Extended cellular WAN of FortiGate

Connect to FortiGate

  1. Connect your FortiExtender LAN port to the POE-enabled port of FortiGate.
    1. Enable the FortiExtender Controller on FortiGate.

      # config system global
      (global) # set fortiextender enable
      (global) # end

    2. Make sure that your FortiGate enables FortiExtender Controller.
    3. The FortiExtender-related GUI is hidden by default. To enable it, go to System > Feature Visibility.
    4. Enable CAPWAP access on the FortiGate interface to which FortiExtender is connected.

      config system interface
      edit lan
      append allowaccess capwap
      end

  2. Authorize the FortiExtender device.
     Once the FortiExtender is discovered, you must authorize it by associating it either with a virtual WAN interface or a VLAN interface.

    1. Go to Network > FortiExtender, and wait for the FortiExtender device to be discovered by FortiGate.
    2. Bind the device to an interface and authorize it.
    3. In FortiGate 5.4 and higher releases, you must manually create either a virtual WAN interface of type FEX-WAN or a VLAN sub-interface, and link it to FortiExtender as part of the authorization process, as illustrated below.

By default, FortiExtender and FortiGate are expected to be connected on Layer 2, so make sure that they are. If they are not connected via Layer 2 but can reach each other via Layer-3 networking, configure your FortiExtender with static discovery using the following FortiExtender CLI commands:

config system management fortigate
set ac-discovery-type static
set static-ac-ip-addr 192.168.1.99
set ac-ctl-port 5246
set ac-data-port 25246
end

VLAN mode and performance

With a FEX-WAN type interface, all traffic to and from FortiGate is encapsulated in the CAPWAP data channel, whereas with a VLAN type interface, the traffic is sent and received directly on the VLAN interface. Because there is no encapsulation overhead, VLAN mode delivers better speeds, provided that the VLAN interface is created directly on top of the port on which FortiExtender is connected to FortiGate.

Note that VLAN mode must be explicitly enabled, as it is disabled by default on FortiGate, and that all the FEX-WAN interfaces must be deleted before VLAN mode is enabled.

# config system global
(global) # set fortiextender-vlan-mode enable
(global) # end

Ensure that the VLAN interface is created based on the physical interface of your connected FortiExtender.
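
The following pre-change check is an added example, not part of the original Fortinet documentation. It reads a FortiOS-style configuration backup and reports (a) interfaces where CAPWAP access does not match the ports a FortiExtender is actually connected to, and (b) FEX-WAN interfaces that would have to be deleted before VLAN mode is enabled. The sample configuration, the interface names, and the "fext-wan" interface type value are assumptions made for illustration.

```python
# Constructed sample (not from the page); names and "fext-wan" are assumptions.
SAMPLE_CONFIG = """\
config system global
    set fortiextender enable
end
config system interface
    edit "lan"
        set allowaccess ping https capwap
    next
    edit "wan1"
        set allowaccess ping capwap
    next
    edit "fex-wan1"
        set type fext-wan
    next
end
"""

def parse(text):
    """Return (global settings, {interface: settings}) from a config dump."""
    glob, ifaces, stack, entry = {}, {}, [], {}
    for line in text.splitlines():
        w = [v.strip('"') for v in line.split()] or [""]
        if w[0] == "config":
            stack.append(" ".join(w[1:]))   # track nesting so sub-blocks are skipped
        elif w[0] == "end" and stack:
            stack.pop()
        elif w[0] == "edit" and len(w) > 1 and stack == ["system interface"]:
            entry = ifaces.setdefault(w[1], {})
        elif w[0] == "set" and len(w) > 2 and stack == ["system global"]:
            glob[w[1]] = w[2:]
        elif w[0] == "set" and len(w) > 2 and stack == ["system interface"]:
            entry[w[1]] = w[2:]
    return glob, ifaces

def audit(text, fex_ports):
    """fex_ports: interfaces a FortiExtender is cabled to (operator-supplied)."""
    glob, ifaces = parse(text)
    enabled = glob.get("fortiextender") == ["enable"]
    findings = [] if enabled else ["FortiExtender controller is not enabled"]
    for name, cfg in ifaces.items():
        capwap = "capwap" in cfg.get("allowaccess", [])
        if capwap != (name in fex_ports):
            findings.append(f"{name}: capwap " + ("unexpected" if capwap else "missing"))
    return findings

def vlan_mode_blockers(text):
    """FEX-WAN interfaces that must be deleted before enabling VLAN mode."""
    return [n for n, c in parse(text)[1].items() if c.get("type") == ["fext-wan"]]
```

Interfaces that serve FortiAP devices also need CAPWAP access, so include them in fex_ports or treat their findings as expected.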

Modem connectivity

FortiExtender allows for multiple modes of operation of the modem from FortiGate.

  • Always Connect—By default, this feature is enabled when a FortiExtender is authorized. In this mode, the modem is always connected to the Internet, meaning that the FortiExtender is readily available for Internet access from the FortiGate. It can be a primary or backup method of connecting to the Internet for the FortiGate. If there are multiple active WAN interfaces on the FortiGate, care must be taken to ensure that the distances of the FortiExtender interface and other WAN interfaces are configured appropriately.
  • On Demand—In this mode, FortiExtender instructs the modem to connect to an ISP for Internet access only upon executing the dial-up command and disconnects only upon a subsequent hang-up command from the FortiGate CLI.
To connect

execute extender dial <SN>

// <SN> is the FortiExtender's serial number.

To disconnect

execute extender hangup <SN>

// <SN> is the FortiExtender's serial number.

Dual FortiExtender operations

Active/Passive mode

By default, each FortiGate device can support up to two FortiExtenders at a time. Typically, the first FortiExtender that it has authorized takes the primary role and the second one takes the secondary role. The primary FortiExtender always provides Internet access and the secondary FortiExtender stays in passive mode. If the primary FortiExtender goes down, the secondary FortiExtender gets activated, and vice versa.

Active/Active mode

To have access to active Internet sessions on both FortiExtenders simultaneously, the role of the secondary FortiExtender needs to be changed to primary.

config extender-controller extender
edit <fext serial no>   /* FortiExtender with secondary role */
set role primary
end

Cellular as backup of Ethernet WAN

In this redundant mode of operation, the FortiExtender daemon running on FortiGate monitors a given WAN link on the FortiGate, and brings up FortiExtender’s cellular Internet access when the WAN link is down and brings down the FortiExtender cellular Internet when the WAN link comes up. For example:

config extender-controller extender
edit <FEXT serial number>
set admin enable
set ifname <fext interface>
set mode redundant
set redundant-intf <wan interface, i.e., wan1>
end

In this mode of operation, the FortiExtender interface comes up if the WAN interface goes down and goes down if the WAN interface comes up.

ECMP across FEX-wan1 and wan1

To set up Equal-cost multi-path routing (ECMP) to automatically find the best path:

  1. On the FortiGate UI, go to Router > Static > Settings, and do the following:
    1. Configure ECMP Load Balancing Method.
    2. Choose among Source IP based, Weighted Load Balance, Spillover, Source-Destination IP based, and
    3. Configure your settings as required.
  2. Go to System > Network > Interfaces and edit FEX-wan1, setting the distance to the same distance as the wan1 interface under Router > Static > Static Routes. (In this example, the distance is 10.)

Now the traffic is shared between the wan1 and FEX-wan1 links according to the ECMP Load Balancing Method used. This deployment can be extrapolated for dual FortiExtender installation.

SD-WAN in FortiOS 5.6 and higher

FortiOS now recognizes and uses FEX as a valid interface within an SD-WAN interface bundle. Using SD-WAN, FortiGate becomes a WAN path controller and supports diverse connectivity methods. With FEX, 3G/4G can be used as a primary connection, a backup interface, or a load-balanced WAN access method with Application-Aware WAN path control selection. It provides high availability and QoS for business-critical applications by using the best effort access for low-priority applications through low-cost links, and backs up service through associations with an FEX link. This enables aggregation of multiple interfaces into a single SD-WAN interface using a single policy.

To accomplish this:
  1. Add the FortiExtender interface as a member of the SD-WAN interface, as illustrated below.
  2. Define a load-balancing algorithm, as shown in the following example of volume-based distribution.
  3. Define your policies for the whole bundle (but not per interface) as illustrated below.

For more information about how to deploy SD-WAN in general, refer to FortiOS documentation.
