FortiTester™ Handbook VERSION 2.9.0
March 21, 2017
FortiTester Handbook 2.9.0
1st Edition
TABLE OF CONTENTS
Change Log
Introduction
  Features and benefits
  What's New
Chapter 1 - Getting Started
  Connecting to FortiTester
  Configuring the management port
  Configuring system time
  Creating the admin password
  Configuring the device under test
Chapter 2 - Running Tests
  Test case configuration overview
  Using port binding and link aggregation
  Using 40G to 4 x 10G fan out
  Using network configuration templates
  Starting an HTTP CPS test
  Starting an HTTP RPS test
  Starting an HTTP CC test
  Starting an HTTP throughput test
  Starting an HTTPS CPS test
  Starting an HTTPS RPS test
  Starting an HTTPS CC test
  Starting an HTTPS throughput test
  Starting an IPsec remote access test
  Starting an IPsec remote access CC test
  Starting a UDP PPS test
  Starting a UDP Payload test
  Starting an RFC 2544 base value test
  Starting an RFC 2544 throughput test
  Starting an RFC 2544 latency test
  Starting an RFC 2544 loss rate test
  Starting an RFC 2544 back to back test
  Starting a DNS latency test
  Starting a TCP connection test
  Starting a TCP throughput test
  Starting a TurboTCP test
  Starting a Mail SMTP test
  Starting a Mail POP3 test
  Starting a Mail IMAP test
  Starting a FTP test
  Starting an AttackReplay test
  Starting a Traffic Replay test
  Starting a DDoS single packet flood test
  Starting a DDoS TCP session flood test
  Starting a DDoS HTTP session flood test
  Starting a DDoS concurrent session flood test
  Starting an RTSP test
  Starting a packet capture test
  Starting a mixed traffic test
  Stopping tests
  Displaying test status
  Viewing test results
  Exporting/importing a test case
  Scheduling cases
Chapter 3 - System Administration
  Displaying system status
  Updating firmware
  Shutting down the system
  Rebooting the system
  Resetting the system
  Creating test users
Chapter 4 - Joining multiple appliances into a Test Center
  Changing the workmode setting
Chapter 5 - Using the Command-Line Interface
  Getting CLI help
  Command descriptions
Change Log
Date | Change Description
2017-03-21 | FortiTester 2.9.0 initial release
FortiTester Handbook, Fortinet Technologies, Inc.
Introduction
Welcome, and thank you for selecting Fortinet products for your testing environment.
FortiTester™ appliance models are powerful and easy-to-use tools that test the performance of your network devices.
FortiTester implements DPDK, which provides libraries and user-space NIC drivers for accelerated packet processing performance. The implementation allows FortiTester to offer a whole slew of line-rate testing on server-class hardware.
This document describes how to set up your FortiTester appliance. It also describes how to use the web user interface (web UI) and command-line interface (CLI).
Features and benefits
FortiTester is a network traffic test tool that is based on Fortinet's specialized hardware and software platform. It provides the following types of tests:
- HTTP/HTTPS CPS test: FortiTester can test new connections per second (CPS) performance by simulating multiple clients that generate HTTP or HTTPS traffic.
- HTTP/HTTPS RPS test: FortiTester can test requests per second (RPS) performance by simulating multiple clients that generate HTTP or HTTPS traffic.
- HTTP/HTTPS CC test: FortiTester can test HTTP or HTTPS concurrent connection (CC) performance by simulating multiple clients that generate HTTP or HTTPS traffic.
- HTTP/HTTPS throughput test: FortiTester can test HTTP or HTTPS throughput performance of a Device Under Test (DUT) by simulating multiple clients that generate HTTP or HTTPS traffic.
- IPsec: FortiTester can test IPsec gateway performance by measuring IPsec and HTTP connections per second from simulated IPsec clients to an HTTP server behind the DUT's IPsec gateway.
- TCP throughput test: FortiTester can test TCP throughput performance of a DUT by generating a specified volume of two-way TCP traffic flows via specified ports.
- TCP connection test: FortiTester can test TCP concurrent connections performance by generating a specified volume of two-way TCP traffic flow via specified ports.
- TurboTCP test: FortiTester can test new connections per second (CPS) performance by generating a specified volume of two-way TurboTCP traffic flows via specified ports.
- UDP PPS test: FortiTester can test UDP throughput performance by sending a specified size of UDP frames at a maximum or limited speed from simulated clients to simulated servers.
- UDP Payload test: FortiTester system can test UDP payload by sending UDP frames with a user-specified payload.
- RFC 2544: FortiTester implements RFC 2544 throughput, latency, data loss, and back to back test cases for UDP performance.
- Mail tests: FortiTester can test SMTP, POP3, and IMAP performance by simulating a specified volume of clients to each send or receive one message.
- Attack Replay test: FortiTester can test security systems by replaying a predefined set of attack traffic or pcaps that you upload. The predefined set covers 100 types of attacks.
- Traffic Replay test: FortiTester can test user-defined scenarios by replaying any pcap file. Typically, pcap files are generated by programs like tcpdump or Wireshark.
- DDoS test: FortiTester can send multiple types of distributed denial of service (DDoS) attack traffic to test DDoS detection/prevention systems.
- DNS Latency test: FortiTester can send DNS query traffic to test latency to a server or through a gateway.
- RTSP test: FortiTester can test RTSP connections by generating two-way traffic flow.
- Packet Capture test: FortiTester can test packet capture by capturing packets received from the network adapter.
- Mixed traffic test: FortiTester can burst all types (except HTTPS) of traffic simultaneously.
- 40G to 4 x 10G fan out for FortiTester 3000E: FortiTester can be configured for 4 x 10G fan out.
What's New
The following features are introduced in 2.9.0:
- Support for 40G to 4 x 10G fan out for FortiTester-3000E.
- Added a new test case for RTSP/RTP testing.
- Added a new test case for IPsec tunnel concurrency testing.
- Added a new test case, PacketCapture, for packet capture and analysis on physical ports, which can be used as a reference when creating mixed-traffic test cases.
- Added object management for network profiles, certificates and payloads, which can be selected as templates in test cases.
- Protocol distribution, in terms of percentage of bandwidth allocation, can now be configured for the Mixed Traffic test case.
- FortiTester now allows the same subnet to be configured on multiple ports.
- FortiTester now supports port binding for all UDP test cases, such as DNS / PPS / PAYLOAD / RFC2544.
- Support for 802.3AD bond mode.
- Users can now filter search results from the "History" page, as well as look at detailed results of previous tests.
- Users can now start and stop a packet capture from the test summary page while the test is running.
Chapter 1 - Getting Started
This chapter provides the procedures for getting started with FortiTester.
Connecting to FortiTester
A basic network connection topology for FortiTester is shown in Figure 1.
Figure 1: A basic network connection topology
A FortiTester appliance has multiple network ports. In most cases, one port is for management and the others are for testing. The management port (usually mgmt or port1) connects to a local network to enable the user to access the FortiTester appliance via the web UI.
The test ports are divided into client ports and server ports that connect to the device under test (DUT). Client ports simulate multiple client devices that access the simulated server devices via server ports. Use the provided cables to connect the FortiTester to the DUT.
When you use one FortiTester appliance in standalone work mode, the test ports on the standalone appliance are divided between client and server. Figure 2 shows the distribution of ports in a standalone environment. Port 1, a client port, is paired with port 3, a server port; port 2, a client port, is paired with port 4, a server port.
Figure 2: Test ports in standalone work mode
If your tests require more ports, you can join up to 4 pairs of FortiTester appliances in a Test Center. Figure 3 shows the distribution of ports in a Test Center environment with two FortiTester appliances. Ports 1-4 of the first appliance are client ports; ports 1-4 of the second appliance are server ports. Port 1 on the first appliance is paired with port 1 on the second appliance.
Figure 3: Test ports in Test Center / Slave work mode
For information on configuring a Test Center, see Chapter 4 - Joining multiple appliances into a Test Center.
Configuring the management port
The management port must be connected to the same switch as the administrator client computer. Use the Ethernet cord provided with the FortiTester.
The following procedure assumes that the default management port IP address (192.168.1.99) is not on the same subnet as your client computer.
To configure the management port:
1. Configure your computer to match the FortiTester default management port subnet. For example, from the Windows 7 Control Panel, go to Network and Sharing Center. Click the Local Area Connection link, and then click the Properties button. Select Internet Protocol Version 4 (TCP/IPv4) and then click its Properties button. Select Use the following IP address, and then enter the following settings:
   - IP address: 192.168.1.2
   - Subnet mask: 255.255.255.0
2. To connect to the web UI, start a web browser and go to http://192.168.1.99, or https://192.168.1.99.
3. Type admin in the Username field, enter the password, and then click Login.
4. In the top banner, click the icon to display the System settings page.
5. Click the Device Ports tab.
6. For the management port, change its IP address, netmask, and default gateway.
The following example changes the management IP address to 192.168.1.199.
Figure 4: Set management port
7. Click Apply to complete configuration of the management port.
8. Click the DNS Server tab.
9. Click Add DNS, enter the IP address for the DNS server, and then click Apply. Note you can add more than one DNS server.
10. Change the IP address of your client PC to the same network segment used by the management port IP address.
11. To log into the web UI again, enter the new management IP address in a web browser.
Configuring system time
You can use the System page to change the system time. You can manually modify the time or synchronize the system time with an NTP server.
To configure system time:
1. In the top banner, click the icon to display the System settings page.
2. Under System Time, click the Change link to display the Time Settings dialog box.
3. Set the system time or synchronize time with an NTP server, as described in Table 1.
4. Save the configuration.
Table 1: System Time
Settings | Guidelines
Time Zone | Select the time zone where the FortiTester appliance is installed.
System Time | The text boxes are populated with the current settings for the system date and time. You can change these manually.
Synchronize with NTP Server | Enter the IP address or domain name of an NTP server. To find an NTP server that you can use, see http://www.ntp.org. The time is not synched at a regular interval, only when you click the Save button.
Creating the admin password
FortiTester has a default user admin. By default, there is no password.
To change the password for the admin account:
1. In the top banner, click the admin link.
2. Select Modify Password from the drop-down menu.
3. Enter the old password, the new password, and save the configuration.
Configuring the device under test
The DUT must be configured to connect with FortiTester before tests can be run.
If the DUT is a FortiGate appliance, you generally need to configure interfaces, routes, and a firewall policy. Gateways for the test case are typically set as the IP address of the FortiGate's interfaces. If the client and server subnets are not on the same network as the gateway addresses, routes must be added.
Refer to the user guide for the specific DUT for instructions on how to configure it for testing.
Chapter 2 - Running Tests
This chapter provides procedures for running tests and viewing test results.
Test case configuration overview
The test case configuration workflow includes the following standard elements:
- Test type—The test template to use. It determines the mandatory and optional settings for specific cases.
- Case options—IP version, DUT role, DUT mode, network configuration, optional port binding, VLAN and Client Virtual Router.
- Interface ports—Client and server interface port configuration.
- Optional elements—Enable or disable packet capture, scheduling and MAC masquerade.
- Test case specifics—Variables that determine the test parameters, such as load, rates/limits, and client/server profiles and actions.
The first four items set up the basic test environment. Once you become familiar with them, you can assume they can be configured in the same manner for each test. The Client Virtual Router will simulate a router between FortiTester's client subnets and the connected DUT.
The test case specifics are key to testing the performance of the device under test (DUT). We recommend you become familiar with guidelines for test case specifics whenever you get started with a new test case type.
Using port binding and link aggregation
FortiTester system can bind multiple physical ports as one logical port. We call this feature port binding. The physical ports in one logical port share one network configuration, such as IP address, netmask, and gateway.
This feature is useful in the following scenarios:
- To test the link aggregation feature of a DUT. A DUT might also support port binding (also called link aggregation or TRUNK). In that case, FortiTester can test this feature and its performance.
- To test 40G/100G ports of DUT. A DUT might have some ports that have bandwidth greater than a single FortiTester port. To test such port performance, we can bind multiple FortiTester ports as one logical port and connect to a switch to transfer traffic with a DUT. For example, a FortiTester appliance can bind 4 10G ports as one to test a 40G port in DUT via a 10G/40G switch.
FortiTester averages traffic on physical ports that belong to one logical port.
Note: Only the DNS, TCP, UDP, RFC2544, HTTP, and HTTPS tests support port binding.
To change the port binding:
1. Click on the Optional Port Binding link.
Figure 5: Optional Port Binding
2. Click Add, under Network Settings.
3. Configure the settings. You can configure the number of bond interfaces and member ports, as well as the bond type.
4. Click Save.
Figure 6: Optional Port Binding Configuration
Using 40G to 4 x 10G fan out
FortiTester 2.9.0 comes with support for 40G to 4 x 10G fan out. This feature splits the 40G port into 4 separate 10G ports. Use the corresponding cable to link the 10G ports to the DUT.
To enable fan out:
1. Go to System > Device Ports.
2. Switch 40G fan out 4x10G to Enabled.
3. Click Ok.
4. Wait for the system to reboot.
After you have rebooted the system, the fan out should be enabled. You can check by going to System > Device Ports.
Using network configuration templates
Many test cases you may want to run will have the same basic network setup. To simplify configuration, you can create a network configuration template and then import it when you initially configure test case settings. The template settings are used to populate the network settings for the new test case configuration.
The network configuration template specifies the IP address type, DUT working mode, client/server port settings, subnet settings, port binding and VLAN settings.
You can only import template settings if the IP address type and DUT working mode you select in the new test case popup dialog box match the settings in the network configuration template.
After the settings have been imported, you can modify client/server port settings, subnet settings, port binding and VLAN settings if necessary.
To create a network configuration template:
1. Go to Cases > Config Object.
2. Click Add to display the configuration page.
3. In the popup dialog, configure the following settings:
   - IP Version—IPv4, IPv6 or Mixed.
   - DUT Role—Network Gateway or Application Server. If you want to test an application server, the FortiTester appliance will work as a pure client; if you want to test a network gateway, it will work as both client and server.
   - DUT Working Mode—Transparent mode, NAT mode, or Web Proxy mode. In the transparent mode, the DUT does not change the IP address of the packet. In NAT mode, the device is considered to be a router hop and the IP addresses can be translated. In Web Proxy mode, the proxy address is used. If the DUT is configured in Web Proxy mode (e.g. a WAF), select Web Proxy. Note: This setting will be shown only when DUT role is Network Gateway.
   - Tester and Application Server—Specify that the FortiTester appliance and the application server are in the same subnet or route by a gateway to send/receive traffic. Note: This setting will be shown only when DUT role is Application Server.
   - Port Binding—Optional. Port binding aggregates two or more physical ports into one logical port.
   - Support SNAT/DNAT Policy—Optional. Select this to allow DUT to do source and destination NAT on the same session.
     - Note: If the DUT performs SNAT/DNAT on the data traffic, use the Translated To field to change the IP address before starting the run.
   - Support VLAN—Optional. Set VLAN ID to the traffic.
   - Virtual Router—Optional. This option allows the clients and/or servers to be on subnets different from the DUT's interfaces and all traffic to/from the DUT uses the virtual router's MAC address.
4. Click OK to continue.
5. Complete the configuration as described in Table 2.
6. Save the configuration.
After you have created a network configuration template, you can extend it (which means making a copy), or export it as a zip file and import the zip file later.
Table 2: Network configuration object settings
Settings | Guidelines
Basic Information
Name | Specify a configuration name, or use the default. The name appears in the Network Config drop-down list when you configure test cases.
Network Settings
Client Ports, Server Ports | The page lists all the test ports for client-side and server-side connections. The client ports simulate the behavior of clients; the server ports simulate the behavior of servers. FortiTester builds the TCP connections between client ports and server ports (and through the DUT, of course). You must select at least one client port and one server port. After you select a port for the client, a check mark is displayed on the port icon. The same port on the server side is no longer available. Note: You don't need to select the server port if you've selected the DUT role as Application Server.
MAC Masquerade
MAC Masquerade | Specify the first two bytes of a MAC address for the traffic.
Virtual Router
IP Address | Specify the IP address of the virtual router. This IP address is used to connect to a DUT, therefore it must be in the same subnet as the connected port of the DUT. Please make sure the corresponding routing rules are set on the DUT, so that the DUT correctly forwards traffic to the virtual router. Only a single IP address in format xxx.xxx.xxx.xxx is accepted here.
Subnet
IP Address or Range | Specify a single IP address with standard format (for example, 10.1.2.1) or an address range like 10.1.2.1-10.1.2.99.
Translated To | NAT mode only. If the DUT uses SNAT/DNAT, specify the new, translated, IP address.
Netmask | Specify a netmask between 1 and 31.
VLAN ID | Specify a VLAN ID between 1 and 4095.
Server IP | When the DUT role is an application server, specify a single IP address in the standard format.
Gateway | Specify the gateway IP address when the DUT role is an application server or the DUT working mode is in NAT mode.
Peer Network | NAT mode only. Specify the peer network subnet address. If the DUT uses SNAT/DNAT, use the translated IP address.
Proxy IP/Mask | Web Proxy mode only. Specify the proxy IP address/netmask.
Add Subnet | If necessary, click +Add Subnet to display additional subnet configuration controls. An interface port can have multiple subnets. FortiTester uses all IP addresses in the specified subnets to create TCP connections and transfer data.
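
The field rules in Table 2 can be checked offline before a template is entered in the web UI. The following Python script is an added example, not part of the handbook or of FortiTester: the row keys, function names and sample addresses are constructed for illustration, and the check that a gateway must not fall inside the simulated address range is this example's own assumption.

```python
import ipaddress

NETMASK_RANGE = (1, 31)   # Table 2: "Specify a netmask between 1 and 31"
VLAN_RANGE = (1, 4095)    # Table 2: "Specify a VLAN ID between 1 and 4095"


def parse_ip_or_range(text):
    """Parse '10.1.2.1' or '10.1.2.1-10.1.2.99' into (first, last)."""
    first, sep, last = text.strip().partition("-")
    lo = ipaddress.IPv4Address(first.strip())
    hi = ipaddress.IPv4Address(last.strip()) if sep else lo
    if hi < lo:
        raise ValueError(f"range end {hi} is below range start {lo}")
    return lo, hi


def check_subnet(row):
    """Return a list of findings for one subnet row; an empty list means OK.

    Row keys (hypothetical names): ip_range, netmask, and the optional
    vlan_id and gateway.
    """
    findings = []
    netmask = row["netmask"]
    if not NETMASK_RANGE[0] <= netmask <= NETMASK_RANGE[1]:
        # Without a valid prefix length the network cannot be derived.
        return [f"netmask /{netmask} outside 1-31"]

    vlan = row.get("vlan_id")
    if vlan is not None and not VLAN_RANGE[0] <= vlan <= VLAN_RANGE[1]:
        findings.append(f"VLAN ID {vlan} outside 1-4095")

    try:
        lo, hi = parse_ip_or_range(row["ip_range"])
    except ValueError as exc:  # AddressValueError is a ValueError subclass
        findings.append(f"bad IP address or range: {exc}")
        return findings

    net = ipaddress.ip_network(f"{lo}/{netmask}", strict=False)
    if hi not in net:
        findings.append(f"range end {hi} is outside {net}")

    gateway = row.get("gateway")
    if gateway is not None:
        gw = ipaddress.IPv4Address(gateway)
        if lo <= gw <= hi:
            # Assumption of this example: a simulated client or server
            # address must not equal the DUT-side gateway address.
            findings.append(f"gateway {gw} collides with a simulated address")
        elif gw not in net:
            # The handbook states routes must be added in this case.
            findings.append(f"gateway {gw} is not in {net}: add routes on the DUT")
    return findings


def check_virtual_router(vr_ip, dut_port_ip, dut_port_prefix):
    """True if the virtual router IP is in the connected DUT port's subnet."""
    net = ipaddress.ip_network(f"{dut_port_ip}/{dut_port_prefix}", strict=False)
    return ipaddress.IPv4Address(vr_ip) in net


def validate_plan(plan):
    """Map each port label to its list of findings."""
    return {port: check_subnet(row) for port, row in plan.items()}


# Constructed sample plan; the addresses are illustrative only.
PLAN = {
    "client port1": {"ip_range": "10.1.2.1-10.1.2.99", "netmask": 24,
                     "vlan_id": 100, "gateway": "10.1.2.254"},
    "server port3": {"ip_range": "10.2.2.1-10.2.3.20", "netmask": 24,
                     "gateway": "10.2.2.10"},
    "client port2": {"ip_range": "10.3.0.5", "netmask": 32, "vlan_id": 0},
}

if __name__ == "__main__":
    for port, findings in validate_plan(PLAN).items():
        print(port, "OK" if not findings else findings)
    print("virtual router reachable:",
          check_virtual_router("192.168.10.2", "192.168.10.1", 24))
```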
Starting an HTTP CPS test
FortiTester tests HTTP new connections per second (CPS) performance by simulating multiple clients that generate HTTP traffic.
The traffic generated for each connection includes the TCP three-way handshake, HTTP request and HTTP response (complete HTTP transaction), and the TCP connection close (FIN, ACK, FIN, ACK). Each TCP packet has one HTTP GET request. The traffic is HTTP 1.0 without HTTP persistent connections (HTTP keep-alive).
Note the following limitations:
l You cannot modify the HTTP request or HTTP response headers.
To start an HTTP CPS test:
1. Go to Cases > HTTP > CPS to display the test case summary page.
2. Click Add to display the Case Options dialog box.
3. In the popup dialog, configure the network settings as described in "Using network configuration templates".
4. Click OK to continue.
5. Configure the test case options described in Table 3.
6. Click Start to run the test case.
FortiTester saves the configuration automatically so you can run the test again later. You can also click Save to save the test case without running it.
Tip: You can also copy an existing case, and change its settings to create a new case. In the case list, click Clone to clone the configuration. Only the case name is different from the original case.
Table 3: HTTP CPS Test Case configuration
Settings | Guidelines
Basic Information
Name | Specify the case name, or just use the default. The name appears in the list of test cases.
Ping Server Timeout | If a FortiTester connects to a DUT via a switch, the switch might cause a ping timeout, resulting in the test case failing to run. If this occurs, increase the timeout. The default is 15 seconds. The valid range is 0 to 600. Note: You can disable this end-to-end connectivity test by entering a setting of 0. If the DUT is unable to return packets, it is recommended you do so.
Duration | Specify the test duration. The default is 10 minutes. The test stops automatically after the duration you specify.
Number of Samples | Select the number of samples. The default is 20, which means the web UI will show the last 20 sample data (about 20 seconds) in the test case running page. You can select 20, 60, or 120.
Network Settings
Client Ports, Server Ports | The graphic depicts the test ports for client-side and server-side connections. The client ports simulate the behavior of clients; the server ports simulate the behavior of servers. FortiTester builds the TCP connections between client ports and server ports (and through the DUT, of course). You must select at least one client port and one server port. After you select a port for the client, a check mark is displayed on the port icon, and a tab for the port is added below the graphic. Use the tabs to toggle the Capture Packets and Subnet settings controls for each port.
Capture Packets
Capture Packets | Optional. Set packet capture options if you want to capture the traffic of this port. You can capture all packets or specify a number. You can set packet capture filters for host IP/port and protocol. Note: The system allocates temporary disk space for packet captures. The limit is 6,000,000 packets. The packets are saved to a temporary file that you can download from the running test case page. The filename indicates whether it is client or server communication and the interface port number. For example, client_port1.pcap. When a subsequent test case with packet capture enabled uses the same interface port as a previous one, the previous file is overwritten.
MAC Masquerade
MAC Masquerade | Specify the first two bytes of a MAC address for the traffic.
Virtual Router
IP Address | Specify the IP address of the virtual router. This IP address is used to connect to a DUT, therefore it must be in the same subnet as the connected port of the DUT. Please make sure the corresponding routing rules are set on the DUT, so that the DUT correctly forwards traffic to the virtual router. Only a single IP address in format xxx.xxx.xxx.xxx is accepted here.
Subnet
Subnet IP Address or Range | Specify a single IP address with standard format (for example, 10.1.2.1) or an address range like 10.1.2.1-10.1.2.99.
Netmask | Specify a netmask between 1 and 31.
VLAN ID | Specify a VLAN ID between 1 and 4095.
Gateway | NAT mode only. Specify the gateway IP address.
Peer Network | NAT mode only. Specify the peer network subnet address.
Proxy IP/Mask | Web Proxy mode only. Specify the proxy IP address/netmask.
Add Subnet | If necessary, click +Add Subnet to display additional subnet configuration controls. An interface port can have multiple subnets. FortiTester uses all IP addresses in the specified subnets to create TCP connections and transfer data.
Load
Simulated Users | Number of users to simulate. Standalone mode: The default is 256. The valid range is from 1 to 1024. Test Center mode: The default is 512, and the valid range is from 1 to 2048, for example, for an environment with two FortiTester appliances.
Speed Limit | Rate of new transactions per second. The default is 0, which means the device will send traffic as fast as possible. Standalone mode: The valid range is 1,000 to 850,000 transactions per second (or the special value 0). Test Center mode: The valid range is 1,000 to 1,700,000, for example, for an environment with two FortiTester appliances.
Ramp UP Seconds | Time in seconds for traffic to ramp up when you start the test.
Ramp Down Seconds | Time in seconds for traffic to ramp down when you stop the test.
Network
MTU | Preset to 1500. Not configurable.
Profile (Client)
Source Port Range | Specify a client port range. The valid range is 10,000 to 65,535, which is also the default.
Client Close Mode | Select the connection close method: 3Way_Fin or Reset.
IP Change Algorithm / Port Change Algorithm | Select a change algorithm: Increment or Random. This setting determines how the system changes source/destination IP addresses and ports to simulate multiple client requests. The Increment option uses the next IP address or port in the range, for example: 10.11.12.1 -> 10.11.12.2; port 10000 -> 10001. The Random option selects an IP address or port in the range randomly.
Request Header | Preset to UserAgent: Firefox/41.0. Click the Add Header button to specify more headers.
Piggybacking | Enabled, meaning an acknowledgement is sent on the data frame, not in an individual frame. Not configurable.
Profile (Server)
Server Port | Preset to 80. Not configurable.
Response Header | Preset to Server: nginx/1.9.5 Content-Type:text/html. Click the Add Header button to specify more headers.
Piggybacking | Enabled. Not configurable.
Action
Get page | Select the file that the simulated clients access. The default is "index.html" with 4 bytes. Optionally, you can upload a customized HTML file. The file size limit is 10 MB.
Post page | Select the file that simulated servers send. The default is "index.php" with 4 bytes. You can edit the post parameters. The file size limit is 10 MB.
Starting an HTTP RPS test
FortiTester tests requests per second (RPS) performance by simulating multiple clients that generate HTTP traffic.
All requests include a TCP three-way handshake, one HTTP request and response, and a TCP connection close (FIN, ACK, FIN, ACK). There are 10 HTTP GET requests per TCP connection and 100 HTTP GET requests per TCP connection for Layer4/HTTPS testing.
Note the following limitations:
l You cannot modify the HTTP request or HTTP response headers.
To start an HTTP RPS test:
1. Go to Cases > HTTP > RPS to display the test case summary page.
2. Click Add to display the Case Options dialog box.
3. In the popup dialog, configure the network settings as described in "Using network configuration templates".
4. Click OK to continue.
5. Configure the test case options described in Table 4.
6. Click Start to run the test case.
FortiTester saves the configuration automatically so you can run the test again later. You can also click Save to save the test case without running it.
Tip: You can also copy an existing case, and change its settings to create a new case. In the case list, click Clone to clone the configuration. Only the case name is different from the original case.
Table 4: HTTP RPS Test Case configuration
22 FortiTester HandbookFortinet Technologies, Inc.
Starting an HTTPRPS test Chapter 2 - Running Tests
Settings Guidelines
Basic Information
Name Specify the case name, or just use the default. The name appears in the list of test cases.
Ping Server Timeout If a FortiTester connects to a DUT via a switch, the switch might cause a ping timeout, resulting in the test case failing to run. If this occurs, increase the timeout. The default is 15 seconds. The valid range is 0 to 600. Note: You can disable this end-to-end connectivity test by entering a setting of 0. If the DUT is unable to return packets, it is recommended you do so.
Duration Test duration. The default is 10 minutes. The test stops automatically after the duration you specify.
Number of Samples Select the number of samples. The default is 20, which means the web UI will show the last 20 sample data (about 20 seconds) in the test case running page. You can select 20, 60, or 120.
Network Settings
Client Ports, Server Ports The graphic depicts the test ports for client-side and server-side connections. The client ports simulate the behavior of clients; the server ports simulate the behavior of servers. FortiTester builds the TCP connections between client ports and server ports (and through the DUT, of course).
You must select at least one client port and one server port. After you select a port for client, a check mark is displayed on the port icon, and a tab for the port is added below the graphic. Use the tabs to toggle the Capture Packets and Subnet settings controls for each port.
Capture Packets
Capture Packets Optional. Set packet capture options if you want to capture the traffic of this port. You can capture all packets or specify a number. You can set packet capture filters for host IP/port and protocol.
Note: The system allocates temporary disk space for packet captures. The limit is 6,000,000 packets. The packets are saved to a temporary file that you can download from the running test case page. The filename indicates whether it is client or server communication and the interface port number. For example, client_port1.pcap. When a subsequent test case with packet capture enabled uses the same interface port as a previous one, the previous file is overwritten.
MAC Masquerade
MAC Masquerade Specify the first two bytes of a MAC address for the traffic.
Virtual Router
IP Address Web Proxy only. Specify the IP address of the virtual router. This IP address is used to connect to a DUT, so it must be in the same subnet as the connected port of the DUT. Make sure the corresponding routing rules are set on the DUT, so that the DUT correctly forwards traffic to the virtual router. Only a single IP address in the format xxx.xxx.xxx.xxx is accepted here.
Subnet
Subnet IP Address or Range Specify a single IP address in standard format (for example, 10.1.2.1) or an address range like 10.1.2.1-10.1.2.99.
Netmask Specify a netmask between 1 and 31.
VLAN ID Specify a VLAN ID between 1 and 4095.
Gateway NAT mode only. Specify the gateway IP address.
Peer Network NAT mode only. Specify the peer network subnet address.
Proxy IP/Mask Web Proxy mode only. Specify the proxy IP address/netmask.
Add Subnet If necessary, click +Add Subnet to display additional subnet configuration controls. An interface port can have multiple subnets. FortiTester uses all IP addresses in the specified subnets to create TCP connections and transfer data.
Load
Simulated Users Number of users to simulate.
Standalone mode: The default is 256. The valid range is from 1 to 1024.
Test Center mode: The default is 512, and the valid range is from 1 to 2048, for example, for an environment with two FortiTester appliances.
Requests per Connection Number of HTTP requests per connection. The default is 0, which means as many as possible. The valid range is 0 to 50,000.
Speed Limit Rate of requests per second. The default is 0, which means the device will send traffic as fast as possible.
Standalone mode: The valid range is 1,000 to 1,600,000 requests per second (or the special value 0).
Test Center mode: The valid range is 1,000 to 3,200,000, for example, for an environment with two FortiTester appliances.
Ramp UP Seconds Time in seconds for traffic to ramp up when you start the test.
Ramp Down Seconds Time in seconds for traffic to ramp down when you stop the test.
Network
MTU Preset to 1500. Not configurable.
Profile (Client)
Source Port Range Client port range. The valid range is 10,000 to 65,535, which is also the default.
Client Close Mode Select the connection close method: 3Way_Fin or Reset.
IP Change Algorithm / Port Change Algorithm Select a change algorithm: Increment or Random. This setting determines how the system changes source/destination IP addresses and ports to simulate multiple client requests. The Increment option uses the next IP address or port in the range, for example: 10.11.12.1 -> 10.11.12.2; port 10000 -> 10001. The Random option selects an IP address or port in the range randomly.
Request Header Preset to UserAgent: Firefox/41.0. Click the Add Header button to specify more headers.
Piggybacking Enabled, meaning an acknowledgement is sent on the data frame, not in an individual frame. Not configurable.
Profile (Server)
Server Port Preset to 80. Not configurable.
Response Header Preset to Server: nginx/1.9.5 Content-Type:text/html. Click the Add Header button to specify more headers.
Piggybacking Enabled. Not configurable.
Action
Get Page Select the file that the simulated clients access. The default is “index.html” with 4 bytes. Optionally, you can upload a customized HTML file. The file size limit is 10 MB.
Post page Select the file that simulated servers send. The default is "index.php" with 4 bytes. You can edit the post parameters. The file size limit is 10 MB.
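The Virtual Router, Subnet, Netmask and VLAN ID rows in the table above constrain one another, so they can be checked before a case is started. The following Python check is an added example, not FortiTester code: the function names and the DUT port address given in CIDR form are assumptions, and the duplicate-address check is a general networking check rather than something the handbook states.

```python
import ipaddress


def parse_subnet_range(text):
    """Parse the 'Subnet IP Address or Range' field.

    Accepts '10.1.2.1' or '10.1.2.1-10.1.2.99' and returns (first, last).
    """
    parts = [p.strip() for p in text.split("-")]
    if len(parts) not in (1, 2) or not all(parts):
        raise ValueError(f"not an address or a-b range: {text!r}")
    first = ipaddress.IPv4Address(parts[0])
    last = ipaddress.IPv4Address(parts[-1])
    if last < first:
        raise ValueError(f"range end precedes range start: {text!r}")
    return first, last


def check_port_settings(subnet_range, netmask, vlan_id, virtual_router_ip, dut_port):
    """Return a list of problems; an empty list means the values are consistent.

    dut_port is the DUT's connected port in CIDR form, e.g. '10.1.2.254/24'
    (an assumption of this example; the handbook only requires the virtual
    router to be in the same subnet as that port).
    """
    problems = []

    # Limits stated in the table: netmask 1-31, VLAN ID 1-4095.
    netmask_ok = 1 <= netmask <= 31
    if not netmask_ok:
        problems.append(f"netmask {netmask} is outside 1-31")
    if vlan_id is not None and not 1 <= vlan_id <= 4095:
        problems.append(f"VLAN ID {vlan_id} is outside 1-4095")

    dut = ipaddress.IPv4Interface(dut_port)

    try:
        first, last = parse_subnet_range(subnet_range)
    except ValueError as exc:
        problems.append(str(exc))
    else:
        if netmask_ok:
            # The whole range has to fit in the network implied by the netmask.
            net = ipaddress.ip_network(f"{first}/{netmask}", strict=False)
            if last not in net:
                problems.append(f"range {subnet_range} does not fit in {net}")
        # General networking check: a simulated client must not reuse the
        # DUT port's own address.
        if first <= dut.ip <= last:
            problems.append(f"range includes the DUT port address {dut.ip}")

    # Virtual router: a single dotted-quad address in the DUT port's subnet.
    try:
        router = ipaddress.IPv4Address(virtual_router_ip)
    except ValueError:
        problems.append(
            f"virtual router IP {virtual_router_ip!r} is not a single IPv4 address"
        )
    else:
        if router not in dut.network:
            problems.append(
                f"virtual router {router} is not in the same subnet "
                f"as the DUT port ({dut.network})"
            )
        elif router == dut.ip:
            problems.append(f"virtual router {router} duplicates the DUT port address")

    return problems


if __name__ == "__main__":
    # Constructed sample values, using the address forms shown in the table.
    samples = [
        ("10.1.2.1-10.1.2.99", 24, 100, "10.1.2.200", "10.1.2.254/24"),
        ("10.1.2.1-10.1.2.99", 24, 100, "10.1.3.200", "10.1.2.254/24"),
        ("10.1.2.250-10.1.3.5", 24, None, "10.1.2.200", "10.1.2.254/24"),
    ]
    for sample in samples:
        result = check_port_settings(*sample)
        print(sample, "->", result or "OK")
```
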
Starting an HTTP CC test
FortiTester tests HTTP concurrent connection (CC) performance by simulating multiple clients that generate HTTP traffic. Each connection includes a TCP three-way handshake, a loop of HTTP requests and responses (complete HTTP transactions), and a connection close with TCP FIN.
Note the following limitations:
- You cannot modify the HTTP request or HTTP response headers.
To start an HTTP CC test:
1. Go to Cases > HTTP > CC to display the test case summary page.
2. Click Add to display the Case Options dialog box.
3. In the popup dialog, configure the network settings as described in "Using network configuration templates" on page 16.
4. Click OK to continue.
5. Configure the test case options described in Table 5.
6. Click Start to run the test case.
FortiTester saves the configuration automatically so you can run the test again later. You can also click Save to save the test case without running it.
Tip: You can also copy an existing case, and change its settings to create a new case. In the case list, click Clone to clone the configuration. Only the case name is different from the original case.
Table 5: HTTP CC Test Case configuration
Settings Guidelines
Basic Information
Name Specify the case name, or just use the default. The name appears in the list of test cases.
Ping Server Timeout If a FortiTester connects to a DUT via a switch, the switch might cause a ping timeout, resulting in the test case failing to run. If this occurs, increase the timeout. The default is 15 seconds. The valid range is 0 to 600. Note: You can disable this end-to-end connectivity test by entering a setting of 0. If the DUT is unable to return packets, it is recommended you do so.
Number of Samples Select the number of samples. The default is 20, which means the web UI will show the last 20 sample data (about 20 seconds) in the test case running page. You can select 20, 60, or 120.
Duration Specify the test duration. The default is 10 minutes. The test stops automatically after the duration you specify.
Network Settings
Client Ports, Server Ports The graphic depicts the test ports for client-side and server-side connections. The client ports simulate the behavior of clients; the server ports simulate the behavior of servers. FortiTester builds the TCP connections between client ports and server ports (and through the DUT, of course).
You must select at least one client port and one server port. After you select a port for client, a check mark is displayed on the port icon, and a tab for the port is added below the graphic. Use the tabs to toggle the Capture Packets and Subnet settings controls for each port.
Capture Packets
Capture Packets Optional. Set packet capture options if you want to capture the traffic of this port. You can capture all packets or specify a number. You can set packet capture filters for host IP/port and protocol.
Note: The system allocates temporary disk space for packet captures. The limit is 6,000,000 packets. The packets are saved to a temporary file that you can download from the running test case page. The filename indicates whether it is client or server communication and the interface port number. For example, client_port1.pcap. When a subsequent test case with packet capture enabled uses the same interface port as a previous one, the previous file is overwritten.
MAC Masquerade
MAC Masquerade Specify the first two bytes of a MAC address for the traffic.
Virtual Router
IP Address Specify the IP address of the virtual router. This IP address is used to connect to a DUT, so it must be in the same subnet as the connected port of the DUT. Make sure the corresponding routing rules are set on the DUT, so that the DUT correctly forwards traffic to the virtual router. Only a single IP address in the format xxx.xxx.xxx.xxx is accepted here.
Subnet
Subnet IP Address or Range Specify a single IP address in standard format (for example, 10.1.2.1) or an address range like 10.1.2.1-10.1.2.99.
Netmask Specify a netmask between 1 and 31.
VLAN ID Specify a VLAN ID between 1 and 4095.
Gateway NAT mode only. Specify the gateway IP address.
Peer Network NAT mode only. Specify the peer network subnet address.
Proxy IP/Mask Web Proxy mode only. Specify the proxy IP address/netmask.
Add Subnet If necessary, click +Add Subnet to display additional subnet configuration controls. An interface port can have multiple subnets. FortiTester uses all IP addresses in the specified subnets to create TCP connections and transfer data.
Load
Simulated Users Number of users to simulate.
Standalone mode: The default is 256. The valid range is from 1 to 1024.
Test Center mode: The default is 512, and the valid range is from 1 to 2048, for example, for an environment with two FortiTester appliances.
Concurrent Connections Number of concurrent connections.
Standalone mode: The default is 6,000,000. The valid range is 5,000 to 6,000,000.
Test Center mode: The default is 12,000,000, and the valid range is 5,000 to 12,000,000, for example, for an environment with two FortiTester appliances.
Concurrent Close Number of connections to close at any given time. To keep the DUT from losing packets, connections are closed batch by batch.
Standalone mode: The default is 256, and the valid range is 1 to 10,000.
Test Center mode: The default is 512, and the valid range is 1 to 10,000.
Speed Limit Rate of new transactions per second. The default is 0, which means the device will send traffic as fast as possible.
Standalone mode: The valid range is 256 to 600,000 transactions per second (or the special value 0).
Test Center mode: The valid range is 256 to 1,200,000, for example, for an environment with two FortiTester appliances.
Think Time Seconds that a simulated user waits between HTTP requests. The default is 5 seconds.
Network
MTU Preset to 1500. Not configurable.
Profile (Client)
Source Port Range Specify a client port range. The valid range is 10,000 to 65,535, which is also the default.
Client Close Mode Select the connection close method: 3Way_Fin or Reset.
IP Change Algorithm / Port Change Algorithm Select a change algorithm: Increment or Random. This setting determines how the system changes source/destination IP addresses and ports to simulate multiple client requests. The Increment option uses the next IP address or port in the range, for example: 10.11.12.1 -> 10.11.12.2; port 10000 -> 10001. The Random option selects an IP address or port in the range randomly.
Request Header Preset to UserAgent: Firefox/41.0. Click the Add Header button to specify more headers.
Piggybacking Enabled, meaning an acknowledgement is sent on the data frame, not in an individual frame. Not configurable.
Profile (Server)
Server Port Preset to 80. Not configurable.
Response Header Preset to Server: nginx/1.9.5 Content-Type:text/html. Click the Add Header button to specify more headers.
Piggybacking Enabled. Not configurable.
Action
Get page Select the file that the simulated clients access. The default is “index.html” with 4 bytes. Optionally, you can upload a customized HTML file. The file size limit is 10 MB.
Post page Select the file that simulated servers send. The default is "index.php" with 4 bytes. You can edit the post parameters. The file size limit is 10 MB.
Starting an HTTP throughput test
FortiTester tests HTTP throughput performance by simulating multiple clients that generate HTTP traffic.
Note the following limitations:
- You cannot modify the HTTP request or HTTP response headers.
To start an HTTP throughput test:
1. Go to Cases > HTTP > Throughput to display the test case summary page.
2. Click Add to display the Case Options dialog box.
3. In the popup dialog, configure the network settings as described in "Using network configuration templates" on page 16.
4. Click OK to continue.
5. Configure the test case options described in Table 6.
6. Click Start to run the test case.
FortiTester saves the configuration automatically, so you can run the test again later. You can also click Save to save the test case without running it.
Tip: You can also copy an existing case, and change its settings to create a new case. In the case list, click Clone to clone the configuration. Only the case name is different from the original case.
Table 6: HTTP Throughput Test Case configuration
Settings Guidelines
Basic Information
Name Specify the case name, or just use the default. The name appears in the list of test cases.
Ping Server Timeout If a FortiTester connects to a DUT via a switch, the switch might cause a ping timeout, resulting in the test case failing to run. If this occurs, increase the timeout. The default is 15 seconds. The valid range is 0 to 600. Note: You can disable this end-to-end connectivity test by entering a setting of 0. If the DUT is unable to return packets, it is recommended you do so.
Duration Specify the test duration. The default is 10 minutes. The test stops automatically after the duration you specify.
Number of Samples Select the number of samples. The default is 20, which means the web UI will show the last 20 sample data (about 20 seconds) in the test case running page. You can select 20, 60, or 120.
Network Settings
Client Ports, Server Ports The graphic depicts the test ports for client-side and server-side connections. The client ports simulate the behavior of clients; the server ports simulate the behavior of servers. FortiTester builds the TCP connections between client ports and server ports (and through the DUT, of course).
You must select at least one client port and one server port. After you select a port for client, a check mark is displayed on the port icon, and a tab for the port is added below the graphic. Use the tabs to toggle the Capture Packets and Subnet settings controls for each port.
Capture Packets
Capture Packets Optional. Set packet capture options if you want to capture the traffic of this port. You can capture all packets or specify a number. You can set packet capture filters for host IP/port and protocol.
Note: The system allocates temporary disk space for packet captures. The limit is 200,000 packets. The packets are saved to a temporary file that you can download from the running test case page. The filename indicates whether it is client or server communication and the interface port number. For example, client_port1.pcap. When a subsequent test case with packet capture enabled uses the same interface port as a previous one, the previous file is overwritten.
MAC Masquerade
MAC Masquerade Specify the first two bytes of a MAC address for the traffic.
Virtual Router
IP Address Specify the IP address of the virtual router. This IP address is used to connect to a DUT, so it must be in the same subnet as the connected port of the DUT. Make sure the corresponding routing rules are set on the DUT, so that the DUT correctly forwards traffic to the virtual router. Only a single IP address in the format xxx.xxx.xxx.xxx is accepted here.
Subnet
Subnet IP Address or Range Specify a single IP address in standard format (for example, 10.1.2.1) or an address range like 10.1.2.1-10.1.2.99.
Netmask Specify a netmask between 1 and 31.
VLAN ID Specify a VLAN ID between 1 and 4095.
Gateway NAT mode only. Specify the gateway IP address.
Peer Network NAT mode only. Specify the peer network subnet address.
Proxy IP/Mask Web Proxy mode only. Specify the proxy IP address/netmask.
Add Subnet If necessary, click +Add Subnet to display additional subnet configuration controls. An interface port can have multiple subnets. FortiTester uses all IP addresses in the specified subnets to create TCP connections and transfer data.
Load
Simulated Users Number of users to simulate.
Standalone mode: The default is 256. The valid range is from 1 to 1024.
Test Center mode: The default is 512, and the valid range is from 1 to 2048, for example, for an environment with two FortiTester appliances.
Speed Limit Rate of requests per second. The default is 0, which means the device will send traffic as fast as possible.
Standalone mode: The valid range is 100 to 1,600,000 requests per second (or the special value 0).
Test Center mode: The valid range is 100 to 3,200,000, for example, for an environment with two FortiTester appliances.
Ramp UP Seconds Time in seconds for traffic to ramp up when you start the test.
Ramp Down Seconds Time in seconds for traffic to ramp down when you stop the test.
Network
Network MTU Preset to 1500. Not configurable.
Profile (Client)
Source Port Range Client port range. The valid range is from 10,000 to 65,535, which is also the default.
Client Close Mode Preset to Reset. Not configurable.
IP Change Algorithm / Port Change Algorithm Select a change algorithm: Increment or Random. This setting determines how the system changes source/destination IP addresses and ports to simulate multiple client requests. The Increment option uses the next IP address or port in the range, for example: 10.11.12.1 -> 10.11.12.2; port 10000 -> 10001. The Random option selects an IP address or port in the range randomly.
Request Header Preset to UserAgent: Firefox/41.0. Click the Add Header button to specify more headers.
Piggybacking Enabled, meaning an acknowledgement is sent on the data frame, not in an individual frame. Not configurable.
Profile (Server)
Server Port Preset to 80. Not configurable.
Response Header Preset to Server: nginx/1.9.5 Content-Type:text/html. Click the Add Header button to specify more headers.
Piggybacking Enabled. Not configurable.
Action
Get page Select the file that the simulated clients access. The default is “index.html” with 50,000 bytes. Optionally, you can upload a customized HTML file. The file size limit is 10 MB.
Post page Select the file that simulated servers send. The default is "index.php" with 4 bytes. You can edit the post parameters. The file size limit is 10 MB.
Starting an HTTPS CPS test
The HTTPS CPS test is the same as the HTTP CPS test, except it uses HTTPS traffic, does not have the Speed Limit option, and the MTU is editable.
To start an HTTPS CPS test:
1. Go to Cases > HTTPS > CPS to display the test case summary page.
2. Click Add to display the Case Options dialog box.
3. In the popup dialog, configure the network settings as described in "Using network configuration templates" on page 16.
4. Click OK to continue.
5. Configure the test case options described in Table 7.
6. Click Start to run the test case.
FortiTester saves the configuration automatically so you can run the test again later. You can also click Save to save the test case without running it.
Tip: You can also copy an existing case, and change its settings to create a new case. In the case list, click Clone to clone the configuration. Only the case name is different from the original case.
Table 7: HTTPS CPS Test Case configuration
Settings Guidelines
Basic Information
Name Specify the case name, or just use the default. The name appears in the list of test cases.
Ping Server Timeout If a FortiTester connects to a DUT via a switch, the switch might cause a ping timeout, resulting in the test case failing to run. If this occurs, increase the timeout. The default is 15 seconds. The valid range is 0 to 600. Note: You can disable this end-to-end connectivity test by entering a setting of 0. If the DUT is unable to return packets, it is recommended you do so.
Duration Specify the test duration. The default is 10 minutes. The test stops automatically after the duration you specify.
Number of Samples Select the number of samples. The default is 20, which means the web UI will show the last 20 sample data (about 20 seconds) in the test case running page. You can select 20, 60, or 120.
Network Settings
Client Ports, Server Ports The graphic depicts the test ports for client-side and server-side connections. The client ports simulate the behavior of clients; the server ports simulate the behavior of servers. FortiTester builds the TCP connections between client ports and server ports (and through the DUT, of course).
You must select at least one client port and one server port. After you select a port for client, a check mark is displayed on the port icon, and a tab for the port is added below the graphic. Use the tabs to toggle the Capture Packets and Subnet settings controls for each port.
Capture Packets
Capture Packets Optional. Set packet capture options if you want to capture the traffic of this port. You can capture all packets or specify a number. You can set packet capture filters for host IP/port and protocol.
Note: The system allocates temporary disk space for packet captures. The limit is 6,000,000 packets. The packets are saved to a temporary file that you can download from the running test case page. The filename indicates whether it is client or server communication and the interface port number. For example, client_port1.pcap. When a subsequent test case with packet capture enabled uses the same interface port as a previous one, the previous file is overwritten.
MAC Masquerade
MAC Masquerade Specify the first two bytes of a MAC address for the traffic.
Virtual Router
IP Address Specify the IP address of the virtual router. This IP address is used to connect to a DUT, so it must be in the same subnet as the connected port of the DUT. Make sure the corresponding routing rules are set on the DUT, so that the DUT correctly forwards traffic to the virtual router. Only a single IP address in the format xxx.xxx.xxx.xxx is accepted here.
Subnet
Subnet IP Address or Range Specify a single IP address in standard format (for example, 10.1.2.1) or an address range like 10.1.2.1-10.1.2.99.
Netmask Specify a netmask between 1 and 31.
VLAN ID Specify a VLAN ID between 1 and 4095.
Gateway NAT mode only. Specify the gateway IP address.
Peer Network NAT mode only. Specify the peer network subnet address.
Proxy IP/Mask Web Proxy mode only. Specify the proxy IP address/netmask.
Add Subnet If necessary, click +Add Subnet to display additional subnet configuration controls. An interface port can have multiple subnets. FortiTester uses all IP addresses in the specified subnets to create TCP connections and transfer data.
Load
Simulated Users Number of users to simulate.
Standalone mode: The default is 256. The valid range is from 1 to 900.
Test Center mode: The default is 512 and the valid range is from 1 to 1,800, for example, for an environment with two FortiTester appliances.
Speed Limit Rate of new transactions per second. The default is 0, which means the device will send traffic as fast as possible.
Standalone mode: The valid range is 100 to 100,000 transactions per second (or the special value 0).
Test Center mode: The valid range is 100 to 200,000, for example, for an environment with two FortiTester appliances.
Ramp Up Seconds Time in seconds for traffic to ramp up when you start the test.
Ramp Down Seconds Time in seconds for traffic to ramp down when you stop the test.
Network
Network MTU Maximum Transmission Unit for a data packet. FortiTester does not send out data packets larger than this value. Most DUTs have a limitation for packet size. The default is 1500. The valid range is 1,280 to 9,000.
Profile (Client)
Source Port Range Preset to 10000-65535. Not configurable.
Client Close Mode Select the connection close method: 3Way_Fin or Reset.
IP Change Algorithm / Port Change Algorithm Determines how the system changes source/destination IP addresses and ports to simulate multiple client requests. Preset to Random. Not configurable. The Random option selects an IP address or port in the range randomly.
Request Header Preset to UserAgent: Firefox/41.0. Click the Add Header button to specify more headers.
Piggybacking Default enabled.
Quiet Shutdown Enable to apply a safe shutdown procedure to SSL connections by sending an SSL alert to the peer.
Allowed SSL Versions Supported SSL versions: SSLv3, TLSv1.0, TLSv1.1 and TLSv1.2. The default is TLSv1.2.
SSL Ciphers Select one or more SSL ciphers from the list.
Profile (Server)
Server Port Preset to 80, 443. Not configurable.
Server Certificate Length of SSL key for encryption/decryption. The default is 1024. The valid range is from 1024 to 2048.
Response Header Preset to Server: nginx/1.9.5 Content-Type:text/html. Click the Add Header button to specify more headers.
Piggybacking Default enabled.
Action
Get page Select the file that the simulated clients access. The default is “index.html” with 4 bytes. Optionally, you can upload a customized HTML file. The file size limit is 10 MB.
Post page Select the file that simulated servers send. The default is "index.php" with 4 bytes. You can edit the post parameters. The file size limit is 10 MB.
Starting an HTTPS RPS test
The HTTPS RPS test is the same as the HTTP RPS test, except it uses HTTPS traffic, does not have the Speed Limit option, and the MTU is editable.
To start an HTTPS RPS test:
1. Go to Cases > HTTPS > RPS to display the test case summary page.
2. Click Add to display the Case Options dialog box.
3. In the popup dialog, configure the network settings as described in "Using network configuration templates" on page 16.
4. Click OK to continue.
5. Configure the test case options described in Table 8.
6. Click Start to run the test case.
FortiTester saves the configuration automatically so you can run the test again later. You can also click Save to save the test case without running it.
Tip: You can also copy an existing case, and change its settings to create a new case. In the case list, click Clone to clone the configuration. Only the case name is different from the original case.
Table 8: HTTPS RPS Test Case configuration
Settings Guidelines
Basic Information
Name Specify the case name, or just use the default. The name appears in the list of test cases.
Ping Server Timeout If a FortiTester connects to a DUT via a switch, the switch might cause a ping timeout, resulting in the test case failing to run. If this occurs, increase the timeout. The default is 15 seconds. The valid range is 0 to 600. Note: You can disable this end-to-end connectivity test by entering a setting of 0. If the DUT is unable to return packets, it is recommended you do so.
Duration Specify the test duration. The default is 10 minutes. The test stops automatically after the duration you specify.
Number of Samples Select the number of samples. The default is 20, which means the web UI will show the last 20 sample data (about 20 seconds) in the test case running page. You can select 20, 60, or 120.
Network Settings
Client Ports, Server Ports The graphic depicts the test ports for client-side and server-side connections. The client ports simulate the behavior of clients; the server ports simulate the behavior of servers. FortiTester builds the TCP connections between client ports and server ports (and through the DUT, of course).
You must select at least one client port and one server port. After you select a port for client, a check mark is displayed on the port icon, and a tab for the port is added below the graphic. Use the tabs to toggle the Capture Packets and Subnet settings controls for each port.
Capture Packets
Capture Packets Optional. Set packet capture options if you want to capture the traffic of this port. You can capture all packets or specify a number. You can set packet capture filters for host IP/port and protocol.
Note: The system allocates temporary disk space for packet captures. The limit is 200,000 packets. The packets are saved to a temporary file that you can download from the running test case page. The filename indicates whether it is client or server communication and the interface port number. For example, client_port1.pcap. When a subsequent test case with packet capture enabled uses the same interface port as a previous one, the previous file is overwritten.
MAC Masquerade
MAC Masquerade Specify the first two bytes of a MAC address for the traffic.
Virtual Router
IP Address Specify the IP address of the virtual router. This IP address is used to connect to a DUT, so it must be in the same subnet as the connected port of the DUT. Make sure the corresponding routing rules are set on the DUT, so that the DUT correctly forwards traffic to the virtual router. Only a single IP address in the format xxx.xxx.xxx.xxx is accepted here.
Subnet
Subnet IP Address or Range Specify a single IP address in standard format (for example, 10.1.2.1) or an address range like 10.1.2.1-10.1.2.99.
Netmask Specify a netmask between 1 and 31.
VLAN ID Specify a VLAN ID between 1 and 4095.
Gateway NAT mode only. Specify the gateway IP address.
Peer Network NAT mode only. Specify the peer network subnet address.
Proxy IP/Mask Web Proxy mode only. Specify the proxy IP address/netmask.
Add Subnet If necessary, click +Add Subnet to display additional subnet configuration controls. An interface port can have multiple subnets. FortiTester uses all IP addresses in the specified subnets to create TCP connections and transfer data.
Load
Simulated Users Number of users to simulate.
Standalone mode: The default is 256. The valid range is from 1 to 900.
Test Center mode: The default is 512, and the valid range is from 1 to 1,800, forexample, for an environment with two FortiTester appliances.
Requests per Con-nection
The number of HTTP requests per connection. The default is 200. The valid range is 0to 50,000.
Speed Limit Rate of requests per second. The default is 0, which means the device will send trafficas fast as possible.
Standalone mode: The valid range is 100 to 1,600,000 requests per second (or thespecial value 0).
Test Center mode: The valid range is 100 to 3,200,000, for example, for an envir-onment with two FortiTester appliances.
Ramp UP Seconds Time in seconds for traffic to ramp up when you start the test.
Ramp Down Seconds Time in seconds for traffic to ramp down when you stop the test.
Network
Network MTU Maximum Transmission Unit for a data packet. FortiTester does not send out data packets larger than this value. Most DUTs have a limitation for packet size. The default is 1500. The valid range is 1,280 to 9,000.
Profile (Client)
Source Port Range Preset to 10000-65535. Not configurable.
IP Change Algorithm / Port Change Algorithm Determines how the system changes source/destination IP addresses and ports to simulate multiple client requests. Preset to Random. Not configurable. The Random option selects an IP address or port in the range randomly.
Request Header Preset to UserAgent: Firefox/41.0. Click the Add Header button to specify more headers.
Piggybacking Enable to apply piggyback to SSL connections issued by client side. This is enabled by default.
Allowed SSL Versions Supported SSL versions: SSLv3, TLSv1.0, TLSv1.1 and TLSv1.2 (default).
SSL Ciphers Select one or more SSL ciphers from the list.
Profile (Server)
Server Port Preset to 80, 443. Not configurable.
Server Certificate Length of SSL key for encryption/decryption. The default is 1024. The valid range is from 1024 to 2048.
Response Header Preset to Server: nginx/1.9.5 Content-Type:text/html. Click the Add Header button to specify more headers.
Piggybacking Enable to apply piggyback to SSL connections issued by server side. This is enabled by default.
Action
Get page Select the file that the simulated clients access. The default is “index.html” with 50,000 bytes. Optionally, you can upload a customized HTML file. The file size limit is 10 MB.
Post page Select the file that simulated servers send. The default is "index.php" with 4 bytes. You can edit the post parameters. The file size limit is 10 MB.
Starting an HTTPS CC test
The HTTPS CC test is the same as the HTTP CC test, except that it uses HTTPS traffic and the MTU is editable.
To start an HTTPS CC test:
1. Go to Cases > HTTPS > CC to display the test case summary page.
2. Click Add to display the Case Options dialog box.
3. In the popup dialog, configure the network settings as described in "Using network configuration templates" on page 16.
4. Click OK to continue.
5. Configure the test case options as described in Table 9.
6. Click Start to run the test case.
FortiTester saves the configuration automatically so you can run the test again later. You can also click Save to save the test case without running it.
Tip: You can also copy an existing case and change its settings to create a new case. In the case list, click Clone to clone the configuration. Only the case name is different from the original case.
Table 9: HTTPS CC Test Case configuration
Settings Guidelines
Basic Information
Name Specify the case name, or just use the default. The name appears in the list of test cases.
Ping Server Timeout If a FortiTester connects to a DUT via a switch, the switch might cause a ping timeout, resulting in the test case failing to run. If this occurs, increase the timeout. The default is 15 seconds. The valid range is 0 to 600. Note: You can disable this end-to-end connectivity test by entering a setting of 0. If the DUT is unable to return packets, it is recommended you do so.
Duration Specify the test duration. The default is 10 minutes. The test stops automatically after the duration you specify.
Number of Samples Select the number of samples. The default is 20, which means the web UI shows the last 20 samples (about 20 seconds) on the test case running page. You can select 20, 60, or 120.
Network Settings
Client Ports, Server Ports The graphic depicts the test ports for client-side and server-side connections. The client ports simulate the behavior of clients; the server ports simulate the behavior of servers. FortiTester builds the TCP connections between client ports and server ports (and through the DUT, of course).
You must select at least one client port and one server port. After you select a port for client, a check mark is displayed on the port icon, and a tab for the port is added below the graphic. Use the tabs to toggle the Capture Packets and Subnet settings controls for each port.
Capture Packets
Capture Packets Optional. Set packet capture options if you want to capture the traffic of this port. You can capture all packets or specify a number. You can set packet capture filters for host IP/port and protocol.
Note: The system allocates temporary disk space for packet captures. The limit is 6,000,000 packets. The packets are saved to a temporary file that you can download from the running test case page. The filename indicates whether it is client or server communication and the interface port number, for example, client_port1.pcap. When a subsequent test case with packet capture enabled uses the same interface port as a previous one, the previous file is overwritten.
MAC Masquerade
MAC Masquerade Specify the first two bytes of a MAC address for the traffic.
Virtual Router
IP Address Specify the IP address of the virtual router. This IP address is used to connect to a DUT, so it must be in the same subnet as the connected port of the DUT. Make sure the corresponding routing rules are set on the DUT so that the DUT correctly forwards traffic to the virtual router. Only a single IP address in the format xxx.xxx.xxx.xxx is accepted here.
Subnet
Subnet IP Address or Range Specify a single IP address in standard format (for example, 10.1.2.1) or an address range such as 10.1.2.1-10.1.2.99.
Netmask Specify a netmask between 1 and 31.
VLAN ID Specify a VLAN ID between 1 and 4095.
Gateway NAT mode only. Specify the gateway IP address.
Peer Network NAT mode only. Specify the peer network subnet address.
Proxy IP/Mask Web Proxy mode only. Specify the proxy IP address/netmask.
Add Subnet If necessary, click +Add Subnet to display additional subnet configuration controls. An interface port can have multiple subnets. FortiTester uses all IP addresses in the specified subnets to create TCP connections and transfer data.
Load
Simulated Users Number of users to simulate.
Standalone mode: The default is 256. The valid range is from 1 to 900.
Test Center mode: The default is 512, and the valid range is from 1 to 1,800, for example, for an environment with two FortiTester appliances.
Concurrent Connections Number of concurrent connections.
Standalone mode: The default is 200,000. The valid range is 5,000 to 200,000.
Test Center mode: The default is 400,000, and the valid range is 5,000 to 400,000, for example, for an environment with two FortiTester appliances.
Concurrent Close Number of connections to close at any given time. To keep the DUT from losing packets, connections are closed batch by batch.
Standalone mode: The default is 256, and the valid range is 1 to 10,000.
Test Center mode: The default is 512, and the valid range is 1 to 10,000.
Speed Limit Rate of requests per second. The default is 0, which means the device will send traffic as fast as possible.
Standalone mode: The valid range is 100 to 1,600,000 requests per second (or the special value 0).
Test Center mode: The valid range is 100 to 3,200,000, for example, for an environment with two FortiTester appliances.
Think Time The time in seconds that a simulated user waits between HTTP requests. The default is 5 seconds.
Network
Network MTU Maximum Transmission Unit for a data packet. FortiTester does not send out data packets larger than this value. Most DUTs have a limit for packet size. The default is 1500. The valid range is from 1,280 to 9,000.
Profile (Client)
Source Port Range Preset to 10000-65535. Not configurable.
Client Port Mode Select the connection close method: 3Way_Fin or Reset.
IP Change Algorithm / Port Change Algorithm Determines how the system changes source/destination IP addresses and ports to simulate multiple client requests. Preset to Random. Not configurable. The Random option selects an IP address or port in the range randomly.
Request Header Preset to UserAgent: Firefox/41.0. Click the Add Header button to specify more headers.
Piggybacking Default enabled.
Quiet Shutdown Enable to apply safe shutdown procedure to SSL connections by sending SSL alert to the peer.
Allowed SSL Versions Supported SSL versions: SSLv3, TLSv1.0, TLSv1.1 and TLSv1.2. The default is TLSv1.2.
SSL Ciphers Select one or more SSL ciphers from the list.
Profile (Server)
Server Port Preset to 80, 443. Not configurable.
Server Certificate Length of SSL key for encryption/decryption. The default is 1024. The valid range is from 1024 to 2048.
Response Header Preset to Server: nginx/1.9.5 Content-Type:text/html. Click the Add Header button to specify more headers.
Piggybacking Default enabled.
Action
Get page Select the file that the simulated clients access. The default is “index.html” with 4 bytes. Optionally, you can upload a customized HTML file. The file size limit is 10 MB.
Post page Select the file that simulated servers send. The default is "index.php" with 4 bytes. You can edit the post parameters. The file size limit is 10 MB.
Starting an HTTPS throughput test
The HTTPS Throughput test is the same as the HTTP Throughput test, except that it uses HTTPS traffic and the MTU is editable.
To start an HTTPS Throughput test:
1. Go to Cases > HTTPS > Throughput to display the test case summary page.
2. Click Add to display the Case Options dialog box.
3. In the popup dialog, configure the network settings as described in "Using network configuration templates" on page 16.
4. Click OK to continue.
5. Configure the test case options as described in Table 10.
6. Click Start to run the test case.
FortiTester saves the configuration automatically so you can run the test again later. You can also click Save to save the test case without running it.
Tip: You can also copy an existing case and change its settings to create a new case. In the case list, click Clone to clone the configuration. Only the case name is different from the original case.
Table 10: HTTPS Throughput Test Case configuration
Settings Guidelines
Basic Information
Name Specify the case name, or just use the default. The name appears in the list of test cases.
Ping Server Timeout If a FortiTester connects to a DUT via a switch, the switch might cause a ping timeout, resulting in the test case failing to run. If this occurs, increase the timeout. The default is 15 seconds. The valid range is 0 to 600. Note: You can disable this end-to-end connectivity test by entering a setting of 0. If the DUT is unable to return packets, it is recommended you do so.
Duration Specify the test duration. The default is 10 minutes. The test stops automatically after the duration you specify.
Number of Samples Select the number of samples. The default is 20, which means the web UI shows the last 20 samples (about 20 seconds) on the test case running page. You can select 20, 60, or 120.
Network Settings
Client Ports, Server Ports The graphic depicts the test ports for client-side and server-side connections. The client ports simulate the behavior of clients; the server ports simulate the behavior of servers. FortiTester builds the TCP connections between client ports and server ports (and through the DUT, of course).
You must select at least one client port and one server port. After you select a port for client, a check mark is displayed on the port icon, and a tab for the port is added below the graphic. Use the tabs to toggle the Capture Packets and Subnet settings controls for each port.
Capture Packets
Capture Packets Optional. Set packet capture options if you want to capture the traffic of this port. You can capture all packets or specify a number. You can set packet capture filters for host IP/port and protocol.
Note: The system allocates temporary disk space for packet captures. The limit is 6,000,000 packets. The packets are saved to a temporary file that you can download from the running test case page. The filename indicates whether it is client or server communication and the interface port number, for example, client_port1.pcap. When a subsequent test case with packet capture enabled uses the same interface port as a previous one, the previous file is overwritten.
MAC Masquerade
MAC Masquerade Specify the first two bytes of a MAC address for the traffic.
Virtual Router
IP Address Specify the IP address of the virtual router. This IP address is used to connect to a DUT, so it must be in the same subnet as the connected port of the DUT. Make sure the corresponding routing rules are set on the DUT so that the DUT correctly forwards traffic to the virtual router. Only a single IP address in the format xxx.xxx.xxx.xxx is accepted here.
Subnet
Subnet IP Address or Range Specify a single IP address in standard format (for example, 10.1.2.1) or an address range such as 10.1.2.1-10.1.2.99.
Netmask Specify a netmask between 1 and 31.
VLAN ID Specify a VLAN ID between 1 and 4095.
Gateway NAT mode only. Specify the gateway IP address.
Peer Network NAT mode only. Specify the peer network subnet address.
Proxy IP/Mask Web Proxy mode only. Specify the proxy IP address/netmask.
Add Subnet If necessary, click +Add Subnet to display additional subnet configuration controls. An interface port can have multiple subnets. FortiTester uses all IP addresses in the specified subnets to create TCP connections and transfer data.
Load
Simulated Users Number of users to simulate.
Standalone mode: The default is 256. The valid range is from 1 to 900.
Test Center mode: The default is 512, and the valid range is from 1 to 1,800, for example, for an environment with two FortiTester appliances.
Speed Limit Rate of requests per second. The default is 0, which means the device will send traffic as fast as possible.
Standalone mode: The valid range is 100 to 1,600,000 requests per second (or the special value 0).
Test Center mode: The valid range is 100 to 3,200,000, for example, for an environment with two FortiTester appliances.
Ramp Up Seconds Time (in seconds) for traffic to ramp up when you start the test.
Ramp Down Seconds Time (in seconds) for traffic to ramp down when you stop the test.
Network
Network MTU Maximum Transmission Unit for a data packet. FortiTester does not send out data packets larger than this value. Most DUTs have a limit for packet size. The default is 1500. The valid range is from 1,280 to 9,000.
Profile (Client)
Source Port Range Preset to 10000-65535. Not configurable.
Client Port Mode Select the connection close method: 3Way_Fin or Reset.
IP Change Algorithm / Port Change Algorithm Determines how the system changes source/destination IP addresses and ports to simulate multiple client requests. Preset to Random. Not configurable. The Random option selects an IP address or port in the range randomly.
Request Header Preset to UserAgent: Firefox/41.0. Click the Add Header button to specify more headers.
Piggybacking Default enabled.
Quiet Shutdown Enable to apply safe shutdown procedure to SSL connections by sending SSL alert to the peer.
Allowed SSL Versions Supported SSL versions: SSLv3, TLSv1.0, TLSv1.1 and TLSv1.2. The default is TLSv1.2.
SSL Ciphers Select one or more SSL ciphers from the list.
Profile (Server)
Server Port Preset to 80, 443. Not configurable.
Server Certificate Length of SSL key for encryption/decryption. The default is 1024. The valid range is from 1024 to 2048.
Response Header Preset to Server: nginx/1.9.5 Content-Type:text/html. Click the Add Header button to specify more headers.
Piggybacking Default enabled.
Action
Get page Select the file that the simulated clients access. The default is “index.html” with 4 bytes. Optionally, you can upload a customized HTML file. The file size limit is 10 MB.
Post page Select the file that simulated servers send. The default is "index.php" with 4 bytes. You can edit the post parameters. The file size limit is 10 MB.
Starting an IPsec remote access test
FortiTester tests IPSec remote access by establishing a remote access IPSec tunnel, completing a full HTTP transaction (TCP connection, HTTP request, HTTP response, and TCP connection close) through the tunnel, and then terminating the tunnel.
To start a remote access test:
1. Go to Cases > IPSec > Remote Access to display the test case summary page.
2. Click Add to display the Case Options dialog box.
3. In the pop-up dialog, configure the network settings as described in "Using network configuration templates" on page 16.
4. Click OK to continue.
5. Configure the test case options described in Table 11.
6. Click Start to run the test case.
FortiTester saves the configuration automatically so you can run the test again later. You can also click Save to save the test case without running it.
Below is a sample FortiGate IPsec configuration for the VPN gateway. FortiTester uses Fortitester as its ID; however, in this configuration the VPN gateway uses IKE version 1 Aggressive mode and is configured to accept any peer ID. The VPN gateway IP is configured as a secondary IP address, and this is used as the local gateway in the phase 1 config.
config system interface
    edit "port33"
        set ip 1.0.0.254 255.255.0.0
        set allowaccess ping
        set secondary-IP enable
        config secondaryip
            edit 1
                set ip 1.0.0.253 255.255.0.0
                set allowaccess ping
            next
        end
    next
end
config system interface
    edit "port35"
        set ip 2.0.0.254 255.255.0.0
        set allowaccess ping
    next
end
config vpn ipsec phase1-interface
    edit "tester"
        set type dynamic
        set interface "port33"
        set ike-version 2
        set local-gw 1.0.0.253
        set peertype any
        set psksecret fortinet
    next
end
config vpn ipsec phase2-interface
    edit "tester"
        set phase1name "tester"
    next
end
config firewall policy
    edit 1
        set srcintf "any"
        set dstintf "any"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set logtraffic disable
    next
end
Tip: You can also copy an existing case and change its settings to create a new case. In the case list, click Clone to clone the configuration. Only the case name is different from the original case.
Table 11: IPSec Remote Access Test Case configuration
Settings Guidelines
Basic Information
Name Specify the case name, or just use the default. The name appears in the list of test cases.
Ping Server Timeout If a FortiTester connects to a DUT via a switch, the switch might cause a ping timeout, resulting in the test case failing to run. If this occurs, increase the timeout. The default is 15 seconds. The valid range is 0 to 600. Note: You can disable this end-to-end connectivity test by entering a setting of 0. If the DUT is unable to return packets, it is recommended you do so.
Duration Specify the test duration. The default is 10 minutes. The test stops automatically after the duration you specify.
Number of Samples Select the number of samples. The default is 20, which means the web UI shows the last 20 samples (about 20 seconds) on the test case running page. You can select 20, 60, or 120.
Network Settings
Client Ports, Server Ports The graphic depicts the test ports for client-side and server-side connections. The client ports simulate the behavior of clients; the server ports simulate the behavior of servers. FortiTester builds the TCP connections between client ports and server ports (and through the DUT, of course).
You must select at least one client port and one server port. After you select a port for client, a check mark is displayed on the port icon, and a tab for the port is added below the graphic. Use the tabs to toggle the Capture Packets and Subnet settings controls for each port.
Capture Packets
Capture Packets Optional. Set packet capture options if you want to capture the traffic of this port. You can capture all packets or specify a number. You can set packet capture filters for host IP/port and protocol.
Note: The system allocates temporary disk space for packet captures. The limit is 6,000,000 packets. The packets are saved to a temporary file that you can download from the running test case page. The filename indicates whether it is client or server communication and the interface port number, for example, client_port1.pcap. When a subsequent test case with packet capture enabled uses the same interface port as a previous one, the previous file is overwritten.
MAC Masquerade
MAC Masquerade Specify the first two bytes of a MAC address for the traffic.
Subnet
Subnet IP Address or Range Specify a single IP address in standard format (for example, 10.1.2.1) or an address range such as 10.1.2.1-10.1.2.99.
Netmask Specify a netmask between 1 and 31.
Peer Network NAT mode only. Specify the peer network subnet address.
VPN Gateway NAT mode only. Specify the gateway IP address.
Add Subnet If necessary, click +Add Subnet to display additional subnet configuration controls. An interface port can have multiple subnets. FortiTester uses all IP addresses in the specified subnets to create TCP connections and transfer data.
Load
Simulated Users Number of users to simulate.
Standalone mode: The default is 256. The valid range is from 1 to 1024.
Test Center mode: The default is 512, and the valid range is from 1 to 2048, for example, for an environment with two FortiTester appliances.
Speed Limit Applies only when DDoS type is TCP Session Flood or HTTP Session Flood. Rate of new connections per second. The default is 0, which means the device will create connections as fast as possible.
Standalone mode: The valid range is from 1 to 1000 connections per second (or the special value 0).
Test Center mode: The valid range is from 2 to 2000, for example, for an environment with two FortiTester appliances.
IKE Version Select either 1 or 2 for the version.
Authentication Method Select either PSK (Pre-shared Key) or Signature. If using a Signature you will need to import a client and server certificate.
Pre-shared Key This field is required.
Network
Network MTU Maximum Transmission Unit for a data packet. FortiTester does not send out data packets larger than this value. Most DUTs have a limitation for packet size. The default is 1500. The valid range is 1,280 to 9,000.
Profile (Client)
Source Port Range Specify a client port range. The valid range is 10,000 to 65,535, which is also the default.
IP Change Algorithm / Port Change Algorithm Select a change algorithm: Increment or Random. This setting determines how the system changes source/destination IP addresses and ports to simulate multiple client requests. The Increment option uses the next IP address or port in the range, for example: 10.11.12.1 -> 10.11.12.2; port 10000 -> 10001. The Random option selects an IP address or port in the range randomly.
Profile (Server)
Server Port Preset to 80. Not configurable.
Action
Request Page Select either System (pages with fixed file name and content) or Custom (user-uploaded pages).
Starting an IPsec remote access CC test
FortiTester tests IPSec remote access tunnel concurrent connections (CC) by establishing a remote access IPSec tunnel, completing a full HTTP transaction (TCP connection, HTTP request, HTTP response, and TCP connection close) through the tunnel, and then terminating the tunnel.
To start a remote access CC test:
1. Go to Cases > IPSec > Remote Access CC to display the test case summary page.
2. Click Add to display the Case Options dialog box.
3. In the pop-up dialog, configure the network settings as described in "Using network configuration templates" on page 16.
4. Click OK to continue.
5. Configure the test case options described in Table 12.
6. Click Start to run the test case.
FortiTester saves the configuration automatically so you can run the test again later. You can also click Save to save the test case without running it.
Below is a sample FortiGate IPsec configuration for the VPN gateway. FortiTester uses Fortitester as its ID; however, in this configuration the VPN gateway uses IKE version 1 Aggressive mode and is configured to accept any peer ID. The VPN gateway IP is configured as a secondary IP address, and this is used as the local gateway in the phase 1 config.
config system interface
    edit "port33"
        set ip 1.0.0.254 255.255.0.0
        set allowaccess ping
        set secondary-IP enable
        config secondaryip
            edit 1
                set ip 1.0.0.253 255.255.0.0
                set allowaccess ping
            next
        end
    next
end
config system interface
    edit "port35"
        set ip 2.0.0.254 255.255.0.0
        set allowaccess ping
    next
end
config vpn ipsec phase1-interface
    edit "tester"
        set type dynamic
        set interface "port33"
        set ike-version 2
        set local-gw 1.0.0.253
        set peertype any
        set psksecret fortinet
    next
end
config vpn ipsec phase2-interface
    edit "tester"
        set phase1name "tester"
    next
end
config firewall policy
    edit 1
        set srcintf "any"
        set dstintf "any"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set logtraffic disable
    next
end
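The sample gateway configuration shown for both the remote access and remote access CC tests accepts any peer ID, uses the pre-shared key fortinet, and allows all traffic with logging disabled, which suits an isolated test bench only. The Python check below is an added example, not part of the handbook or of any Fortinet tool; it parses such a configuration and flags those settings, and its guessable-key list and 20-character minimum are assumptions of the example.

```python
import shlex

# Excerpt of the handbook's sample VPN gateway configuration (lab settings).
LAB_CONFIG = """
config system interface
    edit "port33"
        set ip 1.0.0.254 255.255.0.0
        set allowaccess ping
        set secondary-IP enable
        config secondaryip
            edit 1
                set ip 1.0.0.253 255.255.0.0
                set allowaccess ping
            next
        end
    next
end
config vpn ipsec phase1-interface
    edit "tester"
        set type dynamic
        set interface "port33"
        set ike-version 2
        set local-gw 1.0.0.253
        set peertype any
        set psksecret fortinet
    next
end
config firewall policy
    edit 1
        set srcintf "any"
        set dstintf "any"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set logtraffic disable
    next
end
"""

# Assumptions of this example (hypothetical thresholds), not FortiOS rules.
GUESSABLE_PSKS = {"fortinet", "fortitester", "password", "changeme"}
MIN_PSK_LEN = 20


def parse_fortios(text):
    """Parse config/edit/set/next/end lines into nested dicts (one statement per line)."""
    root = {}
    stack = [root]  # stack[-1] is the innermost open block
    for lineno, raw in enumerate(text.splitlines(), 1):
        tokens = shlex.split(raw)
        if not tokens or tokens[0].startswith("#"):
            continue
        verb, args = tokens[0], tokens[1:]
        if verb == "config" and args:
            stack.append(stack[-1].setdefault(" ".join(args), {}))
        elif verb == "edit" and args:
            stack.append(stack[-1].setdefault(args[0], {}))
        elif verb == "set" and args:
            stack[-1][args[0]] = args[1:]
        elif verb in ("next", "end"):
            if len(stack) == 1:
                raise ValueError(f"line {lineno}: '{verb}' closes nothing")
            stack.pop()
        else:
            raise ValueError(f"line {lineno}: unrecognised statement {raw.strip()!r}")
    if len(stack) != 1:
        raise ValueError("unterminated config/edit block")
    return root


def audit(cfg):
    """Return (location, code) findings for settings that are only safe on a test bench."""
    findings = []
    for name, p1 in cfg.get("vpn ipsec phase1-interface", {}).items():
        if p1.get("peertype") == ["any"]:
            findings.append((f"phase1 {name}", "PEER_ID_NOT_CHECKED"))
        psk = (p1.get("psksecret") or [""])[0]
        if psk and (psk.lower() in GUESSABLE_PSKS or len(psk) < MIN_PSK_LEN):
            findings.append((f"phase1 {name}", "WEAK_PSK"))
    for pid, pol in cfg.get("firewall policy", {}).items():
        if pol.get("action") != ["accept"]:
            continue
        open_fields = {"srcintf": "any", "dstintf": "any", "srcaddr": "all",
                       "dstaddr": "all", "service": "ALL"}
        if all(pol.get(k) == [v] for k, v in open_fields.items()):
            findings.append((f"policy {pid}", "ANY_TO_ANY_ACCEPT"))
        if pol.get("logtraffic") == ["disable"]:
            findings.append((f"policy {pid}", "LOGGING_DISABLED"))
    return findings


if __name__ == "__main__":
    for location, code in audit(parse_fortios(LAB_CONFIG)):
        print(f"{location}: {code}")
```

Run it against an exported configuration before a bench gateway is reused elsewhere; an empty result means none of the four lab-only settings were found.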
Tip: You can also copy an existing case and change its settings to create a new case. In the case list, click Clone to clone the configuration. Only the case name is different from the original case.
Table 12: IPSec Remote Access Test Case configuration
Settings Guidelines
Basic Information
Name Specify the case name, or just use the default. The name appears in the list of test cases.
Ping Server Timeout If a FortiTester connects to a DUT via a switch, the switch might cause a ping timeout, resulting in the test case failing to run. If this occurs, increase the timeout. The default is 15 seconds. The valid range is 0 to 600. Note: You can disable this end-to-end connectivity test by entering a setting of 0. If the DUT is unable to return packets, it is recommended you do so.
Duration Specify the test duration. The default is 10 minutes. The test stops automatically after the duration you specify.
Number of Samples Select the number of samples. The default is 20, which means the web UI shows the last 20 samples (about 20 seconds) on the test case running page. You can select 20, 60, or 120.
Network Settings
Client Ports, Server Ports The graphic depicts the test ports for client-side and server-side connections. The client ports simulate the behavior of clients; the server ports simulate the behavior of servers. FortiTester builds the TCP connections between client ports and server ports (and through the DUT, of course).
You must select at least one client port and one server port. After you select a port for client, a check mark is displayed on the port icon, and a tab for the port is added below the graphic. Use the tabs to toggle the Capture Packets and Subnet settings controls for each port.
Capture Packets
Capture Packets Optional. Set packet capture options if you want to capture the traffic of this port. You can capture all packets or specify a number. You can set packet capture filters for host IP/port and protocol.
Note: The system allocates temporary disk space for packet captures. The limit is 6,000,000 packets. The packets are saved to a temporary file that you can download from the running test case page. The filename indicates whether it is client or server communication and the interface port number, for example, client_port1.pcap. When a subsequent test case with packet capture enabled uses the same interface port as a previous one, the previous file is overwritten.
MAC Masquerade
MAC Masquerade Specify the first two bytes of a MAC address for the traffic.
Subnet
Subnet IP Address or Range Specify a single IP address in standard format (for example, 10.1.2.1) or an address range such as 10.1.2.1-10.1.2.99.
Netmask Specify a netmask between 1 and 31.
Peer Network NAT mode only. Specify the peer network subnet address.
VPN Gateway NAT mode only. Specify the gateway IP address.
Add Subnet If necessary, click +Add Subnet to display additional subnet configuration controls. An interface port can have multiple subnets. FortiTester uses all IP addresses in the specified subnets to create TCP connections and transfer data.
Load
Tunnel Concurrent Connections Number of tunnel concurrent connections.
Speed Limit Applies only when DDoS type is TCP Session Flood or HTTP Session Flood. Rate of new connections per second. The default is 0, which means the device will create connections as fast as possible.
Standalone mode: The valid range is from 1,000 to 20,000 connections per second (or the special value 0).
Test Center mode: The valid range is from 1,000 to 20,000, for example, for an environment with two FortiTester appliances.
IKE Version Select either 1 or 2 for the version.
Authentication Method Select either PSK (Pre-shared Key) or Signature. If using a Signature you will need to import a client and server certificate.
Pre-shared Key This field is required.
Network
Network MTU Maximum Transmission Unit for a data packet. FortiTester does not send out data packets larger than this value. Most DUTs have a limitation for packet size. The default is 1500. The valid range is 1,280 to 9,000.
Profile (Client)
Source Port Range Specify a client port range. The valid range is 10,000 to 65,535, which is also the default.
IP Change Algorithm / Port Change Algorithm Select a change algorithm: Increment or Random. This setting determines how the system changes source/destination IP addresses and ports to simulate multiple client requests. The Increment option uses the next IP address or port in the range, for example: 10.11.12.1 -> 10.11.12.2; port 10000 -> 10001. The Random option selects an IP address or port in the range randomly.
Profile (Server)
Server Port Preset to 80. Not configurable.
Action
Request Page Select either System (pages with fixed file name and content) or Custom (user-uploaded pages).
Starting a UDP PPS test
FortiTester tests UDP throughput by sending a specified size of UDP frames at a maximum or limited speed from simulated clients to simulated servers.
To start a UDP PPS test:
1. Go to Cases > UDP > PPS to display the test case summary page.
2. Click Add to display the Case Options dialog box.
3. In the popup dialog, configure the network settings as described in "Using network configuration templates" on page 16.
4. Click OK to continue.
5. Configure the test case options described in Table 13.
6. Click Start to run the test case.
FortiTester saves the configuration automatically so you can run the test again later. You can also click Save to save the test case without running it.
Tip: You can also copy an existing case, and change its settings to create a new case.In the case list, clickClone to clone the configuration. Only the case name is differentfrom the original case.
Table 13: UDP PPS Test Case configuration
Settings Guidelines
Basic Information
Name Specify the case name, or just use the default. The name appears in the list of test cases.
Ping Server Timeout If a FortiTester connects to a DUT via a switch, the switch might cause a ping timeout, resulting in the test case failing to run. If this occurs, increase the timeout. The default is 15 seconds. The valid range is 0 to 600. Note: You can disable this end-to-end connectivity test by entering a setting of 0. If the DUT is unable to return packets, it is recommended you do so.
Duration Specify the test duration. The default is 10 minutes. The test stops automatically after the duration you specify.
Number of Samples Select the number of samples. The default is 20, which means the web UI will show the last 20 sample data (about 20 seconds) in the test case running page. You can select 20, 60, or 120.
Network Settings
Client Ports, Server Ports The graphic depicts the test ports for client-side and server-side connections. The client ports simulate the behavior of clients; the server ports simulate the behavior of servers. FortiTester builds the TCP connections between client ports and server ports (and through the DUT, of course).
You must select at least one client port and one server port. After you select a port for client, a (check mark) is displayed on the port icon, and a tab for the port is added below the graphic. Use the tabs to toggle the Capture Packets and Subnet settings controls for each port.
Capture Packets
Capture Packets Optional. Set packet capture options if you want to capture the traffic of this port. You can capture all packets or specify a number. You can set packet capture filters for host IP/port and protocol.
Note: The system allocates temporary disk space for packet captures. The limit is 6,000,000 packets. The packets are saved to a temporary file that you can download from the running test case page. The filename indicates whether it is client or server communication and the interface port number. For example, client_port1.pcap. When a subsequent test case with packet capture enabled uses the same interface port as a previous one, the previous file is overwritten.
MAC Masquerade
MAC Masquerade Specify the first two bytes of a MAC address for the traffic.
Virtual Router
IP Address Specify the IP address of the virtual router. This IP address is used to connect to a DUT, therefore it must be in the same subnet as the connected port of the DUT. Please make sure the corresponding routing rules are set on the DUT, so that the DUT correctly forwards traffic to the virtual router. Only a single IP address in format xxx.xxx.xxx.xxx is accepted here.
Subnet
Subnet IP Address or Range Specify a single IP address with standard format (for example, 10.1.2.1) or an address range like 10.1.2.1-10.1.2.99.
Netmask Specify a netmask between 1 and 31.
VLAN ID Specify a VLAN ID between 1 and 4095.
Gateway NAT mode only. Specify the gateway IP address.
Peer Network NAT mode only. Specify the peer network subnet address.
Add Subnet If necessary, click +Add Subnet to display additional subnet configuration controls. An interface port can have multiple subnets. FortiTester uses all IP addresses in the specified subnets to create UDP connections and transfer data.
Load
Simulated Users Number of users to simulate.
Standalone mode: The default is 256. The valid range is from 1 to 512.
Test Center mode: The default is 512, and the valid range is from 1 to 1024, for example, for an environment with two FortiTester appliances.
UDP Package Size The default is 64 bytes. The valid range is 64 to 1518.
Bandwidth Limit The default is 0, which means the maximum possible. The unit is Mbps.
Standalone mode: The valid range is 10 to 20,000 (or the special value 0).
Test Center mode: The valid range is 10 to 40,000, for example, for an environment with two FortiTester appliances.
Ramp Up Seconds Time in seconds for traffic to ramp up when you start the test.
Ramp Down Seconds Time in seconds for traffic to ramp down when you stop the test.
Dual Traffic Mode When disabled (and also by default), traffic will only be sent out from the client side to the server side; but when enabled, traffic will also be sent out from the server side to the client side. Enable to generate bidirectional UDP traffic between client and server sides. Each side generates and receives UDP packets.
Network
MTU Preset to 1500. Not configurable.
Profile (Client)
Source Port Range Specify a client port range. The valid range is 10,000 to 65,535, which is also the default.
IP Change Algorithm / Port Change Algorithm Determines how the system changes source/destination IP addresses and ports to simulate multiple client requests. Preset to Increment. Not configurable. The Increment option uses the next IP address or port in the range, for example: 10.11.12.1 -> 10.11.12.2; port 10000 -> 10001.
IP Option DSCP Provide quality of service (QoS)
Profile (Server)
Server Port The default is 6,001. The valid range is from 0 to 65,535.
IP Option DSCP Provide quality of service (QoS)
Starting a UDP Payload test
FortiTester tests UDP payload by sending UDP frames with the specified payload from the client ports to the server ports.
To start a UDP payload test:
1. Go to Cases > UDP > Payload to display the test case summary page.
2. Click Add to display the Case Options dialog box.
3. In the popup dialog, configure the network settings as described in "Using network configuration templates" on page 16.
4. Click OK to continue.
5. Configure the test case options described in Table 14.
6. Click Start to run the test case.
FortiTester saves the configuration automatically so you can run the test again later. You can also click Save to save the test case without running it.
Tip: You can also copy an existing case, and change its settings to create a new case. In the case list, click Clone to clone the configuration. Only the case name is different from the original case.
Table 14: UDP Payload Test Case configuration
Settings Guidelines
Basic Information
Name Specify the case name, or just use the default. The name appears in the list of test cases.
Ping Server Timeout If a FortiTester connects to a DUT via a switch, the switch might cause a ping timeout, resulting in the test case failing to run. If this occurs, increase the timeout. The default is 15 seconds. The valid range is 0 to 600. Note: You can disable this end-to-end connectivity test by entering a setting of 0. If the DUT is unable to return packets, it is recommended you do so.
Duration Specify the test duration. The default is 10 minutes. The test stops automatically after the duration you specify.
Number of Samples Select the number of samples. The default is 20, which means the web UI will show the last 20 sample data (about 20 seconds) in the test case running page. You can select 20, 60, or 120.
Network Settings
Client Ports, Server Ports The graphic depicts the test ports for client-side and server-side connections. The client ports simulate the behavior of clients; the server ports simulate the behavior of servers. FortiTester builds the TCP connections between client ports and server ports (and through the DUT, of course).
You must select at least one client port and one server port. After you select a port for client, a (check mark) is displayed on the port icon, and a tab for the port is added below the graphic. Use the tabs to toggle the Capture Packets and Subnet settings controls for each port.
Capture Packets
Capture Packets Optional. Set packet capture options if you want to capture the traffic of this port. You can capture all packets or specify a number. You can set packet capture filters for host IP/port and protocol.
Note: The system allocates temporary disk space for packet captures. The limit is 6,000,000 packets. The packets are saved to a temporary file that you can download from the running test case page. The filename indicates whether it is client or server communication and the interface port number. For example, client_port1.pcap. When a subsequent test case with packet capture enabled uses the same interface port as a previous one, the previous file is overwritten.
MAC Masquerade
MAC Masquerade Specify the first two bytes of a MAC address for the traffic.
Virtual Router
IP Address Specify the IP address of the virtual router. This IP address is used to connect to a DUT, therefore it must be in the same subnet as the connected port of the DUT. Please make sure the corresponding routing rules are set on the DUT, so that the DUT correctly forwards traffic to the virtual router. Only a single IP address in format xxx.xxx.xxx.xxx is accepted here.
Subnet
Subnet IP Address or Range Specify a single IP address with standard format (for example, 10.1.2.1) or an address range like 10.1.2.1-10.1.2.99.
Netmask Specify a netmask between 1 and 31.
VLAN ID Specify a VLAN ID between 1 and 4095.
Gateway NAT mode only. Specify the gateway IP address.
Peer Network NAT mode only. Specify the peer network subnet address.
Add Subnet If necessary, click +Add Subnet to display additional subnet configuration controls. An interface port can have multiple subnets. FortiTester uses all IP addresses in the specified subnets to create UDP connections and transfer data.
Load
Payload Use the plain text predefined format to specify the payload.
Simulated Users Number of users to simulate.
Standalone mode: The default is 256. The valid range is from 1 to 512.
Test Center mode: The default is 512, and the valid range is from 1 to 1024, for example, for an environment with two FortiTester appliances.
Bandwidth Limit The default is 0, which means the maximum possible. The unit is Mbps.
Standalone mode: The valid range is 10 to 20,000 (or the special value 0).
Test Center mode: The valid range is 10 to 40,000, for example, for an environment with two FortiTester appliances.
Ramp Up Seconds Time in seconds for traffic to ramp up when you start the test.
Ramp Down Seconds Time in seconds for traffic to ramp down when you stop the test.
Network
MTU Preset to 1500. Not configurable.
Profile (Client)
Source Port Range Specify a client port range. The valid range is 10,000 to 65,535, which is also the default.
IP Change Algorithm / Port Change Algorithm Determines how the system changes source/destination IP addresses and ports to simulate multiple client requests. Preset to Increment. Not configurable. The Increment option uses the next IP address or port in the range, for example: 10.11.12.1 -> 10.11.12.2; port 10000 -> 10001.
IP Option DSCP Provide quality of service (QoS)
Profile (Server)
Server Port The default is 514. The valid range is 0 to 65,535.
IP Option DSCP Provide quality of service (QoS)
Starting an RFC 2544 base value test
Before starting an RFC 2544 test, determine the performance and limitations for your specific network topology and use this information to begin testing.
To start an RFC 2544 base value test:
1. Go to Cases > RFC 2544 > Base Value to display the test case summary page.
2. Click Add to display the Case Options dialog box.
3. In the pop-up dialog, configure the network settings as described in "Using network configuration templates" on page 16.
4. Click OK to continue.
5. Configure the test case options described in Table 15.
6. Click Start to run the test case.
FortiTester saves the configuration automatically so you can run the test again later. You can also click Save to save the test case without running it.
Tip: You can also copy an existing case, and change its settings to create a new case. In the case list, click Clone to clone the configuration. Only the case name is different from the original case.
Table 15: RFC 2544 Base Value Test Case configuration
Settings Guidelines
Basic Information
Name Specify the case name, or just use the default. The name appears in the list of test cases.
Ping Server Timeout If a FortiTester connects to a DUT via a switch, the switch might cause a ping timeout, resulting in the test case failing to run. If this occurs, increase the timeout. The default is 15 seconds. The valid range is 0 to 600. Note: You can disable this end-to-end connectivity test by entering a setting of 0. If the DUT is unable to return packets, it is recommended you do so.
Network Settings
Client Ports, Server Ports The graphic depicts the test ports for client-side and server-side connections. The client ports simulate the behavior of clients; the server ports simulate the behavior of servers. FortiTester builds the TCP connections between client ports and server ports (and through the DUT, of course).
You must select at least one client port and one server port. After you select a port for client, a (check mark) is displayed on the port icon, and a tab for the port is added below the graphic. Use the tabs to toggle the Capture Packets and Subnet settings controls for each port.
Capture Packets
Capture Packets Optional. Set packet capture options if you want to capture the traffic of this port. You can capture all packets or specify a number. You can set packet capture filters for host IP/port and protocol.
Note: The system allocates temporary disk space for packet captures. The limit is 6,000,000 packets. The packets are saved to a temporary file that you can download from the running test case page. The filename indicates whether it is client or server communication and the interface port number. For example, client_port1.pcap. When a subsequent test case with packet capture enabled uses the same interface port as a previous one, the previous file is overwritten.
MAC Masquerade
MAC Masquerade Specify the first two bytes of a MAC address for the traffic.
Subnet
Subnet IP Address or Range Specify a single IP address with standard format (for example, 10.1.2.1) or an address range like 10.1.2.1-10.1.2.99.
Netmask Specify a netmask between 1 and 31.
VLAN ID Specify a VLAN ID between 1 and 4095.
Load
Simulated Users Number of users to simulate.
Standalone mode: The default is 256. The valid range is from 1 to 1024.
Test Center mode: The default is 512, and the valid range is from 1 to 2048, for example, for an environment with two FortiTester appliances.
Latency Adds a little traffic from server to client for packet latency counting in Unidirectional mode.
Traffic Direction Specify the direction of traffic flow
Frame Size Unit: bytes
Traffic Cycle Second Traffic burst duration in seconds for each frame size. (minimum of 10)
Traffic Stop Wait Second Wait time for packet transmitting in seconds after traffic stop. (range: 2 - 300)
Maximum Traffic Cycle Maximum traffic cycle for each frame size. (minimum 1)
Maximum Send Speed Range: 0 - 10000 (unit: Mbps). 0 means the throughput speed is copied from the Base Value case.
Network
Network MTU Maximum Transmission Unit for a data packet. FortiTester does not send out data packets larger than this value. Most DUTs have a limitation for packet size. The default is 1500. The valid range is 1,280 to 9,000.
Profile (Client)
Source Port Range Specify a client port range. The valid range is 10,000 to 65,535, which is also the default.
IP Change Algorithm / Port Change Algorithm Select a change algorithm: Increment or Random. This setting determines how the system changes source/destination IP addresses and ports to simulate multiple client requests. The Increment option uses the next IP address or port in the range, for example: 10.11.12.1 -> 10.11.12.2; port 10000 -> 10001. The Random option selects an IP address or port in the range randomly.
IP Option DSCP Provide quality of service (QoS)
Profile (Server)
Server Port Preset to 80. Not configurable.
IP Option DSCP Provide quality of service (QoS)
Starting an RFC 2544 throughput test
FortiTester tests the ability of the DUT to handle different types of RFC 2544 throughput. According to RFC 2544, throughput is the fastest rate at which the number of test frames transmitted by the DUT equals the number of test frames sent to it by the test equipment.
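The RFC 2544 throughput definition above, worked through as an added example (not FortiTester's code or its search algorithm): a binary search for the highest zero-loss frame rate, run for each frame size against a constructed, simulated DUT. SimulatedDut, its limits, and the trial length, trial cap and resolution parameters are assumptions made for the illustration.

```python
"""RFC 2544 throughput search against a simulated DUT (constructed example)."""
from dataclasses import dataclass

# Per-frame wire overhead on Ethernet: 7-byte preamble + 1-byte SFD + 12-byte gap.
WIRE_OVERHEAD_BYTES = 20
# Ethernet frame sizes RFC 2544 recommends testing.
RFC2544_FRAME_SIZES = (64, 128, 256, 512, 1024, 1280, 1518)


def line_rate_fps(link_mbps: float, frame_size: int) -> float:
    """Maximum frames per second a link can carry for one frame size."""
    return link_mbps * 1_000_000 / ((frame_size + WIRE_OVERHEAD_BYTES) * 8)


@dataclass
class SimulatedDut:
    """Constructed stand-in for a device under test (an assumption, not a real
    device model): limited in frames per second and in bits per second."""
    max_fps: float
    max_mbps: float

    def run_trial(self, offered_fps: float, frame_size: int, seconds: int):
        """Offer traffic for `seconds`; return (frames_sent, frames_forwarded)."""
        sent = int(offered_fps * seconds)
        bit_limited_fps = self.max_mbps * 1_000_000 / (frame_size * 8)
        capacity = int(min(self.max_fps, bit_limited_fps) * seconds)
        return sent, min(sent, capacity)


def find_throughput(dut, link_mbps, frame_size, trial_seconds=10,
                    max_trials=20, resolution=0.001):
    """Highest offered rate (fps) at which the DUT forwards every frame.

    Starts at line rate; on any loss, binary-searches downwards until the
    search window is narrower than `resolution` (a fraction of line rate)
    or `max_trials` is used up.
    """
    ceiling = line_rate_fps(link_mbps, frame_size)
    low, high, best = 0.0, ceiling, 0.0
    rate = ceiling
    for _ in range(max_trials):
        sent, forwarded = dut.run_trial(rate, frame_size, trial_seconds)
        if forwarded == sent:          # zero loss: this rate is sustainable
            best = low = rate
            if rate >= ceiling:
                break                  # line rate passed, nothing higher to try
        else:                          # any loss: rate is above throughput
            high = rate
        if (high - low) / ceiling < resolution:
            break
        rate = (low + high) / 2
    return best


def throughput_report(dut, link_mbps, frame_sizes=RFC2544_FRAME_SIZES):
    """Map frame size -> (throughput in fps, percent of line rate)."""
    report = {}
    for size in frame_sizes:
        fps = find_throughput(dut, link_mbps, size)
        report[size] = (fps, 100 * fps / line_rate_fps(link_mbps, size))
    return report


if __name__ == "__main__":
    # Constructed DUT: 1 Mfps lookup limit, 8 Gbps forwarding limit, 10G link.
    dut = SimulatedDut(max_fps=1_000_000, max_mbps=8_000)
    for size, (fps, pct) in throughput_report(dut, 10_000).items():
        print(f"{size:>5} B  {fps:>12,.0f} fps  {pct:6.2f}% of line rate")
```

Small frames expose the per-packet limit and large frames the bandwidth limit, which is why a single "Gbps" figure says little about a DUT until it is reported per frame size.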
To start a throughput test:
1. Go to Cases > RFC 2544 > Throughput to display the test case summary page.
2. Click Add to display the Case Options dialog box.
3. Select the base value test case results to use for calculating the performance of DUT in this test.
4. In the pop-up dialog, configure DUT Working Mode as TP or NAT. Note: The system automatically populates all the other options with values taken from the selected base value test.
5. Click OK to continue.
6. Configure the test case options described in Table 16.
7. Click Start to run the test case.
FortiTester saves the configuration automatically so you can run the test again later. You can also click Save to save the test case without running it.
Tip: You can also copy an existing case, and change its settings to create a new case. In the case list, click Clone to clone the configuration. Only the case name is different from the original case.
Table 16: RFC 2544 Throughput Test Case configuration
Settings Guidelines
Basic Information
Name Specify the case name, or just use the default. The name appears in the list of test cases.
Ping Server Timeout If a FortiTester connects to a DUT via a switch, the switch might cause a ping timeout, resulting in the test case failing to run. If this occurs, increase the timeout. The default is 15 seconds. The valid range is 0 to 600. Note: You can disable this end-to-end connectivity test by entering a setting of 0. If the DUT is unable to return packets, it is recommended you do so.
Network Settings
Client Ports, Server Ports The graphic depicts the test ports for client-side and server-side connections. The client ports simulate the behavior of clients; the server ports simulate the behavior of servers. FortiTester builds the TCP connections between client ports and server ports (and through the DUT, of course).
You must select at least one client port and one server port. After you select a port for client, a (check mark) is displayed on the port icon, and a tab for the port is added below the graphic. Use the tabs to toggle the Capture Packets and Subnet settings controls for each port.
Capture Packets
Capture Packets Optional. Set packet capture options if you want to capture the traffic of this port. You can capture all packets or specify a number. You can set packet capture filters for host IP/port and protocol.
Note: The system allocates temporary disk space for packet captures. The limit is 6,000,000 packets. The packets are saved to a temporary file that you can download from the running test case page. The filename indicates whether it is client or server communication and the interface port number. For example, client_port1.pcap. When a subsequent test case with packet capture enabled uses the same interface port as a previous one, the previous file is overwritten.
MAC Masquerade
MAC Masquerade Specify the first two bytes of a MAC address for the traffic.
Virtual Router
IP Address Specify the IP address of the virtual router. This IP address is used to connect to a DUT, therefore it must be in the same subnet as the connected port of the DUT. Please make sure the corresponding routing rules are set on the DUT, so that the DUT correctly forwards traffic to the virtual router. Only a single IP address in format xxx.xxx.xxx.xxx is accepted here.
Subnet
Subnet IP Address or Range Specify a single IP address with standard format (for example, 10.1.2.1) or an address range like 10.1.2.1-10.1.2.99.
Netmask Specify a netmask between 1 and 31.
VLAN ID Specify a VLAN ID between 1 and 4095.
Load
Simulated Users Number of users to simulate.
Standalone mode: The default is 256. The valid range is from 1 to 1024.
Test Center mode: The default is 512, and the valid range is from 1 to 2048, for example, for an environment with two FortiTester appliances.
DDoS Type DDoS attack traffic: TCP Session Flood. After you select a type, selection boxes for subtypes are displayed below. To change the percentage mix of subtypes, double-click the pie chart and adjust the percentages.
Speed Limit Applies only when DDoS type is TCP Session Flood or HTTP Session Flood. Rate of new connections per second. The default is 0, which means the device will create connections as fast as possible.
Standalone mode: The valid range is from 1,000 to 20,000 connections per second (or the special value 0).
Test Center mode: The valid range is from 1,000 to 20,000, for example, for an environment with two FortiTester appliances.
Concurrent Connection Applies only when DDoS type is Concurrent Session Flood. Number of concurrent connections.
Standalone mode: The default is 6,000,000. The valid range is from 10,000 to 6,000,000.
Test Center mode: The default is 12,000,000, and the valid range is 10,000 to 12,000,000, for example, for an environment with two FortiTester appliances.
Ramp Up Seconds Time in seconds for traffic to ramp up when you start the test. Not available for Concurrent Session Flood test.
Ramp Down Seconds Time in seconds for traffic to ramp down when you stop the test. Not available for Concurrent Session Flood test.
Network
Network MTU Maximum Transmission Unit for a data packet. FortiTester does not send out data packets larger than this value. Most DUTs have a limitation for packet size. The default is 1500. The valid range is 1,280 to 9,000.
Profile (Client)
Source Port Range Specify a client port range. The valid range is 10,000 to 65,535, which is also the default.
IP Change Algorithm / Port Change Algorithm Select a change algorithm: Increment or Random. This setting determines how the system changes source/destination IP addresses and ports to simulate multiple client requests. The Increment option uses the next IP address or port in the range, for example: 10.11.12.1 -> 10.11.12.2; port 10000 -> 10001. The Random option selects an IP address or port in the range randomly.
Piggybacking Disabled, meaning an acknowledgment is sent in an individual frame. Not configurable.
IP Option DSCP Provide quality of service (QoS)
Profile (Server)
Server Port Preset to 80. Not configurable.
Piggybacking Enabled. Not configurable.
IP Option DSCP Provide quality of service (QoS)
Starting an RFC 2544 latency test
FortiTester tests the ability of the DUT to handle different types of RFC 2544 latency. According to RFC 1242, for store and forward devices, latency is the time interval starting when the last bit of the input frame reaches the input port and ending when the first bit of the output frame is seen on the output port.
To start a latency test:
1. Go to Cases > RFC 2544 > Latency to display the test case summary page.
2. Click Add to display the Case Options dialog box.
3. Select the base value test case results to use for calculating the performance of DUT in this test.
4. In the pop-up dialog, configure DUT Working Mode as TP or NAT. Note: The system automatically populates all the other options with values taken from the selected base value test.
5. Click OK to continue.
6. Configure the test case options described in Table 17.
7. Click Start to run the test case.
FortiTester saves the configuration automatically so you can run the test again later. You can also click Save to save the test case without running it.
Tip: You can also copy an existing case, and change its settings to create a new case. In the case list, click Clone to clone the configuration. Only the case name is different from the original case.
Table 17: RFC 2544 Latency Test Case configuration
Settings Guidelines
Basic Information
Name Specify the case name, or just use the default. The name appears in the list of test cases.
Ping Server Timeout If a FortiTester connects to a DUT via a switch, the switch might cause a ping timeout, resulting in the test case failing to run. If this occurs, increase the timeout. The default is 15 seconds. The valid range is 0 to 600. Note: You can disable this end-to-end connectivity test by entering a setting of 0. If the DUT is unable to return packets, it is recommended you do so.
Network Settings
Client Ports, Server Ports The graphic depicts the test ports for client-side and server-side connections. The client ports simulate the behavior of clients; the server ports simulate the behavior of servers. FortiTester builds the TCP connections between client ports and server ports (and through the DUT, of course).
You must select at least one client port and one server port. After you select a port for client, a (check mark) is displayed on the port icon, and a tab for the port is added below the graphic. Use the tabs to toggle the Capture Packets and Subnet settings controls for each port.
Capture Packets
Capture Packets Optional. Set packet capture options if you want to capture the traffic of this port. You can capture all packets or specify a number. You can set packet capture filters for host IP/port and protocol.
Note: The system allocates temporary disk space for packet captures. The limit is 6,000,000 packets. The packets are saved to a temporary file that you can download from the running test case page. The filename indicates whether it is client or server communication and the interface port number. For example, client_port1.pcap. When a subsequent test case with packet capture enabled uses the same interface port as a previous one, the previous file is overwritten.
MAC Masquerade
MAC Masquerade Specify the first two bytes of a MAC address for the traffic.
Virtual Router
IP Address Specify the IP address of the virtual router. This IP address is used to connect to a DUT, therefore it must be in the same subnet as the connected port of the DUT. Please make sure the corresponding routing rules are set on the DUT, so that the DUT correctly forwards traffic to the virtual router. Only a single IP address in format xxx.xxx.xxx.xxx is accepted here.
Subnet
Subnet IP Address or Range Specify a single IP address with standard format (for example, 10.1.2.1) or an address range like 10.1.2.1-10.1.2.99.
Netmask Specify a netmask between 1 and 31.
VLAN ID Specify a VLAN ID between 1 and 4095.
Load
Simulated Users Number of users to simulate.
Standalone mode: The default is 256. The valid range is from 1 to 1024.
Test Center mode: The default is 512, and the valid range is from 1 to 2048, for example, for an environment with two FortiTester appliances.
DDoS Type DDoS attack traffic: TCP Session Flood. After you select a type, selection boxes for subtypes are displayed below. To change the percentage mix of subtypes, double-click the pie chart and adjust the percentages.
Speed Limit Applies only when DDoS type is TCP Session Flood or HTTP Session Flood. Rate of new connections per second. The default is 0, which means the device will create connections as fast as possible.
Standalone mode: The valid range is from 1,000 to 20,000 connections per second (or the special value 0).
Test Center mode: The valid range is from 1,000 to 20,000, for example, for an environment with two FortiTester appliances.
Concurrent Connection Applies only when DDoS type is Concurrent Session Flood. Number of concurrent connections.
Standalone mode: The default is 6,000,000. The valid range is from 10,000 to 6,000,000.
Test Center mode: The default is 12,000,000, and the valid range is 10,000 to 12,000,000, for example, for an environment with two FortiTester appliances.
Ramp Up Seconds Time in seconds for traffic to ramp up when you start the test. Not available for Concurrent Session Flood test.
Ramp Down Seconds Time in seconds for traffic to ramp down when you stop the test. Not available for Concurrent Session Flood test.
Network
Network MTU Maximum Transmission Unit for a data packet. FortiTester does not send out data packets larger than this value. Most DUTs have a limitation for packet size. The default is 1500. The valid range is 1,280 to 9,000.
Profile (Client)
Source Port Range Specify a client port range. The valid range is 10,000 to 65,535, which is also the default.
IP Change Algorithm / Port Change Algorithm Select a change algorithm: Increment or Random. This setting determines how the system changes source/destination IP addresses and ports to simulate multiple client requests. The Increment option uses the next IP address or port in the range, for example: 10.11.12.1 -> 10.11.12.2; port 10000 -> 10001. The Random option selects an IP address or port in the range randomly.
Piggybacking Disabled, meaning an acknowledgment is sent in an individual frame. Not configurable.
IP Option DSCP Provide quality of service (QoS)
Profile (Server)
Server Port Preset to 80. Not configurable.
Piggybacking Enabled. Not configurable.
IP Option DSCP Provide quality of service (QoS)
Starting an RFC 2544 loss rate test
FortiTester tests the ability of the DUT to handle different types of RFC 2544 loss rate. According to RFC 2544, the objective of this test is to determine the frame loss rate, as defined in RFC 1242, of a DUT throughout the entire range of input data rates and frame sizes.
To start a loss rate test:
1. Go to Cases > RFC 2544 > Loss Rate to display the test case summary page.
2. Click Add to display the Case Options dialog box.
3. Select the base value test case results to use for calculating the performance of DUT in this test.
4. In the pop-up dialog, configure DUT Working Mode as TP or NAT. Note: The system automatically populates all the other options with values taken from the selected base value test.
5. Click OK to continue.
6. Configure the test case options described in Table 18.
7. Click Start to run the test case.
FortiTester saves the configuration automatically so you can run the test again later. You can also click Save to save the test case without running it.
Tip: You can also copy an existing case, and change its settings to create a new case. In the case list, click Clone to clone the configuration. Only the case name is different from the original case.
Table 18: RFC 2544 Loss Rate Test Case configuration
Settings Guidelines
Basic Information
Name Specify the case name, or just use the default. The name appears in the list of test cases.
Ping Server Timeout If a FortiTester connects to a DUT via a switch, the switch might cause a ping timeout, resulting in the test case failing to run. If this occurs, increase the timeout. The default is 15 seconds. The valid range is 0 to 600. Note: You can disable this end-to-end connectivity test by entering a setting of 0. If the DUT is unable to return packets, it is recommended you do so.
Network Settings
Client Ports, Server Ports The graphic depicts the test ports for client-side and server-side connections. The client ports simulate the behavior of clients; the server ports simulate the behavior of servers. FortiTester builds the TCP connections between client ports and server ports (and through the DUT, of course).
You must select at least one client port and one server port. After you select a port for the client, a check mark is displayed on the port icon, and a tab for the port is added below the graphic. Use the tabs to toggle the Capture Packets and Subnet settings controls for each port.
Capture Packets
Capture Packets Optional. Set packet capture options if you want to capture the traffic of this port. You can capture all packets or specify a number. You can set packet capture filters for host IP/port and protocol.
Note: The system allocates temporary disk space for packet captures. The limit is 6,000,000 packets. The packets are saved to a temporary file that you can download from the running test case page. The filename indicates whether it is client or server communication and the interface port number. For example, client_port1.pcap. When a subsequent test case with packet capture enabled uses the same interface port as a previous one, the previous file is overwritten.
MAC Masquerade
MAC Masquerade Specify the first two bytes of a MAC address for the traffic.
Virtual Router
IP Address Specify the IP address of the virtual router. This IP address is used to connect to a DUT, so it must be in the same subnet as the connected port of the DUT. Make sure the corresponding routing rules are set on the DUT so that the DUT correctly forwards traffic to the virtual router. Only a single IP address in the format xxx.xxx.xxx.xxx is accepted here.
Subnet
Subnet IP Address or Range Specify a single IP address with standard format (for example, 10.1.2.1) or an address range like 10.1.2.1-10.1.2.99.
Netmask Specify a netmask between 1 and 31.
VLAN ID Specify a VLAN ID between 1 and 4095.
Load
Simulated Users Number of users to simulate.
Standalone mode: The default is 256. The valid range is from 1 to 1024.
Test Center mode: The default is 512, and the valid range is from 1 to 2048, for example, for an environment with two FortiTester appliances.
DDoS Type DDoS attack traffic: TCP Session Flood. After you select a type, selection boxes for subtypes are displayed below. To change the percentage mix of subtypes, double-click the pie chart and adjust the percentages.
Speed Limit Applies only when DDoS type is TCP Session Flood or HTTP Session Flood. Rate of new connections per second. The default is 0, which means the device will create connections as fast as possible.
Standalone mode: The valid range is from 1,000 to 20,000 connections per second (or the special value 0).
Test Center mode: The valid range is from 1,000 to 20,000, for example, for an environment with two FortiTester appliances.
Concurrent Connection Applies only when DDoS type is Concurrent Session Flood. Number of concurrent connections.
Standalone mode: The default is 6,000,000. The valid range is from 10,000 to 6,000,000.
Test Center mode: The default is 12,000,000, and the valid range is 10,000 to 12,000,000, for example, for an environment with two FortiTester appliances.
Ramp Up Seconds Time in seconds for traffic to ramp up when you start the test. Not available for Concurrent Session Flood test.
Ramp Down Seconds Time in seconds for traffic to ramp down when you stop the test. Not available for Concurrent Session Flood test.
Network
Network MTU Maximum Transmission Unit for a data packet. FortiTester does not send out data packets larger than this value. Most DUTs have a limitation for packet size. The default is 1500. The valid range is 1,280 to 9,000.
Profile (Client)
Source Port Range Specify a client port range. The valid range is 10,000 to 65,535, which is also the default.
IP Change Algorithm / Port Change Algorithm Select a change algorithm: Increment or Random. This setting determines how the system changes source/destination IP addresses and ports to simulate multiple client requests. The Increment option uses the next IP address or port in the range, for example: 10.11.12.1 -> 10.11.12.2; port 10000 -> 10001. The Random option selects an IP address or port in the range randomly.
Piggybacking Disabled, meaning an acknowledgment is sent in an individual frame. Not configurable.
IP Option DSCP Provide quality of service (QoS)
Profile (Server)
Server Port Preset to 80. Not configurable.
Piggybacking Enabled. Not configurable.
IP Option DSCP Provide quality of service (QoS)
Starting an RFC 2544 back to back test
FortiTester tests the ability of the DUT to handle different types of RFC 2544 back to back. According to RFC 2544, the objective is to characterize the ability of a DUT to process back-to-back frames as defined in RFC 1242.
To start an RFC 2544 back to back test:
1. Go to Cases > RFC 2544 > Back to Back to display the test case summary page.
2. Click Add to display the Case Options dialog box.
3. Select the base value test case results to use for calculating the performance of the DUT in this test.
4. In the pop-up dialog, configure DUT Working Mode as TP or NAT. Note: The system automatically populates all the other options with values taken from the selected base value test.
5. Click OK to continue.
6. Configure the test case options described in Table 19.
7. Click Start to run the test case.
FortiTester saves the configuration automatically so you can run the test again later. You can also click Save to save the test case without running it.
Tip: You can also copy an existing case, and change its settings to create a new case. In the case list, click Clone to clone the configuration. Only the case name is different from the original case.
Table 19: RFC 2544 back to back Test Case configuration
Settings Guidelines
Basic Information
Name Specify the case name, or just use the default. The name appears in the list of test cases.
Ping Server Timeout If a FortiTester connects to a DUT via a switch, the switch might cause a ping timeout, resulting in the test case failing to run. If this occurs, increase the timeout. The default is 15 seconds. The valid range is 0 to 600. Note: You can disable this end-to-end connectivity test by entering a setting of 0. If the DUT is unable to return packets, it is recommended you do so.
Network Settings
Client Ports, Server Ports The graphic depicts the test ports for client-side and server-side connections. The client ports simulate the behavior of clients; the server ports simulate the behavior of servers. FortiTester builds the TCP connections between client ports and server ports (and through the DUT, of course).
You must select at least one client port and one server port. After you select a port for the client, a check mark is displayed on the port icon, and a tab for the port is added below the graphic. Use the tabs to toggle the Capture Packets and Subnet settings controls for each port.
Capture Packets
Capture Packets Optional. Set packet capture options if you want to capture the traffic of this port. You can capture all packets or specify a number. You can set packet capture filters for host IP/port and protocol.
Note: The system allocates temporary disk space for packet captures. The limit is 6,000,000 packets. The packets are saved to a temporary file that you can download from the running test case page. The filename indicates whether it is client or server communication and the interface port number. For example, client_port1.pcap. When a subsequent test case with packet capture enabled uses the same interface port as a previous one, the previous file is overwritten.
MAC Masquerade
MAC Masquerade Specify the first two bytes of a MAC address for the traffic.
Virtual Router
IP Address Specify the IP address of the virtual router. This IP address is used to connect to a DUT, so it must be in the same subnet as the connected port of the DUT. Make sure the corresponding routing rules are set on the DUT so that the DUT correctly forwards traffic to the virtual router. Only a single IP address in the format xxx.xxx.xxx.xxx is accepted here.
Subnet
Subnet IP Address or Range Specify a single IP address with standard format (for example, 10.1.2.1) or an address range like 10.1.2.1-10.1.2.99.
Netmask Specify a netmask between 1 and 31.
VLAN ID Specify a VLAN ID between 1 and 4095.
Load
Simulated Users Number of users to simulate.
Standalone mode: The default is 256. The valid range is from 1 to 1024.
Test Center mode: The default is 512, and the valid range is from 1 to 2048, for example, for an environment with two FortiTester appliances.
DDoS Type DDoS attack traffic: TCP Session Flood. After you select a type, selection boxes for subtypes are displayed below. To change the percentage mix of subtypes, double-click the pie chart and adjust the percentages.
Speed Limit Applies only when DDoS type is TCP Session Flood or HTTP Session Flood. Rate of new connections per second. The default is 0, which means the device will create connections as fast as possible.
Standalone mode: The valid range is from 1,000 to 20,000 connections per second (or the special value 0).
Test Center mode: The valid range is from 1,000 to 20,000, for example, for an environment with two FortiTester appliances.
Concurrent Connection Applies only when DDoS type is Concurrent Session Flood. Number of concurrent connections.
Standalone mode: The default is 6,000,000. The valid range is from 10,000 to 6,000,000.
Test Center mode: The default is 12,000,000, and the valid range is 10,000 to 12,000,000, for example, for an environment with two FortiTester appliances.
Ramp Up Seconds Time in seconds for traffic to ramp up when you start the test. Not available for Concurrent Session Flood test.
Ramp Down Seconds Time in seconds for traffic to ramp down when you stop the test. Not available for Concurrent Session Flood test.
Network
Network MTU Maximum Transmission Unit for a data packet. FortiTester does not send out data packets larger than this value. Most DUTs have a limitation for packet size. The default is 1500. The valid range is 1,280 to 9,000.
Profile (Client)
Source Port Range Specify a client port range. The valid range is 10,000 to 65,535, which is also the default.
IP Change Algorithm / Port Change Algorithm Select a change algorithm: Increment or Random. This setting determines how the system changes source/destination IP addresses and ports to simulate multiple client requests. The Increment option uses the next IP address or port in the range, for example: 10.11.12.1 -> 10.11.12.2; port 10000 -> 10001. The Random option selects an IP address or port in the range randomly.
Piggybacking Disabled, meaning an acknowledgment is sent in an individual frame. Not configurable.
IP Option DSCP Provide quality of service (QoS)
Profile (Server)
Server Port Preset to 80. Not configurable.
Piggybacking Enabled. Not configurable.
IP Option DSCP Provide quality of service (QoS)
Starting a DNS latency test
FortiTester tests the latency of the DUT in handling DNS query requests. A DUT could be a gateway device or a DNS server. The test sends DNS requests to a DNS server and measures latency.
To start a DNS test:
1. Go to Cases > DNS > Latency to display the test case summary page.
2. Click Add to display the Case Options dialog box.
3. In the popup dialog, configure the network settings as described in "Using network configuration templates" on page 16.
4. Click OK to continue.
5. Configure the test case options described in Table 20.
6. Click Start to run the test case.
FortiTester saves the configuration automatically so you can run the test again later. You can also click Save to save the test case without running it.
Tip: You can also copy an existing case, and change its settings to create a new case. In the case list, click Clone to clone the configuration. Only the case name is different from the original case.
Table 20: DNS Latency Test Case configuration
Settings Guidelines
Basic Information
Name Specify the case name, or just use the default. The name appears in the list of test cases.
Ping Server Timeout If a FortiTester connects to a DUT via a switch, the switch might cause a ping timeout, resulting in the test case failing to run. If this occurs, increase the timeout. The default is 15 seconds. The valid range is 0 to 600. Note: You can disable this end-to-end connectivity test by entering a setting of 0. If the DUT is unable to return packets, it is recommended you do so.
Number of Samples Select the number of samples. The default is 20, which means the web UI shows the last 20 samples (about 20 seconds) on the test case running page. You can select 20, 60, or 120.
Duration Specify the test duration. The default is 10 minutes. The test stops automatically after the duration you specify.
Network Settings
Client Ports, Server Ports The graphic depicts the test ports for client-side and server-side connections. The client ports simulate the behavior of clients; the server ports simulate the behavior of servers. FortiTester builds the TCP connections between client ports and server ports (and through the DUT, of course).
You must select at least one client port and one server port. After you select a port for the client, a check mark is displayed on the port icon, and a tab for the port is added below the graphic. Use the tabs to toggle the Capture Packets and Subnet settings controls for each port.
Capture Packets
Capture Packets Optional. Set packet capture options if you want to capture the traffic of this port. You can capture all packets or specify a number. You can set packet capture filters for host IP/port and protocol.
Note: The system allocates temporary disk space for packet captures. The limit is 6,000,000 packets. The packets are saved to a temporary file that you can download from the running test case page. The filename indicates whether it is client or server communication and the interface port number. For example, client_port1.pcap. When a subsequent test case with packet capture enabled uses the same interface port as a previous one, the previous file is overwritten.
MAC Masquerade
MAC Masquerade Specify the first two bytes of a MAC address for the traffic.
Virtual Router
IP Address Specify the IP address of the virtual router. This IP address is used to connect to a DUT, so it must be in the same subnet as the connected port of the DUT. Make sure the corresponding routing rules are set on the DUT so that the DUT correctly forwards traffic to the virtual router. Only a single IP address in the format xxx.xxx.xxx.xxx is accepted here.
Subnet
Subnet IP Address or Range Specify a single IP address with standard format (for example, 10.1.2.1) or an address range like 10.1.2.1-10.1.2.99.
Netmask Specify a netmask between 1 and 31.
VLAN ID Specify a VLAN ID between 1 and 4095.
Gateway NAT mode only. Specify the gateway IP address.
Peer Network NAT mode only. Specify the peer network subnet address.
Load
Simulated Users Number of users to simulate.
Standalone mode: The default is 256. The valid range is from 1 to 250,000.
Test Center mode: The default is 512, and the valid range is from 1 to 500,000, for example, for an environment with two FortiTester appliances.
Bandwidth Limit The default is 0, which means the maximum possible. The unit is Mbps.
Standalone mode: The valid range is 10 to 20,000 (or the special value 0).
Test Center mode: The valid range is 10 to 40,000, for example, for an environment with two FortiTester appliances.
Ramp Up Seconds Time in seconds for traffic to ramp up when you start the test.
Ramp Down Seconds Time in seconds for traffic to ramp down when you stop the test.
DNS Renew Socket Specify Yes or No. If Yes, the client side renews a socket to send out the next query (note that if the client profile “Domain Policy” is set to List, all queries for the names in the domain list use the same socket; after that, a new socket is created for the next batch of queries). If No, the old socket is reused.
DNS Query Timeout The default is 1000 milliseconds.
Network
MTU Preset to 1500. Not configurable.
Profile (Client)
Source Port Range Specify a client port range. The valid range is 10,000 to 65,535, which is also the default.
IP Change Algorithm / Port Change Algorithm Select a change algorithm: Increment or Random. This setting determines how the system changes source/destination IP addresses and ports to simulate multiple client requests. The Increment option uses the next IP address or port in the range, for example: 10.11.12.1 -> 10.11.12.2; port 10000 -> 10001. The Random option selects an IP address or port in the range randomly.
Domain Policy Random or List. If Random is selected, FortiTester generates random domain names for queries. If List is selected, FortiTester uses queries in the specified list.
Domain List If Domain Policy is List, specify a list of domain name records. For example:
fortinet.com:A,www.fortinet.com:A,fortitester.com:MX
A name followed by “:A” is an address record, while a name followed by “:MX” is a mail exchange record.
IP Option DSCP Provide quality of service (QoS)
Profile (Server)
Server Port The DNS server access port. The default is 53. The valid range is 0 to 65,535.
IP Option DSCP Provide quality of service (QoS)
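How a Domain List string such as the one in Table 20 can be checked and turned into DNS queries, as an added example (not FortiTester code): entries are validated as `name:A` or `name:MX` and encoded with the standard RFC 1035 query layout. The function names are hypothetical, and the handbook does not document the exact packets FortiTester sends.

```python
"""Validate a Domain List string and encode each entry as a DNS query (added example)."""
import re
import struct

# Record types the handbook documents for Domain List, mapped to RFC 1035 QTYPE codes.
QTYPES = {"A": 1, "MX": 15}
QCLASS_IN = 1
# One DNS label: 1-63 letters, digits or hyphens, not starting or ending with a hyphen.
LABEL_RE = re.compile(r"(?!-)[A-Za-z0-9-]{1,63}(?<!-)")


def parse_domain_list(text: str):
    """Return [(name, rtype), ...] from 'name:TYPE,name:TYPE'.

    Raises ValueError naming the offending entry, so a bad list is caught
    before a test case is built from it.
    """
    entries = []
    for pos, item in enumerate(text.split(","), start=1):
        item = item.strip()
        name, sep, rtype = item.rpartition(":")
        if not sep or not name:
            raise ValueError(f"entry {pos} ({item!r}): expected name:TYPE")
        rtype = rtype.upper()
        if rtype not in QTYPES:
            raise ValueError(f"entry {pos}: unsupported record type {rtype!r}")
        name = name.rstrip(".").lower()
        labels = name.split(".")
        if len(name) > 253 or not all(LABEL_RE.fullmatch(label) for label in labels):
            raise ValueError(f"entry {pos}: invalid domain name {name!r}")
        entries.append((name, rtype))
    return entries


def encode_query(name: str, rtype: str, query_id: int) -> bytes:
    """Encode one standard recursive query for `name` (RFC 1035 section 4.1)."""
    # Header: ID, flags (only RD set), QDCOUNT=1, ANCOUNT=NSCOUNT=ARCOUNT=0.
    header = struct.pack("!HHHHHH", query_id & 0xFFFF, 0x0100, 1, 0, 0, 0)
    # QNAME: each label prefixed by its length, terminated by the zero-length root label.
    qname = b"".join(
        bytes([len(label)]) + label.encode("ascii") for label in name.split(".")
    ) + b"\x00"
    return header + qname + struct.pack("!HH", QTYPES[rtype], QCLASS_IN)


def build_queries(text: str, first_id: int = 1):
    """Parse a Domain List and return one encoded query per entry, in list order."""
    return [
        encode_query(name, rtype, first_id + i)
        for i, (name, rtype) in enumerate(parse_domain_list(text))
    ]


if __name__ == "__main__":
    # The Domain List example from Table 20.
    sample = "fortinet.com:A,www.fortinet.com:A,fortitester.com:MX"
    for (name, rtype), packet in zip(parse_domain_list(sample), build_queries(sample)):
        print(f"{name:<18} {rtype:<2} {len(packet):>2} bytes  {packet.hex()}")
```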
Starting a TCP connection test
FortiTester tests TCP concurrent connection performance by generating a specified volume of two-way TCP traffic flow via specified ports.
To start a TCP connection test:
1. Go to Cases > TCP > Connection to display the test case summary page.
2. Click Add to display the Case Options dialog box.
3. In the popup dialog, configure the network settings as described in "Using network configuration templates" on page 16.
4. Click OK to continue.
5. Configure the test case options described in Table 21.
6. Click Start to run the test case.
FortiTester saves the configuration automatically so you can run the test again later. You can also click Save to save the test case without running it.
Tip: You can also copy an existing case, and change its settings to create a new case. In the case list, click Clone to clone the configuration. Only the case name is different from the original case.
Table 21: TCP Connection Test Case configuration
Settings Guidelines
Basic Information
Name Specify the case name, or just use the default. The name appears in the list of test cases.
Ping Server Timeout If a FortiTester connects to a DUT via a switch, the switch might cause a ping timeout, resulting in the test case failing to run. If this occurs, increase the timeout. The default is 15 seconds. The valid range is 0 to 600. Note: You can disable this end-to-end connectivity test by entering a setting of 0. If the DUT is unable to return packets, it is recommended you do so.
Number of Samples Select the number of samples. The default is 20, which means the web UI shows the last 20 samples (about 20 seconds) on the test case running page. You can select 20, 60, or 120.
Duration Specify the test duration. The default is 10 minutes. The test stops automatically after the duration you specify.
Network Settings
Client Ports, Server Ports The graphic depicts the test ports for client-side and server-side connections. The client ports simulate the behavior of clients; the server ports simulate the behavior of servers. FortiTester builds the TCP connections between client ports and server ports (and through the DUT, of course).
You must select at least one client port and one server port. After you select a port for the client, a check mark is displayed on the port icon, and a tab for the port is added below the graphic. Use the tabs to toggle the Capture Packets and Subnet settings controls for each port.
Capture Packets
Capture Packets Optional. Set packet capture options if you want to capture the traffic of this port. You can capture all packets or specify a number. You can set packet capture filters for host IP/port and protocol.
Note: The system allocates temporary disk space for packet captures. The limit is 6,000,000 packets. The packets are saved to a temporary file that you can download from the running test case page. The filename indicates whether it is client or server communication and the interface port number. For example, client_port1.pcap. When a subsequent test case with packet capture enabled uses the same interface port as a previous one, the previous file is overwritten.
MAC Masquerade
MAC Masquerade Specify the first two bytes of a MAC address for the traffic.
Virtual Router
IP Address Specify the IP address of the virtual router. This IP address is used to connect to a DUT, so it must be in the same subnet as the connected port of the DUT. Make sure the corresponding routing rules are set on the DUT so that the DUT correctly forwards traffic to the virtual router. Only a single IP address in the format xxx.xxx.xxx.xxx is accepted here.
Subnet
Subnet IP Address or Range Specify a single IP address with standard format (for example, 10.1.2.1) or an address range like 10.1.2.1-10.1.2.99.
Netmask Specify a netmask between 1 and 31.
VLAN ID Specify a VLAN ID between 1 and 4095.
Gateway NAT mode only. Specify the gateway IP address.
Peer Network NAT mode only. Specify the peer network subnet address.
Add Subnet If necessary, click +Add Subnet to display additional subnet configuration controls. An interface port can have multiple subnets. FortiTester uses all IP addresses in the specified subnets to create TCP connections and transfer data.
Load
Simulated Users Number of users to simulate.
Standalone mode: The default is 256. The valid range is from 1 to 1024.
Test Center mode: The default is 512, and the valid range is from 1 to 2048, for example, for an environment with two FortiTester appliances.
Concurrent Connection Number of concurrent connections.
Standalone mode: The default is 5,000,000. The valid range is 5,000 to 5,000,000.
Test Center mode: The default is 10,000,000, and the valid range is 5,000 to 21,000,000, for example, for an environment with two FortiTester appliances.
Concurrent Close Number of connections to close at one time. To keep the DUT from losing packets, connections are closed batch by batch.
Standalone mode: The default is 256, and the valid range is 1 to 10,000.
Test Center mode: The default is 512, and the valid range is 1 to 10,000.
Speed Limit Rate of new connections per second. The default is 0, which means the device will create connections as fast as possible.
Standalone mode: The valid range is 256 to 600,000 connections per second (or the special value 0).
Test Center mode: The valid range is 256 to 1,200,000, for example, for an environment with two FortiTester appliances.
Network
MTU Preset to 1500. Not configurable.
Profile (Client)
Source Port Range Specify a client port range. The valid range is 10,000 to 65,535, which is also the default.
Client Close Mode Select the connection close method: 3Way_Fin or Reset.
IP Change Algorithm / Port Change Algorithm Determines how the system changes source/destination IP addresses and ports to simulate multiple client requests. Preset to Random. Not configurable. The Random option selects an IP address or port in the range randomly.
IP Option DSCP Provide quality of service (QoS)
Piggybacking Disabled. Not configurable.
Send Size Specify the buffer size to send out from the client side. The default is 800 bytes. The valid range is from 1 to 100,000.
Receive Size Specify the buffer size to receive from the server side. The default is 1,000 bytes. The valid range is from 1 to 100,000.
Profile (Server)
Server Port Preset to 80. Not configurable.
Server Close Mode Preset to 3Way_Fin. Not configurable.
IP Option DSCP Provide quality of service (QoS)
Piggybacking Enabled, meaning an acknowledgment is sent on the data frame, not in an individual frame. Not configurable.
Starting a TCP throughput test
FortiTester tests TCP throughput by generating a specified volume of two-way TCP traffic flow via specified ports.
To start a TCP throughput test:
1. Go to Cases > TCP > Throughput to display the test case summary page.
2. Click Add to display the Case Options dialog box.
3. In the popup dialog, configure the network settings as described in "Using network configuration templates" on page 16.
4. Click OK to continue.
5. Configure the test case options described in Table 22.
6. Click Start to run the test case.
FortiTester saves the configuration automatically so you can run the test again later. You can also click Save to save the test case without running it.
Tip: You can also copy an existing case, and change its settings to create a new case. In the case list, click Clone to clone the configuration. Only the case name is different from the original case.
Table 22: TCP Throughput Test Case configuration
Settings Guidelines
Basic Information
Name Specify the case name, or just use the default. The name appears in the list of test cases.
Ping Server Timeout If a FortiTester connects to a DUT via a switch, the switch might cause a ping timeout, resulting in the test case failing to run. If this occurs, increase the timeout. The default is 15 seconds. The valid range is 0 to 600. Note: You can disable this end-to-end connectivity test by entering a setting of 0. If the DUT is unable to return packets, it is recommended you do so.
Number of Samples Select the number of samples. The default is 20, which means the web UI shows the last 20 samples (about 20 seconds) on the test case running page. You can select 20, 60, or 120.
Duration Specify the test duration. The default is 10 minutes. The test stops automatically after the duration you specify.
Network Settings
Client Ports, Server Ports The graphic depicts the test ports for client-side and server-side connections. The client ports simulate the behavior of clients; the server ports simulate the behavior of servers. FortiTester builds the TCP connections between client ports and server ports (and through the DUT, of course).
You must select at least one client port and one server port. After you select a port for the client, a check mark is displayed on the port icon, and a tab for the port is added below the graphic. Use the tabs to toggle the Capture Packets and Subnet settings controls for each port.
Capture Packets
Capture Packets Optional. Set packet capture options if you want to capture the traffic of this port. You can capture all packets or specify a number. You can set packet capture filters for host IP/port and protocol.
Note: The system allocates temporary disk space for packet captures. The limit is 6,000,000 packets. The packets are saved to a temporary file that you can download from the running test case page. The filename indicates whether it is client or server communication and the interface port number. For example, client_port1.pcap. When a subsequent test case with packet capture enabled uses the same interface port as a previous one, the previous file is overwritten.
MAC Masquerade
MAC Masquerade Specify the first two bytes of a MAC address for the traffic.
Virtual Router
IP Address Specify the IP address of the virtual router. This IP address is used to connect to a DUT, so it must be in the same subnet as the connected port of the DUT. Make sure the corresponding routing rules are set on the DUT so that the DUT correctly forwards traffic to the virtual router. Only a single IP address in the format xxx.xxx.xxx.xxx is accepted here.
Subnet
IP Address or Range Specify a single IP address with standard format (for example, 10.1.2.1) or an address range like 10.1.2.1-10.1.2.99.
Netmask Specify a netmask between 1 and 31.
VLAN ID Specify a VLAN ID between 1 and 4095.
Gateway NAT mode only. Specify the gateway IP address.
Peer Network NAT mode only. Specify the peer network subnet address.
Add Subnet If necessary, click +Add Subnet to display additional subnet configuration controls. An interface port can have multiple subnets. FortiTester uses all IP addresses in the specified subnets to create TCP connections and transfer data.
Load
Simulated Users Number of users to simulate.
Standalone mode: The default is 256. The valid range is from 1 to 1024.
Test Center mode: The default is 512, and the valid range is from 1 to 2048, for example, for an environment with two FortiTester appliances.
Bandwidth Limit TCP data load. The default is the special value 0, which means to transfer as much data as FortiTester can generate. For all other values, the unit is Mbit per second.
Standalone mode: The valid range is 10 to 20,000.
Test Center mode: The valid range is 10 to 40,000.
Ramp Up Seconds Time in seconds for traffic to ramp up when you start the test.
Ramp Down Seconds Time in seconds for traffic to ramp down when you stop the test.
Network
Network MTU Maximum Transmission Unit for a data packet. FortiTester does not send out data packets larger than this value. Most DUTs have a limitation for packet size. The default is 1500. Fortinet recommends that you use the default.
Throughput Buffer Size TCP buffer size. The bigger the buffer, the better the throughput. The default is 1460 bytes. The valid range is 64 to 10M.
Profile (Client)
Source Port Range Specify a client port range. The valid range is 10,000 to 65,535, which is also the default.
IP Change Algorithm / Port Change Algorithm Select a change algorithm: Increment or Random. This setting determines how the system changes source/destination IP addresses and ports to simulate multiple client requests. The Increment option uses the next IP address or port in the range, for example: 10.11.12.1 -> 10.11.12.2; port 10000 -> 10001. The Random option selects an IP address or port in the range randomly.
Client Close Mode Preset to Reset. Not configurable.
Piggybacking Enabled, meaning an acknowledgment is sent on the data frame, not in an individual frame. Not configurable.
IP Option DSCP Provide quality of service (QoS)
Profile (Server)
Server Port Preset to 6500. Not configurable.
Server Close Mode Preset to Reset. Not configurable.
Piggybacking Enabled. Not configurable.
IP Option DSCP Provide quality of service (QoS)
Starting a TurboTCP test
FortiTester tests TurboTCP connections per second (CPS) performance by generating a specified volume of two-way TCP traffic flow via specified ports.
The traffic generated for each connection includes the TCP three-way handshake and the TCP connection close (Reset).
To start a TurboTCP test:
1. Go to Cases > TCP > TurboTCP to display the test case summary page.
2. Click Add to display the Case Options dialog box.
3. In the popup dialog, configure the network settings as described in "Using network configuration templates" on page 16.
4. Click OK to continue.
5. Configure the test case options described in Table 23.
6. Click Start to run the test case.
FortiTester saves the configuration automatically so you can run the test again later. You can also click Save to save the test case without running it.
Tip: You can also copy an existing case, and change its settings to create a new case. In the case list, click Clone to clone the configuration. Only the case name is different from the original case.
Table 23: TurboTCP Test Case configuration
Settings Guidelines
Basic Information
Name Specify the case name, or just use the default. The name appears in the list of test cases.
Ping Server Timeout If a FortiTester connects to a DUT via a switch, the switch might cause a ping timeout, resulting in the test case failing to run. If this occurs, increase the timeout. The default is 15 seconds. The valid range is 0 to 600. Note: You can disable this end-to-end connectivity test by entering a setting of 0. If the DUT is unable to return packets, it is recommended you do so.
Number of Samples Select the number of samples. The default is 20, which means the web UI will show the last 20 sample data (about 20 seconds) in the test case running page. You can select 20, 60, or 120.
Duration Specify the test duration. The default is 10 minutes. The test stops automatically after the duration you specify.
Network Settings
Client Ports, Server Ports The graphic depicts the test ports for client-side and server-side connections. The client ports simulate the behavior of clients; the server ports simulate the behavior of servers. FortiTester builds the TCP connections between client ports and server ports (and through the DUT, of course).
You must select at least one client port and one server port. After you select a port for client, a check mark is displayed on the port icon, and a tab for the port is added below the graphic. Use the tabs to toggle the Capture Packets and Subnet settings controls for each port.
Capture Packets
Capture Packets Optional. Set packet capture options if you want to capture the traffic of this port. You can capture all packets or specify a number. You can set packet capture filters for host IP/port and protocol.
Note: The system allocates temporary disk space for packet captures. The limit is 6,000,000 packets. The packets are saved to a temporary file that you can download from the running test case page. The filename indicates whether it is client or server communication and the interface port number. For example, client_port1.pcap. When a subsequent test case with packet capture enabled uses the same interface port as a previous one, the previous file is overwritten.
MAC Masquerade
MAC Masquerade Specify the first two bytes of a MAC address for the traffic.
Virtual Router
IP Address Specify the IP address of the virtual router. This IP address is used to connect to a DUT, therefore it must be in the same subnet as the connected port of the DUT. Please make sure the corresponding routing rules are set on the DUT, so that the DUT correctly forwards traffic to the virtual router. Only a single IP address in the format xxx.xxx.xxx.xxx is accepted here.
Subnet
Subnet IP Address or Range Specify a single IP address with standard format (for example, 10.1.2.1) or an address range like 10.1.2.1-10.1.2.99.
Netmask Specify a netmask between 1 and 31.
VLAN ID Specify a VLAN ID between 1 and 4095.
Gateway NAT mode only. Specify the gateway IP address.
Peer Network NAT mode only. Specify the peer network subnet address.
Proxy IP/Mask Web Proxy mode only. Specify the proxy IP address/netmask.
Add Subnet If necessary, click +Add Subnet to display additional subnet configuration controls. An interface port can have multiple subnets. FortiTester uses all IP addresses in the specified subnets to create TCP connections and transfer data.
Load
Simulated Users Number of users to simulate.
Standalone mode: The default is 256. The valid range is from 1 to 1024.
Test Center mode: The default is 512, and the valid range is from 1 to 2048, for example, for an environment with two FortiTester appliances.
Speed Limit Rate of new connections per second. The default is 0, which means the device will create connections as fast as possible.
Standalone mode: The valid range is 1,000 to 2,000,000 connections per second (or the special value 0).
Test Center mode: The valid range is 1,000 to 4,000,000, for example, for an environment with two FortiTester appliances.
Ramp Up Seconds Time in seconds for traffic to ramp up when you start the test.
Ramp Down Seconds Time in seconds for traffic to ramp down when you stop the test.
Network
MTU Maximum Transmission Unit for a data packet. FortiTester does not send out data packets larger than this value. Most DUTs have a limitation for packet size. The default is 1500. The valid range is 1,280 to 9,000.
Profile (Client)
Source Port Range Specify a client port range. The valid range is 10,000 to 65,535, which is also the default.
IP Change Algorithm / Port Change Algorithm Select a change algorithm: Increment or Random. This setting determines how the system changes source/destination IP addresses and ports to simulate multiple client requests. The Increment option uses the next IP address or port in the range, for example: 10.11.12.1 -> 10.11.12.2; port 10000 -> 10001. The Random option selects an IP address or port in the range randomly.
Piggybacking Disabled. Not configurable.
IP Option DSCP Provide quality of service (QoS)
Profile (Server)
Server Port Preset to 6000. The valid range is from 0 to 65,535.
Server Close Mode Preset to Reset. Not configurable.
Piggybacking Enabled, meaning an acknowledgment is sent on the data frame, not in an individual frame. Not configurable.
IP Option DSCP Provide quality of service (QoS)
Starting a Mail SMTP test
FortiTester tests performance of a target device under SMTP traffic by simulating a volume of clients to generate SMTP traffic.
To start an SMTP test:
1. Go to Cases > Mail > SMTP to display the test case summary page.
2. Click Add to display the Case Options dialog box.
3. In the popup dialog, configure the network settings as described in "Using network configuration templates" on page 16.
4. Click OK to continue.
5. Configure the test case options described in Table 24.
6. Click Start to run the test case.
FortiTester saves the configuration automatically so you can run the test again later. You can also click Save to save the test case without running it.
Tip: You can also copy an existing case, and change its settings to create a new case. In the case list, click Clone to clone the configuration. Only the case name is different from the original case.
Table 24: Mail SMTP Test Case configuration
Settings Guidelines
Basic Information
Name Specify the case name, or just use the default. The name appears in the list of test cases.
Ping Server Timeout If a FortiTester connects to a DUT via a switch, the switch might cause a ping timeout, resulting in the test case failing to run. If this occurs, increase the timeout. The default is 15 seconds. The valid range is 0 to 600. Note: You can disable this end-to-end connectivity test by entering a setting of 0. If the DUT is unable to return packets, it is recommended you do so.
Number of Samples Select the number of samples. The default is 20, which means the web UI will show the last 20 sample data (about 20 seconds) in the test case running page. You can select 20, 60, or 120.
Duration Specify the test duration. The default is 10 minutes. The test stops automatically after the duration you specify.
Network Settings
Client Ports, Server Ports The graphic depicts the test ports for client-side and server-side connections. The client ports simulate the behavior of clients; the server ports simulate the behavior of servers. FortiTester builds the TCP connections between client ports and server ports (and through the DUT, of course).
You must select at least one client port and one server port. After you select a port for client, a check mark is displayed on the port icon, and a tab for the port is added below the graphic. Use the tabs to toggle the Capture Packets and Subnet settings controls for each port.
Capture Packets
Capture Packets Optional. Set packet capture options if you want to capture the traffic of this port. You can capture all packets or specify a number. You can set packet capture filters for host IP/port and protocol.
Note: The system allocates temporary disk space for packet captures. The limit is 6,000,000 packets. The packets are saved to a temporary file that you can download from the running test case page. The filename indicates whether it is client or server communication and the interface port number. For example, client_port1.pcap. When a subsequent test case with packet capture enabled uses the same interface port as a previous one, the previous file is overwritten.
MAC Masquerade
MAC Masquerade Specify the first two bytes of a MAC address for the traffic.
Virtual Router
IP Address Specify the IP address of the virtual router. This IP address is used to connect to a DUT, therefore it must be in the same subnet as the connected port of the DUT. Please make sure the corresponding routing rules are set on the DUT, so that the DUT correctly forwards traffic to the virtual router. Only a single IP address in the format xxx.xxx.xxx.xxx is accepted here.
Subnet
Subnet IP Address or Range Specify a single IP address with standard format (for example, 10.1.2.1) or an address range like 10.1.2.1-10.1.2.99.
Netmask Specify a netmask between 1 and 31.
Add Subnet If necessary, click +Add Subnet to display additional subnet configuration controls. An interface port can have multiple subnets. FortiTester uses all IP addresses in the specified subnets to create UDP connections and transfer data.
Load
Simulated Users Number of users to simulate.
Standalone mode: The default is 256. The valid range is from 1 to 1024.
Test Center mode: The default is 512, and the valid range is from 1 to 2048, for example, for an environment with two FortiTester appliances.
Mail Set mail content for the simulated SMTP traffic. This is editable.
SMTP Email Address The email sender address. The default is “[email protected]”.
SMTP Email To The email receiver address. The default is “[email protected]”.
SMTP Email Password The password of email sender. The default is “tester@fts”.
Limit
Mail Send Limit Rate for sending mails per second. The default is 0, which means the maximum possible.
Standalone mode: The valid range is 100 to 180,000 (or the special value 0).
Test Center mode: The valid range is 100 to 360,000, for example, for an environment with two FortiTester appliances.
Ramp Up Seconds Time in seconds for traffic to ramp up when you start the test.
Ramp Down Seconds Time in seconds for traffic to ramp down when you stop the test.
Network
MTU Maximum Transmission Unit for a data packet. FortiTester does not send out data packets larger than this value. Most DUTs have a limitation for packet size. The default is 1500. The valid range is 1,280 to 9,000.
Profile (Client)
Source Port Range Specify a client port range. The valid range is 10,000 to 65,535, which is also the default.
Client Close Mode Preset to 3Way_Fin. Not configurable.
IP Change Algorithm / Port Change Algorithm Determines how the system changes source/destination IP addresses and ports to simulate multiple client requests. Preset to Increment. Not configurable. The Increment option uses the next IP address or port in the range, for example: 10.11.12.1 -> 10.11.12.2; port 10000 -> 10001. The Random option selects an IP address or port in the range randomly.
IP Option DSCP Provide quality of service (QoS)
Profile (Server)
Server Port Preset to 25. Not configurable.
IP Option DSCP Provide quality of service (QoS)
Starting a Mail POP3 test
FortiTester tests the ability of the DUT to handle different types of mail POP3. This test traffic establishes a TCP connection (three-way handshake), receives one mail by POP3 and closes the TCP connection.
To start a POP3 test:
1. Go to Cases > Mail > POP3 to display the test case summary page.
2. Click Add to display the Case Options dialog box.
3. In the pop-up dialog, configure the network settings as described in "Using network configuration templates" on page 16.
4. Click OK to continue.
5. Configure the test case options described in Table 25.
6. Click Start to run the test case.
FortiTester saves the configuration automatically so you can run the test again later. You can also click Save to save the test case without running it.
Tip: You can also copy an existing case, and change its settings to create a new case. In the case list, click Clone to clone the configuration. Only the case name is different from the original case.
Table 25: Mail POP3 Test Case configuration
Settings Guidelines
Basic Information
Name Specify the case name, or just use the default. The name appears in the list of test cases.
Ping Server Timeout If a FortiTester connects to a DUT via a switch, the switch might cause a ping timeout, resulting in the test case failing to run. If this occurs, increase the timeout. The default is 15 seconds. The valid range is 0 to 600. Note: You can disable this end-to-end connectivity test by entering a setting of 0. If the DUT is unable to return packets, it is recommended you do so.
Number of Samples Select the number of samples. The default is 20, which means the web UI will show the last 20 sample data (about 20 seconds) in the test case running page. You can select 20, 60, or 120.
Duration Specify the test duration. The default is 10 minutes. The test stops automatically after the duration you specify.
Network Settings
Client Ports, Server Ports The graphic depicts the test ports for client-side and server-side connections. The client ports simulate the behavior of clients; the server ports simulate the behavior of servers. FortiTester builds the TCP connections between client ports and server ports (and through the DUT, of course).
You must select at least one client port and one server port. After you select a port for client, a check mark is displayed on the port icon, and a tab for the port is added below the graphic. Use the tabs to toggle the Capture Packets and Subnet settings controls for each port.
Capture Packets
Capture Packets Optional. Set packet capture options if you want to capture the traffic of this port. You can capture all packets or specify a number. You can set packet capture filters for host IP/port and protocol.
Note: The system allocates temporary disk space for packet captures. The limit is 6,000,000 packets. The packets are saved to a temporary file that you can download from the running test case page. The filename indicates whether it is client or server communication and the interface port number. For example, client_port1.pcap. When a subsequent test case with packet capture enabled uses the same interface port as a previous one, the previous file is overwritten.
MAC Masquerade
MAC Masquerade Specify the first two bytes of a MAC address for the traffic.
Virtual Router
IP Address Specify the IP address of the virtual router. This IP address is used to connect to a DUT, therefore it must be in the same subnet as the connected port of the DUT. Please make sure the corresponding routing rules are set on the DUT, so that the DUT correctly forwards traffic to the virtual router. Only a single IP address in the format xxx.xxx.xxx.xxx is accepted here.
Subnet
Subnet IP Address or Range Specify a single IP address with standard format (for example, 10.1.2.1) or an address range like 10.1.2.1-10.1.2.99.
Netmask Specify a netmask between 1 and 31.
Gateway NAT mode only. Specify the gateway IP address.
Peer Network NAT mode only. Specify the peer network subnet address.
VLAN ID Specify a VLAN ID between 1 and 4095.
Load
Mail Set mail content for the simulated SMTP traffic. This is editable.
Simulated Users Number of users to simulate.
Standalone mode: The default is 256. The valid range is from 1 to 1024.
Test Center mode: The default is 512, and the valid range is from 1 to 2048, for example, for an environment with two FortiTester appliances.
Pop3 Email Address The email sender address. The default is “[email protected]”.
Pop3 Email Password The password of email sender. The default is “tester@fts”.
Limit
Mail Receive Limit Rate for sending mails per second. The default is 0, which means the maximum possible.
Standalone mode: The valid range is 100 to 180,000 (or the special value 0).
Test Center mode: The valid range is 100 to 360,000, for example, for an environment with two FortiTester appliances.
Ramp Up Seconds Time in seconds for traffic to ramp up when you start the test.
Ramp Down Seconds Time in seconds for traffic to ramp down when you stop the test.
Network
Network MTU Maximum Transmission Unit for a data packet. FortiTester does not send out data packets larger than this value. Most DUTs have a limitation for packet size. The default is 1500. The valid range is 1,280 to 9,000.
Profile (Client)
Source Port Range Specify a client port range. The valid range is 10,000 to 65,535, which is also the default.
IP Change Algorithm / Port Change Algorithm Select a change algorithm: Increment or Random. This setting determines how the system changes source/destination IP addresses and ports to simulate multiple client requests. The Increment option uses the next IP address or port in the range, for example: 10.11.12.1 -> 10.11.12.2; port 10000 -> 10001. The Random option selects an IP address or port in the range randomly.
IP Option DSCP Provide quality of service (QoS)
Profile (Server)
Server Port Preset to 80. Not configurable.
IP Option DSCP Provide quality of service (QoS)
Starting a Mail IMAP test
FortiTester tests the ability of the DUT to handle different types of mail IMAP. This test establishes a TCP connection (three-way handshake), receives one email by IMAP and closes the TCP connection.
To start an IMAP test:
1. Go to Cases > Mail > IMAP to display the test case summary page.
2. Click Add to display the Case Options dialog box.
3. In the pop-up dialog, configure the network settings as described in "Using network configuration templates" on page 16.
4. Click OK to continue.
5. Configure the test case options described in Table 26.
6. Click Start to run the test case.
FortiTester saves the configuration automatically so you can run the test again later. You can also click Save to save the test case without running it.
Tip: You can also copy an existing case, and change its settings to create a new case. In the case list, click Clone to clone the configuration. Only the case name is different from the original case.
Table 26: Mail IMAP Test Case configuration
Settings Guidelines
Basic Information
Name Specify the case name, or just use the default. The name appears in the list of test cases.
Ping Server Timeout If a FortiTester connects to a DUT via a switch, the switch might cause a ping timeout, resulting in the test case failing to run. If this occurs, increase the timeout. The default is 15 seconds. The valid range is 0 to 600. Note: You can disable this end-to-end connectivity test by entering a setting of 0. If the DUT is unable to return packets, it is recommended you do so.
Number of Samples Select the number of samples. The default is 20, which means the web UI will show the last 20 sample data (about 20 seconds) in the test case running page. You can select 20, 60, or 120.
Duration Specify the test duration. The default is 10 minutes. The test stops automatically after the duration you specify.
Network Settings
Client Ports, Server Ports The graphic depicts the test ports for client-side and server-side connections. The client ports simulate the behavior of clients; the server ports simulate the behavior of servers. FortiTester builds the TCP connections between client ports and server ports (and through the DUT, of course).
You must select at least one client port and one server port. After you select a port for client, a check mark is displayed on the port icon, and a tab for the port is added below the graphic. Use the tabs to toggle the Capture Packets and Subnet settings controls for each port.
Capture Packets
Capture Packets Optional. Set packet capture options if you want to capture the traffic of this port. You can capture all packets or specify a number. You can set packet capture filters for host IP/port and protocol.
Note: The system allocates temporary disk space for packet captures. The limit is 6,000,000 packets. The packets are saved to a temporary file that you can download from the running test case page. The filename indicates whether it is client or server communication and the interface port number. For example, client_port1.pcap. When a subsequent test case with packet capture enabled uses the same interface port as a previous one, the previous file is overwritten.
MAC Masquerade
MAC Masquerade Specify the first two bytes of a MAC address for the traffic.
Virtual Router
IP Address Specify the IP address of the virtual router. This IP address is used to connect to a DUT, therefore it must be in the same subnet as the connected port of the DUT. Please make sure the corresponding routing rules are set on the DUT, so that the DUT correctly forwards traffic to the virtual router. Only a single IP address in the format xxx.xxx.xxx.xxx is accepted here.
Subnet
Subnet IP Address or Range Specify a single IP address with standard format (for example, 10.1.2.1) or an address range like 10.1.2.1-10.1.2.99.
Netmask Specify a netmask between 1 and 31.
Gateway NAT mode only. Specify the gateway IP address.
Peer Network NAT mode only. Specify the peer network subnet address.
VLAN ID Specify a VLAN ID between 1 and 4095.
Load
Mail Set mail content for the simulated SMTP traffic. This is editable.
Simulated Users Number of users to simulate.
Standalone mode: The default is 256. The valid range is from 1 to 1024.
Test Center mode: The default is 512, and the valid range is from 1 to 2048, for example, for an environment with two FortiTester appliances.
IMAP Email Address The email sender address. The default is “[email protected]”.
IMAP Email Password The password of email sender. The default is “tester@fts”.
Limit
Mail Receive Limit Rate for sending mails per second. The default is 0, which means the maximum possible.
Standalone mode: The valid range is 100 to 180,000 (or the special value 0).
Test Center mode: The valid range is 100 to 360,000, for example, for an environment with two FortiTester appliances.
Ramp Up Seconds Time in seconds for traffic to ramp up when you start the test.
Ramp Down Seconds Time in seconds for traffic to ramp down when you stop the test.
Network
Network MTU Maximum Transmission Unit for a data packet. FortiTester does not send out data packets larger than this value. Most DUTs have a limitation for packet size. The default is 1500. The valid range is 1,280 to 9,000.
Profile (Client)
Source Port Range Specify a client port range. The valid range is 10,000 to 65,535, which is also the default.
IP Change Algorithm / Port Change Algorithm Select a change algorithm: Increment or Random. This setting determines how the system changes source/destination IP addresses and ports to simulate multiple client requests. The Increment option uses the next IP address or port in the range, for example: 10.11.12.1 -> 10.11.12.2; port 10000 -> 10001. The Random option selects an IP address or port in the range randomly.
IP Option DSCP Provide quality of service (QoS)
Profile (Server)
Server Port Preset to 143. Range: 0 - 65535
IP Option DSCP Provide quality of service (QoS)
Starting a FTP test
This FortiTester test establishes a TCP connection (three-way handshake), transfers one file by FTP, and then closes the TCP connection.
To start an FTP test:
1. Go to Cases > FTP > FTP to display the test case summary page.
2. Click Add to display the Case Options dialog box.
3. In the pop-up dialog, configure the network settings as described in "Using network configuration templates" on page 16.
4. Click OK to continue.
5. Configure the test case options described in Table 27.
6. Click Start to run the test case.
FortiTester saves the configuration automatically so you can run the test again later. You can also click Save to save the test case without running it.
Tip: You can also copy an existing case, and change its settings to create a new case. In the case list, click Clone to clone the configuration. Only the case name is different from the original case.
Table 27: FTP Test Case configuration
Settings Guidelines
Basic Information
Name Specify the case name, or just use the default. The name appears in the list of test cases.
Ping Server Timeout If a FortiTester connects to a DUT via a switch, the switch might cause a ping timeout, resulting in the test case failing to run. If this occurs, increase the timeout. The default is 15 seconds. The valid range is 0 to 600. Note: You can disable this end-to-end connectivity test by entering a setting of 0. If the DUT is unable to return packets, it is recommended you do so.
Number of Samples Select the number of samples. The default is 20, which means the web UI will show the last 20 sample data (about 20 seconds) in the test case running page. You can select 20, 60, or 120.
Duration Specify the test duration. The default is 10 minutes. The test stops automatically after the duration you specify.
Network Settings
Client Ports, Server Ports The graphic depicts the test ports for client-side and server-side connections. The client ports simulate the behavior of clients; the server ports simulate the behavior of servers. FortiTester builds the TCP connections between client ports and server ports (and through the DUT, of course).
You must select at least one client port and one server port. After you select a port for client, a check mark is displayed on the port icon, and a tab for the port is added below the graphic. Use the tabs to toggle the Capture Packets and Subnet settings controls for each port.
Capture Packets
Capture Packets Optional. Set packet capture options if you want to capture the traffic of this port. You can capture all packets or specify a number. You can set packet capture filters for host IP/port and protocol.
Note: The system allocates temporary disk space for packet captures. The limit is 6,000,000 packets. The packets are saved to a temporary file that you can download from the running test case page. The filename indicates whether it is client or server communication and the interface port number. For example, client_port1.pcap. When a subsequent test case with packet capture enabled uses the same interface port as a previous one, the previous file is overwritten.
MAC Masquerade
MAC Masquerade Specify the first two bytes of a MAC address for the traffic.
Virtual Router
IP Address Specify the IP address of the virtual router. This IP address is used to connect to a DUT, therefore it must be in the same subnet as the connected port of the DUT. Please make sure the corresponding routing rules are set on the DUT, so that the DUT correctly forwards traffic to the virtual router. Only a single IP address in the format xxx.xxx.xxx.xxx is accepted here.
Subnet
Subnet IP Address or Range Specify a single IP address with standard format (for example, 10.1.2.1) or an address range like 10.1.2.1-10.1.2.99.
Netmask Specify a netmask between 1 and 31.
VLAN ID Specify a VLAN ID between 1 and 4095.
Gateway NAT mode only. Specify the gateway IP address.
Peer Network NAT mode only. Specify the peer network subnet address.
Load
Simulated Users Number of users to simulate.
Standalone mode: The default is 256. The valid range is from 1 to 1024.
Test Center mode: The default is 512, and the valid range is from 1 to 2048, for example, for an environment with two FortiTester appliances.
DDoS Type DDoS attack traffic: TCP Session Flood. After you select a type, selection boxes for subtypes are displayed below. To change the percentage mix of subtypes, double-click the pie chart and adjust the percentages.
Speed Limit Applies only when DDoS type is TCP Session Flood or HTTP Session Flood. Rate of new connections per second. The default is 0, which means the device will create connections as fast as possible.
Standalone mode: The valid range is from 1,000 to 1,050,000 connections per second (or the special value 0).
Test Center mode: The valid range is from 1,000 to 1,050,000, for example, for an environment with two FortiTester appliances.
Concurrent Connection Applies only when DDoS type is Concurrent Session Flood. Number of concurrent connections.
Standalone mode: The default is 6,000,000. The valid range is from 10,000 to 6,000,000.
Test Center mode: The default is 12,000,000, and the valid range is 10,000 to 12,000,000, for example, for an environment with two FortiTester appliances.
Ramp Up Seconds Time in seconds for traffic to ramp up when you start the test. Not available for Concurrent Session Flood test.
Ramp Down Seconds Time in seconds for traffic to ramp down when you stop the test. Not available for Concurrent Session Flood test.
Network
Network MTU Maximum Transmission Unit for a data packet. FortiTester does not send out data packets larger than this value. Most DUTs have a limitation for packet size. The default is 1500. The valid range is 1,280 to 9,000.
Profile (Client)
Source Port Range Specify a client port range. The valid range is 10,000 to 65,535, which is also the default.
IP Change Algorithm / Port Change Algorithm Select a change algorithm: Increment or Random. This setting determines how the system changes source/destination IP addresses and ports to simulate multiple client requests. The Increment option uses the next IP address or port in the range, for example: 10.11.12.1 -> 10.11.12.2; port 10000 -> 10001. The Random option selects an IP address or port in the range randomly.
Piggybacking Disabled, meaning an acknowledgment is sent in an individual frame. Not configurable.
IP Option DSCP Provide quality of service (QoS)
Profile (Server)
Server Port Preset to 80. Not configurable.
Piggybacking Enabled. Not configurable.
Server Close Mode Set to 3 Way Fin by default. Not configurable.
IP Option DSCP Provide quality of service (QoS)
Starting an Attack Replay test
FortiTester can test security systems by replaying a predefined or customized set of attack traffic. The predefined set covers 100 types of attacks. The test result shows the CVE-ID for every type of attack. You can also see the attack list in the Cases > Replay > Attack page.
Note: The Attack Replay test is available only in Standalone work mode.
Before you begin:
• Optional. If you want to test custom attack traffic, you must create a package of pcap files that can be replayed. Only IPv4 traffic is supported. Follow the file naming convention: Description[_CVE-$CVEID].pcap. Here [] means optional. The file type can be .pcap, .tgz, .tar.gz, or .zip. A .tgz, .tar.gz, or .zip file includes a group of .pcap files. Maximum file size is 200MB. You can upload it, put it into a default or customized group, and then select the group of attack files you want to replay later.
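A pre-upload check for the custom attack package described above, as an added example that is not part of the handbook or of FortiTester: it validates the Description[_CVE-$CVEID].pcap naming convention, the accepted file types, the 200MB limit, and the IPv4-only requirement. The function names, the YYYY-NNNN shape assumed for $CVEID, and the restriction to classic Ethernet pcap files are assumptions of this example; the sample captures are constructed.

```python
import io
import re
import struct
import tarfile
import zipfile

MAX_BYTES = 200 * 1024 * 1024   # handbook: maximum file size is 200MB
# Description[_CVE-$CVEID].pcap; the YYYY-NNNN shape of $CVEID is an assumption.
NAME_RE = re.compile(r"^(?P<desc>[^/\\]+?)(?:_CVE-(?P<cve>\d{4}-\d{4,}))?\.pcap$")
# Classic pcap magic numbers mapped to struct byte order (micro- and nanosecond).
PCAP_MAGICS = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">",
               b"\x4d\x3c\xb2\xa1": "<", b"\xa1\xb2\x3c\x4d": ">"}


def check_name(name):
    """Return issues with a .pcap file name under the handbook's convention."""
    base = name.replace("\\", "/").rsplit("/", 1)[-1]
    match = NAME_RE.match(base)
    if not match:
        return [f"{base}: name does not match Description[_CVE-$CVEID].pcap"]
    if "_CVE-" in match.group("desc"):
        return [f"{base}: malformed CVE suffix"]
    return []


def check_pcap(label, data):
    """Walk a classic pcap byte string and report frames that are not IPv4."""
    if len(data) < 24 or data[:4] not in PCAP_MAGICS:
        return [f"{label}: not a classic pcap file"]
    order = PCAP_MAGICS[data[:4]]
    linktype = struct.unpack(order + "I", data[20:24])[0]
    if linktype != 1:           # 1 = Ethernet; other link types are out of scope here
        return [f"{label}: link type {linktype} is not handled by this checker"]
    offset, frames, non_ipv4 = 24, 0, 0
    while offset + 16 <= len(data):
        incl_len = struct.unpack(order + "I", data[offset + 8:offset + 12])[0]
        frame = data[offset + 16:offset + 16 + incl_len]
        if len(frame) < incl_len:
            return [f"{label}: truncated packet record at offset {offset}"]
        offset += 16 + incl_len
        frames += 1
        pos = 12                # EtherType follows the two 6-byte MAC addresses
        while frame[pos:pos + 2] in (b"\x81\x00", b"\x88\xa8"):
            pos += 4            # skip 802.1Q / 802.1ad VLAN tags
        if frame[pos:pos + 2] != b"\x08\x00":
            non_ipv4 += 1
    issues = []
    if frames == 0:
        issues.append(f"{label}: contains no packets")
    if non_ipv4:
        issues.append(f"{label}: {non_ipv4} of {frames} frames are non-IPv4")
    return issues


def check_package(name, data):
    """Validate one upload (a .pcap or an archive of .pcap files) held in memory."""
    issues = []
    if len(data) > MAX_BYTES:
        issues.append(f"{name}: {len(data)} bytes exceeds the 200MB limit")
    lower = name.lower()
    try:
        if lower.endswith(".pcap"):
            members = [(name, data)]
        elif lower.endswith(".zip"):
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                members = [(i.filename, zf.read(i)) for i in zf.infolist() if not i.is_dir()]
        elif lower.endswith((".tgz", ".tar.gz")):
            with tarfile.open(fileobj=io.BytesIO(data), mode="r:gz") as tf:
                members = [(m.name, tf.extractfile(m).read()) for m in tf if m.isfile()]
        else:
            return issues + [f"{name}: file type must be .pcap, .tgz, .tar.gz, or .zip"]
    except (zipfile.BadZipFile, tarfile.TarError, OSError, EOFError):
        return issues + [f"{name}: archive could not be read"]
    for member, blob in members:
        issues += check_name(member)
        if member.lower().endswith(".pcap"):
            issues += check_pcap(member.rsplit("/", 1)[-1], blob)
    return issues


def build_pcap(ethertypes):
    """Constructed sample: little-endian Ethernet pcap, one 60-byte frame per EtherType."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for ethertype in ethertypes:
        frame = b"\x02" * 12 + struct.pack(">H", ethertype) + b"\x00" * 46
        out += struct.pack("<IIII", 0, 0, len(frame), len(frame)) + frame
    return out


if __name__ == "__main__":
    samples = {
        "SampleAttack_CVE-2099-0001.pcap": build_pcap([0x0800, 0x0800]),
        "Mixed_CVE-bad.pcap": build_pcap([0x0800, 0x86DD]),   # IPv4 + IPv6 frame
    }
    for name, blob in samples.items():
        print(name, check_package(name, blob) or "OK")
```

Archive members are read into memory rather than extracted to disk, so member paths inside a .zip or .tgz are only inspected, never written.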
To start an Attack Replay test:
1. Go to Cases > Replay > Attack to display the test case summary page.
2. Click Add to display the Case Options dialog box.
3. In the popup dialog, configure the network settings as described in "Using network configuration templates" on page 16.
4. Click OK to continue.
5. Configure the test case options described in Table 28.
6. Click Start to run the test case.
FortiTester saves the configuration automatically so you can run the test again later. You can also click Save to save the test case without running it.
Tip: You can also copy an existing case, and change its settings to create a new case. In the case list, click Clone to clone the configuration. Only the case name is different from the original case.
Table 28: Attack Replay Test Case configuration
Settings Guidelines
Basic Information
Name Specify the case name, or just use the default. The name appears in the list of test cases.
Ping Server Timeout If a FortiTester connects to a DUT via a switch, the switch might cause a ping timeout, resulting in the test case failing to run. If this occurs, increase the timeout. The default is 15 seconds. The valid range is 0 to 600.
Note: You can disable this end-to-end connectivity test by entering a setting of 0. If the DUT is unable to return packets, it is recommended that you do so.
Network Settings
Client Ports, Server Ports The graphic depicts the test ports for client-side and server-side connections. The client ports simulate the behavior of clients; the server ports simulate the behavior of servers. FortiTester builds the TCP connections between client ports and server ports (and through the DUT, of course).
You must select at least one client port and one server port. After you select a port for the client, a check mark is displayed on the port icon, and a tab for the port is added below the graphic. Use the tabs to toggle the Capture Packets and Subnet settings controls for each port.
Capture Packets
Capture Packets Optional. Set packet capture options if you want to capture the traffic of this port. You can capture all packets or specify a number. You can set packet capture filters for host IP/port and protocol.
Note: The system allocates temporary disk space for packet captures. The limit is 6,000,000 packets. The packets are saved to a temporary file that you can download from the running test case page. The filename indicates whether it is client or server communication and the interface port number. For example, client_port1.pcap. When a subsequent test case with packet capture enabled uses the same interface port as a previous one, the previous file is overwritten.
Subnet
Subnet IP Address or Range Specify a single IP address with standard format (for example, 10.1.2.1) or an address range like 10.1.2.1-10.1.2.99.
Netmask Specify a netmask between 1 and 31.
Gateway NAT mode only. Specify the gateway IP address.
Peer Network NAT mode only. Specify the peer network subnet address.
Load
Peer Receiving Timeout This timeout specifies how long the client waits for a response from the server. If the client does not receive a response within the timeout, it considers the packet lost. The default value is 2 milliseconds.
Break Once Packet Lost Select Yes or No. The Yes option means when the system identifies packet loss (the server side has not received the packet that client sent out), it stops the current traffic replay (pcap file), and continues the test with the next traffic file. The No option (the default) means a break is not set; the current replay continues.
Network
MTU Preset to 1500. Not configurable.
Action
Enable System Attack List Enable/disable the system attack list. There are 100 types of attacks in the system attack list.
User Intrusion Optional. Select attacks from the user-defined attack list. Before you can select them, you must upload pcap files that contain your customized attack traffic. At the top of the case list, click User Attack Management and then upload your file.
Starting a Traffic Replay test
FortiTester tests user-defined scenarios by replaying pcap files. Typically, pcap files are generated by programs like tcpdump or Wireshark.
Note: The Traffic Replay test is available only in Standalone work mode.
Before you begin:
• You must create pcap files that can be replayed. Only IPv4 traffic is supported. Maximum file size is 200MB.
To start a Traffic Replay test:
1. Go to Cases > Replay > Traffic to display the test case summary page.
2. Click Add to display the Case Options dialog box.
3. In the popup dialog, configure the network settings as described in "Using network configuration templates" on page 16.
4. Click OK to continue.
5. Configure the test case options described in Table 29.
6. Click Start to run the test case.
FortiTester saves the configuration automatically so you can run the test again later. You can also click Save to save the test case without running it.
Tip: You can also copy an existing case, and change its settings to create a new case. In the case list, click Clone to clone the configuration. Only the case name is different from the original case.
Table 29: Traffic Replay Test Case configuration
Settings Guidelines
Basic Information
Name Specify the case name, or just use the default. The name appears in the list of test cases.
Ping Server Timeout If a FortiTester connects to a DUT via a switch, the switch might cause a ping timeout, resulting in the test case failing to run. If this occurs, increase the timeout. The default is 15 seconds. The valid range is 0 to 600.
Note: You can disable this end-to-end connectivity test by entering a setting of 0. If the DUT is unable to return packets, it is recommended that you do so.
Number of Samples Select the number of samples. The default is 20, which means the web UI will show the last 20 data samples (about 20 seconds) in the test case running page. You can select 20, 60, or 120.
Duration Specify the test duration. The default is 10 minutes. The test stops automatically after the duration you specify.
Network Settings
Client Ports, Server Ports The graphic depicts the test ports for client-side and server-side connections. The client ports simulate the behavior of clients; the server ports simulate the behavior of servers. FortiTester builds the TCP connections between client ports and server ports (and through the DUT, of course).
You must select at least one client port and one server port. After you select a port for the client, a check mark is displayed on the port icon, and a tab for the port is added below the graphic. Use the tabs to toggle the Capture Packets and Subnet settings controls for each port.
Capture Packets
Capture Packets Optional. Set packet capture options if you want to capture the traffic of this port. You can capture all packets or specify a number. You can set packet capture filters for host IP/port and protocol.
Note: The system allocates temporary disk space for packet captures. The limit is 6,000,000 packets. The packets are saved to a temporary file that you can download from the running test case page. The filename indicates whether it is client or server communication and the interface port number. For example, client_port1.pcap. When a subsequent test case with packet capture enabled uses the same interface port as a previous one, the previous file is overwritten.
Subnet
Subnet IP Address or Range Specify a single IP address with standard format (for example, 10.1.2.1) or an address range like 10.1.2.1-10.1.2.99.
Netmask Specify a netmask between 1 and 31.
Gateway NAT mode only. Specify the gateway IP address.
Peer Network NAT mode only. Specify the peer network subnet address.
Load
Bandwidth Limit The default is 0, which means the maximum possible. The valid range is 10 to 10,000 Mbps (or the special value 0).
Loops Number of times to play the pcap file. The default is 10,000. 0 means as many as possible.
Input Pcap You can upload pcap files from your PC and select one to send. Note the uploaded files can be used for future cases.
Network
MTU Preset to 1500. Not configurable.
Starting a DDoS single packet flood test
FortiTester tests the ability of the DUT to handle different types of DDoS attacks. This test attempts to deplete the DUT resources by flooding the DUT with non-session based attacks.
To start a single packet flood test:
1. Go to Cases > DDoS > Single Packet Flood to display the test case summary page.
2. Click Add to display the Case Options dialog box.
3. In the pop-up dialog, configure the network settings as described in "Using network configuration templates" on page 16.
4. Click OK to continue.
5. Configure the test case options described in Table 30.
6. Click Start to run the test case.
FortiTester saves the configuration automatically so you can run the test again later. You can also click Save to save the test case without running it.
Tip: You can also copy an existing case, and change its settings to create a new case. In the case list, click Clone to clone the configuration. Only the case name is different from the original case.
Table 30: DDoS Single Packet Flood Test Case configuration
Settings Guidelines
Basic Information
Name Specify the case name, or just use the default. The name appears in the list of test cases.
Ping Server Timeout If a FortiTester connects to a DUT via a switch, the switch might cause a ping timeout, resulting in the test case failing to run. If this occurs, increase the timeout. The default is 15 seconds. The valid range is 0 to 600.
Note: You can disable this end-to-end connectivity test by entering a setting of 0. If the DUT is unable to return packets, it is recommended that you do so.
Number of Samples Select the number of samples. The default is 20, which means the web UI will show the last 20 data samples (about 20 seconds) in the test case running page. You can select 20, 60, or 120.
Duration Specify the test duration. The default is 10 minutes. The test stops automatically after the duration you specify.
Network Settings
Client Ports, Server Ports The graphic depicts the test ports for client-side and server-side connections. The client ports simulate the behavior of clients; the server ports simulate the behavior of servers. FortiTester builds the TCP connections between client ports and server ports (and through the DUT, of course).
You must select at least one client port and one server port. After you select a port for the client, a check mark is displayed on the port icon, and a tab for the port is added below the graphic. Use the tabs to toggle the Capture Packets and Subnet settings controls for each port.
Capture Packets
Capture Packets Optional. Set packet capture options if you want to capture the traffic of this port. You can capture all packets or specify a number. You can set packet capture filters for host IP/port and protocol.
Note: The system allocates temporary disk space for packet captures. The limit is 6,000,000 packets. The packets are saved to a temporary file that you can download from the running test case page. The filename indicates whether it is client or server communication and the interface port number. For example, client_port1.pcap. When a subsequent test case with packet capture enabled uses the same interface port as a previous one, the previous file is overwritten.
MAC Masquerade
MAC Masquerade Specify the first two bytes of a MAC address for the traffic.
Virtual Router
IP Address Specify the IP address of the virtual router. This IP address is used to connect to a DUT; therefore, it must be in the same subnet as the connected port of the DUT. Please make sure the corresponding routing rules are set on the DUT, so that the DUT correctly forwards traffic to the virtual router. Only a single IP address in format xxx.xxx.xxx.xxx is accepted here.
Subnet
Subnet IP Address or Range Specify a single IP address with standard format (for example, 10.1.2.1) or an address range like 10.1.2.1-10.1.2.99.
Netmask Specify a netmask between 1 and 31.
VLAN ID Specify a VLAN ID between 1 and 4095.
Gateway NAT mode only. Specify the gateway IP address.
Peer Network NAT mode only. Specify the peer network subnet address.
Load
Simulated Users Number of users to simulate.
Standalone mode: The default is 256. The valid range is from 1 to 1024.
Test Center mode: The default is 512, and the valid range is from 1 to 2048, for example, for an environment with two FortiTester appliances.
DDoS Type DDoS attack traffic: Single Packet Flood. After you select a type, selection boxes for subtypes are displayed below. To change the percentage mix of subtypes, double-click the pie chart and adjust the percentages.
Speed Limit Applies only when DDoS type is TCP Session Flood or HTTP Session Flood. Rate of new connections per second. The default is 0, which means the device will create connections as fast as possible.
Standalone mode: The valid range is from 1,000 to 20,000 connections per second (or the special value 0).
Test Center mode: The valid range is from 1,000 to 20,000, for example, for an environment with two FortiTester appliances.
Concurrent Connection Applies only when DDoS type is Concurrent Session Flood. Number of concurrent connections.
Standalone mode: The default is 6,000,000. The valid range is from 10,000 to 6,000,000.
Test Center mode: The default is 12,000,000, and the valid range is 10,000 to 12,000,000, for example, for an environment with two FortiTester appliances.
Ramp Up Seconds Time in seconds for traffic to ramp up when you start the test. Not available for Concurrent Session Flood test.
Ramp Down Seconds Time in seconds for traffic to ramp down when you stop the test. Not available for Concurrent Session Flood test.
Network
Network MTU Maximum Transmission Unit for a data packet. FortiTester does not send out data packets larger than this value. Most DUTs have a limitation for packet size. The default is 1500. The valid range is 1,280 to 9,000.
Profile (Client)
Source Port Range Specify a client port range. The valid range is 10,000 to 65,535, which is also the default.
IP Change Algorithm / Port Change Algorithm Select a change algorithm: Increment or Random. This setting determines how the system changes source/destination IP addresses and ports to simulate multiple client requests. The Increment option uses the next IP address or port in the range, for example: 10.11.12.1 -> 10.11.12.2; port 10000 -> 10001. The Random option selects an IP address or port in the range randomly.
Piggybacking Disabled, meaning an acknowledgment is sent in an individual frame. Not configurable.
IP Option DSCP Provide quality of service (QoS)
Profile (Server)
Server Port Preset to 80. Not configurable.
Piggybacking Enabled. Not configurable.
IP Option DSCP Provide quality of service (QoS)
Starting a DDoS TCP session flood test
FortiTester tests the ability of the DUT to handle different types of DDoS attacks. This test attempts to deplete the DUT resources by flooding the DUT with TCP attacks.
To start a TCP session flood test:
1. Go to Cases > DDoS > TCP Session Flood to display the test case summary page.
2. Click Add to display the Case Options dialog box.
3. In the pop-up dialog, configure the network settings as described in "Using network configuration templates" on page 16.
4. Click OK to continue.
5. Configure the test case options described in Table 31.
6. Click Start to run the test case.
FortiTester saves the configuration automatically so you can run the test again later. You can also click Save to save the test case without running it.
Tip: You can also copy an existing case, and change its settings to create a new case. In the case list, click Clone to clone the configuration. Only the case name is different from the original case.
Table 31: DDoS TCP Session Flood Test Case configuration
Settings Guidelines
Basic Information
Name Specify the case name, or just use the default. The name appears in the list of test cases.
Ping Server Timeout If a FortiTester connects to a DUT via a switch, the switch might cause a ping timeout, resulting in the test case failing to run. If this occurs, increase the timeout. The default is 15 seconds. The valid range is 0 to 600.
Note: You can disable this end-to-end connectivity test by entering a setting of 0. If the DUT is unable to return packets, it is recommended that you do so.
Number of Samples Select the number of samples. The default is 20, which means the web UI will show the last 20 data samples (about 20 seconds) in the test case running page. You can select 20, 60, or 120.
Duration Specify the test duration. The default is 10 minutes. The test stops automatically after the duration you specify.
Network Settings
Client Ports, Server Ports The graphic depicts the test ports for client-side and server-side connections. The client ports simulate the behavior of clients; the server ports simulate the behavior of servers. FortiTester builds the TCP connections between client ports and server ports (and through the DUT, of course).
You must select at least one client port and one server port. After you select a port for the client, a check mark is displayed on the port icon, and a tab for the port is added below the graphic. Use the tabs to toggle the Capture Packets and Subnet settings controls for each port.
Capture Packets
Capture Packets Optional. Set packet capture options if you want to capture the traffic of this port. You can capture all packets or specify a number. You can set packet capture filters for host IP/port and protocol.
Note: The system allocates temporary disk space for packet captures. The limit is 6,000,000 packets. The packets are saved to a temporary file that you can download from the running test case page. The filename indicates whether it is client or server communication and the interface port number. For example, client_port1.pcap. When a subsequent test case with packet capture enabled uses the same interface port as a previous one, the previous file is overwritten.
MAC Masquerade
MAC Masquerade Specify the first two bytes of a MAC address for the traffic.
Virtual Router
IP Address Specify the IP address of the virtual router. This IP address is used to connect to a DUT; therefore, it must be in the same subnet as the connected port of the DUT. Please make sure the corresponding routing rules are set on the DUT, so that the DUT correctly forwards traffic to the virtual router. Only a single IP address in format xxx.xxx.xxx.xxx is accepted here.
Subnet
Subnet IP Address or Range Specify a single IP address with standard format (for example, 10.1.2.1) or an address range like 10.1.2.1-10.1.2.99.
Netmask Specify a netmask between 1 and 31.
VLAN ID Specify a VLAN ID between 1 and 4095.
Gateway NAT mode only. Specify the gateway IP address.
Peer Network NAT mode only. Specify the peer network subnet address.
Load
Simulated Users Number of users to simulate.
Standalone mode: The default is 256. The valid range is from 1 to 1024.
Test Center mode: The default is 512, and the valid range is from 1 to 2048, for example, for an environment with two FortiTester appliances.
DDoS Type DDoS attack traffic: TCP Session Flood. After you select a type, selection boxes for subtypes are displayed below. To change the percentage mix of subtypes, double-click the pie chart and adjust the percentages.
Speed Limit Applies only when DDoS type is TCP Session Flood or HTTP Session Flood. Rate of new connections per second. The default is 0, which means the device will create connections as fast as possible.
Standalone mode: The valid range is from 1,000 to 20,000 connections per second (or the special value 0).
Test Center mode: The valid range is from 1,000 to 20,000, for example, for an environment with two FortiTester appliances.
Concurrent Connection Applies only when DDoS type is Concurrent Session Flood. Number of concurrent connections.
Standalone mode: The default is 6,000,000. The valid range is from 10,000 to 6,000,000.
Test Center mode: The default is 12,000,000, and the valid range is 10,000 to 12,000,000, for example, for an environment with two FortiTester appliances.
Ramp Up Seconds Time in seconds for traffic to ramp up when you start the test. Not available for Concurrent Session Flood test.
Ramp Down Seconds Time in seconds for traffic to ramp down when you stop the test. Not available for Concurrent Session Flood test.
Network
Network MTU Maximum Transmission Unit for a data packet. FortiTester does not send out data packets larger than this value. Most DUTs have a limitation for packet size. The default is 1500. The valid range is 1,280 to 9,000.
Profile (Client)
Source Port Range Specify a client port range. The valid range is 10,000 to 65,535, which is also the default.
IP Change Algorithm / Port Change Algorithm Select a change algorithm: Increment or Random. This setting determines how the system changes source/destination IP addresses and ports to simulate multiple client requests. The Increment option uses the next IP address or port in the range, for example: 10.11.12.1 -> 10.11.12.2; port 10000 -> 10001. The Random option selects an IP address or port in the range randomly.
Piggybacking Disabled, meaning an acknowledgment is sent in an individual frame. Not configurable.
IP Option DSCP Provide quality of service (QoS)
Profile (Server)
Server Port Preset to 80. Not configurable.
Piggybacking Enabled. Not configurable.
IP Option DSCP Provide quality of service (QoS)
Starting a DDoS HTTP session flood test
This FortiTester test attempts to deplete the DUT's resources by flooding the DUT with HTTP attacks.
To start an HTTP session flood test:
1. Go to Cases > DDoS > HTTP Session Flood to display the test case summary page.
2. Click Add to display the Case Options dialog box.
3. In the pop-up dialog, configure the network settings as described in "Using network configuration templates" on page 16.
4. Click OK to continue.
5. Configure the test case options described in Table 32.
6. Click Start to run the test case.
FortiTester saves the configuration automatically so you can run the test again later. You can also click Save to save the test case without running it.
Tip: You can also copy an existing case, and change its settings to create a new case. In the case list, click Clone to clone the configuration. Only the case name is different from the original case.
Table 32: DDoS HTTP Session Flood Test Case configuration
Settings Guidelines
Basic Information
Name Specify the case name, or just use the default. The name appears in the list of test cases.
Ping Server Timeout If a FortiTester connects to a DUT via a switch, the switch might cause a ping timeout, resulting in the test case failing to run. If this occurs, increase the timeout. The default is 15 seconds. The valid range is 0 to 600.
Note: You can disable this end-to-end connectivity test by entering a setting of 0. If the DUT is unable to return packets, it is recommended that you do so.
Number of Samples Select the number of samples. The default is 20, which means the web UI will show the last 20 data samples (about 20 seconds) in the test case running page. You can select 20, 60, or 120.
Duration Specify the test duration. The default is 10 minutes. The test stops automatically after the duration you specify.
Network Settings
Client Ports, Server Ports The graphic depicts the test ports for client-side and server-side connections. The client ports simulate the behavior of clients; the server ports simulate the behavior of servers. FortiTester builds the TCP connections between client ports and server ports (and through the DUT, of course).
You must select at least one client port and one server port. After you select a port for the client, a check mark is displayed on the port icon, and a tab for the port is added below the graphic. Use the tabs to toggle the Capture Packets and Subnet settings controls for each port.
Capture Packets
Capture Packets Optional. Set packet capture options if you want to capture the traffic of this port. You can capture all packets or specify a number. You can set packet capture filters for host IP/port and protocol.
Note: The system allocates temporary disk space for packet captures. The limit is 6,000,000 packets. The packets are saved to a temporary file that you can download from the running test case page. The filename indicates whether it is client or server communication and the interface port number. For example, client_port1.pcap. When a subsequent test case with packet capture enabled uses the same interface port as a previous one, the previous file is overwritten.
MAC Masquerade
MAC Masquerade Specify the first two bytes of a MAC address for the traffic.
Virtual Router
IP Address Specify the IP address of the virtual router. This IP address is used to connect to a DUT; therefore, it must be in the same subnet as the connected port of the DUT. Please make sure the corresponding routing rules are set on the DUT, so that the DUT correctly forwards traffic to the virtual router. Only a single IP address in format xxx.xxx.xxx.xxx is accepted here.
Subnet
Subnet IP Address or Range Specify a single IP address with standard format (for example, 10.1.2.1) or an address range like 10.1.2.1-10.1.2.99.
Netmask Specify a netmask between 1 and 31.
VLAN ID Specify a VLAN ID between 1 and 4095.
Gateway NAT mode only. Specify the gateway IP address.
Peer Network NAT mode only. Specify the peer network subnet address.
Load
Simulated Users Number of users to simulate.
Standalone mode: The default is 256. The valid range is from 1 to 1024.
Test Center mode: The default is 512, and the valid range is from 1 to 2048, for example, for an environment with two FortiTester appliances.
DDoS Type DDoS attack traffic: Concurrent Session Flood. After you select a type, selection boxes for subtypes are displayed below. To change the percentage mix of subtypes, double-click the pie chart and adjust the percentages.
Speed Limit Applies only when DDoS type is TCP Session Flood or HTTP Session Flood. Rate of new connections per second. The default is 0, which means the device will create connections as fast as possible.
Standalone mode: The valid range is from 1,000 to 40,000 connections per second (or the special value 0).
Test Center mode: The valid range is from 1,000 to 40,000, for example, for an environment with two FortiTester appliances.
Concurrent Connection Applies only when DDoS type is Concurrent Session Flood. Number of concurrent connections.
Standalone mode: The default is 6,000,000. The valid range is from 10,000 to 6,000,000.
Test Center mode: The default is 12,000,000, and the valid range is 10,000 to 12,000,000, for example, for an environment with two FortiTester appliances.
Ramp Up Seconds Time in seconds for traffic to ramp up when you start the test. Not available for Concurrent Session Flood test.
Ramp Down Seconds Time in seconds for traffic to ramp down when you stop the test. Not available for Concurrent Session Flood test.
Network
Network MTU Maximum Transmission Unit for a data packet. FortiTester does not send out data packets larger than this value. Most DUTs have a limitation for packet size. The default is 1500. The valid range is 1,280 to 9,000.
Profile (Client)
Source Port Range Specify a client port range. The valid range is 10,000 to 65,535, which is also the default.
IP Change Algorithm / Port Change Algorithm Select a change algorithm: Increment or Random. This setting determines how the system changes source/destination IP addresses and ports to simulate multiple client requests. The Increment option uses the next IP address or port in the range, for example: 10.11.12.1 -> 10.11.12.2; port 10000 -> 10001. The Random option selects an IP address or port in the range randomly.
Piggybacking Disabled, meaning an acknowledgment is sent in an individual frame. Not configurable.
IP Option DSCP Provide quality of service (QoS)
Profile (Server)
Server Port Preset to 80. Not configurable.
Piggybacking Enabled. Not configurable.
IP Option DSCP Provide quality of service (QoS)
Starting a DDoS concurrent session flood test
This FortiTester test attempts to deplete the DUT's resources by flooding the DUT with HTTP attacks and puts the session on hold for an extended period of time.
To start a concurrent session flood test:
1. Go to Cases > DDoS > Concurrent Session Flood to display the test case summary page.
2. Click Add to display the Case Options dialog box.
3. In the pop-up dialog, configure the network settings as described in "Using network configuration templates" on page 16.
4. Click OK to continue.
5. Configure the test case options described in Table 33.
6. Click Start to run the test case.
FortiTester saves the configuration automatically so you can run the test again later. You can also click Save to save the test case without running it.
Tip: You can also copy an existing case, and change its settings to create a new case. In the case list, click Clone to clone the configuration. Only the case name is different from the original case.
Table 33: DDoS Concurrent Session Flood Test Case configuration
Settings Guidelines
Basic Information
Name Specify the case name, or just use the default. The name appears in the list of test cases.
Ping Server Timeout If a FortiTester connects to a DUT via a switch, the switch might cause a ping timeout, resulting in the test case failing to run. If this occurs, increase the timeout. The default is 15 seconds. The valid range is 0 to 600. Note: You can disable this end-to-end connectivity test by entering a setting of 0. If the DUT is unable to return packets, it is recommended you do so.
Number of Samples Select the number of samples. The default is 20, which means the web UI will show the last 20 sample data (about 20 seconds) in the test case running page. You can select 20, 60, or 120.
Duration Specify the test duration. The default is 10 minutes. The test stops automatically after the duration you specify.
Network Settings
Client Ports, Server Ports The graphic depicts the test ports for client-side and server-side connections. The client ports simulate the behavior of clients; the server ports simulate the behavior of servers. FortiTester builds the TCP connections between client ports and server ports (and through the DUT, of course).
You must select at least one client port and one server port. After you select a port for client, a check mark is displayed on the port icon, and a tab for the port is added below the graphic. Use the tabs to toggle the Capture Packets and Subnet settings controls for each port.
Capture Packets
Capture Packets Optional. Set packet capture options if you want to capture the traffic of this port. You can capture all packets or specify a number. You can set packet capture filters for host IP/port and protocol.
Note: The system allocates temporary disk space for packet captures. The limit is 6,000,000 packets. The packets are saved to a temporary file that you can download from the running test case page. The filename indicates whether it is client or server communication and the interface port number. For example, client_port1.pcap. When a subsequent test case with packet capture enabled uses the same interface port as a previous one, the previous file is overwritten.
MAC Masquerade
MAC Masquerade Specify the first two bytes of a MAC address for the traffic.
Virtual Router
IP Address Specify the IP address of the virtual router. This IP address is used to connect to a DUT, so it must be in the same subnet as the connected port of the DUT. Make sure the corresponding routing rules are set on the DUT so that the DUT correctly forwards traffic to the virtual router. Only a single IP address in the format xxx.xxx.xxx.xxx is accepted here.
Subnet
Subnet IP Address or Range Specify a single IP address with standard format (for example, 10.1.2.1) or an address range like 10.1.2.1-10.1.2.99.
Netmask Specify a netmask between 1 and 31.
VLAN ID Specify a VLAN ID between 1 and 4095.
Gateway NAT mode only. Specify the gateway IP address.
Peer Network NAT mode only. Specify the peer network subnet address.
Load
Simulated Users Number of users to simulate.
Standalone mode: The default is 256. The valid range is from 1 to 1024.
Test Center mode: The default is 512, and the valid range is from 1 to 2048, for example, for an environment with two FortiTester appliances.
DDoS Type DDoS attack traffic: TCP Session Flood. After you select a type, selection boxes for subtypes are displayed below. To change the percentage mix of subtypes, double-click the pie chart and adjust the percentages.
Concurrent Connection Applies only when DDoS type is Concurrent Session Flood. Number of concurrent connections.
Standalone mode: The default is 6,000,000. The valid range is from 10,000 to 6,000,000.
Test Center mode: The default is 21,000,000, and the valid range is 10,000 to 21,000,000, for example, for an environment with two FortiTester appliances.
Network
Network MTU Maximum Transmission Unit for a data packet. FortiTester does not send out data packets larger than this value. Most DUTs have a limitation for packet size. The default is 1500. The valid range is 1,280 to 9,000.
Profile (Client)
Source Port Range Specify a client port range. The valid range is 10,000 to 65,535, which is also the default.
IP Change Algorithm / Port Change Algorithm Select a change algorithm: Increment or Random. This setting determines how the system changes source/destination IP addresses and ports to simulate multiple client requests. The Increment option uses the next IP address or port in the range, for example: 10.11.12.1 -> 10.11.12.2; port 10000 -> 10001. The Random option selects an IP address or port in the range randomly.
Piggybacking Disabled, meaning an acknowledgment is sent in an individual frame. Not configurable.
IP Option DSCP Provide quality of service (QoS)
Profile (Server)
Server Port Preset to 80. Not configurable.
Piggybacking Enabled. Not configurable.
IP Option DSCP Provide quality of service (QoS)
Starting an RTSP test
The RTSP test establishes a TCP connection with a three-way handshake, controls media sessions between endpoints, and closes the TCP connection. This test also tests the firewall's ability to open and close pinholes.
To start an RTSP test:
1. Go to Cases > RTSP > RTSP to display the test case summary page.
2. Click Add to display the Case Options dialog box.
3. In the popup dialog, configure the network settings as described in "Using network configuration templates" on page 16.
4. Click OK to continue.
5. Configure the test case options as described in Table 34.
6. Click Start to run the test case.
FortiTester saves the configuration automatically so you can run the test again later. You can also click Save to save the test case without running it.
Tip: You can also copy an existing case, and change its settings to create a new case. In the case list, click Clone to clone the configuration. Only the case name is different from the original case.
Table 34: RTSP Test Case configuration
Settings Guidelines
Basic Information
Name Specify the case name, or just use the default. The name appears in the list of test cases.
Ping Server Timeout If a FortiTester connects to a DUT via a switch, the switch might cause a ping timeout, resulting in the test case failing to run. If this occurs, increase the timeout. The default is 15 seconds. The valid range is 0 to 600. Note: You can disable this end-to-end connectivity test by entering a setting of 0. If the DUT is unable to return packets, it is recommended you do so.
Duration Specify the test duration. The default is 10 minutes. The test stops automatically after the duration you specify.
Number of Samples Select the number of samples. The default is 20, which means the web UI will show the last 20 sample data (about 20 seconds) in the test case running page. You can select 20, 60, or 120.
Network Settings
Client Ports, Server Ports The graphic depicts the test ports for client-side and server-side connections. The client ports simulate the behavior of clients; the server ports simulate the behavior of servers. FortiTester builds the TCP connections between client ports and server ports (and through the DUT, of course).
You must select at least one client port and one server port. After you select a port for client, a check mark is displayed on the port icon, and a tab for the port is added below the graphic. Use the tabs to toggle the Capture Packets and Subnet settings controls for each port.
Capture Packets
Capture Packets Optional. Set packet capture options if you want to capture the traffic of this port. You can capture all packets or specify a number. You can set packet capture filters for host IP/port and protocol.
Note: The system allocates temporary disk space for packet captures. The limit is 6,000,000 packets. The packets are saved to a temporary file that you can download from the running test case page. The filename indicates whether it is client or server communication and the interface port number. For example, client_port1.pcap. When a subsequent test case with packet capture enabled uses the same interface port as a previous one, the previous file is overwritten.
MAC Masquerade
MAC Masquerade Specify the first two bytes of a MAC address for the traffic.
Virtual Router
IP Address Specify the IP address of the virtual router. This IP address is used to connect to a DUT, so it must be in the same subnet as the connected port of the DUT. Make sure the corresponding routing rules are set on the DUT so that the DUT correctly forwards traffic to the virtual router. Only a single IP address in the format xxx.xxx.xxx.xxx is accepted here.
Subnet
Subnet IP Address or Range Specify a single IP address with standard format (for example, 10.1.2.1) or an address range like 10.1.2.1-10.1.2.99.
Netmask Specify a netmask between 1 and 31.
VLAN ID Specify a VLAN ID between 1 and 4095.
Gateway NAT mode only. Specify the gateway IP address.
Peer Network NAT mode only. Specify the peer network subnet address.
Proxy IP/Mask Web Proxy mode only. Specify the proxy IP address/netmask.
Add Subnet If necessary, click +Add Subnet to display additional subnet configuration controls. An interface port can have multiple subnets. FortiTester uses all IP addresses in the specified subnets to create TCP connections and transfer data.
Load
Simulated Users Number of users to simulate.
Standalone mode: The default is 256. The valid range is from 1 to 900.
Test Center mode: The default is 512, and the valid range is from 1 to 1,800, for example, for an environment with two FortiTester appliances.
Speed Limit Rate of requests per second. The default is 0, which means the device will send traffic as fast as possible.
Standalone mode: The valid range is 100 to 180,000 requests per second (or the special value 0).
Test Center mode: The valid range is 100 to 360,000, for example, for an environment with two FortiTester appliances.
Ramp Up Seconds Time in seconds for traffic to ramp up when you start the test. Not available for Concurrent Session Flood test.
Ramp Down Seconds Time in seconds for traffic to ramp down when you stop the test. Not available for Concurrent Session Flood test.
Network
Network MTU Maximum Transmission Unit for a data packet. FortiTester does not send out data packets larger than this value. Most DUTs have a limit for packet size. The default is 1500. The valid range is from 1,280 to 9,000.
Profile (Client)
Source Port Range Preset to 10000-65535. Not configurable.
IP Change Algorithm / Port Change Algorithm Determines how the system changes source/destination IP addresses and ports to simulate multiple client requests. Preset to Random. Not configurable. The Random option selects an IP address or port in the range randomly.
Profile (Server)
Server Port Preset to 80, 443. Not configurable.
Starting a packet capture test
The packet capture test captures packets received from the network adapter.
To start a packet capture test:
1. Go to Cases > Packet Capture > Packet Capture to display the test case summary page.
2. Click Add to display the Case Options dialog box.
3. Configure the test case options as described in Table 35.
4. Click Start to run the test case.
FortiTester saves the configuration automatically so you can run the test again later. You can also click Save to save the test case without running it.
Tip: You can also copy an existing case, and change its settings to create a new case. In the case list, click Clone to clone the configuration. Only the case name is different from the original case.
To start/stop a packet capture test while another test is running:
From the run page of the other test, follow the steps below.
1. Go to Capture > Client.
2. Click Restart, under status.
3. Configure the desired settings.
4. Click Start to run the packet capture test.
Table 35: Packet Capture Test Case configuration
Settings Guidelines
Basic Information
Name Specify the case name, or just use the default. The name appears in the list of test cases.
Duration Specify the test duration. The default is 10 minutes. The test stops automatically after the duration you specify.
Number of Samples Select the number of samples. The default is 20, which means the web UI will show the last 20 sample data (about 20 seconds) in the test case running page. You can select 20, 60, or 120.
Network Settings
Client Ports The graphic depicts the test ports for client-side connections. The client ports simulate the behavior of clients.
You must select at least one client port. After you select a port for client, a check mark is displayed on the port icon, and a tab for the port is added below the graphic. Use the tabs to toggle the Capture Packets controls for each port.
Capture Packets
Capture Packets Set packet capture options if you want to capture the traffic of this port. You can capture all packets or specify a number. You can set packet capture filters for host IP/port and protocol.
Note: The system allocates temporary disk space for packet captures. The limit is 6,000,000 packets. The packets are saved to a temporary file that you can download from the running test case page. The filename indicates whether it is client or server communication and the interface port number. For example, client_port1.pcap. When a subsequent test case with packet capture enabled uses the same interface port as a previous one, the previous file is overwritten.
Load
Packet Analysis Select Yes to analyze bandwidth percentage for each protocol.
Network
Network MTU Maximum Transmission Unit for a data packet. FortiTester does not send out data packets larger than this value. Most DUTs have a limit for packet size. The default is 1500. The valid range is from 1,280 to 9,000.
Starting a mixed traffic test
FortiTester tests mixed traffic performance by simulating multiple clients that burst all types of traffic simultaneously.
To start a Mixed Traffic test:
1. Go to Cases > Mixed Traffic > Mixed Traffic to display the test case summary page.
2. Click Add to display the Case Options dialog box.
3. In the popup dialog, configure the network settings as described in "Using network configuration templates" on page 16.
4. Select the types of traffic to mix in the test.
5. Click OK to continue.
6. Configure the proportions of the mixed traffic.
7. Configure the test case options as described in Table 36.
8. Click Start to run the test case.
9. For specific settings, refer to the section for that specific test.
FortiTester saves the configuration automatically, so you can run the test again later. You can also click Save to save the test case without running it.
Tip: You can also copy an existing case, and change its settings to create a new case. In the case list, click Clone to clone the configuration. Only the case name is different from the original case.
Table 36: Mixed Traffic Test Case configuration
Settings Guidelines
Basic Information
Name Specify the case name, or just use the default. The name appears in the list of test cases.
Ping Server Timeout If a FortiTester connects to a DUT via a switch, the switch might cause a ping timeout, resulting in the test case failing to run. If this occurs, increase the timeout. The default is 15 seconds. The valid range is 0 to 600. Note: You can disable this end-to-end connectivity test by entering a setting of 0. If the DUT is unable to return packets, it is recommended you do so.
Number of Samples Select the number of samples. The default is 20, which means the web UI will show the last 20 sample data (about 20 seconds) in the test case running page. You can select 20, 60, or 120.
Duration Specify the test duration. The default is 10 minutes. The test stops automatically after the duration you specify.
Network Settings
Client Ports, Server Ports The graphic depicts the test ports for client-side and server-side connections. The client ports simulate the behavior of clients; the server ports simulate the behavior of servers. FortiTester builds the TCP connections between client ports and server ports (and through the DUT, of course).
You must select at least one client port and one server port. After you select a port for client, a check mark is displayed on the port icon, and a tab for the port is added below the graphic. Use the tabs to toggle the Capture Packets and Subnet settings controls for each port.
Capture Packets
Capture Packets Optional. Set packet capture options if you want to capture the traffic of this port. You can capture all packets or specify a number. You can set packet capture filters for host IP/port and protocol.
Note: The system allocates temporary disk space for packet captures. The limit is 6,000,000 packets. The packets are saved to a temporary file that you can download from the running test case page. The filename indicates whether it is client or server communication and the interface port number. For example, client_port1.pcap. When a subsequent test case with packet capture enabled uses the same interface port as a previous one, the previous file is overwritten.
MAC Masquerade
MAC Masquerade Specify the first two bytes of a MAC address for the traffic.
Virtual Router
IP Address Specify the IP address of the virtual router. This IP address is used to connect to a DUT, so it must be in the same subnet as the connected port of the DUT. Make sure the corresponding routing rules are set on the DUT so that the DUT correctly forwards traffic to the virtual router. Only a single IP address in the format xxx.xxx.xxx.xxx is accepted here.
Subnet
Subnet IP Address or Range Specify a single IP address with standard format (for example, 10.1.2.1) or an address range like 10.1.2.1-10.1.2.99.
Netmask Specify a netmask between 1 and 31.
VLAN ID Specify a VLAN ID between 1 and 4095.
Gateway NAT mode only. Specify the gateway IP address.
Peer Network NAT mode only. Specify the peer network subnet address.
Proxy IP/Mask Web Proxy mode only. Specify the proxy IP address/netmask.
Add Subnet If necessary, click +Add Subnet to display additional subnet configuration controls. An interface port can have multiple subnets. FortiTester uses all IP addresses in the specified subnets to create TCP connections and transfer data.
Stopping tests
There are two ways to stop a running test:
- In the test configuration, specify an automatic stop after a specified duration.
- Click the Stop button on the running page of a test that is in progress.
Displaying test status
A few seconds after you start a test, the page automatically switches to a test status page.
You can also navigate to the status page by clicking the icon in the top navigation menu.
The following example shows status displayed on the Summary tab of an HTTP CPS test.
Figure 7: Test status Summary tab
The following figure shows the Client tab. You can use its subtabs to review results by port or network layer.
Figure 8: Test status Client tab
Viewing test results
When you start a test, a status page is displayed showing results.
The data is updated every second. It includes Layer 2, Layer 3, and Layer 4 data. HTTP/HTTPS test cases also include Layer 7 data.
- Layer 2 data represents the throughput for every port and a total summary. The throughput includes inbound traffic and outbound traffic for every port.
- Layer 3 data represents the packets sent and received for every port and a total summary.
- Layer 4 data represents the number of sessions.
- Layer 7 data represents the number of requests and connections.
You can click the icon in the top banner to display a list of all the test cases on the left side of the page. This list includes cases that are stopped (either normally or abnormally) and are ordered by test start time. Click a test case to view its result. You can also use the search function, at the top, to search for test cases.
The following example shows results for an HTTP CPS test.
Figure 9: HTTP CPS test results
The following figure shows results for an Attack Replay test.
Figure 10: Attack Replay results
For Attack Replay tests, the results show status for every attack traffic file and a summary count for packets with the following statuses: Peer Received, Packet Lost, or Illegal Packet. Peer Received means the server has received all the packets sent out by the client. Packet Lost means the server has not received all the packets sent out by the client; one or more packets were lost after the traffic passed through the DUT. Illegal Packet means the FortiTester system encountered a packet larger than the MTU (the default is 1500) and has stopped the replay of that pcap file.
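A pre-flight check for the Illegal Packet condition described above, as an added example that is not part of the handbook or of FortiTester: it scans a classic libpcap file and lists the packets that exceed the configured MTU. It assumes packet size means the on-wire frame length minus the Ethernet header and any VLAN tags (the handbook does not say how FortiTester measures it); the function names and the sample capture are constructed for illustration.

```python
import struct

# Classic libpcap magic bytes -> byte order of the header fields.
PCAP_MAGIC = {
    b"\xd4\xc3\xb2\xa1": "<", b"\x4d\x3c\xb2\xa1": "<",  # usec / nsec, little-endian
    b"\xa1\xb2\xc3\xd4": ">", b"\xa1\xb2\x3c\x4d": ">",  # usec / nsec, big-endian
}
LINKTYPE_ETHERNET = 1
VLAN_TPIDS = (b"\x81\x00", b"\x88\xa8")   # 802.1Q and 802.1ad tags
MTU_MIN, MTU_MAX = 1280, 9000             # valid Network MTU range per the handbook


def l2_header_len(frame):
    """Length of the Ethernet header, including any stacked VLAN tags."""
    offset = 12
    while frame[offset:offset + 2] in VLAN_TPIDS:
        offset += 4
    return offset + 2


def oversized_packets(pcap_bytes, mtu=1500):
    """Return [(packet_number, l3_length)] for packets larger than mtu.

    Assumption: packet size is the on-wire frame length minus the
    layer-2 header. Packet numbers start at 1, as in Wireshark.
    """
    if not MTU_MIN <= mtu <= MTU_MAX:
        raise ValueError("MTU must be between %d and %d" % (MTU_MIN, MTU_MAX))
    if len(pcap_bytes) < 24 or pcap_bytes[:4] not in PCAP_MAGIC:
        raise ValueError("not a classic pcap file")
    order = PCAP_MAGIC[pcap_bytes[:4]]
    (linktype,) = struct.unpack(order + "I", pcap_bytes[20:24])
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError("only Ethernet captures are supported")

    findings, pos, number = [], 24, 0
    while pos < len(pcap_bytes):
        if pos + 16 > len(pcap_bytes):
            raise ValueError("truncated record header")
        _, _, incl_len, orig_len = struct.unpack(
            order + "IIII", pcap_bytes[pos:pos + 16])
        frame = pcap_bytes[pos + 16:pos + 16 + incl_len]
        if len(frame) < incl_len:
            raise ValueError("truncated packet data")
        pos += 16 + incl_len
        number += 1
        # orig_len is the size on the wire even when the capture was cut
        # short by a snap length, so it is used instead of incl_len.
        l3_len = orig_len - l2_header_len(frame)
        if l3_len > mtu:
            findings.append((number, l3_len))
    return findings


def record(frame, orig_len=None):
    """Build one pcap record (constructed sample data, zero timestamp)."""
    orig_len = len(frame) if orig_len is None else orig_len
    return struct.pack("<IIII", 0, 0, len(frame), orig_len) + frame


def build_sample_pcap():
    """Constructed four-packet capture; payloads are zero bytes, not real traffic."""
    macs = b"\x02\x00\x00\x00\x00\x02" + b"\x02\x00\x00\x00\x00\x01"
    plain = macs + b"\x08\x00"                       # untagged IPv4 ethertype
    tagged = macs + b"\x81\x00\x00\x64" + b"\x08\x00"  # 802.1Q tag, VLAN 100
    header = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535,
                         LINKTYPE_ETHERNET)
    return header + b"".join([
        record(plain + bytes(1500)),                  # exactly at MTU 1500
        record(plain + bytes(1501)),                  # one byte over
        record(tagged + bytes(1500)),                 # VLAN tag is not counted
        record(plain + bytes(50), orig_len=14 + 9000),  # snap-length-truncated jumbo
    ])


if __name__ == "__main__":
    for number, size in oversized_packets(build_sample_pcap(), mtu=1500):
        print("packet %d: %d bytes exceeds MTU 1500" % (number, size))
```

Run it against a capture before importing the file into an Attack Replay case, using the same MTU value that the test case will use.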
Exporting/importing a test case
After you click Start or Save, FortiTester automatically saves the test configuration. You can edit or make a copy of a test configuration before you run it.
You can use the Export/Import utilities to export a test case configuration (as a .zip file) and then import it into another FortiTester appliance.
In the top banner, click the icon to display the list of saved test cases. Cases are categorized by test type.
Scheduling cases
You can schedule a test case to run automatically at a time you specify. You can also specify a repeat interval (once, hourly, daily, weekly, monthly).
To configure a schedule:
1. Go to Cases > Config Schedule.
2. Click Add to display the configuration page.
3. Select the case type and select an existing case.
4. Set the start date and time.
5. Select a repeat option.
6. Save the schedule configuration.
Tip: To set up a schedule from the case list, click the icon to display the schedule configuration page.
Chapter 3 - System Administration
This chapter provides procedures for common system administration tasks.
Displaying system status
The System page displays the system version and serial number of the appliance. You can also see log disk usage information.
If the appliance comes installed with an SSL Accelerator card, you will see it and can enable/disable it.
Note: The SSL acceleration feature works only when the FortiTester appliance works as the server side. Enabling or disabling it will not influence the performance of the client side when performing an HTTPS test.
The figure below shows the System Information portlet.
Figure 11: System Information
Updating firmware
You can use the web UI to upgrade the firmware image.
Before you begin:
- Download the firmware file from the Fortinet support website.
- Read the release notes for the version you plan to install.
- You must be logged in as the user admin to upgrade firmware.
To upgrade firmware:
1. Go to the System page.
2. Click the Upgrade link in the system information section.
3. Click Browse to locate and select the image file.
4. Click to upload the firmware and reboot.
The system replaces the firmware on the active partition and reboots.
Shutting down the system
Always properly shut down the FortiTester appliance operating system before turning off the power switch or unplugging the appliance. This causes it to finish writing buffered data, and to slow and park the hard disks.
Do not unplug or switch off the FortiTester appliance before halting the operating system. Failure to shut down correctly could cause data loss and hardware problems.
To power off the appliance via the web UI:
1. Go to the System page.
2. Click the Shutdown button.
The appliance becomes quieter when it stops its hardware and operating system, indicating that it is ready for power to be disconnected.
3. Disconnect the power cable from the power supply.
To power off the appliance via the CLI:
1. Connect to the CLI using a terminal emulator.
2. Enter the following command:
    execute shutdown
The appliance becomes quieter when it stops its hardware and operating system, indicating that it is ready for power to be disconnected.
3. Disconnect the power cable from the power supply.
Rebooting the system
Rebooting the appliance is similar to shutting down. To reboot, do one of the following:
- Go to the System page, click the Reboot button.
- Enter the execute reboot command via the CLI.
Resetting the system
To restore the appliance to its initial state, click the Config reset button on the System page.
Warning: This operation clears all the data and cannot be canceled, so use it carefully. Before you reset the system, you can export system configuration data so that you can later import it. The configuration data includes all the test case settings and test results, user accounts, and test HTML pages for HTTP/HTTPS test cases.
Creating test users
The FortiTester system has one default administrative account named "admin". It also allows you to create other administrative or tester user accounts.
The default "admin" account is the super administrator, which can create and delete all other accounts, whereas the other administrative accounts can only create administrative/tester accounts and delete tester accounts.
The administrative user can perform a test, create and delete a tester, and set the system configuration.
A tester user can only perform tests and view test results. If a user logs in with a tester role, the User Management menu is not shown, and the contents of the System page are read-only.
To create a test user:
1. Go to the drop-down menu under the admin login in the top navigation bar.
2. Select User Management.
3. Click Add to display the configuration page.
4. Complete the username and password settings.
5. Select a role and set the username and password.
6. Save the configuration.
Chapter 4 - Joining multiple appliances into a Test Center
This chapter provides procedures for joining multiple appliances into a Test Center.
Changing the work mode setting
The work mode setting determines whether the FortiTester operates as a standalone appliance or is joined with other FortiTester appliances to form a Test Center.
By default, FortiTester appliances operate in Standalone work mode.
If your test plans require more interfaces than provided by a single FortiTester, you can join the appliances into what is called a Test Center. One appliance is the Test Center master appliance; the others are Test Center slaves. You manage test cases from the Test Center appliance management interface; the web UI is not available for an appliance in Test Slave work mode. When you enter the web UI address for the Test Slave appliance, it displays the following page instead.
Figure 12: Slave Mode
To set up a Test Center:
1. Log into the web UI of one FortiTester (e.g. 172.22.4.217).
2. Go to the System page.
3. Click the Work Mode tab.
4. The appliance is in Standalone work mode by default.
5. Click Test Center to make it the Test Center master. The System page shows the current work mode of this appliance is TestCenter, and a table is shown that lists the appliances that are under control of this one.
6. Log into another FortiTester (e.g. 172.22.4.218).
7. Go to the System page.
8. Click the Work Mode tab.
9. Click Test Slave. The system displays a popup, prompting you to specify the Test Center master IP address.
10. Enter the IP address of the Test Center master and click Connect.
11. Return to the System page on the master and click Refresh. You will see 172.22.4.218 is in the table.
Figure 13: TestCenter
You can click the X to disconnect the slave appliance or click the Disconnect button in the slave Web GUI to return to Standalone mode.
When the appliances have been added to the Test Center, you can select one or more FortiTester appliances to work as clients and others to work as servers when you create test cases. In this example, 172.22.4.217 has the client ports; 172.22.4.218 has the server ports. You can add up to four pairs of appliances to a Test Center.
Chapter 5 - Using the Command-Line Interface
You can configure some settings through a connection to the command-line interface (CLI).
Requires: Terminal emulator such as PuTTY, TeraTerm, or a terminal server.
To connect to the CLI via serial console:
1. Using the console cable, connect the appliance console port to your terminal server or computer.
2. On your computer or terminal server, start the terminal emulator. Use these settings:
- Baud rate: 9600
- Data bits: 8
- Parity: None
- Stop bits: 1
- Flow control: None
3. Press Enter on your keyboard to connect to the CLI.
Note: After you configure the management port, you can connect to the management port and use the CLI remotely using SSH or Telnet.
Getting CLI help
You can enter the help command or ? to display CLI command and setting information. For example:
help Help.
? Help.
get system status System status.
show system interface Show network interfaces and configurations.
show system route Show default route.
show system setting Show system setting.
show system memsize Show total memory size.
config system hostname Configure hostname.
config system interface Configure interfaces.
config system route Configure route.
config system setting Configure system settings. (Maintainer Login,Telent Daemon...)
execute ping PING command.
execute time <hh:mm:ss> Set time.
execute date <yyyy-mm-dd> Set date.
execute reboot Reboot FortiTester.
execute shutdown Shutdown FortiTester.
execute factoryreset Factory reset FortiTester.
execute formatlogdisk Format storage.
exit Exit the CLI.
sysctl ash Debug mode.
The following examples show how to configure the management interface, the default gateway, and theappliance hostname.
config system interface
  edit mgmt
    set ip 172.173.1.217 255.255.0.0
  next
end
config system route
  set gateway 192.168.1.1
end
config system hostname
  set hostname <string>
end
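An added example (not from the handbook or Fortinet) that renders the three blocks above from validated inputs and flags a default gateway that lies outside the management subnet, as the handbook's sample values 172.173.1.217 255.255.0.0 and 192.168.1.1 do. The function name, the hostname rule (one RFC 1123 label) and the sample hostname are assumptions.

```python
import ipaddress
import re

# Assumption: hostnames are restricted to a single RFC 1123 label; the
# handbook does not state the appliance's own hostname rules.
_LABEL = re.compile(r"(?!-)[A-Za-z0-9-]{1,63}(?<!-)")


def render_mgmt_config(ip, netmask, gateway, hostname):
    """Return (cli_text, warnings) for the mgmt interface, route and hostname."""
    iface = ipaddress.IPv4Interface(f"{ip}/{netmask}")  # raises on bad ip/mask
    gw = ipaddress.IPv4Address(gateway)
    # fullmatch rejects embedded whitespace or newlines that would otherwise
    # smuggle extra CLI lines into the rendered text.
    if not _LABEL.fullmatch(hostname):
        raise ValueError(f"invalid hostname: {hostname!r}")

    warnings = []
    net = iface.network
    if gw not in net:
        warnings.append(f"gateway {gw} is outside management subnet {net}")
    elif gw == iface.ip:
        warnings.append("gateway equals the management address")
    elif gw in (net.network_address, net.broadcast_address):
        warnings.append(f"gateway {gw} is a network/broadcast address")

    cli = "\n".join([
        "config system interface",
        "  edit mgmt",
        f"    set ip {iface.ip} {iface.netmask}",
        "  next",
        "end",
        "config system route",
        f"  set gateway {gw}",
        "end",
        "config system hostname",
        f"  set hostname {hostname}",
        "end",
    ])
    return cli, warnings


if __name__ == "__main__":
    # Address values from the handbook's example; the hostname is constructed.
    text, notes = render_mgmt_config("172.173.1.217", "255.255.0.0",
                                     "192.168.1.1", "fts-lab-01")
    print(text)
    for note in notes:
        print("WARNING:", note)
```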
Command descriptions
The following table describes the commonly used CLI commands.
Command                   Description
help                      Shows help information.
?                         Shows help information.
get system status         Shows the system version, serial number, hostname, time, and system uptime.
show system interface     Shows information about the configured network interfaces.
                          config system interface
                            edit mgmt
                              set ip 172.173.1.124 255.255.0.0
                            next
                          end
show system route         Shows the gateway address for management port.
                          Default gateway: 192.168.1.1
show system setting       Shows whether the common mode for HTTP CPS/RPS and TCP throughput is enabled or not. The default is disabled. Also shows whether the system allows login with the maintainer account. The default is enabled.
show system memsize       Shows the size of the system's memory.
config system hostname    Set the host name for this appliance.
config system interface   Configures network interfaces.
config system route       Configures the gateway address for the management port.
                          config system route
                            set gateway 172.173.1.248
                          end
config system setting     Enable/disable the common mode and maintainer login.
execute ping              Execute a ping command.
execute time              Sets the system time. The time format is hh:mm:ss.
execute date              Set the system date. The date format is yyyy-mm-dd.
execute reboot            Reboots the system.
execute shutdown          Shuts down the system.
execute factoryreset      Reset the system into an initial state. Note this operation will clear all existing data/configuration.
execute formatlogdisk     Execute a format disk command for log storage.
exit                      Exits the current session.
sysctl ash                Enter the debug mode for troubleshooting.
Copyright © 2017 Fortinet, Inc. All rights reserved. Fortinet®, FortiGate®, FortiCare® and FortiGuard®, and certain other marks are registered trademarks of Fortinet, Inc., in the U.S. and other jurisdictions, and other Fortinet names herein may also be registered and/or common law trademarks of Fortinet. All other product or company names may be trademarks of their respective owners. Performance and other metrics contained herein were attained in internal lab tests under ideal conditions, and actual performance and other results may vary. Network variables, different network environments and other conditions may affect performance results. Nothing herein represents any binding commitment by Fortinet, and Fortinet disclaims all warranties, whether express or implied, except to the extent Fortinet enters a binding written contract, signed by Fortinet’s General Counsel, with a purchaser that expressly warrants that the identified product will perform according to certain expressly-identified performance metrics and, in such event, only the specific performance metrics expressly identified in such binding written contract shall be binding on Fortinet. For absolute clarity, any such warranty will be limited to performance in the same ideal conditions as in Fortinet’s internal lab tests. In no event does Fortinet make any commitment related to future deliverables, features, or development, and circumstances may change such that any forward-looking statements herein are not accurate. Fortinet disclaims in full any covenants, representations, and guarantees pursuant hereto, whether express or implied. Fortinet reserves the right to change, modify, transfer, or otherwise revise this publication without notice, and the most current version of the publication shall be applicable.