Category Archives: FortiGate

Virtual domains

Virtual domains (VDOMs) are a method of dividing a FortiGate unit into two or more virtual units that function as multiple independent units. A single FortiGate unit is then flexible enough to serve multiple departments of an organization, separate organizations, or to act as the basis for a service provider’s managed security service.

VDOMs provide separate security domains that allow separate zones, user authentication, security policies, routing, and VPN configurations. By default, each FortiGate unit has a VDOM named root. This VDOM includes all of the FortiGate physical interfaces, modem, VLAN subinterfaces, zones, security policies, routing settings, and VPN settings.

When a packet enters a VDOM, it is confined to that VDOM. In a VDOM, you can create security policies for connections between Virtual LAN (VLAN) subinterfaces or zones in the VDOM. Packets do not cross the virtual domain border internally. To travel between VDOMs, a packet must leave through a firewall policy on a physical interface of one VDOM and arrive on a different physical interface belonging to the other VDOM, where it must pass another firewall policy before entering, even though both VDOMs are on the same FortiGate unit. Inter-VDOM links change this behavior in that they are internal interfaces; however, packets crossing them go through all the same security measures as on physical interfaces.

This example shows how to enable VDOMs on the FortiGate unit, create a VDOM named accounting, assign the DMZ2 port to it, and assign an administrator to maintain the VDOM. First, enable virtual domains on the FortiGate unit. When you enable VDOMs, the FortiGate unit logs you out.

For desktop and low-end FortiGate units, VDOMs are enabled using the CLI. On larger FortiGate units, you can enable VDOMs in the web-based manager or the CLI. Once enabled, all further configuration can be made in the web-based manager or CLI.

 

To enable VDOMs – web-based manager

1. Go to System > Dashboard > Status.

2. In the System Information widget, select Enable for Virtual Domain.

The FortiGate unit logs you out. Once you log back in, you will notice that the menu structure has changed; it now reflects the global settings for all virtual domains.

 

To enable VDOMs – CLI

config system global
    set vdom-admin enable
end

Next, add the VDOM called accounting.

 

To add a VDOM – web-based manager

1. Go to System > VDOM > VDOM, and select Create New.

2. Enter the VDOM name accounting.

3. Select OK.

 

To add a VDOM – CLI

config vdom
    edit accounting
end

 

With the Virtual Domain created, you can assign a physical interface to it, and assign it an IP address.

To assign physical interface to the accounting Virtual Domain – web-based manager

1. Go to System > Network > Interface.

2. Select the DMZ2 port row and select Edit.

3. For the Virtual Domain drop-down list, select accounting.

4. Select the Addressing Mode of Manual.

5. Enter the IP address for the port of 10.13.101.100/24.

6. Set the Administrative Access to HTTPS and SSH.

7. Select OK.

 

To assign physical interface to the accounting Virtual Domain – CLI

config global
    config system interface
        edit dmz2
            set vdom accounting
            set ip 10.13.101.100/24
            set allowaccess https ssh
        next
    end
end


Having trouble configuring your Fortinet hardware or have some questions you need answered? Check Out The Fortinet Guru Youtube Channel! Want someone else to deal with it for you? Get some consulting from Fortinet GURU!

Secondary IP addresses to an interface

If an interface is configured with a manual or static IP address, you can also add secondary static IP addresses to the interface. Adding secondary IP addresses effectively gives the interface multiple IP addresses. Secondary IP addresses cannot be assigned using DHCP or PPPoE.

All of the IP addresses added to an interface are associated with the single MAC address of the physical interface, and all secondary IP addresses are in the same VDOM as the interface they are added to. You configure interface status detection for gateway load balancing separately for each secondary IP address. As with all other interface IP addresses, a secondary IP address cannot be on the same subnet as any other primary or secondary IP address assigned to a FortiGate interface unless they are in separate VDOMs.

To configure a secondary IP, go to System > Network > Interface, select Edit or Create New and select the Secondary IP Address check box.
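The subnet rule above is easy to violate once several secondary addresses and VDOMs are in play. The Python check below is an added example, not part of the original page and not FortiOS code; it applies the rules from this section to a constructed interface table: secondary addresses are accepted only on static interfaces, no two addresses in the same VDOM may share a subnet, and the same subnet reused in a different VDOM is allowed. The table, the interface names and the check_interfaces function are assumptions for illustration, and the check is deliberately stricter than "same subnet" in that it also flags overlapping subnets.

```python
"""Check an interface table against the secondary-IP rules on this page.

Added example, not FortiOS code. INTERFACES is a constructed table of
(name, vdom, addressing mode, primary IP, secondary IPs); the check is
deliberately strict and flags overlapping subnets, not just identical ones.
"""
from ipaddress import ip_interface

# Constructed sample, not an export from a real unit.
INTERFACES = [
    # port1: one good secondary, one that lands on its own primary subnet
    ("port1", "root", "static", "10.13.101.100/24",
     ["10.13.102.1/24", "10.13.101.200/24"]),
    ("port2", "root", "static", "192.168.1.1/24", []),
    # port3: DHCP-addressed, so secondaries are not permitted at all
    ("port3", "root", "dhcp", "0.0.0.0/0", ["192.168.5.1/24"]),
    # dmz2: same subnet as port1, but in another VDOM, which is allowed
    ("dmz2", "accounting", "static", "10.13.101.100/24", []),
]


def check_interfaces(interfaces):
    """Return a list of (interface, address, reason) for every violation,
    in the order the table is walked."""
    findings = []
    used = {}  # vdom -> [(interface, network)] already claimed in that VDOM
    for name, vdom, mode, primary, secondaries in interfaces:
        if secondaries and mode != "static":
            # Secondary IPs require a manual/static primary address.
            for addr in secondaries:
                findings.append((name, addr, f"secondary IP not allowed in {mode} mode"))
            continue
        for addr in [primary] + list(secondaries):
            net = ip_interface(addr).network
            if net.prefixlen == 0:  # placeholder for an unassigned address
                continue
            clash = next((o for o, n in used.get(vdom, []) if n.overlaps(net)), None)
            if clash:
                findings.append((name, addr, f"subnet {net} already used by {clash} in VDOM {vdom}"))
            else:
                used.setdefault(vdom, []).append((name, net))
    return findings


if __name__ == "__main__":
    for iface, addr, why in check_interfaces(INTERFACES):
        print(f"{iface} {addr}: {why}")
```

Running it reports two violations in the sample: the second secondary on port1 sits on port1's own primary subnet, and port3 cannot carry a secondary address at all because it is DHCP-addressed. dmz2 reuses port1's subnet without complaint because it lives in the accounting VDOM.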



Interface MTU packet size

You can change the maximum transmission unit (MTU) of the packets that the FortiGate unit transmits to improve network performance. Ideally, the MTU should be the same as the smallest MTU of all the networks between the FortiGate unit and the destination of the packets. If the packets that the FortiGate unit sends are larger than the smallest MTU, they are broken up or fragmented, which slows down transmission. You can easily experiment by lowering the MTU to find an MTU size for optimum network performance.

To change the MTU, select Override default MTU value (1500) and enter an MTU size in the range allowed by the addressing mode of the interface:

  • 68 to 1500 bytes for static mode
  • 576 to 1500 bytes for DHCP mode
  • 576 to 1492 bytes for PPPoE mode (1500 minus the 8 bytes of PPPoE and PPP header overhead)
  • larger frame sizes if supported by the FortiGate model – up to 9216 bytes for NP2, NP4, and NP6-accelerated interfaces

The MTU override is only available on physical interfaces. Virtual interfaces associated with a physical interface inherit the physical interface's MTU size.

Interfaces on some models support frames larger than the traditional 1500 bytes. Jumbo frames are supported on FortiGate models that have either a SOC2 or NP4lite, except for the FortiGate-30D, as well as on FortiGate-100D series models (for information about your FortiGate unit’s hardware, see the Hardware Acceleration guide). For other models, please contact Fortinet Customer Support for the maximum frame size that is supported.

If you need to enable sending larger frames over a route, you need all Ethernet devices on that route to support that larger frame size, otherwise your larger frames will not be recognized and are dropped.

If you have standard size and larger size frame traffic on the same interface, routing alone cannot route them to different routes based only on frame size. However, you can use VLANs to make sure the larger frame traffic is routed over network devices that support that larger size. VLANs will inherit the MTU size from the parent interface. You will need to configure the VLAN to include both ends of the route as well as all switches and routers along the route.

MTU packet size is changed in the CLI. If you select an MTU size larger than your FortiGate unit supports, an error message will indicate this. In this situation, try a smaller MTU size until the value is supported.

In Transparent mode, if you change the MTU of an interface, you must change the MTU of all interfaces on the FortiGate unit to match the new MTU.

To change the MTU size, use the following CLI commands:

config system interface
    edit <interface_name>
        set mtu-override enable
        set mtu <byte_size>
    next
end



Wireless

A wireless interface is similar to a physical interface except that it has no physical connection. FortiWiFi units let you add multiple wireless interfaces that can be available at the same time (the FortiWiFi-30B can only have one wireless interface). On FortiWiFi units, you can configure the device to be either an access point or a wireless client. As an access point, the FortiWiFi unit can have up to four separate SSIDs, each on its own subnet for wireless access. In client mode, the FortiWiFi has only one SSID and acts as a receiver, enabling remote users to connect to the existing network over wireless.

Wireless interfaces also require additional security measures to ensure the signal does not get hijacked and data tampered or stolen.

For more information on configuring wireless interfaces see the Deploying Wireless Networks Guide.



Administrative access

Interfaces, especially public-facing ports, can potentially be reached by people you do not want accessing the FortiGate unit. When setting up the FortiGate unit, you can set which protocols an administrator may use to reach the unit through each interface. The options include:

  • HTTPS
  • HTTP
  • SSH
  • TELNET
  • SNMP
  • PING
  • FortiManager Access (FMG-Access)
  • FortiHeartBeat

 

You can select as many or as few of these as you want, or none at all. HTTPS and SSH are the encrypted management protocols; HTTP and Telnet send credentials in cleartext and should not be enabled on an interface reachable from untrusted networks.

This example adds the IPv4 address 172.20.120.100 to the WAN1 interface and restricts administrative access to HTTPS and SSH. As a good practice, set the administrative access at the same time as you set the IP address for the port.

 

To add an IP address on the WAN1 interface – web-based manager

1. Go to System > Network > Interface.

2. Select the WAN1 interface row and select Edit.

3. Select the Addressing Mode of Manual.

4. Enter the IP address for the port of 172.20.120.100/24.

5. For Administrative Access, select HTTPS and SSH.

6. Select OK.

 

To create IP address on the WAN1 interface – CLI

config system interface
    edit wan1
        set ip 172.20.120.100/24
        set allowaccess https ssh
    next
end

 

When adding or removing a protocol, you must type the entire list again, because set allowaccess replaces the current list rather than adding to it. For example, if you have an access list of HTTPS and SSH, and you want to add PING, typing:

set allowaccess ping

…leaves only PING set, and HTTPS and SSH access to the interface is lost. In this case, you must type…

set allowaccess https ssh ping

On FortiOS releases that support the append keyword, append allowaccess ping adds the single value without retyping the list.



PPPoE addressing mode on an interface

If you configure the interface to use PPPoE, the FortiGate unit automatically broadcasts a PPPoE request from the interface.

The FortiGate units support many PPPoE RFC features (RFC 2516) including unnumbered IPs, initial discovery timeout and PPPoE Active Discovery Terminate (PADT).

PPPoE is only configurable in the web-based manager on desktop FortiGate units. 1U FortiGates and up must be configured in the CLI using the commands:

 

config system interface
    edit <port_name>
        set mode pppoe
        set username <ISP_username>
        set password <ISP_password>
        set idle-timeout <seconds>
        set distance <integer>
        set ipunnumbered <unnumbered-IP>
        set disc-retry-timeout <seconds>
        set padt-retry-timeout <seconds>
        set lcp-echo-interval <seconds>
        set dns-server-override {enable | disable}
    next
end

 

Configure PPPoE on an interface in System > Network > Interface. The table describes the PPPoE status information when PPPoE is configured for an interface.

 

Addressing mode section of New Interface page (PPPoE)

Status
    Displays PPPoE status messages as the FortiGate unit connects to the PPPoE server and gets addressing information. Select Status to refresh the addressing mode status message. The status is only displayed if you selected Edit. Status is one of the following four messages:

      • Initializing – No activity.
      • Connecting – The interface is attempting to connect to the PPPoE server.
      • Connected – The interface has retrieved an IP address, netmask, and other settings from the PPPoE server. When the status is Connected, PPPoE connection information is displayed.
      • Failed – The interface was unable to retrieve an IP address and other information from the PPPoE server.

Reconnect
    Select to reconnect to the PPPoE server. Only displayed if Status is Connected.

User Name
    The PPPoE account user name.

Password
    The PPPoE account password.

Unnumbered IP
    Specify the IP address for the interface. If your ISP has assigned you a block of IP addresses, use one of them. Otherwise, this IP address can be the same as the IP address of another interface or can be any IP address.

Initial Disc Timeout
    Enter the initial discovery timeout: the time to wait before starting to retry a PPPoE discovery.

Initial PADT timeout
    Enter the initial PPPoE Active Discovery Terminate (PADT) timeout in seconds. Use this timeout to shut down the PPPoE session if it is idle for this number of seconds. PADT must be supported by your ISP. Set the initial PADT timeout to 0 to disable it.

Distance
    Enter the administrative distance for the default gateway retrieved from the PPPoE server. The administrative distance, an integer from 1-255, specifies the relative priority of a route when there are multiple routes to the same destination. A lower administrative distance indicates a more preferred route. The default distance for the default gateway is 1.

Retrieve default gateway from server
    Enable to retrieve a default gateway IP address from the PPPoE server. The default gateway is added to the static routing table.

Override internal DNS
    Enable to replace the DNS server IP addresses on the System DNS page with the DNS addresses retrieved from the PPPoE server. When VDOMs are enabled, you can override the internal DNS only on the management VDOM.



DHCP addressing mode on an interface

If you configure an interface to use DHCP, the FortiGate unit automatically broadcasts a DHCP request from the interface. The interface is configured with the IP address and any DNS server addresses and default gateway address that the DHCP server provides.

DHCPv6 is similar to DHCPv4, with two differences:

  • there is no default gateway option, because a host learns its gateway from router advertisement messages
  • there are no WINS server options, because WINS is obsolete.

For more information about DHCP IPv6, see RFC 3315.

Configure DHCP for an interface in System > Network > Interface by selecting the interface from the list and choosing DHCP as the Addressing Mode. The table describes the DHCP status information shown when DHCP is configured for an interface.

Addressing mode section of New Interface page for DHCP information

Status
    Displays DHCP status messages as the interface connects to the DHCP server and gets addressing information. Select Status to refresh the addressing mode status message. Status can be one of:

      • initializing – No activity.
      • connecting – The interface is attempting to connect to the DHCP server.
      • connected – The interface has retrieved an IP address, netmask, and other settings from the DHCP server.
      • failed – The interface was unable to retrieve an IP address and other settings from the DHCP server.

Obtained IP/Netmask
    The IP address and netmask leased from the DHCP server. Only displayed if Status is connected.

Renew
    Select to renew the DHCP lease for this interface. Only displayed if Status is connected.

Expiry Date
    The time and date when the leased IP address and netmask are no longer valid for the interface. The IP address is returned to the pool to be allocated to the next request for an IP address. Only displayed if Status is connected.

Default Gateway
    The IP address of the gateway defined by the DHCP server. Only displayed if Status is connected and Retrieve default gateway from server is selected.

Distance
    Enter the administrative distance for the default gateway retrieved from the DHCP server. The administrative distance, an integer from 1-255, specifies the relative priority of a route when there are multiple routes to the same destination. A lower administrative distance indicates a more preferred route.

Retrieve default gateway from server
    Enable to retrieve a default gateway IP address from the DHCP server. The default gateway is added to the static routing table.

Override internal DNS
    Enable to use the DNS addresses retrieved from the DHCP server instead of the DNS server IP addresses on the DNS page. When VDOMs are enabled, you can override the internal DNS only on the management VDOM.



Aggregate Interfaces

Link aggregation (IEEE 802.3ad) enables you to bind two or more physical interfaces together to form an aggregated (combined) link. The aggregate has the combined bandwidth of its member links for traffic as a whole, although each individual flow is hashed onto one member and so cannot exceed a single link's speed. If a link in the group fails, traffic is transferred automatically to the remaining interfaces, with the only noticeable effect being reduced bandwidth.

This is similar to redundant interfaces with the major difference being that a redundant interface group only uses one link at a time, where an aggregate link group uses the total bandwidth of the functioning links in the group, up to eight (or more).

Support of the IEEE standard 802.3ad for link aggregation is available on some models. An interface is available to be an aggregate interface if:

  • it is a physical interface, not a VLAN interface or subinterface
  • it is not already part of an aggregate or redundant interface
  • it is in the same VDOM as the aggregated interface; aggregate ports cannot span multiple VDOMs
  • it does not have an IP address and is not configured for DHCP or PPPoE
  • it is not referenced in any security policy, VIP, IP pool or multicast policy
  • it is not an HA heartbeat interface
  • it is not one of the FortiGate-5000 series backplane interfaces

Some models of FortiGate units do not support aggregate interfaces. In this case, the aggregate option is not an option in the web-based manager or CLI. As well, you cannot create aggregate interfaces from the interfaces in a switch port.

To see if a port is being used or has other dependencies, use the following diagnose command:

diagnose sys checkused system.interface.name <interface_name>

When an interface is included in an aggregate interface, it is no longer listed on the System > Network > Interface page. It still appears in the CLI, although configuration applied to it individually does not take effect. You cannot configure the interface individually, and it is not available for inclusion in security policies, VIPs, IP pools, or routing.

 

Example

This example creates an aggregate interface on a FortiGate-3810A using ports 4-6 with an internal IP address of 10.13.101.100/24 and administrative access limited to HTTPS and SSH.

 

To create an aggregate interface – web-based manager

1. Go to System > Network > Interface and select Create New.

2. Enter the Name as Aggregate.

3. For the Type, select 802.3ad Aggregate.

If this option does not appear, your FortiGate unit does not support aggregate interfaces.

4. In the Available Interfaces list, select port 4, 5 and 6 and move it to the Selected Interfaces list.

5. Select the Addressing Mode of Manual.

6. Enter the IP address for the port of 10.13.101.100/24.

7. For Administrative Access select HTTPS and SSH.

8. Select OK.

 

To create aggregate interface – CLI

config system interface
    edit Aggregate
        set vdom root
        set type aggregate
        set member port4 port5 port6
        set ip 10.13.101.100/24
        set allowaccess https ssh
    next
end
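Two checks from this page lend themselves to automation against a saved configuration: the administrative access list exposed on each interface (the Administrative access section above shows how a single mistyped set allowaccess can leave extra protocols enabled) and the member eligibility rules for aggregates listed in this section. The Python script below is an added example, not Fortinet code, and runs on a constructed config export in the shape that show system interface prints; parse_interfaces, audit_allowaccess, aggregate_blockers and the interface names are assumptions for illustration. It covers only the interface-level rules and does not replace diagnose sys checkused, which also sees references from policies, VIPs and IP pools.

```python
"""Audit a FortiGate 'config system interface' export: flag cleartext
administrative access, and test ports against the aggregate-membership
rules on this page. Added example, not Fortinet code. SAMPLE_CONFIG is
constructed; policy/VIP/IP-pool references still need 'diagnose sys checkused'.
"""
import re

SAMPLE_CONFIG = """\
config system interface
    edit "wan1"
        set vdom "root"
        set ip 172.20.120.100 255.255.255.0
        set allowaccess ping https ssh http telnet
        set type physical
    next
    edit "agg0"
        set vdom "root"
        set type aggregate
        set member "port7" "port8"
    next
    edit "port4"
        set vdom "root"
    next
    edit "port5"
        set vdom "root"
        set mode dhcp
    next
    edit "port6"
        set vdom "accounting"
    next
    edit "port7"
        set vdom "root"
    next
    edit "vlan10"
        set vdom "root"
        set interface "port4"
        set type vlan
    next
end
"""

CLEARTEXT_ACCESS = {"http", "telnet"}  # management protocols without encryption


def parse_interfaces(text):
    """Return {name: {setting: [values]}} for each 'edit ... next' block."""
    interfaces, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r'edit "?([^"]+)"?$', line)
        if m:
            current = m.group(1)
            interfaces[current] = {}
        elif line == "next":
            current = None
        elif current is not None and line.startswith("set "):
            _, key, *values = line.split()
            interfaces[current][key] = [v.strip('"') for v in values]
    return interfaces


def audit_allowaccess(interfaces):
    """Map interface name -> sorted cleartext protocols it exposes."""
    findings = {}
    for name, s in interfaces.items():
        exposed = set(s.get("allowaccess", [])) & CLEARTEXT_ACCESS
        if exposed:
            findings[name] = sorted(exposed)
    return findings


def aggregate_blockers(interfaces, members, vdom):
    """Map each candidate -> list of reasons it cannot join an aggregate in
    `vdom`; an empty list means the port is eligible. A missing 'type' is
    treated as a physical port and a missing 'mode' as static."""
    result = {}
    for name in members:
        s, reasons = interfaces.get(name), []
        if s is None:
            reasons.append("interface not found")
        else:
            if s.get("type", ["physical"])[0] != "physical":
                reasons.append("not a physical interface")
            if s.get("vdom", ["root"])[0] != vdom:
                reasons.append("in a different VDOM than the aggregate")
            if "ip" in s or s.get("mode", ["static"])[0] in ("dhcp", "pppoe"):
                reasons.append("has an IP address or uses DHCP/PPPoE")
            for other, o in interfaces.items():
                if other != name and name in o.get("member", []):
                    reasons.append(f"already a member of {other}")
        result[name] = reasons
    return result


if __name__ == "__main__":
    ifaces = parse_interfaces(SAMPLE_CONFIG)
    print("cleartext admin access:", audit_allowaccess(ifaces))
    for port, why in aggregate_blockers(ifaces, ["port4", "port5", "port6", "port7", "vlan10"], "root").items():
        print(port, "eligible" if not why else "; ".join(why))
```

Feed it the text of show system interface (or the config system interface block of a backup) in place of SAMPLE_CONFIG. On the sample it flags wan1 for HTTP and Telnet, and of the candidate members only port4 comes back eligible: port5 is DHCP-addressed, port6 is in the accounting VDOM, port7 already belongs to agg0, and vlan10 is not a physical port.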

