
How to perform bandwidth tests on FortiGate

FortiGate firewalls have a little-known feature for checking bandwidth performance between local interfaces; it can also check Internet bandwidth by using public iperf servers.

To measure bandwidth the firewall uses a built-in iperf client and an embedded iperf server.
Note: the iperf server on the FortiGate is not a full-featured iperf server. It can be used only for bandwidth tests between FortiGate ports.


To perform the bandwidth tests, the traffictest command is used.

To test bandwidth from port1 to port2 on the FortiGate, follow these steps:

#diag traffictest server-intf port2 <Define server interface
#diag traffictest client-intf port1 <Define client interface
#diag traffictest run <Run iperf

Below is what the output should look like:

Fortigate # diag traffictest run
Connecting to host 216.191.95.14, port 162
[ 8] local 192.168.0.1 port 20692 connected to 216.191.95.14 port 162
[ ID] Interval Transfer Bandwidth Retr Cwnd
[ 8] 0.00-1.00 sec 347 MBytes 2.90 Gbits/sec 0 352 KBytes
[ 8] 1.00-2.00 sec 356 MBytes 2.99 Gbits/sec 0 352 KBytes
[ 8] 2.00-3.00 sec 360 MBytes 3.01 Gbits/sec 0 352 KBytes
[ 8] 3.00-4.00 sec 358 MBytes 3.00 Gbits/sec 0 368 KBytes
[ 8] 4.00-5.00 sec 359 MBytes 3.01 Gbits/sec 0 368 KBytes
[ 8] 5.00-6.00 sec 361 MBytes 3.02 Gbits/sec 0 368 KBytes
[ 8] 6.00-7.00 sec 354 MBytes 2.98 Gbits/sec 0 368 KBytes
[ 8] 7.00-8.00 sec 353 MBytes 2.96 Gbits/sec 0 432 KBytes
[ 8] 8.00-9.00 sec 357 MBytes 2.99 Gbits/sec 0 448 KBytes
[ 8] 9.00-10.00 sec 356 MBytes 2.99 Gbits/sec 0 448 KBytes

[ ID] Interval Transfer Bandwidth Retr
[ 8] 0.00-10.00 sec 3.48 GBytes 2.99 Gbits/sec 0 sender
[ 8] 0.00-10.00 sec 3.48 GBytes 2.99 Gbits/sec receiver

iperf Done.
iperf3: interrupt the server has terminated

To test bandwidth from the FortiGate to a public iperf server you will need the IP address and port used by the iperf server.
Below is a URL to a list of publicly available iperf servers.
https://iperf.fr/iperf-servers.php

There are some options for the iperf test on the FortiGate, which can be seen by using the command below.
#diag traffictest run -h
One very useful option is -R, which runs the test in reverse mode (server sends, client receives); by default the FortiGate sends to the remote server.

Below are the commands to run against a public iperf server.

#diag traffictest client-intf wan1 <Define client interface
#diag traffictest port 5201 <Define iperf port running on the iperf server
#diag traffictest run -c 216.218.207.42 <Run iperf against the 216.218.207.42 iperf server (iperf.he.net)

To run in reverse mode use the following command.

#diag traffictest run -c 216.218.207.42 -R

Output from the default mode (FortiGate sends, server receives) will look like the example below.

Bialik-Viewmount # diag traffictest run -c 216.218.207.42
Connecting to host 216.218.207.42, port 5201
[ 8] local 216.191.95.14 port 5744 connected to 216.218.207.42 port 5201
[ ID] Interval Transfer Bandwidth Retr Cwnd
[ 8] 0.00-1.01 sec 820 KBytes 6.65 Mbits/sec 0 141 KBytes
[ 8] 1.01-2.00 sec 3.08 MBytes 26.1 Mbits/sec 0 389 KBytes
[ 8] 2.00-3.00 sec 6.21 MBytes 52.1 Mbits/sec 0 628 KBytes
[ 8] 3.00-4.00 sec 8.79 MBytes 73.7 Mbits/sec 0 885 KBytes
[ 8] 4.00-5.00 sec 12.3 MBytes 104 Mbits/sec 0 1.17 MBytes
[ 8] 5.00-6.00 sec 13.7 MBytes 115 Mbits/sec 0 1.33 MBytes
[ 8] 6.00-7.00 sec 15.0 MBytes 126 Mbits/sec 0 1.33 MBytes
[ 8] 7.00-8.00 sec 15.0 MBytes 126 Mbits/sec 0 1.33 MBytes
[ 8] 8.00-9.00 sec 15.0 MBytes 126 Mbits/sec 0 1.33 MBytes
[ 8] 9.00-10.00 sec 15.0 MBytes 126 Mbits/sec 0 1.33 MBytes

[ ID] Interval Transfer Bandwidth Retr
[ 8] 0.00-10.00 sec 105 MBytes 88.0 Mbits/sec 0 sender
[ 8] 0.00-10.00 sec 105 MBytes 88.0 Mbits/sec receiver

Output from reverse mode (server sends, FortiGate receives) will look like the example below.

Bialik-Viewmount # diag traffictest run -c 216.218.207.42 -R
Connecting to host 216.218.207.42, port 5201
Reverse mode, remote host 216.218.207.42 is sending
[ 8] local 216.191.95.14 port 1787 connected to 216.218.207.42 port 5201
[ ID] Interval Transfer Bandwidth
[ 8] 0.00-1.00 sec 6.98 MBytes 58.5 Mbits/sec
[ 8] 1.00-2.00 sec 45.7 MBytes 383 Mbits/sec
[ 8] 2.00-3.00 sec 47.8 MBytes 402 Mbits/sec
[ 8] 3.00-4.00 sec 48.2 MBytes 405 Mbits/sec
[ 8] 4.00-5.00 sec 48.4 MBytes 406 Mbits/sec
[ 8] 5.00-6.00 sec 48.2 MBytes 405 Mbits/sec
[ 8] 6.00-7.00 sec 48.1 MBytes 404 Mbits/sec
[ 8] 7.00-8.00 sec 48.4 MBytes 406 Mbits/sec
[ 8] 8.00-9.00 sec 48.3 MBytes 405 Mbits/sec
[ 8] 9.00-10.00 sec 48.4 MBytes 406 Mbits/sec

[ ID] Interval Transfer Bandwidth Retr
[ 8] 0.00-10.00 sec 451 MBytes 379 Mbits/sec 0 sender
[ 8] 0.00-10.00 sec 443 MBytes 371 Mbits/sec receiver

iperf Done.
iperf3: interrupt the server has terminated
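The outputs above are the raw iperf3 report; when you baseline a link (or compare default and reverse mode) it helps to pull the numbers out mechanically. The script below is an added example written for this post, not a Fortinet tool: it parses rows in the shape shown above, then flags TCP ramp-up intervals, retransmits, and any gap between the sender and receiver totals. The samples are constructed from the article's values and truncated to a few intervals.

```python
import re

# Constructed samples shaped like the article's "diag traffictest run" output (truncated).
SAMPLE_DEFAULT = """\
[ 8] 0.00-1.00 sec 347 MBytes 2.90 Gbits/sec 0 352 KBytes
[ 8] 1.00-2.00 sec 356 MBytes 2.99 Gbits/sec 0 352 KBytes
[ 8] 0.00-2.00 sec 703 MBytes 2.95 Gbits/sec 0 sender
[ 8] 0.00-2.00 sec 703 MBytes 2.95 Gbits/sec receiver
"""
SAMPLE_REVERSE = """\
Reverse mode, remote host 216.218.207.42 is sending
[ ID] Interval Transfer Bandwidth
[ 8] 0.00-1.00 sec 6.98 MBytes 58.5 Mbits/sec
[ 8] 1.00-2.00 sec 45.7 MBytes 383 Mbits/sec
[ 8] 2.00-3.00 sec 47.8 MBytes 402 Mbits/sec
[ 8] 3.00-4.00 sec 48.2 MBytes 405 Mbits/sec
[ ID] Interval Transfer Bandwidth Retr
[ 8] 0.00-4.00 sec 160 MBytes 336 Mbits/sec 0 sender
[ 8] 0.00-4.00 sec 152 MBytes 319 Mbits/sec receiver
"""

# Matches "[ 8] 0.00-1.00 sec ..." data rows; the "[ ID]" header rows do not match.
ROW_RE = re.compile(r"^\[\s*\d+\]\s+[\d.]+-[\d.]+\s+sec\s+(.*)$")
SCALE = {"K": 1e-3, "M": 1.0, "G": 1e3}  # K/M/G prefix -> Mbit/s or MBytes (decimal)


def parse_traffictest(text):
    """Return per-interval rows plus the 'sender' and 'receiver' summary rows."""
    result = {"reverse": False, "intervals": [], "summary": {}}
    for line in text.splitlines():
        if line.startswith("Reverse mode"):
            result["reverse"] = True
        m = ROW_RE.match(line)
        if not m:
            continue
        tok = m.group(1).split()  # transfer unit rate unit [retr] [cwnd unit | sender|receiver]
        row = {"mbytes": float(tok[0]) * SCALE[tok[1][0]],
               "mbps": float(tok[2]) * SCALE[tok[3][0]],
               "retr": int(tok[4]) if len(tok) > 4 and tok[4].isdigit() else None}
        if tok[-1] in ("sender", "receiver"):
            result["summary"][tok[-1]] = row
        else:
            result["intervals"].append(row)
    return result


def assess(parsed):
    """Flag TCP ramp-up intervals (well below the median rate), retransmits,
    and a sender/receiver byte gap, i.e. data that never arrived."""
    rates = sorted(r["mbps"] for r in parsed["intervals"])
    if not rates:
        return {}
    median = rates[len(rates) // 2]
    out = {"median_mbps": median,
           "ramp_up_intervals": sum(1 for x in rates if x < 0.75 * median)}
    snd, rcv = parsed["summary"].get("sender"), parsed["summary"].get("receiver")
    if snd and rcv:
        out["retransmits"] = snd["retr"]
        out["loss_pct"] = round(100 * (snd["mbytes"] - rcv["mbytes"]) / snd["mbytes"], 2)
    return out
```

Run the same parse over a test taken at a quiet hour and one under load, and a steady drop in the median or a growing retransmit count is the signal to investigate before users report it.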


What is Next-Generation Antivirus?

Next Generation Antivirus (#NGAV)

So, you have your long-trusted ANTIVIRUS (AV) software and think your system is as safe as all the gold in Fort Knox and no hacker is getting through to your most valuable information. You may believe there's no need to spend any more money on updating your AV software. Well, if that is the case, you are basically a caveman of the internet while the hackers are futuristic, profit-driven beings that can invade your primitive defenses with ease! That's right. Today's hacking criminals of the web are smarter, more sophisticated and determined than ever before, and your trusty old AV software is just no longer able to fully prevent intrusions as it has in the past.

AND HERE'S WHY

Traditional AV software matches malicious software to a pre-defined set of signatures and heuristics. This method of protection surprisingly only stops half of today's attacks. If you are still using your traditional AV software, you still have a 50% chance of being successfully attacked.

ENTER THE EVOLUTION OF AV!

Today there is a new means of protection that is a critical piece of the security puzzle; it can take your system's defenses into the future and protect your precious and sensitive information better: welcome NEXT GENERATION ANTI-VIRUS (#NGAV). This is not just a new way to sell an old concept. NGAV software is a much more powerful tool than regular traditional signature-based AV software. It provides more protection, time efficiency and resources to monitor your systems.

HERE'S HOW NGAV WORKS

NGAV examines every process at every endpoint to detect and block any malicious tools, procedures, tactics or other means that hackers use to bypass normal AV protection. Constantly examining registries, network activity and more, NGAV software is always watching and learning, whereas traditional AV software just sits back and waits for a signature update before responding. NGAV software is proactive in its fight against cyber-attacks. Basically, it's turned the Hunted system into the Hunter.

RANSOMWARE.

Ransomware is the number one malware attack affecting organizations today. It encrypts your files and holds them hostage until the ransom is paid, causing massive disruption to business productivity. NGAV prevents the malicious spontaneous encryption of data by ransomware, even by trusted files or processes that have been hijacked. And once ransomware gets intercepted, NGAV can revert your files back to their safe states.

IT'S TIME TO ADVANCE INTO THE FUTURE

Every day we hear more and more about companies, businesses, institutions and even governments getting hacked due to the ingenuity of attackers and the outdated protection so many of us rely on. The time has come to get out of the stone age and into the future! When it comes to protecting our most valuable information on our systems, NGAV software has arrived to do just that. Now, many big-name companies and smaller entrepreneurs with new business ventures are all considering the newest way to protect their information.

Stay Protected

To safeguard your valuable information and stay ahead of cyber threats, we recommend trying out BALANCED+ cybersecurity services. Our team of experts specializes in providing advanced cybersecurity solutions that can help protect your network, data, and business against cybercriminals. Contact us today to learn more about our services and how we can help you protect your systems and data from cyber attacks.

Fortinet Fortigate Multi Wan Basic Setup and Tips

Fortinet FortiGate firewalls offer multiple Internet support with flexibility in how the different Internet connections are utilized.

There are two ways to configure a multi-WAN setup on the firewall, and which one to use is determined by what is required of the Internet connections.

The first way to configure multi-WAN is for a redundant scenario in which the secondary Internet connection is only used when the primary goes down. In this scenario the secondary Internet's static route (gateway) would have a higher metric than the primary so that it is not active while the primary is up. To configure a multi-WAN setup for Internet redundancy, the steps listed below must be performed.

  1. Configure the interface to be used for the secondary Internet connection (i.e. IP address, netmask, administrative access options, etc.).
  2. Configure the static route for the secondary Internet's gateway with a metric that is higher than the primary Internet connection's. If the secondary Internet is not a manual connection (i.e. DHCP or PPPoE), you will need to set the metric/distance within the interface settings.
  3. Create dead gateway detection entries. These are required when using multiple Internet connections so that the firewall knows which Internet connections are up/available. The setup for dead gateway detection is quite simple: add an upstream IP address to be pinged by the FortiGate, which tells the firewall whether the connection is up or down (see tip below).
  4. Configure/copy all the firewall rules that are needed for the secondary Internet connection. If the primary is WAN1 and the secondary is WAN2, then most or all of the firewall rules for WAN1 will need to be recreated for WAN2 in order to allow traffic when the WAN2 Internet connection is active.

The second type of multi-WAN setup has both Internet connections active at the same time, in order to utilize both connections simultaneously and still have redundancy.

When using both Internet connections at the same time, an ECMP (Equal Cost Multi-Path) load balancing method must be selected. The options are Source IP based, Weighted load balance, or Spillover.

Source IP based is the default load balance method, which works by using a round robin method based on source IP addresses. The first outgoing session is routed out of WAN1, the second outgoing session from a different source IP address is routed out of the WAN2 Internet connection, then the next connection with a different source IP is routed out of WAN1, and so on for all new connections with different source IPs.

Weighted load balance is used to control which Internet connection will be used more, based on weights. For example, if WAN1 has a weight of 10 and WAN2 has a weight of 20, then WAN2 would get more sessions as it has the higher value.

Spillover is used to control outgoing traffic based on bandwidth usage. For example, if WAN1 has been configured with a spillover threshold of 5 Mbit, it will handle all traffic until its bandwidth usage hits 5 Mbit; it will then start sending new sessions out of the WAN2 connection until WAN1 bandwidth usage goes below 5 Mbit, at which point it will send connections out of WAN1 again.

  1. Configure the interface to be used for the secondary Internet connection (i.e. IP address, netmask, administrative access options, etc.).
  2. Configure the static route for the secondary Internet's gateway with a metric that is the same as the primary Internet connection's. If the secondary Internet is not a manual connection (i.e. DHCP or PPPoE), you will need to set the metric/distance within the interface settings.

Tip: Using priority within the static route tells the FortiGate which connection has higher priority when the distance/metric values are the same. Use the default value of 0 for the priority of the connection you wish to be the primary and a higher priority value for the secondary connection. The primary connection (the one with the lower priority value) will be used when the FortiGate is otherwise not sure which default gateway to use for an outbound connection.

  3. Create dead gateway detection entries. These are required when using multiple Internet connections so that the firewall knows which Internet connections are up/available. The setup for dead gateway detection is quite simple: add an upstream IP address to be pinged by the FortiGate, which tells the firewall whether the connection is up or down (see tip below).
  4. Configure/copy all the firewall rules that are needed for the secondary Internet connection. If the primary is WAN1 and the secondary is WAN2, then most or all of the firewall rules for WAN1 will need to be recreated for WAN2 in order to allow traffic when the WAN2 Internet connection is active.

Tip: Forcing outgoing traffic through one of the Internet connections, regardless of which equal cost load balancing method is in use, is accomplished with policy routes.

Policy routes are very powerful and are checked even before the active route table, so any mistakes made can disrupt traffic flows. They work by matching all of the configured values within the policy route, which can be source IP/network, destination IP/network, protocol, etc.; if a match is made, the FortiGate then checks for a firewall policy that will allow the traffic. Also, if there are policy routes for WAN2 and WAN2 is currently down, the FortiGate does not try to match policy routes going out WAN2.

Tip: When creating dead gateway detection entries, ensure that the ping server IP being used is not the default gateway. Default gateway routers are usually directly connected to the FortiGate, so the FortiGate would think the connection is always up even when the Internet connection is actually down. This happens because the FortiGate is pinging a local device and not an upstream device reached through the Internet connection.
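The setup steps and tips above are rules that can be checked before a change window. The script below is an added example written for this post, not a Fortinet tool; it models a two-WAN design as plain dicts (the field names are hypothetical, not FortiOS CLI keywords, and the addresses are documentation ranges) and reports where the design breaks the rules: distance for failover vs. ECMP, the priority tie-breaker, a dead gateway detection target that is the gateway or otherwise on the local subnet, and WAN1 policies with no WAN2 counterpart.

```python
from ipaddress import ip_address, ip_interface

# Constructed two-WAN design. Field names are hypothetical (plain dict keys,
# not FortiOS CLI keywords); addresses are documentation ranges.
DESIGN = {
    "mode": "ecmp",  # "failover": secondary used only when primary is down; "ecmp": both active
    "wans": {
        "wan1": {"ip": "203.0.113.10/29", "gateway": "203.0.113.9",
                 "distance": 10, "priority": 0, "ping_server": "203.0.113.1"},
        "wan2": {"ip": "198.51.100.10/29", "gateway": "198.51.100.9",
                 "distance": 10, "priority": 5, "ping_server": "198.51.100.9"},
    },
    "policies": [  # firewall policies, reduced to source and destination interface
        {"srcintf": "lan", "dstintf": "wan1"},
        {"srcintf": "lan", "dstintf": "wan2"},
        {"srcintf": "dmz", "dstintf": "wan1"},
    ],
}


def with_mode(design, mode):
    """Copy of the design with a different multi-WAN mode (no mutation)."""
    return {**design, "mode": mode}


def check_design(design, primary="wan1", secondary="wan2"):
    """Return a list of findings where the design breaks the article's rules."""
    findings = []
    wans = design["wans"]
    pri, sec = wans[primary], wans[secondary]
    if design["mode"] == "failover":
        # Redundant setup: the secondary route must have the higher distance.
        if sec["distance"] <= pri["distance"]:
            findings.append(f"{secondary}: distance must be higher than {primary} for failover use")
    elif design["mode"] == "ecmp":
        # Both active: equal distance, and priority 0 on the primary breaks ties.
        if sec["distance"] != pri["distance"]:
            findings.append(f"{secondary}: distance differs from {primary}, so ECMP will not apply")
        if pri["priority"] != 0 or sec["priority"] <= pri["priority"]:
            findings.append(f"{primary}: needs priority 0 and {secondary} a higher priority")
    # Dead gateway detection must ping an upstream host, not the directly
    # connected gateway (or anything else on the local subnet).
    for name, wan in wans.items():
        ping = ip_address(wan["ping_server"])
        if ping == ip_address(wan["gateway"]):
            findings.append(f"{name}: ping server is the default gateway; link will always look up")
        elif ping in ip_interface(wan["ip"]).network:
            findings.append(f"{name}: ping server is on the local subnet, not upstream")
    # Every policy out of the primary needs a counterpart out of the secondary.
    pairs = {(p["srcintf"], p["dstintf"]) for p in design["policies"]}
    for src, dst in sorted(pairs):
        if dst == primary and (src, secondary) not in pairs:
            findings.append(f"{src}->{secondary}: no policy mirrors {src}->{primary}")
    return findings
```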

In conclusion, Fortinet FortiGate firewalls offer businesses the flexibility to support multiple Internet connections, which can be configured in two ways: for Internet redundancy or for utilizing both connections simultaneously while still having redundancy. Both configurations require setting up the interface, configuring the static route, creating dead gateway detection entries, and configuring the firewall rules. Additionally, when utilizing both connections simultaneously, an ECMP load balancing method must be selected, which includes “Source IP based,” “Weighted load balance,” and “Spillover” options. By following these steps, businesses can ensure that their Internet connections are reliable, and their traffic is optimized for both performance and redundancy.