FortiTester Handbook VERSION 2.5.0
Wednesday, March 09, 2016
FortiTester Handbook 2.5.0 1st Edition
TABLE OF CONTENTS

Change Log
Introduction
  Benefits
  What's New
Chapter 1 - Getting Started
  Connecting to FortiTester
  Configuring the management port
  Configuring system time
  Creating the admin password
Chapter 2 - Running Tests
  Test case configuration overview
  Using port binding
  Using network configuration templates
  Starting an HTTP CPS test
  Starting an HTTP RPS test
  Starting an HTTP CC test
  Starting an HTTPS CPS test
  Starting an HTTPS RPS test
  Starting a TCP connection test
  Starting a TCP throughput test
  Starting a TurboTCP test
  Starting a UDP PPS test
  Starting a UDP Payload test
  Starting an Attack Replay test
  Starting a Traffic Replay test
  Starting a DDoS test
  Starting a DNS test
  Stopping tests
  Displaying test status
  Viewing test results
  Exporting/importing a test case
  Scheduling cases
Chapter 3 - System Administration
  Displaying system status
  Updating firmware
  Shutting down the system
  Rebooting the system
  Resetting the system
  Creating test users
Chapter 4 - Joining multiple appliances into a Test Center
  Changing the work mode setting
Chapter 5 - Using the Command-Line Interface
  Getting CLI help
  Command descriptions
Change Log

Date        Change Description
2016-3-9    FortiTester 2.5.0 initial release.
Introduction

Welcome, and thank you for selecting Fortinet products for your testing environment.

FortiTester appliance models are powerful and easy-to-use tools that test the performance of your network devices.

This document describes how to set up your FortiTester appliance. It also describes how to use the web user interface (web UI) and command-line interface (CLI).
Benefits

FortiTester is a network traffic test tool that is based on Fortinet's specialized hardware and software platform. It provides the following types of tests:

HTTP/HTTPS CPS test: FortiTester can test new connections per second (CPS) performance by simulating multiple clients that generate HTTP or HTTPS traffic.

HTTP/HTTPS RPS test: FortiTester can test requests per second (RPS) performance by simulating multiple clients that generate HTTP or HTTPS traffic.

HTTP CC test: FortiTester can test HTTP concurrent connection (CC) performance by simulating multiple clients that generate HTTP traffic.

TCP throughput test: FortiTester can test TCP throughput performance of a DUT (Device Under Test) by generating a specified volume of two-way TCP traffic flows via specified ports.

TCP connection test: FortiTester can test TCP concurrent connections performance by generating a specified volume of two-way TCP traffic flow via specified ports.

TurboTCP test: FortiTester can test new connections per second (CPS) performance by generating a specified volume of two-way TurboTCP traffic flows via specified ports.

UDP PPS test: FortiTester can test UDP throughput performance by sending a specified size of UDP frames at a maximum or limited speed from simulated clients to simulated servers.

UDP Payload test: The FortiTester system can test UDP payload by sending UDP frames with a user-specified payload.

Attack Replay test: FortiTester can test security systems by replaying a predefined set of attack traffic or pcaps that you upload. The predefined set covers 100 types of attacks.

Traffic Replay test: FortiTester can test user-defined scenarios by replaying any pcap file. Typically, pcap files are generated by programs like tcpdump or Wireshark.

DDoS test: FortiTester can send multiple types of distributed denial of service (DDoS) attack traffic to test DDoS detection/prevention systems.

DNS Latency test: FortiTester can send DNS query traffic to test latency to a server or through a gateway.
What's New

The following features are introduced in 2.5.0:

New Test Center / Slave work mode: Scale test capacity by joining multiple FortiTester appliances. See Chapter 4 - Joining multiple appliances into a Test Center.

New TurboTCP test: A case to test new connections per second (CPS) performance by generating a specified volume of two-way TurboTCP traffic flow via specified ports. See Starting a TurboTCP test.

New DDoS test case: A case to send multiple types of distributed denial of service (DDoS) attack traffic to test DDoS detection/prevention systems. See Starting a DDoS test.

New DNS test case: A case to send DNS query traffic to test latency to a server or through a gateway. See Starting a DNS test.

Network Config template: Simplify test case configuration using templates for client/server port network settings. See Using network configuration templates.

New tuning options: Additional settings for test load, as well as client and server profiles. Review the load, client, and server profile options listed for the test cases in Chapter 2 - Running Tests.

GUI enhancement: Improved presentation of statistics in reports. See Displaying test status.
Chapter 1 - Getting Started

This chapter provides the procedures for getting started with FortiTester.

Connecting to FortiTester

A basic network connection topology for FortiTester is shown in the following figure.

Figure 1: A basic network connection topology

A FortiTester appliance has multiple network ports. In most cases, one port is for management and the others are for testing.

The management port (usually mgmt or port1) connects to a local network to enable the user to access the FortiTester appliance via the web UI.

The test ports are divided into client ports and server ports that connect to the device under test (DUT). Client ports simulate multiple client devices that access the simulated server devices via server ports.

When you use one FortiTester appliance in standalone work mode, the test ports on the standalone appliance are divided between client and server. Figure 2 shows the distribution of ports in a standalone environment. Port 1, a client port, is paired with port 3, a server port; port 2, a client port, is paired with port 4, a server port.

Figure 2: Test ports in standalone work mode

If your tests require more ports, you can join up to 4 pairs of FortiTester appliances in a Test Center. Figure 3 shows the distribution of ports in a Test Center environment with two FortiTester appliances. Ports 1-4 of the first appliance are client ports; ports 1-4 of the second appliance are server ports. Port 1 on the first appliance is paired with port 1 on the second appliance.
Figure 3: Test ports in Test Center / Slave work mode

For information on configuring a Test Center, see Chapter 4 - Joining multiple appliances into a Test Center.

Configuring the management port

The management port must be connected to the same switch as the administrator client computer. The following procedure assumes that the default management port IP address (192.168.1.99) is not on the same subnet as your client computer.

To configure the management port:

1. Configure your computer to match the FortiTester default management port subnet. For example, from the Windows 7 Control Panel, go to Network and Sharing Center. Click the Local Area Connection link, and then click the Properties button. Select Internet Protocol Version 4 (TCP/IPv4) and then click its Properties button. Select Use the following IP address, and then enter the following settings:
   IP address: 192.168.1.2
   Subnet mask: 255.255.255.0
2. To connect to the web UI, start a web browser and go to http://192.168.1.99.
3. Type admin in the Username field, enter the password, and then click Login.
4. In the top banner, click the icon to display the System settings page.
5. Click the Device Ports tab.
6. For the management port, change its IP address, netmask, and default gateway. The following example changes the management IP address to 192.168.1.199.
Figure 4: Set management port

7. Click Apply to complete configuration of the management port.
8. Click the DNS Server tab.
9. Enter the IP address for the DNS server, and then click Apply. Note that you can add more than one DNS server.
10. Change the IP address of your client PC to the same network segment used by the management port IP address.
11. To log into the web UI again, enter the new management IP address in a web browser.

Configuring system time

You can use the System page to change the system time. You can manually modify the time or synchronize the system time with an NTP server.

To configure system time:

1. In the top banner, click the icon to display the System settings page.
2. Under System Time, click the Change link to display the Time dialog box.
3. Set the system time or synchronize time with an NTP server, as described in Table 1.
4. Save the configuration.

Table 1: System Time

Time Zone: Select the time zone where the FortiTester appliance is installed.
System Time: The text boxes are populated with the current settings for the system date and time. You can change these manually.
Synchronize with NTP Server: Enter the IP address or domain name of an NTP server. To find an NTP server that you can use, see http://www.ntp.org. The time is not synched at a regular interval, only when you click the Save button.
Creating the admin password

FortiTester has a default user admin. By default, there is no password.

To change the password for the admin account:

1. In the top banner, click the admin link.
2. Select Modify Password from the drop down menu.
3. Enter the old password, the new password, and save the configuration.
Chapter 2 - Running Tests

This chapter provides procedures for running tests and viewing test results.

Test case configuration overview

The test case configuration workflow includes the following standard elements:

Test type: The test template to use. It determines the mandatory and optional settings for specific cases.
Case options: IP version, DUT mode, and optional port binding.
Interface ports: Client and server interface port configuration.
Optional elements: Whether to take packet captures, whether to schedule the job.
Test case specifics: Variables that determine the test parameters, such as load, rates/limits, and client/server profiles and actions.

The first four items set up the basic test environment. Once you become familiar with them, you can assume they can be configured in the same manner for each test. The test case specifics are key to testing the performance of the device under test (DUT). We recommend you become familiar with guidelines for test case specifics whenever you get started with a new test case type.

Using port binding

The FortiTester system can bind multiple physical ports as one logical port. We call this feature port binding. The physical ports in one logical port share one network configuration, such as IP address, netmask, and gateway.

This feature is useful in the following scenarios:

To test the link aggregation feature of a DUT. A DUT might also support port binding (also called link aggregation or TRUNK). In that case, FortiTester can test this feature and its performance.

To test 40G/100G ports of a DUT. A DUT might have some ports that have bandwidth greater than a single FortiTester port. To test such port performance, we can bind multiple FortiTester ports as one logical port and connect to a switch to transfer traffic with a DUT. For example, a FortiTester appliance can bind 4 10G ports as one to test a 40G port in a DUT via a 10G/40G switch.

FortiTester averages traffic on physical ports that belong to one logical port.

Note: Only the DNS, TCP, HTTP, and HTTPS tests support port binding.
Using network configuration templates

Many test cases you may want to run will have the same basic network setup. To simplify configuration, you can create a network configuration template and then import it when you initially configure test case settings. The template settings are used to populate the network settings for the new test case configuration.

The network configuration template specifies the IP address type, DUT working mode, client/server port settings, subnet settings, and (optional) port binding settings.

You can only import template settings if the IP address type and DUT working mode you select in the new test case popup dialog box match the settings in the network configuration template.

After the settings have been imported, you can modify client/server port settings, subnet settings, and port binding settings if necessary.

To create a network configuration template:

1. Go to Cases > Config Network.
2. Click Add to display the configuration page.
3. In the popup dialog, configure the following settings:
   IP Version: IPv4 or IPv6.
   DUT Working Mode: Transparent mode, NAT mode, or Web Proxy mode. In the transparent mode, the DUT does not change the IP address of the packet. In NAT mode, the address is translated. In Web Proxy mode, the proxy address is used. If the DUT is configured in Web Proxy mode (e.g. a WAF), select Web Proxy.
   Port Binding: Optional. Port binding aggregates two or more physical ports into one logical port.
   Click OK to continue.
4. Complete the configuration as described in Table 2.
5. Save the configuration.

Table 2: Network configuration object settings

Basic Information
Name: Specify a configuration name, or use the default. The name appears in the Network Config drop-down list when you configure test cases.
Network
Client Ports, Server Ports: The page lists all the test ports for client-side and server-side connections. The client ports simulate the behavior of clients; the server ports simulate the behavior of servers. FortiTester builds the TCP connections between client ports and server ports (and through the DUT, of course). You must select at least one client port and one server port. After you select a port for client, a check mark is displayed on the port icon. The same port on the server side is no longer available.

Subnet
IP Address or Range: Specify a single IP address with standard format (for example, 10.1.2.1) or an address range like 10.1.2.1-10.1.2.99.
Netmask: Specify a netmask between 1 and 31.
Gateway: NAT mode only. Specify the gateway IP address.
Peer Network: NAT mode only. Specify the peer network subnet address.
Proxy IP/Mask: Web Proxy mode only. Specify the proxy IP address/netmask.
Add Subnet: If necessary, click +Add Subnet to display additional subnet configuration controls. An interface port can have multiple subnets. FortiTester uses all IP addresses in the specified subnets to create TCP connections and transfer data.

Starting an HTTP CPS test

FortiTester tests HTTP new connections per second (CPS) performance by simulating multiple clients that generate HTTP traffic. The traffic generated for each connection includes the TCP three-way handshake, HTTP request and HTTP response (complete HTTP transaction), and the TCP connection close (FIN, ACK, FIN, ACK). Each TCP packet has one HTTP GET request. The traffic is HTTP1.0 without HTTP persistent connections (HTTP keep-alive).

Note the following limitations:

The test does not support some TCP packet options, such as timestamp, and so on.
You cannot modify the HTTP request or HTTP response headers.
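The per-connection sequence described above (handshake, one HTTP transaction, close) can be checked independently of the tester's own counters from a packet capture of the test traffic. The following Python example is added here and is not part of the handbook or of FortiTester; it assumes a classic libpcap file with untagged Ethernet/IPv4 framing and server port 80, counts new client connections per second and connections that were never closed, and runs on a constructed sample capture.

```python
import struct
from collections import Counter

FIN, SYN, RST, ACK = 0x01, 0x02, 0x04, 0x10
# Magic bytes of a classic (microsecond) pcap file -> struct byte-order prefix.
PCAP_MAGICS = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}


def iter_tcp(pcap):
    """Yield (ts_sec, src, sport, dst, dport, flags) for each IPv4/TCP frame."""
    endian = PCAP_MAGICS.get(pcap[:4])
    if endian is None or len(pcap) < 24:
        raise ValueError("not a classic pcap file")
    if struct.unpack(endian + "I", pcap[20:24])[0] != 1:
        raise ValueError("only Ethernet (linktype 1) captures are handled")
    pos = 24
    while pos + 16 <= len(pcap):
        ts_sec, _usec, incl_len, _orig = struct.unpack(endian + "IIII", pcap[pos:pos + 16])
        frame = pcap[pos + 16:pos + 16 + incl_len]
        pos += 16 + incl_len
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":
            continue  # truncated, VLAN-tagged or not IPv4: skipped in this example
        ihl = (frame[14] & 0x0F) * 4
        if frame[23] != 6 or len(frame) < 14 + ihl + 14:
            continue  # not TCP, or TCP header cut off by the snap length
        tcp = frame[14 + ihl:]
        sport, dport = struct.unpack("!HH", tcp[:4])
        yield ts_sec, frame[26:30], sport, frame[30:34], dport, tcp[13]


def measure_cps(pcap, server_port=80):
    """Return ({second: new connections}, number of flows opened but never closed)."""
    per_second = Counter()
    open_flows = set()
    for ts, src, sport, dst, dport, flags in iter_tcp(pcap):
        if dport == server_port and flags & SYN and not flags & ACK:
            flow = (src, sport, dst, dport)
            if flow not in open_flows:  # a retransmitted SYN is not a new connection
                per_second[ts] += 1
                open_flows.add(flow)
        elif flags & (FIN | RST):
            # Either side may close; normalise to the client -> server tuple.
            if dport == server_port:
                flow = (src, sport, dst, dport)
            else:
                flow = (dst, dport, src, sport)
            open_flows.discard(flow)
    return dict(per_second), len(open_flows)


def _frame(ts, src, sport, dst, dport, flags):
    """Constructed record: Ethernet + 20-byte IPv4 + 20-byte TCP, checksums left zero."""
    eth = b"\x00" * 12 + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0, bytes(src), bytes(dst))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 0x50, flags, 65535, 0, 0)
    pkt = eth + ip + tcp
    return struct.pack("<IIII", ts, 0, len(pkt), len(pkt)) + pkt


def build_sample_pcap():
    """Constructed capture: 3 connections in second 100, 2 in second 101, one left open."""
    client, server = (10, 1, 2, 1), (10, 1, 3, 1)  # sample addresses, not from a real test
    out = struct.pack("<4sHHiIII", b"\xd4\xc3\xb2\xa1", 2, 4, 0, 0, 65535, 1)
    flows = [(100, 10000, FIN | ACK), (100, 10001, RST), (100, 10002, FIN | ACK),
             (101, 10003, FIN | ACK), (101, 10004, None)]
    for ts, sport, close in flows:
        out += _frame(ts, client, sport, server, 80, SYN)
        out += _frame(ts, server, 80, client, sport, SYN | ACK)
        out += _frame(ts, client, sport, server, 80, ACK)
        if close is not None:
            out += _frame(ts, server, 80, client, sport, close)  # server-side close
    out += _frame(101, client, 10004, server, 80, SYN)  # retransmitted SYN, not counted
    return out


if __name__ == "__main__":
    cps, unclosed = measure_cps(build_sample_pcap())
    for second in sorted(cps):
        print(f"t={second}s new connections: {cps[second]}")
    print(f"connections never closed: {unclosed}")
```

A per-second count that falls well below the tester's reported rate, or a growing number of unclosed flows, points at connections the DUT dropped or held open rather than at the load generator.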
To start an HTTP CPS test:

1. Go to Cases > HTTP > CPS to display the test case summary page.
2. Click Add to display the Case Options dialog box.
3. In the popup dialog, configure the following settings:
   IP Version: IPv4 or IPv6.
   DUT Working Mode: Transparent mode, NAT mode, or Web Proxy mode. In the transparent mode, the DUT does not change the IP address of the packet. In NAT mode, the address is translated. In Web Proxy mode, the proxy address is used. If the DUT is configured in Web Proxy mode (e.g. a WAF), select Web Proxy.
   Network Config: Select the default template or a user-defined template. The network settings and subnet settings for the test case configuration are imported from the template. You can modify these settings after they are imported.
   Performance Option: Fast HTTP Mode is enabled by default. Not configurable.
   Port Binding: Optional. Port binding aggregates two or more physical ports into one logical port.
   Click OK to continue.
4. Configure the test case options described in Table 3.
5. Click Start to run the test case.

FortiTester saves the configuration automatically so you can run the test again later. You can also click Save to save the test case without running it.

Tip: You can also copy an existing case, and change its settings to create a new case. In the case list, click Extend to clone the configuration. Only the case name is different from the original case.

Table 3: HTTP CPS Test Case configuration

Basic Information
Name: Specify the case name, or just use the default. The name appears in the list of test cases.
Number of Samples: Select the number of samples. The default is 20, which means the web UI will show the last 20 data samples (about 20 seconds) in the test case running page. You can select 20, 60, or 120.
Duration: Specify the test duration. The default is 10 minutes. The test stops automatically after the duration you specify.
Performance: Fast HTTP Mode is enabled by default. Not configurable.
Network
Client Ports, Server Ports: The graphic depicts the test ports for client-side and server-side connections. The client ports simulate the behavior of clients; the server ports simulate the behavior of servers. FortiTester builds the TCP connections between client ports and server ports (and through the DUT, of course). You must select at least one client port and one server port. After you select a port for client, a check mark is displayed on the port icon, and a tab for the port is added below the graphic. Use the tabs to toggle the Capture Packets and Subnet settings controls for each port.

Capture Packets
Capture Packets: Optional. Set packet capture options if you want to capture the traffic of this port. You can capture all packets or specify a number. You can set packet capture filters for host IP/port and protocol.
Note: The system allocates temporary disk space for packet captures. The limit is 200,000 packets. The packets are saved to a temporary file that you can download from the running test case page. The filename indicates whether it is client or server communication and the interface port number. For example, client_port1.pcap. When a subsequent test case with packet capture enabled uses the same interface port as a previous one, the previous file is overwritten.

Subnet
IP Address or Range: Specify a single IP address with standard format (for example, 10.1.2.1) or an address range like 10.1.2.1-10.1.2.99.
Netmask: Specify a netmask between 1 and 31.
Gateway: NAT mode only. Specify the gateway IP address.
Peer Network: NAT mode only. Specify the peer network subnet address.
Proxy IP/Mask: Web Proxy mode only. Specify the proxy IP address/netmask.
Add Subnet: If necessary, click +Add Subnet to display additional subnet configuration controls. An interface port can have multiple subnets. FortiTester uses all IP addresses in the specified subnets to create TCP connections and transfer data.
Load
Ping Server Timeout: If a FortiTester connects to a DUT via a switch, the switch might cause a ping timeout, resulting in the test case failing to run. If this occurs, increase the timeout. The default is 15 seconds. The valid range is 1 to 600.
Simulated Users: Number of users to simulate. Standalone mode: The default is 256. The valid range is 128 to 1024. Test Center mode: The default is 512, and the valid range is 128 to 2048, for example, for an environment with two FortiTester appliances.
Speed Limit: Rate of new transactions per second. The default is 0, which means the device will send traffic as fast as possible. Standalone mode: The valid range is 1,000 to 850,000 transactions per second (or the special value 0). Test Center mode: The valid range is 1,000 to 1,700,000, for example, for an environment with two FortiTester appliances.
Ramp Seconds: Time in seconds for traffic to ramp up/down when you start/stop the test.
Network MTU: Preset to 1500. Not configurable.

Profile (Client)
Source Port Range: Specify a client port range. The valid range is 10,000 to 65,535, which is also the default.
Client Close Mode: Select the connection close method: 3Way_Fin or Reset.
IP Change Algorithm / Port Change Algorithm: Select a change algorithm: Increment or Random. This setting determines how the system changes source/destination IP addresses and ports to simulate multiple client requests. The Increment option uses the next IP address or port in the range, for example: 10.11.12.1 -> 10.11.12.2; port 10000 -> 10001. The Random option selects an IP address or port in the range randomly.
Request Header: Preset to UserAgent: Firefox/41.0. Not configurable.
Piggybacking: Enabled, meaning an acknowledgement is sent on the data frame, not in an individual frame. Not configurable.
Profile (Server)
Server Port: Preset to 80. Not configurable.
Server Close Mode: Select the connection close method: 3Way_Fin or Reset.
Response Header: Preset to Server: nginx/1.9.5. Not configurable.
Piggybacking: Enabled. Not configurable.

Action
Get page: Select the file that the simulated clients access. The default is index_4bytes.html. Optionally, you can upload a customized HTML file. For Fast HTTP mode, the file size limit is 1200 bytes; for Common HTTP mode, the file size limit is 20 MB.

Starting an HTTP RPS test

FortiTester tests requests per second (RPS) performance by simulating multiple clients that generate HTTP traffic. All requests include a TCP three-way handshake, one HTTP request and response, and a TCP connection close (FIN, ACK, FIN, ACK). There are 10 HTTP GET requests per TCP connection and 100 HTTP GET requests per TCP connection for Layer4/HTTPS testing.

Note the following limitations:

The test does not support some TCP packet options, such as timestamp, and so on.
You cannot modify the HTTP request or HTTP response headers.

To start an HTTP RPS test:

1. Go to Cases > HTTP > RPS to display the test case summary page.
2. Click Add to display the Case Options dialog box.
3. In the popup dialog, configure the following settings:
   IP Version: IPv4 or IPv6.
   DUT Working Mode: Transparent mode, NAT mode, or Web Proxy mode. In the transparent mode, the DUT does not change the IP address of the packet. In NAT mode, the address is translated. In Web Proxy mode, the proxy address is used. If the DUT is configured in Web Proxy mode (e.g. a WAF), select Web Proxy.
   Network Config: Select the default template or a user-defined template. The network settings and subnet settings for the test case configuration are imported from the template. You can modify these settings after they are imported.
   Performance Option: Fast HTTP Mode is enabled by default. Not configurable.
   Port Binding: Optional. Port binding aggregates two or more physical ports into one logical port.
   Click OK to continue.
4. Configure the test case options described in Table 4.
5. Click Start to run the test case.

FortiTester saves the configuration automatically so you can run the test again later. You can also click Save to save the test case without running it.

Tip: You can also copy an existing case, and change its settings to create a new case. In the case list, click Extend to clone the configuration. Only the case name is different from the original case.

Table 4: HTTP RPS Test Case configuration

Basic Information
Name: Specify the case name, or just use the default. The name appears in the list of test cases.
Number of Samples: Select the number of samples. The default is 20, which means the web UI will show the last 20 data samples (about 20 seconds) in the test case running page. You can select 20, 60, or 120.
Duration: Test duration. The default is 10 minutes. The test stops automatically after the duration you specify.
Performance: Fast HTTP Mode is enabled by default. Not configurable.

Network
Client Ports, Server Ports: The graphic depicts the test ports for client-side and server-side connections. The client ports simulate the behavior of clients; the server ports simulate the behavior of servers. FortiTester builds the TCP connections between client ports and server ports (and through the DUT, of course). You must select at least one client port and one server port. After you select a port for client, a check mark is displayed on the port icon, and a tab for the port is added below the graphic. Use the tabs to toggle the Capture Packets and Subnet settings controls for each port.
Capture Packets
Capture Packets: Optional. Set packet capture options if you want to capture the traffic of this port. You can capture all packets or specify a number. You can set packet capture filters for host IP/port and protocol.
Note: The system allocates temporary disk space for packet captures. The limit is 200,000 packets. The packets are saved to a temporary file that you can download from the running test case page. The filename indicates whether it is client or server communication and the interface port number. For example, client_port1.pcap. When a subsequent test case with packet capture enabled uses the same interface port as a previous one, the previous file is overwritten.

Subnet
IP Address or Range: Specify a single IP address with standard format (for example, 10.1.2.1) or an address range like 10.1.2.1-10.1.2.99.
Netmask: Specify a netmask between 1 and 31.
Gateway: NAT mode only. Specify the gateway IP address.
Peer Network: NAT mode only. Specify the peer network subnet address.
Proxy IP/Mask: Web Proxy mode only. Specify the proxy IP address/netmask.
Add Subnet: If necessary, click +Add Subnet to display additional subnet configuration controls. An interface port can have multiple subnets. FortiTester uses all IP addresses in the specified subnets to create TCP connections and transfer data.

Load
Ping Server Timeout: If a FortiTester connects to a DUT via a switch, the switch might cause a ping timeout, resulting in the test case failing to run. If this occurs, increase the timeout. The default is 15 seconds. The valid range is 1 to 600.
Simulated Users: Number of users to simulate. Standalone mode: The default is 256. The valid range is 128 to 1024. Test Center mode: The default is 512, and the valid range is 128 to 2048, for example, for an environment with two FortiTester appliances.
Requests per Connection: Number of HTTP requests per connection. The default is 0, which means as many as possible. The valid range is 0 to 50,000.
Speed Limit: Rate of requests per second. The default is 0, which means the device will send traffic as fast as possible. Standalone mode: The valid range is 1,000 to 1,600,000 requests per second (or the special value 0). Test Center mode: The valid range is 1,000 to 3,200,000, for example, for an environment with two FortiTester appliances.
Ramp Seconds: Time in seconds for traffic to ramp up/down when you start/stop the test.
Network MTU: Preset to 1500. Not configurable.

Profile (Client)
Source Port Range: Client port range. The valid range is 10,000 to 65,535, which is also the default.
Client Close Mode: Select the connection close method: 3Way_Fin or Reset.
IP Change Algorithm / Port Change Algorithm: Select a change algorithm: Increment or Random. This setting determines how the system changes source/destination IP addresses and ports to simulate multiple client requests. The Increment option uses the next IP address or port in the range, for example: 10.11.12.1 -> 10.11.12.2; port 10000 -> 10001. The Random option selects an IP address or port in the range randomly.
Request Header: Preset to UserAgent: Firefox/41.0. Not configurable.
Piggybacking: Enabled, meaning an acknowledgement is sent on the data frame, not in an individual frame. Not configurable.

Profile (Server)
Server Port: Preset to 80. Not configurable.
Server Close Mode: Preset to 3Way_Fin. Not configurable.
Response Header: Preset to Server: nginx/1.9.5. Not configurable.
Piggybacking: Enabled. Not configurable.
Action
Get Page: Select the file that the simulated clients access. The default is index_4bytes.html. Optionally, you can upload a customized HTML file. For Fast HTTP mode, the file size limit is 1200 bytes; for Common HTTP mode, the file size limit is 20 MB.

Starting an HTTP CC test

FortiTester tests HTTP concurrent connection (CC) performance by simulating multiple clients that generate HTTP traffic. All connections include a TCP three-way handshake, a loop of HTTP requests and responses (complete HTTP transaction), and close the connection with TCP FIN.

Note the following limitations:

The test does not support some TCP packet options, such as timestamp, and so on.
You cannot modify the HTTP request or HTTP response headers.

To start an HTTP CC test:

1. Go to Cases > HTTP > CC to display the test case summary page.
2. Click Add to display the Case Options dialog box.
3. In the popup dialog, configure the following settings:
   IP Version: IPv4 or IPv6.
   DUT Working Mode: Transparent mode or NAT mode. In the transparent mode, the DUT does not change the IP address of the packet. In NAT mode, the address is translated. In Web Proxy mode, the proxy address is used. If the DUT is configured in Web Proxy mode (e.g. a WAF), select Web Proxy.
   Network Config: Select the default template or a user-defined template. The network settings and subnet settings for the test case configuration are imported from the template. You can modify these settings after they are imported.
   Port Binding: Optional. Port binding aggregates two or more physical ports into one logical port.
   Click OK to continue.
4. Configure the test case options described in Table 5.
5. Click Start to run the test case.

FortiTester saves the configuration automatically so you can run the test again later. You can also click Save to save the test case without running it.

Tip: You can also copy an existing case, and change its settings to create a new case. In the case list, click Extend to clone the configuration. Only the case name is different from the original case.
Table 5: HTTP CC Test Case configuration

Basic Information
Name: Specify the case name, or just use the default. The name appears in the list of test cases.
Number of Samples: Select the number of samples. The default is 20, which means the web UI will show the last 20 data samples (about 20 seconds) in the test case running page. You can select 20, 60, or 120.
Duration: Specify the test duration. The default is 10 minutes. The test stops automatically after the duration you specify.

Network
Client Ports, Server Ports: The graphic depicts the test ports for client-side and server-side connections. The client ports simulate the behavior of clients; the server ports simulate the behavior of servers. FortiTester builds the TCP connections between client ports and server ports (and through the DUT, of course). You must select at least one client port and one server port. After you select a port for client, a check mark is displayed on the port icon, and a tab for the port is added below the graphic. Use the tabs to toggle the Capture Packets and Subnet settings controls for each port.

Capture Packets
Capture Packets: Optional. Set packet capture options if you want to capture the traffic of this port. You can capture all packets or specify a number. You can set packet capture filters for host IP/port and protocol.
Note: The system allocates temporary disk space for packet captures. The limit is 200,000 packets. The packets are saved to a temporary file that you can download from the running test case page. The filename indicates whether it is client or server communication and the interface port number. For example, client_port1.pcap. When a subsequent test case with packet capture enabled uses the same interface port as a previous one, the previous file is overwritten.
Subnet
IP Address or Range: Specify a single IP address with standard format (for example, 10.1.2.1) or an address range like 10.1.2.1-10.1.2.99.
Netmask: Specify a netmask between 1 and 31.
Gateway: NAT mode only. Specify the gateway IP address.
Peer Network: NAT mode only. Specify the peer network subnet address.
Proxy IP/Mask: Web Proxy mode only. Specify the proxy IP address/netmask.
Add Subnet: If necessary, click +Add Subnet to display additional subnet configuration controls. An interface port can have multiple subnets. FortiTester uses all IP addresses in the specified subnets to create TCP connections and transfer data.

Load
Ping Server Timeout: If a FortiTester connects to a DUT via a switch, the switch might cause a ping timeout, resulting in the test case failing to run. If this occurs, increase the timeout. The default is 15 seconds. The valid range is 1 to 600.
Simulated Users: Number of users to simulate. Standalone mode: The default is 256. The valid range is 128 to 1024. Test Center mode: The default is 512, and the valid range is 128 to 2048, for example, for an environment with two FortiTester appliances.
Concurrent connections: Number of concurrent connections. Standalone mode: The default is 5,000,000. The valid range is 1,000 to 5,000,000. Test Center mode: The default is 10,000,000, and the valid range is 1,000 to 10,000,000, for example, for an environment with two FortiTester appliances.
Speed Limit: Rate of new transactions per second. The default is 0, which means the device will send traffic as fast as possible. Standalone mode: The valid range is 256 to 600,000 transactions per second (or the special value 0). Test Center mode: The valid range is 256 to 1,200,000, for example, for an environment with two FortiTester appliances.
Think Time: Seconds that a simulated user waits between HTTP requests. The default is 5 seconds.
Network MTU: Preset to 1500. Not configurable.

Profile (Client)
Source Port Range: Specify a client port range. The valid range is 10,000 to 65,535, which is also the default.
Client Close Mode: Preset to Reset. Not configurable.
Request Header: Preset to UserAgent: Firefox/41.0. Not configurable.
Piggybacking: Enabled, meaning an acknowledgement is sent on the data frame, not in an individual frame. Not configurable.

Profile (Server)
Server Port: Preset to 80. Not configurable.
Server Close Mode: Preset to 3Way_Fin. Not configurable.
Response Header: Preset to Server: nginx/1.9.5. Not configurable.
Piggybacking: Enabled. Not configurable.

Action
Get page: Select the file that the simulated clients access. The default is index_4bytes.html. Optionally, you can upload a customized HTML file. The file size limit is 1200 bytes.

Starting an HTTPS CPS test

The HTTPS CPS test is the same as the HTTP CPS test, except it uses HTTPS traffic, does not have the Speed Limit option, and the MTU is editable.

To start an HTTPS CPS test:
1. Go to Cases > HTTPS > CPS to display the test case summary page.
2. Click Add to display the Case Options dialog box.
3. In the popup dialog, configure the following settings:
   IP Version: IPv4 or IPv6.
   DUT Working Mode: Transparent mode, NAT mode, or Web Proxy mode. In the transparent mode, the DUT does not change the IP address of the packet. In NAT mode, the address is translated. In Web Proxy mode, the proxy address is used. If the DUT is configured in Web Proxy mode (e.g. a WAF), select Web Proxy.
   Network Config: Select the default template or a user-defined template. The network settings and subnet settings for the test case configuration are imported from the template. You can modify these settings after they are imported.
   Port Binding: Optional. Port binding aggregates two or more physical ports into one logical port.
   Click OK to continue.
4. Configure the test case options described in Table 6.
5. Click Start to run the test case. FortiTester saves the configuration automatically so you can run the test again later. You can also click Save to save the test case without running it.

Tip: You can also copy an existing case, and change its settings to create a new case. In the case list, click Extend to clone the configuration. Only the case name is different from the original case.

Table 6: HTTPS CPS Test Case configuration

Basic Information
Name: Specify the case name, or just use the default. The name appears in the list of test cases.
Number of Samples: Select the number of samples. The default is 20, which means the web UI will show the last 20 sample data (about 20 seconds) in the test case running page. You can select 20, 60, or 120.
Duration: Specify the test duration. The default is 10 minutes. The test stops automatically after the duration you specify.
Network
Client Ports, Server Ports: The graphic depicts the test ports for client-side and server-side connections. The client ports simulate the behavior of clients; the server ports simulate the behavior of servers. FortiTester builds the TCP connections between client ports and server ports (and through the DUT, of course). You must select at least one client port and one server port. After you select a port for client, a check mark is displayed on the port icon, and a tab for the port is added below the graphic. Use the tabs to toggle the Capture Packets and Subnet settings controls for each port.

Capture Packets
Capture Packets: Optional. Set packet capture options if you want to capture the traffic of this port. You can capture all packets or specify a number. You can set packet capture filters for host IP/port and protocol. Note: The system allocates temporary disk space for packet captures. The limit is 200,000 packets. The packets are saved to a temporary file that you can download from the running test case page. The filename indicates whether it is client or server communication and the interface port number. For example, client_port1.pcap. When a subsequent test case with packet capture enabled uses the same interface port as a previous one, the previous file is overwritten.

Subnet
IP Address or Range: Specify a single IP address with standard format (for example, 10.1.2.1) or an address range like 10.1.2.1-10.1.2.99.
Netmask: Specify a netmask between 1 and 31.
Gateway: NAT mode only. Specify the gateway IP address.
Peer Network: NAT mode only. Specify the peer network subnet address.
Proxy IP/Mask: Web Proxy mode only. Specify the proxy IP address/netmask.
Add Subnet: If necessary, click +Add Subnet to display additional subnet configuration controls. An interface port can have multiple subnets. FortiTester uses all IP addresses in the specified subnets to create TCP connections and transfer data.
Load
Ping Server Timeout: If a FortiTester connects to a DUT via a switch, the switch might cause a ping timeout, resulting in the test case failing to run. If this occurs, increase the timeout. The default is 15 seconds. The valid range is 1 to 600.
Simulated Users: Number of users to simulate. Standalone mode: The default is 256. The valid range is 60 to 900. Test Center mode: The default is 512 and the valid range is 60 to 1,800, for example, for an environment with two FortiTester appliances.

Network
Network MTU: Maximum Transmission Unit for a data packet. FortiTester does not send out data packets larger than this value. Most DUTs have a limitation for packet size. The default is 1500. The valid range is 1,280 to 9,000.

Profile (Client)
Source Port Range: Preset to 10000-65535. Not configurable.
IP Change Algorithm / Port Change Algorithm: Determines how the system changes source/destination IP addresses and ports to simulate multiple client requests. Preset to Random. Not configurable. The Random option selects an IP address or port in the range randomly.
Request Header: Preset to UserAgent: Firefox/41.0. Not configurable.

Profile (Server)
Server Port: Preset to 80, 443. Not configurable.
Server Close Mode: Preset to 3Way_Fin. Not configurable.
Key Length: Length of SSL key for encryption/decryption. The default is 1024. The valid range is 1024 or 2048.
Response Header: Preset to Server: nginx/1.9.5. Not configurable.
Action
Get page: Select the file that the simulated clients access. The default is index_4bytes.html. Optionally, you can upload a customized HTML file. For Fast HTTP mode, the file size limit is 1200 bytes; for Common HTTP mode, the file size limit is 20 MB.

Starting an HTTPS RPS test

The HTTPS RPS test is the same as the HTTP RPS test, except it uses HTTPS traffic, does not have the Speed Limit option, and the MTU is editable.

To start an HTTPS RPS test:
1. Go to Cases > HTTPS > RPS to display the test case summary page.
2. Click Add to display the Case Options dialog box.
3. In the popup dialog, configure the following settings:
   IP Version: IPv4 or IPv6.
   DUT Working Mode: Transparent mode, NAT mode, or Web Proxy mode. In the transparent mode, the DUT does not change the IP address of the packet. In NAT mode, the address is translated. In Web Proxy mode, the proxy address is used. If the DUT is configured in Web Proxy mode (e.g. a WAF), select Web Proxy.
   Network Config: Select the default template or a user-defined template. The network settings and subnet settings for the test case configuration are imported from the template. You can modify these settings after they are imported.
   Port Binding: Optional. Port binding aggregates two or more physical ports into one logical port.
   Click OK to continue.
4. Configure the test case options described in Table 7.
5. Click Start to run the test case. FortiTester saves the configuration automatically so you can run the test again later. You can also click Save to save the test case without running it.

Tip: You can also copy an existing case, and change its settings to create a new case. In the case list, click Extend to clone the configuration. Only the case name is different from the original case.
Table 7: HTTPS RPS Test Case configuration

Basic Information
Name: Specify the case name, or just use the default. The name appears in the list of test cases.
Number of Samples: Select the number of samples. The default is 20, which means the web UI will show the last 20 sample data (about 20 seconds) in the test case running page. You can select 20, 60, or 120.
Duration: Specify the test duration. The default is 10 minutes. The test stops automatically after the duration you specify.

Network
Client Ports, Server Ports: The graphic depicts the test ports for client-side and server-side connections. The client ports simulate the behavior of clients; the server ports simulate the behavior of servers. FortiTester builds the TCP connections between client ports and server ports (and through the DUT, of course). You must select at least one client port and one server port. After you select a port for client, a check mark is displayed on the port icon, and a tab for the port is added below the graphic. Use the tabs to toggle the Capture Packets and Subnet settings controls for each port.

Capture Packets
Capture Packets: Optional. Set packet capture options if you want to capture the traffic of this port. You can capture all packets or specify a number. You can set packet capture filters for host IP/port and protocol. Note: The system allocates temporary disk space for packet captures. The limit is 200,000 packets. The packets are saved to a temporary file that you can download from the running test case page. The filename indicates whether it is client or server communication and the interface port number. For example, client_port1.pcap. When a subsequent test case with packet capture enabled uses the same interface port as a previous one, the previous file is overwritten.
Subnet
IP Address or Range: Specify a single IP address with standard format (for example, 10.1.2.1) or an address range like 10.1.2.1-10.1.2.99.
Netmask: Specify a netmask between 1 and 31.
Gateway: NAT mode only. Specify the gateway IP address.
Peer Network: NAT mode only. Specify the peer network subnet address.
Proxy IP/Mask: Web Proxy mode only. Specify the proxy IP address/netmask.
Add Subnet: If necessary, click +Add Subnet to display additional subnet configuration controls. An interface port can have multiple subnets. FortiTester uses all IP addresses in the specified subnets to create TCP connections and transfer data.

Load
Ping Server Timeout: If a FortiTester connects to a DUT via a switch, the switch might cause a ping timeout, resulting in the test case failing to run. If this occurs, increase the timeout. The default is 15 seconds. The valid range is 1 to 600.
Simulated Users: Number of users to simulate. Standalone mode: The default is 256. The valid range is 60 to 900. Test Center mode: The default is 512, and the valid range is 60 to 1,800, for example, for an environment with two FortiTester appliances.
Requests per Connection: Rate of HTTP requests per connection. The default is 200. The valid range is 200 to 10,000.
Speed Limit: Rate of requests per second. The default is 0, which means the device will send traffic as fast as possible. Standalone mode: The valid range is 100 to 1,600,000 requests per second (or the special value 0). Test Center mode: The valid range is 100 to 3,200,000, for example, for an environment with two FortiTester appliances.
Ramp Seconds: Time in seconds for traffic to ramp up/down when you start/stop the test.
Network
Network MTU: Maximum Transmission Unit for a data packet. FortiTester does not send out data packets larger than this value. Most DUTs have a limitation for packet size. The default is 1500. The valid range is 1,280 to 9,000.

Profile (Client)
Source Port Range: Preset to 10000-65535. Not configurable.
IP Change Algorithm / Port Change Algorithm: Determines how the system changes source/destination IP addresses and ports to simulate multiple client requests. Preset to Random. Not configurable. The Random option selects an IP address or port in the range randomly.
Request Header: Preset to UserAgent: Firefox/41.0. Not configurable.

Profile (Server)
Server Port: Preset to 80, 443. Not configurable.
Server Close Mode: Preset to Reset. Not configurable.
Key Length: Length of SSL key for encryption/decryption. The default is 1024. The valid range is 1024 or 2048.
Response Header: Preset to Server: nginx/1.9.5. Not configurable.

Action
Get page: Select the file that the simulated clients access. The default is index_4bytes.html. Optionally, you can upload a customized HTML file. The file size limit is 20 MB.

Starting a TCP connection test

FortiTester tests TCP concurrent connection performance by generating a specified volume of two-way TCP traffic flow via specified ports.

To start a TCP connection test:
1. Go to Cases > TCP > Connection to display the test case summary page.
2. Click Add to display the Case Options dialog box.
3. In the popup dialog, configure the following settings:
   IP Version: IPv4 or IPv6.
   DUT Working Mode: Transparent mode or NAT mode. In the transparent mode, the DUT does not change the IP address of the packet. In NAT mode, the address is translated.
   Network Config: Select the default template or a user-defined template. The network settings and subnet settings for the test case configuration are imported from the template. You can modify these settings after they are imported.
   Port Binding: Optional. Port binding aggregates two or more physical ports into one logical port.
   Click OK to continue.
4. Configure the test case options described in Table 8.
5. Click Start to run the test case. FortiTester saves the configuration automatically so you can run the test again later. You can also click Save to save the test case without running it.

Tip: You can also copy an existing case, and change its settings to create a new case. In the case list, click Extend to clone the configuration. Only the case name is different from the original case.

Table 8: TCP Connection Test Case configuration

Basic Information
Name: Specify the case name, or just use the default. The name appears in the list of test cases.
Number of Samples: Select the number of samples. The default is 20, which means the web UI will show the last 20 sample data (about 20 seconds) in the test case running page. You can select 20, 60, or 120.
Duration: Specify the test duration. The default is 10 minutes. The test stops automatically after the duration you specify.
Network
Client Ports, Server Ports: The graphic depicts the test ports for client-side and server-side connections. The client ports simulate the behavior of clients; the server ports simulate the behavior of servers. FortiTester builds the TCP connections between client ports and server ports (and through the DUT, of course). You must select at least one client port and one server port. After you select a port for client, a check mark is displayed on the port icon, and a tab for the port is added below the graphic. Use the tabs to toggle the Capture Packets and Subnet settings controls for each port.

Capture Packets
Capture Packets: Optional. Set packet capture options if you want to capture the traffic of this port. You can capture all packets or specify a number. You can set packet capture filters for host IP/port and protocol. Note: The system allocates temporary disk space for packet captures. The limit is 200,000 packets. The packets are saved to a temporary file that you can download from the running test case page. The filename indicates whether it is client or server communication and the interface port number. For example, client_port1.pcap. When a subsequent test case with packet capture enabled uses the same interface port as a previous one, the previous file is overwritten.

Subnet
IP Address or Range: Specify a single IP address with standard format (for example, 10.1.2.1) or an address range like 10.1.2.1-10.1.2.99.
Netmask: Specify a netmask between 1 and 31.
Gateway: NAT mode only. Specify the gateway IP address.
Peer Network: NAT mode only. Specify the peer network subnet address.
Add Subnet: If necessary, click +Add Subnet to display additional subnet configuration controls. An interface port can have multiple subnets. FortiTester uses all IP addresses in the specified subnets to create TCP connections and transfer data.
Load
Ping Server Timeout: If a FortiTester connects to a DUT via a switch, the switch might cause a ping timeout, resulting in the test case failing to run. If this occurs, increase the timeout. The default is 15 seconds. The valid range is 1 to 600.
Simulated Users: Number of users to simulate. Standalone mode: The default is 256. The valid range is 128 to 1024. Test Center mode: The default is 512, and the valid range is 128 to 2048, for example, for an environment with two FortiTester appliances.
Concurrent Connection: Number of concurrent connections. Standalone mode: The default is 5,000,000. The valid range is 1,000 to 5,000,000. Test Center mode: The default is 10,000,000, and the valid range is 1,000 to 10,000,000, for example, for an environment with two FortiTester appliances.
Speed Limit: Rate of new connections per second. The default is 0, which means the device will create connections as fast as possible. Standalone mode: The valid range is 256 to 600,000 connections per second (or the special value 0). Test Center mode: The valid range is 256 to 1,200,000, for example, for an environment with two FortiTester appliances.
Network MTU: Preset to 1500. Not configurable.

Profile (Client)
Source Port Range: Specify a client port range. The valid range is 10,000 to 65,535, which is also the default.
Client Close Mode: Preset to Reset. Not configurable.
Piggybacking: Disabled. Not configurable.

Profile (Server)
Server Port: Preset to 80. Not configurable.
Server Close Mode: Preset to 3Way_Fin. Not configurable.
Piggybacking: Enabled, meaning an acknowledgement is sent on the data frame, not in an individual frame. Not configurable.

Starting a TCP throughput test

FortiTester tests TCP throughput by generating a specified volume of two-way TCP traffic flow via specified ports.

To start a TCP throughput test:
1. Go to Cases > TCP > Throughput to display the test case summary page.
2. Click Add to display the Case Options dialog box.
3. In the popup dialog, configure the following settings:
   IP Version: IPv4 or IPv6.
   DUT Working Mode: Transparent mode or NAT mode. In the transparent mode, the DUT does not change the IP address of the packet. In NAT mode, the address is translated.
   Network Config: Select the default template or a user-defined template. The network settings and subnet settings for the test case configuration are imported from the template. You can modify these settings after they are imported.
   Port Binding: Optional. Port binding aggregates two or more physical ports into one logical port.
   Click OK to continue.
4. Configure the test case options described in Table 9.
5. Click Start to run the test case. FortiTester saves the configuration automatically so you can run the test again later. You can also click Save to save the test case without running it.

Tip: You can also copy an existing case, and change its settings to create a new case. In the case list, click Extend to clone the configuration. Only the case name is different from the original case.

Table 9: TCP Throughput Test Case configuration

Basic Information
Name: Specify the case name, or just use the default. The name appears in the list of test cases.
Number of Samples: Select the number of samples. The default is 20, which means the web UI will show the last 20 sample data (about 20 seconds) in the test case running page. You can select 20, 60, or 120.
Duration: Specify the test duration. The default is 10 minutes. The test stops automatically after the duration you specify.
Performance: Preset to Fast HTTP Mode. Not configurable.

Network
Client Ports, Server Ports: The graphic depicts the test ports for client-side and server-side connections. The client ports simulate the behavior of clients; the server ports simulate the behavior of servers. FortiTester builds the TCP connections between client ports and server ports (and through the DUT, of course). You must select at least one client port and one server port. After you select a port for client, a check mark is displayed on the port icon, and a tab for the port is added below the graphic. Use the tabs to toggle the Capture Packets and Subnet settings controls for each port.

Capture Packets
Capture Packets: Optional. Set packet capture options if you want to capture the traffic of this port. You can capture all packets or specify a number. You can set packet capture filters for host IP/port and protocol. Note: The system allocates temporary disk space for packet captures. The limit is 200,000 packets. The packets are saved to a temporary file that you can download from the running test case page. The filename indicates whether it is client or server communication and the interface port number. For example, client_port1.pcap. When a subsequent test case with packet capture enabled uses the same interface port as a previous one, the previous file is overwritten.

Subnet
IP Address or Range: Specify a single IP address with standard format (for example, 10.1.2.1) or an address range like 10.1.2.1-10.1.2.99.
Netmask: Specify a netmask between 1 and 31.
Gateway: NAT mode only. Specify the gateway IP address.
Peer Network: NAT mode only. Specify the peer network subnet address.
Add Subnet: If necessary, click +Add Subnet to display additional subnet configuration controls. An interface port can have multiple subnets. FortiTester uses all IP addresses in the specified subnets to create TCP connections and transfer data.

Load
Ping Server Timeout: If a FortiTester connects to a DUT via a switch, the switch might cause a ping timeout, resulting in the test case failing to run. If this occurs, increase the timeout. The default is 15 seconds. The valid range is 1 to 600.
Simulated Users: Number of users to simulate. Standalone mode: The default is 256. The valid range is 128 to 1024. Test Center mode: The default is 512, and the valid range is 128 to 2048, for example, for an environment with two FortiTester appliances.
Bandwidth Limit: TCP data load. The default is the special value 0, which means to transfer as much data as FortiTester can generate. For all other values, the unit is Mbit per second.

Network
Network MTU: Maximum Transmission Unit for a data packet. FortiTester does not send out data packets larger than this value. Most DUTs have a limitation for packet size. The default is 1500. Fortinet recommends that you use the default.
Throughput Buffer Size: TCP buffer size. The bigger the buffer, the better the throughput. The default is 1460 bytes. The valid range is 64 to 10M.

Profile (Client)
Source Port Range: Specify a client port range. The valid range is 10,000 to 65,535, which is also the default.
IP Change Algorithm / Port Change Algorithm: Select a change algorithm: Increment or Random. This setting determines how the system changes source/destination IP addresses and ports to simulate multiple client requests. The Increment option uses the next IP address or port in the range, for example: 10.11.12.1 -> 10.11.12.2; port 10000 -> 10001.
The Random option selects an IP address or port in the range randomly.
Piggybacking: Enabled, meaning an acknowledgment is sent on the data frame, not in an individual frame. Not configurable.

Profile (Server)
Server Port: Preset to 6500. Not configurable.
Server Close Mode: Select the connection close method: 3Way_Fin or Reset.
Piggybacking: Enabled. Not configurable.

Starting a TurboTCP test

FortiTester tests TurboTCP connections per second (CPS) performance by generating a specified volume of two-way TCP traffic flow via specified ports. The traffic generated for each connection includes the TCP three-way handshake and the TCP connection close (Reset).

To start a TurboTCP test:
1. Go to Cases > TCP > TurboTCP to display the test case summary page.
2. Click Add to display the Case Options dialog box.
3. In the popup dialog, configure the following settings:
   IP Version: IPv4 or IPv6.
   DUT Working Mode: Transparent mode, NAT mode, or Web Proxy mode. In the transparent mode, the DUT does not change the IP address of the packet. In NAT mode, the address is translated. In Web Proxy mode, the proxy address is used. If the DUT is configured in Web Proxy mode (e.g. a WAF), select Web Proxy.
   Network Config: Select the default template or a user-defined template. The network settings and subnet settings for the test case configuration are imported from the template. You can modify these settings after they are imported.
   Port Binding: Optional. Port binding aggregates two or more physical ports into one logical port.
   Click OK to continue.
4. Configure the test case options described in Table 10.
5. Click Start to run the test case. FortiTester saves the configuration automatically so you can run the test again later. You can also click Save to save the test case without running it.

Tip: You can also copy an existing case, and change its settings to create a new case. In the case list, click Extend to clone the configuration. Only the case name is different from the original case.
Table 10: TurboTCP Test Case configuration

Basic Information
Name: Specify the case name, or just use the default. The name appears in the list of test cases.
Number of Samples: Select the number of samples. The default is 20, which means the web UI will show the last 20 sample data (about 20 seconds) in the test case running page. You can select 20, 60, or 120.
Duration: Specify the test duration. The default is 10 minutes. The test stops automatically after the duration you specify.

Network
Client Ports, Server Ports: The graphic depicts the test ports for client-side and server-side connections. The client ports simulate the behavior of clients; the server ports simulate the behavior of servers. FortiTester builds the TCP connections between client ports and server ports (and through the DUT, of course). You must select at least one client port and one server port. After you select a port for client, a check mark is displayed on the port icon, and a tab for the port is added below the graphic. Use the tabs to toggle the Capture Packets and Subnet settings controls for each port.

Capture Packets
Capture Packets: Optional. Set packet capture options if you want to capture the traffic of this port. You can capture all packets or specify a number. You can set packet capture filters for host IP/port and protocol. Note: The system allocates temporary disk space for packet captures. The limit is 200,000 packets. The packets are saved to a temporary file that you can download from the running test case page. The filename indicates whether it is client or server communication and the interface port number. For example, client_port1.pcap. When a subsequent test case with packet capture enabled uses the same interface port as a previous one, the previous file is overwritten.
Subnet
IP Address or Range: Specify a single IP address with standard format (for example, 10.1.2.1) or an address range like 10.1.2.1-10.1.2.99.
Netmask: Specify a netmask between 1 and 31.
Gateway: NAT mode only. Specify the gateway IP address.
Peer Network: NAT mode only. Specify the peer network subnet address.
Proxy IP/Mask: Web Proxy mode only. Specify the proxy IP address/netmask.
Add Subnet: If necessary, click +Add Subnet to display additional subnet configuration controls. An interface port can have multiple subnets. FortiTester uses all IP addresses in the specified subnets to create TCP connections and transfer data.

Load
Ping Server Timeout: If a FortiTester connects to a DUT via a switch, the switch might cause a ping timeout, resulting in the test case failing to run. If this occurs, increase the timeout. The default is 15 seconds. The valid range is 1 to 600.
Simulated Users: Number of users to simulate. Standalone mode: The default is 256. The valid range is 128 to 1024. Test Center mode: The default is 512, and the valid range is 128 to 2048, for example, for an environment with two FortiTester appliances.
Speed Limit: Rate of new connections per second. The default is 0, which means the device will create connections as fast as possible. Standalone mode: The valid range is 1,000 to 2,000,000 connections per second (or the special value 0). Test Center mode: The valid range is 1,000 to 4,000,000, for example, for an environment with two FortiTester appliances.
Ramp Seconds: Time in seconds for traffic to ramp up/down when you start/stop the test.
Network MTU: Maximum Transmission Unit for a data packet. FortiTester does not send out data packets larger than this value. Most DUTs have a limitation for packet size. The default is 1500. The valid range is 1,280 to 9,000.

Profile (Client)
Source Port Range: Specify a client port range. The valid range is 10,000 to 65,535, which is also the default.
IP Change Algorithm / Port Change Algorithm: Select a change algorithm: Increment or Random. This setting determines how the system changes source/destination IP addresses and ports to simulate multiple client requests. The Increment option uses the next IP address or port in the range, for example: 10.11.12.1 -> 10.11.12.2; port 10000 -> 10001. The Random option selects an IP address or port in the range randomly.
Piggybacking: Disabled. Not configurable.

Profile (Server)
Server Port: Preset to 6000. Not configurable.
Server Close Mode: Select the connection close method: 3Way_Fin or Reset.
Piggybacking: Enabled, meaning an acknowledgement is sent on the data frame, not in an individual frame. Not configurable.

Starting a UDP PPS test

FortiTester tests UDP throughput by sending a specified size of UDP frames at a maximum or limited speed from simulated clients to simulated servers.

To start a UDP PPS test:
1. Go to Cases > UDP > PPS to display the test case summary page.
2. Click Add to display the Case Options dialog box.
3. In the popup dialog, configure the following settings:
   IP Version: IPv4 or IPv6.
   DUT Working Mode: Transparent mode or NAT mode. In the transparent mode, the DUT does not change the IP address of the packet. In NAT mode, the address is translated.
   Network Config: Select the default template or a user-defined template. The network settings and subnet settings for the test case configuration are imported from the template. You can modify these settings after they are imported.
   Click OK to continue.
4. Configure the test case options described in Table 11.
5. Click Start to run the test case. FortiTester saves the configuration automatically so you can run the test again later. You can also click Save to save the test case without running it.

Tip: You can also copy an existing case, and change its settings to create a new case. In the case list, click Extend to clone the configuration. Only the case name is different from the original case.

Table 11: UDP PPS Test Case configuration

Basic Information

Name: Specify the case name, or just use the default. The name appears in the list of test cases.
Number of Samples: Select the number of samples. The default is 20, which means the web UI will show the last 20 sample data (about 20 seconds) in the test case running page. You can select 20, 60, or 120.
Duration: Specify the test duration. The default is 10 minutes. The test stops automatically after the duration you specify.

Network

Client Ports, Server Ports: The graphic depicts the test ports for client-side and server-side connections. The client ports simulate the behavior of clients; the server ports simulate the behavior of servers. FortiTester builds the TCP connections between client ports and server ports (and through the DUT, of course). You must select at least one client port and one server port. After you select a port for client, a (check mark) is displayed on the port icon, and a tab for the port is added below the graphic. Use the tabs to toggle the Capture Packets and Subnet settings controls for each port.
Capture Packets

Capture Packets: Optional. Set packet capture options if you want to capture the traffic of this port. You can capture all packets or specify a number. You can set packet capture filters for host IP/port and protocol.
Note: The system allocates temporary disk space for packet captures. The limit is 200,000 packets. The packets are saved to a temporary file that you can download from the running test case page. The filename indicates whether it is client or server communication and the interface port number. For example, client_port1.pcap. When a subsequent test case with packet capture enabled uses the same interface port as a previous one, the previous file is overwritten.

Subnet

Subnet IP Address or Range: Specify a single IP address with standard format (for example, 10.1.2.1) or an address range like 10.1.2.1-10.1.2.99.
Netmask: Specify a netmask between 1 and 31.
Gateway: NAT mode only. Specify the gateway IP address.
Peer Network: NAT mode only. Specify the peer network subnet address.
Add Subnet: If necessary, click +Add Subnet to display additional subnet configuration controls. An interface port can have multiple subnets. FortiTester uses all IP addresses in the specified subnets to create UDP connections and transfer data.

Load

Ping Server Timeout: If a FortiTester connects to a DUT via a switch, the switch might cause a ping timeout, resulting in the test case failing to run. If this occurs, increase the timeout. The default is 15 seconds. The valid range is 1 to 600.
Simulated Users: Number of users to simulate. Standalone mode: The default is 256. The valid range is 128 to 512. Test Center mode: The default is 512, and the valid range is 128 to 1024, for example, for an environment with two FortiTester appliances.
UDP Package Size: The default is 64 bytes. The valid range is 64 to 1518.
Bandwidth Limit: The default is 0, which means the maximum possible. The unit is Mbps. Standalone mode: The valid range is 10 to 20,000 (or the special value 0). Test Center mode: The valid range is 10 to 40,000, for example, for an environment with two FortiTester appliances.
Ramp Seconds: Time in seconds for traffic to ramp up/down when you start/stop the test.
Network MTU: Preset to 1500. Not configurable.

Profile (Client)

Source Port Range: Specify a client port range. The valid range is 10,000 to 65,535, which is also the default.
IP Change Algorithm / Port Change Algorithm: Determines how the system changes source/destination IP addresses and ports to simulate multiple client requests. Preset to Increment. Not configurable. The Increment option uses the next IP address or port in the range, for example: 10.11.12.1 -> 10.11.12.2; port 10000 -> 10001.

Profile (Server)

Server Port: The default is 514. The valid range is 0 to 65,535.

Starting a UDP Payload test

FortiTester tests UDP payload by sending UDP frames with the specified payload from the client ports to the server ports.

To start a UDP payload test:

1. Go to Cases > UDP > Payload to display the test case summary page.
2. Click Add to display the Case Options dialog box.
3. In the popup dialog, configure the following settings:
   IP Version: IPv4 or IPv6.
   DUT Working Mode: Transparent mode or NAT mode. In the transparent mode, the DUT does not change the IP address of the packet. In NAT mode, the address is translated.
   Network Config: Select the default template or a user-defined template. The network settings and subnet settings for the test case configuration are imported from the template. You can modify these settings after they are imported.
   Click OK to continue.
4. Configure the test case options described in Table 12.
5. Click Start to run the test case. FortiTester saves the configuration automatically so you can run the test again later. You can also click Save to save the test case without running it.

Tip: You can also copy an existing case, and change its settings to create a new case. In the case list, click Extend to clone the configuration. Only the case name is different from the original case.

Table 12: UDP Payload Test Case configuration

Basic Information

Name: Specify the case name, or just use the default. The name appears in the list of test cases.
Number of Samples: Select the number of samples. The default is 20, which means the web UI will show the last 20 sample data (about 20 seconds) in the test case running page. You can select 20, 60, or 120.
Duration: Specify the test duration. The default is 10 minutes. The test stops automatically after the duration you specify.

Network

Client Ports, Server Ports: The graphic depicts the test ports for client-side and server-side connections. The client ports simulate the behavior of clients; the server ports simulate the behavior of servers. FortiTester builds the TCP connections between client ports and server ports (and through the DUT, of course). You must select at least one client port and one server port. After you select a port for client, a (check mark) is displayed on the port icon, and a tab for the port is added below the graphic. Use the tabs to toggle the Capture Packets and Subnet settings controls for each port.
Capture Packets

Capture Packets: Optional. Set packet capture options if you want to capture the traffic of this port. You can capture all packets or specify a number. You can set packet capture filters for host IP/port and protocol.
Note: The system allocates temporary disk space for packet captures. The limit is 200,000 packets. The packets are saved to a temporary file that you can download from the running test case page. The filename indicates whether it is client or server communication and the interface port number. For example, client_port1.pcap. When a subsequent test case with packet capture enabled uses the same interface port as a previous one, the previous file is overwritten.

Subnet

Subnet IP Address or Range: Specify a single IP address with standard format (for example, 10.1.2.1) or an address range like 10.1.2.1-10.1.2.99.
Netmask: Specify a netmask between 1 and 31.
Gateway: NAT mode only. Specify the gateway IP address.
Peer Network: NAT mode only. Specify the peer network subnet address.
Add Subnet: If necessary, click +Add Subnet to display additional subnet configuration controls. An interface port can have multiple subnets. FortiTester uses all IP addresses in the specified subnets to create UDP connections and transfer data.

Load

Payload: Use the plain text predefined format to specify the payload.
Ping Server Timeout: If a FortiTester connects to a DUT via a switch, the switch might cause a ping timeout, resulting in the test case failing to run. If this occurs, increase the timeout. The default is 15 seconds. The valid range is 1 to 600.
Simulated Users: Number of users to simulate. Standalone mode: The default is 256. The valid range is 128 to 512. Test Center mode: The default is 512, and the valid range is 128 to 1024, for example, for an environment with two FortiTester appliances.
Bandwidth Limit: The default is 0, which means the maximum possible. The unit is Mbps. Standalone mode: The valid range is 10 to 20,000 (or the special value 0). Test Center mode: The valid range is 10 to 40,000, for example, for an environment with two FortiTester appliances.
Ramp Seconds: Time in seconds for traffic to ramp up/down when you start/stop the test.
Network MTU: Preset to 2500. Not configurable.

Profile (Client)

Source Port Range: Specify a client port range. The valid range is 10,000 to 65,535, which is also the default.
IP Change Algorithm / Port Change Algorithm: Determines how the system changes source/destination IP addresses and ports to simulate multiple client requests. Preset to Increment. Not configurable. The Increment option uses the next IP address or port in the range, for example: 10.11.12.1 -> 10.11.12.2; port 10000 -> 10001.

Profile (Server)

Server Port: The default is 514. The valid range is 0 to 65,535.

Starting an Attack Replay test

FortiTester can test security systems by replaying a predefined set of attack traffic. The predefined set covers 100 types of attacks. The test result shows the CVE-ID for every type of attack. You can also see the attack list in the Cases > Replay > Attack page.

Note: The Attack Replay test is available only in Standalone work mode.

Before you begin:

Optional. If you want to test custom attack traffic, you must create a package of pcap files that can be replayed. Only IPv4 traffic is supported. Follow the file naming convention: Description[CVE-$CVEID].pcap. Here [] means optional. The file type can be .pcap, .tgz, .tar.gz, or .zip. A .tgz, .tar.gz, or .zip file includes a group of .pcap files. Maximum file size is 200MB.

To start an Attack Replay test:

1. Go to Cases > Replay > Attack to display the test case summary page.
2. Click Add to display the Case Options dialog box.
3. In the popup dialog, configure the following settings:
   IP Version: IPv4 or IPv6.
   DUT Working Mode: Transparent mode or NAT mode. In the transparent mode, the DUT does not change the IP address of the packet. In NAT mode, the address is translated.
   Network Config: Select the default template or a user-defined template. The network settings and subnet settings for the test case configuration are imported from the template. You can modify these settings after they are imported.
   Click OK to continue.
4. Configure the test case options described in Table 13.
5. Click Start to run the test case. FortiTester saves the configuration automatically so you can run the test again later. You can also click Save to save the test case without running it.

Tip: You can also copy an existing case, and change its settings to create a new case. In the case list, click Extend to clone the configuration. Only the case name is different from the original case.

Table 13: Attack Replay Test Case configuration

Basic Information

Name: Specify the case name, or just use the default. The name appears in the list of test cases.

Network

Client Ports, Server Ports: The graphic depicts the test ports for client-side and server-side connections. The client ports simulate the behavior of clients; the server ports simulate the behavior of servers. FortiTester builds the TCP connections between client ports and server ports (and through the DUT, of course). You must select at least one client port and one server port. After you select a port for client, a (check mark) is displayed on the port icon, and a tab for the port is added below the graphic. Use the tabs to toggle the Capture Packets and Subnet settings controls for each port.
Capture Packets

Capture Packets: Optional. Set packet capture options if you want to capture the traffic of this port. You can capture all packets or specify a number. You can set packet capture filters for host IP/port and protocol.
Note: The system allocates temporary disk space for packet captures. The limit is 200,000 packets. The packets are saved to a temporary file that you can download from the running test case page. The filename indicates whether it is client or server communication and the interface port number. For example, client_port1.pcap. When a subsequent test case with packet capture enabled uses the same interface port as a previous one, the previous file is overwritten.

Subnet

Subnet IP Address or Range: Specify a single IP address with standard format (for example, 10.1.2.1) or an address range like 10.1.2.1-10.1.2.99.
Netmask: Specify a netmask between 1 and 31.
Gateway: NAT mode only. Specify the gateway IP address.
Peer Network: NAT mode only. Specify the peer network subnet address.

Load

Ping Server Timeout: If a FortiTester connects to a DUT via a switch, the switch might cause a ping timeout, resulting in the test case failing to run. If this occurs, increase the timeout. The default is 15 seconds. The valid range is 1 to 600.
Peer Receiving Timeout: This timeout specifies how long the client waits for a response from the server. If the client does not receive a response within the timeout, it considers the packet lost. The default value is 2 milliseconds.
Break Once Packet Lost: Select Yes or No. The Yes option means that when the system identifies packet loss (the server side has not received the packet that the client sent out), it stops the current traffic replay (pcap file) and continues the test with the next traffic file. The No option (the default) means a break is not set; the current replay continues.
Network MTU: Preset to 1500. Not configurable.
Action

Enable System Attack List: Enable/disable the system attack list. There are 100 types of attacks in the system attack list.
User Intrusion: Optional. Select attacks from the user-defined attack list. Before you can select them, you must upload pcap files that contain your customized attack traffic. At the top of the case list, click User Attack List and then upload your file.

Starting a Traffic Replay test

FortiTester tests user-defined scenarios by replaying pcap files. Typically, pcap files are generated by programs like tcpdump or Wireshark.

Note: The Traffic Replay test is available only in Standalone work mode.

Before you begin:

You must create pcap files that can be replayed. Only IPv4 traffic is supported. Maximum file size is 200MB.

To start a Traffic Replay test:

1. Go to Cases > Replay > Traffic to display the test case summary page.
2. Click Add to display the Case Options dialog box.
3. In the popup dialog, configure the following settings:
   IP Version: IPv4 or IPv6.
   DUT Working Mode: Transparent mode or NAT mode. In the transparent mode, the DUT does not change the IP address of the packet. In NAT mode, the address is translated.
   Network Config: Select the default template or a user-defined template. The network settings and subnet settings for the test case configuration are imported from the template. You can modify these settings after they are imported.
   Click OK to continue.
4. Configure the test case options described in Table 14.
5. Click Start to run the test case. FortiTester saves the configuration automatically so you can run the test again later. You can also click Save to save the test case without running it.

Tip: You can also copy an existing case, and change its settings to create a new case. In the case list, click Extend to clone the configuration. Only the case name is different from the original case.

Table 14: Traffic Replay Test Case configuration
Basic Information

Name: Specify the case name, or just use the default. The name appears in the list of test cases.
Number of Samples: Select the number of samples. The default is 20, which means the web UI will show the last 20 sample data (about 20 seconds) in the test case running page. You can select 20, 60, or 120.
Duration: Specify the test duration. The default is 10 minutes. The test stops automatically after the duration you specify.

Network

Client Ports, Server Ports: The graphic depicts the test ports for client-side and server-side connections. The client ports simulate the behavior of clients; the server ports simulate the behavior of servers. FortiTester builds the TCP connections between client ports and server ports (and through the DUT, of course). You must select at least one client port and one server port. After you select a port for client, a (check mark) is displayed on the port icon, and a tab for the port is added below the graphic. Use the tabs to toggle the Capture Packets and Subnet settings controls for each port.

Capture Packets

Capture Packets: Optional. Set packet capture options if you want to capture the traffic of this port. You can capture all packets or specify a number. You can set packet capture filters for host IP/port and protocol.
Note: The system allocates temporary disk space for packet captures. The limit is 200,000 packets. The packets are saved to a temporary file that you can download from the running test case page. The filename indicates whether it is client or server communication and the interface port number. For example, client_port1.pcap. When a subsequent test case with packet capture enabled uses the same interface port as a previous one, the previous file is overwritten.

Subnet

Subnet IP Address or Range: Specify a single IP address with standard format (for example, 10.1.2.1) or an address range like 10.1.2.1-10.1.2.99.
Netmask: Specify a netmask between 1 and 31.
Gateway: NAT mode only. Specify the gateway IP address.
Peer Network: NAT mode only. Specify the peer network subnet address.

Load

Ping Server Timeout: If a FortiTester connects to a DUT via a switch, the switch might cause a ping timeout, resulting in the test case failing to run. If this occurs, increase the timeout. The default is 15 seconds. The valid range is 1 to 600.
Bandwidth Limit: The default is 0, which means the maximum possible. The valid range is 10 to 10,000 Mbps (or the special value 0).
Loops: Number of times to play the pcap file. The default is 10,000. 0 means as many as possible.
Input Pcap: You can upload pcap files from your PC and select one to send. Note that the uploaded files can be used for future cases.

Starting a DDoS test

FortiTester tests the ability of the DUT to handle different types of DDoS attacks. This traffic load tries to exhaust the DUT resources with multiple DDoS attack types.

To start a DDoS test:

1. Go to Cases > DDoS > DDoS Attack to display the test case summary page.
2. Click Add to display the Case Options dialog box.
3. In the popup dialog, configure the following settings:
   IP Version: IPv4 or IPv6.
   DUT Working Mode: Transparent mode or NAT mode. In the transparent mode, the DUT does not change the IP address of the packet. In NAT mode, the address is translated.
   Network Config: Select the default template or a user-defined template. The network settings and subnet settings for the test case configuration are imported from the template. You can modify these settings after they are imported.
   Click OK to continue.
4. Configure the test case options described in Table 15.
5. Click Start to run the test case. FortiTester saves the configuration automatically so you can run the test again later. You can also click Save to save the test case without running it.
Tip: You can also copy an existing case, and change its settings to create a new case. In the case list, click Extend to clone the configuration. Only the case name is different from the original case.

Table 15: DDoS Test Case configuration

Basic Information

Name: Specify the case name, or just use the default. The name appears in the list of test cases.
Number of Samples: Select the number of samples. The default is 20, which means the web UI will show the last 20 sample data (about 20 seconds) in the test case running page. You can select 20, 60, or 120.
Duration: Specify the test duration. The default is 10 minutes. The test stops automatically after the duration you specify.

Network

Client Ports, Server Ports: The graphic depicts the test ports for client-side and server-side connections. The client ports simulate the behavior of clients; the server ports simulate the behavior of servers. FortiTester builds the TCP connections between client ports and server ports (and through the DUT, of course). You must select at least one client port and one server port. After you select a port for client, a (check mark) is displayed on the port icon, and a tab for the port is added below the graphic. Use the tabs to toggle the Capture Packets and Subnet settings controls for each port.
Capture Packets

Capture Packets: Optional. Set packet capture options if you want to capture the traffic of this port. You can capture all packets or specify a number. You can set packet capture filters for host IP/port and protocol.
Note: The system allocates temporary disk space for packet captures. The limit is 200,000 packets. The packets are saved to a temporary file that you can download from the running test case page. The filename indicates whether it is client or server communication and the interface port number. For example, client_port1.pcap. When a subsequent test case with packet capture enabled uses the same interface port as a previous one, the previous file is overwritten.

Subnet

Subnet IP Address or Range: Specify a single IP address with standard format (for example, 10.1.2.1) or an address range like 10.1.2.1-10.1.2.99.
Netmask: Specify a netmask between 1 and 31.
Gateway: NAT mode only. Specify the gateway IP address.
Peer Network: NAT mode only. Specify the peer network subnet address.

Load

Ping Server Timeout: If a FortiTester connects to a DUT via a switch, the switch might cause a ping timeout, resulting in the test case failing to run. If this occurs, increase the timeout. The default is 15 seconds. The valid range is 1 to 600.
Simulated Users: Number of users to simulate. Standalone mode: The default is 256. The valid range is 128 to 1024. Test Center mode: The default is 512, and the valid range is 128 to 2048, for example, for an environment with two FortiTester appliances.
DDoS Types: There are three types of DDoS attack traffic: Single Packet Flood, TCP Session Flood, and HTTP Session Flood. After you select a type, selection boxes for subtypes are displayed below. To change the percentage mix of subtypes, double-click the pie chart and adjust the percentages.
Bandwidth Limit: The default is 0, which means the maximum possible. The unit is Mbps. Standalone mode: The valid range is 10 to 20,000 (or the special value 0). Test Center mode: The valid range is 10 to 40,000, for example, for an environment with two FortiTester appliances.
Ramp Seconds: Time in seconds for traffic to ramp up/down when you start/stop the test.

Network

Network MTU: Maximum Transmission Unit for a data packet. FortiTester does not send out data packets larger than this value. Most DUTs have a limitation for packet size. The default is 1500. The valid range is 1,280 to 9,000.

Profile (Client)

Source Port Range: Specify a client port range. The valid range is 10,000 to 65,535, which is also the default.
IP Change Algorithm / Port Change Algorithm: Select a change algorithm: Increment or Random. This setting determines how the system changes source/destination IP addresses and ports to simulate multiple client requests. The Increment option uses the next IP address or port in the range, for example: 10.11.12.1 -> 10.11.12.2; port 10000 -> 10001. The Random option selects an IP address or port in the range randomly.
Piggybacking: Enabled, meaning an acknowledgement is sent on the data frame, not in an individual frame. Not configurable.

Profile (Server)

Server Port: Preset to 80. Not configurable.
Piggybacking: Enabled. Not configurable.

Starting a DNS test

FortiTester tests the latency of the DUT in handling DNS query requests. A DUT could be a gateway device or a DNS server.

To start a DNS test:

1. Go to Cases > DNS > Latency to display the test case summary page.
2. Click Add to display the Case Options dialog box.
3. In the popup dialog, configure the following settings:
   IP Version: IPv4 or IPv6.
   DUT Working Mode: Transparent mode or NAT mode. In the transparent mode, the DUT does not change the IP address of the packet. In NAT mode, the address is translated.
   Network Config: Select the default template or a user-defined template. The network settings and subnet settings for the test case configuration are imported from the template. You can modify these settings after they are imported.
   Click OK to continue.
4. Configure the test case options described in Table 16.
5. Click Start to run the test case. FortiTester saves the configuration automatically so you can run the test again later. You can also click Save to save the test case without running it.

Tip: You can also copy an existing case, and change its settings to create a new case. In the case list, click Extend to clone the configuration. Only the case name is different from the original case.

Table 16: DNS Test Case configuration

Basic Information

Name: Specify the case name, or just use the default. The name appears in the list of test cases.
Number of Samples: Select the number of samples. The default is 20, which means the web UI will show the last 20 sample data (about 20 seconds) in the test case running page. You can select 20, 60, or 120.
Duration: Specify the test duration. The default is 10 minutes. The test stops automatically after the duration you specify.
Network

Client Ports, Server Ports: The graphic depicts the test ports for client-side and server-side connections. The client ports simulate the behavior of clients; the server ports simulate the behavior of servers. FortiTester builds the TCP connections between client ports and server ports (and through the DUT, of course). You must select at least one client port and one server port. After you select a port for client, a (check mark) is displayed on the port icon, and a tab for the port is added below the graphic. Use the tabs to toggle the Capture Packets and Subnet settings controls for each port.

Capture Packets

Capture Packets: Optional. Set packet capture options if you want to capture the traffic of this port. You can capture all packets or specify a number. You can set packet capture filters for host IP/port and protocol.
Note: The system allocates temporary disk space for packet captures. The limit is 200,000 packets. The packets are saved to a temporary file that you can download from the running test case page. The filename indicates whether it is client or server communication and the interface port number. For example, client_port1.pcap. When a subsequent test case with packet capture enabled uses the same interface port as a previous one, the previous file is overwritten.

Subnet

Subnet IP Address or Range: Specify a single IP address with standard format (for example, 10.1.2.1) or an address range like 10.1.2.1-10.1.2.99.
Netmask: Specify a netmask between 1 and 31.
Gateway: NAT mode only. Specify the gateway IP address.
Peer Network: NAT mode only. Specify the peer network subnet address.

Load

Ping Server Timeout: If a FortiTester connects to a DUT via a switch, the switch might cause a ping timeout, resulting in the test case failing to run. If this occurs, increase the timeout. The default is 15 seconds. The valid range is 1 to 600.
Simulated Users: Number of users to simulate. Standalone mode: The default is 256. The valid range is 128 to 250,000. Test Center mode: The default is 512, and the valid range is 128 to 500,000, for example, for an environment with two FortiTester appliances.
Bandwidth Limit: The default is 0, which means the maximum possible. The unit is Mbps. Standalone mode: The valid range is 10 to 20,000 (or the special value 0). Test Center mode: The valid range is 10 to 40,000, for example, for an environment with two FortiTester appliances.
DNS Renew Socket: Specify Yes or No. If Yes, the client side renews a socket to send out the next query (note that if the client profile Domain Policy is set to List, all queries for the names in the domain list use the same socket; after that, a new socket is created for the next batch of queries). If No, the old socket is used.
DNS Query Timeout: The default is 1000 milliseconds.
Network MTU: Preset to 1500. Not configurable.

Profile (Client)

Source Port Range: Specify a client port range. The valid range is 10,000 to 65,535, which is also the default.
IP Change Algorithm / Port Change Algorithm: Select a change algorithm: Increment or Random. This setting determines how the system changes source/destination IP addresses and ports to simulate multiple client requests. The Increment option uses the next IP address or port in the range, for example: 10.11.12.1 -> 10.11.12.2; port 10000 -> 10001. The Random option selects an IP address or port in the range randomly.
Domain Policy: Random or List. If Random is selected, FortiTester generates random domain names for queries. If List is selected, FortiTester uses queries in the specified list.
Domain List: If Domain Policy is List, specify a list of domain name records. For example:
fortinet.com:a,www.fortinet.com:a, fortitester.com:mx
A name followed by :A is an address record, while a name followed by :MX is a mail exchange record.
Profile (Server)

Server Port: The DNS server access port. The default is 53. The valid range is 0 to 65,535.

Stopping tests

There are two ways to stop a running test:

- In the test configuration, specify an automatic stop after a specified duration.
- Click the Stop button on the running page of a test that is in progress.

Displaying test status

A few seconds after you start a test, the page automatically switches to a test status page. You can also navigate to the status page by clicking the icon in the top navigation menu.

The following example shows status displayed on the Summary tab of a TCP throughput test.

Figure 5: Test status Summary tab

The following figure shows the Client tab. You can use its subtabs to review results by port or network layer.
Figure 6: Test status Client tab

Viewing test results

When you start a test, a status page is displayed showing results. The data is updated every second. It includes Layer 2 and Layer 4 data. HTTP/HTTPS test cases also include Layer 7 data.

- Layer 2 data represents the throughput for every port and a total summary. The throughput includes in traffic and out traffic for every port.
- Layer 4 data represents the number of sessions.
- Layer 7 data represents the number of requests and connections.

You can click the icon in the top banner to display a list of all the test cases on the left side of the page. This list includes cases that are stopped (either normally or abnormally) and are ordered by test start time. Click a test case to view its result.

The following example shows results for an HTTP CPS test.
Figure 7: HTTP CPS test results

The following figure shows results for an Attack Replay test.

Figure 8: Attack Replay results
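The "Before you begin" requirements for a custom Attack Replay package (naming convention, accepted file types, 200MB limit, IPv4 only) can be checked before the file is uploaded; the size and IPv4 limits are the same ones given for Traffic Replay. The following Python check is an added example, not taken from the handbook or from FortiTester. Its assumptions: $CVEID has the CVE-YYYY-NNNN shape, 200MB is read as binary megabytes, only classic pcap files with an Ethernet link type are parsed, and all function names are hypothetical.

```python
import io
import re
import struct
import tarfile
import zipfile

MAX_BYTES = 200 * 1024 * 1024   # "Maximum file size is 200MB"; binary megabytes assumed
# Description[CVE-$CVEID].pcap with [] optional; the CVE-YYYY-NNNN shape is an assumption.
NAME_RE = re.compile(r"^(?P<desc>.+?)(?P<cve>CVE-\d{4}-\d{4,})?\.pcap$", re.I)
PCAP_MAGIC = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">",   # microsecond stamps
              b"\x4d\x3c\xb2\xa1": "<", b"\xa1\xb2\x3c\x4d": ">"}   # nanosecond stamps


def parse_attack_name(filename):
    """Split Description[CVE-id].pcap into (description, CVE id or None)."""
    m = NAME_RE.match(filename.replace("\\", "/").rsplit("/", 1)[-1])
    if not m:
        raise ValueError("name does not follow Description[CVE-id].pcap")
    return m.group("desc").rstrip("_- "), m.group("cve")


def ip_versions(pcap):
    """Count Ethernet frames by network layer in a classic (non-pcapng) capture."""
    order = PCAP_MAGIC.get(pcap[:4])
    if order is None or len(pcap) < 24:
        raise ValueError("not a classic pcap file")
    if struct.unpack(order + "I", pcap[20:24])[0] != 1:
        raise ValueError("link type is not Ethernet")
    counts = {"ipv4": 0, "ipv6": 0, "other": 0}
    pos = 24
    while pos + 16 <= len(pcap):
        incl_len = struct.unpack(order + "I", pcap[pos + 8:pos + 12])[0]
        frame = pcap[pos + 16:pos + 16 + incl_len]
        if len(frame) < incl_len:
            raise ValueError("truncated packet record")
        pos += 16 + incl_len
        off = 12
        while frame[off:off + 2] in (b"\x81\x00", b"\x88\xa8"):   # step over VLAN tags
            off += 4
        kind = {b"\x08\x00": "ipv4", b"\x86\xdd": "ipv6"}.get(frame[off:off + 2], "other")
        counts[kind] += 1
    return counts


def members(filename, data):
    """Yield (name, bytes) for a lone pcap or for each file inside an archive."""
    lower = filename.lower()
    if lower.endswith(".zip"):
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                if info.file_size > MAX_BYTES:      # refuse decompression bombs
                    raise ValueError(f"{info.filename} expands past the size limit")
                if not info.is_dir():
                    yield info.filename, zf.read(info)
    elif lower.endswith((".tgz", ".tar.gz")):
        with tarfile.open(fileobj=io.BytesIO(data), mode="r:gz") as tf:
            for info in tf:
                if info.size > MAX_BYTES:
                    raise ValueError(f"{info.name} expands past the size limit")
                if info.isfile():
                    yield info.name, tf.extractfile(info).read()
    elif lower.endswith(".pcap"):
        yield filename, data
    else:
        raise ValueError("file type must be .pcap, .tgz, .tar.gz or .zip")


def inspect_upload(filename, data):
    """Return a list of problems; an empty list means every documented check passed."""
    problems = []
    if len(data) > MAX_BYTES:
        problems.append(f"{filename}: larger than 200MB")
    try:
        for name, blob in members(filename, data):
            try:
                parse_attack_name(name)
                seen = ip_versions(blob)
            except ValueError as exc:
                problems.append(f"{name}: {exc}")
                continue
            if seen["ipv6"]:
                problems.append(f"{name}: {seen['ipv6']} IPv6 frame(s), only IPv4 is supported")
    except (ValueError, zipfile.BadZipFile, tarfile.TarError) as exc:
        problems.append(f"{filename}: {exc}")
    return problems


def sample_pcap(ethertypes):
    """Constructed sample: one 60-byte Ethernet frame per EtherType given."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for ethertype in ethertypes:
        frame = bytes(12) + ethertype.to_bytes(2, "big") + bytes(46)
        out += struct.pack("<IIII", 0, 0, len(frame), len(frame)) + frame
    return out


if __name__ == "__main__":
    # Constructed capture with one IPv4 and one IPv6 frame, placeholder CVE id.
    print(inspect_upload("Sample_CVE-0000-0000.pcap", sample_pcap([0x0800, 0x86DD])))
```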