Tag Archives: fortigate FortiExtender

FortiExtender

FortiExtender

FortiGate units support the use of wireless, 3G and 4G modems connected to a FortiExtender which will be connected to the FortiGate unit.

 

Installing the 3G/4G modem

Remove the housing cover of the FortiExtender and use the provided USB extension cable to connect your 3G/4G modem to the device.

For more information on installing the 3G/4G modem, see the QuickStart Guide.

 

Connecting the FortiExtender unit

 

If you are using the provided PoE injector:

1. Plug the provided Ethernet cable into the Ethernet port of the FortiExtender and insert the other end of the

Ethernet cable into the AP/Bridge port on the injector, then plug the injector into an electrical outlet.

2. Connect the LAN port of the PoE injector to a FortiGate, FortiWifi, or FortiSwitch device.

 

If you are not using the PoE injector:

1. Insert the other end of the Ethernet cable into a PoE LAN port on an appropriate FortiGate, FortiWifi or FortiSwitch device.

For more information on connecting the FortiExtender unit, see the QuickStart Guide.

Once connected, your FortiGate appliance can automatically detect, connect with, and control the FortiExtender and modem via a CAPWAP tunnel.To do this, FortiExtender and FortiGate must be on the same Layer 2/3 subnet (or have DHCP relay between) and FortiGate must respond to FortiExtender’s request. In this example FortiExtender is connected to the lan interface of the FortiGate unit.

 

By default, FortiExtender is hidden and disabled.Enable it in FortiGate’s CLI:

config system global

set fortiextender enable

set wireless-cotnroller enable end

 

The control and provisioning of Wireless Access Point (CAPWAP) service must be enabled on the port to which the FortiExtender unit is connected (lan interface in this example) using the following CLI commands:

config system interface edit lan

set allowaccess capwap end

 

Once FortiExtender is discovered and authorized, a virtual WAN interface such as fext-wan1 is created on the Fortigate.

 

Configuring the FortiExtender unit

At this point, you can fully manage the FortiExtender from the FortiGate unit. To achieve this, you need to authorize the FortiExtender by going to System > Network > FortiExtender and click on Authorize. Once authorized, you can configure you device as required:

Link Status: Shows you if the link is Up or Down, click on Details to see the System and Modem Status.

IP Address: Shows you the current FortiExtender’s IP address, click on the link of the IP address to connect to the FortiExtender GUI.

OS Version: Shows the current FortiExtender’s build, click on Upgrade if you wish to upgrade the Firmware.

Configure Settings: Allows you to configure the Modem Settings, PPP Authentication, General, GSM / LTE, and CDMA.

Diagnostics: Allows you to diagnose the FortiExtender unit, you can choose a command form the existing commands and click on Run.

Existing commands are: Show device info, Show data session connection status, test connection, test disconnection, Get signal strength, AT Command.

 

Sample output of Show device info:

Manufacturer: Sierra Wireless, Incorporated

Model: AirCard 330U

Revision: SWI9200X_03.00.08.03AP R4019 CARMD-EN-10527 2011/12/07 18:43:13

IMEI: 359615040996060

IMEI SV: 7

FSN: CDU3153118210

3GPP Release 8

+GCAP: +CGSM OK

 

Modem Settings

The FortiExtender unit allows for two modes of operation for the modem; On Demand and Always Connect. In On Demand mode, the modem connects to an ISP only upon execution of the dial up operation and disconnects only upon subsequent hang up operation from the CLI.

 

Syntax

To connect, run the following CLI command:

execute extender dial <SN> // <SN> is the FortiExtender’s serial number.

 

To disconnect, run the following CLI command:

execute extender hangup <SN> // <SN> is the FortiExtender’s serial number.

 

In Always Connect mode, the modem is always connected to the internet, it can acts as a primary or backup method of connecting to the Internet.

 

By default, the Fortiextender will be in Always Connect mode once authorized.

 

Modem Settings is a matter of configuring the dialing mode. The dial mode is either Always Connect or On demand. Selecting Always Connect ensures that once the modem has connected, it remains connected to the ISP.

 

To configure the dial mode as needed – web-based manager

1. Go to System > Network > FortiExtender and click Configuring Settings.

2. Extend Modem Settings.

3. Select the Dial Mode of Always Connect or On Demand.

4. Enter the Redial Limit to 5 – Only applicable in On Demand mode.

5. If needed, enter the Quota Limit to the desired limit in Mega Byte -The recorded quota usage values are not persistent and lost upon rebooting Fortigate.

6. Select Ok.

 

Configuring the FortiGate unit

In order to allow inbound and outbound traffic through the 3G/4G modem, you need to add a security policy and, depending the scenario, a static route in the FortiGate unit.

 

Adding a policy

If your network will be using IPv4 addresses, go to Policy & Objects > Policy > IPv4 and select Create New to add a policy that allows users on the private network to access the Internet.

In the policy, set the Incoming Interface to the internal interface and the Outgoing Interface to fext-wan1 interface. You will also need to set Source Address, Destination Address, Schedule, and Service according to your network requirements.

Make sure the Action is set to ACCEPT. Turn on NAT and make sure Use Destination Interface Address is selected. Select OK.

 

Alwayson, redundant of wan1

No route required as in FortiOS 5.2.2 the routing shows only active routes. Use the following CLI command to show all routes:

get router info routing-table all

 

Sample Output

Codes: K – kernel, C – connected, S – static, R – RIP, B – BGP O – OSPF, IA – OSPF inter area

N1 – OSPF NSSA external type 1, N2 – OSPF NSSA external type 2

E1 – OSPF external type 1, E2 – OSPF external type 2

i – IS-IS, L1 – IS-IS level-1, L2 – IS-IS level-2, ia – IS-IS inter area

* – candidate default

S* 0.0.0.0/0 [10/0] via 172.20.120.2, wan1

C 25.49.248.0/24 is directly connected, fext-wan1

C 169.254.1.1/32 is directly connected, ssl.root is directly connected, ssl.root

C 172.20.120.0/24 is directly connected, wan1

C 192.168.1.0/24 is directly connected, lan

 

Alwayson, with select traffic going through the FortiExtender

In this scenario, a static route is required, if your network using IPv4 addresses, go to Router > Static > Static Routes or System > Network > Routing, depending on your FortiGate model, and select Create New. Set the Destination IP/Mask to 0.0.0.0/0.0.0.0, Device to fext-wan1, and set the Gateway to your gateway IP or to the next hop router, depending on your network requirements. Select OK.