Data transportation over the LAN extension interface
FortiGate automatically generates a "lan-extension" interface for each FortiExtender that it has authorized. The name of the interface is the same as the FortiExtender entry name.
config extension-controller extender
    edit "FX0015919000027"
        set id "FX201E5919000027"
        set authorized enable
        set device-id 1
        set extension-type lan-extension
        set override-allowaccess enable
        set profile "FX201E-lanext-default"
    next
end
config system interface
    edit "FX0015919000027"
        set vdom "root"
        set type lan-extension
        set role lan
        set snmp-index 26
        set interface "fext-ipsec-ut4Z"
    next
end
This is a virtual interface that abstracts all the details of the underlying tunneling transport protocol. You can treat it as a LAN interface on the FortiGate. Unlike a real LAN interface, the "lan-extension" interface connects the FortiExtender across the internet.
The tunneling is transparent to users, who see a reliable, secure interface. For example, you can configure the "ip" of this interface and enable a DHCP server on it.
config system interface
    edit "FX0015919000027"
        set vdom "root"
        set ip 192.168.3.99 255.255.255.0
        set allowaccess ping https ssh snmp http telnet
        set type lan-extension
        set role lan
        set snmp-index 26
        set interface "fext-ipsec-ut4Z"
    next
end
config system dhcp server
    edit 3
        set default-gateway 192.168.3.99
        set netmask 255.255.255.0
        set interface "FX0015919000027"
        config ip-range
            edit 1
                set start-ip 192.168.3.2
                set end-ip 192.168.3.98
            next
        end
    next
end
An appropriate firewall policy can be used to forward traffic out of the FortiGate's WAN interface. Assuming that "wan1" is the WAN interface of the FortiGate, you can configure the policy as follows. You can also apply a stricter firewall policy based on your needs.
config firewall policy
    edit 1
        set name "LAN-EXT"
        set uuid 8b7c21e4-221e-51ec-0a0d-34e7b478557b
        set srcintf "FX0015919000027"
        set dstintf "wan1"
        set action accept
        set srcaddr "all"
        set dstaddr "all"
        set schedule "always"
        set service "ALL"
        set nat enable
    next
end
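One way to apply the stricter policy mentioned above, shown as an added example that is not part of the original page: it limits management access on the "lan-extension" interface to encrypted protocols and narrows the policy to the DHCP subnet and a short service list. The address object name "LAN-EXT-clients" and the choice of allowed services are assumptions; adjust them to your environment.

```fortios
# Added example: constructed hardening of the sample configuration above.
config system interface
    edit "FX0015919000027"
        # Remove the cleartext management protocols (http, telnet).
        # Assumes SNMP polling is not needed on this interface.
        set allowaccess ping https ssh
    next
end
config firewall address
    # "LAN-EXT-clients" is a hypothetical object name covering the
    # subnet served by the DHCP server on the lan-extension interface.
    edit "LAN-EXT-clients"
        set subnet 192.168.3.0 255.255.255.0
    next
end
config firewall policy
    edit 1
        set name "LAN-EXT"
        set srcintf "FX0015919000027"
        set dstintf "wan1"
        set action accept
        # Only the known client subnet may use this policy.
        set srcaddr "LAN-EXT-clients"
        set dstaddr "all"
        set schedule "always"
        # Assumed minimum for web browsing; extend as required.
        set service "DNS" "HTTP" "HTTPS"
        # Log every session so remote-site traffic can be reviewed.
        set logtraffic all
        set nat enable
    next
end
```

Traffic from the FortiExtender LAN that does not match the policy falls through to the implicit deny, so add further policies for any other services the remote site needs.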
On the FortiExtender side, the "lan" interface is mapped to the "lan-extension" interface on the FortiGate. You can connect computers directly to any of the LAN ports on the FortiExtender, or place a switch between the LAN ports and the computers. The computers get their IP addresses from the DHCP server configured on the "lan-extension" interface and can forward traffic out through the FortiGate based on the firewall policy.