Fortinet white logo
Fortinet white logo

Admin Guide (FGT-Managed)

The default FortiExtender profile

The default FortiExtender profile

In some circumstances, a default profile (or 2 default profiles) will be automatically generated.

The profile or profiles are generated based on the FortiExtender model. For FortiExtender models without LTE/5G modems, such as FortiExtender 200F, FortiGate will generate a LAN extension profile as follows:

config extension-controller extender-profile
    edit "FX200F-lanext-default"
        set id 0
        set model FX200F
        set extension lan-extension
        config lan-extension
            set link-loadbalance loadbalance
            set ipsec-tunnel "fext-ipsec-WrXw"
            set backhaul-interface "port2"
            config backhaul
                edit "1"
                    set port port1
                next
                edit "2"
                    set port port2
                next
            end
        end
    next
  end

In this default FortiExtender 200F profile, there are two default backhaul ports: port1 and port2. It indicates that the FortiExtender 200F will use its port1 and port2 for the uplinks connected to the FortiGate. The underlying data transportation will be VLAN over IPsec, which is transparent to users.

These two ports will be linked as an aggregated interface in the FortiExtender and you can specify load-balance mode on it. More detailed LAN extension configuration is covered in LAN extension configuration in a profile.

For FortiExtender models with LTE/5G modems, two default profiles will be generated: one for WAN extension and the other for LAN extension.

For WAN extension, the default profile with default values for FortiExtender 201E is as follows:

Caution

The following example is for illustration only.

 config extension-controller extender-profile
      edit "FX201E-wanext-default"
          set id 2
          config cellular
              config sms-notification
              end
              config modem1
              end
          end
      next
  end
# get FX201E-wanext-default (default value will be shown below)
  name : FX201E-wanext-default
  id : 2
  model : FX201E
  extension : wan-extension
  allowaccess :
  login-password-change: no
  cellular:
    dataplan :
    controller-report:
        status : disable
    sms-notification:
        status : disable
    modem1:
        redundant-mode : disable
        conn-status : 0
        default-sim : sim1
        gps : enable
        sim1-pin : disable
        sim2-pin : disable
        auto-switch:
            disconnect : disable
            signal : disable
            dataplan : disable
            switch-back :
            switch-back-time : 00:01
            switch-back-timer : 86400

For the LAN extension, the default profile for the FortiExtender 201E generated on the FortiGate would look as follows. For details of LAN extension configuration, go to LAN extension configuration in a profile.

config extension-controller extender-profile
    edit "FX201E-lanext-default"
        set id 3
        set extension lan-extension
        config cellular
            config sms-notification
            end
            config modem1
            end
        end
        config lan-extension
            set ipsec-tunnel "fext-ipsec-ut4Z"
            set backhaul-interface "lan"
            config backhaul
                edit "1"
                    set port wan
                    set role primary
                next
                edit "2"
                    set port lte1
                    set role secondary
                next
            end
        end
    next
end

  # get FX201E-wanext-default (default value will be shown below)
  name : FX201E-lanext-default
  id : 3
  model : FX201E
  extension : lan-extension
  allowaccess :
  login-password-change: no
  enforce-bandwidth : disable
  cellular:
    dataplan :
    controller-report:
        status : disable
    sms-notification:
        status : disable
    modem1:
        redundant-mode : disable
        conn-status : 0
        default-sim : sim1
        gps : enable
        sim1-pin : disable
        sim2-pin : disable
        auto-switch:
            disconnect : disable
            signal : disable
            dataplan : disable
            switch-back :
            switch-back-time : 00:01
            switch-back-timer : 86400
  lan-extension:
    link-loadbalance : activebackup
    ipsec-tunnel : fext-ipsec-ut4Z
    backhaul-interface : lan
    backhaul-ip :
    backhaul:
        == [ 1 ]
        name: 1
        == [ 2 ]
        name: 2
Note

After upgrading to 7.0.2 or later from 3.2, the default behavior is "unset allowaccess" to prevent direct management of the FortiExtender by anything other than the FortiGate. If you want to exert some direct control over the device, you can change the default behavior using the following CLI commands:

config extension-controller extender-profile
   edit "FX211E-wanext-default"
        set allowaccess ping https
        set login-password-change no
end

The default FortiExtender profile

The default FortiExtender profile

In some circumstances, a default profile (or 2 default profiles) will be automatically generated.

The profile or profiles are generated based on the FortiExtender model. For FortiExtender models without LTE/5G modems, such as FortiExtender 200F, FortiGate will generate a LAN extension profile as follows:

config extension-controller extender-profile
    edit "FX200F-lanext-default"
        set id 0
        set model FX200F
        set extension lan-extension
        config lan-extension
            set link-loadbalance loadbalance
            set ipsec-tunnel "fext-ipsec-WrXw"
            set backhaul-interface "port2"
            config backhaul
                edit "1"
                    set port port1
                next
                edit "2"
                    set port port2
                next
            end
        end
    next
  end

In this default FortiExtender 200F profile, there are two default backhaul ports: port1 and port2. It indicates that the FortiExtender 200F will use its port1 and port2 for the uplinks connected to the FortiGate. The underlying data transportation will be VLAN over IPsec, which is transparent to users.

These two ports will be linked as an aggregated interface in the FortiExtender and you can specify load-balance mode on it. More detailed LAN extension configuration is covered in LAN extension configuration in a profile.

For FortiExtender models with LTE/5G modems, two default profiles will be generated: one for WAN extension and the other for LAN extension.

For WAN extension, the default profile with default values for FortiExtender 201E is as follows:

Caution

The following example is for illustration only.

 config extension-controller extender-profile
      edit "FX201E-wanext-default"
          set id 2
          config cellular
              config sms-notification
              end
              config modem1
              end
          end
      next
  end
# get FX201E-wanext-default (default value will be shown below)
  name : FX201E-wanext-default
  id : 2
  model : FX201E
  extension : wan-extension
  allowaccess :
  login-password-change: no
  cellular:
    dataplan :
    controller-report:
        status : disable
    sms-notification:
        status : disable
    modem1:
        redundant-mode : disable
        conn-status : 0
        default-sim : sim1
        gps : enable
        sim1-pin : disable
        sim2-pin : disable
        auto-switch:
            disconnect : disable
            signal : disable
            dataplan : disable
            switch-back :
            switch-back-time : 00:01
            switch-back-timer : 86400

For the LAN extension, the default profile for the FortiExtender 201E generated on the FortiGate would look as follows. For details of LAN extension configuration, go to LAN extension configuration in a profile.

config extension-controller extender-profile
    edit "FX201E-lanext-default"
        set id 3
        set extension lan-extension
        config cellular
            config sms-notification
            end
            config modem1
            end
        end
        config lan-extension
            set ipsec-tunnel "fext-ipsec-ut4Z"
            set backhaul-interface "lan"
            config backhaul
                edit "1"
                    set port wan
                    set role primary
                next
                edit "2"
                    set port lte1
                    set role secondary
                next
            end
        end
    next
end

  # get FX201E-wanext-default (default value will be shown below)
  name : FX201E-lanext-default
  id : 3
  model : FX201E
  extension : lan-extension
  allowaccess :
  login-password-change: no
  enforce-bandwidth : disable
  cellular:
    dataplan :
    controller-report:
        status : disable
    sms-notification:
        status : disable
    modem1:
        redundant-mode : disable
        conn-status : 0
        default-sim : sim1
        gps : enable
        sim1-pin : disable
        sim2-pin : disable
        auto-switch:
            disconnect : disable
            signal : disable
            dataplan : disable
            switch-back :
            switch-back-time : 00:01
            switch-back-timer : 86400
  lan-extension:
    link-loadbalance : activebackup
    ipsec-tunnel : fext-ipsec-ut4Z
    backhaul-interface : lan
    backhaul-ip :
    backhaul:
        == [ 1 ]
        name: 1
        == [ 2 ]
        name: 2
Note

After upgrading to 7.0.2 or later from 3.2, the default behavior is "unset allowaccess" to prevent direct management of the FortiExtender by anything other than the FortiGate. If you want to exert some direct control over the device, you can change the default behavior using the following CLI commands:

config extension-controller extender-profile
   edit "FX211E-wanext-default"
        set allowaccess ping https
        set login-password-change no
end