Fortinet Document Library

Version: 5.4.0
Deploying FortiADC-VM on Oracle Cloud Infrastructure

1. Create a virtual cloud network.

Log into your Oracle Cloud Infrastructure account. Navigate by way of the sidebar to Compute. Make sure that under List Scope (on the sidebar) you are in the right compartment.

Navigate to Networking > Virtual Cloud Networks > Create Virtual Cloud Network (the blue tab).

In the name field, enter the VCN name.

Select between the following two options: 

  • CREATE VIRTUAL CLOUD NETWORK ONLY—allows you to create each resource separately by specifying your own inputs.
  • CREATE VIRTUAL CLOUD NETWORK PLUS RELATED RESOURCES—allows you to create the Internet gateway, routing table, and subnet all together using Oracle default settings.

In this example, the first choice is used.

2. Create a security list.

Navigate to Networking > Virtual Cloud Networks. Click into the individual Virtual Cloud Network you have just created, then go to Security Lists. Click Create Security List, then add or edit the rule according to the actual network environment. The following is an example of a configuration that allows all traffic. However, the user must create rules according to their own network requirements.
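An allow-all security list puts the HTTP, HTTPS and SSH management access described in step 8 within reach of any source address, so it is worth reviewing the rules before the instance gets a public IP. The following check is an added example, not part of the Fortinet guide. It assumes the security list has been exported as JSON in the kebab-case shape printed by `oci network security-list get`; the sample rules and the function names are constructed for illustration.

```python
import ipaddress
import json

# TCP management services this guide exposes on the FortiADC public IP (step 8).
MGMT_PORTS = {22: "SSH", 80: "HTTP GUI", 443: "HTTPS GUI"}

# Constructed sample, shaped like the "data" object printed by
# `oci network security-list get`. Addresses and rules are illustrative only.
SAMPLE_SECURITY_LIST = json.loads("""
{
  "display-name": "fadc-public-sl",
  "ingress-security-rules": [
    {"protocol": "all", "source": "0.0.0.0/0", "is-stateless": false},
    {"protocol": "6", "source": "0.0.0.0/0",
     "tcp-options": {"destination-port-range": {"min": 443, "max": 443}}},
    {"protocol": "6", "source": "203.0.113.0/24",
     "tcp-options": {"destination-port-range": {"min": 22, "max": 22}}},
    {"protocol": "6", "source": "0.0.0.0/0",
     "tcp-options": {"destination-port-range": {"min": 8003, "max": 8003}}},
    {"protocol": "6", "source": "0.0.0.0/0",
     "tcp-options": {"destination-port-range": {"min": 80, "max": 80}}}
  ]
}
""")


def is_any_source(source):
    """True when the source CIDR matches every address (0.0.0.0/0 or ::/0)."""
    try:
        return ipaddress.ip_network(source, strict=False).prefixlen == 0
    except ValueError:
        return False  # not a CIDR (for example a service label)


def tcp_port_range(rule):
    """Destination port range of a TCP rule; no range means all ports."""
    opts = rule.get("tcp-options") or {}
    rng = opts.get("destination-port-range")
    if not rng:
        return 1, 65535
    return int(rng["min"]), int(rng["max"])


def audit_ingress(security_list):
    """Return (rule_index, finding, detail) for world-open ingress rules."""
    findings = []
    rules = security_list.get("ingress-security-rules") or []
    for idx, rule in enumerate(rules):
        source = rule.get("source", "")
        if not is_any_source(source):
            continue  # restricted source: out of scope for this check
        proto = str(rule.get("protocol", "")).lower()
        if proto == "all":
            findings.append(
                (idx, "allow-all", "every protocol and port from " + source))
        elif proto == "6":  # IANA protocol number for TCP
            low, high = tcp_port_range(rule)
            exposed = [name for port, name in sorted(MGMT_PORTS.items())
                       if low <= port <= high]
            if exposed:
                findings.append(
                    (idx, "mgmt-exposed", ", ".join(exposed) + " from " + source))
    return findings


if __name__ == "__main__":
    for idx, finding, detail in audit_ingress(SAMPLE_SECURITY_LIST):
        print(f"rule {idx}: {finding}: {detail}")
```

Rules that open only a service port to any source, such as the virtual-server port 8003 used later in this guide, are not flagged; only allow-all rules and world-reachable management ports are.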

3. Create a route table and DHCP options for the internal network.

Navigate to Networking > Virtual Cloud Networks. Click into your individual Virtual Cloud Network and go to Route Tables. Click Create Route Table. You can configure route rules according to the actual network environment.

Click Create DHCP Options. Write a name.

4. Create internal network subnet.

In the NAME field, enter the Subnet name. For SUBNET TYPE, select AVAILABILITY DOMAIN-SPECIFIC.

Set the AVAILABILITY DOMAIN, configure the CIDR BLOCK, and select the ROUTE TABLE. Scroll down and select DHCP OPTIONS and Security Lists.

5. Upload the image.

Note

Starting from 5.2.4 we suggest configuring the ADC instance from Marketplace. If the user has gone this route, the user does not need to worry about step 5, "Upload the image," and may proceed to step 6, "Create the FortiADC instance."

We also suggest using Paravirtualized Mode over Emulated Mode for better performance.

Download VM Images from https://support.fortinet.com. Decompress FAD_OCI-V500-buildXXXX-FORTINET.out.oci.gz to get the qcow image.

Navigate to Object Storage > Object Storage. Click Create Bucket. Enter BUCKET NAME and click Create Bucket.

Select the bucket, then upload the qcow image.

Once uploaded, the following screen appears. Click Create Pre-Authenticated Requests from the left or right menu.

Copy the request URL manually for next step (or just click Copy).

Navigate to Compute > Custom Images. Click Import Image. Complete the fields. In the OBJECT STORAGE URL field, enter the request URL you copied above.

Under IMAGE TYPE, select QCOW2. Under LAUNCH MODE, select PARAVIRTUALIZED MODE.

You have now imported the image. Wait until the Importing... status changes to Available. After the change, navigate to the image.

6. Create the FortiADC instance.

Note

Starting from 5.2.4 we suggest configuring the ADC instance from Marketplace, which is newly supported.

FortiADC license requirements

If you are working with a FortiADC release earlier than 5.2.2, the trial license only supports 2 vCPUs and 8G memory. When you are selecting an instance shape, be careful not to exceed these limitations. The trial license limitations match the shape VM.Standard.E2.1, with 1 OCPU and 8G memory.

The FortiADC license applies to VCPU and not OCPU, which is an Oracle Cloud object.

Note

The FortiADC virtual machine uses a 2G bootdisk by default. However, the OCI-allocated "boot volume size" (which means the same as "bootdisk size") has to be larger than 46.6G, which is its minimum. Thus we use the default bootdisk size (46.6G) when configuring the FortiADC bootdisk.

The FortiADC requires at minimum 1 vCPU and 4G memory. In actual practice, though, it's suggested that you use at least 2 vCPU and 8G memory.

How to create the FortiADC instance: Marketplace and Custom images

There are two options for creating the FortiADC instance: Marketplace and Custom images.

1. Marketplace

Go to Marketplace > find the FortiADC > Launch Instance. Choose the version (Paravirtualized Mode, the default, is suggested). Select compartment. Accept terms of agreement > Launch Instance.

2. Custom images

Navigate to Compute > Instances. Click Create Instance. Enter NAME and select the desired DOMAIN. Under IMAGE SOURCE, select CUSTOM IMAGES, then select the image you imported earlier. Under SHAPE TYPE, select VIRTUAL MACHINE. In the SHAPE field, select one of the following supported instance shapes. For Networking, select the desired VIRTUAL CLOUD NETWORK and SUBNET.

Ensure Assign public IP address is selected so you can access the FortiADC over the Internet. Then click Create, on the very bottom.

7. Attach a storage to FortiADC.

The instance was launched without a log disk. To add a log disk, navigate to Block Storage > Block Volumes. Click Create Block Volume. Set NAME, select DOMAIN, set SIZE and then click Create Block Volume.

Note

The FortiADC virtual machine uses a 30G logdisk by default. However, the OCI-allocated disk size has to be larger than 50G, which is its minimum. As shown in this example, configure the FortiADC logdisk to be 50G (the ADC does not limit its size).

It is recommended that users attach a logdisk; otherwise some functions, such as HA and image upload, will not work properly.

Return to the FortiADC instance. Click Attach Block Volumes, select PARAVIRTUALIZED and select BLOCK VOLUME. Click Attach.

After attaching the block volume, ensure you reboot the FortiADC instance. You can use “execute reboot”.

If the instance was configured in Emulated Mode, when attaching the log disk, you will see the following dialogue box. Ensure that Emulated Mode is selected.

8. Access the FortiADC.

In the FortiADC instance, find the public IP address. In a browser, you can now use this public IP to log into FortiADC through the following ways:

  • http://<public_IP_address>
  • https://<public_IP_address>
  • SSH

The default username is admin. The default password is the OCID.

Log into FortiADC by way of HTTP.

Log into FortiADC by way of HTTPS.

Log into FortiADC by way of SSH.

9. Create Console Connection.

Navigate to Instance page. Click Console Connections and click Create Console Connection. Upload your host SSH public key. If you don't have a public key, please use ssh-keygen to generate one.

Click Connect with SSH and copy the ssh command.

Run the copied command under Linux console. Press Enter to refresh the output.

10. Create the second vNIC.

In the FortiADC instance, click Attached VNICs > Create VNIC. Create the virtual network interface by specifying the name, then specify the Virtual Cloud Network, and the internal subnet created earlier. Ensure Skip Source/Destination Check is selected. Enter an IP address and click Create VNIC.

Note

The FortiADC virtual machine supports a maximum of 10 ports. Users can add interfaces according to their network requirements. It's suggested that you use at least 2 ports.

11. Configure the second vNIC on the FortiADC.

After attaching the second vNIC to the FortiADC, ensure you reboot the FortiADC, then log into the FortiADC. Log into the GUI console and navigate to Network > Interfaces. You now see two ports, but the second port is not configured with an IP address. Manually configure the same IP address specified on OCI.

12. To assign a new secondary private IP to a VNIC

After configuring the VS on the FortiADC, you must assign the VS IP to the VNIC on OCI.

In addition, if you configure “Secondary IP Address”, “Floating IP”, L4VS “NAT Source Pool”, SNAT “Translation to IP Address”, DNAT “External Address Range”, etc., you must also assign these IPs to the VNIC on OCI.

Open the navigation menu. Under Compute, click Instances. Click the instance to view its details. Click Attached VNICs, and then click the VNIC you're interested in. Click Assign IP Address.

If necessary, you can assign a public IP, after which users can access the VS through the public IP.

Example: Set VS on OCI in HA-VRRP mode

Configure HA on ADC1

config system ha
    set mode active-active-vrrp
    set hbdev port2
    set datadev port2
    set group-id 31
    set local-node-id 1
    set group-name oci_group
    set config-priority 200
    set override enable
    set l7-persistence-pickup enable
    set l4-persistence-pickup enable
    set l4-session-pickup enable
    set hb-type unicast
    set local-address 192.168.3.12
    set peer-address 192.168.3.8
end

Configure HA on ADC2

config system ha
    set mode active-active-vrrp
    set hbdev port2
    set datadev port2
    set group-id 31
    set group-name oci_group
    set override enable
    set l7-persistence-pickup enable
    set l4-persistence-pickup enable
    set l4-session-pickup enable
    set hb-type unicast
    set local-address 192.168.3.8
    set peer-address 192.168.3.12
end

Configure Traffic-Group on ADC

config system traffic-group
    edit "0_1"
        set failover-order 0 1
        set preempt enable
    next
    edit "1_0"
        set failover-order 1 0
        set preempt enable
    next
end

Configure VS on ADC

config load-balance real-server
    edit "RS1"
        set ip 192.168.3.2
    next
    edit "RS2"
        set ip 192.168.3.3
    next
end

config load-balance pool
    edit "Pool_1"
        set real-server-ssl-profile NONE
        config pool_member
            edit 1
                set pool_member_cookie rs1
                set real-server RS1
            next
        end
    next
    edit "Pool_2"
        set real-server-ssl-profile NONE
        config pool_member
            edit 1
                set pool_member_cookie rs1
                set real-server RS2
            next
        end
    next
end

config load-balance virtual-server
    edit "L7_HTTP_Public_IP"
        set type l7-load-balance
        set interface port1
        set ip 192.168.2.102
        set port 8003
        set load-balance-profile HTTP
        set load-balance-method LB_METHOD_ROUND_ROBIN
        set load-balance-pool Pool_1
        set traffic-log enable
        set traffic-group 0_1
        set fortiview enable
    next
    edit "L7_HTTP_Public_IP_Slave"
        set type l7-load-balance
        set interface port1
        set ip 192.168.2.101
        set port 8003
        set load-balance-profile HTTP
        set load-balance-method LB_METHOD_ROUND_ROBIN
        set load-balance-pool Pool_2
        set traffic-log enable
        set traffic-group 1_0
        set fortiview enable
    next
end

ADC OCI setting
Note

From 5.2.5 and 5.3.1, OCI region type has been added to the GUI. OCI Region and OCI Region Type do not need to be selected, as FortiADC will do it automatically.

The following configuration is necessary in HA mode:

config system oci
    set tenant-id xxxx
    set user-id xxxx
    set region-id [OCI_EU_FRANKFURT | OCI_US_ASHBURN | OCI_US_PHOENIX]
    set oci-privatekey-file xxxx.key
end

You can find the tenant-id / user-id / region-id on OCI page:

oci-privatekey

1. Generate private key & public key

Generate the private key:

openssl genrsa -out ~/.oci/oci_api_key.pem 2048

Generate the public key:

openssl rsa -pubout -in ~/.oci/oci_api_key.pem -out ~/.oci/oci_api_key_public.pem

Note

For more details about generating an API key, please refer to this page in the OCI: https://docs.cloud.oracle.com/iaas/Content/API/Concepts/apisigningkey.htm.

2. Upload public key to OCI

Navigate to Identity > Users > User Details > API Keys, click Add Public Key, then upload public key to OCI.

3. Set private key to ADC

Configure on OCI

1. Ensure that the VS IP and Secondary IP are assigned to the VNIC on OCI. Please refer to step 13 of this guide.

In this example, you should assign:

  • VS IP 192.168.2.101 to ADC1 VNIC1
  • VS IP 192.168.2.102 to ADC2 VNIC1
  • Secondary IP 192.168.3.13 to ADC1 VNIC2
  • Secondary IP 192.168.3.9 to ADC2 VNIC2

2. Create a Reserved Public IP and bind it to the VS IP. Users can then access the VS through the public IP.

In this example, you should allocate Public IP for VS1 IP 192.168.2.101 and VS2 IP 192.168.2.102.

Important notes

1. In L4_VS DNAT mode, or in L7_VS mode with "client-address" enabled, you need to enable “Skip Source/Destination Check” on the OCI_ADC interface that connects to the RS. You also need to ensure that the ADC is the gateway for the RS. Note: Floating IP is better in HA-VRRP mode.

2. HA-AP and HA-AA modes are not supported.

3. Currently, only an HA-VRRP group with two ADCs is supported.

4. If you configure “VS IP”, “Secondary IP Address”, “Floating IP”, L4VS “NAT Source Pool”, SNAT “Translation to IP Address”, DNAT “External Address Range”, etc., you must assign these IPs to the VNIC on OCI.

5. FortiADC trial license can support 2 VCPU on OCI, for the 15 days that trial license is valid. You can execute “get system status” to check the number of VCPU. Starting from 5.2.2, the ADC license does not limit the memory and hard disk size; only the number of VCPUs is limited.

6. It's suggested that you not delete the VNIC on OCI. If you have to delete VNIC for some reason, then when you create a new VNIC, please “set retrieve_physical_hwaddr enable” on the new port.

config system interface
    edit portXX
        set retrieve_physical_hwaddr enable
end

 
