Fortinet black logo

Admin Guide

Create profiles

Create profiles

You must create and apply profiles to devices before you can deploy them.

To create a profile:
  1. From the Navigation bar, go to Profile.
  2. Click Add Profile to create a new profile.

    The Add Profile window loads.

  3. Complete the following fields:

    Field Name

    Description

    Profile Name

    Enter a name for the profile.

    Note: Valid characters are: alphanumeric characters and special characters (. -_). Spaces are not permitted.

    Hardware Platform

    Select the hardware platform/model you want to apply the profile to.

  4. Click Add.

    The Profile Settings page loads.

  5. Make your profile configuration selections. For more information about each configuration option, see Profile configuration fields.

  6. Click Save to save the profile.

    The new profile is created. You can return to the Profile page to see it.

Profile configuration fields

The Profile page has multiple fields you can configure. To navigate to each field directly, click the index dropdown list and select which section you want to jump to.

The following sections can be configured:

General Settings

Profile Name

Change the profile name if needed.

CLI Username

Enter a username for accessing the device through out-of-band management (OBM). For more information, see OBM Console.

CLI Password

Enter a password for accessing the device through out-of-band management (OBM). For more information, see OBM Console.

Work Mode

Select a work mode.

  • NAT — The FortiExtender device works as a gateway of the subnet behind it, forwarding all the traffic between the LAN and LTE WAN.

  • IP PASS — The FortiExtender distributes the WAN IP address provided by the Network Service Provider to the device behind it.

Timezone ID

Select a timezone for your FortiExtenders.

Local Access Settings

http

https

ssh

telnet

FortiExtender and FortiGate share the same LTE IP in WAN-extension mode. To distinguish local services from FortiGate services, you must configure FortiExtender to use different ports. Otherwise, all traffic to these default services will be sent to FortiExtender locally instead of FortiGate.

idle-timeout

Set an idle time.

System DNS Settings

Primary

Input a primary DNS address.

Secondary

Input a secondary DNS address.

Search Order Options

Drag and reorder DNS search order options.

SNMP Settings

Status

Select if you want to Enable or Disable SNMP.

Description

Enter a description for the SNMP setting.

Contact Info

Set the contact info.

Location

Set the location.

Hosts

Click Add Host to add a hosts

Name

Enter the host name.

IP

Enter the IPv4 address of the SNMP manager (host), syntax: X.X.X.X/24.

Type

Control whether the SNMP manager sends SNMP queries, receives SNMP traps, or both:

  • any
  • query
  • trap

Communities

Click Add Community to add a community. As an SNMP agent, FortiExtender responds to SNMP managers query on v1/v2c and v3 protocol. It supports the SNMP trap events which can be configured in both SNMP community and user events.

Name

Enter the community name.

Status

Select if you want to Enable or Disable this SNMP community.

Queries V Status

Select if you want to Enable or Disable an SNMP v queries

Queries V Port

Enter an SNMP v query port (default = 161).

Trap V Status

Select if you want to Enable or Disable an SNMP v traps

Trap V Local Port

Enter an SNMP v trap local port (default = 162).

Trap V Remote Port

Enter an SNMP v trap remote port (default = 162).

Hosts

Select a IPv4 SNMP manager (host).

Events

Select SNMP trap events.

Users

Click Add User to add a user.

Name

Enter a User name.

Status

Select if you want to Enable or Disable traps for this SNMP user

Notify Hosts

Select which SNMP managers to send notifications (traps) to.

Events

Select SNMP trap events.

Trap Status

Select if you want to Enable or Disable Trap.

Trap Local Port

Enter an SNMPv3 local trap port (default = 162).

Trap Remote Port

Enter an SNMPv3 trap remote port (default = 162)

Queries Status

Select if you want to Enable or Disable SNMP queries for this user.

Query Port

Enter an SNMPv3 query port (default = 161).

Security Level

Select a Security level for message authentication and encryption:

  • No Authentication No Private
  • Authentication No Private
  • Authentication Private

Health Check Settings

Name

Enter a Health Check name.

Interface

Select the outgoing interface to be monitored.

Some interfaces, such as loopback, cannot be selected. If you configure a VWAN interface, this interface must be the same as the VWAN member's Target Interface.

Protocol

Select which protocol to use for status checks:

  • ping — Use PING to test the link with the probe-target.
  • http — Use HTTP-GET to test the link with the probe-target. Adds new field: port, HTTP URL
  • dns — Use DNS-Query to test the link with the probe-target

Port

Only available if Protocol is set to http. Enter the port number used to communicate with the server

HTTL URL

Only available if Protocol is set to http. Enter the URL used to communicate with the server.

Interval

Enter the monitoring interval in seconds.

Probe Count

Enter the number of probes sent within an interval.

Probe Timeout

Enter the timeout for a probe in seconds.

Probe Target

Enter the target (ipv4-address) to which a probe is sent.

Source Type

The way to set the source address for probes.

  • none — Do not set the source address.
  • interface — Set the source address as the address derived from a specific interface.
  • ip — Set the source address as a specific IP.

Interface Settings - lan/loopback/lte1/sfp/wan

Add Interface

(Optional) Click Add Interfaces to add a dynamic interface to the Profile. See Interface Settings - Dynamic interfaces.

Status

Select the status you want for your interface:

  • Up

  • Down

Mode

Select the interface IP addressing mode:

  • dhcp — FortiExtender will work in DHCP client mode.

  • static — FortiExtender will use a fixed IP address to connect to the Internet.

Allowaccess

Select the types of management traffic allowed to access the interface:

  • http

  • ssh

  • telnet

  • snmp

  • https

  • ping

  • capwap

Override MTU

Select if you want to be able to override the MTU value.

STP

Select enable to activate Spanning Tree Protocol (STP) for the built-in LAN Switch on applicable FortiExtender models.

MTU

Enter the interface's MTU value for the interface.

Distance

Enter the route metric of the interface gateway.

Virtual Wire Pair

When the Work Mode is IP PASS, you can configure the Virtual Wan Interface of a particular port to FortiGate.

VRRP Setting

Add and configure VRRP settings.

  • Backup — Select enable to configure the device's fortigate-backup.vrrp-interface and fortigate-backup.status.
  • Status — Select enable to activate the VRRP.
  • Mode — Select how you want to assign an IP.
    • plan: FortiExtender Cloud automatically assigns the vrrp_setting.virtual_router_ip based on your network plan.
    • manual: Manually enter the virtual_router_ip.

DNS Server Setting

Add and configure DNS Server settings.

  • Name — Enter the name of the DNS Server.
  • Mode — Select the DNS server mode, which can be one of the following:
    • recursive: Is for the shadow DNS database and forward. In this mode, FortiExtender looks up the local shadow DNS database first. If no DNS RR (resource record) is found, the DNS request will be forwarded to the configured system DNS server.

    • non-recursive: Is for the public DNS database only. In this mode, FortiExtender only looks up the local public DNS database. If no DNS RR (resource record) is found, it will reply with an error status of NXDOMAIN.

    • forward-only: Is for forwarding to the system DNS server only. In this mode, FortiExtender will forward DNS requests directly to the configured system DNS servers.

PPPoE Interface Setting

Add and configure a Point-to-Point Protocol over Ethernet (PPPoE) Interface. This is only supported on FEX311F and FEX511F models.

  • Name — Enter the name of the PPPoE interface.
  • Status — Select if you want to bring the PPPoE up or down.
  • Username — Enter the username of the PPPoE account, this is provided by the ISP.
  • Password — Enter the password of the PPPoE account.

SFP DSL Setting

Add and configure DSL configuration in SFP interface settings. This is only supported on FEX311F and FEX511F models.

  • Status — Enable or Disable the use of vdsl or adsl for SFP.
  • Physical Mode — Select the DSL physical mode you want to use, vdsl or adsl.
  • Auto Detect — Enable or Disable sfp-dsl autodetect.
    • If you disable Auto Detect, you must enter the MAC address of the sfp-dsl module.

If you set the Physical Mode as adsl, you can configure the following options:

  • Virtual Path Identifier (vpi) — SFP-DSL ADSL Fallback virtual path identifier.
  • Virtual Channel Identifier (vci) — SFP-DSL ADSL Fallback virtual channel identifier
  • Multiplexer Type — SFP-DSL ADSL Fallback Multiplexer type.
  • PVC VLAN Id — SFP-DSL ADSL Fallback Permanent Virtual Circuit VLAN ID.
  • PVC VLAN TX Id — SFP-DSL ADSL Fallback PVC VLAN ID tx.
  • PVC VLAN RX Id —SFP-DSL ADSL Fallback PVC VLAN ID rx.
  • PVC VLAN TX Op —SFP-DSL ADSL Fallback PVC VLAN TX op.
  • PVC VLAN RX Op —SFP-DSL ADSL Fallback PVC VLAN RX op
  • PVC CRC —SFP-DSL ADSL Fallback PVC CRC option (bit0 = sar LLC preserve, bit1 = ream LLC preserve, bit2 = ream VC-MUX has crc).
  • PVC ATM QoS —SFP-DSL ADSL Fallback PVC ATM QoS.
  • PVC Packet Cell Rate —SFP-DSL ADSL Fallback PVC packet cell rate (0 - 5500 cells per second, default = 0).
  • PVC Sustainable Cell Rate —SFP-DSL ADSL Fallback PVC sustainable cell rate (0 - 5500 cells per second, default = 0).

Network Plan

Select which network plan you want to apply to the interface. Devices associated with this profile will be automatically assigned a subnet based on the network plan. A default subnet 192.168.2.0/24 will be assigned for all devices if no network plan is selected.

DHCP Setting

Configure DHCP Server and Relay settings.

Server Setting

Add and configure a DHCP server for other clients to obtain an IP.

  • Name — Specify the name of the DHCP server.
  • Status — Select if you want to enable, disable, or set the DHCP server status to backup.
  • Mode — Select if you want to use information from the Network plan or if you want to manually input the information.
  • Lease Time — Specify the DHCP address lease time in seconds. The valid range is 300–8640000. 0 means unlimited.
  • MTU — Enter the interface's MTU value
  • NTP Service — The NTP service is automatically set to specify.
  • NTP Server 1-3 — Specify the IP address of each NTP Server.
  • DNS Service — Select one of the options for assigning a DNS server to DHCP clients.
    • default: Clients are assigned the FortiExtender configured DNS server.
    • specify: Specify up to three DNS servers in the DHCP server configuration.
    • wan-dns: The DNS of the WAN interface that is added becomes clients' DNS server IP address.
  • Reserved Addresses — Add a MAC addresses and select if you want to block or assign it a reserved IP address.
    • Reserved: Reserve an IP address for the specified client.
    • Block: Block a specific MAC address.

Relay Setting

When running in static mode, you can configure DHCP relay functionality.

  • Name — Specify the name of the relay setting.
  • Status — Select if you want to enable or disable the relay.
  • Server Interface — Select the server interface.
  • Mode — Select if you want to run in plan or manual mode.
  • Server IP — Enter the server IP.
  • Client Interfaces — Select which interface you want to relay.

Virtual IP Settings

When running in static mode, you can configure how your Virtual IPs direct traffic.

  • IP Mapping — Enter the IP address you want to forward traffic to.
  • Protocol — Select which protocol you want to use.
  • Port Forward —Select if you want to enable port forwarding.
  • Port — Enter the port number you want to forward traffic from.
  • Port Mapping — Enter the port number you want to forward traffic to.

Interface Settings - Dynamic interfaces

Virtual-Wan

Note

VWAN Interface configurations only apply to devices running FEXTOS 7.4.0 and later.

Name

Specify the name of the VWAN interface.

Status

Select the status you want for your interface:

  • Up

  • Down

Algorithm

Select the Load-Balancing algorithm:

  • redundant — Targets work in primary-secondary mode
  • WRR — Targets work in Weighted Round Robin mode.

For more information, refer to the FortiExtender (Standalone) Admin Guide.

Redundant By

Only available if Algorithm is set to redundant. Redundant algorithm using a VWAN member for data transmission based on:

  • priority
  • cost
FEC

Only available if you select WRR as the Algorithm. Select a LLB metric to denote how to distribute traffic:

  • source_ip — Traffic from the same source IP is forwarded to the same target.
  • dest_ip — Traffic to the same destination IP is forwarded to the same target.
  • source_dest_ip_pair — Traffic from the same source IP and to the same destination IP is forwarded to the same target.
  • connection — Traffic with the same 5 tuples (i.e., a source IP address/port number, destination IP address/port number and the protocol) is forwarded to the same target
Session Timeout Specify the session timeout threshold in seconds. The default is 60. This is used to time out a VWAN session. A LLB session is created for each traffic stream. However, when a session times out, it is deleted.

Grace Period

Specify the grace period in seconds to delay fail-back.

Member Setting

Add VWAN members to the VWAN interface.

Name

Specify the name of the VWAN member.

Target Interface

Specify the target to which traffic is forwarded.

Must be the same interface as the Interface.

Priority

Specify the priority of the link member. The lower the value, the higher the priority. The valid value range is 1—7.

Weight

Specify the weight of the member.

Health Check Fail Threshold

Specify the number of consecutive failed probes before the member is considered dead.

Note: The valid value range is 1—10; the default is 5.

Health Check

Specify a link health check you configured in Health Check Settings.

Link Cost Factor

Select which constraints you want enabled:

  • packet-loss
  • latency
  • jitter

Latency Threshold

Set the Latency Threshold in millisecond.

Jitter Threshold

Set the Jitter Threshold in millisecond.

Packet Loss Threshold

Set the Packet Loss Threshold in percentage.

Modem1 Settings/Modem2 Settings

Sim1 PIN

Enter a pin code for your Sim1 card (if applicable).

Sim2 PIN

Enter a pin code for your Sim2 card (if applicable).

Report Interval

Specify a desired report interval in seconds.

Default SIM

If there are two SIM cards, select how you want to define the default SIM card:

  • By Carrier — Select the SIM card with the preferred carrier. You can define the preferred carrier by arranging the order of plans under the Add Plan section in the Profile page.
  • By Cost — Select the SIM card with the lowest Monthly fee. You can specify the Monthly fee from the Carrier plan page.
  • SIM 1 — Select the SIM card in the SIM1 slot.
  • SIM 2 — Select the SIM card in the SIM2 slot.

Auto Switch

Select which event triggers automatic switching between SIM cards. You can select more than one event:

  • Plan Capacity — Switch when your data plan hits your specified data limit and overage is disabled. You can specify data limit from the Carrier plan page.
  • SIM Signal — Switch when the Received Signal Strength Indicator (RSSI) value drops below -100 for 600 seconds. You can configure the default values from the Carrier plan page.
  • SIM Disconnect — Switch when a SIM card disconnects a certain number of times in a specified time period.
    • SIM Disconnect Threshold: Enter the number of times a SIM card can disconnect.
    • SIM Disconnect Period: Enter the time period in seconds.
  • Switch Back by Time — Switch at a certain time of the day.
    • Switch Back Time: Enter the time (hh:mm) for when you want to switch SIM cards.
  • Switch Back By Period — Switch after a certain amount of time has elapsed.
    • Switch Back Period: Enter the time in seconds.

Note: Automatic switching will not occur if you enable the overage function under Plan configuration and also exceed the specified data limit.

VPN Settings

Add VPN

Add existing VPN plans to your profile.

Carrier Plan Settings

Add Plan

Add existing carrier plans to your profile.

Note: If you select the By Carrier option for defining a Default SIM, you can define the preferred carrier by dragging and rearranging the Plans in this section. Plans are prioritized based on their order, with the top plan being the most preferred.

DNS Database Plan Settings

Add DNS Database Plan Add existing DNS plans to your profile.

Credential Plan Settings

Add Credential

Add existing credential plans to your profile.

Services

Edit Services

Edit the services and ports associated with the profile.

Firewall Settings

Mode

Select a mode type:

  • manual — Manually configure firewall policies.

    Note: FortiExtender Cloud only includes a base all-pass policy, all other policies need to be manually entered.

  • planFortiExtender Cloud automatically assigns default policies based on the VPN plan's Phase 1 name, Phase 2 Source/Destination subnets and the Interface plan's IP addresses.

Policies

If you select the manual mode type, you can add up to 96 firewall policies to your profile.

Note: You must define two ACCEPT firewall polices to permit communications between the source and destination addresses.

Static Routing Settings

Name

Enter the name of the static route.

Interface

Select the interface type.

Gateway

Enter the IP address of the gateway.

Status

Set the status of the static route:

  • enable — Enable the static route.
  • disable — Disable the static route.

Destination Subnet

Specify the destination IP address and netmask of the static route.

Distance

Specify the administrative distance. The range is 1–255.

Multicast Routing Settings

Join Prune Interval

Set the period of time between sending periodic PIM join/prune messages in seconds.

Hello Interval Set the period of time between sending PIM hello messages in seconds.

PIM Interface

Select a PIM Interface type:

  • lan
  • lte1
  • loopback
  • wan
RP Address

Click Add RP Address and enter the following:

  • Name —Enter the name for the Rendezvous Point (RP) address.
  • Group —Enter the groups to use this RP.
  • Address — Enter the RP router address.

Policy Routing Settings

Mode

Select a mode type:

  • manual — Manually configure routing policies.

  • planFortiExtender Cloud automatically assigns default policies based on the VPN plan's Phase 1 name, Phase 2 Source/Destination subnets and the Interface plan's IP addresses.

Policy Routes

You can add up to 20 policy routes.

NTP Settings

Type

Select a Network Time Protocol (NTP) server to use:

  • fortiguard
  • custom

    • Enter the Name of your custom NTP server.

    • Enter the IP address or hostname of the custom NTP server.

Firmware Settings

OS Firmware

Select or upload the OS firmware you want to apply to each FortiExtender model associated with this profile.

Modem Firmware

Select the modem firmware you want to apply to each FortiExtender model associated with this profile.

SSIDs

Add SSIDs Add SSIDs to the profile.

ID

Enter an ID or name for the SSID plan.

SSID

Enter the name you want your SSID to show during broadcast.

Broadcast SSID

Select if you want to broadcast the SSID.

Wlan Members

Enter the WLAN members.

Security Mode

Set the security encryption mode of the SSID.

Passphrase

Enter a password for the SSID.

WiFi-Configuration

Add WiFi-Config Add Wi-Fi Configurations to the profile.

ID

Enter an ID or name for the Configuration plan.

SSID

Enter the name of an SSID.

Security Mode

Set the security mode of the SSID.

Passphrase

Enter a passphrase for the SSID.

Country Code

Set a country code.

Radio

Add Radio Add Radio configurations to the profile.

ID

Enter an ID or name for the Radio plan.

Role

Set the Radio role:

  • lan
  • wan

Band

Select the frequency band you want to broadcast:

  • 2GHz
  • 5GHz

Bandwidth

Select the channel width you want to broadcast:

  • auto
  • 20MHz
  • 40MHz

Channel

Select the channel or channels to include.

Status

Set the status of the radio:

  • enable
  • disable

Extension Channel

Select the radio extension channel:

  • auto
  • higher
  • lower

Guard Interval

Select the radio guard interval:

  • auto
  • 800ns
  • 400ns

Operating Standards

Select the radio operating standards.

Power Mode

Set the power mode for your radio:

  • auto
  • percentage
  • dBm

VAP

Select the Virtual APs you want to apply radio configurations to.

Create profiles

You must create and apply profiles to devices before you can deploy them.

To create a profile:
  1. From the Navigation bar, go to Profile.
  2. Click Add Profile to create a new profile.

    The Add Profile window loads.

  3. Complete the following fields:

    Field Name

    Description

    Profile Name

    Enter a name for the profile.

    Note: Valid characters are: alphanumeric characters and special characters (. -_). Spaces are not permitted.

    Hardware Platform

    Select the hardware platform/model you want to apply the profile to.

  4. Click Add.

    The Profile Settings page loads.

  5. Make your profile configuration selections. For more information about each configuration option, see Profile configuration fields.

  6. Click Save to save the profile.

    The new profile is created. You can return to the Profile page to see it.

Profile configuration fields

The Profile page has multiple fields you can configure. To navigate to each field directly, click the index dropdown list and select which section you want to jump to.

The following sections can be configured:

General Settings

Profile Name

Change the profile name if needed.

CLI Username

Enter a username for accessing the device through out-of-band management (OBM). For more information, see OBM Console.

CLI Password

Enter a password for accessing the device through out-of-band management (OBM). For more information, see OBM Console.

Work Mode

Select a work mode.

  • NAT — The FortiExtender device works as a gateway of the subnet behind it, forwarding all the traffic between the LAN and LTE WAN.

  • IP PASS — The FortiExtender distributes the WAN IP address provided by the Network Service Provider to the device behind it.

Timezone ID

Select a timezone for your FortiExtenders.

Local Access Settings

http

https

ssh

telnet

FortiExtender and FortiGate share the same LTE IP in WAN-extension mode. To distinguish local services from FortiGate services, you must configure FortiExtender to use different ports. Otherwise, all traffic to these default services will be sent to FortiExtender locally instead of FortiGate.

idle-timeout

Set an idle time.

System DNS Settings

Primary

Input a primary DNS address.

Secondary

Input a secondary DNS address.

Search Order Options

Drag and reorder DNS search order options.

SNMP Settings

Status

Select if you want to Enable or Disable SNMP.

Description

Enter a description for the SNMP setting.

Contact Info

Set the contact info.

Location

Set the location.

Hosts

Click Add Host to add a hosts

Name

Enter the host name.

IP

Enter the IPv4 address of the SNMP manager (host), syntax: X.X.X.X/24.

Type

Control whether the SNMP manager sends SNMP queries, receives SNMP traps, or both:

  • any
  • query
  • trap

Communities

Click Add Community to add a community. As an SNMP agent, FortiExtender responds to SNMP managers query on v1/v2c and v3 protocol. It supports the SNMP trap events which can be configured in both SNMP community and user events.

Name

Enter the community name.

Status

Select if you want to Enable or Disable this SNMP community.

Queries V Status

Select if you want to Enable or Disable an SNMP v queries

Queries V Port

Enter an SNMP v query port (default = 161).

Trap V Status

Select if you want to Enable or Disable an SNMP v traps

Trap V Local Port

Enter an SNMP v trap local port (default = 162).

Trap V Remote Port

Enter an SNMP v trap remote port (default = 162).

Hosts

Select a IPv4 SNMP manager (host).

Events

Select SNMP trap events.

Users

Click Add User to add a user.

Name

Enter a User name.

Status

Select if you want to Enable or Disable traps for this SNMP user

Notify Hosts

Select which SNMP managers to send notifications (traps) to.

Events

Select SNMP trap events.

Trap Status

Select if you want to Enable or Disable Trap.

Trap Local Port

Enter an SNMPv3 local trap port (default = 162).

Trap Remote Port

Enter an SNMPv3 trap remote port (default = 162)

Queries Status

Select if you want to Enable or Disable SNMP queries for this user.

Query Port

Enter an SNMPv3 query port (default = 161).

Security Level

Select a Security level for message authentication and encryption:

  • No Authentication No Private
  • Authentication No Private
  • Authentication Private

Health Check Settings

Name

Enter a Health Check name.

Interface

Select the outgoing interface to be monitored.

Some interfaces, such as loopback, cannot be selected. If you configure a VWAN interface, this interface must be the same as the VWAN member's Target Interface.

Protocol

Select which protocol to use for status checks:

  • ping — Use PING to test the link with the probe-target.
  • http — Use HTTP-GET to test the link with the probe-target. Adds new field: port, HTTP URL
  • dns — Use DNS-Query to test the link with the probe-target

Port

Only available if Protocol is set to http. Enter the port number used to communicate with the server

HTTL URL

Only available if Protocol is set to http. Enter the URL used to communicate with the server.

Interval

Enter the monitoring interval in seconds.

Probe Count

Enter the number of probes sent within an interval.

Probe Timeout

Enter the timeout for a probe in seconds.

Probe Target

Enter the target (ipv4-address) to which a probe is sent.

Source Type

The way to set the source address for probes.

  • none — Do not set the source address.
  • interface — Set the source address as the address derived from a specific interface.
  • ip — Set the source address as a specific IP.

Interface Settings - lan/loopback/lte1/sfp/wan

Add Interface

(Optional) Click Add Interfaces to add a dynamic interface to the Profile. See Interface Settings - Dynamic interfaces.

Status

Select the status you want for your interface:

  • Up

  • Down

Mode

Select the interface IP addressing mode:

  • dhcp — FortiExtender will work in DHCP client mode.

  • static — FortiExtender will use a fixed IP address to connect to the Internet.

Allowaccess

Select the types of management traffic allowed to access the interface:

  • http

  • ssh

  • telnet

  • snmp

  • https

  • ping

  • capwap

Override MTU

Select if you want to be able to override the MTU value.

STP

Select enable to activate Spanning Tree Protocol (STP) for the built-in LAN Switch on applicable FortiExtender models.

MTU

Enter the interface's MTU value for the interface.

Distance

Enter the route metric of the interface gateway.

Virtual Wire Pair

When the Work Mode is IP PASS, you can configure the Virtual Wan Interface of a particular port to FortiGate.

VRRP Setting

Add and configure VRRP settings.

  • Backup — Select enable to configure the device's fortigate-backup.vrrp-interface and fortigate-backup.status.
  • Status — Select enable to activate the VRRP.
  • Mode — Select how you want to assign an IP.
    • plan: FortiExtender Cloud automatically assigns the vrrp_setting.virtual_router_ip based on your network plan.
    • manual: Manually enter the virtual_router_ip.

DNS Server Setting

Add and configure DNS Server settings.

  • Name — Enter the name of the DNS Server.
  • Mode — Select the DNS server mode, which can be one of the following:
    • recursive: Is for the shadow DNS database and forward. In this mode, FortiExtender looks up the local shadow DNS database first. If no DNS RR (resource record) is found, the DNS request will be forwarded to the configured system DNS server.

    • non-recursive: Is for the public DNS database only. In this mode, FortiExtender only looks up the local public DNS database. If no DNS RR (resource record) is found, it will reply with an error status of NXDOMAIN.

    • forward-only: Is for forwarding to the system DNS server only. In this mode, FortiExtender will forward DNS requests directly to the configured system DNS servers.

PPPoE Interface Setting

Add and configure a Point-to-Point Protocol over Ethernet (PPPoE) Interface. This is only supported on FEX311F and FEX511F models.

  • Name — Enter the name of the PPPoE interface.
  • Status — Select if you want to bring the PPPoE up or down.
  • Username — Enter the username of the PPPoE account, this is provided by the ISP.
  • Password — Enter the password of the PPPoE account.

SFP DSL Setting

Add and configure DSL configuration in SFP interface settings. This is only supported on FEX311F and FEX511F models.

  • Status — Enable or Disable the use of vdsl or adsl for SFP.
  • Physical Mode — Select the DSL physical mode you want to use, vdsl or adsl.
  • Auto Detect — Enable or Disable sfp-dsl autodetect.
    • If you disable Auto Detect, you must enter the MAC address of the sfp-dsl module.

If you set the Physical Mode as adsl, you can configure the following options:

  • Virtual Path Identifier (vpi) — SFP-DSL ADSL Fallback virtual path identifier.
  • Virtual Channel Identifier (vci) — SFP-DSL ADSL Fallback virtual channel identifier
  • Multiplexer Type — SFP-DSL ADSL Fallback Multiplexer type.
  • PVC VLAN Id — SFP-DSL ADSL Fallback Permanent Virtual Circuit VLAN ID.
  • PVC VLAN TX Id — SFP-DSL ADSL Fallback PVC VLAN ID tx.
  • PVC VLAN RX Id —SFP-DSL ADSL Fallback PVC VLAN ID rx.
  • PVC VLAN TX Op —SFP-DSL ADSL Fallback PVC VLAN TX op.
  • PVC VLAN RX Op —SFP-DSL ADSL Fallback PVC VLAN RX op
  • PVC CRC —SFP-DSL ADSL Fallback PVC CRC option (bit0 = sar LLC preserve, bit1 = ream LLC preserve, bit2 = ream VC-MUX has crc).
  • PVC ATM QoS —SFP-DSL ADSL Fallback PVC ATM QoS.
  • PVC Packet Cell Rate —SFP-DSL ADSL Fallback PVC packet cell rate (0 - 5500 cells per second, default = 0).
  • PVC Sustainable Cell Rate —SFP-DSL ADSL Fallback PVC sustainable cell rate (0 - 5500 cells per second, default = 0).

Network Plan

Select which network plan you want to apply to the interface. Devices associated with this profile will be automatically assigned a subnet based on the network plan. A default subnet 192.168.2.0/24 will be assigned for all devices if no network plan is selected.

DHCP Setting

Configure DHCP Server and Relay settings.

Server Setting

Add and configure a DHCP server for other clients to obtain an IP.

  • Name — Specify the name of the DHCP server.
  • Status — Select if you want to enable, disable, or set the DHCP server status to backup.
  • Mode — Select if you want to use information from the Network plan or if you want to manually input the information.
  • Lease Time — Specify the DHCP address lease time in seconds. The valid range is 300–8640000. 0 means unlimited.
  • MTU — Enter the interface's MTU value
  • NTP Service — The NTP service is automatically set to specify.
  • NTP Server 1-3 — Specify the IP address of each NTP Server.
  • DNS Service — Select one of the options for assigning a DNS server to DHCP clients.
    • default: Clients are assigned the FortiExtender configured DNS server.
    • specify: Specify up to three DNS servers in the DHCP server configuration.
    • wan-dns: The DNS of the WAN interface that is added becomes clients' DNS server IP address.
  • Reserved Addresses — Add a MAC addresses and select if you want to block or assign it a reserved IP address.
    • Reserved: Reserve an IP address for the specified client.
    • Block: Block a specific MAC address.

Relay Setting

When running in static mode, you can configure DHCP relay functionality.

  • Name — Specify the name of the relay setting.
  • Status — Select if you want to enable or disable the relay.
  • Server Interface — Select the server interface.
  • Mode — Select if you want to run in plan or manual mode.
  • Server IP — Enter the server IP.
  • Client Interfaces — Select which interface you want to relay.

Virtual IP Settings

When running in static mode, you can configure how your Virtual IPs direct traffic.

  • IP Mapping — Enter the IP address you want to forward traffic to.
  • Protocol — Select which protocol you want to use.
  • Port Forward —Select if you want to enable port forwarding.
  • Port — Enter the port number you want to forward traffic from.
  • Port Mapping — Enter the port number you want to forward traffic to.

Interface Settings - Dynamic interfaces

Virtual-Wan

Note

VWAN Interface configurations only apply to devices running FEXTOS 7.4.0 and later.

Name

Specify the name of the VWAN interface.

Status

Select the status you want for your interface:

  • Up

  • Down

Algorithm

Select the Load-Balancing algorithm:

  • redundant — Targets work in primary-secondary mode
  • WRR — Targets work in Weighted Round Robin mode.

For more information, refer to the FortiExtender (Standalone) Admin Guide.

Redundant By

Only available if Algorithm is set to redundant. Redundant algorithm using a VWAN member for data transmission based on:

  • priority
  • cost
FEC

Only available if you select WRR as the Algorithm. Select a LLB metric to denote how to distribute traffic:

  • source_ip — Traffic from the same source IP is forwarded to the same target.
  • dest_ip — Traffic to the same destination IP is forwarded to the same target.
  • source_dest_ip_pair — Traffic from the same source IP and to the same destination IP is forwarded to the same target.
  • connection — Traffic with the same 5 tuples (i.e., a source IP address/port number, destination IP address/port number and the protocol) is forwarded to the same target
Session Timeout Specify the session timeout threshold in seconds. The default is 60. This is used to time out a VWAN session. A LLB session is created for each traffic stream. However, when a session times out, it is deleted.

Grace Period

Specify the grace period in seconds to delay fail-back.

Member Setting

Add VWAN members to the VWAN interface.

Name

Specify the name of the VWAN member.

Target Interface

Specify the target to which traffic is forwarded.

Must be the same interface as the Interface.

Priority

Specify the priority of the link member. The lower the value, the higher the priority. The valid value range is 1—7.

Weight

Specify the weight of the member.

Health Check Fail Threshold

Specify the number of consecutive failed probes before the member is considered dead.

Note: The valid value range is 1—10; the default is 5.

Health Check

Specify a link health check you configured in Health Check Settings.

Link Cost Factor

Select which constraints you want enabled:

  • packet-loss
  • latency
  • jitter

Latency Threshold

Set the Latency Threshold in millisecond.

Jitter Threshold

Set the Jitter Threshold in millisecond.

Packet Loss Threshold

Set the Packet Loss Threshold in percentage.

Modem1 Settings/Modem2 Settings

Sim1 PIN

Enter a pin code for your Sim1 card (if applicable).

Sim2 PIN

Enter a pin code for your Sim2 card (if applicable).

Report Interval

Specify a desired report interval in seconds.

Default SIM

If there are two SIM cards, select how you want to define the default SIM card:

  • By Carrier — Select the SIM card with the preferred carrier. You can define the preferred carrier by arranging the order of plans under the Add Plan section in the Profile page.
  • By Cost — Select the SIM card with the lowest Monthly fee. You can specify the Monthly fee from the Carrier plan page.
  • SIM 1 — Select the SIM card in the SIM1 slot.
  • SIM 2 — Select the SIM card in the SIM2 slot.

Auto Switch

Select which event triggers automatic switching between SIM cards. You can select more than one event:

  • Plan Capacity — Switch when your data plan hits your specified data limit and overage is disabled. You can specify data limit from the Carrier plan page.
  • SIM Signal — Switch when the Received Signal Strength Indicator (RSSI) value drops below -100 for 600 seconds. You can configure the default values from the Carrier plan page.
  • SIM Disconnect — Switch when a SIM card disconnects a certain number of times in a specified time period.
    • SIM Disconnect Threshold: Enter the number of times a SIM card can disconnect.
    • SIM Disconnect Period: Enter the time period in seconds.
  • Switch Back by Time — Switch at a certain time of the day.
    • Switch Back Time: Enter the time (hh:mm) for when you want to switch SIM cards.
  • Switch Back By Period — Switch after a certain amount of time has elapsed.
    • Switch Back Period: Enter the time in seconds.

Note: Automatic switching will not occur if you enable the overage function under Plan configuration and also exceed the specified data limit.

VPN Settings

Add VPN

Add existing VPN plans to your profile.

Carrier Plan Settings

Add Plan

Add existing carrier plans to your profile.

Note: If you select the By Carrier option for defining a Default SIM, you can define the preferred carrier by dragging and rearranging the Plans in this section. Plans are prioritized based on their order, with the top plan being the most preferred.

DNS Database Plan Settings

Add DNS Database Plan Add existing DNS plans to your profile.

Credential Plan Settings

Add Credential

Add existing credential plans to your profile.

Services

Edit Services

Edit the services and ports associated with the profile.

Firewall Settings

Mode

Select a mode type:

  • manual — Manually configure firewall policies.

    Note: FortiExtender Cloud only includes a base all-pass policy, all other policies need to be manually entered.

  • planFortiExtender Cloud automatically assigns default policies based on the VPN plan's Phase 1 name, Phase 2 Source/Destination subnets and the Interface plan's IP addresses.

Policies

If you select the manual mode type, you can add up to 96 firewall policies to your profile.

Note: You must define two ACCEPT firewall polices to permit communications between the source and destination addresses.

Static Routing Settings

Name

Enter the name of the static route.

Interface

Select the interface type.

Gateway

Enter the IP address of the gateway.

Status

Set the status of the static route:

  • enable — Enable the static route.
  • disable — Disable the static route.

Destination Subnet

Specify the destination IP address and netmask of the static route.

Distance

Specify the administrative distance. The range is 1–255.

Multicast Routing Settings

Join Prune Interval

Set the period of time between sending periodic PIM join/prune messages in seconds.

Hello Interval Set the period of time between sending PIM hello messages in seconds.

PIM Interface

Select a PIM Interface type:

  • lan
  • lte1
  • loopback
  • wan
RP Address

Click Add RP Address and enter the following:

  • Name —Enter the name for the Rendezvous Point (RP) address.
  • Group —Enter the groups to use this RP.
  • Address — Enter the RP router address.

Policy Routing Settings

Mode

Select a mode type:

  • manual — Manually configure routing policies.

  • planFortiExtender Cloud automatically assigns default policies based on the VPN plan's Phase 1 name, Phase 2 Source/Destination subnets and the Interface plan's IP addresses.

Policy Routes

You can add up to 20 policy routes.

NTP Settings

Type

Select a Network Time Protocol (NTP) server to use:

  • fortiguard
  • custom

    • Enter the Name of your custom NTP server.

    • Enter the IP address or hostname of the custom NTP server.

Firmware Settings

OS Firmware

Select or upload the OS firmware you want to apply to each FortiExtender model associated with this profile.

Modem Firmware

Select the modem firmware you want to apply to each FortiExtender model associated with this profile.

SSIDs

Add SSIDs Add SSIDs to the profile.

ID

Enter an ID or name for the SSID plan.

SSID

Enter the name you want your SSID to show during broadcast.

Broadcast SSID

Select if you want to broadcast the SSID.

Wlan Members

Enter the WLAN members.

Security Mode

Set the security encryption mode of the SSID.

Passphrase

Enter a password for the SSID.

WiFi-Configuration

Add WiFi-Config Add Wi-Fi Configurations to the profile.

ID

Enter an ID or name for the Configuration plan.

SSID

Enter the name of an SSID.

Security Mode

Set the security mode of the SSID.

Passphrase

Enter a passphrase for the SSID.

Country Code

Set a country code.

Radio

Add Radio Add Radio configurations to the profile.

ID

Enter an ID or name for the Radio plan.

Role

Set the Radio role:

  • lan
  • wan

Band

Select the frequency band you want to broadcast:

  • 2GHz
  • 5GHz

Bandwidth

Select the channel width you want to broadcast:

  • auto
  • 20MHz
  • 40MHz

Channel

Select the channel or channels to include.

Status

Set the status of the radio:

  • enable
  • disable

Extension Channel

Select the radio extension channel:

  • auto
  • higher
  • lower

Guard Interval

Select the radio guard interval:

  • auto
  • 800ns
  • 400ns

Operating Standards

Select the radio operating standards.

Power Mode

Set the power mode for your radio:

  • auto
  • percentage
  • dBm

VAP

Select the Virtual APs you want to apply radio configurations to.