fortitester handbook, v2.9 - pub.kb.fortinet.com

FortiTester™ Handbook VERSION 2.9.0


March 21, 2017

FortiTester Handbook 2.9.0

1st Edition

TABLE OF CONTENTS

Change Log
Introduction
  Features and benefits
  What's New
Chapter 1 - Getting Started
  Connecting to FortiTester
  Configuring the management port
  Configuring system time
  Creating the admin password
  Configuring the device under test
Chapter 2 - Running Tests
  Test case configuration overview
  Using port binding and link aggregation
  Using 40G to 4 x 10G fan out
  Using network configuration templates
  Starting an HTTP CPS test
  Starting an HTTP RPS test
  Starting an HTTP CC test
  Starting an HTTP throughput test
  Starting an HTTPS CPS test
  Starting an HTTPS RPS test
  Starting an HTTPS CC test
  Starting an HTTPS throughput test
  Starting an IPsec remote access test
  Starting an IPsec remote access CC test
  Starting a UDP PPS test
  Starting a UDP Payload test
  Starting an RFC 2544 base value test
  Starting an RFC 2544 throughput test
  Starting an RFC 2544 latency test
  Starting an RFC 2544 loss rate test
  Starting an RFC 2544 back to back test
  Starting a DNS latency test
  Starting a TCP connection test
  Starting a TCP throughput test
  Starting a TurboTCP test
  Starting a Mail SMTP test
  Starting a Mail POP3 test
  Starting a Mail IMAP test
  Starting a FTP test
  Starting an AttackReplay test
  Starting a Traffic Replay test
  Starting a DDoS single packet flood test
  Starting a DDoS TCP session flood test
  Starting a DDoS HTTP session flood test
  Starting a DDoS concurrent session flood test
  Starting an RTSP test
  Starting a packet capture test
  Starting a mixed traffic test
  Stopping tests
  Displaying test status
  Viewing test results
  Exporting/importing a test case
  Scheduling cases
Chapter 3 - System Administration
  Displaying system status
  Updating firmware
  Shutting down the system
  Rebooting the system
  Resetting the system
  Creating test users
Chapter 4 - Joining multiple appliances into a Test Center
  Changing the workmode setting
Chapter 5 - Using the Command-Line Interface
  Getting CLI help
  Command descriptions

Change Log

Date | Change Description
2017-03-21 | FortiTester 2.9.0 initial release

FortiTester Handbook, Fortinet Technologies, Inc.

Introduction

Welcome, and thank you for selecting Fortinet products for your testing environment.

FortiTester™ appliance models are powerful and easy-to-use tools that test the performance of your network devices.

FortiTester implements DPDK, which provides libraries and user-space NIC drivers for accelerated packet processing performance. The implementation allows FortiTester to offer a wide range of line-rate tests on server-class hardware.

This document describes how to set up your FortiTester appliance. It also describes how to use the web user interface (web UI) and command-line interface (CLI).

Features and benefits

FortiTester is a network traffic test tool that is based on Fortinet's specialized hardware and software platform. It provides the following types of tests:

• HTTP/HTTPS CPS test
  FortiTester can test new connections per second (CPS) performance by simulating multiple clients that generate HTTP or HTTPS traffic.
• HTTP/HTTPS RPS test
  FortiTester can test requests per second (RPS) performance by simulating multiple clients that generate HTTP or HTTPS traffic.
• HTTP/HTTPS CC test
  FortiTester can test HTTP or HTTPS concurrent connection (CC) performance by simulating multiple clients that generate HTTP or HTTPS traffic.
• HTTP/HTTPS throughput test
  FortiTester can test HTTP or HTTPS throughput performance of a Device Under Test (DUT) by simulating multiple clients that generate HTTP or HTTPS traffic.
• IPsec
  FortiTester can test IPsec gateway performance by measuring IPsec and HTTP connections per second from simulated IPsec clients to an HTTP server behind the DUT's IPsec gateway.
• TCP throughput test
  FortiTester can test TCP throughput performance of a DUT by generating a specified volume of two-way TCP traffic flows via specified ports.
• TCP connection test
  FortiTester can test TCP concurrent connections performance by generating a specified volume of two-way TCP traffic flow via specified ports.
• TurboTCP test
  FortiTester can test new connections per second (CPS) performance by generating a specified volume of two-way TurboTCP traffic flows via specified ports.
• UDP PPS test
  FortiTester can test UDP throughput performance by sending a specified size of UDP frames at a maximum or limited speed from simulated clients to simulated servers.
• UDP Payload test
  FortiTester system can test UDP payload by sending UDP frames with a user-specified payload.
• RFC 2544
  FortiTester implements RFC 2544 throughput, latency, data loss, and back to back test cases for UDP performance.
• Mail tests
  FortiTester can test SMTP, POP3, and IMAP performance by simulating a specified volume of clients to each send or receive one message.
• Attack Replay test
  FortiTester can test security systems by replaying a predefined set of attack traffic or pcaps that you upload. The predefined set covers 100 types of attacks.
• Traffic Replay test
  FortiTester can test user-defined scenarios by replaying any pcap file. Typically, pcap files are generated by programs like tcpdump or Wireshark.
• DDoS test
  FortiTester can send multiple types of distributed denial of service (DDoS) attack traffic to test DDoS detection/prevention systems.
• DNS Latency test
  FortiTester can send DNS query traffic to test latency to a server or through a gateway.
• RTSP test
  FortiTester can test RTSP connections by generating two-way traffic flow.
• Packet Capture test
  FortiTester can test packet capture by capturing packets received from the network adapter.
• Mixed traffic test
  FortiTester can burst all types (except HTTPS) of traffic simultaneously.
• 40G to 4 x 10G fan out for FortiTester 3000E
  FortiTester can be configured for 4 x 10G fan out.

What's New

The following features are introduced in 2.9.0:

• Support for 40G to 4 x 10G fan out for FortiTester-3000E.
• Added a new test case for RTSP/RTP testing.
• Added a new test case for IPsec tunnel concurrency testing.
• Added a new test case, PacketCapture, for packet capture and analysis on physical ports, which can be used as a reference when creating mixed-traffic test cases.
• Added object management for network profiles, certificates and payloads, which can be selected as templates in test cases.
• Protocol distribution, in terms of percentage of bandwidth allocation, can now be configured for the Mixed Traffic test case.
• FortiTester now allows the same subnet to be configured on multiple ports.
• FortiTester now supports port binding for all UDP test cases, such as DNS / PPS / PAYLOAD / RFC2544.
• Support for 802.3AD bond mode.
• Users can now filter search results from the "History" page, as well as look at detailed results of previous tests.
• Users can now start and stop a packet capture from the test summary page while the test is running.

Chapter 1 - Getting Started

This chapter provides the procedures for getting started with FortiTester.

Connecting to FortiTester

A basic network connection topology for FortiTester is shown in Figure 1.

Figure 1: A basic network connection topology

A FortiTester appliance has multiple network ports. In most cases, one port is for management and the others are for testing. The management port (usually mgmt or port1) connects to a local network to enable the user to access the FortiTester appliance via the web UI.

The test ports are divided into client ports and server ports that connect to the device under test (DUT). Client ports simulate multiple client devices that access the simulated server devices via server ports. Use the provided cables to connect the FortiTester to the DUT.

When you use one FortiTester appliance in standalone work mode, the test ports on the standalone appliance are divided between client and server. Figure 2 shows the distribution of ports in a standalone environment. Port 1, a client port, is paired with port 3, a server port; port 2, a client port, is paired with port 4, a server port.

Figure 2: Test ports in standalone work mode

If your tests require more ports, you can join up to 4 pairs of FortiTester appliances in a Test Center. Figure 3 shows the distribution of ports in a Test Center environment with two FortiTester appliances. Ports 1-4 of the first appliance are client ports; ports 1-4 of the second appliance are server ports. Port 1 on the first appliance is paired with port 1 on the second appliance.

Figure 3: Test ports in Test Center / Slave work mode

For information on configuring a Test Center, see Chapter 4 - Joining multiple appliances into a Test Center.

Configuring the management port

The management port must be connected to the same switch as the administrator client computer. Use the Ethernet cord provided with the FortiTester.

The following procedure assumes that the default management port IP address (192.168.1.99) is not on the same subnet as your client computer.

To configure the management port:

1. Configure your computer to match the FortiTester default management port subnet. For example, from the Windows 7 Control Panel, go to Network and Sharing Center. Click the Local Area Connection link, and then click the Properties button. Select Internet Protocol Version 4 (TCP/IPv4) and then click its Properties button. Select Use the following IP address, and then enter the following settings:
   • IP address: 192.168.1.2
   • Subnet mask: 255.255.255.0
2. To connect to the web UI, start a web browser and go to http://192.168.1.99, or https://192.168.1.99.
3. Type admin in the Username field, enter the password, and then click Login.
4. In the top banner, click the icon to display the System settings page.
5. Click the Device Ports tab.
6. For the management port, change its IP address, netmask, and default gateway.
   The following example changes the management IP address to 192.168.1.199.
   Figure 4: Set management port
7. Click Apply to complete configuration of the management port.
8. Click the DNS Server tab.
9. Click Add DNS, enter the IP address for the DNS server, and then click Apply. Note you can add more than one DNS server.
10. Change the IP address of your client PC to the same network segment used by the management port IP address.
11. To log into the web UI again, enter the new management IP address in a web browser.

Configuring system time

You can use the System page to change the system time. You can manually modify the time or synchronize the system time with an NTP server.

To configure system time:

1. In the top banner, click the icon to display the System settings page.
2. Under System Time, click the Change link to display the Time Settings dialog box.
3. Set the system time or synchronize time with a NTP server, as described in Table 1.
4. Save the configuration.

Table 1: System Time

Settings | Guidelines
Time Zone | Select the time zone where the FortiTester appliance is installed.
System Time | The text boxes are populated with the current settings for the system date and time. You can change these manually.
Synchronize with NTP Server | Enter the IP address or domain name of an NTP server. To find an NTP server that you can use, see http://www.ntp.org. The time is not synched at a regular interval, only when you click the Save button.

Creating the admin password

FortiTester has a default user admin. By default, there is no password.

To change the password for the admin account:

1. In the top banner, click the admin link.
2. Select Modify Password from the drop down menu.
3. Enter the old password, the new password, and save the configuration.

Configuring the device under test

The DUT must be configured to connect with FortiTester before tests can be run.

If the DUT is a FortiGate appliance, you generally need to configure interfaces, routes, and a firewall policy. Gateways for the test case are typically set as the IP address of the FortiGate's interfaces. If the client and server subnets are not on the same network as the gateway addresses, routes must be added.

Refer to the user guide for the specific DUT for instructions on how to configure it for testing.

Chapter 2 - Running Tests

This chapter provides procedures for running tests and viewing test results.

Test case configuration overview

The test case configuration workflow includes the following standard elements:

• Test type—The test template to use. It determines the mandatory and optional settings for specific cases.
• Case options—IP version, DUT role, DUT mode, network configuration, optional port binding, VLAN and Client Virtual Router.
• Interface ports—Client and server interface port configuration.
• Optional elements—Enable or disable packet capture, scheduling and MAC masquerade.
• Test case specifics—Variables that determine the test parameters, such as load, rates/limits, and client/server profiles and actions.

The first four items set up the basic test environment. Once you become familiar with them, you can assume they can be configured in the same manner for each test. The Client Virtual Router will simulate a router between FortiTester's client subnets and the connected DUT.

The test case specifics are key to testing the performance of the device under test (DUT). We recommend you become familiar with guidelines for test case specifics whenever you get started with a new test case type.

Using port binding and link aggregation

The FortiTester system can bind multiple physical ports as one logical port. We call this feature port binding. The physical ports in one logical port share one network configuration, such as IP address, netmask, and gateway.

This feature is useful in the following scenarios:

• To test the link aggregation feature of a DUT. A DUT might also support port binding (also called link aggregation or TRUNK). In that case, FortiTester can test this feature and its performance.
• To test 40G/100G ports of a DUT. A DUT might have some ports that have bandwidth greater than a single FortiTester port. To test such port performance, we can bind multiple FortiTester ports as one logical port and connect to a switch to transfer traffic with a DUT. For example, a FortiTester appliance can bind 4 10G ports as one to test a 40G port in a DUT via a 10G/40G switch.

FortiTester averages traffic on physical ports that belong to one logical port.

Note: Only the DNS, TCP, UDP, RFC2544, HTTP, and HTTPS tests support port binding.

To change the port binding:

1. Click on the Optional Port Binding link.

Figure 5: Optional Port Binding

2. Click Add, under Network Settings.
3. Configure the settings. You can configure the number of bond interfaces and member ports, as well as the bond type.
4. Click Save.

Figure 6: Optional Port Binding Configuration

Using 40G to 4 x 10G fan out

FortiTester 2.9.0 comes with support for 40G to 4 x 10G fan out. This feature splits the 40G port into 4 separate 10G ports. Use the corresponding cable to link the 10G ports to the DUT.

To enable fan out:

1. Go to System > Device Ports.
2. Switch 40G fan out 4x10G to Enabled.
3. Click Ok.
4. Wait for the system to reboot.

After you have rebooted the system, the fan out should be enabled. You can check by going to System > Device Ports.

Using network configuration templates

Many test cases you may want to run will have the same basic network setup. To simplify configuration, you can create a network configuration template and then import it when you initially configure test case settings. The template settings are used to populate the network settings for the new test case configuration.

The network configuration template specifies the IP address type, DUT working mode, client/server port settings, subnet settings, port binding and VLAN settings.

You can only import template settings if the IP address type and DUT working mode you select in the new test case popup dialog box match the settings in the network configuration template.

After the settings have been imported, you can modify client/server port settings, subnet settings, port binding and VLAN settings if necessary.

To create a network configuration template:

1. Go to Cases > Config Object.
2. Click Add to display the configuration page.
3. In the popup dialog, configure the following settings:
   • IP Version—IPv4, IPv6 or Mixed.
   • DUT Role—Network Gateway or Application Server. If you want to test an application server, the FortiTester appliance will work as a pure client; if you want to test a network gateway, it will work as both client and server.
   • DUT Working Mode—Transparent mode, NAT mode, or Web Proxy mode. In the transparent mode, the DUT does not change the IP address of the packet. In NAT mode, the device is considered to be a router hop and the IP addresses can be translated. In Web Proxy mode, the proxy address is used. If the DUT is configured in Web Proxy mode (e.g. a WAF), select Web Proxy. Note: This setting will be shown only when DUT role is Network Gateway.
   • Tester and Application Server—Specify that the FortiTester appliance and the application server are in the same subnet or route by a gateway to send/receive traffic. Note: This setting will be shown only when DUT role is Application Server.
   • Port Binding—Optional. Port binding aggregates two or more physical ports into one logical port.
   • Support SNAT/DNAT Policy—Optional. Select this to allow DUT to do source and destination NAT on the same session.
     Note: If the DUT performs SNAT/DNAT on the data traffic, use the Translated To field to change the IP address before starting the run.
   • Support VLAN—Optional. Set VLAN ID to the traffic.
   • Virtual Router—Optional. This option allows the clients and/or servers to be on subnets different from the DUT's interfaces and all traffic to/from the DUT uses the virtual router's MAC address.
4. Click OK to continue.
5. Complete the configuration as described in Table 2.
6. Save the configuration.

After you have created a network configuration template, you can extend it (which means making a copy), or export it as a zip file and import the zip file later.

Table 2: Network configuration object settings

Settings | Guidelines

Basic Information
Name | Specify a configuration name, or use the default. The name appears in the Network Config drop-down list when you configure test cases.

Network Settings
Client Ports, Server Ports | The page lists all the test ports for client-side and server-side connections. The client ports simulate the behavior of clients; the server ports simulate the behavior of servers. FortiTester builds the TCP connections between client ports and server ports (and through the DUT, of course). You must select at least one client port and one server port. After you select a port for client, a (check mark) is displayed on the port icon. The same port on the server side is no longer available. Note: You don't need to select the server port if you've selected the DUT role as Application Server.

MAC Masquerade
MAC Masquerade | Specify the first two bytes of a MAC address for the traffic.

Virtual Router
IP Address | Specify the IP address to the virtual router. This IP address is used to connect to a DUT, therefore it must be in the same subnet with the connected port of the DUT. Please make sure the corresponding routing rules are set on the DUT, so that DUT correctly forwards traffic to the virtual router. Only a single IP address in format xxx.xxx.xxx.xxx is accepted here.

Subnet
IP Address or Range | Specify a single IP address with standard format (for example, 10.1.2.1) or an address range like 10.1.2.1-10.1.2.99.
Translated To | NAT mode only. If the DUT uses SNAT/DNAT, specify the new, translated, IP address.
Netmask | Specify a netmask between 1 and 31.
VLAN ID | Specify a VLAN ID between 1 and 4095.
Server IP | When the DUT role is an application server, specify a single IP address in the standard format.
Gateway | Specify the gateway IP address when the DUT role is an application server or the DUT working mode is in NAT mode.
Peer Network | NAT mode only. Specify the peer network subnet address. If the DUT uses SNAT/DNAT, use the translated IP address.
Proxy IP/Mask | Web Proxy mode only. Specify the proxy IP address/netmask.
Add Subnet | If necessary, click +Add Subnet to display additional subnet configuration controls. An interface port can have multiple subnets. FortiTester uses all IP addresses in the specified subnets to create TCP connections and transfer data.
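
A pre-flight check for the Subnet and Virtual Router fields of Table 2, as an added example that is not part of the handbook or of FortiTester itself. It applies the limits the table gives (address or range format, netmask 1 to 31, VLAN ID 1 to 4095, virtual router in the DUT port's subnet); the names SubnetRow, check_row and virtual_router_ok are hypothetical, the sample values are constructed, and only IPv4 is handled.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class SubnetRow:
    """One Subnet entry from Table 2 (hypothetical container, IPv4 only)."""
    ip_or_range: str                 # "10.1.2.1" or "10.1.2.1-10.1.2.99"
    netmask: int                     # prefix length; the table allows 1 to 31
    vlan_id: Optional[int] = None    # the table allows 1 to 4095
    gateway: Optional[str] = None    # NAT mode or application-server role


def parse_ip_or_range(text: str) -> Tuple[ipaddress.IPv4Address, ipaddress.IPv4Address]:
    """Parse a single address or an 'a-b' range into (first, last)."""
    first_s, sep, last_s = text.partition("-")
    first = ipaddress.IPv4Address(first_s.strip())
    last = ipaddress.IPv4Address(last_s.strip()) if sep else first
    if last < first:
        raise ValueError(f"range end {last} is below range start {first}")
    return first, last


def address_count(text: str) -> int:
    """Number of simulated addresses the field would give the test case."""
    first, last = parse_ip_or_range(text)
    return int(last) - int(first) + 1


def check_row(row: SubnetRow) -> List[str]:
    """Return findings for one row; an empty list means nothing to fix."""
    findings: List[str] = []
    if row.vlan_id is not None and not 1 <= row.vlan_id <= 4095:
        findings.append(f"VLAN ID {row.vlan_id} is outside 1-4095")
    try:
        first, last = parse_ip_or_range(row.ip_or_range)
    except ValueError as exc:
        findings.append(f"bad IP address or range: {exc}")
        return findings
    if not 1 <= row.netmask <= 31:
        findings.append(f"netmask {row.netmask} is outside 1-31")
        return findings
    # The whole range has to sit inside the subnet implied by the netmask.
    net = ipaddress.ip_network(f"{first}/{row.netmask}", strict=False)
    if last not in net:
        findings.append(f"range end {last} is outside {net}")
    if row.gateway is not None:
        try:
            gw = ipaddress.IPv4Address(row.gateway)
        except ValueError as exc:
            findings.append(f"bad gateway: {exc}")
        else:
            # The handbook says routes must be added when the subnets are
            # not on the same network as the gateway addresses.
            if gw not in net:
                findings.append(f"gateway {gw} is not in {net}: add routes on the DUT")
    return findings


def virtual_router_ok(vr_ip: str, dut_port: str) -> bool:
    """True if vr_ip is a single address inside the DUT port's subnet.

    dut_port is the DUT interface in address/prefix form, e.g. "192.168.10.1/24".
    """
    try:
        vr = ipaddress.IPv4Address(vr_ip)          # rejects ranges and masks
        dut = ipaddress.IPv4Interface(dut_port)
    except ValueError:
        return False
    return vr in dut.network


if __name__ == "__main__":
    # Constructed sample rows, not values from a real test case.
    rows = [
        SubnetRow("10.1.2.1-10.1.2.99", 24, vlan_id=100, gateway="10.1.2.254"),
        SubnetRow("10.1.2.1-10.1.3.5", 24),
        SubnetRow("10.1.2.1", 32, vlan_id=4096),
    ]
    for row in rows:
        print(row.ip_or_range, check_row(row) or "ok")
    print(virtual_router_ok("192.168.10.2", "192.168.10.1/24"))
```
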

Starting an HTTP CPS test

FortiTester tests HTTP new connections per second (CPS) performance by simulating multiple clients that generate HTTP traffic.

The traffic generated for each connection includes the TCP three-way handshake, HTTP request and HTTP response (complete HTTP transaction), and the TCP connection close (FIN, ACK, FIN, ACK). Each TCP packet has one HTTP GET request. The traffic is HTTP 1.0 without HTTP persistent connections (HTTP keep-alive).

Note the following limitations:

• You cannot modify the HTTP request or HTTP response headers.

To start an HTTP CPS test:

1. Go to Cases > HTTP > CPS to display the test case summary page.
2. Click Add to display the Case Options dialog box.
3. In the popup dialog, configure the network settings as described in "Using network configuration templates".
4. Click OK to continue.
5. Configure the test case options described in Table 3.
6. Click Start to run the test case.

FortiTester saves the configuration automatically so you can run the test again later. You can also click Save to save the test case without running it.

Tip: You can also copy an existing case, and change its settings to create a new case. In the case list, click Clone to clone the configuration. Only the case name is different from the original case.

Table 3: HTTP CPS Test Case configuration

Settings | Guidelines

Basic Information
Name | Specify the case name, or just use the default. The name appears in the list of test cases.
Ping Server Timeout | If a FortiTester connects to a DUT via a switch, the switch might cause a ping timeout, resulting in the test case failing to run. If this occurs, increase the timeout. The default is 15 seconds. The valid range is 0 to 600. Note: You can disable this end-to-end connectivity test by entering a setting of 0. If the DUT is unable to return packets, it is recommended you do so.
Duration | Specify the test duration. The default is 10 minutes. The test stops automatically after the duration you specify.
Number of Samples | Select the number of samples. The default is 20, which means the web UI will show the last 20 sample data (about 20 seconds) in the test case running page. You can select 20, 60, or 120.

Network Settings
Client Ports, Server Ports | The graphic depicts the test ports for client-side and server-side connections. The client ports simulate the behavior of clients; the server ports simulate the behavior of servers. FortiTester builds the TCP connections between client ports and server ports (and through the DUT, of course). You must select at least one client port and one server port. After you select a port for client, a (check mark) is displayed on the port icon, and a tab for the port is added below the graphic. Use the tabs to toggle the Capture Packets and Subnet settings controls for each port.

Capture Packets

Capture Packets | Optional. Set packet capture options if you want to capture the traffic of this port. You can capture all packets or specify a number. You can set packet capture filters for host IP/port and protocol. Note: The system allocates temporary disk space for packet captures. The limit is 6,000,000 packets. The packets are saved to a temporary file that you can download from the running test case page. The filename indicates whether it is client or server communication and the interface port number. For example, client_port1.pcap. When a subsequent test case with packet capture enabled uses the same interface port as a previous one, the previous file is overwritten.

MAC Masquerade
MAC Masquerade | Specify the first two bytes of a MAC address for the traffic.

Virtual Router
IP Address | Specify the IP address to the virtual router. This IP address is used to connect to a DUT, therefore it must be in the same subnet with the connected port of the DUT. Please make sure the corresponding routing rules are set on the DUT, so that DUT correctly forwards traffic to the virtual router. Only a single IP address in format xxx.xxx.xxx.xxx is accepted here.

Subnet
Subnet IP Address or Range | Specify a single IP address with standard format (for example, 10.1.2.1) or an address range like 10.1.2.1-10.1.2.99.
Netmask | Specify a netmask between 1 and 31.
VLAN ID | Specify a VLAN ID between 1 and 4095.
Gateway | NAT mode only. Specify the gateway IP address.
Peer Network | NAT mode only. Specify the peer network subnet address.
Proxy IP/Mask | Web Proxy mode only. Specify the proxy IP address/netmask.
Add Subnet | If necessary, click +Add Subnet to display additional subnet configuration controls. An interface port can have multiple subnets. FortiTester uses all IP addresses in the specified subnets to create TCP connections and transfer data.

Load

Simulated Users | Number of users to simulate. Standalone mode: The default is 256. The valid range is from 1 to 1024. Test Center mode: The default is 512, and the valid range is from 1 to 2048, for example, for an environment with two FortiTester appliances.
Speed Limit | Rate of new transactions per second. The default is 0, which means the device will send traffic as fast as possible. Standalone mode: The valid range is 1,000 to 850,000 transactions per second (or the special value 0). Test Center mode: The valid range is 1,000 to 1,700,000, for example, for an environment with two FortiTester appliances.
Ramp UP Seconds | Time in seconds for traffic to ramp up when you start the test.
Ramp Down Seconds | Time in seconds for traffic to ramp down when you stop the test.

Network
MTU | Preset to 1500. Not configurable.

Profile (Client)
Source Port Range | Specify a client port range. The valid range is 10,000 to 65,535, which is also the default.
Client Close Mode | Select the connection close method: 3Way_Fin or Reset.
IP Change Algorithm / Port Change Algorithm | Select a change algorithm: Increment or Random. This setting determines how the system changes source/destination IP addresses and ports to simulate multiple client requests. The Increment option uses the next IP address or port in the range, for example: 10.11.12.1 -> 10.11.12.2; port 10000 -> 10001. The Random option selects an IP address or port in the range randomly.
Request Header | Preset to UserAgent: Firefox/41.0. Click the Add Header button to specify more headers.
Piggybacking | Enabled, meaning an acknowledgement is sent on the data frame, not in an individual frame. Not configurable.

Profile (Server)
Server Port | Preset to 80. Not configurable.

Response Header | Preset to Server: nginx/1.9.5, Content-Type: text/html. Click the Add Header button to specify more headers.
Piggybacking | Enabled. Not configurable.

Action
Get page | Select the file that the simulated clients access. The default is "index.html" with 4 bytes. Optionally, you can upload a customized HTML file. The file size limit is 10 MB.
Post page | Select the file that simulated servers send. The default is "index.php" with 4 bytes. You can edit the post parameters. The file size limit is 10 MB.

Starting an HTTP RPS test

FortiTester tests requests per second (RPS) performance by simulating multiple clients that generate HTTP traffic.

All requests include a TCP three-way handshake, one HTTP request and response, and a TCP connection close (FIN, ACK, FIN, ACK). There are 10 HTTP GET requests per TCP connection and 100 HTTP GET requests per TCP connection for Layer4/HTTPS testing.

Note the following limitations:

• You cannot modify the HTTP request or HTTP response headers.

To start an HTTP RPS test:

1. Go to Cases > HTTP > RPS to display the test case summary page.
2. Click Add to display the Case Options dialog box.
3. In the popup dialog, configure the network settings as described in "Using network configuration templates".
4. Click OK to continue.
5. Configure the test case options described in Table 4.
6. Click Start to run the test case.

FortiTester saves the configuration automatically so you can run the test again later. You can also click Save to save the test case without running it.

Tip: You can also copy an existing case, and change its settings to create a new case. In the case list, click Clone to clone the configuration. Only the case name is different from the original case.

 Table 4: HTTP RPS Test Case configuration


Settings Guidelines

Basic Information

Name Specify the case name, or just use the default. The name appears in the list of test cases.

Ping Server Timeout If a FortiTester connects to a DUT via a switch, the switch might cause a ping timeout, resulting in the test case failing to run. If this occurs, increase the timeout. The default is 15 seconds. The valid range is 0 to 600. Note: You can disable this end-to-end connectivity test by entering a setting of 0. If the DUT is unable to return packets, it is recommended you do so.

Duration Test duration. The default is 10 minutes. The test stops automatically after the duration you specify.

Number of Samples Select the number of samples. The default is 20, which means the web UI shows the last 20 samples (about 20 seconds) on the test case running page. You can select 20, 60, or 120.

Network Settings

Client Ports, Server Ports The graphic depicts the test ports for client-side and server-side connections. The client ports simulate the behavior of clients; the server ports simulate the behavior of servers. FortiTester builds the TCP connections between client ports and server ports (and through the DUT, of course).

You must select at least one client port and one server port. After you select a port for client, a (check mark) is displayed on the port icon, and a tab for the port is added below the graphic. Use the tabs to toggle the Capture Packets and Subnet settings controls for each port.

Capture Packets

Capture Packets Optional. Set packet capture options if you want to capture the traffic of this port. You can capture all packets or specify a number. You can set packet capture filters for host IP/port and protocol.

Note: The system allocates temporary disk space for packet captures. The limit is 6,000,000 packets. The packets are saved to a temporary file that you can download from the running test case page. The filename indicates whether it is client or server communication and the interface port number. For example, client_port1.pcap. When a subsequent test case with packet capture enabled uses the same interface port as a previous one, the previous file is overwritten.

MAC Masquerade

MAC Masquerade Specify the first two bytes of a MAC address for the traffic.

Virtual Router


IP Address Web Proxy only. Specify the IP address of the virtual router. This IP address is used to connect to a DUT, so it must be in the same subnet as the connected port of the DUT. Make sure the corresponding routing rules are set on the DUT so that the DUT correctly forwards traffic to the virtual router. Only a single IP address in the format xxx.xxx.xxx.xxx is accepted here.

Subnet

Subnet IP Address or Range Specify a single IP address with standard format (for example, 10.1.2.1) or an address range like 10.1.2.1-10.1.2.99.

Netmask Specify a netmask between 1 and 31.

VLAN ID Specify a VLAN ID between 1 and 4095.

Gateway NAT mode only. Specify the gateway IP address.

Peer Network NAT mode only. Specify the peer network subnet address.

Proxy IP/Mask Web Proxy mode only. Specify the proxy IP address/netmask.

Add Subnet If necessary, click +Add Subnet to display additional subnet configuration controls. An interface port can have multiple subnets. FortiTester uses all IP addresses in the specified subnets to create TCP connections and transfer data.

Load

Simulated Users Number of users to simulate.

Standalone mode: The default is 256. The valid range is from 1 to 1024.

Test Center mode: The default is 512, and the valid range is from 1 to 2048, for example, for an environment with two FortiTester appliances.

Requests per Connection Number of HTTP requests per connection. The default is 0, which means as many as possible. The valid range is 0 to 50,000.

Speed Limit Rate of requests per second. The default is 0, which means the device will send traffic as fast as possible.

Standalone mode: The valid range is 1,000 to 1,600,000 requests per second (or the special value 0).

Test Center mode: The valid range is 1,000 to 3,200,000, for example, for an environment with two FortiTester appliances.


Ramp UP Seconds Time in seconds for traffic to ramp up when you start the test.

Ramp Down Seconds Time in seconds for traffic to ramp down when you stop the test.

Network

MTU Preset to 1500. Not configurable.

Profile (Client)

Source Port Range Client port range. The valid range is 10,000 to 65,535, which is also the default.

Client Close Mode Select the connection close method: 3Way_Fin or Reset.

IP Change Algorithm / Port Change Algorithm Select a change algorithm: Increment or Random. This setting determines how the system changes source/destination IP addresses and ports to simulate multiple client requests. The Increment option uses the next IP address or port in the range, for example: 10.11.12.1 -> 10.11.12.2; port 10000 -> 10001. The Random option selects an IP address or port in the range randomly.

Request Header Preset to UserAgent: Firefox/41.0. Click the Add Header button to specify more headers.

Piggybacking Enabled, meaning an acknowledgement is sent on the data frame, not in an individual frame. Not configurable.

Profile (Server)

Server Port Preset to 80. Not configurable.

Response Header Preset to Server: nginx/1.9.5 Content-Type:text/html. Click the Add Header button to specify more headers.

Piggybacking Enabled. Not configurable.

Action

Get Page Select the file that the simulated clients access. The default is “index.html” with 4 bytes. Optionally, you can upload a customized HTML file. The file size limit is 10 MB.

Post page Select the file that simulated servers send. The default is "index.php" with 4 bytes. You can edit the post parameters. The file size limit is 10 MB.


Starting an HTTP CC test

FortiTester tests HTTP concurrent connection (CC) performance by simulating multiple clients that generate HTTP traffic. All connections include a TCP three-way handshake, a loop of HTTP requests and responses (complete HTTP transaction), and close the connection with TCP FIN.

Note the following limitations:

• You cannot modify the HTTP request or HTTP response headers.

To start an HTTP CC test:

1. Go to Cases > HTTP > CC to display the test case summary page.
2. Click Add to display the Case Options dialog box.
3. In the popup dialog, configure the network settings as described in "Using network configuration templates" on page 16.
4. Click OK to continue.
5. Configure the test case options described in Table 5.
6. Click Start to run the test case.

FortiTester saves the configuration automatically so you can run the test again later. You can also click Save to save the test case without running it.

Tip: You can also copy an existing case, and change its settings to create a new case. In the case list, click Clone to clone the configuration. Only the case name is different from the original case.


 Table 5: HTTP CC Test Case configuration

Settings Guidelines

Basic Information

Name Specify the case name, or just use the default. The name appears in the list of test cases.

Ping Server Timeout If a FortiTester connects to a DUT via a switch, the switch might cause a ping timeout, resulting in the test case failing to run. If this occurs, increase the timeout. The default is 15 seconds. The valid range is 0 to 600. Note: You can disable this end-to-end connectivity test by entering a setting of 0. If the DUT is unable to return packets, it is recommended you do so.

Number of Samples Select the number of samples. The default is 20, which means the web UI shows the last 20 samples (about 20 seconds) on the test case running page. You can select 20, 60, or 120.

Duration Specify the test duration. The default is 10 minutes. The test stops automatically after the duration you specify.

Network Settings

Client Ports, Server Ports The graphic depicts the test ports for client-side and server-side connections. The client ports simulate the behavior of clients; the server ports simulate the behavior of servers. FortiTester builds the TCP connections between client ports and server ports (and through the DUT, of course).

You must select at least one client port and one server port. After you select a port for client, a (check mark) is displayed on the port icon, and a tab for the port is added below the graphic. Use the tabs to toggle the Capture Packets and Subnet settings controls for each port.

Capture Packets

Capture Packets Optional. Set packet capture options if you want to capture the traffic of this port. You can capture all packets or specify a number. You can set packet capture filters for host IP/port and protocol.

Note: The system allocates temporary disk space for packet captures. The limit is 6,000,000 packets. The packets are saved to a temporary file that you can download from the running test case page. The filename indicates whether it is client or server communication and the interface port number. For example, client_port1.pcap. When a subsequent test case with packet capture enabled uses the same interface port as a previous one, the previous file is overwritten.

MAC Masquerade

MAC Masquerade Specify the first two bytes of a MAC address for the traffic.


Virtual Router

IP Address Specify the IP address of the virtual router. This IP address is used to connect to a DUT, so it must be in the same subnet as the connected port of the DUT. Make sure the corresponding routing rules are set on the DUT so that the DUT correctly forwards traffic to the virtual router. Only a single IP address in the format xxx.xxx.xxx.xxx is accepted here.

Subnet

Subnet IP Address or Range Specify a single IP address with standard format (for example, 10.1.2.1) or an address range like 10.1.2.1-10.1.2.99.

Netmask Specify a netmask between 1 and 31.

VLAN ID Specify a VLAN ID between 1 and 4095.

Gateway NAT mode only. Specify the gateway IP address.

Peer Network NAT mode only. Specify the peer network subnet address.

Proxy IP/Mask Web Proxy mode only. Specify the proxy IP address/netmask.

Add Subnet If necessary, click +Add Subnet to display additional subnet configuration controls. An interface port can have multiple subnets. FortiTester uses all IP addresses in the specified subnets to create TCP connections and transfer data.

Load

Simulated Users Number of users to simulate.

Standalone mode: The default is 256. The valid range is from 1 to 1024.

Test Center mode: The default is 512, and the valid range is from 1 to 2048, for example, for an environment with two FortiTester appliances.

Concurrent Connections Number of concurrent connections.

Standalone mode: The default is 6,000,000. The valid range is 5,000 to 6,000,000.

Test Center mode: The default is 12,000,000, and the valid range is 5,000 to 12,000,000, for example, for an environment with two FortiTester appliances.


Concurrent Close Number of connections to close at any given time. To keep the DUT from losing packets, connections are closed batch by batch.

Standalone mode: The default is 256, and the valid range is 1 to 10,000.

Test Center mode: The default is 512, and the valid range is 1 to 10,000.

Speed Limit Rate of new transactions per second. The default is 0, which means the device will send traffic as fast as possible.

Standalone mode: The valid range is 256 to 600,000 transactions per second (or the special value 0).

Test Center mode: The valid range is 256 to 1,200,000, for example, for an environment with two FortiTester appliances.

Think Time Seconds that a simulated user waits between HTTP requests. The default is 5 seconds.

Network

MTU Preset to 1500. Not configurable.

Profile (Client)

Source Port Range Specify a client port range. The valid range is 10,000 to 65,535, which is also the default.

Client Close Mode Select the connection close method: 3Way_Fin or Reset.

IP Change Algorithm / Port Change Algorithm Select a change algorithm: Increment or Random. This setting determines how the system changes source/destination IP addresses and ports to simulate multiple client requests. The Increment option uses the next IP address or port in the range, for example: 10.11.12.1 -> 10.11.12.2; port 10000 -> 10001. The Random option selects an IP address or port in the range randomly.

Request Header Preset to UserAgent: Firefox/41.0. Click the Add Header button to specify more headers.

Piggybacking Enabled, meaning an acknowledgement is sent on the data frame, not in an individual frame. Not configurable.

Profile (Server)

Server Port Preset to 80. Not configurable.


Response Header Preset to Server: nginx/1.9.5 Content-Type:text/html. Click the Add Header button to specify more headers.

Piggybacking Enabled. Not configurable.

Action

Get page Select the file that the simulated clients access. The default is “index.html” with 4 bytes. Optionally, you can upload a customized HTML file. The file size limit is 10 MB.

Post page Select the file that simulated servers send. The default is "index.php" with 4 bytes. You can edit the post parameters. The file size limit is 10 MB.
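A capacity check for the Table 5 settings, as an added example that is not FortiTester code: every TCP connection needs a unique (source IP, source port, destination IP, destination port) tuple, so the Subnet ranges and the Source Port Range cap the Concurrent Connections value a plan can reach. The function names and sample addresses are assumptions, and the check assumes every client IP may connect to every server IP on the preset server port 80.

```python
import ipaddress
import math

# Limits quoted from the HTTP CC settings table (standalone mode).
CC_RANGE = (5_000, 6_000_000)
SOURCE_PORT_RANGE = (10_000, 65_535)
NETMASK_RANGE = (1, 31)
SERVER_PORTS = 1  # Server Port is preset to 80 and is not configurable.


def count_addresses(spec, netmask):
    """Count the IPv4 addresses in '10.1.2.1' or '10.1.2.1-10.1.2.99'.

    Raises ValueError when the netmask is outside 1-31, the range is
    reversed, or the range does not fit inside one subnet of that size.
    """
    if not NETMASK_RANGE[0] <= netmask <= NETMASK_RANGE[1]:
        raise ValueError(f"netmask /{netmask} is outside 1-31")
    first, _, last = spec.partition("-")
    lo = ipaddress.IPv4Address(first.strip())
    hi = ipaddress.IPv4Address(last.strip()) if last else lo
    if hi < lo:
        raise ValueError(f"range end precedes start: {spec}")
    subnet = ipaddress.ip_network(f"{lo}/{netmask}", strict=False)
    if hi not in subnet:
        raise ValueError(f"{spec} crosses the /{netmask} boundary of {subnet}")
    return int(hi) - int(lo) + 1


def check_cc_plan(client_subnets, server_subnets, port_range, concurrent):
    """Compare a planned Concurrent Connections value with tuple capacity.

    client_subnets / server_subnets: lists of (range_spec, netmask) tuples,
    one per Subnet entry on the port. port_range: (low, high) source ports.
    """
    low, high = port_range
    if not SOURCE_PORT_RANGE[0] <= low <= high <= SOURCE_PORT_RANGE[1]:
        raise ValueError("source port range must lie within 10,000-65,535")
    if not CC_RANGE[0] <= concurrent <= CC_RANGE[1]:
        raise ValueError("concurrent connections must be 5,000-6,000,000")
    client_ips = sum(count_addresses(s, m) for s, m in client_subnets)
    server_ips = sum(count_addresses(s, m) for s, m in server_subnets)
    if client_ips == 0 or server_ips == 0:
        raise ValueError("at least one client and one server subnet is required")

    ports = high - low + 1
    # Upper bound on simultaneous connections one client IP can hold open.
    per_client_ip = ports * server_ips * SERVER_PORTS
    capacity = client_ips * per_client_ip
    return {
        "client_ips": client_ips,
        "server_ips": server_ips,
        "source_ports": ports,
        "capacity": capacity,
        "feasible": capacity >= concurrent,
        "min_client_ips": math.ceil(concurrent / per_client_ip),
    }


if __name__ == "__main__":
    # Constructed sample plan: 99 client IPs, one server IP, full port range.
    plan = check_cc_plan(
        client_subnets=[("10.1.2.1-10.1.2.99", 24)],
        server_subnets=[("10.1.3.1", 24)],
        port_range=(10_000, 65_535),
        concurrent=6_000_000,
    )
    for key, value in plan.items():
        print(f"{key}: {value}")
```

With the table's example range 10.1.2.1-10.1.2.99 and a single server address, the bound falls short of the 6,000,000 default, so the plan needs more client or server addresses before the DUT's session table is the limiting factor rather than the tester's address space.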

Starting an HTTP throughput test

FortiTester tests HTTP throughput performance by simulating multiple clients that generate HTTP traffic.

Note the following limitations:

• You cannot modify the HTTP request or HTTP response headers.

To start an HTTP throughput test:

1. Go to Cases > HTTP > Throughput to display the test case summary page.
2. Click Add to display the Case Options dialog box.
3. In the popup dialog, configure the network settings as described in "Using network configuration templates" on page 16.
4. Click OK to continue.
5. Configure the test case options described in Table 6.
6. Click Start to run the test case.

FortiTester saves the configuration automatically, so you can run the test again later. You can also click Save to save the test case without running it.

Tip: You can also copy an existing case, and change its settings to create a new case. In the case list, click Clone to clone the configuration. Only the case name is different from the original case.


 Table 6: HTTP Throughput Test Case configuration

Settings Guidelines

Basic Information

Name Specify the case name, or just use the default. The name appears in the list of test cases.

Ping Server Timeout If a FortiTester connects to a DUT via a switch, the switch might cause a ping timeout, resulting in the test case failing to run. If this occurs, increase the timeout. The default is 15 seconds. The valid range is 0 to 600. Note: You can disable this end-to-end connectivity test by entering a setting of 0. If the DUT is unable to return packets, it is recommended you do so.

Duration Specify the test duration. The default is 10 minutes. The test stops automatically after the duration you specify.

Number of Samples Select the number of samples. The default is 20, which means the web UI shows the last 20 samples (about 20 seconds) on the test case running page. You can select 20, 60, or 120.

Network Settings

Client Ports, Server Ports The graphic depicts the test ports for client-side and server-side connections. The client ports simulate the behavior of clients; the server ports simulate the behavior of servers. FortiTester builds the TCP connections between client ports and server ports (and through the DUT, of course).

You must select at least one client port and one server port. After you select a port for client, a (check mark) is displayed on the port icon, and a tab for the port is added below the graphic. Use the tabs to toggle the Capture Packets and Subnet settings controls for each port.

Capture Packets

Capture Packets Optional. Set packet capture options if you want to capture the traffic of this port. You can capture all packets or specify a number. You can set packet capture filters for host IP/port and protocol.

Note: The system allocates temporary disk space for packet captures. The limit is 200,000 packets. The packets are saved to a temporary file that you can download from the running test case page. The filename indicates whether it is client or server communication and the interface port number. For example, client_port1.pcap. When a subsequent test case with packet capture enabled uses the same interface port as a previous one, the previous file is overwritten.

MAC Masquerade

MAC Masquerade Specify the first two bytes of a MAC address for the traffic.


Virtual Router

IP Address Specify the IP address of the virtual router. This IP address is used to connect to a DUT, so it must be in the same subnet as the connected port of the DUT. Make sure the corresponding routing rules are set on the DUT so that the DUT correctly forwards traffic to the virtual router. Only a single IP address in the format xxx.xxx.xxx.xxx is accepted here.

Subnet

Subnet IP Address or Range Specify a single IP address with standard format (for example, 10.1.2.1) or an address range like 10.1.2.1-10.1.2.99.

Netmask Specify a netmask between 1 and 31.

VLAN ID Specify a VLAN ID between 1 and 4095.

Gateway NAT mode only. Specify the gateway IP address.

Peer Network NAT mode only. Specify the peer network subnet address.

Proxy IP/Mask Web Proxy mode only. Specify the proxy IP address/netmask.

Add Subnet If necessary, click +Add Subnet to display additional subnet configuration controls. An interface port can have multiple subnets. FortiTester uses all IP addresses in the specified subnets to create TCP connections and transfer data.

Load

Simulated Users Number of users to simulate.

Standalone mode: The default is 256. The valid range is from 1 to 1024.

Test Center mode: The default is 512, and the valid range is from 1 to 2048, for example, for an environment with two FortiTester appliances.

Speed Limit Rate of requests per second. The default is 0, which means the device will send traffic as fast as possible.

Standalone mode: The valid range is 100 to 1,600,000 requests per second (or the special value 0).

Test Center mode: The valid range is 100 to 3,200,000, for example, for an environment with two FortiTester appliances.

Ramp UP Seconds Time in seconds for traffic to ramp up when you start the test.


Ramp Down Seconds Time in seconds for traffic to ramp down when you stop the test.

Network

Network MTU Preset to 1500. Not configurable.

Profile (Client)

Source Port Range Client port range. The valid range is from 10,000 to 65,535, which is also the default.

Client Close Mode Preset to Reset. Not configurable.

IP Change Algorithm / Port Change Algorithm Select a change algorithm: Increment or Random. This setting determines how the system changes source/destination IP addresses and ports to simulate multiple client requests. The Increment option uses the next IP address or port in the range, for example: 10.11.12.1 -> 10.11.12.2; port 10000 -> 10001. The Random option selects an IP address or port in the range randomly.

Request Header Preset to UserAgent: Firefox/41.0. Click the Add Header button to specify more headers.

Piggybacking Enabled, meaning an acknowledgement is sent on the data frame, not in an individual frame. Not configurable.

Profile (Server)

Server Port Preset to 80. Not configurable.

Response Header Preset to Server: nginx/1.9.5 Content-Type:text/html. Click the Add Header button to specify more headers.

Piggybacking Enabled. Not configurable.

Action

Get page Select the file that the simulated clients access. The default is “index.html” with 50,000 bytes. Optionally, you can upload a customized HTML file. The file size limit is 10 MB.

Post page Select the file that simulated servers send. The default is "index.php" with 4 bytes. You can edit the post parameters. The file size limit is 10 MB.

Starting an HTTPS CPS test

The HTTPS CPS test is the same as the HTTP CPS test, except it uses HTTPS traffic, does not have the Speed Limit option, and the MTU is editable.


To start an HTTPS CPS test:

1. Go to Cases > HTTPS > CPS to display the test case summary page.
2. Click Add to display the Case Options dialog box.
3. In the popup dialog, configure the network settings as described in "Using network configuration templates" on page 16.
4. Click OK to continue.
5. Configure the test case options described in Table 7.
6. Click Start to run the test case.

FortiTester saves the configuration automatically so you can run the test again later. You can also click Save to save the test case without running it.

Tip: You can also copy an existing case, and change its settings to create a new case. In the case list, click Clone to clone the configuration. Only the case name is different from the original case.

 Table 7: HTTPS CPS Test Case configuration

Settings Guidelines

Basic Information

Name Specify the case name, or just use the default. The name appears in the list of test cases.

Ping Server Timeout If a FortiTester connects to a DUT via a switch, the switch might cause a ping timeout, resulting in the test case failing to run. If this occurs, increase the timeout. The default is 15 seconds. The valid range is 0 to 600. Note: You can disable this end-to-end connectivity test by entering a setting of 0. If the DUT is unable to return packets, it is recommended you do so.

Duration Specify the test duration. The default is 10 minutes. The test stops automatically after the duration you specify.

Number of Samples Select the number of samples. The default is 20, which means the web UI shows the last 20 samples (about 20 seconds) on the test case running page. You can select 20, 60, or 120.

Network Settings


Client Ports, Server Ports The graphic depicts the test ports for client-side and server-side connections. The client ports simulate the behavior of clients; the server ports simulate the behavior of servers. FortiTester builds the TCP connections between client ports and server ports (and through the DUT, of course).

You must select at least one client port and one server port. After you select a port for client, a (check mark) is displayed on the port icon, and a tab for the port is added below the graphic. Use the tabs to toggle the Capture Packets and Subnet settings controls for each port.

Capture Packets

Capture Packets Optional. Set packet capture options if you want to capture the traffic of this port. You can capture all packets or specify a number. You can set packet capture filters for host IP/port and protocol.

Note: The system allocates temporary disk space for packet captures. The limit is 6,000,000 packets. The packets are saved to a temporary file that you can download from the running test case page. The filename indicates whether it is client or server communication and the interface port number. For example, client_port1.pcap. When a subsequent test case with packet capture enabled uses the same interface port as a previous one, the previous file is overwritten.

MAC Masquerade

MAC Masquerade Specify the first two bytes of a MAC address for the traffic.

Virtual Router

IP Address Specify the IP address of the virtual router. This IP address is used to connect to a DUT, so it must be in the same subnet as the connected port of the DUT. Make sure the corresponding routing rules are set on the DUT so that the DUT correctly forwards traffic to the virtual router. Only a single IP address in the format xxx.xxx.xxx.xxx is accepted here.

Subnet

Subnet IP Address or Range Specify a single IP address with standard format (for example, 10.1.2.1) or an address range like 10.1.2.1-10.1.2.99.

Netmask Specify a netmask between 1 and 31.

VLAN ID Specify a VLAN ID between 1 and 4095.

Gateway NAT mode only. Specify the gateway IP address.

Peer Network NAT mode only. Specify the peer network subnet address.


Proxy IP/Mask Web Proxy mode only. Specify the proxy IP address/netmask.

Add Subnet If necessary, click +Add Subnet to display additional subnet configuration controls. An interface port can have multiple subnets. FortiTester uses all IP addresses in the specified subnets to create TCP connections and transfer data.

Load

Simulated Users Number of users to simulate.

Standalone mode: The default is 256. The valid range is from 1 to 900.

Test Center mode: The default is 512 and the valid range is from 1 to 1,800, for example, for an environment with two FortiTester appliances.

Speed Limit Rate of new transactions per second. The default is 0, which means the device will send traffic as fast as possible.

Standalone mode: The valid range is 100 to 100,000 transactions per second (or the special value 0).

Test Center mode: The valid range is 100 to 200,000, for example, for an environment with two FortiTester appliances.

Ramp Up Seconds Time in seconds for traffic to ramp up when you start the test.

Ramp Down Seconds Time in seconds for traffic to ramp down when you stop the test.

Network

Network MTU Maximum Transmission Unit for a data packet. FortiTester does not send out data packets larger than this value. Most DUTs have a limitation for packet size. The default is 1500. The valid range is 1,280 to 9,000.

Profile (Client)

Source Port Range Preset to 10000-65535. Not configurable.

Client Close Mode Select the connection close method: 3Way_Fin or Reset.

IP Change Algorithm / Port Change Algorithm Determines how the system changes source/destination IP addresses and ports to simulate multiple client requests. Preset to Random. Not configurable. The Random option selects an IP address or port in the range randomly.


Request Header Preset to UserAgent: Firefox/41.0. Click the Add Header button to specify more headers.

Piggybacking Default enabled.

Quiet Shutdown Enable to apply a safe shutdown procedure to SSL connections by sending an SSL alert to the peer.

Allowed SSL Versions Supported SSL versions: SSLv3, TLSv1.0, TLSv1.1 and TLSv1.2. The default is TLSv1.2.

SSL Ciphers Select one or more SSL ciphers from the list.

Profile (Server)

Server Port Preset to 80, 443. Not configurable.

Server Certificate Length of SSL key for encryption/decryption. The default is 1024. The valid range is from 1024 to 2048.

Response Header Preset to Server: nginx/1.9.5 Content-Type:text/html. Click the Add Header button to specify more headers.

Piggybacking Default enabled.

Action

Get page Select the file that the simulated clients access. The default is “index.html” with 4 bytes. Optionally, you can upload a customized HTML file. The file size limit is 10 MB.

Post page Select the file that simulated servers send. The default is "index.php" with 4 bytes. You can edit the post parameters. The file size limit is 10 MB.

Starting an HTTPS RPS test

The HTTPS RPS test is the same as the HTTP RPS test, except it uses HTTPS traffic, does not have the Speed Limit option, and the MTU is editable.

To start an HTTPS RPS test:

1. Go to Cases > HTTPS > RPS to display the test case summary page.
2. Click Add to display the Case Options dialog box.
3. In the popup dialog, configure the network settings as described in "Using network configuration templates" on page 16.
4. Click OK to continue.
5. Configure the test case options described in Table 8.
6. Click Start to run the test case.

FortiTester saves the configuration automatically so you can run the test again later. You can also click Save to save the test case without running it.

Tip: You can also copy an existing case, and change its settings to create a new case. In the case list, click Clone to clone the configuration. Only the case name is different from the original case.

 Table 8: HTTPS RPS Test Case configuration

Settings Guidelines

Basic Information

Name Specify the case name, or just use the default. The name appears in the list of test cases.

Ping Server Timeout If a FortiTester connects to a DUT via a switch, the switch might cause a ping timeout, resulting in the test case failing to run. If this occurs, increase the timeout. The default is 15 seconds. The valid range is 0 to 600. Note: You can disable this end-to-end connectivity test by entering a setting of 0. If the DUT is unable to return packets, it is recommended you do so.

Duration Specify the test duration. The default is 10 minutes. The test stops automatically after the duration you specify.

Number of Samples Select the number of samples. The default is 20, which means the web UI shows the last 20 samples (about 20 seconds) on the test case running page. You can select 20, 60, or 120.

Network Settings

Client Ports, Server Ports The graphic depicts the test ports for client-side and server-side connections. The client ports simulate the behavior of clients; the server ports simulate the behavior of servers. FortiTester builds the TCP connections between client ports and server ports (and through the DUT, of course).

You must select at least one client port and one server port. After you select a port for client, a (check mark) is displayed on the port icon, and a tab for the port is added below the graphic. Use the tabs to toggle the Capture Packets and Subnet settings controls for each port.

Capture Packets


Capture Packets: Optional. Set packet capture options if you want to capture the traffic of this port. You can capture all packets or specify a number. You can set packet capture filters for host IP/port and protocol. Note: The system allocates temporary disk space for packet captures. The limit is 200,000 packets. The packets are saved to a temporary file that you can download from the running test case page. The filename indicates whether it is client or server communication and the interface port number, for example, client_port1.pcap. When a subsequent test case with packet capture enabled uses the same interface port as a previous one, the previous file is overwritten.

MAC Masquerade

MAC Masquerade: Specify the first two bytes of a MAC address for the traffic.

Virtual Router

IP Address: Specify the IP address of the virtual router. This IP address is used to connect to the DUT, so it must be in the same subnet as the connected port of the DUT. Make sure the corresponding routing rules are set on the DUT so that the DUT correctly forwards traffic to the virtual router. Only a single IP address in the format xxx.xxx.xxx.xxx is accepted here.

Subnet

Subnet IP Address or Range: Specify a single IP address in standard format (for example, 10.1.2.1) or an address range such as 10.1.2.1-10.1.2.99.

Netmask: Specify a netmask between 1 and 31.

VLAN ID: Specify a VLAN ID between 1 and 4095.

Gateway: NAT mode only. Specify the gateway IP address.

Peer Network: NAT mode only. Specify the peer network subnet address.

Proxy IP/Mask: Web Proxy mode only. Specify the proxy IP address/netmask.

Add Subnet: If necessary, click +Add Subnet to display additional subnet configuration controls. An interface port can have multiple subnets. FortiTester uses all IP addresses in the specified subnets to create TCP connections and transfer data.

Load


Simulated Users: Number of users to simulate. Standalone mode: The default is 256. The valid range is from 1 to 900. Test Center mode: The default is 512, and the valid range is from 1 to 1,800, for example, for an environment with two FortiTester appliances.

Requests per Connection: The number of HTTP requests per connection. The default is 200. The valid range is 0 to 50,000.

Speed Limit: Rate of requests per second. The default is 0, which means the device will send traffic as fast as possible. Standalone mode: The valid range is 100 to 1,600,000 requests per second (or the special value 0). Test Center mode: The valid range is 100 to 3,200,000, for example, for an environment with two FortiTester appliances.

Ramp Up Seconds: Time in seconds for traffic to ramp up when you start the test.

Ramp Down Seconds: Time in seconds for traffic to ramp down when you stop the test.

Network

Network MTU: Maximum Transmission Unit for a data packet. FortiTester does not send out data packets larger than this value. Most DUTs have a limitation for packet size. The default is 1500. The valid range is 1,280 to 9,000.

Profile (Client)

Source Port Range: Preset to 10000-65535. Not configurable.

IP Change Algorithm / Port Change Algorithm: Determines how the system changes source/destination IP addresses and ports to simulate multiple client requests. Preset to Random. Not configurable. The Random option selects an IP address or port in the range randomly.

Request Header: Preset to UserAgent: Firefox/41.0. Click the Add Header button to specify more headers.

Piggybacking: Enable to apply piggybacking to SSL connections issued by the client side. This is enabled by default.


Allowed SSL Versions: Supported SSL versions: SSLv3, TLSv1.0, TLSv1.1 and TLSv1.2 (default).

SSL Ciphers: Select one or more SSL ciphers from the list.

Profile (Server)

Server Port: Preset to 80, 443. Not configurable.

Server Certificate: Length of SSL key for encryption/decryption. The default is 1024. The valid range is from 1024 to 2048.

Response Header: Preset to Server: nginx/1.9.5 and Content-Type: text/html. Click the Add Header button to specify more headers.

Piggybacking: Enable to apply piggybacking to SSL connections issued by the server side. This is enabled by default.

Action

Get page: Select the file that the simulated clients access. The default is "index.html" with 50,000 bytes. Optionally, you can upload a customized HTML file. The file size limit is 10 MB.

Post page: Select the file that simulated servers send. The default is "index.php" with 4 bytes. You can edit the post parameters. The file size limit is 10 MB.

Starting an HTTPS CC test

The HTTPS CC test is the same as the HTTP CC test, except that it uses HTTPS traffic and the MTU is editable.

To start an HTTPS CC test:

1. Go to Cases > HTTPS > CC to display the test case summary page.
2. Click Add to display the Case Options dialog box.
3. In the popup dialog, configure the network settings as described in "Using network configuration templates" on page 16.
4. Click OK to continue.
5. Configure the test case options as described in Table 9.
6. Click Start to run the test case.

FortiTester saves the configuration automatically so you can run the test again later. You can also click Save to save the test case without running it.


Tip: You can also copy an existing case, and change its settings to create a new case. In the case list, click Clone to clone the configuration. Only the case name is different from the original case.

 Table 9: HTTPS CC Test Case configuration

Settings Guidelines

Basic Information

Name: Specify the case name, or just use the default. The name appears in the list of test cases.

Ping Server Timeout: If a FortiTester connects to a DUT via a switch, the switch might cause a ping timeout, resulting in the test case failing to run. If this occurs, increase the timeout. The default is 15 seconds. The valid range is 0 to 600. Note: You can disable this end-to-end connectivity test by entering a setting of 0. If the DUT is unable to return packets, it is recommended you do so.

Duration: Specify the test duration. The default is 10 minutes. The test stops automatically after the duration you specify.

Number of Samples: Select the number of samples. The default is 20, which means the web UI will show the last 20 data samples (about 20 seconds) in the test case running page. You can select 20, 60, or 120.

Network Settings

Client Ports, Server Ports: The graphic depicts the test ports for client-side and server-side connections. The client ports simulate the behavior of clients; the server ports simulate the behavior of servers. FortiTester builds the TCP connections between client ports and server ports (and through the DUT, of course). You must select at least one client port and one server port. After you select a port for client, a check mark is displayed on the port icon, and a tab for the port is added below the graphic. Use the tabs to toggle the Capture Packets and Subnet settings controls for each port.

Capture Packets


Capture Packets: Optional. Set packet capture options if you want to capture the traffic of this port. You can capture all packets or specify a number. You can set packet capture filters for host IP/port and protocol. Note: The system allocates temporary disk space for packet captures. The limit is 6,000,000 packets. The packets are saved to a temporary file that you can download from the running test case page. The filename indicates whether it is client or server communication and the interface port number, for example, client_port1.pcap. When a subsequent test case with packet capture enabled uses the same interface port as a previous one, the previous file is overwritten.

MAC Masquerade

MAC Masquerade: Specify the first two bytes of a MAC address for the traffic.

Virtual Router

IP Address: Specify the IP address of the virtual router. This IP address is used to connect to the DUT, so it must be in the same subnet as the connected port of the DUT. Make sure the corresponding routing rules are set on the DUT so that the DUT correctly forwards traffic to the virtual router. Only a single IP address in the format xxx.xxx.xxx.xxx is accepted here.

Subnet

Subnet IP Address or Range: Specify a single IP address in standard format (for example, 10.1.2.1) or an address range such as 10.1.2.1-10.1.2.99.

Netmask: Specify a netmask between 1 and 31.

VLAN ID: Specify a VLAN ID between 1 and 4095.

Gateway: NAT mode only. Specify the gateway IP address.

Peer Network: NAT mode only. Specify the peer network subnet address.

Proxy IP/Mask: Web Proxy mode only. Specify the proxy IP address/netmask.

Add Subnet: If necessary, click +Add Subnet to display additional subnet configuration controls. An interface port can have multiple subnets. FortiTester uses all IP addresses in the specified subnets to create TCP connections and transfer data.

Load


Simulated Users: Number of users to simulate. Standalone mode: The default is 256. The valid range is from 1 to 900. Test Center mode: The default is 512, and the valid range is from 1 to 1,800, for example, for an environment with two FortiTester appliances.

Concurrent Connections: Number of concurrent connections. Standalone mode: The default is 200,000. The valid range is 5,000 to 200,000. Test Center mode: The default is 400,000, and the valid range is 5,000 to 400,000, for example, for an environment with two FortiTester appliances.

Concurrent Close: Number of connections to close at any given time. To keep the DUT from losing packets, connections are closed batch by batch. Standalone mode: The default is 256, and the valid range is 1 to 10,000. Test Center mode: The default is 512, and the valid range is 1 to 10,000.

Speed Limit: Rate of requests per second. The default is 0, which means the device will send traffic as fast as possible. Standalone mode: The valid range is 100 to 1,600,000 requests per second (or the special value 0). Test Center mode: The valid range is 100 to 3,200,000, for example, for an environment with two FortiTester appliances.

Think Time: The time in seconds that a simulated user waits between HTTP requests. The default is 5 seconds.

Network

Network MTU: Maximum Transmission Unit for a data packet. FortiTester does not send out data packets larger than this value. Most DUTs have a limit for packet size. The default is 1500. The valid range is from 1,280 to 9,000.

Profile (Client)

Source Port Range: Preset to 10000-65535. Not configurable.

Client Port Mode: Select the connection close method: 3Way_Fin or Reset.


IP Change Algorithm / Port Change Algorithm: Determines how the system changes source/destination IP addresses and ports to simulate multiple client requests. Preset to Random. Not configurable. The Random option selects an IP address or port in the range randomly.

Request Header: Preset to UserAgent: Firefox/41.0. Click the Add Header button to specify more headers.

Piggybacking: Enabled by default.

Quiet Shutdown: Enable to apply a safe shutdown procedure to SSL connections by sending an SSL alert to the peer.

Allowed SSL Versions: Supported SSL versions: SSLv3, TLSv1.0, TLSv1.1 and TLSv1.2. The default is TLSv1.2.

SSL Ciphers: Select one or more SSL ciphers from the list.

Profile (Server)

Server Port: Preset to 80, 443. Not configurable.

Server Certificate: Length of SSL key for encryption/decryption. The default is 1024. The valid range is from 1024 to 2048.

Response Header: Preset to Server: nginx/1.9.5 and Content-Type: text/html. Click the Add Header button to specify more headers.

Piggybacking: Enabled by default.

Action

Get page: Select the file that the simulated clients access. The default is "index.html" with 4 bytes. Optionally, you can upload a customized HTML file. The file size limit is 10 MB.

Post page: Select the file that simulated servers send. The default is "index.php" with 4 bytes. You can edit the post parameters. The file size limit is 10 MB.

Starting an HTTPS throughput test

The HTTPS Throughput test is the same as the HTTP Throughput test, except that it uses HTTPS traffic and the MTU is editable.

To start an HTTPS Throughput test:

1. Go to Cases > HTTPS > Throughput to display the test case summary page.
2. Click Add to display the Case Options dialog box.


3. In the popup dialog, configure the network settings as described in "Using network configuration templates" on page 16.
4. Click OK to continue.
5. Configure the test case options as described in Table 10.
6. Click Start to run the test case.

FortiTester saves the configuration automatically so you can run the test again later. You can also click Save to save the test case without running it.

Tip: You can also copy an existing case, and change its settings to create a new case. In the case list, click Clone to clone the configuration. Only the case name is different from the original case.

 Table 10: HTTPS Throughput Test Case configuration

Settings Guidelines

Basic Information

Name: Specify the case name, or just use the default. The name appears in the list of test cases.

Ping Server Timeout: If a FortiTester connects to a DUT via a switch, the switch might cause a ping timeout, resulting in the test case failing to run. If this occurs, increase the timeout. The default is 15 seconds. The valid range is 0 to 600. Note: You can disable this end-to-end connectivity test by entering a setting of 0. If the DUT is unable to return packets, it is recommended you do so.

Duration: Specify the test duration. The default is 10 minutes. The test stops automatically after the duration you specify.

Number of Samples: Select the number of samples. The default is 20, which means the web UI will show the last 20 data samples (about 20 seconds) in the test case running page. You can select 20, 60, or 120.

Network Settings

Client Ports, Server Ports: The graphic depicts the test ports for client-side and server-side connections. The client ports simulate the behavior of clients; the server ports simulate the behavior of servers. FortiTester builds the TCP connections between client ports and server ports (and through the DUT, of course). You must select at least one client port and one server port. After you select a port for client, a check mark is displayed on the port icon, and a tab for the port is added below the graphic. Use the tabs to toggle the Capture Packets and Subnet settings controls for each port.

Capture Packets


Capture Packets: Optional. Set packet capture options if you want to capture the traffic of this port. You can capture all packets or specify a number. You can set packet capture filters for host IP/port and protocol. Note: The system allocates temporary disk space for packet captures. The limit is 6,000,000 packets. The packets are saved to a temporary file that you can download from the running test case page. The filename indicates whether it is client or server communication and the interface port number, for example, client_port1.pcap. When a subsequent test case with packet capture enabled uses the same interface port as a previous one, the previous file is overwritten.

MAC Masquerade

MAC Masquerade: Specify the first two bytes of a MAC address for the traffic.

Virtual Router

IP Address: Specify the IP address of the virtual router. This IP address is used to connect to the DUT, so it must be in the same subnet as the connected port of the DUT. Make sure the corresponding routing rules are set on the DUT so that the DUT correctly forwards traffic to the virtual router. Only a single IP address in the format xxx.xxx.xxx.xxx is accepted here.

Subnet

Subnet IP Address or Range: Specify a single IP address in standard format (for example, 10.1.2.1) or an address range such as 10.1.2.1-10.1.2.99.

Netmask: Specify a netmask between 1 and 31.

VLAN ID: Specify a VLAN ID between 1 and 4095.

Gateway: NAT mode only. Specify the gateway IP address.

Peer Network: NAT mode only. Specify the peer network subnet address.

Proxy IP/Mask: Web Proxy mode only. Specify the proxy IP address/netmask.

Add Subnet: If necessary, click +Add Subnet to display additional subnet configuration controls. An interface port can have multiple subnets. FortiTester uses all IP addresses in the specified subnets to create TCP connections and transfer data.

Load


Simulated Users: Number of users to simulate. Standalone mode: The default is 256. The valid range is from 1 to 900. Test Center mode: The default is 512, and the valid range is from 1 to 1,800, for example, for an environment with two FortiTester appliances.

Speed Limit: Rate of requests per second. The default is 0, which means the device will send traffic as fast as possible. Standalone mode: The valid range is 100 to 1,600,000 requests per second (or the special value 0). Test Center mode: The valid range is 100 to 3,200,000, for example, for an environment with two FortiTester appliances.

Ramp Up Seconds: Time (in seconds) for traffic to ramp up when you start the test.

Ramp Down Seconds: Time (in seconds) for traffic to ramp down when you stop the test.

Network

Network MTU: Maximum Transmission Unit for a data packet. FortiTester does not send out data packets larger than this value. Most DUTs have a limit for packet size. The default is 1500. The valid range is from 1,280 to 9,000.

Profile (Client)

Source Port Range: Preset to 10000-65535. Not configurable.

Client Port Mode: Select the connection close method: 3Way_Fin or Reset.

IP Change Algorithm / Port Change Algorithm: Determines how the system changes source/destination IP addresses and ports to simulate multiple client requests. Preset to Random. Not configurable. The Random option selects an IP address or port in the range randomly.

Request Header: Preset to UserAgent: Firefox/41.0. Click the Add Header button to specify more headers.

Piggybacking: Enabled by default.

Quiet Shutdown: Enable to apply a safe shutdown procedure to SSL connections by sending an SSL alert to the peer.


Allowed SSL Versions: Supported SSL versions: SSLv3, TLSv1.0, TLSv1.1 and TLSv1.2. The default is TLSv1.2.

SSL Ciphers: Select one or more SSL ciphers from the list.

Profile (Server)

Server Port: Preset to 80, 443. Not configurable.

Server Certificate: Length of SSL key for encryption/decryption. The default is 1024. The valid range is from 1024 to 2048.

Response Header: Preset to Server: nginx/1.9.5 and Content-Type: text/html. Click the Add Header button to specify more headers.

Piggybacking: Enabled by default.

Action

Get page: Select the file that the simulated clients access. The default is "index.html" with 4 bytes. Optionally, you can upload a customized HTML file. The file size limit is 10 MB.

Post page: Select the file that simulated servers send. The default is "index.php" with 4 bytes. You can edit the post parameters. The file size limit is 10 MB.

Starting an IPsec remote access test

FortiTester tests IPsec remote access by establishing a remote access IPsec tunnel, completing a full HTTP transaction (TCP connection, HTTP request, HTTP response, and TCP connection close) through the tunnel, and then terminating the tunnel.

To start a remote access test:

1. Go to Cases > IPSec > Remote Access to display the test case summary page.
2. Click Add to display the Case Options dialog box.
3. In the pop-up dialog, configure the network settings as described in "Using network configuration templates" on page 16.
4. Click OK to continue.
5. Configure the test case options described in Table 11.
6. Click Start to run the test case.

FortiTester saves the configuration automatically so you can run the test again later. You can also click Save to save the test case without running it.

Below is a sample FortiGate IPsec configuration for the VPN gateway. FortiTester uses Fortitester as its ID; however, in this configuration the VPN gateway uses IKE version 1 Aggressive mode, and is configured to accept any peer ID. The VPN gateway IP is configured as a secondary IP address and this is used as the local gateway in the phase 1 config.

config system interface
    edit "port33"
        set ip 1.0.0.254 255.255.0.0
        set allowaccess ping
        set secondary-IP enable
        config secondaryip
            edit 1
                set ip 1.0.0.253 255.255.0.0
                set allowaccess ping
            next
        end
    next
end
config system interface
    edit "port35"
        set ip 2.0.0.254 255.255.0.0
        set allowaccess ping
    next
end
config vpn ipsec phase1-interface
    edit "tester"
        set type dynamic
        set interface "port33"
        set ike-version 2
        set local-gw 1.0.0.253
        set peertype any
        set psksecret fortinet
    next
end
config vpn ipsec phase2-interface
    edit "tester"
        set phase1name "tester"
    next
end
config firewall policy
    edit 1
        set srcintf "any"
        set dstintf "any"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set logtraffic disable
    next
end

Tip: You can also copy an existing case, and change its settings to create a new case. In the case list, click Clone to clone the configuration. Only the case name is different from the original case.


 Table 11: IPSec Remote Access Test Case configuration

Settings Guidelines

Basic Information

Name: Specify the case name, or just use the default. The name appears in the list of test cases.

Ping Server Timeout: If a FortiTester connects to a DUT via a switch, the switch might cause a ping timeout, resulting in the test case failing to run. If this occurs, increase the timeout. The default is 15 seconds. The valid range is 0 to 600. Note: You can disable this end-to-end connectivity test by entering a setting of 0. If the DUT is unable to return packets, it is recommended you do so.

Duration: Specify the test duration. The default is 10 minutes. The test stops automatically after the duration you specify.

Number of Samples: Select the number of samples. The default is 20, which means the web UI will show the last 20 data samples (about 20 seconds) in the test case running page. You can select 20, 60, or 120.

Network Settings

Client Ports, Server Ports: The graphic depicts the test ports for client-side and server-side connections. The client ports simulate the behavior of clients; the server ports simulate the behavior of servers. FortiTester builds the TCP connections between client ports and server ports (and through the DUT, of course). You must select at least one client port and one server port. After you select a port for client, a check mark is displayed on the port icon, and a tab for the port is added below the graphic. Use the tabs to toggle the Capture Packets and Subnet settings controls for each port.

Capture Packets

Capture Packets: Optional. Set packet capture options if you want to capture the traffic of this port. You can capture all packets or specify a number. You can set packet capture filters for host IP/port and protocol. Note: The system allocates temporary disk space for packet captures. The limit is 6,000,000 packets. The packets are saved to a temporary file that you can download from the running test case page. The filename indicates whether it is client or server communication and the interface port number, for example, client_port1.pcap. When a subsequent test case with packet capture enabled uses the same interface port as a previous one, the previous file is overwritten.

MAC Masquerade

MAC Masquerade: Specify the first two bytes of a MAC address for the traffic.


Subnet

Subnet IP Address or Range: Specify a single IP address in standard format (for example, 10.1.2.1) or an address range such as 10.1.2.1-10.1.2.99.

Netmask: Specify a netmask between 1 and 31.

Peer Network: NAT mode only. Specify the peer network subnet address.

VPN Gateway: NAT mode only. Specify the gateway IP address.

Add Subnet: If necessary, click +Add Subnet to display additional subnet configuration controls. An interface port can have multiple subnets. FortiTester uses all IP addresses in the specified subnets to create TCP connections and transfer data.

Load

Simulated Users: Number of users to simulate. Standalone mode: The default is 256. The valid range is from 1 to 1024. Test Center mode: The default is 512, and the valid range is from 1 to 2048, for example, for an environment with two FortiTester appliances.

Speed Limit: Applies only when DDoS type is TCP Session Flood or HTTP Session Flood. Rate of new connections per second. The default is 0, which means the device will create connections as fast as possible. Standalone mode: The valid range is from 1 to 1000 connections per second (or the special value 0). Test Center mode: The valid range is from 2 to 2000, for example, for an environment with two FortiTester appliances.

IKE Version: Select either 1 or 2 for the version.

Authentication Method: Select either PSK (Pre-shared Key) or Signature. If using a Signature you will need to import a client and server certificate.

Pre-shared Key: This field is required.

Network

Network MTU: Maximum Transmission Unit for a data packet. FortiTester does not send out data packets larger than this value. Most DUTs have a limitation for packet size. The default is 1500. The valid range is 1,280 to 9,000.


Profile (Client)

Source Port Range: Specify a client port range. The valid range is 10,000 to 65,535, which is also the default.

IP Change Algorithm / Port Change Algorithm: Select a change algorithm: Increment or Random. This setting determines how the system changes source/destination IP addresses and ports to simulate multiple client requests. The Increment option uses the next IP address or port in the range, for example: 10.11.12.1 -> 10.11.12.2; port 10000 -> 10001. The Random option selects an IP address or port in the range randomly.

Profile (Server)

Server Port: Preset to 80. Not configurable.

Action

Request Page: Select either System (pages with fixed file name and content) or Custom (user-uploaded pages).

Starting an IPsec remote access CC test

FortiTester tests IPsec remote access tunnel concurrent connections (CC) by establishing a remote access IPsec tunnel, completing a full HTTP transaction (TCP connection, HTTP request, HTTP response, and TCP connection close) through the tunnel, and then terminating the tunnel.

To start a remote access CC test:

1. Go to Cases > IPSec > Remote Access CC to display the test case summary page.
2. Click Add to display the Case Options dialog box.
3. In the pop-up dialog, configure the network settings as described in "Using network configuration templates" on page 16.
4. Click OK to continue.
5. Configure the test case options described in Table 12.
6. Click Start to run the test case.

FortiTester saves the configuration automatically so you can run the test again later. You can also click Save to save the test case without running it.

Below is a sample FortiGate IPsec configuration for the VPN gateway. FortiTester uses Fortitester as its ID; however, in this configuration the VPN gateway uses IKE version 1 Aggressive mode, and is configured to accept any peer ID. The VPN gateway IP is configured as a secondary IP address and this is used as the local gateway in the phase 1 config.

config system interface
    edit "port33"
        set ip 1.0.0.254 255.255.0.0
        set allowaccess ping
        set secondary-IP enable
        config secondaryip
            edit 1
                set ip 1.0.0.253 255.255.0.0
                set allowaccess ping
            next
        end
    next
end
config system interface
    edit "port35"
        set ip 2.0.0.254 255.255.0.0
        set allowaccess ping
    next
end
config vpn ipsec phase1-interface
    edit "tester"
        set type dynamic
        set interface "port33"
        set ike-version 2
        set local-gw 1.0.0.253
        set peertype any
        set psksecret fortinet
    next
end
config vpn ipsec phase2-interface
    edit "tester"
        set phase1name "tester"
    next
end
config firewall policy
    edit 1
        set srcintf "any"
        set dstintf "any"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set logtraffic disable
    next
end

Tip: You can also copy an existing case, and change its settings to create a new case. In the case list, click Clone to clone the configuration. Only the case name is different from the original case.

 Table 12: IPSec Remote Access Test Case configuration

Settings Guidelines

Basic Information


Name: Specify the case name, or just use the default. The name appears in the list of test cases.

Ping Server Timeout: If a FortiTester connects to a DUT via a switch, the switch might cause a ping timeout, resulting in the test case failing to run. If this occurs, increase the timeout. The default is 15 seconds. The valid range is 0 to 600. Note: You can disable this end-to-end connectivity test by entering a setting of 0. If the DUT is unable to return packets, it is recommended you do so.

Duration: Specify the test duration. The default is 10 minutes. The test stops automatically after the duration you specify.

Number of Samples: Select the number of samples. The default is 20, which means the web UI will show the last 20 data samples (about 20 seconds) in the test case running page. You can select 20, 60, or 120.

Network Settings

Client Ports, Server Ports: The graphic depicts the test ports for client-side and server-side connections. The client ports simulate the behavior of clients; the server ports simulate the behavior of servers. FortiTester builds the TCP connections between client ports and server ports (and through the DUT, of course). You must select at least one client port and one server port. After you select a port for client, a check mark is displayed on the port icon, and a tab for the port is added below the graphic. Use the tabs to toggle the Capture Packets and Subnet settings controls for each port.

Capture Packets

Capture Packets: Optional. Set packet capture options if you want to capture the traffic of this port. You can capture all packets or specify a number. You can set packet capture filters for host IP/port and protocol. Note: The system allocates temporary disk space for packet captures. The limit is 6,000,000 packets. The packets are saved to a temporary file that you can download from the running test case page. The filename indicates whether it is client or server communication and the interface port number, for example, client_port1.pcap. When a subsequent test case with packet capture enabled uses the same interface port as a previous one, the previous file is overwritten.

MAC Masquerade

MAC Masquerade: Specify the first two bytes of a MAC address for the traffic.

Subnet


Subnet IP Address or Range: Specify a single IP address with standard format (for example, 10.1.2.1) or an address range like 10.1.2.1-10.1.2.99.

Netmask: Specify a netmask between 1 and 31.

Peer Network: NAT mode only. Specify the peer network subnet address.

VPN Gateway: NAT mode only. Specify the gateway IP address.

Add Subnet: If necessary, click +Add Subnet to display additional subnet configuration controls. An interface port can have multiple subnets. FortiTester uses all IP addresses in the specified subnets to create TCP connections and transfer data.

Load

Tunnel Concurrent Connections: Number of tunnel concurrent connections.

Speed Limit: Applies only when DDoS type is TCP Session Flood or HTTP Session Flood. Rate of new connections per second. The default is 0, which means the device will create connections as fast as possible.

Standalone mode: The valid range is from 1,000 to 20,000 connections per second (or the special value 0).

Test Center mode: The valid range is from 1,000 to 20,000, for example, for an environment with two FortiTester appliances.

IKE Version: Select either 1 or 2 for the version.

Authentication Method: Select either PSK (Pre-shared Key) or Signature. If using a Signature, you will need to import a client and server certificate.

Pre-shared Key: This field is required.

Network

Network MTU: Maximum Transmission Unit for a data packet. FortiTester does not send out data packets larger than this value. Most DUTs have a limitation for packet size. The default is 1500. The valid range is 1,280 to 9,000.

Profile (Client)

Source Port Range: Specify a client port range. The valid range is 10,000 to 65,535, which is also the default.


IP Change Algorithm / Port Change Algorithm: Select a change algorithm: Increment or Random. This setting determines how the system changes source/destination IP addresses and ports to simulate multiple client requests. The Increment option uses the next IP address or port in the range, for example: 10.11.12.1 -> 10.11.12.2; port 10000 -> 10001. The Random option selects an IP address or port in the range randomly.

Profile (Server)

Server Port: Preset to 80. Not configurable.

Action

Request Page: Select either System Pages with Fixed File Name and Content. Custom, User uploading pages

Starting a UDP PPS test

FortiTester tests UDP throughput by sending UDP frames of a specified size at a maximum or limited speed from simulated clients to simulated servers.

To start a UDP PPS test:

1. Go to Cases > UDP > PPS to display the test case summary page.
2. Click Add to display the Case Options dialog box.
3. In the popup dialog, configure the network settings as described in "Using network configuration templates" on page 16.
4. Click OK to continue.
5. Configure the test case options described in Table 13.
6. Click Start to run the test case.

FortiTester saves the configuration automatically so you can run the test again later. You can also click Save to save the test case without running it.

Tip: You can also copy an existing case and change its settings to create a new case. In the case list, click Clone to clone the configuration. Only the case name is different from the original case.

 Table 13: UDP PPS Test Case configuration

Settings Guidelines

Basic Information


Name: Specify the case name, or just use the default. The name appears in the list of test cases.

Ping Server Timeout: If a FortiTester connects to a DUT via a switch, the switch might cause a ping timeout, resulting in the test case failing to run. If this occurs, increase the timeout. The default is 15 seconds. The valid range is 0 to 600. Note: You can disable this end-to-end connectivity test by entering a setting of 0. If the DUT is unable to return packets, it is recommended you do so.

Duration: Specify the test duration. The default is 10 minutes. The test stops automatically after the duration you specify.

Number of Samples: Select the number of samples. The default is 20, which means the web UI shows the last 20 samples (about 20 seconds) on the test case running page. You can select 20, 60, or 120.

Network Settings

Client Ports, Server Ports: The graphic depicts the test ports for client-side and server-side connections. The client ports simulate the behavior of clients; the server ports simulate the behavior of servers. FortiTester builds the TCP connections between client ports and server ports (and through the DUT, of course).

You must select at least one client port and one server port. After you select a port for client, a check mark is displayed on the port icon, and a tab for the port is added below the graphic. Use the tabs to toggle the Capture Packets and Subnet settings controls for each port.

Capture Packets

Capture Packets: Optional. Set packet capture options if you want to capture the traffic of this port. You can capture all packets or specify a number. You can set packet capture filters for host IP/port and protocol.

Note: The system allocates temporary disk space for packet captures. The limit is 6,000,000 packets. The packets are saved to a temporary file that you can download from the running test case page. The filename indicates whether it is client or server communication and the interface port number, for example, client_port1.pcap. When a subsequent test case with packet capture enabled uses the same interface port as a previous one, the previous file is overwritten.

MAC Masquerade

MAC Masquerade: Specify the first two bytes of a MAC address for the traffic.

Virtual Router


IP Address: Specify the IP address of the virtual router. This IP address is used to connect to a DUT, so it must be in the same subnet as the connected port of the DUT. Make sure the corresponding routing rules are set on the DUT so that the DUT correctly forwards traffic to the virtual router. Only a single IP address in the format xxx.xxx.xxx.xxx is accepted here.

Subnet

Subnet IP Address or Range: Specify a single IP address with standard format (for example, 10.1.2.1) or an address range like 10.1.2.1-10.1.2.99.

Netmask: Specify a netmask between 1 and 31.

VLAN ID: Specify a VLAN ID between 1 and 4095.

Gateway: NAT mode only. Specify the gateway IP address.

Peer Network: NAT mode only. Specify the peer network subnet address.

Add Subnet: If necessary, click +Add Subnet to display additional subnet configuration controls. An interface port can have multiple subnets. FortiTester uses all IP addresses in the specified subnets to create UDP connections and transfer data.

Load

Simulated Users: Number of users to simulate.

Standalone mode: The default is 256. The valid range is from 1 to 512.

Test Center mode: The default is 512, and the valid range is from 1 to 1024, for example, for an environment with two FortiTester appliances.

UDP Package Size: The default is 64 bytes. The valid range is 64 to 1518.

Bandwidth Limit: The default is 0, which means the maximum possible. The unit is Mbps.

Standalone mode: The valid range is 10 to 20,000 (or the special value 0).

Test Center mode: The valid range is 10 to 40,000, for example, for an environment with two FortiTester appliances.

Ramp Up Seconds: Time in seconds for traffic to ramp up when you start the test.

Ramp Down Seconds: Time in seconds for traffic to ramp down when you stop the test.


Dual Traffic Mode: When disabled (the default), traffic is sent only from the client side to the server side. When enabled, traffic is also sent from the server side to the client side. Enable to generate bidirectional UDP traffic between client and server sides. Each side generates and receives UDP packets.

Network

MTU: Preset to 1500. Not configurable.

Profile (Client)

Source Port Range: Specify a client port range. The valid range is 10,000 to 65,535, which is also the default.

IP Change Algorithm / Port Change Algorithm: Determines how the system changes source/destination IP addresses and ports to simulate multiple client requests. Preset to Increment. Not configurable. The Increment option uses the next IP address or port in the range, for example: 10.11.12.1 -> 10.11.12.2; port 10000 -> 10001.

IP Option DSCP: Provide quality of service (QoS).

Profile (Server)

Server Port: The default is 6,001. The valid range is from 0 to 65,535.

IP Option DSCP: Provide quality of service (QoS).

Starting a UDP Payload test

FortiTester tests UDP payload by sending UDP frames with the specified payload from the client ports to the server ports.

To start a UDP payload test:

1. Go to Cases > UDP > Payload to display the test case summary page.
2. Click Add to display the Case Options dialog box.
3. In the popup dialog, configure the network settings as described in "Using network configuration templates" on page 16.
4. Click OK to continue.
5. Configure the test case options described in Table 14.
6. Click Start to run the test case.

FortiTester saves the configuration automatically so you can run the test again later. You can also click Save to save the test case without running it.


Tip: You can also copy an existing case and change its settings to create a new case. In the case list, click Clone to clone the configuration. Only the case name is different from the original case.

 Table 14: UDP Payload Test Case configuration

Settings Guidelines

Basic Information

Name: Specify the case name, or just use the default. The name appears in the list of test cases.

Ping Server Timeout: If a FortiTester connects to a DUT via a switch, the switch might cause a ping timeout, resulting in the test case failing to run. If this occurs, increase the timeout. The default is 15 seconds. The valid range is 0 to 600. Note: You can disable this end-to-end connectivity test by entering a setting of 0. If the DUT is unable to return packets, it is recommended you do so.

Duration: Specify the test duration. The default is 10 minutes. The test stops automatically after the duration you specify.

Number of Samples: Select the number of samples. The default is 20, which means the web UI shows the last 20 samples (about 20 seconds) on the test case running page. You can select 20, 60, or 120.

Network Settings

Client Ports, Server Ports: The graphic depicts the test ports for client-side and server-side connections. The client ports simulate the behavior of clients; the server ports simulate the behavior of servers. FortiTester builds the TCP connections between client ports and server ports (and through the DUT, of course).

You must select at least one client port and one server port. After you select a port for client, a check mark is displayed on the port icon, and a tab for the port is added below the graphic. Use the tabs to toggle the Capture Packets and Subnet settings controls for each port.

Capture Packets


Capture Packets: Optional. Set packet capture options if you want to capture the traffic of this port. You can capture all packets or specify a number. You can set packet capture filters for host IP/port and protocol.

Note: The system allocates temporary disk space for packet captures. The limit is 6,000,000 packets. The packets are saved to a temporary file that you can download from the running test case page. The filename indicates whether it is client or server communication and the interface port number, for example, client_port1.pcap. When a subsequent test case with packet capture enabled uses the same interface port as a previous one, the previous file is overwritten.

MAC Masquerade

MAC Masquerade: Specify the first two bytes of a MAC address for the traffic.

Virtual Router

IP Address: Specify the IP address of the virtual router. This IP address is used to connect to a DUT, so it must be in the same subnet as the connected port of the DUT. Make sure the corresponding routing rules are set on the DUT so that the DUT correctly forwards traffic to the virtual router. Only a single IP address in the format xxx.xxx.xxx.xxx is accepted here.

Subnet

Subnet IP Address or Range: Specify a single IP address with standard format (for example, 10.1.2.1) or an address range like 10.1.2.1-10.1.2.99.

Netmask: Specify a netmask between 1 and 31.

VLAN ID: Specify a VLAN ID between 1 and 4095.

Gateway: NAT mode only. Specify the gateway IP address.

Peer Network: NAT mode only. Specify the peer network subnet address.

Add Subnet: If necessary, click +Add Subnet to display additional subnet configuration controls. An interface port can have multiple subnets. FortiTester uses all IP addresses in the specified subnets to create UDP connections and transfer data.

Load

Payload: Use the plain text predefined format to specify the payload.


Simulated Users: Number of users to simulate.

Standalone mode: The default is 256. The valid range is from 1 to 512.

Test Center mode: The default is 512, and the valid range is from 1 to 1024, for example, for an environment with two FortiTester appliances.

Bandwidth Limit: The default is 0, which means the maximum possible. The unit is Mbps.

Standalone mode: The valid range is 10 to 20,000 (or the special value 0).

Test Center mode: The valid range is 10 to 40,000, for example, for an environment with two FortiTester appliances.

Ramp Up Seconds: Time in seconds for traffic to ramp up when you start the test.

Ramp Down Seconds: Time in seconds for traffic to ramp down when you stop the test.

Network

MTU: Preset to 1500. Not configurable.

Profile (Client)

Source Port Range: Specify a client port range. The valid range is 10,000 to 65,535, which is also the default.

IP Change Algorithm / Port Change Algorithm: Determines how the system changes source/destination IP addresses and ports to simulate multiple client requests. Preset to Increment. Not configurable. The Increment option uses the next IP address or port in the range, for example: 10.11.12.1 -> 10.11.12.2; port 10000 -> 10001.

IP Option DSCP: Provide quality of service (QoS).

Profile (Server)

Server Port: The default is 514. The valid range is 0 to 65,535.

IP Option DSCP: Provide quality of service (QoS).

Starting an RFC 2544 base value test

Before starting an RFC 2544 test, determine the performance and limitations for your specific network topology and use this information to begin testing.


To start an RFC 2544 base value test:

1. Go to Cases > RFC 2544 > Base Value to display the test case summary page.
2. Click Add to display the Case Options dialog box.
3. In the pop-up dialog, configure the network settings as described in "Using network configuration templates" on page 16.
4. Click OK to continue.
5. Configure the test case options described in Table 15.
6. Click Start to run the test case.

FortiTester saves the configuration automatically so you can run the test again later. You can also click Save to save the test case without running it.

Tip: You can also copy an existing case and change its settings to create a new case. In the case list, click Clone to clone the configuration. Only the case name is different from the original case.

 Table 15: RFC 2544 Base Value Test Case configuration

Settings Guidelines

Basic Information

Name: Specify the case name, or just use the default. The name appears in the list of test cases.

Ping Server Timeout: If a FortiTester connects to a DUT via a switch, the switch might cause a ping timeout, resulting in the test case failing to run. If this occurs, increase the timeout. The default is 15 seconds. The valid range is 0 to 600. Note: You can disable this end-to-end connectivity test by entering a setting of 0. If the DUT is unable to return packets, it is recommended you do so.

Network Settings

Client Ports, Server Ports: The graphic depicts the test ports for client-side and server-side connections. The client ports simulate the behavior of clients; the server ports simulate the behavior of servers. FortiTester builds the TCP connections between client ports and server ports (and through the DUT, of course).

You must select at least one client port and one server port. After you select a port for client, a check mark is displayed on the port icon, and a tab for the port is added below the graphic. Use the tabs to toggle the Capture Packets and Subnet settings controls for each port.

Capture Packets


Capture Packets: Optional. Set packet capture options if you want to capture the traffic of this port. You can capture all packets or specify a number. You can set packet capture filters for host IP/port and protocol.

Note: The system allocates temporary disk space for packet captures. The limit is 6,000,000 packets. The packets are saved to a temporary file that you can download from the running test case page. The filename indicates whether it is client or server communication and the interface port number, for example, client_port1.pcap. When a subsequent test case with packet capture enabled uses the same interface port as a previous one, the previous file is overwritten.

MAC Masquerade

MAC Masquerade: Specify the first two bytes of a MAC address for the traffic.

Subnet

Subnet IP Address or Range: Specify a single IP address with standard format (for example, 10.1.2.1) or an address range like 10.1.2.1-10.1.2.99.

Netmask: Specify a netmask between 1 and 31.

VLAN ID: Specify a VLAN ID between 1 and 4095.

Load

Simulated Users: Number of users to simulate.

Standalone mode: The default is 256. The valid range is from 1 to 1024.

Test Center mode: The default is 512, and the valid range is from 1 to 2048, for example, for an environment with two FortiTester appliances.

Latency: Adds a little traffic from server to client for packet latency counting in Unidirectional mode.

Traffic Direction: Specify the direction of traffic flow.

Frame Size: The unit is bytes.

Traffic Cycle Second: Traffic burst duration in seconds for each frame size (minimum of 10).

Traffic Stop Wait Second: Wait time in seconds for packet transmission after traffic stops (range: 2 - 300).


Maximum Traffic Cycle: Maximum traffic cycle for each frame size (minimum 1).

Maximum Send Speed: The range is 0 to 10000 Mbps. 0 means the throughput speed is copied from the Base Value case.

Network

Network MTU: Maximum Transmission Unit for a data packet. FortiTester does not send out data packets larger than this value. Most DUTs have a limitation for packet size. The default is 1500. The valid range is 1,280 to 9,000.

Profile (Client)

Source Port Range: Specify a client port range. The valid range is 10,000 to 65,535, which is also the default.

IP Change Algorithm / Port Change Algorithm: Select a change algorithm: Increment or Random. This setting determines how the system changes source/destination IP addresses and ports to simulate multiple client requests. The Increment option uses the next IP address or port in the range, for example: 10.11.12.1 -> 10.11.12.2; port 10000 -> 10001. The Random option selects an IP address or port in the range randomly.

IP Option DSCP: Provide quality of service (QoS).

Profile (Server)

Server Port: Preset to 80. Not configurable.

IP Option DSCP: Provide quality of service (QoS).

Starting an RFC 2544 throughput test

FortiTester tests the ability of the DUT to handle different types of RFC 2544 throughput. According to RFC 2544, throughput is the fastest rate at which the number of test frames transmitted by the DUT is equal to the number of test frames sent to it by the test equipment.
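The throughput definition above, worked through as an added example (not FortiTester code and not from the handbook): a search for the highest zero-loss frame rate per frame size against a simulated DUT. The SimulatedDut class, its limits, the binary-search strategy and the 20-byte per-frame Ethernet wire overhead are assumptions of this example; the handbook does not describe how FortiTester itself searches.

```python
"""RFC 2544 throughput search against a simulated DUT (constructed example)."""

# Per-frame overhead on the wire that is not part of the frame itself:
# 7-byte preamble + 1-byte start-of-frame delimiter + 12-byte inter-frame gap.
ETH_OVERHEAD_BYTES = 20
# Ethernet frame sizes listed in RFC 2544.
RFC2544_FRAME_SIZES = (64, 128, 256, 512, 1024, 1280, 1518)


def max_frame_rate(link_mbps, frame_size):
    """Theoretical maximum frames per second for this frame size on the link."""
    return link_mbps * 1_000_000 // ((frame_size + ETH_OVERHEAD_BYTES) * 8)


class SimulatedDut:
    """Hypothetical DUT with a packet-rate ceiling and a bit-rate ceiling."""

    def __init__(self, pps_limit, mbps_limit):
        self.pps_limit = pps_limit
        self.mbps_limit = mbps_limit

    def run_trial(self, rate_fps, frame_size, seconds):
        """Offer rate_fps for `seconds`; return (frames_sent, frames_forwarded)."""
        sent = rate_fps * seconds
        by_bits = self.mbps_limit * 1_000_000 // (frame_size * 8)
        capacity = min(self.pps_limit, by_bits) * seconds
        return sent, min(sent, capacity)


def find_throughput(dut, link_mbps, frame_size, trial_seconds=10, max_trials=32):
    """Return the highest offered rate (fps) at which no frame is lost.

    Starts at line rate and binary-searches downward. A trial passes only if
    frames forwarded == frames sent, which is the throughput criterion.
    """
    low, high = 0, max_frame_rate(link_mbps, frame_size)
    best, rate = 0, high
    for _ in range(max_trials):
        if low > high:
            break
        sent, forwarded = dut.run_trial(rate, frame_size, trial_seconds)
        if forwarded == sent:      # zero loss: try a higher rate
            best, low = rate, rate + 1
        else:                      # any loss at all: back off
            high = rate - 1
        rate = (low + high) // 2
    return best


def throughput_report(dut, link_mbps, frame_sizes=RFC2544_FRAME_SIZES):
    """Per frame size: (fps, layer-2 Mbit/s, percent of line rate)."""
    report = {}
    for size in frame_sizes:
        fps = find_throughput(dut, link_mbps, size)
        mbps = fps * size * 8 / 1_000_000
        pct = 100.0 * fps / max_frame_rate(link_mbps, size)
        report[size] = (fps, round(mbps, 1), round(pct, 1))
    return report


if __name__ == "__main__":
    # Constructed DUT: 500 kpps forwarding limit, 800 Mbit/s limit, 1 Gbit/s link.
    dut = SimulatedDut(pps_limit=500_000, mbps_limit=800)
    for size, (fps, mbps, pct) in throughput_report(dut, 1000).items():
        print(f"{size:>5} B  {fps:>9} fps  {mbps:>7} Mbit/s  {pct:>5}% of line rate")
```

With small frames the simulated DUT is limited by packet rate and with large frames by bit rate, which is why throughput is reported per frame size rather than as a single number.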

To start a throughput test:

1. Go to Cases > RFC 2544 > Throughput to display the test case summary page.
2. Click Add to display the Case Options dialog box.
3. Select the base value test case results to use for calculating the performance of the DUT in this test.
4. In the pop-up dialog, configure DUT Working Mode as TP or NAT. Note: The system automatically populates all the other options with values taken from the selected base value test.
5. Click OK to continue.
6. Configure the test case options described in Table 16.
7. Click Start to run the test case.


FortiTester saves the configuration automatically so you can run the test again later. You can also click Save to save the test case without running it.

Tip: You can also copy an existing case and change its settings to create a new case. In the case list, click Clone to clone the configuration. Only the case name is different from the original case.

 Table 16: RFC 2544 Throughput Test Case configuration

Settings Guidelines

Basic Information

Name: Specify the case name, or just use the default. The name appears in the list of test cases.

Ping Server Timeout: If a FortiTester connects to a DUT via a switch, the switch might cause a ping timeout, resulting in the test case failing to run. If this occurs, increase the timeout. The default is 15 seconds. The valid range is 0 to 600. Note: You can disable this end-to-end connectivity test by entering a setting of 0. If the DUT is unable to return packets, it is recommended you do so.

Network Settings

Client Ports, Server Ports: The graphic depicts the test ports for client-side and server-side connections. The client ports simulate the behavior of clients; the server ports simulate the behavior of servers. FortiTester builds the TCP connections between client ports and server ports (and through the DUT, of course).

You must select at least one client port and one server port. After you select a port for client, a check mark is displayed on the port icon, and a tab for the port is added below the graphic. Use the tabs to toggle the Capture Packets and Subnet settings controls for each port.

Capture Packets

Capture Packets: Optional. Set packet capture options if you want to capture the traffic of this port. You can capture all packets or specify a number. You can set packet capture filters for host IP/port and protocol.

Note: The system allocates temporary disk space for packet captures. The limit is 6,000,000 packets. The packets are saved to a temporary file that you can download from the running test case page. The filename indicates whether it is client or server communication and the interface port number, for example, client_port1.pcap. When a subsequent test case with packet capture enabled uses the same interface port as a previous one, the previous file is overwritten.

MAC Masquerade


MAC Masquerade: Specify the first two bytes of a MAC address for the traffic.

Virtual Router

IP Address: Specify the IP address of the virtual router. This IP address is used to connect to a DUT, so it must be in the same subnet as the connected port of the DUT. Make sure the corresponding routing rules are set on the DUT so that the DUT correctly forwards traffic to the virtual router. Only a single IP address in the format xxx.xxx.xxx.xxx is accepted here.

Subnet

Subnet IP Address or Range: Specify a single IP address with standard format (for example, 10.1.2.1) or an address range like 10.1.2.1-10.1.2.99.

Netmask: Specify a netmask between 1 and 31.

VLAN ID: Specify a VLAN ID between 1 and 4095.

Load

Simulated Users: Number of users to simulate.

Standalone mode: The default is 256. The valid range is from 1 to 1024.

Test Center mode: The default is 512, and the valid range is from 1 to 2048, for example, for an environment with two FortiTester appliances.

DDoS Type: DDoS attack traffic: TCP Session Flood. After you select a type, selection boxes for subtypes are displayed below. To change the percentage mix of subtypes, double-click the pie chart and adjust the percentages.

Speed Limit: Applies only when DDoS type is TCP Session Flood or HTTP Session Flood. Rate of new connections per second. The default is 0, which means the device will create connections as fast as possible.

Standalone mode: The valid range is from 1,000 to 20,000 connections per second (or the special value 0).

Test Center mode: The valid range is from 1,000 to 20,000, for example, for an environment with two FortiTester appliances.


Concurrent Connection: Applies only when DDoS type is Concurrent Session Flood. Number of concurrent connections.

Standalone mode: The default is 6,000,000. The valid range is from 10,000 to 6,000,000.

Test Center mode: The default is 12,000,000, and the valid range is 10,000 to 12,000,000, for example, for an environment with two FortiTester appliances.

Ramp Up Seconds: Time in seconds for traffic to ramp up when you start the test. Not available for Concurrent Session Flood test.

Ramp Down Seconds: Time in seconds for traffic to ramp down when you stop the test. Not available for Concurrent Session Flood test.

Network

Network MTU: Maximum Transmission Unit for a data packet. FortiTester does not send out data packets larger than this value. Most DUTs have a limitation for packet size. The default is 1500. The valid range is 1,280 to 9,000.

Profile (Client)

Source Port Range: Specify a client port range. The valid range is 10,000 to 65,535, which is also the default.

IP Change Algorithm / Port Change Algorithm: Select a change algorithm: Increment or Random. This setting determines how the system changes source/destination IP addresses and ports to simulate multiple client requests. The Increment option uses the next IP address or port in the range, for example: 10.11.12.1 -> 10.11.12.2; port 10000 -> 10001. The Random option selects an IP address or port in the range randomly.

Piggybacking: Disabled, meaning an acknowledgment is sent in an individual frame. Not configurable.

IP Option DSCP: Provide quality of service (QoS).

Profile (Server)

Server Port: Preset to 80. Not configurable.

Piggybacking: Enabled. Not configurable.

IP Option DSCP: Provide quality of service (QoS).


Starting an RFC 2544 latency test

FortiTester tests the ability of the DUT to handle different types of RFC 2544 latency. According to RFC 1242, for store and forward devices, latency is the time interval starting when the last bit of the input frame reaches the input port and ending when the first bit of the output frame is seen on the output port.

To start a latency test:

1. Go to Cases > RFC 2544 > Latency to display the test case summary page.
2. Click Add to display the Case Options dialog box.
3. Select the base value test case results to use for calculating the performance of the DUT in this test.
4. In the pop-up dialog, configure DUT Working Mode as TP or NAT. Note: The system automatically populates all the other options with values taken from the selected base value test.
5. Click OK to continue.
6. Configure the test case options described in Table 17.
7. Click Start to run the test case.

FortiTester saves the configuration automatically so you can run the test again later. You can also click Save to save the test case without running it.

Tip: You can also copy an existing case and change its settings to create a new case. In the case list, click Clone to clone the configuration. Only the case name is different from the original case.

 Table 17: RFC 2544 Latency Test Case configuration

Settings Guidelines

Basic Information

Name: Specify the case name, or just use the default. The name appears in the list of test cases.

Ping Server Timeout: If a FortiTester connects to a DUT via a switch, the switch might cause a ping timeout, resulting in the test case failing to run. If this occurs, increase the timeout. The default is 15 seconds. The valid range is 0 to 600. Note: You can disable this end-to-end connectivity test by entering a setting of 0. If the DUT is unable to return packets, it is recommended you do so.

Network Settings


Client Ports, Server Ports: The graphic depicts the test ports for client-side and server-side connections. The client ports simulate the behavior of clients; the server ports simulate the behavior of servers. FortiTester builds the TCP connections between client ports and server ports (and through the DUT, of course).

You must select at least one client port and one server port. After you select a port for client, a check mark is displayed on the port icon, and a tab for the port is added below the graphic. Use the tabs to toggle the Capture Packets and Subnet settings controls for each port.

Capture Packets

Capture Packets: Optional. Set packet capture options if you want to capture the traffic of this port. You can capture all packets or specify a number. You can set packet capture filters for host IP/port and protocol.

Note: The system allocates temporary disk space for packet captures. The limit is 6,000,000 packets. The packets are saved to a temporary file that you can download from the running test case page. The filename indicates whether it is client or server communication and the interface port number, for example, client_port1.pcap. When a subsequent test case with packet capture enabled uses the same interface port as a previous one, the previous file is overwritten.

MAC Masquerade

MAC Masquerade: Specify the first two bytes of a MAC address for the traffic.

Virtual Router

IP Address: Specify the IP address of the virtual router. This IP address is used to connect to a DUT, so it must be in the same subnet as the connected port of the DUT. Make sure the corresponding routing rules are set on the DUT so that the DUT correctly forwards traffic to the virtual router. Only a single IP address in the format xxx.xxx.xxx.xxx is accepted here.

Subnet

Subnet IP Address or Range: Specify a single IP address with standard format (for example, 10.1.2.1) or an address range like 10.1.2.1-10.1.2.99.

Netmask: Specify a netmask between 1 and 31.

VLAN ID: Specify a VLAN ID between 1 and 4095.

Load

Simulated Users Number of users to simulate.

Standalone mode: The default is 256. The valid range is from 1 to 1024.

Test Center mode: The default is 512, and the valid range is from 1 to 2048, for example, for an environment with two FortiTester appliances.

DDoS Type DDoS attack traffic: TCP Session Flood. After you select a type, selection boxes for subtypes are displayed below. To change the percentage mix of subtypes, double-click the pie chart and adjust the percentages.

Speed Limit Applies only when DDoS type is TCP Session Flood or HTTP Session Flood. Rate of new connections per second. The default is 0, which means the device will create connections as fast as possible.

Standalone mode: The valid range is from 1,000 to 20,000 connections per second (or the special value 0).

Test Center mode: The valid range is from 1,000 to 20,000, for example, for an environment with two FortiTester appliances.

Concurrent Connection

Applies only when DDoS type is Concurrent Session Flood. Number of concurrent connections.

Standalone mode: The default is 6,000,000. The valid range is from 10,000 to 6,000,000.

Test Center mode: The default is 12,000,000, and the valid range is 10,000 to 12,000,000, for example, for an environment with two FortiTester appliances.

Ramp Up Seconds Time in seconds for traffic to ramp up when you start the test. Not available for Concurrent Session Flood test.

Ramp Down Seconds

Time in seconds for traffic to ramp down when you stop the test. Not available for Concurrent Session Flood test.

Network

Network MTU Maximum Transmission Unit for a data packet. FortiTester does not send out data packets larger than this value. Most DUTs have a limitation for packet size. The default is 1500. The valid range is 1,280 to 9,000.

Profile (Client)

Source Port Range Specify a client port range. The valid range is 10,000 to 65,535, which is also the default.

IP Change Algorithm / Port Change Algorithm

Select a change algorithm: Increment or Random. This setting determines how the system changes source/destination IP addresses and ports to simulate multiple client requests. The Increment option uses the next IP address or port in the range, for example: 10.11.12.1 -> 10.11.12.2; port 10000 -> 10001. The Random option selects an IP address or port in the range randomly.

Piggybacking Disabled, meaning an acknowledgment is sent in an individual frame. Not configurable.

IP Option DSCP Provide quality of service (QoS)

Profile (Server)

Server Port Preset to 80. Not configurable.

Piggybacking Enabled. Not configurable.

IP Option DSCP Provide quality of service (QoS)
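
The Virtual Router, Subnet, Netmask and VLAN ID rows in the table above form an address plan that can be checked before a test case is started. The following Python sketch is an added example, not FortiTester code; the function names, the DUT interface argument and the rule that a Subnet range must fit inside one network of the given netmask are assumptions.

```python
import ipaddress


def parse_subnet_field(field):
    """Parse 'a.b.c.d' or 'a.b.c.d-e.f.g.h' into (first, last) addresses."""
    first, sep, last = field.strip().partition("-")
    lo = ipaddress.IPv4Address(first.strip())
    hi = ipaddress.IPv4Address(last.strip()) if sep else lo
    if hi < lo:
        raise ValueError(f"range end {hi} is below range start {lo}")
    return lo, hi


def check_port_plan(virtual_router_ip, dut_interface, subnet_field, netmask, vlan_id=None):
    """Return a list of problems; an empty list means every check passed.

    dut_interface is the DUT port address with its prefix, e.g. '10.0.0.1/24'
    (hypothetical argument: the handbook only says the virtual router must
    share the DUT port's subnet).
    """
    problems = []

    # Virtual Router > IP Address: a single dotted-quad address that must sit
    # in the same subnet as the connected DUT port.
    try:
        vr = ipaddress.IPv4Address(virtual_router_ip)
        dut = ipaddress.IPv4Interface(dut_interface)
        if vr not in dut.network:
            problems.append(f"virtual router {vr} is outside DUT port network {dut.network}")
        elif vr == dut.ip:
            problems.append(f"virtual router {vr} duplicates the DUT port address")
    except ValueError as exc:
        problems.append(f"virtual router / DUT port: {exc}")

    # Netmask must be 1 to 31; VLAN ID, when set, must be 1 to 4095.
    if not 1 <= netmask <= 31:
        problems.append(f"netmask {netmask} is outside 1-31")
    if vlan_id is not None and not 1 <= vlan_id <= 4095:
        problems.append(f"VLAN ID {vlan_id} is outside 1-4095")

    # Subnet IP Address or Range: single address or 'start-end'.
    # Assumption: both ends must fall in one network of the given netmask.
    try:
        lo, hi = parse_subnet_field(subnet_field)
        if 1 <= netmask <= 31:
            net = ipaddress.ip_network(f"{lo}/{netmask}", strict=False)
            if hi not in net:
                problems.append(f"range {lo}-{hi} does not fit inside {net}")
    except ValueError as exc:
        problems.append(f"subnet field {subnet_field!r}: {exc}")

    return problems


if __name__ == "__main__":
    # Constructed sample plans, not taken from a real deployment.
    plans = [
        ("10.0.0.2", "10.0.0.1/24", "10.1.2.1-10.1.2.99", 24, 100),
        ("10.0.1.2", "10.0.0.1/24", "10.1.2.1-10.1.2.99", 24, None),
        ("10.0.0.2", "10.0.0.1/24", "10.1.2.1-10.1.3.5", 24, 4096),
    ]
    for plan in plans:
        print(plan, "->", check_port_plan(*plan) or "ok")
```
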

Starting an RFC 2544 loss rate test

FortiTester tests the ability of the DUT to handle different types of RFC 2544 loss rate. According to RFC 2544, the objective of this test is to determine the frame loss rate, as defined in RFC 1242, of a DUT throughout the entire range of input data rates and frame sizes.

To start a loss rate test:

1. Go to Cases > RFC 2544 > Loss Rate to display the test case summary page.
2. Click Add to display the Case Options dialog box.
3. Select the base value test case results to use for calculating the performance of DUT in this test.
4. In the pop-up dialog, configure DUT Working Mode as TP or NAT. Note: The system automatically populates all the other options with values taken from the selected base value test.
5. Click OK to continue.
6. Configure the test case options described in Table 18.
7. Click Start to run the test case.

FortiTester saves the configuration automatically so you can run the test again later. You can also click Save to save the test case without running it.

Tip: You can also copy an existing case, and change its settings to create a new case. In the case list, click Clone to clone the configuration. Only the case name is different from the original case.

 Table 18: RFC 2544 Loss Rate Test Case configuration

Settings Guidelines

Basic Information

Name Specify the case name, or just use the default. The name appears in the list of test cases.

Ping Server Timeout

If a FortiTester connects to a DUT via a switch, the switch might cause a ping timeout, resulting in the test case failing to run. If this occurs, increase the timeout. The default is 15 seconds. The valid range is 0 to 600. Note: You can disable this end-to-end connectivity test by entering a setting of 0. If the DUT is unable to return packets, it is recommended you do so.

Network Settings

Client Ports, Server Ports

The graphic depicts the test ports for client-side and server-side connections. The client ports simulate the behavior of clients; the server ports simulate the behavior of servers. FortiTester builds the TCP connections between client ports and server ports (and through the DUT, of course).

You must select at least one client port and one server port. After you select a port for client, a (check mark) is displayed on the port icon, and a tab for the port is added below the graphic. Use the tabs to toggle the Capture Packets and Subnet settings controls for each port.

Capture Packets

Capture Packets Optional. Set packet capture options if you want to capture the traffic of this port. You can capture all packets or specify a number. You can set packet capture filters for host IP/port and protocol.

Note: The system allocates temporary disk space for packet captures. The limit is 6,000,000 packets. The packets are saved to a temporary file that you can download from the running test case page. The filename indicates whether it is client or server communication and the interface port number. For example, client_port1.pcap. When a subsequent test case with packet capture enabled uses the same interface port as a previous one, the previous file is overwritten.

MAC Masquerade

MAC Masquerade Specify the first two bytes of a MAC address for the traffic.

Virtual Router

IP Address Specify the IP address of the virtual router. This IP address is used to connect to a DUT, so it must be in the same subnet as the connected port of the DUT. Make sure the corresponding routing rules are set on the DUT so that the DUT correctly forwards traffic to the virtual router. Only a single IP address in the format xxx.xxx.xxx.xxx is accepted here.

Subnet

Subnet IP Address or Range

Specify a single IP address with standard format (for example, 10.1.2.1) or an address range like 10.1.2.1-10.1.2.99.

Netmask Specify a netmask between 1 and 31.

VLAN ID Specify a VLAN ID between 1 and 4095.

Load

Simulated Users Number of users to simulate.

Standalone mode: The default is 256. The valid range is from 1 to 1024.

Test Center mode: The default is 512, and the valid range is from 1 to 2048, for example, for an environment with two FortiTester appliances.

DDoS Type DDoS attack traffic: TCP Session Flood. After you select a type, selection boxes for subtypes are displayed below. To change the percentage mix of subtypes, double-click the pie chart and adjust the percentages.

Speed Limit Applies only when DDoS type is TCP Session Flood or HTTP Session Flood. Rate of new connections per second. The default is 0, which means the device will create connections as fast as possible.

Standalone mode: The valid range is from 1,000 to 20,000 connections per second (or the special value 0).

Test Center mode: The valid range is from 1,000 to 20,000, for example, for an environment with two FortiTester appliances.

Concurrent Connection

Applies only when DDoS type is Concurrent Session Flood. Number of concurrent connections.

Standalone mode: The default is 6,000,000. The valid range is from 10,000 to 6,000,000.

Test Center mode: The default is 12,000,000, and the valid range is 10,000 to 12,000,000, for example, for an environment with two FortiTester appliances.

Ramp Up Seconds Time in seconds for traffic to ramp up when you start the test. Not available for Concurrent Session Flood test.

Ramp Down Seconds

Time in seconds for traffic to ramp down when you stop the test. Not available for Concurrent Session Flood test.

Network

Network MTU Maximum Transmission Unit for a data packet. FortiTester does not send out data packets larger than this value. Most DUTs have a limitation for packet size. The default is 1500. The valid range is 1,280 to 9,000.

Profile (Client)

Source Port Range Specify a client port range. The valid range is 10,000 to 65,535, which is also the default.

IP Change Algorithm / Port Change Algorithm

Select a change algorithm: Increment or Random. This setting determines how the system changes source/destination IP addresses and ports to simulate multiple client requests. The Increment option uses the next IP address or port in the range, for example: 10.11.12.1 -> 10.11.12.2; port 10000 -> 10001. The Random option selects an IP address or port in the range randomly.

Piggybacking Disabled, meaning an acknowledgment is sent in an individual frame. Not configurable.

IP Option DSCP Provide quality of service (QoS)

Profile (Server)

Server Port Preset to 80. Not configurable.

Piggybacking Enabled. Not configurable.

IP Option DSCP Provide quality of service (QoS)

Starting an RFC 2544 back to back test

FortiTester tests the ability of the DUT to handle different types of RFC 2544 back to back. According to RFC 2544, the objective of this test is to characterize the ability of a DUT to process back-to-back frames as defined in RFC 1242.

To start an RFC 2544 back to back test:

1. Go to Cases > RFC 2544 > Back to Back to display the test case summary page.
2. Click Add to display the Case Options dialog box.
3. Select the base value test case results to use for calculating the performance of DUT in this test.
4. In the pop-up dialog, configure DUT Working Mode as TP or NAT. Note: The system automatically populates all the other options with values taken from the selected base value test.
5. Click OK to continue.
6. Configure the test case options described in Table 19.
7. Click Start to run the test case.

FortiTester saves the configuration automatically so you can run the test again later. You can also click Save to save the test case without running it.

Tip: You can also copy an existing case, and change its settings to create a new case. In the case list, click Clone to clone the configuration. Only the case name is different from the original case.

 Table 19: RFC 2544 back to back Test Case configuration

Settings Guidelines

Basic Information

Name Specify the case name, or just use the default. The name appears in the list of test cases.

Ping Server Timeout

If a FortiTester connects to a DUT via a switch, the switch might cause a ping timeout, resulting in the test case failing to run. If this occurs, increase the timeout. The default is 15 seconds. The valid range is 0 to 600. Note: You can disable this end-to-end connectivity test by entering a setting of 0. If the DUT is unable to return packets, it is recommended you do so.

Network Settings

Client Ports, Server Ports

The graphic depicts the test ports for client-side and server-side connections. The client ports simulate the behavior of clients; the server ports simulate the behavior of servers. FortiTester builds the TCP connections between client ports and server ports (and through the DUT, of course).

You must select at least one client port and one server port. After you select a port for client, a (check mark) is displayed on the port icon, and a tab for the port is added below the graphic. Use the tabs to toggle the Capture Packets and Subnet settings controls for each port.

Capture Packets

Capture Packets Optional. Set packet capture options if you want to capture the traffic of this port. You can capture all packets or specify a number. You can set packet capture filters for host IP/port and protocol.

Note: The system allocates temporary disk space for packet captures. The limit is 6,000,000 packets. The packets are saved to a temporary file that you can download from the running test case page. The filename indicates whether it is client or server communication and the interface port number. For example, client_port1.pcap. When a subsequent test case with packet capture enabled uses the same interface port as a previous one, the previous file is overwritten.

MAC Masquerade

MAC Masquerade Specify the first two bytes of a MAC address for the traffic.

Virtual Router

IP Address Specify the IP address of the virtual router. This IP address is used to connect to a DUT, so it must be in the same subnet as the connected port of the DUT. Make sure the corresponding routing rules are set on the DUT so that the DUT correctly forwards traffic to the virtual router. Only a single IP address in the format xxx.xxx.xxx.xxx is accepted here.

Subnet

Subnet IP Address or Range

Specify a single IP address with standard format (for example, 10.1.2.1) or an address range like 10.1.2.1-10.1.2.99.

Netmask Specify a netmask between 1 and 31.

VLAN ID Specify a VLAN ID between 1 and 4095.

Load

Simulated Users Number of users to simulate.

Standalone mode: The default is 256. The valid range is from 1 to 1024.

Test Center mode: The default is 512, and the valid range is from 1 to 2048, for example, for an environment with two FortiTester appliances.

DDoS Type DDoS attack traffic: TCP Session Flood. After you select a type, selection boxes for subtypes are displayed below. To change the percentage mix of subtypes, double-click the pie chart and adjust the percentages.

Speed Limit Applies only when DDoS type is TCP Session Flood or HTTP Session Flood. Rate of new connections per second. The default is 0, which means the device will create connections as fast as possible.

Standalone mode: The valid range is from 1,000 to 20,000 connections per second (or the special value 0).

Test Center mode: The valid range is from 1,000 to 20,000, for example, for an environment with two FortiTester appliances.

Concurrent Connection

Applies only when DDoS type is Concurrent Session Flood. Number of concurrent connections.

Standalone mode: The default is 6,000,000. The valid range is from 10,000 to 6,000,000.

Test Center mode: The default is 12,000,000, and the valid range is 10,000 to 12,000,000, for example, for an environment with two FortiTester appliances.

Ramp Up Seconds Time in seconds for traffic to ramp up when you start the test. Not available for Concurrent Session Flood test.

Ramp Down Seconds

Time in seconds for traffic to ramp down when you stop the test. Not available for Concurrent Session Flood test.

Network

Network MTU Maximum Transmission Unit for a data packet. FortiTester does not send out data packets larger than this value. Most DUTs have a limitation for packet size. The default is 1500. The valid range is 1,280 to 9,000.

Profile (Client)

Source Port Range Specify a client port range. The valid range is 10,000 to 65,535, which is also the default.

IP Change Algorithm / Port Change Algorithm

Select a change algorithm: Increment or Random. This setting determines how the system changes source/destination IP addresses and ports to simulate multiple client requests. The Increment option uses the next IP address or port in the range, for example: 10.11.12.1 -> 10.11.12.2; port 10000 -> 10001. The Random option selects an IP address or port in the range randomly.

Piggybacking Disabled, meaning an acknowledgment is sent in an individual frame. Not configurable.

IP Option DSCP Provide quality of service (QoS)

Profile (Server)

Server Port Preset to 80. Not configurable.

Piggybacking Enabled. Not configurable.

IP Option DSCP Provide quality of service (QoS)

Starting a DNS latency test

FortiTester tests the latency of the DUT in handling DNS query requests. A DUT could be a gateway device or a DNS server. The test traffic sends DNS requests to a DNS server and measures latency.

To start a DNS test:

1. Go to Cases > DNS > Latency to display the test case summary page.
2. Click Add to display the Case Options dialog box.
3. In the popup dialog, configure the network settings as described in "Using network configuration templates" on page 16.
4. Click OK to continue.
5. Configure the test case options described in Table 20.
6. Click Start to run the test case.

FortiTester saves the configuration automatically so you can run the test again later. You can also click Save to save the test case without running it.

Tip: You can also copy an existing case, and change its settings to create a new case. In the case list, click Clone to clone the configuration. Only the case name is different from the original case.

 Table 20: DNS Latency Test Case configuration

Settings Guidelines

Basic Information

Name Specify the case name, or just use the default. The name appears in the list of test cases.

Ping Server Timeout If a FortiTester connects to a DUT via a switch, the switch might cause a ping timeout, resulting in the test case failing to run. If this occurs, increase the timeout. The default is 15 seconds. The valid range is 0 to 600. Note: You can disable this end-to-end connectivity test by entering a setting of 0. If the DUT is unable to return packets, it is recommended you do so.

Number of Samples Select the number of samples. The default is 20, which means the web UI will show the last 20 sample data (about 20 seconds) in the test case running page. You can select 20, 60, or 120.

Duration Specify the test duration. The default is 10 minutes. The test stops automatically after the duration you specify.

Network Settings

Client Ports, Server Ports

The graphic depicts the test ports for client-side and server-side connections. The client ports simulate the behavior of clients; the server ports simulate the behavior of servers. FortiTester builds the TCP connections between client ports and server ports (and through the DUT, of course).

You must select at least one client port and one server port. After you select a port for client, a (check mark) is displayed on the port icon, and a tab for the port is added below the graphic. Use the tabs to toggle the Capture Packets and Subnet settings controls for each port.

Capture Packets

Capture Packets Optional. Set packet capture options if you want to capture the traffic of this port. You can capture all packets or specify a number. You can set packet capture filters for host IP/port and protocol.

Note: The system allocates temporary disk space for packet captures. The limit is 6,000,000 packets. The packets are saved to a temporary file that you can download from the running test case page. The filename indicates whether it is client or server communication and the interface port number. For example, client_port1.pcap. When a subsequent test case with packet capture enabled uses the same interface port as a previous one, the previous file is overwritten.

MAC Masquerade

MAC Masquerade Specify the first two bytes of a MAC address for the traffic.

Virtual Router

IP Address Specify the IP address of the virtual router. This IP address is used to connect to a DUT, so it must be in the same subnet as the connected port of the DUT. Make sure the corresponding routing rules are set on the DUT so that the DUT correctly forwards traffic to the virtual router. Only a single IP address in the format xxx.xxx.xxx.xxx is accepted here.

Subnet

Subnet IP Address or Range

Specify a single IP address with standard format (for example, 10.1.2.1) or an address range like 10.1.2.1-10.1.2.99.

Netmask Specify a netmask between 1 and 31.

VLAN ID Specify a VLAN ID between 1 and 4095.

Gateway NAT mode only. Specify the gateway IP address.

Peer Network NAT mode only. Specify the peer network subnet address.

Load

Simulated Users Number of users to simulate.

Standalone mode: The default is 256. The valid range is from 1 to 250,000.

Test Center mode: The default is 512, and the valid range is from 1 to 500,000, for example, for an environment with two FortiTester appliances.

Bandwidth Limit The default is 0, which means the maximum possible. The unit is Mbps.

Standalone mode: The valid range is 10 to 20,000 (or the special value 0).

Test Center mode: The valid range is 10 to 40,000, for example, for an environment with two FortiTester appliances.

Ramp Up Seconds Time in seconds for traffic to ramp up when you start the test.

Ramp Down Seconds Time in seconds for traffic to ramp down when you stop the test.

DNS Renew Socket Specify Yes or No. If Yes, the client side renews a socket to send out the next query (note that if the client profile "Domain Policy" is set to List, all queries for the names in the domain list use the same socket; after that, a new socket is created for the next batch of queries). If No, the old socket is reused.

DNS Query Timeout The default is 1000 milliseconds.

Network

MTU Preset to 1500. Not configurable.

Profile (Client)

Source Port Range Specify a client port range. The valid range is 10,000 to 65,535, which is also the default.

IP Change Algorithm / Port Change Algorithm

Select a change algorithm: Increment or Random. This setting determines how the system changes source/destination IP addresses and ports to simulate multiple client requests. The Increment option uses the next IP address or port in the range, for example: 10.11.12.1 -> 10.11.12.2; port 10000 -> 10001. The Random option selects an IP address or port in the range randomly.

Domain Policy Random or List. If Random is selected, FortiTester generates random domain names for queries. If List is selected, FortiTester uses queries in the specified list.

Domain List If Domain Policy is List, specify a list of domain name records. For example:

fortinet.com:A,www.fortinet.com:A,fortitester.com:MX

A name followed by “:A” is an address record, while a name followed by “:MX” is a mail exchange record.

IP Option DSCP Provide quality of service (QoS)

Profile (Server)

Server Port The DNS server access port. The default is 53. The valid range is 0 to 65,535.

IP Option DSCP Provide quality of service (QoS)
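
The Domain List format in the table above maps directly onto DNS questions, which helps when validating a list before entering it or when recognizing the test queries in a packet capture. The following Python sketch is an added example, not FortiTester code; the function names are hypothetical, and rejecting record types other than the two shown in the handbook (A and MX) and accepting lower-case type names are assumptions.

```python
import struct

# Record types shown in the handbook's Domain List example, with their
# standard DNS QTYPE codes.
QTYPES = {"A": 1, "MX": 15}


def parse_domain_list(text):
    """Parse 'name:TYPE,name:TYPE,...' into a list of (name, type) tuples."""
    entries = []
    for item in text.split(","):
        item = item.strip()
        name, sep, rtype = item.rpartition(":")
        if not sep or not name:
            raise ValueError(f"{item!r}: expected name:TYPE")
        rtype = rtype.upper()
        if rtype not in QTYPES:
            raise ValueError(f"{item!r}: record type {rtype!r} is not A or MX")
        name = name.rstrip(".").lower()
        if len(name) > 253:
            raise ValueError(f"{item!r}: name longer than 253 characters")
        for label in name.split("."):
            if not 1 <= len(label) <= 63:
                raise ValueError(f"{item!r}: label length must be 1 to 63")
        entries.append((name, rtype))
    return entries


def build_query(name, rtype, txid):
    """Build the wire-format DNS query a client sends for one list entry."""
    # Header: ID, flags (recursion desired), 1 question, 0 other records.
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(
        bytes([len(label)]) + label.encode("ascii") for label in name.split(".")
    ) + b"\x00"
    return header + qname + struct.pack("!HH", QTYPES[rtype], 1)  # class IN


def read_question(packet):
    """Recover (name, qtype, qclass) from a query payload seen in a capture."""
    pos, labels = 12, []  # the question starts after the 12-byte header
    while packet[pos]:
        length = packet[pos]
        labels.append(packet[pos + 1:pos + 1 + length].decode("ascii"))
        pos += 1 + length
    qtype, qclass = struct.unpack("!HH", packet[pos + 1:pos + 5])
    return ".".join(labels), qtype, qclass


if __name__ == "__main__":
    # Domain list taken from the handbook's example row.
    sample = "fortinet.com:A,www.fortinet.com:A,fortitester.com:MX"
    for txid, (name, rtype) in enumerate(parse_domain_list(sample), start=1):
        query = build_query(name, rtype, txid)
        print(f"{name:20} {rtype:3} {len(query):3} bytes  {query.hex()}")
```
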

Starting a TCP connection test

FortiTester tests TCP concurrent connection performance by generating a specified volume of two-way TCP traffic flow via specified ports.

To start a TCP connection test:

1. Go to Cases > TCP > Connection to display the test case summary page.
2. Click Add to display the Case Options dialog box.
3. In the popup dialog, configure the network settings as described in "Using network configuration templates" on page 16.
4. Click OK to continue.
5. Configure the test case options described in Table 21.
6. Click Start to run the test case.

FortiTester saves the configuration automatically so you can run the test again later. You can also click Save to save the test case without running it.

Tip: You can also copy an existing case, and change its settings to create a new case. In the case list, click Clone to clone the configuration. Only the case name is different from the original case.

 Table 21: TCP Connection Test Case configuration

Settings Guidelines

Basic Information

Name Specify the case name, or just use the default. The name appears in the list of test cases.

Ping Server Timeout

If a FortiTester connects to a DUT via a switch, the switch might cause a ping timeout, resulting in the test case failing to run. If this occurs, increase the timeout. The default is 15 seconds. The valid range is 0 to 600. Note: You can disable this end-to-end connectivity test by entering a setting of 0. If the DUT is unable to return packets, it is recommended you do so.

Number of Samples

Select the number of samples. The default is 20, which means the web UI will show the last 20 sample data (about 20 seconds) in the test case running page. You can select 20, 60, or 120.

Duration Specify the test duration. The default is 10 minutes. The test stops automatically after the duration you specify.

Network Settings

Client Ports, Server Ports

The graphic depicts the test ports for client-side and server-side connections. The client ports simulate the behavior of clients; the server ports simulate the behavior of servers. FortiTester builds the TCP connections between client ports and server ports (and through the DUT, of course).

You must select at least one client port and one server port. After you select a port for client, a (check mark) is displayed on the port icon, and a tab for the port is added below the graphic. Use the tabs to toggle the Capture Packets and Subnet settings controls for each port.

Capture Packets

Capture Packets Optional. Set packet capture options if you want to capture the traffic of this port. You can capture all packets or specify a number. You can set packet capture filters for host IP/port and protocol.

Note: The system allocates temporary disk space for packet captures. The limit is 6,000,000 packets. The packets are saved to a temporary file that you can download from the running test case page. The filename indicates whether it is client or server communication and the interface port number. For example, client_port1.pcap. When a subsequent test case with packet capture enabled uses the same interface port as a previous one, the previous file is overwritten.

MAC Masquerade

MAC Masquerade Specify the first two bytes of a MAC address for the traffic.

Virtual Router

IP Address Specify the IP address of the virtual router. This IP address is used to connect to a DUT, so it must be in the same subnet as the connected port of the DUT. Make sure the corresponding routing rules are set on the DUT so that the DUT correctly forwards traffic to the virtual router. Only a single IP address in the format xxx.xxx.xxx.xxx is accepted here.

Subnet

Subnet IP Address or Range

Specify a single IP address with standard format (for example, 10.1.2.1) or an address range like 10.1.2.1-10.1.2.99.

Netmask Specify a netmask between 1 and 31.

VLAN ID Specify a VLAN ID between 1 and 4095.

Gateway NAT mode only. Specify the gateway IP address.

Peer Network NAT mode only. Specify the peer network subnet address.

Add Subnet If necessary, click +Add Subnet to display additional subnet configuration controls. An interface port can have multiple subnets. FortiTester uses all IP addresses in the specified subnets to create TCP connections and transfer data.

Load

Simulated Users Number of users to simulate.

Standalone mode: The default is 256. The valid range is from 1 to 1024.

Test Center mode: The default is 512, and the valid range is from 1 to 2048, for example, for an environment with two FortiTester appliances.

Concurrent Connection

Number of concurrent connections.

Standalone mode: The default is 5,000,000. The valid range is 5,000 to 5,000,000.

Test Center mode: The default is 10,000,000, and the valid range is 5,000 to 21,000,000, for example, for an environment with two FortiTester appliances.

Concurrent Close Number of connections to close at a time. To keep the DUT from losing packets, connections are closed batch by batch. Standalone mode: The default is 256, and the valid range is 1 to 10,000. Test Center mode: The default is 512, and the valid range is 1 to 10,000.

Speed Limit Rate of new connections per second. The default is 0, which means the device will create connections as fast as possible.

Standalone mode: The valid range is 256 to 600,000 connections per second (or the special value 0).

Test Center mode: The valid range is 256 to 1,200,000, for example, for an environment with two FortiTester appliances.

Network

MTU Preset to 1500. Not configurable.

Profile (Client)

Source Port Range Specify a client port range. The valid range is 10,000 to 65,535, which is also the default.

Client Close Mode Select the connection close method: 3Way_Fin or Reset.

IP Change Algorithm / Port Change Algorithm

Determines how the system changes source/destination IP addresses and ports to simulate multiple client requests. Preset to Random. Not configurable. The Random option selects an IP address or port in the range randomly.

IP Option DSCP Provide quality of service (QoS)

Piggybacking Disabled. Not configurable.

Send Size Specify the buffer size to send out from the client side. The default is 800 bytes. The valid range is from 1 to 100,000.

Receive Size Specify the buffer size to receive from the server side. The default is 1,000 bytes. The valid range is from 1 to 100,000.

Profile (Server)

Server Port Preset to 80. Not configurable.

Server Close Mode Preset to 3Way_Fin. Not configurable.

IP Option DSCP Provide quality of service (QoS)

Piggybacking Enabled, meaning an acknowledgment is sent on the data frame, not in an individual frame. Not configurable.


Starting a TCP throughput test

FortiTester tests TCP throughput by generating a specified volume of two-way TCP traffic flow via specified ports.

To start a TCP throughput test:

1. Go to Cases > TCP > Throughput to display the test case summary page.
2. Click Add to display the Case Options dialog box.
3. In the popup dialog, configure the network settings as described in "Using network configuration templates" on page 16.
4. Click OK to continue.
5. Configure the test case options described in Table 22.
6. Click Start to run the test case.

FortiTester saves the configuration automatically so you can run the test again later. You can also click Save to save the test case without running it.

Tip: You can also copy an existing case, and change its settings to create a new case. In the case list, click Clone to clone the configuration. Only the case name is different from the original case.

 Table 22: TCP Throughput Test Case configuration

Settings Guidelines

Basic Information

Name Specify the case name, or just use the default. The name appears in the list of test cases.

Ping Server Timeout

If a FortiTester connects to a DUT via a switch, the switch might cause a ping timeout, resulting in the test case failing to run. If this occurs, increase the timeout. The default is 15 seconds. The valid range is 0 to 600. Note: You can disable this end-to-end connectivity test by entering a setting of 0. If the DUT is unable to return packets, it is recommended you do so.

Number of Samples

Select the number of samples. The default is 20, which means the web UI will show the last 20 sample data (about 20 seconds) in the test case running page. You can select 20, 60, or 120.

Duration Specify the test duration. The default is 10 minutes. The test stops automatically after the duration you specify.

Network Settings


Client Ports, Server Ports

The graphic depicts the test ports for client-side and server-side connections. The client ports simulate the behavior of clients; the server ports simulate the behavior of servers. FortiTester builds the TCP connections between client ports and server ports (and through the DUT, of course).

You must select at least one client port and one server port. After you select a port for client, a check mark is displayed on the port icon, and a tab for the port is added below the graphic. Use the tabs to toggle the Capture Packets and Subnet settings controls for each port.

Capture Packets

Capture Packets Optional. Set packet capture options if you want to capture the traffic of this port. You can capture all packets or specify a number. You can set packet capture filters for host IP/port and protocol.

Note: The system allocates temporary disk space for packet captures. The limit is 6,000,000 packets. The packets are saved to a temporary file that you can download from the running test case page. The filename indicates whether it is client or server communication and the interface port number. For example, client_port1.pcap. When a subsequent test case with packet capture enabled uses the same interface port as a previous one, the previous file is overwritten.

MAC Masquerade

MAC Masquerade Specify the first two bytes of a MAC address for the traffic.

Virtual Router

IP Address Specify the IP address of the virtual router. This IP address is used to connect to a DUT, so it must be in the same subnet as the connected port of the DUT. Make sure the corresponding routing rules are set on the DUT so that the DUT correctly forwards traffic to the virtual router. Only a single IP address in the format xxx.xxx.xxx.xxx is accepted here.

Subnet

IP Address or Range

Specify a single IP address with standard format (for example, 10.1.2.1) or an address range like 10.1.2.1-10.1.2.99.

Netmask Specify a netmask between 1 and 31.

VLAN ID Specify a VLAN ID between 1 and 4095.

Gateway NAT mode only. Specify the gateway IP address.

Peer Network NAT mode only. Specify the peer network subnet address.


Add Subnet If necessary, click +Add Subnet to display additional subnet configuration controls. An interface port can have multiple subnets. FortiTester uses all IP addresses in the specified subnets to create TCP connections and transfer data.

Load

Simulated Users Number of users to simulate.

Standalone mode: The default is 256. The valid range is from 1 to 1024.

Test Center mode: The default is 512, and the valid range is from 1 to 2048, for example, for an environment with two FortiTester appliances.

Bandwidth Limit TCP data load. The default is the special value 0, which means to transfer as much data as FortiTester can generate. For all other values, the unit is Mbit per second.

Standalone mode: The valid range is 10 to 20,000.

Test Center mode: The valid range is 10 to 40,000.

Ramp Up Seconds Time in seconds for traffic to ramp up when you start the test.

Ramp Down Seconds

Time in seconds for traffic to ramp down when you stop the test.

Network

Network MTU Maximum Transmission Unit for a data packet. FortiTester does not send out data packets larger than this value. Most DUTs have a limitation for packet size. The default is 1500. Fortinet recommends that you use the default.

Throughput Buffer Size

TCP buffer size. The bigger the buffer, the better the throughput. The default is 1460 bytes. The valid range is 64 to 10M.

Profile (Client)

Source Port Range Specify a client port range. The valid range is 10,000 to 65,535, which is also the default.

IP Change Algorithm / Port Change Algorithm

Select a change algorithm: Increment or Random. This setting determines how the system changes source/destination IP addresses and ports to simulate multiple client requests. The Increment option uses the next IP address or port in the range, for example: 10.11.12.1 -> 10.11.12.2; port 10000 -> 10001. The Random option selects an IP address or port in the range randomly.

Client Close Mode Preset to Reset. Not configurable.


Piggybacking Enabled, meaning an acknowledgment is sent on the data frame, not in an individual frame. Not configurable.

IP Option DSCP Provide quality of service (QoS)

Profile (Server)

Server Port Preset to 6500. Not configurable.

Server Close Mode Preset to Reset. Not configurable.

Piggybacking Enabled. Not configurable.

IP Option DSCP Provide quality of service (QoS)

Starting a TurboTCP test

FortiTester tests TurboTCP connections per second (CPS) performance by generating a specified volume of two-way TCP traffic flow via specified ports.

The traffic generated for each connection includes the TCP three-way handshake and the TCP connection close (Reset).

To start a TurboTCP test:

1. Go to Cases > TCP > TurboTCP to display the test case summary page.
2. Click Add to display the Case Options dialog box.
3. In the popup dialog, configure the network settings as described in "Using network configuration templates" on page 16.
4. Click OK to continue.
5. Configure the test case options described in Table 23.
6. Click Start to run the test case.

FortiTester saves the configuration automatically so you can run the test again later. You can also click Save to save the test case without running it.

Tip: You can also copy an existing case, and change its settings to create a new case. In the case list, click Clone to clone the configuration. Only the case name is different from the original case.

 Table 23: TurboTCP Test Case configuration


Settings Guidelines

Basic Information

Name Specify the case name, or just use the default. The name appears in the list of test cases.

Ping Server Timeout If a FortiTester connects to a DUT via a switch, the switch might cause a ping timeout, resulting in the test case failing to run. If this occurs, increase the timeout. The default is 15 seconds. The valid range is 0 to 600. Note: You can disable this end-to-end connectivity test by entering a setting of 0. If the DUT is unable to return packets, it is recommended you do so.

Number of Samples Select the number of samples. The default is 20, which means the web UI will show the last 20 sample data (about 20 seconds) in the test case running page. You can select 20, 60, or 120.

Duration Specify the test duration. The default is 10 minutes. The test stops automatically after the duration you specify.

Network Settings

Client Ports, Server Ports

The graphic depicts the test ports for client-side and server-side connections. The client ports simulate the behavior of clients; the server ports simulate the behavior of servers. FortiTester builds the TCP connections between client ports and server ports (and through the DUT, of course).

You must select at least one client port and one server port. After you select a port for client, a check mark is displayed on the port icon, and a tab for the port is added below the graphic. Use the tabs to toggle the Capture Packets and Subnet settings controls for each port.

Capture Packets

Capture Packets Optional. Set packet capture options if you want to capture the traffic of this port. You can capture all packets or specify a number. You can set packet capture filters for host IP/port and protocol.

Note: The system allocates temporary disk space for packet captures. The limit is 6,000,000 packets. The packets are saved to a temporary file that you can download from the running test case page. The filename indicates whether it is client or server communication and the interface port number. For example, client_port1.pcap. When a subsequent test case with packet capture enabled uses the same interface port as a previous one, the previous file is overwritten.

MAC Masquerade

MAC Masquerade Specify the first two bytes of a MAC address for the traffic.

Virtual Router


IP Address Specify the IP address of the virtual router. This IP address is used to connect to a DUT, so it must be in the same subnet as the connected port of the DUT. Make sure the corresponding routing rules are set on the DUT so that the DUT correctly forwards traffic to the virtual router. Only a single IP address in the format xxx.xxx.xxx.xxx is accepted here.

Subnet

Subnet IP Address or Range

Specify a single IP address with standard format (for example, 10.1.2.1) or an address range like 10.1.2.1-10.1.2.99.

Netmask Specify a netmask between 1 and 31.

VLAN ID Specify a VLAN ID between 1 and 4095.

Gateway NAT mode only. Specify the gateway IP address.

Peer Network NAT mode only. Specify the peer network subnet address.

Proxy IP/Mask Web Proxy mode only. Specify the proxy IP address/netmask.

Add Subnet If necessary, click +Add Subnet to display additional subnet configuration controls. An interface port can have multiple subnets. FortiTester uses all IP addresses in the specified subnets to create TCP connections and transfer data.

Load

Simulated Users Number of users to simulate.

Standalone mode: The default is 256. The valid range is from 1 to 1024.

Test Center mode: The default is 512, and the valid range is from 1 to 2048, for example, for an environment with two FortiTester appliances.

Speed Limit Rate of new connections per second. The default is 0, which means the device will create connections as fast as possible.

Standalone mode: The valid range is 1,000 to 2,000,000 connections per second (or the special value 0).

Test Center mode: The valid range is 1,000 to 4,000,000, for example, for an environment with two FortiTester appliances.

Ramp Up Seconds Time in seconds for traffic to ramp up when you start the test.


Ramp Down Seconds

Time in seconds for traffic to ramp down when you stop the test.

Network

MTU Maximum Transmission Unit for a data packet. FortiTester does not send out data packets larger than this value. Most DUTs have a limitation for packet size. The default is 1500. The valid range is 1,280 to 9,000.

Profile (Client)

Source Port Range Specify a client port range. The valid range is 10,000 to 65,535, which is also the default.

IP Change Algorithm / Port Change Algorithm

Select a change algorithm: Increment or Random. This setting determines how the system changes source/destination IP addresses and ports to simulate multiple client requests. The Increment option uses the next IP address or port in the range, for example: 10.11.12.1 -> 10.11.12.2; port 10000 -> 10001. The Random option selects an IP address or port in the range randomly.

Piggybacking Disabled. Not configurable.

IP Option DSCP Provide quality of service (QoS)

Profile (Server)

Server Port Preset to 6000. The valid range is from 0 to 65,535.

Server Close Mode Preset to Reset. Not configurable.

Piggybacking Enabled, meaning an acknowledgment is sent on the data frame, not in an individual frame. Not configurable.

IP Option DSCP Provide quality of service (QoS)
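
To confirm from a downloaded capture such as client_port1.pcap that each connection completed the three-way handshake and closed as the test case says (Reset for TurboTCP), the following added example parses a capture and classifies every connection; it is not part of the handbook or of FortiTester. It assumes the file is classic libpcap with Ethernet framing (the handbook only gives the .pcap name); the sample capture, the server address 10.1.3.1 and all function names are constructed for illustration.

```python
import struct
from collections import Counter

FIN, SYN, RST, ACK = 0x01, 0x02, 0x04, 0x10
# Classic libpcap magic as stored on disk -> struct byte-order prefix.
MAGICS = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}


def iter_tcp_segments(pcap_bytes):
    """Yield (src_ip, src_port, dst_ip, dst_port, flags) per IPv4/TCP frame."""
    endian = MAGICS.get(pcap_bytes[:4])
    if endian is None or len(pcap_bytes) < 24:
        raise ValueError("not a classic pcap file (pcapng is not handled)")
    if struct.unpack(endian + "I", pcap_bytes[20:24])[0] != 1:
        raise ValueError("only Ethernet (link type 1) captures are handled")
    offset = 24
    while offset + 16 <= len(pcap_bytes):
        incl_len = struct.unpack(endian + "I", pcap_bytes[offset + 8:offset + 12])[0]
        frame = pcap_bytes[offset + 16:offset + 16 + incl_len]
        offset += 16 + incl_len
        if len(frame) < 18:
            continue
        ethertype, l3 = struct.unpack("!H", frame[12:14])[0], 14
        if ethertype == 0x8100:  # 802.1Q tag, present when a VLAN ID is set
            ethertype, l3 = struct.unpack("!H", frame[16:18])[0], 18
        if ethertype != 0x0800 or len(frame) < l3 + 20:
            continue
        l4 = l3 + (frame[l3] & 0x0F) * 4  # start of the TCP header
        if frame[l3 + 9] != 6 or len(frame) < l4 + 14:
            continue  # not TCP, or truncated before the flags byte
        sport, dport = struct.unpack("!HH", frame[l4:l4 + 4])
        src = ".".join(map(str, frame[l3 + 12:l3 + 16]))
        dst = ".".join(map(str, frame[l3 + 16:l3 + 20]))
        yield src, sport, dst, dport, frame[l4 + 13]


def classify_closes(pcap_bytes):
    """Return one record per initial SYN: client 4-tuple, handshake, close."""
    conns, active = [], {}  # active: client 4-tuple -> its current record
    for src, sport, dst, dport, flags in iter_tcp_segments(pcap_bytes):
        fwd, rev = (src, sport, dst, dport), (dst, dport, src, sport)
        if flags & SYN and not flags & ACK:
            if fwd not in active or active[fwd]["close"] != "open":  # new or reused tuple
                active[fwd] = {"flow": fwd, "synack": False, "handshake": False, "close": "open"}
                conns.append(active[fwd])
            continue  # otherwise a retransmitted SYN
        key = fwd if fwd in active else rev if rev in active else None
        if key is None:
            continue  # capture started mid-connection
        rec = active[key]
        if flags & SYN:  # SYN+ACK; only counts when sent by the server side
            rec["synack"] = rec["synack"] or key == rev
        elif flags & (RST | FIN):
            if rec["close"] == "open":  # first close signal wins
                rec["close"] = "reset" if flags & RST else "fin"
        elif flags & ACK and key == fwd and rec["synack"]:
            rec["handshake"] = True  # client ACK completes the handshake
    return conns


def summarize(conns, expected_close):
    """Counts per close type, plus flows deviating from the configured mode."""
    counts = Counter(rec["close"] for rec in conns)
    wrong_close = [r["flow"] for r in conns if r["handshake"] and r["close"] != expected_close]
    no_handshake = [r["flow"] for r in conns if not r["handshake"]]
    return counts, wrong_close, no_handshake


def make_frame(src, sport, dst, dport, flags, vlan=None):
    """Constructed Ethernet/IPv4/TCP frame, no payload, zero checksums."""
    eth = bytes.fromhex("020000000002020000000001")
    eth += (struct.pack("!HH", 0x8100, vlan) if vlan else b"") + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 0x50, flags, 65535, 0, 0)
    return eth + ip + tcp


def build_sample_pcap():
    """Constructed capture: four attempts from 10.1.2.1 to 10.1.3.1:6000."""
    client, server, frames = "10.1.2.1", "10.1.3.1", []
    shake = [("c", SYN), ("s", SYN | ACK), ("c", ACK)]
    scripts = [
        (10000, None, shake + [("c", RST | ACK)]),
        (10001, 100, shake + [("c", RST | ACK)]),  # same, tagged VLAN 100
        (10002, None, shake + [("c", FIN | ACK), ("s", FIN | ACK), ("c", ACK)]),
        (10003, None, [("c", SYN), ("c", SYN)]),  # SYN + retransmit, unanswered
    ]
    for port, vlan, script in scripts:
        for side, flags in script:
            a, b = ((client, port), (server, 6000))[::1 if side == "c" else -1]
            frames.append(make_frame(a[0], a[1], b[0], b[1], flags, vlan))
    header = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    return header + b"".join(
        struct.pack("<IIII", i, 0, len(f), len(f)) + f for i, f in enumerate(frames))
```

For a real capture, pass the file's bytes to `classify_closes` and call `summarize` with `"reset"` or `"fin"` to match the test case's close mode; flows listed as `no_handshake` are the ones to compare against the DUT's session and drop logs.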

Starting a Mail SMTP test

FortiTester tests performance of a target device under SMTP traffic by simulating a volume of clients to generate SMTP traffic.

To start an SMTP test:

1. Go to Cases > Mail > SMTP to display the test case summary page.
2. Click Add to display the Case Options dialog box.
3. In the popup dialog, configure the network settings as described in "Using network configuration templates" on page 16.
4. Click OK to continue.
5. Configure the test case options described in Table 24.
6. Click Start to run the test case.

FortiTester saves the configuration automatically so you can run the test again later. You can also click Save to save the test case without running it.

Tip: You can also copy an existing case, and change its settings to create a new case. In the case list, click Clone to clone the configuration. Only the case name is different from the original case.

 Table 24: Mail SMTP Test Case configuration

Settings Guidelines

Basic Information

Name Specify the case name, or just use the default. The name appears in the list of test cases.

Ping Server Timeout If a FortiTester connects to a DUT via a switch, the switch might cause a ping timeout, resulting in the test case failing to run. If this occurs, increase the timeout. The default is 15 seconds. The valid range is 0 to 600. Note: You can disable this end-to-end connectivity test by entering a setting of 0. If the DUT is unable to return packets, it is recommended you do so.

Number of Samples Select the number of samples. The default is 20, which means the web UI will show the last 20 sample data (about 20 seconds) in the test case running page. You can select 20, 60, or 120.

Duration Specify the test duration. The default is 10 minutes. The test stops automatically after the duration you specify.

Network Settings

Client Ports, Server Ports

The graphic depicts the test ports for client-side and server-side connections. The client ports simulate the behavior of clients; the server ports simulate the behavior of servers. FortiTester builds the TCP connections between client ports and server ports (and through the DUT, of course).

You must select at least one client port and one server port. After you select a port for client, a check mark is displayed on the port icon, and a tab for the port is added below the graphic. Use the tabs to toggle the Capture Packets and Subnet settings controls for each port.


Capture Packets

Capture Packets Optional. Set packet capture options if you want to capture the traffic of this port. You can capture all packets or specify a number. You can set packet capture filters for host IP/port and protocol.

Note: The system allocates temporary disk space for packet captures. The limit is 6,000,000 packets. The packets are saved to a temporary file that you can download from the running test case page. The filename indicates whether it is client or server communication and the interface port number. For example, client_port1.pcap. When a subsequent test case with packet capture enabled uses the same interface port as a previous one, the previous file is overwritten.

MAC Masquerade

MAC Masquerade Specify the first two bytes of a MAC address for the traffic.

Virtual Router

IP Address Specify the IP address of the virtual router. This IP address is used to connect to a DUT, so it must be in the same subnet as the connected port of the DUT. Make sure the corresponding routing rules are set on the DUT so that the DUT correctly forwards traffic to the virtual router. Only a single IP address in the format xxx.xxx.xxx.xxx is accepted here.

Subnet

Subnet IP Address or Range Specify a single IP address with standard format (for example, 10.1.2.1) or an address range like 10.1.2.1-10.1.2.99.

Netmask Specify a netmask between 1 and 31.

Add Subnet If necessary, click +Add Subnet to display additional subnet configuration controls. An interface port can have multiple subnets. FortiTester uses all IP addresses in the specified subnets to create UDP connections and transfer data.

Load


Simulated Users Number of users to simulate.

Standalone mode: The default is 256. The valid range is from 1 to 1024.

Test Center mode: The default is 512, and the valid range is from 1 to 2048, for example, for an environment with two FortiTester appliances.

Mail Set mail content for the simulated SMTP traffic. This is editable.

SMTP Email Address The email sender address. The default is “[email protected]”.

SMTP Email To The email receiver address. The default is “[email protected]”.

SMTP Email Password The password of email sender. The default is “tester@fts”.

Limit

Mail Send Limit Rate for sending mails per second. The default is 0, which means the maximum possible.

Standalone mode: The valid range is 100 to 180,000 (or the special value 0).

Test Center mode: The valid range is 100 to 360,000, for example, for an environment with two FortiTester appliances.

Ramp Up Seconds Time in seconds for traffic to ramp up when you start the test.

Ramp Down Seconds Time in seconds for traffic to ramp down when you stop the test.

Network

MTU Maximum Transmission Unit for a data packet. FortiTester does not send out data packets larger than this value. Most DUTs have a limitation for packet size. The default is 1500. The valid range is 1,280 to 9,000.

Profile (Client)


Source Port Range Specify a client port range. The valid range is 10,000 to 65,535, which is also the default.

Client Close Mode Preset to 3Way_Fin. Not configurable.

IP Change Algorithm / Port Change Algorithm

Determines how the system changes source/destination IP addresses and ports to simulate multiple client requests. Preset to Increment. Not configurable. The Increment option uses the next IP address or port in the range, for example: 10.11.12.1 -> 10.11.12.2; port 10000 -> 10001. The Random option selects an IP address or port in the range randomly.

IP Option DSCP Provide quality of service (QoS)

Profile (Server)

Server Port Preset to 25. Not configurable.

IP Option DSCP Provide quality of service (QoS)

Starting a Mail POP3 test

FortiTester tests the ability of the DUT to handle different types of mail POP3. This test traffic establishes a TCP connection (three-way handshake), receives one mail by POP3 and closes the TCP connection.

To start a POP3 test:

1. Go to Cases > Mail > POP3 to display the test case summary page.
2. Click Add to display the Case Options dialog box.
3. In the pop-up dialog, configure the network settings as described in "Using network configuration templates" on page 16.
4. Click OK to continue.
5. Configure the test case options described in Table 25.
6. Click Start to run the test case.

FortiTester saves the configuration automatically so you can run the test again later. You can also click Save to save the test case without running it.

Tip: You can also copy an existing case, and change its settings to create a new case. In the case list, click Clone to clone the configuration. Only the case name is different from the original case.

 Table 25: Mail POP3 Test Case configuration


Settings Guidelines

Basic Information

Name Specify the case name, or just use the default. The name appears in the list of test cases.

Ping Server Timeout

If a FortiTester connects to a DUT via a switch, the switch might cause a ping timeout, resulting in the test case failing to run. If this occurs, increase the timeout. The default is 15 seconds. The valid range is 0 to 600. Note: You can disable this end-to-end connectivity test by entering a setting of 0. If the DUT is unable to return packets, it is recommended you do so.

Number of Samples

Select the number of samples. The default is 20, which means the web UI will show the last 20 sample data (about 20 seconds) in the test case running page. You can select 20, 60, or 120.

Duration Specify the test duration. The default is 10 minutes. The test stops automatically after the duration you specify.

Network Settings

Client Ports, Server Ports

The graphic depicts the test ports for client-side and server-side connections. The client ports simulate the behavior of clients; the server ports simulate the behavior of servers. FortiTester builds the TCP connections between client ports and server ports (and through the DUT, of course).

You must select at least one client port and one server port. After you select a port for client, a check mark is displayed on the port icon, and a tab for the port is added below the graphic. Use the tabs to toggle the Capture Packets and Subnet settings controls for each port.

Capture Packets

Capture Packets Optional. Set packet capture options if you want to capture the traffic of this port. You can capture all packets or specify a number. You can set packet capture filters for host IP/port and protocol.

Note: The system allocates temporary disk space for packet captures. The limit is 6,000,000 packets. The packets are saved to a temporary file that you can download from the running test case page. The filename indicates whether it is client or server communication and the interface port number. For example, client_port1.pcap. When a subsequent test case with packet capture enabled uses the same interface port as a previous one, the previous file is overwritten.

MAC Masquerade

MAC Masquerade Specify the first two bytes of a MAC address for the traffic.

Virtual Router


IP Address Specify the IP address of the virtual router. This IP address is used to connect to a DUT, so it must be in the same subnet as the connected port of the DUT. Make sure the corresponding routing rules are set on the DUT so that the DUT correctly forwards traffic to the virtual router. Only a single IP address in the format xxx.xxx.xxx.xxx is accepted here.

Subnet

Subnet IP Address or Range

Specify a single IP address with standard format (for example, 10.1.2.1) or an address range like 10.1.2.1-10.1.2.99.

Netmask Specify a netmask between 1 and 31.

Gateway NAT mode only. Specify the gateway IP address.

Peer Network NAT mode only. Specify the peer network subnet address.

VLAN ID Specify a VLAN ID between 1 and 4095.

Load

Mail Set mail content for the simulated SMTP traffic. This is editable.

Simulated Users Number of users to simulate.

Standalone mode: The default is 256. The valid range is from 1 to 1024.

Test Center mode: The default is 512, and the valid range is from 1 to 2048, for example, for an environment with two FortiTester appliances.

Pop3 Email Address

The email sender address. The default is “[email protected]”.

Pop3 Email Password

The password of the email sender. The default is “tester@fts”.

Limit

Mail Receive Limit Rate for sending mails per second. The default is 0, which means the maximum possible.

Standalone mode: The valid range is 100 to 180,000 (or the special value 0).

Test Center mode: The valid range is 100 to 360,000, for example, for an environment with two FortiTester appliances.

Ramp Up Seconds Time in seconds for traffic to ramp up when you start the test.


Ramp Down Seconds

Time in seconds for traffic to ramp down when you stop the test.

Network

Network MTU Maximum Transmission Unit for a data packet. FortiTester does not send out data packets larger than this value. Most DUTs have a limitation for packet size. The default is 1500. The valid range is 1,280 to 9,000.

Profile (Client)

Source Port Range Specify a client port range. The valid range is 10,000 to 65,535, which is also the default.

IP Change Algorithm / Port Change Algorithm

Select a change algorithm: Increment or Random. This setting determines how the system changes source/destination IP addresses and ports to simulate multiple client requests. The Increment option uses the next IP address or port in the range, for example: 10.11.12.1 -> 10.11.12.2; port 10000 -> 10001. The Random option selects an IP address or port in the range randomly.

IP Option DSCP Provide quality of service (QoS)

Profile (Server)

Server Port Preset to 80. Not configurable.

IP Option DSCP Provide quality of service (QoS)

Starting a Mail IMAP test

FortiTester tests the ability of the DUT to handle different types of mail IMAP. This test establishes a TCP connection (three-way handshake), receives one email by IMAP and closes the TCP connection.

To start an IMAP test:

1. Go to Cases > Mail > IMAP to display the test case summary page.
2. Click Add to display the Case Options dialog box.
3. In the pop-up dialog, configure the network settings as described in "Using network configuration templates" on page 16.
4. Click OK to continue.
5. Configure the test case options described in Table 26.
6. Click Start to run the test case.

FortiTester saves the configuration automatically so you can run the test again later. You can also click Save to save the test case without running it.


Tip: You can also copy an existing case, and change its settings to create a new case. In the case list, click Clone to clone the configuration. Only the case name is different from the original case.

 Table 26: Mail IMAP Test Case configuration

Settings Guidelines

Basic Information

Name Specify the case name, or just use the default. The name appears in the list of test cases.

Ping Server Timeout

If a FortiTester connects to a DUT via a switch, the switch might cause a ping timeout, resulting in the test case failing to run. If this occurs, increase the timeout. The default is 15 seconds. The valid range is 0 to 600. Note: You can disable this end-to-end connectivity test by entering a setting of 0. If the DUT is unable to return packets, it is recommended you do so.

Number of Samples

Select the number of samples. The default is 20, which means the web UI will show the last 20 sample data (about 20 seconds) in the test case running page. You can select 20, 60, or 120.

Duration Specify the test duration. The default is 10 minutes. The test stops automatically after the duration you specify.

Network Settings

Client Ports, Server Ports

The graphic depicts the test ports for client-side and server-side connections. The client ports simulate the behavior of clients; the server ports simulate the behavior of servers. FortiTester builds the TCP connections between client ports and server ports (and through the DUT, of course).

You must select at least one client port and one server port. After you select a port for client, a check mark is displayed on the port icon, and a tab for the port is added below the graphic. Use the tabs to toggle the Capture Packets and Subnet settings controls for each port.

Capture Packets


Capture Packets Optional. Set packet capture options if you want to capture the traffic of this port. You can capture all packets or specify a number. You can set packet capture filters for host IP/port and protocol.

Note: The system allocates temporary disk space for packet captures. The limit is 6,000,000 packets. The packets are saved to a temporary file that you can download from the running test case page. The filename indicates whether it is client or server communication and the interface port number. For example, client_port1.pcap. When a subsequent test case with packet capture enabled uses the same interface port as a previous one, the previous file is overwritten.

MAC Masquerade

MAC Masquerade Specify the first two bytes of a MAC address for the traffic.

Virtual Router

IP Address Specify the IP address of the virtual router. This IP address is used to connect to a DUT, so it must be in the same subnet as the connected port of the DUT. Make sure the corresponding routing rules are set on the DUT so that the DUT correctly forwards traffic to the virtual router. Only a single IP address in the format xxx.xxx.xxx.xxx is accepted here.

Subnet

Subnet IP Address or Range

Specify a single IP address with standard format (for example, 10.1.2.1) or an address range like 10.1.2.1-10.1.2.99.

Netmask Specify a netmask between 1 and 31.

Gateway NAT mode only. Specify the gateway IP address.

Peer Network NAT mode only. Specify the peer network subnet address.

VLAN ID Specify a VLAN ID between 1 and 4095.

Load

Mail Set mail content for the simulated SMTP traffic. This is editable.

Simulated Users Number of users to simulate.

Standalone mode: The default is 256. The valid range is from 1 to 1024.

Test Center mode: The default is 512, and the valid range is from 1 to 2048, for example, for an environment with two FortiTester appliances.


IMAP Email Address The email sender address. The default is “[email protected]”.

IMAP Email Password The password of the email sender. The default is “tester@fts”.

Limit

Mail Receive Limit Rate for sending mails per second. The default is 0, which means the maximum possible.

Standalone mode: The valid range is 100 to 180,000 (or the special value 0).

Test Center mode: The valid range is 100 to 360,000, for example, for an environment with two FortiTester appliances.

Ramp Up Seconds Time in seconds for traffic to ramp up when you start the test.

Ramp Down Seconds Time in seconds for traffic to ramp down when you stop the test.

Network

Network MTU Maximum Transmission Unit for a data packet. FortiTester does not send out data packets larger than this value. Most DUTs have a limitation for packet size. The default is 1500. The valid range is 1,280 to 9,000.

Profile (Client)

Source Port Range Specify a client port range. The valid range is 10,000 to 65,535, which is also the default.

IP Change Algorithm / Port Change Algorithm Select a change algorithm: Increment or Random. This setting determines how the system changes source/destination IP addresses and ports to simulate multiple client requests. The Increment option uses the next IP address or port in the range, for example: 10.11.12.1 -> 10.11.12.2; port 10000 -> 10001. The Random option selects an IP address or port in the range randomly.

IP Option DSCP Provide quality of service (QoS)

Profile (Server)

Server Port Preset to 143. Range: 0 - 65535

IP Option DSCP Provide quality of service (QoS)


Starting a FTP test

This FortiTester test establishes a TCP connection (three-way handshake), transfers one file by FTP, and then closes the TCP connection.

To start a FTP test:

1. Go to Cases > FTP > FTP to display the test case summary page.
2. Click Add to display the Case Options dialog box.
3. In the pop-up dialog, configure the network settings as described in "Using network configuration templates" on page 16.
4. Click OK to continue.
5. Configure the test case options described in Table 27.
6. Click Start to run the test case.
FortiTester saves the configuration automatically so you can run the test again later. You can also click Save to save the test case without running it.

Tip: You can also copy an existing case, and change its settings to create a new case. In the case list, click Clone to clone the configuration. Only the case name is different from the original case.

 Table 27: FTP Test Case configuration

Settings Guidelines

Basic Information

Name Specify the case name, or just use the default. The name appears in the list of test cases.

Ping Server Timeout If a FortiTester connects to a DUT via a switch, the switch might cause a ping timeout, resulting in the test case failing to run. If this occurs, increase the timeout. The default is 15 seconds. The valid range is 0 to 600. Note: You can disable this end-to-end connectivity test by entering a setting of 0. If the DUT is unable to return packets, it is recommended you do so.

Number of Samples Select the number of samples. The default is 20, which means the web UI will show the last 20 sample data (about 20 seconds) in the test case running page. You can select 20, 60, or 120.

Duration Specify the test duration. The default is 10 minutes. The test stops automatically after the duration you specify.

Network Settings


Client Ports, Server Ports The graphic depicts the test ports for client-side and server-side connections. The client ports simulate the behavior of clients; the server ports simulate the behavior of servers. FortiTester builds the TCP connections between client ports and server ports (and through the DUT, of course).

You must select at least one client port and one server port. After you select a port for client, a (check mark) is displayed on the port icon, and a tab for the port is added below the graphic. Use the tabs to toggle the Capture Packets and Subnet settings controls for each port.

Capture Packets

Capture Packets Optional. Set packet capture options if you want to capture the traffic of this port. You can capture all packets or specify a number. You can set packet capture filters for host IP/port and protocol.

Note: The system allocates temporary disk space for packet captures. The limit is 6,000,000 packets. The packets are saved to a temporary file that you can download from the running test case page. The filename indicates whether it is client or server communication and the interface port number. For example, client_port1.pcap. When a subsequent test case with packet capture enabled uses the same interface port as a previous one, the previous file is overwritten.

MAC Masquerade

MAC Masquerade Specify the first two bytes of a MAC address for the traffic.

Virtual Router

IP Address Specify the IP address of the virtual router. This IP address is used to connect to a DUT, so it must be in the same subnet as the connected port of the DUT. Make sure the corresponding routing rules are set on the DUT, so that the DUT correctly forwards traffic to the virtual router. Only a single IP address in the format xxx.xxx.xxx.xxx is accepted here.

Subnet

Subnet IP Address or Range Specify a single IP address with standard format (for example, 10.1.2.1) or an address range like 10.1.2.1-10.1.2.99.

Netmask Specify a netmask between 1 and 31.

VLAN ID Specify a VLAN ID between 1 and 4095.

Gateway NAT mode only. Specify the gateway IP address.

Peer Network NAT mode only. Specify the peer network subnet address.


Load

Simulated Users Number of users to simulate.

Standalone mode: The default is 256. The valid range is from 1 to 1024.

Test Center mode: The default is 512, and the valid range is from 1 to 2048, for example, for an environment with two FortiTester appliances.

DDoS Type DDoS attack traffic: TCP Session Flood. After you select a type, selection boxes for subtypes are displayed below. To change the percentage mix of subtypes, double-click the pie chart and adjust the percentages.

Speed Limit Applies only when DDoS type is TCP Session Flood or HTTP Session Flood. Rate of new connections per second. The default is 0, which means the device will create connections as fast as possible.

Standalone mode: The valid range is from 1,000 to 1,050,000 connections per second (or the special value 0).

Test Center mode: The valid range is from 1,000 to 1,050,000, for example, for an environment with two FortiTester appliances.

Concurrent Connection Applies only when DDoS type is Concurrent Session Flood. Number of concurrent connections.

Standalone mode: The default is 6,000,000. The valid range is from 10,000 to 6,000,000.

Test Center mode: The default is 12,000,000, and the valid range is 10,000 to 12,000,000, for example, for an environment with two FortiTester appliances.

Ramp Up Seconds Time in seconds for traffic to ramp up when you start the test. Not available for Concurrent Session Flood test.

Ramp Down Seconds Time in seconds for traffic to ramp down when you stop the test. Not available for Concurrent Session Flood test.

Network

Network MTU Maximum Transmission Unit for a data packet. FortiTester does not send out data packets larger than this value. Most DUTs have a limitation for packet size. The default is 1500. The valid range is 1,280 to 9,000.

Profile (Client)


Source Port Range Specify a client port range. The valid range is 10,000 to 65,535, which is also the default.

IP Change Algorithm / Port Change Algorithm Select a change algorithm: Increment or Random. This setting determines how the system changes source/destination IP addresses and ports to simulate multiple client requests. The Increment option uses the next IP address or port in the range, for example: 10.11.12.1 -> 10.11.12.2; port 10000 -> 10001. The Random option selects an IP address or port in the range randomly.

Piggybacking Disabled, meaning an acknowledgment is sent in an individual frame. Not configurable.

IP Option DSCP Provide quality of service (QoS)

Profile (Server)

Server Port Preset to 80. Not configurable.

Piggybacking Enabled. Not configurable.

Server Close Mode Set to 3 Way Fin by default. Not configurable.

IP Option DSCP Provide quality of service (QoS)

Starting an Attack Replay test

FortiTester can test security systems by replaying a predefined or customized set of attack traffic. The predefined set covers 100 types of attacks. The test result shows the CVE-ID for every type of attack. You can also see the attack list in the Cases > Replay > Attack page.

Note: The Attack Replay test is available only in Standalone work mode.

Before you begin:

• Optional. If you want to test custom attack traffic, you must create a package of pcap files that can be replayed. Only IPv4 traffic is supported. Follow the file naming convention: Description[_CVE-$CVEID].pcap. Here [] means optional. The file type can be .pcap, .tgz, .tar.gz, or .zip. A .tgz, .tar.gz, or .zip file includes a group of .pcap files. Maximum file size is 200MB. You can upload it, put it into a default or customized group, and then select the group of attack files you want to replay later.

To start an Attack Replay test:

1. Go to Cases > Replay > Attack to display the test case summary page.
2. Click Add to display the Case Options dialog box.
3. In the pop-up dialog, configure the network settings as described in "Using network configuration templates" on page 16.
4. Click OK to continue.
5. Configure the test case options described in Table 28.
6. Click Start to run the test case.
FortiTester saves the configuration automatically so you can run the test again later. You can also click Save to save the test case without running it.

Tip: You can also copy an existing case, and change its settings to create a new case. In the case list, click Clone to clone the configuration. Only the case name is different from the original case.

 Table 28: Attack Replay Test Case configuration

Settings Guidelines

Basic Information

Name Specify the case name, or just use the default. The name appears in the list of test cases.

Ping Server Timeout If a FortiTester connects to a DUT via a switch, the switch might cause a ping timeout, resulting in the test case failing to run. If this occurs, increase the timeout. The default is 15 seconds. The valid range is 0 to 600. Note: You can disable this end-to-end connectivity test by entering a setting of 0. If the DUT is unable to return packets, it is recommended you do so.

Network Settings

Client Ports, Server Ports The graphic depicts the test ports for client-side and server-side connections. The client ports simulate the behavior of clients; the server ports simulate the behavior of servers. FortiTester builds the TCP connections between client ports and server ports (and through the DUT, of course).

You must select at least one client port and one server port. After you select a port for client, a (check mark) is displayed on the port icon, and a tab for the port is added below the graphic. Use the tabs to toggle the Capture Packets and Subnet settings controls for each port.

Capture Packets

Capture Packets Optional. Set packet capture options if you want to capture the traffic of this port. You can capture all packets or specify a number. You can set packet capture filters for host IP/port and protocol.

Note: The system allocates temporary disk space for packet captures. The limit is 6,000,000 packets. The packets are saved to a temporary file that you can download from the running test case page. The filename indicates whether it is client or server communication and the interface port number. For example, client_port1.pcap. When a subsequent test case with packet capture enabled uses the same interface port as a previous one, the previous file is overwritten.


Subnet

Subnet IP Address or Range Specify a single IP address with standard format (for example, 10.1.2.1) or an address range like 10.1.2.1-10.1.2.99.

Netmask Specify a netmask between 1 and 31.

Gateway NAT mode only. Specify the gateway IP address.

Peer Network NAT mode only. Specify the peer network subnet address.

Load

Peer Receiving Timeout This timeout specifies how long the client waits for a response from the server. If the client does not receive a response within the timeout, it considers the packet lost. The default value is 2 milliseconds.

Break Once Packet Lost Select Yes or No. The Yes option means when the system identifies packet loss (the server side has not received the packet that client sent out), it stops the current traffic replay (pcap file), and continues the test with the next traffic file. The No option (the default) means a break is not set; the current replay continues.

Network

MTU Preset to 1500. Not configurable.

Action

Enable System Attack List Enable/disable the system attack list. There are 100 types of attacks in the system attack list.

User Intrusion Optional. Select attacks from the user-defined attack list. Before you can select them, you must upload pcap files that contain your customized attack traffic. At the top of the case list, click User Attack Management and then upload your file.

Starting a Traffic Replay test

FortiTester tests user-defined scenarios by replaying pcap files. Typically, pcap files are generated by programs like tcpdump or Wireshark.

Note: The Traffic Replay test is available only in Standalone work mode.

Before you begin:

• You must create pcap files that can be replayed. Only IPv4 traffic is supported. Maximum file size is 200MB.
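The "Before you begin" requirements for the Attack Replay and Traffic Replay tests (IPv4 traffic only, 200MB maximum, and for custom attacks the Description[_CVE-$CVEID].pcap name) can be checked before upload. The following pre-upload check is an added example, not part of the handbook or of FortiTester; the function names, the YYYY-NNNN shape assumed for $CVEID, the restriction to classic pcap files with Ethernet framing, and the sample frames are assumptions made here.

```python
import re
import struct
from collections import Counter

MAX_BYTES = 200 * 1024 * 1024               # handbook: maximum file size is 200MB
ARCHIVE_EXT = (".tgz", ".tar.gz", ".zip")   # handbook: archives hold a group of .pcap files
# Description[_CVE-$CVEID].pcap, CVE part optional. ASSUMPTION: $CVEID looks like YYYY-NNNN.
NAME_RE = re.compile(r"^(?P<desc>.+?)(?:_CVE-(?P<cve>\d{4}-\d{4,}))?\.pcap$")


def check_upload(filename, size_bytes):
    """Return a list of problems with an upload candidate (empty list = acceptable)."""
    problems = []
    if size_bytes > MAX_BYTES:
        problems.append("larger than 200MB")
    if filename.endswith(ARCHIVE_EXT):
        return problems                     # member names are checked after unpacking
    m = NAME_RE.match(filename)
    if m is None:
        problems.append("not a .pcap, .tgz, .tar.gz or .zip file")
    elif m.group("cve") is None and "_CVE-" in m.group("desc"):
        problems.append("malformed _CVE- suffix")
    return problems


def ethertype_report(pcap_bytes):
    """Count frames per EtherType in a classic pcap file with Ethernet link type."""
    if len(pcap_bytes) < 24:
        raise ValueError("truncated pcap global header")
    magic = pcap_bytes[:4]
    if magic in (b"\xd4\xc3\xb2\xa1", b"\x4d\x3c\xb2\xa1"):
        endian = "<"                        # little-endian, micro- or nanosecond variant
    elif magic in (b"\xa1\xb2\xc3\xd4", b"\xa1\xb2\x3c\x4d"):
        endian = ">"
    else:
        raise ValueError("not a classic pcap file (pcapng or other format)")
    linktype = struct.unpack(endian + "I", pcap_bytes[20:24])[0]
    if linktype != 1:
        raise ValueError("link type %d is not Ethernet" % linktype)
    counts, offset = Counter(), 24
    while offset + 16 <= len(pcap_bytes):
        incl_len = struct.unpack(endian + "I", pcap_bytes[offset + 8:offset + 12])[0]
        frame = pcap_bytes[offset + 16:offset + 16 + incl_len]
        if len(frame) < incl_len:
            raise ValueError("truncated packet record")
        offset += 16 + incl_len
        pos = 12                            # EtherType follows the two MAC addresses
        while frame[pos:pos + 2] in (b"\x81\x00", b"\x88\xa8"):
            pos += 4                        # skip 802.1Q / 802.1ad VLAN tags
        if len(frame) < pos + 2:
            counts["short"] += 1            # frame too short to carry an EtherType
            continue
        counts[struct.unpack("!H", frame[pos:pos + 2])[0]] += 1
    return counts


def non_ipv4(counts):
    """Everything that is not EtherType 0x0800 (IPv4), as a plain dict."""
    return {k: v for k, v in counts.items() if k != 0x0800}


def make_frame(ethertype, vlan=None):
    """Constructed 60-byte Ethernet frame with a zero-filled payload (sample data)."""
    tag = b"" if vlan is None else b"\x81\x00" + struct.pack("!H", vlan)
    head = b"\x02\x00\x00\x00\x00\x02" + b"\x02\x00\x00\x00\x00\x01" + tag
    head += struct.pack("!H", ethertype)
    return head + bytes(60 - len(head))


def sample_pcap():
    """Constructed capture: IPv4 frame, VLAN-tagged IPv4 frame, IPv6 frame."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for f in (make_frame(0x0800), make_frame(0x0800, vlan=100), make_frame(0x86DD)):
        out += struct.pack("<IIII", 0, 0, len(f), len(f)) + f
    return out


if __name__ == "__main__":
    # CVE-0000-0000 is a placeholder, not a real identifier.
    for name in ("smb_probe_CVE-0000-0000.pcap", "dns_probe.pcap", "notes.txt"):
        print(name, check_upload(name, 4096) or "ok")
    leftovers = non_ipv4(ethertype_report(sample_pcap()))
    print({hex(k): v for k, v in leftovers.items()} or "IPv4 only")
```

Any EtherType reported by `non_ipv4` marks frames to filter out of the capture before upload.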


To start a Traffic Replay test:

1. Go to Cases > Replay > Traffic to display the test case summary page.
2. Click Add to display the Case Options dialog box.
3. In the pop-up dialog, configure the network settings as described in "Using network configuration templates" on page 16.
4. Click OK to continue.
5. Configure the test case options described in Table 29.
6. Click Start to run the test case.
FortiTester saves the configuration automatically so you can run the test again later. You can also click Save to save the test case without running it.

Tip: You can also copy an existing case, and change its settings to create a new case. In the case list, click Clone to clone the configuration. Only the case name is different from the original case.

 Table 29: Traffic Replay Test Case configuration

Settings Guidelines

Basic Information

Name Specify the case name, or just use the default. The name appears in the list of test cases.

Ping Server Timeout If a FortiTester connects to a DUT via a switch, the switch might cause a ping timeout, resulting in the test case failing to run. If this occurs, increase the timeout. The default is 15 seconds. The valid range is 0 to 600. Note: You can disable this end-to-end connectivity test by entering a setting of 0. If the DUT is unable to return packets, it is recommended you do so.

Number of Samples Select the number of samples. The default is 20, which means the web UI will show the last 20 sample data (about 20 seconds) in the test case running page. You can select 20, 60, or 120.

Duration Specify the test duration. The default is 10 minutes. The test stops automatically after the duration you specify.

Network Settings


Client Ports, Server Ports The graphic depicts the test ports for client-side and server-side connections. The client ports simulate the behavior of clients; the server ports simulate the behavior of servers. FortiTester builds the TCP connections between client ports and server ports (and through the DUT, of course).

You must select at least one client port and one server port. After you select a port for client, a (check mark) is displayed on the port icon, and a tab for the port is added below the graphic. Use the tabs to toggle the Capture Packets and Subnet settings controls for each port.

Capture Packets

Capture Packets Optional. Set packet capture options if you want to capture the traffic of this port. You can capture all packets or specify a number. You can set packet capture filters for host IP/port and protocol.

Note: The system allocates temporary disk space for packet captures. The limit is 6,000,000 packets. The packets are saved to a temporary file that you can download from the running test case page. The filename indicates whether it is client or server communication and the interface port number. For example, client_port1.pcap. When a subsequent test case with packet capture enabled uses the same interface port as a previous one, the previous file is overwritten.

Subnet

Subnet IP Address or Range Specify a single IP address with standard format (for example, 10.1.2.1) or an address range like 10.1.2.1-10.1.2.99.

Netmask Specify a netmask between 1 and 31.

Gateway NAT mode only. Specify the gateway IP address.

Peer Network NAT mode only. Specify the peer network subnet address.

Load

Bandwidth Limit The default is 0, which means the maximum possible. The valid range is 10 to 10,000 Mbps (or the special value 0).

Loops Number of times to play the pcap file. The default is 10,000. 0 means as many as possible.

Input Pcap You can upload pcap files from your PC and select one to send. Note the uploaded files can be used for future cases.

Network

MTU Preset to 1500. Not configurable.


Starting a DDoS single packet flood test

FortiTester tests the ability of the DUT to handle different types of DDoS attacks. This test attempts to deplete the DUT resources by flooding the DUT with non-session based attacks.

To start a single packet flood test:

1. Go to Cases > DDoS > Single Packet Flood to display the test case summary page.
2. Click Add to display the Case Options dialog box.
3. In the pop-up dialog, configure the network settings as described in "Using network configuration templates" on page 16.
4. Click OK to continue.
5. Configure the test case options described in Table 30.
6. Click Start to run the test case.
FortiTester saves the configuration automatically so you can run the test again later. You can also click Save to save the test case without running it.

Tip: You can also copy an existing case, and change its settings to create a new case. In the case list, click Clone to clone the configuration. Only the case name is different from the original case.

 Table 30: DDoS Single Packet Flood Test Case configuration

Settings Guidelines

Basic Information

Name Specify the case name, or just use the default. The name appears in the list of test cases.

Ping Server Timeout If a FortiTester connects to a DUT via a switch, the switch might cause a ping timeout, resulting in the test case failing to run. If this occurs, increase the timeout. The default is 15 seconds. The valid range is 0 to 600. Note: You can disable this end-to-end connectivity test by entering a setting of 0. If the DUT is unable to return packets, it is recommended you do so.

Number of Samples Select the number of samples. The default is 20, which means the web UI will show the last 20 sample data (about 20 seconds) in the test case running page. You can select 20, 60, or 120.

Duration Specify the test duration. The default is 10 minutes. The test stops automatically after the duration you specify.

Network Settings


Client Ports, Server Ports The graphic depicts the test ports for client-side and server-side connections. The client ports simulate the behavior of clients; the server ports simulate the behavior of servers. FortiTester builds the TCP connections between client ports and server ports (and through the DUT, of course).

You must select at least one client port and one server port. After you select a port for client, a (check mark) is displayed on the port icon, and a tab for the port is added below the graphic. Use the tabs to toggle the Capture Packets and Subnet settings controls for each port.

Capture Packets

Capture Packets Optional. Set packet capture options if you want to capture the traffic of this port. You can capture all packets or specify a number. You can set packet capture filters for host IP/port and protocol.

Note: The system allocates temporary disk space for packet captures. The limit is 6,000,000 packets. The packets are saved to a temporary file that you can download from the running test case page. The filename indicates whether it is client or server communication and the interface port number. For example, client_port1.pcap. When a subsequent test case with packet capture enabled uses the same interface port as a previous one, the previous file is overwritten.

MAC Masquerade

MAC Masquerade Specify the first two bytes of a MAC address for the traffic.

Virtual Router

IP Address Specify the IP address of the virtual router. This IP address is used to connect to a DUT, so it must be in the same subnet as the connected port of the DUT. Make sure the corresponding routing rules are set on the DUT, so that the DUT correctly forwards traffic to the virtual router. Only a single IP address in the format xxx.xxx.xxx.xxx is accepted here.

Subnet

Subnet IP Address or Range Specify a single IP address with standard format (for example, 10.1.2.1) or an address range like 10.1.2.1-10.1.2.99.

Netmask Specify a netmask between 1 and 31.

VLAN ID Specify a VLAN ID between 1 and 4095.

Gateway NAT mode only. Specify the gateway IP address.

Peer Network NAT mode only. Specify the peer network subnet address.


Load

Simulated Users Number of users to simulate.

Standalone mode: The default is 256. The valid range is from 1 to 1024.

Test Center mode: The default is 512, and the valid range is from 1 to 2048, for example, for an environment with two FortiTester appliances.

DDoS Type DDoS attack traffic: Single Packet Flood. After you select a type, selection boxes for subtypes are displayed below. To change the percentage mix of subtypes, double-click the pie chart and adjust the percentages.

Speed Limit Applies only when DDoS type is TCP Session Flood or HTTP Session Flood. Rate of new connections per second. The default is 0, which means the device will create connections as fast as possible.

Standalone mode: The valid range is from 1,000 to 20,000 connections per second (or the special value 0).

Test Center mode: The valid range is from 1,000 to 20,000, for example, for an environment with two FortiTester appliances.

Concurrent Connection Applies only when DDoS type is Concurrent Session Flood. Number of concurrent connections.

Standalone mode: The default is 6,000,000. The valid range is from 10,000 to 6,000,000.

Test Center mode: The default is 12,000,000, and the valid range is 10,000 to 12,000,000, for example, for an environment with two FortiTester appliances.

Ramp Up Seconds Time in seconds for traffic to ramp up when you start the test. Not available for Concurrent Session Flood test.

Ramp Down Seconds Time in seconds for traffic to ramp down when you stop the test. Not available for Concurrent Session Flood test.

Network

Network MTU Maximum Transmission Unit for a data packet. FortiTester does not send out data packets larger than this value. Most DUTs have a limitation for packet size. The default is 1500. The valid range is 1,280 to 9,000.

Profile (Client)


Source Port Range Specify a client port range. The valid range is 10,000 to 65,535, which is also the default.

IP Change Algorithm / Port Change Algorithm Select a change algorithm: Increment or Random. This setting determines how the system changes source/destination IP addresses and ports to simulate multiple client requests. The Increment option uses the next IP address or port in the range, for example: 10.11.12.1 -> 10.11.12.2; port 10000 -> 10001. The Random option selects an IP address or port in the range randomly.

Piggybacking Disabled, meaning an acknowledgment is sent in an individual frame. Not configurable.

IP Option DSCP Provide quality of service (QoS)

Profile (Server)

Server Port Preset to 80. Not configurable.

Piggybacking Enabled. Not configurable.

IP Option DSCP Provide quality of service (QoS)

Starting a DDoS TCP session flood test

FortiTester tests the ability of the DUT to handle different types of DDoS attacks. This test attempts to deplete the DUT resources by flooding the DUT with TCP attacks.

To start a TCP session flood test:

1. Go to Cases > DDoS > TCP Session Flood to display the test case summary page.
2. Click Add to display the Case Options dialog box.
3. In the pop-up dialog, configure the network settings as described in "Using network configuration templates" on page 16.
4. Click OK to continue.
5. Configure the test case options described in Table 31.
6. Click Start to run the test case.
FortiTester saves the configuration automatically so you can run the test again later. You can also click Save to save the test case without running it.

Tip: You can also copy an existing case, and change its settings to create a new case. In the case list, click Clone to clone the configuration. Only the case name is different from the original case.

 Table 31: DDoS TCP Session Flood Test Case configuration


Settings Guidelines

Basic Information

Name Specify the case name, or just use the default. The name appears in the list of test cases.

Ping Server Timeout If a FortiTester connects to a DUT via a switch, the switch might cause a ping timeout, resulting in the test case failing to run. If this occurs, increase the timeout. The default is 15 seconds. The valid range is 0 to 600. Note: You can disable this end-to-end connectivity test by entering a setting of 0. If the DUT is unable to return packets, it is recommended you do so.

Number of Samples Select the number of samples. The default is 20, which means the web UI will show the last 20 sample data (about 20 seconds) in the test case running page. You can select 20, 60, or 120.

Duration Specify the test duration. The default is 10 minutes. The test stops automatically after the duration you specify.

Network Settings

Client Ports, Server Ports The graphic depicts the test ports for client-side and server-side connections. The client ports simulate the behavior of clients; the server ports simulate the behavior of servers. FortiTester builds the TCP connections between client ports and server ports (and through the DUT, of course).

You must select at least one client port and one server port. After you select a port for client, a (check mark) is displayed on the port icon, and a tab for the port is added below the graphic. Use the tabs to toggle the Capture Packets and Subnet settings controls for each port.

Capture Packets

Capture Packets Optional. Set packet capture options if you want to capture the traffic of this port. You can capture all packets or specify a number. You can set packet capture filters for host IP/port and protocol.

Note: The system allocates temporary disk space for packet captures. The limit is 6,000,000 packets. The packets are saved to a temporary file that you can download from the running test case page. The filename indicates whether it is client or server communication and the interface port number. For example, client_port1.pcap. When a subsequent test case with packet capture enabled uses the same interface port as a previous one, the previous file is overwritten.

MAC Masquerade

MAC Masquerade Specify the first two bytes of a MAC address for the traffic.

Virtual Router


IP Address Specify the IP address of the virtual router. This IP address is used to connect to a DUT, so it must be in the same subnet as the connected port of the DUT. Make sure the corresponding routing rules are set on the DUT, so that the DUT correctly forwards traffic to the virtual router. Only a single IP address in the format xxx.xxx.xxx.xxx is accepted here.

Subnet

Subnet IP Address or Range Specify a single IP address with standard format (for example, 10.1.2.1) or an address range like 10.1.2.1-10.1.2.99.

Netmask Specify a netmask between 1 and 31.

VLAN ID Specify a VLAN ID between 1 and 4095.

Gateway NAT mode only. Specify the gateway IP address.

Peer Network NAT mode only. Specify the peer network subnet address.

Load

Simulated Users Number of users to simulate.

Standalone mode: The default is 256. The valid range is from 1 to 1024.

Test Center mode: The default is 512, and the valid range is from 1 to 2048, for example, for an environment with two FortiTester appliances.

DDoS Type DDoS attack traffic: TCP Session Flood. After you select a type, selection boxes for subtypes are displayed below. To change the percentage mix of subtypes, double-click the pie chart and adjust the percentages.

Speed Limit Applies only when DDoS type is TCP Session Flood or HTTP Session Flood. Rate of new connections per second. The default is 0, which means the device will create connections as fast as possible.

Standalone mode: The valid range is from 1,000 to 20,000 connections per second (or the special value 0).

Test Center mode: The valid range is from 1,000 to 20,000, for example, for an environment with two FortiTester appliances.


Concurrent Connection Applies only when DDoS type is Concurrent Session Flood. Number of concurrent connections.

Standalone mode: The default is 6,000,000. The valid range is from 10,000 to 6,000,000.

Test Center mode: The default is 12,000,000, and the valid range is 10,000 to 12,000,000, for example, for an environment with two FortiTester appliances.

Ramp Up Seconds Time in seconds for traffic to ramp up when you start the test. Not available for Concurrent Session Flood test.

Ramp Down Seconds Time in seconds for traffic to ramp down when you stop the test. Not available for Concurrent Session Flood test.

Network

Network MTU Maximum Transmission Unit for a data packet. FortiTester does not send out data packets larger than this value. Most DUTs have a limitation for packet size. The default is 1500. The valid range is 1,280 to 9,000.

Profile (Client)

Source Port Range Specify a client port range. The valid range is 10,000 to 65,535, which is also the default.

IP Change Algorithm / Port Change Algorithm Select a change algorithm: Increment or Random. This setting determines how the system changes source/destination IP addresses and ports to simulate multiple client requests. The Increment option uses the next IP address or port in the range, for example: 10.11.12.1 -> 10.11.12.2; port 10000 -> 10001. The Random option selects an IP address or port in the range randomly.

Piggybacking Disabled, meaning an acknowledgment is sent in an individual frame. Not configurable.

IP Option DSCP Provide quality of service (QoS)

Profile (Server)

Server Port Preset to 80. Not configurable.

Piggybacking Enabled. Not configurable.

IP Option DSCP Provide quality of service (QoS)


Starting a DDoS HTTP session flood test

This test attempts to deplete the DUT's resources by flooding the DUT with HTTP attacks.

To start an HTTP session flood test:

1. Go to Cases > DDoS > HTTP Session Flood to display the test case summary page.
2. Click Add to display the Case Options dialog box.
3. In the pop-up dialog, configure the network settings as described in "Using network configuration templates" on page 16.
4. Click OK to continue.
5. Configure the test case options described in Table 32.
6. Click Start to run the test case.

FortiTester saves the configuration automatically so you can run the test again later. You can also click Save to save the test case without running it.

Tip: You can also copy an existing case, and change its settings to create a new case. In the case list, click Clone to clone the configuration. Only the case name is different from the original case.

 Table 32: DDoS HTTP Session Flood Test Case configuration

Settings Guidelines

Basic Information

Name Specify the case name, or just use the default. The name appears in the list of test cases.

Ping Server Timeout If a FortiTester connects to a DUT via a switch, the switch might cause a ping timeout, resulting in the test case failing to run. If this occurs, increase the timeout. The default is 15 seconds. The valid range is 0 to 600.

Note: You can disable this end-to-end connectivity test by entering a setting of 0. If the DUT is unable to return packets, it is recommended you do so.

Number of Samples Select the number of samples. The default is 20, which means the web UI will show the last 20 sample data (about 20 seconds) in the test case running page. You can select 20, 60, or 120.

Duration Specify the test duration. The default is 10 minutes. The test stops automatically after the duration you specify.

Network Settings


Client Ports, Server Ports The graphic depicts the test ports for client-side and server-side connections. The client ports simulate the behavior of clients; the server ports simulate the behavior of servers. FortiTester builds the TCP connections between client ports and server ports (and through the DUT, of course).

You must select at least one client port and one server port. After you select a port for client, a check mark is displayed on the port icon, and a tab for the port is added below the graphic. Use the tabs to toggle the Capture Packets and Subnet settings controls for each port.

Capture Packets

Capture Packets Optional. Set packet capture options if you want to capture the traffic of this port. You can capture all packets or specify a number. You can set packet capture filters for host IP/port and protocol.

Note: The system allocates temporary disk space for packet captures. The limit is 6,000,000 packets. The packets are saved to a temporary file that you can download from the running test case page. The filename indicates whether it is client or server communication and the interface port number. For example, client_port1.pcap. When a subsequent test case with packet capture enabled uses the same interface port as a previous one, the previous file is overwritten.

MAC Masquerade

MAC Masquerade Specify the first two bytes of a MAC address for the traffic.

Virtual Router

IP Address Specify the IP address of the virtual router. This IP address is used to connect to a DUT, so it must be in the same subnet as the connected port of the DUT. Make sure the corresponding routing rules are set on the DUT so that the DUT correctly forwards traffic to the virtual router. Only a single IP address in the format xxx.xxx.xxx.xxx is accepted here.

Subnet

Subnet IP Address or Range Specify a single IP address in standard format (for example, 10.1.2.1) or an address range such as 10.1.2.1-10.1.2.99.

Netmask Specify a netmask between 1 and 31.

VLAN ID Specify a VLAN ID between 1 and 4095.

Gateway NAT mode only. Specify the gateway IP address.

Peer Network NAT mode only. Specify the peer network subnet address.


Load

Simulated Users Number of users to simulate.

Standalone mode: The default is 256. The valid range is from 1 to 1024.

Test Center mode: The default is 512, and the valid range is from 1 to 2048, for example, for an environment with two FortiTester appliances.

DDoS Type DDoS attack traffic: Concurrent Session Flood. After you select a type, selection boxes for subtypes are displayed below. To change the percentage mix of subtypes, double-click the pie chart and adjust the percentages.

Speed Limit Applies only when DDoS type is TCP Session Flood or HTTP Session Flood. Rate of new connections per second. The default is 0, which means the device will create connections as fast as possible.

Standalone mode: The valid range is from 1,000 to 40,000 connections per second (or the special value 0).

Test Center mode: The valid range is from 1,000 to 40,000, for example, for an environment with two FortiTester appliances.

Concurrent Connection Applies only when DDoS type is Concurrent Session Flood. Number of concurrent connections.

Standalone mode: The default is 6,000,000. The valid range is from 10,000 to 6,000,000.

Test Center mode: The default is 12,000,000, and the valid range is 10,000 to 12,000,000, for example, for an environment with two FortiTester appliances.

Ramp Up Seconds Time in seconds for traffic to ramp up when you start the test. Not available for Concurrent Session Flood test.

Ramp Down Seconds Time in seconds for traffic to ramp down when you stop the test. Not available for Concurrent Session Flood test.

Network

Network MTU Maximum Transmission Unit for a data packet. FortiTester does not send out data packets larger than this value. Most DUTs have a limitation for packet size. The default is 1500. The valid range is 1,280 to 9,000.

Profile (Client)


Source Port Range Specify a client port range. The valid range is 10,000 to 65,535, which is also the default.

IP Change Algorithm / Port Change Algorithm Select a change algorithm: Increment or Random. This setting determines how the system changes source/destination IP addresses and ports to simulate multiple client requests. The Increment option uses the next IP address or port in the range, for example: 10.11.12.1 -> 10.11.12.2; port 10000 -> 10001. The Random option selects an IP address or port in the range randomly.

Piggybacking Disabled, meaning an acknowledgment is sent in an individual frame. Not configurable.

IP Option DSCP Provide quality of service (QoS)

Profile (Server)

Server Port Preset to 80. Not configurable.

Piggybacking Enabled. Not configurable.

IP Option DSCP Provide quality of service (QoS)

Starting a DDoS concurrent session flood test

This test attempts to deplete the DUT's resources by flooding the DUT with HTTP attacks and putting the session on hold for an extended period of time.

To start a concurrent session flood test:

1. Go to Cases > DDoS > Concurrent Session Flood to display the test case summary page.
2. Click Add to display the Case Options dialog box.
3. In the pop-up dialog, configure the network settings as described in "Using network configuration templates" on page 16.
4. Click OK to continue.
5. Configure the test case options described in Table 33.
6. Click Start to run the test case.

FortiTester saves the configuration automatically so you can run the test again later. You can also click Save to save the test case without running it.

Tip: You can also copy an existing case, and change its settings to create a new case. In the case list, click Clone to clone the configuration. Only the case name is different from the original case.

 Table 33: DDoS Concurrent Session Flood Test Case configuration


Settings Guidelines

Basic Information

Name Specify the case name, or just use the default. The name appears in the list of test cases.

Ping Server Timeout If a FortiTester connects to a DUT via a switch, the switch might cause a ping timeout, resulting in the test case failing to run. If this occurs, increase the timeout. The default is 15 seconds. The valid range is 0 to 600.

Note: You can disable this end-to-end connectivity test by entering a setting of 0. If the DUT is unable to return packets, it is recommended you do so.

Number of Samples Select the number of samples. The default is 20, which means the web UI will show the last 20 sample data (about 20 seconds) in the test case running page. You can select 20, 60, or 120.

Duration Specify the test duration. The default is 10 minutes. The test stops automatically after the duration you specify.

Network Settings

Client Ports, Server Ports The graphic depicts the test ports for client-side and server-side connections. The client ports simulate the behavior of clients; the server ports simulate the behavior of servers. FortiTester builds the TCP connections between client ports and server ports (and through the DUT, of course).

You must select at least one client port and one server port. After you select a port for client, a check mark is displayed on the port icon, and a tab for the port is added below the graphic. Use the tabs to toggle the Capture Packets and Subnet settings controls for each port.

Capture Packets

Capture Packets Optional. Set packet capture options if you want to capture the traffic of this port. You can capture all packets or specify a number. You can set packet capture filters for host IP/port and protocol.

Note: The system allocates temporary disk space for packet captures. The limit is 6,000,000 packets. The packets are saved to a temporary file that you can download from the running test case page. The filename indicates whether it is client or server communication and the interface port number. For example, client_port1.pcap. When a subsequent test case with packet capture enabled uses the same interface port as a previous one, the previous file is overwritten.

MAC Masquerade

MAC Masquerade Specify the first two bytes of a MAC address for the traffic.

Virtual Router


IP Address Specify the IP address of the virtual router. This IP address is used to connect to a DUT, so it must be in the same subnet as the connected port of the DUT. Make sure the corresponding routing rules are set on the DUT so that the DUT correctly forwards traffic to the virtual router. Only a single IP address in the format xxx.xxx.xxx.xxx is accepted here.

Subnet

Subnet IP Address or Range Specify a single IP address in standard format (for example, 10.1.2.1) or an address range such as 10.1.2.1-10.1.2.99.

Netmask Specify a netmask between 1 and 31.

VLAN ID Specify a VLAN ID between 1 and 4095.

Gateway NAT mode only. Specify the gateway IP address.

Peer Network NAT mode only. Specify the peer network subnet address.

Load

Simulated Users Number of users to simulate.

Standalone mode: The default is 256. The valid range is from 1 to 1024.

Test Center mode: The default is 512, and the valid range is from 1 to 2048, for example, for an environment with two FortiTester appliances.

DDoS Type DDoS attack traffic: TCP Session Flood. After you select a type, selection boxes for subtypes are displayed below. To change the percentage mix of subtypes, double-click the pie chart and adjust the percentages.

Concurrent Connection Applies only when DDoS type is Concurrent Session Flood. Number of concurrent connections.

Standalone mode: The default is 6,000,000. The valid range is from 10,000 to 6,000,000.

Test Center mode: The default is 21,000,000, and the valid range is 10,000 to 21,000,000, for example, for an environment with two FortiTester appliances.

Network

Network MTU Maximum Transmission Unit for a data packet. FortiTester does not send out data packets larger than this value. Most DUTs have a limitation for packet size. The default is 1500. The valid range is 1,280 to 9,000.


Profile (Client)

Source Port Range Specify a client port range. The valid range is 10,000 to 65,535, which is also the default.

IP Change Algorithm / Port Change Algorithm Select a change algorithm: Increment or Random. This setting determines how the system changes source/destination IP addresses and ports to simulate multiple client requests. The Increment option uses the next IP address or port in the range, for example: 10.11.12.1 -> 10.11.12.2; port 10000 -> 10001. The Random option selects an IP address or port in the range randomly.

Piggybacking Disabled, meaning an acknowledgment is sent in an individual frame. Not configurable.

IP Option DSCP Provide quality of service (QoS)

Profile (Server)

Server Port Preset to 80. Not configurable.

Piggybacking Enabled. Not configurable.

IP Option DSCP Provide quality of service (QoS)

Starting an RTSP test

The RTSP test establishes a TCP connection with a three-way handshake, controls media sessions between endpoints, and closes the TCP connection. This test also tests the firewall's ability to open and close pinholes.

To start an RTSP test:

1. Go to Cases > RTSP > RTSP to display the test case summary page.
2. Click Add to display the Case Options dialog box.
3. In the popup dialog, configure the network settings as described in "Using network configuration templates" on page 16.
4. Click OK to continue.
5. Configure the test case options as described in Table 34.
6. Click Start to run the test case.

FortiTester saves the configuration automatically so you can run the test again later. You can also click Save to save the test case without running it.

Tip: You can also copy an existing case, and change its settings to create a new case. In the case list, click Clone to clone the configuration. Only the case name is different from the original case.


 Table 34: RTSP Test Case configuration

Settings Guidelines

Basic Information

Name Specify the case name, or just use the default. The name appears in the list of test cases.

Ping Server Timeout If a FortiTester connects to a DUT via a switch, the switch might cause a ping timeout, resulting in the test case failing to run. If this occurs, increase the timeout. The default is 15 seconds. The valid range is 0 to 600.

Note: You can disable this end-to-end connectivity test by entering a setting of 0. If the DUT is unable to return packets, it is recommended you do so.

Duration Specify the test duration. The default is 10 minutes. The test stops automatically after the duration you specify.

Number of Samples Select the number of samples. The default is 20, which means the web UI will show the last 20 sample data (about 20 seconds) in the test case running page. You can select 20, 60, or 120.

Network Settings

Client Ports, Server Ports The graphic depicts the test ports for client-side and server-side connections. The client ports simulate the behavior of clients; the server ports simulate the behavior of servers. FortiTester builds the TCP connections between client ports and server ports (and through the DUT, of course).

You must select at least one client port and one server port. After you select a port for client, a check mark is displayed on the port icon, and a tab for the port is added below the graphic. Use the tabs to toggle the Capture Packets and Subnet settings controls for each port.

Capture Packets

Capture Packets Optional. Set packet capture options if you want to capture the traffic of this port. You can capture all packets or specify a number. You can set packet capture filters for host IP/port and protocol.

Note: The system allocates temporary disk space for packet captures. The limit is 6,000,000 packets. The packets are saved to a temporary file that you can download from the running test case page. The filename indicates whether it is client or server communication and the interface port number. For example, client_port1.pcap. When a subsequent test case with packet capture enabled uses the same interface port as a previous one, the previous file is overwritten.

MAC Masquerade

MAC Masquerade Specify the first two bytes of a MAC address for the traffic.


Virtual Router

IP Address Specify the IP address of the virtual router. This IP address is used to connect to a DUT, so it must be in the same subnet as the connected port of the DUT. Make sure the corresponding routing rules are set on the DUT so that the DUT correctly forwards traffic to the virtual router. Only a single IP address in the format xxx.xxx.xxx.xxx is accepted here.

Subnet

Subnet IP Address or Range Specify a single IP address in standard format (for example, 10.1.2.1) or an address range such as 10.1.2.1-10.1.2.99.

Netmask Specify a netmask between 1 and 31.

VLAN ID Specify a VLAN ID between 1 and 4095.

Gateway NAT mode only. Specify the gateway IP address.

Peer Network NAT mode only. Specify the peer network subnet address.

Proxy IP/Mask Web Proxy mode only. Specify the proxy IP address/netmask.

Add Subnet If necessary, click +Add Subnet to display additional subnet configuration controls. An interface port can have multiple subnets. FortiTester uses all IP addresses in the specified subnets to create TCP connections and transfer data.

Load

Simulated Users Number of users to simulate.

Standalone mode: The default is 256. The valid range is from 1 to 900.

Test Center mode: The default is 512, and the valid range is from 1 to 1,800, for example, for an environment with two FortiTester appliances.

Speed Limit Rate of requests per second. The default is 0, which means the device will send traffic as fast as possible.

Standalone mode: The valid range is 100 to 180,000 requests per second (or the special value 0).

Test Center mode: The valid range is 100 to 360,000, for example, for an environment with two FortiTester appliances.


Ramp Up Seconds Time in seconds for traffic to ramp up when you start the test. Not available for Concurrent Session Flood test.

Ramp Down Seconds Time in seconds for traffic to ramp down when you stop the test. Not available for Concurrent Session Flood test.

Network

Network MTU Maximum Transmission Unit for a data packet. FortiTester does not send out data packets larger than this value. Most DUTs have a limit for packet size. The default is 1500. The valid range is from 1,280 to 9,000.

Profile (Client)

Source Port Range Preset to 10000-65535. Not configurable.

IP Change Algorithm / Port Change Algorithm Determines how the system changes source/destination IP addresses and ports to simulate multiple client requests. Preset to Random. Not configurable. The Random option selects an IP address or port in the range randomly.

Profile (Server)

Server Port Preset to 80, 443. Not configurable.

Starting a packet capture test

The packet capture test captures packets received from the network adapter.

To start a packet capture test:

1. Go to Cases > Packet Capture > Packet Capture to display the test case summary page.
2. Click Add to display the Case Options dialog box.
3. Configure the test case options as described in Table 35.
4. Click Start to run the test case.

FortiTester saves the configuration automatically so you can run the test again later. You can also click Save to save the test case without running it.

Tip: You can also copy an existing case, and change its settings to create a new case. In the case list, click Clone to clone the configuration. Only the case name is different from the original case.


To start/stop a packet capture test while another test is running:

From the run page of the other test, follow the steps below.

1. Go to Capture > Client.
2. Click Restart, under status.
3. Configure the desired settings.
4. Click Start to run the packet capture test.

 Table 35: Packet Capture Test Case configuration

Settings Guidelines

Basic Information

Name Specify the case name, or just use the default. The name appears in the list of test cases.

Duration Specify the test duration. The default is 10 minutes. The test stops automatically after the duration you specify.

Number of Samples Select the number of samples. The default is 20, which means the web UI will show the last 20 sample data (about 20 seconds) in the test case running page. You can select 20, 60, or 120.

Network Settings

Client Ports The graphic depicts the test ports for client-side connections. The client ports simulate the behavior of clients.

You must select at least one client port. After you select a port for client, a check mark is displayed on the port icon, and a tab for the port is added below the graphic. Use the tabs to toggle the Capture Packets controls for each port.

Capture Packets

Capture Packets Set packet capture options if you want to capture the traffic of this port. You can capture all packets or specify a number. You can set packet capture filters for host IP/port and protocol.

Note: The system allocates temporary disk space for packet captures. The limit is 6,000,000 packets. The packets are saved to a temporary file that you can download from the running test case page. The filename indicates whether it is client or server communication and the interface port number. For example, client_port1.pcap. When a subsequent test case with packet capture enabled uses the same interface port as a previous one, the previous file is overwritten.

Load

Packet Analysis Select Yes to analyze bandwidth percentage for each protocol.


Network

Network MTU Maximum Transmission Unit for a data packet. FortiTester does not send out data packets larger than this value. Most DUTs have a limit for packet size. The default is 1500. The valid range is from 1,280 to 9,000.
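The per-protocol bandwidth percentage that the Packet Analysis setting reports can also be recomputed offline from a downloaded capture such as client_port1.pcap. The following Python sketch is an added example, not FortiTester code: it assumes the download is a classic libpcap file with Ethernet framing, labels TCP port 80/443 traffic as HTTP/HTTPS by port number only, and runs on a small constructed capture (`make_frame`, `build_pcap` and `SAMPLE_PCAP` are hypothetical helpers).

```python
import struct
from collections import Counter

# Classic pcap magic numbers as read little-endian -> byte order of the file.
PCAP_MAGICS = {0xA1B2C3D4: "<", 0xD4C3B2A1: ">",   # microsecond timestamps
               0xA1B23C4D: "<", 0x4D3CB2A1: ">"}   # nanosecond timestamps
IP_PROTO_NAMES = {1: "ICMP", 6: "TCP", 17: "UDP"}


def parse_pcap(data):
    """Yield (orig_len, captured_bytes) for every record of a classic pcap file."""
    if len(data) < 24:
        raise ValueError("truncated pcap global header")
    endian = PCAP_MAGICS.get(struct.unpack("<I", data[:4])[0])
    if endian is None:
        raise ValueError("not a classic pcap file")
    if struct.unpack(endian + "I", data[20:24])[0] != 1:
        raise ValueError("only Ethernet captures (linktype 1) are handled")
    offset = 24
    while offset + 16 <= len(data):
        _sec, _frac, incl_len, orig_len = struct.unpack(
            endian + "IIII", data[offset:offset + 16])
        offset += 16
        if offset + incl_len > len(data):
            break                      # last record cut short; ignore it
        yield orig_len, data[offset:offset + incl_len]
        offset += incl_len


def classify(frame):
    """Return a protocol label for one Ethernet frame."""
    if len(frame) < 14:
        return "truncated"
    ethertype = struct.unpack("!H", frame[12:14])[0]
    payload = frame[14:]
    if ethertype == 0x8100 and len(payload) >= 4:   # 802.1Q tag (VLAN ID set)
        ethertype = struct.unpack("!H", payload[2:4])[0]
        payload = payload[4:]
    if ethertype == 0x0806:
        return "ARP"
    if ethertype == 0x86DD:
        return "IPv6"
    if ethertype != 0x0800 or len(payload) < 20:
        return "other"
    header_len = (payload[0] & 0x0F) * 4
    proto = payload[9]
    if proto == 6 and len(payload) >= header_len + 4:
        sport, dport = struct.unpack("!HH", payload[header_len:header_len + 4])
        if 80 in (sport, dport):        # heuristic: port number only
            return "HTTP"
        if 443 in (sport, dport):
            return "HTTPS"
    return IP_PROTO_NAMES.get(proto, "IP proto %d" % proto)


def protocol_share(data):
    """Return {label: percent of on-the-wire bytes}, rounded to one decimal."""
    totals = Counter()
    for orig_len, frame in parse_pcap(data):
        totals[classify(frame)] += orig_len
    grand = sum(totals.values())
    if grand == 0:
        return {}
    return {label: round(100.0 * n / grand, 1) for label, n in totals.items()}


def make_frame(proto, sport, dport, payload_len, vlan=None):
    """Constructed test frame: Ethernet + IPv4 + ports followed by zero padding."""
    eth = b"\x02\x00\x00\x00\x00\x01" + b"\x02\x00\x00\x00\x00\x02"
    if vlan is not None:
        eth += struct.pack("!HH", 0x8100, vlan)
    eth += struct.pack("!H", 0x0800)
    l4 = struct.pack("!HH", sport, dport) + bytes(payload_len)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, proto, 0,
                     bytes([10, 1, 2, 1]), bytes([10, 1, 2, 99]))
    return eth + ip + l4


def build_pcap(frames):
    """Wrap frames in a little-endian classic pcap container."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", i, 0, len(frame), len(frame)) + frame
    return out


# Constructed capture: 600 bytes to port 80, 200 bytes UDP, 200 bytes tagged TCP.
SAMPLE_PCAP = build_pcap([
    make_frame(6, 10000, 80, 562),
    make_frame(17, 10001, 53, 162),
    make_frame(6, 10002, 8080, 158, vlan=100),
])

if __name__ == "__main__":
    for label, pct in sorted(protocol_share(SAMPLE_PCAP).items()):
        print("%-6s %5.1f%%" % (label, pct))
```

To run it against a real download, read the file in binary mode and pass the bytes to `protocol_share`.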

Starting a mixed traffic test

FortiTester tests mixed traffic performance by simulating multiple clients that burst all types of traffic simultaneously.

To start a Mixed Traffic test:

1. Go to Cases > Mixed Traffic > Mixed Traffic to display the test case summary page.
2. Click Add to display the Case Options dialog box.
3. In the popup dialog, configure the network settings as described in "Using network configuration templates" on page 16.
4. Select the types of traffic to mix in the test.
5. Click OK to continue.
6. Configure the proportions of the mixed traffic.
7. Configure the test case options as described in Table 36.
8. Click Start to run the test case.
9. For specific settings, refer to the section for that specific test.

FortiTester saves the configuration automatically, so you can run the test again later. You can also click Save to save the test case without running it.

Tip: You can also copy an existing case, and change its settings to create a new case. In the case list, click Clone to clone the configuration. Only the case name is different from the original case.


 Table 36: Mixed Traffic Test Case configuration

Settings Guidelines

Basic Information

Name Specify the case name, or just use the default. The name appears in the list of test cases.

Ping Server Timeout If a FortiTester connects to a DUT via a switch, the switch might cause a ping timeout, resulting in the test case failing to run. If this occurs, increase the timeout. The default is 15 seconds. The valid range is 0 to 600.

Note: You can disable this end-to-end connectivity test by entering a setting of 0. If the DUT is unable to return packets, it is recommended you do so.

Number of Samples Select the number of samples. The default is 20, which means the web UI will show the last 20 sample data (about 20 seconds) in the test case running page. You can select 20, 60, or 120.

Duration Specify the test duration. The default is 10 minutes. The test stops automatically after the duration you specify.

Network Settings

Client Ports, Server Ports The graphic depicts the test ports for client-side and server-side connections. The client ports simulate the behavior of clients; the server ports simulate the behavior of servers. FortiTester builds the TCP connections between client ports and server ports (and through the DUT, of course).

You must select at least one client port and one server port. After you select a port for client, a check mark is displayed on the port icon, and a tab for the port is added below the graphic. Use the tabs to toggle the Capture Packets and Subnet settings controls for each port.

Capture Packets

Capture Packets Optional. Set packet capture options if you want to capture the traffic of this port. You can capture all packets or specify a number. You can set packet capture filters for host IP/port and protocol.

Note: The system allocates temporary disk space for packet captures. The limit is 6,000,000 packets. The packets are saved to a temporary file that you can download from the running test case page. The filename indicates whether it is client or server communication and the interface port number. For example, client_port1.pcap. When a subsequent test case with packet capture enabled uses the same interface port as a previous one, the previous file is overwritten.

MAC Masquerade

MAC Masquerade Specify the first two bytes of a MAC address for the traffic.


Virtual Router

IP Address Specify the IP address of the virtual router. This IP address is used to connect to a DUT, so it must be in the same subnet as the connected port of the DUT. Make sure the corresponding routing rules are set on the DUT so that the DUT correctly forwards traffic to the virtual router. Only a single IP address in the format xxx.xxx.xxx.xxx is accepted here.

Subnet

Subnet IP Address or Range Specify a single IP address in standard format (for example, 10.1.2.1) or an address range such as 10.1.2.1-10.1.2.99.

Netmask Specify a netmask between 1 and 31.

VLAN ID Specify a VLAN ID between 1 and 4095.

Gateway NAT mode only. Specify the gateway IP address.

Peer Network NAT mode only. Specify the peer network subnet address.

Proxy IP/Mask Web Proxy mode only. Specify the proxy IP address/netmask.

Add Subnet If necessary, click +Add Subnet to display additional subnet configuration controls. An interface port can have multiple subnets. FortiTester uses all IP addresses in the specified subnets to create TCP connections and transfer data.

Stopping tests

There are two ways to stop a running test:

- In the test configuration, specify an automatic stop after a specified duration.
- Click the Stop button on the running page of a test that is in progress.

Displaying test status

A few seconds after you start a test, the page automatically switches to a test status page.

You can also navigate to the status page by clicking the icon in the top navigation menu.

The following example shows status displayed on the Summary tab of an HTTP CPS test.


Figure 7: Test status Summary tab

The following figure shows the Client tab. You can use its subtabs to review results by port or network layer.

Figure 8: Test status Client tab

Viewing test results

When you start a test, a status page is displayed showing results.

The data is updated every second. It includes Layer 2, Layer 3, and Layer 4 data. HTTP/HTTPS test cases also include Layer 7 data.

- Layer 2 data represents the throughput for every port and a total summary. The throughput includes inbound traffic and outbound traffic for every port.
- Layer 3 data represents the packets sent and received for every port and a total summary.


l Layer 4 data represents the number of sessions.l Layer 7 data represents the number of requests and connections.

You can click the icon in the top banner to display a list of all the test cases on the left side of the page. This list includes cases that are stopped (either normally or abnormally) and are ordered by test start time. Click a test case to view its result. You can also use the search function, at the top, to search for test cases.

The following example shows results for an HTTP CPS test.

Figure  9: HTTP CPS test results

The following figure shows results for an Attack Replay test.

Figure  10: Attack Replay results

For Attack Replay tests, the results show status for every attack traffic file and a summary count for packets with the following statuses: Peer Received, Packet Lost, or Illegal Packet. Peer Received means the server has received all the packets sent out by the client. Packet Lost means the server has not received all the packets sent out by the client; one or more packets were lost after the traffic passed through the DUT. Illegal Packet means the FortiTester system encountered a packet larger than the MTU (the default is 1500) and has stopped the replay of that pcap file.
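
As an added example (not part of the Fortinet handbook), the following Python sketch pre-checks a capture for packets that would trigger the Illegal Packet status described above before the file is used in an Attack Replay test. It assumes a classic pcap file with untagged Ethernet frames and that the MTU is compared against the frame length minus the 14-byte Ethernet header; the function names and the sample capture are constructed for illustration.

```python
import struct

ETH_HDR = 14  # assumption: untagged Ethernet II frames (pcap linktype 1)
# First four file bytes -> struct byte-order prefix (micro- and nanosecond variants).
MAGICS = {
    b"\xd4\xc3\xb2\xa1": "<", b"\x4d\x3c\xb2\xa1": "<",
    b"\xa1\xb2\xc3\xd4": ">", b"\xa1\xb2\x3c\x4d": ">",
}


def oversized_packets(pcap_bytes, mtu=1500):
    """Return [(packet_index, layer3_length)] for packets larger than mtu."""
    if len(pcap_bytes) < 24 or pcap_bytes[:4] not in MAGICS:
        raise ValueError("not a classic pcap file")
    order = MAGICS[pcap_bytes[:4]]
    (linktype,) = struct.unpack(order + "I", pcap_bytes[20:24])
    if linktype != 1:
        raise ValueError("only Ethernet captures (linktype 1) are handled")
    hits, offset, index = [], 24, 0
    while offset < len(pcap_bytes):
        header = pcap_bytes[offset:offset + 16]
        if len(header) < 16:
            raise ValueError(f"record {index}: truncated header")
        _sec, _frac, incl_len, orig_len = struct.unpack(order + "IIII", header)
        if offset + 16 + incl_len > len(pcap_bytes):
            raise ValueError(f"record {index}: truncated packet data")
        # orig_len is the on-the-wire size, so a short snaplen cannot hide a big frame.
        l3_len = orig_len - ETH_HDR
        if l3_len > mtu:
            hits.append((index, l3_len))
        offset += 16 + incl_len
        index += 1
    return hits


def build_pcap(frame_lengths):
    """Constructed sample data: little-endian pcap holding zero-filled frames."""
    data = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for length in frame_lengths:
        data += struct.pack("<IIII", 0, 0, length, length) + bytes(length)
    return data


SAMPLE = build_pcap([60, 1514, 1515, 9014])  # constructed, not a real capture

if __name__ == "__main__":
    for index, size in oversized_packets(SAMPLE):
        print(f"packet {index}: {size} bytes at layer 3 exceeds the MTU")
```

To check a real file, pass its bytes (for example, open(path, "rb").read()) to oversized_packets; an empty list means no packet exceeds the given MTU under the assumptions above.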

Exporting/importing a test case

After you click Start or Save, FortiTester automatically saves the test configuration. You can edit or make a copy of a test configuration before you run it.

You can use the Export/Import utilities to export a test case configuration (as a .zip file) and then import it into another FortiTester appliance.

In the top banner, click the icon to display the list of saved test cases. Cases are categorized by test type.

Scheduling cases

You can schedule a test case to run automatically at a time you specify. You can also specify a repeat interval (once, hourly, daily, weekly, monthly).

To configure a schedule:

1. Go to Cases > Config Schedule.
2. Click Add to display the configuration page.
3. Select the case type and select an existing case.
4. Set the start date and time.
5. Select a repeat option.
6. Save the schedule configuration.

Tip: To set up a schedule from the case list, click the icon to display the schedule configuration page.

Chapter 3 - System Administration

This chapter provides procedures for common system administration tasks.

Displaying system status

The System page displays the system version and serial number of the appliance. You can also see log disk usage information.

If the appliance comes installed with an SSL Accelerator card, you will see it and can enable/disable it.

Note: The SSL acceleration feature works only when the FortiTester appliance works as the server side. Enabling or disabling it will not influence the performance of the client side when performing an HTTPS test.

The figure below shows the System Information portlet.

Figure  11: System Information

Updating firmware

You can use the web UI to upgrade the firmware image.

Before you begin:

• Download the firmware file from the Fortinet support website.
• Read the release notes for the version you plan to install.
• You must be logged in as the user admin to upgrade firmware.

To upgrade firmware:

1. Go to the System page.
2. Click the Upgrade link in the system information section.
3. Click Browse to locate and select the image file.
4. Click to upload the firmware and reboot.

The system replaces the firmware on the active partition and reboots.

Shutting down the system

Always properly shut down the FortiTester appliance operating system before turning off the power switch or unplugging the appliance. This causes it to finish writing buffered data, and to slow and park the hard disks.

Do not unplug or switch off the FortiTester appliance before halting the operating system. Failure to shut down correctly could cause data loss and hardware problems.

To power off the appliance via the web UI:

1. Go to the System page.
2. Click the Shutdown button.
   The appliance becomes quieter when it stops its hardware and operating system, indicating that it is ready for power to be disconnected.
3. Disconnect the power cable from the power supply.

To power off the appliance via the CLI:

1. Connect to the CLI using a terminal emulator.
2. Enter the following command:

   execute shutdown

   The appliance becomes quieter when it stops its hardware and operating system, indicating that it is ready for power to be disconnected.
3. Disconnect the power cable from the power supply.

Rebooting the system

Rebooting the appliance is similar to shutting down. To reboot, do one of the following:

• Go to the System page, click the Reboot button.
• Enter the execute reboot command via the CLI.

Resetting the system

To restore the appliance to its initial state, click the Config reset button on the System page.

Warning: This operation clears all the data and cannot be canceled, so use it carefully. Before you reset the system, you can export system configuration data so that you can later import it. The configuration data includes all the test case settings and test results, user accounts, and test HTML pages for HTTP/HTTPS test cases.

Creating test users

The FortiTester system has one default administrative account named "admin". It also allows you to create other administrative or tester user accounts.

The default "admin" account is the super administrator, which can create and delete all other accounts, whereas the other administrative accounts can only create administrative/tester accounts and delete tester accounts.

The administrative user can perform a test, create and delete a tester, and set the system configuration.

A tester user can only perform tests and view test results. If a user logs in with a tester role, the User Management menu is not shown, and the contents of the System page are read-only.

To create a test user:

1. Go to the drop-down menu under the admin login in the top navigation bar.
2. Select User Management.
3. Click Add to display the configuration page.
4. Complete the username and password settings.
5. Select a role and set the username and password.
6. Save the configuration.

Chapter 4 - Joining multiple appliances into a Test Center

This chapter provides procedures for joining multiple appliances into a Test Center.

Changing the work mode setting

The work mode setting determines whether the FortiTester operates as a standalone appliance or is joined with other FortiTester appliances to form a Test Center.

By default, FortiTester appliances operate in Standalone work mode.

If your test plans require more interfaces than provided by a single FortiTester, you can join the appliances into what is called a Test Center. One appliance is the Test Center master appliance; the others are Test Center slaves. You manage test cases from the Test Center appliance management interface; the web UI is not available for an appliance in Test Slave work mode. When you enter the web UI address for the Test Slave appliance, it displays the following page instead.

Figure  12: Slave Mode

To set up a Test Center:

1. Log into the web UI of one FortiTester (e.g. 172.22.4.217).
2. Go to the System page.
3. Click the Work Mode tab.
4. The appliance is in Standalone work mode by default.
5. Click Test Center to make it the Test Center master. The System page shows the current work mode of this appliance is TestCenter, and a table is shown that lists the appliances that are under control of this one.
6. Log into another FortiTester (e.g. 172.22.4.218).
7. Go to the System page.
8. Click the Work Mode tab.
9. Click Test Slave. The system displays a popup, prompting you to specify the Test Center master IP address.
10. Enter the IP address of the Test Center master and click Connect.
11. Return to the System page on the master and click Refresh. You will see 172.22.4.218 is in the table.

Figure  13: TestCenter

You can click the X to disconnect the slave appliance or click the Disconnect button in the slave Web GUI to return to Standalone mode.

When the appliances have been added to the Test Center, you can select one or more FortiTester appliances to work as clients and others to work as servers when you create test cases. In this example, 172.22.4.217 has the client ports; 172.22.4.218 has the server ports. You can add up to four pairs of appliances to a Test Center.

Chapter 5 - Using the Command-Line Interface

You can configure some settings through a connection to the command-line interface (CLI).

Requires: Terminal emulator such as PuTTY, TeraTerm, or a terminal server.

To connect to the CLI via serial console:

1. Using the console cable, connect the appliance console port to your terminal server or computer.
2. On your computer or terminal server, start the terminal emulator. Use these settings:
   • Baud rate: 9600
   • Data bits: 8
   • Parity: None
   • Stop bits: 1
   • Flow control: None
3. Press Enter on your keyboard to connect to the CLI.

Note: After you configure the management port, you can connect to the management port and use the CLI remotely using SSH or Telnet.

Getting CLI help

You can enter the help command or ? to display CLI command and setting information. For example:

help                             Help.
?                                Help.
get system status                System status.
show system interface            Show network interfaces and configurations.
show system route                Show default route.
show system setting              Show system setting.
show system memsize              Show total memory size.
config system hostname           Configure hostname.
config system interface          Configure interfaces.
config system route              Configure route.
config system setting            Configure system settings. (Maintainer Login,Telent Daemon...)
execute ping                     PING command.
execute time <hh:mm:ss>          Set time.
execute date <yyyy-mm-dd>        Set date.
execute reboot                   Reboot FortiTester.
execute shutdown                 Shutdown FortiTester.
execute factoryreset             Factory reset FortiTester.
execute formatlogdisk            Format storage.
exit                             Exit the CLI.
sysctl ash                       Debug mode.

The following examples show how to configure the management interface, the default gateway, and the appliance hostname.

config system interface
    edit mgmt
        set ip 172.173.1.217 255.255.0.0
    next
end

config system route
    set gateway 192.168.1.1
end

config system hostname
    set hostname <string>
end

Command descriptions

The following table describes the commonly used CLI commands.

Command                    Description

help                       Shows help information.

?                          Shows help information.

get system status          Shows the system version, serial number, hostname, time, and system uptime.

show system interface      Shows information about the configured network interfaces.

                           config system interface
                               edit mgmt
                                   set ip 172.173.1.124 255.255.0.0
                               next
                           end

show system route          Shows the gateway address for management port.

                           Default gateway: 192.168.1.1

show system setting        Shows whether the common mode for HTTP CPS/RPS and TCP throughput is
                           enabled or not. The default is disabled. Also shows whether the system
                           allows login with the maintainer account. The default is enabled.

show system memsize        Shows the size of the system's memory.

config system hostname     Set the host name for this appliance.

config system interface    Configures network interfaces.

config system route        Configures the gateway address for the management port.

                           config system route
                               set gateway 172.173.1.248
                           end

config system setting      Enable/disable the common mode and maintainer login.

execute ping               Execute a ping command.

execute time               Sets the system time. The time format is hh:mm:ss.

execute date               Set the system date. The date format is yyyy-mm-dd.

execute reboot             Reboots the system.

execute shutdown           Shuts down the system.

execute factoryreset       Reset the system into an initial state. Note this operation will clear
                           all existing data/configuration.

execute formatlogdisk      Execute a format disk command for log storage.

exit                       Exits the current session.

sysctl ash                 Enter the debug mode for troubleshooting.

Copyright © 2017 Fortinet, Inc. All rights reserved. Fortinet®, FortiGate®, FortiCare® and FortiGuard®, and certain other marks are registered trademarks of Fortinet, Inc., in the U.S. and other jurisdictions, and other Fortinet names herein may also be registered and/or common law trademarks of Fortinet. All other product or company names may be trademarks of their respective owners. Performance and other metrics contained herein were attained in internal lab tests under ideal conditions, and actual performance and other results may vary. Network variables, different network environments and other conditions may affect performance results. Nothing herein represents any binding commitment by Fortinet, and Fortinet disclaims all warranties, whether express or implied, except to the extent Fortinet enters a binding written contract, signed by Fortinet’s General Counsel, with a purchaser that expressly warrants that the identified product will perform according to certain expressly-identified performance metrics and, in such event, only the specific performance metrics expressly identified in such binding written contract shall be binding on Fortinet. For absolute clarity, any such warranty will be limited to performance in the same ideal conditions as in Fortinet’s internal lab tests. In no event does Fortinet make any commitment related to future deliverables, features, or development, and circumstances may change such that any forward-looking statements herein are not accurate. Fortinet disclaims in full any covenants, representations, and guarantees pursuant hereto, whether express or implied. Fortinet reserves the right to change, modify, transfer, or otherwise revise this publication without notice, and the most current version of the publication shall be applicable.