FortiTester Handbook VERSION 3.2.0

Size: px

Start display at page:

Download "FortiTester Handbook VERSION 3.2.0"

Moris Bond
5 years ago
Views:

1 FortiTester Handbook VERSION 3.2.0

FORTINET DOCUMENT LIBRARY http://docs.fortinet.com FORTINET VIDEO GUIDE http://video.fortinet.com FORTINET BLOG https://blog.fortinet.com CUSTOMER SERVICE & SUPPORT https://support.fortinet.com FORTIGATE COOKBOOK http://cookbook.

2 FORTINET DOCUMENT LIBRARY FORTINET VIDEO GUIDE FORTINET BLOG CUSTOMER SERVICE & SUPPORT FORTIGATE COOKBOOK FORTINET TRAINING SERVICES FORTIGUARD CENTER END USER LICENSE AGREEMENT FEEDBACK January 4, 2018 FortiTester Handbook 1st Edition

3 TABLE OF CONTENTS TABLE OF CONTENTS 3 Change Log 6 Introduction 7 Features and benefits 8 What's New 11 Chapter 1 - Getting Started 12 Connecting to FortiTester 12 Configuring the management port 13 Configuring system time 14 Creating the admin password 15 Configuring the device under test 15 Chapter 2 - Running Tests 16 Test case configuration overview 16 Using port binding and link aggregation 16 Using 40G to 4 x 10G fan out 18 Using network configuration templates 18 Using certification configuration templates 20 Using payload templates 21 Using URL list templates 21 Using script object templates 21 Using DUT monitoring 22 Using success criteria 23 Starting an HTTP CPS test 23 Starting an HTTP RPS test 27 Starting an HTTP CC test 31 Starting an HTTP throughput test 36 Starting a web crawler test 41 Starting an HTTPS CPS test 42 Starting an HTTPS RPS test 46 Starting an HTTPS CC test 50 Starting an HTTPS throughput test 54 Starting an IPsec remote access test 58 Starting an IPsec remote access CC test 62 Starting a UDP PPS test 66 Starting a UDP Payload test 70 Starting an RFC 2544 base value test 73 Starting an RFC 2544 throughput test 76 Starting an RFC 2544 latency test 79

4 Starting an RFC 2544 loss rate test 82 Starting an RFC 2544 back to back test 85 Starting a TCP throughput test 88 Starting a TurboTCP test 92 Starting a TCP connection test 95 Starting an SMTP test 98 Starting a POP3 test 102 Starting an IMAP test 106 Starting an FTP test 109 Starting an LDAP test 112 Starting an NTP test 116 Starting a DNS latency test 119 Starting a TFTP test 122 Starting a RADIUS test 126 Starting an RTSP/RTP test 129 Starting a DHCP test 133 Starting an IGMP test 135 Starting an Attack Replay test 138 Starting a Traffic Replay test 141 Starting a GTP Replay test 143 Starting a DDoS single packet flood test 145 Starting a DDoS TCP session flood test 148 Starting a DDoS HTTP session flood test 151 Starting a DDoS concurrent session flood test 155 Starting a packet capture test 158 Starting a mixed traffic test 159 Stopping tests 162 Modifying traffic load mid-run 162 Displaying test status 163 Viewing test results 164 Exporting/importing a test case 165 Scheduling cases 165 Chapter 3 - System Administration 167 Displaying system status 167 Updating firmware 167 Shutting down the system 168 Rebooting the system 168 Resetting the system 169 Creating test users 169 Chapter 4 - Joining multiple appliances into a Test Center 170 Changing the work mode setting 170 Chapter 5 - Using the CLI 172

5 Getting CLI help 172 Command descriptions 173 Chapter 6 - Using the Rest API 175 Introduction 175 Enabling REST API Support 175 Authentication 175 Format 175 Error Codes 175 Example API commands 175 User login 175 Create user 176 Reboot system 177 Chapter 7 - Setting up a VM 178 Introduction 178 Licensing and deployment 178 Licensing 178 Deployment package 178 Deploying the appliance 179 Upload the license file 179 Deployment examples 179 Creating the virtual machine 179 VMware vsphere 179 Linux KVM 181 Getting started with the virtual machine 183

6 Change Log Change Log Date Change Description FortiTester initial release FortiTester Handbook 6

7 Introduction Introduction Welcome, and thank you for selecting Fortinet products for your testing environment. FortiTester appliances offer enterprises and service providers a cost-effective solution for performance testing and validating their network security infrastructure and services, providing a comprehensive range of application test cases to evaluate equipment and right-size infrastructure. All test functionality is included in one simple device-based license. FortiTester provides powerful yet easy-to-use test cases that simulate many applications and a case history browser for simple analysis. It enables you to establish performance standards and run audits to validate they continue to be met. A single 40 GE appliance allows 20 million concurrent connections and new TCP connection rates greater than 1 million/second, hardware-based acceleration supports new HTTPS connection rates above 20,000/second. Up to 8 appliances can be grouped in Test Center mode to massively scale performance. 40 GE device interfaces can be split to 4x 10 GE SPF+ for additional testing flexibility. Furthermore, the virtual appliance version provides an ideal tester for NFV and SDN environments. Meanwhile, the 100 GE device has a single QSFP28 interface and is designed to run in test center mode. Two devices in test center mode have 93 Gbps HTTP throughput and 84,000,000 HTTP concurrent connections. FortiTester implements DPDK, which provides libraries and user-space NIC drivers for accelerated packet processing performance. The implementation allows FortiTester to offer comprehensive line-rate testing on server-class hardware. This document describes how to set up your FortiTester appliance. It also describes how to use the web user interface (web UI) and command-line interface (CLI). 7 FortiTester Handbook

8 Features and benefits Introduction Features and benefits FortiTester is a network traffic test tool that is based on Fortinet's specialized hardware and software platform. It provides the following types of tests: HTTP/HTTPS CPS test FortiTester can test new connections per second (CPS) performance by simulating multiple clients that generate HTTP or HTTPS traffic. HTTP/HTTPS RPS test FortiTester can test requests per second (RPS) performance by simulating multiple clients that generate HTTP or HTTPS traffic. HTTP/HTTPS CC test FortiTester can test HTTP or HTTPS concurrent connection (CC) performance by simulating multiple clients that generate HTTP or HTTPS traffic. HTTP/HTTPS throughput test FortiTester can test HTTP or HTTPS throughput performance of a Device Under Test (DUT) by simulating multiple clients that generate HTTP or HTTPS traffic. IPsec FortiTester can test IPsec gateway performance by measuring IPsec and HTTP connections per second from simulated IPsec clients to an HTTP server behind the DUT s IPsec gateway. TCP throughput test FortiTester can test TCP throughput performance of a DUT by generating a specified volume of two-way TCP traffic flows via specified ports. TCP connection test FortiTester can test TCP concurrent connections performance by generating a specified volume of two-way TCP traffic flow via specified ports. TurboTCP test FortiTester can test new connections per second (CPS) performance by generating a specified volume of twoway TurboTCP traffic flows via specified ports. UDP PPS test FortiTester can test UDP throughput performance by sending a specified size of UDP frames at a maximum or limited speed from simulated clients to simulated servers. UDP Payload test FortiTester system can test UDP payload by sending UDP frames with a user-specified payload. RFC 2544 FortiTester implements RFC 2544 throughput, latency, data loss, and back to back test cases for UDP performance. Mail tests FortiTester Handbook 8

9 Introduction Features and benefits FortiTester can test SMTP, POP3, and IMAP performance by simulating a specified volume of clients to each send or receive one message Attack Replay test FortiTester can test security systems by replaying a predefined set of attack traffic or pcaps that you upload. The predefined set covers 100 types of attacks. Traffic Replay test FortiTester can test user-defined scenarios by replaying any pcap file. Typically, pcap files are generated by programs like tcpdump or Wireshark. DDos test FortiTester can send multiple types of distributed denial of service (DDoS) attack traffic to test DDoS detection/prevention systems. DNS Latency test FortiTester can send DNS query traffic to test latency to a server or through a gateway. RTSP/RTP test FortiTester can test RTSP/RTP connections by generating two-way traffic flow. Packet Capture test FortiTester can test packet capture by capturing packets received from the network adapter. Mixed traffic test FortiTester can burst all types (except HTTPS) of traffic simultaneously. NTP test FortiTester can send NTP query traffic to test NTP server response capabilities. DHCP test FortiTester can send DHCP requests to a DHCP server to measure latency. Web crawler test FortiTester can run a web crawler simulation to test the web access policies of a DUT. GTP replay test FortiTester can replay the GTP traffic passed through the device under test, as well as test the GTP feature on Fortigate. LDAP test FortiTester can send LDAP requests to test LDAP servers and network gateways. 40G to 4 x 10G fan out for FortiTester 3000E FortiTester can be configured for 4 x 10G fan out. TFTP test FortiTester can send TFTP requests to a TFTP server to measure the number of requests sent and performed per second. RADIUS test FortiTester can send RADIUS requests to a RADIUS server to measure the number of each type of response. IGMP test FortiTester can send join messages to a DUT to test if the DUT can send a data stream from the server. 9 FortiTester Handbook

10 Features and benefits Introduction FortiTester Handbook 10

11 What's New What's New The following features are introduced in 3.2.0: FortiTester now supports the 4000E model. FortiTester now supports the KVM platform. Added a new test case for TFTP testing. Added a new test case for RADIUS testing. Added a new test case for IGMP (Multicast) testing. FortiTester now supports jumbo packets. MTU can now be set up to FortiTester now supports VLAN in replay tests. FortiTester now supports QinQ VLAN. FortiTester 4000E now has an RxDrop counter on the Mellamox 100G network adapter. FortiTester 4000E now uses an Intel QAT card to improve HTTPS and IPSec test case performance. The Cavium driver and Turbo SSL have been upgraded. The IPSec CC test has been improved. A success criteria has been added to the HTTP and HTTPS tests. Users can configure these criteria to determine whether a test succeeds or fails. Multiple vulnerabilities have been resolved. 11 FortiTester Handbook

Chapter 1 - Getting Started Connecting to FortiTester Chapter 1 - Getting Started This chapter provides the procedures for getting started with FortiTester.

12 Chapter 1 - Getting Started Connecting to FortiTester Chapter 1 - Getting Started This chapter provides the procedures for getting started with FortiTester. Connecting to FortiTester A basic network connection topology for FortiTester is shown in Figure 1. Figure 1: A basic network connection topology A FortiTester appliance has multiple network ports. In most cases, one port is for management and the others are for testing. The management port (usually mgmt or port1) connects to a local network to enable the user to access the FortiTester appliance via the web UI. The test ports are divided into client ports and server ports that connect to the device under test (DUT). Client ports simulate multiple client devices that access the simulated server devices via server ports. Use the provided cables to connect the FortiTester to the DUT. When you use one FortiTester appliance in standalone work mode, the test ports on the standalone appliance are divided between client and server. Figure 2 shows the distribution of ports in a standalone environment. Port 1, a client port, is paired with port 3, a server port; port 2, a client port, is paired with port 4, a server port. Figure 2: Test ports in standalone work mode If your tests require more ports, you can join up to 4 pairs of FortiTester appliances in a Test Center. Figure 3 shows the distribution of ports in a Test Center environment with two FortiTester appliances. Ports 1-4 of the first appliance are client ports; ports 1-4 of the second appliance are server ports. Port 1 on the first appliance is paired with port 1 on the second appliance. 12 FortiTester Handbook

13 Configuring the management port Chapter 1 - Getting Started Figure 3: Test ports in Test Center / Slave work mode For information on configuring a Test Center, see Chapter 4 - Joining multiple appliances into a Test Center. Configuring the management port The management port must be connected to the same switch as the administrator client computer. Use the ethernet cord provided with the FortiTester. The following procedure assumes that the default management port IP address ( ) is not on the same subnet as your client computer. To configure the management port: 1. Configure your computer to match the FortiTester default management port subnet. For example, from the Windows 7 Control Panel, go to Network and Sharing Center. Click the Local Area Connection link, and then click the Properties button. Select Internet Protocol Version 4 (TCP/IPv4) and then click its Properties button. Select Use the following IP address, and then enter the following settings: IP address: Subnet mask: To connect to the web UI, start a web browser and go to or 3. Type admin in the Username field, enter the password, and then click Login. 4. In the top banner, click the icon to display the System settings page. 5. Click the Device Ports tab. 6. For the management port, change its IP address, netmask, and default gateway. The following example changes the management IP address to FortiTester Handbook 13

Chapter 1 - Getting Started Configuring system time Figure 4: Set management port 7. Click Apply to complete configuration of the management port. 8. Click the DNS Server tab. 9.

14 Chapter 1 - Getting Started Configuring system time Figure 4: Set management port 7. Click Apply to complete configuration of the management port. 8. Click the DNS Server tab. 9. Click Add DNS, enter the IP address for the DNS server, and then click Apply. Note you can add more than one DNS server. 10. Change the IP address of your client PC to the same network segment used by the management port IP address. 11. To log into the web UI again, enter the new management IP address in a web browser. Configuring system time You can use the System page to change the system time. You can manually modify the time or synchronize the system time with an NTP server. To configure system time: 1. In the top banner, click the icon to display the System settings page. 2. Under System Time, click the Change link to display the Time dialog box. 3. Set the system time or synchronize time with a NTP server, as described in Table Save the configuration. Table 1: System Time Time Zone System Time Synchronize with NTP Server Select the time zone where the FortiTester appliance is installed. The text boxes are populated with the current settings for the system date and time. You can change these manually. Enter the IP address or domain name of an NTP server. To find an NTP server that you can use, see The time is not synched at a regular interval, only when you click the Save button. 14 FortiTester Handbook

15 Creating the admin password Chapter 1 - Getting Started Creating the admin password FortiTester has a default user admin. By default, there is no password. To change the password for the admin account: 1. In the top banner, click the admin link. 2. Select Modify Password from the drop down menu. 3. Enter the old password, the new password, and save the configuration. Configuring the device under test The DUT must be configured to connect with FortiTester before tests can be run. If the DUT is a FortiGate appliance, you generally need to configure interfaces, routes, and a firewall policy. Gateways for the test case are typically set as the IP address of the FortiGate's interfaces. If the client and server subnets are not on the same network as the gateway addresses, routes must be added. Refer to the user guide for the specific DUT for instructions on how to configure it for testing. FortiTester Handbook 15

16 Chapter 2 - Running Tests Test case configuration overview Chapter 2 - Running Tests This chapter provides procedures for running tests and viewing test results. Test case configuration overview The test case configuration workflow includes the following standard elements: Test type The test template to use. It determines the mandatory and optional settings for specific cases. Case options IP version, DUT role, DUT mode, network configuration, optional port binding, VLAN and Client Virtual Router. Interface ports Client and server interface port configuration. Optional elements Enable or disable packet capture, scheduling and MAC masquerade. Test case specifics Variables that determine the test parameters, such as load, rates/limits, and client/server profiles and actions. The first four items set up the basic test environment. Once you become familiar with them, you can assume they can be configured in the same manner for each test. The Client Virtual Router will simulate a router between FortiTester's client subnets and the connected DUT. The test case specifics are key to testing the performance of the device under test (DUT). We recommend you become familiar with guidelines for test case specifics whenever you get started with a new test case type. Using port binding and link aggregation FortiTester system can bind multiple physical ports as one logical port. We call this feature port binding. The physical ports in one logical port share one network configuration, such as IP address, netmask, and gateway. This feature is useful in the following scenarios: To test the link aggregation feature of a DUT. A DUT might also support port binding (also called link aggregation or TRUNK). In that case, FortiTester can test this feature and its performance. To test 40G/100G ports of DUT. A DUT might have some ports that have bandwidth greater than a single FortiTester port. To test such port performance, we can bind multiple FortiTester ports as one logical port and connect to a switch to transfer traffic with a DUT. For example, a FortiTester appliance can bind 4 10G ports as one to test a 40G port in DUT via a 10G/40G switch. FortiTester averages traffic on physical ports that belong to one logical port. Note: Only the DNS, TCP, UDP, RFC2544, HTTP, and HTTPS tests support port binding. To change the port binding: 1. Click on the Optional Port Binding link. 16 FortiTester Handbook

You can configure the number of bond interfaces and member ports, as well a the

17 Using port binding and link aggregation Chapter 2 - Running Tests Figure 5: Optional Port Binding 2. Click Add, under Network. 3. Configure the settings. You can configure the number of bond interfaces and member ports, as well a the bond type. 4. Click Save. Figure 6: Optional Port Binding Configuration FortiTester Handbook 17

18 Chapter 2 - Running Tests Using 40G to 4 x 10G fan out Using 40G to 4 x 10G fan out FortiTester comes with support for 40G to 4 x 10G fan out. This feature splits the 40G port into 4 separate 10G ports. Use the corresponding cable to link the 10G ports to the DUT. To enable fan out: 1. Go to System > Device Ports. 2. Switch 40G fan out 4x10G to Enabled. 3. Click Ok. 4. Wait for the system to reboot. After you have rebooted the system, the fan out should be enabled. You can check by going to System >Device Ports. Using network configuration templates Many test cases you may want to run will have the same basic network setup. To simplify configuration, you can create a network configuration template and then import it when you initially configure test case settings. The template settings are used to populate the network settings for the new test case configuration. The network configuration template specifies the IP address type, DUT working mode, client/server port settings, subnet settings, port binding and VLAN settings. You can only import template settings if the IP address type and DUT working mode you select in the new test case popup dialog box match the settings in the network configuration template. After the settings have been imported, you can modify client/server port settings, subnet settings, port binding and VLAN settings if necessary. To create a network configuration template: 1. Go to Cases > Config Object > Network Topology. 2. Click Add to display the configuration page. 3. In the popup dialog, configure the following settings: IP Version IPv4, IPv6 or Mixed. DUT Role Network Gateway or Application Server. If you want to test an application server, the FortiTester appliance will work as a pure client; if you want to test a network gateway, it will work as both client and server. DUT Working Mode Transparent mode, NAT mode, or Web Proxy mode. In the transparent mode, the DUT does not change the IP address of the packet. In NAT mode, the device is considered to be a router hop and the IP addresses can be translated. In Web Proxy mode, the proxy address is used. If the DUT is configured in Web Proxy mode (e.g. a WAF), select Web Proxy. Note: This setting will be shown only when DUT role is Network Gateway. Tester and Application Server Specify that the FortiTester appliance and the application server are in the same subnet or route by a gateway to send/receive traffic. Note: This setting will be shown only when DUT role is Application Server. 18 FortiTester Handbook

19 Using network configuration templates Chapter 2 - Running Tests Port Binding Optional. Port binding aggregates two or more physical ports into one logical port. Support SNAT/DNAT Policy Optional. Select this to allow DUT to do source and destination NAT on the same session. Note: If the DUT performs SNAT/DNAT on the data traffic, use the Translated To field to change the IP address before starting the run. Support VLAN Optional. Set VLAN ID to the traffic. Virtual Router Optional. This option allows the clients and/ or servers to be on subnets different from the DUTs interfaces and all traffic to/ from the DUTs uses the virtual routers MAC address. 4. Click OK to continue. 5. Complete the configuration as described in Table Save the configuration. After you have created a network configuration template, you can extend it (which means making a copy), or export it as a zip file and import the zip file later. This template can now be selected from the Network Config option on the popup dialogue when running a test. Table 2: Network configuration object settings Basic Information Name Specify a configuration name, or use the default. The name appears in the Network Config drop-down list when you configure test cases. Network Client Ports, Server Ports The page lists all the test ports for client-side and server-side connections. The client ports simulate the behavior of clients; the server ports simulate the behavior of servers. FortiTester builds the TCP connections between client ports and server ports (and through the DUT, of course). You must select at least one client port and one server port. After you select a port for client, a (check mark) is displayed on the port icon. The same port on the server side is no longer available. Note: You don t need to select the server port if you've selected the DUT role as Application Server. MAC Masquerade MAC Masquerade Specify the first two bytes of a MAC address for the traffic. Virtual Router FortiTester Handbook 19

20 Chapter 2 - Running Tests Using certification configuration templates IP Address Specify the IP address to the virtual router. This IP addresses is used to connect to a DUT, therefore it must be in the same subnet with the connected port of the DUT. Please make sure the corresponding routing rules are set on the DUT, so that DUT correctly forwards traffic to the virtual router. Only a single IP address in format xxx.xxx.xxx.xxx is accepted here. Subnet IP Address or Range Translated To Specify a single IP address with standard format (for example, ) or an address range like NAT mode only. If the DUT uses SNAT/DNAT, specify the new, translated, IP address. Netmask Specify a netmask between 1 and 31. VLAN ID Specify a VLAN ID between 1 and Server IP Gateway Peer Network Proxy IP/Mask Add Subnet When the DUT role is an application server, specify a single IP address in the standard format. Specify the gateway IP address when the DUT role is an application server or the DUT working mode is in NAT mode. NAT mode only. Specify the peer network subnet address. If the DUT uses SNAT/DNAT, use the translated IP address. Web Proxy mode only. Specify the proxy IP address/netmask. If necessary, click +Add Subnet to display additional subnet configuration controls. An interface port can have multiple subnets. FortiTester uses all IP addresses in the specified subnets to create TCP connections and transfer data. Using certification configuration templates Some of the test cases you may want to run will require you to provide an SSL certificate. To simplify configuration, you can create a certification template and then import it when you configure test case settings. To create a certificate configuration template: 1. Go to Cases > Config Object > Certificate Files. 2. Click Add to display the configuration page. 3. Configure the following settings: Name Name of your certificate template. Client/Server Certificate Length of SSL key for encryption/decryption. Import/Download You may import or download a certificate. The download option downloads a.zip file with all the certificates and keys currently in the FortiTester. 4. Save the configuration. 20 FortiTester Handbook

21 Using payload templates Chapter 2 - Running Tests After you have created a certificate configuration template, you can clone it or export it as a zip file. This template can now be selected from the Certificate Config option on the popup dialogue when running a test. Using payload templates Some of the test cases you may want to run will require you to provide a payload. To simplify configuration, you can create a payload template and then import it when you configure test case settings. To create a payload template: 1. Go to Cases > Config Object > Payload Group. 2. Click Add to display the configuration page. 3. In the popup dialog, choose the payload type. 4. Click OK. 5. Configure the following settings: Name Name of your payload template. Payload The payload you wish to use. 6. Save the configuration. After you have created a payload template, you can clone it or export it as a zip file. This template can now be selected from the payload Group option on the popup dialogue when running a test. Using URL list templates Some of the test cases you may want to run will require you to provide a list of URLs. To simplify configuration, you can create a URL list template and then import it when you configure test case settings. To create a URL list template: 1. Go to Cases > Config Object > URL Group. 2. Click Add to display the configuration page. 3. Enter a name for your URL template. 4. Click URLs Management. 5. In the popup dialogue box, add URLs by using the Add URL box or the Upload file option. 6. Click OK. 7. Save the configuration. After you have created a URL list template, you can clone it or export it as a zip file. This template can now be selected from the URL Group option on the popup dialogue when running a test. Using script object templates FortiTester allows you to give shell commands to the device under test (DUT) before running a test. To simplify configuration, you can create a script object template and then import it when you configure test case settings. FortiTester Handbook 21

Chapter 2 - Running Tests Using DUT monitoring To create a script object template: 1. Go to Cases > Config Object > Script Config. 2. Click Add to display the configuration page. 3.

22 Chapter 2 - Running Tests Using DUT monitoring To create a script object template: 1. Go to Cases > Config Object > Script Config. 2. Click Add to display the configuration page. 3. Configure the following settings: Name Name of your script object template. Script Setting Shell commands you wish to run before running the test. 4. Save the configuration. After you have created a script object template, you can clone it or export it as a zip file. This template can now be selected from the Script Config option on the popup dialogue when running a test. Using DUT monitoring FortiTester allows you to monitor a FortiGate device under test (DUT) from the management interface. To do so, you must create a DUT monitor object template and then import it when you configure test settings. To create a DUT monitor object template: 1. Go to Cases > Config Object > DUT Monitor. 2. Click Add to display the configuration page. 3. Configure the following settings: Name Name of your DUT monitor object template. Management IP IP address of the DUT. Community Name Community name you choose for the DUT. 4. Save the configuration. After you have created a script object template, you can clone it or export it as a zip file. This template can now be selected from the DUT Monitor option on the popup dialogue when running a test. If selected, you can monitor the DUT from the DUT Monitor tab on the management interface. 22 FortiTester Handbook

Using success criteria Chapter 2 - Running Tests Using success criteria FortiTester allows you to set specific success criteria for HTTP and HTTPS tests.

23 Using success criteria Chapter 2 - Running Tests Using success criteria FortiTester allows you to set specific success criteria for HTTP and HTTPS tests. If the layer 7 criteria is set, the test will only be considered successful if the average CPS is equal to or greater than the set number. If the layer 4 criteria is set, the test will only be considered successful if the number of attempted connections equals both the number of established connections and the number of connections terminated through a successful 3-way handshake. If the layer 2 or 3 criteria is set, the test will be considered successful if the server receives the same number of bytes the client sent out, and vice-versa. If any test fails because of a success criteria, an error message similar to the following will be displayed: The test will have a result of "Failed". Starting an HTTP CPS test FortiTester tests HTTP new connections per second (CPS) performance by simulating multiple clients that generate HTTP traffic. The traffic generated for each connection includes the TCP three-way handshake, HTTP request and HTTP response (complete HTTP transaction), and the TCP connection close (FIN, ACK, FIN, ACK). Each TCP packet has one HTTP GET request. The traffic is HTTP 1.0 without HTTP persistent connections (HTTP keep-alive). Note the following limitations: You cannot modify the HTTP request or HTTP response headers. To start an HTTP CPS test: 1. Go to Cases > HTTP > CPS to display the test case summary page. 2. Click Add to display the Case Options dialog box. FortiTester Handbook 23

24 Chapter 2 - Running Tests Starting an HTTP CPS test 3. In the popup dialog, configure the network settings as described in "Using network configuration templates" on page Click OK to continue. 5. Configure the test case options described in Table Click Start to run the test case. FortiTester saves the configuration automatically so you can run the test again later. You can also click Save to save the test case without running it. Tip: You can also copy an existing case, and change its settings to create a new case. In the case list, click Clone to clone the configuration. Only the case name is different from the original case. Table 3: HTTP CPS Test Case configuration Basic Information Name Ping Server Timeout Duration Number of Samples Stopping Status in Second Specify the case name, or just use the default. The name appears in the list of test cases. If a FortiTester connects to a DUT via a switch, the switch might cause a ping timeout, resulting in the test case failing to run. If this occurs, increase the timeout. The default is 15 seconds. The valid range is 0 to 600.Note:You can disable this end-to-end connectivity test by entering a setting of 0. If the DUT is unable to return packets, it is recommended you do so. Specify the test duration. The default is 10 minutes. The test stops automatically after the duration you specify. Select the number of samples. The default is 20, which means the web UI will show the last 20 sample data (about 20 seconds) in the test case running page. You can select 20, 60, or 120. The maximum time out in seconds allotted for FortiTester to close all TCP connections after the test finishes. Network 24 FortiTester Handbook

25 Starting an HTTP CPS test Chapter 2 - Running Tests Client Ports, Server Ports The graphic depicts the test ports for client-side and server-side connections. The client ports simulate the behavior of clients; the server ports simulate the behavior of servers. FortiTester builds the TCP connections between client ports and server ports (and through the DUT, of course). You must select at least one client port and one server port. After you select a port for client, a (check mark) is displayed on the port icon, and a tab for the port is added below the graphic. Use the tabs to toggle the Capture Packets and Subnet controls for each port. Capture Packets Capture Packets Optional. Set packet capture options if you want to capture the traffic of this port. You can capture all packets or specify a number. You can set packet capture filters for host IP/port and protocol. Note: The system allocates temporary disk space for packet captures. The limit is 6,000,000 packets. The packets are saved to a temporary file that you can download from the running test case page. The filename indicates whether it is client or server communication and the interface port number. For example, client_port1.pcap. When a subsequent test case with packet capture enabled uses the same interface port as a previous one, the previous file is overwritten. MAC Masquerade MAC Masquerade Specify the first two bytes of a MAC address for the traffic. QinQ Outer VLAN ID Specify a Service VLAN tag for FortiTester to use during the test. Virtual Router IP Address Specify the IP address to the virtual router. This IP address is used to connect to a DUT, therefore it must be in the same subnet with the connected port of the DUT. Please make sure the corresponding routing rules are set on the DUT, so that DUT correctly forwards traffic to the virtual router. Only a single IP address in format xxx.xxx.xxx.xxx is accepted here. Subnet Subnet IP Address or Range Translated To Specify a single IP address with standard format (for example, ) or an address range like NAT mode only. If the DUT uses SNAT/DNAT, specify the new, translated, IP address. Netmask Specify a netmask between 1 and 31. FortiTester Handbook 25

26 Chapter 2 - Running Tests Starting an HTTP CPS test VLAN ID Specify a VLAN ID between 1 and Gateway Peer Network Proxy IP/Mask Add Subnet NAT mode only. Specify the gateway IP address. NAT mode only. Specify the peer network subnet address. Web Proxy mode only. Specify the proxy IP address/netmask. If necessary, click +Add Subnet to display additional subnet configuration controls. An interface port can have multiple subnets. FortiTester uses all IP addresses in the specified subnets to create TCP connections and transfer data. Load (Load) Simulated Users Number of users to simulate. Load (Limit) Speed Limit Rate of new transactions per second. The default is 0, which means the device will send traffic as fast as possible. Ramp Up Time Ramp Down Time Time in seconds for traffic to ramp up when you start the test. Time in seconds for traffic to ramp down when you stop the test. Network MTU The maximum transmission unit size. Preset to MSS The maximum segment size. If MSS is bigger than the MTU, IP fragmentation will be triggered conditionally. Profile (Client) Source Port Range Client Close Mode Specify a client port range. The valid range is 10,000 to 65,535, which is also the default. Select the connection close method: 3Way_Fin or Reset. 26 FortiTester Handbook

27 Starting an HTTP RPS test Chapter 2 - Running Tests IP Change Algorithm / Port Change Algorithm Request Header Piggybacking IP Option DSCP Select a change algorithm: Increment or Random. This setting determines how the system changes source/destination IP addresses and ports to simulate multiple client requests. The Increment option uses the next IP address or port in the range, for example: > ; port > The Random option selects an IP address or port in the range randomly. Preset to UserAgent: Firefox/41.0. Click the Add Header button to specify more headers. If enabled, this means an acknowledgement is sent on the data frame, not in an individual frame. Provide quality of service (QoS). Profile (Server) Server Port Response Header Piggybacking IP Option DSCP Preset to 80. Not configurable. Preset to Server: nginx/1.9.5content-type:text/html. Click the Add button to specify more headers. If enabled, this means an acknowledgement is sent on the data frame, not in an individual frame. Provide quality of service (QoS). Action Get page Select the file that the simulated clients access. The default is index.html with 4 bytes. Optionally, you can upload a customized HTML file. The file size limit is 10 MB. Post page Success criteria Select the file that simulated servers send. The default is "index.php" with 4 bytes. You can edit the post parameters. The file size limit is 10MB. Select criteria to determine if the test succeeds or fails. If the test does not match the criteria set, the test fails. Starting an HTTP RPS test FortiTester tests requests per second (RPS) performance by simulating multiple clients that generate HTTP traffic. All requests include a TCP three-way handshake, one HTTP request and response, and a TCP connection close (FIN, ACK, FIN, ACK). There are 10 HTTP GET requests per TCP connection and 100 HTTP GET requests per TCP connection for Layer4/HTTPS testing. Note the following limitations: FortiTester Handbook 27

28 Chapter 2 - Running Tests Starting an HTTP RPS test You cannot modify the HTTP request or HTTP response headers. To start an HTTP RPS test: 1. Go to Cases > HTTP > RPS to display the test case summary page. 2. Click Add to display the Case Options dialog box. 3. In the popup dialog, configure the network settings as described in "Using network configuration templates" on page Click OK to continue. 5. Configure the test case options described in Table Click Start to run the test case. FortiTester saves the configuration automatically so you can run the test again later. You can also click Save to save the test case without running it. Tip: You can also copy an existing case, and change its settings to create a new case. In the case list, click Clone to clone the configuration. Only the case name is different from the original case. Table 4: HTTP RPS Test Case configuration Basic Information Name Ping Server Timeout Duration Number of Samples Stopping Status in Second Specify the case name, or just use the default. The name appears in the list of test cases. If a FortiTester connects to a DUT via a switch, the switch might cause a ping timeout, resulting in the test case failing to run. If this occurs, increase the timeout. The default is 15 seconds. The valid range is 0 to 600.Note:You can disable this end-to-end connectivity test by entering a setting of 0. If the DUT is unable to return packets, it is recommended you do so. Test duration. The default is 10 minutes. The test stops automatically after the duration you specify. Select the number of samples. The default is 20, which means the web UI will show the last 20 sample data (about 20 seconds) in the test case running page. You can select 20, 60, or 120. The maximum time out in seconds allotted for FortiTester to close all TCP connections after the test finishes. Network 28 FortiTester Handbook

29 Starting an HTTP RPS test Chapter 2 - Running Tests Client Ports, Server Ports The graphic depicts the test ports for client-side and server-side connections. The client ports simulate the behavior of clients; the server ports simulate the behavior of servers. FortiTester builds the TCP connections between client ports and server ports (and through the DUT, of course). You must select at least one client port and one server port. After you select a port for client, a (check mark) is displayed on the port icon, and a tab for the port is added below the graphic. Use the tabs to toggle the Capture Packets and Subnet controls for each port. Capture Packets Capture Packets Optional. Set packet capture options if you want to capture the traffic of this port. You can capture all packets or specify a number. You can set packet capture filters for host IP/port and protocol. Note: The system allocates temporary disk space for packet captures. The limit is 6,000,000 packets. The packets are saved to a temporary file that you can download from the running test case page. The filename indicates whether it is client or server communication and the interface port number. For example, client_port1.pcap. When a subsequent test case with packet capture enabled uses the same interface port as a previous one, the previous file is overwritten. MAC Masquerade MAC Masquerade Specify the first two bytes of a MAC address for the traffic. QinQ Outer VLAN ID Specify a Service VLAN tag for FortiTester to use during the test. Virtual Router IP Address Specify the IP address to the virtual router. This IP address is used to connect to a DUT, therefore it must be in the same subnet with the connected port of the DUT. Please make sure the corresponding routing rules are set on the DUT, so that DUT correctly forwards traffic to the virtual router. Only a single IP address in format xxx.xxx.xxx.xxx is accepted here. Subnet Subnet IP Address or Range Translated To Specify a single IP address with standard format (for example, ) or an address range like NAT mode only. If the DUT uses SNAT/DNAT, specify the new, translated, IP address. Netmask Specify a netmask between 1 and 31. FortiTester Handbook 29

30 Chapter 2 - Running Tests Starting an HTTP RPS test VLAN ID Specify a VLAN ID between 1 and Gateway Peer Network Proxy IP/Mask Add Subnet NAT mode only. Specify the gateway IP address. NAT mode only. Specify the peer network subnet address. Web Proxy mode only. Specify the proxy IP address/netmask. If necessary, click +Add Subnet to display additional subnet configuration controls. An interface port can have multiple subnets. FortiTester uses all IP addresses in the specified subnets to create TCP connections and transfer data. Load (Load) Simulated Users Number of users to simulate. Requests per Connection Number of HTTP requests per connection. The default is 0, which means as many as possible. The valid range is 0 to 50,000. Load (Limit) Speed Limit Rate of requests per second. The default is 0, which means the device will send traffic as fast as possible. Ramp Up Time Ramp Down Time Time in seconds for traffic to ramp up when you start the test. Time in seconds for traffic to ramp down when you stop the test. Network MTU The maximum transmission unit size. Preset to MSS The maximum segment size. If MSS is bigger than the MTU, IP fragmentation will be triggered conditionally. Profile (Client) Source Port Range Client Close Mode Client port range. The valid range is 10,000 to 65,535, which is also the default. Select the connection close method: 3Way_Fin or Reset. 30 FortiTester Handbook

31 Starting an HTTP CC test Chapter 2 - Running Tests IP Change Algorithm / Port Change Algorithm Request Header IP Option DSCP Select a change algorithm: Increment or Random. This setting determines how the system changes source/destination IP addresses and ports to simulate multiple client requests. The Increment option uses the next IP address or port in the range, for example: > ; port > The Random option selects an IP address or port in the range randomly. Preset to UserAgent: Firefox/41.0. Click the Add Header button to specify more headers. Provide quality of service (QoS). Profile (Server) Server Port Response Header IP Option DSCP Preset to 80. Not configurable. Preset to Server: nginx/1.9.5content-type:text/html. Click the Add Header button to specify more headers. Provide quality of service (QoS). Action Get Page Select the file that the simulated clients access. The default is index.html with 4 bytes. Optionally, you can upload a customized HTML file. The file size limit is 10 MB. Post page Success criteria Select the file that simulated servers send. The default is "index.php" with 4 bytes. You can edit the post parameters. The file size limit is 10MB. Select criteria to determine if the test succeeds or fails. If the test does not meet the criteria set, the test fails. Starting an HTTP CC test FortiTester tests HTTP concurrent connection (CC) performance by simulating multiple clients that generate HTTP traffic. All connections include a TCP three-way handshake, a loop of HTTP requests and responses (complete HTTP transaction), and close the connection with TCP FIN. Note the following limitations: You cannot modify the HTTP request or HTTP response headers. To start an HTTP CC test: 1. Go to Cases > HTTP > CC to display the test case summary page. 2. Click Add to display the Case Options dialog box. 3. In the popup dialog, configure the network settings as described in "Using network configuration templates" on page 18. FortiTester Handbook 31

32 Chapter 2 - Running Tests Starting an HTTP CC test 4. Click OK to continue. 5. Configure the test case options described in Table Click Start to run the test case. FortiTester saves the configuration automatically so you can run the test again later. You can also click Save to save the test case without running it. Tip: You can also copy an existing case, and change its settings to create a new case. In the case list, click Clone to clone the configuration. Only the case name is different from the original case. 32 FortiTester Handbook

33 Starting an HTTP CC test Chapter 2 - Running Tests Table 5: HTTP CC Test Case configuration Basic Information Name Ping Server Timeout Number of Samples Duration Stopping Status in Second Specify the case name, or just use the default. The name appears in the list of test cases. If a FortiTester connects to a DUT via a switch, the switch might cause a ping timeout, resulting in the test case failing to run. If this occurs, increase the timeout. The default is 15 seconds. The valid range is 0 to 600.Note:You can disable this end-to-end connectivity test by entering a setting of 0. If the DUT is unable to return packets, it is recommended you do so. Select the number of samples. The default is 20, which means the web UI will show the last 20 sample data (about 20 seconds) in the test case running page. You can select 20, 60, or 120. Specify the test duration. The default is 10 minutes. The test stops automatically after the duration you specify. The maximum time out in seconds allotted for FortiTester to close all TCP connections after the test finishes. Network Client Ports, Server Ports The graphic depicts the test ports for client-side and server-side connections. The client ports simulate the behavior of clients; the server ports simulate the behavior of servers. FortiTester builds the TCP connections between client ports and server ports (and through the DUT, of course). You must select at least one client port and one server port. After you select a port for client, a (check mark) is displayed on the port icon, and a tab for the port is added below the graphic. Use the tabs to toggle the Capture Packets and Subnet controls for each port. Capture Packets Capture Packets Optional. Set packet capture options if you want to capture the traffic of this port. You can capture all packets or specify a number. You can set packet capture filters for host IP/port and protocol. Note: The system allocates temporary disk space for packet captures. The limit is 6,000,000 packets. The packets are saved to a temporary file that you can download from the running test case page. The filename indicates whether it is client or server communication and the interface port number. For example, client_port1.pcap. When a subsequent test case with packet capture enabled uses the same interface port as a previous one, the previous file is overwritten. FortiTester Handbook 33

34 Chapter 2 - Running Tests Starting an HTTP CC test MAC Masquerade MAC Masquerade Specify the first two bytes of a MAC address for the traffic. QinQ Outer VLAN ID Specify a Service VLAN tag for FortiTester to use during the test. Virtual Router IP Address Specify the IP address to the virtual router. This IP address is used to connect to a DUT, therefore it must be in the same subnet with the connected port of the DUT. Please make sure the corresponding routing rules are set on the DUT, so that DUT correctly forwards traffic to the virtual router. Only a single IP address in format xxx.xxx.xxx.xxx is accepted here. Subnet Subnet IP Address or Range Translated To Specify a single IP address with standard format (for example, ) or an address range like NAT mode only. If the DUT uses SNAT/DNAT, specify the new, translated, IP address. Netmask Specify a netmask between 1 and 31. VLAN ID Specify a VLAN ID between 1 and Gateway Peer Network Proxy IP/Mask Add Subnet NAT mode only. Specify the gateway IP address. NAT mode only. Specify the peer network subnet address. Web Proxy mode only. Specify the proxy IP address/netmask. If necessary, click +Add Subnet to display additional subnet configuration controls. An interface port can have multiple subnets. FortiTester uses all IP addresses in the specified subnets to create TCP connections and transfer data. Load (Load) Simulated Users Number of users to simulate. 34 FortiTester Handbook

35 Starting an HTTP CC test Chapter 2 - Running Tests Concurrent Connections Number of concurrent connections. Concurrent Close Number of connections to close at any given time. To avoid the DUT lost packet, the connection close operation will be performed batch by batch. Think Time Seconds that a simulated user waits between HTTP requests. The default is 5 seconds. Load (Limit) Speed Limit Rate of new transactions per second. The default is 0, which means the device will send traffic as fast as possible. Network MTU The maximum transmission unit size. Preset to MSS The maximum segment size. If MSS is bigger than the MTU, IP fragmentation will be triggered conditionally. Profile (Client) Source Port Range Client Close Mode IP Change Algorithm/Port Change Algorithm Request Header IP Option DSCP Specify a client port range. The valid range is 10,000 to 65,535, which is also the default. Select the connection close method: 3Way_Fin or Reset. Select a change algorithm: Increment or Random. This setting determines how the system changes source/destination IP addresses and ports to simulate multiple client requests. The Increment option uses the next IP address or port in the range, for example: > ; port > The Random option selects an IP address or port in the range randomly. Preset to UserAgent: Firefox/41.0. Click the Add Header button to specify more headers. Provide quality of service (QoS). Profile (Server) FortiTester Handbook 35

36 Chapter 2 - Running Tests Starting an HTTP throughput test Server Port Response Header IP Option DSCP Preset to 80. Not configurable. Preset to Server: nginx/1.9.5content-type:text/html. Click the Add Header button to specify more headers. Provide quality of service (QoS). Action Get page Select the file that the simulated clients access. The default is index.html with 4 bytes. Optionally, you can upload a customized HTML file. The file size limit is 10 MB. Post page Success criteria Select the file that simulated servers send. The default is "index.php" with 4 bytes. You can edit the post parameters. The file size limit is 10MB. Select criteria to determine if the test succeeds or fails. If the test does not meet the criteria set, the test fails. Starting an HTTP throughput test FortiTester tests HTTP throughput performance by simulating multiple clients that generate HTTP traffic. Note the following limitations: You cannot modify the HTTP request or HTTP response headers. To start an HTTP throughput test: 1. Go to Cases > HTTP > Throughput to display the test case summary page. 2. Click Add to display the Case Options dialog box. 3. In the popup dialog, configure the network settings as described in "Using network configuration templates" on page Click OK to continue. 5. Configure the test case options described in Table Click Start to run the test case. FortiTester saves the configuration automatically, so you can run the test again later. You can also click Save to save the test case without running it. Tip: You can also copy an existing case, and change its settings to create a new case. In the case list, click Clone to clone the configuration. Only the case name is different from the original case. 36 FortiTester Handbook

37 Starting an HTTP throughput test Chapter 2 - Running Tests Table 6: HTTP Throughput Test Case configuration Basic Information Name Ping Server Timeout Duration Number of Samples Stopping Status in Second Specify the case name, or just use the default. The name appears in the list of test cases. If a FortiTester connects to a DUT via a switch, the switch might cause a ping timeout, resulting in the test case failing to run. If this occurs, increase the timeout. The default is 15 seconds. The valid range is 0 to 600.Note:You can disable this end-to-end connectivity test by entering a setting of 0. If the DUT is unable to return packets, it is recommended you do so. Specify the test duration. The default is 10 minutes. The test stops automatically after the duration you specify. Select the number of samples. The default is 20, which means the web UI will show the last 20 sample data (about 20 seconds) in the test case running page. You can select 20, 60, or 120. The maximum time out in seconds allotted for FortiTester to close all TCP connections after the test finishes. Network Client Ports, Server Ports The graphic depicts the test ports for client-side and server-side connections. The client ports simulate the behavior of clients; the server ports simulate the behavior of servers. FortiTester builds the TCP connections between client ports and server ports (and through the DUT, of course). You must select at least one client port and one server port. After you select a port for client, a (check mark) is displayed on the port icon, and a tab for the port is added below the graphic. Use the tabs to toggle the Capture Packets and Subnet controls for each port. Capture Packets Capture Packets Optional. Set packet capture options if you want to capture the traffic of this port. You can capture all packets or specify a number. You can set packet capture filters for host IP/port and protocol. Note: The system allocates temporary disk space for packet captures. The limit is 200,000 packets. The packets are saved to a temporary file that you can download from the running test case page. The filename indicates whether it is client or server communication and the interface port number. For example, client_port1.pcap. When a subsequent test case with packet capture enabled uses the same interface port as a previous one, the previous file is overwritten. FortiTester Handbook 37

38 Chapter 2 - Running Tests Starting an HTTP throughput test MAC Masquerade MAC Masquerade Specify the first two bytes of a MAC address for the traffic. QinQ Outer VLAN ID Specify a Service VLAN tag for FortiTester to use during the test. Virtual Router IP Address Specify the IP address to the virtual router. This IP address is used to connect to a DUT, therefore it must be in the same subnet with the connected port of the DUT. Please make sure the corresponding routing rules are set on the DUT, so that DUT correctly forwards traffic to the virtual router. Only a single IP address in format xxx.xxx.xxx.xxx is accepted here. Subnet Subnet IP Address or Range Specify a single IP address with standard format (for example, ) or an address range like Netmask Specify a netmask between 1 and 31. Translated To NAT mode only. If the DUT uses SNAT/DNAT, specify the new, translated, IP address. VLAN ID Specify a VLAN ID between 1 and Gateway Peer Network Proxy IP/Mask Add Subnet NAT mode only. Specify the gateway IP address. NAT mode only. Specify the peer network subnet address. Web Proxy mode only. Specify the proxy IP address/netmask. If necessary, click +Add Subnet to display additional subnet configuration controls. An interface port can have multiple subnets. FortiTester uses all IP addresses in the specified subnets to create TCP connections and transfer data. Load (Load) Simulated Users Number of users to simulate. Load (Limit) 38 FortiTester Handbook

39 Starting an HTTP throughput test Chapter 2 - Running Tests Bandwidth Limit Rate of requests per second. The default is 0, which means the device is set to provide the maximum bandwidth. Ramp Up Time Ramp Down Time Time in seconds for traffic to ramp up when you start the test. Time in seconds for traffic to ramp down when you stop the test. Network MTU The maximum transmission unit size. Preset to MSS The maximum segment size. If MSS is bigger than the MTU, IP fragmentation will be triggered conditionally. Profile (Client) Source Port Range Client Close Mode IP Change Algorithm / Port Change Algorithm Request Header IP Option DSCP Client port range. The valid range is from 10,000 to 65,535, which is also the default. Select the connection close method: 3Way_Fin or Reset. Select a change algorithm: Increment or Random. This setting determines how the system changes source/destination IP addresses and ports to simulate multiple client requests. The Increment option uses the next IP address or port in the range, for example: > ; port > The Random option selects an IP address or port in the range randomly. Preset to UserAgent: Firefox/41.0. Click the Add Header button to specify more headers. Provide quality of service (QoS). Profile (Server) Server Port Response Header IP Option DSCP Preset to 80. Not configurable. Preset to Server: nginx/1.9.5content-type:text/html. Click the Add Header button to specify more headers. Provide quality of service (QoS). Action Get page Select the file that the simulated clients access. The default is index.html with 50,000 bytes. Optionally, you can upload a customized HTML file. The file size limit is 10 MB. FortiTester Handbook 39

40 Chapter 2 - Running Tests Starting an HTTP throughput test Post page Success criteria Select the file that simulated servers send. The default is "index.php" with 4 bytes. You can edit the post parameters. The file size limit is 10MB. Select criteria to determine if the test succeeds or fails. If the test does not meet the criteria set, the test fails. 40 FortiTester Handbook

41 Starting a web crawler test Chapter 2 - Running Tests Starting a web crawler test The web crawler test runs a web crawler simulation to query URLs through the DUT. This is done to test the DUT's web access security policies. FortiTester only stores the URL responses. To start a web crawler test: 1. Go to Cases > HTTP > Web Crawler to display the test case summary page. 2. Click Add to display the Case Options dialog box. 3. Configure the test case options as described in Table Click Start to run the test case. FortiTester saves the configuration automatically so you can run the test again later. You can also click Save to save the test case without running it. Tip: You can also copy an existing case, and change its settings to create a new case. In the case list, click Clone to clone the configuration. Only the case name is different from the original case. Table 7: HTTP Web Crawler Test Case configuration Basic Information Name Specify the case name, or just use the default. The name appears in the list of test cases. Network Client Ports, Server Ports The graphic depicts the test ports for client-side and server-side connections. The client ports simulate the behavior of clients; the server ports simulate the behavior of servers. FortiTester builds the TCP connections between client ports and server ports (and through the DUT, of course). You must select at least one client port and one server port. After you select a port for client, a (check mark) is displayed on the port icon, and a tab for the port is added below the graphic. Use the tabs to toggle the Capture Packets and Subnet settings controls for each port. Capture Packets FortiTester Handbook 41

42 Chapter 2 - Running Tests Starting an HTTPS CPS test Capture Packets Optional. Set packet capture options if you want to capture the traffic of this port. You can capture all packets or specify a number. You can set packet capture filters for host IP/port and protocol. Note: The system allocates temporary disk space for packet captures. The limit is 6,000,000 packets. The packets are saved to a temporary file that you can download from the running test case page. The filename indicates whether it is client or server communication and the interface port number. For example, client_port1.pcap. When a subsequent test case with packet capture enabled uses the same interface port as a previous one, the previous file is overwritten. Subnet Subnet IP Address or Range Specify a single IP address with standard format (for example, ) or an address range like Netmask Specify a netmask between 1 and 31. Gateway NAT mode only. Specify the gateway IP address. Profile (Client) URLs Use the search bar to search for URLs. Click on URLs management to add or upload URLs. Starting an HTTPS CPS test The HTTPS CPS test is the same as the HTTP CPS test, except it uses HTTPS traffic, does not have the Speed Limit option, and the MTU is editable. To start an HTTPS CPS test: 1. Go to Cases > HTTPS > CPS to display the test case summary page. 2. Click Add to display the Case Options dialog box. 3. In the popup dialog, configure the network settings as described in "Using network configuration templates" on page Click OK to continue. 5. Configure the test case options described in Table Click Start to run the test case. FortiTester saves the configuration automatically so you can run the test again later. You can also click Save to save the test case without running it. Tip: You can also copy an existing case, and change its settings to create a new case. In the case list, click Clone to clone the configuration. Only the case name is different from the original case. 42 FortiTester Handbook

43 Starting an HTTPS CPS test Chapter 2 - Running Tests Table 8: HTTPS CPS Test Case configuration Basic Information Name Ping Server Timeout Duration Number of Samples Stopping Status in Second Specify the case name, or just use the default. The name appears in the list of test cases. If a FortiTester connects to a DUT via a switch, the switch might cause a ping timeout, resulting in the test case failing to run. If this occurs, increase the timeout. The default is 15 seconds. The valid range is 0 to 600. Note:You can disable this end-to-end connectivity test by entering a setting of 0. If the DUT is unable to return packets, it is recommended you do so. Specify the test duration. The default is 10 minutes. The test stops automatically after the duration you specify. Select the number of samples. The default is 20, which means the web UI will show the last 20 sample data (about 20 seconds) in the test case running page. You can select 20, 60, or 120. The maximum time out in seconds allotted for FortiTester to close all TCP connections after the test finishes. Network Client Ports, Server Ports The graphic depicts the test ports for client-side and server-side connections. The client ports simulate the behavior of clients; the server ports simulate the behavior of servers. FortiTester builds the TCP connections between client ports and server ports (and through the DUT, of course). You must select at least one client port and one server port. After you select a port for client, a (check mark) is displayed on the port icon, and a tab for the port is added below the graphic. Use the tabs to toggle the Capture Packets and Subnet controls for each port. Capture Packets Capture Packets Optional. Set packet capture options if you want to capture the traffic of this port. You can capture all packets or specify a number. You can set packet capture filters for host IP/port and protocol. Note: The system allocates temporary disk space for packet captures. The limit is 6,000,000 packets. The packets are saved to a temporary file that you can download from the running test case page. The filename indicates whether it is client or server communication and the interface port number. For example, client_port1.pcap. When a subsequent test case with packet capture enabled uses the same interface port as a previous one, the previous file is overwritten. FortiTester Handbook 43

44 Chapter 2 - Running Tests Starting an HTTPS CPS test MAC Masquerade MAC Masquerade Specify the first two bytes of a MAC address for the traffic. QinQ Outer VLAN ID Specify a Service VLAN tag for FortiTester to use during the test. Virtual Router IP Address Specify the IP address to the virtual router. This IP address is used to connect to a DUT, therefore it must be in the same subnet with the connected port of the DUT. Please make sure the corresponding routing rules are set on the DUT, so that DUT correctly forwards traffic to the virtual router. Only a single IP address in format xxx.xxx.xxx.xxx is accepted here. Subnet Subnet IP Address or Range Translated To Specify a single IP address with standard format (for example, ) or an address range like NAT mode only. If the DUT uses SNAT/DNAT, specify the new, translated, IP address. Netmask Specify a netmask between 1 and 31. VLAN ID Specify a VLAN ID between 1 and Gateway Peer Network Proxy IP/Mask Add Subnet NAT mode only. Specify the gateway IP address. NAT mode only. Specify the peer network subnet address. Web Proxy mode only. Specify the proxy IP address/netmask. If necessary, click +Add Subnet to display additional subnet configuration controls. An interface port can have multiple subnets. FortiTester uses all IP addresses in the specified subnets to create TCP connections and transfer data. Load (Load) Simulated Users Number of users to simulate. Load (Limit) 44 FortiTester Handbook

45 Starting an HTTPS CPS test Chapter 2 - Running Tests Speed Limit Rate of new transactions per second. The default is 0, which means the device will send traffic as fast as possible. Ramp Up Time Ramp Down Time Time in seconds for traffic to ramp up when you start the test. Time in seconds for traffic to ramp down when you stop the test. Network MTU MSS Maximum Transmission Unit for a data packet. FortiTester does not send out data packets larger than this value. Most DUTs have a limitation for packet size. The default is The valid range is 1,280 to 9,000. The maximum segment size. If MSS is bigger than the MTU, IP fragmentation will be triggered conditionally. Profile (Client) Source Port Range Client Close Mode IP Change Algorithm / Port Change Algorithm Request Header Piggybacking IP Option DSCP Quiet Shutdown Allowed SSL Versions SSL Ciphers Preset to Not configurable. Select the connection close method: 3Way_Fin or Reset. Determines how the system changes source/destination IP addresses and ports to simulate multiple client requests. Not configurable. The Random option selects an IP address or port in the range randomly. Preset to UserAgent: Firefox/41.0. Click the Add Header button to specify more headers. Default enabled. Provide quality of service (QoS). Enable to apply safe shutdown procedure to SSL connections by sending SSL alert to the peer. Supported SSL versions: SSLv3, TLSv1.0, TLSv1.1 and TLSv1.2. The default is TLSv1.2. Select one or more SSL ciphers from the list. Profile (Server) Server Port Preset to 80, 443. Not configurable. FortiTester Handbook 45

46 Chapter 2 - Running Tests Starting an HTTPS RPS test Server Certificate Response Header Piggybacking IP Option DSCP Length of SSL key for encryption/decryption. You may also import or download an SSL key. Preset to Server: nginx/1.9.5content-type:text/html. Click the Add Header button to specify more headers. Default enabled. Provide quality of service (QoS). Action Get page Select the file that the simulated clients access. The default is index.html with 4 bytes. Optionally, you can upload a customized HTML file. The file size limit is 10 MB. Post page Success criteria Select the file that simulated servers send. The default is "index.php" with 4 bytes. You can edit the post parameters. The file size limit is 10MB. Select criteria to determine if the test succeeds or fails. If the test does not meet the criteria set, the test fails. Starting an HTTPS RPS test The HTTPS RPS test is the same as the HTTP RPS test, except it uses HTTPS traffic, does not have the Speed Limit option, and the MTU is editable. To start an HTTPS RPS test: 1. Go to Cases > HTTPS > RPS to display the test case summary page. 2. Click Add to display the Case Options dialog box. 3. In the popup dialog, configure the network settings as described in "Using network configuration templates" on page Click OK to continue. 5. Configure the test case options described in Table Click Start to run the test case. FortiTester saves the configuration automatically so you can run the test again later. You can also click Save to save the test case without running it. Tip: You can also copy an existing case, and change its settings to create a new case. In the case list, click Clone to clone the configuration. Only the case name is different from the original case. Table 9: HTTPS RPS Test Case configuration 46 FortiTester Handbook

47 Starting an HTTPS RPS test Chapter 2 - Running Tests Basic Information Name Ping Server Timeout Duration Number of Samples Stopping Status in Second Specify the case name, or just use the default. The name appears in the list of test cases. If a FortiTester connects to a DUT via a switch, the switch might cause a ping timeout, resulting in the test case failing to run. If this occurs, increase the timeout. The default is 15 seconds. The valid range is 0 to 600.Note:You can disable this end-to-end connectivity test by entering a setting of 0. If the DUT is unable to return packets, it is recommended you do so. Specify the test duration. The default is 10 minutes. The test stops automatically after the duration you specify. Select the number of samples. The default is 20, which means the web UI will show the last 20 sample data (about 20 seconds) in the test case running page. You can select 20, 60, or 120. The maximum time out in seconds allotted for FortiTester to close all TCP connections after the test finishes. Network Client Ports, Server Ports The graphic depicts the test ports for client-side and server-side connections. The client ports simulate the behavior of clients; the server ports simulate the behavior of servers. FortiTester builds the TCP connections between client ports and server ports (and through the DUT, of course). You must select at least one client port and one server port. After you select a port for client, a (check mark) is displayed on the port icon, and a tab for the port is added below the graphic. Use the tabs to toggle the Capture Packets and Subnet controls for each port. Capture Packets Capture Packets Optional. Set packet capture options if you want to capture the traffic of this port. You can capture all packets or specify a number. You can set packet capture filters for host IP/port and protocol. Note: The system allocates temporary disk space for packet captures. The limit is 200,000 packets. The packets are saved to a temporary file that you can download from the running test case page. The filename indicates whether it is client or server communication and the interface port number. For example, client_port1.pcap. When a subsequent test case with packet capture enabled uses the same interface port as a previous one, the previous file is overwritten. MAC Masquerade MAC Masquerade Specify the first two bytes of a MAC address for the traffic. FortiTester Handbook 47

48 Chapter 2 - Running Tests Starting an HTTPS RPS test QinQ Outer VLAN ID Specify a Service VLAN tag for FortiTester to use during the test. Virtual Router IP Address Specify the IP address to the virtual router. This IP address is used to connect to a DUT, therefore it must be in the same subnet with the connected port of the DUT. Please make sure the corresponding routing rules are set on the DUT, so that DUT correctly forwards traffic to the virtual router. Only a single IP address in format xxx.xxx.xxx.xxx is accepted here. Subnet Subnet IP Address or Range Translated To Specify a single IP address with standard format (for example, ) or an address range like NAT mode only. If the DUT uses SNAT/DNAT, specify the new, translated, IP address. Netmask Specify a netmask between 1 and 31. VLAN ID Specify a VLAN ID between 1 and Gateway Peer Network Proxy IP/Mask Add Subnet NAT mode only. Specify the gateway IP address. NAT mode only. Specify the peer network subnet address. Web Proxy mode only. Specify the proxy IP address/netmask. If necessary, click +Add Subnet to display additional subnet configuration controls. An interface port can have multiple subnets. FortiTester uses all IP addresses in the specified subnets to create TCP connections and transfer data. Load (Load) Simulated Users Number of users to simulate. Requests per Connection Number of HTTP requests per connection. The default is 0, which means as many as possible. The valid range is 0 to 50,000. Load (Limit) 48 FortiTester Handbook

49 Starting an HTTPS RPS test Chapter 2 - Running Tests Speed Limit Rate of requests per second. The default is 0, which means the device will send traffic as fast as possible. Ramp Up Time Ramp Down Time Time in seconds for traffic to ramp up when you start the test. Time in seconds for traffic to ramp down when you stop the test. Network MTU MSS Maximum Transmission Unit for a data packet. FortiTester does not send out data packets larger than this value. Most DUTs have a limitation for packet size. The default is The valid range is 1,280 to 9,000. The maximum segment size. If MSS is bigger than the MTU, IP fragmentation will be triggered conditionally. Profile (Client) Source Port Range Client Close Mode IP Change Algorithm / Port Change Algorithm Request Header Piggybacking IP Option DSCP Quiet Shutdown Allowed SSL Versions SSL Ciphers Preset to Not configurable. Select the connection close method: 3Way_Fin or Reset. Determines how the system changes source/destination IP addresses and ports to simulate multiple client requests. Not configurable. The Random option selects an IP address or port in the range randomly. Preset to UserAgent: Firefox/41.0. Click the Add Header button to specify more headers. Enable to apply piggyback to SSL connections issued by client side. This is enabled by default. Provide quality of service (QoS). Enable to apply safe shutdown procedure to SSL connections by sending SSL alert to the peer. Supported SSL version: SSLv3, TLSv1.0, TLSv1.1 and TLSv1.2 (default). Select one or more SSL ciphers from the list. Profile (Server) FortiTester Handbook 49

50 Chapter 2 - Running Tests Starting an HTTPS CC test Server Port Server Certificate Response Header Piggybacking IP Option DSCP Preset to 80, 443. Not configurable. Length of SSL key for encryption/decryption. You may also import or download an SSL key. Preset to Server: nginx/1.9.5content-type:text/html. Click the Add Header button to specify more headers. Enable to apply piggyback to SSL connections issued by server side. This is enabled by default. Provide quality of service (QoS). Action Get page Post page Success criteria Select the file that the simulated clients access. The default is index.html with 50,000 bytes. Optionally, you can upload a customized HTML file. The file size limit is 10 MB Select the file that simulated servers send. The default is "index.php" with 4 bytes. You can edit the post parameters. The file size limit is 10MB. Select criteria to determine if the test succeeds or fails. If the test does not meet the criteria set, the test fails. Starting an HTTPS CC test The HTTPS CC test is the same as the HTTP CC test, except that it uses HTTPS traffic and the MTU is editable. To start an HTTPS CC test: 1. Go to Cases > HTTPS > CC to display the test case summary page. 2. Click Add to display the Case Options dialog box. 3. In the popup dialog, configure the network settings as described in "Using network configuration templates" on page Click OK to continue. 5. Configure the test case options as described in Table Click Start to run the test case. FortiTester saves the configuration automatically so you can run the test again later. You can also click Save to save the test case without running it. Tip: You can also copy an existing case, and change its settings to create a new case. In the case list, click Clone to clone the configuration. Only the case name is different from the original case. 50 FortiTester Handbook

51 Starting an HTTPS CC test Chapter 2 - Running Tests Table 10: HTTPS CC Test Case configuration Basic Information Name Ping Server Timeout Duration Number of Samples Stopping Status in Second Specify the case name, or just use the default. The name appears in the list of test cases. If a FortiTester connects to a DUT via a switch, the switch might cause a ping timeout, resulting in the test case failing to run. If this occurs, increase the timeout. The default is 15 seconds. The valid range is 0 to 600.Note:You can disable this end-to-end connectivity test by entering a setting of 0. If the DUT is unable to return packets, it is recommended you do so. Specify the test duration. The default is 10 minutes. The test stops automatically after the duration you specify. Select the number of samples. The default is 20, which means the web UI will show the last 20 sample data (about 20 seconds) in the test case running page. You can select 20, 60, or 120. The maximum time out in seconds allotted for FortiTester to close all TCP connections after the test finishes. Network Client Ports, Server Ports The graphic depicts the test ports for client-side and server-side connections. The client ports simulate the behavior of clients; the server ports simulate the behavior of servers. FortiTester builds the TCP connections between client ports and server ports (and through the DUT, of course). You must select at least one client port and one server port. After you select a port for client, a (check mark) is displayed on the port icon, and a tab for the port is added below the graphic. Use the tabs to toggle the Capture Packets and Subnet controls for each port. Capture Packets Capture Packets Optional. Set packet capture options if you want to capture the traffic of this port. You can capture all packets or specify a number. You can set packet capture filters for host IP/port and protocol. Note: The system allocates temporary disk space for packet captures. The limit is 6,000,000 packets. The packets are saved to a temporary file that you can download from the running test case page. The filename indicates whether it is client or server communication and the interface port number. For example, client_port1.pcap. When a subsequent test case with packet capture enabled uses the same interface port as a previous one, the previous file is overwritten. FortiTester Handbook 51

52 Chapter 2 - Running Tests Starting an HTTPS CC test MAC Masquerade MAC Masquerade Specify the first two bytes of a MAC address for the traffic. QinQ Outer VLAN ID Specify a Service VLAN tag for FortiTester to use during the test. Virtual Router IP Address Specify the IP address to the virtual router. This IP address is used to connect to a DUT, therefore it must be in the same subnet with the connected port of the DUT. Please make sure the corresponding routing rules are set on the DUT, so that DUT correctly forwards traffic to the virtual router. Only a single IP address in format xxx.xxx.xxx.xxx is accepted here. Subnet Subnet IP Address or Range Translated To Specify a single IP address with standard format (for example, ) or an address range like NAT mode only. If the DUT uses SNAT/DNAT, specify the new, translated, IP address. Netmask Specify a netmask between 1 and 31. VLAN ID Specify a VLAN ID between 1 and Gateway Peer Network Proxy IP/Mask Add Subnet NAT mode only. Specify the gateway IP address. NAT mode only. Specify the peer network subnet address. Web Proxy mode only. Specify the proxy IP address/netmask. If necessary, click +Add Subnet to display additional subnet configuration controls. An interface port can have multiple subnets. FortiTester uses all IP addresses in the specified subnets to create TCP connections and transfer data. Load (Load) Simulated Users Number of users to simulate. 52 FortiTester Handbook

53 Starting an HTTPS CC test Chapter 2 - Running Tests Concurrent Connections Number of concurrent connections. Concurrent Close Number of connections to close at any given time. To avoid the DUT lost packet, the connection close operation will be performed batch by batch. Think Time The time in seconds that a simulated user waits between HTTP requests. The default is 5 seconds. Load (Limit) Speed Limit Rate of requests per second. The default is 0, which means the device will send traffic as fast as possible. Network MTU MSS Maximum Transmission Unit for a data packet. FortiTester does not send out data packets larger than this value. Most DUTs have a limit for packet size. The default is The valid range is from 1,280 to 9,000. The maximum segment size. If MSS is bigger than the MTU, IP fragmentation will be triggered conditionally. Profile (Client) Source Port Range Client Port Mode IP Change Algorithm / Port Change Algorithm Request Header Piggybacking IP Option DSCP Preset to Not configurable. Select the connection close method: 3Way_Fin or Reset. Determines how the system changes source/destination IP addresses and ports to simulate multiple client requests. Not configurable. The Random option selects an IP address or port in the range randomly. Preset to UserAgent: Firefox/41.0. Click the Add Header button to specify more headers. Enabled by default. Provide quality of service (QoS). FortiTester Handbook 53

54 Chapter 2 - Running Tests Starting an HTTPS throughput test Quiet Shutdown Allowed SSL Versions SSL Ciphers Enable to apply safe shutdown procedures to SSL connections by sending SSL alerts to the peer. Supported SSL version: SSLv3, TLSv1.0, TLSv1.1 and TLSv1.2. The default is TLSv1.2. Select one or more SSL ciphers from the list. Profile (Server) Server Port Server Certificate Response Header Piggybacking IP Option DSCP Preset to 80, 443. Not configurable. Length of SSL key for encryption/decryption. You may also import or download an SSL key. Preset to Server: nginx/1.9.5content-type:text/html. Click the Add Header button to specify more headers. Default enabled. Provide quality of service (QoS). Action Get page Select the file that the simulated clients access. The default is index.html with 4 bytes. Optionally, you can upload a customized HTML file. The file size limit is 10 MB Post page Success criteria Select the file that simulated servers send. The default is "index.php" with 4 bytes. You can edit the post parameters. The file size limit is 10MB. Select criteria to determine if the test succeeds or fails. If the test does not meet the criteria set, the test fails. Starting an HTTPS throughput test The HTTPS Throughput test is the same as the HTTP Throughput test, except that it uses HTTPS traffic and the MTU is editable. To start an HTTPS Throughput test: 1. Go to Cases > HTTPS > Throughput to display the test case summary page. 2. Click Add to display the Case Options dialog box. 3. In the popup dialog, configure the network settings as described in "Using network configuration templates" on page Click OK to continue. 5. Configure the test case options as described in Table Click Start to run the test case. 54 FortiTester Handbook

55 Starting an HTTPS throughput test Chapter 2 - Running Tests FortiTester saves the configuration automatically so you can run the test again later. You can also click Save to save the test case without running it. Tip: You can also copy an existing case, and change its settings to create a new case. In the case list, click Clone to clone the configuration. Only the case name is different from the original case. Table 11: HTTPS Throughput Test Case configuration Basic Information Name Ping Server Timeout Duration Number of Samples Stopping Status in Second Specify the case name, or just use the default. The name appears in the list of test cases. If a FortiTester connects to a DUT via a switch, the switch might cause a ping timeout, resulting in the test case failing to run. If this occurs, increase the timeout. The default is 15 seconds. The valid range is 0 to 600.Note:You can disable this end-to-end connectivity test by entering a setting of 0. If the DUT is unable to return packets, it is recommended you do so. Specify the test duration. The default is 10 minutes. The test stops automatically after the duration you specify. Select the number of samples. The default is 20, which means the web UI will show the last 20 sample data (about 20 seconds) in the test case running page. You can select 20, 60, or 120. The maximum time out in seconds allotted for FortiTester to close all TCP connections after the test finishes. Network Client Ports, Server Ports The graphic depicts the test ports for client-side and server-side connections. The client ports simulate the behavior of clients; the server ports simulate the behavior of servers. FortiTester builds the TCP connections between client ports and server ports (and through the DUT, of course). You must select at least one client port and one server port. After you select a port for client, a (check mark) is displayed on the port icon, and a tab for the port is added below the graphic. Use the tabs to toggle the Capture Packets and Subnet controls for each port. Capture Packets FortiTester Handbook 55

56 Chapter 2 - Running Tests Starting an HTTPS throughput test Capture Packets Optional. Set packet capture options if you want to capture the traffic of this port. You can capture all packets or specify a number. You can set packet capture filters for host IP/port and protocol. Note: The system allocates temporary disk space for packet captures. The limit is 6,000,000 packets. The packets are saved to a temporary file that you can download from the running test case page. The filename indicates whether it is client or server communication and the interface port number. For example, client_port1.pcap. When a subsequent test case with packet capture enabled uses the same interface port as a previous one, the previous file is overwritten. MAC Masquerade MAC Masquerade Specify the first two bytes of a MAC address for the traffic. QinQ Outer VLAN ID Specify a Service VLAN tag for FortiTester to use during the test. Virtual Router IP Address Specify the IP address to the virtual router. This IP address is used to connect to a DUT, therefore it must be in the same subnet with the connected port of the DUT. Please make sure the corresponding routing rules are set on the DUT, so that DUT correctly forwards traffic to the virtual router. Only a single IP address in format xxx.xxx.xxx.xxx is accepted here. Subnet Subnet IP Address or Range Translated To Specify a single IP address with standard format (for example, ) or an address range like NAT mode only. If the DUT uses SNAT/DNAT, specify the new, translated, IP address. Netmask Specify a netmask between 1 and 31. VLAN ID Specify a VLAN ID between 1 and Gateway Peer Network Proxy IP/Mask Add Subnet NAT mode only. Specify the gateway IP address. NAT mode only. Specify the peer network subnet address. Web Proxy mode only. Specify the proxy IP address/netmask. If necessary, click +Add Subnet to display additional subnet configuration controls. An interface port can have multiple subnets. FortiTester uses all IP addresses in the specified subnets to create TCP connections and transfer data. 56 FortiTester Handbook

57 Starting an HTTPS throughput test Chapter 2 - Running Tests Load (Load) Simulated Users Number of users to simulate. Load (Limit) Bandwidth Limit Bandwidth in Mbps. The default is 0, which means the device will send traffic as fast as possible. Ramp Up Time Ramp Down Time Time (in seconds) for traffic to ramp up when you start the test. Time (in seconds) for traffic to ramp down when you stop the test. Network MTU MSS Maximum Transmission Unit for a data packet. FortiTester does not send out data packets larger than this value. Most DUTs have a limit for packet size. The default is The valid range is from 1,280 to 9,000. The maximum segment size. If MSS is bigger than the MTU, IP fragmentation will be triggered conditionally. Profile (Client) Source Port Range Client Port Mode IP Change Algorithm / Port Change Algorithm Request Header Piggybacking IP Option DSCP Quiet Shutdown Preset to Not configurable. Select the connection close method: 3Way_Fin or Reset. Determines how the system changes source/destination IP addresses and ports to simulate multiple client requests. Not configurable. The Random option selects an IP address or port in the range randomly. Preset to UserAgent: Firefox/41.0. Click the Add Header button to specify more headers. Default enabled. Provide quality of service (QoS). Enable to apply safe shutdown procedure to SSL connections by sending SSL alert to the peer. FortiTester Handbook 57

58 Chapter 2 - Running Tests Starting an IPsec remote access test Allowed SSL Versions SSL Ciphers Supported SSL version: SSLv3, TLSv1.0, TLSv1.1 and TLSv1.2. The default is TLSv1.2. Select one or more SSL ciphers from the list. Profile (Server) Server Port Server Certificate Response Header Piggybacking IP Option DSCP Preset to 80, 443. Not configurable. Length of SSL key for encryption/decryption. You may also import or download an SSL key. Preset to Server: nginx/1.9.5content-type:text/html. Click the Add Header button to specify more headers. Default enabled. Provide quality of service (QoS). Action Get page Select the file that the simulated clients access. The default is index.html with 4 bytes. Optionally, you can upload a customized HTML file. The file size limit is 10 MB Post page Success criteria Select the file that simulated servers send. The default is "index.php" with 4 bytes. You can edit the post parameters. The file size limit is 10MB. Select criteria to determine if the test succeeds or fails. If the test does not meet the criteria set, the test fails. Starting an IPsec remote access test FortiTester tests IPSec remote access by establishing a remote access IPSec tunnel, completes a full set of HTTP transactions (TCP connection, HTTP request, HTTP response, TCP connection close) through the tunnel, and terminates the tunnel. To start a remote access test: 1. Go to Cases > IPSec > Remote Access to display the test case summary page. 2. Click Add to display the Case Options dialog box. 3. In the pop-up dialog, configure the network settings as described in "Using network configuration templates" on page Click OK to continue. 5. Configure the test case options described in Table Click Start to run the test case. 58 FortiTester Handbook

59 Starting an IPsec remote access test Chapter 2 - Running Tests FortiTester saves the configuration automatically so you can run the test again later. You can also click Save to save the test case without running it. Below is a sample FortiGate IPsec configuration for the VPN gateway. FortiTester uses Fortitester as its ID. However, in this configuration the VPN gateway uses IKE version 1 Aggressive mode, and it is configured to accept any peer ID. The VPN gateway IP is configured as a secondary IP address, and this is used as the local gateway in the phase 1 config. config system interface edit "port33" set ip set allowaccess ping set secondary-ip enable config secondaryip edit 1 set ip set allowaccess ping next end next end config system interface edit "port35" set ip set allowaccess ping next end config vpn ipsec phase1-interface edit "tester" set type dynamic set interface "port33" set ike-version 2 set local-gw set peertype any set psksecret fortinet next end config vpn ipsec phase2-interface edit "tester" set phase1name "tester" next end config firewall policy edit 1 set srcintf "any" set dstintf "any" set srcaddr "all" set dstaddr "all" set action accept set schedule "always" set service "ALL" set logtraffic disable next end FortiTester Handbook 59

60 Chapter 2 - Running Tests Starting an IPsec remote access test Tip: You can also copy an existing case, and change its settings to create a new case. In the case list, click Clone to clone the configuration. Only the case name is different from the original case. Table 12: IPSec Remote Access Test Case configuration Basic Information Name Ping Server Timeout Duration Number of Samples Specify the case name, or just use the default. The name appears in the list of test cases. If a FortiTester connects to a DUT via a switch, the switch might cause a ping timeout, resulting in the test case failing to run. If this occurs, increase the timeout. The default is 15 seconds. The valid range is 0 to 600.Note:You can disable this end-to-end connectivity test by entering a setting of 0. If the DUT is unable to return packets, it is recommended you do so. Specify the test duration. The default is 10 minutes. The test stops automatically after the duration you specify. Select the number of samples. The default is 20, which means the web UI will show the last 20 sample data (about 20 seconds) in the test case running page. You can select 20, 60, or 120. Network Client Ports, Server Ports The graphic depicts the test ports for client-side and server-side connections. The client ports simulate the behavior of clients; the server ports simulate the behavior of servers. FortiTester builds the TCP connections between client ports and server ports (and through the DUT, of course). You must select at least one client port and one server port. After you select a port for client, a (check mark) is displayed on the port icon, and a tab for the port is added below the graphic. Use the tabs to toggle the Capture Packets and Subnet controls for each port. Capture Packets 60 FortiTester Handbook

61 Starting an IPsec remote access test Chapter 2 - Running Tests Capture Packets Optional. Set packet capture options if you want to capture the traffic of this port. You can capture all packets or specify a number. You can set packet capture filters for host IP/port and protocol. Note: The system allocates temporary disk space for packet captures. The limit is 6,000,000 packets. The packets are saved to a temporary file that you can download from the running test case page. The filename indicates whether it is client or server communication and the interface port number. For example, client_port1.pcap. When a subsequent test case with packet capture enabled uses the same interface port as a previous one, the previous file is overwritten. MAC Masquerade MAC Masquerade Specify the first two bytes of a MAC address for the traffic. Subnet Subnet IP Address or Range Specify a single IP address with standard format (for example, ) or an address range like Netmask Specify a netmask between 1 and 31. Peer Network VPN Gateway Add Subnet NAT mode only. Specify the peer network subnet address. NAT mode only. Specify the gateway IP address. If necessary, click +Add Subnet to display additional subnet configuration controls. An interface port can have multiple subnets. FortiTester uses all IP addresses in the specified subnets to create TCP connections and transfer data. Load (Load) Simulated Users Number of users to simulate. IKE Version Select either version 1 or 2. Authentication Method Select either PSK (Pre-shared Key) or Signature. If using a Signature you will need to import a client and server certificate. Load (Limit) FortiTester Handbook 61

62 Chapter 2 - Running Tests Starting an IPsec remote access CC test Speed Limit Applies only when DDoS type is TCP Session Flood or HTTP Session Flood. Rate of new connections per second. The default is 0, which means the device will create connections as fast as possible. Network Network MTU Maximum Transmission Unit for a data packet. FortiTester does not send out data packets larger than this value. Most DUTs have a limitation for packet size. The default is 1500.Not configurable. Profile (Client) Source Port Range IP Change Algorithm / Port Change Algorithm Specify a client port range. The valid range is 10,000 to 65,535, which is also the default. Select a change algorithm: Increment or Random. This setting determines how the system changes source/destination IP addresses and ports to simulate multiple client requests. The Increment option uses the next IP address or port in the range, for example: > ; port > The Random option selects an IP address or port in the range randomly. Profile (Server) Server Port Preset to 80. Not configurable. Action Request Page Select either System Pages or upload your own pages. Starting an IPsec remote access CC test FortiTester tests IPSec remote access tunnel concurrent connections (CC) by establishing a remote access IPSec tunnel, completes a full set of HTTP transaction (TCP connection, HTTP request, HTTP response, and TCP connection close) through the tunnel, and terminates the tunnel. To start a remote access CC test: 1. Go to Cases > IPSec > Remote Access CC to display the test case summary page. 2. Click Add to display the Case Options dialog box. 3. In the pop-up dialog, configure the network settings as described in "Using network configuration templates" on page Click OK to continue. 5. Configure the test case options described intable Click Start to run the test case. 62 FortiTester Handbook

63 Starting an IPsec remote access CC test Chapter 2 - Running Tests FortiTester saves the configuration automatically so you can run the test again later. You can also click Save to save the test case without running it. Below is a sample FortiGate IPsec configuration for the VPN gateway. FortiTester uses FortiTester as its ID, however in this configuration the VPN gateway uses IKE version 1 Aggressive mode, and is configured to accept any peer ID. The VPN gateway IP is configured as a secondary IP address and this is used as the local gateway in the phase 1 config. config system interface edit "port33" set ip set allowaccess ping set secondary-ip enable config secondaryip edit 1 set ip set allowaccess ping next end next end config system interface edit "port35" set ip set allowaccess ping next end config vpn ipsec phase1-interface edit "tester" set type dynamic set interface "port33" set ike-version 2 set local-gw set peertype any set psksecret fortinet next end config vpn ipsec phase2-interface edit "tester" set phase1name "tester" next end config firewall policy edit 1 set srcintf "any" set dstintf "any" set srcaddr "all" set dstaddr "all" set action accept set schedule "always" set service "ALL" set logtraffic disable next end FortiTester Handbook 63

64 Chapter 2 - Running Tests Starting an IPsec remote access CC test Tip: You can also copy an existing case, and change its settings to create a new case. In the case list, click Clone to clone the configuration. Only the case name is different from the original case. Table 13: IPSec Remote Access CC Test Case configuration Basic Information Name Ping Server Timeout Duration Number of Samples Specify the case name, or just use the default. The name appears in the list of test cases. If a FortiTester connects to a DUT via a switch, the switch might cause a ping timeout, resulting in the test case failing to run. If this occurs, increase the timeout. The default is 15 seconds. The valid range is 0 to 600.Note:You can disable this end-to-end connectivity test by entering a setting of 0. If the DUT is unable to return packets, it is recommended you do so. Specify the test duration. The default is 10 minutes. The test stops automatically after the duration you specify. Select the number of samples. The default is 20, which means the web UI will show the last 20 sample data (about 20 seconds) in the test case running page. You can select 20, 60, or 120. Network Client Ports, Server Ports The graphic depicts the test ports for client-side and server-side connections. The client ports simulate the behavior of clients; the server ports simulate the behavior of servers. FortiTester builds the TCP connections between client ports and server ports (and through the DUT, of course). You must select at least one client port and one server port. After you select a port for client, a (check mark) is displayed on the port icon, and a tab for the port is added below the graphic. Use the tabs to toggle the Capture Packets and Subnet controls for each port. Capture Packets 64 FortiTester Handbook

65 Starting an IPsec remote access CC test Chapter 2 - Running Tests Capture Packets Optional. Set packet capture options if you want to capture the traffic of this port. You can capture all packets or specify a number. You can set packet capture filters for host IP/port and protocol. Note: The system allocates temporary disk space for packet captures. The limit is 6,000,000 packets. The packets are saved to a temporary file that you can download from the running test case page. The filename indicates whether it is client or server communication and the interface port number. For example, client_port1.pcap. When a subsequent test case with packet capture enabled uses the same interface port as a previous one, the previous file is overwritten. MAC Masquerade MAC Masquerade Specify the first two bytes of a MAC address for the traffic. Subnet Subnet IP Address or Range Specify a single IP address with standard format (for example, ) or an address range like Netmask Specify a netmask between 1 and 31. Peer Network VPN Gateway Add Subnet NAT mode only. Specify the peer network subnet address. NAT mode only. Specify the gateway IP address. If necessary, click +Add Subnet to display additional subnet configuration controls. An interface port can have multiple subnets. FortiTester uses all IP addresses in the specified subnets to create TCP connections and transfer data. Load (Load) Tunnel Concurrent Connections Number of tunnel concurrent connections. Think Time Delay in seconds between client HTTP requests. IKE Version Select either version 1 or 2. Authentication Method Select either PSK (Pre-shared Key) or Signature. If using a Signature you will need to import a client and server certificate. Load (Limit) FortiTester Handbook 65

66 Chapter 2 - Running Tests Starting a UDP PPS test Speed Limit Applies only when DDoS type is TCP Session Flood or HTTP Session Flood. Rate of new connections per second. The default is 0, which means the device will create connections as fast as possible. Network Network MTU Maximum Transmission Unit for a data packet. FortiTester does not send out data packets larger than this value. Most DUTs have a limitation for packet size. The default is Not configurable. Profile (Client) Source Port Range IP Change Algorithm / Port Change Algorithm Specify a client port range. The valid range is 10,000 to 65,535, which is also the default. Select a change algorithm: Increment or Random. This setting determines how the system changes source/destination IP addresses and ports to simulate multiple client requests. The Increment option uses the next IP address or port in the range, for example: > ; port > The Random option selects an IP address or port in the range randomly. Profile (Server) Server Port Preset to 80. Not configurable. Action Request Page Select either System Pages or upload your own pages. Starting a UDP PPS test FortiTester tests UDP throughput by sending a specified size of UDP frames at a maximum or limited speed from simulated clients to simulated servers. To start a UDP PPS test: 1. Go to Cases > UDP > PPS to display the test case summary page. 2. Click Add to display the Case Options dialog box. 3. In the popup dialog,configure the network settings as described in "Using network configuration templates" on page Click OK to continue. 5. Configure the test case options described in Table Click Start to run the test case. 66 FortiTester Handbook

67 Starting a UDP PPS test Chapter 2 - Running Tests FortiTester saves the configuration automatically so you can run the test again later. You can also click Save to save the test case without running it. Tip: You can also copy an existing case, and change its settings to create a new case. In the case list, click Clone to clone the configuration. Only the case name is different from the original case. Table 14: UDP PPS Test Case configuration Basic Information Name Ping Server Timeout Duration Number of Samples Stopping Status in Second Specify the case name, or just use the default. The name appears in the list of test cases. If a FortiTester connects to a DUT via a switch, the switch might cause a ping timeout, resulting in the test case failing to run. If this occurs, increase the timeout. The default is 15 seconds. The valid range is 0 to 600.Note:You can disable this end-to-end connectivity test by entering a setting of 0. If the DUT is unable to return packets, it is recommended you do so. Specify the test duration. The default is 10 minutes. The test stops automatically after the duration you specify. Select the number of samples. The default is 20, which means the web UI will show the last 20 sample data (about 20 seconds) in the test case running page. You can select 20, 60, or 120. The maximum time out in seconds allotted for FortiTester to close all TCP connections after the test finishes. Network Client Ports, Server Ports The graphic depicts the test ports for client-side and server-side connections. The client ports simulate the behavior of clients; the server ports simulate the behavior of servers. FortiTester builds the TCP connections between client ports and server ports (and through the DUT, of course). You must select at least one client port and one server port. After you select a port for client, a (check mark) is displayed on the port icon, and a tab for the port is added below the graphic. Use the tabs to toggle the Capture Packets and Subnet controls for each port. Capture Packets FortiTester Handbook 67

68 Chapter 2 - Running Tests Starting a UDP PPS test Capture Packets Optional. Set packet capture options if you want to capture the traffic of this port. You can capture all packets or specify a number. You can set packet capture filters for host IP/port and protocol. Note: The system allocates temporary disk space for packet captures. The limit is 6,000,000 packets. The packets are saved to a temporary file that you can download from the running test case page. The filename indicates whether it is client or server communication and the interface port number. For example, client_port1.pcap. When a subsequent test case with packet capture enabled uses the same interface port as a previous one, the previous file is overwritten. MAC Masquerade MAC Masquerade Specify the first two bytes of a MAC address for the traffic. QinQ Outer VLAN ID Specify a Service VLAN tag for FortiTester to use during the test. Virtual Router IP Address Specify the IP address to the virtual router. This IP address is used to connect to a DUT, therefore it must be in the same subnet with the connected port of the DUT. Please make sure the corresponding routing rules are set on the DUT, so that DUT correctly forwards traffic to the virtual router. Only a single IP address in format xxx.xxx.xxx.xxx is accepted here. Subnet Subnet IP Address or Range Translated To Specify a single IP address with standard format (for example, ) or an address range like NAT mode only. If the DUT uses SNAT/DNAT, specify the new, translated, IP address. Netmask Specify a netmask between 1 and 31. VLAN ID Specify a VLAN ID between 1 and Gateway Peer Network Add Subnet NAT mode only. Specify the gateway IP address. NAT mode only. Specify the peer network subnet address. If necessary, click +Add Subnet to display additional subnet configuration controls. An interface port can have multiple subnets. FortiTester uses all IP addresses in the specified subnets to create UDP connections and transfer data. Load (Load) 68 FortiTester Handbook

69 Starting a UDP PPS test Chapter 2 - Running Tests Simulated Users Number of users to simulate. UDP Package Size The default is 64 bytes. The valid range is 64 to Dual Traffic Mode When disabled (and also by default), traffic will only be sent out from the client side to the server side; but when enabled, traffic will also be sent out from the server side to the client side. Enable to generate bidirectional UDP traffic between client and server sides. Each side generates and receives UDP packets. Load (Limit) Bandwidth Limit The default is 0, which means the maximum possible. The unit is Mbps. Ramp Up Time Ramp Down Time Time in seconds for traffic to ramp up when you start the test. Time in seconds for traffic to ramp down when you stop the test. Network MTU Maximum Transmission Unit for a data packet. FortiTester does not send out data packets larger than this value. Most DUTs have a limit for packet size. The default is The valid range is from 1,280 to 9,000. Profile (Client) Source Port Range IP Change Algorithm / Port Change Algorithm IP Option DSCP Specify a client port range. The valid range is 10,000 to 65,535, which is also the default. Determines how the system changes source/destination IP addresses and ports to simulate multiple client requests. Preset to Increment. Not configurable. The Increment option uses the next IP address or port in the range, for example: > ; port > Provide quality of service (QoS) Profile (Server) Server Port The default is 6,001. The valid range is from 0 to 65,535. IP Option DSCP Provide quality of service (QoS) FortiTester Handbook 69

70 Chapter 2 - Running Tests Starting a UDP Payload test Starting a UDP Payload test FortiTester tests UDP payload by sending UDP frames with the specified payload from the client ports to the server ports. To start a UDP payload test: 1. Go to Cases > UDP > Payload to display the test case summary page. 2. Click Add to display the Case Options dialog box. 3. In the popup dialog, configure the network settings as described in "Using network configuration templates" on page Click OK to continue. 5. Configure the test case options described in Table Click Start to run the test case. FortiTester saves the configuration automatically so you can run the test again later. You can also click Save to save the test case without running it. Tip: You can also copy an existing case, and change its settings to create a new case. In the case list, click Clone to clone the configuration. Only the case name is different from the original case. Table 15: UDP Payload Test Case configuration Basic Information Name Ping Server Timeout Duration Number of Samples Stopping Status in Second Specify the case name, or just use the default. The name appears in the list of test cases. If a FortiTester connects to a DUT via a switch, the switch might cause a ping timeout, resulting in the test case failing to run. If this occurs, increase the timeout. The default is 15 seconds. The valid range is 0 to 600.Note:You can disable this end-to-end connectivity test by entering a setting of 0. If the DUT is unable to return packets, it is recommended you do so. Specify the test duration. The default is 10 minutes. The test stops automatically after the duration you specify. Select the number of samples. The default is 20, which means the web UI will show the last 20 sample data (about 20 seconds) in the test case running page. You can select 20, 60, or 120. The maximum time out in seconds allotted for FortiTester to close all TCP connections after the test finishes. 70 FortiTester Handbook

71 Starting a UDP Payload test Chapter 2 - Running Tests Network Client Ports, Server Ports The graphic depicts the test ports for client-side and server-side connections. The client ports simulate the behavior of clients; the server ports simulate the behavior of servers. FortiTester builds the TCP connections between client ports and server ports (and through the DUT, of course). You must select at least one client port and one server port. After you select a port for client, a (check mark) is displayed on the port icon, and a tab for the port is added below the graphic. Use the tabs to toggle the Capture Packets and Subnet controls for each port. Capture Packets Capture Packets Optional. Set packet capture options if you want to capture the traffic of this port. You can capture all packets or specify a number. You can set packet capture filters for host IP/port and protocol. Note: The system allocates temporary disk space for packet captures. The limit is 6,000,000 packets. The packets are saved to a temporary file that you can download from the running test case page. The filename indicates whether it is client or server communication and the interface port number. For example, client_port1.pcap. When a subsequent test case with packet capture enabled uses the same interface port as a previous one, the previous file is overwritten. MAC Masquerade MAC Masquerade Specify the first two bytes of a MAC address for the traffic. QinQ Outer VLAN ID Specify a Service VLAN tag for FortiTester to use during the test. Virtual Router IP Address Specify the IP address to the virtual router. This IP address is used to connect to a DUT, therefore it must be in the same subnet with the connected port of the DUT. Please make sure the corresponding routing rules are set on the DUT, so that DUT correctly forwards traffic to the virtual router. Only a single IP address in format xxx.xxx.xxx.xxx is accepted here. Subnet Subnet IP Address or Range Translated To Specify a single IP address with standard format (for example, ) or an address range like NAT mode only. If the DUT uses SNAT/DNAT, specify the new, translated, IP address. FortiTester Handbook 71

72 Chapter 2 - Running Tests Starting a UDP Payload test Netmask Specify a netmask between 1 and 31. VLAN ID Specify a VLAN ID between 1 and Gateway Peer Network Add Subnet NAT mode only. Specify the gateway IP address. NAT mode only. Specify the peer network subnet address. If necessary, click +Add Subnet to display additional subnet configuration controls. An interface port can have multiple subnets. FortiTester uses all IP addresses in the specified subnets to create UDP connections and transfer data. Load (Load) Payload Simulated Users Use the plain text predefined format to specify the payload. Number of users to simulate. Load (Limit) Bandwidth Limit The default is 0, which means the maximum possible. The unit is Mbps. Ramp Up Time Ramp Down Time Time in seconds for traffic to ramp up when you start the test. Time in seconds for traffic to ramp down when you stop the test. Network MTU Maximum Transmission Unit for a data packet. FortiTester does not send out data packets larger than this value. Most DUTs have a limit for packet size. The default is The valid range is from 1,280 to 9,000. Profile (Client) Source Port Range IP Change Algorithm / Port Change Algorithm Specify a client port range. The valid range is 10,000 to 65,535, which is also the default. Determines how the system changes source/destination IP addresses and ports to simulate multiple client requests. Preset to Increment. Not configurable. The Increment option uses the next IP address or port in the range, for example: > ; port > FortiTester Handbook

73 Starting an RFC 2544 base value test Chapter 2 - Running Tests IP Option DSCP Provide quality of service (QoS) Profile (Server) Server Port The default is 514. The valid range is 0 to 65,535. IP Option DSCP Provide quality of service (QoS) Starting an RFC 2544 base value test Before starting an RFC 2544 test, determine the performance and limitations for your specific network topology and use this information to begin testing. NOTE: The RFC 2544 base-value test case can be done back-to-back (using a cross-over cable). Its purpose is to calculate the latency of FortiTester itself, as well as the transceivers used. FortiTester's latency, from the selected base-value test results, is then subtracted from the DUT latency test results. Furthermore, FortiTester cannot perform at line rate for some RFC 2544 configurations, such as bidirectional traffic, and 64-byte packets. Therefore, the basevalue test case identifies the maximum bandwidth, without packet loss, which will then be used for RFC 2544 tests, unless this value is overridden with a manual configuration. To start an RFC 2544 base value test: 1. Go to Cases > UDP > RFC 2544 > Base Value to display the test case summary page. 2. Click Add to display the Case Options dialog box. 3. In the pop-up dialog, configure the network settings as described in "Using network configuration templates" on page Click OK to continue. 5. Configure the test case options described in Table Click Start to run the test case. FortiTester saves the configuration automatically so you can run the test again later. You can also click Save to save the test case without running it. Tip: You can also copy an existing case, and change its settings to create a new case. In the case list, click Clone to clone the configuration. Only the case name is different from the original case. Table 16: RFC 2544 Base Value Test Case configuration Basic Information FortiTester Handbook 73

74 Chapter 2 - Running Tests Starting an RFC 2544 base value test Name Ping Server Timeout Stopping Status in Second Specify the case name, or just use the default. The name appears in the list of test cases. If a FortiTester connects to a DUT via a switch, the switch might cause a ping timeout, resulting in the test case failing to run. If this occurs, increase the timeout. The default is 15 seconds. The valid range is 0 to 600.Note:You can disable this end-to-end connectivity test by entering a setting of 0. If the DUT is unable to return packets, it is recommended you do so. The maximum time out in seconds allotted for FortiTesterto close all TCP connections after the test finishes. Network Client Ports, Server Ports The graphic depicts the test ports for client-side and server-side connections. The client ports simulate the behavior of clients; the server ports simulate the behavior of servers. FortiTester builds the TCP connections between client ports and server ports (and through the DUT, of course). You must select at least one client port and one server port. After you select a port for client, a (check mark) is displayed on the port icon, and a tab for the port is added below the graphic. Use the tabs to toggle the Capture Packets and Subnet controls for each port. Capture Packets Capture Packets Optional. Set packet capture options if you want to capture the traffic of this port. You can capture all packets or specify a number. You can set packet capture filters for host IP/port and protocol. Note: The system allocates temporary disk space for packet captures. The limit is 6,000,000 packets. The packets are saved to a temporary file that you can download from the running test case page. The filename indicates whether it is client or server communication and the interface port number. For example, client_port1.pcap. When a subsequent test case with packet capture enabled uses the same interface port as a previous one, the previous file is overwritten. MAC Masquerade MAC Masquerade Specify the first two bytes of a MAC address for the traffic. QinQ Outer VLAN ID Specify a Service VLAN tag for FortiTester to use during the test. Subnet 74 FortiTester Handbook

75 Starting an RFC 2544 base value test Chapter 2 - Running Tests Subnet IP Address or Range Specify a single IP address with standard format (for example, ) or an address range like Netmask Specify a netmask between 1 and 31. VLAN ID Specify a VLAN ID between 1 and Load Simulated Users Number of users to simulate. Latency Traffic Direction Frame Size Adds a little traffic from server to client for packet latency counting in Unidirectional mode. Specify the direction of traffic flow Unit: bytes Traffic Cycle Time Traffic burst duration in seconds for each frame size. (minimum of 10) Traffic Stop Wait Time Maximum Traffic Cycle Maximum Send Speed Wait time for packet transmitting in seconds after traffic stop. (range: 2-300) Maximum traffic cycle for each frame size. (minimum 1) Speed in Mbps. Choose 0 for a maximum send speed of 40,000 Mbps. Network Network MTU The default is Not configurable. Profile (Client) Source Port Range IP Change Algorithm / Port Change Algorithm Specify a client port range. The valid range is 10,000 to 65,535, which is also the default. Select a change algorithm: Increment or Random. This setting determines how the system changes source/destination IP addresses and ports to simulate multiple client requests. The Increment option uses the next IP address or port in the range, for example: > ; port > The Random option selects an IP address or port in the range randomly. FortiTester Handbook 75

76 Chapter 2 - Running Tests Starting an RFC 2544 throughput test IP Option DSCP Provide quality of service (QoS) Profile (Server) Server Port IP Option DSCP Preset. Not configurable. Provide quality of service (QoS) Starting an RFC 2544 throughput test FortiTester tests the ability of the DUT to handle different types of RFC 2544 throughput. According to RFC2544, throughput is the fastest rate for the number of test frames transmitted by the DUT, which is equal to the number of test frames sent to it by the test equipment. To start a throughput test: 1. Go to Cases > UDP > RFC 2544 > Throughput to display the test case summary page. 2. Click Add to display the Case Options dialog box. 3. Select the base value test case results to use for calculating the performance of the DUT in this test. 4. In the pop-up dialog, configure DUT Working Mode as TP or NAT. Note: The system automatically populates all the other options with values taken from the selected base value test. 5. Click OK to continue. 6. Configure the test case options described in Table 17. Many of the specific settings will depend upon the base value test case results chosen. 7. Click Start to run the test case. FortiTester saves the configuration automatically so you can run the test again later. You can also click Save to save the test case without running it. Tip: You can also copy an existing case, and change its settings to create a new case. In the case list, click Clone to clone the configuration. Only the case name is different from the original case. Table 17: RFC 2544 Throughput Test Case configuration Basic Information Name Specify the case name, or just use the default. The name appears in the list of test cases. 76 FortiTester Handbook

77 Starting an RFC 2544 throughput test Chapter 2 - Running Tests Ping Server Timeout Stopping Status in Second If a FortiTester connects to a DUT via a switch, the switch might cause a ping timeout, resulting in the test case failing to run. If this occurs, increase the timeout. The default is 15 seconds. The valid range is 0 to 600.Note:You can disable this end-to-end connectivity test by entering a setting of 0. If the DUT is unable to return packets, it is recommended you do so. The maximum time out in seconds allotted for FortiTesterto close all TCP connections after the test finishes. Network Client Ports, Server Ports The graphic depicts the test ports for client-side and server-side connections. The client ports simulate the behavior of clients; the server ports simulate the behavior of servers. FortiTester builds the TCP connections between client ports and server ports (and through the DUT, of course). You must select at least one client port and one server port. After you select a port for client, a (check mark) is displayed on the port icon, and a tab for the port is added below the graphic. Use the tabs to toggle the Capture Packets and Subnet controls for each port. Capture Packets Capture Packets Optional. Set packet capture options if you want to capture the traffic of this port. You can capture all packets or specify a number. You can set packet capture filters for host IP/port and protocol. Note: The system allocates temporary disk space for packet captures. The limit is 6,000,000 packets. The packets are saved to a temporary file that you can download from the running test case page. The filename indicates whether it is client or server communication and the interface port number. For example, client_port1.pcap. When a subsequent test case with packet capture enabled uses the same interface port as a previous one, the previous file is overwritten. MAC Masquerade MAC Masquerade Specify the first two bytes of a MAC address for the traffic. QinQ Outer VLAN ID Specify a Service VLAN tag for FortiTester to use during the test. Subnet Subnet IP Address or Range Specify a single IP address with standard format (for example, ) or an address range like Netmask Specify a netmask between 1 and 31. FortiTester Handbook 77

78 Chapter 2 - Running Tests Starting an RFC 2544 throughput test Gateway Peer Network NAT mode only. Specify the gateway IP address. NAT mode only. Specify the peer network subnet address. VLAN ID Specify a VLAN ID between 1 and Load Simulated Users Number of users to simulate. Standalone mode: The default is 256. The valid range is from 1 to Test Center mode: The default is 512, and the valid range is from 1 to 2048, for example, for an environment with two FortiTester appliances. Traffic Direction Frame Size Specify the direction of traffic flow Unit: bytes Traffic Cycle Time Traffic burst duration in seconds for each frame size. (minimum of 10) Traffic Stop Wait Time Maximum Traffic Cycle Acceptable Packet Loss Rate Maximum Send Speed Traffic Speed Granularity Wait time for packet transmitting after traffic stop, in seconds. (range: 2-300) Maximum traffic cycle for each frame size. (minimum 1) Percentage of packets that can be lost. Speed in Mbps. A setting of 0 means throughput speed is copied from the BaseValue case. Traffic speed per cycle. 0 means sending speed in the next traffic cycle is equal to "Receive Mbps" in the previous cycle is the sending speed float percentage of maximum speed in the next cycle. Network Network MTU The default is Not configurable. Profile (Client) Source Port Range Specify a client port range. The valid range is 10,000 to 65,535, which is also the default. 78 FortiTester Handbook

79 Starting an RFC 2544 latency test Chapter 2 - Running Tests IP Change Algorithm / Port Change Algorithm IP Option DSCP Select a change algorithm: Increment or Random. This setting determines how the system changes source/destination IP addresses and ports to simulate multiple client requests. The Increment option uses the next IP address or port in the range, for example: > ; port > The Random option selects an IP address or port in the range randomly. Provide quality of service (QoS) Profile (Server) Server Port IP Option DSCP Preset. Not configurable. Provide quality of service (QoS) Starting an RFC 2544 latency test FortiTester tests the ability of the DUT to handle different types of RFC 2544 latency. According to RFC1242, for store and forward devices, latency is the time interval starting when the last bit of the input frame reaches the input port and ending when the first bit of the output frame is seen on the output port. To start a latency test: 1. Go to Cases > UDP > RFC 2544 > Latency to display the test case summary page. 2. Click Add to display the Case Options dialog box. 3. Select the base value test case results to use for calculating the performance of the DUT in this test. 4. In the pop-up dialog, configure DUT Working Mode as TP or NAT. Note: The system automatically populates all the other options with values taken from the selected base value test. 5. Click OK to continue. 6. Configure the test case options described in Table 18. Many of the specific settings will depend upon the base value test case results chosen. 7. Click Start to run the test case. FortiTester saves the configuration automatically so you can run the test again later. You can also click Save to save the test case without running it. Tip: You can also copy an existing case, and change its settings to create a new case. In the case list, click Clone to clone the configuration. Only the case name is different from the original case. Table 18: RFC 2544 Latency Test Case configuration FortiTester Handbook 79

80 Chapter 2 - Running Tests Starting an RFC 2544 latency test Basic Information Name Ping Server Timeout Stopping Status in Second Specify the case name, or just use the default. The name appears in the list of test cases. If a FortiTester connects to a DUT via a switch, the switch might cause a ping timeout, resulting in the test case failing to run. If this occurs, increase the timeout. The default is 15 seconds. The valid range is 0 to 600.Note:You can disable this end-to-end connectivity test by entering a setting of 0. If the DUT is unable to return packets, it is recommended you do so. The maximum time out in seconds allotted for FortiTesterto close all TCP connections after the test finishes. Network Client Ports, Server Ports The graphic depicts the test ports for client-side and server-side connections. The client ports simulate the behavior of clients; the server ports simulate the behavior of servers. FortiTester builds the TCP connections between client ports and server ports (and through the DUT, of course). You must select at least one client port and one server port. After you select a port for client, a (check mark) is displayed on the port icon, and a tab for the port is added below the graphic. Use the tabs to toggle the Capture Packets and Subnet controls for each port. Capture Packets Capture Packets Optional. Set packet capture options if you want to capture the traffic of this port. You can capture all packets or specify a number. You can set packet capture filters for host IP/port and protocol. Note: The system allocates temporary disk space for packet captures. The limit is 6,000,000 packets. The packets are saved to a temporary file that you can download from the running test case page. The filename indicates whether it is client or server communication and the interface port number. For example, client_port1.pcap. When a subsequent test case with packet capture enabled uses the same interface port as a previous one, the previous file is overwritten. MAC Masquerade MAC Masquerade Specify the first two bytes of a MAC address for the traffic. QinQ Outer VLAN ID Specify a Service VLAN tag for FortiTester to use during the test. Virtual Router 80 FortiTester Handbook

81 Starting an RFC 2544 latency test Chapter 2 - Running Tests IP Address Specify the IP address to the virtual router. This IP address is used to connect to a DUT, therefore it must be in the same subnet with the connected port of the DUT. Please make sure the corresponding routing rules are set on the DUT, so that DUT correctly forwards traffic to the virtual router. Only a single IP address in format xxx.xxx.xxx.xxx is accepted here. Subnet Subnet IP Address or Range Specify a single IP address with standard format (for example, ) or an address range like Netmask Specify a netmask between 1 and 31. Gateway Peer Network NAT mode only. Specify the gateway IP address. NAT mode only. Specify the peer network subnet address. VLAN ID Specify a VLAN ID between 1 and Load Simulated Users Number of users to simulate. Traffic Direction Frame Size Specify the direction of traffic flow Unit: bytes Traffic Cycle Time Traffic burst duration in seconds for each frame size. (minimum of 10) Traffic Stop Wait Time Maximum Traffic Cycle Maximum Send Speed Wait time for packet transmitting after traffic stop, in seconds. (range: 2-300) Maximum traffic cycle for each frame size. (minimum 1) Speed in Mbps. A setting of 0 means throughput speed is copied from the BaseValue case. Network Network MTU The default is Not configurable. Profile (Client) FortiTester Handbook 81

82 Chapter 2 - Running Tests Starting an RFC 2544 loss rate test Source Port Range IP Change Algorithm / Port Change Algorithm IP Option DSCP Specify a client port range. The valid range is 10,000 to 65,535, which is also the default. Select a change algorithm: Increment or Random. This setting determines how the system changes source/destination IP addresses and ports to simulate multiple client requests. The Increment option uses the next IP address or port in the range, for example: > ; port > The Random option selects an IP address or port in the range randomly. Provide quality of service (QoS) Profile (Server) Server Port IP Option DSCP Preset. Not configurable. Provide quality of service (QoS) Starting an RFC 2544 loss rate test FortiTester tests the ability of the DUT to handle different types of RFC 2544 loss rate. According to RFC2544, to determine the frame loss rate, as defined in RFC1242 of a DUT throughout the entire range of input data rates and frame sizes. To start a loss rate test: 1. Go to Cases > UDP > RFC 2544 > Loss Rate to display the test case summary page. 2. Click Add to display the Case Options dialog box. 3. Select the base value test case results to use for calculating the performance of the DUT in this test. 4. In the pop-up dialog, configure DUT Working Mode as TP or NAT. Note: The system automatically populates all the other options with values taken from the selected base value test. 5. Click OK to continue. 6. Configure the test case options described in Table 19. Many of the specific settings will depend upon the base value test case results chosen. 7. Click Start to run the test case. FortiTester saves the configuration automatically so you can run the test again later. You can also click Save to save the test case without running it. Tip: You can also copy an existing case, and change its settings to create a new case. In the case list, click Clone to clone the configuration. Only the case name is different from the original case. Table 19: RFC 2544 Loss Rate Test Case configuration 82 FortiTester Handbook

83 Starting an RFC 2544 loss rate test Chapter 2 - Running Tests Basic Information Name Ping Server Timeout Stopping Status in Second Specify the case name, or just use the default. The name appears in the list of test cases. If a FortiTester connects to a DUT via a switch, the switch might cause a ping timeout, resulting in the test case failing to run. If this occurs, increase the timeout. The default is 15 seconds. The valid range is 0 to 600.Note:You can disable this end-to-end connectivity test by entering a setting of 0. If the DUT is unable to return packets, it is recommended you do so. The maximum time out in seconds allotted for FortiTesterto close all TCP connections after the test finishes. Network Client Ports, Server Ports The graphic depicts the test ports for client-side and server-side connections. The client ports simulate the behavior of clients; the server ports simulate the behavior of servers. FortiTester builds the TCP connections between client ports and server ports (and through the DUT, of course). You must select at least one client port and one server port. After you select a port for client, a (check mark) is displayed on the port icon, and a tab for the port is added below the graphic. Use the tabs to toggle the Capture Packets and Subnet controls for each port. Capture Packets Capture Packets Optional. Set packet capture options if you want to capture the traffic of this port. You can capture all packets or specify a number. You can set packet capture filters for host IP/port and protocol. Note: The system allocates temporary disk space for packet captures. The limit is 6,000,000 packets. The packets are saved to a temporary file that you can download from the running test case page. The filename indicates whether it is client or server communication and the interface port number. For example, client_port1.pcap. When a subsequent test case with packet capture enabled uses the same interface port as a previous one, the previous file is overwritten. MAC Masquerade MAC Masquerade Specify the first two bytes of a MAC address for the traffic. QinQ Outer VLAN ID Specify a Service VLAN tag for FortiTester to use during the test. Virtual Router FortiTester Handbook 83

84 Chapter 2 - Running Tests Starting an RFC 2544 loss rate test IP Address Specify the IP address to the virtual router. This IP address is used to connect to a DUT, therefore it must be in the same subnet with the connected port of the DUT. Please make sure the corresponding routing rules are set on the DUT, so that DUT correctly forwards traffic to the virtual router. Only a single IP address in format xxx.xxx.xxx.xxx is accepted here. Subnet Subnet IP Address or Range Specify a single IP address with standard format (for example, ) or an address range like Netmask Specify a netmask between 1 and 31. VLAN ID Specify a VLAN ID between 1 and Gateway Peer Network NAT mode only. Specify the gateway IP address. NAT mode only. Specify the peer network subnet address. Load Simulated Users Number of users to simulate. Traffic Direction Frame Size Specify the direction of traffic flow Unit: bytes Traffic Cycle Time Traffic burst duration in seconds for each frame size. (minimum of 10) Traffic Stop Wait Time Maximum Traffic Cycle Acceptable Packet Loss Rate Correct Loss Rate Cycle Maximum Send Speed Wait time for packet transmitting after traffic stop, in seconds. (range: 2-300) Maximum traffic cycle for each frame size. (minimum 1) Percentage of packets that can be lost. The number of traffic cycles with less than acceptable loss rate for each frame size. Speed in Mbps. A setting of 0 means throughput speed is copied from the BaseValue case. 84 FortiTester Handbook

85 Starting an RFC 2544 back to back test Chapter 2 - Running Tests Traffic Speed Granularity Traffic speed per cycle. 0 means sending speed in the next traffic cycle is equal to "Receive Mbps" in the previous cycle is the sending speed float percentage of maximum speed in the next cycle. Network Network MTU The default is Not configurable. Profile (Client) Source Port Range IP Change Algorithm / Port Change Algorithm IP Option DSCP Specify a client port range. The valid range is 10,000 to 65,535, which is also the default. Select a change algorithm: Increment or Random. This setting determines how the system changes source/destination IP addresses and ports to simulate multiple client requests. The Increment option uses the next IP address or port in the range, for example: > ; port > The Random option selects an IP address or port in the range randomly. Provide quality of service (QoS) Profile (Server) Server Port IP Option DSCP Preset. Not configurable. Provide quality of service (QoS) Starting an RFC 2544 back to back test FortiTester tests the ability of the DUT to handle different types of RFC 2544 back to back. According to RFC 2544, to characterize the ability of a DUT to process back-to-back frames as defined in RFC To start an RFC 2544 back to back test: 1. Go to Cases > UDP > RFC 2544 > Back to Back to display the test case summary page. 2. Click Add to display the Case Options dialog box. 3. Select the base value test case results to use for calculating the performance of the DUT in this test. 4. In the pop-up dialog, configure DUT Working Mode as TP or NAT. Note: The system automatically populates all the other options with values taken from the selected base value test. 5. Click OK to continue. 6. Configure the test case options described in Table 20. Many of the specific settings will depend upon the base value test case results chosen. 7. Click Start to run the test case. FortiTester saves the configuration automatically so you can run the test again later. You can also click Save to save the test case without running it. FortiTester Handbook 85

86 Chapter 2 - Running Tests Starting an RFC 2544 back to back test Tip: You can also copy an existing case, and change its settings to create a new case. In the case list, click Clone to clone the configuration. Only the case name is different from the original case. Table 20: RFC 2544 back to back Test Case configuration Basic Information Name Ping Server Timeout Stopping Status in Second Specify the case name, or just use the default. The name appears in the list of test cases. If a FortiTester connects to a DUT via a switch, the switch might cause a ping timeout, resulting in the test case failing to run. If this occurs, increase the timeout. The default is 15 seconds. The valid range is 0 to 600.Note:You can disable this end-to-end connectivity test by entering a setting of 0. If the DUT is unable to return packets, it is recommended you do so. The maximum time out in seconds allotted for FortiTesterto close all TCP connections after the test finishes. Network Client Ports, Server Ports The graphic depicts the test ports for client-side and server-side connections. The client ports simulate the behavior of clients; the server ports simulate the behavior of servers. FortiTester builds the TCP connections between client ports and server ports (and through the DUT, of course). You must select at least one client port and one server port. After you select a port for client, a (check mark) is displayed on the port icon, and a tab for the port is added below the graphic. Use the tabs to toggle the Capture Packets and Subnet controls for each port. Capture Packets Capture Packets Optional. Set packet capture options if you want to capture the traffic of this port. You can capture all packets or specify a number. You can set packet capture filters for host IP/port and protocol. Note: The system allocates temporary disk space for packet captures. The limit is 6,000,000 packets. The packets are saved to a temporary file that you can download from the running test case page. The filename indicates whether it is client or server communication and the interface port number. For example, client_port1.pcap. When a subsequent test case with packet capture enabled uses the same interface port as a previous one, the previous file is overwritten. MAC Masquerade 86 FortiTester Handbook

87 Starting an RFC 2544 back to back test Chapter 2 - Running Tests MAC Masquerade Specify the first two bytes of a MAC address for the traffic. QinQ Outer VLAN ID Specify a Service VLAN tag for FortiTester to use during the test. Virtual Router IP Address Specify the IP address to the virtual router. This IP address is used to connect to a DUT, therefore it must be in the same subnet with the connected port of the DUT. Please make sure the corresponding routing rules are set on the DUT, so that DUT correctly forwards traffic to the virtual router. Only a single IP address in format xxx.xxx.xxx.xxx is accepted here. Subnet Subnet IP Address or Range Specify a single IP address with standard format (for example, ) or an address range like Netmask Specify a netmask between 1 and 31. VLAN ID Specify a VLAN ID between 1 and Load Simulated Users Number of users to simulate. Traffic Direction Frame Size Specify the direction of traffic flow. Unit: bytes Initial Traffic Cycle Time Traffic Stop Wait Time Maximum Traffic Cycle Acceptable Packet Loss Rate Traffic burst duration in seconds for each frame size. (minimum of 10) Wait time for packet transmitting after traffic stop, in seconds. (range: 2-300) Maximum traffic cycle for each frame size. (minimum 1) Percentage of packets that can be lost. FortiTester Handbook 87

88 Chapter 2 - Running Tests Starting a TCP throughput test Maximum Send Speed Duration Resolution Second Maximum Traffic Cycle Time Speed in Mbps. A setting of 0 means throughput speed is copied from the BaseValue case. Minimum test duration of traffic cycle for each frame size. Maximum traffic cycle, in seconds. Network Network MTU The default is Not configurable. Profile (Client) Source Port Range IP Change Algorithm / Port Change Algorithm IP Option DSCP Specify a client port range. The valid range is 10,000 to 65,535, which is also the default. Select a change algorithm: Increment or Random. This setting determines how the system changes source/destination IP addresses and ports to simulate multiple client requests. The Increment option uses the next IP address or port in the range, for example: > ; port > The Random option selects an IP address or port in the range randomly. Provide quality of service (QoS) Profile (Server) Server Port IP Option DSCP Preset. Not configurable. Provide quality of service (QoS) Starting a TCP throughput test FortiTester tests TCP throughput by generating a specified volume of two-way TCP traffic flow via specified ports. To start a TCP throughput test: 1. Go to Cases > TCP > Throughput to display the test case summary page. 2. Click Add to display the Case Options dialog box. 3. In the popup dialog, configure the network settings as described in "Using network configuration templates" on page Click OK to continue. 5. Configure the test case options described in Table Click Start to run the test case. 88 FortiTester Handbook

89 Starting a TCP throughput test Chapter 2 - Running Tests FortiTester saves the configuration automatically so you can run the test again later. You can also click Save to save the test case without running it. Tip: You can also copy an existing case, and change its settings to create a new case. In the case list, click Clone to clone the configuration. Only the case name is different from the original case. Table 21: TCP Throughput Test Case configuration Basic Information Name Ping Server Timeout Number of Samples Duration Stopping Status in Second Specify the case name, or just use the default. The name appears in the list of test cases. If a FortiTester connects to a DUT via a switch, the switch might cause a ping timeout, resulting in the test case failing to run. If this occurs, increase the timeout. The default is 15 seconds. The valid range is 0 to 600.Note:You can disable this end-to-end connectivity test by entering a setting of 0. If the DUT is unable to return packets, it is recommended you do so. Select the number of samples. The default is 20, which means the web UI will show the last 20 sample data (about 20 seconds) in the test case running page. You can select 20, 60, or 120. Specify the test duration. The default is 10 minutes. The test stops automatically after the duration you specify. The maximum time out in seconds allotted for FortiTester to close all TCP connections after the test finishes. Network Client Ports, Server Ports The graphic depicts the test ports for client-side and server-side connections. The client ports simulate the behavior of clients; the server ports simulate the behavior of servers. FortiTester builds the TCP connections between client ports and server ports (and through the DUT, of course). You must select at least one client port and one server port. After you select a port for client, a (check mark) is displayed on the port icon, and a tab for the port is added below the graphic. Use the tabs to toggle the Capture Packets and Subnet controls for each port. Capture Packets FortiTester Handbook 89

90 Chapter 2 - Running Tests Starting a TCP throughput test Capture Packets Optional. Set packet capture options if you want to capture the traffic of this port. You can capture all packets or specify a number. You can set packet capture filters for host IP/port and protocol. Note: The system allocates temporary disk space for packet captures. The limit is 6,000,000 packets. The packets are saved to a temporary file that you can download from the running test case page. The filename indicates whether it is client or server communication and the interface port number. For example, client_port1.pcap. When a subsequent test case with packet capture enabled uses the same interface port as a previous one, the previous file is overwritten. MAC Masquerade MAC Masquerade Specify the first two bytes of a MAC address for the traffic. QinQ Outer VLAN ID Specify a Service VLAN tag for FortiTester to use during the test. Virtual Router IP Address Specify the IP address to the virtual router. This IP address is used to connect to a DUT, therefore it must be in the same subnet with the connected port of the DUT. Please make sure the corresponding routing rules are set on the DUT, so that DUT correctly forwards traffic to the virtual router. Only a single IP address in format xxx.xxx.xxx.xxx is accepted here. Subnet IP Address or Range Translated To Specify a single IP address with standard format (for example, ) or an address range like NAT mode only. If the DUT uses SNAT/DNAT, specify the new, translated, IP address. Netmask Specify a netmask between 1 and 31. VLAN ID Specify a VLAN ID between 1 and Gateway Peer Network Add Subnet NAT mode only. Specify the gateway IP address. NAT mode only. Specify the peer network subnet address. If necessary, click +Add Subnet to display additional subnet configuration controls. An interface port can have multiple subnets. FortiTester uses all IP addresses in the specified subnets to create TCP connections and transfer data. Load (Load) 90 FortiTester Handbook

91 Starting a TCP throughput test Chapter 2 - Running Tests Simulated Users Number of users to simulate. Throughput Buffer Size Set the throughput buffer size. The valid range is from 64-10M. Load (Limit) Bandwidth Limit TCP data load. The default is the special value 0, which means to transfer as much data as FortiTester can generate. For all other values, the unit is Mbit per second. Ramp Up Time Ramp Down Time Time in seconds for traffic to ramp up when you start the test. Time in seconds for traffic to ramp down when you stop the test. Network MTU MSS Maximum Transmission Unit for a data packet. FortiTester does not send out data packets larger than this value. Most DUTs have a limitation for packet size. The default is Fortinet recommends that you use the default. The maximum segment size. If MSS is bigger than the MTU, IP fragmentation will be triggered conditionally. Profile (Client) Source Port Range IP Change Algorithm / Port Change Algorithm Client Close Mode IP Option DSCP Specify a client port range. The valid range is 10,000 to 65,535, which is also the default. Select a change algorithm: Increment or Random. This setting determines how the system changes source/destination IP addresses and ports to simulate multiple client requests. The Increment option uses the next IP address or port in the range, for example: > ; port > The Random option selects an IP address or port in the range randomly. Preset to Reset. Not configurable. Provide quality of service (QoS) Profile (Server) Server Port IP Option DSCP Preset to Not configurable. Provide quality of service (QoS) FortiTester Handbook 91

92 Chapter 2 - Running Tests Starting a TurboTCP test Starting a TurboTCP test FortiTester tests TurboTCP connections per second (CPS) performance by generating a specified volume of twoway TCP traffic flow via specified ports. The traffic generated for each connection includes the TCP three-way handshake and the TCP connection close (Reset). To start a TurboTCP test: 1. Go to Cases > TCP > TurboTCP to display the test case summary page. 2. Click Add to display the Case Options dialog box. 3. In the popup dialog, configure the network settings as described in "Using network configuration templates" on page Click OK to continue. 5. Configure the test case options described in Table Click Start to run the test case. FortiTester saves the configuration automatically so you can run the test again later. You can also click Save to save the test case without running it. Tip: You can also copy an existing case, and change its settings to create a new case. In the case list, click Clone to clone the configuration. Only the case name is different from the original case. Table 22: TurboTCP Test Case configuration Basic Information Name Ping Server Timeout Number of Samples Duration Specify the case name, or just use the default. The name appears in the list of test cases. If a FortiTester connects to a DUT via a switch, the switch might cause a ping timeout, resulting in the test case failing to run. If this occurs, increase the timeout. The default is 15 seconds. The valid range is 0 to 600.Note:You can disable this endto-end connectivity test by entering a setting of 0. If the DUT is unable to return packets, it is recommended you do so. Select the number of samples. The default is 20, which means the web UI will show the last 20 sample data (about 20 seconds) in the test case running page. You can select 20, 60, or 120. Specify the test duration. The default is 10 minutes. The test stops automatically after the duration you specify. 92 FortiTester Handbook

93 Starting a TurboTCP test Chapter 2 - Running Tests Stopping Status in Second The maximum time out in seconds allotted for FortiTester to close all TCP connections after the test finishes. Network Client Ports, Server Ports The graphic depicts the test ports for client-side and server-side connections. The client ports simulate the behavior of clients; the server ports simulate the behavior of servers. FortiTester builds the TCP connections between client ports and server ports (and through the DUT, of course). You must select at least one client port and one server port. After you select a port for client, a (check mark) is displayed on the port icon, and a tab for the port is added below the graphic. Use the tabs to toggle the Capture Packets and Subnet controls for each port. Capture Packets Capture Packets Optional. Set packet capture options if you want to capture the traffic of this port. You can capture all packets or specify a number. You can set packet capture filters for host IP/port and protocol. Note: The system allocates temporary disk space for packet captures. The limit is 6,000,000 packets. The packets are saved to a temporary file that you can download from the running test case page. The filename indicates whether it is client or server communication and the interface port number. For example, client_port1.pcap. When a subsequent test case with packet capture enabled uses the same interface port as a previous one, the previous file is overwritten. MAC Masquerade MAC Masquerade Specify the first two bytes of a MAC address for the traffic. QinQ Outer VLAN ID Specify a Service VLAN tag for FortiTester to use during the test. Virtual Router IP Address Specify the IP address to the virtual router. This IP address is used to connect to a DUT, therefore it must be in the same subnet with the connected port of the DUT. Please make sure the corresponding routing rules are set on the DUT, so that DUT correctly forwards traffic to the virtual router. Only a single IP address in format xxx.xxx.xxx.xxx is accepted here. Subnet Subnet IP Address or Range Specify a single IP address with standard format (for example, ) or an address range like FortiTester Handbook 93

94 Chapter 2 - Running Tests Starting a TurboTCP test Translated To NAT mode only. If the DUT uses SNAT/DNAT, specify the new, translated, IP address. Netmask Specify a netmask between 1 and 31. VLAN ID Specify a VLAN ID between 1 and Gateway Peer Network Add Subnet NAT mode only. Specify the gateway IP address. NAT mode only. Specify the peer network subnet address. If necessary, click +Add Subnet to display additional subnet configuration controls. An interface port can have multiple subnets. FortiTester uses all IP addresses in the specified subnets to create TCP connections and transfer data. Load (Load) Simulated Users Number of users to simulate. Load (Limit) Speed Limit Rate of new connections per second. The default is 0, which means the device will create connections as fast as possible. Ramp Up Time Ramp Down Time Time in seconds for traffic to ramp up when you start the test. Time in seconds for traffic to ramp down when you stop the test. Network MTU Maximum Transmission Unit for a data packet. FortiTester does not send out data packets larger than this value. Most DUTs have a limitation for packet size. The default is Not configurable. Profile (Client) Source Port Range Specify a client port range. The valid range is 10,000 to 65,535, which is also the default. 94 FortiTester Handbook

95 Starting a TCP connection test Chapter 2 - Running Tests IP Change Algorithm / Port Change Algorithm IP Option DSCP Select a change algorithm: Increment or Random. This setting determines how the system changes source/destination IP addresses and ports to simulate multiple client requests. The Increment option uses the next IP address or port in the range, for example: > ; port > The Random option selects an IP address or port in the range randomly. Provide quality of service (QoS) Profile (Server) Server Port Preset to The valid range is from 0 to 65,535 Server Close Mode IP Option DSCP Preset to Reset. Not configurable. Provide quality of service (QoS) Starting a TCP connection test FortiTester tests TCP concurrent connection performance by generating a specified volume of two-way TCP traffic flow via specified ports. To start a TCP connection test: 1. Go to Cases > TCP > Connection to display the test case summary page. 2. Click Add to display the Case Options dialog box. 3. In the popup dialog, configure the network settings as described in "Using network configuration templates" on page Click OK to continue. 5. Configure the test case options described in Table Click Start to run the test case. FortiTester saves the configuration automatically so you can run the test again later. You can also click Save to save the test case without running it. Tip: You can also copy an existing case, and change its settings to create a new case. In the case list, click Clone to clone the configuration. Only the case name is different from the original case. Table 23: TCP Connection Test Case configuration Basic Information FortiTester Handbook 95

96 Chapter 2 - Running Tests Starting a TCP connection test Name Ping Server Timeout Number of Samples Duration Stopping Status in Second Specify the case name, or just use the default. The name appears in the list of test cases. If a FortiTester connects to a DUT via a switch, the switch might cause a ping timeout, resulting in the test case failing to run. If this occurs, increase the timeout. The default is 15 seconds. The valid range is 0 to 600.Note:You can disable this end-to-end connectivity test by entering a setting of 0. If the DUT is unable to return packets, it is recommended you do so. Select the number of samples. The default is 20, which means the web UI will show the last 20 sample data (about 20 seconds) in the test case running page. You can select 20, 60, or 120. Specify the test duration. The default is 10 minutes. The test stops automatically after the duration you specify. The maximum time out in seconds allotted for FortiTester to close all TCP connections after the test finishes. Network Client Ports, Server Ports The graphic depicts the test ports for client-side and server-side connections. The client ports simulate the behavior of clients; the server ports simulate the behavior of servers. FortiTester builds the TCP connections between client ports and server ports (and through the DUT, of course). You must select at least one client port and one server port. After you select a port for client, a (check mark) is displayed on the port icon, and a tab for the port is added below the graphic. Use the tabs to toggle the Capture Packets and Subnet controls for each port. Capture Packets Capture Packets Optional. Set packet capture options if you want to capture the traffic of this port. You can capture all packets or specify a number. You can set packet capture filters for host IP/port and protocol. Note: The system allocates temporary disk space for packet captures. The limit is 6,000,000 packets. The packets are saved to a temporary file that you can download from the running test case page. The filename indicates whether it is client or server communication and the interface port number. For example, client_port1.pcap. When a subsequent test case with packet capture enabled uses the same interface port as a previous one, the previous file is overwritten. MAC Masquerade MAC Masquerade Specify the first two bytes of a MAC address for the traffic. QinQ 96 FortiTester Handbook

97 Starting a TCP connection test Chapter 2 - Running Tests Outer VLAN ID Specify a Service VLAN tag for FortiTester to use during the test. Virtual Router IP Address Specify the IP address to the virtual router. This IP address is used to connect to a DUT, therefore it must be in the same subnet with the connected port of the DUT. Please make sure the corresponding routing rules are set on the DUT, so that the DUT correctly forwards traffic to the virtual router. Only a single IP address in format xxx.xxx.xxx.xxx is accepted here. Subnet Subnet IP Address or Range Translated To Specify a single IP address with standard format (for example, ) or an address range like NAT mode only. If the DUT uses SNAT/DNAT, specify the new, translated, IP address. Netmask Specify a netmask between 1 and 31. VLAN ID Specify a VLAN ID between 1 and Gateway Peer Network Add Subnet NAT mode only. Specify the gateway IP address. NAT mode only. Specify the peer network subnet address. If necessary, click +Add Subnet to display additional subnet configuration controls. An interface port can have multiple subnets. FortiTester uses all IP addresses in the specified subnets to create TCP connections and transfer data. Load (Load) Simulated Users Number of users to simulate. Concurrent Connection Number of concurrent connections. Concurrent Close Number of connections to close once a time. To avoid the DUT lost packet, the connection close operation will be performed batch by batch. Standalone mode: The default is 256, and the valid range is 1 to 10,000. Test Center mode: The default is 512, and the valid range is 1 to 10,000. Load (Limit) FortiTester Handbook 97

98 Chapter 2 - Running Tests Starting an SMTP test Speed Limit Rate of new connections per second. The default is 0, which means the device will create connections as fast as possible. Network MTU MSS Maximum Transmission Unit for a data packet. FortiTester does not send out data packets larger than this value. Most DUTs have a limitation for packet size. The default is Fortinet recommends that you use the default. The maximum segment size. If MSS is bigger than the MTU, IP fragmentation will be triggered conditionally. Profile (Client) Source Port Range Client Close Mode IP Change Algorithm/Port Change Algorithm IP Option DSCP Send Size Receive Size Specify a client port range. The valid range is 10,000 to 65,535, which is also the default. Select the connection close method: 3Way_Fin or Reset. Determines how the system changes source/destination IP addresses and ports to simulate multiple client requests. The Random option selects an IP address or port in the range randomly. Provide quality of service (QoS) Specify the buffer size to send out from the client side. The default is 800 bytes. The valid range is from 1 to 100,000. Specify the buffer size to receive from the server side. The default is 1,000 bytes. The valid range is from 1 to 100,000. Profile (Server) Server Port IP Option DSCP Preset to 80. Not configurable. Provide quality of service (QoS) Starting an SMTP test FortiTester tests performance of a target device under SMTP traffic by simulating a volume of clients to generate SMTP traffic. To start an SMTP test: 1. Go to Cases > Protocol > TCP > SMTP to display the test case summary page. 2. Click Add to display the Case Options dialog box. 98 FortiTester Handbook

99 Starting an SMTP test Chapter 2 - Running Tests 3. In the popup dialog, configure the network settings as described in "Using network configuration templates" on page Click OK to continue. 5. Configure the test case options described in Table Click Start to run the test case. FortiTester saves the configuration automatically so you can run the test again later. You can also click Save to save the test case without running it. Tip: You can also copy an existing case, and change its settings to create a new case. In the case list, click Clone to clone the configuration. Only the case name is different from the original case. Table 24: Mail SMTP Test Case configuration Basic Information Name Ping Server Timeout Number of Samples Duration Stopping Status in Second Specify the case name, or just use the default. The name appears in the list of test cases. If a FortiTester connects to a DUT via a switch, the switch might cause a ping timeout, resulting in the test case failing to run. If this occurs, increase the timeout. The default is 15 seconds. The valid range is 0 to 600. Note:You can disable this end-to-end connectivity test by entering a setting of 0. If the DUT is unable to return packets, it is recommended you do so. Select the number of samples. The default is 20, which means the web UI will show the last 20 sample data (about 20 seconds) in the test case running page. You can select 20, 60, or 120. Specify the test duration. The default is 10 minutes. The test stops automatically after the duration you specify. The maximum time out in seconds allotted for FortiTester to close all TCP connections after the test finishes. Network FortiTester Handbook 99

100 Chapter 2 - Running Tests Starting an SMTP test Client Ports, Server Ports The graphic depicts the test ports for client-side and serverside connections. The client ports simulate the behavior of clients; the server ports simulate the behavior of servers. FortiTester builds the TCP connections between client ports and server ports (and through the DUT, of course). You must select at least one client port and one server port. After you select a port for client, a (check mark) is displayed on the port icon, and a tab for the port is added below the graphic. Use the tabs to toggle the Capture Packets and Subnet controls for each port. Capture Packets Capture Packets Optional. Set packet capture options if you want to capture the traffic of this port. You can capture all packets or specify a number. You can set packet capture filters for host IP/port and protocol. Note: The system allocates temporary disk space for packet captures. The limit is 6,000,000 packets. The packets are saved to a temporary file that you can download from the running test case page. The filename indicates whether it is client or server communication and the interface port number. For example, client_port1.pcap. When a subsequent test case with packet capture enabled uses the same interface port as a previous one, the previous file is overwritten. MAC Masquerade MAC Masquerade Specify the first two bytes of a MAC address for the traffic. QinQ Outer VLAN ID Specify a Service VLAN tag for FortiTester to use during the test. Virtual Router IP Address Specify the IP address to the virtual router. This IP address is used to connect to a DUT, therefore it must be in the same subnet with the connected port of the DUT. Please make sure the corresponding routing rules are set on the DUT, so that DUT correctly forwards traffic to the virtual router. Only a single IP address in format xxx.xxx.xxx.xxx is accepted here. Subnet 100 FortiTester Handbook

101 Starting an SMTP test Chapter 2 - Running Tests Subnet IP Address or Range Translated To Specify a single IP address with standard format (for example, ) or an address range like NAT mode only. If the DUT uses SNAT/DNAT, specify the new, translated, IP address. Netmask Specify a netmask between 1 and 31. Gateway Peer Network NAT mode only. Specify the gateway IP address. NAT mode only. Specify the peer network subnet address. VLAN ID Specify a VLAN ID between 1 and Add Subnet If necessary, click +Add Subnet to display additional subnet configuration controls. An interface port can have multiple subnets. FortiTester uses all IP addresses in the specified subnets to create UDP connections and transfer data. Load (Load) Simulated Users Number of users to simulate. SMTP Address SMTP To SMTP Password Payload The sender address. The default is tester@mailserver.com. The receiver address. The default is receiver@mailserver.com. The password of sender. The default is tester@fts. Set payload content for the simulated SMTP traffic. This is editable. Load (Limit) Speed Limit Choose whether to set a speed limit by action or by bandwidth. Set the speed limit. Ramp Up Time Time in seconds for traffic to ramp up when you start the test. FortiTester Handbook 101

102 Chapter 2 - Running Tests Starting a POP3 test Ramp Down Time Time in seconds for traffic to ramp down when you stop the test. Network MTU MSS Maximum Transmission Unit for a data packet. FortiTester does not send out data packets larger than this value. Most DUTs have a limitation for packet size. The default is The valid range is 1,280 to 9,000. The maximum segment size. If MSS is bigger than the MTU, IP fragmentation will be triggered conditionally. Profile (Client) Source Port Range IP Change Algorithm / Port Change Algorithm IP Option DSCP Specify a client port range. The valid range is 10,000 to 65,535, which is also the default. Determines how the system changes source/destination IP addresses and ports to simulate multiple client requests. Preset to Increment. Not configurable. The Increment option uses the next IP address or port in the range, for example: > ; port > The Random option selects an IP address or port in the range randomly. Provide quality of service (QoS) Profile (Server) Server Port Preset to 25. IP Option DSCP Provide quality of service (QoS) Starting a POP3 test FortiTester tests the ability of the DUT to handle different types of POP3. This test traffic establishes a TCP connection (three-way handshake), receives one mail by POP3 and closes the TCP connection. To start a POP3 test: 1. Go to Cases > Protocol > TCP > POP3 to display the test case summary page. 2. Click Add to display the Case Options dialog box. 3. In the pop-up dialog, configure the network settings as described in "Using network configuration templates" on page Click OK to continue. 5. Configure the test case options described in Table Click Start to run the test case. 102 FortiTester Handbook

103 Starting a POP3 test Chapter 2 - Running Tests FortiTester saves the configuration automatically so you can run the test again later. You can also click Save to save the test case without running it. Tip: You can also copy an existing case, and change its settings to create a new case. In the case list, click Clone to clone the configuration. Only the case name is different from the original case. Table 25: Mail POP3 Test Case configuration Basic Information Name Ping Server Timeout Number of Samples Duration Stopping Status in Second Specify the case name, or just use the default. The name appears in the list of test cases. If a FortiTester connects to a DUT via a switch, the switch might cause a ping timeout, resulting in the test case failing to run. If this occurs, increase the timeout. The default is 15 seconds. The valid range is 0 to 600.Note:You can disable this end-to-end connectivity test by entering a setting of 0. If the DUT is unable to return packets, it is recommended you do so. Select the number of samples. The default is 20, which means the web UI will show the last 20 sample data (about 20 seconds) in the test case running page. You can select 20, 60, or 120. Specify the test duration. The default is 10 minutes. The test stops automatically after the duration you specify. The maximum time out in seconds allotted for FortiTester to close all TCP connections after the test finishes. Network Client Ports, Server Ports The graphic depicts the test ports for client-side and server-side connections. The client ports simulate the behavior of clients; the server ports simulate the behavior of servers. FortiTester builds the TCP connections between client ports and server ports (and through the DUT, of course). You must select at least one client port and one server port. After you select a port for client, a (check mark) is displayed on the port icon, and a tab for the port is added below the graphic. Use the tabs to toggle the Capture Packets and Subnet controls for each port. Capture Packets FortiTester Handbook 103

104 Chapter 2 - Running Tests Starting a POP3 test Capture Packets Optional. Set packet capture options if you want to capture the traffic of this port. You can capture all packets or specify a number. You can set packet capture filters for host IP/port and protocol. Note: The system allocates temporary disk space for packet captures. The limit is 6,000,000 packets. The packets are saved to a temporary file that you can download from the running test case page. The filename indicates whether it is client or server communication and the interface port number. For example, client_port1.pcap. When a subsequent test case with packet capture enabled uses the same interface port as a previous one, the previous file is overwritten. MAC Masquerade MAC Masquerade Specify the first two bytes of a MAC address for the traffic. QinQ Outer VLAN ID Specify a Service VLAN tag for FortiTester to use during the test. Virtual Router IP Address Specify the IP address to the virtual router. This IP address is used to connect to a DUT, therefore it must be in the same subnet with the connected port of the DUT. Please make sure the corresponding routing rules are set on the DUT, so that DUT correctly forwards traffic to the virtual router. Only a single IP address in format xxx.xxx.xxx.xxx is accepted here. Subnet Subnet IP Address or Range Translated To Specify a single IP address with standard format (for example, ) or an address range like NAT mode only. If the DUT uses SNAT/DNAT, specify the new, translated, IP address. Netmask Specify a netmask between 1 and 31. Gateway Peer Network NAT mode only. Specify the gateway IP address. NAT mode only. Specify the peer network subnet address. VLAN ID Specify a VLAN ID between 1 and Load (Load) Simulated Users Number of users to simulate. 104 FortiTester Handbook

105 Starting a POP3 test Chapter 2 - Running Tests Pop3 Address Pop3 Password Payload The sender address. The default is tester@mailserver.com. The password of sender. The default is tester@fts. Set payload content for the simulated traffic. This is editable. Load (Limit) Speed Limit Choose whether to set a speed limit by action or by bandwidth. Set the speed limit. Ramp Up Time Ramp Down Time Time in seconds for traffic to ramp up when you start the test. Time in seconds for traffic to ramp down when you stop the test. Network MTU MSS Maximum Transmission Unit for a data packet. FortiTester does not send out data packets larger than this value. Most DUTs have a limitation for packet size. The default is The valid range is 1,280 to 9,000. The maximum segment size. If MSS is bigger than the MTU, IP fragmentation will be triggered conditionally. Profile (Client) Source Port Range IP Change Algorithm / Port Change Algorithm IP Option DSCP Specify a client port range. The valid range is 10,000 to 65,535, which is also the default. Select a change algorithm: Increment or Random. This setting determines how the system changes source/destination IP addresses and ports to simulate multiple client requests. The Increment option uses the next IP address or port in the range, for example: > ; port > The Random option selects an IP address or port in the range randomly. Provide quality of service (QoS) Profile (Server) Server Port Preset to 110. IP Option DSCP Provide quality of service (QoS) FortiTester Handbook 105

106 Chapter 2 - Running Tests Starting an IMAP test Starting an IMAP test FortiTester tests the ability of the DUT to handle different types of IMAP. This test establishes a TCP connection (three-way handshake), receives one by IMAP and closes the TCP connection. To start an IMAP test: 1. Go to Cases > Protocol > TCP > IMAP to display the test case summary page. 2. Click Add to display the Case Options dialog box. 3. In the pop-up dialog, configure the network settings as described in "Using network configuration templates" on page Click OK to continue. 5. Configure the test case options described in Table Click Start to run the test case. FortiTester saves the configuration automatically so you can run the test again later. You can also click Save to save the test case without running it. Tip: You can also copy an existing case, and change its settings to create a new case. In the case list, click Clone to clone the configuration. Only the case name is different from the original case. Table 26: Mail IMAP Test Case configuration Basic Information Name Ping Server Timeout Number of Samples Duration Stopping Status in Second Specify the case name, or just use the default. The name appears in the list of test cases. If a FortiTester connects to a DUT via a switch, the switch might cause a ping timeout, resulting in the test case failing to run. If this occurs, increase the timeout. The default is 15 seconds. The valid range is 0 to 600.Note:You can disable this end-to-end connectivity test by entering a setting of 0. If the DUT is unable to return packets, it is recommended you do so. Select the number of samples. The default is 20, which means the web UI will show the last 20 sample data (about 20 seconds) in the test case running page. You can select 20, 60, or 120. Specify the test duration. The default is 10 minutes. The test stops automatically after the duration you specify. The maximum time out in seconds allotted for FortiTester to close all TCP connections after the test finishes. 106 FortiTester Handbook

107 Starting an IMAP test Chapter 2 - Running Tests Network Client Ports, Server Ports The graphic depicts the test ports for client-side and server-side connections. The client ports simulate the behavior of clients; the server ports simulate the behavior of servers. FortiTester builds the TCP connections between client ports and server ports (and through the DUT, of course). You must select at least one client port and one server port. After you select a port for client, a (check mark) is displayed on the port icon, and a tab for the port is added below the graphic. Use the tabs to toggle the Capture Packets and Subnet controls for each port. Capture Packets Capture Packets Optional. Set packet capture options if you want to capture the traffic of this port. You can capture all packets or specify a number. You can set packet capture filters for host IP/port and protocol. Note: The system allocates temporary disk space for packet captures. The limit is 6,000,000 packets. The packets are saved to a temporary file that you can download from the running test case page. The filename indicates whether it is client or server communication and the interface port number. For example, client_port1.pcap. When a subsequent test case with packet capture enabled uses the same interface port as a previous one, the previous file is overwritten. MAC Masquerade MAC Masquerade Specify the first two bytes of a MAC address for the traffic. QinQ Outer VLAN ID Specify a Service VLAN tag for FortiTester to use during the test. Virtual Router IP Address Specify the IP address to the virtual router. This IP address is used to connect to a DUT, therefore it must be in the same subnet with the connected port of the DUT. Please make sure the corresponding routing rules are set on the DUT, so that DUT correctly forwards traffic to the virtual router. Only a single IP address in format xxx.xxx.xxx.xxx is accepted here. Subnet Subnet IP Address or Range Translated To Specify a single IP address with standard format (for example, ) or an address range like NAT mode only. If the DUT uses SNAT/DNAT, specify the new, translated, IP address. FortiTester Handbook 107

108 Chapter 2 - Running Tests Starting an IMAP test Netmask Specify a netmask between 1 and 31. Gateway Peer Network NAT mode only. Specify the gateway IP address. NAT mode only. Specify the peer network subnet address. VLAN ID Specify a VLAN ID between 1 and Load (Load) Simulated Users Number of users to simulate. IMAP Address IMAP Password Payload The sender address. The default is tester@mailserver.com. The password of sender. The default is tester@fts. Set payload content for the simulated traffic. This is editable. Load (Limit) Speed Limit Choose whether to set a speed limit by action or by bandwidth. Set the speed limit. Ramp Up Time Ramp Down Time Time in seconds for traffic to ramp up when you start the test. Time in seconds for traffic to ramp down when you stop the test. Network MTU MSS Maximum Transmission Unit for a data packet. FortiTester does not send out data packets larger than this value. Most DUTs have a limitation for packet size. The default is The valid range is 1,280 to 9,000. The maximum segment size. If MSS is bigger than the MTU, IP fragmentation will be triggered conditionally. Profile (Client) Source Port Range Specify a client port range. The valid range is 10,000 to 65,535, which is also the default. 108 FortiTester Handbook

109 Starting an FTP test Chapter 2 - Running Tests IP Change Algorithm / Port Change Algorithm IP Option DSCP Select a change algorithm: Increment or Random. This setting determines how the system changes source/destination IP addresses and ports to simulate multiple client requests. The Increment option uses the next IP address or port in the range, for example: > ; port > The Random option selects an IP address or port in the range randomly. Provide quality of service (QoS) Profile (Server) Server Port Preset to 143. Range: IP Option DSCP Provide quality of service (QoS) Starting an FTP test This FortiTester test establishes a TCP connection (three-way handshake), transfers one file by FTP, and then closes the TCP. To start an FTP test: 1. Go to Cases > Protocol > TCP > FTP to display the test case summary page. 2. Click Add to display the Case Options dialog box. 3. In the pop-up dialog, configure the network settings as described in "Using network configuration templates" on page Click OK to continue. 5. Configure the test case options described in Table Click Start to run the test case. FortiTester saves the configuration automatically so you can run the test again later. You can also click Save to save the test case without running it. Tip: You can also copy an existing case, and change its settings to create a new case. In the case list, click Clone to clone the configuration. Only the case name is different from the original case. Table 27: FTP Test Case configuration Basic Information Name Specify the case name, or just use the default. The name appears in the list of test cases. FortiTester Handbook 109

110 Chapter 2 - Running Tests Starting an FTP test Ping Server Timeout Number of Samples Duration Stopping Status in Second If a FortiTester connects to a DUT via a switch, the switch might cause a ping timeout, resulting in the test case failing to run. If this occurs, increase the timeout. The default is 15 seconds. The valid range is 0 to 600.Note:You can disable this end-to-end connectivity test by entering a setting of 0. If the DUT is unable to return packets, it is recommended you do so. Select the number of samples. The default is 20, which means the web UI will show the last 20 sample data (about 20 seconds) in the test case running page. You can select 20, 60, or 120. Specify the test duration. The default is 10 minutes. The test stops automatically after the duration you specify. The maximum time out in seconds allotted for FortiTester to close all TCP connections after the test finishes. Network Client Ports, Server Ports The graphic depicts the test ports for client-side and server-side connections. The client ports simulate the behavior of clients; the server ports simulate the behavior of servers. FortiTester builds the TCP connections between client ports and server ports (and through the DUT, of course). You must select at least one client port and one server port. After you select a port for client, a (check mark) is displayed on the port icon, and a tab for the port is added below the graphic. Use the tabs to toggle the Capture Packets and Subnet controls for each port. Capture Packets Capture Packets Optional. Set packet capture options if you want to capture the traffic of this port. You can capture all packets or specify a number. You can set packet capture filters for host IP/port and protocol. Note: The system allocates temporary disk space for packet captures. The limit is 6,000,000 packets. The packets are saved to a temporary file that you can download from the running test case page. The filename indicates whether it is client or server communication and the interface port number. For example, client_port1.pcap. When a subsequent test case with packet capture enabled uses the same interface port as a previous one, the previous file is overwritten. MAC Masquerade MAC Masquerade Specify the first two bytes of a MAC address for the traffic. QinQ Outer VLAN ID Specify a Service VLAN tag for FortiTester to use during the test. 110 FortiTester Handbook

111 Starting an FTP test Chapter 2 - Running Tests Virtual Router IP Address Specify the IP address to the virtual router. This IP address is used to connect to a DUT, therefore it must be in the same subnet with the connected port of the DUT. Please make sure the corresponding routing rules are set on the DUT, so that DUT correctly forwards traffic to the virtual router. Only a single IP address in format xxx.xxx.xxx.xxx is accepted here. Subnet Subnet IP Address or Range Specify a single IP address with standard format (for example, ) or an address range like Netmask Specify a netmask between 1 and 31. VLAN ID Specify a VLAN ID between 1 and Gateway Peer Network NAT mode only. Specify the gateway IP address. NAT mode only. Specify the peer network subnet address. Load (Load) Simulated Users Number of users to simulate. Load (Limit) Speed Limit Choose whether to set a speed limit by action or by bandwidth. Set the speed limit. Ramp Up Time Ramp Down Time Time in seconds for traffic to ramp up when you start the test. Not available for Concurrent Session Flood test. Time in seconds for traffic to ramp down when you stop the test. Not available for Concurrent Session Flood test. Network MTU MSS Maximum Transmission Unit for a data packet. FortiTester does not send out data packets larger than this value. Most DUTs have a limitation for packet size. The default is The valid range is 1,280 to 9,000. The maximum segment size. If MSS is bigger than the MTU, IP fragmentation will be triggered conditionally. FortiTester Handbook 111

112 Chapter 2 - Running Tests Starting an LDAP test Profile (Client) Source Port Range IP Change Algorithm / Port Change Algorithm IP Option DSCP FTP Mode FTP user FTP Password Specify a client port range. The valid range is 10,000 to 65,535, which is also the default. Select a change algorithm: Increment or Random. This setting determines how the system changes source/destination IP addresses and ports to simulate multiple client requests. The Increment option uses the next IP address or port in the range, for example: > ; port > The Random option selects an IP address or port in the range randomly. Provide quality of service (QoS) Choose either active mode FTP or passive mode FTP. Create a username. Create a password. Profile (Server) Server Port Server Close Mode IP Option DSCP Preset to 21. Not configurable. Set to 3 Way Fin by default. Not configurable. Provide quality of service (QoS) Action Request File Select the file that is transferred. The default is ftp.docx with 4 bytes. Starting an LDAP test This FortiTester test establishes a TCP connection (three-way handshake), searches entries by LDAP, and then closes the TCP connection. To start an LDAP test: 1. Go to Cases > Protocol > TCP > LDAP to display the test case summary page. 2. Click Add to display the Case Options dialog box. 3. In the pop-up dialog, configure the network settings as described in "Using network configuration templates" on page Click OK to continue. 5. Configure the test case options described in. 6. Click Start to run the test case. 112 FortiTester Handbook

113 Starting an LDAP test Chapter 2 - Running Tests FortiTester saves the configuration automatically so you can run the test again later. You can also click Save to save the test case without running it. Tip: You can also copy an existing case, and change its settings to create a new case. In the case list, click Clone to clone the configuration. Only the case name is different from the original case. Table 28: LDAP Test Case configuration Basic Information Name Ping Server Timeout Number of Samples Duration Stopping Status in Second Specify the case name, or just use the default. The name appears in the list of test cases. If a FortiTester connects to a DUT via a switch, the switch might cause a ping timeout, resulting in the test case failing to run. If this occurs, increase the timeout. The default is 15 seconds. The valid range is 0 to 600.Note:You can disable this end-to-end connectivity test by entering a setting of 0. If the DUT is unable to return packets, it is recommended you do so. Select the number of samples. The default is 20, which means the web UI will show the last 20 sample data (about 20 seconds) in the test case running page. You can select 20, 60, or 120. Specify the test duration. The default is 10 minutes. The test stops automatically after the duration you specify. The maximum time out in seconds allotted for FortiTester to close all TCP connections after the test finishes. Network Client Ports, Server Ports The graphic depicts the test ports for client-side and server-side connections. The client ports simulate the behavior of clients; the server ports simulate the behavior of servers. FortiTester builds the TCP connections between client ports and server ports (and through the DUT, of course). You must select at least one client port and one server port. After you select a port for client, a (check mark) is displayed on the port icon, and a tab for the port is added below the graphic. Use the tabs to toggle the Capture Packets and Subnet controls for each port. Capture Packets FortiTester Handbook 113

114 Chapter 2 - Running Tests Starting an LDAP test Capture Packets Optional. Set packet capture options if you want to capture the traffic of this port. You can capture all packets or specify a number. You can set packet capture filters for host IP/port and protocol. Note: The system allocates temporary disk space for packet captures. The limit is 6,000,000 packets. The packets are saved to a temporary file that you can download from the running test case page. The filename indicates whether it is client or server communication and the interface port number. For example, client_port1.pcap. When a subsequent test case with packet capture enabled uses the same interface port as a previous one, the previous file is overwritten. MAC Masquerade MAC Masquerade Specify the first two bytes of a MAC address for the traffic. QinQ Outer VLAN ID Specify a Service VLAN tag for FortiTester to use during the test. Virtual Router IP Address Specify the IP address to the virtual router. This IP address is used to connect to a DUT, therefore it must be in the same subnet with the connected port of the DUT. Please make sure the corresponding routing rules are set on the DUT, so that DUT correctly forwards traffic to the virtual router. Only a single IP address in format xxx.xxx.xxx.xxx is accepted here. Subnet Subnet IP Address or Range Translated To Specify a single IP address with standard format (for example, ) or an address range like NAT mode only. If the DUT uses SNAT/DNAT, specify the new, translated, IP address. Netmask Specify a netmask between 1 and 31. Gateway Peer Network NAT mode only. Specify the gateway IP address. NAT mode only. Specify the peer network subnet address. VLAN ID Specify a VLAN ID between 1 and Load (Load) Simulated Users Number of users to simulate. 114 FortiTester Handbook

115 Starting an LDAP test Chapter 2 - Running Tests Load (Limit) Speed Limit Choose whether to set a speed limit by action or by bandwidth. Set the speed limit. LDAP Speed Limit Set an LDAP speed limit. The range is from 100 to 100,000. Ramp Up Time Time in seconds for traffic to ramp up when you start the test.. Ramp Down Time Time in seconds for traffic to ramp down when you stop the test.. Network MTU Maximum Transmission Unit for a data packet. FortiTester does not send out data packets larger than this value. Most DUTs have a limitation for packet size. The default is Not configurable. Profile (Client) Source Port Range IP Change Algorithm / Port Change Algorithm IP Option DSCP Search Type Login Type Base DN Specify a client port range. The valid range is 10,000 to 65,535, which is also the default. Select a change algorithm: Increment or Random. This setting determines how the system changes source/destination IP addresses and ports to simulate multiple client requests. The Increment option uses the next IP address or port in the range, for example: > ; port > The Random option selects an IP address or port in the range randomly. Provide quality of service (QoS). Choose either Single level or Base object. A single level search will search one level below the base object, while a Base object search will only search the base object. Choose either Anonymous bind or Simple authentication. Enter the base distinguished name (DN) of the LDAP forest. Profile (Server) Server Port IP Option DSCP Preset. Not configurable. Provide quality of service (QoS) FortiTester Handbook 115

116 Chapter 2 - Running Tests Starting an NTP test Starting an NTP test The NTP test sends NTP query traffic to an NTP server under test. FortiTester receives real time information from the DUT and measures latency. To start an NTP test: 1. Go to Cases >Protocol > UDP > NTP to display the test case summary page. 2. Click Add to display the Case Options dialog box. 3. Configure the test case options as described in Table Click Start to run the test case. FortiTester saves the configuration automatically so you can run the test again later. You can also click Save to save the test case without running it. Tip: You can also copy an existing case, and change its settings to create a new case. In the case list, click Clone to clone the configuration. Only the case name is different from the original case. Table 29: NTP Test Case configuration Basic Information Name Ping Server Timeout Duration Number of Samples Stopping Status in Second Specify the case name, or just use the default. The name appears in the list of test cases. If a FortiTester connects to a DUT via a switch, the switch might cause a ping timeout, resulting in the test case failing to run. If this occurs, increase the timeout. The default is 15 seconds. The valid range is 0 to 600. Note:You can disable this end-to-end connectivity test by entering a setting of 0. If the DUT is unable to return packets, it is recommended you do so. Specify the test duration. The default is 10 minutes. The test stops automatically after the duration you specify. Select the number of samples. The default is 20, which means the web UI will show the last 20 sample data (about 20 seconds) in the test case running page. You can select 20, 60, or 120. The maximum time out in seconds allotted for FortiTester to close all TCP connections after the test finishes. Network 116 FortiTester Handbook

117 Starting an NTP test Chapter 2 - Running Tests Client Ports, Server Ports The graphic depicts the test ports for client-side and server-side connections. The client ports simulate the behavior of clients; the server ports simulate the behavior of servers. FortiTester builds the TCP connections between client ports and server ports (and through the DUT, of course). You must select at least one client port and one server port. After you select a port for client, a (check mark) is displayed on the port icon, and a tab for the port is added below the graphic. Use the tabs to toggle the Capture Packets and Subnet controls for each port. Capture Packets Capture Packets Optional. Set packet capture options if you want to capture the traffic of this port. You can capture all packets or specify a number. You can set packet capture filters for host IP/port and protocol. Note: The system allocates temporary disk space for packet captures. The limit is 6,000,000 packets. The packets are saved to a temporary file that you can download from the running test case page. The filename indicates whether it is client or server communication and the interface port number. For example, client_port1.pcap. When a subsequent test case with packet capture enabled uses the same interface port as a previous one, the previous file is overwritten. MAC Masquerade MAC Masquerade Specify the first two bytes of a MAC address for the traffic. QinQ Outer VLAN ID Specify a Service VLAN tag for FortiTester to use during the test. Virtual Router IP Address Specify the IP address to the virtual router. This IP address is used to connect to a DUT, therefore it must be in the same subnet with the connected port of the DUT. Please make sure the corresponding routing rules are set on the DUT, so that DUT correctly forwards traffic to the virtual router. Only a single IP address in format xxx.xxx.xxx.xxx is accepted here. Subnet Subnet IP Address or Range Specify a single IP address with standard format (for example, ) or an address range like Netmask Specify a netmask between 1 and 31. VLAN ID Specify a VLAN ID between 1 and FortiTester Handbook 117

118 Chapter 2 - Running Tests Starting an NTP test Gateway Peer Network Add Subnet NAT mode only. Specify the gateway IP address. NAT mode only. Specify the peer network subnet address. If necessary, click +Add Subnet to display additional subnet configuration controls. An interface port can have multiple subnets. FortiTester uses all IP addresses in the specified subnets to create TCP connections and transfer data. Load (Load) Simulated Users Number of users to simulate. NTP Query Time Out Time in microseconds before an NTP query times out. Load (Limit) Speed Limit Rate of new transactions per second. The default is 0, which means the device will send traffic as fast as possible. Ramp Up Time Ramp Down Time Time in seconds for traffic to ramp up when you start the test. Time in seconds for traffic to ramp down when you stop the test. Network Network MTU Maximum Transmission Unit for a data packet. FortiTester does not send out data packets larger than this value. Most DUTs have a limitation for packet size. The default is Not configurable. Profile (Client) Source Port Range IP Change Algorithm / Port Change Algorithm IP Option DSCP Preset to Not configurable. Determines how the system changes source/destination IP addresses and ports to simulate multiple client requests. Preset to Random. Not configurable. The Random option selects an IP address or port in the range randomly. Provide quality of service (QoS) Profile (Server) 118 FortiTester Handbook

119 Starting a DNS latency test Chapter 2 - Running Tests Server Port IP Option DSCP Preset to 80, 443. Not configurable. Provide quality of service (QoS) Starting a DNS latency test FortiTester tests the latency of the DUT while handling DNS query requests. The DUT could be a gateway device or a DNS server. This test traffic sends DNS requests to a DNS server and measures latency. To start a DNS test: 1. Go to Cases > Protocol > UDP > DNS Latency to display the test case summary page. 2. Click Add to display the Case Options dialog box. 3. In the popup dialog, configure the network settings as described in "Using network configuration templates" on page Click OK to continue. 5. Configure the test case options described in Table Click Start to run the test case. FortiTester saves the configuration automatically so you can run the test again later. You can also click Save to save the test case without running it. Tip: You can also copy an existing case, and change its settings to create a new case. In the case list, click Clone to clone the configuration. Only the case name is different from the original case. Table 30: DNS Latency Test Case configuration Basic Information Name Ping Server Timeout Specify the case name, or just use the default. The name appears in the list of test cases. If a FortiTester connects to a DUT via a switch, the switch might cause a ping timeout, resulting in the test case failing to run. If this occurs, increase the timeout. The default is 15 seconds. The valid range is 0 to 600.Note:You can disable this end-to-end connectivity test by entering a setting of 0. If the DUT is unable to return packets, it is recommended you do so. FortiTester Handbook 119

120 Chapter 2 - Running Tests Starting a DNS latency test Number of Samples Duration Stopping Status in Second Select the number of samples. The default is 20, which means the web UI will show the last 20 sample data (about 20 seconds) in the test case running page. You can select 20, 60, or 120. Specify the test duration. The default is 10 minutes. The test stops automatically after the duration you specify. The maximum time out in seconds allotted for FortiTester to close all TCP connections after the test finishes. Network Client Ports, Server Ports The graphic depicts the test ports for client-side and server-side connections. The client ports simulate the behavior of clients; the server ports simulate the behavior of servers. FortiTester builds the TCP connections between client ports and server ports (and through the DUT, of course). You must select at least one client port and one server port. After you select a port for client, a (check mark) is displayed on the port icon, and a tab for the port is added below the graphic. Use the tabs to toggle the Capture Packets and Subnet controls for each port. Capture Packets Capture Packets Optional. Set packet capture options if you want to capture the traffic of this port. You can capture all packets or specify a number. You can set packet capture filters for host IP/port and protocol. Note: The system allocates temporary disk space for packet captures. The limit is 6,000,000 packets. The packets are saved to a temporary file that you can download from the running test case page. The filename indicates whether it is client or server communication and the interface port number. For example, client_port1.pcap. When a subsequent test case with packet capture enabled uses the same interface port as a previous one, the previous file is overwritten. MAC Masquerade MAC Masquerade Specify the first two bytes of a MAC address for the traffic. QinQ Outer VLAN ID Specify a Service VLAN tag for FortiTester to use during the test. Virtual Router 120 FortiTester Handbook

121 Starting a DNS latency test Chapter 2 - Running Tests IP Address Specify the IP address to the virtual router. This IP address is used to connect to a DUT, therefore it must be in the same subnet with the connected port of the DUT. Please make sure the corresponding routing rules are set on the DUT, so that DUT correctly forwards traffic to the virtual router. Only a single IP address in format xxx.xxx.xxx.xxx is accepted here. Subnet Subnet IP Address or Range Translated To Specify a single IP address with standard format (for example, ) or an address range like NAT mode only. If the DUT uses SNAT/DNAT, specify the new, translated, IP address. Netmask Specify a netmask between 1 and 31. VLAN ID Specify a VLAN ID between 1 and Gateway Peer Network NAT mode only. Specify the gateway IP address. NAT mode only. Specify the peer network subnet address. Load (Load) Simulated Users Number of users to simulate. DNS Renew Socket DNS Query Timeout Specify Yes or No. If Yes, the client side renews a socket to send out the next query (note if the client profile Domain Policy is set as List, all queries for the names in the domain list will use the same socket; after that a new socket will be created for next batch of queries). If No, use the old socket. The default is 1000 microseconds. Load (Limit) Speed Limit Choose to limit speed by Action or Bandwidth. Set the speed limit. Ramp Up Time Ramp Down Time Time in seconds for traffic to ramp up when you start the test. Time in seconds for traffic to ramp down when you stop the test. Network MTU Preset to Not configurable. FortiTester Handbook 121

122 Chapter 2 - Running Tests Starting a TFTP test Profile (Client) Source Port Range IP Change Algorithm / Port Change Algorithm Domain Policy Domain List Specify a client port range. The valid range is 10,000 to 65,535, which is also the default. Select a change algorithm: Increment or Random. This setting determines how the system changes source/destination IP addresses and ports to simulate multiple client requests. The Increment option uses the next IP address or port in the range, for example: > ; port > The Random option selects an IP address or port in the range randomly. Random or List. If Random is selected, FortiTester generates random domain names for queries. If List is select, FortiTester uses queries in the specified list. If Domain Policy is List, specify a list of domain name records. For example: fortinet.com:a, fortitester.com:mx A name followed with a :A means it s an address record, while a :MX means a mail exchange record. IP Option DSCP Provide quality of service (QoS) Profile (Server) Server Port The DNS server access port. The default is 53. The valid range is 0 to 65,535. IP Option DSCP Provide quality of service (QoS) Starting a TFTP test The TFTP test sends TFTP requests to a TFTP server to measure the number of requests sent and performed per second. To start a TFTP test: 1. Go to Cases >Protocol > UDP > TFTP to display the test case summary page. 2. Click Add to display the Case Options dialog box. 3. Configure the test case options as described in Table Click Start to run the test case. FortiTester saves the configuration automatically so you can run the test again later. You can also click Save to save the test case without running it. 122 FortiTester Handbook

123 Starting a TFTP test Chapter 2 - Running Tests Tip: You can also copy an existing case, and change its settings to create a new case. In the case list, click Clone to clone the configuration. Only the case name is different from the original case. Table 31: TFTP Test Case configuration Basic Information Name Ping Server Timeout Duration Number of Samples Stopping Status in Second Specify the case name, or just use the default. The name appears in the list of test cases. If a FortiTester connects to a DUT via a switch, the switch might cause a ping timeout, resulting in the test case failing to run. If this occurs, increase the timeout. The default is 15 seconds. The valid range is 0 to 600. Note:You can disable this end-to-end connectivity test by entering a setting of 0. If the DUT is unable to return packets, it is recommended you do so. Specify the test duration. The default is 10 minutes. The test stops automatically after the duration you specify. Select the number of samples. The default is 20, which means the web UI will show the last 20 sample data (about 20 seconds) in the test case running page. You can select 20, 60, or 120. The maximum time out in seconds allotted for FortiTester to close all TCP connections after the test finishes. Network Client Ports, Server Ports The graphic depicts the test ports for client-side and server-side connections. The client ports simulate the behavior of clients; the server ports simulate the behavior of servers. FortiTester builds the TCP connections between client ports and server ports (and through the DUT, of course). You must select at least one client port and one server port. After you select a port for client, a (check mark) is displayed on the port icon, and a tab for the port is added below the graphic. Use the tabs to toggle the Capture Packets and Subnet controls for each port. Capture Packets FortiTester Handbook 123

124 Chapter 2 - Running Tests Starting a TFTP test Capture Packets Optional. Set packet capture options if you want to capture the traffic of this port. You can capture all packets or specify a number. You can set packet capture filters for host IP/port and protocol. Note: The system allocates temporary disk space for packet captures. The limit is 6,000,000 packets. The packets are saved to a temporary file that you can download from the running test case page. The filename indicates whether it is client or server communication and the interface port number. For example, client_port1.pcap. When a subsequent test case with packet capture enabled uses the same interface port as a previous one, the previous file is overwritten. MAC Masquerade MAC Masquerade Specify the first two bytes of a MAC address for the traffic. QinQ Outer VLAN ID Specify a Service VLAN tag for FortiTester to use during the test. Virtual Router IP Address Specify the IP address to the virtual router. This IP address is used to connect to a DUT, therefore it must be in the same subnet with the connected port of the DUT. Please make sure the corresponding routing rules are set on the DUT, so that DUT correctly forwards traffic to the virtual router. Only a single IP address in format xxx.xxx.xxx.xxx is accepted here. Subnet Subnet IP Address or Range Specify a single IP address with standard format (for example, ) or an address range like Netmask Specify a netmask between 1 and 31. VLAN ID Specify a VLAN ID between 1 and Gateway Peer Network Add Subnet NAT mode only. Specify the gateway IP address. NAT mode only. Specify the peer network subnet address. If necessary, click +Add Subnet to display additional subnet configuration controls. An interface port can have multiple subnets. FortiTester uses all IP addresses in the specified subnets to create TCP connections and transfer data. Load (Load) 124 FortiTester Handbook

125 Starting a TFTP test Chapter 2 - Running Tests Simulated Users Number of users to simulate. Load (Limit) Speed Limit Rate of new transactions per second. The default is 0, which means the device will send traffic as fast as possible. Ramp Up Time Ramp Down Time Time in seconds for traffic to ramp up when you start the test. Time in seconds for traffic to ramp down when you stop the test. Network Network MTU TFTP Block Size Maximum Transmission Unit for a data packet. FortiTester does not send out data packets larger than this value. Most DUTs have a limitation for packet size. The default is The valid range is 1,280 to 9,000. Specify a Block Size. The default is 512 bytes. Profile (Client) Source Port Range IP Change Algorithm / Port Change Algorithm IP Option DSCP TFTP Mode TFTP Re-Transfer Time TFTP Retry Limit Preset to Not configurable. Determines how the system changes source/destination IP addresses and ports to simulate multiple client requests. Preset to Random. Not configurable. The Random option selects an IP address or port in the range randomly. Provide quality of service (QoS) Select Read to download a file from the server or Write to uload a file to the server. Select a time limit after which FortiTester will resend the data packet. Select the number of times FortiTester will attempt a transfer. Profile (Server) Server Port IP Option DSCP Preset to 80, 443. Not configurable. Provide quality of service (QoS) FortiTester Handbook 125

126 Chapter 2 - Running Tests Starting a RADIUS test Action Request File Select the file that FortiTester requests to read or write. The default is ftp.docx with 4 bytes. Optionally, you can upload a customized file. The file size limit is 10 MB. Starting a RADIUS test The RADIUS test sends RADIUS requests to a RADIUS server to measure the number of response types per second. To start a RADIUS test: 1. Go to Cases >Protocol > UDP > RADIUS to display the test case summary page. 2. Click Add to display the Case Options dialog box. 3. Configure the test case options as described in Table Click Start to run the test case. FortiTester saves the configuration automatically so you can run the test again later. You can also click Save to save the test case without running it. Tip: You can also copy an existing case, and change its settings to create a new case. In the case list, click Clone to clone the configuration. Only the case name is different from the original case. Table 32: RADIUS Test Case configuration Basic Information Name Ping Server Timeout Duration Specify the case name, or just use the default. The name appears in the list of test cases. If a FortiTester connects to a DUT via a switch, the switch might cause a ping timeout, resulting in the test case failing to run. If this occurs, increase the timeout. The default is 15 seconds. The valid range is 0 to 600. Note:You can disable this end-to-end connectivity test by entering a setting of 0. If the DUT is unable to return packets, it is recommended you do so. Specify the test duration. The default is 10 minutes. The test stops automatically after the duration you specify. 126 FortiTester Handbook

127 Starting a RADIUS test Chapter 2 - Running Tests Number of Samples Stopping Status in Second Select the number of samples. The default is 20, which means the web UI will show the last 20 sample data (about 20 seconds) in the test case running page. You can select 20, 60, or 120. The maximum time out in seconds allotted for FortiTester to close all TCP connections after the test finishes. Network Client Ports, Server Ports The graphic depicts the test ports for client-side and server-side connections. The client ports simulate the behavior of clients; the server ports simulate the behavior of servers. FortiTester builds the TCP connections between client ports and server ports (and through the DUT, of course). You must select at least one client port and one server port. After you select a port for client, a (check mark) is displayed on the port icon, and a tab for the port is added below the graphic. Use the tabs to toggle the Capture Packets and Subnet controls for each port. Capture Packets Capture Packets Optional. Set packet capture options if you want to capture the traffic of this port. You can capture all packets or specify a number. You can set packet capture filters for host IP/port and protocol. Note: The system allocates temporary disk space for packet captures. The limit is 6,000,000 packets. The packets are saved to a temporary file that you can download from the running test case page. The filename indicates whether it is client or server communication and the interface port number. For example, client_port1.pcap. When a subsequent test case with packet capture enabled uses the same interface port as a previous one, the previous file is overwritten. MAC Masquerade MAC Masquerade Specify the first two bytes of a MAC address for the traffic. QinQ Outer VLAN ID Specify a Service VLAN tag for FortiTester to use during the test. Virtual Router IP Address Specify the IP address to the virtual router. This IP address is used to connect to a DUT, therefore it must be in the same subnet with the connected port of the DUT. Please make sure the corresponding routing rules are set on the DUT, so that DUT correctly forwards traffic to the virtual router. Only a single IP address in format xxx.xxx.xxx.xxx is accepted here. Subnet FortiTester Handbook 127

128 Chapter 2 - Running Tests Starting a RADIUS test Subnet IP Address or Range Specify a single IP address with standard format (for example, ) or an address range like Netmask Specify a netmask between 1 and 31. VLAN ID Specify a VLAN ID between 1 and Gateway Peer Network Add Subnet NAT mode only. Specify the gateway IP address. NAT mode only. Specify the peer network subnet address. If necessary, click +Add Subnet to display additional subnet configuration controls. An interface port can have multiple subnets. FortiTester uses all IP addresses in the specified subnets to create TCP connections and transfer data. Load (Load) Simulated Users Number of users to simulate. RADIUS Request Time Out Time in microseconds before a RADIUS request times out. Load (Limit) Speed Limit Rate of new transactions per second. The default is 0, which means the device will send traffic as fast as possible. Ramp Up Time Ramp Down Time Time in seconds for traffic to ramp up when you start the test. Time in seconds for traffic to ramp down when you stop the test. Network Network MTU Maximum Transmission Unit for a data packet. FortiTester does not send out data packets larger than this value. Most DUTs have a limitation for packet size. The default is Not configurable. Profile (Client) Source Port Range Preset to FortiTester Handbook

129 Starting an RTSP/RTP test Chapter 2 - Running Tests IP Change Algorithm / Port Change Algorithm IP Option DSCP RADIUS Secret Key Username Password Authentication Method Radius Accounting Time Determines how the system changes source/destination IP addresses and ports to simulate multiple client requests. Preset to Random. Not configurable. The Random option selects an IP address or port in the range randomly. Provide quality of service (QoS) Specify a shared secret key for the transaction. Specify a username. Specify a password. Select an authentication method. Specify an accounting time. A time of 0 means accounting features will be disabled. Profile (Server) Server Port IP Option DSCP Preset to Not configurable. Provide quality of service (QoS) Starting an RTSP/RTP test The RTSP/RTP test establishes a TCP connection with a three-way handshake, controls media sessions between end points, and closes the TCP connection. This test also tests the firewall's ability to open and close pinholes. To start an RTSP test: 1. Go to Cases > Protocol > RTSP/RTP to display the test case summary page. 2. Click Add to display the Case Options dialog box. 3. In the popup dialog, configure the network settings as described in "Using network configuration templates" on page Click OK to continue. 5. Configure the test case options as described in Table Click Start to run the test case. FortiTester saves the configuration automatically so you can run the test again later. You can also click Save to save the test case without running it. FortiTester Handbook 129

130 Chapter 2 - Running Tests Starting an RTSP/RTP test Tip: You can also copy an existing case, and change its settings to create a new case. In the case list, click Clone to clone the configuration. Only the case name is different from the original case. Table 33: RTSP Test Case configuration Basic Information Name Ping Server Timeout Duration Number of Samples Stopping Status in Second Specify the case name, or just use the default. The name appears in the list of test cases. If a FortiTester connects to a DUT via a switch, the switch might cause a ping timeout, resulting in the test case failing to run. If this occurs, increase the timeout. The default is 15 seconds. The valid range is 0 to 600.Note:You can disable this end-to-end connectivity test by entering a setting of 0. If the DUT is unable to return packets, it is recommended you do so. Specify the test duration. The default is 10 minutes. The test stops automatically after the duration you specify. Select the number of samples. The default is 20, which means the web UI will show the last 20 sample data (about 20 seconds) in the test case running page. You can select 20, 60, or 120. The maximum time out in seconds allotted for FortiTester to close all TCP connections after the test finishes. Network Client Ports, Server Ports The graphic depicts the test ports for client-side and server-side connections. The client ports simulate the behavior of clients; the server ports simulate the behavior of servers. FortiTester builds the TCP connections between client ports and server ports (and through the DUT, of course). You must select at least one client port and one server port. After you select a port for client, a (check mark) is displayed on the port icon, and a tab for the port is added below the graphic. Use the tabs to toggle the Capture Packets and Subnet controls for each port. Capture Packets 130 FortiTester Handbook

131 Starting an RTSP/RTP test Chapter 2 - Running Tests Capture Packets Optional. Set packet capture options if you want to capture the traffic of this port. You can capture all packets or specify a number. You can set packet capture filters for host IP/port and protocol. Note: The system allocates temporary disk space for packet captures. The limit is 6,000,000 packets. The packets are saved to a temporary file that you can download from the running test case page. The filename indicates whether it is client or server communication and the interface port number. For example, client_port1.pcap. When a subsequent test case with packet capture enabled uses the same interface port as a previous one, the previous file is overwritten. MAC Masquerade MAC Masquerade Specify the first two bytes of a MAC address for the traffic. QinQ Outer VLAN ID Specify a Service VLAN tag for FortiTester to use during the test. Virtual Router IP Address Specify the IP address to the virtual router. This IP address is used to connect to a DUT, therefore it must be in the same subnet with the connected port of the DUT. Please make sure the corresponding routing rules are set on the DUT, so that DUT correctly forwards traffic to the virtual router. Only a single IP address in format xxx.xxx.xxx.xxx is accepted here. Subnet Subnet IP Address or Range Translated To Specify a single IP address with standard format (for example, ) or an address range like NAT mode only. If the DUT uses SNAT/DNAT, specify the new, translated, IP address. Netmask Specify a netmask between 1 and 31. VLAN ID Specify a VLAN ID between 1 and Gateway Peer Network Proxy IP/Mask Add Subnet NAT mode only. Specify the gateway IP address. NAT mode only. Specify the peer network subnet address. Web Proxy mode only. Specify the proxy IP address/netmask. If necessary, click +Add Subnet to display additional subnet configuration controls. An interface port can have multiple subnets. FortiTester uses all IP addresses in the specified subnets to create TCP connections and transfer data. FortiTester Handbook 131

132 Chapter 2 - Running Tests Starting an RTSP/RTP test Load (Load) Simulated Users Number of users to simulate. Load (Limit) Speed Limit Rate of requests per second. The default is 0, which means the device will send traffic as fast as possible. Ramp Up Time Ramp Down Time Time in seconds for traffic to ramp up when you start the test. Not available for Concurrent Session Flood test. Time in seconds for traffic to ramp down when you stop the test. Not available for Concurrent Session Flood test. Network Network MTU Maximum Transmission Unit for a data packet. FortiTester does not send out data packets larger than this value. Most DUTs have a limit for packet size. The default is Not configurable. Profile (Client) Source Port Range IP Change Algorithm / Port Change Algorithm IP Option DSCP Preset to Not configurable. Determines how the system changes source/destination IP addresses and ports to simulate multiple client requests. The Random option selects an IP address or port in the range randomly. Provide quality of service (QoS) Profile (Server) Server Port IP Option DSCP Preset. Not configurable. Provide quality of service (QoS) 132 FortiTester Handbook

133 Starting a DHCP test Chapter 2 - Running Tests Starting a DHCP test The IPv4 DHCP test sends DHCP requests to the DHCP server and measures latency. The IPv6 DHCP test sends NS and RA messages to request an IPv6 address through DHCPv6 stateless mode. To start a DHCP test: 1. Go to Cases > Protocol > DHCP to display the test case summary page. 2. Click Add to display the Case Options dialog box. 3. Configure the test case options as described in Table Click Start to run the test case. FortiTester saves the configuration automatically so you can run the test again later. You can also click Save to save the test case without running it. Tip: You can also copy an existing case, and change its settings to create a new case. In the case list, click Clone to clone the configuration. Only the case name is different from the original case. Table 34: DHCP Test Case configuration Basic Information Name Ping Server Timeout Duration Number of Samples Stopping Status in Second Specify the case name, or just use the default. The name appears in the list of test cases. If a FortiTester connects to a DUT via a switch, the switch might cause a ping timeout, resulting in the test case failing to run. If this occurs, increase the timeout. The default is 15 seconds. The valid range is 0 to 600. Note:You can disable this end-to-end connectivity test by entering a setting of 0. If the DUT is unable to return packets, it is recommended you do so. Specify the test duration. The default is 10 minutes. The test stops automatically after the duration you specify. Select the number of samples. The default is 20, which means the web UI will show the last 20 sample data (about 20 seconds) in the test case running page. You can select 20, 60, or 120. The maximum time out in seconds allotted for FortiTester to close all TCP connections after the test finishes. Network FortiTester Handbook 133

134 Chapter 2 - Running Tests Starting a DHCP test Client Ports, Server Ports The graphic depicts the test ports for client-side and server-side connections. The client ports simulate the behavior of clients; the server ports simulate the behavior of servers. FortiTester builds the TCP connections between client ports and server ports (and through the DUT, of course). You must select at least one client port and one server port. After you select a port for client, a (check mark) is displayed on the port icon, and a tab for the port is added below the graphic. Use the tabs to toggle the Capture Packets and Subnet controls for each port. Capture Packets Capture Packets Optional. Set packet capture options if you want to capture the traffic of this port. You can capture all packets or specify a number. You can set packet capture filters for host IP/port and protocol. Note: The system allocates temporary disk space for packet captures. The limit is 6,000,000 packets. The packets are saved to a temporary file that you can download from the running test case page. The filename indicates whether it is client or server communication and the interface port number. For example, client_port1.pcap. When a subsequent test case with packet capture enabled uses the same interface port as a previous one, the previous file is overwritten. MAC Masquerade MAC Masquerade Specify the first two bytes of a MAC address for the traffic. QinQ Outer VLAN ID Specify a Service VLAN tag for FortiTester to use during the test. Subnet Subnet IP Address or Range Specify a single IP address with standard format (for example, ) or an address range like Netmask Specify a netmask between 1 and 31. VLAN ID Specify a VLAN ID between 1 and Load Simulated Users Number of users to simulate. 134 FortiTester Handbook

135 Starting an IGMP test Chapter 2 - Running Tests DHCP Time Out Time in seconds before a DHCP time out. Limit Speed Limit Rate of new transactions per second. The default is 0, which means the device will send traffic as fast as possible. Ramp Up Time Ramp Down Time Time in seconds for traffic to ramp up when you start the test. Time in seconds for traffic to ramp down when you stop the test. Network Network MTU Maximum Transmission Unit for a data packet. FortiTester does not send out data packets larger than this value. Most DUTs have a limitation for packet size. The default is Not configurable. Profile (Client) Source Port Range IP Change Algorithm / Port Change Algorithm IP Option DSCP Preset to Not configurable. Determines how the system changes source/destination IP addresses and ports to simulate multiple client requests. Preset to Random. Not configurable. The Random option selects an IP address or port in the range randomly. Provide quality of service (QoS) Profile (Server) Server Port IP Option DSCP Preset. Not configurable. Provide quality of service (QoS) Starting an IGMP test The IGMP test sends join messages to the device under test (DUT), such as a router or firewall, and the DUT forwards the data stream from the server. Before starting an IGMP test: Configure a multicast firewall with multicast-routing protocols. The following shows an example configuration using FortiGate. FortiTester Handbook 135

136 Chapter 2 - Running Tests Starting an IGMP test FG1K5D3I # get system settings grep multicast multicast-forward : enable multicast-ttl-notchange: disable gui-multicast-policy: enable FG1K5D3I # get router multicast grep routing multicast-routing : disable FG1K5D3I # show firewall multicast-policy config firewall multicast-policy edit 1 set srcintf "port35" set dstintf "port33" set srcaddr "host " set dstaddr "m " next end To start an IGMP test: 1. Go to Cases > Protocol > IGMP to display the test case summary page. 2. Click Add to display the Case Options dialog box. 3. Configure the test case options as described in Table Click Start to run the test case. FortiTester saves the configuration automatically so you can run the test again later. You can also click Save to save the test case without running it. While the test case is running, use the following command on your FortiGate firewall to see the multicast session: FG1K5D3I # diagnose sys mcast-session list Tip: You can also copy an existing case, and change its settings to create a new case. In the case list, click Clone to clone the configuration. Only the case name is different from the original case. Table 35: IGMP Test Case configuration Basic Information Name Ping Server Timeout Specify the case name, or just use the default. The name appears in the list of test cases. If a FortiTester connects to a DUT via a switch, the switch might cause a ping timeout, resulting in the test case failing to run. If this occurs, increase the timeout. The default is 15 seconds. The valid range is 0 to 600. Note:You can disable this end-to-end connectivity test by entering a setting of 0. If the DUT is unable to return packets, it is recommended you do so. 136 FortiTester Handbook

137 Starting an IGMP test Chapter 2 - Running Tests Duration Number of Samples Stopping Status in Second Specify the test duration. The default is 10 minutes. The test stops automatically after the duration you specify. Select the number of samples. The default is 20, which means the web UI will show the last 20 sample data (about 20 seconds) in the test case running page. You can select 20, 60, or 120. The maximum time out in seconds allotted for FortiTester to close all TCP connections after the test finishes. Network Client Ports, Server Ports The graphic depicts the test ports for client-side and server-side connections. The client ports simulate the behavior of clients; the server ports simulate the behavior of servers. FortiTester builds the TCP connections between client ports and server ports (and through the DUT, of course). You must select at least one client port and one server port. After you select a port for client, a (check mark) is displayed on the port icon, and a tab for the port is added below the graphic. Use the tabs to toggle the Capture Packets and Subnet controls for each port. Capture Packets Capture Packets Optional. Set packet capture options if you want to capture the traffic of this port. You can capture all packets or specify a number. You can set packet capture filters for host IP/port and protocol. Note: The system allocates temporary disk space for packet captures. The limit is 6,000,000 packets. The packets are saved to a temporary file that you can download from the running test case page. The filename indicates whether it is client or server communication and the interface port number. For example, client_port1.pcap. When a subsequent test case with packet capture enabled uses the same interface port as a previous one, the previous file is overwritten. MAC Masquerade MAC Masquerade Specify the first two bytes of a MAC address for the traffic. Subnet Subnet IP Address or Range Specify a single IP address with standard format (for example, ) or an address range like Netmask Specify a netmask between 1 and 31. Gateway Specify the gateway IP address. FortiTester Handbook 137

138 Chapter 2 - Running Tests Starting an Attack Replay test Peer Network Specify the peer network subnet address. For the example FortiGate configuration shown above, the peer network would be /16. Load Simulated Users Number of users to simulate. Limit IGMP Bandwidth Limit Specify the bandwidth, in Mbps. The default is 0, which means the maximum bandwidth. Ramp Up Time Ramp Down Time Time in seconds for traffic to ramp up when you start the test. Time in seconds for traffic to ramp down when you stop the test. Network Network MTU Multicast IP Maximum Transmission Unit for a data packet. FortiTester does not send out data packets larger than this value. Most DUTs have a limitation for packet size. The default is Not configurable. Specify a multicast IP. For the example FortiGate configuration shown above, the Muticast IP would be Profile (Server) Server Port Preset. Not configurable. Starting an Attack Replay test FortiTester can test security systems by replaying a predefined or customized set of attack traffic. The predefined set covers 100 types of attacks. The test result shows the CVE-ID for every type of attack. You can also see the attack list in the Cases > Replay > Attack page. Note: The Attack Replay test is available only in Standalone work mode. Before you begin: Optional. If you want to test custom attack traffic, you must create a package of pcap files that can be replayed. Only IPv4 traffic is supported. Follow the file naming convention: Description[_CVE-$CVEID].pcap. Here [] means optional. The file type can be.pcap,.tgz,.tar.gz, or.zip. A.tgz,.tar.gz, or.zip file includes a group of.pcap 138 FortiTester Handbook

139 Starting an Attack Replay test Chapter 2 - Running Tests files. Maximum file size is 200MB. You can upload it, put it into a default or customized group, and the select the group of attack files you want to replay later. To start an Attack Replay test: 1. Go to Cases > Replay > Attack to display the test case summary page. 2. Click Add to display the Case Options dialog box. 3. In the popup dialog, configure the network settings as described in "Using network configuration templates" on page Click OK to continue. 5. Configure the test case options described in Table Click Start to run the test case. FortiTester saves the configuration automatically so you can run the test again later. You can also click Save to save the test case without running it. Tip: You can also copy an existing case, and change its settings to create a new case. In the case list, click Clone to clone the configuration. Only the case name is different from the original case. Table 36: Attack Replay Test Case configuration Basic Information Name Ping Server Timeout Specify the case name, or just use the default. The name appears in the list of test cases. If a FortiTester connects to a DUT via a switch, the switch might cause a ping timeout, resulting in the test case failing to run. If this occurs, increase the timeout. The default is 15 seconds. The valid range is 0 to 600.Note:You can disable this end-to-end connectivity test by entering a setting of 0. If the DUT is unable to return packets, it is recommended you do so. Network Client Ports, Server Ports The graphic depicts the test ports for client-side and server-side connections. The client ports simulate the behavior of clients; the server ports simulate the behavior of servers. FortiTester builds the TCP connections between client ports and server ports (and through the DUT, of course). You must select at least one client port and one server port. After you select a port for client, a (check mark) is displayed on the port icon, and a tab for the port is added below the graphic. Use the tabs to toggle the Capture Packets and Subnet controls for each port. Capture Packets FortiTester Handbook 139

140 Chapter 2 - Running Tests Starting an Attack Replay test Capture Packets Optional. Set packet capture options if you want to capture the traffic of this port. You can capture all packets or specify a number. You can set packet capture filters for host IP/port and protocol. Note: The system allocates temporary disk space for packet captures. The limit is 6,000,000 packets. The packets are saved to a temporary file that you can download from the running test case page. The filename indicates whether it is client or server communication and the interface port number. For example, client_port1.pcap. When a subsequent test case with packet capture enabled uses the same interface port as a previous one, the previous file is overwritten. Subnet Subnet IP Address or Range Specify a single IP address with standard format (for example, ) or an address range like Netmask Specify a netmask between 1 and 31. Gateway Peer Network NAT mode only. Specify the gateway IP address. NAT mode only. Specify the peer network subnet address. VLAN ID Specify a VLAN ID between 1 and Load Replay Time Out Break Once Packet Lost This timeout specifies how long the client waits for a response from the server. If the client does not receive a response within the timeout, it considers the packet lost. The default value is 2 milliseconds. Select Yes or No. The Yes option means when the system identifies packet loss (the server side has not received the packet that client sent out), it stops the current traffic replay (pcap file), and continues the test with the next traffic file. The No option (the default) means a break is not set; the current replay continues. Network MTU Preset to Not configurable. Action Enable System Attack List User Intrusion Enable/disable the system attack list. There are 100 types of attacks in the system attack list. Optional. Select attacks from the user-defined attack list. Before you can select them, you must upload pcap files that contain your customized attack traffic. At the top of the case list, click User Attack Management and then upload your file. 140 FortiTester Handbook

141 Starting a Traffic Replay test Chapter 2 - Running Tests Starting a Traffic Replay test FortiTester tests user-defined scenarios by replaying pcap files. Typically, pcap files are generated by programs like tcpdump or Wireshark. Note: The Traffic Replay test is available only in Standalone work mode. Before you begin: You must create pcap files that can be replayed. Only IPv4 traffic is supported. Maximum file size is 200MB. To start a Traffic Replay test: 1. Go to Cases > Replay > Traffic to display the test case summary page. 2. Click Add to display the Case Options dialog box. 3. In the popup dialog, configure the network settings as described in "Using network configuration templates" on page Click OK to continue. 5. Configure the test case options described in Table Click Start to run the test case. FortiTester saves the configuration automatically so you can run the test again later. You can also click Save to save the test case without running it. Tip: You can also copy an existing case, and change its settings to create a new case. In the case list, click Clone to clone the configuration. Only the case name is different from the original case. Table 37: Traffic Replay Test Case configuration Basic Information Name Ping Server Timeout Number of Samples Specify the case name, or just use the default. The name appears in the list of test cases. If a FortiTester connects to a DUT via a switch, the switch might cause a ping timeout, resulting in the test case failing to run. If this occurs, increase the timeout. The default is 15 seconds. The valid range is 0 to 600.Note:You can disable this end-to-end connectivity test by entering a setting of 0. If the DUT is unable to return packets, it is recommended you do so. Select the number of samples. The default is 20, which means the web UI will show the last 20 sample data (about 20 seconds) in the test case running page. You can select 20, 60, or 120. FortiTester Handbook 141

142 Chapter 2 - Running Tests Starting a Traffic Replay test Duration Specify the test duration. The default is 10 minutes. The test stops automatically after the duration you specify. Network Client Ports, Server Ports The graphic depicts the test ports for client-side and server-side connections. The client ports simulate the behavior of clients; the server ports simulate the behavior of servers. FortiTester builds the TCP connections between client ports and server ports (and through the DUT, of course). You must select at least one client port and one server port. After you select a port for client, a (check mark) is displayed on the port icon, and a tab for the port is added below the graphic. Use the tabs to toggle the Capture Packets and Subnet controls for each port. Capture Packets Capture Packets Optional. Set packet capture options if you want to capture the traffic of this port. You can capture all packets or specify a number. You can set packet capture filters for host IP/port and protocol. Note: The system allocates temporary disk space for packet captures. The limit is 6,000,000 packets. The packets are saved to a temporary file that you can download from the running test case page. The filename indicates whether it is client or server communication and the interface port number. For example, client_port1.pcap. When a subsequent test case with packet capture enabled uses the same interface port as a previous one, the previous file is overwritten. Subnet Subnet IP Address or Range Specify a single IP address with standard format (for example, ) or an address range like Netmask Specify a netmask between 1 and 31. Gateway Peer Network NAT mode only. Specify the gateway IP address. NAT mode only. Specify the peer network subnet address. VLAN ID Specify a VLAN ID between 1 and Load (Load) Loops Input Pcap Number of times to play the pcap file. The default is 10, means as many as possible. Select a pcap file to send. Note the uploaded files can be used for future cases. 142 FortiTester Handbook

143 Starting a GTP Replay test Chapter 2 - Running Tests Load (Limit) Bandwidth Limit The default is 0, which means the maximum possible. The valid range is 10 to 10,000 Mbps (or the special value 0). Network MTU Preset to Not configurable. Starting a GTP Replay test FortiTester tests GTP connections by replaying existing GTPv1 and GTPv2 files. FortiTester uses these files to send test packets to the device under test (DUT). Note: The GTP Replay test is available only in Standalone work mode. Before you begin: You must create pcap files that can be replayed. Only IPv4 traffic is supported. Maximum file size is 200MB. To start a GTP Replay test: 1. Go to Cases > Replay > GTP to display the test case summary page. 2. Click Add to display the Case Options dialog box. 3. In the popup dialog, configure the network settings as described in "Using network configuration templates" on page Click OK to continue. 5. Configure the test case options described in. 6. Click Start to run the test case. FortiTester saves the configuration automatically so you can run the test again later. You can also click Save to save the test case without running it. Tip: You can also copy an existing case, and change its settings to create a new case. In the case list, click Clone to clone the configuration. Only the case name is different from the original case. Table 38: GTP Replay Test Case configuration Basic Information Name Specify the case name, or just use the default. The name appears in the list of test cases. FortiTester Handbook 143

144 Chapter 2 - Running Tests Starting a GTP Replay test Ping Server Timeout If a FortiTester connects to a DUT via a switch, the switch might cause a ping timeout, resulting in the test case failing to run. If this occurs, increase the timeout. The default is 15 seconds. The valid range is 0 to 600.Note:You can disable this end-to-end connectivity test by entering a setting of 0. If the DUT is unable to return packets, it is recommended you do so. Network Client Ports, Server Ports The graphic depicts the test ports for client-side and server-side connections. The client ports simulate the behavior of clients; the server ports simulate the behavior of servers. FortiTester builds the TCP connections between client ports and server ports (and through the DUT, of course). You must select at least one client port and one server port. After you select a port for client, a (check mark) is displayed on the port icon, and a tab for the port is added below the graphic. Use the tabs to toggle the Capture Packets and Subnet controls for each port. Capture Packets Capture Packets Optional. Set packet capture options if you want to capture the traffic of this port. You can capture all packets or specify a number. You can set packet capture filters for host IP/port and protocol. Note: The system allocates temporary disk space for packet captures. The limit is 6,000,000 packets. The packets are saved to a temporary file that you can download from the running test case page. The filename indicates whether it is client or server communication and the interface port number. For example, client_port1.pcap. When a subsequent test case with packet capture enabled uses the same interface port as a previous one, the previous file is overwritten. Subnet Subnet IP Address or Range Specify a single IP address with standard format (for example, ) or an address range like Netmask Specify a netmask between 1 and 31. VLAN ID Specify a VLAN ID between 1 and Load Replay Time Out This timeout specifies how long the client waits for a response from the server. If the client does not receive a response within the timeout, it considers the packet lost. The default value is 2 milliseconds. 144 FortiTester Handbook

145 Starting a DDoS single packet flood test Chapter 2 - Running Tests Break Once Packet Lost Select Yes or No. The Yes option means when the system identifies packet loss (the server side has not received the packet that client sent out), it stops the current GTP replay (pcap file), and continues the test with the next GTP file. The No option (the default) means a break is not set; the current replay continues. Network MTU Preset to Not configurable. Action GTP Packet List Select pcap files to test. Starting a DDoS single packet flood test FortiTester tests the DUT's ability to handle different types of DDoS attacks. This test attempts to deplete the DUT's resources by flooding the DUT with non-session based attacks. To start a single packet flood test: 1. Go to Cases > DDoS > Single Packet Flood to display the test case summary page. 2. Click Add to display the Case Options dialog box. 3. In the pop-up dialog, configure the network settings as described in "Using network configuration templates" on page Click OK to continue. 5. Configure the test case options described in Table Click Start to run the test case. FortiTester saves the configuration automatically so you can run the test again later. You can also click Save to save the test case without running it. Tip: You can also copy an existing case, and change its settings to create a new case. In the case list, click Clone to clone the configuration. Only the case name is different from the original case. Table 39: DDoS Single Packet Flood Test Case configuration Basic Information Name Specify the case name, or just use the default. The name appears in the list of test cases. FortiTester Handbook 145

146 Chapter 2 - Running Tests Starting a DDoS single packet flood test Ping Server Timeout Number of Samples Duration Stopping Status in Second If a FortiTester connects to a DUT via a switch, the switch might cause a ping timeout, resulting in the test case failing to run. If this occurs, increase the timeout. The default is 15 seconds. The valid range is 0 to 600.Note:You can disable this end-to-end connectivity test by entering a setting of 0. If the DUT is unable to return packets, it is recommended you do so. Select the number of samples. The default is 20, which means the web UI will show the last 20 sample data (about 20 seconds) in the test case running page. You can select 20, 60, or 120. Specify the test duration. The default is 10 minutes. The test stops automatically after the duration you specify. The maximum time out in seconds allotted for FortiTester to close all TCP connections after the test finishes. Network Client Ports, Server Ports The graphic depicts the test ports for client-side and server-side connections. The client ports simulate the behavior of clients; the server ports simulate the behavior of servers. FortiTester builds the TCP connections between client ports and server ports (and through the DUT, of course). You must select at least one client port and one server port. After you select a port for client, a (check mark) is displayed on the port icon, and a tab for the port is added below the graphic. Use the tabs to toggle the Capture Packets and Subnet controls for each port. Capture Packets Capture Packets Optional. Set packet capture options if you want to capture the traffic of this port. You can capture all packets or specify a number. You can set packet capture filters for host IP/port and protocol. Note: The system allocates temporary disk space for packet captures. The limit is 6,000,000 packets. The packets are saved to a temporary file that you can download from the running test case page. The filename indicates whether it is client or server communication and the interface port number. For example, client_port1.pcap. When a subsequent test case with packet capture enabled uses the same interface port as a previous one, the previous file is overwritten. MAC Masquerade MAC Masquerade Specify the first two bytes of a MAC address for the traffic. QinQ Outer VLAN ID Specify a Service VLAN tag for FortiTester to use during the test. 146 FortiTester Handbook

147 Starting a DDoS single packet flood test Chapter 2 - Running Tests Virtual Router IP Address Specify the IP address to the virtual router. This IP address is used to connect to a DUT, therefore it must be in the same subnet with the connected port of the DUT. Please make sure the corresponding routing rules are set on the DUT, so that DUT correctly forwards traffic to the virtual router. Only a single IP address in format xxx.xxx.xxx.xxx is accepted here. Subnet Subnet IP Address or Range Translated To Specify a single IP address with standard format (for example, ) or an address range like NAT mode only. If the DUT uses SNAT/DNAT, specify the new, translated, IP address. Netmask Specify a netmask between 1 and 31. Gateway Peer Network NAT mode only. Specify the gateway IP address. NAT mode only. Specify the peer network subnet address. VLAN ID Specify a VLAN ID between 1 and Load (Load) Simulated Users Number of users to simulate. DDoS Type DDoS attack traffic: Single Packet Flood. After you select a type, selection boxes for subtypes are displayed below. To change the percentage mix of subtypes, double-click the pie chart and adjust the percentages. Load (Limit) Speed Limit Applies only when DDoS type is TCP Session Flood or HTTP Session Flood. Rate of new connections per second. The default is 0, which means the device will create connections as fast as possible. Ramp Up Time Ramp Down Time Time in seconds for traffic to ramp up when you start the test. Not available for Concurrent Session Flood test. Time in seconds for traffic to ramp down when you stop the test. Not available for Concurrent Session Flood test. FortiTester Handbook 147

148 Chapter 2 - Running Tests Starting a DDoS TCP session flood test Network Network MTU Maximum Transmission Unit for a data packet. FortiTester does not send out data packets larger than this value. Most DUTs have a limitation for packet size. The default is Not configurable. Profile (Client) Source Port Range IP Change Algorithm / Port Change Algorithm IP Option DSCP Specify a client port range. The valid range is 10,000 to 65,535, which is also the default. Select a change algorithm: Increment or Random. This setting determines how the system changes source/destination IP addresses and ports to simulate multiple client requests. The Increment option uses the next IP address or port in the range, for example: > ; port > The Random option selects an IP address or port in the range randomly. Provide quality of service (QoS) Profile (Server) Server Port IP Option DSCP Preset to 80. Not configurable. Provide quality of service (QoS) Starting a DDoS TCP session flood test FortiTester tests the DUT's ability to handle different types of DDoS attacks. This test attempts to deplete the DUT's resources by flooding the DUT with TCP attacks. To start a TCP session flood test: 1. Go to Cases > DDoS > TCP Session Flood to display the test case summary page. 2. Click Add to display the Case Options dialog box. 3. In the pop-up dialog, configure the network settings as described in "Using network configuration templates" on page Click OK to continue. 5. Configure the test case options described in Table Click Start to run the test case. FortiTester saves the configuration automatically so you can run the test again later. You can also click Save to save the test case without running it. Tip: You can also copy an existing case, and change its settings to create a new case. In the case list, click Clone to clone the configuration. Only the case name is different from the original case. 148 FortiTester Handbook

149 Starting a DDoS TCP session flood test Chapter 2 - Running Tests Table 40: DDoS TCP Session Flood Test Case configuration Basic Information Name Ping Server Timeout Number of Samples Duration Stopping Status in Second Specify the case name, or just use the default. The name appears in the list of test cases. If a FortiTester connects to a DUT via a switch, the switch might cause a ping timeout, resulting in the test case failing to run. If this occurs, increase the timeout. The default is 15 seconds. The valid range is 0 to 600.Note:You can disable this end-to-end connectivity test by entering a setting of 0. If the DUT is unable to return packets, it is recommended you do so. Select the number of samples. The default is 20, which means the web UI will show the last 20 sample data (about 20 seconds) in the test case running page. You can select 20, 60, or 120. Specify the test duration. The default is 10 minutes. The test stops automatically after the duration you specify. The maximum time out in seconds allotted for FortiTester to close all TCP connections after the test finishes. Network Client Ports, Server Ports The graphic depicts the test ports for client-side and server-side connections. The client ports simulate the behavior of clients; the server ports simulate the behavior of servers. FortiTester builds the TCP connections between client ports and server ports (and through the DUT, of course). You must select at least one client port and one server port. After you select a port for client, a (check mark) is displayed on the port icon, and a tab for the port is added below the graphic. Use the tabs to toggle the Capture Packets and Subnet controls for each port. Capture Packets Capture Packets Optional. Set packet capture options if you want to capture the traffic of this port. You can capture all packets or specify a number. You can set packet capture filters for host IP/port and protocol. Note: The system allocates temporary disk space for packet captures. The limit is 6,000,000 packets. The packets are saved to a temporary file that you can download from the running test case page. The filename indicates whether it is client or server communication and the interface port number. For example, client_port1.pcap. When a subsequent test case with packet capture enabled uses the same interface port as a previous one, the previous file is overwritten. FortiTester Handbook 149

150 Chapter 2 - Running Tests Starting a DDoS TCP session flood test MAC Masquerade MAC Masquerade Specify the first two bytes of a MAC address for the traffic. QinQ Outer VLAN ID Specify a Service VLAN tag for FortiTester to use during the test. Virtual Router IP Address Specify the IP address to the virtual router. This IP address is used to connect to a DUT, therefore it must be in the same subnet with the connected port of the DUT. Please make sure the corresponding routing rules are set on the DUT, so that DUT correctly forwards traffic to the virtual router. Only a single IP address in format xxx.xxx.xxx.xxx is accepted here. Subnet Subnet IP Address or Range Translated To Specify a single IP address with standard format (for example, ) or an address range like NAT mode only. If the DUT uses SNAT/DNAT, specify the new, translated, IP address. Netmask Specify a netmask between 1 and 31. Gateway Peer Network NAT mode only. Specify the gateway IP address. NAT mode only. Specify the peer network subnet address. VLAN ID Specify a VLAN ID between 1 and Load (Load) Simulated Users Number of users to simulate. DDoS Type DDoS attack traffic: TCP Session Flood. After you select a type, selection boxes for subtypes are displayed below. To change the percentage mix of subtypes, double-click the pie chart and adjust the percentages. Load (Limit) 150 FortiTester Handbook

151 Starting a DDoS HTTP session flood test Chapter 2 - Running Tests Speed Limit Applies only when DDoS type is TCP Session Flood or HTTP Session Flood. Rate of new connections per second. The default is 0, which means the device will create connections as fast as possible. Ramp Up Time Ramp Down Time Time in seconds for traffic to ramp up when you start the test. Not available for Concurrent Session Flood test. Time in seconds for traffic to ramp down when you stop the test. Not available for Concurrent Session Flood test. Network Network MTU Maximum Transmission Unit for a data packet. FortiTester does not send out data packets larger than this value. Most DUTs have a limitation for packet size. The default is Not configurable. Profile (Client) Source Port Range IP Change Algorithm / Port Change Algorithm IP Option DSCP Specify a client port range. The valid range is 10,000 to 65,535, which is also the default. Select a change algorithm: Increment or Random. This setting determines how the system changes source/destination IP addresses and ports to simulate multiple client requests. The Increment option uses the next IP address or port in the range, for example: > ; port > The Random option selects an IP address or port in the range randomly. Provide quality of service (QoS) Profile (Server) Server Port IP Option DSCP Preset to 80. Not configurable. Provide quality of service (QoS) Starting a DDoS HTTP session flood test FortiTester tests the DUT's ability to handle attempts to deplete the DUT's resources by flooding the DUT with HTTP attacks. To start a HTTP session flood test: 1. Go to Cases > DDoS > HTTP Session Flood to display the test case summary page. 2. Click Add to display the Case Options dialog box. 3. In the pop-up dialog, configure the network settings as described in "Using network configuration templates" on page 18. FortiTester Handbook 151

152 Chapter 2 - Running Tests Starting a DDoS HTTP session flood test 4. Click OK to continue. 5. Configure the test case options described in Table Click Start to run the test case. FortiTester saves the configuration automatically so you can run the test again later. You can also click Save to save the test case without running it. Tip: You can also copy an existing case, and change its settings to create a new case. In the case list, click Clone to clone the configuration. Only the case name is different from the original case. Table 41: DDoS HTTP Session Flood Test Case configuration Basic Information Name Ping Server Timeout Number of Samples Duration Stopping Status in Second Specify the case name, or just use the default. The name appears in the list of test cases. If a FortiTester connects to a DUT via a switch, the switch might cause a ping timeout, resulting in the test case failing to run. If this occurs, increase the timeout. The default is 15 seconds. The valid range is 0 to 600.Note:You can disable this end-to-end connectivity test by entering a setting of 0. If the DUT is unable to return packets, it is recommended you do so. Select the number of samples. The default is 20, which means the web UI will show the last 20 sample data (about 20 seconds) in the test case running page. You can select 20, 60, or 120. Specify the test duration. The default is 10 minutes. The test stops automatically after the duration you specify. The maximum time out in seconds allotted for FortiTester to close all TCP connections after the test finishes. Network Client Ports, Server Ports The graphic depicts the test ports for client-side and server-side connections. The client ports simulate the behavior of clients; the server ports simulate the behavior of servers. FortiTester builds the TCP connections between client ports and server ports (and through the DUT, of course). You must select at least one client port and one server port. After you select a port for client, a (check mark) is displayed on the port icon, and a tab for the port is added below the graphic. Use the tabs to toggle the Capture Packets and Subnet controls for each port. 152 FortiTester Handbook

153 Starting a DDoS HTTP session flood test Chapter 2 - Running Tests Capture Packets Capture Packets Optional. Set packet capture options if you want to capture the traffic of this port. You can capture all packets or specify a number. You can set packet capture filters for host IP/port and protocol. Note: The system allocates temporary disk space for packet captures. The limit is 6,000,000 packets. The packets are saved to a temporary file that you can download from the running test case page. The filename indicates whether it is client or server communication and the interface port number. For example, client_port1.pcap. When a subsequent test case with packet capture enabled uses the same interface port as a previous one, the previous file is overwritten. MAC Masquerade MAC Masquerade Specify the first two bytes of a MAC address for the traffic. QinQ Outer VLAN ID Specify a Service VLAN tag for FortiTester to use during the test. Virtual Router IP Address Specify the IP address to the virtual router. This IP address is used to connect to a DUT, therefore it must be in the same subnet with the connected port of the DUT. Please make sure the corresponding routing rules are set on the DUT, so that DUT correctly forwards traffic to the virtual router. Only a single IP address in format xxx.xxx.xxx.xxx is accepted here. Subnet Subnet IP Address or Range Translated To Specify a single IP address with standard format (for example, ) or an address range like NAT mode only. If the DUT uses SNAT/DNAT, specify the new, translated, IP address. Netmask Specify a netmask between 1 and 31. Gateway Peer Network NAT mode only. Specify the gateway IP address. NAT mode only. Specify the peer network subnet address. VLAN ID Specify a VLAN ID between 1 and Load (Load) FortiTester Handbook 153

154 Chapter 2 - Running Tests Starting a DDoS HTTP session flood test Simulated Users Number of users to simulate. DDoS Type DDoS attack traffic: Concurrent Session Flood. After you select a type, selection boxes for subtypes are displayed below. To change the percentage mix of subtypes, doubleclick the pie chart and adjust the percentages. Load (Limit) Speed Limit Applies only when DDoS type is TCP Session Flood or HTTP Session Flood. Rate of new connections per second. The default is 0, which means the device will create connections as fast as possible. Ramp Up Time Ramp Down Time Time in seconds for traffic to ramp up when you start the test. Not available for Concurrent Session Flood test. Time in seconds for traffic to ramp down when you stop the test. Not available for Concurrent Session Flood test. Network Network MTU Maximum Transmission Unit for a data packet. FortiTester does not send out data packets larger than this value. Most DUTs have a limitation for packet size. The default is Not configurable. Profile (Client) Source Port Range IP Change Algorithm / Port Change Algorithm IP Option DSCP Specify a client port range. The valid range is 10,000 to 65,535, which is also the default. Select a change algorithm: Increment or Random. This setting determines how the system changes source/destination IP addresses and ports to simulate multiple client requests. The Increment option uses the next IP address or port in the range, for example: > ; port > The Random option selects an IP address or port in the range randomly. Provide quality of service (QoS) Profile (Server) Server Port IP Option DSCP Preset to 80. Not configurable. Provide quality of service (QoS) 154 FortiTester Handbook

155 Starting a DDoS concurrent session flood test Chapter 2 - Running Tests Starting a DDoS concurrent session flood test FortiTester tests the DUT's ability to handle attempts to deplete the DUT's resources. FortiTester floods the DUT with HTTP attacks and then puts the session on hold for an extended period of time. To start a concurrent session flood test: 1. Go to Cases > DDoS > Concurrent Session Flood to display the test case summary page. 2. Click Add to display the Case Options dialog box. 3. In the pop-up dialog, configure the network settings as described in "Using network configuration templates" on page Click OK to continue. 5. Configure the test case options described in Table Click Start to run the test case. FortiTester saves the configuration automatically so you can run the test again later. You can also click Save to save the test case without running it. Tip: You can also copy an existing case, and change its settings to create a new case. In the case list, click Clone to clone the configuration. Only the case name is different from the original case. Table 42: DDoS Concurrent Session FloodTest Case configuration Basic Information Name Ping Server Timeout Number of Samples Duration Stopping Status in Second Specify the case name, or just use the default. The name appears in the list of test cases. If a FortiTester connects to a DUT via a switch, the switch might cause a ping timeout, resulting in the test case failing to run. If this occurs, increase the timeout. The default is 15 seconds. The valid range is 0 to 600.Note:You can disable this end-to-end connectivity test by entering a setting of 0. If the DUT is unable to return packets, it is recommended you do so. Select the number of samples. The default is 20, which means the web UI will show the last 20 sample data (about 20 seconds) in the test case running page. You can select 20, 60, or 120. Specify the test duration. The default is 10 minutes. The test stops automatically after the duration you specify. The maximum time out in seconds allotted for FortiTester to close all TCP connections after the test finishes. FortiTester Handbook 155

156 Chapter 2 - Running Tests Starting a DDoS concurrent session flood test Network Client Ports, Server Ports The graphic depicts the test ports for client-side and server-side connections. The client ports simulate the behavior of clients; the server ports simulate the behavior of servers. FortiTester builds the TCP connections between client ports and server ports (and through the DUT, of course). You must select at least one client port and one server port. After you select a port for client, a (check mark) is displayed on the port icon, and a tab for the port is added below the graphic. Use the tabs to toggle the Capture Packets and Subnet controls for each port. Capture Packets Capture Packets Optional. Set packet capture options if you want to capture the traffic of this port. You can capture all packets or specify a number. You can set packet capture filters for host IP/port and protocol. Note: The system allocates temporary disk space for packet captures. The limit is 6,000,000 packets. The packets are saved to a temporary file that you can download from the running test case page. The filename indicates whether it is client or server communication and the interface port number. For example, client_port1.pcap. When a subsequent test case with packet capture enabled uses the same interface port as a previous one, the previous file is overwritten. MAC Masquerade MAC Masquerade Specify the first two bytes of a MAC address for the traffic. QinQ Outer VLAN ID Specify a Service VLAN tag for FortiTester to use during the test. Virtual Router IP Address Specify the IP address to the virtual router. This IP address is used to connect to a DUT, therefore it must be in the same subnet with the connected port of the DUT. Please make sure the corresponding routing rules are set on the DUT, so that DUT correctly forwards traffic to the virtual router. Only a single IP address in format xxx.xxx.xxx.xxx is accepted here. Subnet Subnet IP Address or Range Translated To Specify a single IP address with standard format (for example, ) or an address range like NAT mode only. If the DUT uses SNAT/DNAT, specify the new, translated, IP address. 156 FortiTester Handbook

157 Starting a DDoS concurrent session flood test Chapter 2 - Running Tests Netmask Specify a netmask between 1 and 31. Gateway Peer Network NAT mode only. Specify the gateway IP address. NAT mode only. Specify the peer network subnet address. VLAN ID Specify a VLAN ID between 1 and Load Simulated Users Number of users to simulate. Concurrent Connection Applies only when DDoS type is Concurrent Session Flood. Number of concurrent connections. DDoS Type DDoS attack traffic: TCP Session Flood. After you select a type, selection boxes for subtypes are displayed below. To change the percentage mix of subtypes, double-click the pie chart and adjust the percentages. Network Network MTU Maximum Transmission Unit for a data packet. FortiTester does not send out data packets larger than this value. Most DUTs have a limitation for packet size. The default is Not configurable. Profile (Client) Source Port Range IP Change Algorithm / Port Change Algorithm IP Option DSCP Specify a client port range. The valid range is 10,000 to 65,535, which is also the default. Select a change algorithm: Increment or Random. This setting determines how the system changes source/destination IP addresses and ports to simulate multiple client requests. The Increment option uses the next IP address or port in the range, for example: > ; port > The Random option selects an IP address or port in the range randomly. Provide quality of service (QoS) Profile (Server) Server Port IP Option DSCP Preset to 80. Not configurable. Provide quality of service (QoS) FortiTester Handbook 157

158 Chapter 2 - Running Tests Starting a packet capture test Starting a packet capture test The packet capture test captures packets received from the network adapter. To start a packet capture test: 1. Go to Cases > Packet Capture > Packet Capture to display the test case summary page. 2. Click Add to display the Case Options dialog box. 3. Configure the test case options as described in Table Click Start to run the test case. FortiTester saves the configuration automatically so you can run the test again later. You can also click Save to save the test case without running it. Tip: You can also copy an existing case, and change its settings to create a new case. In the case list, click Clone to clone the configuration. Only the case name is different from the original case. To start /stop a packet capture test while another test is running: From the run page of the other test, follow the steps below. 1. Go to Capture > Client. 2. Click Restart, under status. 3. Configure the desired settings. 4. Click Start to run the packet capture test. Table 43: Packet Capture Test Case configuration Basic Information Name Duration Number of Samples Specify the case name, or just use the default. The name appears in the list of test cases. Specify the test duration. The default is 10 minutes. The test stops automatically after the duration you specify. Select the number of samples. The default is 20, which means the web UI will show the last 20 sample data (about 20 seconds) in the test case running page. You can select 20, 60, or 120. Network 158 FortiTester Handbook

159 Starting a mixed traffic test Chapter 2 - Running Tests Client Ports The graphic depicts the test ports for client-side connections. The client ports simulate the behavior of clients. You must select at least one client port. After you select a port for client, a (check mark) is displayed on the port icon, and a tab for the port is added below the graphic. Use the tabs to toggle the Capture Packets controls for each port. Capture Packets Capture Packets Set packet capture options if you want to capture the traffic of this port. You can capture all packets or specify a number. You can set packet capture filters for host IP/port and protocol. Note: The system allocates temporary disk space for packet captures. The limit is 6,000,000 packets. The packets are saved to a temporary file that you can download from the running test case page. The filename indicates whether it is client or server communication and the interface port number. For example, client_port1.pcap. When a subsequent test case with packet capture enabled uses the same interface port as a previous one, the previous file is overwritten. Load Packet Analysis Select Yes to analyze bandwidth percentage for each protocol. Network Network MTU Maximum Transmission Unit for a data packet. FortiTester does not send out data packets larger than this value. Most DUTs have a limit for packet size. The default is Not configurable. Starting a mixed traffic test FortiTester tests mixed traffic performance by simulating multiple clients that burst all types of traffic simultaneously. To start a Mixed Traffic test: 1. Go to Cases > Mixed Traffic > Mixed Traffic to display the test case summary page. 2. Click Add to display the Case Options dialog box. 3. In the popup dialog, select the kind of mixed traffic test you wish to create. You can create a test based on Protocol, Action, Case Type, or Existing Test Cases. 4. Select the types of traffic to mix in the test. 5. configure the other network settings as described in "Using network configuration templates" on page Click OK to continue. 7. Configure the proportions of the mixed traffic. FortiTester Handbook 159

160 Chapter 2 - Running Tests Starting a mixed traffic test 8. Configure the test case options as described in Table 44. The specific settings will depend on what types of traffic were included in the mix. Refer to the section for that specific test for more information. 9. Click Start to run the test case. FortiTester saves the configuration automatically, so you can run the test again later. You can also click Save to save the test case without running it. Tip: You can also copy an existing case, and change its settings to create a new case. In the case list, click Clone to clone the configuration. Only the case name is different from the original case. 160 FortiTester Handbook

161 Starting a mixed traffic test Chapter 2 - Running Tests Table 44: Mixed Traffic Test Case configuration Basic Information Name Ping Server Timeout Number of Samples Duration Stopping Status in Second Specify the case name, or just use the default. The name appears in the list of test cases. If a FortiTester connects to a DUT via a switch, the switch might cause a ping timeout, resulting in the test case failing to run. If this occurs, increase the timeout. The default is 15 seconds. The valid range is 0 to 600.Note:You can disable this end-to-end connectivity test by entering a setting of 0. If the DUT is unable to return packets, it is recommended you do so. Select the number of samples. The default is 20, which means the web UI will show the last 20 sample data (about 20 seconds) in the test case running page. You can select 20, 60, or 120. Specify the test duration. The default is 10 minutes. The test stops automatically after the duration you specify. The maximum time out in seconds allotted for FortiTester to close all TCP connections after the test finishes. Network Client Ports, Server Ports The graphic depicts the test ports for client-side and server-side connections. The client ports simulate the behavior of clients; the server ports simulate the behavior of servers. FortiTester builds the TCP connections between client ports and server ports (and through the DUT, of course). You must select at least one client port and one server port. After you select a port for client, a (check mark) is displayed on the port icon, and a tab for the port is added below the graphic. Use the tabs to toggle the Capture Packets and Subnet controls for each port. Capture Packets Capture Packets Optional. Set packet capture options if you want to capture the traffic of this port. You can capture all packets or specify a number. You can set packet capture filters for host IP/port and protocol. Note: The system allocates temporary disk space for packet captures. The limit is 6,000,000 packets. The packets are saved to a temporary file that you can download from the running test case page. The filename indicates whether it is client or server communication and the interface port number. For example, client_port1.pcap. When a subsequent test case with packet capture enabled uses the same interface port as a previous one, the previous file is overwritten. FortiTester Handbook 161

162 Chapter 2 - Running Tests Stopping tests MAC Masquerade MAC Masquerade Specify the first two bytes of a MAC address for the traffic. QinQ Outer VLAN ID Specify a Service VLAN tag for FortiTester to use during the test. Virtual Router IP Address Specify the IP address to the virtual router. This IP address is used to connect to a DUT, therefore it must be in the same subnet with the connected port of the DUT. Please make sure the corresponding routing rules are set on the DUT, so that DUT correctly forwards traffic to the virtual router. Only a single IP address in format xxx.xxx.xxx.xxx is accepted here. Subnet Subnet IP Address or Range Specify a single IP address with standard format (for example, ) or an address range like Netmask Specify a netmask between 1 and 31. VLAN ID Specify a VLAN ID between 1 and Gateway Peer Network Proxy IP/Mask Add Subnet NAT mode only. Specify the gateway IP address. NAT mode only. Specify the peer network subnet address. Web Proxy mode only. Specify the proxy IP address/netmask. If necessary, click +Add Subnet to display additional subnet configuration controls. An interface port can have multiple subnets. FortiTester uses all IP addresses in the specified subnets to create TCP connections and transfer data. Stopping tests There are two ways to stop a running test: In the test configuration, specify an automatic stop after a specified duration. Click the Stop button on the running page of a test that is in progress. Modifying traffic load mid-run Users can modify a test's traffic load while the test is running. 162 FortiTester Handbook

A message will appear saying you have "Set case limit configuration successfully". Displaying test status A few seconds after you start a test, the page automatically switches to a test status page.

163 Displaying test status Chapter 2 - Running Tests 1. Click the Case Limit tab. 2. Modify any settings you wish to change. For example, to limit an HTTP CPS test to 560 connections per second, enter in 560 for the Speed Limit option. 3. Click Reset. A message will appear saying you have "Set case limit configuration successfully". Displaying test status A few seconds after you start a test, the page automatically switches to a test status page. You can also navigate to the status page by clicking the icon in the top navigation menu. The following example shows status displayed on the Summary tab of an HTTP CPS test. Figure 7: Test status Summary tab The following figure shows the Client tab. You can use its subtabs to review results by port or network layer. FortiTester Handbook 163

Chapter 2 - Running Tests Viewing test results Figure 8: Test status Client tab Viewing test results When you start a test, a status page is displayed showing results.

Layer 2 data represents the throughput for every port and a total summary. The throughput includes inbound traffic and outbound traffic for every port.

164 Chapter 2 - Running Tests Viewing test results Figure 8: Test status Client tab Viewing test results When you start a test, a status page is displayed showing results. The data is updated every second. It includes Layer 2, Layer 3, and Layer 4 data. HTTP/HTTPS test cases also include Layer 7 data. Layer 2 data represents the throughput for every port and a total summary. The throughput includes inbound traffic and outbound traffic for every port. Layer 3 data represents the packets sent and received for every port and a total summary. Layer 4 data represents the number of sessions. Layer 7 data represents the number of requests and connections. You can click the icon in the top banner to display a list of all the test cases on the left side of the page. This list includes cases that are stopped (either normally or abnormally) and are ordered by test start time. Click a test case to view its result. You can also use the search function, at the top, to search for test cases. The following example shows results for an HTTP CPS test. Figure 9: HTTP CPS test results The following figure shows results for an Attack Replay test. 164 FortiTester Handbook

Exporting/importing a test case Chapter 2 - Running Tests Figure 10: Attack Replay results For Attack Replay tests, the results show status for every attack traffic file and a summary count for

165 Exporting/importing a test case Chapter 2 - Running Tests Figure 10: Attack Replay results For Attack Replay tests, the results show status for every attack traffic file and a summary count for packets with the following statuses: Peer Received, Packet Lost, or Illegal Packet. Peer Received means the server has received all the packets sent out by the client. Packet Lost means the server has not received all the packets sent out by the client; one or more packets were lost after the traffic passed through the DUT. Illegal Packet means the FortiTester system encountered a packet larger than the MTU (the default is 1500) and has stopped the replay of that pcap file. Exporting/importing a test case After you click Start or Save, FortiTester automatically saves the test configuration. You can edit or make a copy of a test configuration before you run it. You can use the Export/Import utilities to export a test case configuration (as a.zip file) and then import it into another FortiTester appliance. In the top banner, click the icon to display the list of saved test cases. Cases are categorized by test type. Scheduling cases You can schedule a test case to run automatically at a time you specify. You can also specify a repeat interval (once, hourly, daily, weekly, monthly). To configure a schedule: 1. Go to Cases > Config Schedule. 2. Click Add to display the configuration page. 3. Select the case type and select an existing case. FortiTester Handbook 165

166 Chapter 2 - Running Tests Scheduling cases 4. Set the start date and time. 5. Select a repeat option. 6. Save the schedule configuration. Tip: To set up a schedule from the case list, click the icon to display the schedule configuration page. 166 FortiTester Handbook

167 Chapter 3 - System Administration Displaying system status Chapter 3 - System Administration This chapter provides procedures for common system administration tasks. Displaying system status The System page displays the system version and serial number of the appliance. You can also see the information of log disk usage. If the appliance comes installed with an SSL Accelerator card, you will see it and can enable/disable it. Note: The SSL acceleration feature works only when the FortiTester appliance works as the server side. Enabling or disabling it will not influence the performance of the client side when performing an HTTPS test. The figure below shows the System Information. Figure 11: System Information Updating firmware You can use the web UI to upgrade the firmware image. Before you begin: 167 FortiTester Handbook

168 Shutting down the system Chapter 3 - System Administration Download the firmware file from the Fortinet support website. Read the release notes for the version you plan to install. You must be logged in as the user admin to upgrade firmware. To upgrade firmware: 1. Go to the System page. 2. Click the Upgrade link in the system information section. 3. Click Browse to locate and select the image file. 4. Click to upload the firmware and reboot. The system replaces the firmware on the active partition and reboots. Shutting down the system Always properly shut down the FortiTester appliance operating system before turning off the power switch or unplugging the appliance. This causes it to finish writing buffered data, and to slow and park the hard disks. Do not unplug or switch off the FortiTester appliance before halting the operating system. Failure to shut down correctly could cause data loss and hardware problems. To power off the appliance via the web UI: 1. Go to the System page. 2. Click the Shutdown button. The appliance becomes quieter when it stops its hardware and operating system, indicating that it is ready for power to be disconnected. 3. Disconnect the power cable from the power supply. To power off the appliance via the CLI: 1. Connect to the CLI using a terminal emulator. 2. Enter the following command: execute shutdown The appliance becomes quieter when it stops its hardware and operating system, indicating that it is ready for power to be disconnected. 3. Disconnect the power cable from the power supply. Rebooting the system Rebooting the appliance is similar to shutting down. To reboot, do one of the following: Go to the System page, click the Reboot button. Enter the execute reboot command via the CLI. FortiTester Handbook 168

169 Chapter 3 - System Administration Resetting the system Resetting the system To restore the appliance to its initial state, click the Config reset button on the System page. Warning: This operation clears all the data and cannot be canceled, so use it carefully. Before you reset the system, you can export system configuration data so that you can import it later. The configuration data includes all the test case settings and test results, user accounts, and test HTML pages for HTTP/HTTPS test cases. Creating test users The FortiTester system has one default administrative account named "admin". It also allows you to create other administrative or tester user accounts. The default admin account is the super administrator, which can create and delete all other accounts, whereas the other administrative accounts can only create administrative/tester accounts and delete tester accounts. The administrative user can perform a test, create and delete a tester, and set the system configuration. A tester user can only perform tests and view test results. If a user logs in with a tester role, the User Management menu is not shown, and the contents in the System page is read-only. To create a test user: 1. Go to the drop-down menu under the admin login in the top navigation bar. 2. Select User Management. 3. Click Add to display the configuration page. 4. Complete the username and password settings. 5. Select a role and set the username and password. 6. Save the configuration. 169 FortiTester Handbook

Chapter 4 - Joining multiple appliances into a Test Center Changing the work mode setting Chapter 4 - Joining multiple appliances into a Test Center This chapter provides procedures for joining

170 Chapter 4 - Joining multiple appliances into a Test Center Changing the work mode setting Chapter 4 - Joining multiple appliances into a Test Center This chapter provides procedures for joining multiple appliances into a Test Center. Changing the work mode setting The work mode setting determines whether the FortiTester operates as a standalone appliance or is joined with other FortiTester appliances to form a Test Center. By default, FortiTester appliances operate in Standalone work mode. If your test plans require more interfaces than provided by a single FortiTester, you can join the appliances into what is called a Test Center. One appliance is the Test Center master appliance; the others are Test Center slaves. You manage test cases from the Test Center appliance management interface; the web UI is not available for an appliance in Test Slave work mode. When you enter the web UI address for the Test Slave appliance, it displays the following page instead. Figure 12: Slave Mode To set up a Test Center: 1. Log into the web UI of one FortiTester (e.g ). 2. Go to the System page. 3. Click the Work Mode tab. 4. The appliance is in Standalone work mode by default. 5. Click Test Center to make it the Test Center master. The System page shows the current work mode of this appliance is TestCenter, and a table is shown that lists the appliances that are under control of this one. 6. Log into another FortiTester (e.g ). 7. Go to the System page. 8. Click the Work Mode tab. 9. Click Test Slave. The system displays a popup, prompting you to specify the Test Center master IP address. 10. Enter the IP address of the Test Center master and click Connect. 11. Return to the System page on the master and click Refresh. You will see is in the table. 170 FortiTester Handbook

Changing the work mode setting Chapter 4 - Joining multiple appliances into a Test Center Figure 13: TestCenter You can click the X to disconnect the slave appliance or click the Disconnect button in

171 Changing the work mode setting Chapter 4 - Joining multiple appliances into a Test Center Figure 13: TestCenter You can click the X to disconnect the slave appliance or click the Disconnect button in the slave Web GUI to return to Standalone mode. When the appliances have been added to the Test Center, you can select one or more FortiTester appliances to work as clients and others to work as servers when you create test cases. In this example, has the client ports; has the server ports. You can add up to four pairs of appliances to a Test Center. FortiTester Handbook 171

FortiTester Handbook VERSION 3.3.1

FortiTester Handbook VERSION 3.3.1 FORTINET DOCUMENT LIBRARY http://docs.fortinet.com FORTINET VIDEO GUIDE http://video.fortinet.com FORTINET BLOG https://blog.fortinet.com CUSTOMER SERVICE & SUPPORT https://support.fortinet.com