
FortiWAN Using The Web UI


Using the Web UI

Web UI Overview

Once you log in, you will see the operating page, which is divided into three parts: the header at the top of the screen, the navigation menu on the left side of the screen, and the content pane in the center of the screen.

The header contains information and items that are not tied to any particular FortiWAN function.

  • Current login account: Displays the account you are logged in as and the IP address you logged in from.
  • System Time: Displays the FortiWAN’s system time.
  • Current operating page: Displays the path (Main category > Page name) of the operating page shown in the Content Pane.
  • Apply: The button for applying configurations. Pages that only display information or statistics have no Apply button.
  • Reload: The button for reloading the current operating page.
  • Help: The button for getting the Help information of the current operating page.
  • Logout: The button for logging out of the Web UI.

[System/Summary] shown above indicates that the contents of [System] > [Summary] are displayed, and [Administrator@125.227.251.80] indicates that the Administrator account is logged in from IP 125.227.251.80. Do not use your browser’s Back button to navigate; pages may not operate correctly.

The Navigation Menu consists of six main categories: System, Service, Statistics, Log, Reports and Language. Each category contains a sub-menu of individual functions. To expand a category, simply click it. To display the operating page of a function from a sub-menu, click the name of the function and it will be displayed in the content pane.

  • System: Contains the items necessary to maintain the FortiWAN: Summary, Network Setting, WAN Link Health Detection, Optimum Route Detection, Port Speed/Duplex Setting, Backup Line Setting, IP Grouping, Service Grouping, Busyhour Setting, Diagnostic Tools, Date/Time, Remote Assistance and Administration (See “System Configurations” and “Configuring Network Interface (Network Setting)”). Administration is not available to the Monitor permission; it is invisible on the menu to a Monitor account.

  • Service: Contains the services the FortiWAN provides: Firewall, NAT, Persistent Routing, Auto Routing, Virtual Server, Bandwidth Management, Connection Limit, Cache Redirect, Multihoming, Internal DNS, DNS Proxy, SNMP, IP-MAC Mapping and Tunnel Routing (See “Load Balancing & Fault Tolerance” and “Optional Services”).

  • Statistics: Contains basic statistics of FortiWAN’s system, services and traffic: Traffic, BM, Persistent Routing, WAN Link Health Detection, Dynamic IP WAN Link, DHCP Lease Information, RIP & OSPF Status, Connection Limit, Virtual Server Status, FQDN, Tunnel Status and Tunnel Traffic (See “Statistics”).
  • Log: Contains system log management: View, Control, Notification and Reports (See “Log”).
  • Reports: Contains advanced analysis and long-term statistics of FortiWAN’s system, services and traffic: Bandwidth, CPU, Session, WAN Traffic, WAN Reliability, WAN Status, TR Reliability, TR Status, In Class, Out Class, WAN, Service, Internal IP, Traffic Rate, Connection Limit, Firewall, Virtual Server, Multihoming, Dashboard and Settings (See “Reports”).
  • Language: Supports English, Traditional Chinese and Simplified Chinese as options for displaying the Web UI in multiple languages.

Content Pane displays related items of a function specified from the left menu.

Multi-user Login

FortiWAN’s Web UI supports multiple concurrent sign-ins. At most 20 users can be logged in at the same time, regardless of account permission (See “Administration\Administrator and Monitor Password”); a login fails if 20 users are already in the Web UI. The Web UI does not accept multiple logins from the same host and the same browser: users that attempt to log in via the same host and browser (different tabs or windows) will be logged out, including the one who is already in the Web UI.

Configurations applied concurrently via the Web UI by multiple users are queued and processed in order, one by one. Each application takes time to complete; therefore, when several configurations are queued, a user may wait a little longer after clicking Apply while the system finishes the earlier ones. Configurations to different functions share the same queue. For example, a configuration to Auto Routing (made by user A) will be queued if a configuration to Multihoming (made earlier by user B) is still being processed.

FortiWAN does not run concurrent Tunnel Routing Benchmarks (See “Tunnel Routing Benchmark”). An alert is displayed to any user who tries to start the Tunnel Routing Benchmark Client\Server via the Web UI while the Benchmark Client\Server is already running (started earlier by another user).

Basic concept to configure via Web UI

FortiWAN’s services (load balancing, fault tolerance and other optional services) are based on Policies and Filters. Policies (also called Classes) are specified items indicating the different actions of a service. Policies are applied to traffic objects classified by predefined filters. Basically, an object is classified by the combination of When, Source, Destination and TCP/UDP/ICMP Service. A filter contains the settings for When, Source, Destination and Service, together with an associated Policy. Traffic that matches the filter is handled by the specified policy.

The common operation buttons

FortiWAN evaluates most of its rules/filters/policies top-down: rules are prioritized in descending order, so the rule nearest the top is checked first.

Click this button, to add a new rule below the current rule.

Click this button, to delete the rule.

Click this button, to move the rule up a row.

Click this button, to move the rule down a row.

Write a note for this rule.

The function is disabled.

The function is enabled.

This symbol indicates a default policy, rule or filter, which is unmodifiable and indelible.

Configuration on When

This is for filtering traffic by different time period which is predefined in “Busyhour Settings”.

Configuration on Source and Destination

This is for filtering the established sessions from/to a specified source/destination. The options are:

IPv4/IPv6 Address : Matches sessions coming from or going to a single IPv4/IPv6 address, e.g. 192.168.1.4.
IPv4/IPv6 Range : Matches sessions coming from or going to a continuous range of IP addresses, e.g. 192.168.1.10-192.168.1.20.
IPv4/IPv6 Subnet : Matches sessions coming from or going to a subnet, e.g. 192.168.1.0/255.255.255.0.
WAN : Matches sessions coming from or going to WAN.
LAN : Matches sessions coming from or going to LAN.
DMZ : Matches sessions coming from or going to DMZ.
Localhost : Matches sessions coming from or going to FortiWAN itself.
Any Address : Matches all sessions regardless of source or destination.
FQDN : Matches sessions coming from or going to an FQDN.
IP Grouping Name : Matches sessions coming from or going to the IP addresses predefined in IP groups (See “IP Grouping”).

Configuration on Input Port

This is for filtering traffic coming from specified physical ports. So far, Input Port is used only by Auto Routing (See “Auto Routing”) to evaluate outbound traffic. Ports (normal ports, VLAN ports, redundant LAN\DMZ ports and aggregated LAN\DMZ ports) defined in [Network Setting > VLAN and Port Mapping] (See “Configurations for VLAN and Port Mapping”) are listed as options:

Port X : Matches sessions coming from the specified normal port.
Port X.[VLAN Tag] : Matches sessions coming from the specified VLAN port.
LAN Bridge: [Label] : Matches sessions coming from the specified redundant LAN port.
DMZ Bridge: [Label] : Matches sessions coming from the specified redundant DMZ port.
LAN Bonding: [Label] : Matches sessions coming from the specified aggregated LAN port.
DMZ Bonding: [Label] : Matches sessions coming from the specified aggregated DMZ port.

Configuration on Service

This is for filtering the established sessions running a specified service. The options are a set of well-known services plus user-defined services (TCP@, UDP@ and Protocol#):

  • FTP (21), SSH (22), TELNET (23), SMTP (25), DNS (53), GOPHER (70), FINGER (79), HTTP (80), POP3 (110), NNTP (119), NTP (123), IMAP (143), SNMP (161), BGP (179), WAIS (210), LDAP (389), HTTPS (443), IKE (500), RLOGIN (513), SYSLOG (514), RIP (520), UUCP (540), H323 (1720), RADIUS (1812), RADIUS-ACCT (1813), pcAnywhere-D (5631), pcAnywhere-S (5632), X-Windows (6000-6063)
  • GRE, ESP, AH, ICMP
  • TCP@ (a user-defined TCP port), UDP@ (a user-defined UDP port), Protocol# (a user-defined IP protocol number)
  • Any
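The following is an added worked example, not FortiWAN code, of the filter model described above: a list of filters, each with When, Source, Destination, Service and a policy, evaluated top-down with the first match deciding. It accepts the Source/Destination forms the page lists (single address, low-high range, subnet in prefix or dotted-netmask notation, Any) and the Service forms (well-known name, TCP@port, UDP@port, Protocol#n, a protocol name, Any). The Filter and Session classes, the "HH-HH" hour window standing in for a Busyhour period, and the assumption that a named well-known service matches either TCP or UDP on its port are this example's own. The last call shows the ordering hazard of top-down evaluation: a broad catch-all moved above a specific block rule silently shadows it.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed illustration of FortiWAN-style filter evaluation. Names below are
# our own, not FortiWAN identifiers.
PROTO_NUM = {"tcp": 6, "udp": 17, "icmp": 1, "gre": 47, "esp": 50, "ah": 51}
# Subset of the page's well-known services; assumption: a named service matches
# either TCP or UDP on that port (the page does not say which).
WELL_KNOWN = {"ftp": 21, "ssh": 22, "dns": 53, "http": 80, "https": 443}


@dataclass
class Filter:
    when: str            # "always" or an hour window "HH-HH" (stand-in for a Busyhour period)
    source: str          # address, range, subnet (prefix or dotted netmask) or "Any"
    destination: str
    service: str         # well-known name, "TCP@port", "UDP@port", "Protocol#n", "ICMP", "Any"
    policy: str
    enabled: bool = True


@dataclass
class Session:
    src: str
    dst: str
    proto: int           # IP protocol number
    dport: Optional[int] = None
    hour: int = 12


def parse_address(spec: str):
    """Return (ip_version, low, high) as integers, or None for Any."""
    spec = spec.strip()
    if spec.lower() in ("any", "any address"):
        return None
    if "-" in spec:
        lo, hi = (ipaddress.ip_address(p.strip()) for p in spec.split("-", 1))
        if lo.version != hi.version or int(lo) > int(hi):
            raise ValueError(f"bad range: {spec}")
        return (lo.version, int(lo), int(hi))
    if "/" in spec:
        # strict=False accepts "192.168.1.0/255.255.255.0" as well as "/24"
        net = ipaddress.ip_network(spec, strict=False)
        return (net.version, int(net.network_address), int(net.broadcast_address))
    addr = ipaddress.ip_address(spec)
    return (addr.version, int(addr), int(addr))


def address_matches(spec: str, ip: str) -> bool:
    rng = parse_address(spec)
    if rng is None:
        return True
    addr = ipaddress.ip_address(ip)
    return addr.version == rng[0] and rng[1] <= int(addr) <= rng[2]


def parse_service(spec: str) -> Tuple[Optional[int], Optional[int]]:
    """Return (protocol number or None, port or None); None is a wildcard."""
    s = spec.strip().lower()
    if s == "any":
        return (None, None)
    if s.startswith("tcp@"):
        return (6, int(s[4:]))
    if s.startswith("udp@"):
        return (17, int(s[4:]))
    if s.startswith("protocol#"):
        return (int(s[9:]), None)
    if s in PROTO_NUM:
        return (PROTO_NUM[s], None)
    if s in WELL_KNOWN:
        return (None, WELL_KNOWN[s])
    raise ValueError(f"unknown service: {spec}")


def service_matches(spec: str, sess: Session) -> bool:
    proto, port = parse_service(spec)
    if proto is not None and proto != sess.proto:
        return False
    if port is not None and port != sess.dport:
        return False
    return True


def when_matches(spec: str, hour: int) -> bool:
    if spec.lower() == "always":
        return True
    start, end = (int(x) for x in spec.split("-"))
    return start <= hour < end


def filter_matches(f: Filter, sess: Session) -> bool:
    return (f.enabled
            and when_matches(f.when, sess.hour)
            and address_matches(f.source, sess.src)
            and address_matches(f.destination, sess.dst)
            and service_matches(f.service, sess))


def evaluate(filters, sess: Session, default_policy: str = "default"):
    """Top-down evaluation: the first enabled filter that matches decides."""
    for index, f in enumerate(filters):
        if filter_matches(f, sess):
            return index, f.policy
    return None, default_policy


# Constructed rule set: busy-hour steering, a specific block rule, a LAN catch-all.
FILTERS = [
    Filter("09-18", "192.168.1.10-192.168.1.20", "Any", "HTTPS", "route-wan2"),
    Filter("always", "192.168.1.0/255.255.255.0", "10.0.0.0/8", "TCP@8080", "block"),
    Filter("always", "192.168.1.0/24", "Any", "Any", "route-wan1"),
]

if __name__ == "__main__":
    web = Session("192.168.1.15", "203.0.113.5", proto=6, dport=443, hour=10)
    print(evaluate(FILTERS, web))                                   # (0, 'route-wan2')
    print(evaluate(FILTERS, Session("192.168.1.15", "203.0.113.5", 6, 443, hour=20)))  # (2, 'route-wan1')
    proxy = Session("192.168.1.50", "10.1.2.3", proto=6, dport=8080)
    print(evaluate(FILTERS, proxy))                                 # (1, 'block')
    # Moving the catch-all above the block rule shadows it: order is policy.
    print(evaluate([FILTERS[0], FILTERS[2], FILTERS[1]], proxy))    # (1, 'route-wan1')
```

The shadowing case is the one to check after every use of the move-up/move-down buttons: a rule that still exists and is still enabled can nevertheless never fire if a broader rule sits above it.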

Console Mode Commands


Console Mode Commands

This section provides further details on the Console mode commands. Before logging in to the serial console via a terminal emulator such as HyperTerminal, ensure the following settings are in place: Bits per second: 9600; Data bits: 8; Parity: None; Stop bits: 1; Flow control: None (See “Connecting to the Web UI and the CLI”).

Note that for some standard utilities such as tcpdump or traceroute, the options that are not listed here are not supported by FortiWAN.

help: Displays the help menu

help [COMMAND]

Show a list of console commands.

arp: Manipulate (add and delete entries) or display the IPv4 network neighbor cache.

arp [-i <port>] -a [<hostname>]
arp [-i <port>] -e
arp -i <port> -s <hostname> <hw_addr>
arp -i <port> -d <hostname>

-a [<hostname>]: Display the entries of the specified hostname. All the entries will be displayed if no hostname is specified. Hostnames will be displayed in alternate BSD style output format.

-e: Display entries in default (Linux) style.

-s <hostname> <hw_addr>: Manually create an ARP entry mapping for the host hostname with the hardware address hw_addr. This requires specifying a port via -i port.

-d <hostname>: Remove the entries for the specified host hostname. This requires specifying a port via -i port.

-i <port>: Specify a network interface (port) of FortiWAN on which to display, create or remove entries.

<port>: A network interface (port) of FortiWAN in the format port#, e.g. port1, port2, etc.

<hostname>: Specify the target IP address or domain name.

<hw_addr>: Specify the MAC address.

Note: If domain name is to be used in the hostname parameter, the DNS Server must be set in the Web UI [System]->[Network Settings]->[DNS Server].

arping: Discover and probe hosts on a network by sending ARP requests

arping <hostname> <link> <index>

Send an ARP request to ask the MAC address of an IP address and display the result.

<hostname>: Specify the target IP address or domain name (MAC address is not supported). Note that domain name is valid only if parameter <link> is specified as “wan”.

<link>: Specify the link or ports that the ARP request is sent through. The valid values are “wan”, “dmz” and “lan”.

<index>: Specify the index of a WAN link if <link> is specified as “wan”. The valid values are 1, 2, 3, …,etc. Example:

arping 192.168.2.100 lan sends an ARP request through the LAN ports to ask for the MAC address of host 192.168.2.100.

arping 10.10.10.10 wan 1 sends an ARP request through WAN link 1 to ask for the MAC address of host 10.10.10.10.

Note: If domain name is to be used in the hostname parameter, the DNS Server must be set in the Web UI [System]->[Network Settings]->[DNS Server].

diagnose: Get diagnostic information of FortiWAN hardware

diagnose hardware deviceinfo cpu
diagnose hardware deviceinfo disk
diagnose hardware deviceinfo mem
diagnose hardware deviceinfo nic

Get information of FortiWAN’s CPU, disk, memory and network interface controllers (NICs).

diagnose hardware ethtool

Display and change parameters of the network interface controllers (NICs) of FortiWAN by the standard Linux utility ethtool (V3.7). Execute diagnose hardware ethtool -h to get a short help message.

diagnose hardware lspci

Get information about PCI buses in FortiWAN system and the devices connected to them.

diagnose hardware smartctl

Control and monitor the storage system of FortiWAN by the standard utility smartctl (V6.3). Execute diagnose hardware smartctl -h to get a help message or refer to https://www.smartmontools.org for details.

disablefw: Disable all the firewall rules

disablefw

Disable all the configured firewall rules so that any traffic can access or pass through FortiWAN. This command restores Web UI access when an incorrect firewall rule deployment has inadvertently locked administrators out; note that while the rules are disabled, all traffic passes unfiltered. The system will re-confirm; press [y] to proceed or [n] to cancel.

enforcearp: Force FortiWAN’s surrounding machines to update their ARP tables

enforcearp

The system will send gratuitous ARP packets so that surrounding machines update their ARP tables. This is for cases where, after the initial installation of FortiWAN, machines or servers in the DMZ are unable to connect to the Internet.

export: Display configurations of NAT, Multihoming and Virtual Server

export <config_name>

Display the configurations of FortiWAN’s NAT, Multihoming and Virtual Server in the command line interface. You can export the configurations by copying the displayed content to a text file.

<config_name>: Specify the configuration to be displayed. Values of the parameter are nat, multihoming and virtual-server for options.

get: Get the version and serial number information of a FortiWAN apparatus

get sys status

Display the firmware version, serial number and BIOS version of the FortiWAN apparatus.

httpctl: Control the web server that Web UI is running on

httpctl restart
httpctl showport
httpctl setport <port>

restart: Restart the web server that serves the Web UI. showport: Display the port number the web server is listening on. setport: Set the port number the web server listens on.

<port>: The port number for setport.

import: Import the configurations of NAT, Multihoming and Virtual Server

import

Type import [Enter] to import the configurations of NAT, Multihoming and Virtual Server to FortiWAN. You have to manually input the configuration in text after the command prompt “import>” line by line.

Example:

> import

Please enter configuration. Terminate with a line containing exactly: 1) ‘apply’ to apply, or 2) ‘abort’ to abort.
import> nat {
import> wan-array {
import> wan@1 {
import> rule-array {
import> rule { #1
import> source 10.10.10.55-10.10.10.77
import> destination 10.12.10.55-10.12.10.70
import> translated 10.12.104.232
import> }
import> }
import> }
import> }
import> }
import> apply

Start to apply configuration of nat…

Settings are applied for page Service -> Nat >

Type abort in command prompt import> to leave the prompt any time. Please refer to the exported configurations (displayed by command export or saved via Web UI. See “Configuration File” in “Administration”) for the import format.
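Because the import prompt takes the configuration line by line and only reports problems once apply runs, it helps to parse and sanity-check the text offline first. The following is an added example, not FortiWAN code: a parser for the brace format shown in the import example above (block name followed by "{", "key value" lines, a "#n" rule index comment, "}" to close), a validator for the NAT rules it contains, and a renderer that emits the lines to paste at the import> prompt. The format is inferred from that single example, the sample configuration is constructed, and the function names are this example's own.

```python
import ipaddress

# Constructed sample modelled on the page's import example (two rules so the
# repeated "rule" block is exercised).
SAMPLE = """\
nat {
  wan-array {
    wan@1 {
      rule-array {
        rule { #1
          source 10.10.10.55-10.10.10.77
          destination 10.12.10.55-10.12.10.70
          translated 10.12.104.232
        }
        rule { #2
          source 10.10.10.80
          destination 10.12.10.71-10.12.10.72
          translated 10.12.104.233
        }
      }
    }
  }
}
"""


def parse_config(text: str) -> dict:
    """Parse the brace format into nested dicts; repeated block names become lists."""
    root: dict = {}
    stack = [root]
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()      # drop the "#1" index comment
        if not line:
            continue
        if line.endswith("{"):
            name = line[:-1].strip()
            node: dict = {}
            parent = stack[-1]
            if name in parent:                   # second "rule" block -> list of rules
                if not isinstance(parent[name], list):
                    parent[name] = [parent[name]]
                parent[name].append(node)
            else:
                parent[name] = node
            stack.append(node)
        elif line == "}":
            if len(stack) == 1:
                raise ValueError(f"line {lineno}: unbalanced '}}'")
            stack.pop()
        else:
            key, _, value = line.partition(" ")
            stack[-1][key] = value.strip()
    if len(stack) != 1:
        raise ValueError("unclosed block at end of input")
    return root


def as_list(value):
    return value if isinstance(value, list) else [value]


def check_range(spec: str) -> None:
    """Accept a single address or 'low-high'; reject reversed or mixed-family ranges."""
    parts = [ipaddress.ip_address(p.strip()) for p in spec.split("-", 1)]
    if len(parts) == 2 and (parts[0].version != parts[1].version or int(parts[0]) > int(parts[1])):
        raise ValueError(f"reversed or mixed-family range {spec}")


def validate_nat(cfg: dict) -> list:
    """Return the problems found in the NAT rules (an empty list means clean)."""
    problems = []
    for wan_name, wan in cfg.get("nat", {}).get("wan-array", {}).items():
        rules = as_list(wan.get("rule-array", {}).get("rule", []))
        for i, rule in enumerate(rules, 1):
            for key in ("source", "destination"):
                try:
                    check_range(rule[key])
                except (KeyError, ValueError) as exc:
                    problems.append(f"{wan_name} rule #{i} {key}: {exc}")
            try:
                ipaddress.ip_address(rule["translated"])
            except (KeyError, ValueError) as exc:
                problems.append(f"{wan_name} rule #{i} translated: {exc}")
    return problems


def render(node: dict, indent: int = 0) -> str:
    """Emit the nested dict back as the line-oriented text typed at import>."""
    out = []
    pad = "  " * indent
    for key, value in node.items():
        for item in as_list(value):
            if isinstance(item, dict):
                out.append(f"{pad}{key} {{")
                out.append(render(item, indent + 1))
                out.append(f"{pad}}}")
            else:
                out.append(f"{pad}{key} {item}")
    return "\n".join(out)


if __name__ == "__main__":
    cfg = parse_config(SAMPLE)
    print(validate_nat(cfg))          # [] for the sample above
    print(render(cfg))                # lines ready for the import> prompt
```

Run the validator against text saved from export (or the Web UI configuration file) before editing and re-importing it; a reversed range or a mistyped translated address is reported with the WAN link and rule number instead of surfacing only after apply.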

init_reports_db: Set Reports database to factory default

init_reports_db

Set FortiWAN’s Reports database to factory default. All the report data will be deleted. Please make sure the database is backed up if it is necessary (See Reports Database Tool and Database Data Utility). Note that executing this command will bring system an automatic reboot.

jframe: Enable jumbo frames to support specified MTU size for FortiWAN’s LAN ports

jframe show

Get the port number and the MTU size of FortiWAN’s LAN ports.

jframe set <port> <mtu>

Enable jumbo frames on the LAN port by specifying an MTU size larger than 1500.

<port>: The port# of LAN port, such as port1, port2…and etc.

<mtu>: The MTU size.

Note that applying for Network Setting resets the MTU on LAN ports to 1500.

logout: Exit Console mode

logout

Exit the Console mode. The system will re-confirm, press [y] to proceed or [n] to cancel.

ping: Test network connectivity

ping <hostname> <link> <index>

Ping a host to check the current status of a link. <hostname> is the machine/device to be pinged. The <link> parameter can be wan, lan or dmz. If <link> is wan, also specify the WAN link index.

<hostname>: The parameter in specifying the target IP address or domain name. Note that domain name is valid only if parameter <link> is specified as “wan”.

<link>: The parameter in specifying the link or ports that the ICMP PING REQUEST packets are sent through. The valid values are “wan”, “dmz” and “lan”.

<index>: The parameter in specifying the index of a WAN link if <link> is specified as “wan”. The valid values are 1, 2, 3, …,etc. (0 for private subnet).

Example:

ping www.hinet.net wan 1 to ping www.hinet.net via WAN #1.

Note: If domain name is used in the hostname parameter, DNS Server must be set in the Web UI [System]-> [Network Settings]->[DNS Server] (See “Set DNS server for FortiWAN”).

For more on ICMP related error messages please refer to other ICMP/PING materials.

reactivate: Reactivate the FortiWAN apparatus

reactivate

Reactivating the FortiWAN apparatus will:

  • Reset all system configurations to factory default (See “Appendix A: Default Values” for the details)
  • Return the system to base bandwidth (See “License Control” in “Administration”)
  • Reset the Reports database to factory default. All the report data will be deleted.

Using this command will result in all system data being deleted as well as all bandwidth licenses. Before you attempt a reactivation, please make sure the following are complete:

  • Backup any configuration data (See “Configuration File” in “Administration”).
  • Backup the Reports database (See “Reports Database Tool”).
  • Locate your Bandwidth Upgrade Key if your system is not at base bandwidth, so that the bandwidth license the system had before can be activated by re-entering the key.

Note that if your system is not at base bandwidth and you do not have your Bandwidth Upgrade Keys, please contact Fortinet CSS before attempting a reactivation.

reboot: Restart FortiWAN

reboot [-t <second>]

Restart FortiWAN immediately or restart it after a time period.

-t <second>: Reboot FortiWAN after the specified number of seconds.

<second>: The time period (in seconds) the system waits before rebooting.

Example: reboot -t 5 to restart the system after 5 seconds.

resetconfig: Reset system configurations to factory defaults

resetconfig

resetconfig <ip_address/netmask<@port>>

resetconfig <ip_address/netmask<@port>> <network_ip/netmask@gateway_ip>

Reset system configurations to factory default. This will delete all system settings including accounts of Web UI, network settings and all the other system settings and service settings (See “Appendix A: Default Values” for the details). Please backup all the configurations (See “Configuration File” in “Administration”) before executing this command. This command makes no changes to Reports database and bandwidth license, as opposed to command reactivate.

Since command resetconfig will return IP address of LAN and WAN ports to the default values such as 192.168.0.1/255.255.255.0, 192.168.1.1/255.255.255.0 and 192.168.2.1/255.255.255.0, users might need to change the IP address of their local computer to reconnect to the Web UI via the LAN or WAN port (See “Connecting to the Web UI and the CLI”). Note that resetconfig resets the port mappings to factory default, please connect to the correct network port (LAN or WAN) for accessing to Web UI (see Network interfaces and port mapping).

resetconfig provides two optional parameters, ip_address/netmask and @port, to specify a LAN port address and a LAN port mapping (map the LAN port to the specified physical port) while resetting the configurations. All the configurations will be reset to factory default and the LAN settings will be configured to the specified value, so that users can reconnect to Web UI via this port without changing network topology. Furthermore, a static routing entry can be specified to the FortiWAN appliance, so that you can access Web UI across subnets.

System will re-confirm, press [y] to proceed or [n] to cancel.

<ip_address/netmask<@port>>: Assign the network configuration ip_address/netmask to physical port @port. The configuration is assigned to the LAN port by default if @port is not specified.

<network_ip/netmask@gateway_ip>: The static routing entry.

Example:

Consider a FortiWAN 200B appliance whose LAN port is mapped to the first physical port (port1), with IP address 192.168.100.1/255.255.255.0 assigned to the LAN port and a static routing rule that routes packets destined to 192.168.200.0/255.255.255.0 to 192.168.100.254. Administrators in 192.168.100.0/255.255.255.0 and 192.168.200.0/255.255.255.0 can access the Web UI via the LAN port. Here are the usages of command resetconfig in different ways:

Type “resetconfig [IP address/Netmask]” to specify IP configuration to LAN port from resetting system to factory default.

  • resetconfig resets all the configurations to factory default, including the LAN settings. In the default port mapping, port1 is mapped to WAN and port4 is mapped to LAN. The IP address of the LAN port returns to 192.168.0.1/255.255.255.0. Administrators in 192.168.100.0/255.255.255.0 and 192.168.200.0/255.255.255.0 cannot access the Web UI until appropriate changes to cabling and network topology are made manually.

  • resetconfig 192.168.100.1/255.255.255.0 resets the system to factory default but sets 192.168.100.1/255.255.255.0 on the LAN port. However, without @port specified, port1 is mapped to WAN and port4 is mapped to LAN by default. The static routing rule that served access requests from 192.168.200.0/255.255.255.0 is deleted as well. Therefore, manual changes to cabling and network topology are still required before administrators in 192.168.100.0/255.255.255.0 and 192.168.200.0/255.255.255.0 can access the Web UI.

  • resetconfig 192.168.100.1/255.255.255.0@port1 resets system to factory default, but map port1 to LAN and set 192.168.100.1/255.255.255.0 to the LAN port. Administrators in 192.168.100.0/255.255.255.0 can access Web UI via the LAN port without any change, but administrators in 192.168.200.0/255.255.255.0 can not access the Web UI until a correct routing rule is created.
  • resetconfig 192.168.100.1/255.255.255.0@port1 192.168.200.0/255.255.255.0@192.168.100.254 resets the system to factory default but maps port1 to LAN, sets 192.168.100.1/255.255.255.0 on the LAN port and creates a routing rule for packets destined to 192.168.200.0/255.255.255.0, where 192.168.100.254 is the router connecting subnets 192.168.100.0/255.255.255.0 and 192.168.200.0/255.255.255.0. Administrators in both subnets can therefore access the Web UI via the LAN port without any change to the network deployment.

Note that executing resetconfig without the LAN port parameters resets the port mapping to factory default, which means the WAN links assigned to the default WAN ports are enabled. When resetconfig is executed with any parameter, however, only the LAN port mapping is set; no port mapping is created for WAN or DMZ, so there are no default WAN and DMZ ports (and no default WAN links) afterward, and administrators must log in to the Web UI via the LAN port to set the port mappings (see Connecting to the Web UI).

resetpasswd: Reset FortiWAN’s Administrator and Monitor passwords to factory default

resetpasswd

System will re-confirm, press [y] to proceed or [n] to cancel.

setupport: Configure the transmission mode for all the FortiWAN port(s)

setupport show
setupport change <port> auto
setupport change <port> <speed> <mode>

show: Show the current transmission modes for all the network ports.

change: Change the transmission mode of the specified port to AUTO or specified speed and mode.

<port>: The parameter in specifying the port number. The valid values are 1, 2, 3, …,etc.

<speed>: The parameter in specifying the transmission speed. The valid values are 10, 100 and 1000.

<mode>: The parameter in specifying the transmission mode. The valid values are half and full.

Example:

setupport show
setupport change 1 auto
setupport change 2 100 full

Note:

Not all network devices support full 100M speed.

This command has no effect on fiber interface.

The port is the port number of the FortiWAN port interface; exact number varies according to product models.

shownetwork: Show the current status of all the WAN links available

shownetwork

Display WAN Type, Bandwidth, IP(s) on Local/WAN/DMZ, Netmask, Gateway, and WAN/DMZ Port.

Note: This Console command can only show the current network status. This setting can be changed in the Web UI under “Network Settings” (See “Configuring Network Interface (Network Setting)”).

showtrstat: Display tunnel status

showtrstat [TR GROUP NAME]

Display the status of specified tunnel group.

shutdown: Shut the FortiWAN system down

shutdown

This command shuts the FortiWAN system down; all system processes and services are terminated normally. Note that this command might not power the appliance off; use the power switch or plug/unplug the power adapter to power the appliance on or off.

sslcert: Set or unset the SSL certificate for the FortiWAN Web UI

sslcert show | sslcert set | sslcert reset

Type sslcert show to display the SSL certificate that the FortiWAN Web UI is currently working with. The RSA private key is not displayed, for security reasons.

Type sslcert set to set a new SSL certificate for the FortiWAN Web UI. You have to manually input the SSL private key and its corresponding certificate in text after the command prompt sslcert>, line by line.

The certificate must start with “-----BEGIN CERTIFICATE-----” and end with “-----END CERTIFICATE-----”; the private key must start with “-----BEGIN RSA PRIVATE KEY-----” and end with “-----END RSA PRIVATE KEY-----”.

Example:

> sslcert set

Please enter the certificate. It should start with
-----BEGIN CERTIFICATE-----
and end with
-----END CERTIFICATE-----
To abort please enter an empty line:
sslcert> -----BEGIN CERTIFICATE-----
sslcert> …(data encoded in base64)…
sslcert> -----END CERTIFICATE-----

Please enter the private key. It should start with
-----BEGIN RSA PRIVATE KEY-----
and end with
-----END RSA PRIVATE KEY-----
To abort please enter an empty line:
sslcert> -----BEGIN RSA PRIVATE KEY-----
sslcert> …(data encoded in base64)…
sslcert> -----END RSA PRIVATE KEY-----

>

Type sslcert reset to reset to factory default, the self-signed certificate.
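The sslcert prompt accepts only the PKCS#1 framing "-----BEGIN RSA PRIVATE KEY-----", whereas keys produced by current OpenSSL releases typically carry the PKCS#8 label "-----BEGIN PRIVATE KEY-----". The following is an added example, not FortiWAN code, that checks the certificate and key before they are pasted into the prompt: it verifies the BEGIN/END labels match, and for an unencrypted PKCS#8 RSA key it unwraps the PKCS#1 body (the OCTET STRING inside PrivateKeyInfo) with a small DER reader so no cryptography library is needed. Encrypted keys are rejected, since the prompt takes plaintext. The sample key bytes at the end are a constructed DER stand-in, not a real key, so the block runs offline; the function names are this example's own.

```python
import base64
import re

# Added example, not FortiWAN code: normalise a certificate/key pair into the
# framing the sslcert console prompt expects.
RSA_OID = bytes.fromhex("06092a864886f70d010101")   # rsaEncryption 1.2.840.113549.1.1.1


def pem_decode(pem: str):
    """Return (label, der_bytes) for a single PEM block; BEGIN and END labels must agree."""
    m = re.search(r"-----BEGIN ([A-Z0-9 ]+)-----(.*?)-----END \1-----", pem, re.S)
    if not m:
        raise ValueError("no well-formed PEM block (missing or mismatched BEGIN/END lines)")
    return m.group(1), base64.b64decode("".join(m.group(2).split()), validate=True)


def pem_encode(label: str, der: bytes) -> str:
    body = base64.b64encode(der).decode()
    lines = [body[i:i + 64] for i in range(0, len(body), 64)]
    return "\n".join([f"-----BEGIN {label}-----", *lines, f"-----END {label}-----"]) + "\n"


def read_tlv(buf: bytes, pos: int):
    """Minimal DER reader: return (tag, content, next_pos), handling long-form lengths."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def pkcs8_to_pkcs1(der: bytes) -> bytes:
    """Unwrap PrivateKeyInfo { version, AlgorithmIdentifier, OCTET STRING privateKey }."""
    tag, body, _ = read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("PKCS#8 key is not a SEQUENCE")
    _, _version, pos = read_tlv(body, 0)
    _, alg, pos = read_tlv(body, pos)
    if not alg.startswith(RSA_OID):
        raise ValueError("not an rsaEncryption key; the sslcert prompt wants an RSA key")
    tag, key, _ = read_tlv(body, pos)
    if tag != 0x04:
        raise ValueError("privateKey field is not an OCTET STRING")
    return key                                       # this is the PKCS#1 RSAPrivateKey DER


def prepare_certificate(cert_pem: str) -> str:
    label, der = pem_decode(cert_pem)
    if label != "CERTIFICATE" or not der or der[0] != 0x30:
        raise ValueError(f"expected a CERTIFICATE block, got {label}")
    return pem_encode("CERTIFICATE", der)


def prepare_private_key(key_pem: str) -> str:
    """Return the key in 'RSA PRIVATE KEY' (PKCS#1) framing, unwrapping PKCS#8 if needed."""
    label, der = pem_decode(key_pem)
    if label == "RSA PRIVATE KEY":
        return pem_encode(label, der)
    if label == "PRIVATE KEY":
        return pem_encode("RSA PRIVATE KEY", pkcs8_to_pkcs1(der))
    if label == "ENCRYPTED PRIVATE KEY":
        raise ValueError("encrypted PKCS#8 key: decrypt it first, the prompt takes a plaintext key")
    raise ValueError(f"unsupported key block {label}")


# --- constructed sample data (not a real key) so the block runs offline ---
def _der(tag: int, body: bytes) -> bytes:
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body


FAKE_PKCS1 = _der(0x30, _der(0x02, b"\x00") + _der(0x02, b"\x01\x00\x01") + _der(0x02, b"\x7f" * 130))
FAKE_PKCS8 = _der(0x30, _der(0x02, b"\x00") + _der(0x30, RSA_OID + b"\x05\x00") + _der(0x04, FAKE_PKCS1))
FAKE_PKCS8_PEM = pem_encode("PRIVATE KEY", FAKE_PKCS8)

if __name__ == "__main__":
    print(prepare_private_key(FAKE_PKCS8_PEM))       # re-framed as RSA PRIVATE KEY
```

Paste the two outputs at the sslcert> prompt exactly as printed, certificate first. A key whose END label does not match its BEGIN label, or whose algorithm is not rsaEncryption, is rejected here rather than at the console.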

sysctl: Controls the system parameters

sysctl

Display the values of the system parameters.

sysctl <parameter>=<value|default>

Set the system parameter with the specified value. The system parameters are as followings:

VoIP Related – [sip-helper] and [h323-helper]

sysctl sip-helper=<0|1|default>
sysctl h323-helper=<0|1|default>

sip-helper: to enable [1] or disable [0] SIP application gateway modules. Type default to set it default, which is disabled.

h323-helper: to enable [1] or disable [0] H323 application gateway modules. Type default to set it default, which is disabled.

Example:

sysctl sip-helper=0 disables the SIP application gateway modules. sysctl sip-helper=default set the SIP application gateway modules to default, which is disabled.

Note: The SIP and H.323 application gateway modules handle NAT traversal for SIP and H.323 traffic. For SIP and H.323 devices that have NAT traversal built in, it is suggested to disable the corresponding SIP or H.323 gateway module in FortiWAN.

ICMP Timeout Related – [icmp-timeout] and [icmpv6-timeout]

sysctl icmp-timeout=<value|default>

Set ICMP timeout, where <value> is the timeout in seconds. Type default to set the timeout to default value, which is 3 seconds.

sysctl icmpv6-timeout=<value|default>

Set ICMPv6 timeout, where <value> is the timeout in seconds. Type default to set the timeout to default value, which is 3 seconds.

TCP Timeout Related – [tcp-timeout-close], [tcp-timeout-close-wait], [tcp-timeout-established], [tcp-timeout-fin-wait], [tcp-timeout-last-ack], [tcp-timeout-max-retrans], [tcp-timeout-syn-recv], [tcp-timeout-syn-sent], [tcp-timeout-time-wait] and [tcp-timeout-unacknowledged]

sysctl tcp-timeout-close=<value|default>

Set timeout for TCP connections in CLOSING state, where <value> is the timeout in seconds. Type default to set the timeout to default value, which is 10 seconds.

sysctl tcp-timeout-close-wait=<value|default>

Set timeout for TCP connections in CLOSE WAIT state, where <value> is the timeout in seconds. Type default to set the timeout to default value, which is 60 seconds.

sysctl tcp-timeout-established=<value|default>

Set timeout for TCP connections in ESTABLISHED state, where <value> is the timeout in seconds. Type default to set the timeout to default value, which is 43200 seconds.

sysctl tcp-timeout-fin-wait=<value|default>

Set timeout for TCP connections in FIN WAIT state where <value> is the timeout in seconds. Type default to set the timeout to default value, which is 120 seconds.

sysctl tcp-timeout-last-ack=<value|default>

Set timeout for TCP connections in LAST ACK state, where <value> is the timeout in seconds. Type default to set the timeout to default value, which is 30 seconds.

sysctl tcp-timeout-max-retrans=<value|default>

Set timeout for the TCP connections that reach three retransmission without receiving an acceptable ACK from destinations, where <value> is the timeout in seconds. Type default to set the timeout to default value, which is 300 seconds.

sysctl tcp-timeout-syn-recv=<value|default>

Set timeout for TCP connections in SYN RECV state, where <value> is the timeout in seconds. Type default to set the timeout to default value, which is 60 seconds.

sysctl tcp-timeout-syn-sent=<value|default>

Set timeout for TCP connections in SYN SENT state, where <value> is the timeout in seconds. Type default to set the timeout to default value, which is 120 seconds.

sysctl tcp-timeout-time-wait=<value|default>

Set timeout for TCP connections in TIME WAIT state, where <value> is the timeout in seconds. Type default to set the timeout to default value, which is 60 seconds.

sysctl tcp-timeout-unacknowledged=<value|default>

Set timeout for the segments that receive no acceptable ACKs from destinations, where <value> is the timeout in seconds. Type default to set the timeout to default value, which is 300 seconds.

UDP Timeout Related – [udp-timeout] and [udp-timeout-stream]

sysctl udp-timeout=<value|default>

Set UDP timeout, where <value> is the timeout in seconds. Type default to set the timeout to default value, which is 30 seconds.

sysctl udp-timeout-stream=<value|default>

Set UDP stream timeout, where <value> is the timeout in seconds. Type default to set the timeout to default value, which is 180 seconds.

Other Timeout – [frag6-timeout] and [generic-timeout]

sysctl frag6-timeout=<value|default>

Set the timeout to keep an IPv6 fragment in memory, where <value> is the timeout in seconds. Type default to set the timeout to the default value, which is 60 seconds.

sysctl generic-timeout=<value|default>

Set generic timeout for layer 4 unknown/unsupported protocols, where <value> is the timeout in seconds. Type default to set the timeout to default value, which is 600 seconds.

Tunnel Routing Related – [generic-receive-offload-<port>]

generic-receive-offload-<port>

sysctl generic-receive-offload-<port>=<0|1|default>

Disabling the GRO (Generic Receive Offload) mechanism on the LAN ports and/or DMZ ports that carry a Tunnel Routing network can improve Tunnel Routing transmission performance (see How the Tunnel Routing Works and How to set up routing rules for Tunnel Routing).

generic-receive-offload-<port>: Enable [1] or disable [0] GRO (General Receive Offload) mechanism on the specified physical network interface <port>, where <port> is a variable. Type default to set the GRO on <port> to default, which is enabled.

<port>: Specify a network interface (port) of FortiWAN in the format port#, e.g. port1, port2, etc.

Example:

sysctl generic-receive-offload-port1=0 disables GRO mechanism on network interface port1.

sysctl generic-receive-offload-port2=default sets the GRO mechanism on network interface port2 to the default, which is enabled.

Note that disabling the GRO module on a network port can enhance the Tunnel Routing transmission performance on that port, but it also slightly affects non-Tunnel-Routing transmission on the port when the system is under heavy load (there might be a slight decrease in the transmission performance of non-Tunnel-Routing traffic through the port). We suggest keeping the GRO modules enabled on network ports that do not participate in Tunnel Routing transmission.

sysinfo: Display usage of FortiWAN’s CPU, memory and disk

sysinfo

Get the usage of FortiWAN’s CPU, memory and disk space in percentage.

tcpdump: Dump network traffic

tcpdump [-aAdDeflLnNOpqRStuUvxX] [-c count] [-E algo:secret] [-i PORT] [-s snaplen] [-T type] [-y datalinktype] [expression]

<port>: The parameter of option -i (PORT) specifying a network interface (port) of FortiWAN in the format port#, e.g. port1, port2, etc.

For details of the options and parameters, please refer to http://www.tcpdump.org/tcpdump_man.html. Note that options not listed here are not supported by FortiWAN.

traceroute: Shows the packet routes between FortiWAN’s port to a specified destination

traceroute <hostname> <link> <index>

Show the packet route between a FortiWAN port and the hostname.

<hostname>: The parameter specifying the target IP address or domain name. Note that a domain name is valid only if the parameter <link> is specified as “wan”.

<link>: The parameter specifying the link or port that the traceroute packets start from. The valid values are “wan”, “dmz” and “lan”.

<index>: The parameter specifying the index of a WAN link if <link> is specified as “wan”. The valid values are 1, 2, 3, etc.

Example:

traceroute www.hinet.net wan 1 shows the trace route from WAN link 1 to www.hinet.net.

Note: If a domain name is to be used in the hostname parameter, the DNS Server must be set in the Web UI [System]->[Network Settings]->[DNS Server] (See “Set DNS server for FortiWAN”).

FortiWAN Configuring Network Interface (Network Setting)


As an edge router of a network site, FortiWAN is supposed to operate with the connected networks: the WAN, LAN and DMZ networks. FortiWAN must guarantee general communication (routing) among the connected networks, so that it can then provide its advanced load balancing and fault tolerance functions. To establish connectivity between FortiWAN and the networks, you need to complete the following basic network settings:

  1. Decide which of FortiWAN’s network ports connects the FortiWAN with the network. This network port can be a physical port or an aggregated, redundant or VLAN port. Whether it is a physical or logical port, you have to program it as the type of the network it connects to (WAN, LAN or DMZ). VLAN and Port Mapping is the configuration where you create logical network ports (aggregated, redundant and VLAN ports) and define the port mapping for the physical and logical ports (see Configurations for VLAN and Port Mapping).
  2. Configure the basic IP network settings and static routing information on the network port for the connected network. These settings are necessary for FortiWAN to guarantee basic communication among the connected networks, so that packets can be routed correctly between them. According to the type of the connected network, the settings are divided into:
    • WAN Setting (DMZ setting is included): WAN Settings is the major part to deploy FortiWAN in various types of WAN links (see Configuring your WAN).
    • WAN/DMZ Private Subnet: This includes settings for deploying private subnets to WAN/DMZ port (see WAN/DMZ Private Subnet).
    • LAN Private Subnet: This includes settings for deploying private subnets to LAN port (see LAN Private Subnet).

Generally speaking, a network site consists of a WAN link and a private LAN network at least. WAN Setting and LAN Private Subnet are the necessary configurations for FortiWAN to connect the internal and external networks.

Some of FortiWAN’s functions, such as system time synchronization, log push, ping and trace commands, require cooperating with external servers. When FortiWAN itself (localhost) communicates with those external servers, such as NTP, FTP, SMTP servers, an appropriate DNS server is required for domain name resolving.

Configuration of DNS Server is part of the basic network setting (see Set DNS server for FortiWAN).

Briefly, network setting of a FortiWAN contains the configurations of:

  1. DNS for FortiWAN’s localhost (DNS Server, see Set DNS server for FortiWAN)
  2. Network port programming (VLAN and Port Mapping, see Configurations for VLAN and Port Mapping)
  3. Individual network connected to FortiWAN and the relative routing information (WAN Setting, WAN/DMZ Private Subnet and LAN Private Subnet, see Configuring your WAN and DMZ, WAN/DMZ Private Subnet and LAN Private Subnet)

Set DNS server to FortiWAN


As an edge router, FortiWAN connects the external and internal networks to provide necessary and valuable functions for incoming and outgoing service accesses. Among these functions, domain name resolution plays an important role for service accesses. The following is an overview of the DNS deployment on FortiWAN, according to the source of the DNS query.

For external users who want to access your domain

If you provide network services (such as HTTP, FTP or SMTP) to the Internet, no matter how you deploy the servers (in DMZ or LAN) you will also need to provide resolution of your domain name to users who want to access your services from the Internet. You may manage your domain simply by a DNS hosting service or by FortiWAN’s Multihoming (See “Multihoming”). Multihoming is basically a DNS server providing standard name resolution to Internet users; moreover, it provides load balancing and failover for inbound traffic.

For internal users who want to access internal or external servers

Any user needs a DNS server to resolve an external domain he wants to access through the Internet. Usually, this DNS server is an ISP’s DNS server or any registered public DNS server. A user can configure the DNS server setting on his own computer manually, or have it allocated automatically by DHCP. This DNS server is also necessary to FortiWAN itself for some operations. Several of FortiWAN’s functions, such as sending logs and notifications, and the ping and traceroute commands, require DNS resolution if the target is a FQDN (fully qualified domain name). Through Web UI System > Network Setting > DNS Server, you can manually set the DNS server for FortiWAN. FortiWAN’s DHCP (also SLAAC and DHCPv6, see “Automatic addressing within a basic subnet”) allocates the DNS servers set here to users in the LAN or DMZ subnet if the users’ computers are set to get DNS automatically by DHCP.

On the other hand, if you want to maintain an internal DNS server in your site, FortiWAN provides Internal DNS (see “Internal DNS”) for managing your domain for internal users (the users in the LAN or DMZ subnet). A user in the LAN or DMZ subnet needs to manually configure the DNS server on his computer to use FortiWAN’s Internal DNS (set the DNS server to the IP address of the gateway he connects to). FortiWAN’s DHCP cannot automatically allocate FortiWAN’s Internal DNS to users. The Internal DNS is recursive, which allows users to resolve other people’s domains (external domains). The DNS servers set here (System > Network Setting > DNS Server) will be queried by Internal DNS while it recursively resolves an unknown domain. Of course you can also set up a standalone internal DNS server to manage your domain for internal users, but that is outside the scope of FortiWAN.

The last feature about DNS that FortiWAN provides is DNS Proxy, which is a mechanism to redirect outgoing DNS queries to other DNS servers according to WAN links loading. This is not the well-known DNS proxy, but is a solution for ISP peering issue (See “DNS Proxy” and “Optimum Route Detect”).

Back to System > Network Setting > DNS Server: it enables administrators to define the host name of the FortiWAN in the network, the IPv4/IPv6 addresses of the domain name servers used by FortiWAN, and the domain name suffix. The following is the list of FortiWAN’s functions that might require the DNS servers set here.

Function | Usage
System > Diagnostic Tools | Ping and Trace (See “Diagnostic Tools”)
System > Date/Time | Synchronize system time through NTP server (See “Setting the system time & date”)
Service > Internal DNS | Recursively resolve an unknown domain (see “Internal DNS”)
Log > Control | SMTP and FTP Server Settings (See “Log Control”)
Log > Notification | SMTP Server Settings (See “Log Notification”)
CLI | Ping and Traceroute Commands (See “Console Mode Commands”)
FQDN | Maintain the FQDN mapping in system for supporting FQDN in management policies (See “Basic concept to configure via Web UI” in “Using the Web UI”).

Configure the setting

Setting | Description
Hostname | Name for this FortiWAN appliance.
IPv4 Domain Name Server | IPv4 DNS servers for this FortiWAN itself to resolve unknown domains. A maximum of three IPv4 addresses is allowed. The DNS servers set here are used in top-down order: the next one is tried if a DNS request times out.
IPv6 Domain Name Server | IPv6 DNS servers for this FortiWAN itself to resolve unknown domains. A maximum of three IPv6 addresses is allowed. The DNS servers set here are used in top-down order: the next one is tried if a DNS request times out.
Domain Name Suffix | Primary domain suffix of this FortiWAN appliance.

Note: An incomplete DNS server configuration will not affect the functions listed above as long as IP addresses are used instead of FQDNs.

FortiWAN Aggregated, Redundant, VLAN Ports and Port Mapping


Go to System > Network Setting from the Web UI, and click the label VLAN and Port Mapping in the upper-right corner to expand the configuration panel. This is the configuration where you create logical network ports and define the port mapping for the physical and logical ports. The VLAN and Port Mapping panel consists of four tables, VLAN and Port Mapping, Redundant LAN Port, Redundant DMZ Port and Aggregated Port, which are described as follows:

VLAN and Port Mapping

As described previously, FortiWAN’s physical network ports can be further programmed as an aggregated port, a redundant port or several VLAN ports, which are generally called logical ports (see Network interfaces and port mapping). A network port must function as a WAN, LAN or DMZ port and be connected with a corresponding network (a WAN, LAN or DMZ network), so that FortiWAN can work correctly for the connected network. Although each of FortiWAN’s physical ports is mapped to a port type by default, the default mapping can be changed (and logical ports can be created) according to how you deploy your network site. For example, a FortiWAN 200B’s Port 1 could be programmed as a LAN port, Port 2 as a DMZ port, and Port 3 ~ Port 5 as WAN ports, while by default Port 1 ~ Port 3 are WAN ports, Port 4 is a LAN port and Port 5 is a DMZ port. VLAN and Port Mapping is the configuration table for defining the port mapping and creating VLAN IDs on the ports. It consists of three elements: Port, VLAN Tag and Mapping:

Port

In the VLAN and Port Mapping table, each of FortiWAN’s physical ports is listed in the Port column (indicated as Port1, Port2, Port3 …, corresponding to the numbers presented on the front panel of the FortiWAN device), so that port mapping can be programmed and VLAN tags can be created on it. Moreover, the created aggregated ports (a logical port that is created by aggregating two physical ports, see Aggregated Port below for more details) will also be listed here for defining mappings and VLAN tags on them. As for a FortiWAN-VM appliance, the ports listed in the Port column are indicated as vNIC2, vNIC3, vNIC4 …; the mapping of the ports to the vNICs is as below (vNIC 1 is used for the HA port and cannot be changed):

Port | vNIC
Port 1 | vNIC 2
Port 2 | vNIC 3
Port 3 | vNIC 4
Port 4 | vNIC 5
Port 5 | vNIC 6
Port 6 | vNIC 7
Port 7 | vNIC 8
Port 8 | vNIC 9
Port 9 | vNIC 10

Mapping

For the ports listed in the table, there are four options available for mapping them to a function (click the pull-down menus of the Mapping column):

Mapping | Description
WAN | Specify a physical port or a VLAN port as a WAN port. This option is not available for an aggregated port.
LAN | Specify a physical port, a VLAN port or an aggregated port as a LAN port.
DMZ | Specify a physical port, a VLAN port or an aggregated port as a DMZ port.
None | Specify any port as having no purpose. To aggregate two physical ports, the two ports must be mapped to None first (see Aggregated Port below).

Whether it is a physical port or a logical port (aggregated, redundant or VLAN port), it must first be programmed as one of the port types (WAN, LAN or DMZ) before it can be used by other services. A port that is programmed as a WAN, LAN or DMZ port becomes an option in the setting items of some configurations:

  • A port that is programmed as a WAN port will be listed in the pull-down menus:
    • [WAN Port] of WAN Setting for configuring and deploying a WAN subnet to the port (see Configuring your WAN).
    • [WAN Port] of WAN/DMZ Private Subnet for configuring and deploying a private WAN subnet to the port (see WAN/DMZ Private Subnet).
    • [Input Port] of Auto Routing’s IPv4/IPv6 Filters for creating a filter rule that evaluates packets by the port receiving them (see Outbound Load Balancing and Failover).
    • [Input Port] of Bandwidth Management’s IPv4/IPv6 Filters of Outbound BM for creating a filter rule that evaluates packets by the port receiving them (see Bandwidth Management).
  • A port that is programmed as a DMZ port will be listed in the pull-down menus:
    • [DMZ Port] of WAN Setting for configuring and deploying a DMZ subnet to the port (see Configuring your WAN).
    • [DMZ Port] of WAN/DMZ Private Subnet for configuring and deploying a private DMZ subnet to the port (see WAN/DMZ Private Subnet).
    • [Input Port] of Auto Routing’s IPv4/IPv6 Filters for creating a filter rule that evaluates packets by the port receiving them (see Outbound Load Balancing and Failover).
    • [Input Port] of Bandwidth Management’s IPv4/IPv6 Filters of Outbound BM for creating a filter rule that evaluates packets by the port receiving them (see Bandwidth Management).
  • A port that is programmed as a LAN port will be listed in the pull-down menus:
    • [LAN Port] of LAN Private Subnet for configuring and deploying a LAN subnet to the port (see Configuring your WAN).
    • [Input Port] of Auto Routing’s IPv4/IPv6 Filters for creating a filter rule that evaluates packets by the port receiving them (see Outbound Load Balancing and Failover).
    • [Input Port] of Bandwidth Management’s IPv4/IPv6 Filters of Outbound BM for creating a filter rule that evaluates packets by the port receiving them (see Bandwidth Management).

Changes to port mappings here are updated immediately in the corresponding pull-down menus. If a port has been configured and deployed with a network, or been associated with a filter rule, changing the mapping of the port invalidates the original deployments and settings. Please remember to reconfigure the related settings if a port mapping is changed.

VLAN Tag

FortiWAN supports IEEE 802.1Q, which is also known as VLAN Tagging (Cisco’s ISL is not supported). A FortiWAN physical port can be mapped to several VLAN ports. In a large-scale network that is segmented into smaller groups of subnets by a VLAN switch, FortiWAN allows data to be exchanged between these subnets. Moreover, the VLAN switch ports can be programmed as DMZ, WAN or LAN ports. To introduce a VLAN switch into a network working with FortiWAN, here is an example:

FortiWAN’s Port 1 is connected with the VLAN switch, and appropriate VLAN settings have been configured on the VLAN switch. Now VLAN tagging must be configured on FortiWAN to make the VLAN deployment work. The steps are:

  1. In the VLAN and Port Mapping table, click the Add button in the VLAN Tag field of Port 1 to create a new VLAN tag. A VLAN tag input field will then be available, replacing the original string “no VLAN Tag”.
  2. Enter the VLAN tag into the input field to define a VLAN on Port1.
  3. This VLAN tag can be edited, deleted, or moved up/down by the buttons beside it.
  4. Map the VLAN tag to WAN, LAN or DMZ in the Mapping column.
  5. Define the next VLAN on Port1 by the same process.

Port | VLAN Tag | Mapping
Port 1 | 101 | WAN
Port 1 | 102 | WAN
Port 1 | 103 | LAN
Port 1 | 104 | DMZ

After the configuration is applied, FortiWAN’s Port 1 will no longer accept untagged packets. Through the VLAN switch, both Port 1.101 and Port 1.102 are connected with a WAN link (Port 1.101 and Port 1.102 will be listed in the WAN Port pull-down menu for WAN Setting), while Port 1.103 is connected with the LAN subnet (Port 1.103 will be listed in the LAN Port pull-down menu for the Private LAN Subnet setting) and Port 1.104 is connected with the DMZ subnet (Port 1.104 will be listed in the DMZ Port pull-down menu for DMZ Setting). You can also define VLAN tags on an aggregated port from the table (the aggregated port must be created first before VLAN tags can be defined on it).

Note: This field (VRID) is only available when VRRP mode is enabled in LAN Private Subnet settings. The VRID indicates the virtual router identifier for every VR.

Redundant LAN/DMZ Port

A logical redundant port pairs an active and a standby physical network port: a logical redundant LAN port consists of two physical LAN ports, and a logical redundant DMZ port consists of two physical DMZ ports. Under normal usage, the active port passes traffic and the standby port is just a backup. Once the active port goes down (or becomes unavailable), the standby port takes over the active role and starts passing traffic. Why are a redundant LAN port and a redundant DMZ port necessary? Because without the redundant ports, even if FortiWAN is working in HA mode, a single point of failure can still occur in the connectivity between the LAN/DMZ subnets and FortiWAN’s LAN/DMZ ports. Redundant ports increase the reliability of the connectivity of FortiWAN’s LAN and DMZ. FortiWAN’s redundant port supports the Spanning Tree algorithm and sets the highest value, 0xffff, as its bridge priority. The configuration thus avoids network failure caused by possible packet looping.

Label | Name of the logical redundant LAN/DMZ port. Only the ASCII characters “0-9 a-z A-Z” are acceptable for a label and the first character must be non-numeric. After applying the settings, the specified label, in the format Bridge: label name, will become one of the port options in the corresponding pull-down menus used for configuration of the LAN setting (see LAN Private Subnet), DMZ setting (see Configuring your WAN), Auto Routing and Bandwidth Management (FortiWAN’s Auto Routing and Bandwidth Management support managing outbound traffic by the input port on which the traffic is received, see Auto Routing and Bandwidth Management). All these configurations refer to the logical redundant port instead of its member physical ports.

Mapping | There are two menus in the Mapping field for selecting the two member-ports of a LAN/DMZ redundant port. All the physical ports and VLAN tags mapped to LAN/DMZ in the VLAN and Port Mapping table are listed here as options. At least two ports must be mapped to LAN/DMZ in VLAN and Port Mapping first to create a LAN/DMZ redundant port, or there will be no items to choose from here.

Select a LAN/DMZ port from each of the two pull-down menus to add the member-ports to the redundant port. By default, the first configured member-port becomes the active one for the redundant port, while the second one is in hot standby state.

Note that the physical member ports that are redundant to each other must be equal in port speed and duplex (See “Port Speed/Duplex Settings”).

Notices to create a redundant port

Before creating a redundant port, you need to know:

  • The two member-ports of a redundant port can be two physical network ports, two VLAN tags, or a pair of one physical port and one VLAN tag.
  • Exactly two member-ports must be mapped to LAN or DMZ in the VLAN and Port Mapping table before pairing the two ports into a logical LAN/DMZ redundant port.
  • VLAN tags cannot be defined on a redundant port.

Creating a redundant LAN/DMZ port

To configure a redundant LAN port or redundant DMZ port, perform the following steps:

Step 1 Map two ports (two physical ports, two VLAN ports, or a pair of one physical port and one VLAN port) to LAN or DMZ in the VLAN and Port Mapping table.

Step 2 Create a new redundant port configuration by clicking the add button on Redundant LAN Port or Redundant DMZ Port table.

Step 3 Assign the redundant port a name by entering it in the Label field.

Step 4 Select a member-port from each of the two pull-down menus in Mapping field (the ports mapped to LAN or DMZ in VLAN and Port Mapping table are listed here for options).

Step 5 Apply the settings by clicking Apply.

Aggregated Port

FortiWAN’s port aggregation is an implementation of IEEE 802.3ad active mode, which bundles two physical ports into a single logical aggregated port to provide the aggregated bandwidth of the two physical links. If a single point of failure occurs on the connectivity of one of the physical member ports under an aggregated port, traffic will be carried within the remaining port channel. The related parameters of IEEE 802.3ad active mode are set as follows:

Parameter | Value | Note
ad_select | stable | as default
all_slave_active | 0 | as default
downdelay | 0 | as default
lacp_rate | slow | as default
max_bonds | 1 | as default
miimon | 100 | as recommended
min_links | 0 | as default
updelay | 0 | as default
use_carrier | 1 | as default
xmit_hash_policy | layer2 | as default
Label | Name of the logical aggregated port. Only the ASCII characters “0-9 a-z A-Z” are acceptable for a label and the first character must be non-numeric. After entering a label here, this label will be listed in the VLAN and Port Mapping table at the same time so that the logical aggregated port can be mapped to LAN or DMZ, or have VLAN tags defined on it. After applying the settings, the specified label will become one of the port options in the corresponding pull-down menus, in the format Bonding: label name, used for configuration of the LAN setting (see LAN Private Subnet), DMZ setting (see Configuring your WAN), Auto Routing and Bandwidth Management (FortiWAN’s Auto Routing and Bandwidth Management support managing outbound traffic by the input port on which the traffic is received, see Auto Routing and Bandwidth Management). All these configurations refer to the logical aggregated port instead of its member physical ports.
Mapping | There are two menus in the Mapping field for selecting the two member-ports of an aggregated port. All the physical ports and VLAN tags mapped to None in the VLAN and Port Mapping table are listed here as options. At least two ports must be mapped to None in VLAN and Port Mapping first to create an aggregated port, or there will be no items to choose from here.

Select a port from each of the two pull-down menus to add the member-ports to the aggregated port. After this, you need to enable the aggregated port by mapping it to LAN/DMZ or defining VLAN tags on it in the VLAN and Port Mapping table; otherwise the aggregated port stays mapped to None by default.

Note that the physical member ports that are aggregated must be equal in port speed and duplex (See “Port Speed/Duplex Settings”).

Notices to create an aggregated port

Before creating an aggregated port, you need to know:

  • The two member-ports of an aggregated port can be two physical network ports, two VLAN tags, or a pair of one physical port and one VLAN tag.
  • A logical aggregated port requires two purposeless member-ports (both mapped to None in the VLAN and Port Mapping table).
  • An aggregated port can only be mapped to a DMZ or LAN port.
  • VLAN tags can be defined on an aggregated port.

Creating an aggregated port

To configure an aggregated port, perform the following steps:

Step 1 Disable two ports (two physical ports, two VLAN ports, or a pair of one physical port and one VLAN port) by mapping them to None in the VLAN and Port Mapping table.

Step 2 Create a new port aggregation configuration by clicking the add button on Aggregated Port table.

Step 3 Assign the aggregated port a name by entering it in the Label field.

Step 4 Select a member-port from each of the two pull-down menus in Mapping field (the disabled ports in VLAN and Port Mapping table are listed here for options).

Step 5 The label name of the aggregated port will be listed in VLAN and Port Mapping table. Map the logical aggregated port to LAN or DMZ by selecting it from the pull-down menu in Mapping field. You can also define VLAN tags to the aggregated port in VLAN Tag field and Mapping field.

Step 6 Apply the settings by clicking Apply.

Scenarios

As illustrated in the topology below, FortiWAN’s Port1 is mapped as a WAN port. Port2 and Port3 are paired into a logical redundant LAN port which is connected to Switch1, and Port4 and Port5 are paired into a logical aggregated DMZ port which is connected to Switch2.

Step 1 To configure the settings for the deployment, you need to map Port1, Port2, Port3, Port4 and Port5 to WAN, LAN, LAN, None and None respectively in VLAN and Port Mapping table.

Port | VLAN Tag | Mapping
Port1 | no VLAN Tag | WAN
Port2 | no VLAN Tag | LAN
Port3 | no VLAN Tag | LAN
Port4 | no VLAN Tag | None
Port5 | no VLAN Tag | None

Step 2 Create a new redundant LAN port labeled lan23 and map it to Port2 and Port3 in the Redundant LAN Port table.

Label | Mapping
lan23 | Port 2, Port 3

Step 3 Create a new aggregated port labeled dmz45 and map it to Port4 and Port5 in the Aggregated Port table.

Label | Mapping
dmz45 | Port 4, Port 5

Step 4 Map the created logical aggregated port dmz45 to DMZ in VLAN and Port Mapping table.

Port | VLAN Tag | Mapping
Port1 | no VLAN Tag | WAN
Port2 | no VLAN Tag | LAN
Port3 | no VLAN Tag | LAN
Port4 | no VLAN Tag | None
Port5 | no VLAN Tag | None
dmz45 | no VLAN Tag | DMZ

After the configurations are applied, labels “Bridge: lan23” and “Bonding: dmz45” will be listed respectively in LAN Port and DMZ Port pull-down menus of LAN and DMZ subnets settings (see LAN Private Subnet and Configuring your WAN) for options. Moreover, the two labels will be also listed in Input Port pull-down menu of Auto Routing and Bandwidth Management (see Auto Routing and Bandwidth Management) for your options.

You can also configure the deployment in an advanced way. First, if you need the LAN ports to be defined with several VLAN tags and also have them in redundant pairs; second, if you need the aggregated port to be mapped to one LAN and one DMZ by defining VLAN tags on it, the configuration steps are the following:

Step 1 To configure the settings for the deployment, you need to define Port2 and Port3 with VLAN tags and map all of them to LAN in the VLAN and Port Mapping table. Leave Port4 and Port5 mapped to None as before.

Port | VLAN Tag | Mapping
Port1 | no VLAN Tag | WAN
Port2 | 01 | LAN
Port2 | 02 | LAN
Port3 | 01 | LAN
Port3 | 02 | LAN
Port4 | no VLAN Tag | None
Port5 | no VLAN Tag | None

Step 2 Create a new redundant LAN port labeled lan23tag01 and map it to Port2.01 and Port3.01 in the Redundant LAN Port table.

Label | Mapping
lan23tag01 | Port 2.01, Port 3.01

Step 3 Create another new redundant LAN port labeled lan23tag02 and map it to Port2.02 and Port3.02 in the Redundant LAN Port table.

Label | Mapping
lan23tag02 | Port 2.02, Port 3.02

Step 4 Create a new aggregated port labeled agg45 and map it to Port4 and Port5 in the Aggregated Port table.

Label | Mapping
agg45 | Port 4, Port 5

Step 5 In VLAN and Port Mapping table, map the created logical aggregated port agg45 to a LAN and a DMZ by defining it with VLAN tags.

Port | VLAN Tag | Mapping
Port1 | no VLAN Tag | WAN
Port2 | 01 | LAN
Port2 | 02 | LAN
Port3 | 01 | LAN
Port3 | 02 | LAN
Port4 | no VLAN Tag | None
Port5 | no VLAN Tag | None
agg45 | 01 | LAN
agg45 | 02 | DMZ
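To check a planned mapping such as the one above before applying it, here is an added Python example (not FortiWAN code) that encodes the rules from the Notices for redundant and aggregated ports and validates the advanced scenario; the data model, function names and the constructed speed/duplex labels are this example's own assumptions.

```python
"""Offline validator for a planned FortiWAN-style VLAN and Port Mapping.
Added example, not FortiWAN code: it encodes the text's rules for redundant and
aggregated ports. Data model, function names and speed labels are assumptions."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

LABEL_RE = re.compile(r"^[A-Za-z][0-9A-Za-z]*$")   # "0-9 a-z A-Z", first non-numeric

@dataclass
class Port:
    """A physical port: untagged mapping plus optional VLAN tag mappings."""
    mapping: str = "None"                                    # WAN, LAN, DMZ or None
    vlan_tags: Dict[str, str] = field(default_factory=dict)  # tag -> mapping
    speed: str = "1000/full"                                 # constructed label

@dataclass
class Redundant:
    """Redundant LAN/DMZ port: two members already mapped to `kind`."""
    label: str
    members: Tuple[str, str]   # "Port2" or "Port2.01" (port.VLAN tag)
    kind: str                  # "LAN" or "DMZ"

@dataclass
class Aggregated:
    """Aggregated port: two members mapped to None, then mapped/tagged itself."""
    label: str
    members: Tuple[str, str]
    mapping: str = "None"
    vlan_tags: Dict[str, str] = field(default_factory=dict)

def mapping_of(ports: Dict[str, Port], ref: str) -> Optional[str]:
    """Resolve 'Port2' or 'Port2.01' to its current mapping; None if unknown."""
    base, _, tag = ref.partition(".")
    port = ports.get(base)
    if port is None:
        return None
    return port.vlan_tags.get(tag) if tag else port.mapping

def _check_pair(ports, label, members, want, errors):
    """Rules shared by both logical port types."""
    if not LABEL_RE.match(label):
        errors.append(f"{label}: label must be [0-9a-zA-Z] and start with a letter")
    if members[0] == members[1]:
        errors.append(f"{label}: the two member-ports must differ")
    for m in members:
        got = mapping_of(ports, m)
        if got != want:
            errors.append(f"{label}: member {m} is mapped to {got}, needs {want}")
    if all(mapping_of(ports, m) is not None for m in members):
        # Member ports must be equal in port speed and duplex
        sa, sb = (ports[m.partition(".")[0]].speed for m in members)
        if sa != sb:
            errors.append(f"{label}: member speed/duplex differ ({sa} vs {sb})")

def validate(ports, redundants, aggregates) -> List[str]:
    """Return the rule violations; an empty list means the plan is consistent."""
    errors: List[str] = []
    for r in redundants:
        if r.kind not in ("LAN", "DMZ"):
            errors.append(f"{r.label}: redundant ports can only be LAN or DMZ")
        _check_pair(ports, r.label, r.members, r.kind, errors)
    for a in aggregates:
        _check_pair(ports, a.label, a.members, "None", errors)
        # The aggregated port itself, and any VLAN tag on it, may be LAN or DMZ only
        for tag, mapping in [("untagged", a.mapping), *a.vlan_tags.items()]:
            if mapping not in ("LAN", "DMZ", "None"):
                errors.append(f"{a.label}: {tag} mapped to {mapping}, only LAN/DMZ allowed")
    return errors

def advanced_scenario():
    """The second deployment in the text: tagged redundant LAN pairs plus agg45."""
    ports = {
        "Port1": Port(mapping="WAN"),
        "Port2": Port(vlan_tags={"01": "LAN", "02": "LAN"}),
        "Port3": Port(vlan_tags={"01": "LAN", "02": "LAN"}),
        "Port4": Port(),   # mapped to None, free to be aggregated
        "Port5": Port(),
    }
    redundants = [Redundant("lan23tag01", ("Port2.01", "Port3.01"), "LAN"),
                  Redundant("lan23tag02", ("Port2.02", "Port3.02"), "LAN")]
    aggregates = [Aggregated("agg45", ("Port4", "Port5"),
                             vlan_tags={"01": "LAN", "02": "DMZ"})]
    return ports, redundants, aggregates

def broken_scenario():
    """Constructed mistakes: aggregating an in-use port and mapping a bond to WAN."""
    ports, redundants, aggregates = advanced_scenario()
    ports["Port4"].mapping = "LAN"     # Port4 was not set to None first
    aggregates[0].mapping = "WAN"      # WAN is not an option for an aggregated port
    return ports, redundants, aggregates
```

Running validate() on the advanced scenario returns no errors, while the broken scenario reports the in-use member port and the WAN mapping.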

 

Configuring networks to FortiWAN


As described previously, FortiWAN is an intelligent WAN load balancing device providing services that increase connection efficiency and reliability between the internal and external networks, but basically, as a router, its fundamental job is to route IP packets among the connected networks. According to its purpose and functionality, a connected network can be one of three types: WAN, LAN or DMZ. When you configure the settings of a network on a FortiWAN, you are registering the network with the FortiWAN (mainly adding routing information about the network to the FortiWAN), so that the FortiWAN can find the path to correctly route packets destined for the network. Network settings establish the routing rules FortiWAN needs so that the connected WAN, LAN and DMZ networks can communicate with each other. Besides routing rules, a network setting requires other information needed to guarantee good cooperation between the connected network and FortiWAN. No matter what types the connected networks are, the settings share some common concepts:

Static route: basic subnets & static routing subnets

Within a network site, FortiWAN routes communication among the connected WAN (near WAN actually, see WAN, LAN and DMZ and Near WAN), LAN and DMZ networks according to established static routing entries, without WAN load balancing and failover being involved. The static routing entries of the connected networks are added to FortiWAN manually through the network settings. A connected network can contain several subnets. Basically, FortiWAN defines two types of subnet for a connected network’s static routes, the basic subnet and the static routing subnet:

Basic subnet: Any subnet connected directly to FortiWAN’s network port is called a basic subnet. Setting for a basic subnet tells FortiWAN the network IP, netmask of the subnet and the connected port, so that FortiWAN is aware of the network port used to directly deliver the packets destined to the subnet.

Static routing subnet: Any subnet connected directly or indirectly to one of FortiWAN’s basic subnets is called a static routing subnet. The setting for a static routing subnet tells FortiWAN the network IP and netmask of the subnet and the gateway, so that FortiWAN can find the next hop to forward packets destined for the subnet, even though the static routing subnet is not directly connected to FortiWAN.

Basically, all the network configurations in WAN Setting (see Configuring your WAN and DMZ), WAN/DMZ Private Subnet (see WAN/DMZ Private Subnet) and LAN Private Subnet (see LAN Private Subnet) contain settings for basic subnets and static routing subnets, except IPv4-based bridge-mode WAN links. FortiWAN’s basic subnets and static routing subnets are static routes; therefore, any physical change to the deployment of the subnets requires corresponding modifications to the routing entries. The basic static route is suitable for simple topologies. When you have a large-scale network with a complex topology, dynamic routing is more suitable. FortiWAN supports RIP (v1 and v2), OSPF and VRRP on its LAN ports.

IPv4/IPv6 dual stack

FortiWAN supports IPv4/IPv6 dual stack, which means a FortiWAN can be configured with both IPv4 and IPv6 connectivity (FortiWAN does not support a pure IPv6 based network). Neither the IPv4 network nor the IPv6 network is dispensable when configuring a dual stack network on FortiWAN. Therefore, the static routing information required to configure a dual stack network on a WAN, LAN or DMZ port includes an IPv4 basic subnet, an IPv4 static routing subnet, an IPv6 basic subnet and an IPv6 static routing subnet.

Auto addressing

FortiWAN supports auto addressing on each of the WAN, LAN and DMZ ports, so that hosts in any connected basic subnet can be automatically assigned IP addresses and related information. FortiWAN provides the addressing mechanisms DHCP, DHCP relay, DHCPv6 and SLAAC (see Automatic addressing within a basic subnet).

Configuring your WAN and DMZ

In this section we talk about the configurations for WAN and DMZ network deployments. For a FortiWAN to access the Internet, an ISP network must be connected to it. The connection between a FortiWAN’s WAN port and an ISP network is called a WAN link, which is the necessary medium for accessing the Internet. FortiWAN’s DMZ is designed to be associated with a WAN link; therefore, configuration of a DMZ must be included in a WAN link.

Compared with a LAN network, a WAN link and its DMZ involve more concerns. Besides port mapping for the WAN ports on a FortiWAN, you need to decide the WAN type and the subsequent subnet deployment for a WAN link as well. FortiWAN supports WAN links in both routing mode and bridge mode (See WAN types: Routing mode and Bridge mode). Generally, ISPs provide connectivity in various ways. The following table summarizes what you get from the ISP for each type of connectivity:

Internet connectivity type | IP type | No. of IP | Network scale | Modem type
Routing Mode | Static | Multiple | An IP subnet (number of available IPs matches the netmask) | A gateway (router)
Bridge Mode: One Static IP | Static | Single | One IP of a large-scale subnet (fewer available IPs than the netmask) | A bridge, not a gateway
Bridge Mode: Multiple Static IP | Static | Multiple | An IP range of a large-scale subnet (fewer available IPs than the netmask) | A bridge, not a gateway
Bridge Mode: PPPoE | Dynamic | Single | One IP of a large-scale subnet | A bridge, not a gateway
Bridge Mode: DHCP Client | Dynamic | Single | One IP of a large-scale subnet | A bridge, not a gateway

Since the ISP provides the available IP addresses in different ways for the above Internet connectivity types, FortiWAN has corresponding mechanisms to identify the near WAN area and define the static route. Before continuing, let us review what a near WAN is to FortiWAN. As described previously, FortiWAN defines the area between a FortiWAN’s WAN port and the ISP’s modem as the near WAN of the WAN link. Individual IP addresses, segments and subnets deployed within this area are considered the near WAN of a WAN link. Unlike the WAN area (the Internet), the near WAN, although located on the WAN side, can be considered part of your network site, just like the LAN and DMZ areas. Within the network site, FortiWAN delivers packets among the near WAN, DMZ and LAN according to the static routes. The services of load balancing, fail-over, traffic shaping and statistics (Auto Routing, Bandwidth Management and NAT) are not applied to those packets. Only packets destined to somewhere not defined in the routing table (traffic communicating with hosts outside the site) are handled by Bandwidth Management, Auto Routing and NAT, and forwarded to the gateway (the Internet). Note that traffic within the near WAN and traffic communicating with the near WAN is not counted in the outbound and inbound traffic of the WAN link, but it does occupy part of the WAN link’s bandwidth. Be careful about the usage of your near WAN: heavy near WAN traffic impairs FortiWAN’s WAN load-balancing and traffic shaping.

Configurations of WAN links are mainly about setting the static routing information for the near WAN (and DMZ) on FortiWAN. Compared with a LAN, setting the static route for the near WAN and DMZ of a WAN link is more complex and variable. According to the distinguishing characteristics of the different WAN types, FortiWAN identifies the near WAN and DMZ areas of a WAN link in different ways. Configuring a WAN link as an unsuitable type on FortiWAN results in incorrect near WAN identification; miscalculation and misjudgment then occur in traffic statistics, traffic shaping and load-balancing. The following are the mechanisms FortiWAN uses for the different WAN types:

Routing-mode WAN link
  • It requires at least one IPv4 network to be configured for an IPv4-based Internet connectivity, or a pair of IPv4 and IPv6 networks for a dual-stack connectivity.
  • Any IP address of the network is considered to be either in the near WAN or in the DMZ (except the IP used by the localhost).
  • The whole IPv4/IPv6 network (indicated by the specified netmask) is considered to belong to your site, either as a near WAN or as a combination of near WAN and DMZ.
  • A near WAN is considered an IPv4/IPv6 network, and the gateway of the WAN link is counted in the near WAN.
  • Traffic that matches routing entries of the network bypasses Bandwidth Management and Auto Routing.
  • If a bridge-mode Internet connectivity is incorrectly configured as a routing-mode WAN link on FortiWAN, all the IP addresses of the network (usually a large-scale network such as a class C) are considered to belong to your site. The problem is that most of those IP addresses do not actually belong to your site (they are outside of your site, on the Internet), and WAN load-balancing, fail-over and traffic shaping should not be bypassed for that traffic.

Bridge-mode WAN link with multiple static IP
  • It requires the individual IPv4/IPv6 addresses or IPv4/IPv6 ranges to be specified exactly in order to deploy a near WAN and/or DMZ for an IPv4-based or dual-stack WAN link.
  • Only the specified IPv4/IPv6 addresses are considered to belong to your site (located in the near WAN or DMZ). Unspecified IP addresses are considered outside of your site, belonging to the Internet.
  • A near WAN is considered a segment of an IPv4/IPv6 network. The gateway of the WAN link is not counted in the near WAN.
  • Incorrectly configuring a routing-mode Internet connectivity as a bridge-mode WAN link on FortiWAN results in abnormal behavior for traffic communicating with the gateway and with unspecified IP addresses.

Bridge-mode WAN link with one static IP, PPPoE bridge-mode WAN link, DHCP bridge-mode WAN link
  • Near WAN and DMZ are not supported for these WAN types on FortiWAN. Only the IPv6/IPv4 address assigned to the localhost of the WAN link is considered to belong to your site. All the other IP addresses (including the gateway) within the same network (indicated by the specified netmask) are considered outside of your site.
  • Incorrectly configuring a routing-mode Internet connectivity as a bridge-mode WAN link on FortiWAN results in abnormal behavior for traffic communicating with the gateway and with unspecified IP addresses.

You have to figure out the type of your link so that you can configure it correctly on FortiWAN. The netmask and the number of IP addresses indicate whether you have a complete IP subnet (routing mode) or just some IP addresses of a large-scale subnet (bridge mode). If your ISP links belong to Routing Mode or Bridge Mode: Multiple Static IP, you have more than one IP address to use. The localhost of a WAN port requires one IP address, and the rest of the IP addresses are available to hosts connected to the WAN port and a DMZ port. Deployment of IP addresses in WAN and DMZ is therefore included in the configurations of Routing Mode and Bridge Mode: Multiple Static IP. For links belonging to Bridge Mode: One Static IP, Bridge Mode: PPPoE and Bridge Mode: DHCP Client, the only IP address must be used by the localhost of the WAN port, and no more IP addresses are available to other hosts in WAN and DMZ.
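The identification rules above can be made concrete in code. The following Python snippet is an added example written for this page, not FortiWAN’s own implementation. It classifies an address against a WAN link configuration according to the WAN type, and counts how many addresses each type treats as on-site, which shows why a single-IP bridge link misdeclared as routing mode pulls a whole class C into the near WAN and out of Auto Routing and Bandwidth Management. The WanLink class, its field names, the off-site host 198.51.100.7 and the misdeclared link’s addresses (203.69.118.1, 203.69.118.77) are constructed for the example; 203.69.118.8/29 with gateway .9 and localhost .10 is the network used in the page’s later examples.

```python
# Added example (not FortiWAN's code): how each WAN type decides which
# addresses belong to the site (localhost, near WAN, DMZ) and which are
# outside it, following the identification rules in the text above.
from dataclasses import dataclass, field
from ipaddress import (IPv4Address, IPv4Network, IPv6Address, IPv6Network,
                       ip_address, ip_network)
from typing import Dict, Optional, Set, Union

Address = Union[IPv4Address, IPv6Address]
Network = Union[IPv4Network, IPv6Network]

ROUTING = "Routing Mode"
BRIDGE_MULTI = "Bridge Mode: Multiple Static IP"
# One Static IP, PPPoE and DHCP Client share the same identification rule.
BRIDGE_SINGLE = "Bridge Mode: One Static IP / PPPoE / DHCP Client"


@dataclass
class WanLink:
    wan_type: str
    gateway: Address
    localhost: Set[Address]                              # IP(s) on Localhost
    network: Optional[Network] = None                    # routing mode: the given subnet
    near_wan: Set[Address] = field(default_factory=set)  # bridge multi: IPs placed in WAN
    dmz: Set[Address] = field(default_factory=set)       # IPs placed in DMZ

    def __post_init__(self) -> None:
        if not self.localhost:
            raise ValueError("at least one address must be assigned to the localhost")
        if self.wan_type == ROUTING and self.network is None:
            raise ValueError("a routing-mode WAN link needs its IP subnet")

    def classify(self, address: str) -> str:
        """Return 'localhost', 'near WAN', 'DMZ' or 'outside' for one address."""
        addr = ip_address(address)
        if addr in self.localhost:
            return "localhost"
        if self.wan_type == ROUTING:
            # The whole subnet belongs to the site, gateway included; every
            # address not placed in DMZ is near WAN.
            if addr in self.network:
                return "DMZ" if addr in self.dmz else "near WAN"
            return "outside"
        if self.wan_type == BRIDGE_MULTI:
            # Only explicitly listed addresses are on-site; the gateway is
            # not counted in the near WAN.
            if addr in self.dmz:
                return "DMZ"
            if addr in self.near_wan:
                return "near WAN"
            return "outside"
        # One static IP / PPPoE / DHCP client: near WAN and DMZ do not exist.
        return "outside"

    def on_site_count(self) -> int:
        """Number of addresses the link treats as on-site, i.e. delivered by
        static route without Auto Routing and Bandwidth Management (IPv4
        network and broadcast addresses excluded)."""
        if self.wan_type == ROUTING:
            n = self.network.num_addresses
            if self.network.version == 4 and self.network.prefixlen <= 30:
                n -= 2
            return n
        if self.wan_type == BRIDGE_MULTI:
            return len(self.localhost | self.near_wan | self.dmz)
        return len(self.localhost)


def demo() -> Dict[str, object]:
    """Page example (routing mode on 203.69.118.8/29) next to a constructed
    misconfiguration: a single-IP bridge link on a class C declared as routing mode."""
    routing = WanLink(ROUTING, ip_address("203.69.118.9"), {ip_address("203.69.118.10")},
                      network=ip_network("203.69.118.8/29"))
    misdeclared = WanLink(ROUTING, ip_address("203.69.118.1"), {ip_address("203.69.118.77")},
                          network=ip_network("203.69.118.0/24"))
    return {
        "gateway": routing.classify("203.69.118.9"),        # near WAN
        "wan_host": routing.classify("203.69.118.14"),      # near WAN
        "off_site": routing.classify("198.51.100.7"),       # outside
        "on_site_/29": routing.on_site_count(),             # 6
        "on_site_/24": misdeclared.on_site_count(),         # 254, almost all not yours
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The on_site_count of the misdeclared link is the quantity the text warns about: 254 addresses bypass load-balancing and shaping although only one of them is on the customer premises.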

[WAN Settings] is the major part of deploying FortiWAN with various types of WAN links. If your network has several WAN links, you have to configure them one after another. Select any link from [WAN link] and check [Enable] to start the configuration of that WAN connection (See “WAN link and WAN port”). The configuration of a WAN link is divided into three parts: Basic Settings, Basic Subnet and Static Routing Subnet. Before starting, here are several important concepts you should know.

Configuration of a WAN link, no matter what the WAN type it is, contains the following parts:

Basic setting

The basic setting requires you to set the maximum upload/download bandwidth of the WAN link, the upload/download threshold and the MTU for transmission between FortiWAN and the ISP’s network. These settings are necessary for FortiWAN Bandwidth Management (see Bandwidth Management), Auto Routing (see Auto Routing) and Multihoming (see Multihoming), which process the real WAN traffic between FortiWAN and the Internet (traffic between FortiWAN and its near WAN is not included).

For bridge-mode WAN links, the basic setting also contains extra fields:

Bridge Mode: One Static IP

Allocating the only IPv4/IPv6 address to localhost of the WAN port.

Bridge Mode: Multiple Static IP

Allocating one IPv4/IPv6 address to the localhost of the WAN port, and arranging the others into network segments in WAN and/or DMZ if necessary. Unlike routing-mode WAN links, the ISP provides a range of IP addresses of a large-scale network for the bridge-mode WAN link, not a network subnet. These IP addresses can be deployed in WAN and/or DMZ, and the corresponding static route is established as well, but it is just not a basic subnet (in routing-mode, IP addresses of a WAN link in WAN and/or DMZ are treated as )

Bridge Mode: PPPoE

The username and password for PPPoE access.

IPv4/IPv6 basic subnet & IPv4/IPv6 static routing subnet

As described previously, FortiWAN needs the static route to find the path for traffic among LAN, DMZ and near WAN. When you configure a routing-mode WAN link or an IPv4/IPv6 dual stack link, the settings of basic subnet and static routing subnet are the routes FortiWAN uses for the IPv4/IPv6 networks connected to WAN ports and/or DMZ ports.

Routing mode and Bridge mode: multiple static IP

Routing mode and bridge mode (multiple static IP) deploy IP addresses in WAN and DMZ in different ways. The following table lists the differences between the two modes for WAN link deployments.

  | Routing mode | Bridge mode: Multiple static IP
Form of given IPs and netmask | An IP subnet (number of IPs matches the scale of the netmask) | A range of IPs (number of IPs is less than the scale of the netmask)
Gateway | Located on customer premises | Located in the ISP’s central office
Modem type | Functions as a router (the gateway) | Functions as a bridge
Deployment of near WAN and/or DMZ | Supported | Supported
Static routing subnets in near WAN and/or DMZ | Supported | Not supported
Configuration for near WAN and/or DMZ | In Basic Subnet and Static Routing Subnet | In Basic Setting

Start to configure a WAN link

To deploy a WAN link on FortiWAN, go to System > Network Setting and expand WAN Setting panel on the Web UI. Configurations of all the WAN links start from a common setting block in the panel:

WAN Link Select the WAN link that you are configuring from the drop-down menu. Depending on the model, FortiWAN supports up to 25 or 50 WAN links. All the WAN links are numbered from 1 to 25 or 50, such as WAN link 1, WAN link 2, … and WAN link 50. Each number indicates a WAN link. The number has nothing to do with the WAN port the WAN link is installed on. For example, you can install WAN link 1 on WAN Port 3, or WAN link 3 on WAN Port 1.

The number of WAN links a FortiWAN supports is always greater than its number of physical network ports. For example, FortiWAN 200B supports 25 WAN links but provides only 5 physical network ports. You will need to create VLAN ports on FortiWAN’s ports to install more than 4 WAN links.

In the configurations of most of FortiWAN’s services, such as Auto Routing, Multihoming, Bandwidth Management, Virtual Server, NAT, etc., these WAN links appear as options for associating policies and rules with a WAN link. They are also the options used to switch among WAN links for statistics.

Enable Check/uncheck to enable/disable the WAN link. Enabling/disabling a WAN link does not represent the connectivity status of the WAN link. Connectivity statuses of the enabled WAN links are listed in the WAN Link State panel on Web UI page System > Summary.
Note Text descriptions for the WAN link. You can see the notes of the enabled WAN link in WAN Link State panel on Web UI page System > Summary.
WAN Type

The first step in a WAN link configuration is deciding the WAN type (See “WAN types: Routing mode and Bridge mode”). Configuration varies with [WAN Type] in [Basic Settings]. The [WAN Type] could be one of:

  • Routing Mode (See “Configurations for a WAN link in Routing Mode”)
  • Bridge Mode: One Static IP (See “Configurations for a WAN link in Bridge Mode: One Static IP”)
  • Bridge Mode: Multiple Static IP (See “Configurations for a WAN link in Bridge Mode: Multiple Static IP”)
  • Bridge Mode: PPPoE (See “Configurations for a WAN link in Bridge Mode: PPPoE”)
  • Bridge Mode: DHCP Client (See “Configurations for a WAN link in Bridge Mode: DHCP”)

See also
  • WAN link and WAN port
  • Configurations for a WAN link in Routing Mode
  • Configurations for a WAN link in Bridge Mode: One Static IP
  • Configurations for a WAN link in Bridge Mode: Multiple Static IP
  • Configurations for a WAN link in Bridge Mode: PPPoE
  • Configurations for a WAN link in Bridge Mode: DHCP

Routing-mode WAN link

Configuration of a routing-mode WAN link starts from selecting and enabling the WAN link on the Web UI (see Start to configure a WAN link in Configuring your WAN and DMZ), and selecting Routing Mode from the WAN Type drop-down menu in the Basic Setting panel. After that, you configure the following settings:

IPv4-based routing-mode WAN link
  • Basic setting and at least one IPv4 basic subnet are necessary.
  • An IPv4 static routing subnet is optional.

IPv4/IPv6 dual-stack routing-mode WAN link
  • Basic setting, one IPv4 basic subnet and one IPv6 basic subnet are necessary.
  • IPv4/IPv6 static routing subnets are optional.

Basic Setting

Besides the WAN Type, the remaining fields of the Basic Setting of a routing-mode WAN link are as follows:

WAN Port   A FortiWAN’s network port used to connect the WAN link with the FortiWAN (you need to physically install the network cable to this port for the WAN link). All the physical and VLAN ports that are mapped to WAN (see Aggregated, Redundant, VLAN Ports and Port Mapping) are listed here for your options. The WAN link field is unrelated to the WAN port. For example, you can install WAN link 1 to WAN Port3, or WAN link 3 to WAN Port 1. (See WAN link and WAN port).
Down/Up Stream The WAN link’s transfer speed at which you can download/upload data from/to the Internet. Please input the value in Kbps, e.g. 10240Kbps/640Kbps. FortiWAN Bandwidth Management’s default inbound and outbound classes use the two values actively to limit the download and upload rates on the WAN link (see Bandwidth Management).
Down/Up Stream Threshold Specify the upstream/downstream (Kbps) thresholds for the WAN link. A WAN link whose traffic exceeds a threshold is considered failed. FortiWAN’s Auto Routing and Multihoming ignore WAN links failed by exceeding traffic while distributing traffic over WAN links, if the Threshold function is enabled in their load-balancing policies (See Outbound Load Balancing and Failover (Auto Routing) and Inbound Load Balancing and Failover (Multihoming)). Leave it blank or zero if you do not apply a threshold to the WAN link.

MTU (Maximum Transmission Unit) refers to the size of the largest packet or frame that a given layer of a communications protocol can pass onwards on the WAN port. It allows dividing a packet into pieces, each small enough to pass over a single link. It is set to 1500 by default.
IPv4 Gateway IPv4 address of the default gateway of the WAN link. This field is mandatory.
IPv6 Gateway IPv6 address of the default gateway of the WAN link. This field is optional. Ignore it for IPv4-based links or configure it for IPv4/IPv6 dual stack links.

Static routing information

As mentioned previously, FortiWAN requires the correct routing information to deliver packets among the connected near WAN, DMZ and LAN networks. Configurations of basic subnets and static routing subnets of a WAN link are the routing information for the FortiWAN.

A routing-mode WAN link comes with an IP network, which should be deployed as a basic subnet of the WAN link. Since the localhost of the WAN port is part of the subnet, at least one basic subnet is necessary for configuring a routing-mode WAN link. For this reason, the IP(s) on Localhost and Netmask fields of a routing-mode WAN link are contained in the configuration of Basic Subnet rather than Basic Setting.

IPv4/IPv6 Basic Subnet

Basic subnets are the subnets connecting directly to FortiWAN. A DMZ must be associated with a WAN link, therefore, basic subnet of a WAN link can be divided into four types according to combination of WAN and DMZ:

  • Subnet in WAN: A subnet deployed in WAN. This type requires at least one IP for the localhost of the WAN port, and the rest of the subnet can be used for hosts in WAN (near WAN).
  • Subnet in DMZ: A subnet deployed in DMZ. This type requires at least one IP for the localhost of the DMZ port, and the rest of the subnet can be used for hosts in DMZ.
  • Subnet in WAN and DMZ: A subnet deployed in two segments, WAN and DMZ. Proxy ARP combines the two segments into one logical segment for the IP subnet (see ); that is, it logically combines the specified WAN port and DMZ port into a logical port. This type requires at least one IP for the localhost of the WAN port, and the rest of the subnet can be used for hosts in WAN (near WAN) and DMZ.
  • Subnet on Localhost: A subnet deployed on the localhost of a WAN port (this is not supported for IPv6 basic subnets). All the IP addresses of the subnet will be deployed on the WAN port.

A subnet in WAN and DMZ is probably the most practical deployment for a routing-mode WAN link. If the ISP provides only one network with your IPv4 WAN link (the most general case for a routing-mode link), you can deploy it as any of the subnet types except a subnet in DMZ. Remember, at least one IP address must be assigned to the localhost of a WAN port for the IPv4 link; therefore, at least one subnet must be associated with the WAN port. If you get more than one network from the ISP with the IPv4 link, you still have to deploy at least one of them as a subnet in WAN, a subnet in WAN and DMZ or a subnet on localhost, but there is no limitation on the rest of the networks. Briefly, if you are given only one network for the WAN link, you cannot deploy it as a subnet in DMZ. Similarly, configuring a dual stack link requires at least one IPv4 network and one IPv6 network, each deployed as a subnet in WAN, a subnet in WAN and DMZ or a subnet on localhost. Next comes the configuration of a basic subnet for each type:

[IPv4/IPv6 Basic Subnet]: Subnet in WAN

Click the add button on the IPv4 Basic Subnet panel or IPv6 Basic Subnet panel to add a configuration, and select Subnet in WAN from the Subnet Type drop-down menu. The remaining configuration fields for deploying an IPv4/IPv6 network as a subnet in WAN are as follows:

IP(s) on Localhost The IP address(es) that you want to assign to localhost of the specified WAN port (the WAN port that is specified in Basic Setting panel) for the WAN link. At least one IP address is required here. You can type a range of IP addresses here in format “IPstart-IPend” or click the add button to individually add more IP addresses to the localhost.

Note that the rest IP addresses of the network that are not assigned to the localhost here will be automatically considered as being located in WAN area.

Netmask/Prefix Length Netmask/Prefix Length of the IPv4/IPv6 network that you are deploying to the WAN link as a subnet in WAN.

This topology is frequently used where cluster hosts are deployed in WAN.

In this diagram, we have a WAN link attached to a given network whose netmask is 255.255.255.248, gateway is 203.69.118.9 and available IP addresses are 203.69.118.10 – 203.69.118.14. The WAN link is connected to FortiWAN’s Port2 (mapped to a WAN port) with IP address 203.69.118.10 assigned to the localhost. In this case, FortiWAN considers that the remaining IP addresses 203.69.118.11 – 203.69.118.14 are located in the WAN area (actually, the near WAN) of the WAN link. The following is the configuration for this case:

Basic Setting  
WAN Port Port2
IPv4 Gateway 203.69.118.9
IPv4 Basic Subnet  
Subnet Type Subnet in WAN
IP(s) on localhost 203.69.118.10
Netmask 255.255.255.248

Configuration of these settings implies a route on FortiWAN: any packet destined to 203.69.118.9 – 203.69.118.14 is directly forwarded through this WAN port, without Auto Routing and Bandwidth Management processing. In this case, subnet 203.69.118.8/29 (203.69.118.9 – 203.69.118.14) is the near WAN of the link.

[IPv4/IPv6 Basic Subnet]: Subnet in DMZ

Click the add button on the IPv4 Basic Subnet panel or IPv6 Basic Subnet panel to add a configuration, and select Subnet in DMZ from the Subnet Type drop-down menu. The remaining configuration fields are as follows:

IP(s) on Localhost The IP address(es) of the IPv4/IPv6 network that you want to assign to localhost of the specified DMZ port (the DMZ port that is specified below) of the WAN link. At least one IP address is required here. You can type a range of IP addresses here in format “IPstart-IPend” or click the add button to individually add more IP addresses to the localhost.

Note that the rest IP addresses of the network that are not assigned to the localhost here will be automatically considered as being located in DMZ area.

Netmask/Prefix Length Netmask/Prefix Length of the IPv4/IPv6 network that is being deployed as a subnet in DMZ and associated with the WAN link.
DMZ Port A FortiWAN’s network port used to connect a subnet of the WAN link with the FortiWAN as a DMZ subnet (you need to physically install the network cable to this port for the DMZ subnet). All the physical, logical and VLAN ports that are mapped to DMZ (see Aggregated, Redundant, VLAN Ports and Port Mapping) are listed here for your options.
Enable DHCP/DHCP Relay/SLAAC/DHCPv6 Service Click to enable automatic addressing on the specified DMZ port for hosts in the connected IPv4/IPv6 DMZ subnet (see Automatic addressing within a basic subnet for configuration details).

Note that only the IP addresses of the IPv4/IPv6 basic subnet defined here are the candidates for the related IP pools of automatic addressing.

This topology is frequently used where a cluster of hosts is deployed in DMZ. The following example of a subnet in DMZ builds on the above example of a WAN link with a subnet deployed in WAN. Click the [+] button on the IPv4/IPv6 Basic Subnet panel to add a subnet to the WAN link. Remember that a subnet in DMZ must coexist with a subnet in WAN, a subnet in WAN and DMZ or a subnet on localhost.

As described in the topology, since the cluster of hosts is deployed in DMZ, FortiWAN port5 has to be mapped to DMZ with IP address 140.112.8.9. Thus the hosts in the subnet use 140.112.8.9 as their default gateway. In this case, IP addresses 203.69.118.9 – 203.69.118.14 are treated as near WAN, while IP addresses 140.112.8.9 – 140.112.8.14 in DMZ do not belong to the near WAN. Check [Enable DHCP] if hosts in the subnet in DMZ require DHCP service, and enter the starting and ending address in [DHCP Range]. If any host in the subnet uses a static IP address, enter its IP and MAC address in [Static Mapping]. Similarly, if the ISP provides another IPv6 subnet, you can deploy it in DMZ. SLAAC and DHCPv6 in FortiWAN are designed to work together: SLAAC answers a host with a router advertisement (including the default gateway and DNS server) and DHCPv6 answers the host with an appropriate IPv6 address. Note: FortiWAN assumes that IP addresses not listed in [IP(s) on Localhost] can be used for hosts in the subnet.

In this diagram, we have another network that the ISP provides to the WAN link, whose netmask is 255.255.255.248, gateway is 140.112.8.9 and available IP addresses are 140.112.8.10 – 140.112.8.14. This network is connected to FortiWAN’s Port5 (mapped to a DMZ port) with IP address 203.69.118.10 assigned to the localhost. In this case, FortiWAN considers that the remaining IP addresses 203.69.118.11 – 203.69.118.14 are located in the WAN area (actually, the near WAN) of the WAN link. The following is the configuration for this case:

Basic Setting  
WAN Port Port2
IPv4 Gateway 203.69.118.9
IPv4 Basic Subnet 1  
Subnet Type Subnet in WAN
IP(s) on localhost 203.69.118.10
Netmask 255.255.255.248
IPv4 Basic Subnet 2  
Subnet Type Subnet in DMZ
IP(s) on localhost 140.112.8.9
Netmask 255.255.255.248
DMZ Port Port5

For the details about DHCP, DHCP Relay, SLAAC and DHCPv6, see “Automatic addressing within a basic subnet”.

[IPv4/IPv6 Basic Subnet]: Subnet in WAN and DMZ

Click the add button on the IPv4 Basic Subnet panel or IPv6 Basic Subnet panel to add a configuration, and select Subnet in WAN and DMZ from the Subnet Type drop-down menu. The remaining configuration fields are as follows:

IP(s) on Localhost The IP address(es) of the IPv4/IPv6 network that you want to assign to localhost of the specified WAN port (the WAN port that is specified in Basic Setting panel) and DMZ port (the DMZ port that is specified below) of the WAN link. The WAN port and DMZ port will be logically combined for Public IP Passthrough. At least one IP address is required here. You can type a range of IP addresses here in format “IPstart-IPend” or click the add button to individually add more IP addresses to the localhost.
IP(s) in WAN The IP address(es) of the IPv4/IPv6 network that you want to assign to the WAN area (near WAN) of the WAN link. You can leave it blank, type one IP address or a range of IP addresses (in format “IPstart-IPend” ) here. You can also click the add button to individually add more IP addresses to the near WAN.

Note that the rest IP address(es) of the network that are not assigned to the localhost (above) and WAN (here) will be automatically considered as being located in DMZ. Therefore, no matter how you deploy IP addresses in WAN area, at least one IP address, IP address of gateway of the WAN link (what you set in Basic Setting for IPv4 Gateway and/or IPv6 Gateway), must be contained in this field.

Netmask/Prefix Length Netmask/Prefix Length of the IPv4/IPv6 network that you are deploying to the WAN link as a subnet in WAN.
DMZ Port A FortiWAN’s network port used to connect a part of the subnet to the WAN link as segment in DMZ (you need to physically install the network cable to this port for the DMZ subnet). All the physical, logical and VLAN ports that are mapped to DMZ (see Aggregated, Redundant, VLAN Ports and Port Mapping) are listed here for your options.
Enable DHCP/DHCP Relay/SLAAC/DHCPv6 Service Click to enable automatic addressing on the specified DMZ port for hosts in the connected IPv4/IPv6 DMZ segment (see Automatic addressing within a basic subnet for configuration details).

Note that only the IP addresses assigned to the DMZ part of the defined basic subnet are the candidates for the related IP pools of automatic addressing.

This topology is frequently found where a cluster of hosts in one subnet is deployed on both the WAN side and the DMZ side.

As described in the topology, port2 and port5 are connected by a dotted line, indicating that an IP range in the same subnet 203.69.118.8/29 spreads across WAN (port2) and DMZ (port5). FortiWAN employs Proxy ARP to connect those hosts so that they behave as though in the same network segment (See “Public IP pass through (DMZ Transparent Mode)”).

Note that although IP address 203.69.118.9 has been configured as default gateway in Basic Setting table, you are still required to add it in the field [IP(s) in WAN]. When you select [Subnet in WAN and DMZ] from [Subnet Type], FortiWAN will assume the IP addresses that are unlisted in [IP(s) on Localhost] and [IP(s) in WAN] are all in DMZ. Thus, in this example, except 203.69.118.10, 203.69.118.9 and 203.69.118.11-203.69.118.12, the rest IP addresses of subnet 203.69.118.8/29 are assigned to DMZ for Public IP Pass-through. In this case, IP addresses 203.69.118.9 – 203.69.118.12 in WAN side are treated as in near WAN, while IP addresses 203.69.118.13 – 203.69.118.14 in DMZ side do not belong to near WAN.

Check [Enable DHCP] if hosts in the DMZ part of the subnet require DHCP service, and enter the starting and ending address in [DHCP Range]. If any host in the subnet uses a static IP address, enter its IP and MAC address in [Static Mapping]. The configuration for deploying an IPv6 public subnet in WAN and DMZ is similar.

Basic Setting  
WAN Port Port2
IPv4 Gateway 203.69.118.9
IPv4 Basic Subnet  
Subnet Type Subnet in WAN and DMZ
IP(s) on localhost 203.69.118.10
IP(s) in WAN 203.69.118.11-203.69.118.12
Netmask 255.255.255.248
DMZ Port Port5

For the details about DHCP, DHCP Relay, SLAAC and DHCPv6, see “Automatic addressing within a basic subnet”.
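The Subnet in WAN and DMZ rules above (the localhost and WAN lists are explicit, everything else in the subnet falls into DMZ, and the gateway must therefore be listed under IP(s) in WAN) are easy to get wrong in the Web UI. The following Python snippet is an added example written for this page, not FortiWAN’s own code: it derives the near WAN and DMZ parts of an IPv4 basic subnet from the same fields the panel asks for (IP(s) on Localhost, Netmask, IP(s) in WAN, the IPv4 Gateway from Basic Setting), rejects a configuration whose gateway is not listed in IP(s) in WAN, and checks that a [DHCP Range] lies entirely in the DMZ part, since only that part is a candidate for the pool. The function names are constructed; the addresses are the page’s example (203.69.118.8/29, gateway .9, localhost .10, WAN .11-.12). It is IPv4 only, so that the subnet’s host addresses can be enumerated.

```python
# Added example (not FortiWAN's code): derive the near WAN and DMZ parts of a
# "Subnet in WAN and DMZ" IPv4 basic subnet from the Web UI fields described
# above, and check a DHCP range against the DMZ part.
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import Dict, Iterable, Set, Union

Partition = Dict[str, Union[IPv4Network, Set[IPv4Address]]]


def expand(entry: str) -> Set[IPv4Address]:
    """Expand one Web UI entry: a single address or an "IPstart-IPend" range."""
    if "-" in entry:
        start_s, end_s = entry.split("-", 1)
        start, end = ip_address(start_s.strip()), ip_address(end_s.strip())
        if end < start:
            raise ValueError(f"range end precedes start: {entry!r}")
        return {start + i for i in range(int(end) - int(start) + 1)}
    return {ip_address(entry.strip())}


def partition_wan_and_dmz(netmask: str, gateway: str,
                          ips_on_localhost: Iterable[str],
                          ips_in_wan: Iterable[str]) -> Partition:
    """Split the subnet the way the text describes for Subnet Type
    'Subnet in WAN and DMZ': listed localhost addresses, listed WAN addresses
    (gateway included) and everything else as DMZ (Public IP Pass-through)."""
    local = set().union(*(expand(e) for e in ips_on_localhost))
    wan = set().union(*(expand(e) for e in ips_in_wan))
    if not local:
        raise ValueError("IP(s) on Localhost requires at least one address")
    # The subnet is implied by the localhost address(es) and the netmask field.
    net = ip_network((str(min(local)), netmask), strict=False)
    gw = ip_address(gateway)
    for addr in local | wan | {gw}:
        if addr not in net:
            raise ValueError(f"{addr} is not inside {net}")
    if local & wan:
        raise ValueError(f"listed in both Localhost and WAN: {sorted(local & wan)}")
    if gw not in wan:
        # Unlisted addresses fall into DMZ, so an unlisted gateway would be
        # treated as a DMZ host and traffic towards it would misbehave.
        raise ValueError(f"gateway {gw} must be listed in IP(s) in WAN")
    hosts = set(net.hosts())  # excludes the network and broadcast addresses
    return {"network": net, "localhost": local, "near_wan": wan,
            "dmz": hosts - local - wan}


def dhcp_range_ok(partition: Partition, dhcp_range: str) -> bool:
    """Only the DMZ part of the basic subnet is a candidate for the DHCP pool."""
    return expand(dhcp_range) <= partition["dmz"]


if __name__ == "__main__":
    # The page's example: localhost .10, WAN .9 (gateway) and .11-.12, DMZ .13-.14.
    parts = partition_wan_and_dmz("255.255.255.248", "203.69.118.9",
                                  ["203.69.118.10"],
                                  ["203.69.118.9", "203.69.118.11-203.69.118.12"])
    for name in ("network", "localhost", "near_wan", "dmz"):
        print(name, parts[name] if name == "network" else sorted(parts[name]))
    print("DHCP .13-.14 ok:", dhcp_range_ok(parts, "203.69.118.13-203.69.118.14"))
```

Running it reproduces the split stated in the text (near WAN 203.69.118.9, .11, .12; DMZ .13, .14); dropping 203.69.118.9 from the WAN list raises a ValueError instead of silently placing the gateway in DMZ.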

[IPv4/IPv6 Basic Subnet]: Subnet on Localhost

Click the add button on the IPv4 Basic Subnet panel (this subnet type is not supported for IPv6 basic subnets) to add a configuration, and select Subnet on Localhost from the Subnet Type drop-down menu. The remaining configuration fields are as follows:

Network IP The network IP of the subnet that you want to assign to localhost of the specified WAN port (the WAN port that is specified in Basic Setting panel).
Netmask Netmask of the IPv4 subnet that you are deploying to the WAN link as a subnet on localhost.

This topology is found where a subnet is assigned to FortiWAN itself to make better use of Virtual Server.

This deployment is much simpler than the other subnet types. Except for the gateway, all the IP addresses of the subnet are assigned to the WAN port of the WAN link; there are no IP addresses available for deployment in the WAN and/or DMZ areas. All of the IP addresses indicate the associated WAN link to the NAT, Multihoming and Virtual Server services. For this example, the configuration just requires 203.69.118.8 and 255.255.255.248 to be entered in [Network IP] and [Netmask] respectively.

Basic Setting  
WAN Port Port2
IPv4 Gateway 203.69.118.9
IPv4 Basic Subnet  
Subnet Type Subnet on Localhost
Network IP 203.69.118.8
Netmask 255.255.255.248

Note that, for all of the subnet types described above, the IP addresses (IPv4 or IPv6) specified in the field [IP(s) on Localhost] can be used by NAT as the translated source IP address of packets. The first IP address on the list of [IP(s) on Localhost] is used for the NAT default rules of the WAN link. The system generates NAT default rules automatically for a WAN link so that a host with a private IP address in LAN can access the Internet without NAT rules being set manually. For FortiWAN V4.0.x, the system does not generate NAT default rules for IPv6 WAN links; setting NAT rules manually is required (See “NAT”).

IPv4/IPv6 Static Routing Subnets

A WAN link’s static routing subnets are the subnets connected to the WAN link’s basic subnets via routers or L3 switches. As with basic subnets, FortiWAN needs the corresponding static route (dynamic routing protocols are not supported for WAN links’ networks) so that it can find the path to forward packets to the static routing subnets. Configuring a static routing subnet for a WAN link here means adding the routing information to FortiWAN. A routing-mode WAN link supports both IPv4 and IPv6 static routing subnets, for pure IPv4-based WAN links and IPv4/IPv6 dual stack WAN links. According to the area a subnet is deployed in, the static routing subnets of a WAN link are divided into:

  • Subnet in WAN: A static routing subnet deployed in WAN, connected to a basic subnet in WAN or basic subnet in WAN and DMZ.
  • Subnet in DMZ: A static routing subnet deployed in DMZ, connected to a basic subnet in DMZ or basic subnet in WAN and DMZ.

A few examples follow to further illustrate the configurations in [Basic Subnet] and [Static Routing Subnet].

[IPv4/IPv6 Static Routing Subnet]: Subnet in WAN

Click the add button on the IPv4 Static Routing Subnet panel or IPv6 Static Routing Subnet panel to add a configuration, and select Subnet in WAN from the Subnet Type drop-down menu. The remaining configuration fields are as follows:

Network IP The network IP of the IPv4 static routing subnet that you want to deploy in (near) WAN area of the WAN link. This field is in IPv4 Static Routing Subnet panel.
Netmask Netmask of the IPv4 static routing subnet that you want to deploy in (near) WAN area of the WAN link. This field is in IPv4 Static Routing Subnet panel.
Subnet The IPv6 static routing subnet that you want to deploy in (near) WAN area of the WAN link in format such as 2000::123f:0:0:1/32. This field is in IPv6 Static Routing Subnet panel.
Gateway IPv4/IPv6 address of the gateway (router) connecting a basic subnet with the static routing subnet. This IP address is the path that FortiWAN uses to forward packets destined to the static routing subnet to. This field is in both IPv4 and IPv6 Static Routing Subnet panels.
Proxy ARP Check to enable Proxy ARP on FortiWAN for the static routing subnet; FortiWAN will answer the ARP queries for a network address that is in the static routing subnet. This field is in IPv4 Static Routing Subnet panel.

This topology, where a static routing subnet is located on the WAN, is rarely seen in actual networks. In other words, the subnet in the WAN does not connect to FortiWAN directly, but needs a router to transfer packets. In this example, a subnet 202.3.1.8/29 located on the WAN connects to the basic subnet 203.69.118.8/29 via a router (202.3.1.9 and 203.69.118.10). Subnet 202.3.1.8/29 is therefore a static routing subnet of the WAN link. The configuration of the static routing subnet tells FortiWAN the route for packets destined to subnet 202.3.1.8/29.

As described in the UI, FortiWAN forwards packets to the gateway 203.69.118.10 to deliver them to subnet 202.3.1.8/255.255.255.248.

Basic Setting
WAN Port Port2
IPv4 Gateway 203.69.118.9
IPv4 Basic Subnet
Subnet Type Subnet in WAN
IP(s) on localhost 203.69.118.10
Netmask 255.255.255.248
IPv4 Static Routing Subnet
Subnet Type Subnet in WAN
Network IP 202.3.1.8
Netmask 255.255.255.248
Gateway 203.69.118.10
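To check that such routing information is self-consistent before applying it in the Web UI, here is an added Python example (not part of the FortiWAN documentation or product) that applies the rules stated above to a configuration dictionary: the WAN gateway and every localhost address must lie inside a basic subnet, and the gateway of each static routing subnet must sit on a basic subnet and must not be one of FortiWAN's own addresses. The subnet, gateway and static route values are taken from the example above; the localhost address 203.69.118.11 and the dictionary layout are assumptions of this example.

```python
import ipaddress
from typing import Dict, List

# Constructed example, adapted from the "Subnet in WAN" static routing
# example above. Basic subnet 203.69.118.8/29, WAN gateway 203.69.118.9 and
# the static route 202.3.1.8/29 via 203.69.118.10 are the page's values;
# the localhost address 203.69.118.11 is an assumption so that FortiWAN's own
# address and the router's address (203.69.118.10) are distinct.
WAN_LINK = {
    "ipv4_gateway": "203.69.118.9",
    "basic_subnets": [
        {"type": "Subnet in WAN",
         "network": "203.69.118.8", "netmask": "255.255.255.248",
         "localhost": ["203.69.118.11"]},
    ],
    "static_routing_subnets": [
        {"type": "Subnet in WAN",
         "network": "202.3.1.8", "netmask": "255.255.255.248",
         "gateway": "203.69.118.10"},
    ],
}


def _network(entry: Dict, problems: List[str]) -> ipaddress.IPv4Network:
    """Parse Network IP + Netmask. A Network IP with host bits set is a
    misconfiguration, so it is reported instead of being silently corrected."""
    try:
        return ipaddress.ip_network(f"{entry['network']}/{entry['netmask']}")
    except ValueError:
        problems.append(f"{entry['network']}/{entry['netmask']} is not a valid "
                        "network address for that netmask")
        return ipaddress.ip_network(f"{entry['network']}/{entry['netmask']}",
                                    strict=False)


def check_wan_link(link: Dict) -> List[str]:
    """Return human-readable problems with the routing information of a
    routing-mode WAN link; an empty list means it is self-consistent."""
    problems: List[str] = []
    gw = ipaddress.ip_address(link["ipv4_gateway"])
    basics: List[ipaddress.IPv4Network] = []
    localhost_ips = set()

    for bs in link["basic_subnets"]:
        net = _network(bs, problems)
        basics.append(net)
        for ip_s in bs["localhost"]:
            ip = ipaddress.ip_address(ip_s)
            localhost_ips.add(ip)
            if ip not in net:
                problems.append(f"localhost {ip} is outside basic subnet {net}")
            elif ip in (net.network_address, net.broadcast_address):
                problems.append(f"localhost {ip} is the network or broadcast "
                                f"address of {net}")
            if ip == gw:
                problems.append(f"localhost {ip} collides with the IPv4 gateway")

    # The default gateway must be directly reachable, i.e. inside a basic
    # subnet, because dynamic routing is not available for WAN link networks.
    if not any(gw in n for n in basics):
        problems.append(f"IPv4 gateway {gw} is not inside any basic subnet")

    for srs in link["static_routing_subnets"]:
        net = _network(srs, problems)
        srgw = ipaddress.ip_address(srs["gateway"])
        # The router towards a static routing subnet sits on a basic subnet.
        if not any(srgw in n for n in basics):
            problems.append(f"static route gateway {srgw} for {net} is not on "
                            "a basic subnet")
        if srgw in localhost_ips:
            problems.append(f"static route gateway {srgw} is one of FortiWAN's "
                            "own localhost addresses")
        if any(net.overlaps(n) for n in basics):
            problems.append(f"static routing subnet {net} overlaps a basic subnet")
    return problems


def nat_default_source(link: Dict) -> str:
    """The page states that the first IP(s) on Localhost entry is used for the
    WAN link's NAT default rules; taking it from the first basic subnet is an
    assumption of this example."""
    return link["basic_subnets"][0]["localhost"][0]


if __name__ == "__main__":
    for p in check_wan_link(WAN_LINK) or ["no problems found"]:
        print(p)
    print("NAT default source:", nat_default_source(WAN_LINK))
```

Running the script on the configuration above reports no problems and prints 203.69.118.11 as the address the NAT default rules would use; changing the static route's gateway to an address outside 203.69.118.8/29 makes the check fail, which is the mistake the "Gateway" field description warns against.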

[IPv4/IPv6 Static Routing Subnet]: Subnet in DMZ

Click the add button on the IPv4 Static Routing Subnet panel or IPv6 Static Routing Subnet panel to add a configuration, and select Subnet in DMZ from the Subnet Type drop-down menu. The remaining configuration fields are as follows:

Network IP The network IP of the IPv4 static routing subnet that you want to deploy in DMZ area of the WAN link. This field is in IPv4 Static Routing Subnet panel.
Netmask Netmask of the IPv4 static routing subnet that you want to deploy in DMZ area of the WAN link. This field is in IPv4 Static Routing Subnet panel.
Subnet The IPv6 static routing subnet that you want to deploy in DMZ area of the WAN link in format such as 2000::123f:0:0:1/32. This field is in IPv6 Static Routing Subnet panel.
Gateway IPv4/IPv6 address of the gateway (router) connecting a basic subnet with the static routing subnet. This IP address is the path that FortiWAN uses to forward packets destined to the static routing subnet to. This field is in both IPv4 and IPv6 Static Routing Subnet panels.
Proxy ARP Check to enable Proxy ARP on FortiWAN for the static routing subnet; FortiWAN will answer the ARP queries for a network address that is in the static routing subnet. This field is in IPv4 Static Routing Subnet panel.

This topology is very similar to the Static Routing Subnet: Subnet in WAN of the last example; the only difference is that the subnet is in the DMZ area.

As described in the UI, FortiWAN forwards packets to the gateway 203.69.118.14 to deliver them to subnet 139.3.1.8/255.255.255.248.

Basic Setting
WAN Port Port2
IPv4 Gateway 203.69.118.9
IPv4 Basic Subnet
Subnet Type Subnet in WAN and DMZ
IP(s) on localhost 203.69.118.10
IP(s) in WAN 203.69.118.11-203.69.118.13
Netmask 255.255.255.248
DMZ Port Port5
IPv4 Static Routing Subnet
Subnet Type Subnet in WAN
Network IP 202.3.1.8
Netmask 255.255.255.248
Gateway 203.69.118.14
See also
  • WAN link and WAN port
  • VLAN and port mapping
  • Configurations for VLAN and Port Mapping
  • Outbound Load Balancing and Failover (Auto Routing)
  • Inbound Load Balancing and Failover (Multihoming)
  • Scenarios to deploy subnets
  • Public IP pass through (DMZ Transparent Mode)
  • IPv6/IPv4 Dual Stack

Bridge-mode (multiple static IP) WAN link

Configuration of a multiple-static-IP bridge-mode WAN link starts from selecting and enabling the WAN link on the Web UI (see Start to configure a WAN link in Configuring your WAN and DMZ), and selecting Bridge Mode: Multiple Static IP from the WAN Type drop-down menu in the Basic Setting panel. After that, configure the following settings:

IPv4-based bridge-mode WAN link
  • Only Basic setting is necessary.
  • IPv4 basic subnets and IPv4 static routing subnets are not supported here.

IPv4/IPv6 Dual-stack bridge-mode WAN link
  • Only Basic setting is necessary.
  • IPv4 basic subnets and IPv4 static routing subnets are not supported here; IPv6 basic subnets and IPv6 static routing subnets are optional.

Different from routing mode, configuration of static routing is contained in Basic Setting for a bridge-mode WAN link. Similar to routing mode, FortiWAN uses ProxyARP to combine the WAN area and DMZ area as one logical network segment.

Basic Setting

Besides the WAN Type, the remaining setting fields of Basic Setting for a multiple-static-IP bridge-mode WAN link are as follows:

WAN Port A FortiWAN network port used to connect the WAN link with the FortiWAN (you need to physically install the network cable to this port for the WAN link). All the physical and VLAN ports that are mapped to WAN (see Aggregated, Redundant, VLAN Ports and Port Mapping) are listed here for selection. The WAN link number is unrelated to the WAN port number. For example, you can install WAN link 1 on WAN Port3, or WAN link 3 on WAN Port 1. (See WAN link and WAN port).
Up/Down Stream The WAN link’s transfer speed at which you can download/upload data from/to the Internet. Enter the values in Kbps, e.g. 10240Kbps/640Kbps. FortiWAN Bandwidth Management’s default inbound and outbound classes use these two values to limit the download and upload rates on the WAN link (see Bandwidth Management).
Up/Down Stream Threshold Specify the upstream/downstream threshold (Kbps) for the WAN link. A WAN link whose traffic exceeds the thresholds is considered failed. FortiWAN’s Auto Routing and Multihoming ignore WAN links failed by exceeding traffic while distributing traffic over WAN links, if the Threshold function is enabled in their load-balancing policies (See Outbound Load Balancing and Failover (Auto Routing) and Inbound Load Balancing and Failover (Multihoming)). Leave it blank or zero if you do not apply a threshold to the WAN link.
MTU (Maximum Transmission Unit) refers to the size of the largest packet or frame that a given layer of a communications protocol can pass onwards on the WAN port. Larger packets are divided into pieces, each small enough to pass over a single link. It is set to 1500 by default.
IPv4 IP(s) on Localhost The IPv4 addresses that are deployed on localhost (See “Scenarios to deploy subnets”). IP addresses specified here can be used as the translated source IP address for NAT. The first IP address listed here is used to generate the NAT default rules of the WAN link (See “NAT”).
IPv4 IP(s) in WAN The IPv4 addresses that are deployed in WAN.
IPv4 IP(s) in DMZ The IPv4 addresses that are deployed in DMZ.
Different from the configuration of routing mode’s basic subnets, a bridge-mode WAN link requires you to specify the exact IPs in the fields IP(s) in WAN and IP(s) in DMZ if you want to deploy those IP addresses in the WAN and DMZ areas. FortiWAN does not automatically classify the remaining IPs of a subnet as IPs in WAN or IPs in DMZ for bridge-mode WAN links (FortiWAN does so for a routing-mode WAN link), since bridge mode is supposed to work with certain IPs of a large-scale network (see WAN types: Routing mode and Bridge mode) and FortiWAN is not aware of which IPs an ISP has provided you for the WAN link (the remaining IPs of the large-scale subnet are not valid to be deployed in your network).

IPv4 Netmask The IPv4 netmask that ISP provides.
IPv4 Gateway The IPv4 address of the default gateway.
IPv6 IP(s) on Localhost The IPv6 addresses that are deployed on localhost (See “Scenarios to deploy subnets”). IP addresses specified here can be used for NAT to transfer the source IP address of packets to. The first IP address listed here will be used to generate the NAT default rules of the WAN link. For FortiWAN V4.0.x, system does not generate NAT default rules for IPv6 WAN links, setting NAT rules manually is required (See “NAT”).
IPv6 IP(s) in WAN The IPv6 addresses that are deployed in WAN.
IPv6 IP(s) in DMZ The IPv6 addresses that are deployed in DMZ.
IPv6 Prefix The IPv6 prefix that ISP provides.
IPv6 Gateway The IPv6 address of the default gateway.
Subnet The IPv6 subnet deployed on the WAN link.
DMZ Port The network port of FortiWAN used to connect the DMZ area. All the physical and logical ports that are mapped to DMZ (see Configurations for VLAN and Port Mapping) are listed here for selection. Hosts deployed in the DMZ must be connected to this port. Public IP pass-through (see Public IP Pass-through) is supported to combine the selected WAN port and DMZ port.
Enable DHCP/DHCP Relay/SLAAC/DHCPv6 Service Click to enable automatic addressing on the specified DMZ port for hosts in the connected IPv4/IPv6 DMZ segment (see Automatic addressing within a basic subnet for configuration details).

Note that only the IP addresses defined in the fields IPv4 IP(s) in DMZ and IPv6 IP(s) in DMZ are candidates for the related IP pools of automatic addressing.

SLAAC and DHCPv6 in FortiWAN are designed to work together: SLAAC responds to a host with router advertisements (including default gateway and DNS server), and DHCPv6 responds to the host with an appropriate IPv6 address.

This topology can be seen where a group of valid IP addresses in the range 211.21.40.32~211.21.40.34 has been given by the ISP and assigned to port1 on FortiWAN, with a default gateway of 211.21.40.254, also given by the ISP. If there are other hosts deployed on the WAN, configure their IP addresses in [IP(s) in WAN]; if there are hosts deployed on the DMZ, configure their IP addresses in [IP(s) in DMZ].

Basic Setting  
WAN Port Port1
IPv4 IP(s) on Localhost 211.21.40.32
IPv4 IP(s) in WAN 211.21.40.33
IPv4 IP(s) in DMZ 211.21.40.34
IPv4 Netmask 255.255.255.0
IPv4 Gateway 211.21.40.254
DMZ Port Port5

Static routing information

FortiWAN assumes that the near WAN and DMZ areas of a bridge-mode WAN link (both IPv4-based and dual-stack) are parts of a large-scale network, not a complete network, with the exception of extra IPv6 subnets being available for dual-stack WAN links. Static routing information is given to FortiWAN by assigning individual IPs in Basic Setting, rather than by specifying a network in Basic Subnet. FortiWAN’s bridge mode accepts complete IPv6 networks to be deployed to the DMZ; in case the ISP provides multiple IPv6 subnets for a dual-stack connection, this is an option for you to use. Configurations of IPv6 basic subnets and IPv6 static routing subnets therefore provide the routing information for FortiWAN.

[IPv6 Basic Subnet]: Subnet in DMZ

This is the only type that FortiWAN provides for basic subnets of a bridge-mode WAN link. Click the add button on the IPv6 Basic Subnet panel to add a configuration, and select Subnet in DMZ from the Subnet Type drop-down menu. The remaining configuration fields are as follows:

IP(s) on Localhost The IP address(es) of the IPv6 network that you want to assign to localhost of the specified DMZ port (the DMZ port that is specified below) of the WAN link. At least one IP address is required here. You can type a range of IP addresses here in format “IPstart-IPend” or click the add button to individually add more IP addresses to the localhost.

Note that the rest IP addresses of the network that are not assigned to the localhost here will be automatically considered as being located in DMZ area.

Prefix Length Prefix Length of the IPv6 network that is being deployed as a subnet in DMZ and associated with the WAN link.
DMZ Port A FortiWAN’s network port used to connect a subnet of the WAN link with the FortiWAN as a DMZ subnet (you need to physically install the network cable to this port for the DMZ subnet). All the physical, logical and VLAN ports that are mapped to DMZ (see Aggregated, Redundant, VLAN Ports and Port Mapping) are listed here for your options.
Enable SLAAC/DHCPv6 Service Click to enable automatic addressing on the specified DMZ port for hosts in the connected IPv6 DMZ subnet (see Automatic addressing within a basic subnet for configuration details).

Note that only the IP addresses of the IPv6 basic subnet defined here are the candidates for related IP pools of automatic addressing.

[IPv6 Static Routing Subnet]: Subnet in DMZ

This is the only type that FortiWAN provides for static routing subnets of a bridge-mode WAN link. Click the add button on the IPv6 Static Routing Subnet panel to add a configuration, and select Subnet in DMZ from the Subnet Type drop-down menu. The remaining configuration fields are as follows:

Subnet The IPv6 static routing subnet that you want to deploy in DMZ area of the WAN link in format such as 2000::123f:0:0:1/32.
Gateway IPv6 address of the gateway (router) connecting a basic subnet with the static routing subnet. This IP address is the path that FortiWAN uses to forward packets destined to the static routing subnet to.
See also
  • WAN link and WAN port
  • VLAN and port mapping
  • Configurations for VLAN and Port Mapping
  • Outbound Load Balancing and Failover (Auto Routing)
  • Inbound Load Balancing and Failover (Multihoming)
  • Scenarios to deploy subnets
  • Public IP pass through (DMZ Transparent Mode)
  • IPv6/IPv4 Dual Stack

Bridge-mode (one static IP) WAN link

Configuration of a one-static-IP bridge-mode WAN link starts from selecting and enabling the WAN link on the Web UI (see Start to configure a WAN link in Configuring your WAN and DMZ), and selecting Bridge Mode: One Static IP from the WAN Type drop-down menu in the Basic Setting panel. After that, configure the following settings:

IPv4-based bridge-mode WAN link
  • Only Basic setting is necessary.
  • IPv4 basic subnets and IPv4 static routing subnets are not supported here.

IPv4/IPv6 Dual-stack bridge-mode WAN link
  • Only Basic setting is necessary.
  • IPv4 basic subnets and IPv4 static routing subnets are not supported here; IPv6 basic subnets and IPv6 static routing subnets are optional.

Different from routing mode, configuration of static routing is contained in Basic Setting for a bridge-mode WAN link.

Basic Setting

Besides the WAN Type, the remaining setting fields of Basic Setting for a one-static-IP bridge-mode WAN link are as follows:

WAN Port A FortiWAN’s network port used to connect the WAN link with the FortiWAN (you need to physically install the network cable to this port for the WAN link). All the physical and VLAN ports that are mapped to WAN (see Aggregated, Redundant, VLAN Ports and Port Mapping) are listed here for your options. The WAN link field is unrelated to the WAN port. For example, you can install WAN link 1 to WAN Port3, or WAN link 3 to WAN Port 1. (See WAN link and WAN port).
Up/Down Stream The WAN link’s transfer speed at which you can download/upload data from/to the Internet. Please input the value in Kbps, e.g. 10240Kbps/640Kbps. FortiWAN Bandwidth Management’s default inbound and outbound classes use the two values to limit the download and upload rates on the WAN link (see Bandwidth Management).

Up/Down Stream Threshold Specify upstream/downstream (Kbps) threshold to the WAN link. WAN links with traffic exceeding the thresholds will be considered as failed.

FortiWAN’s Auto Routing and Multihoming will ignore the WAN links failed by exceeding traffic while distributing traffic over WAN links, if the Threshold function is enabled in their load-balancing policies (See Outbound Load Balancing and Failover (Auto Routing) and Inbound Load Balancing and Failover (Multihoming)).

Leave it blank or zero if you do not apply threshold to the WAN link.

MTU (Maximum Transmission Unit) refers to the size of the largest packet or frame that a given layer of a communications protocol can pass onwards on the WAN port. Larger packets are divided into pieces, each small enough to pass over a single link. It is set to 1500 by default.
IPv4 Localhost IP The IPv4 address that the ISP provides (See “Scenarios to deploy subnets”). The IP address specified here can be used as the translated source IP address for NAT, and is used to generate the NAT default rules of the WAN link (See “NAT”).
IPv4 Netmask The IPv4 netmask that the ISP provides.
IPv4 Gateway The IPv4 address of the default gateway.
IPv6 Localhost IP The IPv6 address that the ISP provides (See “Scenarios to deploy subnets”). The IP address specified here can be used as the translated source IP address for NAT, and is used to generate the NAT default rules of the WAN link. For FortiWAN V4.0.x, the system does not generate NAT default rules for IPv6 WAN links; setting NAT rules manually is required (See “NAT”).
IPv6 Prefix The IPv6 prefix that ISP provides.
IPv6 Gateway The IPv6 address of the default gateway.

[Bridge Mode: One Static IP] is used when the ISP gives one static IPv4 address to a user. Usually, the IPv4 address a user obtains is one IP address of a class C IPv4 network, as indicated by the netmask 255.255.255.0. The default gateway that the ISP assigns is located in the ISP’s network, while the ATU-R works in bridge mode.

FortiWAN’s Bridge Mode: One Static IP is suggested for this case. IPv6/IPv4 dual stack is supported for FortiWAN’s Bridge Mode: One Static IP. In the dual-stack case, similar to the previous one, the ISP might provide you a WAN IPv6 subnet and a LAN IPv6 subnet. You can deploy the LAN IPv6 subnet as a basic subnet in DMZ. Although the deployment is under FortiWAN’s Bridge Mode, FortiWAN routes packets between WAN and DMZ for the IPv6 subnets. Basic subnets are not supported for an IPv4 network deployed in Bridge Mode. The following topology is widely seen where a user gets one static IP from the ISP.

See also
  • WAN link and WAN port
  • VLAN and port mapping
  • Configurations for VLAN and Port Mapping
  • Outbound Load Balancing and Failover (Auto Routing)
  • Inbound Load Balancing and Failover (Multihoming)
  • Scenarios to deploy subnets
  • IPv6/IPv4 Dual Stack

FortiWAN Configurations for a WAN link in Bridge Mode: PPPoE

[Bridge Mode: PPPoE] is used for a PPPoE WAN link (the ISP provides dynamic or static IP addresses via PPPoE). In [Basic Settings], configure the upstream and downstream, user name, password and service name given by the ISP. Leave [IP Address] blank if you are assigned a dynamic IP address; otherwise, enter your static IP address. Select the FortiWAN WAN port to which the PPPoE ADSL modem is connected, e.g. port1. Check [Redial Enable] to enable redial. As some ISPs automatically reconnect to the network within a certain time interval, [Redial Enable] avoids simultaneous redialing of WAN links by staggering the WAN redial times. When connecting several DHCP/PPPoE WAN links to the same ISP, the connections might fail if they are deployed on the same physical WAN port via VLAN, because they share the same MAC address. Via [Clone MAC Enable] you can configure MAC address clone on FortiWAN for this deployment.

Basic Setting

WAN Port The physical port (network interface) on FortiWAN used to connect the WAN link. For the deployment of multiple WAN links on one WAN port, set this field with the same value for those WAN links. For example, select Port1 for configurations of WAN link1, WAN link2 and WAN link3 for deploying the three WAN links on WAN port1. Note: The port has to be mapped to [WAN] beforehand in [VLAN and Port Mapping] (See “WAN link and WAN port”, “VLAN and port mapping” and “Configurations for VLAN and Port Mapping”).
Up/Down Stream The WAN link’s transfer speed at which you can upload/download data to/from the Internet e.g. 512Kbps.
Up/Down Stream Threshold Specify upstream/downstream (Kbps) threshold for the WAN link. WAN link with traffic that exceeds the threshold values will be considered as failed. FortiWAN’s Auto Routing and Multihoming (See “Outbound Load Balancing and Failover (Auto Routing)” and “Inbound Load Balancing and Failover (Multihoming)”) use the value while balancing traffic between WAN links if the Threshold function is enabled. Leave it blank or zero if you do not apply threshold to the WAN link.
MTU (Maximum Transmission Unit) refers to the size of the largest packet or frame that a given layer of a communications protocol can pass onwards. Larger packets are divided into pieces, each small enough to pass over a single link.
User Name Fill in the user name provided by the ISP.
Password Fill in the password provided by the ISP.
Service Name Fill in the service name provided by the ISP. Leave it blank if the ISP does not require it.
IPv4 Address Fill in the IPv4 address provided by the ISP. Leave it blank if the ISP does not require it.
IPv6 Enable Check to enable IPv6 over PPPoE.
Redial Enable Since some ISPs tend to turn off PPPoE connections on a certain schedule, FortiWAN automatically re-establishes every disconnected PPPoE link when the disconnection is detected. In order to prevent simultaneous re-connection of multiple links, different re-connection schedules can be configured for different WAN links so that they do not coincide. After the reconnection schedule is configured (HH:MM), the system performs the PPPoE reconnection as scheduled daily.
Clone MAC Enable Configure MAC address clone.
See also

  • WAN link and WAN port
  • VLAN and port mapping
  • Configurations for VLAN and Port Mapping
  • Outbound Load Balancing and Failover (Auto Routing)
  • Inbound Load Balancing and Failover (Multihoming)

LAN Private Subnet

[LAN Private Subnet] is the second most important part of deploying FortiWAN in your network. In contrast with the configurations in WAN Settings, which activate WAN link transmission from FortiWAN to the Internet (external network), LAN Private Subnet is the configuration for deploying the internal network on FortiWAN’s LAN ports. There are two parts to setting a LAN private subnet: Basic Subnet and Static Routing Subnet, which respectively are the subnets connected directly to FortiWAN’s LAN ports and the subnets connected indirectly to FortiWAN via a router. (See “Scenarios to deploy subnets”)

Basic Subnet

Here is a simple example to demonstrate a configuration for the basic subnet in the typical LAN environment.

As shown in the illustration, FortiWAN port3 has been mapped to a LAN port via [System / Network Setting / VLAN and Port Mapping] (See “VLAN and Port Mapping”), and is assigned the private IP 192.168.34.254. Enter this IP address in the field [IP(s) on Localhost]. For hosts in the LAN, port3 (192.168.34.254) serves as the gateway as well. Enter the netmask (255.255.255.0) for the subnet in the field [Netmask]. Select the LAN port.

IPv4 Basic Subnet  
IP(s) on Localhost 192.168.34.254
Netmask 255.255.255.0
LAN Port Port3

Check [Enable DHCP] to allocate IP addresses (any of 192.168.34.175~192.168.34.199) dynamically via DHCP to PCs in the LAN. If any host in the LAN requires a static IP address, enter in [Static Mapping] the IP address to designate and the MAC address of the PC as well.

Checking [NAT Subnet for VS] is optional. When users in the LAN or DMZ access the WAN IP of a virtual server, their packets may bypass FortiWAN and flow to the internal server directly. This function translates the source IP address of the users’ packets into an IP address of FortiWAN, to ensure the packets flow through FortiWAN. If it is not checked, the system determines by itself which IP address to translate into.

Similarly, to deploy an IPv6 private LAN on FortiWAN port4, which has been mapped to a LAN port, with IPv6 address 2001:a:b:cd08::1 serving as the gateway for PCs in the LAN, check [Enable SLAAC] or [Enable DHCPv6 Service] to allocate IP addresses dynamically to PCs in the LAN. [NAT Subnet for VS] is not supported for an IPv6 private LAN. SLAAC and DHCPv6 in FortiWAN are designed to work together: SLAAC responds to a host with router advertisements (including default gateway and DNS server), and DHCPv6 responds to the host with an appropriate IPv6 address.

For the details about DHCP, DHCP Relay, SLAAC and DHCPv6, see “Automatic addressing within a basic subnet”.
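As an added example (not FortiWAN's own code), the following Python checks a LAN basic subnet's DHCP range and static mappings against the subnet and the LAN port address, using the port3 values from the example above. The MAC addresses, the dictionary layout and the assumption that statically mapped addresses inside the DHCP range are held back from the dynamic pool are this example's own; the page does not say how FortiWAN treats that overlap.

```python
import ipaddress
import re
from typing import Dict, List

MAC_RE = re.compile(r"^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$")

# Constructed from the LAN example above: port3 at 192.168.34.254/24 and a
# DHCP range of 192.168.34.175~192.168.34.199. The static mappings are an
# assumption (the page shows no concrete MAC addresses).
LAN_SUBNET = {
    "localhost": "192.168.34.254",
    "netmask": "255.255.255.0",
    "dhcp_range": ("192.168.34.175", "192.168.34.199"),
    "static_mapping": {
        "00:11:22:33:44:55": "192.168.34.10",
        "00:11:22:33:44:66": "192.168.34.180",   # deliberately inside the range
    },
}


def check_lan_subnet(cfg: Dict) -> List[str]:
    """Sanity-check a LAN basic subnet's DHCP range and static mappings
    against the subnet and the LAN port's own address."""
    problems: List[str] = []
    gw = ipaddress.ip_address(cfg["localhost"])
    net = ipaddress.ip_network(f"{gw}/{cfg['netmask']}", strict=False)
    lo, hi = (ipaddress.ip_address(x) for x in cfg["dhcp_range"])
    if lo > hi:
        problems.append(f"DHCP range {lo}-{hi} ends before it starts")
    for ip in (lo, hi):
        if ip not in net:
            problems.append(f"DHCP range boundary {ip} is outside {net}")
    if lo <= gw <= hi:
        problems.append(f"DHCP range contains the LAN port address {gw}")
    seen: Dict[ipaddress.IPv4Address, str] = {}
    for mac, ip_s in cfg["static_mapping"].items():
        if not MAC_RE.match(mac):
            problems.append(f"static mapping has a malformed MAC address {mac!r}")
        ip = ipaddress.ip_address(ip_s)
        if ip not in net or ip in (net.network_address, net.broadcast_address):
            problems.append(f"static mapping {mac} -> {ip} is not a host address in {net}")
        if ip == gw:
            problems.append(f"static mapping {mac} reuses the LAN port address {gw}")
        if ip in seen:
            problems.append(f"static mapping {mac} duplicates {ip} already given to {seen[ip]}")
        seen[ip] = mac
    return problems


def dhcp_pool_size(cfg: Dict) -> int:
    """Addresses left for dynamic allocation: the DHCP range minus statically
    mapped addresses inside it (holding them back is this example's assumption)."""
    lo, hi = (ipaddress.ip_address(x) for x in cfg["dhcp_range"])
    reserved = sum(1 for ip_s in cfg["static_mapping"].values()
                   if lo <= ipaddress.ip_address(ip_s) <= hi)
    return int(hi) - int(lo) + 1 - reserved


if __name__ == "__main__":
    for p in check_lan_subnet(LAN_SUBNET) or ["no problems found"]:
        print(p)
    print("dynamic pool size:", dhcp_pool_size(LAN_SUBNET))
```

For the configuration above the check passes and the dynamic pool holds 24 addresses (25 in the range, one of them statically mapped).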

Static Routing Subnet

[Static Routing Subnet] is useful when a router in the LAN is used to cut out a separate subnet which does not connect to FortiWAN directly. The topology is similar to [Static Routing Subnet: Subnet in DMZ] mentioned previously; the only difference is that this example is set in the LAN rather than in the DMZ. In the topology below, a subnet 192.168.99.x is located in the LAN and connects to router 192.168.34.50, while another subnet 192.168.34.x is located on the LAN port as well but connects to FortiWAN directly. The configuration here tells FortiWAN how to route packets to subnet 192.168.99.x.

IPv4 Static Routing Subnet  
Network IP 192.168.99.0
Netmask 255.255.255.0
Gateway 192.168.34.50

RIP

FortiWAN supports the Routing Information Protocol (RIP v1 and v2). RIP uses hop count as its metric and timed broadcasts to update routing tables. Because RIP is simple to configure and convenient to operate, it has been widely used across all fields. RIP version 1 (v1) was designed to suit the dynamic routing needs of LAN technology-based IP internetworks; to address some problems associated with RIP v1, a refined version, RIP version 2 (v2), was defined. RIP v2 supports sending RIP announcements to the IP multicast address and the use of authentication mechanisms to verify the origin of incoming RIP announcements.

Check the field in [RIP] if you have enabled RIP on your private subnet router. Check the field in [RIP v1] if you have enabled RIP v1 on your private subnet router behind FortiWAN. Thus, FortiWAN can forward packets from the RIP v1-enabled private subnet. Otherwise, check the field in [RIP v2] if you have enabled RIP v2 on your private subnet router. Thus, FortiWAN can forward RIP v2 packets. Moreover, if you have enabled RIP v2 authentication, type the password in [Password]. Otherwise, keep [Password] blank.

OSPF

Apart from RIP, FortiWAN also supports OSPF (Open Shortest Path First), to assign LAN port router with given preference. Like RIP, OSPF is designated by the Internet Engineering Task Force (IETF) as one of several Interior Gateway Protocols (IGPs). Rather than simply counting the number of hops, OSPF bases its path descriptions on “link states” that take into account additional network information. Using OSPF, a host that obtains a change to a routing table or detects a change in the network immediately multicasts the information to all other hosts in the network so that all will have the same routing table information.

OSPF Interface Displays the LAN port in the network. Check the box to enable OSPF over the port.
Area Setting The network is logically divided into a number of areas based on subnets. Administrators can configure the area ID, which accepts numbers or IPs only.

Authentication Setting Routers in different areas require authentication to communicate with each other. Authentication types: Null, Simple Text Password, MD5.
Router Priority Set router priority. Router that sends the highest OSPF priority becomes DR (Designated Router). The value of the OSPF Router Priority can be a number between 0 and 255.
Hello Interval Set the interval, in seconds, to instruct the router to send out OSPF keepalive packets to inform the other routers.
Dead Interval Set the length of time, in seconds, that OSPF neighbors will wait without receiving an OSPF keepalive packet from a neighbor before declaring the neighbor router is down.
Retransmit Interval Set the interval, in seconds, between retransmissions of link-state updates. When routers fail to transmit hello packets, they retransmit packets at the defined interval.
Authentication Type This specifies whether the router will perform authentication of data passing the LAN. Choices are: Null, Simple Text Password, MD5.

FortiWAN provides statistics for the RIP & OSPF service, see “RIP & OSPF Status”.

VRRP

VRRP (Virtual Router Redundancy Protocol) runs on a LAN port. A system can switch between VRRP and HA mode; when switched, the system reboots first for the change to take effect. When VRRP mode is enabled, HA mode is automatically disabled, and a VRID field becomes available for input in the [VLAN and Port Mapping] setting page (See “VLAN and Port Mapping”). In general, VRRP detects the master unit faster than HA mode does. Although FortiWAN’s VRRP implementation is based on VRRP version 3, some restrictions apply:

  • Always in non-preempt mode.
  • Always in non-accept mode.
  • IPv6 is not supported.
  • Active-active mode is not supported.

When FortiWAN switches to master mode, it automatically starts WAN link health detection. When it switches to backup mode, it automatically stops WAN link health detection and sets WAN status to “failed”.

In addition, DHCP servers in the LAN and DMZ should let clients use FortiWAN’s virtual IP as the default gateway (as FortiWAN’s DHCP service does). If RIP or OSPF is used in the LAN, FortiWAN uses its real IP for OSPF and the virtual IP for RIP to exchange route information. Clone-MAC settings are ignored if VRRP is enabled. FortiWAN does not exchange its NAT table with VRRP peers, so when the VRRP master changes, existing connections might break.

Local Priority The priority field specifies the sending VRRP router’s priority for the virtual router. Select a number from 1 to 254 as the priority for the VR.
Advertisement Interval Set the time interval in centi-seconds between advertisements. (Default is 100)
Virtual address Enter a virtual IP address for the virtual router.
Double-check Link Click the checkbox to enable. When enabled, the backup router will check whether the master is responding ARP on the specified WAN port.
See also
  • Scenarios to deploy subnets
  • VLAN and Port Mapping
  • Summary
  • RIP & OSPF Status

FortiWAN WAN/DMZ Private Subnet

After having gone through the public subnet configurations, let’s move to the private subnet settings. This section lists a few typical topologies for private subnets. Similarly, FortiWAN supports two different types of private subnet according to the deployment: directly or indirectly connected to FortiWAN. The two settings are configured from [Basic Subnet] and [Static Routing Subnet]. FortiWAN supports both IPv4 and IPv6 for the two private subnet types.

On the UI, [IPv4 Basic Subnet] and [IPv6 Basic Subnet] can be one of:

  • Subnet in WAN
  • Subnet in DMZ
  • Subnet in WAN and DMZ
  • Subnet on Localhost (not supported in [IPv6 Basic Subnet])

And [IPv4 Static Routing Subnet] and [IPv6 Static Routing Subnet] can be one of:

  • Subnet in WAN
  • Subnet in DMZ

[Basic Subnet]: Subnet in WAN

This topology is frequently found where cluster hosts in the IPv4 private subnet are located on the WAN. In this example, FortiWAN port2 has been mapped to WAN port, with IP 192.168.3.1. Select [Subnet in WAN] from [Subnet Type] in [Basic Subnet]. Then enter 192.168.3.1 in [IP(s) on Localhost] and the netmask offered by ISP in [Netmask].

Note: FortiWAN assumes that IP addresses that are unlisted in [IP(s) on Localhost] are all in WAN.

[Basic Subnet]: Subnet in DMZ

This topology is frequently found where cluster hosts in IPv4 private subnet are located on the DMZ. In this example, FortiWAN port5 has been mapped to DMZ port, with private IP 192.168.4.254. And subnet 192.168.4.X is located on the DMZ as a whole. From UI, select [Subnet in DMZ] from [Subnet Type] in [Basic Subnet].

Check [Enable DHCP] if hosts in the subnet in DMZ require DHCP service. And enter the starting and ending address in [DHCP Range]. If any host in the subnet uses static IP address, then in [Static Mapping], enter its IP and MAC address. Note: FortiWAN assumes IP addresses that are unlisted in [IP(s) on Localhost] are all in DMZ. Thus there is no need to configure them.

[Basic Subnet]: Subnet in WAN and DMZ

This topology is found where cluster hosts in an IPv4 private subnet are located in both the WAN and the DMZ. FortiWAN then assumes that IP addresses not listed in [IP(s) on Localhost] or [IP(s) in WAN] are all in the DMZ. Port2 and port5 are connected by a dotted line, indicating that the subnet spreads across the WAN (port2) and the DMZ (port5). FortiWAN uses Proxy ARP to connect the whole subnet together. In this example, FortiWAN needs more than one IP address for bridging, and these IP addresses therefore have to be on the same network segment.

Enter 192.168.5.20-192.168.5.30 in [IP(s) on Localhost], and 192.168.5.10-192.168.5.19 in [IP(s) in WAN].

[Basic Subnet]: Subnet on Localhost

This topology is found where a whole IPv4 private subnet is designated on FortiWAN. And the IP addresses in this subnet can be utilized by Virtual Server. An IPv6 private subnet is not supported for this subnet type.

[Static Routing Subnet]: Subnet in WAN

This topology is found where an IPv4 private static routing subnet is located on the WAN. In other words, the private subnet on the WAN does not connect to FortiWAN directly; instead, it connects to a router that forwards its packets.

Hence, in [Static Routing Subnet], [Gateway] IP address is that of the router.

[Static Routing Subnet]: Subnet in DMZ

In this topology, an IPv4 private subnet (192.168.99.0/24) in the DMZ sits behind a router (with IP, say, 192.168.34.50), so the subnet does not connect to FortiWAN directly. Configure the subnet on FortiWAN so that it can process the subnet’s packets.

Automatic addressing within a basic subnet

FortiWAN serves various network topologies made up of multiple connected subnets (basic subnets). Deployments of basic subnets vary by purpose, but by location they fall into three basic types: WAN-sided, DMZ-sided and LAN-sided subnets, which connect to the WAN port, DMZ port and LAN port of FortiWAN respectively, so that FortiWAN can service the hosts in them. For this reason, mechanisms to automatically address the hosts in those basic subnets are provided. FortiWAN’s automatic addressing is designed to serve hosts in DMZ-sided and LAN-sided subnets; hosts in WAN-sided subnets can only be addressed manually. DMZ-sided subnets are divided further into Subnet in DMZ and Subnet in WAN and DMZ. FortiWAN’s automatic addressing is designed separately for IPv4 and IPv6 networks, as described below:

IPv4 Automatic addressing

FortiWAN provides standard DHCP and DHCP Relay to allocate IPv4 addresses to, or relay DHCP messages for, hosts in the following subnets or IP ranges:

DMZ side:
  • Routing Mode, IPv4 Basic Subnet: Subnet in DMZ
  • Routing Mode, IPv4 Basic Subnet: Subnet in WAN and DMZ
  • Bridge Mode: Multiple Static IP, IPv4 IP(s) in DMZ

LAN side:
  • LAN Private Subnet

DHCP

FortiWAN acts as a DHCP server on the specified LAN port or DMZ port if the checkbox Enable DHCP is checked. FortiWAN receives DHCP requests from hosts (DHCP clients) in the subnets connected to the LAN or DMZ ports and responds with the related information.

Domain Name Server   The DNS server(s) that FortiWAN returns to DHCP clients in DHCP OFFER messages when the clients are set to obtain DNS information automatically through DHCP.
  • Single DNS server: the DNS servers defined in System > Network Setting > DNS Server > IPv4 Domain Name Server are listed here for selection.
  • ALL: answer DHCP clients with all the defined DNS servers.
  • None: answer DHCP clients without any DNS server information.

This option is only available for the LAN private subnet. For the DMZ-sided subnets (hosts in those two subnets are expected to use public IP addresses), the system answers DHCP clients with all the defined DNS servers.

Domain Name Suffix   The domain name suffix that FortiWAN returns to DHCP clients in DHCP OFFER messages when the clients are set to obtain DNS information automatically through DHCP.
  • Single domain name suffix: the domain name suffixes defined in System > Network Setting > DNS Server > Domain Name Suffix are listed here for selection.
  • ALL: answer DHCP clients with all the defined domain name suffixes.
  • None: answer DHCP clients without any domain name suffix.

This option is only available for the LAN private subnet.

 

TFTP Server Name   This option is used to deliver a TFTP server name to DHCP clients.

When the DHCP server sees the request in a DHCP DISCOVER from a DHCP client, it returns the TFTP server name in its DHCP OFFER to the client as DHCP option 66. Option 66 is usually used for IP phone auto-provisioning; refer to the vendor’s documentation to configure this option.

Specify the IP address or the hostname of a TFTP server directly here, according to what the device vendor provides. FortiWAN DHCP returns exactly what is specified here to requests, without any encoding or decoding. The DHCP server ignores a client’s request for option 66 if this field is left blank. Note that FortiWAN does not support DHCP option 67 (Bootfile Name) or option 150 (TFTP Server Address).

Vendor Encapsulated Options   This option is used to transmit vendor-specific information between the DHCP server and clients. Usually the information is configuration data for the DHCP clients: for example the IP address of a WLAN controller or a DLS (Deployment Service) server, or an identifier if the DHCP clients are wireless APs, IP phones or other devices. When the DHCP server sees the request in a DHCP DISCOVER (option 43 present, or number 43 included in option 55) from a DHCP client, it returns the vendor-specific information in its DHCP OFFER to the client as DHCP option 43.

The vendor encapsulated option can contain either a single vendor-specific value or multiple vendor-specific sub-options. The RFC allows a vendor to define its own sub-option codes. All the sub-options are included in the DHCP OFFER as Type-Length-Value blocks embedded within option 43. Refer to the vendor’s documentation to form the options to their specification.

Specify the information directly here in hexadecimal format, according to what the device vendor provides. FortiWAN DHCP returns exactly what is specified here to requests, without any encoding or decoding. The DHCP server ignores a client’s request for option 43 if this field is left blank. Note that FortiWAN does not support DHCP option 60 (Vendor Class Identifier); the DHCP server will not return option 43 based on option 60.

DHCP Range   The address pools from which the DHCP server assigns and manages IP addresses. Define the IP ranges by specifying IPv4 Starting Address and IPv4 Ending Address.
Static Mapping   The DHCP server assigns and manages IP addresses according to clients’ MAC addresses. An IP address mapped to a MAC address is only available to the client with that MAC address; it will not be assigned to another client even if it is idle. Define the mapping by specifying MAC Address and the corresponding IPv4 Address.
Client ID Mapping   The DHCP server assigns and manages IP addresses according to the client ID of the DHCP client (the Client Identifier, option code 61, in the options field of the DHCP request). An IP address mapped to a client ID here is only available to that client; it will not be assigned to other clients even if it is idle. Define the mapping by specifying Client ID and the corresponding IPv4 Address. A corresponding client ID setting on the DHCP client is required.

Note that IP addresses defined in DHCP Range, Static Mapping or Client ID Mapping must also be defined in the field IPv4 IP(s) in DMZ for a bridge-mode (multiple static IP) WAN link, in the DMZ side of basic subnets (subnet in WAN and DMZ, and subnet in DMZ) for a routing-mode WAN link, and in the basic subnets of private LAN subnets.
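Because FortiWAN sends the Vendor Encapsulated Options field verbatim, a malformed hex string reaches every client that asks for option 43. The following Python, added here and not part of FortiWAN or this guide, builds the Type-Length-Value blocks described above and checks a payload before it is pasted into the field; the sub-option codes (1, 2) and values are constructed placeholders, not any vendor’s specification.

```python
"""Build and check the hexadecimal Option 43 payload entered in the
Vendor Encapsulated Options field.  Added example, not FortiWAN code;
the sub-option codes and values below are constructed for illustration."""
import socket
from typing import List, Tuple

SubOption = Tuple[int, bytes]  # (sub-option code, raw value)

PAD, END = 0, 255       # reserved sub-option codes (RFC 2132 section 8.4)
MAX_OPTION_LEN = 255    # a single DHCP option carries at most 255 bytes


def encode_option43(sub_options: List[SubOption]) -> str:
    """Pack (code, value) pairs as Type-Length-Value blocks and return the hex
    string.  FortiWAN forwards this blob unchanged, so validate it here rather
    than relying on clients to cope with a malformed entry."""
    out = bytearray()
    for code, value in sub_options:
        if not 1 <= code <= 254:
            raise ValueError(f"sub-option code {code} is reserved or out of range")
        if len(value) > 255:
            raise ValueError(f"sub-option {code} value longer than 255 bytes")
        out += bytes([code, len(value)]) + value
    if len(out) > MAX_OPTION_LEN:
        raise ValueError("encoded option 43 exceeds 255 bytes")
    return out.hex()


def decode_option43(hex_payload: str) -> List[SubOption]:
    """Parse a hex payload back into (code, value) pairs, rejecting truncated
    TLVs so a typo in the Web UI field is caught before clients see it."""
    data = bytes.fromhex(hex_payload)   # raises ValueError on odd length / non-hex
    result: List[SubOption] = []
    i = 0
    while i < len(data):
        code = data[i]
        if code == END:                 # optional end marker terminates the list
            break
        if code == PAD:                 # single-byte padding, no length field
            i += 1
            continue
        if i + 1 >= len(data):
            raise ValueError(f"sub-option {code} at offset {i} has no length byte")
        length = data[i + 1]
        value = data[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError(f"sub-option {code} at offset {i} is truncated")
        result.append((code, bytes(value)))
        i += 2 + length
    return result


def ipv4_suboption(code: int, address: str) -> SubOption:
    """Helper for the common case of a controller/server IPv4 address."""
    return code, socket.inet_aton(address)


def text_suboption(code: int, text: str) -> SubOption:
    return code, text.encode("ascii")


# Constructed example: sub-option 1 carries a hypothetical controller IP,
# sub-option 2 a device identifier string.  Real codes are whatever the
# device vendor documents; these two are placeholders.
EXAMPLE_SUBOPTIONS = [
    ipv4_suboption(1, "192.0.2.10"),
    text_suboption(2, "ExampleAP"),
]


if __name__ == "__main__":
    blob = encode_option43(EXAMPLE_SUBOPTIONS)
    print("Vendor Encapsulated Options field value:", blob)
    for code, value in decode_option43(blob):
        print(f"  sub-option {code}: {value!r}")
```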

DHCP Relay

DHCP relay is a proxy that forwards DHCP requests and responses between hosts and a DHCP server across different subnets. A router called the DHCP relay agent acts as the proxy: it receives DHCP requests from hosts in its own subnet and resends them to the DHCP server located in another subnet. The DHCP relay agent then delivers the DHCP messages returned by the DHCP server to the hosts in the subnet, so that the hosts are assigned IP addresses and related information.

FortiWAN is the DHCP relay agent in the network once the DHCP Relay function is enabled. Address allocation for multiple subnets (subnet in LAN, subnet in DMZ, subnet in WAN and DMZ, and IPs in DMZ) can then be managed by a centralized DHCP server. In the example below, FortiWAN relays DHCP messages between the connected subnets and the standalone DHCP server, so that one DHCP server manages address allocation for the three subnets LAN 1, LAN 2 and DMZ 1. Subnet LAN 3 instead uses FortiWAN’s DHCP server on LAN port 3; that DHCP server, which is independent of the standalone DHCP server, serves only subnet LAN 3. Note that you can enable only one of DHCP or DHCP Relay for a subnet.

To implement the deployment, enable DHCP Relay for each of the subnets (that is, on each of the ports). In the example above, DHCP Relay is enabled on the ports of LAN 1, LAN 2 and the subnet in DMZ 1, and all DHCP requests received on those ports are forwarded to the DHCP server in subnet DMZ 2. A LAN port or DMZ port with DHCP Relay enabled forwards the DHCP requests it receives (from the subnet it connects to) to the DHCP server.

FortiWAN supports up to two DHCP servers in a DHCP relay deployment. Once two DHCP servers are configured, the relay agent forwards a DHCP request to both of them. The first response received by the relay agent is applied to the DHCP client, and subsequent responses are ignored.

DHCP Relay Server 1   IP address of the first standalone DHCP server.
DHCP Relay Server 2   IP address of the second standalone DHCP server. Leave it blank if only one DHCP server is required for the DHCP relay deployment.
DHCP Relay Agent IP   The IP address of the DHCP relay agent on the port. It indicates to the DHCP server the source of a relayed DHCP request. This IP is carried in the relayed DHCP message, so that the DHCP server can recognize which relay agent the request came from and respond with an IP address appropriate to that agent (according to this DHCP Relay Agent IP and its addressing policy).

The DHCP Relay Agent IP must be an IP address deployed on the localhost of the LAN port or DMZ port. If multiple IP addresses are deployed on a LAN port or DMZ port (the field IP(s) on Localhost of a LAN subnet, a subnet in DMZ or a subnet in WAN and DMZ), any of them can be used as the DHCP Relay Agent IP.

Next are the configurations of DHCP Relay on the LAN 1, LAN 2 and DMZ ports in the example above.

LAN 1 subnet

From the example above, we have configured the localhost of the LAN 1 port with three IP addresses, 192.168.10.1, 192.168.10.2 and 192.168.10.3, for subnet 192.168.10.0/24. To enable DHCP Relay on this port, check the checkbox “Enable DHCP Relay” on the Web UI and configure the settings as follows:

DHCP Relay Server 1   10.10.10.10
DHCP Relay Agent IP   192.168.10.1, 192.168.10.2 or 192.168.10.3

The DHCP server (10.10.10.10) recognizes the relay agent (the LAN 1 port) that relayed the DHCP message through the “DHCP Relay Agent IP” carried in the relayed message. Then, according to its DHCP addressing policy, it selects an IP belonging to 192.168.10.x from its IP pool and responds to the relay agent on the LAN 1 port.

LAN 2 subnet

From the example above, we have configured the localhost of the LAN 2 port with the IP addresses 192.168.11.254 and 192.168.11.253 for subnet 192.168.11.0/24. To enable DHCP Relay on this port, check the checkbox “Enable DHCP Relay” on the Web UI and configure the settings as follows:

DHCP Relay Server 1   10.10.10.10
DHCP Relay Agent IP   192.168.11.254 or 192.168.11.253

The DHCP server (10.10.10.10) recognizes the relay agent (the LAN 2 port) that relayed the DHCP message through the “DHCP Relay Agent IP” carried in the relayed message. Then, according to its DHCP addressing policy, it selects an IP belonging to subnet 192.168.11.x from its IP pool and responds to the relay agent on the LAN 2 port.

DMZ 1

As described above, a DHCP relay agent enabled on a DMZ port forwards DHCP messages between the DMZ and a DHCP server. In FortiWAN, a DMZ can be deployed under the following WAN types:

  • Routing Mode – IPv4 Basic Subnet: Subnet in DMZ
  • Routing Mode – IPv4 Basic Subnet: Subnet in WAN and DMZ
  • Bridge Mode – Multiple Static IP: IPv4 IP(s) in DMZ

Whichever WAN type the DMZ is deployed under, the “IP(s) on Localhost” field must be configured for the DMZ port via the Web UI. From the example above, we have configured the localhost of the DMZ 1 port with the IP addresses 20.20.20.1 and 20.20.20.2. To enable DHCP Relay on this port, check the checkbox “Enable DHCP Relay” on the Web UI and configure the settings as follows:

DHCP Relay Server 1   10.10.10.10
DHCP Relay Agent IP   20.20.20.1 or 20.20.20.2

The DHCP server (10.10.10.10) recognizes the relay agent (the DMZ 1 port) that relayed the DHCP message through the “DHCP Relay Agent IP” carried in the relayed message. Then, according to its DHCP addressing policy, it selects an IP belonging to subnet 20.20.20.x from its IP pool and responds to the relay agent on the DMZ 1 port.

Note that the DHCP server working with FortiWAN’s DHCP Relay must be a standalone server.

FortiWAN’s own DHCP function does not work together with DHCP Relay: a port with DHCP enabled cannot cooperate with ports that have DHCP Relay enabled. The centralized DHCP server in a DHCP Relay deployment must have its IP pools properly configured for every IP subnet it manages.
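To show why the DHCP Relay Agent IP matters, the Python below, an added example rather than FortiWAN code, models the server side of the deployment above: it reads the giaddr field of a relayed DHCPDISCOVER and picks the pool for 192.168.10.0/24, 192.168.11.0/24 or 20.20.20.0/24 from it, refusing to answer for an agent IP outside its configured scopes. The pool ranges and client MAC addresses are constructed.

```python
"""Model how a standalone DHCP server picks an address pool from the DHCP
Relay Agent IP (the BOOTP giaddr field) in a relayed DISCOVER.  Added
example, not FortiWAN code; the pools mirror the three subnets of the
deployment above and the pool ranges are constructed."""
import ipaddress
import struct
from typing import Dict, Optional

IPv4 = ipaddress.IPv4Address
Net = ipaddress.IPv4Network

# Address pools the server at 10.10.10.10 is configured with, one per
# subnet that FortiWAN relays for.  Host ranges are constructed.
POOLS: Dict[Net, range] = {
    Net("192.168.10.0/24"): range(100, 200),  # LAN 1, relayed via 192.168.10.1-3
    Net("192.168.11.0/24"): range(100, 200),  # LAN 2, relayed via 192.168.11.253/254
    Net("20.20.20.0/24"): range(10, 50),      # DMZ 1, relayed via 20.20.20.1/2
}
MAGIC_COOKIE = b"\x63\x82\x53\x63"
GIADDR_OFFSET = 24   # op,htype,hlen,hops(4) xid(4) secs(2) flags(2) ciaddr,yiaddr,siaddr(12)
CHADDR_OFFSET = 28


def build_relayed_discover(xid: int, client_mac: bytes, relay_agent_ip: str) -> bytes:
    """Minimal DHCPDISCOVER as it leaves the relay agent: hops=1 and giaddr set
    to the DHCP Relay Agent IP; the client itself sent giaddr = 0.0.0.0."""
    header = struct.pack(
        "!BBBBIHHIIII16s64s128s",
        1, 1, 6, 1,                          # BOOTREQUEST, Ethernet, hlen 6, hops 1
        xid, 0, 0x8000,                      # xid, secs, broadcast flag
        0, 0, 0, int(IPv4(relay_agent_ip)),  # ciaddr, yiaddr, siaddr, giaddr
        client_mac.ljust(16, b"\x00"), b"", b"",
    )
    options = bytes([53, 1, 1, 255])         # option 53 = DHCPDISCOVER, then End
    return header + MAGIC_COOKIE + options


def relay_agent_ip(packet: bytes) -> IPv4:
    (giaddr,) = struct.unpack_from("!I", packet, GIADDR_OFFSET)
    return IPv4(giaddr)


def select_pool(giaddr: IPv4) -> Optional[Net]:
    """The server keys its choice on giaddr, not on the client's MAC or the
    packet's source address.  A giaddr outside every pool means the server
    has no scope for that relay agent and must not answer."""
    if giaddr == IPv4("0.0.0.0"):
        return None   # not relayed; a real server would use the receiving interface
    for net in POOLS:
        if giaddr in net:
            return net
    return None


class LeaseTable:
    """Hands out the lowest free address of the pool chosen for a relay agent."""

    def __init__(self) -> None:
        self.leases: Dict[bytes, IPv4] = {}

    def offer(self, packet: bytes) -> Optional[IPv4]:
        mac = packet[CHADDR_OFFSET:CHADDR_OFFSET + 6]
        if mac in self.leases:
            return self.leases[mac]          # same client, same address
        net = select_pool(relay_agent_ip(packet))
        if net is None:
            return None
        taken = set(self.leases.values())
        for host in POOLS[net]:
            candidate = net.network_address + host
            if candidate not in taken:
                self.leases[mac] = candidate
                return candidate
        return None                          # pool exhausted


if __name__ == "__main__":
    table = LeaseTable()
    agents = ("192.168.10.2", "192.168.11.254", "20.20.20.1", "172.16.0.1")
    for i, agent in enumerate(agents, 1):
        pkt = build_relayed_discover(0x1000 + i, bytes.fromhex("0242ac1100") + bytes([i]), agent)
        print(f"relayed via {agent:>15} -> offer {table.offer(pkt)}")
```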

DHCP Relay over FortiWAN Tunnel Routing network

FortiWAN’s DHCP Relay is capable of forwarding DHCP messages through Tunnel Routing (See “Tunnel Routing”), so that centralized IP addressing over a FortiWAN Tunnel Routing network can be implemented. This is useful where a headquarters centrally manages IP allocation for its regional branches. The following example shows a DHCP server located at the headquarters site (deployed in the LAN subnet) managing IP addressing for its branches across the Internet.

With Tunnel Routing connectivity, a VPN network is established between the networks of the two sites, and DHCP relay serves the subnets in the VPN network just as normal. FortiWAN A (the branch) delivers relayed DHCP requests from its private subnet 192.168.10.0/24 to the DHCP server located in the remote private subnet 192.168.100.0/24 over the Internet; conversely, FortiWAN B (the headquarters) delivers the DHCP responses to the branch site over the Internet, and FortiWAN A forwards each response to its LAN to allocate the host an IP address. DHCP messages are delivered by Tunnel Routing encapsulation and decapsulation, just like normal Tunnel Routing transmission. The localhost of the LAN port on FortiWAN A is configured as 192.168.10.254. An IP pool for subnet 192.168.10.0/24 must be configured on the DHCP server. The related configurations on the two FortiWAN units are as follows:

Configurations on FortiWAN A

Go to Network Setting > LAN Private Subnet > IPv4 Basic Subnet and select the subnet 192.168.10.0/24 to configure.

Check the checkbox Enable DHCP Relay and configure the setting below.

DHCP Relay Server 1 192.168.100.100
DHCP Relay Agent IP 192.168.10.254

Go to Service > Tunnel Routing and define a Tunnel Group with the two tunnels below:

Local IP Remote IP
10.10.10.10 11.11.11.11
20.20.20.20 21.21.21.21

Define the Routing Rule.

Source Destination Service Group
192.168.10.0/255.255.255.0 192.168.100.0/255.255.255.0 Any Group Name

Configurations on FortiWAN B

Go to Service > Tunnel Routing and define a Tunnel Group with the two tunnels below:

Local IP Remote IP
11.11.11.11 10.10.10.10
21.21.21.21 20.20.20.20

Define the Routing Rule.

Source Destination Service Group
192.168.100.0/255.255.255.0 192.168.10.0/255.255.255.0 Any Group Name

Note that the DHCP Relay can only work with Tunnel Routing or Tunnel Routing over IPSec Transport Mode. It does not support relaying DHCP requests through IPSec Tunnel Mode (See “IPSec VPN”).

IPv6 Automatic Addressing

FortiWAN provides stateless and stateful mechanisms to allocate IPv6 addresses to hosts in the following subnets or IP ranges:

DMZ side:
  • Routing Mode, IPv6 Basic Subnet: Subnet in DMZ
  • Routing Mode, IPv6 Basic Subnet: Subnet in WAN and DMZ
  • Bridge Mode: One Static IP, IPv6 Basic Subnet: Subnet in DMZ
  • Bridge Mode: Multiple Static IP, IPv6 IP(s) in DMZ
  • Bridge Mode: Multiple Static IP, IPv6 Basic Subnet: Subnet in DMZ

LAN side:
  • LAN Private Subnet

Stateless Address Autoconfiguration (SLAAC) is a standard mechanism to equip hosts with IPv6 addresses and related routing information through IPv6 Router Advertisements (RA). SLAAC has two properties:

  • SLAAC is stateless and so lacks IP management: it cannot control the mapping between a host and an IPv6 address.
  • DNS information is absent from traditional Router Advertisement messages. SLAAC with the RDNSS and DNSSL options included in RA messages (so-called SLAAC RDNSS) can convey information about DNS recursive servers and DNS search lists.

Compared with SLAAC, DHCPv6 has the advantage of IP management and is therefore called stateful. By specifying the IP pool and static IP mappings, administrators control how IPv6 addresses are allocated via DHCPv6. FortiWAN provides both SLAAC RDNSS and DHCPv6 for stateless and stateful IPv6 automatic addressing.

Stateless IPv6 addressing: SLAAC

Enable stateless IPv6 addressing for the “IPv6 Basic Subnets” or “IPv6 IP(s) in DMZ” by checking the checkbox Enable SLAAC.

DNS Server   The recursive DNS servers used to serve the IPv6 subnet you are configuring (the Subnet field below). FortiWAN conveys them through Router Advertisement (RA) messages. Depending on the subnet type (DMZ-sided or LAN-sided), this could be the DNS server serving the global (public) IPv6 subnets that your ISP provides, or the DNS server for the unique local (private) IPv6 subnet.
  • Single DNS server: the IPv6 addresses defined in System > Network Setting > DNS Server > IPv6 Domain Name Server are listed here for selection.
  • ALL: answer the hosts with all the defined IPv6 DNS servers.
  • None: answer the hosts without any IPv6 DNS server information.

This option is only available for the IPv6 LAN private subnet. For the DMZ-sided subnets (hosts in those subnets are expected to use IPv6 global addresses), the system answers the hosts with all the defined DNS servers.

Subnet   The subnet deployed on the port (LAN port or DMZ port) you are configuring; SLAAC serves this subnet. SLAAC advertises the subnet as the prefix information to hosts, so that each host can derive an IPv6 address (together with its host ID). Depending on the subnet type, it could be a global IPv6 subnet or a unique local IPv6 subnet.
DNS Search List   A search list to be used when trying to resolve a name by means of DNS. This option is only available for the IPv6 LAN private subnet.

Stateful IPv6 addressing: DHCPv6

To enable stateful IPv6 addressing for the “IPv6 Basic Subnets” or “IPv6 IP(s) in DMZ”, you must enable and configure both SLAAC and DHCPv6 on the Web UI. FortiWAN sends no Router Advertisement (RA) if SLAAC is disabled. Stateful IPv6 addressing via DHCPv6 relies on RA for hosts to discover the default gateway, so hosts fail to obtain a default gateway if SLAAC is disabled. Enable and configure SLAAC as described above when DHCPv6 is enabled, and make sure the network interface of each host is set to obtain its IPv6 address automatically through DHCPv6.

FortiWAN acts as a DHCPv6 server on the specified LAN port or DMZ port if the checkbox Enable DHCPv6 Service is checked. All hosts running as DHCPv6 clients can obtain routing and DNS information from the DHCPv6 server. DHCPv6 provides configuration and management of the IPv6 addresses to be assigned, which SLAAC lacks.

DNS Server   The DNS servers used to serve the IPv6 subnet you are configuring (the Subnet field below). FortiWAN returns them to DHCPv6 clients within DHCPv6 messages if the clients are set to obtain DNS information automatically through DHCPv6. Depending on the subnet type (DMZ-sided or LAN-sided), this could be the DNS server serving the global (public) IPv6 subnets that your ISP provides, or the DNS server for the unique local (private) IPv6 subnet.
  • Single DNS server: the IPv6 addresses defined in System > Network Setting > DNS Server > IPv6 Domain Name Server are listed here for selection.
  • ALL: answer the hosts with all the defined IPv6 DNS servers.
  • None: answer the hosts without any IPv6 DNS server information.

This option is only available for the IPv6 LAN private subnet. For subnet in DMZ and subnet in WAN and DMZ (hosts in those subnets are expected to use IPv6 global addresses), the system answers the hosts with all the defined DNS servers.

DHCP Range   The address pools from which the DHCPv6 server assigns and manages IPv6 addresses. Define the ranges by specifying IPv6 Starting Address and IPv6 Ending Address.
Static Mapping   The DHCPv6 server assigns and manages IPv6 addresses according to client IDs. An IPv6 address mapped to a client ID is only available to that client; it will not be assigned to other clients even if it is idle. Define the mapping by specifying Client ID and the corresponding IPv6 Address.
DNS Search List   A search list to be used when trying to resolve a name by means of DNS. This option is only available for the IPv6 LAN private subnet.

Note that IPv6 addresses defined in DHCP Range and Static Mapping must also be defined in the field IPv6 IP(s) in DMZ for a bridge-mode (multiple static IP) WAN link, in the DMZ side of IPv6 basic subnets (subnet in WAN and DMZ, and subnet in DMZ) for a routing-mode WAN link, and in the IPv6 basic subnets of private LAN subnets.


Deployment Scenarios for Various WAN Types

This section provides various network scenarios for the different WAN types and explains how FortiWAN can be integrated into an existing network.

WAN Type: Bridge Mode with a Single Static IP

Single Static IP is a common and simple WAN scenario, where the ISP provides a single public static (fixed) IP for the WAN link. Note: ISPs often provide an ATU-R, sometimes known as an ADSL modem, in bridge mode.

In this example it is assumed that WAN port 1 is connected to the bridge-mode ATU-R.

Please refer to the ATU-R user manual provided by your ISP to connect the ATU-R to FortiWAN’s WAN #1. Connect the LAN to FortiWAN’s LAN port via a switch or hub. In this example, FortiWAN’s Port2 is treated as the LAN port. Map FortiWAN’s LAN port to Port2 in [System] → [Network Setting] → [VLAN and Port Mapping]. Note: FortiWAN is treated as a normal PC when connecting to other networking equipment.

WAN configuration:

  1. Enter FortiWAN’s Web-based UI.
  2. Go to [System] → [Network Setting] → [WAN Settings].
  3. In the WAN LINK scroll menu, select “1”, and choose “Enable” in the Basic Settings.
  4. In the WAN type scroll menu, select [Bridge Mode: One static IP].
  5. Select [Port 1] in the WAN Port field.
  6. Enter the up/down stream bandwidth associated with this WAN link. Example: If the ADSL Line on WAN1 is 512/64, then enter [64] and [512] in the Up Stream and Down Stream fields respectively. Note: The up/down stream values entered will ONLY affect the BM and statistics reporting. Bandwidth will not increase if the values are greater than the actual bandwidth.
  7. Enter [211.100.3.35] in the Localhost IP field.
  8. Enter [255.255.255.0] in the Netmask field.
  9. Enter [211.100.3.254] in the Default Gateway IP field.
  10. Apply the bridge mode configuration.
  11. If the configuration above has been correctly established, in the [System] →[Summary] page, the status color on the WAN Link State for WAN Link #1 will turn green.

LAN configuration:

  1. Go to [System] → [Network Setting] → [LAN Private Subnet].
  2. Enter [192.168.1.254] in the IP(s) on Localhost field.
  3. Enter [255.255.255.0] in the Netmask field.
  4. Select [Port2] in the LAN Port field.
  5. Check NAT Subnet for VS.
  6. Configuration complete.

Virtual Server Configuration:

Assume an SMTP server with IP 192.168.1.1 provides SMTP services to the outside via the virtual server. FortiWAN will perform NAT on this machine so that the outside clients can get SMTP services via FortiWAN’s public IP on WAN1. The settings for this are in [Service] → [Virtual Server].

  1. Click [+] to create a new rule.
  2. Check [E] to enable this rule.
  3. Select [All-Time] in the “When” field.
  4. Enter [211.100.3.35] in the WAN IP field.
  5. Select [SMTP(25)] in the Service field.
  6. Select [Round-Robin] in the Algorithm field.
  7. Click [+] to create a new server in Server Pool.
  8. Enter [192.168.1.1] in the Server IP field.
  9. Select [SMTP(25)] in the Service field.
  10. Enter [1] in the Weight field.
  11. Selection of the L field is optional. (If an Administrator wishes to log Virtual Server activities, please select “L”).
  12. Configuration complete.

Administrators can set up different types of services inside the LAN and use the Virtual Server to make these services available to public once the configurations are completed.

MIB fields for WAN links and VLANs

You can use an SNMP manager to get information about the defined WAN links and VLANs and to receive notifications when a WAN link fails or recovers. Configure SNMP for your FortiWAN unit (See “SNMP”) to read the MIB fields via the SNMP manager. Configure the SNMP manager on your FortiWAN and enable the event types “” and “” for notification (See “Notification”); notifications for those events will then be delivered to your SNMP manager. The corresponding MIB fields and OIDs are listed as follows:

SNMP field names and OIDs for WAN link

MIB Field OID Description
fwnWanNumber 1.3.6.1.4.1.12356.118.2.1.1 Maximum number of WAN links that the system supports.
fwnWanTable 1.3.6.1.4.1.12356.118.2.1.2 A table containing one fwnWanEntry object per WAN link deployed on the system, describing its properties and management information.
fwnWanEntry 1.3.6.1.4.1.12356.118.2.1.2.1 An object describing the properties and management information of every WAN link deployed on the system: Index, Descr, Status, IP, HealthReq, HealthRep, UpLimit, DownLimit, ConnTime, InOctets, OutOctets, TotalOctets, InOctets64, OutOctets64 and TotalOctets64.
fwnWanIndex 1.3.6.1.4.1.12356.118.2.1.2.1.1 Index (unique positive integer) of every WAN link.
fwnWanDescr 1.3.6.1.4.1.12356.118.2.1.2.1.2 Label of every WAN link, such as WAN1, WAN2, WAN3, etc.
fwnWanStatus 1.3.6.1.4.1.12356.118.2.1.2.1.3 State of every WAN link: ok(1), failed(2), disabled(3), backup(4) and unknown(5).
fwnWanIP 1.3.6.1.4.1.12356.118.2.1.2.1.4 First of the IP addresses deployed on the WAN port (localhost) of every WAN link.
fwnWanHealthReq 1.3.6.1.4.1.12356.118.2.1.2.1.7 Number of health-detection probes (ping packets or TCP connect requests) sent out for every WAN link.
fwnWanHealthRep 1.3.6.1.4.1.12356.118.2.1.2.1.8 Number of replies received to the health-detection probes of every WAN link.
fwnWanUpLimit 1.3.6.1.4.1.12356.118.2.1.2.1.9 Maximum upload speed (in kbps) of every WAN link.
fwnWanDownLimit 1.3.6.1.4.1.12356.118.2.1.2.1.10 Maximum download speed (in kbps) of every WAN link.
fwnWanConnTime 1.3.6.1.4.1.12356.118.2.1.2.1.12 The time period that a WAN link has been available since its last recovery from failure or disablement.
fwnWanInOctets 1.3.6.1.4.1.12356.118.2.1.2.1.5 Number (32-bit unsigned integer) of octets received on the interface (RX) of every WAN link during the system’s uptime.
fwnWanOutOctets 1.3.6.1.4.1.12356.118.2.1.2.1.6 Number (32-bit unsigned integer) of octets transmitted from the interface (TX) of every WAN link during the system’s uptime.
fwnWanTotalOctets 1.3.6.1.4.1.12356.118.2.1.2.1.11 Sum (32-bit unsigned integer) of octets received and transmitted on/from the interface (RX and TX) of every WAN link during the system’s uptime.
fwnWanInOctets64 1.3.6.1.4.1.12356.118.2.1.2.1.13 Number (64-bit unsigned integer) of octets received on the interface (RX) of every WAN link during the system’s uptime.
fwnWanOutOctets64 1.3.6.1.4.1.12356.118.2.1.2.1.14 Number (64-bit unsigned integer) of octets transmitted from the interface (TX) of every WAN link during the system’s uptime.
fwnWanTotalOctets64 1.3.6.1.4.1.12356.118.2.1.2.1.15 Sum (64-bit unsigned integer) of octets received and transmitted on/from the interface (RX and TX) of every WAN link during the system’s uptime.
fwnEventWanLinkRecovery 1.3.6.1.4.1.12356.118.2.2.2.1.1 Index of a WAN link, sent as an event notification when the WAN link recovers from a failure.
fwnEventWanLinkFailure 1.3.6.1.4.1.12356.118.2.2.2.1.2 Index of a WAN link, sent as an event notification when the WAN link fails.

SNMP field names and OIDs for VLAN

MIB Field OID Description
fwnVlanNumber 1.3.6.1.4.1.12356.118.2.2.1 Number of VLAN defined on the system.
fwnVlanTable 1.3.6.1.4.1.12356.118.2.2.2 This is a table containing one element of object fwnVlanEntry used to describe the properties and management information of every

VLAN defined on the system

fwnVlanEntry 1.3.6.1.4.1.12356.118.2.2.2.1 An object used to describe the properties and management information of every VLAN defined on the system
fwnVlanDescr 1.3.6.1.4.1.12356.118.2.2.2.1.1 Label of every VLAN. It consists of the port that the VLAN is defined on and the VLAN tag, such as port1.101, port1.102, port2.203, etc.
fwnVlanInOctets 1.3.6.1.4.1.12356.118.2.2.2.1.2 Number (32bit unsigned integer) of octets received on the interface (RX) of every VLAN during system’s uptime.
fwnVlanOutOctets 1.3.6.1.4.1.12356.118.2.2.2.1.3 Number (32bit unsigned integer) of octets transmitted from the interface (TX) of every VLAN during system’s uptime.
fwnVlanTotalOctets 1.3.6.1.4.1.12356.118.2.2.2.1.4 Sum (32bit unsigned integer) of octets received and transmitted on/from the interface (RX and TX) of every VLAN during system’s uptime.
fwnVlanInOctets64 1.3.6.1.4.1.12356.118.2.2.2.1.5 Number (64bit unsigned integer) of octets received on the interface (RX) of every VLAN during system’s uptime.
fwnVlanOutOctets64 1.3.6.1.4.1.12356.118.2.2.2.1.6 Number (64bit unsigned integer) of octets transmitted from the interface (TX) of every VLAN during system’s uptime.
fwnVlanTotalOctets64 1.3.6.1.4.1.12356.118.2.2.2.1.7 Sum (64bit unsigned integer) of octets received and transmitted on/from the interface (RX and TX) of every VLAN during system’s uptime.
fwnVlanIndex 1.3.6.1.4.1.12356.118.2.2.2.1.8 Index (unique positive integer) of every VLAN.

FortiWAN – System Configurations

System Configurations

This topic elaborates on [System] and its submenus. Simple examples are given to illustrate how to configure [System] settings.

Summary

As soon as you log in to the web UI, you will see [System/Summary]. It shows you basic information on the system, including [System Information], [Peer Information] and [WAN Link State]. [Peer Information] is populated as soon as HA mode becomes active. As mentioned in “FortiWAN in HA (High Availability) Mode”, HA (High Availability) is hot backup. In HA mode, one FortiWAN is the primary system while the other is the backup system.

System Information / Peer Information

System Information

Version : The firmware version of the device.
Model/Max Bandwidth (Total RAM) : The model of the device and the bandwidth capability that the model supports. You can purchase a license for higher bandwidth capability from your Fortinet channel partner (See subsection “License Control” in “Administration”). For deployment of FortiWAN-VM, the Total RAM is displayed here rather than Max Bandwidth.
Serial Number : The serial number of the device.
Uptime : The time the device has been up and running.
Connections : The number of connections.
CPU Usage % : The CPU usage in percentage.
Packets/Second : The number of the packets that are processed per second.
VRRP State : The state of VRRP (Virtual Router Redundancy Protocol) – whether it is enabled. Note: When VRRP is enabled, HA will be disabled, and vice versa. (See “LAN Private Subnet”)
Hard Disk : The hard disk space that Reports uses is consumed by the growing report database. Once the disk space is used up, Reports will fail to continue log processing. This field monitors the disk space of Reports by displaying the total space and the consumed space. (See “Reports”)

 

License Status : This field is visible only when the model is FortiWAN-VM. It displays the status of the FortiWAN-VM license as follows:

Trial License is in use. (Expire in x days x hours x mins): This is a trial or evaluation license.

Valid: This is a permanent license.

Expired: This license has expired.

Click the Update button and upload your FortiWAN-VM license file to update your FortiWAN-VM appliance. You can request an evaluation or trial license from Fortinet Customer Support, or purchase a permanent license from your Fortinet channel partner.

Peer Information

Version : The firmware version of the slave.
Model/Max Bandwidth : The model of the slave and the bandwidth capability that the model supports. For deployment of FortiWAN-VM, only the model of the slave is displayed here, no Max Bandwidth and Total RAM.
Serial Number : The serial number of the slave.
Uptime : The time the slave has been up and running.
State : Normally, this field displays “Slave”.

During a reboot, this field displays “Rebooting”.

When a system panic happens, this field displays “Panic”.

When the peer unit is lost (powered off or Ethernet cable disconnected), this field displays “None”.

When the firmware version, FortiWAN model or throughput license is inconsistent with the local unit, this field displays “Incompatible”.

Note1: Connections may exceed 100 when FortiWAN is started, but will return to normal in a while. This happens because FortiWAN sends out ICMP packets to test the network.

Note2: Once HA becomes active, settings of master unit will be synchronized to slave unit automatically.

WAN Link State

[WAN Link State] shows you the number of WAN links enabled and their current status. The number of WAN links available for each FortiWAN may vary depending on models. In [WAN Link State], each WAN link is color-coded to indicate its status. See the color-coding scheme below:

  • Green: Active WAN link
  • Blue: Backup WAN link
  • Red: Failed WAN link

WAN Link State

WAN : Enabled WAN Link.
State : Current connection status.
IPv4 / IPv6 Address : The IPv4 or IPv6 address of the WAN port (See “Configuring your WAN”).
Note : The notes for the WAN link (See “Configuring your WAN”).

Get system information, peer information and WAN link state via SNMP

You can use an SNMP manager to get the system information, HA peer information and WAN link state. Configure SNMP for your FortiWAN unit (See “SNMP”) and you can read the information from the MIB fields via the SNMP manager. The corresponding MIB fields and OIDs are listed below:

SNMP field names and OIDs

MIB Field OID Description
fwnSysSlaveVersion 1.3.6.1.4.1.12356.118.1.2 Firmware version of the slave unit deployed with this local unit in HA mode.
fwnSysSlaveSerialNumber 1.3.6.1.4.1.12356.118.1.3 Serial number of the slave unit deployed with this local unit in HA mode.
fwnSysSlaveUptime 1.3.6.1.4.1.12356.118.1.4 Uptime of the slave unit deployed with this local unit in HA mode.
fwnSysSlaveState 1.3.6.1.4.1.12356.118.1.5 State of the slave unit deployed with this local unit in HA mode.
fwnSysConnections 1.3.6.1.4.1.12356.118.1.6 Number of connections that are being processed in the system.
fwnSysCpuLoad 1.3.6.1.4.1.12356.118.1.7 Current CPU load (in percentage) of the system.
fwnSysUsers 1.3.6.1.4.1.12356.118.1.8 Number of IP addresses connecting to the FortiWAN unit from the LAN and DMZ subnets.
fwnSysPktPerSec 1.3.6.1.4.1.12356.118.1.9 Number of packets transferred via the system every second.
fwnSysConnectionRates 1.3.6.1.4.1.12356.118.1.10 Number of connections that are established with the FortiWAN unit every second.
fwnWanStatus 1.3.6.1.4.1.12356.118.2.1.2.1.3 State of every WAN link: ok(1), failed(2), disabled(3), backup(4) and unknown(5).
fwnWanIP 1.3.6.1.4.1.12356.118.2.1.2.1.4 First one of the IP addresses deployed on the WAN port (localhost) of every WAN link.
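The WAN and VLAN tables above expose cumulative octet counters in both 32-bit and 64-bit widths, an integer-coded link state (fwnWanStatus) and two link failure/recovery event notifications. The following Python is an added example, not FortiWAN or Fortinet code: it shows what an SNMP poller has to do with those values to get per-link rates, why the 32-bit counters can wrap between polls on a fast link (which is what the *Octets64 columns are for), and how failure and recovery events correspond to status transitions. The counter samples and status values are constructed, not polled; the OID constants are the ones listed above.

```python
"""Turn polled FortiWAN SNMP values into per-WAN-link rates and status changes.

Added example, not FortiWAN code. It works offline on constructed counter
samples; in practice an SNMP manager supplies the values read from the OIDs
below (one instance per WAN link index).
"""

# OIDs from the tables above; the WAN link index is appended when polling.
FWN_WAN_STATUS = "1.3.6.1.4.1.12356.118.2.1.2.1.3"
FWN_WAN_IN_OCTETS = "1.3.6.1.4.1.12356.118.2.1.2.1.5"
FWN_WAN_IN_OCTETS64 = "1.3.6.1.4.1.12356.118.2.1.2.1.13"

# fwnWanStatus values as documented above.
WAN_STATUS = {1: "ok", 2: "failed", 3: "disabled", 4: "backup", 5: "unknown"}


def wan_status_name(value):
    """Map a polled fwnWanStatus integer to its name; anything else reads as unknown."""
    return WAN_STATUS.get(value, "unknown")


def counter_delta(prev, curr, bits):
    """Octets counted between two samples of a bits-wide unsigned counter.

    The counter is cumulative since uptime, so the delta is curr - prev; the
    modulo handles a single wrap of the 32-bit (or 64-bit) counter.
    """
    modulus = 1 << bits
    if not (0 <= prev < modulus and 0 <= curr < modulus):
        raise ValueError("sample does not fit a %d-bit counter" % bits)
    return (curr - prev) % modulus


def bits_per_second(prev_octets, curr_octets, interval_s, bits=32):
    """Average rate over one polling interval, from two octet-counter samples."""
    if interval_s <= 0:
        raise ValueError("polling interval must be positive")
    return counter_delta(prev_octets, curr_octets, bits) * 8 / interval_s


def max_safe_interval_s(link_bps, bits=32):
    """Longest polling interval that cannot miss a counter wrap at the given line rate.

    Polling less often than this on a busy link makes the 32-bit octet
    counters ambiguous, which is why the *Octets64 columns exist.
    """
    return (1 << bits) * 8 / link_bps


def status_changes(prev_status, curr_status):
    """Derive link failure/recovery events from two fwnWanStatus polls.

    Mirrors the two event notifications listed above: a link that moves to
    failed(2) is a failure; a failed link that moves to ok(1) is a recovery.
    """
    events = []
    for index in sorted(set(prev_status) | set(curr_status)):
        before = prev_status.get(index)
        after = curr_status.get(index)
        if after == 2 and before != 2:
            events.append((index, "failure"))
        elif before == 2 and after == 1:
            events.append((index, "recovery"))
    return events


# Constructed samples: WAN 1 wrapped its 32-bit counter between two polls 1 s apart.
PREV = {1: 4294967000, 2: 1000}
CURR = {1: 200, 2: 1250}

if __name__ == "__main__":
    for wan in PREV:
        print("WAN %d: %.0f bit/s" % (wan, bits_per_second(PREV[wan], CURR[wan], 1)))
    print(status_changes({1: 1, 2: 1}, {1: 2, 2: 1}))
```

At 1 Gbit/s a 32-bit octet counter wraps roughly every 34 seconds, so a poller that reads fwnWanInOctets less often than that cannot tell one wrap from several; on such links poll the 64-bit columns instead.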

See also

  • FortiWAN in HA (High Availability) Mode
  • LAN Private Subnet
  • Configuring your WAN
  • Reports

FortiWAN – Optimum Route Detection

Optimum Route Detection

FortiWAN’s Optimum Route is a particular load balancing algorithm which determines the best WAN link for Auto Routing and Multihoming by involving real Internet conditions in the calculation, while the other algorithms, such as By Round-Robin, By Connection and By Upstream/Downstream/Total Traffic, only focus on the loading between the FortiWAN device and the ISPs’ gateways. Optimum Route is used mainly to avoid inefficient transmission due to bad peering between ISPs. Peering between two ISPs is an interconnection of administratively separate Internet networks (belonging to the two ISPs individually) for the purpose of exchanging traffic between the users in each network. It allows the two ISPs to hand off traffic between each other’s customers directly, which might be the most efficient way to communicate between two networks if it is settlement-free. However, two situations might make the transmission between two ISP networks inefficient:

  • If there is no agreement between the two ISP networks to peer, transit service, which is a method to carry that traffic across one or more third-party networks (a few exchange points), will be required.
  • An ISP restricts the bandwidth for peering with another ISP for the purpose of business competition. The peering point thus becomes a bottleneck and might make the transmission between each other’s customers extremely slow.

Although the other balancing algorithms determine a good WAN link among multiple WAN links (multiple ISP networks) for inbound and outbound traffic, they are not aware of the real situations between those ISPs. For example, two WAN links of a FortiWAN device are connected to the ISP-A and ISP-B networks, and the peering between the two is bad. The non-Optimum-Route balancing algorithms might select the ISP-B WAN link for Auto Routing to transfer traffic destined to a server located in the ISP-A network (see Auto Routing). If the bad peering between ISP-A and ISP-B is the only exchange point for delivering the traffic, it is the bottleneck and the transmission will become slow. Conversely, those balancing algorithms may also select the IP of the ISP-B WAN link for Multihoming (see Multihoming) to answer DNS queries coming from the ISP-A network. Then the users in the ISP-A network suffer the bad peering when accessing services on FortiWAN through the ISP-B network.

The Optimum Route algorithm takes the opposite approach. It determines the optimum WAN link by looking at real Internet conditions, in two modes: static IP table and dynamic detect.

  • Static IP table: A static IP table is the set of IP addresses of an ISP network. Optimum Route evaluates the destination IP of outgoing sessions against the IP tables for Auto Routing, and the source IP of DNS queries against the IP tables for Multihoming. If the evaluated IP matches the IP table of an ISP, which means the ISP network that the evaluated IP belongs to is recognized, that ISP’s WAN link is the optimum route. Conceptually, this sends traffic directly through a WAN link connected to the ISP network that the traffic source or destination belongs to, so that the traffic does not cross a peering point. The same effect can also be achieved by specifying the source or destination filter with IP groups (See “IP Grouping”) in Multihoming or Auto Routing rules.
  • Dynamic detect: WAN links are dynamically evaluated according to the detected round-trip time (RTT) and the bandwidth loading. Bad peering shows up as a high RTT.

The following configurations define how Optimum Route detects the network to determine an optimum WAN link. To use the Optimum Route algorithm in Auto Routing and Multihoming, you must specify the algorithm “By Optimum Route” for an Auto Routing policy and an A/AAAA Record policy, and apply the policy to the corresponding filter rules and A/AAAA records. Without this, Optimum Route will never work even if the detection is configured. FortiWAN provides DNS Proxy to cooperate with Optimum Route to resolve an advanced issue caused by bad peering (See “DNS Proxy”).

Optimum Route Policy

Static IP Table Uses static IP table only.
Dynamic Detect Uses dynamic detection only.
Static, Dynamic Uses static detection first, then switches over to dynamic detection if static detection fails. [Static, Dynamic] is the default detection method.
Dynamic, Static Uses dynamic detection first, then switches over to static detection if dynamic detection fails.

Static IP-ISP Table

Enables matching against the IP address entries in the table to work out the optimum route. Administrators can add, delete or query IP entries in the table.

The static IP-ISP tables are the reference Optimum Route uses to recognize the ISP network that the source or destination IP of traffic belongs to, and so point the traffic to the corresponding WAN link, which is the optimum route. A static IP-ISP table contains the IP subnets of an ISP network. You have to maintain these IP subnets in a text file for creating an IP-ISP table. Each line of the text file indicates an IP subnet in the format Network IP/Prefix, for example:

3.0.0.0/8

211.1.0.0/16

Note that it is strongly suggested that an IP file contains the IP subnets of only one ISP, or Optimum Route might not run as expected. Prepare the IP files for the IP-ISP tables. The other component of a static IP-ISP table is the WAN parameter, which indicates the FortiWAN WAN links connected to the ISP’s network. Once traffic matches the IP subnets of an IP-ISP table, Optimum Route determines a WAN link from these candidates. An ISP’s IP subnets do not strictly have to be recorded in a single IP-ISP table (just make sure each IP-ISP table contains only one ISP). The IP subnets of an ISP can be split across multiple IP-ISP tables; just remember that Optimum Route evaluates traffic against the tables top down by first match, and picks one of the corresponding WAN links when a table is matched.

Table Name Name for the IP-ISP Table, such as an ISP’s name.
Setting Set the IP subnets of an ISP to the table.
Upload Upload the IP file of an ISP to save the ISP’s IP subnets to the static IP-ISP table. Click “Browse” to locate the IP file and click “Upload” to upload the file. You are required to upload an IP file (click “Upload”) first, then apply (click “Apply”) the settings of the IP-ISP table. Note that an IP table file is necessary to create a static IP-ISP table.

After saving the IP subnets to the table, you might continue maintaining (adding or removing) the IP subnets of the ISP. You can do this by editing the subnets in the Rule Setting field below, or by manually editing the IP file and re-uploading it to the table. Re-uploading an IP file overwrites the table’s original IP subnets.

Rule Setting After uploading the IP file to the table, you can manually edit it by adding/removing subnets to/from the IP table if necessary. Without uploading an IP file to the table first, it is ineffective to add/remove IP subnets to/from the table.
Subnet Address Specify a subnet address to add/remove to/from the table. The acceptable format is [network address/netmask] or [network address/prefix], such as 202.99.0.0/255.255.255.0 or 202.99.0.0/24. A single IP or an unusual subnet mask like “/255.255.255.255” or “/32” is unacceptable.
Action Select the action for the specified subnet.

Add to: Add the specified subnet to the static IP-ISP table.

Remove from: Remove the specified subnet from the static IP-ISP table.

Parameter Select the WAN links that are connected to the ISP network that this IP-ISP table indicates. Check the field of a WAN link to select it. Multiple selection is allowed if more than one WAN link is connected to the same ISP network. Ensure that the selected WAN links are actually connected to the ISP network that the table indicates, or Optimum Route might not run as expected.
IP Query Inquire if a single IP address is in the static IP table.

When the source or destination IP of a packet matches a static IP-ISP table, Optimum Route determines a WAN link from the intersection of the WAN parameters here and the corresponding WAN parameters of an Auto Routing policy or Multihoming A/AAAA record policy, according to the traffic loading on the WAN ports. For example:

Auto Routing policy: Label=By_OR, Algorithm=By Optimum Route, Parameter=1,2,3 (checked)

The matched IP-ISP table: Table Name=ISP_A, Parameter=2,3,4 (checked)

Traffic matching an Auto Routing filter rule is processed by Auto Routing according to the corresponding policy “By_OR”. Optimum Route is set to detect the network by static IP-ISP table. The destination IP of the traffic matches the ISP network of IP-ISP table “ISP_A”, to which WAN links 2, 3 and 4 are connected. Optimum Route determines a WAN link for Auto Routing from WAN link 2 and WAN link 3, which are the intersection of WAN links 1, 2, 3 (WAN parameters set in the AR policy) and WAN links 2, 3, 4 (WAN parameters set in the IP-ISP table). If the traffic loading on WAN port 2 is currently heavier than on WAN port 3, WAN link 3 will be the optimum link that Optimum Route chooses for Auto Routing, and the traffic will then be transferred through WAN link 3 by Auto Routing. For Multihoming with algorithm By Optimum Route, the process is similar.

Here are the situations that cause Optimum Route with IP-ISP table detection to return nothing to Auto Routing and Multihoming:

  • Optimum Route returns nothing when the evaluated packet source or destination IP does not match any of the IP-ISP tables. This might be because the collection of IP subnets of the ISP networks is incomplete. You can make the IP-ISP tables more complete by continuing to collect IP subnets and adding them to the tables. The more complete the IP subnets are, the better the effect Optimum Route brings.
  • Even if traffic matches an IP-ISP table, Optimum Route returns nothing when there is no intersection between Optimum Route’s WAN parameters and the Auto Routing (or Multihoming) policy’s WAN parameters. Make sure at least one WAN link is common to both.

If Optimum Route returns nothing to Auto Routing for the traffic, the traffic will be processed by Auto Routing according to the specified fail-over policy (see Auto Routing). If Optimum Route returns nothing to Multihoming for the query, Multihoming will answer with the IP address defined for the first WAN link in the A/AAAA record policy (see Multihoming).
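The static IP-ISP procedure above (an IP file in Network IP/Prefix format, the Subnet Address rules that reject single IPs and host masks, top-down first-match table evaluation, and the intersection of the table's WAN parameter with the policy's WAN parameter) can be reproduced end to end in a few dozen lines. The Python below is an added example, not FortiWAN or Fortinet code; the table contents, WAN link numbers and load figures are constructed, with ISP_A using the two subnet lines shown in the text and the policy/table WAN parameters of the worked "By_OR" example. It also shows the two cases in which detection returns nothing, which is where Auto Routing falls back to its fail-over policy.

```python
"""Static IP-ISP table lookup as described above.

Added example, not FortiWAN code. The IP files, WAN link numbers and load
figures are constructed; the rules follow the text: entries are written as
network/prefix or network/netmask, single IPs and host masks (/32) are
rejected, tables are evaluated top down by first match, and the chosen link
is the least-loaded member of the intersection of the table's WAN parameter
and the policy's WAN parameter. Detection returns None when nothing matches
or the intersection is empty.
"""
import ipaddress


def parse_subnet_entry(text):
    """Parse one table entry such as 202.99.0.0/24 or 202.99.0.0/255.255.255.0."""
    text = text.strip()
    if "/" not in text:
        raise ValueError("single IP address is not accepted: %r" % text)
    # strict=False masks off any host bits instead of rejecting the entry.
    net = ipaddress.ip_network(text, strict=False)
    if net.prefixlen == net.max_prefixlen:
        raise ValueError("host mask such as /32 is not accepted: %r" % text)
    return net


def is_valid_entry(text):
    """True if the entry would be accepted by parse_subnet_entry."""
    try:
        parse_subnet_entry(text)
        return True
    except ValueError:
        return False


def load_ip_file(lines):
    """Read an IP file (one subnet per line, blank lines ignored)."""
    return [parse_subnet_entry(ln) for ln in lines if ln.strip()]


class IspTable:
    """One static IP-ISP table: a name, its subnets and the WAN links to that ISP."""

    def __init__(self, name, subnets, wan_links):
        self.name = name
        self.subnets = list(subnets)
        self.wan_links = set(wan_links)

    def add(self, entry):
        self.subnets.append(parse_subnet_entry(entry))

    def remove(self, entry):
        net = parse_subnet_entry(entry)
        self.subnets = [s for s in self.subnets if s != net]

    def contains(self, ip):
        addr = ipaddress.ip_address(ip)
        return any(addr in s for s in self.subnets)


def match_table(tables, ip):
    """First table, top down, whose subnets contain ip; None if no table matches."""
    for table in tables:
        if table.contains(ip):
            return table
    return None


def optimum_route(tables, policy_wans, ip, load):
    """WAN link Optimum Route hands to Auto Routing/Multihoming for ip, or None."""
    table = match_table(tables, ip)
    if table is None:
        return None
    candidates = table.wan_links & set(policy_wans)
    if not candidates:
        return None
    # Least loaded candidate wins; the link number breaks ties.
    return min(candidates, key=lambda w: (load.get(w, 0.0), w))


# Constructed IP files and tables. ISP_A uses the two lines shown in the text.
ISP_A_FILE = "3.0.0.0/8\n211.1.0.0/16\n"
ISP_B_FILE = "202.99.0.0/255.255.255.0\n"
TABLES = [
    IspTable("ISP_A", load_ip_file(ISP_A_FILE.splitlines()), {2, 3, 4}),
    IspTable("ISP_B", load_ip_file(ISP_B_FILE.splitlines()), {1}),
]
POLICY_BY_OR = {1, 2, 3}                      # WAN parameter of the "By_OR" Auto Routing policy
LOAD = {1: 0.10, 2: 0.80, 3: 0.40, 4: 0.05}   # constructed current load per WAN port

if __name__ == "__main__":
    print(optimum_route(TABLES, POLICY_BY_OR, "211.1.5.9", LOAD))   # 3, as in the worked example
    print(optimum_route(TABLES, POLICY_BY_OR, "8.8.8.8", LOAD))     # None: no table matched
```

Because the tables are consulted top down, a subnet that appears in two tables is always attributed to the earlier one; keeping each file to a single ISP, as the text advises, is what makes the first match meaningful.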

Dynamic Detect

Optimum Route’s dynamic detection measures the round-trip time (RTT) to traffic targets and uses it in a dynamic calculation to determine the optimum WAN link for Auto Routing and Multihoming. Optimum Route sends detection packets to a target through all the enabled WAN links to collect the transmission latency between the FortiWAN device and the target via each WAN link (ISP). In Optimum Route, this RTT also represents the latency for data transmission through each WAN link between the FortiWAN device and the class C that the detection target belongs to. For example, if Optimum Route detects RTTs of 20 ms, 30 ms and 40 ms between FortiWAN and a target 211.21.1.100 through WAN links 1, 2 and 3, a reference table as follows will be maintained and cached for a while:

Subnet=211.21.1.0/24, WAN1=20ms, WAN2=30ms, WAN3=40ms

During the cache period, Optimum Route uses the cached values directly to calculate the optimum WAN link for any subsequent traffic whose target belongs to subnet 211.21.1.0/24. As for the targets, Optimum Route takes the destination IPs of outgoing session packets as the targets if they match the relevant Auto Routing policies, and the source IPs of DNS queries as the targets if they match the relevant Multihoming A/AAAA record policies.

To determine an optimum WAN link, Optimum Route evaluates the availability of the candidates by calculating a weight for each WAN link. The calculation of the weight involves the detected RTT and the current traffic loading, combined in a specified ratio. It might seem that the WAN link with the lowest RTT is the optimum one, but in practice data transmission to a target through a WAN link with a lower RTT but serious traffic congestion on the WAN port is not necessarily better than through a WAN link with a higher RTT whose WAN port is fully available.

To enable dynamic detection for Optimum Route, the following settings must be configured. They consist of three parts:

  • The protocol and procedure used for detecting RTT.
  • The time period for caching detected RTT.
  • The ratio of RTT and traffic loading for availability evaluation.

Detection Protocol ICMP and TCP are the protocols used to detect the RTT (Default: ICMP). ICMP (ping) or TCP (TCP connect request) packets are sent to a target through each of the enabled WAN links, and the system gets the RTTs from the responses. Here are the options for the detection protocol:

ICMP: Using ICMP for detections.

TCP: Using TCP for detections.

ICMP, TCP: Using ICMP for detections first. System will try TCP detection if the ICMP detections are declared failed.

TCP, ICMP: Using TCP for detections first. System will try ICMP detection if the TCP detections are declared failed.

Detection Period, in Seconds The time interval between retries if there is no response received for current detection. (Default: 3 seconds).
Number of Retries The number of times the system retries if detections continue to receive no response (Default: 3 retries). Retrying stops as soon as a response is received; if all retries receive no response, the system declares the RTT detection failed.
Cache Aging Period, in Minutes The time period to cache the detected results (Default: 2880 minutes, i.e. 2 days). After the cache is cleared, the system re-triggers detection for the same request.
Weight of Round Trip Time : Weight of Load A parameter used to calculate the optimum route. It shows how much round trip time (RTT) and link load account for in calculating the optimum route. Note: The smaller the field value is, the less it accounts for in optimum route calculation.
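The Dynamic Detect description above has two mechanical parts worth seeing in code: detected RTTs are cached per class C and discarded after the Cache Aging Period, and the candidate link is chosen from RTT and load combined in the configured ratio rather than from RTT alone. The Python below is an added example, not FortiWAN or Fortinet code. The cache logic follows the text; the scoring formula (a weighted sum of RTT, scaled against the slowest candidate, and load in [0, 1], using the Weight of Round Trip Time : Weight of Load values) is an assumption, since the page only states that the two are combined in the specified ratio. The RTTs are the 20/30/40 ms of the text's example and the load figures are constructed.

```python
"""Dynamic-detect bookkeeping for Optimum Route as described above.

Added example, not FortiWAN code. Detected RTTs are cached per class C (/24)
and discarded after the cache aging period; a candidate link is then chosen
from the cached RTTs and the current load. The scoring formula is an
assumption (weighted sum of RTT and load, each scaled to [0, 1]); the RTT
and load figures are constructed.
"""
import ipaddress


def cache_key(target_ip):
    """The class C an IPv4 detection target belongs to, e.g. 211.21.1.100 -> 211.21.1.0/24."""
    return ipaddress.ip_network(target_ip + "/24", strict=False)


class RttCache:
    """Detected RTTs per /24, aged out after the configured period (default 2880 minutes)."""

    def __init__(self, aging_minutes=2880):
        self.aging_s = aging_minutes * 60
        self._entries = {}  # /24 network -> (stored_at_seconds, {wan_link: rtt_ms})

    def store(self, target_ip, rtts, now_s):
        self._entries[cache_key(target_ip)] = (now_s, dict(rtts))

    def lookup(self, target_ip, now_s):
        """Cached RTTs for the target's /24, or None when absent or aged out (re-detect then)."""
        key = cache_key(target_ip)
        entry = self._entries.get(key)
        if entry is None:
            return None
        stored_at, rtts = entry
        if now_s - stored_at >= self.aging_s:
            del self._entries[key]
            return None
        return rtts


def link_score(rtt_ms, load, worst_rtt_ms, w_rtt, w_load):
    """Lower is better. Assumed formula: RTT scaled against the slowest candidate, load in [0, 1]."""
    rtt_term = rtt_ms / worst_rtt_ms if worst_rtt_ms > 0 else 0.0
    return (w_rtt * rtt_term + w_load * load) / (w_rtt + w_load)


def choose_wan(rtts, load, candidates, w_rtt=1, w_load=1):
    """Best-scoring candidate WAN link, or None if no candidate has a detected RTT."""
    usable = [w for w in candidates if w in rtts]
    if not usable:
        return None
    worst = max(rtts[w] for w in usable)
    return min(usable, key=lambda w: (link_score(rtts[w], load.get(w, 0.0), worst, w_rtt, w_load), w))


# Constructed detection result for target 211.21.1.100 and current port loads.
DETECTED = {1: 20, 2: 30, 3: 40}      # ms, as in the text
LOAD = {1: 0.90, 2: 0.10, 3: 0.10}    # WAN 1 has the best RTT but a congested port

if __name__ == "__main__":
    cache = RttCache()
    cache.store("211.21.1.100", DETECTED, now_s=0)
    rtts = cache.lookup("211.21.1.7", now_s=60)                     # same /24: served from cache
    print(choose_wan(rtts, LOAD, {1, 2, 3}))                        # 2: RTT and load weighed equally
    print(choose_wan(rtts, LOAD, {1, 2, 3}, w_rtt=1, w_load=0))     # 1: RTT alone
```

With equal weights the congested WAN 1 loses to WAN 2 despite its lower RTT, which is the point the text makes; setting the load weight to zero turns the choice back into a pure RTT comparison.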

FortiWAN – Port Speed/Duplex Settings

Port Speed/Duplex Settings

[Port Speed/Duplex Settings] enables you to configure the port speed and duplex transfer mode. Generally it is set to auto-detect by default, which works properly in most cases. Manual speed/duplex configuration is still necessary in the event that some older devices either do not support auto-detection or are incompatible with FortiWAN.

Port Name : The list of all physical ports on FortiWAN.
Status : The physical connection status of the port. It shows whether the port has been connected to other detectable network devices e.g. a hub.
Speed : The current speed of the port. It can be a value either manually set or auto-detected.
Duplex : The current duplex of the port. It can be a value either manually set or auto-detected.
Settings : You can opt for desirable settings, which can be manually set or auto-detected.
MAC Address : The MAC address of the port.
HA : Click to enable HA (switching between master and slave units) based on the status of network ports. While HA is enabled in FortiWAN, the port status of both master and slave FortiWAN units is compared to determine which unit should be selected as master. Once the number of functioning network ports on the master unit becomes lower than that on the slave unit, the slave unit is switched to master instead. (Only the status of the selected network ports is compared.) Note: This field is not available if VRRP has been enabled in the [Network Setting > LAN Private Subnet] setting page.