How to set up routing rules for Tunnel Routing

To perform Tunnel Routing, symmetric FortiWAN deployment is a basic requirement. Therefore, symmetric routing rules are also required for two-way data transmission. A routing rule here contains three basic elements that are

What is the traffic to be transferred by Tunnel Routing? Tunnel Routing filter traffic by Source, Destination and Service.

Which Tunnel Group is employed to transfer the traffic? Apply a predefined tunnel group to the specified traffic, then it will be transferred according to the how the tunnel group is defined; the balancing algorithm, the tunnels, the weight, the encryption and DSCP.

What to do if the Tunnel Group fails? A failed tunnel group means all the tunnels defined in the tunnel group are disconnected (detected by Tunnel Routing’s tunnel healthy detection mechanism). Therefore, it is necessary to specify another way for the traffic. Note that as long as one tunnel in a tunnel group remains connected, Tunnel Routing keeps employing the tunnel group for transmission.

Next we introduce the two ways, Routing Rule and Default Rule, to establish the routing rules for Tunnel Routing.

Routing Rules

This is the general way to set routing rules for Tunnel Routing. A routing rule contains the three basic elements above, which evaluates traffic by Source, Destination, Service, (Tunnel) Group and Fail-Over. Note that a routing rule sat on a FortiWAN site is required symmetrically for the opposite FortiWAN site, so that the bidirectional transmission is achieved.

If your TR network deployment requires more than 100 TR routing rules, replacing the TR routing rules with TR default rules will be suggested for better performance.

Tunnel Routing – Benchmark

To guarantee a performance aggregation transferring TR packets, FortiWAN requires equal quality for the WAN links employed in a tunnel group. The Benchmark here provides evaluation of WAN link quality for every single tunnel. Tunnels are judged in run trip time, packet loss and bandwidth. It is not suggested to employ a WAN link that is worse than others in a tunnel group.

Tunnel Routing’s Benchmark works as Client/Server mode. Test traffic is sent from the client site to the server site via every single configured tunnel, and then the benchmark results are reported at client site. Two steps to start Tunnel Routing’s Benchmark between two FortiWAN appliances (make sure the Tunnel Routing network is established between the two FortiWANs),

1. Specify one of the FortiWANs to be the benchmark server.
2. Start benchmark traffic from the benchmark client, the ForiWAN opposite to the benchmark server.

Start a benchmark server

From the WeB UI, the Tunnel Routing page, all the configured tunnel groups are listed in the Benchmark panel. To start the benchmark server on a FortiWAN for a tunnel group, you need:

1. Specify the port number on the Test Port field for sending/receiving the testing traffic. Note that the port number on both benchmark sites (Client/Server) must be identical. It will fail to receive testing packets if unequal port numbers are used by the two sites.
2. Click the button Start Test Server of the tunnel group that you want to test from the list (in Test Client Status block). This button will be switched to Stop Test Server while benchmark server is running; click it to stop the server.

While the benchmark server is running, a message Test server is running. Please do not change to another page or close browser will display and occupy the main page of Web UI. For all the administrator accounts, it become unable to apply new configurations to Tunnel Routing (the Apply button on Web UI becomes ineffective) during benchmark server is running. Web UI will allow apply configurations to other functions during benchmark server is running, but we suggest not to do this since changes to some functions such as Network Setting, Firewall or IPSec might interrupt benchmark server. During benchmark server running, you can switch Web UI main page to other functions, but a message Test server is running. Please stop it first displays when you turn the main page back to Tunnel Routing. This message reminds you the benchmark server is still running, and the Apply button of Tunnel Routing remains ineffective until you stop the server. Note that the benchmark server can work for only one tunnel group anytime; stop the server on one tunnel group to start it for another.

Start testing traffic from the benchmark client

For the symmetric FortiWAN sites of a tunnel routing network, benchmark client, the site that is opposite to the benchmark server, triggers the testing traffic. Similarly, all the configured tunnel groups are listed in Benchmark panel. To start benchmark traffic on the site you need:

1. Specify the port number on the Test Port field for sending/receiving the test traffic. Note that the port number on both benchmark sites (Client/Server) must be identical. It will fail to receive testing packets if unequal port numbers are used by the two sites.
2. Click the button Test of the same tunnel group that the opposite benchmark server is working for. You will be direct to a management panel to start benchmark testing. For a disable tunnel group, a error message This group is not enabled
3. In the testing management panel, you see all the tunnels of the tunnel group listed (IP addresses of the two endpoints of a tunnel), and two test cases provided:
   1. Single tunnel test: Click the Test button of a tunnel, testing traffic will be generated and sent to the opposite (the server side) of the tunnel. All the packets of the testing session will be sent through only the specified tunnel. This will bring out a testing result for evaluating performance of the specified tunnel.
   2. Tunnel group test: Click the Test button of the last item All Tunnels in Group (at the bottom of the table), testing traffic will be generated and sent to the opposite (the server side) of the tunnel group. All the packets of the testing session will be distributed over the tunnels of the tunnel group according to the configured algorithm of the tunnel group. This will bring out a testing result for evaluating performance of the tunnel group.
4. On the upper right corner of the table, there is a button Test All used to perform every Single Tunnel Testing and the Tunnel Group Testing one by one in a top-down order.
5. You can click Close to stop and leave the benchmark management panel.

Virtual Server & Server Load Balancing

Virtual Server is a method for single gateway machine to act as multiple servers while the real servers sit inside corporate network to process requests passed in from the gateway machine. Inbound traffic does not have to know where the real servers are, or whether there are just one or many servers. This method prevents direct access by users and therefore increases security and flexibility.

FortiWAN has built in virtual server and is capable of supporting various virtual server mapping methods. For example, different public IP addresses can be mapped to various real servers in LAN or DMZ. Or ports can be mapped to public IP address on different servers.

Virtual server are configured by designating and adjusting virtual server rules. Each rule specifies a mapping condition. It maps WAN IP address and a service (port or ports) to an internal server IP. The order of virtual server rules is like any other rule tables in FortiWAN as it also uses the “first match scheme”, viz. the first rule of request matched is the rule to take effect.

For example, a public IP address 211.21.48.196 and wants a web server on 192.168.123.16 to handle all the web page requests coming to this public IP address. To do this, a virtual server rule must be created with 211.21.48.196 to be its WAN IP, 192.168.123.16 to be its Server IP, and HTTP(80) to be its Service.

Virtual Server makes intranet (LAN) servers accessible for the internet (WAN). The private IP addresses assigned to intranet servers will become invisible to the external environment, making services accessible for users outside the network. Then FortiWAN is available to redirect these external requests to the servers in LAN or DMZ. Whenever an external request arrives, FortiWAN will consult the Virtual Server table and redirect the packet to the corresponding server in LAN or DMZ. The rules of Virtual Server tables are prioritized top down. If one rule is similar to another in the table, only the higher ranked one will be applied, and the rest will be ignored. In addition, Virtual Server enables to balance load on multiple servers, which is to distribute traffic over a group of servers (server cluster), making services highly accessible.

Virtual Server & Server Load Balancing

FortiWAN provides mechanisms to record, notify and analysis on events refer to the Virtual Server service, see “Log”, “Statistics: Virtual Server Status” and “Report: Virtual Server”.

IPv4 Virtual Server

IPv6 Virtual Server

Example 1

The settings for virtual servers look like:

• Assign IP address 211.21.48.194 to WAN1. Refer to [System] -> [Network Settings] -> [WAN Settings] for more regarding WAN IP configurations. l Assign IP address 211.21.33.186 to WAN2.

Virtual Server & Server Load Balancing

• Forward all HTTP requests (port 80) through WAN1 or WAN2 to the two HTTP servers 192.168.0.100 and 192.168.0.101 in LAN.
• Forward all FTP requests (port 21) through WAN1 or WAN2 to two FTP servers 192.168.0.200 and 192.168.0.201 in LAN.
• Assign 211.21.48.195 and 211.21.33.189 to WAN 1 and WAN2. Forward all requests to 211.21.48.195 or 211.21.33.189 to two SMTP servers 192.168.0.200 and 192.168.0.201 in LAN. l Forward all requests from 211.21.48.197 to 192.168.0.15 in LAN.

Note:

1. FortiWAN can auto-detect both active and passive FTP servers.
2. All public IPs must be assigned to WAN 1. To configure these IPs, go to “IP(s) on Localhost of the Basic Subnet” table in [System] -> [Network Settings] -> [WAN Settings] -> [WAN Link 1].
3. 21.48.197 does not belong to any physical host, and it must be assigned to WAN port.

Virtual server table for the above settings:

Example 2

The settings for virtual servers look like:

• Forward all the TCP port 1999 requests established between external network and public IP 211.21.48.194 to FTP Server@ TCP port 1999 at 192.168.0.100 in LAN.
• Note: Due to the nature of ftp protocol, in port style ftp-data connection, when ftp-control is used in port 1999, port 1998 will be taken by ftp-data.
• Enable external users to access WAN IP 211.21.33.186, and connect PcAnywhere to .LAN hosts. l Note: PcAnywhere uses TCP port 5631 and UDP port 5632. Refer to PcAnywhere software manual for more details.
• Enable external users to access WAN IP 211.21.48.194, and forward packets of TCP/UDP range 2000-3000 to host 192.168.0.15.

Note: Port range redirecting is supported as well.

Virtual server table for the settings above:

WAN Link Health Detection

WAN Link Health Detection

[WAN Link Health Detection] offers you insight into the health status of WAN links. It allows you to set up specific health detection criteria against each individual WAN link in network of multiple links. FortiWAN detects the connection status of the WAN link by sending out ICMP and TCP packets to targets, and determines the connection quality with data that reports back. [WAN Link Detection] lists a few fields to fulfill. Concerning about detection packets flooding, FortiWAN determines a WAN link alive without sending detection packets if inbound traffic on the WAN link is detected. The ICMP and TCP detection packets are sent only if no inbound traffic is detected.

For a single detection via ICMP / TCP packets, FortiWAN sends a ICMP or TCP packet (defineded in “Detection Protocol”) individually to multiple targets (defined in “Ping List / TCP Connect List” and “Number of Hosts Picked out per Detection”) via a WAN link (defined in “WAN Link”). FortiWAN determines the WAN link alive if receiving response from at least one of those targets in a time period (defined in “Detection timeout in milliseconds”), otherwise this detection is consider failed (FortiWAN will not judge whether a WAN link is down by just one detection failure). No matter whether a single detection succeed, FortiWAN continues the detection after seconds (defined in “Detection Period in Second”). The WAN link is determined as down only if multiple detections fail continually (defined in “Number of Retries”). WAN link health detection monitors the WAN links status which FortiWAN’s Summary, Auto Routing, Multihoming and Statistics will refer to.

WAN Link Health Detection

In ICMP packet detection, the optional list is:

Ping List: Lists the data of hosts (Destination IP: IPv4 or IPv6) available to ping detection. Each detection sends one ping packet to the IP address of a host that has been picked out randomly from the list. The TTL (Time to Live) of the ping packet is determined by Hops and generally defined as “3”. FortiWAN takes the TTL expired message as a legal response for a ICMP detection, even the detection packet is not delivered to the destination.

Note that always employ real external IP addresses (hosts in Internet) for the Ping List, gateway and hosts in near WAN are not appropriate destinations for the detection.

In TCP packet detection, the optional list is:

TCP Connect List: Lists the data of hosts (Destination IP: IPv4 or IPv6) available to TCP connect detection. Each detection performs TCP connect test for a host that has been picked out randomly from the list, and assigns a value to the TCP port.

A WAN link is determined alive if:

l A single detection succeeds. l Value of field “Number of hosts picked per detection” is sat to zero or “Ping List / TCP Connect List” is leaved blank. l “Ignore Inbound Traffic” is disable and inbound traffic on the WAN link is detected.

A WAN link is determined down if:

• All the detection retries fail. l No carrier signal detected (failures on cables or physical ports).

WAN Link Health Detection

• The WAN link is disable or a sleeping backup line. l A PPPoE or DHCP WAN link which fails to get a dynamic IP address.

FortiWAN provides statistics to the WAN Link Health Detection service, see “Statistics: WAN Link Health Detection”.

IPSec

FortiWAN’s IPSec VPN is based on the standard two-phase Internet Key Exchange (IKE) protocol, and two communication modes: tunnel mode and transport mode. IPSec is one of the popular standards for establishing a site-to-site VPN network. It contains the tunneling technology and strict security mechanisms. Different from the tunneling of IPSec VPN, FortiWAN’s Tunnel Routing has the advantages of bandwidth aggregation and fault tolerance. By integrating IPSec and Tunnel Routing, FortiWAN is fit for the requirement that an IPSec VPN with ability of bandwidth aggregation and fault tolerance.

We start the topic with IPSec VPN Concepts, which includes the descriptions of IPSec VPN overview, IPSec key exchange and How IPSec VPN works. The next topic describes how to set up FortiWAN IPSec VPN, see IPSec set up. IPSec VPN installation is divided into the stages as follows:

• The specifications of FortiWAN IPSec, see About FortiWAN IPSec VPN.
• Concern of planning a VPN deployment, see Planning your VPN. l Operations and configurations on Web UI, see IPSec VPN in the Web UI. l Necessary routing policies for the VPN (with scenarios), see Define routing policies for an IPSec VPN. l Basic setting for establishing IPSec VPN with FortiGate, see Establish IPSec VPN with FortiGate.

If you already have Tunnel Routing running and desire IPSec protection (IPSec Transport mode) on it, you could refer to the descriptions in IPSec VPN in the Web UI and the examples in Define routing policies for an IPSec VPN directly.

IPSec VPN Concepts

As we know, a private network (deployment of private IP addresses) is invisible, closed to public network (usually the Internet). Two private networks in geographically different location can not directly access each other through Internet. Virtual Private Network (VPN) is a concept that connects local and remote private networks over Internet to logically become one private network. An user in a local private network is capable to have accesses to resource in remote private network in a secure way through Internet, such as the access to remote private network of the headquarters office from (branch) local private network. Users of the two private networks access to each other without being aware of the VPN transmissions, just like they are physically in the same network.

The VPN concept implies two critical elements, a tunnel connecting two private networks over an intermediate network and a secure way transferring data through the tunnel (over an untrusted network), which make the virtual private network matches the properties of a physical private network, accesses among private IP address and invisibility to public network (data privacy). IPSec is just the technology designed to implement the two properties of VPN concept. A VPN network established by IPSec can be called IPSec VPN. It not only gives the tunneling implementation for connectivity of two incompatible networks, but also put emphasis on the strict security definitions.

IPSec VPN overview

VPN Tunnels

Tunneling is a technique to perform data transmission for a foreign protocol over a incompatible network; such as running IPv6 over IPv4, and the transmission of data for use within a private, corporate network through a public network. Tunneling is done by encapsulating and decapsulating data and information of the particular protocol within the incompatible transmission units symmetrically. IPSec protocol sets define the processes, which is the Tunnel Mode we will introduce later (See Modes of IPSec VPN data transmission), to deliver encryption protected data between incompatible networks by tunneling through an intermediate network. IPSec offers another option to deliver protected data end-to-end without tunneling, which is called Transport Mode (See Modes of IPSec VPN data transmission). It provides the flexibility to integrate other tunneling protocols with IPSec to establish a VPN network.

Secure data transmission

IPSec employs encryption and authentication of data packets for VPN transmission to ensures that any third-party from public network who intercepts the packets can not access the data and impersonate each endpoint. It protects the communications between two endpoints against malicious attacks from intermediate, untrusted network, so that privacy and authenticity are guaranteed to the communications. However, it is concerned that how the two endpoints securely share the encryption and authentication methods, and the correspondent secret key without compromising them to others. This is the major object that IPSec functions for. Once these security parameters are shared securely between the two entities, which is called a establishment of Security Association (See IPSec key exchange), the privacy and authentication of data transmission are guaranteed.

Basic IPSec VPN scenario

To connect two incompatible networks within an IPSec VPN network over an intermediate network, an IPSec VPN device is required to be deployed in front of each the network. The IPSec VPN devices (the FortiWAN units) establish an IPSec VPN tunnel with each other. Each of the IPSec VPN devices performs the processes to encrypt and encapsulate, or decapsulate and decrypt the incoming packets (from the network behind it or the opposite IPSec VPN device), and then forwards the packets to the destination (the opposite IPSec VPN device or the network behind it). The two incompatible networks, therefore, have the secure access to each other through the two IPSec VPN devices (the IPSec VPN tunnel established between the two devices). A host in the network communicates with a opposite host (in the opposite network) without running any IPSec VPN software; what they do is like performing a communication in the same network as usual. All the processes and details for a IPSec VPN communication are taken by the two IPSec VPN devices; hosts are not aware of this. The IPSec VPN devices are so-called IPSec VPN gateways, and this is the typical site-to-site VPN.

VPN tunnel between two private networks

The above diagram shows an IPSec VPN connection between two private networks, which two FortiWAN units (two endpoints of the VPN tunnel) functions as the IPSec VPN gateways for. The IPSec VPN tunnel is established through public IP addresses (for example 1.1.1.1 and 2.2.2.2) of FortiWAN’s WAN interfaces. FortiWAN A receives packets from site A network (192.168.1.0/24) with source IP 192.168.1.10 and destination IP 192.168.2.10 (site B network), and then performs:

• encrypt packets with shared security parameters (algorithms and secret keys) l encapsulate packets with a new IP header that source IP is 1.1.1.1 and destination IP is 2.2.2.2. l forward packets to the site B network (FortiWAN B) FortiWAN B receives the packets and performs:
• recover the encrypted packets by decapsulation l recover the original data and IP header by decryption l forward packets to host 192.168.2.10

Processes for traffic in the opposite direction are the same. From the standpoint of FortiWAN A, FortiWAN A is local unit and FortiWAN B is the remote unit, vice versa.

IPSec key exchange

After the basic concept of IPSec VPN introduced above, here comes the details of IPSec’s key exchange processes which is the major part to configure an IPSec VPN. As the previous discussion, IPSec performs data encryption and authentication for the VPN communications. The way to securely distribute a common secret key to each endpoint is essential to make the secure data transmission complete. After all, a encrypted data is no longer secure if its secret key is not safe or compromised. Before we take look into IPSec’s key exchange, a basic concept of encryption and authentication is introduced first.

Encryption

Encryption mathematically transforms data to meaningless random numbers. The original data is called plaintext and the encrypted data is called ciphertext. The opposite process, called decryption, performs the inverse operation to recover the original plaintext from the ciphertext. The process by which the plaintext is transformed to ciphertext and back again is called an algorithm. All algorithms use a small piece of information, a key, in the arithmetic process of converted plaintext to ciphertext, or vice-versa. IPSec uses symmetrical algorithms, which the same key is used for both encrypt and decrypt the data. The length of the key is one of the factors determining the security of an encryption algorithm. FortiWAN IPsec VPNs offer the following encryption algorithms, in descending order of security:

Authentication

In Information Security (or Cryptography), Authentication is the process of determining whether someone or something is, in fact, who or what it is declared to be. In authentication, one has to prove its identity to the remote one, and the identity will be verified by the remote one. A typical providing proof can be a certificate or username and password. In cryptography, a message authentication code (MAC) is a short piece of information used to authenticate a message—in other words, to provide integrity and authenticity assurances on the message. Integrity assurances detect accidental and intentional message changes, while authenticity assurances affirm the message’s origin. A MAC algorithm, sometimes called a keyed (cryptographic) hash function (however, cryptographic hash function is only one of the possible ways to generate MACs), accepts as input a secret key and an arbitrary-length message to be authenticated, and outputs a MAC (sometimes known as a tag). The MAC value protects both a message’s data integrity as well as its authenticity, by allowing verifiers (who also possess the secret key) to detect any changes to the message content. As with any MAC, it may be used to simultaneously verify both the data integrity and the authentication of a message. FortiWAN IPsec VPNs offer the following MAC algorithms, in descending order of security:

Security Association

To support secure communications (data encryption and authentication) between two VPN gateways, the common security attributes must be shared in advance, which are the cryptographic and authentication algorithms, encryption secret key and other necessary parameters. A common set of the security attributes maintained by two IPSec VPN gateways for an IPSec VPN tunnel is what called Security Association (SA), which is used to provide a secure channel and protect the communications between the two site networks. Each of the two IPSec VPN gateways encrypts/decrypts data according to the established Security Association. The process to establish a Security Association involves sharing and negotiation of the security attributes.

IKE key exchange

Internet Key Exchange (IKE) is the protocol used to establish a Security Association (SA), which is included in the IPSec protocol suite. The purposes of IKE are to l Negotiate an encrypt algorithm and an authentication algorithm l Generate a shared secret key to encrypt/decrypt IPSec VPN communications (data transmission).

Both are used by IPSec VPN to provide secure communications between two endpoints.

IKE consists of two phases, Phase 1 and Phase 2. The purpose of IKE Phase 1 is to establish a secure and authenticated channel, which is actually a Security Association (called ISAKMP SA as well), between two entities for further IKE Phase 2 negotiations. With the protection of ISAKMP SA, Phase 2 will then be performed to establish the final Security Association (called IPSec SA as well) used to protect the VPN communications (data transmission) between two sites. In other words, before users’ VPN communication starts (data packet being transferred to each other), the corresponding IKE Phase 1 and Phase 2 must be done to establish the SAs between the two VPN gateways. With the established SA between two VPN gateways, privacy and authenticity are so that guaranteed to the VPN communications (by encryption and authentication). Basically, IKE Phase 1 authenticates a remote peer and sets up a secure channel for going forward Phase 2 negotiations to establish the IPSec SA.

IKE Phase 1

Before we talk about the details of IKE Phase 1, let us have an overview on Phase 1’s Identity Verification (Authentication). The endpoint who begins the IKE Phase1 negotiation makes a declaration of who it is to the opposite endpoint, and the opposite endpoint verifies the identity. FortiWAN’s IPSec employs a pre-shared key to achieve the identity verification. The pre-shared key is a common key (similar to a password) pre-shared between the two entities who join in the Phase 1 negotiations. This pre-shared key is used for verification of the declared identity in a cryptographic system (MAC calculation of the identity). This mechanism is on the premise that the pre-shared key is never compromised to the third-party. Although it looks like a password, the pre-shared key, also known as a shared secret, is never sent by either endpoint during the processes of authentication. Actually, the pre-shared key is involved in the calculations of encryption keys, which is actually used for the authentication, at each endpoint.Unmatched pre-shared keys result in unmatched encryption keys, and indirectly cause the authentication in IKE Phase 1 failed.

Now back to the IKE Phase 1. Phase 1 achieves the following objectives to establish ISAKMP Security Association:

IKE Proposals negotiation

An IKE proposal is a set of necessary parameters for negotiations to establish a Security Association. The negotiation initiator offers opposite endpoint the proposals of the suggested encryption and authentication algorithms, the time-period that keys should remain active, and the strength of the keys used in Diffie-Hellman key exchange process. The opposite endpoint chooses an appropriate proposal and responds it to the initiator, so that the algorithms and other parameters used to protect data transmission between two endpoints are determined.

Generate the secret key for encryption

A secret key is necessary for the established ISAKMP Security Association to work with the determined encryption and authentication protocols. Therefore, except the negotiations of IKE proposals, a secret key must be determined and shared between the two entities during IKE Phase 1 negotiations. However, it is insecure to send a secret key directly to the opposite endpoint over the public network (no SA protection is offered during Phase 1 negotiations). Diffie-Hellman key exchange, which is a method used to securely exchange cryptographic keys over a public channel, is introduced to IKE to generate the secret key. The two entities running a Diffie-Hellman key exchange will start by exchanging key materials, which are public to third-party, via the public network. With the key materials, calculation of Diffie-Hellman key exchange performed on each of the endpoints derives a common value, which is a seed to generate the secret key we need. With the private and common seed, the two endpoints further calculate the common secret key, and so that the secret key is securely shared. Actually, the pre-shared key used for identity authentication is involved in the final calculations generating the secret key.

Authentication

Identity protection

The two endpoints running the Phase 1 processes declare its identity to each other. A pre-shared key between the two entities is used to verify the declared identity and thus prevent malicious attacks from counterfeit identity. With cryptographic method and the pre-shared key, one can prove its identity to the opposite end. Although it looks like a password, the pre-shared key, also known as a shared secret, is never sent by either gateway. Actually, it is involved in the generation of encryption secret key.

Message integrity

A message authentication code (MAC) not only verifies identity but also provides integrity and authenticity assurances on the exchanged messages. The MAC value protects both a message’s data integrity as well as its authenticity against man-in-the-middle attacks or tampering.

Main mode and Aggressive mode

Phase 1 parameters are exchanged in either Main mode or Aggressive mode:

In Main mode, the processes of IKE Phase 1 consists of six message exchanges. An IKE Phase 1 session begins with IKE proposals negotiations between initiator and responder (as the previous description). In the next two message exchanges, the necessary keying materials are exchanged to calculate the common secret key at both ends. For the last two exchanges, encrypted authentication information is exchanged to verify the identity and message integrity on each end.

In Aggressive mode, the processes of IKE Phase 1 is squeezed into three message exchanges. All data required for IKE proposal negotiation and Diffie-Hellman key exchange passed by the initiator and responder in the first two message exchanges. Unencrypted authentication information for sessions passed in the second and third message exchanges. Comparing with main mode, aggressive mode might not be such secure (weak identity protection and risk of pre-shared key crack), the advantage to aggressive mode is that it is faster than Main mode however. FortiWAN’s IPSec, however, does not support IKE Phase 1 in Aggressive mode, only Main mode is available.

The successful outcome of Phase 1 negotiations (either aggressive mode or main mode) establishes the ISAKMP Security Association, and the Phase 2 negotiation begins immediately. Phase 2 negotiations will be protected (encryption) within the ISAKMP Security Association.

IKE Phase 2

Under the protection of ISAKMP Security Association, IKE Phase 2 performs parameters negotiations to establish the IPsec Security Association which protects the subsequent IPSec VPN communications. IKE Phase 2 is processed in one mode called Quick Mode (New Group Mode is not supported by FortiWAN). Similar to Phase 1, in IKE Phase 2, another proposal of encryption and authentication algorithms is negotiated, shared secret keys are derived, and the negotiation sessions are authenticated. The negotiated encryption and authentication algorithms, derived secret keys and other necessary parameters, which are the successful outcome of IKE Phase 2, constitute the IPSec Security Association. So that the security association between two IPSec VPN gateways is established, and the VPN communications are so that protected.

Perfect Forward Secrecy, PFS

Perfect Forward Secrecy is a property of communication security that past session keys can not be compromised by the compromise of long-term keys if a session key is associated to the long-term key in some way. Actually, the shared secret key we introduced in IKE Phase 2 is derived by calculation with the secret key derived in IKE Phase 1 and some insecure (is public to any third-party) parameters (a Diffie-Hellman exchange is not involved in the calculation), if PFS is not enabled for IKE Phase 2. Once the secret key of IKE Phase 1 is compromised to an attacker, all the secret session keys derived in IKE Phase 2 might become compromised. With enabling PFS, the calculation of secret keys involves a new Diffie-Hellman exchange. The private key material of Diffie-Hellman exchange protects the session secret keys of IKE Phase 2 from the compromise of IKE Phase 1’s keys. However, system performance might be concerned if Diffie-Hellman exchange is performed twice (Phase 1 and Phase 2 individually) for a establishment of IPsec Security Association.

How IPSec VPN Works

So far we have a overview of IPSec concept and how the Security Associations are established. Before a further discussion, here is the IPSec VPN’s operation broken down into five main steps:

1. The initial packet matching correspondent IPSec VPN policies and attempting to pass through the IPSec VPN gateway triggers the IKE processes to establish Security Associations.
2. During IKE Phase 1, IKE proposals are negotiated, secret keys are shared and the two IPSec endpoints are authenticated. The ISAKMP SA is established for IKE Phase 2.
3. IKE Phase 2 negotiates new parameters and calculates new secret keys. The IPSec SA is established for VPN communications.
4. Communications over the two IPSec VPN gateways are protected according on the security parameters and keys stored in Security Association database. Data packets are encapsulated with ESP header and new IP header,and transferred over the IPSec VPN tunnel.
5. IPSec SAs terminate by timing out.

Modes of IPSec VPN data transmission

IPSec transfers the encrypted or authenticated IP packets (ESP or AH encapsulated packets) in a host-to-host transport mode, as well as in a tunneling mode. Packet exchanges during IKE Phase 1 and Phase 2 are nothing about the two modes.

Tunnel mode

IPSec Tunnel mode is commonly used for site-to-site communications by tunneling through incompatible networks. For example, it delivers protected communications between two private networks through Internet, which is a typical IPSec VPN. In IPSec tunnel mode, the original IP packet is entirely encrypted (not only the payload data but also the routing information are encrypted), and is encapsulated with a new IP header. With the new IP header encapsulation and decapsulation, two incompatible networks deliver encrypted packets to each other by tunneling through Internet.

Transport mode

IPSec Transport mode is used for communications between two end-stations (host-to-host). An end-station can be a IPSec gateway or just a host running IPSec server/client. Both are actually the destination to each other while communicating. The basic concept of IPsec Transport mode is that the original IP header is intact; the routing is neither modified nor encrypted. Transport mode only provides protection of the payload of the original IP packet by encryption. The two endpoints are supposed to be accessible to each other originally. Usually, Transport mode is applied to other tunneling protocols to provide protection of GRE/L2TP encapsulated IP data packets ( GRE/L2TP transmission over IPSec protection). FortiWAN IPSec Transport mode is only available for Tunnel Routing.

IPSec set up

After basic concept of IPSec introduced previously, this section focus on the introduction of FortiWAN’s IPSec and the configurations to set up FortiWAN’s IPSec. FortiWAN provides a complete VPN solution through the cooperation of Tunnel Routing and IPSec. FortiWAN’s Tunnel Routing is used to build a site-to-site VPN with bandwidth aggregation and fault tolerance over multiple WAN links. Moreover, with FortiWAN’s IPSec protection, Tunnel Routing delivers packets over secure channels.

About FortiWAN IPSec VPN

Specifications of FortiWAN’s IPsec VPN

Since FortiWAN’s IPSec is designed for applications of site-to-site VPN, it is functionally-limited comparing with standard IPSec protocol suite. However, FortiWAN’s IPsec still provides basic protections for tunneling communications. The specifications is listed as following:

Tunnel mode, Transport mode and Tunnel Routing

FortiWAN provides standard Tunnel mode to build IPSec VPN as the previous descriptions. By encapsulating the encrypted packet with a new IP header, a tunnel is established between two FortiWAN units so that IPSec packets can be delivered to the private networks deployed behind the two units through Internet (the public and untrusted network). This is what called IPsec VPN typically. Compare with FortiWAN’s Tunnel Routing, IPSec Tunnel mode can also establish multiple tunnels through different WAN ports (WAN interfaces) between two FortiWAN units, but bandwidth aggregation and fault tolerance are not available for the IPSec VPN transmission. It is unable to distribute the IPSec packets of a connection or the connections of a specified group over multiple IPSec tunnels; they are delivered through one of the tunnels fixedly.

Although FortiWAN’s Tunnel Routing (See “Tunnel Routing”) is the technology to distribute packets of one tunneling connection over multiple tunnels (bandwidth aggregation and fault tolerance are so that supported), it does not provide strict protection to the tunneling communications (the encryption function built-in Tunnel Routing is very simple and low security). For this reason, the major purpose of FortiWAN’s IPSec Transport mode is to provide Tunnel Routing transmissions an IPSec protection. Actually, the FortiWAN’s IPSec Transport mode is designed for Tunnel Routing only; an Transport mode IPSec SA can not be applied to the traffic except Tunnel Routing. By establishing an IPSec SA on every TR tunnel, Tunnel Routing’s GRE packets will be encrypted (ESP encapsulated) and be transferred through the specified interface (according to the specified TR algorithm) in IPSec Transport mode (the original routing of the GRE packet remains intact as the previous description). The ESP packets are decrypted on the opposite FortiWAN unit to recover the original GRE packets, and the subsequence is the normal Tunnel Routing processes, packet decapsulation, reassembly and forwarding (to the hosts behind the FortiWAN). The way for IPSec Transport mode to protect Tunnel Routing transmission is very flexible. For every TR tunnel of a tunnel group, it is your options to establish a IPSec SA protecting the TR tunnel or not. Tunnel Routing works normally under full and partial IPSec protection (full protection: each TR tunnel of a tunnel group is protected by a IPSec SA; partial protection: parts of the TR tunnels of a tunnel group are protected by IPSec SAs).

In conclusion, FortiWAN provides three methods to build a VPN network, which are Tunnel Routing, IPSec Tunnel mode and Tunnel Routing over IPSec Transport mode. Note that Tunnel Routing can not support dynamic IP and NAT pass-through (one of the features of Tunnel Routing, see “Dynamic IP addresses and NAT pass through” in “Tunnel Routing > How the Tunnel Routing Works”), if it is protected by IPSec.

Limitation in the IPSec deployment

FortiWAN IPsec has an intrinsic limitation in establishing ISAKMP Security Associations. For the establishment of ISAKMP SA between any two devices, one IP address of a WAN link of a FortiWAN device is restricted to participate in only one ISAKMP SA. The mapping of WAN link IP addresses for establishing ISAKMP SAs between any two devices must be one-to-one. The negotiations of ISAKMP SAs go to failure (the subsequent negotiations of IPSec SAs abort so that) if those Phase 1 configurations on any two FortiWAN devices contain a common WAN link IP address, no matter on the local side or remote side. The following diagrams give the clear explanation of this in details.

In the example above, the WAN link IP address mapping of ISAKMP SA 1 between FortWAN 1 and FortiWAN 2 is typical and correct. Both the WAN link IP addresses, 2.2.2.2 and 4.4.4.4, participate in only one ISAKMP SA, the ISAKMP SA 1. As for WAN link 3 on FortiWAN 2, its IP address 3.3.3.3 participates in ISAKMP SA 2 and ISAKMP SA 3 (more than one ISAKMP SA), which causes failure to establish ISAKMP SA 2 and ISAKMP SA 3. IPSec connections thus can not be established.

The above example indicates a valid IPSec deployment. The mapping of WAN link IP address for all the ISAKMP SAs between the two devices are in one-to-one relationship:

• ISAKMP SA 1: 2.2.2.2 – 4.4.4.4 l ISAKMP SA 2: 3.3.3.3 – 5.5.5.5 l ISAKMP SA 3: 1.1.1.1 – 6.6.6.6

The above diagram is anther example of valid IPSec deployment. There are three IPs deployed on FortiWAN 2’s WAN link 2 (See “Configuring your WAN”), and each IP address participates in only one ISAKMP SA.

• ISAKMP SA 1: 2.2.2.1 – 4.4.4.4 l ISAKMP SA 2: 2.2.2.2 – 5.5.5.5 l ISAKMP SA 3: 2.2.2.3 – 6.6.6.6

Considering the IPSec deployment among more than two FortiWAN devices as the above example.

Between any two FortiWANs, we cannot terminate traffic through multiple IPSec connections on the same local or remote IP address. This limitation exists in both of the IPSec types: IPSec Tunnel mode and IPSec Transport mode, so that Tunnel Routing over IPSec Transport mode is involved indirectly. You have to give careful consideration to the issue when planing how to deploy the IPSec VPN (and Tunnel Routing) between multiple FortiWANs.

Planning your VPN

Building a VPN between sites might involve complex association with sites and confusing configurations. Beginning hastily to configure settings without a comprehensive plan usually causes failure. Making a plan in advance for your VPN topology is a great help to the next VPN configurations. The following considerations help you determine the VPN topology and necessary information for configurations.

The locations of the sites that the site-to-site traffic originates from and needs to be delivered to l Choose the network sites that they need to communicate to each other through the VPN and define what kind of communication it is (what kind of services provided in a network site and what kind of services that users in a network site need to access).

The networks, individual hosts or server frames participating in the VPN communications l A network site consists of hosts, servers, and/or networks (private IP addresses deployment). You need to determine the participating private IP addresses (the source and destination of traffic) and make policies to permit traffic to pass through the VPN.

The VPN devices used to build the VPN

• A site-to-site VPN (tunnels) between two FortiWAN units, or a FortiWAN unit and a FortiGate unit. The network interfaces that two VPN devices communicate through l For any VPN tunnel between two VPN devices, you need to determine the participating network interface for each end-point. This implies the public IP addresses (local IP and remote IP) used to establish a VPN tunnel through Internet. Note that only static IP addresses are supported.
• One WAN interface cannot serve for more than one IPSec connectivity between any two FortiWAN devices. You need to take this for consideration when you determine the topology. See “Limitation in the IPSec deployment” for the details.

The VPN device interfaces that a private network accesses the VPN through l The private IP addresses associated with the VPN device interfaces to the private networks. Hosts in the private network behind the VPN device access VPN through these interface. Traffic is forwarded between the VPN tunnels and the private networks on each site. The types used to build the VPN l IPSec protected VPN without bandwidth aggregation and fault tolerance: IPSec Tunnel mode.

• IPSec protected VPN with bandwidth aggregation and fault tolerance: Tunnel Routing over IPSec Transport mode. l VPN with bandwidth aggregation and fault tolerance: Tunnel Routing (See “Tunnel Routing”).

IPSec VPN in the Web UI

The configurations introduced in this section are based on the deployment of FortiWAN-to-FortiWAN. For the IPSec VPN established between a FortiWAN unit and a FortiGate unit, see “Establish IPSec VPN with FortiGate”. This section focus on the configurations of IPSec protected VPN, IPSec Tunnel mode and Tunnel Routing over IPSec Transport mode. For configurations of Tunnel Routing, see “Tunnel Routing”.

To set up the IPSec VPN between two FortiWAN units, the following steps are necessary for each of the endpoints.

1. Define IKE Phase 1 parameters for establishment of ISAKMP Security Association with authenticated a remote peer.
2. Define IKE Phase 2 parameters for establishment of IPSec Security Association with authenticated a remote peer.
3. Create correspondent policies of NAT, Auto Routing (AR) and Tunnel Routing (TR) to correctly route the packets of IKE negotiations and IPSec VPN communications (will be discussed in next section, see “Define routing policies for an IPSec VPN”).

Configurations of IKE Phase 1

An IPSec VPN tunnel involves the connection of two FortiWAN units. Most of the settings used to establish an IPSec VPN tunnel are required to be corresponding on the both endpoints. Therefore, it is better to collect enough information in preparation for the configurations of an IPSec VPN tunnel.

Here are the items and information that you need to determine for IKE Phase 1 settings:

Defining the remote and local ends of the IPSec VPN tunnel

Basically, this is to specify the public IP addresses for the two ends (a local FortiWAN unit and a remote FortiWAN unit) of the IPSec VPN tunnel. The IPSec VPN tunnel is established through connection of the two public IP addresses. You need to determine the WAN link of a FortiWAN unit to connect with each other for an IPSec VPN tunnel; and the IP addresses deployed on the two WAN ports are actually the two ends (local IP and remote IP) of the IPSec VPN tunnel. FortiWAN’s IPSec VPN does not support dynamic IP addresses; it is only available for the WAN links that are deployed as Routing Mode, Bridge Mode: One Static IP or Bridge Mode: Multiple Static IP (see “Configuring your WAN” for details). For the settings of a IPSec VPN tunnel configured on the two endpoints, the Local IP of a FortiWAN unit becomes the Remote IP of the opposite FortiWAN unit and vice versa. An IPSec VPN tunnel consists of the IKE negotiations (for the security associations, SAs) and the data transmission tunnel; both are established through the two public IP addresses. You also have to give consideration to the limitation that we cannot deploy multiple IPSec connections between any two FortiWANs on the same local or remote IP address. See “Limitation in the IPSec deployment” for details.

A pre-shared key used to authenticate the FortiWAN unit to the remote unit

During the IKE Phase 1 negotiations, a FortiWAN unit need to authenticate itself to the remote unit by a preshared key. The two endpoints of an IPSec VPN tunnel share a common key in advance, so that they can authenticate itself to each other with the common key, like a password. You need to distribute the pre-shared key in a secure way. The pre-shared key configured on the two endpoints of a IPSec VPN tunnel must be equal, or the establishment of IPSec Security Association goes to failure (failed authentication results in failure of IKE Phase 1

and Phase 2.

The modes for parameters exchanging, Main mode and Aggressive mode, used for IKE Phase 1 negotiations

A FortiWAN unit exchange Phase 1 parameters with the remote unit in only Main mode. In Main mode, the Phase 1 parameters are exchanged in six messages with encrypted authentication information. As the previous introductions, Main mode gives securer authentication by a encryption with the negotiated secret key. By comparison, Aggressive mode is weak in authentication since the lack of encryption. However, with the simplified exchanging process, Aggressive mode is faster than Main mode indeed. Security and efficiency are the considerations you need to evaluate for IKE Phase 1 negotiations. Once it is determined, both the two endpoints must be configured with the same mode.

Enable Dead Peer Detection (DPD) or not

The connectivity between two endpoints communicating through IPSec may goes down unexpectedly due to routing problems, hardware broken, host rebooting, etc. In the situation, however, the IPSec entities are not aware of the loss of peer connectivity (availability of peer), and the security associations (SAs) of each peer remains. Packets of communication will continue being sent to oblivion, and reestablishment goes to failure. Dead Peer Detection (DPD) is such a method, by sending periodic HELLO/ACK messages, to confirm the availability of an IPSec endpoint, recognize a disconnection, reclaim the lost resources (SAs) and reestablish IKE negotiations automatically. When a disconnection is detected, the active ISAKMP SA and the correspondent IPSec SAs are removed and renegotiated immediately whether the secret keys expire or not.FortiWAN’s IPSec DPD is performed in the Always Send mode, which the detection messages are sent at configured intervals regardless of traffic activity between the peers (some products probe for a idle tunnel before sending DPD detection messages, but FortiWAN does not). Related SAs would be removed once a disconnection is recognized by FortiWAN’s IPSec DPD, but FortiWAN would not automatically perform the reestablishment (new establishment of the SAs is triggered only if an outgoing packets of the IPSec communication arrive at the FortiWAN unit).

Establish IPSec VPN with FortiGate

FortiWAN supports the IPSec VPN established with a FortiGate unit. However, the deployment of IPSec VPN established between FortiWAN and FortiGate is limited by the Spec. of FortiWAN’s IPSec (See “About FortiWAN IPSec VPN”). For example, IPSec Transport mode, IKE v2, authentication with certificates, IKE phase 1 aggressive mode, NAT traversal, dynamic IP address, and some algorithms are not supported for this deployment. An example for explaining how to set up a simple IPSec VPN (Tunnel mode) between a FortiWAN and a FortiGate is introduced below:

In this example, the common parameters for establishing IPSec SAs between the two units are as follows:

l Authentication Method: Pre-shared Key l Phase 1 Mode: Main (ID protection) l Dead Peer Detection: disable l Phase 1 Encryption: DES l Phase 1 Authentication: MD5 l Phase 1 DH Group: 5 l Phase 1 Keylife: 1200 Secs l Phase 2 Encryption: DES l Phase 2 Authentication: MD5 l Perfect Forward Secrecy (PFS): enable l Phase 2 DH Group: 5 l Phase 2 Keylife: 120 Secs

Configurations on FortiWAN

To set up the IPSec VPN, configurations of Network Setting, Auto Routing, NAT and IPSec are required on FortiWAN (See “Define routing policies for an IPSec VPN”).

Network Setting

WAN settings

Go to System > Network Setting > WAN Setting, and create a WAN link configuration:

For the details of WAN link setting, see “Configurations for a WAN link in Routing Mode”, “Configurations for a WAN link in Bridge Mode: One Static IP” and “Configurations for a WAN link in Bridge Mode: Multiple Static IP”.

LAN private subnets

Go to System > Network Setting > LAN Private Subnet, and create a LAN subnet configuration:

For the details of LAN private subnet setting, see “LAN Private Subnet”.

Auto Routing

Go to Service > Auto Routing, and create a policy and two IPv4 filters for IKE negotiations and IPSec communication.

Policy

IPv4 Filter

Two IPv4 filters: one for IKE negotiations, and another for general IPSec communication.

For the details of Auto Routing, see “Auto Routing”.

NAT

Go to Service > NAT, and create a NAT rule:

For the details of NAT, see “NAT”.

IPSec

Go to Service > IPSec, and create a Tunnel Mode:

Phase 1

Phase 2

So far, it is complete to set up the IPSec VPN on the FortiWAN side, configurations on the FortiGate side are introduced next. For the details of IPSec parameters, see “IPSec VPN in the Web UI”.

Configurations on FortiGate

To set up the IPSec VPN, configurations of Network, Router and VPN are required on FortiGate. For further information of FortiGate configurations, see FortiOS Handbook on Fortinet document site.

Network

Go to System > Network > Interface. Configure the setting for WAN 1 with IP address 10.12.136.180 on a physical interface.

VPN

Go to VPN > IPsec > Tunnels and click Create New.

Select “Custom VPN Tunnel (No Template)” and click Next to configure the settings as follows: Network

Authentication

Phase 1 Proposal

XAUTH

Phase 2 Selectors

Phase 2 Proposal

Router

Go to Router > Static > Static Routes, and click Create New to create two rules for WAN1 and the IPSec tunnel – IPSec_to_FWN_P1:

Firewall

Optional Services

As an edge device, FortiWAN provides other functions except the major traffic load balancing and fault tolerance. These optional functions are helpful to manage the network in all the ways.

Firewall

This section introduces how to set up the firewall. Unlimited number of rules can be added to the firewall rule list. The rules are prioritized from top to bottom that is rules at the top of the table will be given higher precedence over lower ranked ones. [IPv4 Rules] and [IPv6 Rules] are for configurations of IPv4 and IPv6 respectively.

FortiWAN provides mechanisms to record, notify and analysis on events refer to the Firewall service, see “Log” and “Reports: Firewall”.

Default rules

By default, FortiWAN’s firewall enables the following IPv4/IPv6 rules to deny some accesses coming from the Internet, which might cause general security issues:

1. When=All-Time & Source=WAN & Destination=Localhost & Service=HTTP(80) & Action=Deny
2. When=All-Time & Source=WAN & Destination=Localhost & Service=HTTPS(443) & Action=Deny
3. When=All-Time & Source=WAN & Destination=Localhost & Service=SSH(22) & Action=Deny
4. When=All-Time & Source=WAN & Destination=Localhost & Service=SNMP(61) & Action=Deny

Firewall

5. When=All-Time & Source=WAN & Destination=Localhost & Service=RIP(520) & Action=Deny
6. When=All-Time & Source=WAN & Destination=Any Address & Service=TCP@139 & Action=Deny
7. When=All-Time & Source=WAN & Destination=Any Address & Service=TCP@445 & Action=Deny
8. When=All-Time & Source=WAN & Destination=Localhost & Service=TCP@5432 & Action=Deny
9. When=All-Time & Source=Any Address & Destination=Any Address & Service=Any & Action=Accept

The ninth rule is fixed to be the last rule at the bottom for evaluation. Packets that do not match any other rule will match this rule and be accepted. This rule is unmodifiable. The second rule denies any HTTPS access to FortiWAN’s localhost from the Internet, which means it is unable to access to the Web UI through any WAN port. You can disable this rule or change Action to Accept to allow Web UI accessing throught WAN ports if no security issues are concerned. The sixth, seventh and eighth rules deny any access (coming from the Internet) of NetBIOS, Microsoft-DS Active Directory, Windows shares and Microsoft-DS SMB file sharing, and the Postgre SQL database system that FortiWAN uses for Reports.

Example 1

Rules for Filtering Packets l The users from the internet (WAN) can only access FTP Server 211.21.48.195 through port 21.

• The users from LAN can access all servers and hosts on the internet (WAN) through port 25 (SMTP), port 80 (HTTP), port 21 (FTP), and port 110 (POP3).
• All other packets are blocked.

The rules table for the example will look like this:

Firewall

Example 2

Rules for Filtering Packets l The users from the internet (WAN) can access server 211.21.48.195 inside DMZ through TCP port 7000. l The hosts 192.168.0.100 – 192.168.0.150 in the LAN can access the Internet (WAN) but the others cannot.

• Users from the Internet (WAN) cannot connect to the port 443 on FortiWAN (i.e. Web Administration on FortiWAN). Note: “Localhost” represents the address of FortiWAN host machine. l Users from LAN can access FTP server 192.192.10.1 through port 21.
• Users from the internet cannot ping FortiWAN . Note: To intercept ping messages, users can deny “ICMP” protocol in service type because ping is a type of “ICMP”. l Users from the LAN cannot access DMZ. l Users from the internet (WAN) cannot access LAN and DMZ.

The rules table for the example will look like this:

See also

l Busyhour Settings l Using the web UI l Reports: Firewall

NAT

FortiWAN is an edge server that is usually placed on the boundary between WAN and LAN. When a connection is established from a private IP address (in LAN or DMZ) to the internet (WAN), it is necessary to translate the private IP address into one of the public IP addresses assigned to the FortiWAN’s WAN link. This process is called NAT (Network Address Translation). FortiWAN provides the typical NAT (called S-NAT also) for sessions established from internal area. Once the private source IP address of outgoing packet of a session is translated to a public IP address, the mapping is kept in translation table and therefore the inbound traffic (from public area) of the session can be accepted and forwarded to the internal host who established the session.

With the typical NAT, two-way data transmission between an internal host and an external host is achieved, only if the internal host starts the sessions. An external host is unable to starts a session with an internal host via the typical NAT. FortiWAN’s 1-to-1 NAT gives the availability of two-way transmission between an internal host and an external host not only for sessions starting from the internal host but also for sessions starting from the external host.

FortiWAN provides log mechanism to the NAT service, see “Log”.

Default Rules

FortiWAN’s NAT Default Rules are the NAT rules (and IPv6 NAT rules) generated automatically by system according to the Network Setting of WAN links. Once a WAN link is sat up (See “Configuring your WAN”), the default rules are generated at the same time so that FortiWAN performs NAT automatically to packets coming from anywhere (except subnets in WAN or/and DMZ and static routing subnets of the WAN link) and going to be transferred via the WAN link. NAT default rules are varies according to how the WAN link is deployed. For example,

WAN link 1: Routing mode with a basic subnet (125.227.251.0/255.255.255.0) in WAN and DMZ, and the IP(s) on localhost are 128.227.251.80 and 128.227.251.81. System adds the default rules to WAN link 1 as following:

When = All-Time, Source = 125.227.251.0/255.255.255.0, Destination = Any Address, Service = Any, Translated = No NAT

When = All-Time, Source = Any Address, Destination = Any Address, Service = Any, Translated = 128.227.251.80

WAN link 2: Bridge mode: One Static IP, the IP on localhost is 125.227.250.10. System adds the default rules to WAN link 2 as following:

When = All-Time, Source = 125.227.250.10, Destination = Any Address, Service = Any, Translated = No NAT

When = All-Time, Source = Any Address, Destination = Any Address, Service = Any, Translated = 128.227.250.10

WAN link 3: Bridge mode: Multiple Static IP, 125.227.252.100-125.227.252.101 are deployed on localhost, 125.227.252.102-125.227.252.103 are deployed in WAN, 125.227.252.104-125.227.252.105 are deployed in DMZ. System adds the default rules to WAN link 3 as following:

When = All-Time, Source = 125.227.252.100-125.227.252.101, Destination = Any Address, Service = Any, Translated = No NAT

When = All-Time, Source = 125.227.252.104-125.227.252.105, Destination = Any Address, Service = Any, Translated = No NAT

When = All-Time, Source = Any Address, Destination = Any Address, Service = Any, Translated = 128.227.252.100

WAN link 4: Bridge mode: PPPoE, system adds the default rule to WAN link 4 as following:

When = All-Time, Source = Any Address, Destination = Any Address, Service =

Any, Translated = DynamicIP(DHCP/PPPoE)

The last rule translates source IP address of all packets into an IP address (localhost) of the WAN link. The second (or third) rule from the bottom ignores NAT to packets coming from subnets of the WAN link. Those default rules are added as the bottom rules to the top-down rule table. They are unable to be deleted and edited, unless the correspondent deployment of the WAN link changes. The default rules will translate source IP address of a matched packet into the first of the IP addresses that are assigned to localhost of the WAN link, which normally is a public IPv4 address or global IPv6 address. Therefore, packets with private source address (IPv4) or Link-Local source address (IPv6) are acceptable to Internet after the NAT process. However, even a packet comes with public source address (IPv4) or Global source address (IPv6), NAT is also performed if it matches the last rule. NAT default rules are based on deployment of a WAN link, deployment of LAN is regardless. Set NAT rules manually for advanced applications.

Similarly, system generates default rules for IPv6/IPv4 dual stack WAN links. Take the WAN link 1 above as example, if a IPv6 basic subnet 2001::/64 is deployed on WAN link 1 and the localhost is 2001::1, system adds the IPv6 default rules to WAN link 1 as following:

When = All-Time, Source = 2001::/64, Destination = Any Address, Service = Any, Translated = No NAT

When = All-Time, Source = Any Address, Destination = Any Address, Service = Any, Translated = 2001::1

Note that for FortiWAN V4.0.x, system does note generate IPv6 default rules for IPv6/IPv4 dual stack WAN link. It is necessary to add IPv6 default rules manually, or the IPv6 transmission might fail if its source IP address is a Link-Local address. Please refer to the examples above for this.

Non-NAT

Non-NAT is used for Private Network and MPLS Network where the host in WAN can directly access the host in DMZ, and where FortiWAN is used to balance VPN load and backup lines.

FortiWAN’s inbound and outbound load balancing (Auto Routing and Multihoming) distribute session over multiple WAN links. It’s necessary to make sure the correct NAT rules are applied to every enabled WAN link.

NAT Rules

As the previous description, FortiWAN provides typical NAT for out-going session (established from internal host to external host). Here we describe the NAT rules which specified how to translate source IP address of a outgoing packet into specified IP address of the WAN link. Incoming packets from a external host can be accepted and forwarded to the correct internal host only if a out-going packet has already be translated and transferred to the same external host. NAT rules are separated into IPv4 NAT rules and IPv6 NAT rules, which are used to translate a IPv4 address to another IPv4 address and translate a IPv6 address to another IPv6 address respectively. You will see the default rules at the bottom of the two rule tables, if IPv4 and/or IPv6 addresses are deployed on localhost of the WAN link.

IPv4 NAT Rules

Customized rules for IPv4-to-IPv4 NAT on a specified WAN link (select from the drop-down menu WAN above).

IPv6 NAT Rules

Customized rules for IPv6-to-IPv6 NAT on a specified WAN link (select from the drop-down menu WAN above).

1-to-1 NAT Rules

1-to-1 NAT maintains a fixed 1-to-1 mapping (binding) between internal IP addresses and the IP addresses of a WAN link’s localhost (also called external addresses here), which requires the same amount of IP addresses on both sides. Therefore, both a internal host and external host can launch sessions to each other. 1-to-1 NAT supports translation for IPv4 only.

For any out-going packet (no matter a internal or a external host launch the session), if the packet matches a 1-to1 NAT rule on When, Internal Address (Source) and Service, source IP address of the packet will be translate to correspondent external address specified in the rule. For any in-coming packet (no matter a internal or a external host launch the session), if the packet matches a 1-to-1 NAT rule on When, External Address (Destination) and Service, destination IP address of the packet will be translate to correspondent internal address specified in the rule.

Enable NAT

Example: To translate packets from local machine 192.168.123.100 to public IP address 172.31.5.51, check “Enable NAT”, and select WAN #1, then check “Enable”. The NAT rule settings look like:

Disable NAT

Disable NAT sets FortiWAN to Non-NAT mode whereby all the WAN hosts can acccess DMZ hosts directly with proper routing setup. In this mode, FortiWAN acts as a router connecting multiple subnets.

Note: Once NAT is disabled, it is disabled on all the WAN Links.

Example: Non-NAT Settings

Persistent Routing

Non-NAT is commonly used on Private Network and MPLS network, which makes possible for the hosts of the branch office to directly access the headquarters. In case that ISP 1 is down, FortiWAN will automatically route the link to ISP 2, and, accordingly, serve as VPN load balancer based on the status of each link.

Persistent Routing

Persistent routing is used to secure subsequent connections of source and destination pairs that are first determined by Auto-Routing in FortiWAN. It is useful for applications require secure connection between the server and client whereby client connection will be dropped if server detects different source IP addresses for the same client during an authenticated and certified session. PR ensures that the source IP address remains unchanged in the same session.

Timeout: For every session (pair of source and destination), if there is no packets occured during the timeout period, records of persistent route of the session will be cleared. That means the next coming connection of the session will be routed by the auto-routing rules first.

FortiWAN provides mechanisms to record, notify and analysis on events refer to the Persistent Routing service, see “Log” and “Statistics: Persistent Routing”.

IPv4/IPv6 Web Service Rules

Sets persistent routing rules on Web services. Enable this function, and all the http and https connections established from source IP specified below to destination port 80 and port 443 are governed by Web Service Rules.

IPv4/IPv6 IP Pair Rules

Sets persistent routing rules on IPv4/IPv6 addresses. Enable this function, and all connections established from the source IPv4/IPv6 to destination IPv4/IPv6 specified below are governed by IPv4/IPv6 IP Pair Rules.

E    :   Check the box to enable the rule.

When    :   Options: Busy hour, Idle hour, and All-Time (See “Busyhour Settings”).

Source    :  Established connections from the specified source will be matched (See “Using the web UI”).

Persistent Routing

Persistent routing is often used when destination servers check source IP. The function is performed on most secure connections (e.g. HTTPS and SSH). To prevent the connections from being dispatched over a diverse range of WAN links, persistent routing serves the best solution for maintaining connections over a fixed WAN link.

See below for how auto-routing is related to persistent-routing:

Once a connection is established, auto-routing rules are applied to determine the WAN link to be used.

Subsequent connections with the same destination and source pair obey the rules formulated in the persistent routing table. Note that the device will consult the rule table whenever established connections are to be sent to new destinations.

Auto-routing will be reactivated once in persistent routing the interval between two successive connections are longer than timeout period. A second connection will be considered as a “new” one. Then auto-routing will secure the connection to go through a different WAN link.

Example 1

The persistent routing policies to be established accordingly:

• In LAN, established connections from IP address 192.168.0.100 to 192.168.10.100 are NOT to be routed persistently. l Established connections from DMZ to LAN are NOT to be routed persistently.
• Established connections from LAN to the host IP ranging from 10.10.1.1 ~ 10.10.1.10 are NOT to be routed persistently. l Since the default action by IP Pair rules is Do PR, if no rule is added, all connections will use persistent routing.

Then persistent routing table will look like:

Example 2

The persistent routing policies to be established accordingly:

HTTP and HTTPs connections from the subnet 192.168.0.0/24 in LAN use persistent routing.

HTTP and HTTPs connections from WAN use persistent routing.

Persistent Routing

As there is no default action set by Web Service Rules, if no rule is added, all connections will be based on IP Pair Rules to determine whether to use persistent routing.

The persistent routing table should look like:

Example 3

The persistent routing policies to be established accordingly:

HTTP and HTTPs connections from LAN hosts with IP range 192.168.0.10~192.168.0.20 use persistent routing, but this does not apply to other services except IP address 192.168.0.15.

HTTP and HTTPs connections from subnet 192.168.10.0/24 to 192.192.10.100 use persistent routing. But this does not apply to other connections.

Connections from IP address 211.21.48.196 in DMZ to the WAN subnet 10.10.1.0/24 in WAN do NOT use persistent routing.

Since the default action by IP Pair Ruels is Do PR, if no rule is added, all connections will use persistent routing.

Then persistent routing table will look like:

Note: Rules are matched top down. Once one rule is matched, the rest will be ignored. In this case, the connections from 192.168.0.15 may meet the criteria of the first and second IP Pair rules, only the first rule will be applied. Hence the rules will not perform NoPR on 192.168.0.15 even though it matches the second rule.It shall be noted that Web Service Rules are prioritized over IP Pair Rules. As 192.168.10.0/255.255.255.0 is configured to be NoPR in IP Pair Rules, but DoPR in Web Service Rules, HTTP connections will still apply persistent routing.

Bandwidth Management

Bandwidth Management (BM) allocates bandwidth to applications. To secure the bandwidth of critical applications, FortiWAN Bandwidth Management (BM) defines inbound and outbound bandwidth based on traffic direction, i.e. take FortiWAN as the center, traffic flows from WAN to LAN is inbound traffic, otherwise, it is outbound traffic. No matter which direction a connection is established in, a connection must contain inbound traffic and outbound traffic. The section will mainly explain how to guarantee bandwidth based on priority settings, and how to manage inbound and outbound traffic by configuring busy/idle hours, data source/destination, and service type, etc.

Bandwidth Management consists of Classes and Filters (IPv4/IPv6). Click “Expand Link Settings” or “Collapse Link Settings” to show or hide configuration details of links and bandwidth limit.

FortiWAN provides mechanisms to record, notify and analysis on events refer to the Bandwidth Management service, see “Log”, “Statistics: Bandwidth” and “Report: Bandwidth Usage”.

Inbound BM and Outbound BM

Bandwidth Management is divided into inbound BM and outbound BM, which are used to control the inbound traffic and outbound traffic respectively on each WAN port. Packets (network streams) that are transferred inward (from WAN to LAN, DMZ or localhost) on a WAN port are counted to inbound traffic; packets that are transferred outward (from LAN, DMZ or localhost to WAN) on a WAN port are counted to outbound traffic. Therefor, both inbound BM and outbound BM are required if you would like to control a connection in the two ways (Bandwidth Management ignores the direction of a connection, the initiator of the connection). BM policy consists of BM classes and filters. A BM class defines the bandwidth to allocate applications on each WAN port, while a BM filter defines the associated application by source, destination and service of the packets. According to the associated inbound/outbound classes, bandwidth is allocated to the inbound/outbound traffic that is defined in an inbound/outbound filter.

Inbound & Outbound Classes

An inbound/outbound class defines how to allocate bandwidth to the specified traffic. Specified traffic associated with the class can be controlled according to the WAN link it passes through and the time it is generated, and bandwidth is allocated according to settings of Guarantee, Max and Priority.

Inbound & Outbound IPv4/IPv6 Filter

A filter is used to evaluate the traffic passing through FortiWAN by its source, destination and service. Traffic matches the filter will be associated to the corresponding BM class, so that the traffic is shaped according to the bandwidth allocation of the class. The source and destination here mean the actual initiator and terminator of the inbound/outbound traffic, no matter whether the traffic is processed by NAT or Virtual Server.

Managing Bandwidth for Tunnel Routing and IPsec

Bandwidth Management is capable to control the original traffic that is encapsulated by Tunnel Routing or IPSec

VPN. Traffic that is going to be transferred outward through Tunnel Routing or IPSec VPN will be processed by

Bandwidth Management before encapsulating, and traffic that is transferred inward through Tunnel Routing or IPSec VPN is controlled by Bandwidth Management after decapsulating. In other words, FortiWAN’s Tunnel Routing and IPSec are transparent to Bandwidth Management (and the corresponding BM log and statistics). Bandwidth Management can only recognize the original applications (by matching a filter on the Service) that is going to be encapsulated or has been decapsulated by Tunnel Routing or IPSec. The GRE and ESP packets generated by FortiWAN are invisible to Bandwidth Management.

To control Tunnel Routing or IPSec transmission by Bandwidth Management, please make sure a Bandwidth Management filter is defined correctly (on the source, destination and service) to match its original packets. If you would like to control the overall Tunnel Routing or IPSec transmission no matter what the original services it is, try to classify the traffic by its Source and Destination; the Source and Destination of the Routing Rules of Tunnel Routing, or the Source and Destination of the Quick Mode selectors of IPSec Tunnel mode (See “How to set up routing rules for Tunnel Routing” and “IPSec VPN in the Web UI”).

Traffic shaping by Bandwidth Manage takes place before Tunnel Routing and IPSec encapsulations. Traffic of an application is counted together in BM logs no matter whether it is transferred through Tunnel Routing and IPSec, thus you cannot recognize the traffic statistics as a Tunnel Routing (includes Tunnel Routing over IPSec Transport mode), IPSec (Tunnel mode) or general transmission from the BM logs by the PROTO field (See “Log > View”). As for FortiWAN Reports, statistics of the traffic that is transferred through Tunnel Routing is indicated as GRE in the reports but it is unable to drill down to the individual services. On the other hand, you cannot recognize a traffic as FortiWAN’s IPSec in the service report pages, traffic that is transferred through FortiWAN

IPSec is separated into individual services. See “Traffic Statistics for Tunnel Routing and IPSec” for the details.

Note that during the period system applying the configurations of Bandwidth Management (click the Apply button on Web UI), traffic passing through FortiWAN will be blocked for a while.

Scenarios

Example 1 Inbound BM

The maximum bandwidth limited for internet users to transfer emails to mail server 211.21.48.197 in DMZ during both busy and idle periods is 128K on WAN1, 64K on WAN2, and 128K on WAN3. The guaranteed bandwidth on WAN1, WAN2 and WAN3 is zero.

The maximum bandwidth limited for hosts in LAN zone to download data from internet web servers during both busy and idle periods is 128K on WAN1, 64K on WAN2, and 64K on WAN3. The guaranteed bandwidth on WAN1, WAN2 and WAN3 is zero.

During the busy period, the maximum bandwidth limited for 192.168.0.100 to download data from internet FTP servers is 50K on WAN1, 30K on WAN2 and WAN3. The guaranteed bandwidth on WAN1 is 20K, and zero on WAN2 and WAN3. During the idle period, the maximum bandwidth limited for 192.168.0.100 to download data from internet FTP servers is 50K on WAN1, 200K on WAN2 and WAN3. The guaranteed bandwidth is 20K on WAN1, 100K on WAN2 and WAN3. The bandwidth is prioritized as “High” during both busy and idle periods.

During the busy period, the maximum bandwidth limited for internet users to upload data to FTP server

211.21.48.198 in DMZ is 500K on WAN1, 256K on WAN2 and WAN3. The guaranteed bandwidth on WAN1 is

200K, and zero on WAN2 and WAN3. During the idle period, the maximum bandwidth limited for internet users to upload data to FTP server 211.21.48.198 in DMZ is 500K on WAN1, 300K on WAN2 and WAN3. The guaranteed bandwidth is 200K on WAN1, WAN2 and WAN3. The bandwidth is prioritized as “Low” during both busy and idle periods.

Filter Settings

There are two possible scenarios for inbound data. One is local host downloading data from a remote FTP server in WAN, the other is a remote user in WAN uploading data to FTP in LAN. In both two scenarios data are sent from WAN to LAN. Thus it is necessary to configure BM rules for the scenarios on the Inbound BM page.

Example 2 Inbound BM

During the busy period, the maximum bandwidth limited for hosts in LAN zone to download data from FTP server 192.192.10.10 is 128K on WAN1, 128K on WAN2, and 64K on WAN3. During the idle period, the maximum bandwidth limited for hosts in LAN zone to download data from FTP server 192.192.10.10 is 512K on WAN1, WAN2 and WAN3. The guaranteed bandwidth on WAN1, WAN2 and WAN3 is zero during both busy and idle periods.

During the busy period, the maximum bandwidth limited for hosts 192.168.0.10 ~ 192.168.0.50 in LAN zone to download data from internet web servers is 128K on WAN1, 256K on WAN2 and WAN3. The gauranteed bandwidth is zero on WAN1, 128K on WAN2 and 64K on WAN3. During the idle period, the maximum bandwidth limited for hosts 192.168.0.10 ~ 192.168.0.50 in LAN zone to download data from internet web servers is 128K on WAN1, 512K on WAN2 and WAN3. The guaranteed bandwidth is zero on WAN1, WAN2 and WAN3. The bandwidth is prioritized as “Low” on WAN2 and WAN3 during both busy and idle periods.

During the busy period, the maximum bandwidth limited for hosts in a subnet 192.168.100.0/24 in LAN to download data from internet FTP servers is 50K on WAN1, 64K on WAN2 and WAN3. The guaranteed bandwidth on WAN1 is 20K, and zero on WAN2 and WAN3. During the idle period, the maximum bandwidth limited for hosts in a subnet 192.168.100.0/24 in LAN to download data from internet FTP servers is 20K on WAN1, 128K on WAN2 and WAN3. The guaranteed bandwidth is 20K on WAN1, 32K on WAN2 and WAN3. The bandwidth is prioritized as “High” during both busy and idle periods.

Configuring inbound BM class table

Filter Settings

Example 3 Outbound BM

During the busy period, the maximum bandwidth limited for internet users to download data from FTP server 211.21.48.198 in DMZ is 128K on WAN1 and WAN2, and 64K on WAN3. During the idle period, the maximum bandwidth limited for internet users to download data from FTP server 211.21.48.198 in DMZ is 512K on WAN1, WAN2 and WAN3. The guaranteed bandwidth on WAN1, WAN2 and WAN3 is zero during both busy and idle period.

During the busy period, the maximum bandwidth limited for internet users to receive emails from mail server 211.21.48.197 in DMZ is 128K on WAN1 and WAN2, and 256K on WAN3. During the idle period, the maximum bandwidth limited for internet users to receive emails from mail server 211.21.48.197 in DMZ is 128K on WAN1 and WAN2, and 512K on WAN3. The guaranteed bandwidth on WAN1, WAN2 and WAN3 is zero. The bandwidth is prioritized as “Low” during both busy and idle periods.

During the busy period, the maximum bandwidth limited for internet users to download data from a virture FTP server 192.168.0.100 in LAN is 200K on WAN1, 100K on WAN2 and WAN3. The guaranteed bandwidth on WAN1 is 100K, and 50K on WAN2 and WAN3. During the idle period, the maximum bandwidth limited for internet users to download data from a virture FTP server 192.168.0.100 in LAN is 512K on WAN1, WAN2 and WAN3. The guaranteed bandwidth is on WAN1, WAN2 and WAN3 is zero. Note: When configuring filters on virtual servers, specify the private IP assigned to the virtual server and not the translated public IP.

During the busy period, the maximum bandwidth limited for hosts in a remote subnet 10.10.10.0/24 to download data from FTP server 211.21.48.198 in DMZ is 128K on WAN1 and WAN2 and 256K on WAN3. During the idle period, the maximum bandwidth limited for hosts in a remote subnet 10.10.10.0/24 to download data from FTP server 211.21.48.198 in DMZ is 256K on WAN1 and WAN2, and 512K on WAN3. The guaranteed bandwidth is zero on WAN1, WAN2 and WAN3, and the bandwidth is prioritized as “Low” during both busy and idle periods.

Settings for BM classes above

Filter Settings

Connection Limit

Two possible scenarios for upstream data: e.g. FTP (scenario 1), is that local host uploads data from a remote

FTP server in the WAN. The other scenario is a remote user in WAN downloads data from a FTP server in the LAN. Both of these scenarios are sending data from LAN to WAN. Thus configuring BM rules for these two scenarios on the inbound BM page is necessary.

See also:

• Busyhour Settings l Using the web UI l Log
• Statistics: Bandwidth l Report: Bandwidth Usage

Connection Limit

Connection Limit is a feature that restricts the number of connections to remain below a certain specified limit. When the number of connections exceeds that limit, the system will automatically log the event (if logging is enabled). Connection limit can detect exceptionally high volumes of traffic caused by malicious attacks. FortiWAN protects the network by rejecting connections above the threshold.

Configurations of Connection Limit are divided into 2 sections: Count Limit and Rate Limit. Configuration of Count Limit is aimed to limit the number of total connections biult by one IP address simultaneously; that is to say the request of new connection via this IP address will be denied, once the count of connections reaches the connection number specified in this section. On the other hand, configuration of Rate Limit is aimed to restrict the number of connections built by one IP address every second. The source of connection can be from any of the following options: IP address, IP Range, Subnet, WAN, LAN, DMZ, Localhost, and any specific IP address.

FortiWAN provides mechanisms to record, notify and analysis on events refer to the Connection Limit service, see “Log”, “Statistics: Connection Limit” and “Report: Connection Limit”.

Log Interval

Log Interval         :     The log interval determines how often the system records when the number of the connections exceeds the limit defined in the rules table.

Rules – Count Limit

Source    :   Match connections from a specified source (See “Using the web UI”).

Count    :    Set the limit for maximum number of the connections.

Cache Redirect

L         :     Check to enable logging. If the box is checked, logging will be enabled. Whenever the rule is matched, the system will record the event to the log file.

Rules – Rate Limit

Cache Redirect

FortiWAN is capable of working with external cache servers. When a user requests a page from a web server on the internet, FortiWAN will redirect the request to the cache server. If the requested web page is already on the cache server, it will return the page to the user, thus saving time on data retrieval. Cache servers are configured here. However, cache servers have to support caching in transparent mode. Note: Cache Server can be in DMZ.

FortiWAN provides log mechanisms on events refer to the Connection Limit service, see “Log”.

Cache Group

The first table configures cache server groups. Multiple groups can have different sets of rules which are then created on the second table. In addition, the number of cache servers is not limited to one. Therefore it is possible to have multiple cache servers with different weights in the cache server group.

Cache Redirect

Redirect Rule

Redirect rules can be established to match requests that will be redirected to the specific cache server group.

Cache Redirect

Example 1 The Requested Web Page is NOT on the Cache Server

When FortiWAN receives a request from a client, the request will be redirected to the cache server. The cache server will determine if the data requested already exists or not. If not, then the request will be performed on behalf of the client with the data returned from the web server to the client.

Internal DNS

Example 2 The Requested Web Page is on the Cache Server

When FortiWAN receives a request from a client, the request will be redirected to the cache server. In this case, the data requested already exists on the cache server. Therefore it will return the data requested to the client without passing the actual request to the internet.

Internal DNS

Internal DNS is the DNS server built in FortiWAN used to manage your domain for internal users. Internal DNS resolve domain name for DNS requests coming from LAN or DMZ subnets. FortiWAN’s Internal DNS is recursive DNS, which allows users to resolve other people’s domains. The DNS servers set in System > Network Setting > DNS Server will be asked by Internal DNS while it recursively resolve an unknown domain (See “Set DNS server to FortiWAN”). In case that all the set DNS servers are not available or the DNS server is not configured, Internal DNS will ask the root domain name server for resolving the domain. Allocate the Internal DNS to users in LAN and DMZ subnets by manually set the DNS server on their computers to the gateways, which are LAN ports or DMZ ports. It is unable to automatically allocate FortiWAN’s internal DNS to users by FortiWAN’s DHCP. An user in LAN or DMZ subnet need to manually configure the DNS server on its computer to the gateway it connects to for using FortiWAN’s Internal DNS. Activate DNS function by configuring fields below:

Global Settings: IPv4 / IPv6 PTR Record

Internal DNS

Domain Settings

NS Record

A/AAAA Record

Internal DNS

CName Record

SRV Record

MX Record

External Subdomain Record