FortiTester Handbook VERSION 2.5.0


FORTINET DOCUMENT LIBRARY: http://docs.fortinet.com
FORTINET VIDEO GUIDE: http://video.fortinet.com
FORTINET BLOG: https://blog.fortinet.com
CUSTOMER SERVICE & SUPPORT: https://support.fortinet.com and http://cookbook.fortinet.com/how-to-work-with-fortinet-support/
FORTIGATE COOKBOOK: http://cookbook.fortinet.com
FORTINET TRAINING SERVICES: http://www.fortinet.com/training
FORTIGUARD CENTER: http://www.fortiguard.com
END USER LICENSE AGREEMENT: http://www.fortinet.com/doc/legal/eula.pdf
FEEDBACK: Email: techdocs@fortinet.com

Wednesday, March 09, 2016
FortiTester Handbook 2.5.0
1st Edition

TABLE OF CONTENTS

Change Log
Introduction
  Benefits
  What's New
Chapter 1 - Getting Started
  Connecting to FortiTester
  Configuring the management port
  Configuring system time
  Creating the admin password
Chapter 2 - Running Tests
  Test case configuration overview
  Using port binding
  Using network configuration templates
  Starting an HTTP CPS test
  Starting an HTTP RPS test
  Starting an HTTP CC test
  Starting an HTTPS CPS test
  Starting an HTTPS RPS test
  Starting a TCP connection test
  Starting a TCP throughput test
  Starting a TurboTCP test
  Starting a UDP PPS test
  Starting a UDP Payload test
  Starting an Attack Replay test
  Starting a Traffic Replay test
  Starting a DDoS test
  Starting a DNS test
  Stopping tests
  Displaying test status
  Viewing test results
  Exporting/importing a test case
  Scheduling cases
Chapter 3 - System Administration
  Displaying system status
  Updating firmware
  Shutting down the system
  Rebooting the system
  Resetting the system
  Creating test users
Chapter 4 - Joining multiple appliances into a Test Center
  Changing the work mode setting
Chapter 5 - Using the Command-Line Interface
  Getting CLI help
  Command descriptions

Change Log

Date        Change Description
2016-3-9    FortiTester 2.5.0 initial release.

Introduction

Welcome, and thank you for selecting Fortinet products for your testing environment.

FortiTester appliance models are powerful and easy-to-use tools that test the performance of your network devices.

This document describes how to set up your FortiTester appliance. It also describes how to use the web user interface (web UI) and command-line interface (CLI).

Benefits

FortiTester is a network traffic test tool that is based on Fortinet's specialized hardware and software platform. It provides the following types of tests:

- HTTP/HTTPS CPS test: FortiTester can test new connections per second (CPS) performance by simulating multiple clients that generate HTTP or HTTPS traffic.
- HTTP/HTTPS RPS test: FortiTester can test requests per second (RPS) performance by simulating multiple clients that generate HTTP or HTTPS traffic.
- HTTP CC test: FortiTester can test HTTP concurrent connection (CC) performance by simulating multiple clients that generate HTTP traffic.
- TCP throughput test: FortiTester can test TCP throughput performance of a DUT (Device Under Test) by generating a specified volume of two-way TCP traffic flows via specified ports.
- TCP connection test: FortiTester can test TCP concurrent connections performance by generating a specified volume of two-way TCP traffic flow via specified ports.
- TurboTCP test: FortiTester can test new connections per second (CPS) performance by generating a specified volume of two-way TurboTCP traffic flows via specified ports.
- UDP PPS test: FortiTester can test UDP throughput performance by sending a specified size of UDP frames at a maximum or limited speed from simulated clients to simulated servers.
- UDP Payload test: FortiTester can test UDP payload by sending UDP frames with a user-specified payload.
- Attack Replay test: FortiTester can test security systems by replaying a predefined set of attack traffic or pcaps that you upload. The predefined set covers 100 types of attacks.
- Traffic Replay test: FortiTester can test user-defined scenarios by replaying any pcap file. Typically, pcap files are generated by programs like tcpdump or Wireshark.
- DDoS test: FortiTester can send multiple types of distributed denial of service (DDoS) attack traffic to test DDoS detection/prevention systems.
- DNS Latency test: FortiTester can send DNS query traffic to test latency to a server or through a gateway.

What's New

The following features are introduced in 2.5.0:

- New Test Center / Slave work mode: Scale test capacity by joining multiple FortiTester appliances. See Chapter 4 - Joining multiple appliances into a Test Center.
- New TurboTCP test: A case to test new connections per second (CPS) performance by generating a specified volume of two-way TurboTCP traffic flow via specified ports. See Starting a TurboTCP test.
- New DDoS test case: A case to send multiple types of distributed denial of service (DDoS) attack traffic to test DDoS detection/prevention systems. See Starting a DDoS test.
- New DNS test case: A case to send DNS query traffic to test latency to a server or through a gateway. See Starting a DNS test.
- Network Config template: Simplify test case configuration using templates for client/server port network settings. See Using network configuration templates.
- New tuning options: Additional settings for test load, as well as client and server profiles. Review the load, client, and server profile options listed for the test cases in Chapter 2 - Running Tests.
- GUI enhancement: Improved presentation of statistics in reports. See Displaying test status.

Chapter 1 - Getting Started

This chapter provides the procedures for getting started with FortiTester.

Connecting to FortiTester

A basic network connection topology for FortiTester is shown in the following figure.

Figure 1: A basic network connection topology

A FortiTester appliance has multiple network ports. In most cases, one port is for management and the others are for testing.

The management port (usually mgmt or port1) connects to a local network to enable the user to access the FortiTester appliance via the web UI.

The test ports are divided into client ports and server ports that connect to the device under test (DUT). Client ports simulate multiple client devices that access the simulated server devices via server ports.

When you use one FortiTester appliance in standalone work mode, the test ports on the standalone appliance are divided between client and server. Figure 2 shows the distribution of ports in a standalone environment. Port 1, a client port, is paired with port 3, a server port; port 2, a client port, is paired with port 4, a server port.

Figure 2: Test ports in standalone work mode

If your tests require more ports, you can join up to 4 pairs of FortiTester appliances in a Test Center. Figure 3 shows the distribution of ports in a Test Center environment with two FortiTester appliances. Ports 1-4 of the first appliance are client ports; ports 1-4 of the second appliance are server ports. Port 1 on the first appliance is paired with port 1 on the second appliance.

Figure 3: Test ports in Test Center / Slave work mode

For information on configuring a Test Center, see Chapter 4 - Joining multiple appliances into a Test Center.

Configuring the management port

The management port must be connected to the same switch as the administrator client computer. The following procedure assumes that the default management port IP address (192.168.1.99) is not on the same subnet as your client computer.

To configure the management port:

1. Configure your computer to match the FortiTester default management port subnet. For example, from the Windows 7 Control Panel, go to Network and Sharing Center. Click the Local Area Connection link, and then click the Properties button. Select Internet Protocol Version 4 (TCP/IPv4) and then click its Properties button. Select Use the following IP address, and then enter the following settings:
   IP address: 192.168.1.2
   Subnet mask: 255.255.255.0
2. To connect to the web UI, start a web browser and go to http://192.168.1.99.
3. Type admin in the Username field, enter the password, and then click Login.
4. In the top banner, click the icon to display the System settings page.
5. Click the Device Ports tab.
6. For the management port, change its IP address, netmask, and default gateway. The following example changes the management IP address to 192.168.1.199.

Figure 4: Set management port

7. Click Apply to complete configuration of the management port.
8. Click the DNS Server tab.
9. Enter the IP address for the DNS server, and then click Apply. Note that you can add more than one DNS server.
10. Change the IP address of your client PC to the same network segment used by the management port IP address.
11. To log into the web UI again, enter the new management IP address in a web browser.

Configuring system time

You can use the System page to change the system time. You can manually modify the time or synchronize the system time with an NTP server.

To configure system time:

1. In the top banner, click the icon to display the System settings page.
2. Under System Time, click the Change link to display the Time dialog box.
3. Set the system time or synchronize time with an NTP server, as described in Table 1.
4. Save the configuration.

Table 1: System Time

Time Zone: Select the time zone where the FortiTester appliance is installed.
System Time: The text boxes are populated with the current settings for the system date and time. You can change these manually.
Synchronize with NTP Server: Enter the IP address or domain name of an NTP server. To find an NTP server that you can use, see http://www.ntp.org. The time is not synched at a regular interval, only when you click the Save button.

Creating the admin password

FortiTester has a default user admin. By default, there is no password.

To change the password for the admin account:

1. In the top banner, click the admin link.
2. Select Modify Password from the drop-down menu.
3. Enter the old password, the new password, and save the configuration.

Chapter 2 - Running Tests

This chapter provides procedures for running tests and viewing test results.

Test case configuration overview

The test case configuration workflow includes the following standard elements:

- Test type: The test template to use. It determines the mandatory and optional settings for specific cases.
- Case options: IP version, DUT mode, and optional port binding.
- Interface ports: Client and server interface port configuration.
- Optional elements: Whether to take packet captures, whether to schedule the job.
- Test case specifics: Variables that determine the test parameters, such as load, rates/limits, and client/server profiles and actions.

The first four items set up the basic test environment. Once you become familiar with them, you can assume they can be configured in the same manner for each test.

The test case specifics are key to testing the performance of the device under test (DUT). We recommend you become familiar with guidelines for test case specifics whenever you get started with a new test case type.

Using port binding

FortiTester system can bind multiple physical ports as one logical port. We call this feature port binding. The physical ports in one logical port share one network configuration, such as IP address, netmask, and gateway.

This feature is useful in the following scenarios:

- To test the link aggregation feature of a DUT. A DUT might also support port binding (also called link aggregation or TRUNK). In that case, FortiTester can test this feature and its performance.
- To test 40G/100G ports of DUT. A DUT might have some ports that have bandwidth greater than a single FortiTester port. To test such port performance, we can bind multiple FortiTester ports as one logical port and connect to a switch to transfer traffic with a DUT. For example, a FortiTester appliance can bind 4 10G ports as one to test a 40G port in DUT via a 10G/40G switch.

FortiTester averages traffic on physical ports that belong to one logical port.

Note: Only the DNS, TCP, HTTP, and HTTPS tests support port binding.

Using network configuration templates

Many test cases you may want to run will have the same basic network setup. To simplify configuration, you can create a network configuration template and then import it when you initially configure test case settings. The template settings are used to populate the network settings for the new test case configuration.

The network configuration template specifies the IP address type, DUT working mode, client/server port settings, subnet settings, and (optional) port binding settings.

You can only import template settings if the IP address type and DUT working mode you select in the new test case popup dialog box match the settings in the network configuration template.

After the settings have been imported, you can modify client/server port settings, subnet settings, and port binding settings if necessary.

To create a network configuration template:

1. Go to Cases > Config Network.
2. Click Add to display the configuration page.
3. In the popup dialog, configure the following settings:
   IP Version: IPv4 or IPv6.
   DUT Working Mode: Transparent mode, NAT mode, or Web Proxy mode. In the transparent mode, the DUT does not change the IP address of the packet. In NAT mode, the address is translated. In Web Proxy mode, the proxy address is used. If the DUT is configured in Web Proxy mode (e.g. a WAF), select Web Proxy.
   Port Binding: Optional. Port binding aggregates two or more physical ports into one logical port.
   Click OK to continue.
4. Complete the configuration as described in Table 2.
5. Save the configuration.

Table 2: Network configuration object settings

Basic Information

Name: Specify a configuration name, or use the default. The name appears in the Network Config drop-down list when you configure test cases.

Network

Client Ports, Server Ports: The page lists all the test ports for client-side and server-side connections. The client ports simulate the behavior of clients; the server ports simulate the behavior of servers. FortiTester builds the TCP connections between client ports and server ports (and through the DUT, of course). You must select at least one client port and one server port. After you select a port for client, a check mark is displayed on the port icon. The same port on the server side is no longer available.

Subnet

IP Address or Range: Specify a single IP address with standard format (for example, 10.1.2.1) or an address range like 10.1.2.1-10.1.2.99.
Netmask: Specify a netmask between 1 and 31.
Gateway: NAT mode only. Specify the gateway IP address.
Peer Network: NAT mode only. Specify the peer network subnet address.
Proxy IP/Mask: Web Proxy mode only. Specify the proxy IP address/netmask.
Add Subnet: If necessary, click +Add Subnet to display additional subnet configuration controls. An interface port can have multiple subnets. FortiTester uses all IP addresses in the specified subnets to create TCP connections and transfer data.

Starting an HTTP CPS test

FortiTester tests HTTP new connections per second (CPS) performance by simulating multiple clients that generate HTTP traffic. The traffic generated for each connection includes the TCP three-way handshake, HTTP request and HTTP response (complete HTTP transaction), and the TCP connection close (FIN, ACK, FIN, ACK). Each TCP packet has one HTTP GET request. The traffic is HTTP/1.0 without HTTP persistent connections (HTTP keep-alive).

Note the following limitations:

- The test does not support some TCP packet options, such as timestamp, and so on.
- You cannot modify the HTTP request or HTTP response headers.

To start an HTTP CPS test:

1. Go to Cases > HTTP > CPS to display the test case summary page.
2. Click Add to display the Case Options dialog box.
3. In the popup dialog, configure the following settings:
   IP Version: IPv4 or IPv6.
   DUT Working Mode: Transparent mode, NAT mode, or Web Proxy mode. In the transparent mode, the DUT does not change the IP address of the packet. In NAT mode, the address is translated. In Web Proxy mode, the proxy address is used. If the DUT is configured in Web Proxy mode (e.g. a WAF), select Web Proxy.
   Network Config: Select the default template or a user-defined template. The network settings and subnet settings for the test case configuration are imported from the template. You can modify these settings after they are imported.
   Performance Option: Fast HTTP Mode is enabled by default. Not configurable.
   Port Binding: Optional. Port binding aggregates two or more physical ports into one logical port.
   Click OK to continue.
4. Configure the test case options described in Table 3.
5. Click Start to run the test case. FortiTester saves the configuration automatically so you can run the test again later. You can also click Save to save the test case without running it.

Tip: You can also copy an existing case, and change its settings to create a new case. In the case list, click Extend to clone the configuration. Only the case name is different from the original case.

Table 3: HTTP CPS Test Case configuration

Basic Information

Name: Specify the case name, or just use the default. The name appears in the list of test cases.
Number of Samples: Select the number of samples. The default is 20, which means the web UI will show the last 20 sample data (about 20 seconds) in the test case running page. You can select 20, 60, or 120.
Duration: Specify the test duration. The default is 10 minutes. The test stops automatically after the duration you specify.
Performance: Fast HTTP Mode is enabled by default. Not configurable.

Network

Client Ports, Server Ports: The graphic depicts the test ports for client-side and server-side connections. The client ports simulate the behavior of clients; the server ports simulate the behavior of servers. FortiTester builds the TCP connections between client ports and server ports (and through the DUT, of course). You must select at least one client port and one server port. After you select a port for client, a check mark is displayed on the port icon, and a tab for the port is added below the graphic. Use the tabs to toggle the Capture Packets and Subnet settings controls for each port.

Capture Packets

Capture Packets: Optional. Set packet capture options if you want to capture the traffic of this port. You can capture all packets or specify a number. You can set packet capture filters for host IP/port and protocol.
Note: The system allocates temporary disk space for packet captures. The limit is 200,000 packets. The packets are saved to a temporary file that you can download from the running test case page. The filename indicates whether it is client or server communication and the interface port number. For example, client_port1.pcap. When a subsequent test case with packet capture enabled uses the same interface port as a previous one, the previous file is overwritten.

Subnet

IP Address or Range: Specify a single IP address with standard format (for example, 10.1.2.1) or an address range like 10.1.2.1-10.1.2.99.
Netmask: Specify a netmask between 1 and 31.
Gateway: NAT mode only. Specify the gateway IP address.
Peer Network: NAT mode only. Specify the peer network subnet address.
Proxy IP/Mask: Web Proxy mode only. Specify the proxy IP address/netmask.
Add Subnet: If necessary, click +Add Subnet to display additional subnet configuration controls. An interface port can have multiple subnets. FortiTester uses all IP addresses in the specified subnets to create TCP connections and transfer data.

Load

Ping Server Timeout: If a FortiTester connects to a DUT via a switch, the switch might cause a ping timeout, resulting in the test case failing to run. If this occurs, increase the timeout. The default is 15 seconds. The valid range is 1 to 600.
Simulated Users: Number of users to simulate. Standalone mode: The default is 256. The valid range is 128 to 1024. Test Center mode: The default is 512, and the valid range is 128 to 2048, for example, for an environment with two FortiTester appliances.
Speed Limit: Rate of new transactions per second. The default is 0, which means the device will send traffic as fast as possible. Standalone mode: The valid range is 1,000 to 850,000 transactions per second (or the special value 0). Test Center mode: The valid range is 1,000 to 1,700,000, for example, for an environment with two FortiTester appliances.
Ramp Seconds: Time in seconds for traffic to ramp up/down when you start/stop the test.
Network MTU: Preset to 1500. Not configurable.

Profile (Client)

Source Port Range: Specify a client port range. The valid range is 10,000 to 65,535, which is also the default.
Client Close Mode: Select the connection close method: 3Way_Fin or Reset.
IP Change Algorithm / Port Change Algorithm: Select a change algorithm: Increment or Random. This setting determines how the system changes source/destination IP addresses and ports to simulate multiple client requests. The Increment option uses the next IP address or port in the range, for example: 10.11.12.1 -> 10.11.12.2; port 10000 -> 10001. The Random option selects an IP address or port in the range randomly.
Request Header: Preset to UserAgent: Firefox/41.0. Not configurable.
Piggybacking: Enabled, meaning an acknowledgement is sent on the data frame, not in an individual frame. Not configurable.

Profile (Server)

Server Port: Preset to 80. Not configurable.
Server Close Mode: Select the connection close method: 3Way_Fin or Reset.
Response Header: Preset to Server: nginx/1.9.5. Not configurable.
Piggybacking: Enabled. Not configurable.

Action

Get page: Select the file that the simulated clients access. The default is index_4bytes.html. Optionally, you can upload a customized HTML file. For Fast HTTP mode, the file size limit is 1200 bytes; for Common HTTP mode, the file size limit is 20 MB.

Starting an HTTP RPS test

FortiTester tests requests per second (RPS) performance by simulating multiple clients that generate HTTP traffic. All requests include a TCP three-way handshake, one HTTP request and response, and a TCP connection close (FIN, ACK, FIN, ACK). There are 10 HTTP GET requests per TCP connection and 100 HTTP GET requests per TCP connection for Layer4/HTTPS testing.

Note the following limitations:

- The test does not support some TCP packet options, such as timestamp, and so on.
- You cannot modify the HTTP request or HTTP response headers.

To start an HTTP RPS test:

1. Go to Cases > HTTP > RPS to display the test case summary page.
2. Click Add to display the Case Options dialog box.
3. In the popup dialog, configure the following settings:
   IP Version: IPv4 or IPv6.
   DUT Working Mode: Transparent mode, NAT mode, or Web Proxy mode. In the transparent mode, the DUT does not change the IP address of the packet. In NAT mode, the address is translated. In Web Proxy mode, the proxy address is used. If the DUT is configured in Web Proxy mode (e.g. a WAF), select Web Proxy.
   Network Config: Select the default template or a user-defined template. The network settings and subnet settings for the test case configuration are imported from the template. You can modify these settings after they are imported.
   Performance Option: Fast HTTP Mode is enabled by default. Not configurable.
   Port Binding: Optional. Port binding aggregates two or more physical ports into one logical port.
   Click OK to continue.

4. Configure the test case options described in Table 4.
5. Click Start to run the test case. FortiTester saves the configuration automatically so you can run the test again later. You can also click Save to save the test case without running it.

Tip: You can also copy an existing case, and change its settings to create a new case. In the case list, click Extend to clone the configuration. Only the case name is different from the original case.

Table 4: HTTP RPS Test Case configuration

Basic Information

Name: Specify the case name, or just use the default. The name appears in the list of test cases.
Number of Samples: Select the number of samples. The default is 20, which means the web UI will show the last 20 sample data (about 20 seconds) in the test case running page. You can select 20, 60, or 120.
Duration: Test duration. The default is 10 minutes. The test stops automatically after the duration you specify.
Performance: Fast HTTP Mode is enabled by default. Not configurable.

Network

Client Ports, Server Ports: The graphic depicts the test ports for client-side and server-side connections. The client ports simulate the behavior of clients; the server ports simulate the behavior of servers. FortiTester builds the TCP connections between client ports and server ports (and through the DUT, of course). You must select at least one client port and one server port. After you select a port for client, a check mark is displayed on the port icon, and a tab for the port is added below the graphic. Use the tabs to toggle the Capture Packets and Subnet settings controls for each port.

Capture Packets

Capture Packets: Optional. Set packet capture options if you want to capture the traffic of this port. You can capture all packets or specify a number. You can set packet capture filters for host IP/port and protocol.
Note: The system allocates temporary disk space for packet captures. The limit is 200,000 packets. The packets are saved to a temporary file that you can download from the running test case page. The filename indicates whether it is client or server communication and the interface port number. For example, client_port1.pcap. When a subsequent test case with packet capture enabled uses the same interface port as a previous one, the previous file is overwritten.

Subnet

IP Address or Range: Specify a single IP address with standard format (for example, 10.1.2.1) or an address range like 10.1.2.1-10.1.2.99.
Netmask: Specify a netmask between 1 and 31.
Gateway: NAT mode only. Specify the gateway IP address.
Peer Network: NAT mode only. Specify the peer network subnet address.
Proxy IP/Mask: Web Proxy mode only. Specify the proxy IP address/netmask.
Add Subnet: If necessary, click +Add Subnet to display additional subnet configuration controls. An interface port can have multiple subnets. FortiTester uses all IP addresses in the specified subnets to create TCP connections and transfer data.

Load

Ping Server Timeout: If a FortiTester connects to a DUT via a switch, the switch might cause a ping timeout, resulting in the test case failing to run. If this occurs, increase the timeout. The default is 15 seconds. The valid range is 1 to 600.
Simulated Users: Number of users to simulate. Standalone mode: The default is 256. The valid range is 128 to 1024. Test Center mode: The default is 512, and the valid range is 128 to 2048, for example, for an environment with two FortiTester appliances.

Requests per Connection: Number of HTTP requests per connection. The default is 0, which means as many as possible. The valid range is 0 to 50,000.
Speed Limit: Rate of requests per second. The default is 0, which means the device will send traffic as fast as possible. Standalone mode: The valid range is 1,000 to 1,600,000 requests per second (or the special value 0). Test Center mode: The valid range is 1,000 to 3,200,000, for example, for an environment with two FortiTester appliances.
Ramp Seconds: Time in seconds for traffic to ramp up/down when you start/stop the test.
Network MTU: Preset to 1500. Not configurable.

Profile (Client)
Source Port Range: Client port range. The valid range is 10,000 to 65,535, which is also the default.
Client Close Mode: Select the connection close method: 3Way_Fin or Reset.
IP Change Algorithm / Port Change Algorithm: Select a change algorithm: Increment or Random. This setting determines how the system changes source/destination IP addresses and ports to simulate multiple client requests. The Increment option uses the next IP address or port in the range, for example: 10.11.12.1 -> 10.11.12.2; port 10000 -> 10001. The Random option selects an IP address or port in the range randomly.
Request Header: Preset to UserAgent: Firefox/41.0. Not configurable.
Piggybacking: Enabled, meaning an acknowledgement is sent on the data frame, not in an individual frame. Not configurable.

Profile (Server)
Server Port: Preset to 80. Not configurable.
Server Close Mode: Preset to 3Way_Fin. Not configurable.
Response Header: Preset to Server: nginx/1.9.5. Not configurable.
Piggybacking: Enabled. Not configurable.

Action
Get Page: Select the file that the simulated clients access. The default is index_4bytes.html. Optionally, you can upload a customized HTML file. For Fast HTTP mode, the file size limit is 1200 bytes; for Common HTTP mode, the file size limit is 20 MB.

Starting an HTTP CC test

FortiTester tests HTTP concurrent connection (CC) performance by simulating multiple clients that generate HTTP traffic. All connections include a TCP three-way handshake, a loop of HTTP requests and responses (complete HTTP transaction), and close the connection with TCP FIN.

Note the following limitations:
- The test does not support some TCP packet options, such as timestamp, and so on.
- You cannot modify the HTTP request or HTTP response headers.

To start an HTTP CC test:
1. Go to Cases > HTTP > CC to display the test case summary page.
2. Click Add to display the Case Options dialog box.
3. In the popup dialog, configure the following settings:
   IP Version: IPv4 or IPv6.
   DUT Working Mode: Transparent mode or NAT mode. In the transparent mode, the DUT does not change the IP address of the packet. In NAT mode, the address is translated. In Web Proxy mode, the proxy address is used. If the DUT is configured in Web Proxy mode (e.g. a WAF), select Web Proxy.
   Network Config: Select the default template or a user-defined template. The network settings and subnet settings for the test case configuration are imported from the template. You can modify these settings after they are imported.
   Port Binding: Optional. Port binding aggregates two or more physical ports into one logical port.
   Click OK to continue.
4. Configure the test case options described in Table 5.
5. Click Start to run the test case.

FortiTester saves the configuration automatically so you can run the test again later. You can also click Save to save the test case without running it.

Tip: You can also copy an existing case, and change its settings to create a new case. In the case list, click Extend to clone the configuration. Only the case name is different from the original case.

Table 5: HTTP CC Test Case configuration

Basic Information
Name: Specify the case name, or just use the default. The name appears in the list of test cases.
Number of Samples: Select the number of samples. The default is 20, which means the web UI will show the last 20 sample data (about 20 seconds) in the test case running page. You can select 20, 60, or 120.
Duration: Specify the test duration. The default is 10 minutes. The test stops automatically after the duration you specify.

Network
Client Ports, Server Ports: The graphic depicts the test ports for client-side and server-side connections. The client ports simulate the behavior of clients; the server ports simulate the behavior of servers. FortiTester builds the TCP connections between client ports and server ports (and through the DUT, of course). You must select at least one client port and one server port. After you select a port for client, a (check mark) is displayed on the port icon, and a tab for the port is added below the graphic. Use the tabs to toggle the Capture Packets and Subnet settings controls for each port.

Capture Packets
Capture Packets: Optional. Set packet capture options if you want to capture the traffic of this port. You can capture all packets or specify a number. You can set packet capture filters for host IP/port and protocol. Note: The system allocates temporary disk space for packet captures. The limit is 200,000 packets. The packets are saved to a temporary file that you can download from the running test case page. The filename indicates whether it is client or server communication and the interface port number. For example, client_port1.pcap. When a subsequent test case with packet capture enabled uses the same interface port as a previous one, the previous file is overwritten.

Subnet
Subnet IP Address or Range: Specify a single IP address with standard format (for example, 10.1.2.1) or an address range like 10.1.2.1-10.1.2.99.
Netmask: Specify a netmask between 1 and 31.
Gateway: NAT mode only. Specify the gateway IP address.
Peer Network: NAT mode only. Specify the peer network subnet address.
Proxy IP/Mask: Web Proxy mode only. Specify the proxy IP address/netmask.
Add Subnet: If necessary, click +Add Subnet to display additional subnet configuration controls. An interface port can have multiple subnets. FortiTester uses all IP addresses in the specified subnets to create TCP connections and transfer data.

Load
Ping Server Timeout: If a FortiTester connects to a DUT via a switch, the switch might cause a ping timeout, resulting in the test case failing to run. If this occurs, increase the timeout. The default is 15 seconds. The valid range is 1 to 600.
Simulated Users: Number of users to simulate. Standalone mode: The default is 256. The valid range is 128 to 1024. Test Center mode: The default is 512, and the valid range is 128 to 2048, for example, for an environment with two FortiTester appliances.
Concurrent connections: Number of concurrent connections. Standalone mode: The default is 5,000,000. The valid range is 1,000 to 5,000,000. Test Center mode: The default is 10,000,000, and the valid range is 1,000 to 10,000,000, for example, for an environment with two FortiTester appliances.
Speed Limit: Rate of new transactions per second. The default is 0, which means the device will send traffic as fast as possible. Standalone mode: The valid range is 256 to 600,000 transactions per second (or the special value 0). Test Center mode: The valid range is 256 to 1,200,000, for example, for an environment with two FortiTester appliances.

Think Time: Seconds that a simulated user waits between HTTP requests. The default is 5 seconds.
Network MTU: Preset to 1500. Not configurable.

Profile (Client)
Source Port Range: Specify a client port range. The valid range is 10,000 to 65,535, which is also the default.
Client Close Mode: Preset to Reset. Not configurable.
Request Header: Preset to UserAgent: Firefox/41.0. Not configurable.
Piggybacking: Enabled, meaning an acknowledgement is sent on the data frame, not in an individual frame. Not configurable.

Profile (Server)
Server Port: Preset to 80. Not configurable.
Server Close Mode: Preset to 3Way_Fin. Not configurable.
Response Header: Preset to Server: nginx/1.9.5. Not configurable.
Piggybacking: Enabled. Not configurable.

Action
Get page: Select the file that the simulated clients access. The default is index_4bytes.html. Optionally, you can upload a customized HTML file. The file size limit is 1200 bytes.

Starting an HTTPS CPS test

The HTTPS CPS test is the same as the HTTP CPS test, except it uses HTTPS traffic, does not have the Speed Limit option, and the MTU is editable.

To start an HTTPS CPS test:
1. Go to Cases > HTTPS > CPS to display the test case summary page.
2. Click Add to display the Case Options dialog box.

3. In the popup dialog, configure the following settings:
   IP Version: IPv4 or IPv6.
   DUT Working Mode: Transparent mode, NAT mode, or Web Proxy mode. In the transparent mode, the DUT does not change the IP address of the packet. In NAT mode, the address is translated. In Web Proxy mode, the proxy address is used. If the DUT is configured in Web Proxy mode (e.g. a WAF), select Web Proxy.
   Network Config: Select the default template or a user-defined template. The network settings and subnet settings for the test case configuration are imported from the template. You can modify these settings after they are imported.
   Port Binding: Optional. Port binding aggregates two or more physical ports into one logical port.
   Click OK to continue.
4. Configure the test case options described in Table 6.
5. Click Start to run the test case.

FortiTester saves the configuration automatically so you can run the test again later. You can also click Save to save the test case without running it.

Tip: You can also copy an existing case, and change its settings to create a new case. In the case list, click Extend to clone the configuration. Only the case name is different from the original case.

Table 6: HTTPS CPS Test Case configuration

Basic Information
Name: Specify the case name, or just use the default. The name appears in the list of test cases.
Number of Samples: Select the number of samples. The default is 20, which means the web UI will show the last 20 sample data (about 20 seconds) in the test case running page. You can select 20, 60, or 120.
Duration: Specify the test duration. The default is 10 minutes. The test stops automatically after the duration you specify.

Network
Client Ports, Server Ports: The graphic depicts the test ports for client-side and server-side connections. The client ports simulate the behavior of clients; the server ports simulate the behavior of servers. FortiTester builds the TCP connections between client ports and server ports (and through the DUT, of course). You must select at least one client port and one server port. After you select a port for client, a (check mark) is displayed on the port icon, and a tab for the port is added below the graphic. Use the tabs to toggle the Capture Packets and Subnet settings controls for each port.

Capture Packets
Capture Packets: Optional. Set packet capture options if you want to capture the traffic of this port. You can capture all packets or specify a number. You can set packet capture filters for host IP/port and protocol. Note: The system allocates temporary disk space for packet captures. The limit is 200,000 packets. The packets are saved to a temporary file that you can download from the running test case page. The filename indicates whether it is client or server communication and the interface port number. For example, client_port1.pcap. When a subsequent test case with packet capture enabled uses the same interface port as a previous one, the previous file is overwritten.

Subnet
Subnet IP Address or Range: Specify a single IP address with standard format (for example, 10.1.2.1) or an address range like 10.1.2.1-10.1.2.99.
Netmask: Specify a netmask between 1 and 31.
Gateway: NAT mode only. Specify the gateway IP address.
Peer Network: NAT mode only. Specify the peer network subnet address.
Proxy IP/Mask: Web Proxy mode only. Specify the proxy IP address/netmask.
Add Subnet: If necessary, click +Add Subnet to display additional subnet configuration controls. An interface port can have multiple subnets. FortiTester uses all IP addresses in the specified subnets to create TCP connections and transfer data.

Load
Ping Server Timeout: If a FortiTester connects to a DUT via a switch, the switch might cause a ping timeout, resulting in the test case failing to run. If this occurs, increase the timeout. The default is 15 seconds. The valid range is 1 to 600.
Simulated Users: Number of users to simulate. Standalone mode: The default is 256. The valid range is 60 to 900. Test Center mode: The default is 512 and the valid range is 60 to 1,800, for example, for an environment with two FortiTester appliances.

Network
Network MTU: Maximum Transmission Unit for a data packet. FortiTester does not send out data packets larger than this value. Most DUTs have a limitation for packet size. The default is 1500. The valid range is 1,280 to 9,000.

Profile (Client)
Source Port Range: Preset to 10000-65535. Not configurable.
IP Change Algorithm / Port Change Algorithm: Determines how the system changes source/destination IP addresses and ports to simulate multiple client requests. Preset to Random. Not configurable. The Random option selects an IP address or port in the range randomly.
Request Header: Preset to UserAgent: Firefox/41.0. Not configurable.

Profile (Server)
Server Port: Preset to 80, 443. Not configurable.
Server Close Mode: Preset to 3Way_Fin. Not configurable.
Key Length: Length of SSL key for encryption/decryption. The default is 1024. The valid range is 1024 or 2048.
Response Header: Preset to Server: nginx/1.9.5. Not configurable.

Action
Get page: Select the file that the simulated clients access. The default is index_4bytes.html. Optionally, you can upload a customized HTML file. For Fast HTTP mode, the file size limit is 1200 bytes; for Common HTTP mode, the file size limit is 20 MB.

Starting an HTTPS RPS test

The HTTPS RPS test is the same as the HTTP RPS test, except it uses HTTPS traffic, does not have the Speed Limit option, and the MTU is editable.

To start an HTTPS RPS test:
1. Go to Cases > HTTPS > RPS to display the test case summary page.
2. Click Add to display the Case Options dialog box.
3. In the popup dialog, configure the following settings:
   IP Version: IPv4 or IPv6.
   DUT Working Mode: Transparent mode, NAT mode, or Web Proxy mode. In the transparent mode, the DUT does not change the IP address of the packet. In NAT mode, the address is translated. In Web Proxy mode, the proxy address is used. If the DUT is configured in Web Proxy mode (e.g. a WAF), select Web Proxy.
   Network Config: Select the default template or a user-defined template. The network settings and subnet settings for the test case configuration are imported from the template. You can modify these settings after they are imported.
   Port Binding: Optional. Port binding aggregates two or more physical ports into one logical port.
   Click OK to continue.
4. Configure the test case options described in Table 7.
5. Click Start to run the test case.

FortiTester saves the configuration automatically so you can run the test again later. You can also click Save to save the test case without running it.

Tip: You can also copy an existing case, and change its settings to create a new case. In the case list, click Extend to clone the configuration. Only the case name is different from the original case.

Table 7: HTTPS RPS Test Case configuration

Basic Information
Name: Specify the case name, or just use the default. The name appears in the list of test cases.
Number of Samples: Select the number of samples. The default is 20, which means the web UI will show the last 20 sample data (about 20 seconds) in the test case running page. You can select 20, 60, or 120.
Duration: Specify the test duration. The default is 10 minutes. The test stops automatically after the duration you specify.

Network
Client Ports, Server Ports: The graphic depicts the test ports for client-side and server-side connections. The client ports simulate the behavior of clients; the server ports simulate the behavior of servers. FortiTester builds the TCP connections between client ports and server ports (and through the DUT, of course). You must select at least one client port and one server port. After you select a port for client, a (check mark) is displayed on the port icon, and a tab for the port is added below the graphic. Use the tabs to toggle the Capture Packets and Subnet settings controls for each port.

Capture Packets
Capture Packets: Optional. Set packet capture options if you want to capture the traffic of this port. You can capture all packets or specify a number. You can set packet capture filters for host IP/port and protocol. Note: The system allocates temporary disk space for packet captures. The limit is 200,000 packets. The packets are saved to a temporary file that you can download from the running test case page. The filename indicates whether it is client or server communication and the interface port number. For example, client_port1.pcap. When a subsequent test case with packet capture enabled uses the same interface port as a previous one, the previous file is overwritten.

Subnet
Subnet IP Address or Range: Specify a single IP address with standard format (for example, 10.1.2.1) or an address range like 10.1.2.1-10.1.2.99.
Netmask: Specify a netmask between 1 and 31.
Gateway: NAT mode only. Specify the gateway IP address.
Peer Network: NAT mode only. Specify the peer network subnet address.
Proxy IP/Mask: Web Proxy mode only. Specify the proxy IP address/netmask.
Add Subnet: If necessary, click +Add Subnet to display additional subnet configuration controls. An interface port can have multiple subnets. FortiTester uses all IP addresses in the specified subnets to create TCP connections and transfer data.

Load
Ping Server Timeout: If a FortiTester connects to a DUT via a switch, the switch might cause a ping timeout, resulting in the test case failing to run. If this occurs, increase the timeout. The default is 15 seconds. The valid range is 1 to 600.
Simulated Users: Number of users to simulate. Standalone mode: The default is 256. The valid range is 60 to 900. Test Center mode: The default is 512, and the valid range is 60 to 1,800, for example, for an environment with two FortiTester appliances.
Requests per Connection: Rate of HTTP requests per connection. The default is 200. The valid range is 200 to 10,000.
Speed Limit: Rate of requests per second. The default is 0, which means the device will send traffic as fast as possible. Standalone mode: The valid range is 100 to 1,600,000 requests per second (or the special value 0). Test Center mode: The valid range is 100 to 3,200,000, for example, for an environment with two FortiTester appliances.
Ramp Seconds: Time in seconds for traffic to ramp up/down when you start/stop the test.

Network
Network MTU: Maximum Transmission Unit for a data packet. FortiTester does not send out data packets larger than this value. Most DUTs have a limitation for packet size. The default is 1500. The valid range is 1,280 to 9,000.

Profile (Client)
Source Port Range: Preset to 10000-65535. Not configurable.
IP Change Algorithm / Port Change Algorithm: Determines how the system changes source/destination IP addresses and ports to simulate multiple client requests. Preset to Random. Not configurable. The Random option selects an IP address or port in the range randomly.
Request Header: Preset to UserAgent: Firefox/41.0. Not configurable.

Profile (Server)
Server Port: Preset to 80, 443. Not configurable.
Server Close Mode: Preset to Reset. Not configurable.
Key Length: Length of SSL key for encryption/decryption. The default is 1024. The valid range is 1024 or 2048.
Response Header: Preset to Server: nginx/1.9.5. Not configurable.

Action
Get page: Select the file that the simulated clients access. The default is index_4bytes.html. Optionally, you can upload a customized HTML file. The file size limit is 20 MB.

Starting a TCP connection test

FortiTester tests TCP concurrent connection performance by generating a specified volume of two-way TCP traffic flow via specified ports.

To start a TCP connection test:
1. Go to Cases > TCP > Connection to display the test case summary page.
2. Click Add to display the Case Options dialog box.

3. In the popup dialog, configure the following settings:
   IP Version: IPv4 or IPv6.
   DUT Working Mode: Transparent mode or NAT mode. In the transparent mode, the DUT does not change the IP address of the packet. In NAT mode, the address is translated.
   Network Config: Select the default template or a user-defined template. The network settings and subnet settings for the test case configuration are imported from the template. You can modify these settings after they are imported.
   Port Binding: Optional. Port binding aggregates two or more physical ports into one logical port.
   Click OK to continue.
4. Configure the test case options described in Table 8.
5. Click Start to run the test case.

FortiTester saves the configuration automatically so you can run the test again later. You can also click Save to save the test case without running it.

Tip: You can also copy an existing case, and change its settings to create a new case. In the case list, click Extend to clone the configuration. Only the case name is different from the original case.

Table 8: TCP Connection Test Case configuration

Basic Information
Name: Specify the case name, or just use the default. The name appears in the list of test cases.
Number of Samples: Select the number of samples. The default is 20, which means the web UI will show the last 20 sample data (about 20 seconds) in the test case running page. You can select 20, 60, or 120.
Duration: Specify the test duration. The default is 10 minutes. The test stops automatically after the duration you specify.

Network
Client Ports, Server Ports: The graphic depicts the test ports for client-side and server-side connections. The client ports simulate the behavior of clients; the server ports simulate the behavior of servers. FortiTester builds the TCP connections between client ports and server ports (and through the DUT, of course). You must select at least one client port and one server port. After you select a port for client, a (check mark) is displayed on the port icon, and a tab for the port is added below the graphic. Use the tabs to toggle the Capture Packets and Subnet settings controls for each port.

Capture Packets
Capture Packets: Optional. Set packet capture options if you want to capture the traffic of this port. You can capture all packets or specify a number. You can set packet capture filters for host IP/port and protocol. Note: The system allocates temporary disk space for packet captures. The limit is 200,000 packets. The packets are saved to a temporary file that you can download from the running test case page. The filename indicates whether it is client or server communication and the interface port number. For example, client_port1.pcap. When a subsequent test case with packet capture enabled uses the same interface port as a previous one, the previous file is overwritten.

Subnet
Subnet IP Address or Range: Specify a single IP address with standard format (for example, 10.1.2.1) or an address range like 10.1.2.1-10.1.2.99.
Netmask: Specify a netmask between 1 and 31.
Gateway: NAT mode only. Specify the gateway IP address.
Peer Network: NAT mode only. Specify the peer network subnet address.
Add Subnet: If necessary, click +Add Subnet to display additional subnet configuration controls. An interface port can have multiple subnets. FortiTester uses all IP addresses in the specified subnets to create TCP connections and transfer data.

Load
Ping Server Timeout: If a FortiTester connects to a DUT via a switch, the switch might cause a ping timeout, resulting in the test case failing to run. If this occurs, increase the timeout. The default is 15 seconds. The valid range is 1 to 600.
Simulated Users: Number of users to simulate. Standalone mode: The default is 256. The valid range is 128 to 1024. Test Center mode: The default is 512, and the valid range is 128 to 2048, for example, for an environment with two FortiTester appliances.
Concurrent Connection: Number of concurrent connections. Standalone mode: The default is 5,000,000. The valid range is 1,000 to 5,000,000. Test Center mode: The default is 10,000,000, and the valid range is 1,000 to 10,000,000, for example, for an environment with two FortiTester appliances.
Speed Limit: Rate of new connections per second. The default is 0, which means the device will create connections as fast as possible. Standalone mode: The valid range is 256 to 600,000 connections per second (or the special value 0). Test Center mode: The valid range is 256 to 1,200,000, for example, for an environment with two FortiTester appliances.
Network MTU: Preset to 1500. Not configurable.

Profile (Client)
Source Port Range: Specify a client port range. The valid range is 10,000 to 65,535, which is also the default.
Client Close Mode: Preset to Reset. Not configurable.
Piggybacking: Disabled. Not configurable.

Profile (Server)
Server Port: Preset to 80. Not configurable.

Server Close Mode: Preset to 3Way_Fin. Not configurable.
Piggybacking: Enabled, meaning an acknowledgement is sent on the data frame, not in an individual frame. Not configurable.

Starting a TCP throughput test

FortiTester tests TCP throughput by generating a specified volume of two-way TCP traffic flow via specified ports.

To start a TCP throughput test:
1. Go to Cases > TCP > Throughput to display the test case summary page.
2. Click Add to display the Case Options dialog box.
3. In the popup dialog, configure the following settings:
   IP Version: IPv4 or IPv6.
   DUT Working Mode: Transparent mode or NAT mode. In the transparent mode, the DUT does not change the IP address of the packet. In NAT mode, the address is translated.
   Network Config: Select the default template or a user-defined template. The network settings and subnet settings for the test case configuration are imported from the template. You can modify these settings after they are imported.
   Port Binding: Optional. Port binding aggregates two or more physical ports into one logical port.
   Click OK to continue.
4. Configure the test case options described in Table 9.
5. Click Start to run the test case.

FortiTester saves the configuration automatically so you can run the test again later. You can also click Save to save the test case without running it.

Tip: You can also copy an existing case, and change its settings to create a new case. In the case list, click Extend to clone the configuration. Only the case name is different from the original case.

Table 9: TCP Throughput Test Case configuration

Basic Information
Name: Specify the case name, or just use the default. The name appears in the list of test cases.

Number of Samples: Select the number of samples. The default is 20, which means the web UI will show the last 20 sample data (about 20 seconds) in the test case running page. You can select 20, 60, or 120.
Duration: Specify the test duration. The default is 10 minutes. The test stops automatically after the duration you specify.
Performance: Preset to Fast HTTP Mode. Not configurable.

Network
Client Ports, Server Ports: The graphic depicts the test ports for client-side and server-side connections. The client ports simulate the behavior of clients; the server ports simulate the behavior of servers. FortiTester builds the TCP connections between client ports and server ports (and through the DUT, of course). You must select at least one client port and one server port. After you select a port for client, a (check mark) is displayed on the port icon, and a tab for the port is added below the graphic. Use the tabs to toggle the Capture Packets and Subnet settings controls for each port.

Capture Packets
Capture Packets: Optional. Set packet capture options if you want to capture the traffic of this port. You can capture all packets or specify a number. You can set packet capture filters for host IP/port and protocol. Note: The system allocates temporary disk space for packet captures. The limit is 200,000 packets. The packets are saved to a temporary file that you can download from the running test case page. The filename indicates whether it is client or server communication and the interface port number. For example, client_port1.pcap. When a subsequent test case with packet capture enabled uses the same interface port as a previous one, the previous file is overwritten.

Subnet
IP Address or Range: Specify a single IP address with standard format (for example, 10.1.2.1) or an address range like 10.1.2.1-10.1.2.99.
Netmask: Specify a netmask between 1 and 31.

Gateway: NAT mode only. Specify the gateway IP address.
Peer Network: NAT mode only. Specify the peer network subnet address.
Add Subnet: If necessary, click +Add Subnet to display additional subnet configuration controls. An interface port can have multiple subnets. FortiTester uses all IP addresses in the specified subnets to create TCP connections and transfer data.

Load
Ping Server Timeout: If a FortiTester connects to a DUT via a switch, the switch might cause a ping timeout, resulting in the test case failing to run. If this occurs, increase the timeout. The default is 15 seconds. The valid range is 1 to 600.
Simulated Users: Number of users to simulate. Standalone mode: The default is 256. The valid range is 128 to 1024. Test Center mode: The default is 512, and the valid range is 128 to 2048, for example, for an environment with two FortiTester appliances.
Bandwidth Limit: TCP data load. The default is the special value 0, which means to transfer as much data as FortiTester can generate. For all other values, the unit is Mbit per second.

Network
Network MTU: Maximum Transmission Unit for a data packet. FortiTester does not send out data packets larger than this value. Most DUTs have a limitation for packet size. The default is 1500. Fortinet recommends that you use the default.
Throughput Buffer Size: TCP buffer size. The bigger the buffer, the better the throughput. The default is 1460 bytes. The valid range is 64 to 10M.

Profile (Client)
Source Port Range: Specify a client port range. The valid range is 10,000 to 65,535, which is also the default.
IP Change Algorithm / Port Change Algorithm: Select a change algorithm: Increment or Random. This setting determines how the system changes source/destination IP addresses and ports to simulate multiple client requests. The Increment option uses the next IP address or port in the range, for example: 10.11.12.1 -> 10.11.12.2; port 10000 -> 10001. The Random option selects an IP address or port in the range randomly.

Piggybacking: Enabled, meaning an acknowledgment is sent on the data frame, not in an individual frame. Not configurable.

Profile (Server)

Server Port: Preset to 6500. Not configurable.
Server Close Mode: Select the connection close method: 3Way_Fin or Reset.
Piggybacking: Enabled. Not configurable.

Starting a TurboTCP test

FortiTester tests TurboTCP connections per second (CPS) performance by generating a specified volume of two-way TCP traffic flow via specified ports. The traffic generated for each connection includes the TCP three-way handshake and the TCP connection close (Reset).

To start a TurboTCP test:

1. Go to Cases > TCP > TurboTCP to display the test case summary page.
2. Click Add to display the Case Options dialog box.
3. In the popup dialog, configure the following settings:
   IP Version: IPv4 or IPv6.
   DUT Working Mode: Transparent mode, NAT mode, or Web Proxy mode. In transparent mode, the DUT does not change the IP address of the packet. In NAT mode, the address is translated. In Web Proxy mode, the proxy address is used. If the DUT is configured in Web Proxy mode (e.g. a WAF), select Web Proxy.
   Network Config: Select the default template or a user-defined template. The network settings and subnet settings for the test case configuration are imported from the template. You can modify these settings after they are imported.
   Port Binding: Optional. Port binding aggregates two or more physical ports into one logical port.
   Click OK to continue.
4. Configure the test case options described in Table 10.
5. Click Start to run the test case.

FortiTester saves the configuration automatically so you can run the test again later. You can also click Save to save the test case without running it.

Tip: You can also copy an existing case, and change its settings to create a new case. In the case list, click Extend to clone the configuration. Only the case name is different from the original case.

Table 10: TurboTCP Test Case configuration

Basic Information

Name: Specify the case name, or just use the default. The name appears in the list of test cases.
Number of Samples: Select the number of samples. The default is 20, which means the web UI shows the last 20 data samples (about 20 seconds) on the test case running page. You can select 20, 60, or 120.
Duration: Specify the test duration. The default is 10 minutes. The test stops automatically after the duration you specify.

Network

Client Ports, Server Ports: The graphic depicts the test ports for client-side and server-side connections. The client ports simulate the behavior of clients; the server ports simulate the behavior of servers. FortiTester builds the TCP connections between client ports and server ports (and through the DUT, of course). You must select at least one client port and one server port. After you select a port for client, a check mark is displayed on the port icon, and a tab for the port is added below the graphic. Use the tabs to toggle the Capture Packets and Subnet settings controls for each port.

Capture Packets

Capture Packets: Optional. Set packet capture options if you want to capture the traffic of this port. You can capture all packets or specify a number. You can set packet capture filters for host IP/port and protocol.
Note: The system allocates temporary disk space for packet captures. The limit is 200,000 packets. The packets are saved to a temporary file that you can download from the running test case page. The filename indicates whether it is client or server communication and the interface port number. For example, client_port1.pcap. When a subsequent test case with packet capture enabled uses the same interface port as a previous one, the previous file is overwritten.

Subnet

IP Address or Range: Specify a single IP address with standard format (for example, 10.1.2.1) or an address range like 10.1.2.1-10.1.2.99.
Netmask: Specify a netmask between 1 and 31.
Gateway: NAT mode only. Specify the gateway IP address.
Peer Network: NAT mode only. Specify the peer network subnet address.
Proxy IP/Mask: Web Proxy mode only. Specify the proxy IP address/netmask.
Add Subnet: If necessary, click +Add Subnet to display additional subnet configuration controls. An interface port can have multiple subnets. FortiTester uses all IP addresses in the specified subnets to create TCP connections and transfer data.

Load

Ping Server Timeout: If a FortiTester connects to a DUT via a switch, the switch might cause a ping timeout, resulting in the test case failing to run. If this occurs, increase the timeout. The default is 15 seconds. The valid range is 1 to 600.
Simulated Users: Number of users to simulate. Standalone mode: The default is 256. The valid range is 128 to 1024. Test Center mode: The default is 512, and the valid range is 128 to 2048, for example, for an environment with two FortiTester appliances.
Speed Limit: Rate of new connections per second. The default is 0, which means the device will create connections as fast as possible. Standalone mode: The valid range is 1,000 to 2,000,000 connections per second (or the special value 0). Test Center mode: The valid range is 1,000 to 4,000,000, for example, for an environment with two FortiTester appliances.
Ramp Seconds: Time in seconds for traffic to ramp up/down when you start/stop the test.

Network

Network MTU: Maximum Transmission Unit for a data packet. FortiTester does not send out data packets larger than this value. Most DUTs have a limitation for packet size. The default is 1500. The valid range is 1,280 to 9,000.

Profile (Client)

Source Port Range: Specify a client port range. The valid range is 10,000 to 65,535, which is also the default.
IP Change Algorithm / Port Change Algorithm: Select a change algorithm: Increment or Random. This setting determines how the system changes source/destination IP addresses and ports to simulate multiple client requests. The Increment option uses the next IP address or port in the range, for example: 10.11.12.1 -> 10.11.12.2; port 10000 -> 10001. The Random option selects an IP address or port in the range randomly.
Piggybacking: Disabled. Not configurable.

Profile (Server)

Server Port: Preset to 6000. Not configurable.
Server Close Mode: Select the connection close method: 3Way_Fin or Reset.
Piggybacking: Enabled, meaning an acknowledgement is sent on the data frame, not in an individual frame. Not configurable.

Starting a UDP PPS test

FortiTester tests UDP throughput by sending a specified size of UDP frames at a maximum or limited speed from simulated clients to simulated servers.

To start a UDP PPS test:

1. Go to Cases > UDP > PPS to display the test case summary page.
2. Click Add to display the Case Options dialog box.
3. In the popup dialog, configure the following settings:
   IP Version: IPv4 or IPv6.
   DUT Working Mode: Transparent mode or NAT mode. In transparent mode, the DUT does not change the IP address of the packet. In NAT mode, the address is translated.

   Network Config: Select the default template or a user-defined template. The network settings and subnet settings for the test case configuration are imported from the template. You can modify these settings after they are imported.
   Click OK to continue.
4. Configure the test case options described in Table 11.
5. Click Start to run the test case.

FortiTester saves the configuration automatically so you can run the test again later. You can also click Save to save the test case without running it.

Tip: You can also copy an existing case, and change its settings to create a new case. In the case list, click Extend to clone the configuration. Only the case name is different from the original case.

Table 11: UDP PPS Test Case configuration

Basic Information

Name: Specify the case name, or just use the default. The name appears in the list of test cases.
Number of Samples: Select the number of samples. The default is 20, which means the web UI shows the last 20 data samples (about 20 seconds) on the test case running page. You can select 20, 60, or 120.
Duration: Specify the test duration. The default is 10 minutes. The test stops automatically after the duration you specify.

Network

Client Ports, Server Ports: The graphic depicts the test ports for client-side and server-side connections. The client ports simulate the behavior of clients; the server ports simulate the behavior of servers. FortiTester builds the TCP connections between client ports and server ports (and through the DUT, of course). You must select at least one client port and one server port. After you select a port for client, a check mark is displayed on the port icon, and a tab for the port is added below the graphic. Use the tabs to toggle the Capture Packets and Subnet settings controls for each port.

Capture Packets

Capture Packets: Optional. Set packet capture options if you want to capture the traffic of this port. You can capture all packets or specify a number. You can set packet capture filters for host IP/port and protocol.
Note: The system allocates temporary disk space for packet captures. The limit is 200,000 packets. The packets are saved to a temporary file that you can download from the running test case page. The filename indicates whether it is client or server communication and the interface port number. For example, client_port1.pcap. When a subsequent test case with packet capture enabled uses the same interface port as a previous one, the previous file is overwritten.

Subnet

IP Address or Range: Specify a single IP address with standard format (for example, 10.1.2.1) or an address range like 10.1.2.1-10.1.2.99.
Netmask: Specify a netmask between 1 and 31.
Gateway: NAT mode only. Specify the gateway IP address.
Peer Network: NAT mode only. Specify the peer network subnet address.
Add Subnet: If necessary, click +Add Subnet to display additional subnet configuration controls. An interface port can have multiple subnets. FortiTester uses all IP addresses in the specified subnets to create UDP connections and transfer data.

Load

Ping Server Timeout: If a FortiTester connects to a DUT via a switch, the switch might cause a ping timeout, resulting in the test case failing to run. If this occurs, increase the timeout. The default is 15 seconds. The valid range is 1 to 600.
Simulated Users: Number of users to simulate. Standalone mode: The default is 256. The valid range is 128 to 512. Test Center mode: The default is 512, and the valid range is 128 to 1024, for example, for an environment with two FortiTester appliances.
UDP Package Size: The default is 64 bytes. The valid range is 64 to 1518.

Bandwidth Limit: The default is 0, which means the maximum possible. The unit is Mbps. Standalone mode: The valid range is 10 to 20,000 (or the special value 0). Test Center mode: The valid range is 10 to 40,000, for example, for an environment with two FortiTester appliances.
Ramp Seconds: Time in seconds for traffic to ramp up/down when you start/stop the test.

Network

Network MTU: Preset to 1500. Not configurable.

Profile (Client)

Source Port Range: Specify a client port range. The valid range is 10,000 to 65,535, which is also the default.
IP Change Algorithm / Port Change Algorithm: Determines how the system changes source/destination IP addresses and ports to simulate multiple client requests. Preset to Increment. Not configurable. The Increment option uses the next IP address or port in the range, for example: 10.11.12.1 -> 10.11.12.2; port 10000 -> 10001.

Profile (Server)

Server Port: The default is 514. The valid range is 0 to 65,535.

Starting a UDP Payload test

FortiTester tests UDP payload by sending UDP frames with the specified payload from the client ports to the server ports.

To start a UDP payload test:

1. Go to Cases > UDP > Payload to display the test case summary page.
2. Click Add to display the Case Options dialog box.
3. In the popup dialog, configure the following settings:
   IP Version: IPv4 or IPv6.
   DUT Working Mode: Transparent mode or NAT mode. In transparent mode, the DUT does not change the IP address of the packet. In NAT mode, the address is translated.
   Network Config: Select the default template or a user-defined template. The network settings and subnet settings for the test case configuration are imported from the template. You can modify these settings after they are imported.
   Click OK to continue.

4. Configure the test case options described in Table 12.
5. Click Start to run the test case.

FortiTester saves the configuration automatically so you can run the test again later. You can also click Save to save the test case without running it.

Tip: You can also copy an existing case, and change its settings to create a new case. In the case list, click Extend to clone the configuration. Only the case name is different from the original case.

Table 12: UDP Payload Test Case configuration

Basic Information

Name: Specify the case name, or just use the default. The name appears in the list of test cases.
Number of Samples: Select the number of samples. The default is 20, which means the web UI shows the last 20 data samples (about 20 seconds) on the test case running page. You can select 20, 60, or 120.
Duration: Specify the test duration. The default is 10 minutes. The test stops automatically after the duration you specify.

Network

Client Ports, Server Ports: The graphic depicts the test ports for client-side and server-side connections. The client ports simulate the behavior of clients; the server ports simulate the behavior of servers. FortiTester builds the TCP connections between client ports and server ports (and through the DUT, of course). You must select at least one client port and one server port. After you select a port for client, a check mark is displayed on the port icon, and a tab for the port is added below the graphic. Use the tabs to toggle the Capture Packets and Subnet settings controls for each port.

Capture Packets

Capture Packets: Optional. Set packet capture options if you want to capture the traffic of this port. You can capture all packets or specify a number. You can set packet capture filters for host IP/port and protocol.
Note: The system allocates temporary disk space for packet captures. The limit is 200,000 packets. The packets are saved to a temporary file that you can download from the running test case page. The filename indicates whether it is client or server communication and the interface port number. For example, client_port1.pcap. When a subsequent test case with packet capture enabled uses the same interface port as a previous one, the previous file is overwritten.

Subnet

IP Address or Range: Specify a single IP address with standard format (for example, 10.1.2.1) or an address range like 10.1.2.1-10.1.2.99.
Netmask: Specify a netmask between 1 and 31.
Gateway: NAT mode only. Specify the gateway IP address.
Peer Network: NAT mode only. Specify the peer network subnet address.
Add Subnet: If necessary, click +Add Subnet to display additional subnet configuration controls. An interface port can have multiple subnets. FortiTester uses all IP addresses in the specified subnets to create UDP connections and transfer data.

Load

Payload: Use the plain text predefined format to specify the payload.
Ping Server Timeout: If a FortiTester connects to a DUT via a switch, the switch might cause a ping timeout, resulting in the test case failing to run. If this occurs, increase the timeout. The default is 15 seconds. The valid range is 1 to 600.
Simulated Users: Number of users to simulate. Standalone mode: The default is 256. The valid range is 128 to 512. Test Center mode: The default is 512, and the valid range is 128 to 1024, for example, for an environment with two FortiTester appliances.

Bandwidth Limit: The default is 0, which means the maximum possible. The unit is Mbps. Standalone mode: The valid range is 10 to 20,000 (or the special value 0). Test Center mode: The valid range is 10 to 40,000, for example, for an environment with two FortiTester appliances.
Ramp Seconds: Time in seconds for traffic to ramp up/down when you start/stop the test.

Network

Network MTU: Preset to 2500. Not configurable.

Profile (Client)

Source Port Range: Specify a client port range. The valid range is 10,000 to 65,535, which is also the default.
IP Change Algorithm / Port Change Algorithm: Determines how the system changes source/destination IP addresses and ports to simulate multiple client requests. Preset to Increment. Not configurable. The Increment option uses the next IP address or port in the range, for example: 10.11.12.1 -> 10.11.12.2; port 10000 -> 10001.

Profile (Server)

Server Port: The default is 514. The valid range is 0 to 65,535.

Starting an Attack Replay test

FortiTester can test security systems by replaying a predefined set of attack traffic. The predefined set covers 100 types of attacks. The test result shows the CVE-ID for every type of attack. You can also see the attack list in the Cases > Replay > Attack page.

Note: The Attack Replay test is available only in Standalone work mode.

Before you begin:

Optional. If you want to test custom attack traffic, you must create a package of pcap files that can be replayed. Only IPv4 traffic is supported. Follow the file naming convention: Description[CVE-$CVEID].pcap. Here [] means optional. The file type can be .pcap, .tgz, .tar.gz, or .zip. A .tgz, .tar.gz, or .zip file includes a group of .pcap files. Maximum file size is 200MB.

To start an Attack Replay test:

1. Go to Cases > Replay > Attack to display the test case summary page.
2. Click Add to display the Case Options dialog box.

3. In the popup dialog, configure the following settings:
   IP Version: IPv4 or IPv6.
   DUT Working Mode: Transparent mode or NAT mode. In transparent mode, the DUT does not change the IP address of the packet. In NAT mode, the address is translated.
   Network Config: Select the default template or a user-defined template. The network settings and subnet settings for the test case configuration are imported from the template. You can modify these settings after they are imported.
   Click OK to continue.
4. Configure the test case options described in Table 13.
5. Click Start to run the test case.

FortiTester saves the configuration automatically so you can run the test again later. You can also click Save to save the test case without running it.

Tip: You can also copy an existing case, and change its settings to create a new case. In the case list, click Extend to clone the configuration. Only the case name is different from the original case.

Table 13: Attack Replay Test Case configuration

Basic Information

Name: Specify the case name, or just use the default. The name appears in the list of test cases.

Network

Client Ports, Server Ports: The graphic depicts the test ports for client-side and server-side connections. The client ports simulate the behavior of clients; the server ports simulate the behavior of servers. FortiTester builds the TCP connections between client ports and server ports (and through the DUT, of course). You must select at least one client port and one server port. After you select a port for client, a check mark is displayed on the port icon, and a tab for the port is added below the graphic. Use the tabs to toggle the Capture Packets and Subnet settings controls for each port.

Capture Packets

Capture Packets: Optional. Set packet capture options if you want to capture the traffic of this port. You can capture all packets or specify a number. You can set packet capture filters for host IP/port and protocol.
Note: The system allocates temporary disk space for packet captures. The limit is 200,000 packets. The packets are saved to a temporary file that you can download from the running test case page. The filename indicates whether it is client or server communication and the interface port number. For example, client_port1.pcap. When a subsequent test case with packet capture enabled uses the same interface port as a previous one, the previous file is overwritten.

Subnet

IP Address or Range: Specify a single IP address with standard format (for example, 10.1.2.1) or an address range like 10.1.2.1-10.1.2.99.
Netmask: Specify a netmask between 1 and 31.
Gateway: NAT mode only. Specify the gateway IP address.
Peer Network: NAT mode only. Specify the peer network subnet address.

Load

Ping Server Timeout: If a FortiTester connects to a DUT via a switch, the switch might cause a ping timeout, resulting in the test case failing to run. If this occurs, increase the timeout. The default is 15 seconds. The valid range is 1 to 600.
Peer Receiving Timeout: This timeout specifies how long the client waits for a response from the server. If the client does not receive a response within the timeout, it considers the packet lost. The default value is 2 milliseconds.
Break Once Packet Lost: Select Yes or No. The Yes option means when the system identifies packet loss (the server side has not received the packet that client sent out), it stops the current traffic replay (pcap file), and continues the test with the next traffic file. The No option (the default) means a break is not set; the current replay continues.

Network

Network MTU: Preset to 1500. Not configurable.

Action

Enable System Attack List: Enable/disable the system attack list. There are 100 types of attacks in the system attack list.
User Intrusion: Optional. Select attacks from the user-defined attack list. Before you can select them, you must upload pcap files that contain your customized attack traffic. At the top of the case list, click User Attack List and then upload your file.

Starting a Traffic Replay test

FortiTester tests user-defined scenarios by replaying pcap files. Typically, pcap files are generated by programs like tcpdump or Wireshark.

Note: The Traffic Replay test is available only in Standalone work mode.

Before you begin:

You must create pcap files that can be replayed. Only IPv4 traffic is supported. Maximum file size is 200MB.

To start a Traffic Replay test:

1. Go to Cases > Replay > Traffic to display the test case summary page.
2. Click Add to display the Case Options dialog box.
3. In the popup dialog, configure the following settings:
   IP Version: IPv4 or IPv6.
   DUT Working Mode: Transparent mode or NAT mode. In transparent mode, the DUT does not change the IP address of the packet. In NAT mode, the address is translated.
   Network Config: Select the default template or a user-defined template. The network settings and subnet settings for the test case configuration are imported from the template. You can modify these settings after they are imported.
   Click OK to continue.
4. Configure the test case options described in Table 14.
5. Click Start to run the test case.

FortiTester saves the configuration automatically so you can run the test again later. You can also click Save to save the test case without running it.

Tip: You can also copy an existing case, and change its settings to create a new case. In the case list, click Extend to clone the configuration. Only the case name is different from the original case.

Table 14: Traffic Replay Test Case configuration

Basic Information

Name: Specify the case name, or just use the default. The name appears in the list of test cases.
Number of Samples: Select the number of samples. The default is 20, which means the web UI shows the last 20 data samples (about 20 seconds) on the test case running page. You can select 20, 60, or 120.
Duration: Specify the test duration. The default is 10 minutes. The test stops automatically after the duration you specify.

Network

Client Ports, Server Ports: The graphic depicts the test ports for client-side and server-side connections. The client ports simulate the behavior of clients; the server ports simulate the behavior of servers. FortiTester builds the TCP connections between client ports and server ports (and through the DUT, of course). You must select at least one client port and one server port. After you select a port for client, a check mark is displayed on the port icon, and a tab for the port is added below the graphic. Use the tabs to toggle the Capture Packets and Subnet settings controls for each port.

Capture Packets

Capture Packets: Optional. Set packet capture options if you want to capture the traffic of this port. You can capture all packets or specify a number. You can set packet capture filters for host IP/port and protocol.
Note: The system allocates temporary disk space for packet captures. The limit is 200,000 packets. The packets are saved to a temporary file that you can download from the running test case page. The filename indicates whether it is client or server communication and the interface port number. For example, client_port1.pcap. When a subsequent test case with packet capture enabled uses the same interface port as a previous one, the previous file is overwritten.

Subnet

IP Address or Range: Specify a single IP address with standard format (for example, 10.1.2.1) or an address range like 10.1.2.1-10.1.2.99.

Netmask: Specify a netmask between 1 and 31.
Gateway: NAT mode only. Specify the gateway IP address.
Peer Network: NAT mode only. Specify the peer network subnet address.

Load

Ping Server Timeout: If a FortiTester connects to a DUT via a switch, the switch might cause a ping timeout, resulting in the test case failing to run. If this occurs, increase the timeout. The default is 15 seconds. The valid range is 1 to 600.
Bandwidth Limit: The default is 0, which means the maximum possible. The valid range is 10 to 10,000 Mbps (or the special value 0).
Loops: Number of times to play the pcap file. The default is 10,000. 0 means as many as possible.
Input Pcap: You can upload pcap files from your PC and select one to send. Note that the uploaded files can be used for future cases.

Starting a DDoS test

FortiTester tests the ability of the DUT to handle different types of DDoS attack. The traffic load tries to exhaust the DUT's resources with multiple DDoS attack types.

To start a DDoS test:

1. Go to Cases > DDoS > DDoS Attack to display the test case summary page.
2. Click Add to display the Case Options dialog box.
3. In the popup dialog, configure the following settings:
   IP Version: IPv4 or IPv6.
   DUT Working Mode: Transparent mode or NAT mode. In transparent mode, the DUT does not change the IP address of the packet. In NAT mode, the address is translated.
   Network Config: Select the default template or a user-defined template. The network settings and subnet settings for the test case configuration are imported from the template. You can modify these settings after they are imported.
   Click OK to continue.
4. Configure the test case options described in Table 15.
5. Click Start to run the test case.

FortiTester saves the configuration automatically so you can run the test again later. You can also click Save to save the test case without running it.
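Looking back at the pcap prerequisites for the Attack Replay and Traffic Replay tests (pcap or archive of pcaps, IPv4 only, 200MB maximum, optional CVE tag in the filename), the following pre-upload check is an added example, not part of the handbook or of FortiTester. It assumes that the brackets in Description[CVE-$CVEID].pcap only mark the CVE tag as optional, that $CVEID has the form year-number, that 200MB means 200 MiB, and that captures are classic pcap with Ethernet framing; the sample capture and the CVE-0000-0001 tag are constructed placeholders.

```python
import io
import re
import struct
import tarfile
import zipfile

MAX_UPLOAD_BYTES = 200 * 1024 * 1024  # assumption: "200MB" read as 200 MiB
# Assumed reading of "Description[CVE-$CVEID].pcap": free text, then an optional
# CVE-<year>-<number> tag; the square brackets only mark the tag as optional.
NAME_RE = re.compile(r"^(?P<desc>.+?)(?:CVE-(?P<cve>\d{4}-\d{4,}))?\.pcap$", re.IGNORECASE)
PCAP_MAGICS = {0xA1B2C3D4, 0xA1B23C4D}  # microsecond and nanosecond timestamp variants
LINKTYPE_ETHERNET, ETH_IPV4, ETH_VLAN = 1, 0x0800, 0x8100


def parse_name(filename):
    """Return (description, cve_or_None), or None if the name breaks the convention."""
    match = NAME_RE.match(filename)
    if not match:
        return None
    cve = match.group("cve")
    return match.group("desc").rstrip(" _-"), ("CVE-" + cve if cve else None)


def non_ipv4_frames(data):
    """Return [(frame_index, ethertype)] for every Ethernet frame that is not IPv4."""
    if len(data) < 24:
        raise ValueError("too short to be a pcap file")
    for endian in ("<", ">"):  # the magic number tells us the file's byte order
        fields = struct.unpack(endian + "IHHiIII", data[:24])
        if fields[0] in PCAP_MAGICS:
            break
    else:
        raise ValueError("not a classic pcap file (bad magic)")
    if fields[6] != LINKTYPE_ETHERNET:
        raise ValueError("link type %d is not handled here" % fields[6])
    bad, offset, index = [], 24, 0
    while offset + 16 <= len(data):
        incl_len = struct.unpack(endian + "IIII", data[offset:offset + 16])[2]
        frame = data[offset + 16:offset + 16 + incl_len]
        if len(frame) < incl_len:
            raise ValueError("frame %d is truncated" % index)
        ethertype = struct.unpack("!H", frame[12:14])[0] if len(frame) >= 14 else None
        if ethertype == ETH_VLAN and len(frame) >= 18:  # look past one 802.1Q tag
            ethertype = struct.unpack("!H", frame[16:18])[0]
        if ethertype != ETH_IPV4:
            bad.append((index, ethertype))
        offset += 16 + incl_len
        index += 1
    return bad


def pcap_members(filename, data):
    """Yield (name, bytes) for a bare pcap, or for each file inside an archive."""
    if filename.lower().endswith(".zip"):
        with zipfile.ZipFile(io.BytesIO(data)) as archive:
            for info in archive.infolist():
                if not info.is_dir():
                    yield info.filename.rsplit("/", 1)[-1], archive.read(info)
    elif filename.lower().endswith((".tgz", ".tar.gz")):
        with tarfile.open(fileobj=io.BytesIO(data), mode="r:gz") as archive:
            for member in archive:
                if member.isfile():
                    yield member.name.rsplit("/", 1)[-1], archive.extractfile(member).read()
    else:
        yield filename, data


def check_upload(filename, data):
    """Return a list of problems; an empty list means every check passed."""
    problems = []
    if len(data) > MAX_UPLOAD_BYTES:
        problems.append(f"{filename}: larger than 200MB")
    if not filename.lower().endswith((".pcap", ".tgz", ".tar.gz", ".zip")):
        return problems + [f"{filename}: file type must be .pcap, .tgz, .tar.gz, or .zip"]
    try:
        for name, blob in pcap_members(filename, data):
            if parse_name(name) is None:
                problems.append(f"{name}: name does not follow Description[CVE-$CVEID].pcap")
                continue
            try:
                bad = non_ipv4_frames(blob)
            except ValueError as exc:
                problems.append(f"{name}: {exc}")
                continue
            if bad:
                problems.append(f"{name}: {len(bad)} non-IPv4 frame(s), first at index {bad[0][0]}")
    except (zipfile.BadZipFile, tarfile.TarError) as exc:
        problems.append(f"{filename}: unreadable archive ({exc})")
    return problems


def build_pcap(ethertypes):
    """Constructed sample input: one zero-filled Ethernet frame per EtherType, as a pcap."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for ethertype in ethertypes:
        frame = bytes(12) + struct.pack("!H", ethertype) + bytes(20)
        out += struct.pack("<IIII", 0, 0, len(frame), len(frame)) + frame
    return out
```

Captures saved as pcapng are reported as "not a classic pcap file"; convert them before checking. Archive members are read fully into memory, so run this only on packages you built yourself.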

Tip: You can also copy an existing case, and change its settings to create a new case. In the case list, click Extend to clone the configuration. Only the case name is different from the original case.

Table 15: DDoS Test Case configuration

Basic Information

Name: Specify the case name, or just use the default. The name appears in the list of test cases.
Number of Samples: Select the number of samples. The default is 20, which means the web UI shows the last 20 data samples (about 20 seconds) on the test case running page. You can select 20, 60, or 120.
Duration: Specify the test duration. The default is 10 minutes. The test stops automatically after the duration you specify.

Network

Client Ports, Server Ports: The graphic depicts the test ports for client-side and server-side connections. The client ports simulate the behavior of clients; the server ports simulate the behavior of servers. FortiTester builds the TCP connections between client ports and server ports (and through the DUT, of course). You must select at least one client port and one server port. After you select a port for client, a check mark is displayed on the port icon, and a tab for the port is added below the graphic. Use the tabs to toggle the Capture Packets and Subnet settings controls for each port.

Capture Packets

Capture Packets: Optional. Set packet capture options if you want to capture the traffic of this port. You can capture all packets or specify a number. You can set packet capture filters for host IP/port and protocol.
Note: The system allocates temporary disk space for packet captures. The limit is 200,000 packets. The packets are saved to a temporary file that you can download from the running test case page. The filename indicates whether it is client or server communication and the interface port number. For example, client_port1.pcap. When a subsequent test case with packet capture enabled uses the same interface port as a previous one, the previous file is overwritten.

Subnet

IP Address or Range: Specify a single IP address with standard format (for example, 10.1.2.1) or an address range like 10.1.2.1-10.1.2.99.
Netmask: Specify a netmask between 1 and 31.
Gateway: NAT mode only. Specify the gateway IP address.
Peer Network: NAT mode only. Specify the peer network subnet address.

Load

Ping Server Timeout: If a FortiTester connects to a DUT via a switch, the switch might cause a ping timeout, resulting in the test case failing to run. If this occurs, increase the timeout. The default is 15 seconds. The valid range is 1 to 600.
Simulated Users: Number of users to simulate. Standalone mode: The default is 256. The valid range is 128 to 1024. Test Center mode: The default is 512, and the valid range is 128 to 2048, for example, for an environment with two FortiTester appliances.
DDoS Types: There are three types of DDoS attack traffic: Single Packet Flood, TCP Session Flood, and HTTP Session Flood. After you select a type, selection boxes for subtypes are displayed below. To change the percentage mix of subtypes, double-click the pie chart and adjust the percentages.

Bandwidth Limit: The default is 0, which means the maximum possible. The unit is Mbps. Standalone mode: The valid range is 10 to 20,000 (or the special value 0). Test Center mode: The valid range is 10 to 40,000, for example, for an environment with two FortiTester appliances.
Ramp Seconds: Time in seconds for traffic to ramp up/down when you start/stop the test.

Network

Network MTU: Maximum Transmission Unit for a data packet. FortiTester does not send out data packets larger than this value. Most DUTs have a limitation for packet size. The default is 1500. The valid range is 1,280 to 9,000.

Profile (Client)

Source Port Range: Specify a client port range. The valid range is 10,000 to 65,535, which is also the default.
IP Change Algorithm / Port Change Algorithm: Select a change algorithm: Increment or Random. This setting determines how the system changes source/destination IP addresses and ports to simulate multiple client requests. The Increment option uses the next IP address or port in the range, for example: 10.11.12.1 -> 10.11.12.2; port 10000 -> 10001. The Random option selects an IP address or port in the range randomly.
Piggybacking: Enabled, meaning an acknowledgement is sent on the data frame, not in an individual frame. Not configurable.

Profile (Server)

Server Port: Preset to 80. Not configurable.
Piggybacking: Enabled. Not configurable.

Starting a DNS test

FortiTester tests the latency of the DUT in handling DNS query requests. A DUT could be a gateway device or a DNS server.

To start a DNS test:

1. Go to Cases > DNS > Latency to display the test case summary page.
2. Click Add to display the Case Options dialog box.

3. In the popup dialog, configure the following settings:
   IP Version: IPv4 or IPv6.
   DUT Working Mode: Transparent mode or NAT mode. In transparent mode, the DUT does not change the IP address of the packet. In NAT mode, the address is translated.
   Network Config: Select the default template or a user-defined template. The network settings and subnet settings for the test case configuration are imported from the template. You can modify these settings after they are imported.
   Click OK to continue.
4. Configure the test case options described in Table 16.
5. Click Start to run the test case. FortiTester saves the configuration automatically so you can run the test again later. You can also click Save to save the test case without running it.

Tip: You can also copy an existing case and change its settings to create a new case. In the case list, click Extend to clone the configuration. Only the case name is different from the original case.

Table 16: DNS Test Case configuration

Basic Information

Name: Specify the case name, or just use the default. The name appears in the list of test cases.
Number of Samples: Select the number of samples. The default is 20, which means the web UI shows the last 20 data samples (about 20 seconds) in the test case running page. You can select 20, 60, or 120.
Duration: Specify the test duration. The default is 10 minutes. The test stops automatically after the duration you specify.

Network

Client Ports, Server Ports: The graphic depicts the test ports for client-side and server-side connections. The client ports simulate the behavior of clients; the server ports simulate the behavior of servers. FortiTester builds the TCP connections between client ports and server ports (and through the DUT, of course). You must select at least one client port and one server port. After you select a port for the client, a check mark is displayed on the port icon, and a tab for the port is added below the graphic. Use the tabs to toggle the Capture Packets and Subnet settings controls for each port.

Capture Packets

Capture Packets: Optional. Set packet capture options if you want to capture the traffic of this port. You can capture all packets or specify a number. You can set packet capture filters for host IP/port and protocol.
Note: The system allocates temporary disk space for packet captures. The limit is 200,000 packets. The packets are saved to a temporary file that you can download from the running test case page. The filename indicates whether it is client or server communication and the interface port number. For example, client_port1.pcap. When a subsequent test case with packet capture enabled uses the same interface port as a previous one, the previous file is overwritten.

Subnet

Subnet IP Address or Range: Specify a single IP address in standard format (for example, 10.1.2.1) or an address range like 10.1.2.1-10.1.2.99.
Netmask: Specify a netmask between 1 and 31.
Gateway: NAT mode only. Specify the gateway IP address.
Peer Network: NAT mode only. Specify the peer network subnet address.

Load

Ping Server Timeout: If a FortiTester connects to a DUT via a switch, the switch might cause a ping timeout, resulting in the test case failing to run. If this occurs, increase the timeout. The default is 15 seconds. The valid range is 1 to 600.

Simulated Users: Number of users to simulate. Standalone mode: The default is 256. The valid range is 128 to 250,000. Test Center mode: The default is 512, and the valid range is 128 to 500,000, for example, for an environment with two FortiTester appliances.
Bandwidth Limit: The default is 0, which means the maximum possible. The unit is Mbps. Standalone mode: The valid range is 10 to 20,000 (or the special value 0). Test Center mode: The valid range is 10 to 40,000, for example, for an environment with two FortiTester appliances.

DNS

Renew Socket: Specify Yes or No. If Yes, the client side renews a socket to send out the next query (note that if the client profile Domain Policy is set to List, all queries for the names in the domain list use the same socket; after that, a new socket is created for the next batch of queries). If No, the old socket is used.
DNS Query Timeout: The default is 1000 milliseconds.
Network MTU: Preset to 1500. Not configurable.

Profile (Client)

Source Port Range: Specify a client port range. The valid range is 10,000 to 65,535, which is also the default.
IP Change Algorithm / Port Change Algorithm: Select a change algorithm: Increment or Random. This setting determines how the system changes source/destination IP addresses and ports to simulate multiple client requests. The Increment option uses the next IP address or port in the range, for example: 10.11.12.1 -> 10.11.12.2; port 10000 -> 10001. The Random option selects an IP address or port in the range randomly.
Domain Policy: Random or List. If Random is selected, FortiTester generates random domain names for queries. If List is selected, FortiTester uses queries in the specified list.
Domain List: If Domain Policy is List, specify a list of domain name records. For example: fortinet.com:a,www.fortinet.com:a, fortitester.com:mx
A name followed by :A is an address record, while :MX is a mail exchange record.
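A Domain List string in the name:type format described above can be checked before it is pasted into the case options. The following Python sketch is an added example, not FortiTester code: the function names are hypothetical, and it assumes that only the two record types named on this page (A and MX) are accepted.

```python
import re

# Record types the handbook page names for Domain List entries. Treating the
# list as limited to these two is an assumption of this example.
KNOWN_TYPES = {"A", "MX"}
# One DNS label: letters, digits, hyphens; no leading/trailing hyphen; 1-63 chars.
LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def parse_domain_list(text):
    """Parse 'name:type,name:type,...' into [(name, TYPE), ...].

    Raises ValueError naming the first malformed entry.
    """
    records = []
    for position, raw in enumerate(text.split(","), start=1):
        entry = raw.strip()  # tolerate spaces after commas
        if not entry:
            raise ValueError(f"entry {position}: empty (stray comma?)")
        name, sep, rtype = entry.rpartition(":")
        if not sep or not name:
            raise ValueError(f"entry {position}: expected name:type, got {entry!r}")
        rtype = rtype.strip().upper()
        if rtype not in KNOWN_TYPES:
            raise ValueError(f"entry {position}: unknown record type {rtype!r}")
        name = name.strip().rstrip(".").lower()
        labels = name.split(".")
        if len(name) > 253 or not all(LABEL.match(label) for label in labels):
            raise ValueError(f"entry {position}: invalid domain name {name!r}")
        records.append((name, rtype))
    return records


def to_domain_list(records):
    """Serialise records back to the comma-separated form, without spaces."""
    return ",".join(f"{name}:{rtype.lower()}" for name, rtype in records)


if __name__ == "__main__":
    # The handbook's own example string.
    sample = "fortinet.com:a,www.fortinet.com:a, fortitester.com:mx"
    for name, rtype in parse_domain_list(sample):
        print(f"{rtype:<3} {name}")
```
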

Profile (Server)

Server Port: The DNS server access port. The default is 53. The valid range is 0 to 65,535.

Stopping tests

There are two ways to stop a running test:

- In the test configuration, specify an automatic stop after a specified duration.
- Click the Stop button on the running page of a test that is in progress.

Displaying test status

A few seconds after you start a test, the page automatically switches to a test status page. You can also navigate to the status page by clicking the icon in the top navigation menu.

The following example shows status displayed on the Summary tab of a TCP throughput test.

Figure 5: Test status Summary tab

The following figure shows the Client tab. You can use its subtabs to review results by port or network layer.

Figure 6: Test status Client tab

Viewing test results

When you start a test, a status page is displayed showing results. The data is updated every second. It includes Layer 2 and Layer 4 data. HTTP/HTTPS test cases also include Layer 7 data.

Layer 2 data represents the throughput for every port and a total summary. The throughput includes inbound and outbound traffic for every port. Layer 4 data represents the number of sessions. Layer 7 data represents the number of requests and connections.

You can click the icon in the top banner to display a list of all the test cases on the left side of the page. This list includes cases that are stopped (either normally or abnormally) and is ordered by test start time. Click a test case to view its result.

The following example shows results for an HTTP CPS test.

Figure 7: HTTP CPS test results

The following figure shows results for an Attack Replay test.

Figure 8: Attack Replay results