FortiTester Handbook VERSION 2.7.0


September 12, 2016
FortiTester Handbook st Edition

TABLE OF CONTENTS

Change Log
Introduction
  Features and benefits
  What's New
Chapter 1 - Getting Started
  Connecting to FortiTester
  Configuring the management port
  Configuring system time
  Creating the admin password
Chapter 2 - Running Tests
  Test case configuration overview
  Using port binding
  Using network configuration templates
  Starting an HTTP CPS test
  Starting an HTTP RPS test
  Starting an HTTP CC test
  Starting an HTTP throughput test
  Starting an HTTPS CC test
  Starting an HTTPS CPS test
  Starting an HTTPS throughput test
  Starting an HTTPS RPS test
  Starting a TCP connection test
  Starting a TCP throughput test
  Starting a TurboTCP test
  Starting a UDP PPS test
  Starting a UDP Payload test
  Starting a SMTP test
  Starting an Attack Replay test
  Starting a Traffic Replay test
  Starting a DDoS test
  Starting a DNS test
  Starting a Mixed Traffic test
  Stopping tests
  Displaying test status
  Viewing test results
  Exporting/importing a test case
  Scheduling cases
Chapter 3 - System Administration
  Displaying system status
  Updating firmware
  Shutting down the system
  Rebooting the system
  Resetting the system
  Creating test users
Chapter 4 - Joining multiple appliances into a Test Center
  Changing the work mode setting
Chapter 5 - Using the Command-Line Interface
  Getting CLI help
  Command descriptions

Change Log

Date / Change Description
FortiTester initial release.

Introduction

Welcome, and thank you for selecting Fortinet products for your testing environment.

FortiTester appliance models are powerful and easy-to-use tools that test the performance of your network devices.

This document describes how to set up your FortiTester appliance. It also describes how to use the web user interface (web UI) and command-line interface (CLI).

Features and benefits

FortiTester is a network traffic test tool that is based on Fortinet's specialized hardware and software platform. It provides the following types of tests:

HTTP/HTTPS CPS test
FortiTester can test new connections per second (CPS) performance by simulating multiple clients that generate HTTP or HTTPS traffic.

HTTP/HTTPS RPS test
FortiTester can test requests per second (RPS) performance by simulating multiple clients that generate HTTP or HTTPS traffic.

HTTP/HTTPS CC test
FortiTester can test HTTP or HTTPS concurrent connection (CC) performance by simulating multiple clients that generate HTTP or HTTPS traffic.

HTTP/HTTPS throughput test
FortiTester can test HTTP or HTTPS throughput performance of a Device Under Test (DUT) by simulating multiple clients that generate HTTP or HTTPS traffic.

TCP throughput test
FortiTester can test TCP throughput performance of a DUT by generating a specified volume of two-way TCP traffic flows via specified ports.

TCP connection test
FortiTester can test TCP concurrent connections performance by generating a specified volume of two-way TCP traffic flow via specified ports.

TurboTCP test
FortiTester can test new connections per second (CPS) performance by generating a specified volume of two-way TurboTCP traffic flows via specified ports.

UDP PPS test
FortiTester can test UDP throughput performance by sending a specified size of UDP frames at a maximum or limited speed from simulated clients to simulated servers.

UDP Payload test
FortiTester can test UDP payload by sending UDP frames with a user-specified payload.

Mail SMTP test
FortiTester can test SMTP performance by simulating a specified volume of SMTP clients to generate the SMTP traffic.

Attack Replay test
FortiTester can test security systems by replaying a predefined set of attack traffic or pcaps that you upload. The predefined set covers 100 types of attacks.

Traffic Replay test
FortiTester can test user-defined scenarios by replaying any pcap file. Typically, pcap files are generated by programs like tcpdump or Wireshark.

DDoS test
FortiTester can send multiple types of distributed denial of service (DDoS) attack traffic to test DDoS detection/prevention systems.

DNS Latency test
FortiTester can send DNS query traffic to test latency to a server or through a gateway.

Mixed traffic test
FortiTester can burst all types (except HTTPS) of traffic simultaneously.

What's New

The following features are introduced in 2.7.0:

New test case
The SMTP test case is added. By simulating a large volume of SMTP traffic, this test case evaluates the performance of a target device under SMTP traffic (see Starting a SMTP test).

Mixed traffic
The Mixed Traffic test case is enhanced as follows (see Starting a Mixed Traffic test):
HTTPS CPS, HTTPS RPS, HTTPS CC and SMTP are added as options in the Mixed Traffic Type configuration field. Currently, a mixture of all traffic types, except Attack Replay Test and Traffic Replay Test, is supported for a mixed traffic test case.
A mixed traffic test case can contain multiple test cases of the same type, such as more than two HTTP CPS cases.
A mixture of IPv4 and IPv6 traffic is supported for a mixed traffic test case.
A mixture of HTTP CPS, HTTP RPS and HTTP CC traffic is supported for a mixed traffic test case while the DUT (Device Under Test) is running in proxy mode.

Traffic options
Users can set Virtual Router, VLAN and MAC Masquerade information for the test traffic in all test cases (except Attack Replay Test and Traffic Replay Test).

Improved SSL performance
SSL acceleration is improved for all the HTTPS test cases.

Viewing test results
The History diagram and PDF reporting are enhanced in several respects.

Web GUI
New look and feel.

Chapter 1 - Getting Started

This chapter provides the procedures for getting started with FortiTester.

Connecting to FortiTester

A basic network connection topology for FortiTester is shown in the following figure.

Figure 1: A basic network connection topology

A FortiTester appliance has multiple network ports. In most cases, one port is for management and the others are for testing. The management port (usually mgmt or port1) connects to a local network to enable the user to access the FortiTester appliance via the web UI. The test ports are divided into client ports and server ports that connect to the device under test (DUT). Client ports simulate multiple client devices that access the simulated server devices via server ports.

When you use one FortiTester appliance in standalone work mode, the test ports on the standalone appliance are divided between client and server. Figure 2 shows the distribution of ports in a standalone environment. Port 1, a client port, is paired with port 3, a server port; port 2, a client port, is paired with port 4, a server port.

Figure 2: Test ports in standalone work mode

If your tests require more ports, you can join up to 4 pairs of FortiTester appliances in a Test Center. Figure 3 shows the distribution of ports in a Test Center environment with two FortiTester appliances. Ports 1-4 of the first appliance are client ports; ports 1-4 of the second appliance are server ports. Port 1 on the first appliance is paired with port 1 on the second appliance.

Figure 3: Test ports in Test Center / Slave work mode

For information on configuring a Test Center, see Chapter 4 - Joining multiple appliances into a Test Center.

Configuring the management port

The management port must be connected to the same switch as the administrator client computer. The following procedure assumes that the default management port IP address ( ) is not on the same subnet as your client computer.

To configure the management port:

1. Configure your computer to match the FortiTester default management port subnet. For example, from the Windows 7 Control Panel, go to Network and Sharing Center. Click the Local Area Connection link, and then click the Properties button. Select Internet Protocol Version 4 (TCP/IPv4) and then click its Properties button. Select Use the following IP address, and then enter the following settings:
   IP address:
   Subnet mask:
2. To connect to the web UI, start a web browser and go to or
3. Type admin in the Username field, enter the password, and then click Login.
4. In the top banner, click the icon to display the System settings page.
5. Click the Device Ports tab.
6. For the management port, change its IP address, netmask, and default gateway. The following example changes the management IP address to

Figure 4: Set management port

7. Click Apply to complete configuration of the management port.
8. Click the DNS Server tab.
9. Enter the IP address for the DNS server, and then click Apply. Note that you can add more than one DNS server.
10. Change the IP address of your client PC to the same network segment used by the management port IP address.
11. To log into the web UI again, enter the new management IP address in a web browser.

Configuring system time

You can use the System page to change the system time. You can manually modify the time or synchronize the system time with an NTP server.

To configure system time:

1. In the top banner, click the icon to display the System settings page.
2. Under System Time, click the Change link to display the Time dialog box.
3. Set the system time or synchronize time with an NTP server, as described in Table 1.
4. Save the configuration.

Table 1: System Time

Time Zone: Select the time zone where the FortiTester appliance is installed.
System Time: The text boxes are populated with the current settings for the system date and time. You can change these manually.
Synchronize with NTP Server: Enter the IP address or domain name of an NTP server. To find an NTP server that you can use, see
The time is not synchronized at a regular interval, only when you click the Save button.

Creating the admin password

FortiTester has a default user admin. By default, there is no password.

To change the password for the admin account:

1. In the top banner, click the admin link.
2. Select Modify Password from the drop down menu.
3. Enter the old password, the new password, and save the configuration.

Chapter 2 - Running Tests

This chapter provides procedures for running tests and viewing test results.

Test case configuration overview

The test case configuration workflow includes the following standard elements:

Test type: The test template to use. It determines the mandatory and optional settings for specific cases.
Case options: IP version, DUT role, DUT mode, network configuration, optional port binding, VLAN and Client Virtual Router.
Interface ports: Client and server interface port configuration.
Optional elements: Enable or disable packet capture, scheduling and MAC masquerade.
Test case specifics: Variables that determine the test parameters, such as load, rates/limits, and client/server profiles and actions.

The first four items set up the basic test environment. Once you become familiar with them, you can assume they can be configured in the same manner for each test. The Client Virtual Router simulates a router between FortiTester's client subnets and the connected DUT.

The test case specifics are key to testing the performance of the device under test (DUT). We recommend you become familiar with guidelines for test case specifics whenever you get started with a new test case type.

Using port binding

FortiTester can bind multiple physical ports as one logical port. We call this feature port binding. The physical ports in one logical port share one network configuration, such as IP address, netmask, and gateway.

This feature is useful in the following scenarios:

To test the link aggregation feature of a DUT. A DUT might also support port binding (also called link aggregation or TRUNK). In that case, FortiTester can test this feature and its performance.

To test 40G/100G ports of a DUT. A DUT might have some ports that have bandwidth greater than a single FortiTester port. To test the performance of such a port, you can bind multiple FortiTester ports as one logical port and connect to a switch to transfer traffic with the DUT. For example, a FortiTester appliance can bind four 10G ports as one to test a 40G port in a DUT via a 10G/40G switch.

FortiTester averages traffic on physical ports that belong to one logical port.

Note: Only the DNS, TCP, HTTP, and HTTPS tests support port binding.

Using network configuration templates

Many test cases you may want to run will have the same basic network setup. To simplify configuration, you can create a network configuration template and then import it when you initially configure test case settings. The template settings are used to populate the network settings for the new test case configuration.

The network configuration template specifies the IP address type, DUT working mode, client/server port settings, subnet settings, port binding and VLAN settings. You can only import template settings if the IP address type and DUT working mode you select in the new test case popup dialog box match the settings in the network configuration template. After the settings have been imported, you can modify client/server port settings, subnet settings, port binding and VLAN settings if necessary.

To create a network configuration template:

1. Go to Cases > Config Network.
2. Click Add to display the configuration page.
3. In the popup dialog, configure the following settings:
   IP Version: IPv4, IPv6 or Mixed.
   DUT Role: Network Gateway or Application Server. If you want to test an application server, the FortiTester appliance will work as a pure client; if you want to test a network gateway, it will work as both client and server.
   DUT Working Mode: Transparent mode, NAT mode, or Web Proxy mode. In transparent mode, the DUT does not change the IP address of the packet. In NAT mode, the address is translated. In Web Proxy mode, the proxy address is used. If the DUT is configured in Web Proxy mode (e.g. a WAF), select Web Proxy. Note: This setting is shown only when the DUT role is Network Gateway.
   Tester and Application Server: Specify whether the FortiTester appliance and the application server are in the same subnet or are routed by a gateway to send/receive traffic. Note: This setting is shown only when the DUT role is Application Server.
   Port Binding: Optional. Port binding aggregates two or more physical ports into one logical port.
   Support VLAN: Optional. Set a VLAN ID on the traffic.
   Support Client Virtual Router: Optional. While this function is enabled on a FortiTester client port, FortiTester simulates a router connecting the client subnets and the DUT. This virtual router finds a routing path for test traffic between the subnets deployed on the FortiTester client port and the connected DUT. Virtual Router is available for deployments of Proxy mode and NAT mode.
   Click OK to continue.
4. Complete the configuration as described in Table 2.
5. Save the configuration.

After you have created a network configuration template, you can extend it (which means making a copy), or export it as a zip file and import the zip file later.

Table 2: Network configuration object settings

Basic Information
Name: Specify a configuration name, or use the default. The name appears in the Network Config drop-down list when you configure test cases.

Network
Client Ports, Server Ports: The page lists all the test ports for client-side and server-side connections. The client ports simulate the behavior of clients; the server ports simulate the behavior of servers. FortiTester builds the TCP connections between client ports and server ports (and through the DUT, of course). You must select at least one client port and one server port. After you select a port for client, a check mark is displayed on the port icon. The same port on the server side is no longer available. Note: You don't need to select the server port if you've selected the DUT role as Application Server.

MAC Masquerade
MAC Masquerade: Specify the first two bytes of a MAC address for the traffic.

Virtual Router
IP Address: Specify the IP address of the virtual router. This IP address is used to connect to a DUT, therefore it must be in the same subnet as the connected port of the DUT. Make sure the corresponding routing rules are set on the DUT, so that the DUT correctly forwards traffic to the virtual router. Only a single IP address in the format xxx.xxx.xxx.xxx is accepted here.

Subnet
IP Address or Range: Specify a single IP address with standard format (for example, ) or an address range like
Netmask: Specify a netmask between 1 and 31.
VLAN ID: Specify a VLAN ID between 1 and
Server IP: When the DUT role is an application server, specify a single IP address in the standard format.
Gateway: Specify the gateway IP address when the DUT role is an application server or the DUT working mode is NAT mode.
Peer Network: NAT mode only. Specify the peer network subnet address.
Proxy IP/Mask: Web Proxy mode only. Specify the proxy IP address/netmask.
Add Subnet: If necessary, click +Add Subnet to display additional subnet configuration controls. An interface port can have multiple subnets. FortiTester uses all IP addresses in the specified subnets to create TCP connections and transfer data.

Starting an HTTP CPS test

FortiTester tests HTTP new connections per second (CPS) performance by simulating multiple clients that generate HTTP traffic. The traffic generated for each connection includes the TCP three-way handshake, HTTP request and HTTP response (complete HTTP transaction), and the TCP connection close (FIN, ACK, FIN, ACK). Each TCP packet has one HTTP GET request. The traffic is HTTP 1.0 without HTTP persistent connections (HTTP keep-alive).

Note the following limitations:
You cannot modify the HTTP request or HTTP response headers.

To start an HTTP CPS test:

1. Go to Cases > HTTP > CPS to display the test case summary page.
2. Click Add to display the Case Options dialog box.
3. In the popup dialog, configure the following settings:
   IP Version: IPv4, IPv6 or Mixed.
   DUT Role: Network Gateway or Application Server. If you want to test an application server, the FortiTester appliance will work as a pure client; if you want to test a network gateway, it will work as both client and server.
   DUT Working Mode: Transparent mode, NAT mode, or Web Proxy mode. In transparent mode, the DUT does not change the IP address of the packet. In NAT mode, the address is translated. In Web Proxy mode, the proxy address is used. If the DUT is configured in Web Proxy mode (e.g. a WAF), select Web Proxy.
   Network Config: Select the default template or a user-defined template. The network settings and subnet settings for the test case configuration are imported from the template. You can modify these settings after they are imported.
   Port Binding: Optional. Port binding aggregates two or more physical ports into one logical port.
   Support VLAN: Optional. Set a VLAN ID in the traffic.
   Support Client Virtual Router: Optional. While this function is enabled on a FortiTester client port, FortiTester simulates a router connecting the client subnets and the DUT. This virtual router finds a routing path for test traffic between the subnets deployed on the FortiTester client port and the connected DUT. Virtual Router is available for deployments of Proxy mode and NAT mode.
   Click OK to continue.
4. Configure the test case options described in Table 3.
5. Click Start to run the test case.

FortiTester saves the configuration automatically so you can run the test again later. You can also click Save to save the test case without running it.

Tip: You can also copy an existing case, and change its settings to create a new case. In the case list, click Extend to clone the configuration. Only the case name is different from the original case.

Table 3: HTTP CPS Test Case configuration

Basic Information
Name: Specify the case name, or just use the default. The name appears in the list of test cases.
Ping Server Timeout: If a FortiTester connects to a DUT via a switch, the switch might cause a ping timeout, resulting in the test case failing to run. If this occurs, increase the timeout. The default is 15 seconds. The valid range is 1 to 600.
Number of Samples: Select the number of samples. The default is 20, which means the web UI will show the last 20 sample data (about 20 seconds) in the test case running page. You can select 20, 60, or 120.
Duration: Specify the test duration. The default is 10 minutes. The test stops automatically after the duration you specify.

Network
Client Ports, Server Ports: The graphic depicts the test ports for client-side and server-side connections. The client ports simulate the behavior of clients; the server ports simulate the behavior of servers. FortiTester builds the TCP connections between client ports and server ports (and through the DUT, of course). You must select at least one client port and one server port. After you select a port for client, a check mark is displayed on the port icon, and a tab for the port is added below the graphic. Use the tabs to toggle the Capture Packets and Subnet settings controls for each port.

Capture Packets
Capture Packets: Optional. Set packet capture options if you want to capture the traffic of this port. You can capture all packets or specify a number. You can set packet capture filters for host IP/port and protocol. Note: The system allocates temporary disk space for packet captures. The limit is 200,000 packets. The packets are saved to a temporary file that you can download from the running test case page. The filename indicates whether it is client or server communication and the interface port number. For example, client_port1.pcap. When a subsequent test case with packet capture enabled uses the same interface port as a previous one, the previous file is overwritten.

MAC Masquerade
MAC Masquerade: Specify the first two bytes of a MAC address for the traffic.

Virtual Router
IP Address: Specify the IP address of the virtual router. This IP address is used to connect to a DUT, therefore it must be in the same subnet as the connected port of the DUT. Make sure the corresponding routing rules are set on the DUT, so that the DUT correctly forwards traffic to the virtual router. Only a single IP address in the format xxx.xxx.xxx.xxx is accepted here.

Subnet
IP Address or Range: Specify a single IP address with standard format (for example, ) or an address range like
Netmask: Specify a netmask between 1 and 31.

VLAN ID: Specify a VLAN ID between 1 and
Gateway: NAT mode only. Specify the gateway IP address.
Peer Network: NAT mode only. Specify the peer network subnet address.
Proxy IP/Mask: Web Proxy mode only. Specify the proxy IP address/netmask.
Add Subnet: If necessary, click +Add Subnet to display additional subnet configuration controls. An interface port can have multiple subnets. FortiTester uses all IP addresses in the specified subnets to create TCP connections and transfer data.

Load
Simulated Users: Number of users to simulate.
   Standalone mode: The default is 256. The valid range is from 1 to
   Test Center mode: The default is 512, and the valid range is from 1 to 2048, for example, for an environment with two FortiTester appliances.
Speed Limit: Rate of new transactions per second. The default is 0, which means the device will send traffic as fast as possible.
   Standalone mode: The valid range is 1,000 to 850,000 transactions per second (or the special value 0).
   Test Center mode: The valid range is 1,000 to 1,700,000, for example, for an environment with two FortiTester appliances.
Ramp UP Seconds: Time in seconds for traffic to ramp up when you start the test.
Ramp Down Seconds: Time in seconds for traffic to ramp down when you stop the test.
Network MTU: Preset to Not configurable.

Profile (Client)
Source Port Range: Specify a client port range. The valid range is 10,000 to 65,535, which is also the default.
Client Close Mode: Select the connection close method: 3Way_Fin or Reset.
IP Change Algorithm / Port Change Algorithm: Select a change algorithm: Increment or Random. This setting determines how the system changes source/destination IP addresses and ports to simulate multiple client requests. The Increment option uses the next IP address or port in the range, for example: > ; port > The Random option selects an IP address or port in the range randomly.
Request Header: Preset to UserAgent: Firefox/41.0. Click the add button to specify more headers.

Piggybacking: Enabled, meaning an acknowledgement is sent on the data frame, not in an individual frame. Not configurable.

Profile (Server)
Server Port: Preset to 80. Not configurable.
Response Header: Preset to Server: nginx/1.9.5 content-type:text/html. Click the add button to specify more headers.
Piggybacking: Enabled. Not configurable.

Action
Get page: Select the file that the simulated clients access. The default is index.html with 4 bytes. Optionally, you can upload a customized HTML file. The file size limit is 10 MB.

Starting an HTTP RPS test

FortiTester tests requests per second (RPS) performance by simulating multiple clients that generate HTTP traffic. All requests include a TCP three-way handshake, one HTTP request and response, and a TCP connection close (FIN, ACK, FIN, ACK). There are 10 HTTP GET requests per TCP connection and 100 HTTP GET requests per TCP connection for Layer4/HTTPS testing.

Note the following limitations:
You cannot modify the HTTP request or HTTP response headers.

To start an HTTP RPS test:

1. Go to Cases > HTTP > RPS to display the test case summary page.
2. Click Add to display the Case Options dialog box.
3. In the popup dialog, configure the following settings:
   IP Version: IPv4, IPv6 or Mixed.
   DUT Role: Network Gateway or Application Server. If you want to test an application server, the FortiTester appliance will work as a pure client; if you want to test a network gateway, it will work as both client and server.
   DUT Working Mode: Transparent mode, NAT mode, or Web Proxy mode. In transparent mode, the DUT does not change the IP address of the packet. In NAT mode, the address is translated. In Web Proxy mode, the proxy address is used. If the DUT is configured in Web Proxy mode (e.g. a WAF), select Web Proxy.
   Network Config: Select the default template or a user-defined template. The network settings and subnet settings for the test case configuration are imported from the template. You can modify these settings after they are imported.
   Port Binding: Optional. Port binding aggregates two or more physical ports into one logical port.
   Support VLAN: Optional. Set a VLAN ID in the traffic.

   Support Client Virtual Router: Optional. While this function is enabled on a FortiTester client port, FortiTester simulates a router connecting the client subnets and the DUT. This virtual router finds a routing path for test traffic between the subnets deployed on the FortiTester client port and the connected DUT. Virtual Router is available for deployments of Proxy mode and NAT mode.
   Click OK to continue.
4. Configure the test case options described in Table 4.
5. Click Start to run the test case.

FortiTester saves the configuration automatically so you can run the test again later. You can also click Save to save the test case without running it.

Tip: You can also copy an existing case, and change its settings to create a new case. In the case list, click Extend to clone the configuration. Only the case name is different from the original case.

Table 4: HTTP RPS Test Case configuration

Basic Information
Name: Specify the case name, or just use the default. The name appears in the list of test cases.
Ping Server Timeout: If a FortiTester connects to a DUT via a switch, the switch might cause a ping timeout, resulting in the test case failing to run. If this occurs, increase the timeout. The default is 15 seconds. The valid range is 1 to 600.
Number of Samples: Select the number of samples. The default is 20, which means the web UI will show the last 20 sample data (about 20 seconds) in the test case running page. You can select 20, 60, or 120.
Duration: Test duration. The default is 10 minutes. The test stops automatically after the duration you specify.

Network
Client Ports, Server Ports: The graphic depicts the test ports for client-side and server-side connections. The client ports simulate the behavior of clients; the server ports simulate the behavior of servers. FortiTester builds the TCP connections between client ports and server ports (and through the DUT, of course). You must select at least one client port and one server port. After you select a port for client, a check mark is displayed on the port icon, and a tab for the port is added below the graphic. Use the tabs to toggle the Capture Packets and Subnet settings controls for each port.

Capture Packets

Capture Packets: Optional. Set packet capture options if you want to capture the traffic of this port. You can capture all packets or specify a number. You can set packet capture filters for host IP/port and protocol. Note: The system allocates temporary disk space for packet captures. The limit is 200,000 packets. The packets are saved to a temporary file that you can download from the running test case page. The filename indicates whether it is client or server communication and the interface port number. For example, client_port1.pcap. When a subsequent test case with packet capture enabled uses the same interface port as a previous one, the previous file is overwritten.

MAC Masquerade
MAC Masquerade: Specify the first two bytes of a MAC address for the traffic.

Virtual Router
IP Address: Specify the IP address of the virtual router. This IP address is used to connect to a DUT, therefore it must be in the same subnet as the connected port of the DUT. Make sure the corresponding routing rules are set on the DUT, so that the DUT correctly forwards traffic to the virtual router. Only a single IP address in the format xxx.xxx.xxx.xxx is accepted here.

Subnet
IP Address or Range: Specify a single IP address with standard format (for example, ) or an address range like
Netmask: Specify a netmask between 1 and 31.
VLAN ID: Specify a VLAN ID between 1 and
Gateway: NAT mode only. Specify the gateway IP address.
Peer Network: NAT mode only. Specify the peer network subnet address.
Proxy IP/Mask: Web Proxy mode only. Specify the proxy IP address/netmask.
Add Subnet: If necessary, click +Add Subnet to display additional subnet configuration controls. An interface port can have multiple subnets. FortiTester uses all IP addresses in the specified subnets to create TCP connections and transfer data.

Load
Simulated Users: Number of users to simulate.
   Standalone mode: The default is 256. The valid range is from 1 to
   Test Center mode: The default is 512, and the valid range is from 1 to 2048, for example, for an environment with two FortiTester appliances.
Requests per Connection: Number of HTTP requests per connection. The default is 0, which means as many as possible. The valid range is 0 to 50,000.

23 Chapter 2 - Running Tests Starting an HTTP RPS test Speed Limit Rate of requests per second. The default is 0, which means the device will send traffic as fast as possible. Standalone mode: The valid range is 1,000 to 1,600,000 requests per second (or the special value 0). Test Center mode: The valid range is 1,000 to 3,200,000, for example, for an environment with two FortiTester appliances. Ramp UP Seconds Time in seconds for traffic to ramp up when you start the test. Ramp Down Seconds Time in seconds for traffic to ramp down when you stop the test. Network MTU Preset to Not configurable. Profile (Client) Source Port Range Client port range. The valid range is 10,000 to 65,535, which is also the default. Client Close Mode Select the connection close method: 3Way_Fin or Reset. IP Change Algorithm / Port Change Algorithm Select a change algorithm: Increment or Random. This setting determines how the system changes source/destination IP addresses and ports to simulate multiple client requests. The Increment option uses the next IP address or port in the range, for example: > ; port > The Random option selects an IP address or port in the range randomly. Request Header Preset to UserAgent: Firefox/41.0. Click the add button to specify more headers. Piggybacking Enabled, meaning an acknowledgement is sent on the data frame, not in an individual frame. Not configurable. Profile (Server) Server Port Preset to 80. Not configurable. Response Header Preset to Server: nginx/1.9.5content-type:text/html. Click the add button to specify more headers. Piggybacking Enabled. Not configurable. Action Get Page Select the file that the simulated clients access. The default is index.html with 4 bytes. Optionally, you can upload a customized HTML file. The file size limit is 10 MB. 23 FortiTester Handbook
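A pre-flight check for the Virtual Router IP Address, Netmask and Source Port Range fields described in the table above, as an added example (not FortiTester code and not part of the handbook). The function name, the documentation-range sample addresses and the two extra checks marked in the comments are assumptions.

```python
import ipaddress

# Limits quoted from the handbook's test case tables.
NETMASK_RANGE = (1, 31)               # "Specify a netmask between 1 and 31"
SOURCE_PORT_RANGE = (10_000, 65_535)  # valid client source port range


def preflight(virtual_router_ip, dut_port_ip, netmask, source_ports):
    """Return a list of problems; an empty list means the plan is consistent.

    virtual_router_ip, dut_port_ip: dotted-quad strings
    netmask: prefix length of the subnet on the DUT's connected port
    source_ports: (low, high) client source port range
    Hypothetical helper: FortiTester exposes no such function.
    """
    lo, hi = NETMASK_RANGE
    if not (isinstance(netmask, int) and lo <= netmask <= hi):
        # Without a usable prefix length the subnet checks are meaningless.
        return [f"netmask {netmask!r} is outside {lo}-{hi}"]

    problems = []

    def single_ipv4(label, text):
        # The field takes one IPv4 address: ranges, CIDR and IPv6 are rejected.
        try:
            return ipaddress.IPv4Address(text)
        except ipaddress.AddressValueError:
            problems.append(f"{label} {text!r} is not a single IPv4 address")
            return None

    vr = single_ipv4("virtual router IP", virtual_router_ip)
    dut = single_ipv4("DUT port IP", dut_port_ip)

    if vr is not None and dut is not None:
        net = ipaddress.IPv4Interface(f"{dut}/{netmask}").network
        if vr not in net:
            # Handbook rule: same subnet as the connected port of the DUT.
            problems.append(f"virtual router {vr} is not in the DUT port subnet {net}")
        elif vr == dut:
            # Assumption (general IPv4 hygiene, not stated in the handbook).
            problems.append(f"virtual router {vr} collides with the DUT port address")
        elif netmask < 31 and vr in (net.network_address, net.broadcast_address):
            # Assumption (general IPv4 hygiene); a /31 has no such addresses.
            problems.append(f"virtual router {vr} is the network or broadcast address of {net}")

    p_lo, p_hi = source_ports
    min_port, max_port = SOURCE_PORT_RANGE
    if not (min_port <= p_lo <= p_hi <= max_port):
        problems.append(
            f"source port range {p_lo}-{p_hi} is outside {min_port}-{max_port}"
        )
    return problems


if __name__ == "__main__":
    # Constructed sample values (RFC 5737 documentation addresses).
    for plan in [
        ("192.0.2.254", "192.0.2.1", 24, (10_000, 65_535)),
        ("198.51.100.254", "192.0.2.1", 24, (10_000, 65_535)),
        ("192.0.2.10-192.0.2.20", "192.0.2.1", 24, (1_024, 65_535)),
    ]:
        print(plan, "->", preflight(*plan) or "ok")
```
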

Starting an HTTP CC test

FortiTester tests HTTP concurrent connection (CC) performance by simulating multiple clients that generate HTTP traffic. Each connection consists of a TCP three-way handshake, a loop of HTTP requests and responses (complete HTTP transactions), and a connection close with TCP FIN.

Note the following limitations: You cannot modify the HTTP request or HTTP response headers.

To start an HTTP CC test:

1. Go to Cases > HTTP > CC to display the test case summary page.
2. Click Add to display the Case Options dialog box.
3. In the popup dialog, configure the following settings:

IP Version: IPv4, IPv6 or Mixed.
DUT Role: Network Gateway or Application Server. If you want to test an application server, the FortiTester appliance will work as a pure client; if you want to test a network gateway, it will work as both client and server.
DUT Working Mode: Transparent mode or NAT mode. In the transparent mode, the DUT does not change the IP address of the packet. In NAT mode, the address is translated. In Web Proxy mode, the proxy address is used. If the DUT is configured in Web Proxy mode (e.g., a WAF), select Web Proxy.
Network Config: Select the default template or a user-defined template. The network settings and subnet settings for the test case configuration are imported from the template. You can modify these settings after they are imported.
Port Binding: Optional. Port binding aggregates two or more physical ports into one logical port.
Support VLAN: Optional. Set VLAN ID in the traffic.
Support Client Virtual Router: Optional. While this function is enabled on a FortiTester's client port, FortiTester simulates a router connecting the client subnets and the DUT. This virtual router finds a routing path for test traffic between the subnets deployed on the FortiTester's client port and the connected DUT. Virtual Router is available for deployments of Proxy mode and NAT mode.

Click OK to continue.

4. Configure the test case options described in Table
Click Start to run the test case.

FortiTester saves the configuration automatically so you can run the test again later. You can also click Save to save the test case without running it.

Tip: You can also copy an existing case, and change its settings to create a new case. In the case list, click Extend to clone the configuration. Only the case name is different from the original case.

Table 5: HTTP CC Test Case configuration

Basic Information

Name: Specify the case name, or just use the default. The name appears in the list of test cases.
Ping Server Timeout: If a FortiTester connects to a DUT via a switch, the switch might cause a ping timeout, resulting in the test case failing to run. If this occurs, increase the timeout. The default is 15 seconds. The valid range is 1 to 600.
Number of Samples: Select the number of samples. The default is 20, which means the web UI will show the last 20 samples (about 20 seconds) in the test case running page. You can select 20, 60, or 120.
Duration: Specify the test duration. The default is 10 minutes. The test stops automatically after the duration you specify.

Network

Client Ports, Server Ports: The graphic depicts the test ports for client-side and server-side connections. The client ports simulate the behavior of clients; the server ports simulate the behavior of servers. FortiTester builds the TCP connections between client ports and server ports (and through the DUT, of course). You must select at least one client port and one server port. After you select a port for the client, a check mark is displayed on the port icon, and a tab for the port is added below the graphic. Use the tabs to toggle the Capture Packets and Subnet settings controls for each port.

Capture Packets

Capture Packets: Optional. Set packet capture options if you want to capture the traffic of this port. You can capture all packets or specify a number. You can set packet capture filters for host IP/port and protocol. Note: The system allocates temporary disk space for packet captures. The limit is 200,000 packets. The packets are saved to a temporary file that you can download from the running test case page. The filename indicates whether it is client or server communication and the interface port number, for example, client_port1.pcap. When a subsequent test case with packet capture enabled uses the same interface port as a previous one, the previous file is overwritten.

MAC Masquerade

MAC Masquerade: Specify the first two bytes of a MAC address for the traffic.
Virtual Router IP Address: Specify the IP address of the virtual router. This IP address is used to connect to a DUT, so it must be in the same subnet as the connected port of the DUT. Make sure the corresponding routing rules are set on the DUT so that the DUT correctly forwards traffic to the virtual router. Only a single IP address in the format xxx.xxx.xxx.xxx is accepted here.

Subnet

Subnet IP Address or Range: Specify a single IP address with standard format (for example, ) or an address range like
Netmask: Specify a netmask between 1 and
VLAN ID: Specify a VLAN ID between 1 and
Gateway: NAT mode only. Specify the gateway IP address.
Peer Network: NAT mode only. Specify the peer network subnet address.
Proxy IP/Mask: Web Proxy mode only. Specify the proxy IP address/netmask.
Add Subnet: If necessary, click +Add Subnet to display additional subnet configuration controls. An interface port can have multiple subnets. FortiTester uses all IP addresses in the specified subnets to create TCP connections and transfer data.

Load

Simulated Users: Number of users to simulate.
  Standalone mode: The default is 256. The valid range is from 1 to
  Test Center mode: The default is 512, and the valid range is from 1 to 2048, for example, for an environment with two FortiTester appliances.
Concurrent Connections: Number of concurrent connections.
  Standalone mode: The default is 6,000,000. The valid range is 5,000 to 6,000,000.
  Test Center mode: The default is 12,000,000, and the valid range is 5,000 to 12,000,000, for example, for an environment with two FortiTester appliances.
Concurrent Close: Number of connections to close at any given time. To keep the DUT from losing packets, connections are closed batch by batch.
  Standalone mode: The default is 256, and the valid range is 1 to 10,000.
  Test Center mode: The default is 512, and the valid range is 1 to 10,000.
Speed Limit: Rate of new transactions per second. The default is 0, which means the device will send traffic as fast as possible.
  Standalone mode: The valid range is 256 to 600,000 transactions per second (or the special value 0).
  Test Center mode: The valid range is 256 to 1,200,000, for example, for an environment with two FortiTester appliances.
Think Time: Seconds that a simulated user waits between HTTP requests. The default is 5 seconds.
Network MTU: Preset to Not configurable.

Profile (Client)

Source Port Range: Specify a client port range. The valid range is 10,000 to 65,535, which is also the default.
Client Close Mode: Select the connection close method: 3Way_Fin or Reset.
IP Change Algorithm / Port Change Algorithm: Select a change algorithm: Increment or Random. This setting determines how the system changes source/destination IP addresses and ports to simulate multiple client requests. The Increment option uses the next IP address or port in the range, for example: > ; port > The Random option selects an IP address or port in the range randomly.
Request Header: Preset to UserAgent: Firefox/41.0. Click the add button to specify more headers.
Piggybacking: Enabled, meaning an acknowledgement is sent on the data frame, not in an individual frame. Not configurable.

Profile (Server)

Server Port: Preset to 80. Not configurable.
Response Header: Preset to Server: nginx/1.9.5content-type:text/html. Click the add button to specify more headers.
Piggybacking: Enabled. Not configurable.

Action

Get page: Select the file that the simulated clients access. The default is index.html with 4 bytes. Optionally, you can upload a customized HTML file. The file size limit is 10 MB.

Starting an HTTP throughput test

FortiTester tests HTTP throughput performance by simulating multiple clients that generate HTTP traffic. The test traffic establishes an HTTP connection (three-way handshake), loops complete HTTP transactions (HTTP request and response), and closes the HTTP connection (Reset). This load determines the maximum throughput (total bits per second "on the wire").

Note the following limitations: You cannot modify the HTTP request or HTTP response headers.

To start an HTTP throughput test:

1. Go to Cases > HTTP > Throughput to display the test case summary page.
2. Click Add to display the Case Options dialog box.
3. In the popup dialog, configure the following settings:

IP Version: IPv4, IPv6 or Mixed.
DUT Role: Network Gateway or Application Server. If you want to test an application server, the FortiTester appliance will work as a pure client; if you want to test a network gateway, it will work as both client and server.
DUT Working Mode: Transparent mode, NAT mode, or Web Proxy mode. In the transparent mode, the DUT does not change the IP address of the packet. In NAT mode, the address is translated. In Web Proxy mode, the proxy address is used. If the DUT is configured in Web Proxy mode (e.g., a WAF), select Web Proxy.
Network Config: Select the default template or a user-defined template. The network settings and subnet settings for the test case configuration are imported from the template. You can modify these settings after they are imported.
Port Binding: Optional. Port binding aggregates two or more physical ports into one logical port.
Support VLAN: Optional. Set VLAN ID in the traffic.
Support Client Virtual Router: Optional. While this function is enabled on a FortiTester's client port, FortiTester simulates a router connecting the client subnets and the DUT. This virtual router finds a routing path for test traffic between the subnets deployed on the FortiTester's client port and the connected DUT. Virtual Router is available for deployments of Proxy mode and NAT mode.

Click OK to continue.

4. Configure the test case options described in Table
Click Start to run the test case.

FortiTester saves the configuration automatically, so you can run the test again later. You can also click Save to save the test case without running it.

Tip: You can also copy an existing case, and change its settings to create a new case. In the case list, click Extend to clone the configuration. Only the case name is different from the original case.

Table 6: HTTPS throughput test case configuration

Basic Information

Name: Specify the case name, or just use the default. The name appears in the list of test cases.
Ping Server Timeout: If a FortiTester connects to a DUT via a switch, the switch might cause a ping timeout, resulting in the test case failing to run. If this occurs, increase the timeout. The default is 15 seconds. The valid range is 1 to 600.
Number of Samples: Select the number of samples. The default is 20, which means the web UI will show the last 20 samples (about 20 seconds) in the test case running page. You can select 20, 60, or 120.
Duration: Specify the test duration. The default is 10 minutes. The test stops automatically after the duration you specify.

Network

Client Ports, Server Ports: The graphic depicts the test ports for client-side and server-side connections. The client ports simulate the behavior of clients; the server ports simulate the behavior of servers. FortiTester builds the TCP connections between client ports and server ports (and through the DUT, of course). You must select at least one client port and one server port. After you select a port for the client, a check mark is displayed on the port icon, and a tab for the port is added below the graphic. Use the tabs to toggle the Capture Packets and Subnet settings controls for each port.

Capture Packets

Capture Packets: Optional. Set packet capture options if you want to capture the traffic of this port. You can capture all packets or specify a number. You can set packet capture filters for host IP/port and protocol. Note: The system allocates temporary disk space for packet captures. The limit is 200,000 packets. The packets are saved to a temporary file that you can download from the running test case page. The filename indicates whether it is client or server communication and the interface port number, for example, client_port1.pcap. When a subsequent test case with packet capture enabled uses the same interface port as a previous one, the previous file is overwritten.

MAC Masquerade

MAC Masquerade: Specify the first two bytes of a MAC address for the traffic.
Virtual Router IP Address: Specify the IP address of the virtual router. This IP address is used to connect to a DUT, so it must be in the same subnet as the connected port of the DUT. Make sure the corresponding routing rules are set on the DUT so that the DUT correctly forwards traffic to the virtual router. Only a single IP address in the format xxx.xxx.xxx.xxx is accepted here.

Subnet

Subnet IP Address or Range: Specify a single IP address with standard format (for example, ) or an address range like
Netmask: Specify a netmask between 1 and 31.
VLAN ID: Specify a VLAN ID between 1 and
Gateway: NAT mode only. Specify the gateway IP address.
Peer Network: NAT mode only. Specify the peer network subnet address.
Proxy IP/Mask: Web Proxy mode only. Specify the proxy IP address/netmask.
Add Subnet: If necessary, click +Add Subnet to display additional subnet configuration controls. An interface port can have multiple subnets. FortiTester uses all IP addresses in the specified subnets to create TCP connections and transfer data.

Load

Simulated Users: Number of users to simulate.
  Standalone mode: The default is 256. The valid range is from 1 to
  Test Center mode: The default is 512, and the valid range is from 1 to 2048, for example, for an environment with two FortiTester appliances.
Speed Limit: Rate of requests per second. The default is 0, which means the device will send traffic as fast as possible.
  Standalone mode: The valid range is 100 to 1,600,000 requests per second (or the special value 0).
  Test Center mode: The valid range is 100 to 3,200,000, for example, for an environment with two FortiTester appliances.
Ramp UP Seconds: Time in seconds for traffic to ramp up when you start the test.
Ramp Down Seconds: Time in seconds for traffic to ramp down when you stop the test.

Network

Network MTU: Preset to Not configurable.

Profile (Client)

Source Port Range: Client port range. The valid range is from 10,000 to 65,535, which is also the default.
Client Close Mode: Preset to Reset. Not configurable.
IP Change Algorithm / Port Change Algorithm: Select a change algorithm: Increment or Random. This setting determines how the system changes source/destination IP addresses and ports to simulate multiple client requests. The Increment option uses the next IP address or port in the range, for example: > ; port > The Random option selects an IP address or port in the range randomly.
Request Header: Preset to UserAgent: Firefox/41.0. Click the add button to specify more headers.

Piggybacking: Enabled, meaning an acknowledgement is sent on the data frame, not in an individual frame. Not configurable.

Profile (Server)

Server Port: Preset to 80. Not configurable.
Response Header: Preset to Server: nginx/1.9.5content-type:text/html. Click the add button to specify more headers.
Piggybacking: Enabled. Not configurable.

Action

Get page: Select the file that the simulated clients access. The default is index.html with 50,000 bytes. Optionally, you can upload a customized HTML file. The file size limit is 10 MB.

Starting an HTTPS CC test

The HTTPS CC test is the same as the HTTP CC test, except that it uses HTTPS traffic and the MTU is editable.

To start an HTTPS CC test:

1. Go to Cases > HTTPS > CC to display the test case summary page.
2. Click Add to display the Case Options dialog box.
3. In the popup dialog, configure the following settings:

IP Version: IPv4, IPv6 or Mixed.
DUT Role: Network Gateway or Application Server. If you want to test an application server, the FortiTester appliance will work as a pure client; if you want to test a network gateway, it will work as both client and server.
DUT Working Mode: Transparent mode, NAT mode, or Web Proxy mode. In the transparent mode, the DUT does not change the IP address of the packet. In NAT mode, the address is translated. In Web Proxy mode, the proxy address is used. If the DUT is configured in Web Proxy mode (e.g., a WAF), select Web Proxy.
Network Config: Select the default template or a user-defined template. The network settings and subnet settings for the test case configuration are imported from the template. You can modify these settings after they are imported.
Port Binding: Optional. Port binding aggregates two or more physical ports into one logical port.
Support VLAN: Optional. Set VLAN ID in the traffic.
Support Client Virtual Router: Optional. While this function is enabled on a FortiTester's client port, FortiTester simulates a router connecting the client subnets and the DUT. This virtual router finds a routing path for test traffic between the subnets deployed on the FortiTester's client port and the connected DUT. Virtual Router is available for deployments of Proxy mode and NAT mode.

Click OK to continue.

4. Configure the test case options as described in Table
Click Start to run the test case.

FortiTester saves the configuration automatically so you can run the test again later. You can also click Save to save the test case without running it.

Tip: You can also copy an existing case, and change its settings to create a new case. In the case list, click Extend to clone the configuration. Only the case name is different from the original case.

Table 7: HTTPS CC Test Case configuration

Basic Information

Name: Specify the case name, or just use the default. The name appears in the list of test cases.
Ping Server Timeout: If a FortiTester connects to a DUT via a switch, the switch might cause a ping timeout, resulting in the test case failing to run. If this occurs, increase the timeout. The default is 15 seconds. The valid range is 1 to 600.
Number of Samples: Select the number of samples. The default is 20, which means the web UI will show the last 20 samples (about 20 seconds) in the test case running page. You can select 20, 60, or 120.
Duration: Specify the test duration. The default is 10 minutes. The test stops automatically after the duration you specify.

Network

Client Ports, Server Ports: The graphic depicts the test ports for client-side and server-side connections. The client ports simulate the behavior of clients; the server ports simulate the behavior of servers. FortiTester builds the TCP connections between client ports and server ports (and through the DUT, of course). You must select at least one client port and one server port. After you select a port for the client, a check mark is displayed on the port icon, and a tab for the port is added below the graphic. Use the tabs to toggle the Capture Packets and Subnet settings controls for each port.

Capture Packets

Capture Packets: Optional. Set packet capture options if you want to capture the traffic of this port. You can capture all packets or specify a number. You can set packet capture filters for host IP/port and protocol. Note: The system allocates temporary disk space for packet captures. The limit is 200,000 packets. The packets are saved to a temporary file that you can download from the running test case page. The filename indicates whether it is client or server communication and the interface port number, for example, client_port1.pcap. When a subsequent test case with packet capture enabled uses the same interface port as a previous one, the previous file is overwritten.

MAC Masquerade

MAC Masquerade: Specify the first two bytes of a MAC address for the traffic.
Virtual Router IP Address: Specify the IP address of the virtual router. This IP address is used to connect to a DUT, so it must be in the same subnet as the connected port of the DUT. Make sure the corresponding routing rules are set on the DUT so that the DUT correctly forwards traffic to the virtual router. Only a single IP address in the format xxx.xxx.xxx.xxx is accepted here.

Subnet

Subnet IP Address or Range: Specify a single IP address with standard format (for example, ) or an address range like
Netmask: Specify a netmask between 1 and 31.
VLAN ID: Specify a VLAN ID between 1 and
Gateway: NAT mode only. Specify the gateway IP address.
Peer Network: NAT mode only. Specify the peer network subnet address.
Proxy IP/Mask: Web Proxy mode only. Specify the proxy IP address/netmask.
Add Subnet: If necessary, click +Add Subnet to display additional subnet configuration controls. An interface port can have multiple subnets. FortiTester uses all IP addresses in the specified subnets to create TCP connections and transfer data.

Load

Simulated Users: Number of users to simulate.
  Standalone mode: The default is 256. The valid range is from 1 to 900.
  Test Center mode: The default is 512, and the valid range is from 1 to 1,800, for example, for an environment with two FortiTester appliances.
Concurrent Connections: Number of concurrent connections.
  Standalone mode: The default is 200,000. The valid range is 5,000 to 200,000.
  Test Center mode: The default is 400,000, and the valid range is 5,000 to 400,000, for example, for an environment with two FortiTester appliances.
Speed Limit: Rate of requests per second. The default is 0, which means the device will send traffic as fast as possible.
  Standalone mode: The valid range is 100 to 1,600,000 requests per second (or the special value 0).
  Test Center mode: The valid range is 100 to 3,200,000, for example, for an environment with two FortiTester appliances.
Think Time: The time in seconds that a simulated user waits between HTTP requests. The default is 5 seconds.

Network

Network MTU: Maximum Transmission Unit for a data packet. FortiTester does not send out data packets larger than this value. Most DUTs have a limit for packet size. The default is The valid range is from 1,280 to 9,000.

Profile (Client)

Source Port Range: Preset to Not configurable.
Client Port Mode: Select the connection close method: 3Way_Fin or Reset.

IP Change Algorithm / Port Change Algorithm: Determines how the system changes source/destination IP addresses and ports to simulate multiple client requests. Preset to Random. Not configurable. The Random option selects an IP address or port in the range randomly.
Request Header: Preset to UserAgent: Firefox/41.0. Click the add button to specify more headers.
Piggybacking: Default enabled.
Quiet Shutdown: Enable to apply the safe shutdown procedure to SSL connections by sending an SSL alert to the peer.
Allowed SSL Versions: Supported SSL versions: SSLv3, TLSv1.0, TLSv1.1 and TLSv1.2. The default is TLSv1.2.
SSL Ciphers: Select one or more SSL ciphers from the list.

Profile (Server)

Server Port: Preset to 80, 443. Not configurable.
Key Length: Length of SSL key for encryption/decryption. The default is The valid range is from 1024 to
Response Header: Preset to Server: nginx/1.9.5content-type:text/html. Click the add button to specify more headers.
Piggybacking: Default enabled.

Action

Get page: Select the file that the simulated clients access. The default is index.html with 4 bytes. Optionally, you can upload a customized HTML file. The file size limit is 10 MB.

Starting an HTTPS CPS test

The HTTPS CPS test is the same as the HTTP CPS test, except it uses HTTPS traffic, does not have the Speed Limit option, and the MTU is editable.

To start an HTTPS CPS test:

1. Go to Cases > HTTPS > CPS to display the test case summary page.
2. Click Add to display the Case Options dialog box.
3. In the popup dialog, configure the following settings:

IP Version: IPv4, IPv6 or Mixed.
DUT Role: Network Gateway or Application Server. If you want to test an application server, the FortiTester appliance will work as a pure client; if you want to test a network gateway, it will work as both client and server.
DUT Working Mode: Transparent mode, NAT mode, or Web Proxy mode. In the transparent mode, the DUT does not change the IP address of the packet. In NAT mode, the address is translated. In Web Proxy mode, the proxy address is used. If the DUT is configured in Web Proxy mode (e.g., a WAF), select Web Proxy.

36 Starting an HTTPS CPS test Chapter 2 - Running Tests Network Config Select the default template or a user-defined template. The network settings and subnet settings for the test case configuration are imported from the template. You can modify these settings after they are imported. Port Binding Optional. Port binding aggregates two or more physical ports into one logical port. Support VLAN Optional. Set VLAN ID in the traffic. Support Client Virtual Router Optional. While this function is enabled on a FortiTester's client port, FortiTester simulates a router connecting the client subnets and the DUT. This virtual router will find a routing path out for testing traffic communicating between subnets deployed on the FortiTester's client port and the connected DUT. Virtual Router is available for deployments of Proxy mode and NAT mode. Click OK to continue. 4. Configure the test case options described in Table Click Start to run the test case. FortiTester saves the configuration automatically so you can run the test again later. You can also click Save to save the test case without running it. Tip: You can also copy an existing case, and change its settings to create a new case. In the case list, click Extend to clone the configuration. Only the case name is different from the original case. Table 8: HTTPS CPS Test Case configuration Basic Information Name Specify the case name, or just use the default. The name appears in the list of test cases. Ping Server Timeout If a FortiTester connects to a DUT via a switch, the switch might cause a ping timeout, resulting in the test case failing to run. If this occurs, increase the timeout. The default is 15 seconds. The valid range is 1 to 600. Number of Samples Select the number of samples. The default is 20, which means the web UI will show the last 20 sample data (about 20 seconds) in the test case running page. You can select 20, 60, or 120. Duration Specify the test duration. The default is 10 minutes. 
The test stops automatically after the duration you specify. Network Client Ports, Server Ports The graphic depicts the test ports for client-side and server-side connections. The client ports simulate the behavior of clients; the server ports simulate the behavior of servers. FortiTester builds the TCP connections between client ports and server ports (and through the DUT, of course). You must select at least one client port and one server port. After you select a port for client, a (check mark) is displayed on the port icon, and a tab for the port is added below the graphic. Use the tabs to toggle the Capture Packets and Subnet settings controls for each port. Capture Packets FortiTester Handbook 36

37 Chapter 2 - Running Tests Starting an HTTPS CPS test Capture Packets Optional. Set packet capture options if you want to capture the traffic of this port. You can capture all packets or specify a number. You can set packet capture filters for host IP/port and protocol. Note: The system allocates temporary disk space for packet captures. The limit is 200,000 packets. The packets are saved to a temporary file that you can download from the running test case page. The filename indicates whether it is client or server communication and the interface port number. For example, client_port1.pcap. When a subsequent test case with packet capture enabled uses the same interface port as a previous one, the previous file is overwritten. MAC Masquerade MAC Masquerade Specify the first two bytes of a MAC address for the traffic. Virtual Router IP Address Specify the IP address to the virtual router. This IP addresses is used to connect to a DUT, therefore it must be in the same subnet with the connected port of the DUT. Please make sure the corresponding routing rules are set on the DUT, so that DUT correctly forwards traffic to the virtual router. Only a single IP address in format xxx.xxx.xxx.xxx is accepted here. Subnet Subnet IP Address or Range Specify a single IP address with standard format (for example, ) or an address range like Netmask Specify a netmask between 1 and 31. VLAN ID Specify a VLAN ID between 1 and Gateway Peer Network Proxy IP/Mask Add Subnet NAT mode only. Specify the gateway IP address. NAT mode only. Specify the peer network subnet address. Web Proxy mode only. Specify the proxy IP address/netmask. If necessary, click +Add Subnet to display additional subnet configuration controls. An interface port can have multiple subnets. FortiTester uses all IP addresses in the specified subnets to create TCP connections and transfer data. Load Simulated Users Number of users to simulate. Standalone mode: The default is 256. The valid range is from 1 to 900. 
Test Center mode: The default is 512 and the valid range is from 1 to 1,800, for example, for an environment with two FortiTester appliances.

Speed Limit: Rate of new transactions per second. The default is 0, which means the device will send traffic as fast as possible.
Standalone mode: The valid range is 100 to 100,000 transactions per second (or the special value 0).
Test Center mode: The valid range is 100 to 200,000, for example, for an environment with two FortiTester appliances.
Ramp Up Seconds: Time in seconds for traffic to ramp up when you start the test.
Ramp Down Seconds: Time in seconds for traffic to ramp down when you stop the test.

Network
Network MTU: Maximum Transmission Unit for a data packet. FortiTester does not send out data packets larger than this value. Most DUTs have a limitation for packet size. The default is The valid range is 1,280 to 9,000.

Profile (Client)
Source Port Range: Preset to Not configurable.
Client Close Mode: Select the connection close method: 3Way_Fin or Reset.
IP Change Algorithm / Port Change Algorithm: Determines how the system changes source/destination IP addresses and ports to simulate multiple client requests. Preset to Random. Not configurable. The Random option selects an IP address or port in the range randomly.
Request Header: Preset to UserAgent: Firefox/41.0. Click the add button to specify more headers.
Piggybacking: Default enabled.
Quiet Shutdown: Enable to apply safe shutdown procedure to SSL connections by sending SSL alert to the peer.
Allowed SSL Versions: Supported SSL version: SSLv3, TLSv1.0, TLSv1.1 and TLSv1.2. The default is TLSv1.2.
SSL Ciphers: Select one or more SSL ciphers from the list.

Profile (Server)
Server Port: Preset to 80, 443. Not configurable.
Key Length: Length of SSL key for encryption/decryption. The default is The valid range is from 1024 to
Response Header: Preset to Server: nginx/1.9.5content-type:text/html. Click the add button to specify more headers.
Piggybacking: Default enabled.

Action
Get page: Select the file that the simulated clients access.
The default is index.html with 4 bytes. Optionally, you can upload a customized HTML file. The file size limit is 10 MB.
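The Capture Packets note in the test case tables gives a 200,000-packet limit and a file naming scheme such as client_port1.pcap. The following check is an added example, not part of the handbook or of FortiTester: it reads a downloaded capture and reports whether it reached that limit or was cut off mid-record. It assumes the file is in classic libpcap format (suggested by the .pcap extension); the function names are hypothetical and the sample capture is constructed.

```python
import re
import struct

CAPTURE_LIMIT = 200_000  # packet limit per capture, as stated in the handbook
NAME_RE = re.compile(r"^(client|server)_port(\d+)\.pcap$")

# First four file bytes -> struct byte-order prefix. Classic libpcap magics:
# microsecond and nanosecond variants, little- and big-endian writers.
MAGICS = {
    b"\xd4\xc3\xb2\xa1": "<",
    b"\xa1\xb2\xc3\xd4": ">",
    b"\x4d\x3c\xb2\xa1": "<",
    b"\xa1\xb2\x3c\x4d": ">",
}


def parse_capture_name(filename):
    """Split a name such as client_port1.pcap into (side, port number)."""
    match = NAME_RE.match(filename)
    if not match:
        raise ValueError(f"unexpected capture file name: {filename!r}")
    return match.group(1), int(match.group(2))


def count_packets(data):
    """Walk the record headers; return (complete packets, incomplete_tail)."""
    if len(data) < 24 or data[:4] not in MAGICS:
        raise ValueError("not a classic libpcap file")
    endian = MAGICS[data[:4]]
    offset, packets = 24, 0  # the global header is 24 bytes
    while offset < len(data):
        if offset + 16 > len(data):
            return packets, True  # record header cut short
        _sec, _frac, incl_len, _orig_len = struct.unpack(
            endian + "IIII", data[offset:offset + 16])
        if offset + 16 + incl_len > len(data):
            return packets, True  # packet body cut short
        packets += 1
        offset += 16 + incl_len
    return packets, False


def check_capture(filename, data, limit=CAPTURE_LIMIT):
    """Summarize one downloaded capture file.

    hit_limit is True when the file holds at least `limit` packets, which is
    taken here (an assumption) to mean later traffic is missing from it.
    """
    side, port = parse_capture_name(filename)
    packets, incomplete = count_packets(data)
    return {
        "side": side,
        "port": port,
        "packets": packets,
        "hit_limit": packets >= limit,
        "incomplete_tail": incomplete,
    }


def build_sample_pcap(count, payload=b"\x00" * 60):
    """Constructed sample: little-endian Ethernet capture with dummy frames."""
    header = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    records = b"".join(
        struct.pack("<IIII", i, 0, len(payload), len(payload)) + payload
        for i in range(count))
    return header + records


if __name__ == "__main__":
    print(check_capture("client_port1.pcap", build_sample_pcap(3)))
```

Because a later test case on the same interface port overwrites the previous file, run the check on each capture right after downloading it.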

Starting an HTTPS throughput test

The HTTPS Throughput test is the same as the HTTP Throughput test, except that it uses HTTPS traffic and the MTU is editable.

To start an HTTPS Throughput test:
1. Go to Cases > HTTPS > Throughput to display the test case summary page.
2. Click Add to display the Case Options dialog box.
3. In the popup dialog, configure the following settings:
IP Version: IPv4, IPv6 or Mixed.
DUT Role: Network Gateway or Application Server. If you want to test an application server, the FortiTester appliance will work as a pure client; if you want to test a network gateway, it will work as both client and server.
DUT Working Mode: Transparent mode, NAT mode, or Web Proxy mode. In transparent mode, the DUT does not change the IP address of the packet. In NAT mode, the address is translated. In Web Proxy mode, the proxy address is used. If the DUT is configured in Web Proxy mode (e.g. a WAF), select Web Proxy.
Network Config: Select the default template or a user-defined template. The network settings and subnet settings for the test case configuration are imported from the template. You can modify these settings after they are imported.
Port Binding: Optional. Port binding aggregates two or more physical ports into one logical port.
Support VLAN: Optional. Set VLAN ID in the traffic.
Support Client Virtual Router: Optional. When this function is enabled on a FortiTester client port, FortiTester simulates a router connecting the client subnets and the DUT. This virtual router finds a routing path for test traffic between the subnets deployed on the FortiTester client port and the connected DUT. Virtual Router is available for deployments of Proxy mode and NAT mode.
Click OK to continue.
4. Configure the test case options as described in Table
Click Start to run the test case.
FortiTester saves the configuration automatically so you can run the test again later. You can also click Save to save the test case without running it.

Tip: You can also copy an existing case, and change its settings to create a new case. In the case list, click Extend to clone the configuration. Only the case name is different from the original case.

Table 9: HTTPS Throughput Test Case configuration

Basic Information
Name: Specify the case name, or just use the default. The name appears in the list of test cases.
Ping Server Timeout: If a FortiTester connects to a DUT via a switch, the switch might cause a ping timeout, resulting in the test case failing to run. If this occurs, increase the timeout. The default is 15 seconds. The valid range is 1 to 600.
Number of Samples: Select the number of samples. The default is 20, which means the web UI will show the last 20 samples (about 20 seconds) on the test case running page. You can select 20, 60, or 120.
Duration: Specify the test duration. The default is 10 minutes. The test stops automatically after the duration you specify.

Network
Client Ports, Server Ports: The graphic depicts the test ports for client-side and server-side connections. The client ports simulate the behavior of clients; the server ports simulate the behavior of servers. FortiTester builds the TCP connections between client ports and server ports (and through the DUT, of course). You must select at least one client port and one server port. After you select a port for the client, a check mark is displayed on the port icon, and a tab for the port is added below the graphic. Use the tabs to toggle the Capture Packets and Subnet settings controls for each port.

Capture Packets
Capture Packets: Optional. Set packet capture options if you want to capture the traffic of this port. You can capture all packets or specify a number. You can set packet capture filters for host IP/port and protocol.
Note: The system allocates temporary disk space for packet captures. The limit is 200,000 packets. The packets are saved to a temporary file that you can download from the running test case page. The filename indicates whether it is client or server communication and the interface port number. For example, client_port1.pcap.
When a subsequent test case with packet capture enabled uses the same interface port as a previous one, the previous file is overwritten.

MAC Masquerade
MAC Masquerade: Specify the first two bytes of a MAC address for the traffic.

Virtual Router
IP Address: Specify the IP address of the virtual router. This IP address is used to connect to a DUT, so it must be in the same subnet as the connected port of the DUT. Make sure the corresponding routing rules are set on the DUT so that the DUT correctly forwards traffic to the virtual router. Only a single IP address in the format xxx.xxx.xxx.xxx is accepted here.

Subnet
Subnet IP Address or Range: Specify a single IP address with standard format (for example, ) or an address range like

Netmask: Specify a netmask between 1 and 31.
VLAN ID: Specify a VLAN ID between 1 and
Gateway: NAT mode only. Specify the gateway IP address.
Peer Network: NAT mode only. Specify the peer network subnet address.
Proxy IP/Mask: Web Proxy mode only. Specify the proxy IP address/netmask.
Add Subnet: If necessary, click +Add Subnet to display additional subnet configuration controls. An interface port can have multiple subnets. FortiTester uses all IP addresses in the specified subnets to create TCP connections and transfer data.

Load
Simulated Users: Number of users to simulate.
Standalone mode: The default is 256. The valid range is from 1 to 900.
Test Center mode: The default is 512, and the valid range is from 1 to 1,800, for example, for an environment with two FortiTester appliances.
Speed Limit: Rate of requests per second. The default is 0, which means the device will send traffic as fast as possible.
Standalone mode: The valid range is 100 to 1,600,000 requests per second (or the special value 0).
Test Center mode: The valid range is 100 to 3,200,000, for example, for an environment with two FortiTester appliances.
Ramp Up Seconds: Time (in seconds) for traffic to ramp up when you start the test.
Ramp Down Seconds: Time (in seconds) for traffic to ramp down when you stop the test.

Network
Network MTU: Maximum Transmission Unit for a data packet. FortiTester does not send out data packets larger than this value. Most DUTs have a limit for packet size. The default is The valid range is from 1,280 to 9,000.

Profile (Client)
Source Port Range: Preset to Not configurable.
Client Port Mode: Select the connection close method: 3Way_Fin or Reset.
IP Change Algorithm / Port Change Algorithm: Determines how the system changes source/destination IP addresses and ports to simulate multiple client requests. Preset to Random. Not configurable. The Random option selects an IP address or port in the range randomly.

Request Header: Preset to UserAgent: Firefox/41.0. Click the add button to specify more headers.
Piggybacking: Default enabled.
Quiet Shutdown: Enable to apply safe shutdown procedure to SSL connections by sending SSL alert to the peer.
Allowed SSL Versions: Supported SSL version: SSLv3, TLSv1.0, TLSv1.1 and TLSv1.2. The default is TLSv1.2.
SSL Ciphers: Select one or more SSL ciphers from the list.

Profile (Server)
Server Port: Preset to 80, 443. Not configurable.
Key Length: Length of SSL key for encryption/decryption. The default is The valid range is from 1024 to
Response Header: Preset to Server: nginx/1.9.5content-type:text/html. Click the add button to specify more headers.
Piggybacking: Default enabled.

Action
Get page: Select the file that the simulated clients access. The default is index.html with 4 bytes. Optionally, you can upload a customized HTML file. The file size limit is 10 MB.

Starting an HTTPS RPS test

The HTTPS RPS test is the same as the HTTP RPS test, except it uses HTTPS traffic, does not have the Speed Limit option, and the MTU is editable.

To start an HTTPS RPS test:
1. Go to Cases > HTTPS > RPS to display the test case summary page.
2. Click Add to display the Case Options dialog box.
3. In the popup dialog, configure the following settings:
IP Version: IPv4, IPv6 or Mixed.
DUT Role: Network Gateway or Application Server. If you want to test an application server, the FortiTester appliance will work as a pure client; if you want to test a network gateway, it will work as both client and server.
DUT Working Mode: Transparent mode, NAT mode, or Web Proxy mode. In transparent mode, the DUT does not change the IP address of the packet. In NAT mode, the address is translated. In Web Proxy mode, the proxy address is used. If the DUT is configured in Web Proxy mode (e.g. a WAF), select Web Proxy.
Network Config: Select the default template or a user-defined template.
The network settings and subnet settings for the test case configuration are imported from the template. You can modify these settings after they are imported.
Port Binding: Optional. Port binding aggregates two or more physical ports into one logical port.

Support VLAN: Optional. Set VLAN ID in the traffic.
Support Client Virtual Router: Optional. When this function is enabled on a FortiTester client port, FortiTester simulates a router connecting the client subnets and the DUT. This virtual router finds a routing path for test traffic between the subnets deployed on the FortiTester client port and the connected DUT. Virtual Router is available for deployments of Proxy mode and NAT mode.
Click OK to continue.
4. Configure the test case options described in Table
Click Start to run the test case.

FortiTester saves the configuration automatically so you can run the test again later. You can also click Save to save the test case without running it.

Tip: You can also copy an existing case, and change its settings to create a new case. In the case list, click Extend to clone the configuration. Only the case name is different from the original case.

Table 10: HTTPS RPS Test Case configuration

Basic Information
Name: Specify the case name, or just use the default. The name appears in the list of test cases.
Ping Server Timeout: If a FortiTester connects to a DUT via a switch, the switch might cause a ping timeout, resulting in the test case failing to run. If this occurs, increase the timeout. The default is 15 seconds. The valid range is 1 to 600.
Number of Samples: Select the number of samples. The default is 20, which means the web UI will show the last 20 samples (about 20 seconds) on the test case running page. You can select 20, 60, or 120.
Duration: Specify the test duration. The default is 10 minutes. The test stops automatically after the duration you specify.

Network
Client Ports, Server Ports: The graphic depicts the test ports for client-side and server-side connections. The client ports simulate the behavior of clients; the server ports simulate the behavior of servers. FortiTester builds the TCP connections between client ports and server ports (and through the DUT, of course). You must select at least one client port and one server port. After you select a port for the client, a check mark is displayed on the port icon, and a tab for the port is added below the graphic. Use the tabs to toggle the Capture Packets and Subnet settings controls for each port.

Capture Packets
Capture Packets: Optional. Set packet capture options if you want to capture the traffic of this port. You can capture all packets or specify a number. You can set packet capture filters for host IP/port and protocol.
Note: The system allocates temporary disk space for packet captures. The limit is 200,000 packets. The packets are saved to a temporary file that you can download from the running test case page. The filename indicates whether it is client or server communication and the interface port number. For example, client_port1.pcap.
When a subsequent test case with packet capture enabled uses the same interface port as a previous one, the previous file is overwritten.

MAC Masquerade
MAC Masquerade: Specify the first two bytes of a MAC address for the traffic.

Virtual Router
IP Address: Specify the IP address of the virtual router. This IP address is used to connect to a DUT, so it must be in the same subnet as the connected port of the DUT. Make sure the corresponding routing rules are set on the DUT so that the DUT correctly forwards traffic to the virtual router. Only a single IP address in the format xxx.xxx.xxx.xxx is accepted here.

Subnet
Subnet IP Address or Range: Specify a single IP address with standard format (for example, ) or an address range like
Netmask: Specify a netmask between 1 and 31.

VLAN ID: Specify a VLAN ID between 1 and
Gateway: NAT mode only. Specify the gateway IP address.
Peer Network: NAT mode only. Specify the peer network subnet address.
Proxy IP/Mask: Web Proxy mode only. Specify the proxy IP address/netmask.
Add Subnet: If necessary, click +Add Subnet to display additional subnet configuration controls. An interface port can have multiple subnets. FortiTester uses all IP addresses in the specified subnets to create TCP connections and transfer data.

Load
Simulated Users: Number of users to simulate.
Standalone mode: The default is 256. The valid range is from 1 to 900.
Test Center mode: The default is 512, and the valid range is from 1 to 1,800, for example, for an environment with two FortiTester appliances.
Requests per Connection: The number of HTTP requests per connection. The default is 200. The valid range is 200 to 10,000.
Speed Limit: Rate of requests per second. The default is 0, which means the device will send traffic as fast as possible.
Standalone mode: The valid range is 100 to 1,600,000 requests per second (or the special value 0).
Test Center mode: The valid range is 100 to 3,200,000, for example, for an environment with two FortiTester appliances.
Ramp Up Seconds: Time in seconds for traffic to ramp up when you start the test.
Ramp Down Seconds: Time in seconds for traffic to ramp down when you stop the test.

Network
Network MTU: Maximum Transmission Unit for a data packet. FortiTester does not send out data packets larger than this value. Most DUTs have a limitation for packet size. The default is The valid range is 1,280 to 9,000.

Profile (Client)
Source Port Range: Preset to Not configurable.
IP Change Algorithm / Port Change Algorithm: Determines how the system changes source/destination IP addresses and ports to simulate multiple client requests. Preset to Random. Not configurable. The Random option selects an IP address or port in the range randomly.
Request Header: Preset to UserAgent: Firefox/41.0. Click the add button to specify more headers.

Piggybacking: Enable to apply piggybacking to SSL connections issued by the client side. This is enabled by default.
Allowed SSL Versions: Supported SSL version: SSLv3, TLSv1.0, TLSv1.1 and TLSv1.2 (default).
SSL Ciphers: Select one or more SSL ciphers from the list.

Profile (Server)
Server Port: Preset to 80, 443. Not configurable.
Key Length: Length of SSL key for encryption/decryption. The default is The valid range is from 1024 to
Response Header: Preset to Server: nginx/1.9.5content-type:text/html. Click the add button to specify more headers.
Piggybacking: Enable to apply piggybacking to SSL connections issued by the server side. This is enabled by default.

Action
Get page: Select the file that the simulated clients access. The default is index.html with 50,000 bytes. Optionally, you can upload a customized HTML file. The file size limit is 10 MB.

Starting a TCP connection test

FortiTester tests TCP concurrent connection performance by generating a specified volume of two-way TCP traffic flow via specified ports.

To start a TCP connection test:
1. Go to Cases > TCP > Connection to display the test case summary page.
2. Click Add to display the Case Options dialog box.
3. In the popup dialog, configure the following settings:
IP Version: IPv4, IPv6 or Mixed.
DUT Working Mode: Transparent mode or NAT mode. In transparent mode, the DUT does not change the IP address of the packet. In NAT mode, the address is translated.
Network Config: Select the default template or a user-defined template. The network settings and subnet settings for the test case configuration are imported from the template. You can modify these settings after they are imported.
Port Binding: Optional. Port binding aggregates two or more physical ports into one logical port.
Support VLAN: Optional. Set VLAN ID in the traffic.
Support Client Virtual Router: Optional. When this function is enabled on a FortiTester client port, FortiTester simulates a router connecting the client subnets and the DUT. This virtual router finds a routing path for test traffic between the subnets deployed on the FortiTester client port and the connected DUT. Virtual Router is available for deployments of Proxy mode and NAT mode.
Click OK to continue.
4. Configure the test case options described in Table
Click Start to run the test case.

FortiTester saves the configuration automatically so you can run the test again later. You can also click Save to save the test case without running it.

Tip: You can also copy an existing case, and change its settings to create a new case. In the case list, click Extend to clone the configuration. Only the case name is different from the original case.

Table 11: TCP Connection Test Case configuration

Basic Information
Name: Specify the case name, or just use the default. The name appears in the list of test cases.
Ping Server Timeout: If a FortiTester connects to a DUT via a switch, the switch might cause a ping timeout, resulting in the test case failing to run. If this occurs, increase the timeout. The default is 15 seconds. The valid range is 1 to 600.
Number of Samples: Select the number of samples. The default is 20, which means the web UI will show the last 20 samples (about 20 seconds) on the test case running page. You can select 20, 60, or 120.
Duration: Specify the test duration. The default is 10 minutes. The test stops automatically after the duration you specify.

Network
Client Ports, Server Ports: The graphic depicts the test ports for client-side and server-side connections. The client ports simulate the behavior of clients; the server ports simulate the behavior of servers. FortiTester builds the TCP connections between client ports and server ports (and through the DUT, of course). You must select at least one client port and one server port. After you select a port for the client, a check mark is displayed on the port icon, and a tab for the port is added below the graphic. Use the tabs to toggle the Capture Packets and Subnet settings controls for each port.

Capture Packets
Capture Packets: Optional. Set packet capture options if you want to capture the traffic of this port. You can capture all packets or specify a number. You can set packet capture filters for host IP/port and protocol.
Note: The system allocates temporary disk space for packet captures. The limit is 200,000 packets. The packets are saved to a temporary file that you can download from the running test case page. The filename indicates whether it is client or server communication and the interface port number. For example, client_port1.pcap. When a subsequent test case with packet capture enabled uses the same interface port as a previous one, the previous file is overwritten.

MAC Masquerade
MAC Masquerade: Specify the first two bytes of a MAC address for the traffic.

Virtual Router

IP Address: Specify the IP address of the virtual router. This IP address is used to connect to a DUT, so it must be in the same subnet as the connected port of the DUT. Make sure the corresponding routing rules are set on the DUT so that the DUT correctly forwards traffic to the virtual router. Only a single IP address in the format xxx.xxx.xxx.xxx is accepted here.

Subnet
Subnet IP Address or Range: Specify a single IP address with standard format (for example, ) or an address range like
Netmask: Specify a netmask between 1 and 31.
VLAN ID: Specify a VLAN ID between 1 and
Gateway: NAT mode only. Specify the gateway IP address.
Peer Network: NAT mode only. Specify the peer network subnet address.
Add Subnet: If necessary, click +Add Subnet to display additional subnet configuration controls. An interface port can have multiple subnets. FortiTester uses all IP addresses in the specified subnets to create TCP connections and transfer data.

Load
Simulated Users: Number of users to simulate.
Standalone mode: The default is 256. The valid range is from 1 to
Test Center mode: The default is 512, and the valid range is from 1 to 2048, for example, for an environment with two FortiTester appliances.
Concurrent Connection: Number of concurrent connections.
Standalone mode: The default is 5,000,000. The valid range is 5,000 to 5,000,000.
Test Center mode: The default is 10,000,000, and the valid range is 5,000 to 10,000,000, for example, for an environment with two FortiTester appliances.
Concurrent Close: Number of connections to close at one time. To avoid packet loss on the DUT, the connection close operation is performed batch by batch.
Standalone mode: The default is 256, and the valid range is 1 to 10,000.
Test Center mode: The default is 512, and the valid range is 1 to 10,000.
Speed Limit: Rate of new connections per second. The default is 0, which means the device will create connections as fast as possible.
Standalone mode: The valid range is 256 to 600,000 connections per second (or the special value 0).
Test Center mode: The valid range is 256 to 1,200,000, for example, for an environment with two FortiTester appliances.

Network

MTU: Preset to Not configurable.

Profile (Client)
Source Port Range: Specify a client port range. The valid range is 10,000 to 65,535, which is also the default.
Client Close Mode: Select the connection close method: 3Way_Fin or Reset.
IP Change Algorithm/Port Change Algorithm: Determines how the system changes source/destination IP addresses and ports to simulate multiple client requests. Preset to Random. Not configurable. The Random option selects an IP address or port in the range randomly.
Piggybacking: Disabled. Not configurable.
Send Size: Specify the buffer size to send out from the client side. The default is 800 bytes. The valid range is from 1 to 100,000.
Receive Size: Specify the buffer size to receive from the server side. The default is 1,000 bytes. The valid range is from 1 to 100,000.

Profile (Server)
Server Port: Preset to 80. Not configurable.
Server Close Mode: Preset to 3Way_Fin. Not configurable.
Piggybacking: Enabled, meaning an acknowledgment is sent on the data frame, not in an individual frame. Not configurable.

Starting a TCP throughput test

FortiTester tests TCP throughput by generating a specified volume of two-way TCP traffic flow via specified ports.

To start a TCP throughput test:
1. Go to Cases > TCP > Throughput to display the test case summary page.
2. Click Add to display the Case Options dialog box.
3. In the popup dialog, configure the following settings:
IP Version: IPv4, IPv6 or Mixed.
DUT Working Mode: Transparent mode or NAT mode. In transparent mode, the DUT does not change the IP address of the packet. In NAT mode, the address is translated.
Network Config: Select the default template or a user-defined template. The network settings and subnet settings for the test case configuration are imported from the template. You can modify these settings after they are imported.
Port Binding: Optional. Port binding aggregates two or more physical ports into one logical port.
Support VLAN: Optional. Set VLAN ID in the traffic.
Support Client Virtual Router: Optional. When this function is enabled on a FortiTester client port, FortiTester simulates a router connecting the client subnets and the DUT. This virtual router finds a routing path for test traffic between the subnets deployed on the FortiTester client port and the connected DUT. Virtual Router is available for deployments of Proxy mode and NAT mode.
Click OK to continue.
4. Configure the test case options described in Table
Click Start to run the test case.

FortiTester saves the configuration automatically so you can run the test again later. You can also click Save to save the test case without running it.

Tip: You can also copy an existing case, and change its settings to create a new case. In the case list, click Extend to clone the configuration. Only the case name is different from the original case.

Table 12: TCP Throughput Test Case configuration

Basic Information
Name: Specify the case name, or just use the default. The name appears in the list of test cases.
Ping Server Timeout: If a FortiTester connects to a DUT via a switch, the switch might cause a ping timeout, resulting in the test case failing to run. If this occurs, increase the timeout. The default is 15 seconds. The valid range is 1 to 600.
Number of Samples: Select the number of samples. The default is 20, which means the web UI will show the last 20 samples (about 20 seconds) on the test case running page. You can select 20, 60, or 120.
Duration: Specify the test duration. The default is 10 minutes. The test stops automatically after the duration you specify.

Network
Client Ports, Server Ports: The graphic depicts the test ports for client-side and server-side connections. The client ports simulate the behavior of clients; the server ports simulate the behavior of servers. FortiTester builds the TCP connections between client ports and server ports (and through the DUT, of course). You must select at least one client port and one server port. After you select a port for the client, a check mark is displayed on the port icon, and a tab for the port is added below the graphic.
Use the tabs to toggle the Capture Packets and Subnet settings controls for each port.

Capture Packets
Capture Packets: Optional. Set packet capture options if you want to capture the traffic of this port. You can capture all packets or specify a number. You can set packet capture filters for host IP/port and protocol.
Note: The system allocates temporary disk space for packet captures. The limit is 200,000 packets. The packets are saved to a temporary file that you can download from the running test case page. The filename indicates whether it is client or server communication and the interface port number. For example, client_port1.pcap. When a subsequent test case with packet capture enabled uses the same interface port as a previous one, the previous file is overwritten.

MAC Masquerade
MAC Masquerade: Specify the first two bytes of a MAC address for the traffic.

Virtual Router
IP Address: Specify the IP address of the virtual router. This IP address is used to connect to a DUT, so it must be in the same subnet as the connected port of the DUT. Make sure the corresponding routing rules are set on the DUT so that the DUT correctly forwards traffic to the virtual router. Only a single IP address in the format xxx.xxx.xxx.xxx is accepted here.

Subnet
IP Address or Range: Specify a single IP address with standard format (for example, ) or an address range like
Netmask: Specify a netmask between 1 and 31.
VLAN ID: Specify a VLAN ID between 1 and
Gateway: NAT mode only. Specify the gateway IP address.
Peer Network: NAT mode only. Specify the peer network subnet address.
Add Subnet: If necessary, click +Add Subnet to display additional subnet configuration controls. An interface port can have multiple subnets. FortiTester uses all IP addresses in the specified subnets to create TCP connections and transfer data.

Load
Simulated Users: Number of users to simulate.
Standalone mode: The default is 256. The valid range is from 1 to
Test Center mode: The default is 512, and the valid range is from 1 to 2048, for example, for an environment with two FortiTester appliances.
Bandwidth Limit: TCP data load. The default is the special value 0, which means to transfer as much data as FortiTester can generate. For all other values, the unit is Mbit per second.
Standalone mode: The valid range is 10 to 20,000.
Test Center mode: The valid range is 10 to 40,000.
Ramp Up Seconds: Time in seconds for traffic to ramp up when you start the test.
Ramp Down Seconds: Time in seconds for traffic to ramp down when you stop the test.

Network

Network MTU: Maximum Transmission Unit for a data packet. FortiTester does not send out data packets larger than this value. Most DUTs have a limitation for packet size. The default is Fortinet recommends that you use the default.
Throughput Buffer Size: TCP buffer size. The bigger the buffer, the better the throughput. The default is 1460 bytes. The valid range is 64 to 10M.

Profile (Client)
Source Port Range: Specify a client port range. The valid range is 10,000 to 65,535, which is also the default.
IP Change Algorithm / Port Change Algorithm: Select a change algorithm: Increment or Random. This setting determines how the system changes source/destination IP addresses and ports to simulate multiple client requests. The Increment option uses the next IP address or port in the range, for example: > ; port > The Random option selects an IP address or port in the range randomly.
Piggybacking: Enabled, meaning an acknowledgment is sent on the data frame, not in an individual frame. Not configurable.

Profile (Server)
Server Port: Preset to Not configurable.
Server Close Mode: Preset to Reset. Not configurable.
Piggybacking: Enabled. Not configurable.

Starting a TurboTCP test

FortiTester tests TurboTCP connections per second (CPS) performance by generating a specified volume of two-way TCP traffic flow via specified ports. The traffic generated for each connection includes the TCP three-way handshake and the TCP connection close (Reset).

To start a TurboTCP test:
1. Go to Cases > TCP > TurboTCP to display the test case summary page.
2. Click Add to display the Case Options dialog box.
3. In the popup dialog, configure the following settings:
IP Version: IPv4, IPv6 or Mixed.
DUT Role: Network Gateway or Application Server. If you want to test an application server, the FortiTester appliance will work as a pure client; if you want to test a network gateway, it will work as both client and server.
DUT Working Mode: Transparent mode, NAT mode, or Web Proxy mode. In the transparent mode, the DUT does not change the IP address of the packet. In NAT mode, the address is translated. In Web Proxy mode, the proxy address is used. If the DUT is configured in Web Proxy mode (e.g. a WAF), select Web Proxy.

Network Config: Select the default template or a user-defined template. The network settings and subnet settings for the test case configuration are imported from the template. You can modify these settings after they are imported.
Port Binding: Optional. Port binding aggregates two or more physical ports into one logical port.
Support VLAN: Optional. Set VLAN ID in the traffic.
Support Client Virtual Router: Optional. While this function is enabled on a FortiTester's client port, FortiTester simulates a router connecting the client subnets and the DUT. This virtual router will find a routing path out for testing traffic communicating between subnets deployed on the FortiTester's client port and the connected DUT. Virtual Router is available for deployments of Proxy mode and NAT mode.
Click OK to continue.
4. Configure the test case options described in Table 13.
5. Click Start to run the test case. FortiTester saves the configuration automatically so you can run the test again later. You can also click Save to save the test case without running it.
Tip: You can also copy an existing case, and change its settings to create a new case. In the case list, click Extend to clone the configuration. Only the case name is different from the original case.

Table 13: TurboTCP Test Case configuration
Basic Information
Name: Specify the case name, or just use the default. The name appears in the list of test cases.
Ping Server Timeout: If a FortiTester connects to a DUT via a switch, the switch might cause a ping timeout, resulting in the test case failing to run. If this occurs, increase the timeout. The default is 15 seconds. The valid range is 1 to 600.
Number of Samples: Select the number of samples. The default is 20, which means the web UI will show the last 20 data samples (about 20 seconds) in the test case running page. You can select 20, 60, or 120.
Duration: Specify the test duration. The default is 10 minutes.
The test stops automatically after the duration you specify.
Network
Client Ports, Server Ports: The graphic depicts the test ports for client-side and server-side connections. The client ports simulate the behavior of clients; the server ports simulate the behavior of servers. FortiTester builds the TCP connections between client ports and server ports (and through the DUT, of course). You must select at least one client port and one server port. After you select a port for client, a (check mark) is displayed on the port icon, and a tab for the port is added below the graphic. Use the tabs to toggle the Capture Packets and Subnet settings controls for each port.
Capture Packets

Capture Packets: Optional. Set packet capture options if you want to capture the traffic of this port. You can capture all packets or specify a number. You can set packet capture filters for host IP/port and protocol. Note: The system allocates temporary disk space for packet captures. The limit is 200,000 packets. The packets are saved to a temporary file that you can download from the running test case page. The filename indicates whether it is client or server communication and the interface port number. For example, client_port1.pcap. When a subsequent test case with packet capture enabled uses the same interface port as a previous one, the previous file is overwritten.
MAC Masquerade
MAC Masquerade: Specify the first two bytes of a MAC address for the traffic.
Virtual Router IP Address: Specify the IP address of the virtual router. This IP address is used to connect to a DUT, so it must be in the same subnet as the connected port of the DUT. Make sure the corresponding routing rules are set on the DUT so that the DUT correctly forwards traffic to the virtual router. Only a single IP address in the format xxx.xxx.xxx.xxx is accepted here.
Subnet
Subnet IP Address or Range: Specify a single IP address with standard format (for example, ) or an address range like
Netmask: Specify a netmask between 1 and 31.
VLAN ID: Specify a VLAN ID between 1 and
Gateway: NAT mode only. Specify the gateway IP address.
Peer Network: NAT mode only. Specify the peer network subnet address.
Proxy IP/Mask: Web Proxy mode only. Specify the proxy IP address/netmask.
Add Subnet: If necessary, click +Add Subnet to display additional subnet configuration controls. An interface port can have multiple subnets. FortiTester uses all IP addresses in the specified subnets to create TCP connections and transfer data.
Load
Simulated Users: Number of users to simulate. Standalone mode: The default is 256.
The valid range is from 1 to Test Center mode: The default is 512, and the valid range is from 1 to 2048, for example, for an environment with two FortiTester appliances.

Speed Limit: Rate of new connections per second. The default is 0, which means the device will create connections as fast as possible. Standalone mode: The valid range is 1,000 to 2,000,000 connections per second (or the special value 0). Test Center mode: The valid range is 1,000 to 4,000,000, for example, for an environment with two FortiTester appliances.
Ramp Up Seconds: Time in seconds for traffic to ramp up when you start the test.
Ramp Down Seconds: Time in seconds for traffic to ramp down when you stop the test.
Network MTU: Maximum Transmission Unit for a data packet. FortiTester does not send out data packets larger than this value. Most DUTs have a limitation for packet size. The default is The valid range is 1,280 to 9,000.
Profile (Client)
Source Port Range: Specify a client port range. The valid range is 10,000 to 65,535, which is also the default.
IP Change Algorithm / Port Change Algorithm: Select a change algorithm: Increment or Random. This setting determines how the system changes source/destination IP addresses and ports to simulate multiple client requests. The Increment option uses the next IP address or port in the range, for example: > ; port > The Random option selects an IP address or port in the range randomly.
Piggybacking: Disabled. Not configurable.
Profile (Server)
Server Port: Preset to The valid range is from 0 to 65,535.
Server Close Mode: Preset to Reset. Not configurable.
Piggybacking: Enabled, meaning an acknowledgment is sent on the data frame, not in an individual frame. Not configurable.

Starting a UDP PPS test
FortiTester tests UDP throughput by sending a specified size of UDP frames at a maximum or limited speed from simulated clients to simulated servers.
To start a UDP PPS test:
1. Go to Cases > UDP > PPS to display the test case summary page.
2. Click Add to display the Case Options dialog box.

3. In the popup dialog, configure the following settings:
IP Version: IPv4, IPv6 or Mixed.
DUT Role: Network Gateway or Application Server. If you want to test an application server, the FortiTester appliance will work as a pure client; if you want to test a network gateway, it will work as both client and server.
DUT Working Mode: Transparent mode or NAT mode. In the transparent mode, the DUT does not change the IP address of the packet. In NAT mode, the address is translated.
Network Config: Select the default template or a user-defined template. The network settings and subnet settings for the test case configuration are imported from the template. You can modify these settings after they are imported.
Support VLAN: Optional. Set VLAN ID in the traffic.
Support Client Virtual Router: Optional. While this function is enabled on a FortiTester's client port, FortiTester simulates a router connecting the client subnets and the DUT. This virtual router will find a routing path out for testing traffic communicating between subnets deployed on the FortiTester's client port and the connected DUT. Virtual Router is available for deployments of Proxy mode and NAT mode.
Click OK to continue.
4. Configure the test case options described in Table 14.
5. Click Start to run the test case. FortiTester saves the configuration automatically so you can run the test again later. You can also click Save to save the test case without running it.
Tip: You can also copy an existing case, and change its settings to create a new case. In the case list, click Extend to clone the configuration. Only the case name is different from the original case.

Table 14: UDP PPS Test Case configuration
Basic Information
Name: Specify the case name, or just use the default. The name appears in the list of test cases.
Ping Server Timeout: If a FortiTester connects to a DUT via a switch, the switch might cause a ping timeout, resulting in the test case failing to run. If this occurs, increase the timeout. The default is 15 seconds. The valid range is 1 to 600.
Number of Samples: Select the number of samples. The default is 20, which means the web UI will show the last 20 data samples (about 20 seconds) in the test case running page. You can select 20, 60, or 120.
Duration: Specify the test duration. The default is 10 minutes. The test stops automatically after the duration you specify.
Network

Client Ports, Server Ports: The graphic depicts the test ports for client-side and server-side connections. The client ports simulate the behavior of clients; the server ports simulate the behavior of servers. FortiTester builds the TCP connections between client ports and server ports (and through the DUT, of course). You must select at least one client port and one server port. After you select a port for client, a (check mark) is displayed on the port icon, and a tab for the port is added below the graphic. Use the tabs to toggle the Capture Packets and Subnet settings controls for each port.
Capture Packets
Capture Packets: Optional. Set packet capture options if you want to capture the traffic of this port. You can capture all packets or specify a number. You can set packet capture filters for host IP/port and protocol. Note: The system allocates temporary disk space for packet captures. The limit is 200,000 packets. The packets are saved to a temporary file that you can download from the running test case page. The filename indicates whether it is client or server communication and the interface port number. For example, client_port1.pcap. When a subsequent test case with packet capture enabled uses the same interface port as a previous one, the previous file is overwritten.
MAC Masquerade
MAC Masquerade: Specify the first two bytes of a MAC address for the traffic.
Virtual Router IP Address: Specify the IP address of the virtual router. This IP address is used to connect to a DUT, so it must be in the same subnet as the connected port of the DUT. Make sure the corresponding routing rules are set on the DUT so that the DUT correctly forwards traffic to the virtual router. Only a single IP address in the format xxx.xxx.xxx.xxx is accepted here.
Subnet
Subnet IP Address or Range: Specify a single IP address with standard format (for example, ) or an address range like
Netmask: Specify a netmask between 1 and 31.
VLAN ID: Specify a VLAN ID between 1 and
Gateway: NAT mode only. Specify the gateway IP address.
Peer Network: NAT mode only. Specify the peer network subnet address.
Add Subnet: If necessary, click +Add Subnet to display additional subnet configuration controls. An interface port can have multiple subnets. FortiTester uses all IP addresses in the specified subnets to create UDP connections and transfer data.
Load
Latency: Enable to give the packet latency as the test result.

Simulated Users: Number of users to simulate. Standalone mode: The default is 256. The valid range is from 1 to 512. Test Center mode: The default is 512, and the valid range is from 1 to 1024, for example, for an environment with two FortiTester appliances.
UDP Package Size: The default is 64 bytes. The valid range is 64 to
Bandwidth Limit: The default is 0, which means the maximum possible. The unit is Mbps. Standalone mode: The valid range is 10 to 20,000 (or the special value 0). Test Center mode: The valid range is 10 to 40,000, for example, for an environment with two FortiTester appliances.
Ramp Up Seconds: Time in seconds for traffic to ramp up when you start the test.
Ramp Down Seconds: Time in seconds for traffic to ramp down when you stop the test.
Dual Traffic Mode
Dual Traffic Mode: When disabled (and also by default), traffic will only be sent out from the client side to the server side; but when enabled, traffic will also be sent out from the server side to the client side. Enable to generate bidirectional UDP traffic between client and server sides. Each side generates and receives UDP packets.
Network MTU: Preset to Not configurable.
Profile (Client)
Source Port Range: Specify a client port range. The valid range is 10,000 to 65,535, which is also the default.
IP Change Algorithm / Port Change Algorithm: Determines how the system changes source/destination IP addresses and ports to simulate multiple client requests. Preset to Increment. Not configurable. The Increment option uses the next IP address or port in the range, for example: > ; port >
Profile (Server)
Server Port: The default is 6,001. The valid range is from 0 to 65,535.

Starting a UDP Payload test
FortiTester tests UDP payload by sending UDP frames with the specified payload from the client ports to the server ports.

To start a UDP payload test:
1. Go to Cases > UDP > Payload to display the test case summary page.
2. Click Add to display the Case Options dialog box.
3. In the popup dialog, configure the following settings:
IP Version: IPv4, IPv6 or Mixed.
DUT Role: Network Gateway or Application Server. If you want to test an application server, the FortiTester appliance will work as a pure client; if you want to test a network gateway, it will work as both client and server.
DUT Working Mode: Transparent mode or NAT mode. In the transparent mode, the DUT does not change the IP address of the packet. In NAT mode, the address is translated.
Network Config: Select the default template or a user-defined template. The network settings and subnet settings for the test case configuration are imported from the template. You can modify these settings after they are imported.
Support VLAN: Optional. Set VLAN ID in the traffic.
Support Client Virtual Router: Optional. While this function is enabled on a FortiTester's client port, FortiTester simulates a router connecting the client subnets and the DUT. This virtual router will find a routing path out for testing traffic communicating between subnets deployed on the FortiTester's client port and the connected DUT. Virtual Router is available for deployments of Proxy mode and NAT mode.
Click OK to continue.
4. Configure the test case options described in Table 15.
5. Click Start to run the test case. FortiTester saves the configuration automatically so you can run the test again later. You can also click Save to save the test case without running it.
Tip: You can also copy an existing case, and change its settings to create a new case. In the case list, click Extend to clone the configuration. Only the case name is different from the original case.

Table 15: UDP Payload Test Case configuration
Basic Information
Name: Specify the case name, or just use the default.
The name appears in the list of test cases.
Ping Server Timeout: If a FortiTester connects to a DUT via a switch, the switch might cause a ping timeout, resulting in the test case failing to run. If this occurs, increase the timeout. The default is 15 seconds. The valid range is 1 to 600.
Number of Samples: Select the number of samples. The default is 20, which means the web UI will show the last 20 data samples (about 20 seconds) in the test case running page. You can select 20, 60, or 120.
Duration: Specify the test duration. The default is 10 minutes. The test stops automatically after the duration you specify.
Network

Client Ports, Server Ports: The graphic depicts the test ports for client-side and server-side connections. The client ports simulate the behavior of clients; the server ports simulate the behavior of servers. FortiTester builds the TCP connections between client ports and server ports (and through the DUT, of course). You must select at least one client port and one server port. After you select a port for client, a (check mark) is displayed on the port icon, and a tab for the port is added below the graphic. Use the tabs to toggle the Capture Packets and Subnet settings controls for each port.
Capture Packets
Capture Packets: Optional. Set packet capture options if you want to capture the traffic of this port. You can capture all packets or specify a number. You can set packet capture filters for host IP/port and protocol. Note: The system allocates temporary disk space for packet captures. The limit is 200,000 packets. The packets are saved to a temporary file that you can download from the running test case page. The filename indicates whether it is client or server communication and the interface port number. For example, client_port1.pcap. When a subsequent test case with packet capture enabled uses the same interface port as a previous one, the previous file is overwritten.
MAC Masquerade
MAC Masquerade: Specify the first two bytes of a MAC address for the traffic.
Virtual Router IP Address: Specify the IP address of the virtual router. This IP address is used to connect to a DUT, so it must be in the same subnet as the connected port of the DUT. Make sure the corresponding routing rules are set on the DUT so that the DUT correctly forwards traffic to the virtual router. Only a single IP address in the format xxx.xxx.xxx.xxx is accepted here.
Subnet
Subnet IP Address or Range: Specify a single IP address with standard format (for example, ) or an address range like
Netmask: Specify a netmask between 1 and 31.
VLAN ID: Specify a VLAN ID between 1 and
Gateway: NAT mode only. Specify the gateway IP address.
Peer Network: NAT mode only. Specify the peer network subnet address.
Add Subnet: If necessary, click +Add Subnet to display additional subnet configuration controls. An interface port can have multiple subnets. FortiTester uses all IP addresses in the specified subnets to create UDP connections and transfer data.
Load
Payload: Use the plain text predefined format to specify the payload.

Simulated Users: Number of users to simulate. Standalone mode: The default is 256. The valid range is from 1 to 512. Test Center mode: The default is 512, and the valid range is from 1 to 1024, for example, for an environment with two FortiTester appliances.
Bandwidth Limit: The default is 0, which means the maximum possible. The unit is Mbps. Standalone mode: The valid range is 10 to 20,000 (or the special value 0). Test Center mode: The valid range is 10 to 40,000, for example, for an environment with two FortiTester appliances.
Ramp Up Seconds: Time in seconds for traffic to ramp up when you start the test.
Ramp Down Seconds: Time in seconds for traffic to ramp down when you stop the test.
Network MTU: Preset to Not configurable.
Profile (Client)
Source Port Range: Specify a client port range. The valid range is 10,000 to 65,535, which is also the default.
IP Change Algorithm / Port Change Algorithm: Determines how the system changes source/destination IP addresses and ports to simulate multiple client requests. Preset to Increment. Not configurable. The Increment option uses the next IP address or port in the range, for example: > ; port >
Profile (Server)
Server Port: The default is 514. The valid range is 0 to 65,535.

Starting a SMTP test
FortiTester tests performance of a target device under SMTP traffic by simulating a volume of clients to generate SMTP traffic.
To start an SMTP test:
1. Go to Cases > Mail > SMTP to display the test case summary page.
2. Click Add to display the Case Options dialog box.
3. In the popup dialog, configure the following settings:
IP Version: IPv4, IPv6 or Mixed.
DUT Role: Network Gateway or Application Server. If you want to test an application server, the FortiTester appliance will work as a pure client; if you want to test a network gateway, it will work as both client and server.

DUT Working Mode: Transparent mode or NAT mode. In the transparent mode, the DUT does not change the IP address of the packet. In NAT mode, the address is translated.
Network Config: Select the default template or a user-defined template. The network settings and subnet settings for the test case configuration are imported from the template. You can modify these settings after they are imported.
Support VLAN: Optional. Set VLAN ID in the traffic.
Support Client Virtual Router: Optional. While this function is enabled on a FortiTester's client port, FortiTester simulates a router connecting the client subnets and the DUT. This virtual router will find a routing path out for testing traffic communicating between subnets deployed on the FortiTester's client port and the connected DUT. Virtual Router is available for deployments of Proxy mode and NAT mode.
Click OK to continue.
4. Configure the test case options described in Table 16.
5. Click Start to run the test case. FortiTester saves the configuration automatically so you can run the test again later. You can also click Save to save the test case without running it.
Tip: You can also copy an existing case, and change its settings to create a new case. In the case list, click Extend to clone the configuration. Only the case name is different from the original case.

Table 16: SMTP Test Case configuration
Basic Information
Name: Specify the case name, or just use the default. The name appears in the list of test cases.
Ping Server Timeout: If a FortiTester connects to a DUT via a switch, the switch might cause a ping timeout, resulting in the test case failing to run. If this occurs, increase the timeout. The default is 15 seconds. The valid range is 1 to 600.
Number of Samples: Select the number of samples. The default is 20, which means the web UI will show the last 20 data samples (about 20 seconds) in the test case running page. You can select 20, 60, or 120.
Duration: Specify the test duration. The default is 10 minutes. The test stops automatically after the duration you specify.
Network
Client Ports, Server Ports: The graphic depicts the test ports for client-side and server-side connections. The client ports simulate the behavior of clients; the server ports simulate the behavior of servers. FortiTester builds the TCP connections between client ports and server ports (and through the DUT, of course). You must select at least one client port and one server port. After you select a port for client, a (check mark) is displayed on the port icon, and a tab for the port is added below the graphic. Use the tabs to toggle the Capture Packets and Subnet settings controls for each port.
Capture Packets

Capture Packets: Optional. Set packet capture options if you want to capture the traffic of this port. You can capture all packets or specify a number. You can set packet capture filters for host IP/port and protocol. Note: The system allocates temporary disk space for packet captures. The limit is 200,000 packets. The packets are saved to a temporary file that you can download from the running test case page. The filename indicates whether it is client or server communication and the interface port number. For example, client_port1.pcap. When a subsequent test case with packet capture enabled uses the same interface port as a previous one, the previous file is overwritten.
MAC Masquerade
MAC Masquerade: Specify the first two bytes of a MAC address for the traffic.
Virtual Router IP Address: Specify the IP address of the virtual router. This IP address is used to connect to a DUT, so it must be in the same subnet as the connected port of the DUT. Make sure the corresponding routing rules are set on the DUT so that the DUT correctly forwards traffic to the virtual router. Only a single IP address in the format xxx.xxx.xxx.xxx is accepted here.
Subnet
Subnet IP Address or Range: Specify a single IP address with standard format (for example, ) or an address range like
Netmask: Specify a netmask between 1 and 31.
VLAN ID: Specify a VLAN ID between 1 and
Gateway: NAT mode only. Specify the gateway IP address.
Peer Network: NAT mode only. Specify the peer network subnet address.
Add Subnet: If necessary, click +Add Subnet to display additional subnet configuration controls. An interface port can have multiple subnets. FortiTester uses all IP addresses in the specified subnets to create UDP connections and transfer data.
Load
Mail: Set mail content for the simulated SMTP traffic. This is editable.
Limit
Simulated Users: Number of users to simulate. Standalone mode: The default is 256.
The valid range is from 1 to Test Center mode: The default is 512, and the valid range is from 1 to 2048, for example, for an environment with two FortiTester appliances.

Mail Send Limit: Rate for sending mails per second. The default is 0, which means the maximum possible. Standalone mode: The valid range is 100 to 180,000 (or the special value 0). Test Center mode: The valid range is 100 to 360,000, for example, for an environment with two FortiTester appliances.
Ramp Up Seconds: Time in seconds for traffic to ramp up when you start the test.
Ramp Down Seconds: Time in seconds for traffic to ramp down when you stop the test.
SMTP Address: The sender address. The default is [email protected].
SMTP To: The receiver address. The default is [email protected].
SMTP Password: The password of the sender. The default is tester@fts.
Network MTU: Preset to Not configurable.
Profile (Client)
Source Port Range: Specify a client port range. The valid range is 10,000 to 65,535, which is also the default.
Client Close Mode: Preset to 3Way_Fin. Not configurable.
IP Change Algorithm / Port Change Algorithm: Determines how the system changes source/destination IP addresses and ports to simulate multiple client requests. Preset to Increment. Not configurable. The Increment option uses the next IP address or port in the range, for example: > ; port > The Random option selects an IP address or port in the range randomly.
Piggybacking: An acknowledgment is sent in an individual frame. This is disabled and not configurable.
Profile (Server)
Server Port: Preset to 25. Not configurable.
Piggybacking: An acknowledgment is sent in an individual frame. This is disabled and not configurable.

Starting an Attack Replay test
FortiTester can test security systems by replaying a predefined or customized set of attack traffic. The predefined set covers 100 types of attacks. The test result shows the CVE-ID for every type of attack. You can also see the attack list in the Cases > Replay > Attack page.
Note: The Attack Replay test is available only in Standalone work mode.
Before you begin:

Optional. If you want to test custom attack traffic, you must create a package of pcap files that can be replayed. Only IPv4 traffic is supported. Follow the file naming convention: Description[_CVE-$CVEID].pcap. Here [] means optional. The file type can be .pcap, .tgz, .tar.gz, or .zip. A .tgz, .tar.gz, or .zip file includes a group of .pcap files. Maximum file size is 200MB. You can upload it, put it into a default or customized group, and then select the group of attack files you want to replay later.
To start an Attack Replay test:
1. Go to Cases > Replay > Attack to display the test case summary page.
2. Click Add to display the Case Options dialog box.
3. In the popup dialog, configure the following settings:
IP Version: IPv4 or IPv6.
DUT Working Mode: Transparent mode or NAT mode. In the transparent mode, the DUT does not change the IP address of the packet. In NAT mode, the address is translated.
Network Config: Select the default template or a user-defined template. The network settings and subnet settings for the test case configuration are imported from the template. You can modify these settings after they are imported.
Click OK to continue.
4. Configure the test case options described in Table 17.
5. Click Start to run the test case. FortiTester saves the configuration automatically so you can run the test again later. You can also click Save to save the test case without running it.
Tip: You can also copy an existing case, and change its settings to create a new case. In the case list, click Extend to clone the configuration. Only the case name is different from the original case.

Table 17: Attack Replay Test Case configuration
Basic Information
Name: Specify the case name, or just use the default. The name appears in the list of test cases.
Ping Server Timeout: If a FortiTester connects to a DUT via a switch, the switch might cause a ping timeout, resulting in the test case failing to run.
If this occurs, increase the timeout. The default is 15 seconds. The valid range is 1 to 600.
Network
Client Ports, Server Ports: The graphic depicts the test ports for client-side and server-side connections. The client ports simulate the behavior of clients; the server ports simulate the behavior of servers. FortiTester builds the TCP connections between client ports and server ports (and through the DUT, of course). You must select at least one client port and one server port. After you select a port for client, a (check mark) is displayed on the port icon, and a tab for the port is added below the graphic. Use the tabs to toggle the Capture Packets and Subnet settings controls for each port.

Capture Packets
Capture Packets: Optional. Set packet capture options if you want to capture the traffic of this port. You can capture all packets or specify a number. You can set packet capture filters for host IP/port and protocol. Note: The system allocates temporary disk space for packet captures. The limit is 200,000 packets. The packets are saved to a temporary file that you can download from the running test case page. The filename indicates whether it is client or server communication and the interface port number. For example, client_port1.pcap. When a subsequent test case with packet capture enabled uses the same interface port as a previous one, the previous file is overwritten.
Subnet
Subnet IP Address or Range: Specify a single IP address with standard format (for example, ) or an address range like
Netmask: Specify a netmask between 1 and 31.
Gateway: NAT mode only. Specify the gateway IP address.
Peer Network: NAT mode only. Specify the peer network subnet address.
Load
Peer Receiving Timeout: This timeout specifies how long the client waits for a response from the server. If the client does not receive a response within the timeout, it considers the packet lost. The default value is 2 milliseconds.
Break Once Packet Lost: Select Yes or No. The Yes option means when the system identifies packet loss (the server side has not received the packet that client sent out), it stops the current traffic replay (pcap file), and continues the test with the next traffic file. The No option (the default) means a break is not set; the current replay continues.
Network MTU: Preset to Not configurable.
Action
Enable System Attack List: Enable/disable the system attack list. There are 100 types of attacks in the system attack list.
User Intrusion: Optional. Select attacks from the user-defined attack list. Before you can select them, you must upload pcap files that contain your customized attack traffic.
At the top of the case list, clickuser Attack Management and then upload your file. Starting a Traffic Replay test FortiTester tests user-defined scenarios by replaying pcap files. Typically, pcap files are generated by programs like tcpdump or Wireshark. Note: The Traffic Replay test is available only in Standalone work mode. FortiTester Handbook 66

Before you begin:
- You must create pcap files that can be replayed.
- Only IPv4 traffic is supported.
- Maximum file size is 200MB.

To start a Traffic Replay test:
1. Go to Cases > Replay > Traffic to display the test case summary page.
2. Click Add to display the Case Options dialog box.
3. In the popup dialog, configure the following settings:
   IP Version: IPv4 or IPv6.
   DUT Working Mode: Transparent mode or NAT mode. In transparent mode, the DUT does not change the IP address of the packet. In NAT mode, the address is translated.
   Network Config: Select the default template or a user-defined template. The network settings and subnet settings for the test case configuration are imported from the template. You can modify these settings after they are imported.
   Click OK to continue.
4. Configure the test case options described in Table 18.
5. Click Start to run the test case.

FortiTester saves the configuration automatically so you can run the test again later. You can also click Save to save the test case without running it.

Tip: You can also copy an existing case and change its settings to create a new case. In the case list, click Extend to clone the configuration. Only the case name is different from the original case.

Table 18: Traffic Replay Test Case configuration

Basic Information

Name: Specify the case name, or just use the default. The name appears in the list of test cases.
Ping Server Timeout: If a FortiTester connects to a DUT via a switch, the switch might cause a ping timeout, resulting in the test case failing to run. If this occurs, increase the timeout. The default is 15 seconds. The valid range is 1 to 600.
Number of Samples: Select the number of samples. The default is 20, which means the web UI shows the last 20 data samples (about 20 seconds) in the test case running page. You can select 20, 60, or 120.
Duration: Specify the test duration. The default is 10 minutes. The test stops automatically after the duration you specify.

Network

Client Ports, Server Ports: The graphic depicts the test ports for client-side and server-side connections. The client ports simulate the behavior of clients; the server ports simulate the behavior of servers. FortiTester builds the TCP connections between client ports and server ports (and through the DUT, of course). You must select at least one client port and one server port. After you select a client port, a check mark is displayed on the port icon, and a tab for the port is added below the graphic. Use the tabs to toggle the Capture Packets and Subnet settings controls for each port.

Capture Packets

Capture Packets: Optional. Set packet capture options if you want to capture the traffic of this port. You can capture all packets or specify a number. You can set packet capture filters for host IP/port and protocol. Note: The system allocates temporary disk space for packet captures. The limit is 200,000 packets. The packets are saved to a temporary file that you can download from the running test case page. The filename indicates whether it is client or server communication and the interface port number. For example, client_port1.pcap. When a subsequent test case with packet capture enabled uses the same interface port as a previous one, the previous file is overwritten.

Subnet

IP Address or Range: Specify a single IP address with standard format (for example, ) or an address range like
Netmask: Specify a netmask between 1 and 31.
Gateway: NAT mode only. Specify the gateway IP address.
Peer Network: NAT mode only. Specify the peer network subnet address.

Load

Bandwidth Limit: The default is 0, which means the maximum possible. The valid range is 10 to 10,000 Mbps (or the special value 0).
Loops: Number of times to play the pcap file. The default is 10, means as many as possible.
Input Pcap: You can upload pcap files from your PC and select one to send. Note that the uploaded files can be used for future cases.
Network MTU: Preset to Not configurable.

Starting a DDoS test

FortiTester tests the ability of the DUT to handle different types of DDoS attack. The traffic load tries to exhaust the DUT resources using multiple DDoS attack types.

To start a DDoS test:
1. Go to Cases > DDoS > [Single Packet Flood | TCP Session Flood | HTTP Session Flood | Concurrent Session Flood] to display the test case summary page.
2. Click Add to display the Case Options dialog box.
3. In the pop-up dialog, configure the following settings:
   IP Version: IPv4, IPv6 or Mixed.
   DUT Role: Network Gateway or Application Server. If you want to test an application server, the FortiTester appliance works as a pure client; if you want to test a network gateway, it works as both client and server.
   DUT Working Mode: Transparent mode or NAT mode. In transparent mode, the DUT does not change the IP address of the packet. In NAT mode, the address is translated.
   Network Config: Select the default template or a user-defined template. The network settings and subnet settings for the test case configuration are imported from the template. You can modify these settings after they are imported.
   Support VLAN: Optional. Set VLAN ID in the traffic.
   Support Client Virtual Router: Optional. When this function is enabled on a FortiTester client port, FortiTester simulates a router connecting the client subnets and the DUT. The virtual router finds a routing path for test traffic between the subnets deployed on the FortiTester client port and the connected DUT. Virtual Router is available for deployments of Proxy mode and NAT mode.
   Click OK to continue.
4. Configure the test case options described in Table 19.
5. Click Start to run the test case.

FortiTester saves the configuration automatically so you can run the test again later. You can also click Save to save the test case without running it.

Tip: You can also copy an existing case and change its settings to create a new case. In the case list, click Extend to clone the configuration. Only the case name is different from the original case.

Table 19: DDoS Test Case configuration

Basic Information

Name: Specify the case name, or just use the default. The name appears in the list of test cases.
Ping Server Timeout: If a FortiTester connects to a DUT via a switch, the switch might cause a ping timeout, resulting in the test case failing to run. If this occurs, increase the timeout. The default is 15 seconds. The valid range is 1 to 600.
Number of Samples: Select the number of samples. The default is 20, which means the web UI shows the last 20 data samples (about 20 seconds) in the test case running page. You can select 20, 60, or 120.
Duration: Specify the test duration. The default is 10 minutes. The test stops automatically after the duration you specify.

Network

Client Ports, Server Ports: The graphic depicts the test ports for client-side and server-side connections. The client ports simulate the behavior of clients; the server ports simulate the behavior of servers. FortiTester builds the TCP connections between client ports and server ports (and through the DUT, of course). You must select at least one client port and one server port. After you select a client port, a check mark is displayed on the port icon, and a tab for the port is added below the graphic. Use the tabs to toggle the Capture Packets and Subnet settings controls for each port.

Capture Packets

Capture Packets: Optional. Set packet capture options if you want to capture the traffic of this port. You can capture all packets or specify a number. You can set packet capture filters for host IP/port and protocol. Note: The system allocates temporary disk space for packet captures. The limit is 200,000 packets. The packets are saved to a temporary file that you can download from the running test case page. The filename indicates whether it is client or server communication and the interface port number. For example, client_port1.pcap. When a subsequent test case with packet capture enabled uses the same interface port as a previous one, the previous file is overwritten.

MAC Masquerade

MAC Masquerade: Specify the first two bytes of a MAC address for the traffic.
Virtual Router IP Address: Specify the IP address of the virtual router. This IP address is used to connect to a DUT, so it must be in the same subnet as the connected port of the DUT. Make sure the corresponding routing rules are set on the DUT so that the DUT correctly forwards traffic to the virtual router. Only a single IP address in the format xxx.xxx.xxx.xxx is accepted here.

Subnet

IP Address or Range: Specify a single IP address with standard format (for example, ) or an address range like
Netmask: Specify a netmask between 1 and 31.
VLAN ID: Specify a VLAN ID between 1 and
Gateway: NAT mode only. Specify the gateway IP address.
Peer Network: NAT mode only. Specify the peer network subnet address.

Load

Simulated Users: Number of users to simulate.
   Standalone mode: The default is 256. The valid range is from 1 to
   Test Center mode: The default is 512, and the valid range is from 1 to 2048, for example, for an environment with two FortiTester appliances.
DDoS Types: There are four types of DDoS attack traffic: Single Packet Flood, TCP Session Flood, HTTP Session Flood, and Concurrent Session Flood. After you select a type, selection boxes for subtypes are displayed below. To change the percentage mix of subtypes, double-click the pie chart and adjust the percentages.
Speed Limit: Applies only when DDoS type is TCP Session Flood or HTTP Session Flood. Rate of new connections per second. The default is 0, which means the device will create connections as fast as possible.
   Standalone mode: The valid range is from 1,000 to 20,000 connections per second (or the special value 0).
   Test Center mode: The valid range is from 1,000 to 20,000, for example, for an environment with two FortiTester appliances.
Concurrent Connection: Applies only when DDoS type is Concurrent Session Flood. Number of concurrent connections.
   Standalone mode: The default is 6,000,000. The valid range is from 10,000 to 6,000,000.
   Test Center mode: The default is 12,000,000, and the valid range is 10,000 to 12,000,000, for example, for an environment with two FortiTester appliances.
Ramp Up Seconds: Time in seconds for traffic to ramp up when you start the test. Not available for Concurrent Session Flood test.
Ramp Down Seconds: Time in seconds for traffic to ramp down when you stop the test. Not available for Concurrent Session Flood test.

Network

Network MTU: Maximum Transmission Unit for a data packet. FortiTester does not send out data packets larger than this value. Most DUTs have a limitation for packet size. The default is The valid range is 1,280 to 9,000.

Profile (Client)

Source Port Range: Specify a client port range. The valid range is 10,000 to 65,535, which is also the default.
IP Change Algorithm / Port Change Algorithm: Select a change algorithm: Increment or Random. This setting determines how the system changes source/destination IP addresses and ports to simulate multiple client requests. The Increment option uses the next IP address or port in the range, for example: > ; port > The Random option selects an IP address or port in the range randomly.
Piggybacking: Disabled, meaning an acknowledgment is sent in an individual frame. Not configurable.

Profile (Server)

Server Port: Preset to 80. Not configurable.
Piggybacking: Enabled. Not configurable.

Starting a DNS test

FortiTester tests the latency of the DUT in handling DNS query requests. A DUT could be a gateway device or a DNS server.

To start a DNS test:
1. Go to Cases > DNS > Latency to display the test case summary page.
2. Click Add to display the Case Options dialog box.
3. In the popup dialog, configure the following settings:
   IP Version: IPv4, IPv6 or Mixed.
   DUT Role: Network Gateway or Application Server. If you want to test an application server, the FortiTester appliance works as a pure client; if you want to test a network gateway, it works as both client and server.
   DUT Working Mode: Transparent mode or NAT mode. In transparent mode, the DUT does not change the IP address of the packet. In NAT mode, the address is translated.
   Network Config: Select the default template or a user-defined template. The network settings and subnet settings for the test case configuration are imported from the template. You can modify these settings after they are imported.
   Port Binding: Optional. Aggregate two or more physical ports into one logical port.
   Support VLAN: Optional. Set VLAN ID in the traffic.
   Support Client Virtual Router: Optional. When this function is enabled on a FortiTester client port, FortiTester simulates a router connecting the client subnets and the DUT. The virtual router finds a routing path for test traffic between the subnets deployed on the FortiTester client port and the connected DUT. Virtual Router is available for deployments of Proxy mode and NAT mode.
   Click OK to continue.
4. Configure the test case options described in Table 20.
5. Click Start to run the test case.

FortiTester saves the configuration automatically so you can run the test again later. You can also click Save to save the test case without running it.

Tip: You can also copy an existing case and change its settings to create a new case. In the case list, click Extend to clone the configuration. Only the case name is different from the original case.

Table 20: DNS Test Case configuration

Basic Information

Name: Specify the case name, or just use the default. The name appears in the list of test cases.
Ping Server Timeout: If a FortiTester connects to a DUT via a switch, the switch might cause a ping timeout, resulting in the test case failing to run. If this occurs, increase the timeout. The default is 15 seconds. The valid range is 1 to 600.
Number of Samples: Select the number of samples. The default is 20, which means the web UI shows the last 20 data samples (about 20 seconds) in the test case running page. You can select 20, 60, or 120.
Duration: Specify the test duration. The default is 10 minutes. The test stops automatically after the duration you specify.

Network

Client Ports, Server Ports: The graphic depicts the test ports for client-side and server-side connections. The client ports simulate the behavior of clients; the server ports simulate the behavior of servers. FortiTester builds the TCP connections between client ports and server ports (and through the DUT, of course). You must select at least one client port and one server port. After you select a client port, a check mark is displayed on the port icon, and a tab for the port is added below the graphic. Use the tabs to toggle the Capture Packets and Subnet settings controls for each port.

Capture Packets

Capture Packets: Optional. Set packet capture options if you want to capture the traffic of this port. You can capture all packets or specify a number. You can set packet capture filters for host IP/port and protocol. Note: The system allocates temporary disk space for packet captures. The limit is 200,000 packets. The packets are saved to a temporary file that you can download from the running test case page. The filename indicates whether it is client or server communication and the interface port number. For example, client_port1.pcap. When a subsequent test case with packet capture enabled uses the same interface port as a previous one, the previous file is overwritten.

MAC Masquerade

MAC Masquerade: Specify the first two bytes of a MAC address for the traffic.
Virtual Router IP Address: Specify the IP address of the virtual router. This IP address is used to connect to a DUT, so it must be in the same subnet as the connected port of the DUT. Make sure the corresponding routing rules are set on the DUT so that the DUT correctly forwards traffic to the virtual router. Only a single IP address in the format xxx.xxx.xxx.xxx is accepted here.

Subnet

IP Address or Range: Specify a single IP address with standard format (for example, ) or an address range like
Netmask: Specify a netmask between 1 and

VLAN ID: Specify a VLAN ID between 1 and
Gateway: NAT mode only. Specify the gateway IP address.
Peer Network: NAT mode only. Specify the peer network subnet address.

Load

Simulated Users: Number of users to simulate.
   Standalone mode: The default is 256. The valid range is from 1 to 250,000.
   Test Center mode: The default is 512, and the valid range is from 1 to 500,000, for example, for an environment with two FortiTester appliances.
Bandwidth Limit: The default is 0, which means the maximum possible. The unit is Mbps.
   Standalone mode: The valid range is 10 to 20,000 (or the special value 0).
   Test Center mode: The valid range is 10 to 40,000, for example, for an environment with two FortiTester appliances.
Ramp Up Seconds: Time in seconds for traffic to ramp up when you start the test.
Ramp Down Seconds: Time in seconds for traffic to ramp down when you stop the test.
DNS Renew Socket: Specify Yes or No. If Yes, the client side renews a socket to send out the next query (note that if the client profile Domain Policy is set as List, all queries for the names in the domain list use the same socket; after that, a new socket is created for the next batch of queries). If No, the old socket is used.
DNS Query Timeout: The default is 1000 milliseconds.
Network MTU: Preset to Not configurable.

Profile (Client)

Source Port Range: Specify a client port range. The valid range is 10,000 to 65,535, which is also the default.
IP Change Algorithm / Port Change Algorithm: Select a change algorithm: Increment or Random. This setting determines how the system changes source/destination IP addresses and ports to simulate multiple client requests. The Increment option uses the next IP address or port in the range, for example: > ; port > The Random option selects an IP address or port in the range randomly.
Domain Policy: Random or List. If Random is selected, FortiTester generates random domain names for queries. If List is selected, FortiTester uses the queries in the specified list.

Domain List: If Domain Policy is List, specify a list of domain name records. For example: fortinet.com:a, fortitester.com:mx
A name followed by :A is an address record, while a name followed by :MX is a mail exchange record.

Profile (Server)

Server Port: The DNS server access port. The default is 53. The valid range is 0 to 65,535.

Starting a Mixed Traffic test

FortiTester tests mixed traffic performance by simulating multiple clients that burst all types of traffic simultaneously.

To start a Mixed Traffic test:
1. Go to Cases > HTTPS > Mixed Traffic to display the test case summary page.
2. Click Add to display the Case Options dialog box.
3. In the popup dialog, configure the following settings:
   IP Version: IPv4, IPv6 or Mixed.
   DUT Role: Network Gateway or Application Server. If you want to test an application server, the FortiTester appliance works as a pure client; if you want to test a network gateway, it works as both client and server.
   DUT Working Mode: Transparent mode, NAT mode, or Web Proxy mode. In transparent mode, the DUT does not change the IP address of the packet. In NAT mode, the address is translated.
   Network Config: Select the default template or a user-defined template. The network settings and subnet settings for the test case configuration are imported from the template. You can modify these settings after they are imported.
   Port Binding: Optional. Port binding aggregates two or more physical ports into one logical port.
   Support VLAN: Optional. Set VLAN ID in the traffic.
   Support Client Virtual Router: Optional. When this function is enabled on a FortiTester client port, FortiTester simulates a router connecting the client subnets and the DUT. The virtual router finds a routing path for test traffic between the subnets deployed on the FortiTester client port and the connected DUT. Virtual Router is available for deployments of Proxy mode and NAT mode.
   Mixed Traffic Types: Select two or more traffic types from the list.
   Click OK to continue.
4. Configure the test case options as described in Table 21.
5. Click Start to run the test case.

FortiTester saves the configuration automatically, so you can run the test again later. You can also click Save to save the test case without running it.

Tip: You can also copy an existing case and change its settings to create a new case. In the case list, click Extend to clone the configuration. Only the case name is different from the original case.

Table 21: Mixed Traffic Test Case configuration

Basic Information

Name: Specify the case name, or just use the default. The name appears in the list of test cases.
Ping Server Timeout: If a FortiTester connects to a DUT via a switch, the switch might cause a ping timeout, resulting in the test case failing to run. If this occurs, increase the timeout. The default is 15 seconds. The valid range is 1 to 600.
Number of Samples: Select the number of samples. The default is 20, which means the web UI shows the last 20 data samples (about 20 seconds) in the test case running page. You can select 20, 60, or 120.
Duration: Specify the test duration. The default is 10 minutes. The test stops automatically after the duration you specify.

Network

Client Ports, Server Ports: The graphic depicts the test ports for client-side and server-side connections. The client ports simulate the behavior of clients; the server ports simulate the behavior of servers. FortiTester builds the TCP connections between client ports and server ports (and through the DUT, of course). You must select at least one client port and one server port. After you select a client port, a check mark is displayed on the port icon, and a tab for the port is added below the graphic. Use the tabs to toggle the Capture Packets and Subnet settings controls for each port.

Capture Packets

Capture Packets: Optional. Set packet capture options if you want to capture the traffic of this port. You can capture all packets or specify a number. You can set packet capture filters for host IP/port and protocol. Note: The system allocates temporary disk space for packet captures. The limit is 200,000 packets. The packets are saved to a temporary file that you can download from the running test case page. The filename indicates whether it is client or server communication and the interface port number. For example, client_port1.pcap. When a subsequent test case with packet capture enabled uses the same interface port as a previous one, the previous file is overwritten.

MAC Masquerade

MAC Masquerade: Specify the first two bytes of a MAC address for the traffic.
Virtual Router IP Address: Specify the IP address of the virtual router. This IP address is used to connect to a DUT, so it must be in the same subnet as the connected port of the DUT. Make sure the corresponding routing rules are set on the DUT so that the DUT correctly forwards traffic to the virtual router. Only a single IP address in the format xxx.xxx.xxx.xxx is accepted here.

Subnet

IP Address or Range: Specify a single IP address with standard format (for example, ) or an address range like
Netmask: Specify a netmask between 1 and

VLAN ID: Specify a VLAN ID between 1 and
Gateway: NAT mode only. Specify the gateway IP address.
Peer Network: NAT mode only. Specify the peer network subnet address.
Proxy IP/Mask: Web Proxy mode only. Specify the proxy IP address/netmask.
Add Subnet: If necessary, click +Add Subnet to display additional subnet configuration controls. An interface port can have multiple subnets. FortiTester uses all IP addresses in the specified subnets to create TCP connections and transfer data.

Stopping tests

There are two ways to stop a running test:
- In the test configuration, specify an automatic stop after a specified duration.
- Click the Stop button on the running page of a test that is in progress.

Displaying test status

A few seconds after you start a test, the page automatically switches to a test status page. You can also navigate to the status page by clicking the icon in the top navigation menu.

The following example shows status displayed on the Summary tab of a TCP throughput test.

Figure 5: Test status Summary tab

The following figure shows the Client tab. You can use its subtabs to review results by port or network layer.

Figure 6: Test status Client tab

Viewing test results

When you start a test, a status page is displayed showing results.

The data is updated every second. It includes Layer 2, Layer 3, and Layer 4 data. HTTP/HTTPS test cases also include Layer 7 data.

Layer 2 data represents the throughput for every port and a total summary. The throughput includes inbound traffic and outbound traffic for every port.
Layer 3 data represents the packets sent and received for every port and a total summary.
Layer 4 data represents the number of sessions.
Layer 7 data represents the number of requests and connections.

You can click the icon in the top banner to display a list of all the test cases on the left side of the page. This list includes cases that are stopped (either normally or abnormally) and are ordered by test start time. Click a test case to view its result.

The following example shows results for an HTTP CPS test.

Figure 7: HTTP CPS test results

The following figure shows results for an Attack Replay test.

Figure 8: Attack Replay results

For Attack Replay tests, the results show status for every attack traffic file and a summary count for packets with the following statuses: Peer Received, Packet Lost, or Illegal Packet.

Peer Received means the server has received all the packets sent out by the client.
Packet Lost means the server has not received all the packets sent out by the client; one or more packets were lost after the traffic passed through the DUT.
Illegal Packet means the FortiTester system encountered a packet larger than the MTU (the default is 1500) and has stopped the replay of that pcap file.

Exporting/importing a test case

After you click Start or Save, FortiTester automatically saves the test configuration. You can edit or make a copy of a test configuration before you run it.

You can use the Export/Import utilities to export a test case configuration (as a .zip file) and then import it into another FortiTester appliance.

In the top banner, click the icon to display the list of saved test cases. Cases are categorized by test type.
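The Traffic Replay prerequisites (IPv4 only, 200MB maximum) and the Illegal Packet status (a packet larger than the MTU, default 1500) can be checked on a pcap file before it is uploaded. The script below is an added example, not part of the handbook or of FortiTester; the function names are hypothetical, 200MB is read as 200 MiB, and "packet size" is assumed to mean the on-wire frame length minus the Ethernet/VLAN header.

```python
import struct
from collections import Counter

# Limits quoted from the handbook; how FortiTester measures them is assumed.
MAX_FILE_BYTES = 200 * 1024 * 1024  # "Maximum file size is 200MB" (read as MiB)
DEFAULT_MTU = 1500                  # default MTU named for Illegal Packet
LINKTYPE_ETHERNET = 1
ETH_IPV4, ETH_VLAN = 0x0800, 0x8100
PCAPNG_MAGIC = b"\x0a\x0d\x0d\x0a"
# Classic pcap magic as it appears on disk -> struct byte-order prefix.
PCAP_MAGICS = {
    b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">",  # microsecond stamps
    b"\x4d\x3c\xb2\xa1": "<", b"\xa1\xb2\x3c\x4d": ">",  # nanosecond stamps
}


def check_pcap(data, mtu=DEFAULT_MTU, max_bytes=MAX_FILE_BYTES):
    """Pre-flight a classic pcap image (bytes) against the replay limits."""
    report = {"size_ok": len(data) <= max_bytes, "packets": 0,
              "non_ipv4": Counter(), "over_mtu": [], "truncated": False,
              "error": None, "ready": False}
    if data[:4] == PCAPNG_MAGIC:
        report["error"] = "pcapng file: this checker only reads classic pcap"
        return report
    order = PCAP_MAGICS.get(data[:4])
    if order is None or len(data) < 24:
        report["error"] = "not a classic pcap file"
        return report
    (linktype,) = struct.unpack(order + "I", data[20:24])
    if linktype != LINKTYPE_ETHERNET:
        report["error"] = f"unsupported link type {linktype}"
        return report

    offset = 24  # first record follows the 24-byte global header
    while offset < len(data):
        if offset + 16 > len(data):
            report["truncated"] = True
            break
        _sec, _frac, incl_len, orig_len = struct.unpack(
            order + "IIII", data[offset:offset + 16])
        frame = data[offset + 16:offset + 16 + incl_len]
        if len(frame) < incl_len:
            report["truncated"] = True
            break
        offset += 16 + incl_len
        report["packets"] += 1
        if len(frame) < 14:
            report["non_ipv4"]["short-frame"] += 1
            continue
        (ethertype,) = struct.unpack("!H", frame[12:14])
        l2_len = 14
        # Step over 802.1Q tags so tagged IPv4 is not misreported.
        while ethertype == ETH_VLAN and len(frame) >= l2_len + 4:
            (ethertype,) = struct.unpack("!H", frame[l2_len + 2:l2_len + 4])
            l2_len += 4
        if ethertype != ETH_IPV4:
            report["non_ipv4"][f"0x{ethertype:04x}"] += 1
        l3_len = orig_len - l2_len  # orig_len: size on the wire, not snaplen
        if l3_len > mtu:
            report["over_mtu"].append((report["packets"], l3_len))
    report["ready"] = (report["size_ok"] and not report["truncated"]
                       and not report["non_ipv4"] and not report["over_mtu"])
    return report


def make_frame(ethertype, payload_len, vlan_id=None):
    """Constructed Ethernet frame: fixed MACs, zero-filled payload."""
    header = bytes.fromhex("020000000001") + bytes.fromhex("020000000002")
    if vlan_id is not None:
        header += struct.pack("!HH", ETH_VLAN, vlan_id)
    return header + struct.pack("!H", ethertype) + bytes(payload_len)


def build_sample_pcap():
    """Constructed capture: small IPv4, IPv6, oversized IPv4, VLAN IPv4."""
    frames = [make_frame(ETH_IPV4, 60), make_frame(0x86DD, 80),
              make_frame(ETH_IPV4, 1600),
              make_frame(ETH_IPV4, 1500, vlan_id=100)]
    image = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535,
                        LINKTYPE_ETHERNET)
    for second, frame in enumerate(frames):
        image += struct.pack("<IIII", second, 0, len(frame), len(frame))
        image += frame
    return image


if __name__ == "__main__":
    result = check_pcap(build_sample_pcap())
    for key, value in result.items():
        shown = dict(value) if isinstance(value, Counter) else value
        print(f"{key}: {shown}")
```

To check a real capture, pass the file contents, for example `check_pcap(open(path, "rb").read())`; entries in `over_mtu` are (packet number, size) pairs counted from 1.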

Scheduling cases

You can schedule a test case to run automatically at a time you specify. You can also specify a repeat interval (once, hourly, daily, weekly, monthly).

To configure a schedule:
1. Go to Cases > Config Schedule.
2. Click Add to display the configuration page.
3. Select the case type and select an existing case.
4. Set the start date and time.
5. Select a repeat option.
6. Save the schedule configuration.

Tip: To set up a schedule from the case list, click the icon to display the schedule configuration page.

Chapter 3 - System Administration

This chapter provides procedures for common system administration tasks.

Displaying system status

The System page displays the system version and serial number of the appliance. You can also see log disk usage information. If the appliance comes installed with an SSL Accelerator card, you will see it and can enable/disable it.

Note: The SSL acceleration feature works only when the FortiTester appliance works as the server side. Enabling or disabling it will not influence the performance of the client side when performing an HTTPS test.

The figure below shows the System Information portlet.

Figure 9: System Information

Updating firmware

You can use the web UI to upgrade the firmware image.

Before you begin:
- Download the firmware file from the Fortinet support website.
- Read the release notes for the version you plan to install.
- You must be logged in as the user admin to upgrade firmware.

To upgrade firmware:
1. Go to the System page.
2. Click the Upgrade link in the system information section.
3. Click Browse to locate and select the image file.
4. Click to upload the firmware and reboot.

The system replaces the firmware on the active partition and reboots.

Shutting down the system

Always properly shut down the FortiTester appliance operating system before turning off the power switch or unplugging the appliance. This causes it to finish writing buffered data, and to slow and park the hard disks.

Do not unplug or switch off the FortiTester appliance before halting the operating system. Failure to shut down correctly could cause data loss and hardware problems.

To power off the appliance via the web UI:
1. Go to the System page.
2. Click the Shutdown button. The appliance becomes quieter when it stops its hardware and operating system, indicating that it is ready for power to be disconnected.
3. Disconnect the power cable from the power supply.

To power off the appliance via the CLI:
1. Connect to the CLI using a terminal emulator.
2. Enter the following command:
   execute shutdown
   The appliance becomes quieter when it stops its hardware and operating system, indicating that it is ready for power to be disconnected.
3. Disconnect the power cable from the power supply.

Rebooting the system

Rebooting the appliance is similar to shutting down. To reboot, do one of the following:
- Go to the System page and click the Reboot button.
- Enter the execute reboot command via the CLI.

Resetting the system

To restore the appliance to its initial state, click the Config reset button on the System page.

Warning: This operation clears all the data and cannot be canceled, so use it carefully.

Before you reset the system, you can export system configuration data so that you can later import it. The configuration data includes all the test case settings and test results, user accounts, and test HTML pages for HTTP/HTTPS test cases.

Creating test users

The FortiTester system has one default administrative account named "admin". It also allows you to create other administrative or tester users. The default admin account is the super administrator, which can create and delete all other accounts, whereas the other administrative accounts can only create administrative/tester accounts and delete tester accounts.

An administrative user can perform a test, create and delete a tester, and set the system configuration. A tester user can only perform tests and view test results. If a user logs in with a tester role, the User Management menu is not shown, and the content in the System page is read-only.

To create a test user:
1. Go to the drop-down menu under the admin login in the top navigation bar.
2. Select User Management.
3. Click Add to display the configuration page.
4. Complete the username and password settings.
5. Select a role and set the username and password.
6. Save the configuration.

Chapter 4 - Joining multiple appliances into a Test Center

This chapter provides procedures for joining multiple appliances into a Test Center.

Changing the work mode setting

The work mode setting determines whether the FortiTester operates as a standalone appliance or is joined with other FortiTester appliances to form a Test Center. By default, FortiTester appliances operate in Standalone work mode. If your test plans require more interfaces than a single FortiTester has, you can join the appliances into what is called a Test Center. One appliance is the Test Center master appliance; the others are Test Center slaves.

You manage test cases from the Test Center appliance management interface; the web UI is not available for an appliance in Test Slave work mode. When you enter the web UI address for the Test Slave appliance, it displays the following page instead.

To set up a Test Center:

1. Log into the web UI of one FortiTester (e.g ).
2. Go to the System page.
3. Click the Work Mode tab.
4. The appliance is in Standalone work mode by default.
5. Click Test Center to make it the Test Center master.

   The System page shows the current work mode of this appliance is TestCenter, and a table is shown that lists the appliances that are under control of this one.
6. Log into another FortiTester (e.g ).
7. Go to the System page.
8. Click the Work Mode tab.
9. Click Test Slave. The system displays a popup prompt to specify the Test Center master IP address.
10. Enter the IP address of the Test Center master and click Connect.
11. Return to the System page on the master and click Refresh. You will see is in the table.

You can click the X to disconnect the slave appliance or click the Disconnect button in the slave Web GUI to return to Standalone mode.

When the appliances have been added to the Test Center, you can select one or more FortiTester appliances to work as clients and others to work as servers when you create test cases. In this example, has the client ports; has the server ports.

You can add up to four pairs of appliances to a Test Center.


Chapter 5 - Using the Command-Line Interface

You can configure some settings through a connection to the command-line interface (CLI).

Requires: Terminal emulator such as PuTTY, TeraTerm, or a terminal server.

To connect to the CLI via serial console:

1. Using the console cable, connect the appliance console port to your terminal server or computer.
2. On your computer or terminal server, start the terminal emulator. Use these settings:
   Baud rate: 9600
   Data bits: 8
   Parity: None
   Stop bits: 1
   Flow control: None
3. Press Enter on your keyboard to connect to the CLI.

Note: After you configure the management port, you can connect to the management port and use the CLI remotely using SSH or Telnet.

Getting CLI help

You can enter the help command or ? to display CLI command and setting information. For example:

help                        Help.
?                           Help.
get system status           System status.
show system interface       Show network interfaces and configurations.
show system route           Show default route.
show system setting         Show system setting.
show system memsize         Show total memory size.
config system hostname      Configure hostname.
config system interface     Configure interfaces.
config system route         Configure route.
config system setting       Configure system settings. (Maintainer Login, Telent Daemon...)
execute ping                PING command.
execute time <hh:mm:ss>     Set time.
execute date <yyyy-mm-dd>   Set date.
execute reboot              Reboot FortiTester.

execute shutdown            Shutdown FortiTester.
execute factoryreset        Factory reset FortiTester.
execute formatlogdisk       Format storage.
exit                        Exit the CLI.
sysctl ash                  Debug mode.

The following examples show how to configure the management interface, the default gateway, and the appliance hostname.

config system interface
  edit mgmt
    set ip
  next
end
config system route
  set gateway
end
config system hostname
  set hostname <string>
end

Command descriptions

The following table describes the commonly used CLI commands.

Command
    Description

help
    Shows help information.

?
    Shows help information.

get system status
    Shows the system version, serial number, hostname, time, and system uptime.

show system interface
    Shows information about the configured network interfaces.
      config system interface
        edit mgmt
          set ip
        next
      end

show system route
    Shows the gateway address for management port.
      Default gateway:

Command
    Description

show system setting
    Shows whether the common mode for HTTP CPS/RPS and TCP throughput is enabled or not. The default is disabled. Also shows whether the system allows login with the maintainer account. The default is enabled.

show system memsize
    Shows the size of the system's memory.

config system hostname
    Set the host name for this appliance.

config system interface
    Configures network interfaces.

config system route
    Configures the gateway address for the management port.
      config system route
        set gateway
      end

config system setting
    Enable/disable the common mode and maintainer login.

execute ping
    Execute a ping command.

execute time
    Sets the system time. The time format is hh:mm:ss.

execute date
    Set the system date. The date format is yyyy-mm-dd.

execute reboot
    Reboots the system.

execute shutdown
    Shuts down the system.

execute factoryreset
    Reset the system into an initial state. Note this operation will clear all existing data/configuration.

execute formatlogdisk
    Execute a format disk command for log storage.

exit
    Exits the current session.

sysctl ash
    Enter the debug mode for troubleshooting.

Copyright 2016 Fortinet, Inc. All rights reserved. Fortinet, FortiGate, FortiCare and FortiGuard, and certain other marks are registered trademarks of Fortinet, Inc., in the U.S. and other jurisdictions, and other Fortinet names herein may also be registered and/or common law trademarks of Fortinet. All other product or company names may be trademarks of their respective owners. Performance and other metrics contained herein were attained in internal lab tests under ideal conditions, and actual performance and other results may vary. Network variables, different network environments and other conditions may affect performance results. Nothing herein represents any binding commitment by Fortinet, and Fortinet disclaims all warranties, whether express or implied, except to the extent Fortinet enters a binding written contract, signed by Fortinet's General Counsel, with a purchaser that expressly warrants that the identified product will perform according to certain expressly-identified performance metrics and, in such event, only the specific performance metrics expressly identified in such binding written contract shall be binding on Fortinet. For absolute clarity, any such warranty will be limited to performance in the same ideal conditions as in Fortinet's internal lab tests. In no event does Fortinet make any commitment related to future deliverables, features, or development, and circumstances may change such that any forward-looking statements herein are not accurate. Fortinet disclaims in full any covenants, representations, and guarantees pursuant hereto, whether express or implied. Fortinet reserves the right to change, modify, transfer, or otherwise revise this publication without notice, and the most current version of the publication shall be applicable.


More information

Optimum Business SIP Trunk Set-up Guide

Optimum Business SIP Trunk Set-up Guide Optimum Business SIP Trunk Set-up Guide For use with IP PBX only. SIPSetup 07.13 FOR USE WITH IP PBX ONLY Important: If your PBX is configured to use a PRI connection, do not use this guide. If you need

More information

OSBRiDGE 5XLi. Configuration Manual. Firmware 3.10R

OSBRiDGE 5XLi. Configuration Manual. Firmware 3.10R OSBRiDGE 5XLi Configuration Manual Firmware 3.10R 1. Initial setup and configuration. OSBRiDGE 5XLi devices are configurable via WWW interface. Each device uses following default settings: IP Address:

More information

WAN Optimization, Web Cache, Explicit Proxy, and WCCP. FortiOS Handbook v3 for FortiOS 4.0 MR3

WAN Optimization, Web Cache, Explicit Proxy, and WCCP. FortiOS Handbook v3 for FortiOS 4.0 MR3 WAN Optimization, Web Cache, Explicit Proxy, and WCCP FortiOS Handbook v3 for FortiOS 4.0 MR3 FortiOS Handbook WAN Optimization, Web Cache, Explicit Proxy, and WCCP v3 13 January 2012 01-433-96996-20120113

More information

SANGFOR WOC. (Version 9.0-9.1) User Manual

SANGFOR WOC. (Version 9.0-9.1) User Manual SANGFOR WOC (Version 9.0-9.1) User Manual December 2015 Table of Contents Table of Contents...1 Declaration...6 Preface...7 About This Manual...7 Document Conventions...8 Graphic Interface Conventions...8

More information

PT Activity: Configure Cisco Routers for Syslog, NTP, and SSH Operations

PT Activity: Configure Cisco Routers for Syslog, NTP, and SSH Operations PT Activity: Configure Cisco Routers for Syslog, NTP, and SSH Operations Instructor Version Topology Diagram Addressing Table Device Interface IP Address Subnet Mask Default Gateway Switch Port R1 FA0/1

More information

DEPLOYMENT GUIDE DEPLOYING THE BIG-IP LTM SYSTEM WITH CITRIX PRESENTATION SERVER 3.0 AND 4.5

DEPLOYMENT GUIDE DEPLOYING THE BIG-IP LTM SYSTEM WITH CITRIX PRESENTATION SERVER 3.0 AND 4.5 DEPLOYMENT GUIDE DEPLOYING THE BIG-IP LTM SYSTEM WITH CITRIX PRESENTATION SERVER 3.0 AND 4.5 Deploying F5 BIG-IP Local Traffic Manager with Citrix Presentation Server Welcome to the F5 BIG-IP Deployment

More information

Network Security Platform 7.5

Network Security Platform 7.5 M series Release Notes Network Security Platform 7.5 Revision B Contents About this document New features Resolved issues Known issues Installation instructions Product documentation About this document

More information

Broadband Router ESG-103. User s Guide

Broadband Router ESG-103. User s Guide Broadband Router ESG-103 User s Guide FCC Warning This equipment has been tested and found to comply with the limits for Class A & Class B digital device, pursuant to Part 15 of the FCC rules. These limits

More information

USER GUIDE. Ethernet Configuration Guide (Lantronix) P/N: 2900-300321 Rev 6

USER GUIDE. Ethernet Configuration Guide (Lantronix) P/N: 2900-300321 Rev 6 KRAMER ELECTRONICS LTD. USER GUIDE Ethernet Configuration Guide (Lantronix) P/N: 2900-300321 Rev 6 Contents 1 Connecting to the Kramer Device via the Ethernet Port 1 1.1 Connecting the Ethernet Port Directly

More information

Hillstone StoneOS User Manual Hillstone Unified Intelligence Firewall Installation Manual

Hillstone StoneOS User Manual Hillstone Unified Intelligence Firewall Installation Manual Hillstone StoneOS User Manual Hillstone Unified Intelligence Firewall Installation Manual www.hillstonenet.com Preface Conventions Content This document follows the conventions below: CLI Tip: provides

More information

User Manual of Web Client

User Manual of Web Client User Manual of Web Client 1 Index Chapter 1 Software Installation... 3 Chapter 2 Begin to Use... 5 2.1 Login and Exit... 5 2.2 Preview Interface Instruction... 6 2.3 Preview Image... 7 Chapter 3 Playback...

More information

Quick Start for Network Agent. 5-Step Quick Start. What is Network Agent?

Quick Start for Network Agent. 5-Step Quick Start. What is Network Agent? What is Network Agent? Websense Network Agent software monitors all internet traffic on the machines that you assign to it. Network Agent filters HTTP traffic and more than 70 other popular internet protocols,

More information

WARP 3.0 Table of Contents

WARP 3.0 Table of Contents WARP 3.0 Table of Contents Overview................................................. 1 Chapter 1: Initial Setup Quick Install Instructions......................................4 Chapter 2: Interfaces LAN.....................................................6

More information

Hosting more than one FortiOS instance on. VLANs. 1. Network topology

Hosting more than one FortiOS instance on. VLANs. 1. Network topology Hosting more than one FortiOS instance on a single FortiGate unit using VDOMs and VLANs 1. Network topology Use Virtual domains (VDOMs) to divide the FortiGate unit into two or more virtual instances of

More information

Device Log Export ENGLISH

Device Log Export ENGLISH Figure 14: Topic Selection Page Device Log Export This option allows you to export device logs in three ways: by E-Mail, FTP, or HTTP. Each method is described in the following sections. NOTE: If the E-Mail,

More information

Innominate mguard Version 6

Innominate mguard Version 6 Innominate mguard Version 6 Configuration Examples mguard smart mguard PCI mguard blade mguard industrial RS EAGLE mguard mguard delta Innominate Security Technologies AG Albert-Einstein-Str. 14 12489

More information

Chapter 15: Advanced Networks

Chapter 15: Advanced Networks Chapter 15: Advanced Networks IT Essentials: PC Hardware and Software v4.0 1 Determine a Network Topology A site survey is a physical inspection of the building that will help determine a basic logical

More information

Load Balancing Clearswift Secure Web Gateway

Load Balancing Clearswift Secure Web Gateway Load Balancing Clearswift Secure Web Gateway Deployment Guide rev. 1.1.8 Copyright 2002 2016 Loadbalancer.org, Inc. 1 Table of Contents About this Guide...3 Loadbalancer.org Appliances Supported...3 Loadbalancer.org

More information

http://www.trendmicro.com/download

http://www.trendmicro.com/download Trend Micro Incorporated reserves the right to make changes to this document and to the products described herein without notice. Before installing and using the software, please review the readme files,

More information

Deployment Guide. AX Series with Microsoft Office SharePoint Server

Deployment Guide. AX Series with Microsoft Office SharePoint Server Deployment Guide AX Series with Microsoft Office SharePoint Server Table of Contents DEPLOYMENT GUIDE AX Series with Microsoft Office SharePoint Server Introduction... 1 Prerequisites & Assumptions...

More information

Installation of the On Site Server (OSS)

Installation of the On Site Server (OSS) Installation of the On Site Server (OSS) rev 1.1 Step #1 - Initial Connection to the OSS Having plugged in power and an ethernet cable in the eth0 interface (see diagram below) you can connect to the unit

More information

Recommended QoS Configuration Settings for. Fortinet FortiGate 30D Router

Recommended QoS Configuration Settings for. Fortinet FortiGate 30D Router Recommended QoS Configuration Settings for Fortinet FortiGate 30D Router Recommended QoS Configuration Fortinet FortiGate 30D Contents Contents Introduction....................................... 3 Supported

More information