Quantcast
Channel: Fortinet GURU
Viewing all 2380 articles
Browse latest View live

FortiWAN DNS Proxy

March 30, 2017, 4:06 am
$
0
0

DNS Proxy

Conceptually, FortiWAN’s DNS Proxy is a function to dynamically redirect outgoing DNS requests (UDP 53) to an appropriate DNS server according to FortiWAN’s WAN link loading. It is implemented by dynamically replacing the original destination IP address of outgoing DNS requests with another DNS server IP address. No matter what the DNS server that an internal host is configured with, for any outgoing DNS request passing through FortiWAN, DNS Proxy replaces the original destination IP address of the DNS requests with the DNS server IP address determined by a load balancing algorithm. Basically, FortiWAN’s DNS Proxy selects a WAN link with lighter traffic loading and replace original destination of the DNS query packet with another DNS server that is associated with the WAN link.

How the DNS Proxy works and its configurations

Once DNS Proxy is enabled, any DNS request (UDP 53) received on FortiWAN’s LAN and DMZports will be evaluated. DNS Proxy contains two phases; selecting a WAN link with lighter traffic loading (depends on the specified algorithm) and replacing the destination of DNS queries. Configuration of DNS Proxy contains three basic elements:

  • An algorithm used to select a WAN link l Participating WAN links
  • The DNS servers used to replace the original destination of packets

DNS Proxy determines the DNS server for replacement by selecting one of the participating WAN links.

DNS Proxy Setting Fields

Enable DNS Proxy Enable/disable DNS Proxy.
Algorithm Select an algorithm (See Load Balancing Algorithms) for selecting one of the participating WAN links:
l By Weight: select a WAN link from the participants in weighted round-robin.
l By Down Stream: always select the WAN link that has the lightest downstream traffic.
l By Up Stream: always select the WAN link that has the lightest upstream traffic.
l By Total Traffic: always select the WAN link that has the lightest total traffic.

The algorithm specified here determines a WAN link only for getting the associated DNS server to replace destination of the DNS packets. The selected WAN link is not for routing the packets. Auto Routing determines the WAN link to transfer the packets outward according to the policies.

 

WAN Select the participating WAN links by specifying the DNS servers and weight. From the drop-down menu, select a WAN link and configure the following fields Weight and Server 1 – 3. Then the WAN link becomes one of the participating WAN links for DNS Proxy selects according to the specified algorithm.

After DNS Proxy selects a WAN link for a DNS request according to the specified algorithm, the destination of the DSN packet will be replaced with the DNS server associated to the WAN link. You can associate maximum of three DNS server IP addresses to a WAN link. DNS Proxy detects availability of the specified DNS servers and chooses the first available server for every replacement. A replacement will not take place if no specified server is available.

IP addresses of DNS servers specified here can be internal or external IP addresses. DNS packets processed by DNS Proxy will be transferred toward the internal or external IP address according routing rule set in Network Setting (see Configuring your WAN and LAN Private Subnet) and Auto Routing (see Auto Routing).

No matter which algorithm is specified, if only one WAN link is configured here, DNS packets will be always processed with the DNS server associated with the WAN link. In other words, DNS Proxy redirects DNS requests to a fixed DNS server regardless of traffic loading on WAN links.
Weight Give a weight to the WAN link. This field is visible when By Weight is selected in Algorithm.
Server 1 Specify IP address of the first DNS server to the WAN link. This IP address will be used to replace the destination of a DNS packet if the associated WAN link is selected.

Getting this field configured is necessary to have a WAN link participated in DNS Proxy. A WAN link without configuring this field will not participate in DNS Proxy.
Server 2 Specify IP address of the second DNS server to the WAN link. This IP address will be used for the replacement if Server 1 is not available. This is optional.
Server 3 Specify IP address of the third DNS server on the WAN link. This IP address will be used for the replacement if Server 1 and Server 2 are not available. This is optional.
Source DNS request packets coming from the specified source will be matched. Enter a single IPv4 address, IPv4 range (in format xxx.xxx.xxx.xxx-xxx.xxx.xxx.xxx) or a IPv4 subnet (in format xxx.xxx.xxx.xxx/netmask).Keep it blank for matching any source.
Domain Name DNS requests for the specified domain name will be matched. A wildcard character is accepted for the left-most label of a domain name, e.g. *.fortinet.com or *fortinet.com.

Note that other formats such as www.*.com, www.fortinet.* or *.fortinet.* are not supported. Keep it blank for any domain name.

What DNS Proxy performs to DNS packets is only replace the destination of DNS packets; it does not involve routing for the packets. DNS Proxy select a WAN link only for the destination replacement, not for routing the packets. Auto Routing determines the route for the outgoing DNS packets (actually, Auto Routing is the only function routing for all outbound traffic, see Auto Routing). For example, although DNS Proxy selects WAN 1 for replacing destination of a DNS packet with IP of the DNS server associated with WAN 1, FortiWAN routing function might transfer it through other WAN links (WAN 2 or WAN 3) or a LAN port.

Scenario

Here is an example using algorithm By Weight to select the DNS server for the destination replacement in the weight WAN1:WAN2 = 2:1.

Algorithm  
By Weight  
  DNS Server
WAN               1               2
Weight               2               1
Server 1 211.136.28.237          202.106.0.20
Server 2               –                –
Server 3               –                –

According to the configuration, all the DNS requests received on FortiWAN’s LAN ports and DNS ports will be reworked as followings:

Packet Source Request A record

for

 Original destination Hit WAN

link

 Replaced destination
Packet 1 192.168.0.10 www.abc.com 8.8.8.8 WAN1 211.136.28.237
Packet 2 192.168.0.101 www.def.com 202.96.209.5 WAN1 211.136.28.237
Packet 3 192.168..0.66 www.ijk.com 202.96.209.133 WAN2 202.106.0.20
Packet 4 192.168.0.23 www.opq.com 211.136.150.66 WAN1 211.136.28.237
Packet 5 192.168.0.7 www.rst.com 223.5.5.5 WAN1 211.136.28.237
Packet 6 192.168.0.211 www.xyz.com 211.136.112.50 WAN2 202.106.0.20

DNS Proxy for peering issue

Actually, DNS Proxy is mainly used to resolve potential traffic congestion on single WAN link due to the usage of Optimum Route for resolving ISP peering issue (certainly, it can also be used for just redirecting DNS requests to another DNS server, which is unrelated to peering issue). As mentioned in Optimum Route Detection, Optimum Route does resolve the inefficient transmission resulted by bad peering between ISPs. No matter which detection mode is used for Optimum Route, traffic to a particular destination will be almost fixed by Optimum Route on particular WAN links (which the WAN links connect to the same ISP subnet that the particular destination is located in) if this ISP has bad peering with other ISPs (other WAN links). In real practice, most of service providers or internet content providers will not deploy their servers in only one ISP network if peering issue exists between ISPs. To provide service to users located in different ISP networks, they will logically deploy servers in several ISP networks, and maintain DNS servers (or appropriate settings on ISP’s DNS) for a common domain in each of the ISP networks. Each of the DNS servers will answer the IP address of corresponding application server that is located in the same ISP network together with the DNS server to any DNS query for the server name. In other words, asking different DNS servers (located in different ISP networks) for the same server name will be responded with different IP addresses, which belong to different ISP networks. Users in an ISP network can access the server located in the same ISP network without passing across others ISPs if they ask an appropriate DNS.

Even if FortiWAN connects to multiple ISP networks, the problem is that users behind FortiWAN are usually configured with a fixed DNS server (that is probably located in one of the connected ISP networks), which means they always ask the same DNS server for a server name and are responded with the same IP address of the server. A user will not know other IP addresses of the same server name in other ISP networks unless they change DNS configuration to others.

For example a FortiWAN transfers outbound traffic by Auto Routing with Optimum Route (see Auto Routing and Optimum Route). In the above diagram, the DNS 1 (10.10.10.100) in ISP-1 network answers 10.10.10.10 to query for server name www.abc.com, while the DNS 2 (20.20.20.100) in ISP-2 network answers 20.20.20.20 to the query for the same server name. In other words, traffic to www.abc.com will be routed to WAN 1 by Optimum Route if a client asks DNS 1 for www.abc.com, or traffic will be routed to WAN 2 by Optimum Route if the client asks DNS 2 for www.abc.com. However, the clients in LAN are configured with a static DNS address no matter manually or by DHCP. If all the clients in LAN are configured with DNS Server = 10.10.10.100, all the traffic to www.abc.com will fixedly be destined to 10.10.10.10 through WAN 1. This is what we mentioned traffic congestion on single WAN link resulted by usage of Optimum Route for resolving ISP peering issue.

For this reason, FortiWAN’s DNS Proxy is a mechanism used to detect a WAN link with lighter traffic loading and redirect a DNS query to the DNS server located in the ISP network connected by the WAN link. For example, if DNS Proxy detects WAN 2 has lighter traffic loading than WAN 1, DNS queries for www.abc.com will be redirected to DNS 2 (20.20.20.100) and the response for www.abc.com will be 20.20.20.20. With appropriate configuration on Optimum Route, traffic to www.abc.com can be routed to WAN 2. No matter what the original DNS server (destination IP) of the query is, DNS Proxy replace it with another DNS according to current WAN link loading. Therefore, accessing to the same service can to distributed into multiple WAN links with Auto Routing by Optimum Route for this case.

To use DNS Proxy with Optimum Route to improve the bad transmission efficiency resulted by bad peering between ISPs, here is the basic premise for using DNS Proxy:

  • FortiWAN connects to the bad-peering ISP networks through different WAN links.
  • Optimum Route Detection is appropriately configured, and corresponding Auto Routing policy and filters are created for routing traffic by the algorithm: By Optimum Route. Without these configurations, the basic peering issue does not get resolved, and DNS Proxy becomes meaningless for this.
  • Make sure that a service provider deploys different servers in the bad-peering ISP networks, and maintains DNS servers to answer corresponding IP address of the server that is located in the same ISP network with the DNS server. DNS Proxy will become helpless for this case if the service is only deployed in a ISP network.
  • List these particular DNS servers located in each of the ISP networks. A DNS server must be associated with a WAN link connected to the ISP network that the DNS server is located in.

Scenario

Base on the above example, make sure Optimum Route Detection and Auto Routing are configured before going on DNS Proxy. We assume that the Optimum Route Policy (see Optimum Route Detection) is configured as Static IP Table as followings:

  ISP-1 Network ISP-2 Network
Table Name ISP1 ISP2
Setting Upload the IP file of ISP 1. The IP subnet 10.10.10.0/24 is maintained in the file. Upload the IP file of ISP 2. The IP subnet 20.20.20.0/24 is maintained in the file.
Parameter Check WAN1 Check WAN2

You can also set the Optimum Route Policy as Dynamic Detect, Static & Dynamic or Dynamic & Static, see Optimum Route Detection for the details.

The Auto Routing policy and filter rule are correspondingly configured as followings (see Auto Routing for details):

Label Algorithm   Parameter  
OR_W1_W2 By Optimum Route   Check WAN1 and WAN2  
When Input Port Source Destination Service Routing Policy
All-Time Any Port Any Address WAN Any OR_W1_W2

The above settings provides the basic solution of bad peering between ISP 1 and ISP 2. In this example, servers of www.abc.com are deployed in both ISP 1 and ISP 2 networks, and the DNS server in each ISP network answers corresponding IP to requests for www.abc.com. To introduce DNS Proxy to the case to dynamically distribute sessions to www.abc.com through the two WAN links, it requires the following settings of DNS Proxy configured:

We use algorithm By Total Traffic to select the DNS server associated with the lightest-loaded WAN link for the destination replacement (you can try other algorithms).

Algorithm  
By Total Traffic  
  DNS Server
WAN             1                 2
Server 1 10.10.10.100          20.20.20.100
Server 2             –                  –
Server 3             –                  –
Proxy Domains  
www.abc.com  

The configurations guarantees that destinations of DNS packets querying for www.abc.com will be replaced with

DNS servers 10.10.10.100 or 20.20.20.100 in circular order according to weight 2:1. DNS packets processed by DNS Proxy will be transferred outward according the Auto Routing policies. In this case (bad peering exists between the two ISPs), it is better to let DNS packets destined to 10.10.10.100 be routed to WAN 1 and DNS packets destined to 20.20.20.100 be routed to WAN 2. Packets might be stuck by the bad peering if packets destined to 10.10.10.100 be routed to WAN 2. Here, with Optimum Route being used in the Auto Routing policy, DNS packets processed by DNS Proxy will be routed to appropriate WAN link to avoid the bad peering. Possible query loop

Since DNS Proxy forwards queries, you should be careful with the deployments to avoided possible query loop. Here are the two cases that DNS Proxy might cause query loops.

Case 1

If DNS Proxy is configured to forward DNS queries to a DNS server located in FortiWAN’s LAN or DMZ subnets, and this DNS server resolves queries by interacting with other DNS servers in the Internet through FortiWAN, a

 

SNMP

query loop will happen. DNS Proxy forwards the queries that the DNS server in LAN or DMZ sends to the DNS servers outside FortiWAN back to the DNS server in LAN or DMZ.

Case 2

FortiWAN’s Internal DNS (see Internal DNS) provides service on IP address 223.255.255.2 that FortiWAN uses it for internal operations. However, if the DNS server in Network Setting (System > Network Setting > DNS Server, see Set DNS server to FortiWAN) is configured, Internal DNS will forward queries to the configured DNS servers rather that resolving them itself. Now, if you configure System > Network Setting > DNS Server with DNS servers located in FortiWAN’s LAN or DMZ subnets, enable the Internal DNS, and configure Proxy DNS to forward queries to 223.255.255.2, a query loop will happen.

Community Enter the community which the SNMP belongs to.
System Name Enter a string to represent this system.

All the DNS queries are forwarded by DNS Proxy to 223.255.255.2 which is the Internal DNS, then these queries are forwarded again by Internal DNS to the DNS servers in LAN or DMZ which are configured in System > Network Setting > DNS Server. The DNS servers might resolve queries by interacting with other DNS servers in the Internet through FortiWAN. DNS Proxy forwards the queries that the DNS server in LAN or DMZ sends to the DNS servers outside FortiWAN back to Internal DNS on 223.255.255.2, and the queries are eventually forwarded back to the DNS servers in LAN or DMZ.

Search

FortiWAN SNMP

March 30, 2017, 12:06 pm
$
0
0

SNMP

SNMP (Simple Network Management Protocol) is often used in managing TCP/IP networks by providing system information and sending event notifications to a SNMP manager. A SNMP manager is typically a host running the SNMP manager application. The SNMP manager communicates with the SNMP agent running on a FortiWAN unit; sends out SNMP requests and receives incoming event notification (SNMP trap) from the SNMP agent. The agent responds FortiWAN’s system information for SNMP requests and sends SNMP traps to the SNMP manager.

To monitor your FortiWAN system via SNMP, you must:

  • Compile the FortiWAN MIB file to your SNMP manager.
  • Make sure at least one network interface is well-configured to send out SNMP traps and receive SNMP requests. The SNMP manager can communicate with a FortiWAN unit via the IP addresses configured on the localhost of a WAN port, DMZ port or LAN port (See “Network Settings”).
  • Make sure SNMP is acceptable to FortiWAN’s firewall (See “Firewall”). l Configure SNMP settings and Event Notification to FortiWAN unit.

SNMP agent configuration

To configure SNMP settings, go to Service > SNMP. Check the box Enable SNMP to enable SNMP agent on FortiWAN and select the SNMP version. FortiWAN supports SNMP v1, v2 and v3 protocols.

SNMP v1/2

SNMP

System Contact Enter a string to represent a person in charge of this system.
System Location Enter a string to represent the location of this system.

SNMP v3

Community Enter the community which the SNMP belongs to.
System Name Enter a string to represent this system.
System Contact Enter a string to represent a person in charge of this system.
System Location Enter a string to represent the location of this system.
Username Enter user name used for authentication.
Password Enter the password used for authentication.
Privacy Key Enter the privacy key code. Eg: 12345678,ABCDEFGHUI.etc.
AuthProtocol Select the authentication protocol used for transferring the authenticated password, either MD5 or SHA.
PrivProtocol Select the authentication protocol used for transferring the authenticated privacy key.
Authentication Select the authentication method for user and privacy key, either authentication with or without privacy.

SNMP trap for even notification

FortiWAN (SNMP agent) sends traps to a SNMP manager for notification when significant events occur. Enable the function by configuring the settings of Log Notification to FortiWAN (See “Notification”).

FortiWAN MIB

The FortiWAN MIB defines the structure of the management data maintained on FortiWAN. It contains the fields, information and traps that are specific to a FortiWAN units. The FortiWAN MIB file is available on the Fortinet Customer Service & Support website, https://support.fortinet.com/.

IP MAC Mapping

FortiWAN IP MAC Mapping

March 30, 2017, 8:06 pm
$
0
0

IP MAC Mapping

Users can specify the IP-MAC table by classifying periods like peak hours and idle hours. Once the IP-MAC table is set up, a packet from a certain IP address can pass through FortiWAN only when its MAC address matches the table list and time period.

FortiWAN provides log mechanism to the IP MAC Mapping service, see “Log”.

E : Enable/Disable
When : Select the time period: busy hour, idle hour and all time. All time is defined in 24-hour

system. For details, refer to [System] -> [Busyhour Settings] (See “Busyhour Settings”).
IP Address : Enter the IP address of the network interface card.
MAC Address : Enter the MAC address of the network interface card.
L : Check it to activate the rule and record results in log file. Otherwise, the rule is inactive and data will not be stored.

 

 

Statistics

March 31, 2017, 4:06 am
$
0
0

Statistics

This topic deals with FortiWAN network surveillance system. Comprehensive statistics are collected to monitor networking status, bandwidth usage of traffic class, and dynamic IP WAN link. These data offer deep insight into the network, and help detect unexpected network failures, boosting network reliability and efficiency.

Traffic

It sorts and displays real-time traffic of traffic class over WAN link. Select traffic direction (inbound/outbound) in Traffic Type to view statistics.

The table below shows 3 sorts of statistics:

  • Maximum/Minimum bandwidth allocation and priority
  • Traffic for the last 3 seconds
  • Traffic for the last minute

The statistics are analyzed based on individual WAN connection and traffic direction. To view statistics, select from Traffic Type (Inbound/Outbound), traffic direction and WAN Link number.

Traffic Type : Traffic flow direction: inbound and outbound.
WAN Link : The number of WAN links for inspection.
Automatic Refresh : Time interval to refresh statistical table.
Traffic Class : The name of the traffic class defined on Inbound/Outbound Bandwidth Management page. Among these, unclassified classes are labeled as “Default Class”.
Min. ~ Max.(Priority) : The maximum/minimum traffic volume allowed for a specific traffic class of different priority levels.
3-Second Statistics : Displays packet numbers or traffic flow volume in Kilobyte/sec for the last 3 seconds.
1-Minute Statistics : Displays packet numbers or traffic flow volume in Kilobyte/sec for the past 60 seconds.
Top 10 : Displays the data flow for the last five seconds with corresponding IP address. Statistics can be ranked by By Source and By Destination.

Bandwidth

Unlike traffic statistics in previous section that focuses on real-time monitor of network status, statistics in BM

(Bandwidth Management) is intended for long-term analysis. For particular traffic class in a given traffic direction, Persistent Routing administrators can view bandwidth usage in bar graph during the past 60 minutes, 30 hours, 50 days, and 20 months.

Traffic Type : Traffic flow direction: inbound or outbound traffic.
Traffic Class : The name of the traffic class defined on the Inbound/Outbound Bandwidth Management page or the sum of all traffic classes.
WAN Link : The number of WAN links users to inspect.
Refresh : Click to refresh statistical charts.

Persistent Routing

It shows details with respect to persistent routing status. With persistent routing, administrators can view connections and manually reset these connections as well.

Clear All: Clear all the connections via persistent routing.

Automatic Refresh: Time interval to refresh persistent routing data.

IPv4/IPv6 IP Pair

                     IP Pair Entry    : Shows connection entries that match IP Pair Rules.
                          Source IP    : Source IP of the current persistent routing connection.
                 Destination IP    : Destination IP of the current persistent routing connection.
                                  Count    : Number of connections that the current persistent routing rule applies to.
                             Timeout    : Length of time to lapse before the current connection times out.
                                    WAN    :

IPv4/IPv6 Web Service

 The WAN link through which the current persistent routing connection travels.
         Web Service Entry    : Shows connection entries that match Web Service Rules.
                          Source IP    : Source IP of the current persistent routing connection.
                                  Count    : Number of connections that the current persistent routing rule applies to.
                             Timeout    : Length of time to lapse before the current connection times out.
                                    WAN    : The WAN link through which the current persistent routing connection travels.

Note that IP Pair and Web Service show at most 50 entries respectively.

 

WAN Link Health Detection

March 31, 2017, 12:06 pm
$
0
0

WAN Link Health Detection

It shows WAN link health detection results regarding the reliability of a specific WAN connection. The data are derived based on ping results from destination IP list configurations in System > WAN Link Health Detection (See “WAN Link Health Detection”). It enables to observe the number of sent requests, number of received responses, and the success ratio for a given destination. These statistics assist administrators in further analyzing network status and user behavior.

WAN Link : The WAN link to be monitored.
Automatic Refresh : Time interval for refreshing tables.
Destination IP : The destination IP address to which ping requests will be sent.
Number of Requests : The number of requests sent to the Destination IP so far. A request indicates a ping packet if Detection Protocol is ICMP, or a TCP connection request if Detection Protocol is TCP.
Number of Replies : The number of responses received so far from the Destination IP. A reply indicates a ICMP echo reply or a time_exceed if Detection Protocol is ICMP, or a system acknowledge indicating TCP connection is established if Detection Protocol is TCP.

Both indicate the success of a single WAN link detection.
Success Ratio (%) : The percentage of responses divided by requests. The higher the percentage, the greater the reliability.

FortiWAN Dynamic IP WAN Link

March 31, 2017, 8:06 pm
$
0
0

Dynamic IP WAN Link

It shows dynamic IP WAN link details like its IP address obtained via PPPoE or DHCP. It also enables to create new IP addresses by re-establishing connections to the WAN.

Re-Connect All : Reconnect all WAN links via PPPoE or DHCP.
Automatic Refresh : Time interval to refresh table results.
WAN : WAN connected by either PPPoE or DHCP.
IP Address : IP allocated to current WAN link.
Gateway : Gateway’s IP address for current WAN link.
Netmask : Sub network mask.
DNS : Dynamic DNS Server IP.
Connected Time : Duration of WAN connectivity.
Reconnect : Reconnect a WAN link via PPPoE or DHCP.

 

FortiWAN DHCP Lease Information

April 1, 2017, 4:06 am
$
0
0

DHCP Lease Information

It shows data DHCP lease assigns, i.e. lease IP and MAC address, client-hostname, and expiration time. Once option of DHCP server is selected, a list regarding all existing DHCP servers in the network will display. Option Automatic Refresh sets the time interval to regularly update DHCP servers.

DHCP Server : Displays the DHCP server and IP range to be assigned.
Automatic Refresh : The time interval after which the table of DHCP leases information is updated.
Lease IP : WAN connected by either PPPoE or DHCP.
IP Address : Shows the IPv4 address assigned to the client’s machine.
MAC Address : Shows the MAC address of the client’s machine.
Client-Hostname : Shows the name of the client machine.
Expiration Time : Shows the time period when the IP address is valid.
DHCPv6 Server : Displays DHCPv6 server and range of IPv6 addresses which can be assigned.
Lease IP : Shows the IPv6 address assigned to client’s machine.
Client ID : Shows the ID assigned to the lease IPv6 address.
Expire Time : Shows the time period during which the IPv6 address is valid.

FortiWAN RIP & OSPF Status

April 1, 2017, 12:06 pm
$
0
0

RIP & OSPF Status

It shows RIP status based on RIP and OSPF settings in [System] -> [Network Settings] -> [LAN Private Subnet].

Data on this page are used to inspect private subnet’s Network IP, Netmask, and gateway list.

Type : Select from the list to view RIP or OSPF routing.
Automatic Refresh : Select auto-refresh interval, or disable the function.
Network IP : Shows the Network IP of the private subnet.
Netmask : Shows the Netmask of the private subnet.
Gateway : Shows the Gateway of the private subnet.

 

Search

Connection Limit

April 1, 2017, 8:06 pm
$
0
0

Connection Limit

It enables administrators to inspect the number of established connections in real-time and to justify the maximum number of connections allowed on [Service] -> [Connection Limit] page, to avoid network congestion.

Automatic Refresh : Select auto-refresh interval, or disable the function.
No. : Numbering of IP addresses based on the number of connections established.
IP : Shows the source IP of the connection.
Connections : Shows the number of connections that are established by the source IP address and still active in system. An connection in system might be a connection with traffic flow existing or a idle connection. This number varies from connections closing to newly opened connections.
Clear : System maintains necessary tables and information for connections. Clicking the button to abort the connections established by the source IP address, and release the occupied memory then. When system is under attacks with high volumes of malicious connections, FortiWAN’s Connection Limit (See “Connection Limit”) stops subsequent connections established by the malicious IP addresses, but it takes time to recover system from the bandwidth and memory occupied by those malicious connections that are already in system. The Clear button terminates them immediately.

FortiWAN Virtual Server Status

April 2, 2017, 4:06 am
$
0
0

Virtual Server Status

It displays status and statistics regarding virtual server defined in Service/Virtual Server.

Automatic Refresh : Enable it and choose time interval for refreshing.
Virtual Server Status : Green = OK; Red= Failed.
WAN IP : Displays WAN IPs defined in the rules on Service/Virtual Server page.
Service : Displays services defined in the rules on Service/Virtual Server page. These services are those available for virtual servers.
Server IP : Displays server IPs defined in the rules on Service/Virtual Server page. The server IPs denote those in real network usage.
Detect : Displays detection method, TCP or ICMP.
Status : Displays detection result.

 

FortiWAN FQDN

April 2, 2017, 12:06 pm
$
0
0

FQDN

The IPv4 and IPv6 addresses of the FQDNs that connected via FortiWAN are shown in this page.

IPv4 FQDN

FQDN : The FQDN connected via FortiWAN.
IPv4 Address

IPv6 FQDN

 : IPv4 addresses of the FQDN connected via FortiWAN. It maintains 20 addresses at most.
FQDN : The FQDN connected via FortiWAN.
IPv6 Address : IPv6 addresses of the FQDN connected via FortiWAN. It maintains 20 addresses at most.

FortiWAN Tunnel Status

April 2, 2017, 8:06 pm
$
0
0

Tunnel Status

Tunnel Status displays the connectivity of every single GRE tunnel of each tunnel group defined in Service >

Tunnel Routing (see Tunnel Routing) and statistics of the corresponding data transmission

Tunnel Group The drop-down menu lists all the tunnel groups defined in Service > Tunnel Routing. Select the tunnel group for monitoring it. The statistics of the specified tunnel group will be displayed in the Tunnel Health Status table below.
Automatic Refresh Enable automatic refresh by selecting the time interval (Every 3, 6, 9, 15, … Seconds) for refreshing the statistics, or disable it by selecting Disabled. The statistics here will be automatically refreshed periodically if it is enabled.

Tunnel Health Status

This table displays the connectivity and statistics of specified tunnel group in the following four fields.

Tunnel The GRE tunnel defined in the specified tunnel group, represented by the pair of its local and remote IP addresses.
3-Second Statistics Statistics of data transmission through this tunnel in the past 3 seconds, represented by RX Packets, RX Kbps, TX Packets and TX Kbps.
1-Minute Statistics Statistics of data transmission through this tunnel in the past 1 minute, represented by RX Packets, RX Kbps, TX Packets and TX Kbps.

Tunnel Traffic

Status Indicating the connectivity of the tunnel with color schemes:

Green indicates the tunnel is available (OK).

Red indicates the tunnel is unavailable (failed).

Moreover, round trip time (RTT) between the two endpoints of the tunnel is provided here for reference. The RTT will become blank if the tunnel is failed. You can also get the RTT of the tunnel by running Tunnel Routing’s benchmark (see Tunnel Routing – Benchmark).

Default Rule Subnets

This table lists the subnets (in the local and remote sites) that the default rules of the specified tunnel group consist of. See How to set up routing rules for Tunnel Routing for the details of default rule of a tunnel group.

Local Subnets The local subnets (subnets in the local site) of the default routing rules of the specified tunnel group. It will be blank if there is no default rule enabled.
Opposite Subnets The opposite subnets (subnets in the remote site) of the default routing rules of the specified tunnel group. It will be blank if there is no default rule enabled.

The default rule subnets listed here and corresponding page on remote Web UI are supposed to be equal for a tunnel group, just the position is switched. Local subnets here are the opposite subnets for the remote site, and the opposite subnets here are the local subnets for the remote site.

FortiWAN Tunnel Traffic

April 3, 2017, 4:06 am
$
0
0

Tunnel Traffic

It collects inbound/outbound traffic statistics regarding tunnel routing in the past 60 minutes, 24 hours, and 30 days. Statistics are displayed on chart.

Traffic Type : Traffic flow direction.
Time : Collect statistics in the past 60 minutes, 24 hours, and 30 days.
Tunnel Routing Group : Select a group from the list. Depending on N tunnels the group gets, N statistical charts will show.

FortiWAN IPSec

April 3, 2017, 12:06 pm
$
0
0

IPSec

IPSec Statistics reports the usages and states of your configured IPSec Security Associations (See “IPSec”). Go to Statistics > IPSec, a select bar and two statistics tables are displayed.

Selector

Select the combination of Mode and Phase 1 here, and then the statistics of related IPSec SAs are reported.

IPSec

Mode Select the mode, Tunnel mode or Transport mode, of the security associations that you ask for.
Phase 1 Name All the configured Phase 1 names of the mode you selected above are list in the drop-down menu. Select a Phase 1 name (ISAKMP SA) to display the statistics of the associated IPSec SAs (Phase 2).
Refresh Click to refresh the statistics page.

Statistics of the IPSec SAs associated to the ISAKMP SA you selected is displayed in two tables, Security Association Database and Security Policy Database.

Security Association Database

List information of each IPSec SA including local and remote IP addresses, negotiated encryption and authentication algorithms, timing and the states.

Local IP The local IP address of the IPSec SA.
Remote IP The remote IP address of the IPSec SA.
Encryption The encryption algorithm that the IPSec SA employs.
Authentication The authentication algorithm that the IPSec SA employs.
Used time (s) The past time since the IPSec SA is established.
Life time (s) The time interval (in seconds) that the secret key of the IPSec SA is valid during. For the expiration of a key, IKE Phase 2 is performed automatically to establish a new IPSec SA (a new key is negotiated). The value here is equal to value of Keylife of the correspondent Phase 2 configuration.
Change time (s) The time point that system starts to establish a new IPSec SA for replacing the current IPSec SA which is going to expire. New IPSec SA will be prepared in advance so that it takes over the expired IPSec SA in time. This value is related to Life time and determined by system.
Status States of the IPSec SA:
l larval: an IKE Phase 2 is in progress to establish an IPSec SA
l mature: the IPSec SA is established and still within validity
l dying: the IPSec SA is about to expire, and another IKE Phase 2 is in progress for taking over
l dead: the connectivity between two endpoints communicating through the IPSec SA is down; the peer is unavailable.

Traffic Statistics for Tunnel Routing and IPSec

Security Policy Database

List information of Quick Mode selector of each IPSec SA and the related time stamps.

Name The unique name of the IPSec SA (the name configured to the Phase 2)
Source[port] For IPSec in Tunnel mode, this is the Source and Source Port of the Quick Mode selector of the IPSec SA (the Source and Port configured to the Phase 2).

For IPSec in Transport mode, this is the source IP address of the

Tunnel Routing packets (GRE encapsulated), which is equal to the Local IP of the IPSec SA (the Local IP configured to the Phase 1).

Port information will not be list for this case.
Destination[port] For IPSec in Tunnel mode, this is the Destination and Destination Port of the Quick Mode selector of the IPSec SA (the Destination and Port configured to the Phase 2).

For IPSec in Transport mode, this is the destination IP address of the Tunnel Routing packets (GRE encapsulated), which is equal to the Remote IP of the IPSec SA (the Remote IP configured to the Phase 1). Port information will not be list for this case.
Protocol For IPSec in Tunnel mode, this is the Protocol of the Quick Mode selector of the IPSec SA (the Protocol configured to the Phase 2).

For IPSec in Transport mode, this is always “gre”.
Created time The time that the IPSec SA is established.
Last used time The time that the IPSec SA is applied last to a data packet.

For the details of parameters of IPSec, see “IPSec VPN in the Web UI”.

FortiWAN Traffic Statistics for Tunnel Routing and IPSec

April 3, 2017, 8:06 pm
$
0
0

Traffic Statistics for Tunnel Routing and IPSec

Compare with general IP transmission, traffic transferred through FortiWAN’s Tunnel Routing or IPSec is charged extra on GRE/ESP encapsulation and decapsulation (See “Tunnel Routing” and “IPSec VPN”). In order to individually allocate bandwidth to applications encapsulated in GRE and ESP packets, Tunnel Routing and IPSEC are designed to be transparent to Bandwidth Management (See “Bandwidth Management”). Bandwidth Management shapes the traffic before packet encapsulation or after packet decapsulation. FortiWAN’s traffic statistics is associated with the operation of Bandwidth Management, which implies traffic of Tunnel Routing and IPSec is partially transparent to the statistics function. FortiWAN gives the traffic statistics in three ways: BM log, statistics on Web UI and FortiWAN Reports. Traffic statistics for Tunnel Routing and IPSec in the three ways are discussed as follows.

Traffic Statistics for Tunnel Routing and IPSec

BM logs

A BM log is actually a traffic statistics (inbound-pkts, inbound-bytes, outbound-pkts, outbound-bytes, total-pkts and total-bytes) in a time period for a traffic (source IP, destination IP, source port and destination port) that matches the Bandwidth Management filter (See Log format in “Log View”). Bandwidth Management treats the traffic equally no matter whether it is later transferred through Tunnel Routing and IPSec. The BM log tells nothing directly (through the source port and destination port fields) that a transmission is actually done by Tunnel Routing, IPSec or normal IP routing. You might be aware of a Tunnel Routing and IPSec transmission through the source IP and destination IP in the logs, if you those IP addresses are already predefined just for the Tunnel Routing and IPSec transmission. The only situation that you see the GRE or ESP indicated by source port and destination fields in a BM log is when the traffic comes from other VPN devices.

Statistics on Web UI

Pages Statistics > Traffic and Statistics > BM(See “Statistics > Traffic” and “Statistics > BM”) the traffic statistics by WAN links and defined Bandwidth Management classes, which tells nothing directly about Tunnel Routing and IPSec traffic. The way to identify the traffic that is transferred through Tunnel Routing or IPSec is to create a BM class and BM filter to classify the traffic by the source IP and destination IP that are defined in Tunnel Routing’s routing rules or IPSec’s Quick Mode selectors.

Page Statistics > Tunnel Traffic (See “Statistics > Tunnel Traffic”) is the only page reports the traffic statistics about Tunnel Routing. Although traffic statistics is reported by the defined Tunnel Routing groups, statistics of the individual application in the tunnel traffic is unavailable here.

Page Statistics > IPSec (See “Statistics > IPSec”) tells nothing about traffic statistics of IPSec, only IPSec connectivity states are reported here.

FortiWAN Reports

Different from BM logs, service of traffic that is transferred through Tunnel Routing is indicated as GRE in Reports (See “Reports > Bandwidth Usage > Services”). Individual service type of the original packets encapsulated by Tunnel Routing becomes invisible in Reports. The GRE traffic passing through FortiWAN from other VPN devices and the GRE traffic generated by FortiWAN Tunnel Routing will be counted into service GRE in page Reports > Bandwidth Usage > Services, which might be confusing. Drilling it down by Internal IP, Inclass or Outclass could figure it out. As for traffic transferred through IPSec, Reports counts the traffic by individual application (the original packets before/after be ESP encapsulated/decapsulated) rather than counting it into service ESP. FortiWAN IPSec is transparent to Reports statistics.

Here are a summary of discussion above.

Traffic transferred through IPSec Tunnel mode

  Original traffic ESP encapsulated

traffic
BM Control O X
BM log O X
Reports O X

Traffic transferred through Tunnel Routing or IPSec Transport mode

Traffic Statistics for Tunnel Routing and IPSec

  Original traffic GRE encapsulated

traffic

 ESP encapsulated

traffic
BM Control O X X
BM log O X X
Reports X O X

We have a simple example to explain the difference between the statistics ways. Consider that user A generates

60MB FTP traffic and 80MB HTTP traffic and transfer them through normal IP routing, user B generates 40MB FTP traffic and 20MB HTTP traffic and transfer them through Tunnel Routing (through one tunnel group). All the traffic is controlled by Bandwidth Management, thus there will be four BM logs indicating:

  • user A (source IP) generates FTP traffic (source or destination port) in 60MB l user B (source IP) generates FTP traffic (source or destination port) in 40MB l user A (source IP) generates HTTP traffic (source or destination port) in 80MB l user B (source IP) generates HTTP traffic (source or destination port) in 20MB

From the BM logs, we have no idea which one is transferred through Tunnel Routing. The thing we know from the logs is 100MB FTP traffic and 100MB HTTP traffic passed through FortiWAN, and they are 200MB in total.

In page Statistics > Tunnel Traffic, we see 60MB tunnel traffic (parts of the 200MB) belongs to the tunnel group. However, it tells nothing about the statistics for the individual services (FTP and HTTP) in the tunnel traffic.

As for Reports > Service, statistics by service is displayed as follows: l FTP = 60MB l HTTP = 80MB l GRE = 60MB

  • Total = 200MB

All the tunnel traffic (FTP and HTTP generated by user B) is classified into GRE, and we have no idea about what the original services are in it. What we can do is drilling it down by Internal IP to identify the generator user B, or drilling it down by Inclass and Outclass to identify the individual service if the corresponding BM classes are welldefined.

Considering the IPSec transmission with the same example, user B generates the same traffic but transfer them through IPSec. We will have BM logs the same as what we discussed above, and have no idea which service is transferred through IPSec. In page Report > Service, the traffic is counted as follows: l FTP = 100MB l HTTP = 100MB l Total = 200MB

Drilling it down by Internal IP can identify the generators user A and user B, but it tells nothing about service ESP.

 

Search

FortiWAN – Log

April 5, 2017, 4:06 am
$
0
0

Log

This topic deals with how to configure logging and how to forward logs. Log records keep FortiWAN data and are capable of storing a wide variety of data concerning System, Firewall, Routing, and bandwidth management, etc. Log files can be forwarded to other servers for archiving or for notifying events via emails (see “Log Control” and “Log Notification”).

Additionally, FortiWAN offers a powerful reporting and analysis tool: Reports. The web-based analysis software that is embedded in FortiWAN or running on an independent machine enables administrators to gain insights into network traffic without manually filtering through large volumes of log data (See “Enable Reports”).

FortiWAN LOG View

April 5, 2017, 12:07 pm
$
0
0

View

View has a sub-menu of 13 log types (see the table below). Choose the desired log type, and its corresponding events will show in display window. Click the Refresh button to get the latest log records. Please be aware that this page is only for online viewing of current events. For log data pushing and archiving, see the Control in next section.

Log Type : Choose log type to view its events in display window. The log types are:
l System Log
    l Firewall Log
    l NAT Log
    l Auto & Persistent Routing Log
    l Virtual Server Log
    l BM Log
    l Connection Limit Log
    l Cache Redirect Log
    l Multihoming Log
    l Backup Line Log
    l Dynamic IP Log
    l IP-MAC Mapping Log
    l Tunnel Routing Log
    l IPSec Log
Recent Event : Log events listed in time order.
Refresh : Refresh to get the latest log events.
Clear : Clean up log records.

FortiWAN Log format

April 5, 2017, 8:06 pm
$
0
0

Log format

A log listed here consists of three parts:

{TIMESTAMP} {LOG_TYPE} {LOG_CONTENT}

The {TIMESTAMP} is in the format ‘yyyy-mm-dd HH:MM:SS’ and is always an UTC time. The details of {LOG_ TYPE} and {LOG_CONTENT} are described as follows.

Notation Conventions

{ADDRPORT} follows TCPDUMP format, for example:

  • IPv4: 8.8.8.80 l IPv6: 2001::8:8:8:8.80 {IP-5-TUPLE}
  • ICMP:PROTO=1 SRC=<ip> DST=<ip> ID=<icmpid> TYPE=<icmptype> CODE=<icmpcode> (BM log dones’t have TYPE and CODE fields, because they are bypacket)
  • TCP:PROTO=6 SRC=<{ADDRPORT}> DST=<{ADDRPORT}> l UDP:PROTO=17 SRC=<{ADDRPORT}> DST=<{ADDRPORT}> l ICMPv6:PROTO=58 SRC=<ip> DST=<ip> TYPE=<icmpv6type> CODE=<icmpv6code> l Others:PROTO=<protocol num> SRC=<ip> DST=<ip>

Firewall

FW {IP‐5‐TUPLE} ACTION=[ACCEPT|DENY] TOTLEN=<pktlen>
The first packet of session {IP‐5‐TUPLE} matching a Firewall rule triggers the log. System generates only one log for this session. This log indicates all the packets of the session {IP‐5‐TUPLE} are accepted or denied by Firewall, and the first packet size is <pktlen>. In reality, the event ACCEPT will not be logged by system.

See “Firewall” for further information.

NAT

NAT {IP‐5‐TUPLE} NEW_SRC={ADDR}
The first packet of session {IP‐5‐TUPLE} matching a NAT rule triggers the log. System generates only one log for this session. This log indicates source addresses of the packets of {IP‐5‐TUPLE} are translated to the new address {ADDR} by NAT.

See “NAT” for further information.

Auto & Persistent Routing

AR {IP‐5‐TUPLE} AR=[<widx>|NONE] TOTLEN=<pktlen>

The first packet of session {IP‐5‐TUPLE} matching a Auto Routing rule triggers the log. System generates only one log for this session. This log indicates packets of the session {IP‐5‐TUPLE} are transferred outward through WAN link <widx>, or all the WAN links defined in the routing and fail-over policies fail to transfer the packets (AR=NONE). The first packet size of the session is <pktlen>. See “Auto Routing” for further information.
PR {IP‐5‐TUPLE} PR=[<widx>|WAIT_AR|NONE] TOTLEN=<pktlen>
The first packet of session {IP‐5‐TUPLE} matching a Persistent Routing rule triggers the log. System generates only one log for this session. This log indicates packets of the session {IP‐5‐TUPLE} are transferred outward through WAN link <widx> (the persistence entry of the session is not expired), or Auto Routing determines the WAN link for the session (PR=WAIT_AR, the persistence entry of the session is expired or absent), or the action to this session is No PR (PR=NONE). The first packet size of the session is <pktlen>. See “Persistent Routing” for further information.

If a PR log that PR=WAIT_AR, the PR log and a correspondent AR log are generated in pairs.

Virtual Server

VS {IP‐5‐TUPLE} NEW_DST={ADDR} TOTLEN=<pktlen>
The first packet of session {IP‐5‐TUPLE} matching a Virtual Server rule triggers the log. System generates only one log for this session. This log indicates destination addresses of the packets of {IP‐5‐TUPLE} are translated to the new address {ADDR} by Virtual Server. The first packet size of the session is <pktlen>.

See “Virtual Server” for further information.

BM

BM {IP‐5‐TUPLE} INPKTS=<%lu> INBYTES=<%lu> OUTPKTS=<%lu> OUTBYTES=<%lu> TOTALPKTS=<%lu> TOTALBYTES=<%lu> DURATION=<%lu>SECS
Session {IP‐5‐TUPLE} matching a Bandwidth Management filter triggers the log when it is closed. System generates only one log for this session. This log indicates the traffic statistics (INPKTS, INBYTES, OUTPKTS, OUTBYTES, TOTALPKTS, TOTALBYTES and DURATION) of the session {IP‐5‐TUPLE}.

See “Bandwidth Management” for further information.

Connection Limit

Count Limit

CL SRC=<ip> DROP=<pkt_number>
This log is triggered every time-period if the number of connections generated by a source SRC=<ip> exceeds the limitation defined in Connection Limit > Count Limit. This log indicates connections generated by SRC=<ip> and passing through FortiWAN are more that the limitation, and there are <pkt_number> packets are dropped for the reason.

Rate Limit

RL RULE=<ridx> DROP=<pkt_number>
This log is triggered every time-period if a rule <ridx> of Connection Limit > Rate Limit is matched. This log indicates connections defined in the Rate Limit rule <ridx> are generated in a rate higher than the limitation, and there are <pkt_number> packets are dropped for the reason.

See “Connection Limit” for further information.

Cache Redirect
CR {IP‐5‐TUPLE} NEW_DST={ADDR‐PORT}
The first packet of session {IP‐5‐TUPLE} matching a Cache Redirect rule triggers the log. System generates only one log for this session. This log indicates destination addresses and ports of the packets of {IP‐5‐TUPLE} are translated to {ADDR} by Virtual Server. The first packet size of the session is <pktlen>.

See “Cache Redirect” for further information.

Multihoming
MH FROM=<ip> TYPE=<A|AAAA> WLINK=<widx> REPLY=<ip>
An DNS response (queried for A or AAAA records) by Multihoming triggers the log. System generates the log only for DNS queries for A and AAAA records. This log indicates a DNS query whose type is TYPE=<A|AAAA> and comes from FROM=<ip> is responded by Multihoming with REPLY=<ip>, which is the IP address of WAN link <widx>.

System generates two logs for A and AAAA records if the DNS query type is ANY.

See “Multihoming” for further information.

Dynamic IP

DHCP

DHCP WLINK=<widx> ACTION=<init|renew|rebind|expired|failed|release|stop|bind> [IP=<ip>]
System triggers the log when a DHCP WAN link <widx> is acted for ACTION. ACTION=bind and IP=<ip> must be generated in pairs for a log.

PPPoE

PPPOE WLINK=<widx> ACTION=<start|terminated|bind> [IP=<ip>]

System triggers the log when a PPPoE WAN link <widx> is acted for ACTION. ACTION=bind and IP=<ip> must be generated in pairs for a log. Three more logs are introduced when a PPPoE WAN link goes to failure:

l PPPOE config‐requests timeout l PPPOE connection no response l PPPOE authentication failed
IP-MAC Mapping
MAC {IP‐5‐TUPLE} BAD_SRC_MAC=<MAC>
The first packet of session {IP‐5‐TUPLE} blocked by IP-MAC Mapping triggers the log. System generates only one log for this session. This log indicates source MAC addresses <MAC> of the packets of {IP‐5‐TUPLE} and the MAC address defined in IP-MAC table are mismatched, and so that the packets are blocked.
MAC {IP‐5‐TUPLE} BAD_DST_MAC=<MAC>
The first packet of session {IP‐5‐TUPLE} blocked by IP-MAC Mapping triggers the log. System generates only one log for this session. This log indicates destination MAC addresses <MAC> of the packets of {IP‐5‐TUPLE} and the MAC address defined in IP-MAC table are mismatched, and so that the packets are blocked.

See “IP-MAC Mapping” for further information.

Tunnel Routing
TR {IP‐5‐TUPLE} GROUP=<group name> TOTLEN=<pktlen>
The first packet of session {IP‐5‐TUPLE} being transferred by Tunnel Routing triggers the log. System generates only one log for this session. This log indicates packets of {IP‐5‐TUPLE} are transferred through the Tunnel Group <group name>, and the first packet size of the session is <pktlen>.
TUN FROM=<ip> TO=<ip> ACTION=<start|stop|fail|recover>
This log is triggered when a single GRE tunnel FROM=<ip> TO=<ip> is acted for actions ACTION.

See “Tunnel Routing” for further information.

IPSec
ISAKMP-SA <established|expired|deleted> <LOCAL_IP_PORT>-<REMOTE_IP_PORT>
An ISAKMP SA between <LOCAL_IP_PORT> and <REMOTE_IP_PORT> is established, expired or deleted.
IPsec-SA <established|expired>: ESP/<Transport|Tunnel> <LOCAL_IP_PORT>-><REMOTE_ IP_PORT>

 

A Transport mode or Tunnel mode IPSec SA between <LOCAL_IP_PORT> and <REMOTE_IP_PORT> is established or expired.
<initiate|respond> new phase <1|2> negotiation: <LOCAL_IP_PORT><=><REMOTE_IP_ PORT>
After an ISAKMP SA or IPSec SA is expired, new IKE phase 1 or 2 negotiation between <LOCAL_IP_PORT> and <REMOTE_IP_PORT> is initiated or responded.
NOTIFY: the packet is retransmitted by <IP_PORT>
Packets of IKE negotiation are retransmitted due to the failure in authentication (pre-shared keys of the two entities might not be correspondent with each other).
<IP> INFO: request for establishing IPsec-SA was queued due to no phase1 found.
Request for establishing IPSec SA from <IP> was queued due to the failure in phase 1 negotiation (Phase 1 proposals of the two entities might not be correspondent with each other).
<IP> INFO: received INITIAL-CONTACT
<IP> received the request for negotiation from the peer.
ERROR: phase1 negotiation failed due to time up.
A queued or retransmitted phase 1 negotiation is declared to failure because the time is up.
<IP> ERROR: notification NO-PROPOSAL-CHOSEN received in informational exchange.
<IP> does not receive any proposal in the phase 2 negotiation messages (Phase 2 proposals of the two entities might not be correspondent with each other).

See “IPSec VPN” for further information.

System Admin session

  • <account> logged in from <ip> l <account> logged out from <ip> Account change
  • Administrator account <account> removed l Monitor account <account> removed
  • Administrator account <account> password successfully changed l Administrator account <account> successfully added

Monitor account <account> password successfully changed

Monitor account <account> successfully added

Access deny

  • Incorrect <account> password from <ip> l Maximum # of Administrator/<account> login reached l Maximum # of Monitor/<account> login reached UI command
  • There is no slave l Configuration synchronization finished successfully l Configuration synchronization failed l Peer information is not available l ARP caches are updated l Neighbor Discovery caches are updated l System time synchronized l No NTP servers in system settings l License key <key> is applied successfully, system rebooting…
  • License key <key> is applied successfully l Test email is sent to <receiver> l Failed to send test email to <receiver>

UI setting

  • Settings are applied for page System -> <page name> l Settings are applied for page Service -> <page name> l Settings are applied for page Log -> <page name> l Unable to add account. The maximum number of Administrator accounts have been reached. l Unable to add account. The maximum number of Monitor accounts have been reached.
  • Settings are applied for RADIUS Authentication l Error starting notification daemon l Error in starting daemon for page Service -> Internal DNS l Error in starting daemon for page Service -> Multihoming Info access error l Cannot save log/event settings Update l System firmware updated

Config

System configuration restored

Multihoming daemon file write error

Shutdown

  • System reset to factory default settings l System reboot Instant push
  • Pushing <logtype> is initiated l Failed to push <logtype>

Service error l Restarting Internal DNS Error Connection overflow l Current Connection Number(<connections>) reach <limit> Rate overflow l Current Rate Number(<connection rate>) reach <limit> Undefined code l Undefined event code <event code> VRRP

  • VRRP become master l VRRP become backup l VRRP double-check failed HA
  • Peer version changed from “<Model>” to “<Model>” l Peer serial number changed from “<Serial Number>” to “<Serial Number>” l Peer state changed from “<State>” to “<State>” l Responded to Slave’s Time Synchronization Request l Responded to Slave’s Configuration Synchronization Request l Stopped configuration synchronization due to errors l Finished configuration synchronization with the Slave l Won precedence over the booting peer. Enter the Master state. l Preceded by the booting peer. Enter the Slave state. l Master heartbeat detected. Enter the Slave state.
  • Slave heartbeat detected. Enter the Master state. Panic heartbeat detected. Enter the Master state.

No heartbeat detected. Enter the Master state.

 

Log Control

  • Won precedence over the incompatible peer. Enter the Master state.
  • Preceded by the incompatible peer. Enter the Panic state.
  • Peer heartbeat stopped. Enter the Master state to take over services. l Preceded by another Master. Reboot to enter the Slave state.
  • Too Much port down. Reboot to enter the Slave state. l Preceded by the incompatible peer. Enter the Panic state. l Peer heartbeat stopped. Enter the Master state to take over services. l Two Slaves linked at the same time. Restart HA after random delay. l Master is gone. Enter the Master state to take over services.
  • Peer heartbeat stopped l Time synchronization failed. l Configuration synchronization failed.

FortiWAN Log Control

April 6, 2017, 4:06 am
$
0
0

Log Control

Control sets to forward data from FortiWAN to servers via FTP, E-mail and Syslog (protocol) for archiving and analysis. Configure log push method one log type by another, or use “Copy Settings to All Other Log Types”. It copies and applies settings of one log type to others avoiding unnecessary duplicating of settings.

Log Type : Select log type to be forwarded to servers.

l  System Log l Firewall Log l NAT Log

l  Auto & Persistent Routing Log l Virtual Server Log l BM Log (Bandwidth Management) l Connection Limit Log l Cache Redirect Log l Multihoming Log l Backup Line Log l Dynamic IP Log l IP-MAC Mapping Log l Tunnel Routing Log l IPSec
Copy Settings to All Other Log Types : Copy and apply settings of a log type to other ones.
Method : E-Mail, FTP and Syslog
Push Now : Click this button and logs are pushed immediately.
Push Log When Out of Space : Check Enable to avoid losing data in case of space shortage.

Notification

Enable Scheduled Push    :   Check to enable pushing schedule.

Initial Time    :   Start time for scheduled push.

Period    :    Duration for scheduled push.

Methods

FortiWAN transfer logs with FTP, Email and Syslog. It either forwards logs to external FTP server, administrator’s mail account via SMTP or a remote syslog servers.

FTP

Server : FTP Server’s IP or domain name
Account : FTP user account
Password : FTP user password
Path

E-Mail

 : FTP server path
SMTP Server : SMTP server for logging
Account : Authenticated account for mail server
Password : Authenticated password for mail server
Mail From : Sender
Mail To

Syslog

 : Receiver(s). Separate receivers with “,” or “.”.
Server : IP address of remote syslog server.
Facility : Assign a facility to the logging message to specify the program type.

Note: If the Server is applied with a FQDN, then the DNS Server must be set in the Web UI [System]->[Network Settings]->[DNS Server] (See “Set DNS server for FortiWAN”).

FortiWAN Log Notification

April 6, 2017, 12:06 pm
$
0
0

Notification

Two methods are provided to send out the notifications for important system events: E-mail and SNMP trap.

Please configure the settings for the methods and select the event type to notify.

Notification

E-Mail Settings

The table below summarizes the event notification mail setup:

SMTP Server SMTP Server
SMTP Port Specify the port (465 by default) that the SSL encrypted SMTP is using if the SSL check box is checked. FortiWAN uses fixed port:25 for non-encrypted SMTP. This field becomes ineffective if the SSL is unchecked.
SSL Check to enable SMTP transfers over SSL.
Account Authenticated account for the mail server
Password Authenticated password for the mail server
Mail From Sender
Mail To Receiver(s). Separate receivers with “,” or “.”.
Send Test E-mail Now Click the button to run test for the email settings above.

Note: If the SMTP Server is applied with a FQDN, then the DNS Server must be set in the Web UI System > Network Settings > DNS Server (See “Set DNS server for FortiWAN”).

SNMP Trap Settings

Event notification can also be sent via SNMP traps. These can only be sent if there is an existing SNMP manager for receiving FortiWAN’s SNMP traps.

Destination IP The SNMP managing device IP
Community Name Community name

Notification

Types of Events to Notify

Event Types to Notify Check to select the events. Enter the threshold to number of connections, rate of connections and total WAN traffic to trigger the notification.
WAN link failure and recovery Send notification when a WAN link fails or recovers from failure. A integer used to indicate the failed or recovered WAN link.
Account change Send notification when an account is added, removed or password-changed.
HA slave failure and recovery Send notification when the slave unit in HA deployment fails or recovers from failure. Integer 1 indicates the slave unit recovered and integer 2 indicates it failed.
HA takeover Send notification when the local unit in HA deployment was took over by its slave unit. Integer 1 indicates the truth of HA takeover and integer 2 indicates the falseness of HA takeover.
VRRP takeover Send notification when the local unit in VRRP deployment was took over by its backup unit. Integer 1 indicates the truth of VRRP takeover and integer 2 indicates the falseness of VRRP takeover.
Number of connections reaches ___ Set the threshold and the number of connections being processed in system will be sent as an event notification when it exceeds the threshold.
Rate of connections reaches___ / sec Set the threshold and the number of connections established in system every second will be sent as an event notification when it exceeds the threshold.
Total WAN traffic reaches ___ Kbps Set the threshold and the number of current total WAN traffic (sum of inbound and outbound traffic of every WAN link) will be sent as an event notification when it exceeds the threshold.
                               Select All    Click to check all the event types
                                 Clear All     Click to uncheck all the event types

Enable Reports

Viewing all 2380 articles
Browse latest View live
Search
<script src="https://jsc.adskeeper.com/r/s/rssing.com.1596347.js" async> </script>