Configuring MACVLAN networks for Linux-based deployments
Applications such as network traffic monitoring and system management tools may require the FortiAnalyzer-Docker to be connected directly to the physical network. In these situations, you can use MACVLAN networking.
In a MACVLAN network, the MACVLAN network driver assigns a MAC address to each container's virtual network interface, making it appear as though it is a physical network interface that is directly connected to the network. In order to use a MACVLAN network, the networking equipment must be able to handle "promiscuous mode", where one physical interface can be assigned multiple MAC addresses.
When using a MACVLAN network, it is possible to unintentionally disrupt the network through IP address exhaustion or through "VLAN spread", in which an inappropriately large number of unique MAC addresses appear on the network. The benefit of running a FortiAnalyzer-Docker on a MACVLAN network is that no additional port mapping is required.
This topic explains how to configure a MACVLAN network for use with your FortiAnalyzer Docker.
MACVLAN network topology
The examples in the instructions below use the following information and network topology. Although FortiManager is used in the example, the same instructions apply to a FortiAnalyzer-Docker.
- MACVLAN network name: mnd01
- Docker host interface: enp1s0
- FortiManager-Docker image: fortinet/qa-fortimanager:7.0.2.0174
Configuration
To set up a MACVLAN network configuration:
1. Create a new MACVLAN network on your docker host. You must specify the subnet, IP range, gateway, docker host interface, and name of the MACVLAN network.
   On your docker host, run the following command:

   docker network create \
     -d macvlan \
     --subnet=<Subnet and its prefix> \
     --ip-range=<IP range and its prefix> \
     --gateway=<Gateway IP> \
     -o parent=<Docker host interface name> \
     <MACVLAN network name>

   For example:

   docker network create -d macvlan --subnet=10.2.124.0/16 --ip-range=10.2.124.208/28 --gateway=10.2.0.250 -o parent=ens160 mnd01
2. Provision the FortiAnalyzer-Docker container. For more information, see Introduction.
   On your docker host, run the following command:

   docker run \
     -dit \
     --name <Container name> \
     --restart always \
     --cap-add=ALL \
     -v /var/faz/var:/var \
     -v /var/faz/data:/data \
     --network <MACVLAN network> \
     --ip <FAZ-Docker IP> \
     <FAZ-Docker image>

   For example:

   docker run -dit --name faztest --restart always --cap-add=ALL -v/var/faz/var_b0174_03:/var -v/var/faz/data_b0174_03:/data --network mnd01 --ip 172.18.49.239 fortinet/fortianalyzer:7.0.2.0174
3. Next, configure the container to have access to the docker host.
   On your docker host, run the following commands:

   ip link add <MACVLAN network>_SelfN link <docker host interface> type macvlan mode bridge
   ip addr add <IP address> dev <MACVLAN network>_SelfN
   ip link set <MACVLAN network>_SelfN up
   ip route add <IP route> dev <MACVLAN network>_SelfN

   For example:

   ip link add mnd01_SelfN link enp1s0 type macvlan mode bridge
   ip addr add 172.18.49.236/32 dev mnd01_SelfN
   ip link set mnd01_SelfN up
   ip route add 172.18.49.236/30 dev mnd01_SelfN
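An added pre-flight check for the three steps above (example code written for this page, not part of the FortiAnalyzer-Docker product or its documentation): it verifies that the addresses chosen for the MACVLAN network, the containers and the host's _SelfN interface agree with each other before any docker or ip command is run, so that the address collision and exhaustion problems noted at the start of this topic are caught up front. All addresses in the example are constructed.

```python
import ipaddress

def check_macvlan_plan(subnet, ip_range, gateway, container_ips, host_ip, host_route):
    """Return a list of problems; an empty list means the parameters agree.

    subnet, ip_range, gateway -- the --subnet, --ip-range and --gateway values
                                 for 'docker network create -d macvlan'
    container_ips             -- the static --ip values given to 'docker run'
    host_ip                   -- the address put on <network>_SelfN ('ip addr add')
    host_route                -- the prefix routed to <network>_SelfN ('ip route add')
    """
    problems = []
    # docker accepts a non-canonical prefix such as 10.2.124.0/16, so do not be strict
    net = ipaddress.ip_network(subnet, strict=False)
    pool = ipaddress.ip_network(ip_range, strict=False)
    route = ipaddress.ip_network(host_route, strict=False)
    gw = ipaddress.ip_address(gateway)
    host = ipaddress.ip_address(host_ip.split("/")[0])  # accept 172.18.49.236/32
    statics = [ipaddress.ip_address(ip) for ip in container_ips]

    # docker refuses a pool, gateway or static address outside the subnet
    if not pool.subnet_of(net):
        problems.append(f"--ip-range {pool} is not inside --subnet {net}")
    if gw not in net:
        problems.append(f"--gateway {gw} is not inside --subnet {net}")
    for ip in statics:
        if ip not in net:
            problems.append(f"container --ip {ip} is not inside --subnet {net}")
    if len(set(statics)) != len(statics):
        problems.append("two containers are given the same --ip")

    # docker's IPAM knows nothing about the _SelfN interface: an address inside
    # the allocation pool, or equal to a static --ip, would end up used twice
    if host not in net:
        problems.append(f"host address {host} is not inside --subnet {net}")
    if host in pool:
        problems.append(f"host address {host} lies inside --ip-range {pool}")
    if host in statics:
        problems.append(f"host address {host} is also a container --ip")

    # the docker host reaches the containers only through the route to _SelfN
    for ip in statics:
        if ip not in route:
            problems.append(f"host route {route} does not cover container {ip}")
    return problems


def pool_size(ip_range):
    """Number of addresses docker may allocate automatically from --ip-range."""
    return ipaddress.ip_network(ip_range, strict=False).num_addresses
```

Run the check with your own values; a non-empty list names the flag whose value to fix before creating the network or starting the container.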
Results
Once the MACVLAN network is configured, the FortiAnalyzer-Docker container has a MAC address and appears as though it is connected using a physical network interface. For more information on licensing the docker, see Introduction.
You can modify the GUI access port through the settings menu in FortiAnalyzer-Docker.
Optionally, FortiAnalyzer-Dockers connected to a MACVLAN network can also be configured as an HA cluster.