure SD-WAN rule for all other web traffic using the CLI:

config system sdwan
config service
edit 2
set name "All-traffic"
set mode sla
set dst "all"
config sla
edit "Default_DNS"
set id 1
next
end
set priority-members 1 2
next
end
end

Results

These sections show the function of SD-WAN with respect to DSCP tagged traffic steering, and can help confirm that it is
running as expected:

l Verifying the DSCP tagged traffic on FortiGate on page 625
l Verifying the service rules on page 626
l Verifying traffic steering on the SD-WAN rules on page 626
l Verifying that steered traffic is leaving from the expected interface on page 627

Verifying the DSCP tagged traffic on FortiGate

The built-in packet sniffer is used to verify that the traffic arriving at the FortiGate carries the expected DSCP tags.
See Using the FortiOS built-in packet sniffer for more information. In the filters below, ip[1] is the ToS byte of the
IPv4 header and the 0xfc mask keeps only its six DSCP bits, so the comparison matches the full DSCP value and ignores
the ECN bits. At verbose level 6 the sniffer prints the complete packets, which can be converted to pcap format and
opened in Wireshark to confirm that VoIP traffic carries the ToS value 0x70 (DSCP 011100) and web traffic carries 0x30
(DSCP 001100).

VoIP traffic marked with DSCP tag 0x70:

# diagnose sniffer packet any '(ip and ip[1] & 0xfc == 0x70)' 6 0 l

Web traffic marked with DSCP tag 0x30:

# diagnose sniffer packet any '(ip and ip[1] & 0xfc == 0x30)' 6 0 l

Verifying the service rules

To check that the expected DSCP tags (TOS(pattern/mask)) and corresponding members are used by the SD-WAN rules to
steer traffic, and that the Mode shown for each service matches the mode configured in the rule:

# diagnose sys sdwan service

Service(5): Address Mode(IPV4) flags=0x0
Gen(1), TOS(0x70/0xf0), Protocol(0: 1->65535), Mode(manual)
Members:
1: Seq_num(4 Branch-HQ-B), alive, selected
Dst address:
0.0.0.0-255.255.255.255

Service(3): Address Mode(IPV4) flags=0x0
Gen(1), TOS(0x30/0xf0), Protocol(0: 1->65535), Mode(manual)
Members:
1: Seq_num(2 port5), alive, selected
Dst address:
0.0.0.0-255.255.255.255

Service(2): Address Mode(IPV4) flags=0x0
Gen(1), TOS(0x0/0x0), Protocol(0: 1->65535), Mode(sla), sla-compare-order
Members:
1: Seq_num(1 port1), alive, sla(0x1), cfg_order(0), cost(0), selected
2: Seq_num(2 port5), alive, sla(0x1), cfg_order(1), cost(10), selected
Dst address:
0.0.0.0-255.255.255.255

Verifying traffic steering on the SD-WAN rules

Go to Network > SD-WAN and select the SD-WAN Rules tab to check the Hit Count on the SD-WAN interfaces.

Verifying that steered traffic is leaving from the expected interface

To confirm that web traffic (port 443) leaves through the expected underlay members and that VoIP traffic leaves
through the expected overlay member, go to Dashboard > FortiView Policies and double-click the policy name.
Web traffic is expected to leave on Internet_A (port1) or Internet_B (port5):

VoIP traffic is expected to leave on the preferred (lowest jitter) overlay tunnel, VPN_B_Tunnel (Branch-HQ-B):

ECMP support for the longest match in SD-WAN rule matching

An SD-WAN rule can restrict its egress selection to the members that carry the longest match (most specific) route to
the destination, including ECMP routes, instead of considering every member that has any valid route. The rule then
selects among only those egress ports and ignores members that are reachable only through less specific routes.
The service mode determines which of the egress ports on the specific routes is selected to forward traffic:
l Manual (manual): The first configured alive port is selected.
l Best Quality (priority): The best quality port is selected.
l Lowest Cost (sla): The first configured or lowest cost port that is in SLA is selected.

Example

By default, SD-WAN selects the outgoing interface from all of the links that have valid routes to the destination. In some
cases, it is required that only the links that have the best (or longest match) routes (single or ECMP) to the destination
are considered.

In this example, four SD-WAN members in two zones are configured. The remote PC (PC_2 - 10.1.100.22) is reachable
through port15 and port16 only, even though all of the SD-WAN members have valid (default) routes. A single SD-WAN
service rule is configured that allows traffic to be balanced between all four of the members, but only chooses between
port15 and port16 for the specific 10.1.100.22 address.
A performance SLA health check is configured to monitor 10.1.100.2. An SD-WAN service rule in Lowest Cost (SLA)
mode is configured to select the best interface to steer the traffic. In the rule, the method of selecting a member if more
than one meets the SLA (tie-break) is configured to select members that meet the SLA and match the longest prefix
in the routing table (fib-best-match). If there are multiple ECMP routes with the same destination, the FortiGate will
take the longest (or best) match in the routing table, and choose from those interface members.

To configure the SD-WAN:

config system sdwan
config zone
edit "virtual-wan-link"
next
edit "z1"
next
end
config members
edit 1
set interface "port1"
set gateway 172.16.200.2
next
edit 2
set interface "dmz"
set gateway 172.16.208.2
next
edit 3
set interface "port15"
set zone "z1"
set gateway 172.16.209.2
next
edit 4
set interface "port16"
set zone "z1"
set gateway 172.16.210.2
next
end
config health-check
edit "1"
set server "10.1.100.2"
set members 0
config sla
edit 1
next
end
next
end
config service
edit 1
set name "1"
set mode sla
set dst "all"
set src "172.16.205.0"
config sla
edit "1"
set id 1
next
end
set priority-members 1 2 3 4
set tie-break fib-best-match
next
end
end

To check the results:

1. The debug shows the SD-WAN service rule. All of the members meet SLA, and because no specific costs are
attached to the members, the egress interface is selected based on the interface priority order that is configured in
the rule:
FGT_A (root) # diagnose sys sdwan service
Service(1): Address Mode(IPV4) flags=0x200 use-shortcut-sla
Gen(4), TOS(0x0/0x0), Protocol(0: 1->65535), Mode(sla), sla-compare-order
Members(4):
1: Seq_num(1 port1), alive, sla(0x1), gid(0), cfg_order(0), cost(0), selected
2: Seq_num(2 dmz), alive, sla(0x1), gid(0), cfg_order(1), cost(0), selected
3: Seq_num(3 port15), alive, sla(0x1), gid(0), cfg_order(2), cost(0), selected
4: Seq_num(4 port16), alive, sla(0x1), gid(0), cfg_order(3), cost(0), selected
Src address(1):
172.16.205.0-172.16.205.255
Dst address(1):
0.0.0.0-255.255.255.255

2. The routing table shows that there are ECMP default routes on all of the members, and ECMP specific (or best)
routes only on port15 and port16:
FGT_A (root) # get router info routing-table static
Routing table for VRF=0
S* 0.0.0.0/0 [1/0] via 172.16.200.2, port1
[1/0] via 172.16.208.2, dmz
[1/0] via 172.16.209.2, port15
[1/0] via 172.16.210.2, port16
S 10.1.100.22/32 [10/0] via 172.16.209.2, port15
[10/0] via 172.16.210.2, port16

Because tie-break is set to fib-best-match, the first configured member from port15 and port16 is selected to
forward traffic to PC_2. For all other traffic, the first configured member from all four of the interfaces is selected to
forward traffic.
3. On PC_1, generate traffic to PC_2:
ping 10.1.100.22

4. On FGT_A, sniff for traffic sent to PC_2:
# diagnose sniffer packet any 'host 10.1.100.22' 4
interfaces=[any]
filters=[host 10.1.100.22]
2.831299 port5 in 172.16.205.11 -> 10.1.100.22: icmp: echo request
2.831400 port15 out 172.16.205.11 -> 10.1.100.22: icmp: echo request

Traffic is leaving on port15, the first configured member from port15 and port16.

Override quality comparisons in SD-WAN longest match rule matching

In SD-WAN rules, the longest match routes override the quality comparisons when all of the specific routes are out of
SLA.
With this feature in an SD-WAN rule:
l Lowest Cost (sla): Even though all of the egress ports on specific routes (longest matched routes) are out of SLA,
the SD-WAN rule still selects the first configured or lowest cost port from those egress ports to forward traffic.
l Best Quality (priority): Even though the egress ports on specific routes (longest matched routes) have worse
quality than all other ports on less specific routes, the SD-WAN rule still selects the best quality port from the ports
on the specific routes to forward traffic.
This feature avoids a situation where, if the members on specific routes (longest matched routes) are out of SLA or
have worse quality, the traffic might be forwarded to members that are in SLA (or have higher quality) on the default or
aggregate routes but do not carry the best route to the destination.

Example

In this example, four SD-WAN members in two zones are configured. The remote PC (PC_2 - 10.1.100.22) is reachable
through port15 and port16 only, even though all of the SD-WAN members have valid (default) routes. A single SD-WAN
service rule is configured that allows traffic to be balanced between all four of the members, but only chooses between
port15 and port16 for the specific 10.1.100.22 address. If neither port15 nor port16 meets the SLA, traffic is still
forwarded on one of these two interfaces, instead of on port1 or dmz.
A performance SLA health check is configured to monitor 10.1.100.2. An SD-WAN service rule in Lowest Cost (SLA)
mode is configured to select the best interface to steer the traffic. In the rule, the method of selecting a member if more
than one meets the SLA (tie-break) is configured to select members that meet the SLA and match the longest prefix
in the routing table (fib-best-match). If there are multiple ECMP routes with the same destination, the FortiGate will
take the longest (or best) match in the routing table, and choose from those interface members.

To configure the SD-WAN:

config system sdwan
config zone
edit "virtual-wan-link"
next
edit "z1"
next
end
config members
edit 1
set interface "port1"
set gateway 172.16.200.2
next
edit 2
set interface "dmz"
set gateway 172.16.208.2
next
edit 3
set interface "port15"
set zone "z1"
set gateway 172.16.209.2
next
edit 4
set interface "port16"
set zone "z1"
set gateway 172.16.210.2
next
end
config health-check
edit "1"
set server "10.1.100.2"
set members 0
config sla
edit 1
next
end
next
end
config service
edit 1
set name "1"
set mode sla
set dst "all"
set src "172.16.205.0"
config sla
edit "1"
set id 1
next
end
set priority-members 1 2 3 4
set tie-break fib-best-match
next
end
end

To check the results:

1. The debug shows the SD-WAN service rule. Both port15 and port16 are up, but out of SLA:
FGT_A (root) # diagnose sys sdwan service
Service(1): Address Mode(IPV4) flags=0x200 use-shortcut-sla
Gen(3), TOS(0x0/0x0), Protocol(0: 1->65535), Mode(sla), sla-compare-order
Members(4):
1: Seq_num(1 port1), alive, sla(0x1), gid(0), cfg_order(0), cost(0), selected
2: Seq_num(2 dmz), alive, sla(0x1), gid(0), cfg_order(1), cost(0), selected
3: Seq_num(3 port15), alive, sla(0x0), gid(0), cfg_order(2), cost(0), selected
4: Seq_num(4 port16), alive, sla(0x0), gid(0), cfg_order(3), cost(0), selected
Src address(1):
172.16.205.0-172.16.205.255

Dst address(1):
0.0.0.0-255.255.255.255

2. The routing table shows that there are ECMP default routes on all of the members, and ECMP specific (or best)
routes only on port15 and port16:
FGT_A (root) # get router info routing-table static
Routing table for VRF=0
S* 0.0.0.0/0 [1/0] via 172.16.200.2, port1
[1/0] via 172.16.208.2, dmz
[1/0] via 172.16.209.2, port15
[1/0] via 172.16.210.2, port16
S 10.1.100.22/32 [10/0] via 172.16.209.2, port15
[10/0] via 172.16.210.2, port16

Because tie-break is set to fib-best-match, even though both port15 and port16 are out of SLA, the first
configured member of the two (port15) is selected to forward traffic to PC_2. For all other traffic, the first configured
member from all of the interfaces that are in SLA is selected to forward traffic (port1).
3. On PC_1, generate traffic to PC_2:
ping 10.1.100.22

4. On FGT_A, sniff for traffic sent to PC_2:
# diagnose sniffer packet any 'host 10.1.100.22' 4
interfaces=[any]
filters=[host 10.1.100.22]
2.831299 port5 in 172.16.205.11 -> 10.1.100.22: icmp: echo request
2.831400 port15 out 172.16.205.11 -> 10.1.100.22: icmp: echo request

Traffic is leaving on port15, the first configured member from port15 and port16, even though both are out of SLA.
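The following Python model is an added example and is not FortiOS code. It reproduces the member selection logic described in this example and in the preceding ECMP longest match example: with tie-break fib-best-match the candidate members are first narrowed to those that carry the longest-prefix (possibly ECMP) route to the destination, and in Lowest Cost (SLA) mode the longest match then takes precedence over SLA state when every member in that pool is out of SLA. The routing table, member list and SLA states are constructed to mirror the topology in the two examples; the names Member, select_member and egress_for are the example's own.

```python
"""Model of SD-WAN member selection with tie-break fib-best-match.

Added example, not FortiOS code. Candidates are first narrowed to the
members on the longest-prefix (possibly ECMP) route to the destination,
then the rule mode picks one of them. Routing table, members and SLA
states are constructed to mirror the guide's topology.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass
class Member:
    seq: int                 # position in priority-members, i.e. cfg_order
    interface: str
    alive: bool = True
    in_sla: bool = True
    cost: int = 0
    latency_ms: float = 0.0  # quality metric used by priority mode


def longest_match_interfaces(routes, dst: str) -> list:
    """Return the egress interfaces of the most specific route(s) to dst.

    routes is a list of (prefix, interface) tuples; equal-length prefixes
    are ECMP paths and are all returned.
    """
    addr = ip_address(dst)
    best_len, best = -1, []
    for prefix, iface in routes:
        net = ip_network(prefix)
        if addr not in net:
            continue
        if net.prefixlen > best_len:
            best_len, best = net.prefixlen, [iface]
        elif net.prefixlen == best_len:
            best.append(iface)
    return best


def select_member(members, routes, dst: str, mode: str = "sla", fib_best_match: bool = True):
    """Pick the member an SD-WAN rule would use for traffic to dst.

    members must be in priority-members order. With fib_best_match the pool
    is limited to members on the longest-match route; in sla mode the longest
    match also overrides SLA state when every member in that pool is out of
    SLA, which is the override behaviour the guide describes.
    """
    pool = [m for m in members if m.alive]
    if fib_best_match:
        best = set(longest_match_interfaces(routes, dst))
        pool = [m for m in pool if m.interface in best]
    if not pool:
        return None
    if mode == "manual":
        return pool[0]                       # first configured alive member
    if mode == "priority":
        return min(pool, key=lambda m: (m.latency_ms, m.seq))
    if mode == "sla":
        in_sla = [m for m in pool if m.in_sla]
        return min(in_sla or pool, key=lambda m: (m.cost, m.seq))
    raise ValueError(f"unknown mode {mode}")


# Constructed to match the guide: ECMP default routes on all four members and
# an ECMP /32 for PC_2 on port15 and port16 only.
ROUTES = [
    ("0.0.0.0/0", "port1"), ("0.0.0.0/0", "dmz"),
    ("0.0.0.0/0", "port15"), ("0.0.0.0/0", "port16"),
    ("10.1.100.22/32", "port15"), ("10.1.100.22/32", "port16"),
]
ALL_IN_SLA = [Member(1, "port1"), Member(2, "dmz"), Member(3, "port15"), Member(4, "port16")]
SPECIFIC_OUT_OF_SLA = [Member(1, "port1"), Member(2, "dmz"),
                       Member(3, "port15", in_sla=False), Member(4, "port16", in_sla=False)]


def egress_for(members, dst: str, fib_best_match: bool = True) -> str:
    """Interface name the sla-mode rule would select, or 'none' if nothing is eligible."""
    m = select_member(members, ROUTES, dst, "sla", fib_best_match)
    return m.interface if m else "none"


if __name__ == "__main__":
    print("PC_2, all in SLA:", egress_for(ALL_IN_SLA, "10.1.100.22"))
    print("other, all in SLA:", egress_for(ALL_IN_SLA, "8.8.8.8"))
    print("PC_2, port15/16 out of SLA:", egress_for(SPECIFIC_OUT_OF_SLA, "10.1.100.22"))
    print("PC_2, same without fib-best-match:", egress_for(SPECIFIC_OUT_OF_SLA, "10.1.100.22", False))
```

The last call shows the case the feature exists for: without fib-best-match, the two out-of-SLA members on the /32 are passed over and traffic for PC_2 is sent out port1, which only has a default route to it.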

Use an application category as an SD-WAN rule destination

An application category can be selected as an SD-WAN service rule destination criterion. Previously, only application
groups or individual applications could be selected.
config system sdwan
config service
edit <id>
set internet-service enable
set internet-service-app-ctrl-category <id_1> <id_2> ... <id_n>
next
end
end

To view the details of the applications detected in a category, use diagnose sys sdwan
internet-service-app-ctrl-category-list <id>, where <id> is the category ID.

Example

In this example, traffic steering is applied to traffic detected as video/audio (category ID 5) or email (category ID 21) and
applies the lowest cost (SLA) strategy to this traffic. When costs are tied, the priority goes to member 1, dmz.

To configure application categories as an SD-WAN rule destination in the GUI:

1. Enable the feature visibility:
a. Go to System > Feature Visibility.
b. In the Additional Features section, enable Application Detection Based SD-WAN.
c. Click Apply.

2. Configure the SD-WAN members:
a. Go to Network > SD-WAN, select the SD-WAN Zones tab, and click Create New > SD-WAN Member.
b. Set the Interface to dmz, and set the Gateway to 172.16.208.2.
c. Click OK.
d. Repeat these steps to create another member for the vlan100 interface with gateway 172.16.206.2.
3. Configure the performance SLA (health check):
a. Go to Network > SD-WAN, select the Performance SLAs tab, and click Create New.
b. Configure the following settings:

Name        1
Protocol    DNS
Server      8.8.8.8
SLA Target  Enable

c. Click OK.
4. Configure the SD-WAN rule to use the video/audio and email application categories:
a. Go to Network > SD-WAN, select the SD-WAN Rules tab, and click Create New.
b. In the Destination section, click the + in the Application field.
c. Click Category, and select Video/Audio and Email.

d. Configure the other settings as needed.


e. Click OK.
5. Configure the firewall policy:
a. Go to Policy & Objects > Firewall Policy and click Create New.
b. Configure the following settings:

Incoming Interface   port5
Outgoing Interface   virtual-wan-link
Source               172.16.205.0
Destination          all
Schedule             always
Service              ALL
Action               ACCEPT
Application Control  g-default
SSL Inspection       certificate-inspection

c. Click OK.

To configure application categories as an SD-WAN rule destination in the CLI:

1. Configure the SD-WAN settings:


config system sdwan
set status enable
config zone
edit "virtual-wan-link"
next
end
config members
edit 1
set interface "dmz"
set gateway 172.16.208.2
next
edit 2
set interface "vlan100"
set gateway 172.16.206.2
next
end
config health-check
edit "1"
set server "8.8.8.8"
set protocol dns
set members 0
config sla
edit 1
next
end
next
end
end

2. Configure the SD-WAN rule to use application categories 5 and 21:


config system sdwan
config service
edit 1
set name "1"
set mode sla
set src "172.16.205.0"
set internet-service enable
set internet-service-app-ctrl-category 5 21
config sla
edit "1"
set id 1
next
end
set priority-members 1 2
next
end
end

3. Configure the firewall policy:


config firewall policy
edit 1
set srcintf "port5"
set dstintf "virtual-wan-link"
set action accept
set srcaddr 172.16.205.0
set dstaddr "all"
set schedule "always"
set service "ALL"
set utm-status enable
set ssl-ssh-profile "certificate-inspection"
set application-list "g-default"
next
end

To test the configuration:

1. Verify that the traffic is sent over dmz:


# diagnose firewall proute list
list route policy info(vf=root):
id=2133590017(0x7f2c0001) vwl_service=1(1) vwl_mbr_seq=1 2 dscp_tag=0xff 0xff flags=0x0 tos=0x00 tos_mask=0x00 protocol=0 sport=0-65535 iif=0 dport=1-65535 path(2) oif=5(dmz) oif=95(vlan100)
source(1): 172.16.205.0-172.16.205.255
destination wildcard(1): 0.0.0.0/0.0.0.0
internet service(2): (null)(0,5,0,0,0) (null)(0,21,0,0,0)
hit_count=469 last_used=2021-12-15 15:06:05

2. View some videos and emails on the PC, then verify the detected application details for each category:
# diagnose sys sdwan internet-service-app-ctrl-category-list 5
YouTube(31077 4294838537): 142.250.217.110 6 443 Wed Dec 15 15:39:50 2021
YouTube(31077 4294838537): 173.194.152.89 6 443 Wed Dec 15 15:37:20 2021
YouTube(31077 4294838537): 173.194.152.170 6 443 Wed Dec 15 15:37:37 2021
YouTube(31077 4294838537): 209.52.146.205 6 443 Wed Dec 15 15:37:19 2021

# diagnose sys sdwan internet-service-app-ctrl-category-list 21
Gmail(15817 4294836957): 172.217.14.197 6 443 Wed Dec 15 15:39:47 2021

3. Verify that the captured email traffic is sent over dmz:


# diagnose sniffer packet any 'host 172.217.14.197' 4
interfaces=[any]
filters=[host 172.217.14.197]
5.079814 dmz out 172.16.205.100.60592 -> 172.217.14.197.443: psh 2961561240 ack 2277134591

4. Change the configuration so that vlan100 is preferred over dmz, for example by setting a higher cost on the dmz
member (cost is a member setting under config system sdwan > config members, not a rule setting). The proute output
below shows the resulting member order, vwl_mbr_seq=2 1.
5. Verify that the traffic is now sent over vlan100:
# diagnose firewall proute list
list route policy info(vf=root):
id=2134048769(0x7f330001) vwl_service=1(1) vwl_mbr_seq=2 1 dscp_tag=0xff 0xff flags=0x0 tos=0x00 tos_mask=0x00 protocol=0 sport=0-65535 iif=0 dport=1-65535 path(2) oif=95(vlan100) oif=5(dmz)
source(1): 172.16.205.0-172.16.205.255
destination wildcard(1): 0.0.0.0/0.0.0.0
internet service(2): (null)(0,5,0,0,0) (null)(0,21,0,0,0)
hit_count=635 last_used=2021-12-15 15:55:43

# diagnose sniffer packet any 'host 172.217.14.197' 4


interfaces=[any]
filters=[host 172.217.14.197]
304.625168 vlan100 in 172.16.205.100.60592 -> 172.217.14.197.443: psh 2961572711 ack 2277139565

Advanced routing

The following topics provide instructions on SD-WAN advanced routing:


l Local out traffic on page 637
l Using BGP tags with SD-WAN rules on page 643
l BGP multiple path support on page 646
l Controlling traffic with BGP route mapping and service rules on page 648
l Applying BGP route-map to multiple BGP neighbors on page 655
l Using multiple members per SD-WAN neighbor configuration on page 661

Local out traffic

Local out, or self-originating, traffic is traffic that originates from the FortiGate going to external servers and services. The
traffic can be from Syslog, FortiAnalyzer logging, FortiGuard services, remote authentication, and others.
By default, local out traffic relies on routing table lookups to determine the egress interface that is used to initiate the
connection. However, many types of local out traffic support selecting the egress interface based on SD-WAN or
manually specified interfaces. When manually specifying the egress interface, the source IP address can also be
manually configured.
Go to Network > Local Out Routing to configure the available types of local out traffic. Some types of traffic can only be
configured in the CLI.

By default Local Out Routing is not visible in the GUI. Go to System > Feature Visibility to
enable it. See Feature visibility on page 2269 for more information.

When VDOMs are enabled, the following entries are available on the local out routing page:

Global view:
l External Resources: AWS_IP_Blacklist, AWS_Malware_Hash
l Log: Log FortiAnalyzer Setting, Log FortiAnalyzer Cloud Setting, FortiGate Cloud Log Settings, Log Syslogd Setting
l System: System DNS, System FortiGuard, System FortiSandbox

VDOM view:
l LDAP Servers: ldap
l Log: Log FortiAnalyzer Override Settings, Log Syslogd Override Settings
l RADIUS Servers: fac_radius_server
l TACACS+: TACACS

If a service is disabled, it is grayed out. To enable it, select the service and click Enable Service. If a service is enabled,
there is a Local Out Setting button in the gutter of that service's edit page to directly configure the local-out settings.

Examples

To configure DNS local-out routing:

1. Go to Network > Local Out Routing and double-click System DNS.


2. For Outgoing interface, select one of the following:

Auto      Select the outgoing interface automatically based on the routing table.
SD-WAN    Select the outgoing interface using the configured SD-WAN interfaces and rules.
Specify   Select the outgoing interface from the dropdown.

3. If Specify is selected, select a setting for Source IP:

Use Interface IP   Use the primary IP of the interface, which cannot be changed here.
Manually           Select an IP from the list, if the selected interface has multiple IPs configured.

4. Click OK.

To edit local-out settings from a RADIUS server entry:

1. Go to User & Authentication > RADIUS Servers and double-click an entry to edit it.
2. Click Local Out Setting.

The Edit Local Out Setting pane opens.


3. Configure the settings for Outgoing interface and Source IP.

4. Click OK.

To edit multiple entries concurrently:

1. Go to Network > Local Out Routing.


2. If applicable, select IPv4 or IPv6. IPv4+IPv6 does not support multi-select.
3. Click Multi-Select Mode. All of the local out settings that can be edited concurrently are shown.
4. Select the specific entries, or click Select All to select all of the entries.

5. Click Edit and configure the local out settings as required.

6. Click OK.
7. Click Exit Multi-Select Mode to return to the normal view.

Configuring local out routing in the CLI

Some local out routing settings can only be configured using the CLI.

PING

IPv4 and IPv6 pings can be configured to use SD-WAN rules:


execute ping-options use-sdwan {yes | no}
execute ping6-options use-sd-wan {yes | no}

Traceroute

IPv4 traceroute can be configured to use SD-WAN rules:


execute traceroute-options use-sdwan {yes | no}

Central management

Central management traffic can use SD-WAN rules or a specific interface:


config system central-management
set interface-select-method {auto | sdwan | specify}
set interface <interface>
end

NTP server

NTP server traffic can use SD-WAN rules or a specific interface:


config system ntp
config ntpserver
edit <id>
set interface-select-method {auto | sdwan | specify}
set interface <interface>
next
end
end

DHCP proxy

DHCP proxy traffic can use SD-WAN rules or a specific interface:


config system settings
set dhcp-proxy-interface-select-method {auto | sdwan | specify}
set dhcp-proxy-interface <interface>
end

dhcp-proxy-interface-select-method {auto | sdwan | specify}
    Select the interface selection method:
    l auto: Set the outgoing interface automatically (default).
    l sdwan: Set the interface by SD-WAN or policy routing rules.
    l specify: Set the interface manually.
dhcp-proxy-interface <interface>
    Specify the outgoing interface. This option is only available and must be configured when
    dhcp-proxy-interface-select-method is specify.

DHCP relay

DHCP relay traffic can use SD-WAN rules or a specific interface:


config system interface
edit <interface>
set dhcp-relay-interface-select-method {auto | sdwan | specify}
set dhcp-relay-interface <interface>
next
end

dhcp-relay-interface-select-method {auto | sdwan | specify}
    Select the interface selection method:
    l auto: Set the outgoing interface automatically (default).
    l sdwan: Set the interface by SD-WAN or policy routing rules.
    l specify: Set the interface manually.
dhcp-relay-interface <interface>
    Specify the outgoing interface. This option is only available and must be configured when
    dhcp-relay-interface-select-method is specify.

CA and local certificate renewal with SCEP

Certificate renewal with SCEP traffic can use SD-WAN rules or a specific interface:
config vpn certificate setting
set interface-select-method {auto | sdwan | specify}
set interface <interface>
end

IPS TLS protocol active probing

TLS active probing can use SD-WAN rules or a specific interface:


config ips global
config tls-active-probe
set interface-selection-method {auto | sdwan | specify}
set interface <interface>
set vdom <VDOM>
set source-ip <IPv4 address>
set source-ip6 <IPv6 address>
end
end

interface-selection-method {auto | sdwan | specify}
    Select the interface selection method:
    l auto: Set the outgoing interface automatically (default).
    l sdwan: Set the interface by SD-WAN or policy routing rules.
    l specify: Set the interface manually.
interface <interface>
    Specify the outgoing interface. This option is only available and must be configured when
    interface-selection-method is specify.
vdom <VDOM>
    Specify the VDOM. This option is only available and must be configured when interface-selection-method is
    sdwan or specify.
source-ip <IPv4 address>
    Specify the source IPv4 address. This option is only available and must be configured when
    interface-selection-method is sdwan or specify.
source-ip6 <IPv6 address>
    Specify the source IPv6 address. This option is only available and must be configured when
    interface-selection-method is sdwan or specify.

Netflow and sflow

Netflow and sflow can use SD-WAN rules or a specific interface:


config system {netflow | sflow | vdom-netflow | vdom-sflow}
set interface-select-method {auto | sdwan | specify}
set interface <interface>
end

interface-select-method {auto | sdwan | specify}
    Select the interface selection method:
    l auto: Set the outgoing interface automatically (default).
    l sdwan: Set the interface by SD-WAN or policy routing rules.
    l specify: Set the interface manually.
interface <interface>
    Specify the outgoing interface. This option is only available and must be configured when
    interface-select-method is specify.

Using BGP tags with SD-WAN rules

SD-WAN rules can use Border Gateway Protocol (BGP) learned routes as dynamic destinations.

In this example, a customer has two ISP connections, wan1 and wan2. wan1 is used primarily for direct access to
internet applications, and wan2 is used primarily for traffic to the customer's data center.
The customer could create an SD-WAN rule using the data center's IP address range as the destination to force that
traffic to use wan2, but the data center's IP range is not static. Instead, a BGP tag can be used.
For this example, wan2's BGP neighbor advertises the data center's network range with a community number of 30:5.
This example assumes that SD-WAN is enabled on the FortiGate, wan1 and wan2 are added as SD-WAN members in
the virtual-wan-link SD-WAN zone, and a policy and static route have been created. See SD-WAN quick start on page
518 for details.

FortiOS supports IPv4 and IPv6 route tags.

To configure BGP tags with SD-WAN rules:

1. Configure the community list:


config router community-list
edit "30:5"
config rule
edit 1
set action permit
set match "30:5"
next
end
next
end

2. Configure the route map:


config router route-map
edit "comm1"
config rule
edit 1
set match-community "30:5"
set set-route-tag 15
next
end
next
end

3. Configure BGP:
config router bgp
set as xxxxx
set router-id xxxx
config neighbor
edit "10.100.20.2"
set soft-reconfiguration enable
set remote-as xxxxx
set route-map-in "comm1"
next
end
end

4. Configure a firewall policy:


config firewall policy
edit 1
set name "1"
set srcintf "dmz"
set dstintf "virtual-wan-link"
set srcaddr "all"
set dstaddr "all"
set action accept
set schedule "always"
set service "ALL"
set nat enable
next
end

5. Edit the SD-WAN configuration:


config system sdwan
set status enable
config members
edit 1
set interface "wan1"
set gateway 172.16.20.2
next
edit 2
set interface "wan2"
next
end
config service
edit 1
set name "DataCenter"
set mode manual
set route-tag 15
set priority-members 2
next
end
end

Troubleshooting BGP tags with SD-WAN rules

Check the network community

Use the get router info bgp network command to check the network community:
# get router info bgp network
BGP table version is 5, local router ID is 1.1.1.1
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete

Network Next Hop Metric LocPrf Weight RouteTag Path
*> 0.0.0.0/0 10.100.1.5 32768 0 ?
*> 1.1.1.1/32 0.0.0.0 32768 0 ?
*> 10.1.100.0/24 172.16.203.2 32768 0 ?
*> 10.100.1.0/30 0.0.0.0 32768 0 ?
*> 10.100.1.4/30 0.0.0.0 32768 0 ?
*> 10.100.1.248/29 0.0.0.0 32768 0 ?
*> 10.100.10.0/24 10.100.1.5 202 10000 15 20 e
*> 172.16.200.0/24 0.0.0.0 32768 0 ?
*> 172.16.200.200/32 0.0.0.0 32768 0 ?
*> 172.16.201.0/24 172.16.200.4 32768 0 ?
*> 172.16.203.0/24 0.0.0.0 32768 0 ?
*> 172.16.204.0/24 172.16.200.4 32768 0 ?
*> 172.16.205.0/24 0.0.0.0 32768 0 ?
*> 172.16.206.0/24 0.0.0.0 32768 0 ?
*> 172.16.207.1/32 0.0.0.0 32768 0 ?
*> 172.16.207.2/32 0.0.0.0 32768 0 ?
*> 172.16.212.1/32 0.0.0.0 32768 0 ?
*> 172.16.212.2/32 0.0.0.0 32768 0 ?
*> 172.17.200.200/32 0.0.0.0 32768 0 ?
*> 172.27.1.0/24 0.0.0.0 32768 0 ?
*> 172.27.2.0/24 0.0.0.0 32768 0 ?
*> 172.27.5.0/24 0.0.0.0 32768 0 ?
*> 172.27.6.0/24 0.0.0.0 32768 0 ?
*> 172.27.7.0/24 0.0.0.0 32768 0 ?
*> 172.27.8.0/24 0.0.0.0 32768 0 ?
*> 172.29.1.0/24 0.0.0.0 32768 0 ?
*> 172.29.2.0/24 0.0.0.0 32768 0 ?
*> 192.168.1.0 0.0.0.0 32768 0 ?

Total number of prefixes 28

# get router info bgp network 10.100.11.0
BGP routing table entry for 10.100.10.0/24
Paths: (2 available, best 1, table Default-IP-Routing-Table)
Advertised to non peer-group peers:
172.10.22.2
20
10.100.20.2 from 10.100.20.2 (6.6.6.6)
Origin EGP metric 200, localpref 100, weight 10000, valid, external, best
Community: 30:5 <<<<===========================
Last update: Wen Mar 20 18:45:17 2019

Check dynamic BGP addresses

Use the get router info route-map-address command to check dynamic BGP addresses:
# get router info route-map-address
Extend-tag: 15, interface(wan2:16)
10.100.11.0/255.255.255.0

Check dynamic BGP addresses used in policy routes

Use the diagnose firewall proute list command to check dynamic BGP addresses used in policy routes:
# diagnose firewall proute list
list route policy info(vf=root):

id=4278779905 vwl_service=1(DataCenter) flags=0x0 tos=0x00 tos_mask=0x00 protocol=0
sport=0:65535 iif=0 dport=1-65535 oif=16
source wildcard(1): 0.0.0.0/0.0.0.0
destination wildcard(1): 10.100.11.0/255.255.255.0

BGP multiple path support

BGP supports multiple paths, allowing an ADVPN to advertise multiple paths to the same prefix. This allows BGP to
advertise and keep additional network paths as described in RFC 7911.
In this example, Spoke1 and Spoke2 each have four VPN tunnels that are connected to the Hub with ADVPN. Each spoke
has established a BGP neighbor relationship with the Hub on each of the four tunnels.

Spoke1 and Spoke2 can learn four different routes from each other.

To configure the hub:

config router bgp
set as 65505
set router-id 11.11.11.11
set ibgp-multipath enable
set additional-path enable
set additional-path-select 4
config neighbor-group
edit "gr1"
set capability-default-originate enable
set remote-as 65505
set additional-path both
set adv-additional-path 4
set route-reflector-client enable
next
end
config neighbor-range
edit 1
set prefix 10.10.0.0 255.255.0.0
set neighbor-group "gr1"
next
end
config network
edit 12
set prefix 11.11.11.11 255.255.255.255
next
end
end

To configure a spoke:

config router bgp
set as 65505
set router-id 2.2.2.2
set ibgp-multipath enable
set additional-path enable
set additional-path-select 4
config neighbor
edit "10.10.100.254"
set soft-reconfiguration enable
set remote-as 65505
set additional-path both
set adv-additional-path 4
next
edit "10.10.200.254"
set soft-reconfiguration enable
set remote-as 65505
set additional-path both
set adv-additional-path 4
next
edit "10.10.203.254"
set soft-reconfiguration enable
set remote-as 65505
set additional-path both
set adv-additional-path 4
next
edit "10.10.204.254"
set soft-reconfiguration enable
set remote-as 65505
set additional-path both
set adv-additional-path 4
next
end
config network
edit 3
set prefix 22.1.1.0 255.255.255.0
next
end
end

To view the BGP routing table on a spoke:

Spoke1 # get router info routing-table bgp
Routing table for VRF=0
B* 0.0.0.0/0 [200/0] via 10.10.200.254, vd2-2, 03:57:26
[200/0] via 10.10.203.254, vd2-3, 03:57:26
[200/0] via 10.10.204.254, vd2-4, 03:57:26
[200/0] via 10.10.100.254, vd2-1, 03:57:26
B 1.1.1.1/32 [200/0] via 11.1.1.1 (recursive via 12.1.1.1), 03:57:51
[200/0] via 11.1.1.1 (recursive via 12.1.1.1), 03:57:51
[200/0] via 11.1.1.1 (recursive via 12.1.1.1), 03:57:51
[200/0] via 11.1.1.1 (recursive via 12.1.1.1), 03:57:51
B 11.11.11.11/32 [200/0] via 10.10.200.254, vd2-2, 03:57:51
[200/0] via 10.10.203.254, vd2-3, 03:57:51
[200/0] via 10.10.204.254, vd2-4, 03:57:51
[200/0] via 10.10.100.254, vd2-1, 03:57:51
B 33.1.1.0/24 [200/0] via 10.10.204.3, vd2-4, 03:57:26
[200/0] via 10.10.203.3, vd2-3, 03:57:26
[200/0] via 10.10.200.3, vd2-2, 03:57:26
[200/0] via 10.10.100.3, vd2-1, 03:57:26
[200/0] via 10.10.204.3, vd2-4, 03:57:26
[200/0] via 10.10.203.3, vd2-3, 03:57:26
[200/0] via 10.10.200.3, vd2-2, 03:57:26
[200/0] via 10.10.100.3, vd2-1, 03:57:26
[200/0] via 10.10.204.3, vd2-4, 03:57:26
[200/0] via 10.10.203.3, vd2-3, 03:57:26
[200/0] via 10.10.200.3, vd2-2, 03:57:26
[200/0] via 10.10.100.3, vd2-1, 03:57:26
[200/0] via 10.10.204.3, vd2-4, 03:57:26
[200/0] via 10.10.203.3, vd2-3, 03:57:26
[200/0] via 10.10.200.3, vd2-2, 03:57:26
[200/0] via 10.10.100.3, vd2-1, 03:57:26

Controlling traffic with BGP route mapping and service rules

SD-WAN allows you to select different outbound WAN links based on performance SLAs. It is important that BGP
neighbors are aware of these settings, and changes to them.
BGP can adapt to changes in SD-WAN link SLAs in the following ways:
• Applying different route-maps based on the SD-WAN's health checks. For example, different BGP community
strings can be advertised to BGP neighbors when SLAs are not met.
• Traffic can be selectively forwarded based on the active BGP neighbor. If the SD-WAN service's role matches the
active SD-WAN neighbor, the service is enabled. If there is no match, then the service is disabled.

Example

In this topology, a branch FortiGate has two SD-WAN gateways serving as the primary and secondary gateways. The
gateways reside in different datacenters, but have a full mesh network between them.

This example shows how route-maps and service rules are selected based on performance SLAs and the member that
is currently active. Traffic flows through the primary gateway unless the neighbor's health check is outside of its SLA. If
that happens, traffic routes to the secondary gateway.
BGP NBR1 is the primary neighbor and BGP NBR2 is the secondary neighbor.
The branch FortiGate's wan1 and wan2 interfaces are members of the SD-WAN. When the SD-WAN neighbor status is
primary, it will advertise community 20:1 to BGP NBR1 and 20:5 to BGP NBR2. When the SD-WAN neighbor status is
secondary, it will advertise 20:5 to BGP NBR1 and 20:2 to BGP NBR2.
Only one of the primary or secondary neighbors can be active at one time. The SD-WAN neighbor status is used to
decide which neighbor is selected:
• Primary: The primary neighbor takes precedence if its SLAs are met.
• Secondary: If the primary neighbor's SLAs are not met, the secondary neighbor becomes active if its SLAs are met.
• Standalone: If neither the primary nor the secondary neighbor's SLAs are met, the SD-WAN neighbor status becomes
standalone.

Route map

SD-WAN is configured to let BGP advertise different communities when the SLA status changes. When the SLA is
missed, it triggers BGP to advertise a different community to its BGP neighbor based on its route-map. The BGP
neighbors can use the received community string to select the best path to reach the branch.

To configure BGP route-maps and neighbors:

1. Configure an access list for the routes to be matched:


config router access-list
edit "net192"
config rule
edit 1
set prefix 192.168.20.0 255.255.255.0
next
end
next
end

2. Configure the primary neighbor's preferred route-map:


config router route-map
edit "comm1"
config rule
edit 1
set match-ip-address "net192"
set set-community "20:1"
next
end
next
end

3. Configure the secondary neighbor's preferred route-map:


config router route-map
edit "comm2"
config rule
edit 1
set match-ip-address "net192"
set set-community "20:2"
next
end
next
end

4. Configure the failed route-map:


config router route-map
edit "comm5"
config rule
edit 1
set match-ip-address "net192"
set set-community "20:5"
next
end
next
end

5. Configure BGP neighbors:


config router bgp
set as 65412
set router-id 1.1.1.1
set ibgp-multipath enable
config neighbor
edit "10.100.1.1"
set soft-reconfiguration enable
set remote-as 20
set route-map-out "comm5"
set route-map-out-preferable "comm1"
next
edit "10.100.1.5"
set soft-reconfiguration enable
set remote-as 20
set route-map-out "comm5"
set route-map-out-preferable "comm2"
next
end
end

When SLAs are met, route-map-out-preferable is used. When SLAs are missed, route-map-out is used.

To configure SD-WAN:

1. Configure the SD-WAN members:


config system sdwan
set status enable
config members
edit 1
set interface "port1"
next
edit 2
set interface "port2"
next
end
end

2. Configure health checks for each member:


config system sdwan
config health-check
edit "ping"
set server "10.100.2.22"
set members 1
config sla
edit 1
set link-cost-factor packet-loss
set packetloss-threshold 1
next
end
next
edit "ping2"
set server "10.100.2.23"
set members 2
config sla
edit 1
set link-cost-factor packet-loss
set packetloss-threshold 1
next
end
next
end
end

3. Configure the SD-WAN neighbors and assign them a role and the health checks used to determine if the neighbor
meets the SLA:
SD-WAN neighbors can only be configured in the CLI.
config system sdwan
config neighbor
edit "10.100.1.1"
set member 1
set role primary
set health-check "ping"
set sla-id 1
next
edit "10.100.1.5"
set member 2
set role secondary
set health-check "ping2"
set sla-id 1
next
end
end

Service rules

Create SD-WAN service rules to direct traffic to the primary neighbor when its SLAs are met, and to the secondary
neighbor when the primary neighbor's SLAs are missed.

To configure the SD-WAN service rules:

config system sdwan
config service
edit 1
set name "Primary-Out"
set role primary
set dst "all"
set src "all"
set priority-members 1
next
edit 2
set name "Secondary-Out"
set role secondary
set dst "all"
set src "all"
set priority-members 2
next
end
end

If neither the primary nor secondary neighbors are active, the SD-WAN neighbor status
becomes standalone. Only service rules with standalone-action enabled will continue to
pass traffic. This option is disabled by default.

Verification

To verify when the primary neighbor is passing traffic:

1. Verify the health check status:


FortiGate-Branch # diagnose sys sdwan health-check
Health Check(ping):
Seq(1 port1): state(alive), packet-loss(0.000%) latency(0.569), jitter(0.061) sla_map=0x1
Health Check(ping2):
Seq(2 port2): state(alive), packet-loss(0.000%) latency(3.916), jitter(2.373) sla_map=0x1

2. Verify SD-WAN neighbor status:


FortiGate-Branch # diagnose sys sdwan neighbor
SD-WAN neighbor status: hold-down(disable), hold-down-time(0), hold_boot_time(0)
Selected role(primary) last_secondary_select_time/current_time in seconds 0/572
Neighbor(10.100.1.1): member(1) role(primary)
Health-check(ping:1) sla-pass selected alive
Neighbor(10.100.1.5): member(2) role(secondary)
Health-check(ping2:1) sla-pass alive

3. Verify service rules status:


FortiGate-Branch # diagnose sys sdwan service
Service(1): Address Mode(IPV4) flags=0x0
Gen(3), TOS(0x0/0x0), Protocol(0: 1->65535), Mode(manual)
Service role: primary
Members:
1: Seq_num(1 port1), alive, selected
Src address:
0.0.0.0-255.255.255.255

Dst address:
0.0.0.0-255.255.255.255

Service(2): Address Mode(IPV4) flags=0x0
Gen(6), TOS(0x0/0x0), Protocol(0: 1->65535), Mode(manual)
Service role: secondary, disabled by unselected.
Members:
1: Seq_num(2 port2), alive, selected
Src address:
0.0.0.0-255.255.255.255

Dst address:
0.0.0.0-255.255.255.255

4. Verify neighbor routers:


a. Primary neighbor router:
FGT-NBR1 # get router info bgp network 192.168.20.0
BGP routing table entry for 192.168.20.0/24
Paths: (1 available, best #1, table Default-IP-Routing-Table)
Not advertised to any peer
64512
10.100.1.2 from 10.100.1.2 (192.168.122.98)
Origin IGP metric 0, localpref 100, valid, external, best
Community: 20:1
Last update: Thu Apr 30 13:41:40 2020

b. Secondary neighbor router:


FGT-NBR2 # get router info bgp network 192.168.20.0
VRF 0 BGP routing table entry for 192.168.20.0/24
Paths: (1 available, best #1, table Default-IP-Routing-Table)
Not advertised to any peer
Original VRF 0
64512
10.100.1.6 from 10.100.1.6 (192.168.122.98)
Origin IGP metric 0, localpref 100, valid, external, best
Community: 20:5
Last update: Thu Apr 30 13:41:39 2020

To verify when the secondary neighbor is passing traffic:

1. Verify the health check status:


FortiGate-Branch # diagnose sys sdwan health-check
Health Check(ping):
Seq(1 port1): state(dead), packet-loss(54.000%) sla_map=0x0
Health Check(ping2):
Seq(2 port2): state(alive), packet-loss(0.000%) latency(4.339), jitter(3.701) sla_map=0x1

2. Verify SD-WAN neighbor status:


FortiGate-Branch # diagnose sys sdwan neighbor
SD-WAN neighbor status: hold-down(disable), hold-down-time(0), hold_boot_time(0)
Selected role(secondary) last_secondary_select_time/current_time in seconds
936/936
Neighbor(10.100.1.1): member(1) role(primary)
Health-check(ping:1) sla-fail dead
Neighbor(10.100.1.5): member(2) role(secondary)
Health-check(ping2:1) sla-pass selected alive

3. Verify service rules status:


FortiGate-Branch # diagnose sys sdwan service
Service(1): Address Mode(IPV4) flags=0x0
Gen(4), TOS(0x0/0x0), Protocol(0: 1->65535), Mode(manual)
Service role: primary, disabled by unselected.
Members:
1: Seq_num(1 port1), alive, selected
Src address:
0.0.0.0-255.255.255.255

Dst address:
0.0.0.0-255.255.255.255

Service(2): Address Mode(IPV4) flags=0x0
Gen(7), TOS(0x0/0x0), Protocol(0: 1->65535), Mode(manual)
Service role: secondary
Members:
1: Seq_num(2 port2), alive, selected
Src address:
0.0.0.0-255.255.255.255

Dst address:
0.0.0.0-255.255.255.255

4. Verify neighbor routers:


a. Primary neighbor router:
FGT-NBR1 # get router info bgp network 192.168.20.0
BGP routing table entry for 192.168.20.0/24
Paths: (1 available, best #1, table Default-IP-Routing-Table)
Not advertised to any peer
64512
10.100.1.2 from 10.100.1.2 (192.168.122.98)
Origin IGP metric 0, localpref 100, valid, external, best
Community: 20:5
Last update: Thu Apr 30 15:41:58 2020

b. Secondary neighbor router:


FGT-NBR2 # get router info bgp network 192.168.20.0
VRF 0 BGP routing table entry for 192.168.20.0/24
Paths: (1 available, best #1, table Default-IP-Routing-Table)
Not advertised to any peer
Original VRF 0
64512
10.100.1.6 from 10.100.1.6 (192.168.122.98)
Origin IGP metric 0, localpref 100, valid, external, best
Community: 20:2
Last update: Thu Apr 30 15:42:07 2020

Applying BGP route-map to multiple BGP neighbors

Controlling traffic with BGP route mapping and service rules explained how BGP can apply different route-maps to the
primary and secondary SD-WAN neighbors based on SLA health checks.
In this example, SD-WAN neighbors that are not bound to primary and secondary roles are configured.

The FortiGate has multiple SD-WAN links and has formed BGP neighbors with both ISPs.
ISP1 is used primarily for outbound traffic, and has an SD-WAN service rule using the lowest cost algorithm applied to it.
When SLAs for ISP1 are not met, it will fail over to the MPLS line.
Inbound traffic is allowed by both WAN links, with each WAN advertising a community string when SLAs are met. When
SLAs are not met, the WAN links advertise a different community string.
This example uses two SD-WAN links. The topology can be expanded to include more links as needed.

To configure BGP route-maps and neighbors:

1. Configure an access list for routes to be matched:


config router access-list
edit "net192"
config rule
edit 1
set prefix 192.168.20.0 255.255.255.0
next
end
next
end

2. Configure route-maps for neighbor ISP1:


config router route-map
edit "comm1"
config rule
edit 1
set match-ip-address "net192"
set set-community "64511:1"
next
end
next
edit "comm-fail1"
config rule
edit 1
set match-ip-address "net192"
set set-community "64511:5"
next
end
next
end

3. Configure route-maps for neighbor ISP2:


config router route-map
edit "comm2"
config rule
edit 1
set match-ip-address "net192"
set set-community "64522:1"
next
end
next
edit "comm-fail2"
config rule
edit 1
set match-ip-address "net192"
set set-community "64522:5"
next
end
next
end

4. Configure the BGP neighbors:


config router bgp
set as 64512
set keepalive-timer 1
set holdtime-timer 3
config neighbor
edit "192.168.2.1"
set soft-reconfiguration enable
set remote-as 64511
set route-map-out "comm-fail1"
set route-map-out-preferable "comm1"
next
edit "172.31.0.1"
set soft-reconfiguration enable
set remote-as 64522
set route-map-out "comm-fail2"
set route-map-out-preferable "comm2"
next
end
config network
edit 1
set prefix 192.168.20.0 255.255.255.0
next
end
end

When SLAs are met, route-map-out-preferable is used. When SLAs are missed, route-map-out is used.

To configure SD-WAN:

1. Configure the SD-WAN members:


config system sdwan
set status enable
config members
edit 1
set interface "port1"
set gateway 192.168.2.1
next
edit 2
set interface "MPLS"
set cost 20
next
end
end

2. Configure the health checks that must be met:


config system sdwan
config health-check
edit "pingserver"
set server "8.8.8.8"
set members 2 1
config sla
edit 1
set link-cost-factor packet-loss
set packetloss-threshold 2
next
end
next
end
end

3. Configure the SD-WAN neighbors and assign them a role and the health checks used to determine if the neighbor
meets the SLA:
When no role is defined, the default role, standalone, is used.
config system sdwan
config neighbor
edit "192.168.2.1"
set member 1
set health-check "pingserver"
set sla-id 1
next
edit "172.31.0.1"
set member 2
set health-check "pingserver"
set sla-id 1
next
end
end

Service rules

Create SD-WAN service rules to direct traffic to the SD-WAN links based on the lowest cost algorithm. The same SLA
health check and criteria that are used for the SD-WAN neighbor are used for this SD-WAN service rule.
When no roles are defined in the service rule, the default role, standalone, is used.

To configure the SD-WAN service rule:

config system sdwan
config service
edit 1
set name "OutboundAll"
set mode sla
set dst "all"
set src "all"
config sla
edit "pingserver"
set id 1
next
end
set priority-members 1 2
next
end
end

Verification

To verify that when both SLAs are met, port1 is selected due to its lower cost:

1. Verify the health check status:


FortiGate-Branch # diagnose sys sdwan health-check
Health Check(pingserver):
Seq(2 MPLS): state(alive), packet-loss(0.000%) latency(24.709), jitter(14.996) sla_map=0x1
Seq(1 port1): state(alive), packet-loss(0.000%) latency(28.771), jitter(14.840) sla_map=0x1

2. Verify SD-WAN neighbor status:


FortiGate-Branch # diagnose sys sdwan neighbor
Neighbor(192.168.2.1): member(1) role(standalone)
Health-check(pingserver:1) sla-pass selected alive
Neighbor(172.31.0.1): member(2) role(standalone)
Health-check(pingserver:1) sla-pass selected alive

3. Verify service rules status:


Because the service role is standalone, it matches both neighbors. The mode (SLA) determines that port1 is
lower cost.
FortiGate-Branch # diagnose sys sdwan service
Service(1): Address Mode(IPV4) flags=0x0
Gen(1), TOS(0x0/0x0), Protocol(0: 1->65535), Mode(sla), sla-compare-order
Service role: standalone
Members:
1: Seq_num(1 port1), alive, sla(0x1), cfg_order(0), cost(0), selected
2: Seq_num(2 MPLS), alive, sla(0x1), cfg_order(1), cost(20), selected
Src address:
0.0.0.0-255.255.255.255

Dst address:
0.0.0.0-255.255.255.255

4. Verify neighbor routers:


a. Primary neighbor router:
FGT-NBR1 # get router info bgp network 192.168.20.0
BGP routing table entry for 192.168.20.0/24
Paths: (1 available, best #1, table Default-IP-Routing-Table)
Not advertised to any peer
64512
192.168.2.5 from 192.168.2.5 (192.168.122.98)
Origin IGP metric 0, localpref 100, valid, external, best
Community: 64511:1
Last update: Thu Apr 30 23:59:05 2020

b. Secondary neighbor router:


FGT-NBR2 # get router info bgp network 192.168.20.0
VRF 0 BGP routing table entry for 192.168.20.0/24
Paths: (1 available, best #1, table Default-IP-Routing-Table)
Not advertised to any peer
Original VRF 0
64512
172.31.0.2 from 172.31.0.2 (192.168.122.98)
Origin IGP metric 0, localpref 100, valid, external, best
Community: 64522:1
Last update: Fri May 1 00:11:28 2020

To verify that when neighbor ISP1 misses SLAs, MPLS is selected and BGP advertises a different
community string for ISP1:

1. Verify the health check status:


FortiGate-Branch # diagnose sys sdwan health-check
Health Check(pingserver):
Seq(2 MPLS): state(alive), packet-loss(0.000%) latency(25.637), jitter(17.820) sla_map=0x1
Seq(1 port1): state(dead), packet-loss(16.000%) sla_map=0x0

2. Verify SD-WAN neighbor status:


FortiGate-Branch # diagnose sys sdwan neighbor
Neighbor(192.168.2.1): member(1) role(standalone)
Health-check(pingserver:1) sla-fail dead
Neighbor(172.31.0.1): member(2) role(standalone)
Health-check(pingserver:1) sla-pass selected alive

3. Verify service rules status:


As SLA failed for neighbor ISP1, MPLS is preferred.
FortiGate-Branch # diagnose sys sdwan service
Service(1): Address Mode(IPV4) flags=0x0
Gen(3), TOS(0x0/0x0), Protocol(0: 1->65535), Mode(sla), sla-compare-order
Service role: standalone
Members:
1: Seq_num(2 MPLS), alive, sla(0x1), cfg_order(1), cost(20), selected
2: Seq_num(1 port1), dead, sla(0x0), cfg_order(0), cost(0)
Src address:
0.0.0.0-255.255.255.255

Dst address:
0.0.0.0-255.255.255.255

4. Verify neighbor routers:


The community received on ISP1 is updated.
a. Primary neighbor router:
FGT-NBR1 # get router info bgp network 192.168.20.0
BGP routing table entry for 192.168.20.0/24
Paths: (1 available, best #1, table Default-IP-Routing-Table)
Not advertised to any peer
64512
192.168.2.5 from 192.168.2.5 (192.168.122.98)
Origin IGP metric 0, localpref 100, valid, external, best
Community: 64511:5
Last update: Fri May 1 00:33:26 2020

b. Secondary neighbor router:


FGT-NBR2 # get router info bgp network 192.168.20.0
VRF 0 BGP routing table entry for 192.168.20.0/24
Paths: (1 available, best #1, table Default-IP-Routing-Table)
Not advertised to any peer
Original VRF 0
64512
172.31.0.2 from 172.31.0.2 (192.168.122.98)
Origin IGP metric 0, localpref 100, valid, external, best
Community: 64522:1
Last update: Fri May 1 00:22:42 2020

Using multiple members per SD-WAN neighbor configuration

SD-WAN BGP neighbor configurations define the SLA health check that an SD-WAN member must meet to qualify as
being up. When the SD-WAN member meets the SLA threshold, the FortiGate applies the route map defined in the BGP
neighbor's route-map-out-preferable option. If the SD-WAN member fails to meet the SLA, the FortiGate applies the
route map defined in the BGP neighbor's route-map-out option instead. This allows the FortiGate to advertise the
health of the SD-WAN member to its BGP neighbor by advertising different community strings based on its SLA status.

For more information, refer to the following BGP examples: Controlling traffic with BGP route
mapping and service rules on page 648 and Applying BGP route-map to multiple BGP
neighbors on page 655.

Selecting multiple SD-WAN members allows the SD-WAN neighbor feature to support topologies where there are
multiple SD-WAN overlays and/or underlays to a neighbor. The minimum-sla-meet-members option is used to
configure the minimum number of members that must be in an SLA per neighbor for the preferable route map to be used.
config system sdwan
config neighbor
edit <ip>
set member {<seq-num_1>} [<seq-num_2>] ... [<seq-num_n>]
set minimum-sla-meet-members <integer>
next
end
end

member {<seq-num_1>} [<seq-num_2>] ... [<seq-num_n>]
    Enter the member sequence number list. Multiple members can be defined.

minimum-sla-meet-members <integer>
    Set the minimum number of members that meet SLA when the neighbor is preferred (1 - 255, default = 1).
    • If the number of in-SLA members is less than the minimum-sla-meet-members value, the default route map will be used.
    • If the number of in-SLA members is equal to or larger than the minimum-sla-meet-members value, the preferable route map will be used.
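The route map decision described above (and the primary/secondary/standalone neighbor selection described under Controlling traffic with BGP route mapping and service rules), as an added Python example that is not FortiOS code: it parses constructed diagnose sys sdwan health-check output, counts the in-SLA members of each SD-WAN neighbor, and reports which of the BGP neighbor's two route maps would be in effect. The sla_map bit layout (bit n-1 set when SLA id n is met) and the sample values are assumptions.

```python
import re
from dataclasses import dataclass

# Constructed sample, modelled on the "diagnose sys sdwan health-check" output
# shown in this section; the values are illustrative, not a captured session.
HEALTH_CHECK_OUTPUT = """\
Health Check(HUB):
Seq(1 H1_T11): state(alive), packet-loss(0.000%) latency(120.207), jitter(0.018), mos(4.338), sla_map=0x0
Seq(4 H1_T22): state(alive), packet-loss(0.000%) latency(0.182), jitter(0.008), mos(4.404), sla_map=0x1
Seq(6 H2_T11): state(dead), packet-loss(100.000%) sla_map=0x0
Seq(9 H2_T22): state(alive), packet-loss(0.000%) latency(130.500), jitter(0.009), mos(4.404), sla_map=0x0
"""

SEQ_RE = re.compile(
    r"Seq\((?P<seq>\d+) (?P<iface>\S+)\): state\((?P<state>\w+)\).*sla_map=0x(?P<sla>[0-9a-fA-F]+)"
)


@dataclass(frozen=True)
class MemberStatus:
    seq: int
    interface: str
    alive: bool
    sla_map: int  # assumption: bit (sla_id - 1) is set when SLA <sla_id> is met

    def meets_sla(self, sla_id: int) -> bool:
        return self.alive and bool(self.sla_map & (1 << (sla_id - 1)))


@dataclass(frozen=True)
class SdwanNeighbor:
    """Mirrors the fields under 'config system sdwan / config neighbor'."""
    ip: str
    members: tuple[int, ...]           # set member <seq-num_1> [<seq-num_2>] ...
    sla_id: int = 1                    # set sla-id
    minimum_sla_meet_members: int = 1  # set minimum-sla-meet-members (default 1)
    role: str = "standalone"           # set role {primary | secondary | standalone}


def parse_health_check(text: str) -> dict[int, MemberStatus]:
    """Return {seq-num: MemberStatus} parsed from health-check output."""
    members: dict[int, MemberStatus] = {}
    for line in text.splitlines():
        m = SEQ_RE.search(line)
        if m:
            seq = int(m.group("seq"))
            members[seq] = MemberStatus(
                seq, m.group("iface"), m.group("state") == "alive", int(m.group("sla"), 16)
            )
    return members


def in_sla_member_count(neighbor: SdwanNeighbor, status: dict[int, MemberStatus]) -> int:
    """Number of the neighbor's members currently meeting its SLA."""
    return sum(
        1 for seq in neighbor.members
        if seq in status and status[seq].meets_sla(neighbor.sla_id)
    )


def neighbor_in_sla(neighbor: SdwanNeighbor, status: dict[int, MemberStatus]) -> bool:
    """The preferable route map applies once at least minimum-sla-meet-members
    of the neighbor's members are in SLA; otherwise the default route map applies."""
    return in_sla_member_count(neighbor, status) >= neighbor.minimum_sla_meet_members


def effective_route_map(neighbor: SdwanNeighbor, status: dict[int, MemberStatus],
                        route_map_out: str, route_map_out_preferable: str) -> str:
    """Name of the route map the FortiGate would apply to this BGP neighbor now."""
    return route_map_out_preferable if neighbor_in_sla(neighbor, status) else route_map_out


def select_neighbor_status(neighbors, status: dict[int, MemberStatus]) -> str:
    """Role-bound selection: primary while in SLA, else secondary if in SLA,
    else standalone (only standalone-action service rules keep passing traffic)."""
    for role in ("primary", "secondary"):
        if any(n.role == role and neighbor_in_sla(n, status) for n in neighbors):
            return role
    return "standalone"


if __name__ == "__main__":
    status = parse_health_check(HEALTH_CHECK_OUTPUT)
    hub1 = SdwanNeighbor("172.31.0.1", members=(1, 4))   # one tunnel out of SLA
    hub2 = SdwanNeighbor("172.31.0.2", members=(6, 9))   # both tunnels out of SLA
    for nbr in (hub1, hub2):
        print(nbr.ip, in_sla_member_count(nbr, status),
              effective_route_map(nbr, status, "out_sla", "in_sla"))
```

Raising minimum-sla-meet-members to 2 on the Hub_1 neighbor makes the same output fall back to the default route map, which is the knob to turn when one healthy overlay should not be enough to keep attracting inbound traffic.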


Example

In the following example, the spoke FortiGate has four tunnels: two tunnels to Hub_1 and two tunnels to Hub_2. The
spoke has two BGP neighbors: one to Hub_1 and one to Hub_2. BGP neighbors are established on loopback IPs.
The SD-WAN neighbor plus route-map-out-preferable configuration is deployed on the spoke to achieve the
following:
• If any tunnel to Hub_1 or Hub_2 is in SLA, the preferable route map will be applied on the BGP neighbor to Hub_1 or
Hub_2.
• If both tunnels to Hub_1 or Hub_2 are out of SLA, the default route map will be applied on the BGP neighbor to
Hub_1 or Hub_2.
The preferable route map and default route map are used to set different custom BGP communities as the spoke
advertises its LAN routes to the hub. Each hub can translate communities into different BGP MED or AS prepends and
signal them to the external peers to manipulate inbound traffic, thereby routing traffic to the spoke only when the SLAs
are met on at least one of two VPN overlays. In this example, community string 10:1 signals to the neighbor that SLAs
are met, and 10:2 signals that SLAs are not met.

To configure the BGP route maps and neighbors:

1. Configure an access list of prefixes to be matched:


config router access-list
edit "net10"
config rule
edit 1
set prefix 10.0.3.0 255.255.255.0
next
end
next
end

2. Configure route maps for neighbors in SLA (preferable) and out of SLA (default):
config router route-map
edit "in_sla"
config rule
edit 1
set match-ip-address "net10"
set set-community "10:1"
next
end
next
edit "out_sla"
config rule
edit 1
set match-ip-address "net10"
set set-community "10:2"
next
end
next
end

3. Configure the BGP neighbors:


config router bgp
set router-id 172.31.0.65
config neighbor
edit "172.31.0.1"
set route-map-out "out_sla"
set route-map-out-preferable "in_sla"
set update-source "Loopback0"
next
edit "172.31.0.2"
set route-map-out "out_sla"
set route-map-out-preferable "in_sla"
set update-source "Loopback0"
next
end
config network
edit 1
set prefix 10.0.3.0 255.255.255.0
next
end
end

To configure SD-WAN:

1. Configure the SD-WAN members:


config system sdwan
set status enable
config members
edit 1
set interface "H1_T11"
set source 172.31.0.65
next
edit 4
set interface "H1_T22"
set source 172.31.0.65
next
edit 6
set interface "H2_T11"
set source 172.31.0.65
next
edit 9
set interface "H2_T22"
set source 172.31.0.65
next
end
end

2. Configure the health check that must be met:


config system sdwan
config health-check
edit "HUB"
set server "172.31.100.100"
set members 0
config sla
edit 1
set link-cost-factor latency
set latency-threshold 100
next
end
next
end
end

3. Configure the SD-WAN neighbors:


config system sdwan
config neighbor
edit "172.31.0.1"
set member 1 4
set health-check "HUB"
set sla-id 1
set minimum-sla-meet-members 1
next
edit "172.31.0.2"
set member 6 9
set health-check "HUB"
set sla-id 1
set minimum-sla-meet-members 1
next
end
end

To verify that when two members to Hub_1/Hub_2 are in SLA, the preferable route map is applied on
BGP neighbors to Hub_1/Hub_2:

Branch1_A_FGT (root) # diagnose sys sdwan health-check
Health Check(HUB):
Seq(1 H1_T11): state(alive), packet-loss(0.000%) latency(0.209), jitter(0.017), mos(4.404), bandwidth-up(999999), bandwidth-dw(999999), bandwidth-bi(1999998) sla_map=0x1
Seq(4 H1_T22): state(alive), packet-loss(0.000%) latency(0.171), jitter(0.004), mos(4.404), bandwidth-up(999999), bandwidth-dw(999998), bandwidth-bi(1999997) sla_map=0x1
Seq(6 H2_T11): state(alive), packet-loss(0.000%) latency(0.175), jitter(0.014), mos(4.404), bandwidth-up(999999), bandwidth-dw(999999), bandwidth-bi(1999998) sla_map=0x1
Seq(9 H2_T22): state(alive), packet-loss(0.000%) latency(0.176), jitter(0.019), mos(4.404), bandwidth-up(999999), bandwidth-dw(999998), bandwidth-bi(1999997) sla_map=0x1

# diagnose sys sdwan neighbor
Neighbor(172.31.0.1): member(1 4 )role(standalone)
Health-check(HUB:1) sla-pass selected alive
Neighbor(172.31.0.2): member(6 9 )role(standalone)
Health-check(HUB:1) sla-pass selected alive

On Hub_1 and Hub_2, the expected communities have been attached to the spoke's LAN route:
Hub_1_FGT (root) # get router info bgp network 10.0.3.0/24
VRF 0 BGP routing table entry for 10.0.3.0/24
Paths: (1 available, best #1, table Default-IP-Routing-Table)
Not advertised to any peer
Original VRF 0
Local, (Received from a RR-client)
172.31.0.65 from 172.31.0.65 (172.31.0.65)
Origin IGP metric 0, localpref 100, valid, internal, best
Community: 10:1
Last update: Wed Dec 29 22:38:29 2021

Hub_2_FGT (root) # get router info bgp network 10.0.3.0/24
VRF 0 BGP routing table entry for 10.0.3.0/24
Paths: (1 available, best #1, table Default-IP-Routing-Table)
Not advertised to any peer
Original VRF 0
Local, (Received from a RR-client)
172.31.0.65 from 172.31.0.65 (172.31.0.65)
Origin IGP metric 0, localpref 100, valid, internal, best
Community: 10:1
Last update: Wed Dec 29 22:43:10 2021

If one member for each neighbor falls out of SLA, the preferable route map is still applied, because each neighbor still has one member in SLA and minimum-sla-meet-members is 1:
Branch1_A_FGT (root) # diagnose sys sdwan health-check
Health Check(HUB):
Seq(1 H1_T11): state(alive), packet-loss(0.000%) latency(120.207), jitter(0.018), mos
(4.338), bandwidth-up(999999), bandwidth-dw(999997), bandwidth-bi(1999996) sla_map=0x0
Seq(4 H1_T22): state(alive), packet-loss(0.000%) latency(0.182), jitter(0.008), mos(4.404),
bandwidth-up(999999), bandwidth-dw(999998), bandwidth-bi(1999997) sla_map=0x1
Seq(6 H2_T11): state(alive), packet-loss(0.000%) latency(120.102), jitter(0.009), mos
(4.404), bandwidth-up(999999), bandwidth-dw(999998), bandwidth-bi(1999997) sla_map=0x0
Seq(9 H2_T22): state(alive), packet-loss(0.000%) latency(0.176), jitter(0.009), mos(4.404),
bandwidth-up(999999), bandwidth-dw(999997), bandwidth-bi(1999996) sla_map=0x1

# diagnose sys sdwan neighbor
Neighbor(172.31.0.1): member(1 4 )role(standalone)
Health-check(HUB:1) sla-pass selected alive
Neighbor(172.31.0.2): member(6 9 )role(standalone)
Health-check(HUB:1) sla-pass selected alive

Hub_1_FGT (root) # get router info bgp network 10.0.3.0/24
VRF 0 BGP routing table entry for 10.0.3.0/24
Paths: (1 available, best #1, table Default-IP-Routing-Table)
Not advertised to any peer
Original VRF 0
Local, (Received from a RR-client)
172.31.0.65 from 172.31.0.65 (172.31.0.65)
Origin IGP metric 0, localpref 100, valid, internal, best
Community: 10:1
Last update: Thu Dec 30 10:44:47 2021

Hub_2_FGT (root) # get router info bgp network 10.0.3.0/24
VRF 0 BGP routing table entry for 10.0.3.0/24
Paths: (1 available, best #1, table Default-IP-Routing-Table)
Not advertised to any peer
Original VRF 0
Local, (Received from a RR-client)
172.31.0.65 from 172.31.0.65 (172.31.0.65)
Origin IGP metric 0, localpref 100, valid, internal, best
Community: 10:1
Last update: Wed Dec 29 22:43:10 2021

If both members for Hub_1 fall out of SLA, the default route map is applied to that neighbor:
Branch1_A_FGT (root) # diagnose sys sdwan health-check
Health Check(HUB):
Seq(1 H1_T11): state(alive), packet-loss(0.000%) latency(120.194), jitter(0.018), mos
(4.338), bandwidth-up(999999), bandwidth-dw(999997), bandwidth-bi(1999996) sla_map=0x0
Seq(4 H1_T22): state(alive), packet-loss(0.000%) latency(120.167), jitter(0.006), mos
(4.338), bandwidth-up(999999), bandwidth-dw(999998), bandwidth-bi(1999997) sla_map=0x0
Seq(6 H2_T11): state(alive), packet-loss(0.000%) latency(120.180), jitter(0.012), mos
(4.338), bandwidth-up(999999), bandwidth-dw(999998), bandwidth-bi(1999997) sla_map=0x0
Seq(9 H2_T22): state(alive), packet-loss(0.000%) latency(0.170), jitter(0.005), mos(4.404),
bandwidth-up(999999), bandwidth-dw(999997), bandwidth-bi(1999996) sla_map=0x1

# diagnose sys sdwan neighbor
Neighbor(172.31.0.1): member(1 4 )role(standalone)
Health-check(HUB:1) sla-fail alive
Neighbor(172.31.0.2): member(6 9 )role(standalone)
Health-check(HUB:1) sla-pass selected alive

Hub_1_FGT (root) # get router info bgp network 10.0.3.0/24
VRF 0 BGP routing table entry for 10.0.3.0/24
Paths: (1 available, best #1, table Default-IP-Routing-Table)
Not advertised to any peer
Original VRF 0
Local, (Received from a RR-client)
172.31.0.65 from 172.31.0.65 (172.31.0.65)
Origin IGP metric 0, localpref 100, valid, internal, best
Community: 10:2
Last update: Thu Dec 30 10:57:33 2021

Hub_2_FGT (root) # get router info bgp network 10.0.3.0/24
VRF 0 BGP routing table entry for 10.0.3.0/24
Paths: (1 available, best #1, table Default-IP-Routing-Table)
Not advertised to any peer
Original VRF 0
Local, (Received from a RR-client)
172.31.0.65 from 172.31.0.65 (172.31.0.65)
Origin IGP metric 0, localpref 100, valid, internal, best
Community: 10:1
Last update: Wed Dec 29 22:43:10 2021
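As an added example (not Fortinet's code), the following Python parses `diagnose sys sdwan health-check` output and applies the SD-WAN neighbor settings configured above (member list, sla-id, minimum-sla-meet-members) to predict which route map each BGP neighbor gets. The sample output is the third scenario above with each Seq entry on one line as the CLI prints it; sla_map is treated as a bitmask over the health check's SLA ids, and all function and variable names are the example's own.

```python
import re

# Neighbor settings taken from this page's "config system sdwan / config neighbor"
# block: member sequence numbers, health check, SLA id and minimum-sla-meet-members.
NEIGHBORS = {
    "172.31.0.1": {"members": [1, 4], "health_check": "HUB", "sla_id": 1, "min_meet": 1},
    "172.31.0.2": {"members": [6, 9], "health_check": "HUB", "sla_id": 1, "min_meet": 1},
}

# Route map names from the page's BGP neighbor configuration.
PREFERABLE_ROUTE_MAP = "in_sla"   # set route-map-out-preferable "in_sla"
DEFAULT_ROUTE_MAP = "out_sla"     # set route-map-out "out_sla"

# Constructed sample input: the page's third scenario (both members to Hub_1 out
# of SLA), one Seq entry per line.
SAMPLE_OUTPUT = """\
Health Check(HUB):
Seq(1 H1_T11): state(alive), packet-loss(0.000%) latency(120.194), jitter(0.018), mos(4.338), bandwidth-up(999999), bandwidth-dw(999997), bandwidth-bi(1999996) sla_map=0x0
Seq(4 H1_T22): state(alive), packet-loss(0.000%) latency(120.167), jitter(0.006), mos(4.338), bandwidth-up(999999), bandwidth-dw(999998), bandwidth-bi(1999997) sla_map=0x0
Seq(6 H2_T11): state(alive), packet-loss(0.000%) latency(120.180), jitter(0.012), mos(4.338), bandwidth-up(999999), bandwidth-dw(999998), bandwidth-bi(1999997) sla_map=0x0
Seq(9 H2_T22): state(alive), packet-loss(0.000%) latency(0.170), jitter(0.005), mos(4.404), bandwidth-up(999999), bandwidth-dw(999997), bandwidth-bi(1999996) sla_map=0x1
"""

HC_RE = re.compile(r"^Health Check\((?P<name>[^)]+)\):")
SEQ_RE = re.compile(
    r"^Seq\((?P<seq>\d+) (?P<intf>\S+)\): state\((?P<state>\w+)\).*?"
    r"packet-loss\((?P<loss>[\d.]+)%\).*?latency\((?P<lat>[\d.]+)\).*?"
    r"sla_map=0x(?P<map>[0-9a-fA-F]+)"
)


def parse_health_check(text):
    """Parse health-check output into {health_check_name: {member_seq: {...}}}."""
    checks, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = HC_RE.match(line)
        if m:
            current = checks.setdefault(m.group("name"), {})
            continue
        m = SEQ_RE.match(line)
        if m and current is not None:
            current[int(m.group("seq"))] = {
                "interface": m.group("intf"),
                "alive": m.group("state") == "alive",
                "packet_loss_pct": float(m.group("loss")),
                "latency_ms": float(m.group("lat")),
                "sla_map": int(m.group("map"), 16),
            }
    return checks


def meets_sla(member, sla_id):
    """Bit (sla_id - 1) of sla_map is set when that SLA target is met, so 0x1 means
    SLA 1 is met and 0x0 means it is not (assumption of this example)."""
    return member["alive"] and bool(member["sla_map"] & (1 << (sla_id - 1)))


def route_map_decisions(checks, neighbors):
    """For each SD-WAN neighbor, count the members that meet its SLA and compare
    against minimum-sla-meet-members: enough passing members means sla-pass and
    the preferable route map; otherwise the default route map applies."""
    decisions = {}
    for ip, nb in neighbors.items():
        members = checks.get(nb["health_check"], {})
        passing = [seq for seq in nb["members"]
                   if seq in members and meets_sla(members[seq], nb["sla_id"])]
        sla_pass = len(passing) >= nb["min_meet"]
        decisions[ip] = {
            "passing": passing,
            "sla_pass": sla_pass,
            "route_map": PREFERABLE_ROUTE_MAP if sla_pass else DEFAULT_ROUTE_MAP,
        }
    return decisions


if __name__ == "__main__":
    for ip, d in route_map_decisions(parse_health_check(SAMPLE_OUTPUT), NEIGHBORS).items():
        status = "sla-pass" if d["sla_pass"] else "sla-fail"
        print(f"Neighbor({ip}): {status} members-in-sla={d['passing']} -> {d['route_map']}")
```

Raising min_meet to 2 for a neighbor shows the threshold effect: with only one of its two members in SLA, that neighbor would drop back to the default route map.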

VPN overlay

The following topics provide instructions on SD-WAN VPN overlays:

• ADVPN and shortcut paths on page 667
• SD-WAN monitor on ADVPN shortcuts on page 680
• Hold down time to support SD-WAN service strategies on page 681
• SD-WAN integration with OCVPN on page 683
• Adaptive Forward Error Correction on page 690
• Dual VPN tunnel wizard on page 694
• Duplicate packets on other zone members on page 695
• Duplicate packets based on SD-WAN rules on page 698
• Speed tests run from the hub to the spokes in dial-up IPsec tunnels on page 699
• Interface based QoS on individual child tunnels based on speed test results on page 706
• Use SSL VPN interfaces in zones on page 709
• SD-WAN in large scale deployments on page 713

ADVPN and shortcut paths

This topic provides an example of how to use SD-WAN and ADVPN together.
ADVPN (Auto Discovery VPN) is an IPsec technology that allows a traditional hub-and-spoke VPN’s spokes to establish
dynamic, on-demand, direct tunnels between each other to avoid routing through the topology's hub device. The primary
advantage is that it provides full meshing capabilities to a standard hub-and-spoke topology. This greatly reduces the
provisioning effort for full spoke-to-spoke low delay reachability, and addresses the scalability issues associated with
very large fully meshed VPN networks.
If a customer's head office and branch offices all have two or more internet connections, they can build a dual-hub
ADVPN network. Combined with SD-WAN, the customer can load-balance traffic to other offices across multiple dynamic
tunnels, steer specific traffic over specific connections, or dynamically choose the better-performing connection.

SD-WAN load-balance mode rules (or services) do not support ADVPN members. Other
modes' rules, such as SLA and priority, support ADVPN members.

This topic covers three parts:


1. Configure dual-hub ADVPN with multiple branches.
2. Configure BGP to exchange routing information among hubs and spokes.
3. Configure SD-WAN on the spoke to load-balance and control traffic.

Configuration example

A typical ADVPN configuration with SD-WAN usually has two hubs, and each spoke connects to two ISPs and
establishes VPN tunnels with both hubs.
This example shows a hub-and-spoke configuration using two hubs and one spoke:
• Hub1 and Hub2 both use wan1 to connect to the ISPs and port10 to connect to the internal network.
• Spoke1 uses wan1 to connect to ISP1 and wan2 to connect to ISP2.
• wan1 sets up a VPN to hub1.
• wan2 sets up a VPN to hub2.
SD-WAN is configured on the spoke. It uses the two VPN interfaces as members and two rules to control traffic to
headquarters or other spokes over the ADVPN VPN interfaces. You can create more rules if required.
For this example:
• Use SD-WAN member 1 (via ISP1) and its dynamic shortcuts for financial department traffic if member 1 meets the SLA
requirements. If it does not meet the SLA requirements, use SD-WAN member 2 (via ISP2).
• Use SD-WAN member 2 (via ISP2) and its dynamic shortcuts for engineering department traffic.
• Load balance other traffic going to the hubs and other spokes between these two members.
• Send all other traffic over its original ISP connection; it does not go through SD-WAN.
• Set up the basic network configuration so that all hubs and spokes can reach their ISPs and the Internet.

Hub internal network            172.16.101.0/24
Spoke1 internal network         10.1.100.0/24
ADVPN 1 network                 10.10.100.0/24
ADVPN 2 network                 10.10.200.0/24
Hub1 wan1 IP                    11.1.1.11
Hub2 wan1 IP                    11.1.2.11
Hub1 VPN IP                     10.10.100.254
Hub2 VPN IP                     10.10.200.254
Spoke1 to hub1 VPN IP           10.10.100.2
Spoke1 to hub2 VPN IP           10.10.200.2
Ping server in Headquarters     11.11.11.11
Internal subnet of spoke1       22.1.1.0/24
Internal subnet of spoke2       33.1.1.0/24
Firewall addresses              Configure hub_subnets and spoke_subnets before using them in policies. These can be customized.

The GUI does not support some ADVPN related options, such as auto-discovery-sender, auto-discovery-receiver,
auto-discovery-forwarder, and the IBGP neighbor-group setting, so this example only provides CLI configuration commands.

Hub1 sample configuration

To configure the IPsec phase1 and phase2 interface:

config vpn ipsec phase1-interface
edit "hub-phase1"
set type dynamic
set interface "wan1"
set peertype any
set net-device disable
set proposal aes128-sha256 aes256-sha256 3des-sha256 aes128-sha1 aes256-sha1 3des-sha1
set add-route disable
set dpd on-idle
set auto-discovery-sender enable
set psksecret sample
set dpd-retryinterval 5
next
end
config vpn ipsec phase2-interface
edit "hub-phase2"
set phase1name "hub-phase1"
set proposal aes128-sha1 aes256-sha1 3des-sha1 aes128-sha256 aes256-sha256 3des-sha256
next
end

When net-device is disabled, a tunnel ID is generated for each dynamic tunnel. This ID, in
the form of an IP address, is used as the gateway in the route entry to that tunnel. The
tunnel-search option is removed in FortiOS 7.0.0 and later.

To configure the VPN interface and BGP:

config system interface
edit "hub-phase1"
set ip 10.10.100.254 255.255.255.255
set remote-ip 10.10.100.253 255.255.255.0
next
end
config router bgp
set as 65505
config neighbor-group
edit "advpn"
set link-down-failover enable
set remote-as 65505
set route-reflector-client enable
next
end
config neighbor-range
edit 1
set prefix 10.10.100.0 255.255.255.0
set neighbor-group "advpn"
next
end
config network
edit 1
set prefix 172.16.101.0 255.255.255.0
next
edit 2
set prefix 11.11.11.0 255.255.255.0
next
end
end

To configure the firewall policy:

config firewall policy
edit 1
set name "spoke2hub"
set srcintf "hub-phase1"
set dstintf "port10"
set srcaddr "spoke_subnets"
set dstaddr "hub_subnets"
set action accept
set schedule "always"
set service "ALL"
set comments "allow traffic from spokes to headquarter"
next
edit 2
set name "spoke2spoke"
set srcintf "hub-phase1"
set dstintf "hub-phase1"
set srcaddr "spoke_subnets"
set dstaddr "spoke_subnets"
set action accept
set schedule "always"
set service "ALL"
set comments "allow traffic from spokes to spokes"
next
edit 3
set name "internal2spoke"
set srcintf "port10"
set dstintf "hub-phase1"
set srcaddr "hub_subnets"
set dstaddr "spoke_subnets"
set action accept
set schedule "always"
set service "ALL"
set comments "allow traffic from headquarter to spokes"
next
end

Hub2 sample configuration

The Hub2 configuration is the same as hub1 except for the wan1 IP address, VPN interface IP address, and BGP
neighbor-range prefix.

To configure the IPsec phase1 and phase2 interface:

config vpn ipsec phase1-interface
edit "hub-phase1"
set type dynamic
set interface "wan1"
set peertype any
set net-device disable
set proposal aes128-sha256 aes256-sha256 3des-sha256 aes128-sha1 aes256-sha1 3des-sha1
set add-route disable
set dpd on-idle
set auto-discovery-sender enable
set psksecret sample
set dpd-retryinterval 5
next
end
config vpn ipsec phase2-interface
edit "hub-phase2"
set phase1name "hub-phase1"
set proposal aes128-sha1 aes256-sha1 3des-sha1 aes128-sha256 aes256-sha256 3des-sha256
next
end

To configure the VPN interface and BGP:

config system interface
edit "hub-phase1"
set ip 10.10.200.254 255.255.255.255
set remote-ip 10.10.200.253 255.255.255.0
next
end
config router bgp
set as 65505
config neighbor-group
edit "advpn"
set link-down-failover enable
set remote-as 65505
set route-reflector-client enable
next
end
config neighbor-range
edit 1
set prefix 10.10.200.0 255.255.255.0
set neighbor-group "advpn"
next
end
config network
edit 1
set prefix 172.16.101.0 255.255.255.0
next
edit 2
set prefix 11.11.11.0 255.255.255.0
next
end
end

To configure the firewall policy:

config firewall policy
edit 1
set name "spoke2hub"
set srcintf "hub-phase1"
set dstintf "port10"
set srcaddr "spoke_subnets"
set dstaddr "hub_subnets"
set action accept
set schedule "always"
set service "ALL"
set comments "allow traffic from spokes to headquarter"
next
edit 2
set name "spoke2spoke"
set srcintf "hub-phase1"
set dstintf "hub-phase1"
set srcaddr "spoke_subnets"
set dstaddr "spoke_subnets"
set action accept
set schedule "always"
set service "ALL"
set comments "allow traffic from spokes to spokes"
next
edit 3
set name "internal2spoke"
set srcintf "port10"
set dstintf "hub-phase1"
set srcaddr "hub_subnets"
set dstaddr "spoke_subnets"
set action accept
set schedule "always"
set service "ALL"
set comments "allow traffic from headquarter to spokes"
next
end

Spoke1 sample configuration

To configure the IPsec phase1 and phase2 interface:

config vpn ipsec phase1-interface
edit "spoke1-phase1"
set interface "wan1"
set peertype any
set net-device enable
set proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1
set add-route disable
set dpd on-idle
set auto-discovery-receiver enable
set remote-gw 11.1.1.11
set psksecret sample
set dpd-retryinterval 5
next
edit "spoke1-2-phase1"
set interface "wan2"
set peertype any
set net-device enable
set proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1
set add-route disable
set dpd on-idle
set auto-discovery-receiver enable
set remote-gw 11.1.2.11
set psksecret sample
set dpd-retryinterval 5
next
end
config vpn ipsec phase2-interface
edit "spoke1-phase2"
set phase1name "spoke1-phase1"
set proposal aes128-sha1 aes256-sha1 aes128-sha256 aes256-sha256 aes128gcm aes256gcm chacha20poly1305
set auto-negotiate enable
next
edit "spoke1-2-phase2"
set phase1name "spoke1-2-phase1"
set proposal aes128-sha1 aes256-sha1 aes128-sha256 aes256-sha256 aes128gcm aes256gcm chacha20poly1305
set auto-negotiate enable
next
end

To configure the VPN interface and BGP:

config system interface
edit "spoke1-phase1"
set ip 10.10.100.2 255.255.255.255
set remote-ip 10.10.100.254 255.255.255.0
next
edit "spoke1-2-phase1"
set ip 10.10.200.2 255.255.255.255
set remote-ip 10.10.200.254 255.255.255.0
next
end
config router bgp
set as 65505
config neighbor
edit "10.10.100.254"
set advertisement-interval 1
set link-down-failover enable
set remote-as 65505
next
edit "10.10.200.254"
set advertisement-interval 1
set link-down-failover enable
set remote-as 65505
next
end
config network
edit 1
set prefix 10.1.100.0 255.255.255.0
next
end
end

To configure SD-WAN:

config system sdwan
set status enable
config members
edit 1
set interface "spoke1-phase1"
next
edit 2
set interface "spoke1-2-phase1"
next
end
config health-check
edit "ping"
set server "11.11.11.11"
set members 1 2
config sla
edit 1
set latency-threshold 200
set jitter-threshold 50
set packetloss-threshold 5
next
end
next
end
config service
edit 1
set mode sla
set dst "financial-department"
config sla
edit "ping"
set id 1
next
end
set priority-members 1 2
next
edit 2
set priority-members 2
set dst "engineering-department"
next
end
end

If no SD-WAN zone is specified, members are added to the default virtual-wan-link zone.

To configure the firewall policy:

config firewall policy
edit 1
set name "outbound_advpn"
set srcintf "internal"
set dstintf "virtual-wan-link"
set srcaddr "spoke_subnets"
set dstaddr "spoke_subnets" "hub_subnets"
set action accept
set schedule "always"
set service "ALL"
set comments "allow internal traffic going out to headquarter and other spokes"
next
edit 2
set name "inbound_advpn"
set srcintf "virtual-wan-link"
set dstintf "internal"
set srcaddr "spoke_subnets" "hub_subnets"
set dstaddr "spoke_subnets"
set action accept
set schedule "always"
set service "ALL"
set comments "allow headquarter and other spokes traffic coming in"
next
end
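As an added example (not Fortinet's code), the following Python parses FortiOS CLI snippets into nested dictionaries and cross-checks the hub1 and spoke1 settings from this example before they are deployed: the spoke's remote-gw must be the hub's wan1 IP, the spoke's remote-ip and BGP neighbor must be the hub's tunnel IP, the spoke's tunnel IP must fall inside a hub neighbor-range whose neighbor-group is iBGP with route-reflector-client enabled, and auto-discovery sender/receiver must be enabled on the matching sides. The embedded configuration is reduced to the lines the checks inspect; function names are the example's own.

```python
import ipaddress
import shlex

# Constructed sample input: hub1 and spoke1 settings from this page's example, trimmed.
HUB1_CFG = """
config vpn ipsec phase1-interface
edit "hub-phase1"
set auto-discovery-sender enable
next
end
config system interface
edit "hub-phase1"
set ip 10.10.100.254 255.255.255.255
next
end
config router bgp
set as 65505
config neighbor-group
edit "advpn"
set remote-as 65505
set route-reflector-client enable
next
end
config neighbor-range
edit 1
set prefix 10.10.100.0 255.255.255.0
set neighbor-group "advpn"
next
end
end
"""

SPOKE1_CFG = """
config vpn ipsec phase1-interface
edit "spoke1-phase1"
set auto-discovery-receiver enable
set remote-gw 11.1.1.11
next
end
config system interface
edit "spoke1-phase1"
set ip 10.10.100.2 255.255.255.255
set remote-ip 10.10.100.254 255.255.255.0
next
end
config router bgp
set as 65505
config neighbor
edit "10.10.100.254"
set remote-as 65505
next
end
end
"""


def parse_fortios(text):
    """Nested dicts: 'config'/'edit' open a block, 'set' stores a value or list, 'next'/'end' close it."""
    root = {}
    stack = [root]
    for line in text.splitlines():
        tok = shlex.split(line)
        if not tok:
            continue
        if tok[0] in ("config", "edit"):
            stack.append(stack[-1].setdefault(" ".join(tok[1:]), {}))
        elif tok[0] == "set":
            stack[-1][tok[1]] = tok[2] if len(tok) == 3 else tok[2:]
        elif tok[0] in ("next", "end"):
            stack.pop()
    return root


def check_advpn_pair(hub_text, spoke_text, hub_p1, spoke_p1, hub_wan_ip):
    """Cross-check one hub and one spoke of the ADVPN example; returns a list of
    mismatch descriptions, empty when the pair is consistent."""
    hub, spoke, issues = parse_fortios(hub_text), parse_fortios(spoke_text), []

    def need(ok, msg):
        if not ok:
            issues.append(msg)

    h_p1 = hub["vpn ipsec phase1-interface"][hub_p1]
    s_p1 = spoke["vpn ipsec phase1-interface"][spoke_p1]
    need(h_p1.get("auto-discovery-sender") == "enable", "hub: auto-discovery-sender not enabled")
    need(s_p1.get("auto-discovery-receiver") == "enable", "spoke: auto-discovery-receiver not enabled")
    need(s_p1.get("remote-gw") == hub_wan_ip, f"spoke remote-gw {s_p1.get('remote-gw')} != hub WAN IP {hub_wan_ip}")
    hub_ip = hub["system interface"][hub_p1]["ip"][0]
    s_if = spoke["system interface"][spoke_p1]
    need(s_if["remote-ip"][0] == hub_ip, "spoke remote-ip does not match the hub tunnel IP")
    h_bgp, s_bgp = hub["router bgp"], spoke["router bgp"]
    need(hub_ip in s_bgp.get("neighbor", {}), f"spoke has no BGP neighbor {hub_ip}")
    need(h_bgp["as"] == s_bgp["as"], "hub and spoke AS numbers differ (the example relies on iBGP)")
    spoke_ip = ipaddress.ip_address(s_if["ip"][0])
    matched = [r for r in h_bgp["neighbor-range"].values()
               if spoke_ip in ipaddress.ip_network("/".join(r["prefix"]), strict=False)]
    need(matched, f"spoke tunnel IP {spoke_ip} is outside every hub neighbor-range prefix")
    for r in matched:
        grp = h_bgp["neighbor-group"][r["neighbor-group"]]
        need(grp.get("remote-as") == h_bgp["as"] and grp.get("route-reflector-client") == "enable",
             f"neighbor-group {r['neighbor-group']} must be iBGP with route-reflector-client enabled")
    return issues
```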

Troubleshooting ADVPN and shortcut paths

Before the spoke-to-spoke shortcut VPN is established

Use the following CLI commands to check the status before the spoke-to-spoke shortcut VPN is established.
# get router info bgp summary
BGP router identifier 2.2.2.2, local AS number 65505
BGP table version is 13
3 BGP AS-PATH entries
0 BGP community entries

Neighbor        V    AS  MsgRcvd MsgSent TblVer InQ OutQ Up/Down  State/PfxRcd
10.10.100.254   4 65505     3286    3270     11   0    0 00:02:15            5
10.10.200.254   4 65505     3365    3319     12   0    0 00:02:14            5

Total number of neighbors 2

# get router info routing-table bgp

Routing table for VRF=0
B* 0.0.0.0/0 [200/0] via 10.10.200.254, spoke1-2-phase1, 00:00:58
[200/0] via 10.10.100.254, spoke1-phase1, 00:00:58
B 1.1.1.1/32 [200/0] via 11.1.1.1 (recursive via 12.1.1.1), 00:01:29
[200/0] via 11.1.1.1 (recursive via 12.1.1.1), 00:01:29
B 11.11.11.0/24 [200/0] via 10.10.200.254, spoke1-2-phase1, 00:01:29
[200/0] via 10.10.100.254, spoke1-phase1, 00:01:29
B 33.1.1.0/24 [200/0] via 10.10.200.3, spoke1-2-phase1, 00:00:58
[200/0] via 10.10.100.3, spoke1-phase1, 00:00:58
[200/0] via 10.10.200.3, spoke1-2-phase1, 00:00:58
[200/0] via 10.10.100.3, spoke1-phase1, 00:00:58

# diagnose vpn tunnel list
list all ipsec tunnel in vd 3
------------------------------------------------------
name=spoke1-phase1 ver=1 serial=5 12.1.1.2:0->11.1.1.11:0 tun_id=11.1.1.11 dst_mtu=15324
bound_if=48 lgwy=static/1 tun=intf/0 mode=auto/1 encap=none/536 options[0218]=npu create_dev
frag-rfc accept_traffic=1

proxyid_num=1 child_num=0 refcnt=22 ilast=0 olast=0 ad=r/2
stat: rxp=1 txp=185 rxb=16428 txb=11111
dpd: mode=on-demand on=1 idle=20000ms retry=3 count=0 seqno=4
natt: mode=none draft=0 interval=0 remote_port=0
proxyid=spoke1 proto=0 sa=1 ref=4 serial=1 auto-negotiate adr
src: 0:0.0.0.0/0.0.0.0:0
dst: 0:0.0.0.0/0.0.0.0:0
SA: ref=6 options=1a227 type=00 soft=0 mtu=15262 expire=42820/0B replaywin=2048
seqno=ba esn=0 replaywin_lastseq=00000002 itn=0 qat=0
life: type=01 bytes=0/0 timeout=42903/43200
dec: spi=03e01a2a esp=aes key=16 56e673f0df05186aa657f55cbb631c13
ah=sha1 key=20 b0d50597d9bed763c42469461b03da8041f87e88
enc: spi=2ead61bc esp=aes key=16 fe0ccd4a3ec19fe6d520c437eb6b8897
ah=sha1 key=20 e3e669bd6df41b88eadaacba66463706f26fb53a
dec:pkts/bytes=1/16368, enc:pkts/bytes=185/22360
npu_flag=03 npu_rgwy=11.1.1.11 npu_lgwy=12.1.1.2 npu_selid=0 dec_npuid=1 enc_npuid=1
------------------------------------------------------
name=spoke1-2-phase1 ver=1 serial=6 112.1.1.2:0->11.1.2.11:0 tun_id=11.1.2.11 dst_mtu=15324
bound_if=90 lgwy=static/1 tun=intf/0 mode=auto/1 encap=none/536 options[0218]=npu create_dev
frag-rfc accept_traffic=1

proxyid_num=1 child_num=0 refcnt=21 ilast=0 olast=0 ad=r/2
stat: rxp=1 txp=186 rxb=16498 txb=11163
dpd: mode=on-demand on=1 idle=20000ms retry=3 count=0 seqno=74
natt: mode=none draft=0 interval=0 remote_port=0
proxyid=spoke1-2 proto=0 sa=1 ref=4 serial=1 auto-negotiate adr
src: 0:0.0.0.0/0.0.0.0:0
dst: 0:0.0.0.0/0.0.0.0:0
SA: ref=6 options=1a227 type=00 soft=0 mtu=15262 expire=42818/0B replaywin=2048
seqno=bb esn=0 replaywin_lastseq=00000002 itn=0 qat=0
life: type=01 bytes=0/0 timeout=42901/43200
dec: spi=03e01a2b esp=aes key=16 fe49f5042a5ad236250bf53312db1346
ah=sha1 key=20 5dbb15c8cbc046c284bb1c6425dac2b3e15bec85
enc: spi=2ead61bd esp=aes key=16 d6d97be52c3cccb9e88f28a9db64ac46
ah=sha1 key=20 e20916ae6ea2295c2fbd5cbc8b8f5dd8b17f52f1
dec:pkts/bytes=1/16438, enc:pkts/bytes=186/22480
npu_flag=03 npu_rgwy=11.1.2.11 npu_lgwy=112.1.1.2 npu_selid=1 dec_npuid=1 enc_npuid=1

# diagnose sys sdwan service

Service(1): Address Mode(IPV4) flags=0x0
TOS(0x0/0x0), Protocol(0: 1->65535), Mode(sla)
Member sub interface:
Members:
1: Seq_num(1), alive, sla(0x1), cfg_order(0), cost(0), selected
2: Seq_num(2), alive, sla(0x1), cfg_order(1), cost(0), selected
Dst address: 33.1.1.1-33.1.1.100

Service(2): Address Mode(IPV4) flags=0x0
TOS(0x0/0x0), Protocol(0: 1->65535), Mode(manual)
Member sub interface:
Members:
1: Seq_num(2), alive, selected
Dst address: 33.1.1.101-33.1.1.200

# diagnose firewall proute list

list route policy info(vf=vd2):

id=2132869121 vwl_service=1 vwl_mbr_seq=1 dscp_tag=0xff 0xff flags=0x0 tos=0x00 tos_mask=0x00 protocol=0 sport=0:65535 iif=0 dport=1-65535 oif=70 oif=71
destination(1): 33.1.1.1-33.1.1.100
source wildcard(1): 0.0.0.0/0.0.0.0

id=2132869122 vwl_service=2 vwl_mbr_seq=2 dscp_tag=0xff 0xff flags=0x0 tos=0x00 tos_mask=0x00 protocol=0 sport=0:65535 iif=0 dport=1-65535 oif=71
destination(1): 33.1.1.101-33.1.1.200
source wildcard(1): 0.0.0.0/0.0.0.0

After the spoke-to-spoke shortcut VPN is established

Use the following CLI commands to check the status after the spoke-to-spoke shortcut VPN is established.
# get router info routing-table bgp

Routing table for VRF=0
B* 0.0.0.0/0 [200/0] via 10.10.200.254, spoke1-2-phase1, 00:01:33
[200/0] via 10.10.100.254, spoke1-phase1, 00:01:33
B 1.1.1.1/32 [200/0] via 11.1.1.1 (recursive via 12.1.1.1), 00:02:04
[200/0] via 11.1.1.1 (recursive via 12.1.1.1), 00:02:04
B 11.11.11.0/24 [200/0] via 10.10.200.254, spoke1-2-phase1, 00:02:04
[200/0] via 10.10.100.254, spoke1-phase1, 00:02:04
B 33.1.1.0/24 [200/0] via 10.10.200.3, spoke1-2-phase1_0, 00:01:33
[200/0] via 10.10.100.3, spoke1-phase1_0, 00:01:33
[200/0] via 10.10.200.3, spoke1-2-phase1_0, 00:01:33
[200/0] via 10.10.100.3, spoke1-phase1_0, 00:01:33

# diagnose sys sdwan service

Service(1): Address Mode(IPV4) flags=0x0
TOS(0x0/0x0), Protocol(0: 1->65535), Mode(sla)
Member sub interface:
1: seq_num(1), interface(spoke1-phase1):
1: spoke1-phase1_0(111)
2: seq_num(2), interface(spoke1-2-phase1):
1: spoke1-2-phase1_0(113)
Members:
1: Seq_num(1), alive, sla(0x1), cfg_order(0), cost(0), selected
2: Seq_num(2), alive, sla(0x1), cfg_order(1), cost(0), selected
Dst address: 33.1.1.1-33.1.1.100

Service(2): Address Mode(IPV4) flags=0x0
TOS(0x0/0x0), Protocol(0: 1->65535), Mode(manual)
Member sub interface:
1: seq_num(2), interface(spoke1-2-phase1):
1: spoke1-2-phase1_0(113)
Members:
1: Seq_num(2), alive, selected
Dst address: 33.1.1.101-33.1.1.200

# diagnose vpn tunnel list
list all ipsec tunnel in vd 3
------------------------------------------------------
name=spoke1-phase1 ver=1 serial=5 12.1.1.2:0->11.1.1.11:0 tun_id=11.1.1.11 dst_mtu=15324
bound_if=48 lgwy=static/1 tun=intf/0 mode=auto/1 encap=none/536 options[0218]=npu create_dev
frag-rfc accept_traffic=1

proxyid_num=1 child_num=1 refcnt=20 ilast=0 olast=0 ad=r/2
stat: rxp=1 txp=759 rxb=16428 txb=48627
dpd: mode=on-demand on=1 idle=20000ms retry=3 count=0 seqno=4
natt: mode=none draft=0 interval=0 remote_port=0
proxyid=vd2-1 proto=0 sa=1 ref=5 serial=1 auto-negotiate adr
src: 0:0.0.0.0/0.0.0.0:0
dst: 0:0.0.0.0/0.0.0.0:0
SA: ref=6 options=1a227 type=00 soft=0 mtu=15262 expire=42536/0B replaywin=2048
seqno=2f8 esn=0 replaywin_lastseq=00000002 itn=0 qat=0
life: type=01 bytes=0/0 timeout=42898/43200
dec: spi=03e01a42 esp=aes key=16 1f131bda108d33909d49fc2778bd08bb
ah=sha1 key=20 14131d3f0da9b741a2fd13d530b0553aa1f58983
enc: spi=2ead61d8 esp=aes key=16 81ed24d5cd7bb59f4a80dceb5a560e1f
ah=sha1 key=20 d2ccc2f3223ce16514e75f672cd88c4b4f48b681
dec:pkts/bytes=1/16360, enc:pkts/bytes=759/94434
npu_flag=03 npu_rgwy=11.1.1.11 npu_lgwy=12.1.1.2 npu_selid=0 dec_npuid=1 enc_npuid=1

------------------------------------------------------
name=spoke1-2-phase1 ver=1 serial=6 112.1.1.2:0->11.1.2.11:0 tun_id=11.1.2.11 dst_mtu=15324
bound_if=90 lgwy=static/1 tun=intf/0 mode=auto/1 encap=none/536 options[0218]=npu create_dev
frag-rfc accept_traffic=1

proxyid_num=1 child_num=1 refcnt=19 ilast=0 olast=0 ad=r/2
stat: rxp=1 txp=756 rxb=16450 txb=48460
dpd: mode=on-demand on=1 idle=20000ms retry=3 count=0 seqno=74
natt: mode=none draft=0 interval=0 remote_port=0
proxyid=vd2-2 proto=0 sa=1 ref=5 serial=1 auto-negotiate adr
src: 0:0.0.0.0/0.0.0.0:0
dst: 0:0.0.0.0/0.0.0.0:0
SA: ref=6 options=1a227 type=00 soft=0 mtu=15262 expire=42538/0B replaywin=2048
seqno=2f5 esn=0 replaywin_lastseq=00000002 itn=0 qat=0
life: type=01 bytes=0/0 timeout=42900/43200
dec: spi=03e01a43 esp=aes key=16 7fc87561369f88b56d08bfda769eb45b
ah=sha1 key=20 0ed554ef231c5ac16dc2e71d1907d7347dda33d6
enc: spi=2ead61d9 esp=aes key=16 00286687aa1762e7d8216881d6720ef3
ah=sha1 key=20 59d5eec6299ebcf038c190860774e2833074d7c3
dec:pkts/bytes=1/16382, enc:pkts/bytes=756/94058
npu_flag=03 npu_rgwy=11.1.2.11 npu_lgwy=112.1.1.2 npu_selid=1 dec_npuid=1 enc_npuid=1
------------------------------------------------------
name=spoke1-phase1_0 ver=1 serial=55 12.1.1.2:0->13.1.1.3:0 tun_id=13.1.1.3 dst_mtu=15324
bound_if=48 lgwy=static/1 tun=intf/0 mode=dial_inst/3 encap=none/728 options[02d8]=npu
create_dev no-sysctl rgwy-chg frag-rfc accept_traffic=1

parent=vd2-1 index=0
proxyid_num=1 child_num=0 refcnt=18 ilast=8 olast=8 ad=r/2
stat: rxp=0 txp=0 rxb=0 txb=0
dpd: mode=on-demand on=1 idle=20000ms retry=3 count=0 seqno=0
natt: mode=none draft=0 interval=0 remote_port=0
proxyid=vd2-1 proto=0 sa=1 ref=2 serial=1 auto-negotiate adr
src: 0:0.0.0.0/0.0.0.0:0
dst: 0:0.0.0.0/0.0.0.0:0
SA: ref=3 options=1a227 type=00 soft=0 mtu=15262 expire=42893/0B replaywin=2048
seqno=1 esn=0 replaywin_lastseq=00000000 itn=0 qat=0
life: type=01 bytes=0/0 timeout=42901/43200
dec: spi=03e01a44 esp=aes key=16 c3b77a98e3002220e2373b73af14df6e
ah=sha1 key=20 d18d107c248564933874f60999d6082fd7a78948
enc: spi=864f6dba esp=aes key=16 eb6181806ccb9bac37931f9eadd4d5eb
ah=sha1 key=20 ab788f7a372877a5603c4ede1be89a592fc21873
dec:pkts/bytes=0/0, enc:pkts/bytes=0/0
npu_flag=00 npu_rgwy=13.1.1.3 npu_lgwy=12.1.1.2 npu_selid=51 dec_npuid=0 enc_npuid=0
------------------------------------------------------
name=spoke1-2-phase1_0 ver=1 serial=57 112.1.1.2:0->113.1.1.3:0 tun_id=113.1.1.3 dst_mtu=15324
bound_if=90 lgwy=static/1 tun=intf/0 mode=dial_inst/3 encap=none/728 options[02d8]=npu
create_dev no-sysctl rgwy-chg frag-rfc accept_traffic=1

parent=vd2-2 index=0
proxyid_num=1 child_num=0 refcnt=17 ilast=5 olast=5 ad=r/2
stat: rxp=0 txp=0 rxb=0 txb=0
dpd: mode=on-demand on=1 idle=20000ms retry=3 count=0 seqno=0
natt: mode=none draft=0 interval=0 remote_port=0
proxyid=vd2-2 proto=0 sa=1 ref=3 serial=1 auto-negotiate adr
src: 0:0.0.0.0/0.0.0.0:0
dst: 0:0.0.0.0/0.0.0.0:0
SA: ref=3 options=1a227 type=00 soft=0 mtu=15262 expire=42900/0B replaywin=2048
seqno=1 esn=0 replaywin_lastseq=00000000 itn=0 qat=0
life: type=01 bytes=0/0 timeout=42901/43200
dec: spi=03e01a45 esp=aes key=16 0beb519ed9f800e8b4c0aa4e1df7da35
ah=sha1 key=20 bc9f38db5296cce4208a69f1cc8a9f7ef4803c37
enc: spi=864f6dbb esp=aes key=16 1d26e3556afcdb9f8e3e33b563b44228
ah=sha1 key=20 564d05ef6f7437e1fd0a88d5fee7b6567f9d387e
dec:pkts/bytes=0/0, enc:pkts/bytes=0/0
npu_flag=00 npu_rgwy=113.1.1.3 npu_lgwy=112.1.1.2 npu_selid=53 dec_npuid=0 enc_npuid=0

# diagnose firewall proute list

list route policy info(vf=vd2):

id=2132869121 vwl_service=1 vwl_mbr_seq=1 dscp_tag=0xff 0xff flags=0x0 tos=0x00 tos_mask=0x00 protocol=0 sport=0:65535 iif=0 dport=1-65535 oif=111 oif=70 oif=113 oif=71
destination(1): 33.1.1.1-33.1.1.100
source wildcard(1): 0.0.0.0/0.0.0.0

id=2132869122 vwl_service=2 vwl_mbr_seq=2 dscp_tag=0xff 0xff flags=0x0 tos=0x00 tos_mask=0x00 protocol=0 sport=0:65535 iif=0 dport=1-65535 oif=113 oif=71
destination(1): 33.1.1.101-33.1.1.200
source wildcard(1): 0.0.0.0/0.0.0.0

SD-WAN monitor on ADVPN shortcuts

SD-WAN monitors ADVPN shortcut link quality by dynamically creating link monitors for each ADVPN link. The dynamic
link monitor on the spoke will use ICMP probes and the IP address of the gateway as the monitored server. These ICMP
probes will not be counted as actual user traffic that keeps the spoke-to-spoke tunnel alive.

• When no shortcut is established:

# diagnose sys sdwan health-check
Health Check(ping):
Seq(1 tunnel-1): state(alive), packet-loss(0.000%) latency(0.038), jitter(0.006) sla_map=0x3
Seq(2 tunnel-2): state(alive), packet-loss(0.000%) latency(0.035), jitter(0.004) sla_map=0x3

• When one shortcut is established:

# diagnose sys sdwan health-check
Health Check(ping):
Seq(1 tunnel-1): state(alive), packet-loss(0.000%) latency(0.039), jitter(0.003) sla_map=0x3
Seq(1 tunnel-1_0): state(alive), packet-loss(0.000%) latency(0.060), jitter(0.023) sla_map=0x3
Seq(2 tunnel-2): state(alive), packet-loss(0.000%) latency(0.035), jitter(0.002) sla_map=0x3

• When more than one shortcut is established:

# diagnose sys sdwan health-check
Health Check(ping):
Seq(1 tunnel-1): state(alive), packet-loss(0.000%) latency(0.036), jitter(0.004) sla_map=0x3
Seq(1 tunnel-1_0): state(alive), packet-loss(0.000%) latency(0.041), jitter(0.009) sla_map=0x3
Seq(2 tunnel-2): state(alive), packet-loss(0.000%) latency(0.030), jitter(0.005) sla_map=0x3
Seq(2 tunnel-2_0): state(alive), packet-loss(0.000%) latency(0.031), jitter(0.004) sla_map=0x3

Hold down time to support SD-WAN service strategies

In a hub and spoke SD-WAN topology with shortcuts created over ADVPN, a downed or recovered shortcut can affect
which member is selected by an SD-WAN service strategy. When a downed shortcut tunnel recovers and the shortcut is
added back into the service strategy, the shortcut is held at a low priority until the hold down time has elapsed.
By default, the hold down time is zero seconds. It can be set to 0 - 10000000 seconds.

To configure the hold down time:

config system sdwan
config service
edit 1
set hold-down-time <integer>
next
end
end

Example

In this example, the hold down time is set to 15 seconds, and the SD-WAN service is then examined before and after the
hold down time elapses following the recovery of a downed shortcut.

To configure the hold down time:

config system sdwan
config service
edit 1
set hold-down-time 15
next
end
end

To view which SD-WAN member is selected before and after the hold down time elapses:

Before the hold down time has elapsed:


# diagnose sys sdwan service
Service(1): Address Mode(IPV4) flags=0x200
Gen(34), TOS(0x0/0x0), Protocol(0: 1->65535), Mode(priority), link-cost-factor(packet-loss), link-cost-threshold(0), heath-check(ping)
Hold down time(15) seconds, Hold start at 2003 second, now 2010
Member sub interface(4):
1: seq_num(1), interface(vd2-1):
1: vd2-1_0(86)
3: seq_num(2), interface(vd2-2):
1: vd2-2_0(88)

Members(4):
1: Seq_num(1 vd2-1), alive, packet loss: 27.000%, selected
2: Seq_num(2 vd2-2_0), alive, packet loss: 0.000%, selected
3: Seq_num(2 vd2-2), alive, packet loss: 0.000%, selected
4: Seq_num(1 vd2-1_0), alive, packet loss: 61.000%, selected
Dst address(1):
33.1.1.101-33.1.1.200

After the hold down time has elapsed:

# diagnose sys sdwan service
Service(1): Address Mode(IPV4) flags=0x200
  Gen(35), TOS(0x0/0x0), Protocol(0: 1->65535), Mode(priority), link-cost-factor(packet-loss), link-cost-threshold(0), heath-check(ping)
  Hold down time(15) seconds, Hold start at 2018 second, now 2019

  Member sub interface(4):
    2: seq_num(2), interface(vd2-2):
      1: vd2-2_0(88)
    3: seq_num(1), interface(vd2-1):
      1: vd2-1_0(86)
  Members(4):
    1: Seq_num(2 vd2-2_0), alive, packet loss: 0.000%, selected
    2: Seq_num(2 vd2-2), alive, packet loss: 0.000%, selected
    3: Seq_num(1 vd2-1), alive, packet loss: 24.000%, selected
    4: Seq_num(1 vd2-1_0), alive, packet loss: 44.000%, selected
  Dst address(1):
    33.1.1.101-33.1.1.200

SD-WAN integration with OCVPN

OCVPN can enable SD-WAN so that its tunnel interfaces are dynamically added as SD-WAN members. Users can then
configure SD-WAN health checks and service rules to direct traffic over the OCVPN tunnels.
The following example uses a dual hub and spoke topology. Each hub and spoke has two WAN link connections to the
ISP. The spokes build two IPsec tunnels to each hub (four tunnels in total). BGP neighbors are established over each
tunnel, and routes from the hubs and the other spokes are learned from all neighbors, which forms an ECMP scenario. All
tunnels are placed as SD-WAN members, so traffic can be distributed across the tunnels based on the configured SD-WAN
service rules.

To integrate SD-WAN with OCVPN in the GUI:

1. Configure the primary hub:
a. Go to VPN > Overlay Controller VPN and set the Status to Enable.
b. For Role, select Primary Hub.

c. Enter the WAN interfaces (port15 and port16) and tunnel IP allocation block (10.254.0.0/16).

The WAN interface list is position sensitive: a tunnel is created between the first interface on the hub and the
first interface on the spoke, then between the second and the second, and so on. In this example, FGT_A
(primary hub) will create two tunnels with FGT_C (spoke):
• FGT_A port15 <==> FGT_C internal1
• FGT_A port16 <==> FGT_C internal2

d. Enable Auto-discovery shortcuts.
e. Enable Add OCVPN tunnels to SD-WAN. The IPsec tunnels will be added automatically to the SD-WAN
members if SD-WAN is enabled.
2. Configure the overlays on the primary hub:
a. In the Overlays section, click Create New.
b. Enter a name and add the local interface (port2). Note the overlay is either based on local subnets or local
interfaces, but not both.
By default, inter-overlay traffic is not enabled. Toggle Allow traffic from other overlays to enable it.
c. Click OK and repeat these steps to create the second overlay (loop1).

d. Click Apply.
3. Configure the secondary hub with the same settings as the primary hub.
4. Configure the spoke:
a. Go to VPN > Overlay Controller VPN and set the Status to Enable.
b. For Role, select Spoke.
c. Enter the WAN interfaces (internal1 and internal2).
d. Enable Auto-discovery shortcuts.
e. Enable Add OCVPN tunnels to SD-WAN. The IPsec tunnels will be added automatically to the SD-WAN
members if SD-WAN is enabled.
f. Configure the overlays.

The overlay names on the spokes must match the names on the hub for the traffic to be
allowed through the same overlay.

g. Click Apply.

5. Configure the other spoke with the same settings.
6. On a spoke, go to Network > SD-WAN and select the SD-WAN Zones tab to view the configuration generated by
OCVPN.

Firewall policies will be automatically generated by OCVPN between the local interfaces and the SD-WAN interface.
Each policy will define the proper local and remote networks for its source and destination addresses.

To integrate SD-WAN with OCVPN in the CLI:

1. Configure the primary hub:
config vpn ocvpn
    set role primary-hub
    set sdwan enable
    set wan-interface "port15" "port16"
    set ip-allocation-block 10.254.0.0 255.255.0.0
    config overlays
        edit "overlay1"
            config subnets
                edit 1
                    set type interface
                    set interface "port2"
                next
            end
        next
        edit "overlay2"
            config subnets
                edit 1
                    set type interface
                    set interface "loop1"
                next
            end
        next
    end
end

2. Configure the secondary hub with the same settings as the primary hub.
3. Configure the spoke:
config vpn ocvpn
    set status enable
    set sdwan enable
    set wan-interface "internal1" "internal2"
    config overlays
        edit "overlay1"
            config subnets
                edit 1
                    set type interface
                    set interface "wan2"
                next
            end
        next
        edit "overlay2"
            config subnets
                edit 1
                    set type interface
                    set interface "loop1"
                next
            end
        next
    end
end

4. Configure the other spoke with the same settings.
5. Configure SD-WAN:
config system sdwan
    set status enable
    config members
        edit 1
            set interface "_OCVPN2-0a"
        next
        edit 2
            set interface "_OCVPN2-0b"
        next
        edit 3
            set interface "_OCVPN2-1a"
        next
        edit 4
            set interface "_OCVPN2-1b"
        next
    end
end

Firewall policies will be automatically generated by OCVPN between the local interfaces and the SD-WAN interface.
Each policy will define the proper local and remote networks for its source and destination addresses.

If no SD-WAN zone is specified, members are added to the default virtual-wan-link zone.

To verify the integration is working after the ADVPN shortcut is triggered:

1. Check the routing table on the spoke:
FGT_C # get router info routing-table all
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
       O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default

Routing table for VRF=0
S*      0.0.0.0/0 [10/0] via 172.16.17.2, internal1
                  [10/0] via 172.16.18.2, internal2
B       10.1.100.0/24 [200/0] via 10.254.7.254, _OCVPN2-0a, 00:10:24
                      [200/0] via 10.254.15.254, _OCVPN2-0b, 00:10:24
B       10.1.200.0/24 [200/0] via 10.254.7.254, _OCVPN2-0a, 00:10:24
                      [200/0] via 10.254.15.254, _OCVPN2-0b, 00:10:24
B       10.2.100.0/24 [200/0] via 10.254.71.254, _OCVPN2-1a, 00:10:15
                      [200/0] via 10.254.79.254, _OCVPN2-1b, 00:10:15
B       10.2.200.0/24 [200/0] via 10.254.71.254, _OCVPN2-1a, 00:10:15
                      [200/0] via 10.254.79.254, _OCVPN2-1b, 00:10:15
B       10.254.0.0/16 [200/0] via 10.254.7.254, _OCVPN2-0a, 00:10:15
                      [200/0] via 10.254.15.254, _OCVPN2-0b, 00:10:15
                      [200/0] via 10.254.71.254, _OCVPN2-1a, 00:10:15
                      [200/0] via 10.254.79.254, _OCVPN2-1b, 00:10:15
C       10.254.0.0/21 is directly connected, _OCVPN2-0a
C       10.254.0.1/32 is directly connected, _OCVPN2-0a
C       10.254.8.0/21 is directly connected, _OCVPN2-0b
C       10.254.8.1/32 is directly connected, _OCVPN2-0b
C       10.254.64.0/21 is directly connected, _OCVPN2-1a
C       10.254.64.1/32 is directly connected, _OCVPN2-1b_0 <==shortcut tunnel
C       10.254.64.2/32 is directly connected, _OCVPN2-1a
C       10.254.72.0/21 is directly connected, _OCVPN2-1b
C       10.254.72.2/32 is directly connected, _OCVPN2-1b
                       is directly connected, _OCVPN2-1b_0
C       172.16.17.0/24 is directly connected, internal1
C       172.16.18.0/24 is directly connected, internal2
C       172.16.200.0/24 is directly connected, wan1
C       192.168.1.0/24 is directly connected, internal
C       192.168.4.0/24 is directly connected, wan2
B       192.168.5.0/24 [200/0] via 10.254.0.2, _OCVPN2-0a, 00:00:10
                       [200/0] via 10.254.8.2, _OCVPN2-0b, 00:00:10
                       [200/0] via 10.254.0.2, _OCVPN2-0a, 00:00:10
                       [200/0] via 10.254.8.2, _OCVPN2-0b, 00:00:10
                       [200/0] via 10.254.64.1, _OCVPN2-1b_0, 00:00:10
                       [200/0] via 10.254.72.1, _OCVPN2-1b, 00:00:10
                       [200/0] via 10.254.64.1, _OCVPN2-1b_0, 00:00:10
                       [200/0] via 10.254.72.1, _OCVPN2-1b, 00:00:10
C       192.168.44.0/24 is directly connected, loop1
B       192.168.55.0/24 [200/0] via 10.254.0.2, _OCVPN2-0a, 00:00:10
                        [200/0] via 10.254.8.2, _OCVPN2-0b, 00:00:10
                        [200/0] via 10.254.0.2, _OCVPN2-0a, 00:00:10
                        [200/0] via 10.254.8.2, _OCVPN2-0b, 00:00:10
                        [200/0] via 10.254.64.1, _OCVPN2-1b_0, 00:00:10
                        [200/0] via 10.254.72.1, _OCVPN2-1b, 00:00:10
                        [200/0] via 10.254.64.1, _OCVPN2-1b_0, 00:00:10
                        [200/0] via 10.254.72.1, _OCVPN2-1b, 00:00:10

2. Check the VPN tunnel state:
FGT_C # diagnose vpn tunnel list
list all ipsec tunnel in vd 0
------------------------------------------------------
name=_OCVPN2-1b_0 ver=2 serial=1c 172.16.18.3:0->172.16.15.4:0 tun_id=172.16.15.4 dst_mtu=1500
bound_if=9 lgwy=static/1 tun=intf/0 mode=dial_inst/3 encap=none/728 options[02d8]=npu create_dev no-sysctl rgwy-chg frag-rfc accept_traffic=1 overlay_id=4
parent=_OCVPN2-1b index=0
proxyid_num=1 child_num=0 refcnt=15 ilast=0 olast=0 ad=r/2
stat: rxp=641 txp=1025 rxb=16436 txb=16446
dpd: mode=on-idle on=1 idle=20000ms retry=3 count=0 seqno=0
natt: mode=none draft=0 interval=0 remote_port=0
proxyid=_OCVPN2-1b proto=0 sa=1 ref=3 serial=1 auto-negotiate adr
src: 0:0.0.0.0/0.0.0.0:0
dst: 0:0.0.0.0/0.0.0.0:0
SA: ref=6 options=1a227 type=00 soft=0 mtu=1438 expire=42650/0B replaywin=1024
seqno=407 esn=0 replaywin_lastseq=00000280 itn=0 qat=0 hash_search_len=1
life: type=01 bytes=0/0 timeout=43186/43200
dec: spi=90f03d9d esp=aes key=16 6cb33685bbc67d5c85488e0176ecf7b0
ah=sha1 key=20 7d11b3babe62c840bf444b7b1f637b4324722a71
enc: spi=7bc94bda esp=aes key=16 b4d8fc731d411eb24448b4077a5872ca
ah=sha1 key=20 b724064d827304a6d80385ed4914461108b7312f
dec:pkts/bytes=641/16368, enc:pkts/bytes=2053/123426
npu_flag=03 npu_rgwy=172.16.15.4 npu_lgwy=172.16.18.3 npu_selid=1f dec_npuid=1 enc_npuid=1
------------------------------------------------------
name=_OCVPN2-0a ver=2 serial=18 172.16.17.3:0->172.16.13.1:0 tun_id=172.16.17.3 dst_mtu=1500
bound_if=8 lgwy=static/1 tun=intf/0 mode=auto/1 encap=none/536 options[0218]=npu create_dev frag-rfc accept_traffic=1 overlay_id=1
proxyid_num=1 child_num=0 refcnt=20 ilast=0 olast=0 ad=r/2
stat: rxp=1665 txp=2922 rxb=278598 txb=70241
dpd: mode=on-idle on=1 idle=20000ms retry=3 count=0 seqno=7
natt: mode=none draft=0 interval=0 remote_port=0
proxyid=_OCVPN2-0a proto=0 sa=1 ref=4 serial=1 auto-negotiate adr
src: 0:0.0.0.0/0.0.0.0:0
dst: 0:0.0.0.0/0.0.0.0:0
SA: ref=6 options=1a227 type=00 soft=0 mtu=1438 expire=41599/0B replaywin=1024
seqno=890 esn=0 replaywin_lastseq=00000680 itn=0 qat=0 hash_search_len=1
life: type=01 bytes=0/0 timeout=42899/43200
dec: spi=90f03d95 esp=aes key=16 a6ffcc197bb1b46ec745d0b595cdd69a
ah=sha1 key=20 8007c134e41edf282f95daf9c9033d688ef05ccc
enc: spi=a1bf21bf esp=aes key=16 ead05be389b0dec222f969e2f9c46b1d
ah=sha1 key=20 b04105d34d4b0e61b018f2e60591f9b1510783bb
dec:pkts/bytes=1665/278538, enc:pkts/bytes=4237/265074
npu_flag=03 npu_rgwy=172.16.13.1 npu_lgwy=172.16.17.3 npu_selid=1b dec_npuid=1 enc_npuid=1
------------------------------------------------------
name=_OCVPN2-1a ver=2 serial=1a 172.16.17.3:0->172.16.11.1:0 tun_id=172.16.11.1 dst_mtu=1500
bound_if=8 lgwy=static/1 tun=intf/0 mode=auto/1 encap=none/536 options[0218]=npu create_dev frag-rfc accept_traffic=1 overlay_id=3
proxyid_num=1 child_num=0 refcnt=17 ilast=0 olast=0 ad=r/2
stat: rxp=1 txp=2913 rxb=16376 txb=69642
dpd: mode=on-idle on=1 idle=20000ms retry=3 count=0 seqno=5
natt: mode=none draft=0 interval=0 remote_port=0
proxyid=_OCVPN2-1a proto=0 sa=1 ref=28 serial=1 auto-negotiate adr
src: 0:0.0.0.0/0.0.0.0:0
dst: 0:0.0.0.0/0.0.0.0:0
SA: ref=6 options=1a227 type=00 soft=0 mtu=1438 expire=41653/0B replaywin=1024
seqno=887 esn=0 replaywin_lastseq=00000002 itn=0 qat=0 hash_search_len=1
life: type=01 bytes=0/0 timeout=42900/43200
dec: spi=90f03d9b esp=aes key=16 ee03f5b0f617a26c6177e91d60abf90b
ah=sha1 key=20 f60cbbc4ebbd6d0327d23137da707b7ab2dc49e6
enc: spi=a543a7d3 esp=aes key=16 1d37efab13a5c0347b582b2198b15cb8
ah=sha1 key=20 427ee4c82bac6f26f0bcabfe04328c7f57ce682e
dec:pkts/bytes=1/16316, enc:pkts/bytes=4229/264036
npu_flag=03 npu_rgwy=172.16.11.1 npu_lgwy=172.16.17.3 npu_selid=1d dec_npuid=1 enc_npuid=1
------------------------------------------------------
name=_OCVPN2-0b ver=2 serial=19 172.16.18.3:0->172.16.14.1:0 tun_id=172.16.14.1 dst_mtu=1500
bound_if=9 lgwy=static/1 tun=intf/0 mode=auto/1 encap=none/536 options[0218]=npu create_dev frag-rfc accept_traffic=1 overlay_id=2
proxyid_num=1 child_num=0 refcnt=20 ilast=0 olast=0 ad=r/2
stat: rxp=1665 txp=2917 rxb=278576 txb=69755
dpd: mode=on-idle on=1 idle=20000ms retry=3 count=0 seqno=7
natt: mode=none draft=0 interval=0 remote_port=0
proxyid=_OCVPN2-0b proto=0 sa=1 ref=4 serial=1 auto-negotiate adr
src: 0:0.0.0.0/0.0.0.0:0
dst: 0:0.0.0.0/0.0.0.0:0
SA: ref=6 options=1a227 type=00 soft=0 mtu=1438 expire=41599/0B replaywin=1024
seqno=88b esn=0 replaywin_lastseq=00000680 itn=0 qat=0 hash_search_len=1
life: type=01 bytes=0/0 timeout=42899/43200
dec: spi=90f03d96 esp=aes key=16 9d7eb233c1d095b30796c3711d53f2fd
ah=sha1 key=20 d8feacd42b5e0ba8b5e38647b2f2734c94644bd1
enc: spi=a1bf21c0 esp=aes key=16 d2c0984bf86dc504c5475230b24034f0
ah=sha1 key=20 3946e4033e1f42b0d9a843b94448f56fd5b57bee
dec:pkts/bytes=1665/278516, enc:pkts/bytes=4233/264411
npu_flag=03 npu_rgwy=172.16.14.1 npu_lgwy=172.16.18.3 npu_selid=1c dec_npuid=1 enc_npuid=1
------------------------------------------------------
name=_OCVPN2-1b ver=2 serial=1b 172.16.18.3:0->172.16.12.1:0 tun_id=172.16.12.1 dst_mtu=1500
bound_if=9 lgwy=static/1 tun=intf/0 mode=auto/1 encap=none/536 options[0218]=npu create_dev frag-rfc accept_traffic=1 overlay_id=4
proxyid_num=1 child_num=1 refcnt=19 ilast=1 olast=0 ad=r/2
stat: rxp=1 txp=2922 rxb=16430 txb=70173
dpd: mode=on-idle on=1 idle=20000ms retry=3 count=0 seqno=4
natt: mode=none draft=0 interval=0 remote_port=0
proxyid=_OCVPN2-1b proto=0 sa=1 ref=28 serial=1 auto-negotiate adr
src: 0:0.0.0.0/0.0.0.0:0
dst: 0:0.0.0.0/0.0.0.0:0
SA: ref=6 options=1a227 type=00 soft=0 mtu=1438 expire=41656/0B replaywin=1024
seqno=890 esn=0 replaywin_lastseq=00000002 itn=0 qat=0 hash_search_len=1
life: type=01 bytes=0/0 timeout=42903/43200
dec: spi=90f03d9c esp=aes key=16 a655767c1ed6cff4575857eb3981ad81
ah=sha1 key=20 bfc2bccd7103a201be2641d4c6147d437d2c3f70
enc: spi=a543a7d4 esp=aes key=16 7221b814e483165b01edfdc8260d261a
ah=sha1 key=20 d54819643c2f1b20da2aea4282d50a1f1bc1d72a
dec:pkts/bytes=1/16370, enc:pkts/bytes=4238/265164
npu_flag=03 npu_rgwy=172.16.12.1 npu_lgwy=172.16.18.3 npu_selid=1e dec_npuid=1 enc_npuid=1

3. Check the SD-WAN state:
FGT_C # diagnose sys sdwan health-check
Health Check(Default_DNS):
Health Check(Default_Office_365):
Health Check(Default_Gmail):
Health Check(Default_AWS):
Health Check(Default_Google Search):
Health Check(Default_FortiGuard):
Health Check(ocvpn):
Seq(1 _OCVPN2-0a): state(alive), packet-loss(0.000%) latency(0.364), jitter(0.028) sla_map=0x0
Seq(2 _OCVPN2-0b): state(alive), packet-loss(0.000%) latency(0.287), jitter(0.026) sla_map=0x0
Seq(3 _OCVPN2-1a): state(dead), packet-loss(100.000%) sla_map=0x0
Seq(4 _OCVPN2-1b): state(dead), packet-loss(100.000%) sla_map=0x0
Seq(4 _OCVPN2-1b_0): state(alive), packet-loss(0.000%) latency(0.289), jitter(0.029) sla_map=0x0
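The diagnose sys sdwan health-check output is the place where a dead member or a missed SLA target first shows up, here, in the hold down example and in the FEC example later in this section. The following Python helper is an added example, not Fortinet code: it parses that output into per-member records and reports dead members and SLA misses. The sample text is constructed from the outputs shown on this page and keeps the wrapped lines (sla_ / map=0x0) that a console or PDF inserts, so the parser has to re-join them. It assumes that sla_map is a bitmask in which bit n-1 is set when SLA target n is met, which is consistent with sla_map=0x1 for one SLA and sla_map=0x3 for two SLAs in the outputs above.

```python
import re
from dataclasses import dataclass, field

# Constructed sample modelled on the 'diagnose sys sdwan health-check' outputs on this page,
# including the line wraps ("sla_" / "map=0x0") that a console or PDF inserts.
SAMPLE_OUTPUT = """\
Health Check(Default_DNS):
Health Check(ocvpn):
Seq(1 _OCVPN2-0a): state(alive), packet-loss(0.000%) latency(0.364), jitter(0.028) sla_
map=0x0
Seq(2 _OCVPN2-0b): state(alive), packet-loss(0.000%) latency(0.287), jitter(0.026) sla_
map=0x0
Seq(3 _OCVPN2-1a): state(dead), packet-loss(100.000%) sla_map=0x0
Seq(4 _OCVPN2-1b): state(dead), packet-loss(100.000%) sla_map=0x0
Seq(4 _OCVPN2-1b_0): state(alive), packet-loss(0.000%) latency(0.289), jitter(0.029)
sla_map=0x0
Health Check(1):
Seq(2 vd1-p1): state(alive), packet-loss(15.000%) latency(0.168), jitter(0.017),
bandwidth-up(999999), bandwidth-dw(999998), bandwidth-bi(1999997) sla_map=0x0
"""

HC_RE = re.compile(r"^Health Check\((?P<name>.+)\):$")
SEQ_RE = re.compile(r"^Seq\((?P<seq>\d+) (?P<member>\S+)\): state\((?P<state>\w+)\)")
METRIC_RE = re.compile(r"(?P<key>[a-z][a-z-]*)\((?P<val>\d+(?:\.\d+)?)%?\)")
SLA_RE = re.compile(r"sla_map=0x(?P<map>[0-9a-fA-F]+)")


@dataclass
class Member:
    seq: int
    name: str
    state: str                                   # alive / dead
    metrics: dict = field(default_factory=dict)  # packet-loss (%), latency, jitter, bandwidth-* (kbps)
    sla_map: int = 0                             # assumption: bit n-1 set => SLA target n is met


def _logical_lines(text):
    """Re-join wrapped lines: a line that does not start a new record continues the previous one."""
    lines = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith(("Health Check(", "Seq(")) or not lines:
            lines.append(line)
        else:
            lines[-1] += line
    return lines


def parse_health_check(text):
    """Map health-check name -> list of Member, in the order printed."""
    checks = {}
    current = None
    for line in _logical_lines(text):
        hc = HC_RE.match(line)
        if hc:
            current = hc.group("name")
            checks.setdefault(current, [])
            continue
        seq = SEQ_RE.match(line)
        if seq and current is not None:
            metrics = {k: float(v) for k, v in METRIC_RE.findall(line)}
            sla = SLA_RE.search(line)
            checks[current].append(Member(
                seq=int(seq.group("seq")),
                name=seq.group("member"),
                state=seq.group("state"),
                metrics=metrics,
                sla_map=int(sla.group("map"), 16) if sla else 0,
            ))
    return checks


def dead_members(checks):
    """Interfaces reported dead by any health check (sorted, de-duplicated)."""
    return sorted({m.name for members in checks.values() for m in members if m.state != "alive"})


def sla_failures(checks, check_name, sla_id):
    """Members of one health check that are not meeting SLA target sla_id.
    Only meaningful for checks that have 'config sla' entries; a check without
    SLA targets prints sla_map=0x0 for every member."""
    bit = 1 << (sla_id - 1)
    return [m.name for m in checks.get(check_name, []) if not m.sla_map & bit]


if __name__ == "__main__":
    parsed = parse_health_check(SAMPLE_OUTPUT)
    print("dead:", dead_members(parsed))
    print("SLA 1 failing in health check 1:", sla_failures(parsed, "1", 1))
```

In the sample, the two dead members are the hub-side tunnels whose traffic moved to the ADVPN shortcut, and vd1-p1 is reported as missing SLA 1 because its packet loss is 15%; feeding the command output to parse_health_check from a monitoring script gives the same answers without scraping by eye.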

Adaptive Forward Error Correction

Forward Error Correction (FEC) is used to control and correct errors in data transmission by sending redundant data
across the VPN in anticipation of packets being dropped in transit. The mechanism sends x redundant packets for
every y base packets.
Adaptive FEC considers link conditions and dynamically adjusts the FEC packet ratio:
• The FEC base and redundant packet relationship is dynamically adjusted based on changes to the network SLA
metrics defined in the SD-WAN SLA health checks. For example, when there is no or low packet loss in the network,
FEC can work at a low redundancy level, sending only one redundant packet for every 10 base packets. As packet
loss increases, the number of redundant packets sent can rise accordingly.
• FEC can be applied only to streams that are sensitive to packet loss. For example, policies that allow the UDP
based VoIP protocol can enable FEC, while TCP based traffic policies do not. This reduces unnecessary bandwidth
consumption by FEC.
• Because FEC does not support NPU offloading, the ability to specify streams and policies that do not require FEC
allows that traffic to be offloaded. This means that not all traffic suffers a performance impact.
In this example, an IPsec tunnel is configured between two FortiGates that both have FEC enabled. The tunnel is an
SD-WAN zone member, and an SLA health check is used to monitor the quality of the VPN overlay. The intention is to
apply FEC to UDP traffic that passes through the VPN overlay, while allowing all other traffic to pass through without
FEC. An FEC profile is configured to adaptively increase the redundancy level if the link quality exceeds a 10% packet
loss threshold, or the upload bandwidth exceeds 950 Mbps.
The DMZ interface and IPsec tunnel vd1-p1 are SD-WAN members. FEC is enabled on vd1-p1, and the health check
monitors vd1-p1.

To configure the FortiGates:

1. On both FortiGates, enable FEC and NPU offloading on the IPsec tunnel vd1-p1:
config vpn ipsec phase1-interface
    edit "vd1-p1"
        set npu-offload enable
        set fec-egress enable
        set fec-ingress enable
    next
end

2. On FortiGate A, configure SD-WAN:

The VPN overlay member (vd1-p1) must be included in the health-check and configured as the higher priority
member in the SD-WAN rule.

config system sdwan
    set status enable
    config zone
        edit "virtual-wan-link"
        next
    end
    config members
        edit 1
            set interface "dmz"
            set gateway 172.16.208.2
        next
        edit 2
            set interface "vd1-p1"
        next
    end
    config health-check
        edit "1"
            set server "2.2.2.2"
            set members 2
            config sla
                edit 1
                next
            end
        next
    end
    config service
        edit 1
            set name "1"
            set dst "all"
            set src "172.16.205.0"
            set priority-members 2 1
        next
    end
end

3. On FortiGate A, create a policy to specify performing FEC on UDP traffic, and a policy for other traffic:
config firewall policy
    edit 1
        set srcintf "port5"
        set dstintf "virtual-wan-link"
        set action accept
        set srcaddr "172.16.205.0"
        set dstaddr "all"
        set schedule "always"
        set service "ALL_UDP"
        set fec enable
    next
    edit 2
        set srcintf "any"
        set dstintf "any"
        set action accept
        set srcaddr "all"
        set dstaddr "all"
        set schedule "always"
        set service "ALL"
    next
end

4. On FortiGate A, configure FEC mapping to bind network SLA metrics and FEC base and redundant packets:
config vpn ipsec fec
    edit "m1"
        config mappings
            edit 1
                set base 8
                set redundant 2
                set packet-loss-threshold 10
            next
            edit 2
                set base 9
                set redundant 3
                set bandwidth-up-threshold 950000
            next
        end
    next
end

The mappings are matched from top to bottom: packet loss greater than 10% with eight base and two redundant
packets, and then uploading bandwidth greater than 950 Mbps with nine base and three redundant packets.
5. On FortiGate A, apply the FEC mappings on vd1-p1:
config vpn ipsec phase1-interface
    edit "vd1-p1"
        set fec-health-check "1"
        set fec-mapping-profile "m1"
        set fec-base 10
        set fec-redundant 1
    next
end

The fec-base and fec-redundant values are used while the link quality has not exceeded any of the limits specified in
the FEC profile mappings. If fec-codec is set to xor, the base and redundant packet values are not updated.
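The selection rule spread over steps 4 and 5 (mappings tried top to bottom, the phase1 fec-base/fec-redundant pair as the fallback, no update with the xor codec) as an added Python model. This is example code written for this guide, not FortiOS code. It assumes that "rs" is the value of fec-codec that is not xor (only xor is named on this page), that a mapping which sets more than one threshold requires all of them to be exceeded, and that the thresholds are strict (greater than), as the text says; the metric dictionaries are constructed from the health-check numbers in the verification steps that follow.

```python
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class FecMapping:
    """One 'edit <n>' entry under 'config vpn ipsec fec' -> 'config mappings'."""
    base: int
    redundant: int
    packet_loss_threshold: Optional[float] = None   # percent, as in 'set packet-loss-threshold 10'
    bandwidth_up_threshold: Optional[int] = None    # kbps, as in 'set bandwidth-up-threshold 950000'

    def matches(self, metrics):
        """Assumption: every threshold the entry sets must be exceeded (strictly) for it to match."""
        conds = []
        if self.packet_loss_threshold is not None:
            conds.append(metrics.get("packet-loss", 0.0) > self.packet_loss_threshold)
        if self.bandwidth_up_threshold is not None:
            conds.append(metrics.get("bandwidth-up", 0) > self.bandwidth_up_threshold)
        return bool(conds) and all(conds)


@dataclass(frozen=True)
class Phase1Fec:
    """The FEC settings applied to the phase1-interface in step 5."""
    fec_base: int = 10
    fec_redundant: int = 1
    fec_codec: str = "rs"   # assumption: 'rs' names the non-xor codec; only 'xor' is named on this page
    mappings: Tuple[FecMapping, ...] = ()


# Profile "m1" from step 4 applied with the step 5 defaults.
M1 = Phase1Fec(fec_base=10, fec_redundant=1, mappings=(
    FecMapping(base=8, redundant=2, packet_loss_threshold=10),
    FecMapping(base=9, redundant=3, bandwidth_up_threshold=950000),
))


def select_fec(profile, metrics):
    """Return (base, redundant) for the current health-check metrics.

    Mappings are tried top to bottom and the first match wins. With no match, or with the
    xor codec, the phase1 fec-base / fec-redundant values stay in effect."""
    if profile.fec_codec != "xor":
        for mapping in profile.mappings:
            if mapping.matches(metrics):
                return mapping.base, mapping.redundant
    return profile.fec_base, profile.fec_redundant


if __name__ == "__main__":
    # Constructed metric dictionaries taken from the two verification measurements.
    good_link = {"packet-loss": 0.0, "bandwidth-up": 999999}
    lossy_link = {"packet-loss": 15.0, "bandwidth-up": 999999}
    print(select_fec(M1, good_link))    # (9, 3): bandwidth-up exceeds 950000 kbps
    print(select_fec(M1, lossy_link))   # (8, 2): entry 1 matches first, entry 2 is never reached
```

The ordering matters for capacity planning: a lossy link that also carries more than 950 Mbps upstream gets the 8/2 ratio of entry 1, not the 9/3 ratio of entry 2, because matching stops at the first hit.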

To verify the results:

1. Send TCP and UDP traffic from PC1 to PC2, then check the sessions on FortiGate A:
# diagnose sys session list
session info: proto=6 proto_state=01 duration=12 expire=3587 timeout=3600 flags=00000000 socktype=0 sockport=0 av_idx=0 use=3
origin-shaper=
reply-shaper=
per_ip_shaper=
class_id=0 ha_id=0 policy_dir=0 tunnel=/ vlan_cos=0/255
state=may_dirty npu
statistic(bytes/packets/allow_err): org=112/2/1 reply=112/2/1 tuples=2
tx speed(Bps/kbps): 0/0 rx speed(Bps/kbps): 0/0
orgin->sink: org pre->post, reply pre->post dev=15->102/102->15 gwy=172.16.209.2/172.16.205.11
hook=pre dir=org act=noop 172.16.205.11:39176->10.1.100.22:5001(0.0.0.0:0)
hook=post dir=reply act=noop 10.1.100.22:5001->172.16.205.11:39176(0.0.0.0:0)
pos/(before,after) 0/(0,0), 0/(0,0)
misc=0 policy_id=2 pol_uuid_idx=719 auth_info=0 chk_client_info=0 vd=0
serial=00020f7a tos=ff/ff app_list=0 app=0 url_cat=0
sdwan_mbr_seq=2 sdwan_service_id=1
rpdb_link_id=ff000001 rpdb_svc_id=0 ngfwid=n/a
npu_state=0x5000c00
npu info: flag=0x82/0x81, offload=8/8, ips_offload=0/0, epid=249/74, ipid=74/86, vlan=0x0000/0x0000
vlifid=74/249, vtag_in=0x0000/0x0001 in_npu=1/1, out_npu=1/1, fwd_en=0/0, qid=5/5

session info: proto=17 proto_state=00 duration=0 expire=180 timeout=0 flags=00000000 socktype=0 sockport=0 av_idx=0 use=4
origin-shaper=
reply-shaper=
per_ip_shaper=
class_id=0 ha_id=0 policy_dir=0 tunnel=/ vlan_cos=0/255
state=may_dirty fec
statistic(bytes/packets/allow_err): org=100366/67/1 reply=0/0/0 tuples=2
tx speed(Bps/kbps): 0/0 rx speed(Bps/kbps): 0/0
orgin->sink: org pre->post, reply pre->post dev=15->102/102->15 gwy=172.16.209.2/0.0.0.0
hook=pre dir=org act=noop 172.16.205.11:49052->10.1.100.22:5001(0.0.0.0:0)
hook=post dir=reply act=noop 10.1.100.22:5001->172.16.205.11:49052(0.0.0.0:0)
misc=0 policy_id=1 pol_uuid_idx=593 auth_info=0 chk_client_info=0 vd=0
serial=000210fa tos=ff/ff app_list=0 app=0 url_cat=0
sdwan_mbr_seq=2 sdwan_service_id=1
rpdb_link_id=ff000001 rpdb_svc_id=0 ngfwid=n/a
npu_state=0x5040000
no_ofld_reason: non-npu-intf

The TCP session, matched by policy 2 and not FEC protected, is offloaded (state=may_dirty npu), while the UDP session, matched by policy 1 with FEC enabled, is not (state=may_dirty fec, no_ofld_reason: non-npu-intf).
2. On FortiGate A, check the health-check result and the corresponding FEC base and redundant packets:

# diagnose sys sdwan health-check
Health Check(1):
Seq(2 vd1-p1): state(alive), packet-loss(0.000%) latency(0.168), jitter(0.021), bandwidth-up(999999), bandwidth-dw(999998), bandwidth-bi(1999997) sla_map=0x1

Because bandwidth-up is more than 950000 kbps, entry 2 in the FEC mapping is matched and base and redundant are set to 9 and 3:
# diagnose vpn tunnel fec vd1-p1
egress:
  enabled=1 base=9 redundant=3 codec=0 timeout=10(ms)
  encode=6621 encode_timeout=6621 encode_fail=0
  tx_data=6880 tx_parity=18601
ingress:
  enabled=1 timeout=50(ms)
  fasm_cnt=0 fasm_full=0
  ipsec_fec_chk_fail=0 complete=0
  rx_data=0 rx_parity=0
  recover=0 recover_timeout=0 recover_fail=0
  rx=0 rx_fail=0

3. Make packet loss more than 10%, then check the health-check result and the corresponding FEC base and
redundant packets again:
# diagnose sys sdwan health-check
Health Check(1):
Seq(2 vd1-p1): state(alive), packet-loss(15.000%) latency(0.168), jitter(0.017), bandwidth-up(999999), bandwidth-dw(999998), bandwidth-bi(1999997) sla_map=0x0

Because packet loss is more than 10%, entry one in the FEC mapping is matched first, and base and redundant are set
to 8 and 2:
# diagnose vpn tunnel fec vd1-p1
egress:
  enabled=1 base=8 redundant=2 codec=0 timeout=10(ms)
  encode=6670 encode_timeout=6670 encode_fail=0
  tx_data=6976 tx_parity=18748
ingress:
  enabled=1 timeout=50(ms)
  fasm_cnt=0 fasm_full=0
  ipsec_fec_chk_fail=0 complete=0
  rx_data=0 rx_parity=0
  recover=0 recover_timeout=0 recover_fail=0
  rx=0 rx_fail=0

Dual VPN tunnel wizard

This wizard is used to automatically set up multiple VPN tunnels to the same destination over multiple outgoing
interfaces. This includes automatically configuring IPsec, routing, and firewall settings, avoiding cumbersome and
error-prone configuration steps.

To create a new SD-WAN VPN interface using the tunnel wizard:

1. Go to Network > SD-WAN, select the SD-WAN Zones tab, and click Create New > SD-WAN Member.
2. In the Interface drop-down, click +VPN. The Create IPsec VPN for SD-WAN members pane opens.
3. Enter the required information, then click Next.
4. Review the settings then click Create.
5. Click Close to return to the SD-WAN page.
The newly created VPN interface will be highlighted in the Interface drop-down list.
6. Select the VPN interface to add it as an SD-WAN member, then click OK.

Duplicate packets on other zone members

When duplication rules are used, packets are duplicated on other good links within the SD-WAN zone and de-duplicated
on the destination FortiGate. Use force mode to force duplication on other links within the SD-WAN zone, or use
on-demand mode to trigger duplication only when SLA fails on the selected member.
The duplication rule is configured in the CLI by using the config duplication command. The following options can
be configured:

Parameter              Description

srcaddr                Source address or address group names.
dstaddr                Destination address or address group names.
srcaddr6               Source IPv6 address or IPv6 address group names.
dstaddr6               Destination IPv6 address or IPv6 address group names.
srcintf                Incoming (ingress) interfaces or zones.
dstintf                Outgoing (egress) interfaces or zones.
service                Service and service group names.
packet-duplication     Configure packet duplication method.
                       • disable: Disable packet duplication (default).
                       • force: Duplicate packets across all interface members of the SD-WAN zone.
                       • on-demand: Duplicate packets across all interface members of the SD-WAN zone based on the link quality.
packet-de-duplication  Enable/disable discarding of packets that have been duplicated (default = disable).

The duplication-max-num <integer> option under config system sdwan is the maximum number of
interface members that a packet is duplicated on in the SD-WAN zone (2 - 4, default = 2). If this value is set to 3, the
original packet plus two more copies are created. If there are three member interfaces in the SD-WAN zone and the
duplication-max-num is set to 2, the packet duplication follows the configuration order, so the packets are
duplicated on the second member.

Example

The packet duplication feature works best in a spoke-spoke or hub-and-spoke topology. In this example, a
hub-and-spoke ADVPN topology is used. Before shortcuts are established, Hub 1 forwards the duplicate packets from
Spoke 1 to Spoke 2. Once shortcuts are established, Hub 1 is transparent, and duplicate packets are exchanged directly
between the spokes.

To configure packet duplication between Spoke 1 and Spoke 2:

1. Configure Spoke 1:
config system sdwan
    set status enable
    config zone
        edit "virtual-wan-link"
        next
        edit "sdwanzone_v4"
        next
    end
    config members
        edit 1
            set interface "t1"
            set zone "sdwanzone_v4"
        next
        edit 4
            set interface "t21"
            set zone "sdwanzone_v4"
        next
        edit 2
            set interface "t2"
            set zone "sdwanzone_v4"
        next
    end
    config health-check
        edit "h1"
            set server "10.34.1.1"
            set interval 1000
            set failtime 10
            set members 1 2
            config sla
                edit 1
                    set packetloss-threshold 40
                next
            end
        next
    end
    config duplication
        edit 1
            set srcaddr "all"
            set dstaddr "all"
            set srcintf "port1"
            set dstintf "sdwanzone_v4"
            set service "ALL"
            set packet-duplication force
            set packet-de-duplication enable
        next
    end
end

2. Configure Spoke 2 with similar settings.

Duplicate packets based on SD-WAN rules

SD-WAN duplication rules can specify SD-WAN service rules to trigger packet duplication. This allows the duplication to
occur based on an SD-WAN rule instead of the source, destination, and service parameters in the duplication rule.
1. Packets can be forced to duplicate to all members of the same SD-WAN zone. See Duplicate packets on other zone
members on page 695 for details.
For example, in Spoke 1 set packet-duplication to force so that when a client sends a packet to the server, it
is duplicated to all members of the same zone as long as their health check is alive. If a member's health check is
dead, then the member is removed from the SD-WAN duplication zone.
2. Packets can be duplicated to other members of the SD-WAN zone on demand, only when the condition of the link is
not good enough.
Set packet-duplication to on-demand. If sla-match-service is disabled, the packet is duplicated when all the
SLAs of the member exceed their thresholds (sla_map=0); when the SLAs are within threshold (sla_map!=0), the
packet is not duplicated.
If sla-match-service is enabled, then only the SLA health checks and targets used in the service rule need to
exceed threshold in order to trigger packet duplication.
3. Packets can be duplicated to all members of the same SD-WAN zone when the traffic matches one or more regular
SD-WAN service rules.
The following example shows the third type of packet duplication.

In this example, SD-WAN is configured with three members: vpn1, vpn2, and vpn3. Service rule 1 controls all traffic from
10.100.20.0/24 to 172.16.100.0/24 using member 1.
To send a duplicate of the traffic that matches service rule 1 using member 2, members 1 and 2 are added to the same
SD-WAN zone, and a duplication rule is configured with service-id set to 1.

To send a duplicate of the traffic that matches service rule 1 using member 2:

config system sdwan
    set status enable
    config zone
        edit "virtual-wan-link"
        next
        edit "zone2"
        next
    end
    config members
        edit 1
            set interface "vpn1"
        next
        edit 2
            set interface "vpn2"
        next
        edit 3
            set interface "vpn3"
            set zone "zone2"
        next
    end
    config service
        edit 1
            set dst "172.16.100.0"
            set src "10.100.20.0"
            set priority-members 1
        next
    end
    config duplication
        edit 1
            set service-id 1
            set packet-duplication force
        next
    end
end
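The rules from Duplicate packets on other zone members (force versus on-demand, dead members dropped, duplication-max-num, configuration order, same zone only) and from this section (sla-match-service) combine into one small decision: on which interfaces does a given packet leave? The Python below is an added model of that decision, written for this guide; it is not FortiOS code and the member data is constructed from the Spoke 1 example and the service-rule example above. Two assumptions are labelled in the code: configuration order means the order of the entries under config members (so Spoke 1's order is 1, 4, 2), and with sla-match-service enabled all of the SLA targets that the service rule uses must be out of threshold before duplication starts.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class ZoneMember:
    """An entry under 'config system sdwan' -> 'config members', listed in configuration order."""
    seq: int                      # edit <seq>
    interface: str
    zone: str = "virtual-wan-link"
    alive: bool = True            # state from 'diagnose sys sdwan health-check'
    sla_map: int = 0              # bit n-1 set => SLA target n met (sla_map from the same command)


def link_not_good_enough(member, service_sla_ids, sla_match_service):
    """The on-demand trigger.

    sla-match-service disabled: all SLAs of the member are out of threshold (sla_map == 0).
    sla-match-service enabled: only the SLA targets used by the service rule count
    (assumption: every one of them must be out of threshold)."""
    if not sla_match_service:
        return member.sla_map == 0
    mask = 0
    for sla_id in service_sla_ids:
        mask |= 1 << (sla_id - 1)
    return member.sla_map & mask == 0


def egress_interfaces(members, egress_seq, packet_duplication="disable", duplication_max_num=2,
                      service_sla_ids=(), sla_match_service=False):
    """Interfaces a packet is sent on: the selected member first, then its duplicates.

    'members' must be in configuration order (assumption: the order of the config entries),
    because duplicates follow that order. A dead member is removed from the duplication zone,
    only members in the same zone as the selected member receive copies, and at most
    duplication_max_num interfaces are used in total (original plus copies)."""
    if not 2 <= duplication_max_num <= 4:
        raise ValueError("duplication-max-num must be 2 - 4")
    if packet_duplication not in ("disable", "force", "on-demand"):
        raise ValueError("unknown packet-duplication mode")
    egress = next(m for m in members if m.seq == egress_seq)
    out = [egress.interface]
    if packet_duplication == "disable":
        return out
    if packet_duplication == "on-demand" and not link_not_good_enough(
            egress, service_sla_ids, sla_match_service):
        return out
    for m in members:
        if len(out) >= duplication_max_num:
            break
        if m.seq == egress_seq or m.zone != egress.zone or not m.alive:
            continue
        out.append(m.interface)
    return out


# Spoke 1 from the first example (configuration order 1, 4, 2), constructed data.
SPOKE1 = (
    ZoneMember(1, "t1", "sdwanzone_v4", alive=True, sla_map=0x1),
    ZoneMember(4, "t21", "sdwanzone_v4", alive=True, sla_map=0x1),
    ZoneMember(2, "t2", "sdwanzone_v4", alive=True, sla_map=0x1),
)

# The service-rule example: vpn1 and vpn2 share the default zone, vpn3 sits in zone2.
RULE_EXAMPLE = (
    ZoneMember(1, "vpn1"),
    ZoneMember(2, "vpn2"),
    ZoneMember(3, "vpn3", zone="zone2"),
)

if __name__ == "__main__":
    print(egress_interfaces(SPOKE1, 1, "force"))        # ['t1', 't21']: second entry in config order
    print(egress_interfaces(RULE_EXAMPLE, 1, "force"))  # ['vpn1', 'vpn2']: vpn3 is in another zone
```

With the default duplication-max-num of 2 the copy goes to the next member in configuration order, so on Spoke 1 that is t21 (edit 4), not t2 (edit 2); raising duplication-max-num to 3 adds t2 as well, and a dead t21 is skipped in favour of t2.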

Speed tests run from the hub to the spokes in dial-up IPsec tunnels

In a hub and spoke SD-WAN topology that uses dial-up VPN overlays, QoS can be applied on individual tunnels based
on the measured bandwidth between the hub and spokes. The FortiGate can use the built-in speed test to dynamically
populate the egress bandwidth of individual dial-up tunnels from the hub.
SD-WAN members on a spoke can switch routes while the speed test is running from the hub to the spoke. The speed
test results can be cached for reuse when a tunnel comes back after going down.

CLI commands

Allow upload speed tests to be run on demand from the hub to the spokes over dial-up IPsec tunnels:

config system speed-test-schedule
    edit <interface>
        set dynamic-server {enable | disable}
    next
end

<interface>                        The dial-up IPsec tunnel interface on the hub.
dynamic-server {enable | disable}  Enable/disable the dynamic speed test server (default = disable).

To limit the maximum and minimum bandwidth used in the speed test, enable set update-inbandwidth and
set update-outbandwidth. See Scheduled interface speedtest on page 558 for more information.

config system global
    set speedtest-server {enable | disable}
end

speedtest-server {enable | disable}  Enable/disable the speed test server on the spoke (default = disable). This setting must be enabled on spoke FortiGates. It enables iPerf in server mode, which listens on the default iPerf TCP port 5201.

Allow an SD-WAN member on the spoke to switch routes while a speed test is running from the hub to the spokes:

config system sdwan
    set speedtest-bypass-routing {enable | disable}
    config neighbor
        edit <bgp neighbor>
            set mode speedtest
        next
    end
end

speedtest-bypass-routing {enable | disable}  Enable/disable bypass routing when doing a speed test on an SD-WAN member (default = disable).
set mode speedtest                           Use the speed test to select the neighbor.

Manually run an upload speed test on the physical interfaces of each tunnel of a dial-up IPsec interface:

execute speed-test-dynamic <interface> <tunnel_name> <'y'/'n'> <max-out> <min-out>

<interface>    IPsec phase1 interface name.
<tunnel_name>  The tunnel name, or all for all tunnels.
<'y'/'n'>      Apply the result to the tunnels' shaper or not.
<max-out>      The maximum speed used in a speed test, in kbps.
<min-out>      The minimum speed used in a speed test, in kbps.

Manually start a non-blocking upload speed test (the command returns as soon as the request is sent; the result is applied when the test completes):

diagnose netlink interface speed-test-tunnel <interface> <tunnel_name>


Debug and test commands:

diagnose debug application speedtest <int>     Enable debug of the speed test module in the forticron daemon.
diagnose debug application speedtestd <int>    Enable debug of the speed test server daemon.
diagnose test application forticron 9          List the scheduled speed tests.
diagnose test application forticron 10         Show the cached speed test results.
diagnose test application forticron 11         Write the cached speed test results to disk.
diagnose test application forticron 12         Load the speed test results from disk.
diagnose test application forticron 99         Cancel all pending speed tests.

Example

In this example, the hub is configured as a VPN dial-up server and both of the spokes are connected to the hub. It is assumed that the VPN configuration is already done, with a dynamic gateway type and kernel device creation (net-device) disabled. Only one SD-WAN interface is used, so there is only one VPN overlay member in the SD-WAN zone. Multiple WAN interfaces and VPN overlays could be used.
The VPN interfaces and IP addresses are:

FortiGate        Interface     IP Address
FGT_A (Hub)      hub-phase1    10.10.100.254
FGT_B (Spoke)    spoke11-p1    10.10.100.2
FGT_D (Spoke)    spoke21-p1    10.10.100.3

A recurring speed test is configured on the hub that runs over the dial-up interface. The tests are performed over the underlay interface from the hub to each spoke. Each spoke is configured to operate as a speed test server and to allow the speed test on its underlay interface. The spokes establish BGP peering with the hub over the VPN interface and advertise their loopback and LAN networks to the hub. The specific configuration is only shown for FGT_B.


While a speed test is running, routing through the VPN overlay can be bypassed, and route maps are used to filter the routes that are advertised to peers. The spoke's route map for the speed test state (route-map-out) advertises no routes to the hub, forcing the hub to reach the spoke's networks over other paths.
When no speed test is running, the spoke's preferable route map (route-map-out-preferable) allows its networks to be advertised to the hub.
When the speed test completes, the measured egress bandwidth is applied to the corresponding child tunnel on the hub, and the result is cached so that it can be reapplied if the tunnel goes down and reconnects.

To configure the hub FortiGate (FGT_A):

1. Configure a shaping profile:

config firewall shaping-profile
    edit "profile_1"
        config shaping-entries
            edit 1
                set class-id 2
                set priority low
                set guaranteed-bandwidth-percentage 10
                set maximum-bandwidth-percentage 10
            next
        end
        set default-class-id 2
    next
end

The profile uses three classes (class IDs 2, 3, and 4) for low, medium, and high priority traffic, each with a guaranteed and a maximum bandwidth expressed as a percentage of the bandwidth measured by the speed test. Only the class ID 2 entry is shown here; the complete three-entry profile is shown in Interface based QoS on individual child tunnels based on speed test results on page 706.
2. Use the shaping profile in the interface:

config system interface
    edit "hub-phase1"
        set egress-shaping-profile "profile_1"
    next
end

3. Configure a schedule to use for the speed tests:

config firewall schedule recurring
    edit "speedtest_recurring"
        set start 01:00
        set end 23:00
        set day monday tuesday wednesday thursday friday saturday
    next
end

4. Configure the speed test schedule:

config system speed-test-schedule
    edit "hub-phase1"
        set schedules "speedtest_recurring"
        set dynamic-server enable
    next
end


To configure the spoke FortiGates (FGT_B and FGT_D):

1. Enable the speed test daemon:

config system global
    set speedtest-server enable
end

2. Allow speed tests on the underlay interface:

config system interface
    edit "port1"
        append allowaccess speed-test
    next
end

This opens the iPerf listener on port1, so it is reachable by anything that can reach port1's address on the underlay. Where the underlay is untrusted, restrict TCP/5201 on port1 to the hub's underlay address with a local-in policy.

3. Configure SD-WAN with bypass routing enabled for speed tests on member spoke11-p1:

config system sdwan
    set speedtest-bypass-routing enable
    config members
        edit 1
            set interface "spoke11-p1"
        next
    end
    config neighbor
        edit "10.10.100.254"
            set member 1
            set mode speedtest
        next
    end
end

4. Configure BGP routing:

config router route-map
    edit "No_Speed-Test"
        config rule
            edit 1
                set action permit
            next
        end
    next
    edit "Start_Speed-Test"
        config rule
            edit 1
                set action deny
            next
        end
    next
end

config router bgp
    set as 65412
    config neighbor
        edit "10.10.100.254"
            set remote-as 65412
            set route-map-out "Start_Speed-Test"
            set route-map-out-preferable "No_Speed-Test"
        next
    end
    config network
        edit 1
            set prefix 2.2.2.2 255.255.255.255
        next
        edit 2
            set prefix 10.1.100.0 255.255.255.0
        next
    end
end

To manually run the speed test:

# execute speed-test-dynamic hub-phase1 all y 1000 100
Start testing the speed of each tunnel of hub-phase1
[6400d9] hub-phase1_0: physical_intf=port1, local_ip=172.16.200.1, server_ip=172.16.200.2
Wait for test 6400d9 to finish...
Speed-test result for test ID 6400d9:
Completed
measured upload bandwidth is 1002 kbps
measured time Sun Jun 20 15:56:34 2021

The tested out-bandwidth is more than the set maximum accepted value 1000. Will update the tunnel's shaper by the set update-outbandwidth-maximum.
Apply shaping profile 'profile_1' with bandwidth 1000 to tunnel hub-phase1_0 of interface hub-phase1
[6400e0] hub-phase1_1: physical_intf=port1, local_ip=172.16.200.1, server_ip=172.16.200.4
Wait for test 6400e0 to finish...
Speed-test result for test ID 6400e0:
Completed
measured upload bandwidth is 1002 kbps
measured time Sun Jun 20 15:56:39 2021

The tested out-bandwidth is more than the set maximum accepted value 1000. Will update the tunnel's shaper by the set update-outbandwidth-maximum.
Apply shaping profile 'profile_1' with bandwidth 1000 to tunnel hub-phase1_1 of interface hub-phase1

# diagnose netlink interface speed-test-tunnel hub-phase1 all
send speed test request for tunnel 'hub-phase1_0' of 'hub-phase1': 172.16.200.1 -> 172.16.200.2
send speed test request for tunnel 'hub-phase1_1' of 'hub-phase1': 172.16.200.1 -> 172.16.200.4
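The execute output above is what an operator has to read to confirm that a manual run did what was asked: the measurement, and whether it was capped before being written to the tunnel's shaper. The following Python script is an added example rather than anything from the FortiOS guide. It parses that output (the sample is constructed from the page's run) and verifies that the bandwidth applied to each child tunnel is the measured upload rate clamped to the <min-out>/<max-out> window given on the command line, which is the guard that keeps a spurious measurement from raising a tunnel's shaper above the ceiling you set. The tunnel names and addresses are the page's; the tampered value used in the usage note is constructed.

```python
"""Verify what a manual 'execute speed-test-dynamic' run applied to each child tunnel.

Added example: parses the hub's command output (constructed from the page) and
checks that the bandwidth applied to each tunnel's shaper is the measured upload
rate clamped to the [min-out, max-out] window given on the command line.
"""
import re

# Arguments of the run the sample came from: execute speed-test-dynamic hub-phase1 all y 1000 100
MAX_OUT, MIN_OUT = 1000, 100

# Constructed sample, reflowed from the page's output
OUTPUT = """\
Start testing the speed of each tunnel of hub-phase1
[6400d9] hub-phase1_0: physical_intf=port1, local_ip=172.16.200.1, server_ip=172.16.200.2
Wait for test 6400d9 to finish...
Speed-test result for test ID 6400d9:
Completed
measured upload bandwidth is 1002 kbps
measured time Sun Jun 20 15:56:34 2021

The tested out-bandwidth is more than the set maximum accepted value 1000. Will update the tunnel's shaper by the set update-outbandwidth-maximum.
Apply shaping profile 'profile_1' with bandwidth 1000 to tunnel hub-phase1_0 of interface hub-phase1
[6400e0] hub-phase1_1: physical_intf=port1, local_ip=172.16.200.1, server_ip=172.16.200.4
Wait for test 6400e0 to finish...
Speed-test result for test ID 6400e0:
Completed
measured upload bandwidth is 1002 kbps
measured time Sun Jun 20 15:56:39 2021

The tested out-bandwidth is more than the set maximum accepted value 1000. Will update the tunnel's shaper by the set update-outbandwidth-maximum.
Apply shaping profile 'profile_1' with bandwidth 1000 to tunnel hub-phase1_1 of interface hub-phase1
"""

TEST_RE = re.compile(r"^\[([0-9a-f]+)\] (\S+): physical_intf=(\S+), local_ip=(\S+), server_ip=(\S+)", re.M)
RESULT_RE = re.compile(r"Speed-test result for test ID ([0-9a-f]+):\s*(\w+)\s*measured upload bandwidth is (\d+) kbps")
APPLIED_RE = re.compile(r"Apply shaping profile '([^']+)' with bandwidth (\d+) to tunnel (\S+) of interface (\S+)")


def clamp(measured, min_out, max_out):
    """The value the shaper should receive for a measurement under a min/max window."""
    return max(min_out, min(measured, max_out))


def parse_run(text):
    """Return {tunnel: {test_id, underlay, server_ip, status, measured, profile, applied}}."""
    runs = {}
    for m in TEST_RE.finditer(text):
        runs[m.group(2)] = {"test_id": m.group(1), "underlay": m.group(3), "server_ip": m.group(5),
                            "status": None, "measured": None, "profile": None, "applied": None}
    by_id = {r["test_id"]: r for r in runs.values()}
    for m in RESULT_RE.finditer(text):          # result lines are keyed by test ID
        if m.group(1) in by_id:
            by_id[m.group(1)].update(status=m.group(2), measured=int(m.group(3)))
    for m in APPLIED_RE.finditer(text):         # apply lines are keyed by tunnel name
        if m.group(3) in runs:
            runs[m.group(3)].update(profile=m.group(1), applied=int(m.group(2)))
    return runs


def verify(runs, min_out, max_out):
    """Return {tunnel: None if the applied value is right, else a description of the problem}."""
    verdicts = {}
    for name, r in runs.items():
        if r["status"] != "Completed" or r["measured"] is None:
            verdicts[name] = "test did not complete; shaper unchanged"
        elif r["applied"] is None:
            verdicts[name] = "result not applied (apply flag 'n', or the apply step failed)"
        elif r["applied"] != clamp(r["measured"], min_out, max_out):
            verdicts[name] = (f"applied {r['applied']} kbps, expected {clamp(r['measured'], min_out, max_out)} "
                              f"for measurement {r['measured']} within [{min_out}, {max_out}]")
        else:
            verdicts[name] = None
    return verdicts


if __name__ == "__main__":
    for tunnel, verdict in verify(parse_run(OUTPUT), MIN_OUT, MAX_OUT).items():
        print(tunnel, verdict or "OK")
```

Run it against the saved output of a real run, with MAX_OUT and MIN_OUT set to the values you passed on the command line; both tunnels in the page's run measure 1002 kbps and are applied as 1000, so both verify clean. If the apply line for a tunnel reports a value outside the window (for instance a constructed 1002 for hub-phase1_1), verify() names that tunnel and the value it expected.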

Results

1. Before the speed test starts, FGT_A receives the routes from FGT_B by BGP:

# get router info routing-table bgp
Routing table for VRF=0
B       2.2.2.2/32 [200/0] via 10.10.100.2 (recursive via 172.16.200.2, hub-phase1), 00:00:10
B       10.1.100.0/24 [200/0] via 10.10.100.2 (recursive via 172.16.200.2, hub-phase1), 00:00:10

2. At the scheduled time, the speed test starts on the hub-phase1 interface from the hub to the spokes:

# diagnose test application forticron 9
Speed test schedules:
Interface     Server     Update     Up/Down-limit (kbps)     Days        H:M       TOS      Schedule
---------------------------------------------------------------------------------------------------
hub-phase1    dynamic                                        1111111     14:41     0x00     speedtest_recurring
Active schedules:
64002f: hub-phase1(port1) 172.16.200.2 hub-phase1_1
64002e: hub-phase1(port1) 172.16.200.4 hub-phase1_0

The diagnose debug application speedtest -1 command can be used on both the hub and the spokes to check the speed test execution.
3. While the speed test is running, FGT_A no longer receives the routes from FGT_B by BGP (the BGP table is empty):

# get router info routing-table bgp
Routing table for VRF=0

4. The speed test results are applied dynamically to each dial-up child tunnel as its egress traffic shaping bandwidth:

# diagnose vpn tunnel list
------------------------------------------------------
name=hub-phase1_0 ver=2 serial=c 172.16.200.1:0->172.16.200.4:0 tun_id=172.16.200.4 dst_mtu=1500 dpd-link=on remote_location=0.0.0.0 weight=1
...
egress traffic control:
    bandwidth=737210(kbps) lock_hit=0 default_class=2 n_active_class=3
    class-id=2 allocated-bandwidth=73720(kbps) guaranteed-bandwidth=73720(kbps)
        max-bandwidth=73720(kbps) current-bandwidth=0(kbps)
        priority=low forwarded_bytes=52
        dropped_packets=0 dropped_bytes=0
    class-id=3 allocated-bandwidth=221163(kbps) guaranteed-bandwidth=221162(kbps)
        max-bandwidth=294883(kbps) current-bandwidth=0(kbps)
        priority=medium forwarded_bytes=0
        dropped_packets=0 dropped_bytes=0
    class-id=4 allocated-bandwidth=442325(kbps) guaranteed-bandwidth=147441(kbps)
        max-bandwidth=442325(kbps) current-bandwidth=0(kbps)
        priority=high forwarded_bytes=0
        dropped_packets=0 dropped_bytes=0
------------------------------------------------------
name=hub-phase1_1 ver=2 serial=d 172.16.200.1:0->172.16.200.2:0 tun_id=172.16.200.2 dst_mtu=1500 dpd-link=on remote_location=0.0.0.0 weight=1
...
egress traffic control:
    bandwidth=726813(kbps) lock_hit=0 default_class=2 n_active_class=3
    class-id=2 allocated-bandwidth=72681(kbps) guaranteed-bandwidth=72681(kbps)
        max-bandwidth=72681(kbps) current-bandwidth=0(kbps)
        priority=low forwarded_bytes=123
        dropped_packets=0 dropped_bytes=0
    class-id=3 allocated-bandwidth=218044(kbps) guaranteed-bandwidth=218043(kbps)
        max-bandwidth=290725(kbps) current-bandwidth=0(kbps)
        priority=medium forwarded_bytes=0
        dropped_packets=0 dropped_bytes=0
    class-id=4 allocated-bandwidth=436087(kbps) guaranteed-bandwidth=145362(kbps)
        max-bandwidth=436087(kbps) current-bandwidth=0(kbps)
        priority=high forwarded_bytes=0
        dropped_packets=0 dropped_bytes=0

5. Speed test results are cached, indexed, and can be written to disk and loaded again:

# diagnose test application forticron 10
Speed test results:
1: vdom=root, phase1intf=hub-phase1, peer-id='spoke11-p1', bandwidth=737210, last_log=1624226603
2: vdom=root, phase1intf=hub-phase1, peer-id='spoke21-p1', bandwidth=726813, last_log=1624226614

# diagnose test application forticron 11
Write 2 logs to disk.

# diagnose test application forticron 12
load 2 results.

Disable and then re-enable the IPsec VPN tunnel; the cached speed test results are applied to the child tunnels again without running a new test:

# diagnose vpn tunnel list
------------------------------------------------------
name=hub-phase1_0 ver=2 serial=c 172.16.200.1:0->172.16.200.4:0 tun_id=172.16.200.4 dst_mtu=1500 dpd-link=on remote_location=0.0.0.0 weight=1
...
egress traffic control:
    bandwidth=737210(kbps) lock_hit=0 default_class=2 n_active_class=3
------------------------------------------------------
name=hub-phase1_1 ver=2 serial=d 172.16.200.1:0->172.16.200.2:0 tun_id=172.16.200.2 dst_mtu=1500 dpd-link=on remote_location=0.0.0.0 weight=1
...
egress traffic control:
    bandwidth=726813(kbps) lock_hit=0 default_class=2 n_active_class=3

Interface based QoS on individual child tunnels based on speed test results

In a hub and spoke SD-WAN topology that uses dial-up VPN overlays, QoS can be applied on individual tunnels based on the measured bandwidth between the hub and the spokes. The FortiGate can use the built-in speed test to dynamically populate the egress bandwidth of the individual dial-up child tunnels on the hub.
A bandwidth limit derived from the speed test, together with a traffic shaping profile, is applied on the dial-up IPsec tunnel interface on the hub. Class ID and percentage-based QoS settings are then applied to the individual child tunnels using a traffic shaping policy and profile.

CLI commands

If the interface is an IPsec dial-up server, the egress shaping profile type can only be set to policing; it cannot be set to queuing:

config firewall shaping-profile
    edit <profile-name>
        set type policing
    next
end

The outbandwidth value of the dial-up phase1 interface is populated dynamically from the speed test result of each individual child tunnel and should not be set manually; it is shown here only because it is the value the speed test writes. Only the shaping profile needs to be configured on the interface:

config system interface
    edit <dialup-server-phase1-name>
        set egress-shaping-profile <profile-name>
        set outbandwidth <bandwidth>
    next
end

Example

In this example, the hub is configured as a VPN dial-up server and both of the spokes are connected to the hub. It is assumed that the VPN configuration is already done, with a dynamic gateway type and kernel device creation (net-device) disabled. Only one SD-WAN interface is used, so there is only one VPN overlay member in the SD-WAN zone. Multiple WAN interfaces and VPN overlays could be used.
The VPN interfaces and IP addresses are:

FortiGate        Interface     IP Address
FGT_A (Hub)      hub-phase1    10.10.100.254
FGT_B (Spoke)    spoke11-p1    10.10.100.2
FGT_D (Spoke)    spoke21-p1    10.10.100.3

The hub VPN has two child tunnels, one to each spoke.
The speed test configuration is shown in Speed tests run from the hub to the spokes in dial-up IPsec tunnels on page
699. This example shows applying a shaping profile to the hub's tunnel interface in order to apply interface based traffic
shaping to the child tunnels.
A traffic shaping policy is used to match and assign traffic to the classes in the shaping profile.

To configure the hub FortiGate (FGT_A) and check the results:

1. Configure the hub FortiGate (FGT_A) as in Speed tests run from the hub to the spokes in dial-up IPsec tunnels on
page 699.


2. Configure the shaping profile:

config firewall shaping-profile
    edit "profile_1"
        config shaping-entries
            edit 1
                set class-id 2
                set priority low
                set guaranteed-bandwidth-percentage 10
                set maximum-bandwidth-percentage 10
            next
            edit 2
                set class-id 3
                set priority medium
                set guaranteed-bandwidth-percentage 30
                set maximum-bandwidth-percentage 40
            next
            edit 3
                set class-id 4
                set priority high
                set guaranteed-bandwidth-percentage 20
                set maximum-bandwidth-percentage 60
            next
        end
        set default-class-id 2
    next
end

3. Configure a traffic shaping policy:

config firewall shaping-policy
    edit 2
        set service "ALL"
        set schedule "always"
        set dstintf "hub-phase1"
        set class-id 3
        set srcaddr "all"
        set dstaddr "all"
    next
end

In this example, all traffic through the hub-phase1 interface is put into class ID 3. Class IDs can be assigned based on your traffic requirements.
4. At the scheduled time, the speed test runs on the hub-phase1 interface from the hub to the spokes. Each result is applied to its child tunnel as that tunnel's egress bandwidth, and the profile's percentage-based class settings act as a template that is scaled to the measured bandwidth of each child tunnel:

# diagnose vpn tunnel list
------------------------------------------------------
name=hub-phase1_0 ver=2 serial=c 172.16.200.1:0->172.16.200.4:0 tun_id=172.16.200.4 dst_mtu=1500 dpd-link=on remote_location=0.0.0.0 weight=1
...
egress traffic control:
    bandwidth=737210(kbps) lock_hit=0 default_class=2 n_active_class=3
    class-id=2 allocated-bandwidth=73720(kbps) guaranteed-bandwidth=73720(kbps)
        max-bandwidth=73720(kbps) current-bandwidth=0(kbps)
        priority=low forwarded_bytes=52
        dropped_packets=0 dropped_bytes=0
    class-id=3 allocated-bandwidth=221163(kbps) guaranteed-bandwidth=221162(kbps)
        max-bandwidth=294883(kbps) current-bandwidth=0(kbps)
        priority=medium forwarded_bytes=0
        dropped_packets=0 dropped_bytes=0
    class-id=4 allocated-bandwidth=442325(kbps) guaranteed-bandwidth=147441(kbps)
        max-bandwidth=442325(kbps) current-bandwidth=0(kbps)
        priority=high forwarded_bytes=0
        dropped_packets=0 dropped_bytes=0
------------------------------------------------------
name=hub-phase1_1 ver=2 serial=d 172.16.200.1:0->172.16.200.2:0 tun_id=172.16.200.2 dst_mtu=1500 dpd-link=on remote_location=0.0.0.0 weight=1
...
egress traffic control:
    bandwidth=726813(kbps) lock_hit=0 default_class=2 n_active_class=3
    class-id=2 allocated-bandwidth=72681(kbps) guaranteed-bandwidth=72681(kbps)
        max-bandwidth=72681(kbps) current-bandwidth=0(kbps)
        priority=low forwarded_bytes=123
        dropped_packets=0 dropped_bytes=0
    class-id=3 allocated-bandwidth=218044(kbps) guaranteed-bandwidth=218043(kbps)
        max-bandwidth=290725(kbps) current-bandwidth=0(kbps)
        priority=medium forwarded_bytes=0
        dropped_packets=0 dropped_bytes=0
    class-id=4 allocated-bandwidth=436087(kbps) guaranteed-bandwidth=145362(kbps)
        max-bandwidth=436087(kbps) current-bandwidth=0(kbps)
        priority=high forwarded_bytes=0
        dropped_packets=0 dropped_bytes=0

For class ID 2, the guaranteed and maximum bandwidths equal 10% of the speed test result, and classes 3 and 4 are scaled by their configured percentages (30%/40% and 20%/60%), as expected.
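Both this section and the results of Speed tests run from the hub to the spokes in dial-up IPsec tunnels on page 699 end with a diagnose vpn tunnel list listing that has to be checked by hand. The following Python script is an added example, not part of the FortiOS guide. It parses the egress traffic control blocks of that listing (the sample is reflowed from the page's output) and audits each child tunnel's classes against the shaping profile's percentages, allowing 1 kbps for integer truncation, so a tunnel whose shaper was never populated, or whose classes no longer match the profile, is reported instead of silently carrying unshaped traffic. The profile percentages and tunnel values are the page's; the tampered value in the usage note is constructed.

```python
"""Audit the per-class egress shaper applied to each dial-up child tunnel.

Added example: parses the 'egress traffic control' blocks of
'diagnose vpn tunnel list' and checks every class against the shaping
profile's percentages. Sample text is constructed from the page's output.
"""
import re

# Shaping profile from the page: class-id -> (guaranteed %, maximum %)
PROFILE = {2: (10, 10), 3: (30, 40), 4: (20, 60)}

# Constructed sample, reflowed from the page's 'diagnose vpn tunnel list' output
SAMPLE = """\
------------------------------------------------------
name=hub-phase1_0 ver=2 serial=c 172.16.200.1:0->172.16.200.4:0 tun_id=172.16.200.4 dst_mtu=1500 dpd-link=on remote_location=0.0.0.0 weight=1
...
egress traffic control:
bandwidth=737210(kbps) lock_hit=0 default_class=2 n_active_class=3
class-id=2 allocated-bandwidth=73720(kbps) guaranteed-bandwidth=73720(kbps)
max-bandwidth=73720(kbps) current-bandwidth=0(kbps)
priority=low forwarded_bytes=52
dropped_packets=0 dropped_bytes=0
class-id=3 allocated-bandwidth=221163(kbps) guaranteed-bandwidth=221162(kbps)
max-bandwidth=294883(kbps) current-bandwidth=0(kbps)
priority=medium forwarded_bytes=0
dropped_packets=0 dropped_bytes=0
class-id=4 allocated-bandwidth=442325(kbps) guaranteed-bandwidth=147441(kbps)
max-bandwidth=442325(kbps) current-bandwidth=0(kbps)
priority=high forwarded_bytes=0
dropped_packets=0 dropped_bytes=0
------------------------------------------------------
name=hub-phase1_1 ver=2 serial=d 172.16.200.1:0->172.16.200.2:0 tun_id=172.16.200.2 dst_mtu=1500 dpd-link=on remote_location=0.0.0.0 weight=1
...
egress traffic control:
bandwidth=726813(kbps) lock_hit=0 default_class=2 n_active_class=3
class-id=2 allocated-bandwidth=72681(kbps) guaranteed-bandwidth=72681(kbps)
max-bandwidth=72681(kbps) current-bandwidth=0(kbps)
priority=low forwarded_bytes=123
dropped_packets=0 dropped_bytes=0
class-id=3 allocated-bandwidth=218044(kbps) guaranteed-bandwidth=218043(kbps)
max-bandwidth=290725(kbps) current-bandwidth=0(kbps)
priority=medium forwarded_bytes=0
dropped_packets=0 dropped_bytes=0
class-id=4 allocated-bandwidth=436087(kbps) guaranteed-bandwidth=145362(kbps)
max-bandwidth=436087(kbps) current-bandwidth=0(kbps)
priority=high forwarded_bytes=0
dropped_packets=0 dropped_bytes=0
"""

TUNNEL_RE = re.compile(r"^name=(\S+) .*?tun_id=(\S+)", re.M)
SHAPER_RE = re.compile(r"egress traffic control:\s*bandwidth=(\d+)\(kbps\)")
CLASS_RE = re.compile(
    r"class-id=(\d+) allocated-bandwidth=(\d+)\(kbps\) guaranteed-bandwidth=(\d+)\(kbps\)\s+"
    r"max-bandwidth=(\d+)\(kbps\) current-bandwidth=(\d+)\(kbps\)\s+priority=(\w+)")


def parse_tunnels(text):
    """Return {tunnel: {"peer": ip, "bandwidth": kbps or None, "classes": {id: {...}}}}."""
    tunnels = {}
    for chunk in re.split(r"^-{10,}$", text, flags=re.M):   # one chunk per child tunnel
        head = TUNNEL_RE.search(chunk)
        if not head:
            continue
        shaper = SHAPER_RE.search(chunk)
        classes = {int(c.group(1)): {"allocated": int(c.group(2)), "guaranteed": int(c.group(3)),
                                     "max": int(c.group(4)), "current": int(c.group(5)),
                                     "priority": c.group(6)}
                   for c in CLASS_RE.finditer(chunk)}
        tunnels[head.group(1)] = {"peer": head.group(2),
                                  "bandwidth": int(shaper.group(1)) if shaper else None,
                                  "classes": classes}
    return tunnels


def audit(tunnels, profile, tolerance=1):
    """Return {tunnel: [problem, ...]}; an empty list means the shaper matches the profile."""
    findings = {}
    for name, t in tunnels.items():
        problems = []
        bw = t["bandwidth"]
        if bw is None:
            problems.append("no egress shaper applied (speed test not run or result not cached)")
        else:
            for cid, (g_pct, m_pct) in profile.items():
                cls = t["classes"].get(cid)
                if cls is None:
                    problems.append(f"class {cid} missing from shaper")
                    continue
                exp_g, exp_m = bw * g_pct // 100, bw * m_pct // 100   # shaper truncates to whole kbps
                if abs(cls["guaranteed"] - exp_g) > tolerance:
                    problems.append(f"class {cid} guaranteed {cls['guaranteed']} kbps, expected {g_pct}% of {bw} = {exp_g}")
                if abs(cls["max"] - exp_m) > tolerance:
                    problems.append(f"class {cid} max {cls['max']} kbps, expected {m_pct}% of {bw} = {exp_m}")
                if cls["max"] < cls["guaranteed"]:
                    problems.append(f"class {cid} max {cls['max']} below guaranteed {cls['guaranteed']}")
            extra = sorted(set(t["classes"]) - set(profile))
            if extra:
                problems.append(f"classes not in profile: {extra}")
        findings[name] = problems
    return findings


if __name__ == "__main__":
    for tunnel, problems in audit(parse_tunnels(SAMPLE), PROFILE).items():
        print(tunnel, "OK" if not problems else "; ".join(problems))
```

Paste the real listing in place of SAMPLE and keep PROFILE in step with the shaping profile on the hub. On the page's values both tunnels audit clean; a class whose guaranteed value had been altered to exceed its maximum (a constructed 500000 kbps for class 4 of hub-phase1_0, say) is reported twice, once for the percentage mismatch and once for the inverted guaranteed/max pair.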

Use SSL VPN interfaces in zones

SSL VPN interfaces can be used in zones, simplifying firewall policy configuration in some scenarios.

Example

In this example, a zone is created that includes a physical interface (port4) and an SSL VPN interface. The zone is used
as the source interface in a firewall policy. PC1 is used for regular access with a firewall policy, and PC2 uses the SSL
VPN for access.


To create a zone that includes the port4 and ssl.root interfaces in the GUI:

1. Go to Network > Interfaces and click Create New > Zone.
2. Set the name of the zone, such as zone_sslvpn_and_port4.
3. Add port4 and ssl.root to the Interface members.
4. Click OK.

To configure SSL VPN settings in the GUI:

1. Go to VPN > SSL-VPN Settings.
2. Set Listen on Interface(s) to port2.
3. Set Listen on Port to 1443.
4. Configure the remaining settings as required.
5. Click Apply.


To configure a firewall policy with the zone as the source interface in the GUI:

1. Go to Policy & Objects > Firewall Policy and click Create New.
2. Set the policy name, such as policy_to_sslvpn_tunnel.
3. Set Incoming Interface to zone_sslvpn_and_port4.
4. Set Outgoing Interface to port1.
5. Configure the remaining settings as required.
6. Click OK.

To configure the zone, SSL VPN, and policy in the CLI:

1. Create a zone that includes the port4 and ssl.root interfaces:

config system zone
    edit "zone_sslvpn_and_port4"
        set interface "port4" "ssl.root"
    next
end

2. Configure SSL VPN settings with port2 as the listening (source) interface:

config vpn ssl settings
    set servercert "fgt_gui_automation"
    set tunnel-ip-pools "SSLVPN_TUNNEL_ADDR1"
    set tunnel-ipv6-pools "SSLVPN_TUNNEL_IPv6_ADDR1"
    set dns-server1 8.8.8.8
    set dns-server2 8.8.4.4
    set port 1443
    set source-interface "port2"
    set source-address "all"
    set source-address6 "all"
    set default-portal "web-access"
end

3. Configure a firewall policy with the zone as the source interface:

config firewall policy
    edit 2
        set name "policy_to_sslvpn_tunnel"
        set srcintf "zone_sslvpn_and_port4"
        set dstintf "port1"
        set action accept
        set srcaddr "all"
        set dstaddr "all"
        set schedule "always"
        set service "ALL"
        set logtraffic all
        set nat enable
        set users "u1"
    next
end

Because the policy specifies users, traffic arriving from port4 is authenticated by the captive portal, while traffic from ssl.root has already been authenticated at the SSL VPN login; the test steps below show both paths.

To test the configuration:

1. On PC1, open a browser and try to access the server at 172.16.200.44. You are redirected to the authentication page.
2. Enter the Username and Password, then click Continue. You are redirected back to the server.
3. On PC2, access the SSL VPN web portal.
4. Enter the Username and Password, then click Login.
5. Access the server using the bookmark.

SD-WAN in large scale deployments

Phase 2 selectors can be used to inject IKE routes on the ADVPN shortcut tunnel. When configuration method (mode-cfg) is enabled in the IPsec phase 1 configuration, enabling mode-cfg-allow-client-selector allows custom phase 2 selectors to be configured. By also enabling the addition of a route to the peer destination selector (add-route) in the phase 1 configuration, IKE routes based on the phase 2 selectors are injected when a shortcut comes up. This means that routes do not need to be reflected on the hub to propagate them between spokes, avoiding possible BGP daemon process load issues and improving network scalability in a large-scale ADVPN network.
Route map rules can apply priorities to BGP routes. On the hub, priorities can be set in a route map's rules, and the route map can be applied to BGP routes. This allows the hub to mark the preferred path learned from the spokes with a better priority, instead of using multiple SD-WAN policy routes on the hub. When a preferred outbound route map (route-map-out-preferable) is also configured in an SD-WAN neighbor on the spoke, deploying SD-WAN rules on the hub to steer traffic from the hub to a spoke is unnecessary.
SD-WAN members' local cost can be exchanged on the ADVPN shortcut tunnel so that spokes can use the remote cost as a tiebreak to select a preferred shortcut. If multiple shortcuts originate from the same member to different members on the same remote spoke, then the remote cost on the shortcuts is used as the tiebreak to decide which shortcut is preferred.

In this example, SD-WAN is configured on an ADVPN network with a BGP neighbor per overlay.
Instead of reflecting BGP routes with the route-reflector on the hub, when the shortcuts are triggered, IKE routes on the
shortcuts are directly injected based on the configured phase 2 selectors to allow routes to be exchanged between
spokes.


Routes between the hub and the spokes are exchanged by BGP, and the spokes use the default route to send spoke-to-
spoke traffic to the hub and trigger the shortcuts.
Instead of configuring SD-WAN rules on the hub, different priorities are configured on the BGP routes by matching
different BGP communities to steer traffic from the hub to the spokes.

To configure Spoke 1:

1. Configure phase 1:

config vpn ipsec phase1-interface
    edit "spoke11-p1"
        ...
        set ike-version 2
        set net-device enable
        set add-route enable
        set mode-cfg enable
        set auto-discovery-receiver enable
        set mode-cfg-allow-client-selector enable
        set link-cost 11
        ...
    next
    edit "spoke12-p1"
        ...
        set ike-version 2
        set net-device enable
        set add-route enable
        set mode-cfg enable
        set auto-discovery-receiver enable
        set mode-cfg-allow-client-selector enable
        set link-cost 21
    next
end

2. Configure phase 2:

config vpn ipsec phase2-interface
    edit "spoke11-p2"
        ...
        set src-name "LAN_Net"
        set dst-name "all"
    next
    edit "spoke12-p2"
        ...
        set src-name "LAN_Net"
        set dst-name "all"
    next
end

3. Configure an address group:

Spoke 1 uses the LAN subnets 10.1.100.0/24, 10.2.100.0/24, and 10.3.100.0/24 (address objects with these names are assumed to exist already):

config firewall addrgrp
    edit "LAN_Net"
        set member "10.1.100.0" "10.2.100.0" "10.3.100.0"
    next
end


4. Configure route maps:

- If overlay 1 to the hub is in SLA, attach community 65000:1 to the BGP routes advertised to the hub over overlay 1.
- If overlay 2 to the hub is in SLA, attach community 65000:2 to the BGP routes advertised to the hub over overlay 2.
- If an overlay to the hub is out of SLA, attach community 65000:9999 to the BGP routes advertised to the hub over that overlay.

config router route-map
    edit "HUB_CARRIER1"
        config rule
            edit 1
                set set-community "65000:1"
                ...
            next
        end
        ...
    next
    edit "HUB_CARRIER2"
        config rule
            edit 1
                set set-community "65000:2"
                ...
            next
        end
        ...
    next
    edit "HUB_BAD"
        config rule
            edit 1
                set set-community "65000:9999"
                ...
            next
        end
        ...
    next
end

5. Configure BGP and SD-WAN members and neighbors:

config router bgp
    set as 65412
    config neighbor
        edit "10.10.15.253"
            set remote-as 65412
            set route-map-out "HUB_BAD"
            set route-map-out-preferable "HUB_CARRIER1"
            ...
        next
        edit "10.10.16.253"
            set remote-as 65412
            set route-map-out "HUB_BAD"
            set route-map-out-preferable "HUB_CARRIER2"
            ...
        next
    end
end

FortiOS 7.2.1 Administration Guide 715


Fortinet Inc.
SD-WAN

config system sdwan


config members
edit 1
set interface "spoke11-p1"
set cost 10
next
edit 2
set interface "spoke12-p1"
set cost 20
next
end
config neighbor
edit "10.10.15.253"
set member 1
set health-check "1"
set sla-id 1
next
edit "10.10.16.253"
set member 2
set health-check "11"
set sla-id 1
next
end
end
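The following Python model is an added example, not code from the FortiOS guide, of what add-route does with the phase 2 selectors configured above once a shortcut comes up: each side installs a route to the peer's source selector (the networks behind the peer) via the shortcut interface, so the hub does not have to reflect spoke prefixes in BGP. It then checks a selector plan for the two things that break that scheme, selectors that overlap between spokes and a catch-all source selector that would inject a default route over every shortcut. Spoke 1's LAN_Net is the page's; Spoke 2's LAN 10.4.100.0/24, the shortcut interface naming <phase1>_<index>, and the Spoke 3 used in the usage note are assumptions made for the example.

```python
"""Model of the IKE routes that add-route injects on an ADVPN shortcut from phase 2 selectors.

Added example, not FortiOS code. With custom phase 2 selectors and add-route enabled,
each side of a shortcut installs a route to the peer's source selector via the shortcut
interface; this models that and checks a selector plan for overlaps and catch-all selectors.
"""
from ipaddress import ip_network

# Spoke 1's LAN_Net is the page's; Spoke 2's LAN is assumed for the example.
SPOKES = {
    "spoke1": {"phase1": "spoke11-p1", "selectors": ["10.1.100.0/24", "10.2.100.0/24", "10.3.100.0/24"]},
    "spoke2": {"phase1": "spoke21-p1", "selectors": ["10.4.100.0/24"]},
}


def injected_routes(local, peer, spokes, shortcut_index=0):
    """Routes 'local' installs when its shortcut to 'peer' comes up.

    Assumption: the shortcut interface is named <phase1>_<index>, like the child
    tunnels in the guide. Returns [(network, egress interface)], one route per
    source selector the peer negotiates.
    """
    iface = f"{spokes[local]['phase1']}_{shortcut_index}"
    return [(ip_network(sel), iface) for sel in spokes[peer]["selectors"]]


def selector_problems(spokes):
    """Flag selector definitions that defeat shortcut route injection.

    - a 0.0.0.0/0 source selector: every peer would inject a default route over the shortcut
    - selectors that overlap between spokes: two shortcuts would claim the same prefix
    """
    problems, specific = [], []
    for name, spec in spokes.items():
        for sel in spec["selectors"]:
            net = ip_network(sel)
            if net.prefixlen == 0:
                problems.append(f"{name}: source selector {net} would inject a default route on peers")
            else:
                specific.append((name, net))
    for i, (a_name, a) in enumerate(specific):
        for b_name, b in specific[i + 1:]:
            if a_name != b_name and a.overlaps(b):
                problems.append(f"{a_name} {a} overlaps {b_name} {b}: peers would inject both over different shortcuts")
    return problems


if __name__ == "__main__":
    for net, iface in injected_routes("spoke2", "spoke1", SPOKES):
        print(f"spoke2 installs {net} via {iface}")
    print(selector_problems(SPOKES) or "selector plan is clean")
```

With the page's Spoke 1 selectors, Spoke 2 installs three routes via its shortcut and the plan is clean. Adding a constructed Spoke 3 whose selectors are 10.2.100.0/25 and 0.0.0.0/0 produces two findings: the /25 overlaps Spoke 1's 10.2.100.0/24, and the catch-all selector would hand every peer a default route over the shortcut.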

To configure Spoke 2:

1. Configure phase 1:

config vpn ipsec phase1-interface
    edit "spoke21-p1"
        ...
        set ike-version 2
        set net-device enable
        set add-route enable
        set mode-cfg enable
        set auto-discovery-receiver enable
        set mode-cfg-allow-client-selector enable
        set link-cost 101
        ...
    next
    edit "spoke22-p1"
        ...
        set ike-version 2
        set net-device enable
        set add-route enable
        set mode-cfg enable
        set auto-discovery-receiver enable
        set mode-cfg-allow-client-selector enable
        set link-cost 201
    next
end

2. Configure phase 2:

config vpn ipsec phase2-interface
    edit "spoke21-p2"
