Administration Guide

Example GUI configuration

In this example, the FortiGate Controller has CAPWAP access allowed on port3. The FortiGate Connector has its WAN port3 connected to the FortiGate Controller, and LAN port5 is connected to the client PCs.

To configure the FortiGate LAN extension:
  1. On the FortiGate Controller, enable the FortiExtender setting. For high-end models (1000 series and higher) and VM models, enter:

    config system global
        set fortiextender enable
    end

    Note: This command is configured by default on entry-level and mid-range models (900 series and lower).

  2. On the FortiGate Controller, configure the port3 settings:

    1. Go to Network > Interfaces and edit port3.

    2. Set the Addressing mode to IPAM.

    3. In this example, IPAM is not enabled yet. Click Enable IPAM. The IPAM Settings pane opens.

    4. Set the Status to Enabled, enable FortiExtender LAN extensions, then click OK.

    5. In the Administrative Access > IPv4 section, select Security Fabric Connection to enable CAPWAP on the interface.

    6. Enable DHCP Server.

    7. Click OK.

  3. On the FortiGate Connector, enable VDOMs:

    1. Go to System > Settings.

    2. In the System Operation Settings section, enable Virtual Domains.

    3. Click OK. You will be logged out of the device when VDOM mode is enabled.

  4. On the FortiGate Connector, enable the FortiExtender setting. For high-end models (1000 series and higher) and VM models, enter:

    config system global
        set fortiextender enable
    end

    Note: This command is configured by default on entry-level and mid-range models (900 series and lower).

  5. On the FortiGate Connector, configure the LAN extension VDOM:

    1. Go to System > VDOM and click Create New.

    2. Enter a name (lan-extvdom) and set the Type to LAN Extension.

    3. Click OK. The LAN Extension VDOM Created prompt appears.

    4. Click Go to interface list page to assign a role (LAN or WAN) and the LAN extension VDOM.

  6. On the FortiGate Connector, edit port3:

    1. Set the Role to WAN.

    2. Set the Virtual domain to lan-extvdom.

    3. Click OK.

  7. On the FortiGate Connector, edit port5:

    1. Set the Role to LAN.

    2. Set the Virtual domain to lan-extvdom.

      The addressing mode is set to Manual and the IP/Netmask is set to 0.0.0.0/0.0.0.0 because port5 will become part of the le-switch software switch, which already has its own IP address assigned.

    3. Click OK.

      Note: Setting the Role to LAN will automatically add this interface to the le-switch LAN extension software switch, which forms an L2 network with the VXLAN.

      To add more LAN ports to le-switch automatically, set the Role to LAN for other desired LAN ports.

  8. On the FortiGate Connector, select the LAN extension VDOM, and enter the IP address of the FortiGate Controller:

    1. Go to Network > LAN Extension.

    2. Set the Access Controller (AC) address to the IP address of port3 on the FortiGate Controller. In this example, use 172.31.0.254.

    3. Click Apply.

  9. On the FortiGate Controller, enable the FortiExtender feature visibility in the GUI, and authorize the FortiGate Connector:

    1. Go to System > Feature Visibility. In the Additional Features section, enable FortiExtender and click Apply.

    2. Go to Network > FortiExtenders and select the Managed FortiExtenders tab.

    3. Select the device, then right-click and select Authorization > Authorize.

    4. Click OK to authorize the device.

  10. On the FortiGate Controller, configure the LAN extension interface:

    1. Go to Network > Interfaces and edit the LAN extension interface.

    2. Set the Addressing mode to IPAM and set When to use IPAM to Inherit IPAM auto-manage settings (default).

    3. Enable DHCP Server, and configure the settings as needed (see DHCP servers and relays for more information).

    4. Click OK.

  11. On the FortiGate Controller, configure the default gateway if a static WAN IP configuration is used:

    1. Go to Network > Static Routes and edit the default gateway settings to specify the correct internet gateway address and WAN interface.

    2. Click OK.

  12. On the FortiGate Controller, configure the firewall policy to allow traffic to pass:

    1. Go to Policy & Objects > Firewall Policy and click Create New.

    2. Set the Incoming Interface to the LAN extension interface.

    3. Configure the other settings as needed.

    4. Click OK.

  13. On the FortiGate Connector, verify that the LAN extension is connected:

    1. Go to Network > LAN Extension.

    2. Verify that the Status is Connected.
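
As an added example (not part of the Fortinet guide), the following Python check reads a FortiGate Controller configuration backup and reports the two settings from this procedure that widen exposure: Security Fabric Connection (CAPWAP) access on any interface other than port3, and an accept policy from the LAN extension interface that allows every service. The sample config is constructed, `lan-ext-if` is a placeholder interface name, and the script assumes the CLI token `fabric` under `allowaccess` corresponds to the GUI's Security Fabric Connection option.

```python
# Constructed sample; "lan-ext-if" is a placeholder LAN extension interface name.
SAMPLE = '''
config system interface
    edit "port3"
        set allowaccess ping fabric
    next
    edit "port1"
        set allowaccess ping https fabric
    next
end
config firewall policy
    edit 1
        set srcintf "lan-ext-if"
        set service "ALL"
        set action accept
    next
    edit 2
        set srcintf "lan-ext-if"
        set service "HTTPS" "DNS"
        set action accept
    next
end
'''

def parse(text):
    """Map (top-level section, edit name) -> {setting: [values]}."""
    out, section, entry, depth = {}, None, None, 0
    for line in text.splitlines():
        tok = [t.strip('"') for t in line.split()] or [""]  # naive: no spaces in names
        if tok[0] == "config":
            depth += 1
            if depth == 1:
                section, entry = " ".join(tok[1:]), None
        elif tok[0] == "end":
            depth -= 1
        elif tok[0] == "edit" and depth == 1:
            entry = out.setdefault((section, tok[1]), {})
        elif tok[0] == "set" and depth == 1 and entry is not None:
            entry[tok[1]] = tok[2:]
    return out

def audit(text, capwap_ifs=("port3",), lan_ext_if="lan-ext-if"):
    """Yield findings: CAPWAP access outside capwap_ifs, ALL-service accepts from lan_ext_if."""
    for (section, name), s in parse(text).items():
        if section == "system interface" and name not in capwap_ifs:
            if "fabric" in s.get("allowaccess", []):
                yield f"interface {name}: CAPWAP (fabric) access enabled"
        elif section == "firewall policy" and lan_ext_if in s.get("srcintf", []):
            if s.get("service") == ["ALL"] and s.get("action") == ["accept"]:
                yield f"policy {name}: accepts ALL services from {lan_ext_if}"
```

Call `list(audit(config_text))` with the interface names used in your deployment; settings inside nested `config` blocks are ignored by design.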
