Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Products Best Practices Hardware Guides Products A-Z
Summary
By Solution
By 4D Pillars
By Cloud
Secure Networking
Unified SASE
Security Operations
Secure SD-WAN
Secure Access Service Edge (SASE)
ZTNA
LAN Edge
Identity and Access Management
Next Generation Firewall
Public Cloud
Private Cloud
FortiCloud
Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
    • More >>
    Unified SASE
  • Single Vendor SASE
  • Cloud Network Security
  • Secure Endpoint Connectivity
  • Web Application / API Protection
    • More >>
    Security Operations
  • Security Operations Automation
  • Identity
  • Early Detection & Prevention
    • More >>
    Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
  • Communication & Surveillance
    • Unified SASE
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Cloud Network Security
  • Cloud-Native Security
  • Web Application / API Protection
    • Security Operations
  • Security Operations Automation
  • Endpoint
  • Data Protection
  • Identity
  • Email
  • Early Detection & Prevention
  • Expert Services
  • Edge Firewall
  • Orchestration & management
  • SD Branch
  • Application Delivery
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Secure Private Access
  • Thin Edge
  • Identity
  • Application Gateway
  • Enterprise Asset Management
  • Endpoint Agent
  • Agentless Security Posture
  • Identity
  • Wireless
  • Switching
  • Identity
  • Privilege Acccess Management
  • Next Generation Firewall
  • Orchestration & management
  • Expert Services
  • All
  • All
  • Account Management
  • SAAS Management
  • SAAS Application Security
  • Managed Services
  • Platform as a service (PAAS)
  • Other SAAS Services
    • 4D Resources
    Solution Hubs
  • 4D Pillars
  • Cloud
  • Popular Solutions

    • Cisco ACI Administration Guide

    Home FortiGate Private Cloud 6.4.0 Cisco ACI Administration Guide
    6.4.0
    7.6.0
    7.4.0
    7.2.0
    7.0.0
    6.4.0

    Configuring FortiOS

    Configuring FortiOS

    To configure the deployment in FortiOS:
    1. Create a PBR virtual domain (VDOM). You must make all following configurations in the PBR VDOM.
    2. Configure a VLAN interface under port 1 with VLAN ID 400:
      1. Go to Network > Interfaces.
      2. Click Create New.
      3. In the Name field, enter vlan400.
      4. For Type, select VLAN.
      5. For Interface, select port1.
      6. In the VLAN ID field, enter 400.
      7. In the VRF ID field, enter 0.
      8. From the Role dropdown list, select LAN.
      9. In the IP/Netmask field, enter 172.16.254/255.255.255.0. Save the interface.

    3. Go to Policy & Objects > Firewall Policy. Configure policies as desired.
    4. Configure a static route to the APIC FW_Svc_OneArm BD GW IP address:
      1. Go to Network > Static Routes.
      2. Click Create New.
      3. Set Destination to Subnet, and leave the IP address and subnet mask as 0.0.0.0/0.0.0.0.
      4. In the Gateway Address field, enter the APIC FW_Svc_OneArm BD GW IP address, which is 172.16.1.1.
      5. From the Interface dropdown list, select vlan400.
      6. Save the configuration.

    5. Go to Log & Report > Forward Traffic. Confirm that you can view the Web and Application EPG traffic, indicating that it is redirected to the FortiGate for inspection.

    6. Run the following commands in the CLI to configure FGCP and FGSP for cluster1:

      config system ha

      set group-id 112

      set group-name "fortinet112"

      set mode a-p

      set pass ENC 6v7bvuVAmnjUK8GLToPP4ctq9GdqRH37cZ01WfMbJzBTXg53bc8KF1C0QFHk9AEzen695Q

      set hbdev "ha" 512

      set session-pickup enable

      set session-pickup-connectionless enable

      set session-pickup-expectation enable

      set ha-mgmt-status enable

      config ha-mgmt-status enable

      edit 1

      set interface "mgmt"

      set gateway 192.168.139.254

      next

      end

      set override disable

      set ha-direct enable

      end

      config system cluster-sync

      edit 5

      set peerip 172.16.88.2

      set syncvd "PBR"

      next

      end

      config system standalone-cluster

      set standalone-group-id 112

      set session-sync-dev "port3"

      end

      note icon

      By default, FortiOS sets layer2-connection to unavailable. If layer2-connection is set to available, the configuration may have issues.

    7. Run the following commands in the CLI to configure FGCP and FGSP for cluster2:

      config system ha

      set group-id 112

      set group-name "fortinet112112"

      set mode a-p

      set pass ENC bhU6+uYFf7IpqOirYnFWOMhGxbpJkXY8bdHWfg9o6x2Wg+IFId6ZEJUGqe2W1ots+g==

      set hbdev "ha" 512

      set session-pickup enable

      set session-pickup-connectionless enable

      set session-pickup-expectation enable

      set ha-mgmt-status enable

      config ha-mgmt-status enable

      edit 1

      set interface "mgmt"

      set gateway 192.168.139.254

      next

      end

      set override disable

      set ha-direct enable

      end

      config system cluster-sync

      edit 5

      set peerip 172.16.88.2

      set syncvd "PBR"

      next

      end

      config system standalone-cluster

      set standalone-group-id 112

      set group-member-id 1

      set session-sync-dev "port6"

      end

      note icon

      By default, FortiOS sets layer2-connection to unavailable. If layer2-connection is set to available, the configuration may have issues.

    8. To debug cluster1, you can run the following commands. The screenshot shows the expected output of each command:

      1. diagnose system ha status

      2. diagnose system ha standalone-peers

      3. diagnose system ha session-sync-dev

    9. To debug cluster2, you can run the following commands. The screenshot shows the expected output of each command:

      1. diagnose system ha status

      2. diagnose system ha standalone-peers

      3. diagnose system ha session-sync-dev

    Previous
    Next

    Configuring FortiOS

    Configuring FortiOS

    To configure the deployment in FortiOS:
    1. Create a PBR virtual domain (VDOM). You must make all following configurations in the PBR VDOM.
    2. Configure a VLAN interface under port 1 with VLAN ID 400:
      1. Go to Network > Interfaces.
      2. Click Create New.
      3. In the Name field, enter vlan400.
      4. For Type, select VLAN.
      5. For Interface, select port1.
      6. In the VLAN ID field, enter 400.
      7. In the VRF ID field, enter 0.
      8. From the Role dropdown list, select LAN.
      9. In the IP/Netmask field, enter 172.16.254/255.255.255.0. Save the interface.

    3. Go to Policy & Objects > Firewall Policy. Configure policies as desired.
    4. Configure a static route to the APIC FW_Svc_OneArm BD GW IP address:
      1. Go to Network > Static Routes.
      2. Click Create New.
      3. Set Destination to Subnet, and leave the IP address and subnet mask as 0.0.0.0/0.0.0.0.
      4. In the Gateway Address field, enter the APIC FW_Svc_OneArm BD GW IP address, which is 172.16.1.1.
      5. From the Interface dropdown list, select vlan400.
      6. Save the configuration.

    5. Go to Log & Report > Forward Traffic. Confirm that you can view the Web and Application EPG traffic, indicating that it is redirected to the FortiGate for inspection.

    6. Run the following commands in the CLI to configure FGCP and FGSP for cluster1:

      config system ha

      set group-id 112

      set group-name "fortinet112"

      set mode a-p

      set pass ENC 6v7bvuVAmnjUK8GLToPP4ctq9GdqRH37cZ01WfMbJzBTXg53bc8KF1C0QFHk9AEzen695Q

      set hbdev "ha" 512

      set session-pickup enable

      set session-pickup-connectionless enable

      set session-pickup-expectation enable

      set ha-mgmt-status enable

      config ha-mgmt-status enable

      edit 1

      set interface "mgmt"

      set gateway 192.168.139.254

      next

      end

      set override disable

      set ha-direct enable

      end

      config system cluster-sync

      edit 5

      set peerip 172.16.88.2

      set syncvd "PBR"

      next

      end

      config system standalone-cluster

      set standalone-group-id 112

      set session-sync-dev "port3"

      end

      note icon

      By default, FortiOS sets layer2-connection to unavailable. If layer2-connection is set to available, the configuration may have issues.

    7. Run the following commands in the CLI to configure FGCP and FGSP for cluster2:

      config system ha

      set group-id 112

      set group-name "fortinet112112"

      set mode a-p

      set pass ENC bhU6+uYFf7IpqOirYnFWOMhGxbpJkXY8bdHWfg9o6x2Wg+IFId6ZEJUGqe2W1ots+g==

      set hbdev "ha" 512

      set session-pickup enable

      set session-pickup-connectionless enable

      set session-pickup-expectation enable

      set ha-mgmt-status enable

      config ha-mgmt-status enable

      edit 1

      set interface "mgmt"

      set gateway 192.168.139.254

      next

      end

      set override disable

      set ha-direct enable

      end

      config system cluster-sync

      edit 5

      set peerip 172.16.88.2

      set syncvd "PBR"

      next

      end

      config system standalone-cluster

      set standalone-group-id 112

      set group-member-id 1

      set session-sync-dev "port6"

      end

      note icon

      By default, FortiOS sets layer2-connection to unavailable. If layer2-connection is set to available, the configuration may have issues.

    8. To debug cluster1, you can run the following commands. The screenshot shows the expected output of each command:

      1. diagnose system ha status

      2. diagnose system ha standalone-peers

      3. diagnose system ha session-sync-dev

    9. To debug cluster2, you can run the following commands. The screenshot shows the expected output of each command:

      1. diagnose system ha status

      2. diagnose system ha standalone-peers

      3. diagnose system ha session-sync-dev

    Previous
    Next