Category Archives: FortiOS 5.4 Handbook

The complete handbook for FortiOS 5.4

PPPoE addressing mode on an interface

If you configure the interface to use PPPoE, the FortiGate unit automatically broadcasts a PPPoE request from the interface.

The FortiGate units support many PPPoE RFC features (RFC 2516) including unnumbered IPs, initial discovery timeout and PPPoE Active Discovery Terminate (PADT).

PPPoE is only configurable in the web-based manager on desktop FortiGate units. 1U FortiGates and up must be configured in the CLI using the commands:

config system interface
    edit <port_name>
        set mode pppoe
        set username <ISP_username>
        set password <ISP_password>
        set idle-timeout <seconds>
        set distance <integer>
        set ipunnumbered <unnumbered-IP>
        set disc-retry-timeout <seconds>
        set padt-retry-timeout <seconds>
        set lcp-echo-interval <seconds>
        set dns-server-override {enable | disable}
    end

Configure PPPoE on an interface in System > Network > Interface. The table describes the PPPoE status information when PPPoE is configured for an interface.

Addressing mode section of New Interface page

Status
Displays PPPoE status messages as the FortiGate unit connects to the PPPoE server and gets addressing information. Select Status to refresh the addressing mode status message. The status is only displayed if you selected Edit. Status can be any one of the following 4 messages:

  • Initializing – No activity.
  • Connecting – The interface is attempting to connect to the PPPoE server.
  • Connected – The interface retrieves an IP address, netmask, and other settings from the PPPoE server. When the status is Connected, PPPoE connection information is displayed.
  • Failed – The interface was unable to retrieve an IP address and other information from the PPPoE server.

Reconnect
Select to reconnect to the PPPoE server. Only displayed if Status is Connected.

User Name
The PPPoE account user name.

Password
The PPPoE account password.

Unnumbered IP
Specify the IP address for the interface. If your ISP has assigned you a block of IP addresses, use one of them. Otherwise, this IP address can be the same as the IP address of another interface or can be any IP address.

Initial Disc Timeout
Enter the initial discovery timeout: the time to wait before starting to retry a PPPoE discovery.

Initial PADT timeout
Enter the initial PPPoE Active Discovery Terminate (PADT) timeout in seconds. Use this timeout to shut down the PPPoE session if it is idle for this number of seconds. PADT must be supported by your ISP. Set the initial PADT timeout to 0 to disable it.

Distance
Enter the administrative distance for the default gateway retrieved from the PPPoE server. The administrative distance, an integer from 1-255, specifies the relative priority of a route when there are multiple routes to the same destination. A lower administrative distance indicates a more preferred route. The default distance for the default gateway is 1.

Retrieve default gateway from server
Enable to retrieve a default gateway IP address from a PPPoE server. The default gateway is added to the static routing table.

Override internal DNS
Enable to replace the DNS server IP addresses on the System DNS page with the DNS addresses retrieved from the PPPoE server. When VDOMs are enabled, you can override the internal DNS only on the management VDOM.
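The RFC 2516 discovery exchange behind the Status field (PADI, PADO, PADR, PADS) and the PADT that the Initial PADT timeout triggers, as an added Python example that is not part of the handbook or of FortiOS: it builds and decodes discovery payloads so a capture taken on the ISP link can be checked for the PADS/PADT exchange. The frame layout and codes come from RFC 2516; the sample frames are constructed.

```python
import struct

# RFC 2516 discovery-stage codes (carried in Ethernet frames of type 0x8863).
PPPOE_DISCOVERY_ETHERTYPE = 0x8863
CODES = {0x09: "PADI", 0x07: "PADO", 0x19: "PADR", 0x65: "PADS", 0xA7: "PADT"}
# Codes that must carry SESSION_ID 0x0000; PADS and PADT carry the real session id.
ZERO_SESSION_CODES = {0x09, 0x07, 0x19}
TAG_NAMES = {
    0x0000: "End-Of-List", 0x0101: "Service-Name", 0x0102: "AC-Name",
    0x0103: "Host-Uniq", 0x0104: "AC-Cookie", 0x0105: "Vendor-Specific",
    0x0110: "Relay-Session-Id", 0x0201: "Service-Name-Error",
    0x0202: "AC-System-Error", 0x0203: "Generic-Error",
}

def build_discovery(code, session_id, tags):
    """Build the PPPoE part of a discovery frame (everything after the
    Ethernet header). tags is a list of (tag_type, value_bytes)."""
    body = b"".join(struct.pack("!HH", t, len(v)) + v for t, v in tags)
    # VER=1 and TYPE=1 share one byte (0x11); LENGTH counts the payload only.
    return struct.pack("!BBHH", 0x11, code, session_id, len(body)) + body

def parse_discovery(payload):
    """Decode a discovery payload into its code, session id and tags,
    rejecting malformed input instead of reading past the buffer."""
    if len(payload) < 6:
        raise ValueError("truncated PPPoE header")
    vt, code, session_id, length = struct.unpack("!BBHH", payload[:6])
    if vt != 0x11:
        raise ValueError("unsupported VER/TYPE byte 0x%02x" % vt)
    if code not in CODES:
        raise ValueError("unknown discovery code 0x%02x" % code)
    if code in ZERO_SESSION_CODES and session_id != 0:
        raise ValueError("%s must carry session id 0" % CODES[code])
    if length > len(payload) - 6:
        raise ValueError("LENGTH field exceeds frame")
    body = payload[6:6 + length]
    tags, off = [], 0
    while off + 4 <= len(body):
        tag_type, tag_len = struct.unpack("!HH", body[off:off + 4])
        off += 4
        if off + tag_len > len(body):
            raise ValueError("tag runs past payload")
        tags.append((TAG_NAMES.get(tag_type, "0x%04x" % tag_type), body[off:off + tag_len]))
        off += tag_len
        if tag_type == 0x0000:
            break
    return {"code": CODES[code], "session_id": session_id, "tags": tags}

def session_terminated_by(payload):
    """Return the session id a PADT tears down, or None for any other code."""
    decoded = parse_discovery(payload)
    return decoded["session_id"] if decoded["code"] == "PADT" else None
```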

DHCP addressing mode on an interface

If you configure an interface to use DHCP, the FortiGate unit automatically broadcasts a DHCP request from the interface. The interface is configured with the IP address and any DNS server addresses and default gateway address that the DHCP server provides.

DHCP IPv6 is similar to DHCP IPv4, with two differences:

  • there is no default gateway option, because a host learns its gateway from router advertisement messages
  • there is no WINS server option, because WINS is obsolete.

For more information about DHCP IPv6, see RFC 3315.

Configure DHCP for an interface by going to System > Network > Interface, selecting the interface from the list, and selecting DHCP as the Address Mode. The table describes the DHCP status information when DHCP is configured for an interface.

Addressing mode section of New Interface page for DHCP information

Status
Displays DHCP status messages as the interface connects to the DHCP server and gets addressing information. Select Status to refresh the addressing mode status message. Status can be one of:

  • initializing – No activity.
  • connecting – interface attempts to connect to the DHCP server.
  • connected – interface retrieves an IP address, netmask, and other settings from the DHCP server.
  • failed – interface was unable to retrieve an IP address and other settings from the DHCP server.

Obtained IP/Netmask
The IP address and netmask leased from the DHCP server. Only displayed if Status is connected.

Renew
Select to renew the DHCP lease for this interface. Only displayed if Status is connected.

Expiry Date
The time and date when the leased IP address and netmask are no longer valid for the interface. The IP address is returned to the pool to be allocated to the next user request for an IP address. Only displayed if Status is connected.

Default Gateway
The IP address of the gateway defined by the DHCP server. Only displayed if Status is connected and Retrieve default gateway from server is selected.

Distance
Enter the administrative distance for the default gateway retrieved from the DHCP server. The administrative distance, an integer from 1-255, specifies the relative priority of a route when there are multiple routes to the same destination. A lower administrative distance indicates a more preferred route.

Retrieve default gateway from server
Enable to retrieve a default gateway IP address from the DHCP server. The default gateway is added to the static routing table.

Override internal DNS
Enable to use the DNS addresses retrieved from the DHCP server instead of the DNS server IP addresses on the DNS page. When VDOMs are enabled, you can override the internal DNS only on the management VDOM.

Aggregate Interfaces

Link aggregation (IEEE 802.3ad) enables you to bind two or more physical interfaces together to form an aggregated (combined) link. This new link has the bandwidth of all the links combined. If a link in the group fails, traffic is transferred automatically to the remaining interfaces with the only noticeable effect being a reduced bandwidth.

This is similar to redundant interfaces with the major difference being that a redundant interface group only uses one link at a time, where an aggregate link group uses the total bandwidth of the functioning links in the group, up to eight (or more).

Support of the IEEE standard 802.3ad for link aggregation is available on some models. An interface is available to be an aggregate interface if:

  • it is a physical interface, not a VLAN interface or subinterface
  • it is not already part of an aggregate or redundant interface
  • it is in the same VDOM as the aggregated interface. Aggregate ports cannot span multiple VDOMs.
  • it does not have an IP address and is not configured for DHCP or PPPoE
  • it is not referenced in any security policy, VIP, IP Pool or multicast policy
  • it is not an HA heartbeat interface
  • it is not one of the FortiGate-5000 series backplane interfaces

Some models of FortiGate units do not support aggregate interfaces. In this case, the aggregate type is not offered in the web-based manager or CLI. As well, you cannot create aggregate interfaces from the interfaces in a switch port.

To see if a port is being used or has other dependencies, use the following diagnose command:

diagnose sys checkused system.interface.name <interface_name>

When an interface is included in an aggregate interface, it is not listed on the System > Network > Interface page. The interface still appears in the CLI, although configuration applied to it will not take effect. You cannot configure the interface individually and it is not available for inclusion in security policies, VIPs, IP pools, or routing.

 

Example

This example creates an aggregate interface on a FortiGate-3810A using ports 4-6 with an internal IP address of 10.13.101.100, and allows administrative access over HTTPS and SSH.

 

To create an aggregate interface – web-based manager

1. Go to System > Network > Interface and select Create New.

2. Enter the Name as Aggregate.

3. For the Type, select 802.3ad Aggregate.

If this option does not appear, your FortiGate unit does not support aggregate interfaces.

4. In the Available Interfaces list, select port4, port5 and port6 and move them to the Selected Interfaces list.

5. Select the Addressing Mode of Manual.

6. Enter the IP address for the port of 10.13.101.100/24.

7. For Administrative Access select HTTPS and SSH.

8. Select OK.

 

To create an aggregate interface – CLI

config system interface
    edit Aggregate
        set type aggregate
        set member port4 port5 port6
        set vdom root
        set ip 10.13.101.100/24
        set allowaccess https ssh
    end

One-armed sniffer

A one-armed sniffer is used to configure a physical interface on the FortiGate unit as a one-arm intrusion detection system (IDS). Traffic sent to the interface is examined for matches to the configured IPS sensor and application control list. Matches are logged and then all received traffic is dropped. Sniffing only reports on attacks. It does not deny or otherwise influence traffic.

Using the one-arm sniffer, you can configure a FortiGate unit to operate as an IDS appliance by sniffing network traffic for attacks without actually processing the packets. To configure one-arm IDS, you enable sniffer mode on a FortiGate interface and connect the interface to a hub or to the SPAN port of a switch that is processing network traffic.

To assign an interface as a sniffer interface, go to System > Network > Interface, edit the interface and select One-Arm Sniffer.

If the check box is not available, the interface is in use. Ensure that the interface is not selected in any firewall policies, routes, virtual IPs or other features in which a physical interface is specified.

Enable Filters
Select to include filters to define a more granular sniff of network traffic. Select specific addresses, ports, VLANs and protocols. In all cases, enter a number, or number range, for the filtering type. For Protocol values, standard protocols are:

  • UDP – 17
  • TCP – 6
  • ICMP – 1

Include IPv6 Packets
If your network is running a combination of IPv4 and IPv6 addressing, select to sniff both addressing types. Otherwise, the FortiGate unit will only sniff IPv4 traffic.

Include Non-IP Packets
Select for a more intense scan of content in the traffic.

UTM Security Profiles
IPS sensors and application control lists enable you to select the specific sensors and applications you want to identify within the traffic.
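How the Enable Filters fields narrow what the sniffer interface hands to the IPS sensor, as an added Python model that is not FortiOS code: host, port, VLAN and protocol each take a number or number range as described above, the Include IPv6 Packets toggle gates IPv6 traffic, and the packet summaries are constructed stand-ins for SPAN-port traffic. The exact matching rules FortiOS applies (for instance, whether a port filter matches either end of a flow) are an assumption here.

```python
import ipaddress

# Protocol numbers as listed in the handbook for the one-arm sniffer filter.
PROTOCOL_NUMBERS = {"icmp": 1, "tcp": 6, "udp": 17}

def parse_number_range(spec):
    """Parse a filter value given as a number ('6') or a range ('1024-65535').
    An empty value means the field is not filtered."""
    if spec is None or spec == "":
        return None
    lo, sep, hi = spec.partition("-")
    low = int(lo)
    high = int(hi) if sep else low
    if low > high:
        raise ValueError("range low end exceeds high end: %s" % spec)
    return (low, high)

def _in_range(value, rng):
    return rng is None or rng[0] <= value <= rng[1]

class SnifferFilter:
    """Model of the Enable Filters fields (host, port, VLAN, protocol) plus the
    Include IPv6 Packets toggle. A packet must satisfy every field that is set
    before it is handed to the IPS sensor (assumed semantics, not FortiOS code)."""

    def __init__(self, host=None, port=None, vlan=None, protocol=None, include_ipv6=False):
        self.host = ipaddress.ip_network(host, strict=False) if host else None
        self.port = parse_number_range(port)
        self.vlan = parse_number_range(vlan)
        self.protocol = parse_number_range(protocol)
        self.include_ipv6 = include_ipv6

    def matches(self, pkt):
        """pkt: dict with src, dst, proto, sport, dport, vlan (constructed summary)."""
        src, dst = ipaddress.ip_address(pkt["src"]), ipaddress.ip_address(pkt["dst"])
        if src.version == 6 and not self.include_ipv6:
            return False
        if self.host is not None and (self.host.version != src.version
                                      or (src not in self.host and dst not in self.host)):
            return False
        if not _in_range(pkt["proto"], self.protocol) or not _in_range(pkt.get("vlan", 0), self.vlan):
            return False
        # Port filter applies to either end of a TCP/UDP flow; ICMP has no ports.
        if self.port is not None:
            if pkt["proto"] not in (PROTOCOL_NUMBERS["tcp"], PROTOCOL_NUMBERS["udp"]):
                return False
            if not (_in_range(pkt["sport"], self.port) or _in_range(pkt["dport"], self.port)):
                return False
        return True

# Constructed packet summaries standing in for traffic seen on the SPAN port.
SAMPLE_PACKETS = [
    {"src": "10.1.1.5", "dst": "203.0.113.10", "proto": 6, "sport": 51000, "dport": 443, "vlan": 10},
    {"src": "10.1.1.5", "dst": "203.0.113.53", "proto": 17, "sport": 51001, "dport": 53, "vlan": 10},
    {"src": "10.1.2.9", "dst": "203.0.113.10", "proto": 1, "sport": 0, "dport": 0, "vlan": 20},
    {"src": "2001:db8::5", "dst": "2001:db8::1", "proto": 6, "sport": 51002, "dport": 22, "vlan": 10},
]

def select_for_ips(flt, packets=SAMPLE_PACKETS):
    """Return the indexes of the packets the sniffer would examine under the filter."""
    return [i for i, p in enumerate(packets) if flt.matches(p)]
```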

Redundant interfaces

On some models you can combine two or more physical interfaces to provide link redundancy. This feature enables you to connect to two or more switches to ensure connectivity in the event one physical interface or the equipment on that interface fails.

In a redundant interface, traffic is only going over one interface at any time. This differs from an aggregated interface where traffic is going over all interfaces for distribution of increased bandwidth. This difference means redundant interfaces can have more robust configurations with fewer possible points of failure. This is important in a fully-meshed HA configuration.

An interface is available to be in a redundant interface if:

  • it is a physical interface, not a VLAN interface
  • it is not already part of an aggregated or redundant interface
  • it is in the same VDOM as the redundant interface
  • it has no defined IP address
  • it is not configured for DHCP or PPPoE
  • it has no DHCP server or relay configured on it
  • it does not have any VLAN subinterfaces
  • it is not referenced in any security policy, VIP, or multicast policy
  • it is not monitored by HA
  • it is not one of the FortiGate-5000 series backplane interfaces

When an interface is included in a redundant interface, it is not listed on the System > Network > Interface page. You cannot configure the interface individually and it is not available for inclusion in security policies, VIPs, or routing.

Loopback interfaces

A loopback interface is a logical interface that is always up (no physical link dependency) and the attached subnet is always present in the routing table.

The FortiGate’s loopback IP address does not depend on one specific external port, so it can be accessed through several physical or VLAN interfaces. Multiple loopback interfaces can be configured in either non-VDOM mode or in each VDOM.

Loopback interfaces still require appropriate firewall policies to allow traffic to and from this type of interface. A loopback interface can be used with:

  • Management access
  • BGP (TCP) peering
  • PIM RP

Loopback interfaces are a good practice for OSPF. Setting the OSPF router ID to the loopback IP address makes troubleshooting OSPF easier and makes the management IP address easier to remember (telnet to the “router ID”).

Dynamic routing protocols can be enabled on loopback interfaces.

For a black hole static route, use the black hole route type instead of a loopback interface.

Virtual Switch

The virtual switch feature enables you to create virtual switches on top of the physical switch(es) with designated interfaces/ports, so that a virtual switch can build up its forwarding table through learning and forward traffic accordingly. When traffic is forwarded among interfaces belonging to the same virtual switch, it does not need to go up to the software stack; it is forwarded directly by the switch. When traffic has to be relayed to interfaces not on the virtual switch, it goes through the normal data path and is offloaded to the NP4 when possible.

This feature is only available on mid to high end FortiGate units, including the 100D, 600C, 1000C, and 1240B.

 

To enable and configure the virtual switch, enter the CLI commands:

config system virtual-switch
    edit vs1
        set physical-switch sw0
        config port
            edit 1
                set port port1
                set speed xx
                set duplex xx
                set status [up|down]
            next
            edit 2
                set port port2
                set …
            next
        end
    next
end

Software switch

A software switch, or soft switch, is a virtual switch that is implemented at the software, or firmware level, rather than the hardware level. A software switch can be used to simplify communication between devices connected to different FortiGate interfaces. For example, using a software switch, you can place the FortiGate interface connected to an internal network on the same subnet as your wireless interfaces. Then devices on the internal network can communicate with devices on the wireless network without any additional configuration such as additional security policies, on the FortiGate unit.

It can also be useful if you require more hardware ports for the switch on a FortiGate unit. For example, if your FortiGate unit has a 4-port switch, WAN1, WAN2 and DMZ interfaces, and you need one more port, you can create a soft switch that includes the 4-port switch and the DMZ interface all on the same subnet. These types of applications also apply to wireless interfaces, virtual wireless interfaces and physical interfaces, such as those on FortiWiFi and FortiAP units.

Similar to a hardware switch, a software switch functions like a single interface. A software switch has one IP address; all of the interfaces in the software switch are on the same subnet. Traffic between devices connected to each interface is not regulated by security policies, and traffic passing in and out of the switch is affected by the same policy.

 

There are a few things to consider when setting up a software switch:

  • Ensure you create a backup of the configuration.
  • Ensure you have at least one port or connection such as the console port to connect to the FortiGate unit. If you accidentally combine too many ports, you will need a way to undo any errors.
  • The ports that you include must not have any link or relation to any other aspect of the FortiGate unit. For example, DHCP servers, security policies, and so on.
  • For increased security, you can create a captive portal for the switch, allowing only specific user groups access to the resources connected to the switch.

 

To create a software switch – web-based manager

1. Go to System > Network > Interface and select Create New.

2. For Type, select Software Switch.

3. In the Physical Interface Members option, select the interfaces to include.

4. Configure the remaining interface settings.

5. Select OK.

 

To create a software switch – CLI

config system switch-interface
    edit <switch_name>
        set type switch
        set member <interface_list>
    end

config system interface
    edit <switch_name>
        set ip <ip_address>
        set allowaccess https ssh ping
    end

 

Soft switch example

For this example, the wireless interface (WiFi) needs to be on the same subnet as the DMZ1 interface to facilitate wireless syncing between an iPhone and a local computer. Syncing between two subnets is problematic; putting both interfaces on the same subnet makes it work, and the software switch accomplishes this.

In this example, the soft switch includes a wireless interface. Remember to configure any wireless security before proceeding. If you leave this interface open without any password or other security, it leaves open access to not only the wireless interface but to any other interfaces and devices connected within the software switch.

 

Clear the interfaces and back up the configuration

First, ensure that the interfaces are not being used with any other security policy or other use on the FortiGate unit. Check the WiFi and DMZ1 ports to ensure DHCP is not enabled on the interface and there are no other dependencies with these interfaces.

Next, save the current configuration so that, if something does not work, recovery can be quick.

 

Merge the interfaces

The plan is to merge the WiFi port and DMZ1 port. This will create a software switch with a name of “synchro” with an IP address of 10.10.21.12. The steps will create the switch, add the IP and then set the administrative access for HTTPS, SSH and Ping.

 

To merge the interfaces – CLI

config system switch-interface
    edit synchro
        set type switch
        set member dmz1 wifi
    end

config system interface
    edit synchro
        set ip 10.10.21.12
        set allowaccess https ssh ping
    end

 

Final steps

With the switch set up, you can now add security policies, DHCP servers and any other configuration that you would normally apply to interfaces on the FortiGate unit.