Admin Guide (FGT-Managed)

FortiExtender and FortiGate integration

FortiExtender works as an extended WAN interface in IP pass-through mode.

The following paragraphs highlight the network topology for integrating FortiExtender with FortiGate.

In this scenario, FortiGate manages FortiExtender over the Control and Provisioning of Wireless Access Points (CAPWAP) protocol in IP pass-through mode. Unlike a standalone 3G/4G/5G wireless WAN extender, the FortiExtender managed by FortiGate integrates directly into the FortiGate Connected UTM (Unified Threat Management) and is managed from the familiar FortiOS interface. This not only enables security policies to be seamlessly applied to the FortiExtender, but also provides visibility into the performance and data usage of the connection.

In this scenario, you can connect one FortiExtender to two FortiGate devices for a high availability (HA) configuration in active-passive deployment, or two FortiExtenders to two FortiGate devices in active-active deployment to provide dual active redundancy for wireless WAN access as well.

The FortiExtender and the FortiGate share the same LTE IP in WAN-extension mode. In pre-4.2.2 releases, FortiExtender does not allow access to SSH/HTTPS/HTTP/Telnet service via the LTE interface, so all the traffic to those default services goes to FortiGate. FortiExtender 4.2.2 adds local SSH/HTTPS/HTTP/Telnet service support via the LTE interface. To distinguish local services from FortiGate services, you must configure the FortiExtender to use different ports. Otherwise, all traffic to these default services will be sent to the FortiExtender locally instead of FortiGate.

To configure FortiExtender local SSH/HTTPS/HTTP/Telnet service support via the LTE interface:

config system management
    config local-access
        set https 22443
        set ssh 2222
    end
end
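
The following is an added example, not part of Fortinet's documentation: a Python check that parses a `config system management` / `config local-access` block like the one above and reports any FortiExtender local service port that a FortiGate service also uses on the shared LTE IP. The FortiGate port map is an assumption (the standard ports for SSH, HTTPS, HTTP and Telnet); pass the ports your FortiGate actually listens on. The function names are hypothetical.

```python
# Added example: audit FortiExtender local-access ports against FortiGate ports.
# Assumption: FortiGate services listen on the standard ports below.
FORTIGATE_PORTS = {"ssh": 22, "https": 443, "http": 80, "telnet": 23}

# The configuration shown on this page.
PAGE_CONFIG = """
config system management
    config local-access
        set https 22443
        set ssh 2222
    end
end
"""

# Constructed sample: SSH left on a port the FortiGate also uses.
CONSTRUCTED_BAD = PAGE_CONFIG.replace("set ssh 2222", "set ssh 22")


def parse_local_access(config_text):
    """Return {service: port} from 'config system management' > 'config local-access'."""
    stack, ports = [], {}
    for line_no, raw in enumerate(config_text.splitlines(), 1):
        tokens = raw.split()
        if not tokens:
            continue
        if tokens[0] == "config":
            stack.append(" ".join(tokens[1:]))
        elif tokens[0] == "end":
            if not stack:
                raise ValueError(f"line {line_no}: 'end' without 'config'")
            stack.pop()
        elif tokens[0] == "set" and stack == ["system management", "local-access"]:
            if len(tokens) != 3 or not tokens[2].isdigit() or not 0 < int(tokens[2]) < 65536:
                raise ValueError(f"line {line_no}: expected 'set <service> <port>'")
            ports[tokens[1]] = int(tokens[2])
    if stack:
        raise ValueError(f"unterminated block: config {stack[-1]}")
    return ports


def find_collisions(fex_ports, fgt_ports=FORTIGATE_PORTS):
    """List (fex_service, port, fgt_service) where both devices claim one port."""
    taken = {port: svc for svc, port in fgt_ports.items()}
    return sorted((svc, p, taken[p]) for svc, p in fex_ports.items() if p in taken)


if __name__ == "__main__":
    for name, text in (("page config", PAGE_CONFIG), ("constructed", CONSTRUCTED_BAD)):
        print(name, find_collisions(parse_local_access(text)) or "no collisions")
```

Services that are not set in the block are not evaluated, because the page does not state their default local-access values.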
